current/SPECS/rootcerts.spec

# don't make useless debug packages
%define _enable_debug_packages  %{nil}
%define debug_package           %{nil}

# _without = java enabled, _with = java disabled
%ifnarch %arm %mips
%bcond_without java
%else
%bcond_with java
%endif

Summary:        Bundle of CA Root Certificates
Name:           rootcerts
# <mrl> Use this versioning style in order to be easily backportable.
# Note that the release is the last two digits on the version.
# All BuildRequires for rootcerts should be done this way:
# BuildRequires: rootcerts >= 0:20070402.00, for example
# - NEVER specifying the %%{release}
Epoch:          1
Version:        20120628.00
Release:        %mkrel 1
License:        GPL
Group:          System/Servers
URL:            http://www.mageia.org
# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
Source0:        rootcerts.tar.bz2
# www.mail-archive.com/ modssl-users@modssl.org/msg16980.html
#cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt > certdata.txt
Source1:        certdata.txt
Source2:        rootcerts-igp-brasil.txt
# http://www.cacert.org/certs/root.der
Source3:        cacert.org.der
# http://qa.mandriva.com/show_bug.cgi?id=29612
# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
Source4:        verisign-class-3-secure-server-ca.pem
# Java JKS keystore generator:
# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
Source6:        generate-cacerts.pl
# Fix overwriting issue with generate-cacerts.pl
Patch0:         generate-cacerts-fix-entrustsslca.patch
# Some hacks to make generate-cacerts.pl work with some of our certificates
Patch1:         generate-cacerts-mageia.patch
# Just rename identically named certificates that are not handled by mageia.patch
Patch2:         generate-cacerts-rename-duplicates.patch
BuildRequires:  perl openssl nss
%if %with java
BuildRequires:  java-rpmbuild
%endif

%description
This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

%if %with java
%package java
Summary:        Bundle of CA Root Certificates for Java
Group:          Development/Java

%description java
Bundle of X.509 certificates of public Certificate Authorities (CA)
in a format used by Java Runtime Environment.
%endif

%prep

%setup -q -n rootcerts

mkdir -p builtins
cp %{SOURCE1} builtins/certdata.txt

# extract the license
head -36 builtins/certdata.txt > LICENSE

# add additional CA's here, needs to have the mozilla format...
cat %{SOURCE2} >> builtins/certdata.txt

# CAcert
cp %{SOURCE3} .

cp %{SOURCE6} .
%patch0 -p0
%patch1 -p0
%patch2 -p0

%build 
rm -f configure
libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy

# CAcert
# http://wiki.cacert.org/wiki/NSSLib
addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt

# new verisign intermediate certificate
# -t trust        trust flags (cCTpPuw).
openssl x509 -in %{SOURCE4} -inform PEM -outform DER | \
        addbuiltin -n "VeriSign Class 3 Secure Server CA" \
        -t "CT,C,C" >> builtins/certdata.txt

perl mkcerts.pl > certs.sh

%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
%make
cat pem/*.pem > ca-bundle.crt
cat %{SOURCE4} >> ca-bundle.crt

%if %with java
mkdir -p java
cd java
LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
cd ..
%endif

%install
rm -rf %{buildroot}

%makeinstall_std

install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
install -d %{buildroot}%{_bindir}

install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem

install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/

%if %with java
install -d %{buildroot}%{_sysconfdir}/pki/java
install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
%endif

cat > README << EOF

R O O T C E R T S
-----------------

This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

EOF

# fix #58107
install -d %{buildroot}%{_sysconfdir}/ssl
ln -sf %{_sysconfdir}/pki/tls/certs %{buildroot}%{_sysconfdir}/ssl/certs

%clean
rm -rf %{buildroot}

%files 
%defattr(-,root,root)
%doc README LICENSE
%{_sysconfdir}/pki/tls/cert.pem
%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
%{_sysconfdir}/ssl/certs

%if %with java
%files java
%defattr(-,root,root)
%dir %{_sysconfdir}/pki/java
%config(noreplace) %{_sysconfdir}/pki/java/cacerts
%endif
1	# don't make useless debug packages
2	%define _enable_debug_packages %{nil}
3	%define debug_package %{nil}
4
5	# _without = java enabled, _with = java disabled
6	%ifnarch %arm %mips
7	%bcond_without java
8	%else
9	%bcond_with java
10	%endif
11
12	Summary: Bundle of CA Root Certificates
13	Name: rootcerts
14	# <mrl> Use this versioning style in order to be easily backportable.
15	# Note that the release is the last two digits on the version.
16	# All BuildRequires for rootcerts should be done this way:
17	# BuildRequires: rootcerts >= 0:20070402.00, for example
18	# - NEVER specifying the %%{release}
19	Epoch: 1
20	Version: 20120628.00
21	Release: %mkrel 1
22	License: GPL
23	Group: System/Servers
24	URL: http://www.mageia.org
25	# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
26	Source0: rootcerts.tar.bz2
27	# www.mail-archive.com/ modssl-users@modssl.org/msg16980.html
28	#cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt > certdata.txt
29	Source1: certdata.txt
30	Source2: rootcerts-igp-brasil.txt
31	# http://www.cacert.org/certs/root.der
32	Source3: cacert.org.der
33	# http://qa.mandriva.com/show_bug.cgi?id=29612
34	# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
35	Source4: verisign-class-3-secure-server-ca.pem
36	# Java JKS keystore generator:
37	# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
38	Source6: generate-cacerts.pl
39	# Fix overwriting issue with generate-cacerts.pl
40	Patch0: generate-cacerts-fix-entrustsslca.patch
41	# Some hacks to make generate-cacerts.pl work with some of our certificates
42	Patch1: generate-cacerts-mageia.patch
43	# Just rename identically named certificates that are not handled by mageia.patch
44	Patch2: generate-cacerts-rename-duplicates.patch
45	BuildRequires: perl openssl nss
46	%if %with java
47	BuildRequires: java-rpmbuild
48	%endif
49
50	%description
51	This is a bundle of X.509 certificates of public Certificate
52	Authorities (CA). These were automatically extracted from Mozilla's
53	root CA list (the file "certdata.txt"). It contains the certificates
54	in both plain text and PEM format and therefore can be directly used
55	with an Apache/mod_ssl webserver for SSL client authentication. Just
56	configure this file as the SSLCACertificateFile.
57
58	%if %with java
59	%package java
60	Summary: Bundle of CA Root Certificates for Java
61	Group: Development/Java
62
63	%description java
64	Bundle of X.509 certificates of public Certificate Authorities (CA)
65	in a format used by Java Runtime Environment.
66	%endif
67
68	%prep
69
70	%setup -q -n rootcerts
71
72	mkdir -p builtins
73	cp %{SOURCE1} builtins/certdata.txt
74
75	# extract the license
76	head -36 builtins/certdata.txt > LICENSE
77
78	# add additional CA's here, needs to have the mozilla format...
79	cat %{SOURCE2} >> builtins/certdata.txt
80
81	# CAcert
82	cp %{SOURCE3} .
83
84	cp %{SOURCE6} .
85	%patch0 -p0
86	%patch1 -p0
87	%patch2 -p0
88
89	%build
90	rm -f configure
91	libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy
92
93	# CAcert
94	# http://wiki.cacert.org/wiki/NSSLib
95	addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt
96
97	# new verisign intermediate certificate
98	# -t trust trust flags (cCTpPuw).
99	openssl x509 -in %{SOURCE4} -inform PEM -outform DER \| \
100	addbuiltin -n "VeriSign Class 3 Secure Server CA" \
101	-t "CT,C,C" >> builtins/certdata.txt
102
103	perl mkcerts.pl > certs.sh
104
105	%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
106	%make
107	cat pem/*.pem > ca-bundle.crt
108	cat %{SOURCE4} >> ca-bundle.crt
109
110	%if %with java
111	mkdir -p java
112	cd java
113	LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
114	cd ..
115	%endif
116
117	%install
118	rm -rf %{buildroot}
119
120	%makeinstall_std
121
122	install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
123	install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
124	install -d %{buildroot}%{_bindir}
125
126	install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
127	ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem
128
129	install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/
130
131	%if %with java
132	install -d %{buildroot}%{_sysconfdir}/pki/java
133	install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
134	%endif
135
136	cat > README << EOF
137
138	R O O T C E R T S
139	-----------------
140
141	This is a bundle of X.509 certificates of public Certificate
142	Authorities (CA). These were automatically extracted from Mozilla's
143	root CA list (the file "certdata.txt"). It contains the certificates
144	in both plain text and PEM format and therefore can be directly used
145	with an Apache/mod_ssl webserver for SSL client authentication. Just
146	configure this file as the SSLCACertificateFile.
147
148	EOF
149
150	# fix #58107
151	install -d %{buildroot}%{_sysconfdir}/ssl
152	ln -sf %{_sysconfdir}/pki/tls/certs %{buildroot}%{_sysconfdir}/ssl/certs
153
154	%clean
155	rm -rf %{buildroot}
156
157	%files
158	%defattr(-,root,root)
159	%doc README LICENSE
160	%{_sysconfdir}/pki/tls/cert.pem
161	%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
162	%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
163	%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
164	%{_sysconfdir}/ssl/certs
165
166	%if %with java
167	%files java
168	%defattr(-,root,root)
169	%dir %{_sysconfdir}/pki/java
170	%config(noreplace) %{_sysconfdir}/pki/java/cacerts
171	%endif