current/SPECS/rootcerts.spec

# don't make useless debug packages
%define _enable_debug_packages  %{nil}
%define debug_package           %{nil}

# _without = java enabled, _with = java disabled
%ifnarch %arm %mips
%bcond_without java
%else
%bcond_with java
%endif

Summary:        Bundle of CA Root Certificates
Name:           rootcerts
# <mrl> Use this versioning style in order to be easily backportable.
# Note that the release is the last two digits on the version.
# All BuildRequires for rootcerts should be done this way:
# BuildRequires: rootcerts >= 0:20070402.00, for example
# - NEVER specifying the %%{release}
Epoch:          1
Version:        20130411.00
Release:        %mkrel 1
License:        GPL
Group:          Security
URL:            http://www.mageia.org
# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
Source0:        rootcerts.tar.bz2
# www.mail-archive.com/ modssl-users@modssl.org/msg16980.html
# http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
# https://hg.mozilla.org/projects/nss/raw-file/31f662841be2/lib/ckfw/builtins/certdata.txt
Source1:        certdata-%{version}.txt
Source2:        rootcerts-igp-brasil.txt
# http://www.cacert.org/certs/root.der
Source3:        cacert.org.der
# http://qa.mandriva.com/show_bug.cgi?id=29612
# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
Source4:        verisign-class-3-secure-server-ca.pem
# Java JKS keystore generator:
# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
Source6:        generate-cacerts.pl
# Fix overwriting issue with generate-cacerts.pl
Patch0:         generate-cacerts-fix-entrustsslca.patch
# Some hacks to make generate-cacerts.pl work with some of our certificates
Patch1:         generate-cacerts-mageia.patch
# Just rename identically named certificates that are not handled by mageia.patch
Patch2:         generate-cacerts-rename-duplicates.patch
BuildRequires:  perl openssl nss
%if %with java
BuildRequires:  java-rpmbuild
%endif

%description
This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

%if %with java
%package java
Summary:        Bundle of CA Root Certificates for Java
Group:          Development/Java

%description java
Bundle of X.509 certificates of public Certificate Authorities (CA)
in a format used by Java Runtime Environment.
%endif

%prep

%setup -q -n rootcerts

mkdir -p builtins
cp %{SOURCE1} builtins/certdata.txt

# extract the license
head -4 builtins/certdata.txt > LICENSE

# add additional CA's here, needs to have the mozilla format...
cat %{SOURCE2} >> builtins/certdata.txt

# CAcert
cp %{SOURCE3} .

cp %{SOURCE6} .
%patch0 -p0
%patch1 -p0
%patch2 -p0

%build 
rm -f configure
libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy

# CAcert
# http://wiki.cacert.org/wiki/NSSLib
addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt

# new verisign intermediate certificate
# -t trust        trust flags (cCTpPuw).
openssl x509 -in %{SOURCE4} -inform PEM -outform DER | \
        addbuiltin -n "VeriSign Class 3 Secure Server CA" \
        -t "CT,C,C" >> builtins/certdata.txt

perl mkcerts.pl > certs.sh

%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
%make
cat pem/*.pem > ca-bundle.crt
cat %{SOURCE4} >> ca-bundle.crt

%if %with java
mkdir -p java
cd java
LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
cd ..
%endif

%install
rm -rf %{buildroot}

%makeinstall_std

install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
install -d %{buildroot}%{_bindir}

install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem

install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/

%if %with java
install -d %{buildroot}%{_sysconfdir}/pki/java
install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
%endif

cat > README << EOF

R O O T C E R T S
-----------------

This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

EOF

# be compatible with Debian/Ubuntu SSL paths
# fix #58107 (also used by dovecot default config)
install -d %{buildroot}%{_sysconfdir}/ssl
for d in certs private; do
    ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
done

%clean
rm -rf %{buildroot}

%files 
%defattr(-,root,root)
%doc README LICENSE
%{_sysconfdir}/pki/tls/cert.pem
%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
%{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/private

%if %with java
%files java
%defattr(-,root,root)
%dir %{_sysconfdir}/pki/java
%config(noreplace) %{_sysconfdir}/pki/java/cacerts
%endif
1	# don't make useless debug packages
2	%define _enable_debug_packages %{nil}
3	%define debug_package %{nil}
4
5	# _without = java enabled, _with = java disabled
6	%ifnarch %arm %mips
7	%bcond_without java
8	%else
9	%bcond_with java
10	%endif
11
12	Summary: Bundle of CA Root Certificates
13	Name: rootcerts
14	# <mrl> Use this versioning style in order to be easily backportable.
15	# Note that the release is the last two digits on the version.
16	# All BuildRequires for rootcerts should be done this way:
17	# BuildRequires: rootcerts >= 0:20070402.00, for example
18	# - NEVER specifying the %%{release}
19	Epoch: 1
20	Version: 20130411.00
21	Release: %mkrel 1
22	License: GPL
23	Group: Security
24	URL: http://www.mageia.org
25	# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
26	Source0: rootcerts.tar.bz2
27	# www.mail-archive.com/ modssl-users@modssl.org/msg16980.html
28	# http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
29	# https://hg.mozilla.org/projects/nss/raw-file/31f662841be2/lib/ckfw/builtins/certdata.txt
30	Source1: certdata-%{version}.txt
31	Source2: rootcerts-igp-brasil.txt
32	# http://www.cacert.org/certs/root.der
33	Source3: cacert.org.der
34	# http://qa.mandriva.com/show_bug.cgi?id=29612
35	# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
36	Source4: verisign-class-3-secure-server-ca.pem
37	# Java JKS keystore generator:
38	# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
39	Source6: generate-cacerts.pl
40	# Fix overwriting issue with generate-cacerts.pl
41	Patch0: generate-cacerts-fix-entrustsslca.patch
42	# Some hacks to make generate-cacerts.pl work with some of our certificates
43	Patch1: generate-cacerts-mageia.patch
44	# Just rename identically named certificates that are not handled by mageia.patch
45	Patch2: generate-cacerts-rename-duplicates.patch
46	BuildRequires: perl openssl nss
47	%if %with java
48	BuildRequires: java-rpmbuild
49	%endif
50
51	%description
52	This is a bundle of X.509 certificates of public Certificate
53	Authorities (CA). These were automatically extracted from Mozilla's
54	root CA list (the file "certdata.txt"). It contains the certificates
55	in both plain text and PEM format and therefore can be directly used
56	with an Apache/mod_ssl webserver for SSL client authentication. Just
57	configure this file as the SSLCACertificateFile.
58
59	%if %with java
60	%package java
61	Summary: Bundle of CA Root Certificates for Java
62	Group: Development/Java
63
64	%description java
65	Bundle of X.509 certificates of public Certificate Authorities (CA)
66	in a format used by Java Runtime Environment.
67	%endif
68
69	%prep
70
71	%setup -q -n rootcerts
72
73	mkdir -p builtins
74	cp %{SOURCE1} builtins/certdata.txt
75
76	# extract the license
77	head -4 builtins/certdata.txt > LICENSE
78
79	# add additional CA's here, needs to have the mozilla format...
80	cat %{SOURCE2} >> builtins/certdata.txt
81
82	# CAcert
83	cp %{SOURCE3} .
84
85	cp %{SOURCE6} .
86	%patch0 -p0
87	%patch1 -p0
88	%patch2 -p0
89
90	%build
91	rm -f configure
92	libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy
93
94	# CAcert
95	# http://wiki.cacert.org/wiki/NSSLib
96	addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt
97
98	# new verisign intermediate certificate
99	# -t trust trust flags (cCTpPuw).
100	openssl x509 -in %{SOURCE4} -inform PEM -outform DER \| \
101	addbuiltin -n "VeriSign Class 3 Secure Server CA" \
102	-t "CT,C,C" >> builtins/certdata.txt
103
104	perl mkcerts.pl > certs.sh
105
106	%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
107	%make
108	cat pem/*.pem > ca-bundle.crt
109	cat %{SOURCE4} >> ca-bundle.crt
110
111	%if %with java
112	mkdir -p java
113	cd java
114	LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
115	cd ..
116	%endif
117
118	%install
119	rm -rf %{buildroot}
120
121	%makeinstall_std
122
123	install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
124	install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
125	install -d %{buildroot}%{_bindir}
126
127	install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
128	ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem
129
130	install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/
131
132	%if %with java
133	install -d %{buildroot}%{_sysconfdir}/pki/java
134	install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
135	%endif
136
137	cat > README << EOF
138
139	R O O T C E R T S
140	-----------------
141
142	This is a bundle of X.509 certificates of public Certificate
143	Authorities (CA). These were automatically extracted from Mozilla's
144	root CA list (the file "certdata.txt"). It contains the certificates
145	in both plain text and PEM format and therefore can be directly used
146	with an Apache/mod_ssl webserver for SSL client authentication. Just
147	configure this file as the SSLCACertificateFile.
148
149	EOF
150
151	# be compatible with Debian/Ubuntu SSL paths
152	# fix #58107 (also used by dovecot default config)
153	install -d %{buildroot}%{_sysconfdir}/ssl
154	for d in certs private; do
155	ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
156	done
157
158	%clean
159	rm -rf %{buildroot}
160
161	%files
162	%defattr(-,root,root)
163	%doc README LICENSE
164	%{_sysconfdir}/pki/tls/cert.pem
165	%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
166	%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
167	%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
168	%{_sysconfdir}/ssl/certs
169	%{_sysconfdir}/ssl/private
170
171	%if %with java
172	%files java
173	%defattr(-,root,root)
174	%dir %{_sysconfdir}/pki/java
175	%config(noreplace) %{_sysconfdir}/pki/java/cacerts
176	%endif