current/SPECS/rootcerts.spec

# don't make useless debug packages
%define _enable_debug_packages  %{nil}
%define debug_package           %{nil}

# _without = java enabled, _with = java disabled
%ifnarch %arm %mips
%bcond_without java
%else
%bcond_with java
%endif

Summary:        Bundle of CA Root Certificates
Name:           rootcerts
# <mrl> Use this versioning style in order to be easily backportable.
# Note that the release is the last two digits on the version.
# All BuildRequires for rootcerts should be done this way:
# BuildRequires: rootcerts >= 0:20070402.00, for example
# - NEVER specifying the %%{release}
Epoch:          1
Version:        20131111.00
Release:        %mkrel 1
License:        GPL
Group:          Security
URL:            http://www.mageia.org
# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
Source0:        rootcerts.tar.bz2
# www.mail-archive.com/ modssl-users@modssl.org/msg16980.html
# https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
# See https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt for new versions
Source1:        certdata-%{version}.txt
Source2:        rootcerts-igp-brasil.txt
# http://www.cacert.org/certs/root.der
Source3:        cacert.org.der
# http://qa.mandriva.com/show_bug.cgi?id=29612
# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
Source4:        verisign-class-3-secure-server-ca.pem
# Java JKS keystore generator:
# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
Source6:        generate-cacerts.pl
# Fix overwriting issue with generate-cacerts.pl
Patch0:         generate-cacerts-fix-entrustsslca.patch
# Some hacks to make generate-cacerts.pl work with some of our certificates
Patch1:         generate-cacerts-mageia.patch
# Just rename identically named certificates that are not handled by mageia.patch
Patch2:         generate-cacerts-rename-duplicates.patch
BuildRequires:  perl openssl nss
%if %with java
BuildRequires:  javapackages-tools
BuildRequires:  java-devel
%endif

%description
This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

%if %with java
%package java
Summary:        Bundle of CA Root Certificates for Java
Group:          Development/Java

%description java
Bundle of X.509 certificates of public Certificate Authorities (CA)
in a format used by Java Runtime Environment.
%endif

%prep

%setup -q -n rootcerts

mkdir -p builtins
cp %{SOURCE1} builtins/certdata.txt

# extract the license
head -4 builtins/certdata.txt > LICENSE

# add additional CA's here, needs to have the mozilla format...
cat %{SOURCE2} >> builtins/certdata.txt

# CAcert
cp %{SOURCE3} .

cp %{SOURCE6} .
%patch0 -p0
%patch1 -p0
%patch2 -p0

%build 
rm -f configure
libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy

# CAcert
# http://wiki.cacert.org/wiki/NSSLib
addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt

# new verisign intermediate certificate
# -t trust        trust flags (cCTpPuw).
openssl x509 -in %{SOURCE4} -inform PEM -outform DER | \
        addbuiltin -n "VeriSign Class 3 Secure Server CA" \
        -t "CT,C,C" >> builtins/certdata.txt

perl mkcerts.pl > certs.sh

%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
%make
cat pem/*.pem > ca-bundle.crt
cat %{SOURCE4} >> ca-bundle.crt

%if %with java
mkdir -p java
cd java
LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
cd ..
%endif

%install
rm -rf %{buildroot}

%makeinstall_std

install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
install -d %{buildroot}%{_bindir}

install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem

install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/

%if %with java
install -d %{buildroot}%{_sysconfdir}/pki/java
install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
%endif

cat > README << EOF

R O O T C E R T S
-----------------

This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

EOF

# be compatible with Debian/Ubuntu SSL paths
# fix #58107 (also used by dovecot default config)
install -d %{buildroot}%{_sysconfdir}/ssl
for d in certs private; do
    ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
done

%clean
rm -rf %{buildroot}

%files 
%defattr(-,root,root)
%doc README LICENSE
%{_sysconfdir}/pki/tls/cert.pem
%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
%{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/private

%if %with java
%files java
%defattr(-,root,root)
%dir %{_sysconfdir}/pki/java
%config(noreplace) %{_sysconfdir}/pki/java/cacerts
%endif
1	# don't make useless debug packages
2	%define _enable_debug_packages %{nil}
3	%define debug_package %{nil}
4
5	# _without = java enabled, _with = java disabled
6	%ifnarch %arm %mips
7	%bcond_without java
8	%else
9	%bcond_with java
10	%endif
11
12	Summary: Bundle of CA Root Certificates
13	Name: rootcerts
14	# <mrl> Use this versioning style in order to be easily backportable.
15	# Note that the release is the last two digits on the version.
16	# All BuildRequires for rootcerts should be done this way:
17	# BuildRequires: rootcerts >= 0:20070402.00, for example
18	# - NEVER specifying the %%{release}
19	Epoch: 1
20	Version: 20131111.00
21	Release: %mkrel 1
22	License: GPL
23	Group: Security
24	URL: http://www.mageia.org
25	# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
26	Source0: rootcerts.tar.bz2
27	# www.mail-archive.com/ modssl-users@modssl.org/msg16980.html
28	# https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
29	# See https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt for new versions
30	Source1: certdata-%{version}.txt
31	Source2: rootcerts-igp-brasil.txt
32	# http://www.cacert.org/certs/root.der
33	Source3: cacert.org.der
34	# http://qa.mandriva.com/show_bug.cgi?id=29612
35	# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
36	Source4: verisign-class-3-secure-server-ca.pem
37	# Java JKS keystore generator:
38	# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
39	Source6: generate-cacerts.pl
40	# Fix overwriting issue with generate-cacerts.pl
41	Patch0: generate-cacerts-fix-entrustsslca.patch
42	# Some hacks to make generate-cacerts.pl work with some of our certificates
43	Patch1: generate-cacerts-mageia.patch
44	# Just rename identically named certificates that are not handled by mageia.patch
45	Patch2: generate-cacerts-rename-duplicates.patch
46	BuildRequires: perl openssl nss
47	%if %with java
48	BuildRequires: javapackages-tools
49	BuildRequires: java-devel
50	%endif
51
52	%description
53	This is a bundle of X.509 certificates of public Certificate
54	Authorities (CA). These were automatically extracted from Mozilla's
55	root CA list (the file "certdata.txt"). It contains the certificates
56	in both plain text and PEM format and therefore can be directly used
57	with an Apache/mod_ssl webserver for SSL client authentication. Just
58	configure this file as the SSLCACertificateFile.
59
60	%if %with java
61	%package java
62	Summary: Bundle of CA Root Certificates for Java
63	Group: Development/Java
64
65	%description java
66	Bundle of X.509 certificates of public Certificate Authorities (CA)
67	in a format used by Java Runtime Environment.
68	%endif
69
70	%prep
71
72	%setup -q -n rootcerts
73
74	mkdir -p builtins
75	cp %{SOURCE1} builtins/certdata.txt
76
77	# extract the license
78	head -4 builtins/certdata.txt > LICENSE
79
80	# add additional CA's here, needs to have the mozilla format...
81	cat %{SOURCE2} >> builtins/certdata.txt
82
83	# CAcert
84	cp %{SOURCE3} .
85
86	cp %{SOURCE6} .
87	%patch0 -p0
88	%patch1 -p0
89	%patch2 -p0
90
91	%build
92	rm -f configure
93	libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy
94
95	# CAcert
96	# http://wiki.cacert.org/wiki/NSSLib
97	addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt
98
99	# new verisign intermediate certificate
100	# -t trust trust flags (cCTpPuw).
101	openssl x509 -in %{SOURCE4} -inform PEM -outform DER \| \
102	addbuiltin -n "VeriSign Class 3 Secure Server CA" \
103	-t "CT,C,C" >> builtins/certdata.txt
104
105	perl mkcerts.pl > certs.sh
106
107	%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
108	%make
109	cat pem/*.pem > ca-bundle.crt
110	cat %{SOURCE4} >> ca-bundle.crt
111
112	%if %with java
113	mkdir -p java
114	cd java
115	LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
116	cd ..
117	%endif
118
119	%install
120	rm -rf %{buildroot}
121
122	%makeinstall_std
123
124	install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
125	install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
126	install -d %{buildroot}%{_bindir}
127
128	install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
129	ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem
130
131	install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/
132
133	%if %with java
134	install -d %{buildroot}%{_sysconfdir}/pki/java
135	install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
136	%endif
137
138	cat > README << EOF
139
140	R O O T C E R T S
141	-----------------
142
143	This is a bundle of X.509 certificates of public Certificate
144	Authorities (CA). These were automatically extracted from Mozilla's
145	root CA list (the file "certdata.txt"). It contains the certificates
146	in both plain text and PEM format and therefore can be directly used
147	with an Apache/mod_ssl webserver for SSL client authentication. Just
148	configure this file as the SSLCACertificateFile.
149
150	EOF
151
152	# be compatible with Debian/Ubuntu SSL paths
153	# fix #58107 (also used by dovecot default config)
154	install -d %{buildroot}%{_sysconfdir}/ssl
155	for d in certs private; do
156	ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
157	done
158
159	%clean
160	rm -rf %{buildroot}
161
162	%files
163	%defattr(-,root,root)
164	%doc README LICENSE
165	%{_sysconfdir}/pki/tls/cert.pem
166	%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
167	%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
168	%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
169	%{_sysconfdir}/ssl/certs
170	%{_sysconfdir}/ssl/private
171
172	%if %with java
173	%files java
174	%defattr(-,root,root)
175	%dir %{_sysconfdir}/pki/java
176	%config(noreplace) %{_sysconfdir}/pki/java/cacerts
177	%endif