current/SPECS/rootcerts.spec

# don't make useless debug packages
%define _enable_debug_packages  %{nil}
%define debug_package           %{nil}

# _without = java enabled, _with = java disabled
%ifnarch %arm %mips
%bcond_without java
%else
%bcond_with java
%endif

Summary:        Bundle of CA Root Certificates
Name:           rootcerts
# <mrl> Use this versioning style in order to be easily backportable.
# Note that the release is the last two digits on the version.
# All BuildRequires for rootcerts should be done this way:
# BuildRequires: rootcerts >= 0:20070402.00, for example
# - NEVER specifying the %%{release}
Epoch:          1
Version:        20140805.00
Release:        %mkrel 3
License:        GPL
Group:          Security
URL:            http://www.mageia.org
# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
Source0:        rootcerts.tar.bz2
# www.mail-archive.com/ modssl-users@modssl.org/msg16980.html
# 
# For Source1, the NSS commit trunk version of this file is here:
# https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
# See https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt for new versions
# The version tag for this package should come from the commit date of the version used from the NSS repository above
# To choose which NSS commit version to use, we can check the certdata.txt file used in either...
# the current Mozilla release:
# https://hg.mozilla.org/releases/mozilla-release/log/default/security/nss/lib/ckfw/builtins/certdata.txt
# or the Mozilla development commit trunk:
# https://hg.mozilla.org/mozilla-central/log/default/security/nss/lib/ckfw/builtins/certdata.txt
# Ideally, it should correspond to the version shipped in the NSS release we are using
Source1:        certdata-%{version}.txt
Source2:        rootcerts-igp-brasil.txt
# http://www.cacert.org/certs/root.der
Source3:        cacert.org.der
# http://qa.mandriva.com/show_bug.cgi?id=29612
# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
Source4:        verisign-class-3-secure-server-ca.pem
# Java JKS keystore generator:
# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
Source6:        generate-cacerts.pl
# Fix overwriting issue with generate-cacerts.pl
Patch0:         generate-cacerts-fix-entrustsslca.patch
# Some hacks to make generate-cacerts.pl work with some of our certificates
Patch1:         generate-cacerts-mageia.patch
# Just rename identically named certificates that are not handled by mageia.patch
Patch2:         generate-cacerts-rename-duplicates.patch
BuildRequires:  perl 
BuildRequires:  openssl 
BuildRequires:  nss
%if %with java
BuildRequires:  javapackages-tools
BuildRequires:  java-devel
%endif

%description
This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

%if %with java
%package java
Summary:        Bundle of CA Root Certificates for Java
Group:          Development/Java

%description java
Bundle of X.509 certificates of public Certificate Authorities (CA)
in a format used by Java Runtime Environment.
%endif

%prep

%setup -q -n rootcerts

mkdir -p builtins
cp %{SOURCE1} builtins/certdata.txt

# extract the license
head -4 builtins/certdata.txt > LICENSE

# add additional CA's here, needs to have the mozilla format...
cat %{SOURCE2} >> builtins/certdata.txt

# CAcert
cp %{SOURCE3} .

cp %{SOURCE6} .
%patch0 -p0
%patch1 -p0
%patch2 -p0

%build 
rm -f configure
libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy

# CAcert
# http://wiki.cacert.org/wiki/NSSLib
addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt

# new verisign intermediate certificate
# -t trust        trust flags (cCTpPuw).
openssl x509 -in %{SOURCE4} -inform PEM -outform DER | \
        addbuiltin -n "VeriSign Class 3 Secure Server CA" \
        -t "CT,C,C" >> builtins/certdata.txt

perl mkcerts.pl > certs.sh

%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
%make
cat pem/*.pem > ca-bundle.crt
cat %{SOURCE4} >> ca-bundle.crt

%if %with java
mkdir -p java
cd java
LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
cd ..
%endif

%install
%makeinstall_std

install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
install -d %{buildroot}%{_bindir}

install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem

install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/

%if %with java
install -d %{buildroot}%{_sysconfdir}/pki/java
install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
%endif

cat > README << EOF

R O O T C E R T S
-----------------

This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

EOF

# be compatible with Debian/Ubuntu SSL paths
# fix #58107 (also used by dovecot default config)
install -d %{buildroot}%{_sysconfdir}/ssl
for d in certs private; do
    ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
done

%files 
%doc README LICENSE
%{_sysconfdir}/pki/tls/cert.pem
%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
%{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/private

%if %with java
%files java
%dir %{_sysconfdir}/pki/java
%config(noreplace) %{_sysconfdir}/pki/java/cacerts
%endif
1	# don't make useless debug packages
2	%define _enable_debug_packages %{nil}
3	%define debug_package %{nil}
4
5	# _without = java enabled, _with = java disabled
6	%ifnarch %arm %mips
7	%bcond_without java
8	%else
9	%bcond_with java
10	%endif
11
12	Summary: Bundle of CA Root Certificates
13	Name: rootcerts
14	# <mrl> Use this versioning style in order to be easily backportable.
15	# Note that the release is the last two digits on the version.
16	# All BuildRequires for rootcerts should be done this way:
17	# BuildRequires: rootcerts >= 0:20070402.00, for example
18	# - NEVER specifying the %%{release}
19	Epoch: 1
20	Version: 20140805.00
21	Release: %mkrel 3
22	License: GPL
23	Group: Security
24	URL: http://www.mageia.org
25	# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
26	Source0: rootcerts.tar.bz2
27	# www.mail-archive.com/ modssl-users@modssl.org/msg16980.html
28	#
29	# For Source1, the NSS commit trunk version of this file is here:
30	# https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
31	# See https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt for new versions
32	# The version tag for this package should come from the commit date of the version used from the NSS repository above
33	# To choose which NSS commit version to use, we can check the certdata.txt file used in either...
34	# the current Mozilla release:
35	# https://hg.mozilla.org/releases/mozilla-release/log/default/security/nss/lib/ckfw/builtins/certdata.txt
36	# or the Mozilla development commit trunk:
37	# https://hg.mozilla.org/mozilla-central/log/default/security/nss/lib/ckfw/builtins/certdata.txt
38	# Ideally, it should correspond to the version shipped in the NSS release we are using
39	Source1: certdata-%{version}.txt
40	Source2: rootcerts-igp-brasil.txt
41	# http://www.cacert.org/certs/root.der
42	Source3: cacert.org.der
43	# http://qa.mandriva.com/show_bug.cgi?id=29612
44	# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
45	Source4: verisign-class-3-secure-server-ca.pem
46	# Java JKS keystore generator:
47	# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
48	Source6: generate-cacerts.pl
49	# Fix overwriting issue with generate-cacerts.pl
50	Patch0: generate-cacerts-fix-entrustsslca.patch
51	# Some hacks to make generate-cacerts.pl work with some of our certificates
52	Patch1: generate-cacerts-mageia.patch
53	# Just rename identically named certificates that are not handled by mageia.patch
54	Patch2: generate-cacerts-rename-duplicates.patch
55	BuildRequires: perl
56	BuildRequires: openssl
57	BuildRequires: nss
58	%if %with java
59	BuildRequires: javapackages-tools
60	BuildRequires: java-devel
61	%endif
62
63	%description
64	This is a bundle of X.509 certificates of public Certificate
65	Authorities (CA). These were automatically extracted from Mozilla's
66	root CA list (the file "certdata.txt"). It contains the certificates
67	in both plain text and PEM format and therefore can be directly used
68	with an Apache/mod_ssl webserver for SSL client authentication. Just
69	configure this file as the SSLCACertificateFile.
70
71	%if %with java
72	%package java
73	Summary: Bundle of CA Root Certificates for Java
74	Group: Development/Java
75
76	%description java
77	Bundle of X.509 certificates of public Certificate Authorities (CA)
78	in a format used by Java Runtime Environment.
79	%endif
80
81	%prep
82
83	%setup -q -n rootcerts
84
85	mkdir -p builtins
86	cp %{SOURCE1} builtins/certdata.txt
87
88	# extract the license
89	head -4 builtins/certdata.txt > LICENSE
90
91	# add additional CA's here, needs to have the mozilla format...
92	cat %{SOURCE2} >> builtins/certdata.txt
93
94	# CAcert
95	cp %{SOURCE3} .
96
97	cp %{SOURCE6} .
98	%patch0 -p0
99	%patch1 -p0
100	%patch2 -p0
101
102	%build
103	rm -f configure
104	libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy
105
106	# CAcert
107	# http://wiki.cacert.org/wiki/NSSLib
108	addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt
109
110	# new verisign intermediate certificate
111	# -t trust trust flags (cCTpPuw).
112	openssl x509 -in %{SOURCE4} -inform PEM -outform DER \| \
113	addbuiltin -n "VeriSign Class 3 Secure Server CA" \
114	-t "CT,C,C" >> builtins/certdata.txt
115
116	perl mkcerts.pl > certs.sh
117
118	%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
119	%make
120	cat pem/*.pem > ca-bundle.crt
121	cat %{SOURCE4} >> ca-bundle.crt
122
123	%if %with java
124	mkdir -p java
125	cd java
126	LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
127	cd ..
128	%endif
129
130	%install
131	%makeinstall_std
132
133	install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
134	install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
135	install -d %{buildroot}%{_bindir}
136
137	install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
138	ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem
139
140	install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/
141
142	%if %with java
143	install -d %{buildroot}%{_sysconfdir}/pki/java
144	install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
145	%endif
146
147	cat > README << EOF
148
149	R O O T C E R T S
150	-----------------
151
152	This is a bundle of X.509 certificates of public Certificate
153	Authorities (CA). These were automatically extracted from Mozilla's
154	root CA list (the file "certdata.txt"). It contains the certificates
155	in both plain text and PEM format and therefore can be directly used
156	with an Apache/mod_ssl webserver for SSL client authentication. Just
157	configure this file as the SSLCACertificateFile.
158
159	EOF
160
161	# be compatible with Debian/Ubuntu SSL paths
162	# fix #58107 (also used by dovecot default config)
163	install -d %{buildroot}%{_sysconfdir}/ssl
164	for d in certs private; do
165	ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
166	done
167
168	%files
169	%doc README LICENSE
170	%{_sysconfdir}/pki/tls/cert.pem
171	%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
172	%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
173	%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
174	%{_sysconfdir}/ssl/certs
175	%{_sysconfdir}/ssl/private
176
177	%if %with java
178	%files java
179	%dir %{_sysconfdir}/pki/java
180	%config(noreplace) %{_sysconfdir}/pki/java/cacerts
181	%endif