# Build conditionals.  "--with bootstrap" drops the BuildRequires on nss so the
# package can be built before nss exists in a new distribution; java support is
# on by default and can be switched off with "--without java".
%bcond_with bootstrap
%bcond_without java
# Where the trust store lives: pkidir holds the legacy OpenSSL/Java paths,
# catrustdir the p11-kit style source/ and extracted/ tree managed by
# update-ca-trust.
%define pkidir %{_sysconfdir}/pki
%define catrustdir %{_sysconfdir}/pki/ca-trust
# File names of the bundles derived from the Mozilla list.
# classic: plain PEM bundle for TLS; openssl_format: PEM with OpenSSL trust
# attributes; p11_format: the master bundle (with trust/distrust flags) that
# update-ca-trust extracts everything else from.
%define classic_tls_bundle ca-bundle.crt
%define openssl_format_trust_bundle ca-bundle.trust.crt
%define p11_format_bundle ca-bundle.trust.p11-kit
# Legacy bundles: roots whose trust is kept (default) or dropped (disable)
# depending on ca-legacy.conf; see the build section for how they are made.
%define legacy_default_bundle ca-bundle.legacy.default.crt
%define legacy_disable_bundle ca-bundle.legacy.disable.crt
# Java keystore, relative to the extracted/ directory and to pkidir.
%define java_bundle java/cacerts
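Summary: Bundle of CA Root Certificates
Name: rootcerts
Epoch: 1
# *** Important: update BOTH Source0 and Source1 when newer than date below
Version: 20200909.00
Release: 1.vsos0
License: GPL
Group: Security
URL: https://fedoraproject.org/wiki/CA-Certificates
# For Source0, the NSS commit trunk version of this file is here:
# https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
# See https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt for new versions
# The version tag for this package should come from the commit date of the version used from the NSS repository above
# To choose which NSS commit version to use, we can check the certdata.txt file used in either...
# the current Mozilla release:
# https://hg.mozilla.org/releases/mozilla-release/log/default/security/nss/lib/ckfw/builtins/certdata.txt
# or the Mozilla development commit trunk:
# https://hg.mozilla.org/mozilla-central/log/default/security/nss/lib/ckfw/builtins/certdata.txt
# Ideally, it should correspond to the version shipped in the NSS release we are using
#
# NOTE(review): certdata.txt defines the whole system trust store.  Record the
# NSS changeset the copy was taken from next to the version above and check the
# downloaded file against it before bumping, so that a tampered or truncated
# download cannot change which roots the system trusts.
Source0: certdata-%{version}.txt
# Similarly, Source1 comes from:
# https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h
# Check the log to see if it needs to be updated:
# https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/nssckbi.h
Source1: nssckbi.h
# Tools installed into bindir and run from the post/posttrans scriptlets.
Source2: update-ca-trust
# Local trust overrides appended to the master bundle (see the build section).
Source3: trust-fixes
# Converter that splits certdata.txt into per-certificate files.
Source4: certdata2pem.py
Source5: ca-legacy.conf
Source6: ca-legacy
Source9: ca-legacy.8.txt
Source10: update-ca-trust.8.txt
# The scriptlets run ca-legacy and update-ca-trust, which need coreutils and
# the p11-kit trust tooling at install time.
Requires(post): coreutils
Requires(post): p11-kit
Requires(post): p11-kit-trust
BuildRequires: perl
BuildRequires: openssl
# certdata2pem.py (Source4) is invoked as "python3" in the build section.
BuildRequires: python3
%if %{without bootstrap}
BuildRequires: nss
%endif
%if %with java
BuildRequires: javapackages-tools
BuildRequires: java-devel
%endif
# Manual pages are built from asciidoc sources.
BuildRequires: asciidoc
BuildRequires: xsltproc
BuildArch: noarch
# Versioned so that a "Requires: ca-certificates >= ..." elsewhere can be
# satisfied by this package; an unversioned requirement still matches.
Provides: ca-certificates = %{epoch}:%{version}-%{release}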
%description
|
|
|
|
This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt") and are shipped as a p11-kit
trust source from which update-ca-trust(8) generates the PEM, OpenSSL
and Java bundles. The PEM bundle can be used directly by TLS clients
and servers to verify their peers, for example as the
SSLCACertificateFile of an Apache/mod_ssl webserver. Note that using
the complete public root list to authenticate TLS clients accepts a
client certificate issued by any public CA; for client authentication
a file containing only the CA(s) you issue client certificates from
should be used instead.
%if %with java
# The keystore itself is a ghost file generated by update-ca-trust; this
# subpackage only adds the pkidir/java/cacerts symlink pointing at it
# (see the install and files sections).
%package java
Summary: Bundle of CA Root Certificates for Java
Group: Development/Java

%description java
Bundle of X.509 certificates of public Certificate Authorities (CA)
in a format used by Java Runtime Environment.
%endif
%prep
# Start from a clean work tree.  certs/ is where certdata2pem.py is run in the
# build section; the legacy-* directories and java/ are filled in there too.
rm -rf %{name}
for workdir in certs/legacy-default certs/legacy-disable java; do
    mkdir -p "%{name}/$workdir"
done
%build
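pushd %{name}/certs
cp %{SOURCE0} certdata.txt
# certdata2pem.py splits certdata.txt into per-certificate files here; keep
# its output so the build log shows which roots were sorted where.
python3 %{SOURCE4} >c2p.log 2>c2p.err
popd
pushd %{name}
# Header of the master p11-kit bundle.  The NSS builtins version is taken
# from the NSS_BUILTINS_LIBRARY_VERSION line of nssckbi.h (Source1).
(
cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
# Authorities. It was generated from the Mozilla root CA list.
# These certificates and trust/distrust attributes use the file format accepted
# by the p11-kit-trust module.
#
# Source: nss/lib/ckfw/builtins/certdata.txt
# Source: nss/lib/ckfw/builtins/nssckbi.h
#
# Generated from:
EOF
grep -w NSS_BUILTINS_LIBRARY_VERSION %{SOURCE1} | awk '{print "# " $2 " " $3}'
echo '#'
) > %{p11_format_bundle}

# Re-encode the .crt files of one legacy directory into an OpenSSL "trusted
# certificate" bundle.  The trust purposes come from the "# openssl-trust="
# line(s) and the alias from the first "# alias=" line that certdata2pem.py
# wrote into each file; a certificate without trust bits is skipped.
# Those lines are build-time input from Source0, not user data, but they are
# still passed to openssl as arguments, so keep each token a separate word.
#   $1: directory holding the .crt files
#   $2: bundle to append to (created empty even if nothing qualifies)
#   $3: label used in info.trust ("default" or "disable")
build_legacy_bundle() {
    legacy_dir=$1
    legacy_out=$2
    legacy_label=$3
    touch "$legacy_out"
    for f in "$legacy_dir"/*.crt; do
        # No match leaves the literal pattern; skip it instead of feeding
        # sed/openssl a non-existent file.
        [ -f "$f" ] || continue
        echo "processing $f"
        tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' "$f")
        alias=$(sed -n '/^# alias=/{s/^.*=//;p;q;}' "$f" | sed "s/'//g" | sed 's/"//g')
        # Collect "-addtrust <purpose>" pairs in the positional parameters so
        # the argument list is built without relying on unquoted expansion.
        set --
        for t in $tbits; do
            set -- "$@" -addtrust "$t"
        done
        if [ $# -ne 0 ]; then
            echo "legacy $legacy_label flags $* for $f" >> info.trust
            openssl x509 -text -in "$f" -trustout "$@" -setalias "$alias" >> "$legacy_out"
        fi
    done
}
build_legacy_bundle certs/legacy-default %{legacy_default_bundle} default
build_legacy_bundle certs/legacy-disable %{legacy_disable_bundle} disable

# Concatenate the per-certificate p11-kit objects written by certdata2pem.py
# into the master bundle.  (The old code counted files with a recursive find
# but only read the top-level directory; the glob is the authoritative list.)
for p in certs/*.tmp-p11-kit; do
    [ -f "$p" ] || continue
    cat "$p" >> %{p11_format_bundle}
done
# Append our trust fixes.  Anything in Source3 overrides Mozilla's trust
# decisions for every consumer of this store, so changes to that file deserve
# the same review as adding a new root.
cat %{SOURCE3} >> %{p11_format_bundle}
popd

# Manual pages: asciidoc -> docbook -> troff, written next to the bundles.
#   $1: asciidoc source, $2: page name (without the .8 suffix)
build_manpage() {
    cp "$1" %{name}/$2.8.txt
    asciidoc.py -v -d manpage -b docbook %{name}/$2.8.txt
    xsltproc --nonet -o %{name}/$2.8 /etc/asciidoc/docbook-xsl/manpage.xsl %{name}/$2.8.xml
}
build_manpage %{SOURCE10} update-ca-trust
build_manpage %{SOURCE9} ca-legacy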
%install
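# Trust store skeleton.  source/ takes the administrator's inputs (anchors/ to
# add CAs, blacklist/ to distrust certificates); extracted/ receives the
# bundles update-ca-trust generates from source/ and the master bundle.
mkdir -p -m 755 %{buildroot}%{pkidir}/java
for trustsub in source source/anchors source/blacklist \
                extracted extracted/pem extracted/openssl extracted/java extracted/edk2; do
    mkdir -p -m 755 "%{buildroot}%{catrustdir}/$trustsub"
done
mkdir -p -m 755 %{buildroot}%{_mandir}/man8
install -p -m 644 %{name}/update-ca-trust.8 %{buildroot}%{_mandir}/man8
install -p -m 644 %{name}/ca-legacy.8 %{buildroot}%{_mandir}/man8
install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -d %{buildroot}%{_sysconfdir}/pki/tls/certs/source
install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
install -d %{buildroot}%{_bindir}
install -p -m 644 %{SOURCE5} %{buildroot}%{catrustdir}/ca-legacy.conf
install -p -m 755 %{SOURCE2} %{buildroot}%{_bindir}/update-ca-trust
install -p -m 755 %{SOURCE6} %{buildroot}%{_bindir}/ca-legacy
# Reference copy of the certdata.txt the bundles were built from; the trust
# store itself is generated from the master bundle below, not from this copy.
install -m0644 %{name}/certs/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/
# Master bundle with Mozilla's trust/distrust flags plus our trust-fixes.
mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-source
install -p -m 644 %{name}/%{p11_format_bundle} %{buildroot}%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
# Legacy bundles selected by ca-legacy according to ca-legacy.conf.
mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-legacy
install -p -m 644 %{name}/%{legacy_default_bundle} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
install -p -m 644 %{name}/%{legacy_disable_bundle} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
# (pkidir/java was already created above for both the java and non-java
# builds; the java subpackage only adds the cacerts symlink further down.)

cat > README << EOF

R O O T C E R T S
-----------------

This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

NOTE: this bundle lists every public CA that Mozilla trusts. Using it
to verify TLS *client* certificates (for example as SSLCACertificateFile
with client authentication enabled) accepts a client certificate issued
by any of those CAs. For client authentication use a file containing
only the CA(s) that actually issue your client certificates.

EOF

# be compatible with Debian/Ubuntu SSL paths
# fix #58107 (also used by dovecot default config)
# NOTE(review): this package does not create or own pkidir/tls/private, so the
# /etc/ssl/private link dangles unless another package (presumably openssl)
# provides that directory with restrictive permissions.
install -d %{buildroot}%{_sysconfdir}/ssl
for d in certs private; do
    ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
done

# touch ghosted files that will be extracted dynamically by update-ca-trust
# Set chmod 444 to use identical permission
for ghostfile in pem/tls-ca-bundle.pem pem/email-ca-bundle.pem pem/objsign-ca-bundle.pem \
                 openssl/%{openssl_format_trust_bundle} %{java_bundle} edk2/cacerts.bin; do
    touch "%{buildroot}%{catrustdir}/extracted/$ghostfile"
    chmod 444 "%{buildroot}%{catrustdir}/extracted/$ghostfile"
done

# legacy filenames: the old OpenSSL/Java paths point at the extracted bundles
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
    %{buildroot}%{pkidir}/tls/cert.pem
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
    %{buildroot}%{pkidir}/tls/certs/%{classic_tls_bundle}
ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
    %{buildroot}%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%if %with java
ln -s %{catrustdir}/extracted/%{java_bundle} \
    %{buildroot}%{pkidir}/%{java_bundle}
%endif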
%post
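# Regenerate the extracted bundles right away so the new trust store is live
# before the rest of the transaction runs; the posttrans scriptlet repeats
# this unconditionally once everything is installed.  The guard previously
# only tested for ln (coreutils); it now also names the two tools it runs,
# which are what actually has to be present for this to work.
if [ -x %{_bindir}/ln ] && [ -x %{_bindir}/ca-legacy ] && [ -x %{_bindir}/update-ca-trust ]; then
    %{_bindir}/ca-legacy install
    %{_bindir}/update-ca-trust
fi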
%posttrans
# Final regeneration after the whole transaction: apply ca-legacy.conf to the
# legacy bundle, then extract the PEM/OpenSSL/Java/edk2 ghost files from the
# master bundle plus the admin's source/ anchors and blacklist.
%{_bindir}/ca-legacy install
%{_bindir}/update-ca-trust
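%files
%doc README
# Administrator-facing inputs of the trust store: anchors/ takes extra CAs to
# trust, blacklist/ takes certificates to distrust.
%dir %{catrustdir}/source
%dir %{catrustdir}/source/anchors
%dir %{catrustdir}/source/blacklist
# Directories the ghosted bundles are extracted into.  They are created in the
# install section but were previously unowned, so they were not guaranteed to
# exist with mode 0755 before update-ca-trust ran and were left behind on
# package removal.
%dir %{catrustdir}/extracted
%dir %{catrustdir}/extracted/pem
%dir %{catrustdir}/extracted/openssl
%dir %{catrustdir}/extracted/java
%dir %{catrustdir}/extracted/edk2
%dir %{_datadir}/pki/ca-trust-source
%dir %{_datadir}/pki/ca-trust-legacy
%dir %{_sysconfdir}/pki/tls/mozilla
# created in the install section; owned so that it is actually installed
%dir %{_sysconfdir}/pki/tls/certs/source
%{_sysconfdir}/pki/tls/cert.pem
%{_mandir}/man8/ca-legacy.8.*
%{_mandir}/man8/update-ca-trust.8.*
# Reference copy only: the trust store is generated from the master bundle in
# datadir, so editing this file does not change what the system trusts.
%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
%{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/private
# symlinks for old locations
%{pkidir}/tls/certs/%{classic_tls_bundle}
%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
# master bundle file with trust
%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
# update/extract tool
%config(noreplace) %{catrustdir}/ca-legacy.conf
%{_bindir}/update-ca-trust
%{_bindir}/ca-legacy
# written by "ca-legacy install" in the scriptlets, not by the build
%ghost %{catrustdir}/source/ca-bundle.legacy.crt
# files extracted by update-ca-trust at install time and on every later run
%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
%ghost %{catrustdir}/extracted/%{java_bundle}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin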
%if %with java
%files java
%dir %{_sysconfdir}/pki/java
# This is the symlink created in the install section, pointing at the ghosted
# keystore that update-ca-trust regenerates; config(noreplace) therefore only
# protects the link itself, not the keystore contents.
%config(noreplace) %{_sysconfdir}/pki/java/cacerts
%endif