summaryrefslogtreecommitdiff
path: root/security/mozilla-rootcerts
diff options
context:
space:
mode:
authorjlam <jlam@pkgsrc.org>2007-09-20 20:02:53 +0000
committerjlam <jlam@pkgsrc.org>2007-09-20 20:02:53 +0000
commit909f41a1422cdce8dfd884abb1202d0d3a1848cb (patch)
treea37a67809bd2a775bdc9d96d366498e79fb94ffb /security/mozilla-rootcerts
parent8f8cf43dfadea6de86b3d7fac512c6d245fd8670 (diff)
downloadpkgsrc-909f41a1422cdce8dfd884abb1202d0d3a1848cb.tar.gz
Import security/mozilla-rootcerts:
This package provides a script which can be used to extract the root CA certificates distributed by the Mozilla Project into the current working directory and to rehash the existing certificates. The directory can be used by most SSL-aware programs that expect a "CA certificate path".
Diffstat (limited to 'security/mozilla-rootcerts')
-rw-r--r--security/mozilla-rootcerts/DESCR5
-rw-r--r--security/mozilla-rootcerts/Makefile39
-rw-r--r--security/mozilla-rootcerts/PLIST4
-rw-r--r--security/mozilla-rootcerts/distinfo5
-rw-r--r--security/mozilla-rootcerts/files/mozilla-rootcerts.sh171
5 files changed, 224 insertions, 0 deletions
diff --git a/security/mozilla-rootcerts/DESCR b/security/mozilla-rootcerts/DESCR
new file mode 100644
index 00000000000..45f13cd8731
--- /dev/null
+++ b/security/mozilla-rootcerts/DESCR
@@ -0,0 +1,5 @@
+This package provides a script which can be used to extract the root
+CA certificates distributed by the Mozilla Project into the current
+working directory and to rehash the existing certificates. The directory
+can be used by most SSL-aware programs that expect a "CA certificate
+path".
diff --git a/security/mozilla-rootcerts/Makefile b/security/mozilla-rootcerts/Makefile
new file mode 100644
index 00000000000..0749e36e076
--- /dev/null
+++ b/security/mozilla-rootcerts/Makefile
@@ -0,0 +1,39 @@
+# $NetBSD: Makefile,v 1.1.1.1 2007/09/20 20:02:53 jlam Exp $
+
+DISTNAME= mozilla-rootcerts-1.0.${CERTDATA_DATE}
+CATEGORIES= security
+MASTER_SITES= ${MASTER_SITE_LOCAL}
+DISTFILES= ${CERTDATA}
+EXTRACT_SUFX= # empty
+
+MAINTAINER= jlam@pkgsrc.org
+HOMEPAGE= http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
+COMMENT= root CA certificates from the Mozilla Project
+
+USE_TOOLS= awk:run echo:run expr:run ln:run ls:run openssl:run rm:run
+
+CERTDATA_DATE= 20070713
+CERTDATA= certdata-${CERTDATA_DATE}.txt
+
+WRKSRC= ${WRKDIR}
+BUILD_DIRS= # empty
+DATADIR= ${PREFIX}/share/${PKGBASE}
+
+SUBST_CLASSES= paths
+SUBST_MESSAGE.paths= Replacing hard-coded paths.
+SUBST_STAGE.paths= post-configure
+SUBST_FILES.paths= mozilla-rootcerts.sh
+SUBST_VARS.paths= AWK ECHO EXPR LN LS OPENSSL RM DATADIR
+
+INSTALLATION_DIRS= sbin ${DATADIR}
+
+do-extract:
+ ${CP} ${FILESDIR}/mozilla-rootcerts.sh ${WRKSRC}
+ ${CP} ${DISTDIR}/${CERTDATA} ${WRKSRC}
+
+do-install:
+ ${INSTALL_SCRIPT} ${WRKSRC}/mozilla-rootcerts.sh \
+ ${PREFIX}/sbin/mozilla-rootcerts
+ ${INSTALL_DATA} ${WRKSRC}/${CERTDATA} ${DATADIR}/certdata.txt
+
+.include "../../mk/bsd.pkg.mk"
diff --git a/security/mozilla-rootcerts/PLIST b/security/mozilla-rootcerts/PLIST
new file mode 100644
index 00000000000..e86ff96b6f2
--- /dev/null
+++ b/security/mozilla-rootcerts/PLIST
@@ -0,0 +1,4 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2007/09/20 20:02:53 jlam Exp $
+sbin/mozilla-rootcerts
+share/mozilla-rootcerts/certdata.txt
+@dirrm share/mozilla-rootcerts
diff --git a/security/mozilla-rootcerts/distinfo b/security/mozilla-rootcerts/distinfo
new file mode 100644
index 00000000000..f81e78032c5
--- /dev/null
+++ b/security/mozilla-rootcerts/distinfo
@@ -0,0 +1,5 @@
+$NetBSD: distinfo,v 1.1.1.1 2007/09/20 20:02:53 jlam Exp $
+
+SHA1 (certdata-20070713.txt) = 2f07092e7bceb4354f9255a8455d46671831b2be
+RMD160 (certdata-20070713.txt) = c665e7265fb7fc2a04bc4405d4d650f8ff1c182e
+Size (certdata-20070713.txt) = 793526 bytes
diff --git a/security/mozilla-rootcerts/files/mozilla-rootcerts.sh b/security/mozilla-rootcerts/files/mozilla-rootcerts.sh
new file mode 100644
index 00000000000..84ec5ea318c
--- /dev/null
+++ b/security/mozilla-rootcerts/files/mozilla-rootcerts.sh
@@ -0,0 +1,171 @@
+#!/bin/sh
+#
+# $NetBSD: mozilla-rootcerts.sh,v 1.1.1.1 2007/09/20 20:02:53 jlam Exp $
+#
+# This script is meant to be used as follows:
+#
+# # cd /etc/openssl/certs
+# # mozilla-rootcerts extract
+# # mozilla-rootcerts rehash
+#
+
+: ${AWK=@AWK@}
+: ${ECHO=@ECHO@}
+: ${EXPR=@EXPR@}
+: ${LN=@LN@}
+: ${LS=@LS@}
+: ${OPENSSL=@OPENSSL@}
+: ${RM=@RM@}
+
+self="mozilla-rootcerts"
+certfile="@DATADIR@/certdata.txt"
+
+usage()
+{
+ ${ECHO} 1>&2 "usage: $self [-f certfile] extract|rehash"
+ exit $1
+}
+
+while [ $# -gt 0 ]; do
+ case "$1" in
+ -f) certfile="$2"; shift 2 ;;
+ --) shift; break ;;
+ -*) ${ECHO} 1>&2 "$self: unknown option -- $1"
+ usage 128 ;;
+ *) break ;;
+ esac
+done
+
+[ $# -eq 1 ] || usage 128
+
+action="$1"; shift
+
+#
+# link_hash pemtype pemfile
+#
+# Link a certificate or CRL to its subject name hash value.
+# Each hash is of the form <hash>.<n> for certificates and
+# <hash>.r<n> for CRLs, where n is an integer. If the hash
+# value already exists, then we need to up the value of n, unless
+# it's a duplicate, in which case we skip the link. We check
+# for duplicates by comparing fingerprints.
+#
+link_hash()
+{
+ _pemtype="$1"; _pemfile="$2"; shift 2
+
+ _hash=`${OPENSSL} "$_pemtype" -hash -noout -in "$_pemfile"`
+ _fprint=`${OPENSSL} "$_pemtype" -fingerprint -noout -in "$_pemfile"`
+ _suffix=0
+ while [ 1 = 1 ] ; do
+ case $_pemtype in
+ crl) _hashfile="$_hash.r$_suffix" ;;
+ x509|*) _hashfile="$_hash.$_suffix" ;;
+ esac
+ if [ ! -f "$_hashfile" ]; then
+ ${ECHO} "$_pemfile => $_hashfile"
+ ${LN} -sf "$_pemfile" "$_hashfile"
+ break
+ fi
+ _fprintold=`${OPENSSL} "$_pemtype" -fingerprint -noout -in "$_hashfile"`
+ if [ "$_fprint" = "$_fprintold" ]; then
+ ${ECHO} 1>&2 "WARNING: Skipping duplicate certificate $_pemfile"
+ return
+ fi
+ suffix=`${EXPR} $suffix + 1`
+ done
+}
+
+case $action in
+rehash)
+ # Delete any existing symbolic links.
+ ${LS} | while read entry; do
+ [ ! -h "$entry" ] || ${RM} -f "$entry"
+ done
+
+ ${LS} | while read pemfile; do
+ case $pemfile in
+ *.pem) ;;
+ *) continue ;;
+ esac
+ pemtype=
+ while read line; do
+ case $line in
+ "-----BEGIN CERTIFICATE-----"|\
+ "-----BEGIN X509 CERTIFICATE-----"|\
+ "-----BEGIN TRUSTED CERTIFICATE-----")
+ pemtype=x509
+ break
+ ;;
+ "-----BEGIN X509 CRL-----")
+ pemtype=crl
+ break
+ ;;
+ esac
+ done < "$pemfile"
+ case $pemtype in
+ x509|crl)
+ link_hash "$pemtype" "$pemfile"
+ ;;
+ *)
+ ${ECHO} 1>&2 "WARNING: $pemfile does not contain a certificate or CRL: skipping"
+ continue
+ ;;
+ esac
+ done
+ ;;
+
+extract)
+ #
+ # Certificates in octal-encoded DER format are delimited by
+ # "CKA_VALUE MULTILINE_OCTAL"/"END" pairs. Convert them into
+ # long character strings and pipe them through openssl to
+ # convert from DER to PEM format.
+ #
+ # The resulting PEM format certificates are saved as
+ # "mozilla-rootcert-<n>.pem" in the current working directory.
+ #
+ cat "$certfile" | ${AWK} -v OPENSSL=${OPENSSL} '
+ function join(array, start, end, separator, result, i) {
+ result = array[start]
+ for (i = start + 1; i <= end; i++)
+ result = result separator array[i]
+ return result
+ }
+
+ function base8to10(o, octal, decimal, power, i, n) {
+ decimal = 0
+ n = split(o, octal, "")
+ while (n > 0) {
+ power = 1
+ for (i = 1; i < n; i++)
+ power *= 8
+ decimal += octal[4-n] * power
+ n--
+ }
+ return decimal
+ }
+
+ BEGIN {
+ filenum = 0
+ while (getline) {
+ D = 0
+ if ($0 !~ /^CKA_VALUE MULTILINE_OCTAL/) continue
+
+ filename = "mozilla-rootcert-" filenum ".pem"
+ filenum++
+ cmd = OPENSSL " x509 -inform der -outform pem -text >" filename
+ print filename
+ while (getline) {
+ if ($0 ~ /^END/) break
+ n = split($0, line, "\\")
+ for (i = 2; i <= n; i++) {
+ der[D++] = sprintf("%c", base8to10(line[i]))
+ }
+ }
+ printf("%s", join(der, 0, D, "")) | cmd
+ close(cmd)
+ }
+ }'
+ ;;
+esac