diff options
| author | jlam <jlam@pkgsrc.org> | 2007-09-20 20:02:53 +0000 |
|---|---|---|
| committer | jlam <jlam@pkgsrc.org> | 2007-09-20 20:02:53 +0000 |
| commit | 909f41a1422cdce8dfd884abb1202d0d3a1848cb (patch) | |
| tree | a37a67809bd2a775bdc9d96d366498e79fb94ffb /security | |
| parent | 8f8cf43dfadea6de86b3d7fac512c6d245fd8670 (diff) | |
| download | pkgsrc-909f41a1422cdce8dfd884abb1202d0d3a1848cb.tar.gz | |
Import security/mozilla-rootcerts:
This package provides a script which can be used to extract the root
CA certificates distributed by the Mozilla Project into the current
working directory and to rehash the existing certificates. The directory
can be used by most SSL-aware programs that expect a "CA certificate
path".
Diffstat (limited to 'security')
| -rw-r--r-- | security/mozilla-rootcerts/DESCR | 5 | ||||
| -rw-r--r-- | security/mozilla-rootcerts/Makefile | 39 | ||||
| -rw-r--r-- | security/mozilla-rootcerts/PLIST | 4 | ||||
| -rw-r--r-- | security/mozilla-rootcerts/distinfo | 5 | ||||
| -rw-r--r-- | security/mozilla-rootcerts/files/mozilla-rootcerts.sh | 171 |
5 files changed, 224 insertions, 0 deletions
diff --git a/security/mozilla-rootcerts/DESCR b/security/mozilla-rootcerts/DESCR new file mode 100644 index 00000000000..45f13cd8731 --- /dev/null +++ b/security/mozilla-rootcerts/DESCR @@ -0,0 +1,5 @@ +This package provides a script which can be used to extract the root +CA certificates distributed by the Mozilla Project into the current +working directory and to rehash the existing certificates. The directory +can be used by most SSL-aware programs that expect a "CA certificate +path". diff --git a/security/mozilla-rootcerts/Makefile b/security/mozilla-rootcerts/Makefile new file mode 100644 index 00000000000..0749e36e076 --- /dev/null +++ b/security/mozilla-rootcerts/Makefile @@ -0,0 +1,39 @@ +# $NetBSD: Makefile,v 1.1.1.1 2007/09/20 20:02:53 jlam Exp $ + +DISTNAME= mozilla-rootcerts-1.0.${CERTDATA_DATE} +CATEGORIES= security +MASTER_SITES= ${MASTER_SITE_LOCAL} +DISTFILES= ${CERTDATA} +EXTRACT_SUFX= # empty + +MAINTAINER= jlam@pkgsrc.org +HOMEPAGE= http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1 +COMMENT= root CA certificates from the Mozilla Project + +USE_TOOLS= awk:run echo:run expr:run ln:run ls:run openssl:run rm:run + +CERTDATA_DATE= 20070713 +CERTDATA= certdata-${CERTDATA_DATE}.txt + +WRKSRC= ${WRKDIR} +BUILD_DIRS= # empty +DATADIR= ${PREFIX}/share/${PKGBASE} + +SUBST_CLASSES= paths +SUBST_MESSAGE.paths= Replacing hard-coded paths. +SUBST_STAGE.paths= post-configure +SUBST_FILES.paths= mozilla-rootcerts.sh +SUBST_VARS.paths= AWK ECHO EXPR LN LS OPENSSL RM DATADIR + +INSTALLATION_DIRS= sbin ${DATADIR} + +do-extract: + ${CP} ${FILESDIR}/mozilla-rootcerts.sh ${WRKSRC} + ${CP} ${DISTDIR}/${CERTDATA} ${WRKSRC} + +do-install: + ${INSTALL_SCRIPT} ${WRKSRC}/mozilla-rootcerts.sh \ + ${PREFIX}/sbin/mozilla-rootcerts + ${INSTALL_DATA} ${WRKSRC}/${CERTDATA} ${DATADIR}/certdata.txt + +.include "../../mk/bsd.pkg.mk" diff --git a/security/mozilla-rootcerts/PLIST b/security/mozilla-rootcerts/PLIST new file mode 100644 index 00000000000..e86ff96b6f2 --- /dev/null +++ b/security/mozilla-rootcerts/PLIST @@ -0,0 +1,4 @@ +@comment $NetBSD: PLIST,v 1.1.1.1 2007/09/20 20:02:53 jlam Exp $ +sbin/mozilla-rootcerts +share/mozilla-rootcerts/certdata.txt +@dirrm share/mozilla-rootcerts diff --git a/security/mozilla-rootcerts/distinfo b/security/mozilla-rootcerts/distinfo new file mode 100644 index 00000000000..f81e78032c5 --- /dev/null +++ b/security/mozilla-rootcerts/distinfo @@ -0,0 +1,5 @@ +$NetBSD: distinfo,v 1.1.1.1 2007/09/20 20:02:53 jlam Exp $ + +SHA1 (certdata-20070713.txt) = 2f07092e7bceb4354f9255a8455d46671831b2be +RMD160 (certdata-20070713.txt) = c665e7265fb7fc2a04bc4405d4d650f8ff1c182e +Size (certdata-20070713.txt) = 793526 bytes diff --git a/security/mozilla-rootcerts/files/mozilla-rootcerts.sh b/security/mozilla-rootcerts/files/mozilla-rootcerts.sh new file mode 100644 index 00000000000..84ec5ea318c --- /dev/null +++ b/security/mozilla-rootcerts/files/mozilla-rootcerts.sh @@ -0,0 +1,171 @@ +#!/bin/sh +# +# $NetBSD: mozilla-rootcerts.sh,v 1.1.1.1 2007/09/20 20:02:53 jlam Exp $ +# +# This script is meant to be used as follows: +# +# # cd /etc/openssl/certs +# # mozilla-rootcerts extract +# # mozilla-rootcerts rehash +# + +: ${AWK=@AWK@} +: ${ECHO=@ECHO@} +: ${EXPR=@EXPR@} +: ${LN=@LN@} +: ${LS=@LS@} +: ${OPENSSL=@OPENSSL@} +: ${RM=@RM@} + +self="mozilla-rootcerts" +certfile="@DATADIR@/certdata.txt" + +usage() +{ + ${ECHO} 1>&2 "usage: $self [-f certfile] extract|rehash" + exit $1 +} + +while [ $# -gt 0 ]; do + case "$1" in + -f) certfile="$2"; shift 2 ;; + --) shift; break ;; + -*) ${ECHO} 1>&2 "$self: unknown option -- $1" + usage 128 ;; + *) break ;; + esac +done + +[ $# -eq 1 ] || usage 128 + +action="$1"; shift + +# +# link_hash pemtype pemfile +# +# Link a certificate or CRL to its subject name hash value. +# Each hash is of the form <hash>.<n> for certificates and +# <hash>.r<n> for CRLs, where n is an integer. If the hash +# value already exists, then we need to up the value of n, unless +# it's a duplicate, in which case we skip the link. We check +# for duplicates by comparing fingerprints. +# +link_hash() +{ + _pemtype="$1"; _pemfile="$2"; shift 2 + + _hash=`${OPENSSL} "$_pemtype" -hash -noout -in "$_pemfile"` + _fprint=`${OPENSSL} "$_pemtype" -fingerprint -noout -in "$_pemfile"` + _suffix=0 + while [ 1 = 1 ] ; do + case $_pemtype in + crl) _hashfile="$_hash.r$_suffix" ;; + x509|*) _hashfile="$_hash.$_suffix" ;; + esac + if [ ! -f "$_hashfile" ]; then + ${ECHO} "$_pemfile => $_hashfile" + ${LN} -sf "$_pemfile" "$_hashfile" + break + fi + _fprintold=`${OPENSSL} "$_pemtype" -fingerprint -noout -in "$_hashfile"` + if [ "$_fprint" = "$_fprintold" ]; then + ${ECHO} 1>&2 "WARNING: Skipping duplicate certificate $_pemfile" + return + fi + suffix=`${EXPR} $suffix + 1` + done +} + +case $action in +rehash) + # Delete any existing symbolic links. + ${LS} | while read entry; do + [ ! -h "$entry" ] || ${RM} -f "$entry" + done + + ${LS} | while read pemfile; do + case $pemfile in + *.pem) ;; + *) continue ;; + esac + pemtype= + while read line; do + case $line in + "-----BEGIN CERTIFICATE-----"|\ + "-----BEGIN X509 CERTIFICATE-----"|\ + "-----BEGIN TRUSTED CERTIFICATE-----") + pemtype=x509 + break + ;; + "-----BEGIN X509 CRL-----") + pemtype=crl + break + ;; + esac + done < "$pemfile" + case $pemtype in + x509|crl) + link_hash "$pemtype" "$pemfile" + ;; + *) + ${ECHO} 1>&2 "WARNING: $pemfile does not contain a certificate or CRL: skipping" + continue + ;; + esac + done + ;; + +extract) + # + # Certificates in octal-encoded DER format are delimited by + # "CKA_VALUE MULTILINE_OCTAL"/"END" pairs. Convert them into + # long character strings and pipe them through openssl to + # convert from DER to PEM format. + # + # The resulting PEM format certificates are saved as + # "mozilla-rootcert-<n>.pem" in the current working directory. + # + cat "$certfile" | ${AWK} -v OPENSSL=${OPENSSL} ' + function join(array, start, end, separator, result, i) { + result = array[start] + for (i = start + 1; i <= end; i++) + result = result separator array[i] + return result + } + + function base8to10(o, octal, decimal, power, i, n) { + decimal = 0 + n = split(o, octal, "") + while (n > 0) { + power = 1 + for (i = 1; i < n; i++) + power *= 8 + decimal += octal[4-n] * power + n-- + } + return decimal + } + + BEGIN { + filenum = 0 + while (getline) { + D = 0 + if ($0 !~ /^CKA_VALUE MULTILINE_OCTAL/) continue + + filename = "mozilla-rootcert-" filenum ".pem" + filenum++ + cmd = OPENSSL " x509 -inform der -outform pem -text >" filename + print filename + while (getline) { + if ($0 ~ /^END/) break + n = split($0, line, "\\") + for (i = 2; i <= n; i++) { + der[D++] = sprintf("%c", base8to10(line[i])) + } + } + printf("%s", join(der, 0, D, "")) | cmd + close(cmd) + } + }' + ;; +esac |