Diffstat (limited to 'security')
-rw-r--r-- | security/mozilla-rootcerts/DESCR | 5 | ||||
-rw-r--r-- | security/mozilla-rootcerts/Makefile | 39 | ||||
-rw-r--r-- | security/mozilla-rootcerts/PLIST | 4 | ||||
-rw-r--r-- | security/mozilla-rootcerts/distinfo | 5 | ||||
-rw-r--r-- | security/mozilla-rootcerts/files/mozilla-rootcerts.sh | 171 |
5 files changed, 224 insertions, 0 deletions
diff --git a/security/mozilla-rootcerts/DESCR b/security/mozilla-rootcerts/DESCR
new file mode 100644
index 00000000000..45f13cd8731
--- /dev/null
+++ b/security/mozilla-rootcerts/DESCR
@@ -0,0 +1,5 @@
+This package provides a script which can be used to extract the root
+CA certificates distributed by the Mozilla Project into the current
+working directory and to rehash the existing certificates. The directory
+can be used by most SSL-aware programs that expect a "CA certificate
+path".
diff --git a/security/mozilla-rootcerts/Makefile b/security/mozilla-rootcerts/Makefile
new file mode 100644
index 00000000000..0749e36e076
--- /dev/null
+++ b/security/mozilla-rootcerts/Makefile
@@ -0,0 +1,39 @@
+# $NetBSD: Makefile,v 1.1.1.1 2007/09/20 20:02:53 jlam Exp $
+
+DISTNAME= mozilla-rootcerts-1.0.${CERTDATA_DATE}
+CATEGORIES= security
+MASTER_SITES= ${MASTER_SITE_LOCAL}
+DISTFILES= ${CERTDATA}
+EXTRACT_SUFX= # empty
+
+MAINTAINER= jlam@pkgsrc.org
+HOMEPAGE= http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
+COMMENT= root CA certificates from the Mozilla Project
+
+USE_TOOLS= awk:run echo:run expr:run ln:run ls:run openssl:run rm:run
+
+CERTDATA_DATE= 20070713
+CERTDATA= certdata-${CERTDATA_DATE}.txt
+
+WRKSRC= ${WRKDIR}
+BUILD_DIRS= # empty
+DATADIR= ${PREFIX}/share/${PKGBASE}
+
+SUBST_CLASSES= paths
+SUBST_MESSAGE.paths= Replacing hard-coded paths.
+SUBST_STAGE.paths= post-configure
+SUBST_FILES.paths= mozilla-rootcerts.sh
+SUBST_VARS.paths= AWK ECHO EXPR LN LS OPENSSL RM DATADIR
+
+INSTALLATION_DIRS= sbin ${DATADIR}
+
+do-extract:
+ ${CP} ${FILESDIR}/mozilla-rootcerts.sh ${WRKSRC}
+ ${CP} ${DISTDIR}/${CERTDATA} ${WRKSRC}
+
+do-install:
+ ${INSTALL_SCRIPT} ${WRKSRC}/mozilla-rootcerts.sh \
+ ${PREFIX}/sbin/mozilla-rootcerts
+ ${INSTALL_DATA} ${WRKSRC}/${CERTDATA} ${DATADIR}/certdata.txt
+
+.include "../../mk/bsd.pkg.mk"
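Review bot: The Makefile records no provenance for `certdata-${CERTDATA_DATE}.txt`: the file is fetched from `${MASTER_SITE_LOCAL}` and pinned only by the SHA1/RMD160 values in distinfo, while `HOMEPAGE` points at a plain-http lxr raw view, so a maintainer bumping `CERTDATA_DATE` has no documented way to re-derive the distfile from Mozilla's tree or to confirm that the uploaded copy matches it. Because this file becomes the trust-anchor set for every consumer of the generated CA path, a comment above `CERTDATA_DATE` should state which upstream revision the file was taken from and how it was retrieved, e.g. `# certdata.txt taken from the NSS source tree (lib/ckfw/builtins/certdata.txt); record the upstream revision here when updating CERTDATA_DATE.` That keeps the update procedure reviewable rather than relying on whoever last uploaded the distfile.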
diff --git a/security/mozilla-rootcerts/PLIST b/security/mozilla-rootcerts/PLIST
new file mode 100644
index 00000000000..e86ff96b6f2
--- /dev/null
+++ b/security/mozilla-rootcerts/PLIST
@@ -0,0 +1,4 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2007/09/20 20:02:53 jlam Exp $
+sbin/mozilla-rootcerts
+share/mozilla-rootcerts/certdata.txt
+@dirrm share/mozilla-rootcerts
diff --git a/security/mozilla-rootcerts/distinfo b/security/mozilla-rootcerts/distinfo
new file mode 100644
index 00000000000..f81e78032c5
--- /dev/null
+++ b/security/mozilla-rootcerts/distinfo
@@ -0,0 +1,5 @@
+$NetBSD: distinfo,v 1.1.1.1 2007/09/20 20:02:53 jlam Exp $
+
+SHA1 (certdata-20070713.txt) = 2f07092e7bceb4354f9255a8455d46671831b2be
+RMD160 (certdata-20070713.txt) = c665e7265fb7fc2a04bc4405d4d650f8ff1c182e
+Size (certdata-20070713.txt) = 793526 bytes
diff --git a/security/mozilla-rootcerts/files/mozilla-rootcerts.sh b/security/mozilla-rootcerts/files/mozilla-rootcerts.sh
new file mode 100644
index 00000000000..84ec5ea318c
--- /dev/null
+++ b/security/mozilla-rootcerts/files/mozilla-rootcerts.sh
@@ -0,0 +1,171 @@
+#!/bin/sh
+#
+# $NetBSD: mozilla-rootcerts.sh,v 1.1.1.1 2007/09/20 20:02:53 jlam Exp $
+#
+# This script is meant to be used as follows:
+#
+# # cd /etc/openssl/certs
+# # mozilla-rootcerts extract
+# # mozilla-rootcerts rehash
+#
+
+: ${AWK=@AWK@}
+: ${ECHO=@ECHO@}
+: ${EXPR=@EXPR@}
+: ${LN=@LN@}
+: ${LS=@LS@}
+: ${OPENSSL=@OPENSSL@}
+: ${RM=@RM@}
+
+self="mozilla-rootcerts"
+certfile="@DATADIR@/certdata.txt"
+
+usage()
+{
+ ${ECHO} 1>&2 "usage: $self [-f certfile] extract|rehash"
+ exit $1
+}
+
+while [ $# -gt 0 ]; do
+ case "$1" in
+ -f) certfile="$2"; shift 2 ;;
+ --) shift; break ;;
+ -*) ${ECHO} 1>&2 "$self: unknown option -- $1"
+ usage 128 ;;
+ *) break ;;
+ esac
+done
+
+[ $# -eq 1 ] || usage 128
+
+action="$1"; shift
+
+#
+# link_hash pemtype pemfile
+#
+# Link a certificate or CRL to its subject name hash value.
+# Each hash is of the form <hash>.<n> for certificates and
+# <hash>.r<n> for CRLs, where n is an integer. If the hash
+# value already exists, then we need to up the value of n, unless
+# it's a duplicate, in which case we skip the link. We check
+# for duplicates by comparing fingerprints.
+#
+link_hash()
+{
+ _pemtype="$1"; _pemfile="$2"; shift 2
+
+ _hash=`${OPENSSL} "$_pemtype" -hash -noout -in "$_pemfile"`
+ _fprint=`${OPENSSL} "$_pemtype" -fingerprint -noout -in "$_pemfile"`
+ _suffix=0
+ while [ 1 = 1 ] ; do
+ case $_pemtype in
+ crl) _hashfile="$_hash.r$_suffix" ;;
+ x509|*) _hashfile="$_hash.$_suffix" ;;
+ esac
+ if [ ! -f "$_hashfile" ]; then
+ ${ECHO} "$_pemfile => $_hashfile"
+ ${LN} -sf "$_pemfile" "$_hashfile"
+ break
+ fi
+ _fprintold=`${OPENSSL} "$_pemtype" -fingerprint -noout -in "$_hashfile"`
+ if [ "$_fprint" = "$_fprintold" ]; then
+ ${ECHO} 1>&2 "WARNING: Skipping duplicate certificate $_pemfile"
+ return
+ fi
+ suffix=`${EXPR} $suffix + 1`
+ done
+}
+
+case $action in
+rehash)
+ # Delete any existing symbolic links.
+ ${LS} | while read entry; do
+ [ ! -h "$entry" ] || ${RM} -f "$entry"
+ done
+
+ ${LS} | while read pemfile; do
+ case $pemfile in
+ *.pem) ;;
+ *) continue ;;
+ esac
+ pemtype=
+ while read line; do
+ case $line in
+ "-----BEGIN CERTIFICATE-----"|\
+ "-----BEGIN X509 CERTIFICATE-----"|\
+ "-----BEGIN TRUSTED CERTIFICATE-----")
+ pemtype=x509
+ break
+ ;;
+ "-----BEGIN X509 CRL-----")
+ pemtype=crl
+ break
+ ;;
+ esac
+ done < "$pemfile"
+ case $pemtype in
+ x509|crl)
+ link_hash "$pemtype" "$pemfile"
+ ;;
+ *)
+ ${ECHO} 1>&2 "WARNING: $pemfile does not contain a certificate or CRL: skipping"
+ continue
+ ;;
+ esac
+ done
+ ;;
+
+extract)
+ #
+ # Certificates in octal-encoded DER format are delimited by
+ # "CKA_VALUE MULTILINE_OCTAL"/"END" pairs. Convert them into
+ # long character strings and pipe them through openssl to
+ # convert from DER to PEM format.
+ #
+ # The resulting PEM format certificates are saved as
+ # "mozilla-rootcert-<n>.pem" in the current working directory.
+ #
+ cat "$certfile" | ${AWK} -v OPENSSL=${OPENSSL} '
+ function join(array, start, end, separator, result, i) {
+ result = array[start]
+ for (i = start + 1; i <= end; i++)
+ result = result separator array[i]
+ return result
+ }
+
+ function base8to10(o, octal, decimal, power, i, n) {
+ decimal = 0
+ n = split(o, octal, "")
+ while (n > 0) {
+ power = 1
+ for (i = 1; i < n; i++)
+ power *= 8
+ decimal += octal[4-n] * power
+ n--
+ }
+ return decimal
+ }
+
+ BEGIN {
+ filenum = 0
+ while (getline) {
+ D = 0
+ if ($0 !~ /^CKA_VALUE MULTILINE_OCTAL/) continue
+
+ filename = "mozilla-rootcert-" filenum ".pem"
+ filenum++
+ cmd = OPENSSL " x509 -inform der -outform pem -text >" filename
+ print filename
+ while (getline) {
+ if ($0 ~ /^END/) break
+ n = split($0, line, "\\")
+ for (i = 2; i <= n; i++) {
+ der[D++] = sprintf("%c", base8to10(line[i]))
+ }
+ }
+ printf("%s", join(der, 0, D, "")) | cmd
+ close(cmd)
+ }
+ }'
+ ;;
+esac
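Review bot: `link_hash` never advances its collision counter: the loop initialises `_suffix=0` and builds `_hashfile` from `$_suffix`, but the increment at the bottom of the `while [ 1 = 1 ]` loop assigns to `suffix` from `$suffix`, so when two different certificates share a subject hash `_hashfile` stays at `$_hash.0`, the fingerprint comparison keeps failing and the loop never terminates; the line should assign `_suffix` from `$_suffix + 1`. Separately, `extract` emits every `CKA_VALUE MULTILINE_OCTAL` block in certdata.txt without reading the trust attributes that accompany each entry, so an entry Mozilla ships with non-trusted flags is written into the CA path and then rehashed as a trust anchor like any other; the awk program should skip such entries or the header comment should state plainly that trust flags are ignored. In `rehash`, `${LS} | while read entry` removes every symlink in the working directory, not just the hash links this tool created, and parsing `ls` output drops names with leading or trailing whitespace; `for entry in *` would at least be robust to the names, and the comment should say that all symlinks are deleted. The `join(der, 0, D, "")` call also reads `der[D]`, one past the last byte stored, which is harmless for the output but is worth a comment or an `end - 1` bound so it is not mistaken for an off-by-one elsewhere.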