From 909f41a1422cdce8dfd884abb1202d0d3a1848cb Mon Sep 17 00:00:00 2001
From: jlam <jlam@pkgsrc.org>
Date: Thu, 20 Sep 2007 20:02:53 +0000
Subject: Import security/mozilla-rootcerts:

This package provides a script which can be used to extract the root
CA certificates distributed by the Mozilla Project into the current
working directory and to rehash the existing certificates.  The directory
can be used by most SSL-aware programs that expect a "CA certificate
path".
---
 security/mozilla-rootcerts/DESCR                   |   5 +
 security/mozilla-rootcerts/Makefile                |  39 +++++
 security/mozilla-rootcerts/PLIST                   |   4 +
 security/mozilla-rootcerts/distinfo                |   5 +
 .../mozilla-rootcerts/files/mozilla-rootcerts.sh   | 171 +++++++++++++++++++++
 5 files changed, 224 insertions(+)
 create mode 100644 security/mozilla-rootcerts/DESCR
 create mode 100644 security/mozilla-rootcerts/Makefile
 create mode 100644 security/mozilla-rootcerts/PLIST
 create mode 100644 security/mozilla-rootcerts/distinfo
 create mode 100644 security/mozilla-rootcerts/files/mozilla-rootcerts.sh

(limited to 'security/mozilla-rootcerts')

diff --git a/security/mozilla-rootcerts/DESCR b/security/mozilla-rootcerts/DESCR
new file mode 100644
index 00000000000..45f13cd8731
--- /dev/null
+++ b/security/mozilla-rootcerts/DESCR
@@ -0,0 +1,5 @@
+This package provides a script which can be used to extract the root
+CA certificates distributed by the Mozilla Project into the current
+working directory and to rehash the existing certificates.  The directory
+can be used by most SSL-aware programs that expect a "CA certificate
+path".
diff --git a/security/mozilla-rootcerts/Makefile b/security/mozilla-rootcerts/Makefile
new file mode 100644
index 00000000000..0749e36e076
--- /dev/null
+++ b/security/mozilla-rootcerts/Makefile
@@ -0,0 +1,39 @@
+# $NetBSD: Makefile,v 1.1.1.1 2007/09/20 20:02:53 jlam Exp $
+
+DISTNAME=	mozilla-rootcerts-1.0.${CERTDATA_DATE}
+CATEGORIES=	security
+MASTER_SITES=	${MASTER_SITE_LOCAL}
+DISTFILES=	${CERTDATA}
+EXTRACT_SUFX=	# empty
+
+MAINTAINER=	jlam@pkgsrc.org
+HOMEPAGE=	http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
+COMMENT=	root CA certificates from the Mozilla Project
+
+USE_TOOLS=	awk:run echo:run expr:run ln:run ls:run openssl:run rm:run
+
+CERTDATA_DATE=	20070713
+CERTDATA=	certdata-${CERTDATA_DATE}.txt
+
+WRKSRC=		${WRKDIR}
+BUILD_DIRS=	# empty
+DATADIR=	${PREFIX}/share/${PKGBASE}
+
+SUBST_CLASSES=		paths
+SUBST_MESSAGE.paths=	Replacing hard-coded paths.
+SUBST_STAGE.paths=	post-configure
+SUBST_FILES.paths=	mozilla-rootcerts.sh
+SUBST_VARS.paths=	AWK ECHO EXPR LN LS OPENSSL RM DATADIR
+
+INSTALLATION_DIRS=	sbin ${DATADIR}
+
+do-extract:
+	${CP} ${FILESDIR}/mozilla-rootcerts.sh ${WRKSRC}
+	${CP} ${DISTDIR}/${CERTDATA} ${WRKSRC}
+
+do-install:
+	${INSTALL_SCRIPT} ${WRKSRC}/mozilla-rootcerts.sh \
+		${PREFIX}/sbin/mozilla-rootcerts
+	${INSTALL_DATA} ${WRKSRC}/${CERTDATA} ${DATADIR}/certdata.txt
+
+.include "../../mk/bsd.pkg.mk"
diff --git a/security/mozilla-rootcerts/PLIST b/security/mozilla-rootcerts/PLIST
new file mode 100644
index 00000000000..e86ff96b6f2
--- /dev/null
+++ b/security/mozilla-rootcerts/PLIST
@@ -0,0 +1,4 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2007/09/20 20:02:53 jlam Exp $
+sbin/mozilla-rootcerts
+share/mozilla-rootcerts/certdata.txt
+@dirrm share/mozilla-rootcerts
diff --git a/security/mozilla-rootcerts/distinfo b/security/mozilla-rootcerts/distinfo
new file mode 100644
index 00000000000..f81e78032c5
--- /dev/null
+++ b/security/mozilla-rootcerts/distinfo
@@ -0,0 +1,5 @@
+$NetBSD: distinfo,v 1.1.1.1 2007/09/20 20:02:53 jlam Exp $
+
+SHA1 (certdata-20070713.txt) = 2f07092e7bceb4354f9255a8455d46671831b2be
+RMD160 (certdata-20070713.txt) = c665e7265fb7fc2a04bc4405d4d650f8ff1c182e
+Size (certdata-20070713.txt) = 793526 bytes
diff --git a/security/mozilla-rootcerts/files/mozilla-rootcerts.sh b/security/mozilla-rootcerts/files/mozilla-rootcerts.sh
new file mode 100644
index 00000000000..84ec5ea318c
--- /dev/null
+++ b/security/mozilla-rootcerts/files/mozilla-rootcerts.sh
@@ -0,0 +1,171 @@
+#!/bin/sh
+#
+# $NetBSD: mozilla-rootcerts.sh,v 1.1.1.1 2007/09/20 20:02:53 jlam Exp $
+#
+# This script is meant to be used as follows:
+#
+#	# cd /etc/openssl/certs
+#	# mozilla-rootcerts extract
+#	# mozilla-rootcerts rehash
+#
+
+: ${AWK=@AWK@}
+: ${ECHO=@ECHO@}
+: ${EXPR=@EXPR@}
+: ${LN=@LN@}
+: ${LS=@LS@}
+: ${OPENSSL=@OPENSSL@}
+: ${RM=@RM@}
+
+self="mozilla-rootcerts"
+certfile="@DATADIR@/certdata.txt"
+
+usage()
+{
+	${ECHO} 1>&2 "usage: $self [-f certfile] extract|rehash"
+	exit $1
+}
+
+while [ $# -gt 0 ]; do
+	case "$1" in
+	-f)	certfile="$2"; shift 2 ;;
+	--)	shift; break ;;
+	-*)	${ECHO} 1>&2 "$self: unknown option -- $1"
+		usage 128 ;;
+	*)	break ;;
+	esac
+done
+
+[ $# -eq 1 ] || usage 128
+
+action="$1"; shift
+
+#
+#	link_hash pemtype pemfile
+#
+#	Link a certificate or CRL to its subject name hash value.
+#	Each hash is of the form <hash>.<n> for certificates and
+#	<hash>.r<n> for CRLs, where n is an integer.  If the hash
+#	value already exists, then we need to up the value of n, unless
+#	it's a duplicate, in which case we skip the link.  We check
+#	for duplicates by comparing fingerprints.
+#
+link_hash()
+{
+	_pemtype="$1"; _pemfile="$2"; shift 2
+
+	_hash=`${OPENSSL} "$_pemtype" -hash -noout -in "$_pemfile"`
+	_fprint=`${OPENSSL} "$_pemtype" -fingerprint -noout -in "$_pemfile"`
+	_suffix=0
+	while [ 1 = 1 ] ; do
+		case $_pemtype in
+		crl)	_hashfile="$_hash.r$_suffix" ;;
+		x509|*)	_hashfile="$_hash.$_suffix" ;;
+		esac
+		if [ ! -f "$_hashfile" ]; then
+			${ECHO} "$_pemfile => $_hashfile"
+			${LN} -sf "$_pemfile" "$_hashfile"
+			break
+		fi
+		_fprintold=`${OPENSSL} "$_pemtype" -fingerprint -noout -in "$_hashfile"`
+		if [ "$_fprint" = "$_fprintold" ]; then
+			${ECHO} 1>&2 "WARNING: Skipping duplicate certificate $_pemfile"
+			return
+		fi
+		suffix=`${EXPR} $suffix + 1`
+	done
+}
+
+case $action in
+rehash)
+	# Delete any existing symbolic links.
+	${LS} | while read entry; do
+		[ ! -h "$entry" ] || ${RM} -f "$entry"
+	done
+
+	${LS} | while read pemfile; do
+		case $pemfile in
+		*.pem)	;;
+		*)	continue ;;
+		esac
+		pemtype=
+		while read line; do
+			case $line in
+			"-----BEGIN CERTIFICATE-----"|\
+			"-----BEGIN X509 CERTIFICATE-----"|\
+			"-----BEGIN TRUSTED CERTIFICATE-----")
+				pemtype=x509
+				break
+				;;
+			"-----BEGIN X509 CRL-----")
+				pemtype=crl
+				break
+				;;
+			esac
+		done < "$pemfile"
+		case $pemtype in
+		x509|crl)
+			link_hash "$pemtype" "$pemfile"
+			;;
+		*)
+			${ECHO} 1>&2 "WARNING: $pemfile does not contain a certificate or CRL: skipping"
+			continue
+			;;
+		esac
+	done
+	;;
+
+extract)
+	#
+	# Certificates in octal-encoded DER format are delimited by
+	# "CKA_VALUE MULTILINE_OCTAL"/"END" pairs.  Convert them into
+	# long character strings and pipe them through openssl to
+	# convert from DER to PEM format.
+	#
+	# The resulting PEM format certificates are saved as
+	# "mozilla-rootcert-<n>.pem" in the current working directory.
+	#
+	cat "$certfile" | ${AWK} -v OPENSSL=${OPENSSL} '
+	function join(array, start, end, separator,	result, i) {
+		result = array[start]
+		for (i = start + 1; i <= end; i++)
+			result = result separator array[i]
+		return result
+	}
+
+	function base8to10(o,	octal, decimal, power, i, n) {
+		decimal = 0
+		n = split(o, octal, "")
+		while (n > 0) {
+			power = 1
+			for (i = 1; i < n; i++)
+				power *= 8
+			decimal += octal[4-n] * power
+			n--
+		}
+		return decimal
+	}
+
+	BEGIN {
+		filenum = 0
+		while (getline) {
+			D = 0
+			if ($0 !~ /^CKA_VALUE MULTILINE_OCTAL/) continue
+
+			filename = "mozilla-rootcert-" filenum ".pem"
+			filenum++
+			cmd = OPENSSL " x509 -inform der -outform pem -text >" filename
+			print filename
+			while (getline) {
+				if ($0 ~ /^END/) break
+				n = split($0, line, "\\")
+				for (i = 2; i <= n; i++) {
+					der[D++] = sprintf("%c", base8to10(line[i]))
+				}
+			}
+			printf("%s", join(der, 0, D, "")) | cmd
+			close(cmd)
+		}
+	}'
+	;;
+esac
-- 
cgit v1.2.3