|
 |
b62ba6e |
# certdata.txt is generated by extracting it from Mozilla CVS.
|
|
|
b62ba6e |
# This is done by running:
|
|
|
b62ba6e |
#
|
|
|
b62ba6e |
# cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot \
|
|
|
b62ba6e |
# co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt \
|
|
|
b62ba6e |
# > certdata.txt
|
|
|
b62ba6e |
#
|
|
|
b62ba6e |
# Keep the RCS version in sync with the spec Version.
|
|
|
d01a981 |
|
|
|
d01a981 |
%define pkidir %{_sysconfdir}/pki
|
|
|
d01a981 |
|
|
|
d01a981 |
Summary: The Mozilla CA root certificate bundle
|
|
|
d01a981 |
Name: ca-certificates
|
|
|
b62ba6e |
Version: 2010.63
|
|
|
b62ba6e |
Release: 1%{?dist}
|
|
|
d01a981 |
License: Public Domain
|
|
|
d01a981 |
Group: System Environment/Base
|
|
|
d01a981 |
URL: http://www.mozilla.org/
|
|
|
5f392b3 |
Source0: certdata.txt
|
|
|
5f392b3 |
Source1: blacklist.txt
|
|
|
5f392b3 |
Source2: generate-cacerts.pl
|
|
|
5f392b3 |
Source3: certdata2pem.py
|
|
|
d01a981 |
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
|
|
56a6866 |
BuildRequires: perl, java-openjdk, python, rcs
|
|
|
d01a981 |
BuildArch: noarch
|
|
|
d01a981 |
|
|
|
d01a981 |
%description
|
|
|
d01a981 |
This package contains the set of CA certificates chosen by the
|
|
|
d01a981 |
Mozilla Foundation for use with the Internet PKI.
|
|
|
d01a981 |
|
|
|
d01a981 |
%prep
|
|
|
d01a981 |
rm -rf %{name}
|
|
|
56a6866 |
mkdir %{name} %{name}/certs %{name}/java
|
|
|
d01a981 |
|
|
|
d01a981 |
%build
|
|
|
5f392b3 |
pushd %{name}/certs
|
|
|
5f392b3 |
cp %{SOURCE0} %{SOURCE1} .
|
|
|
5f392b3 |
python %{SOURCE3}
|
|
|
5f392b3 |
popd
|
|
|
d01a981 |
pushd %{name}
|
|
|
5f392b3 |
(
|
|
|
5f392b3 |
cat <
|
|
|
5f392b3 |
# This is a bundle of X.509 certificates of public Certificate
|
|
|
5f392b3 |
# Authorities. It was generated from the Mozilla root CA list.
|
|
|
5f392b3 |
#
|
|
|
5f392b3 |
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
|
|
|
5f392b3 |
#
|
|
|
5f392b3 |
# Generated from:
|
|
|
5f392b3 |
EOF
|
|
|
5f392b3 |
ident -q %{SOURCE0} | sed '1d;s/^/#/';
|
|
|
5f392b3 |
echo '#';
|
|
|
5f392b3 |
) > ca-bundle.crt
|
|
|
708646c |
(
|
|
|
708646c |
cat <
|
|
|
708646c |
# This is a bundle of X.509 certificates of public Certificate
|
|
|
708646c |
# Authorities. It was generated from the Mozilla root CA list.
|
|
|
708646c |
# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
|
|
|
708646c |
# format and have trust bits set accordingly.
|
|
|
708646c |
#
|
|
|
708646c |
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
|
|
|
708646c |
#
|
|
|
708646c |
# Generated from:
|
|
|
708646c |
EOF
|
|
|
708646c |
ident -q %{SOURCE0} | sed '1d;s/^/#/';
|
|
|
708646c |
echo '#';
|
|
|
708646c |
) > ca-bundle.trust.crt
|
|
|
708646c |
for f in certs/*.crt; do
|
|
|
708646c |
tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
|
|
|
708646c |
case $tbits in
|
|
|
708646c |
*serverAuth*) openssl x509 -text -in "$f" >> ca-bundle.crt ;;
|
|
|
708646c |
esac
|
|
|
708646c |
if [ -n "$tbits" ]; then
|
|
|
708646c |
targs=""
|
|
|
708646c |
for t in $tbits; do
|
|
|
708646c |
targs="${targs} -addtrust $t"
|
|
|
708646c |
done
|
|
|
708646c |
openssl x509 -text -in "$f" -trustout $targs >> ca-bundle.trust.crt
|
|
|
708646c |
fi
|
|
|
708646c |
done
|
|
|
56a6866 |
popd
|
|
|
56a6866 |
pushd %{name}/java
|
|
|
425940e |
test -s ../ca-bundle.crt || exit 1
|
|
|
425940e |
%{__perl} %{SOURCE2} %{_bindir}/keytool ../ca-bundle.crt
|
|
|
d01a981 |
touch -r %{SOURCE0} cacerts
|
|
|
d01a981 |
popd
|
|
|
d01a981 |
|
|
|
d01a981 |
%install
|
|
|
d01a981 |
rm -rf $RPM_BUILD_ROOT
|
|
|
d01a981 |
|
|
|
d01a981 |
mkdir -p $RPM_BUILD_ROOT{%{pkidir}/tls/certs,%{pkidir}/java}
|
|
|
d01a981 |
|
|
|
425940e |
install -p -m 644 %{name}/ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
|
|
|
dc70b1f |
install -p -m 644 %{name}/ca-bundle.trust.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt
|
|
|
65c3b04 |
ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
|
|
|
5f392b3 |
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
|
|
|
708646c |
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt
|
|
|
d01a981 |
|
|
|
d01a981 |
# Install Java cacerts file.
|
|
|
d01a981 |
mkdir -p -m 700 $RPM_BUILD_ROOT%{pkidir}/java
|
|
|
56a6866 |
install -p -m 644 %{name}/java/cacerts $RPM_BUILD_ROOT%{pkidir}/java/
|
|
|
d01a981 |
|
|
|
d01a981 |
%clean
|
|
|
d01a981 |
rm -rf $RPM_BUILD_ROOT
|
|
|
d01a981 |
|
|
|
d01a981 |
%files
|
|
|
d01a981 |
%defattr(-,root,root,-)
|
|
|
d01a981 |
%dir %{pkidir}/java
|
|
|
d01a981 |
%config(noreplace) %{pkidir}/java/cacerts
|
|
|
d01a981 |
%dir %{pkidir}/tls
|
|
|
d01a981 |
%dir %{pkidir}/tls/certs
|
|
|
708646c |
%config(noreplace) %{pkidir}/tls/certs/ca-bundle.*crt
|
|
|
866d688 |
%{pkidir}/tls/cert.pem
|
|
|
d01a981 |
|
|
|
d01a981 |
%changelog
|
|
|
b62ba6e |
* Wed Apr 7 2010 Joe Orton <jorton@redhat.com> - 2010.63-1
|
|
|
b62ba6e |
- update to certdata.txt r1.63
|
|
|
b62ba6e |
- use upstream RCS version in Version
|
|
|
b62ba6e |
|
|
|
dc70b1f |
* Fri Mar 19 2010 Joe Orton <jorton@redhat.com> - 2010-4
|
|
|
dc70b1f |
- fix ca-bundle.crt (#575111)
|
|
|
dc70b1f |
|
|
|
708646c |
* Thu Mar 18 2010 Joe Orton <jorton@redhat.com> - 2010-3
|
|
|
708646c |
- update to certdata.txt r1.58
|
|
|
708646c |
- add /etc/pki/tls/certs/ca-bundle.trust.crt using 'TRUSTED CERTICATE' format
|
|
|
708646c |
- exclude ECC certs from the Java cacerts database
|
|
|
708646c |
- catch keytool failures
|
|
|
708646c |
- fail parsing certdata.txt on finding untrusted but not blacklisted cert
|
|
|
708646c |
|
|
|
56a6866 |
* Fri Jan 15 2010 Joe Orton <jorton@redhat.com> - 2010-2
|
|
|
56a6866 |
- fix Java cacert database generation: use Subject rather than Issuer
|
|
|
56a6866 |
for alias name; add diagnostics; fix some alias names.
|
|
|
56a6866 |
|
|
|
5f392b3 |
* Mon Jan 11 2010 Joe Orton <jorton@redhat.com> - 2010-1
|
|
|
5f392b3 |
- adopt Python certdata.txt parsing script from Debian
|
|
|
5f392b3 |
|
|
 |
0bfc15e |
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2009-2
|
|
|
0bfc15e |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
|
|
|
0bfc15e |
|
|
|
5406f40 |
* Wed Jul 22 2009 Joe Orton <jorton@redhat.com> 2009-1
|
|
|
5406f40 |
- update to certdata.txt r1.53
|
|
|
5406f40 |
|
|
|
a42172d |
* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2008-8
|
|
|
a42172d |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
|
|
|
a42172d |
|
|
|
e908127 |
* Tue Oct 14 2008 Joe Orton <jorton@redhat.com> 2008-7
|
|
|
e908127 |
- update to certdata.txt r1.49
|
|
|
e908127 |
|
|
Thomas Fitzsimmons |
180c47e |
* Wed Jun 25 2008 Thomas Fitzsimmons <fitzsim@redhat.com> - 2008-6
|
|
Thomas Fitzsimmons |
180c47e |
- Change generate-cacerts.pl to produce pretty aliases.
|
|
Thomas Fitzsimmons |
180c47e |
|
|
|
65c3b04 |
* Mon Jun 2 2008 Joe Orton <jorton@redhat.com> 2008-5
|
|
|
65c3b04 |
- include /etc/pki/tls/cert.pem symlink to ca-bundle.crt
|
|
|
65c3b04 |
|
|
|
d01a981 |
* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-4
|
|
|
d01a981 |
- use package name for temp dir, recreate it in prep
|
|
|
d01a981 |
|
|
|
d01a981 |
* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-3
|
|
|
d01a981 |
- fix source script perms
|
|
|
d01a981 |
- mark packaged files as config(noreplace)
|
|
|
d01a981 |
|
|
|
d01a981 |
* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-2
|
|
|
d01a981 |
- add (but don't use) mkcabundle.pl
|
|
|
d01a981 |
- tweak description
|
|
|
d01a981 |
- use /usr/bin/keytool directly; BR java-openjdk
|
|
|
d01a981 |
|
|
|
d01a981 |
* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-1
|
|
|
d01a981 |
- Initial build (#448497)
|