[csw-devel] SF.net SVN: gar:[2690] csw/mgar/pkg/ca_certificates/trunk

chninkel at users.sourceforge.net chninkel at users.sourceforge.net
Wed Dec 24 00:31:29 CET 2008


Revision: 2690
          http://gar.svn.sourceforge.net/gar/?rev=2690&view=rev
Author:   chninkel
Date:     2008-12-23 23:31:29 +0000 (Tue, 23 Dec 2008)

Log Message:
-----------
ca_certificates: improved certificate selection configuration

Modified Paths:
--------------
    csw/mgar/pkg/ca_certificates/trunk/Makefile
    csw/mgar/pkg/ca_certificates/trunk/checksums
    csw/mgar/pkg/ca_certificates/trunk/files/CSWcacertificates.depend
    csw/mgar/pkg/ca_certificates/trunk/files/CSWcacertificates.gspec
    csw/mgar/pkg/ca_certificates/trunk/files/certdata2pem.pl
    csw/mgar/pkg/ca_certificates/trunk/files/update-ca-certificates

Modified: csw/mgar/pkg/ca_certificates/trunk/Makefile
===================================================================
--- csw/mgar/pkg/ca_certificates/trunk/Makefile	2008-12-23 15:36:04 UTC (rev 2689)
+++ csw/mgar/pkg/ca_certificates/trunk/Makefile	2008-12-23 23:31:29 UTC (rev 2690)
@@ -8,7 +8,7 @@
 endef
 
 MASTER_SITES = http://hg.mozilla.org/mozilla-central/raw-file/default/security/nss/lib/ckfw/builtins/
-DISTFILES  = certdata.txt certdata2pem.pl update-ca-certificates
+DISTFILES  = certdata.txt certdata2pem.pl update-ca-certificates ca-certificates.conf
 DISTFILES += $(call admfiles,CSWcacertificates,depend postinstall)
 
 # We define upstream file regex so we can be notifed of new upstream software release
@@ -25,12 +25,21 @@
 
 include gar/category.mk
 
+$(WORKDIR)/hash.db: $(WORKDIR)/certdata.txt
+	rm -f $(WORKDIR)/hash.db
+	find "$(DESTDIR)/$(sharedstatedir)/ca-certificates" -name *.pem | while read FILE; do \
+		echo "`basename $$FILE`=`/opt/csw/bin/openssl x509 -hash -fingerprint -noout -in "$$FILE" | head -n 1`.0" >> hash.db; \
+	done
 
-install-custom:
+$(WORKDIR)/LICENSE: $(WORKDIR)/certdata.txt
+	sed -ne '/BEGIN LICENSE BLOCK/,/END LICENSE BLOCK/p' "$(WORKDIR)/certdata.txt" | grep -v "LICENSE BLOCK" \
+		> "$(WORKDIR)/LICENSE"
+
+install-custom: $(WORKDIR)/hash.db $(WORKDIR)/LICENSE
 	ginstall -d "$(DESTDIR)/$(sysconfdir)/ssl/certs"
 	ginstall -d "$(DESTDIR)/$(sharedstatedir)/ca-certificates"
-	ginstall -D "$(CURDIR)/$(WORKDIR)/update-ca-certificates" "$(DESTDIR)/$(sbindir)/update-ca-certificates"
-	cd "$(DESTDIR)/$(sharedstatedir)/ca-certificates" && perl "$(CURDIR)/$(WORKDIR)/certdata2pem.pl" < "$(CURDIR)/$(WORKDIR)/certdata.txt"
-	cd "$(DESTDIR)/$(sharedstatedir)/ca-certificates" && ls -1 > "$(CURDIR)/$(WORKDIR)/ca-certificate.conf"
-	sed -ne '/BEGIN LICENSE BLOCK/,/END LICENSE BLOCK/p' "$(CURDIR)/$(WORKDIR)/certdata.txt" | grep -v "LICENSE BLOCK" \
-		> "$(CURDIR)/$(WORKDIR)/LICENSE"
+	ginstall -D $(WORKDIR)/update-ca-certificates "$(DESTDIR)/$(sbindir)/update-ca-certificates"
+	ginstall -D hash.db "$(DESTDIR)/$(sharedstatedir)/ca-certificates/hash.db"
+	ginstall -d "$(DESTDIR)/$(sharedstatedir)/ca-certificates/mozilla"
+	cd "$(DESTDIR)/$(sharedstatedir)/ca-certificates/mozilla" && perl "$(CURDIR)/$(WORKDIR)/certdata2pem.pl" < "$(CURDIR)/$(WORKDIR)/certdata.txt"
+
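Review bot: The `$(WORKDIR)/hash.db` rule never creates its own target: the loop appends to `hash.db` in the current directory (`>> hash.db`), so `rm -f $(WORKDIR)/hash.db` removes nothing, the file in `$(CURDIR)` accumulates duplicate lines on every rebuild, and the rule is re-run each time because its target never exists. Write to the target instead, `>> $@`, and install from there, `ginstall -D $(WORKDIR)/hash.db "$(DESTDIR)/$(sharedstatedir)/ca-certificates/hash.db"`. The dependency direction also looks inverted: `install-custom` lists `$(WORKDIR)/hash.db` as a prerequisite, so the `find` over `$(DESTDIR)/$(sharedstatedir)/ca-certificates` runs before the `mozilla` subdirectory it searches is populated by the `certdata2pem.pl` line at the end of `install-custom`, and on a clean build the database will presumably be empty. The pattern in `-name *.pem` should be quoted (`-name '*.pem'`) so the shell cannot expand it against the current directory before `find` sees it.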

Modified: csw/mgar/pkg/ca_certificates/trunk/checksums
===================================================================
--- csw/mgar/pkg/ca_certificates/trunk/checksums	2008-12-23 15:36:04 UTC (rev 2689)
+++ csw/mgar/pkg/ca_certificates/trunk/checksums	2008-12-23 23:31:29 UTC (rev 2690)
@@ -1,6 +1,7 @@
 4dabeaecfd46395da152e51d312107e4  download/certdata.txt
-6087aaa070808190680dcd5cb03c0cb9  download/certdata2pem.pl
-f7b1df4e84e70b1cf7023779ba11698b  download/update-ca-certificates
-3bb0b5d545c0bd8f4381cfd2d500586c  download/CSWcacertificates.gspec
-df81c8c6eb55786ebefd47fc6400b8b6  download/CSWcacertificates.depend
-48e4c60f385981c1430313584f527b50  download/CSWcacertificates.postinstall
+77fe4c8feb1b341814a6ed03d4ff764a  download/certdata2pem.pl
+e4b769f7250ea1c929252a13fe09e4ee  download/update-ca-certificates
+b4f6772525da6772d51eb30f90605d60  download/ca-certificates.conf
+787d361f8d8b8ecf89e83bb813fdaec5  download/CSWcacertificates.gspec
+31227010faaad1c2b9893ba91d6b16bb  download/CSWcacertificates.depend
+32e6ea27867c760d2279330fd4c480d3  download/CSWcacertificates.postinstall

Modified: csw/mgar/pkg/ca_certificates/trunk/files/CSWcacertificates.depend
===================================================================
--- csw/mgar/pkg/ca_certificates/trunk/files/CSWcacertificates.depend	2008-12-23 15:36:04 UTC (rev 2689)
+++ csw/mgar/pkg/ca_certificates/trunk/files/CSWcacertificates.depend	2008-12-23 23:31:29 UTC (rev 2690)
@@ -1,2 +1 @@
 P       CSWcswclassutils
-P	CSWosslutils

Modified: csw/mgar/pkg/ca_certificates/trunk/files/CSWcacertificates.gspec
===================================================================
--- csw/mgar/pkg/ca_certificates/trunk/files/CSWcacertificates.gspec	2008-12-23 15:36:04 UTC (rev 2689)
+++ csw/mgar/pkg/ca_certificates/trunk/files/CSWcacertificates.gspec	2008-12-23 23:31:29 UTC (rev 2690)
@@ -4,4 +4,4 @@
 %include        url file://%{PKGLIB}/csw_dyndepend.gspec
 %copyright      url file://%{WORKDIR}/LICENSE
 %prototype:merge
-e cswpreserveconf /opt/csw/etc/ca-certificates.conf.csw=ca-certificate.conf 0644 root bin
+e cswpreserveconf /opt/csw/etc/ca-certificates.conf.csw=ca-certificates.conf 0644 root bin

Modified: csw/mgar/pkg/ca_certificates/trunk/files/certdata2pem.pl
===================================================================
--- csw/mgar/pkg/ca_certificates/trunk/files/certdata2pem.pl	2008-12-23 15:36:04 UTC (rev 2689)
+++ csw/mgar/pkg/ca_certificates/trunk/files/certdata2pem.pl	2008-12-23 23:31:29 UTC (rev 2690)
@@ -35,7 +35,7 @@
 		$val =~ s/"$//;
 		$val =~ s/[\/\s,]/_/g;
 		$val =~ s/[()]//g;
-		$fname = $val . ".crt";
+		$fname = $val . ".pem";
 		next;
 	}
 

Modified: csw/mgar/pkg/ca_certificates/trunk/files/update-ca-certificates
===================================================================
--- csw/mgar/pkg/ca_certificates/trunk/files/update-ca-certificates	2008-12-23 15:36:04 UTC (rev 2689)
+++ csw/mgar/pkg/ca_certificates/trunk/files/update-ca-certificates	2008-12-23 23:31:29 UTC (rev 2690)
@@ -1,7 +1,7 @@
 #!/bin/sh -e
 #
 # update-ca-certificates
-# Debian script adapted for Solaris by Yann Rouillard
+# Script inspired by debian script update-ca-certificates
 #
 # Copyright (c) 2003 Fumitoshi UKAI <ukai at debian.or.jp>
 # Copyright (c) 2008 Yann Rouillard <yann at pleiades.fr.eu.org>
@@ -21,13 +21,59 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 #
 
-verbose=0
-fresh=0
-while [ $# -gt 0 ];
-do
+CACERTS_CONF=/opt/csw/etc/ca-certificates.conf
+CACERTS_DIR=/opt/csw/share/ca-certificates
+CERTBUNDLE=ca-certificates.crt
+CERTSDIR=/opt/csw/etc/ssl/certs
+
+
+# find the certificate files corresponding to the given pattern
+find_certfile ()
+{
+	if [ -f "$CACERTS_DIR/$1" ]; then
+		echo "$CACERTS_DIR/$1"
+	elif [ -f "$1" ]; then
+		echo "$1"
+	else
+		# if the file doesn't exist we suppose it's a find pattern
+		# like *.crt
+		DIRNAME="`dirname "$1"`"
+		if [ "$DIRNAME" = "." ]; then
+			DIRNAME="$CACERTS_DIR"
+		fi
+		BASENAME="`basename "$1"`"
+		find $DIRNAME -name "$BASENAME" 
+	fi
+}
+
+
+# return the full paths of all certificate files
+get_certfile_list ()
+{
+	# first we find all excluded certificates, excluding duplicates
+	sed -ne '/^ *!/s/^ *! *//p' "$CACERTS_CONF" | while read CERTFILE; do
+		[ -n "$CERTFILE" ] && find_certfile "$CERTFILE"
+	done | sort -u > /tmp/update-ca-certificates.tmp.$$
+
+	# then we find all certificates excluding duplicates
+	# and excluded certificates
+	sed -e '/^ *[#!]/d' "$CACERTS_CONF" | while read CERTFILE; do
+		[ -n "$CERTFILE" ] && find_certfile "$CERTFILE"
+	done | sort -u | {
+		while read CERTFILE; do
+			grep -w "$CERTFILE" /tmp/update-ca-certificates.tmp.$$ >/dev/null || echo "$CERTFILE"
+		done
+	}
+
+	rm -f /tmp/update-ca-certificates.tmp.$$
+}
+
+
+VERBOSE=0
+while [ $# -gt 0 ]; do
 	case $1 in
 		--verbose|-v)
-			verbose=1;;
+			VERBOSE=1;;
 
 		--help|-h|*)
 			echo "$0: [--verbose] [--fresh]"
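Review bot: `get_certfile_list` writes its scratch list to the predictable name `/tmp/update-ca-certificates.tmp.$$` with `>`; this script runs as root against a world-writable directory, so a pre-placed symlink of that name would make it truncate whatever the link points to. The previous revision already used `mktemp` for the bundle temp file, so the same idiom fits here: assign the output of `mktemp /tmp/update-ca-certificates.XXXXXX` to a variable (aborting if it fails) and redirect `sort -u` into that, or keep the exclusion list in a shell variable and avoid the file altogether. The exclusion test `grep -w "$CERTFILE" ...` treats the path as a regular expression and accepts whole-word substring matches, so `a.pem` also excludes `a_pem` and `a.pem.bak`; `grep -Fxq "$CERTFILE"` is the exact-line comparison intended. The usage string on the `--help` branch still advertises `--fresh`, which this revision no longer parses since `fresh=0` and its handling were removed.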
@@ -36,42 +82,59 @@
 	shift
 done
 
-CERTSCONF=/opt/csw/etc/ca-certificates.conf
-CERTSDIR=/opt/csw/share/ca-certificates
-CERTBUNDLE=ca-certificates.crt
-ETCCERTSDIR=/opt/csw/etc/ssl/certs
 
-if [ ! -f "$CERTSCONF" ]; then
-	echo "ERROR: $CERTSCONF doesn't exist !" >&2
+if [ ! -f "$CACERTS_CONF" ]; then
+	echo "ERROR: $CACERTS_CONF doesn't exist !" >&2
 	exit 2
 fi
 
-cd $ETCCERTSDIR
-find . -type l -print | while read SYMLINK; do
-	test -f $SYMLINK || rm -f $SYMLINK
+printf "Updating certificates in $CERTSDIR..."
+
+
+# first we remove the existing symlink
+find "$CERTSDIR" -type l -print | while read SYMLINK; do
+	[ ! -L "$SYMLINK" ] || rm -f "$SYMLINK"
 done
 
-printf "Updating certificates in $ETCCERTSDIR..."
+# then we recreate them
+get_certfile_list | while read CERTFILE; do
+	SYMLINK="`basename "$CERTFILE"`"
+	SYMLINK="`echo $SYMLINK | sed -e 's/\.[^\.]*$//'`.pem"
 
-BUNDLETMP=`mktemp "${CERTBUNDLE}.tmp.XXXXXX"`
-sed -e '/^#/g' "$CERTSCONF" | while read CERTFILE; do
-	if [ ! -f "$CERTFILE" ]; then
-		if [ ! -f "$CERTSDIR/$CERTFILE" ]; then
-			continue
-		fi
-		CERTFILE="$CERTSDIR/$CERTFILE"
-	fi
-
-	cd "$ETCCERTSDIR" && ln -sf "$CERTFILE" "`basename $CERTFILE`.pem"
+	cd "$CERTSDIR" && ln -sf "$CERTFILE" "$SYMLINK"
 done
 
-cd "$ETCCERTSDIR" && cat *.pem > "$BUNDLETMP"
-chmod 0644 "$BUNDLETMP"
-mv -f "$BUNDLETMP" "$ETCCERTSDIR/$CERTBUNDLE"
+# we create the certificate bundle file which contains all the
+# certificate, some software prefer to use this file 
+# (and this is mandatory for software linked with gnutls)
+cat "$CERTSDIR/"*.pem > "$CERTSDIR/$CERTBUNDLE.tmp" 2>/dev/null || true
+chmod 0644 "$CERTSDIR/$CERTBUNDLE.tmp"
+mv -f "$CERTSDIR/$CERTBUNDLE.tmp" "$CERTSDIR/$CERTBUNDLE"
 
-if [ "$verbose" = 0 ]; then
-	OPENSSL=/opt/csw/bin/openssl /opt/csw/bin/c_rehash . >/dev/null 2>&1
-else
-	OPENSSL=/opt/csw/bin/openssl /opt/csw/bin/c_rehash .
+
+# we create the hash links for certificate, openssl library need 
+# this link to be able to find a CA certificate
+if { openssl version; } >/dev/null 2>&1; then
+	c_rehash "$CERTSDIR" >/dev/null 2>&1
+
+elif { /opt/csw/bin/openssl version; } >/dev/null 2>&1; then
+	OPENSSL="/opt/csw/bin/openssl" /opt/csw/bin/c_rehash "$CERTSDIR" >/dev/null 2>&1
+
+# openssl binary isn't available, so we fall back our own provided file containing
+# hash value for certificates provided by this package
+# this way, we don't stricly depend on the openssl_utils package
+elif [ -f "$CACERTS_DIR/hash.db" ]; then
+	cd "$CERTSDIR"
+	for FILE in *.pem; do
+		HASH=`awk -F= " \\\$1 == \"$FILE\" { print \\\$2; exit 0 }" "$CACERTS_DIR/hash.db"`
+		if [ -n "$HASH" ]; then
+			ln -s "$FILE" "$HASH"
+		else
+			echo
+			echo "WARNING: a custom certificate was installed, you need to install openssl_utils so" 
+		        echo "         update-ca-certificates is able to generate the hash of your custom certificate."	
+		fi
+	done
 fi
+	
 echo "done."
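Review bot: The bundle step `cat "$CERTSDIR/"*.pem > "$CERTSDIR/$CERTBUNDLE.tmp" 2>/dev/null || true` replaces the previous `ca-certificates.crt` with whatever `cat` managed to write even when it failed, so an unreadable or missing certificate file yields a truncated or empty trust bundle that the `mv` two lines later installs with the error hidden. The script already runs under `sh -e`; dropping `2>/dev/null || true` lets the failure stop the script before `mv` and keeps the last good bundle in place, and if an empty `certs` directory is meant to be tolerated that case should be tested for explicitly and reported. In the `hash.db` fallback, `ln -s "$FILE" "$HASH"` has no `-f` and every entry in the database ends in `.0`, so two certificates that share a subject hash make the second `ln` fail and, under `-e`, terminate the script with the remaining certificates unlinked; `c_rehash` handles this by incrementing the suffix, and the fallback should at least detect the collision rather than abort. `VERBOSE` is now parsed but never read, since both `c_rehash` branches always discard their output; either honour it as the old `verbose` test did or drop the option.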




