[ipfire-3.x.git] / ca-certificates / ca-certificates.nm

###############################################################################
# IPFire.org    - An Open Source Firewall Solution                            #
# Copyright (C) - IPFire Development Team <info@ipfire.org>                   #
###############################################################################

name       = ca-certificates
version    = 2022.12
release    = 3

groups     = System/Base
url        = https://www.mozilla.org/
license    = Public Domain
summary    = The Mozilla CA root certificate bundle.

description
	This package contains the set of CA certificates chosen by the
	Mozilla Foundation for use with the Internet PKI.
end

# This package has no tarball.
sources    =

build
	arches = noarch

	requires
		openssl
		p11-kit >= 0.25
		python3
	end

	DIR_APP = %{DIR_SOURCE}

	build
		# Create file layout
		mkdir -pv certs
		cp certdata.txt blacklist.txt certs

		pushd certs
		python3 %{DIR_SOURCE}/certdata2pem.py
		popd

		(cat <<EOF
		# This is a bundle of X.509 certificates of public Certificate
		# Authorities.  It was generated from the Mozilla root CA list.
		# 
		# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
		#
		EOF
		) > ca-bundle.crt

		(cat <<EOF
		# This is a bundle of X.509 certificates of public Certificate
		# Authorities.  It was generated from the Mozilla root CA list.
		# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
		# format and have trust bits set accordingly.
		#
		# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
		#
		EOF
		) > ca-bundle.trust.crt

		mkdir -pv /etc/pki/ca-trust/source

		# Collect all certs for p11-kit
		for p in certs/*.tmp-p11-kit; do
			cat "${p}" >> /etc/pki/ca-trust/source/ca-bundle.trust.p11-kit
		done

		trust extract \
			--overwrite \
			--comment \
			--filter=certificates \
			--format=openssl-bundle \
			ca-bundle.trust
		cat ca-bundle.trust >> ca-bundle.trust.crt

		trust extract \
			--overwrite \
			--comment \
			--filter=ca-anchors \
			--format=pem-bundle \
			--purpose=server-auth \
			ca-bundle
		cat ca-bundle >> ca-bundle.crt
	end

	install
		# Create folder layout.
		mkdir -p %{BUILDROOT}/etc/pki/tls/certs/

		# Install files.
		install -p -m 644 ca-bundle.crt %{BUILDROOT}%{sysconfdir}/pki/tls/certs/ca-bundle.crt
		install -p -m 644 ca-bundle.trust.crt %{BUILDROOT}%{sysconfdir}/pki/tls/certs/ca-bundle.trust.crt

		ln -s certs/ca-bundle.crt %{BUILDROOT}%{sysconfdir}/pki/tls/cert.pem

		touch -r certdata.txt %{BUILDROOT}%{sysconfdir}/pki/tls/certs/ca-bundle.crt
		touch -r certdata.txt %{BUILDROOT}%{sysconfdir}/pki/tls/certs/ca-bundle.trust.crt

		# /etc/ssl/certs symlink for 3rd-party tools
		mkdir -pv -m 755 %{BUILDROOT}%{sysconfdir}/ssl
		ln -s ../pki/tls/certs %{BUILDROOT}%{sysconfdir}/ssl/certs
	end
end

packages
	package %{name}
end
Commit	Line	Data
057303f8 SS	1	###############################################################################
	2	# IPFire.org - An Open Source Firewall Solution #
	3	# Copyright (C) - IPFire Development Team <info@ipfire.org> #
	4	###############################################################################
	5
	6	name = ca-certificates
8f7157c0	7	version = 2022.12
786082f3	8	release = 3
057303f8 SS	9
057303f8 SS	10	groups = System/Base
aec5cbe7	11	url = https://www.mozilla.org/
057303f8 SS	12	license = Public Domain
	13	summary = The Mozilla CA root certificate bundle.
	14
	15	description
	16	This package contains the set of CA certificates chosen by the
	17	Mozilla Foundation for use with the Internet PKI.
	18	end
	19
	20	# This package has no tarball.
	21	sources =
	22
	23	build
5cd803df MT	24	arches = noarch
5cd803df MT	25
057303f8 SS	26	requires
057303f8 SS	27	openssl
786082f3	28	p11-kit >= 0.25
fb152933	29	python3
057303f8 SS	30	end
	31
	32	DIR_APP = %{DIR_SOURCE}
	33
	34	build
fb152933	35	# Create file layout
057303f8 SS	36	mkdir -pv certs
057303f8 SS	37	cp certdata.txt blacklist.txt certs
057303f8	38
fb152933 MT	39	pushd certs
	40	python3 %{DIR_SOURCE}/certdata2pem.py
	41	popd
057303f8	42
057303f8 SS	43	(cat <<EOF
	44	# This is a bundle of X.509 certificates of public Certificate
	45	# Authorities. It was generated from the Mozilla root CA list.
	46	#
	47	# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
	48	#
057303f8	49	EOF
fb152933	50	) > ca-bundle.crt
057303f8 SS	51
	52	(cat <<EOF
	53	# This is a bundle of X.509 certificates of public Certificate
	54	# Authorities. It was generated from the Mozilla root CA list.
	55	# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
	56	# format and have trust bits set accordingly.
	57	#
	58	# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
	59	#
057303f8	60	EOF
fb152933 MT	61	) > ca-bundle.trust.crt
fb152933 MT	62
786082f3 MT	63	mkdir -pv /etc/pki/ca-trust/source
786082f3 MT	64
fb152933 MT	65	# Collect all certs for p11-kit
fb152933 MT	66	for p in certs/*.tmp-p11-kit; do
786082f3	67	cat "${p}" >> /etc/pki/ca-trust/source/ca-bundle.trust.p11-kit
057303f8 SS	68	done
057303f8 SS	69
fb152933 MT	70	trust extract \
	71	--overwrite \
	72	--comment \
	73	--filter=certificates \
	74	--format=openssl-bundle \
	75	ca-bundle.trust
	76	cat ca-bundle.trust >> ca-bundle.trust.crt
	77
	78	trust extract \
	79	--overwrite \
	80	--comment \
	81	--filter=ca-anchors \
	82	--format=pem-bundle \
	83	--purpose=server-auth \
	84	ca-bundle
	85	cat ca-bundle >> ca-bundle.crt
057303f8 SS	86	end
	87
	88	install
	89	# Create folder layout.
	90	mkdir -p %{BUILDROOT}/etc/pki/tls/certs/
	91
	92	# Install files.
	93	install -p -m 644 ca-bundle.crt %{BUILDROOT}%{sysconfdir}/pki/tls/certs/ca-bundle.crt
	94	install -p -m 644 ca-bundle.trust.crt %{BUILDROOT}%{sysconfdir}/pki/tls/certs/ca-bundle.trust.crt
	95
	96	ln -s certs/ca-bundle.crt %{BUILDROOT}%{sysconfdir}/pki/tls/cert.pem
	97
	98	touch -r certdata.txt %{BUILDROOT}%{sysconfdir}/pki/tls/certs/ca-bundle.crt
	99	touch -r certdata.txt %{BUILDROOT}%{sysconfdir}/pki/tls/certs/ca-bundle.trust.crt
	100
	101	# /etc/ssl/certs symlink for 3rd-party tools
	102	mkdir -pv -m 755 %{BUILDROOT}%{sysconfdir}/ssl
	103	ln -s ../pki/tls/certs %{BUILDROOT}%{sysconfdir}/ssl/certs
	104	end
	105	end
	106
	107	packages
	108	package %{name}
	109	end