###############################################################################
name = ca-certificates
-version = 2019.11
+version = 2023.09
release = 1
-arch = noarch
groups = System/Base
url = https://www.mozilla.org/
sources =
build
+ arches = noarch
+
requires
openssl
- perl
- rcs
+ p11-kit >= 0.25
+ python3
end
DIR_APP = %{DIR_SOURCE}
build
- # Create file layout.
+ # Create file layout
mkdir -pv certs
cp certdata.txt blacklist.txt certs
- cd certs
- python %{DIR_SOURCE}/certdata2pem.py
+ pushd certs
+ python3 %{DIR_SOURCE}/certdata2pem.py
+ popd
- cd ..
(cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
# Authorities. It was generated from the Mozilla root CA list.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
- # Generated from:
EOF
- ident -q certdata.txt | sed '1d;s/^/#/';
-
- echo '#' ) > ca-bundle.crt
+ ) > ca-bundle.crt
(cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
- # Generated from:
EOF
- ident -q certdata.txt | sed '1d;s/^/#/';
- echo '#' ) > ca-bundle.trust.crt
-
- for f in certs/*.crt; do
- [ -z "${f}" ] && continue
-
- tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' ${f})
- case "${tbits}" in
- *serverAuth*)
- openssl x509 -text -in "${f}" >> ca-bundle.crt
- ;;
- esac
-
- if [ -n "$tbits" ]; then
- targs=""
- for t in ${tbits}; do
- targs="${targs} -addtrust ${t}"
- done
-
- openssl x509 -text -in "${f}" -trustout $targs >> ca-bundle.trust.crt
- fi
+ ) > ca-bundle.trust.crt
+
+ mkdir -pv /etc/pki/ca-trust/source
+
+ # Collect all certs for p11-kit
+ for p in certs/*.tmp-p11-kit; do
+ cat "${p}" >> /etc/pki/ca-trust/source/ca-bundle.trust.p11-kit
done
- perl generate-cacerts.pl /usr/bin/keytool ../ca-bundle.crt
- touch -r certdata.txt cacerts
+ trust extract \
+ --overwrite \
+ --comment \
+ --filter=certificates \
+ --format=openssl-bundle \
+ ca-bundle.trust
+ cat ca-bundle.trust >> ca-bundle.trust.crt
+
+ trust extract \
+ --overwrite \
+ --comment \
+ --filter=ca-anchors \
+ --format=pem-bundle \
+ --purpose=server-auth \
+ ca-bundle
+ cat ca-bundle >> ca-bundle.crt
end
install
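Review bot: The p11-kit collection loop appends with `>>` to `/etc/pki/ca-trust/source/ca-bundle.trust.p11-kit`, an absolute path in the build environment rather than the working directory. Since `trust extract` presumably reads the system trust store, anything already in that file or store would end up in the shipped `ca-bundle.crt` and `ca-bundle.trust.crt`. Unless the build root is guaranteed to start with an empty store, write the file in one truncating step: `cat certs/*.tmp-p11-kit > /etc/pki/ca-trust/source/ca-bundle.trust.p11-kit`. That form also fails visibly when `certdata2pem.py` produced no `.tmp-p11-kit` files, instead of looping over the unmatched pattern. A `[ -s ca-bundle ]` and `[ -s ca-bundle.trust ]` check before the two final `cat` lines would stop an empty extraction from yielding a header-only bundle; the `install` section continues outside the visible lines.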