ca-certificates-mozilla/ca-certificates-mozilla.spec

#
# spec file for package ca-certificates-mozilla
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


%define certdir %{trustdir_static}
BuildRequires:  p11-kit-devel

BuildRequires:  ca-certificates
BuildRequires:  openssl
BuildRequires:  python

Name:           ca-certificates-mozilla
# Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
Version:        1.93
Release:        0
Summary:        CA certificates for OpenSSL
License:        MPL-2.0
Group:          Productivity/Networking/Security
Url:            http://www.mozilla.org
# IMPORTANT: procedure to update certificates:
# - Check the log of the cert file:
#   http://hg.mozilla.org/releases/mozilla-release/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
# - download the new certdata.txt
#   wget -O certdata.txt "https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
# - run compareoldnew to show fingerprints of new and changed certificates
# - check the bugs referenced in cvs log and compare the checksum
#   to output of compareoldnew
# - Watch out that blacklisted or untrusted certificates are not
#   accidentally included!
Source:         https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
Source1:        https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
Source10:       certdata2pem.py
Source11:       %{name}.COPYING
Source12:       compareoldnew
# make p11-kit think there are basic constraints in the Entrust
# cert (https://bugs.freedesktop.org/show_bug.cgi?id=62064)
# Remove after the updated cert is accepted into NSS
# https://bugzilla.mozilla.org/show_bug.cgi?id=694536
Source99:       Entrust_net_Premium_2048_Secure_Server_CA.p11-kit
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildArch:      noarch
# for update-ca-certificates
Requires(post):    ca-certificates
Requires(postun):  ca-certificates
#
Provides:       openssl-certs = 0.9.9
Obsoletes:      openssl-certs < 0.9.9

%description
This package contains some CA root certificates for OpenSSL extracted
from MozillaFirefox



%prep
%setup -qcT
/bin/cp %{SOURCE0} .
install -m 644 %{SOURCE11} COPYING
ver=`sed -ne '/NSS_BUILTINS_LIBRARY_VERSION /s/.*"\(.*\)"/\1/p' < "%{SOURCE1}"`
if [ "%{version}" != "$ver" ]; then
	echo "*** Version number mismatch: spec file should be version $ver"
	false
fi

%build
python %{SOURCE10}

%install
mkdir -p %{buildroot}/%{trustdir_static}/anchors
set +x
for i in *.crt; do
	args=()
	trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
	distrust=`sed -n '/^# openssl-distrust=/{s/^.*=//;p;q;}' "$i"`
	alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' "$i"`
	args+=('-trustout')
	for t in $trust; do
		args+=("-addtrust" "$t")
	done
	for t in $distrust; do
		args+=("-addreject" "$t")
	done
	[ -z "$alias" ] || args+=('-setalias' "$alias")

	echo "$i ${args[*]}"
	{
		grep '^#' "$i"
		openssl x509 -in "$i" "${args[@]}"
	} > "%{buildroot}/%{trustdir_static}$d/${i%%:*}.pem"
done
for i in *.p11-kit %{SOURCE99}; do
	install -m 644 "$i" "%{buildroot}/%{trustdir_static}"
done
set -x

%post
update-ca-certificates || true

%postun
update-ca-certificates || true

%files
%defattr(-, root, root)
%doc COPYING
%{trustdir_static}

%changelog