rpm/ca-certificates
SHA256
1
0
Fork 0
forked from pool/ca-certificates
Code Pull Requests Activity

Accepting request 40676 from Base:System

Browse Source 
checked in (request 40676)

OBS-URL: https://build.opensuse.org/request/show/40676
OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates?expand=0&rev=16
This commit is contained in:
OBS User autobuild 2010-05-28 15:02:25 +00:00 committed by Git OBS Bridge
parent 766ed7db1a
commit 61c123a8c2
5 changed files with 13 additions and 399 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
ca-certificates.changes
View File

@ -1,14 +1,3 @@
-------------------------------------------------------------------
Fri May 21 12:46:55 UTC 2010 - mvyskocil@suse.cz
* Use the gcc-java and fastjar for build to avoid dependency problems
* build keystore.class only to allow noarch package
-------------------------------------------------------------------
Wed May 19 09:57:41 UTC 2010 - lnussel@suse.de
- create java bundles
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Apr 27 14:17:24 UTC 2010 - lnussel@suse.de Tue Apr 27 14:17:24 UTC 2010 - lnussel@suse.de

58
ca-certificates.spec
View File

@ -17,13 +17,7 @@
# norootforbuild # norootforbuild
%bcond_without java
BuildRequires: openssl BuildRequires: openssl
%if %{with java}
BuildRequires: gcc-java
BuildRequires: fastjar
%endif
Name: ca-certificates Name: ca-certificates
%define ssletcdir %{_sysconfdir}/ssl %define ssletcdir %{_sysconfdir}/ssl
@ -39,9 +33,8 @@ Source0: update-ca-certificates
Source1: update-ca-certificates.8 Source1: update-ca-certificates.8
Source2: GPL-2.0.txt Source2: GPL-2.0.txt
Source3: certbundle.run Source3: certbundle.run
Source4: keystore.java
Source5: java.run
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
Url: http://gitorious.org/opensuse/ca-certificates Url: http://gitorious.org/opensuse/ca-certificates
# #
Requires: openssl Requires: openssl
@ -50,26 +43,10 @@ Recommends: ca-certificates-mozilla
# gone when a package providing actual certificates gets # gone when a package providing actual certificates gets
# installed (bnc#594434). # installed (bnc#594434).
Obsoletes: openssl-certs < 0.9.9 Obsoletes: openssl-certs < 0.9.9
BuildArch: noarch
%if %{with java}
%package -n java-ca-certificates
Group: Productivity/Networking/Security
Summary: Utilities CA certificate import to gcj
Requires(post): ca-certificates
Supplements: packageand(gcj-compat:ca-certificates)
Supplements: packageand(java-1_6_0-openjdk:ca-certificates)
Supplements: packageand(java-1_6_0-sun:ca-certificates)
%endif
%description %description
Utilities for system wide CA certificate installation Utilities for system wide CA certificate installation
%if %{with java}
%description -n java-ca-certificates
Utilities for CA certificate installation for gcj and openjdk Java
%endif
%prep %prep
%setup -qcT %setup -qcT
install -m 755 %{SOURCE0} . install -m 755 %{SOURCE0} .
@ -77,16 +54,6 @@ install -m 644 %{SOURCE1} .
install -m 644 %{SOURCE2} COPYING install -m 644 %{SOURCE2} COPYING
%build %build
%if %{with java}
gcj -C %SOURCE4 -d .
# emulate -e option of jar for fastjar
cat <<EOF > MANIFEST.MF
Manifest-Version: 1.0
Created-By: 0.98
Main-Class: keystore
EOF
fastjar cfm keystore.jar MANIFEST.MF keystore*.class
%endif
%install %install
mkdir -p %{buildroot}/%{etccadir} mkdir -p %{buildroot}/%{etccadir}
@ -98,18 +65,10 @@ mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/update.d
install -D -m 644 /dev/null %{buildroot}/%{cabundle} install -D -m 644 /dev/null %{buildroot}/%{cabundle}
install -m 644 /dev/null %{buildroot}/etc/ca-certificates.conf install -m 644 /dev/null %{buildroot}/etc/ca-certificates.conf
install -m 755 %{SOURCE3} %{buildroot}%{_prefix}/lib/ca-certificates/update.d install -m 755 %{SOURCE3} %{buildroot}%{_prefix}/lib/ca-certificates/update.d
install -m 755 %{SOURCE5} %{buildroot}%{_prefix}/lib/ca-certificates/update.d
ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem
install -m 755 update-ca-certificates %{buildroot}/%{_sbindir} install -m 755 update-ca-certificates %{buildroot}/%{_sbindir}
install -m 644 update-ca-certificates.8 %{buildroot}/%{_mandir}/man8 install -m 644 update-ca-certificates.8 %{buildroot}/%{_mandir}/man8
install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/ca-bundle.pem
%if %{with java}
mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/java
install -m 644 keystore.jar %{buildroot}%{_prefix}/lib/ca-certificates/java
install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts
install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/gcj-cacerts
%endif
%post %post
# this is just needed for those updating Factory, # this is just needed for those updating Factory,
@ -122,11 +81,6 @@ fi
# as openssl changed the hash format between 0.9.8 and 1.0 # as openssl changed the hash format between 0.9.8 and 1.0
update-ca-certificates -f || true update-ca-certificates -f || true
%if %{with java}
%post -n java-ca-certificates
update-ca-certificates || true
%endif
%clean %clean
rm -rf %{buildroot} rm -rf %{buildroot}
@ -146,15 +100,5 @@ rm -rf %{buildroot}
%{_prefix}/lib/ca-certificates/update.d/* %{_prefix}/lib/ca-certificates/update.d/*
%{_sbindir}/update-ca-certificates %{_sbindir}/update-ca-certificates
%{_mandir}/man8/update-ca-certificates.8* %{_mandir}/man8/update-ca-certificates.8*
%ghost /var/lib/ca-certificates/ca-bundle.pem
%if %{with java}
%files -n java-ca-certificates
%defattr(-, root, root)
%dir %{_prefix}/lib/ca-certificates/java
%{_prefix}/lib/ca-certificates/java/keystore.jar
%ghost /var/lib/ca-certificates/java-cacerts
%ghost /var/lib/ca-certificates/gcj-cacerts
%endif
%changelog %changelog

85
java.run
View File

@ -1,85 +0,0 @@
#!/bin/bash
unset ${!LC_*} ${!RC_LC_*} LANGUAGE RC_LANG
export LANG=en_US
set -e
libexecdir="/usr/lib/ca-certificates/java/"
cafile="/var/lib/ca-certificates/java-cacerts"
cafile_gcj="/var/lib/ca-certificates/gcj-cacerts"
cadir="/etc/ssl/certs"
tmppem="$cafile.tmp"
cleanup()
{
rm -rf "$tmppem"
}
trap cleanup EXIT
for i in "$@"; do
if [ "$i" = "-f" ]; then
fresh=1
elif [ "$i" = "-v" ]; then
verbose=1
fi
done
umask 0022
if [ -z "$JAVA_HOME" -a -r /etc/profile.d/alljava.sh ]; then
. /etc/profile.d/alljava.sh
fi
if [ -n "$JAVA_HOME" ]; then
java="$JAVA_HOME/bin/java"
else
java=`which java`
fi
if [[ $(readlink -f "${java}") =~ gij ]]; then
java=""
fi
if [ ! -e "$libexecdir"/keystore.jar ]; then
# nothing to do
exit 0
fi
mustrun=
if [ -n "$fresh" ]; then
mustrun=1
fi
if [ -e "$libexecdir"/keystore.jar -a "$cadir" -nt "$cafile" ]; then
mustrun=1
fi
[ -n "$mustrun" ] || exit 0
mkdir -p ${cafile%/*}
mkdir -p "$tmppem"
for i in "$cadir"/*.pem; do
# only include certificates trusted for server auth
if grep -q "BEGIN TRUSTED CERTIFICATE" "$i"; then
trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
case "$trust" in
*serverAuth*) ;;
*) [ -z "$verbose" ] || echo "skipping $i" >&2; continue ;;
esac
openssl x509 -in "$i" -out "$tmppem/${i##*/}"
else
ln -s "$i" "$tmppem"
fi
done
if [ -x "$java" ]; then
echo "creating $cafile ..."
$java -jar $libexecdir/keystore.jar -keystore "$cafile" -cadir "$cadir" "$@"
fi
if [ -x "/usr/bin/gij" ]; then
echo "creating $cafile_gcj ..."
/usr/bin/gij -jar $libexecdir/keystore.jar -keystore "$cafile_gcj" -cadir "$cadir" "$@"
fi
# vim: syntax=sh

235
keystore.java
View File

@ -1,235 +0,0 @@
/*
* Import system SSL certificates to java keystore
* Copyright (C) 2010 SUSE LINUX Products GmbH
*
* Author: Ludwig Nussel
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* version 2 as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
*/
import java.security.KeyStore;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.BufferedInputStream;
import java.io.FilenameFilter;
import java.util.HashSet;
import java.util.Enumeration;
import java.util.Iterator;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
public class keystore
{
static HashSet<String> blacklist;
public static void usage() {
System.err.println("Usage: java keystore -keystore <keystore_file> -cadir <directory> [-storepass <password>|-f|-v]");
System.err.println("");
System.err.println(" -keystore <keystore_file>\tname of final keystore (required)");
System.err.println(" -cadir <directory>\t\tdirectory contains certificates (required)");
System.err.println(" -storepass <password>\tthe password");
System.err.println(" -f\t\t\t\tfresh existing keystore");
System.err.println(" -v\t\t\t\tbe verbose");
System.err.println(" -h/--help\t\t\tshow this help");
}
public static void main(String[] args)
throws java.security.KeyStoreException,
java.security.NoSuchAlgorithmException,
java.security.cert.CertificateException,
java.io.FileNotFoundException,
java.io.IOException
{
char[] password = null;
String ksfilename = null;
String cadirname = null;
boolean verbose = false;
boolean fresh = false;
if (args.length == 0) {
usage();
System.exit(1);
}
if (!System.getProperty("java.vendor").equals("Free Software Foundation, Inc.")) {
password = "changeit".toCharArray();
}
for (int i = 0; i < args.length; ++i) {
if (args[i].equals("-keystore")) {
ksfilename = args[++i];
} else if (args[i].equals("-cadir")) {
cadirname = args[++i];
} else if (args[i].equals("-storepass")) {
password = args[++i].toCharArray();
} else if (args[i].equals("-v")) {
verbose = true;
} else if (args[i].equals("-f")) {
fresh = true;
} else if (args[i].equals("-h") || args[i].equals("--help")) {
usage();
System.exit(1);
} else {
System.err.println("invalid argument: " + args[i]);
System.err.println("type -h/--help for help");
System.exit(1);
}
}
if (ksfilename == null) {
System.err.println("must specify -keystore");
return;
}
if (cadirname == null) {
System.err.println("must specify -cadir");
return;
}
File cadir = new File(cadirname);
if (!cadir.isDirectory()) {
System.err.println("cadir is not a directory");
return;
}
blacklist = new HashSet<String>();
// XXX: make a file
// blacklist.add("foo");
String certs[] = cadir.list(new FilenameFilter(){
public boolean accept(File dir, String name)
{
if (!name.endsWith(".pem")) {
return false;
}
if (blacklist.contains(name)) {
return false;
}
return true;
}
});
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream storein = null;
try {
File f = new File(ksfilename);
if (!fresh && f.exists()) {
storein = new FileInputStream(ksfilename);
}
ks.load(storein, password);
} finally {
if (storein != null) {
storein.close();
}
}
HashSet<String> known = new HashSet<String>();
for (Enumeration<String> a = ks.aliases(); a.hasMoreElements();) {
known.add(a.nextElement());
}
CertificateFactory cf = CertificateFactory.getInstance("X509");
int added = 0;
int removed = 0;
for (int i = 0; i < certs.length; ++i) {
BufferedInputStream f = new BufferedInputStream(new FileInputStream(cadirname+"/"+certs[i]));
String marker = "-----BEGIN CERTIFICATE-----";
boolean found = false;
f.mark(80);
String line;
String alias = null;
// we need to parse and skip the "header"
while((line = readline(f)) != null) {
if (line.equals(marker)) {
f.reset();
found = true;
break;
} else if (line.startsWith("# alias=")) {
// FIXME: somehow UTF-8 encoding must be enforced here
alias = line.substring(8);
}
f.mark(80);
}
if (found) {
if (alias == null) {
alias = certs[i].substring(0, certs[i].length()-4); // without .pem
}
alias = alias.toLowerCase();
try {
X509Certificate cert = (X509Certificate)cf.generateCertificate(f);
if (known.contains(alias)) {
if (verbose)
System.out.println("already known: " + alias);
known.remove(alias);
} else {
if (verbose)
System.out.println("adding " + alias);
ks.setCertificateEntry(alias, cert);
++added;
}
} catch (java.security.cert.CertificateException ex) {
System.err.println("imporing " + certs[i] + " failed: " + ex.getCause());
}
} else {
System.out.println("skipping file with unrecognized format: " + certs[i]);
}
}
if (!known.isEmpty()) {
for (Iterator<String> it = known.iterator(); it.hasNext();) {
String alias = it.next();
if (verbose)
System.out.println("removing " + alias);
ks.deleteEntry(alias);
++removed;
}
}
if (added != 0 || removed != 0) {
FileOutputStream storeout = new FileOutputStream(ksfilename);
ks.store(storeout, password);
storeout.close();
}
System.out.println(added + " added, " + removed + " removed.");
}
public static String readline(BufferedInputStream in)
throws java.io.IOException
{
StringBuffer buf = new StringBuffer(80);
int c = in.read();
while(c != -1 && c != '\n' && c != '\r') {
buf.append((char)c);
c = in.read();
}
if (c == '\r') {
in.mark(1);
c = in.read();
if (c != '\n')
in.reset();
}
if (buf.length() == 0)
return null;
return buf.toString();
}
}

23
update-ca-certificates
View File

@ -107,6 +107,8 @@ if (open(F, '<', $certsconf)) {
close F; close F;
} }
print "Updating certificates in $etccertsdir...\n";
if ($opt_fresh || %whitelist) { if ($opt_fresh || %whitelist) {
for my $f (glob "$etccertsdir/*" ) { for my $f (glob "$etccertsdir/*" ) {
next unless -l $f; next unless -l $f;
@ -158,20 +160,19 @@ for my $f (glob "$etccertsdir/*.pem") {
} }
} }
chdir $etccertsdir || die "$!";
if (%added || %removed || $opt_fresh) { if (%added || %removed || $opt_fresh) {
print "Updating certificates in $etccertsdir...\n"; chdir $etccertsdir || die "$!";
my $redir = ($opt_verbose?'':'> /dev/null'); my $redir = ($opt_verbose?'':'> /dev/null');
system("c_rehash . $redir"); system("c_rehash . $redir");
printf("%d added, %d removed.\n", my @args;
(%added?(scalar keys %added):0), push @args, '-f' if $opt_fresh;
(%removed?(scalar keys %removed):0)); push @args, '-v' if $opt_verbose;
for my $f (glob("$hooksdir2/*.run"), glob("$hooksdir1/*.run")) {
system($f, @args);
}
} }
my @args; printf("%d added, %d removed.\n",
push @args, '-f' if $opt_fresh; (%added?(scalar keys %added):0),
push @args, '-v' if $opt_verbose; (%removed?(scalar keys %removed):0));
for my $f (glob("$hooksdir2/*.run"), glob("$hooksdir1/*.run")) {
system($f, @args);
}