diff --git a/GPL-2.0.txt b/GPL-2.0.txt deleted file mode 100644 index 927f7f2..0000000 --- a/GPL-2.0.txt +++ /dev/null 
@@ -1,340 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. 
- - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. 
The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. 
(Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. 
You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. 
- -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. 
If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) 19yy - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. 
- - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) 19yy name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Library General -Public License instead of this License. 
diff --git a/ca-certificates-1_201306200949.tar.xz b/ca-certificates-1_201306200949.tar.xz new file mode 100644 index 0000000..08e13fc --- /dev/null +++ b/ca-certificates-1_201306200949.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cc0214c126e171e87907aa61e76f70f2ac3267b262bb775bda2acb36fd6c0e2a +size 13736 diff --git a/ca-certificates.changes b/ca-certificates.changes index b334f99..15284ef 100644 --- a/ca-certificates.changes +++ b/ca-certificates.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Jun 20 09:15:52 UTC 2013 - lnussel@suse.de + +- use p11-kit to generate the files + ------------------------------------------------------------------- Fri May 4 11:55:14 UTC 2012 - lnussel@suse.de diff --git a/ca-certificates.spec b/ca-certificates.spec index 81dca05..9866802 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -1,7 +1,7 @@ # # spec file for package ca-certificates # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -15,154 +15,109 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild - -%bcond_without java BuildRequires: openssl -%if %{with java} -BuildRequires: gcc-java -BuildRequires: fastjar -%endif +BuildRequires: p11-kit-devel Name: ca-certificates %define ssletcdir %{_sysconfdir}/ssl -%define etccadir %{ssletcdir}/certs %define cabundle /var/lib/ca-certificates/ca-bundle.pem -%define usrcadir %{_datadir}/ca-certificates +%define sslcerts %{ssletcdir}/certs +Version: 1_201306200949 +Release: 0 +Summary: Utilities for system wide CA certificate installation License: GPL-2.0+ Group: Productivity/Networking/Security -Version: 1 -Release: 12 -Summary: Utilities for system wide CA certificate installation -Source0: update-ca-certificates -Source1: update-ca-certificates.8 -Source2: GPL-2.0.txt -Source3: certbundle.run -Source4: keystore.java -Source5: java.run +Source0: ca-certificates-%{version}.tar.xz BuildRoot: %{_tmppath}/%{name}-%{version}-build -Url: http://gitorious.org/opensuse/ca-certificates +Url: https://github.com/openSUSE/ca-certificates # Requires: openssl +Requires: p11-kit-tools # needed for %post -Requires: coreutils +Requires(post): coreutils openssl p11-kit-tools Recommends: ca-certificates-mozilla # we need to obsolete openssl-certs to make sure it's files are # gone when a package providing actual certificates gets # installed (bnc#594434). Obsoletes: openssl-certs < 0.9.9 +# no need for a separate Java package anymore. The bundle is +# created by C code. 
+Obsoletes: java-ca-certificates = 1 +Provides: java-ca-certificates = %version-%release BuildArch: noarch -%if %{with java} - -%package -n java-ca-certificates -License: GPL-2.0+ -Group: Productivity/Networking/Security -Summary: Utilities CA certificate import to gcj -Requires(post): ca-certificates -Supplements: packageand(gcj-compat:ca-certificates) -Supplements: packageand(java-1_6_0-openjdk:ca-certificates) -Supplements: packageand(java-1_6_0-sun:ca-certificates) -%endif - %description Utilities for system wide CA certificate installation -%if %{with java} - -%description -n java-ca-certificates -Utilities for CA certificate installation for gcj and openjdk Java -%endif - %prep -%setup -qcT -install -m 755 %{SOURCE0} . -install -m 644 %{SOURCE1} . -install -m 644 %{SOURCE2} COPYING +%setup -q %build -%if %{with java} -gcj -C %SOURCE4 -d . -# emulate -e option of jar for fastjar -cat < MANIFEST.MF -Manifest-Version: 1.0 -Created-By: 0.98 -Main-Class: keystore -EOF -fastjar cfm keystore.jar MANIFEST.MF keystore*.class -%endif %install -mkdir -p %{buildroot}/%{etccadir} -mkdir -p %{buildroot}/%{usrcadir} -mkdir -p %{buildroot}/%{_sbindir} -mkdir -p %{buildroot}/%{_mandir}/man8 -mkdir -p %{buildroot}/etc/ca-certificates/update.d -mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/update.d +%make_install +install -d m 755 %{buildroot}%{trustdir_cfg}/{anchors,blacklist} +install -d m 755 %{buildroot}%{trustdir_static}/{anchors,blacklist} +install -d m 755 %{buildroot}/etc/ssl/certs +install -d m 755 %{buildroot}/etc/ca-certificates/update.d +install -d m 755 %{buildroot}%{_prefix}/lib/ca-certificates/update.d +install -d m 755 %{buildroot}/var/lib/ca-certificates/pem +install -d m 755 %{buildroot}/var/lib/ca-certificates/openssl install -D -m 644 /dev/null %{buildroot}/%{cabundle} -install -m 644 /dev/null %{buildroot}/etc/ca-certificates.conf -install -m 755 %{SOURCE3} %{buildroot}%{_prefix}/lib/ca-certificates/update.d -install -m 755 %{SOURCE5} 
%{buildroot}%{_prefix}/lib/ca-certificates/update.d +install -D -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem -install -m 755 update-ca-certificates %{buildroot}/%{_sbindir} -install -m 644 update-ca-certificates.8 %{buildroot}/%{_mandir}/man8 -install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/ca-bundle.pem -%if %{with java} -mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/java -install -m 644 keystore.jar %{buildroot}%{_prefix}/lib/ca-certificates/java -install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts -install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/gcj-cacerts -%endif - %post -# this is just needed for those updating Factory, -# can be removed before 11.3 -if [ "$1" -ge 1 ]; then - rm -f /etc/ca-certificates/update.d/certbundle.run +if [ -s /etc/ca-certificates.conf ]; then + while read line; do + [ ${line#\!} != "$line" ] || continue + cert="${line#\!*/}" + ln -s /usr/share/ca-certificates/anchors/"$cert" %{trustdir_cfg}/blacklist + done < /etc/ca-certificates.conf + echo "/etc/ca-certificates.conf converted and saved as /etc/ca-certificates.conf.rpmsave" + mv /etc/ca-certificates.conf /etc/ca-certificates.conf.rpmsave fi # force rebuilding all certificate stores. 
# This also makes sure we update the hash links in /etc/ssl/certs # as openssl changed the hash format between 0.9.8 and 1.0 update-ca-certificates -f || true -%if %{with java} - -%post -n java-ca-certificates -update-ca-certificates || true -%endif +%postun +if [ "$1" -eq 0 ]; then + rm -rf /var/lib/ca-certificates/{pem,openssl} +fi %clean rm -rf %{buildroot} %files %defattr(-, root, root) -%dir %{usrcadir} -%dir %{etccadir} -%doc COPYING -%ghost %config(noreplace) /etc/ca-certificates.conf +%doc COPYING README +%dir %{pkidir_cfg} +%dir %{trustdir_cfg} +%dir %{trustdir_cfg}/anchors +%dir %{trustdir_cfg}/blacklist +%dir %{pkidir_static} +%dir %{trustdir_static} +%dir %{trustdir_static}/anchors +%dir %{trustdir_static}/blacklist +%dir /etc/ssl/certs %{ssletcdir}/ca-bundle.pem %ghost %{cabundle} +%ghost /var/lib/ca-certificates/java-cacerts %dir /etc/ca-certificates %dir /etc/ca-certificates/update.d %dir %{_prefix}/lib/ca-certificates %dir %{_prefix}/lib/ca-certificates/update.d %dir /var/lib/ca-certificates -%{_prefix}/lib/ca-certificates/update.d/certbundle.run +%dir /var/lib/ca-certificates/pem +%dir /var/lib/ca-certificates/openssl %{_sbindir}/update-ca-certificates %{_mandir}/man8/update-ca-certificates.8* -%ghost /var/lib/ca-certificates/ca-bundle.pem - -%if %{with java} - -%files -n java-ca-certificates -%defattr(-, root, root) -%dir %{_prefix}/lib/ca-certificates/java %{_prefix}/lib/ca-certificates/update.d/java.run -%{_prefix}/lib/ca-certificates/java/keystore.jar -%ghost /var/lib/ca-certificates/java-cacerts -%ghost /var/lib/ca-certificates/gcj-cacerts -%endif +%{_prefix}/lib/ca-certificates/update.d/certbundle.run +%{_prefix}/lib/ca-certificates/update.d/etc_ssl.run +%{_prefix}/lib/ca-certificates/update.d/openssl.run %changelog diff --git a/certbundle.run b/certbundle.run deleted file mode 100644 index 40b0b91..0000000 --- a/certbundle.run +++ /dev/null 
@@ -1,43 +0,0 @@ -#!/bin/bash -# vim: syntax=sh - -shopt -s nullglob - -cafile="/var/lib/ca-certificates/ca-bundle.pem" -cadir="/etc/ssl/certs" - -for i in "$@"; do - if [ "$i" = "-f" ]; then - fresh=1 - elif [ "$i" = "-v" ]; then - verbose=1 - fi -done - -if [ -z "$fresh" -a "$cafile" -nt "$cadir" ]; then - exit 0 -fi -echo "creating $cafile ..." -cat > "$cafile.new" <&2; continue ;; - esac - fi - openssl x509 -in "$i" -done >> "$cafile.new" -mv "$cafile.new" "$cafile" diff --git a/java.run b/java.run deleted file mode 100644 index 6f703a9..0000000 --- a/java.run +++ /dev/null 
@@ -1,87 +0,0 @@ -#!/bin/bash - -unset ${!LC_*} ${!RC_LC_*} LANGUAGE RC_LANG -export LANG=en_US - -set -e - -libexecdir="/usr/lib/ca-certificates/java/" -cafile="/var/lib/ca-certificates/java-cacerts" -cafile_gcj="/var/lib/ca-certificates/gcj-cacerts" -cadir="/etc/ssl/certs" - -tmppem="$cafile.tmp" - -cleanup() -{ - rm -rf "$tmppem" -} -trap cleanup EXIT - -for i in "$@"; do - if [ "$i" = "-f" ]; then - fresh=1 - elif [ "$i" = "-v" ]; then - verbose=1 - fi -done - -umask 0022 - -if [ -z "$JAVA_HOME" -a -r /etc/profile.d/alljava.sh ]; then - . /etc/profile.d/alljava.sh -fi - -if [ -n "$JAVA_HOME" ]; then - java="$JAVA_HOME/bin/java" -else - java=`type -P java` - if [ -n "$java" -a -L "$java" ]; then - java=`readlink -f "$java"` - if [ "${java//gij}" != "$java" ]; then - java= - fi - fi -fi - -if [ ! -e "$libexecdir"/keystore.jar ]; then - # nothing to do - exit 0 -fi - -mustrun= -if [ -n "$fresh" ]; then - mustrun=1 -fi -if [ -e "$libexecdir"/keystore.jar -a "$cadir" -nt "$cafile" ]; then - mustrun=1 -fi - -[ -n "$mustrun" ] || exit 0 - -mkdir -p ${cafile%/*} -mkdir -p "$tmppem" -for i in "$cadir"/*.pem; do - # only include certificates trusted for server auth - if grep -q "BEGIN TRUSTED CERTIFICATE" "$i"; then - trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"` - case "$trust" in - *serverAuth*) ;; - *) [ -z "$verbose" ] || echo "skipping $i" >&2; continue ;; - esac - openssl x509 -in "$i" -out "$tmppem/${i##*/}" - else - ln -s "$i" "$tmppem" - fi -done - -if [ -n "$java" -a -x "$java" ]; then - echo "creating $cafile ..." - $java -jar $libexecdir/keystore.jar -keystore "$cafile" -cadir "$cadir" "$@" -fi -if [ -x "/usr/bin/gij" ]; then - echo "creating $cafile_gcj ..." - /usr/bin/gij -jar $libexecdir/keystore.jar -keystore "$cafile_gcj" -cadir "$cadir" "$@" -fi - -# vim: syntax=sh diff --git a/keystore.java b/keystore.java deleted file mode 100644 index c60c491..0000000 --- a/keystore.java +++ /dev/null 
@@ -1,240 +0,0 @@ -/* - * Import system SSL certificates to java keystore - * Copyright (C) 2010 SUSE LINUX Products GmbH - * - * Author: Ludwig Nussel - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * version 2 as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - * - */ - -import java.security.KeyStore; -import java.io.File; -import java.io.FileInputStream; -import java.io.FileOutputStream; -import java.io.BufferedInputStream; -import java.io.FilenameFilter; -import java.util.HashSet; -import java.util.Enumeration; -import java.util.Iterator; - -import java.security.cert.CertificateFactory; -import java.security.cert.X509Certificate; - -public class keystore -{ - static HashSet blacklist; - - public static void usage() { - System.err.println("Usage: java keystore -keystore -cadir [-storepass |-f|-v]"); - System.err.println(""); - System.err.println(" -keystore \tname of final keystore (required)"); - System.err.println(" -cadir \t\tdirectory contains certificates (required)"); - System.err.println(" -storepass \tthe password"); - System.err.println(" -f\t\t\t\tfresh existing keystore"); - System.err.println(" -v\t\t\t\tbe verbose"); - System.err.println(" -h/--help\t\t\tshow this help"); - } - - public static void main(String[] args) - throws java.security.KeyStoreException, - java.security.NoSuchAlgorithmException, - java.security.cert.CertificateException, - java.io.IOException - { - char[] password = null; - String 
ksfilename = null; - String cadirname = null; - boolean verbose = false; - boolean fresh = false; - - if (args.length == 0) { - usage(); - System.exit(1); - } - - - if (!System.getProperty("java.vendor").equals("Free Software Foundation, Inc.")) { - password = "changeit".toCharArray(); - } - - for (int i = 0; i < args.length; ++i) { - if (args[i].equals("-keystore")) { - ksfilename = args[++i]; - } else if (args[i].equals("-cadir")) { - cadirname = args[++i]; - } else if (args[i].equals("-storepass")) { - password = args[++i].toCharArray(); - } else if (args[i].equals("-v")) { - verbose = true; - } else if (args[i].equals("-f")) { - fresh = true; - } else if (args[i].equals("-h") || args[i].equals("--help")) { - usage(); - System.exit(1); - } else { - System.err.println("invalid argument: " + args[i]); - System.err.println("type -h/--help for help"); - System.exit(1); - } - } - - if (ksfilename == null) { - System.err.println("must specify -keystore"); - return; - } - - if (cadirname == null) { - System.err.println("must specify -cadir"); - return; - } - - File cadir = new File(cadirname); - if (!cadir.isDirectory()) { - System.err.println("cadir is not a directory"); - return; - } - - blacklist = new HashSet(); - // XXX: make a file -// blacklist.add("foo"); - - String certs[] = cadir.list(new FilenameFilter(){ - public boolean accept(File dir, String name) - { - if (!name.endsWith(".pem")) { - return false; - } - if (blacklist.contains(name)) { - return false; - } - return true; - } - }); - - KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); - - FileInputStream storein = null; - try { - File f = new File(ksfilename); - if (!fresh && f.exists()) { - storein = new FileInputStream(ksfilename); - } - ks.load(storein, password); - } finally { - if (storein != null) { - storein.close(); - } - } - - HashSet known = new HashSet(); - for (Enumeration a = ks.aliases(); a.hasMoreElements();) { - known.add(a.nextElement()); - } - - CertificateFactory cf = 
CertificateFactory.getInstance("X509"); - int added = 0; - int removed = 0; - - for (int i = 0; i < certs.length; ++i) { - BufferedInputStream f; - try { - f = new BufferedInputStream(new FileInputStream(cadirname+"/"+certs[i])); - } catch (java.io.FileNotFoundException ex) { - System.err.println("skipping " + certs[i] + ": file not found"); - continue; - } - String marker = "-----BEGIN CERTIFICATE-----"; - boolean found = false; - - f.mark(80); - String line; - String alias = null; - // we need to parse and skip the "header" - while((line = readline(f)) != null) { - if (line.equals(marker)) { - f.reset(); - found = true; - break; - } else if (line.startsWith("# alias=")) { - // FIXME: somehow UTF-8 encoding must be enforced here - alias = line.substring(8); - } - f.mark(80); - } - if (found) { - if (alias == null) { - alias = certs[i].substring(0, certs[i].length()-4); // without .pem - } - alias = alias.toLowerCase(); - try { - X509Certificate cert = (X509Certificate)cf.generateCertificate(f); - if (known.contains(alias)) { - if (verbose) - System.out.println("already known: " + alias); - known.remove(alias); - } else { - if (verbose) - System.out.println("adding " + alias); - ks.setCertificateEntry(alias, cert); - ++added; - } - } catch (java.security.cert.CertificateException ex) { - System.err.println("imporing " + certs[i] + " failed: " + ex.getCause()); - } - } else { - System.out.println("skipping file with unrecognized format: " + certs[i]); - } - } - - if (!known.isEmpty()) { - for (Iterator it = known.iterator(); it.hasNext();) { - String alias = it.next(); - if (verbose) - System.out.println("removing " + alias); - ks.deleteEntry(alias); - ++removed; - } - } - - if (added != 0 || removed != 0) { - FileOutputStream storeout = new FileOutputStream(ksfilename); - ks.store(storeout, password); - storeout.close(); - } - - System.out.println(added + " added, " + removed + " removed."); - } - - public static String readline(BufferedInputStream in) - throws 
java.io.IOException - { - StringBuffer buf = new StringBuffer(80); - int c = in.read(); - while(c != -1 && c != '\n' && c != '\r') { - buf.append((char)c); - c = in.read(); - } - if (c == '\r') { - in.mark(1); - c = in.read(); - if (c != '\n') - in.reset(); - } - if (buf.length() == 0) - return null; - - return buf.toString(); - } -} diff --git a/update-ca-certificates b/update-ca-certificates deleted file mode 100644 index 76b0091..0000000 --- a/update-ca-certificates +++ /dev/null 
@@ -1,177 +0,0 @@ -#!/usr/bin/perl -w -# -# update-ca-certificates -# -# Copyright (c) 2010 SUSE Linux Products GmbH -# Author: Ludwig Nussel -# -# Inspired by Debian's update-ca-certificates -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02111-1301, -# USA. -# - -use strict; - -use File::Basename; -use File::Find; -use Getopt::Long; - -my $certsconf = '/etc/ca-certificates.conf'; -my $hooksdir1 = '/etc/ca-certificates/update.d'; -my $hooksdir2 = '/usr/lib/ca-certificates/update.d'; -my $certsdir = "/usr/share/ca-certificates"; -my $localcertsdir = "/usr/local/share/ca-certificates"; -my $etccertsdir = "/etc/ssl/certs"; - -my (%blacklist, %whitelist, %added, %removed); - -my ($opt_verbose, $opt_fresh, $opt_help); - -sub startswith($$) -{ - return $_[1] eq substr($_[0], 0, length($_[1])); -} - -sub targetfilename($) -{ - my $t = $etccertsdir.'/'.basename($_[0]); - $t =~ s/\.crt$/.pem/; - return $t; -} - -sub addcert($) -{ - my $f = $_[0]; - my $t = targetfilename($f); - return if -e $t; - unlink $t if -l $t; # dangling symlink - if (symlink($f, $t)) { - $added{$t} = 1; - delete $removed{$f} if exists $removed{$f}; - } else { - print STDERR "symlink of $t failed: $!\n"; - } -} - -sub removecert($) -{ - my $t = targetfilename($_[0]); - if (-l $t) { - $removed{$t} = 1; - unlink $t; - } -} - 
-Getopt::Long::Configure("no_ignore_case"); -GetOptions( - "verbose|v" => \$opt_verbose, - "fresh|f" => \$opt_fresh, - "help|h" => \$opt_help, - ) or die "$!\n"; - -if ($opt_help) -{ - print "USAGE: $0 [OPTIONS]\n"; - print "OPTIIONS:\n"; - print " --verbose, -v verbose output\n"; - print " --fresh, -f start from scratch\n"; - print " --help, -h this screen\n"; - exit 0; -} - -if (open(F, '<', $certsconf)) { - while () { - next if /^#/; - chomp; - next unless length($_); - if (/^!/) { - s/^!//; - $blacklist{$_} = 1; - } else { - $whitelist{$_} = 1; - } - } - close F; -} - -if ($opt_fresh || %whitelist) { - for my $f (glob "$etccertsdir/*" ) { - next unless -l $f; - my $l = readlink $f; - next unless defined $l; - if (startswith($l, $etccertsdir) - || startswith($l, $localcertsdir)) - { - if ($opt_fresh || %whitelist && - !exists($whitelist{basename($l)})) - { - unlink $f; - $removed{$f} = 1; - } - } - } -} - -my @files; -File::Find::find({ - no_chdir => 1, - wanted => sub { - -f && /\.(?:pem|crt)$/ && push @files, $_; - } - }, $certsdir); -for my $f (@files) { - my $n = substr($f, length($certsdir)+1); - if (exists($blacklist{$n})) { - removecert($f); - next; - } - next if %whitelist && !exists($whitelist{$n}); - addcert($f); -} - -for my $f (glob "$localcertsdir/*.{pem,crt}") { - addcert($f); -} - -for my $f (glob "$etccertsdir/*.pem") { - if (-l $f && !-e $f) { - if (startswith($f, $etccertsdir) - || startswith($f, $localcertsdir)) - { - $removed{$f} = 1; - } - # clean dangling symlinks - unlink $f - } -} - -chdir $etccertsdir || die "$!"; -if (%added || %removed || $opt_fresh) { - print "Updating certificates in $etccertsdir...\n"; - my $redir = ($opt_verbose?'':'> /dev/null'); - system("c_rehash . 
$redir"); - - printf("%d added, %d removed.\n", - (%added?(scalar keys %added):0), - (%removed?(scalar keys %removed):0)); -} - -my @args; -push @args, '-f' if $opt_fresh; -push @args, '-v' if $opt_verbose; -for my $f (glob("$hooksdir2/*.run"), glob("$hooksdir1/*.run")) { - system($f, @args); -} diff --git a/update-ca-certificates.8 b/update-ca-certificates.8 deleted file mode 100644 index 694eb6b..0000000 --- a/update-ca-certificates.8 +++ /dev/null 
@@ -1,73 +0,0 @@ -.\" Hey, EMACS: -*- nroff -*- -.\" First parameter, NAME, should be all caps -.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection -.\" other parameters are allowed: see man(7), man(1) -.TH UPDATE-CA-CERTIFICATES 8 "27 April 2010" -.\" Please adjust this date whenever revising the manpage. -.\" -.\" Some roff macros, for reference: -.\" .nh disable hyphenation -.\" .hy enable hyphenation -.\" .ad l left justify -.\" .ad b justify to both left and right margins -.\" .nf disable filling -.\" .fi enable filling -.\" .br insert line break -.\" .sp insert n+1 empty lines -.\" for manpage-specific macros, see man(7) -.SH NAME -update-ca-certificates \- update system CA certificates -.SH SYNOPSIS -.B update-ca-certificates -.RI [ options ] -.SH DESCRIPTION -\fBupdate-ca-certificates\fP updates the directory -/etc/ssl/certs to hold SSL certificates and generates /etc/ssl/ca-bundle.pem, -a concatenated single-file list of certificates. -.PP -It reads the file /etc/ca-certificates.conf. Each line gives a pathname of -a CA certificate under /usr/share/ca-certificates that should be trusted. -Lines that begin with "#" are comment lines and thus ignored. -Lines that begin with "!" are deselected, causing the deactivation -of the CA certificate in question. All certificates are implicitly -trusted if no trusted certificates are listed. -.PP -Furthermore all certificates found below /usr/local/share/ca-certificates -are also included as implicitly trusted. -.PP -After populating /etc/ssl/certs \fBupdate-ca-certificates\fP invokes -custom hooks in /usr/lib/ca-certificates/update.d/*.run and -/etc/ca-certificates/update.d/*.run. The command line options used -for invoking update-ca-certificates are passed to the hooks as well. -.SH OPTIONS -A summary of options is included below. -.TP -.B \-h, \-\-help -Show summary of options. -.TP -.B \-v, \-\-verbose -Be verbose. Output \fBc_rehash\fP. -.TP -.B \-f, \-\-fresh -Fresh updates. 
Removes symlinks in /etc/ssl/certs directory and -re-creates them from scratch. -.SH FILES -.TP -.I /etc/ca-certificates.conf -A configuration file. -.TP -.I /etc/ssl/ca-bundle.pem -A single-file version of all CA certificates. Use of this file is -deprecated and should only be used as last resort by applications -that cannot parse the /etc/ssl/certs directory. -.TP -.I /usr/share/ca-certificates -Directory of CA certificates. -.I /usr/local/share/ca-certificates -Directory of local CA certificates. -.SH SEE ALSO -.BR c_rehash (1), -.SH AUTHOR -This manual page was written by Fumitoshi UKAI , -for the Debian project and modified by Ludwig Nussel -.
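Review bot: in keystore.java, the "already known" branch of the import loop matches on alias only, so a .pem whose certificate changed under the same alias is never refreshed unless -f is given, and the cleanup loop calls ks.deleteEntry(alias) for every alias not found in -cadir, which includes entries an administrator added to the keystore by hand. If this logic is being moved elsewhere rather than dropped, compare the stored certificate with the one on disk before skipping, and restrict removal to entries the tool itself created. The hardcoded "changeit" default for non-GNU VMs and the FIXME about enforcing UTF-8 on the "# alias=" header deserve a mention in whatever replaces this file.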
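Review bot: in update-ca-certificates, `chdir $etccertsdir || die "$!"` parses as chdir($etccertsdir || die ...), so a failed chdir is never caught and `c_rehash .` then runs in whatever the current directory happens to be; if any of this code is carried over, use `or die` or parenthesise the argument. The -f/whitelist pruning loop has a second slip: it tests the readlink target against $etccertsdir and $localcertsdir, while addcert creates links to files under $certsdir, so links into /usr/share/ca-certificates are never removed by that loop and --fresh does not start from scratch for them.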
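Review bot: in update-ca-certificates.8, DESCRIPTION states that the command generates /etc/ssl/ca-bundle.pem, but the script deleted in this same patch never writes that file itself; it only populates /etc/ssl/certs, runs c_rehash and invokes the update.d hooks. If the page is being relocated rather than dropped, say which hook, if any, produces the bundle. In FILES, the `.I /usr/local/share/ca-certificates` entry lacks the `.TP` the other entries have, so it will not render as its own item, and SEE ALSO ends with a trailing comma.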