ziggi/bsdports
1
0
Fork 0
mirror of https://github.com/beard7n/bsdports.git synced 2026-04-16 05:21:16 +02:00
Code Issues Packages Projects Releases Wiki Activity

added ca-bundle

Browse Source
This commit is contained in:
Oleg Borodin
2025-11-03 11:03:32 +02:00
parent 419351047f
commit 9d2390f0be
8 changed files with 357 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
crypto/ca-bundle/Makefile Normal file
View File

@@ -0,0 +1,70 @@
# $FreeBSD: head/security/ca_root_nss/Makefile 519266 2019-12-08 00:51:48Z jbeich $
PORTNAME= ca-bundle
DISTNAME= ca_root_nss
PORTVERSION= ${VERSION_NSS}
CATEGORIES= security
MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX}
MAINTAINER= ports-secteam@FreeBSD.org
COMMENT= Root certificate bundle from the Mozilla Project
#OPTIONS_DEFINE= ETCSYMLINK
#OPTIONS_DEFAULT= ETCSYMLINK
#OPTIONS_SUB= yes
#ETCSYMLINK_DESC= Add symlink to /etc/ssl/cert.pem
#ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]*
USES= perl5 ssl:build
USE_PERL5= build
NO_ARCH= yes
NO_WRKSUBDIR= yes
CERTDIR?= share/certs
PLIST_SUB+= CERTDIR=${CERTDIR}
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# !!! These versions are intended to track security/nss. !!!
# !!! Please DO NOT submit patches for new version until it has !!!
# !!! been committed there first. !!!
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
VERSION_NSS= 3.115
#NSS_SUFFIX= -with-ckbi-1.98
CERTDATA_TXT_PATH= nss-${VERSION_NSS}/nss/lib/ckfw/builtins/certdata.txt
BUNDLE_PROCESSOR= MAca-bundle.pl
SUB_FILES= MAca-bundle.pl pkg-message
SUB_LIST= VERSION_NSS=${VERSION_NSS}
PKGDEINSTALL= ${WRKDIR}/pkg-deinstall
PKGINSTALL= ${WRKDIR}/pkg-install
SUB_FILES+= pkg-install pkg-deinstall
do-extract:
${MKDIR} ${WRKDIR}
${TAR} -C ${WRKDIR} -xf ${DISTDIR}/nss-${VERSION_NSS}${NSS_SUFFIX}${EXTRACT_SUFX} \
${CERTDATA_TXT_PATH}
${CP} ${WRKDIR}/${CERTDATA_TXT_PATH} ${WRKDIR}
${RM} -r ${WRKDIR}/nss-${VERSION_NSS}
do-build: apply-slist
${SETENV} PATH=${LOCALBASE}/bin:$${PATH} \
${PERL} ${WRKDIR}/${BUNDLE_PROCESSOR} \
< ${WRKDIR}/certdata.txt > \
${WRKDIR}/ca-root-nss.crt
do-install:
${MKDIR} ${STAGEDIR}${PREFIX}/${CERTDIR}
${INSTALL_DATA} ${WRKDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/${CERTDIR}
${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl
${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem
${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ca-bundle.crt
# ${MKDIR} ${STAGEDIR}/etc/ssl
# ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem
.include <bsd.port.mk>

3
crypto/ca-bundle/distinfo Normal file
View File

@@ -0,0 +1,3 @@
TIMESTAMP = 1762160240
SHA256 (nss-3.115.tar.gz) = ac2a47fb33bd79320159144e01c0d4af9a937a2d928c7c77ff06f5d9507861ab
SIZE (nss-3.115.tar.gz) = 76656357

224
crypto/ca-bundle/files/MAca-bundle.pl.in Normal file
View File

@@ -0,0 +1,224 @@
##
## MAca-bundle.pl -- Regenerate ca-root-nss.crt from the Mozilla certdata.txt
##
## Rewritten in September 2011 by Matthias Andree to heed untrust
##
## Copyright (c) 2011, 2013 Matthias Andree <mandree@FreeBSD.org>
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions are
## met:
##
## * Redistributions of source code must retain the above copyright
## notice, this list of conditions and the following disclaimer.
##
## * Redistributions in binary form must reproduce the above copyright
## notice, this list of conditions and the following disclaimer in the
## documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
## "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
## LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
## FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
## COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
## INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
## BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
## LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
## CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
## ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
## POSSIBILITY OF SUCH DAMAGE.
use strict;
use Carp;
use MIME::Base64;
my $VERSION = '$FreeBSD: head/security/ca_root_nss/files/MAca-bundle.pl.in 325572 2013-08-29 08:10:09Z mandree $';
# configuration
print <<EOH;
##
## ca-root-nss.crt -- Bundle of CA Root Certificates
##
## This is a bundle of X.509 certificates of public Certificate
## Authorities (CA). These were automatically extracted from Mozilla's
## root CA list (the file `certdata.txt').
##
## Extracted from nss-%%VERSION_NSS%%
## with $VERSION
##
EOH
my $debug = 0;
$debug++
if defined $ENV{'WITH_DEBUG'}
and $ENV{'WITH_DEBUG'} !~ m/(?i)^(no|0|false|)$/;
my %certs;
my %trusts;
sub printcert_plain($$)
{
my ($label, $certdata) = @_;
print "=== $label ===\n" if $label;
print
"-----BEGIN CERTIFICATE-----\n",
MIME::Base64::encode_base64($certdata),
"-----END CERTIFICATE-----\n\n";
}
sub printcert_info($$)
{
my (undef, $certdata) = @_;
return unless $certdata;
open(OUT, "|openssl x509 -text -inform DER -fingerprint")
|| die "could not pipe to openssl x509";
print OUT $certdata;
close(OUT) or die "openssl x509 failed with exit code $?";
}
sub printcert($$) {
my ($a, $b) = @_;
printcert_info($a, $b);
}
sub graboct()
{
my $data;
while (<>) {
last if /^END/;
my (undef,@oct) = split /\\/;
my @bin = map(chr(oct), @oct);
$data .= join('', @bin);
}
return $data;
}
sub grabcert()
{
my $certdata;
my $cka_label;
my $serial;
while (<>) {
chomp;
last if ($_ eq '');
if (/^CKA_LABEL UTF8 "([^"]+)"/) {
$cka_label = $1;
}
if (/^CKA_VALUE MULTILINE_OCTAL/) {
$certdata = graboct();
}
if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) {
$serial = graboct();
}
}
return ($serial, $cka_label, $certdata);
}
sub grabtrust() {
my $cka_label;
my $serial;
my $maytrust = 0;
my $distrust = 0;
while (<>) {
chomp;
last if ($_ eq '');
if (/^CKA_LABEL UTF8 "([^"]+)"/) {
$cka_label = $1;
}
if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) {
$serial = graboct();
}
if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/)
{
if ($2 eq 'CKT_NSS_NOT_TRUSTED') {
$distrust = 1;
} elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') {
$maytrust = 1;
} elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') {
confess "Unknown trust setting on line $.:\n"
. "$_\n"
. "Script must be updated:";
}
}
}
if (!$maytrust && !$distrust && $debug) {
print STDERR "line $.: no explicit trust/distrust found for $cka_label\n";
}
my $trust = ($maytrust and not $distrust);
return ($serial, $cka_label, $trust);
}
while (<>) {
if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) {
my ($serial, $label, $certdata) = grabcert();
if (defined $certs{$label."\0".$serial}) {
warn "Certificate $label duplicated!\n";
}
$certs{$label."\0".$serial} = $certdata;
} elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) {
my ($serial, $label, $trust) = grabtrust();
if (defined $trusts{$label."\0".$serial}) {
warn "Trust for $label duplicated!\n";
}
$trusts{$label."\0".$serial} = $trust;
} elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
print "## Source: \"certdata.txt\" CVS revision $1\n##\n\n";
}
}
sub printlabel(@) {
my @res = @_;
map { s/\0.*//; s/[^[:print:]]/_/g; $_ = "\"$_\""; } @res;
return wantarray ? @res : $res[0];
}
# weed out untrusted certificates
my $untrusted = 0;
foreach my $it (keys %trusts) {
if (!$trusts{$it}) {
if (!exists($certs{$it})) {
warn "Found trust for nonexistent certificate ".printlabel($it)."\n" if $debug;
} else {
delete $certs{$it};
warn "Skipping untrusted ".printlabel($it)."\n" if $debug;
$untrusted++;
}
}
}
print "## Untrusted certificates omitted from this bundle: $untrusted\n\n";
print STDERR "## Untrusted certificates omitted from this bundle: $untrusted\n";
my $certcount = 0;
foreach my $it (sort {uc($a) cmp uc($b)} keys %certs) {
if (!exists($trusts{$it})) {
die "Found certificate without trust block,\naborting";
}
printcert("", $certs{$it});
print "\n\n\n";
$certcount++;
print STDERR "Trusting $certcount: ".printlabel($it)."\n" if $debug;
}
if ($certcount < 25) {
die "Certificate count of $certcount is implausibly low.\nAbort";
}
print "## Number of certificates: $certcount\n";
print STDERR "## Number of certificates: $certcount\n";
print "## End of file.\n";

13
crypto/ca-bundle/files/pkg-deinstall.in Normal file
View File

@@ -0,0 +1,13 @@
#!/bin/sh
set -x
case $2 in
DEINSTALL)
;;
POST-DEINSTALL)
certctl rehash
;;
esac
exit 0
#EOF

13
crypto/ca-bundle/files/pkg-install.in Normal file
View File

@@ -0,0 +1,13 @@
#!/bin/sh
set -x
case $2 in
PRE-INSTALL)
;;
POST-INSTALL)
certctl rehash
;;
esac
exit 0
#EOF

26
crypto/ca-bundle/files/pkg-message.in Normal file
View File

@@ -0,0 +1,26 @@
[
{ type: install
message: <<EOM
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.
Assessment and verification of trust is the complete responsibility of the
system administrator.
This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.
This enables SSL Certificate Verification by client software without manual
intervention.
If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.
* /etc/ssl/cert.pem
* %%PREFIX%%/etc/ssl/cert.pem
* %%PREFIX%%/openssl/cert.pem
EOM
}
]

4
crypto/ca-bundle/pkg-descr Normal file
View File

@@ -0,0 +1,4 @@
Root certificates from certificate authorities included in the Mozilla
NSS library and thus in Firefox and Thunderbird.
This port directly tracks the version of NSS in the security/nss port.

4
crypto/ca-bundle/pkg-plist Normal file
View File

@@ -0,0 +1,4 @@
etc/ca-bundle.crt
etc/ssl/cert.pem
share/certs/ca-root-nss.crt
@dir share/certs