From 9d2390f0be50c80281d9800154b2d0bc6885d3a4 Mon Sep 17 00:00:00 2001
From: Oleg Borodin
Date: Mon, 3 Nov 2025 11:03:32 +0200
Subject: [PATCH] added ca-bundle
---
 crypto/ca-bundle/Makefile | 70 +++++++
 crypto/ca-bundle/distinfo | 3 +
 crypto/ca-bundle/files/MAca-bundle.pl.in | 224 +++++++++++++++++++++++
 crypto/ca-bundle/files/pkg-deinstall.in | 13 ++
 crypto/ca-bundle/files/pkg-install.in | 13 ++
 crypto/ca-bundle/files/pkg-message.in | 26 +++
 crypto/ca-bundle/pkg-descr | 4 +
 crypto/ca-bundle/pkg-plist | 4 +
 8 files changed, 357 insertions(+)
 create mode 100644 crypto/ca-bundle/Makefile
 create mode 100644 crypto/ca-bundle/distinfo
 create mode 100644 crypto/ca-bundle/files/MAca-bundle.pl.in
 create mode 100644 crypto/ca-bundle/files/pkg-deinstall.in
 create mode 100644 crypto/ca-bundle/files/pkg-install.in
 create mode 100644 crypto/ca-bundle/files/pkg-message.in
 create mode 100644 crypto/ca-bundle/pkg-descr
 create mode 100644 crypto/ca-bundle/pkg-plist
diff --git a/crypto/ca-bundle/Makefile b/crypto/ca-bundle/Makefile
new file mode 100644
index 00000000..c90d96a6
--- /dev/null
+++ b/crypto/ca-bundle/Makefile
@@ -0,0 +1,70 @@
+# $FreeBSD: head/security/ca_root_nss/Makefile 519266 2019-12-08 00:51:48Z jbeich $
+
+PORTNAME= ca-bundle
+DISTNAME= ca_root_nss
+PORTVERSION= ${VERSION_NSS}
+CATEGORIES= security
+MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
+DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX}
+
+MAINTAINER= ports-secteam@FreeBSD.org
+COMMENT= Root certificate bundle from the Mozilla Project
+
+#OPTIONS_DEFINE= ETCSYMLINK
+#OPTIONS_DEFAULT= ETCSYMLINK
+
+#OPTIONS_SUB= yes
+
+#ETCSYMLINK_DESC= Add symlink to /etc/ssl/cert.pem
+#ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]*
+
+USES= perl5 ssl:build
+USE_PERL5= build
+NO_ARCH= yes
+NO_WRKSUBDIR= yes
+
+CERTDIR?= share/certs
+PLIST_SUB+= CERTDIR=${CERTDIR}
+
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+# !!! These versions are intended to track security/nss. !!!
+# !!! Please DO NOT submit patches for new version until it has !!!
+# !!! been committed there first. !!!
+# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+VERSION_NSS= 3.115
+#NSS_SUFFIX= -with-ckbi-1.98
+
+CERTDATA_TXT_PATH= nss-${VERSION_NSS}/nss/lib/ckfw/builtins/certdata.txt
+BUNDLE_PROCESSOR= MAca-bundle.pl
+
+SUB_FILES= MAca-bundle.pl pkg-message
+SUB_LIST= VERSION_NSS=${VERSION_NSS}
+
+PKGDEINSTALL= ${WRKDIR}/pkg-deinstall
+PKGINSTALL= ${WRKDIR}/pkg-install
+SUB_FILES+= pkg-install pkg-deinstall
+
+
+do-extract:
+ ${MKDIR} ${WRKDIR}
+ ${TAR} -C ${WRKDIR} -xf ${DISTDIR}/nss-${VERSION_NSS}${NSS_SUFFIX}${EXTRACT_SUFX} \
+ ${CERTDATA_TXT_PATH}
+ ${CP} ${WRKDIR}/${CERTDATA_TXT_PATH} ${WRKDIR}
+ ${RM} -r ${WRKDIR}/nss-${VERSION_NSS}
+
+do-build: apply-slist
+ ${SETENV} PATH=${LOCALBASE}/bin:$${PATH} \
+ ${PERL} ${WRKDIR}/${BUNDLE_PROCESSOR} \
+ < ${WRKDIR}/certdata.txt > \
+ ${WRKDIR}/ca-root-nss.crt
+
+do-install:
+ ${MKDIR} ${STAGEDIR}${PREFIX}/${CERTDIR}
+ ${INSTALL_DATA} ${WRKDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/${CERTDIR}
+ ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl
+ ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem
+ ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ca-bundle.crt
+# ${MKDIR} ${STAGEDIR}/etc/ssl
+# ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem
+
+.include
diff --git a/crypto/ca-bundle/distinfo b/crypto/ca-bundle/distinfo
new file mode 100644
index 00000000..d77b4ae7
--- /dev/null
+++ b/crypto/ca-bundle/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1762160240
+SHA256 (nss-3.115.tar.gz) = ac2a47fb33bd79320159144e01c0d4af9a937a2d928c7c77ff06f5d9507861ab
+SIZE (nss-3.115.tar.gz) = 76656357
diff --git a/crypto/ca-bundle/files/MAca-bundle.pl.in b/crypto/ca-bundle/files/MAca-bundle.pl.in
new file mode 100644
index 00000000..c7b6b0e5
--- /dev/null
+++ b/crypto/ca-bundle/files/MAca-bundle.pl.in
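Review bot: The etc/ssl/cert.pem symlink is now created unconditionally in do-install (`${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem`) while the `#ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]*` guard inherited from the upstream port is commented out, so two packages can silently fight over the same trust-anchor path; add an unconditional `CONFLICTS_INSTALL= ca-roots-[0-9]*` or restore the option. `DISTNAME` is assigned twice in this hunk; make expands `${DISTNAME:tu:C/[-.]/_/g}` in MASTER_SITES lazily, so only the later `DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX}` takes effect and the earlier `DISTNAME= ca_root_nss` should be dropped to avoid misleading readers. The closing `.include` line carries no argument in this rendering, presumably `<bsd.port.mk>` lost in extraction, which is worth confirming against the committed file.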
@@ -0,0 +1,224 @@
+##
+## MAca-bundle.pl -- Regenerate ca-root-nss.crt from the Mozilla certdata.txt
+##
+## Rewritten in September 2011 by Matthias Andree to heed untrust
+##
+
+## Copyright (c) 2011, 2013 Matthias Andree
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted provided that the following conditions are
+## met:
+##
+## * Redistributions of source code must retain the above copyright
+## notice, this list of conditions and the following disclaimer.
+##
+## * Redistributions in binary form must reproduce the above copyright
+## notice, this list of conditions and the following disclaimer in the
+## documentation and/or other materials provided with the distribution.
+##
+## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+## "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+## LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+## FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+## COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+## INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+## BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+## LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+## CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+## ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+## POSSIBILITY OF SUCH DAMAGE.
+
+use strict;
+use Carp;
+use MIME::Base64;
+
+my $VERSION = '$FreeBSD: head/security/ca_root_nss/files/MAca-bundle.pl.in 325572 2013-08-29 08:10:09Z mandree $';
+
+# configuration
+print <) {
+ last if /^END/;
+ my (undef,@oct) = split /\\/;
+ my @bin = map(chr(oct), @oct);
+ $data .= join('', @bin);
+ }
+
+ return $data;
+}
+
+
+sub grabcert()
+{
+ my $certdata;
+ my $cka_label;
+ my $serial;
+
+ while (<>) {
+ chomp;
+ last if ($_ eq '');
+
+ if (/^CKA_LABEL UTF8 "([^"]+)"/) {
+ $cka_label = $1;
+ }
+
+ if (/^CKA_VALUE MULTILINE_OCTAL/) {
+ $certdata = graboct();
+ }
+
+ if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) {
+ $serial = graboct();
+ }
+ }
+ return ($serial, $cka_label, $certdata);
+}
+
+sub grabtrust() {
+ my $cka_label;
+ my $serial;
+ my $maytrust = 0;
+ my $distrust = 0;
+
+ while (<>) {
+ chomp;
+ last if ($_ eq '');
+
+ if (/^CKA_LABEL UTF8 "([^"]+)"/) {
+ $cka_label = $1;
+ }
+
+ if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) {
+ $serial = graboct();
+ }
+
+ if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/)
+ {
+ if ($2 eq 'CKT_NSS_NOT_TRUSTED') {
+ $distrust = 1;
+ } elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') {
+ $maytrust = 1;
+ } elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') {
+ confess "Unknown trust setting on line $.:\n"
+ . "$_\n"
+ .
"Script must be updated:";
+ }
+ }
+ }
+
+ if (!$maytrust && !$distrust && $debug) {
+ print STDERR "line $.: no explicit trust/distrust found for $cka_label\n";
+ }
+
+ my $trust = ($maytrust and not $distrust);
+ return ($serial, $cka_label, $trust);
+}
+
+while (<>) {
+ if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) {
+ my ($serial, $label, $certdata) = grabcert();
+ if (defined $certs{$label."\0".$serial}) {
+ warn "Certificate $label duplicated!\n";
+ }
+ $certs{$label."\0".$serial} = $certdata;
+ } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) {
+ my ($serial, $label, $trust) = grabtrust();
+ if (defined $trusts{$label."\0".$serial}) {
+ warn "Trust for $label duplicated!\n";
+ }
+ $trusts{$label."\0".$serial} = $trust;
+ } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
+ print "## Source: \"certdata.txt\" CVS revision $1\n##\n\n";
+ }
+}
+
+sub printlabel(@) {
+ my @res = @_;
+ map { s/\0.*//; s/[^[:print:]]/_/g; $_ = "\"$_\""; } @res;
+ return wantarray ? @res : $res[0];
+}
+
+# weed out untrusted certificates
+my $untrusted = 0;
+foreach my $it (keys %trusts) {
+ if (!$trusts{$it}) {
+ if (!exists($certs{$it})) {
+ warn "Found trust for nonexistent certificate ".printlabel($it)."\n" if $debug;
+ } else {
+ delete $certs{$it};
+ warn "Skipping untrusted ".printlabel($it)."\n" if $debug;
+ $untrusted++;
+ }
+ }
+}
+
+print "## Untrusted certificates omitted from this bundle: $untrusted\n\n";
+print STDERR "## Untrusted certificates omitted from this bundle: $untrusted\n";
+
+my $certcount = 0;
+foreach my $it (sort {uc($a) cmp uc($b)} keys %certs) {
+ if (!exists($trusts{$it})) {
+ die "Found certificate without trust block,\naborting";
+ }
+ printcert("", $certs{$it});
+ print "\n\n\n";
+ $certcount++;
+ print STDERR "Trusting $certcount: ".printlabel($it)."\n" if $debug;
+}
+
+if ($certcount < 25) {
+ die "Certificate count of $certcount is implausibly low.\nAbort";
+}
+
+print "## Number of certificates: $certcount\n";
+print STDERR "## Number of
certificates: $certcount\n";
+print "## End of file.\n";
diff --git a/crypto/ca-bundle/files/pkg-deinstall.in b/crypto/ca-bundle/files/pkg-deinstall.in
new file mode 100644
index 00000000..d4bb918e
--- /dev/null
+++ b/crypto/ca-bundle/files/pkg-deinstall.in
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -x
+
+case $2 in
+ DEINSTALL)
+ ;;
+ POST-DEINSTALL)
+ certctl rehash
+ ;;
+esac
+exit 0
+#EOF
diff --git a/crypto/ca-bundle/files/pkg-install.in b/crypto/ca-bundle/files/pkg-install.in
new file mode 100644
index 00000000..0c8ed099
--- /dev/null
+++ b/crypto/ca-bundle/files/pkg-install.in
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -x
+
+case $2 in
+ PRE-INSTALL)
+ ;;
+ POST-INSTALL)
+ certctl rehash
+ ;;
+esac
+exit 0
+#EOF
diff --git a/crypto/ca-bundle/files/pkg-message.in b/crypto/ca-bundle/files/pkg-message.in
new file mode 100644
index 00000000..d937df3a
--- /dev/null
+++ b/crypto/ca-bundle/files/pkg-message.in
@@ -0,0 +1,26 @@
+[
+{ type: install
+ message: <
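Review bot: `grabtrust` sets `$maytrust` as soon as any one of SERVER_AUTH, EMAIL_PROTECTION or CODE_SIGNING is `CKT_NSS_TRUSTED_DELEGATOR`, so a root that Mozilla trusts only for S/MIME or code signing is written into ca-root-nss.crt, which the Makefile's do-install then links as etc/ssl/cert.pem for TLS clients; this is inherited from the upstream script, but it deserves a comment above `sub grabtrust()`, e.g. `# Trust is the OR of the three CKA_TRUST_* purposes: email-only and code-signing-only roots are kept, any NOT_TRUSTED purpose excludes the root.`, and returning the per-purpose result would let a caller build a server-auth-only bundle. The file has `use strict;` but no `use warnings;`; add `use warnings;` directly after it, since the script only runs at port build time. `grabcert()`, `grabtrust()` and `printlabel(@)` carry prototypes, which alter parsing rather than validate arguments and should be dropped. The `print <) {` span between `# configuration` and `last if /^END/` looks like extraction damage to a heredoc and the `sub graboct` header, so the region where `%certs`, `%trusts`, `$debug` and `printcert` are presumably declared is not reviewed here.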
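Review bot: `set -x` at the top of pkg-deinstall.in (and identically in pkg-install.in) is a debugging leftover that makes pkg echo every command of the hook to the administrator's terminal on each install and removal; remove it from both files. The exit status of `certctl rehash` is discarded by the unconditional `exit 0`, so a failed rehash leaves a stale hashed trust directory with no indication to the administrator; at minimum report it, `certctl rehash || echo "certctl rehash failed, run it manually" >&2`. Whether `certctl rehash` picks up a multi-certificate bundle file under share/certs rather than only single-certificate files depends on the certctl version of the target release, which is worth confirming before relying on this hook to keep the system trust store in sync.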