Update to make-ca-1.1. Complete configuration of P11-Kit trust-extract-compat to utilize both P11-kit and make-ca.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@20900 af4574ff-66df-0310-9fd7-8a98e5e911e0

introduction/welcome/changelog.xml

@@ -44,6 +44,10 @@
     <listitem>
       <para>January 1st, 2019</para>
       <itemizedlist>
+        <listitem>
+          <para>[dj] - Update to make-ca-1.1. Complete configuration of P11-Kit
+          trust-extract-compat to utilize both P11-kit and make-ca.</para>
+        </listitem> 
         <listitem>
           <para>[bdubbs] - Update to nasm-2.14.02. Fixes
           <ulink url="&blfs-ticket-root;11476">#11476</ulink>.</para>

packages.ent

@@ -24,7 +24,7 @@
 <!ENTITY linux-pam-version            "1.3.0">
 <!ENTITY linux-pam-docs-version       "1.2.0">
 <!ENTITY libpwquality-version         "1.4.0">
-<!ENTITY make-ca-version              "1.0">
+<!ENTITY make-ca-version              "1.1">
 <!ENTITY mitkrb-major-version         "1.16">
 <!ENTITY mitkrb-version               "1.16.2">
 <!ENTITY nettle-version               "3.4.1">

postlfs/security/make-ca.xml

@@ -11,7 +11,7 @@
 
   <!ENTITY make-ca-download      "https://github.com/djlucas/make-ca/releases/download/v&make-ca-version;/make-ca-&make-ca-version;.tar.xz">
   <!ENTITY make-ca-size          "28 KB">
-  <!ENTITY make-ca-md5sum        "b038d38233f970aad60c29dfc0502021">
+  <!ENTITY make-ca-md5sum        "417a8ebfb3d6ac4821c1e508a0a3981f">
 ]>
 
 <sect1 id="make-ca" xreflabel="make-ca-&make-ca-version;">

postlfs/security/p11-kit.xml

@@ -97,10 +97,41 @@
 
 <screen><userinput>sed '20,$ d' -i trust/trust-extract-compat.in &amp;&amp;
 cat &gt;&gt; trust/trust-extract-compat.in &lt;&lt; "EOF"
-echo "Please create an OpenSSL Trusted Certificate with appropriate"
-echo "trust arguments in /etc/ssl/local/ and run '/usr/sbin/make-ca -f'"
-echo "as the root user."
-exit 1
+<literal># LFS uses make-ca to manage certificates
+if [ -f /etc/make-ca.conf ]; then
+    . /etc/make-ca.conf
+else
+    #Use defaults if make-ca.conf does not exist
+    ANCHORDIR="/etc/pki/anchors"
+    ANCHORLIST="/etc/pki/anchors.txt"
+    LOCALDIR="/etc/ssl/local"
+    CERTLIST=""
+fi
+
+# Create a list of certificates not present at previous run
+for ca in `/bin/ls -1 --color=none "${ANCHORDIR}"` ; do
+    /bin/grep "${ca}" "${ANCHORLIST}" 2>&amp;1>/dev/null || CERTLIST="${CERTLIST} ${ca}"
+done
+
+# Dump to a temporary directory
+TEMPDIR=`mktemp -d`
+/usr/bin/trust extract --filter=certificates --format=openssl-directory --overwrite \
+    "${TEMPDIR}"
+
+# Copy new certificates to LOCALDIR
+for certificate in `echo "${CERTLIST}"` ; do
+    LABEL=`/bin/grep -m 1 "label:" "${ANCHORDIR}/${certificate}"`
+    LABELNEW=`echo "${LABEL}" | /bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'`
+    cp -v "${TEMPDIR}/${LABELNEW}.pem" "${LOCALDIR}"
+    unset LABEL LABELNEW
+done
+
+# Clean up
+rm -rf "${TEMPDIR}"
+unset ANCHORDIR ANCHORLIST LOCALDIR CERTLIST TEMPDIR
+
+# Generate a new trust store
+/usr/sbin/make-ca -f</literal>
 EOF</userinput></screen>
 
     <para>
@@ -122,7 +153,9 @@ make</userinput></screen>
       Now, as the <systemitem class="username">root</systemitem> user:
     </para>
 
-<screen role="root"><userinput>make install</userinput></screen>
+<screen role="root"><userinput>make install &amp;&amp;
+ln -s /usr/libexec/p11-kit/trust-extract-compat \
+      /usr/bin/update-ca-certificates</userinput></screen>
 
   </sect2>
 
@@ -224,6 +257,19 @@ fi</userinput></screen>
         </listitem>
       </varlistentry>
 
+      <varlistentry id="update-ca-certificates">
+        <term><command>update-ca-certificates</command></term>
+        <listitem>
+          <para>
+            is a command line tool to both extract local certificates from an
+            upadated anchor store, and regenerate all anchors and certificate
+            stores on the system.
+          </para>
+          <indexterm zone="p11-kit update-ca-certificates">
+            <primary sortas="b-trust">update-ca-certificates</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
 
       <varlistentry id="libp11-kit">
         <term><filename class="libraryfile">libp11-kit.so</filename></term>