From a7e42de2a702e734af8e1a1947811864320cb043 Mon Sep 17 00:00:00 2001
From: YellowJacketLinux
Date: Sun, 27 Oct 2024 07:59:49 -0700
Subject: [PATCH] make make-ca portable to other distros
---
 SOURCES/make-ca-1.14-curl.patch | 79 ++++++++++++++++++++
 SOURCES/make-ca-1.14-libressl.patch | 112 ----------------------------
 SPECS/make-ca.spec | 59 +++++++++++++--
 3 files changed, 130 insertions(+), 120 deletions(-)
 create mode 100644 SOURCES/make-ca-1.14-curl.patch
 delete mode 100644 SOURCES/make-ca-1.14-libressl.patch
diff --git a/SOURCES/make-ca-1.14-curl.patch b/SOURCES/make-ca-1.14-curl.patch
new file mode 100644
index 0000000..ccaa6fd
--- /dev/null
+++ b/SOURCES/make-ca-1.14-curl.patch
@@ -0,0 +1,79 @@
+diff -ur make-ca-1.14.orig/CHANGELOG make-ca-1.14/CHANGELOG
+--- make-ca-1.14.orig/CHANGELOG 2024-07-13 20:34:30.000000000 -0700
++++ make-ca-1.14/CHANGELOG 2024-10-27 06:35:48.675438023 -0700
+@@ -1,3 +1,4 @@
++1.14yjl - Use curl instead of OpenSSL s_client, remove proxy switch.
+ 1.14 - Silence a warning from OpenSSL 3.2.x
+ - Stop using statically named temporary files
+ - Prevent translated date in the man page
+diff -ur make-ca-1.14.orig/make-ca make-ca-1.14/make-ca
+--- make-ca-1.14.orig/make-ca 2024-07-13 20:34:30.000000000 -0700
++++ make-ca-1.14/make-ca 2024-10-27 06:33:50.893915654 -0700
+@@ -28,6 +28,7 @@
+ KEYTOOL="${JAVA_HOME}/bin/keytool"
+ MD5SUM="/usr/bin/md5sum"
+ OPENSSL="/usr/bin/openssl"
++ CURL="/usr/bin/curl"
+ TRUST="/usr/bin/trust"
+ ANCHORDIR="${PKIDIR}/anchors"
+ ANCHORLIST="${PKIDIR}/anchors.md5sums"
+@@ -186,11 +187,6 @@
+ shift 2
+ fi
+ ;;
+- -p | --proxy)
+- check_arg $1 $2
+- PROXY="${2}"
+- shift 2
+- ;;
+ -r | --rebuild)
+ if test "${CERTDATAY}" == "0" -a "${GET}" == "0"; then
+ REBUILD="1"
+@@ -310,9 +306,6 @@
+ echo " -n, --nssdb {\$PKIDIR/nssdb}"
+ echo " The output path for the shared NSS DB"
+ echo ""
+- echo " -p, --proxy [URI:PORT]"
+- echo " Use proxy server for download"
+- echo ""
+ echo " -k, --keytool [\$JAVA_HOME/bin/keytool]"
+ echo " The path of the Java keytool utility"
+ echo ""
+@@ -673,16 +666,8 @@
+ echo -n "Checking for new version of certdata.txt..."
+ HOST=$(echo "${URL}" | /usr/bin/cut -d / -f 3)
+ _url=$(echo "${URL}" | sed 's@raw-file@log@')
+- SARGS="-ign_eof -connect ${HOST}:443 -verifyCAfile ${MOZILLA_CA_ROOT}"
+- if test -d /etc/ssl/certs; then
+- SARGS="${SARGS} -verifyCApath ${CERTDIR}"
+- fi
+- SARGS="${SARGS} -verify_return_error"
+- if test "${PROXY}x" != "x"; then
+- SARGS="${SARGS} -proxy ${PROXY}"
+- fi
+ echo GET ${_url} | \
+- ${OPENSSL} s_client ${SARGS} 2> /dev/null > "${TEMPDIR}/certdata.txt.log"
++ ${CURL} ${_url} 2> /dev/null > "${TEMPDIR}/certdata.txt.log"
+ unset _url
+ echo "done."
+
+@@ -707,7 +692,7 @@
+ # Download the new file
+ echo -n "Downloading certdata.txt..."
+ echo GET ${URL} | \
+- ${OPENSSL} s_client ${SARGS} 2> /dev/null >> "${CERTDATA}"
++ ${CURL} ${URL} 2> /dev/null >> "${CERTDATA}"
+ _line=$(( $(grep -n -m 1 "^#$" "${CERTDATA}" | cut -d ":" -f 1) - 1))
+ sed -e "1,${_line}d" -i "${CERTDATA}"
+ sed "1i # Revision:${REVISION}" -i "${CERTDATA}"
+diff -ur make-ca-1.14.orig/make-ca.conf.dist make-ca-1.14/make-ca.conf.dist
+--- make-ca-1.14.orig/make-ca.conf.dist 2024-07-13 20:34:30.000000000 -0700
++++ make-ca-1.14/make-ca.conf.dist 2024-10-27 06:24:38.570883699 -0700
+@@ -7,6 +7,7 @@
+ KEYTOOL="${JAVA_HOME}/bin/keytool"
+ MD5SUM="/usr/bin/md5sum"
+ OPENSSL="/usr/bin/openssl"
++CURL="/usr/bin/curl"
+ TRUST="/usr/bin/trust"
+ ANCHORDIR="${PKIDIR}/anchors"
+ ANCHORLIST="${PKIDIR}/anchors.md5sums"
diff --git a/SOURCES/make-ca-1.14-libressl.patch b/SOURCES/make-ca-1.14-libressl.patch
deleted file mode 100644
index f3330f5..0000000
--- a/SOURCES/make-ca-1.14-libressl.patch
+++ /dev/null
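Review bot: The curl replacement at `++ ${CURL} ${_url} 2> /dev/null > "${TEMPDIR}/certdata.txt.log"` (and the same form in `@@ -707,7 +692,7 @@`) loses every failure signal the s_client call had: without `-f` an HTTP error page is written into the log, or appended to `${CERTDATA}`, with a zero exit status, and `2> /dev/null` also hides a TLS verification failure, which then surfaces only as an empty file. The removed `-verifyCAfile ${MOZILLA_CA_ROOT} ... -verify_return_error` pinned the download to one CA; curl now verifies against its default bundle, which on a host whose bundle is produced by make-ca itself deserves a comment about the first-run case (presumably covered by the packaged certdata-dist.txt), and the spec's `%exclude` of mozilla-ca-root.pem suggests `MOZILLA_CA_ROOT` is now dead, so the TODO that the changelog drops is still open. I would write `${CURL} -sSf --proto '=https' "${_url}" > "${TEMPDIR}/certdata.txt.log" || { echo "failed."; exit 1; }` (same shape for `${URL}`) and remove the now-dead `echo GET ${_url} | \` pipe, since curl does not read its request from stdin. The download function of make-ca begins and ends outside this hunk, so the error path (cleanup of `${TEMPDIR}`) has to be matched to what the script does there.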
@@ -1,112 +0,0 @@
-diff -ur make-ca-1.14.orig/copy-trust-modifications make-ca-1.14/copy-trust-modifications
---- make-ca-1.14.orig/copy-trust-modifications 2024-07-13 20:34:30.000000000 -0700
-+++ make-ca-1.14/copy-trust-modifications 2024-10-10 01:06:07.204279974 -0700
-@@ -34,7 +34,7 @@
- LABELNEW=`echo "${LABEL}" | /bin/sed -e 's@"@@g' -e 's@ @_@g'`
-
- # Determine default usage (this can be changed later)
-- usage=$(openssl x509 -in ${certificate} -noout -text | \
-+ usage=$(libressl x509 -in ${certificate} -noout -text | \
- grep -A1 "X509v3 Key Usage:")
- trust=""
- echo ${usage} | grep -q "Certificate Sign" &&
-@@ -43,7 +43,7 @@
- trust="${trust} -addtrust emailProtection"
-
- # Place into LOCALDIR
-- openssl x509 -in ${certificate} -text -fingerprint -setalias "${LABEL}" \
-+ libressl x509 -in ${certificate} -text -fingerprint -setalias "${LABEL}" \
- ${trust} -out "${LOCALDIR}/${LABELNEW}.pem"
- echo -e "${LABELNEW}"
- unset LABEL LABELNEW usage trust
-diff -ur make-ca-1.14.orig/include.h2m make-ca-1.14/include.h2m
---- make-ca-1.14.orig/include.h2m 2024-07-13 20:34:30.000000000 -0700
-+++ make-ca-1.14/include.h2m 2024-10-10 01:06:54.916281150 -0700
-@@ -33,7 +33,7 @@
-
- #\ install -vdm755 /etc/ssl/local \
- #\ wget http://www.cacert.org/certs/root.crt \
-- #\ openssl x509 -in root.crt -text -fingerprint \\ \
-+ #\ libressl x509 -in root.crt -text -fingerprint \\ \
- -setalias "CAcert Class 1 root" \\ \
- -addtrust serverAuth \\ \
- -addtrust emailProtection \\ \
-diff -ur make-ca-1.14.orig/make-ca make-ca-1.14/make-ca
---- make-ca-1.14.orig/make-ca 2024-07-13 20:34:30.000000000 -0700
-+++ make-ca-1.14/make-ca 2024-10-10 01:08:01.212282784 -0700
-@@ -27,7 +27,7 @@
- CERTUTIL="/usr/bin/certutil"
- KEYTOOL="${JAVA_HOME}/bin/keytool"
- MD5SUM="/usr/bin/md5sum"
-- OPENSSL="/usr/bin/openssl"
-+ OPENSSL="/usr/bin/libressl"
- TRUST="/usr/bin/trust"
- ANCHORDIR="${PKIDIR}/anchors"
- ANCHORLIST="${PKIDIR}/anchors.md5sums"
-@@ -41,6 +41,7 @@
- LOCALDIR="${SSLDIR}/local"
- DESTDIR=""
- URL="https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt"
-+ CURL="/usr/bin/curl"
- fi
-
- # Some data in the certs have UTF-8 characters
-@@ -316,7 +317,7 @@
- echo " -k, --keytool [\$JAVA_HOME/bin/keytool]"
- echo " The path of the Java keytool utility"
- echo ""
-- echo " -s, --openssl [/usr/bin/openssl]"
-+ echo " -s, --openssl [/usr/bin/libressl]"
- echo " The path of the openssl utility"
- echo ""
- echo " -t, --certutil [/usr/bin/certutil]"
-@@ -682,7 +683,7 @@
- SARGS="${SARGS} -proxy ${PROXY}"
- fi
- echo GET ${_url} | \
-- ${OPENSSL} s_client ${SARGS} 2> /dev/null > "${TEMPDIR}/certdata.txt.log"
-+ ${CURL} ${_url} 2> /dev/null > "${TEMPDIR}/certdata.txt.log"
- unset _url
- echo "done."
-
-@@ -707,7 +708,7 @@
- # Download the new file
- echo -n "Downloading certdata.txt..."
- echo GET ${URL} | \
-- ${OPENSSL} s_client ${SARGS} 2> /dev/null >> "${CERTDATA}"
-+ ${CURL} ${URL} 2> /dev/null >> "${CERTDATA}"
- _line=$(( $(grep -n -m 1 "^#$" "${CERTDATA}" | cut -d ":" -f 1) - 1))
- sed -e "1,${_line}d" -i "${CERTDATA}"
- sed "1i # Revision:${REVISION}" -i "${CERTDATA}"
-diff -ur make-ca-1.14.orig/make-ca.conf.dist make-ca-1.14/make-ca.conf.dist
---- make-ca-1.14.orig/make-ca.conf.dist 2024-07-13 20:34:30.000000000 -0700
-+++ make-ca-1.14/make-ca.conf.dist 2024-10-10 01:03:38.949276320 -0700
-@@ -6,7 +6,7 @@
- CERTUTIL="/usr/bin/certutil"
- KEYTOOL="${JAVA_HOME}/bin/keytool"
- MD5SUM="/usr/bin/md5sum"
--OPENSSL="/usr/bin/openssl"
-+OPENSSL="/usr/bin/libressl"
- TRUST="/usr/bin/trust"
- ANCHORDIR="${PKIDIR}/anchors"
- ANCHORLIST="${PKIDIR}/anchors.md5sums"
-@@ -20,6 +20,7 @@
- LOCALDIR="${SSLDIR}/local"
- DESTDIR=""
- URL="https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt"
-+CURL="/usr/bin/curl"
-
- # Source must be downloaded over https
- # Valid urls for download are below
-diff -ur make-ca-1.14.orig/update-mscertsign.sh make-ca-1.14/update-mscertsign.sh
---- make-ca-1.14.orig/update-mscertsign.sh 2024-07-13 20:34:30.000000000 -0700
-+++ make-ca-1.14/update-mscertsign.sh 2024-10-10 01:09:07.772284424 -0700
-@@ -26,7 +26,7 @@
- for certbegin in ${startlist}; do
- awk "NR==$certbegin,/^-----END CERTIFICATE-----/" mscertsign.txt \
- > ${certbegin}.crt
-- openssl x509 -noout -in ${certbegin}.crt -hash >> CS.txt
-+ libressl x509 -noout -in ${certbegin}.crt -hash >> CS.txt
- rm ${certbegin}.crt
- done
- rm -r mscertsign.txt
diff --git a/SPECS/make-ca.spec b/SPECS/make-ca.spec
index b17f2e1..514a348 100644
--- a/SPECS/make-ca.spec
+++ b/SPECS/make-ca.spec
@@ -2,9 +2,18 @@
 %global _unitdir /usr/lib/systemd/system
 %endif
 
+%global certdata_date 20241020
+%if 0%{?libresslAPI:1} == 1
+%global __openssl %{_bindir}/libressl
+%else
+%if 0%{?!__openssl:1} == 1
+%global __openssl %{_bindir}/openssl
+%endif
+%endif
+
 Name: make-ca
 Version: 1.14
-Release: %{?repo}0.rc1%{?dist}
+Release: %{?repo}0.rc2%{?dist}
 Summary: Maintains PKI certificate store
 BuildArch: noarch
 
@@ -12,10 +21,11 @@ Group: System Administration/Utilities
 License: MIT, GPLv3
 URL: https://github.com/lfs-book/make-ca
 Source0: https://github.com/lfs-book/make-ca/archive/v%{version}/make-ca-%{version}.tar.gz
-Source1: certdata-20241020.txt
-Patch0: make-ca-1.14-libressl.patch
+Source1: certdata-%{certdata_date}.txt
+#Patch0: make-ca-1.14-libressl.patch
+Patch0: make-ca-1.14-curl.patch
 
-Requires: %{_bindir}/libressl
+Requires: %{__openssl}
 Requires: %{_bindir}/curl
 Requires: /bin/mktemp
 Requires: %{_bindir}/certutil
@@ -27,6 +37,7 @@ Requires(post): /bin/mktemp
 Requires(post): %{_bindir}/certutil
 Requires(post): %{_bindir}/trust
 Requires(post): %{_bindir}/md5sum
+Requires(post): %{_sysconfdir}/make-ca/certdata-dist.txt
 
 %description
 This package maintains the PKI certificate bundles needed to establish a chain
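Review bot: Nothing in the spec says how `libresslAPI` is meant to be set, so the `%if 0%{?libresslAPI:1} == 1` block in `@@ -2,9 +2,18 @@` needs a comment; I would put `# Build with rpmbuild --define 'libresslAPI 1' on LibreSSL-based systems; predefine __openssl to select a non-default openssl binary.` above it. The inner `%if 0%{?!__openssl:1} == 1` only assigns the openssl default when the macro is still undefined, which is the right shape but not obvious at a glance, so the comment should say that too. `Requires(post): %{_sysconfdir}/make-ca/certdata-dist.txt` binds make-ca to whichever package ships that file, and since the new pki-certdata subpackage is described later in this commit as something that can be uninstalled, it is worth confirming that rpm really permits erasing the subpackage once make-ca is installed.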
@@ -34,10 +45,33 @@ of trust between a signed certificate and the certificate authority that signed
 the certificate. The trust list can be configured by a system administrator
 with root privileges, although in most cases that is not needed.
 
+%package -n pki-certdata
+Group: System Administration/Utilities
+Summary: A default certdata.txt file from Mozilla.
+Version: %{certdata_date}
+BuildArch: noarch
+
+%description -n pki-certdata
+This package contains a default certdata.txt file that can be
+used to generate the initial certificate bundle. The version is
+the date the certdata.txt file was retrieved, which is likely
+different than the date it was first published.
+
+The file is installed as:
+ %{_sysconfdir}/make-ca/certdata-dist.txt
+
 %prep
 %setup -q
 %patch 0 -p1
+%if 0%{?libresslAPI:1} == 1
+sed -i 's?openssl x509?libressl x509?g' copy-trust-modifications
+sed -i 's?openssl x509?libressl x509?g' include.h2m
+sed -i 's?openssl x509?libressl x509?g' update-mscertsign.sh
+sed -i 's?openssl x509?libressl x509?g' README
+%endif
+sed -i 's?/usr/bin/openssl?%{__openssl}?g' make-ca
+sed -i 's?/usr/bin/openssl?%{__openssl}?g' make-ca.conf.dist
 cp %{SOURCE1} ./certdata-dist.txt
@@ -67,7 +101,6 @@ fi
 %dir %{_sysconfdir}/ssl/local
 %dir %{_sysconfdir}/make-ca
 %attr(0644,root,root) %{_sysconfdir}/make-ca/CS.txt
-%attr(0644,root,root) %{_sysconfdir}/make-ca/certdata-dist.txt
 %attr(0644,root,root) %{_sysconfdir}/make-ca/make-ca.conf.dist
 %exclude %{_sysconfdir}/make-ca/mozilla-ca-root.pem
 %dir %{_libexecdir}/make-ca
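Review bot: The `%prep` seds in `@@ -34,10 +45,33 @@` rewrite `openssl x509` and `/usr/bin/openssl` without checking that the pattern was present, so if a later upstream tarball changes either string the build still succeeds and the installed make-ca silently keeps calling `/usr/bin/openssl`, which on a LibreSSL-only host is exactly the failure this commit is fixing. Guard each rewrite, e.g. `grep -q '/usr/bin/openssl' make-ca make-ca.conf.dist || exit 1` before the two unconditional seds, and the equivalent check for `openssl x509` inside the `libresslAPI` branch. `%{__openssl}` is also interpolated into a `?`-delimited sed expression, so a path containing `?` would break the substitution; unlikely, but it deserves a one-line comment on the `%global` that defines the macro.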
@@ -77,11 +110,21 @@ fi
 %attr(0644,root,root) %config(noreplace) %{_unitdir}/update-pki.timer
 %attr(0644,root,root) %{_mandir}/man8/make-ca.8*
 %license LICENSE LICENSE.GPLv3 LICENSE.MIT
-%doc README
+%doc CHANGELOG README LICENSE LICENSE.GPLv3 LICENSE.MIT
+
+%files -n pki-certdata
+%defattr(0644,root,root)
+%dir %{_libexecdir}/make-ca
+%{_sysconfdir}/make-ca/certdata-dist.txt
 
 %changelog
+* Sun Oct 27 2024 Michael A. Peters - 1.14-0.rc2
+- Make spec file portable, so it works on systems without /usr/bin/libressl
+- but that do have /usr/bin/openssl
+- Remove the proxy switch that does not work with curl
+- Separate default certdata.txt file into a different package so it can be
+ updated separately as needed or even uninstalled.
+
 * Sun Oct 20 2024 Michael A. Peters - 1.14-0.rc1
 - Initial RPM spec file for YJL 6.6 (LFS 12.2)
-- TODO: Update patch to remove MOZILLA_CA_ROOT and SARGS as they are not
-- needed w/ distributed certdata.txt.
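Review bot: `%files -n pki-certdata` in `@@ -77,11 +110,21 @@` claims `%dir %{_libexecdir}/make-ca`, a directory the subpackage installs nothing into, while the directory it does populate, `%{_sysconfdir}/make-ca`, is owned only by the main package, so a stand-alone install of pki-certdata leaves that directory unowned. Replace the line with `%dir %{_sysconfdir}/make-ca`; co-ownership with make-ca is fine. The new `%doc CHANGELOG README LICENSE LICENSE.GPLv3 LICENSE.MIT` repeats the three files already listed on the `%license` line directly above, which rpmbuild reports as files listed twice; `%doc CHANGELOG README` is sufficient.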