make make-ca portable to other distros

SOURCES/make-ca-1.14-curl.patch

@@ -0,0 +1,79 @@
+diff -ur make-ca-1.14.orig/CHANGELOG make-ca-1.14/CHANGELOG
+--- make-ca-1.14.orig/CHANGELOG	2024-07-13 20:34:30.000000000 -0700
++++ make-ca-1.14/CHANGELOG	2024-10-27 06:35:48.675438023 -0700
+@@ -1,3 +1,4 @@
++1.14yjl  - Use curl instead of OpenSSL s_client, remove proxy switch.
+ 1.14     - Silence a warning from OpenSSL 3.2.x
+          - Stop using statically named temporary files
+          - Prevent translated date in the man page
+diff -ur make-ca-1.14.orig/make-ca make-ca-1.14/make-ca
+--- make-ca-1.14.orig/make-ca	2024-07-13 20:34:30.000000000 -0700
++++ make-ca-1.14/make-ca	2024-10-27 06:33:50.893915654 -0700
+@@ -28,6 +28,7 @@
+     KEYTOOL="${JAVA_HOME}/bin/keytool"
+     MD5SUM="/usr/bin/md5sum"
+     OPENSSL="/usr/bin/openssl"
++    CURL="/usr/bin/curl"
+     TRUST="/usr/bin/trust"
+     ANCHORDIR="${PKIDIR}/anchors"
+     ANCHORLIST="${PKIDIR}/anchors.md5sums"
+@@ -186,11 +187,6 @@
+           shift 2
+         fi
+       ;;
+-      -p | --proxy)
+-        check_arg $1 $2
+-        PROXY="${2}"
+-        shift 2
+-      ;;
+       -r | --rebuild)
+         if test "${CERTDATAY}" == "0" -a "${GET}" == "0"; then
+           REBUILD="1"
+@@ -310,9 +306,6 @@
+   echo "        -n, --nssdb {\$PKIDIR/nssdb}"
+   echo "                         The output path for the shared NSS DB"
+   echo ""
+-  echo "        -p, --proxy [URI:PORT]"
+-  echo "                         Use proxy server for download"
+-  echo ""
+   echo "        -k, --keytool [\$JAVA_HOME/bin/keytool]"
+   echo "                         The path of the Java keytool utility"
+   echo ""
+@@ -673,16 +666,8 @@
+   echo -n "Checking for new version of certdata.txt..."
+   HOST=$(echo "${URL}" | /usr/bin/cut -d / -f 3)
+   _url=$(echo "${URL}" | sed 's@raw-file@log@')
+-  SARGS="-ign_eof -connect ${HOST}:443 -verifyCAfile ${MOZILLA_CA_ROOT}"
+-  if test -d /etc/ssl/certs; then
+-    SARGS="${SARGS} -verifyCApath ${CERTDIR}"
+-  fi
+-  SARGS="${SARGS} -verify_return_error"
+-  if test "${PROXY}x" != "x"; then
+-    SARGS="${SARGS} -proxy ${PROXY}"
+-  fi
+   echo GET ${_url} | \
+-  ${OPENSSL} s_client ${SARGS} 2> /dev/null > "${TEMPDIR}/certdata.txt.log"
++  ${CURL} ${_url} 2> /dev/null > "${TEMPDIR}/certdata.txt.log"
+   unset _url
+   echo "done."
+ 
+@@ -707,7 +692,7 @@
+   # Download the new file
+   echo -n "Downloading certdata.txt..."
+   echo GET ${URL} | \
+-  ${OPENSSL} s_client ${SARGS} 2> /dev/null >> "${CERTDATA}"
++  ${CURL} ${URL} 2> /dev/null >> "${CERTDATA}"
+   _line=$(( $(grep -n -m 1 "^#$" "${CERTDATA}" | cut -d ":" -f 1) - 1))
+   sed -e "1,${_line}d" -i "${CERTDATA}"
+   sed "1i # Revision:${REVISION}" -i "${CERTDATA}"
+diff -ur make-ca-1.14.orig/make-ca.conf.dist make-ca-1.14/make-ca.conf.dist
+--- make-ca-1.14.orig/make-ca.conf.dist	2024-07-13 20:34:30.000000000 -0700
++++ make-ca-1.14/make-ca.conf.dist	2024-10-27 06:24:38.570883699 -0700
+@@ -7,6 +7,7 @@
+ KEYTOOL="${JAVA_HOME}/bin/keytool"
+ MD5SUM="/usr/bin/md5sum"
+ OPENSSL="/usr/bin/openssl"
++CURL="/usr/bin/curl"
+ TRUST="/usr/bin/trust"
+ ANCHORDIR="${PKIDIR}/anchors"
+ ANCHORLIST="${PKIDIR}/anchors.md5sums"

SOURCES/make-ca-1.14-libressl.patch

@@ -1,112 +0,0 @@
-diff -ur make-ca-1.14.orig/copy-trust-modifications make-ca-1.14/copy-trust-modifications
---- make-ca-1.14.orig/copy-trust-modifications	2024-07-13 20:34:30.000000000 -0700
-+++ make-ca-1.14/copy-trust-modifications	2024-10-10 01:06:07.204279974 -0700
-@@ -34,7 +34,7 @@
-     LABELNEW=`echo "${LABEL}" | /bin/sed -e 's@"@@g' -e 's@ @_@g'`
- 
-     # Determine default usage (this can be changed later)
--    usage=$(openssl x509 -in ${certificate} -noout -text | \
-+    usage=$(libressl x509 -in ${certificate} -noout -text | \
-                 grep -A1 "X509v3 Key Usage:")
-     trust=""
-     echo ${usage} | grep -q "Certificate Sign" &&
-@@ -43,7 +43,7 @@
-          trust="${trust} -addtrust emailProtection"
- 
-     # Place into LOCALDIR
--    openssl x509 -in ${certificate} -text -fingerprint -setalias "${LABEL}" \
-+    libressl x509 -in ${certificate} -text -fingerprint -setalias "${LABEL}" \
-             ${trust} -out "${LOCALDIR}/${LABELNEW}.pem"
-     echo -e "${LABELNEW}"
-     unset LABEL LABELNEW usage trust
-diff -ur make-ca-1.14.orig/include.h2m make-ca-1.14/include.h2m
---- make-ca-1.14.orig/include.h2m	2024-07-13 20:34:30.000000000 -0700
-+++ make-ca-1.14/include.h2m	2024-10-10 01:06:54.916281150 -0700
-@@ -33,7 +33,7 @@
- 
-   #\ install -vdm755 /etc/ssl/local \                                 
-   #\ wget http://www.cacert.org/certs/root.crt \                      
--  #\ openssl x509 -in root.crt -text -fingerprint \\ \                
-+  #\ libressl x509 -in root.crt -text -fingerprint \\ \                
-                  -setalias "CAcert Class 1 root" \\ \                 
-                  -addtrust serverAuth \\ \                            
-                  -addtrust emailProtection \\ \                       
-diff -ur make-ca-1.14.orig/make-ca make-ca-1.14/make-ca
---- make-ca-1.14.orig/make-ca	2024-07-13 20:34:30.000000000 -0700
-+++ make-ca-1.14/make-ca	2024-10-10 01:08:01.212282784 -0700
-@@ -27,7 +27,7 @@
-     CERTUTIL="/usr/bin/certutil"
-     KEYTOOL="${JAVA_HOME}/bin/keytool"
-     MD5SUM="/usr/bin/md5sum"
--    OPENSSL="/usr/bin/openssl"
-+    OPENSSL="/usr/bin/libressl"
-     TRUST="/usr/bin/trust"
-     ANCHORDIR="${PKIDIR}/anchors"
-     ANCHORLIST="${PKIDIR}/anchors.md5sums"
-@@ -41,6 +41,7 @@
-     LOCALDIR="${SSLDIR}/local"
-     DESTDIR=""
-     URL="https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt"
-+    CURL="/usr/bin/curl"
- fi
- 
- # Some data in the certs have UTF-8 characters
-@@ -316,7 +317,7 @@
-   echo "        -k, --keytool [\$JAVA_HOME/bin/keytool]"
-   echo "                         The path of the Java keytool utility"
-   echo ""
--  echo "        -s, --openssl [/usr/bin/openssl]"
-+  echo "        -s, --openssl [/usr/bin/libressl]"
-   echo "                         The path of the openssl utility"
-   echo ""
-   echo "        -t, --certutil [/usr/bin/certutil]"
-@@ -682,7 +683,7 @@
-     SARGS="${SARGS} -proxy ${PROXY}"
-   fi
-   echo GET ${_url} | \
--  ${OPENSSL} s_client ${SARGS} 2> /dev/null > "${TEMPDIR}/certdata.txt.log"
-+  ${CURL} ${_url} 2> /dev/null > "${TEMPDIR}/certdata.txt.log"
-   unset _url
-   echo "done."
- 
-@@ -707,7 +708,7 @@
-   # Download the new file
-   echo -n "Downloading certdata.txt..."
-   echo GET ${URL} | \
--  ${OPENSSL} s_client ${SARGS} 2> /dev/null >> "${CERTDATA}"
-+  ${CURL} ${URL} 2> /dev/null >> "${CERTDATA}"
-   _line=$(( $(grep -n -m 1 "^#$" "${CERTDATA}" | cut -d ":" -f 1) - 1))
-   sed -e "1,${_line}d" -i "${CERTDATA}"
-   sed "1i # Revision:${REVISION}" -i "${CERTDATA}"
-diff -ur make-ca-1.14.orig/make-ca.conf.dist make-ca-1.14/make-ca.conf.dist
---- make-ca-1.14.orig/make-ca.conf.dist	2024-07-13 20:34:30.000000000 -0700
-+++ make-ca-1.14/make-ca.conf.dist	2024-10-10 01:03:38.949276320 -0700
-@@ -6,7 +6,7 @@
- CERTUTIL="/usr/bin/certutil"
- KEYTOOL="${JAVA_HOME}/bin/keytool"
- MD5SUM="/usr/bin/md5sum"
--OPENSSL="/usr/bin/openssl"
-+OPENSSL="/usr/bin/libressl"
- TRUST="/usr/bin/trust"
- ANCHORDIR="${PKIDIR}/anchors"
- ANCHORLIST="${PKIDIR}/anchors.md5sums"
-@@ -20,6 +20,7 @@
- LOCALDIR="${SSLDIR}/local"
- DESTDIR=""
- URL="https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt"
-+CURL="/usr/bin/curl"
- 
- # Source must be downloaded over https
- # Valid urls for download are below
-diff -ur make-ca-1.14.orig/update-mscertsign.sh make-ca-1.14/update-mscertsign.sh
---- make-ca-1.14.orig/update-mscertsign.sh	2024-07-13 20:34:30.000000000 -0700
-+++ make-ca-1.14/update-mscertsign.sh	2024-10-10 01:09:07.772284424 -0700
-@@ -26,7 +26,7 @@
- for certbegin in ${startlist}; do
-     awk "NR==$certbegin,/^-----END CERTIFICATE-----/" mscertsign.txt \
-         > ${certbegin}.crt
--    openssl x509 -noout -in ${certbegin}.crt -hash >> CS.txt
-+    libressl x509 -noout -in ${certbegin}.crt -hash >> CS.txt
-     rm ${certbegin}.crt
- done
- rm -r mscertsign.txt

SPECS/make-ca.spec

@@ -2,9 +2,18 @@
 %global _unitdir /usr/lib/systemd/system
 %endif
 
+%global certdata_date 20241020
+%if 0%{?libresslAPI:1} == 1
+%global __openssl %{_bindir}/libressl
+%else
+%if 0%{?!__openssl:1} == 1
+%global __openssl %{_bindir}/openssl
+%endif
+%endif
+
 Name:     make-ca
 Version:  1.14
-Release:  %{?repo}0.rc1%{?dist}
+Release:  %{?repo}0.rc2%{?dist}
 Summary:  Maintains PKI certificate store
 BuildArch: noarch
 
@@ -12,10 +21,11 @@ Group:    System Administration/Utilities
 License:  MIT, GPLv3
 URL:      https://github.com/lfs-book/make-ca
 Source0:  https://github.com/lfs-book/make-ca/archive/v%{version}/make-ca-%{version}.tar.gz
-Source1:  certdata-20241020.txt
+Source1:  certdata-%{certdata_date}.txt
-Patch0:   make-ca-1.14-libressl.patch
+#Patch0:   make-ca-1.14-libressl.patch
+Patch0:   make-ca-1.14-curl.patch
 
-Requires: %{_bindir}/libressl
+Requires: %{__openssl}
 Requires: %{_bindir}/curl
 Requires: /bin/mktemp
 Requires: %{_bindir}/certutil
@@ -27,6 +37,7 @@ Requires(post): /bin/mktemp
 Requires(post): %{_bindir}/certutil
 Requires(post): %{_bindir}/trust
 Requires(post): %{_bindir}/md5sum
+Requires(post): %{_sysconfdir}/make-ca/certdata-dist.txt
 
 %description
 This package maintains the PKI certificate bundles needed to establish a chain
@@ -34,10 +45,33 @@ of trust between a signed certificate and the certificate authority that signed
 the certificate. The trust list can be configured by a system administrator with
 root privileges, although in most cases that is not needed.
 
+%package -n pki-certdata
+Group: System Administration/Utilities
+Summary: A default certdata.txt file from Mozilla.
+Version: %{certdata_date}
+BuildArch: noarch
+
+%description -n pki-certdata
+This package contains a default certdata.txt file that can be
+used to generate the initial certificate bundle. The version is
+the date the certdata.txt file was retrieved, which is likely
+different than the date it was first published.
+
+The file is installed as:
+  %{_sysconfdir}/make-ca/certdata-dist.txt 
+
 
 %prep
 %setup -q
 %patch 0 -p1
+%if 0%{?libresslAPI:1} == 1
+sed -i 's?openssl x509?libressl x509?g' copy-trust-modifications
+sed -i 's?openssl x509?libressl x509?g' include.h2m
+sed -i 's?openssl x509?libressl x509?g' update-mscertsign.sh
+sed -i 's?openssl x509?libressl x509?g' README
+%endif
+sed -i 's?/usr/bin/openssl?%{__openssl}?g' make-ca
+sed -i 's?/usr/bin/openssl?%{__openssl}?g' make-ca.conf.dist
 cp %{SOURCE1} ./certdata-dist.txt
 
 
@@ -67,7 +101,6 @@ fi
 %dir %{_sysconfdir}/ssl/local
 %dir %{_sysconfdir}/make-ca
 %attr(0644,root,root) %{_sysconfdir}/make-ca/CS.txt
-%attr(0644,root,root) %{_sysconfdir}/make-ca/certdata-dist.txt
 %attr(0644,root,root) %{_sysconfdir}/make-ca/make-ca.conf.dist
 %exclude %{_sysconfdir}/make-ca/mozilla-ca-root.pem
 %dir %{_libexecdir}/make-ca
@@ -77,11 +110,21 @@ fi
 %attr(0644,root,root) %config(noreplace) %{_unitdir}/update-pki.timer
 %attr(0644,root,root) %{_mandir}/man8/make-ca.8*
 %license LICENSE LICENSE.GPLv3 LICENSE.MIT
-%doc README
+%doc CHANGELOG README LICENSE LICENSE.GPLv3 LICENSE.MIT
+
+%files -n pki-certdata
+%defattr(0644,root,root)
+%dir %{_libexecdir}/make-ca
+%{_sysconfdir}/make-ca/certdata-dist.txt
 
 
 %changelog
+* Sun Oct 27 2024 Michael A. Peters <anymouseprophet@gmail.com> - 1.14-0.rc2
+- Make spec file portable, so it works on systems without /usr/bin/libressl
+-   but that do have /usr/bin/openssl
+- Remove the proxy switch that does not work with curl
+- Separate default certdata.txt file into a different package so it can be
+    updated separately as needed or even uninstalled.
+
 * Sun Oct 20 2024 Michael A. Peters <anymouseprophet@gmail.com> - 1.14-0.rc1
 - Initial RPM spec file for YJL 6.6 (LFS 12.2)
-- TODO: Update patch to remove MOZILLA_CA_ROOT and SARGS as they are not
--       needed w/ distributed certdata.txt.