Index: ftp/curl/Makefile =================================================================== --- ftp/curl/Makefile +++ ftp/curl/Makefile @@ -4,6 +4,7 @@ PORTNAME= curl PORTVERSION= 7.61.0 PORTREVISION= 1 +PORTREVISION= 1 CATEGORIES= ftp net www MASTER_SITES= https://curl.haxx.se/download/ \ LOCAL/sunpoet @@ -71,7 +72,7 @@ BROTLI_CONFIGURE_WITH= brotli BROTLI_LIB_DEPENDS= libbrotlidec.so:archivers/brotli -CA_BUNDLE_CONFIGURE_WITH= ca-bundle=${LOCALBASE}/share/certs/ca-root-nss.crt +CA_BUNDLE_CONFIGURE_WITH= ca-bundle=${LOCALBASE}/etc/ssl/cert.pem CA_BUNDLE_RUN_DEPENDS= ${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss CARES_CONFIGURE_ENABLE= ares CARES_LIB_DEPENDS= libcares.so:dns/c-ares Index: security/ca_root_nss/Makefile =================================================================== --- security/ca_root_nss/Makefile +++ security/ca_root_nss/Makefile @@ -2,6 +2,7 @@ PORTNAME= ca_root_nss PORTVERSION= ${VERSION_NSS} +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX} @@ -37,8 +38,8 @@ CERTDATA_TXT_PATH= nss-${VERSION_NSS}/nss/lib/ckfw/builtins/certdata.txt BUNDLE_PROCESSOR= MAca-bundle.pl -SUB_FILES= MAca-bundle.pl pkg-message -SUB_LIST= VERSION_NSS=${VERSION_NSS} +SUB_FILES= MAca-bundle.pl ca-merge.sh pkg-message +SUB_LIST= VERSION_NSS=${VERSION_NSS} CERTDIR=${CERTDIR} .include @@ -60,11 +61,14 @@ ${INSTALL_DATA} ${WRKDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/${CERTDIR} .if ${PORT_OPTIONS:METCSYMLINK} ${MKDIR} ${STAGEDIR}/etc/ssl - ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem + ${LN} -sf ${PREFIX}/etc/ssl/cert.pem ${STAGEDIR}/etc/ssl/cert.pem .endif - ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl - ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample + ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl ${STAGEDIR}${PREFIX}/etc/ssl/ca-trust/source/anchors + # ${PREFIX}/etc/ssl/cert.pem is the canonical system CA root now and + # will be generated at pkg install time via ca-merge utility. + ${INSTALL} ${WRKDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample ${MKDIR} ${STAGEDIR}${PREFIX}/openssl - ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample + ${LN} -sf ${PREFIX}/etc/ssl/cert.pem ${STAGEDIR}${PREFIX}/openssl/cert.pem + ${INSTALL_SCRIPT} ${WRKDIR}/ca-merge.sh ${STAGEDIR}${PREFIX}/sbin/ca-merge .include Index: security/ca_root_nss/files/ca-merge.sh.in =================================================================== --- /dev/null +++ security/ca_root_nss/files/ca-merge.sh.in @@ -0,0 +1,162 @@ +#!/bin/sh +# Utility to merge internal CAs into system trust stores +# Created By: Mark Felder + +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin +DEBUG=0 +FAILED=0 +: ${CAPATH=%%PREFIX%%/etc/ssl/ca-trust/source/anchors} +TMPDIR=$(mktemp -d -t ca-merge) + +trap _clean EXIT INT KILL + +if [ $(id -u) -ne 0 ]; then + echo "Error: $0 requires root access to run." > /dev/stderr + exit 1 +fi + +_usage() +{ + cat <&1 >/dev/null + if [ $? -eq 0 ]; then + echo "Appending ${i} to trusted roots" + echo "### Internal CA from ${i} below here ###" >> ${TMPDIR}/cert.pem + openssl x509 -in ${i} -text >> ${TMPDIR}/cert.pem + else + echo "${i} is invalid. Skipping." > /dev/stderr + fi + done + fi + + # Merging complete. Now validate final root before installing. + # Note, this does not validate each cert within is valid. We have + # to trust that our earlier validation caught those issues. + # This merely validates that the format of the final concatenated + # ca-root-nss.crt is valid. + [ ${DEBUG} -eq 1 ] && echo "Verifying final root CA file" + openssl verify ${TMPDIR}/cert.pem 2>&1 >/dev/null + + # If verify passes and file does not match, install new cert.pem + if [ $? -eq 0 ]; then + cmp -s ${TMPDIR}/cert.pem %%PREFIX%%/etc/ssl/cert.pem || \ + install -o root -g wheel -m 644 ${TMPDIR}/cert.pem %%PREFIX%%/etc/ssl/cert.pem + else + # Something went wrong. If an existing root CA exists we will fall back to using that + # so as to not remove any local root CAs or customizations. If no root CA is installed + # we have no choice but to install the default roots and report an error happened. + # We must overwrite ${TMPDIR}/cert.pem with either the existing CA or the package's CA + # so Mono and Java rebuild their keystores off of a known good root and not a broken root. + if [ -f %%PREFIX%%/etc/ssl/cert.pem ]; then + cp -f %%PREFIX%%/etc/ssl/cert.pem ${TMPDIR}/cert.pem + else + cp -f %%PREFIX%%/%%CERTDIR%%/ca-root-nss.crt ${TMPDIR}/cert.pem + install -o root -g wheel -m 644 ${TMPDIR}/cert.pem %%PREFIX%%/etc/ssl/cert.pem + fi + FAILED=1 + fi +} + +_merge_mono() +{ + if [ -x %%PREFIX%%/bin/cert-sync ]; then + echo "Building the Mono trust store from cert.pem..." + %%PREFIX%%/bin/cert-sync --quiet %%PREFIX%%/etc/ssl/cert.pem + fi +} + +_merge_jks() +{ + if [ -x %%PREFIX%%/bin/keytool ]; then + echo "Building the Java cacerts keystore from cert.pem..." + # Split the cert.pem into individual files. Java cannot + # recognize the roots if they are imported from a single file. + mkdir ${TMPDIR}/java; cd ${TMPDIR}/java + sed '/BEGIN/,/END/!d' ${TMPDIR}/cert.pem | split -p "-----BEGIN CERTIFICATE-----" + + # wc on FreeBSD is stupidly indented; use egrep instead + TOTAL=$(ls ${TMPDIR}/java | egrep -c '*') + COUNT=1 + + # Build the Java keystore from files split out of cert.pem + for i in $(find ${TMPDIR}/java -type f); do + echo "Java: importing ${COUNT} of ${TOTAL} certs..." + ( env LC_ALL=C %%PREFIX%%/bin/keytool -import -noprompt \ + -alias $(basename "${i}") \ + -keystore "${TMPDIR}/cacerts" \ + -storepass 'changeit' \ + -file "${i}" 2>&1 ) > /dev/null + COUNT=$((COUNT+1)) + done + + # Install new cacerts if the file has changed + cmp -s ${TMPDIR}/cacerts %%PREFIX%%/etc/ssl/cacerts || \ + install -o root -g wheel -m 644 ${TMPDIR}/cacerts %%PREFIX%%/etc/ssl/cacerts + fi +} + +_clean() +{ + # Cleanup + if [ -d "${TMPDIR}" ] && [ ${DEBUG} -ne 1 ]; then + rm -rf "${TMPDIR}" + fi + + if [ ${DEBUG} -eq 1 ]; then + echo "Temporary files can be found in ${TMPDIR}" + fi + + if [ ${FAILED} -eq 1 ]; then + echo "WARNING: an error occurred merging the CAs. The default trusted CAs have been installed." > /dev/stderr + exit 1 + fi +} + +while getopts "dhp:" opt; do + case ${opt} in + d) DEBUG=1 + ;; + h) _usage + exit 0 + ;; + p) CAPATH=${OPTARG} + ;; + esac +done + +shift $(($OPTIND - 1)) + +_merge + +exit 0 Index: security/ca_root_nss/pkg-plist =================================================================== --- security/ca_root_nss/pkg-plist +++ security/ca_root_nss/pkg-plist @@ -1,6 +1,9 @@ %%CERTDIR%%/ca-root-nss.crt @sample etc/ssl/cert.pem.sample -@sample openssl/cert.pem.sample +openssl/cert.pem %%ETCSYMLINK%%/etc/ssl/cert.pem %%ETCSYMLINK%%@dir /etc/ssl -@postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt +sbin/ca-merge +@dir etc/ssl/ca-trust/source/anchors +@dir etc/ssl +@postexec %%LOCALBASE%%/sbin/ca-merge