
D16352.id45551.diff

Index: ftp/curl/Makefile
===================================================================
--- ftp/curl/Makefile
+++ ftp/curl/Makefile
@@ -3,6 +3,7 @@
PORTNAME= curl
PORTVERSION= 7.60.0
+PORTREVISION= 1
CATEGORIES= ftp net www
MASTER_SITES= https://curl.haxx.se/download/ \
LOCAL/sunpoet
@@ -70,7 +71,7 @@
BROTLI_CONFIGURE_WITH= brotli
BROTLI_LIB_DEPENDS= libbrotlidec.so:archivers/brotli
-CA_BUNDLE_CONFIGURE_WITH= ca-bundle=${LOCALBASE}/share/certs/ca-root-nss.crt
+CA_BUNDLE_CONFIGURE_WITH= ca-bundle=${LOCALBASE}/etc/ssl/cert.pem
CA_BUNDLE_RUN_DEPENDS= ${LOCALBASE}/share/certs/ca-root-nss.crt:security/ca_root_nss
CARES_CONFIGURE_ENABLE= ares
CARES_LIB_DEPENDS= libcares.so:dns/c-ares
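Review bot: `CA_BUNDLE_RUN_DEPENDS` on the line after the changed one still keys the run dependency on `${LOCALBASE}/share/certs/ca-root-nss.crt`, while the bundle curl is now configured to open is `${LOCALBASE}/etc/ssl/cert.pem`. The dependency still resolves because ca_root_nss keeps installing ca-root-nss.crt, but the file curl actually reads is, per the ca_root_nss hunks in this review, staged as an empty placeholder that a post-install hook populates, so curl's TLS verification now depends on that hook having succeeded rather than on a file the dependency guarantees exists with content. Keying the dependency on the configured path, `CA_BUNDLE_RUN_DEPENDS= ${LOCALBASE}/etc/ssl/cert.pem:security/ca_root_nss`, at least keeps the two lines consistent and makes the new contract visible.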
Index: security/ca_root_nss/Makefile
===================================================================
--- security/ca_root_nss/Makefile
+++ security/ca_root_nss/Makefile
@@ -2,6 +2,7 @@
PORTNAME= ca_root_nss
PORTVERSION= ${VERSION_NSS}
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX}
@@ -37,8 +38,8 @@
CERTDATA_TXT_PATH= nss-${VERSION_NSS}/nss/lib/ckfw/builtins/certdata.txt
BUNDLE_PROCESSOR= MAca-bundle.pl
-SUB_FILES= MAca-bundle.pl pkg-message
-SUB_LIST= VERSION_NSS=${VERSION_NSS}
+SUB_FILES= MAca-bundle.pl ca-merge.sh pkg-message
+SUB_LIST= VERSION_NSS=${VERSION_NSS} CERTDIR=${CERTDIR}
.include <bsd.port.options.mk>
@@ -60,11 +61,14 @@
${INSTALL_DATA} ${WRKDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/${CERTDIR}
.if ${PORT_OPTIONS:METCSYMLINK}
${MKDIR} ${STAGEDIR}/etc/ssl
- ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem
+ ${LN} -sf ${PREFIX}/etc/ssl/cert.pem ${STAGEDIR}/etc/ssl/cert.pem
.endif
${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl
- ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample
+ # ${PREFIX}/etc/ssl/cert.pem is the canonical system CA root now and
+ # will be generated at pkg install time via ca-merge utility.
+ ${TOUCH} ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem
${MKDIR} ${STAGEDIR}${PREFIX}/openssl
- ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample
+ ${LN} -sf ${PREFIX}/etc/ssl/cert.pem ${STAGEDIR}${PREFIX}/openssl/cert.pem
+ ${INSTALL_SCRIPT} ${WRKDIR}/ca-merge.sh ${STAGEDIR}${PREFIX}/sbin/ca-merge
.include <bsd.port.mk>
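Review bot: `${TOUCH} ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem` stages an empty file as the canonical CA bundle, and the pkg-plist hunk in this review lists it as an ordinary packaged file, so every fresh install and upgrade first extracts an empty `etc/ssl/cert.pem` and relies on the `@postexec` ca-merge hook to fill it; once the hook rewrites it the file presumably no longer matches the package checksum, and an upgrade would replace it with the empty placeholder again until the hook reruns. Any TLS client pointed at that path (curl, per the ftp/curl hunk, and the `openssl/cert.pem` and ETCSYMLINK symlinks above) fails verification in the window between extraction and the hook, or permanently if the hook fails. Consider either not packaging the placeholder and creating/removing the merged bundle entirely from the install and deinstall hooks (with a matching `@postunexec rm -f %%PREFIX%%/etc/ssl/cert.pem` in the plist), or staging a real copy of ca-root-nss.crt in its place, e.g. `${INSTALL_DATA} ${WRKDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem`, so a missing or failed hook still leaves a usable trust store. The same point applies to the pkg-plist hunk below.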
Index: security/ca_root_nss/files/ca-merge.sh.in
===================================================================
--- /dev/null
+++ security/ca_root_nss/files/ca-merge.sh.in
@@ -0,0 +1,122 @@
+#!/bin/sh
+# Utility to merge internal CAs into system trust stores
+# Created By: Mark Felder <feld@FreeBSD.org>
+
+CAPATH=%%PREFIX%%/etc/ssl/ca-trust/source
+TMPDIR=$(mktemp -d -t ca-merge)
+
+if [ $(id -u) -ne 0 ]; then
+ echo "Error: $0 requires root access to run."
+ exit 1
+fi
+
+_usage()
+{
+ cat <<HELP
+usage: ${0}
+
+Options:
+-d Debugging enabled
+-h Help
+-p Specify a custom CA file search path (ignores default)
+
+This utility automatically merges CA files of PEM or DER format found in
+the %%PREFIX%%/etc/ssl/ca-trust/source/ search path.
+
+${0}: 2018, feld@FreeBSD.org
+
+HELP
+}
+
+_merge()
+{
+ # OpenSSL runs first as Mono and Java
+ # utilize the resulting PEM.
+ _merge_openssl
+ _merge_mono
+ _merge_jks
+ _clean
+
+ exit $?
+}
+
+_merge_openssl()
+{
+ cp %%PREFIX%%/%%CERTDIR%%/ca-root-nss.crt ${TMPDIR}
+ # Merge in a temporary directory if we have work to do
+ if [ -d "${CAPATH}" ]; then
+ for i in "${CAPATH}"/*; do
+ openssl verify ${i} 2>&1 >/dev/null
+ if [ $? -eq 0 ]; then
+ echo "Appending ${i} to trusted roots"
+ echo "### Internal CA from ${i} below here ###" >> ${TMPDIR}/ca-root-nss.crt
+ openssl x509 -in ${i} -text >> ${TMPDIR}/ca-root-nss.crt
+ else
+ echo "${i} is invalid. Skipping."
+ fi
+ done
+ fi
+
+ # Merging complete. Now validate final root before installing.
+ # Note, this does not validate each cert within is valid. We have
+ # to trust that our earlier validation caught those issues.
+ # This merely validates that the format of the final concatenated
+ # ca-root-nss.crt is valid.
+ [ ${DEBUG} ] && echo "Verifying final root CA file"
+ openssl verify ${TMPDIR}/ca-root-nss.crt 2>&1 >/dev/null
+ if [ $? -eq 0 ]; then
+ # OK, passed the smell test.
+ install -o root -g wheel -m 644 ${TMPDIR}/ca-root-nss.crt %%PREFIX%%/etc/ssl/cert.pem
+ else
+ # Something went wrong. We have no choice but to install the default roots and report
+ # and error happened.
+ install -o root -g wheel -m 644 %%PREFIX%%/%%CERTDIR%%/ca-root-nss.crt %%PREFIX%%/etc/ssl/cert.pem
+ export FAILED=1
+ fi
+}
+
+_merge_mono()
+{
+ if [ -x %%LOCALBASE%%/bin/cert-sync ]; then
+ %%LOCALBASE%%/bin/cert-sync --quiet /etc/ssl/cert.pem
+ fi
+}
+
+_merge_jks()
+{
+ # Do nothing yet
+}
+
+_clean()
+{
+ # Cleanup
+ if [ -d "${TMPDIR}" ] && [ ! ${DEBUG} ]; then
+ rm -rf "${TMPDIR}"
+ fi
+
+ if [ ${DEBUG} ]; then
+ echo "Temporary files can be found in ${TMPDIR}"
+ fi
+
+ if [ ${FAILED} ]; then
+ echo "WARNING: an error occurred merging the CAs. The default trusted CAs have been installed."
+ exit 1
+ fi
+}
+
+while getopts "dhp:" opt; do
+ case ${opt} in
+ d) DEBUG=1
+ ;;
+ h) _usage
+ exit 0
+ ;;
+ p) CAPATH=${OPTARG}
+ _merge
+ ;;
+ esac
+done
+
+shift $(($OPTIND - 1))
+
+_merge
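Review bot: `_merge_jks` has a body containing only a comment, which is a syntax error in sh (a `{ … }` group needs at least one command), so the whole script fails to parse and the `@postexec` hook never produces a bundle; write `_merge_jks() { : ; }` (or put `:` before the comment) until it has real work. The `openssl verify ${i}` pre-check in `_merge_openssl` will, as far as I can tell, reject exactly the self-signed internal root CAs this tool exists to merge unless they are already in the default trust store, and it rejects DER input without `-inform DER` despite the usage text advertising both formats, so most candidates would end up as "invalid. Skipping."; checking parseability with `openssl x509 -in "${i}" -noout` (plus `-inform DER` on fallback) matches the stated intent better than a chain validation. `_merge_mono` passes `/etc/ssl/cert.pem` to cert-sync, which only exists when the ETCSYMLINK option is set; `%%PREFIX%%/etc/ssl/cert.pem` is the file this script actually writes. The redirections `2>&1 >/dev/null` send stderr to the terminal and stdout to /dev/null, and `>/dev/null 2>&1` is presumably what was meant; the `-p` case also calls `_merge` from inside the getopts loop, so `-d` given after `-p` is never seen and `_merge` runs again at the bottom.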
Index: security/ca_root_nss/pkg-plist
===================================================================
--- security/ca_root_nss/pkg-plist
+++ security/ca_root_nss/pkg-plist
@@ -1,6 +1,8 @@
%%CERTDIR%%/ca-root-nss.crt
-@sample etc/ssl/cert.pem.sample
-@sample openssl/cert.pem.sample
+etc/ssl/cert.pem
+openssl/cert.pem
%%ETCSYMLINK%%/etc/ssl/cert.pem
%%ETCSYMLINK%%@dir /etc/ssl
-@postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt
+sbin/ca-merge
+@dir etc/ssl
+@postexec %%LOCALBASE%%/sbin/ca-merge
