Authored By
michaelo
Feb 25 2019, 3:33 PM

enterprise-cas.patch

Index: Makefile
===================================================================
--- Makefile (revision 493616)
+++ Makefile (working copy)
@@ -2,6 +2,7 @@
PORTNAME= ca_root_nss
PORTVERSION= ${VERSION_NSS}
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX}
@@ -37,8 +38,8 @@
CERTDATA_TXT_PATH= nss-${VERSION_NSS}/nss/lib/ckfw/builtins/certdata.txt
BUNDLE_PROCESSOR= MAca-bundle.pl
-SUB_FILES= MAca-bundle.pl pkg-message
-SUB_LIST= VERSION_NSS=${VERSION_NSS}
+SUB_FILES= MAca-bundle.pl ca-merge.sh pkg-message
+SUB_LIST= VERSION_NSS=${VERSION_NSS} CERTDIR=${CERTDIR}
do-extract:
@${MKDIR} ${WRKDIR}
@@ -56,13 +57,16 @@
do-install:
${MKDIR} ${STAGEDIR}${PREFIX}/${CERTDIR}
${INSTALL_DATA} ${WRKDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/${CERTDIR}
- ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl
- ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample
+ ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl ${STAGEDIR}${PREFIX}/etc/ssl/ca-trust/source/anchors
+ # ${PREFIX}/etc/ssl/cert.pem is the canonical system CA root now and
+ # will be generated at pkg install time via ca-merge utility.
+ ${INSTALL} ${WRKDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample
${MKDIR} ${STAGEDIR}${PREFIX}/openssl
- ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample
+ ${LN} -sf ${PREFIX}/etc/ssl/cert.pem ${STAGEDIR}${PREFIX}/openssl/cert.pem
+ ${INSTALL_SCRIPT} ${WRKDIR}/ca-merge.sh ${STAGEDIR}${PREFIX}/sbin/ca-merge
do-install-ETCSYMLINK-on:
${MKDIR} ${STAGEDIR}/etc/ssl
- ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem
+ ${LN} -sf ${PREFIX}/etc/ssl/cert.pem ${STAGEDIR}/etc/ssl/cert.pem
.include <bsd.port.mk>
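Review bot: The new `${INSTALL} ${WRKDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample` line drops the mode that the sibling line two lines above sets via `${INSTALL_DATA}`, so the sample trust store is staged with install(1)'s default mode (0755 on FreeBSD) instead of 0644, and whatever `@sample` later copies to cert.pem may inherit it. Use the same macro for the same payload: `${INSTALL_DATA} ${WRKDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample`. The two `#` lines inside the `do-install` recipe are recipe text rather than Makefile comments and will be handed to the shell during staging; prefixing them with `@#` or moving them above the target keeps the build log clean. Note the comment's claim that cert.pem "will be generated at pkg install time" relies on the `@postexec` in pkg-plist, which is outside this hunk.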
Index: files/ca-merge.sh.in
===================================================================
--- files/ca-merge.sh.in (nonexistent)
+++ files/ca-merge.sh.in (working copy)
@@ -0,0 +1,162 @@
+#!/bin/sh
+# Utility to merge internal CAs into system trust stores
+# Created By: Mark Felder <feld@FreeBSD.org>
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+DEBUG=0
+FAILED=0
+: ${CAPATH=%%PREFIX%%/etc/ssl/ca-trust/source/anchors}
+TMPDIR=$(mktemp -d -t ca-merge)
+
+trap _clean EXIT INT KILL
+
+if [ $(id -u) -ne 0 ]; then
+ echo "Error: $0 requires root access to run." > /dev/stderr
+ exit 1
+fi
+
+_usage()
+{
+ cat <<HELP
+usage: ${0}
+
+Options:
+-d Debugging enabled
+-h Help
+-p Specify a custom CA file search path (ignores default)
+
+This utility automatically merges CA files of PEM or DER format found in
+the %%PREFIX%%/etc/ssl/ca-trust/source/ search path.
+
+${0}: 2018, feld@FreeBSD.org
+
+HELP
+}
+
+_merge()
+{
+ # OpenSSL runs first as Mono and Java
+ # utilize the resulting PEM.
+ _merge_openssl
+ _merge_mono
+ _merge_jks
+}
+
+_merge_openssl()
+{
+ cp -f %%PREFIX%%/%%CERTDIR%%/ca-root-nss.crt ${TMPDIR}/cert.pem
+ echo "Building OpenSSL cert.pem..."
+ # Merge in a temporary directory if we have work to do
+ if [ -d "${CAPATH}" ]; then
+ for i in $(find ${CAPATH} -type f); do
+ openssl verify -no-CAfile -trusted ${i} ${i} 2>&1 >/dev/null
+ if [ $? -eq 0 ]; then
+ echo "Appending ${i} to trusted roots"
+ echo "### Internal CA(s) from ${i} below here ###" >> ${TMPDIR}/cert.pem
+ openssl crl2pkcs7 -nocrl -certfile ${i} | openssl pkcs7 -print_certs -text >> ${TMPDIR}/cert.pem
+ else
+ echo "${i} is invalid. Skipping." > /dev/stderr
+ fi
+ done
+ fi
+
+ # Merging complete. Now validate final root before installing.
+ # Note, this does not validate each cert within is valid. We have
+ # to trust that our earlier validation caught those issues.
+ # This merely validates that the format of the final concatenated
+ # ca-root-nss.crt is valid.
+ [ ${DEBUG} -eq 1 ] && echo "Verifying final root CA file"
+ openssl verify -no-CAfile -trusted ${TMPDIR}/cert.pem ${TMPDIR}/cert.pem 2>&1 >/dev/null
+
+ # If verify passes and file does not match, install new cert.pem
+ if [ $? -eq 0 ]; then
+ cmp -s ${TMPDIR}/cert.pem %%PREFIX%%/etc/ssl/cert.pem || \
+ install -o root -g wheel -m 644 ${TMPDIR}/cert.pem %%PREFIX%%/etc/ssl/cert.pem
+ else
+ # Something went wrong. If an existing root CA exists we will fall back to using that
+ # so as to not remove any local root CAs or customizations. If no root CA is installed
+ # we have no choice but to install the default roots and report an error happened.
+ # We must overwrite ${TMPDIR}/cert.pem with either the existing CA or the package's CA
+ # so Mono and Java rebuild their keystores off of a known good root and not a broken root.
+ if [ -f %%PREFIX%%/etc/ssl/cert.pem ]; then
+ cp -f %%PREFIX%%/etc/ssl/cert.pem ${TMPDIR}/cert.pem
+ else
+ cp -f %%PREFIX%%/%%CERTDIR%%/ca-root-nss.crt ${TMPDIR}/cert.pem
+ install -o root -g wheel -m 644 ${TMPDIR}/cert.pem %%PREFIX%%/etc/ssl/cert.pem
+ fi
+ FAILED=1
+ fi
+}
+
+_merge_mono()
+{
+ if [ -x %%PREFIX%%/bin/cert-sync ]; then
+ echo "Building the Mono trust store from cert.pem..."
+ %%PREFIX%%/bin/cert-sync --quiet %%PREFIX%%/etc/ssl/cert.pem
+ fi
+}
+
+_merge_jks()
+{
+ if [ -x %%PREFIX%%/bin/keytool ]; then
+ echo "Building the Java cacerts keystore from cert.pem..."
+ # Split the cert.pem into individual files. Java cannot
+ # recognize the roots if they are imported from a single file.
+ mkdir ${TMPDIR}/java; cd ${TMPDIR}/java
+ sed '/BEGIN/,/END/!d' ${TMPDIR}/cert.pem | split -p "-----BEGIN CERTIFICATE-----"
+
+ # wc on FreeBSD is stupidly indented; use egrep instead
+ TOTAL=$(ls ${TMPDIR}/java | egrep -c '*')
+ COUNT=1
+
+ # Build the Java keystore from files split out of cert.pem
+ for i in $(find ${TMPDIR}/java -type f); do
+ echo "Java: importing ${COUNT} of ${TOTAL} certs..."
+ ( env LC_ALL=C %%PREFIX%%/bin/keytool -import -noprompt \
+ -alias $(basename "${i}") \
+ -keystore "${TMPDIR}/cacerts" \
+ -storepass 'changeit' \
+ -file "${i}" 2>&1 ) > /dev/null
+ COUNT=$((COUNT+1))
+ done
+
+ # Install new cacerts if the file has changed
+ cmp -s ${TMPDIR}/cacerts %%PREFIX%%/etc/ssl/cacerts || \
+ install -o root -g wheel -m 644 ${TMPDIR}/cacerts %%PREFIX%%/etc/ssl/cacerts
+ fi
+}
+
+_clean()
+{
+ # Cleanup
+ if [ -d "${TMPDIR}" ] && [ ${DEBUG} -ne 1 ]; then
+ rm -rf "${TMPDIR}"
+ fi
+
+ if [ ${DEBUG} -eq 1 ]; then
+ echo "Temporary files can be found in ${TMPDIR}"
+ fi
+
+ if [ ${FAILED} -eq 1 ]; then
+ echo "WARNING: an error occurred merging the CAs. The default trusted CAs have been installed." > /dev/stderr
+ exit 1
+ fi
+}
+
+while getopts "dhp:" opt; do
+ case ${opt} in
+ d) DEBUG=1
+ ;;
+ h) _usage
+ exit 0
+ ;;
+ p) CAPATH=${OPTARG}
+ ;;
+ esac
+done
+
+shift $(($OPTIND - 1))
+
+_merge
+
+exit 0
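Review bot: `TMPDIR=$(mktemp -d -t ca-merge)` near the top of the script is never checked, so if mktemp fails TMPDIR is empty and `_merge_openssl` runs as root with `cp -f ... /cert.pem` and then `install ... /cert.pem %%PREFIX%%/etc/ssl/cert.pem`, turning a scratch-directory failure into writes under `/`; guard it with `TMPDIR=$(mktemp -d -t ca-merge) || { echo "Error: cannot create temporary directory" >&2; exit 1; }`. The acceptance test `openssl verify -no-CAfile -trusted ${i} ${i}` disables only the default CA file, not the default CA directory, so a certificate that is not self-signed can still be accepted as an anchor if its issuer happens to be in the default CApath; adding `-no-CApath` makes the check mean what the comments assume (behaviour of the default path depends on the OpenSSL build, so worth confirming). Because every file found under the anchors directory becomes a system-wide trust anchor on each package run, the `find ${CAPATH} -type f` loop should also restrict itself to root-owned, non-world-writable files (`find "${CAPATH}" -type f -user root ! -perm -o+w`) and quote `"${i}"` in the openssl calls, since the unquoted `$(find ...)` word-splits on whitespace in file names. The usage text advertises DER input, but `openssl verify` and `crl2pkcs7 -certfile` default to PEM, so a DER file is reported as "invalid. Skipping."; either document PEM-only or convert DER first.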
Property changes on: files/ca-merge.sh.in
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: pkg-plist
===================================================================
--- pkg-plist (revision 493616)
+++ pkg-plist (working copy)
@@ -1,6 +1,10 @@
%%CERTDIR%%/ca-root-nss.crt
@sample etc/ssl/cert.pem.sample
-@sample openssl/cert.pem.sample
+openssl/cert.pem
%%ETCSYMLINK%%/etc/ssl/cert.pem
%%ETCSYMLINK%%@dir /etc/ssl
-@postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt
+sbin/ca-merge
+@rmtry %%LOCALBASE%%/etc/ssl/cacerts
+@dir etc/ssl/ca-trust/source/anchors
+@dir etc/ssl
+@postexec %%LOCALBASE%%/sbin/ca-merge
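Review bot: The deinstall side is asymmetric: `@rmtry %%LOCALBASE%%/etc/ssl/cacerts` removes the generated Java keystore, but the merged `etc/ssl/cert.pem` that `@postexec %%LOCALBASE%%/sbin/ca-merge` writes is covered only by the `@sample` line, which leaves the file behind whenever it differs from the sample, i.e. exactly when internal CAs were merged in. If keeping a modified trust store after package removal is intended, say so in pkg-message; otherwise an `@rmtry %%LOCALBASE%%/etc/ssl/cert.pem` placed before the `@sample` entry would remove it, at the cost of also discarding hand edits (pkg-message is outside this hunk). `ca-merge` exits 1 from its cleanup trap on a merge failure, so it is worth confirming how pkg reports a failing `@postexec` so the fallback-to-default-roots warning is not lost in the upgrade output.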
