From 5171353bc89bab1f4717c11cacd1ab2463b58a99 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Tue, 17 Jan 2012 14:56:56 -0500
Subject: [PATCH] Implement GNOME build API

See http://people.gnome.org/~walters/docs/build-api.txt
---
 Makefile          |   22 ++++++++++++++++++
 certdata2pem.py   |   12 ++++++---
 configure         |   63 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 make-ca-bundle.sh |   45 +++++++++++++++++++++++++++++++++++++
 4 files changed, 138 insertions(+), 4 deletions(-)
 create mode 100644 Makefile
 create mode 100755 configure
 create mode 100755 make-ca-bundle.sh

diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..422c8c2
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,22 @@
+include Makefile.inc
+
+pkidir=$(sysconfdir)/pki
+
+stamp-certs-created:
+	mkdir -p ca-certificates/certs
+	python $(srcdir)/certdata2pem.py $(srcdir)/certdata.txt $(srcdir)/blacklist.txt ca-certificates/certs
+	$(srcdir)/make-ca-bundle.sh $(srcdir)/certdata.txt ca-certificates
+	touch stamp-certs-created
+
+install: stamp-certs-created
+	mkdir -p $(DESTDIR)$(sysconfdir)/pki/tls/certs
+	install -p -m 644 ca-certificates/ca-bundle.crt $(DESTDIR)$(pkidir)/tls/certs/ca-bundle.crt
+	install -p -m 644 ca-certificates/ca-bundle.trust.crt $(DESTDIR)$(pkidir)/tls/certs/ca-bundle.trust.crt
+	rm -f $(DESTDIR)$(pkidir)/tls/cert.pem
+	ln -s certs/ca-bundle.crt $(DESTDIR)$(pkidir)/tls/cert.pem
+	touch -r $(srcdir)/certdata.txt $(DESTDIR)$(pkidir)/tls/certs/ca-bundle.crt
+	touch -r $(srcdir)/certdata.txt $(DESTDIR)$(pkidir)/tls/certs/ca-bundle.trust.crt
+
+	mkdir -p -m 755 $(DESTDIR)$(sysconfdir)/ssl
+	rm -f $(DESTDIR)$(sysconfdir)/ssl/certs
+	ln -s ../pki/tls/certs $(DESTDIR)$(sysconfdir)/ssl/certs
diff --git a/certdata2pem.py b/certdata2pem.py
index c22946d..b0d6259 100644
--- a/certdata2pem.py
+++ b/certdata2pem.py
@@ -28,10 +28,14 @@ import textwrap
 
 objects = []
 
+certdata_path = sys.argv[1]
+blacklist_path = sys.argv[2]
+outdir=sys.argv[3]
+
 # Dirty file parser.
 in_data, in_multiline, in_obj = False, False, False
 field, type, value, obj = None, None, None, dict()
-for line in open('certdata.txt', 'r'):
+for line in open(certdata_path, 'r'):
     # Ignore the file header.
     if not in_data:
         if line.startswith('BEGINDATA'):
@@ -81,8 +85,8 @@ if len(obj.items()) > 0:
 
 # Read blacklist.
 blacklist = []
-if os.path.exists('blacklist.txt'):
-    for line in open('blacklist.txt', 'r'):
+if os.path.exists(blacklist_path):
+    for line in open(blacklist_path, 'r'):
         line = line.strip()
         if line.startswith('#') or len(line) == 0:
             continue
@@ -161,7 +165,7 @@ for obj in objects:
             print " -> untrusted, ignoring"
             continue
         fname = obj_to_filename(obj)
-        f = open(fname, 'w')
+        f = open(os.path.join(outdir, fname), 'w')
         trustbits = []
         openssl_trustflags = []
         tobj = trustmap[obj['CKA_LABEL']]
diff --git a/configure b/configure
new file mode 100755
index 0000000..88752a9
--- /dev/null
+++ b/configure
@@ -0,0 +1,63 @@
+#!/bin/bash
+# -*- mode: sh -*-
+# Minimal configure script which writes out a Makefile.inc
+# Copyright 2010, 2011 Colin Walters <walters@verbum.org>
+# Licensed under the new-BSD license (http://www.opensource.org/licenses/bsd-license.php)
+
+prefix=/usr
+
+# Little helper function for reading args from the commandline.
+# it automatically handles -a b and -a=b variants, and returns 1 if
+# we need to shift $3.
+read_arg() {
+    # $1 = arg name
+    # $2 = arg value
+    # $3 = arg parameter
+    local rematch='^[^=]*=(.*)$'
+    if [[ $2 =~ $rematch ]]; then
+        read "$1" <<< "${BASH_REMATCH[1]}"
+    else
+        read "$1" <<< "$3"
+        # There is no way to shift our callers args, so
+        # return 1 to indicate they should do it instead.
+        return 1
+    fi
+}
+
+while (($# > 0)); do
+    case "${1%%=*}" in
+      	--prefix) read_arg prefix "$@" || shift;;
+      	--bindir) read_arg bindir "$@" || shift;;
+      	--sbindir) read_arg sbindir "$@" || shift;;
+      	--libexecdir) read_arg libexecdir "$@" || shift;;
+      	--datarootdir) read_arg datarootdir "$@" || shift;;
+      	--datadir) read_arg datadir "$@" || shift;;
+      	--sysconfdir) read_arg sysconfdir "$@" || shift;;
+      	--libdir) read_arg libdir "$@" || shift;;
+      	--mandir) read_arg mandir "$@" || shift;;
+	*) echo "Ignoring unknown option '$1'";;
+    esac
+    shift
+done
+
+# Handle srcdir != builddir
+srcdir=$(dirname $0)
+if ! test -f Makefile; then
+    ln -s ${srcdir}/Makefile Makefile
+fi
+
+cat > Makefile.inc.tmp <<EOF
+srcdir = ${srcdir}
+top_srcdir = ${srcdir}
+
+prefix ?= ${prefix}
+bindir ?= ${bindir:-${prefix}/bin}
+sbindir ?= ${sbindir:-${prefix}/sbin}
+libexecdir ?= ${libexecdir:-${prefix}/libexec}
+datarootdir ?= ${datarootdir:-${prefix}/share}
+datadir ?= ${datadir:-${prefix}/share}
+sysconfdir ?= ${sysconfdir:-${prefix}/etc}
+libdir ?= ${libdir:-${prefix}/lib}
+mandir ?= ${mandir:-${prefix}/share/man}
+EOF
+mv Makefile.inc.tmp Makefile.inc
diff --git a/make-ca-bundle.sh b/make-ca-bundle.sh
new file mode 100755
index 0000000..9c57bef
--- /dev/null
+++ b/make-ca-bundle.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+src=$1
+out=$2
+
+(cat <<EOF 
+# This is a bundle of X.509 certificates of public Certificate
+# Authorities.  It was generated from the Mozilla root CA list.
+#
+# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+#
+# Generated from:
+EOF
+   ident -q "$src" | sed '1d;s/^/#/';
+   echo '#';
+) > $out/ca-bundle.crt
+
+(
+   cat <<EOF
+# This is a bundle of X.509 certificates of public Certificate
+# Authorities.  It was generated from the Mozilla root CA list.
+# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
+# format and have trust bits set accordingly.
+#
+# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+#
+# Generated from:
+EOF
+   ident -q "$1" | sed '1d;s/^/#/';
+   echo '#';
+) > $out/ca-bundle.trust.crt
+for f in $out/certs/*.crt; do 
+    tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
+    case $tbits in
+	*serverAuth*) openssl x509 -text -in "$f" >> $out/ca-bundle.crt ;;
+    esac
+    if [ -n "$tbits" ]; then
+	targs=""
+	for t in $tbits; do
+            targs="${targs} -addtrust $t"
+	done
+	openssl x509 -text -in "$f" -trustout $targs >> $out/ca-bundle.trust.crt
+    fi
+done
+
-- 
1.7.6.5