208 lines
6.3 KiB
Diff
208 lines
6.3 KiB
Diff
From 5171353bc89bab1f4717c11cacd1ab2463b58a99 Mon Sep 17 00:00:00 2001
|
|
From: Colin Walters <walters@verbum.org>
|
|
Date: Tue, 17 Jan 2012 14:56:56 -0500
|
|
Subject: [PATCH] Implement GNOME build API
|
|
|
|
See http://people.gnome.org/~walters/docs/build-api.txt
|
|
---
|
|
Makefile | 22 ++++++++++++++++++
|
|
certdata2pem.py | 12 ++++++---
|
|
configure | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
make-ca-bundle.sh | 45 +++++++++++++++++++++++++++++++++++++
|
|
4 files changed, 138 insertions(+), 4 deletions(-)
|
|
create mode 100644 Makefile
|
|
create mode 100755 configure
|
|
create mode 100755 make-ca-bundle.sh
|
|
|
|
diff --git a/Makefile b/Makefile
|
|
new file mode 100644
|
|
index 0000000..422c8c2
|
|
--- /dev/null
|
|
+++ b/Makefile
|
|
@@ -0,0 +1,22 @@
|
|
+include Makefile.inc
|
|
+
|
|
+pkidir=$(sysconfdir)/pki
|
|
+
|
|
+stamp-certs-created:
|
|
+ mkdir -p ca-certificates/certs
|
|
+ python $(srcdir)/certdata2pem.py $(srcdir)/certdata.txt $(srcdir)/blacklist.txt ca-certificates/certs
|
|
+ $(srcdir)/make-ca-bundle.sh $(srcdir)/certdata.txt ca-certificates
|
|
+ touch stamp-certs-created
|
|
+
|
|
+install: stamp-certs-created
|
|
+ mkdir -p $(DESTDIR)$(sysconfdir)/pki/tls/certs
|
|
+ install -p -m 644 ca-certificates/ca-bundle.crt $(DESTDIR)$(pkidir)/tls/certs/ca-bundle.crt
|
|
+ install -p -m 644 ca-certificates/ca-bundle.trust.crt $(DESTDIR)$(pkidir)/tls/certs/ca-bundle.trust.crt
|
|
+ rm -f $(DESTDIR)$(pkidir)/tls/cert.pem
|
|
+ ln -s certs/ca-bundle.crt $(DESTDIR)$(pkidir)/tls/cert.pem
|
|
+ touch -r $(srcdir)/certdata.txt $(DESTDIR)$(pkidir)/tls/certs/ca-bundle.crt
|
|
+ touch -r $(srcdir)/certdata.txt $(DESTDIR)$(pkidir)/tls/certs/ca-bundle.trust.crt
|
|
+
|
|
+ mkdir -p -m 755 $(DESTDIR)$(sysconfdir)/ssl
|
|
+ rm -f $(DESTDIR)$(sysconfdir)/ssl/certs
|
|
+ ln -s ../pki/tls/certs $(DESTDIR)$(sysconfdir)/ssl/certs
|
|
diff --git a/certdata2pem.py b/certdata2pem.py
|
|
index c22946d..b0d6259 100644
|
|
--- a/certdata2pem.py
|
|
+++ b/certdata2pem.py
|
|
@@ -28,10 +28,14 @@ import textwrap
|
|
|
|
objects = []
|
|
|
|
+certdata_path = sys.argv[1]
|
|
+blacklist_path = sys.argv[2]
|
|
+outdir=sys.argv[3]
|
|
+
|
|
# Dirty file parser.
|
|
in_data, in_multiline, in_obj = False, False, False
|
|
field, type, value, obj = None, None, None, dict()
|
|
-for line in open('certdata.txt', 'r'):
|
|
+for line in open(certdata_path, 'r'):
|
|
# Ignore the file header.
|
|
if not in_data:
|
|
if line.startswith('BEGINDATA'):
|
|
@@ -81,8 +85,8 @@ if len(obj.items()) > 0:
|
|
|
|
# Read blacklist.
|
|
blacklist = []
|
|
-if os.path.exists('blacklist.txt'):
|
|
- for line in open('blacklist.txt', 'r'):
|
|
+if os.path.exists(blacklist_path):
|
|
+ for line in open(blacklist_path, 'r'):
|
|
line = line.strip()
|
|
if line.startswith('#') or len(line) == 0:
|
|
continue
|
|
@@ -161,7 +165,7 @@ for obj in objects:
|
|
print " -> untrusted, ignoring"
|
|
continue
|
|
fname = obj_to_filename(obj)
|
|
- f = open(fname, 'w')
|
|
+ f = open(os.path.join(outdir, fname), 'w')
|
|
trustbits = []
|
|
openssl_trustflags = []
|
|
tobj = trustmap[obj['CKA_LABEL']]
|
|
diff --git a/configure b/configure
|
|
new file mode 100755
|
|
index 0000000..88752a9
|
|
--- /dev/null
|
|
+++ b/configure
|
|
@@ -0,0 +1,63 @@
|
|
+#!/bin/bash
|
|
+# -*- mode: sh -*-
|
|
+# Minimal configure script which writes out a Makefile.inc
|
|
+# Copyright 2010, 2011 Colin Walters <walters@verbum.org>
|
|
+# Licensed under the new-BSD license (http://www.opensource.org/licenses/bsd-license.php)
|
|
+
|
|
+prefix=/usr
|
|
+
|
|
+# Little helper function for reading args from the commandline.
|
|
+# it automatically handles -a b and -a=b variants, and returns 1 if
|
|
+# we need to shift $3.
|
|
+read_arg() {
|
|
+ # $1 = arg name
|
|
+ # $2 = arg value
|
|
+ # $3 = arg parameter
|
|
+ local rematch='^[^=]*=(.*)$'
|
|
+ if [[ $2 =~ $rematch ]]; then
|
|
+ read "$1" <<< "${BASH_REMATCH[1]}"
|
|
+ else
|
|
+ read "$1" <<< "$3"
|
|
+ # There is no way to shift our callers args, so
|
|
+ # return 1 to indicate they should do it instead.
|
|
+ return 1
|
|
+ fi
|
|
+}
|
|
+
|
|
+while (($# > 0)); do
|
|
+ case "${1%%=*}" in
|
|
+ --prefix) read_arg prefix "$@" || shift;;
|
|
+ --bindir) read_arg bindir "$@" || shift;;
|
|
+ --sbindir) read_arg sbindir "$@" || shift;;
|
|
+ --libexecdir) read_arg libexecdir "$@" || shift;;
|
|
+ --datarootdir) read_arg datarootdir "$@" || shift;;
|
|
+ --datadir) read_arg datadir "$@" || shift;;
|
|
+ --sysconfdir) read_arg sysconfdir "$@" || shift;;
|
|
+ --libdir) read_arg libdir "$@" || shift;;
|
|
+ --mandir) read_arg mandir "$@" || shift;;
|
|
+ *) echo "Ignoring unknown option '$1'";;
|
|
+ esac
|
|
+ shift
|
|
+done
|
|
+
|
|
+# Handle srcdir != builddir
|
|
+srcdir=$(dirname $0)
|
|
+if ! test -f Makefile; then
|
|
+ ln -s ${srcdir}/Makefile Makefile
|
|
+fi
|
|
+
|
|
+cat > Makefile.inc.tmp <<EOF
|
|
+srcdir = ${srcdir}
|
|
+top_srcdir = ${srcdir}
|
|
+
|
|
+prefix ?= ${prefix}
|
|
+bindir ?= ${bindir:-${prefix}/bin}
|
|
+sbindir ?= ${sbindir:-${prefix}/sbin}
|
|
+libexecdir ?= ${libexecdir:-${prefix}/libexec}
|
|
+datarootdir ?= ${datarootdir:-${prefix}/share}
|
|
+datadir ?= ${datadir:-${prefix}/share}
|
|
+sysconfdir ?= ${sysconfdir:-${prefix}/etc}
|
|
+libdir ?= ${libdir:-${prefix}/lib}
|
|
+mandir ?= ${mandir:-${prefix}/share/man}
|
|
+EOF
|
|
+mv Makefile.inc.tmp Makefile.inc
|
|
diff --git a/make-ca-bundle.sh b/make-ca-bundle.sh
|
|
new file mode 100755
|
|
index 0000000..9c57bef
|
|
--- /dev/null
|
|
+++ b/make-ca-bundle.sh
|
|
@@ -0,0 +1,45 @@
|
|
+#!/bin/sh
|
|
+
|
|
+src=$1
|
|
+out=$2
|
|
+
|
|
+(cat <<EOF
|
|
+# This is a bundle of X.509 certificates of public Certificate
|
|
+# Authorities. It was generated from the Mozilla root CA list.
|
|
+#
|
|
+# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
|
|
+#
|
|
+# Generated from:
|
|
+EOF
|
|
+ ident -q "$src" | sed '1d;s/^/#/';
|
|
+ echo '#';
|
|
+) > $out/ca-bundle.crt
|
|
+
|
|
+(
|
|
+ cat <<EOF
|
|
+# This is a bundle of X.509 certificates of public Certificate
|
|
+# Authorities. It was generated from the Mozilla root CA list.
|
|
+# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
|
|
+# format and have trust bits set accordingly.
|
|
+#
|
|
+# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
|
|
+#
|
|
+# Generated from:
|
|
+EOF
|
|
+ ident -q "$1" | sed '1d;s/^/#/';
|
|
+ echo '#';
|
|
+) > $out/ca-bundle.trust.crt
|
|
+for f in $out/certs/*.crt; do
|
|
+ tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
|
|
+ case $tbits in
|
|
+ *serverAuth*) openssl x509 -text -in "$f" >> $out/ca-bundle.crt ;;
|
|
+ esac
|
|
+ if [ -n "$tbits" ]; then
|
|
+ targs=""
|
|
+ for t in $tbits; do
|
|
+ targs="${targs} -addtrust $t"
|
|
+ done
|
|
+ openssl x509 -text -in "$f" -trustout $targs >> $out/ca-bundle.trust.crt
|
|
+ fi
|
|
+done
|
|
+
|
|
--
|
|
1.7.6.5
|
|
|