
new package ca-certificates

"Oh boy, here it comes ..."
Phil Sutter 14 yıl önce
ebeveyn
işleme
ba0c06d2bb

+ 1 - 0
package/Config.in

@@ -316,6 +316,7 @@ menu "Security"
 source "package/arpwatch/Config.in"
 source "package/autossh/Config.in"
 source "package/axtls/Config.in"
+source "package/ca-certificates/Config.in"
 source "package/dropbear/Config.in"
 source "package/httptunnel/Config.in"
 source "package/ipsec-tools/Config.in"

+ 1 - 0
package/Makefile

@@ -32,6 +32,7 @@ package-$(ADK_COMPILE_AVAHI) += avahi
 package-$(ADK_COMPILE_AXTLS) += axtls
 package-$(ADK_PACKAGE_BASH) += bash
 package-$(ADK_COMPILE_BC) += bc
+package-$(ADK_PACKAGE_CA_CERTS) += ca-certificates
 package-$(ADK_PACKAGE_CFGFS) += cfgfs
 package-$(ADK_PACKAGE_BIGREQSPROTO) += bigreqsproto
 package-$(ADK_COMPILE_BIND) += bind

+ 17 - 0
package/ca-certificates/Config.in

@@ -0,0 +1,17 @@
+config ADK_PACKAGE_CA_CERTS
+	prompt "ca-certificates................... Collection of common CA certificates"
+	tristate
+	default n
+	select ADK_PACKAGE_LIBOPENSSL
+	select ADK_PACKAGE_LIBOPENSSL_UTIL
+	help
+	  Collection of CA certificates to validate internet certificates against.
+	  
+	  http://packages.debian.org/sid/ca-certificates
+
+config ADK_DO_MINIMAL_CA_CERTS
+	prompt "save space........................ Install only a very minimal version"
+	boolean
+	default n
+	depends on ADK_PACKAGE_CA_CERTS
+
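Review bot: `select ADK_PACKAGE_LIBOPENSSL_UTIL` in `ADK_PACKAGE_CA_CERTS` does not match the symbol shown in the `package/openssl/Config.in` section of this same commit, which is `ADK_PACKAGE_OPENSSL_UTIL`. Unless a `LIBOPENSSL_UTIL` symbol is defined elsewhere, the select would have no effect and the `openssl` binary that `update-ca-certificates` needs would not be pulled into the image. The likely fix is `select ADK_PACKAGE_OPENSSL_UTIL`. Both selects also apply when `ADK_DO_MINIMAL_CA_CERTS` is enabled, where only `cert.pem` is installed, and that option has no `help` text saying what the minimal set contains.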

+ 40 - 0
package/ca-certificates/Makefile

@@ -0,0 +1,40 @@
+# This file is part of the OpenADK project. OpenADK is copyrighted
+# material, please see the LICENCE file in the top-level directory.
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=		ca-certificates
+PKG_VERSION:=		20090814
+PKG_RELEASE:=		1
+PKG_MD5SUM:=		307052c985bec7f9a00eb84293eef779
+PKG_DESCR:=		Collection of common CA certificates
+PKG_SECTION:=		shells
+PKG_URL:=		http://packages.debian.org/sid/ca-certificates
+PKG_SITES:=		http://ftp.debian.org/debian/pool/main/c/ca-certificates/
+
+DISTFILES:=		${PKG_NAME}_${PKG_VERSION}.tar.gz
+
+include $(TOPDIR)/mk/package.mk
+
+$(eval $(call PKG_template,CA_CERTS,${PKG_NAME},${PKG_VERSION}-${PKG_RELEASE},${PKG_DEPENDS},${PKG_DESCR},${PKG_SECTION}))
+
+BUILD_STYLE=		auto
+INSTALL_STYLE=		auto
+
+
+post-install:
+ifeq (${ADK_DO_MINIMAL_CA_CERTS},n)
+	$(INSTALL_DIR) $(IDIR_CA_CERTS)/{etc/ssl/certs,usr/share,usr/sbin}
+	$(CP) $(WRKINST)/usr/share/ca-certificates $(IDIR_CA_CERTS)/usr/share/
+	( cd ${IDIR_CA_CERTS}/usr/share/ca-certificates && \
+		ls */*.crt >${IDIR_CA_CERTS}/etc/ca-certificates.conf \
+	)
+	${INSTALL_BIN} ./extra/update-ca-certificates ${IDIR_CA_CERTS}/usr/sbin/
+	-DESTDIR=${IDIR_CA_CERTS} sh ./extra/update-ca-certificates
+else
+	${INSTALL_DIR} ${IDIR_CA_CERTS}/etc/ssl
+	${INSTALL_DATA} ./cert.pem ${IDIR_CA_CERTS}/etc/ssl/
+endif
+
+
+include ${TOPDIR}/mk/pkg-bottom.mk
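Review bot: The `ifeq (${ADK_DO_MINIMAL_CA_CERTS},n)` test in `post-install` probably never matches, because a Kconfig boolean left at `n` is normally exported as an unset symbol rather than the value `n`. In that case the variable expands empty and the `else` branch installs only `cert.pem` even when the full set was requested; this is worth confirming against how the OpenADK config is exported. Testing the positive value is safer: `ifneq (${ADK_DO_MINIMAL_CA_CERTS},y)`. Separately, the `-` prefix on `-DESTDIR=${IDIR_CA_CERTS} sh ./extra/update-ca-certificates` discards a failure of the step that creates the hashed links in `etc/ssl/certs`, so a build host without `openssl` would yield a package with an empty trust directory and no build error; dropping the `-` makes that visible. The tarball carrying the trust anchors is fetched over plain `http://` and pinned only by `PKG_MD5SUM`, so a stronger digest belongs here if the package framework offers one.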

+ 0 - 0
package/openssl/cert.pem → package/ca-certificates/cert.pem


+ 80 - 0
package/ca-certificates/extra/update-ca-certificates

@@ -0,0 +1,80 @@
+#!/bin/sh
+#
+# update-ca-certificates script for embedded systems.
+#
+# Copyright (C) 2009  Phil Sutter <phil@nwl.cc>
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or
+#  (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+
+CRTCONF=/etc/ca-certificates.conf
+CRTDIR=/usr/share/ca-certificates
+LNKDIR=/etc/ssl/certs
+OPENSSL="openssl"
+
+cert_type() { # (certfile)
+	grep -qE '^-----BEGIN (X509 |TRUSTED |)CERTIFICATE-----' $1 && {
+		echo "cert"
+		return 0
+	}
+	grep -qE '^-----BEGIN X509 CRL-----' $1 && {
+		echo "crl"
+		return 0
+	}
+	echo "unknown"
+	return 1
+}
+
+${OPENSSL} version >/dev/null 2>&1 || {
+	echo "Fatal: no openssl executable found, bailing out"
+	exit 1
+}
+
+for l in $(ls ${DESTDIR}${LNKDIR}/* 2>/dev/null); do
+	[ -L "$l" ] && rm -f "$l"
+done
+
+cat ${DESTDIR}$CRTCONF | while read crt; do
+	[ -n "$crt" ] || continue
+	[[ "$crt" = -* ]] && continue
+
+	cname="$(basename $crt)"
+
+	ln -s ${CRTDIR}/$crt ${DESTDIR}${LNKDIR}/$cname
+
+	ctype="$(cert_type ${DESTDIR}${CRTDIR}/$crt)"
+	case $ctype in
+		cert)
+			sslcmd="x509"
+			pfx=""
+		;;
+		crl)
+			sslcmd="crl"
+			pfx="r"
+		;;
+		*)
+			echo "Warning: ignoring unknown filetype ${DESTDIR}${CRTDIR}/$crt"
+			continue
+		;;
+	esac
+
+	hsh="$(${OPENSSL} $sslcmd -hash -noout -in ${DESTDIR}${CRTDIR}/$crt)"
+	idx=0
+	while [ -e ${DESTDIR}${LNKDIR}/${hsh}.${pfx}${idx} ]; do
+		let "idx++"
+	done
+	ln -s ${CRTDIR}/$crt ${DESTDIR}${LNKDIR}/${hsh}.${pfx}${idx}
+done
+
+exit 0
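Review bot: The script declares `#!/bin/sh`, and the package Makefile runs it with `sh`, but it uses `[[ "$crt" = -* ]]` and `let "idx++"`, neither of which is POSIX. Under a shell without `let`, `idx` never advances and the `while [ -e ... ]` loop would not terminate on the first hash collision. Portable forms are `case "$crt" in -*) continue ;; esac` and `idx=$((idx + 1))`. The output of `${OPENSSL} $sslcmd -hash` is also used unchecked, so a file that passes the `grep` in `cert_type` but fails to parse would get a link named `.0` or `.r0` in the trust directory; a `[ -n "$hsh" ] || continue` after the assignment avoids that. Quoting `$crt` and the `${DESTDIR}...` paths would keep configuration entries containing spaces from being split.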

+ 12 - 0
package/ca-certificates/patches/patch-Makefile

@@ -0,0 +1,12 @@
+	fix for the completely empty DESTDIR
+--- ca-certificates-20090814.orig/Makefile	2009-07-08 23:18:57.000000000 +0200
++++ ca-certificates-20090814/Makefile	2009-08-22 20:36:42.614405912 +0200
+@@ -17,7 +17,7 @@ clean:
+ 
+ install:
+ 	for dir in $(SUBDIRS); do \
+-	  mkdir $(DESTDIR)/$(CERTSDIR)/$$dir; \
++	  mkdir -p $(DESTDIR)/$(CERTSDIR)/$$dir; \
+ 	  $(MAKE) -C $$dir install CERTSDIR=$(DESTDIR)/$(CERTSDIR)/$$dir; \
+ 	done
+ 	for dir in sbin; do \

+ 9 - 0
package/ca-certificates/patches/patch-sbin_Makefile

@@ -0,0 +1,9 @@
+	fix for the completely empty DESTDIR
+--- ca-certificates-20090814.orig/sbin/Makefile	2007-02-02 07:23:19.000000000 +0100
++++ ca-certificates-20090814/sbin/Makefile	2009-08-22 20:37:17.581921717 +0200
+@@ -8,4 +8,5 @@ all:
+ clean:
+ 
+ install:
++	mkdir -p $(DESTDIR)/usr/sbin
+ 	install -m755 update-ca-certificates $(DESTDIR)/usr/sbin/

+ 48 - 0
package/ca-certificates/patches/patch-sbin_update-ca-certificates

@@ -0,0 +1,48 @@
+	- prefix absolute paths with $DESTDIR
+	- subtract DESTDIR from the link name when linking
+	- add DESTDIR again when catting certs together (Yay.)
+--- ca-certificates-20090814.orig/sbin/update-ca-certificates	2009-07-08 23:23:12.000000000 +0200
++++ ca-certificates-20090814/sbin/update-ca-certificates	2009-08-22 21:10:24.210186675 +0200
+@@ -37,11 +37,11 @@ do
+   shift
+ done
+ 
+-CERTSCONF=/etc/ca-certificates.conf
+-CERTSDIR=/usr/share/ca-certificates
+-LOCALCERTSDIR=/usr/local/share/ca-certificates
++CERTSCONF=${DESTDIR}/etc/ca-certificates.conf
++CERTSDIR=${DESTDIR}/usr/share/ca-certificates
++LOCALCERTSDIR=${DESTDIR}/usr/local/share/ca-certificates
+ CERTBUNDLE=ca-certificates.crt
+-ETCCERTSDIR=/etc/ssl/certs
++ETCCERTSDIR=${DESTDIR}/etc/ssl/certs
+ 
+ cleanup() {
+   rm -f "$TEMPBUNDLE"
+@@ -60,7 +60,7 @@ REMOVED="$(mktemp -t "ca-certificates.tm
+ # in /etc/ssl/certs to the certificate file and its inclusion into the
+ # bundle.
+ add() {
+-  CERT="$1"
++  CERT="${1##${DESTDIR}}"
+   PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
+                                                   -e 's/[()]/=/g' \
+                                                   -e 's/,/_/g').pem"
+@@ -69,7 +69,7 @@ add() {
+     ln -sf "$CERT" "$PEM"
+     echo +$PEM >> "$ADDED"
+   fi
+-  cat "$CERT" >> "$TEMPBUNDLE"
++  cat "${DESTDIR}/$CERT" >> "$TEMPBUNDLE"
+ }
+ 
+ remove() {
+@@ -146,7 +146,7 @@ fi
+ 
+ echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
+ 
+-HOOKSDIR=/etc/ca-certificates/update.d
++HOOKSDIR=${DESTDIR}/etc/ca-certificates/update.d
+ echo -n "Running hooks in $HOOKSDIR...."
+ VERBOSE_ARG=
+ [ "$verbose" = 0 ] || VERBOSE_ARG=--verbose
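Review bot: In `add()`, `CERT="${1##${DESTDIR}}"` leaves the pattern unquoted, so any glob character in `DESTDIR` is treated as a pattern and the prefix may not be stripped as intended; `CERT="${1#"${DESTDIR}"}"` matches it literally. The later `cat "${DESTDIR}/$CERT"` relies on that strip having worked, since otherwise `DESTDIR` is prepended twice. `add()` is only partly visible across the two inner hunks, so the lines between them could not be checked. From the package Makefile on this page it looks as if `extra/update-ca-certificates`, not this patched upstream script, is what ends up in the package, so the patch header should say where the patched script is actually run.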

+ 0 - 6
package/openssl/Config.in

@@ -33,9 +33,3 @@ config ADK_PACKAGE_OPENSSL_UTIL
 	  http://www.openssl.org/
 	  
 	  This package contains the multi-purpose OpenSSL binary tool.
-
-config ADK_PACKAGE_CA_CERTS
-	prompt "ca-certificates................... X.509 Root CA Certs of common CAs"
-	tristate
-	default n
-	depends on ADK_COMPILE_OPENSSL

+ 0 - 2
package/openssl/Makefile

@@ -72,7 +72,5 @@ post-install:
 	${INSTALL_DIR} ${IDIR_OPENSSL_UTIL}/etc/ssl/{,certs,private}
 	${CP} ${WRKSRC}/apps/openssl.cnf ${IDIR_OPENSSL_UTIL}/etc/ssl/
 	chmod 0700 ${IDIR_OPENSSL_UTIL}/etc/ssl/private
-	${INSTALL_DIR} ${IDIR_CA_CERTS}/etc/ssl
-	${INSTALL_DATA} cert.pem ${IDIR_CA_CERTS}/etc/ssl/
 
 include ${TOPDIR}/mk/pkg-bottom.mk