ca-certificates: use C certdata2pem impl from sabotage.

Get rid of python to generate the certificates. xbps-0.48 will depend
on ca-certificates because has gained support to verify the https certs.
This commit is contained in:
Juan RP 2015-10-24 08:42:36 +02:00
parent df1bf72f9c
commit e158852684
2 changed files with 147 additions and 2 deletions

View file

@ -0,0 +1,142 @@
/* Copyright (C) 2013, Felix Janda <felix.janda@posteo.de>
Permission to use, copy, modify, and/or distribute this software for
any purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all copies.
SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <err.h>
void xwrite(FILE *f, void *p, size_t size)
{
if (fwrite(p, 1, size, f) != size) err(1, 0);
}
int main(void)
{
FILE *f;
char cert[4096], ecert[4096*4/3 + 100];
char *line = 0, *tmp, *filename, *label, *pcert = 0;
ssize_t len;
size_t size, certsize;
int trust;
char **blacklist = 0, **node;
filename = "./blacklist.txt";
if (!(f = fopen(filename, "r"))) err(1, "%s", filename);
while ((len = getline(&line, &size, f)) != -1) {
if ((line[0] != '#') && (len > 1)) {
if (!(node = malloc(sizeof(void*) + len))) err(1, 0);
*node = (char*)blacklist;
memcpy(node + 1, line, len);
blacklist = node;
}
}
fclose(f);
filename = "./certdata.txt";
if (!(f = fopen(filename, "r"))) err(1, "%s", filename);
while ((len = getline(&line, &size, f)) != -1) {
tmp = line;
if (line[0] == '#') continue;
if (pcert) {
if (!strcmp(line, "END\n")) {
char *base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz0123456789+/";
size_t i, j, k, val;
for (i = 0, val = 0, tmp = ecert; i < (size_t)(pcert - cert); i++) {
val = (val << 8) + (unsigned char)cert[i];
if (i % 3 == 2) {
for (j = 0; j < 4; j++, val >>= 6) tmp[3 - j] = base64[val & 0x3f];
tmp += 4;
}
if (i && !(i % 48)) {
*tmp = '\n';
tmp++;
}
}
if (k = i % 3) {
tmp[2] = '=';
tmp[3] = '=';
val <<= 6 - 2*k;
for (j = 0; j < k + 1; j++, val >>= 6) tmp[k - j] = base64[val & 0x3f];
tmp += 4;
}
certsize = tmp - ecert;
pcert = 0;
} else while (sscanf(tmp, "\\%hho", pcert) == 1) pcert++, tmp += 4;
} else if (!memcmp(line, "CKA_LABEL UTF8 ", 15)) {
char *p2, *tmp2;
len -= 15;
if (!(label = malloc(len))) err(1, 0);
memcpy(label, line + 15, len);
trust = 0;
for (node = blacklist; node; node = (char**)*node)
if (!strcmp(label, (char*)(node + 1))) trust = 4;
if (!(p2 = malloc(len + 2))) err(1, 0);
for (tmp = label + 1, tmp2 = p2; *tmp != '"'; tmp++, tmp2++) {
switch (*tmp) {
case '\\':
if (sscanf(tmp, "\\x%hhx", tmp2)!=1) errx(1, "Bad triple: %s\n", tmp);
tmp += 3;
break;
case '/':
case ' ':
*tmp2 = '_';
break;
case '(':
case ')':
*tmp2 = '=';
break;
default:
*tmp2 = *tmp;
}
}
strcpy(tmp2, ".crt");
free(label);
label = p2;
} else if (!strcmp(line, "CKA_VALUE MULTILINE_OCTAL\n")) pcert = cert;
else if (!memcmp(line, "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_", 39)) {
tmp += 39;
if (!strcmp(tmp, "TRUSTED_DELEGATOR\n")) trust |= 1;
else if (!strcmp(tmp, "NOT_TRUSTED\n")) trust |= 2;
} else if (!memcmp(line,
"CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_", 44)) {
tmp += 44;
if (!strcmp(tmp, "TRUSTED_DELEGATOR\n")) trust |= 1;
else if (!strcmp(tmp, "NOT_TRUSTED\n")) trust |= 2;
if (!trust) printf("Ignoring %s\n", label);
if (trust == 1) {
FILE *out;
if (!(out = fopen(label, "w"))) err(1, "%s", label);
xwrite(out, "-----BEGIN CERTIFICATE-----\n", 28);
xwrite(out, ecert, certsize);
xwrite(out, "\n-----END CERTIFICATE-----\n", 27);
fclose(out);
}
}
}
fclose(f);
while (blacklist) {
node = (char**)*blacklist;
free(blacklist);
blacklist = node;
}
free(line);
free(label);
return 0;
}

View file

@ -1,9 +1,9 @@
# Template file for 'ca-certificates'
pkgname=ca-certificates
version=20150426
revision=3
revision=4
noarch="yes"
hostmakedepends="libressl-openssl python"
hostmakedepends="libressl-openssl"
depends="virtual?openssl run-parts"
conf_files="/etc/ca-certificates.conf"
short_desc="Common CA certificates for SSL/TLS"
@ -14,7 +14,10 @@ distfiles="${DEBIAN_SITE}/main/c/${pkgname}/${pkgname}_${version}.tar.xz"
checksum=37dbaa93ed64cc4ae93ac295f9248fbc741bd51376438cfb1257f17efab5494f
post_extract() {
$BUILD_CC $BUILD_CFLAGS ${FILESDIR}/certdata2pem.c -o ${wrksrc}/mozilla/certdata2pem
cp ${FILESDIR}/remove-expired-certs.sh ${wrksrc}/mozilla
sed -i ${wrksrc}/mozilla/Makefile \
-e 's,python certdata2pem.py,./certdata2pem,g'
sed -i ${wrksrc}/mozilla/Makefile \
-e "s;\(.*\)\(python .*\);\1\2\n\1./remove-expired-certs.sh;"
}