From e1588526845b4005bceaf72b57333183e2e03793 Mon Sep 17 00:00:00 2001
From: Juan RP
Date: Sat, 24 Oct 2015 08:42:36 +0200
Subject: [PATCH] ca-certificates: use C certdata2pem impl from sabotage.
Get rid of python to generate the certificates. xbps-0.48 will depend on ca-certificates because has gained support to verify the https certs.
---
srcpkgs/ca-certificates/files/certdata2pem.c | 142 +++++++++++++++++++
srcpkgs/ca-certificates/template | 7 +-
2 files changed, 147 insertions(+), 2 deletions(-)
create mode 100644 srcpkgs/ca-certificates/files/certdata2pem.c
diff --git a/srcpkgs/ca-certificates/files/certdata2pem.c b/srcpkgs/ca-certificates/files/certdata2pem.c
new file mode 100644
index 00000000000..9eae70526e5
--- /dev/null
+++ b/srcpkgs/ca-certificates/files/certdata2pem.c
@@ -0,0 +1,142 @@
+/* Copyright (C) 2013, Felix Janda
+
+Permission to use, copy, modify, and/or distribute this software for
+any purpose with or without fee is hereby granted, provided that the
+above copyright notice and this permission notice appear in all copies.
+
+SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+
+#include
+#include
+#include
+#include
+
+void xwrite(FILE *f, void *p, size_t size)
+{
+ if (fwrite(p, 1, size, f) != size) err(1, 0);
+}
+
+int main(void)
+{
+ FILE *f;
+ char cert[4096], ecert[4096*4/3 + 100];
+ char *line = 0, *tmp, *filename, *label, *pcert = 0;
+ ssize_t len;
+ size_t size, certsize;
+ int trust;
+ char **blacklist = 0, **node;
+
+ filename = "./blacklist.txt";
+ if (!(f = fopen(filename, "r"))) err(1, "%s", filename);
+ while ((len = getline(&line, &size, f)) != -1) {
+ if ((line[0] != '#') && (len > 1)) {
+ if (!(node = malloc(sizeof(void*) + len))) err(1, 0);
+ *node = (char*)blacklist;
+ memcpy(node + 1, line, len);
+ blacklist = node;
+ }
+ }
+ fclose(f);
+
+ filename = "./certdata.txt";
+ if (!(f = fopen(filename, "r"))) err(1, "%s", filename);
+ while ((len = getline(&line, &size, f)) != -1) {
+ tmp = line;
+ if (line[0] == '#') continue;
+ if (pcert) {
+ if (!strcmp(line, "END\n")) {
+ char *base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ "abcdefghijklmnopqrstuvwxyz0123456789+/";
+ size_t i, j, k, val;
+
+ for (i = 0, val = 0, tmp = ecert; i < (size_t)(pcert - cert); i++) {
+ val = (val << 8) + (unsigned char)cert[i];
+ if (i % 3 == 2) {
+ for (j = 0; j < 4; j++, val >>= 6) tmp[3 - j] =
base64[val & 0x3f];
+ tmp += 4;
+ }
+ if (i && !(i % 48)) {
+ *tmp = '\n';
+ tmp++;
+ }
+ }
+ if (k = i % 3) {
+ tmp[2] = '=';
+ tmp[3] = '=';
+ val <<= 6 - 2*k;
+ for (j = 0; j < k + 1; j++, val >>= 6) tmp[k - j] = base64[val & 0x3f];
+ tmp += 4;
+ }
+ certsize = tmp - ecert;
+ pcert = 0;
+ } else while (sscanf(tmp, "\\%hho", pcert) == 1) pcert++, tmp += 4;
+ } else if (!memcmp(line, "CKA_LABEL UTF8 ", 15)) {
+
+ char *p2, *tmp2;
+ len -= 15;
+ if (!(label = malloc(len))) err(1, 0);
+ memcpy(label, line + 15, len);
+ trust = 0;
+ for (node = blacklist; node; node = (char**)*node)
+ if (!strcmp(label, (char*)(node + 1))) trust = 4;
+ if (!(p2 = malloc(len + 2))) err(1, 0);
+ for (tmp = label + 1, tmp2 = p2; *tmp != '"'; tmp++, tmp2++) {
+ switch (*tmp) {
+ case '\\':
+ if (sscanf(tmp, "\\x%hhx", tmp2)!=1) errx(1, "Bad triple: %s\n", tmp);
+ tmp += 3;
+ break;
+ case '/':
+ case ' ':
+ *tmp2 = '_';
+ break;
+ case '(':
+ case ')':
+ *tmp2 = '=';
+ break;
+ default:
+ *tmp2 = *tmp;
+ }
+ }
+ strcpy(tmp2, ".crt");
+ free(label);
+ label = p2;
+ } else if (!strcmp(line, "CKA_VALUE MULTILINE_OCTAL\n")) pcert = cert;
+ else if (!memcmp(line, "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_", 39)) {
+ tmp += 39;
+ if (!strcmp(tmp, "TRUSTED_DELEGATOR\n")) trust |= 1;
+ else if (!strcmp(tmp, "NOT_TRUSTED\n")) trust |= 2;
+ } else if (!memcmp(line,
+ "CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_", 44)) {
+ tmp += 44;
+ if (!strcmp(tmp, "TRUSTED_DELEGATOR\n")) trust |= 1;
+ else if (!strcmp(tmp, "NOT_TRUSTED\n")) trust |= 2;
+ if (!trust) printf("Ignoring %s\n", label);
+ if (trust == 1) {
+ FILE *out;
+ if (!(out = fopen(label, "w"))) err(1, "%s", label);
+ xwrite(out, "-----BEGIN CERTIFICATE-----\n", 28);
+ xwrite(out, ecert, certsize);
+ xwrite(out, "\n-----END CERTIFICATE-----\n", 27);
+ fclose(out);
+ }
+ }
+ }
+ fclose(f);
+
+ while (blacklist) {
+ node = (char**)*blacklist;
+ free(blacklist);
+ blacklist = node;
+ }
+ free(line);
+ free(label);
+ return 0;
+}
\ No newline at
end of file
diff --git a/srcpkgs/ca-certificates/template b/srcpkgs/ca-certificates/template
index 6f1a16dfe3a..52dea6e0d8a 100644
--- a/srcpkgs/ca-certificates/template
+++ b/srcpkgs/ca-certificates/template
@@ -1,9 +1,9 @@
 # Template file for 'ca-certificates'
 pkgname=ca-certificates
 version=20150426
-revision=3
+revision=4
 noarch="yes"
-hostmakedepends="libressl-openssl python"
+hostmakedepends="libressl-openssl"
 depends="virtual?openssl run-parts"
 conf_files="/etc/ca-certificates.conf"
 short_desc="Common CA certificates for SSL/TLS"
@@ -14,7 +14,10 @@ distfiles="${DEBIAN_SITE}/main/c/${pkgname}/${pkgname}_${version}.tar.xz"
 checksum=37dbaa93ed64cc4ae93ac295f9248fbc741bd51376438cfb1257f17efab5494f
 post_extract() {
+ $BUILD_CC $BUILD_CFLAGS ${FILESDIR}/certdata2pem.c -o ${wrksrc}/mozilla/certdata2pem
 cp ${FILESDIR}/remove-expired-certs.sh ${wrksrc}/mozilla
+ sed -i ${wrksrc}/mozilla/Makefile \
+ -e 's,python certdata2pem.py,./certdata2pem,g'
 sed -i ${wrksrc}/mozilla/Makefile \
 -e "s;\(.*\)\(python .*\);\1\2\n\1./remove-expired-certs.sh;"
 }
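Review bot: The octal parser in main(), `} else while (sscanf(tmp, "\\%hho", pcert) == 1) pcert++, tmp += 4;`, stores into the fixed stack buffer `char cert[4096]` with no bound on `pcert`, so a CKA_VALUE block longer than 4096 bytes in certdata.txt overflows the stack, and `ecert` is sized on the same 4096-byte assumption. I would bound the loop and fail rather than truncate: `} else { while (pcert < cert + sizeof cert && sscanf(tmp, "\\%hho", pcert) == 1) pcert++, tmp += 4;` followed by `if (*tmp == '\\') errx(1, "certificate exceeds %zu bytes", sizeof cert); }`. The input is the checksum-pinned Debian tarball, so this is hardening rather than an exposed attack surface, but the tool is re-run on whatever certdata.txt ships with each update. `fclose(out)` is also unchecked while xwrite checks every fwrite, so a failed final flush can leave a truncated .crt behind with exit status 0; `if (fclose(out)) err(1, "%s", label);` closes that gap. The label escape path `sscanf(tmp, "\\x%hhx", tmp2)` with `tmp += 3` accepts only `\xHH`; if the shipped certdata.txt encodes non-ASCII labels as three-digit octal, as the CKA_VALUE lines are parsed here, that path would abort with "Bad triple", which is worth checking against the actual input.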
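Review bot: The new `sed -i ${wrksrc}/mozilla/Makefile -e 's,python certdata2pem.py,./certdata2pem,g'` runs before the pre-existing `-e "s;\(.*\)\(python .*\);\1\2\n\1./remove-expired-certs.sh;"`, and that second expression relies on the word `python` to find the line after which `./remove-expired-certs.sh` is appended. Once the first sed has rewritten the invocation there is no `python ` left to match, so if `python certdata2pem.py` is the Makefile's only python line (not visible here) the expired-certificate pruning silently stops being applied to the generated bundle. Swapping the two sed invocations so the remove-expired-certs insertion runs first and the rename second keeps both edits effective; alternatively key the insertion on `certdata2pem` instead of `python`. It is also worth confirming that a non-zero exit from the `$BUILD_CC` line aborts post_extract rather than leaving the Makefile pointing at a missing ./certdata2pem.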