# HG changeset patch
# User Stanislas Leduc
# Date 1677917716 0
# Node ID c9eb1de0c7dfd4cd95475428bd9a8f319b1c3691
# Parent bb72317ca4646c03ecf00133d23f9d0970a0fe31
Up openssl 1.0.2u, zlib 1.2.13, tar 1.34, add cacerts, fix git receipt
diff -r bb72317ca464 -r c9eb1de0c7df .hgignore
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/.hgignore Sat Mar 04 08:15:16 2023 +0000
@@ -0,0 +1,4 @@
+syntax: glob
+./*/taz/*
+./*/source/*
+./*/install/*
diff -r bb72317ca464 -r c9eb1de0c7df cacerts/receipt
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/cacerts/receipt Sat Mar 04 08:15:16 2023 +0000
@@ -0,0 +1,57 @@
+# SliTaz package receipt.
+
+PACKAGE="cacerts"
+VERSION="20230303"
+CATEGORY="security"
+SHORT_DESC="Certificate Authority Certificates"
+MAINTAINER="al.bobylev@gmail.com"
+LICENSE="MPL2"
+WEB_SITE="http://www.linuxfromscratch.org/blfs/view/svn/postlfs/cacerts.html"
+TARBALL="$PACKAGE-$VERSION.txt"
+WGET_URL="https://hg.mozilla.org/releases/mozilla-release/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt"
+
+DEPENDS="openssl"
+BUILD_DEPENDS="openssl"
+
+# Rules to configure and make the package.
+compile_rules()
+{
+ mv -f *.txt certdata.txt
+ # Insert header
+ sed -i "1i\#CVS_ID @# \$ RCSfile: certdata.txt \$ \$Revision: $data_Ymd \$ \$Date: \$" certdata.txt
+
+ cp -a $stuff/* $src
+ ./make-ca.sh &&
+ ./remove-expired-certs.sh $src/certs
+}
+
+# Rules to gen a SliTaz package suitable for Tazpkg.
+genpkg_rules()
+{
+ mkdir -p $fs/etc/ssl/certs
+ cp -a $src/certs/*.pem $fs/etc/ssl/certs
+ cp -a $src/ca-bundle.crt $fs/etc/ssl
+ ln -s ../ca-bundle.crt $fs/etc/ssl/certs/ca-certificates.crt
+}
+
+post_install()
+{
+ case "$1" in
+ /cross*) return
+ esac
+
+ # Keep silence, for example, when installed on cook as build dependency
+ if [ -z "$quiet" ]; then
+ echo "Rehash certificates:"
+ out='&1'
+ else
+ out='/dev/null'
+ fi
+
+ if [ -d "$1/$INSTALLED/perl" ]; then
+ chroot "$1/" c_rehash >$out
+ else
+ tazpkg -gi microperl --root="${1:-/}"
+ chroot "$1/" microperl /usr/bin/c_rehash >$out
+ fi
+}
diff -r bb72317ca464 -r c9eb1de0c7df cacerts/stuff/make-ca.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/cacerts/stuff/make-ca.sh Sat Mar 04 08:15:16 2023 +0000
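Review bot: `out='&1'` in post_install does not become a stdout redirection: `>$out` goes through word expansion only, so `chroot "$1/" c_rehash >$out` writes the rehash output to a file literally named `&1` in the current directory instead of the terminal. Setting `out=/dev/stdout` (the redirection is resolved by the host shell before chroot starts) or branching on `$quiet` at the call site fixes both chroot calls. Separately, `WGET_URL` fetches `raw-file/tip`, so the trust store depends on whatever Mozilla's tip holds at cook time and is not tied to `VERSION="20230303"`; pinning the URL to a changeset, or recording the certdata.txt checksum in the receipt, makes the package reproducible and lets a changed download be noticed. `stuff/remove_cnnic.patch` is copied into `$src` by `cp -a $stuff/* $src` but nothing in compile_rules applies it, and its hunk is addressed to absolute line 14889 of a 2015 certdata.txt, so unless cook applies stuff patches on its own it is dead weight and should be applied explicitly or dropped. `$data_Ymd` in the sed header is not defined in this receipt; if cook does not export it, make-ca.sh's REVISION check still passes but the derived VERSION is empty, which is worth a comment either way.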
@@ -0,0 +1,99 @@
+#!/bin/sh
+# Begin make-ca.sh
+# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
+#
+# The file certdata.txt must exist in the local directory
+# Version number is obtained from the version of the data.
+#
+# Authors: DJ Lucas
+# Bruce Dubbs
+#
+# Version 20120211
+
+# Some data in the certs have UTF-8 characters
+export LANG=en_US.utf8
+
+certdata="certdata.txt"
+
+if [ ! -r $certdata ]; then
+ echo "$certdata must be in the local directory"
+ exit 1
+fi
+
+REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$')
+
+if [ -z "${REVISION}" ]; then
+ echo "$certfile has no 'Revision' in CVS_ID"
+ exit 1
+fi
+
+VERSION=$(echo $REVISION | cut -f2 -d" ")
+
+TEMPDIR=$(mktemp -d)
+TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
+BUNDLE="ca-bundle.crt"
+CONVERTSCRIPT="./make-cert.pl"
+SSLDIR="${DESTDIR}/etc/ssl"
+
+mkdir "${TEMPDIR}/certs"
+
+# Get a list of starting lines for each cert
+CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
+
+# Get a list of ending lines for each cert
+CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
+
+# Start a loop
+for certbegin in ${CERTBEGINLIST}; do
+ for certend in ${CERTENDLIST}; do
+ if test "${certend}" -gt "${certbegin}"; then
+ break
+ fi
+ done
+
+ # Dump to a temp file with the name of the file as the beginning line number
+ sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
+done
+
+unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend
+
+mkdir -p certs
+rm -f certs/* # Make sure the directory is clean
+
+for tempfile in ${TEMPDIR}/certs/*.tmp; do
+ # Make sure that the cert is trusted...
+ grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
+ egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
+
+ if test "${?}" = "0"; then
+ # Throw a meaningful error and remove the file
+ cp "${tempfile}" tempfile.cer
+ perl ${CONVERTSCRIPT} > tempfile.crt
+ keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+ echo "Certificate ${keyhash} is not trusted! Removing..."
+ rm -f tempfile.cer tempfile.crt "${tempfile}"
+ continue
+ fi
+
+ # If execution made it to here in the loop, the temp cert is trusted
+ # Find the cert data and generate a cert file for it
+
+ cp "${tempfile}" tempfile.cer
+ perl ${CONVERTSCRIPT} > tempfile.crt
+ keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+ mv tempfile.crt "certs/${keyhash}.pem"
+ rm -f tempfile.cer "${tempfile}"
+ echo "Created ${keyhash}.pem"
+done
+
+# Remove blacklisted files
+# MD5 Collision Proof of Concept CA
+if test -f certs/8f111d69.pem; then
+ echo "Certificate 8f111d69 is not trusted! Removing..."
+ rm -f certs/8f111d69.pem
+fi
+
+# Finally, generate the bundle and clean up.
+cat certs/*.pem > ${BUNDLE}
+rm -r "${TEMPDIR}"
+
diff -r bb72317ca464 -r c9eb1de0c7df cacerts/stuff/make-cert.pl
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/cacerts/stuff/make-cert.pl Sat Mar 04 08:15:16 2023 +0000
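Review bot: The trust filter `egrep "TRUST_UNKNOWN|NOT_TRUSTED"` only knows the 2012-era trust tokens, while the certdata.txt the receipt downloads marks roots that are not trusted for TLS server authentication with `CKT_NSS_MUST_VERIFY_TRUST`; that value matches neither alternative, so e-mail-only or code-signing-only roots pass the check and are written to certs/ and ca-bundle.crt as TLS trust anchors. Widening the pattern to `egrep "TRUST_UNKNOWN|NOT_TRUSTED|MUST_VERIFY_TRUST" > /dev/null` restores the intended filter; comparing the resulting certs/ count with the number of `CKT_NSS_TRUSTED_DELEGATOR` server-auth entries in the input is a cheap way to confirm it. The REVISION error message prints `$certfile`, which is never assigned; it should read `$certdata`. If `openssl x509 -hash` fails on tempfile.crt, `keyhash` is empty and the file is moved to `certs/.pem`, so a `[ -n "${keyhash}" ] ||` guard before the `mv` would keep an unparsable conversion out of the store. The `for tempfile` loop opens in the previous part of this hunk.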
@@ -0,0 +1,49 @@
+#!/usr/bin/perl -w
+
+# Used to generate PEM encoded files from Mozilla certdata.txt.
+# Run as ./make-cert.pl > certificate.crt
+#
+# Parts of this script courtesy of RedHat (mkcabundle.pl)
+#
+# This script modified for use with single file data (tempfile.cer) extracted
+# from certdata.txt, taken from the latest version in the Mozilla NSS source.
+# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+#
+# Authors: DJ Lucas
+# Bruce Dubbs
+#
+# Version 20120211
+
+my $certdata = './tempfile.cer';
+
+open( IN, "cat $certdata|" )
+ || die "could not open $certdata";
+
+my $incert = 0;
+
+while ( )
+{
+ if ( /^CKA_VALUE MULTILINE_OCTAL/ )
+ {
+ $incert = 1;
+ open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
+ || die "could not pipe to openssl x509";
+ }
+
+ elsif ( /^END/ && $incert )
+ {
+ close( OUT );
+ $incert = 0;
+ print "\n\n";
+ }
+
+ elsif ($incert)
+ {
+ my @bs = split( /\\/ );
+ foreach my $b (@bs)
+ {
+ chomp $b;
+ printf( OUT "%c", oct($b) ) unless $b eq '';
+ }
+ }
+}
diff -r bb72317ca464 -r c9eb1de0c7df cacerts/stuff/remove-expired-certs.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/cacerts/stuff/remove-expired-certs.sh Sat Mar 04 08:15:16 2023 +0000
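Review bot: `close( OUT )` in the `/^END/` branch discards openssl's exit status, so DER data that `openssl x509` rejects yields empty or truncated output on stdout while the caller still treats it as a converted certificate; `close( OUT ) or die "openssl x509 failed: exit $?";` makes the conversion fail loudly instead. The script relies on `-w` alone and uses bareword handles with a shell pipe for reading; `use strict; use warnings;` plus a direct three-arg open, `open( my $in, '<', $certdata ) or die "could not open $certdata: $!";`, removes the `cat` subprocess and the two-arg open form (the path is a literal here, so this is hygiene rather than an injection risk). The loop header appears in this hunk as `while ( )`, which as written reads nothing from IN; presumably `<IN>` was lost in rendering, but it is worth confirming in the committed file.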
@@ -0,0 +1,53 @@
+#!/bin/sh
+# Begin remove-expired-certs.sh
+#
+# Version 20120211
+
+# Make sure the date is parsed correctly on all systems
+mydate()
+{
+ local y=$( echo $1 | cut -d" " -f4 )
+ local M=$( echo $1 | cut -d" " -f1 )
+ local d=$( echo $1 | cut -d" " -f2 )
+ local m
+
+ if [ ${d} -lt 10 ]; then d="0${d}"; fi
+
+ case $M in
+ Jan) m="01";;
+ Feb) m="02";;
+ Mar) m="03";;
+ Apr) m="04";;
+ May) m="05";;
+ Jun) m="06";;
+ Jul) m="07";;
+ Aug) m="08";;
+ Sep) m="09";;
+ Oct) m="10";;
+ Nov) m="11";;
+ Dec) m="12";;
+ esac
+
+ certdate="${y}${m}${d}"
+}
+
+OPENSSL=/usr/bin/openssl
+DIR=$DESTDIR/etc/ssl/certs
+
+if [ $# -gt 0 ]; then
+ DIR="$1"
+fi
+
+certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )
+today=$( date +%Y%m%d )
+
+for cert in $certs; do
+ notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
+ date=$( echo ${notafter} | sed 's/^notAfter=//' )
+ mydate "$date"
+
+ if [ ${certdate} -lt ${today} ]; then
+ echo "${cert} expired on ${certdate}! Removing..."
+ rm -f "${cert}"
+ fi
+done
diff -r bb72317ca464 -r c9eb1de0c7df cacerts/stuff/remove_cnnic.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/cacerts/stuff/remove_cnnic.patch Sat Mar 04 08:15:16 2023 +0000
@@ -0,0 +1,7 @@
+# Remove CNNIC Root certificate (temporarily)
+# http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
+--- a/certdata.txt
++++ b/certdata.txt
+@@ -14889 +14889 @@
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_SERVER_AUTH TRUST_UNKNOWN
diff -r bb72317ca464 -r c9eb1de0c7df git/receipt
--- a/git/receipt Fri Mar 03 09:44:37 2023 +0000
+++ b/git/receipt Sat Mar 04 08:15:16 2023 +0000
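Review bot: The script only deletes expired roots from the certs/ directory it is given, and compile_rules in the receipt runs it after make-ca.sh has already concatenated `ca-bundle.crt`, so genpkg_rules ships a bundle that still contains every certificate this loop removed while the per-hash directory does not. Regenerating the bundle in compile_rules after this script returns, `cat $src/certs/*.pem > $src/ca-bundle.crt`, keeps the two views of the trust store consistent. When `$OPENSSL x509 -enddate` fails, `notafter` is empty, `mydate` runs on an empty string and the `[ ${certdate} -lt ${today} ]` test prints a shell error and leaves the file in place rather than reporting it; a `[ -n "${certdate}" ] ||` guard with an explicit message before the comparison would make that visible. In the `find` call `-type f` binds only to the `*.pem` alternative; `-type f \( -name "*.pem" -o -name "*.crt" \)` expresses the intended filter.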
@@ -11,13 +11,12 @@
 WGET_URL="http://mirror.slitaz.org/sources/packages-4.0/g/$TARBALL"

 DEPENDS="zlib openssl curl expat"
-BUILD_DEPENDS="zlib-dev openssl-dev curl-dev expat-dev perl python-dev tar bzip2"
+BUILD_DEPENDS="zlib-dev openssl-dev curl-dev expat-dev perl python-dev bzip2"

 # Rules to configure and make the package.
 compile_rules()
 {
 cd $src
- [ -L /bin/tar ] && tazpkg get-install tar --forced
 ./configure \
 --prefix=/usr \
 --libexecdir=/usr/lib \
diff -r bb72317ca464 -r c9eb1de0c7df libcrypto-dev/receipt
--- a/libcrypto-dev/receipt Fri Mar 03 09:44:37 2023 +0000
+++ b/libcrypto-dev/receipt Sat Mar 04 08:15:16 2023 +0000
@@ -1,7 +1,7 @@
 # SliTaz package receipt.

 PACKAGE="libcrypto-dev"
-VERSION="1.0.0g"
+VERSION="1.0.2u"
 CATEGORY="development"
 SHORT_DESC="General purpose cryptographic shared library devel files."
 MAINTAINER="pascal.bellard@slitaz.org"
diff -r bb72317ca464 -r c9eb1de0c7df libcrypto/receipt
--- a/libcrypto/receipt Fri Mar 03 09:44:37 2023 +0000
+++ b/libcrypto/receipt Sat Mar 04 08:15:16 2023 +0000
@@ -1,7 +1,7 @@
 # SliTaz package receipt.

 PACKAGE="libcrypto"
-VERSION="1.0.0g"
+VERSION="1.0.2u"
 CATEGORY="security"
 SHORT_DESC="General purpose cryptographic shared library."
 MAINTAINER="pascal.bellard@slitaz.org"
diff -r bb72317ca464 -r c9eb1de0c7df libssl/receipt
--- a/libssl/receipt Fri Mar 03 09:44:37 2023 +0000
+++ b/libssl/receipt Sat Mar 04 08:15:16 2023 +0000
@@ -1,7 +1,7 @@
 # SliTaz package receipt.

 PACKAGE="libssl"
-VERSION="1.0.0g"
+VERSION="1.0.2u"
 CATEGORY="development"
 SHORT_DESC="OpenSSL libraries."
 MAINTAINER="pascal.bellard@slitaz.org"
diff -r bb72317ca464 -r c9eb1de0c7df openssl-dev/receipt
--- a/openssl-dev/receipt Fri Mar 03 09:44:37 2023 +0000
+++ b/openssl-dev/receipt Sat Mar 04 08:15:16 2023 +0000
@@ -1,7 +1,7 @@
 # SliTaz package receipt.

 PACKAGE="openssl-dev"
-VERSION="1.0.0g"
+VERSION="1.0.2u"
 CATEGORY="development"
 SHORT_DESC="Open source Secure Sockets Layer devel files."
 MAINTAINER="pascal.bellard@slitaz.org"
diff -r bb72317ca464 -r c9eb1de0c7df openssl/receipt
--- a/openssl/receipt Fri Mar 03 09:44:37 2023 +0000
+++ b/openssl/receipt Sat Mar 04 08:15:16 2023 +0000
@@ -1,7 +1,7 @@
 # SliTaz package receipt.

 PACKAGE="openssl"
-VERSION="1.0.0g"
+VERSION="1.0.2u"
 CATEGORY="security"
 SHORT_DESC="Open source Secure Sockets Layer."
 MAINTAINER="pascal.bellard@slitaz.org"
diff -r bb72317ca464 -r c9eb1de0c7df tar/receipt
--- a/tar/receipt Fri Mar 03 09:44:37 2023 +0000
+++ b/tar/receipt Sat Mar 04 08:15:16 2023 +0000
@@ -1,7 +1,7 @@
 # SliTaz package receipt.

 PACKAGE="tar"
-VERSION="1.33"
+VERSION="1.34"
 CATEGORY="utilities"
 SHORT_DESC="GNU tar archiving tools."
 MAINTAINER="pankso@slitaz.org"
diff -r bb72317ca464 -r c9eb1de0c7df zlib-dev/receipt
--- a/zlib-dev/receipt Fri Mar 03 09:44:37 2023 +0000
+++ b/zlib-dev/receipt Sat Mar 04 08:15:16 2023 +0000
@@ -1,7 +1,7 @@
 # SliTaz package receipt.

 PACKAGE="zlib-dev"
-VERSION="1.2.12"
+VERSION="1.2.13"
 CATEGORY="development"
 SHORT_DESC="Zlib compression library devel files."
 MAINTAINER="pankso@slitaz.org"
diff -r bb72317ca464 -r c9eb1de0c7df zlib/receipt
--- a/zlib/receipt Fri Mar 03 09:44:37 2023 +0000
+++ b/zlib/receipt Sat Mar 04 08:15:16 2023 +0000
@@ -1,7 +1,7 @@
 # SliTaz package receipt.

 PACKAGE="zlib"
-VERSION="1.2.12"
+VERSION="1.2.13"
 CATEGORY="base-system"
 SHORT_DESC="Compression library."
 MAINTAINER="pankso@slitaz.org"