CDRTOOLS="cdrtools-3.00"
CDRDAO="cdrdao-1.2.3"
CELESTIA="celestia-1.6.1"
+CERTDATA="certdata"
CKERMIT="ckermit-8.0.211"
CHORDPACK="chordpack-0.8.2"
CLAMAV="clamav-0.97.5"
GAWK="gawk-4.1.0"
GCC="gcc-4.8.3"
GCONF="GConf-3.2.6"
+GCR="gcr-3.14.0"
GDB="gdb-6.4"
GDBM="gdbm-1.10"
GDK_PIXBUF="gdk-pixbuf-2.31.1"
OPENSP="OpenSP-1.5.2"
OPENSSH="openssh-6.7p1"
OPENSSL="openssl-1.0.1j"
-OPENSSL_ROOT_CERTS="BLFS-ca-bundle-3.12.8.0"
PAM="Linux-PAM-1.1.8"
PANGO="pango-1.36.8"
PYGOBJECT="pygobject-2.28.6"
PYGTK="pygtk-2.24.0"
PYTHON="Python-2.7.3"
+P11KIT="p11-kit-0.22.1"
QEMU="qemu-2.2.0"
QT="qt-everywhere-opensource-src-4.8.5"
fpkg ${PAM} "https://fedorahosted.org/releases/l/i/linux-pam"
fpkg -e "tar.gz" -f "${FCRON}.src" ${FCRON} "http://fcron.free.fr/archives"
fpkg -e "tar.gz" ${OPENSSL} "ftp://ftp.openssl.org/source"
-fpkg ${OPENSSL_ROOT_CERTS} "http://anduin.linuxfromscratch.org/files/BLFS"
fpkg -e "tar.gz" ${OPENSSH} "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable"
fpkg ${LYNX} "ftp://lynx.isc.org/current"
fpkg -m sf ${EXPAT}
#!/bin/bash
-hvconfig_pre()
-{
- cd ${LFS_TMP}/${PACKAGE}
- decompress_package ${OPENSSL_ROOT_CERTS} ./
-}
-
hvbuild()
{
cd ${LFS_TMP}/${PACKAGE}
MAKEDEPPROG=gcc CC=gcc ./config \
--prefix=/usr \
--openssldir=/etc/ssl \
+ --libdir=lib \
shared \
zlib-dynamic
install -v -d -m755 /usr/share/doc/${PACKAGE}
cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
/usr/share/doc/${PACKAGE}
-
- cp -rv certs /etc/ssl
-
- # Create a single file that contains all of the installed certificates:
- for pem in /etc/ssl/certs/*.pem; do
- cat $pem
- echo ""
- done > /etc/ssl/ca-bundle.crt
}
ipkg ${LIBXKLAVIER}
ipkg ${LIBGLADE}
ipkg -m acnb ${GCONF}
+ ipkg -c -m noac ${CERTDATA}
+ ipkg ${P11KIT}
+ ipkg ${GCR} "--without-gtk" # Needs Gtk3
ipkg ${GNOME_KEYRING}
ipkg ${LIBSOUP} "--disable-static --without-gnome"
--- /dev/null
+#!/bin/sh
+# Begin make-ca.sh
+# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
+#
+# The file certdata.txt must exist in the local directory
+# Version number is obtained from the version of the data.
+#
+# Authors: DJ Lucas
+# Bruce Dubbs
+#
+# Version 20120211
+
+if [ ${#} -ne 1 ]; then
+ echo "Missing certdata source file"
+ exit 1
+fi
+
+certdata="${1}"
+
+if [ ! -r $certdata ]; then
+ echo "Unable to read certdata source file: ${certdata}"
+ exit 1
+fi
+
+REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$')
+
+if [ -z "${REVISION}" ]; then
+ echo "$certfile has no 'Revision' in CVS_ID"
+ exit 1
+fi
+
+VERSION=$(echo $REVISION | cut -f2 -d" ")
+
+TEMPDIR=$(mktemp -d)
+TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
+BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
+CONVERTSCRIPT="/usr/bin/make-cert.pl"
+SSLDIR="/etc/ssl"
+
+mkdir "${TEMPDIR}/certs"
+
+# Get a list of starting lines for each cert
+CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
+
+# Get a list of ending lines for each cert
+CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
+
+# Start a loop
+for certbegin in ${CERTBEGINLIST}; do
+ for certend in ${CERTENDLIST}; do
+ if test "${certend}" -gt "${certbegin}"; then
+ break
+ fi
+ done
+
+ # Dump to a temp file with the name of the file as the beginning line number
+ sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
+done
+
+unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend
+
+mkdir -p certs
+rm -f certs/* # Make sure the directory is clean
+
+for tempfile in ${TEMPDIR}/certs/*.tmp; do
+ # Make sure that the cert is trusted...
+ grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
+ egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
+
+ if test "${?}" = "0"; then
+ # Throw a meaningful error and remove the file
+ cp "${tempfile}" tempfile.cer
+ perl ${CONVERTSCRIPT} > tempfile.crt
+ keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+ echo "Certificate ${keyhash} is not trusted! Removing..."
+ rm -f tempfile.cer tempfile.crt "${tempfile}"
+ continue
+ fi
+
+ # If execution made it to here in the loop, the temp cert is trusted
+ # Find the cert data and generate a cert file for it
+
+ cp "${tempfile}" tempfile.cer
+ perl ${CONVERTSCRIPT} > tempfile.crt
+ keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+ mv tempfile.crt "certs/${keyhash}.pem"
+ rm -f tempfile.cer "${tempfile}"
+ echo "Created ${keyhash}.pem"
+done
+
+# Remove blacklisted files
+# MD5 Collision Proof of Concept CA
+if test -f certs/8f111d69.pem; then
+ echo "Certificate 8f111d69 is not trusted! Removing..."
+ rm -f certs/8f111d69.pem
+fi
+
+# Finally, generate the bundle and clean up.
+cat certs/*.pem > ${BUNDLE}
+rm -r "${TEMPDIR}"
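Review bot: The trust filter `grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | egrep "TRUST_UNKNOWN|NOT_TRUSTED"` treats every entry that does not match those two strings as trusted, so an entry with no `CKA_TRUST_SERVER_AUTH` line at all, or with a trust value the script did not anticipate, lands in the bundle; it is safer to require a positive match, e.g. `grep "^CKA_TRUST_SERVER_AUTH" "${tempfile}" | grep -q "TRUSTED_DELEGATOR" || { rm -f "${tempfile}"; continue; }` (keeping the removal message). The `mv tempfile.crt "certs/${keyhash}.pem"` step silently overwrites an earlier file when two distinct roots share a subject and therefore an `openssl x509 -hash` value, so one of them vanishes from the bundle; test for an existing `certs/${keyhash}.pem` and pick a suffixed name instead. `$certfile` in the CVS_ID error message is never assigned and should be `${certdata}`, which is also unquoted in the `-r` test and the `grep CVS_ID` call. `TRUSTATTRIBUTES` and `SSLDIR` are assigned but never used, and the `mktemp -d` result is not checked before `mkdir "${TEMPDIR}/certs"`.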
--- /dev/null
+#!/usr/bin/perl -w
+
+# Used to generate PEM encoded files from Mozilla certdata.txt.
+# Run as ./make-cert.pl > certificate.crt
+#
+# Parts of this script courtesy of RedHat (mkcabundle.pl)
+#
+# This script modified for use with single file data (tempfile.cer) extracted
+# from certdata.txt, taken from the latest version in the Mozilla NSS source.
+# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+#
+# Authors: DJ Lucas
+# Bruce Dubbs
+#
+# Version 20120211
+
+my $certdata = './tempfile.cer';
+
+open( IN, "cat $certdata|" )
+ || die "could not open $certdata";
+
+my $incert = 0;
+
+while ( <IN> )
+{
+ if ( /^CKA_VALUE MULTILINE_OCTAL/ )
+ {
+ $incert = 1;
+ open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
+ || die "could not pipe to openssl x509";
+ }
+
+ elsif ( /^END/ && $incert )
+ {
+ close( OUT );
+ $incert = 0;
+ print "\n\n";
+ }
+
+ elsif ($incert)
+ {
+ my @bs = split( /\\/ );
+ foreach my $b (@bs)
+ {
+ chomp $b;
+ printf( OUT "%c", oct($b) ) unless $b eq '';
+ }
+ }
+}
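Review bot: `close( OUT );` discards the exit status of the `openssl x509` child, so a DER blob that openssl rejects leaves an empty or truncated `tempfile.crt` while the script still exits 0 and the caller goes on to hash and install that file; use `close( OUT ) or die "openssl x509 failed: $?";` so the failure propagates (the shell caller should then check `perl ${CONVERTSCRIPT}`'s status as well). The input is opened through a `cat` shell pipeline with a two-argument `open` for a fixed local path; `open( IN, '<', $certdata ) or die "could not open $certdata: $!";` reads the file directly and reports the real error. Adding `use strict;` next to the `-w` flag would catch bareword-handle and scoping mistakes in later edits.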
--- /dev/null
+#!/bin/sh
+# Begin /usr/bin/remove-expired-certs.sh
+#
+# Version 20120211
+
+# Make sure the date is parsed correctly on all systems
+mydate()
+{
+ local y=$( echo $1 | cut -d" " -f4 )
+ local M=$( echo $1 | cut -d" " -f1 )
+ local d=$( echo $1 | cut -d" " -f2 )
+ local m
+
+ if [ ${d} -lt 10 ]; then d="0${d}"; fi
+
+ case $M in
+ Jan) m="01";;
+ Feb) m="02";;
+ Mar) m="03";;
+ Apr) m="04";;
+ May) m="05";;
+ Jun) m="06";;
+ Jul) m="07";;
+ Aug) m="08";;
+ Sep) m="09";;
+ Oct) m="10";;
+ Nov) m="11";;
+ Dec) m="12";;
+ esac
+
+ certdate="${y}${m}${d}"
+}
+
+OPENSSL=/usr/bin/openssl
+DIR=/etc/ssl/certs
+
+if [ $# -gt 0 ]; then
+ DIR="$1"
+fi
+
+certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )
+today=$( date +%Y%m%d )
+
+for cert in $certs; do
+ notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
+ date=$( echo ${notafter} | sed 's/^notAfter=//' )
+ mydate "$date"
+
+ if [ ${certdate} -lt ${today} ]; then
+ echo "${cert} expired on ${certdate}! Removing..."
+ rm -f "${cert}"
+ fi
+done
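Review bot: The `find` expression in `certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )` binds as `( -type f -a -name "*.pem" ) -o -name "*.crt"`, so `-type f` does not apply to `.crt` matches and a directory with that suffix would be handed to openssl; it should be `certs=$( find "${DIR}" -type f \( -name "*.pem" -o -name "*.crt" \) )`. The unquoted `echo $1` and `echo ${notafter}` are load-bearing: they collapse the double space openssl prints before a single-digit day (`Jan  1 …`) so that the `cut -d" "` fields line up, and a comment such as `# unquoted on purpose: collapses the two spaces before a single-digit day` would stop a later quoting cleanup from breaking the date parse. The `case $M` has no `*)` arm, so an unrecognised month leaves `m` empty and yields a short `certdate` that compares as already expired; add `*) echo "unknown month: ${M}" >&2; return 1;;` and check `mydate`'s status before the `rm -f`. The script is `#!/bin/sh` but uses `local`, which not every POSIX sh provides.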
fpkg -m gnome ${LIBXKLAVIER}
fpkg -m gnome ${LIBGLADE}
fpkg -m gnome ${GCONF}
+
+fpkg -e "txt" ${CERTDATA} "http://anduin.linuxfromscratch.org/sources/other"
+fpkg -e "tar.gz" ${P11KIT} "http://p11-glue.freedesktop.org/releases"
+fpkg -m gnome ${GCR}
fpkg -m gnome ${GNOME_KEYRING}
fpkg -m gnome ${LIBSOUP}
fpkg -e "tar.gz" ${XSCREENSAVER} "http://www.jwz.org/xscreensaver"
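Review bot: `fpkg -e "txt" ${CERTDATA} "http://anduin.linuxfromscratch.org/sources/other"` fetches the file that becomes the system's trusted root set over plain HTTP from a mirror rather than from the Mozilla NSS source; whether fpkg verifies a checksum or signature is not visible here, and without one this download is the single point where a substituted `certdata.txt` would silently define what the system trusts. If fpkg supports a checksum option or an https source, this entry should use it; otherwise record the expected digest next to the entry and verify it before the `ipkg ${CERTDATA}` step.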
--- /dev/null
+#!/bin/bash
+
+hvbuild()
+{
+ CD_TMP=$(mktemp -d)
+ SSLDIR=/etc/ssl
+
+ mkdir -p ${CD_TMP}
+ cd ${CD_TMP}
+
+ # Install scripts
+ install -v -m755 ${SCRDIR}/misc/certdata/* /usr/bin
+
+ make-ca.sh ${LFS_PKG_DIR}/${PACKAGE}.txt
+ remove-expired-certs.sh certs
+
+ install -d ${SSLDIR}/certs
+ cp -v certs/*.pem ${SSLDIR}/certs
+ c_rehash
+ install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt
+ ln -sfv ../ca-bundle.crt ${SSLDIR}/certs/ca-certificates.crt
+
+ # Clean up
+ rm -r certs BLFS-ca-bundle*
+ cd /tmp
+ rmdir ${CD_TMP}
+
+ unset CD_TMP
+ unset SSLDIR
+}
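Review bot: The exit status of `make-ca.sh ${LFS_PKG_DIR}/${PACKAGE}.txt` is not checked, so when it fails (it exits early on an unreadable file or a missing CVS_ID line) the function still runs `cp -v certs/*.pem` and `install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt`, replacing the existing trust store with whatever partial output exists; write `make-ca.sh "${LFS_PKG_DIR}/${PACKAGE}.txt" || return 1` and guard `remove-expired-certs.sh certs` the same way. `mkdir -p ${CD_TMP}` on the line after `mktemp -d` is redundant because mktemp already created the directory, and the mktemp result itself is not checked before the `cd`. `rmdir ${CD_TMP}` will fail if make-ca.sh leaves `tempfile.cer` or `tempfile.crt` behind after an error, so `rm -rf -- "${CD_TMP:?}"` is the more reliable cleanup.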
--- /dev/null
+#!/bin/bash
+
+hvbuild_post()
+{
+ # Gnome-keyring try to include gcr.h, so create a symbolic link:
+ ln -s gcr-base.h /usr/include/gcr-3/gcr/gcr.h
+}
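Review bot: `ln -s gcr-base.h /usr/include/gcr-3/gcr/gcr.h` has no `-f`, so re-running the build with the link already present makes `ln` fail, and unlike the `ln -sfv` call elsewhere in this commit it is silent; `ln -sfv gcr-base.h /usr/include/gcr-3/gcr/gcr.h` is idempotent and consistent with the rest. The existing comment already records why the link is needed, so no further documentation is required.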