From: Hugo Villeneuve Date: Sat, 13 Dec 2014 18:56:39 +0000 (-0500) Subject: Add gcr, p11kit and certdata packages X-Git-Url: http://gitweb.hugovil.com/?p=hvlinux.git;a=commitdiff_plain;h=0a06f07a9134afb9018e5a8922b475d0d39aebc4 Add gcr, p11kit and certdata packages --- diff --git a/config/packages-list b/config/packages-list index c4bcdbc..ee0c8cd 100644 --- a/config/packages-list +++ b/config/packages-list @@ -40,6 +40,7 @@ CDPARANOIA="cdparanoia-III-10.2" CDRTOOLS="cdrtools-3.00" CDRDAO="cdrdao-1.2.3" CELESTIA="celestia-1.6.1" +CERTDATA="certdata" CKERMIT="ckermit-8.0.211" CHORDPACK="chordpack-0.8.2" CLAMAV="clamav-0.97.5" @@ -108,6 +109,7 @@ B43_FWCUTTER="b43-fwcutter-015" GAWK="gawk-4.1.0" GCC="gcc-4.8.3" GCONF="GConf-3.2.6" +GCR="gcr-3.14.0" GDB="gdb-6.4" GDBM="gdbm-1.10" GDK_PIXBUF="gdk-pixbuf-2.31.1" @@ -301,7 +303,6 @@ OPENLDAP="openldap-2.4.23" OPENSP="OpenSP-1.5.2" OPENSSH="openssh-6.7p1" OPENSSL="openssl-1.0.1j" -OPENSSL_ROOT_CERTS="BLFS-ca-bundle-3.12.8.0" PAM="Linux-PAM-1.1.8" PANGO="pango-1.36.8" @@ -340,6 +341,7 @@ PYCAIRO="py2cairo-1.10.0" PYGOBJECT="pygobject-2.28.6" PYGTK="pygtk-2.24.0" PYTHON="Python-2.7.3" +P11KIT="p11-kit-0.22.1" QEMU="qemu-2.2.0" QT="qt-everywhere-opensource-src-4.8.5" diff --git a/stage3/packages-update b/stage3/packages-update index 5e04d09..9881187 100755 --- a/stage3/packages-update +++ b/stage3/packages-update @@ -23,7 +23,6 @@ fpkg ${RPCNIS_HEADERS} "http://anduin.linuxfromscratch.org/other" fpkg ${PAM} "https://fedorahosted.org/releases/l/i/linux-pam" fpkg -e "tar.gz" -f "${FCRON}.src" ${FCRON} "http://fcron.free.fr/archives" fpkg -e "tar.gz" ${OPENSSL} "ftp://ftp.openssl.org/source" -fpkg ${OPENSSL_ROOT_CERTS} "http://anduin.linuxfromscratch.org/files/BLFS" fpkg -e "tar.gz" ${OPENSSH} "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable" fpkg ${LYNX} "ftp://lynx.isc.org/current" fpkg -m sf ${EXPAT} diff --git a/stage3/pkg/openssl b/stage3/pkg/openssl index 715d37f..863696e 100644 --- a/stage3/pkg/openssl 
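Review bot: `CERTDATA="certdata"` is the only entry in config/packages-list that carries no version, whereas every neighbour is pinned (`OPENSSL="openssl-1.0.1j"`, `P11KIT="p11-kit-0.22.1"`), so nothing in the configuration records which Mozilla certdata.txt revision the system's trust store was built from. Because this value is what the stage5 fetch and make-ca.sh consume, the resulting CA bundle is whatever the mirror serves on build day and cannot be reproduced or audited later. Either pin the name to a revision (so both the download and the bundle name record it) or record the expected checksum of the file next to this entry; which of the two fits `fpkg` I can't tell from this hunk.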
+++ b/stage3/pkg/openssl @@ -1,11 +1,5 @@ #!/bin/bash -hvconfig_pre() -{ - cd ${LFS_TMP}/${PACKAGE} - decompress_package ${OPENSSL_ROOT_CERTS} ./ -} - hvbuild() { cd ${LFS_TMP}/${PACKAGE} @@ -13,6 +7,7 @@ hvbuild() MAKEDEPPROG=gcc CC=gcc ./config \ --prefix=/usr \ --openssldir=/etc/ssl \ + --libdir=lib \ shared \ zlib-dynamic @@ -23,12 +18,4 @@ hvbuild() install -v -d -m755 /usr/share/doc/${PACKAGE} cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \ /usr/share/doc/${PACKAGE} - - cp -rv certs /etc/ssl - - # Create a single file that contains all of the installed certificates: - for pem in /etc/ssl/certs/*.pem; do - cat $pem - echo "" - done > /etc/ssl/ca-bundle.crt } diff --git a/stage5/hv-install-1 b/stage5/hv-install-1 index 0a9a5d1..3fac0bf 100755 --- a/stage5/hv-install-1 +++ b/stage5/hv-install-1 @@ -60,6 +60,9 @@ if [ "x${INST_TYPE}" = "xworkstation" -o \ ipkg ${LIBXKLAVIER} ipkg ${LIBGLADE} ipkg -m acnb ${GCONF} + ipkg -c -m noac ${CERTDATA} + ipkg ${P11KIT} + ipkg ${GCR} "--without-gtk" # Needs Gtk3 ipkg ${GNOME_KEYRING} ipkg ${LIBSOUP} "--disable-static --without-gnome" diff --git a/stage5/misc/certdata/make-ca.sh b/stage5/misc/certdata/make-ca.sh new file mode 100755 index 0000000..0f4e756 --- /dev/null +++ b/stage5/misc/certdata/make-ca.sh 
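Review bot: With the openssl recipe no longer installing any certificates (the `cp -rv certs /etc/ssl` and the bundle loop are deleted in this same commit), `ipkg -c -m noac ${CERTDATA}` is now the only thing that populates /etc/ssl/certs and ca-bundle.crt, and it sits inside the `if [ "x${INST_TYPE}" = "xworkstation" -o \` branch named in the hunk header. Whatever install types fall outside that condition (its remaining terms are outside the hunk, so I can't see which) end up with OpenSSL-based clients having no trust anchors at all, which either breaks verification or invites people to switch it off. certdata needs only openssl and perl, not GNOME, so it belongs before the `if`, unconditionally: `ipkg -c -m noac ${CERTDATA}` moved above the block. The enclosing `if` starts before this hunk.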
@@ -0,0 +1,100 @@
+#!/bin/sh
+# Begin make-ca.sh
+# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
+#
+# The file certdata.txt must exist in the local directory
+# Version number is obtained from the version of the data.
+#
+# Authors: DJ Lucas
+# Bruce Dubbs
+#
+# Version 20120211
+
+if [ ${#} -ne 1 ]; then
+ echo "Missing certdata source file"
+ exit 1
+fi
+
+certdata="${1}"
+
+if [ ! -r $certdata ]; then
+ echo "Unable to read certdata source file: ${certdata}"
+ exit 1
+fi
+
+REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$')
+
+if [ -z "${REVISION}" ]; then
+ echo "$certfile has no 'Revision' in CVS_ID"
+ exit 1
+fi
+
+VERSION=$(echo $REVISION | cut -f2 -d" ")
+
+TEMPDIR=$(mktemp -d)
+TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
+BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
+CONVERTSCRIPT="/usr/bin/make-cert.pl"
+SSLDIR="/etc/ssl"
+
+mkdir "${TEMPDIR}/certs"
+
+# Get a list of starting lines for each cert
+CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
+
+# Get a list of ending lines for each cert
+CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
+
+# Start a loop
+for certbegin in ${CERTBEGINLIST}; do
+ for certend in ${CERTENDLIST}; do
+ if test "${certend}" -gt "${certbegin}"; then
+ break
+ fi
+ done
+
+ # Dump to a temp file with the name of the file as the beginning line number
+ sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
+done
+
+unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend
+
+mkdir -p certs
+rm -f certs/* # Make sure the directory is clean
+
+for tempfile in ${TEMPDIR}/certs/*.tmp; do
+ # Make sure that the cert is trusted...
+ grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
+ egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
+
+ if test "${?}" = "0"; then
+ # Throw a meaningful error and remove the file
+ cp "${tempfile}" tempfile.cer
+ perl ${CONVERTSCRIPT} > tempfile.crt
+ keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+ echo "Certificate ${keyhash} is not trusted! Removing..."
+ rm -f tempfile.cer tempfile.crt "${tempfile}"
+ continue
+ fi
+
+ # If execution made it to here in the loop, the temp cert is trusted
+ # Find the cert data and generate a cert file for it
+
+ cp "${tempfile}" tempfile.cer
+ perl ${CONVERTSCRIPT} > tempfile.crt
+ keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+ mv tempfile.crt "certs/${keyhash}.pem"
+ rm -f tempfile.cer "${tempfile}"
+ echo "Created ${keyhash}.pem"
+done
+
+# Remove blacklisted files
+# MD5 Collision Proof of Concept CA
+if test -f certs/8f111d69.pem; then
+ echo "Certificate 8f111d69 is not trusted! Removing..."
+ rm -f certs/8f111d69.pem
+fi
+
+# Finally, generate the bundle and clean up.
+cat certs/*.pem > ${BUNDLE}
+rm -r "${TEMPDIR}"
diff --git a/stage5/misc/certdata/make-cert.pl b/stage5/misc/certdata/make-cert.pl
new file mode 100755
index 0000000..60b6fea
--- /dev/null
+++ b/stage5/misc/certdata/make-cert.pl
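Review bot: The trust filter at the top of the per-cert loop is a denylist: `grep "CKA_TRUST_SERVER_AUTH" | egrep "TRUST_UNKNOWN|NOT_TRUSTED"` drops a certificate only when one of those two substrings appears, so any other non-trusted value of the server-auth attribute in the certdata.txt revision actually fetched (the file itself isn't in this commit, so I can't confirm which tokens it uses) is accepted, and a CA that Mozilla trusts only for e-mail, or not at all, would land in ca-bundle.crt as a TLS trust anchor. Inverting it into an allowlist replaces the pipeline and the `if test "${?}" = "0"; then` with a single `if ! grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | grep -q "TRUSTED_DELEGATOR"; then`. Two smaller things in the same file: the CVS_ID error message reads `$certfile`, which is never assigned (it should be `${certdata}`), and `TRUSTATTRIBUTES` is set but never used, so the attribute being checked is effectively hard-coded in the grep. Also, `mv tempfile.crt "certs/${keyhash}.pem"` silently overwrites an earlier certificate that hashed to the same subject hash, dropping a root instead of flagging the collision, and the `perl ${CONVERTSCRIPT}` exit status is never checked.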
@@ -0,0 +1,49 @@
+#!/usr/bin/perl -w
+
+# Used to generate PEM encoded files from Mozilla certdata.txt.
+# Run as ./make-cert.pl > certificate.crt
+#
+# Parts of this script courtesy of RedHat (mkcabundle.pl)
+#
+# This script modified for use with single file data (tempfile.cer) extracted
+# from certdata.txt, taken from the latest version in the Mozilla NSS source.
+# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+#
+# Authors: DJ Lucas
+# Bruce Dubbs
+#
+# Version 20120211
+
+my $certdata = './tempfile.cer';
+
+open( IN, "cat $certdata|" )
+ || die "could not open $certdata";
+
+my $incert = 0;
+
+while ( )
+{
+ if ( /^CKA_VALUE MULTILINE_OCTAL/ )
+ {
+ $incert = 1;
+ open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
+ || die "could not pipe to openssl x509";
+ }
+
+ elsif ( /^END/ && $incert )
+ {
+ close( OUT );
+ $incert = 0;
+ print "\n\n";
+ }
+
+ elsif ($incert)
+ {
+ my @bs = split( /\\/ );
+ foreach my $b (@bs)
+ {
+ chomp $b;
+ printf( OUT "%c", oct($b) ) unless $b eq '';
+ }
+ }
+}
diff --git a/stage5/misc/certdata/remove-expired-certs.sh b/stage5/misc/certdata/remove-expired-certs.sh
new file mode 100755
index 0000000..078b9cc
--- /dev/null
+++ b/stage5/misc/certdata/remove-expired-certs.sh
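Review bot: `close( OUT )` is never checked, so when openssl rejects the DER blob this script prints nothing and still exits 0, and make-ca.sh then hashes an empty tempfile.crt and installs a nameless `certs/.pem` instead of failing; `close( OUT ) or die "openssl x509 failed on $certdata";` makes the bad certificate visible (make-ca.sh must also check perl's exit status for that to matter). `open( IN, "cat $certdata|" )` pipes the file through a shell just to read it; the three-argument `open( IN, '<', $certdata ) || die "could not open $certdata";` reads it directly and never interpolates a path into `sh -c`, which is the pattern that bites once someone parameterises the filename. The `while ( )` as rendered here has lost its readline, presumably stripped as markup, so I'm assuming the committed file reads `while ( <IN> )`. Note that `-text` places a full human-readable dump ahead of every PEM block, and make-ca.sh concatenates those dumps into ca-bundle.crt; OpenSSL tolerates it, but the bundle ends up several times larger than needed.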
@@ -0,0 +1,53 @@
+#!/bin/sh
+# Begin /usr/bin/remove-expired-certs.sh
+#
+# Version 20120211
+
+# Make sure the date is parsed correctly on all systems
+mydate()
+{
+ local y=$( echo $1 | cut -d" " -f4 )
+ local M=$( echo $1 | cut -d" " -f1 )
+ local d=$( echo $1 | cut -d" " -f2 )
+ local m
+
+ if [ ${d} -lt 10 ]; then d="0${d}"; fi
+
+ case $M in
+ Jan) m="01";;
+ Feb) m="02";;
+ Mar) m="03";;
+ Apr) m="04";;
+ May) m="05";;
+ Jun) m="06";;
+ Jul) m="07";;
+ Aug) m="08";;
+ Sep) m="09";;
+ Oct) m="10";;
+ Nov) m="11";;
+ Dec) m="12";;
+ esac
+
+ certdate="${y}${m}${d}"
+}
+
+OPENSSL=/usr/bin/openssl
+DIR=/etc/ssl/certs
+
+if [ $# -gt 0 ]; then
+ DIR="$1"
+fi
+
+certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )
+today=$( date +%Y%m%d )
+
+for cert in $certs; do
+ notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
+ date=$( echo ${notafter} | sed 's/^notAfter=//' )
+ mydate "$date"
+
+ if [ ${certdate} -lt ${today} ]; then
+ echo "${cert} expired on ${certdate}! Removing..."
+ rm -f "${cert}"
+ fi
+done
diff --git a/stage5/packages-update b/stage5/packages-update
index 4dd669a..1c71f33 100755
--- a/stage5/packages-update
+++ b/stage5/packages-update
@@ -54,6 +54,10 @@ fpkg -e "tar.xz" ${ISO_CODES} "http://pkg-isocodes.alioth.debian.org/downloads"
 fpkg -m gnome ${LIBXKLAVIER}
 fpkg -m gnome ${LIBGLADE}
 fpkg -m gnome ${GCONF}
+
+fpkg -e "txt" ${CERTDATA} "http://anduin.linuxfromscratch.org/sources/other"
+fpkg -e "tar.gz" ${P11KIT} "http://p11-glue.freedesktop.org/releases"
+fpkg -m gnome ${GCR}
 fpkg -m gnome ${GNOME_KEYRING}
 fpkg -m gnome ${LIBSOUP}
 fpkg -e "tar.gz" ${XSCREENSAVER} "http://www.jwz.org/xscreensaver"
diff --git a/stage5/pkg/certdata b/stage5/pkg/certdata
new file mode 100644
index 0000000..d9f5d97
--- /dev/null
+++ b/stage5/pkg/certdata
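Review bot: The `find` in `certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )` parses as `( -type f -a -name "*.pem" ) -o -name "*.crt"`, so `-type f` only constrains the `.pem` names and any `.crt` entry of any type is matched, including the `ca-certificates.crt` symlink that the certdata recipe later creates in the default `DIR` of /etc/ssl/certs: `openssl x509 -enddate` then reads the first certificate of the whole bundle through that link, and an expired one gets the symlink unlinked. Group the names so the type test covers both: `certs=$( find "${DIR}" -type f \( -name "*.pem" -o -name "*.crt" \) )`. Separately, when `openssl x509` fails on a file, `notafter` is empty, `mydate` sets an empty `certdate` and `[ ${certdate} -lt ${today} ]` emits a `[: unary operator expected` style error instead of reporting which file was unreadable; a `[ -n "${certdate}" ] || { echo "cannot read ${cert}"; continue; }` after the `mydate` call gives a useful message.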
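Review bot: `fpkg -e "txt" ${CERTDATA} "http://anduin.linuxfromscratch.org/sources/other"` pulls the root-CA list that every later TLS verification on the system will rely on over plain HTTP, from an unversioned name, and nothing in this hunk checks a digest or signature (if `fpkg` verifies downloads elsewhere, that is not visible here). Anyone on the path can hand back a certdata.txt with one extra trusted entry and make-ca.sh will install it as a trust anchor on every machine built from this tree. The mirror is a convenience; the Mozilla NSS repository that make-cert.pl's own header cites serves the canonical file over HTTPS, and the fetch should be pinned to a known revision with its SHA-256 recorded in the repo and checked before make-ca.sh runs. The same applies, with smaller blast radius, to the p11-kit tarball fetched over http on the next line.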
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+hvbuild()
+{
+ CD_TMP=$(mktemp -d)
+ SSLDIR=/etc/ssl
+
+ mkdir -p ${CD_TMP}
+ cd ${CD_TMP}
+
+ # Install scripts
+ install -v -m755 ${SCRDIR}/misc/certdata/* /usr/bin
+
+ make-ca.sh ${LFS_PKG_DIR}/${PACKAGE}.txt
+ remove-expired-certs.sh certs
+
+ install -d ${SSLDIR}/certs
+ cp -v certs/*.pem ${SSLDIR}/certs
+ c_rehash
+ install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt
+ ln -sfv ../ca-bundle.crt ${SSLDIR}/certs/ca-certificates.crt
+
+ # Clean up
+ rm -r certs BLFS-ca-bundle*
+ cd /tmp
+ rmdir ${CD_TMP}
+
+ unset CD_TMP
+ unset SSLDIR
+}
diff --git a/stage5/pkg/gcr b/stage5/pkg/gcr
new file mode 100644
index 0000000..a635ac4
--- /dev/null
+++ b/stage5/pkg/gcr
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+hvbuild_post()
+{
+ # Gnome-keyring try to include gcr.h, so create a symbolic link:
+ ln -s gcr-base.h /usr/include/gcr-3/gcr/gcr.h
+}
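Review bot: `cp -v certs/*.pem ${SSLDIR}/certs` merges the freshly generated set into whatever already sits in /etc/ssl/certs, so a root that Mozilla has since removed or distrusted, which is the main reason to refresh certdata at all, keeps working from the previous install and `c_rehash` re-links it. Clear the generated files before copying, `rm -f "${SSLDIR}"/certs/*.pem` ahead of the `cp` (locally added CAs kept in the same directory would need to live elsewhere first). The recipe also never checks that make-ca.sh and remove-expired-certs.sh succeeded; unless the harness runs hvbuild under `set -e` (not visible here), a failed conversion still reaches `install BLFS-ca-bundle*.crt`, which then fails, while `ln -sfv` leaves a dangling `ca-certificates.crt` pointing at a bundle that does not exist, so `make-ca.sh "${LFS_PKG_DIR}/${PACKAGE}.txt" || return 1` and the same guard on `remove-expired-certs.sh certs` are needed. Minor: `mkdir -p ${CD_TMP}` is redundant after `mktemp -d`, and `rmdir ${CD_TMP}` will fail if a failed run left tempfile.cer or tempfile.crt behind.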
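Review bot: `ln -s gcr-base.h /usr/include/gcr-3/gcr/gcr.h` has no `-f`, so a second run of this recipe (rebuild or upgrade) stops with "File exists" once the link is in place; the certdata recipe in this same commit uses `ln -sfv`, and this one should match: `ln -sfv gcr-base.h /usr/include/gcr-3/gcr/gcr.h`. The comment should also say which gnome-keyring version needs the shim, so the hand-placed header, which no package owns and which survives a gcr upgrade, can be dropped when that version is no longer built.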