X-Git-Url: http://git.pld-linux.org/?a=blobdiff_plain;f=ca-certificates.spec;h=ed7d196fb24ebf06c29a907fc9b54bec0d6fd897;hb=0818a4328225cca2d41e43f0fa816f38bb3cbe69;hp=97dee1b432d94c81184cca36c57f969e93517ddd;hpb=6b55707d8466979f8016819e8ddf2bcf2423d1a7;p=packages%2Fca-certificates.git
diff --git a/ca-certificates.spec b/ca-certificates.spec
index 97dee1b..ed7d196 100644
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@@ -13,7 +13,7 @@ Summary(pl.UTF-8): Pliki PEM popularnych certyfikatów CA
 Name: ca-certificates
 %define ver_date 20210119
 Version: %{ver_date}
-Release: 2
+Release: 6
 License: GPL v2 (scripts), MPL v2 (mozilla certs), distributable (other certs)
 Group: Base
 Source0: http://ftp.debian.org/debian/pool/main/c/ca-certificates/%{name}_%{version}.tar.xz
@@ -150,6 +150,32 @@ sed 's/\r//' %{SOURCE36} > terena/$(basename %{SOURCE36} .pem).crt
 # We have those and more in specific dirs
 %{__rm} mozilla/Certum*.crt
 
+make_sure_expired_and_rm() {
+ cert="$1"
+ rm -rf pld-tests
+ install -d pld-tests
+ cat "$cert" | awk '/^-+BEGIN/ { i++; } /^-+BEGIN/, /^-+END/ { print > "pld-tests/" i ".extracted.crt" }'
+ for tmpcert in pld-tests/*.extracted.crt; do
+ # check expiration date
+ EXPDATE=$(openssl x509 -enddate -noout -in "$tmpcert")
+ EXPDATE=${EXPDATE#notAfter=}
+ EXPDATETIMESTAMP=$(date +"%s" -d "$EXPDATE")
+ NOWTIMESTAMP=$(date +"%s")
+ # mksh is 32bit only
+ if /usr/bin/test "$EXPDATETIMESTAMP" -ge "$NOWTIMESTAMP"; then
+ echo "$cert ($tmpcert): not expired! ${EXPDATE}"
+ return 1
+ fi
+ done
+ rm "$cert"
+ return 0
+}
+
+# expired
+make_sure_expired_and_rm mozilla/Sonera_Class_2_Root_CA.crt
+make_sure_expired_and_rm mozilla/DST_Root_CA_X3.crt
+make_sure_expired_and_rm mozilla/QuoVadis_Root_CA.crt
+
 # See TODO
 # %{__rm} mozilla/RSA_Security_1024_v3.crt
 
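Review bot: make_sure_expired_and_rm fails open on unreadable input unless the surrounding %prep runs under `sh -e`: when `openssl x509 -enddate` fails (or the awk split wrote nothing and the loop sees the literal glob), EXPDATE is empty, GNU `date -d ""` resolves to today's midnight, the `-ge` test is false, and `rm "$cert"` deletes a root whose expiry was never actually read. Make the checks explicit instead of relying on the scriptlet's shell options, which the hunk does not show: `[ -e pld-tests/1.extracted.crt ] || return 1` before the loop and `EXPDATE=$(openssl x509 -enddate -noout -in "$tmpcert") || return 1` inside it, with `|| exit 1` on the three call sites so a still-valid root stops the build on purpose rather than by accident. `cat "$cert" | awk ...` can pass the file straight to awk. The %prep section this sits in starts and ends outside the hunk.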
@@ -182,7 +208,23 @@ cd pld-tests
 cat $RPM_BUILD_ROOT%{certsdir}/ca-certificates.crt | awk '/^-+BEGIN/ { i++; } /^-+BEGIN/, /^-+END/ { print > i ".extracted.crt" }'
 for cert in *.extracted.crt; do
 openssl x509 -in "$cert" -noout -sha1 -fingerprint > "$cert.fingerprint"
+
+
+ # check expiration date
+ EXPDATE=$(openssl x509 -enddate -noout -in "$cert")
+ EXPDATE=${EXPDATE#notAfter=}
+ EXPDATETIMESTAMP=$(date +"%s" -d "$EXPDATE")
+ NOWTIMESTAMP=$(date +"%s")
+ # mksh is 32bit only
+ if /usr/bin/test "$EXPDATETIMESTAMP" -lt "$NOWTIMESTAMP"; then
+ echo "!!! Expired certificate: $cert"
+ openssl x509 -subject -issuer -startdate -enddate -email -alias -noout -in "$cert"
+ echo "Fingerprint: $(cat "$cert.fingerprint")"
+ echo "\n\n"
+ exit 1
+ fi
 done
+
 DUPLICATES=$(sort *.fingerprint | uniq -c | sort -nr | awk ' { if ($1 != 1) { print $0; } } ')
 if [ -n "$DUPLICATES" ]; then
 echo -e "\n\nFound duplicates for certificates (count, type, fingerprint):\n\n$DUPLICATES\n\nFailing..."
@@ -205,6 +247,11 @@ rm -rf $RPM_BUILD_ROOT
 %postun update
 /usr/bin/find "%{openssldir}" -xtype l -delete || :
 
+%pretrans
+if [ -L /etc/ssl/certs ]; then
+ rm -f /etc/ssl/certs
+fi
+
 %files
 %defattr(644,root,root,755)
 %doc work/debian/{README.Debian,changelog}
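Review bot: `echo "\n\n"` in the new expiry branch prints a literal backslash-n under bash, unlike the `echo -e` used for the duplicate report a few lines below; `printf '\n\n'` keeps the output consistent. The check itself fails closed — an unreadable fragment leaves EXPDATE empty, GNU `date -d ""` yields today's midnight, and the bundle is rejected — which is the right direction for a trust store, but the message would then blame an expiry rather than a parse failure, so `EXPDATE=$(openssl x509 -enddate -noout -in "$cert") || exit 1` would make the diagnostic honest. The same timestamp computation now also lives in %prep's make_sure_expired_and_rm; a shared helper would keep the two from drifting. The enclosing %install block starts and ends outside the hunk.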
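Review bot: the new %pretrans removes /etc/ssl/certs whenever it is a symlink, without checking where it points; if the transaction fails after %pretrans the system is left with no /etc/ssl/certs at all, and every TLS client on the box loses its trust store until the package is reinstalled. If the old layout's link target is known, compare it first, e.g. `[ -L /etc/ssl/certs ] && [ "$(readlink /etc/ssl/certs)" = "<old target>" ] && rm -f /etc/ssl/certs`, so an administrator's deliberate symlink is not silently discarded. For a Base package that can be in an initial install set, %pretrans runs before /bin/sh is guaranteed to exist, which is why rpm convention writes it as `%pretrans -p <lua>` — worth confirming against how PLD's rpm handles this. A one-line comment above the scriptlet saying why the link has to go (presumably a real directory replaces it) would help the next reader.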