--- /dev/null
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+\f
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+\f
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+\f
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+\f
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+\f
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) 19yy <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) 19yy name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
--- /dev/null
+-------------------------------------------------------------------
+Fri May 4 11:55:14 UTC 2012 - lnussel@suse.de
+
+- give hint about SSL_CTX_set_default_verify_paths in cert bundle
+
+-------------------------------------------------------------------
+Mon Oct 24 11:57:53 UTC 2011 - coolo@suse.com
+
+- require coreutils for %post script
+
+-------------------------------------------------------------------
+Mon Jun 20 12:49:52 UTC 2011 - lnussel@suse.de
+
+- fix spurious rpm warning if no java exists (bnc#634793)
+- move java.run to java-ca-certificates
+
+-------------------------------------------------------------------
+Mon Sep 27 14:58:03 UTC 2010 - lnussel@suse.de
+
+- catch FileNotFoundException (bnc#623365)
+
+-------------------------------------------------------------------
+Fri May 21 12:46:55 UTC 2010 - mvyskocil@suse.cz
+
+* Use the gcc-java and fastjar for build to avoid dependency problems
+* build keystore.class only to allow noarch package
+
+-------------------------------------------------------------------
+Wed May 19 09:57:41 UTC 2010 - lnussel@suse.de
+
+- create java bundles
+
+-------------------------------------------------------------------
+Tue Apr 27 14:17:24 UTC 2010 - lnussel@suse.de
+
+- also use hooks from /usr/lib/ca-certificates/update.d
+- replace bundle file with symlink to file in /var as it's auto
+ generated
+
+-------------------------------------------------------------------
+Wed Apr 21 13:20:07 UTC 2010 - lnussel@suse.de
+
+- force rebuilding all certificate stores in %post
+ This also makes sure we update the hash links in /etc/ssl/certs
+ as openssl changed the hash format between 0.9.8 and 1.0
+
+-------------------------------------------------------------------
+Thu Apr 8 13:16:43 UTC 2010 - lnussel@suse.de
+
+- actually install certbundle.run (bnc#594501)
+
+-------------------------------------------------------------------
+Thu Apr 8 09:15:28 UTC 2010 - lnussel@suse.de
+
+- it's ca-bundle.pem rather than cert.pem
+
+-------------------------------------------------------------------
+Thu Apr 8 07:51:25 UTC 2010 - lnussel@suse.de
+
+- obsolete openssl-certs (bnc#594434)
+- update manpage (bnc#594501)
+
+-------------------------------------------------------------------
+Thu Apr 1 13:00:37 UTC 2010 - lnussel@suse.de
+
+- include /etc/ca-certificates.conf as %ghost
+
+-------------------------------------------------------------------
+Fri Mar 26 15:26:01 UTC 2010 - lnussel@suse.de
+
+- generate ca-bundle with hook script
+- don't use trusted certificates in ca-bundle file for compatibility
+ with gnutls
+
+-------------------------------------------------------------------
+Wed Mar 24 10:31:47 UTC 2010 - lnussel@suse.de
+
+- new package
+
--- /dev/null
+%bcond_with java
+
+BuildRequires: openssl
+%if %{with java}
+BuildRequires: gcc-java
+BuildRequires: fastjar
+%endif
+
+Name: ca-certificates
+%define ssletcdir %{_sysconfdir}/ssl
+%define etccadir %{ssletcdir}/certs
+%define cabundle /var/lib/ca-certificates/ca-bundle.pem
+%define usrcadir %{_datadir}/ca-certificates
+License: GPL-2.0+
+Group: Productivity/Networking/Security
+Version: 1
+Release: 12
+Summary: Utilities for system wide CA certificate installation
+Source0: update-ca-certificates
+Source1: update-ca-certificates.8
+Source2: GPL-2.0.txt
+Source3: certbundle.run
+Source4: keystore.java
+Source5: java.run
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+Url: http://gitorious.org/opensuse/ca-certificates
+#
+Requires: openssl
+# needed for %post
+Requires: coreutils
+Recommends: ca-certificates-mozilla
+# we need to obsolete openssl-certs to make sure it's files are
+# gone when a package providing actual certificates gets
+# installed (bnc#594434).
+Obsoletes: openssl-certs < 0.9.9
+BuildArch: noarch
+
+%if %{with java}
+
+%package -n java-ca-certificates
+License: GPL-2.0+
+Group: Productivity/Networking/Security
+Summary: Utilities CA certificate import to gcj
+Requires(post): ca-certificates
+Supplements: packageand(gcj-compat:ca-certificates)
+Supplements: packageand(java-1_6_0-openjdk:ca-certificates)
+Supplements: packageand(java-1_6_0-sun:ca-certificates)
+%endif
+
+%description
+Utilities for system wide CA certificate installation
+
+%if %{with java}
+
+%description -n java-ca-certificates
+Utilities for CA certificate installation for gcj and openjdk Java
+%endif
+
+%prep
+%setup -qcT
+install -m 755 %{SOURCE0} .
+install -m 644 %{SOURCE1} .
+install -m 644 %{SOURCE2} COPYING
+
+%build
+%if %{with java}
+gcj -C %SOURCE4 -d .
+# emulate -e option of jar for fastjar
+cat <<EOF > MANIFEST.MF
+Manifest-Version: 1.0
+Created-By: 0.98
+Main-Class: keystore
+EOF
+fastjar cfm keystore.jar MANIFEST.MF keystore*.class
+%endif
+
+%install
+mkdir -p %{buildroot}/%{etccadir}
+mkdir -p %{buildroot}/%{usrcadir}
+mkdir -p %{buildroot}/%{_sbindir}
+mkdir -p %{buildroot}/%{_mandir}/man8
+mkdir -p %{buildroot}/etc/ca-certificates/update.d
+mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/update.d
+install -D -m 644 /dev/null %{buildroot}/%{cabundle}
+install -m 644 /dev/null %{buildroot}/etc/ca-certificates.conf
+install -m 755 %{SOURCE3} %{buildroot}%{_prefix}/lib/ca-certificates/update.d
+%if %{with java}
+install -m 755 %{SOURCE5} %{buildroot}%{_prefix}/lib/ca-certificates/update.d
+%endif
+ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem
+
+install -m 755 update-ca-certificates %{buildroot}/%{_sbindir}
+install -m 644 update-ca-certificates.8 %{buildroot}/%{_mandir}/man8
+install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/ca-bundle.pem
+%if %{with java}
+mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/java
+install -m 644 keystore.jar %{buildroot}%{_prefix}/lib/ca-certificates/java
+install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts
+install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/gcj-cacerts
+%endif
+
+%post
+# this is just needed for those updating Factory,
+# can be removed before 11.3
+if [ "$1" -ge 1 ]; then
+ rm -f /etc/ca-certificates/update.d/certbundle.run
+fi
+# force rebuilding all certificate stores.
+# This also makes sure we update the hash links in /etc/ssl/certs
+# as openssl changed the hash format between 0.9.8 and 1.0
+update-ca-certificates -f || true
+
+%if %{with java}
+
+%post -n java-ca-certificates
+update-ca-certificates || true
+%endif
+
+%clean
+rm -rf %{buildroot}
+
+%files
+%defattr(-, root, root)
+%dir %{usrcadir}
+%dir %{etccadir}
+%doc COPYING
+%ghost %config(noreplace) /etc/ca-certificates.conf
+%{ssletcdir}/ca-bundle.pem
+%ghost %{cabundle}
+%dir /etc/ca-certificates
+%dir /etc/ca-certificates/update.d
+%dir %{_prefix}/lib/ca-certificates
+%dir %{_prefix}/lib/ca-certificates/update.d
+%dir /var/lib/ca-certificates
+%{_prefix}/lib/ca-certificates/update.d/certbundle.run
+%{_sbindir}/update-ca-certificates
+%{_mandir}/man8/update-ca-certificates.8*
+%ghost /var/lib/ca-certificates/ca-bundle.pem
+
+%if %{with java}
+
+%files -n java-ca-certificates
+%defattr(-, root, root)
+%dir %{_prefix}/lib/ca-certificates/java
+%{_prefix}/lib/ca-certificates/update.d/java.run
+%{_prefix}/lib/ca-certificates/java/keystore.jar
+%ghost /var/lib/ca-certificates/java-cacerts
+%ghost /var/lib/ca-certificates/gcj-cacerts
+%endif
+
+%changelog
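Review bot: The bundle file is installed and listed twice under two spellings of the same path. `%define cabundle /var/lib/ca-certificates/ca-bundle.pem` means `install -D -m 644 /dev/null %{buildroot}/%{cabundle}` in %install and the later `install -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/ca-bundle.pem` create the same file, and in %files both `%ghost %{cabundle}` and `%ghost /var/lib/ca-certificates/ca-bundle.pem` name it, which rpmbuild will flag as a file listed twice. Drop the second install line and the second %ghost line and keep only the `%{cabundle}` macro form so a future path change has a single place to edit.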
--- /dev/null
+#!/bin/bash
+# vim: syntax=sh
+
+shopt -s nullglob
+
+cafile="/var/lib/ca-certificates/ca-bundle.pem"
+cadir="/etc/ssl/certs"
+
+for i in "$@"; do
+ if [ "$i" = "-f" ]; then
+ fresh=1
+ elif [ "$i" = "-v" ]; then
+ verbose=1
+ fi
+done
+
+if [ -z "$fresh" -a "$cafile" -nt "$cadir" ]; then
+ exit 0
+fi
+echo "creating $cafile ..."
+cat > "$cafile.new" <<EOF
+#
+# automatically created by $0. Do not edit!
+#
+# Use of this file is deprecated and should only be used as last
+# resort by applications that cannot parse the $cadir directory.
+# You should avoid hardcoding any paths in applications anyways though.
+# Use e.g.
+# SSL_CTX_set_default_verify_paths() instead.
+#
+EOF
+for i in "$cadir"/*.pem; do
+ # only include certificates trusted for server auth
+ if grep -q "BEGIN TRUSTED CERTIFICATE" "$i"; then
+ trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
+ case "$trust" in
+ *serverAuth*) ;;
+ *) [ -z "$verbose" ] || echo "skipping $i" >&2; continue ;;
+ esac
+ fi
+ openssl x509 -in "$i"
+done >> "$cafile.new"
+mv "$cafile.new" "$cafile"
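Review bot: Failures while converting individual certificates are not detected in the `for i in "$cadir"/*.pem` loop: `openssl x509 -in "$i"` writes nothing on a malformed input, the loop continues, and `mv "$cafile.new" "$cafile"` installs a bundle silently missing that certificate with exit status 0. Suggest `openssl x509 -in "$i" || echo "failed to convert $i" >&2` (or aborting before the `mv`) so a broken trust store file is visible to the caller. Separately, unlike java.run this script never sets `umask 0022`, so the mode of `$cafile.new` depends on the invoking environment; set the umask before the `cat > "$cafile.new"` since applications that cannot use SSL_CTX_set_default_verify_paths() will read this file.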
--- /dev/null
+#!/bin/bash
+
+unset ${!LC_*} ${!RC_LC_*} LANGUAGE RC_LANG
+export LANG=en_US
+
+set -e
+
+libexecdir="/usr/lib/ca-certificates/java/"
+cafile="/var/lib/ca-certificates/java-cacerts"
+cafile_gcj="/var/lib/ca-certificates/gcj-cacerts"
+cadir="/etc/ssl/certs"
+
+tmppem="$cafile.tmp"
+
+cleanup()
+{
+ rm -rf "$tmppem"
+}
+trap cleanup EXIT
+
+for i in "$@"; do
+ if [ "$i" = "-f" ]; then
+ fresh=1
+ elif [ "$i" = "-v" ]; then
+ verbose=1
+ fi
+done
+
+umask 0022
+
+if [ -z "$JAVA_HOME" -a -r /etc/profile.d/alljava.sh ]; then
+ . /etc/profile.d/alljava.sh
+fi
+
+if [ -n "$JAVA_HOME" ]; then
+ java="$JAVA_HOME/bin/java"
+else
+ java=`type -P java`
+ if [ -n "$java" -a -L "$java" ]; then
+ java=`readlink -f "$java"`
+ if [ "${java//gij}" != "$java" ]; then
+ java=
+ fi
+ fi
+fi
+
+if [ ! -e "$libexecdir"/keystore.jar ]; then
+ # nothing to do
+ exit 0
+fi
+
+mustrun=
+if [ -n "$fresh" ]; then
+ mustrun=1
+fi
+if [ -e "$libexecdir"/keystore.jar -a "$cadir" -nt "$cafile" ]; then
+ mustrun=1
+fi
+
+[ -n "$mustrun" ] || exit 0
+
+mkdir -p ${cafile%/*}
+mkdir -p "$tmppem"
+for i in "$cadir"/*.pem; do
+ # only include certificates trusted for server auth
+ if grep -q "BEGIN TRUSTED CERTIFICATE" "$i"; then
+ trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
+ case "$trust" in
+ *serverAuth*) ;;
+ *) [ -z "$verbose" ] || echo "skipping $i" >&2; continue ;;
+ esac
+ openssl x509 -in "$i" -out "$tmppem/${i##*/}"
+ else
+ ln -s "$i" "$tmppem"
+ fi
+done
+
+if [ -n "$java" -a -x "$java" ]; then
+ echo "creating $cafile ..."
+ $java -jar $libexecdir/keystore.jar -keystore "$cafile" -cadir "$cadir" "$@"
+fi
+if [ -x "/usr/bin/gij" ]; then
+ echo "creating $cafile_gcj ..."
+ /usr/bin/gij -jar $libexecdir/keystore.jar -keystore "$cafile_gcj" -cadir "$cadir" "$@"
+fi
+
+# vim: syntax=sh
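Review bot: The serverAuth filtering in the `for i in "$cadir"/*.pem` loop has no effect on the result. The loop carefully builds `$tmppem` containing only certificates trusted for server authentication (converted with `openssl x509 -in "$i" -out "$tmppem/${i##*/}"` or symlinked), but both invocations then pass `-cadir "$cadir"` to keystore.jar, so the keystore is built from the unfiltered directory and `$tmppem` is only ever removed by `cleanup`. Change both calls to `-cadir "$tmppem"`, or drop the temporary directory if importing everything in `$cadir` is intended. Also quote `${cafile%/*}` in the `mkdir -p` for consistency with the rest of the script.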
--- /dev/null
+/*
+ * Import system SSL certificates to java keystore
+ * Copyright (C) 2010 SUSE LINUX Products GmbH
+ *
+ * Author: Ludwig Nussel
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+
+import java.security.KeyStore;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.BufferedInputStream;
+import java.io.FilenameFilter;
+import java.util.HashSet;
+import java.util.Enumeration;
+import java.util.Iterator;
+
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+
+public class keystore
+{
+ static HashSet<String> blacklist;
+
+ public static void usage() {
+ System.err.println("Usage: java keystore -keystore <keystore_file> -cadir <directory> [-storepass <password>|-f|-v]");
+ System.err.println("");
+ System.err.println(" -keystore <keystore_file>\tname of final keystore (required)");
+ System.err.println(" -cadir <directory>\t\tdirectory contains certificates (required)");
+ System.err.println(" -storepass <password>\tthe password");
+ System.err.println(" -f\t\t\t\tfresh existing keystore");
+ System.err.println(" -v\t\t\t\tbe verbose");
+ System.err.println(" -h/--help\t\t\tshow this help");
+ }
+
+ public static void main(String[] args)
+ throws java.security.KeyStoreException,
+ java.security.NoSuchAlgorithmException,
+ java.security.cert.CertificateException,
+ java.io.IOException
+ {
+ char[] password = null;
+ String ksfilename = null;
+ String cadirname = null;
+ boolean verbose = false;
+ boolean fresh = false;
+
+ if (args.length == 0) {
+ usage();
+ System.exit(1);
+ }
+
+
+ if (!System.getProperty("java.vendor").equals("Free Software Foundation, Inc.")) {
+ password = "changeit".toCharArray();
+ }
+
+ for (int i = 0; i < args.length; ++i) {
+ if (args[i].equals("-keystore")) {
+ ksfilename = args[++i];
+ } else if (args[i].equals("-cadir")) {
+ cadirname = args[++i];
+ } else if (args[i].equals("-storepass")) {
+ password = args[++i].toCharArray();
+ } else if (args[i].equals("-v")) {
+ verbose = true;
+ } else if (args[i].equals("-f")) {
+ fresh = true;
+ } else if (args[i].equals("-h") || args[i].equals("--help")) {
+ usage();
+ System.exit(1);
+ } else {
+ System.err.println("invalid argument: " + args[i]);
+ System.err.println("type -h/--help for help");
+ System.exit(1);
+ }
+ }
+
+ if (ksfilename == null) {
+ System.err.println("must specify -keystore");
+ return;
+ }
+
+ if (cadirname == null) {
+ System.err.println("must specify -cadir");
+ return;
+ }
+
+ File cadir = new File(cadirname);
+ if (!cadir.isDirectory()) {
+ System.err.println("cadir is not a directory");
+ return;
+ }
+
+ blacklist = new HashSet<String>();
+ // XXX: make a file
+// blacklist.add("foo");
+
+ String certs[] = cadir.list(new FilenameFilter(){
+ public boolean accept(File dir, String name)
+ {
+ if (!name.endsWith(".pem")) {
+ return false;
+ }
+ if (blacklist.contains(name)) {
+ return false;
+ }
+ return true;
+ }
+ });
+
+ KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+
+ FileInputStream storein = null;
+ try {
+ File f = new File(ksfilename);
+ if (!fresh && f.exists()) {
+ storein = new FileInputStream(ksfilename);
+ }
+ ks.load(storein, password);
+ } finally {
+ if (storein != null) {
+ storein.close();
+ }
+ }
+
+ HashSet<String> known = new HashSet<String>();
+ for (Enumeration<String> a = ks.aliases(); a.hasMoreElements();) {
+ known.add(a.nextElement());
+ }
+
+ CertificateFactory cf = CertificateFactory.getInstance("X509");
+ int added = 0;
+ int removed = 0;
+
+ for (int i = 0; i < certs.length; ++i) {
+ BufferedInputStream f;
+ try {
+ f = new BufferedInputStream(new FileInputStream(cadirname+"/"+certs[i]));
+ } catch (java.io.FileNotFoundException ex) {
+ System.err.println("skipping " + certs[i] + ": file not found");
+ continue;
+ }
+ String marker = "-----BEGIN CERTIFICATE-----";
+ boolean found = false;
+
+ f.mark(80);
+ String line;
+ String alias = null;
+ // we need to parse and skip the "header"
+ while((line = readline(f)) != null) {
+ if (line.equals(marker)) {
+ f.reset();
+ found = true;
+ break;
+ } else if (line.startsWith("# alias=")) {
+ // FIXME: somehow UTF-8 encoding must be enforced here
+ alias = line.substring(8);
+ }
+ f.mark(80);
+ }
+ if (found) {
+ if (alias == null) {
+ alias = certs[i].substring(0, certs[i].length()-4); // without .pem
+ }
+ alias = alias.toLowerCase();
+ try {
+ X509Certificate cert = (X509Certificate)cf.generateCertificate(f);
+ if (known.contains(alias)) {
+ if (verbose)
+ System.out.println("already known: " + alias);
+ known.remove(alias);
+ } else {
+ if (verbose)
+ System.out.println("adding " + alias);
+ ks.setCertificateEntry(alias, cert);
+ ++added;
+ }
+ } catch (java.security.cert.CertificateException ex) {
+ System.err.println("imporing " + certs[i] + " failed: " + ex.getCause());
+ }
+ } else {
+ System.out.println("skipping file with unrecognized format: " + certs[i]);
+ }
+ }
+
+ if (!known.isEmpty()) {
+ for (Iterator<String> it = known.iterator(); it.hasNext();) {
+ String alias = it.next();
+ if (verbose)
+ System.out.println("removing " + alias);
+ ks.deleteEntry(alias);
+ ++removed;
+ }
+ }
+
+ if (added != 0 || removed != 0) {
+ FileOutputStream storeout = new FileOutputStream(ksfilename);
+ ks.store(storeout, password);
+ storeout.close();
+ }
+
+ System.out.println(added + " added, " + removed + " removed.");
+ }
+
+ public static String readline(BufferedInputStream in)
+ throws java.io.IOException
+ {
+ StringBuffer buf = new StringBuffer(80);
+ int c = in.read();
+ while(c != -1 && c != '\n' && c != '\r') {
+ buf.append((char)c);
+ c = in.read();
+ }
+ if (c == '\r') {
+ in.mark(1);
+ c = in.read();
+ if (c != '\n')
+ in.reset();
+ }
+ if (buf.length() == 0)
+ return null;
+
+ return buf.toString();
+ }
+}
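Review bot: the pruning pass after the import loop (`if (!known.isEmpty())` ... `ks.deleteEntry(alias)`) deletes every keystore entry that was not matched by a successfully parsed .pem, so a certificate whose file fails in `cf.generateCertificate(f)` (the `CertificateException` branch never calls `known.remove(alias)`) is silently dropped from the keystore on that run, and so is any entry the operator added by hand, including private key entries, because the delete is not restricted to certificate entries. Suggest removing the alias from `known` in the catch block as well and guarding the delete with `ks.isCertificateEntry(alias)`. Smaller points in the same hunk: `args[++i]` for `-keystore`, `-cadir` and `-storepass` reads past the end of `args` when the option is last, giving an `ArrayIndexOutOfBoundsException` instead of the usage message; `readline` returns `null` for an empty line, so a blank line ahead of `-----BEGIN CERTIFICATE-----` makes the file fall through as "unrecognized format"; the keystore is rewritten in place through a `FileOutputStream` with no try/finally, so an exception inside `ks.store` leaves a truncated keystore (write to a temporary file and rename it over the old one); the `BufferedInputStream` opened per certificate is never closed; "imporing" should read "importing", and `ex.getCause()` is usually null for a parse error, so `ex.getMessage()` is the more useful thing to print. The `blacklist` set is still empty behind an XXX comment, so the `blacklist.contains(name)` branch of the filter is dead code until it is populated from a file.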
--- /dev/null
+#!/usr/bin/perl -w
+#
+# update-ca-certificates
+#
+# Copyright (c) 2010 SUSE Linux Products GmbH
+# Author: Ludwig Nussel
+#
+# Inspired by Debian's update-ca-certificates
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02111-1301,
+# USA.
+#
+
+use strict;
+
+use File::Basename;
+use File::Find;
+use Getopt::Long;
+
+my $certsconf = '/etc/ca-certificates.conf';
+my $hooksdir1 = '/etc/ca-certificates/update.d';
+my $hooksdir2 = '/usr/lib/ca-certificates/update.d';
+my $certsdir = "/usr/share/ca-certificates";
+my $localcertsdir = "/usr/local/share/ca-certificates";
+my $etccertsdir = "/etc/ssl/certs";
+
+my (%blacklist, %whitelist, %added, %removed);
+
+my ($opt_verbose, $opt_fresh, $opt_help);
+
+sub startswith($$)
+{
+ return $_[1] eq substr($_[0], 0, length($_[1]));
+}
+
+sub targetfilename($)
+{
+ my $t = $etccertsdir.'/'.basename($_[0]);
+ $t =~ s/\.crt$/.pem/;
+ return $t;
+}
+
+sub addcert($)
+{
+ my $f = $_[0];
+ my $t = targetfilename($f);
+ return if -e $t;
+ unlink $t if -l $t; # dangling symlink
+ if (symlink($f, $t)) {
+ $added{$t} = 1;
+ delete $removed{$f} if exists $removed{$f};
+ } else {
+ print STDERR "symlink of $t failed: $!\n";
+ }
+}
+
+sub removecert($)
+{
+ my $t = targetfilename($_[0]);
+ if (-l $t) {
+ $removed{$t} = 1;
+ unlink $t;
+ }
+}
+
+Getopt::Long::Configure("no_ignore_case");
+GetOptions(
+ "verbose|v" => \$opt_verbose,
+ "fresh|f" => \$opt_fresh,
+ "help|h" => \$opt_help,
+ ) or die "$!\n";
+
+if ($opt_help)
+{
+ print "USAGE: $0 [OPTIONS]\n";
+ print "OPTIIONS:\n";
+ print " --verbose, -v verbose output\n";
+ print " --fresh, -f start from scratch\n";
+ print " --help, -h this screen\n";
+ exit 0;
+}
+
+if (open(F, '<', $certsconf)) {
+ while (<F>) {
+ next if /^#/;
+ chomp;
+ next unless length($_);
+ if (/^!/) {
+ s/^!//;
+ $blacklist{$_} = 1;
+ } else {
+ $whitelist{$_} = 1;
+ }
+ }
+ close F;
+}
+
+if ($opt_fresh || %whitelist) {
+ for my $f (glob "$etccertsdir/*" ) {
+ next unless -l $f;
+ my $l = readlink $f;
+ next unless defined $l;
+ if (startswith($l, $etccertsdir)
+ || startswith($l, $localcertsdir))
+ {
+ if ($opt_fresh || %whitelist &&
+ !exists($whitelist{basename($l)}))
+ {
+ unlink $f;
+ $removed{$f} = 1;
+ }
+ }
+ }
+}
+
+my @files;
+File::Find::find({
+ no_chdir => 1,
+ wanted => sub {
+ -f && /\.(?:pem|crt)$/ && push @files, $_;
+ }
+ }, $certsdir);
+for my $f (@files) {
+ my $n = substr($f, length($certsdir)+1);
+ if (exists($blacklist{$n})) {
+ removecert($f);
+ next;
+ }
+ next if %whitelist && !exists($whitelist{$n});
+ addcert($f);
+}
+
+for my $f (glob "$localcertsdir/*.{pem,crt}") {
+ addcert($f);
+}
+
+for my $f (glob "$etccertsdir/*.pem") {
+ if (-l $f && !-e $f) {
+ if (startswith($f, $etccertsdir)
+ || startswith($f, $localcertsdir))
+ {
+ $removed{$f} = 1;
+ }
+ # clean dangling symlinks
+ unlink $f
+ }
+}
+
+chdir $etccertsdir || die "$!";
+if (%added || %removed || $opt_fresh) {
+ print "Updating certificates in $etccertsdir...\n";
+ my $redir = ($opt_verbose?'':'> /dev/null');
+ system("c_rehash . $redir");
+
+ printf("%d added, %d removed.\n",
+ (%added?(scalar keys %added):0),
+ (%removed?(scalar keys %removed):0));
+}
+
+my @args;
+push @args, '-f' if $opt_fresh;
+push @args, '-v' if $opt_verbose;
+for my $f (glob("$hooksdir2/*.run"), glob("$hooksdir1/*.run")) {
+ system($f, @args);
+}
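Review bot: `chdir $etccertsdir || die "$!";` parses as `chdir($etccertsdir || die "$!")`, so the `die` can never fire and a failed chdir is ignored; `c_rehash .` then runs in whatever the current directory happens to be. Write `chdir($etccertsdir) or die "$!";`. Second, both cleanup loops compare against the wrong prefix: in the `$opt_fresh || %whitelist` block the link target `$l` is tested with `startswith($l, $etccertsdir)`, but `addcert` only ever creates links pointing into `$certsdir` or `$localcertsdir`, so links into /usr/share/ca-certificates are never removed by `--fresh` or by a whitelist change, and the whitelist is keyed by paths relative to `$certsdir` (see `$n = substr($f, length($certsdir)+1)`) while that block looks up `basename($l)`, so entries in subdirectories never match; in the dangling-symlink loop `startswith($f, $etccertsdir)` is always true because `$f` came from `glob "$etccertsdir/*.pem"`, so it presumably meant the `readlink` target. Both should test the target against `$certsdir` and `$localcertsdir`. Minor: "OPTIIONS" in the help text; the return values of `system("c_rehash ...")` and of the `*.run` hooks are not checked, so a failing hook does not affect the exit status; local certificates are collected with a non-recursive glob while `$certsdir` is walked with `File::Find`, which does not match the manpage's "all certificates found below /usr/local/share/ca-certificates".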
--- /dev/null
+.\" Hey, EMACS: -*- nroff -*-
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH UPDATE-CA-CERTIFICATES 8 "27 April 2010"
+.\" Please adjust this date whenever revising the manpage.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp <n> insert n+1 empty lines
+.\" for manpage-specific macros, see man(7)
+.SH NAME
+update-ca-certificates \- update system CA certificates
+.SH SYNOPSIS
+.B update-ca-certificates
+.RI [ options ]
+.SH DESCRIPTION
+\fBupdate-ca-certificates\fP updates the directory
+/etc/ssl/certs to hold SSL certificates and generates /etc/ssl/ca-bundle.pem,
+a concatenated single-file list of certificates.
+.PP
+It reads the file /etc/ca-certificates.conf. Each line gives a pathname of
+a CA certificate under /usr/share/ca-certificates that should be trusted.
+Lines that begin with "#" are comment lines and thus ignored.
+Lines that begin with "!" are deselected, causing the deactivation
+of the CA certificate in question. All certificates are implicitly
+trusted if no trusted certificates are listed.
+.PP
+Furthermore all certificates found below /usr/local/share/ca-certificates
+are also included as implicitly trusted.
+.PP
+After populating /etc/ssl/certs \fBupdate-ca-certificates\fP invokes
+custom hooks in /usr/lib/ca-certificates/update.d/*.run and
+/etc/ca-certificates/update.d/*.run. The command line options used
+for invoking update-ca-certificates are passed to the hooks as well.
+.SH OPTIONS
+A summary of options is included below.
+.TP
+.B \-h, \-\-help
+Show summary of options.
+.TP
+.B \-v, \-\-verbose
+Be verbose. Output \fBc_rehash\fP.
+.TP
+.B \-f, \-\-fresh
+Fresh updates. Removes symlinks in /etc/ssl/certs directory and
+re-creates them from scratch.
+.SH FILES
+.TP
+.I /etc/ca-certificates.conf
+A configuration file.
+.TP
+.I /etc/ssl/ca-bundle.pem
+A single-file version of all CA certificates. Use of this file is
+deprecated and should only be used as last resort by applications
+that cannot parse the /etc/ssl/certs directory.
+.TP
+.I /usr/share/ca-certificates
+Directory of CA certificates.
+.I /usr/local/share/ca-certificates
+Directory of local CA certificates.
+.SH SEE ALSO
+.BR c_rehash (1),
+.SH AUTHOR
+This manual page was written by Fumitoshi UKAI <ukai@debian.or.jp>,
+for the Debian project and modified by Ludwig Nussel
+<ludwig.nussel@suse.de>.
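Review bot: the FILES section is missing a `.TP` before `.I /usr/local/share/ca-certificates`, so that entry renders as a continuation of the /usr/share/ca-certificates paragraph instead of its own tagged item; add `.TP` between the two. The `.BR c_rehash (1),` line in SEE ALSO ends with a comma but nothing follows it; drop the comma. The DESCRIPTION says the tool "generates /etc/ssl/ca-bundle.pem", but nothing in the update-ca-certificates script in this patch writes that file; if a hook under update.d produces it, say so here and in the FILES entry for ca-bundle.pem. Wording: "Be verbose. Output \fBc_rehash\fP." would read better as "Be verbose; show the output of \fBc_rehash\fP.", and "Fresh updates." as "Start from scratch:".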