#
# YD must point to local java installation!
%define java_dir e:/os2/java160

# certdata.txt is generated by extracting it from Mozilla HG.
# This is done by downloading latest certdata.txt from:
#
#  https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt

%define pkidir %{_sysconfdir}/pki

Summary: The Mozilla CA root certificate bundle
Name: ca-certificates
Version: 2017.11
Release: 1%{?dist}
License: Public Domain
Group: System Environment/Base
URL: http://www.mozilla.org/

Source0: ca-certificates.zip

BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
#BuildRequires: java-openjdk, rcs
BuildRequires: perl, python
BuildArch: noarch

%description
This package contains the set of CA certificates chosen by the
Mozilla Foundation for use with the Internet PKI.

%prep
%setup -c
mkdir certs java

%build

cp certdata.txt certs
cp blacklist.txt certs
cd certs
python ../certdata2pem.py 
cd ..

 (
   cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from:
EOF
   ident -q certdata.txt | sed '1d;s/^/#/';
   echo '#';
 ) > ca-bundle.crt
 (
   cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
# format and have trust bits set accordingly.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from:
EOF
   ident -q certdata.txt | sed '1d;s/^/#/';
   echo '#';
 ) > ca-bundle.trust.crt
 for f in certs/*.crt; do 
   tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
   case $tbits in
   *serverAuth*) openssl x509 -text -in "$f" >> ca-bundle.crt ;;
   esac
   if [ -n "$tbits" ]; then
      targs=""
      for t in $tbits; do
         targs="${targs} -addtrust $t"
      done
      openssl x509 -text -in "$f" -trustout $targs >> ca-bundle.trust.crt
   fi
 done

 export PATH="%{java_dir}/bin${PATH:+;$PATH}"
 export BEGINLIBPATH="%{java_dir}/bin${BEGINLIBPATH:+;$BEGINLIBPATH}"

 cd java
 test -s ../ca-bundle.crt || exit 1
 %{__perl} ../generate-cacerts.pl %{java_dir}/bin/keytool.exe ../ca-bundle.crt
 touch -r ../certdata.txt cacerts
 cd ..

%install
rm -rf $RPM_BUILD_ROOT

mkdir -p $RPM_BUILD_ROOT%{pkidir}/tls/certs
mkdir -p $RPM_BUILD_ROOT%{pkidir}/java

install -p -m 644 ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
install -p -m 644 ca-bundle.trust.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt
ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
touch -r certdata.txt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
touch -r certdata.txt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.trust.crt

# Install Java cacerts file.
mkdir -p -m 700 $RPM_BUILD_ROOT%{pkidir}/java
install -p -m 644 java/cacerts $RPM_BUILD_ROOT%{pkidir}/java/

# /etc/ssl/certs symlink for 3rd-party tools
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
ln -s ../pki/tls/certs $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root,-)
%dir %{pkidir}/java
%config(noreplace) %{pkidir}/java/cacerts
%dir %{pkidir}/tls
%dir %{pkidir}/tls/certs
%config(noreplace) %{pkidir}/tls/certs/ca-bundle.*crt
%{pkidir}/tls/cert.pem
%dir %{_sysconfdir}/ssl
%{_sysconfdir}/ssl/certs

%changelog
* Thu Nov 09 2017 yd <yd@os2power.com> 2017.11-1
- update with latest certificates from Mozilla.

* Tue Jun 14 2016 yd <yd@os2power.com> 2016.06-1
- update with latest certificates from Mozilla.

* Thu Jan 5 2012 yd
- initial build