Fix empty Release tag

Merge CI-CD Changes

.copr/Makefile

@@ -0,0 +1,12 @@
+#!/usr/bin/make
+
+SHELL := bash
+
+source:
+	dnf -y install cmake gcc gcc-c++ openssl
+	cmake --fresh -DBUILD_RPMS=ON -B build -S .
+	cmake --build build --target srpm
+
+srpm: source
+	mkdir -p $(outdir)
+	cp dist/*.src.rpm $(outdir)

.github/workflows/ci.yml

@@ -0,0 +1,55 @@
+name: Build and Release CI
+on:
+  push:
+  schedule:
+    - cron: '30 4 1,15 * *'
+  workflow_dispatch:
+
+jobs:
+  release-ci:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Local checkout
+        uses: actions/checkout@v4
+
+      - name: Install CI dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get -y -qq install cmake openssl g++ gcc
+
+      - name: Get latest package metadata
+        id: get_metadata
+        run: |
+          cmake --fresh -B build -S .
+          echo "tag=v$(cat build/version)" >> $GITHUB_OUTPUT
+          echo "hash=$(sha256sum build/hash | sed 's/\s.*//g')" >> $GITHUB_OUTPUT
+          
+      - name: Check if package version has corresponding git tag
+        id: tagged
+        shell: bash
+        run: |
+          git show-ref \
+            --tags --verify --quiet -- \
+            "refs/tags/${{ steps.get_metadata.outputs.tag }}" \
+          && echo tagged=1 >> $GITHUB_OUTPUT \
+          || echo tagged=0 >> $GITHUB_OUTPUT
+
+      - name: Create new tag and set to_release
+        id: newtag
+        if: steps.tagged.outputs.tagged == 0
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+          git tag -a ${{ steps.get_metadata.outputs.tag }} \
+            -m "New cert chain was released" \
+            --trailer "SHA256:${{ steps.get_metadata.outputs.hash }}" \
+          && echo to_release=1 >> $GITHUB_OUTPUT \
+          && git push origin ${{ steps.get_metadata.outputs.tag  }} \
+          || exit 0
+
+      - name: Create and publish GitHub release
+        if: steps.newtag.outputs.to_release == 1
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ steps.get_metadata.outputs.tag }}

.gitignore

@@ -0,0 +1,18 @@
+.cache
+.clang-format
+.clangd
+.idea
+
+cmake-build*
+build/
+ _CPack_Packages/
+ CMakeFiles/
+ Makefile
+ cmake_install.cmake
+ CPackConfig.cmake
+ CPackSourceConfig.cmake
+ CTestTestfile.cmake
+ CMakeCache.txt
+
+dist/
+temp/

CMakeLists.txt

@@ -0,0 +1,136 @@
+cmake_minimum_required(VERSION 3.16)
+
+project(ca-certificates-brazil)
+set(HASH_FILE "hashsha512.txt")
+
+execute_process(
+  COMMAND bash -c 
+    "date +%Y.%m.%d \
+      -d \"$( \
+      curl -ksI $(grep ${HASH_FILE} ${CMAKE_SOURCE_DIR}/sources) \
+        | grep -iPo '^Last-Modified: \\K[\\S ]*'
+      )\"
+    "
+  OUTPUT_VARIABLE PROJECT_VERSION
+  OUTPUT_STRIP_TRAILING_WHITESPACE
+)
+
+execute_process(
+  COMMAND echo ${PROJECT_VERSION}
+  OUTPUT_FILE ${CMAKE_BINARY_DIR}/version
+)
+
+set(SourceFiles 
+  "${CMAKE_SOURCE_DIR}/cmake"
+  "${CMAKE_SOURCE_DIR}/CMakeLists.txt"
+  "${CMAKE_SOURCE_DIR}/CPackLists.txt"
+  "${CMAKE_SOURCE_DIR}/sources"
+)
+
+include(CPackLists.txt)
+
+add_custom_target(clear-cache
+  COMMAND rm -rf cache/
+)
+
+add_custom_target(clear-certs
+  COMMAND rm -rf certs/
+)
+
+add_custom_target(clear-anchors
+  COMMAND rm -rf pki/
+)
+
+add_custom_target(clear-docs
+  COMMAND rm -rf docs/
+)
+
+add_custom_target(clear-all
+  DEPENDS
+    clear-anchors
+    clear-cache
+    clear-certs
+    clear-docs
+)
+
+add_custom_target(sources
+  COMMAND xargs -n1
+    curl
+      --create-dirs
+      --output-dir cache
+      -ksO < ${CMAKE_CURRENT_SOURCE_DIR}/sources
+  DEPENDS
+    clear-cache
+)
+
+add_custom_target(certs
+  COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/utils/cert-tool extract
+    && ${CMAKE_CURRENT_SOURCE_DIR}/utils/cert-tool classify
+  DEPENDS
+    clear-certs
+    sources
+)
+
+add_custom_target(anchors ALL
+  COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/utils/cert-tool anchors
+  DEPENDS
+    clear-anchors
+    certs
+)
+
+add_custom_target(docs ALL
+  COMMAND mkdir docs
+    && cp cache/*.pdf docs/
+  DEPENDS
+    clear-docs
+    sources
+)
+
+# Checks for OpeSSL utility
+find_program(OPENSSL
+  NAMES openssl openssl3
+  REQUIRED
+)
+message("-- Check for OpenSSL utility: ${OPENSSL}")
+
+# Checks which tool is used to update certificate keyring
+find_program(UPDATE_CACERTS_TOOL
+  NAMES
+    update-ca-certificates
+    update-ca-trust
+  REQUIRED
+)
+message("-- Check for CA certificates update tool: ${UPDATE_CACERTS_TOOL}")
+string(REGEX MATCH "update-ca-trust" P11KIT UPDATE_CACERTS_TOOL)
+string(REGEX MATCH "update-ca-certificates" LEGACY UPDATE_CACERTS_TOOL)
+
+# Set install destination directory according the used tool
+if(DEFINED P11KIT)
+  set(CACERT_INSTALL_DIR "share/pki/ca-trust-source/anchors")
+else()
+  set(CACERT_INSTALL_DIR "share/ca-certificates/extra")
+endif()
+message("-- Set install path to CA certificates: ${CACERT_INSTALL_DIR}")
+
+install(
+  DIRECTORY 
+    ${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/.
+  DESTINATION
+    ${CMAKE_INSTALL_PREFIX}/${CACERT_INSTALL_DIR}
+  FILES_MATCHING
+    PATTERN "*.crt"
+)
+
+set(DOCS_INSTALL_DIR "share/doc/${PROJECT_NAME}")
+install(
+  FILES
+  ${CMAKE_CURRENT_SOURCE_DIR}/LICENSE
+    ${CMAKE_CURRENT_SOURCE_DIR}/README.md
+    ${CMAKE_CURRENT_BINARY_DIR}/docs/cpsrootca.pdf
+    ${CMAKE_CURRENT_BINARY_DIR}/docs/DPCacraiz.pdf
+    ${CMAKE_CURRENT_BINARY_DIR}/docs/PSacraiz.pdf
+  DESTINATION
+    ${CMAKE_INSTALL_PREFIX}/${DOCS_INSTALL_DIR}
+)
+
+# vim: ts=2:sw=2:sts=2:et

CPackLists.txt

@@ -0,0 +1,171 @@
+cmake_minimum_required(VERSION 3.16)
+
+set(CPACK_PACKAGE_VERSION "${PROJECT_VERSION}")
+set(CPACK_OUTPUT_FILE_PREFIX "${PROJECT_SOURCE_DIR}/dist")
+set(CPACK_VERBATIM_VARIABLES YES)
+
+set(SourceIgnoreFiles 
+  ".cache"
+  ".copr"
+  ".clang-format"
+  ".clangd"
+  ".git/"
+  ".gitea/"
+  ".github/"
+  ".gitignore"
+  ".idea"
+  "CMakeCache.txt"
+  "CMakeFiles/"
+  "CPackConfig.cmake$"
+  "CPackSourceConfig.cmake"
+  "CTestTestfile.cmake"
+  "Makefile"
+  "_CPack_Packages/"
+  "build/"
+  "cmake-build*"
+  "cmake_install.cmake"
+  "dist/"
+  "temp/"
+)
+
+# Escape any '.' and '/' characters
+string(REPLACE "." "\\\." SourceIgnoreFiles "${SourceIgnoreFiles}")
+string(REPLACE "/" "\\\/" SourceIgnoreFiles "${SourceIgnoreFiles}")
+
+# Override install prefix for package target
+string(REGEX REPLACE "^/(.*)" "\\1" 
+  CPACK_PACKAGING_INSTALL_PREFIX "${CMAKE_INSTALL_PREFIX}"
+)
+set(CPACK_SET_DESTDIR ON)
+
+set(CPACK_GENERATOR "TGZ")
+set(CPACK_PACKAGE_TOPLEVEL_TAG "noarch")
+set(CPACK_INCLUDE_TOPLEVEL_DIRECTORY 0)
+set(CPACK_PACKAGE_FILE_NAME "${PROJECT_NAME}-${PROJECT_VERSION}.${CPACK_PACKAGE_TOPLEVEL_TAG}")
+set(CPACK_IGNORE_FILES "${SourceIgnoreFiles}")
+set(CPACK_OUTPUT_CONFIG_FILE "${PROJECT_BINARY_DIR}/CPackConfig.cmake")
+configure_file(
+  "${PROJECT_SOURCE_DIR}/cmake/CPackConfig.cmake.in"
+  "${PROJECT_BINARY_DIR}/CPackConfig.cmake"
+  @ONLY
+)
+
+set(CPACK_SOURCE_GENERATOR "TGZ")
+set(CPACK_SOURCE_TOPLEVEL_TAG "src")
+set(CPACK_SOURCE_PACKAGE_FILE_NAME "${PROJECT_NAME}-${PROJECT_VERSION}.${CPACK_SOURCE_TOPLEVEL_TAG}")
+set(CPACK_SOURCE_IGNORE_FILES "${SourceIgnoreFiles}")
+set(CPACK_SOURCE_OUTPUT_CONFIG_FILE "${PROJECT_BINARY_DIR}/CPackSourceConfig.cmake")
+configure_file(
+  "${PROJECT_SOURCE_DIR}/cmake/CPackConfig.cmake.in"
+  "${PROJECT_BINARY_DIR}/CPackSourceConfig.cmake"
+  @ONLY
+)
+
+if(BUILD_RPMS)
+execute_process(
+  COMMAND cat "${CMAKE_CURRENT_SOURCE_DIR}/changelog.txt"
+  OUTPUT_VARIABLE CPACK_RPM_CHANGELOG
+)
+
+execute_process(
+  COMMAND bash -c
+    "head -1 \"${CMAKE_CURRENT_SOURCE_DIR}/changelog.txt\" \
+      | grep -iPo '.*${CPACK_PACKAGE_VERSION}-\\K[\\d]' \
+      | tr -d '\\n' \
+      | grep -P '\\d' \
+    || echo -n 1 \
+    "
+  OUTPUT_VARIABLE CPACK_RPM_PACKAGE_RELEASE
+)
+
+CONFIGURE_FILE("${CMAKE_CURRENT_SOURCE_DIR}/packaging/pkg.spec.in"
+  "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec"
+  @ONLY 
+  IMMEDIATE
+)
+
+set(CPACK_GENERATOR "RPM")
+set(CPACK_SOURCE_GENERATOR "RPM")
+set(CPACK_RPM_USER_PACKAGE_SOURCES ON)
+set(CPACK_RPM_USER_PACKAGE_SOURCE "${CPACK_OUTPUT_FILE_PREFIX}/${CPACK_SOURCE_PACKAGE_FILE_NAME}")
+set(CPACK_RPM_USER_BINARY_SPECFILE "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec")
+endif()
+
+include(CPack)
+
+add_custom_target(build-rpms)
+add_custom_target(no-build-rpms)
+
+add_custom_command(
+  TARGET build-rpms
+  POST_BUILD
+  COMMAND "${CMAKE_COMMAND}"
+    -DBUILD_RPMS=ON
+    -B "${CMAKE_BINARY_DIR}"
+    -S "${CMAKE_SOURCE_DIR}"
+  VERBATIM
+  USES_TERMINAL
+)
+
+add_custom_command(
+  TARGET no-build-rpms
+  POST_BUILD
+  COMMAND "${CMAKE_COMMAND}"
+    -DBUILD_RPMS=OFF
+    -B "${CMAKE_BINARY_DIR}"
+    -S "${CMAKE_SOURCE_DIR}"
+  VERBATIM
+  USES_TERMINAL
+)
+
+add_custom_target(srpm
+  COMMAND "${CMAKE_COMMAND}"
+    --build "${CMAKE_BINARY_DIR}"
+    --target package_source
+  DEPENDS build-rpms
+  VERBATIM
+  USES_TERMINAL
+)
+
+add_custom_target(rpms
+  COMMAND rpmbuild
+    --rebuild
+    --define "_rpmdir ${CPACK_OUTPUT_FILE_PREFIX}"
+    "${CPACK_OUTPUT_FILE_PREFIX}/${PROJECT_NAME}-${PROJECT_VERSION}-?.fc??.src.rpm"
+  DEPENDS build-rpms srpm
+  VERBATIM
+  USES_TERMINAL
+)
+
+add_custom_command(
+  TARGET rpms
+  POST_BUILD
+  COMMAND /bin/sh -c "find \
+    \"${CPACK_OUTPUT_FILE_PREFIX}/\" \
+    -mindepth 2 -type f -exec mv {} \"${CPACK_OUTPUT_FILE_PREFIX}/\" \; \
+    && find \"${CPACK_OUTPUT_FILE_PREFIX}\" \
+    -type d -empty -delete \
+  "
+  VERBATIM
+  USES_TERMINAL
+)
+
+add_custom_target(sdist
+  COMMAND "${CMAKE_COMMAND}"
+    --build "${CMAKE_BINARY_DIR}"
+    --target package_source
+  DEPENDS no-build-rpms
+  VERBATIM
+  USES_TERMINAL
+)
+
+add_custom_target(bdist
+  COMMAND "${CMAKE_COMMAND}"
+    --build "${CMAKE_BINARY_DIR}"
+    --target package
+  DEPENDS no-build-rpms
+  VERBATIM
+  USES_TERMINAL
+)
+
+# vim: ts=2:sw=2:sts=2:et:syntax=cmake

README.md

@@ -1,2 +1,28 @@
 # ca-certificates-brazil
+---
 The Brazilian Public Key Infrastructure:  ICP-Brasil
+
+## Description
+The Brazilian Public Key Infrastructure - ICP-Brasil is a hierarchical chain
+of trust that enables the issuance of digital certificates for the virtual
+identification of citizens.
+
+It is observed that the model adopted by Brazil was single-root certification,
+and the ITI, in addition to playing the role of Root Certifying Authority - Root AC,
+also has the role of accrediting and discrediting the other participants in the
+chain, supervise and audit the processes.
+
+## Documentation
+
+* [ICP-Brasil Root Certification Authority Certification Practices Statement (in Portuguese)](
+    https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
+  )
+* [Certification Practice Statement Root Certification Authority of Brazil](
+    https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
+  )
+* [Security Policy of Root-CA (in Portuguese)](
+    https://acraiz.icpbrasil.gov.br/PSacraiz.pdf
+  )
+
+These files may also have been distributed within the installation package provided
+by your distribution.

changelog.txt

@@ -0,0 +1,2 @@
+* Fri Jul 04 2025 Christian Tosta <7252968+christiantosta@users.noreply.github.com> 2025.07.04-1
+- This is an automatically built package (See our Git URL for more info).

cmake/CPackConfig.cmake.in

@@ -0,0 +1,29 @@
+# This file will be configured to contain variables for CPack. These variables
+# should be set in the CMake list file of the project before CPack module is
+# included. Example variables are:
+#   CPACK_GENERATOR                     - Generator used to create package
+#   CPACK_INSTALL_CMAKE_PROJECTS        - For each project (path, name, component)
+#   CPACK_CMAKE_GENERATOR               - CMake Generator used for the projects
+#   CPACK_INSTALL_COMMANDS              - Extra commands to install components
+#   CPACK_INSTALL_DIRECTORIES           - Extra directories to install
+#   CPACK_PACKAGE_DESCRIPTION_FILE      - Description file for the package
+#   CPACK_PACKAGE_DESCRIPTION_SUMMARY   - Summary of the package
+#   CPACK_PACKAGE_EXECUTABLES           - List of pairs of executables and labels
+#   CPACK_PACKAGE_FILE_NAME             - Name of the package generated
+#   CPACK_PACKAGE_ICON                  - Icon used for the package
+#   CPACK_PACKAGE_INSTALL_DIRECTORY     - Name of directory for the installer
+#   CPACK_PACKAGE_NAME                  - Package project name
+#   CPACK_PACKAGE_VENDOR                - Package project vendor
+#   CPACK_PACKAGE_VERSION               - Package project version
+#   CPACK_PACKAGE_VERSION_MAJOR         - Package project version (major)
+#   CPACK_PACKAGE_VERSION_MINOR         - Package project version (minor)
+#   CPACK_PACKAGE_VERSION_PATCH         - Package project version (patch)
+
+# There are certain generator specific ones
+
+# NSIS Generator:
+#   CPACK_PACKAGE_INSTALL_REGISTRY_KEY  - Name of the registry key for the installer
+#   CPACK_NSIS_EXTRA_UNINSTALL_COMMANDS - Extra commands used during uninstall
+#   CPACK_NSIS_EXTRA_INSTALL_COMMANDS   - Extra commands used during install
+
+@_CPACK_OTHER_VARIABLES_@

packaging/pkg.spec.in

@@ -0,0 +1,80 @@
+%global debug_package %{nil}
+%global source_date_epoch_from_changelog 0
+%global packager Christian Tosta <7252968+christiantosta@users.noreply.github.com>
+
+%define __openssl   %{_bindir}/openssl
+
+Name:               ca-certificates-brazil
+Version:            @CPACK_PACKAGE_VERSION@
+Release:            @CPACK_RPM_PACKAGE_RELEASE@%{?dist}
+Summary:            The ICP-Brasil root certificate bundle
+
+License:            MIT AND Public Domain
+URL:                https://www.gov.br/iti/pt-br/assuntos/certificado-digital
+Source0:            %{name}-%{version}.tar.gz
+
+BuildArch:          noarch
+BuildRequires:      %{__openssl}
+BuildRequires:      %{_bindir}/cmake
+BuildRequires:      %{_bindir}/mktemp
+BuildRequires:      %{_bindir}/unzip
+BuildRequires:      gcc
+BuildRequires:      gcc-c++
+Provides:           ca-certificates(ICP-Brasil) = %{version}-%{release}
+Provides:           config(ICP-Brasil) = %{version}-%{release}
+Requires:           %{name}-extras
+
+%description
+The Brazilian Public Key Infrastructure - ICP-Brasil is a hierarchical chain 
+of trust that enables the issuance of digital certificates for the virtual 
+identification of citizens.
+
+It is observed that the model adopted by Brazil was single-root certification,
+and the ITI, in addition to playing the role of Root Certifying Authority - Root AC,
+also has the role of accrediting and discrediting the other participants in the 
+chain, supervise and audit the processes.
+
+%prep
+%autosetup -n %{name}-%{version}.src
+%{cmake}
+
+%build
+BUILD_SHARED_LIBS= \
+CMAKE_CXX_FLAGS_RELEASE= \
+CMAKE_C_FLAGS_RELEASE= \
+CMAKE_Fortran_FLAGS_RELEASE= \
+CMAKE_INSTALL_DO_STRIP= \
+CMAKE_INSTALL_FULL_SBINDIR= \
+CMAKE_INSTALL_SBINDIR= \
+INCLUDE_INSTALL_DIR= \
+LIB_INSTALL_DIR= \
+SHARE_INSTALL_PREFIX= \
+SYSCONF_INSTALL_DIR= \
+%{cmake_build}
+
+%install
+%{__rm} -rf %{buildroot}
+%{cmake_install}
+
+%files 
+%doc %{_datadir}/doc/%{name}/*.pdf
+%doc %{_datadir}/doc/%{name}/README.md
+%license %{_datadir}/doc/%{name}/LICENSE
+%{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
+%post -p %{_bindir}/update-ca-trust
+%postun -p %{_bindir}/update-ca-trust
+
+%package extras
+Summary: Extra Root and Intermediate certificates used by ICP-Brasil
+%description extras
+%{summary}
+
+%files extras
+%license %{_datadir}/doc/%{name}/LICENSE
+%{_datadir}/pki/ca-trust-source/anchors/*.crt
+%exclude %{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
+%post extras -p %{_bindir}/update-ca-trust
+%postun extras -p %{_bindir}/update-ca-trust
+
+%changelog
+@CPACK_RPM_CHANGELOG@

sources

@@ -0,0 +1,10 @@
+https://acraiz.icpbrasil.gov.br/credenciadas/CertificadosAC-ICP-Brasil/ACcompactado.zip
+https://acraiz.icpbrasil.gov.br/credenciadas/CertificadosAC-ICP-Brasil/hashsha512.txt
+https://letsencrypt.org/certs/isrg-root-x2.pem
+https://letsencrypt.org/certs/lets-encrypt-e1.pem
+https://letsencrypt.org/certs/lets-encrypt-e2.pem
+https://letsencrypt.org/certs/lets-encrypt-r3.pem
+https://letsencrypt.org/certs/lets-encrypt-r4.pem
+https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
+https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
+https://acraiz.icpbrasil.gov.br/PSacraiz.pdf

utils/cert-tool

@@ -0,0 +1,176 @@
+#!/bin/bash
+set -euo pipefail
+
+check_cert_validity() {
+  local cert=("${@}")
+
+  # Get validity dates of certificate
+  local expire=$(printf "%s\\n" "${cert[@]:1}" \
+    | openssl x509 \
+      -noout \
+      -dates \
+    | sed '/notAfter/!d;s/notAfter=//g;s/ /\\ /g' \
+    | xargs date +%s -d
+  )
+
+  # Checks if certificate is valid at this date
+  if [[ ${expire} -gt $(date +%s -d now) ]]; then
+    return 0
+  else
+    printf "%s: %s [%s %s]\\n" \
+      $"-- WARNING" \
+      $"Certificate was expired" \
+      $"Fingerprint=(SHA256)" \
+      ${cert[0]}
+    return 1
+  fi
+}
+
+unzip_fingerprint() {
+  local zip_source=${1:-}
+  local fp_algo=sha256
+
+  local files=$(
+      [[ -f "${zip_source}" ]] && \
+        (unzip -qql ${zip_source} | awk '{print $4}')
+    )
+
+  # Unzip cert into array and compute their fingerprint
+  printf "%s: %s\\n" $"Archive" "${zip_source}"
+  local file; for file in ${files}; do
+    readarray -t cert < <(
+      unzip -p ${zip_source} ${file} \
+      | openssl x509 \
+        -fingerprint \
+	      -${fp_algo} \
+      | sed 's/.*Fingerprint=//g;s/://g'
+    )
+
+    # Check validity dates of certificate then writes it to disk
+    if check_cert_validity "${cert[@]}"; then
+      local cert_file="certs/${cert[0]}.crt"
+      printf "  %s %s\\n" $"Inflating" "certs/${file}"
+      #printf "  %s %s\\n" $"Inflating" "certs/${cert[0]}.crt"
+      #printf "  - %s=(%s) %s\\n" "Fingerprint" "${fp_algo^^}" "${cert[0]}"
+      printf "%s\\n" "${cert[@]:1}" > "${cert_file}"
+    fi
+  done
+}
+
+copy_fingerprint() {
+  local cert_source=${1:-}
+  local fp_algo=sha256
+
+  readarray -t cert < <(
+    cat ${cert_source} \
+      | openssl x509 \
+        -fingerprint \
+        -${fp_algo} \
+      | sed 's/.*Fingerprint=//g;s/://g'
+  )
+
+  # Check validity dates of certificate then writes it to disk
+  if check_cert_validity "${cert[@]}"; then
+    local cert_file="certs/${cert[0]}.crt"
+    printf "%s %s\\n" $"Copying" "certs/${cert_source}"
+    printf "%s\\n" "${cert[@]:1}" > "${cert_file}"
+  fi
+}
+
+#split() {
+#  local certs=("${@}")
+#
+#  printf "%s\\n" "${certs[@]}" \
+#  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
+#  | csplit \
+#    --quiet \
+#    --elide-empty-files \
+#    --prefix ${random_prefix:-}-cert \
+#    --suffix-format=-%02d.crt \
+#    - '/-END CERTIFICATE-/1' \
+#   '{*}'
+#}
+
+function extract() {
+  local file
+  mkdir -p certs
+  find cache -type f | while read file; do
+    case "$(file -b --mime-type ${file})" in
+      application/zip) unzip_fingerprint "${file}" ;;
+      application/x-pem-file) copy_fingerprint ${file} ;;
+    esac
+  done
+}
+
+
+function classify() {
+  # Create classified output directories
+  mkdir -p certs/{ca-root,ca-trust,servers}
+
+  # Process and classify generated files
+  echo -e "\n-- CLASSIFYING CACHED CERTIFICATES\n"
+  count=0
+  cert_files=$(find certs/ -maxdepth 1 -type f)
+  for cert_file in ${cert_files}; do
+    fingerprint="(SHA256) ${cert_file}"
+    echo "+ Processing certificate [Fingerprint: ${fingerprint}]"
+    issuer=$(openssl x509 -in "${cert_file}" -noout -issuer | sed 's/^issuer=//g')
+    issuer_o=$(echo "${issuer}" | grep -iPo 'O\s*=\s*\K[^,]+' || :)
+    subject=$(openssl x509 -in "${cert_file}" -noout -subject | sed 's/^subject=//g')
+    subject_o=$(echo "${subject}" | grep -iPo 'O\s*=\s*\K[^,]+' || :)
+    subject_cn=$(echo "${subject}" | grep -iPo 'CN\s*=\s*\K[^,]+' || :)
+    cert_o=$(echo "${subject_o^^}" | sed -E "s/\s/_/g;s/'//g;s/\/.*//g;s/\*\.//g")
+    cert_cn=$(echo "${subject_cn}" | sed -E "s/\s/_/g;s/\/.*//g;s/^\*\./wildcard-/g")
+
+    # save temporary pem file to .CRT file
+    if [[  "${subject_cn}" =~ "gov.br" ]]; then # it's a server certificate
+      cert_crt_file="${issuer_o^^}-${cert_cn}.crt"
+      openssl x509 -in "${cert_file}" -out "certs/servers/${cert_crt_file}"
+      let count=count+1
+    elif [[ "${subject}" == "${issuer}" ]]; then # it's a root certificate (self-signed)
+      cert_crt_file="${cert_o}-${cert_cn}.crt"
+      openssl x509 -in "${cert_file}" -out "certs/ca-root/${cert_crt_file}"
+      let count=count+1
+    else # it's an intermediate certificate
+      cert_crt_file="${cert_o}-${cert_cn}.crt"
+      openssl x509 -in "${cert_file}" -out "certs/ca-trust/${cert_crt_file}"
+      let count=count+1
+    fi
+  done
+  echo "-- Processed certificates: ${count}"
+}
+
+function anchors() {
+  echo -e "\n-- GENERATING P11-KIT SOURCE ANCHORS"
+  
+  local ca_list=$(
+    (for cert in certs/{ca-root,ca-trust}/*.crt; do
+      openssl x509 -in ${cert} -noout -subject \
+        | grep -iPo 'O\s*=\s*\K[^,]+' \
+        | sed -E "s/\s/_/g;s/'//g;s/\/.*//g;s/\*\.//g;s/.*/\U&/";
+     done;
+    for cert in certs/servers/*.crt; do
+      openssl x509 -in ${cert} -noout -issuer \
+        | grep -iPo 'O\s*=\s*\K[^,]+' \
+        | sed -E "s/\s/_/g;s/'//g;s/\/.*//g;s/\*\.//g;s/.*/\U&/";
+    done;) | sort -u)
+
+  for ca in ${ca_list}; do
+    echo -e "\n-> Generating p11-kit source anchors for CA \"${ca}\""
+    local out=pki/ca-trust-source/anchors/${ca,,}-ca-bundle.crt
+    mkdir -p $(dirname ${out}); in=
+    for c in $(find certs/{ca-root,ca-trust,servers}/ -name ${ca}*); do
+      echo "+ Loading CA certificate: ${c}"
+      in="${in} -certfile ${c}"
+    done \
+      && openssl crl2pkcs7 -nocrl ${in} \
+        | openssl pkcs7 -print_certs -out ${out}
+  done
+}
+
+cmd=${@:1}; shift
+${cmd} ${@}
+
+exit 0
+
+# vim: ts=2:sw=2:sts=2:et