sigsolucoes/ca-certificates-brazil
3
0
Fork 0
mirror of https://github.com/ekaaty/ca-certificates-brazil.git synced 2025-12-06 01:22:38 -03:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: sigsolucoes:v2025.08.01
Branches Tags
sigsolucoes:main
sigsolucoes:v2025.11.25 sigsolucoes:v2025.10.07 sigsolucoes:v2025.08.22 sigsolucoes:v2025.08.01 sigsolucoes:v2025.07.04 sigsolucoes:v2025.05.28
..
compare: sigsolucoes:e82c47bd4964f308d2e48627dbc6e1fd69456eca
Branches Tags
sigsolucoes:main
sigsolucoes:v2025.11.25 sigsolucoes:v2025.10.07 sigsolucoes:v2025.08.22 sigsolucoes:v2025.08.01 sigsolucoes:v2025.07.04 sigsolucoes:v2025.05.28

25 Commits
v2025.08.0 ... e82c47bd49

Author SHA1 Message Date
Christian Tosta
e82c47bd49 Updated Fedora build CI
Some checks failed
Build and Release CI / release-ci (push) Has been cancelled
Details
Build and Release CI / build-fedora (push) Has been cancelled
Details
2025-04-18 14:49:45 -03:00
Christian Tosta
52b949232f Updated Fedora build CI 2025-04-18 14:44:33 -03:00
Christian Tosta
39ebc58474 Updated Fedora build CI 2025-04-18 14:36:56 -03:00
Christian Tosta
582cc027e8 Updated Fedora build CI 2025-04-18 14:34:38 -03:00
Christian Tosta
4eb3f5c61a Updated Fedora build CI 2025-04-18 14:23:42 -03:00
Christian Tosta
34d45a47d2 Updated Fedora build CI 2025-04-18 14:23:27 -03:00
Christian Tosta
94912593f0 Added Fedora build CI 2025-04-18 13:37:13 -03:00
Christian Tosta
bfe09d01e9 Added Fedora build CI 2025-04-18 13:31:40 -03:00
Christian Tosta
adca4dcde3 Added Fedora build CI 2025-04-18 13:29:47 -03:00
Christian Tosta
6fb0bf2ddc Replace workflows for CI workflow 2025-04-18 13:18:54 -03:00
Christian Tosta
003a05b17a Replace workflows for CI workflow 2025-04-18 13:17:24 -03:00
Christian Tosta
2a1c30ea74 Updated build RPM workflow 2025-04-18 11:57:12 -03:00
Christian Tosta
4bc89cd26b Updated build RPM workflow 2025-04-18 11:53:21 -03:00
Christian Tosta
f3c14cd2f6 Updated build RPM workflow 2025-04-18 11:47:34 -03:00
Christian Tosta
229fd03b51 Updated build RPM workflow 2025-04-18 11:43:12 -03:00
Christian Tosta
af6642198d Updated build RPM workflow 2025-04-18 11:40:07 -03:00
Christian Tosta
0604d891f1 Updated build RPM workflow 2025-04-18 11:34:12 -03:00
Christian Tosta
db7e33ce50 Added build RPM workflow 2025-04-18 11:32:00 -03:00
Christian Tosta
0e6cc7f9a4 Updated auto-tagging workflow 2025-04-18 11:01:33 -03:00
Christian Tosta
a008f27813 Added auto-tagging workflow 2025-04-18 10:51:42 -03:00
Christian Tosta
47529209d4 Add RPM packaging support 2025-04-18 10:22:15 -03:00
Christian Tosta
3df218f8e7 Save version on file 2025-04-18 10:18:48 -03:00
Christian Tosta
4b2bdb47bf CA PKI update tool autodetection (legacy/p11kit) 2025-04-16 08:39:53 -03:00
Christian Tosta
921cab191b Update README.md 2025-03-27 05:22:55 -03:00
Christian Tosta
bdc70acaaf Initial commit 2025-03-27 05:20:04 -03:00
12 changed files with 162 additions and 422 deletions
Expand all files Collapse all files

12
.copr/Makefile
View File

@@ -1,12 +0,0 @@
#!/usr/bin/make
SHELL := bash
source:
dnf -y install cmake gcc gcc-c++ openssl
cmake --fresh -DBUILD_RPMS=ON -B build -S .
cmake --build build --target srpm
srpm: source
mkdir -p $(outdir)
cp dist/*.src.rpm $(outdir)

35
.github/workflows/ci.yml vendored
View File

@@ -2,12 +2,14 @@ name: Build and Release CI
on: on:
push: push:
schedule: schedule:
- cron: '30 4 1,15 * *' - cron: '30 3 * * *'
workflow_dispatch: workflow_dispatch:
jobs: jobs:
release-ci: release-ci:
runs-on: ubuntu-latest runs-on: ubuntu-latest
outputs:
VERSION: ${{ steps.get_metadata.outputs.VERSION }}
steps: steps:
- name: Local checkout - name: Local checkout
@@ -16,14 +18,14 @@ jobs:
- name: Install CI dependencies - name: Install CI dependencies
run: | run: |
sudo apt-get update sudo apt-get update
sudo apt-get -y -qq install cmake openssl g++ gcc sudo apt-get -y -qq install cmake g++ gcc
- name: Get latest package metadata - name: Get latest package metadata
id: get_metadata id: get_metadata
run: | run: |
cmake --fresh -B build -S . cmake --fresh -B build -S .
echo "tag=v$(cat build/version)" >> $GITHUB_OUTPUT echo "TAG=v$(cat build/version)" >> $GITHUB_OUTPUT
echo "hash=$(sha256sum build/hash | sed 's/\s.*//g')" >> $GITHUB_OUTPUT echo "VERSION=$(cat build/version)" >> $GITHUB_OUTPUT
- name: Check if package version has corresponding git tag - name: Check if package version has corresponding git tag
id: tagged id: tagged
@@ -31,25 +33,20 @@ jobs:
run: | run: |
git show-ref \ git show-ref \
--tags --verify --quiet -- \ --tags --verify --quiet -- \
"refs/tags/${{ steps.get_metadata.outputs.tag }}" \ "refs/tags/${{ steps.get_metadata.outputs.TAG }}" \
&& echo tagged=1 >> $GITHUB_OUTPUT \ && echo tagged=1 >> $GITHUB_OUTPUT \
|| echo tagged=0 >> $GITHUB_OUTPUT || echo tagged=0 >> $GITHUB_OUTPUT
- name: Create new tag and set to_release - name: Create new tag
id: newtag
if: steps.tagged.outputs.tagged == 0 if: steps.tagged.outputs.tagged == 0
run: | run: |
git config --global user.name "github-actions[bot]" git tag ${{ steps.get_metadata.outputs.TAG }} \
git config --global user.email "github-actions[bot]@users.noreply.github.com" && git push origin ${{ steps.get_metadata.outputs.TAG }} \
git tag -a ${{ steps.get_metadata.outputs.tag }} \
-m "New cert chain was released" \
--trailer "SHA256:${{ steps.get_metadata.outputs.hash }}" \
&& echo to_release=1 >> $GITHUB_OUTPUT \
&& git push origin ${{ steps.get_metadata.outputs.tag }} \
|| exit 0 || exit 0
- name: Create and publish GitHub release build-fedora:
if: steps.newtag.outputs.to_release == 1 needs: release-ci
uses: softprops/action-gh-release@v2 uses: ./.github/workflows/fedora.yml
with: with:
tag_name: ${{ steps.get_metadata.outputs.tag }} containers: "['fedora:latest', 'fedora:41']"
version: ${{ needs.release-ci.outputs.VERSION }}

79
.github/workflows/fedora.yml vendored Normal file
View File

@@ -0,0 +1,79 @@
#name: build-rpm
on:
workflow_call:
inputs:
containers:
required: true
type: string
version:
required: false
type: string
jobs:
build:
strategy:
max-parallel: 2
matrix:
image: ${{ fromJson(inputs.containers) }}
runs-on: ubuntu-latest
container: ${{ matrix.image }}
steps:
- name: Local checkout
uses: actions/checkout@v4
- name: install RPM build dependencies
run: |
dnf -y install \
cmake \
gcc \
gcc-c++ \
git \
rpm-build \
rpmdevtools \
tar
- name: Setup RPM build tree
run: |
rpmdev-setuptree
- name: Create source tarball
run: |
cmake --fresh -B build -S .
cmake --build build --target sdist
- name: Set environment variables
run: |
echo "PKG_VERSION=$(cat build/version)" >> $GITHUB_ENV
echo "PKG_NAME=$(grep -Po 'Name:\ *\K[\S ]*' \
packaging/pkg.spec.in)" >> $GITHUB_ENV
- name: Copy SOURCES and SPEC file
run: |
cp packaging/pkg.spec.in ~/rpmbuild/SPECS/${PKG_NAME}.spec
rpmdev-bumpspec -n ${PKG_VERSION} ~/rpmbuild/SPECS/${PKG_NAME}.spec
cp dist/*.src.tar.gz ~/rpmbuild/SOURCES/
- name: Build RPM packages
run: |
dnf -y builddep ~/rpmbuild/SPECS/${PKG_NAME}.spec
rpmbuild -ba ~/rpmbuild/SPECS/${PKG_NAME}.spec
- name: Check if package version has corresponding git tag
id: tagged
shell: bash
run: |
git show-ref \
--tags --verify --quiet -- \
"refs/tags/${NEW_TAG}" \
&& echo tagged=1 >> $GITHUB_OUTPUT \
|| echo tagged=0 >> $GITHUB_OUTPUT
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
if: github.ref_type == 'tag' && steps.tagged.output.tagged == 1
with:
files: |
~/rpmbuild/RPMS/*/*.rpm
~/rpmbuild/SRPMS/*.rpm

1
.gitignore vendored
View File

@@ -15,4 +15,3 @@ build/
CMakeCache.txt CMakeCache.txt
dist/ dist/
temp/

103
CMakeLists.txt
View File

@@ -29,69 +29,58 @@ set(SourceFiles
include(CPackLists.txt) include(CPackLists.txt)
add_custom_target(clear-cache
COMMAND rm -rf cache/
)
add_custom_target(clear-certs add_custom_target(clear-certs
COMMAND rm -rf certs/ COMMAND rm -rf
) certs/
pki/
add_custom_target(clear-anchors
COMMAND rm -rf pki/
)
add_custom_target(clear-docs
COMMAND rm -rf docs/
)
add_custom_target(clear-all
DEPENDS
clear-anchors
clear-cache
clear-certs
clear-docs
)
add_custom_target(sources
COMMAND xargs -n1
curl
--create-dirs
--output-dir cache
-ksO < ${CMAKE_CURRENT_SOURCE_DIR}/sources
DEPENDS
clear-cache
) )
add_custom_target(certs add_custom_target(certs
COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/utils/cert-tool extract COMMAND xargs -n1
&& ${CMAKE_CURRENT_SOURCE_DIR}/utils/cert-tool classify curl
--create-dirs
--output-dir certs
-ksO < ${CMAKE_CURRENT_SOURCE_DIR}/sources
&& cd certs
&& (sha512sum -c --quiet ${HASH_FILE} || exit -1)
&& unzip ACcompactado.zip
DEPENDS DEPENDS
clear-certs clear-certs
sources
) )
add_custom_target(anchors ALL add_custom_target(isrg-root-x2.crt
COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/utils/cert-tool anchors COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh
pki/ca-trust-source/anchors/isrg-root-x2.crt
certs/isrg-root-x2.pem
DEPENDS DEPENDS
clear-anchors
certs certs
) )
add_custom_target(docs ALL add_custom_target(lets-encrypt-ca-bundle.crt
COMMAND mkdir docs COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh
&& cp cache/*.pdf docs/ pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
certs/lets-encrypt-e1.pem
certs/lets-encrypt-e2.pem
certs/lets-encrypt-r3.pem
certs/lets-encrypt-r4.pem
DEPENDS DEPENDS
clear-docs certs
sources
) )
# Checks for OpeSSL utility add_custom_target(icp-brasil-ca-bundle.crt
find_program(OPENSSL COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh
NAMES openssl openssl3 pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
REQUIRED certs/*.crt
DEPENDS
certs
)
add_custom_target(anchors ALL
DEPENDS
isrg-root-x2.crt
lets-encrypt-ca-bundle.crt
icp-brasil-ca-bundle.crt
) )
message("-- Check for OpenSSL utility: ${OPENSSL}")
# Checks which tool is used to update certificate keyring # Checks which tool is used to update certificate keyring
find_program(UPDATE_CACERTS_TOOL find_program(UPDATE_CACERTS_TOOL
@@ -113,24 +102,12 @@ endif()
message("-- Set install path to CA certificates: ${CACERT_INSTALL_DIR}") message("-- Set install path to CA certificates: ${CACERT_INSTALL_DIR}")
install( install(
DIRECTORY FILES
${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/. ${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/isrg-root-x2.crt
${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
DESTINATION DESTINATION
${CMAKE_INSTALL_PREFIX}/${CACERT_INSTALL_DIR} ${CMAKE_INSTALL_PREFIX}/${CACERT_INSTALL_DIR}
FILES_MATCHING
PATTERN "*.crt"
)
set(DOCS_INSTALL_DIR "share/doc/${PROJECT_NAME}")
install(
FILES
${CMAKE_CURRENT_SOURCE_DIR}/LICENSE
${CMAKE_CURRENT_SOURCE_DIR}/README.md
${CMAKE_CURRENT_BINARY_DIR}/docs/cpsrootca.pdf
${CMAKE_CURRENT_BINARY_DIR}/docs/DPCacraiz.pdf
${CMAKE_CURRENT_BINARY_DIR}/docs/PSacraiz.pdf
DESTINATION
${CMAKE_INSTALL_PREFIX}/${DOCS_INSTALL_DIR}
) )
# vim: ts=2:sw=2:sts=2:et # vim: ts=2:sw=2:sts=2:et

89
CPackLists.txt
View File

@@ -6,7 +6,6 @@ set(CPACK_VERBATIM_VARIABLES YES)
set(SourceIgnoreFiles set(SourceIgnoreFiles
".cache" ".cache"
".copr"
".clang-format" ".clang-format"
".clangd" ".clangd"
".git/" ".git/"
@@ -25,7 +24,6 @@ set(SourceIgnoreFiles
"cmake-build*" "cmake-build*"
"cmake_install.cmake" "cmake_install.cmake"
"dist/" "dist/"
"temp/"
) )
# Escape any '.' and '/' characters # Escape any '.' and '/' characters
@@ -61,98 +59,12 @@ configure_file(
@ONLY @ONLY
) )
if(BUILD_RPMS)
execute_process(
COMMAND cat "${CMAKE_CURRENT_SOURCE_DIR}/changelog.txt"
OUTPUT_VARIABLE CPACK_RPM_CHANGELOG
)
execute_process(
COMMAND bash -c
"head -1 \"${CMAKE_CURRENT_SOURCE_DIR}/changelog.txt\" \
| grep -iPo '.*${CPACK_PACKAGE_VERSION}-\\K[\\d]' \
| tr -d '\\n' \
"
OUTPUT_VARIABLE CPACK_RPM_PACKAGE_RELEASE
)
CONFIGURE_FILE("${CMAKE_CURRENT_SOURCE_DIR}/packaging/pkg.spec.in"
"${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec"
@ONLY
IMMEDIATE
)
set(CPACK_GENERATOR "RPM")
set(CPACK_SOURCE_GENERATOR "RPM")
set(CPACK_RPM_USER_PACKAGE_SOURCES ON)
set(CPACK_RPM_USER_PACKAGE_SOURCE "${CPACK_OUTPUT_FILE_PREFIX}/${CPACK_SOURCE_PACKAGE_FILE_NAME}")
set(CPACK_RPM_USER_BINARY_SPECFILE "${CMAKE_CURRENT_BINARY_DIR}/${PROJECT_NAME}.spec")
endif()
include(CPack) include(CPack)
add_custom_target(build-rpms)
add_custom_target(no-build-rpms)
add_custom_command(
TARGET build-rpms
POST_BUILD
COMMAND "${CMAKE_COMMAND}"
-DBUILD_RPMS=ON
-B "${CMAKE_BINARY_DIR}"
-S "${CMAKE_SOURCE_DIR}"
VERBATIM
USES_TERMINAL
)
add_custom_command(
TARGET no-build-rpms
POST_BUILD
COMMAND "${CMAKE_COMMAND}"
-DBUILD_RPMS=OFF
-B "${CMAKE_BINARY_DIR}"
-S "${CMAKE_SOURCE_DIR}"
VERBATIM
USES_TERMINAL
)
add_custom_target(srpm
COMMAND "${CMAKE_COMMAND}"
--build "${CMAKE_BINARY_DIR}"
--target package_source
DEPENDS build-rpms
VERBATIM
USES_TERMINAL
)
add_custom_target(rpms
COMMAND rpmbuild
--rebuild
--define "_rpmdir ${CPACK_OUTPUT_FILE_PREFIX}"
"${CPACK_OUTPUT_FILE_PREFIX}/${PROJECT_NAME}-${PROJECT_VERSION}-?.fc??.src.rpm"
DEPENDS build-rpms srpm
VERBATIM
USES_TERMINAL
)
add_custom_command(
TARGET rpms
POST_BUILD
COMMAND /bin/sh -c "find \
\"${CPACK_OUTPUT_FILE_PREFIX}/\" \
-mindepth 2 -type f -exec mv {} \"${CPACK_OUTPUT_FILE_PREFIX}/\" \; \
&& find \"${CPACK_OUTPUT_FILE_PREFIX}\" \
-type d -empty -delete \
"
VERBATIM
USES_TERMINAL
)
add_custom_target(sdist add_custom_target(sdist
COMMAND "${CMAKE_COMMAND}" COMMAND "${CMAKE_COMMAND}"
--build "${CMAKE_BINARY_DIR}" --build "${CMAKE_BINARY_DIR}"
--target package_source --target package_source
DEPENDS no-build-rpms
VERBATIM VERBATIM
USES_TERMINAL USES_TERMINAL
) )
@@ -161,7 +73,6 @@ add_custom_target(bdist
COMMAND "${CMAKE_COMMAND}" COMMAND "${CMAKE_COMMAND}"
--build "${CMAKE_BINARY_DIR}" --build "${CMAKE_BINARY_DIR}"
--target package --target package
DEPENDS no-build-rpms
VERBATIM VERBATIM
USES_TERMINAL USES_TERMINAL
) )

16
README.md
View File

@@ -1,5 +1,4 @@
# ca-certificates-brazil # ca-certificates-brazil
---
The Brazilian Public Key Infrastructure: ICP-Brasil The Brazilian Public Key Infrastructure: ICP-Brasil
## Description ## Description
@@ -11,18 +10,3 @@ It is observed that the model adopted by Brazil was single-root certification,
and the ITI, in addition to playing the role of Root Certifying Authority - Root AC, and the ITI, in addition to playing the role of Root Certifying Authority - Root AC,
also has the role of accrediting and discrediting the other participants in the also has the role of accrediting and discrediting the other participants in the
chain, supervise and audit the processes. chain, supervise and audit the processes.
## Documentation
* [ICP-Brasil Root Certification Authority Certification Practices Statement (in Portuguese)](
https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
)
* [Certification Practice Statement Root Certification Authority of Brazil](
https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
)
* [Security Policy of Root-CA (in Portuguese)](
https://acraiz.icpbrasil.gov.br/PSacraiz.pdf
)
These files may also have been distributed within the installation package provided
by your distribution.

2
changelog.txt
View File

@@ -1,2 +0,0 @@
* Fri Jul 04 2025 Christian Tosta <7252968+christiantosta@users.noreply.github.com> 2025.07.04-1
- This is an automatically built package (See our Git URL for more info).

14
crt2bundle.sh Executable file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
out=${1}
mkdir -p $(dirname ${out})
shift
in=''
for c in ${*}; do
echo "+ Loading CA certificate: ${c}";
in="${in} -certfile ${c}";
done;
openssl crl2pkcs7 -nocrl ${in} \
| openssl pkcs7 -print_certs -out ${out}

50
packaging/pkg.spec.in
View File

@@ -1,28 +1,21 @@
%global debug_package %{nil} %global debug_package %{nil}
%global source_date_epoch_from_changelog 0 %global source_date_epoch_from_changelog 0
%global packager Christian Tosta <7252968+christiantosta@users.noreply.github.com>
%define __openssl %{_bindir}/openssl %define __openssl %{_bindir}/openssl
Name: ca-certificates-brazil Name: ca-certificates-brazil
Version: @CPACK_PACKAGE_VERSION@ Version: __VERSION__
Release: @CPACK_RPM_PACKAGE_RELEASE@%{?dist} Release: %{autorelease}
Summary: The ICP-Brasil root certificate bundle Summary: The ICP-Brasil root certificate bundle
License: MIT AND Public Domain License: Public Domain
URL: https://www.gov.br/iti/pt-br/assuntos/certificado-digital URL: https://www.gov.br/iti/pt-br/assuntos/certificado-digital
Source0: %{name}-%{version}.tar.gz Source0: %{name}-%{version}.src.tar.gz
BuildArch: noarch BuildArch: noarch
BuildRequires: %{__openssl} BuildRequires: %{__openssl}
BuildRequires: %{_bindir}/cmake
BuildRequires: %{_bindir}/mktemp BuildRequires: %{_bindir}/mktemp
BuildRequires: %{_bindir}/unzip BuildRequires: %{_bindir}/unzip
BuildRequires: gcc
BuildRequires: gcc-c++
Provides: ca-certificates(ICP-Brasil) = %{version}-%{release}
Provides: config(ICP-Brasil) = %{version}-%{release}
Requires: %{name}-extras
%description %description
The Brazilian Public Key Infrastructure - ICP-Brasil is a hierarchical chain The Brazilian Public Key Infrastructure - ICP-Brasil is a hierarchical chain
@@ -35,46 +28,25 @@ also has the role of accrediting and discrediting the other participants in the
chain, supervise and audit the processes. chain, supervise and audit the processes.
%prep %prep
%autosetup -n %{name}-%{version}.src %autosetup -c
%{cmake} %{cmake}
%build %build
BUILD_SHARED_LIBS= \
CMAKE_CXX_FLAGS_RELEASE= \
CMAKE_C_FLAGS_RELEASE= \
CMAKE_Fortran_FLAGS_RELEASE= \
CMAKE_INSTALL_DO_STRIP= \
CMAKE_INSTALL_FULL_SBINDIR= \
CMAKE_INSTALL_SBINDIR= \
INCLUDE_INSTALL_DIR= \
LIB_INSTALL_DIR= \
SHARE_INSTALL_PREFIX= \
SYSCONF_INSTALL_DIR= \
%{cmake_build} %{cmake_build}
%install %install
%{__rm} -rf %{buildroot} %{__rm} -rf %{buildroot}
%{cmake_install} %{cmake_install}
%files %files
%doc %{_datadir}/doc/%{name}/*.pdf %{_datadir}/pki/ca-trust-source/anchors/isrg-root-x2.crt
%doc %{_datadir}/doc/%{name}/README.md %{_datadir}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
%license %{_datadir}/doc/%{name}/LICENSE
%{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt %{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
%post -p %{_bindir}/update-ca-trust %post -p %{_bindir}/update-ca-trust
%postun -p %{_bindir}/update-ca-trust %postun -p %{_bindir}/update-ca-trust
%package extras
Summary: Extra Root and Intermediate certificates used by ICP-Brasil
%description extras
%{summary}
%files extras
%license %{_datadir}/doc/%{name}/LICENSE
%{_datadir}/pki/ca-trust-source/anchors/*.crt
%exclude %{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
%post extras -p %{_bindir}/update-ca-trust
%postun extras -p %{_bindir}/update-ca-trust
%changelog %changelog
@CPACK_RPM_CHANGELOG@ %autochangelog

3
sources
View File

@@ -5,6 +5,3 @@ https://letsencrypt.org/certs/lets-encrypt-e1.pem
https://letsencrypt.org/certs/lets-encrypt-e2.pem https://letsencrypt.org/certs/lets-encrypt-e2.pem
https://letsencrypt.org/certs/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
https://letsencrypt.org/certs/lets-encrypt-r4.pem https://letsencrypt.org/certs/lets-encrypt-r4.pem
https://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
https://acraiz.icpbrasil.gov.br/cpsrootca.pdf
https://acraiz.icpbrasil.gov.br/PSacraiz.pdf

176
utils/cert-tool
View File

@@ -1,176 +0,0 @@
#!/bin/bash
set -euo pipefail
check_cert_validity() {
local cert=("${@}")
# Get validity dates of certificate
local expire=$(printf "%s\\n" "${cert[@]:1}" \
| openssl x509 \
-noout \
-dates \
| sed '/notAfter/!d;s/notAfter=//g;s/ /\\ /g' \
| xargs date +%s -d
)
# Checks if certificate is valid at this date
if [[ ${expire} -gt $(date +%s -d now) ]]; then
return 0
else
printf "%s: %s [%s %s]\\n" \
$"-- WARNING" \
$"Certificate was expired" \
$"Fingerprint=(SHA256)" \
${cert[0]}
return 1
fi
}
unzip_fingerprint() {
local zip_source=${1:-}
local fp_algo=sha256
local files=$(
[[ -f "${zip_source}" ]] && \
(unzip -qql ${zip_source} | awk '{print $4}')
)
# Unzip cert into array and compute their fingerprint
printf "%s: %s\\n" $"Archive" "${zip_source}"
local file; for file in ${files}; do
readarray -t cert < <(
unzip -p ${zip_source} ${file} \
| openssl x509 \
-fingerprint \
-${fp_algo} \
| sed 's/.*Fingerprint=//g;s/://g'
)
# Check validity dates of certificate then writes it to disk
if check_cert_validity "${cert[@]}"; then
local cert_file="certs/${cert[0]}.crt"
printf " %s %s\\n" $"Inflating" "certs/${file}"
#printf " %s %s\\n" $"Inflating" "certs/${cert[0]}.crt"
#printf " - %s=(%s) %s\\n" "Fingerprint" "${fp_algo^^}" "${cert[0]}"
printf "%s\\n" "${cert[@]:1}" > "${cert_file}"
fi
done
}
copy_fingerprint() {
local cert_source=${1:-}
local fp_algo=sha256
readarray -t cert < <(
cat ${cert_source} \
| openssl x509 \
-fingerprint \
-${fp_algo} \
| sed 's/.*Fingerprint=//g;s/://g'
)
# Check validity dates of certificate then writes it to disk
if check_cert_validity "${cert[@]}"; then
local cert_file="certs/${cert[0]}.crt"
printf "%s %s\\n" $"Copying" "certs/${cert_source}"
printf "%s\\n" "${cert[@]:1}" > "${cert_file}"
fi
}
#split() {
# local certs=("${@}")
#
# printf "%s\\n" "${certs[@]}" \
# | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
# | csplit \
# --quiet \
# --elide-empty-files \
# --prefix ${random_prefix:-}-cert \
# --suffix-format=-%02d.crt \
# - '/-END CERTIFICATE-/1' \
# '{*}'
#}
function extract() {
local file
mkdir -p certs
find cache -type f | while read file; do
case "$(file -b --mime-type ${file})" in
application/zip) unzip_fingerprint "${file}" ;;
application/x-pem-file) copy_fingerprint ${file} ;;
esac
done
}
function classify() {
# Create classified output directories
mkdir -p certs/{ca-root,ca-trust,servers}
# Process and classify generated files
echo -e "\n-- CLASSIFYING CACHED CERTIFICATES\n"
count=0
cert_files=$(find certs/ -maxdepth 1 -type f)
for cert_file in ${cert_files}; do
fingerprint="(SHA256) ${cert_file}"
echo "+ Processing certificate [Fingerprint: ${fingerprint}]"
issuer=$(openssl x509 -in "${cert_file}" -noout -issuer | sed 's/^issuer=//g')
issuer_o=$(echo "${issuer}" | grep -iPo 'O\s*=\s*\K[^,]+' || :)
subject=$(openssl x509 -in "${cert_file}" -noout -subject | sed 's/^subject=//g')
subject_o=$(echo "${subject}" | grep -iPo 'O\s*=\s*\K[^,]+' || :)
subject_cn=$(echo "${subject}" | grep -iPo 'CN\s*=\s*\K[^,]+' || :)
cert_o=$(echo "${subject_o^^}" | sed -E "s/\s/_/g;s/'//g;s/\/.*//g;s/\*\.//g")
cert_cn=$(echo "${subject_cn}" | sed -E "s/\s/_/g;s/\/.*//g;s/^\*\./wildcard-/g")
# save temporary pem file to .CRT file
if [[ "${subject_cn}" =~ "gov.br" ]]; then # it's a server certificate
cert_crt_file="${issuer_o^^}-${cert_cn}.crt"
openssl x509 -in "${cert_file}" -out "certs/servers/${cert_crt_file}"
let count=count+1
elif [[ "${subject}" == "${issuer}" ]]; then # it's a root certificate (self-signed)
cert_crt_file="${cert_o}-${cert_cn}.crt"
openssl x509 -in "${cert_file}" -out "certs/ca-root/${cert_crt_file}"
let count=count+1
else # it's an intermediate certificate
cert_crt_file="${cert_o}-${cert_cn}.crt"
openssl x509 -in "${cert_file}" -out "certs/ca-trust/${cert_crt_file}"
let count=count+1
fi
done
echo "-- Processed certificates: ${count}"
}
function anchors() {
echo -e "\n-- GENERATING P11-KIT SOURCE ANCHORS"
local ca_list=$(
(for cert in certs/{ca-root,ca-trust}/*.crt; do
openssl x509 -in ${cert} -noout -subject \
| grep -iPo 'O\s*=\s*\K[^,]+' \
| sed -E "s/\s/_/g;s/'//g;s/\/.*//g;s/\*\.//g;s/.*/\U&/";
done;
for cert in certs/servers/*.crt; do
openssl x509 -in ${cert} -noout -issuer \
| grep -iPo 'O\s*=\s*\K[^,]+' \
| sed -E "s/\s/_/g;s/'//g;s/\/.*//g;s/\*\.//g;s/.*/\U&/";
done;) | sort -u)
for ca in ${ca_list}; do
echo -e "\n-> Generating p11-kit source anchors for CA \"${ca}\""
local out=pki/ca-trust-source/anchors/${ca,,}-ca-bundle.crt
mkdir -p $(dirname ${out}); in=
for c in $(find certs/{ca-root,ca-trust,servers}/ -name ${ca}*); do
echo "+ Loading CA certificate: ${c}"
in="${in} -certfile ${c}"
done \
&& openssl crl2pkcs7 -nocrl ${in} \
| openssl pkcs7 -print_certs -out ${out}
done
}
cmd=${@:1}; shift
${cmd} ${@}
exit 0
# vim: ts=2:sw=2:sts=2:et