
[alpine-aports] [PATCH] main/ca-certificates: change update-ca-certificates lua script to a shell script

From: Ramon Soares <ramon_at_codecraft63.com>
Date: Sun, 3 May 2015 11:21:36 +0000

---
 main/ca-certificates/APKBUILD               |  10 +-
 main/ca-certificates/update-ca-certificates | 250 ++++++++++++++++++----------
 2 files changed, 168 insertions(+), 92 deletions(-)
diff --git a/main/ca-certificates/APKBUILD b/main/ca-certificates/APKBUILD
index 2db2af0..8f344f1 100644
--- a/main/ca-certificates/APKBUILD
+++ b/main/ca-certificates/APKBUILD
_at_@ -7,12 +7,12 @@ _nmu="+nmu${pkgver#*_p}"
 [ "$_nmu" = "+nmu${pkgver}" ] && _nmu=""
 _ver=${pkgver}
 
-pkgrel=1
+pkgrel=2
 pkgdesc="Common CA certificates PEM files"
 url="http://packages.debian.org/sid/ca-certificates"
 arch="noarch"
 license="MPL 2.0 GPL2+"
-depends="run-parts openssl lua5.2 lua5.2-posix"
+depends="run-parts openssl"
 makedepends="python"
 subpackages="$pkgname-doc"
 options="!fhs"
_at_@ -62,8 +62,8 @@ EOF
 }
 
 md5sums="f619282081c8bfc65ea64c37fa5285ed  ca-certificates_20141019.tar.xz
-bb24a9e2caf6150053a981e617a209a9  update-ca-certificates"
+5d3218ff481e9236fc217080e325c2ca  update-ca-certificates"
 sha256sums="684902d3f4e9ad27829f4af0d9d2d588afed03667997579b9c2be86fcd1eb73a  ca-certificates_20141019.tar.xz
-4f109a22d74ef36f691933716a83c015b8475ed4e47d21bd0d7f8baef4de046b  update-ca-certificates"
+aa7d262788b36ff786ff94055b3f5d23d588a35e59aecd767fb31f9c75985fa8  update-ca-certificates"
 sha512sums="5b0e8fb917f5642a5a2b4fde46a706db0c652ff3fb31a5053d9123a5b670b50c6e3cf2496915cc01c613dcbe964d6432f393c12d8a697baedfad58f9d13e568b  ca-certificates_20141019.tar.xz
-dadf046999f226cef0b14bd9014e59f04fa05a984339ff84940a2beb0f33f70bc921233d22291a294f9366c67989f5d337febd1832574c2e28317c14de84ff00  update-ca-certificates"
+5104acd36b623a6cf65f13a1ce542d57fa9aeec351d46bc535c220007c876b1d1790a85d3c51da9b723778e8a3dac18f1d90833268a2e4bf2f29a831a64a903b  update-ca-certificates"
diff --git a/main/ca-certificates/update-ca-certificates b/main/ca-certificates/update-ca-certificates
index 53f45df..5375950 100755
--- a/main/ca-certificates/update-ca-certificates
+++ b/main/ca-certificates/update-ca-certificates
_at_@ -1,87 +1,163 @@
-#!/usr/bin/lua5.2
-
-local CERTSDIR='/usr/share/ca-certificates/'
-local LOCALCERTSDIR='/usr/local/share/ca-certificates/'
-local ETCCERTSDIR='/etc/ssl/certs/'
-local CERTBUNDLE='ca-certificates.crt'
-local CERTSCONF='/etc/ca-certificates.conf'
-
-local posix = require 'posix'
-function string.begins(str, prefix) return str:sub(1,#prefix)==prefix end
-
-local function add(fn, out, links)
-	-- Map fn to file in etc
-	local pem = "ca-cert-"..fn:gsub('.*/', ''):gsub('.crt$',''):gsub('[, ]','_'):gsub('[()]','=')..".pem"
-	links[pem] = fn
-	-- Read the certificate for the bundle
-	local f = io.open(fn, "rb")
-	if f ~= nil then
-		local content = f:read("*all")
-		f:close()
-		out:write(content)
-		if content:sub(-1) ~= '\n' then out:write('\n') end
-	end
-end
-
-local calinks = {}
-local cacerts = {}
-
-local fd, tmpfile = posix.mkstemp(ETCCERTSDIR..'bundleXXXXXX')
-if not fd then
-	print("Failed to open temporary file for ca bundle")
-	return 1
-end
-posix.close(fd)
-posix.chmod(tmpfile, "rw-r--r--")
-local bundle = io.open(tmpfile, "wb")
-
--- Handle global CA certs from config file
-for l in io.lines(CERTSCONF) do
-	local firstchar = l:sub(1,1)
-	if firstchar ~= "#" and firstchar ~= "!" then
-		add(CERTSDIR..l, bundle, calinks)
-	end
-end
-
--- Handle local CA certificates
-local certlist = posix.glob(LOCALCERTSDIR..'*.crt')
-if certlist ~= nil then
-	table.sort(certlist)
-	for f in pairs(certlist) do
-		local fn = LOCALCERTSDIR..f
-		if posix.stat(fn, 'type') == 'regular' then
-			add(fn, bundle, calinks)
-		end
-	end
-end
-
--- Update etc cert dir for additions and deletions
-local f, target
-for f in posix.files(ETCCERTSDIR) do
-	local fn = ETCCERTSDIR..f
-	if posix.stat(fn, 'type') == 'link' then
-		local curtgt = posix.readlink(fn)
-		local target = calinks[f]
-		if target == nil then
-			-- Symlink exists but is not wanted
-			-- Delete it if it points to 'our' directory
-			if curtgt:begins(CERTSDIR) or curtgt:begins(LOCALCERTSDIR) then
-				os.remove(fn)
-			end
-		elseif curtgt ~= target then
-			-- Symlink exists but points wrong
-			posix.link(target, ETCCERTSDIR..f, true)
-		else
-			-- Symlink exists and is ok
-			calinks[f] = nil
-		end
-	end
-end
-for f, target in pairs(calinks) do
-	posix.link(target, ETCCERTSDIR..f, true)
-end
-
--- Update hashes and the bundle
-bundle:close()
-os.rename(tmpfile, ETCCERTSDIR..CERTBUNDLE)
-os.execute("c_rehash "..ETCCERTSDIR.." > /dev/null")
+#!/bin/sh -e
+#
+# update-ca-certificates
+#
+# Copyright (c) 2003 Fumitoshi UKAI <ukai_at_debian.or.jp>
+# Copyright (c) 2009 Philipp Kern <pkern_at_debian.org>
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02111-1301,
+# USA.
+#
+
+verbose=0
+fresh=0
+while [ $# -gt 0 ];
+do
+  case $1 in
+  --verbose|-v)
+  	verbose=1;;
+  --fresh|-f)
+	fresh=1;;
+  --help|-h|*)
+	echo "$0: [--verbose] [--fresh]"
+	exit;;
+  esac
+  shift
+done
+
+CERTSCONF=/etc/ca-certificates.conf
+CERTSDIR=/usr/share/ca-certificates
+LOCALCERTSDIR=/usr/local/share/ca-certificates
+CERTBUNDLE=ca-certificates.crt
+ETCCERTSDIR=/etc/ssl/certs
+
+cleanup() {
+  rm -f "$TEMPBUNDLE"
+  rm -f "$ADDED"
+  rm -f "$REMOVED"
+}
+trap cleanup 0
+
+# Helper files.  (Some of them are not simple arrays because we spawn
+# subshells later on.)
+TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
+ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
+REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
+
+# Adds a certificate to the list of trusted ones.  This includes a symlink
+# in /etc/ssl/certs to the certificate file and its inclusion into the
+# bundle.
+add() {
+  CERT="$1"
+  PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
+                                                  -e 's/[()]/=/g' \
+                                                  -e 's/,/_/g').pem"
+  if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
+  then
+    ln -sf "$CERT" "$PEM"
+    echo +$PEM >> "$ADDED"
+  fi
+  cat "$CERT" >> "$TEMPBUNDLE"
+}
+
+remove() {
+  CERT="$1"
+  PEM="$ETCCERTSDIR/$(basename "$CERT" .crt).pem"
+  if test -L "$PEM"
+  then
+    rm -f "$PEM"
+    echo -$PEM >> "$REMOVED"
+  fi
+}
+
+cd $ETCCERTSDIR
+if [ "$fresh" = 1 ]; then
+  echo -n "Clearing symlinks in $ETCCERTSDIR..."
+  find . -type l -print | while read symlink
+  do
+     case $(readlink $symlink) in
+     $CERTSDIR*) rm -f $symlink;;
+     esac
+  done
+  find . -type l -print | while read symlink
+  do
+     test -f $symlink || rm -f $symlink
+  done
+  echo "done."
+fi
+
+echo -n "Updating certificates in $ETCCERTSDIR... "
+
+# Handle certificates that should be removed.  This is an explicit act
+# by prefixing lines in the configuration files with exclamation marks (!).
+sed -n -e '/^$/d' -e 's/^!//p' $CERTSCONF | while read crt
+do
+  remove "$CERTSDIR/$crt"
+done
+
+sed -e '/^$/d' -e '/^#/d' -e '/^!/d' $CERTSCONF | while read crt
+do
+  if ! test -f "$CERTSDIR/$crt"
+  then
+    echo "W: $CERTSDIR/$crt not found, but listed in $CERTSCONF." >&2
+    continue
+  fi
+  add "$CERTSDIR/$crt"
+done
+
+# Now process certificate authorities installed by the local system
+# administrator.
+if [ -d "$LOCALCERTSDIR" ]
+then
+  find -L "$LOCALCERTSDIR" -type f -name '*.crt' | while read crt
+  do
+    add "$crt"
+  done
+fi
+
+rm -f "$CERTBUNDLE"
+
+ADDED_CNT=$(wc -l < "$ADDED")
+REMOVED_CNT=$(wc -l < "$REMOVED")
+
+if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
+then
+  # only run if set of files has changed
+  if [ "$verbose" = 0 ]
+  then
+    c_rehash . > /dev/null
+  else
+    c_rehash .
+  fi
+fi
+
+chmod 0644 "$TEMPBUNDLE"
+mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+
+echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
+
+HOOKSDIR=/etc/ca-certificates/update.d
+echo -n "Running hooks in $HOOKSDIR...."
+VERBOSE_ARG=
+[ "$verbose" = 0 ] || VERBOSE_ARG=--verbose
+eval run-parts $VERBOSE_ARG --test -- $HOOKSDIR | while read hook
+do
+  ( cat $ADDED
+    cat $REMOVED ) | $hook || echo E: $hook exited with code $?.
+done
+echo "done."
+
+# vim:set et sw=2:
+
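Review bot: The bundle swap near the end of the script is no longer atomic: `rm -f "$CERTBUNDLE"` runs before `c_rehash` and the final `mv`, and `TEMPBUNDLE` comes from `mktemp -t`, which normally places it under `$TMPDIR` or `/tmp` rather than in `$ETCCERTSDIR`, so the `mv` may be a cross-filesystem copy instead of a rename. While that window is open, or if the script aborts under `-e` after the `rm` (the exit trap then deletes the temporary bundle), there is no `ca-certificates.crt` and clients that rely on it fail verification; the removed Lua version created its temp file inside `/etc/ssl/certs/` and renamed it over the old bundle. I would drop the `rm -f "$CERTBUNDLE"` line and create the file with `TEMPBUNDLE="$(mktemp "$ETCCERTSDIR/${CERTBUNDLE}.tmp.XXXXXX")"`. Two smaller regressions in the same hunk: `cat "$CERT" >> "$TEMPBUNDLE"` in `add()` lost the Lua version's trailing-newline guard, so a `.crt` without a final newline fuses its END line with the next BEGIN line, and `remove()` builds `PEM` without the `sed` mapping that `add()` applies, so a `!`-prefixed entry whose name contains a space, comma or parenthesis keeps its symlink and stays in the hashed directory.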
-- 
2.3.7
Received on Sun May 03 2015 - 11:21:36 GMT