apple-pki-bundle: Submission

net/apple-pki-bundle/Portfile

@@ -0,0 +1,234 @@
+# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
+
+PortSystem          1.0
+
+name                apple-pki-bundle
+version             2018-09-27
+revision            0
+categories          net www security
+license             OpenSSL
+maintainers         {ieee.org:s.t.smith @essandess} openmaintainer
+supported_archs     noarch
+
+description         Apple PKI certificate bundle
+
+long_description    Installs a bundle of certification authority certificates \
+                    (CA certs) used on Apple devices.
+
+homepage            https://www.apple.com/certificateauthority/
+
+master_sites        https://www.apple.com/appleca:appleca \
+                    https://www.apple.com/certificateauthority:certificateauthority \
+                    https://developer.apple.com/certificationauthority:certificationauthority \
+                    https://geotrust.tbs-certificats.com:geotrust \
+                    https://cacerts.digicert.com:digicert
+
+distfiles           AppleIncRootCertificate.cer:appleca \
+                    AppleComputerRootCertificate.cer:certificateauthority \
+                    AppleRootCA-G2.cer:certificateauthority \
+                    AppleRootCA-G3.cer:certificateauthority \
+                    AppleISTCA2G1.cer:certificateauthority \
+                    AppleISTCA8G1.cer:certificateauthority \
+                    AppleAAICA.cer:certificateauthority \
+                    AppleAAI2CA.cer:certificateauthority \
+                    AppleAAICAG3.cer:certificateauthority \
+                    AppleApplicationIntegrationCA5G1.cer:certificateauthority \
+                    DevAuthCA.cer:certificateauthority \
+                    DeveloperIDCA.cer:certificateauthority \
+                    AppleSoftwareUpdateCertificationAuthority.cer:certificateauthority \
+                    AppleTimestampCA.cer:certificateauthority \
+                    AppleWWDRCA.cer:certificationauthority \
+                    AppleWWDRCAG2.cer:certificateauthority \
+                    AppleWWDRCAG3.cer:certificateauthority \
+                    AppleWWDRCAG5.cer:certificateauthority \
+                    AppleWWDRCAG6.cer:certificateauthority \
+                    GeoTrust_Global_CA.crt:geotrust \
+                    GeoTrustPCA-G2.crt:digicert
+
+checksums           AppleIncRootCertificate.cer \
+                    rmd160  f86e77359a6a61f20fd8eb0deb854ad5a510412a \
+                    sha256  b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024 \
+                    size    1215 \
+                    AppleComputerRootCertificate.cer \
+                    rmd160  fb3672c5e3c74df263e193b8e3df845dd6d33c51 \
+                    sha256  0d83b611b648a1a75eb8558400795375cad92e264ed8e9d7a757c1f5ee2bb22d \
+                    size    1470 \
+                    AppleRootCA-G2.cer \
+                    rmd160  300b620e7c4f611e907ae48aebfa8c1858e55a1c \
+                    sha256  c2b9b042dd57830e7d117dac55ac8ae19407d38e41d88f3215bc3a890444a050 \
+                    size    1430 \
+                    AppleRootCA-G3.cer \
+                    rmd160  4b9f77626fc3b924f105f58c99af71e157c6c2d6 \
+                    sha256  63343abfb89a6a03ebb57e9b3f5fa7be7c4f5c756f3017b3a8c488c3653e9179 \
+                    size    583 \
+                    AppleISTCA2G1.cer \
+                    rmd160  7c71ab76630c91228ebc153a20ddb48f74301035 \
+                    sha256  ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b \
+                    size    1092 \
+                    AppleISTCA8G1.cer \
+                    rmd160  49d458253b7801341f6280efb5d46338c4688875 \
+                    sha256  63ed1030fe1001060589f4e8ac955768fc0880bcc42be7d906d590e327a57142 \
+                    size    1216 \
+                    AppleAAICA.cer \
+                    rmd160  b4ccf1798244801aa784b7ff0c049c963a20ca29 \
+                    sha256  2528ba7d9348d6cbc83b169b24860ae7a87a6359c0e5274626edfe8f6c04e2b8 \
+                    size    1489 \
+                    AppleAAI2CA.cer \
+                    rmd160  d623a06611224ea258af9aba8e7f90f5a3dc5b50 \
+                    sha256  d3496f4b73cd67aab9f2fcb1d5aa41f8dc457769c455c792b70ddb19e92023d6 \
+                    size    1052 \
+                    AppleAAICAG3.cer \
+                    rmd160  5cf343caf0c2836cb7c374f4489af1925da544cb \
+                    sha256  a64b099dbd73ebb036b4204e1675e8aa821637d09b84980899104ad59d664a3b \
+                    size    754 \
+                    AppleApplicationIntegrationCA5G1.cer \
+                    rmd160  acea444545ee49c6f7bb852e87aa9cee44cc3546 \
+                    sha256  c0d8efbea821079d1b8a98e1198bfcc669331fa7a9c14f09b969f0af08ce4a43 \
+                    size    765 \
+                    DevAuthCA.cer \
+                    rmd160  130856ebc4cc8503fd3bc253b115f1ad50aafd32 \
+                    sha256  341ff0b1753889eb5f36921a7386129f302ce4ff603fabaebf06e01fdb236860 \
+                    size    1051 \
+                    DeveloperIDCA.cer \
+                    rmd160  829a7ac0b3daab8b8ab7c5252599b1491aa9d987 \
+                    sha256  7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f \
+                    size    1032 \
+                    AppleSoftwareUpdateCertificationAuthority.cer \
+                    rmd160  969679b4511ae94133497c0014e9a95154336ff0 \
+                    sha256  1299e9bfe776a29ff452f8c4f5e55f3b4dfd2934349dd1850b8274f35c71745c \
+                    size    1136 \
+                    AppleTimestampCA.cer \
+                    rmd160  414a1dc61e313c238adc47f1d8380aa5bb400173 \
+                    sha256  5eb2b6f76a173e6876ccaca696817bf1a0575e8d5f2a81653e1ddf8dafb751fc \
+                    size    1456 \
+                    AppleWWDRCA.cer \
+                    rmd160  56edfda4fc5664a5431c4fef431d60ac43c5e872 \
+                    sha256  ce057691d730f89ca25e916f7335f4c8a15713dcd273a658c024023f8eb809c2 \
+                    size    1062 \
+                    AppleWWDRCAG2.cer \
+                    rmd160  0d4330029e28cb238e264d3bc238d4b1798e9385 \
+                    sha256  9ed4b3b88c6a339cf1387895bda9ca6ea31a6b5ce9edf7511845923b0c8ac94c \
+                    size    763 \
+                    AppleWWDRCAG3.cer \
+                    rmd160  17665bab909900697ee8a9c558b56d986dd8e3e4 \
+                    sha256  dcf21878c77f4198e4b4614f03d696d89c66c66008d4244e1b99161aac91601f \
+                    size    1109 \
+                    AppleWWDRCAG5.cer \
+                    rmd160  b20a437bdd39e2d960a51164badb7124094e083e \
+                    sha256  53fd008278e5a595fe1e908ae9c5e5675f26243264a5a6438c023e3ce2870760 \
+                    size    1113 \
+                    AppleWWDRCAG6.cer \
+                    rmd160  505ae3637933095ddf6cb40aa12bf0b1ded0ab09 \
+                    sha256  bdd4ed6e74691f0c2bfd01be0296197af1379e0418e2d300efa9c3bef642ca30 \
+                    size    794 \
+                    GeoTrust_Global_CA.crt \
+                    rmd160  b481fa4b7532b3d6b353463267df2eafeea8a043 \
+                    sha256  9bde21d1c3414421fc6ff9ae79f1688c0193bc1cd0f1417f9adf0cdbed3b6250 \
+                    size    1236 \
+                    GeoTrustPCA-G2.crt \
+                    rmd160  fc4e5fc888b926cd12871ac9b650cf68b028736e \
+                    sha256  5edb7ac43b82a06a8761e8d7be4979ebf2611f7dd79bf91c1c6b566a219ed766 \
+                    size    690
+
+# non-Apple CAs in the bundle
+# for f in ${worksrcpath}/*.pem; do openssl x509 -inform pem -text -noout -in ${f}; done | grep 'CN = ' | grep -v Apple
+
+variant additional_pki_bundle \
+    description {Add PKI bundle used by GitHub assets, possibly others.} {
+    # openssl s_client -showcerts github.githubassets.com:443 | sed -E '1,/^---$/d' | sed '/^---$/,$d' 1> cert.pem
+    # openssl x509 -text -noout -in cert.pem
+    # openssl verify -CAfile trustedCAs.pem cert.pem
+
+    distfiles-append \
+                    DigiCertHighAssuranceEVRootCA.crt:digicert \
+                    DigiCertSHA2HighAssuranceServerCA.crt:digicert \
+                    DigiCertTLSHybridECCSHA3842020CA1-1.crt:digicert \
+                    DigiCertTLSRSASHA2562020CA1-1.crt:digicert
+
+    checksums-append \
+                    DigiCertHighAssuranceEVRootCA.crt \
+                    rmd160  96b6f2d9f8e1ad3fa1868b3b9053160ef8b282c8 \
+                    sha256  7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf \
+                    size    969 \
+                    DigiCertSHA2HighAssuranceServerCA.crt \
+                    rmd160  a2f7fc7707f0ff19f19c85070e1ab1e29793793d \
+                    sha256  19400be5b7a31fb733917700789d2f0a2471c0c9d506c0e504c06c16d7cb17c0 \
+                    size    1205 \
+                    DigiCertTLSHybridECCSHA3842020CA1-1.crt \
+                    rmd160  1343b2ded7573c390e5f1405e1044ff5774b5afd \
+                    sha256  f7a9a1b2fd964a3f2670bd668d561fb7c55d3aa9ab8391e7e169702db8a3dbcf \
+                    size    1051 \
+                    DigiCertTLSRSASHA2562020CA1-1.crt \
+                    rmd160  68d5f2b0e1dd6cf8a96d0b4d23a9de5aba203265 \
+                    sha256  52274c57ce4dee3b49db7a7ff708c040f771898b3be88725a86fb4430182fe14 \
+                    size    1218
+}
+
+default_variants    +additional_pki_bundle
+
+set pki_dir         ${prefix}/share/${name}
+set pki_bundle      ${name}.pem
+
+proc url_to_pem {url pem} {
+    global worksrcpath
+    system -W ${worksrcpath} \
+        "curl -L ${url} 2>&1 | uu-tac | sed '/^-----BEGIN CERTIFICATE-----$/q' | uu-tac | sed '/^-----END CERTIFICATE-----$/q' > ${pem}"
+}
+
+depends_build-append \
+                    port:coreutils-uutils \
+                    port:file \
+                    path:bin/openssl:openssl
+
+extract.only
+extract.mkdir       yes
+
+post-extract {
+    # https://www.apple.com/certificateauthority/public/
+    foreach {url pem} {
+        https://valid-aaa-rsa.apple.com/ apsrsa12g1.pem
+        https://valid-aaa-ecc.apple.com/ apsecc12g1.pem
+        https://valid-gr2-rsa.apple.com/ apevsrsa1g1.pem
+        https://valid-har-rsa.apple.com/ apevsrsa2g1.pem
+        https://valid-gr3-ecc.apple.com/ apevsecc1g1.pem
+    } {
+        url_to_pem ${url} ${pem}
+    }
+}
+
+use_configure       no
+
+build {
+    foreach f [glob ${distpath}/*.{cer,crt,der,pem}] {
+        if { [file isfile ${f}] } {
+            regsub {\.(cer|crt|der|pem)$} [file tail ${f}] .pem pem
+            set file_type [exec /bin/sh -c \
+                "file ${f} | sed -E 's|^.+: ||' 2>/dev/null || true"]
+            if {[regexp {^(PEM certificate|ASCII text)$} ${file_type}]} {
+                file copy ${f} ${worksrcpath}/${pem}
+            } else {
+                system -W ${worksrcpath} \
+                    "openssl x509 -inform der -outform pem -text -in ${f} -out ${pem}"
+            }
+        }
+    }
+}
+
+destroot {
+    xinstall -d ${destroot}${pki_dir}
+
+    # cat all pem files to a single file
+    set outfile [open ${destroot}${pki_dir}/${pki_bundle} w]
+    foreach f [glob ${worksrcpath}/*.pem] {
+        set file_type [exec /bin/sh -c \
+                           "file ${f} | sed -E 's|^.+: ||' 2>/dev/null || true"]
+        if {[regexp {^(PEM certificate|ASCII text)$} ${file_type}]} {
+            set sourcefile [open ${f} r]
+            chan copy ${sourcefile} ${outfile}
+            close ${sourcefile}
+        } else {
+            ui_warn "Not installing ${f} because it is not a PEM file."
+        }
+    }
+    close ${outfile}
+}