Add example ca-certificates-local source package for local CAs

12 files changed, 257 insertions, 0 deletions

diff --git a/examples/ca-certificates-local/Makefile b/examples/ca-certificates-local/Makefile
new file mode 100644
index 0000000..a872252
--- /dev/null
+++ b/examples/ca-certificates-local/Makefile
@@ -0,0 +1,14 @@
+#
+# Makefile
+#
+
+LOCALCERTSDIR = /usr/local/share/ca-certificates
+
+all:
+
+clean:
+
+install:
+	mkdir -p $(DESTDIR)/$(LOCALCERTSDIR); \
+	$(MAKE) -C local install LOCALCERTSDIR=$(DESTDIR)/$(LOCALCERTSDIR)
+
diff --git a/examples/ca-certificates-local/debian/README.Debian b/examples/ca-certificates-local/debian/README.Debian
new file mode 100644
index 0000000..2b00b5a
--- /dev/null
+++ b/examples/ca-certificates-local/debian/README.Debian
@@ -0,0 +1,103 @@
+The Debian Package ca-certificates-local
+----------------------------
+
+This package includes local CA certificates to be installed in
+/usr/local/share/ca-certificates. The CA certificates installed by this
+package will be implicitly trusted.
+
+This is an example stub source package that includes a dummy CA
+certificate in the local/ directory. Remove the dummy certificate, copy
+your trusted local root CA (in PEM format with the filename ending in
+.crt) to the local/ directory, edit files in the debian/ directory as
+desired, and build your custom package.
+
+----------------------------
+
+Steps to build your custom local root CA package from this example:
+
+- First, check that your local root CA is in PEM file format, the
+  filename ends in .crt, and that it is properly usable by openssl. This
+  example uses the included dummy CA certificate. Check that your local
+  root CA certificate produces similar output:
+
+  $ openssl x509 -text -in local/Deep_Thought_Dummy_Root_CA.crt
+  Certificate:
+      Data:
+          Version: 3 (0x2)
+          Serial Number: 66 (0x42)
+      Signature Algorithm: sha1WithRSAEncryption
+          Issuer: CN=Deep Thought Dummy Root CA
+          Validity
+              Not Before: Aug 29 00:00:00 2013 GMT
+              Not After : Aug 28 23:59:59 2042 GMT
+          Subject: CN=Deep Thought Dummy Root CA
+          Subject Public Key Info:
+              Public Key Algorithm: rsaEncryption
+                  Public-Key: (1024 bit)
+                  Modulus:
+                      00:a2:e3:00:b0:d2:fa:92:57:02:97:5e:80:e0:1a:
+                      68:ee:2f:d0:1d:d2:57:fa:b8:52:8d:50:82:a7:2c:
+                      fb:b7:fa:23:94:a2:b4:20:52:a9:aa:c1:28:f9:28:
+                      5e:5f:10:e1:9c:b0:10:ec:f4:82:0f:67:f9:f1:f7:
+                      2f:78:70:42:f3:87:c0:b8:c7:c1:80:e8:28:74:d9:
+                      15:66:c5:17:3b:f9:56:03:f9:91:00:a3:72:75:f6:
+                      53:d9:1e:25:48:82:e5:5a:0e:47:35:6f:08:37:21:
+                      04:46:3e:ff:fe:04:a7:70:c0:b5:19:cc:91:24:ae:
+                      c5:6e:dc:50:7f:3f:34:b8:29
+                  Exponent: 65537 (0x10001)
+          X509v3 extensions:
+              X509v3 Basic Constraints: critical
+                  CA:TRUE
+              X509v3 Subject Key Identifier:
+                  C3:FF:DB:49:E2:8A:A4:26:62:19:74:F0:66:41:E1:5F:F7:4B:3F:A7
+              X509v3 Key Usage:
+                  Certificate Sign, CRL Sign
+              Netscape Cert Type:
+                  SSL CA, S/MIME CA, Object Signing CA
+      Signature Algorithm: sha1WithRSAEncryption
+           1f:32:49:f2:7f:ed:80:62:2e:49:b7:ce:84:b9:c1:c5:1a:f6:
+           59:6e:78:0e:70:13:10:71:80:23:36:c8:6c:34:5f:03:e8:93:
+           06:51:5d:9a:4f:8b:fc:18:ce:06:c1:f5:ff:f8:82:a5:88:0d:
+           2e:97:c6:c5:57:b2:c5:08:0a:11:17:74:21:9c:68:fd:e3:a1:
+           d3:75:87:c5:32:f9:b3:d6:89:03:6e:9d:d4:59:45:55:bb:14:
+           31:05:cf:63:03:89:57:42:c1:04:a5:89:27:ec:97:30:f3:de:
+           c9:cb:d0:f2:af:8b:42:2b:2d:31:5b:bb:b8:46:c9:3c:61:8c:
+           32:2d
+  -----BEGIN CERTIFICATE-----
+  MIICEjCCAXugAwIBAgIBQjANBgkqhkiG9w0BAQUFADAlMSMwIQYDVQQDExpEZWVw
+  IFRob3VnaHQgRHVtbXkgUm9vdCBDQTAeFw0xMzA4MjkwMDAwMDBaFw00MjA4Mjgy
+  MzU5NTlaMCUxIzAhBgNVBAMTGkRlZXAgVGhvdWdodCBEdW1teSBSb290IENBMIGf
+  MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCi4wCw0vqSVwKXXoDgGmjuL9Ad0lf6
+  uFKNUIKnLPu3+iOUorQgUqmqwSj5KF5fEOGcsBDs9IIPZ/nx9y94cELzh8C4x8GA
+  6Ch02RVmxRc7+VYD+ZEAo3J19lPZHiVIguVaDkc1bwg3IQRGPv/+BKdwwLUZzJEk
+  rsVu3FB/PzS4KQIDAQABo1IwUDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTD
+  /9tJ4oqkJmIZdPBmQeFf90s/pzALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQD
+  AgAHMA0GCSqGSIb3DQEBBQUAA4GBAB8ySfJ/7YBiLkm3zoS5wcUa9llueA5wExBx
+  gCM2yGw0XwPokwZRXZpPi/wYzgbB9f/4gqWIDS6XxsVXssUIChEXdCGcaP3jodN1
+  h8Uy+bPWiQNundRZRVW7FDEFz2MDiVdCwQSliSfslzDz3snL0PKvi0IrLTFbu7hG
+  yTxhjDIt
+  -----END CERTIFICATE-----
+
+- Next copy this example source package somewhere to build as a normal
+  user, for instance your home directory:
+
+  $ cp -a /usr/share/doc/ca-certificates/examples/ca-certificates-local-0.1 ~/
+  $ cd ~/ca-certificates-local-0.1/
+
+- Next, remove the dummy CA certificate, copy your local root CA
+  certificate(s) to the local/ directory, and build the package:
+
+  $ rm local/Deep_Thought_Dummy_Root_CA.crt
+  $ cp /path/to/Your_Local_Root_CA.crt local/
+  $ dpkg-buildpackage -b
+
+- Install the package (or copy it to your local apt repository for
+  installation on lots of machines):
+
+  $ sudo dpkg -i ../ca-certificates-local_0.1_all.deb
+
+- Feel free to edit the files under the debian/ directory for items like
+  the maintainer name and email address, version, etc. to better reflect
+  your own organization. This is just an example to get you started with
+  a proper local root CA package.
+
diff --git a/examples/ca-certificates-local/debian/ca-certificates-local.triggers b/examples/ca-certificates-local/debian/ca-certificates-local.triggers
new file mode 100644
index 0000000..2508bbf
--- /dev/null
+++ b/examples/ca-certificates-local/debian/ca-certificates-local.triggers
@@ -0,0 +1 @@
+activate update-ca-certificates-fresh
diff --git a/examples/ca-certificates-local/debian/changelog b/examples/ca-certificates-local/debian/changelog
new file mode 100644
index 0000000..dccdbf6
--- /dev/null
+++ b/examples/ca-certificates-local/debian/changelog
@@ -0,0 +1,5 @@
+ca-certificates-local (0.1) unstable; urgency=low
+
+  * Initial Release.
+
+ -- System Administrator <root@localhost.localdomain>  Thu, 29 Aug 2013 00:42:42 -0000
diff --git a/examples/ca-certificates-local/debian/compat b/examples/ca-certificates-local/debian/compat
new file mode 100644
index 0000000..45a4fb7
--- /dev/null
+++ b/examples/ca-certificates-local/debian/compat
@@ -0,0 +1 @@
+8
diff --git a/examples/ca-certificates-local/debian/control b/examples/ca-certificates-local/debian/control
new file mode 100644
index 0000000..91cecf5
--- /dev/null
+++ b/examples/ca-certificates-local/debian/control
@@ -0,0 +1,20 @@
+Source: ca-certificates-local
+Section: misc
+Priority: extra
+Maintainer: System Administrator <root@localhost.localdomain>
+Build-Depends: debhelper (>= 8.0.0)
+Standards-Version: 3.9.4
+
+Package: ca-certificates-local
+Architecture: all
+Depends: ca-certificates (>= 20130119), ${misc:Depends}
+Description: Local CA certificates
+ This package includes local CA certificates to be installed in
+ /usr/local/share/ca-certificates. The CA certificates installed by this
+ package will be implicitly trusted.
+ .
+ This is an example stub source package that includes a dummy CA
+ certificate in the local/ directory. Remove the dummy certificate, copy
+ your trusted local root CA (in PEM format with the filename ending in
+ ".crt") to the local/ directory, edit files in the debian/ directory as
+ desired, and build your custom package.
diff --git a/examples/ca-certificates-local/debian/copyright b/examples/ca-certificates-local/debian/copyright
new file mode 100644
index 0000000..5ffaab9
--- /dev/null
+++ b/examples/ca-certificates-local/debian/copyright
@@ -0,0 +1,28 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+
+Files: *
+Copyright: 2013 System Administrator <root@localhost.localdomain>
+License: MIT
+
+Files: debian/*
+Copyright: 2013 System Administrator <root@localhost.localdomain>
+License: MIT
+
+License: MIT
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the "Software"),
+ to deal in the Software without restriction, including without limitation
+ the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ and/or sell copies of the Software, and to permit persons to whom the
+ Software is furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, 
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE 
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/examples/ca-certificates-local/debian/postrm b/examples/ca-certificates-local/debian/postrm
new file mode 100644
index 0000000..beaf187
--- /dev/null
+++ b/examples/ca-certificates-local/debian/postrm
@@ -0,0 +1,46 @@
+#!/bin/sh
+# postrm script for ca-certificates-local
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postrm> `remove'
+#        * <postrm> `purge'
+#        * <old-postrm> `upgrade' <new-version>
+#        * <new-postrm> `failed-upgrade' <old-version>
+#        * <new-postrm> `abort-install'
+#        * <new-postrm> `abort-install' <old-version>
+#        * <new-postrm> `abort-upgrade' <old-version>
+#        * <disappearer's-postrm> `disappear' <overwriter>
+#          <overwriter-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+        # recreate the /usr/local/share/ca-certificates directory, since we are
+        # ignoring Debian Policy by intentionally installing here. Removal of
+        # ca-certificates-local removes this directory if empty.
+        if [ ! -e /usr/local/share/ca-certificates ]; then
+            if mkdir /usr/local/share/ca-certificates 2>/dev/null; then
+                chown root:staff /usr/local/share/ca-certificates
+                chmod 2775 /usr/local/share/ca-certificates
+            fi
+        fi
+    ;;
+
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/examples/ca-certificates-local/debian/rules b/examples/ca-certificates-local/debian/rules
new file mode 100755
index 0000000..857806f
--- /dev/null
+++ b/examples/ca-certificates-local/debian/rules
@@ -0,0 +1,11 @@
+#!/usr/bin/make -f
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+%:
+	dh $@
+
+# override_dh_usrlocal to do nothing
+override_dh_usrlocal:
+
diff --git a/examples/ca-certificates-local/debian/source/format b/examples/ca-certificates-local/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/examples/ca-certificates-local/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/examples/ca-certificates-local/local/Deep_Thought_Dummy_Root_CA.crt b/examples/ca-certificates-local/local/Deep_Thought_Dummy_Root_CA.crt
new file mode 100644
index 0000000..2a46175
--- /dev/null
+++ b/examples/ca-certificates-local/local/Deep_Thought_Dummy_Root_CA.crt
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICEjCCAXugAwIBAgIBQjANBgkqhkiG9w0BAQUFADAlMSMwIQYDVQQDExpEZWVw
+IFRob3VnaHQgRHVtbXkgUm9vdCBDQTAeFw0xMzA4MjkwMDAwMDBaFw00MjA4Mjgy
+MzU5NTlaMCUxIzAhBgNVBAMTGkRlZXAgVGhvdWdodCBEdW1teSBSb290IENBMIGf
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCi4wCw0vqSVwKXXoDgGmjuL9Ad0lf6
+uFKNUIKnLPu3+iOUorQgUqmqwSj5KF5fEOGcsBDs9IIPZ/nx9y94cELzh8C4x8GA
+6Ch02RVmxRc7+VYD+ZEAo3J19lPZHiVIguVaDkc1bwg3IQRGPv/+BKdwwLUZzJEk
+rsVu3FB/PzS4KQIDAQABo1IwUDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTD
+/9tJ4oqkJmIZdPBmQeFf90s/pzALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQD
+AgAHMA0GCSqGSIb3DQEBBQUAA4GBAB8ySfJ/7YBiLkm3zoS5wcUa9llueA5wExBx
+gCM2yGw0XwPokwZRXZpPi/wYzgbB9f/4gqWIDS6XxsVXssUIChEXdCGcaP3jodN1
+h8Uy+bPWiQNundRZRVW7FDEFz2MDiVdCwQSliSfslzDz3snL0PKvi0IrLTFbu7hG
+yTxhjDIt
+-----END CERTIFICATE-----
diff --git a/examples/ca-certificates-local/local/Makefile b/examples/ca-certificates-local/local/Makefile
new file mode 100644
index 0000000..996cb12
--- /dev/null
+++ b/examples/ca-certificates-local/local/Makefile
@@ -0,0 +1,13 @@
+#
+# Makefile
+#
+
+all:
+
+clean:
+
+install:
+	for p in *.crt; do \
+	 install -m 644 $$p $(LOCALCERTSDIR)/$$p ; \
+	done
+