From 54ab2a2c7508d484d7585b9389d35d80424940ba Mon Sep 17 00:00:00 2001
From: Michael Shuler
Date: Thu, 29 Aug 2013 15:45:22 -0500
Subject: Add example ca-certificates-local source package for local CAs
---
examples/ca-certificates-local/Makefile | 14 +++
.../ca-certificates-local/debian/README.Debian | 103 +++++++++++++++++++++
.../debian/ca-certificates-local.triggers | 1 +
examples/ca-certificates-local/debian/changelog | 5 +
examples/ca-certificates-local/debian/compat | 1 +
examples/ca-certificates-local/debian/control | 20 ++++
examples/ca-certificates-local/debian/copyright | 28 ++++++
examples/ca-certificates-local/debian/postrm | 46 +++++++++
examples/ca-certificates-local/debian/rules | 11 +++
.../ca-certificates-local/debian/source/format | 1 +
.../local/Deep_Thought_Dummy_Root_CA.crt | 14 +++
examples/ca-certificates-local/local/Makefile | 13 +++
12 files changed, 257 insertions(+)
create mode 100644 examples/ca-certificates-local/Makefile
create mode 100644 examples/ca-certificates-local/debian/README.Debian
create mode 100644 examples/ca-certificates-local/debian/ca-certificates-local.triggers
create mode 100644 examples/ca-certificates-local/debian/changelog
create mode 100644 examples/ca-certificates-local/debian/compat
create mode 100644 examples/ca-certificates-local/debian/control
create mode 100644 examples/ca-certificates-local/debian/copyright
create mode 100644 examples/ca-certificates-local/debian/postrm
create mode 100755 examples/ca-certificates-local/debian/rules
create mode 100644 examples/ca-certificates-local/debian/source/format
create mode 100644 examples/ca-certificates-local/local/Deep_Thought_Dummy_Root_CA.crt
create mode 100644 examples/ca-certificates-local/local/Makefile
(limited to 'examples')
diff --git a/examples/ca-certificates-local/Makefile b/examples/ca-certificates-local/Makefile
new file mode 100644
index 0000000..a872252
--- /dev/null
+++ b/examples/ca-certificates-local/Makefile
@@ -0,0 +1,14 @@
+#
+# Makefile
+#
+
+LOCALCERTSDIR = /usr/local/share/ca-certificates
+
+all:
+
+clean:
+
+install:
+ mkdir -p $(DESTDIR)/$(LOCALCERTSDIR); \
+ $(MAKE) -C local install LOCALCERTSDIR=$(DESTDIR)/$(LOCALCERTSDIR)
+
diff --git a/examples/ca-certificates-local/debian/README.Debian b/examples/ca-certificates-local/debian/README.Debian
new file mode 100644
index 0000000..2b00b5a
--- /dev/null
+++ b/examples/ca-certificates-local/debian/README.Debian
@@ -0,0 +1,103 @@
+The Debian Package ca-certificates-local
+----------------------------
+
+This package includes local CA certificates to be installed in
+/usr/local/share/ca-certificates. The CA certificates installed by this
+package will be implicitly trusted.
+
+This is an example stub source package that includes a dummy CA
+certificate in the local/ directory. Remove the dummy certificate, copy
+your trusted local root CA (in PEM format with the filename ending in
+.crt) to the local/ directory, edit files in the debian/ directory as
+desired, and build your custom package.
+
+----------------------------
+
+Steps to build your custom local root CA package from this example:
+
+- First, check that your local root CA is in PEM file format, the
+ filename ends in .crt, and that it is properly usable by openssl. This
+ example uses the included dummy CA certificate. Check that your local
+ root CA certificate produces similar output:
+
+ $ openssl x509 -text -in local/Deep_Thought_Dummy_Root_CA.crt
+ Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 66 (0x42)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=Deep Thought Dummy Root CA
+ Validity
+ Not Before: Aug 29 00:00:00 2013 GMT
+ Not After : Aug 28 23:59:59 2042 GMT
+ Subject: CN=Deep Thought Dummy Root CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (1024 bit)
+ Modulus:
+ 00:a2:e3:00:b0:d2:fa:92:57:02:97:5e:80:e0:1a:
+ 68:ee:2f:d0:1d:d2:57:fa:b8:52:8d:50:82:a7:2c:
+ fb:b7:fa:23:94:a2:b4:20:52:a9:aa:c1:28:f9:28:
+ 5e:5f:10:e1:9c:b0:10:ec:f4:82:0f:67:f9:f1:f7:
+ 2f:78:70:42:f3:87:c0:b8:c7:c1:80:e8:28:74:d9:
+ 15:66:c5:17:3b:f9:56:03:f9:91:00:a3:72:75:f6:
+ 53:d9:1e:25:48:82:e5:5a:0e:47:35:6f:08:37:21:
+ 04:46:3e:ff:fe:04:a7:70:c0:b5:19:cc:91:24:ae:
+ c5:6e:dc:50:7f:3f:34:b8:29
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ C3:FF:DB:49:E2:8A:A4:26:62:19:74:F0:66:41:E1:5F:F7:4B:3F:A7
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Netscape Cert Type:
+ SSL CA, S/MIME CA, Object Signing CA
+ Signature Algorithm: sha1WithRSAEncryption
+ 1f:32:49:f2:7f:ed:80:62:2e:49:b7:ce:84:b9:c1:c5:1a:f6:
+ 59:6e:78:0e:70:13:10:71:80:23:36:c8:6c:34:5f:03:e8:93:
+ 06:51:5d:9a:4f:8b:fc:18:ce:06:c1:f5:ff:f8:82:a5:88:0d:
+ 2e:97:c6:c5:57:b2:c5:08:0a:11:17:74:21:9c:68:fd:e3:a1:
+ d3:75:87:c5:32:f9:b3:d6:89:03:6e:9d:d4:59:45:55:bb:14:
+ 31:05:cf:63:03:89:57:42:c1:04:a5:89:27:ec:97:30:f3:de:
+ c9:cb:d0:f2:af:8b:42:2b:2d:31:5b:bb:b8:46:c9:3c:61:8c:
+ 32:2d
+ -----BEGIN CERTIFICATE-----
+ MIICEjCCAXugAwIBAgIBQjANBgkqhkiG9w0BAQUFADAlMSMwIQYDVQQDExpEZWVw
+ IFRob3VnaHQgRHVtbXkgUm9vdCBDQTAeFw0xMzA4MjkwMDAwMDBaFw00MjA4Mjgy
+ MzU5NTlaMCUxIzAhBgNVBAMTGkRlZXAgVGhvdWdodCBEdW1teSBSb290IENBMIGf
+ MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCi4wCw0vqSVwKXXoDgGmjuL9Ad0lf6
+ uFKNUIKnLPu3+iOUorQgUqmqwSj5KF5fEOGcsBDs9IIPZ/nx9y94cELzh8C4x8GA
+ 6Ch02RVmxRc7+VYD+ZEAo3J19lPZHiVIguVaDkc1bwg3IQRGPv/+BKdwwLUZzJEk
+ rsVu3FB/PzS4KQIDAQABo1IwUDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTD
+ /9tJ4oqkJmIZdPBmQeFf90s/pzALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQD
+ AgAHMA0GCSqGSIb3DQEBBQUAA4GBAB8ySfJ/7YBiLkm3zoS5wcUa9llueA5wExBx
+ gCM2yGw0XwPokwZRXZpPi/wYzgbB9f/4gqWIDS6XxsVXssUIChEXdCGcaP3jodN1
+ h8Uy+bPWiQNundRZRVW7FDEFz2MDiVdCwQSliSfslzDz3snL0PKvi0IrLTFbu7hG
+ yTxhjDIt
+ -----END CERTIFICATE-----
+
+- Next copy this example source package somewhere to build as a normal
+ user, for instance your home directory:
+
+ $ cp -a /usr/share/doc/ca-certificates/examples/ca-certificates-local-0.1 ~/
+ $ cd ~/ca-certificates-local-0.1/
+
+- Next, remove the dummy CA certificate, copy your local root CA
+ certificate(s) to the local/ directory, and build the package:
+
+ $ rm local/Deep_Thought_Dummy_Root_CA.crt
+ $ cp /path/to/Your_Local_Root_CA.crt local/
+ $ dpkg-buildpackage -b
+
+- Install the package (or copy it to your local apt repository for
+ installation on lots of machines):
+
+ $ sudo dpkg -i ../ca-certificates-local_0.1_all.deb
+
+- Feel free to edit the files under the debian/ directory for items like
+ the maintainer name and email address, version, etc. to better reflect
+ your own organization. This is just an example to get you started with
+ a proper local root CA package.
+
diff --git a/examples/ca-certificates-local/debian/ca-certificates-local.triggers b/examples/ca-certificates-local/debian/ca-certificates-local.triggers
new file mode 100644
index 0000000..2508bbf
--- /dev/null
+++ b/examples/ca-certificates-local/debian/ca-certificates-local.triggers
@@ -0,0 +1 @@
+activate update-ca-certificates-fresh
diff --git a/examples/ca-certificates-local/debian/changelog b/examples/ca-certificates-local/debian/changelog
new file mode 100644
index 0000000..dccdbf6
--- /dev/null
+++ b/examples/ca-certificates-local/debian/changelog
@@ -0,0 +1,5 @@
+ca-certificates-local (0.1) unstable; urgency=low
+
+ * Initial Release.
+
+ -- System Administrator Thu, 29 Aug 2013 00:42:42 -0000
diff --git a/examples/ca-certificates-local/debian/compat b/examples/ca-certificates-local/debian/compat
new file mode 100644
index 0000000..45a4fb7
--- /dev/null
+++ b/examples/ca-certificates-local/debian/compat
@@ -0,0 +1 @@
+8
diff --git a/examples/ca-certificates-local/debian/control b/examples/ca-certificates-local/debian/control
new file mode 100644
index 0000000..91cecf5
--- /dev/null
+++ b/examples/ca-certificates-local/debian/control
@@ -0,0 +1,20 @@
+Source: ca-certificates-local
+Section: misc
+Priority: extra
+Maintainer: System Administrator
+Build-Depends: debhelper (>= 8.0.0)
+Standards-Version: 3.9.4
+
+Package: ca-certificates-local
+Architecture: all
+Depends: ca-certificates (>= 20130119), ${misc:Depends}
+Description: Local CA certificates
+ This package includes local CA certificates to be installed in
+ /usr/local/share/ca-certificates. The CA certificates installed by this
+ package will be implicitly trusted.
+ .
+ This is an example stub source package that includes a dummy CA
+ certificate in the local/ directory. Remove the dummy certificate, copy
+ your trusted local root CA (in PEM format with the filename ending in
+ ".crt") to the local/ directory, edit files in the debian/ directory as
+ desired, and build your custom package.
diff --git a/examples/ca-certificates-local/debian/copyright b/examples/ca-certificates-local/debian/copyright
new file mode 100644
index 0000000..5ffaab9
--- /dev/null
+++ b/examples/ca-certificates-local/debian/copyright
@@ -0,0 +1,28 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+
+Files: *
+Copyright: 2013 System Administrator
+License: MIT
+
+Files: debian/*
+Copyright: 2013 System Administrator
+License: MIT
+
+License: MIT
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the "Software"),
+ to deal in the Software without restriction, including without limitation
+ the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ and/or sell copies of the Software, and to permit persons to whom the
+ Software is furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/examples/ca-certificates-local/debian/postrm b/examples/ca-certificates-local/debian/postrm
new file mode 100644
index 0000000..beaf187
--- /dev/null
+++ b/examples/ca-certificates-local/debian/postrm
@@ -0,0 +1,46 @@
+#!/bin/sh
+# postrm script for ca-certificates-local
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ # recreate the /usr/local/share/ca-certificates directory, since we are
+ # ignoring Debian Policy by intentionally installing here. Removal of
+ # ca-certificates-local removes this directory if empty.
+ if [ ! -e /usr/local/share/ca-certificates ]; then
+ if mkdir /usr/local/share/ca-certificates 2>/dev/null; then
+ chown root:staff /usr/local/share/ca-certificates
+ chmod 2775 /usr/local/share/ca-certificates
+ fi
+ fi
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/examples/ca-certificates-local/debian/rules b/examples/ca-certificates-local/debian/rules
new file mode 100755
index 0000000..857806f
--- /dev/null
+++ b/examples/ca-certificates-local/debian/rules
@@ -0,0 +1,11 @@
+#!/usr/bin/make -f
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+%:
+ dh $@
+
+# override_dh_usrlocal to do nothing
+override_dh_usrlocal:
+
diff --git a/examples/ca-certificates-local/debian/source/format b/examples/ca-certificates-local/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/examples/ca-certificates-local/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/examples/ca-certificates-local/local/Deep_Thought_Dummy_Root_CA.crt b/examples/ca-certificates-local/local/Deep_Thought_Dummy_Root_CA.crt
new file mode 100644
index 0000000..2a46175
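Review bot: The recreated /usr/local/share/ca-certificates is made group-writable for `staff` (`chown root:staff`, `chmod 2775`) with no comment saying why, although README.Debian states that certificates installed there are implicitly trusted. Presumably the owner and mode mirror what the ca-certificates package itself creates; a comment such as `# owner/mode match the stock directory; members of staff can add trust anchors here` above the `chown` would record that. Sites that actually populate the `staff` group may prefer `chmod 0755` in their own build of this package.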
--- /dev/null
+++ b/examples/ca-certificates-local/local/Deep_Thought_Dummy_Root_CA.crt
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICEjCCAXugAwIBAgIBQjANBgkqhkiG9w0BAQUFADAlMSMwIQYDVQQDExpEZWVw
+IFRob3VnaHQgRHVtbXkgUm9vdCBDQTAeFw0xMzA4MjkwMDAwMDBaFw00MjA4Mjgy
+MzU5NTlaMCUxIzAhBgNVBAMTGkRlZXAgVGhvdWdodCBEdW1teSBSb290IENBMIGf
+MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCi4wCw0vqSVwKXXoDgGmjuL9Ad0lf6
+uFKNUIKnLPu3+iOUorQgUqmqwSj5KF5fEOGcsBDs9IIPZ/nx9y94cELzh8C4x8GA
+6Ch02RVmxRc7+VYD+ZEAo3J19lPZHiVIguVaDkc1bwg3IQRGPv/+BKdwwLUZzJEk
+rsVu3FB/PzS4KQIDAQABo1IwUDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTD
+/9tJ4oqkJmIZdPBmQeFf90s/pzALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQD
+AgAHMA0GCSqGSIb3DQEBBQUAA4GBAB8ySfJ/7YBiLkm3zoS5wcUa9llueA5wExBx
+gCM2yGw0XwPokwZRXZpPi/wYzgbB9f/4gqWIDS6XxsVXssUIChEXdCGcaP3jodN1
+h8Uy+bPWiQNundRZRVW7FDEFz2MDiVdCwQSliSfslzDz3snL0PKvi0IrLTFbu7hG
+yTxhjDIt
+-----END CERTIFICATE-----
diff --git a/examples/ca-certificates-local/local/Makefile b/examples/ca-certificates-local/local/Makefile
new file mode 100644
index 0000000..996cb12
--- /dev/null
+++ b/examples/ca-certificates-local/local/Makefile
@@ -0,0 +1,13 @@
+#
+# Makefile
+#
+
+all:
+
+clean:
+
+install:
+ for p in *.crt; do \
+ install -m 644 $$p $(LOCALCERTSDIR)/$$p ; \
+ done
+
-- cgit v1.2.1
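Review bot: The dummy root is a working trust anchor rather than an inert placeholder: the openssl output in README.Debian shows `CA:TRUE`, a 1024-bit RSA key, a SHA-1 signature and validity until 2042, and the `*.crt` loop in local/Makefile installs whatever is in local/. A package built without the README's `rm local/Deep_Thought_Dummy_Root_CA.crt` step would therefore place it in the directory the README describes as implicitly trusted. Consider a guard at the top of the local/Makefile `install` recipe, for example `@if [ -e Deep_Thought_Dummy_Root_CA.crt ]; then echo "remove the dummy CA before building" >&2; exit 1; fi`, or shipping the file under a name the `*.crt` glob does not match.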
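Review bot: A failed `install` in any iteration but the last is ignored in the `for p in *.crt` loop, because the shell returns only the status of the final command, so the package can build with a CA certificate silently missing. Exiting on the first failure and quoting the file name covers both that and names containing spaces: `install -m 644 "$$p" "$(LOCALCERTSDIR)/$$p" || exit 1 ; \`.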