# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Contributor: William Pitcock <nenolod@dereferenced.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=ca-certificates
pkgver=20170726
pkgrel=0
pkgdesc="Common CA certificates PEM files"
url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/"
arch="all"
license="MPL 2.0 GPL2+"
depends=""
makedepends="python3 libressl-dev"
subpackages="$pkgname-doc"
# c_rehash is either in libcrypto1.0 or openssl depending on package, grr.  replace both of them
replaces="libcrypto1.0 openssl"
options="!fhs"
triggers="ca-certificates.trigger=/usr/share/ca-certificates:/usr/local/share/ca-certificates:/etc/ssl/certs:/etc/ca-certificates/update.d"
install="$pkgname.post-deinstall"
source="blacklist.txt
	certdata.txt
	certdata2pem.py
	update-ca-certificates.8
	update-ca.c
	c_rehash.c
	"
builddir="$srcdir"

build () {
	cd "$builddir"
	python3 certdata2pem.py

	${CC:-gcc} ${CFLAGS} -o update-ca-certificates "$srcdir"/update-ca.c ${LDFLAGS}
	${CC:-gcc} ${CFLAGS} -o c_rehash "$srcdir"/c_rehash.c -lcrypto ${LDFLAGS}
}

package() {
	cd "$builddir"

	install -d -m755 "$pkgdir"/etc/ca-certificates/update.d \
		"$pkgdir"/usr/bin \
		"$pkgdir"/usr/sbin \
		"$pkgdir"/usr/share/ca-certificates \
		"$pkgdir"/usr/local/share/ca-certificates \
		"$pkgdir"/etc/ssl/certs

	for cert in *.crt; do
		install -D -m644 $cert "$pkgdir"/usr/share/ca-certificates/mozilla/$cert
	done

	install -D -m644 update-ca-certificates.8 \
		"$pkgdir"/usr/share/man/man8/update-ca-certificates.8

	(
		echo "# Automatically generated by ${pkgname}-${pkgver}-${pkgrel}"
		echo "# $(date -u)"
		echo "# Do not edit."
		cd "$pkgdir"/usr/share/ca-certificates
		find . -name '*.crt' | sort | cut -b3-
	) > "$pkgdir"/etc/ca-certificates.conf

	# http://bugs.alpinelinux.org/issues/2715
	# http://bugs.alpinelinux.org/issues/2846
	install -m755 update-ca-certificates "$pkgdir"/usr/sbin

	install -m755 c_rehash "$pkgdir"/usr/bin

	mkdir -p "$pkgdir"/etc/apk/protected_paths.d
	cat > "$pkgdir"/etc/apk/protected_paths.d/ca-certificates.list <<-EOF
		-etc/ssl/certs/ca-certificates.crt
		-etc/ssl/certs/ca-cert-*.pem
		-etc/ssl/certs/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[r0-9]*
	EOF

	cat > "$pkgdir"/etc/ca-certificates/update.d/certhash <<-EOF
		#!/bin/sh
		exec /usr/bin/c_rehash /etc/ssl/certs
	EOF
	chmod +x "$pkgdir"/etc/ca-certificates/update.d/certhash
}

sha512sums="14cc0a98809080c298ba94e9fec41a8d34d8ea0fca02a9498aa86b9d8f7ae20424dfe2b6dd73e5c9a4d7cc17b30cae052457e88a864419d8d0f4e0059ff0eb26  blacklist.txt
9a12c4dd37c08513acf4269be82a5f5e79d399b5a9fdef9c37a14543fee777d4e8df8778ec0f368b97f775368d4e9f7825817105cde51ee24f401adb2e86e785  certdata.txt
540b1eda64c1774373ca63fe97917218e43462e2ef201a7248288192aa330ae47d1260d916cfee31b292f800d9bc5b73a9ded86dc78863d16d3d8f9f8abdee9d  certdata2pem.py
741bab04ea2a164951cf9338dff1278a3fd8acd500506a5b4c3fbb6ad5a96c533042867b10d927261fb8e08b8026de22fb63440a9ac4360fc0cb5b5572883b06  update-ca-certificates.8
b3122866eabaccab248142a3a0131c763757da0f851941a28741bf2f9b377e3bcea08efa91865d6bec5b3525398a662054b291dd00cf80ad52ab69c3be30f361  update-ca.c
ce32e104f995818f237c21ec09c4252c3c0e7421a6eabaab9a7a82e6abf66814d412db43d16ff51dee119b824e7418334f6919f621afa75e03a23c31dccacfcc  c_rehash.c"