# Maintainer: Alexey Pavlov <alexpux@gmail.com>
# PKGBUILD is done from fedora repository - https://src.fedoraproject.org/cgit/rpms/ca-certificates.git

_realname=ca-certificates
pkgbase=mingw-w64-${_realname}
pkgname="${MINGW_PACKAGE_PREFIX}-${_realname}"
pkgver=20170211
pkgrel=2
pkgdesc='Common CA certificates (mingw-w64)'
arch=('any')
url='https://packages.qa.debian.org/c/ca-certificates.html'
license=('MPL' 'GPL')
install="ca-certificates-${CARCH}.install"
source=("certdata.txt"
        "nssckbi.h"
        'StartSSL.sca.server1.crt'::'https://www.startssl.com/certs/sca.server1.crt'
        'certdata2pem.py'
        'trust-fixes'
        'update-ca-trust'
        'update-ca-trust.8')
depends=("${MINGW_PACKAGE_PREFIX}-p11-kit")
makedepends=("${MINGW_PACKAGE_PREFIX}-openssl"
             "${MINGW_PACKAGE_PREFIX}-p11-kit"
             "${MINGW_PACKAGE_PREFIX}-python2"
             'asciidoc' 'python2' 'libxslt' 'sed' 'grep')
sha256sums=('dffa79e6aa993f558e82884abf7bb54bf440ab66ee91d82a27a627f6f2a4ace4'
            '0de36b9314a6876dcc8e9bf63eee9766d967cdb4735d350376eb40e02bfd0b82'
            'c5b24a798bd87e2fb710ccac374f56991d6939b80de3fe1a5a15211f1f9fca43'
            '4e96bd7424062d365b75247dfc4b3b6510f09ca5161c0f7c3ce76b10edf633aa'
            'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
            '65fc13d01550be7f89046a62605d6203eb68dba7edf5dbb04a2068b4f7cd2e65'
            'a73c6430e734178b9aa4d303709470383bc2b1cfbeb0d44fe34615df812f479d')

prepare() {
  sed "s|/usr/bin/python|${MINGW_PREFIX}/bin/python2|g" -i certdata2pem.py
  mkdir certs
  mkdir certs/legacy-default
  mkdir certs/legacy-disable
  mkdir java
  cp certdata.txt certs/
}

build() {
  cd ${srcdir}

  pushd certs > /dev/null
  ${MINGW_PREFIX}/bin/python2 ../certdata2pem.py >c2p.log 2>c2p.err
  popd > /dev/null

  (
    cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
# These certificates and trust/distrust attributes use the file format accepted
# by the p11-kit-trust module.
#
# Source: nss/lib/ckfw/builtins/certdata.txt
# Source: nss/lib/ckfw/builtins/nssckbi.h
#
# Generated from:
EOF
    cat nssckbi.h | grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}';
    echo '#';
  ) > ${srcdir}/ca-bundle.trust.crt

  touch ca-bundle.legacy.default.crt
  local NUM_LEGACY_DEFAULT=`find certs/legacy-default -type f | wc -l`
  if [ $NUM_LEGACY_DEFAULT -ne 0 ]; then
     for f in certs/legacy-default/*.crt; do 
       echo "processing $f"
       tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
       alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
       targs=""
       if [ -n "$tbits" ]; then
          for t in $tbits; do
             targs="${targs} -addtrust $t"
          done
       fi
       if [ -n "$targs" ]; then
          echo "legacy default flags $targs for $f" >> info.trust
          openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> ca-bundle.legacy.default.crt
       fi
     done
  fi

  touch ca-bundle.legacy.disable.crt
  NUM_LEGACY_DISABLE=`find certs/legacy-disable -type f | wc -l`
  if [ $NUM_LEGACY_DISABLE -ne 0 ]; then
     for f in certs/legacy-disable/*.crt; do 
       echo "processing $f"
       tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
       alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
       targs=""
       if [ -n "$tbits" ]; then
          for t in $tbits; do
             targs="${targs} -addtrust $t"
          done
       fi
       if [ -n "$targs" ]; then
          echo "legacy disable flags $targs for $f" >> info.trust
          openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> ca-bundle.legacy.disable.crt
       fi
     done
  fi

  # Add custom certificate
  echo '# alias="StartCom Class 1 Primary Intermediate Server CA"' > certs/StartSSL.sca.server1.crt
  echo '# trust=CKA_TRUST_CODE_SIGNING CKA_TRUST_EMAIL_PROTECTION CKA_TRUST_SERVER_AUTH' >> certs/StartSSL.sca.server1.crt
  echo '# distrust=' >> certs/StartSSL.sca.server1.crt
  echo '# openssl-trust=codeSigning emailProtection serverAuth' >> certs/StartSSL.sca.server1.crt
  cat ${srcdir}/StartSSL.sca.server1.crt >> certs/StartSSL.sca.server1.crt

  local P11FILES=`find certs -name \*.tmp-p11-kit | wc -l`
  if [ $P11FILES -ne 0 ]; then
    for p in certs/*.tmp-p11-kit; do 
      cat "$p" >> ${srcdir}/ca-bundle.trust.crt
    done
  fi

  # Append our trust fixes
  cat trust-fixes >> ${srcdir}/ca-bundle.trust.crt
}

package() {
  cd ${srcdir}

  mkdir -p ${pkgdir}${MINGW_PREFIX}/{bin,lib,share}
  mkdir -p ${pkgdir}${MINGW_PREFIX}/etc
  mkdir -p ${pkgdir}${MINGW_PREFIX}/share/man/man8

  sed -e "s|@PREFIX@|${MINGW_PREFIX}|g" -i update-ca-trust
  cp -f update-ca-trust ${pkgdir}${MINGW_PREFIX}/bin/
  cp -f update-ca-trust.8 ${pkgdir}${MINGW_PREFIX}/share/man/man8/

  # for p11-kit
  mkdir -p ${pkgdir}${MINGW_PREFIX}/lib/p11-kit
  cp -f update-ca-trust ${pkgdir}${MINGW_PREFIX}/lib/p11-kit/p11-kit-extract-trust

  mkdir -p ${pkgdir}${MINGW_PREFIX}/share/pki/ca-trust-{source,legacy}
  install -p -m 644 ca-bundle.trust.crt          ${pkgdir}${MINGW_PREFIX}/share/pki/ca-trust-source/ca-bundle.trust.crt
  install -p -m 644 ca-bundle.legacy.default.crt ${pkgdir}${MINGW_PREFIX}/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
  install -p -m 644 ca-bundle.legacy.disable.crt ${pkgdir}${MINGW_PREFIX}/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt

  # touch all files overwritten by update-ca-trust for easy cleanup
  mkdir -p ${pkgdir}${MINGW_PREFIX}/etc/pki/ca-trust/{extracted,source}
  mkdir -p ${pkgdir}${MINGW_PREFIX}/etc/pki/ca-trust/source/{anchors,blacklist}
  mkdir -p ${pkgdir}${MINGW_PREFIX}/etc/pki/ca-trust/extracted/{openssl,pem,java}
  touch ${pkgdir}${MINGW_PREFIX}/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
  touch ${pkgdir}${MINGW_PREFIX}/etc/pki/ca-trust/extracted/pem/{tls,email,objsign}-ca-bundle.pem
  touch ${pkgdir}${MINGW_PREFIX}/etc/pki/ca-trust/extracted/java/cacerts

  # for OpenSSL and static ca-certificates consumers
  mkdir -p ${pkgdir}${MINGW_PREFIX}/ssl/certs
  cp -f ${pkgdir}${MINGW_PREFIX}/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ${pkgdir}${MINGW_PREFIX}/ssl/certs/ca-bundle.crt
  cp -f ${pkgdir}${MINGW_PREFIX}/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ${pkgdir}${MINGW_PREFIX}/ssl/cert.pem
  cp -f ${pkgdir}${MINGW_PREFIX}/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt ${pkgdir}${MINGW_PREFIX}/ssl/certs/ca-bundle.trust.crt
}
