Package init

Makefile.certificate

@@ -0,0 +1,82 @@
+UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
+DAYS=365
+KEYLEN=2048
+TYPE=rsa:$(KEYLEN)
+EXTRA_FLAGS=
+ifdef SERIAL
+	EXTRA_FLAGS+=-set_serial $(SERIAL)
+endif
+
+.PHONY: usage
+.SUFFIXES: .key .csr .crt .pem
+.PRECIOUS: %.key %.csr %.crt %.pem
+
+usage:
+	@echo "This makefile allows you to create:"
+	@echo "  o public/private key pairs"
+	@echo "  o SSL certificate signing requests (CSRs)"
+	@echo "  o self-signed SSL test certificates"
+	@echo
+	@echo "To create a key pair, run \"make SOMETHING.key\"."
+	@echo "To create a CSR, run \"make SOMETHING.csr\"."
+	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
+	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
+	@echo
+	@echo "To create a key for use with Apache, run \"make genkey\"."
+	@echo "To create a CSR for use with Apache, run \"make certreq\"."
+	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
+	@echo
+	@echo "To create a test certificate with serial number other than random, add SERIAL=num"
+	@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
+	@echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
+	@echo
+	@echo Examples:
+	@echo "  make server.key"
+	@echo "  make server.csr"
+	@echo "  make server.crt"
+	@echo "  make stunnel.pem"
+	@echo "  make genkey"
+	@echo "  make certreq"
+	@echo "  make testcert"
+	@echo "  make server.crt SERIAL=1"
+	@echo "  make stunnel.pem EXTRA_FLAGS=-sha384"
+	@echo "  make testcert DAYS=600"
+
+%.pem:
+	umask 77 ; \
+	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
+	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
+	/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
+	cat $$PEM1 >  $@ ; \
+	echo ""    >> $@ ; \
+	cat $$PEM2 >> $@ ; \
+	$(RM) $$PEM1 $$PEM2
+
+%.key:
+	umask 77 ; \
+	/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
+
+%.csr: %.key
+	umask 77 ; \
+	/usr/bin/openssl req $(UTF8) -new -key $^ -out $@
+
+%.crt: %.key
+	umask 77 ; \
+	/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
+
+TLSROOT=/etc/pki/tls
+KEY=$(TLSROOT)/private/localhost.key
+CSR=$(TLSROOT)/certs/localhost.csr
+CRT=$(TLSROOT)/certs/localhost.crt
+
+genkey: $(KEY)
+certreq: $(CSR)
+testcert: $(CRT)
+
+$(CSR): $(KEY)
+	umask 77 ; \
+	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
+
+$(CRT): $(KEY)
+	umask 77 ; \
+	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS)

make-dummy-cert

@@ -0,0 +1,28 @@
+#!/bin/sh
+umask 077
+
+answers() {
+	echo --
+	echo SomeState
+	echo SomeCity
+	echo SomeOrganization
+	echo SomeOrganizationalUnit
+	echo localhost.localdomain
+	echo root@localhost.localdomain
+}
+
+if [ $# -eq 0 ] ; then
+	echo $"Usage: `basename $0` filename [...]"
+	exit 0
+fi
+
+for target in $@ ; do
+	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
+	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
+	trap "rm -f $PEM1 $PEM2" SIGINT
+	answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
+	cat $PEM1 >  ${target}
+	echo ""   >> ${target}
+	cat $PEM2 >> ${target}
+	rm -f $PEM1 $PEM2
+done

openssl-1.1.1-build.patch

@@ -0,0 +1,40 @@
+diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build	2018-06-20 16:48:09.000000000 +0200
++++ openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl	2018-07-16 17:15:38.108831031 +0200
+@@ -680,7 +680,7 @@ uninstall_runtime:
+ install_man_docs:
+ 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ 	@$(ECHO) "*** Installing manpages"
+-	$(PERL) $(SRCDIR)/util/process_docs.pl \
++	TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
+ 		--destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
+ 
+ uninstall_man_docs:
+@@ -692,7 +692,7 @@ uninstall_man_docs:
+ install_html_docs:
+ 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ 	@$(ECHO) "*** Installing HTML manpages"
+-	$(PERL) $(SRCDIR)/util/process_docs.pl \
++	TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
+ 		--destdir=$(DESTDIR)$(HTMLDIR) --type=html
+ 
+ uninstall_html_docs:
+diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8/Configurations/10-main.conf
+--- openssl-1.1.1-pre8/Configurations/10-main.conf.build	2018-06-20 16:48:09.000000000 +0200
++++ openssl-1.1.1-pre8/Configurations/10-main.conf	2018-07-16 17:17:10.312045203 +0200
+@@ -693,6 +693,7 @@ my %targets = (
+         cxxflags         => add("-m64"),
+         lib_cppflags     => add("-DL_ENDIAN"),
+         perlasm_scheme   => "linux64le",
++        multilib         => "64",
+     },
+ 
+     "linux-armv4" => {
+@@ -733,6 +734,7 @@ my %targets = (
+     "linux-aarch64" => {
+         inherit_from     => [ "linux-generic64", asm("aarch64_asm") ],
+         perlasm_scheme   => "linux64",
++        multilib         => "64",
+     },
+     "linux-arm64ilp32" => {  # https://wiki.linaro.org/Platform/arm64-ilp32
+         inherit_from     => [ "linux-generic32", asm("aarch64_asm") ],

openssl.spec

@@ -0,0 +1,163 @@
+%define soversion 1.1
+Name:        openssl
+Epoch:       1
+Version:     1.1.1c
+Release:     2
+Summary:     Cryptography and SSL/TLS Toolkit
+License:     OpenSSL and SSLeay
+URL:         https://www.openssl.org/
+Source0:     https://www.openssl.org/source/old/1.1.1/%{name}-%{version}.tar.gz
+Source1:     Makefile.certificate
+Source2:     make-dummy-cert
+Source3:     renew-dummy-cert
+# Support lib64
+Patch1:      openssl-1.1.1-build.patch
+
+BuildRequires: gcc make lksctp-tools-devel coreutils util-linux
+
+Requires:    coreutils perl ca-certificates crypto-policies
+Recommends:  openssl-pkcs11%{?_isa}
+Obsoletes:   openssl-libs oopenssl-libs%{?_isa} penssl-perl penssl-perl%{?_isa}
+Provides:    openssl-libs = %{epoch}:%{version}-%{release} openssl-perl = %{epoch}:%{version}-%{release}
+Provides:    openssl-libs%{?_isa} = %{epoch}:%{version}-%{release} openssl-perl%{_isa} = %{epoch}:%{version}-%{release}
+
+%description
+OpenSSL is a robust, commercial-grade, and full-featured toolkit for the
+Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
+
+%package devel
+Summary:   Development files for openssl
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: krb5-devel zlib-devel pkgconfig
+Obsoletes: openssl-static openssl-static%{?_isa}
+Provides:  openssl-static openssl-static%{?_isa}
+
+%description devel
+%{summary}.
+
+%package help
+Summary: Man pages for openssl
+BuildArch: noarch
+
+%description help
+%{summary}.
+
+%prep
+%autosetup -n %{name}-%{version} -p1
+
+%build
+
+sslarch=%{_os}-%{_target_cpu}
+%ifarch x86_64 aarch64
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
+
+RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS"
+./Configure \
+    --prefix=%{_prefix} \
+    --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
+    zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
+    enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
+    enable-weak-ssl-ciphers \
+    no-mdc2 no-ec2m no-sm2 no-sm4 \
+    shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
+
+%make_build all
+
+%install
+
+%make_install
+
+# rename so name with actual version
+rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
+# create symbolic link
+for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
+     ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
+     ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
+done
+
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
+install -m644 %{SOURCE1} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
+install -m755 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
+install -m755 %{SOURCE3} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
+
+mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
+mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}
+
+
+mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/{certs,crl,newcerts,private}
+chmod 700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
+
+touch -r %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/{openssl.cnf,ct_log_list.cnf}
+
+
+# rename man pages avoid conflicting with other man pages in system
+%define manpostfix _openssl
+pushd $RPM_BUILD_ROOT%{_mandir}
+ln -s -f config.5 man5/openssl.cnf.5
+for manpage in man*/* ; do
+    if [ -L ${manpage} ]; then
+        targetfile=`ls -l ${manpage} | awk '{print $NF}'`
+        ln -sf ${targetfile}%{manpostfix} ${manpage}%{manpostfix}
+        rm -f ${manpage}
+    else
+        mv ${manpage} ${manpage}%{manpostfix}
+    fi
+done
+popd
+
+rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/*.dist
+
+%check
+make test || :
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%files
+%defattr(-,root,root)
+%license LICENSE
+%doc AUTHORS CHANGES FAQ NEWS README
+%{_pkgdocdir}/Makefile.certificate
+%dir %{_sysconfdir}/pki/tls
+%dir %{_sysconfdir}/pki/tls/certs
+%dir %{_sysconfdir}/pki/tls/misc
+%dir %{_sysconfdir}/pki/tls/private
+%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
+%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
+%dir %{_sysconfdir}/pki/CA
+%dir %{_sysconfdir}/pki/CA/private
+%dir %{_sysconfdir}/pki/CA/certs
+%dir %{_sysconfdir}/pki/CA/crl
+%dir %{_sysconfdir}/pki/CA/newcerts
+%{_bindir}/*
+%{_libdir}/libcrypto.so.%{version}
+%{_libdir}/libcrypto.so.%{soversion}
+%{_libdir}/libssl.so.%{version}
+%{_libdir}/libssl.so.%{soversion}
+%{_libdir}/engines-%{soversion}
+
+%files devel
+%defattr(-,root,root)
+%doc doc/dir-locals.example.el doc/openssl-c-indent.el
+%{_prefix}/include/openssl
+%{_libdir}/pkgconfig/*.pc
+%{_libdir}/*.so
+%{_libdir}/*.a
+
+%files help
+%defattr(-,root,root)
+%{_mandir}/man1/*
+%{_mandir}/man3/*
+%{_mandir}/man5/*
+%{_mandir}/man7/*
+%{_pkgdocdir}/html/
+
+
+%changelog
+* Tue Sep 24 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-2
+- Adjust requires
+
+* Mon Sep 16 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-1
+- Package init

renew-dummy-cert

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+if [ $# -eq 0 ]; then
+	echo $"Usage: `basename $0` filename" 1>&2
+	exit 1
+fi
+
+PEM=$1
+REQ=`/bin/mktemp /tmp/openssl.XXXXXX`
+KEY=`/bin/mktemp /tmp/openssl.XXXXXX`
+CRT=`/bin/mktemp /tmp/openssl.XXXXXX`
+NEW=${PEM}_
+
+trap "rm -f $REQ $KEY $CRT $NEW" SIGINT
+
+if [ ! -f $PEM ]; then
+	echo "$PEM: file not found" 1>&2
+	exit 1
+fi
+
+umask 077
+
+OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'`
+
+openssl rsa -inform pem -in $PEM -out $KEY
+openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ
+openssl x509 -req -in $REQ -signkey $KEY -days 365 \
+	-extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT
+
+(cat $KEY ; echo "" ; cat $CRT) > $NEW
+
+chown $OWNER $NEW
+
+mv -f $NEW $PEM
+
+rm -f $REQ $KEY $CRT
+
+exit 0
+