PKGBUILDs/core/nss/bundle.sh

#!/bin/sh
# From Fedora's ca-certificates.spec

(
  cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
# format and have trust bits set accordingly.
# An exception are auxiliary certificates, without positive or negative
# trust, but are used to assist in finding a preferred trust path.
# Those neutral certificates use the plain BEGIN CERTIFICATE format.
#
# Source: nss/lib/ckfw/builtins/certdata.txt
# Source: nss/lib/ckfw/builtins/nssckbi.h
#
# Generated from:
EOF
  cat certs/nssckbi.h | grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}'
  echo '#'
) > ca-bundle.trust.crt
for f in certs/*.crt; do 
  echo "processing $f"
  tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
  distbits=`sed -n '/^# openssl-distrust/{s/^.*=//;p;}' $f`
  alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
  targs=""
  if [ -n "$tbits" ]; then
    for t in $tbits; do
       targs="${targs} -addtrust $t"
    done
  fi
  if [ -n "$distbits" ]; then
    for t in $distbits; do
       targs="${targs} -addreject $t"
    done
  fi
  if [ -n "$targs" ]; then
    echo "trust flags $targs for $f" >> info.trust
    openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> ca-bundle.trust.crt
  else
    echo "no trust flags for $f" >> info.notrust
    # p11-kit-trust defines empty trust lists as "rejected for all purposes".
    # That's why we use the simple file format
    #   (BEGIN CERTIFICATE, no trust information)
    # because p11-kit-trust will treat it as a certificate with neutral trust.
    # This means we cannot use the -setalias feature for neutral trust certs.
    openssl x509 -text -in "$f" >> ca-bundle.neutral-trust.crt
  fi
done

for p in certs/*.p11-kit; do 
  cat "$p" >> ca-bundle.supplement.p11-kit
done