# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4

PortSystem          1.0

name                apple-pki-bundle
# The version is the date of the certificate snapshot; it also names the
# per-version download directory (dist_subdir below), which is what keeps
# re-fetched files from colliding with older ones.
version             2022-11-12
revision            0
categories          net www security
license             OpenSSL
maintainers         {ieee.org:s.t.smith @essandess} openmaintainer
# Only certificate files and shell scripts are installed (see destroot), so
# there is nothing architecture-specific to build.
supported_archs     noarch
platforms           {darwin any}

description         Apple PKI certificate bundle

long_description    Installs a bundle of certification authority certificates \
                    (CA certs) used on Apple devices.

homepage            https://www.apple.com/certificateauthority/

# Each URL carries a tag (":appleca", ":digicert", ...) that the distfiles
# list below uses to select a download location per file.  Note that
# GeoTrust_Global_CA.crt is fetched from a third-party mirror
# (tbs-certificats.com) rather than from the CA itself; it is still pinned by
# its rmd160/sha256/size entries in checksums, so a changed file fails
# checksum verification instead of entering the trust bundle.
master_sites        https://www.apple.com/appleca:appleca \
                    https://www.apple.com/certificateauthority:certificateauthority \
                    https://developer.apple.com/certificationauthority:certificationauthority \
                    https://geotrust.tbs-certificats.com:geotrust \
                    https://cacerts.digicert.com:digicert

# Every file listed here is pinned in the checksums block below.  All Apple
# files come from the certificateauthority site except AppleIncRootCertificate
# (appleca) and AppleWWDRCA.cer, which is served from the developer site
# (certificationauthority tag).  The .cer files are converted from DER to PEM
# in the build phase; the .crt files are used as-is when file(1) already
# reports them as PEM.
distfiles           AppleIncRootCertificate.cer:appleca \
                    AppleComputerRootCertificate.cer:certificateauthority \
                    AppleRootCA-G2.cer:certificateauthority \
                    AppleRootCA-G3.cer:certificateauthority \
                    AppleISTCA2G1.cer:certificateauthority \
                    AppleISTCA8G1.cer:certificateauthority \
                    AppleAAICA.cer:certificateauthority \
                    AppleAAI2CA.cer:certificateauthority \
                    AppleAAICAG3.cer:certificateauthority \
                    AppleApplicationIntegrationCA5G1.cer:certificateauthority \
                    DevAuthCA.cer:certificateauthority \
                    DeveloperIDCA.cer:certificateauthority \
                    AppleSoftwareUpdateCertificationAuthority.cer:certificateauthority \
                    AppleTimestampCA.cer:certificateauthority \
                    AppleWWDRCA.cer:certificationauthority \
                    AppleWWDRCAG2.cer:certificateauthority \
                    AppleWWDRCAG3.cer:certificateauthority \
                    AppleWWDRCAG5.cer:certificateauthority \
                    AppleWWDRCAG6.cer:certificateauthority \
                    GeoTrust_Global_CA.crt:geotrust \
                    GeoTrustPCA-G2.crt:digicert

# all updates of these certs will be "stealth updates";
# see: https://trac.macports.org/wiki/PortfileRecipes#stealth-updates
dist_subdir         ${name}/${version}

# Two digests plus the byte size per distfile.  Because the upstream file
# names never change (stealth updates), these entries are the port's guard
# against a silently replaced certificate: a mismatch stops the port before
# the file reaches the build phase.  Update them together with `version`
# whenever a certificate is refreshed upstream.
checksums           AppleIncRootCertificate.cer \
                    rmd160  f86e77359a6a61f20fd8eb0deb854ad5a510412a \
                    sha256  b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024 \
                    size    1215 \
                    AppleComputerRootCertificate.cer \
                    rmd160  fb3672c5e3c74df263e193b8e3df845dd6d33c51 \
                    sha256  0d83b611b648a1a75eb8558400795375cad92e264ed8e9d7a757c1f5ee2bb22d \
                    size    1470 \
                    AppleRootCA-G2.cer \
                    rmd160  300b620e7c4f611e907ae48aebfa8c1858e55a1c \
                    sha256  c2b9b042dd57830e7d117dac55ac8ae19407d38e41d88f3215bc3a890444a050 \
                    size    1430 \
                    AppleRootCA-G3.cer \
                    rmd160  4b9f77626fc3b924f105f58c99af71e157c6c2d6 \
                    sha256  63343abfb89a6a03ebb57e9b3f5fa7be7c4f5c756f3017b3a8c488c3653e9179 \
                    size    583 \
                    AppleISTCA2G1.cer \
                    rmd160  f6c2ce67929e860f399e26309af603a2e8c942f9 \
                    sha256  b0d40aa5f024f98e7adc0b10f19764f71030cfaf3dcc4ddc6600869499c9baaa \
                    size    1146 \
                    AppleISTCA8G1.cer \
                    rmd160  49d458253b7801341f6280efb5d46338c4688875 \
                    sha256  63ed1030fe1001060589f4e8ac955768fc0880bcc42be7d906d590e327a57142 \
                    size    1216 \
                    AppleAAICA.cer \
                    rmd160  b4ccf1798244801aa784b7ff0c049c963a20ca29 \
                    sha256  2528ba7d9348d6cbc83b169b24860ae7a87a6359c0e5274626edfe8f6c04e2b8 \
                    size    1489 \
                    AppleAAI2CA.cer \
                    rmd160  d623a06611224ea258af9aba8e7f90f5a3dc5b50 \
                    sha256  d3496f4b73cd67aab9f2fcb1d5aa41f8dc457769c455c792b70ddb19e92023d6 \
                    size    1052 \
                    AppleAAICAG3.cer \
                    rmd160  5cf343caf0c2836cb7c374f4489af1925da544cb \
                    sha256  a64b099dbd73ebb036b4204e1675e8aa821637d09b84980899104ad59d664a3b \
                    size    754 \
                    AppleApplicationIntegrationCA5G1.cer \
                    rmd160  acea444545ee49c6f7bb852e87aa9cee44cc3546 \
                    sha256  c0d8efbea821079d1b8a98e1198bfcc669331fa7a9c14f09b969f0af08ce4a43 \
                    size    765 \
                    DevAuthCA.cer \
                    rmd160  130856ebc4cc8503fd3bc253b115f1ad50aafd32 \
                    sha256  341ff0b1753889eb5f36921a7386129f302ce4ff603fabaebf06e01fdb236860 \
                    size    1051 \
                    DeveloperIDCA.cer \
                    rmd160  829a7ac0b3daab8b8ab7c5252599b1491aa9d987 \
                    sha256  7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f \
                    size    1032 \
                    AppleSoftwareUpdateCertificationAuthority.cer \
                    rmd160  969679b4511ae94133497c0014e9a95154336ff0 \
                    sha256  1299e9bfe776a29ff452f8c4f5e55f3b4dfd2934349dd1850b8274f35c71745c \
                    size    1136 \
                    AppleTimestampCA.cer \
                    rmd160  414a1dc61e313c238adc47f1d8380aa5bb400173 \
                    sha256  5eb2b6f76a173e6876ccaca696817bf1a0575e8d5f2a81653e1ddf8dafb751fc \
                    size    1456 \
                    AppleWWDRCA.cer \
                    rmd160  56edfda4fc5664a5431c4fef431d60ac43c5e872 \
                    sha256  ce057691d730f89ca25e916f7335f4c8a15713dcd273a658c024023f8eb809c2 \
                    size    1062 \
                    AppleWWDRCAG2.cer \
                    rmd160  0d4330029e28cb238e264d3bc238d4b1798e9385 \
                    sha256  9ed4b3b88c6a339cf1387895bda9ca6ea31a6b5ce9edf7511845923b0c8ac94c \
                    size    763 \
                    AppleWWDRCAG3.cer \
                    rmd160  17665bab909900697ee8a9c558b56d986dd8e3e4 \
                    sha256  dcf21878c77f4198e4b4614f03d696d89c66c66008d4244e1b99161aac91601f \
                    size    1109 \
                    AppleWWDRCAG5.cer \
                    rmd160  b20a437bdd39e2d960a51164badb7124094e083e \
                    sha256  53fd008278e5a595fe1e908ae9c5e5675f26243264a5a6438c023e3ce2870760 \
                    size    1113 \
                    AppleWWDRCAG6.cer \
                    rmd160  505ae3637933095ddf6cb40aa12bf0b1ded0ab09 \
                    sha256  bdd4ed6e74691f0c2bfd01be0296197af1379e0418e2d300efa9c3bef642ca30 \
                    size    794 \
                    GeoTrust_Global_CA.crt \
                    rmd160  b481fa4b7532b3d6b353463267df2eafeea8a043 \
                    sha256  9bde21d1c3414421fc6ff9ae79f1688c0193bc1cd0f1417f9adf0cdbed3b6250 \
                    size    1236 \
                    GeoTrustPCA-G2.crt \
                    rmd160  fc4e5fc888b926cd12871ac9b650cf68b028736e \
                    sha256  5edb7ac43b82a06a8761e8d7be4979ebf2611f7dd79bf91c1c6b566a219ed766 \
                    size    690

# non-Apple CAs in the bundle
# for f in ${worksrcpath}/*.pem; do openssl x509 -inform pem -text -noout -in ${f}; done | grep 'CN = ' | grep -v Apple

# Working copy of the macOS system-root certificates in PEM form; build feeds
# it to pems_that_wont_expire_soon.sh.  post-extract creates it from
# system_roots_keychain_default.
set system_roots_keychain \
                    "${worksrcpath}/macOS System Roots.pem"
# Source of the system roots: by default the snapshot shipped in files/
# (the date in its name suggests 2021-11-01); the +system_roots_keychain
# variant redirects this to a file exported from the running system instead.
set system_roots_keychain_default \
                    "${filespath}/macOS System Roots 20211101.pem"

# Install location of the bundle and its helper scripts (see destroot).
set pki_dir         ${prefix}/share/${name}
# Final bundle written by build.
set pki_bundle      ${name}.pem
# Intermediate bundle: concatenation of every PEM in ${worksrcpath}/pemfiles.
set pki_bundle_downloaded   ${name}_downloaded.pem

# The variant body only redirects the "default" roots path to a file inside
# ${worksrcpath}; the actual export from the SystemRootCertificates keychain
# happens in post-extract when the variant is set.
variant system_roots_keychain \
    description {Use /System/Library/Keychains/SystemRootCertificates.keychain.} {
        # Overrides the files/ snapshot chosen above.
        set system_roots_keychain_default \
                    "${worksrcpath}/macOS System Roots native.pem"
}

variant additional_pki_bundle \
    description {Add PKI bundle used by GitHub assets, possibly others.} {
    # How the chain served by github.githubassets.com was inspected when this
    # list was assembled:
    # openssl s_client -showcerts github.githubassets.com:443 | sed -E '1,/^---$/d' | sed '/^---$/,$d' 1> cert.pem
    # openssl x509 -text -noout -in cert.pem
    # openssl verify -CAfile trustedCAs.pem cert.pem

    # All four files are fetched from the digicert master site and pinned
    # below.  NOTE(review): judging by their names, only
    # DigiCertHighAssuranceEVRootCA is a root; the other three look like
    # issuing intermediates.  Confirm that consumers of the bundle expect
    # intermediates to be present as trust anchors.
    distfiles-append \
                    DigiCertHighAssuranceEVRootCA.crt:digicert \
                    DigiCertSHA2HighAssuranceServerCA.crt:digicert \
                    DigiCertTLSHybridECCSHA3842020CA1-1.crt:digicert \
                    DigiCertTLSRSASHA2562020CA1-1.crt:digicert

    checksums-append \
                    DigiCertHighAssuranceEVRootCA.crt \
                    rmd160  96b6f2d9f8e1ad3fa1868b3b9053160ef8b282c8 \
                    sha256  7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf \
                    size    969 \
                    DigiCertSHA2HighAssuranceServerCA.crt \
                    rmd160  a2f7fc7707f0ff19f19c85070e1ab1e29793793d \
                    sha256  19400be5b7a31fb733917700789d2f0a2471c0c9d506c0e504c06c16d7cb17c0 \
                    size    1205 \
                    DigiCertTLSHybridECCSHA3842020CA1-1.crt \
                    rmd160  1343b2ded7573c390e5f1405e1044ff5774b5afd \
                    sha256  f7a9a1b2fd964a3f2670bd668d561fb7c55d3aa9ab8391e7e169702db8a3dbcf \
                    size    1051 \
                    DigiCertTLSRSASHA2562020CA1-1.crt \
                    rmd160  68d5f2b0e1dd6cf8a96d0b4d23a9de5aba203265 \
                    sha256  52274c57ce4dee3b49db7a7ff708c040f771898b3be88725a86fb4430182fe14 \
                    size    1218
}

# Both variants are on by default: roots exported from the running system
# plus the DigiCert files.
default_variants    +system_roots_keychain +additional_pki_bundle

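# Fetch ${url} and write the last PEM certificate block found in the response
# body to ${pem} (a relative ${pem} is placed in ${worksrcpath}).
#
# The block is selected the way the former uu-tac/sed pipeline selected it:
# from the last "-----BEGIN CERTIFICATE-----" marker to the first
# "-----END CERTIFICATE-----" marker after it.  Differences from that
# pipeline: curl runs without a shell, so ${url} and ${pem} are never
# word-split; a failed download or HTTP error aborts the build instead of
# leaving a file behind (the pipeline's exit status was sed's, not curl's,
# and stderr was merged into the data); and a body without a certificate
# block is an error rather than being written out verbatim.
#
# Nothing here verifies the content against a pinned digest: the material
# written comes straight from the TLS response body of ${url}.
proc url_to_pem {url pem} {
    global worksrcpath
    set begin_marker "-----BEGIN CERTIFICATE-----"
    set end_marker "-----END CERTIFICATE-----"

    # -f: fail on HTTP errors; -s -S: quiet except for real errors;
    # -L: follow redirects.  exec raises on a non-zero exit status.
    set body [exec curl -fsSL $url 2>@stderr]

    set start [string last $begin_marker $body]
    if {$start < 0} {
        error "url_to_pem: no certificate block in response from ${url}"
    }
    set stop [string first $end_marker $body $start]
    if {$stop < 0} {
        error "url_to_pem: unterminated certificate block in response from ${url}"
    }
    set last [expr {$stop + [string length $end_marker] - 1}]
    set cert [string range $body $start $last]

    set out [open [file join $worksrcpath $pem] w]
    puts $out $cert
    close $out
}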

# Build-time tools: coreutils-uutils provides uu-tac; file(1) drives the
# PEM/DER detection in build; openssl converts DER distfiles to PEM.
# NOTE(review): the reason for the libstdbuf.so dependency is not evident
# from this Portfile -- confirm it is still required.
depends_build-append \
                    path:libexec/coreutils/libstdbuf.so:coreutils \
                    port:coreutils-uutils \
                    port:file \
                    path:bin/openssl:openssl

# Nothing is unpacked: the distfiles are read directly from ${distpath} in
# build.  ${worksrcpath} still has to exist for the files that post-extract
# and build create there.
extract.only
extract.mkdir       yes

post-extract {
    # Directories for the helper scripts and for the per-file PEM
    # conversions that build fills in.
    xinstall -d ${workpath}/bin ${worksrcpath}/pemfiles

    # Apple's PKI test hosts, see
    # https://www.apple.com/certificateauthority/public/
    # Each one serves a certificate block that url_to_pem writes into
    # ${worksrcpath}.  NOTE(review): neither glob in build reads
    # ${worksrcpath}/*.pem directly; presumably one of the helper scripts
    # picks these files up -- confirm.
    set apple_test_sites [list \
        https://valid-aaa-rsa.apple.com/ apsrsa12g1.pem \
        https://valid-aaa-ecc.apple.com/ apsecc12g1.pem \
        https://valid-gr2-rsa.apple.com/ apevsrsa1g1.pem \
        https://valid-har-rsa.apple.com/ apevsrsa2g1.pem \
        https://valid-gr3-ecc.apple.com/ apevsecc1g1.pem]
    foreach {site pemname} $apple_test_sites {
        url_to_pem $site $pemname
    }

    # +system_roots_keychain: export the system root keychain as PEM; that
    # export becomes the "default" roots file.  NOTE(review): `-a` appears
    # to export every entry in the keychain file irrespective of its trust
    # settings -- confirm that is intended.
    if {[variant_isset "system_roots_keychain"]} {
        set export_cmd "security find-certificate -a -p"
        append export_cmd " /System/Library/Keychains/SystemRootCertificates.keychain"
        append export_cmd " > '${system_roots_keychain_default}'"
        system -W ${worksrcpath} $export_cmd
    }

    # Either the exported file or the snapshot from files/ becomes the roots
    # file build works from.
    xinstall ${system_roots_keychain_default} "${system_roots_keychain}"

    # Helper scripts used by build and shipped by destroot.
    foreach script {pems_not_in_pemfile.sh pems_that_wont_expire_soon.sh pems_add_to_macOS_System_Keychain.sh} {
        xinstall -m 0755 ${filespath}/${script} ${workpath}/bin
    }
}

# No configure step: the port only converts and concatenates certificate files.
use_configure       no

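# Type description of ${path} as reported by file(1) ("PEM certificate",
# "ASCII text", ...), or "" if file(1) cannot be run or fails.  file is run
# directly rather than through /bin/sh, so a path is never word-split or
# interpreted by a shell.
proc pem_file_type {path} {
    if {[catch {exec file -b $path 2>@stderr} description]} {
        return ""
    }
    return [string trim $description]
}

build {
    # 1. Normalise every distfile to PEM in ${worksrcpath}/pemfiles: files
    #    file(1) already reports as PEM/text are copied, everything else
    #    (the DER .cer files) is converted with openssl.
    foreach distfile [glob ${distpath}/*.{cer,crt,der,pem}] {
        if {![file isfile $distfile]} {
            continue
        }
        regsub {\.(cer|crt|der|pem)$} [file tail $distfile] .pem pemname
        if {[regexp {^(PEM certificate|ASCII text)$} [pem_file_type $distfile]]} {
            file copy $distfile ${worksrcpath}/pemfiles/${pemname}
        } else {
            # -text keeps the human-readable dump in front of the PEM block.
            # Paths are single-quoted so the shell does not split them.
            system -W ${worksrcpath}/pemfiles \
                "openssl x509 -inform der -outform pem -text -in '${distfile}' -out '${pemname}'"
        }
    }

    # 2. Concatenate the PEM files into ${pki_bundle_downloaded}.  Only files
    #    file(1) recognises as PEM/text are taken; anything else is skipped
    #    with a warning.  "ASCII text" is a weak filter: it is acceptable only
    #    because pemfiles/ holds nothing but checksummed distfiles and the
    #    openssl output from step 1.
    set outfile [open ${worksrcpath}/${pki_bundle_downloaded} w]
    set failed [catch {
        foreach pemfile [glob ${worksrcpath}/pemfiles/*.pem] {
            if {![regexp {^(PEM certificate|ASCII text)$} [pem_file_type $pemfile]]} {
                ui_warn "Not installing ${pemfile} because it is not a PEM file."
                continue
            }
            set in [open $pemfile r]
            set data [read $in]
            close $in
            puts -nonewline $outfile $data
            # Keep each certificate on its own lines even if a source file
            # has no trailing newline; otherwise its END marker would fuse
            # with the next file's BEGIN marker.
            if {$data ne "" && [string index $data end] ne "\n"} {
                puts $outfile ""
            }
        }
    } err]
    # Close the bundle on the error path too, then re-raise.
    close $outfile
    if {$failed} {
        error $err
    }

    # 3. Assemble the final bundle with the helper scripts copied to
    #    ${workpath}/bin in post-extract: judging by their names, the first
    #    keeps the system roots that are not about to expire, the second
    #    appends downloaded CAs that are not already present.
    set temp_bundle ${pki_bundle}-temp
    close [open ${worksrcpath}/${temp_bundle} w]
    system -W ${worksrcpath} \
        "${workpath}/bin/pems_that_wont_expire_soon.sh '${system_roots_keychain}' >> ${temp_bundle}"
    copy ${worksrcpath}/${temp_bundle} ${worksrcpath}/${pki_bundle}
    system -W ${worksrcpath} \
        "${workpath}/bin/pems_not_in_pemfile.sh ${pki_bundle_downloaded} ${temp_bundle} >> ${pki_bundle}"
}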

destroot {
    # The bundle goes to ${pki_dir}; the helper scripts next to it in bin/.
    set target_dir ${destroot}${pki_dir}
    xinstall -d ${target_dir}/bin
    xinstall ${worksrcpath}/${pki_bundle} ${target_dir}
    foreach script [glob -directory ${workpath}/bin *.sh] {
        xinstall -m 0755 ${script} ${target_dir}/bin
    }
}

# Post-install message.  The script it points at is one of the helpers
# installed from files/ into ${pki_dir}/bin by destroot; it modifies the
# system keychain, hence the backup advice.
notes "\
    To add trusted certificates to the macOS System Keychain\
    (/Library/Keychains/System.keychain), please see the script\
    ${pki_dir}/bin/pems_add_to_macOS_System_Keychain.sh,\
    and make sure that you have a reliable backup of the keychain\
    before running the script.
"
