%global version     2023.11.23
%global dl_url      http://acraiz.icpbrasil.gov.br/credenciadas/CertificadosAC-ICP-Brasil

%define __openssl   %{_bindir}/openssl

Name:               ca-certificates-brazil
Version:            %{version}
Release:            1%{?dist}
Summary:            The ICP-Brasil root certificate bundle

License:            Public Domain
URL:                https://www.gov.br/iti/pt-br/assuntos/icp-brasil
Source0:            %{dl_url}/ACcompactado.zip
Source1:            %{dl_url}/hashsha512.txt

Source10:           https://letsencrypt.org/certs/isrg-root-x2.pem
Source11:           https://letsencrypt.org/certs/lets-encrypt-e1.pem
Source12:           https://letsencrypt.org/certs/lets-encrypt-e2.pem
Source13:           https://letsencrypt.org/certs/lets-encrypt-r3.pem
Source14:           https://letsencrypt.org/certs/lets-encrypt-r4.pem

BuildArch:          noarch
BuildRequires:      %{__openssl}
BuildRequires:      %{_bindir}/mktemp
BuildRequires:      %{_bindir}/unzip

%description
The Brazilian Public Key Infrastructure - ICP-Brasil is a hierarchical chain 
of trust that enables the issuance of digital certificates for the virtual 
identification of citizens.

It is observed that the model adopted by Brazil was single-root certification,
and the ITI, in addition to playing the role of Root Certifying Authority - Root AC,
also has the role of accrediting and discrediting the other participants in the 
chain, supervise and audit the processes.

%prep
pushd %{_sourcedir}
  sha512sum -c %{SOURCE1} || exit -1
popd
%autosetup -c

%build
set +x

crt2bundle() {
  out=${1}
  shift

  in=''
  for c in ${*}; do 
    echo "+ Loading CA certificate: ${c}";
    in="${in} -certfile ${c}"; 
  done;

  %{__openssl} crl2pkcs7 -nocrl ${in} | openssl pkcs7 -print_certs -out ${out}
}

crt2bundle isrg-root-x2.crt %{SOURCE10}
crt2bundle lets-encrypt-ca-bundle.crt %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14}
crt2bundle icp-brasil-ca-bundle.crt *.crt

set -x


%install
%{__rm} -rf %{buildroot}
%{__install} -d -m0755 %{buildroot}%{_datadir}/pki/ca-trust-source/anchors
%{__install} -D -m0644 isrg-root-x2.crt %{buildroot}%{_datadir}/pki/ca-trust-source/anchors/
%{__install} -D -m0644 lets-encrypt-ca-bundle.crt %{buildroot}%{_datadir}/pki/ca-trust-source/anchors/
%{__install} -D -m0644 icp-brasil-ca-bundle.crt %{buildroot}%{_datadir}/pki/ca-trust-source/anchors/


%files
%{_datadir}/pki/ca-trust-source/anchors/isrg-root-x2.crt
%{_datadir}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
%{_datadir}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt


%post -p %{_bindir}/update-ca-trust
%postun -p %{_bindir}/update-ca-trust

%changelog
* Thu Nov 23 2023 Christian Tosta <devel@cpuhouse.com.br> - 2023.11.23-1
- Updated to 2023.11.23

* Mon May 08 2023 Christian Tosta <devel@cpuhouse.com.br> - 2023.05.02-1
- Updated to 2023.05.02

* Wed Jan 25 2023 Christian Tosta <devel@cpuhouse.com.br> - 2023.03.06-1
- Updated to 2023.03.06

* Wed Jan 25 2023 Christian Tosta <devel@cpuhouse.com.br> - 2023.01.17-1
- Updated to 2023.01.17

* Thu Nov 10 2022 Christian Tosta <devel@cpuhouse.com.br> - 2022.10.24-1
- Updated to 2022.10.24

* Tue Oct 04 2022 Christian Tosta <devel@cpuhouse.com.br> - 2022.09.26-1
- Updated to version 2022.09.26

* Thu Sep 08 2022 Christian Tosta <devel@cpuhouse.com.br> - 2022.09.05-2
- Updated to 2022.09.05

* Mon Jul 18 2022 Christian Tosta <devel@cpuhouse.com.br> - 2022.06.13-1
- Initial package