%global nspr_build_version 4.25.0

%global nspr_version 4.25.0

%global nss_version 3.67.0

%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools

%global saved_files_dir %{_libdir}/nss/saved

%global dracutlibdir %{_prefix}/lib/dracut

%global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/

%global dracut_conf_dir %{dracutlibdir}/dracut.conf.d

# The timestamp of our downstream manual pages, e.g., nss-config.1

%global manual_date "Nov 13 2013"

%bcond_without tests

# Produce .chk files for the final stripped binaries

#

# NOTE: The LD_LIBRARY_PATH line guarantees shlibsign links

# against the freebl that we just built. This is necessary

# because the signing algorithm changed on 3.14 to DSA2 with SHA256

# whereas we previously signed with DSA and SHA1. We must Keep this line

# until all mock platforms have been updated.

# After %%{__os_install_post} we would add

# export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%%{_libdir}

%define __spec_install_post \

    %{?__debug_package:%{__debug_install_post}} \

    %{__arch_install_post} \

    %{__os_install_post} \

    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \

    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \

    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \

    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so \

%{nil}

# The upstream omits the trailing ".0", while we need it for

# consistency with the pkg-config version:

# https://bugzilla.redhat.com/show_bug.cgi?id=1578106

%{lua:

rpm.define(string.format("nss_archive_version %s",

           string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1")))

}

%{lua:

rpm.define(string.format("nss_release_tag NSS_%s_RTM",

           string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))

}

Summary:          Network Security Services

Name:             nss

Version:          %{nss_version}

Release:          6%{?dist}

License:          MPLv2.0

URL:              http://www.mozilla.org/projects/security/pki/nss/

Requires:         nspr >= %{nspr_version}

Requires:         nss-util >= %{nss_version}

# TODO: revert to same version as nss once we are done with the merge

Requires:         nss-softokn%{_isa} >= %{nss_version}

Requires:         nss-system-init

Requires:         p11-kit-trust

Requires:         /usr/bin/update-crypto-policies

BuildRequires:    nspr-devel >= %{nspr_build_version}

# for shlibsign

BuildRequires:    nss-softokn

BuildRequires:    sqlite-devel

BuildRequires:    zlib-devel

BuildRequires:    pkgconfig

BuildRequires:    gawk

BuildRequires:    psmisc

BuildRequires:    perl-interpreter

BuildRequires:    gcc-c++

Source0:          https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{name}-%{nss_archive_version}.tar.gz

Source1:          nss-util.pc.in

Source2:          nss-util-config.in

Source3:          nss-softokn.pc.in

Source4:          nss-softokn-config.in

Source6:          nss-softokn-dracut-module-setup.sh

Source7:          nss-softokn-dracut.conf

Source8:          nss.pc.in

Source9:          nss-config.in

Source10:         blank-cert8.db

Source11:         blank-key3.db

Source12:         blank-secmod.db

Source13:         blank-cert9.db

Source14:         blank-key4.db

Source15:         system-pkcs11.txt

Source16:         setup-nsssysinit.sh

Source20:         nss-config.xml

Source21:         setup-nsssysinit.xml

Source22:         pkcs11.txt.xml

Source23:         cert8.db.xml

Source24:         cert9.db.xml

Source25:         key3.db.xml

Source26:         key4.db.xml

Source27:         secmod.db.xml

Source28:         nss-p11-kit.config

Source30:         PayPalEE.cert

# To inject hardening flags for DSO

Patch1:           nss-dso-ldflags.patch

# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723

Patch2:           nss-539183.patch

# This patch uses the GCC -iquote option documented at

# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options

# to give the in-tree headers a higher priority over the system headers,

# when they are included through the quote form (#include "file.h").

#

# This ensures a build even when system headers are older. Such is the

# case when starting an update with API changes or even private export

# changes.

#

# Once the buildroot aha been bootstrapped the patch may be removed

# but it doesn't hurt to keep it.

Patch4:           iquote.patch

# To revert the change in:

# https://bugzilla.mozilla.org/show_bug.cgi?id=818686

Patch9:		  nss-sysinit-userdb.patch

# Disable nss-sysinit test which is solely to test the above change

Patch10:	  nss-skip-sysinit-gtests.patch

# For compatibility reasons, we stick with the old PKCS #11 2.40

# definition of CK_GCM_PARAMS:

%if 0%{?fedora} < 34

%if 0%{?rhel} < 9

Patch20:          nss-gcm-param-default-pkcs11v2.patch

%endif

%endif

# Local patch: disable MD5 (also MD2 and MD4) completely

# https://bugzilla.redhat.com/show_bug.cgi?id=1849938

Patch25:         nss-disable-md5.patch

# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers

Patch30:          rhbz1185708-enable-ecc-3des-ciphers-by-default.patch

# Local patch: disable Delegated Credentials

Patch35:	  nss-disable-dc.patch

# Local patch: ignore rsa, rsa-pss, ecdsa policies until crypto-policies

# is updated.

Patch40:          nss-3.66-disable-signature-policies.patch

# Local patch: disable tests that require external reference so brew completes

Patch45:          nss-3.66-disable-external-host-test.patch

# Local patch: restore old pkcs 12 defaults on old version of rhel

Patch50:          nss-3.66-restore-old-pkcs12-default.patch

# Patches that should be upstreamed, and (hopefully) will disappear next

# rebase

# Need upstream bug

Patch219:         nss-3.44-kbkdf-coverity.patch

# no upsteam bug yet

Patch225:         nss-3.67-fix-private-key-mac.patch

# no upstream bug yet

Patch229:         nss-3.53.1-measure-fix.patch

# no upstream bug yet

Patch230:         nss-3.66-no-small-primes.patch

# no upstream bug yet

Patch232:         nss-3.66-fix-gtest-parsing.patch

# no upstream bug yet

Patch233:         nss-3.67-fix-coverity-issues.patch

# no upstream bug yet

Patch234:         nss-3.67-fix-sdb-timeout.patch

# no upstream bug yet

Patch235:         nss-3.67-fix-ssl-alerts.patch

%description

Network Security Services (NSS) is a set of libraries designed to

support cross-platform development of security-enabled client and

server applications. Applications built with NSS can support SSL v2

and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509

v3 certificates, and other security standards.

%package tools

Summary:          Tools for the Network Security Services

Requires:         %{name}%{?_isa} = %{version}-%{release}

%description tools

Network Security Services (NSS) is a set of libraries designed to

support cross-platform development of security-enabled client and

server applications. Applications built with NSS can support SSL v2

and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509

v3 certificates, and other security standards.

Install the nss-tools package if you need command-line tools to

manipulate the NSS certificate and key database.

%package sysinit

Summary:          System NSS Initialization

# providing nss-system-init without version so that it can

# be replaced by a better one, e.g. supplied by the os vendor

Provides:         nss-system-init

Requires:         nss%{?_isa} = %{version}-%{release}

Requires(post):   coreutils, sed

%description sysinit

Default Operating System module that manages applications loading

NSS globally on the system. This module loads the system defined

PKCS #11 modules for NSS and chains with other NSS modules to load

any system or user configured modules.

%package devel

Summary:          Development libraries for Network Security Services

Provides:         nss-static = %{version}-%{release}

Requires:         nss%{?_isa} = %{version}-%{release}

Requires:         nss-util-devel

Requires:         nss-softokn-devel

Requires:         nspr-devel >= %{nspr_version}

Requires:         pkgconfig

BuildRequires:    xmlto

%description devel

Header and Library files for doing development with Network Security Services.

%package pkcs11-devel

Summary:          Development libraries for PKCS #11 (Cryptoki) using NSS

Provides:         nss-pkcs11-devel-static = %{version}-%{release}

Requires:         nss-devel = %{version}-%{release}

Requires:         nss-softokn-freebl-devel = %{version}-%{release}

%description pkcs11-devel

Library files for developing PKCS #11 modules using basic NSS

low level services.

%package util

Summary:          Network Security Services Utilities Library

Requires:         nspr >= %{nspr_version}

%description util

Utilities for Network Security Services and the Softoken module

%package util-devel

Summary:          Development libraries for Network Security Services Utilities

Requires:         nss-util%{?_isa} = %{version}-%{release}

Requires:         nspr-devel >= %{nspr_version}

Requires:         pkgconfig

%description util-devel

Header and library files for doing development with Network Security Services.

%package softokn

Summary:          Network Security Services Softoken Module

Requires:         nspr >= %{nspr_version}

Requires:         nss-util >= %{version}-%{release}

Requires:         nss-softokn-freebl%{_isa} >= %{version}-%{release}

%description softokn

Network Security Services Softoken Cryptographic Module

%package softokn-freebl

Summary:          Freebl library for the Network Security Services

# For PR_GetEnvSecure() from nspr >= 4.12

Requires:         nspr >= 4.12

# For NSS_SecureMemcmpZero() from nss-util >= 3.33

Requires:         nss-util >= 3.33

Conflicts:        nss < 3.12.2.99.3-5

Conflicts:        filesystem < 3

%description softokn-freebl

NSS Softoken Cryptographic Module Freebl Library

Install the nss-softokn-freebl package if you need the freebl library.

%package softokn-freebl-devel

Summary:          Header and Library files for doing development with the Freebl library for NSS

Provides:         nss-softokn-freebl-static = %{version}-%{release}

Requires:         nss-softokn-freebl%{?_isa} = %{version}-%{release}

%description softokn-freebl-devel

NSS Softoken Cryptographic Module Freebl Library Development Tools

This package supports special needs of some PKCS #11 module developers and

is otherwise considered private to NSS. As such, the programming interfaces

may change and the usual NSS binary compatibility commitments do not apply.

Developers should rely only on the officially supported NSS public API.

%package softokn-devel

Summary:          Development libraries for Network Security Services

Requires:         nss-softokn%{?_isa} = %{version}-%{release}

Requires:         nss-softokn-freebl-devel%{?_isa} = %{version}-%{release}

Requires:         nspr-devel >= %{nspr_version}

Requires:         nss-util-devel >= %{version}-%{release}

Requires:         pkgconfig

BuildRequires:    nspr-devel >= %{nspr_build_version}

%description softokn-devel

Header and library files for doing development with Network Security Services.

%prep

%autosetup -N -n %{name}-%{nss_archive_version}

pushd nss

%autopatch -p1

popd

# https://bugzilla.redhat.com/show_bug.cgi?id=1247353

find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;

#update paypal cert (git binary patches don't work with autopatch)

cp %{SOURCE30} nss/tests/libpkix/certs/

%build

export FREEBL_NO_DEPEND=1

# Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets

# copied to dist and the rpm install phase can find it

# This due of the upstream changes to fix

# https://bugzilla.mozilla.org/show_bug.cgi?id=717906

export FREEBL_LOWHASH=1

# uncomment if the iquote patch is activated

export IN_TREE_FREEBL_HEADERS_FIRST=1

export NSS_FORCE_FIPS=1

# Enable compiler optimizations and disable debugging code

export BUILD_OPT=1

# Uncomment to disable optimizations

#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`

#export RPM_OPT_FLAGS

# Generate symbolic info for debuggers

export XCFLAGS=$RPM_OPT_FLAGS

export LDFLAGS=$RPM_LD_FLAGS

export DSO_LDFLAGS=$RPM_LD_FLAGS

export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1

export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1

export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`

export NSPR_LIB_DIR=%{_libdir}

export NSS_USE_SYSTEM_SQLITE=1

export NSS_ALLOW_SSLKEYLOGFILE=1

export NSS_SEED_ONLY_DEV_URANDOM=1

%ifnarch noarch

%if 0%{__isa_bits} == 64

export USE_64=1

%endif

%endif

# Set the policy file location

# if set NSS will always check for the policy file and load if it exists

export POLICY_FILE="nss.config"

# location of the policy file

export POLICY_PATH="/etc/crypto-policies/back-ends"

%{__make} -C ./nss all

%{__make} -C ./nss latest

# build the man pages clean

pushd ./nss/doc

rm -rf ./nroff

make clean

echo -n %{manual_date} > date.xml

echo -n %{version} > version.xml

make

popd

# and copy them to the dist directory for %%install to find them

mkdir -p ./dist/docs/nroff

cp ./nss/doc/nroff/* ./dist/docs/nroff

# Set up our package files

mkdir -p ./dist/pkgconfig

cat %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \

                          -e "s,%%prefix%%,%{_prefix},g" \

                          -e "s,%%exec_prefix%%,%{_prefix},g" \

                          -e "s,%%includedir%%,%{_includedir}/nss3,g" \

                          -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \

                          -e "s,%%NSSUTIL_VERSION%%,%{version},g" > \

                          ./dist/pkgconfig/nss-util.pc

NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | awk '{print $3}'`

NSSUTIL_VMINOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMINOR" | awk '{print $3}'`

NSSUTIL_VPATCH=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VPATCH" | awk '{print $3}'`

cat %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \

                          -e "s,@prefix@,%{_prefix},g" \

                          -e "s,@exec_prefix@,%{_prefix},g" \

                          -e "s,@includedir@,%{_includedir}/nss3,g" \

                          -e "s,@MOD_MAJOR_VERSION@,$NSSUTIL_VMAJOR,g" \

                          -e "s,@MOD_MINOR_VERSION@,$NSSUTIL_VMINOR,g" \

                          -e "s,@MOD_PATCH_VERSION@,$NSSUTIL_VPATCH,g" \

                          > ./dist/pkgconfig/nss-util-config

chmod 755 ./dist/pkgconfig/nss-util-config

cat %{SOURCE3} | sed -e "s,%%libdir%%,%{_libdir},g" \

                          -e "s,%%prefix%%,%{_prefix},g" \

                          -e "s,%%exec_prefix%%,%{_prefix},g" \

                          -e "s,%%includedir%%,%{_includedir}/nss3,g" \

                          -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \

                          -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \

                          -e "s,%%SOFTOKEN_VERSION%%,%{version},g" > \

                          ./dist/pkgconfig/nss-softokn.pc

SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'`

SOFTOKEN_VMINOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'`

SOFTOKEN_VPATCH=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'`

cat %{SOURCE4} | sed -e "s,@libdir@,%{_libdir},g" \

                          -e "s,@prefix@,%{_prefix},g" \

                          -e "s,@exec_prefix@,%{_prefix},g" \

                          -e "s,@includedir@,%{_includedir}/nss3,g" \

                          -e "s,@MOD_MAJOR_VERSION@,$SOFTOKEN_VMAJOR,g" \

                          -e "s,@MOD_MINOR_VERSION@,$SOFTOKEN_VMINOR,g" \

                          -e "s,@MOD_PATCH_VERSION@,$SOFTOKEN_VPATCH,g" \

                          > ./dist/pkgconfig/nss-softokn-config

chmod 755 ./dist/pkgconfig/nss-softokn-config

cat %{SOURCE8} | sed -e "s,%%libdir%%,%{_libdir},g" \

                          -e "s,%%prefix%%,%{_prefix},g" \

                          -e "s,%%exec_prefix%%,%{_prefix},g" \

                          -e "s,%%includedir%%,%{_includedir}/nss3,g" \

                          -e "s,%%NSS_VERSION%%,%{version},g" \

                          -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \

                          -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \

                          -e "s,%%SOFTOKEN_VERSION%%,%{nss_version},g" > \

                          ./dist/pkgconfig/nss.pc

NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`

NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`

NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`

cat %{SOURCE9} | sed -e "s,@libdir@,%{_libdir},g" \

                          -e "s,@prefix@,%{_prefix},g" \

                          -e "s,@exec_prefix@,%{_prefix},g" \

                          -e "s,@includedir@,%{_includedir}/nss3,g" \

                          -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \

                          -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \

                          -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \

                          > ./dist/pkgconfig/nss-config

chmod 755 ./dist/pkgconfig/nss-config

cat %{SOURCE16} > ./dist/pkgconfig/setup-nsssysinit.sh

chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh

cp ./nss/lib/ckfw/nssck.api ./dist/private/nss/

date +"%e %B %Y" | tr -d '\n' > date.xml

echo -n %{version} > version.xml

# configuration files and setup script

for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do

  cp ${m} .

done

for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do

  xmlto man ${m}

done

# nss databases considered to be configuration files

for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do

  cp ${m} .

done

for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do

  xmlto man ${m}

done

%check

%if %{with tests}

# Begin -- copied from the build section

export FREEBL_NO_DEPEND=1

export BUILD_OPT=1

%ifnarch noarch

%if 0%{__isa_bits} == 64

export USE_64=1

%endif

%endif

# End -- copied from the build section

# This is necessary because the test suite tests algorithms that are

# disabled by the system policy.

export NSS_IGNORE_SYSTEM_POLICY=1

# enable the following line to force a test failure

# find ./nss -name \*.chk | xargs rm -f

# Run test suite.

# In order to support multiple concurrent executions of the test suite

# (caused by concurrent RPM builds) on a single host,

# we'll use a random port. Also, we want to clean up any stuck

# selfserv processes. If process name "selfserv" is used everywhere,

# we can't simply do a "killall selfserv", because it could disturb

# concurrent builds. Therefore we'll do a search and replace and use

# a different process name.

# Using xargs doesn't mix well with spaces in filenames, in order to

# avoid weird quoting we'll require that no spaces are being used.

SPACEISBAD=`find ./nss/tests | grep -c ' '` ||:

if [ $SPACEISBAD -ne 0 ]; then

  echo "error: filenames containing space are not supported (xargs)"

  exit 1

fi

MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:

RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:

DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:

pushd "$DISTBINDIR"

ln -s selfserv $RANDSERV

popd

# man perlrun, man perlrequick

# replace word-occurrences of selfserv with selfserv_$MYRAND

find ./nss/tests -type f |\

  grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\

  grep -vw CVS  |xargs grep -lw selfserv |\

  xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:

killall $RANDSERV || :

rm -rf ./tests_results

pushd nss/tests

# all.sh is the test suite script

#  don't need to run all the tests when testing packaging

export NSS_DEFAULT_DB_TYPE=dbm  #in RHEL 8, the default db is sql, but we want

                                # standard to test dbm, or upgradedb will fail

%define nss_cycles "standard pkix upgradedb sharedb threadunsafe"

#  the full list from all.sh is:

#  "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"

%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"

#  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy

#  nss_ssl_run: cov auth stapling stress

#

# Uncomment these lines if you need to temporarily

# disable some test suites for faster test builds

# % define nss_ssl_tests "normal_fips"

# % define nss_ssl_run "cov"

HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh

popd

%endif

%install

# There is no make install target so we'll do it ourselves.

mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3

mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3/templates

mkdir -p $RPM_BUILD_ROOT/%{_bindir}

mkdir -p $RPM_BUILD_ROOT/%{_libdir}

mkdir -p $RPM_BUILD_ROOT/%{unsupported_tools_directory}

mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig

mkdir -p $RPM_BUILD_ROOT/%{saved_files_dir}

mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir}

mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir}

mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d

%if %{defined rhel}

# not needed for rhel and its derivatives only fedora

%else

# because of the pp.1 conflict with perl-PAR-Packer

mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools

%endif

install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh

install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf

mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1

mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5

# Copy the binary libraries we want

for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so

do

  install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}

done

# Install the empty NSS db files

# Legacy db

mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb

install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db

install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db

install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db

# Shared db

install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db

install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db

install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt

# Copy the development libraries we want

for file in libcrmf.a libnssb.a libnssckfw.a

do

  install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}

done

# Copy the binaries we want

for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap

do

  install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}

done

# Copy the binaries we ship as unsupported

for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain

do

  install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}

done

# Copy the include files we want

for file in dist/public/nss/*.h

do

  install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3

done

# Copy some freebl include files we also want

for file in blapi.h alghmac.h cmac.h

do

  install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3

done

# Copy the static freebl library

for file in libfreebl.a

do

install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}

done

# Copy the template files we want

for file in dist/private/nss/templates.c dist/private/nss/nssck.api

do

  install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates

done

# Copy the package configuration files

install -p -m 644 ./dist/pkgconfig/nss-util.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc

install -p -m 755 ./dist/pkgconfig/nss-util-config $RPM_BUILD_ROOT/%{_bindir}/nss-util-config

install -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc

install -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config

install -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc

install -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config

# Copy the pkcs #11 configuration script

install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh

# install a symbolic link to it, without the ".sh" suffix,

# that matches the man page documentation

ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit

# Copy the man pages for scripts

for f in nss-config setup-nsssysinit; do

   install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1

done

# Copy the man pages for the nss tools

for f in certutil cmsutil crlutil derdump modutil nss-policy-check pk12util signtool signver ssltap vfychain vfyserv; do

  install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1

done

%if %{defined rhel}

install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1

%else

install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1

%endif

# Copy the man pages for the configuration files

for f in pkcs11.txt; do

   install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5

done

# Copy the man pages for the nss databases

for f in cert8.db cert9.db key3.db key4.db secmod.db; do

   install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5

done

# Copy the crypto-policies configuration file

install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d

%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3

# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet

# from previous versions of nss.spec

/usr/bin/setup-nsssysinit.sh on

%posttrans

update-crypto-policies --no-reload &> /dev/null || :

%files

%{!?_licensedir:%global license %%doc}

%license nss/COPYING

%{_libdir}/libnss3.so

%{_libdir}/libssl3.so

%{_libdir}/libsmime3.so

%dir %{_sysconfdir}/pki/nssdb

%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db

%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db

%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db

%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db

%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db

%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt

%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config

%doc %{_mandir}/man5/cert8.db.5*

%doc %{_mandir}/man5/key3.db.5*

%doc %{_mandir}/man5/secmod.db.5*

%doc %{_mandir}/man5/cert9.db.5*

%doc %{_mandir}/man5/key4.db.5*

%doc %{_mandir}/man5/pkcs11.txt.5*

%files sysinit

%{_libdir}/libnsssysinit.so

%{_bindir}/setup-nsssysinit.sh

# symbolic link to setup-nsssysinit.sh

%{_bindir}/setup-nsssysinit

%doc %{_mandir}/man1/setup-nsssysinit.1*

%files tools

%{_bindir}/certutil

%{_bindir}/cmsutil

%{_bindir}/crlutil

%{_bindir}/modutil

%{_bindir}/nss-policy-check

%{_bindir}/pk12util

%{_bindir}/signver

%{_bindir}/ssltap

%{unsupported_tools_directory}/atob

%{unsupported_tools_directory}/btoa

%{unsupported_tools_directory}/derdump

%{unsupported_tools_directory}/listsuites