From 1602b195c552444cef7065c1540150abdb35cd9d Mon Sep 17 00:00:00 2001
From: Bananymous
Date: Tue, 28 Apr 2026 02:19:57 +0300
Subject: [PATCH] ports: Rework ssl certificates

ca-certificates:
- update to 2026.03.19
- install to /etc/cacert
- extract individual ceritificates from the bundle
openssl:
- depend on ca-certificates
- install hashed symlinks to individual certs
curl:
- don't depend on ca-certificates; openssl handles this
- set both ca-bundle and ca-path
---
 ports/ca-certificates/build.sh | 13 ++++++++-----
 ports/curl/build.sh | 6 +++---
 ports/openssl/build.sh | 17 ++++++++++++++++-
 3 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/ports/ca-certificates/build.sh b/ports/ca-certificates/build.sh
index 62bd7f20..9a583ab8 100755
--- a/ports/ca-certificates/build.sh
+++ b/ports/ca-certificates/build.sh
@@ -1,8 +1,8 @@
 #!/bin/bash ../install.sh

 NAME='ca-certificates'
-VERSION='2025-12-02'
-DOWNLOAD_URL="https://curl.se/ca/cacert-$VERSION.pem#f1407d974c5ed87d544bd931a278232e13925177e239fca370619aba63c757b4"
+VERSION='2026.03.19'
+DOWNLOAD_URL="https://curl.se/ca/cacert-${VERSION//./-}.pem#b6e66569cc3d438dd5abe514d0df50005d570bfc96c14dca8f768d020cb96171"

 configure() {
  :
@@ -13,7 +13,10 @@ build() {
 }

 install() {
- mkdir -p "$BANAN_SYSROOT/etc/ssl/certs"
- cp -v "../cacert-$VERSION.pem" "$BANAN_SYSROOT/etc/ssl/certs/ca-certificates.crt"
- ln -svf "certs/ca-certificates.crt" "$BANAN_SYSROOT/etc/ssl/cert.pem"
+ rm -rf "$BANAN_SYSROOT/etc/cacert/extracted"
+ mkdir -p "$BANAN_SYSROOT/etc/cacert/extracted"
+
+ cp -vf "../cacert-${VERSION//./-}.pem" "$BANAN_SYSROOT/etc/cacert/cacert.pem"
+ awk '/-----BEGIN CERTIFICATE-----/ {c=1;n++} c {print > sprintf("cert%03d.pem", n)} /-----END CERTIFICATE-----/ {c=0}' "../cacert-${VERSION//./-}.pem"
+ mv cert*.pem "$BANAN_SYSROOT/etc/cacert/extracted/"
 }
diff --git a/ports/curl/build.sh b/ports/curl/build.sh
index d4845126..e567d8a2 100755
--- a/ports/curl/build.sh
+++ b/ports/curl/build.sh
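Review bot: In `ports/ca-certificates/build.sh`, install() has awk write `cert%03d.pem` into the current directory and then runs `mv cert*.pem`, so any file already matching that glob in the build directory (for example one left by an interrupted earlier run) is moved into `/etc/cacert/extracted`, the directory the openssl port later hashes as trust anchors. Writing straight into the freshly created target directory removes the dependence on the working directory: `awk -v dir="$BANAN_SYSROOT/etc/cacert/extracted" '/-----BEGIN CERTIFICATE-----/ {c=1; f=sprintf("%s/cert%03d.pem", dir, ++n)} c {print > f} /-----END CERTIFICATE-----/ {c=0; close(f)}' "../cacert-${VERSION//./-}.pem"`, with the `mv` line dropped. The `close(f)` also stops awk from holding one open output file per certificate, which some awk implementations cap.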
@@ -3,7 +3,7 @@
 NAME='curl'
 VERSION='8.17.0'
 DOWNLOAD_URL="https://curl.se/download/curl-$VERSION.tar.xz#955f6e729ad6b3566260e8fef68620e76ba3c31acf0a18524416a185acf77992"
-DEPENDENCIES=('ca-certificates' 'openssl' 'zlib' 'zstd')
+DEPENDENCIES=('openssl' 'zlib' 'zstd')
 CONFIG_SUB=('config.sub')
 CONFIGURE_OPTIONS=(
  '--disable-threaded-resolver'
@@ -16,6 +16,6 @@ CONFIGURE_OPTIONS=(
  '--with-zlib'
  '--with-zstd'
  '--without-libpsl'
- '--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt'
- '--without-ca-path'
+ '--with-ca-path=/etc/ssl/certs'
+ '--with-ca-bundle=/etc/ssl/certs/ca-bundle.crt'
 )
diff --git a/ports/openssl/build.sh b/ports/openssl/build.sh
index 481067ba..03d74c75 100755
--- a/ports/openssl/build.sh
+++ b/ports/openssl/build.sh
@@ -3,9 +3,24 @@
 NAME='openssl'
 VERSION='3.6.0'
 DOWNLOAD_URL="https://github.com/openssl/openssl/releases/download/openssl-$VERSION/openssl-$VERSION.tar.gz#b6a5f44b7eb69e3fa35dbf15524405b44837a481d43d81daddde3ff21fcbb8e9"
-DEPENDENCIES=('zlib')
+DEPENDENCIES=('ca-certificates' 'zlib')
 MAKE_INSTALL_TARGETS=('install_sw' 'install_ssldirs')

 configure() {
  ./Configure --prefix=/usr --openssldir=/etc/ssl -DOPENSSL_USE_IPV6=0 no-asm no-tests banan_os-generic threads zlib
 }
+
+post_install() {
+ rm -f "$BANAN_SYSROOT/etc/ssl/certs"/*
+
+ ln -svf "../cacert/cacert.pem" "$BANAN_SYSROOT/etc/ssl/cert.pem"
+ ln -svf "../../cacert/cacert.pem" "$BANAN_SYSROOT/etc/ssl/certs/ca-certificates.crt"
+ ln -svf "../../cacert/cacert.pem" "$BANAN_SYSROOT/etc/ssl/certs/ca-bundle.crt"
+
+ openssl rehash "$BANAN_SYSROOT/etc/cacert/extracted"
+ find "$BANAN_SYSROOT/etc/cacert/extracted" -type l -print0 |
+ while IFS= read -r -d '' link; do
+ ln -s "../../cacert/extracted/$(readlink "$link")" "$BANAN_SYSROOT/etc/ssl/certs/${link##*/}"
+ rm "$link"
+ done
+}
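Review bot: In `ports/openssl/build.sh`, post_install() names each link in `/etc/ssl/certs` after a certificate's subject hash but points it at `../../cacert/extracted/certNNN.pem`, and those files are numbered by position in the bundle and rewritten by the ca-certificates port's install(). If ca-certificates is later reinstalled with a different bundle and this post_install() is not re-run, existing links can resolve to a different certificate or to nothing, so lookups through the CA path can fail; whether the ports tooling rebuilds dependents is not visible in this patch. A comment above the function such as `# Hashed links point at index-named files from ca-certificates; re-run after every ca-certificates update` would record that coupling. Separately, `openssl rehash` resolves `openssl` from PATH, so this presumably requires a host OpenSSL that provides `rehash`. Writing the cleanup as `rm -f "${BANAN_SYSROOT:?}/etc/ssl/certs"/*` would keep it from expanding to the host's `/etc/ssl/certs` if the variable were ever empty, and the same guard fits the `rm -rf` in ca-certificates' install().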