From 22dfdf251521a568eb1dc00351a0917d98995862 Mon Sep 17 00:00:00 2001 From: Jian-Hong Pan Date: Fri, 4 Feb 2022 16:09:41 +0800 Subject: [PATCH] install: Trust NHI root CA cert The original nhiicc service keeps showing the error: mLNHIICC[6737]: 140048003425856:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert number 46 Then, the HTTPs/wss server fails to start, until the NHI root cert is trusted manually. The NHI root cert is installed as /usr/share/NHIICC/cert/ca.crt by the package. This patch trusts the self generated NHI root CA cert when post_install and removes the trust when pre_remove. Also, adds the p11-kit as the dependency for the trust command. --- .SRCINFO | 3 ++- PKGBUILD | 4 ++-- nhiicc.install | 6 ++++++ 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/.SRCINFO b/.SRCINFO index bf8e5ab..1489687 100644 --- a/.SRCINFO +++ b/.SRCINFO @@ -1,12 +1,13 @@ pkgbase = nhiicc pkgdesc = 台灣健保卡網路註冊憑證元件 (National Health Insurance IC Card) pkgver = 20210824.02 - pkgrel = 1 + pkgrel = 2 epoch = 1 url = https://cloudicweb.nhi.gov.tw/cloudic/system/SMC/mEventesting.htm install = nhiicc.install arch = x86_64 license = custom + depends = p11-kit depends = pcsclite depends = sed optdepends = lib32-pcsclite: for using card readers with 32-bit driver only diff --git a/PKGBUILD b/PKGBUILD index 89fdc93..212a179 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -3,13 +3,13 @@ pkgname=nhiicc epoch=1 pkgver=20210824.02 -pkgrel=1 +pkgrel=2 arch=(x86_64) url='https://cloudicweb.nhi.gov.tw/cloudic/system/SMC/mEventesting.htm' license=(custom) pkgdesc='台灣健保卡網路註冊憑證元件 (National Health Insurance IC Card)' # sed is for commands in nhiicc.install -depends=(pcsclite sed) +depends=(p11-kit pcsclite sed) optdepends=( 'lib32-pcsclite: for using card readers with 32-bit driver only' ) diff --git a/nhiicc.install b/nhiicc.install index 288422c..35eb8b0 100644 --- a/nhiicc.install +++ b/nhiicc.install 
@@ -1,6 +1,12 @@ post_install() { echo 127.0.0.1 iccert.nhi.gov.tw >> /etc/hosts echo /etc/hosts is modified to make NHIICC work. Please review its contents if you wish. + + trust anchor /usr/share/NHIICC/cert/ca.crt +} + +pre_remove() { + trust anchor --remove /usr/share/NHIICC/cert/ca.crt } post_remove() { -- 2.35.1
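Review bot: In the PKGBUILD hunk, the comment above depends still reads "# sed is for commands in nhiicc.install", but p11-kit is now added for the same reason: it provides the trust command that nhiicc.install calls. Extend the comment to name p11-kit as well, so the dependency is not dropped later as apparently unused.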
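Review bot: In the nhiicc.install hunk, post_install adds /usr/share/NHIICC/cert/ca.crt to the system-wide trust store silently, while the /etc/hosts change directly above it gets an echo notice asking the user to review it. A root CA in the system store is seen by every application that uses that store, not only by nhiicc, so print a matching notice that names the certificate path and states that pre_remove withdraws the trust. The visible lines also add no post_upgrade hook, so a user upgrading from pkgrel 1 does not run post_install and would still hit the "certificate unknown" alert from the commit message; consider running the same trust anchor line on upgrade. The exit status of trust anchor is not checked in either function, so a failed call passes without any message.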