community/xrdp: generate key and certificate at runtime

See: #12811

community/xrdp/APKBUILD

@@ -2,11 +2,12 @@
 # Maintainer: Alan Lacerda <alacerda@alpinelinux.org>
 pkgname=xrdp
 pkgver=0.9.15
-pkgrel=0
+pkgrel=1
 pkgdesc="Open source RDP server"
 url="https://www.xrdp.org/"
 arch="all"
 license="Apache-2.0"
+install="$pkgname.post-install"
 makedepends="autoconf automake libtool openssl-dev libx11-dev
 	libxfixes-dev libxrandr-dev libjpeg-turbo-dev fuse-dev linux-headers
 	nasm"
@@ -15,6 +16,7 @@ source="https://github.com/neutrinolabs/xrdp/releases/download/v$pkgver/xrdp-$pk
 	xrdp.initd
 	dynamic-link.patch
 	remove-werror.patch
+	openssl.conf
 	"
 
 # secfixes:
@@ -47,12 +49,23 @@ build() {
 package() {
 	make DESTDIR="$pkgdir" install
 
+	install -Dm0644 "$srcdir"/openssl.conf -t "$pkgdir"/etc/xrdp
+
 	install -m755 -D "$srcdir"/$pkgname.initd \
 		"$pkgdir"/etc/init.d/$pkgname
 	ln -s $pkgname $pkgdir/etc/init.d/$pkgname-sesman
+
+	# Remove keys and its configuration generated during the
+	# build process
+	rm -f \
+		"$pkgdir"/etc/xrdp/*.pem \
+		"$pkgdir"/etc/xrdp/rsakeys.ini
 }
 
-sha512sums="5adc9f1ed2046d0c8c96e3ac4701b2e12b303fcb4ba22708e78398d4be32220b91a38d9425ddfebfad76045e14ed2d7886ed2b644971678101349b0ea0c479a6  xrdp-0.9.15.tar.gz
+sha512sums="
+5adc9f1ed2046d0c8c96e3ac4701b2e12b303fcb4ba22708e78398d4be32220b91a38d9425ddfebfad76045e14ed2d7886ed2b644971678101349b0ea0c479a6  xrdp-0.9.15.tar.gz
 22b44398f4014ee67831051d1a1a859c6f4a601d75a03b33142ce7ea1e3f00082134337efb7da69e964f4a369d2b22114973221be2131f384f9459cc8e82fc13  xrdp.initd
 c20de35c4623bcdeae2ba8a740f965b5f320c506ff9a7b9444ec0c8300af518fd3a84b8c28f6e775b7bab73bdac7433be9261d133fc767d953ac54cb2d3b0afd  dynamic-link.patch
-e22d17ad3d7116707bd4259592960175cf7586637228f8c37d92e60430ae38bf71d10667688e2d1db123709a074480b1f2e4e6f279c6ef421cc1c20688cde816  remove-werror.patch"
+e22d17ad3d7116707bd4259592960175cf7586637228f8c37d92e60430ae38bf71d10667688e2d1db123709a074480b1f2e4e6f279c6ef421cc1c20688cde816  remove-werror.patch
+c06de34e3f926d3d580a54a95a97c0fb3069c9fbade65b23bf424609aabb2a42db68eaeaa9540716b93b8d96bc3e75616612eedfa6cd55e736eee3b79c585d4f  openssl.conf
+"

community/xrdp/openssl.conf

+[req]
+distinguished_name = req_distinguished_name
+# The extensions to add to the self signed cert
+x509_extensions = v3_ca
+# Run non-interactively
+prompt = no
+
+[req_distinguished_name]
+# Certificate subject
+#countryName = US
+#stateOrProvinceName = CA
+#localityName = Sunnyvale
+#organizationName = xrdp
+#organizationalUnitName =
+commonName = XRDP
+#emailAddress =
+
+[v3_ca]
+# Extensions for a typical CA - PKIX recommendation.
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical, CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+#keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+#nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+#subjectAltName = email:copy
+# Copy issuer details
+#issuerAltName = issuer:copy
+
+# DER hex encoding of an extension: experts only!
+#obj = DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+#basicConstraints = critical, DER:30:03:01:01:FF

community/xrdp/xrdp.post-install

+#!/bin/sh
+if [ ! -s /etc/xrdp/rsakeys.ini ]; then
+  (umask 377; touch /etc/xrdp/rsakeys.ini; /usr/bin/xrdp-keygen xrdp /etc/xrdp/rsakeys.ini)
+fi
+
+if [ ! -s /etc/xrdp/cert.pem ]; then
+  (umask 377; openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
+    -keyout /etc/xrdp/key.pem \
+    -out /etc/xrdp/cert.pem \
+    -config /etc/xrdp/openssl.conf)
+fi
+
+exit 0