author | sangwan.kwon <sangwan.kwon@samsung.com> | 2016-08-31 17:58:36 +0900 |
committer | sangwan.kwon <sangwan.kwon@samsung.com> | 2016-09-02 14:07:25 +0900 |
commit | e1dff866ee124a973d3e1604abb50962dcc528cb (patch) | |
tree | ce4583489337cae618d1b816db4db2dc6a28106b | |
parent | f22a5688bec05a24db4d630658e3cda7d33e6fbe (diff) | |
Add platform upgrade script about system certs
* For the Tizen 2.4 -> 3.0 upgrade
Change-Id: I225fddefe1ee41902576ed628fc9ee62498e8f8d
Signed-off-by: sangwan.kwon <sangwan.kwon@samsung.com>
-rw-r--r-- | etc/CMakeLists.txt | 14 | ||||
-rwxr-xr-x | etc/cert-svc-db-upgrade.sh.in | 48 | ||||
-rwxr-xr-x | etc/cert-svc-disabled-certs-upgrade.sh.in | 74 | ||||
-rw-r--r-- | packaging/cert-svc.manifest.in | 2 | ||||
-rw-r--r-- | packaging/cert-svc.spec | 38 |
5 files changed, 165 insertions, 11 deletions
diff --git a/etc/CMakeLists.txt b/etc/CMakeLists.txt
index ade8237..40dac00 100644
--- a/etc/CMakeLists.txt
+++ b/etc/CMakeLists.txt
@@ -33,5 +33,17 @@ ENDIF (ERROR_CODE)
 INSTALL(FILES ${ETC_DIR}/certs-meta.db
- DESTINATION ${CERT_SVC_DB}
+ DESTINATION ${CERT_SVC_DB_PATH}
+ )
+
+CONFIGURE_FILE(cert-svc-db-upgrade.sh.in cert-svc-db-upgrade.sh @ONLY)
+CONFIGURE_FILE(
+ cert-svc-disabled-certs-upgrade.sh.in
+ cert-svc-disabled-certs-upgrade.sh @ONLY
+ )
+
+INSTALL(FILES
+ ${ETC_DIR}/cert-svc-db-upgrade.sh
+ ${ETC_DIR}/cert-svc-disabled-certs-upgrade.sh
+ DESTINATION ${UPGRADE_SCRIPT_PATH}
 )
diff --git a/etc/cert-svc-db-upgrade.sh.in b/etc/cert-svc-db-upgrade.sh.in
new file mode 100755
index 0000000..395c42b
--- /dev/null
+++ b/etc/cert-svc-db-upgrade.sh.in
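Review bot: The second `INSTALL(FILES ...)` block installs the two configured upgrade scripts without the executable bit (FILES defaults to 644) even though they are run as scripts; `INSTALL(PROGRAMS ${ETC_DIR}/cert-svc-db-upgrade.sh ${ETC_DIR}/cert-svc-disabled-certs-upgrade.sh DESTINATION ${UPGRADE_SCRIPT_PATH})` makes the install rule self-sufficient instead of relying on the spec's `%attr(755, root, root)` to repair the mode. Separately, `CONFIGURE_FILE` with a relative output name writes into `CMAKE_CURRENT_BINARY_DIR`, while the INSTALL reads from `${ETC_DIR}`; these presumably coincide only for an in-source build (the spec runs `%cmake .`), so naming the outputs explicitly as `${CMAKE_CURRENT_BINARY_DIR}/cert-svc-db-upgrade.sh` (and likewise for the second script) would keep the rule valid for out-of-source builds as well.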
@@ -0,0 +1,48 @@
+#!/bin/bash
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file cert-svc-db-upgrade.sh.in
+# @author Sangwan Kwon (sangwan.kwon@samsung.com)
+# @brief cert-svc db migration scripts for platform upgrade 2.4 -> 3.0
+#
+
+OLD_DB=@CERT_SVC_OLD_DB_PATH@/certs-meta-old.db
+NEW_DB=@CERT_SVC_DB_PATH@/certs-meta.db
+
+# backup old database
+mv @CERT_SVC_OLD_DB_PATH@/certs-meta.db $OLD_DB
+rm -rf @CERT_SVC_OLD_DB_PATH@/certs-meta.db-journal
+
+# install new database
+cp @UPGRADE_DATA_PATH@/certs-meta.db $NEW_DB
+
+# update disabled certs on db
+disabled_certs_cnt=`sqlite3 $OLD_DB "SELECT count(*) FROM disabled_certs;"`
+if [ "$disabled_certs_cnt" != "0" ]
+then
+ @UPGRADE_SCRIPT_PATH@/cert-svc-disabled-certs-upgrade.sh $OLD_DB $NEW_DB
+fi
+
+rm -rf $OLD_DB
+
+# generate blank journal file newly
+touch $NEW_DB-journal
+
+# change permission
+chsmack -a @SMACK_DOMAIN_NAME@ @CERT_SVC_DB_PATH@/*
+chown @USER_NAME@:@GROUP_NAME@ @CERT_SVC_DB_PATH@/*
+chmod 644 @CERT_SVC_DB_PATH@/*
diff --git a/etc/cert-svc-disabled-certs-upgrade.sh.in b/etc/cert-svc-disabled-certs-upgrade.sh.in
new file mode 100755
index 0000000..91f0805
--- /dev/null
+++ b/etc/cert-svc-disabled-certs-upgrade.sh.in
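Review bot: Nothing guards the case where the Tizen 2.4 database is absent: if `@CERT_SVC_OLD_DB_PATH@/certs-meta.db` does not exist, `mv` fails, the `sqlite3 $OLD_DB` count query fails and yields an empty string, `[ "" != "0" ]` is true, and cert-svc-disabled-certs-upgrade.sh is invoked against a nonexistent `$OLD_DB`, after which the `chsmack`/`chown`/`chmod 644 @CERT_SVC_DB_PATH@/*` lines run regardless. Adding `[ -f @CERT_SVC_OLD_DB_PATH@/certs-meta.db ] || exit 0` after the `NEW_DB=` line and `set -e` below the `PATH=` line would stop the migration at the first failed `mv`/`cp` rather than relabelling a half-migrated dbspace. The `rm -rf` calls act on single files, so `rm -f` states the intent more precisely.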
@@ -0,0 +1,74 @@
+#!/bin/bash
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file cert-svc-disabled-certs-upgrade.sh.in
+# @author Sangwan Kwon (sangwan.kwon@samsung.com)
+# @brief cert-svc disabled certs upgrade for platform upgrade 2.4 -> 3.0
+#
+
+# TODO(sangwan.kwon) Migration user certs(WIFI, VPN, EMAIL)
+
+# check this script invoked by cert-svc-db-upgrade
+if [ "$#" != "2" ]
+then
+ exit 0
+fi
+
+OLD_DB=$1
+NEW_DB=$2
+OLD_GNAME_LIST=@CERT_SVC_DB_PATH@/old-gname-list
+OLD_CERTS_DIR=@CERT_SVC_DB_PATH@/old-certs
+
+rm -rf $OLD_CERTS_DIR
+mkdir -p $OLD_CERTS_DIR
+
+# get disabled ceritificates list from old db
+sqlite3 $OLD_DB "SELECT gname FROM disabled_certs;" > $OLD_GNAME_LIST
+
+# since gname is different between Tizen 2.4 and 3.0, compare certicate
+index=1
+for gname in `cat $OLD_GNAME_LIST`
+do
+ sqlite3 $OLD_DB "SELECT certificate FROM disabled_certs
+ WHERE gname='$gname';" > $OLD_CERTS_DIR/$index
+ index=$(expr $index + 1)
+done
+
+# restore disabled certs to new db
+for fname in `find $OLD_CERTS_DIR/* | sort`
+do
+ certs=`cat $fname`
+ # check certificate's existence on new db
+ ret=`sqlite3 $NEW_DB "SELECT EXISTS (
+ SELECT certificate
+ FROM ssl
+ WHERE certificate='$certs');"`
+
+ if [ "$ret" == "1" ]
+ then
+ # TODO(sangwan.kwon) Consider is_root_app column (it depends on master app)
+ # update ssl, disabled_certs table
+ gname=`sqlite3 $NEW_DB "SELECT gname FROM ssl WHERE certificate='$certs';"`
+ sqlite3 $NEW_DB "INSERT INTO disabled_certs VALUES ('$gname', '$certs');"
+ sqlite3 $NEW_DB "UPDATE ssl SET enabled=0 WHERE gname='$gname';"
+
+ # TODO(sangwan.kwon) unlink file between rw & ro area
+ fi
+done
+
+rm -rf $OLD_GNAME_LIST
+rm -rf $OLD_CERTS_DIR
diff --git a/packaging/cert-svc.manifest.in b/packaging/cert-svc.manifest.in
index aed0ebd..0e13460 100644
--- a/packaging/cert-svc.manifest.in
+++ b/packaging/cert-svc.manifest.in
@@ -3,6 +3,6 @@
 <domain name="_" />
 </request>
 <assign>
- <filesystem path="@CERT_SVC_PATH@" label="System" type="transmutable" />
+ <filesystem path="@CERT_SVC_PATH@" label="@SMACK_DOMAIN_NAME@" type="transmutable" />
 </assign>
 </manifest>
diff --git a/packaging/cert-svc.spec b/packaging/cert-svc.spec
index 097d105..a3d0d52 100644
--- a/packaging/cert-svc.spec
+++ b/packaging/cert-svc.spec
@@ -33,6 +33,10 @@ Requires: security-config
 BuildRequires: pkgconfig(cert-checker)
 %endif
+%global USER_NAME security_fw
+%global GROUP_NAME security_fw
+%global SMACK_DONMAIN_NAME System
+
 %global TZ_SYS_BIN %{?TZ_SYS_BIN:%TZ_SYS_BIN}%{!?TZ_SYS_BIN:%_bindir}
 %global TZ_SYS_ETC %{?TZ_SYS_ETC:%TZ_SYS_ETC}%{!?TZ_SYS_ETC:/opt/etc}
 %global TZ_SYS_SHARE %{?TZ_SYS_SHARE:%TZ_SYS_SHARE}%{!?TZ_SYS_SHARE:/opt/share}
@@ -45,11 +49,15 @@ BuildRequires: pkgconfig(cert-checker)
 %global CERT_SVC_PATH %TZ_SYS_SHARE/cert-svc
 %global CERT_SVC_RO_PATH %TZ_SYS_RO_SHARE/cert-svc
-%global CERT_SVC_DB %CERT_SVC_PATH/dbspace
+%global CERT_SVC_DB_PATH %CERT_SVC_PATH/dbspace
 %global CERT_SVC_PKCS12 %CERT_SVC_PATH/pkcs12
 %global CERT_SVC_CA_BUNDLE %CERT_SVC_PATH/ca-certificate.crt
 %global CERT_SVC_TESTS %TZ_SYS_RW_APP/cert-svc-tests
+%global CERT_SVC_OLD_DB_PATH /opt/share/cert-svc/dbspace
+%global UPGRADE_SCRIPT_PATH %TZ_SYS_RO_SHARE/upgrade/scripts
+%global UPGRADE_DATA_PATH %TZ_SYS_RO_SHARE/upgrade/data
+
 %description
 Certification service
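Review bot: The values read back from the old database (`$gname` from old-gname-list and `$certs` from each `$OLD_CERTS_DIR/$index` file) are spliced verbatim into the SQL text of the later `sqlite3` calls, so a single quote in either column breaks the statement, and because no exit status is checked the loop silently moves on with that certificate left enabled in the new database. Escaping before use, e.g. `certs=${certs//\'/\'\'}` right after the line that reads the file with `cat` (and the same for `gname` once it is fetched), keeps the SQL well-formed for any stored value; checking `$?` after each `sqlite3` call would make a failed step visible. Note also that command substitution strips trailing newlines, so the `certificate='$certs'` equality test only succeeds if the certificate column of the new `ssl` table is stored without a trailing newline — worth confirming against the data the build copies in. The argument-count check exits 0, which makes a wrong invocation indistinguishable from a successful run; `exit 1` there would surface it.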
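Review bot: The macro is defined as `%global SMACK_DONMAIN_NAME System` but consumed as `%SMACK_DOMAIN_NAME` in the `%cmake` invocation (hunk `@@ -93,6 +101,9 @@` of this file); rpm does not expand an undefined macro, so cmake would receive the literal text `%SMACK_DOMAIN_NAME`, which is then what `@SMACK_DOMAIN_NAME@` becomes in the `label=` attribute of packaging/cert-svc.manifest.in and in the `chsmack -a` call of cert-svc-db-upgrade.sh.in. The cert-svc paths would end up carrying a bogus Smack label instead of `System`, the value the manifest hard-coded before this change. Fix the definition: `%global SMACK_DOMAIN_NAME System`.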
@@ -93,6 +101,9 @@ export FFLAGS="$FFLAGS -DTIZEN_EMULATOR_MODE"
 %{!?build_type:%define build_type "Release"}
 %cmake . -DVERSION=%version \
 -DINCLUDEDIR=%_includedir \
+ -DUSER_NAME=%USER_NAME \
+ -DGROUP_NAME=%GROUP_NAME \
+ -DSMACK_DOMAIN_NAME=%SMACK_DOMAIN_NAME \
 -DTZ_SYS_SHARE=%TZ_SYS_SHARE \
 -DTZ_SYS_RO_SHARE=%TZ_SYS_RO_SHARE \
 -DTZ_SYS_BIN=%TZ_SYS_BIN \
@@ -102,8 +113,11 @@ export FFLAGS="$FFLAGS -DTIZEN_EMULATOR_MODE"
 -DFINGERPRINT_LIST_RW_PATH=%TZ_SYS_REVOKED_CERTS_FINGERPRINTS_RUNTIME \
 -DCERT_SVC_PATH=%CERT_SVC_PATH \
 -DCERT_SVC_RO_PATH=%CERT_SVC_RO_PATH \
- -DCERT_SVC_DB=%CERT_SVC_DB \
 -DCERT_SVC_PKCS12=%CERT_SVC_PKCS12 \
+ -DCERT_SVC_DB_PATH=%CERT_SVC_DB_PATH \
+ -DCERT_SVC_OLD_DB_PATH=%CERT_SVC_OLD_DB_PATH \
+ -DUPGRADE_SCRIPT_PATH=%UPGRADE_SCRIPT_PATH \
+ -DUPGRADE_DATA_PATH=%UPGRADE_DATA_PATH \
 %if "%{?profile}" == "mobile"
 -DTIZEN_PROFILE_MOBILE:BOOL=ON \
 %else
@@ -124,7 +138,9 @@ make %{?_smp_mflags}
 mkdir -p %buildroot%CERT_SVC_PKCS12
-touch %buildroot%CERT_SVC_DB/certs-meta.db-journal
+touch %buildroot%CERT_SVC_DB_PATH/certs-meta.db-journal
+mkdir -p %buildroot%UPGRADE_DATA_PATH
+cp %buildroot%CERT_SVC_DB_PATH/certs-meta.db %buildroot%UPGRADE_DATA_PATH
 ln -sf %TZ_SYS_CA_BUNDLE %buildroot%CERT_SVC_CA_BUNDLE
@@ -156,12 +172,16 @@ fi
 %_unitdir/sockets.target.wants/cert-server.socket
 %_libdir/libcert-svc-vcore.so.*
 %TZ_SYS_BIN/cert-server
-%dir %attr(-, security_fw, security_fw) %CERT_SVC_PATH
-%dir %attr(-, security_fw, security_fw) %CERT_SVC_PKCS12
-%attr(-, security_fw, security_fw) %CERT_SVC_CA_BUNDLE
-%attr(-, security_fw, security_fw) %CERT_SVC_DB/certs-meta.db
-%attr(-, security_fw, security_fw) %CERT_SVC_DB/certs-meta.db-journal
-%attr(-, security_fw, security_fw) %CERT_SVC_RO_PATH
+%dir %attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_PATH
+%dir %attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_PKCS12
+%attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_CA_BUNDLE
+%attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_DB_PATH/certs-meta.db
+%attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_DB_PATH/certs-meta.db-journal
+%attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_RO_PATH
+
+%attr(755, root, root) %{UPGRADE_SCRIPT_PATH}/cert-svc-db-upgrade.sh
+%attr(755, root, root) %{UPGRADE_SCRIPT_PATH}/cert-svc-disabled-certs-upgrade.sh
+%{UPGRADE_DATA_PATH}/certs-meta.db
 %files devel
 %_includedir/*
|