authorKyungwook Tak <k.tak@samsung.com>2015-11-11 16:05:25 +0900
committerKyungwook Tak <k.tak@samsung.com>2015-11-11 19:30:49 +0900
commita091de33a7f70d9e557dcaac8ac895c7ebc8b6c2 (patch)
tree849db8e2773af8d438ba5a1a1bb9ed8aad593b3c
parent61ba96834fcd87931cc453f9dcc6f9184602c8a5 (diff)
- resource path : /usr/share/ca-certificates/* -> /usr/share/ca-certificates/certs : changed to exclude tizen code-signing root certificates, which aren't related to SSL - resource format(filename) : non-format -> <openssl subject hash>.[0-9] : to support backward compatibility - resource permission : root:root(644) label="_" -> root:system(664) label="System::Shared" : to be writable by cert-server when ca-certificates are enabled/disabled Change-Id: Iadc833adf6aa1d2f63fc2e05f4a21cf8d219235f Signed-off-by: Kyungwook Tak <k.tak@samsung.com>
-rw-r--r--packaging/ca-certificates.spec6
-rw-r--r--packaging/certbundle.run11
-rw-r--r--packaging/update-ca-certificates14
3 files changed, 25 insertions, 6 deletions
diff --git a/packaging/ca-certificates.spec b/packaging/ca-certificates.spec
index ae07cce..83e46b1 100644
--- a/packaging/ca-certificates.spec
+++ b/packaging/ca-certificates.spec
@@ -16,6 +16,8 @@ Source3: certbundle.run
Source1001: ca-certificates.manifest
Url: http://gitorious.org/opensuse/ca-certificates
Requires: openssl
+Requires: smack
+Requires: coreutils
Requires(post): /usr/bin/rm
Requires(post): openssl-misc
Recommends: ca-certificates-mozilla
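Review bot: `smack` and `coreutils` are consumed inside the `%post` scriptlet (the `chown`/`chmod`/`chsmack` calls added further down in this file), but a plain `Requires:` only orders the dependency for runtime, not for scriptlet execution; the existing `Requires(post): /usr/bin/rm` two lines below shows the form this spec already uses for that. Suggest adding `Requires(post): smack` and `Requires(post): coreutils` (keeping the plain `Requires:` lines if the tools are also needed after install). Whether the `chsmack` binary is actually shipped by a package named `smack` on this distribution cannot be confirmed from the diff, so that package name should be double-checked.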
@@ -61,6 +63,10 @@ fi
# as openssl changed the hash format between 0.9.8 and 1.0
update-ca-certificates -f || true
+chown root:system %{etccadir}
+chmod 775 %{etccadir}
+chsmack -a "System::Shared" %{etccadir}
+chsmack -t %{etccadir}
%files
%manifest %{name}.manifest
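Review bot: The new `chmod 775` and `chsmack -t` lines make the certificate directory group-writable and transmuting for group `system`, so every process running with that group and a label allowed to write `System::Shared` can add or remove trust anchors, not only cert-server; the commit message only says the files need to be writable (664), and the directory mode here is wider than that. A comment next to these lines naming the intended writer, e.g. `# cert-server (gid system) must add/remove entries here; keep group membership tight`, would record the trust boundary being opened. The four commands are unchecked, so a failing `chsmack` (for instance without SMACK support) is silent while the directory is already group-writable; if that is acceptable, a trailing `|| true` makes the intent explicit, otherwise the scriptlet should fail. What `%{etccadir}` expands to is not visible in the hunk, so confirm it really is the directory described in the commit message.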
diff --git a/packaging/certbundle.run b/packaging/certbundle.run
index 5fd9544..add999e 100644
--- a/packaging/certbundle.run
+++ b/packaging/certbundle.run
@@ -29,7 +29,12 @@ cat > "$cafile.new" <<EOF
# SSL_CTX_set_default_verify_paths() instead.
#
EOF
-for i in "$cadir"/*.pem; do
+for i in `find $cadir/*`; do
+ fname=`echo $i | cut -f 5 -d '/'`
+ if [[ ! $fname =~ ^[0-9a-z]{8}\.[0-9]$ ]]; then
+ continue
+ fi
+
# only include certificates trusted for server auth
if grep -q "BEGIN TRUSTED CERTIFICATE" "$i"; then
trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
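Review bot: `for i in \`find $cadir/*\`` combined with `cut -f 5 -d '/'` ties the loop to one exact path depth, so a nested directory or a different `$cadir` location yields the wrong `fname` and silently skips or mismatches certificates, and both `$cadir` and `$i` are unquoted whereas the replaced line quoted the glob. The same filtering is obtained by keeping the glob and taking the basename: `for i in "$cadir"/*; do` and `fname=${i##*/}`. The `[[ ... =~ ]]` test also requires bash; the interpreter line is outside the hunk, so confirm the script is not run under `#!/bin/sh`. The loop body continues in the next hunk.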
@@ -41,3 +46,7 @@ for i in "$cadir"/*.pem; do
openssl x509 -in "$i"
done >> "$cafile.new"
mv "$cafile.new" "$cafile"
+
+chown root:system $cafile
+chmod 664 $cafile
+chsmack -a "System::Shared" $cafile
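Review bot: The bundle written to `$cafile` becomes group-writable (664) for group `system`, so any process in that group can rewrite the CA bundle that TLS clients verify against; this is a trust-store integrity boundary and deserves an explicit comment naming the writer it is meant for, e.g. `# cert-server (gid system) rewrites this bundle when CAs are enabled/disabled`. `$cafile` should be quoted here as it is on the `mv` line just above (`chown root:system "$cafile"`), and the three commands are unchecked, so a failed `chown` or `chsmack` leaves the file with unintended ownership or label without any signal; `|| exit 1` on each (or `set -e` at the top of the script, outside this hunk) would surface it.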
diff --git a/packaging/update-ca-certificates b/packaging/update-ca-certificates
index 7b1b8a0..84bec89 100644
--- a/packaging/update-ca-certificates
+++ b/packaging/update-ca-certificates
@@ -32,7 +32,8 @@ use Getopt::Long;
my $certsconf = '/etc/ca-certificates.conf';
my $hooksdir1 = '/etc/ca-certificates/update.d';
my $hooksdir2 = '/usr/lib/ca-certificates/update.d';
-my $certsdir = "/usr/share/ca-certificates";
+# only search /usr/share/ca-certificates/certs because of code-signing certs
+my $certsdir = "/usr/share/ca-certificates/certs";
my $localcertsdir = "/usr/local/share/ca-certificates";
my $etccertsdir = "/etc/ssl/certs";
@@ -56,6 +57,7 @@ sub addcert($)
{
my $f = $_[0];
my $t = targetfilename($f);
+
return if -e $t;
unlink $t if -l $t; # dangling symlink
if (symlink($f, $t)) {
@@ -129,7 +131,7 @@ my @files;
File::Find::find({
no_chdir => 1,
wanted => sub {
- -f && /\.(?:pem|crt)$/ && push @files, $_;
+ -f && /\.(?:pem|crt|[0-9])$/ && push @files, $_;
}
}, $certsdir);
for my $f (@files) {
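Review bot: The new `[0-9]` alternative in the `wanted` filter accepts any file whose name ends in a dot and a single digit, which matches the `<openssl subject hash>.[0-9]` layout the commit message describes, but nothing in the code says so; a comment such as `# tizen ships certs as <openssl subject hash>.<n>, so accept a trailing digit too` would keep the next maintainer from "fixing" it back to pem/crt only. A hash with more than ten collisions (`.10`) would not match; probably fine, but worth stating in the same comment. The pattern also anchors with `$`, which permits a trailing newline; `\z` is the strict form, though names from File::Find will not carry one.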
@@ -146,7 +148,7 @@ for my $f (glob "$localcertsdir/*.{pem,crt}") {
addcert($f);
}
-for my $f (glob "$etccertsdir/*.pem") {
+for my $f (glob "$etccertsdir/*.{pem,[0-9]}") {
if (-l $f && !-e $f) {
if (startswith($f, $etccertsdir)
|| startswith($f, $localcertsdir))
@@ -161,8 +163,10 @@ for my $f (glob "$etccertsdir/*.pem") {
chdir $etccertsdir || die "$!";
if (%added || %removed || $opt_fresh) {
print "Updating certificates in $etccertsdir...\n";
- my $redir = ($opt_verbose?'':'> /dev/null');
- system("c_rehash . $redir");
+# tizen ca-certs suffix isn't .pem|.crt|.cer|.crl
+# so c_rehash cannot be used.
+# my $redir = ($opt_verbose?'':'> /dev/null');
+# system("c_rehash . $redir");
printf("%d added, %d removed.\n",
(%added?(scalar keys %added):0),