author | Kyungwook Tak <k.tak@samsung.com> | 2015-11-11 16:05:25 +0900 |
---|---|---|
committer | Kyungwook Tak <k.tak@samsung.com> | 2015-11-11 19:30:49 +0900 |
commit | a091de33a7f70d9e557dcaac8ac895c7ebc8b6c2 (patch) | |
tree | 849db8e2773af8d438ba5a1a1bb9ed8aad593b3c | |
parent | 61ba96834fcd87931cc453f9dcc6f9184602c8a5 (diff) | |
ca-certs resource path and format changed [refs: submit/tizen/20151112.113302, accepted/tizen/wearable/20151112.232429, accepted/tizen/tv/20151112.232414, accepted/tizen/mobile/20151112.232405]
- resource path : /usr/share/ca-certificates/* -> /usr/share/ca-certificates/certs
: changed to exclude tizen code-signing root certificates which isn't related with ssl
- resource format(filename) : non-format -> <openssl subject hash>.[0-9]
: to support backward compatibility
- resource permission
: root:root(644) label="_" -> root:system(664) label="System::Shared"
: to writable for cert-server when ca-certificates enabled/disabled
Change-Id: Iadc833adf6aa1d2f63fc2e05f4a21cf8d219235f
Signed-off-by: Kyungwook Tak <k.tak@samsung.com>
-rw-r--r-- | packaging/ca-certificates.spec | 6 | ||||
-rw-r--r-- | packaging/certbundle.run | 11 | ||||
-rw-r--r-- | packaging/update-ca-certificates | 14 |
3 files changed, 25 insertions, 6 deletions
diff --git a/packaging/ca-certificates.spec b/packaging/ca-certificates.spec
index ae07cce..83e46b1 100644
--- a/packaging/ca-certificates.spec
+++ b/packaging/ca-certificates.spec
@@ -16,6 +16,8 @@ Source3: certbundle.run
 Source1001: ca-certificates.manifest
 Url: http://gitorious.org/opensuse/ca-certificates
 Requires: openssl
+Requires: smack
+Requires: coreutils
 Requires(post): /usr/bin/rm
 Requires(post): openssl-misc
 Recommends: ca-certificates-mozilla
@@ -61,6 +63,10 @@ fi
 # as openssl changed the hash format between 0.9.8 and 1.0
 update-ca-certificates -f || true
+chown root:system %{etccadir}
+chmod 775 %{etccadir}
+chsmack -a "System::Shared" %{etccadir}
+chsmack -t %{etccadir}
 %files
 %manifest %{name}.manifest
diff --git a/packaging/certbundle.run b/packaging/certbundle.run
index 5fd9544..add999e 100644
--- a/packaging/certbundle.run
+++ b/packaging/certbundle.run
@@ -29,7 +29,12 @@ cat > "$cafile.new" <<EOF
 # SSL_CTX_set_default_verify_paths() instead.
 #
 EOF
-for i in "$cadir"/*.pem; do
+for i in `find $cadir/*`; do
+fname=`echo $i | cut -f 5 -d '/'`
+if [[ ! $fname =~ ^[0-9a-z]{8}\.[0-9]$ ]]; then
+continue
+fi
 # only include certificates trusted for server auth
 if grep -q "BEGIN TRUSTED CERTIFICATE" "$i"; then
 trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
@@ -41,3 +46,7 @@ for i in "$cadir"/*.pem; do
 openssl x509 -in "$i"
 done >> "$cafile.new"
 mv "$cafile.new" "$cafile"
+chown root:system $cafile
+chmod 664 $cafile
+chsmack -a "System::Shared" $cafile
diff --git a/packaging/update-ca-certificates b/packaging/update-ca-certificates
index 7b1b8a0..84bec89 100644
--- a/packaging/update-ca-certificates
+++ b/packaging/update-ca-certificates
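Review bot: `chmod 775 %{etccadir}` combined with `chown root:system %{etccadir}` makes the system trust-store directory writable by every process running in group `system`, and `chsmack -t %{etccadir}` lets anything that can write there create entries carrying the `System::Shared` label; any such process can add or swap a CA link and so have its own certificates accepted by every TLS client that trusts this directory. The commit message names only cert-server as the intended writer, so a dedicated group (or making cert-server the directory owner) would confine the write set to that one daemon rather than the whole `system` group. Whichever is chosen, the %post scriptlet should state the boundary it opens, e.g. `# %{etccadir} is group-writable so cert-server can enable/disable CA entries; members of group 'system' can alter the TLS trust store`. The four new commands also run without the `|| true` used on the line above, so a failing chsmack would fail the scriptlet — acceptable if deliberate, but worth a comment.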
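Review bot: The `cut -f 5 -d '/'` extraction ties the loop to the exact depth of `$cadir` (field 5 is the leaf only for a three-component directory such as /etc/ssl/certs), so any other value of `$cadir`, which is set outside this hunk, makes the filter reject every file and yields an empty bundle; `fname=${i##*/}` or `fname=$(basename "$i")` is depth-independent. The filter also admits only `<hash>.N` names, so certificates that update-ca-certificates links in under their `.pem`/`.crt` names (the local-directory loop is visible in the perl diff below) are silently dropped from the bundle — if that is intended, say so in a comment, otherwise the pattern needs `|pem|crt` as an alternative suffix. `[[ ... =~ ... ]]` is a bash extension and the interpreter line is outside the hunk, so confirm the script is not run by /bin/sh; an OpenSSL subject hash is hexadecimal, so `^[0-9a-f]{8}\.[0-9]$` is the tighter pattern, and the unquoted `find $cadir/*` word-splits paths where the old `"$cadir"/*.pem` did not.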
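Review bot: `chmod 664 $cafile` makes the generated CA bundle writable by group `system`, yet this very script is what regenerates the bundle, so the only effect of the group-write bit is that any member of `system` can rewrite the file every TLS client reads as its trust anchors; the enable/disable workflow described in the commit message needs write access to the certificate directory, not to the bundle, so `chmod 644 "$cafile"` looks sufficient here. `$cafile` is used unquoted on all three new lines while the surrounding code quotes it, e.g. `chown root:system "$cafile"`. Applying the chown/chmod/chsmack to `"$cafile.new"` before the `mv` would also avoid the window in which the swapped-in bundle carries the creating process's label and permissions rather than the intended ones (rename preserves both, as far as I can tell).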
@@ -32,7 +32,8 @@ use Getopt::Long;
 my $certsconf = '/etc/ca-certificates.conf';
 my $hooksdir1 = '/etc/ca-certificates/update.d';
 my $hooksdir2 = '/usr/lib/ca-certificates/update.d';
-my $certsdir = "/usr/share/ca-certificates";
+# only search /usr/share/ca-certificates/certs because of code-signing certs
+my $certsdir = "/usr/share/ca-certificates/certs";
 my $localcertsdir = "/usr/local/share/ca-certificates";
 my $etccertsdir = "/etc/ssl/certs";
@@ -56,6 +57,7 @@ sub addcert($)
 {
 my $f = $_[0];
 my $t = targetfilename($f);
+return if -e $t;
 unlink $t if -l $t; # dangling symlink
 if (symlink($f, $t)) {
@@ -129,7 +131,7 @@ my @files;
 File::Find::find({
 no_chdir => 1,
 wanted => sub {
- -f && /\.(?:pem|crt)$/ && push @files, $_;
+ -f && /\.(?:pem|crt|[0-9])$/ && push @files, $_;
 }
 }, $certsdir);
 for my $f (@files) {
@@ -146,7 +148,7 @@ for my $f (glob "$localcertsdir/*.{pem,crt}") {
 addcert($f);
 }
-for my $f (glob "$etccertsdir/*.pem") {
+for my $f (glob "$etccertsdir/*.{pem,[0-9]}") {
 if (-l $f && !-e $f) {
 if (startswith($f, $etccertsdir) || startswith($f, $localcertsdir))
@@ -161,8 +163,10 @@ for my $f (glob "$etccertsdir/*.pem") {
 chdir $etccertsdir || die "$!";
 if (%added || %removed || $opt_fresh) {
 print "Updating certificates in $etccertsdir...\n";
-my $redir = ($opt_verbose?'':'> /dev/null');
-system("c_rehash . $redir");
+# tizen ca-certs suffix isn't .pem|.crt|.cer|.crl
+# so c_rehash cannot be used.
+# my $redir = ($opt_verbose?'':'> /dev/null');
+# system("c_rehash . $redir");
 printf("%d added, %d removed.\n",
 (%added?(scalar keys %added):0), |
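Review bot: `return if -e $t;` skips the install whenever anything exists at the target, including a live symlink that points at a different certificate, so a CA whose source file changes but keeps its name is never refreshed, and the `unlink $t if -l $t` on the next line now only ever sees dangling links; the skip is also silent and leaves `%added` untouched, so the summary `printf` later in the file undercounts. If the intent is to let a pre-existing regular file in `$etccertsdir` take precedence, `return if -e $t && !-l $t;` keeps that while still replacing stale links, and `print "$t already present, skipped\n" if $opt_verbose;` makes the skip visible. With hash-style names, two distinct CAs that share a subject hash would collide at the same `$t` if targetfilename keeps the source basename (it is not visible here), and the second one is then dropped instead of getting the next suffix. The remainder of addcert is outside this hunk.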
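Review bot: Commenting out `system("c_rehash . $redir")` removes the only step that gave OpenSSL-style hash names to entries not already named `<hash>.N`, while the loop over `$localcertsdir/*.{pem,crt}` (its header is visible in the previous hunk) still links such files into `$etccertsdir` under their `.pem`/`.crt` names — after this change CApath lookups no longer find locally added CAs, and nothing reports it. The new comment's reason is sound as far as it goes (if I read c_rehash right, it unlinks every existing `<hash>.N` symlink before rehashing, which would remove the links this package now installs), so the fix is to create hash links here for just the non-hash-named entries rather than to drop rehashing entirely. Note also that the prebuilt `<hash>.N` names are only valid for the subject-hash algorithm of the OpenSSL build on the device — the spec's own remark about the 0.9.8/1.0 format change applies to them and nothing verifies it at install time. The replacement below uses list-form `open` so file names never reach a shell, and skips a hash link that already resolves to the same file.
```perl
    print "Updating certificates in $etccertsdir...\n";
    # c_rehash would unlink the <hash>.N symlinks installed from $certsdir, so
    # hash links are created here only for entries that are not hash-named yet.
    for my $f (glob "$etccertsdir/*.{pem,crt}") {
        open(my $oh, '-|', 'openssl', 'x509', '-noout', '-subject_hash', '-in', $f)
            or do { warn "openssl x509 $f: $!"; next };
        my $hash = <$oh>;
        close $oh;
        chomp $hash if defined $hash;
        next unless defined $hash && $hash =~ /^[0-9a-f]{8}$/;
        my $n = 0;
        while (-e "$hash.$n") {
            last if (readlink("$hash.$n") || '') eq $f;   # already linked to $f
            $n++;
        }
        next if -e "$hash.$n";
        symlink($f, "$hash.$n") or warn "symlink $hash.$n: $!";
    }
    # … unchanged: printf summary …
```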