Remake bundle file at db migration 65/86865/4
authorsangwan.kwon <sangwan.kwon@samsung.com>
Mon, 5 Sep 2016 08:57:05 +0000 (17:57 +0900)
committersangwan.kwon <sangwan.kwon@samsung.com>
Tue, 6 Sep 2016 02:53:03 +0000 (11:53 +0900)
* If db migration is done, check to update disabled_certs table
* and remake bundle file.
* Link CERT_SVC_CA_BUNDLE too.

Change-Id: Id7a2495ae2bb4f97cd34eab94d15de3eb8755d81
Signed-off-by: sangwan.kwon <sangwan.kwon@samsung.com>
etc/upgrade/cert-svc-db-upgrade.sh.in
etc/upgrade/cert-svc-disabled-certs-upgrade.sh.in
packaging/cert-svc.spec
tests/upgrade/cert-svc-test-upgrade.sh.in

index 395c42b..0fdd3c0 100755 (executable)
@@ -42,6 +42,10 @@ rm -rf $OLD_DB
 # generate blank journal file newly
 touch $NEW_DB-journal
 
+# support backward compatablity
+ln -sf @TZ_SYS_CA_BUNDLE@ @CERT_SVC_CA_BUNDLE@
+chown -h @USER_NAME@:@GROUP_NAME@ @CERT_SVC_CA_BUNDLE@
+
 # change permission
 chsmack -a @SMACK_DOMAIN_NAME@ @CERT_SVC_DB_PATH@/*
 chown @USER_NAME@:@GROUP_NAME@ @CERT_SVC_DB_PATH@/*
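Review bot: The added `ln -sf` is not checked, so if the link cannot be created the script carries on (the `chown -h` after it runs regardless), and whatever was at @CERT_SVC_CA_BUNDLE@ before stays in place for legacy readers, possibly a bundle that still lists certificates this migration disables. I would fail or at least report it, e.g. `ln -sf @TZ_SYS_CA_BUNDLE@ @CERT_SVC_CA_BUNDLE@ || { echo "cannot link CA bundle" >&2; exit 1; }`. The comment above it should read `# support backward compatibility`. The script continues outside this hunk, so whether an early exit is acceptable here depends on the steps that follow.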
index 4eacba4..6090624 100755 (executable)
@@ -77,5 +77,16 @@ do
        fi
 done
 
+# re-make bundle file
+if [ -s @TZ_SYS_CA_BUNDLE@ ]
+then
+       rm @TZ_SYS_CA_BUNDLE@
+fi
+
+for i in `find @TZ_SYS_CA_CERTS@ -maxdepth 1 -type l | sort`
+do
+       openssl x509 -in $i -outform PEM >> @TZ_SYS_CA_BUNDLE@
+done
+
 rm -rf $OLD_GNAME_LIST
 rm -rf $OLD_CERTS_DIR
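Review bot: The system CA bundle is deleted and then rebuilt in place by appending, with no check on `openssl x509`, so an interrupted run or one unreadable certificate leaves a truncated or empty trust bundle and nothing reports it. The recreated file also gets the owner, mode and SMACK label of whoever runs the script rather than those of the bundle it replaces; nothing in this hunk restores them. Building into a temporary file next to the target and renaming it over the bundle only on success avoids both the window and the partial result; the loop should also read paths line by line and quote them instead of word-splitting the `find` output. What the script should do when the rebuild fails (keep the old bundle, abort the upgrade) is a policy decision I have left as a message on stderr.

```shell
# re-make bundle file: build next to the target, rename over it only on success
bundle_tmp=$(mktemp @TZ_SYS_CA_BUNDLE@.XXXXXX) || exit 1
if find @TZ_SYS_CA_CERTS@ -maxdepth 1 -type l | sort | while IFS= read -r cert
   do
          openssl x509 -in "$cert" -outform PEM >> "$bundle_tmp" || exit 1
   done
then
       # … restore owner, mode and SMACK label of the bundle before the rename …
       mv -f "$bundle_tmp" @TZ_SYS_CA_BUNDLE@
else
       rm -f "$bundle_tmp"
       echo "failed to rebuild CA bundle, previous bundle left in place" >&2
fi
# … unchanged: rm -rf of $OLD_GNAME_LIST and $OLD_CERTS_DIR …
```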
index 62b2b34..d23c8e6 100644 (file)
@@ -29,6 +29,7 @@ BuildRequires: ca-certificates-tizen-devel
 Requires: ca-certificates
 Requires: ca-certificates-tizen
 Requires: security-config
+Requires: openssl
 %if "%{?profile}" == "mobile"
 BuildRequires: pkgconfig(cert-checker)
 %endif
@@ -110,6 +111,7 @@ export FFLAGS="$FFLAGS -DTIZEN_EMULATOR_MODE"
          -DTZ_SYS_CA_CERTS=%TZ_SYS_CA_CERTS \
          -DTZ_SYS_CA_CERTS_ORIG=%TZ_SYS_CA_CERTS_ORIG \
          -DTZ_SYS_CA_BUNDLE=%TZ_SYS_CA_BUNDLE \
+         -DCERT_SVC_CA_BUNDLE=%CERT_SVC_CA_BUNDLE \
          -DFINGERPRINT_LIST_RW_PATH=%TZ_SYS_REVOKED_CERTS_FINGERPRINTS_RUNTIME \
          -DCERT_SVC_PATH=%CERT_SVC_PATH \
          -DCERT_SVC_RO_PATH=%CERT_SVC_RO_PATH \
index f7ea6b1..bbdce60 100755 (executable)
@@ -21,12 +21,15 @@ PATH=/bin:/usr/bin:/sbin:/usr/sbin
 #
 
 NEW_DB=@CERT_SVC_DB_PATH@/certs-meta.db
+TEST_GNAME1="6410666e.0"
+TEST_GNAME2="790a7190.0"
 
 # set test old database
 rm -rf @CERT_SVC_OLD_DB_PATH@/*
 cp @UPGRADE_DATA_PATH@/certs-meta-old.db @CERT_SVC_OLD_DB_PATH@/certs-meta.db
 
 before_upgrade_certs_cnt=`ls -l @TZ_SYS_CA_CERTS@ | grep ^l | wc -l`
+before_upgrade_bundle_line=`cat @TZ_SYS_CA_BUNDLE@ | wc -l`
 
 # run db upgrade
 @UPGRADE_SCRIPT_PATH@/cert-svc-db-upgrade.sh
@@ -41,14 +44,14 @@ else
 fi
 
 # testcase 2. below gname's enabled column should off
-enabled_column1=`sqlite3 $NEW_DB "SELECT enabled from ssl WHERE gname='6410666e.0';"`
+enabled_column1=`sqlite3 $NEW_DB "SELECT enabled from ssl WHERE gname='$TEST_GNAME1';"`
 if [ "$enabled_column1" != "0" ]
 then
        echo "[-] Failed to upgrade ssl table."
 else
        echo "[+] Success to upgrade ssl table."
 fi
-enabled_column2=`sqlite3 $NEW_DB "SELECT enabled from ssl WHERE gname='790a7190.0';"`
+enabled_column2=`sqlite3 $NEW_DB "SELECT enabled from ssl WHERE gname='$TEST_GNAME2';"`
 if [ "$enabled_column2" != "0" ]
 then
        echo "[-] Failed to upgrade ssl table."
@@ -56,15 +59,15 @@ else
        echo "[+] Success to upgrade ssl table."
 fi
 
-# testcase 3. check to exist disabeld certs on rw area
-link_path1="@TZ_SYS_CA_CERTS@/6410666e.0"
+# testcase 3. check to exist disabled certs on rw area
+link_path1="@TZ_SYS_CA_CERTS@/$TEST_GNAME1"
 if [ -f $link_path1 ]
 then
        echo "[-] Failed to unlink disabled certs."
 else
        echo "[+] Success to unlink disabled certs."
 fi
-link_path2="@TZ_SYS_CA_CERTS@/790a7190.0"
+link_path2="@TZ_SYS_CA_CERTS@/$TEST_GNAME2"
 if [ -f $link_path1 ]
 then
        echo "[-] Failed to unlink disabled certs."
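Review bot: The second check of testcase 3 still tests `$link_path1`: `link_path2` is assigned on the line above, but the `if [ -f $link_path1 ]` after it was left as it was, so a surviving link for TEST_GNAME2 is never detected. It should read `if [ -f "$link_path2" ]`. The entries in @TZ_SYS_CA_CERTS@ appear to be symlinks (the count elsewhere uses `grep ^l`), and `-f` is false for a dangling link, so `[ -e "$link_path2" ] || [ -L "$link_path2" ]` would also catch a link left behind with its target gone. The `if` block ends outside this hunk.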
@@ -74,11 +77,31 @@ fi
 
 # check certificate's count was reduced
 after_upgrade_certs_cnt=`ls -l @TZ_SYS_CA_CERTS@ | grep ^l | wc -l`
-diff=$(expr $before_upgrade_certs_cnt - $after_upgrade_certs_cnt)
-if [ "$diff" != "2" ]
+diff_cnt=$(expr $before_upgrade_certs_cnt - $after_upgrade_certs_cnt)
+if [ "$diff_cnt" != "2" ]
 then
        echo "[-] Failed to unlink disabled certs."
        echo "[-] Check ca-certificate package's upgrade has done."
 else
        echo "[+] Success to unlink disabled certs."
 fi
+
+# testcase 4. bundle file should update
+after_upgrade_bundle_line=`cat @TZ_SYS_CA_BUNDLE@ | wc -l`
+diff_line1=$(expr $before_upgrade_bundle_line - $after_upgrade_bundle_line)
+if [ "$diff_line1" != "56" ]
+then
+       echo "[-] Failed to update bundle file."
+       echo "[-] Check ca-certificate package's upgrade has done."
+else
+       echo "[+] Success to update bundle file."
+fi
+
+after_symbol_bundle_line=`cat @CERT_SVC_CA_BUNDLE@ | wc -l`
+diff_line2=$(expr $after_upgrade_bundle_line - $after_symbol_bundle_line)
+if [ "$diff_line2" != "0" ]
+then
+       echo "[-] Failed to sync bundle file with CERT_SVC_CA_BUNDLE."
+else
+       echo "[+] Success to sync bundle file with CERT_SVC_CA_BUNDLE."
+fi
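Review bot: Testcase 4 compares line counts only, so it passes whenever the bundle shrank by 56 lines and the two paths happen to be equally long; it does not show that the certificates for TEST_GNAME1 and TEST_GNAME2 are gone from the bundle, or that @CERT_SVC_CA_BUNDLE@ is the link the upgrade script creates. The 56 is presumably the PEM line count of those two certificates and deserves a comment saying so. For the sync check, `[ -L @CERT_SVC_CA_BUNDLE@ ] && cmp -s @TZ_SYS_CA_BUNDLE@ @CERT_SVC_CA_BUNDLE@` tests what the message claims. The script also only echoes failures; ending with a non-zero exit status when any check failed would let an automated run notice them.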