INSTALL(FILES
${ETC_DIR}/certs-meta.db
- DESTINATION ${CERT_SVC_DB}
+ DESTINATION ${CERT_SVC_DB_PATH}
+ )
+
+CONFIGURE_FILE(cert-svc-db-upgrade.sh.in cert-svc-db-upgrade.sh @ONLY)
+CONFIGURE_FILE(
+ cert-svc-disabled-certs-upgrade.sh.in
+ cert-svc-disabled-certs-upgrade.sh @ONLY
+ )
+
+INSTALL(FILES
+ ${ETC_DIR}/cert-svc-db-upgrade.sh
+ ${ETC_DIR}/cert-svc-disabled-certs-upgrade.sh
+ DESTINATION ${UPGRADE_SCRIPT_PATH}
)
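Review bot: `CONFIGURE_FILE` is given relative output names, which CMake resolves against the current binary directory, while the new `INSTALL(FILES ...)` reads the generated scripts from `${ETC_DIR}`. The two only meet when the build runs in-source (the spec's `%cmake .` does) and `ETC_DIR`, which is defined outside this hunk, is this directory. Writing the output path explicitly, `CONFIGURE_FILE(cert-svc-db-upgrade.sh.in ${CMAKE_CURRENT_BINARY_DIR}/cert-svc-db-upgrade.sh @ONLY)`, and installing from that same path keeps generated files out of the source tree. `INSTALL(PROGRAMS ...)` would also set the execute bits at install time instead of relying on the spec's `%attr(755, ...)`.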
--- /dev/null
+#!/bin/bash
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file cert-svc-db-upgrade.sh.in
+# @author Sangwan Kwon (sangwan.kwon@samsung.com)
+# @brief cert-svc db migration scripts for platform upgrade 2.4 -> 3.0
+#
+
+OLD_DB=@CERT_SVC_OLD_DB_PATH@/certs-meta-old.db
+NEW_DB=@CERT_SVC_DB_PATH@/certs-meta.db
+
+# backup old database
+mv @CERT_SVC_OLD_DB_PATH@/certs-meta.db $OLD_DB
+rm -rf @CERT_SVC_OLD_DB_PATH@/certs-meta.db-journal
+
+# install new database
+cp @UPGRADE_DATA_PATH@/certs-meta.db $NEW_DB
+
+# update disabled certs on db
+disabled_certs_cnt=`sqlite3 $OLD_DB "SELECT count(*) FROM disabled_certs;"`
+if [ "$disabled_certs_cnt" != "0" ]
+then
+ @UPGRADE_SCRIPT_PATH@/cert-svc-disabled-certs-upgrade.sh $OLD_DB $NEW_DB
+fi
+
+rm -rf $OLD_DB
+
+# generate blank journal file newly
+touch $NEW_DB-journal
+
+# change permission
+chsmack -a @SMACK_DOMAIN_NAME@ @CERT_SVC_DB_PATH@/*
+chown @USER_NAME@:@GROUP_NAME@ @CERT_SVC_DB_PATH@/*
+chmod 644 @CERT_SVC_DB_PATH@/*
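Review bot: No step in this script checks for failure, so the unconditional `rm -rf $OLD_DB` removes the only copy of the user's disabled-certificate list even when `cp`, `sqlite3` or the disabled-certs helper failed. Those certificates would then be trusted again after the upgrade, with nothing logged. Adding `set -e` after the `PATH=` line, or running the helper with `|| exit 1` before the removal, keeps the old database for a retry; the expansions should also be quoted (`"$OLD_DB"`, `"$NEW_DB"`). The closing `chsmack`/`chown`/`chmod` lines act on `@CERT_SVC_DB_PATH@/*`. Since the script is presumably run as root during upgrade, naming `certs-meta.db` and `certs-meta.db-journal` explicitly (with `chown -h`) would stop it relabelling whatever else sits in that service-owned directory.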
--- /dev/null
+#!/bin/bash
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file cert-svc-disabled-certs-upgrade.sh.in
+# @author Sangwan Kwon (sangwan.kwon@samsung.com)
+# @brief cert-svc disabled certs upgrade for platform upgrade 2.4 -> 3.0
+#
+
+# TODO(sangwan.kwon) Migration user certs(WIFI, VPN, EMAIL)
+
+# check this script invoked by cert-svc-db-upgrade
+if [ "$#" != "2" ]
+then
+ exit 0
+fi
+
+OLD_DB=$1
+NEW_DB=$2
+OLD_GNAME_LIST=@CERT_SVC_DB_PATH@/old-gname-list
+OLD_CERTS_DIR=@CERT_SVC_DB_PATH@/old-certs
+
+rm -rf $OLD_CERTS_DIR
+mkdir -p $OLD_CERTS_DIR
+
+# get disabled ceritificates list from old db
+sqlite3 $OLD_DB "SELECT gname FROM disabled_certs;" > $OLD_GNAME_LIST
+
+# since gname is different between Tizen 2.4 and 3.0, compare certicate
+index=1
+for gname in `cat $OLD_GNAME_LIST`
+do
+ sqlite3 $OLD_DB "SELECT certificate FROM disabled_certs
+ WHERE gname='$gname';" > $OLD_CERTS_DIR/$index
+ index=$(expr $index + 1)
+done
+
+# restore disabled certs to new db
+for fname in `find $OLD_CERTS_DIR/* | sort`
+do
+ certs=`cat $fname`
+ # check certificate's existence on new db
+ ret=`sqlite3 $NEW_DB "SELECT EXISTS (
+ SELECT certificate
+ FROM ssl
+ WHERE certificate='$certs');"`
+
+ if [ "$ret" == "1" ]
+ then
+ # TODO(sangwan.kwon) Consider is_root_app column (it depends on master app)
+ # update ssl, disabled_certs table
+ gname=`sqlite3 $NEW_DB "SELECT gname FROM ssl WHERE certificate='$certs';"`
+ sqlite3 $NEW_DB "INSERT INTO disabled_certs VALUES ('$gname', '$certs');"
+ sqlite3 $NEW_DB "UPDATE ssl SET enabled=0 WHERE gname='$gname';"
+
+ # TODO(sangwan.kwon) unlink file between rw & ro area
+ fi
+done
+
+rm -rf $OLD_GNAME_LIST
+rm -rf $OLD_CERTS_DIR
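Review bot: The SQL in both loops is built by pasting `$gname` and `$certs`, values read out of the old database, into single-quoted literals, so a value containing a quote changes the statement that runs against the new trust store. The unquoted `for ... in` loops over `cat` and `find` output also split those values on whitespace. Letting sqlite do the join removes the shell round-trip and the temporary files under `@CERT_SVC_DB_PATH@`. The sketch below assumes `disabled_certs` has the column order (gname, certificate) that the existing `INSERT` implies and that matching `ssl` rows by certificate is equivalent to the gname lookup. It still interpolates `$OLD_DB`, which comes from the calling script rather than from database content. Separately, the early `exit 0` on a wrong argument count reports success; `exit 1` would let the caller notice.

```shell
# … unchanged: argument-count check …
OLD_DB=$1
NEW_DB=$2

# one transaction against the new db; -bail stops at the first SQL error
sqlite3 -bail "$NEW_DB" <<EOF
ATTACH DATABASE '$OLD_DB' AS old;
BEGIN;
INSERT INTO disabled_certs
    SELECT gname, certificate FROM ssl
    WHERE certificate IN (SELECT certificate FROM old.disabled_certs);
UPDATE ssl SET enabled=0
    WHERE certificate IN (SELECT certificate FROM old.disabled_certs);
COMMIT;
EOF
```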
<domain name="_" />
</request>
<assign>
- <filesystem path="@CERT_SVC_PATH@" label="System" type="transmutable" />
+ <filesystem path="@CERT_SVC_PATH@" label="@SMACK_DOMAIN_NAME@" type="transmutable" />
</assign>
</manifest>
BuildRequires: pkgconfig(cert-checker)
%endif
+%global USER_NAME security_fw
+%global GROUP_NAME security_fw
+%global SMACK_DONMAIN_NAME System
+
%global TZ_SYS_BIN %{?TZ_SYS_BIN:%TZ_SYS_BIN}%{!?TZ_SYS_BIN:%_bindir}
%global TZ_SYS_ETC %{?TZ_SYS_ETC:%TZ_SYS_ETC}%{!?TZ_SYS_ETC:/opt/etc}
%global TZ_SYS_SHARE %{?TZ_SYS_SHARE:%TZ_SYS_SHARE}%{!?TZ_SYS_SHARE:/opt/share}
%global CERT_SVC_PATH %TZ_SYS_SHARE/cert-svc
%global CERT_SVC_RO_PATH %TZ_SYS_RO_SHARE/cert-svc
-%global CERT_SVC_DB %CERT_SVC_PATH/dbspace
+%global CERT_SVC_DB_PATH %CERT_SVC_PATH/dbspace
%global CERT_SVC_PKCS12 %CERT_SVC_PATH/pkcs12
%global CERT_SVC_CA_BUNDLE %CERT_SVC_PATH/ca-certificate.crt
%global CERT_SVC_TESTS %TZ_SYS_RW_APP/cert-svc-tests
+%global CERT_SVC_OLD_DB_PATH /opt/share/cert-svc/dbspace
+%global UPGRADE_SCRIPT_PATH %TZ_SYS_RO_SHARE/upgrade/scripts
+%global UPGRADE_DATA_PATH %TZ_SYS_RO_SHARE/upgrade/data
+
%description
Certification service
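Review bot: The macro is defined as `SMACK_DONMAIN_NAME` in this hunk, but the `%cmake` call later passes `-DSMACK_DOMAIN_NAME=%SMACK_DOMAIN_NAME`. rpm leaves an undefined macro unexpanded, so CMake would receive the literal text, and both the manifest `label=` attribute and the `chsmack -a` call in the upgrade script would apply that string instead of `System`. The definition should read `%global SMACK_DOMAIN_NAME System`. A mislabelled certificate store changes which Smack domains can read or write it, so a configure-time check that the value is non-empty and contains no `%` would catch this class of mistake.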
%{!?build_type:%define build_type "Release"}
%cmake . -DVERSION=%version \
-DINCLUDEDIR=%_includedir \
+ -DUSER_NAME=%USER_NAME \
+ -DGROUP_NAME=%GROUP_NAME \
+ -DSMACK_DOMAIN_NAME=%SMACK_DOMAIN_NAME \
-DTZ_SYS_SHARE=%TZ_SYS_SHARE \
-DTZ_SYS_RO_SHARE=%TZ_SYS_RO_SHARE \
-DTZ_SYS_BIN=%TZ_SYS_BIN \
-DFINGERPRINT_LIST_RW_PATH=%TZ_SYS_REVOKED_CERTS_FINGERPRINTS_RUNTIME \
-DCERT_SVC_PATH=%CERT_SVC_PATH \
-DCERT_SVC_RO_PATH=%CERT_SVC_RO_PATH \
- -DCERT_SVC_DB=%CERT_SVC_DB \
-DCERT_SVC_PKCS12=%CERT_SVC_PKCS12 \
+ -DCERT_SVC_DB_PATH=%CERT_SVC_DB_PATH \
+ -DCERT_SVC_OLD_DB_PATH=%CERT_SVC_OLD_DB_PATH \
+ -DUPGRADE_SCRIPT_PATH=%UPGRADE_SCRIPT_PATH \
+ -DUPGRADE_DATA_PATH=%UPGRADE_DATA_PATH \
%if "%{?profile}" == "mobile"
-DTIZEN_PROFILE_MOBILE:BOOL=ON \
%else
mkdir -p %buildroot%CERT_SVC_PKCS12
-touch %buildroot%CERT_SVC_DB/certs-meta.db-journal
+touch %buildroot%CERT_SVC_DB_PATH/certs-meta.db-journal
+mkdir -p %buildroot%UPGRADE_DATA_PATH
+cp %buildroot%CERT_SVC_DB_PATH/certs-meta.db %buildroot%UPGRADE_DATA_PATH
ln -sf %TZ_SYS_CA_BUNDLE %buildroot%CERT_SVC_CA_BUNDLE
%_unitdir/sockets.target.wants/cert-server.socket
%_libdir/libcert-svc-vcore.so.*
%TZ_SYS_BIN/cert-server
-%dir %attr(-, security_fw, security_fw) %CERT_SVC_PATH
-%dir %attr(-, security_fw, security_fw) %CERT_SVC_PKCS12
-%attr(-, security_fw, security_fw) %CERT_SVC_CA_BUNDLE
-%attr(-, security_fw, security_fw) %CERT_SVC_DB/certs-meta.db
-%attr(-, security_fw, security_fw) %CERT_SVC_DB/certs-meta.db-journal
-%attr(-, security_fw, security_fw) %CERT_SVC_RO_PATH
+%dir %attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_PATH
+%dir %attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_PKCS12
+%attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_CA_BUNDLE
+%attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_DB_PATH/certs-meta.db
+%attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_DB_PATH/certs-meta.db-journal
+%attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_RO_PATH
+
+%attr(755, root, root) %{UPGRADE_SCRIPT_PATH}/cert-svc-db-upgrade.sh
+%attr(755, root, root) %{UPGRADE_SCRIPT_PATH}/cert-svc-disabled-certs-upgrade.sh
+%{UPGRADE_DATA_PATH}/certs-meta.db
%files devel
%_includedir/*