projects / platform / upstream / ca-certificates.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (from parent 1: 61ba968)
ca-certs resource path and format changed 09/51609/4 accepted/tizen/mobile/20151112.232405 accepted/tizen/tv/20151112.232414 accepted/tizen/wearable/20151112.232429 submit/tizen/20151112.113302
authorKyungwook Tak <k.tak@samsung.com>
Wed, 11 Nov 2015 07:05:25 +0000 (16:05 +0900)
committerKyungwook Tak <k.tak@samsung.com>
Wed, 11 Nov 2015 10:30:49 +0000 (19:30 +0900)
 - resource path : /usr/share/ca-certificates/* -> /usr/share/ca-certificates/certs
   : changed to exclude tizen code-signing root certificates which isn't related with ssl

 - resource format(filename) : non-format -> <openssl subject hash>.[0-9]
   : to support backward compatibility

 - resource permission
   : root:root(644) label="_" -> root:system(664) label="System::Shared"
   : to writable for cert-server when ca-certificates enabled/disabled

Change-Id: Iadc833adf6aa1d2f63fc2e05f4a21cf8d219235f
Signed-off-by: Kyungwook Tak <k.tak@samsung.com>
packaging/ca-certificates.spec patch | blob | history
packaging/certbundle.run patch | blob | history
packaging/update-ca-certificates patch | blob | history

diff --git a/packaging/ca-certificates.spec b/packaging/ca-certificates.spec
index ae07cce..83e46b1 100644 (file)
--- a/packaging/ca-certificates.spec
+++ b/packaging/ca-certificates.spec
@@ -16,6 +16,8 @@ Source3:        certbundle.run
 Source1001:    ca-certificates.manifest
 Url:            http://gitorious.org/opensuse/ca-certificates
 Requires:       openssl
+Requires:       smack
+Requires:       coreutils
 Requires(post): /usr/bin/rm
 Requires(post): openssl-misc
 Recommends:     ca-certificates-mozilla
@@ -61,6 +63,10 @@ fi
 # as openssl changed the hash format between 0.9.8 and 1.0
 update-ca-certificates -f || true
 
+chown root:system %{etccadir}
+chmod 775 %{etccadir}
+chsmack -a "System::Shared" %{etccadir}
+chsmack -t %{etccadir}
 
 %files
 %manifest %{name}.manifest
diff --git a/packaging/certbundle.run b/packaging/certbundle.run
index 5fd9544..add999e 100644 (file)
--- a/packaging/certbundle.run
+++ b/packaging/certbundle.run
@@ -29,7 +29,12 @@ cat > "$cafile.new" <<EOF
 # SSL_CTX_set_default_verify_paths() instead.
 #
 EOF
-for i in "$cadir"/*.pem; do
+for i in `find $cadir/*`; do
+       fname=`echo $i | cut -f 5 -d '/'`
+       if [[ ! $fname =~ ^[0-9a-z]{8}\.[0-9]$ ]]; then
+               continue
+       fi
+
        # only include certificates trusted for server auth
        if grep -q "BEGIN TRUSTED CERTIFICATE" "$i"; then
                trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
@@ -41,3 +46,7 @@ for i in "$cadir"/*.pem; do
        openssl x509 -in "$i"
 done >> "$cafile.new"
 mv "$cafile.new" "$cafile"
+
+chown root:system $cafile
+chmod 664 $cafile
+chsmack -a "System::Shared" $cafile
diff --git a/packaging/update-ca-certificates b/packaging/update-ca-certificates
index 7b1b8a0..84bec89 100644 (file)
--- a/packaging/update-ca-certificates
+++ b/packaging/update-ca-certificates
@@ -32,7 +32,8 @@ use Getopt::Long;
 my $certsconf = '/etc/ca-certificates.conf';
 my $hooksdir1 = '/etc/ca-certificates/update.d';
 my $hooksdir2 = '/usr/lib/ca-certificates/update.d';
-my $certsdir = "/usr/share/ca-certificates";
+# only search /usr/share/ca-certificates/certs because of code-signing certs
+my $certsdir = "/usr/share/ca-certificates/certs";
 my $localcertsdir = "/usr/local/share/ca-certificates";
 my $etccertsdir = "/etc/ssl/certs";
 
@@ -56,6 +57,7 @@ sub addcert($)
 {
        my $f = $_[0];
        my $t = targetfilename($f);
+
        return if -e $t;
        unlink $t if -l $t; # dangling symlink
        if (symlink($f, $t)) {
@@ -129,7 +131,7 @@ my @files;
 File::Find::find({
        no_chdir => 1,
        wanted => sub {
-               -f && /\.(?:pem|crt)$/ && push @files, $_;
+               -f && /\.(?:pem|crt|[0-9])$/ && push @files, $_;
                }
        }, $certsdir);
 for my $f (@files) {
@@ -146,7 +148,7 @@ for my $f (glob "$localcertsdir/*.{pem,crt}") {
        addcert($f);
 }
 
-for my $f (glob "$etccertsdir/*.pem") {
+for my $f (glob "$etccertsdir/*.{pem,[0-9]}") {
        if (-l $f && !-e $f) {
                if (startswith($f, $etccertsdir)
                || startswith($f, $localcertsdir))
@@ -161,8 +163,10 @@ for my $f (glob "$etccertsdir/*.pem") {
 chdir $etccertsdir || die "$!";
 if (%added || %removed || $opt_fresh) {
        print "Updating certificates in $etccertsdir...\n";
-       my $redir = ($opt_verbose?'':'> /dev/null');
-       system("c_rehash . $redir");
+# tizen ca-certs suffix isn't .pem|.crt|.cer|.crl
+# so c_rehash cannot be used.
+#      my $redir = ($opt_verbose?'':'> /dev/null');
+#      system("c_rehash . $redir");
 
        printf("%d added, %d removed.\n",
                (%added?(scalar keys %added):0),
Domain: Security / Authentication;