From 635c4d71b142896e7519e28b1e5b886bf4d7e7c0 Mon Sep 17 00:00:00 2001 From: Kyungwook Tak Date: Thu, 7 Jul 2016 20:07:51 +0900 Subject: [PATCH] Add revoked category on rw fingerprint list Requirement: Certificate can be revoked without platform upgrade, just by writing some fingerprint in xml which is in RW partition. Change-Id: Ie26f00656645c67da4298efce905660016af0147 Signed-off-by: Kyungwook Tak --- certificates/mobile/emul/CMakeLists.txt | 1 + certificates/mobile/emul/revoked/README | 1 + certificates/mobile/eng/CMakeLists.txt | 1 + certificates/mobile/eng/revoked/README | 1 + certificates/mobile/usr/CMakeLists.txt | 1 + certificates/mobile/usr/revoked/README | 1 + certificates/tv/emul/CMakeLists.txt | 1 + certificates/tv/emul/revoked/README | 1 + certificates/tv/eng/CMakeLists.txt | 1 + certificates/tv/eng/revoked/README | 1 + certificates/tv/usr/CMakeLists.txt | 1 + certificates/tv/usr/revoked/README | 1 + certificates/wearable/emul/CMakeLists.txt | 1 + certificates/wearable/emul/revoked/README | 1 + certificates/wearable/eng/CMakeLists.txt | 1 + certificates/wearable/eng/revoked/README | 1 + certificates/wearable/usr/CMakeLists.txt | 1 + certificates/wearable/usr/revoked/README | 1 + packaging/ca-certificates-tizen.spec | 32 +++++++++++++++++++---- tools/CMakeLists.txt | 28 +++++++++++++++++--- tools/add-fingerprint.sh | 2 +- tools/fingerprint_list_runtime.xml | 4 +++ 22 files changed, 75 insertions(+), 9 deletions(-) create mode 100644 certificates/mobile/emul/revoked/README create mode 100644 certificates/mobile/eng/revoked/README create mode 100644 certificates/mobile/usr/revoked/README create mode 100644 certificates/tv/emul/revoked/README create mode 100644 certificates/tv/eng/revoked/README create mode 100644 certificates/tv/usr/revoked/README create mode 100644 certificates/wearable/emul/revoked/README create mode 100644 certificates/wearable/eng/revoked/README create mode 100644 certificates/wearable/usr/revoked/README create mode 100644 tools/fingerprint_list_runtime.xml diff --git a/certificates/mobile/emul/CMakeLists.txt b/certificates/mobile/emul/CMakeLists.txt index 5aa2128..eb5e2b9 100644 --- a/certificates/mobile/emul/CMakeLists.txt +++ b/certificates/mobile/emul/CMakeLists.txt @@ -3,6 +3,7 @@ INSTALL(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/public/ ${CMAKE_CURRENT_SOURCE_DIR}/partner/ ${CMAKE_CURRENT_SOURCE_DIR}/platform/ + ${CMAKE_CURRENT_SOURCE_DIR}/revoked/ DESTINATION ${TIZEN_DIR} FILES_MATCHING diff --git a/certificates/mobile/emul/revoked/README b/certificates/mobile/emul/revoked/README new file mode 100644 index 0000000..a84bf6a --- /dev/null +++ b/certificates/mobile/emul/revoked/README @@ -0,0 +1 @@ +Add revoked Tizen app-signing root certificate here with "pem" suffix. diff --git a/certificates/mobile/eng/CMakeLists.txt b/certificates/mobile/eng/CMakeLists.txt index 5aa2128..eb5e2b9 100644 --- a/certificates/mobile/eng/CMakeLists.txt +++ b/certificates/mobile/eng/CMakeLists.txt @@ -3,6 +3,7 @@ INSTALL(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/public/ ${CMAKE_CURRENT_SOURCE_DIR}/partner/ ${CMAKE_CURRENT_SOURCE_DIR}/platform/ + ${CMAKE_CURRENT_SOURCE_DIR}/revoked/ DESTINATION ${TIZEN_DIR} FILES_MATCHING diff --git a/certificates/mobile/eng/revoked/README b/certificates/mobile/eng/revoked/README new file mode 100644 index 0000000..a84bf6a --- /dev/null +++ b/certificates/mobile/eng/revoked/README @@ -0,0 +1 @@ +Add revoked Tizen app-signing root certificate here with "pem" suffix. diff --git a/certificates/mobile/usr/CMakeLists.txt b/certificates/mobile/usr/CMakeLists.txt index 5aa2128..eb5e2b9 100644 --- a/certificates/mobile/usr/CMakeLists.txt +++ b/certificates/mobile/usr/CMakeLists.txt @@ -3,6 +3,7 @@ INSTALL(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/public/ ${CMAKE_CURRENT_SOURCE_DIR}/partner/ ${CMAKE_CURRENT_SOURCE_DIR}/platform/ + ${CMAKE_CURRENT_SOURCE_DIR}/revoked/ DESTINATION ${TIZEN_DIR} FILES_MATCHING diff --git a/certificates/mobile/usr/revoked/README b/certificates/mobile/usr/revoked/README new file mode 100644 index 0000000..a84bf6a --- /dev/null +++ b/certificates/mobile/usr/revoked/README @@ -0,0 +1 @@ +Add revoked Tizen app-signing root certificate here with "pem" suffix. diff --git a/certificates/tv/emul/CMakeLists.txt b/certificates/tv/emul/CMakeLists.txt index 5aa2128..eb5e2b9 100644 --- a/certificates/tv/emul/CMakeLists.txt +++ b/certificates/tv/emul/CMakeLists.txt @@ -3,6 +3,7 @@ INSTALL(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/public/ ${CMAKE_CURRENT_SOURCE_DIR}/partner/ ${CMAKE_CURRENT_SOURCE_DIR}/platform/ + ${CMAKE_CURRENT_SOURCE_DIR}/revoked/ DESTINATION ${TIZEN_DIR} FILES_MATCHING diff --git a/certificates/tv/emul/revoked/README b/certificates/tv/emul/revoked/README new file mode 100644 index 0000000..a84bf6a --- /dev/null +++ b/certificates/tv/emul/revoked/README @@ -0,0 +1 @@ +Add revoked Tizen app-signing root certificate here with "pem" suffix. diff --git a/certificates/tv/eng/CMakeLists.txt b/certificates/tv/eng/CMakeLists.txt index 5aa2128..eb5e2b9 100644 --- a/certificates/tv/eng/CMakeLists.txt +++ b/certificates/tv/eng/CMakeLists.txt @@ -3,6 +3,7 @@ INSTALL(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/public/ ${CMAKE_CURRENT_SOURCE_DIR}/partner/ ${CMAKE_CURRENT_SOURCE_DIR}/platform/ + ${CMAKE_CURRENT_SOURCE_DIR}/revoked/ DESTINATION ${TIZEN_DIR} FILES_MATCHING diff --git a/certificates/tv/eng/revoked/README b/certificates/tv/eng/revoked/README new file mode 100644 index 0000000..a84bf6a --- /dev/null +++ b/certificates/tv/eng/revoked/README @@ -0,0 +1 @@ +Add revoked Tizen app-signing root certificate here with "pem" suffix. diff --git a/certificates/tv/usr/CMakeLists.txt b/certificates/tv/usr/CMakeLists.txt index 5aa2128..eb5e2b9 100644 --- a/certificates/tv/usr/CMakeLists.txt +++ b/certificates/tv/usr/CMakeLists.txt @@ -3,6 +3,7 @@ INSTALL(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/public/ ${CMAKE_CURRENT_SOURCE_DIR}/partner/ ${CMAKE_CURRENT_SOURCE_DIR}/platform/ + ${CMAKE_CURRENT_SOURCE_DIR}/revoked/ DESTINATION ${TIZEN_DIR} FILES_MATCHING diff --git a/certificates/tv/usr/revoked/README b/certificates/tv/usr/revoked/README new file mode 100644 index 0000000..a84bf6a --- /dev/null +++ b/certificates/tv/usr/revoked/README @@ -0,0 +1 @@ +Add revoked Tizen app-signing root certificate here with "pem" suffix. diff --git a/certificates/wearable/emul/CMakeLists.txt b/certificates/wearable/emul/CMakeLists.txt index 5aa2128..eb5e2b9 100644 --- a/certificates/wearable/emul/CMakeLists.txt +++ b/certificates/wearable/emul/CMakeLists.txt @@ -3,6 +3,7 @@ INSTALL(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/public/ ${CMAKE_CURRENT_SOURCE_DIR}/partner/ ${CMAKE_CURRENT_SOURCE_DIR}/platform/ + ${CMAKE_CURRENT_SOURCE_DIR}/revoked/ DESTINATION ${TIZEN_DIR} FILES_MATCHING diff --git a/certificates/wearable/emul/revoked/README b/certificates/wearable/emul/revoked/README new file mode 100644 index 0000000..a84bf6a --- /dev/null +++ b/certificates/wearable/emul/revoked/README @@ -0,0 +1 @@ +Add revoked Tizen app-signing root certificate here with "pem" suffix. diff --git a/certificates/wearable/eng/CMakeLists.txt b/certificates/wearable/eng/CMakeLists.txt index 5aa2128..eb5e2b9 100644 --- a/certificates/wearable/eng/CMakeLists.txt +++ b/certificates/wearable/eng/CMakeLists.txt @@ -3,6 +3,7 @@ INSTALL(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/public/ ${CMAKE_CURRENT_SOURCE_DIR}/partner/ ${CMAKE_CURRENT_SOURCE_DIR}/platform/ + ${CMAKE_CURRENT_SOURCE_DIR}/revoked/ DESTINATION ${TIZEN_DIR} FILES_MATCHING diff --git a/certificates/wearable/eng/revoked/README b/certificates/wearable/eng/revoked/README new file mode 100644 index 0000000..a84bf6a --- /dev/null +++ b/certificates/wearable/eng/revoked/README @@ -0,0 +1 @@ +Add revoked Tizen app-signing root certificate here with "pem" suffix. diff --git a/certificates/wearable/usr/CMakeLists.txt b/certificates/wearable/usr/CMakeLists.txt index 5aa2128..eb5e2b9 100644 --- a/certificates/wearable/usr/CMakeLists.txt +++ b/certificates/wearable/usr/CMakeLists.txt @@ -3,6 +3,7 @@ INSTALL(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/public/ ${CMAKE_CURRENT_SOURCE_DIR}/partner/ ${CMAKE_CURRENT_SOURCE_DIR}/platform/ + ${CMAKE_CURRENT_SOURCE_DIR}/revoked/ DESTINATION ${TIZEN_DIR} FILES_MATCHING diff --git a/certificates/wearable/usr/revoked/README b/certificates/wearable/usr/revoked/README new file mode 100644 index 0000000..a84bf6a --- /dev/null +++ b/certificates/wearable/usr/revoked/README @@ -0,0 +1 @@ +Add revoked Tizen app-signing root certificate here with "pem" suffix. diff --git a/packaging/ca-certificates-tizen.spec b/packaging/ca-certificates-tizen.spec index 7341aba..d02f3eb 100644 --- a/packaging/ca-certificates-tizen.spec +++ b/packaging/ca-certificates-tizen.spec @@ -9,13 +9,28 @@ Source: %{name}-%{version}.tar.gz Source1001: %{name}.manifest BuildRequires: cmake BuildRequires: openssl +BuildRequires: pkgconfig(libtzplatform-config) + +%description +Used for the installation of Tizen-specific CA certificates. + +%package devel +Summary: Devel package of %{name} which contains RPM macros +Group: Development/Libraries +License: Apache-2.0 +Requires: %name = %version-%release + +%description devel +%{name} devel package which contains RPM macros for runtime revoked certs fingerprint %define ro_data_dir %{?TZ_SYS_RO_SHARE:%TZ_SYS_RO_SHARE}%{!?TZ_SYS_RO_SHARE:%_datadir} +%define rw_data_dir %{?TZ_SYS_SHARE:%TZ_SYS_SHARE}%{!?TZ_SYS_SHARE:/opt/share} %define tizen_dir %{ro_data_dir}/ca-certificates/tizen %define fingerprint_dir %{ro_data_dir}/ca-certificates/fingerprint +%define fingerprint_rw_dir %{rw_data_dir}/ca-certificates/fingerprint +%define ro_etc_dir %{?TZ_SYS_RO_ETC:%TZ_SYS_RO_ETC}%{!?TZ_SYS_RO_ETC:%_sysconfdir} -%description -Used for the installation of Tizen-specific CA certificates. +%define macro_ca_certificates_tizen %{ro_etc_dir}/rpm/macros.ca-certificates-tizen %prep %setup -q @@ -37,15 +52,18 @@ echo "release engineering mode" %cmake . -DRELMODE=%{REL_MODE} \ -DTIZEN_DIR=%{tizen_dir} \ -DFINGERPRINT_DIR=%{fingerprint_dir} \ + -DFINGERPRINT_RW_DIR=%{fingerprint_rw_dir} \ -DPROFILE_TARGET=%{?profile} make %{?_smp_mflags} %install -rm -fr %{buildroot} %make_install -mkdir -p %{buildroot}%{tizen_dir} -mkdir -p %{buildroot}%{fingerprint_dir} + +mkdir -p %{buildroot}%{ro_etc_dir}/rpm +touch %{buildroot}%{macro_ca_certificates_tizen} +echo "%TZ_SYS_REVOKED_CERTS_FINGERPRINTS_RUNTIME %{fingerprint_rw_dir}/fingerprint_list_runtime.xml" >> %{buildroot}%{macro_ca_certificates_tizen} + %files %defattr(-,root,root,-) @@ -53,3 +71,7 @@ mkdir -p %{buildroot}%{fingerprint_dir} %license LICENSE %{tizen_dir}/* %{fingerprint_dir}/* +%{fingerprint_rw_dir}/fingerprint_list_runtime.xml + +%files devel +%config %{macro_ca_certificates_tizen} diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt index 95e8b31..8fe0139 100644 --- a/tools/CMakeLists.txt +++ b/tools/CMakeLists.txt @@ -3,6 +3,11 @@ GET_FILENAME_COMPONENT( ${CMAKE_CURRENT_SOURCE_DIR}/fingerprint_list.xml REALPATH ) +GET_FILENAME_COMPONENT( + FINGERPRINT_LIST_RW_XML + ${CMAKE_CURRENT_SOURCE_DIR}/fingerprint_list_runtime.xml + REALPATH + ) GET_FILENAME_COMPONENT( FINGERPRINT_LIST_XSD ${CMAKE_CURRENT_SOURCE_DIR}/fingerprint_list.xsd @@ -16,10 +21,27 @@ EXECUTE_PROCESS( ${FINGERPRINT_LIST_XML} RESULT_VARIABLE ERROR_CODE ) + IF(ERROR_CODE) MESSAGE(FATAL_ERROR "Failed to generate fingerprint list") ENDIF(ERROR_CODE) -INSTALL(FILES ${FINGERPRINT_LIST_XML} - ${FINGERPRINT_LIST_XSD} - DESTINATION ${FINGERPRINT_DIR}) +EXECUTE_PROCESS( + COMMAND + ${CMAKE_CURRENT_SOURCE_DIR}/add-fingerprint.sh + ${CMAKE_SOURCE_DIR}/certificates/${PROFILE_TARGET}/${RELMODE} + ${FINGERPRINT_LIST_RW_XML} + RESULT_VARIABLE ERROR_CODE +) + +IF(ERROR_CODE) + MESSAGE("Failed to generate fingerprint list rw") +ENDIF(ERROR_CODE) + +INSTALL(FILES ${FINGERPRINT_LIST_XML} ${FINGERPRINT_LIST_XSD} + DESTINATION ${FINGERPRINT_DIR} +) + +INSTALL(FILES ${FINGERPRINT_LIST_RW_XML} + DESTINATION ${FINGERPRINT_RW_DIR} +) diff --git a/tools/add-fingerprint.sh b/tools/add-fingerprint.sh index 65d8804..91bd38c 100755 --- a/tools/add-fingerprint.sh +++ b/tools/add-fingerprint.sh @@ -9,7 +9,7 @@ then exit 2 fi -for CATEGORY in developer public partner platform test verify store +for CATEGORY in developer public partner platform test verify store revoked do if [ -d "$CERT_ROOT/$CATEGORY" ] then diff --git a/tools/fingerprint_list_runtime.xml b/tools/fingerprint_list_runtime.xml new file mode 100644 index 0000000..e71251a --- /dev/null +++ b/tools/fingerprint_list_runtime.xml @@ -0,0 +1,4 @@ + + + + -- 2.34.1