From b58b9697d4b078da9b134ea719a7358d9daf7427 Mon Sep 17 00:00:00 2001
From: "sangwan.kwon"
Date: Mon, 5 Sep 2016 17:57:05 +0900
Subject: [PATCH] Remake bundle file at db migration

* If db migration is done, check to update disabled_certs table
* and remake bundle file.
* Link CERT_SVC_CA_BUNDLE too.

Change-Id: Id7a2495ae2bb4f97cd34eab94d15de3eb8755d81
Signed-off-by: sangwan.kwon
---
 etc/upgrade/cert-svc-db-upgrade.sh.in | 4 +++
 etc/upgrade/cert-svc-disabled-certs-upgrade.sh.in | 11 +++++++
 packaging/cert-svc.spec | 2 ++
 tests/upgrade/cert-svc-test-upgrade.sh.in | 37 ++++++++++++++++++-----
 4 files changed, 47 insertions(+), 7 deletions(-)

diff --git a/etc/upgrade/cert-svc-db-upgrade.sh.in b/etc/upgrade/cert-svc-db-upgrade.sh.in
index 395c42b..0fdd3c0 100755
--- a/etc/upgrade/cert-svc-db-upgrade.sh.in
+++ b/etc/upgrade/cert-svc-db-upgrade.sh.in
@@ -42,6 +42,10 @@ rm -rf $OLD_DB
 # generate blank journal file newly
 touch $NEW_DB-journal
 
+# support backward compatablity
+ln -sf @TZ_SYS_CA_BUNDLE@ @CERT_SVC_CA_BUNDLE@
+chown -h @USER_NAME@:@GROUP_NAME@ @CERT_SVC_CA_BUNDLE@
+
 # change permission
 chsmack -a @SMACK_DOMAIN_NAME@ @CERT_SVC_DB_PATH@/*
 chown @USER_NAME@:@GROUP_NAME@ @CERT_SVC_DB_PATH@/*
diff --git a/etc/upgrade/cert-svc-disabled-certs-upgrade.sh.in b/etc/upgrade/cert-svc-disabled-certs-upgrade.sh.in
index 4eacba4..6090624 100755
--- a/etc/upgrade/cert-svc-disabled-certs-upgrade.sh.in
+++ b/etc/upgrade/cert-svc-disabled-certs-upgrade.sh.in
@@ -77,5 +77,16 @@ do
 fi
 done
 
+# re-make bundle file
+if [ -s @TZ_SYS_CA_BUNDLE@ ]
+then
+ rm @TZ_SYS_CA_BUNDLE@
+fi
+
+for i in `find @TZ_SYS_CA_CERTS@ -maxdepth 1 -type l | sort`
+do
+ openssl x509 -in $i -outform PEM >> @TZ_SYS_CA_BUNDLE@
+done
+
 rm -rf $OLD_GNAME_LIST
 rm -rf $OLD_CERTS_DIR
diff --git a/packaging/cert-svc.spec b/packaging/cert-svc.spec
index 62b2b34..d23c8e6 100644
--- a/packaging/cert-svc.spec
+++ b/packaging/cert-svc.spec
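Review bot: The new symlink gets `chown -h` but, unlike the database files labelled by the `chsmack -a` line right below it, no Smack label; if @CERT_SVC_CA_BUNDLE@ sits in a labelled location, confirm whether the link needs the same label, because a mislabelled trust-store path can make certificate verification fail for confined callers. Since `ln -sf` is unconditional, an old real bundle file at @CERT_SVC_CA_BUNDLE@ is replaced by the link on upgrade, which the comment should state rather than leave implicit; it also has a typo. Suggested wording: `# support backward compatibility: replace the legacy bundle path with a link to the new bundle location`.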
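Review bot: The rebuild at `rm @TZ_SYS_CA_BUNDLE@` followed by per-certificate `>>` appends is not atomic: if the upgrade is interrupted, or `openssl x509` fails on one link (its exit status is never checked), the device is left with no CA bundle or a partial one, and every consumer of @TZ_SYS_CA_BUNDLE@ loses trust anchors until the next upgrade. Building the bundle in a temporary file beside the target and renaming it over the old one at the end keeps the previous bundle intact on any failure; the rewritten lines below do that and stop on the first conversion error. The file created by `>>` also carries whatever owner and mode the upgrade process's umask gives it while the old file's attributes are discarded, so confirm the regenerated bundle still gets the owner and label the package expects. The backtick `find` loop word-splits its output, which is harmless for hash-named links but should be kept in mind if the directory layout changes.
```shell
# re-make bundle file: build it in a temporary file beside the target and
# rename it into place, so an interrupted or failed rebuild never leaves the
# system without a CA bundle
NEW_BUNDLE=$(mktemp @TZ_SYS_CA_BUNDLE@.XXXXXX) || exit 1
for i in `find @TZ_SYS_CA_CERTS@ -maxdepth 1 -type l | sort`
do
	if ! openssl x509 -in "$i" -outform PEM >> "$NEW_BUNDLE"
	then
		echo "failed to convert $i" >&2
		rm -f "$NEW_BUNDLE"
		exit 1
	fi
done
# mktemp creates the file 0600; the bundle must stay readable by its consumers
# (0644 mirrors what a umask-created file would get -- confirm against packaging)
chmod 644 "$NEW_BUNDLE"
mv -f "$NEW_BUNDLE" @TZ_SYS_CA_BUNDLE@
# … unchanged: removal of $OLD_GNAME_LIST and $OLD_CERTS_DIR …
```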
@@ -29,6 +29,7 @@ BuildRequires: ca-certificates-tizen-devel
 Requires: ca-certificates
 Requires: ca-certificates-tizen
 Requires: security-config
+Requires: openssl
 %if "%{?profile}" == "mobile"
 BuildRequires: pkgconfig(cert-checker)
 %endif
@@ -110,6 +111,7 @@ export FFLAGS="$FFLAGS -DTIZEN_EMULATOR_MODE"
 -DTZ_SYS_CA_CERTS=%TZ_SYS_CA_CERTS \
 -DTZ_SYS_CA_CERTS_ORIG=%TZ_SYS_CA_CERTS_ORIG \
 -DTZ_SYS_CA_BUNDLE=%TZ_SYS_CA_BUNDLE \
+ -DCERT_SVC_CA_BUNDLE=%CERT_SVC_CA_BUNDLE \
 -DFINGERPRINT_LIST_RW_PATH=%TZ_SYS_REVOKED_CERTS_FINGERPRINTS_RUNTIME \
 -DCERT_SVC_PATH=%CERT_SVC_PATH \
 -DCERT_SVC_RO_PATH=%CERT_SVC_RO_PATH \
diff --git a/tests/upgrade/cert-svc-test-upgrade.sh.in b/tests/upgrade/cert-svc-test-upgrade.sh.in
index f7ea6b1..bbdce60 100755
--- a/tests/upgrade/cert-svc-test-upgrade.sh.in
+++ b/tests/upgrade/cert-svc-test-upgrade.sh.in
@@ -21,12 +21,15 @@ PATH=/bin:/usr/bin:/sbin:/usr/sbin
 #
 
 NEW_DB=@CERT_SVC_DB_PATH@/certs-meta.db
+TEST_GNAME1="6410666e.0"
+TEST_GNAME2="790a7190.0"
 
 # set test old database
 rm -rf @CERT_SVC_OLD_DB_PATH@/*
 cp @UPGRADE_DATA_PATH@/certs-meta-old.db @CERT_SVC_OLD_DB_PATH@/certs-meta.db
 
 before_upgrade_certs_cnt=`ls -l @TZ_SYS_CA_CERTS@ | grep ^l | wc -l`
+before_upgrade_bundle_line=`cat @TZ_SYS_CA_BUNDLE@ | wc -l`
 
 # run db upgrade
 @UPGRADE_SCRIPT_PATH@/cert-svc-db-upgrade.sh
@@ -41,14 +44,14 @@ else
 fi
 
 # testcase 2. below gname's enabled column should off
-enabled_column1=`sqlite3 $NEW_DB "SELECT enabled from ssl WHERE gname='6410666e.0';"`
+enabled_column1=`sqlite3 $NEW_DB "SELECT enabled from ssl WHERE gname='$TEST_GNAME1';"`
 if [ "$enabled_column1" != "0" ]
 then
 echo "[-] Failed to upgrade ssl table."
 else
 echo "[+] Success to upgrade ssl table."
 fi
-enabled_column2=`sqlite3 $NEW_DB "SELECT enabled from ssl WHERE gname='790a7190.0';"`
+enabled_column2=`sqlite3 $NEW_DB "SELECT enabled from ssl WHERE gname='$TEST_GNAME2';"`
 if [ "$enabled_column2" != "0" ]
 then
 echo "[-] Failed to upgrade ssl table."
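Review bot: The new `before_upgrade_bundle_line` line pipes `cat @TZ_SYS_CA_BUNDLE@` into `wc -l`; `wc -l < @TZ_SYS_CA_BUNDLE@` gives the same count without the extra process, and the same pattern is repeated for `after_upgrade_bundle_line` and `after_symbol_bundle_line` in the last hunk of this file. More importantly, if the bundle is absent before the upgrade the variable is empty and testcase 4's `expr` later fails with a syntax error instead of a readable "[-]" result. A guard ahead of the count, such as `[ -r @TZ_SYS_CA_BUNDLE@ ] || echo "[-] Bundle file missing before upgrade."`, would make that failure mode obvious in the test output.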
@@ -56,15 +59,15 @@ else
 echo "[+] Success to upgrade ssl table."
 fi
 
-# testcase 3. check to exist disabeld certs on rw area
-link_path1="@TZ_SYS_CA_CERTS@/6410666e.0"
+# testcase 3. check to exist disabled certs on rw area
+link_path1="@TZ_SYS_CA_CERTS@/$TEST_GNAME1"
 if [ -f $link_path1 ]
 then
 echo "[-] Failed to unlink disabled certs."
 else
 echo "[+] Success to unlink disabled certs."
 fi
-link_path2="@TZ_SYS_CA_CERTS@/790a7190.0"
+link_path2="@TZ_SYS_CA_CERTS@/$TEST_GNAME2"
 if [ -f $link_path1 ]
 then
 echo "[-] Failed to unlink disabled certs."
@@ -74,11 +77,31 @@ fi
 
 # check certificate's count was reduced
 after_upgrade_certs_cnt=`ls -l @TZ_SYS_CA_CERTS@ | grep ^l | wc -l`
-diff=$(expr $before_upgrade_certs_cnt - $after_upgrade_certs_cnt)
-if [ "$diff" != "2" ]
+diff_cnt=$(expr $before_upgrade_certs_cnt - $after_upgrade_certs_cnt)
+if [ "$diff_cnt" != "2" ]
 then
 echo "[-] Failed to unlink disabled certs."
 echo "[-] Check ca-certificate package's upgrade has done."
 else
 echo "[+] Success to unlink disabled certs."
 fi
+
+# testcase 4. bundle file should update
+after_upgrade_bundle_line=`cat @TZ_SYS_CA_BUNDLE@ | wc -l`
+diff_line1=$(expr $before_upgrade_bundle_line - $after_upgrade_bundle_line)
+if [ "$diff_line1" != "56" ]
+then
+ echo "[-] Failed to update bundle file."
+ echo "[-] Check ca-certificate package's upgrade has done."
+else
+ echo "[+] Success to update bundle file."
+fi
+
+after_symbol_bundle_line=`cat @CERT_SVC_CA_BUNDLE@ | wc -l`
+diff_line2=$(expr $after_upgrade_bundle_line - $after_symbol_bundle_line)
+if [ "$diff_line2" != "0" ]
+then
+ echo "[-] Failed to sync bundle file with CERT_SVC_CA_BUNDLE."
+else
+ echo "[+] Success to sync bundle file with CERT_SVC_CA_BUNDLE."
+fi
--
2.7.4
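Review bot: The second check in testcase 3 still tests `link_path1` after assigning `link_path2` (the context line `if [ -f $link_path1 ]` directly under the new `link_path2=` line), so the second disabled cert is never verified and the commit's parameterisation does not fix that; it should read `if [ -f $link_path2 ]`. In addition `-f` follows symlinks, so a link that was left in place but whose target is gone also reports "[+] Success"; since the upgrade is supposed to remove the links, `[ -L "$link_path1" ]` (and `-L` for link_path2) is the check that actually proves the link was unlinked.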
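Review bot: The expected value in `if [ "$diff_line1" != "56" ]` is a magic number that silently encodes the PEM line count of the two test certificates, so the test breaks on any change to the fixtures or to how `openssl x509 -outform PEM` wraps its output; at minimum a comment should say where it comes from, e.g. `# 56 = PEM lines of the two disabled test certs (TEST_GNAME1 + TEST_GNAME2)`, or better compute it from the fixture files. The CERT_SVC_CA_BUNDLE comparison reads through the symlink the db-upgrade script creates, so `diff_line2` can only be non-zero if the path is missing entirely (in which case `expr` fails on an empty operand rather than printing a "[-]" line), and it does not prove that a link was created. `[ -L @CERT_SVC_CA_BUNDLE@ ]` together with comparing `readlink @CERT_SVC_CA_BUNDLE@` to @TZ_SYS_CA_BUNDLE@ would verify what the commit actually adds.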