diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest
new file mode 100644
index 0000000000..b57272ae02
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest
@@ -0,0 +1 @@
+DIST nss-3.15.5.tar.gz 6367893 SHA256 1442c85624b7de74c7745132a65aa0de47d280c4f01f293d111bc0b6d8271f43 SHA512 4db27ea98f17f1a5bc6f513455497945fc35957f573b3ac7e730b166fbe0e8fd741c188187c578faf361d969db63d83ff8ccf15ac2b8ca72a367f33a018695ca WHIRLPOOL c3c687ac53dca571d1c45bdf4a80e192ca58da07e06ef56de7ac9736480c97689dd12d14351860764b70a1d823092a1ddbc471328c4bae4a899edd0e331c8aee
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.15.5.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.15.5.ebuild
new file mode 100644
index 0000000000..3b78ac4b7a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.15.5.ebuild
@@ -0,0 +1,58 @@
+# Copyright 2014 The CoreOS Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+inherit cros-tmpfiles python-any-r1 systemd
+
+RTM_NAME="NSS_${PV//./_}_RTM"
+MY_PN="nss"
+MY_P="${MY_PN}-${PV}"
+S="${WORKDIR}"
+
+DESCRIPTION="Mozilla's CA Certificate Store"
+HOMEPAGE="http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/"
+SRC_URI="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${MY_P}.tar.gz"
+
+# NSS is licensed under the MPL, files/certdata2pem.py is GPL
+LICENSE="MPL-2.0 GPL-2"
+SLOT="0"
+KEYWORDS="amd64"
+IUSE=""
+
+RDEPEND="dev-libs/openssl
+ sys-apps/findutils"
+DEPEND="${RDEPEND}
+ ${PYTHON_DEPS}"
+
+gen_tmpfiles() {
+ local certfile
+ echo "d /etc/ssl - - - - -"
+ echo "d /etc/ssl/certs - - - - -"
+ for certfile in "$@"; do
+ local l="/etc/ssl/certs/${certfile##*/}"
+ local p="../../../usr/share/${PN}/${certfile}"
+ echo "L ${l} - - - - ${p}"
+ done
+}
+
+src_compile() {
+ local certdata="${MY_P}/nss/lib/ckfw/builtins/certdata.txt"
+ ${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" mozilla || die
+ gen_tmpfiles mozilla/*.pem > ${PN}.conf || die
+}
+
+src_install() {
+ insinto /usr/share/${PN}
+ doins -r mozilla
+
+ dosbin "${FILESDIR}/update-ca-certificates"
+ systemd_dounit "${FILESDIR}/update-ca-certificates.service"
+ systemd_enable_service sysinit.target update-ca-certificates.service
+ systemd_dotmpfilesd ${PN}.conf
+
+ # Setup initial links in /etc
+ dodir /etc/ssl/certs
+ tmpfiles_create
+ bash "${FILESDIR}/update-ca-certificates" "${D}/etc/ssl/certs" || die
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/certdata2pem.py b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/certdata2pem.py
new file mode 100644
index 0000000000..a54b723c0e
--- /dev/null
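Review bot: In src_compile, `gen_tmpfiles mozilla/*.pem > ${PN}.conf || die` hands the literal pattern to gen_tmpfiles when certdata2pem.py produced no files, so an empty certificate store yields a tmpfiles entry linking to `mozilla/*.pem` instead of a build failure. Expand the glob into an array and check it first, e.g. `local pems=( mozilla/*.pem ); [[ -e "${pems[0]}" ]] || die "no certificates were generated"` followed by `gen_tmpfiles "${pems[@]}" > "${PN}.conf" || die`; quoting `"${PN}.conf"` there and in `systemd_dotmpfilesd ${PN}.conf` also matches the rest of the file. gen_tmpfiles names each link by the file's basename (`${certfile##*/}`), so a comment on the function that certificate files must have unique basenames would make that constraint visible.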
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/certdata2pem.py 
@@ -0,0 +1,123 @@ +#!/usr/bin/python +# vim:set et sw=4: +# +# certdata2pem.py - splits certdata.txt into multiple files +# +# Copyright (C) 2009 Philipp Kern +# Copyright (C) 2014 The CoreOS Authors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, +# USA. + +import base64 +import os.path +import re +import sys +import textwrap + +if len(sys.argv) != 3: + sys.stderr.write("Usage: certdata2pem.py certdata.txt output_dir\n") + sys.exit(1) + +certdata = sys.argv[1] +output_dir = sys.argv[2] +objects = [] + +# Dirty file parser. +in_data, in_multiline, in_obj = False, False, False +field, type, value, obj = None, None, None, dict() +for line in open(certdata, 'r'): + # Ignore the file header. + if not in_data: + if line.startswith('BEGINDATA'): + in_data = True + continue + # Ignore comment lines. + if line.startswith('#'): + continue + # Empty lines are significant if we are inside an object. 
+ if in_obj and len(line.strip()) == 0: + objects.append(obj) + obj = dict() + in_obj = False + continue + if len(line.strip()) == 0: + continue + if in_multiline: + if not line.startswith('END'): + if type == 'MULTILINE_OCTAL': + line = line.strip() + for i in re.finditer(r'\\([0-3][0-7][0-7])', line): + value += chr(int(i.group(1), 8)) + else: + value += line + continue + obj[field] = value + in_multiline = False + continue + if line.startswith('CKA_CLASS'): + in_obj = True + line_parts = line.strip().split(' ', 2) + if len(line_parts) > 2: + field, type = line_parts[0:2] + value = ' '.join(line_parts[2:]) + elif len(line_parts) == 2: + field, type = line_parts + value = None + else: + raise NotImplementedError, 'line_parts < 2 not supported.' + if type == 'MULTILINE_OCTAL': + in_multiline = True + value = "" + continue + obj[field] = value +if len(obj.items()) > 0: + objects.append(obj) + +# Build up trust database. +trust = dict() +for obj in objects: + if obj['CKA_CLASS'] not in ('CKO_NETSCAPE_TRUST', 'CKO_NSS_TRUST'): + continue + elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR', + 'CKT_NSS_TRUSTED_DELEGATOR'): + trust[obj['CKA_LABEL']] = True + elif obj['CKA_TRUST_EMAIL_PROTECTION'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR', + 'CKT_NSS_TRUSTED_DELEGATOR'): + trust[obj['CKA_LABEL']] = True + else: + print "Ignoring certificate %s. 
SAUTH=%s, EPROT=%s" % \ + (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'], + obj['CKA_TRUST_EMAIL_PROTECTION']) + +if not os.path.isdir(output_dir): + os.makedirs(output_dir) +os.chdir(output_dir) + +for obj in objects: + if obj['CKA_CLASS'] == 'CKO_CERTIFICATE': + if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]: + continue + fname = obj['CKA_LABEL'][1:-1].replace('/', '_')\ + .replace(' ', '_')\ + .replace('(', '=')\ + .replace(')', '=')\ + .replace(',', '_') + '.pem' + fname = fname.decode('string_escape') + f = open(fname, 'w') + f.write("-----BEGIN CERTIFICATE-----\n") + f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64))) + f.write("\n-----END CERTIFICATE-----\n") + diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates new file mode 100644 index 0000000000..60840d89ff --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates @@ -0,0 +1,27 @@ +#!/bin/bash + +CERTSDIR="${1:-${ROOT}/etc/ssl/certs}" + +if [[ ! -w "${CERTSDIR}" ]]; then + echo "Error: SSL certificate directory ${CERTSDIR} isn't writable" >&2 + exit 1 +fi + +set -e + +echo "Pruning broken links in ${CERTSDIR}" +find -L "${CERTSDIR}" -type l -delete + +echo "Rehashing certificate files in ${CERTSDIR}" +c_rehash "${CERTSDIR}" + +CERTBUNDLE="${CERTSDIR}/ca-certificates.crt" +if [[ ! -e "${CERTBUNDLE}" || "${CERTSDIR}" -nt "${CERTBUNDLE}" ]]; then + echo "Recreating certificate bundle ${CERTBUNDLE}" + TEMPBUNDLE=$(mktemp "${CERTBUNDLE}.XXXXXXXXXX") + trap "rm -f '${CERTSDIR}/${TEMPBUNDLE}'" EXIT + # Use .0 instead of .pem to pull in only what c_rehash validated + cat "${CERTSDIR}"/*.0 > "${TEMPBUNDLE}" + mv -f "${TEMPBUNDLE}" "${CERTBUNDLE}" + trap - EXIT +fi 
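Review bot: The output filename is unescaped after it has been sanitised: `fname.decode('string_escape')` runs after the `.replace('/', '_')` chain, so a label carrying an escaped slash (`\x2f` or `\057`) turns into a real path separator by the time `open(fname, 'w')` runs. The input here is the hash-verified NSS tarball, so this is hardening rather than an exposure, but the order should be decode first: `fname = obj['CKA_LABEL'][1:-1].decode('string_escape')` and then the replace chain with `+ '.pem'`. The file handle is also never closed; wrapping the three writes in `with open(fname, 'w') as f:` fixes that. `type` shadows the builtin throughout the parser and `cka_type` would read better. Trust objects that are neither trusted delegators are only printed, so a distrust record would never clear a label already set in `trust`; that is presumably safe because certdata.txt carries one trust object per label, and a comment stating that assumption would help.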
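Review bot: The cleanup trap removes the wrong path: `mktemp "${CERTBUNDLE}.XXXXXXXXXX"` already returns an absolute name under `${CERTSDIR}`, so `trap "rm -f '${CERTSDIR}/${TEMPBUNDLE}'" EXIT` targets `${CERTSDIR}/${CERTSDIR}/...` and a failing `cat` under `set -e` leaves the temporary bundle behind; it should read `trap "rm -f '${TEMPBUNDLE}'" EXIT`. mktemp creates the file with mode 0600 and `mv -f` keeps that mode, so the resulting ca-certificates.crt is unreadable to unprivileged processes; add `chmod 0644 "${TEMPBUNDLE}"` before the `mv`. `cat "${CERTSDIR}"/*.0` also collects only the first entry per subject-hash bucket, so a certificate whose hash collides with another (c_rehash names it `.1`) is left out of the bundle, which deserves a comment if intended.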
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service
new file mode 100644
index 0000000000..63b05895d1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update CA Certificates in /etc/ssl/certs
+# Since other services depend on the certificate store run this early
+DefaultDependencies=no
+Wants=systemd-tmpfiles-setup.service
+After=systemd-tmpfiles-setup.service
+Before=sysinit.target
+ConditionPathIsReadWrite=/etc/ssl/certs
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/update-ca-certificates
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r158.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r159.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r158.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r159.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
index f0b69edfad..6bdbde0029 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
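Review bot: The ordering on systemd-tmpfiles-setup.service is load-bearing but unexplained in the unit: the per-certificate symlinks in /etc/ssl/certs are created by the package's tmpfiles config, and the script only rehashes whatever is already present. A comment before `Wants=systemd-tmpfiles-setup.service`, such as `# The certificate symlinks in /etc/ssl/certs are created by tmpfiles from ca-certificates.conf; rehash only after they exist`, would record that. `ConditionPathIsReadWrite=/etc/ssl/certs` duplicates the script's own writability check, which is fine, but it means a read-only /etc skips the unit silently instead of surfacing the script's error in the journal; worth a short note next to it.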
@@ -140,11 +140,6 @@ RDEPEND="${RDEPEND} sys-fs/squashfs-tools " -# Host dependency used by the chromeos-base/root-certificates ebuild -RDEPEND="${RDEPEND} - >=app-misc/ca-certificates-20090709-r6 - " - # Host dependencies that are needed for delta_generator. RDEPEND="${RDEPEND} coreos-base/update_engine diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 98a3216c36..06a52fde4e 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -80,9 +80,6 @@ # Really really hoping this fixes our compile issues =dev-lang/python-2.7.6 ~amd64 -# Hopefully includes some certs folks have been missing -=app-misc/ca-certificates-20130906 ~amd64 - # Kills an annoying warning =app-admin/eselect-1.4 diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask index 50234ab62f..f4a4e0090b 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask @@ -14,3 +14,7 @@ # Stick with python 2 for now >=dev-lang/python-3 + +# Require our ca-certificates package based directly on Mozilla's +# certificate store provided in NSS rather than the Gentoo/Debian package. +>=app-misc/ca-certificates-20000000
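Review bot: The mask `>=app-misc/ca-certificates-20000000` only works because the overlay package is versioned by NSS release (3.15.5 here), which sorts below Gentoo's date-style versions; the comment says why the Gentoo package is unwanted but not that ordering assumption. Extending it with `# Gentoo versions are dates (e.g. 20130906); ours follow the NSS release number and must sort below this bound` would keep a future rename or version scheme change from masking the overlay's own package by surprise.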