mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-20 05:51:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #681 from marineam/certs

Browse Source 
fix(app-misc/ca-certificates): Never rehash certs during boot.
This commit is contained in:
Michael Marineau 2014-06-12 13:15:54 -07:00
commit 65efddaa85
4 changed files with 61 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16.ebuild → sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r1.ebuild vendored
View File

@ -25,13 +25,25 @@ RDEPEND="dev-libs/openssl
DEPEND="${RDEPEND} DEPEND="${RDEPEND}
${PYTHON_DEPS}" ${PYTHON_DEPS}"
sym_to_usr() {
local l="/etc/ssl/certs/${1##*/}"
local p="../../../usr/share/${PN}/${1}"
echo "L ${l} - - - - ${p}"
}
gen_tmpfiles() { gen_tmpfiles() {
local certfile local certfile
echo "d /etc/ssl - - - - -" echo "d /etc/ssl - - - - -"
echo "d /etc/ssl/certs - - - - -" echo "d /etc/ssl/certs - - - - -"
sym_to_usr ca-certificates.crt
for certfile in "$@"; do for certfile in "$@"; do
local l="/etc/ssl/certs/${certfile##*/}" sym_to_usr "${certfile}"
local p="../../../usr/share/${PN}/${certfile}" done
for certfile in "$@"; do
local certhash=$(openssl x509 -hash -noout -in "${certfile}")
# This assumes the hashes have no collisions
local l="/etc/ssl/certs/${certhash}.0"
local p="${certfile##*/}"
echo "L ${l} - - - - ${p}" echo "L ${l} - - - - ${p}"
done done
} }
@ -39,20 +51,23 @@ gen_tmpfiles() {
src_compile() { src_compile() {
local certdata="${MY_P}/nss/lib/ckfw/builtins/certdata.txt" local certdata="${MY_P}/nss/lib/ckfw/builtins/certdata.txt"
${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" mozilla || die ${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" mozilla || die
cat mozilla/*.pem > ca-certificates.crt || die
gen_tmpfiles mozilla/*.pem > ${PN}.conf || die gen_tmpfiles mozilla/*.pem > ${PN}.conf || die
} }
src_install() { src_install() {
insinto /usr/share/${PN} insinto /usr/share/${PN}
doins ca-certificates.crt
doins -r mozilla doins -r mozilla
dosbin "${FILESDIR}/update-ca-certificates" dosbin "${FILESDIR}/update-ca-certificates"
systemd_dounit "${FILESDIR}/clean-ca-certificates.service"
systemd_dounit "${FILESDIR}/update-ca-certificates.service" systemd_dounit "${FILESDIR}/update-ca-certificates.service"
systemd_enable_service sysinit.target clean-ca-certificates.service
systemd_enable_service sysinit.target update-ca-certificates.service systemd_enable_service sysinit.target update-ca-certificates.service
systemd_dotmpfilesd ${PN}.conf systemd_dotmpfilesd ${PN}.conf
# Setup initial links in /etc # Setup initial links in /etc
dodir /etc/ssl/certs dodir /etc/ssl/certs
tmpfiles_create tmpfiles_create
bash "${FILESDIR}/update-ca-certificates" "${D}/etc/ssl/certs" || die
} }

12
sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/clean-ca-certificates.service vendored Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=Clean up broken links in /etc/ssl/certs
# Since other services depend on the certificate store run this early
DefaultDependencies=no
Wants=systemd-tmpfiles-setup.service
After=systemd-tmpfiles-setup.service
Before=sysinit.target
ConditionPathIsReadWrite=/etc/ssl/certs
[Service]
Type=oneshot
ExecStart=/usr/bin/find -L /etc/ssl/certs -type l -delete

35
sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates vendored
View File

@ -1,27 +1,42 @@
#!/bin/bash #!/bin/bash
CERTSDIR="${1:-${ROOT}/etc/ssl/certs}" set -e
CERTSDIR="${ROOT}/etc/ssl/certs"
CERTBUNDLE="${CERTSDIR}/ca-certificates.crt"
SKIP_REHASH=0
while [[ $# -gt 0 ]]; do
case "$1" in
--skip-rehash)
SKIP_REHASH=1 ;;
--help|-h|*)
echo "$0 [--skip-rehash]"
exit ;;
esac
shift
done
if [[ ! -w "${CERTSDIR}" ]]; then if [[ ! -w "${CERTSDIR}" ]]; then
echo "Error: SSL certificate directory ${CERTSDIR} isn't writable" >&2 echo "Error: SSL certificate directory ${CERTSDIR} isn't writable" >&2
exit 1 exit 1
fi fi
set -e if [[ ${SKIP_REHASH} -ne 1 ]]; then
c_rehash "${CERTSDIR}"
fi
echo "Pruning broken links in ${CERTSDIR}"
find -L "${CERTSDIR}" -type l -delete
echo "Rehashing certificate files in ${CERTSDIR}"
c_rehash "${CERTSDIR}"
CERTBUNDLE="${CERTSDIR}/ca-certificates.crt"
if [[ ! -e "${CERTBUNDLE}" || "${CERTSDIR}" -nt "${CERTBUNDLE}" ]]; then if [[ ! -e "${CERTBUNDLE}" || "${CERTSDIR}" -nt "${CERTBUNDLE}" ]]; then
echo "Recreating certificate bundle ${CERTBUNDLE}" echo "Recreating certificate bundle ${CERTBUNDLE}"
TEMPBUNDLE=$(mktemp "${CERTBUNDLE}.XXXXXXXXXX") TEMPBUNDLE=$(mktemp "${CERTBUNDLE}.XXXXXXXXXX")
trap "rm -f '${CERTSDIR}/${TEMPBUNDLE}'" EXIT trap "rm -f '${CERTSDIR}/${TEMPBUNDLE}'" EXIT
# Use .0 instead of .pem to pull in only what c_rehash validated # Use .0 instead of .pem to pull in only what c_rehash validated
cat "${CERTSDIR}"/*.0 > "${TEMPBUNDLE}" cat "${CERTSDIR}"/*.[0-9] > "${TEMPBUNDLE}"
chmod 644 "${TEMPBUNDLE}"
mv -f "${TEMPBUNDLE}" "${CERTBUNDLE}" mv -f "${TEMPBUNDLE}" "${CERTBUNDLE}"
trap - EXIT trap - EXIT
# Update the bundle's mtime so future runs know not to regenerate it
touch --reference="${CERTSDIR}" "${CERTBUNDLE}"
fi fi

10
sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service vendored
View File

@ -1,12 +1,14 @@
[Unit] [Unit]
Description=Update CA Certificates in /etc/ssl/certs Description=Update CA bundle at /etc/ssl/certs/ca-certificates.crt
# Since other services depend on the certificate store run this early # Since other services depend on the certificate store run this early
DefaultDependencies=no DefaultDependencies=no
Wants=systemd-tmpfiles-setup.service Wants=systemd-tmpfiles-setup.service clean-ca-certificates.service
After=systemd-tmpfiles-setup.service After=systemd-tmpfiles-setup.service clean-ca-certificates.service
Before=sysinit.target Before=sysinit.target
ConditionPathIsReadWrite=/etc/ssl/certs ConditionPathIsReadWrite=/etc/ssl/certs
# Do nothing if update-ca-certificates has never been run before
ConditionPathIsSymbolicLink=!/etc/ssl/certs/ca-certificates.crt
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart=/usr/sbin/update-ca-certificates ExecStart=/usr/sbin/update-ca-certificates --skip-rehash