From 3ec4346975559e89bc8f0433dc85d7689dc6fc47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Mon, 21 Apr 2014 15:35:28 +0300 Subject: main/ca-certificates: rewrite update-ca-certificates in lua fix also overlay protected paths to exclude generated links. ref #2846 (cherry picked from commit af18a975d8494f923d0ff3754dd250ffc641b6ef) --- main/ca-certificates/APKBUILD | 25 ++++++--- main/ca-certificates/ca-certificates.trigger | 4 +- main/ca-certificates/update-ca-certificates | 84 ++++++++++++++++++++++++++++ 3 files changed, 103 insertions(+), 10 deletions(-) create mode 100755 main/ca-certificates/update-ca-certificates diff --git a/main/ca-certificates/APKBUILD b/main/ca-certificates/APKBUILD index d4d70a1e16..98685a5979 100644 --- a/main/ca-certificates/APKBUILD +++ b/main/ca-certificates/APKBUILD @@ -7,16 +7,17 @@ _nmu="+nmu${pkgver#*_p}" [ "$_nmu" = "+nmu${pkgver}" ] && _nmu="" _ver=${_date}${_nmu} -pkgrel=0 +pkgrel=1 pkgdesc="Common CA certificates PEM files" url="http://packages.debian.org/sid/ca-certificates" arch="noarch" license="MPL 2.0 GPL2+" -depends="run-parts openssl" +depends="run-parts openssl lua5.2 lua5.2-posix" makedepends="python" subpackages="$pkgname-doc" triggers="ca-certificates.trigger=/usr/share/ca-certificates:/etc/ssl/certs" source="http://ftp.no.debian.org/debian/pool/main/c/$pkgname/${pkgname}_${_ver}.tar.xz + update-ca-certificates " _builddir="$srcdir"/$pkgname 
@@ -46,11 +47,21 @@ package() { ) > "$pkgdir"/etc/ca-certificates.conf # http://bugs.alpinelinux.org/issues/2715 + # http://bugs.alpinelinux.org/issues/2846 + install -m755 "$srcdir"/update-ca-certificates "$pkgdir"/usr/sbin \ + || return 1 + mkdir -p "$pkgdir"/etc/apk/protected_paths.d - echo "-etc/ssl/certs/*.crt" \ - > "$pkgdir"/etc/apk/protected_paths.d/ca-certificates.list + cat < "$pkgdir"/etc/apk/protected_paths.d/ca-certificates.list +-etc/ssl/certs/ca-certificates.crt +-etc/ssl/certs/ca-cert-*.pem +-etc/ssl/certs/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[r0-9]* +EOF } -md5sums="0436aba482091da310bd762e1deca8b4 ca-certificates_20140325.tar.xz" -sha256sums="c0e3d8c517995db2737f7f1a9b69d654b8823fa6d337871c6ce111fcf083454a ca-certificates_20140325.tar.xz" -sha512sums="6645740d61da78845facce6e3881c64f51e945a454cb26cead6e7df4887f1f3797bea217cebaffaae22a76fa3867ee20dee7b1d5200df20b85878a0c6029c2f8 ca-certificates_20140325.tar.xz" +md5sums="0436aba482091da310bd762e1deca8b4 ca-certificates_20140325.tar.xz +b582c6dfa38edcc0ad324736282ff497 update-ca-certificates" +sha256sums="c0e3d8c517995db2737f7f1a9b69d654b8823fa6d337871c6ce111fcf083454a ca-certificates_20140325.tar.xz +2ea92ac6b35446ddbcd6381a1a2932178e3819125052456a25b0bbc4c36870f0 update-ca-certificates" +sha512sums="6645740d61da78845facce6e3881c64f51e945a454cb26cead6e7df4887f1f3797bea217cebaffaae22a76fa3867ee20dee7b1d5200df20b85878a0c6029c2f8 ca-certificates_20140325.tar.xz +9c4c25ce8a667089ad73c3e494fea1a997bd1a2415c4865dd1a761e103ded44f9b4cd412b9027b28d70b6bf896e7e9ec6f2010c3e059e46b3ddf34f23b5e0815 update-ca-certificates" diff --git a/main/ca-certificates/ca-certificates.trigger b/main/ca-certificates/ca-certificates.trigger index 439cfca52e..eff198163e 100644 --- a/main/ca-certificates/ca-certificates.trigger +++ b/main/ca-certificates/ca-certificates.trigger @@ -1,5 +1,3 @@ #!/bin/sh - /usr/sbin/update-ca-certificates --fresh &> /dev/null - -exit 0; +exit 0 
diff --git a/main/ca-certificates/update-ca-certificates b/main/ca-certificates/update-ca-certificates
new file mode 100755
index 0000000000..cbd37779a7
--- /dev/null
+++ b/main/ca-certificates/update-ca-certificates
@@ -0,0 +1,84 @@
+#!/usr/bin/lua5.2
+
+local CERTSDIR='/usr/share/ca-certificates/'
+local LOCALCERTSDIR='/usr/local/share/ca-certificates/'
+local ETCCERTSDIR='/etc/ssl/certs/'
+local CERTBUNDLE='ca-certificates.crt'
+local CERTSCONF='/etc/ca-certificates.conf'
+
+local posix = require 'posix'
+local calinks = {}
+local cacerts = {}
+
+function string.begins(str, prefix) return str:sub(1,#prefix)==prefix end
+
+local function add(fn)
+ -- Map fn to file in etc
+ local pem = "ca-cert-"..fn:gsub('.*/', ''):gsub('.crt$',''):gsub('[, ]','_'):gsub('[()]','=')..".pem"
+ calinks[pem] = fn
+ -- Read the certificate for the bundle
+ local f = io.open(fn, "rb")
+ if f ~= nil then
+ local content = f:read("*all")
+ f:close()
+ table.insert(cacerts, content)
+ if content:sub(-1) ~= '\n' then table.insert(cacerts, '\n') end
+ end
+end
+
+-- Handle global CA certs from config file
+for l in io.lines(CERTSCONF) do
+ local firstchar = l:sub(1,1)
+ if firstchar ~= "#" and firstchar ~= "!" then
+ add(CERTSDIR..l)
+ end
+end
+
+-- Handle local CA certificates
+local certlist = posix.glob(LOCALCERTSDIR..'*.crt')
+if certlist ~= nil then
+ table.sort(certlist)
+ for f in pairs(certlist) do
+ local fn = LOCALCERTSDIR..f
+ if posix.stat(fn, 'type') == 'regular' then
+ add(fn)
+ end
+ end
+end
+
+-- Update etc cert dir for additions and deletions
+local f, target
+for f in posix.files(ETCCERTSDIR) do
+ local fn = ETCCERTSDIR..f
+ if posix.stat(fn, 'type') == 'link' then
+ local target = calinks[f]
+ local curtgt = posix.readlink(fn)
+ if curtgt:begins(CERTSDIR) or curtgt:begins(LOCALCERTSDIR) then
+ if target == nil then
+ -- Symlink exists but is unwanted
+ os.remove(fn)
+ elseif current_target ~= wanted_target then
+ -- Symlink exists but points wrong
+ posix.link(target, ETCCERTSDIR..f, true)
+ else
+ -- Symlink exists and is ok
+ calinks[f] = nil
+ end
+ end
+ end
+end
+for f, target in pairs(calinks) do
+ posix.link(target, ETCCERTSDIR..f, true)
+end
+
+-- Update hashes and the bundle
+os.execute("c_rehash "..ETCCERTSDIR.." > /dev/null")
+local fd, tmpfile = posix.mkstemp(ETCCERTSDIR..'bundleXXXXXX')
+if fd >= 0 then
+ posix.close(fd)
+ posix.chmod(tmpfile, "a+r")
+ local file = io.open(tmpfile, "wb")
+ file:write(table.concat(cacerts))
+ file:close()
+ os.rename(tmpfile, ETCCERTSDIR..CERTBUNDLE)
+end
-- cgit v1.2.3
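Review bot: The `elseif current_target ~= wanted_target then` branch in the symlink loop compares two names that are never defined, so it is always false and a link that points inside CERTSDIR or LOCALCERTSDIR but at the wrong file falls into the else branch, is marked ok with `calinks[f] = nil` and stays in place; it should be `elseif curtgt ~= target then`, and because `posix.link` on an existing path fails, the simplest body is `os.remove(fn)` so the final `pairs(calinks)` loop recreates the link. The local-certificate loop fails silently in the same way: `for f in pairs(certlist)` yields the array indices, so `LOCALCERTSDIR..f` becomes `/usr/local/share/ca-certificates/1`, the `posix.stat` check never matches and local CAs are never installed; use `for _, fn in ipairs(certlist) do` and drop the concatenation, since posix.glob appears to return the matched paths with the directory already prefixed. Neither failure raises an error and every `posix.link` return value is discarded, so the trigger exits 0 even when the trust store was not updated; logging a message or exiting non-zero when a link or the bundle cannot be written would make such a failure visible. The whole file is contained in this hunk.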