aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTimo Teräs <timo.teras@iki.fi>2014-04-21 15:35:28 +0300
committerTimo Teräs <timo.teras@iki.fi>2014-04-21 17:11:43 +0300
commitaf18a975d8494f923d0ff3754dd250ffc641b6ef (patch)
tree0dc5c0bf33ca9cf426cb1399c81758523e6ad117
parent59830cbdd943f8d2242c2821abf6248a8758557c (diff)
downloadaports-af18a975d8494f923d0ff3754dd250ffc641b6ef.tar.bz2
main/ca-certificates: rewrite update-ca-certificates in lua
fix also overlay protected paths to exclude generated links. ref #2846
-rw-r--r--main/ca-certificates/APKBUILD25
-rw-r--r--main/ca-certificates/ca-certificates.trigger4
-rwxr-xr-xmain/ca-certificates/update-ca-certificates84
3 files changed, 103 insertions, 10 deletions
diff --git a/main/ca-certificates/APKBUILD b/main/ca-certificates/APKBUILD
index d4d70a1..98685a5 100644
--- a/main/ca-certificates/APKBUILD
+++ b/main/ca-certificates/APKBUILD
@@ -7,16 +7,17 @@ _nmu="+nmu${pkgver#*_p}"
[ "$_nmu" = "+nmu${pkgver}" ] && _nmu=""
_ver=${_date}${_nmu}
-pkgrel=0
+pkgrel=1
pkgdesc="Common CA certificates PEM files"
url="http://packages.debian.org/sid/ca-certificates"
arch="noarch"
license="MPL 2.0 GPL2+"
-depends="run-parts openssl"
+depends="run-parts openssl lua5.2 lua5.2-posix"
makedepends="python"
subpackages="$pkgname-doc"
triggers="ca-certificates.trigger=/usr/share/ca-certificates:/etc/ssl/certs"
source="http://ftp.no.debian.org/debian/pool/main/c/$pkgname/${pkgname}_${_ver}.tar.xz
+ update-ca-certificates
"
_builddir="$srcdir"/$pkgname
@@ -46,11 +47,21 @@ package() {
) > "$pkgdir"/etc/ca-certificates.conf
# http://bugs.alpinelinux.org/issues/2715
+ # http://bugs.alpinelinux.org/issues/2846
+ install -m755 "$srcdir"/update-ca-certificates "$pkgdir"/usr/sbin \
+ || return 1
+
mkdir -p "$pkgdir"/etc/apk/protected_paths.d
- echo "-etc/ssl/certs/*.crt" \
- > "$pkgdir"/etc/apk/protected_paths.d/ca-certificates.list
+ cat <<EOF > "$pkgdir"/etc/apk/protected_paths.d/ca-certificates.list
+-etc/ssl/certs/ca-certificates.crt
+-etc/ssl/certs/ca-cert-*.pem
+-etc/ssl/certs/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[r0-9]*
+EOF
}
-md5sums="0436aba482091da310bd762e1deca8b4 ca-certificates_20140325.tar.xz"
-sha256sums="c0e3d8c517995db2737f7f1a9b69d654b8823fa6d337871c6ce111fcf083454a ca-certificates_20140325.tar.xz"
-sha512sums="6645740d61da78845facce6e3881c64f51e945a454cb26cead6e7df4887f1f3797bea217cebaffaae22a76fa3867ee20dee7b1d5200df20b85878a0c6029c2f8 ca-certificates_20140325.tar.xz"
+md5sums="0436aba482091da310bd762e1deca8b4 ca-certificates_20140325.tar.xz
+b582c6dfa38edcc0ad324736282ff497 update-ca-certificates"
+sha256sums="c0e3d8c517995db2737f7f1a9b69d654b8823fa6d337871c6ce111fcf083454a ca-certificates_20140325.tar.xz
+2ea92ac6b35446ddbcd6381a1a2932178e3819125052456a25b0bbc4c36870f0 update-ca-certificates"
+sha512sums="6645740d61da78845facce6e3881c64f51e945a454cb26cead6e7df4887f1f3797bea217cebaffaae22a76fa3867ee20dee7b1d5200df20b85878a0c6029c2f8 ca-certificates_20140325.tar.xz
+9c4c25ce8a667089ad73c3e494fea1a997bd1a2415c4865dd1a761e103ded44f9b4cd412b9027b28d70b6bf896e7e9ec6f2010c3e059e46b3ddf34f23b5e0815 update-ca-certificates"
diff --git a/main/ca-certificates/ca-certificates.trigger b/main/ca-certificates/ca-certificates.trigger
index 439cfca..eff1981 100644
--- a/main/ca-certificates/ca-certificates.trigger
+++ b/main/ca-certificates/ca-certificates.trigger
@@ -1,5 +1,3 @@
#!/bin/sh
-
/usr/sbin/update-ca-certificates --fresh &> /dev/null
-
-exit 0;
+exit 0
diff --git a/main/ca-certificates/update-ca-certificates b/main/ca-certificates/update-ca-certificates
new file mode 100755
index 0000000..cbd3777
--- /dev/null
+++ b/main/ca-certificates/update-ca-certificates
@@ -0,0 +1,84 @@
+#!/usr/bin/lua5.2
+
+local CERTSDIR='/usr/share/ca-certificates/'
+local LOCALCERTSDIR='/usr/local/share/ca-certificates/'
+local ETCCERTSDIR='/etc/ssl/certs/'
+local CERTBUNDLE='ca-certificates.crt'
+local CERTSCONF='/etc/ca-certificates.conf'
+
+local posix = require 'posix'
+local calinks = {}
+local cacerts = {}
+
+function string.begins(str, prefix) return str:sub(1,#prefix)==prefix end
+
+local function add(fn)
+ -- Map fn to file in etc
+ local pem = "ca-cert-"..fn:gsub('.*/', ''):gsub('.crt$',''):gsub('[, ]','_'):gsub('[()]','=')..".pem"
+ calinks[pem] = fn
+ -- Read the certificate for the bundle
+ local f = io.open(fn, "rb")
+ if f ~= nil then
+ local content = f:read("*all")
+ f:close()
+ table.insert(cacerts, content)
+ if content:sub(-1) ~= '\n' then table.insert(cacerts, '\n') end
+ end
+end
+
+-- Handle global CA certs from config file
+for l in io.lines(CERTSCONF) do
+ local firstchar = l:sub(1,1)
+ if firstchar ~= "#" and firstchar ~= "!" then
+ add(CERTSDIR..l)
+ end
+end
+
+-- Handle local CA certificates
+local certlist = posix.glob(LOCALCERTSDIR..'*.crt')
+if certlist ~= nil then
+ table.sort(certlist)
+ for f in pairs(certlist) do
+ local fn = LOCALCERTSDIR..f
+ if posix.stat(fn, 'type') == 'regular' then
+ add(fn)
+ end
+ end
+end
+
+-- Update etc cert dir for additions and deletions
+local f, target
+for f in posix.files(ETCCERTSDIR) do
+ local fn = ETCCERTSDIR..f
+ if posix.stat(fn, 'type') == 'link' then
+ local target = calinks[f]
+ local curtgt = posix.readlink(fn)
+ if curtgt:begins(CERTSDIR) or curtgt:begins(LOCALCERTSDIR) then
+ if target == nil then
+ -- Symlink exists but is unwanted
+ os.remove(fn)
+ elseif current_target ~= wanted_target then
+ -- Symlink exists but points wrong
+ posix.link(target, ETCCERTSDIR..f, true)
+ else
+ -- Symlink exists and is ok
+ calinks[f] = nil
+ end
+ end
+ end
+end
+for f, target in pairs(calinks) do
+ posix.link(target, ETCCERTSDIR..f, true)
+end
+
+-- Update hashes and the bundle
+os.execute("c_rehash "..ETCCERTSDIR.." > /dev/null")
+local fd, tmpfile = posix.mkstemp(ETCCERTSDIR..'bundleXXXXXX')
+if fd >= 0 then
+ posix.close(fd)
+ posix.chmod(tmpfile, "a+r")
+ local file = io.open(tmpfile, "wb")
+ file:write(table.concat(cacerts))
+ file:close()
+ os.rename(tmpfile, ETCCERTSDIR..CERTBUNDLE)
+end