Fix c_rehash run during image creation

Add support to run c_rehash using SYSROOT environment variable, so that it can create hashes for the certificates during rootfs build phase of image creation. Change-Id: Ib60d4f9c217334ab7abba98dc07efd2ef8d1c7a5 Task-number: QTEE-971 Reviewed-by: Joerg Bornemann <joerg.bornemann@theqtcompany.com>
author: Samuli Piippo <samuli.piippo@theqtcompany.com> 2015-09-09 14:00:35 +0300
committer: Samuli Piippo <samuli.piippo@theqtcompany.com> 2015-09-10 12:42:27 +0000
commit: b54b20eb868b68379c792efab0baf8a15cd8a283 (patch)
tree: 0f4db45fbf606be2bda4ba5cfc43234b0366d01b /recipes
parent: e3b10f658c196d80db975345d9b5ef3eb8751f9c (diff)
download: meta-boot2qt-b54b20eb868b68379c792efab0baf8a15cd8a283.tar.gz
2 files changed, 101 insertions, 0 deletions
diff --git a/recipes/openssl/openssl/0001-Support-SYSROOT-in-c_rehash.patch b/recipes/openssl/openssl/0001-Support-SYSROOT-in-c_rehash.patch
new file mode 100644
index 0000000..01775eb
--- /dev/null
+++ b/recipes/openssl/openssl/0001-Support-SYSROOT-in-c_rehash.patch
@@ -0,0 +1,98 @@
+From 6b833a7767c25b60fb0bb8dcc00484df19946288 Mon Sep 17 00:00:00 2001
+From: Samuli Piippo <samuli.piippo@theqtcompany.com>
+Date: Wed, 9 Sep 2015 13:37:28 +0300
+Subject: [PATCH] Support SYSROOT in c_rehash
+update-ca-certificates is ran during image creation, which in turn runs
+c_rehash. Since the symlinks in /etc/ssl/certs/ are pointing to absolute
+location, c_rehash does not find the actual files. Add support for SYSROOT
+environment variable and use it to locate the actual files during image
+creation.
+Upstream-status: Pending
+---
+ tools/c_rehash.in | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index f8d0ce1..e81ec5b 100644
+--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
+@@ -5,6 +5,7 @@
+ # and add symbolic links to their hash values.
+ 
+ my $openssl;
+my $sysroot;
+ 
+ my $dir;
+ my $prefix;
+@@ -16,6 +17,10 @@ if(defined $ENV{OPENSSL}) {
+        $ENV{OPENSSL} = $openssl;
+ }
+ 
+if(defined $ENV{SYSROOT}) {
+       $sysroot = $ENV{SYSROOT};
+}
+
+ my $pwd;
+ eval "require Cwd";
+ if (defined(&Cwd::getcwd)) {
+@@ -76,15 +81,16 @@ sub hash_dir {
+        }
+        closedir DIR;
+        FILE: foreach $fname (grep {/\.pem$/} @flist) {
+       $fullname = $sysroot . readlink($fname);
+                # Check to see if certificates and/or CRLs present.
+-               my ($cert, $crl) = check_file($fname);
+               my ($cert, $crl) = check_file($fullname);
+                if(!$cert && !$crl) {
+                        print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+                        next;
+                }
+-               link_hash_cert($fname) if($cert);
+-               link_hash_cert_old($fname) if($cert);
+-               link_hash_crl($fname) if($crl);
+               link_hash_cert($fname, $fullname) if($cert);
+               link_hash_cert_old($fname, $fullname) if($cert);
+               link_hash_crl($fname, $fullname) if($crl);
+        }
+ }
+ 
+@@ -117,9 +123,10 @@ sub check_file {
+ 
+ sub link_hash_cert {
+                my $fname = $_[0];
+-               my $hashopt = $_[1] || '-subject_hash';
+-               $fname =~ s/'/'\\''/g;
+-               my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`;
+               my $fullname = $_[1];
+               my $hashopt = $_[2] || '-subject_hash';
+               $fullname =~ s/'/'\\''/g;
+               my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fullname"`;
+                chomp $hash;
+                chomp $fprint;
+                $fprint =~ s/^.*=//;
+@@ -150,15 +157,16 @@ sub link_hash_cert {
+ }
+ 
+ sub link_hash_cert_old {
+-               link_hash_cert($_[0], '-subject_hash_old');
+               link_hash_cert($_[0], $_[1], '-subject_hash_old');
+ }
+ 
+ # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
+ 
+ sub link_hash_crl {
+                my $fname = $_[0];
+-               $fname =~ s/'/'\\''/g;
+-               my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
+               my $fullname = $_[1];
+               $fullname =~ s/'/'\\''/g;
+               my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fullname'`;
+                chomp $hash;
+                chomp $fprint;
+                $fprint =~ s/^.*=//;
+-- 
+1.9.1
diff --git a/recipes/openssl/openssl_1.%.bbappend b/recipes/openssl/openssl_1.%.bbappend
index 461cb45..ce68b59 100644
--- a/recipes/openssl/openssl_1.%.bbappend
+++ b/recipes/openssl/openssl_1.%.bbappend
@@ -20,6 +20,9 @@
 ##
 #############################################################################
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += "file://0001-Support-SYSROOT-in-c_rehash.patch"
 PACKAGECONFIG += "perl"
 do_install_append () {
author	Samuli Piippo <samuli.piippo@theqtcompany.com>	2015-09-09 14:00:35 +0300
committer	Samuli Piippo <samuli.piippo@theqtcompany.com>	2015-09-10 12:42:27 +0000
commit	b54b20eb868b68379c792efab0baf8a15cd8a283 (patch)
tree	0f4db45fbf606be2bda4ba5cfc43234b0366d01b /recipes
parent	e3b10f658c196d80db975345d9b5ef3eb8751f9c (diff)
download	meta-boot2qt-b54b20eb868b68379c792efab0baf8a15cd8a283.tar.gz

diff --git a/recipes/openssl/openssl/0001-Support-SYSROOT-in-c_rehash.patch b/recipes/openssl/openssl/0001-Support-SYSROOT-in-c_rehash.patch new file mode 100644 index 0000000..01775eb --- /dev/null +++ b/recipes/openssl/openssl/0001-Support-SYSROOT-in-c_rehash.patch
@@ -0,0 +1,98 @@
		1	From 6b833a7767c25b60fb0bb8dcc00484df19946288 Mon Sep 17 00:00:00 2001
		2	From: Samuli Piippo <samuli.piippo@theqtcompany.com>
		3	Date: Wed, 9 Sep 2015 13:37:28 +0300
		4	Subject: [PATCH] Support SYSROOT in c_rehash
		5
		6	update-ca-certificates is ran during image creation, which in turn runs
		7	c_rehash. Since the symlinks in /etc/ssl/certs/ are pointing to absolute
		8	location, c_rehash does not find the actual files. Add support for SYSROOT
		9	environment variable and use it to locate the actual files during image
		10	creation.
		11
		12	Upstream-status: Pending
		13
		14	---
		15	tools/c_rehash.in \| 28 ++++++++++++++++++----------
		16	1 file changed, 18 insertions(+), 10 deletions(-)
		17
		18	diff --git a/tools/c_rehash.in b/tools/c_rehash.in
		19	index f8d0ce1..e81ec5b 100644
		20	--- a/tools/c_rehash.in
		21	+++ b/tools/c_rehash.in
		22	@@ -5,6 +5,7 @@
		23	# and add symbolic links to their hash values.
		24
		25	my $openssl;
		26	+my $sysroot;
		27
		28	my $dir;
		29	my $prefix;
		30	@@ -16,6 +17,10 @@ if(defined $ENV{OPENSSL}) {
		31	$ENV{OPENSSL} = $openssl;
		32	}
		33
		34	+if(defined $ENV{SYSROOT}) {
		35	+ $sysroot = $ENV{SYSROOT};
		36	+}
		37	+
		38	my $pwd;
		39	eval "require Cwd";
		40	if (defined(&Cwd::getcwd)) {
		41	@@ -76,15 +81,16 @@ sub hash_dir {
		42	}
		43	closedir DIR;
		44	FILE: foreach $fname (grep {/\.pem$/} @flist) {
		45	+ $fullname = $sysroot . readlink($fname);
		46	# Check to see if certificates and/or CRLs present.
		47	- my ($cert, $crl) = check_file($fname);
		48	+ my ($cert, $crl) = check_file($fullname);
		49	if(!$cert && !$crl) {
		50	print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
		51	next;
		52	}
		53	- link_hash_cert($fname) if($cert);
		54	- link_hash_cert_old($fname) if($cert);
		55	- link_hash_crl($fname) if($crl);
		56	+ link_hash_cert($fname, $fullname) if($cert);
		57	+ link_hash_cert_old($fname, $fullname) if($cert);
		58	+ link_hash_crl($fname, $fullname) if($crl);
		59	}
		60	}
		61
		62	@@ -117,9 +123,10 @@ sub check_file {
		63
		64	sub link_hash_cert {
		65	my $fname = $_[0];
		66	- my $hashopt = $_[1] \|\| '-subject_hash';
		67	- $fname =~ s/'/'\\''/g;
		68	- my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`;
		69	+ my $fullname = $_[1];
		70	+ my $hashopt = $_[2] \|\| '-subject_hash';
		71	+ $fullname =~ s/'/'\\''/g;
		72	+ my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fullname"`;
		73	chomp $hash;
		74	chomp $fprint;
		75	$fprint =~ s/^.*=//;
		76	@@ -150,15 +157,16 @@ sub link_hash_cert {
		77	}
		78
		79	sub link_hash_cert_old {
		80	- link_hash_cert($_[0], '-subject_hash_old');
		81	+ link_hash_cert($_[0], $_[1], '-subject_hash_old');
		82	}
		83
		84	# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
		85
		86	sub link_hash_crl {
		87	my $fname = $_[0];
		88	- $fname =~ s/'/'\\''/g;
		89	- my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
		90	+ my $fullname = $_[1];
		91	+ $fullname =~ s/'/'\\''/g;
		92	+ my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fullname'`;
		93	chomp $hash;
		94	chomp $fprint;
		95	$fprint =~ s/^.*=//;
		96	--
		97	1.9.1
		98


diff --git a/recipes/openssl/openssl_1.%.bbappend b/recipes/openssl/openssl_1.%.bbappend index 461cb45..ce68b59 100644 --- a/recipes/openssl/openssl_1.%.bbappend +++ b/recipes/openssl/openssl_1.%.bbappend
@@ -20,6 +20,9 @@
20	##	20	##
21	#############################################################################	21	#############################################################################
22		22
		23	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
		24	SRC_URI += "file://0001-Support-SYSROOT-in-c_rehash.patch"
		25
23	PACKAGECONFIG += "perl"	26	PACKAGECONFIG += "perl"
24		27
25	do_install_append () {	28	do_install_append () {