authorDmitry Rozhkov <dmitry.rozhkov@linux.intel.com>2016-10-28 10:22:35 +0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-11-06 23:35:32 +0000
commitef1fa14260b98fde89ad82a211461c7ccfe63d2d (patch)
tree6af5cfac47fc85769ebabba0b0192aca6844f0c4
parent3d4c896b2a7585539fc60a465dd3781e93e4cc24 (diff)
downloadpoky-ef1fa14260b98fde89ad82a211461c7ccfe63d2d.tar.gz
openssl: rehash actual mozilla certificates inside rootfs
The c_rehash utility is supposed to be run in the folder /etc/ssl/certs of a rootfs where the package ca-certificates puts symlinks to various CA certificates stored in /usr/share/ca-certificates/mozilla/. These symlinks are absolute. This means that when c_rehash is run at rootfs creation time it can't hash the actual files since they actually reside in the build host's directory $SYSROOT/usr/share/ca-certificates/mozilla/. This problem doesn't reproduce when building on Debian or Ubuntu hosts though, because these OSs have the certificates installed in the same /usr/share/ca-certificates/mozilla/ folder. Images built in other distros, e.g. Fedora, have problems with connecting to https servers when using e.g. python's http lib. The patch fixes c_rehash to check if it runs on a build host by testing $SYSROOT and to translate the paths to certificates accordingly. (From OE-Core rev: 5199b990edf4d9784c19137d0ce9ef141cd85e46) Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh20
1 files changed, 16 insertions, 4 deletions
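--- a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
+++ b/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
@@ -114,11 +114,11 @@ link_hash()
 LINKFILE=${HASH}.${TAG}${SUFFIX}
 done
 
-echo "${1} => ${LINKFILE}"
+echo "${3} => ${LINKFILE}"
 
 # assume any system with a POSIX shell will either support symlinks or
 # do something to handle this gracefully
-ln -s ${1} ${LINKFILE}
+ln -s ${3} ${LINKFILE}
 
 return 0
 }
@@ -142,7 +142,19 @@ hash_dir()
 
 ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE
 do
-check_file ${FILE}
+REAL_FILE=${FILE}
+# if we run on build host then get to the real files in rootfs
+if [ -n "${SYSROOT}" -a -h ${FILE} ]
+then
+FILE=$( readlink ${FILE} )
+# check the symlink is absolute (or dangling in other word)
+if [ "x/" == "x$( echo ${FILE} | cut -c1 -)" ]
+then
+REAL_FILE=${SYSROOT}/${FILE}
+fi
+fi
+
+check_file ${REAL_FILE}
 local FILE_TYPE=${?}
 local TYPE_STR=''
 
@@ -157,7 +169,7 @@ hash_dir()
 continue
 fi
 
-link_hash ${FILE} ${TYPE_STR}
+link_hash ${REAL_FILE} ${TYPE_STR} ${FILE}
 done
 }
 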
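Review bot: The absolute-target test added in hash_dir (second hunk), `[ "x/" == "x$( echo ${FILE} | cut -c1 -)" ]`, uses `==` inside `[ ]`, which is not POSIX. If the script runs under a strict /bin/sh such as dash, as the "POSIX shell" comment in link_hash suggests, the test errors out and REAL_FILE is never redirected into $SYSROOT, so the certificate is either skipped or checked against whatever the build host has at that path. A portable, quoted form would be `case "${FILE}" in /*) REAL_FILE="${SYSROOT}${FILE}" ;; esac`, and `-h ${FILE}`, `readlink ${FILE}` and `check_file ${REAL_FILE}` should quote their arguments too. `readlink` resolves only one level, so a target that is itself an absolute symlink would still be followed on the host by check_file; because these links define the image's trust store, a comment stating that assumption, or a check that REAL_FILE exists under $SYSROOT, would help. hash_dir starts outside the visible hunks.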