openssl: rehash actual mozilla certificates inside rootfs

The c_rehash utility is supposed to be run in the folder /etc/ssl/certs of a rootfs where the package ca-certificates puts symlinks to various CA certificates stored in /usr/share/ca-certificates/mozilla/. These symlinks are absolute. This means that when c_rehash is run at rootfs creation time it can't hash the actual files since they actually reside in the build host's directory $SYSROOT/usr/share/ca-certificates/mozilla/. This problem doesn't reproduce when building on Debian or Ubuntu hosts though, because these OSs have the certificates installed in the same /usr/share/ca-certificates/mozilla/ folder. Images built in other distros, e.g. Fedora, have problems with connecting to https servers when using e.g. python's http lib. The patch fixes c_rehash to check if it runs on a build host by testing $SYSROOT and to translate the paths to certificates accordingly. (From OE-Core rev: 5199b990edf4d9784c19137d0ce9ef141cd85e46) (From OE-Core rev: 9ab0cba49d9ab67aacfcfb47689f4a77a72a0866) Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> 2016-10-28 10:22:35 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-11-16 10:37:56 +0000
commit: 25fa4e9e8fa891e9759a921743e16097378eefb3 (patch)
tree: 3c6c74dcc09015dd63a5f53e3cc99e1c25a01ee0 /meta/recipes-connectivity
parent: 3d471b811dca0894a49da746b6e2e3203d66dae0 (diff)
download: poky-25fa4e9e8fa891e9759a921743e16097378eefb3.tar.gz
1 files changed, 16 insertions, 4 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh b/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
index f67f415544..25ea729ac1 100644
--- a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
+++ b/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
@@ -114,11 +114,11 @@ link_hash()
        LINKFILE=${HASH}.${TAG}${SUFFIX}
    done
-    echo "${1} => ${LINKFILE}"
+    echo "${3} => ${LINKFILE}"
    # assume any system with a POSIX shell will either support symlinks or
    # do something to handle this gracefully
-    ln -s ${1} ${LINKFILE}
+    ln -s ${3} ${LINKFILE}
    return 0
 }
@@ -142,7 +142,19 @@ hash_dir()
    ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE
    do
-        check_file ${FILE}
+        REAL_FILE=${FILE}
+        # if we run on build host then get to the real files in rootfs
+        if [ -n "${SYSROOT}" -a -h ${FILE} ]
+        then
+            FILE=$( readlink ${FILE} )
+            # check the symlink is absolute (or dangling in other word)
+            if [ "x/" == "x$( echo ${FILE} | cut -c1 -)" ]
+            then
+                REAL_FILE=${SYSROOT}/${FILE}
+            fi
+        fi
+        check_file ${REAL_FILE}
        local FILE_TYPE=${?}
        local TYPE_STR=''
@@ -157,7 +169,7 @@ hash_dir()
            continue
        fi
-        link_hash ${FILE} ${TYPE_STR}
+        link_hash ${REAL_FILE} ${TYPE_STR} ${FILE}
    done
 }
author	Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>	2016-10-28 10:22:35 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-11-16 10:37:56 +0000
commit	25fa4e9e8fa891e9759a921743e16097378eefb3 (patch)
tree	3c6c74dcc09015dd63a5f53e3cc99e1c25a01ee0 /meta/recipes-connectivity
parent	3d471b811dca0894a49da746b6e2e3203d66dae0 (diff)
download	poky-25fa4e9e8fa891e9759a921743e16097378eefb3.tar.gz