Use CA certificates from standard location in Brillo.
Brillo images have all the CA certificates for the whole system in
/system/etc/security/cacerts. For update_engine, we would like to
accept only a subset of those, but we will start by accepting all
the installed certs.
Bug: 25089263
Test: `mm`, deployed on a -userdebug build and updated
Change-Id: Ib05e6ea1c5efb98a6320ce6288842e2277f67b1f
diff --git a/libcurl_http_fetcher.cc b/libcurl_http_fetcher.cc
index 8a3fd3b..5253214 100644
--- a/libcurl_http_fetcher.cc
+++ b/libcurl_http_fetcher.cc
@@ -28,6 +28,7 @@
#include "update_engine/certificate_checker.h"
#include "update_engine/hardware_interface.h"
+#include "update_engine/platform_constants.h"
using base::TimeDelta;
using brillo::MessageLoop;
@@ -41,7 +42,6 @@
namespace {
const int kNoNetworkRetrySeconds = 10;
-const char kCACertificatesPath[] = "/usr/share/chromeos-ca-certificates";
} // namespace
LibcurlHttpFetcher::~LibcurlHttpFetcher() {
@@ -212,7 +212,8 @@
LOG(INFO) << "Setting up curl options for HTTPS";
CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYPEER, 1),
CURLE_OK);
- CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_CAPATH, kCACertificatesPath),
+ CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_CAPATH,
+ constants::kCACertificatesPath),
CURLE_OK);
CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS),
CURLE_OK);
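Review bot: The CURLOPT_CAPATH call now takes the trust-anchor directory from the platform constants, and on Brillo that is the whole system CA store rather than an update_engine-specific bundle; the commit description says this is only a starting point, so that intent should be recorded at the call site rather than only in the commit, e.g. `// TODO(b/25089263): Brillo currently trusts the full system CA store; narrow to the update_engine subset.` CURLOPT_CAPATH is also only honoured by OpenSSL-compatible TLS backends and expects a c_rehash-style directory of hash-named certificate files, so the new per-platform values in platform_constants_android.cc and platform_constants_chromeos.cc need to satisfy that layout; the hunk does not show whether they do. The enclosing function starts and ends outside this hunk.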
diff --git a/platform_constants.h b/platform_constants.h
index 189d134..310eed9 100644
--- a/platform_constants.h
+++ b/platform_constants.h
@@ -38,6 +38,11 @@
// whole payload.
extern const char kUpdatePayloadPublicKeyPath[];
+// Path to the directory containing all the SSL certificates accepted by
+// update_engine when sending requests to Omaha and the download server (if
+// HTTPS is used for that as well).
+extern const char kCACertificatesPath[];
+
// Path to the file used to notify chrome about the deadline of the last omaha
// response. Empty if not supported.
extern const char kOmahaResponseDeadlineFile[];
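Review bot: The new comment on kCACertificatesPath describes the directory as holding "SSL certificates accepted by update_engine", but the value is passed to CURLOPT_CAPATH, so it is a directory of trusted CA (root) certificates, not of server certificates, and curl requires it to be in OpenSSL's hashed c_rehash layout. A platform porter reading only this header would not learn that constraint; suggest rewording to `// Path to the directory of trusted CA certificates (OpenSSL c_rehash layout, as required by CURLOPT_CAPATH) used by update_engine for HTTPS requests to Omaha and the download server.`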
diff --git a/platform_constants_android.cc b/platform_constants_android.cc
index b6ee29f..02889eb 100644
--- a/platform_constants_android.cc
+++ b/platform_constants_android.cc
@@ -27,6 +27,7 @@
const char kOmahaPlatformName[] = "Brillo";
const char kUpdatePayloadPublicKeyPath[] =
"/etc/update_engine/update-payload-key.pub.pem";
+const char kCACertificatesPath[] = "/system/etc/security/cacerts";
// No deadline file API support on Android.
const char kOmahaResponseDeadlineFile[] = "";
diff --git a/platform_constants_chromeos.cc b/platform_constants_chromeos.cc
index d7aeca5..fe67002 100644
--- a/platform_constants_chromeos.cc
+++ b/platform_constants_chromeos.cc
@@ -27,6 +27,7 @@
const char kOmahaPlatformName[] = "Chrome OS";
const char kUpdatePayloadPublicKeyPath[] =
"/usr/share/update_engine/update-payload-key.pub.pem";
+const char kCACertificatesPath[] = "/usr/share/chromeos-ca-certificates";
const char kOmahaResponseDeadlineFile[] =
"/tmp/update-check-response-deadline";