commit 35b3584ab4041aa32e1d049bd6ddff5941b03df2
author Alex Deymo <deymo@google.com> Tue Oct 20 11:21:56 2015 -0700
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Oct 20 20:52:03 2015 +0000
tree 3c5a3a2ba44af82cf0ba6b86089bcce5706db3ed
parent 6eddf26ce30989c0f4812b3b9de17760a40fdea7

Use CA certificates from standard location in Brillo.

Brillo images have all the CA certificates for the whole system in
/system/etc/security/cacerts. For update_engine, we would like to
accept only a sub-set of those, but we will start by accepting all
the installed certs.

Bug: 25089263
Test: `mm`, deployed on a -userdebug build and updated

Change-Id: Ib05e6ea1c5efb98a6320ce6288842e2277f67b1f

libcurl_http_fetcher.cc

diff --git a/libcurl_http_fetcher.cc b/libcurl_http_fetcher.cc
index 8a3fd3b..5253214 100644
--- a/libcurl_http_fetcher.cc
+++ b/libcurl_http_fetcher.cc
@@ -28,6 +28,7 @@
 
 #include "update_engine/certificate_checker.h"
 #include "update_engine/hardware_interface.h"
+#include "update_engine/platform_constants.h"
 
 using base::TimeDelta;
 using brillo::MessageLoop;
@@ -41,7 +42,6 @@
 
 namespace {
 const int kNoNetworkRetrySeconds = 10;
-const char kCACertificatesPath[] = "/usr/share/chromeos-ca-certificates";
 }  // namespace
 
 LibcurlHttpFetcher::~LibcurlHttpFetcher() {
@@ -212,7 +212,8 @@
   LOG(INFO) << "Setting up curl options for HTTPS";
   CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_SSL_VERIFYPEER, 1),
            CURLE_OK);
-  CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_CAPATH, kCACertificatesPath),
+  CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_CAPATH,
+                            constants::kCACertificatesPath),
            CURLE_OK);
   CHECK_EQ(curl_easy_setopt(curl_handle_, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS),
            CURLE_OK);

platform_constants.h

diff --git a/platform_constants.h b/platform_constants.h
index 189d134..310eed9 100644
--- a/platform_constants.h
+++ b/platform_constants.h
@@ -38,6 +38,11 @@
 // whole payload.
 extern const char kUpdatePayloadPublicKeyPath[];
 
+// Path to the directory containing all the SSL certificates accepted by
+// update_engine when sending requests to Omaha and the download server (if
+// HTTPS is used for that as well).
+extern const char kCACertificatesPath[];
+
 // Path to the file used to notify chrome about the deadline of the last omaha
 // response. Empty if not supported.
 extern const char kOmahaResponseDeadlineFile[];

platform_constants_android.cc

diff --git a/platform_constants_android.cc b/platform_constants_android.cc
index b6ee29f..02889eb 100644
--- a/platform_constants_android.cc
+++ b/platform_constants_android.cc
@@ -27,6 +27,7 @@
 const char kOmahaPlatformName[] = "Brillo";
 const char kUpdatePayloadPublicKeyPath[] =
     "/etc/update_engine/update-payload-key.pub.pem";
+const char kCACertificatesPath[] = "/system/etc/security/cacerts";
 // No deadline file API support on Android.
 const char kOmahaResponseDeadlineFile[] = "";
 

platform_constants_chromeos.cc

diff --git a/platform_constants_chromeos.cc b/platform_constants_chromeos.cc
index d7aeca5..fe67002 100644
--- a/platform_constants_chromeos.cc
+++ b/platform_constants_chromeos.cc
@@ -27,6 +27,7 @@
 const char kOmahaPlatformName[] = "Chrome OS";
 const char kUpdatePayloadPublicKeyPath[] =
     "/usr/share/update_engine/update-payload-key.pub.pem";
+const char kCACertificatesPath[] = "/usr/share/chromeos-ca-certificates";
 const char kOmahaResponseDeadlineFile[] =
     "/tmp/update-check-response-deadline";