Restrict update_engine SSL certs.
update_engine connects over SSL only to Google servers, so we
restrict the set of trusted SSL certificates to the smaller list
used by Google.
Bug: 25089263
Test: mma
Change-Id: I73dbbd18dd99a61fa3bd66dbb57d0ff1ab78160d
diff --git a/Android.mk b/Android.mk
index 936feba..6270772 100644
--- a/Android.mk
+++ b/Android.mk
@@ -314,7 +314,8 @@
LOCAL_MODULE := update_engine
LOCAL_MODULE_CLASS := EXECUTABLES
LOCAL_REQUIRED_MODULES := \
- bspatch
+ bspatch \
+ cacerts_google
LOCAL_CPP_EXTENSION := .cc
LOCAL_CLANG := true
LOCAL_CFLAGS := $(ue_common_cflags)
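Review bot: Nothing in this hunk ties the new `cacerts_google` entry to the path that the code reads at runtime, so renaming the module or changing its install location would leave `update_engine` pointing at a missing trust store. A comment above `LOCAL_REQUIRED_MODULES` would record the coupling, for example `# cacerts_google installs the CA directory named by kCACertificatesPath.` The requirement is also declared only for the `update_engine` executable. If any other module in this Android.mk makes HTTPS connections through the same constant, it would need the same entry, but that cannot be confirmed from this hunk.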
diff --git a/common/platform_constants_android.cc b/common/platform_constants_android.cc
index f35d7ef..4f55106 100644
--- a/common/platform_constants_android.cc
+++ b/common/platform_constants_android.cc
@@ -27,7 +27,7 @@
const char kOmahaPlatformName[] = "Brillo";
const char kUpdatePayloadPublicKeyPath[] =
"/etc/update_engine/update-payload-key.pub.pem";
-const char kCACertificatesPath[] = "/system/etc/security/cacerts";
+const char kCACertificatesPath[] = "/system/etc/security/cacerts_google";
// No deadline file API support on Android.
const char kOmahaResponseDeadlineFile[] = "";
const char kNonVolatileDirectory[] = "/data/misc/update_engine";
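Review bot: `kCACertificatesPath` now narrows which TLS roots update_engine trusts, but the constant has no comment saying this is deliberate, so a later cleanup could revert it to the system-wide store. Consider adding `// Restricted trust store (Google roots only), installed by the cacerts_google module; do not widen to the system cacerts.` above the definition. The code that consumes this path is outside the hunk. It is worth confirming that a missing or empty directory makes the connection fail, and does not fall back to a default CA bundle. Any deployment that points the updater at a server whose certificate does not chain to these roots will stop connecting, which may deserve a line in the commit description.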