From 5d161f701c15d91ff8dedeece442267f547eb04e Mon Sep 17 00:00:00 2001
From: Stepan Henek <stepan.henek@nic.cz>
Date: Mon, 12 Dec 2016 09:38:37 +0100
Subject: [PATCH 1/2] download: certificate pinning update

---
 firewall-turris-download.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/firewall-turris-download.sh b/firewall-turris-download.sh
index 1373f85..d591d37 100755
--- a/firewall-turris-download.sh
+++ b/firewall-turris-download.sh
@@ -96,6 +96,7 @@ TEST_IPSETS_SIGN_URL="${TEST_IPSETS_URL}.sign"
 
 CRL_FILE_PERSISTENT="/etc/ssl/crl.pem"
 CRL_FILE_TEMPORAL="/tmp/crl.pem"
+CACERT_FILE="/etc/ssl/turris.pem"
 
 BIN_DIR="/usr/share/firewall"
 
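Review bot: CACERT_FILE on line 18 is introduced without a comment saying what /etc/ssl/turris.pem is expected to hold or who keeps it current, whereas the path it replaces was a well-known public CA bundle. A one-line comment above it would help the next maintainer, e.g. `# Trust anchor for api.turris.cz downloads; curl refuses the connection if this file is missing or the server does not verify against it`. If the file holds a CA certificate rather than the server's own certificate, this is a trust-anchor restriction rather than the leaf-certificate pinning the subject line suggests, and the comment should say which one it is.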
@@ -130,7 +131,7 @@ download() {
         url="$master_url"
     fi
 
-    curl -fs --cacert /etc/ssl/startcom.pem --crlfile "${CRL_FILE}" "${url}" -o "${destination}"
+    curl -fs --cacert ${CACERT_FILE} --crlfile "${CRL_FILE}" "${url}" -o "${destination}"
     if [ $? -eq 0 ]; then
         return 0
     else
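Review bot: The new curl line at 27 expands `${CACERT_FILE}` unquoted while `${CRL_FILE}` and `${url}` on the same line are quoted; the value is a fixed constant today, so it works, but it is inconsistent and would word-split or glob if the path ever came from configuration. Quote it for consistency: `curl -fs --cacert "${CACERT_FILE}" --crlfile "${CRL_FILE}" "${url}" -o "${destination}"`. The same unquoted expansion appears in the third hunk, on the `${TEST_SIGN_KEY_URL}` download at line 36. download() starts and ends outside this hunk.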
@@ -236,7 +237,7 @@ mkdir -p "${DOWNLOAD_DIR}"
 
 if test_branch ; then
     if [ ! -f "${TEST_SIGN_KEY}" ] ; then
-        curl -fs --cacert /etc/ssl/startcom.pem --crlfile "${CRL_FILE}" "${TEST_SIGN_KEY_URL}" -o "${TEST_SIGN_KEY}"
+        curl -fs --cacert ${CACERT_FILE} --crlfile "${CRL_FILE}" "${TEST_SIGN_KEY_URL}" -o "${TEST_SIGN_KEY}"
     fi
     test="true"
 else
-- 
GitLab


From 485034184c10cfba1dbbecd3fa5654439e8a7610 Mon Sep 17 00:00:00 2001
From: Stepan Henek <stepan.henek@nic.cz>
Date: Tue, 13 Dec 2016 16:51:23 +0100
Subject: [PATCH 2/2] download: crl cleanup

---
 firewall-turris-download.sh | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/firewall-turris-download.sh b/firewall-turris-download.sh
index d591d37..d0d3f0b 100755
--- a/firewall-turris-download.sh
+++ b/firewall-turris-download.sh
@@ -94,19 +94,11 @@ TEST_SIGN_KEY_URL="https://api.turris.cz/firewall-test/turris-rules.pub"
 TEST_IPSETS_URL="https://api.turris.cz/firewall-test/turris-ipsets.gz"
 TEST_IPSETS_SIGN_URL="${TEST_IPSETS_URL}.sign"
 
-CRL_FILE_PERSISTENT="/etc/ssl/crl.pem"
-CRL_FILE_TEMPORAL="/tmp/crl.pem"
+CRL_FILE="/etc/ssl/crl.pem"
 CACERT_FILE="/etc/ssl/turris.pem"
 
 BIN_DIR="/usr/share/firewall"
 
-# Temporal crl file should be up-to date
-if [ -f "${CRL_FILE_TEMPORAL}" ]; then
-    CRL_FILE="${CRL_FILE_TEMPORAL}"
-else
-    CRL_FILE="${CRL_FILE_PERSISTENT}"
-fi
-
 # Return md5 of a file the file should exist
 file_md5() {
     local file="$1"
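Review bot: Dropping the /tmp/crl.pem preference leaves CRL_FILE fixed to /etc/ssl/crl.pem, and nothing in this patch shows how that file is refreshed; if no other mechanism rewrites it, revocation checks run against a CRL as old as the installed image, which is what the removed temporal-file logic appears to have addressed. The commit message says only "crl cleanup", so a short comment above line 63 stating where the CRL comes from and how often it is updated would make the trade-off explicit, e.g. `# CRL passed to curl --crlfile; kept current by <updater — TODO name it>`. curl presumably fails the download when this file is unreadable, so whatever maintains it must never leave it absent. The removed if-block ran at top level; file_md5 starting at line 76 continues outside the hunk.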
-- 
GitLab