diff mbox

[v3] ca-certificates: new package

Message ID 1389368384-1332-1-git-send-email-martin@barkynet.com
State Accepted
Headers show

Commit Message

Martin Bark Jan. 10, 2014, 3:39 p.m. UTC 
CA certificates used for SSL based applications.  The package installs CA
certificates to /usr/share/ca-certificates and creates symbolic links under
/etc/ssl/certs.  For example, the existing libcurl package will use these
certificates for https urls.  Based on the debian ca-certifcates package.

Signed-off-by: Martin Bark <martin@barkynet.com>
---
Changes v2 -> v3
    - Fixed missing tabs (suggested by Thomas Petazzoni)
    - Added upstream url to Config.in (suggested by Thomas Petazzoni)
    - Changed CA_CERTIFICATES_SITE to use snapshot.debian.org (suggested by Thomas Petazzoni)
    - Changed PATH=$(HOST_PATH) to $(TARGET_MAKE_ENV) in build cmd (suggested by Thomas Petazzoni)
    - Removed parenthesis and fixed use of basename in install cmd (suggested by Yann E. MORIN)

Changes v1 -> v2
    - Change CA_CERTIFICATES_SITE to use $(BR2_DEBIAN_MIRROR) (suggested by Baruch Siach)
    - Clarify license usage in CA_CERTIFICATES_LICENSE (suggested by Baruch Siach)
---
 package/Config.in                          |    1 +
 package/ca-certificates/Config.in          |   11 +++++++++
 package/ca-certificates/ca-certificates.mk |   37 ++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+)
 create mode 100644 package/ca-certificates/Config.in
 create mode 100644 package/ca-certificates/ca-certificates.mk

Comments

Yann E. MORIN Jan. 11, 2014, 11:48 p.m. UTC | #1 
Martin, All,

On 2014-01-10 15:39 +0000, Martin Bark spake thusly:
[--SNIP--]
> diff --git a/package/ca-certificates/ca-certificates.mk b/package/ca-certificates/ca-certificates.mk
> new file mode 100644
> index 0000000..37ed746
> --- /dev/null
> +++ b/package/ca-certificates/ca-certificates.mk
> @@ -0,0 +1,37 @@
> +################################################################################
> +#
> +# ca-certificates
> +#
> +################################################################################
> +
> +CA_CERTIFICATES_VERSION = 20130906
> +CA_CERTIFICATES_SOURCE = ca-certificates_$(CA_CERTIFICATES_VERSION).tar.gz
> +CA_CERTIFICATES_SITE = http://snapshot.debian.org/archive/debian/20130907T154615Z/pool/main/c/ca-certificates

It's a pity we can't get that from a trusted channel (ie. https instead
of plain http). Sigh... :-(

I know we do not do that for the other packages, but I'd like that we
check the authenticity of that specific one. There's no point in adding
a security-related package that we can validate in the first place.

I'd suggest we do that with a _POST_DOWNLOAD_HOOKS, something like:

CA_CERTIFICATES_CHECKSUM = SHA1-hash
define CA_CERTIFICATES_VERIFY_CHECKSUM
    hash=$$( sha1sum $(DL_DIR)/$(CA_CERTIFICATES_SOURCE) |cut -d ' ' -f 1 )
    if [ ! $${hash} = $(CA_CERTIFICATES_CHECKSUM) ]; then
        printf "ERROR: $(CA_CERTIFICATES_SOURCE) has wrong SHA1\n"
        printf "ERROR: Maybe the download was MITMed\n"
        exit 1
    fi
endef
CA_CERTIFICATES_POST_DOWNLOAD_HOOKS += CA_CERTIFICATES_VERIFY_CHECKSUM

I don't know what others think of it. Peter, Thomas, others?

> +define CA_CERTIFICATES_INSTALL_TARGET_CMDS
> +   $(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/share/ca-certificates
> +   $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs
> +   $(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
> +   rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates
> +
> +   #remove any existing certificates under /etc/ssl/certs

Usually, we add a space after the sharp symbol, and we start comments
with an uppercase letter, as for all sentences:
    # Remove any existing certificates under /etc/ssl/certs

> +   rm -f  $(TARGET_DIR)/etc/ssl/certs/*

[--SNIP--]
> +	#create symlinks to certificates under /etc/ssl/certs

Comment: ditto.

> +	cd $(TARGET_DIR) ;\
> +	for i in `find usr/share/ca-certificates -name "*.crt"` ; do \
> +		ln -sf ../../../$$i etc/ssl/certs/`basename $${i} .crt`.pem ;\
> +	done ;\

That last trailing  ';\' is unneeded. It works because you have a empty
line below.

> +	#create symlinks to the certificates by their hash values

Comment: ditto.

Regards,
Yann E. MORIN.
Peter Korsgaard Jan. 12, 2014, 8:38 a.m. UTC | #2 
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

Hi,

 > It's a pity we can't get that from a trusted channel (ie. https instead
 > of plain http). Sigh... :-(

 > I know we do not do that for the other packages, but I'd like that we
 > check the authenticity of that specific one. There's no point in adding
 > a security-related package that we can validate in the first place.

 > I'd suggest we do that with a _POST_DOWNLOAD_HOOKS, something like:

 > CA_CERTIFICATES_CHECKSUM = SHA1-hash
 > define CA_CERTIFICATES_VERIFY_CHECKSUM
 >     hash=$$( sha1sum $(DL_DIR)/$(CA_CERTIFICATES_SOURCE) |cut -d ' ' -f 1 )
 >     if [ ! $${hash} = $(CA_CERTIFICATES_CHECKSUM) ]; then
 >         printf "ERROR: $(CA_CERTIFICATES_SOURCE) has wrong SHA1\n"
 >         printf "ERROR: Maybe the download was MITMed\n"
 >         exit 1
 >     fi
 > endef
 > CA_CERTIFICATES_POST_DOWNLOAD_HOOKS += CA_CERTIFICATES_VERIFY_CHECKSUM

 > I don't know what others think of it. Peter, Thomas, others?

If we want to do something like this, then I would much prefer to move
it into the package infrastructure and do it for all packages (but not
require it, similar to how we're progressively adding licensing info to
packages).
Yann E. MORIN Jan. 12, 2014, 11:27 a.m. UTC | #3 
Peter, All,

On 2014-01-12 09:38 +0100, Peter Korsgaard spake thusly:
> >>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
>  > It's a pity we can't get that from a trusted channel (ie. https instead
>  > of plain http). Sigh... :-(
> 
>  > I know we do not do that for the other packages, but I'd like that we
>  > check the authenticity of that specific one. There's no point in adding
>  > a security-related package that we can validate in the first place.
> 
>  > I'd suggest we do that with a _POST_DOWNLOAD_HOOKS, something like:
> 
>  > CA_CERTIFICATES_CHECKSUM = SHA1-hash
>  > define CA_CERTIFICATES_VERIFY_CHECKSUM
>  >     hash=$$( sha1sum $(DL_DIR)/$(CA_CERTIFICATES_SOURCE) |cut -d ' ' -f 1 )
>  >     if [ ! $${hash} = $(CA_CERTIFICATES_CHECKSUM) ]; then
>  >         printf "ERROR: $(CA_CERTIFICATES_SOURCE) has wrong SHA1\n"
>  >         printf "ERROR: Maybe the download was MITMed\n"
>  >         exit 1
>  >     fi
>  > endef
>  > CA_CERTIFICATES_POST_DOWNLOAD_HOOKS += CA_CERTIFICATES_VERIFY_CHECKSUM
> 
>  > I don't know what others think of it. Peter, Thomas, others?
> 
> If we want to do something like this, then I would much prefer to move
> it into the package infrastructure and do it for all packages (but not
> require it, similar to how we're progressively adding licensing info to
> packages).

Eh! I knew you'd say that! :-)

I guess there's no point in adding such a check for git, svn and all
other VCSes. Only 'static' content wouls be elligible to being checked.

Regards,
Yann E. MORIN.
Peter Korsgaard Jan. 12, 2014, 6:23 p.m. UTC | #4 
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

Hi,

 >> If we want to do something like this, then I would much prefer to move
 >> it into the package infrastructure and do it for all packages (but not
 >> require it, similar to how we're progressively adding licensing info to
 >> packages).

 > Eh! I knew you'd say that! :-)

;)

 > I guess there's no point in adding such a check for git, svn and all
 > other VCSes. Only 'static' content wouls be elligible to being checked.

Why not? I know git gives you strong integrity guarantees (if you use
the sha1 atleast), but E.G. svn doesn't.
Yann E. MORIN Jan. 12, 2014, 6:34 p.m. UTC | #5 
Peter, All,

On 2014-01-12 19:23 +0100, Peter Korsgaard spake thusly:
> >>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
>  > I guess there's no point in adding such a check for git, svn and all
>  > other VCSes. Only 'static' content wouls be elligible to being checked.
> 
> Why not? I know git gives you strong integrity guarantees (if you use
> the sha1 atleast), but E.G. svn doesn't.

Because we can't guarantee the reproducibility of an archive generated
by git archive, since at least the file's date may change, end up in the
tarball, and thus generate a different hash, even if the 'content' of
the archive is the same. Also, a different git version may re-order the
files, or whatever.

For a VCS, maybe the list of files and their respective contents are OK,
but we can't say anything about the generated archive.

Regards,
Yann E. MORIN.
Peter Korsgaard Jan. 12, 2014, 7:19 p.m. UTC | #6 
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

Hi,

 >> > I guess there's no point in adding such a check for git, svn and all
 >> > other VCSes. Only 'static' content wouls be elligible to being checked.
 >> 
 >> Why not? I know git gives you strong integrity guarantees (if you use
 >> the sha1 atleast), but E.G. svn doesn't.

 > Because we can't guarantee the reproducibility of an archive generated
 > by git archive, since at least the file's date may change, end up in the
 > tarball, and thus generate a different hash, even if the 'content' of
 > the archive is the same. Also, a different git version may re-order the
 > files, or whatever.

Ahh, yes.

 > For a VCS, maybe the list of files and their respective contents are OK,
 > but we can't say anything about the generated archive.

True. If we implement it like _LICENSE, we can probably just not add
those tags for packages using git/hg/svn/..
Peter Korsgaard Jan. 12, 2014, 8:09 p.m. UTC | #7 
>>>>> "Martin" == Martin Bark <martin@barkynet.com> writes:

 > CA certificates used for SSL based applications.  The package installs CA
 > certificates to /usr/share/ca-certificates and creates symbolic links under
 > /etc/ssl/certs.  For example, the existing libcurl package will use these
 > certificates for https urls.  Based on the debian ca-certifcates package.

 > Signed-off-by: Martin Bark <martin@barkynet.com>

Committed with Yann's comment taken into account, thanks.
Yann E. MORIN Jan. 12, 2014, 8:09 p.m. UTC | #8 
Peter, All,

On 2014-01-12 20:19 +0100, Peter Korsgaard spake thusly:
> >>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
>  >> > I guess there's no point in adding such a check for git, svn and all
[--SNIP--]
>  > For a VCS, maybe the list of files and their respective contents are OK,
>  > but we can't say anything about the generated archive.
> 
> True. If we implement it like _LICENSE, we can probably just not add
> those tags for packages using git/hg/svn/..

I've already started implementing that, and it looks like we have a
problem.

The problem is that some packages have more than one download:
  - the tarball itself
  - optional patches, by way of PKG_PATCH
  - additional files, by way of PKG_EXTRA_DOWNLOADS

So, if we want to implement it at all, we have to provide the check for
those other downloads too. And a variable is not enough.

Another solution would be to annotate each file with its hash, someting
like:
    foo-1.2.3.patch:ABCDEF1234567890 bla.patch:ABCDEF1234567890 \
    file.bin:ABCDEF1234567890

This is ugly, and very convenient either.

An third alternative is to add a package/pkg/pkg.hash file, which
contains the list of files, and their hashes; in fact, the output of the
hash util we'd use:
    ABCDEF1234567890  foo-1.2.3.patch
    ABCDEF1234567890  bla.patch
    ABCDEF1234567890  file.bin

So, it indeed adds a third file to the existing pkg.mk and Config.in,
but it looks like it is the cleanest solution to me, and the one I've
started implementing.

Also, we'd have to settle for a hash function. md5 is outdated and
subject to attacks; sha1 is still current, but there are known potential
attacks; sha2/256 is still very strong for the foreseeable future;
sha2/512 seems like a bit overkill, although the time to hash is not
very different between sha2/256 and sha2/512.

This can be very easily changed, so I've settled for sha2/256 for now.

Regards,
Yann E. MORIN.
Peter Korsgaard Jan. 12, 2014, 8:32 p.m. UTC | #9 
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

Hi,

 > An third alternative is to add a package/pkg/pkg.hash file, which
 > contains the list of files, and their hashes; in fact, the output of the
 > hash util we'd use:
 >     ABCDEF1234567890  foo-1.2.3.patch
 >     ABCDEF1234567890  bla.patch
 >     ABCDEF1234567890  file.bin

That sounds good to me, and is easy to handle. Another alternative would
be to make <pkg>_CHECKSUM a list of hashes, in the same order as the
files are handled (_SOURCE, _EXTRA_DOWNLOADS, _PATCH).


 > Also, we'd have to settle for a hash function. md5 is outdated and
 > subject to attacks; sha1 is still current, but there are known potential
 > attacks; sha2/256 is still very strong for the foreseeable future;
 > sha2/512 seems like a bit overkill, although the time to hash is not
 > very different between sha2/256 and sha2/512.

 > This can be very easily changed, so I've settled for sha2/256 for now.

Next to their strength is also the issue about how likely it is that
those tools are available on the build host. As we would like to check
the hash before downloading, it wouldn't work very well if we needed to
build a host-sha2 or similar.

I don't know what's available on E.G. RHEL, but perhaps sha1 is a safer
bet?
Martin Bark Jan. 12, 2014, 8:39 p.m. UTC | #10 
Woo hoo, my first contribution to buildroot.

Thanks Peter.  I was just about to send a v4 patch so you saved me a job :)


On 12/01/14 20:09, Peter Korsgaard wrote:
>>>>>> "Martin" == Martin Bark <martin@barkynet.com> writes:
>
>   > CA certificates used for SSL based applications.  The package installs CA
>   > certificates to /usr/share/ca-certificates and creates symbolic links under
>   > /etc/ssl/certs.  For example, the existing libcurl package will use these
>   > certificates for https urls.  Based on the debian ca-certifcates package.
>
>   > Signed-off-by: Martin Bark <martin@barkynet.com>
>
> Committed with Yann's comment taken into account, thanks.
>
Yann E. MORIN Jan. 12, 2014, 9:01 p.m. UTC | #11 
Peter, All,

On 2014-01-12 21:32 +0100, Peter Korsgaard spake thusly:
> >>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
>  > An third alternative is to add a package/pkg/pkg.hash file, which
>  > contains the list of files, and their hashes; in fact, the output of the
>  > hash util we'd use:
>  >     ABCDEF1234567890  foo-1.2.3.patch
>  >     ABCDEF1234567890  bla.patch
>  >     ABCDEF1234567890  file.bin
> 
> That sounds good to me, and is easy to handle. Another alternative would
> be to make <pkg>_CHECKSUM a list of hashes, in the same order as the
> files are handled (_SOURCE, _EXTRA_DOWNLOADS, _PATCH).

And how do you suggest we correlate the hash from that list to the file
we're actually just downloaded?

The tarball is in one variable, the patches in a second, and the extra
files in a third.

We'd have to look in each of those variables to find the file, and
derive an offset in the list form that, and then extract the n-th
element of that list.

I guess this is not so easy as you think it is. ;-)

>  > Also, we'd have to settle for a hash function.
[--SNIP--]
> Next to their strength is also the issue about how likely it is that
> those tools are available on the build host.

Right, those pesky companies using "Enterprise Editions" and then stuck
back in the 20th century... ;-]

sha1 shall it be, then. ;-)

(Note: sha2 was added to coreutils seven years ago, 2005-10-23)

Regards,
Yann E. MORIN.
Peter Korsgaard Jan. 12, 2014, 9:08 p.m. UTC | #12 
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

Hi,

 > And how do you suggest we correlate the hash from that list to the file
 > we're actually just downloaded?

 > The tarball is in one variable, the patches in a second, and the extra
 > files in a third.

 > We'd have to look in each of those variables to find the file, and
 > derive an offset in the list form that, and then extract the n-th
 > element of that list.

 > I guess this is not so easy as you think it is. ;-)

I guess not ;) As I said, a seperate <pkg>.hash is OK as well.


 >> > Also, we'd have to settle for a hash function.
 > [--SNIP--]
 >> Next to their strength is also the issue about how likely it is that
 >> those tools are available on the build host.

 > Right, those pesky companies using "Enterprise Editions" and then stuck
 > back in the 20th century... ;-]

Indeed.

 > sha1 shall it be, then. ;-)

 > (Note: sha2 was added to coreutils seven years ago, 2005-10-23)

Ahh, ok - I didn't realize it was that old.

From a quick look, it seems like it's even present in RHEL5, which is
probably as old as we can sanely support (are people really still using
RHEL4 for development?):

http://rpmfind.net//linux/RPM/centos/5.10/i386/CentOS/coreutils-5.97-34.el5_8.1.i386.html
Bernd Kuhls Jan. 12, 2014, 9:21 p.m. UTC | #13 
"Yann E. MORIN" <yann.morin.1998@free.fr> wrote in
news:20140112200937.GC3374@free.fr: 

> An third alternative is to add a package/pkg/pkg.hash file, which
> contains the list of files, and their hashes; in fact, the output of the
> hash util we'd use:
>     ABCDEF1234567890  foo-1.2.3.patch
>     ABCDEF1234567890  bla.patch
>     ABCDEF1234567890  file.bin

Hi,

FYI: the Gentoo project stores file hashes like this:

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-misc/ca-
certificates/Manifest?view=markup

Regards, Bernd
Yann E. MORIN Jan. 12, 2014, 9:38 p.m. UTC | #14 
Bernd, All,

On 2014-01-12 22:21 +0100, Bernd Kuhls spake thusly:
> "Yann E. MORIN" <yann.morin.1998@free.fr> wrote in
> news:20140112200937.GC3374@free.fr: 
> 
> > An third alternative is to add a package/pkg/pkg.hash file, which
> > contains the list of files, and their hashes; in fact, the output of the
> > hash util we'd use:
> >     ABCDEF1234567890  foo-1.2.3.patch
> >     ABCDEF1234567890  bla.patch
> >     ABCDEF1234567890  file.bin
> FYI: the Gentoo project stores file hashes like this:
> 
> http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-misc/ca-
> certificates/Manifest?view=markup

Woah... That's much too complex for what we need...

Regards,
Yann E. MORIN.
Arnout Vandecappelle Jan. 14, 2014, 7:13 a.m. UTC | #15 
On 12/01/14 19:34, Yann E. MORIN wrote:
> Peter, All,
>
> On 2014-01-12 19:23 +0100, Peter Korsgaard spake thusly:
>>>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
>>   > I guess there's no point in adding such a check for git, svn and all
>>   > other VCSes. Only 'static' content wouls be elligible to being checked.
>>
>> Why not? I know git gives you strong integrity guarantees (if you use
>> the sha1 atleast), but E.G. svn doesn't.
>
> Because we can't guarantee the reproducibility of an archive generated
> by git archive, since at least the file's date may change, end up in the
> tarball, and thus generate a different hash, even if the 'content' of
> the archive is the same. Also, a different git version may re-order the
> files, or whatever.
>
> For a VCS, maybe the list of files and their respective contents are OK,
> but we can't say anything about the generated archive.

  FWIW, there exists a tool for SPDX that does exactly this: hash all 
files in an archive, ignoring their order and timestamp but making sure 
there are no more and no less files than required.

  But of course, that tool would have to be built as a host-tool because 
it isn't installed on any build machine. And I'm not even sure if the 
tool really exists or is just something that needs to be implemented for 
SPDX.

  Regards,
  Arnout
diff mbox

Patch

diff --git a/package/Config.in b/package/Config.in
index 38db5de..f9739ba 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -471,6 +471,7 @@  endmenu
 
 menu "Crypto"
 source "package/beecrypt/Config.in"
+source "package/ca-certificates/Config.in"
 source "package/cryptodev/Config.in"
 source "package/gnutls/Config.in"
 source "package/libassuan/Config.in"
diff --git a/package/ca-certificates/Config.in b/package/ca-certificates/Config.in
new file mode 100644
index 0000000..a278a62
--- /dev/null
+++ b/package/ca-certificates/Config.in
@@ -0,0 +1,11 @@ 
+config BR2_PACKAGE_CA_CERTIFICATES
+	bool "CA Certificates"
+	help
+	  This package includes PEM files of CA certificates to allow
+	  SSL-based applications to check for the authenticity of SSL
+	  connections.
+
+	  It includes, among others, certificate authorities used by the
+	  Debian infrastructure and those shipped with Mozilla's browsers.
+
+	  http://anonscm.debian.org/gitweb/?p=collab-maint/ca-certificates.git
diff --git a/package/ca-certificates/ca-certificates.mk b/package/ca-certificates/ca-certificates.mk
new file mode 100644
index 0000000..37ed746
--- /dev/null
+++ b/package/ca-certificates/ca-certificates.mk
@@ -0,0 +1,37 @@ 
+################################################################################
+#
+# ca-certificates
+#
+################################################################################
+
+CA_CERTIFICATES_VERSION = 20130906
+CA_CERTIFICATES_SOURCE = ca-certificates_$(CA_CERTIFICATES_VERSION).tar.gz
+CA_CERTIFICATES_SITE = http://snapshot.debian.org/archive/debian/20130907T154615Z/pool/main/c/ca-certificates
+CA_CERTIFICATES_DEPENDENCIES = host-openssl host-python
+CA_CERTIFICATES_LICENSE = GPLv2+ (script), MPLv2.0 (data)
+CA_CERTIFICATES_LICENSE_FILES = debian/copyright
+
+define CA_CERTIFICATES_BUILD_CMDS
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) all
+endef
+
+define CA_CERTIFICATES_INSTALL_TARGET_CMDS
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/share/ca-certificates
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs
+	$(MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
+	rm -f $(TARGET_DIR)/usr/sbin/update-ca-certificates
+
+	#remove any existing certificates under /etc/ssl/certs
+	rm -f  $(TARGET_DIR)/etc/ssl/certs/*
+
+	#create symlinks to certificates under /etc/ssl/certs
+	cd $(TARGET_DIR) ;\
+	for i in `find usr/share/ca-certificates -name "*.crt"` ; do \
+		ln -sf ../../../$$i etc/ssl/certs/`basename $${i} .crt`.pem ;\
+	done ;\
+
+	#create symlinks to the certificates by their hash values
+	$(HOST_DIR)/usr/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
+endef
+
+$(eval $(generic-package))