From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mail.kamstrup.com ([93.167.225.188]) by metis.ext.pengutronix.de with esmtp (Exim 4.72) (envelope-from ) id 1XycGD-0001J9-Iq for ptxdist@pengutronix.de; Wed, 10 Dec 2014 09:04:38 +0100 From: Bruno Thomsen Date: Wed, 10 Dec 2014 09:04:23 +0100 Message-ID: <1418198663-9539-1-git-send-email-bth@kamstrup.dk> MIME-Version: 1.0 Subject: [ptxdist] [PATCH] curl: install root CA certificates option Reply-To: ptxdist@pengutronix.de List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: ptxdist-bounces@pengutronix.de Errors-To: ptxdist-bounces@pengutronix.de To: ptxdist@pengutronix.de Cc: bth@kamstrup.dk Install a bundle of X.509 certificates of public Certificate Authorities (CA) in PEM format. The bundle is automatically extracted from one of Mozilla's development channels/trees. Test case 1: openssl s_client -connect www.google.com:443 -CAfile /usr/share/ca-certificates/curl/ca-bundle.crt Result: Verify return code: 0 (ok) Test case 2: openssl s_client -connect www.google.com:443 Result: Verify return code: 20 (unable to get local issuer certificate) Test case 3: curl https://www.google.com Result: ... Test case 4: rm /usr/share/ca-certificates/curl/ca-bundle.crt curl https://www.google.com Result: curl: (77) error setting certificate verify locations: CAfile: /usr/share/ca-certificates/curl/ca-bundle.crt CApath: none Signed-off-by: Bruno Thomsen --- rules/libcurl.in | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ rules/libcurl.make | 40 +++++++++++++++++++++++++++++++++++++- 2 files changed, 96 insertions(+), 1 deletion(-) diff --git a/rules/libcurl.in b/rules/libcurl.in index 0ad7fb4..e5f25f8 100644 --- a/rules/libcurl.in +++ b/rules/libcurl.in 
@@ -20,6 +20,63 @@ if LIBCURL
 config LIBCURL_CURL
 bool "install curl program"
+config LIBCURL_CA_BUNDLE
+ bool "install CA Root Certificates"
+ help
+ Bundle of CA Root Certificates.
+
+ This is a bundle of X.509 certificates of public Certificate Authorities
+ (CA). These were automatically extracted from Mozilla's root certificates
+ file (certdata.txt).
+
+ It contains the certificates in PEM format and therefore
+ can be directly used with curl / libcurl / php_curl / openssl.
+
+choice
+ prompt "Mozilla tree"
+ default LIBCURL_CA_TREE_RELEASE
+ depends on LIBCURL_CA_BUNDLE
+ help
+ Pull certdata.txt from this Mozilla tree.
+ https://wiki.mozilla.org/Tree_Rules
+
+config LIBCURL_CA_TREE_CENTRAL
+ bool
+ prompt "central"
+ help
+ Central is also known as nightly channel.
+
+config LIBCURL_CA_TREE_AURORA
+ bool
+ prompt "aurora"
+ help
+ Aurora channel is after central and before beta.
+
+config LIBCURL_CA_TREE_BETA
+ bool
+ prompt "beta"
+ help
+ Beta channel is just before release.
+
+config LIBCURL_CA_TREE_RELEASE
+ bool
+ prompt "release"
+ help
+ Changes to the release branch are limited to urgent "chemspills"
+ like zero-day security vulnerabilities and other unplanned emergencies.
+ In the normal development process, no changes will land on release
+ except regular merges from beta every six weeks.
+
+config LIBCURL_CA_TREE_NSS
+ bool
+ prompt "nss"
+ help
+ Network Security Services (NSS) is a set of libraries designed to support
+ cross-platform development of security-enabled client and server applications.
+ Mozilla develops NSS separate from Firefox.
+
+endchoice
+
 config LIBCURL_HTTP
 bool "http"
 default y
diff --git a/rules/libcurl.make b/rules/libcurl.make
index 5babcb0..9e7b57b 100644
--- a/rules/libcurl.make
+++ b/rules/libcurl.make
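Review bot: The LIBCURL_CA_BUNDLE help text never says where the bundle comes from, and that is the security-relevant part of this option: the certificates are generated at build time by curl's mk-ca-bundle.pl from a certdata.txt that the script downloads, so the build needs network access and the trust store baked into the image depends on when the build ran. I would add to the help: `The certdata.txt file is downloaded by curl's mk-ca-bundle.pl when the package is extracted; the build needs network access and the resulting bundle depends on the state of the chosen Mozilla tree at build time.` The tree choice deserves a one-line warning as well, since central, aurora and beta carry root-store changes that have not shipped in a Firefox release: `Anything other than "release" may add or drop trust anchors before Mozilla has shipped them; prefer "release" for production images.` The per-tree help currently describes Firefox release channels, which is only indirectly what a user choosing a trust store wants to know.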
@@ -26,6 +26,36 @@ LIBCURL_SOURCE := $(SRCDIR)/$(LIBCURL).$(LIBCURL_SUFFIX)
 LIBCURL_DIR := $(BUILDDIR)/$(LIBCURL)
 LIBCURL_LICENSE := MIT
+ifdef PTXCONF_LIBCURL_CA_TREE_CENTRAL
+MOZ_CA_TREE := central
+endif
+ifdef PTXCONF_LIBCURL_CA_TREE_AURORA
+MOZ_CA_TREE := aurora
+endif
+ifdef PTXCONF_LIBCURL_CA_TREE_BETA
+MOZ_CA_TREE := beta
+endif
+ifdef PTXCONF_LIBCURL_CA_TREE_RELEASE
+MOZ_CA_TREE := release
+endif
+ifdef PTXCONF_LIBCURL_CA_TREE_NSS
+MOZ_CA_TREE := nss
+endif
+
+# ----------------------------------------------------------------------------
+# Extract
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/libcurl.extract:
+ @$(call targetinfo)
+ @$(call clean, $(LIBCURL_DIR))
+ @$(call extract, LIBCURL, $(BUILDDIR))
+ @$(call patchin, LIBCURL, $(LIBCURL_DIR))
+ifdef PTXCONF_LIBCURL_CA_BUNDLE
+ @$(LIBCURL_DIR)/lib/mk-ca-bundle.pl -i -d$(MOZ_CA_TREE) -v $(LIBCURL_DIR)/ca-bundle.crt
+endif
+ @$(call touch)
+
 # ----------------------------------------------------------------------------
 # Prepare
 # ----------------------------------------------------------------------------
@@ -62,7 +92,6 @@ LIBCURL_AUTOCONF := \
 --without-gssapi \
 --without-gnutls \
 --without-nss \
- --without-ca-bundle \
 --without-ca-path \
 --without-libidn \
 --without-axtls \
@@ -82,6 +111,12 @@ else
 LIBCURL_AUTOCONF += --without-ssl
 endif
+ifdef PTXCONF_LIBCURL_CA_BUNDLE
+LIBCURL_AUTOCONF += --with-ca-bundle=/usr/share/ca-certificates/curl/ca-bundle.crt
+else
+LIBCURL_AUTOCONF += --without-ca-bundle
+endif
+
 # ----------------------------------------------------------------------------
 # Target-Install
 # ----------------------------------------------------------------------------
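Review bot: The mk-ca-bundle.pl call in the new extract stage fetches certdata.txt from the network with nothing pinning what was fetched: no checksum, no recorded revision, and it runs again on every re-extract, so the trust anchors shipped in the image depend on a build-time download whose integrity rests entirely on the build host's own CA store and on how that version of the script downloads. I would rather obtain certdata.txt in the get stage as a versioned, checksum-verified source, if the ptxdist download infrastructure allows a second download for a package (I have not checked), and convert the cached copy with `mk-ca-bundle.pl -n` (the script's no-download mode in the curl versions I know), which also makes offline and reproducible builds possible. The script additionally needs perl and whatever it uses to download on the build host, and nothing in the rule declares that host dependency. `MOZ_CA_TREE` is a bare global in a build system that reads every rules/*.make into one namespace; the package-prefix convention used everywhere else in this file suggests `LIBCURL_CA_TREE`.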
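Review bot: The bundle path `/usr/share/ca-certificates/curl/ca-bundle.crt` is now spelled out in the configure flag here and again in the install stage; a typo in either one bakes a path into libcurl that the install stage never populates, and that only surfaces at run time as the error 77 shown in the commit message's test case 4. I would define it once near the top of the rule, `LIBCURL_CA_BUNDLE_PATH := /usr/share/ca-certificates/curl/ca-bundle.crt`, and use `--with-ca-bundle=$(LIBCURL_CA_BUNDLE_PATH)` here and in install_copy. Dropping `--without-ca-bundle` from the fixed list while keeping `--without-ca-path` is the right shape, but a one-line comment above the new ifdef, `# The bundle is the only verify location; if it is missing curl fails closed (CURLE_SSL_CACERT_BADFILE)`, records why that combination is deliberate.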
@@ -99,6 +134,9 @@ ifdef PTXCONF_LIBCURL_CURL
 @$(call install_copy, libcurl, 0, 0, 0755, -, /usr/bin/curl)
 endif
 @$(call install_lib, libcurl, 0, 0, 0644, libcurl)
+ifdef PTXCONF_LIBCURL_CA_BUNDLE
+ @$(call install_copy, libcurl, 0, 0, 0444, $(LIBCURL_DIR)/ca-bundle.crt, /usr/share/ca-certificates/curl/ca-bundle.crt)
+endif
 @$(call install_finish, libcurl)
--
1.9.1
--
ptxdist mailing list
ptxdist@pengutronix.de
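Review bot: Only libcurl is pointed at the installed bundle; the commit message's own test case 2 shows openssl s_client without -CAfile still failing with verify code 20, so any other TLS client on the target that relies on OpenSSL's default locations remains unverified even though the option is labelled "install CA Root Certificates". A comment above the install_copy line would save the next reader from that assumption: `# libcurl is the only consumer of this file (see --with-ca-bundle); other OpenSSL users on the target must be pointed at it explicitly.` The copied file is produced in the extract stage, so an existing extract stamp that predates enabling the option leaves $(LIBCURL_DIR)/ca-bundle.crt missing and this stage failing until the package is cleaned, unless ptxdist already invalidates extract on a config change, which I have not checked.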