From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH] curl: install root CA certificates option
Date: Mon, 12 Jan 2015 17:21:08 +0100 [thread overview]
Message-ID: <20150112162108.GM26436@pengutronix.de> (raw)
In-Reply-To: <1418198663-9539-1-git-send-email-bth@kamstrup.dk>
On Wed, Dec 10, 2014 at 09:04:23AM +0100, Bruno Thomsen wrote:
> Install a bundle of X.509 certificates of public Certificate Authorities (CA) in PEM format.
> The bundle is automatically extracted from one of Mozilla's development channels/trees.
>
> Test case 1:
> openssl s_client -connect www.google.com:443 -CAfile /usr/share/ca-certificates/curl/ca-bundle.crt
>
> Result:
> Verify return code: 0 (ok)
>
> Test case 2:
> openssl s_client -connect www.google.com:443
>
> Result:
> Verify return code: 20 (unable to get local issuer certificate)
>
> Test case 3:
> curl https://www.google.com
>
> Result:
> <HTML><HEAD>...
>
> Test case 4:
> rm /usr/share/ca-certificates/curl/ca-bundle.crt
> curl https://www.google.com
>
> Result:
> curl: (77) error setting certificate verify locations:
> CAfile: /usr/share/ca-certificates/curl/ca-bundle.crt
> CApath: none
>
> Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
> ---
> rules/libcurl.in | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> rules/libcurl.make | 40 +++++++++++++++++++++++++++++++++++++-
> 2 files changed, 96 insertions(+), 1 deletion(-)
>
> diff --git a/rules/libcurl.in b/rules/libcurl.in
> index 0ad7fb4..e5f25f8 100644
> --- a/rules/libcurl.in
> +++ b/rules/libcurl.in
> @@ -20,6 +20,63 @@ if LIBCURL
> config LIBCURL_CURL
> bool "install curl program"
>
> +config LIBCURL_CA_BUNDLE
> + bool "install CA Root Certificates"
> + help
> + Bundle of CA Root Certificates.
> +
> + This is a bundle of X.509 certificates of public Certificate Authorities
> + (CA). These were automatically extracted from Mozilla's root certificates
> + file (certdata.txt).
> +
> + It contains the certificates in PEM format and therefore
> + can be directly used with curl / libcurl / php_curl / openssl.
> +
> +choice
> + prompt "Mozilla tree"
> + default LIBCURL_CA_TREE_RELEASE
> + depends on LIBCURL_CA_BUNDLE
> + help
> + Pull certdata.txt from this Mozilla tree.
> + https://wiki.mozilla.org/Tree_Rules
> +
> +config LIBCURL_CA_TREE_CENTRAL
> + bool
> + prompt "central"
> + help
> + Central is also known as nightly channel.
> +
> +config LIBCURL_CA_TREE_AURORA
> + bool
> + prompt "aurora"
> + help
> + Aurora channel is after central and before beta.
> +
> +config LIBCURL_CA_TREE_BETA
> + bool
> + prompt "beta"
> + help
> + Beta channel is just before release.
> +
> +config LIBCURL_CA_TREE_RELEASE
> + bool
> + prompt "release"
> + help
> + Changes to the release branch are limited to urgent "chemspills"
> + like zero-day security vulnerabilities and other unplanned emergencies.
> + In the normal development process, no changes will land on release
> + except regular merges from beta every six weeks.
> +
> +config LIBCURL_CA_TREE_NSS
> + bool
> + prompt "nss"
> + help
> + Network Security Services (NSS) is a set of libraries designed to support
> + cross-platform development of security-enabled client and server applications.
> + Mozilla develops NSS separate from Firefox.
> +
> +endchoice
> +
> config LIBCURL_HTTP
> bool "http"
> default y
> diff --git a/rules/libcurl.make b/rules/libcurl.make
> index 5babcb0..9e7b57b 100644
> --- a/rules/libcurl.make
> +++ b/rules/libcurl.make
> @@ -26,6 +26,36 @@ LIBCURL_SOURCE := $(SRCDIR)/$(LIBCURL).$(LIBCURL_SUFFIX)
> LIBCURL_DIR := $(BUILDDIR)/$(LIBCURL)
> LIBCURL_LICENSE := MIT
>
> +ifdef PTXCONF_LIBCURL_CA_TREE_CENTRAL
> +MOZ_CA_TREE := central
> +endif
> +ifdef PTXCONF_LIBCURL_CA_TREE_AURORA
> +MOZ_CA_TREE := aurora
> +endif
> +ifdef PTXCONF_LIBCURL_CA_TREE_BETA
> +MOZ_CA_TREE := beta
> +endif
> +ifdef PTXCONF_LIBCURL_CA_TREE_RELEASE
> +MOZ_CA_TREE := release
> +endif
> +ifdef PTXCONF_LIBCURL_CA_TREE_NSS
> +MOZ_CA_TREE := nss
> +endif
> +
> +# ----------------------------------------------------------------------------
> +# Extract
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/libcurl.extract:
> + @$(call targetinfo)
> + @$(call clean, $(LIBCURL_DIR))
> + @$(call extract, LIBCURL, $(BUILDDIR))
> + @$(call patchin, LIBCURL, $(LIBCURL_DIR))
> +ifdef PTXCONF_LIBCURL_CA_BUNDLE
> + @$(LIBCURL_DIR)/lib/mk-ca-bundle.pl -i -d$(MOZ_CA_TREE) -v $(LIBCURL_DIR)/ca-bundle.crt
> +endif
No, not like this. Downloading an undefined version of a file during the
build process is not acceptable.
Add a second file to download (see rules/host-tz-database.make) how to do
this) and use a URL that does not change, maybe the last tag:
http://hg.mozilla.org/releases/mozilla-release/raw-file/FIREFOX_35_0_RELEASE/security/nss/lib/ckfw/builtins/certdata.txt
ifdef PTXCONF_LIBCURL_CA_BUNDLE
@cp $(LIBCURL_CERTDATA_SOURCE) $(LIBCURL_DIR)
endif
Also, you need to 'select HOST_SYSTEM_PERL' in the .in file and running
mk-ca-bundle.pl should be in the compile stage. Otherwise the dependencies
are not handled correctly.
Michael
> + @$(call touch)
> +
> # ----------------------------------------------------------------------------
> # Prepare
> # ----------------------------------------------------------------------------
> @@ -62,7 +92,6 @@ LIBCURL_AUTOCONF := \
> --without-gssapi \
> --without-gnutls \
> --without-nss \
> - --without-ca-bundle \
> --without-ca-path \
> --without-libidn \
> --without-axtls \
> @@ -82,6 +111,12 @@ else
> LIBCURL_AUTOCONF += --without-ssl
> endif
>
> +ifdef PTXCONF_LIBCURL_CA_BUNDLE
> +LIBCURL_AUTOCONF += --with-ca-bundle=/usr/share/ca-certificates/curl/ca-bundle.crt
> +else
> +LIBCURL_AUTOCONF += --without-ca-bundle
> +endif
> +
> # ----------------------------------------------------------------------------
> # Target-Install
> # ----------------------------------------------------------------------------
> @@ -99,6 +134,9 @@ ifdef PTXCONF_LIBCURL_CURL
> @$(call install_copy, libcurl, 0, 0, 0755, -, /usr/bin/curl)
> endif
> @$(call install_lib, libcurl, 0, 0, 0644, libcurl)
> +ifdef PTXCONF_LIBCURL_CA_BUNDLE
> + @$(call install_copy, libcurl, 0, 0, 0444, $(LIBCURL_DIR)/ca-bundle.crt, /usr/share/ca-certificates/curl/ca-bundle.crt)
> +endif
>
> @$(call install_finish, libcurl)
>
> --
> 1.9.1
>
>
> --
> ptxdist mailing list
> ptxdist@pengutronix.de
>
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
--
ptxdist mailing list
ptxdist@pengutronix.de
next prev parent reply other threads:[~2015-01-12 16:21 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-10 8:04 Bruno Thomsen
2015-01-12 16:21 ` Michael Olbrich [this message]
2015-01-16 11:10 ` Bruno Thomsen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150112162108.GM26436@pengutronix.de \
--to=m.olbrich@pengutronix.de \
--cc=ptxdist@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox