From: Michael Olbrich
Date: Mon, 12 Jan 2015 17:21:08 +0100
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH] curl: install root CA certificates option
Message-ID: <20150112162108.GM26436@pengutronix.de>
In-Reply-To: <1418198663-9539-1-git-send-email-bth@kamstrup.dk>

On Wed, Dec 10, 2014 at 09:04:23AM +0100, Bruno Thomsen wrote:
> Install a bundle of X.509 certificates of public Certificate Authorities (CA) in PEM format.
> The bundle is automatically extracted from one of Mozilla's development channels/trees.
>
> Test case 1:
> openssl s_client -connect www.google.com:443 -CAfile /usr/share/ca-certificates/curl/ca-bundle.crt
>
> Result:
> Verify return code: 0 (ok)
>
> Test case 2:
> openssl s_client -connect www.google.com:443
>
> Result:
> Verify return code: 20 (unable to get local issuer certificate)
>
> Test case 3:
> curl https://www.google.com
>
> Result:
> ...
>
> Test case 4:
> rm /usr/share/ca-certificates/curl/ca-bundle.crt
> curl https://www.google.com
>
> Result:
> curl: (77) error setting certificate verify locations:
> CAfile: /usr/share/ca-certificates/curl/ca-bundle.crt
> CApath: none
> > Signed-off-by: Bruno Thomsen > --- > rules/libcurl.in | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ > rules/libcurl.make | 40 +++++++++++++++++++++++++++++++++++++- > 2 files changed, 96 insertions(+), 1 deletion(-) > > diff --git a/rules/libcurl.in b/rules/libcurl.in > index 0ad7fb4..e5f25f8 100644 > --- a/rules/libcurl.in > +++ b/rules/libcurl.in 
> @@ -20,6 +20,63 @@ if LIBCURL > config LIBCURL_CURL > bool "install curl program" > > +config LIBCURL_CA_BUNDLE > + bool "install CA Root Certificates" > + help > + Bundle of CA Root Certificates. > + > + This is a bundle of X.509 certificates of public Certificate Authorities > + (CA). These were automatically extracted from Mozilla's root certificates > + file (certdata.txt). > + > + It contains the certificates in PEM format and therefore > + can be directly used with curl / libcurl / php_curl / openssl. > + > +choice > + prompt "Mozilla tree" > + default LIBCURL_CA_TREE_RELEASE > + depends on LIBCURL_CA_BUNDLE > + help > + Pull certdata.txt from this Mozilla tree. > + https://wiki.mozilla.org/Tree_Rules > + > +config LIBCURL_CA_TREE_CENTRAL > + bool > + prompt "central" > + help > + Central is also known as nightly channel. > + > +config LIBCURL_CA_TREE_AURORA > + bool > + prompt "aurora" > + help > + Aurora channel is after central and before beta. > + > +config LIBCURL_CA_TREE_BETA > + bool > + prompt "beta" > + help > + Beta channel is just before release. > + > +config LIBCURL_CA_TREE_RELEASE > + bool > + prompt "release" > + help > + Changes to the release branch are limited to urgent "chemspills" > + like zero-day security vulnerabilities and other unplanned emergencies. > + In the normal development process, no changes will land on release > + except regular merges from beta every six weeks. > + > +config LIBCURL_CA_TREE_NSS > + bool > + prompt "nss" > + help > + Network Security Services (NSS) is a set of libraries designed to support > + cross-platform development of security-enabled client and server applications. > + Mozilla develops NSS separate from Firefox. > + > +endchoice > + > config LIBCURL_HTTP > bool "http" > default y > diff --git a/rules/libcurl.make b/rules/libcurl.make > index 5babcb0..9e7b57b 100644 > --- a/rules/libcurl.make > +++ b/rules/libcurl.make 
> @@ -26,6 +26,36 @@ LIBCURL_SOURCE := $(SRCDIR)/$(LIBCURL).$(LIBCURL_SUFFIX) > LIBCURL_DIR := $(BUILDDIR)/$(LIBCURL) > LIBCURL_LICENSE := MIT > > +ifdef PTXCONF_LIBCURL_CA_TREE_CENTRAL > +MOZ_CA_TREE := central > +endif > +ifdef PTXCONF_LIBCURL_CA_TREE_AURORA > +MOZ_CA_TREE := aurora > +endif > +ifdef PTXCONF_LIBCURL_CA_TREE_BETA > +MOZ_CA_TREE := beta > +endif > +ifdef PTXCONF_LIBCURL_CA_TREE_RELEASE > +MOZ_CA_TREE := release > +endif > +ifdef PTXCONF_LIBCURL_CA_TREE_NSS > +MOZ_CA_TREE := nss > +endif > + > +# ---------------------------------------------------------------------------- > +# Extract > +# ---------------------------------------------------------------------------- > + > +$(STATEDIR)/libcurl.extract: > + @$(call targetinfo) > + @$(call clean, $(LIBCURL_DIR)) > + @$(call extract, LIBCURL, $(BUILDDIR)) > + @$(call patchin, LIBCURL, $(LIBCURL_DIR)) > +ifdef PTXCONF_LIBCURL_CA_BUNDLE > + @$(LIBCURL_DIR)/lib/mk-ca-bundle.pl -i -d$(MOZ_CA_TREE) -v $(LIBCURL_DIR)/ca-bundle.crt > +endif No, not like this. Downloading an undefined version of a file during the build process is not acceptable. Add a second file to download (see rules/host-tz-database.make) how to do this) and use a URL that does not change, maybe the last tag: http://hg.mozilla.org/releases/mozilla-release/raw-file/FIREFOX_35_0_RELEASE/security/nss/lib/ckfw/builtins/certdata.txt ifdef PTXCONF_LIBCURL_CA_BUNDLE @cp $(LIBCURL_CERTDATA_SOURCE) $(LIBCURL_DIR) endif Also, you need to 'select HOST_SYSTEM_PERL' in the .in file and running mk-ca-bundle.pl should be in the compile stage. Otherwise the dependencies are not handled correctly. Michael > + @$(call touch) > + > # ---------------------------------------------------------------------------- > # Prepare > # ---------------------------------------------------------------------------- 
> @@ -62,7 +92,6 @@ LIBCURL_AUTOCONF := \ > --without-gssapi \ > --without-gnutls \ > --without-nss \ > - --without-ca-bundle \ > --without-ca-path \ > --without-libidn \ > --without-axtls \ > @@ -82,6 +111,12 @@ else > LIBCURL_AUTOCONF += --without-ssl > endif > > +ifdef PTXCONF_LIBCURL_CA_BUNDLE > +LIBCURL_AUTOCONF += --with-ca-bundle=/usr/share/ca-certificates/curl/ca-bundle.crt > +else > +LIBCURL_AUTOCONF += --without-ca-bundle > +endif > + > # ---------------------------------------------------------------------------- > # Target-Install > # ---------------------------------------------------------------------------- > @@ -99,6 +134,9 @@ ifdef PTXCONF_LIBCURL_CURL > @$(call install_copy, libcurl, 0, 0, 0755, -, /usr/bin/curl) > endif > @$(call install_lib, libcurl, 0, 0, 0644, libcurl) > +ifdef PTXCONF_LIBCURL_CA_BUNDLE > + @$(call install_copy, libcurl, 0, 0, 0444, $(LIBCURL_DIR)/ca-bundle.crt, /usr/share/ca-certificates/curl/ca-bundle.crt) > +endif > > @$(call install_finish, libcurl) > > -- > 1.9.1 > > > -- > ptxdist mailing list > ptxdist@pengutronix.de > -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | -- ptxdist mailing list ptxdist@pengutronix.de
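Review bot: `config LIBCURL_CA_BUNDLE` in the rules/libcurl.in hunk needs a `select HOST_SYSTEM_PERL`, because the make hunk runs `mk-ca-bundle.pl` on the build host; without it the build only succeeds when Perl happens to be installed. The help text for this option should also state that the bundle content is whatever the selected Mozilla tree contains at the moment of the build (the `central` and `aurora` choices in particular track trust-store changes that have not reached a release), so the set of trust anchors shipped in the image is not fixed by the PTXdist configuration alone.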
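Review bot: the `$(STATEDIR)/libcurl.extract` rule in the rules/libcurl.make @@ -26 hunk does a network fetch at extract time (`@$(LIBCURL_DIR)/lib/mk-ca-bundle.pl -i -d$(MOZ_CA_TREE) -v $(LIBCURL_DIR)/ca-bundle.crt`) of an unpinned certdata.txt with no checksum recorded, so the trust store that ends up on the target can neither be reproduced nor audited afterwards. Fetch certdata.txt from a fixed revision as a second source with its checksum recorded, as the reply suggests, and run the conversion in the compile stage so that changing the tree selection actually re-triggers it; the extract stage is not re-run on a configuration change. `MOZ_CA_TREE` should also carry the `LIBCURL_` prefix, since all rule files share one make namespace.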
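Review bot: the @@ -82 hunk hard-codes `/usr/share/ca-certificates/curl/ca-bundle.crt` in `--with-ca-bundle=`, and the @@ -99 install hunk repeats the same literal; put the path in one variable (e.g. `LIBCURL_CA_BUNDLE_PATH`) so the compiled-in default and the installed file cannot drift apart. Together with the removal of `--without-ca-bundle` from the common list in @@ -62 and the retained `--without-ca-path`, the bundle becomes the only trust source, which is the right fail-closed behaviour: test case 4 in the commit message shows curl refusing with error 77 when the file is missing instead of silently skipping verification, and that should be kept.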
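Review bot: the `install_copy` in the @@ -99 hunk places the bundle in a curl-specific directory, so only libcurl (through its compiled-in default) picks it up; the commit message's test case 2 shows `openssl s_client` still failing unless `-CAfile` points at it. If a system-wide trust store is intended, say so in the help text or install it where the other TLS consumers on the target look; otherwise document that the file is libcurl-only. Mode 0444 owned by root is appropriate for a trust anchor file.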
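The patch under review turns Mozilla's certdata.txt into a PEM bundle with curl's mk-ca-bundle.pl, and the reply asks for a pinned, verifiable input. As an added illustration that is not code from this thread, from PTXdist or from curl, the following Python reader shows what such a conversion has to do: refuse input whose SHA-256 does not match a recorded pin, parse the certdata.txt object format (CKA_* attributes, MULTILINE_OCTAL values terminated by END), and emit only those roots whose NSS trust object marks them CKT_NSS_TRUSTED_DELEGATOR for server authentication, leaving explicitly distrusted roots out. The certdata sample is constructed, its CKA_VALUE bytes are placeholders rather than real DER, the pin is derived from the sample only so the example runs offline, and pairing certificate and trust objects by (issuer, serial) rather than by label is a choice made here because labels are not guaranteed unique.

```python
import base64
import hashlib
import re
import textwrap

# Constructed sample in certdata.txt layout; CKA_VALUE bytes are placeholders,
# not real DER.  Root 1 is trusted for server auth, root 2 is distrusted.
SAMPLE_CERTDATA = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\013
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_ISSUER MULTILINE_OCTAL
\060\013
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\014
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_VALUE MULTILINE_OCTAL
\060\202\002\000
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_ISSUER MULTILINE_OCTAL
\060\014
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""
# A build rule records this literal beside the pinned URL; it is derived from
# the constructed sample here only so the example runs offline.
PINNED_SHA256 = hashlib.sha256(SAMPLE_CERTDATA.encode()).hexdigest()
OCTAL_BYTE = re.compile(r"\\([0-7]{3})")
TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"


def parse_certdata(text):
    """One dict per object; CKA_CLASS starts an object, MULTILINE_OCTAL runs to END."""
    objects, cur, lines = [], {}, iter(text.splitlines())  # cur is discarded until the first CKA_CLASS
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 2 or line.startswith("#"):
            continue  # blank line, comment or BEGINDATA marker
        attr, typ = parts[0], parts[1]
        if attr == "CKA_CLASS":
            cur = {}
            objects.append(cur)
        if typ == "MULTILINE_OCTAL":
            buf = bytearray()
            for oline in lines:
                if oline.strip() == "END":
                    break
                buf.extend(int(o, 8) for o in OCTAL_BYTE.findall(oline))
            cur[attr] = bytes(buf)
        elif typ == "UTF8":
            cur[attr] = parts[2].strip().strip('"')
        else:
            cur[attr] = parts[2].strip() if len(parts) > 2 else ""
    return objects


def trusted_server_roots(objects):
    """Pair certificate and trust objects by (issuer, serial); keep only server-auth trusted roots."""
    certs, trust = {}, {}
    for obj in objects:
        key = (obj.get("CKA_ISSUER"), obj.get("CKA_SERIAL_NUMBER"))
        if obj.get("CKA_CLASS") == "CKO_CERTIFICATE":
            certs[key] = obj
        elif obj.get("CKA_CLASS") == "CKO_NSS_TRUST":
            trust[key] = obj.get("CKA_TRUST_SERVER_AUTH")
    return [(o["CKA_LABEL"], o["CKA_VALUE"])
            for k, o in certs.items() if trust.get(k) == TRUSTED]


def to_pem(label, der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return (f"{label}\n{'=' * len(label)}\n-----BEGIN CERTIFICATE-----\n"
            f"{body}\n-----END CERTIFICATE-----\n\n")


def build_bundle(certdata_text, expected_sha256):
    """Refuse to build a trust store from input that does not match the pin."""
    digest = hashlib.sha256(certdata_text.encode()).hexdigest()
    if digest != expected_sha256:
        raise ValueError(f"certdata.txt digest mismatch: got {digest}")
    roots = trusted_server_roots(parse_certdata(certdata_text))
    return "".join(to_pem(label, der) for label, der in roots)
```

`build_bundle(SAMPLE_CERTDATA, PINNED_SHA256)` yields a bundle with exactly one PEM block, the trusted root; the distrusted root is parsed but never emitted, and any input whose digest differs from the pin is rejected before parsing, which is the property the review asks the PTXdist rule to have.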