From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from ptx.hi.pengutronix.de ([2001:67c:670:100:1d::c0] ident=Debian-exim) by metis.ext.pengutronix.de with esmtp (Exim 4.72) (envelope-from ) id 1Yb4g6-0000m6-RA for ptxdist@pengutronix.de; Thu, 26 Mar 2015 11:06:18 +0100 Received: from mol by ptx.hi.pengutronix.de with local (Exim 4.80) (envelope-from ) id 1Yb4g6-0001gE-Q5 for ptxdist@pengutronix.de; Thu, 26 Mar 2015 11:06:18 +0100 Date: Thu, 26 Mar 2015 11:06:18 +0100 From: Michael Olbrich Message-ID: <20150326100618.GB13271@pengutronix.de> References: <1421409525-13713-1-git-send-email-bth@kamstrup.dk> <1421409525-13713-2-git-send-email-bth@kamstrup.dk> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <1421409525-13713-2-git-send-email-bth@kamstrup.dk> Subject: Re: [ptxdist] [PATCH 2/2] curl: install root CA certificates option Reply-To: ptxdist@pengutronix.de List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: ptxdist-bounces@pengutronix.de Errors-To: ptxdist-bounces@pengutronix.de To: ptxdist@pengutronix.de On Fri, Jan 16, 2015 at 12:58:45PM +0100, Bruno Thomsen wrote: 
> From: Bruno Thomsen > > Install a bundle of X.509 certificates of public Certificate Authorities (CA) in PEM format. > The bundle is extracted from Mozilla's release tree by a host package called certdata. > > Test case 1: > openssl s_client -connect www.google.com:443 -CAfile /usr/share/ca-certificates/curl/ca-bundle.crt > > Result: > Verify return code: 0 (ok) > > Test case 2: > openssl s_client -connect www.google.com:443 > > Result: > Verify return code: 20 (unable to get local issuer certificate) > > Test case 3: > curl https://www.google.com > > Result: > ... > > Test case 4: > rm /usr/share/ca-certificates/curl/ca-bundle.crt > curl https://www.google.com > > Result: > curl: (77) error setting certificate verify locations: > CAfile: /usr/share/ca-certificates/curl/ca-bundle.crt > CApath: none > > Signed-off-by: Bruno Thomsen > --- > rules/libcurl.in | 18 ++++++++++++++++-- > rules/libcurl.make | 23 ++++++++++++++++++++++- > 2 files changed, 38 insertions(+), 3 deletions(-) > > diff --git a/rules/libcurl.in b/rules/libcurl.in > index 0ad7fb4..11c3698 100644 > --- a/rules/libcurl.in > +++ b/rules/libcurl.in > @@ -5,8 +5,10 @@ menuconfig LIBCURL > prompt "libcurl " > select LIBC_RT > select ZLIB > - select OPENSSL if LIBCURL_SSL > - select LIBSSH2 if LIBCURL_LIBSSH2 > + select HOST_SYSTEM_PERL if LIBCURL_CA_BUNDLE > + select HOST_CERTDATA if LIBCURL_CA_BUNDLE > + select OPENSSL if LIBCURL_SSL > + select LIBSSH2 if LIBCURL_LIBSSH2 > help > curl is a command line tool for transferring files with URL syntax, supporting > FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS and FILE. 
> @@ -20,6 +22,18 @@ if LIBCURL > config LIBCURL_CURL > bool "install curl program" > > +config LIBCURL_CA_BUNDLE > + bool "install root CA certificates" > + help > + Bundle of Root CA Certificates. > + > + This is a bundle of X.509 certificates of public Certificate Authorities (CA). > + These were automatically extracted from Mozilla's root certificates > + file (certdata.txt). > + > + It contains the certificates in PEM format and therefore > + can be directly used with curl / libcurl / php_curl / strongswan. > + > config LIBCURL_HTTP > bool "http" > default y > diff --git a/rules/libcurl.make b/rules/libcurl.make > index 5babcb0..7f83ca4 100644 > --- a/rules/libcurl.make > +++ b/rules/libcurl.make > @@ -62,7 +62,6 @@ LIBCURL_AUTOCONF := \ > --without-gssapi \ > --without-gnutls \ > --without-nss \ > - --without-ca-bundle \ > --without-ca-path \ > --without-libidn \ > --without-axtls \ 
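Review bot: `config LIBCURL_CA_BUNDLE` is not tied to `LIBCURL_SSL`, so the bundle can be enabled for a libcurl built `--without-ssl`, where nothing consumes it; add `depends on LIBCURL_SSL` below the `bool` line so the option only appears when certificate verification is actually compiled in. The help text also overstates the scope of the option: only libcurl is configured to look at this path (the commit message's test case 2 shows a plain `openssl s_client` still fails with verify code 20), so the other consumers named there have to be pointed at the file explicitly via `-CAfile`, `SSL_CERT_FILE` or their own configuration. I would replace the last help sentence with `It contains the certificates in PEM format. libcurl is built to use this file by default; other TLS users (openssl, strongswan, ...) must be configured to point at it explicitly.`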
> @@ -82,6 +81,25 @@ else > LIBCURL_AUTOCONF += --without-ssl > endif > > +ifdef PTXCONF_LIBCURL_CA_BUNDLE > +LIBCURL_AUTOCONF += --with-ca-bundle=/usr/share/ca-certificates/curl/ca-bundle.crt > +else > +LIBCURL_AUTOCONF += --without-ca-bundle > +endif > + > +# ---------------------------------------------------------------------------- > +# Compile > +# ---------------------------------------------------------------------------- > + > +$(STATEDIR)/libcurl.compile: > + @$(call targetinfo) > + > +ifdef PTXCONF_LIBCURL_CA_BUNDLE > + @cd $(HOST_CERTDATA_DIR) > + @$(LIBCURL_DIR)/lib/mk-ca-bundle.pl -i -n -v $(LIBCURL_DIR)/ca-bundle.crt > +endif This cannot work: 1. you removed the real compile, so nothing will be built 2. each line is separate, so the 'cd ...' is ignored. Also, do this in 'install' to avoid referencing LIBCURL_DIR in targetinstall: $(call world/install, LIBCURL) @cd $(PTXCONF_SYSROOT_HOST)/share/certdata && $(LIBCURL_DIR)/lib/mk-ca-bundle.pl -i -n -v $(LIBCURL_PKGDIR)/usr/share/ca-certificates/curl/ca-bundle.crt Untested. You might need to create $(LIBCURL_PKGDIR)/usr/share/ca-certificates/curl/ first. > + @$(call touch) > + > # ---------------------------------------------------------------------------- > # Target-Install > # ---------------------------------------------------------------------------- 
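Review bot: The bundle path `/usr/share/ca-certificates/curl/ca-bundle.crt` is spelled out here in the `--with-ca-bundle` flag and again in the install rule further down, and a mismatch is not caught at build time: libcurl would simply point at a file that does not exist and every HTTPS request would fail with the error 77 shown in test case 4 of the commit message; define it once, e.g. `LIBCURL_CA_BUNDLE := /usr/share/ca-certificates/curl/ca-bundle.crt`, and reference that variable in both places. The generation step also deserves a sanity check, because an empty or unparseable certdata.txt presumably yields an empty bundle that only shows up as every TLS connection failing on the target; a line such as `@test -s <bundle> && grep -q 'BEGIN CERTIFICATE' <bundle>` after the mk-ca-bundle.pl call catches that while building. I am assuming that mk-ca-bundle.pl with `-n` reads `certdata.txt` from the working directory and does not touch the network; that is worth confirming against the script version shipped in the libcurl tarball, since an offline, reproducible bundle is the point of pulling it from HOST_CERTDATA rather than letting the script download it.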
> @@ -99,6 +117,9 @@ ifdef PTXCONF_LIBCURL_CURL > @$(call install_copy, libcurl, 0, 0, 0755, -, /usr/bin/curl) > endif > @$(call install_lib, libcurl, 0, 0, 0644, libcurl) > +ifdef PTXCONF_LIBCURL_CA_BUNDLE > + @$(call install_copy, libcurl, 0, 0, 0444, $(LIBCURL_DIR)/ca-bundle.crt, /usr/share/ca-certificates/curl/ca-bundle.crt) @$(call install_copy, libcurl, 0, 0, 0444, -, \ /usr/share/ca-certificates/curl/ca-bundle.crt) Michael > +endif > > @$(call install_finish, libcurl) > > -- > 1.9.1 > > > -- > ptxdist mailing list > ptxdist@pengutronix.de > -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | -- ptxdist mailing list ptxdist@pengutronix.de
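Review bot: The installed bundle is a snapshot of Mozilla's root store taken at build time, so a root that Mozilla later distrusts stays trusted on the device, and a newly added root is missing, until HOST_CERTDATA and libcurl are rebuilt and a new image is shipped; nothing in this rule records which certdata.txt revision produced the file. A short comment above the `install_copy` line, `# ca-bundle.crt is generated from HOST_CERTDATA at build time and is only refreshed by rebuilding this package; bump HOST_CERTDATA when Mozilla changes its root store.`, makes that maintenance obligation visible to whoever owns the BSP. Installing the file as 0444 root:root is the right choice, since a writable bundle would let any local user inject a trusted root.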