[ptxdist] [PATCH] curl: install root CA certificates option

[ptxdist] [PATCH] curl: install root CA certificates option

[Bruno Thomsen]

Install a bundle of X.509 certificates of public Certificate Authorities (CA) in PEM format.
The bundle is automatically extracted from one of Mozilla's development channels/trees.

Test case 1:
openssl s_client -connect www.google.com:443 -CAfile /usr/share/ca-certificates/curl/ca-bundle.crt

Result:
Verify return code: 0 (ok)

Test case 2:
openssl s_client -connect www.google.com:443

Result:
Verify return code: 20 (unable to get local issuer certificate)

Test case 3:
curl https://www.google.com

Result:
<HTML><HEAD>...

Test case 4:
rm /usr/share/ca-certificates/curl/ca-bundle.crt
curl https://www.google.com

Result:
curl: (77) error setting certificate verify locations:
  CAfile: /usr/share/ca-certificates/curl/ca-bundle.crt
  CApath: none

Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
---
 rules/libcurl.in   | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 rules/libcurl.make | 40 +++++++++++++++++++++++++++++++++++++-
 2 files changed, 96 insertions(+), 1 deletion(-)

diff --git a/rules/libcurl.in b/rules/libcurl.in
index 0ad7fb4..e5f25f8 100644
--- a/rules/libcurl.in
+++ b/rules/libcurl.in
@@ -20,6 +20,63 @@ if LIBCURL
 config LIBCURL_CURL
        bool "install curl program"
 
+config LIBCURL_CA_BUNDLE
+	bool "install CA Root Certificates"
+	help
+	  Bundle of CA Root Certificates.
+
+	  This is a bundle of X.509 certificates of public Certificate Authorities
+	  (CA). These were automatically extracted from Mozilla's root certificates
+	  file (certdata.txt).
+
+	  It contains the certificates in PEM format and therefore
+	  can be directly used with curl / libcurl / php_curl / openssl.
+
+choice
+	prompt "Mozilla tree"
+	default LIBCURL_CA_TREE_RELEASE
+	depends on LIBCURL_CA_BUNDLE
+	help
+	  Pull certdata.txt from this Mozilla tree.
+	  https://wiki.mozilla.org/Tree_Rules
+
+config LIBCURL_CA_TREE_CENTRAL
+	bool
+	prompt "central"
+	help
+	  Central is also known as nightly channel.
+
+config LIBCURL_CA_TREE_AURORA
+	bool
+	prompt "aurora"
+	help
+	  Aurora channel is after central and before beta.
+
+config LIBCURL_CA_TREE_BETA
+	bool
+	prompt "beta"
+	help
+	  Beta channel is just before release.
+
+config LIBCURL_CA_TREE_RELEASE
+	bool
+	prompt "release"
+	help
+	  Changes to the release branch are limited to urgent "chemspills"
+	  like zero-day security vulnerabilities and other unplanned emergencies.
+	  In the normal development process, no changes will land on release
+	  except regular merges from beta every six weeks.
+
+config LIBCURL_CA_TREE_NSS
+	bool
+	prompt "nss"
+	help
+	  Network Security Services (NSS) is a set of libraries designed to support
+	  cross-platform development of security-enabled client and server applications.
+	  Mozilla develops NSS separate from Firefox.
+
+endchoice
+
 config LIBCURL_HTTP
        bool "http"
        default y
diff --git a/rules/libcurl.make b/rules/libcurl.make
index 5babcb0..9e7b57b 100644
--- a/rules/libcurl.make
+++ b/rules/libcurl.make
@@ -26,6 +26,36 @@ LIBCURL_SOURCE	:= $(SRCDIR)/$(LIBCURL).$(LIBCURL_SUFFIX)
 LIBCURL_DIR	:= $(BUILDDIR)/$(LIBCURL)
 LIBCURL_LICENSE	:= MIT
 
+ifdef PTXCONF_LIBCURL_CA_TREE_CENTRAL
+MOZ_CA_TREE := central
+endif
+ifdef PTXCONF_LIBCURL_CA_TREE_AURORA
+MOZ_CA_TREE := aurora
+endif
+ifdef PTXCONF_LIBCURL_CA_TREE_BETA
+MOZ_CA_TREE := beta
+endif
+ifdef PTXCONF_LIBCURL_CA_TREE_RELEASE
+MOZ_CA_TREE := release
+endif
+ifdef PTXCONF_LIBCURL_CA_TREE_NSS
+MOZ_CA_TREE := nss
+endif
+
+# ----------------------------------------------------------------------------
+# Extract
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/libcurl.extract:
+	@$(call targetinfo)
+	@$(call clean, $(LIBCURL_DIR))
+	@$(call extract, LIBCURL, $(BUILDDIR))
+	@$(call patchin, LIBCURL, $(LIBCURL_DIR))
+ifdef PTXCONF_LIBCURL_CA_BUNDLE
+	@$(LIBCURL_DIR)/lib/mk-ca-bundle.pl -i -d$(MOZ_CA_TREE) -v $(LIBCURL_DIR)/ca-bundle.crt
+endif
+	@$(call touch)
+
 # ----------------------------------------------------------------------------
 # Prepare
 # ----------------------------------------------------------------------------
@@ -62,7 +92,6 @@ LIBCURL_AUTOCONF := \
 	--without-gssapi \
 	--without-gnutls \
 	--without-nss \
-	--without-ca-bundle \
 	--without-ca-path \
 	--without-libidn \
 	--without-axtls \
@@ -82,6 +111,12 @@ else
 LIBCURL_AUTOCONF += --without-ssl
 endif
 
+ifdef PTXCONF_LIBCURL_CA_BUNDLE
+LIBCURL_AUTOCONF += --with-ca-bundle=/usr/share/ca-certificates/curl/ca-bundle.crt
+else
+LIBCURL_AUTOCONF += --without-ca-bundle
+endif
+
 # ----------------------------------------------------------------------------
 # Target-Install
 # ----------------------------------------------------------------------------
@@ -99,6 +134,9 @@ ifdef PTXCONF_LIBCURL_CURL
 	@$(call install_copy, libcurl, 0, 0, 0755, -, /usr/bin/curl)
 endif
 	@$(call install_lib, libcurl, 0, 0, 0644, libcurl)
+ifdef PTXCONF_LIBCURL_CA_BUNDLE
+	@$(call install_copy, libcurl, 0, 0, 0444, $(LIBCURL_DIR)/ca-bundle.crt, /usr/share/ca-certificates/curl/ca-bundle.crt)
+endif
 
 	@$(call install_finish, libcurl)
 
-- 
1.9.1


-- 
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH] curl: install root CA certificates option

[Michael Olbrich]

On Wed, Dec 10, 2014 at 09:04:23AM +0100, Bruno Thomsen wrote:
> Install a bundle of X.509 certificates of public Certificate Authorities (CA) in PEM format.
> The bundle is automatically extracted from one of Mozilla's development channels/trees.
> 
> Test case 1:
> openssl s_client -connect www.google.com:443 -CAfile /usr/share/ca-certificates/curl/ca-bundle.crt
> 
> Result:
> Verify return code: 0 (ok)
> 
> Test case 2:
> openssl s_client -connect www.google.com:443
> 
> Result:
> Verify return code: 20 (unable to get local issuer certificate)
> 
> Test case 3:
> curl https://www.google.com
> 
> Result:
> <HTML><HEAD>...
> 
> Test case 4:
> rm /usr/share/ca-certificates/curl/ca-bundle.crt
> curl https://www.google.com
> 
> Result:
> curl: (77) error setting certificate verify locations:
>   CAfile: /usr/share/ca-certificates/curl/ca-bundle.crt
>   CApath: none
> 
> Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
> ---
>  rules/libcurl.in   | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  rules/libcurl.make | 40 +++++++++++++++++++++++++++++++++++++-
>  2 files changed, 96 insertions(+), 1 deletion(-)
> 
> diff --git a/rules/libcurl.in b/rules/libcurl.in
> index 0ad7fb4..e5f25f8 100644
> --- a/rules/libcurl.in
> +++ b/rules/libcurl.in
> @@ -20,6 +20,63 @@ if LIBCURL
>  config LIBCURL_CURL
>         bool "install curl program"
>  
> +config LIBCURL_CA_BUNDLE
> +	bool "install CA Root Certificates"
> +	help
> +	  Bundle of CA Root Certificates.
> +
> +	  This is a bundle of X.509 certificates of public Certificate Authorities
> +	  (CA). These were automatically extracted from Mozilla's root certificates
> +	  file (certdata.txt).
> +
> +	  It contains the certificates in PEM format and therefore
> +	  can be directly used with curl / libcurl / php_curl / openssl.
> +
> +choice
> +	prompt "Mozilla tree"
> +	default LIBCURL_CA_TREE_RELEASE
> +	depends on LIBCURL_CA_BUNDLE
> +	help
> +	  Pull certdata.txt from this Mozilla tree.
> +	  https://wiki.mozilla.org/Tree_Rules
> +
> +config LIBCURL_CA_TREE_CENTRAL
> +	bool
> +	prompt "central"
> +	help
> +	  Central is also known as nightly channel.
> +
> +config LIBCURL_CA_TREE_AURORA
> +	bool
> +	prompt "aurora"
> +	help
> +	  Aurora channel is after central and before beta.
> +
> +config LIBCURL_CA_TREE_BETA
> +	bool
> +	prompt "beta"
> +	help
> +	  Beta channel is just before release.
> +
> +config LIBCURL_CA_TREE_RELEASE
> +	bool
> +	prompt "release"
> +	help
> +	  Changes to the release branch are limited to urgent "chemspills"
> +	  like zero-day security vulnerabilities and other unplanned emergencies.
> +	  In the normal development process, no changes will land on release
> +	  except regular merges from beta every six weeks.
> +
> +config LIBCURL_CA_TREE_NSS
> +	bool
> +	prompt "nss"
> +	help
> +	  Network Security Services (NSS) is a set of libraries designed to support
> +	  cross-platform development of security-enabled client and server applications.
> +	  Mozilla develops NSS separate from Firefox.
> +
> +endchoice
> +
>  config LIBCURL_HTTP
>         bool "http"
>         default y
> diff --git a/rules/libcurl.make b/rules/libcurl.make
> index 5babcb0..9e7b57b 100644
> --- a/rules/libcurl.make
> +++ b/rules/libcurl.make
> @@ -26,6 +26,36 @@ LIBCURL_SOURCE	:= $(SRCDIR)/$(LIBCURL).$(LIBCURL_SUFFIX)
>  LIBCURL_DIR	:= $(BUILDDIR)/$(LIBCURL)
>  LIBCURL_LICENSE	:= MIT
>  
> +ifdef PTXCONF_LIBCURL_CA_TREE_CENTRAL
> +MOZ_CA_TREE := central
> +endif
> +ifdef PTXCONF_LIBCURL_CA_TREE_AURORA
> +MOZ_CA_TREE := aurora
> +endif
> +ifdef PTXCONF_LIBCURL_CA_TREE_BETA
> +MOZ_CA_TREE := beta
> +endif
> +ifdef PTXCONF_LIBCURL_CA_TREE_RELEASE
> +MOZ_CA_TREE := release
> +endif
> +ifdef PTXCONF_LIBCURL_CA_TREE_NSS
> +MOZ_CA_TREE := nss
> +endif
> +
> +# ----------------------------------------------------------------------------
> +# Extract
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/libcurl.extract:
> +	@$(call targetinfo)
> +	@$(call clean, $(LIBCURL_DIR))
> +	@$(call extract, LIBCURL, $(BUILDDIR))
> +	@$(call patchin, LIBCURL, $(LIBCURL_DIR))
> +ifdef PTXCONF_LIBCURL_CA_BUNDLE
> +	@$(LIBCURL_DIR)/lib/mk-ca-bundle.pl -i -d$(MOZ_CA_TREE) -v $(LIBCURL_DIR)/ca-bundle.crt
> +endif

No, not like this. Downloading an undefined version of a file during the
build process is not acceptable.

Add a second file to download (see rules/host-tz-database.make) how to do
this) and use a URL that does not change, maybe the last tag:
http://hg.mozilla.org/releases/mozilla-release/raw-file/FIREFOX_35_0_RELEASE/security/nss/lib/ckfw/builtins/certdata.txt

ifdef PTXCONF_LIBCURL_CA_BUNDLE
	@cp $(LIBCURL_CERTDATA_SOURCE) $(LIBCURL_DIR)
endif

Also, you need to 'select HOST_SYSTEM_PERL' in the .in file and running
mk-ca-bundle.pl should be in the compile stage. Otherwise the dependencies
are not handled correctly.

Michael

> +	@$(call touch)
> +
>  # ----------------------------------------------------------------------------
>  # Prepare
>  # ----------------------------------------------------------------------------
> @@ -62,7 +92,6 @@ LIBCURL_AUTOCONF := \
>  	--without-gssapi \
>  	--without-gnutls \
>  	--without-nss \
> -	--without-ca-bundle \
>  	--without-ca-path \
>  	--without-libidn \
>  	--without-axtls \
> @@ -82,6 +111,12 @@ else
>  LIBCURL_AUTOCONF += --without-ssl
>  endif
>  
> +ifdef PTXCONF_LIBCURL_CA_BUNDLE
> +LIBCURL_AUTOCONF += --with-ca-bundle=/usr/share/ca-certificates/curl/ca-bundle.crt
> +else
> +LIBCURL_AUTOCONF += --without-ca-bundle
> +endif
> +
>  # ----------------------------------------------------------------------------
>  # Target-Install
>  # ----------------------------------------------------------------------------
> @@ -99,6 +134,9 @@ ifdef PTXCONF_LIBCURL_CURL
>  	@$(call install_copy, libcurl, 0, 0, 0755, -, /usr/bin/curl)
>  endif
>  	@$(call install_lib, libcurl, 0, 0, 0644, libcurl)
> +ifdef PTXCONF_LIBCURL_CA_BUNDLE
> +	@$(call install_copy, libcurl, 0, 0, 0444, $(LIBCURL_DIR)/ca-bundle.crt, /usr/share/ca-certificates/curl/ca-bundle.crt)
> +endif
>  
>  	@$(call install_finish, libcurl)
>  
> -- 
> 1.9.1
> 
> 
> -- 
> ptxdist mailing list
> ptxdist@pengutronix.de
> 

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

-- 
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH] curl: install root CA certificates option

[Bruno Thomsen]

Hi Michael

Thanks for feedback. I have created 2 new patches that address the issues you have found.

> > +$(STATEDIR)/libcurl.extract:
> > +	@$(call targetinfo)
> > +	@$(call clean, $(LIBCURL_DIR))
> > +	@$(call extract, LIBCURL, $(BUILDDIR))
> > +	@$(call patchin, LIBCURL, $(LIBCURL_DIR))
> > +ifdef PTXCONF_LIBCURL_CA_BUNDLE
> > +	@$(LIBCURL_DIR)/lib/mk-ca-bundle.pl -i -d$(MOZ_CA_TREE) -v $(LIBCURL_DIR)/ca-bundle.crt
> > +endif
>
> No, not like this. Downloading an undefined version of a file during the
> build process is not acceptable.
>
> Add a second file to download (see rules/host-tz-database.make) how to do
> this) and use a URL that does not change, maybe the last tag:
> http://hg.mozilla.org/releases/mozilla-release/raw-file/FIREFOX_35_0_RELEASE/security/nss/lib/ckfw/builtins/certdata.txt

I have create a new host "certificate bundle downloader"-package (rules/host-certdata.make).

> Also, you need to 'select HOST_SYSTEM_PERL' in the .in file and running
> mk-ca-bundle.pl should be in the compile stage. Otherwise the dependencies
> are not handled correctly.

I have add dependency on HOST_SYSTEM_PERL and HOST_CERTDATA if LIBCURL_CA_BUNDLE is selected.
Moved mk-ca-bundle.pl call from extract to compile stage.

Bruno



-- 
ptxdist mailing list
ptxdist@pengutronix.de