clearlinux / clrtrust
Clear Linux TLS Trust Store Management
License: Other
By the assumptions in the design, clrtrust will not handle files which have line feeds and tabs in their names. Line feed ('\n') and tab ('\t') characters should not be used internally as field separators. A few places need to be revisited:
1. Instead of using a variable with multi-line content to store the certificate information (filename and subject hash), an associative array should be used.
2. Passing filenames to the helper should be done via the command line instead of a pipe.
3. Commands using find to locate the files and feed them to the subsequent command via a pipe should handle the output properly.
While this issue may not have much practical impact, it should be addressed to remove this unnecessary limitation on filenames.
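As an added illustration of the third point (this is example code, not part of clrtrust), the script below builds a constructed directory whose file names contain a tab and a line feed, then counts them twice: once with the line-oriented find pipeline the issue warns about, and once with NUL-delimited output handed to the helper as command-line arguments via xargs -0. The function names are hypothetical; the example stays in POSIX sh, so the associative-array suggestion from the first point is not shown.

```shell
# Added example, not clrtrust's own code: why '\n' cannot be a field separator
# for file names, and the NUL-delimited alternative.

# make_fixture: create a constructed directory with three "certificate" files,
# two of whose names contain a tab and a line feed. Prints the directory path.
make_fixture() {
    tab=$(printf '\t')
    nl=$(printf '\nx'); nl=${nl%x}   # $(...) strips trailing newlines, so keep a sentinel
    dir=$(mktemp -d)
    : > "$dir/plain.pem"
    : > "$dir/with${tab}tab.pem"
    : > "$dir/with${nl}newline.pem"
    printf '%s\n' "$dir"
}

# count_naive DIR: the pattern the issue warns about. find prints one name per
# line, so the name containing '\n' is seen as two entries (4 instead of 3).
count_naive() {
    echo $(( $(find "$1" -type f | wc -l) ))
}

# count_safe DIR: -print0 terminates names with NUL, the one byte a POSIX path
# can never contain, and xargs -0 delivers them to the helper as argv rather
# than through a text pipe. The helper here just reports how many it received.
# (xargs may split a very large set across several helper invocations.)
count_safe() {
    find "$1" -type f -print0 | xargs -0 sh -c 'printf "%s\n" "$#"' sh
}

d=$(make_fixture)
echo "naive pipeline sees $(count_naive "$d") files, NUL-delimited pipeline sees $(count_safe "$d")"
rm -rf "$d"
```

The same -print0/-0 pairing applies to the subject-hash collection step: a helper that receives each path in "$@" can hash it with openssl and emit "hash<NUL>path" without ever splitting on whitespace.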
Provide diagnostics on the trust store state and trust source locations
It would be nice if clrtrust automatically ran the appropriate openssl command to convert certificates into PEM format when the clrtrust add command is run. Right now it just skips the certificate.
As of v0.0.5, it is possible that two concurrent executions will result in an incorrectly generated trust store. Access to the section of clrtrust which writes the store at its location, by default /var/cache/ca-certs, must be serialized.
My Clear Linux can curl www.google.com, but can't curl https://cdn.download.clearlinux.org/update, which leads to swupd failing to update.
xfusion@clr-2e01ad7f0f2f4fbe993a50eeba3fe8f2~ $ sudo clrtrust check
xfusion@clr-2e01ad7f0f2f4fbe993a50eeba3fe8f2~ $ curl -k https://cdn.download.clearlinux.org/update/version/format30/latest
36410
xfusion@clr-2e01ad7f0f2f4fbe993a50eeba3fe8f2~ $ curl https://cdn.download.clearlinux.org/update/version/format30/latest
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I've run clrtrust check. But curling https://cdn.download.clearlinux.org/update/version/format30/latest failed due to an SSL problem; curl with -k is OK. However, curling google is OK.
xfusion@clr-2e01ad7f0f2f4fbe993a50eeba3fe8f2/home/sepccpu $ curl www.google.com
<!doctype html><meta content="/images/branding/googleg/1x/goog
My installed version is 36010.
xfusion@clr-2e01ad7f0f2f4fbe993a50eeba3fe8f2~ $ swupd info
Distribution: Clear Linux OS
Installed version: 36010
Version URL: https://cdn.download.clearlinux.org/update
Content URL: https://cdn.download.clearlinux.org/update
OpenSSL's vanilla c_rehash is a perl script. There's no good reason to introduce a dependency on perl for what needs to be accomplished in clrtrust.
Currently the defaults are hard-coded.
The repository needs a README file which would explain the purpose of the tool.
clrtrust places the combined certs under /var/cache/ca-certs/compat.
Some scripts and programs are created to expect the ca-certificates in a specific location - steamCMD for example looks at the Ubuntu/Debian location /etc/ssl/certs/ca-certificates.crt (FreeBSD and other distro users encounter a similar issue here).
A temporary workaround is to do ln -s /var/cache/ca-certs/compat/ca-roots.pem /etc/ssl/certs/ca-certificates.crt. However, when clrtrust generate runs again it will be overwritten.
Ideally programs would have a more robust method for searching the system locations for trusted certificates, but perhaps functionality to generate a .crt in alternate locations can be added, or a change to the way symlinking is done, to allow customization like this with clrtrust.
Before using openssl to validate certificates, clrtrust should look in greater detail at whether the openssl found is really usable (for example, whether openssl x509 can load and process a valid certificate). This is related to #10.
clearlinux/distribution#3 reports an issue that clrtrust (by running openssl x509) fails to validate any of the certificates installed in /usr/share/ca-certs/trusted.
Currently, clrtrust allows invalid certificates in /usr/share/ca-certs/trusted. It should, instead, fail if any certificate in /usr/share/ca-certs/trusted cannot be loaded by openssl. The reasons to fail are the following: 1. in Clear Linux /usr is immutable and should not be modified, and 2. Clear Linux never ships an invalid certificate.
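Two of the requests above, converting whatever clrtrust add is given into PEM instead of silently skipping it, and refusing a trusted-certs directory that holds anything openssl x509 cannot load, can be served by the same pair of helpers. The script below is an added example written for this page, not clrtrust's own code; the function names are hypothetical, and the test inputs (a self-signed certificate, its DER copy, and a junk file) are constructed on the fly with openssl, which the example assumes is installed and usable.

```shell
# Added example, not clrtrust's own code: PEM normalization for `add`, and a
# strict loader check for the trusted directory.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to demonstrate" >&2; exit 0; }

# normalize_cert SRC DST: write SRC to DST as PEM. Accepts PEM or DER input;
# returns 1 (and writes nothing) if openssl x509 cannot load it either way,
# so the caller can report the file instead of skipping it quietly.
normalize_cert() {
    src=$1; dst=$2
    if openssl x509 -in "$src" -inform PEM -noout >/dev/null 2>&1; then
        openssl x509 -in "$src" -inform PEM -outform PEM -out "$dst"
    elif openssl x509 -in "$src" -inform DER -noout >/dev/null 2>&1; then
        openssl x509 -in "$src" -inform DER -outform PEM -out "$dst"
    else
        echo "normalize_cert: $src is neither a PEM nor a DER certificate" >&2
        return 1
    fi
}

# check_trusted_dir DIR: return non-zero if any regular file directly in DIR
# is not a certificate openssl x509 can load, naming every offender on stderr.
# This is the "fail instead of tolerating" behaviour requested for
# /usr/share/ca-certs/trusted; DIR is a parameter so the example never reads /usr.
check_trusted_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || { echo "unloadable certificate: $f" >&2; rc=1; }
    done
    return $rc
}

# make_test_certs DIR: constructed inputs for the demonstration: a throwaway
# self-signed certificate (good.pem), its DER encoding (good.der) and junk.pem.
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=clrtrust-example" \
        -keyout "$1/key.pem" -out "$1/good.pem" >/dev/null 2>&1
    openssl x509 -in "$1/good.pem" -outform DER -out "$1/good.der"
    printf 'not a certificate\n' > "$1/junk.pem"
}

work=$(mktemp -d)
make_test_certs "$work"
mkdir "$work/trusted"
normalize_cert "$work/good.der" "$work/trusted/good-from-der.pem" && echo "DER input converted to PEM"
normalize_cert "$work/junk.pem" "$work/trusted/junk.pem" || echo "junk input rejected (rc $?)"
check_trusted_dir "$work/trusted" && echo "trusted dir: all certificates load"
cp "$work/junk.pem" "$work/trusted/"
check_trusted_dir "$work/trusted" || echo "trusted dir rejected (rc $?)"
rm -rf "$work"
```

Running the loader check before generate also gives the "is this openssl usable at all" signal asked for in #10: if check_trusted_dir fails on every file of a directory that is known to be valid, the problem is the openssl binary, not the certificates.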
Currently, if clrtrust is called with a bad command (e.g. an invalid command), clrtrust hangs. clrtrust should reject invalid commands instead.
Serialization of the store generation was introduced in #12. However, in case /var/lock (a symlink to /run/lock) is absent, clrtrust generate and other commands modifying the store fail ugly, since they are not able to acquire the lock properly and do not handle the error.
Reported in clearlinux/mixer-tools#216.
In the container environment, /var (and more specifically /var/cache) may not be present. If it is not, then clrtrust fails to create the store, but incorrectly reports success:
root@05aa458044d3 / # clrtrust generate
mv: cannot move '/tmp/tmp.SPA2OyVrNc' to '/var/cache/ca-certs': No such file or directory
chmod: cannot access '/var/cache/ca-certs/compat/ca-roots.keystore': No such file or directory
chmod: cannot access '/var/cache/ca-certs/compat/ca-roots.pem': No such file or directory
Trust store generated at /var/cache/ca-certs
root@05aa458044d3 / # echo $?
0
root@05aa458044d3 / # ls /var/
lib lock log run spool tmp
It should diagnose the condition and fail instead.
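The three store-writing issues above (concurrent writers, a missing /var/lock, and a missing /var/cache that still ends in "Trust store generated") share one fix: check the preconditions, take a lock, and make every failure path return non-zero. The script below is an added example of that shape, not clrtrust's code; it uses an atomic mkdir as the lock (portable, no flock dependency), takes the store and lock paths as parameters so it never touches /var, and writes only a constructed placeholder file where the real tool would assemble the bundle. Function names and exit codes are hypothetical.

```shell
# Added example, not clrtrust's own code: a store writer whose exit status
# can be trusted, with distinct codes for "locked", "lock dir missing" and
# "store parent missing".

# acquire_lock LOCKDIR: mkdir is atomic, so exactly one caller wins. Returns
# 1 if another writer holds the lock and 2 if the lock location itself is
# unusable (the absent-/var/lock case), so "busy" and "broken" are separable.
acquire_lock() {
    parent=$(dirname "$1")
    [ -d "$parent" ] || { echo "lock location $parent does not exist" >&2; return 2; }
    mkdir "$1" 2>/dev/null || { echo "store is locked by another process ($1)" >&2; return 1; }
}

release_lock() { rmdir "$1"; }

# generate_store STORE LOCKDIR: verify the destination's parent exists before
# doing any work, build the store in a temp dir on the same filesystem, and
# move it into place with a single rename. Every failure returns non-zero and
# the success message is printed only after the rename succeeded.
generate_store() {
    store=$1; lock=$2
    parent=$(dirname "$store")
    [ -d "$parent" ] || { echo "$parent does not exist; cannot create trust store" >&2; return 3; }
    acquire_lock "$lock" || return $?
    tmp=$(mktemp -d "$parent/.ca-certs.XXXXXX") || { release_lock "$lock"; return 4; }
    # The real bundle assembly would go here; this writes a constructed placeholder.
    printf '%s\n' '# constructed placeholder for ca-roots.pem' > "$tmp/ca-roots.pem"
    chmod 0644 "$tmp/ca-roots.pem"
    if rm -rf "$store" && mv "$tmp" "$store"; then
        release_lock "$lock"
        echo "Trust store generated at $store"
    else
        rm -rf "$tmp"
        release_lock "$lock"
        echo "failed to install trust store at $store" >&2
        return 5
    fi
}

demo=$(mktemp -d)
generate_store "$demo/ca-certs" "$demo/lock/ca-certs.lock"; echo "lock dir missing -> rc $?"
mkdir "$demo/lock"
generate_store "$demo/ca-certs" "$demo/lock/ca-certs.lock"; echo "normal run -> rc $?"
generate_store "$demo/missing/ca-certs" "$demo/lock/ca-certs.lock"; echo "store parent missing -> rc $?"
rm -rf "$demo"
```

A mkdir lock is not released if the holder is killed, so a production version would also record the holder's PID inside the lock directory and treat a dead PID as stale; that detail is left out here to keep the exit-code contract in focus.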
Using the following test.sh script, it can be noticed that the return code for a processing error (trying to add duplicate and non-duplicate certs) is the same as the return code when no new certs are added at all.
This is an issue, as a user is unable to automate cert handling and notice when a cert was added or when it was not just by using the return code.
#!/usr/bin/bash
# test.sh
# generate six self-signed test certs, sub1 .. sub6
for i in 1 2 3 4 5 6; do
    openssl req -x509 -newkey rsa:4096 -keyout sub${i}.key.pem -out sub${i}.cert.pem -days 365 -nodes \
        -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.sub${i}.example.com"
done
echo "adding non-repeated certs set"
clrtrust add sub{1,2}.cert.pem
NON_REPEATED_RC=$?
echo " 'clrtrust add sub{1,2}.cert.pem' returned ${NON_REPEATED_RC}"
echo "adding mixed repeated (sub2.cert.pem) and non-repeated certs set"
clrtrust add sub{2,3,4,5,6}.cert.pem
MIXED_RC=$?
echo " 'clrtrust add sub{2,3,4,5,6}.cert.pem' returned ${MIXED_RC}"
echo "adding all-repeated certs set"
clrtrust add sub{1,2,3,4,5,6}.cert.pem
REPEATED_RC=$?
echo " 'clrtrust add sub{1,2,3,4,5,6}.cert.pem' returned ${REPEATED_RC}"
echo "Expecting MIXED RC != REPEATED RC..."
echo " MIXED RC : ${MIXED_RC}"
echo " REPEATED RC : ${REPEATED_RC}"
The output of the script above is as follows:
# ./test.sh
Generating a 4096 bit RSA private key
...............................................................................................................++
.....................................++
writing new private key to 'sub1.key.pem'
-----
Generating a 4096 bit RSA private key
.....................................................................................++
......................................++
writing new private key to 'sub2.key.pem'
-----
Generating a 4096 bit RSA private key
...........................++
................................................................................................................................................++
writing new private key to 'sub3.key.pem'
-----
Generating a 4096 bit RSA private key
.................................................++
...................................................++
writing new private key to 'sub4.key.pem'
-----
Generating a 4096 bit RSA private key
.................................................................................................................................................................................................................................................................................++
.....................++
writing new private key to 'sub5.key.pem'
-----
Generating a 4096 bit RSA private key
.......................................................................................................................++
..............................................................................++
writing new private key to 'sub6.key.pem'
-----
adding non-repeated certs set
Trust store generated at /var/cache/ca-certs
'clrtrust add sub{1,2}.cert.pem' returned 0
adding mixed repeated(sub2.cert.pem) and-non-repeated certs set
Certificate sub2.cert.pem is already trusted. Not adding duplicates.
Trust store generated at /var/cache/ca-certs
'clrtrust add sub{2,3,4,5,6}.cert.pem' returned 255
adding all-repeated-certs set
Certificate sub1.cert.pem is already trusted. Not adding duplicates.
Certificate sub2.cert.pem is already trusted. Not adding duplicates.
Certificate sub3.cert.pem is already trusted. Not adding duplicates.
Certificate sub4.cert.pem is already trusted. Not adding duplicates.
Certificate sub5.cert.pem is already trusted. Not adding duplicates.
Certificate sub6.cert.pem is already trusted. Not adding duplicates.
Trust store generated at /var/cache/ca-certs
'clrtrust add sub{1,2,3,4,5,6}.cert.pem' returned 255
Expecting MIXED RC != REPEATED RC...
MIXED RC : 255
REPEATED RC : 255
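What the report asks for is an exit-status contract that lets a script distinguish "everything was already trusted" from "something went wrong" from "at least one certificate was added". The script below is an added example of such a contract, not clrtrust's code and not a proposal from the reporter: it models the store as a constructed directory of files named by content checksum (cksum stands in for the subject hash a real implementation would derive with openssl, so the inputs can be plain text), replays the three add calls from test.sh, and adds a fourth call with an unreadable file. Function names and the specific exit codes are hypothetical.

```shell
# Added example, not clrtrust's own code: an `add` front end whose exit status
# separates "nothing new", "some added" and "error".

# cert_id FILE: identity under which a certificate is stored. cksum is a
# stand-in for the subject hash; the point is a stable key per certificate.
cert_id() { cksum < "$1" | cut -d' ' -f1; }

# add_certs STORE FILE...: exit 0 if at least one certificate was newly added,
# 1 if every file was already present (nothing to do), 2 if any file could not
# be read (reported on stderr; the remaining files are still processed).
add_certs() {
    store=$1; shift
    added=0; dup=0; bad=0
    for f; do
        if [ ! -r "$f" ]; then
            echo "Certificate $f cannot be read." >&2
            bad=$((bad + 1))
            continue
        fi
        id=$(cert_id "$f")
        if [ -e "$store/$id.pem" ]; then
            echo "Certificate $f is already trusted. Not adding duplicates."
            dup=$((dup + 1))
        else
            cp "$f" "$store/$id.pem"
            added=$((added + 1))
        fi
    done
    echo "added=$added duplicates=$dup errors=$bad"
    [ "$bad" -eq 0 ] || return 2
    [ "$added" -gt 0 ] || return 1
    return 0
}

# Constructed inputs replaying the test.sh scenario with plain-text stand-ins.
store=$(mktemp -d); src=$(mktemp -d)
for i in 1 2 3 4 5 6; do printf 'constructed cert %s\n' "$i" > "$src/sub$i.cert.pem"; done
add_certs "$store" "$src/sub1.cert.pem" "$src/sub2.cert.pem"; echo "non-repeated -> rc $?"
add_certs "$store" "$src"/sub{2,3,4,5,6}.cert.pem 2>/dev/null || true
add_certs "$store" "$src/sub2.cert.pem" "$src/sub3.cert.pem"; echo "mixed -> rc $?"
add_certs "$store" "$src/sub1.cert.pem" "$src/sub2.cert.pem" "$src/sub3.cert.pem"; echo "all repeated -> rc $?"
add_certs "$store" "$src/sub4.cert.pem" "$src/does-not-exist.pem"; echo "with unreadable file -> rc $?"
rm -rf "$store" "$src"
```

With this contract the test.sh expectation holds (MIXED RC is 0, REPEATED RC is 1), and an automation script can branch on `case $? in 0) ... ;; 1) ... ;; 2) ... ;; esac` rather than parsing the "already trusted" messages.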