clrtrust's People

Contributors

bryteise, busykai, clsulliv, ikeyd, lfelipe, phmccarty, puneetse

clrtrust's Issues

clrtrust will not handle files with line feeds and tabs in their names

By the assumptions in the design, clrtrust will not handle files which have line feeds and tabs in their names.

Line feed ('\n') and tab ('\t') characters should not be used internally as field separators. A few places need to be revisited:

  1. Instead of using a variable with multi-line content to store the certificate information (filename and subject hash), an associative array should be used.

  2. Passing filenames to the helper should be done via the command-line instead of pipe.

  3. Commands using find to find the files and feed them to the subsequent command via pipe should be handling the output properly.

While this issue may not have much practical impact, it should be addressed to remove this unnecessary limitation on the filenames.
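
An added example (not clrtrust's code) of points 2 and 3 above: the same directory scanned through a line-oriented pipe and through find's argv hand-off. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample directory are constructed.

# Constructed sample: three "certificate" files, two with awkward names.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    nl=$(printf '\nx'); nl=${nl%x}      # a literal line feed
    tab=$(printf '\t')
    : > "$d/plain.pem"
    : > "$d/line${nl}feed.pem"
    : > "$d/tab${tab}name.pem"
    printf '%s\n' "$d"
}

# Line-oriented pipe: a name containing '\n' arrives as two bogus records,
# neither of which is an existing path, so that file is silently skipped.
count_certs_piped() {
    find "$1" -type f -name '*.pem' | while IFS= read -r f; do
        if [ -f "$f" ]; then echo x; fi
    done | wc -l | tr -d ' '
}

# argv-based: find hands each path to the helper as its own argument, so no
# byte inside a filename is ever interpreted as a separator.
count_certs_argv() {
    find "$1" -type f -name '*.pem' -exec sh -c '
        for f do
            if [ -f "$f" ]; then echo x; fi
        done' sh {} + | wc -l | tr -d ' '
}
```

On the sample directory the piped variant finds two of the three files, while the argv variant finds all three.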

Automatically convert certificates to PEM

It would be nice if clrtrust automatically ran the appropriate openssl command to convert certificates into the appropriate PEM format when the clrtrust add command is run. Right now it just skips the certificate.

Serialize store write to eliminate race condition

As of v0.0.5, it is possible that two concurrent executions will result in an incorrectly generated trust store. Access to the section of clrtrust which writes the store at its location, by default /var/cache/ca-certs, must be serialized.

clrtrust seems not working with “https://cdn.download.clearlinux.org/update“

My clearLinux can curl www.google.com, but can't curl https://cdn.download.clearlinux.org/update, which leads to swupd failing to update.

xfusion@clr-2e01ad7f0f2f4fbe993a50eeba3fe8f2~ $ sudo clrtrust check
xfusion@clr-2e01ad7f0f2f4fbe993a50eeba3fe8f2~ $ curl -k https://cdn.download.clearlinux.org/update/version/format30/latest
36410
xfusion@clr-2e01ad7f0f2f4fbe993a50eeba3fe8f2~ $ curl https://cdn.download.clearlinux.org/update/version/format30/latest
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I've run clrtrust check. But curling https://cdn.download.clearlinux.org/update/version/format30/latest failed due to an SSL problem; curl with -k is OK. However, curling google is ok.

xfusion@clr-2e01ad7f0f2f4fbe993a50eeba3fe8f2/home/sepccpu $ curl www.google.com
<!doctype html><meta content="/images/branding/googleg/1x/goog

My installed version is 36010.
xfusion@clr-2e01ad7f0f2f4fbe993a50eeba3fe8f2~ $ swupd info
Distribution: Clear Linux OS
Installed version: 36010
Version URL: https://cdn.download.clearlinux.org/update
Content URL: https://cdn.download.clearlinux.org/update

Add README

The repository needs a README file which would explain the purpose of the tool.

Add ability to have full combined certs file under /etc/ssl/certs

clrtrust places the combined certs under /var/cache/ca-certs/compat .

Some scripts and programs are created to expect the ca-certificates in a specific location - steamCMD for example looks at the Ubuntu/Debian location /etc/ssl/certs/ca-certificates.crt (FreeBSD and other distro users encounter a similar issue here)

A temporary workaround is doing a ln -s /var/cache/ca-certs/compat/ca-roots.pem /etc/ssl/certs/ca-certificates.crt. However, when clrtrust generate runs again it will be overwritten.

Ideally programs have a more robust method for searching the system locations for trusted certificates, but perhaps this functionality to generate a .crt in alternate locations can be added or a change to the way symlinking is done to allow customization like this with clrtrust.

clrtrust should not allow invalid certificates in /usr/share/ca-certs

clearlinux/distribution#3 reports an issue that clrtrust (by running openssl x509) fails to validate any of the certificates installed in /usr/share/ca-certs/trusted.

Currently, clrtrust allows invalid certificates in /usr/share/ca-certs/trusted. It should, instead, fail if any certificate in /usr/share/ca-certs/trusted cannot be loaded by openssl. The reason to fail is the following: 1. in Clear Linux /usr is immutable and should not be modified and 2. Clear Linux never ships an invalid certificate.

clrtrust should reject bad commands

Currently if clrtrust is called with a bad command (e.g: invalid command) clrtrust hangs.

clrtrust should reject the invalid commands instead.

clrtrust relies on the /var filesystem being properly created

In the container environment, /var (and more specifically /var/cache) may not be present. If it is not, then clrtrust fails to create the store, but incorrectly reports the success:

root@05aa458044d3 / # clrtrust generate
mv: cannot move '/tmp/tmp.SPA2OyVrNc' to '/var/cache/ca-certs': No such file or directory
chmod: cannot access '/var/cache/ca-certs/compat/ca-roots.keystore': No such file or directory
chmod: cannot access '/var/cache/ca-certs/compat/ca-roots.pem': No such file or directory
Trust store generated at /var/cache/ca-certs
root@05aa458044d3 / # echo $?
0
root@05aa458044d3 / # ls /var/
lib  lock  log  run  spool  tmp

It should diagnose the condition and fail instead.
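
An added example (not clrtrust's code) of a store install step that covers both this issue and the "Serialize store write" issue above: it diagnoses a missing parent directory, checks every step, and holds an exclusive lock while writing. The function name install_store, the lock file name and the exit codes are assumptions; flock(1) from util-linux is assumed to be installed.

```shell
#!/bin/sh
# Added example; install_store and its exit codes are hypothetical names,
# not clrtrust's own code.

# install_store STAGED_DIR STORE_DIR
# Moves a fully generated store into place while holding an exclusive lock.
# The body is a subshell "( ... )", so fd 9 and its lock are released on
# every exit path.
install_store() (
    staged=$1
    store=$2
    parent=$(dirname -- "$store")

    [ -d "$staged" ] || { echo "error: staged store $staged not found" >&2; exit 2; }

    # Diagnose a missing /var/cache (e.g. in a container) before touching anything.
    if [ ! -d "$parent" ] || [ ! -w "$parent" ]; then
        echo "error: $parent is missing or not writable" >&2
        exit 3
    fi

    # One writer at a time: a concurrent run blocks here until the lock is free.
    exec 9>"$parent/.ca-certs.lock" || exit 4
    flock -x 9 || exit 4

    old="$store.old.$$"
    if [ -e "$store" ]; then
        mv -- "$store" "$old" || exit 5
    fi
    if ! mv -- "$staged" "$store"; then
        # Put the previous store back rather than leaving none.
        [ -e "$old" ] && mv -- "$old" "$store"
        exit 5
    fi
    rm -rf -- "$old"

    # Every step is checked, so success is reported only when it is true.
    chmod 0644 "$store/compat/ca-roots.pem" || exit 6
    echo "Trust store generated at $store"
)
```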

return different codes for processing error and general errors

Using the following test.sh script, it can be noticed that the return code for a processing error (trying to add duplicate and non-duplicate certs) is the same as the return code when no new certs are added at all.

This is an issue as the user is unable to automate certs handling and notice when a cert was added or when it was not just by using the return code status.


#!/usr/bin/bash
# test.sh

# generate test certs
openssl req -x509 -newkey rsa:4096 -keyout sub1.key.pem -out sub1.cert.pem -days 365 -nodes -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.sub1.example.com"
openssl req -x509 -newkey rsa:4096 -keyout sub2.key.pem -out sub2.cert.pem -days 365 -nodes -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.sub2.example.com"
openssl req -x509 -newkey rsa:4096 -keyout sub3.key.pem -out sub3.cert.pem -days 365 -nodes -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.sub3.example.com"
openssl req -x509 -newkey rsa:4096 -keyout sub4.key.pem -out sub4.cert.pem -days 365 -nodes -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.sub4.example.com"
openssl req -x509 -newkey rsa:4096 -keyout sub5.key.pem -out sub5.cert.pem -days 365 -nodes -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.sub5.example.com"
openssl req -x509 -newkey rsa:4096 -keyout sub6.key.pem -out sub6.cert.pem -days 365 -nodes -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.sub6.example.com"

echo "adding non-repeated certs set"
clrtrust add sub{1,2}.cert.pem
NON_REPEATED_RC=$?
echo "    'clrtrust add sub{1,2}.cert.pem' returned ${NON_REPEATED_RC}"


echo "adding mixed repeated(sub2.cert.pem) and-non-repeated certs set"
clrtrust add sub{2,3,4,5,6}.cert.pem
MIXED_RC=$?
echo "    'clrtrust add sub{2,3,4,5,6}.cert.pem' returned ${MIXED_RC}"

echo "adding all-repeated-certs set"
clrtrust add sub{1,2,3,4,5,6}.cert.pem
REPEATED_RC=$?
echo "    'clrtrust add sub{1,2,3,4,5,6}.cert.pem' returned ${REPEATED_RC}"

echo "Expecting MIXED RC != REPEATED RC..."
echo " MIXED RC    : ${MIXED_RC}"
echo " REPEATED RC : ${REPEATED_RC}"

The output of the following script is as follows:

# ./test.sh
Generating a 4096 bit RSA private key
...............................................................................................................++
.....................................++
writing new private key to 'sub1.key.pem'
-----
Generating a 4096 bit RSA private key
.....................................................................................++
......................................++
writing new private key to 'sub2.key.pem'
-----
Generating a 4096 bit RSA private key
...........................++
................................................................................................................................................++                                                                                           
writing new private key to 'sub3.key.pem'
-----
Generating a 4096 bit RSA private key
.................................................++
...................................................++
writing new private key to 'sub4.key.pem'
-----
Generating a 4096 bit RSA private key
.................................................................................................................................................................................................................................................................................++
.....................++
writing new private key to 'sub5.key.pem'
-----
Generating a 4096 bit RSA private key
.......................................................................................................................++                                                                                                                    
..............................................................................++
writing new private key to 'sub6.key.pem'
-----
adding non-repeated certs set
Trust store generated at /var/cache/ca-certs
    'clrtrust add sub{1,2}.cert.pem' returned 0
adding mixed repeated(sub2.cert.pem) and-non-repeated certs set
Certificate sub2.cert.pem is already trusted. Not adding duplicates.
Trust store generated at /var/cache/ca-certs
    'clrtrust add sub{2,3,4,5,6}.cert.pem' returned 255
adding all-repeated-certs set
Certificate sub1.cert.pem is already trusted. Not adding duplicates.
Certificate sub2.cert.pem is already trusted. Not adding duplicates.
Certificate sub3.cert.pem is already trusted. Not adding duplicates.
Certificate sub4.cert.pem is already trusted. Not adding duplicates.
Certificate sub5.cert.pem is already trusted. Not adding duplicates.
Certificate sub6.cert.pem is already trusted. Not adding duplicates.
Trust store generated at /var/cache/ca-certs
    'clrtrust add sub{1,2,3,4,5,6}.cert.pem' returned 255
Expecting MIXED RC != REPEATED RC...
 MIXED RC    : 255
 REPEATED RC : 255
