From: Arnout Vandecappelle <arnout@mind.be>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH v2 1/3] package/ca-certificates: don't hash certificates.crt
Date: Sun, 21 Oct 2018 14:15:10 +0100	[thread overview]
Message-ID: <96e0d9ee-e017-9745-4fae-eaa535e77118@mind.be> (raw)
In-Reply-To: <CAFGQKxcC+jryJo8RBHU00ATeRqMqmbTn_+4jcgHqj+_=kH0mLw@mail.gmail.com>

 Hi Martin,

 Sorry for the late reply.

On 21/06/2018 23:04, Martin Bark wrote:
> Thomas,
> 
> On 18 June 2018 at 15:39, Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:
>> Hello,
>>
>> On Mon, 18 Jun 2018 10:51:34 +0100, Martin Bark wrote:
>>
>>>> output/target$ ls -l etc/ssl/certs/128805a3.0
>>>> lrwxrwxrwx 1 thomas thomas 35 Jun 17 20:58 etc/ssl/certs/128805a3.0 -> EE_Certification_Centre_Root_CA.pem
>>>
>>> Did you check other hashes under etc/ssl/certs/ ? Check for any hashes
>>> that link to ca-certificates.crt. I suspect you have a different hash
>>> pointing to ca-certificates.
>>
>> There are no files in /etc/ssl/certs that are symlinks to
>> ca-certificates.crt:
>>
>> output/target$ ls -l etc/ssl/certs/| grep ca-certificates.crt
>> -rw-r--r-- 1 thomas thomas 207436 Jun 18 15:30 ca-certificates.crt
> 
> I did some more testing and found sometimes by chance it does work,
> however, i was able to reproduce the issue as follows
> 
>  docker run -it --rm buildroot/base:20180318.1724 bash
>  git clone git://git.busybox.net/buildroot
>  cd buildroot
>  make olddefconfig
>  make ca-certificates
> 
> you will see an output like this at the end of the build
> 
>  # Create symlinks to the certificates by their hash values
>  /home/br-user/buildroot/output/host/bin/c_rehash
> /home/br-user/buildroot/output/target/etc/ssl/certs
>  Doing /home/br-user/buildroot/output/target/etc/ssl/certs
>  WARNING: Skipping duplicate certificate OpenTrust_Root_CA_G1.pem
> 
> and one of the hashes will be wrong
> 
>  $ ls -l output/target/etc/ssl/certs/| grep ca-certificates.crt
>  lrwxrwxrwx 1 br-user br-user     19 Jun 21 21:52 87229d21.0 ->
> ca-certificates.crt
> 
> the incorrect hash is the one mentioned in the warning

 So, if I understand correctly, what happens is this:

1. certificates get installed in /etc/ssl/certs.

2. All the certificates are bundled into a ca-certificates.crt file.

3. c_rehash is run. It looks at each certificate, calculates the hash, and
creates a symlink from that hash to the certificate.

 The problem is that if ca-certificates.crt exists already, c_rehash will take
some random certificate from it and create a symlink to ca-certificates.crt
instead of to the real certificate file. But depending on the order of
evaluation of the different certificate files, it may actually make the symlink
point to the real certificate.

 What you propose looks like the right solution for it. Except in the case of a
rebuild, so you should remove /etc/ssl/ca-certificates.crt before running
c_rehash. That would also remove the need for patch 2, I think.

 Could you check if I'm correct, and if so, resubmit the series with:

- the additional rm -f;
- a commit message that includes the explanation above;
- patch 2 dropped.

 If patch 2 really is needed, it needs a better explanation.


 Regards,
 Arnout

> 
>  $ ls -l /etc/ssl/certs/87229d21.0
>  lrwxrwxrwx 1 root root 24 Mar 18 16:30 /etc/ssl/certs/87229d21.0 ->
> OpenTrust_Root_CA_G1.pem
> 
> The key issue is the
> 
>   WARNING: Skipping duplicate certificate xxxxx
> 
> where xxxx is the name of one of the files under etc/ssl/certs.
> Sometimes it's ca-certificates.crt and hence you don't see any issue
> (as you found).  Sometimes it's one of the CA files, which is the bug
> I'm trying to fix.  You can run c_rehash directly
> 
>  ./output/host/bin/c_rehash ./output/target/etc/ssl/certs
> 
> and you will see the warning.  If you rm
> output/target/etc/ssl/certs/ca-certificates.crt and try again then the
> warning will go.
> 
> I had not realised quite how random the bug is.  It certainly is not
> always EE_Certification_Centre_Root_CA.pem, it can be any CA that goes
> wrong.  The commit message could be changed to make it clearer the bug
> does not always happen to EE_Certification_Centre_Root_CA.pem but I'm
> 100% sure this is a bug that needs fixing.
> 
> Thanks
> 
> Martin
> 
>>
>> Best regards,
>>
>> Thomas
>> --
>> Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
>> Embedded Linux and Kernel engineering
>> https://bootlin.com
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
> 

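The order dependence Arnout describes in steps 1-3 above can be made concrete with a small model of c_rehash's per-file loop. This is an added example for this archive page, not Buildroot, OpenSSL or c_rehash code: the real script calls `openssl x509 -hash -fingerprint -noout -in FILE`, which reads only the first certificate in FILE and uses the X.509 subject-name hash plus the SHA-1 fingerprint; here both are stood in for by SHA-1 of the first PEM block's body, and the "certificates" are constructed PEM-shaped strings, not real X.509 data. File names other than ca-certificates.crt are invented.

```python
"""Model of c_rehash's per-file loop: why a bundle in the same directory makes
the hash symlinks depend on readdir() order.  Added illustration, not the
project's code; hash/fingerprint are stand-ins (see lead-in)."""
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def first_cert_body(pem_text):
    """Return the body of the FIRST certificate block in a file, or None.
    c_rehash only ever looks at the first certificate of a file, so a bundle
    'looks like' whichever certificate happens to come first in it."""
    m = PEM_BLOCK.search(pem_text)
    return re.sub(r"\s+", "", m.group(1)) if m else None


def stand_in_hash_and_fingerprint(body):
    """Stand-in for `openssl x509 -hash -fingerprint`.  The real tool uses the
    subject-name hash (8 hex digits) and the SHA-1 fingerprint of the DER;
    both are derived here from SHA-1 of the PEM body (constructed)."""
    digest = hashlib.sha1(body.encode()).hexdigest()
    return digest[:8], digest


def rehash(files):
    """files: ordered list of (filename, pem_text) in readdir() order.
    Returns ({'<hash>.0': target}, [warnings]).  Like c_rehash, a fingerprint
    already seen is skipped with a warning, and the link goes to whichever
    file carried that fingerprint first."""
    links, seen, warnings = {}, set(), []
    for name, text in files:
        body = first_cert_body(text)
        if body is None:
            continue
        h, fp = stand_in_hash_and_fingerprint(body)
        if fp in seen:
            warnings.append(f"WARNING: Skipping duplicate certificate {name}")
            continue
        seen.add(fp)
        links[f"{h}.0"] = name
    return links, warnings


def make_pem(label):
    """Constructed PEM-shaped sample; the body is NOT a real certificate."""
    body = hashlib.sha256(label.encode()).hexdigest()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


ROOT_A = make_pem("Root_CA_A")            # hypothetical CA file contents
ROOT_B = make_pem("Root_CA_B")
BUNDLE = ROOT_B + ROOT_A                  # bundle whose first entry is Root_CA_B

# Lucky order: individual files first, so the bundle is the duplicate.
GOOD_ORDER = [("Root_CA_A.pem", ROOT_A), ("Root_CA_B.pem", ROOT_B),
              ("ca-certificates.crt", BUNDLE)]
# Unlucky order: readdir() yields the bundle first, so Root_CA_B.pem is
# skipped and its hash link points at ca-certificates.crt.
BAD_ORDER = [("ca-certificates.crt", BUNDLE), ("Root_CA_A.pem", ROOT_A),
             ("Root_CA_B.pem", ROOT_B)]


def without_bundle(files):
    """The fix discussed in the thread: the bundle is not present (rm -f'd, or
    never hashed) when c_rehash runs."""
    return [f for f in files if f[0] != "ca-certificates.crt"]


def link_target_for(files, cert_pem):
    """Which file does the <hash>.0 link for cert_pem end up pointing at?"""
    h, _ = stand_in_hash_and_fingerprint(first_cert_body(cert_pem))
    return rehash(files)[0].get(f"{h}.0")


if __name__ == "__main__":
    for label, order in (("good", GOOD_ORDER), ("bad", BAD_ORDER),
                         ("fixed", without_bundle(BAD_ORDER))):
        links, warnings = rehash(order)
        print(label, links, warnings)
```

Only the file that reaches the loop first for a given fingerprint gets the symlink, and the bundle contributes exactly one fingerprint (its first certificate), which is why the warning names ca-certificates.crt on a lucky run and a real CA file on an unlucky one; removing the bundle from the directory before rehashing removes the duplicate entirely.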

Thread overview: 12+ messages
2018-06-16 22:05 [Buildroot] [PATCH v2 0/3] package/ca-certificates improvements Martin Bark
2018-06-16 22:05 ` [Buildroot] [PATCH v2 1/3] package/ca-certificates: don't hash certificates.crt Martin Bark
2018-06-17 19:25   ` Thomas Petazzoni
2018-06-18  9:51     ` Martin Bark
2018-06-18 14:39       ` Thomas Petazzoni
2018-06-21 22:04         ` Martin Bark
2018-10-21 13:15           ` Arnout Vandecappelle [this message]
2018-10-21 13:38             ` Arnout Vandecappelle
2018-10-21 14:03               ` Martin Bark
2018-10-24 12:32               ` Peter Korsgaard
2018-06-16 22:06 ` [Buildroot] [PATCH v2 2/3] package/ca-certificates: fix rebuilds Martin Bark
2018-06-16 22:06 ` [Buildroot] [PATCH v2 3/3] package/ca-certificates: create ca-certificates.crt reproducibly Martin Bark
