[Buildroot] [PATCH v2 1/3] package/ca-certificates: don't hash certificates.crt

From: Martin Bark <martin@barkynet.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH v2 1/3] package/ca-certificates: don't hash certificates.crt
Date: Sun, 21 Oct 2018 15:03:36 +0100	[thread overview]
Message-ID: <CAFGQKxcvLzLzbumZJ7d6WTurK8huQTtCPG94TDns4tW=jQy9gw@mail.gmail.com> (raw)
In-Reply-To: <baa8cebb-20a7-2dc2-a80b-c380721ff0ec@mind.be>

Arnout,

On Sun, 21 Oct 2018 at 14:38, Arnout Vandecappelle <arnout@mind.be> wrote:
>
>
> On 21/10/2018 14:15, Arnout Vandecappelle wrote:
> >  Hi Martin,
> >
> >  Sorry for the late reply,
> >
> > On 21/06/2018 23:04, Martin Bark wrote:
> >> Thomas,
> >>
> >> On 18 June 2018 at 15:39, Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:
> >>> Hello,
> >>>
> >>> On Mon, 18 Jun 2018 10:51:34 +0100, Martin Bark wrote:
> >>>
> >>>>> output/target$ ls -l etc/ssl/certs/128805a3.0
> >>>>> lrwxrwxrwx 1 thomas thomas 35 Jun 17 20:58 etc/ssl/certs/128805a3.0 -> EE_Certification_Centre_Root_CA.pem
> >>>> Did you check other hashes under etc/ssl/certs/ ? Check for any hashes
> >>>> that link to ca-certificates.crt. I suspect you have a different hash
> >>>> pointing to ca-certificates.
> >>> There are no files in /etc/ssl/certs that are symlinks to
> >>> ca-certificates.crt:
> >>>
> >>> output/target$ ls -l etc/ssl/certs/| grep ca-certificates.crt
> >>> -rw-r--r-- 1 thomas thomas 207436 Jun 18 15:30 ca-certificates.crt
> >> I did some more testing and found sometimes by chance it does work,
> >> however, i was able to reproduce the issue as follows
> >>
> >>  docker run -it --rm buildroot/base:20180318.1724 bash
> >>  git clone git://git.busybox.net/buildroot
> >>  cd buildroot
> >>  make olddefconfig
> >>  make ca-certificates
> >>
> >> you will see an output like this at the end of the build
> >>
> >>  # Create symlinks to the certificates by their hash values
> >>  /home/br-user/buildroot/output/host/bin/c_rehash
> >> /home/br-user/buildroot/output/target/etc/ssl/certs
> >>  Doing /home/br-user/buildroot/output/target/etc/ssl/certs
> >>  WARNING: Skipping duplicate certificate OpenTrust_Root_CA_G1.pem
> >>
> >> and one the the hashes will be wrong
> >>
> >>  $ ls -l output/target/etc/ssl/certs/| grep ca-certificates.crt
> >>  lrwxrwxrwx 1 br-user br-user     19 Jun 21 21:52 87229d21.0 ->
> >> ca-certificates.crt
> >>
> >> the incorrect hash is the one mentioned in the warning
> >  So, if I understand correctly, what happens is this:
> >
> > 1. certificates get installed in /etc/ssl/certs.
> >
> > 2. All the certificates are bundled into a ca-certificates.crt file.
> >
> > 3. c_rehash is run. It looks at each certificate, calculates the hash, and
> > creates a symlink from that hash to the certificate.
> >
> >  The problem is that if ca-certificates.crt exists already, c_rehash will take
> > some random certificate from it and create a symlink to ca-certificates.crt
> > instead of to the real certificate file. But depending on the order of
> > evaluation of the different certificate files, it may actually make the symlink
> > point to the real certificate.
> >
> >  What you propose looks like the good solution for it. Except in case of
> > rebuild, so you should remove /etc/ssl/ca-certificates.crt before running
> > c_rehash. That would also remove the need for patch 2 I think.
> >
> >  Could you check if I'm correct, and if so, resubmit the series with:
> >
> > - the additional rm -f;
> > - a commit message that includes the explanation above;
> > - drops patch 2.
> >
> >  If patch 2 really is needed, it needs a better explanation.
>
>  Investigating a bit more turns out that I was rather wrong. The rm -f is
> already there, as correctly noted in your commit message. And patch 2 really is
> needed, it fixes a completely different set of duplicates.
>
>
>  So I've extended the commit message a little and applied to master, thanks.

Thanks for committing the patches.

Martin

>
>
>  Regards,
>  Arnout
>
>
> >
> >
> >  Regards,
> >  Arnout
> >
> >>  $ ls -l /etc/ssl/certs/87229d21.0
> >>  lrwxrwxrwx 1 root root 24 Mar 18 16:30 /etc/ssl/certs/87229d21.0 ->
> >> OpenTrust_Root_CA_G1.pem
> >>
> >> The key issue is the
> >>
> >>   WARNING: Skipping duplicate certificate xxxxx
> >>
> >> where xxxx is the name of one of the files under etc/ssl/certs.
> >> Sometimes it's ca-certificates.crt and hence you don't see any issue
> >> (as you found).  Sometime it's one of the CA files which is the bug
> >> i'm trying to fix.  You can run c_rehash directly
> >>
> >>  ./output/host/bin/c_rehash ./output/target/etc/ssl/certs
> >>
> >> and you will see the warning.  If you rm
> >> output/target/etc/ssl/certs/ca-certificates.crt and try again then the
> >> warning will go.
> >>
> >> I had not released quite how random the bug.  It certainly is not
> >> always EE_Certification_Centre_Root_CA.pem, it can be any CA that goes
> >> wrong.  The commit message could be changed to make it clearer the bug
> >> does not allows happen to EE_Certification_Centre_Root_CA.pem but i'm
> >> 100% sure this is a bug that needs fixing.
> >>
> >> Thanks
> >>
> >> Martin
> >>
> >>> Best regards,
> >>>
> >>> Thomas
> >>> --
> >>> Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
> >>> Embedded Linux and Kernel engineering
> >>> https://bootlin.com
> >> _______________________________________________
> >> buildroot mailing list
> >> buildroot at busybox.net
> >> http://lists.busybox.net/mailman/listinfo/buildroot
> >>