* [PATCH 1/3] libtasn1: Enable nativesdk support
From: Philippe Normand @ 2019-05-30 13:47 UTC
  To: openembedded-core

This is required before enabling p11-kit support by default in gnutls.

Signed-off-by: Philippe Normand <philn@igalia.com>
---
 meta/recipes-support/gnutls/libtasn1_4.13.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/gnutls/libtasn1_4.13.bb b/meta/recipes-support/gnutls/libtasn1_4.13.bb
index 9ee1913091..ea2dfe03fd 100644
--- a/meta/recipes-support/gnutls/libtasn1_4.13.bb
+++ b/meta/recipes-support/gnutls/libtasn1_4.13.bb
@@ -20,4 +20,4 @@ SRC_URI[sha256sum] = "7e528e8c317ddd156230c4e31d082cd13e7ddeb7a54824be8263220955
 
 inherit autotools texinfo lib_package gtk-doc
 
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"
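
Review bot: The commit message does not say what needs a nativesdk libtasn1, and the changed BBCLASSEXTEND line is the whole patch. The only rationale is the sentence reused verbatim in 2/3 about p11-kit support in gnutls. Name the consumer in the message (presumably the nativesdk p11-kit variant added in 2/3) so the ordering of the series is clear from the log.
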
-- 
2.20.1




* [PATCH 2/3] p11-kit: Enable nativesdk and trust-paths option
From: Philippe Normand @ 2019-05-30 13:47 UTC
  To: openembedded-core

This is required before enabling p11-kit support by default in gnutls.

Signed-off-by: Philippe Normand <philn@igalia.com>
---
 meta/recipes-support/p11-kit/p11-kit_0.23.16.1.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-support/p11-kit/p11-kit_0.23.16.1.bb b/meta/recipes-support/p11-kit/p11-kit_0.23.16.1.bb
index 54455da1bb..c4ed7c34f3 100644
--- a/meta/recipes-support/p11-kit/p11-kit_0.23.16.1.bb
+++ b/meta/recipes-support/p11-kit/p11-kit_0.23.16.1.bb
@@ -14,7 +14,7 @@ S = "${WORKDIR}/git"
 
 AUTOTOOLS_AUXDIR = "${S}/build/litter"
 
-PACKAGECONFIG ??= ""
+PACKAGECONFIG ??= "trust-paths"
 PACKAGECONFIG[trust-paths] = "--with-trust-paths=/etc/ssl/certs/ca-certificates.crt,--without-trust-paths,,ca-certificates"
 
 # This recipe does not use the standard gtk-doc m4 macros, and so the ./configure flags
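
Review bot: Switching the default on the PACKAGECONFIG ??= line activates the trust-paths entry on the context line below it, which hard-codes /etc/ssl/certs/ca-certificates.crt. With BBCLASSEXTEND = "nativesdk" added later in this patch, that absolute path is also passed to the SDK build, where sysconfdir is not /etc. Use ${sysconfdir}/ssl/certs/ca-certificates.crt in the --with-trust-paths value. The new default also pulls in ca-certificates at runtime through the entry's fourth field for every image that ships p11-kit, which deserves a mention in the commit message.
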
@@ -44,3 +44,5 @@ FILES_${PN} += " \
 
 # PN contains p11-kit-proxy.so, a symlink to a loadable module
 INSANE_SKIP_${PN} = "dev-so"
+
+BBCLASSEXTEND = "nativesdk"
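
Review bot: BBCLASSEXTEND on the added line lists only nativesdk, while 1/3 extends libtasn1 to "native nativesdk". 3/3 puts p11-kit into the default PACKAGECONFIG of gnutls, so if gnutls is also built as a native recipe (not visible in this series) it would need a native p11-kit that this line does not provide. Either add native here or state in the commit message why it is not needed.
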
-- 
2.20.1




* [PATCH 3/3] gnutls: Add a config option to enable the pkcs11 trust store
From: Philippe Normand @ 2019-05-30 13:47 UTC
  To: openembedded-core

Since version 2.60 the glib-networking TLS database relies on GnuTLS's system
trust store, so not enabling it leads to TLS errors in applications depending on
glib-networking. The raised runtime warning is:

process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS database: Failed to load system trust store: GnuTLS was not configured with a system trust
(app:490): ... TLS Error: TLS certificate  has unknown CA.

This new option is enabled by default because it is what glib-networking now
expects. Disabling this option would break certificate validation for all
applications directly or indirectly (via libsoup for instance) depending on glib-networking.
---
 meta/recipes-support/gnutls/gnutls_3.6.7.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-support/gnutls/gnutls_3.6.7.bb b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
index e05dc2b57d..48684678bb 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.7.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
@@ -26,7 +26,7 @@ SRC_URI[sha256sum] = "5b3409ad5aaf239808730d1ee12fdcd148c0be00262c7edf157af655a8
 
 inherit autotools texinfo pkgconfig gettext lib_package gtk-doc
 
-PACKAGECONFIG ??= "libidn"
+PACKAGECONFIG ??= "libidn p11-kit pkcs11-trust-store"
 
 # You must also have CONFIG_SECCOMP enabled in the kernel for
 # seccomp to work.
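
Review bot: The new default on the PACKAGECONFIG ??= line makes p11-kit a build dependency of every gnutls build, yet the commit message motivates it only through glib-networking. Builds that do not ship glib-networking take on the extra dependency and a different trust store source without asking for either. Consider leaving the recipe default at "libidn" and enabling the two options from the distro or image configuration that includes glib-networking, or explain in the message why a recipe-wide default is preferred.
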
@@ -35,6 +35,8 @@ PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
 PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1"
 PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
 PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
+PACKAGECONFIG[pkcs11-trust-store] = "--with-default-trust-store-pkcs11=pkcs11:,,"
+
 
 EXTRA_OECONF = " \
     --enable-doc \
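
Review bot: The added PACKAGECONFIG[pkcs11-trust-store] entry leaves its disable and dependency fields empty, so nothing ties it to the p11-kit option it relies on. A PACKAGECONFIG that sets pkcs11-trust-store without p11-kit would pass --with-default-trust-store-pkcs11=pkcs11: together with --without-p11-kit. Either fold the flag into the enable field of the p11-kit entry or add p11-kit to the depends field here. The hunk also adds a second blank line before EXTRA_OECONF, and the commit message carries no Signed-off-by line, unlike 1/3 and 2/3.
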
-- 
2.20.1




* Re: [PATCH 2/3] p11-kit: Enable nativesdk and trust-paths option
From: Burton, Ross @ 2019-06-05 16:09 UTC
  To: Philippe Normand; +Cc: OE-core

On Thu, 30 May 2019 at 14:48, Philippe Normand <philn@igalia.com> wrote:
> +PACKAGECONFIG ??= "trust-paths"
>  PACKAGECONFIG[trust-paths] = "--with-trust-paths=/etc/ssl/certs/ca-certificates.crt,--without-trust-paths,,ca-certificates"

Should that be /etc?  Or $(sysconfdir)?  Especially in native and
nativesdk builds.

Ross



* Re: [PATCH 2/3] p11-kit: Enable nativesdk and trust-paths option
From: Philippe Normand @ 2019-06-05 16:33 UTC
  To: Burton, Ross; +Cc: OE-core

Hi Ross,

Thanks for the review!

On Wed, 2019-06-05 at 17:09 +0100, Burton, Ross wrote:
> On Thu, 30 May 2019 at 14:48, Philippe Normand <philn@igalia.com>
> wrote:
> > +PACKAGECONFIG ??= "trust-paths"
> >  PACKAGECONFIG[trust-paths] = "--with-trust-
> > paths=/etc/ssl/certs/ca-certificates.crt,--without-trust-paths,,ca-
> > certificates"
> 
> Should that be /etc?  Or $(sysconfdir)?  Especially in native and
> nativesdk builds.
> 

Yeah you're right, hardcoding /etc might not be a good idea. I kind of
abandoned this patch series though, since it was decided to not make
gnutls depend on p11-kit for the time being. This patch was merged
instead:

https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=4babb468b856f495ef828ee21cefb266ed58bd28

Do you think a follow-up is needed? I'm sorry I didn't know about
$(sysconfdir) before.

Philippe





* Re: [PATCH 2/3] p11-kit: Enable nativesdk and trust-paths option
From: Burton, Ross @ 2019-06-06  9:47 UTC
  To: Philippe Normand; +Cc: OE-core

On Wed, 5 Jun 2019 at 17:33, Philippe Normand <philn@igalia.com> wrote:
> Yeah you're right, hardcoding /etc might not be a good idea. I kind of
> abandoned this patch series though, since it was decided to not make
> gnutls depend on p11-kit for the time being. This patch was merged
> instead:
>
> https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=4babb468b856f495ef828ee21cefb266ed58bd28
>
> Do you think a follow-up is needed? I'm sorry I didn't know about
> $(sysconfdir) before.

Sorry, my fault for not looking at the patch queue for a while.

Yes that should use ${sysconfdir}.

Ross

