add(app-misc/ca-certificates): Add new CA cert package.

This package is based exclusively on the Mozilla certificate store distributed in their NSS library and adopts NSS's version accordingly. It replaces the previous Gentoo package which came directly from Debian. The Debian package package had a couple issues we didn't like: - Trusts the http://cacert.org root CA which isn't the worst thing in the world to do but seems like a really bad default policy to ship. - update-ca-certificates had a confusing configuration/hook scheme which seemed almost useful but completely obnoxious and useless to CoreOS at the same time. systemd-tmpfiles plus a simpler script does a better job for us. The python script certdata2pem.py came from Debian's source package ca-certificates_20130119 and modified slightly. It is only used at build-time to convert the file format used by NSS to PEM files. The old packages used dates as the version, this one uses the NSS library the certificate store came from as the version. This may cause an issue if packages from Gentoo depend on >=ca-certificates-20080809 or similar. Currently the only packages in Gentoo that do so are sci-misc/boinc and www-client/epiphany, neither of which will ever be needed in CoreOS so we should be OK.
2025-08-17 01:46:58 +02:00 · 2014-02-19 17:10:13 -08:00 · 2014-02-19 17:10:13 -08:00 · 1e25d77df7
commit 1e25d77df7
parent f1e075510b
9 changed files with 225 additions and 8 deletions
--- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest
@ -0,0 +1 @@
+DIST nss-3.15.5.tar.gz 6367893 SHA256 1442c85624b7de74c7745132a65aa0de47d280c4f01f293d111bc0b6d8271f43 SHA512 4db27ea98f17f1a5bc6f513455497945fc35957f573b3ac7e730b166fbe0e8fd741c188187c578faf361d969db63d83ff8ccf15ac2b8ca72a367f33a018695ca WHIRLPOOL c3c687ac53dca571d1c45bdf4a80e192ca58da07e06ef56de7ac9736480c97689dd12d14351860764b70a1d823092a1ddbc471328c4bae4a899edd0e331c8aee
--- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.15.5.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.15.5.ebuild
@ -0,0 +1,58 @@
+# Copyright 2014 The CoreOS Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+inherit cros-tmpfiles python-any-r1 systemd
+
+RTM_NAME="NSS_${PV//./_}_RTM"
+MY_PN="nss"
+MY_P="${MY_PN}-${PV}"
+S="${WORKDIR}"
+
+DESCRIPTION="Mozilla's CA Certificate Store"
+HOMEPAGE="http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/"
+SRC_URI="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${MY_P}.tar.gz"
+
+# NSS is licensed under the MPL, files/certdata2pem.py is GPL
+LICENSE="MPL-2.0 GPL-2"
+SLOT="0"
+KEYWORDS="amd64"
+IUSE=""
+
+RDEPEND="dev-libs/openssl
+	sys-apps/findutils"
+DEPEND="${RDEPEND}
+	${PYTHON_DEPS}"
+
+gen_tmpfiles() {
+	local certfile
+	echo "d	/etc/ssl		-	-	-	-	-"
+	echo "d	/etc/ssl/certs	-	-	-	-	-"
+	for certfile in "$@"; do
+		local l="/etc/ssl/certs/${certfile##*/}"
+		local p="../../../usr/share/${PN}/${certfile}"
+		echo "L	${l}	-	-	-	-	${p}"
+	done
+}
+
+src_compile() {
+	local certdata="${MY_P}/nss/lib/ckfw/builtins/certdata.txt"
+	${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" mozilla || die
+	gen_tmpfiles mozilla/*.pem > ${PN}.conf || die
+}
+
+src_install() {
+	insinto /usr/share/${PN}
+	doins -r mozilla
+
+	dosbin "${FILESDIR}/update-ca-certificates"
+	systemd_dounit "${FILESDIR}/update-ca-certificates.service"
+	systemd_enable_service sysinit.target update-ca-certificates.service
+	systemd_dotmpfilesd ${PN}.conf
+
+	# Setup initial links in /etc
+	dodir /etc/ssl/certs
+	tmpfiles_create
+	bash "${FILESDIR}/update-ca-certificates" "${D}/etc/ssl/certs" || die
+}
--- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/certdata2pem.py
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/certdata2pem.py
@ -0,0 +1,123 @@
+#!/usr/bin/python
+# vim:set et sw=4:
+#
+# certdata2pem.py - splits certdata.txt into multiple files
+#
+# Copyright (C) 2009 Philipp Kern <pkern@debian.org>
+# Copyright (C) 2014 The CoreOS Authors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+# USA.
+
+import base64
+import os.path
+import re
+import sys
+import textwrap
+
+if len(sys.argv) != 3:
+    sys.stderr.write("Usage: certdata2pem.py certdata.txt output_dir\n")
+    sys.exit(1)
+
+certdata = sys.argv[1]
+output_dir = sys.argv[2]
+objects = []
+
+# Dirty file parser.
+in_data, in_multiline, in_obj = False, False, False
+field, type, value, obj = None, None, None, dict()
+for line in open(certdata, 'r'):
+    # Ignore the file header.
+    if not in_data:
+        if line.startswith('BEGINDATA'):
+            in_data = True
+        continue
+    # Ignore comment lines.
+    if line.startswith('#'):
+        continue
+    # Empty lines are significant if we are inside an object.
+    if in_obj and len(line.strip()) == 0:
+        objects.append(obj)
+        obj = dict()
+        in_obj = False
+        continue
+    if len(line.strip()) == 0:
+        continue
+    if in_multiline:
+        if not line.startswith('END'):
+            if type == 'MULTILINE_OCTAL':
+                line = line.strip()
+                for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
+                    value += chr(int(i.group(1), 8))
+            else:
+                value += line
+            continue
+        obj[field] = value
+        in_multiline = False
+        continue
+    if line.startswith('CKA_CLASS'):
+        in_obj = True
+    line_parts = line.strip().split(' ', 2)
+    if len(line_parts) > 2:
+        field, type = line_parts[0:2]
+        value = ' '.join(line_parts[2:])
+    elif len(line_parts) == 2:
+        field, type = line_parts
+        value = None
+    else:
+        raise NotImplementedError, 'line_parts < 2 not supported.'
+    if type == 'MULTILINE_OCTAL':
+        in_multiline = True
+        value = ""
+        continue
+    obj[field] = value
+if len(obj.items()) > 0:
+    objects.append(obj)
+
+# Build up trust database.
+trust = dict()
+for obj in objects:
+    if obj['CKA_CLASS'] not in ('CKO_NETSCAPE_TRUST', 'CKO_NSS_TRUST'):
+        continue
+    elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
+                                          'CKT_NSS_TRUSTED_DELEGATOR'):
+        trust[obj['CKA_LABEL']] = True
+    elif obj['CKA_TRUST_EMAIL_PROTECTION'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
+                                               'CKT_NSS_TRUSTED_DELEGATOR'):
+        trust[obj['CKA_LABEL']] = True
+    else:
+        print "Ignoring certificate %s.  SAUTH=%s, EPROT=%s" % \
+              (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
+               obj['CKA_TRUST_EMAIL_PROTECTION'])
+
+if not os.path.isdir(output_dir):
+    os.makedirs(output_dir)
+os.chdir(output_dir)
+
+for obj in objects:
+    if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
+        if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+            continue
+        fname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+                                      .replace(' ', '_')\
+                                      .replace('(', '=')\
+                                      .replace(')', '=')\
+                                      .replace(',', '_') + '.pem'
+        fname = fname.decode('string_escape')
+        f = open(fname, 'w')
+        f.write("-----BEGIN CERTIFICATE-----\n")
+        f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
+        f.write("\n-----END CERTIFICATE-----\n")
+
--- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates
@ -0,0 +1,27 @@
+#!/bin/bash
+
+CERTSDIR="${1:-${ROOT}/etc/ssl/certs}"
+
+if [[ ! -w "${CERTSDIR}" ]]; then
+    echo "Error: SSL certificate directory ${CERTSDIR} isn't writable" >&2
+    exit 1
+fi
+
+set -e
+
+echo "Pruning broken links in ${CERTSDIR}"
+find -L "${CERTSDIR}" -type l -delete
+
+echo "Rehashing certificate files in ${CERTSDIR}"
+c_rehash "${CERTSDIR}"
+
+CERTBUNDLE="${CERTSDIR}/ca-certificates.crt"
+if [[ ! -e "${CERTBUNDLE}" || "${CERTSDIR}" -nt "${CERTBUNDLE}" ]]; then
+    echo "Recreating certificate bundle ${CERTBUNDLE}"
+    TEMPBUNDLE=$(mktemp "${CERTBUNDLE}.XXXXXXXXXX")
+    trap "rm -f '${CERTSDIR}/${TEMPBUNDLE}'" EXIT
+    # Use .0 instead of .pem to pull in only what c_rehash validated
+    cat "${CERTSDIR}"/*.0 > "${TEMPBUNDLE}"
+    mv -f "${TEMPBUNDLE}" "${CERTBUNDLE}"
+    trap - EXIT
+fi
--- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service
@ -0,0 +1,12 @@
+[Unit]
+Description=Update CA Certificates in /etc/ssl/certs
+# Since other services depend on the certificate store run this early
+DefaultDependencies=no
+Wants=systemd-tmpfiles-setup.service
+After=systemd-tmpfiles-setup.service
+Before=sysinit.target
+ConditionPathIsReadWrite=/etc/ssl/certs
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/update-ca-certificates
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r159.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r159.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
@ -140,11 +140,6 @@ RDEPEND="${RDEPEND}
 	sys-fs/squashfs-tools
 	"

-# Host dependency used by the chromeos-base/root-certificates ebuild
-RDEPEND="${RDEPEND}
-	>=app-misc/ca-certificates-20090709-r6
-	"
-
 # Host dependencies that are needed for delta_generator.
 RDEPEND="${RDEPEND}
 	coreos-base/update_engine
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@ -80,9 +80,6 @@
 # Really really hoping this fixes our compile issues
 =dev-lang/python-2.7.6 ~amd64

-# Hopefully includes some certs folks have been missing
-=app-misc/ca-certificates-20130906 ~amd64
-
 # Kills an annoying warning
 =app-admin/eselect-1.4

--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask
@ -14,3 +14,7 @@

 # Stick with python 2 for now
 >=dev-lang/python-3
+
+# Require our ca-certificates package based directly on Mozilla's
+# certificate store provided in NSS rather than the Gentoo/Debian package.
+>=app-misc/ca-certificates-20000000
				`@ -0,0 +1 @@`
				`DIST nss-3.15.5.tar.gz 6367893 SHA256 1442c85624b7de74c7745132a65aa0de47d280c4f01f293d111bc0b6d8271f43 SHA512 4db27ea98f17f1a5bc6f513455497945fc35957f573b3ac7e730b166fbe0e8fd741c188187c578faf361d969db63d83ff8ccf15ac2b8ca72a367f33a018695ca WHIRLPOOL c3c687ac53dca571d1c45bdf4a80e192ca58da07e06ef56de7ac9736480c97689dd12d14351860764b70a1d823092a1ddbc471328c4bae4a899edd0e331c8aee`