From 1e25d77df78705b8aeb71dbbfd592daaa5847de0 Mon Sep 17 00:00:00 2001 
From: Michael Marineau Date: Wed, 19 Feb 2014 17:10:13 -0800 Subject: [PATCH] add(app-misc/ca-certificates): Add new CA cert package. This package is based exclusively on the Mozilla certificate store distributed in their NSS library and adopts NSS's version accordingly. It replaces the previous Gentoo package which came directly from Debian. The Debian package had a couple issues we didn't like: - Trusts the http://cacert.org root CA which isn't the worst thing in the world to do but seems like a really bad default policy to ship. - update-ca-certificates had a confusing configuration/hook scheme which seemed almost useful but completely obnoxious and useless to CoreOS at the same time. systemd-tmpfiles plus a simpler script does a better job for us. The python script certdata2pem.py came from Debian's source package ca-certificates_20130119 and was modified slightly. It is only used at build-time to convert the file format used by NSS to PEM files. The old packages used dates as the version, this one uses the NSS library the certificate store came from as the version. This may cause an issue if packages from Gentoo depend on >=ca-certificates-20080809 or similar. Currently the only packages in Gentoo that do so are sci-misc/boinc and www-client/epiphany, neither of which will ever be needed in CoreOS so we should be OK.
--- .../app-misc/ca-certificates/Manifest | 1 + .../ca-certificates-3.15.5.ebuild | 58 +++++++++ .../ca-certificates/files/certdata2pem.py | 123 ++++++++++++++++++ .../files/update-ca-certificates | 27 ++++ .../files/update-ca-certificates.service | 12 ++ ...ld => hard-host-depends-0.0.1-r159.ebuild} | 0 .../hard-host-depends-0.0.1.ebuild | 5 - .../coreos/base/package.accept_keywords | 3 - .../profiles/coreos/base/package.mask | 4 + 9 files changed, 225 insertions(+), 8 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest create mode 100644 sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.15.5.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/certdata2pem.py create mode 100644 sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates create mode 100644 sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service rename sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/{hard-host-depends-0.0.1-r158.ebuild => hard-host-depends-0.0.1-r159.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest
new file mode 100644
index 0000000000..b57272ae02
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/Manifest
@@ -0,0 +1 @@
+DIST nss-3.15.5.tar.gz 6367893 SHA256 1442c85624b7de74c7745132a65aa0de47d280c4f01f293d111bc0b6d8271f43 SHA512 4db27ea98f17f1a5bc6f513455497945fc35957f573b3ac7e730b166fbe0e8fd741c188187c578faf361d969db63d83ff8ccf15ac2b8ca72a367f33a018695ca WHIRLPOOL c3c687ac53dca571d1c45bdf4a80e192ca58da07e06ef56de7ac9736480c97689dd12d14351860764b70a1d823092a1ddbc471328c4bae4a899edd0e331c8aee
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.15.5.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.15.5.ebuild
new file mode 100644
index 0000000000..3b78ac4b7a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.15.5.ebuild
@@ -0,0 +1,58 @@
+# Copyright 2014 The CoreOS Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+inherit cros-tmpfiles python-any-r1 systemd
+
+RTM_NAME="NSS_${PV//./_}_RTM"
+MY_PN="nss"
+MY_P="${MY_PN}-${PV}"
+S="${WORKDIR}"
+
+DESCRIPTION="Mozilla's CA Certificate Store"
+HOMEPAGE="http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/"
+SRC_URI="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${MY_P}.tar.gz"
+
+# NSS is licensed under the MPL, files/certdata2pem.py is GPL
+LICENSE="MPL-2.0 GPL-2"
+SLOT="0"
+KEYWORDS="amd64"
+IUSE=""
+
+RDEPEND="dev-libs/openssl
+ sys-apps/findutils"
+DEPEND="${RDEPEND}
+ ${PYTHON_DEPS}"
+
+gen_tmpfiles() {
+ local certfile
+ echo "d /etc/ssl - - - - -"
+ echo "d /etc/ssl/certs - - - - -"
+ for certfile in "$@"; do
+ local l="/etc/ssl/certs/${certfile##*/}"
+ local p="../../../usr/share/${PN}/${certfile}"
+ echo "L ${l} - - - - ${p}"
+ done
+}
+
+src_compile() {
+ local certdata="${MY_P}/nss/lib/ckfw/builtins/certdata.txt"
+ ${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" mozilla || die
+ gen_tmpfiles mozilla/*.pem > ${PN}.conf || die
+}
+
+src_install() {
+ insinto /usr/share/${PN}
+ doins -r mozilla
+
+ dosbin "${FILESDIR}/update-ca-certificates"
+ systemd_dounit "${FILESDIR}/update-ca-certificates.service"
+ systemd_enable_service sysinit.target update-ca-certificates.service
+ systemd_dotmpfilesd ${PN}.conf
+
+ # Setup initial links in /etc
+ dodir /etc/ssl/certs
+ tmpfiles_create
+ bash "${FILESDIR}/update-ca-certificates" "${D}/etc/ssl/certs" || die
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/certdata2pem.py b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/certdata2pem.py
new file mode 100644
index 0000000000..a54b723c0e
--- /dev/null
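Review bot: `src_compile` cannot notice an empty certificate store: `gen_tmpfiles` always returns 0, so the `|| die` on `gen_tmpfiles mozilla/*.pem > ${PN}.conf || die` only fires if the redirection itself fails, and if certdata2pem.py produces no files the unexpanded glob `mozilla/*.pem` is written into the tmpfiles config as a literal link target and the package installs with no trust anchors at all. Collect the glob into an array and fail early, e.g. `local certs=( mozilla/*.pem )`, `[[ -f ${certs[0]} ]] || die "no certificates extracted from ${certdata}"`, then `gen_tmpfiles "${certs[@]}" > "${PN}.conf" || die`. While there, `${PYTHON}` and `${PN}.conf` in `src_compile`/`src_install` should be double-quoted for consistency with the other expansions in the ebuild.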
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/certdata2pem.py 
@@ -0,0 +1,123 @@
+#!/usr/bin/python
+# vim:set et sw=4:
+#
+# certdata2pem.py - splits certdata.txt into multiple files
+#
+# Copyright (C) 2009 Philipp Kern
+# Copyright (C) 2014 The CoreOS Authors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+# USA.
+
+import base64
+import os.path
+import re
+import sys
+import textwrap
+
+if len(sys.argv) != 3:
+ sys.stderr.write("Usage: certdata2pem.py certdata.txt output_dir\n")
+ sys.exit(1)
+
+certdata = sys.argv[1]
+output_dir = sys.argv[2]
+objects = []
+
+# Dirty file parser.
+in_data, in_multiline, in_obj = False, False, False
+field, type, value, obj = None, None, None, dict()
+for line in open(certdata, 'r'):
+ # Ignore the file header.
+ if not in_data:
+ if line.startswith('BEGINDATA'):
+ in_data = True
+ continue
+ # Ignore comment lines.
+ if line.startswith('#'):
+ continue
+ # Empty lines are significant if we are inside an object.
+ if in_obj and len(line.strip()) == 0:
+ objects.append(obj)
+ obj = dict()
+ in_obj = False
+ continue
+ if len(line.strip()) == 0:
+ continue
+ if in_multiline:
+ if not line.startswith('END'):
+ if type == 'MULTILINE_OCTAL':
+ line = line.strip()
+ for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
+ value += chr(int(i.group(1), 8))
+ else:
+ value += line
+ continue
+ obj[field] = value
+ in_multiline = False
+ continue
+ if line.startswith('CKA_CLASS'):
+ in_obj = True
+ line_parts = line.strip().split(' ', 2)
+ if len(line_parts) > 2:
+ field, type = line_parts[0:2]
+ value = ' '.join(line_parts[2:])
+ elif len(line_parts) == 2:
+ field, type = line_parts
+ value = None
+ else:
+ raise NotImplementedError, 'line_parts < 2 not supported.'
+ if type == 'MULTILINE_OCTAL':
+ in_multiline = True
+ value = ""
+ continue
+ obj[field] = value
+if len(obj.items()) > 0:
+ objects.append(obj)
+
+# Build up trust database.
+trust = dict()
+for obj in objects:
+ if obj['CKA_CLASS'] not in ('CKO_NETSCAPE_TRUST', 'CKO_NSS_TRUST'):
+ continue
+ elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
+ 'CKT_NSS_TRUSTED_DELEGATOR'):
+ trust[obj['CKA_LABEL']] = True
+ elif obj['CKA_TRUST_EMAIL_PROTECTION'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
+ 'CKT_NSS_TRUSTED_DELEGATOR'):
+ trust[obj['CKA_LABEL']] = True
+ else:
+ print "Ignoring certificate %s. 
SAUTH=%s, EPROT=%s" % \
+ (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
+ obj['CKA_TRUST_EMAIL_PROTECTION'])
+
+if not os.path.isdir(output_dir):
+ os.makedirs(output_dir)
+os.chdir(output_dir)
+
+for obj in objects:
+ if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
+ if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+ continue
+ fname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+ .replace(' ', '_')\
+ .replace('(', '=')\
+ .replace(')', '=')\
+ .replace(',', '_') + '.pem'
+ fname = fname.decode('string_escape')
+ f = open(fname, 'w')
+ f.write("-----BEGIN CERTIFICATE-----\n")
+ f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
+ f.write("\n-----END CERTIFICATE-----\n")
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates
new file mode 100644
index 0000000000..60840d89ff
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+CERTSDIR="${1:-${ROOT}/etc/ssl/certs}"
+
+if [[ ! -w "${CERTSDIR}" ]]; then
+ echo "Error: SSL certificate directory ${CERTSDIR} isn't writable" >&2
+ exit 1
+fi
+
+set -e
+
+echo "Pruning broken links in ${CERTSDIR}"
+find -L "${CERTSDIR}" -type l -delete
+
+echo "Rehashing certificate files in ${CERTSDIR}"
+c_rehash "${CERTSDIR}"
+
+CERTBUNDLE="${CERTSDIR}/ca-certificates.crt"
+if [[ ! -e "${CERTBUNDLE}" || "${CERTSDIR}" -nt "${CERTBUNDLE}" ]]; then
+ echo "Recreating certificate bundle ${CERTBUNDLE}"
+ TEMPBUNDLE=$(mktemp "${CERTBUNDLE}.XXXXXXXXXX")
+ trap "rm -f '${CERTSDIR}/${TEMPBUNDLE}'" EXIT
+ # Use .0 instead of .pem to pull in only what c_rehash validated
+ cat "${CERTSDIR}"/*.0 > "${TEMPBUNDLE}"
+ mv -f "${TEMPBUNDLE}" "${CERTBUNDLE}"
+ trap - EXIT
+fi
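Review bot: The trust loop's branch `elif obj['CKA_TRUST_EMAIL_PROTECTION'] in (...)` marks a CA as trusted when it is a trusted delegator for e-mail protection only, and the export loop then writes it next to the server-auth CAs; because the ebuild turns every file in the output directory into an /etc/ssl/certs link and the ca-certificates.crt bundle, S/MIME-only roots end up trusted for TLS server authentication. Since this package only feeds the OpenSSL store, consider dropping that branch (or exporting only CKA_TRUST_SERVER_AUTH delegators) so the remaining roots fall through to the existing "Ignoring certificate" message. A second ordering issue: the label is sanitised with `.replace('/', '_')` and friends before `fname = fname.decode('string_escape')`, so any escape sequence that decodes to one of the replaced characters survives into the filename; decode first, then replace. The handle from `f = open(fname, 'w')` is never closed, so `with open(fname, 'w') as f:` around the three writes would be cleaner. The main loop and file header at the start of this hunk continue from the previous lines of the patch.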
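Review bot: The cleanup trap never removes the temporary bundle: `mktemp "${CERTBUNDLE}.XXXXXXXXXX"` returns an absolute path already inside `${CERTSDIR}`, so `trap "rm -f '${CERTSDIR}/${TEMPBUNDLE}'" EXIT` points at a path that does not exist and a failing `cat` (under `set -e`) leaves a partial `ca-certificates.crt.XXXXXXXXXX` in the store. Change it to `trap 'rm -f -- "${TEMPBUNDLE}"' EXIT`; the single-quoted form also avoids the breakage the current double-quoted string has when the directory name contains a single quote. Separately, `cat "${CERTSDIR}"/*.0` only picks up the first link per subject hash, so certificates whose hash collides (c_rehash names those `.1`, `.2`, …) are silently left out of the bundle; `"${CERTSDIR}"/*.[0-9]` matches what c_rehash actually produced.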
diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service
new file mode 100644
index 0000000000..63b05895d1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/files/update-ca-certificates.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update CA Certificates in /etc/ssl/certs
+# Since other services depend on the certificate store run this early
+DefaultDependencies=no
+Wants=systemd-tmpfiles-setup.service
+After=systemd-tmpfiles-setup.service
+Before=sysinit.target
+ConditionPathIsReadWrite=/etc/ssl/certs
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/update-ca-certificates
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r158.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r159.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r158.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1-r159.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
index f0b69edfad..6bdbde0029 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
@@ -140,11 +140,6 @@ RDEPEND="${RDEPEND} sys-fs/squashfs-tools " -# Host dependency used by the chromeos-base/root-certificates ebuild -RDEPEND="${RDEPEND} - >=app-misc/ca-certificates-20090709-r6 - " - # Host dependencies that are needed for delta_generator. RDEPEND="${RDEPEND} coreos-base/update_engine diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 98a3216c36..06a52fde4e 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -80,9 +80,6 @@ # Really really hoping this fixes our compile issues =dev-lang/python-2.7.6 ~amd64 -# Hopefully includes some certs folks have been missing -=app-misc/ca-certificates-20130906 ~amd64 - # Kills an annoying warning =app-admin/eselect-1.4 diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask index 50234ab62f..f4a4e0090b 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.mask @@ -14,3 +14,7 @@ # Stick with python 2 for now >=dev-lang/python-3 + +# Require our ca-certificates package based directly on Mozilla's +# certificate store provided in NSS rather than the Gentoo/Debian package. +>=app-misc/ca-certificates-20000000