[Buildroot] [PATCH v2 1/3] package/ca-certificates: don't hash certificates.crt

Arnout Vandecappelle arnout at mind.be
Sun Oct 21 13:38:14 UTC 2018


On 21/10/2018 14:15, Arnout Vandecappelle wrote:
>  Hi Martin,
>
>  Sorry for the late reply,
>
> On 21/06/2018 23:04, Martin Bark wrote:
>> Thomas,
>>
>> On 18 June 2018 at 15:39, Thomas Petazzoni <thomas.petazzoni at bootlin.com> wrote:
>>> Hello,
>>>
>>> On Mon, 18 Jun 2018 10:51:34 +0100, Martin Bark wrote:
>>>
>>>>> output/target$ ls -l etc/ssl/certs/128805a3.0
>>>>> lrwxrwxrwx 1 thomas thomas 35 Jun 17 20:58 etc/ssl/certs/128805a3.0 -> EE_Certification_Centre_Root_CA.pem
>>>> Did you check other hashes under etc/ssl/certs/ ? Check for any hashes
>>>> that link to ca-certificates.crt. I suspect you have a different hash
>>>> pointing to ca-certificates.
>>> There are no files in /etc/ssl/certs that are symlinks to
>>> ca-certificates.crt:
>>>
>>> output/target$ ls -l etc/ssl/certs/| grep ca-certificates.crt
>>> -rw-r--r-- 1 thomas thomas 207436 Jun 18 15:30 ca-certificates.crt
>> I did some more testing and found sometimes by chance it does work,
>> however, i was able to reproduce the issue as follows
>>
>>  docker run -it --rm buildroot/base:20180318.1724 bash
>>  git clone git://git.busybox.net/buildroot
>>  cd buildroot
>>  make olddefconfig
>>  make ca-certificates
>>
>> you will see an output like this at the end of the build
>>
>>  # Create symlinks to the certificates by their hash values
>>  /home/br-user/buildroot/output/host/bin/c_rehash
>> /home/br-user/buildroot/output/target/etc/ssl/certs
>>  Doing /home/br-user/buildroot/output/target/etc/ssl/certs
>>  WARNING: Skipping duplicate certificate OpenTrust_Root_CA_G1.pem
>>
>> and one the the hashes will be wrong
>>
>>  $ ls -l output/target/etc/ssl/certs/| grep ca-certificates.crt
>>  lrwxrwxrwx 1 br-user br-user     19 Jun 21 21:52 87229d21.0 ->
>> ca-certificates.crt
>>
>> the incorrect hash is the one mentioned in the warning
>  So, if I understand correctly, what happens is this:
>
> 1. certificates get installed in /etc/ssl/certs.
>
> 2. All the certificates are bundled into a ca-certificates.crt file.
>
> 3. c_rehash is run. It looks at each certificate, calculates the hash, and
> creates a symlink from that hash to the certificate.
>
>  The problem is that if ca-certificates.crt exists already, c_rehash will take
> some random certificate from it and create a symlink to ca-certificates.crt
> instead of to the real certificate file. But depending on the order of
> evaluation of the different certificate files, it may actually make the symlink
> point to the real certificate.
>
>  What you propose looks like the good solution for it. Except in case of
> rebuild, so you should remove /etc/ssl/ca-certificates.crt before running
> c_rehash. That would also remove the need for patch 2 I think.
>
>  Could you check if I'm correct, and if so, resubmit the series with:
>
> - the additional rm -f;
> - a commit message that includes the explanation above;
> - drops patch 2.
>
>  If patch 2 really is needed, it needs a better explanation.

 Investigating a bit more turns out that I was rather wrong. The rm -f is
already there, as correctly noted in your commit message. And patch 2 really is
needed, it fixes a completely different set of duplicates.


 So I've extended the commit message a little and applied to master, thanks.


 Regards,
 Arnout


>
>
>  Regards,
>  Arnout
>
>>  $ ls -l /etc/ssl/certs/87229d21.0
>>  lrwxrwxrwx 1 root root 24 Mar 18 16:30 /etc/ssl/certs/87229d21.0 ->
>> OpenTrust_Root_CA_G1.pem
>>
>> The key issue is the
>>
>>   WARNING: Skipping duplicate certificate xxxxx
>>
>> where xxxx is the name of one of the files under etc/ssl/certs.
>> Sometimes it's ca-certificates.crt and hence you don't see any issue
>> (as you found).  Sometime it's one of the CA files which is the bug
>> i'm trying to fix.  You can run c_rehash directly
>>
>>  ./output/host/bin/c_rehash ./output/target/etc/ssl/certs
>>
>> and you will see the warning.  If you rm
>> output/target/etc/ssl/certs/ca-certificates.crt and try again then the
>> warning will go.
>>
>> I had not released quite how random the bug.  It certainly is not
>> always EE_Certification_Centre_Root_CA.pem, it can be any CA that goes
>> wrong.  The commit message could be changed to make it clearer the bug
>> does not allows happen to EE_Certification_Centre_Root_CA.pem but i'm
>> 100% sure this is a bug that needs fixing.
>>
>> Thanks
>>
>> Martin
>>
>>> Best regards,
>>>
>>> Thomas
>>> --
>>> Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
>>> Embedded Linux and Kernel engineering
>>> https://bootlin.com
>> _______________________________________________
>> buildroot mailing list
>> buildroot at busybox.net
>> http://lists.busybox.net/mailman/listinfo/buildroot
>>


More information about the buildroot mailing list