[Buildroot] [PATCH v2 1/3] package/ca-certificates: don't hash certificates.crt
Arnout Vandecappelle
arnout at mind.be
Sun Oct 21 13:38:14 UTC 2018
On 21/10/2018 14:15, Arnout Vandecappelle wrote:
> Hi Martin,
>
> Sorry for the late reply,
>
> On 21/06/2018 23:04, Martin Bark wrote:
>> Thomas,
>>
>> On 18 June 2018 at 15:39, Thomas Petazzoni <thomas.petazzoni at bootlin.com> wrote:
>>> Hello,
>>>
>>> On Mon, 18 Jun 2018 10:51:34 +0100, Martin Bark wrote:
>>>
>>>>> output/target$ ls -l etc/ssl/certs/128805a3.0
>>>>> lrwxrwxrwx 1 thomas thomas 35 Jun 17 20:58 etc/ssl/certs/128805a3.0 -> EE_Certification_Centre_Root_CA.pem
>>>> Did you check other hashes under etc/ssl/certs/ ? Check for any hashes
>>>> that link to ca-certificates.crt. I suspect you have a different hash
>>>> pointing to ca-certificates.
>>> There are no files in /etc/ssl/certs that are symlinks to
>>> ca-certificates.crt:
>>>
>>> output/target$ ls -l etc/ssl/certs/| grep ca-certificates.crt
>>> -rw-r--r-- 1 thomas thomas 207436 Jun 18 15:30 ca-certificates.crt
>> I did some more testing and found that sometimes, by chance, it does work;
>> however, I was able to reproduce the issue as follows
>>
>> docker run -it --rm buildroot/base:20180318.1724 bash
>> git clone git://git.busybox.net/buildroot
>> cd buildroot
>> make olddefconfig
>> make ca-certificates
>>
>> you will see an output like this at the end of the build
>>
>> # Create symlinks to the certificates by their hash values
>> /home/br-user/buildroot/output/host/bin/c_rehash /home/br-user/buildroot/output/target/etc/ssl/certs
>> Doing /home/br-user/buildroot/output/target/etc/ssl/certs
>> WARNING: Skipping duplicate certificate OpenTrust_Root_CA_G1.pem
>>
>> and one of the hashes will be wrong
>>
>> $ ls -l output/target/etc/ssl/certs/| grep ca-certificates.crt
>> lrwxrwxrwx 1 br-user br-user 19 Jun 21 21:52 87229d21.0 -> ca-certificates.crt
>>
>> the incorrect hash is the one mentioned in the warning
> So, if I understand correctly, what happens is this:
>
> 1. certificates get installed in /etc/ssl/certs.
>
> 2. All the certificates are bundled into a ca-certificates.crt file.
>
> 3. c_rehash is run. It looks at each certificate, calculates the hash, and
> creates a symlink from that hash to the certificate.
>
> The problem is that if ca-certificates.crt exists already, c_rehash will take
> some random certificate from it and create a symlink to ca-certificates.crt
> instead of to the real certificate file. But depending on the order of
> evaluation of the different certificate files, it may actually make the symlink
> point to the real certificate.
>
> What you propose looks like the good solution for it. Except in case of
> rebuild, so you should remove /etc/ssl/ca-certificates.crt before running
> c_rehash. That would also remove the need for patch 2 I think.
>
> Could you check if I'm correct, and if so, resubmit the series with:
>
> - the additional rm -f;
> - a commit message that includes the explanation above;
> - drops patch 2.
>
> If patch 2 really is needed, it needs a better explanation.
Investigating a bit more, it turns out that I was rather wrong. The rm -f is
already there, as correctly noted in your commit message. And patch 2 really is
needed: it fixes a completely different set of duplicates.
So I've extended the commit message a little and applied to master, thanks.
Regards,
Arnout
>
>
> Regards,
> Arnout
>
>> $ ls -l /etc/ssl/certs/87229d21.0
>> lrwxrwxrwx 1 root root 24 Mar 18 16:30 /etc/ssl/certs/87229d21.0 -> OpenTrust_Root_CA_G1.pem
>>
>> The key issue is the
>>
>> WARNING: Skipping duplicate certificate xxxxx
>>
>> where xxxx is the name of one of the files under etc/ssl/certs.
>> Sometimes it's ca-certificates.crt and hence you don't see any issue
>> (as you found). Sometimes it's one of the CA files, which is the bug
>> I'm trying to fix. You can run c_rehash directly
>>
>> ./output/host/bin/c_rehash ./output/target/etc/ssl/certs
>>
>> and you will see the warning. If you rm
>> output/target/etc/ssl/certs/ca-certificates.crt and try again then the
>> warning will go.
>>
>> I had not realised quite how random the bug is. It certainly is not
>> always EE_Certification_Centre_Root_CA.pem; it can be any CA that goes
>> wrong. The commit message could be changed to make it clearer that the bug
>> does not always happen to EE_Certification_Centre_Root_CA.pem, but I'm
>> 100% sure this is a bug that needs fixing.
>>
>> Thanks
>>
>> Martin
>>
>>> Best regards,
>>>
>>> Thomas
>>> --
>>> Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
>>> Embedded Linux and Kernel engineering
>>> https://bootlin.com
>> _______________________________________________
>> buildroot mailing list
>> buildroot at busybox.net
>> http://lists.busybox.net/mailman/listinfo/buildroot
>>
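The collision discussed in this thread can be reproduced outside Buildroot. The script below is an added example, not Buildroot's package code nor OpenSSL's c_rehash: it generates three constructed self-signed CA files, concatenates them into a ca-certificates.crt bundle, and runs a small shell loop that mirrors what c_rehash does (per file: take the subject hash and fingerprint of the first certificate in the file, create <hash>.<n> -> file, and print "WARNING: Skipping duplicate certificate" for a later file whose hash and fingerprint are already linked). Because "openssl x509" only reads the first certificate of a file, the bundle is indistinguishable from the CA that happens to come first in it, so whichever of the two is enumerated first gets the symlink. The file order is passed explicitly here to make the behaviour deterministic; the real tool takes directory order, which is why the bug looked random. The certificate names and subjects are constructed for the demo, and the openssl CLI must be on PATH.

```shell
#!/bin/sh
# Added example (not Buildroot or OpenSSL code): c_rehash-style hash links
# versus a CA bundle living in the same directory. Requires the openssl CLI.

# Create three constructed self-signed "root CA" files in $1.
make_demo_certs() {
    dir=$1
    mkdir -p "$dir"
    for name in Demo_Root_A Demo_Root_B Demo_Root_C; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=Constructed Example/CN=$name" \
            -keyout /dev/null -out "$dir/$name.pem" 2>/dev/null
    done
}

# Mimic c_rehash on the files named in $2.., in that order: hash and
# fingerprint come from the FIRST certificate in each file (all that
# "openssl x509" reads, so a bundle looks like its first CA). A file whose
# (hash, fingerprint) pair was already linked is reported as a duplicate and
# skipped, i.e. the first file enumerated wins the symlink.
rehash_like_c_rehash() {
    dir=$1; shift
    rm -f "$dir"/*.[0-9]*
    seen=" "
    for f in "$@"; do
        hash=$(openssl x509 -noout -subject_hash -in "$dir/$f")
        fp=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/$f" | sed 's/^.*=//; s/://g')
        suffix=0
        while [ -e "$dir/$hash.$suffix" ]; do
            case "$seen" in
                *" $hash.$suffix=$fp "*)
                    echo "WARNING: Skipping duplicate certificate $f" >&2
                    continue 2 ;;
            esac
            suffix=$((suffix + 1))
        done
        ln -s "$f" "$dir/$hash.$suffix"
        seen="$seen$hash.$suffix=$fp "
    done
}

# The check to run on a certs directory such as output/target/etc/ssl/certs:
# how many hash links resolve to the bundle instead of to a CA file?
links_to_bundle() {
    n=0
    for l in "$1"/*.[0-9]*; do
        if [ -L "$l" ] && [ "$(readlink "$l")" = "ca-certificates.crt" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Prints "<bad> <good>": the links-to-bundle count when the bundle is present
# during rehash and enumerated before Demo_Root_A.pem, then after the fix
# (rm -f the bundle before rehashing, concatenate it afterwards).
demo() {
    tmp=$(mktemp -d)
    make_demo_certs "$tmp"
    cat "$tmp"/*.pem > "$tmp/ca-certificates.crt"   # starts with Demo_Root_A

    # Buggy order: the bundle takes Demo_Root_A's hash; A.pem is "duplicate".
    rehash_like_c_rehash "$tmp" ca-certificates.crt \
        Demo_Root_A.pem Demo_Root_B.pem Demo_Root_C.pem
    bad=$(links_to_bundle "$tmp")

    # Fix: no bundle in the directory while hashing, rebuild it after.
    rm -f "$tmp/ca-certificates.crt"
    rehash_like_c_rehash "$tmp" Demo_Root_A.pem Demo_Root_B.pem Demo_Root_C.pem
    cat "$tmp"/*.pem > "$tmp/ca-certificates.crt"
    good=$(links_to_bundle "$tmp")

    rm -rf "$tmp"
    echo "$bad $good"
}

if [ "${1:-}" = "run" ]; then
    demo
fi
```

Run it as `sh rehash-demo.sh run` (the file name is arbitrary); the first rehash prints the duplicate warning for Demo_Root_A.pem and the script ends with "1 0". The links_to_bundle check is the useful part on a real Buildroot output: a non-zero count means a CA is reachable by hash only through the bundle, which works for OpenSSL lookups by accident of the first certificate but is not the layout the package intends.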