From 9bf988861be113a7068a71d86dd3ddb9eeffd43c Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Wed, 28 Aug 2024 15:32:17 +0200 Subject: [PATCH] update-ca-trust: make a copy of directory-hash symlinks in ../tls/certs Resolves: RHEL-50293 - update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs - Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default --- ca-certificates.spec | 82 +++++++++++++++++++------------------------ update-ca-trust | 37 ++++++++++--------- update-ca-trust.8.txt | 6 +++- 3 files changed, 60 insertions(+), 65 deletions(-) diff --git a/ca-certificates.spec b/ca-certificates.spec index 8354361..de69340 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -1,7 +1,6 @@ %define pkidir %{_sysconfdir}/pki %define catrustdir %{_sysconfdir}/pki/ca-trust %define classic_tls_bundle ca-bundle.crt -%define openssl_format_trust_bundle ca-bundle.trust.crt %define p11_format_bundle ca-bundle.trust.p11-kit %define legacy_default_bundle ca-bundle.legacy.default.crt %define legacy_disable_bundle ca-bundle.legacy.disable.crt @@ -38,7 +37,7 @@ Name: ca-certificates Version: 2024.2.69_v8.0.303 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 101.1%{?dist} +Release: 101.2%{?dist} License: MIT AND GPL-2.0-or-later URL: https://fedoraproject.org/wiki/CA-Certificates 
@@ -235,33 +234,11 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem -touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} -chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle} chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle} touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin -# /etc/ssl is provided in a Debian compatible form for (bad) code that -# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882 -ln -s %{catrustdir}/extracted/pem/directory-hash \ - $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs -ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ - $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem -ln -s /etc/pki/tls/openssl.cnf \ - $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf -ln -s /etc/pki/tls/ct_log_list.cnf \ - $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf -# legacy filenames -ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ - $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem -ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ - $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle} -ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \ - $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle} -ln -s %{catrustdir}/extracted/%{java_bundle} \ - $RPM_BUILD_ROOT%{pkidir}/%{java_bundle} - # Populate %%{catrustdir}/extracted/pem/directory-hash. # # First direct p11-kit-trust.so to the generated bundle (not the one 
@@ -291,16 +268,39 @@ trust-policy: yes x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source' EOF +# Extract the trust anchors to the directory-hash format. trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \ - --purpose server-auth \ - $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash + --purpose server-auth \ + $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -# Create a temporary file with the list of (%ghost )files in the directory-hash. -find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt -sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt # Clean up the temporary module config. rm -f "$trust_module_config" +find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type l \ + -regextype posix-extended -regex '.*/[0-9a-f]{8}\.[0-9]+' \ + -exec cp -P {} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ \; +# Create a temporary file with the list of (%ghost )files in the directory-hash and their copies +find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt +find $RPM_BUILD_ROOT%{pkidir}/tls/certs -type l -regextype posix-extended \ + -regex '.*/[0-9a-f]{8}\.[0-9]+' >> .files.txt + +sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt + +# /etc/ssl is provided in a Debian compatible form for (bad) code that +# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882 +ln -s %{pkidir}/tls/certs \ + $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs +ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ + $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem +ln -s /etc/pki/tls/openssl.cnf \ + $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf +ln -s /etc/pki/tls/ct_log_list.cnf \ + $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf +# legacy filenames +ln -s %{catrustdir}/extracted/%{java_bundle} \ + $RPM_BUILD_ROOT%{pkidir}/%{java_bundle} +ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ + $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle} %clean /usr/bin/chmod u+w 
$RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash @@ -308,6 +308,10 @@ rm -rf $RPM_BUILD_ROOT %pre if [ $1 -gt 1 ] ; then + # Remove the old symlinks + rm -f %{pkidir}/tls/cert.pem + rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt + # Upgrade or Downgrade. # If the classic filename is a regular file, then we are upgrading # from an old package and we will move it to an .rpmsave backup file. @@ -339,17 +343,6 @@ if [ $1 -gt 1 ] ; then fi fi fi - - if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then - # no backup yet - if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then - # a file exists - if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then - # it's an old regular file, not a link - mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave - fi - fi - fi fi @@ -413,9 +406,7 @@ fi %{catrustdir}/source/README # symlinks for old locations -%{pkidir}/tls/cert.pem %{pkidir}/tls/certs/%{classic_tls_bundle} -%{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/%{java_bundle} # Hybrid hash directory with bundle file for Debian compatibility # See https://bugzilla.redhat.com/show_bug.cgi?id=1053882 
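Review bot: The new `find ... -exec cp -P {} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ \;` copies the hash symlinks verbatim, so whatever target string they carry inside directory-hash (apparently a bare relative filename, given that update-ca-trust later resolves them with `readlink -f` before linking) lands in %{pkidir}/tls/certs where it would dangle; since these paths are then turned into %ghost entries this only matters until update-ca-trust first runs, but a comment stating that would spare the next reader the same investigation, e.g. `# Placeholders only: update-ca-trust extract recreates these as absolute links on the installed system.` Separately, /etc/ssl/certs now resolves to %{pkidir}/tls/certs, which carries ca-bundle.crt but not the ca-certificates.crt name that the removed update-ca-trust lines created for Debian compatibility; unless it is recreated outside this patch, /etc/ssl/certs/ca-certificates.crt disappears, and `ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-certificates.crt` plus a matching %files entry would keep it. This hunk's %install body continues past the hunk into %clean.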
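Review bot: The two new `rm -f` lines at the top of the upgrade branch in %pre delete %{pkidir}/tls/cert.pem and %{pkidir}/tls/certs/ca-bundle.trust.crt unconditionally, whereas the block removed in the @@ -339 hunk only moved ca-bundle.trust.crt aside to .rpmsave when it was a regular file rather than the package's symlink; an administrator-replaced bundle is now discarded on upgrade without a backup. Limiting the removal to symlinks preserves the old safety net, e.g. `if test -L %{pkidir}/tls/certs/ca-bundle.trust.crt; then rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt; fi` (and the same shape for cert.pem), or keep the .rpmsave branch for the regular-file case. The enclosing `if [ $1 -gt 1 ]` block continues beyond this hunk.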
@@ -438,13 +429,14 @@ fi %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem -%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} %ghost %{catrustdir}/extracted/%{java_bundle} %ghost %{catrustdir}/extracted/edk2/cacerts.bin -%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt -%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt %changelog +*Wed Aug 28 2024 Frantisek Krenzelok - 2024.2.69_v8.0.303-101.2 +- update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs +- Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default + *Tue Aug 27 2024 Frantisek Krenzelok - 2024.2.69_v8.0.303-101.1 - update-ca-trust: return warnings on a unsupported argument instead of error diff --git a/update-ca-trust b/update-ca-trust index e27bc5a..fffd2c9 100755 --- a/update-ca-trust +++ b/update-ca-trust @@ -8,6 +8,7 @@ set -eu # files in $DEST. DEST=/etc/pki/ca-trust/extracted +DEST_CERTS=/etc/pki/tls/certs # Prevent p11-kit from reading user configuration files. export P11_KIT_NO_USER_CONFIG=1 @@ -28,7 +29,8 @@ usage() { EXTRACT OPTIONS -o DIR, --output=DIR: Write the extracted trust store into the given - directory instead of updating $DEST. + directory instead of updating $DEST. (Note: This option will not + populate the ../pki/tls/certs with the directory-hash symbolic links.) EOF } 
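Review bot: The new usage sentence refers to `../pki/tls/certs`, a relative path with no stated base, for the location the script itself defines on line 11 as DEST_CERTS=/etc/pki/tls/certs; the here-doc is unquoted and already expands $DEST, so the variable can be used directly: `directory instead of updating $DEST. (Note: This option does not` / `populate $DEST_CERTS with the directory-hash symbolic links.)`. The same `../pki/tls/certs` wording is repeated in the update-ca-trust.8.txt hunk further down in this patch, where the absolute path belongs.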
@@ -73,9 +75,15 @@ extract() { "$DEST"/edk2 fi + + # Delete all directory hash symlinks from the cert directory + if [ -z "$USER_DEST" ]; then + find "$DEST_CERTS" -type l -regextype posix-extended \ + -regex '.*/[0-9a-f]{8}\.[0-9]+' -exec rm -f {} \; + fi + # OpenSSL PEM bundle that includes trust flags # (BEGIN TRUSTED CERTIFICATE) - /usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem" 
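Review bot: The cleanup `find "$DEST_CERTS" -type l ... -exec rm -f {} \;` removes every hash-named symlink under /etc/pki/tls/certs regardless of where it points, so links an administrator created there by hand for OpenSSL CApath lookups (which use the same `<hash>.N` naming) are deleted on every `update-ca-trust extract`, and the search also descends into subdirectories although the following hunk only creates links at the top level. Restricting the match to links this tool owns avoids both: add `-maxdepth 1` and `-lname "$DEST/pem/directory-hash/*"` to the find, provided the build-time copies made by the spec carry the same absolute target form (otherwise they would survive as dangling entries); `-exec rm -f -- {} +` also avoids spawning one rm per link. extract() starts before this hunk.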
@@ -85,25 +93,16 @@ extract() { # by GnuTLS) /usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash" - # p11-kit extract will have made this directory unwritable; when run with - # CAP_DAC_OVERRIDE this does not matter, but in container use cases that may - # not be the case. See rhbz#2241240. - if [ -n "$USER_DEST" ]; then - /usr/bin/chmod u+w "$DEST/pem/directory-hash" - fi - # Debian compatibility: their /etc/ssl/certs has this bundle - /usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt" - # Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt - # since https://bugzilla.redhat.com/show_bug.cgi?id=572725 - /usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt" - - # Remove write permissions again - if [ -n "$USER_DEST" ]; then - /usr/bin/chmod u-w "$DEST/pem/directory-hash" - fi + if [ -z "$USER_DEST" ]; then + find "$DEST/pem/directory-hash" -type l -regextype posix-extended \ + -regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do + target=$(readlink -f "$link") + new_link="$DEST_CERTS/$(basename "$link")" + ln -s "$target" "$new_link" + done + fi } - if [ $# -lt 1 ]; then set -- extract fi diff --git a/update-ca-trust.8.txt b/update-ca-trust.8.txt index 51ed02b..a8c381c 100644 --- a/update-ca-trust.8.txt +++ b/update-ca-trust.8.txt @@ -230,7 +230,8 @@ EXTRACT OPTIONS ^^^^^^^^^^^^^^^ *-o DIR*, *--output=DIR*:: Write the extracted trust store into the given directory instead of - updating /etc/pki/ca-trust/extracted. + updating /etc/pki/ca-trust/extracted. (Note: This option will not + populate the ../pki/tls/certs with the directory-hash symbolic links.) FILES ----- 
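Review bot: `ln -s "$target" "$new_link"` has no `-f`, so when an entry with that hash name already exists in $DEST_CERTS and is not a symlink (the cleanup in the previous hunk removes symlinks only) the ln fails; with the script's `set -eu` and the loop running in a pipeline subshell, that aborts extract() partway through and leaves /etc/pki/tls/certs — which /etc/ssl/certs now resolves to — only partially populated. `ln -sfn "$target" "$new_link"` and `while IFS= read -r link; do` make the loop idempotent and safe against unusual names; if a half-written directory must never be observable, building the links in a temporary directory and moving them into place is the safer shape, though a larger change. The removed lines were also the only place the Debian-style `ca-certificates.crt` name was created, and nothing else in this patch recreates it under the new /etc/ssl/certs target.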
@@ -257,6 +258,9 @@ FILES which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten. See section <> for additional details. +/etc/pki/tls/certs:: + Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command. + AUTHOR ------ Written by Kai Engert and Stef Walter.