From: Patrick Ohly <patrick.ohly@intel.com>
To: Jussi Kukkonen <jussi.kukkonen@intel.com>,
openembedded-core@lists.openembedded.org
Subject: native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)
Date: Tue, 21 Nov 2017 09:04:47 +0100
Message-ID: <1511251487.5979.54.camel@intel.com>
In-Reply-To: <3126cc0be3fdcd228a3bc73e2e58b90447c53ef2.1486668313.git.jussi.kukkonen@intel.com>
On Thu, 2017-02-09 at 21:38 +0200, Jussi Kukkonen wrote:
> Native libcurl looks for CA certs in the wrong place by
> default.
> * Add patch that allows overriding the default CA certificate
> location. Patch is originally from meta-security-isafw.
> * Use the new --cacert to set the correct CA bundle path
>
> Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
> ---
> .../cve-check-tool/cve-check-tool_5.6.4.bb | 4 +-
> ...ow-overriding-default-CA-certificate-file.patch | 215
> +++++++++++++++++++++
> 2 files changed, 218 insertions(+), 1 deletion(-)
> create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-
> curl-allow-overriding-default-CA-certificate-file.patch
>
> diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-
> tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-
> tool_5.6.4.bb
> index c78af67..fcd3182 100644
> --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3
> c34974bc0be3a03ed6"
> SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v
> ${PV}/${BP}.tar.xz \
> file://check-for-malloc_trim-before-using-it.patch \
> file://0001-print-progress-in-percent-when-downloading-
> CVE-db.patch \
> + file://0001-curl-allow-overriding-default-CA-certificate-
> file.patch \
> "
>
> SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
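Review bot: the patch file added to SRC_URI in this hunk is described in the commit message as copied from meta-security-isafw, but the 215-line patch itself is not part of the quoted diff; make sure its header carries the Upstream-Status: line (and a Signed-off-by:) that OE-Core requires for every patch under files/, and note there that it is a copy so it can be refreshed if the original layer updates it.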
> @@ -39,7 +40,8 @@ do_populate_cve_db() {
> [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"
>
> bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
> - if cve-check-update -d "$cve_dir" ; then
> + # --cacert works around curl-native not finding the CA bundle
> + if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-
> certificates.crt -d "$cve_dir" ; then
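Review bot: the new --cacert argument ${sysconfdir}/ssl/certs/ca-certificates.crt only points into the native sysroot when do_populate_cve_db runs in the native variant of the recipe, where native.bbclass redirects ${sysconfdir} under STAGING_DIR_NATIVE; nothing in the visible hunk adds a dependency on ca-certificates-native, so if the bundle has not been staged when this task runs, cve-check-update fails TLS verification instead of using any fallback. Consider adding that dependency alongside this change and quoting the path the same way the existing `-d "$cve_dir"` argument is quoted.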
I went back to this patch to see how the problem was solved, because I
am facing it again elsewhere. Now that I think about it again, I'm
starting to wonder which SSL certificates the native tools really
should trust. Tools like Python or wget are taken from the host, which
means they use the host defaults for SSL. That native tools built with
bitbake then try to use ca-certificates-native looks inconsistent to
me.
There is https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883 open
about some aspect of this, but it doesn't actually address the
underlying question about what the right behavior should be. It's based
on the assumption that libcurl-native should always use ca-
certificates-native.
Thoughts anyone?
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
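The inconsistency raised above (host tools trusting the host's CA store, bitbake-built native tools trusting ca-certificates-native) is easiest to see by diffing the two bundles. The following script is an added example, not code from this thread or from OE-Core: it fingerprints every certificate in two PEM bundles (for instance the host's /etc/ssl/certs/ca-certificates.crt and the ca-certificates.crt in the native sysroot, whose paths are assumed to be supplied by the caller) and reports the trust anchors present in only one of them. The sample bundles are constructed from dummy payloads so it runs offline.

```python
"""Compare two PEM CA bundles and report trust anchors that differ.

Added example: the intended inputs are the host's CA bundle and the one
in a bitbake native sysroot, but any two PEM bundles work.
"""
import base64
import hashlib
import re
import ssl

# Matches one certificate block; comments or blank lines between blocks
# (as found in some distro bundles) are skipped by the regex.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fingerprint(der):
    """SHA-256 hex of the DER encoding: the same anchor gets the same key
    in both bundles even if PEM line wrapping differs."""
    return hashlib.sha256(der).hexdigest()


def bundle_fingerprints(pem_text):
    """Return {fingerprint: DER bytes} for every certificate in the bundle."""
    anchors = {}
    for block in PEM_BLOCK.findall(pem_text):
        der = ssl.PEM_cert_to_DER_cert(block)  # stdlib PEM -> DER helper
        anchors[fingerprint(der)] = der
    return anchors


def diff_bundles(host_pem, sysroot_pem):
    """Return (only_in_host, only_in_sysroot) as sorted fingerprint lists."""
    host = set(bundle_fingerprints(host_pem))
    sysroot = set(bundle_fingerprints(sysroot_pem))
    return sorted(host - sysroot), sorted(sysroot - host)


def diff_bundle_files(host_path, sysroot_path):
    """Same as diff_bundles but reading both bundles from disk."""
    with open(host_path) as h, open(sysroot_path) as s:
        return diff_bundles(h.read(), s.read())


def _constructed_pem(payload):
    """Wrap arbitrary bytes as a PEM block; constructed test data, not a real cert."""
    b64 = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % b64


# Constructed sample bundles: the host has anchors A and B, the sysroot B and C.
SAMPLE_HOST = _constructed_pem(b"anchor-A") + _constructed_pem(b"anchor-B")
SAMPLE_SYSROOT = "# comment line\n" + _constructed_pem(b"anchor-B") + _constructed_pem(b"anchor-C")

if __name__ == "__main__":
    only_host, only_sysroot = diff_bundles(SAMPLE_HOST, SAMPLE_SYSROOT)
    print("only in host bundle:   ", only_host)
    print("only in sysroot bundle:", only_sysroot)
```

Point diff_bundle_files() at the real host bundle and the native sysroot copy to see whether the two trust stores actually diverge for a given build host.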
Thread overview (13+ messages):
2017-02-09 19:38 [PATCH 0/3] Fix cve-check (for recipe sysroots) Jussi Kukkonen
2017-02-09 19:38 ` [PATCH 1/3] cve-check.bbclass: Fix dependencies Jussi Kukkonen
2017-02-09 19:38 ` [PATCH 2/3] cve-check-tool: Fixes for recipe sysroots Jussi Kukkonen
2017-02-09 19:38 ` [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot Jussi Kukkonen
2017-11-21 8:04 ` Patrick Ohly [this message]
2017-11-21 12:06 ` native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot) Otavio Salvador
2017-11-21 12:21 ` Patrick Ohly
2017-11-21 12:52 ` Otavio Salvador
2017-02-09 19:59 ` ✗ patchtest: failure for Fix cve-check (for recipe sysroots) Patchwork
2017-02-09 21:41 ` Leonardo Sandoval
2017-02-10 11:55 ` [PATCH 0/3] " Alexander Kanavin
2017-02-10 13:04 ` Burton, Ross
2017-02-10 13:11 ` Alexander Kanavin