* [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
@ 2019-05-30 10:12 Philippe Normand
From: Philippe Normand @ 2019-05-30 10:12 UTC (permalink / raw)
To: openembedded-core
Since version 2.60 the glib-networking TLS database relies on GnuTLS's system
trust store, so not enabling it leads to TLS errors in applications depending on
glib-networking. The raised runtime warning is:
process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS database: Failed to load system trust store: GnuTLS was not configured with a system trust
(app:490): ... TLS Error: TLS certificate has unknown CA.
---
meta/recipes-support/gnutls/gnutls_3.6.7.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.7.bb b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
index e05dc2b57d..3ad6e56579 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.7.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
@@ -35,6 +35,8 @@ PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1"
PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
+PACKAGECONFIG[pkcs11-trust-store] = "--with-default-trust-store-pkcs11=pkcs11:,,"
+
EXTRA_OECONF = " \
--enable-doc \
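Review bot: the new pkcs11-trust-store entry leaves its build-dependency field empty, yet `--with-default-trust-store-pkcs11=pkcs11:` only takes effect when GnuTLS is also built `--with-p11-kit`, which in this recipe is the separate p11-kit entry two lines above (Philippe confirms the requirement later in the thread). PACKAGECONFIG cannot express that one option requires another, so selecting pkcs11-trust-store on its own yields a gnutls that still cannot load a default trust store and emits exactly the "GnuTLS was not configured with a system trust" warning the commit message quotes. Suggest a comment above the entry stating that it requires the p11-kit option, or a recipe-level check that fails the build when pkcs11-trust-store is set without p11-kit. The bare `pkcs11:` value is also worth a comment: an empty-path PKCS#11 URI matches every object every loaded module exposes, so the trust store content is whatever p11-kit's trust module serves, not a fixed bundle file.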
--
2.20.1
* Re: [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
@ 2019-05-30 11:38 ` Richard Purdie
From: Richard Purdie @ 2019-05-30 11:38 UTC (permalink / raw)
To: Philippe Normand, openembedded-core
On Thu, 2019-05-30 at 11:12 +0100, Philippe Normand wrote:
> Since version 2.60 the glib-networking TLS database relies on GnuTLS's system
> trust store, so not enabling it leads to TLS errors in applications depending on
> glib-networking. The raised runtime warning is:
>
> process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS database: Failed to load system trust store: GnuTLS was not configured with a system trust
> (app:490): ... TLS Error: TLS certificate has unknown CA.
Doesn't this mean we should enable it by default as well?
Cheers,
Richard
* Re: [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
@ 2019-05-30 11:43 ` Philippe Normand
From: Philippe Normand @ 2019-05-30 11:43 UTC (permalink / raw)
To: Richard Purdie, openembedded-core
On Thu, 2019-05-30 at 12:38 +0100, Richard Purdie wrote:
> On Thu, 2019-05-30 at 11:12 +0100, Philippe Normand wrote:
> > Since version 2.60 the glib-networking TLS database relies on
> > GnuTLS's system
> > trust store, so not enabling it leads to TLS errors in applications
> > depending on
> > glib-networking. The raised runtime warning is:
> >
> > process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS
> > database: Failed to load system trust store: GnuTLS was not
> > configured with a system trust
> > (app:490): ... TLS Error: TLS certificate has unknown CA.
>
> Doesn't this mean we should enable it by default as well?
>
Yes, I would likely support this decision. :)
I didn't do it in the patch because I don't know all the consequences
of enabling this by default. I would rather defer the decision to the
recipe maintainer.
Philippe
* Re: [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
@ 2019-05-30 11:46 ` richard.purdie
From: richard.purdie @ 2019-05-30 11:46 UTC (permalink / raw)
To: Philippe Normand, openembedded-core
On Thu, 2019-05-30 at 12:43 +0100, Philippe Normand wrote:
> On Thu, 2019-05-30 at 12:38 +0100, Richard Purdie wrote:
> > On Thu, 2019-05-30 at 11:12 +0100, Philippe Normand wrote:
> > > Since version 2.60 the glib-networking TLS database relies on
> > > GnuTLS's system
> > > trust store, so not enabling it leads to TLS errors in
> > > applications
> > > depending on
> > > glib-networking. The raised runtime warning is:
> > >
> > > process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load
> > > TLS
> > > database: Failed to load system trust store: GnuTLS was not
> > > configured with a system trust
> > > (app:490): ... TLS Error: TLS certificate has unknown CA.
> >
> > Doesn't this mean we should enable it by default as well?
> >
>
> Yes, I would likely support this decision. :)
>
> I didn't do it in the patch because I don't know all the consequences
> of enabling this by default. I would rather defer the decision to the
> recipe maintainer.
Given we're seeing issues without it enabled, can you send a v2 with it
being enabled by default please?
We try not to do that where it adds dependencies we don't need but it
seems to make sense here to me (I can take responsibility for asking for
it!).
Cheers,
Richard
* Re: [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
@ 2019-05-30 12:04 ` Philippe Normand
From: Philippe Normand @ 2019-05-30 12:04 UTC (permalink / raw)
To: richard.purdie, openembedded-core
On Thu, 2019-05-30 at 12:46 +0100, richard.purdie@linuxfoundation.org
wrote:
> On Thu, 2019-05-30 at 12:43 +0100, Philippe Normand wrote:
> > On Thu, 2019-05-30 at 12:38 +0100, Richard Purdie wrote:
> > > On Thu, 2019-05-30 at 11:12 +0100, Philippe Normand wrote:
> > > > Since version 2.60 the glib-networking TLS database relies on
> > > > GnuTLS's system
> > > > trust store, so not enabling it leads to TLS errors in
> > > > applications
> > > > depending on
> > > > glib-networking. The raised runtime warning is:
> > > >
> > > > process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load
> > > > TLS
> > > > database: Failed to load system trust store: GnuTLS was not
> > > > configured with a system trust
> > > > (app:490): ... TLS Error: TLS certificate has unknown CA.
> > >
> > > Doesn't this mean we should enable it by default as well?
> > >
> >
> > Yes, I would likely support this decision. :)
> >
> > I didn't do it in the patch because I don't know all the
> > consequences
> > of enabling this by default. I would rather defer the decision to
> > the
> > recipe maintainer.
>
> Given we're seeing issues without it enabled, can you send a v2 with
> it
> being enabled by default please?
>
> We try not to do that where it adds dependencies we don't need but it
> seems to make sense here to me (I can take responsibility for asking
> for
> it!).
>
Alright, I'll update the patch then. Enabling this new option requires
the p11-kit option to be enabled as well though.
Philippe
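Philippe's point that pkcs11-trust-store only works together with the p11-kit option is something the PACKAGECONFIG field syntax cannot express on its own. The following Python is an added example, not OE-core or BitBake code: it evaluates the PACKAGECONFIG entries from the patch the way the recipe fields are read (enable flag, disable flag, build dependencies) and flags a selection that enables the pkcs11 trust store without p11-kit. The OPTION_REQUIRES table is an assumption taken from this thread, not part of the recipe.

```python
"""Evaluate OpenEmbedded PACKAGECONFIG[] entries the way BitBake reads them:
    PACKAGECONFIG[opt] = "enable-flags,disable-flags,build-deps,rdeps,rrecs,conflicts"
Constructed example for this thread, not OE-core or BitBake code."""

# Constructed copy of the gnutls_3.6.7.bb entries shown in the patch hunk.
RECIPE_PACKAGECONFIG = {
    "libidn": "--with-idn,--without-idn,libidn2",
    "libtasn1": "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1",
    "p11-kit": "--with-p11-kit,--without-p11-kit,p11-kit",
    "tpm": "--with-tpm,--without-tpm,trousers",
    "pkcs11-trust-store": "--with-default-trust-store-pkcs11=pkcs11:,,",
}

# Assumption taken from the thread, not from the recipe: the pkcs11 default
# trust store is only usable when GnuTLS is also built with p11-kit support.
OPTION_REQUIRES = {"pkcs11-trust-store": ("p11-kit",)}


def evaluate_packageconfig(entries, enabled):
    """Return (configure_flags, build_deps, problems) for the enabled options.

    entries: {option: "field,field,..."} exactly as written in the recipe.
    enabled: iterable of option names, e.g. PACKAGECONFIG.split().
    """
    enabled = set(enabled)
    flags, deps, problems = [], [], []
    for opt, spec in entries.items():
        # Pad to the six documented fields so a short spec indexes safely.
        enable, disable, build_dep = (spec.split(",") + [""] * 6)[:3]
        if opt in enabled:
            if enable:
                flags.append(enable)
            deps.extend(build_dep.split())
            for needed in OPTION_REQUIRES.get(opt, ()):
                if needed not in enabled:
                    problems.append(f"{opt} enabled without {needed}")
        elif disable:
            flags.append(disable)
    for unknown in sorted(enabled - set(entries)):
        problems.append(f"unknown option {unknown}")
    return flags, deps, problems


if __name__ == "__main__":
    for cfg in ("pkcs11-trust-store", "p11-kit pkcs11-trust-store"):
        flags, deps, problems = evaluate_packageconfig(RECIPE_PACKAGECONFIG, cfg.split())
        print(cfg, "->", " ".join(flags), "| DEPENDS:", deps, "| problems:", problems)
```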
* Re: [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
@ 2019-05-30 12:17 ` Adrian Bunk
From: Adrian Bunk @ 2019-05-30 12:17 UTC (permalink / raw)
To: Philippe Normand; +Cc: openembedded-core
On Thu, May 30, 2019 at 11:12:21AM +0100, Philippe Normand wrote:
> Since version 2.60 the glib-networking TLS database relies on GnuTLS's system
> trust store, so not enabling it leads to TLS errors in applications depending on
> glib-networking. The raised runtime warning is:
>
> process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS database: Failed to load system trust store: GnuTLS was not configured with a system trust
> (app:490): ... TLS Error: TLS certificate has unknown CA.
> ---
> meta/recipes-support/gnutls/gnutls_3.6.7.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-support/gnutls/gnutls_3.6.7.bb b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
> index e05dc2b57d..3ad6e56579 100644
> --- a/meta/recipes-support/gnutls/gnutls_3.6.7.bb
> +++ b/meta/recipes-support/gnutls/gnutls_3.6.7.bb
> @@ -35,6 +35,8 @@ PACKAGECONFIG[libidn] = "--with-idn,--without-idn,libidn2"
> PACKAGECONFIG[libtasn1] = "--with-included-libtasn1=no,--with-included-libtasn1,libtasn1"
> PACKAGECONFIG[p11-kit] = "--with-p11-kit,--without-p11-kit,p11-kit"
> PACKAGECONFIG[tpm] = "--with-tpm,--without-tpm,trousers"
> +PACKAGECONFIG[pkcs11-trust-store] = "--with-default-trust-store-pkcs11=pkcs11:,,"
>...
Two questions:
1. Is this a valid pkcs11 URI?
AC_ARG_WITH([default-trust-store-pkcs11],
[AS_HELP_STRING([--with-default-trust-store-pkcs11=URI],
[use the given pkcs11 uri as default trust store])])
2. Wouldn't the more common case be to use the ca-certificates
package instead of PKCS #11?
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
* Re: [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
@ 2019-05-30 13:30 ` Philippe Normand
From: Philippe Normand @ 2019-05-30 13:30 UTC (permalink / raw)
To: Adrian Bunk; +Cc: openembedded-core
Hi Adrian,
On Thu, 2019-05-30 at 15:17 +0300, Adrian Bunk wrote:
> On Thu, May 30, 2019 at 11:12:21AM +0100, Philippe Normand wrote:
> > Since version 2.60 the glib-networking TLS database relies on
> > GnuTLS's system
> > trust store, so not enabling it leads to TLS errors in applications
> > depending on
> > glib-networking. The raised runtime warning is:
> >
> > process:500): GLib-Net-WARNING **: 09:14:09.321: Failed to load TLS
> > database: Failed to load system trust store: GnuTLS was not
> > configured with a system trust
> > (app:490): ... TLS Error: TLS certificate has unknown CA.
> >
...
> Two questions:
>
> 1. Is this a valid pkcs11 URI?
>
> AC_ARG_WITH([default-trust-store-pkcs11],
> [AS_HELP_STRING([--with-default-trust-store-pkcs11=URI],
> [use the given pkcs11 uri as default trust store])])
>
Yes, I believe so. I simply used the same option as in the Freedesktop
Flatpak SDK:
https://gitlab.com/freedesktop-sdk/freedesktop-sdk/blob/master/elements/components/gnutls.bst
> 2. Wouldn't the more common case be to use the ca-certificates
> package instead of PKCS #11?
>
I don't know why glib-networking needs to go through gnutls which then
needs to query p11-kit. I suppose p11-kit could directly be used, but
this is not my call to make.
For reference, this is the relevant glib-networking commit:
https://gitlab.gnome.org/GNOME/glib-networking/commit/f1c8feee014007cc913b71357acb609f8d1200df
Anyway, in my local config I had this:
PACKAGECONFIG_append_pn-gnutls = " p11-kit pkcs11-trust-store"
PACKAGECONFIG_append_pn-p11-kit = " trust-paths"
Without those I would still get TLS errors at runtime.
So these 3 options would need to be enabled by default, I'll send a
follow-up patch series.
Philippe
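Adrian asked above whether `pkcs11:` is a valid PKCS#11 URI, and Philippe answered from the Flatpak SDK precedent. The following Python is an added example, not code from GnuTLS, p11-kit or OE-core: a small RFC 7512 parser showing that a URI with an empty path and no query is well formed and, since every attribute acts as a filter, matches every object every loaded module exposes. It decodes the percent-encoded binary `id` attribute and rejects duplicate or misplaced attributes, which is stricter than a prefix check.

```python
"""Minimal RFC 7512 PKCS#11 URI parser. Constructed example for this thread,
not code from GnuTLS, p11-kit or OE-core."""
import re
from urllib.parse import unquote, unquote_to_bytes

# Attribute names defined by RFC 7512, section 2.3 (path) and 2.4 (query).
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-version", "library-description", "object", "type", "id",
              "slot-id", "slot-manufacturer", "slot-description"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
TYPE_VALUES = {"public", "private", "cert", "secret-key", "data"}
# RFC 7512 also allows vendor-specific attributes with names of this shape.
VENDOR_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def _parse_attrs(component, separator, forbidden):
    """Split 'name=value' pairs, percent-decode them, and reject duplicates,
    names that belong to the other component, and malformed names."""
    attrs = {}
    if component == "":
        return attrs  # an empty path or query is valid and matches everything
    for item in component.split(separator):
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {item!r}")
        if name in forbidden or not VENDOR_NAME.match(name):
            raise ValueError(f"invalid attribute name: {name!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name!r}")
        # 'id' carries a binary CKA_ID; all other values are UTF-8 text.
        attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    if "type" in attrs and attrs["type"] not in TYPE_VALUES:
        raise ValueError(f"unknown object type: {attrs['type']!r}")
    return attrs


def parse_pkcs11_uri(uri):
    """Return {'path': {...}, 'query': {...}} or raise ValueError."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("scheme must be 'pkcs11'")
    path, _, query = rest.partition("?")
    return {"path": _parse_attrs(path, ";", QUERY_ATTRS),
            "query": _parse_attrs(query, "&", PATH_ATTRS)}


def is_valid_pkcs11_uri(uri):
    """True when the string parses as an RFC 7512 PKCS#11 URI."""
    try:
        parse_pkcs11_uri(uri)
    except ValueError:
        return False
    return True
```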
* Re: [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
@ 2019-05-30 14:06 ` Adrian Bunk
From: Adrian Bunk @ 2019-05-30 14:06 UTC (permalink / raw)
To: Philippe Normand; +Cc: openembedded-core
On Thu, May 30, 2019 at 02:30:14PM +0100, Philippe Normand wrote:
> Hi Adrian,
Hi Philippe,
> On Thu, 2019-05-30 at 15:17 +0300, Adrian Bunk wrote:
>...
> > 2. Wouldn't the more common case be to use the ca-certificates
> > package instead of PKCS #11?
>
> I don't know why glib-networking needs to go through gnutls which then
> needs to query p11-kit. I suppose p11-kit could directly be used, but
> this is not my call to make.
>...
I think your "which then needs to query p11-kit" is not correct.
My reading of configure.ac is that ca-certificates could be used
instead, and this also makes a lot more sense in the default case.
> Philippe
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
* Re: [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
@ 2019-05-30 14:47 ` Philippe Normand
From: Philippe Normand @ 2019-05-30 14:47 UTC (permalink / raw)
To: Adrian Bunk; +Cc: openembedded-core
On Thu, 2019-05-30 at 17:06 +0300, Adrian Bunk wrote:
> On Thu, May 30, 2019 at 02:30:14PM +0100, Philippe Normand wrote:
> > Hi Adrian,
>
> Hi Philippe,
>
> > On Thu, 2019-05-30 at 15:17 +0300, Adrian Bunk wrote:
> > ...
> > > 2. Wouldn't the more common case be to use the ca-certificates
> > > package instead of PKCS #11?
> >
> > I don't know why glib-networking needs to go through gnutls which
> > then
> > needs to query p11-kit. I suppose p11-kit could directly be used,
> > but
> > this is not my call to make.
> > ...
>
> I think your "which then needs to query p11-kit" is not correct.
>
> My reading of configure.ac is that ca-certificates could be used
> instead, and this also makes a lot more sense in the default case.
>
I've asked Michael Catanzaro about this, he's not subscribed to this
list so he can't reply to the thread. Here's his reply:
The GnuTLS default trust store can be a certificate file bundle or a
certificate directory (provided by ca-certificates), or a PKCS#11 URI,
but PKCS#11 is a better default. If you do not use PKCS#11, then
expected functionality like trusting and distrusting certificates using
the 'trust' command or applications like seahorse will not work. Most
modern Linux distributions are now using PKCS#11 URIs; the only major
holdouts are Debian and Ubuntu. So I would definitely recommend the
PKCS#11 URI. Of course, basic functionality will work whichever way you
choose; glib-networking only requires that GnuTLS has a default trust
store, one way or the other, so using a bundle would be OK if you want
to avoid the dependency on p11-kit.
---
So, do you agree about depending on p11-kit from now on?
Philippe
* Re: [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
@ 2019-05-30 15:50 ` Richard Purdie
From: Richard Purdie @ 2019-05-30 15:50 UTC (permalink / raw)
To: Philippe Normand, Adrian Bunk; +Cc: openembedded-core
On Thu, 2019-05-30 at 15:47 +0100, Philippe Normand wrote:
> On Thu, 2019-05-30 at 17:06 +0300, Adrian Bunk wrote:
> > On Thu, May 30, 2019 at 02:30:14PM +0100, Philippe Normand wrote:
> > > Hi Adrian,
> >
> > Hi Philippe,
> >
> > > On Thu, 2019-05-30 at 15:17 +0300, Adrian Bunk wrote:
> > > ...
> > > > 2. Wouldn't the more common case be to use the ca-certificates
> > > > package instead of PKCS #11?
> > >
> > > I don't know why glib-networking needs to go through gnutls which
> > > then
> > > needs to query p11-kit. I suppose p11-kit could directly be used,
> > > but
> > > this is not my call to make.
> > > ...
> >
> > I think your "which then needs to query p11-kit" is not correct.
> >
> > My reading of configure.ac is that ca-certificates could be used
> > instead, and this also makes a lot more sense in the default case.
> >
>
> I've asked Michael Catanzaro about this, he's not subscribed to this
> list so he can't reply to the thread. Here's his reply:
>
> The GnuTLS default trust store can be a certificate file bundle or a
> certificate directory (provided by ca-certificates), or a PKCS#11
> URI,
> but PKCS#11 is a better default. If you do not use PKCS#11, then
> expected functionality like trusting and distrusting certificates
> using
> the 'trust' command or applications like seahorse will not work. Most
> modern Linux distributions are now using PKCS#11 URIs; the only major
> holdouts are Debian and Ubuntu. So I would definitely recommend the
> PKCS#11 URI. Of course, basic functionality will work whichever way
> you
> choose; glib-networking only requires that GnuTLS has a default trust
> store, one way or the other, so using a bundle would be OK if you
> want to avoid the dependency on p11-kit.
I think most of our system is already using ca-certificates at this
point so consistency here might make sense.
If you use a PKCS#11 URI does that mean the systems would need network
access to obtain the trust store?
Ultimately we may want this to be a global config selection but using
ca-certs and then having a wider discussion about a global option might
make most sense.
Cheers,
Richard
* Re: [PATCH] gnutls: Add a config option to enable the pkcs11 trust store
@ 2019-05-30 16:44 ` Philippe Normand
From: Philippe Normand @ 2019-05-30 16:44 UTC (permalink / raw)
To: Richard Purdie, Adrian Bunk; +Cc: openembedded-core
On Thu, 2019-05-30 at 16:50 +0100, Richard Purdie wrote:
> On Thu, 2019-05-30 at 15:47 +0100, Philippe Normand wrote:
> > On Thu, 2019-05-30 at 17:06 +0300, Adrian Bunk wrote:
> > > On Thu, May 30, 2019 at 02:30:14PM +0100, Philippe Normand wrote:
> > > > Hi Adrian,
> > >
> > > Hi Philippe,
> > >
> > > > On Thu, 2019-05-30 at 15:17 +0300, Adrian Bunk wrote:
> > > > ...
> > > > > 2. Wouldn't the more common case be to use the ca-certificates
> > > > > package instead of PKCS #11?
> > > >
> > > > I don't know why glib-networking needs to go through gnutls
> > > > which
> > > > then
> > > > needs to query p11-kit. I suppose p11-kit could directly be
> > > > used,
> > > > but
> > > > this is not my call to make.
> > > > ...
> > >
> > > I think your "which then needs to query p11-kit" is not correct.
> > >
> > > My reading of configure.ac is that ca-certificates could be used
> > > instead, and this also makes a lot more sense in the default
> > > case.
> > >
> >
> > I've asked Michael Catanzaro about this, he's not subscribed to
> > this
> > list so he can't reply to the thread. Here's his reply:
> >
> > The GnuTLS default trust store can be a certificate file bundle or
> > a
> > certificate directory (provided by ca-certificates), or a PKCS#11
> > URI,
> > but PKCS#11 is a better default. If you do not use PKCS#11, then
> > expected functionality like trusting and distrusting certificates
> > using
> > the 'trust' command or applications like seahorse will not work.
> > Most
> > modern Linux distributions are now using PKCS#11 URIs; the only
> > major
> > holdouts are Debian and Ubuntu. So I would definitely recommend the
> > PKCS#11 URI. Of course, basic functionality will work whichever way
> > you
> > choose; glib-networking only requires that GnuTLS has a default
> > trust
> > store, one way or the other, so using a bundle would be OK if you
> > want to avoid the dependency on p11-kit.
>
> I think most of our system is already using ca-certificates at this
> point so consistency here might make sense.
>
I think this is the most sensible approach for now indeed.
> If you use a PKCS#11 URI does that mean the systems would need
> network
> access to obtain the trust store?
>
The ca-certificates will still be used with a PKCS#11 trust store, just
indirectly, via p11-kit. It doesn't require network access.
> Ultimately we may want this to be a global config selection but using
> ca-certs and then having a wider discussion about a global option
> might
> make most sense.
>
OK, I'll prepare a new patch then for gnutls to directly rely on ca-certificates, for the time being :)
Thanks Richard and Adrian!
Philippe