CAC modules

Mcclelland, Michael B Mr CTR USN USA michael.b.mcclelland at us.army.mil
Thu Jul 19 10:49:54 EDT 2012


I might be oversimplifying but couldn't I get away with simply doing a
symlink?  Something like this?

sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt

Worked when I tested.  I'd hate to have you guys be burdened with extra
code on my account when the blame should rest on the dated gnutls28 library
in the repos, which should be resolved when 12.10 hits.

-----Original Message-----
From: Mike Miller [mailto:mike.t.miller at gmail.com] On Behalf Of Mike Miller
Sent: Thursday, July 19, 2012 1:11 AM
To: David Woodhouse
Cc: Mcclelland, Michael B Mr CTR USN USA;
openconnect-devel at lists.infradead.org
Subject: Re: CAC modules

On Wed, Jul 18, 2012 at 09:43:38PM +0100, David Woodhouse wrote:
> Newer versions of GnuTLS (3.0.20+) have a function which adds the 
> "system" trust file, gnutls_certificate_set_x509_system_trust(). But 
> your GnuTLS is older than that, so the OpenConnect code just falls 
> back to adding /etc/pki/tls/certs/ca-bundle.crt manually. And that 
> isn't where it is on your distribution.
> 
> I suppose we ought to add some magic in the configure script to *find* 
> the file in the appropriate location. In the meantime, Mike may wish 
> to patch it to change the hard-coded location. Sorry, I knew that was 
> wrong when I did it, but it was part of the *first* commit adding 
> GnuTLS support (which didn't actually use it to do any verification 
> yet anyway) and I meant to come back to revisit it... but forgot.

Good catch both of you, I'll fix my Debian and Ubuntu builds to use the
correct ca-certificates path.

So how about something like this for the configure script? Could probably
use some polishing but I think it's functionally correct.

From a460a7672f6a011b54e5ffc60bc8372ed9a43d0e Mon Sep 17 00:00:00 2001
From: Mike Miller <mtmiller at ieee.org>
Date: Thu, 19 Jul 2012 00:47:32 -0400
Subject: [PATCH] Check for system CA certificate file for GnuTLS

Look in certain well-known system paths for the default file to give to
gnutls_certificate_set_x509_trust_file() if required.  Auto-detection is
based on the GnuTLS configure script.

Signed-off-by: Mike Miller <mtmiller at ieee.org>
---
 configure.ac |   32 ++++++++++++++++++++++++++++++++
 gnutls.c     |    2 +-
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac index c067276..30ed5c8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -179,6 +179,10 @@ if test "$USE_NLS" = "yes"; then  fi
AM_CONDITIONAL(USE_NLS, [test "$USE_NLS" = "yes"])
 
+AC_ARG_WITH([system-cafile],
+	    AS_HELP_STRING([--with-system-cafile],
+			   [Location of the default system CA certificate
file]))
+
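Review bot: the help string in this hunk advertises the option as a bare `--with-system-cafile`, but the code that consumes it later in the same patch expects a path, so `./configure --help` gives no hint that an argument is needed. Suggest `AS_HELP_STRING([--with-system-cafile=PATH], ...)` and a description that says when it matters (only when building against a GnuTLS without gnutls_certificate_set_x509_system_trust(), otherwise it is silently ignored).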
 # We will use GnuTLS if it's requested, and if GnuTLS doesn't have DTLS  #
support then we'll *also* use OpenSSL for that, but it appears *only*  #
only in the openconnect executable and not the library (hence shouldn't @@
-209,6 +213,34 @@ if test "$with_gnutls" = "yes"; then
 		 [AC_DEFINE(HAVE_GNUTLS_DTLS_SET_DATA_MTU, 1)], [])
     AC_CHECK_FUNC(gnutls_certificate_set_x509_system_trust,
 		 [AC_DEFINE(HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST,
1)], [])
+    if test "$ac_cv_func_gnutls_certificate_set_x509_system_trust" !=
"yes"; then
+	# We will need to tell GnuTLS the path to the system CA file.
+	if test "$with_system_cafile" = "yes" || test "$with_system_cafile"
= ""; then
+	    # Auto-detect path to the system CA file, based on GnuTLS.
+	    with_system_cafile=
+	    for i in \
+		/etc/ssl/certs/ca-certificates.crt \
+		/etc/pki/tls/cert.pem \
+		/usr/local/share/certs/ca-root-nss.crt
+		do
+		if test -e $i; then
+		    with_system_cafile="$i"
+		    break
+		fi
+	    done
+	elif test "$with_system_cafile" = "no"; then
+	    AC_MSG_ERROR([You cannot disable the system CA certificate
file.])
+	fi
+	if test "$with_system_cafile" = ""; then
+	    AC_MSG_ERROR([Unable to find a standard system CA certificate
file.]
+    [Your GnuTLS requires a path to a CA certificate store. Most
distributions]
+    [ship with a CA certificate file in a standard location. None of the
known]
+    [standard locations exist on your system. You should provide a]
+    [--with-system-cafile= argument to this configure script, giving the
full]
+    [path to a default CA certificate file for GnuTLS to use.])
+	fi
+	AC_DEFINE_UNQUOTED([DEFAULT_SYSTEM_CAFILE], ["$with_system_cafile"])
+    fi
     AC_CHECK_FUNC(gnutls_pkcs12_simple_parse,
 		 [AC_DEFINE(HAVE_GNUTLS_PKCS12_SIMPLE_PARSE, 1)], [])
     AC_CHECK_FUNC(gnutls_certificate_set_key,
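Review bot: the auto-detection loop in this hunk inspects the build host's filesystem, so a cross-compile, or a binary built on one distribution and installed on another, bakes a DEFAULT_SYSTEM_CAFILE into the executable that may not exist where it runs; since the result becomes a compile-time constant, the AC_MSG_ERROR text should at least tell cross-builders to pass `--with-system-cafile=` explicitly, and a warning when the chosen file contains no `BEGIN CERTIFICATE` line would catch an empty placeholder bundle before it ships. Two smaller points: the candidate list omits /etc/pki/tls/certs/ca-bundle.crt, the path the gnutls.c hunk stops hard-coding, so a system that only has that file now fails configure where the previous build worked; and `test -e $i` should quote the variable (`test -e "$i"`) for consistency with the quoting elsewhere in the block.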
diff --git a/gnutls.c b/gnutls.c
index 42f709a..d9e550d 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -1751,7 +1751,7 @@ int openconnect_open_https(struct openconnect_info
*vpninfo)
 
gnutls_certificate_set_x509_system_trust(vpninfo->https_cred);
 #else
 		gnutls_certificate_set_x509_trust_file(vpninfo->https_cred,
-
"/etc/pki/tls/certs/ca-bundle.crt",
+
DEFAULT_SYSTEM_CAFILE,
 						       GNUTLS_X509_FMT_PEM);
 #endif
 		gnutls_certificate_set_verify_function (vpninfo->https_cred,
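Review bot: the return value of gnutls_certificate_set_x509_trust_file() is still discarded in this hunk. It returns the number of certificates loaded, or a negative error code, so if DEFAULT_SYSTEM_CAFILE is missing or unreadable on the machine the binary actually runs on (a real possibility now that the path is fixed at configure time) the credentials end up with an empty trust store and every server certificate is rejected with nothing to explain why. Capture the result, and when it is <= 0 log the path together with gnutls_strerror() so the failure is diagnosable; the gnutls_certificate_set_x509_system_trust() call in the context above has the same problem, though that is not part of this change.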
--
1.7.10.4
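As an added example (not OpenConnect code and not from this thread), the probe the configure patch performs, written as POSIX sh functions, with one extra check a packager would want: the chosen file must actually contain PEM certificates, because GnuTLS will load an empty or placeholder bundle without complaint and leave the client with nothing to verify server certificates against. The candidate list is the patch's three paths plus the /etc/pki/tls/certs/ca-bundle.crt path the old gnutls.c hard-coded; SYSTEM_CAFILE_CANDIDATES and PROBE are illustrative names chosen for this example, not anything OpenConnect or GnuTLS defines. Like the configure check, it inspects the host it runs on and cannot answer for a cross-compilation target.

```shell
#!/bin/sh
# Added example, not OpenConnect code: locate a usable system CA bundle.
# Probes the running host only (the same limitation a configure-time test has).

# Well-known bundle locations: the three from the configure patch, then the
# path the old gnutls.c hard-coded. SYSTEM_CAFILE_CANDIDATES is an assumed,
# illustrative override (space-separated), not a real OpenConnect/GnuTLS knob.
: "${SYSTEM_CAFILE_CANDIDATES:=/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/cert.pem /usr/local/share/certs/ca-root-nss.crt /etc/pki/tls/certs/ca-bundle.crt}"

# count_pem_certs FILE
# Print how many PEM certificate blocks FILE holds (0 if unreadable or empty).
# This is the same quantity gnutls_certificate_set_x509_trust_file() reports
# through its return value, which the patched code above never inspects.
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    # grep -c exits 1 on zero matches but still prints 0; keep set -e quiet.
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# find_system_cafile [CANDIDATE...]
# Print the first candidate that is a readable regular file holding at least
# one certificate; return 1 (with a message on stderr) if none qualifies.
# With no arguments the default candidate list is used.
find_system_cafile() {
    [ $# -gt 0 ] || set -- $SYSTEM_CAFILE_CANDIDATES
    for f in "$@"; do
        # Existence alone is not enough: a dangling symlink, a directory or an
        # empty placeholder file would each give GnuTLS an empty trust store.
        [ -f "$f" ] && [ -r "$f" ] || continue
        if [ "$(count_pem_certs "$f")" -gt 0 ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    echo "no usable CA bundle among: $*" >&2
    return 1
}

# Optional driver: `PROBE=1 sh thisfile.sh` reports the host's bundle. Kept
# behind a variable so the functions can be sourced into a build script
# without side effects.
if [ "${PROBE:-0}" = 1 ]; then
    cafile=$(find_system_cafile)
    echo "system CA bundle: $cafile ($(count_pem_certs "$cafile") certificates)"
fi
```

The ordering matters in the same way it does in the patch: the first usable file wins, so on a host that has both a distribution bundle and a locally maintained one, put the preferred path first or pass the candidates explicitly.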




