From 0a9b3250cf703e1de2885fe72a42a8760dc4fe62 Mon Sep 17 00:00:00 2001
From: "Gerd v. Egidy"
Date: Sun, 16 Jan 2022 17:54:29 +0100
Subject: [PATCH] Support for adding Certification Authorities (CAs) via YAML config

This allows to add additional CAs as trust anchors via the root key "ca-trust" in the YAML config files. Why is this helpful and can't be done for example with SRMs? After the CA files are copied, "update-ca-trust" must be called. This updates *all* ca trust files. This means your SRM will override all trust files with the ones used when creating the SRM. When you then use the SRM with a newer version of SystemRescue, you will still use the old ca trust files from when the SRM was built.
---
 ChangeLog | 5 +++++
 .../systemd/scripts/sysrescue-initialize.py | 22 +++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index f1b7948..f5377fa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,11 @@
 SystemRescue ChangeLog
 ======================
+-------------------------------------------------------------------------------
+9.01 (YYYY-MM-DD):
+-------------------------------------------------------------------------------
+* Support for adding Certification Authorities (CAs) via YAML config (Gerd v. Egidy)
+
 -------------------------------------------------------------------------------
 9.00 (2022-01-16):
 -------------------------------------------------------------------------------
diff --git a/airootfs/etc/systemd/scripts/sysrescue-initialize.py b/airootfs/etc/systemd/scripts/sysrescue-initialize.py
index 9e8337b..0ebb3f4 100755
--- a/airootfs/etc/systemd/scripts/sysrescue-initialize.py
+++ b/airootfs/etc/systemd/scripts/sysrescue-initialize.py
@@ -30,6 +30,8 @@ config_global = {
 'vncpass': None,
 }
+config_ca_trust = { }
+
 # ==============================================================================
 # Load configuration from the yaml files
 # ==============================================================================
@@ -46,6 +48,10 @@ def parse_config_file(yamlfile):
 for entry in config_global:
 if entry in curglobal:
 config_global[entry] = curglobal[entry]
+ if 'ca-trust' in curconfig:
+ # later yaml files take precedence, overwrite if existing
+ for key, value in curconfig['ca-trust'].items():
+ config_ca_trust[key] = value
 return True
 except yaml.YAMLError as err:
 print(err)
@@ -227,6 +233,22 @@ if config_global['dovnc'] == True:
 file.write("""x11vnc $pwopt -nevershared -forever -logfile /var/log/x11vnc.log &\n""")
 file.close()
+# ==============================================================================
+# Configure custom CA certificates
+# ==============================================================================
+ca_anchor_path = "/etc/ca-certificates/trust-source/anchors/"
+
+if config_ca_trust:
+ print(f"====> Adding trusted CA certificates ...")
+ for name, cert in sorted(config_ca_trust.items()):
+ print (f"Adding certificate '{name}' ...")
+ with open(os.path.join(ca_anchor_path, name + ".pem"), "w") as certfile:
+ certfile.write(cert)
+ print(f"Updating CA trust configuration ...")
+ p = subprocess.run(["update-ca-trust"], text=True)
+
 # ==============================================================================
 # End of the script
 # ==============================================================================
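Review bot: `curconfig['ca-trust'].items()` assumes the key holds a mapping, but a YAML file with an empty `ca-trust:` (parsed as None) or a list value raises AttributeError, which the `except yaml.YAMLError` branch below does not catch, so a single malformed file aborts config loading instead of being reported like a parse error. Guarding the type keeps the failure mode consistent with the rest of parse_config_file: `if isinstance(curconfig.get('ca-trust'), dict):`. The enclosing function parse_config_file starts outside the hunk, so whether it already validates the overall document shape cannot be seen here.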
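Review bot: The dictionary key `name` is used unvalidated as a file-name component in `os.path.join(ca_anchor_path, name + ".pem")`, so a key containing a path separator or `..` makes the write land outside the anchors directory; the YAML config is presumably administrator-controlled, but checking that the key is a single path component keeps the file write confined to `ca_anchor_path` regardless of how the config was produced. Separately, the result of `subprocess.run(["update-ca-trust"], text=True)` is stored in `p` but never inspected, so a failing trust update is silent and the newly written anchors may never take effect. As a style point, `print (f"Adding certificate ...")` has a stray space before the parenthesis, and the two f-strings without placeholders can be plain string literals. The rewritten loop below validates the key, skips invalid entries with a message, and reports a non-zero exit status from update-ca-trust.

```python
if config_ca_trust:
    print("====> Adding trusted CA certificates ...")

    for name, cert in sorted(config_ca_trust.items()):
        # the key becomes a file name: accept only a single path component
        if not isinstance(name, str) or not name or os.path.basename(name) != name or name in (".", ".."):
            print(f"Skipping ca-trust entry with invalid name '{name}'")
            continue
        print(f"Adding certificate '{name}' ...")
        with open(os.path.join(ca_anchor_path, name + ".pem"), "w") as certfile:
            certfile.write(cert)

    print("Updating CA trust configuration ...")
    p = subprocess.run(["update-ca-trust"], text=True)
    if p.returncode != 0:
        print(f"update-ca-trust failed with exit code {p.returncode}")
```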