
[alpine-devel] Notes on fetch-crl apk

Nathan Angelacos
Message ID
<499DD2EE.6090803@nothome.org>
Sender timestamp
1235079918
These notes are for the fetch-crl-2.7.0-r0.apk from dev.a.o/~ncopa/alpine


If you just want the "what needs to be fixed" bit, skip to the bottom.

The test system is using racoon with a cert bundle and a client cert
(all in pem format, all in /etc/racoon) - they should probably be
somewhere else .. but whatever.



apk_add http://dev.alpinelinux.org/~ncopa/alpine/fetch-crl-2.7.0-r0.apk

It needs the hashes of all the certs; here's a quick awk script to do it:


--- /dev/null   Thu Feb 19 21:20:21 2009
+++ split.awk   Thu Feb 19 20:27:33 2009
@@ -0,0 +1,17 @@
+# split a certificate bundle into individual certificates
+
+{ content = content  $0 "\n" }
+
+/^subject=/ {
+	subject=$0
+	sub("^.*CN=", "", subject)
+	}
+
+/^-----END/ {
+	x=subject ".pem"
+	print content > x
+	close(x)
+	system("ln -s " x " `openssl x509 -noout -hash -in " x "`.0 2>/dev/null")
+	content = ""
+	}
+
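Review bot: the `/^-----END/` rule hands certificate-derived text to the shell unquoted: `x` is the certificate's CN with ".pem" appended, and it is spliced twice into `system("ln -s " x " `openssl x509 -noout -hash -in " x "`.0 2>/dev/null")`, so a CN containing spaces, a slash or shell metacharacters either breaks the command or gets interpreted by the shell. Derive the file name from the hash or a counter instead of the CN, or at least quote `x` and reject anything outside a plain `[A-Za-z0-9._-]` character set. Two smaller points: `2>/dev/null` hides a failed `ln -s`, which is exactly what happens when two certificates share a subject hash (the second needs `.1`, not `.0`, and silently gets no link), and the script depends on a `subject=` line preceding each certificate, so a bundle without them leaves `subject` empty and writes every certificate to a file literally named `.pem`.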


The client cert needs a hash as well:

ln -s mycert.pem `openssl x509 -in mycert.pem -noout -hash`.0 


Create the fetch-crl.crl_url files.  The files go where the certs are.
To find the crl location, you can try this:

for a in *.pem; do echo In $a:; openssl x509 -in $a -text -noout 2>/dev/null| grep crl ; done

The files can have any name, as long as they end in ".crl_url". So I chose mycert.crl_url, my_ca.crl_url, etc.
But you could use the hash as well.


edit /etc/conf.d/fetch-crl.  The minimum is:

CRLDIR=/etc/racoon
QUIET=yes
CACHEDIR=/tmp


Fetch-crl *requires* real wget because of the -t -T -N options. 

(replacing the wget binary with a shell script "#!/bin/echo $0 $@" shows the following)


/usr/bin/wget -t -T 10 -q -N 2 -P /tmp/3e25f602d2aedb251e08f79e3e1db34dc388927a  <location of crl>


Setting the Timeout and Retry options in the fetch-crl config file does not seem to make things better.




Once all that is done, run fetch-crl, and it will retrieve the crls and put them in the same directory as the certs, with the same name as the hash, but a .r0 extension.  



-----------------------
Things that need fixing 
-----------------------


If we want to use busybox wget, either: bb wget should support (or ignore) -t -T and -N; or fetch-crl should not use -N , -t -T when the config entries for WGET_RETRIES and WGET_TIMEOUT are set to "nil" (not 0)


the fetch-crl conf file for alpinelinux should be in /etc/fetch-crl/fetch-crl, and not /etc/conf.d/fetch-crl


Other than that, it works well!



---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
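A hardened version of the bundle-splitting step from the notes above, added here as an example and not code from the thread or from the fetch-crl package: it names each certificate by its OpenSSL subject hash instead of by CN, so certificate contents never reach a shell command or a file name, and it numbers hash collisions the way c_rehash does (.0, .1, ...). It assumes a current OpenSSL, where `-hash` and `-subject_hash` give the same SHA-1 subject hash; the names `split_bundle`, `next_free_name` and `cert_hash` are chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: a hardened replacement for split.awk.
# File names come from the OpenSSL subject hash, never from the certificate's
# CN, and hash collisions get the next free suffix (.0, .1, ...) instead of a
# silently failed "ln -s".
set -eu

# Subject hash of the PEM certificate in $1 ("openssl x509 -hash" gives the
# same value on current OpenSSL).
cert_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Lowest unused <dir>/<hash>.N name, the way c_rehash numbers collisions.
next_free_name() {
    n=0
    while [ -e "$1/$2.$n" ]; do n=$((n + 1)); done
    printf '%s/%s.%s\n' "$1" "$2" "$n"
}

# Split bundle $1 into single-certificate files under $2 and print their
# names. $3 names the hash function (default cert_hash), so the placement
# logic can be exercised without OpenSSL.
split_bundle() {
    bundle=$1; outdir=$2; hashfn=${3:-cert_hash}
    mkdir -p "$outdir"
    tmp=$(mktemp)
    # Cut on the PEM markers only; subject= lines between them are ignored.
    awk -v tmp="$tmp" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = tmp "." n }
        f != "" { print > f }
        /^-----END CERTIFICATE-----/ { close(f); print f; f = "" }
    ' "$bundle" | while read -r part; do
        h=$("$hashfn" "$part")
        # Only a plain hex hash may become a file name; anything else is refused.
        case "$h" in
            ''|*[!0-9a-f]*) echo "refusing hash '$h' for $part" >&2; rm -f "$part"; continue ;;
        esac
        dest=$(next_free_name "$outdir" "$h")
        mv "$part" "$dest"
        echo "$dest"
    done
    rm -f "$tmp"
}
```

Run it as `split_bundle /etc/racoon/bundle.pem /etc/racoon`; the resulting `<hash>.N` files are what fetch-crl pairs with its `<hash>.r0` CRLs.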
Natanael Copa
Message ID
<1235644183.17189.78.camel@nc>
In-Reply-To
<499DD2EE.6090803@nothome.org>
Sender timestamp
1235644183
On Thu, 2009-02-19 at 16:45 -0500, Nathan Angelacos wrote:
> These notes are for the fetch-crl-2.7.0-r0.apk from dev.a.o/~ncopa/alpine
> 
> 
> If you just want the "what needs to be fixed" bit, skip to the bottom.

...

> -----------------------
> Things that need fixing 
> -----------------------
> 
> 
> If we want to use busybox wget, either: bb wget should support (or ignore) -t -T and -N; or fetch-crl should not use -N , -t -T when the config entries for WGET_RETRIES and WGET_TIMEOUT are set to "nil" (not 0)
> 
> 
> the fetch-crl conf file for alpinelinux should be in /etc/fetch-crl/fetch-crl, and not /etc/conf.d/fetch-crl
> 
> 
> Other than that, it works well!

I added a patch that

* only add -t if WGET_RETRIES is set
* only add -T if WGET_TIMEOUT is set
* only add -N if WGET_TIMESTAMPING is set and is not equal "no". This is
a new and undocumented "feature".

Also moved the config file to /etc/fetch-crl/ as requested.

I have an apk that is scheduled for 1.8.1 here:
http://dev.alpinelinux.org/~ncopa/alpine/fetch-crl-2.7.0.apk

and for 1.9.x here:
http://dev.alpinelinux.org/~ncopa/alpine/fetch-crl-2.7.0-r1.apk
http://dev.alpinelinux.org/~ncopa/alpine/fetch-crl-doc-2.7.0-r1.apk

since there are 2 different build environments both would need to be
tested. Could you please help me with that? 

Thanks a lot!

btw... I'm not sure if we maybe should just let the script be unpatched
and just add GNU wget as a depend. What do you think?

-nc



