Add linux certificates management

Signed-off-by: David Cassany <dcassany@suse.com>
2021-10-13 00:04:06 +03:00 · 2021-09-17 16:19:15 +02:00
parent 374f15e9f5
commit cf0150272e
6 changed files with 111 additions and 21 deletions
--- a/flatpak/io.rancherdesktop.app.yml
+++ b/flatpak/io.rancherdesktop.app.yml
@@ -45,22 +45,22 @@ modules:
      config-opts:
      - "--disable-user"
      - "--enable-kvm"
-      - "--enable-vde"
-      - "--target-list=x86_64-softmmu,i386-softmmu"
+      #- "--enable-vde"
+      - "--target-list=x86_64-softmmu"
      sources:
      - type: archive
        url: https://download.qemu.org/qemu-6.1.0.tar.xz
        sha256: eebc089db3414bbeedf1e464beda0a7515aad30f73261abc246c9b27503a3c96
-      modules:
-      - name: vde-2
-        sources:
-        - type: git
-          url: https://github.com/virtualsquare/vde-2
-          tag: vde-2
-        buildsystem: simple
-        build-commands:
-        - | 
-            cd 2.3.2
-            autoreconf --install
-            ./configure --prefix=/app --disable-python --disable-cryptcab
-            make install
+      #modules:
+      #- name: vde-2
+      #  sources:
+      #  - type: git
+      #    url: https://github.com/virtualsquare/vde-2
+      #    tag: vde-2
+      #  buildsystem: simple
+      #  build-commands:
+      #  - | 
+      #      cd 2.3.2
+      #      autoreconf --install
+      #      ./configure --prefix=/app --disable-python --disable-cryptcab
+      #      make install
--- a/package-lock.json
+++ b/package-lock.json
@@ -8037,8 +8037,7 @@
    "duplexer": {
      "version": "0.1.2",
      "resolved": "https://registry.npmjs.org/duplexer/-/duplexer-0.1.2.tgz",
-      "integrity": "sha512-jtD6YG370ZCIi/9GTaJKQxWTZD045+4R4hTk/x1UyoqadyJ9x9CgSi1RlVDQF8U2sxLLSnFkCaMihqljHIWgMg==",
-      "dev": true
+      "integrity": "sha512-jtD6YG370ZCIi/9GTaJKQxWTZD045+4R4hTk/x1UyoqadyJ9x9CgSi1RlVDQF8U2sxLLSnFkCaMihqljHIWgMg=="
    },
    "duplexer3": {
      "version": "0.1.4",
@@ -9311,6 +9310,20 @@
      "integrity": "sha1-Qa4u62XvpiJorr/qg6x9eSmbCIc=",
      "dev": true
    },
+    "event-stream": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/event-stream/-/event-stream-4.0.1.tgz",
+      "integrity": "sha512-qACXdu/9VHPBzcyhdOWR5/IahhGMf0roTeZJfzz077GwylcDd90yOHLouhmv7GJ5XzPi6ekaQWd8AvPP2nOvpA==",
+      "requires": {
+        "duplexer": "^0.1.1",
+        "from": "^0.1.7",
+        "map-stream": "0.0.7",
+        "pause-stream": "^0.0.11",
+        "split": "^1.0.1",
+        "stream-combiner": "^0.2.2",
+        "through": "^2.3.8"
+      }
+    },
    "events": {
      "version": "3.3.0",
      "resolved": "https://registry.npmjs.org/events/-/events-3.3.0.tgz",
@@ -10205,6 +10218,11 @@
      "integrity": "sha1-PYyt2Q2XZWn6g1qx+OSyOhBWBac=",
      "dev": true
    },
+    "from": {
+      "version": "0.1.7",
+      "resolved": "https://registry.npmjs.org/from/-/from-0.1.7.tgz",
+      "integrity": "sha1-g8YK/Fi5xWmXAH7Rp2izqzA6RP4="
+    },
    "from2": {
      "version": "2.3.0",
      "resolved": "https://registry.npmjs.org/from2/-/from2-2.3.0.tgz",
@@ -12946,6 +12964,22 @@
      "integrity": "sha1-HADHQ7QzzQpOgHWPe2SldEDZ/wA=",
      "dev": true
    },
+    "linux-ca": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/linux-ca/-/linux-ca-1.0.0.tgz",
+      "integrity": "sha512-Dg5Zh/IehfqiJ0QAy0MGdgWXYXjUinsz6+aHe2y9FI01GJEHxlqzJIsg2mfC/VDVLEB0tM5m8bxzwV7kPGkAhQ==",
+      "requires": {
+        "event-stream": "^4.0.1",
+        "node-forge": "^0.9.1"
+      },
+      "dependencies": {
+        "node-forge": {
+          "version": "0.9.2",
+          "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-0.9.2.tgz",
+          "integrity": "sha512-naKSScof4Wn+aoHU6HBsifh92Zeicm1GDQKd1vp3Y/kOi8ub0DozCa9KpvYNCXslFHYRmLNiqRopGdTGwNLpNw=="
+        }
+      }
+    },
    "loader-runner": {
      "version": "2.4.0",
      "resolved": "https://registry.npmjs.org/loader-runner/-/loader-runner-2.4.0.tgz",
@@ -13216,6 +13250,11 @@
      "integrity": "sha1-wyq9C9ZSXZsFFkW7TyasXcmKDb8=",
      "dev": true
    },
+    "map-stream": {
+      "version": "0.0.7",
+      "resolved": "https://registry.npmjs.org/map-stream/-/map-stream-0.0.7.tgz",
+      "integrity": "sha1-ih8HiW2CsQkmvTdEokIACfiJdKg="
+    },
    "map-visit": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/map-visit/-/map-visit-1.0.0.tgz",
@@ -14586,6 +14625,14 @@
      "integrity": "sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==",
      "dev": true
    },
+    "pause-stream": {
+      "version": "0.0.11",
+      "resolved": "https://registry.npmjs.org/pause-stream/-/pause-stream-0.0.11.tgz",
+      "integrity": "sha1-/lo0sMvOErWqaitAPuLnO2AvFEU=",
+      "requires": {
+        "through": "~2.3"
+      }
+    },
    "pbkdf2": {
      "version": "3.1.1",
      "resolved": "https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.1.tgz",
@@ -18156,6 +18203,15 @@
      "resolved": "https://registry.npmjs.org/stream-buffers/-/stream-buffers-3.0.2.tgz",
      "integrity": "sha512-DQi1h8VEBA/lURbSwFtEHnSTb9s2/pwLEaFuNhXwy1Dx3Sa0lOuYT2yNUr4/j2fs8oCAMANtrZ5OrPZtyVs3MQ=="
    },
+    "stream-combiner": {
+      "version": "0.2.2",
+      "resolved": "https://registry.npmjs.org/stream-combiner/-/stream-combiner-0.2.2.tgz",
+      "integrity": "sha1-rsjLrBd7Vrb0+kec7YwZEs7lKFg=",
+      "requires": {
+        "duplexer": "~0.1.1",
+        "through": "~2.3.4"
+      }
+    },
    "stream-each": {
      "version": "1.2.3",
      "resolved": "https://registry.npmjs.org/stream-each/-/stream-each-1.2.3.tgz",
--- a/package.json
+++ b/package.json
@@ -61,6 +61,7 @@
    "vue-shortkey": "^3.1.7",
    "vue-slider-component": "^3.2.11",
    "win-ca": "^3.4.5",
+    "linux-ca": "^1.0.0",
    "xdg-app-paths": "^5.4.1",
    "yaml": "^1.10.2"
  },
--- a/scripts/download/lima.mjs
+++ b/scripts/download/lima.mjs
@@ -10,7 +10,7 @@ const limaRepo = 'https://github.com/rancher-sandbox/lima-and-qemu';
 const limaTag = 'v1.5';

 const limaLinuxRepo = 'https://github.com/lima-vm/lima';
-const limaLinuxVersion = '0.6.3';
+const limaLinuxVersion = '0.6.4';

 const alpineLimaRepo = 'https://github.com/lima-vm/alpine-lima';
 const alpineLimaTag = 'v0.1.4';
--- a/src/main/networking/index.ts
+++ b/src/main/networking/index.ts
@@ -5,6 +5,7 @@ import os from 'os';
 import Electron from 'electron';
 import MacCA from 'mac-ca';
 import WinCA from 'win-ca';
+import LinuxCA from 'linux-ca';

 import mainEvents from '@/main/mainEvents';
 import ElectronProxyAgent from './proxy';
@@ -29,7 +30,7 @@ export default function setupNetworking() {
 }

 // Set up certificate handling for system certificates on Windows and macOS
-Electron.app.on('certificate-error', (event, webContents, url, error, certificate, callback) => {
+Electron.app.on('certificate-error', async(event, webContents, url, error, certificate, callback) => {
  if (error === 'net::ERR_CERT_INVALID') {
    // If we're getting *this* particular error, it means it's an untrusted cert.
    // Ask the system store.
@@ -52,7 +53,7 @@ Electron.app.on('certificate-error', (event, webContents, url, error, certificat
          return;
        }
      }
-    } else if (os.platform() === 'darwin' || os.platform() === 'linux') {
+    } else if (os.platform() === 'darwin') {
      for (const cert of MacCA.all(MacCA.der2.pem)) {
        // For now, just check that the PEM data matches exactly; this is
        // probably a little more strict than necessary, but avoids issues like
@@ -65,6 +66,21 @@ Electron.app.on('certificate-error', (event, webContents, url, error, certificat
          return;
        }
      }
+    } else if (os.platform() === 'linux') {
+      // Not sure if this is a feature or bug, linux-ca returns certs
+      // in a nested array
+      for (const certs of await LinuxCA.getAllCerts(true)) {
+        for (const cert of certs) {
+          // For now, just check that the PEM data matches exactly
+          if (certificate.data === cert) {
+            console.log(`Accepting system certificate for ${ certificate.subjectName } (${ certificate.fingerprint })`);
+            // eslint-disable-next-line node/no-callback-literal
+            callback(true);
+
+            return;
+          }
+        }
+      }
    }
  }

@@ -78,7 +94,7 @@ function defined<T>(input: T | undefined | null): input is T {
  return typeof input !== 'undefined' && input !== null;
 }

-mainEvents.on('cert-get-ca-certificates', () => {
+mainEvents.on('cert-get-ca-certificates', async() => {
  let certs = https.globalAgent.options.ca;

  if (!Array.isArray(certs)) {
@@ -90,6 +106,13 @@ mainEvents.on('cert-get-ca-certificates', () => {
    // `tls.createSecureContext()` instead, so we don't have a list of CAs here.
    // We need to fetch it manually.
    certs.push(...WinCA({ generator: true, format: WinCA.der2.pem }));
+  } else if (os.platform() === 'linux') {
+    // On Linux, linux-ca doesn't add CAs into the agent; so we add them manually.
+    // Not sure if this is a bug or a feature, but linux-cA returns a nested
+    // array with certs
+    for (const crts of await LinuxCA.getAllCerts(true)) {
+      certs.push(...crts);
+    }
  }

  mainEvents.emit('cert-ca-certificates', certs);
--- a/src/typings/linux-ca.d.ts
+++ b/src/typings/linux-ca.d.ts
@@ -0,0 +1,10 @@
+declare module 'linux-ca' {
+  // eslint-disable-next-line import/no-duplicates
+  import * as forge from 'node-forge';
+
+  export function getAllCerts(readSync?: boolean): Promise<string[]>;
+  export function getFilteredCerts(filterAttribute: string, filterMethod?: (cert: forge.pki.Certificate, attribute) => boolean): Promise<string[]>;
+  export function pemToCert(pem: string): forge.pki.Certificate;
+  export function certToPem(cert: forge.pki.Certificate): string;
+  export function defaultFilter(cert: forge.pki.Certificate, subject: string): boolean;
+}