introduce CA single-file bundle support

- smithproxy must be reconfigured, settings/ca_bundle_file must contain file with the CA bundle. The value is by default empty. Using this bundle is preferred, **if set** (non-default). - add `sx_download_ca_bundle` helper script, which will download curl CA bundle. (distilled Mozilla CA bundle). - patch for new feature request issue #33
astibal · Dec 7, 2022 · cdfa705 · cdfa705
1 parent 1cd9ba1
commit cdfa705
Show file tree

Hide file tree

Showing 8 changed files with 50 additions and 8 deletions.
diff --git a/install.cmake b/install.cmake
@@ -66,6 +66,12 @@ if(UNIX)
             WORLD_READ WORLD_EXECUTE
             )
 
+    install(FILES tools/sx_download_ca_bundle DESTINATION bin
+            PERMISSIONS
+            OWNER_READ OWNER_WRITE OWNER_EXECUTE
+            GROUP_READ GROUP_EXECUTE
+            WORLD_READ WORLD_EXECUTE
+            )
 
     install(FILES man/TESTING_README.txt DESTINATION share/smithproxy/docs)
 

diff --git a/snapcraft.yaml b/snapcraft.yaml
@@ -147,6 +147,12 @@ apps:
     plugs:
       - network
 
+  download-ca-bundle:
+    command: usr/bin/sx_download_ca_bundle
+    plugs:
+      - network
+
+
   net:
     command: usr/bin/sx_network
     plugs:

diff --git a/socle b/socle
diff --git a/src/service/cfgapi/cfgapi.cpp b/src/service/cfgapi/cfgapi.cpp
@@ -386,9 +386,10 @@ bool CfgFactory::upgrade_schema(int upgrade_to_num) {
 
         return true;
     }
-
-
-
+    else if(upgrade_to_num == 1013) {
+        log.event(INF, "added settings.certs_ca_file");
+        return true;
+    }
 
     return false;
 }
@@ -642,9 +643,8 @@ bool CfgFactory::load_settings () {
     }
 
 
-    if(! load_if_exists(cfgapi.getRoot()["settings"], "ca_bundle_path",SSLFactory::factory().ca_path())) {
-        load_if_exists(cfgapi.getRoot()["settings"], "certs_ca_path", SSLFactory::factory().ca_path());
-    }
+    load_if_exists(cfgapi.getRoot()["settings"], "ca_bundle_path",SSLFactory::factory().ca_path());
+    load_if_exists(cfgapi.getRoot()["settings"], "ca_bundle_file", SSLFactory::factory().ca_file());
 
     load_if_exists(cfgapi.getRoot()["settings"], "ssl_autodetect",MitmMasterProxy::ssl_autodetect);
     load_if_exists(cfgapi.getRoot()["settings"], "ssl_autodetect_harder",MitmMasterProxy::ssl_autodetect_harder);
@@ -4565,6 +4565,7 @@ int save_settings(Config& ex) {
     objects.add("certs_ca_key_password", Setting::TypeString) = SSLFactory::factory().certs_password();
     objects.add("certs_ctlog", Setting::TypeString) = SSLFactory::factory().ctlogfile();
     objects.add("ca_bundle_path", Setting::TypeString) = SSLFactory::factory().ca_path();
+    objects.add("ca_bundle_file", Setting::TypeString) = SSLFactory::factory().ca_file();
 
     objects.add("plaintext_port", Setting::TypeString) = CfgFactory::get()->listen_tcp_port_base;
     objects.add("plaintext_workers", Setting::TypeInt) = CfgFactory::get()->num_workers_tcp;

diff --git a/src/service/cfgapi/cfgapi.hpp b/src/service/cfgapi/cfgapi.hpp
@@ -203,7 +203,7 @@ class CfgFactory : public CfgFactoryBase {
 //    static inline bool config_changed_flag = false;
 
     // Each version bump implies a config upgrade - we start on 1000
-    constexpr static inline const int SCHEMA_VERSION  = 1012;
+    constexpr static inline const int SCHEMA_VERSION  = 1013;
 
     CfgFactory() = default;
     CfgFactory(CfgFactory const &) = delete;

diff --git a/src/service/cfgapi/cfgvalue.cpp b/src/service/cfgapi/cfgvalue.cpp
@@ -136,6 +136,11 @@ void CfgValueHelp::init() {
             .may_be_empty(false)
             .value_filter(CfgValue::VALUE_DIR);
 
+    add("settings.ca_bundle_file", "trusted CA bundle file (preferred over directory)")
+            .help_quick("<string>: enter valid path to file")
+            .may_be_empty(true)
+            .value_filter(CfgValue::VALUE_FILE);
+
     // listening ports
 
     add("settings.plaintext_port", "base divert port for non-SSL TCP traffic")

diff --git a/src/service/cmd/diag/diag_cmds.cpp b/src/service/cmd/diag/diag_cmds.cpp
@@ -106,6 +106,9 @@ int cli_diag_ssl_cache_stats(struct cli_def *cli, const char *command, char *arg
 
     size_t n_cache = 0;
     int n_maxsize = 0;
+    bool ver_bundle = store->stats.ca_verify_use_file;
+    bool sto_bundle = store->stats.ca_store_use_file;
+
     {
         auto lc_ = std::scoped_lock(store->lock());
         n_cache = store->cache().cache().size();
@@ -116,6 +119,9 @@ int cli_diag_ssl_cache_stats(struct cli_def *cli, const char *command, char *arg
     cli_print(cli,"certificate store stats: ");
     cli_print(cli,"    cache size: %zu ", n_cache);
     cli_print(cli,"      max size: %d ", n_maxsize);
+    cli_print(cli,"    cert verify from bundle: %d", ver_bundle);
+    cli_print(cli,"    cert store from bundle: %d", sto_bundle);
+
 
     return CLI_OK;
 }

diff --git a/tools/sx_download_ca_bundle b/tools/sx_download_ca_bundle
@@ -0,0 +1,18 @@
+#!/usr/bin/env sh
+
+FILE_PATH="/etc/smithproxy/certs/ca_curl_bundle.pem"
+FILE_URL="https://curl.se/ca/cacert.pem"
+
+wget ${FILE_URL} -O ${FILE_PATH}
+
+if [ $? -ne 0 ]; then
+    echo "   !!! Sorry, something went wrong..."
+else
+    echo
+    echo "       => file saved here: ${FILE_PATH}"
+    echo "   !!! Smithproxy must be reconfigured to use this CA bundle and then restarted."
+    echo
+fi
+
+
+