Search only canonical paths on FreeBSD

[michael-o]

FreeBSD contains a canonical certstore managed by certctl(8) located in the base system (/etc/ssl), search there first. Alternatively, a user can populate a custom store in distbase (/usr/local/etc/ssl) with certctl(8) which shall be queried if the former does not exist. At last, there is a store for OpenSSL from the ports (/usr/local/openssl) outside of certctl(8)'s reach.

This fixes #20 and fixes #37

FreeBSD port maintainer here.

Solution approach: Instead of trying to shuffle around the actual arrays and causing regressions in other places I can never test I have intentionally introduced #cfg which I know for sure works on FreeBSD throughout the bank. I have patched rust-1.90.0 and uv-0.9.6 which both include openssl-probe-0.1.6 and built both in a jail.

Verification in a standalone application while removing and adding potential candidates:

cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ cargo run
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.00s
     Running `target/debug/openssl-probe-tester`
result.cert_file: None
result.cert_dir: /etc/ssl/certs
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ cargo run
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.00s
     Running `target/debug/openssl-probe-tester`
result.cert_file: None
result.cert_dir: None
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ cargo run
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.00s
     Running `target/debug/openssl-probe-tester`
result.cert_file: /etc/ssl/cert.pem
result.cert_dir: None
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ cargo run
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.00s
     Running `target/debug/openssl-probe-tester`
result.cert_file: None
result.cert_dir: None
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ cargo run
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.03s
     Running `target/debug/openssl-probe-tester`
result.cert_file: /usr/local/etc/ssl/cert.pem
result.cert_dir: None
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ cargo run
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.01s
     Running `target/debug/openssl-probe-tester`
result.cert_file: /usr/local/etc/ssl/cert.pem
result.cert_dir: /usr/local/etc/ssl/certs
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ cargo run
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.00s
     Running `target/debug/openssl-probe-tester`
result.cert_file: None
result.cert_dir: /usr/local/etc/ssl/certs
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ cargo run
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.00s
     Running `target/debug/openssl-probe-tester`
result.cert_file: None
result.cert_dir: None
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ cargo run
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.00s
     Running `target/debug/openssl-probe-tester`
cert_file: /usr/local/openssl/cert.pem
result.cert_file: /usr/local/openssl/cert.pem
result.cert_dir: /etc/ssl/certs
cafe-custom-uis@deblndw013x3j:/usr/home/cafe-custom-uis/openssl-probe-tester
$ cargo run
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.00s
     Running `target/debug/openssl-probe-tester`
cert_file: /usr/local/openssl/cert.pem
result.cert_file: /usr/local/openssl/cert.pem
result.cert_dir: None

Running against publically available servers as well as in-house with enterprise CA structure.

uv initially:

$ NETRC=../native-deps-test/.netrc truss -f -o out uv --native-tls  --cache-dir=uv-cache sync --index-strategy unsafe-best-match
  × Failed to download and build `requests-negotiate-sspi @ git+https://github.com/michael-o/requests-negotiate-sspi.git@auth-done-right`
  ├─▶ Failed to resolve requirements from `setup.py` build
  ├─▶ No solution found when resolving: `setuptools>=40.8.0`
  ├─▶ Failed to fetch: `https://dw-eng-rsc.innomotics.net/FreeBSD/python-wheels/FreeBSD:13:amd64/cafe-custom-uis-latest/simple/setuptools/`
  ├─▶ Request failed after 3 retries
  ├─▶ error sending request for url (https://dw-eng-rsc.innomotics.net/FreeBSD/python-wheels/FreeBSD:13:amd64/cafe-custom-uis-latest/simple/setuptools/)
  ├─▶ client error (Connect)
  ╰─▶ invalid peer certificate: UnknownIssuer

cargo after patch:

fstatat(AT_FDCWD,"/etc/ssl",{ mode=drwxr-xr-x ,inode=127,size=7,blksize=4096 },0x0) = 0 (0x0)
fstatat(AT_FDCWD,"/etc/ssl/cert.pem",0xc3508e24290,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/etc/ssl/ca-root-nss.crt",0xc3508e24290,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/etc/ssl/certs",{ mode=drwxr-xr-x ,inode=541,size=196,blksize=12800 },0x0) = 0 (0x0)
fstatat(AT_FDCWD,"/usr/local/etc/ssl",{ mode=drwxr-xr-x ,inode=52300,size=4,blksize=4096 },0x0) = 0 (0x0)
fstatat(AT_FDCWD,"/usr/local/etc/ssl/cert.pem",0xc3508e24290,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/usr/local/etc/ssl/ca-root-nss.crt",0xc3508e24290,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/usr/local/openssl",{ mode=drwxr-xr-x ,inode=2179799,size=3,blksize=4096 },0x0) = 0 (0x0)
fstatat(AT_FDCWD,"/usr/local/openssl/cert.pem",0xc3508e24290,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/usr/local/openssl/ca-root-nss.crt",0xc3508e24290,0x0) ERR#2 'No such file or directory'

...
fstatat(AT_FDCWD,"/etc/ssl/certs/940ae196.0",{ mode=-rw-r--r-- ,inode=1987121,size=3985,blksize=4096 },0x0) = 0 (0x0)
open("/etc/ssl/certs/940ae196.0",O_RDONLY,0666)  = 6 (0x6)
fstatat(AT_FDCWD,"/etc/ssl/certs/940ae196.1",0x35857ac12d0,0x0) ERR#2 'No such file or directory'
43738: read(6,"subject: CN=Siemens Issuing CA I"...,4096) = 3985 (0xf91)
43738: read(6,0x11f29c8aa000,4096)       = 0 (0x0)
43738: close(6)                  = 0 (0x0)
43738: fstatat(AT_FDCWD,"/etc/ssl/certs/940ae196.1",0x11f291c2fb10,0x0) ERR#2 'No such file or directory'
...

uv after patch:

13681: fstatat(AT_FDCWD,"/etc/ssl",{ mode=drwxr-xr-x ,inode=127,size=7,blksize=4096 },0x0) = 0 (0x0)
13681: fstatat(AT_FDCWD,"/etc/ssl/cert.pem",0x389b290dd050,0x0) ERR#2 'No such file or directory'
13681: fstatat(AT_FDCWD,"/etc/ssl/ca-root-nss.crt",0x389b290dd050,0x0) ERR#2 'No such file or directory'
13681: fstatat(AT_FDCWD,"/etc/ssl/certs",{ mode=drwxr-xr-x ,inode=541,size=196,blksize=12800 },0x0) = 0 (0x0)
13681: fstatat(AT_FDCWD,"/usr/local/etc/ssl",{ mode=drwxr-xr-x ,inode=52300,size=4,blksize=4096 },0x0) = 0 (0x0)
13681: fstatat(AT_FDCWD,"/usr/local/etc/ssl/cert.pem",0x389b290dd050,0x0) ERR#2 'No such file or directory'
13681: fstatat(AT_FDCWD,"/usr/local/etc/ssl/ca-root-nss.crt",0x389b290dd050,0x0) ERR#2 'No such file or directory'
13681: fstatat(AT_FDCWD,"/usr/local/openssl",{ mode=drwxr-xr-x ,inode=2179799,size=3,blksize=4096 },0x0) = 0 (0x0)
13681: fstatat(AT_FDCWD,"/usr/local/openssl/cert.pem",0x389b290dd050,0x0) ERR#2 'No such file or directory'
13681: fstatat(AT_FDCWD,"/usr/local/openssl/ca-root-nss.crt",0x389b290dd050,0x0) ERR#2 'No such file or directory'
13681: open("/etc/ssl/certs",O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC,014335062457) = 11 (0xb)
13681: fcntl(11,F_ISUNIONSTACK,0x0)      = 0 (0x0)
13681: getdirentries(11,"\^]\^B\0\0\0\0\0\0\^A\0\0\0\0\0"...,4096,{ 0x0 }) = 4064 (0xfe0)
13681: fstatat(AT_FDCWD,"/etc/ssl/certs/3bde41ac.0",{ mode=-r--r--r-- ,inode=7585,size=7919,blksize=8192 },0x0) = 0 (0x0)
13681: openat(AT_FDCWD,"/etc/ssl/certs/3bde41ac.0",O_RDONLY|O_CLOEXEC,00) = 12 (0xc)
13681: read(12,"##\n##  Autoridad de Certificaci"...,8192) = 7919 (0x1eef)
13681: read(12,0x389b2a7b5000,8192)      = 0 (0x0)
13681: close(12)                 = 0 (0x0)
13681: fstatat(AT_FDCWD,"/etc/ssl/certs/14bc7599.0",{ mode=-r--r--r-- ,inode=7695,size=3136,blksize=4096 },0x0) = 0 (0x0)
13681: openat(AT_FDCWD,"/etc/ssl/certs/14bc7599.0",O_RDONLY|O_CLOEXEC,00) = 12 (0xc)
13681: read(12,"##\n##  emSign ECC Root CA - G3"...,8192) = 3136 (0xc40)
13681: read(12,0x389b2a7b5000,8192)      = 0 (0x0)
13681: close(12)                 = 0 (0x0)
...

Temporary downstream patches for the FreeBSD ports system: freebsd/freebsd-ports@main...michael-o:freebsd-ports:openssl-probe-freebsd

FreeBSD ports which will potentially benefit from in the long run:

osipovmi@deblndw011x:~/var/Projekte/freebsd/ports (openssl-probe-freebsd =)
$ grep -r --include=Makefile.crates openssl-probe- . -l | cut -f 2-3 -d /
audio/gnome-podcasts
audio/lewton
audio/ncspot
audio/shortwave
audio/spotify-player
audio/spotifyd
cad/surfer
databases/py-datafusion
databases/qdrant
deskutils/tatuin
deskutils/readur
devel/cargo-c
devel/cargo-generate
devel/gitui
devel/libdatadog
devel/uv
devel/py-maturin
devel/cargo-make
devel/dorst
devel/sccache
devel/cargo-tarpaulin
devel/sentry-cli
devel/rustup-init
devel/wasmer
devel/tree-sitter-cli
devel/py-uv-build08
editors/lapce
editors/kakoune-lsp
finance/tickrs
games/anki
games/jumpy
games/veloren-weekly
graphics/asciinema-agg
irc/halloy
japanese/cskk
lang/scryer-prolog
mail/imap-tools
mail/stalwart
misc/py-hf-xet
misc/codex
multimedia/gstreamer1-plugins-rust
multimedia/librespot
net-im/conduit
net-im/fractal
net-im/libsignal-node
net-im/py-matrix-synapse
net-im/iamb
net-mgmt/bandwhich
net-p2p/oura
net/lldap
net/s3m
net/krill
net/sendme
net/oha
net/deltachat-rpc-server
net/ntpd-rs
net/routinator
net/dumbpipe
net/rabbitmqadmin
net/rustdesk-server
net/shadowsocks-rust
net/sniffnet
www/deno
www/dezoomify-rs
www/garage
www/hurl
www/lychee
www/miniserve
www/monolith
www/so
www/xh
www/loco
www/rustypaste-cli
www/wiki-tui
www/zola
www/sqlpage
www/wasm-bindgen-cli
security/acmed
security/arti
security/authenticator
security/cargo-audit
security/rustls-ffi
security/sequoia-sq
security/kanidm
security/vaultwarden
security/sequoia-chameleon-gnupg
shells/nu_plugin_gstat
shells/nu_plugin_polars
shells/nu_plugin_query
shells/sheldon
sysutils/tldr
sysutils/mdcat
sysutils/kubie
sysutils/tealdeer
sysutils/zellij
textproc/mdbook-linkcheck
textproc/quickwit
textproc/feluda
textproc/typst
textproc/gitlab-code-parser
x11/wezterm
filesystems/zerofs

Note: I am not a Rust developer at all. If you know this can be done more elegently, please tell!

@emaste @MikaelUrankar @dag-erling

[djc]

I don't think we want to "duplicate" as much API as you've done here -- we can probably scope it down a fair bit. For example, we could name the slice within candidate_cert_dirs() and use a different defintion for FreeBSD.

Is the main issue that prevents it from working right today the different order?

[djc]

Note: it's better not to refer to GitHub entities (whether users or PRs) in commit messages, as they will generate a lot of backreferences (as can be seen above). Instead, suggest linking to the PR in the upstream PR description.

[michael-o]

Note: it's better not to refer to GitHub entities (whether users or PRs) in commit messages, as they will generate a lot of backreferences (as can be seen above). Instead, suggest linking to the PR in the upstream PR description.

I see, I did it not purpose not to nag people, but to establish context between upstream and downstream. I want tracebility for all participants.

[michael-o]

I don't think we want to "duplicate" as much API as you've done here -- we can probably scope it down a fair bit. For example, we could name the slice within candidate_cert_dirs() and use a different defintion for FreeBSD.

Is the main issue that prevents it from working right today the different order?

Yes, at the end it boils down to order and a narrower list. If the wrong one comes first your actual store is never seen. This is why I have done a new method, we can add the #cfg into the method to the array. My Rust knowledge isn't existing so I didn't know better.

[michael-o]

Here is a patch which uses getlocalbase(3):

$ ldd target/debug/openssl-probe-tester
target/debug/openssl-probe-tester:
        libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0xa8417754000)
        libutil.so.9 => /lib/libutil.so.9 (0xa8417ea3000)
        libthr.so.3 => /lib/libthr.so.3 (0xa8419876000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xa841ab94000)
        libc.so.7 => /lib/libc.so.7 (0xa841c1fa000)
        libnghttp2.so.14 => /usr/local/lib/libnghttp2.so.14 (0xa8419d15000)
        libssl.so.111 => /usr/lib/libssl.so.111 (0xa841b585000)
        libcrypto.so.111 => /lib/libcrypto.so.111 (0xa841c9e0000)
        libk5crypto.so.3.1 => /usr/local/lib/libk5crypto.so.3.1 (0xa841d536000)
        libcom_err.so.3.0 => /usr/local/lib/libcom_err.so.3.0 (0xa841e1ee000)
        libz.so.6 => /lib/libz.so.6 (0xa841f5e8000)
        libkrb5.so.3.3 => /usr/local/lib/libkrb5.so.3.3 (0xa841ee95000)
        libgssapi_krb5.so.2.2 => /usr/local/lib/libgssapi_krb5.so.2.2 (0xa841fcb8000)
        libkrb5support.so.0.1 => /usr/local/lib/libkrb5support.so.0.1 (0xa84208a2000)
        libintl.so.8 => /usr/local/lib/libintl.so.8 (0xa8420b8c000)
        [vdso] (0x7ffffffff650)


$ LOCALBASE=/your/momma truss -o out ./target/debug/openssl-probe-tester

$ grep fstatat out
fstatat(AT_FDCWD,"/usr/share/nls/C/libc.cat",0x277ee3f319a0,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/usr/share/nls/libc/C",0x277ee3f319a0,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/usr/local/share/nls/C/libc.cat",0x277ee3f319a0,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/usr/local/share/nls/libc/C",0x277ee3f319a0,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/etc/ssl",{ mode=drwxr-xr-x ,inode=127,size=7,blksize=4096 },0x0) = 0 (0x0)
fstatat(AT_FDCWD,"/etc/ssl/cert.pem",0x277ee3f320b0,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/etc/ssl/ca-root-nss.crt",0x277ee3f320b0,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/etc/ssl/certs",0x277ee3f32310,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/your/momma/etc/ssl",0x277ee3f31f80,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/your/momma/openssl",0x277ee3f31f80,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/etc/ssl",{ mode=drwxr-xr-x ,inode=127,size=7,blksize=4096 },0x0) = 0 (0x0)
fstatat(AT_FDCWD,"/etc/ssl/cert.pem",0x277ee3f31fe0,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/etc/ssl/ca-root-nss.crt",0x277ee3f31fe0,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/etc/ssl/certs",0x277ee3f32240,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/your/momma/etc/ssl",0x277ee3f31eb0,0x0) ERR#2 'No such file or directory'
fstatat(AT_FDCWD,"/your/momma/openssl",0x277ee3f31eb0,0x0) ERR#2 'No such file or directory'

The problem I have is that is is basically incompatible with the static Path thing and the function is public, so cannot change to PathBuf. It leaks memory. Don't know where to go from here.

[djc]

Do you actually need these? Why?

[michael-o]

Not necessarily, it just reduces the list because the other files will never exist by default with the other dirs I have supplied. "ca-root-nss.crt" is missing. I can it and collapse the list.

Sake of completeness.

[djc]

How do you know they will never exist? Aren't users allowed to put stuff there?

[michael-o]

In theory you are right, but

• vast majority will use certlctl(8)
• outside of depicted default paths you can always resort to the env vars (home grown)