Blob Blame History Raw
From fc56c987058558d47d6bfe64ec11d2819b7886fe Mon Sep 17 00:00:00 2001
From: Matej Habrnal <mhabrnal@redhat.com>
Date: Thu, 3 Sep 2015 13:55:07 +0200
Subject: [PATCH] ureport: use Red Hat Certificate Authority to make rhsm cert
 trusted

In the case we use authenticated auto reporting by rhsm the cert is not trusted
and it breaks Auto-reporting feature. This commit feeds curl with the
cert-api.access.redhat.com.pem file which make the cert trusted.

Related to rhbz#1223805

Signed-off-by: Matej Habrnal <mhabrnal@redhat.com>
---
 src/include/ureport.h |  1 +
 src/lib/ureport.c     | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/src/include/ureport.h b/src/include/ureport.h
index 780b898..a1d03f6 100644
--- a/src/include/ureport.h
+++ b/src/include/ureport.h
@@ -52,6 +52,7 @@ struct ureport_server_config
     char *ur_client_cert; ///< Path to certificate used for client
                           ///< authentication (or NULL)
     char *ur_client_key;  ///< Private key for the certificate
+    char *ur_cert_authority_cert; ///< Certificate authority certificate
     char *ur_username;    ///< username for basic HTTP auth
     char *ur_password;    ///< password for basic HTTP auth
     map_string_t *ur_http_headers; ///< Additional HTTP headers
diff --git a/src/lib/ureport.c b/src/lib/ureport.c
index 990ace6..76bcc95 100644
--- a/src/lib/ureport.c
+++ b/src/lib/ureport.c
@@ -37,6 +37,12 @@
 #define RHSMCON_CERT_NAME "cert.pem"
 #define RHSMCON_KEY_NAME "key.pem"
 
+/* Using the same template as for RHSM certificate, macro for cert dir path and
+ * macro for cert name. Cert path can be easily modified for example by reading
+ * an environment variable LIBREPORT_DEBUG_AUTHORITY_CERT_DIR_PATH
+ */
+#define CERT_AUTHORITY_CERT_PATH "/etc/redhat-access-insights"
+#define CERT_AUTHORITY_CERT_NAME "cert-api.access.redhat.com.pem"
 
 static char *
 puppet_config_print(const char *key)
@@ -106,6 +112,17 @@ certificate_exist(char *cert_name)
     return true;
 }
 
+static bool
+cert_authority_cert_exist(char *cert_name)
+{
+    if (access(cert_name, F_OK) != 0)
+    {
+        log_notice("Certs validating the server '%s' does not exist.", cert_name);
+        return false;
+    }
+    return true;
+}
+
 void
 ureport_server_config_set_client_auth(struct ureport_server_config *config,
                                       const char *client_auth)
@@ -134,6 +151,16 @@ ureport_server_config_set_client_auth(struct ureport_server_config *config,
         char *cert_full_name = concat_path_file(rhsm_dir, RHSMCON_CERT_NAME);
         char *key_full_name = concat_path_file(rhsm_dir, RHSMCON_KEY_NAME);
 
+        /* get authority certificate dir path from environment variable, if it
+         * is not set, use CERT_AUTHORITY_CERT_PATH
+         */
+        const char *authority_cert_dir_path = getenv("LIBREPORT_DEBUG_AUTHORITY_CERT_DIR_PATH");
+        if (authority_cert_dir_path == NULL)
+           authority_cert_dir_path = CERT_AUTHORITY_CERT_PATH;
+
+        char *cert_authority_cert_full_name = concat_path_file(authority_cert_dir_path,
+                                                                 CERT_AUTHORITY_CERT_NAME);
+
         if (certificate_exist(cert_full_name) && certificate_exist(key_full_name))
         {
             config->ur_client_cert = cert_full_name;
@@ -147,6 +174,16 @@ ureport_server_config_set_client_auth(struct ureport_server_config *config,
             log_notice("Using the default configuration for uReports.");
         }
 
+        if (cert_authority_cert_exist(cert_authority_cert_full_name))
+        {
+            config->ur_cert_authority_cert = cert_authority_cert_full_name;
+            log_debug("Using validating server cert: '%s'", config->ur_cert_authority_cert);
+        }
+        else
+        {
+            free(cert_authority_cert_full_name);
+        }
+
         free(rhsm_dir);
 
     }
@@ -286,6 +323,7 @@ ureport_server_config_init(struct ureport_server_config *config)
     config->ur_ssl_verify = true;
     config->ur_client_cert = NULL;
     config->ur_client_key = NULL;
+    config->ur_cert_authority_cert = NULL;
     config->ur_username = NULL;
     config->ur_password = NULL;
     config->ur_http_headers = new_map_string();
@@ -304,6 +342,9 @@ ureport_server_config_destroy(struct ureport_server_config *config)
     free(config->ur_client_key);
     config->ur_client_key = DESTROYED_POINTER;
 
+    free(config->ur_cert_authority_cert);
+    config->ur_cert_authority_cert = DESTROYED_POINTER;
+
     free(config->ur_username);
     config->ur_username = DESTROYED_POINTER;
 
@@ -701,6 +742,7 @@ ureport_do_post(const char *json, struct ureport_server_config *config,
     {
         post_state->client_cert_path = config->ur_client_cert;
         post_state->client_key_path = config->ur_client_key;
+        post_state->cert_authority_cert_path = config->ur_cert_authority_cert;
     }
     else if (config->ur_username && config->ur_password)
     {
-- 
2.4.3