From a46cd30b9aacff7387c17d62c9cd294942e7fb85 Mon Sep 17 00:00:00 2001
From: Eduardo Mozart de Oliveira <2974895+eduardomozart@users.noreply.github.com>
Date: Fri, 17 Jan 2025 13:25:32 -0300
Subject: [PATCH 1/7] Add SystemRootCA for macOS and support other OSes to Mozilla:CA in ssl-keystore
As discussed in https://github.com/glpi-project/glpi-agent/pull/823, this PR adds the SystemRootCA for macOS and remove the ``ssl-keystore`` limitation on other systems as they could rely at least on Mozilla CA store.
---
 lib/GLPI/Agent/HTTP/Client.pm | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/lib/GLPI/Agent/HTTP/Client.pm b/lib/GLPI/Agent/HTTP/Client.pm
index c28320bd9..d54469b46 100644
--- a/lib/GLPI/Agent/HTTP/Client.pm
+++ b/lib/GLPI/Agent/HTTP/Client.pm
@@ -553,9 +553,6 @@ sub _setSSLOptions {
 sub _KeyChain_or_KeyStore_Export {
 my ($self) = @_;
- # Only MacOSX and MSWin32 are supported
- return unless $OSNAME =~ /^darwin|MSWin32$/;
-
 # But we don't need to extract anything if we still use an option to authenticate server certificate
 return if $self->{ca_cert_file} || $self->{ca_cert_dir} || (ref($self->{ssl_fingerprint}) eq 'ARRAY' && @{$self->{ssl_fingerprint}});
@@ -607,7 +604,11 @@ sub _KeyChain_or_KeyStore_Export {
 command => "security find-certificate -a -p > '$file'",
 logger => $logger
 );
- @certs = IO::Socket::SSL::Utils::PEM_file2certs($file)
+ getAllLines(
+ command => "security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> '$file'",
+ logger => $logger
+ );
+ push @certs, IO::Socket::SSL::Utils::PEM_file2certs($file)
 if -s $file;
 } else {
 my @certCommands;
From 7dd35dba4f4a02c4d43cf6e7939c5e6fcd21116a Mon Sep 17 00:00:00 2001
From: Eduardo Mozart de Oliveira <2974895+eduardomozart@users.noreply.github.com>
Date: Fri, 17 Jan 2025 13:58:58 -0300
Subject: [PATCH 2/7] Add Unix/Linux keystore support
---
 lib/GLPI/Agent/HTTP/Client.pm | 7 +++++++
 1 file changed, 7 insertions(+)
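Review bot: Both `security find-certificate -a -p` dumps in the darwin branch export every certificate in the searched keychains regardless of trust settings (the tool has no trust filter as far as I know), so a root an administrator has marked "Never Trust" in Keychain Access, or a stray certificate imported into the login keychain, still ends up in the PEM file that becomes the agent's CA bundle. Appending SystemRootCertificates.keychain to that dump makes the bundle a superset of what the OS itself would accept for a TLS connection, which may be intended but is not stated anywhere. A comment above the first `getAllLines(` would make the trade-off visible: `# NOTE: find-certificate ignores keychain trust settings; distrusted and non-CA entries are exported as well`. Note also that because output is redirected into `$file`, a failing `security` invocation is only detected indirectly by the `-s $file` test below. The enclosing if/else and the sub itself continue outside the hunk.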
diff --git a/lib/GLPI/Agent/HTTP/Client.pm b/lib/GLPI/Agent/HTTP/Client.pm
index d54469b46..b43a181b2 100644
--- a/lib/GLPI/Agent/HTTP/Client.pm
+++ b/lib/GLPI/Agent/HTTP/Client.pm
@@ -692,6 +692,13 @@ sub _KeyChain_or_KeyStore_Export {
 }
 }
+ # Like Mozilla::CA, but using certs from /etc/ssl/certs
+ if ($OSNAME !~ /^darwin|MSWin32$/) {
+ my $cacert = "/etc/ssl/certs/ca-certificates.crt";
+ push @certs, IO::Socket::SSL::Utils::PEM_file2certs($cacert)
+ if -e $cacert;
+ }
+
 # Always include default CA file from Mozilla::CA
 if (Mozilla::CA->require()) {
 my $cacert = Mozilla::CA::SSL_ca_file();
From 8ccb5073c11fa297ae0995d465a5aa902bc84d6c Mon Sep 17 00:00:00 2001
From: Eduardo Mozart de Oliveira <2974895+eduardomozart@users.noreply.github.com>
Date: Fri, 17 Jan 2025 14:01:24 -0300
Subject: [PATCH 3/7] Fix typo
---
 lib/GLPI/Agent/HTTP/Client.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/GLPI/Agent/HTTP/Client.pm b/lib/GLPI/Agent/HTTP/Client.pm
index b43a181b2..17fe201b2 100644
--- a/lib/GLPI/Agent/HTTP/Client.pm
+++ b/lib/GLPI/Agent/HTTP/Client.pm
@@ -694,9 +694,9 @@ sub _KeyChain_or_KeyStore_Export {
 # Like Mozilla::CA, but using certs from /etc/ssl/certs
 if ($OSNAME !~ /^darwin|MSWin32$/) {
- my $cacert = "/etc/ssl/certs/ca-certificates.crt";
- push @certs, IO::Socket::SSL::Utils::PEM_file2certs($cacert)
- if -e $cacert;
+ my $sslcacert = "/etc/ssl/certs/ca-certificates.crt";
+ push @certs, IO::Socket::SSL::Utils::PEM_file2certs($sslcacert)
+ if -e $sslcacert;
 }
 # Always include default CA file from Mozilla::CA
From df97ac72156002b9e6c0c651b8a96b58330093a1 Mon Sep 17 00:00:00 2001
From: Eduardo Mozart de Oliveira <2974895+eduardomozart@users.noreply.github.com>
Date: Fri, 17 Jan 2025 15:05:17 -0300
Subject: [PATCH 4/7] Allow loading macOS system CA store
---
 lib/GLPI/Agent/HTTP/Client.pm | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
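Review bot: The new branch for platforms other than darwin/MSWin32 guards the distribution bundle only with `-e $cacert`, yet `IO::Socket::SSL::Utils::PEM_file2certs` croaks — if I remember its implementation correctly — when the file cannot be opened or holds no certificate, so an empty or unreadable `/etc/ssl/certs/ca-certificates.crt` (a minimal image with `ca-certificates` installed but never run, for instance) would abort the export instead of falling through to Mozilla::CA. Guarding with `if -r $cacert && -s _;`, or wrapping the call in an `eval` as the other store exports presumably do, keeps the fallback reliable. The path is also Debian/Ubuntu-specific: Red Hat derivatives ship `/etc/pki/tls/certs/ca-bundle.crt`, SUSE `/etc/ssl/ca-bundle.pem` and Alpine `/etc/ssl/cert.pem`, so a short candidate list — or IO::Socket::SSL's own `default_ca()` lookup, if the agent's minimum IO::Socket::SSL version provides it — would cover far more hosts. I would say so in the comment: `# Distribution CA bundle; only the Debian layout is probed here`.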
diff --git a/lib/GLPI/Agent/HTTP/Client.pm b/lib/GLPI/Agent/HTTP/Client.pm
index 17fe201b2..c9eb2bbdc 100644
--- a/lib/GLPI/Agent/HTTP/Client.pm
+++ b/lib/GLPI/Agent/HTTP/Client.pm
@@ -600,13 +600,12 @@ sub _KeyChain_or_KeyStore_Export {
 SUFFIX => ".pem",
 );
 my $file = $tmpfile->filename;
+ my $command = "security find-certificate -a -p";
+ $command .= " /System/Library/Keychains/SystemRootCertificates.keychain"
+ if $self->{ssl_keystore} =~ /^system-ssl-ca$/i;
 getAllLines(
- command => "security find-certificate -a -p > '$file'",
- logger => $logger
- );
- getAllLines(
- command => "security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> '$file'",
- logger => $logger
+ command => "$command > '$file'",
+ logger => $logger
 );
 push @certs, IO::Socket::SSL::Utils::PEM_file2certs($file)
 if -s $file;
From 22fc53b0354dc240bd4fd70fcb0f452926827989 Mon Sep 17 00:00:00 2001
From: Eduardo Mozart de Oliveira <2974895+eduardomozart@users.noreply.github.com>
Date: Fri, 17 Jan 2025 15:10:42 -0300
Subject: [PATCH 5/7] Load Mozilla::CA only if not loaded certs from other stores
---
 lib/GLPI/Agent/HTTP/Client.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/GLPI/Agent/HTTP/Client.pm b/lib/GLPI/Agent/HTTP/Client.pm
index c9eb2bbdc..dfa8f1a4f 100644
--- a/lib/GLPI/Agent/HTTP/Client.pm
+++ b/lib/GLPI/Agent/HTTP/Client.pm
@@ -698,8 +698,8 @@ sub _KeyChain_or_KeyStore_Export {
 if -e $sslcacert;
 }
- # Always include default CA file from Mozilla::CA
- if (Mozilla::CA->require()) {
+ # Include default CA file from Mozilla::CA if @certs is empty
+ if (!@certs && Mozilla::CA->require()) {
 my $cacert = Mozilla::CA::SSL_ca_file();
 push @certs, IO::Socket::SSL::Utils::PEM_file2certs($cacert)
 if -e $cacert;
From a57c19d14763a79293b246ed65d6884b8fd28a82 Mon Sep 17 00:00:00 2001
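Review bot: The added `if $self->{ssl_keystore} =~ /^system-ssl-ca$/i;` modifier will raise an "Use of uninitialized value" warning on every macOS run where the option is unset, if this sub can be reached without `ssl_keystore` being defined (the caller is outside the hunk, so I cannot confirm it). Comparing a fixed keyword with `if lc($self->{ssl_keystore} // '') eq 'system-ssl-ca';` avoids both the warning and the regex. The semantics also shift quietly: in PATCH 1/7 the system roots were appended to the default keychain search list, whereas here `system-ssl-ca` makes the export read only `SystemRootCertificates.keychain`, so the `my $command` line deserves a comment such as `# default keychain search list, or only Apple's system roots when ssl-keystore is 'system-ssl-ca'`.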
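Review bot: Prefixing the Mozilla::CA block with `!@certs &&` drops the fallback bundle as soon as the platform store yields a single certificate, and on MSWin32 that is a behavioural regression: Windows fills its ROOT store lazily through the AuthRoot update mechanism, so a fresh or offline machine may export only a handful of roots and the agent would then reject a server chained to a public CA that Windows itself would have accepted on first use. Before this change the comment promised "Always include" and the union papered over that gap; now a merely non-empty store suppresses it. If the goal is to trust only the platform store when the user asked for one, the switch should be driven by the configured `ssl_keystore` value rather than by `@certs` being non-empty, and the comment should name the platforms it affects. The later PATCH 6/7 and 7/7 in this series only re-enable the union on darwin, so Windows and Linux keep the new behaviour.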
From: Eduardo Mozart de Oliveira <2974895+eduardomozart@users.noreply.github.com>
Date: Fri, 17 Jan 2025 15:12:10 -0300
Subject: [PATCH 6/7] Update Client.pm
---
 lib/GLPI/Agent/HTTP/Client.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/GLPI/Agent/HTTP/Client.pm b/lib/GLPI/Agent/HTTP/Client.pm
index dfa8f1a4f..d77c7a0a7 100644
--- a/lib/GLPI/Agent/HTTP/Client.pm
+++ b/lib/GLPI/Agent/HTTP/Client.pm
@@ -699,7 +699,7 @@ sub _KeyChain_or_KeyStore_Export {
 }
 # Include default CA file from Mozilla::CA if @certs is empty
- if (!@certs && Mozilla::CA->require()) {
+ if ((!@certs || $self->{ssl_keystore} !~ /^system-ssl-ca$/i) && Mozilla::CA->require()) {
 my $cacert = Mozilla::CA::SSL_ca_file();
 push @certs, IO::Socket::SSL::Utils::PEM_file2certs($cacert)
 if -e $cacert;
From 7de97c1d85a3c9a2f479947501fd72bd3bafa715 Mon Sep 17 00:00:00 2001
From: Eduardo Mozart de Oliveira <2974895+eduardomozart@users.noreply.github.com>
Date: Fri, 17 Jan 2025 15:14:58 -0300
Subject: [PATCH 7/7] Update Client.pm
---
 lib/GLPI/Agent/HTTP/Client.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/GLPI/Agent/HTTP/Client.pm b/lib/GLPI/Agent/HTTP/Client.pm
index d77c7a0a7..8520aa9f4 100644
--- a/lib/GLPI/Agent/HTTP/Client.pm
+++ b/lib/GLPI/Agent/HTTP/Client.pm
@@ -699,7 +699,7 @@ sub _KeyChain_or_KeyStore_Export {
 }
 # Include default CA file from Mozilla::CA if @certs is empty
- if ((!@certs || $self->{ssl_keystore} !~ /^system-ssl-ca$/i) && Mozilla::CA->require()) {
+ if ((!@certs || $OSNAME eq 'darwin' && $self->{ssl_keystore} !~ /^system-ssl-ca$/i) && Mozilla::CA->require()) {
 my $cacert = Mozilla::CA::SSL_ca_file();
 push @certs, IO::Socket::SSL::Utils::PEM_file2certs($cacert)
 if -e $cacert;
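Review bot: `$self->{ssl_keystore} !~ /^system-ssl-ca$/i` in the new condition is the second place this keyword is matched (the first is in the darwin branch added by PATCH 4/7), and the two sites will drift if the option spelling or its undef handling ever changes. Hoisting it once near the top of `_KeyChain_or_KeyStore_Export` — the sub's start is outside the hunk — as `my $system_ca_only = ($self->{ssl_keystore} // '') =~ /^system-ssl-ca$/i;` and testing `!$system_ca_only` here keeps both sites consistent and also silences the uninitialized-value warning when the option is unset. Note that without an OS guard this line re-enables the Mozilla::CA union on Windows and Linux that PATCH 5/7 had just removed, which PATCH 7/7 then narrows again; squashing the three into one commit would make the intended rule reviewable in one place.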
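Review bot: The comment above the rewritten condition still reads `# Include default CA file from Mozilla::CA if @certs is empty`, but the new line also includes it on every darwin run unless `ssl-keystore` is `system-ssl-ca`, so the comment now misdescribes the rule; `# Include Mozilla::CA bundle when nothing else was loaded, or on macOS unless ssl-keystore is 'system-ssl-ca'` would match. The condition also relies on `&&` binding tighter than `||` inside the outer parentheses; explicit grouping, `if ((!@certs || ($OSNAME eq 'darwin' && $self->{ssl_keystore} !~ /^system-ssl-ca$/i)) && Mozilla::CA->require()) {`, spares the next reader the precedence check. The if-block's closing brace is outside the hunk.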