
(feature) (types) Add Trusted CA #23

Open
lucymhdavies opened this issue Apr 17, 2021 · 5 comments
Labels
enhancement New feature or request types Relates to types and assertions, i.e. not the core Bork code
Comments

@lucymhdavies
Contributor

I can do this with the following for now:
lucymhdavies/dev_utils@19ca331

#
# Trust Vault Generated Certs
#

ok download /tmp/lmhd_root.pem https://vault.lmhd.me/v1/pki_root/ca/pem
ok check "sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/lmhd_root.pem"

but this feels like the sort of thing which would be useful to have a dedicated Type for.

(especially for things like checking if the cert already exists in the keychain)

@lucymhdavies lucymhdavies added the enhancement New feature or request label Apr 17, 2021
@lucymhdavies
Contributor Author

lucymhdavies commented Apr 18, 2021

My updated borkfile, now checks if the CA is already trusted:

# Check if this cert is already in the keychain
ok check "security dump-trust-settings -s -d | grep lmhd.me"
if check_failed && satisfying; then
	# If not, download and trust
	ok download /tmp/lmhd_root.pem https://vault.lmhd.me/v1/pki_root/ca/pem
	ok check "sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/lmhd_root.pem"
fi

First bork satisfy:

failed: check security dump-trust-settings -s -d | grep lmhd.me

ok: download /tmp/lmhd_root.pem https://vault.lmhd.me/v1/pki_root/ca/pem
Password: check sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/lmhd_root.pem
ok: check sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/lmhd_root.pem

Second:

ok: check security dump-trust-settings -s -d | grep lmhd.me

Making that generic could be awkward.

I'm envisioning this part being a generic ok trustRoot <filename>:

	ok check "sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/lmhd_root.pem"

So you'd first need to do some openssl tomfoolery to determine the CA's CN:

$ openssl verify /tmp/lmhd_root.pem
/tmp/lmhd_root.pem: CN = lmhd.me
error 18 at 0 depth lookup:self signed certificate
OK

And then from there, grep the output of:

$ security dump-trust-settings -s -d
Number of trusted certs = 1
Cert 0: lmhd.me
   Number of trust settings : 0

So... doable. But possibly awkward, unless there's a better way of doing this. And doesn't take into account the CA expiring, or another CA existing with the same name.

My current method is good enough for me, but if other people would find a use for this, then I'll see if I can make a more foolproof method, and maybe wrap it up into a Type.

@skylarmacdonald skylarmacdonald added this to the v1.0.x milestone May 2, 2021
@skylarmacdonald
Member

This would be nice to have. If you get it working as a custom type (with tests!), submit a PR for potential inclusion in core. ☺️

I haven't added it to the 1.0 release project board for the time being, but I've added the 1.0.x milestone for it, because I would like to have it in theory if we can — but I don't think it's a must for the first 'official' release, personally.

@lucymhdavies
Contributor Author

My main issue I'd need to solve as part of getting a custom type working is that I would need some way of figuring out if a CA is already trusted.

My previous solution:

# Check if this cert is already in the keychain
ok check "security dump-trust-settings -s -d | grep lmhd.me"
if check_failed && satisfying; then
	# If not, download and trust
	ok download /tmp/lmhd_root.pem https://vault.lmhd.me/v1/pki_root/ca/pem
	ok check "sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/lmhd_root.pem"
fi

failed the moment I wanted to add a second trusted CA for lmhd.me certs.

The JFDI method:

ok download /tmp/lmhd_root.pem https://vault.lmhd.me/v1/pki_root/ca/pem
ok check "sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/lmhd_root.pem"

requires me to enter my password every time I do a bork satisfy, regardless of whether the cert is already trusted or not.

A workaround could be to have some directory external to the Keychain where I keep the CAs, and Bork will check in that directory to see if the CA is already trusted... but that's kinda hacky, and prone to issues.

@skylarmacdonald
Member

OK — so if you take the output of security dump-trust-settings -s -d | grep lmhd.me (replacing lmhd.me with an argument variable, of course 😉), you can process that in the status) operation of your type definition. Grab the CN from openssl verify $CERT_PATH and chuck that in a variable, and see if it matches the (grepped/sedded) output from the security command. Then your status) can tell you whether you need to execute the install|upgrade) step, which would be the sudo security add-trusted-cert part.

I am, however, hesitant to include anything that involves grabbing a cert from an arbitrary URL and then auto-trusting it. Personally I would prefer that to be two steps, so that you can do whatever protection against MITM attacks you deem appropriate for your environment.
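As an added example (not bork's code and not from either participant), here is the status)/install shape suggested above, but keyed on the certificate's SHA-256 fingerprint rather than its CN, which is what makes a second CA named lmhd.me, or a renewed one, distinguishable from the first. The `openssl x509 -fingerprint` and `security find-certificate -Z` output formats it parses, and the keychain path default, are assumptions; the type takes a local PEM path, leaving the download as a separate step.

```shell
#!/usr/bin/env bash
# Added example: helpers for a "trusted root CA" bork type. Presence in the keychain is
# decided by exact fingerprint match, never by a substring grep on the Common Name.

# Normalise a fingerprint so openssl's "AB:CD:..." and security's "ABCD..." compare equal.
normalize_fp() { printf '%s' "$1" | tr -d ': \n\r' | tr 'a-f' 'A-F'; }

# SHA-256 fingerprint of a PEM certificate.
# Assumes openssl prints a single "SHA256 Fingerprint=AB:CD:..." line.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# SHA-256 fingerprints of every certificate in a keychain.
# Assumes `security find-certificate -a -Z` prints "SHA-256 hash: <hex>" per certificate.
keychain_fingerprints() {
  security find-certificate -a -Z "$1" | awk -F': ' '/^SHA-256 hash:/ {print $2}'
}

# Pure decision step (testable off macOS): succeed only when the wanted fingerprint is a
# whole line of the candidate list (grep -x). This is what `grep lmhd.me` could not do:
# a prefix, or another CA with the same CN, does not match.
fp_in_list() {
  want=$(normalize_fp "$1")
  [ -n "$want" ] || return 1
  printf '%s\n' "$2" | tr -d ': \r' | tr 'a-f' 'A-F' | grep -qxF -- "$want"
}

# status) body: 0 when this exact CA is already in the keychain, 1 when it is missing.
# In a real type these would map to bork's STATUS_OK / STATUS_MISSING return codes.
trusted_ca_status() {
  pem=$1; keychain=${2:-/Library/Keychains/System.keychain}
  fp_in_list "$(cert_fingerprint "$pem")" "$(keychain_fingerprints "$keychain")"
}

# install|upgrade) body: the command from the thread, run only when status) said missing,
# so `bork satisfy` stops prompting for a password once the CA is trusted.
trusted_ca_install() {
  pem=$1; keychain=${2:-/Library/Keychains/System.keychain}
  sudo security add-trusted-cert -d -r trustRoot -k "$keychain" "$pem"
}
```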

@lucymhdavies
Contributor Author

lucymhdavies commented May 10, 2021 via email

@skylarmacdonald skylarmacdonald changed the title (feature) Add Trusted CA (feature) (types) Add Trusted CA Aug 1, 2021
@skylarmacdonald skylarmacdonald added the types Relates to types and assertions, i.e. not the core Bork code label Aug 1, 2021