
[IDEA] TLS CA Certificates manager #29

Open
1 of 2 tasks
Informatic opened this issue Jan 2, 2022 · 4 comments
Labels
idea App idea

Comments

@Informatic
Member

Informatic commented Jan 2, 2022

Please read conditions below carefully, and don't delete this part. Invalid issues will be closed.

  • No apps related to piracy or intellectual property infringement are allowed.
  • We can't guarantee if the app will be developed by anyone.
  • We encourage you to develop the app by yourself. This would be a great contribution to webOS homebrew community.
  • I understand conditions above
  • (Optional) I'd like to develop this app by myself

Issue content starts below this line


The case of TLS CA management on webOS is all over the place. Random scripts shared around that mangle our glorious startup.sh, and still don't actually work properly.

The biggest issue is that just bindmounting over rootfs is not enough for these to apply properly for app jails as well - jailer configuration needs to be adjusted as well, preferably early during boot (or we need a daemon to detect new jails and update certs there as well...)

@Informatic
Member Author

Informatic commented Jan 2, 2022

webOS 3.8 / K3LP:

This works when dropped into /var/lib/webosbrew/init.d and made executable:
https://gist.github.com/Informatic/d7bcdd59eac16ffbffd3a5b5c24b4195

Works for WebAppMgr apps, though may need initctl restart WebAppMgr (or systemd equivalent), since it seems they cache these during startup. Does not work on com.webos.app.browser at all (probably it has its own store hidden somewhere)

Even though these bindmounts/overlays are propagated down to native app jails, RetroArch seems to not like that setup. Seems like I was mistaken, and RetroArch works fine (just all the downloads were marked as experimental...)

@DpunktKpunkt

DpunktKpunkt commented Jan 14, 2022

> Does not work on com.webos.app.browser at all (probably it has its own store hidden somewhere)

Presumably in /media/system/apps/usr/palm/applications/com.webos.app.browser/lib/libnssckbi.so
(or any other folder containing libnssckbi.so)

@Informatic
Member Author

Informatic commented Feb 20, 2022

That is indeed the case - certs can be added to the read-only NSS database via:

certutil -d /etc/pki/nssdb/ -A -t 'C,,' -n CA -i /usr/share/ca-certificates/...

/etc/pki/nssdb needs to be writable (i.e. overlay). WebAppMgr also seems to use that database on webOS 5.x.

Additionally, that directory is missing from native app jail config, and thus, as a quick workaround, it needs to be copied over to a respective jail directory:

cp -r /etc/pki /var/palm/jail/com.webos.app.browser/etc/pki 

@alexbakker

Some additional info from my own research, in case it's useful: The "sdx" process that runs on the TV gets its CA certificates from /usr/share/ca-certificates/sdp/sdp-ca.pem, not from the NSS DB or ca-certificates.crt.
