Accessing Host Trusted Certificates

[LorbusChris]

Linux distribution and version

Fedora Silverblue 29

Flatpak version

v1.2.3

Description of the problem

Flatpaks apps do not pick up PEM certificates placed in /etc/pki/ca-trust/source/anchors/ on the host.

Steps to reproduce

• Place custom trusted cert in /etc/pki/ca-trust/source/anchors/
• Install Riot.im or Firefox Nightly flatpak
• In Riot.im: Try to log in to a Matrix server that uses that cert -> not possible
• In Firefox Nightly: Navigate to an URL that uses that cert -> 'Warning: Potential Security Risk Ahead' page is shown

[LorbusChris]

Confirmed not to work on Fedora 29 standard as well.

[TingPing]

Riot probably uses OpenSSL which doesn't respect PKI anyway AFIAK. Firefox should though.

[LorbusChris]

Right, that could be, as I only reproduced it with Riot this time. Firefox Nightlies aren't up to date at the moment, so I didn't test that.

Any idea how this could be made compatible with OpenSSL?

[TingPing]

Hmm, it looks like Fedora builds openssl with --openssldir=/etc/pki/tls while freedesktop-sdk has the default /etc/ssl. So that is probably relevant.

EDIT: Grepping around Flatpak doesn't seem to expose the pki dirs anyway. I thought there was some work on doing so though...

[matthiasclasen]

@amigadave is this something you could look into for our fedora flatpak builds ?

[mcatanzaro]

I think Firefox should be fixed nowadays, since https://gitlab.com/freedesktop-sdk/freedesktop-sdk/commit/a11bd7c94e163b34e4ac209361c47f914997932f, which is in 18.08. Can you confirm?

Then Riot.im is an Electron app, right? So you would need to add p11-kit support to Chromium (CrNet) if you expect it to be able to access host certificates. I don't think it uses OpenSSL.

Accessing host certificates requires use of the p11-kit server running on the host OS, so if your TLS library doesn't support using p11-kit as its trust store, this is simply not expected to work. So you should report a bug to Chrome (good luck with that) for Riot.im, not here.

It's true that OpenSSL is not expected to work either, though I think neither of your example apps use OpenSSL. Eventually, OpenSSL will be improved to support p11-kit. Once that happens, we will need to change freedesktop-sdk to build OpenSSL with p11-kit configured as its default trust, like we already do for GnuTLS. freedesktop-sdk also has NSS patched to use p11-kit, like Fedora does, so NSS should work too. (I think OpenSSL is the last remaining significant holdout that doesn't support using p11-kit as its trust store; eventually it will get fixed.)

So, expected to work:

• Anything using GnuTLS, including all GNOME stuff and anything else that uses GLib sockets (glib-networking)
• Anything using NSS, including Firefox
• freedesktop-sdk only: libcurl (configured to use GnuTLS), and anything using libcurl

Not expected to work and not our problem:

• Chrome/Electron stuff
• Anything using OpenSSL
• Fedora runtime only: libcurl (configured to use OpenSSL), and anything using libcurl

TL;DR: this bug should be closed, unless Firefox is still broken. (It should not be broken anymore.)

[mcatanzaro]

• Chrome/Electron stuff

Note: this will be using CrNet, and beneath that, BoringSSL. It's probably bundled in the Chromium source code under third_party/.

[mcatanzaro]

OK one last tip. If you want a workaround, then instead of Riot.im you can use Revolt, which just uses WebKitGTK to display the Riot website instead of Electron. That means you get GLib sockets -> glib-networking -> GnuTLS -> p11-kit which should have access to the host certificates.

[AdrianVovk]

There seem to be mechanisms to generate CA bundles for openssl & java & everything else in p11-kit: trust extract --format=openssl-bundle --filter=ca-anchors --overwrite /tmp/openssl-bundle.pem

As a distributor, the fd.o sdk can override /usr/libexec/p11-kit/trust-extact-compat, and then just run trust extract-compat. p11-kit runs this automatically whenever trust anchor is run, but I'm not sure how it handles the daemon/client relationship used by Flatpak.

[mcatanzaro]

Not sure I understand. How could that help?

[AdrianVovk]

@mcatanzaro All the SDKs have to do is run trust extract [...] at some point and then OpenSSL will use the system's CA certs, right? Or am I missing something. Just extract it into the correct place for OpenSSL inside of the runtime will pick it up

Edit: Or Flatpak can extract these on the host side and place them into, i.e. /run/flatpak/openssl-bundle.pem, and then bind-mount this into the runtime env

[mcatanzaro]

Yes, that would work, but it would conflict with the certificates provided by the runtime itself. The runtime would have to stop shipping its own certificates. I'm not sure whether that would be desirable or not. There would be... implications. :)

Proper fix is to finish and land openssl/openssl#8200 to bring openssl out of certificate dark ages and into modern times.

[AdrianVovk]

@mcatanzaro That's fair