feat(firmware): verify git-push TLS chain against embedded GitHub CAs
Retire the cert-check bypass. Embed GitHub's root CAs (github_roots.pem: USERTrust ECC/RSA + DigiCert G2/Global Root CA), write them to /spiflash/ca.pem at boot, and point libgit2's mbedTLS stream at them via GIT_OPT_SET_SSL_CERT_LOCATIONS (CONFIG_MBEDTLS_FS_IO is on). The push callback now returns CertificatePassthrough instead of CertificateOk, so the http transport maps it to `is_valid ? 0 : -1` (httpclient.c:805) -- an untrusted or MITM cert fails the push (fail-closed), no blanket-accept. Hardware-verified 2026-07-06: `TLS trust store installed`, chain validated against the embedded USERTrust ECC root, push accepted (branch device/1783372683 on jcalixte/typoena-test). Roots must be refreshed if GitHub rotates CAs; a product would prefer esp-idf's bundle via a custom subtransport.
This commit is contained in:
@@ -24,17 +24,23 @@
|
||||
//! The product will hold a *persistent clone* so real publishes fast-forward;
|
||||
//! proving clone/fetch on device is a clean follow-up.
|
||||
//!
|
||||
//! ## Cert verification — SPIKE SHORTCUT
|
||||
//! ## Cert verification
|
||||
//!
|
||||
//! libgit2's mbedTLS stream defaults to `GIT_DEFAULT_CERT_LOCATION = NULL` with
|
||||
//! `MBEDTLS_SSL_VERIFY_OPTIONAL`, and the http transport treats the resulting
|
||||
//! `GIT_ECERTIFICATE` as non-fatal, deferring the trust decision to the app's
|
||||
//! `certificate_check` callback (httpclient.c:834, smart.c:461). So esp-idf's
|
||||
//! validated cert bundle (Spike 6) is NOT wired into libgit2. Here the callback
|
||||
//! ACCEPTS the cert with a WARN — enough to prove transport + auth + pack upload.
|
||||
//! Real trust-store wiring (`GIT_OPT_SET_SSL_CERT_LOCATIONS` → an embedded CA
|
||||
//! PEM on FAT, or a custom subtransport delegating to esp-idf's bundle) is a
|
||||
//! separable hardening task and MUST land before this leaves the bench.
|
||||
//! libgit2's mbedTLS stream verifies the server chain against whatever CA is set
|
||||
//! via `GIT_OPT_SET_SSL_CERT_LOCATIONS`: the handshake is `VERIFY_OPTIONAL`, then
|
||||
//! `verify_server_cert` turns a bad/untrusted chain into `GIT_ECERTIFICATE`. We
|
||||
//! embed GitHub's root CAs (`github_roots.pem`), write them to `/spiflash/ca.pem`
|
||||
//! and point libgit2 there (`install_tls_trust_store`). The `certificate_check`
|
||||
//! callback then returns PASSTHROUGH — "honor libgit2's own result" — which the
|
||||
//! http transport maps to `is_valid ? 0 : -1` (httpclient.c:805), so an
|
||||
//! untrusted / MITM cert FAILS the push. Fail-closed, no blanket-accept.
|
||||
//!
|
||||
//! Scope note: esp-idf ships a full CA bundle (Spike 6), but it's attached to
|
||||
//! esp-idf's own mbedtls config, not libgit2's private one — bridging it would
|
||||
//! mean touching libgit2 sources. Embedding GitHub's roots is the minimal,
|
||||
//! source-clean trust store; refresh it if GitHub rotates CAs (a product would
|
||||
//! prefer esp-idf's bundle via a custom subtransport, or fetch roots at
|
||||
//! provisioning). See ADR-005 / the Spike 7 postmortem.
|
||||
//!
|
||||
//! Build/flash with `just flash-git-push` (needs the git TW_* vars in .env).
|
||||
|
||||
@@ -76,6 +82,14 @@ const FAT_LABEL: &CStr = c"storage";
|
||||
const MOUNT: &CStr = c"/spiflash";
|
||||
const MOUNT_STR: &str = "/spiflash";
|
||||
|
||||
/// GitHub's root CAs, embedded so the push can verify the server's TLS chain
|
||||
/// (see the "Cert verification" module docs). Written to FAT at runtime and
|
||||
/// handed to libgit2 via GIT_OPT_SET_SSL_CERT_LOCATIONS.
|
||||
const GITHUB_ROOTS_PEM: &str = include_str!("github_roots.pem");
|
||||
/// Where install_tls_trust_store drops the bundle for libgit2's mbedTLS stream
|
||||
/// to parse (needs a real path — CONFIG_MBEDTLS_FS_IO is on).
|
||||
const CA_BUNDLE_PATH: &str = "/spiflash/ca.pem";
|
||||
|
||||
/// SNTP first-sync budget (same as Spike 6).
|
||||
const SNTP_TIMEOUT: Duration = Duration::from_secs(20);
|
||||
|
||||
@@ -127,6 +141,7 @@ fn run() -> Result<()> {
|
||||
|
||||
sync_clock()?;
|
||||
mount_fat().context("mounting flash-FAT")?;
|
||||
install_tls_trust_store().context("installing TLS trust store")?;
|
||||
|
||||
// Git work runs on the MAIN task, not a spawned thread. libgit2 (via mbedTLS
|
||||
// cert validation and FATFS timestamping) calls time()/gettimeofday, whose
|
||||
@@ -218,6 +233,24 @@ fn mount_fat() -> Result<()> {
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Write the embedded GitHub root CAs to FAT and point libgit2's mbedTLS stream
|
||||
/// at them (GIT_OPT_SET_SSL_CERT_LOCATIONS). Must run after the FAT mount and
|
||||
/// before the push. Once set, libgit2 verifies the server chain itself, so the
|
||||
/// push fails closed on an untrusted cert (the push callback returns PASSTHROUGH
|
||||
/// to honor that result — see the module docs).
|
||||
fn install_tls_trust_store() -> Result<()> {
|
||||
fs::write(CA_BUNDLE_PATH, GITHUB_ROOTS_PEM)
|
||||
.with_context(|| format!("writing CA bundle to {CA_BUNDLE_PATH}"))?;
|
||||
// SAFETY: sets a process-global libgit2 option once, before any TLS work.
|
||||
unsafe { git2::opts::set_ssl_cert_file(CA_BUNDLE_PATH) }
|
||||
.context("git2::opts::set_ssl_cert_file")?;
|
||||
log::info!(
|
||||
"TLS trust store installed — {} B of GitHub roots at {CA_BUNDLE_PATH}",
|
||||
GITHUB_ROOTS_PEM.len()
|
||||
);
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// The whole publish (on the main task): init a fresh working copy, write a
|
||||
/// file, commit, and push to a fresh remote branch. Returns a one-line summary.
|
||||
fn git_publish() -> Result<String> {
|
||||
@@ -304,13 +337,14 @@ fn push(repo: &Repository, refspec: &str) -> Result<()> {
|
||||
))
|
||||
});
|
||||
|
||||
// SPIKE SHORTCUT — see module docs. libgit2 can't verify the chain (no CA
|
||||
// wired in), so it asks us; we accept. Real verification is a follow-up.
|
||||
// Real verification: libgit2's mbedTLS stream checks the server chain
|
||||
// against the CA bundle install_tls_trust_store() loaded. PASSTHROUGH tells
|
||||
// libgit2 to honor that result — the http transport maps it to
|
||||
// `is_valid ? 0 : -1` (httpclient.c:805), so an untrusted cert FAILS the
|
||||
// push (fail-closed). No blanket-accept.
|
||||
cbs.certificate_check(|_cert, host| {
|
||||
log::warn!(
|
||||
"cert-check BYPASSED for {host} — libgit2 mbedTLS stream has no CA (spike shortcut)"
|
||||
);
|
||||
Ok(CertificateCheckStatus::CertificateOk)
|
||||
log::info!("verifying {host} TLS chain against embedded GitHub CA bundle");
|
||||
Ok(CertificateCheckStatus::CertificatePassthrough)
|
||||
});
|
||||
|
||||
{
|
||||
|
||||
110
firmware/src/bin/github_roots.pem
Normal file
110
firmware/src/bin/github_roots.pem
Normal file
@@ -0,0 +1,110 @@
|
||||
# GitHub HTTPS trust anchors for the on-device git push (Spike 7).
|
||||
# Extracted from the macOS system root store 2026-07-06.
|
||||
# github.com currently chains: leaf -> Sectigo E36 -> Sectigo E46 ->
|
||||
# USERTrust ECC. The others cover GitHub's known RSA / DigiCert chains.
|
||||
# Roots only: the server sends the intermediates during the handshake.
|
||||
#
|
||||
# Regenerate: security find-certificate -a -c <CN> -p \
|
||||
# /System/Library/Keychains/SystemRootCertificates.keychain
|
||||
|
||||
# USERTrust ECC Certification Authority
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICjzCCAhWgAwIBAgIQXIuZxVqUxdJxVt7NiYDMJjAKBggqhkjOPQQDAzCBiDEL
|
||||
MAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNl
|
||||
eSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMT
|
||||
JVVTRVJUcnVzdCBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMjAx
|
||||
MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgT
|
||||
Ck5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUg
|
||||
VVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBFQ0MgQ2VydGlm
|
||||
aWNhdGlvbiBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQarFRaqflo
|
||||
I+d61SRvU8Za2EurxtW20eZzca7dnNYMYf3boIkDuAUU7FfO7l0/4iGzzvfUinng
|
||||
o4N+LZfQYcTxmdwlkWOrfzCjtHDix6EznPO/LlxTsV+zfTJ/ijTjeXmjQjBAMB0G
|
||||
A1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1xmNjmjAOBgNVHQ8BAf8EBAMCAQYwDwYD
|
||||
VR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjA2Z6EWCNzklwBBHU6+4WMB
|
||||
zzuqQhFkoJ2UOQIReVx7Hfpkue4WQrO/isIJxOzksU0CMQDpKmFHjFJKS04YcPbW
|
||||
RNZu9YO6bVi9JNlWSOrvxKJGgYhqOkbRqZtNyWHa0V1Xahg=
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
# USERTrust RSA Certification Authority
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
|
||||
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
|
||||
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
|
||||
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
|
||||
MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
|
||||
BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
|
||||
aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
|
||||
dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
|
||||
AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
|
||||
3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
|
||||
tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
|
||||
Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
|
||||
VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
|
||||
79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
|
||||
c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
|
||||
Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
|
||||
c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
|
||||
UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
|
||||
Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
|
||||
BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
|
||||
A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
|
||||
Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
|
||||
VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
|
||||
ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
|
||||
8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
|
||||
iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
|
||||
Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
|
||||
XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
|
||||
qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
|
||||
VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
|
||||
L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
|
||||
jjxDah2nGN59PRbxYvnKkKj9
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
# DigiCert Global Root G2
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
|
||||
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
||||
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
|
||||
MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
|
||||
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
|
||||
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
|
||||
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
|
||||
2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
|
||||
1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
|
||||
q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
|
||||
tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
|
||||
vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
|
||||
BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
|
||||
5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
|
||||
1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
|
||||
NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
|
||||
Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
|
||||
8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
|
||||
pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
|
||||
MrY=
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
# DigiCert Global Root CA
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
|
||||
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
||||
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
|
||||
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
|
||||
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
|
||||
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
|
||||
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
|
||||
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
|
||||
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
|
||||
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
|
||||
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
|
||||
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
|
||||
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
|
||||
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
|
||||
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
|
||||
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
|
||||
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
|
||||
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
|
||||
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
|
||||
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
|
||||
-----END CERTIFICATE-----
|
||||
Reference in New Issue
Block a user