Load TLS root CA directly from /config instead of /persist/certs

This change fixes the security issue where TLS root certificates were
copied from the integrity-protected /config partition to the mutable
/persist/certs directory and referenced via SHA256 indirection.

Changes:
- Remove certificate copy logic from InitializeCertDir() - now only
  creates the certs directory without copying files
- Update GetTLSConfig() to read certificates directly from
  types.V2TLSBaseFile (/config/v2tlsbaseroot-certificates.pem)
- Update UpdateTLSProxyCerts() to read from V2TLSBaseFile instead of
  V2TLSCertShaFilename
- Remove V2TLSCertShaFilename constant from locationconsts.go as it's
  no longer needed
- Update getSecurityInfo() in handlemetrics.go to compute SHA256 hash
  directly from the V2TLSBaseFile content instead of reading a
  pre-computed SHA from persist

Signed-off-by: Shahriyar Jalayeri <shahriyar@posteo.de>

Author: shjala

pkg/pillar/cmd/zedagent/handlemetrics.go

@@ -8,8 +8,8 @@ package zedagent
 import (
 	"bytes"
 	"crypto/sha256"
-	"encoding/hex"
 	"fmt"
+	"io"
 	"net"
 	"net/http"
 	"os"
@@ -898,19 +898,16 @@ func getSecurityInfo(ctx *zedagentContext) *info.SecurityInfo {
 		hasher.Write(caCert1)
 		si.ShaRootCa = hasher.Sum(nil)
 	}
-	// Add the sha of the root CAs used for TLS
-	// Note that we have the sha in a logical symlink so we
-	// just read that file.
-	line, err := os.ReadFile(types.V2TLSCertShaFilename)
+	// Add the sha of the root CAs used for TLS, loaded from config directory (integrity protected)
+	f, err := os.Open(types.V2TLSBaseFile)
 	if err != nil {
 		log.Error(err)
 	} else {
-		shaStr := strings.TrimSpace(string(line))
-		sha, err := hex.DecodeString(shaStr)
-		if err != nil {
-			log.Errorf("DecodeString %s failed: %s", shaStr, err)
+		h := sha256.New()
+		if _, err := io.Copy(h, f); err != nil {
+			log.Errorf("failed to get sha256 of %s: %v", types.V2TLSBaseFile, err)
 		} else {
-			si.ShaTlsRootCa = sha
+			si.ShaTlsRootCa = h.Sum(nil)
 		}
 	}
 	log.Tracef("getSecurityInfo returns %+v", si)

pkg/pillar/controllerconn/tls.go

@@ -7,13 +7,11 @@ package controllerconn
 
 import (
 	"bytes"
-	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"io"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -28,52 +26,14 @@ import (
 )
 
 // InitializeCertDir is called by zedbox to make sure we have the initial
-// files in /persist/certs from /config/ under a sha-based name.
-// Also, the currently used base file is indicated by the content of
-// /persist/certs/v2tlsbaseroot-certificates.sha256. This is to prepare for a
-// future feature where the controller can update the base file.
-// Note that programmatically we add any proxy certificates to the list of roots
-// we trust separately from the file content.
+// certs directory created.
 func InitializeCertDir(log *base.LogObject) error {
 	if _, err := os.Stat(types.CertificateDirname); err != nil {
 		log.Tracef("Create %s", types.CertificateDirname)
 		if err := os.MkdirAll(types.CertificateDirname, 0700); err != nil {
 			return err
 		}
 	}
-	f, err := os.Open(types.V2TLSBaseFile)
-	if err != nil {
-		return err
-	}
-	h := sha256.New()
-	if _, err := io.Copy(h, f); err != nil {
-		err = fmt.Errorf("Failed sha256 of %s: %w",
-			types.V2TLSBaseFile, err)
-		return err
-	}
-	sha := fmt.Sprintf("%x", h.Sum(nil))
-	// Copy base file to /persist/certs/<sha> if not exist or zero length
-	dstfile := fmt.Sprintf("%s/%s", types.CertificateDirname, sha)
-	st, err := os.Stat(dstfile)
-	if err != nil || st.Size() == 0 {
-		log.Noticef("Adding /config/v2tlsbaseroot-certificates.pem to %s",
-			dstfile)
-		err := fileutils.CopyFile("/config/v2tlsbaseroot-certificates.pem", dstfile)
-		if err != nil {
-			return err
-		}
-	}
-	// Write sha to types.V2TLSCertShaFilename if not exist or zero length
-	dstfile = types.V2TLSCertShaFilename
-	st, err = os.Stat(dstfile)
-	if err != nil || st.Size() == 0 {
-		log.Noticef("Setting /config/v2tlsbaseroot-certificates.pem as current")
-		line := sha + "\n"
-		err = fileutils.WriteRename(dstfile, []byte(line))
-		if err != nil {
-			return err
-		}
-	}
 	return nil
 }
 
@@ -143,25 +103,14 @@ func (c *Client) GetTLSConfig(clientCert *tls.Certificate) (*tls.Config, error)
 	caCertPool := x509.NewCertPool()
 
 	if c.v2API {
-		// Load the well-known CAs
-		line, err := os.ReadFile(types.V2TLSCertShaFilename)
-		if err != nil {
-			return nil, err
-		}
-		sha := strings.TrimSpace(string(line))
-		if len(sha) == 0 {
-			errStr := fmt.Sprintf("Read zero byte from sha file")
-			c.log.Error(errStr)
-			return nil, errors.New(errStr)
-		}
-		v2RootFilename := types.CertificateDirname + "/" + sha
-		caCert, err := os.ReadFile(v2RootFilename)
+		// Load the well-known CAs from config directory (integrity protected)
+		caCert, err := os.ReadFile(types.V2TLSBaseFile)
 		if err != nil {
 			return nil, err
 		}
 		if !caCertPool.AppendCertsFromPEM(caCert) {
 			errStr := fmt.Sprintf("Failed to append certs from %s",
-				v2RootFilename)
+				types.V2TLSBaseFile)
 			c.log.Error(errStr)
 			return nil, errors.New(errStr)
 		}
@@ -295,30 +244,17 @@ func (c *Client) UpdateTLSProxyCerts() bool {
 
 	var caCertPool *x509.CertPool
 	if len(c.prevCertPEM) > 0 {
-
 		// previous certs we have are different, lets rebuild from beginning
 		caCertPool = x509.NewCertPool()
-		line, err := os.ReadFile(types.V2TLSCertShaFilename)
-		if err != nil {
-			errStr := fmt.Sprintf("Failed to read V2TLSCertShaFilename")
-			c.log.Error(errStr)
-			return false
-		}
-		sha := strings.TrimSpace(string(line))
-		if len(sha) == 0 {
-			errStr := fmt.Sprintf("Read zero byte from sha file")
-			c.log.Error(errStr)
-			return false
-		}
-		v2RootFilename := types.CertificateDirname + "/" + sha
-		caCert, err := os.ReadFile(v2RootFilename)
+		// Load the well-known CAs from config directory (integrity protected)
+		caCert, err := os.ReadFile(types.V2TLSBaseFile)
 		if err != nil {
-			errStr := fmt.Sprintf("Failed to read v2RootFilename")
+			errStr := fmt.Sprintf("Failed to read %s", types.V2TLSBaseFile)
 			c.log.Error(errStr)
 			return false
 		}
 		if !caCertPool.AppendCertsFromPEM(caCert) {
-			errStr := fmt.Sprintf("Failed to append certs from %s", v2RootFilename)
+			errStr := fmt.Sprintf("Failed to append certs from %s", types.V2TLSBaseFile)
 			c.log.Error(errStr)
 			return false
 		}

pkg/pillar/types/locationconsts.go

@@ -60,8 +60,6 @@ const (
 	OnboardKeyName = IdentityDirname + "/onboard.key.pem"
 	// RootCertFileName - what we trust for signatures and object encryption
 	RootCertFileName = IdentityDirname + "/root-certificate.pem"
-	// V2TLSCertShaFilename - find TLS root cert for API V2 based on this sha
-	V2TLSCertShaFilename = CertificateDirname + "/v2tlsbaseroot-certificates.sha256"
 	// V2TLSBaseFile is where the initial file
 	V2TLSBaseFile = IdentityDirname + "/v2tlsbaseroot-certificates.pem"
 	// APIV1FileName - user can statically allow for API v1