fix ca loading for alpine

2025-11-16 01:12:18 +03:00 · 2025-09-21 12:39:45 +03:00
parent 0c0da6d91b
commit d1418516eb
3 changed files with 39 additions and 5 deletions
--- a/core/include/internal/messaging.h
+++ b/core/include/internal/messaging.h
@@ -28,6 +28,7 @@
 #include "i_shell_cmd.h"
 #include "i_rest_api.h"
 #include "i_instance_awareness.h"
+#include "i_details_resolver.h"

 #include "config.h"

@@ -43,7 +44,8 @@ class Messaging
    Singleton::Consume<I_ShellCmd>,
    Singleton::Consume<I_MainLoop>,
    Singleton::Consume<I_RestApi>,
-    Singleton::Consume<I_InstanceAwareness>
+    Singleton::Consume<I_InstanceAwareness>,
+    Singleton::Consume<I_DetailsResolver>
 {
 public:
    Messaging();
--- a/core/include/services_sdk/interfaces/i_details_resolver.h
+++ b/core/include/services_sdk/interfaces/i_details_resolver.h
@@ -0,0 +1,45 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __I_DETAILS_RESOLVER_H__
+#define __I_DETAILS_RESOLVER_H__
+
+#include "maybe_res.h"
+
+#include <string>
+
+class I_DetailsResolver
+{
+public:
+    virtual Maybe<std::string> getHostname() = 0;
+    virtual Maybe<std::string> getPlatform() = 0;
+    virtual Maybe<std::string> getArch() = 0;
+    virtual std::string getAgentVersion() = 0;
+    virtual bool isKernelVersion3OrHigher() = 0;
+    virtual bool isGw() = 0;
+    virtual bool isGwNotVsx() = 0;
+    virtual bool isVersionAboveR8110() = 0;
+    virtual bool isReverseProxy() = 0;
+    virtual bool isCloudStorageEnabled() = 0;
+    virtual Maybe<std::tuple<std::string, std::string, std::string, std::string>> parseNginxMetadata() = 0;
+    virtual Maybe<std::tuple<std::string, std::string, std::string, std::string, std::string>> readCloudMetadata() = 0;
+    virtual std::map<std::string, std::string> getResolvedDetails() = 0;
+#if defined(gaia) || defined(smb)
+    virtual bool compareCheckpointVersion(int cp_version, std::function<bool(int, int)> compare_operator) const = 0;
+#endif // gaia || smb
+
+protected:
+    virtual ~I_DetailsResolver() {}
+};
+
+#endif // __I_DETAILS_RESOLVER_H__
--- a/core/messaging/connection/connection.cc
+++ b/core/messaging/connection/connection.cc
@@ -262,6 +262,37 @@ public:
    }

 private:
+    string
+    getCertificateDirectory()
+    {
+        auto details_ssl_dir = Singleton::Consume<I_AgentDetails>::by<Messaging>()->getOpenSSLDir();
+
+        if (details_ssl_dir.ok()) {
+            return *details_ssl_dir;
+        }
+
+        // Use detail_resolver to determine platform-specific certificate directory
+        auto maybe_platform = Singleton::Consume<I_DetailsResolver>::by<Messaging>()->getPlatform();
+
+        if (!maybe_platform.ok()) {
+            dbgTrace(D_CONNECTION)
+                << "Failed to get platform for default certificate directory: "
+                << maybe_platform.getErr();
+            return "/usr/lib/ssl/certs/"; // Fallback for failed platform detection
+        }
+
+        auto platform = maybe_platform.unpack();
+        if (platform == "alpine") {
+            return "/etc/ssl/certs/";
+        }
+
+        if (platform == "linux") {
+            return "/usr/lib/ssl/certs/";
+        }
+
+        return "/usr/lib/ssl/certs/";
+    }
+
    Maybe<void>
    setSSLContext()
    {
@@ -296,10 +327,11 @@ private:
        }

        dbgTrace(D_CONNECTION) << "Setting CA authentication";
-        auto details_ssl_dir = Singleton::Consume<I_AgentDetails>::by<Messaging>()->getOpenSSLDir();
-        auto openssl_dir = details_ssl_dir.ok() ? *details_ssl_dir : "/usr/lib/ssl/certs/";
-        auto configured_ssl_dir = getConfigurationWithDefault(openssl_dir, "message", "Trusted CA directory");
-        const char *ca_dir = configured_ssl_dir.empty() ? nullptr : configured_ssl_dir.c_str();
+
+        auto default_ssl_dir = getCertificateDirectory();
+        auto configured_ssl_dir =
+            getProfileAgentSettingWithDefault<string>(default_ssl_dir, "agent.config.message.capath");
+        const char *ca_dir = configured_ssl_dir.empty() ? "/usr/lib/ssl/certs/" : configured_ssl_dir.c_str();

        if (SSL_CTX_load_verify_locations(ssl_ctx.get(), ca_path.c_str(), ca_dir) != 1) {
            return genError("Failed to load certificate locations");