
Initial proposed patch for SSL root bundle in base
Needs Review (Public)

Authored by kevans on Aug 23 2018, 2:26 AM.

Details

Summary

This adds the trusted certificates from the Mozilla NSS bundle to base.

It includes a set of tools to update the certificates from time to time.
This is envisioned to be done by secteam@ and the results committed to the tree.

A follow-on patch adds a trustctl(8) utility to give the user control over what they trust.

Diff Detail

Repository: rS FreeBSD src repository
Lint: Skipped
Unit Tests: Skipped
Build Status: Buildable 22594

Event Timeline

allanjude created this revision.Aug 23 2018, 2:26 AM
rgrimes accepted this revision.Aug 23 2018, 3:13 PM
rgrimes added a subscriber: rgrimes.

Looks ok, though I wonder about a shell script that writes a Makefile. It should be possible to do that in a Makefile by itself: there is the .for/.endfor operator to make, which can duplicate what the shell script does.

secure/caroot/trusted/Actalis_Authentication_Root_CA.pem:1 (On Diff #47147)

This file is being detected as a binary for some reason by Phabricator

This revision is now accepted and ready to land.Aug 23 2018, 3:13 PM
cem added a subscriber: cem.Aug 25 2018, 6:48 AM
cem added inline comments.
secure/caroot/Makefile:16

--no-sslv3, --no-tlsv1?

secure/caroot/gen_trusted_makefile.sh:35 (On Diff #47147)

do we anticipate shipping a CRL snapshot as well?

allanjude marked an inline comment as done.Aug 31 2018, 2:49 AM
allanjude added inline comments.
secure/caroot/gen_trusted_makefile.sh:35 (On Diff #47147)

It is not currently something that the ca_root_nss package includes, but it is a good idea.

allanjude updated this revision to Diff 47516.Aug 31 2018, 2:50 AM

Be extra strict when downloading the source-of-truth root certificate chain

This revision now requires review to proceed.Aug 31 2018, 2:50 AM
imp added a comment.Oct 3 2018, 2:45 PM

My quick eyeball doesn't detect any issues. However, I'll look at the distribute issues.

bdrewery requested changes to this revision.Oct 3 2018, 9:24 PM

Please also don't checkin generated files in the initial commit. As-is it makes it hard to review.

secure/caroot/Makefile:15

Needs .PHONY

secure/caroot/Makefile:18

Needs .PHONY

secure/caroot/Makefile:21

Needs .PHONY

secure/caroot/blacklisted/Makefile:4

Needs an entry in etc/mtree/BSD.usr.dist

This revision now requires changes to proceed.Oct 3 2018, 9:24 PM
kevans added a subscriber: kevans.Jan 13 2019, 5:12 AM
garga added a subscriber: garga.Jan 17 2019, 11:46 AM
kevans commandeered this revision.
kevans updated this revision to Diff 54106.Feb 20 2019, 2:22 AM

Main changes:

  • Drop initial certs from this review
  • Sprinkled some .PHONY
  • mtree update
  • Rewrote secure/caroot/trusted/Makefile to just shell out and grab all certs in the current dir instead of makefile churn*

* I don't know how high-value the explicit listing of certs in the Makefile was, or if the churn was worth discussing/debating. I'm assuming that listing the certs in the Makefile offers little to no value for end-users as it's effectively the same as what I've changed it to (give or take me having goobered it up), and I'm not sure how much value it added for secteam review.
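The conversion step the review keeps circling (Mozilla's certdata.txt turned into one PEM file per root under secure/caroot/trusted/, with distrusted roots kept apart) is easy to get wrong if the NSS trust bits are ignored. The following is an added example, not the patch's Perl script or any FreeBSD code: it parses the certdata.txt format that the Makefile fetches from hg.mozilla.org, pairs each CKO_CERTIFICATE object with its CKO_NSS_TRUST object by CKA_LABEL, and ships a root for TLS only when CKA_TRUST_SERVER_AUTH is CKT_NSS_TRUSTED_DELEGATOR. Roots marked CKT_NSS_NOT_TRUSTED go to a separate "blacklisted" bucket (the directory names mirror the review; how the real tooling sorts them is not shown on this page and is an assumption here), and roots that are only CKT_NSS_MUST_VERIFY_TRUST for server auth (for example, e-mail-only roots) are dropped. The file-name scheme (label with non-alphanumerics replaced by underscores) is inferred from the single file name visible in the review; the embedded certificate bodies are constructed placeholder bytes, not real DER.

```python
import base64
import re
import sys

# Constructed sample in certdata.txt syntax (the format the Makefile fetches
# from hg.mozilla.org). The octal bodies are placeholder bytes, not real DER.
SAMPLE_CERTDATA = r'''
BEGINDATA
# Certificate "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
\002\001\001
END
# Trust for "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
# Certificate "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
# Trust for "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
# Certificate "Example Email Only Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Email Only Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\003
END
# Trust for "Example Email Only Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
'''


def parse_certdata(text):
    """Return one dict per CKA_CLASS object; MULTILINE_OCTAL values are decoded to bytes."""
    objects, cur = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:          # BEGINDATA and similar bare keywords
            continue
        name, typ = parts[0], parts[1]
        if typ == "MULTILINE_OCTAL":
            buf = bytearray()
            for raw in lines:       # consume the \ooo body up to END
                if raw.strip() == "END":
                    break
                buf.extend(int(o, 8) for o in re.findall(r"\\([0-7]{3})", raw))
            value = bytes(buf)
        else:
            value = parts[2] if len(parts) == 3 else ""
            if typ == "UTF8":
                value = value.strip('"')
        if name == "CKA_CLASS":     # every object begins with its class
            cur = {}
            objects.append(cur)
        if cur is not None:
            cur[name] = value
    return objects


def to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def pem_filename(label):
    """Label -> file name in the style of Actalis_Authentication_Root_CA.pem (assumed scheme)."""
    return re.sub(r"[^A-Za-z0-9]+", "_", label).strip("_") + ".pem"


def split_by_trust(text):
    """Return (trusted, blacklisted) as {label: pem}, keyed on CKA_TRUST_SERVER_AUTH."""
    objs = parse_certdata(text)
    certs = {o["CKA_LABEL"]: o for o in objs if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}
    trust = {o["CKA_LABEL"]: o for o in objs if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    trusted, blacklisted = {}, {}
    for label, cert in certs.items():
        bit = trust.get(label, {}).get("CKA_TRUST_SERVER_AUTH")
        if bit == "CKT_NSS_TRUSTED_DELEGATOR":
            trusted[label] = to_pem(cert["CKA_VALUE"])
        elif bit == "CKT_NSS_NOT_TRUSTED":
            blacklisted[label] = to_pem(cert["CKA_VALUE"])
        # CKT_NSS_MUST_VERIFY_TRUST or no trust object: not a TLS root, ship nothing
    return trusted, blacklisted


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CERTDATA
    trusted, blacklisted = split_by_trust(data)
    for label in sorted(trusted):
        print("trusted/%s" % pem_filename(label))
    for label in sorted(blacklisted):
        print("blacklisted/%s" % pem_filename(label))
```

Run it with a downloaded certdata.txt as the first argument to list which files would land in each directory; without an argument it runs on the constructed sample. The point worth keeping from this example is the three-way split: a root present in certdata.txt is not automatically trusted for TLS, and a CKT_NSS_NOT_TRUSTED entry is a distrust record that must never be installed as a trust anchor.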
cem added a comment.Mar 8 2019, 8:40 PM

The build system mechanics look good to me. I haven't looked at the Perl script, and frankly, I find Perl pretty inscrutable and may not be best at spotting bugs in it.

secure/caroot/Makefile:15

FWIW, Curl defaults to the 'release' version of the file, at URL https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt

I don't know Mozilla's policy on when tip is updated, or when release is updated (presumably from tip). Currently the (only) difference is that tip has the following CAs not present in release:

  1. "emSign Root CA - G1" (valid starting 2018-02-18)
  2. "emSign ECC Root CA - G3" (ditto)
  3. "emSign Root CA - C1" (ditto)
  4. "emSign ECC Root CA - C3" (ditto)
  5. "Hongkong Post Root CA 3" (valid starting 2017-06-03)