Details

Reviewers

emaste
imp
cperciva
rgrimes
bdrewery
allanjude

Group Reviewers

secteam
Core Team

Commits

rS352948: [1/3] Initial infrastructure for SSL root bundle in base

Summary

This adds the trusted certificates from the Mozilla NSS bundle to base

It includes a test of tools to update the certificates from time to time.
This is envisioned to be done by secteam@ and the results committed to the tree.

A follow-on patch adds a trustctl(8) utility to give the user control over what they trust

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 22594

Event Timeline

allanjude created this revision.Aug 23 2018, 2:26 AM

Herald added a subscriber: bdrewery. · View Herald TranscriptAug 23 2018, 2:26 AM

Harbormaster completed remote builds in B19079: Diff 47147.Aug 23 2018, 2:26 AM

kbowling added a subscriber: kbowling.Aug 23 2018, 7:44 AM

Looks ok, though I wonder about a shell script that writes a Makefile, it should be possible to do that in a Makefile by itself, there is the .for/.endfor operator to make which can duplicate what the shell script does.

secure/caroot/trusted/Actalis_Authentication_Root_CA.pem
1 ↗	(On Diff #47147)	This file is being detected as a binary for some reason by Phabricator

This revision is now accepted and ready to land.Aug 23 2018, 3:13 PM

cem added a subscriber: cem.Aug 25 2018, 6:48 AM

cem added inline comments.

secure/caroot/Makefile
16	--no-sslv3, --no-tlsv1?
secure/caroot/gen_trusted_makefile.sh
35 ↗	(On Diff #47147)	do we anticipate shipping a CRL snapshot as well?

allanjude marked an inline comment as done.Aug 31 2018, 2:49 AM

allanjude added inline comments.

secure/caroot/gen_trusted_makefile.sh
35 ↗	(On Diff #47147)	It is not currently something that the ca_root_nss package includes, but it is a good idea.

Be extra strict when downloading the source-of-truth root certificate chain

This revision now requires review to proceed.Aug 31 2018, 2:50 AM

Harbormaster completed remote builds in B19314: Diff 47516.Aug 31 2018, 2:50 AM

My quick eyeball doesn't detect any issues. however, I'll look at the distribute issues.

Please also don't checkin generated files in the initial commit. As-is it makes it hard to review.

secure/caroot/Makefile
15	Needs `.PHONY`
18	Needs `.PHONY`
21	Needs `.PHONY`
secure/caroot/blacklisted/Makefile
4	Needs an entry in _etc/mtree/BSD.usr.dist_

This revision now requires changes to proceed.Oct 3 2018, 9:24 PM

kevans added a subscriber: kevans.Jan 13 2019, 5:12 AM

garga added a subscriber: garga.Jan 17 2019, 11:46 AM

egypcio added a subscriber: egypcio.Jan 17 2019, 7:14 PM

kevans commandeered this revision.Feb 20 2019, 2:14 AM

kevans added a reviewer: allanjude.

Main changes:

Drop initial certs from this review
Sprinkled some .PHONY
mtree update
Rewrote secure/caroot/trusted/Makefile to just shell out and grab all certs in the current dir instead of makefile churn*

I don't know how high-value the explicit listing of certs in the Makefile was, or if the churn was worth discussing/debating. I'm assuming that listing the certs in the Makefile offers little to no value for end-users as it's effectively the same as what I've changed it to (give or take me having goobered it up), and I'm not sure how much value it added for secteam review.

Harbormaster completed remote builds in B22594: Diff 54106.Feb 20 2019, 2:23 AM

The build system mechanics look good to me. I haven't looked at the Perl script, and frankly, I find Perl pretty inscrutable and may not be best at spotting bugs in it.

secure/caroot/Makefile
15	FWIW, Curl defaults to the 'release' version of the file, at URL `https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt` I don't know Mozilla's policy on when tip is updated, or when release is updated (presumably from tip). Currently the (only) difference is that tip has the following CAs not present in release: "emSign Root CA - G1" (valid starting 2018-02-18) "emSign ECC Root CA - G3" (ditto) "emSign Root CA - C1" (ditto) "emSign ECC Root CA - C3" (ditto) "Hongkong Post Root CA 3" (valid starting 2017-06-03)

Noticed while working on freebsd-update; no /usr/share/certs/trusted in the mtree.

Harbormaster completed remote builds in B26720: Diff 62606.Sep 26 2019, 5:33 PM

This revision was not accepted when it landed; it landed in state Needs Review.Oct 2 2019, 1:06 AM

Closed by commit rS352948: [1/3] Initial infrastructure for SSL root bundle in base (authored by kevans). · Explain Why

This revision was automatically updated to reflect the committed changes.

kevans added a commit: rS352948: [1/3] Initial infrastructure for SSL root bundle in base.

Initial proposed patch for SSL root bundle in base
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 54106

etc/mtree/BSD.usr.dist

secure/Makefile

secure/caroot/MAca-bundle.pl

secure/caroot/Makefile

secure/caroot/README

secure/caroot/blacklisted/Makefile

secure/caroot/trusted/Makefile

share/mk/src.opts.mk

Initial proposed patch for SSL root bundle in baseClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 54106

etc/mtree/BSD.usr.dist

secure/Makefile

secure/caroot/MAca-bundle.pl

secure/caroot/Makefile

secure/caroot/README

secure/caroot/blacklisted/Makefile

secure/caroot/trusted/Makefile

share/mk/src.opts.mk

Initial proposed patch for SSL root bundle in base
ClosedPublic
Actions

Revision Contents
Changeset List