Page MenuHomeFreeBSD

Initial proposed patch for SSL root bundle in base
ClosedPublic

Authored by kevans on Aug 23 2018, 2:26 AM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Mar 11, 10:07 AM
Unknown Object (File)
Mon, Mar 11, 10:07 AM
Unknown Object (File)
Mon, Mar 11, 10:07 AM
Unknown Object (File)
Mon, Mar 11, 10:07 AM
Unknown Object (File)
Mon, Mar 11, 10:07 AM
Unknown Object (File)
Mon, Mar 11, 10:07 AM
Unknown Object (File)
Fri, Mar 8, 12:05 AM
Unknown Object (File)
Feb 10 2024, 2:31 PM

Details

Summary

This adds the trusted certificates from the Mozilla NSS bundle to base

It includes a test of tools to update the certificates from time to time.
This is envisioned to be done by secteam@ and the results committed to the tree.

A follow-on patch adds a trustctl(8) utility to give the user control over what they trust

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 22594

Event Timeline

rgrimes added a subscriber: rgrimes.

Looks ok, though I wonder about a shell script that writes a Makefile, it should be possible to do that in a Makefile by itself, there is the .for/.endfor operator to make which can duplicate what the shell script does.

secure/caroot/trusted/Actalis_Authentication_Root_CA.pem
1 ↗(On Diff #47147)

This file is being detected as a binary for some reason by Phabricator

This revision is now accepted and ready to land.Aug 23 2018, 3:13 PM
cem added inline comments.
secure/caroot/Makefile
16

--no-sslv3, --no-tlsv1?

secure/caroot/gen_trusted_makefile.sh
35 ↗(On Diff #47147)

do we anticipate shipping a CRL snapshot as well?

allanjude added inline comments.
secure/caroot/gen_trusted_makefile.sh
35 ↗(On Diff #47147)

It is not currently something that the ca_root_nss package includes, but it is a good idea.

Be extra strict when downloading the source-of-truth root certificate chain

This revision now requires review to proceed.Aug 31 2018, 2:50 AM

My quick eyeball doesn't detect any issues. however, I'll look at the distribute issues.

bdrewery requested changes to this revision.Oct 3 2018, 9:24 PM

Please also don't checkin generated files in the initial commit. As-is it makes it hard to review.

secure/caroot/Makefile
15

Needs .PHONY

18

Needs .PHONY

21

Needs .PHONY

secure/caroot/blacklisted/Makefile
4

Needs an entry in _etc/mtree/BSD.usr.dist_

This revision now requires changes to proceed.Oct 3 2018, 9:24 PM
kevans added a reviewer: allanjude.

Main changes:

  • Drop initial certs from this review
  • Sprinkled some .PHONY
  • mtree update
  • Rewrote secure/caroot/trusted/Makefile to just shell out and grab all certs in the current dir instead of makefile churn*
  • I don't know how high-value the explicit listing of certs in the Makefile was, or if the churn was worth discussing/debating. I'm assuming that listing the certs in the Makefile offers little to no value for end-users as it's effectively the same as what I've changed it to (give or take me having goobered it up), and I'm not sure how much value it added for secteam review.

The build system mechanics look good to me. I haven't looked at the Perl script, and frankly, I find Perl pretty inscrutable and may not be best at spotting bugs in it.

secure/caroot/Makefile
15

FWIW, Curl defaults to the 'release' version of the file, at URL https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt

I don't know Mozilla's policy on when tip is updated, or when release is updated (presumably from tip). Currently the (only) difference is that tip has the following CAs not present in release:

  1. "emSign Root CA - G1" (valid starting 2018-02-18)
  2. "emSign ECC Root CA - G3" (ditto)
  3. "emSign Root CA - C1" (ditto)
  4. "emSign ECC Root CA - C3" (ditto)
  5. "Hongkong Post Root CA 3" (valid starting 2017-06-03)

Noticed while working on freebsd-update; no /usr/share/certs/trusted in the mtree.

This revision was not accepted when it landed; it landed in state Needs Review.Oct 2 2019, 1:06 AM
This revision was automatically updated to reflect the committed changes.