Bug 228913

Summary: Include a root certificate bundle in the base system
Product: Base System
Reporter: Rodney W. Grimes <rgrimes>
Component: bin
Assignee: Kyle Evans <kevans>
Status: In Progress
Severity: Affects Many People
CC: cem, emaste, michael.osipov, pi, ps.ports, rgrimes, thierry
Priority: ---
Version: CURRENT
Hardware: Any
OS: Any
Bug Depends on: 246190, 246614
Bug Blocks:

Description Rodney W. Grimes freebsd_committer freebsd_triage 2018-06-12 08:08:44 UTC
Add the/a root CA to the base system
Comment 1 Allan Jude freebsd_committer freebsd_triage 2018-08-20 20:37:36 UTC
This item is progressing

This script will allow secteam@ to convert the NSS bundle into the per-CA files to be installed in /usr/share/certs

https://reviews.freebsd.org/D15713


There is a second part, trustctl(8), that creates the hashed symlinks in /etc/ssl/certs that is almost finished.
Comment 2 Allan Jude freebsd_committer freebsd_triage 2018-08-20 20:41:21 UTC
(In reply to Allan Jude from comment #1)
That link should be: https://reviews.freebsd.org/D16684
Comment 3 Allan Jude freebsd_committer freebsd_triage 2018-08-23 03:48:47 UTC
Actual certificates for base:
https://reviews.freebsd.org/D16856

trustctl(8):
https://reviews.freebsd.org/D16857
Comment 4 Michael Osipov 2020-05-20 20:11:43 UTC
Allan, I think there is still room for improvement. I'd like to add value to the issue because I desperately need it.
Comment 5 Allan Jude freebsd_committer freebsd_triage 2020-05-21 16:34:38 UTC
(In reply to Michael Osipov from comment #4)
Kyle Evans has completed most of the work here. I don't know that there is much left to do. What ideas did you have?
Comment 6 Michael Osipov 2020-05-21 16:43:53 UTC
(In reply to Allan Jude from comment #5)

From the top of my head two issues, for the rest I need to review at least the script:

* Subject hash collisions are not handled at all, see bug 246614
* It would be very helpful for non-OpenSSL users/other apps to distill a crt file from all certs in the certs/ dir to a well-known location.
* As soon as this will be available, consider what will happen with ca_root_nss, because I am certain it will cause confusion that two stores are available and spread across locations.
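The two behaviours discussed in this comment, collision-safe subject-hash symlinks and a single consolidated bundle file, as an added example in POSIX sh. This is not FreeBSD's certctl(8); it assumes openssl(1) is on PATH, that each input file holds one PEM certificate, and that the source, trust and bundle paths are supplied by the caller.

```shell
#!/bin/sh
# Added example (not FreeBSD's certctl): install per-CA PEM files from a
# source directory into a trust directory as OpenSSL subject-hash symlinks,
# allocating a fresh ".N" suffix when two CAs share a hash, and emit one
# concatenated bundle for tools that cannot walk a hashed directory.
set -eu

# next_free_slot DIR HASH -> prints the first unused DIR/HASH.N name.
# Two distinct CAs with the same subject hash (the situation in bug 246614)
# must get distinct suffixes instead of the second silently replacing the first.
next_free_slot() {
    dir=$1; hash=$2; n=0
    while [ -e "$dir/$hash.$n" ]; do
        n=$((n + 1))
    done
    printf '%s/%s.%s\n' "$dir" "$hash" "$n"
}

# subject_hash FILE -> OpenSSL's hash of the certificate's subject name,
# the same value the library uses when looking up a CA in a hashed directory.
subject_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# link_certs SRC_DIR TRUST_DIR BUNDLE -> create the symlinks and the bundle.
link_certs() {
    src=$1; trust=$2; bundle=$3
    mkdir -p "$trust"
    : > "$bundle"
    for cert in "$src"/*.pem; do
        [ -f "$cert" ] || continue
        # Link to an absolute path so the symlink does not dangle when the
        # trust directory is not a sibling of the source directory.
        abs="$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")"
        ln -s "$abs" "$(next_free_slot "$trust" "$(subject_hash "$cert")")"
        # Re-emit only the certificate block so stray text in the file
        # (trust comments, key material) never lands in the bundle.
        openssl x509 -in "$cert" >> "$bundle"
    done
}

# Run only when invoked with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    link_certs "$@"
fi
```

Invoke as `sh rehash.sh /usr/share/certs/trusted /etc/ssl/certs /etc/ssl/cert.pem` style arguments of your choosing; a constructed pair of same-subject certificates lands as `HASH.0` and `HASH.1` rather than one overwriting the other.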
Comment 7 Michael Osipov 2020-06-16 10:09:15 UTC
Is this going to be backported to 11.4 or 11.5?
Comment 8 Kyle Evans freebsd_committer freebsd_triage 2020-06-16 11:22:53 UTC
(In reply to Michael Osipov from comment #7)

AFAIK stable/11 will go EOL before an 11.5 would typically be cut. 11.4 has all the infrastructure, but I backed out actually including the root bundle due to the glaring issues you pointed out remaining with certctl. 12.2 will be the earliest release to ship it.

I'm hoping to have time to circle back to the certctl problems soon.
Comment 9 Michael Osipov 2020-06-16 12:07:33 UTC
Alright, I was already discussing with koobs@ how this could be integrated into py-certifi.
Comment 10 Kyle Evans freebsd_committer freebsd_triage 2020-06-16 12:44:46 UTC
(In reply to Michael Osipov from comment #9)

Yeah, so unfortunately this will be a little more complicated. If it's not too hard to do so, then once 12.1 goes EOL, you could (in the interim) do it differently contingent on __FreeBSD_version >= 1104500 so that folks building it on 11.4 will get the current behavior while stable/11 users after 11.4 branched + >= 12.2 will get the proper integration.