228913 – Include a root certificate bundle in the base system

Bug 228913 - Include a root certificate bundle in the base system

Summary: Include a root certificate bundle in the base system

Status:	In Progress

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	bin (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Many People
Assignee:	Kyle Evans

URL:
Keywords:

Depends on:	246190 246614
Blocks:
	Show dependency tree / graph

Reported:	2018-06-12 08:08 UTC by Rodney W. Grimes
Modified:	2022-02-08 20:47 UTC (History)
CC List:	7 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Rodney W. Grimes freebsd_committer

2018-06-12 08:08:44 UTC

Add the/a root CA to the base system

Comment 1 Allan Jude freebsd_committer

2018-08-20 20:37:36 UTC

This item is progressing

This script will allow secteam@ to convert the NSS bundle into the per-CA files to be installed in /usr/share/certs

https://reviews.freebsd.org/D15713


There is a second part, trustctl(8), that creates the hashed symlinks in /etc/ssl/certs that is almost finished.

Comment 2 Allan Jude freebsd_committer

2018-08-20 20:41:21 UTC

(In reply to Allan Jude from comment #1)
That link should be: https://reviews.freebsd.org/D16684

Comment 3 Allan Jude freebsd_committer

2018-08-23 03:48:47 UTC

Actual certificates for base:
https://reviews.freebsd.org/D16856

trustctl(8):
https://reviews.freebsd.org/D16857

Comment 4 Michael Osipov 2020-05-20 20:11:43 UTC

Allan, I think there is still room for improvement. I'd like add value to the issue because I desperately need it.

Comment 5 Allan Jude freebsd_committer

2020-05-21 16:34:38 UTC

(In reply to Michael Osipov from comment #4)
Kyle Evans has completed most of the work here. I don't know that there is much left to do. What ideas did you have?

Comment 6 Michael Osipov 2020-05-21 16:43:53 UTC

(In reply to Allan Jude from comment #5)

From the top of my head two issues, for the rest I need to review at least the script:

* Subject hash collisions are not handled at all, see bug 246614
* It would be very helpful for non-OpenSSL users/other apps to distill a crt file from all certs in the certs/ dir to a wellknown location.
* As soon as this will be available consider what will happens with ca_root_nss because I am certain it will cause confusion that two stores are availabe and spread locations

Comment 7 Michael Osipov 2020-06-16 10:09:15 UTC

Is this going to be backported to 11.4 or 11.5?

Comment 8 Kyle Evans freebsd_committer

2020-06-16 11:22:53 UTC

(In reply to Michael Osipov from comment #7)

AFAIK stable/11 will go EOL before an 11.5 would typically be cut. 11.4 has all the infrastructure, but I backed out actually including the root bundle due to the glaring issues you pointed out remaining with certctl. 12.2 will be the earliest release to ship it.

I'm hoping to have time to circle back to the certctl problems soon.

Comment 9 Michael Osipov 2020-06-16 12:07:33 UTC

Alright, I was already discussing with koobs@ how this could be intergrated into py-certifi.

Comment 10 Kyle Evans freebsd_committer

2020-06-16 12:44:46 UTC

(In reply to Michael Osipov from comment #9)

Yeah, so unfortunately this will be a little more complicated. If it's not too hard to do so, then once 12.1 goes EOL, you could (in the interim) do it differently contingent on __FreeBSD_version >= 1104500 so that folks building it on 11.4 will get the current behavior while stable/11 users after 11.4 branched + >= 12.2 will get the proper integration.