Date: Fri, 20 Jul 2018 12:24:23 -0500
From: Mark Felder <feld@FreeBSD.org>
To: port-secteam@freebsd.org, "portmgr@FreeBSD.org" <portmgr@FreeBSD.org>, "java@freebsd.org" <java@freebsd.org>, mono@FreeBSD.org
Subject: security/ca_root_nss: Add a ca-merge utility to permit including private CAs
Message-ID: <44C404E7-2C4E-47A7-8E38-1721495D84B1@FreeBSD.org>
Hello,

I am writing you all about my review https://reviews.freebsd.org/D16352. It's very messy at this point, so it's easier to re-compose myself here and provide the complete plan.

Problem: FreeBSD has no way to include private CAs in the trust store in a persistent, reliable manner. Additionally we cannot blacklist CAs easily either.

Solution: Write a tool to do it. RHEL/CentOS already have this tool called update-ca-trust(8): https://www.unix.com/man-page/centos/8/update-ca-trust/

I have attempted to write a tool to be included with security/ca_root_nss which is currently called "ca-merge". Phase one of this tool should cover the ability to include private CAs easily. A future revision should include blacklisting capabilities, but that is going to be more complex to accomplish. This tool is written in POSIX sh using only utilities in base.

The following is the proposed change in our ports/packages:

The ca-root-nss.crt is no longer the trusted root; we now generate %%PREFIX%%/etc/ssl/cert.pem. All roads point to this file now. @postexec of security/ca_root_nss will generate this file from the contents of ca-root-nss.crt and do the required work if Java or Mono are installed so they get the same trusted CAs. Currently Java ships its own trust store, which creates a very undesirable inconsistency. Additionally we would include @postexec in the Mono and Java packages to run ca-merge so the instant they are installed they immediately have their trust stores updated and ready for use.
These are the proposed steps:

1) Get ca_root_nss with ca-merge committed in the tree
2) lang/mono needs only the @postexec added in pkg-plist so it's ready at install time
3) Java ports will need updates to not install their cacerts keystore file, but instead symlink to %%PREFIX%%/etc/ssl/cacerts
4) A somewhat large commit to the tree will be needed to update every port that is compiled with special flags to make the software look at %%PREFIX%%/etc/ssl/certs.pem instead of ca-root-nss.crt

Known problems:

I am concerned about Java. The process of building the cacerts keystore is very annoying. You have to manually import every certificate file with the keytool command and it is slow. The ca-merge command takes a little while to churn through all the certs to build the keystore before comparing with the one on-disk to decide if it needs to be updated. This will slow down pkg build runs and pkg installs.

The end result is that we should have a working out-of-the-box trust store that is consistent across all software *and* permits you to include private CAs.

Please provide feedback. I don't want to bikeshed about it too much, though. Let's get something in that works. We can always improve it later.
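A sketch of the merge step the message describes (root bundle plus private CA files in, one cert.pem out, replaced only when the content changed). This is an added example written for this page in POSIX sh with base utilities only; it is not the ca-merge script from D16352, and the function names, the CA_MERGE_BLACKLIST variable and the constructed PEM blocks in the usage are all assumptions. It goes one step past the message's phase one by honouring an exclusion list, but keys it on a checksum of the PEM text rather than a real certificate fingerprint, so it is a stand-in for the blacklisting the message defers, not an implementation of it.

```shell
#!/bin/sh
# Constructed example: merge a root bundle and private CA files into one
# PEM trust store, dropping duplicates, honouring an optional exclusion
# list, and replacing the on-disk file only when the content changed.
# Not the ca-merge script from D16352; names and layout are assumptions.
# Uses only POSIX sh, awk, cksum, cmp, grep and mktemp.
set -e

# Identifier for a single-certificate PEM file. A stand-in for a real
# certificate fingerprint: it hashes the PEM text, not the DER body.
cert_id() {
    cksum < "$1" | awk '{ print $1 }'
}

# Split every CERTIFICATE block found in the input files into its own
# file under $1, named by cert_id so identical certs collapse to one file.
# Text between blocks (the comments in ca-root-nss.crt) is dropped.
# Certs whose id appears in $CA_MERGE_BLACKLIST (one id per line) are skipped.
split_certs() {
    work=$1; shift
    n=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        n=$((n + 1))
        awk -v dir="$work" -v fileno="$n" '
            /^-----BEGIN CERTIFICATE-----$/ { inblk = 1; out = dir "/blk." fileno "." (++i) }
            inblk { print > (out) }
            /^-----END CERTIFICATE-----$/ { if (inblk) close(out); inblk = 0 }
        ' "$f"
    done
    for b in "$work"/blk.*; do
        [ -e "$b" ] || break                # no certificates at all
        id=$(cert_id "$b")
        if [ -n "${CA_MERGE_BLACKLIST-}" ] && grep -qx "$id" "$CA_MERGE_BLACKLIST"; then
            rm -f "$b"                      # excluded CA: keep it out of the store
            continue
        fi
        mv -f "$b" "$work/$id.crt"          # same id => same cert, overwrite
    done
}

# merge_certs DEST BUNDLE... : rebuild DEST from the bundles and print
# "updated" or "unchanged". The new store is written beside DEST and
# renamed over it, so readers never see a partially written file.
merge_certs() {
    dest=$1; shift
    work=$(mktemp -d)
    split_certs "$work" "$@"
    tmp=$(mktemp "$dest.XXXXXX")
    cat "$work"/*.crt > "$tmp" 2>/dev/null || :   # empty store if no certs
    rm -rf "$work"
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"
        echo unchanged
        return 0
    fi
    chmod 0644 "$tmp"                       # mktemp creates 0600; a trust store must be readable
    mv -f "$tmp" "$dest"
    echo updated
}

# Number of certificates in a PEM bundle (0 when there are none).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || :
}
```

Invoke it as `merge_certs /usr/local/etc/ssl/cert.pem /usr/local/share/certs/ca-root-nss.crt /usr/local/etc/ssl/certs/*.crt` (paths assumed for illustration); the "unchanged" result is what lets an @postexec skip the expensive keystore rebuild for Java when nothing moved. A real tool would key the exclusion list on SHA-256 fingerprints of the DER certificate and would need to think about cross-signed chains, which is why the message treats blacklisting as a separate, harder phase.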