[Bug 272479] security/ca_root_nss: Add option to install as individual PEM files

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 13 Jul 2023 03:56:29 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272479

            Bug ID: 272479
           Summary: security/ca_root_nss: Add option to install as
                    individual PEM files
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: ports.maintainer@evilphi.com
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

Created attachment 243367
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=243367&action=edit
Patch to add UNBUNDLED option, includes new certdata.txt manipulation script

Problem description:

By using the precedence behaviour of OpenSSL to override the CApath trust store
managed by the certctl utility with a CAfile-style store, ca_root_nss creates a
local trust store management problem that would not exist if ca_root_nss was
installed as a set of individual PEM files.

Because both the ca_root_nss.crt file and the cert.pem links are under pkg
control, it's not possible to modify them without auditing errors. 
Additionally, removing (or building a local pkg with ETCSYMLINK disabled) means
ca_root_nss doesn't get used at all without further sysadmin intervention
(i.e., compiling a customized bundle).

Solution:

Install ca_root_nss as a collection of individual PEM files that certctl can
then index into /etc/ssl/certs.  The supplied patch adds an option to install
in that format.

For the typical user, the default behaviour of the port has not changed.

For a system administrator with a managed trust store, the steps of setting
aside /usr/share/certs and building a local version of ca_root_nss with
ETCSYMLINK off would be something they're already doing.
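To make the unbundled layout concrete, here is an added example that is not part of the attached patch: a POSIX shell function that splits a CAfile-style bundle laid out like ca_root_nss.crt into one PEM file per certificate, keeping each certificate's `##` label comment with it, run on a constructed two-certificate sample whose base64 bodies are placeholders rather than real certificates. The `##` comment layout and the cert-NNN.pem naming are assumptions; certctl itself names the links it creates in /etc/ssl/certs by subject hash when it indexes the directory.

```shell
#!/bin/sh
# Added example, not from the attached patch: split a CAfile-style bundle laid
# out like ca_root_nss.crt into one PEM file per certificate, the layout certctl
# indexes into /etc/ssl/certs. Assumed: "##" label comments precede each cert.
# unbundle_pem BUNDLE OUTDIR: write one file per certificate, print the count.
unbundle_pem() {
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /^#/ && !inside { hdr = hdr $0 "\n"; next }   # label comments before a cert
    /^$/ && !inside { hdr = ""; next }            # blank line: drop the file header
    /^-----BEGIN CERTIFICATE-----$/ {
      inside = 1; n++
      f = sprintf("%s/cert-%03d.pem", dir, n)
      printf "%s", hdr > f; hdr = ""
    }
    inside { print > f }
    /^-----END CERTIFICATE-----$/ { inside = 0; close(f) }
    END { print n + 0 }
  ' "$bundle"
}
# make_sample_bundle FILE: a constructed two-certificate bundle; the
# base64 bodies are placeholders, not real certificates.
make_sample_bundle() {
  cat > "$1" <<'EOF'
##
## Constructed sample in the style of ca_root_nss.crt (placeholders only)
##

##
## Example Root CA 1
##
-----BEGIN CERTIFICATE-----
MIIBsampleONEnotARealCertificateBodyAAAA
-----END CERTIFICATE-----

##
## Example Root CA 2
##
-----BEGIN CERTIFICATE-----
MIIBsampleTWOnotARealCertificateBodyBBBB
-----END CERTIFICATE-----
EOF
}
# Demonstration; on FreeBSD the files would go under a certctl trust path, then "certctl rehash".
tmp=$(mktemp -d)
make_sample_bundle "$tmp/ca_root_nss.crt"
n=$(unbundle_pem "$tmp/ca_root_nss.crt" "$tmp/unbundled")
echo "split into $n PEM files under $tmp/unbundled"   # prints 2
```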

Notes:

files/MAca-bundle-UNBUNDLED.pl.in is a copy of src/secure/caroot/MAca-bundle.pl
from 13-STABLE with a minor edit to match the output comment format generated
by files/MAca-bundle.pl.in.

Validated with portlint/portclippy.
