security/ca_root_nss: Add a ca-merge utility to permit including private CAs

Mark Felder feld at FreeBSD.org
Fri Jul 20 17:24:47 UTC 2018


Hello,

I am writing you all about my review https://reviews.freebsd.org/D16352. It's very messy at this point, so it's easier to re-compose myself here and provide the complete plan.


Problem: FreeBSD has no way to include private CAs in the trust store in a persistent, reliable manner. Additionally we cannot blacklist CAs easily either.

Solution: Write a tool to do it. RHEL/CentOS already have this tool called update-ca-trust(8) https://www.unix.com/man-page/centos/8/update-ca-trust/


I have attempted to write a tool to be included with security/ca_root_nss which is currently called "ca-merge". Phase one of this tool should cover the ability to include private CAs easily. A future revision should include blacklisting capabilities, but that is going to be more complex to accomplish. This tool is written in POSIX sh using only utilities in base. The following is the proposed change in our ports/packages:


The ca-root-nss.crt is no longer the trusted root; we now generate %%PREFIX%%/etc/ssl/cert.pem. All roads point to this file now. @postexec of security/ca_root_nss will generate this file from the contents of ca-root-nss.crt and do the required work if Java or Mono are installed so they get the same trusted CAs. Currently Java ships its own trust store, which creates a very undesirable inconsistency. Additionally we would include @postexec in the Mono and Java packages to run ca-merge so the instant they are installed they immediately have their trust stores updated and ready for use.

These are the proposed steps:

1) Get ca_root_nss with ca-merge committed in the tree
2) lang/mono needs only the @postexec added in pkg-plist so it's ready at install time
3) Java ports will need updates to not install their cacerts keystore file, but instead symlink to %%PREFIX%%/etc/ssl/cacerts
4) A somewhat large commit to the tree will be needed to update every port that is compiled with special flags to make the software look at %%PREFIX%%/etc/ssl/certs.pem instead of ca-root-nss.crt


Known problems:
I am concerned about Java. The process of building the cacerts keystore is very annoying. You have to manually import every certificate file with the keytool command and it is slow. The ca-merge command takes a little while to churn through all the certs to build the keystore before comparing with the one on-disk to decide if it needs to be updated. This will slow down pkg build runs and pkg installs.


The end result is that we should have a working out-of-the-box trust store that is consistent across all software *and* permits you to include private CAs.


Please provide feedback. I don't want to bikeshed about it too much, though. Let's get something in that works. We can always improve it later.
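As an added example (not the ca-merge script from the review or the port), the POSIX sh sketch below shows the core of the approach described above: rebuild cert.pem from the upstream NSS bundle plus a drop-in directory of private CAs, and replace the on-disk file only when its contents actually changed, so the slow Java keystore rebuild can be skipped when nothing moved. The file names, the drop-in directory, the exit codes and the placeholder certificates are assumptions; the keytool step is omitted.

```shell
#!/bin/sh
# Illustrative ca-merge-style rebuild of the trust bundle (added example, not
# the port's ca-merge). Assumed layout: BASE = upstream NSS bundle (port's
# ca-root-nss.crt), PRIVDIR = drop-in dir of private CA PEM files, OUT = merged
# bundle (port's %%PREFIX%%/etc/ssl/cert.pem). ca_merge exit status:
# 0 = OUT (re)written, 3 = OUT already current, 1 = error.
ca_merge() {
    base=$1 privdir=$2 out=$3
    [ -r "$base" ] || { echo "ca_merge: cannot read $base" >&2; return 1; }
    tmp=$(mktemp "$out.XXXXXX") || return 1
    # Start from the upstream bundle, then append every private CA found.
    cat "$base" > "$tmp"
    if [ -d "$privdir" ]; then
        for f in "$privdir"/*.crt "$privdir"/*.pem; do
            [ -f "$f" ] || continue
            # Copy only PEM certificate blocks; comments or other text must not land in the bundle.
            awk '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/' \
                "$f" >> "$tmp"
        done
    fi
    # Replace the on-disk bundle only when the content changed, so a caller
    # (e.g. a slow Java keystore rebuild) can skip work when nothing moved.
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"
        return 3
    fi
    chmod 0644 "$tmp" && mv "$tmp" "$out"
}
# Number of certificates in a PEM bundle.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}
# Stand-alone demo on constructed (not real) certificate placeholders.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'BASE-CA-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/ca-root-nss.crt"
    mkdir "$d/private"
    printf '%s\n' '# corp root, constructed' '-----BEGIN CERTIFICATE-----' \
        'PRIVATE-CA-PLACEHOLDER' '-----END CERTIFICATE-----' > "$d/private/corp.crt"
    ca_merge "$d/ca-root-nss.crt" "$d/private" "$d/cert.pem"
    echo "certs in bundle: $(count_certs "$d/cert.pem")"   # 2
    ca_merge "$d/ca-root-nss.crt" "$d/private" "$d/cert.pem" || echo "unchanged (rc=$?)"
    rm -rf "$d"
}
demo
```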