From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 272479] security/ca_root_nss: Add option to install as individual PEM files
Date: Thu, 13 Jul 2023 03:56:29 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272479

            Bug ID: 272479
           Summary: security/ca_root_nss: Add option to install as individual PEM files
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: ports.maintainer@evilphi.com
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

Created attachment 243367
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=243367&action=edit
Patch to add UNBUNDLED option, includes new certdata.txt manipulation script

Problem description:

By using the precedence behaviour of OpenSSL to override the CApath trust store managed by the certctl utility with a CAfile-style store, ca_root_nss creates a local trust store management problem that would not exist if ca_root_nss was installed as a set of individual PEM files. Because both the ca_root_nss.crt file and the cert.pem links are under pkg control, it's not possible to modify them without auditing errors.

Additionally, removing (or building a local pkg with ETCSYMLINK disabled) means ca_root_nss doesn't get used at all without further sysadmin intervention (i.e., compiling a customized bundle).
Solution:

Install ca_root_nss as a collection of individual PEM files that certctl can then index into /etc/ssl/certs. The supplied patch adds an option to install in that format.

For the typical user, the default behaviour of the port has not changed. For a system administrator with a managed trust store, the steps of setting aside /usr/share/certs and building a local version of ca_root_nss with ETCSYMLINK off would be something they're already doing.

Notes:

files/MAca-bundle-UNBUNDLED.pl.in is a copy of src/secure/caroot/MAca-bundle.pl from 13-STABLE with a minor edit to match the output comment format generated by files/MAca-bundle.pl.in.

Validated with portlint/portclippy.

-- 
You are receiving this mail because:
You are the assignee for the bug.
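To illustrate the kind of certdata.txt manipulation the report's "unbundled" approach relies on, here is an added example (Python, written for this page; it is not the port's MAca-bundle-UNBUNDLED.pl script nor any FreeBSD code): it parses the Mozilla certdata.txt object format, keeps only roots whose CKO_NSS_TRUST object grants CKT_NSS_TRUSTED_DELEGATOR for server auth, and emits one PEM string per root so that each can be written to its own file for certctl to index. The input is a constructed miniature certdata.txt with placeholder certificate bytes, and matching certificate objects to trust objects by CKA_LABEL is an assumption of this example.

```python
import base64, re, textwrap

# Constructed miniature certdata.txt (not real Mozilla data); the octal CKA_VALUE bytes are placeholders, not DER.
SAMPLE_CERTDATA = r"""CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\000
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED"""

def parse_certdata(text):
    """Split certdata.txt into one attribute dict per CKO_* object."""
    objects, lines = [], iter(text.splitlines())
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        if name == "CKA_CLASS":                 # every object starts with CKA_CLASS
            objects.append({})
        if rest == "MULTILINE_OCTAL":           # \ooo escapes on the lines up to END
            body = "".join(iter(lambda: next(lines), "END"))
            objects[-1][name] = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", body))
        elif rest.startswith("UTF8 "):
            objects[-1][name] = rest[5:].strip('"')
        else:                                   # "<type> <value>": keep the value
            objects[-1][name] = rest.split()[-1]
    return objects

def trusted_server_roots(text):
    """label -> PEM for certificates whose CKO_NSS_TRUST object grants
    CKT_NSS_TRUSTED_DELEGATOR for server auth (objects matched by CKA_LABEL: an assumption)."""
    objs = parse_certdata(text)
    trusted = {o["CKA_LABEL"] for o in objs if o["CKA_CLASS"] == "CKO_NSS_TRUST"
               and o.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_TRUSTED_DELEGATOR"}
    pems = {}
    for o in objs:
        if o["CKA_CLASS"] == "CKO_CERTIFICATE" and o["CKA_LABEL"] in trusted:
            b64 = "\n".join(textwrap.wrap(base64.b64encode(o["CKA_VALUE"]).decode(), 64))
            pems[o["CKA_LABEL"]] = f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
    return pems
```

Writing each returned PEM to its own file under a directory such as /usr/share/certs/trusted gives certctl individual certificates to hash and link into /etc/ssl/certs, instead of a single CAfile bundle that takes precedence over the CApath store.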