[arch-dev-public] Rethinking our CA certificate setup

Guillaume Alaux guillaume at alaux.net
Sun Nov 16 14:54:53 UTC 2014


On 26 August 2014 21:15, Jan Alexander Steffens <jan.steffens at gmail.com> wrote:
> On Sun, Aug 24, 2014 at 11:47 AM, Jan Alexander Steffens
> <jan.steffens at gmail.com> wrote:
>> Hi guys,
>>
>> I'm currently at FrOSCon with Pierre and an expert from CAcert.org and
>> we're thinking of changes to our certificate setup.
>>
>>
>> The current issues are:
>> - Mozilla NSS uses its own root store and not /etc/ssl/certs
>> - ca-certificates ships outdated Mozilla roots
>> - Shipping additional roots outside ca-certificates is difficult,
>> requiring patching /etc/ca-certificates.conf
>>
>>
>> To solve these issues, we thought of making the following changes:
>>
>> - Attach NSS to p11-kit so it uses our root store (easily done by
>> replacing /usr/lib/libnssckbi.so with a symlink to p11-kit-proxy.so)
>> - Patch the update-ca-certificates script to read
>> /etc/ca-certificates/conf.d instead of /etc/ca-certificates.conf
>> - Split the current Mozilla roots from the NSS package in the
>> ca-certificates format, shipping
>> /etc/ca-certificates/conf.d/mozilla.conf
>> - Create a package shipping the CAcert.org roots in a similar way
>> - Ship the update-ca-certificates script in a ca-certificates-utils
>> package, which the certificate packages depend on
>> - ca-certificates becomes a metapackage depending on the -mozilla and
>> -cacert packages
>>
>> Comments are welcome. Unless we get objections, we're going to start
>> making these changes. Hopefully we can be done today and push the
>> result to [testing].
>>
>> Greetings,
>> Jan
>
> Firefox isn't quite happy yet with the change, see
> https://bugs.archlinux.org/task/41689: Addons fail to install or
> update.
>
> It seems this is due to Firefox depending on NSS internals -
> specifically, addons must be signed by certificates validated by the
> built-in trusted root store, which is matched by name.
>
> Fedora was affected as well: https://bugzilla.redhat.com/show_bug.cgi?id=966424
> Upstream report, arguing for the check to be removed:
> https://bugzilla.mozilla.org/show_bug.cgi?id=880269
>
> Now we can:
> a. Patch p11-kit to rename the store; the easy way.
> b. Patch Firefox and Thunderbird and SeaMonkey to not require the name
> to match; the hard way, and the one Fedora chose.
> c. Revert the change that links NSS to p11-kit; rather not, as it
> makes it really hard to control the root store.
>
> Opinions?


Hi Pierre, hi Jan,

So the "ca-certificates-utils" from testing (20140923-5) declares a
"provides" and "conflict" on "ca-certificates-java". Unfortunately jre
and jdk packages use a "init-jks-keystore" script provided by
"ca-certificates-java" but not "ca-certificates-utils". This script
only computes the file /etc/ssl/certs/java/cacerts, which is actually also
computed by "update-ca-trust".

So I could just make jre and jdk packages depend on
ca-certificates-utils and then "ca-certificates-java" could be
dropped: is that the whole plan?
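Two checks a packager or administrator would want after the changes proposed in the thread: that the conf.d split actually yields the intended set of roots (including a site-local `!` deselect winning over a package that enables the same root), and that NSS really resolves its built-in root module to p11-kit. The script below is an added example and is not code from the thread or from the Arch packages. It assumes the Debian-derived update-ca-certificates line format (one certificate path relative to a certs directory per line, a leading `!` to deselect, `#` for comments) and that conf.d fragments are merged with deselects taking precedence; the conf.d merge semantics are this example's own choice, not something the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread). Two helpers for auditing the
# ca-certificates layout discussed on the list.
#
# Assumed conf format (update-ca-certificates style, an assumption):
#   mozilla/Foo.crt      enable  CERTSDIR/mozilla/Foo.crt
#   !mozilla/Bar.crt     deselect it (wins over any enable, by this example's choice)
#   # comment

# effective_certs CONFDIR CERTSDIR
# Prints, sorted, the certificate paths enabled across CONFDIR/*.conf whose
# files exist under CERTSDIR. Listed-but-missing files go to stderr and are
# excluded, since update-ca-certificates could not link them either.
effective_certs() {
    confdir="$1"
    certsdir="$2"
    cat "$confdir"/*.conf 2>/dev/null |
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk '
        /^$/ { next }                                  # blank after comment strip
        /^!/ { disabled[substr($0, 2)] = 1; next }     # deselect entry
        { enabled[$0] = 1 }                            # enable entry
        END { for (c in enabled) if (!(c in disabled)) print c }
    ' | sort | while IFS= read -r c; do
        if [ -f "$certsdir/$c" ]; then
            printf '%s\n' "$c"
        else
            printf 'warning: %s listed but not found under %s\n' "$c" "$certsdir" >&2
        fi
    done
}

# check_nss_p11kit LIBNSSCKBI [PROXYNAME]
# Returns 0 when LIBNSSCKBI is a symlink that resolves to a file named
# PROXYNAME (default p11-kit-proxy.so), i.e. NSS's built-in root module has
# been replaced by the p11-kit proxy as the thread proposes; 1 otherwise.
check_nss_p11kit() {
    lib="$1"
    proxy="${2:-p11-kit-proxy.so}"
    [ -L "$lib" ] || return 1
    target=$(readlink -f "$lib") || return 1
    [ "$(basename "$target")" = "$proxy" ]
}

# demo: builds a constructed tree in a temp dir and runs both checks.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf.d" "$tmp/certs/mozilla" "$tmp/certs/cacert" "$tmp/lib"
    # constructed fragments: a -mozilla package and a -cacert package that
    # also deselects one Mozilla root
    printf 'mozilla/Root_A.crt\nmozilla/Root_B.crt\n' > "$tmp/conf.d/mozilla.conf"
    printf 'cacert/CAcert_Root.crt\n!mozilla/Root_B.crt\n' > "$tmp/conf.d/cacert.conf"
    : > "$tmp/certs/mozilla/Root_A.crt"
    : > "$tmp/certs/mozilla/Root_B.crt"
    : > "$tmp/certs/cacert/CAcert_Root.crt"
    : > "$tmp/lib/p11-kit-proxy.so"
    ln -s "$tmp/lib/p11-kit-proxy.so" "$tmp/lib/libnssckbi.so"
    echo "effective roots:"
    effective_certs "$tmp/conf.d" "$tmp/certs"
    if check_nss_p11kit "$tmp/lib/libnssckbi.so"; then
        echo "NSS root module -> p11-kit proxy: ok"
    else
        echo "NSS root module -> p11-kit proxy: NOT linked"
    fi
    rm -rf "$tmp"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh script.sh demo` for the constructed tree, or source it and call `effective_certs /etc/ca-certificates/conf.d /usr/share/ca-certificates` and `check_nss_p11kit /usr/lib/libnssckbi.so` on a real system. Deselects are made to win unconditionally so that a local `!mozilla/Foo.crt` cannot be silently re-enabled by a later package fragment.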
