ship root SSL certificates along with ziglang.org-vendored tarballs #14168

Open
Tracked by #14178
andrewrk opened this issue Jan 3, 2023 · 4 comments
@andrewrk
Member

andrewrk commented Jan 3, 2023

Normally, it is best for applications to rely on their system for providing root SSL certificates. However, Zig is a bit of a special case because it aims to be "Dependency Zero" - a self-contained binary that one can use to build & install other things.

In order to do this consistently across the many different platforms that Zig aims to target, dependencies must be eliminated. There are environments where we want the zig package manager to work, for example, that will not necessarily have any root certificates installed.

Other notable applications that ship their own certificates:

  • curl (as with Zig, curl is often "dependency zero")
  • Firefox, Chromium (as with Zig, they want the user experience to be consistent across operating systems)

These certificates would be file(s) inside of a sub-directory in lib. Any std lib code that needs a std.Certificate.Bundle would use @embedFile to obtain this set, and then at runtime augment it with the ones found locally on the OS, if any.

Open questions:

  • where to get the set of root certificates for distribution?
@andrewrk andrewrk added enhancement Solving this issue will likely involve adding new logic or components to the codebase. standard library This issue involves writing Zig code for the standard library. proposal This issue suggests modifications. If it also has the "accepted" label then it is planned. labels Jan 3, 2023
@andrewrk andrewrk added this to the 0.11.0 milestone Jan 3, 2023
@Ristovski
Contributor

Ristovski commented Jan 3, 2023

> where to get the set of root certificates for distribution?

Curl seems to host a CA bundle (~221K) extracted from Mozilla: https://curl.se/docs/caextract.html

Direct link: https://curl.se/ca/cacert.pem

##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Tue Oct 11 03:12:05 2022 GMT
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## file (certdata.txt).  This file can be found in the mozilla source tree:
## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
##
## It contains the certificates in PEM format and therefore
## can be directly used with curl / libcurl / php_curl, or with
## an Apache+mod_ssl webserver for SSL client authentication.
## Just configure this file as the SSLCACertificateFile.
##
## Conversion done with mk-ca-bundle.pl version 1.29.
## SHA256: 3ff8bd209b5f2e739b9f2b96eacb694a774114685b02978257824f37ff528f71
##

The upstream sources for this are over at Mozilla's VCS: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt

Tool in question is here: https://curl.se/docs/mk-ca-bundle.html

Click to expand CA list

$ awk '/===/ {print line} {line = $0}' /tmp/cacert.pem 
GlobalSign Root CA
Entrust.net Premium 2048 Secure Server CA
Baltimore CyberTrust Root
Entrust Root Certification Authority
Comodo AAA Services root
QuoVadis Root CA 2
QuoVadis Root CA 3
Security Communication Root CA
XRamp Global CA Root
Go Daddy Class 2 CA
Starfield Class 2 CA
DigiCert Assured ID Root CA
DigiCert Global Root CA
DigiCert High Assurance EV Root CA
SwissSign Gold CA - G2
SwissSign Silver CA - G2
SecureTrust CA
Secure Global CA
COMODO Certification Authority
Network Solutions Certificate Authority
COMODO ECC Certification Authority
Certigna
ePKI Root Certification Authority
certSIGN ROOT CA
NetLock Arany (Class Gold) Főtanúsítvány
Hongkong Post Root CA 1
SecureSign RootCA11
Microsec e-Szigno Root CA 2009
GlobalSign Root CA - R3
Autoridad de Certificacion Firmaprofesional CIF A62634068
Izenpe.com
Go Daddy Root Certificate Authority - G2
Starfield Root Certificate Authority - G2
Starfield Services Root Certificate Authority - G2
AffirmTrust Commercial
AffirmTrust Networking
AffirmTrust Premium
AffirmTrust Premium ECC
Certum Trusted Network CA
TWCA Root Certification Authority
Security Communication RootCA2
Actalis Authentication Root CA
Buypass Class 2 Root CA
Buypass Class 3 Root CA
T-TeleSec GlobalRoot Class 3
D-TRUST Root Class 3 CA 2 2009
D-TRUST Root Class 3 CA 2 EV 2009
CA Disig Root R2
ACCVRAIZ1
TWCA Global Root CA
TeliaSonera Root CA v1
E-Tugra Certification Authority
T-TeleSec GlobalRoot Class 2
Atos TrustedRoot 2011
QuoVadis Root CA 1 G3
QuoVadis Root CA 2 G3
QuoVadis Root CA 3 G3
DigiCert Assured ID Root G2
DigiCert Assured ID Root G3
DigiCert Global Root G2
DigiCert Global Root G3
DigiCert Trusted Root G4
COMODO RSA Certification Authority
USERTrust RSA Certification Authority
USERTrust ECC Certification Authority
GlobalSign ECC Root CA - R5
Staat der Nederlanden EV Root CA
IdenTrust Commercial Root CA 1
IdenTrust Public Sector Root CA 1
Entrust Root Certification Authority - G2
Entrust Root Certification Authority - EC1
CFCA EV ROOT
OISTE WISeKey Global Root GB CA
SZAFIR ROOT CA2
Certum Trusted Network CA 2
Hellenic Academic and Research Institutions RootCA 2015
Hellenic Academic and Research Institutions ECC RootCA 2015
ISRG Root X1
AC RAIZ FNMT-RCM
Amazon Root CA 1
Amazon Root CA 2
Amazon Root CA 3
Amazon Root CA 4
TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
GDCA TrustAUTH R5 ROOT
TrustCor RootCert CA-1
TrustCor RootCert CA-2
TrustCor ECA-1
SSL.com Root Certification Authority RSA
SSL.com Root Certification Authority ECC
SSL.com EV Root Certification Authority RSA R2
SSL.com EV Root Certification Authority ECC
GlobalSign Root CA - R6
OISTE WISeKey Global Root GC CA
UCA Global G2 Root
UCA Extended Validation Root
Certigna Root CA
emSign Root CA - G1
emSign ECC Root CA - G3
emSign Root CA - C1
emSign ECC Root CA - C3
Hongkong Post Root CA 3
Entrust Root Certification Authority - G4
Microsoft ECC Root Certificate Authority 2017
Microsoft RSA Root Certificate Authority 2017
e-Szigno Root CA 2017
certSIGN Root CA G2
Trustwave Global Certification Authority
Trustwave Global ECC P256 Certification Authority
Trustwave Global ECC P384 Certification Authority
NAVER Global Root Certification Authority
AC RAIZ FNMT-RCM SERVIDORES SEGUROS
GlobalSign Root R46
GlobalSign Root E46
GLOBALTRUST 2020
ANF Secure Server Root CA
Certum EC-384 CA
Certum Trusted Root CA
TunTrust Root CA
HARICA TLS RSA Root CA 2021
HARICA TLS ECC Root CA 2021
Autoridad de Certificacion Firmaprofesional CIF A62634068
vTrus ECC Root CA
vTrus Root CA
ISRG Root X2
HiPKI Root CA - G1
GlobalSign ECC Root CA - R4
GTS Root R1
GTS Root R2
GTS Root R3
GTS Root R4
Telia Root CA v2
D-TRUST BR Root CA 1 2020
D-TRUST EV Root CA 1 2020
DigiCert TLS ECC P384 Root G5
DigiCert TLS RSA4096 Root G5
Certainly Root R1
Certainly Root E1
E-Tugra Global Root CA RSA v3
E-Tugra Global Root CA ECC v3
Security Communication RootCA3
Security Communication ECC RootCA1

@andrewrk andrewrk modified the milestones: 0.11.0, 0.12.0 Feb 2, 2023
@iacore
Contributor

iacore commented Mar 12, 2023

Does it even matter? If the hash is correct, we don't care about the identity of the domain in valid.

TLS certificates also need to be checked for updates regularly, due to potential CA security breaches.
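The two comments above describe the cacert.pem layout and the need to keep a shipped bundle current. The following is an added example, not part of the thread or of Zig's code base: a vendoring check that verifies a bundle against a pinned SHA-256 of the file, reads the extraction date from the header, lists labels the way the awk one-liner does, and diffs two bundles. Function names, the sample bundles and the 180-day threshold are assumptions.

```python
import hashlib
import re
from datetime import datetime, timezone

HEADER = "##\n## Certificate data from Mozilla as of: {} GMT\n##\n\n"

def _entry(label, body):
    # Constructed entry in the cacert.pem layout: label, "=" rule, PEM block.
    return (f"{label}\n{'=' * len(label)}\n-----BEGIN CERTIFICATE-----\n"
            f"{body}\n-----END CERTIFICATE-----\n\n")

# Constructed samples; the base64 bodies are placeholders, not real certificates.
SAMPLE_OLD = (HEADER.format("Tue Oct 11 03:12:05 2022")
              + _entry("Example Root CA A", "QUFBQQ==")
              + _entry("Example Root CA B", "QkJCQg=="))
SAMPLE_NEW = (HEADER.format("Tue Jan 10 04:12:06 2023")
              + _entry("Example Root CA A", "QUFBQQ==")
              + _entry("Example Root CA C", "Q0NDQw=="))

def parse_bundle(text):
    """Return (extraction date or None, labels, PEM block count)."""
    m = re.search(r"^## Certificate data from Mozilla as of: (.+) GMT$", text, re.M)
    date = (datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            .replace(tzinfo=timezone.utc)) if m else None
    labels, prev = [], ""
    for line in text.splitlines():
        # The label is the line before the "=" rule, as in the awk one-liner.
        if line.startswith("===") and prev.strip():
            labels.append(prev.strip())
        prev = line
    return date, labels, text.count("-----BEGIN CERTIFICATE-----")

def check_bundle(data, pinned_sha256, now, max_age_days=180):
    """Return a list of problems; an empty list means the bundle passes."""
    problems = []
    if hashlib.sha256(data).hexdigest() != pinned_sha256:
        problems.append("sha256 mismatch")
    date, labels, pems = parse_bundle(data.decode("utf-8"))
    if date is None:
        problems.append("no extraction date")
    elif (now - date).days > max_age_days:  # 180 days is an assumed policy
        problems.append("stale")
    if pems == 0 or pems != len(labels):
        problems.append("label/PEM count mismatch")
    return problems

def diff_roots(old_text, new_text):
    """Return (added, removed) labels. Labels can repeat, so this is a review aid only."""
    old, new = set(parse_bundle(old_text)[1]), set(parse_bundle(new_text)[1])
    return sorted(new - old), sorted(old - new)
```

The CA list earlier on this page contains one label twice, so an enforcement-grade diff should key on certificate fingerprints rather than labels.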

@mateusz834
Contributor

> Normally, it is best for applications to rely on their system for providing root SSL certificates. However, Zig is a bit of a special case because it aims to be "Dependency Zero" - a self-contained binary that one can use to build & install other things.

Wouldn't it be better to try to use the system root CAs, but when they are unavailable fall back to the embedded roots?

@notcancername
Contributor

> Wouldn't it be better to try to use the system root CAs, but when they are unavailable fall back to the embedded roots?

In my opinion, this should be a compile-time option, to avoid bloating the binary in cases where it would be harmful.
