novitski / bitcoinj

Automatically exported from code.google.com/p/bitcoinj
Apache License 2.0

Download and convert the Mozilla root store as part of the build #526

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Oracle's management of the Java root CA set is questionable. It'd be better to 
use Mozilla's set, as their policies are way more transparent and they have 
more roots also. To do this means:

1) Download the root store file from the Mozilla source tree, probably using 
wget pointed at LXR or equivalent.

2) Use the mk-ca-bundle.pl script from the curl source tree to convert the 
Mozilla format to a PEM file (concatenated base64).

3) Convert the PEM to the JKS format.

We could use a script either invoked from the build, or simpler, just check in 
the output and anyone who wants to audit can run the script and check they get 
the same file.

Original issue reported on code.google.com by mh.in.en...@gmail.com on 25 Feb 2014 at 11:15

GoogleCodeExporter commented 9 years ago
I would prefer to split the process into the non-deterministic (download) and 
the deterministic (bundling) parts. Mozilla's set will be checked into our 
repository as-is, and the bundling happens as part of the build process.

That way, auditing (comparing with Mozilla) would be easier: Run the download 
manually, then do a "git diff".

Original comment by andreas....@gmail.com on 25 Feb 2014 at 11:34

GoogleCodeExporter commented 9 years ago
Good idea. We should do it that way.

Original comment by mh.in.en...@gmail.com on 25 Feb 2014 at 11:41
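A build script for the workflow the first two comments converge on, added here as an example and not bitcoinj's own build code: certdata.txt is checked in as-is, curl's mk-ca-bundle.pl turns it into a PEM bundle, and the bundle is imported into a JKS with one alias per root. It assumes mk-ca-bundle.pl and the JDK's keytool are on PATH; the file names and the mozilla-root-NNNN alias scheme are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example, not bitcoinj code: the deterministic bundling half of the thread.
# Assumes certdata.txt is checked in and mk-ca-bundle.pl and keytool are on PATH.
set -eu
BUNDLE="${BUNDLE:-ca-bundle.crt}"       # PEM written by mk-ca-bundle.pl
STORE="${STORE:-mozilla-roots.jks}"     # JKS trust store for the Java side
STOREPASS="${STOREPASS:-changeit}"      # JKS requires a password even for public roots
# Step 2: certdata.txt -> PEM bundle. -n makes mk-ca-bundle.pl use the existing
# certdata.txt in the working directory instead of downloading a fresh copy.
pem_from_certdata() {
    mk-ca-bundle.pl -n "$BUNDLE"
}

# Split a concatenated PEM bundle into cert-0001.pem, cert-0002.pem, ... under
# $2, in bundle order, and print the number of certificates found.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%04d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# Step 3: PEM bundle -> fresh JKS. Aliases follow bundle order, so the same
# certdata.txt yields the same alias set on every build.
jks_from_pem() {
    bundle="$1"; store="$2"; workdir="$(mktemp -d)"
    rm -f "$store"
    count="$(split_pem_bundle "$bundle" "$workdir")"
    i=1
    for f in "$workdir"/cert-*.pem; do
        keytool -importcert -noprompt -trustcacerts \
            -alias "mozilla-root-$(printf '%04d' "$i")" -file "$f" \
            -keystore "$store" -storepass "$STOREPASS" >/dev/null
        i=$((i + 1))
    done
    rm -rf "$workdir"
    echo "$count"
}

# Constructed fixture for exercising the splitter offline: two PEM blocks whose
# bodies are placeholder base64, not real certificates.
write_sample_bundle() {
    printf '# Root A\n-----BEGIN CERTIFICATE-----\nQUFB\n-----END CERTIFICATE-----\n' > "$1"
    printf '# Root B\n-----BEGIN CERTIFICATE-----\nQkJC\n-----END CERTIFICATE-----\n' >> "$1"
}
if [ "${1:-}" = "build" ]; then pem_from_certdata; jks_from_pem "$BUNDLE" "$STORE"; fi
```

JKS entries carry a creation date, so the keystore itself is not byte-for-byte reproducible; the audit proposed in the thread works at the checked-in certdata.txt level (git diff), with this bundling step treated as a pure function of that file.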