ziglang / zig

General-purpose programming language and toolchain for maintaining robust, optimal, and reusable software.
https://ziglang.org
MIT License

ship root SSL certificates along with ziglang.org-vendored tarballs #14168

Open andrewrk opened 1 year ago

andrewrk commented 1 year ago

Normally, it is best for applications to rely on their system for providing root SSL certificates. However, Zig is a bit of a special case because it aims to be "Dependency Zero" - a self-contained binary that one can use to build & install other things.

In order to do this consistently across the many different platforms that Zig aims to target, dependencies must be eliminated. There are environments where we want the zig package manager to work, for example, that will not necessarily have any root certificates installed.

Other notable applications that ship their own certificates:

These certificates would be file(s) inside of a sub-directory in lib. Any std lib code that needs a std.Certificate.Bundle would use @embedFile to obtain this set, and then at runtime augment it with the ones found locally on the OS, if any.

Open questions:

Ristovski commented 1 year ago

> where to get the set of root certificates for distribution?

Curl seems to host a CA bundle (~221K) extracted from Mozilla: https://curl.se/docs/caextract.html

Direct link: https://curl.se/ca/cacert.pem

```
##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Tue Oct 11 03:12:05 2022 GMT
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## file (certdata.txt).  This file can be found in the mozilla source tree:
## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
##
## It contains the certificates in PEM format and therefore
## can be directly used with curl / libcurl / php_curl, or with
## an Apache+mod_ssl webserver for SSL client authentication.
## Just configure this file as the SSLCACertificateFile.
##
## Conversion done with mk-ca-bundle.pl version 1.29.
## SHA256: 3ff8bd209b5f2e739b9f2b96eacb694a774114685b02978257824f37ff528f71
##
```

The upstream sources for this are over at Mozilla's VCS: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt

Tool in question is here: https://curl.se/docs/mk-ca-bundle.html

CA list:

```
$ awk '/===/ {print line} {line = $0}' /tmp/cacert.pem
GlobalSign Root CA
Entrust.net Premium 2048 Secure Server CA
Baltimore CyberTrust Root
Entrust Root Certification Authority
Comodo AAA Services root
QuoVadis Root CA 2
QuoVadis Root CA 3
Security Communication Root CA
XRamp Global CA Root
Go Daddy Class 2 CA
Starfield Class 2 CA
DigiCert Assured ID Root CA
DigiCert Global Root CA
DigiCert High Assurance EV Root CA
SwissSign Gold CA - G2
SwissSign Silver CA - G2
SecureTrust CA
Secure Global CA
COMODO Certification Authority
Network Solutions Certificate Authority
COMODO ECC Certification Authority
Certigna
ePKI Root Certification Authority
certSIGN ROOT CA
NetLock Arany (Class Gold) Főtanúsítvány
Hongkong Post Root CA 1
SecureSign RootCA11
Microsec e-Szigno Root CA 2009
GlobalSign Root CA - R3
Autoridad de Certificacion Firmaprofesional CIF A62634068
Izenpe.com
Go Daddy Root Certificate Authority - G2
Starfield Root Certificate Authority - G2
Starfield Services Root Certificate Authority - G2
AffirmTrust Commercial
AffirmTrust Networking
AffirmTrust Premium
AffirmTrust Premium ECC
Certum Trusted Network CA
TWCA Root Certification Authority
Security Communication RootCA2
Actalis Authentication Root CA
Buypass Class 2 Root CA
Buypass Class 3 Root CA
T-TeleSec GlobalRoot Class 3
D-TRUST Root Class 3 CA 2 2009
D-TRUST Root Class 3 CA 2 EV 2009
CA Disig Root R2
ACCVRAIZ1
TWCA Global Root CA
TeliaSonera Root CA v1
E-Tugra Certification Authority
T-TeleSec GlobalRoot Class 2
Atos TrustedRoot 2011
QuoVadis Root CA 1 G3
QuoVadis Root CA 2 G3
QuoVadis Root CA 3 G3
DigiCert Assured ID Root G2
DigiCert Assured ID Root G3
DigiCert Global Root G2
DigiCert Global Root G3
DigiCert Trusted Root G4
COMODO RSA Certification Authority
USERTrust RSA Certification Authority
USERTrust ECC Certification Authority
GlobalSign ECC Root CA - R5
Staat der Nederlanden EV Root CA
IdenTrust Commercial Root CA 1
IdenTrust Public Sector Root CA 1
Entrust Root Certification Authority - G2
Entrust Root Certification Authority - EC1
CFCA EV ROOT
OISTE WISeKey Global Root GB CA
SZAFIR ROOT CA2
Certum Trusted Network CA 2
Hellenic Academic and Research Institutions RootCA 2015
Hellenic Academic and Research Institutions ECC RootCA 2015
ISRG Root X1
AC RAIZ FNMT-RCM
Amazon Root CA 1
Amazon Root CA 2
Amazon Root CA 3
Amazon Root CA 4
TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
GDCA TrustAUTH R5 ROOT
TrustCor RootCert CA-1
TrustCor RootCert CA-2
TrustCor ECA-1
SSL.com Root Certification Authority RSA
SSL.com Root Certification Authority ECC
SSL.com EV Root Certification Authority RSA R2
SSL.com EV Root Certification Authority ECC
GlobalSign Root CA - R6
OISTE WISeKey Global Root GC CA
UCA Global G2 Root
UCA Extended Validation Root
Certigna Root CA
emSign Root CA - G1
emSign ECC Root CA - G3
emSign Root CA - C1
emSign ECC Root CA - C3
Hongkong Post Root CA 3
Entrust Root Certification Authority - G4
Microsoft ECC Root Certificate Authority 2017
Microsoft RSA Root Certificate Authority 2017
e-Szigno Root CA 2017
certSIGN Root CA G2
Trustwave Global Certification Authority
Trustwave Global ECC P256 Certification Authority
Trustwave Global ECC P384 Certification Authority
NAVER Global Root Certification Authority
AC RAIZ FNMT-RCM SERVIDORES SEGUROS
GlobalSign Root R46
GlobalSign Root E46
GLOBALTRUST 2020
ANF Secure Server Root CA
Certum EC-384 CA
Certum Trusted Root CA
TunTrust Root CA
HARICA TLS RSA Root CA 2021
HARICA TLS ECC Root CA 2021
Autoridad de Certificacion Firmaprofesional CIF A62634068
vTrus ECC Root CA
vTrus Root CA
ISRG Root X2
HiPKI Root CA - G1
GlobalSign ECC Root CA - R4
GTS Root R1
GTS Root R2
GTS Root R3
GTS Root R4
Telia Root CA v2
D-TRUST BR Root CA 1 2020
D-TRUST EV Root CA 1 2020
DigiCert TLS ECC P384 Root G5
DigiCert TLS RSA4096 Root G5
Certainly Root R1
Certainly Root E1
E-Tugra Global Root CA RSA v3
E-Tugra Global Root CA ECC v3
Security Communication RootCA3
Security Communication ECC RootCA1
```

iacore commented 1 year ago

Does it even matter? If the hash is correct, we don't care about the identity of the domain in valid.

TLS certificates also need to be checked for updates regularly, due to potential CA security breaches.
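An added example, not code from this thread or from the Zig project: a pre-vendoring audit for a bundle in the cacert.pem layout quoted above. It reads the "as of" header to flag a stale snapshot and checks that labels are unique, since the listing above contains "Autoridad de Certificacion Firmaprofesional CIF A62634068" twice. The name `audit_bundle`, the 180-day threshold and the sample data are assumptions.

```python
import base64
import binascii
import re
from collections import Counter
from datetime import datetime, timezone

ENTRY = re.compile(r"^(?P<label>[^\n]+)\n=+\n-----BEGIN CERTIFICATE-----\n"
                   r"(?P<b64>[A-Za-z0-9+/=\n]+?)-----END CERTIFICATE-----", re.M)
AS_OF = re.compile(r"^## Certificate data from Mozilla as of: \w+ (.+) GMT$", re.M)

def audit_bundle(text, now, max_age_days=180):
    """Summarise a cacert.pem-style bundle before it is vendored or embedded."""
    m = AS_OF.search(text)
    if m is None:
        raise ValueError("no 'Certificate data from Mozilla as of' header")
    as_of = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    labels, malformed = [], []
    for e in ENTRY.finditer(text):
        labels.append(e["label"])
        try:
            der = base64.b64decode("".join(e["b64"].split()), validate=True)
        except binascii.Error:
            der = b""
        if not der.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
            malformed.append(e["label"])
    age = (now - as_of).days
    return {
        "as_of": as_of, "age_days": age, "stale": age > max_age_days,
        "labelled": len(labels),  # entries with a label line and "=" underline
        "pem_blocks": text.count("-----BEGIN CERTIFICATE-----"),
        "duplicate_labels": sorted(n for n, c in Counter(labels).items() if c > 1),
        "malformed": malformed,
    }

def _pem(raw):  # helper for the constructed sample only
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(raw).decode()
            + "\n-----END CERTIFICATE-----\n\n")

# Constructed sample: real header layout, placeholder bytes instead of certificates.
SAMPLE = ("##\n## Bundle of CA Root Certificates\n##\n"
          "## Certificate data from Mozilla as of: Tue Oct 11 03:12:05 2022 GMT\n##\n\n"
          + "Example Root A\n==============\n" + _pem(b"\x30\x82\x01\x00" + b"A" * 32)
          + "Example Root B\n==============\n" + _pem(b"not DER at all")
          + "Example Root A\n==============\n" + _pem(b"\x30\x82\x01\x00" + b"C" * 32))

if __name__ == "__main__":
    print(audit_bundle(SAMPLE, datetime.now(timezone.utc)))
```

A mismatch between `labelled` and `pem_blocks` means some certificate in the file has no label line, so a name-based review of the bundle would miss it.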

mateusz834 commented 1 year ago

> Normally, it is best for applications to rely on their system for providing root SSL certificates. However, Zig is a bit of a special case because it aims to be "Dependency Zero" - a self-contained binary that one can use to build & install other things.

Wouldn't it be better to try to use the system root CAs, but when they are unavailable fall back to the embedded roots?

notcancername commented 4 months ago

> Wouldn't it be better to try to use the system root CAs, but when they are unavailable fall back to the embedded roots?

In my opinion, this should be a compile-time option, to avoid bloating the binary in cases where it would be harmful.