Date: Mon, 15 Aug 2022 10:17:02 +0200
From: Tĳl Coosemans
To: Tatsuki Makino
Cc: Andrea Venturoli, novel@FreeBSD.org, freebsd-ports@freebsd.org
Subject: Re: Again on security/gnutls certificate store
Message-ID: <20220815101702.7e2a97fa@FreeBSD.org>
References: <02cb8bc2-8d91-8d58-e764-baab240680bf@netfence.it> <20220813115126.2deda35d@FreeBSD.org>
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

On Mon, 15 Aug 2022 08:18:36 +0900 Tatsuki Makino wrote:
> Tĳl Coosemans wrote on 2022/08/13 18:51:
>> Try this patch for p11-kit. If it works you can file a bug against
>> p11-kit, because I believe ports are supposed to move away from
>> ca_root_nss.
>> 
>> --- a/security/p11-kit/Makefile
>> +++ b/security/p11-kit/Makefile
>> @@ -25,7 +25,7 @@ MESON_ARGS=	-Dbash_completion=enabled \
>> 		-Dlibffi=enabled \
>> 		-Dnls=false \
>> 		-Dtrust_module=enabled \
>> -		-Dtrust_paths=${LOCALBASE}/share/certs/ca-root-nss.crt
>> +		-Dtrust_paths=/etc/ssl/certs
>> 
>> OPTIONS_DEFINE=	DOCS MANPAGES TEST
>> OPTIONS_SUB=	yes
> 
> When ./configure
> --with-trust-paths=/usr/local/share/certs/ca-root-nss.crt:/etc/ssl/certs
> is used, TRUST_PATHS is defined as
> "/usr/local/share/certs/ca-root-nss.crt:/etc/ssl/certs" in
> ${WRKSRC}/config.h.
> When meson, TRUST_PATHS is defined in ${WRKSRC}/_build/config.h as
> defined by
> MESON_ARGS=-Dtrust_paths=${LOCALBASE}/share/certs/ca-root-nss.crt:/etc/ssl/certs.
> 
> Since these would be the same value, why not just specify multiple
> paths in meson, separated by a colon?

It would be duplication because /etc/ssl/certs contains the same NSS
certificates.

> Also, is there something wrong with omitting ca-root-nss.crt filename,
> since the directories seem to be handled properly?

It turns out directories and files are treated differently. Files are
automatically marked as trusted. With directories the certificates have
to be in a subdirectory named "anchors" to be marked trusted. See
https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-module.html
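Review bot: the `+` line of the quoted hunk points `-Dtrust_paths` at the directory /etc/ssl/certs, but p11-kit treats directories differently from files: a file path is loaded with its certificates marked trusted, while in a directory only certificates under an `anchors` subdirectory are marked trusted (as stated at the end of this message, with the trust-module manual as reference). Unless the certificates in /etc/ssl/certs are laid out under an anchors/ subdirectory, replacing `${LOCALBASE}/share/certs/ca-root-nss.crt` with `/etc/ssl/certs` removes the trust anchors instead of relocating them; either keep a file path or point at a directory that has the anchors/ layout, and say which in the commit message.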
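The file-versus-directory rule described at the end of the message can be checked mechanically. The shell function below is an added example, not code from this thread or from p11-kit: it splits a TRUST_PATHS value on colons and reports, for each entry, whether the trust module would load it as a file (certificates trusted) or as a directory (only anchors/ trusted). The directory layout it inspects is constructed in a temporary directory for the demonstration.

```shell
# Added example (not from the thread or p11-kit). Classifies each entry of
# a p11-kit TRUST_PATHS value the way the trust module does: a file is
# loaded and its certificates marked trusted; in a directory only files
# under an "anchors" subdirectory count. Returns 0 only if every entry
# yields trusted anchors.
check_trust_paths() {
    _save_ifs=$IFS
    IFS=:
    set -- $1            # split "a:b:c" into positional parameters
    IFS=$_save_ifs
    _rc=0
    for _p in "$@"; do
        if [ -f "$_p" ]; then
            printf 'FILE %s: loaded, certificates marked trusted\n' "$_p"
        elif [ -d "$_p" ]; then
            # only regular files directly under anchors/ become anchors
            _n=$(find "$_p/anchors" -maxdepth 1 -type f 2>/dev/null | wc -l | tr -d ' ')
            if [ "$_n" -gt 0 ]; then
                printf 'DIR  %s: %s file(s) under anchors/ marked trusted\n' "$_p" "$_n"
            else
                printf 'DIR  %s: no anchors/ subdirectory, nothing marked trusted\n' "$_p"
                _rc=1
            fi
        else
            printf 'MISSING %s\n' "$_p"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample layout in a temporary directory (not a real system):
# a bundle file, a directory with anchors/, and a bare directory like the
# one the quoted patch points at. Prints the root so callers can clean up.
demo_layout() {
    _root=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' \
        '-----END CERTIFICATE-----' > "$_root/bundle.crt"
    mkdir -p "$_root/with-anchors/anchors" "$_root/bare"
    cp "$_root/bundle.crt" "$_root/with-anchors/anchors/example-ca.pem"
    cp "$_root/bundle.crt" "$_root/bare/example-ca.pem"
    printf '%s' "$_root"
}

# Usage: build the sample layout and check a colon-separated path list.
root=$(demo_layout)
if check_trust_paths "$root/bundle.crt:$root/with-anchors:$root/bare"; then echo 'every entry yields anchors'; else echo 'some entry yields no anchors'; fi
rm -rf "$root"
```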