Google Summer of Code/2019/Ideas/X509 Trust Store

From Gentoo Wiki

X509 Trust Store

Currently, there is no centralized X.509 trust store in Gentoo that allows easy control of the various cryptographic frameworks:

  • OpenSSL
  • NSS
  • Java
  • Probably Python and Go

Fedora has a mechanism in which `/etc/pki/anchors` is the source of truth and `update-ca-certificates` scripts generate the various framework-specific structures; for example, each JVM's JAVA_HOME/lib/security/cacerts is a symlink to a file under /etc that is generated by the script.

We should have a similar mechanism in Gentoo, as these certificates are system-wide configuration and not part of a specific package. However, it should be smarter, so that packages can extend support by installing a drop-in scriptlet.
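The following is an added sketch of the proposed mechanism as a POSIX shell script; it is not existing Gentoo or Fedora code. Anchors kept in one directory are concatenated into an OpenSSL-style bundle, and every package-installed drop-in scriptlet is then run with the bundle path so it can regenerate its own framework-specific store (a Java hook would call keytool, an NSS hook certutil). The directory names and the hook contract (one executable per hook, bundle path as the first argument) are assumptions.

```shell
#!/bin/sh
# Hypothetical update-ca-trust sketch (assumed layout, not a real Gentoo tool):
#   $ANCHORS/*.pem      one PEM certificate per file, the single source of truth
#   $HOOKS/*.sh         drop-in scriptlets installed by packages (java, nss, ...)
#   $OUT/ca-bundle.crt  generated bundle handed to every hook
set -eu
ANCHORS="${ANCHORS:-/etc/ssl/anchors}"
HOOKS="${HOOKS:-/etc/ca-certificates/hooks.d}"
OUT="${OUT:-/etc/ssl/certs}"

# Concatenate the anchors into one bundle, skipping anything that is not a PEM
# certificate so a stray private key or README never lands in the trust store.
# Prints the number of anchors accepted.
build_bundle() {
    bundle="$OUT/ca-bundle.crt"
    mkdir -p "$OUT"
    : > "$bundle.tmp"
    count=0
    for f in "$ANCHORS"/*.pem; do
        [ -f "$f" ] || continue
        if grep -q '^-----BEGIN CERTIFICATE-----$' "$f" && ! grep -q 'PRIVATE KEY' "$f"; then
            cat "$f" >> "$bundle.tmp"
            count=$((count + 1))
        else
            echo "skipping $f: not a PEM certificate" >&2
        fi
    done
    # Atomic replace so a consumer never reads a half-written bundle.
    mv "$bundle.tmp" "$bundle"
    chmod 0644 "$bundle"
    echo "$count"
}

# Run each drop-in scriptlet in sorted order with the bundle as argument $1.
# A failing hook is reported but does not stop the other frameworks updating.
run_hooks() {
    bundle="$OUT/ca-bundle.crt"
    [ -d "$HOOKS" ] || return 0
    for hook in "$HOOKS"/*.sh; do
        [ -x "$hook" ] || continue
        "$hook" "$bundle" || echo "hook $hook failed" >&2
    done
}

update_ca_trust() {
    build_bundle >/dev/null
    run_hooks
}

if [ "${1:-}" = run ]; then update_ca_trust; fi
```

Invoked as `update-ca-trust run` after an anchor is added or removed, it rebuilds the bundle and lets each installed hook refresh its framework's store.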

Contacts

Required Skills
  • X.509
  • OpenSSL
  • NSS
  • GnuTLS
  • Java Keytool(crypto)
  • Go (crypto)
  • Python (crypto)
  • Python, Shell programming
  • eselect tool