Make WordPress Core

Opened 5 weeks ago

Closed 3 weeks ago

Last modified 3 weeks ago

#62812 closed enhancement (fixed)

Make it easier to update bundled certificates

Reported by: desrosj Owned by: desrosj
Milestone: 6.8 Priority: normal
Severity: normal Version:
Component: Security Keywords: has-patch needs-testing
Focuses: Cc:

Description (last modified by SergeyBiryukov)

The ca-bundle.crt file is a combination of the upstream Mozilla certificate bundle and some legacy 1024-bit certificates that remain for backwards compatibility (see [35919]).

#50828 was opened to update the certificate bundle for the 5.5 release, and discussion overflowed into how to make this process easier. This ticket is to continue the second part of the discussion.

Change History (11)

#1 @SergeyBiryukov
5 weeks ago

  • Description modified (diff)

Referencing comment:ticket:50828:7 and comment:ticket:50828:8 as a potential implementation here.

#2 This ticket was mentioned in PR #8137 on WordPress/wordpress-develop by @desrosj.
5 weeks ago

  • Keywords has-patch added

Adds exact copies of Mozilla certificates, splits out the legacy 1024-bit certificates included for backwards compatibility, and introduces a Grunt task that combines the two for shipping.

Trac ticket: https://core.trac.wordpress.org/ticket/62812

#3 @desrosj
5 weeks ago

I've created a PR that takes the same approach as detailed by @ayeshrajans on #50828 and adds a Grunt task for combining the files into the current file.

Still to do:

  • Confirm that the order of the certificates is not important (the legacy ones previously were included near the top).
  • Add a way to pull in updates to the files automatically.

#4 @desrosj
5 weeks ago

  • Keywords needs-testing added

Updated the PR. It now pulls the latest certificate files when running npm run grunt update-certificates.

#5 @johnbillion commented on PR #8137:
3 weeks ago

Ooh we could add https://github.com/composer/ca-bundle as a dev dependency, extract the cert bundle from that, and keep it updated via Dependabot. No need to roll our own solution.

#6 @desrosj commented on PR #8137:
3 weeks ago

Thanks @johnbillion, hadn't thought of checking Composer. Updated the PR to utilize that package as a dependency.

#7 @johnbillion commented on PR #8137:
3 weeks ago

I think composer/ca-bundle will need to be pinned to protect us against a theoretical future problem. My understanding is that the build server on dotorg doesn't use Composer, but if a change was made so that it _does_ then there's a chance that a newer version of composer/ca-bundle would get pulled in and deployed during the build.

  1. Latest version of `composer/ca-bundle` is currently 1.5.6
  2. Build server runs composer install and pulls in a theoretical version 1.5.6
  3. Build server runs npm run build which calls grunt build which calls grunt build:certificates which calls grunt concat:certificates which concatenates version 1.5.6 of vendor/composer/ca-bundle/res/cacert.pem into wp-includes/certificates/cacert.pem
  4. Build server deploys WordPress with version 1.5.6 of the cert despite 1.5.5 being present in the source

Does that make sense?

#8 @desrosj commented on PR #8137:
3 weeks ago

It does. I have set up the script to only copy the cert files from vendor when running grunt update-certificates, though.

If I have done it correctly, then when build is run it should not have any impact if the version of the Composer package is changed somehow. It should only use the versioned revision of the file in the src/wp-includes/certificates folder.

This was mainly to ensure someone could still run npm build without also having to run composer (install|update). But this should also cover the scenario you are describing, if I understand correctly.

#9 @johnbillion commented on PR #8137:
3 weeks ago

Ah yes you are correct. copy:certificates is what copies the cert from the vendor directory, and that doesn't get run during the build. All good.

#10 @desrosj
3 weeks ago

  • Owner set to desrosj
  • Resolution set to fixed
  • Status changed from new to closed

In 59740:

Security: Introduce Grunt task for updating Root Certificates.

The Root Certificate bundle maintained by Mozilla ships in WordPress to allow SSL certificates to be verified on hosts with incomplete, outdated, or invalid local SSL configurations. To date, updates have only been merged into Core when problems arise using a highly manual process.

This introduces the certificates:upgrade Grunt task to automate the process of updating the included bundle with upstream changes using Composer to manage versioning.

The legacy 1024-bit certificates included for backwards compatibility are now maintained in a separate file that is prepended to the built version of the bundle during the relevant Grunt tasks. Some expired certificates from this list have been removed:

  • Cybertrust Global Root (expired 2021-12-15)
  • Thawte Server CA (expired 2020-12-31)
  • Thawte Premium Server CA (expired 2020-12-31)

The Dependabot configuration has also been updated to open pull requests when new releases occur upstream. Going forward, the recommendation is to create a task ticket for updating these certificates with each release when an update is published. See #62811 for an example of this.

Props johnbillion, desrosj, whyisjake, ayeshrajans, SergeyBiryukov, swissspidy, skithund, barry.
Fixes #62812. See #62811, 50828.
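The merge-and-prune step described in the commit message above (legacy file prepended to the upstream bundle, expired roots removed) and in comment #3 (the legacy entries now go at the front) as an added worked example. This is editor's code, not the Grunt task or anything from the WordPress repository. It is in Go rather than JavaScript because Go's standard library can mint throwaway self-signed roots offline, so it runs without the real bundle or network access: the certificate names, dates and key sizes are constructed test data, and the function names (parseBundle, rsaBits, BuildBundle, mintRoot) are this example's own. It goes one step beyond the ticket by also dropping DER-identical duplicates, which matters once two files are concatenated, and it keeps file order so the legacy entries stay first.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parseBundle walks a concatenated PEM file in file order. Text between blocks
// (the Mozilla export puts a comment line above each cert) is ignored by
// pem.Decode; non-certificate or undecodable blocks are skipped here.
func parseBundle(bundle []byte) []*x509.Certificate {
	var out []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
			out = append(out, cert)
		}
	}
	return out
}

// rsaBits reports the RSA modulus size (how 1024-bit legacy roots are recognised); 0 for non-RSA keys.
func rsaBits(c *x509.Certificate) int {
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok {
		return pub.N.BitLen()
	}
	return 0
}

// BuildBundle is the shipping step the ticket describes: the legacy file first,
// then the upstream bundle, dropping anything expired at `now` and any
// DER-identical duplicate. The list of what was dropped is what a release task
// ticket would record.
func BuildBundle(legacy, upstream []byte, now time.Time) ([]byte, []string) {
	var merged bytes.Buffer
	var dropped []string
	seen := map[[32]byte]bool{} // SHA-256 of the DER
	for _, c := range append(parseBundle(legacy), parseBundle(upstream)...) {
		name, fp := c.Subject.CommonName, sha256.Sum256(c.Raw)
		switch {
		case now.After(c.NotAfter):
			dropped = append(dropped, fmt.Sprintf("%s (expired %s)", name, c.NotAfter.Format("2006-01-02")))
		case seen[fp]:
			dropped = append(dropped, name+" (duplicate)")
		default:
			seen[fp] = true
			merged.Write(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
		}
	}
	return merged.Bytes(), dropped
}

// mintRoot makes a throwaway self-signed root so the example runs offline.
// Constructed test data: nothing here comes from the real Mozilla bundle.
func mintRoot(name string, bits int, notAfter time.Time) []byte {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notAfter.AddDate(-20, 0, 0),
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Date(2025, 1, 20, 0, 0, 0, 0, time.UTC)
	legacy := mintRoot("Legacy 1024-bit Root", 1024, now.AddDate(5, 0, 0))
	expired := mintRoot("Expired Legacy Root", 1024, time.Date(2020, 12, 31, 0, 0, 0, 0, time.UTC))
	upstream := mintRoot("Modern 2048-bit Root", 2048, now.AddDate(10, 0, 0))
	out, dropped := BuildBundle(bytes.Join([][]byte{expired, legacy}, nil), upstream, now)
	for _, c := range parseBundle(out) {
		fmt.Printf("%-22s rsa=%-4d notAfter=%s\n", c.Subject.CommonName, rsaBits(c), c.NotAfter.Format("2006-01-02"))
	}
	fmt.Println("dropped:", dropped)
}
```

Running it prints the surviving roots with key size and expiry, then the dropped list: the unexpired 1024-bit root is kept while the expired one is removed, which is the same distinction the commit message draws between the legacy roots it keeps and the three it deletes. Because BuildBundle takes the two files' bytes as arguments rather than reading vendor/ itself, the build side stays independent of whichever composer/ca-bundle version happens to be installed, the separation comments #7 to #9 settle on.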

#11 @desrosj
3 weeks ago

  • Component changed from Build/Test Tools to Security