
tools: fix release URL computation in update-root-certs.mjs #56843

Open. Wants to merge 1 commit into main.

Conversation

joyeecheung (Member)

Previously this would compute the release tag to be something like FIREFOX_134_0.2_RELEASE which would not lead to a valid URL, failing to pull the latest NSS updates from the Firefox release. It should replace all the dots with underscores to compute something like FIREFOX_134_0_2_RELEASE instead.

Before when I ran it locally:

Fetching Firefox release data from https://nucleus.mozilla.org/rna/all-releases.json.
Fetching NSS tag from https://hg.mozilla.org/releases/mozilla-release/raw-file/FIREFOX_134_0.2_RELEASE/security/nss/TAG-INFO.
Failed to fetch https://hg.mozilla.org/releases/mozilla-release/raw-file/FIREFOX_134_0.2_RELEASE/security/nss/TAG-INFO: 404: Not Found

After:

Fetching Firefox release data from https://nucleus.mozilla.org/rna/all-releases.json.
Fetching NSS tag from https://hg.mozilla.org/releases/mozilla-release/raw-file/FIREFOX_134_0_2_RELEASE/security/nss/TAG-INFO.
Found tag NSS_3_107_RTM.
Updating to NSS version 3.107
Fetching https://raw.githubusercontent.com/nss-dev/nss/refs/tags/NSS_3_107_RTM/lib/ckfw/builtins/certdata.txt

# logs from actually parsing and computing the update

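As an added illustration of the bug described above (this is not code from tools/update-root-certs.mjs; function names are hypothetical, and the first-occurrence-only `replace` is an assumed cause consistent with the `FIREFOX_134_0.2_RELEASE` output), this computes the TAG-INFO URL from a Firefox version and parses the NSS tag the logs report into the version and certdata.txt URL:

```javascript
// Added example, not the project's own code. Base URLs are the ones the
// PR's before/after logs show.
const HG_BASE = 'https://hg.mozilla.org/releases/mozilla-release/raw-file';
const NSS_RAW_BASE = 'https://raw.githubusercontent.com/nss-dev/nss/refs/tags';

// Buggy form (assumed cause): String.prototype.replace with a string
// pattern replaces only the first occurrence, so '134.0.2' becomes
// 'FIREFOX_134_0.2_RELEASE', which hg.mozilla.org answers with a 404.
function releaseTagBuggy(version) {
  return `FIREFOX_${version.replace('.', '_')}_RELEASE`;
}

// Fixed form: every dot becomes an underscore, as the PR requires.
// Reject anything that is not a dotted numeric version before building a URL.
function releaseTag(version) {
  if (!/^\d+(\.\d+)*$/.test(version)) {
    throw new TypeError(`unexpected Firefox version: ${version}`);
  }
  return `FIREFOX_${version.replaceAll('.', '_')}_RELEASE`;
}

function tagInfoURL(version) {
  return `${HG_BASE}/${releaseTag(version)}/security/nss/TAG-INFO`;
}

// TAG-INFO carries a tag such as 'NSS_3_107_RTM'. Map it to the dotted
// version ('3.107') and to the certdata.txt URL the logs above fetch.
// NSS point releases (e.g. NSS_3_101_2_RTM) carry a third component.
function parseNSSTag(tagInfoBody) {
  const tag = tagInfoBody.trim();
  const m = /^NSS_(\d+)_(\d+)(?:_(\d+))?_RTM$/.exec(tag);
  if (m === null) throw new Error(`unexpected NSS tag: ${tag}`);
  const version = [m[1], m[2], m[3]].filter(Boolean).join('.');
  const certdataURL = `${NSS_RAW_BASE}/${tag}/lib/ckfw/builtins/certdata.txt`;
  return { tag, version, certdataURL };
}

// Stand-alone demo with the values from the PR's logs (constructed input).
console.log(releaseTagBuggy('134.0.2')); // FIREFOX_134_0.2_RELEASE (broken)
console.log(tagInfoURL('134.0.2'));      // .../FIREFOX_134_0_2_RELEASE/security/nss/TAG-INFO
console.log(parseNSSTag('NSS_3_107_RTM\n').version); // 3.107
```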
@nodejs-github-bot (Collaborator)

Review requested:

  • @nodejs/security-wg

nodejs-github-bot added the "tools" label (Issues and PRs related to the tools directory) on Jan 31, 2025.
@richardlau (Member)

FWIW the failing GHA workflow is #56063 (comment).

@joyeecheung (Member, Author)

By the way, I wonder what we think about migrating away from tools/mk-ca-bundle.pl. I am thinking about updating it to output the certificate data in octal literals in #56832 to skip the unnecessary serdes cost, but then if we are changing it substantially, we might as well just rewrite it in JavaScript instead of invoking a Perl script from JavaScript (and the Perl script already has some modifications from our side, like omitting TrustCor CAs).

@richardlau (Member)

> By the way, I wonder what we think about migrating away from tools/mk-ca-bundle.pl. I am thinking about updating it to output the certificate data in octal literals in #56832 to skip the unnecessary serdes cost, but then if we are changing it substantially, we might as well just rewrite it in JavaScript instead of invoking a Perl script from JavaScript (and the Perl script already has some modifications from our side, like omitting TrustCor CAs).

I think if we're not planning to resync to upstream curl's version of the tool at any point in the future (I think it was tried once and abandoned) then rewriting in something other than Perl would be a plus.

@richardlau (Member)

Maybe this discussion should be an issue to itself. FWIW https://blog.mozilla.org/security/2021/05/10/beware-of-applications-misusing-root-stores/ recommends https://www.ccadb.org/resources rather than parsing certdata.txt.

@joyeecheung (Member, Author)

joyeecheung commented Feb 7, 2025

There is an old issue about the storing-as-DER idea, #45768; I added a comment there to reference the conversations here.

@bnoordhuis (Member)

The actual download is https://ccadb.my.salesforce-sites.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites which is a domain name that doesn't exactly instill a warm fuzzy sense of security.
