mk-ca-bundle.pl does not handle CKA_NSS_SERVER_DISTRUST_AFTER properly #15547

Closed
AGWA opened this issue Nov 11, 2024 · 0 comments

AGWA commented Nov 11, 2024

I did this

No response

I expected the following

When parsing certdata.txt, mk-ca-bundle.pl excludes roots whose CKA_NSS_SERVER_DISTRUST_AFTER time is after the current time.

This is incorrect behavior. CKA_NSS_SERVER_DISTRUST_AFTER is supposed to be compared against the leaf certificate's NotBefore time, not the current time:

    If a builtin certificate has a CKA_NSS_SERVER_DISTRUST_AFTER timestamp before the SCT or NotBefore date of a certificate that builtin issued, then clients can elect not to trust it.

Source

See also https://bugzilla.mozilla.org/show_bug.cgi?id=1618404 and https://bugzilla.mozilla.org/show_bug.cgi?id=1621159

Mozilla intends to set the CKA_NSS_SERVER_DISTRUST_AFTER date of Entrust roots to November 30, 2024. mk-ca-bundle.pl's current behavior will cause consumers of mk-ca-bundle.pl to reject Entrust certificates that Firefox would have accepted, causing breakage that Mozilla did not intend.

Instead, mk-ca-bundle.pl should just ignore the CKA_NSS_SERVER_DISTRUST_AFTER date. Although this would cause consumers of mk-ca-bundle.pl to accept certificates that Firefox would have rejected, in practice this is not any less secure than Firefox. This is because roots with a CKA_NSS_SERVER_DISTRUST_AFTER date still have the ability to issue new certificates that are accepted by Firefox, by simply backdating the certificate's NotBefore date. The point of CKA_NSS_SERVER_DISTRUST_AFTER is not to provide security from an untrustworthy root, but to gracefully sunset trust in a root. When Mozilla adds CKA_NSS_SERVER_DISTRUST_AFTER to a root, they're not saying that certificates issued after that date are untrustworthy. Instead, they are saying that they would like to remove the root at some point in the future. Combined with enforcement of the 398 day maximum certificate lifetime, CKA_NSS_SERVER_DISTRUST_AFTER ensures that all certificates issued by a root are expired 398 days after the CKA_NSS_SERVER_DISTRUST_AFTER date, allowing for the root's removal without breakage. Consequentially, it is appropriate for mk-ca-bundle.pl to ignore CKA_NSS_SERVER_DISTRUST_AFTER and wait for Mozilla to fully remove the root.

curl/libcurl version

N/A

operating system

N/A
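
Added example, not part of the issue and not curl's or NSS's code: it contrasts a clock-based root filter with the per-leaf NotBefore rule quoted in the issue, and computes the 398-day sunset point. The function names are hypothetical, the certdata.txt fragment and all dates are constructed, and the attribute encoding (octal-escaped ASCII UTCTime) is stated as an assumption about the file format.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed certdata.txt fragment (not copied from NSS). The octal bytes
# spell the ASCII UTCTime "241130000000Z"; the time of day is an assumption.
SAMPLE = r"""
CKA_LABEL UTF8 "Example Root (constructed)"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\064\061\061\063\060\060\060\060\060\060\060\132
END
"""

def parse_distrust_after(obj: str) -> Optional[datetime]:
    """Return the distrust-after time of one certdata object, or None if unset."""
    m = re.search(r"^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL\n(.*?)^END$",
                  obj, re.S | re.M)
    if m is None:  # "CK_BBOOL CK_FALSE" or attribute absent: no sunset date
        return None
    raw = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", m.group(1)))
    parsed = datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ")
    return parsed.replace(tzinfo=timezone.utc)

def root_dropped_by_clock(distrust_after, now):
    """Clock-based filter: the root leaves the bundle once the date has passed."""
    return distrust_after is not None and now >= distrust_after

def leaf_distrusted(distrust_after, leaf_not_before):
    """Per-leaf rule from the quoted text: date is before the leaf's NotBefore."""
    return distrust_after is not None and distrust_after < leaf_not_before

def latest_leaf_expiry(distrust_after, max_lifetime_days=398):
    """With the 398-day lifetime cap, every still-trusted leaf has expired by then."""
    return distrust_after + timedelta(days=max_lifetime_days)

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

if __name__ == "__main__":
    cutoff = parse_distrust_after(SAMPLE)
    now = utc(2025, 1, 15)  # constructed validation time
    for not_before in (utc(2024, 10, 1), utc(2024, 12, 20)):
        print(not_before.date(),
              "root dropped:", root_dropped_by_clock(cutoff, now),
              "leaf distrusted:", leaf_distrusted(cutoff, not_before))
    print("root removable after:", latest_leaf_expiry(cutoff).date())
```

A PEM bundle carries no per-root date, so a consumer of the bundle can only see the first outcome (root present or absent), never the per-leaf one.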

bagder self-assigned this Nov 11, 2024
bagder added a commit that referenced this issue Nov 11, 2024
The script's previous treatment of this meta-data was a
misunderstanding. (Added in 1ebc53d) The mistrust is not for
the root cert at this date (it would simply be removed from the bundle
then instead) but for created server certificates:

    If a builtin certificate has a CKA_NSS_SERVER_DISTRUST_AFTER
    timestamp before the SCT or NotBefore date of a certificate that
    builtin issued, then clients can elect not to trust it.

That is however information that cannot be provided in the generated PEM
output.

Fixes #15547
Reported-by: Andrew Ayer
bagder closed this as completed in 448df98 Nov 12, 2024
talregev pushed a commit to talregev/curl that referenced this issue Nov 13, 2024
The script's previous treatment of this meta-data was a
misunderstanding. (Added in 1ebc53d) The mistrust is not for
the root cert at this date (it would simply be removed from the bundle
then instead) but for created server certificates:

    If a builtin certificate has a CKA_NSS_SERVER_DISTRUST_AFTER
    timestamp before the SCT or NotBefore date of a certificate that
    builtin issued, then clients can elect not to trust it.

That is however information that cannot be provided in the generated PEM
output.

Fixes curl#15547
Reported-by: Andrew Ayer
Closes curl#15552