The script mk-ca-bundle.pl generates a CA bundle from Mozilla NSS's certdata.txt. Recently Mozilla has introduced two new fields. The new fields CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER encode a date after which the certificates are considered distrusted.
mk-ca-bundle.pl should not add certs that have CKA_NSS_SERVER_DISTRUST_AFTER after the current date. The field is either a CK_BBOOL with value CK_FALSE or a MULTILINE_OCTAL that encodes the date as octal string "YYMMDDHHMMSSZ", e.g. \062\060\060\066\061\067\060\060\060\060\060\060\132 == 200617000000Z == 2020-06-17 00:00:00Z.
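The following is an added worked example, not code from mk-ca-bundle.pl or from Mozilla: it parses a constructed, abridged certdata.txt excerpt (object names and labels are made up; real entries also carry the DER in CKA_VALUE and full trust objects), decodes the backslash-octal MULTILINE_OCTAL body into the "YYMMDDHHMMSSZ" UTCTime string from the issue, handles the CK_BBOOL CK_FALSE form, and drops a certificate from the bundle once the current time is past its distrust date. The same code covers CKA_NSS_EMAIL_DISTRUST_AFTER via the `purpose` argument.

```python
"""Parse the subset of Mozilla's certdata.txt needed to honour
CKA_NSS_SERVER_DISTRUST_AFTER / CKA_NSS_EMAIL_DISTRUST_AFTER.
Standalone illustration; not mk-ca-bundle.pl's own code."""
import re
from datetime import datetime, timezone

# Constructed, abridged certdata.txt excerpt (hypothetical roots, no CKA_VALUE).
# Root A has no distrust date; Root B is distrusted for server auth after
# 2020-06-17 00:00:00Z, using exactly the octal encoding quoted in the issue.
SAMPLE_CERTDATA = r"""
BEGINDATA
#
# Certificate "Example Root A"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root A"
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE

#
# Certificate "Example Root B"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root B"
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# For Server Distrust After: Wed Jun 17 00:00:00 2020
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\060\060\066\061\067\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE

#
# Trust for "Example Root A"
#
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def decode_octal(blob: str) -> bytes:
    """Turn a MULTILINE_OCTAL body (backslash + three octal digits per byte) into bytes."""
    return bytes(int(o, 8) for o in OCTAL_ESCAPE.findall(blob))


def parse_certdata(text: str) -> list:
    """Split certdata.txt into objects: one dict of attributes per CKA_CLASS line."""
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        parts = line.split(None, 2)          # KEY TYPE [VALUE]
        if len(parts) < 2:
            raise ValueError(f"malformed line: {line!r}")
        key, typ = parts[0], parts[1]
        if key == "CKA_CLASS":               # a new object starts here
            current = {}
            objects.append(current)
        if current is None:
            raise ValueError("attribute before first CKA_CLASS")
        if typ == "MULTILINE_OCTAL":         # value is on following lines up to END
            body = []
            for raw in lines:
                if raw.strip() == "END":
                    break
                body.append(raw)
            else:
                raise ValueError(f"unterminated MULTILINE_OCTAL for {key}")
            current[key] = decode_octal("".join(body))
        elif len(parts) < 3:
            raise ValueError(f"missing value: {line!r}")
        elif typ == "UTF8":
            current[key] = parts[2].strip('"')
        else:                                # CK_BBOOL, CK_TRUST, CK_OBJECT_CLASS, ...
            current[key] = parts[2]
    return objects


def parse_utctime(s: str) -> datetime:
    """Decode ASN.1 UTCTime "YYMMDDHHMMSSZ" as an aware UTC datetime.
    Two-digit year per RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, otherwise 20YY."""
    if len(s) != 13 or s[-1] != "Z" or not s[:-1].isdigit():
        raise ValueError(f"not a UTCTime: {s!r}")
    yy = int(s[0:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(s[2:4]), int(s[4:6]),
                    int(s[6:8]), int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)


DISTRUST_ATTR = {
    "server": "CKA_NSS_SERVER_DISTRUST_AFTER",
    "email": "CKA_NSS_EMAIL_DISTRUST_AFTER",
}


def distrust_after(obj: dict, purpose: str):
    """Distrust-after datetime for the purpose, or None when the attribute is
    absent or uses the CK_BBOOL CK_FALSE form."""
    value = obj.get(DISTRUST_ATTR[purpose])
    if value is None or value == "CK_FALSE":
        return None
    if isinstance(value, bytes):
        return parse_utctime(value.decode("ascii"))
    raise ValueError(f"unexpected {DISTRUST_ATTR[purpose]} value: {value!r}")


def select_trusted_labels(text: str, now: datetime, purpose: str = "server") -> list:
    """Labels of CKO_CERTIFICATE objects still eligible for the bundle at `now`:
    no distrust date, or a date that `now` has not yet passed."""
    keep = []
    for obj in parse_certdata(text):
        if obj.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        cutoff = distrust_after(obj, purpose)
        if cutoff is not None and now > cutoff:
            continue
        keep.append(obj["CKA_LABEL"])
    return keep


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for obj in parse_certdata(SAMPLE_CERTDATA):
        if obj["CKA_CLASS"] == "CKO_CERTIFICATE":
            print(obj["CKA_LABEL"], "server distrust after:", distrust_after(obj, "server"))
    print("bundle would contain:", select_trusted_labels(SAMPLE_CERTDATA, now))
```

Run against a real certdata.txt the parser needs no change for CKA_VALUE or the hash attributes (they are MULTILINE_OCTAL too), but note that CKA_LABEL values in the real file may contain escaped quotes that the simple `strip('"')` does not unescape. One caveat on semantics: in NSS the distrust-after date is applied to leaf certificates issued by that CA, which a flat PEM bundle cannot express; dropping the root once the date has passed is the conservative approximation a bundle generator can make.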
My gosh that file format is obscure! =) I also note that no certificate so far has CKA_NSS_SERVER_DISTRUST_AFTER set. I have a patch coming that I think is okay.
Yeah, certdata.txt wasn't designed with 3rd party parsers in mind. You could use a completely different approach and talk to the PKCS#11 interface of the nssckbi token. You can do this either directly or with p11-kit.
Pros:
You would use the designated API to get a list of trust anchors for a specific purpose.
Mozilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1465613