Support CKA_NSS_SERVER_DISTRUST_AFTER in mk-ca-bundle.pl

[tiran]

The script mk-ca-bundle.pl generates a CA bundle from Mozilla NSS's certdata.txt. Recently Mozilla has introduced two new fields. The new fields CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER encode a date after which the certificates are considered distrusted.

mk-ca-bundle.pl should not add certs that have CKA_NSS_SERVER_DISTRUST_AFTER after the current date. The field is either a CK_BBOOL with value CK_FALSE or a MULTILINE_OCTAL that encodes the date as octal string "YYMMDDHHMMSSZ", e.g. \062\060\060\066\061\067\060\060\060\060\060\060\132 == 200617000000Z == 2020-06-17 00:00:00Z.

https://bugzilla.mozilla.org/show_bug.cgi?id=1465613

[bagder]

My gosh that file format is obscure! =) I also note that no certificate so far has CKA_NSS_SERVER_DISTRUST_AFTER set. I have a patch coming that I think is okay.

[tiran]

Yeah, certdata.txt wasn't designed with 3rd party parsers in mind. You could use a complete different approach and interface the PKCS#11 interface of the nssckbi token. You can do this either directly or with p11-kit.

Pros:

• You would use the designated API to get a list of trust anchors for a specific purpose.

Cons:

• It's PKCS#11 :(