The script mk-ca-bundle.pl generates a CA bundle from Mozilla NSS's certdata.txt. Recently Mozilla has introduced two new fields. The new fields CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER encode a date after which the certificates are considered distrusted.
mk-ca-bundle.pl should not add certs that have CKA_NSS_SERVER_DISTRUST_AFTER after the current date. The field is either a CK_BBOOL with value CK_FALSE or a MULTILINE_OCTAL that encodes the date as octal string "YYMMDDHHMMSSZ", e.g. \062\060\060\066\061\067\060\060\060\060\060\060\132 == 200617000000Z == 2020-06-17 00:00:00Z.
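As an added illustration (not part of the original report or of mk-ca-bundle.pl), the following Python decodes the MULTILINE_OCTAL form of the two distrust attributes described above and applies the "distrusted once the date has passed" rule; the certdata.txt fragment it parses is constructed, using the octal value quoted in the report.

```python
import re
from datetime import datetime, timezone

# Constructed certdata.txt-style fragment (not a real Mozilla entry). The
# octal string is the one from the report above and decodes to 200617000000Z.
SAMPLE_DISTRUSTED = r"""
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\060\060\066\061\067\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
"""

def decode_octal(lines):
    """Turn lines of \\NNN escapes (certdata's MULTILINE_OCTAL encoding) into bytes."""
    return bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", "".join(lines)))

def parse_distrust_fields(text):
    """Map each *_DISTRUST_AFTER attribute to an aware UTC datetime, or to None
    when the attribute is CK_BBOOL CK_FALSE (no distrust date set)."""
    result = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        parts = lines[i].split()
        if len(parts) >= 2 and parts[0].endswith("_DISTRUST_AFTER"):
            attr, kind = parts[0], parts[1]
            if kind == "CK_BBOOL":
                result[attr] = None
            elif kind == "MULTILINE_OCTAL":
                block = []
                i += 1
                while lines[i].strip() != "END":
                    block.append(lines[i])
                    i += 1
                stamp = decode_octal(block).decode("ascii")  # e.g. "200617000000Z"
                result[attr] = datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(
                    tzinfo=timezone.utc)
        i += 1
    return result

def server_distrusted(fields, now):
    """True when a server distrust date is set and 'now' is already past it."""
    after = fields.get("CKA_NSS_SERVER_DISTRUST_AFTER")
    return after is not None and now > after

if __name__ == "__main__":
    fields = parse_distrust_fields(SAMPLE_DISTRUSTED)
    print(fields, server_distrusted(fields, datetime.now(timezone.utc)))
```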
Yeah, certdata.txt wasn't designed with third-party parsers in mind. You could use a completely different approach and talk to the PKCS#11 interface of the nssckbi token. You can do this either directly or with p11-kit.
You would use the designated API to get a list of trust anchors for a specific purpose.