Skip to content

/ curl

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support CKA_NSS_SERVER_DISTRUST_AFTER in mk-ca-bundle.pl #4834

Closed
tiran opened this issue Jan 20, 2020 · 2 comments · Fixed by sthagen/curl#58
Closed

Support CKA_NSS_SERVER_DISTRUST_AFTER in mk-ca-bundle.pl #4834

tiran opened this issue Jan 20, 2020 · 2 comments · Fixed by sthagen/curl#58
Assignees
@bagder
Labels
SSL/TLS

Comments

@tiran
Copy link
Contributor

@tiran tiran commented Jan 20, 2020

The script mk-ca-bundle.pl generates a CA bundle from Mozilla NSS's certdata.txt. Recently Mozilla has introduced two new fields. The new fields CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER encode a date after which the certificates are considered distrusted.

mk-ca-bundle.pl should not add certs that have CKA_NSS_SERVER_DISTRUST_AFTER after the current date. The field is either a CK_BBOOL with value CK_FALSE or a MULTILINE_OCTAL that encodes the date as octal string "YYMMDDHHMMSSZ", e.g. \062\060\060\066\061\067\060\060\060\060\060\060\132 == 200617000000Z == 2020-06-17 00:00:00Z.

https://bugzilla.mozilla.org/show_bug.cgi?id=1465613
@bagder bagder added the SSL/TLS label Jan 20, 2020
@tiran tiran mentioned this issue Jan 20, 2020
Closed
@bagder bagder self-assigned this Jan 20, 2020
@bagder

This comment has been minimized.

Sign in to view
Copy link
Member

@bagder bagder commented Jan 20, 2020

My gosh that file format is obscure! =) I also note that no certificate so far has CKA_NSS_SERVER_DISTRUST_AFTER set. I have a patch coming that I think is okay.
@tiran

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

@tiran tiran commented Jan 20, 2020

Yeah, certdata.txt wasn't designed with 3rd party parsers in mind. You could use a complete different approach and interface the PKCS#11 interface of the nssckbi token. You can do this either directly or with p11-kit.

Pros:

  • You would use the designated API to get a list of trust anchors for a specific purpose.

Cons:

  • It's PKCS#11 :(
bagder added a commit that referenced this issue Jan 20, 2020
@bagder
mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AFTER
Verified
This commit was signed with a verified signature.
bagder Daniel Stenberg
GPG key ID: 5CC908FDB71E12C2 Learn about signing commits
Loading status checks…
aabc492 
For now, no cert in the bundle actually sets a date there...

Reported-by: Christian Heimes
Fixes #4834
@bagder bagder mentioned this issue Jan 20, 2020
Closed
@bagder bagder closed this in 1ebc53d Jan 22, 2020
@sthagen sthagen mentioned this issue Jan 22, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bagder bagder

Labels
SSL/TLS
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AFTER
mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AFTER
2 participants
@tiran @bagder
You can’t perform that action at this time.