Replace mkcert.org with ccadb.org as the source of truth
#41
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cpu
force-pushed
the
cpu-ccadb-generator
branch
from
0fbc3f4
to
f1769df
Compare
djc
reviewed
Aug 9, 2023
cpu
force-pushed
the
cpu-ccadb-generator
branch
from
f1769df
to
b459ca9
Compare
djc
reviewed
Aug 9, 2023
|
Awesome! |
djc
reviewed
Aug 9, 2023
FWIW this is totally fine -- these comments were coming from mkcert's output, and we just wrapped them in a block comment. So we were always somewhat at risk of the output changing under our feet. It's a big improvement alone that the comments are now generated in our code, so it becomes more deterministic. |
Small convenience for CLion users.
cpu
force-pushed
the
cpu-ccadb-generator
branch
from
b459ca9
to
f75b638
Compare
|
@djc I think this is ready for another 🔍 pass when you have a chance. I'd like to get your +1 before I merge. Thanks! |
djc
approved these changes
Aug 10, 2023
These digest algorithms are not recommended for use. To avoid needing to take unnecessary dependencies in the CCADB tooling that will replace the mkcert data source that provides these fingerprints we choose to remove them, leaving only the SHA256 FP.
Prior to this commit the `tests/codegen.rs` generator used https://mkcert.org as its source of truth for trusted root metadata. This commit replaces that source of truth (and accompanying generator code) to use https://ccadb.org instead. The Common CA Database (CCADB) has emerged as a multi-stakeholder repository for information about certificate authorities participating in the trust stores maintained by CCADB root store operators. The `IncludedCACertificateReportPEMCSV` report made available by CCADB is a great replacement for the needs of webpki-roots: * it allows us to filter by roots that are trusted for TLS. * it allows us to filter by "distrust after" dates. * it allows us to generate imposed name constraints automatically. This removes the need to maintain a separate distrust list in webpki-roots, or a separate manually curated imposed name constraints set. To minimize the trust surface of webpki-roots we take care to pin the trust anchor used to fetch the CCADB CSV to the trust anchor in use today for serving https://ccadb-public.secure.force.com/, helping minimize the risk of person-in-the-middle attack. Note that we are not pinning the leaf/intermediates in use, just the expected root.
cpu
force-pushed
the
cpu-ccadb-generator
branch
from
f75b638
to
9f48dd9
Compare
This was referenced Aug 10, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This branch resolves #37, switching from the third party mkcert.org service to consuming the IncludedCACertificateReportPEMCSV report directly from the Common CA Database (CCADB).
misc: add jetbrains .idea to git ignore.
Small convenience for CLion users.
tests: clippy fixes for verify.
We weren't running clippy in CI so a couple of small nits slipped through that are fixed in this commit.
ci: add clippy to build workflow.
This prevents backsliding on the above.
lib: remove MD5 and SHA1 fingerprint metadata.
These digest algorithms are not recommended for use. To avoid needing to take unnecessary dependencies in the CCADB tooling that will replace the mkcert data source that provides these fingerprints we choose to remove them, leaving only the SHA256 FP. This will also minimize the diff that must be reviewed when
src/lib.rsis regenerated with the new tooling in the subsequent commit.codegen: use CCADB as the source of truth.
Prior to this commit the
tests/codegen.rsgenerator used https://mkcert.org/ as its source of truth for trusted root metadata. This commit replaces that source of truth (and accompanying generator code) to use https://ccadb.org/ instead.The Common CA Database (CCADB) has emerged as a multi-stakeholder repository for information about certificate authorities participating in the trust stores maintained by CCADB root store operators.
The
IncludedCACertificateReportPEMCSVreport made available by CCADB is a great replacement for the needs of webpki-roots:This removes the need to maintain a separate distrust list in webpki-roots, or a separate manually curated imposed name constraints set.
To minimize the trust surface of webpki-roots we take care to pin the trust anchor used to fetch the CCADB CSV to the trust anchor in use today for serving https://ccadb-public.secure.force.com/, helping minimize the risk of person-in-the-middle attack. Note that we are not pinning the leaf/intermediates in use, just the expected root.
Included in this commit is the regeneration of
src/lib.rswith the new tooling, ensuring tests pass. The set of trust anchors remains unchanged, but there are some slight metadata differences to note in review:The file header was updated to reflect the new data source.
The mkcert.org "label" and the CCADB "Common Name or Certificate Name" field used in some of the comment content differ in some cases, e.g. "GlobalSign Root CA - R6" vs "GlobalSign".
In one case the "issuer" and "subject" fields used in a comment differ based on how we use x509_parser to reconstitute the
issuer/subject string from the DER content instead of what mkcert.org provided:
All of the above are metadata only changes. The PEM, DER, and name constraints content that are the functional parts of this library remain unchanged.