Page MenuHomeFreeBSD
Differential D49075

caroot: Ignore soft distrust of server CA certificates after 398 days
ClosedPublic
Actions

Authored by michaelo on Thu, Feb 20, 9:55 AM.
Tags
None
Referenced Files
F112547933: D49075.diff
Wed, Mar 19, 4:56 PM
Unknown Object (File)
Mon, Mar 10, 4:52 PM
Unknown Object (File)
Mon, Mar 10, 4:00 PM
Unknown Object (File)
Mon, Mar 10, 11:09 AM
Unknown Object (File)
Sat, Mar 8, 3:34 PM
Unknown Object (File)
Fri, Mar 7, 5:40 AM
Unknown Object (File)
Tue, Mar 4, 3:47 PM
Unknown Object (File)
Tue, Mar 4, 12:34 PM
View All 19 Files
Subscribers
imp

Details

Reviewers
jrm
otis
des
emaste
kevans
Commits
rGd3e5558d3168: caroot: Ignore soft distrust of server CA certificates after 398 days
rG4fd560bc94f0: caroot: Ignore soft distrust of server CA certificates after 398 days
rG457c03b397c8: caroot: Ignore soft distrust of server CA certificates after 398 days
Summary

Mozilla introduced the field CKA_NSS_SERVER_DISTRUST_AFTER which indicates that
a CA certificate will be distrusted in the future before its NotAfter time.
This means that the CA stops issuing new certificates, but previous ones are
still valid, but at most for 398 days after the distrust date.

See also:

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 62540
Build 59424: arc lint + arc unit

Event Timeline

michaelo created this revision.Thu, Feb 20, 9:55 AM
Herald added a subscriber: imp. · View Herald TranscriptThu, Feb 20, 9:55 AM
michaelo requested review of this revision.Thu, Feb 20, 9:55 AM
Harbormaster completed remote builds in B62540: Diff 151237.Thu, Feb 20, 9:55 AM
michaelo added a comment.Thu, Feb 20, 9:56 AM

Please add other reviewers as you think appropriate.

michaelo added a comment.Thu, Feb 20, 11:00 AM

Here it is: https://bugzilla.mozilla.org/show_bug.cgi?id=1465613

michaelo added a reviewer: kevans.Thu, Feb 20, 11:10 AM
michaelo retitled this revision from secure/caroot: Ignore soft distrust of server CA certificates to caroot: Ignore soft distrust of server CA certificates.Thu, Feb 20, 11:14 AM
michaelo added a comment.Tue, Mar 4, 8:05 AM

Folks, any objections? I'd like to update the system trust store after that.

emaste added a comment.Tue, Mar 4, 7:38 PM

What about the approach in https://github.com/Lukasa/mkcert/pull/20/commits/bbd91ec48a8e0d97bc550a310019acfad4480a4a

michaelo added a comment.Wed, Mar 5, 6:22 AM
In D49075#1122850, @emaste wrote:

What about the approach in https://github.com/Lukasa/mkcert/pull/20/commits/bbd91ec48a8e0d97bc550a310019acfad4480a4a

Yes, this is a rather sophisticated one. I need to figure out how to implement this in perl especially whether it requires additional packages from CPAN or not. Go has the magic built in, Perl has not. I believe that Mozilla will remove the CA beyond that date anyway. I wonder why should bother. If you want to, I can try implement, will take a bit of time. My Perl skills are very rusty (no pun intended).

michaelo updated this revision to Diff 151904.Wed, Mar 5, 10:00 AM

Distrust after 398 days as requested by @emaste

Harbormaster completed remote builds in B62764: Diff 151904.Wed, Mar 5, 10:00 AM
michaelo retitled this revision from caroot: Ignore soft distrust of server CA certificates to caroot: Ignore soft distrust of server CA certificates after 398 days.Wed, Mar 5, 10:03 AM
michaelo edited the summary of this revision. (Show Details)
michaelo added a comment.Wed, Mar 5, 10:06 AM

I'd like to MFC it after a week.

Current output:

perl /var/osipovmi/Projekte/freebsd/src/secure/caroot/MAca-bundle.pl -i certdata.txt -o /var/osipovmi/Projekte/freebsd/src/secure/caroot/trusted
line : Entrust.net Premium 2048 Secure Server CA ser #0: distrust 398 days after 2024-11-30T23:59:59Z, now: 2025-03-05T09:58:29Z -> distrust 0
line : Entrust Root Certification Authority ser #0: distrust 398 days after 2024-11-30T23:59:59Z, now: 2025-03-05T09:58:29Z -> distrust 0
line 801: no explicit trust/distrust found for Certum Root CA
line 3062: no explicit trust/distrust found for OISTE WISeKey Global Root GA CA
line 3062: AffirmTrust Commercial ser #0: distrust 398 days after 2024-11-30T23:59:59Z, now: 2025-03-05T09:58:29Z -> distrust 0
line 3062: AffirmTrust Networking ser #0: distrust 398 days after 2024-11-30T23:59:59Z, now: 2025-03-05T09:58:29Z -> distrust 0
line 3062: AffirmTrust Premium ser #0: distrust 398 days after 2024-11-30T23:59:59Z, now: 2025-03-05T09:58:29Z -> distrust 0
line 3062: AffirmTrust Premium ECC ser #0: distrust 398 days after 2024-11-30T23:59:59Z, now: 2025-03-05T09:58:29Z -> distrust 0
line 9537: no explicit trust/distrust found for Staat der Nederlanden Root CA - G3
line 9537: Entrust Root Certification Authority - G2 ser #0: distrust 398 days after 2024-11-30T23:59:59Z, now: 2025-03-05T09:58:29Z -> distrust 0
line 9537: Entrust Root Certification Authority - EC1 ser #0: distrust 398 days after 2024-11-30T23:59:59Z, now: 2025-03-05T09:58:29Z -> distrust 0
line 12109: no explicit trust/distrust found for D-TRUST Root CA 3 2013
line 14743: no explicit trust/distrust found for Entrust Root Certification Authority - G4
line 16230: no explicit trust/distrust found for GlobalSign Secure Mail Root R45
line 16345: no explicit trust/distrust found for GlobalSign Secure Mail Root E45
line 16345: GLOBALTRUST 2020 ser #0: distrust 398 days after 2024-06-30T00:00:00Z, now: 2025-03-05T09:58:29Z -> distrust 0
...
michaelo updated this revision to Diff 151905.Wed, Mar 5, 10:14 AM

Fix formatting

Harbormaster completed remote builds in B62765: Diff 151905.Wed, Mar 5, 10:14 AM
emaste accepted this revision.Wed, Mar 5, 2:27 PM

I wonder why should bother.

Wasn't sure it was necessary, just looked at the links for more context and thought that was an elegant way to handle it.

$year + 100 makes me sad :(

This revision is now accepted and ready to land.Wed, Mar 5, 2:27 PM
michaelo added a comment.Wed, Mar 5, 2:29 PM
In D49075#1123105, @emaste wrote:

$year + 100 makes me sad :(

Why? gmtime/localtime is a offset of 1900 and the certdata.txt uses unfortunately a two-digit year.

michaelo added a comment.Wed, Mar 5, 2:53 PM

I will leave other a few more days to review.

emaste added a comment.Wed, Mar 5, 2:56 PM

certdata.txt uses unfortunately a two-digit year

Yeah, that's the sad part

michaelo added a comment.Wed, Mar 5, 2:58 PM
In D49075#1123116, @emaste wrote:

certdata.txt uses unfortunately a two-digit year

Yeah, that's the sad part

People tend to reinvent the wheel although there is ISO 8601...

Closed by commit rG457c03b397c8: caroot: Ignore soft distrust of server CA certificates after 398 days (authored by michaelo). · Explain WhySat, Mar 8, 3:35 PM
This revision was automatically updated to reflect the committed changes.
michaelo added a commit: rG457c03b397c8: caroot: Ignore soft distrust of server CA certificates after 398 days.
michaelo added a commit: rG4fd560bc94f0: caroot: Ignore soft distrust of server CA certificates after 398 days.Sat, Mar 15, 1:52 PM
michaelo added a commit: rGd3e5558d3168: caroot: Ignore soft distrust of server CA certificates after 398 days.Sat, Mar 15, 1:57 PM

Revision Contents
Changeset List

PathSize
secure/
caroot/
12 lines

Diff 151237

View Options

secure/caroot/MAca-bundle.pl

Loading...