mk-ca-bundle.pl: Use stricter logic to process the certificates #8411

Closed
@jay jay commented Feb 9, 2022

.. and bump version to 1.29.

This change makes the script properly ignore unknown blocks and
otherwise fail when Mozilla changes the certdata format in ways we
don't expect. Though this is less flexible behavior it makes it far less
likely that an invalid certificate can slip through.

Prior to this change the state machine did not always properly reset,
and it was possible that a certificate marked as invalid could then
later be marked as valid when there was conflicting trust info or
an unknown block was erroneously processed as part of the certificate.

Ref: #7801 (review)

Closes #xxxx

@jay jay closed this in 45cb662 Mar 18, 2022
@jay jay deleted the fix_mk-ca-bundle branch March 18, 2022 07:28
@ydroneaud

This removes EC-ACC '88:49:7f:01:60:2f:31:54:24:6a:e2:8c:4d:5a:ef:10:f1:d8:7e:bb:76:62:6f:4a:e0:b7:f9:5b:a7:96:87:99' certificate from the list of certificates exported by mk-ca-bundle.pl. What's the reason?

ydroneaud commented Mar 18, 2022

OK, certdata.txt contains:

```
# For Server Distrust After: Sat Dec 28 00:00:00 2019
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\061\071\061\062\062\070\060\060\060\060\060\060\132
END
```

(It's not obvious it's distrusted from within Firefox CA certificate tool)

@ydroneaud

It's going to be difficult to process:
EC-ACC is to be trusted until Tue Jan 07 22:59:59 2031, but certificates issued from this CA after Sat Dec 28 00:00:00 2019 shouldn't be trusted.
https://bugzilla.mozilla.org/show_bug.cgi?id=1621159
https://hg.mozilla.org/projects/nss/rev/4d1b7bbeebfe12cb16b2af74cfec4183637014cc

jay commented Mar 22, 2022

curl does not have any logic for validating server certificates that way; either the CA is valid or it isn't.
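
An added example, not part of the thread and not code from mk-ca-bundle.pl: a strict Python parser for the `CKA_NSS_SERVER_DISTRUST_AFTER` attribute quoted above, which decodes the octal value to its UTC date and raises on any form it does not recognise. The `CK_BBOOL CK_FALSE` form, treating a missing attribute as an error, and the `keep_ca` policy (drop the CA once the date has passed) are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the attribute quoted in the thread, plus the
# CK_BBOOL CK_FALSE form (assumed here to mean "no distrust date").
SAMPLE = r"""# For Server Distrust After: Sat Dec 28 00:00:00 2019
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\061\071\061\062\062\070\060\060\060\060\060\060\132
END
"""
NO_DATE = "CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE\n"
ATTR = "CKA_NSS_SERVER_DISTRUST_AFTER"
OCTAL_LINE = re.compile(r"(?:\\[0-7]{3})+")


def server_distrust_after(block):
    """Return the distrust-after time (UTC) for one object, or None; raise on unknown forms."""
    lines = block.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith(ATTR + " "):
            continue  # comments and other attributes are not interpreted here
        kind = line[len(ATTR) + 1:].strip()
        if kind == "CK_BBOOL CK_FALSE":
            return None
        if kind != "MULTILINE_OCTAL":
            raise ValueError(f"unexpected {ATTR} type: {kind!r}")
        raw = bytearray()
        for body in lines[i + 1:]:
            if body == "END":
                break
            if not OCTAL_LINE.fullmatch(body):
                raise ValueError(f"malformed octal line: {body!r}")
            raw += bytes(int(o, 8) for o in body.split("\\")[1:])
        else:  # ran off the end of the block without seeing END
            raise ValueError("MULTILINE_OCTAL value without END")
        stamp = raw.decode("ascii")
        if not re.fullmatch(r"\d{12}Z", stamp):
            raise ValueError(f"not a UTC YYMMDDHHMMSSZ timestamp: {stamp!r}")
        return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    # Assumption of this example: a missing attribute is a format error.
    raise ValueError(f"{ATTR} missing from block")


def keep_ca(block, now):
    """All-or-nothing policy (assumed): drop the CA once its distrust date has passed."""
    cutoff = server_distrust_after(block)
    return cutoff is None or now < cutoff
```
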
