The script mk-ca-bundle.pl generates a CA bundle from Mozilla NSS's certdata.txt. Recently Mozilla has introduced two new fields. The new fields CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER encode a date after which the certificates are considered distrusted.
mk-ca-bundle.pl should not add certs that have CKA_NSS_SERVER_DISTRUST_AFTER after the current date. The field is either a CK_BBOOL with value CK_FALSE or a MULTILINE_OCTAL that encodes the date as octal string "YYMMDDHHMMSSZ", e.g. \062\060\060\066\061\067\060\060\060\060\060\060\132 == 200617000000Z == 2020-06-17 00:00:00Z.
https://bugzilla.mozilla.org/show_bug.cgi?id=1465613
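As an added example (not code from curl's mk-ca-bundle.pl or from the issue author), here is a Python version of the check the issue asks for: it parses both encodings of CKA_NSS_SERVER_DISTRUST_AFTER from a constructed certdata.txt excerpt and drops trust objects whose date has already passed. The object labels in the sample are made up.

```python
import re
from datetime import datetime, timezone
# Constructed certdata.txt excerpt (not real Mozilla data) showing both encodings.
SAMPLE_CERTDATA = r"""CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\060\060\066\061\067\060\060\060\060\060\060\132
END
"""
def decode_octal(lines):
    # MULTILINE_OCTAL text such as \062\060 -> raw bytes, one byte per \ooo escape
    return bytes(int(m, 8) for m in re.findall(r"\\([0-7]{3})", "".join(lines)))

def parse_utctime(text):
    # "YYMMDDHHMMSSZ", e.g. 200617000000Z -> 2020-06-17 00:00:00 UTC
    return datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_objects(text):
    """Split certdata.txt into objects, each a dict of attribute name -> value."""
    objects, current, lines = [], None, iter(text.splitlines())
    for line in lines:
        if line.startswith("CKA_CLASS"):        # every object starts with its class
            current = {}
            objects.append(current)
        if current is None or not line.strip() or line.startswith("#"):
            continue
        name, kind, *rest = line.split(None, 2)
        if kind == "MULTILINE_OCTAL":           # value continues up to a bare END
            current[name] = decode_octal(iter(lambda: next(lines), "END"))
        else:
            current[name] = rest[0].strip('"') if rest else ""
    return objects

def distrust_after(obj, field="CKA_NSS_SERVER_DISTRUST_AFTER"):
    """Distrust date as an aware UTC datetime, or None for CK_FALSE / absent."""
    value = obj.get(field)
    if value is None or value == "CK_FALSE":
        return None
    return parse_utctime(value.decode("ascii"))

def trusted_labels(text, now):
    """Labels of CKO_NSS_TRUST objects whose server distrust date has not passed."""
    return [o["CKA_LABEL"] for o in parse_objects(text)
            if o.get("CKA_CLASS") == "CKO_NSS_TRUST"
            and ((cutoff := distrust_after(o)) is None or now < cutoff)]
```

Run against the real certdata.txt, `trusted_labels(text, datetime.now(timezone.utc))` is the subset a bundle generator should still emit; the CKA_NSS_EMAIL_DISTRUST_AFTER field is handled identically by passing it as `field`.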
My gosh that file format is obscure! =) I also note that no certificate so far has CKA_NSS_SERVER_DISTRUST_AFTER set. I have a patch coming that I think is okay.
Yeah, certdata.txt wasn't designed with 3rd party parsers in mind. You could use a completely different approach and interface with the PKCS#11 interface of the nssckbi token. You can do this either directly or with p11-kit.
Pros:
You would use the designated API to get a list of trust anchors for a specific purpose.