| author | Michael Osipov <michaelo@FreeBSD.org> | 2025-02-20 10:48:48 +0100 |
|---|---|---|
| committer | Michael Osipov <michaelo@FreeBSD.org> | 2025-03-08 16:33:44 +0100 |
| commit | 457c03b397c80d44da92684d417a58b3ca1fed02 (patch) | |
| tree | 45e49c66acde9923789dbd70117ac3ef7be53a55 /secure | |
| parent | 780a4667bbde0daa90db900bb0f93f6337d6208b (diff) | |
caroot: Ignore soft distrust of server CA certificates after 398 days
Mozilla introduced the field CKA_NSS_SERVER_DISTRUST_AFTER which indicates that
a CA certificate will be distrusted in the future before its NotAfter time.
This means that the CA stops issuing new certificates, but previously issued ones
are still valid, though at most for 398 days after the distrust date.
See also:
* https://bugzilla.mozilla.org/show_bug.cgi?id=1465613
* https://github.com/Lukasa/mkcert/issues/19
* https://gitlab.alpinelinux.org/alpine/ca-certificates/-/merge_requests/16
* https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c
Tested by: michaelo
Reviewed by: emaste
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D49075
Diffstat (limited to 'secure')
| -rwxr-xr-x | secure/caroot/MAca-bundle.pl | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/secure/caroot/MAca-bundle.pl b/secure/caroot/MAca-bundle.pl
index 4feced90d782..58cfe1cbf6fa 100755
--- a/secure/caroot/MAca-bundle.pl
+++ b/secure/caroot/MAca-bundle.pl
@@ -37,6 +37,8 @@ use strict;
 use Carp;
 use MIME::Base64;
 use Getopt::Long;
+use Time::Local qw( timegm_posix );
+use POSIX qw( strftime );
 my $generated = '@' . 'generated';
 my $inputfh = *STDIN;
@@ -101,13 +103,6 @@ EOH
 }
 }
-# returns a string like YYMMDDhhmmssZ of current time in GMT zone
-sub timenow()
-{
- my ($sec,$min,$hour,$mday,$mon,$year,undef,undef,undef) = gmtime(time);
- return sprintf "%02d%02d%02d%02d%02d%02dZ", $year-100, $mon+1, $mday, $hour, $min, $sec;
-}
 sub printcert($$$)
 {
 my ($fh, $label, $certdata) = @_;
@@ -162,10 +157,15 @@ sub grabcert($)
 if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/) {
 my $distrust_after = graboct($ifh);
- my $time_now = timenow();
- if ($time_now >= $distrust_after) { $distrust = 1; }
+ my ($year, $mon, $mday, $hour, $min, $sec) = unpack "A2A2A2A2A2A2", $distrust_after;
+ $distrust_after = timegm_posix( $sec, $min, $hour, $mday, $mon - 1, $year + 100);
+ my $time_now = time;
+ # When a CA is distrusted before its NotAfter date, issued certificates
+ # are valid for a maximum of 398 days after that date.
+ if ($time_now >= $distrust_after + 398 * 24 * 60 * 60) { $distrust = 1; }
 if ($debug) {
- printf STDERR "line $.: $cka_label ser #%d: distrust after %s, now: %s -> distrust $distrust\n", $serial, $distrust_after, timenow();
+ printf STDERR "line $.: $cka_label ser #%d: distrust 398 days after %s, now: %s -> distrust $distrust\n", $serial,
+ strftime("%FT%TZ", gmtime($distrust_after)), strftime("%FT%TZ", gmtime($time_now));
 }
 if ($distrust) {
 return undef; |
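Review bot: In the third hunk, `unpack "A2A2A2A2A2A2", $distrust_after` accepts whatever graboct() returned without checking that it is the YYMMDDhhmmssZ string the removed timenow() comment describes, so a truncated or non-numeric field would reach timegm_posix() as empty or non-numeric values and could produce a wrong epoch and a silently wrong distrust decision instead of an error. Since Carp is already imported, a guard before the unpack such as `croak "line $.: $cka_label: malformed CKA_NSS_SERVER_DISTRUST_AFTER '$distrust_after'" unless $distrust_after =~ /\A\d{12}Z\z/;` would make bad input fail loudly at bundle generation time. The `$year + 100` also pins the century to 20xx, and `398 * 24 * 60 * 60` is an unnamed constant used in the comparison; hoisting it to `my $DISTRUST_GRACE_SECS = 398 * 24 * 60 * 60;` with a comment citing the 398-day limit would document both assumptions in one place. The enclosing grabcert() body starts and ends outside the hunk.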
