Closed Bug 1615438 Opened 6 years ago Closed 5 years ago

Certificate validation should respect CKA_NSS_SERVER_DISTRUST_AFTER

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla78

Tracking Flags:

Tracking

Status

firefox78

---

fixed

People

(Reporter: jcj, Assigned: beurdouche)

References

(Depends on 1 open bug)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

Bug 1615438 - Use CKA_NSS_SERVER_DISTRUST_AFTER from NSS for certificate validation. r=keeler 5 years ago Benjamin Beurdouche [:beurdouche] 47 bytes, text/x-phabricator-request		Details \| Review

J.C. Jones [:jcj] (he/they)

Reporter

Description

•

6 years ago

Since Bug 1465613, NSS provides CKA_NSS_SERVER_DISTRUST_AFTER as a date to be compared with certificates' NotBefore dates to indicate distrust.

As just a straw-person idea, NSSCertDBTrustDomain::IsChainValid would return invalid if the root certificate was builtin, and if the end entity NotBefore date was after the root's CKA_NSS_SERVER_DISTRUST_AFTER date.

Kathleen Wilson

Updated

•

6 years ago

Blocks: 1615687

Dana Keeler (she/her) [:keeler]

Updated

•

6 years ago

Priority: -- → P2

Whiteboard: [psm-backlog]

Kathleen Wilson

Updated

•

6 years ago

Blocks: 1618404

Kathleen Wilson

Updated

•

6 years ago

Blocks: 1621159

Dana Keeler (she/her) [:keeler]

Updated

•

6 years ago

Assignee: nobody → bbeurdouche

Priority: P2 → P1

Whiteboard: [psm-backlog] → [psm-assigned]

Benjamin Beurdouche [:beurdouche]

Assignee

Updated

•

6 years ago

Flags: needinfo?(bbeurdouche)

Benjamin Beurdouche [:beurdouche]

Assignee

Updated

•

5 years ago

Status: NEW → ASSIGNED

Flags: needinfo?(bbeurdouche)

Benjamin Beurdouche [:beurdouche]

Assignee

Comment 1

•

5 years ago

Should I create a new error value for this or do we think reusing ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED is ok ?

Flags: needinfo?(dkeeler)

Dana Keeler (she/her) [:keeler]

Comment 2

•

5 years ago

To me it feels more like the active distrust records from the built-in root module, so I think we should use Result::ERROR_UNTRUSTED_CERT (which would turn into Result::ERROR_UNTRUSTED_ISSUER when that result gets processed).

Flags: needinfo?(dkeeler)

Kathleen Wilson

Updated

•

5 years ago

Blocks: 1634584

Benjamin Beurdouche [:beurdouche]

Assignee

Comment 3

•

5 years ago

Attached file Bug 1615438 - Use CKA_NSS_SERVER_DISTRUST_AFTER from NSS for certificate validation. r=keeler — Details

Phabricator Automation

Updated

•

5 years ago

Attachment #9147269 - Attachment description: Bug 1615438 - Use CKA_NSS_SERVER_DISTRUST_AFTER from NSS for certificate validation. → Bug 1615438 - Use CKA_NSS_SERVER_DISTRUST_AFTER from NSS for certificate validation. r=keeler

Pulsebot

Comment 4

•

5 years ago

Pushed by cbrindusan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/adb3e4385840 Use CKA_NSS_SERVER_DISTRUST_AFTER from NSS for certificate validation. r=keeler

Raul Gurzau (:RaulG)

Comment 5

•

5 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/adb3e4385840

Status: ASSIGNED → RESOLVED

Closed: 5 years ago

status-firefox78: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla78

Dana Keeler (she/her) [:keeler]

Updated

•

5 years ago

Depends on: 1642010

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Certificate validation should respect CKA_NSS_SERVER_DISTRUST_AFTER

Categories

(Core :: Security: PSM, enhancement, P1)

Tracking

()

People

(Reporter: jcj, Assigned: beurdouche)

References

(Depends on 1 open bug)

Details

(Whiteboard: [psm-assigned])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Updated

Updated

Updated

Updated

Updated

Updated

Comment 1

Comment 2

Updated

Comment 3

Updated

Comment 4

Comment 5

Updated

Attachment

General

Description

File Name

Content Type