Closed Bug 1679803 Opened 4 years ago Closed 3 years ago

Update the builtin entries with a SHA2-256 hash (old entries do not necessarily have one)

Categories

(NSS :: CA Certificates Code, enhancement, P3)

enhancement

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: beurdouche, Assigned: jschanck)

References

Details

(Whiteboard: [nss-fx])

Attachments

(1 file)

No description provided.
Severity: -- → N/A
Type: task → enhancement
Flags: needinfo?(bbeurdouche)
Priority: -- → P3
QA Contact: jc
Component: Libraries → CA Certificates Code
Flags: needinfo?(bbeurdouche)

Any opinion here? we should probably remove the SHA1 hash from certdata.txt at the same time.

Flags: needinfo?(rrelyea)
Flags: needinfo?(kwilson)
Flags: needinfo?(jschanck)
Flags: needinfo?(dkeeler)

The should overlap. We ship certdata.txt to on platforms with old versions of NSS, so we can't have SHA1 just disappear from them. I think the MD5 hashes could go away, though.

bob

Flags: needinfo?(rrelyea)

Sounds like it might be beneficial to separate the data itself from how NSS uses it, but based on where we are and that old versions of NSS apparently need the SHA1 hashes, looks like we shouldn't remove them yet.

Flags: needinfo?(dkeeler)

I'm fine with keeping both the SHA1 and SHA256 hashes in certdata.txt.

Flags: needinfo?(kwilson)
Flags: needinfo?(jschanck)
Assignee: nobody → jschanck

The patch I just attached was produced by reading certificates out of the builtin token and re-processing them with the current version of addbuiltin. I've copied the script I used below (you'll need to set NSS_LIB appropriately if you want to reproduce). I ran into Bug 456858 for the two certificates that have the nickname "Autoridad de Certificacion Firmaprofesional CIF A62634068".

I don't think there will be any backwards compatibility issues here. NSS does not use the fingerprint comments, and any scripts (like those maintained by curl) that read certdata.txt already have to handle the SHA256 hashes in recent additions.

A separate question is whether we want a SHA256 hash stored in the token itself, or if we want to remove the MD5 and SHA1 hashes from the token. I don't think that is worth our time at the moment.

#!/bin/bash

NSS_LIB=/home/john/repos/dist/Debug/lib

WORK=/tmp/nssdb/
LIST=${WORK}/list.txt
OUT=${WORK}/certdata.txt

rm -rf ${WORK}
mkdir -p ${WORK}
modutil -force -dbdir "sql:${WORK}" -create
modutil -force -dbdir "sql:${WORK}" -add "nssckbi" -libfile "${NSS_LIB}/libnssckbi.so"

certutil -d "sql:${WORK}" -L -h "Builtin Object Token" | grep Builtin > ${LIST}
sed -i 's/\s*\(C\?,C\?,C\?\)\s*$/;\1/' ${LIST}

while IFS=";" read -r name trust
do
    certutil -d "sql:${WORK}" -L -n "${name}" -r 1> "${WORK}/${name}.der"
    addbuiltin -t "${trust}" -n "${name/Builtin Object Token:/}" -i "${WORK}/${name}.der"
done < ${LIST} >> ${OUT}
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Whiteboard: [nss-fx]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: