Update the builtin entries with a SHA2-256 hash (old entries do not necessarily have one)
Categories: NSS :: CA Certificates Code, enhancement, P3
Tracking: Not tracked
People: Reporter: beurdouche, Assigned: jschanck
References
Details: Whiteboard [nss-fx]
Attachments: 1 file
Comment 1 (Reporter) • 4 years ago
Any opinion here? We should probably remove the SHA1 hash from certdata.txt at the same time.
Comment 2 • 4 years ago
They should overlap. We ship certdata.txt on platforms with old versions of NSS, so we can't have SHA1 just disappear from them. I think the MD5 hashes could go away, though.
bob
Comment 3 • 4 years ago
Sounds like it might be beneficial to separate the data itself from how NSS uses it, but based on where we are and that old versions of NSS apparently need the SHA1 hashes, looks like we shouldn't remove them yet.
Comment 4 • 4 years ago
I'm fine with keeping both the SHA1 and SHA256 hashes in certdata.txt.
Comment 5 (Assignee) • 4 years ago
Comment 6 (Assignee) • 4 years ago
The patch I just attached was produced by reading certificates out of the builtin token and re-processing them with the current version of addbuiltin. I've copied the script I used below (you'll need to set NSS_LIB appropriately if you want to reproduce). I ran into Bug 456858 for the two certificates that have the nickname "Autoridad de Certificacion Firmaprofesional CIF A62634068".
I don't think there will be any backwards compatibility issues here. NSS does not use the fingerprint comments, and any scripts (like those maintained by curl) that read certdata.txt already have to handle the SHA256 hashes in recent additions.
A separate question is whether we want a SHA256 hash stored in the token itself, or if we want to remove the MD5 and SHA1 hashes from the token. I don't think that is worth our time at the moment.
#!/bin/bash
# Re-export every certificate in the builtin token (libnssckbi) and run it
# through the current addbuiltin so each certdata.txt entry gets the current
# fingerprint comments. NSS_LIB must point at the directory holding libnssckbi.so.
NSS_LIB=/home/john/repos/dist/Debug/lib
WORK=/tmp/nssdb/
LIST=${WORK}/list.txt
OUT=${WORK}/certdata.txt

# Start from an empty sqlite DB and load the builtin module into it.
rm -rf "${WORK}"
mkdir -p "${WORK}"
modutil -force -dbdir "sql:${WORK}" -create
modutil -force -dbdir "sql:${WORK}" -add "nssckbi" -libfile "${NSS_LIB}/libnssckbi.so"

# List the builtin certs, then rewrite each line as "nickname;trust" so the
# trailing trust column (C,C,C with each C optional) can be split off on IFS.
certutil -d "sql:${WORK}" -L -h "Builtin Object Token" | grep Builtin > "${LIST}"
sed -i 's/\s*\(C\?,C\?,C\?\)\s*$/;\1/' "${LIST}"

# Export each cert as DER and feed it to addbuiltin with its trust flags and the
# token prefix stripped from the nickname; the loop's stdout becomes certdata.txt.
while IFS=";" read -r name trust
do
    certutil -d "sql:${WORK}" -L -n "${name}" -r 1> "${WORK}/${name}.der"
    addbuiltin -t "${trust}" -n "${name/Builtin Object Token:/}" -i "${WORK}/${name}.der"
done < "${LIST}" >> "${OUT}"
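Comment 6 notes that consumers of certdata.txt (such as curl's bundle scripts) already cope with entries that carry a SHA256 fingerprint comment and entries that do not. The following is an added example, not code from this bug, from NSS or from addbuiltin, showing how such a consumer can decode the CKA_VALUE MULTILINE_OCTAL body of an entry, recompute the MD5, SHA1 and SHA-256 fingerprints over the DER bytes, and compare them with the "# Fingerprint (...)" comment lines, reporting entries whose SHA-256 comment is missing or wrong. The exact wording of the fingerprint comment labels and the sample DER bytes are assumptions made here (the bytes are constructed and are not a real certificate); the octal-body format follows certdata.txt.

```python
"""Added example (not NSS/addbuiltin code): check certdata.txt-style fingerprint comments."""
import hashlib
import re

# Constructed sample: NOT a real certificate, only DER-looking bytes (a short
# SEQUENCE) so the encoding and fingerprint logic can be exercised offline.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x05, 0x00, 0xFF])

# Comment labels as assumed here; the wording addbuiltin emits may differ.
LABELS = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA-256"}


def to_multiline_octal(data: bytes, per_line: int = 16) -> str:
    """Encode bytes as the \\ooo octal escapes certdata.txt uses for CKA_VALUE."""
    lines = []
    for i in range(0, len(data), per_line):
        lines.append("".join("\\%03o" % b for b in data[i:i + per_line]))
    return "CKA_VALUE MULTILINE_OCTAL\n" + "\n".join(lines) + "\nEND\n"


def from_multiline_octal(entry: str) -> bytes:
    """Decode the octal lines between 'CKA_VALUE MULTILINE_OCTAL' and 'END'."""
    m = re.search(r"CKA_VALUE MULTILINE_OCTAL\n(.*?)\nEND", entry, re.S)
    if not m:
        raise ValueError("entry has no MULTILINE_OCTAL block")
    return bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", m.group(1)))


def fingerprint(data: bytes, algo: str) -> str:
    """Colon-separated upper-case hex digest of the DER bytes (fingerprint style)."""
    digest = hashlib.new(algo, data).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_entry(name: str, der: bytes, algos=("md5", "sha1", "sha256")) -> str:
    """Emit an entry with the chosen fingerprint comments followed by the octal body.
    Passing only ("md5", "sha1") mimics an old entry that lacks a SHA-256 comment."""
    out = ['# Certificate "%s"' % name]
    for a in algos:
        out.append("# Fingerprint (%s):" % LABELS[a])
        out.append("# " + fingerprint(der, a))
    return "\n".join(out) + "\n" + to_multiline_octal(der)


def check_entry(entry: str) -> dict:
    """Recompute every fingerprint from the DER body and compare with the comments.
    Returns a per-algorithm status: 'ok', 'mismatch' or 'missing'."""
    der = from_multiline_octal(entry)
    result = {}
    for algo, label in LABELS.items():
        pattern = r"# Fingerprint \(%s\):\n# ([0-9A-F:]+)" % re.escape(label)
        m = re.search(pattern, entry)
        if not m:
            result[algo] = "missing"
        elif m.group(1) == fingerprint(der, algo):
            result[algo] = "ok"
        else:
            result[algo] = "mismatch"
    return result


if __name__ == "__main__":
    old_style = build_entry("Example Root (constructed)", SAMPLE_DER, ("md5", "sha1"))
    print(check_entry(old_style))   # sha256 is reported as missing for an old entry
    print(check_entry(build_entry("Example Root (constructed)", SAMPLE_DER)))
```

A 'mismatch' result is the case worth alerting on: a fingerprint comment is informational for NSS itself, but a downstream tool that trusts the comment instead of hashing the DER body would pin the wrong value. Recomputing from the body, as above, makes the comment a cross-check rather than a source of truth.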
Comment 8 (Reporter) • 3 years ago