Hi Mozilla Team,
Reporting a regression in the PEM column of
MozillaIntermediateCertsCSVReport (snapshot 2026-05-07) downloaded from
https://ccadb.my.salesforce-sites.com/mozilla/MozillaIntermediateCertsCSVReport
.
18 rows have a blank line directly after the pre-encapsulation boundary —
the byte sequence is -----BEGIN CERTIFICATE-----\n\nMII… instead of -----BEGIN
CERTIFICATE-----\nMII…. This violates RFC 7468 §3 ("There is no blank line
between the pre-encapsulation boundary and the encapsulated text") and is
rejected outright by strict PEM parsers. The same bug also appears to throw
the wrap counter for the rest of the body in those 18 rows, producing
pathological 64/1/62/2/… line widths.
The underlying certificate data is fine — every PEM still decodes to a cert
whose SHA-256 matches the row's SHA256 column — so this is purely a
CSV-generator regression.
Affected rows are all Amazon S-series intermediates:
- Amazon ECDSA 256 S06–S09 (4 certs, issued by Amazon Root CA 4)
- Amazon ECDSA 384 S06–S13 (8 certs, issued by Amazon Root CA 4)
- Amazon RSA 2048 S06–S11 (6 certs, issued by Amazon Root CA 1)
Happy to share the full list of 18 SHA-256s or the analysis script if
useful.
Thanks,
Anupama M
--
You received this message because you are subscribed to the Google Groups
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAH1i096XJFQWv_%2BiCnbiwjny0woK9a3GGW4yos%2BZJWVSNB_V1g%40mail.gmail.com.
