All,

We are working towards updating the tool that we use in the CCADB to parse PEM data and fill in the corresponding fields in the CCADB. The new tool is in the TLS Observatory:

https://github.com/mozilla/tls-observatory

Example:
curl https://tls-observatory.services.mozilla.com/api/v1/certificate -F certificate=@/tmp/certificate.pem

There are some differences in the data that will result when we switch to the new tool. Please let me know if you foresee problems with any of these changes.

1) Certificate Serial Number
New value is upper case. (e.g. old: 35def4cf, new: 35DEF4CF)
The new data should be more correct with regard to the handling of leading zeros.

2) SHA-1 Fingerprint and SHA-256 Fingerprint
Removing the colons.
OLD: 08:29:7A:40:47:DB:A2:36:80:C7:31:DB:6E:31:76:53:CA:78:48:E1:BE:BD:3A:0B:01:79:A7:07:F9:2C:F1:78
NEW: 08297A4047DBA23680C731DB6E317653CA7848E1BEBD3A0B0179A707F92CF178

3) Certificate ID
OLD: hash(Subject + SPKI), with colons
NEW: hash(SPKI), no colons
OLD: 4F:31:A6:06:59:45:EA:BC:6A:45:CB:AD:72:D8:0A:20:A4:40:0E:55:05:B9:2A:0C:4C:F1:F6:C1:A3:10:92:9F
NEW: FF5680CD73A5703DA04817A075FD462506A73506C4B81A1583EF549478D26476

4) Signature Hash Algorithm

OLD Values:
ecdsaWithSHA256
ecdsaWithSHA384
md5WithRSAEncryption
sha1WithRSAEncryption
sha256WithRSAEncryption
sha384WithRSAEncryption
sha512WithRSAEncryption
NEW Values:
ecdsaWithSHA256
ecdsaWithSHA384
MD5WithRSA
SHA1WithRSA
SHA256WithRSA
SHA384WithRSA
SHA512WithRSA

5) Key Usage

OLD Values:
cRLSign
digitalSignature
nonRepudiation
keyAgreement
keyEncipherment
keyCertSign

NEW Values:
CRL Sign
Digital Signature
Non Repudiation
Key Encipherment
Certificate Sign
Key Agreement
6) Extended Key Usage

OLD Values:
1.3.6.1.5.5.7.3.9
1.3.6.1.5.5.7.3.5
1.3.6.1.5.5.7.3.6
1.3.6.1.5.5.7.3.7
clientAuth
codeSigning
emailProtection
serverAuth
1.2.840.113583.1.1.5
msSGC
nsSGC

NEW Values:
ExtKeyUsageOCSPSigning
ExtKeyUsageIPSECEndSystem
ExtKeyUsageIPSECTunnel
ExtKeyUsageIPSECUser
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageEmailProtection
ExtKeyUsageServerAuth
ExtKeyUsageTimeStamping
ExtKeyUsageMicrosoftServerGatedCrypto
ExtKeyUsageNetscapeServerGatedCrypto
7) Technically Constrained
Checkbox will be updated according to Mozilla's current policy (e.g. EKU *and* Name Constraints)

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
