[Bug 1207004] Re: certdata2pem.py doesn't handle CKT_NSS_MUST_VERIFY_TRUST
** Changed in: ca-certificates (Debian)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1207004

Title:
  certdata2pem.py doesn't handle CKT_NSS_MUST_VERIFY_TRUST

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1207004/+subscriptions
-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1207004] Re: certdata2pem.py doesn't handle CKT_NSS_MUST_VERIFY_TRUST
** Changed in: ca-certificates (Debian)
   Status: New => Fix Committed
[Bug 1207004] Re: certdata2pem.py doesn't handle CKT_NSS_MUST_VERIFY_TRUST
Please request a CVE number for this issue.
[Bug 1207004] Re: certdata2pem.py doesn't handle CKT_NSS_MUST_VERIFY_TRUST
** Changed in: ca-certificates (Ubuntu)
   Assignee: Marc Deslauriers (mdeslaur) => (unassigned)
[Bug 1207004] Re: certdata2pem.py doesn't handle CKT_NSS_MUST_VERIFY_TRUST
** Changed in: ca-certificates (Debian)
   Status: Unknown => New
[Bug 1207004] Re: certdata2pem.py doesn't handle CKT_NSS_MUST_VERIFY_TRUST
So, I've been looking into this. The relevant code in certdata2pem.py is:

    elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
                                          'CKT_NSS_TRUSTED_DELEGATOR'):
        trust[obj['CKA_LABEL']] = True
    elif obj['CKA_TRUST_EMAIL_PROTECTION'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
                                               'CKT_NSS_TRUSTED_DELEGATOR'):
        trust[obj['CKA_LABEL']] = True

In Debian and Ubuntu, ca-certificates is not only used for web certificates, but also for email certificates. Even if Verisign_Class_1_Public_Primary_Certification_Authority.pem is marked as CKT_NSS_MUST_VERIFY_TRUST for CKA_TRUST_SERVER_AUTH, it is marked as CKT_NSS_TRUSTED_DELEGATOR for CKA_TRUST_EMAIL_PROTECTION, which is why it is included. I believe omitting certs that are valid for CKA_TRUST_EMAIL_PROTECTION will break email S/MIME verification.

** Information type changed from Private Security to Public Security
[Bug 1207004] Re: certdata2pem.py doesn't handle CKT_NSS_MUST_VERIFY_TRUST
I had a long discussion with Marc-Andre Lemburg about the issue. He maintains the eGenix pyOpenSSL distribution which also contains root CA certs. He did some tests with TRUST settings but apparently OpenSSL ignores them. Eventually we came up with the idea to split the CA bundle into multiple files: a separate file for each purpose. See http://www.egenix.com/products/python/pyOpenSSL/
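The two messages above (the certdata2pem.py excerpt that admits a root as soon as any one purpose is CKT_NSS_TRUSTED_DELEGATOR, and the proposal to ship one bundle per purpose) are illustrated by the following added example. It is not certdata2pem.py and not code from Debian, Ubuntu or eGenix; it parses the CKO_NSS_TRUST objects from a constructed certdata.txt fragment (labels, trust values and the short octal blob are made up) and sorts each label into a per-purpose list, so a root that is MUST_VERIFY_TRUST for server auth but TRUSTED_DELEGATOR for e-mail ends up only in the e-mail bundle. The bundle names ("server-auth", "email", "code-signing") and the treatment of a missing attribute as MUST_VERIFY_TRUST are this example's own choices.

```python
"""Sort NSS certdata.txt trust objects into one bundle per purpose.

Added example, not certdata2pem.py.  Since OpenSSL ignores the NSS
trust bits inside a single PEM bundle, the only way to express
"trusted for e-mail but not for TLS server auth" to an OpenSSL client
is to hand it a separate bundle per purpose.
"""
from collections import defaultdict

# Constructed sample in the certdata.txt layout (all names and values
# invented).  One certificate object is included only to exercise the
# MULTILINE_OCTAL parsing path; the bytes are not a real certificate.
SAMPLE_CERTDATA = """\
# Certificate "Example Web Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Web Root"
CKA_VALUE MULTILINE_OCTAL
\\060\\202
\\001\\002
END

# Trust for "Example Legacy Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Legacy Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Trust for "Example Web Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Web Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Trust for "Example Revoked Root" (explicitly distrusted)
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Revoked Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
"""

# Trust attribute -> bundle name.  The bundle names are our own choice.
PURPOSES = {
    "CKA_TRUST_SERVER_AUTH": "server-auth",
    "CKA_TRUST_EMAIL_PROTECTION": "email",
    "CKA_TRUST_CODE_SIGNING": "code-signing",
}

# Old CKT_NETSCAPE_* and current CKT_NSS_* spellings both occur; treat alike.
TRUSTED = {"CKT_NETSCAPE_TRUSTED_DELEGATOR", "CKT_NSS_TRUSTED_DELEGATOR"}
DISTRUSTED = {"CKT_NETSCAPE_UNTRUSTED", "CKT_NSS_NOT_TRUSTED"}


def parse_objects(text):
    """Return a list of objects, each a dict of CKA_* name -> value.

    Objects are separated by blank lines; comment lines are skipped.  An
    attribute line is 'NAME TYPE VALUE'; quoted UTF8 values lose their
    quotes and MULTILINE_OCTAL blobs are collected up to END as bytes.
    """
    objects, current = [], {}
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if line.startswith("#"):
            continue
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        parts = line.split(" ", 2)
        name, ctype = parts[0], parts[1]
        if ctype == "MULTILINE_OCTAL":
            blob = bytearray()
            for raw in lines:                      # consume until END
                if raw.strip() == "END":
                    break
                blob.extend(int(o, 8) for o in raw.strip().split("\\")[1:])
            current[name] = bytes(blob)
            continue
        value = parts[2]
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        current[name] = value
    if current:
        objects.append(current)
    return objects


def split_by_purpose(text):
    """Return ({bundle: sorted labels}, {label: purposes explicitly distrusted}).

    A label enters a purpose's bundle only when its trust object says
    TRUSTED_DELEGATOR for that purpose.  MUST_VERIFY_TRUST (also assumed
    for a missing attribute) means "no explicit trust here", so the label
    is simply left out; NOT_TRUSTED is reported separately so a caller
    can drop or blacklist the certificate instead of just omitting it.
    """
    bundles, distrusted = defaultdict(set), defaultdict(set)
    for obj in parse_objects(text):
        if obj.get("CKA_CLASS") != "CKO_NSS_TRUST":
            continue
        label = obj["CKA_LABEL"]
        for attr, bundle in PURPOSES.items():
            value = obj.get(attr, "CKT_NSS_MUST_VERIFY_TRUST")
            if value in TRUSTED:
                bundles[bundle].add(label)
            elif value in DISTRUSTED:
                distrusted[label].add(bundle)
    return ({k: sorted(v) for k, v in bundles.items()},
            {k: sorted(v) for k, v in distrusted.items()})


if __name__ == "__main__":
    bundles, distrusted = split_by_purpose(SAMPLE_CERTDATA)
    for name, labels in sorted(bundles.items()):
        print(f"{name}: {labels}")
    print("explicitly distrusted:", distrusted)
```

Against the sample, "Example Legacy Root" appears only in the email list and "Example Web Root" only in the server-auth list, which is exactly the distinction the single-bundle `trust[label] = True` logic in certdata2pem.py cannot express; the revoked root appears in no bundle and is reported as distrusted for all three purposes.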
[Bug 1207004] Re: certdata2pem.py doesn't handle CKT_NSS_MUST_VERIFY_TRUST
I've filed an upstream bug with Debian.

** Bug watch added: Debian Bug tracker #721976
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721976

** Also affects: ca-certificates (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721976
   Importance: Unknown
   Status: Unknown

** Changed in: ca-certificates (Ubuntu)
   Status: New => Confirmed