** Changed in: ca-certificates (Debian)
       Status: New => Fix Committed
--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1207004

Title:
  certdata2pem.py doesn't handle CKT_NSS_MUST_VERIFY_TRUST

Status in ca-certificates package in Ubuntu:
  Confirmed
Status in ca-certificates package in Debian:
  Fix Committed

Bug description:
  Hello,

  I'm a Python core developer and hobbyist security researcher. While I was working on my own parser for Mozilla's certdata.txt [1], I found an issue in curl's mk-ca-bundle.pl script. Today I found the same issue in Debian's and Ubuntu's script.

  The Python script ./mozilla/certdata2pem.py of ca-certificates-20120623 doesn't handle the flag CKT_NSS_MUST_VERIFY_TRUST. The flag was introduced in revision 1.84 of certdata.txt, see [2]. The PKCS#11 glue documentation [3] of the freedesktop.org project has some background information on the flag, too. Quote:

  ---
  The certificate is not a trusted anchor (even if a later trust record in another PKCS #11 module says this cert should be trusted). If the marked certificate is self-signed, then this is semantically equivalent to CKT_NSS_NOT_TRUSTED, except NSS will return a different error code (unknown CA for CKT_NSS_MUST_VERIFY_TRUST versus untrusted CA for CKT_NSS_NOT_TRUSTED).
  ---

  May I suggest that you reverse the check and distrust any certificate unless it was explicitly flagged as a trusted delegator and root CA cert? In the context of cryptography and TLS it is more secure to omit a root CA cert than to wrongly ship a bogus cert. By the way, Adam Langley [4] uses the same approach [5].

  My Ubuntu box has files like Verisign_Class_1_Public_Primary_Certification_Authority.pem in the /etc/ssl/certs/ directory. According to my script, "Verisign Class 1 Public Primary Certification Authority" is flagged as CKT_NSS_MUST_VERIFY_TRUST for CKA_TRUST_SERVER_AUTH [6].
  $ LC_ALL=C apt-cache policy ca-certificates
  ca-certificates:
    Installed: 20120623
    Candidate: 20120623
    Version table:
   *** 20120623 0
          500 http://de.archive.ubuntu.com/ubuntu/ quantal/main amd64 Packages
          100 /var/lib/dpkg/status

  $ LC_ALL=C lsb_release -a
  LSB Version:    core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch:core-4.0-amd64:core-4.0-noarch
  Distributor ID: Ubuntu
  Description:    Ubuntu 12.10
  Release:        12.10
  Codename:       quantal

  Regards,
  Christian

  [1] https://bitbucket.org/tiran/storeroom/
  [2] http://lists.debian.org/debian-release/2012/11/msg00411.html
  [3] http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-existing.html
  [4] https://www.imperialviolet.org/2012/01/30/mozillaroots.html
  [5] https://github.com/agl/extract-nss-root-certs/blob/master/convert_mozilla_certdata.go#L251
  [6] https://bitbucket.org/tiran/storeroom/src/e24eef16ff64041ab7792a907f0d69f7b19cd624/certdata/certs.py?at=default#cl-4411

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1207004/+subscriptions
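The allow-list policy the report proposes (ship a root only when its CKO_NSS_TRUST record says CKT_NSS_TRUSTED_DELEGATOR for the usage in question), worked through as an added example. This is not certdata2pem.py, curl's mk-ca-bundle.pl or agl's converter; it is a small stand-alone parser for the certdata.txt object syntax (blank-line-separated objects, `ATTR TYPE VALUE` lines, `MULTILINE_OCTAL ... END` blocks) with two selection policies side by side. The sample input is constructed for this example: the labels are invented, the CKA_VALUE bytes are placeholders rather than real DER certificates, and trust records are joined to certificates by CKA_LABEL, which is a simplification (a production converter would also check CKA_ISSUER and CKA_SERIAL_NUMBER).

```python
"""Added example: parse certdata.txt-style objects and apply an allow-list trust policy."""
import base64
import re

# Constructed sample in certdata.txt syntax (not real Mozilla data; CKA_VALUE bytes are placeholders).
SAMPLE_CERTDATA = r'''
# constructed entries for the example

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
\001\002\003\004
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Must Verify Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\000
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Must Verify Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\000
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
'''

_OCTAL = re.compile(r'\\([0-7]{3})')
TRUSTED_DELEGATOR = 'CKT_NSS_TRUSTED_DELEGATOR'
NOT_TRUSTED = 'CKT_NSS_NOT_TRUSTED'


def parse_certdata(text):
    """Return a list of dicts, one per object; '#' lines are comments, blank lines end an object."""
    objects, current, lines = [], {}, iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if line.startswith('#'):
            continue
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        parts = line.split(None, 2)          # ATTR TYPE [VALUE]
        attr, typ = parts[0], parts[1]
        if typ == 'MULTILINE_OCTAL':         # octal escapes up to a line reading END
            raw = []
            for body in lines:
                if body.strip() == 'END':
                    break
                raw.append(body.strip())
            current[attr] = bytes(int(o, 8) for o in _OCTAL.findall(''.join(raw)))
        elif typ == 'UTF8':
            current[attr] = parts[2].strip('"')
        else:
            current[attr] = parts[2]
    if current:
        objects.append(current)
    return objects


def select_roots(objects, usage='CKA_TRUST_SERVER_AUTH', allow_list=True):
    """Labels of certificates to ship as anchors for `usage`.

    allow_list=True : ship only when the trust record is CKT_NSS_TRUSTED_DELEGATOR (default deny).
    allow_list=False: ship unless the record is CKT_NSS_NOT_TRUSTED; this illustrative deny-list
                      lets CKT_NSS_MUST_VERIFY_TRUST (and a missing record) through.
    """
    trust = {o['CKA_LABEL']: o for o in objects if o['CKA_CLASS'] == 'CKO_NSS_TRUST'}
    shipped = []
    for obj in objects:
        if obj['CKA_CLASS'] != 'CKO_CERTIFICATE':
            continue
        flag = trust.get(obj['CKA_LABEL'], {}).get(usage)   # None if no trust record
        ok = flag == TRUSTED_DELEGATOR if allow_list else flag != NOT_TRUSTED
        if ok:
            shipped.append(obj['CKA_LABEL'])
    return shipped


def to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode('ascii')
    body = '\n'.join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return '-----BEGIN CERTIFICATE-----\n' + body + '\n-----END CERTIFICATE-----\n'


if __name__ == '__main__':
    objs = parse_certdata(SAMPLE_CERTDATA)
    print('deny-list policy ships :', select_roots(objs, allow_list=False))
    print('allow-list policy ships:', select_roots(objs))
```

With the constructed input, the deny-list policy ships the CKT_NSS_MUST_VERIFY_TRUST root for server auth; the allow-list policy ships only the explicitly trusted delegator, which is the behaviour the report argues for. Passing `usage='CKA_TRUST_EMAIL_PROTECTION'` shows the same root being accepted for S/MIME, since trust is per usage.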