** Changed in: ca-certificates (Debian)
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1207004

Title:
  certdata2pem.py doesn't handle CKT_NSS_MUST_VERIFY_TRUST

Status in ca-certificates package in Ubuntu:
  Confirmed
Status in ca-certificates package in Debian:
  Fix Committed

Bug description:
  Hello,

  I'm a Python core developer and hobbyist security researcher. While I
  was working on my own parser for Mozilla's certdata.txt [1] I found
  an issue in curl's mk-ca-bundle.pl script. Today I found the same issue in
  Debian's and Ubuntu's script.

  The Python script ./mozilla/certdata2pem.py of ca-certificates-20120623
  doesn't handle the flag CKT_NSS_MUST_VERIFY_TRUST.
  The flag was introduced in revision 1.84 of certdata.txt, see [2].

  The PKCS#11 glue documentation [3] of the freedesktop.org project has
  some background information on the flag, too. Quote:
  ---
  The certificate is not a trusted anchor (even if a later trust record
  in another PKCS #11 module says this cert should be trusted). If the
  marked certificate is self-signed, then this is semantically
  equivalent to CKT_NSS_NOT_TRUSTED, except NSS will return a different
  error code (unknown CA for CKT_NSS_MUST_VERIFY_TRUST versus untrusted
  CA for CKT_NSS_NOT_TRUSTED).
  ---

  May I suggest that you reverse the check and distrust any certificate
  unless it was explicitly flagged as a trusted delegator and root CA
  cert? In the context of cryptography and TLS it is more secure to omit a
  root CA cert than to wrongly ship a bogus cert. By the way, Adam
  Langley [4] uses the same approach [5].

  My Ubuntu box has files like
  Verisign_Class_1_Public_Primary_Certification_Authority.pem
  in the /etc/ssl/certs/ directory. According to my script
  "Verisign Class 1 Public Primary Certification Authority"
  is flagged as CKT_NSS_MUST_VERIFY_TRUST for CKA_TRUST_SERVER_AUTH [6].

  $ LC_ALL=C apt-cache policy ca-certificates
  ca-certificates:
    Installed: 20120623
    Candidate: 20120623
    Version table:
   *** 20120623 0
          500 http://de.archive.ubuntu.com/ubuntu/ quantal/main amd64 Packages
          100 /var/lib/dpkg/status

  $ LC_ALL=C lsb_release -a
  LSB Version:    core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch:core-4.0-amd64:core-4.0-noarch
  Distributor ID: Ubuntu
  Description:    Ubuntu 12.10
  Release:        12.10
  Codename:       quantal

  Regards,
  Christian

  [1] https://bitbucket.org/tiran/storeroom/
  [2] http://lists.debian.org/debian-release/2012/11/msg00411.html
  [3] http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-existing.html
  [4] https://www.imperialviolet.org/2012/01/30/mozillaroots.html
  [5] https://github.com/agl/extract-nss-root-certs/blob/master/convert_mozilla_certdata.go#L251
  [6] https://bitbucket.org/tiran/storeroom/src/e24eef16ff64041ab7792a907f0d69f7b19cd624/certdata/certs.py?at=default#cl-4411
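The allowlist-versus-denylist distinction the report argues for, as an added example that is not part of the bug report and not code from certdata2pem.py: a small parser for CKO_NSS_TRUST records in certdata.txt syntax, run over a constructed three-record sample, showing that a check which only excludes CKT_NSS_NOT_TRUSTED ships the CKT_NSS_MUST_VERIFY_TRUST root while a check that requires CKT_NSS_TRUSTED_DELEGATOR does not. The record layout and attribute names follow the real file; the labels and the function names are assumptions made for this example.

```python
"""Allowlist filtering of Mozilla certdata.txt trust records (added example).
A denylist that only drops CKT_NSS_NOT_TRUSTED lets CKT_NSS_MUST_VERIFY_TRUST
roots through; requiring CKT_NSS_TRUSTED_DELEGATOR explicitly does not."""

# Constructed sample: three CKO_NSS_TRUST objects in certdata.txt syntax,
# reduced to the attributes that matter here (real records carry more).
SAMPLE_CERTDATA = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA (trusted)"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA (must verify)"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA (distrusted)"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
"""


def parse_trust_records(text):
    """Return one {attribute: value} dict per blank-line separated object
    whose CKA_CLASS is CKO_NSS_TRUST. Attribute lines are 'ATTR TYPE VALUE';
    anything else (comments, MULTILINE_OCTAL bodies, END) is skipped."""
    records = []
    for block in text.split("\n\n"):
        obj = {}
        for line in block.splitlines():
            parts = line.split(" ", 2)
            if len(parts) == 3 and not line.startswith("#"):
                obj[parts[0]] = parts[2].strip('"')
        if obj.get("CKA_CLASS") == "CKO_NSS_TRUST":
            records.append(obj)
    return records


def denylist_server_auth(records):
    """Denylist rule: ship unless explicitly NOT_TRUSTED (MUST_VERIFY leaks)."""
    return [r["CKA_LABEL"] for r in records
            if r.get("CKA_TRUST_SERVER_AUTH") != "CKT_NSS_NOT_TRUSTED"]


def allowlist_server_auth(records):
    """Allowlist rule the report recommends: only explicit TRUSTED_DELEGATOR."""
    return [r["CKA_LABEL"] for r in records
            if r.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_TRUSTED_DELEGATOR"]
```

The denylist also lets a record with no CKA_TRUST_SERVER_AUTH attribute at all through, which is the same failure mode as an unrecognised flag value; the allowlist rejects both.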
