Skip to content

Commit

Permalink
x509roots/nss: manually exclude a confusingly constrained root
Browse files Browse the repository at this point in the history
Fixes golang/go#61963

Change-Id: I16920d160af74772ef5aa650d1274e07c3ca9adc
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/562475
Reviewed-by: Filippo Valsorda <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
  • Loading branch information
rolandshoemaker committed Feb 8, 2024
1 parent 405cb3b commit 62c9f17
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 28 deletions.
28 changes: 0 additions & 28 deletions x509roots/fallback/bundle.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

17 changes: 17 additions & 0 deletions x509roots/nss/parser.go
Original file line number Diff line number Diff line change
Expand Up @@ -147,6 +147,20 @@ func parseTrustClass(s *bufio.Scanner) ([sha1.Size]byte, *trustObj, error) {
return h, to, nil
}

// manualExclusions contains a map of SHA1 fingerprints of roots that we manually exclude
// from the bundle for various reasons.
var manualExclusions = map[string]bool{
// TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
// We exclude this root because mozilla manually constrains this root to
// issue names under .tr, but this information is only encoded in the CCADB
// IncludedCACertificateReport, in a field the format of which is
// undocumented, and is only used for this particular certificate. Rather
// than adding special parsing for this, we skip it. When code constraint
// support is available, we may also want to simply add a manual constraint,
// rather than a manual exclusion.
"3143649becce27eced3a3f0b8f0de4e891ddeeca": true,
}

// Parse parses a NSS certdata.txt formatted file, returning only
// trusted serverAuth roots, as well as any additional constraints. This parser
// is very opinionated, only returning roots that are currently trusted for
Expand Down Expand Up @@ -248,6 +262,9 @@ func Parse(r io.Reader) ([]*Certificate, error) {
if !e.trust.trusted {
continue
}
if manualExclusions[fmt.Sprintf("%x", h)] {
continue
}
nssCert := &Certificate{X509: e.cert.c}
if e.cert.DistrustAfter != nil {
nssCert.Constraints = append(nssCert.Constraints, DistrustAfter(*e.cert.DistrustAfter))
Expand Down

0 comments on commit 62c9f17

Please sign in to comment.