From 62c9f1799c91aef0744179032e30fda3761e79f7 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker
Date: Wed, 7 Feb 2024 10:41:04 -0800
Subject: [PATCH] x509roots/nss: manually exclude a confusingly constrained root

Fixes golang/go#61963

Change-Id: I16920d160af74772ef5aa650d1274e07c3ca9adc
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/562475
Reviewed-by: Filippo Valsorda
LUCI-TryBot-Result: Go LUCI
Reviewed-by: Dmitri Shuralyov
---
 x509roots/fallback/bundle.go | 28 ----------------------------
 x509roots/nss/parser.go | 17 +++++++++++++++++
 2 files changed, 17 insertions(+), 28 deletions(-)

diff --git a/x509roots/fallback/bundle.go b/x509roots/fallback/bundle.go
index a666f5f742..460c57b4d8 100644
--- a/x509roots/fallback/bundle.go
+++ b/x509roots/fallback/bundle.go
@@ -3078,34 +3078,6 @@ WL6ukK2YJ5f+AbGwUgC4TeQbIXQbfsDuXmkqJa9c1h3a0nnJ85cp4IaH3gRZD/FZ e9eiPZaGzPImNC1qkp2aGtAw4l1OBLBfiyB+d8E9lYLRRpo7PHi4b6HQDWSieB4p TpPDpFQUWw== -----END CERTIFICATE----- -# CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR -# 46edc3689046d53a453fb3104ab80dcaec658b2660ea1629dd7e867990648716 ------BEGIN CERTIFICATE----- -MIIEYzCCA0ugAwIBAgIBATANBgkqhkiG9w0BAQsFADCB0jELMAkGA1UEBhMCVFIx -GDAWBgNVBAcTD0dlYnplIC0gS29jYWVsaTFCMEAGA1UEChM5VHVya2l5ZSBCaWxp -bXNlbCB2ZSBUZWtub2xvamlrIEFyYXN0aXJtYSBLdXJ1bXUgLSBUVUJJVEFLMS0w -KwYDVQQLEyRLYW11IFNlcnRpZmlrYXN5b24gTWVya2V6aSAtIEthbXUgU00xNjA0 -BgNVBAMTLVRVQklUQUsgS2FtdSBTTSBTU0wgS29rIFNlcnRpZmlrYXNpIC0gU3Vy -dW0gMTAeFw0xMzExMjUwODI1NTVaFw00MzEwMjUwODI1NTVaMIHSMQswCQYDVQQG -EwJUUjEYMBYGA1UEBxMPR2ViemUgLSBLb2NhZWxpMUIwQAYDVQQKEzlUdXJraXll -IEJpbGltc2VsIHZlIFRla25vbG9qaWsgQXJhc3Rpcm1hIEt1cnVtdSAtIFRVQklU -QUsxLTArBgNVBAsTJEthbXUgU2VydGlmaWthc3lvbiBNZXJrZXppIC0gS2FtdSBT -TTE2MDQGA1UEAxMtVFVCSVRBSyBLYW11IFNNIFNTTCBLb2sgU2VydGlmaWthc2kg -LSBTdXJ1bSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr3UwM6q7 -a9OZLBI3hNmNe5eA027n/5tQlT6QlVZC1xl8JoSNkvoBHToP4mQ4t4y86Ij5iySr -LqP1N+RAjhgleYN1Hzv/bKjFxlb4tO2KRKOrbEz8HdDc72i9z+SqzvBV96I01INr -N3wcwv61A+xXzry0tcXtAA9TNypN9E8Mg/uGz8v+jE69h/mniyFXnHrfA2eJLJ2X -YacQuFWQfw4tJzh03+f92k4S400VIgLI4OD8D62K18lUUMw7D8oWgITQUVbDjlZ/ -iSIzL+aFCr2lqBs23tPcLG07xxO9WSMs5uWk99gL7eqQQESolbuT1dCANLZGeA4f -AJNG4e7p+exPFwIDAQABo0IwQDAdBgNVHQ4EFgQUZT/HiobGPN08VFw1+DrtUgxH -V8gwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL -BQADggEBACo/4fEyjq7hmFxLXs9rHmoJ0iKpEsdeV31zVmSAhHqT5Am5EM2fKifh -AHe+SMg1qIGf5LgsyX8OsNJLN13qudULXjS99HMpw+0mFZx+CFOKWI3QSyjfwbPf -IPP54+M638yclNhOT8NrF7f3cuitZjO1JVOr4PhMqZ398g26rrnZqsZr+ZO7rqu4 -lzwDGrpDxpa5RXI4s6ehlj2Re37AIVNMh+3yC1SVUZPVIqUNivGTDj5UDrDYyU7c -8jEyVupk+eq1nRZmQnLzf9OxMUP8pI4X8W0jq5Rm+K37DwhuJi1/FwcJsoz7UMCf 
-lo3Ptv0AnVoUmr8CRPXBwp8iXqIPoeM=
------END CERTIFICATE-----
 # CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
 # 59769007f7685d0fcd50872f9f95d5755a5b2b457d81f3692b610a98672f0e1b
 -----BEGIN CERTIFICATE-----
diff --git a/x509roots/nss/parser.go b/x509roots/nss/parser.go
index 1af3e0ae46..feca766e18 100644
--- a/x509roots/nss/parser.go
+++ b/x509roots/nss/parser.go
@@ -147,6 +147,20 @@ func parseTrustClass(s *bufio.Scanner) ([sha1.Size]byte, *trustObj, error) {
 return h, to, nil
 }
 
+// manualExclusions contains a map of SHA1 fingerprints of roots that we manually exclude
+// from the bundle for various reasons.
+var manualExclusions = map[string]bool{
+ // TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
+ // We exclude this root because mozilla manually constrains this root to
+ // issue names under .tr, but this information is only encoded in the CCADB
+ // IncludedCACertificateReport, in a field the format of which is
+ // undocumented, and is only used for this particular certificate. Rather
+ // than adding special parsing for this, we skip it. When code constraint
+ // support is available, we may also want to simply add a manual constraint,
+ // rather than a manual exclusion.
+ "3143649becce27eced3a3f0b8f0de4e891ddeeca": true,
+}
+
 // Parse parses a NSS certdata.txt formatted file, returning only
 // trusted serverAuth roots, as well as any additional constraints. This parser
 // is very opinionated, only returning roots that are currently trusted for
@@ -248,6 +262,9 @@ func Parse(r io.Reader) ([]*Certificate, error) {
 if !e.trust.trusted {
 continue
 }
+ if manualExclusions[fmt.Sprintf("%x", h)] {
+ continue
+ }
 nssCert := &Certificate{X509: e.cert.c}
 if e.cert.DistrustAfter != nil {
 nssCert.Constraints = append(nssCert.Constraints, DistrustAfter(*e.cert.DistrustAfter))
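Review bot: The key of manualExclusions is a lowercase-hex SHA-1 fingerprint, but neither the doc comment nor the entry comment says which digest it is, and the only other identifier this commit gives for the same root is the SHA-256 fingerprint removed from bundle.go (`46edc3689046d53a453fb3104ab80dcaec658b2660ea1629dd7e867990648716`), so a maintainer cannot cross-check the entry against CCADB or the generated bundle without recomputing digests. I would name the digest and record both values in the entry comment, e.g. `// SHA-1 (map key, the fingerprint parseTrustClass returns): 3143649becce27eced3a3f0b8f0de4e891ddeeca` and `// SHA-256: 46edc3689046d53a453fb3104ab80dcaec658b2660ea1629dd7e867990648716`; that the key is the `[sha1.Size]byte` from parseTrustClass is inferred from the signature in the hunk header. The phrase "When code constraint support is available" reads like a typo for "name constraint", given the .tr restriction described two lines earlier — worth confirming before it is copied elsewhere. Since the values are only ever `true`, a `map[string]struct{}` or a `map[string]string` carrying the reason would also make the set intent clearer, though that is a matter of taste.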
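Review bot: An entry in manualExclusions that stops matching — because NSS drops the root, the fingerprint changes, or Mozilla starts encoding the constraint in certdata.txt — is silently dead at this `continue`, so the list can rot with no signal and the workaround outlives its reason. I would record which exclusion keys actually fired during the loop (e.g. `fp := fmt.Sprintf("%x", h)` followed by `if manualExclusions[fp] { seenExclusions[fp] = true; continue }`) and, after the loop, return an error or at least report when a configured exclusion never matched, so a stale entry has to be consciously removed rather than lingering. The skip also deserves a one-line why-comment at the site, e.g. `// Drop roots whose Mozilla-side constraints we cannot represent; see manualExclusions.`, since a trusted root vanishing here is surprising to a reader who has not seen the map. That `h` is the `[sha1.Size]byte` fingerprint is inferred from parseTrustClass's signature in the earlier hunk header, not visible in this hunk. Parse begins and ends outside this hunk.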