git: d3e5558d3168 - stable/13 - caroot: Ignore soft distrust of server CA certificates after 398 days
Date: Sat, 15 Mar 2025 13:56:27 UTC
The branch stable/13 has been updated by michaelo: URL: https://cgit.FreeBSD.org/src/commit/?id=d3e5558d31688688684533e3fc575bc65d5e4b84 commit d3e5558d31688688684533e3fc575bc65d5e4b84 Author: Michael Osipov <michaelo@FreeBSD.org> AuthorDate: 2025-02-20 09:48:48 +0000 Commit: Michael Osipov <michaelo@FreeBSD.org> CommitDate: 2025-03-15 13:56:16 +0000 caroot: Ignore soft distrust of server CA certificates after 398 days Mozilla introduced the field CKA_NSS_SERVER_DISTRUST_AFTER which indicates that a CA certificate will be distrusted in the future before its NotAfter time. This means that the CA stops issuing new certificates, but previous ones are still valid, but at most for 398 days after the distrust date. See also: * https://bugzilla.mozilla.org/show_bug.cgi?id=1465613 * https://github.com/Lukasa/mkcert/issues/19 * https://gitlab.alpinelinux.org/alpine/ca-certificates/-/merge_requests/16 * https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c Tested by: michaelo Reviewed by: emaste MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D49075 (cherry picked from commit 457c03b397c80d44da92684d417a58b3ca1fed02) --- secure/caroot/MAca-bundle.pl | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/secure/caroot/MAca-bundle.pl b/secure/caroot/MAca-bundle.pl index 4feced90d782..58cfe1cbf6fa 100755 --- a/secure/caroot/MAca-bundle.pl +++ b/secure/caroot/MAca-bundle.pl @@ -37,6 +37,8 @@ use strict; use Carp; use MIME::Base64; use Getopt::Long; +use Time::Local qw( timegm_posix ); +use POSIX qw( strftime ); my $generated = '@' . 'generated'; my $inputfh = *STDIN; @@ -101,13 +103,6 @@ EOH } } -# returns a string like YYMMDDhhmmssZ of current time in GMT zone -sub timenow() -{ - my ($sec,$min,$hour,$mday,$mon,$year,undef,undef,undef) = gmtime(time); - return sprintf "%02d%02d%02d%02d%02d%02dZ", $year-100, $mon+1, $mday, $hour, $min, $sec; -} - sub printcert($$$) { my ($fh, $label, $certdata) = @_; 
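Review bot: The added `use Time::Local qw( timegm_posix );` in the first hunk of secure/caroot/MAca-bundle.pl does not state a minimum module version, and `timegm_posix` is only exported by Time::Local 1.30 and later. On a build host whose Perl bundles an older Time::Local, the script aborts at compile time with an export error rather than a version message. Writing the requirement into the import, `use Time::Local 1.30 qw( timegm_posix );`, makes that failure self-explanatory for anyone regenerating the trust bundle.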
@@ -162,10 +157,15 @@ sub grabcert($) if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/) { my $distrust_after = graboct($ifh); - my $time_now = timenow(); - if ($time_now >= $distrust_after) { $distrust = 1; } + my ($year, $mon, $mday, $hour, $min, $sec) = unpack "A2A2A2A2A2A2", $distrust_after; + $distrust_after = timegm_posix( $sec, $min, $hour, $mday, $mon - 1, $year + 100); + my $time_now = time; + # When a CA is distrusted before its NotAfter date, issued certificates + # are valid for a maximum of 398 days after that date. + if ($time_now >= $distrust_after + 398 * 24 * 60 * 60) { $distrust = 1; } if ($debug) { - printf STDERR "line $.: $cka_label ser #%d: distrust after %s, now: %s -> distrust $distrust\n", $serial, $distrust_after, timenow(); + printf STDERR "line $.: $cka_label ser #%d: distrust 398 days after %s, now: %s -> distrust $distrust\n", $serial, + strftime("%FT%TZ", gmtime($distrust_after)), strftime("%FT%TZ", gmtime($time_now)); } if ($distrust) { return undef;
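Review bot: The value returned by graboct() is split with `unpack "A2A2A2A2A2A2"` and passed to timegm_posix() without first checking that it has the 13-character `YYMMDDhhmmssZ` form the removed timenow() comment describes. A short or differently encoded value (for example one with a four-digit year) would presumably either make timegm_posix() croak with a range error that does not name the certificate, or shift the fields and silently give a wrong cutoff, and that cutoff decides whether a CA stays in the generated bundle. A guard before the unpack, such as `$distrust_after =~ /\A\d{12}Z\z/ or croak "line $.: unexpected CKA_NSS_SERVER_DISTRUST_AFTER value";`, would make the failure explicit; `$year + 100` also hard-codes 20YY and deserves a short comment saying so. The comment above the comparison could also note that a flat bundle cannot express "issued before the distrust date", so every certificate from that CA, whatever its notBefore, keeps validating until the 398 days have elapsed. The body of grabcert starts and ends outside this hunk.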