Florian Weimer reported this issue to us.

The certdata.txt file in the NSS source tree (http://mxr.mozilla.org/security/source/security/nss/lib/ckfw/builtins/certdata.txt) is the master source of the NSS built-in trusted root CA list, so people have written scripts to extract the trusted root CA certificates from this file. Florian Weimer provided us with the following examples:

https://atlaswww.hep.anl.gov/twiki/bin/view/UsAtlasTier3/FetchingCA-bundle
http://cblfs.cross-lfs.org/index.php/OpenSSL
http://curl.haxx.se/docs/parse-certs.txt

Originally certdata.txt contained only trusted root CA certificates, so some of those scripts may have relied on that fact and ignore the trust objects for certificates in that file. After the two CA break-in incidents this year, certdata.txt started to contain several explicitly distrusted certificates. Scripts that extract trusted root CA certificates from certdata.txt must now check the trust objects. Here are the instructions.

For each trust object in certdata.txt, you can find the associated certificate object in two ways:

1. By matching the issuer and serial number pair (the CKA_ISSUER and CKA_SERIAL_NUMBER attributes). This method is recommended because this is the method NSS itself uses.
2. By matching the certificate SHA-1 hash (the CKA_CERT_SHA1_HASH attribute). Only the trust objects have this attribute. The certificate objects do not have this attribute, so you'll need to compute SHA-1 over the certificate data yourself.

After you match a trust object to a certificate, check the CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, and CKA_TRUST_CODE_SIGNING attributes in the trust object. In the current version of certdata.txt, these attributes may have only three possible values:

- CKT_NSS_TRUSTED_DELEGATOR: this means the CA is trusted for that purpose.
- CKT_NSS_TRUST_UNKNOWN: this means the CA is not trusted for that purpose, but is trusted for some other purpose.
- CKT_NSS_NOT_TRUSTED: this means the certificate (which may not be a CA) is explicitly distrusted.

Note: I recommend that the scripts assert that these attributes only have these three values, so that they can detect when this assumption is no longer true.

The scripts must exclude the certificates whose trust objects contain CKT_NSS_NOT_TRUSTED in any of the CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, and CKA_TRUST_CODE_SIGNING attributes.

Wan-Teh Chang
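
One way to implement the check described above, as an added Python example that is not part of the original message or of NSS: it pairs each trust object with its certificate by CKA_ISSUER and CKA_SERIAL_NUMBER, raises on any trust value outside the three listed, and drops certificates marked CKT_NSS_NOT_TRUSTED for any purpose. The object layout (CKA_CLASS, CKO_CERTIFICATE, CKO_NSS_TRUST, CKA_LABEL, CKA_VALUE, MULTILINE_OCTAL blocks closed by END) is assumed from the certdata.txt format; the function names are hypothetical, and SAMPLE is constructed from placeholder bytes, not real certificates.

```python
import re

PURPOSES = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION", "CKA_TRUST_CODE_SIGNING")
TRUSTED, UNKNOWN, DISTRUSTED = "CKT_NSS_TRUSTED_DELEGATOR", "CKT_NSS_TRUST_UNKNOWN", "CKT_NSS_NOT_TRUSTED"
KNOWN = {TRUSTED, UNKNOWN, DISTRUSTED}

def parse_objects(text):
    """Split certdata.txt text into one attribute dict per object (a CKA_CLASS line starts each)."""
    objects, lines = [], iter(text.splitlines())
    for line in lines:
        parts = line.strip().split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank lines, comments, BEGINDATA
        if parts[0] == "CKA_CLASS":
            objects.append({})
        if not objects:
            continue  # file header before the first object
        if parts[1] == "MULTILINE_OCTAL":  # octal escapes on the following lines, up to END
            octal = "".join(iter(lambda: next(lines).strip(), "END"))
            value = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal))
        else:
            value = parts[2].strip('"') if len(parts) > 2 else ""
        objects[-1][parts[0]] = value
    return objects

def trusted_roots(text):
    """Return [(label, certificate bytes)] for certificates whose trust object does not distrust them."""
    objs = parse_objects(text)
    key = lambda o: (o["CKA_ISSUER"], o["CKA_SERIAL_NUMBER"])  # the pair NSS itself matches on
    certs = {key(o): o for o in objs if o["CKA_CLASS"] == "CKO_CERTIFICATE"}
    roots = []
    for trust in (o for o in objs if o["CKA_CLASS"] == "CKO_NSS_TRUST"):
        values = {trust[p] for p in PURPOSES}
        if values - KNOWN:  # fail loudly when the three-value assumption stops holding
            raise ValueError(f"unexpected trust value: {sorted(values - KNOWN)}")
        cert = certs.get(key(trust))  # a trust object may have no certificate in the file
        if cert is not None and DISTRUSTED not in values:
            roots.append((cert["CKA_LABEL"], cert["CKA_VALUE"]))
    return roots

def octal_attr(name, data):  # render one MULTILINE_OCTAL attribute
    return f"{name} MULTILINE_OCTAL\n" + "".join(f"\\{b:03o}" for b in data) + "\nEND\n"
def sample_pair(label, serial, trust_values):  # constructed certificate + trust object, fake bytes
    ident = octal_attr("CKA_ISSUER", b"0\x00") + octal_attr("CKA_SERIAL_NUMBER", serial)
    trust = "".join(f"{p} CK_TRUST {v}\n" for p, v in zip(PURPOSES, trust_values))
    return (f'CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\nCKA_LABEL UTF8 "{label}"\n' + ident
            + octal_attr("CKA_VALUE", b"DER" + serial) + "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n" + ident + trust)

SAMPLE = sample_pair("Example Root", b"\x02\x01\x01", (TRUSTED, TRUSTED, UNKNOWN)) + sample_pair("Example Distrusted", b"\x02\x01\x02", (TRUSTED, DISTRUSTED, UNKNOWN))
```

Certificates that have no trust object at all are never emitted, because the loop runs over trust objects rather than certificate objects.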