Wan-Teh Chang wrote:
> Florian Weimer reported this issue to us.
>
> The certdata.txt file in the NSS source tree
> (http://mxr.mozilla.org/security/source/security/nss/lib/ckfw/builtins/certdata.txt)
> is the master source of the NSS built-in trusted root CA list, so
> people have written scripts to extract the trusted root CA
> certificates from this file. Florian Weimer provided us with the
> following examples:
> https://atlaswww.hep.anl.gov/twiki/bin/view/UsAtlasTier3/FetchingCA-bundle
> http://cblfs.cross-lfs.org/index.php/OpenSSL
> http://curl.haxx.se/docs/parse-certs.txt
>
> Originally certdata.txt contained only trusted root CA certificates,
> so some of those scripts may have relied on that fact and ignore the
> trust objects for certificates in that file.
>
> After the two CA break-in incidents this year, certdata.txt started to
> contain several explicitly distrusted certificates. Scripts that
> extract trusted root CA certificates from certdata.txt must now check
> the trust objects.
The MD5 collision cert was there even before those events.

Here's the script I use for openSUSE. It optionally exports the trust
settings too:
http://gitorious.org/opensuse/ca-certificates/blobs/master/extractcerts.pl

For processing outside NSS it would be easier if the certificates were
available as individual PEM files in the first place of course :-)

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
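The check the thread asks for, as an added example that is not part of the thread, not NSS code, and not the openSUSE extractcerts.pl script: a small certdata.txt reader that pairs each CKO_CERTIFICATE object with its trust object by (issuer, serial) and exports a certificate only for the purposes whose CKA_TRUST_* attribute says CKT_NSS_TRUSTED_DELEGATOR, while refusing to export anything carrying CKT_NSS_NOT_TRUSTED or lacking a trust object altogether. The attribute and value names are the ones used in certdata.txt (CKO_NSS_TRUST, CKT_NSS_TRUSTED_DELEGATOR, CKT_NSS_NOT_TRUSTED, CKT_NSS_MUST_VERIFY_TRUST); the CKO_NETSCAPE_/CKT_NETSCAPE_ spellings are accepted on the assumption that older copies of the file still use them. The sample data is constructed in certdata.txt syntax and its CKA_VALUE bytes are dummies, not real DER.

```python
"""Export only the trusted roots from an NSS certdata.txt by honouring the trust objects.

Added example, not NSS code and not openSUSE's extractcerts.pl.  The sample data
below is constructed; its CKA_VALUE bytes are placeholders, not real DER.
"""
import base64
import re

TRUST_CLASSES = {"CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST"}  # current and (assumed) older spelling
TRUSTED = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}
DISTRUSTED = {"CKT_NSS_NOT_TRUSTED", "CKT_NETSCAPE_UNTRUSTED"}
PURPOSES = {"server": "CKA_TRUST_SERVER_AUTH",
            "email": "CKA_TRUST_EMAIL_PROTECTION",
            "code": "CKA_TRUST_CODE_SIGNING"}


def decode_octal(lines):
    """Turn the \\NNN escapes of a MULTILINE_OCTAL block into bytes."""
    return bytes(int(d, 8) for d in re.findall(r"\\([0-7]{3})", "".join(lines)))


def parse_certdata(text):
    """Split certdata.txt into one {attribute: value} dict per PKCS#11 object."""
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        parts = line.split(None, 2)
        attr, typ = parts[0], parts[1]
        if attr == "CKA_CLASS":            # every object starts with its class attribute
            current = {}
            objects.append(current)
        if current is None:
            continue
        if typ == "MULTILINE_OCTAL":       # value runs until a line reading END
            body = []
            for octal_line in lines:
                if octal_line.strip() == "END":
                    break
                body.append(octal_line)
            value = decode_octal(body)
        elif typ == "UTF8":
            value = parts[2].strip('"')
        else:
            value = parts[2] if len(parts) > 2 else ""
        current[attr] = value
    return objects


def to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract(text):
    """Return ({label: (pem, purposes)}, [explicitly distrusted labels]).

    Export only for purposes flagged TRUSTED_DELEGATOR.  Any NOT_TRUSTED flag
    marks an explicit distrust entry, which is never exported.  A certificate
    without a trust object is not a trust anchor and is skipped as well.
    """
    objs = parse_certdata(text)
    trust = {(o["CKA_ISSUER"], o["CKA_SERIAL_NUMBER"]): o
             for o in objs if o.get("CKA_CLASS") in TRUST_CLASSES}
    trusted, distrusted = {}, []
    for o in objs:
        if o.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        t = trust.get((o["CKA_ISSUER"], o["CKA_SERIAL_NUMBER"]))
        if t is None:
            continue
        flags = {p: t.get(a, "") for p, a in PURPOSES.items()}
        if any(v in DISTRUSTED for v in flags.values()):
            distrusted.append(o["CKA_LABEL"])
            continue
        purposes = {p for p, v in flags.items() if v in TRUSTED}
        if purposes:
            trusted[o["CKA_LABEL"]] = (to_pem(o["CKA_VALUE"]), purposes)
    return trusted, distrusted


def _sample_entry(label, serial, flags=None):
    """Constructed test data: one certificate object, plus a trust object if flags is given."""
    ident = ("CKA_ISSUER MULTILINE_OCTAL\n\\060\\001\nEND\n"
             "CKA_SERIAL_NUMBER MULTILINE_OCTAL\n" + serial + "\nEND\n")
    out = ("CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n" + f'CKA_LABEL UTF8 "{label}"\n'
           + ident + "CKA_VALUE MULTILINE_OCTAL\n\\060\\202\\001\\000\nEND\n\n")  # dummy DER
    if flags:
        out += ("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n" + f'CKA_LABEL UTF8 "{label}"\n'
                + ident + "".join(f"{a} CK_TRUST {flags[p]}\n" for p, a in PURPOSES.items()) + "\n")
    return out


T, D, M = "CKT_NSS_TRUSTED_DELEGATOR", "CKT_NSS_NOT_TRUSTED", "CKT_NSS_MUST_VERIFY_TRUST"
SAMPLE = "BEGINDATA\n" + "".join([
    _sample_entry("Example Trusted Root", "\\002\\001\\001", dict(server=T, email=T, code=T)),
    _sample_entry("Example Distrusted Cert", "\\002\\001\\002", dict(server=D, email=D, code=D)),
    _sample_entry("Example Email-Only Root", "\\002\\001\\003", dict(server=M, email=T, code=M)),
    _sample_entry("Example No Trust Object", "\\002\\001\\004"),
])

if __name__ == "__main__":
    roots, dropped = extract(SAMPLE)
    for label, (pem, purposes) in roots.items():
        print(f"# {label}: trusted for {sorted(purposes)}\n{pem}")
    print("# explicitly distrusted, not exported:", dropped)
```

Run against a real certdata.txt by passing its contents to extract(): the distrusted entries the thread mentions come out in the second return value rather than in the bundle, and a root that is trusted for e-mail only is not silently promoted to a TLS server-auth anchor. Treating any NOT_TRUSTED flag as excluding the certificate outright is a deliberate conservative choice for a CA-bundle generator; a per-purpose exporter could instead consult the purposes set.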