nss-{email,server}-distrust-after values ignored when generating certificate bundles
DJ Lucas
dj at linuxfromscratch.org
Mon Dec 19 04:58:52 UTC 2022
Given the attached anchor, this certificate is still showing up in my
P11-kit generated bundles for OpenSSL and GNUTLS. I believe this to be
broken behavior, but figured I'd post here first to make certain that the
trust utility is intended to honor the nss-*-distrust-after flag.
Using the following commands to generate the bundles/directories:
/usr/bin/trust extract --filter=ca-anchors --format=openssl-directory --overwrite --comment ./certs/
/usr/bin/trust extract --filter=ca-anchors --format=pem-bundle --purpose server-auth --overwrite --comment ./certs/ca-bundle.pem
FYI, while I'm reasonably certain that this is unrelated, in the event
that there is something wrong with the attached anchor, I do use my own
tools to generate anchors available at:
https://github.com/djlucas/make-ca
or
https://github.com/djlucas/ca-tools.
Thoughts?
--DJ Lucas
-------------- next part --------------
[p11-kit-object-v1]
label: "TrustCor ECA-1"
class: x-certificate-extension
object-id: 2.5.29.37
value: "0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01"
modifiable: false
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz4/gEbWfqHZ2298PVO9z
YymCrUfGo2vt/l8z+ENR6RozkTEXoHTE1KcB5rKSPmqd7Q75dJhA0z8DgAaCQOix
4qdRpx2DJmur3voXkSvYxqwesZ4ZAdWXpuoNt8RVHyd80gjVdh8pFYdAOd04RRF1
0JqnNOC/zchSHblHfg24u8YM9nNXFlp+Q5EfVTrGbUQEqpypnKdMiReDrqMEXlKA
ix4SJREZ1wx9fTFEQerbr7Ac74HQLMWaIZs97UI7UCby7M5xYQZiIVROf8GdPn8g
jIDLKtiXYsiDM5F9sKJaD1foO8zyJbLUfC/sTcahOhV657ZdNfX2SEo2RWbUuphY
wQIDAQAB
-----END PUBLIC KEY-----
[p11-kit-object-v1]
label: "TrustCor ECA-1"
trusted: true
nss-mozilla-ca-policy: true
modifiable: false
nss-server-distrust-after: "221130000000Z"
nss-email-distrust-after: "221130000000Z"
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
#Certificate:
# Data:
# Version: 3 (0x2)
# Serial Number:
# 84:82:2c:5f:1c:62:d0:40
# Signature Algorithm: sha256WithRSAEncryption
# Issuer: C = PA, ST = Panama, L = Panama City, O = TrustCor Systems S. de R.L., OU = TrustCor Certificate Authority, CN = TrustCor ECA-1
# Validity
# Not Before: Feb 4 12:32:33 2016 GMT
# Not After : Dec 31 17:28:07 2029 GMT
# Subject: C = PA, ST = Panama, L = Panama City, O = TrustCor Systems S. de R.L., OU = TrustCor Certificate Authority, CN = TrustCor ECA-1
# Subject Public Key Info:
# Public Key Algorithm: rsaEncryption
# Public-Key: (2048 bit)
# Modulus:
# Exponent: 65537 (0x10001)
# X509v3 extensions:
# X509v3 Subject Key Identifier:
# 44:9E:48:F5:CC:6D:48:D4:A0:4B:7F:FE:59:24:2F:83:97:99:9A:86
# X509v3 Authority Key Identifier:
# 44:9E:48:F5:CC:6D:48:D4:A0:4B:7F:FE:59:24:2F:83:97:99:9A:86
# X509v3 Basic Constraints: critical
# CA:TRUE
# X509v3 Key Usage: critical
# Digital Signature, Certificate Sign, CRL Sign
# Signature Algorithm: sha256WithRSAEncryption
# Signature Value:
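As an added check, not part of the post or of p11-kit itself, the following script parses an anchor file in the attached format and lists the trust anchors whose nss-*-distrust-after date for a given purpose is already in the past, so you can search the generated bundle for exactly those labels. SAMPLE is a constructed copy of the attachment's attributes with the PEM body replaced by a placeholder; the attribute names and the UTCTime format are taken from the attachment.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the format of the attached anchor; the PEM body is a
# placeholder, only the attributes matter for this check.
SAMPLE = """[p11-kit-object-v1]
label: "TrustCor ECA-1"
class: x-certificate-extension
object-id: 2.5.29.37
modifiable: false

[p11-kit-object-v1]
label: "TrustCor ECA-1"
trusted: true
nss-mozilla-ca-policy: true
modifiable: false
nss-server-distrust-after: "221130000000Z"
nss-email-distrust-after: "221130000000Z"
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
"""

# One "key: value" attribute line; quotes around the value are optional.
ATTR_RE = re.compile(r'^([\w-]+):\s*"?([^"\n]*?)"?\s*$', re.M)
PURPOSE_ATTR = {"server-auth": "nss-server-distrust-after",
                "email": "nss-email-distrust-after"}

def parse_objects(text):
    """Split a .p11-kit file into objects, each an attribute -> value dict."""
    return [dict(ATTR_RE.findall(block))
            for block in text.split("[p11-kit-object-v1]")[1:]]

def parse_utctime(value):
    """The distrust-after values are ASN.1 UTCTime strings: YYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def stale_anchors(text, purpose, now):
    """Labels of trust anchors whose distrust-after date for `purpose` is
    already behind `now`; these are the ones to look for in the bundle."""
    attr = PURPOSE_ATTR[purpose]
    stale = []
    for obj in parse_objects(text):
        if obj.get("trusted") != "true" or attr not in obj:
            continue
        if now >= parse_utctime(obj[attr]):
            stale.append(obj["label"])
    return stale
```

In NSS these attributes distrust end-entity certificates issued after the date rather than removing the root, a distinction a flat PEM bundle cannot express, so the output is a list to review against the bundle rather than a verdict on what trust should have done.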