nss-{email,server}-distrust-after values ignored when generating certificate bundles

[Daiki Ueno]

Hello,

DJ Lucas <dj at linuxfromscratch.org> writes:

> Given the attached anchor, this certificate is still showing up in my
> P11-kit generated bundles for OpenSSL and GNUTLS. I believe this to be
> broken behavior, but figured I post here first to make certain that
> the trust utility is intended to honor the nss-*-distrust-after flag.
>
> Using the following commands to generate the bundles/directories:
>
> /usr/bin/trust extract --filter=ca-anchors --format=openssl-directory
> --overwrite --comment ./certs/
> /usr/bin/trust extract --filter=ca-anchors --format=pem-bundle
> --purpose server-auth --overwrite --comment ./certs/ca-bundle.pem
>
> FYI, while I'm reasonably certain that this is unrelated, in the event
> that there is something wrong with the attached anchor, I do use my
> own tools to generate anchors available at:
> https://github.com/djlucas/make-ca
> or
> https://github.com/djlucas/ca-tools.
>
> Thoughts?

IMO, those attributes should ideally be handled at run-time, not at
extraction time.

p11-kit's support for nss-*-distrust-after is simply to passthrough
those attributes as PKCS#11 attributes (CKA_NSS_*_DISTRUST_AFTER[1]).
To use that information, there needs to be support from the client
libraries: the trust store is backed by PKCS#11 and those attributes are
respected when enumerating CA certificates from the trust store.

Afaik, currently only NSS supports both, GnuTLS supports the former but
not for the latter[2], and OpenSSL does neither.

If there is an imminent need for disabling certain CA certificates, I
would suggest removing or blocklisting them[3].

Footnotes:
[1]  https://github.com/p11-glue/p11-kit/blob/d39043f7c6e44247b5b1a237888e80b2a4d9c2b2/trust/test-extract.sh#L80

[2]  https://gitlab.com/gnutls/gnutls/-/issues/912

[3]  https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-module.html

Regards,
-- 
Daiki Ueno