search

rustls / webpki-roots

CA certificates for use with webpki
Apache License 2.0
89 stars 47 forks source link

Imposed constraint update #36

Closed djc closed 1 year ago

djc commented 1 year ago

Happened to find this change somewhat randomly:

https://hg.mozilla.org/projects/nss/rev/023f640c52040ff02bdd3c44df2b5ae927fa9e4f https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/DotaWOS0v1E/m/icFj9tAzBQAJ https://bugzilla.mozilla.org/show_bug.cgi?id=1802944

Propose to publish yet another release after this is merged.

cpu commented 1 year ago

I think this is something we could keep in sync mechanically w/ CCADB if we switched to that data source in the future. The IncludedCACertificateReportPEMCSV.csv report has a "Mozilla Applied Constraints" column that lists *.tr presently for this root.

djc commented 1 year ago

I was looking at that earlier. Using that would enable noticing changes, but going from *.tr to the constraints encoding would be a manual step. For now, I've subscribed to https://hg.mozilla.org/projects/nss/atom-log/tip/lib/certdb/genname.c in my RSS reader.

cpu commented 1 year ago

but going from *.tr to the constraints encoding would be a manual step.

Why is that?

ctz commented 1 year ago

Why is that?

I guess we'd need to write an encoder to put these strings into the form of a NameConstraints extension body, but that is definitely doable?

ctz commented 1 year ago

Way back I had a test for this root's constraints -- unfortunately I never landed it because the test failed, because the webpki crate didn't have working name constraints support back then. That is fixed since January. The old commit is here: https://github.com/rustls/webpki-roots/commit/65282d9f07f46d9f272c82034811f9155920844b - unfortunately only a positive test.

cpu commented 1 year ago

I guess we'd need to write an encoder to put these strings into the form of a NameConstraints extension body, but that is definitely doable?

That's what I was thinking but wasn't sure if I was overlooking some inherent ambiguity that would make it harder than it seems.

djc commented 1 year ago

Way back I had a test for this root's constraints -- unfortunately I never landed it because the test failed, because the webpki crate didn't have working name constraints support back then. That is fixed since January. The old commit is here: 65282d9 - unfortunately only a positive test.

Oh great -- that was pretty easy to rebase onto the current state of affairs, and allowed me to verify that your suggested fix works.

djc commented 1 year ago

Published 0.25.1.