Google Git
Sign in
go / crypto / 62c9f1799c91aef0744179032e30fda3761e79f7^! / .
commit62c9f1799c91aef0744179032e30fda3761e79f7[log] [tgz]
authorRoland Shoemaker <roland@golang.org>Wed Feb 07 10:41:04 2024 -0800
committerRoland Shoemaker <roland@golang.org>Thu Feb 08 16:32:26 2024 +0000
tree57e6f7ae719646c2e9240e9e47a650d6e78682c8
parent405cb3bdea78b1b48ee79096733841247a944de0 [diff]
x509roots/nss: manually exclude a confusingly constrained root

Fixes golang/go#61963

Change-Id: I16920d160af74772ef5aa650d1274e07c3ca9adc
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/562475
Reviewed-by: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

diff --git a/x509roots/fallback/bundle.go b/x509roots/fallback/bundle.go
index a666f5f..460c57b 100644
--- a/x509roots/fallback/bundle.go
+++ b/x509roots/fallback/bundle.go

@@ -3078,34 +3078,6 @@
 e9eiPZaGzPImNC1qkp2aGtAw4l1OBLBfiyB+d8E9lYLRRpo7PHi4b6HQDWSieB4p
 TpPDpFQUWw==
 -----END CERTIFICATE-----
-# CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR
-# 46edc3689046d53a453fb3104ab80dcaec658b2660ea1629dd7e867990648716
------BEGIN CERTIFICATE-----
-MIIEYzCCA0ugAwIBAgIBATANBgkqhkiG9w0BAQsFADCB0jELMAkGA1UEBhMCVFIx
-GDAWBgNVBAcTD0dlYnplIC0gS29jYWVsaTFCMEAGA1UEChM5VHVya2l5ZSBCaWxp
-bXNlbCB2ZSBUZWtub2xvamlrIEFyYXN0aXJtYSBLdXJ1bXUgLSBUVUJJVEFLMS0w
-KwYDVQQLEyRLYW11IFNlcnRpZmlrYXN5b24gTWVya2V6aSAtIEthbXUgU00xNjA0
-BgNVBAMTLVRVQklUQUsgS2FtdSBTTSBTU0wgS29rIFNlcnRpZmlrYXNpIC0gU3Vy
-dW0gMTAeFw0xMzExMjUwODI1NTVaFw00MzEwMjUwODI1NTVaMIHSMQswCQYDVQQG
-EwJUUjEYMBYGA1UEBxMPR2ViemUgLSBLb2NhZWxpMUIwQAYDVQQKEzlUdXJraXll
-IEJpbGltc2VsIHZlIFRla25vbG9qaWsgQXJhc3Rpcm1hIEt1cnVtdSAtIFRVQklU
-QUsxLTArBgNVBAsTJEthbXUgU2VydGlmaWthc3lvbiBNZXJrZXppIC0gS2FtdSBT
-TTE2MDQGA1UEAxMtVFVCSVRBSyBLYW11IFNNIFNTTCBLb2sgU2VydGlmaWthc2kg
-LSBTdXJ1bSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr3UwM6q7
-a9OZLBI3hNmNe5eA027n/5tQlT6QlVZC1xl8JoSNkvoBHToP4mQ4t4y86Ij5iySr
-LqP1N+RAjhgleYN1Hzv/bKjFxlb4tO2KRKOrbEz8HdDc72i9z+SqzvBV96I01INr
-N3wcwv61A+xXzry0tcXtAA9TNypN9E8Mg/uGz8v+jE69h/mniyFXnHrfA2eJLJ2X
-YacQuFWQfw4tJzh03+f92k4S400VIgLI4OD8D62K18lUUMw7D8oWgITQUVbDjlZ/
-iSIzL+aFCr2lqBs23tPcLG07xxO9WSMs5uWk99gL7eqQQESolbuT1dCANLZGeA4f
-AJNG4e7p+exPFwIDAQABo0IwQDAdBgNVHQ4EFgQUZT/HiobGPN08VFw1+DrtUgxH
-V8gwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
-BQADggEBACo/4fEyjq7hmFxLXs9rHmoJ0iKpEsdeV31zVmSAhHqT5Am5EM2fKifh
-AHe+SMg1qIGf5LgsyX8OsNJLN13qudULXjS99HMpw+0mFZx+CFOKWI3QSyjfwbPf
-IPP54+M638yclNhOT8NrF7f3cuitZjO1JVOr4PhMqZ398g26rrnZqsZr+ZO7rqu4
-lzwDGrpDxpa5RXI4s6ehlj2Re37AIVNMh+3yC1SVUZPVIqUNivGTDj5UDrDYyU7c
-8jEyVupk+eq1nRZmQnLzf9OxMUP8pI4X8W0jq5Rm+K37DwhuJi1/FwcJsoz7UMCf
-lo3Ptv0AnVoUmr8CRPXBwp8iXqIPoeM=
------END CERTIFICATE-----
 # CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
 # 59769007f7685d0fcd50872f9f95d5755a5b2b457d81f3692b610a98672f0e1b
 -----BEGIN CERTIFICATE-----

diff --git a/x509roots/nss/parser.go b/x509roots/nss/parser.go
index 1af3e0a..feca766 100644
--- a/x509roots/nss/parser.go
+++ b/x509roots/nss/parser.go

@@ -147,6 +147,20 @@
 	return h, to, nil
 }
 
+// manualExclusions contains a map of SHA1 fingerprints of roots that we manually exclude
+// from the bundle for various reasons.
+var manualExclusions = map[string]bool{
+	// TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
+	// We exclude this root because mozilla manually constrains this root to
+	// issue names under .tr, but this information is only encoded in the CCADB
+	// IncludedCACertificateReport, in a field the format of which is
+	// undocumented, and is only used for this particular certificate. Rather
+	// than adding special parsing for this, we skip it. When code constraint
+	// support is available, we may also want to simply add a manual constraint,
+	// rather than a manual exclusion.
+	"3143649becce27eced3a3f0b8f0de4e891ddeeca": true,
+}
+
 // Parse parses a NSS certdata.txt formatted file, returning only
 // trusted serverAuth roots, as well as any additional constraints. This parser
 // is very opinionated, only returning roots that are currently trusted for
@@ -248,6 +262,9 @@
 		if !e.trust.trusted {
 			continue
 		}
+		if manualExclusions[fmt.Sprintf("%x", h)] {
+			continue
+		}
 		nssCert := &Certificate{X509: e.cert.c}
 		if e.cert.DistrustAfter != nil {
 			nssCert.Constraints = append(nssCert.Constraints, DistrustAfter(*e.cert.DistrustAfter))