Date: Sat, 15 Mar 2025 13:56:27 GMT
Message-Id: <202503151356.52FDuRpm007383@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Michael Osipov
Subject: git: d3e5558d3168 - stable/13 - caroot: Ignore soft distrust of server CA certificates after 398 days
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: michaelo
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: d3e5558d31688688684533e3fc575bc65d5e4b84

The branch stable/13 has been updated by michaelo:

URL: https://cgit.FreeBSD.org/src/commit/?id=d3e5558d31688688684533e3fc575bc65d5e4b84

commit d3e5558d31688688684533e3fc575bc65d5e4b84
Author:     Michael Osipov
AuthorDate: 2025-02-20 09:48:48 +0000
Commit:     Michael Osipov
CommitDate: 2025-03-15 13:56:16 +0000

    caroot: Ignore soft distrust of server CA certificates after 398 days

    Mozilla introduced the field CKA_NSS_SERVER_DISTRUST_AFTER which indicates
    that a CA certificate will be distrusted in the future before its NotAfter
    time. This means that the CA stops issuing new certificates, but previous
    ones are still valid, but at most for 398 days after the distrust date.

    See also:
    * https://bugzilla.mozilla.org/show_bug.cgi?id=1465613
    * https://github.com/Lukasa/mkcert/issues/19
    * https://gitlab.alpinelinux.org/alpine/ca-certificates/-/merge_requests/16
    * https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c

    Tested by:      michaelo
    Reviewed by:    emaste
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D49075

    (cherry picked from commit 457c03b397c80d44da92684d417a58b3ca1fed02)
---
 secure/caroot/MAca-bundle.pl | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/secure/caroot/MAca-bundle.pl b/secure/caroot/MAca-bundle.pl index 4feced90d782..58cfe1cbf6fa 100755 --- a/secure/caroot/MAca-bundle.pl +++ b/secure/caroot/MAca-bundle.pl @@ -37,6 +37,8 @@ use strict; use Carp; use MIME::Base64; use Getopt::Long; +use Time::Local qw( timegm_posix ); +use POSIX qw( strftime ); my $generated = '@' . 'generated'; my $inputfh = *STDIN; @@ -101,13 +103,6 @@ EOH } } -# returns a string like YYMMDDhhmmssZ of current time in GMT zone -sub timenow() -{ - my ($sec,$min,$hour,$mday,$mon,$year,undef,undef,undef) = gmtime(time); - return sprintf "%02d%02d%02d%02d%02d%02dZ", $year-100, $mon+1, $mday, $hour, $min, $sec; -} - sub printcert($$$) { my ($fh, $label, $certdata) = @_; @@ -162,10 +157,15 @@ sub grabcert($) if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/) { my $distrust_after = graboct($ifh); - my $time_now = timenow(); - if ($time_now >= $distrust_after) { $distrust = 1; } + my ($year, $mon, $mday, $hour, $min, $sec) = unpack "A2A2A2A2A2A2", $distrust_after; + $distrust_after = timegm_posix( $sec, $min, $hour, $mday, $mon - 1, $year + 100); + my $time_now = time; + # When a CA is distrusted before its NotAfter date, issued certificates + # are valid for a maximum of 398 days after that date. + if ($time_now >= $distrust_after + 398 * 24 * 60 * 60) { $distrust = 1; } if ($debug) { - printf STDERR "line $.: $cka_label ser #%d: distrust after %s, now: %s -> distrust $distrust\n", $serial, $distrust_after, timenow(); + printf STDERR "line $.: $cka_label ser #%d: distrust 398 days after %s, now: %s -> distrust $distrust\n", $serial, + strftime("%FT%TZ", gmtime($distrust_after)), strftime("%FT%TZ", gmtime($time_now)); } if ($distrust) { return undef;
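Review bot: `timegm_posix` in the first hunk (`+use Time::Local qw( timegm_posix );`) only exists in Time::Local 1.30 and later, and nothing in the diff records that minimum. The other modules the script pulls in are core and version-insensitive, but Time::Local's version is tied to the perl release, so on an older install the script now dies at compile time with a bare "not exported" message. Suggest making the requirement explicit, for example `use Time::Local 1.30 qw( timegm_posix );`, or noting it in the script's header comment so the failure names its cause.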
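Review bot: in the third hunk the `unpack "A2A2A2A2A2A2", $distrust_after` runs without checking that graboct() produced a well-formed YYMMDDhhmmssZ string. On an empty or truncated value the unpacked fields come back as empty strings, so `timegm_posix` is fed zeros and a `$mon - 1` of -1; depending on Time::Local's range checks that either croaks with a message that names no certificate or yields an epoch near 1970, which silently sets `$distrust = 1`. Dropping the CA is the safe direction, but it hides a certdata.txt problem instead of reporting it; suggest a guard ahead of the unpack such as `$distrust_after =~ /^\d{12}Z$/ or croak "line $.: bad CKA_NSS_SERVER_DISTRUST_AFTER '$distrust_after'";`. Two things the new comment could also record: `$year + 100` pins the two-digit year to 20YY (consistent with the `$year-100` in the removed timenow(), and fine until 2100), and a flat PEM bundle has no way to express the "issued before the distrust date" condition from the commit message, so for the whole 398-day window it trusts every certificate chaining to the CA, not only those issued before that date.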
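The check the patch adds, worked through end to end as an added Python example (not code from the commit or from MAca-bundle.pl): it decodes a CKA_NSS_SERVER_DISTRUST_AFTER value out of a constructed certdata.txt excerpt (the \ooo octal escapes of a MULTILINE_OCTAL block, which graboct() handles in the Perl script), validates the YYMMDDhhmmssZ format the patch assumes without checking, and applies the same "distrust date plus 398 days" rule to decide whether the CA stays in the bundle. All function names, the "Example Constructed Root CA" label and its 2024-11-18 distrust date are made up for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Maximum validity of a publicly trusted server certificate. The patch keeps a
# CA in the bundle for this long after its distrust date so that leaf
# certificates issued before that date can still be validated.
MAX_LEAF_VALIDITY = timedelta(days=398)

# CKA_NSS_SERVER_DISTRUST_AFTER is a UTCTime-style string "YYMMDDhhmmssZ"
# (e.g. "241118000000Z"): a two-digit year, and a trailing "Z".
_DISTRUST_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")

# Constructed excerpt in the layout of certdata.txt: a MULTILINE_OCTAL value is
# one or more lines of \ooo escapes terminated by END. The octal bytes below
# spell "241118000000Z". The label and the date are invented for this example.
CERTDATA_SAMPLE = r"""CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Constructed Root CA"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\064\061\061\061\070\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
"""


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build an aware UTC datetime so the callers below stay free of tz noise."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def decode_multiline_octal(lines):
    """Decode the \\ooo escapes of a MULTILINE_OCTAL block into a str."""
    raw = bytearray(int(m.group(1), 8)
                    for line in lines
                    for m in re.finditer(r"\\([0-7]{3})", line))
    return raw.decode("ascii")


def extract_distrust_after(certdata):
    """Return the CKA_NSS_SERVER_DISTRUST_AFTER value of one trust object, or None."""
    lines = iter(certdata.splitlines())
    for line in lines:
        if line.startswith("CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL"):
            block = []
            for inner in lines:          # consume the octal lines up to END
                if inner.strip() == "END":
                    break
                block.append(inner)
            return decode_multiline_octal(block)
    return None


def is_well_formed_distrust_after(value):
    """True if the value has the exact YYMMDDhhmmssZ shape; the guard the patch lacks."""
    return _DISTRUST_RE.match(value) is not None


def parse_distrust_after(value):
    """Parse "YYMMDDhhmmssZ" into an aware UTC datetime.

    Two-digit years are read as 20YY, which is what $year + 100 (years since
    1900) does in MAca-bundle.pl. A malformed value raises instead of silently
    turning into a bogus date that would drop (or keep) the CA unnoticed.
    """
    m = _DISTRUST_RE.match(value)
    if not m:
        raise ValueError(f"malformed CKA_NSS_SERVER_DISTRUST_AFTER value: {value!r}")
    yy, mon, day, hour, minute, sec = (int(g) for g in m.groups())
    return utc(2000 + yy, mon, day, hour, minute, sec)


def keep_in_bundle(distrust_after, now):
    """True while the CA should stay in the bundle: now < distrust date + 398 days.

    Same rule as `time_now >= distrust_after + 398 * 24 * 60 * 60` in the patch:
    the CA is dropped only once every certificate it could have issued before
    the distrust date has necessarily expired.
    """
    return now < parse_distrust_after(distrust_after) + MAX_LEAF_VALIDITY


if __name__ == "__main__":
    value = extract_distrust_after(CERTDATA_SAMPLE)
    cutoff = parse_distrust_after(value) + MAX_LEAF_VALIDITY
    print(f"distrust after {value} -> dropped from bundle at {cutoff:%Y-%m-%dT%H:%M:%SZ}")
    for now in (utc(2025, 3, 15), utc(2025, 12, 21)):
        print(f"  now={now:%Y-%m-%dT%H:%M:%SZ} keep={keep_in_bundle(value, now)}")
```

With the constructed distrust date of 2024-11-18, the CA is kept through 2025-12-20 and dropped from 2025-12-21 00:00 UTC onward; a value that fails the format check is reported by name rather than being turned into a near-1970 epoch.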