From nobody Sat Mar 8 15:34:00 2025
Date: Sat, 8 Mar 2025 15:34:00 GMT
Message-Id: <202503081534.528FY0MZ021943@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Michael Osipov
Subject: git: 457c03b397c8 - main - caroot: Ignore soft distrust of server CA certificates after 398 days
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: michaelo
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 457c03b397c80d44da92684d417a58b3ca1fed02
Auto-Submitted: auto-generated

The branch main has been updated by michaelo:

URL: https://cgit.FreeBSD.org/src/commit/?id=457c03b397c80d44da92684d417a58b3ca1fed02

commit 457c03b397c80d44da92684d417a58b3ca1fed02
Author:     Michael Osipov
AuthorDate: 2025-02-20 09:48:48 +0000
Commit:     Michael Osipov
CommitDate: 2025-03-08 15:33:44 +0000

    caroot: Ignore soft distrust of server CA certificates after 398 days

    Mozilla introduced the field CKA_NSS_SERVER_DISTRUST_AFTER which indicates
    that a CA certificate will be distrusted in the future before its NotAfter
    time. This means that the CA stops issuing new certificates, but previous
    ones are still valid, but at most for 398 days after the distrust date.

    See also:
    * https://bugzilla.mozilla.org/show_bug.cgi?id=1465613
    * https://github.com/Lukasa/mkcert/issues/19
    * https://gitlab.alpinelinux.org/alpine/ca-certificates/-/merge_requests/16
    * https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c

    Tested by:      michaelo
    Reviewed by:    emaste
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D49075
---
 secure/caroot/MAca-bundle.pl | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/secure/caroot/MAca-bundle.pl b/secure/caroot/MAca-bundle.pl
index 4feced90d782..58cfe1cbf6fa 100755
--- a/secure/caroot/MAca-bundle.pl
+++ b/secure/caroot/MAca-bundle.pl @@ -37,6 +37,8 @@ use strict; use Carp; use MIME::Base64; use Getopt::Long; +use Time::Local qw( timegm_posix ); +use POSIX qw( strftime ); my $generated = '@' . 'generated'; my $inputfh = *STDIN; @@ -101,13 +103,6 @@ EOH } } -# returns a string like YYMMDDhhmmssZ of current time in GMT zone -sub timenow() -{ - my ($sec,$min,$hour,$mday,$mon,$year,undef,undef,undef) = gmtime(time); - return sprintf "%02d%02d%02d%02d%02d%02dZ", $year-100, $mon+1, $mday, $hour, $min, $sec; -} - sub printcert($$$) { my ($fh, $label, $certdata) = @_; @@ -162,10 +157,15 @@ sub grabcert($) if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/) { my $distrust_after = graboct($ifh); - my $time_now = timenow(); - if ($time_now >= $distrust_after) { $distrust = 1; } + my ($year, $mon, $mday, $hour, $min, $sec) = unpack "A2A2A2A2A2A2", $distrust_after; + $distrust_after = timegm_posix( $sec, $min, $hour, $mday, $mon - 1, $year + 100); + my $time_now = time; + # When a CA is distrusted before its NotAfter date, issued certificates + # are valid for a maximum of 398 days after that date. + if ($time_now >= $distrust_after + 398 * 24 * 60 * 60) { $distrust = 1; } if ($debug) { - printf STDERR "line $.: $cka_label ser #%d: distrust after %s, now: %s -> distrust $distrust\n", $serial, $distrust_after, timenow(); + printf STDERR "line $.: $cka_label ser #%d: distrust 398 days after %s, now: %s -> distrust $distrust\n", $serial, + strftime("%FT%TZ", gmtime($distrust_after)), strftime("%FT%TZ", gmtime($time_now)); } if ($distrust) { return undef;
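Review bot: in the first hunk, `use Time::Local qw( timegm_posix );` makes the bundle build depend on a Time::Local that exports timegm_posix, which is a newer export than the long-standing timegm; please confirm which Perl versions the caroot target is built with and record the minimum in the script header or commit message, so a failed import at compile time on an older perl is understood as a version problem rather than a certdata problem.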
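Review bot: in the third hunk, `my ($year, $mon, $mday, $hour, $min, $sec) = unpack "A2A2A2A2A2A2", $distrust_after;` trusts that graboct() returned exactly a YYMMDDhhmmssZ string; a short or non-numeric value (a typo or changed encoding in certdata.txt) yields empty or garbage fields, and the script then either dies inside timegm_posix with a message that does not name the certificate or computes a wrong cutoff that silently distrusts the CA early or keeps it past its real distrust date. Guard it before the unpack with something like `$distrust_after =~ /^\d{12}Z$/ or croak "line $.: $cka_label: bad CKA_NSS_SERVER_DISTRUST_AFTER value";` (Carp is already imported). Minor: `398 * 24 * 60 * 60` would read better as a named constant next to the comment that explains the 398 days.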
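The decision the commit message describes (distrust-after date plus a 398-day window for already-issued leaf certificates), as an added Python example that is not part of the commit or of MAca-bundle.pl: it decodes a certdata.txt MULTILINE_OCTAL value, parses the YYMMDDhhmmssZ timestamp while rejecting malformed input (a check the script's unpack does not perform), and applies the same cutoff. The sample block and its date are constructed.

```python
import calendar
import re

# Mozilla's maximum leaf-certificate lifetime; the commit uses the same 398 days.
MAX_LEAF_VALIDITY_SECONDS = 398 * 24 * 60 * 60

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")
_NSS_TIME = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")

def decode_multiline_octal(lines):
    """Decode a certdata.txt MULTILINE_OCTAL body (lines up to 'END') into bytes."""
    out = bytearray()
    for line in lines:
        if line.strip() == "END":
            break
        out.extend(int(m.group(1), 8) for m in _OCTAL_ESCAPE.finditer(line))
    return bytes(out)

def parse_nss_time(value):
    """Turn 'YYMMDDhhmmssZ' into a POSIX timestamp, rejecting anything else
    (the Perl unpack in the commit performs no such check)."""
    m = _NSS_TIME.match(value)
    if not m:
        raise ValueError(f"malformed NSS distrust-after value: {value!r}")
    yy, mon, day, hh, mm, ss = (int(g) for g in m.groups())
    # Two-digit year counts from 2000, which is what the script's "$year + 100" assumes.
    return calendar.timegm((2000 + yy, mon, day, hh, mm, ss))

def server_cert_distrusted(distrust_after, now):
    """True once the 398-day grace period after the distrust date has elapsed."""
    return now >= distrust_after + MAX_LEAF_VALIDITY_SECONDS

# Constructed sample in certdata.txt layout; the octal escapes spell 240601000000Z.
SAMPLE_BLOCK = [
    "CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL",
    r"\062\064\060\066\060\061\060\060\060\060\060\060\132",
    "END",
]

def evaluate_sample(now):
    """Return (raw value, distrust-after epoch, drop?) for SAMPLE_BLOCK at time `now`."""
    raw = decode_multiline_octal(SAMPLE_BLOCK[1:]).decode("ascii")
    distrust_after = parse_nss_time(raw)
    return raw, distrust_after, server_cert_distrusted(distrust_after, now)
```

For the sample, the CA is kept until 2025-07-04T00:00:00Z, 398 days after the 2024-06-01 distrust date, and dropped from that instant on.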