Skip to content

x/crypto/x509roots/fallback: should not exclude roots with Distrust After dates #70777

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
AGWA opened this issue Dec 11, 2024 · 3 comments
Closed

x/crypto/x509roots/fallback: should not exclude roots with Distrust After dates #70777

AGWA opened this issue Dec 11, 2024 · 3 comments
Labels
FixPending Issues that have a fix which has not yet been reviewed or submitted. NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Unreleased

Comments

@AGWA
Copy link

AGWA commented Dec 11, 2024

Due to https://github.com/golang/crypto/blob/7042ebcbe097f305ba3a93f9a22b4befa4b83d29/x509roots/gen_fallback_bundle.go#L129-L134, roots in the Mozilla trust store with Distrust After dates, such as Entrust, are being excluded from the fallback bundle, meaning certificates that Firefox would accept will be incorrectly rejected by Go programs which use x509roots/fallback. I believe this creates a compatibility risk for the WebPKI and the correct thing to do until #70623 is fixed is to include roots with constraints.

This does mean that Distrust After dates would be ignored, but the security value of Distrust After is practically nil due to backdating, and the real point of Distrust After is to pave the way for an uneventful root removal 398 days in the future.

(Apologies for not filing this sooner; when I did my review last month I unfortunately looked only at x509roots/nss/parser.go and missed the code in gen_fallback_bundle.go)

cc @rolandshoemaker @FiloSottile
@gopherbot gopherbot added this to the Unreleased milestone Dec 11, 2024
@gabyhelp
Copy link

Related Issues

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@ianlancetaylor
Copy link
Member

CC @golang/security

@cagedmantis cagedmantis added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Dec 11, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/652996 mentions this issue: x509roots: support constrained roots

@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. FixPending Issues that have a fix which has not yet been reviewed or submitted. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Feb 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
FixPending Issues that have a fix which has not yet been reviewed or submitted. NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
6 participants
@cagedmantis @AGWA @dmitshur @ianlancetaylor @gopherbot @gabyhelp