Date: Sat, 15 Mar 2025 13:51:46 GMT
Message-Id: <202503151351.52FDpkuG002094@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Michael Osipov
Subject: git: 4fd560bc94f0 - stable/14 - caroot: Ignore soft distrust of server CA certificates after 398 days
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: michaelo
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 4fd560bc94f0f6f070aeab9183c680a796450f22

The branch stable/14 has been updated by michaelo:

URL: https://cgit.FreeBSD.org/src/commit/?id=4fd560bc94f0f6f070aeab9183c680a796450f22

commit 4fd560bc94f0f6f070aeab9183c680a796450f22
Author:     Michael Osipov
AuthorDate: 2025-02-20 09:48:48 +0000
Commit:     Michael Osipov
CommitDate: 2025-03-15 13:51:24 +0000

    caroot: Ignore soft distrust of server CA certificates after 398 days

    Mozilla introduced the field CKA_NSS_SERVER_DISTRUST_AFTER which indicates
    that a CA certificate will be distrusted in the future before its NotAfter
    time. This means that the CA stops issuing new certificates, but previous
    ones are still valid, but at most for 398 days after the distrust date.

    See also:
    * https://bugzilla.mozilla.org/show_bug.cgi?id=1465613
    * https://github.com/Lukasa/mkcert/issues/19
    * https://gitlab.alpinelinux.org/alpine/ca-certificates/-/merge_requests/16
    * https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c

    Tested by:      michaelo
    Reviewed by:    emaste
    MFC after:      1 week
    Differential Revision: https://reviews.freebsd.org/D49075

    (cherry picked from commit 457c03b397c80d44da92684d417a58b3ca1fed02)
---
 secure/caroot/MAca-bundle.pl | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/secure/caroot/MAca-bundle.pl b/secure/caroot/MAca-bundle.pl index 4feced90d782..58cfe1cbf6fa 100755 --- a/secure/caroot/MAca-bundle.pl +++ b/secure/caroot/MAca-bundle.pl @@ -37,6 +37,8 @@ use strict; use Carp; use MIME::Base64; use Getopt::Long; +use Time::Local qw( timegm_posix ); +use POSIX qw( strftime ); my $generated = '@' . 'generated'; my $inputfh = *STDIN; @@ -101,13 +103,6 @@ EOH } } -# returns a string like YYMMDDhhmmssZ of current time in GMT zone -sub timenow() -{ - my ($sec,$min,$hour,$mday,$mon,$year,undef,undef,undef) = gmtime(time); - return sprintf "%02d%02d%02d%02d%02d%02dZ", $year-100, $mon+1, $mday, $hour, $min, $sec; -} - sub printcert($$$) { my ($fh, $label, $certdata) = @_; @@ -162,10 +157,15 @@ sub grabcert($) if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/) { my $distrust_after = graboct($ifh); - my $time_now = timenow(); - if ($time_now >= $distrust_after) { $distrust = 1; } + my ($year, $mon, $mday, $hour, $min, $sec) = unpack "A2A2A2A2A2A2", $distrust_after; + $distrust_after = timegm_posix( $sec, $min, $hour, $mday, $mon - 1, $year + 100); + my $time_now = time; + # When a CA is distrusted before its NotAfter date, issued certificates + # are valid for a maximum of 398 days after that date. + if ($time_now >= $distrust_after + 398 * 24 * 60 * 60) { $distrust = 1; } if ($debug) { - printf STDERR "line $.: $cka_label ser #%d: distrust after %s, now: %s -> distrust $distrust\n", $serial, $distrust_after, timenow(); + printf STDERR "line $.: $cka_label ser #%d: distrust 398 days after %s, now: %s -> distrust $distrust\n", $serial, + strftime("%FT%TZ", gmtime($distrust_after)), strftime("%FT%TZ", gmtime($time_now)); } if ($distrust) { return undef;
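Review bot: the new `use Time::Local qw( timegm_posix );` in the first hunk quietly raises the script's minimum dependency, since the `*_posix` variants only exist in relatively recent Time::Local releases (added in 1.30); pin it as `use Time::Local 1.30 qw( timegm_posix );` so an older Perl installation fails at compile time with a version message rather than an export error, or fall back to plain `timegm` with the same year adjustment.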
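Review bot: the `unpack "A2A2A2A2A2A2", $distrust_after` in the third hunk assumes the decoded CKA_NSS_SERVER_DISTRUST_AFTER value is exactly `YYMMDDhhmmssZ`; a short or non-numeric value yields empty fields that `timegm_posix` rejects with an unhelpful out-of-range croak, and a longer value is silently truncated. Validate before unpacking, e.g. `$distrust_after =~ /^(\d{12})Z$/ or croak "line $.: malformed CKA_NSS_SERVER_DISTRUST_AFTER";` and unpack from `$1`. Two smaller points in the same hunk: reusing `$distrust_after` first for the raw string and then for the epoch makes the debug output harder to follow (a separate `$distrust_epoch` would read better), and `398 * 24 * 60 * 60` deserves a named constant near the top of the script plus a line in its header comment, since keeping a CA for up to 398 days past its distrust date is a deliberate behaviour change from the previous immediate drop that readers of MAca-bundle.pl alone will not see.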
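As an added illustration of the rule the commit message describes (my own code, not the FreeBSD script, which is Perl), this snippet decodes the CKA_NSS_SERVER_DISTRUST_AFTER field from a constructed certdata.txt fragment, applies the same 398-day grace period, and rejects a malformed value instead of guessing; the function names and the sample entry are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Mozilla's rule as described in the commit message: certificates issued before
# the distrust date stay valid for at most 398 days after it.
DISTRUST_GRACE = timedelta(days=398)

def decode_multiline_octal(lines):
    """Decode certdata.txt MULTILINE_OCTAL escapes (\\ooo) into bytes."""
    return bytes(int(m.group(1), 8)
                 for line in lines for m in re.finditer(r"\\([0-7]{3})", line))

def parse_distrust_after(raw):
    """Parse the UTCTime 'YYMMDDhhmmssZ' into an aware UTC datetime; like the
    patch, the two-digit year is read as 2000-2099."""
    text = raw.decode("ascii", errors="replace")
    if not re.fullmatch(r"\d{12}Z", text):  # reject anything but the expected shape
        raise ValueError(f"malformed CKA_NSS_SERVER_DISTRUST_AFTER: {text!r}")
    yy, mo, dd, hh, mi, ss = (int(text[i:i + 2]) for i in range(0, 12, 2))
    return datetime(2000 + yy, mo, dd, hh, mi, ss, tzinfo=timezone.utc)

def server_distrust_dates(certdata):
    """Map each CKA_LABEL to its server distrust date while scanning certdata text."""
    result, label, lines = {}, None, iter(certdata.splitlines())
    for line in lines:
        if line.startswith("CKA_LABEL UTF8 "):
            label = line.split('"', 2)[1]
        elif line.startswith("CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL"):
            octal = []
            for nxt in lines:  # consume the octal block up to its END marker
                if nxt.strip() == "END":
                    break
                octal.append(nxt)
            result[label] = parse_distrust_after(decode_multiline_octal(octal))
    return result

def drop_from_bundle(distrust_at, now):
    """True once the 398-day grace period after the distrust date has elapsed."""
    return now >= distrust_at + DISTRUST_GRACE

# Constructed sample entry (not taken from the real certdata.txt); the octal
# decodes to "230101000000Z", i.e. 2023-01-01T00:00:00Z.
SAMPLE = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted CA"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\\062\\063\\060\\061\\060\\061\\060\\060\\060\\060\\060\\060\\132
END
"""
```

Calling `server_distrust_dates(SAMPLE)` and then `drop_from_bundle(when, datetime.now(timezone.utc))` reproduces the script's keep-or-drop decision for the sample entry, whose cutoff falls on 2024-02-03T00:00:00Z.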