tls: distrust trustcor ca certificates

[bnoordhuis]

https://www.theregister.com/2022/12/02/mozilla_microsoft_trustcor/ for a summary and https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/ for more details.

tl;dr Microsoft and Mozilla now distrust TrustCor-issued certificates; Microsoft uses a Nov 1 cutoff data, Mozilla Nov 30. I suggest we use Nov 1, too.

Currently still trusted:

$ git rev-parse @
ab064d12b79d14a3d02ba420138cc9d24169a951

$ git grep -i trustcor src/node_root_certs.h 
src/node_root_certs.h:/* TrustCor RootCert CA-1 */
src/node_root_certs.h:/* TrustCor RootCert CA-2 */
src/node_root_certs.h:/* TrustCor ECA-1 */

cc @nodejs/crypto

[richardlau]

https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ suggests that Mozilla are not going to be removing these from the root certs for a while yet but will be distrusting them. I think that's an area where there's a gap in Node.js -- we take the root certs from NSS but I don't think we have any additional logic on top of that (fairly certain that has come up in the past).

[richardlau]

It looks like https://hg.mozilla.org/projects/nss/rev/a871902c05907db3150ac8b7f6a80dd01b5d38c9 is the NSS change. That is to the root certs so maybe we either update to a non-release version of NSS or float the patch onto our certdata.txt and regenerate the header file? I'm not sure that mk-ca-bundle.pl would preserve CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL (and/or CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL) much less Node.js knowing what to do with it.

[bnoordhuis]

we take the root certs from NSS but I don't think we have any additional logic on top of that (fairly certain that has come up in the past)

We've done that at least once in the past, when we started distrusting certain (but not all) CNNIc certificates in commit 3beb880.

mk-ca-bundle.pl does not understand "distrust after" fields, of that I'm fairly sure (and neither does node.)

[richardlau]

As a reference point, our mk-ca-bundle.pl is based on the script of the same name from curl and the current version of that parses the CKA_NSS_SERVER_DISTRUST_AFTER field and skips it if the date is in the past: curl/curl@1ebc53d

[bnoordhuis]

Ubuntu is dropping TrustCor altogether: https://ubuntu.com/security/notices/USN-5761-2

I like that better than the idea of adding custom code for a shifty CA.