Replace mkcert.org with ccadb.org as the source of truth #41
Conversation
0fbc3f4 to f1769df (force-push)
f1769df to b459ca9 (force-push)
Awesome!
FWIW this is totally fine -- these comments were coming from mkcert's output, and we just wrapped them in a block comment. So we were always somewhat at risk of the output changing under our feet. It's a big improvement alone that the comments are now generated in our code, so it becomes more deterministic.
This is a big improvement! 💯
b459ca9 to f75b638 (force-push)
@djc I think this is ready for another 🔍 pass when you have a chance. I'd like to get your +1 before I merge. Thanks!
f75b638 to 9f48dd9 (force-push)

Description
This branch resolves #37, switching from the third-party mkcert.org service to consuming the IncludedCACertificateReportPEMCSV report directly from the Common CA Database (CCADB).

misc: add jetbrains .idea to git ignore.
Small convenience for CLion users.

tests: clippy fixes for verify.
We weren't running clippy in CI so a couple of small nits slipped through that are fixed in this commit.

ci: add clippy to build workflow.
This prevents backsliding on the above.

lib: remove MD5 and SHA1 fingerprint metadata.
These digest algorithms are not recommended for use. To avoid needing to take unnecessary dependencies in the CCADB tooling that will replace the mkcert data source that provides these fingerprints we choose to remove them, leaving only the SHA256 FP. This will also minimize the diff that must be reviewed when src/lib.rs is regenerated with the new tooling in the subsequent commit.

codegen: use CCADB as the source of truth.
Prior to this commit the tests/codegen.rs generator used https://mkcert.org/ as its source of truth for trusted root metadata. This commit replaces that source of truth (and accompanying generator code) to use https://ccadb.org/ instead. The Common CA Database (CCADB) has emerged as a multi-stakeholder repository for information about certificate authorities participating in the trust stores maintained by CCADB root store operators.
The IncludedCACertificateReportPEMCSV report made available by CCADB is a great replacement for the needs of webpki-roots:
* it allows us to filter by roots that are trusted for TLS.
* it allows us to filter by "distrust after" dates.
* it allows us to generate imposed name constraints automatically.
This removes the need to maintain a separate distrust list in webpki-roots, or a separate manually curated imposed name constraints set.
To minimize the trust surface of webpki-roots we take care to pin the trust anchor used to fetch the CCADB CSV to the trust anchor in use today for serving https://ccadb-public.secure.force.com/, helping minimize the risk of person-in-the-middle attack. Note that we are not pinning the leaf/intermediates in use, just the expected root.
Included in this commit is the regeneration of src/lib.rs with the new tooling, ensuring tests pass. The set of trust anchors remains unchanged, but there are some slight metadata differences to note in review:
* The file header was updated to reflect the new data source.
* The mkcert.org "label" and the CCADB "Common Name or Certificate Name" field used in some of the comment content differ in some cases, e.g. "GlobalSign Root CA - R6" vs "GlobalSign".
* In one case the "issuer" and "subject" fields used in a comment differ based on how we use x509_parser to reconstitute the issuer/subject string from the DER content instead of what mkcert.org provided:
All of the above are metadata-only changes. The PEM, DER, and name constraints content that are the functional parts of this library remain unchanged.
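The three selection rules the codegen commit message lists (keep only roots trusted for TLS, honour "distrust after" dates, take imposed name constraints from the report) are shown below as an added example. This is not webpki-roots code or the PR's generator: it reads a CCADB-style CSV from an inline constant instead of fetching it, the column names and the "YYYY.MM.DD" date format are assumptions about the IncludedCACertificateReportPEMCSV layout, and the rows in `SAMPLE_CSV` are constructed with placeholder PEM bodies. The hand-rolled parser is there because the real report quotes multi-line PEM blocks, which a naive line splitter mishandles.

```rust
// Added example, not webpki-roots code. ASSUMPTIONS: the column names and the
// "YYYY.MM.DD" date format below are assumed to match the CCADB
// IncludedCACertificateReportPEMCSV; SAMPLE_CSV rows and PEM bodies are constructed.
use std::collections::HashMap;

/// Minimal RFC 4180-style CSV parser: quoted fields may contain commas,
/// newlines (the PEM column spans lines) and doubled quotes; CRLF is tolerated.
fn parse_csv(input: &str) -> Vec<Vec<String>> {
    let (mut rows, mut row, mut field, mut in_quotes) = (Vec::new(), Vec::new(), String::new(), false);
    let mut chars = input.chars().peekable();
    while let Some(c) = chars.next() {
        match (c, in_quotes) {
            ('"', true) if chars.peek() == Some(&'"') => { field.push('"'); chars.next(); }
            ('"', true) => in_quotes = false,
            ('"', false) => in_quotes = true,
            (',', false) => row.push(std::mem::take(&mut field)),
            ('\n', false) => { row.push(std::mem::take(&mut field)); rows.push(std::mem::take(&mut row)); }
            ('\r', false) => {}
            (other, _) => field.push(other),
        }
    }
    if !field.is_empty() || !row.is_empty() { row.push(field); rows.push(row); }
    rows
}

#[derive(Debug)]
pub struct Root { pub name: String, pub pem: String, pub constraints: Vec<String> }

/// "YYYY.MM.DD" -> comparable (y, m, d); None when the cell is blank or malformed.
fn parse_date(s: &str) -> Option<(u32, u32, u32)> {
    let p: Vec<&str> = s.trim().split('.').collect();
    if p.len() != 3 { return None; }
    Some((p[0].parse().ok()?, p[1].parse().ok()?, p[2].parse().ok()?))
}

fn field<'a>(row: &'a [String], col: &HashMap<&str, usize>, name: &str) -> &'a str {
    let idx = *col.get(name).unwrap_or_else(|| panic!("missing column {name}"));
    row.get(idx).map(String::as_str).unwrap_or("")
}

/// Roots to include as of `today`: trusted for TLS ("Websites" trust bit) and
/// not past their TLS distrust-after date; constraints are carried along.
pub fn tls_roots(csv: &str, today: (u32, u32, u32)) -> Vec<Root> {
    let rows = parse_csv(csv);
    let (header, body) = rows.split_first().expect("CSV needs a header row");
    let col: HashMap<&str, usize> = header.iter().enumerate().map(|(i, h)| (h.as_str(), i)).collect();
    body.iter().filter_map(|row| {
        // "Trust Bits" is a ';'-separated list such as "Websites;Email".
        if !field(row, &col, "Trust Bits").split(';').any(|b| b.trim() == "Websites") { return None; }
        // A root whose distrust-after date has passed is dropped here, which is
        // what makes a hand-maintained distrust list unnecessary.
        if let Some(cutoff) = parse_date(field(row, &col, "Distrust for TLS After Date")) {
            if today > cutoff { return None; }
        }
        let constraints = field(row, &col, "Mozilla Applied Constraints")
            .split(';').map(str::trim).filter(|c| !c.is_empty()).map(String::from).collect();
        Some(Root {
            name: field(row, &col, "Common Name or Certificate Name").to_string(),
            // the report wraps the PEM text in single quotes (assumption)
            pem: field(row, &col, "PEM Info").trim().trim_matches('\'').to_string(),
            constraints,
        })
    }).collect()
}

// Constructed sample; the base64 line is a placeholder, not a real certificate.
pub const SAMPLE_CSV: &str = "\
Common Name or Certificate Name,Trust Bits,Distrust for TLS After Date,Mozilla Applied Constraints,PEM Info
Example TLS Root,Websites;Email,,,\"'-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----'\"
Example Email-only Root,Email,,,\"'-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----'\"
Example Distrusted Root,Websites,2020.01.01,,\"'-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----'\"
Example Constrained Root,Websites,,.example;.example.net,\"'-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----'\"
";

fn main() {
    for root in tls_roots(SAMPLE_CSV, (2023, 8, 1)) {
        println!("{} constraints={:?}", root.name, root.constraints);
    }
}
```

Passing `today` explicitly rather than reading the clock keeps a generator run reproducible, which matters when the regenerated `src/lib.rs` diff is what reviewers inspect: two runs on the same report and the same date must produce the same file. Real tooling would add the root pinning the commit message describes on the HTTPS fetch; that part is outside this offline example.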