crtsh/certwatch_db

Support displaying Microsoft notBeforing

Closed this issue · 7 comments

AuthRoot.stl supports the ability to restrict new certificates based on the notBefore date of the CA certificate.

It'd be useful to indicate that information in the CA record (including transitively to sub-CAs), similar to the display of disallowedroots.stl. That is, the states become "Trusted", "Technically Constrained", "Revoked [via source]", "Constrained (notBefore XX-YY-ZZZZ)" or something to that effect.

@robstradling wdyt?

@sleevi Yes, I agree that it would be useful for crt.sh to support this. I've considered this before, but I've shied away from implementing it so far because:

  1. It's "not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change." (https://docs.microsoft.com/en-us/security/trusted-root/sept2019), but Win7 is still on Extended Support until Jan 14th 2020. What should crt.sh show for a root cert that is "Trusted" on Win7 but "Constrained (notBefore XX-YY-ZZZZ)" on Win10?
  2. I haven't yet found any documentation from Microsoft regarding this and the other attributes that have been added to authroot.stl over the last few years. (Last time I looked at this, I was able to kinda figure out the implementation details of some but not all of them). Do you know of any documentation?

BTW, I don't understand why you say this is "based on the notBefore date of the CA certificate". Please could you explain?

@robstradling I would think "Constrained (notBefore XX-YY-ZZZZ)" could be accompanied by a footnote simply explaining that, on !Win10, anything constrained is actually trusted.

  1. WinCrypt.h has been getting updated in the latest Win 10 SDKs. That said, it's a fair concern. I'm not sure if this would be one they formally document (since it might be viewed as an implementation detail of authroot.stl), but I suspect it will be stable.

  2. notBefore date of the CA certificate meant the "CertGetCertificateContextProperty-notBefore date" - i.e. the attribute of the CA certificate expressed in authroot. Sorry, got thinking how Microsoft does it :)

The Mozilla root store now has a similar feature: https://bugzilla.mozilla.org/show_bug.cgi?id=1465613

Included @robstradling on an e-mail to Microsoft, and I suspect his reversing matches mine, but:

  • CERT_DISALLOWED_FILETIME_PROP_ID (OID: 1.3.6.1.4.1.311.10.11.104)
    • An optional 64-bit little-endian FILETIME that indicates when the certificate was revoked. It can be empty, which seems to indicate since epoch
  • UNKNOWN_RESERVED_PROP_ID_126 (OID: 1.3.6.1.4.1.311.10.11.126)
    • Indicates the NotBefore time of a particular certificate, as a FILETIME (like above)
  • UNKNOWN_RESERVED_PROP_ID_127 (OID: 1.3.6.1.4.1.311.10.11.127)
    • Appears to be the set of EKUs for which the NotBefore-ing applies

Oh, one other observation: When CERT_DISALLOWED_FILETIME_PROP_ID is an empty OCTET STRING, it has the effect of "since the beginning of time" (effectively, revocation since epoch), similar to CRLs going to 1970.
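The property encoding described in the comments above, as an added Go example that is not part of the thread and is not code from crtsh/root_programs: it decodes the 64-bit little-endian FILETIME, handles the empty OCTET STRING case, and renders the display states proposed in the issue. The `statusLabel` function, the OID-keyed map, the exact label wording, and the choice to reject an empty NotBefore value are assumptions made for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const (
	oidDisallowed = "1.3.6.1.4.1.311.10.11.104" // CERT_DISALLOWED_FILETIME_PROP_ID
	oidNotBefore  = "1.3.6.1.4.1.311.10.11.126" // NotBefore property
	epochDelta    = 116444736000000000          // 100ns ticks, 1601-01-01 to 1970-01-01
)

// decodeFiletime reads an 8-byte little-endian FILETIME; an empty value maps to the Unix epoch.
func decodeFiletime(val []byte) (time.Time, error) {
	switch len(val) {
	case 0:
		return time.Unix(0, 0).UTC(), nil
	case 8:
		ticks := int64(binary.LittleEndian.Uint64(val)) - epochDelta
		return time.Unix(ticks/1e7, ticks%1e7*100).UTC(), nil
	}
	return time.Time{}, errors.New("FILETIME property must be 0 or 8 bytes")
}

// statusLabel maps a root's properties (keyed by OID) to a display state. Assumptions:
// the label wording, and rejecting an empty NotBefore (the thread only covers empty disallowed).
func statusLabel(props map[string][]byte) (string, error) {
	for _, p := range []struct{ oid, prefix string; emptyOK bool }{
		{oidDisallowed, "Revoked (since ", true},
		{oidNotBefore, "Constrained (notBefore ", false},
	} {
		if v, ok := props[p.oid]; ok {
			t, err := decodeFiletime(v)
			if err != nil || (len(v) == 0 && !p.emptyOK) {
				return "", errors.New("bad FILETIME value for " + p.oid)
			}
			return p.prefix + t.Format("2006-01-02") + ")", nil
		}
	}
	return "Trusted", nil
}

func main() { // constructed sample: NotBefore of 2019-09-01 UTC, not from a real authroot.stl
	nb := binary.LittleEndian.AppendUint64(nil, uint64(time.Date(2019, 9, 1, 0, 0, 0, 0, time.UTC).Unix()*1e7+epochDelta))
	fmt.Println(statusLabel(map[string][]byte{oidNotBefore: nb}))
}
```

When both properties are present, this sketch reports the disallowed state first.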

@sleevi I've implemented this in e79bd84 and https://github.com/crtsh/root_programs. Please let me know if anything looks wonky.

The Mozilla root store now has a similar feature: https://bugzilla.mozilla.org/show_bug.cgi?id=1465613

I've implemented a Go parser for certdata.txt (based heavily on https://github.com/agl/extract-nss-root-certs, but adding support for CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER) in crtsh/root_programs@78def82. Time to close this issue.