
tools: fix root certificate updater #55681

Closed (3 commits)

Conversation

richardlau
Member

@richardlau richardlau commented Nov 1, 2024

Determine the NSS version from actual Firefox releases, instead of attempting to parse a wiki page (which is sensitive to formatting changes and relies on the page being up to date).

Refs: #54680 (comment)


Second commit is the result of running the script to update to Firefox 131 which picks up NSS 3.104.

Running the script again without specifying the version shows the script picking up Firefox 132 and NSS 3.105, but there are no certdata changes from NSS 3.104, which would correctly prevent .github/workflows/tools.yml from creating a new pull request as no files would change:

$ node tools/dep_updaters/update-root-certs.mjs -v
Fetching Firefox release data from https://nucleus.mozilla.org/rna/all-releases.json.
Fetching NSS tag from https://hg.mozilla.org/releases/mozilla-release/raw-file/FIREFOX_132_0_RELEASE/security/nss/TAG-INFO.
Found tag NSS_3_105_RTM.
Updating to NSS version 3.105
Fetching https://raw.githubusercontent.com/nss-dev/nss/refs/tags/NSS_3_105_RTM/lib/ckfw/builtins/certdata.txt
Writing /home/rlau/sandbox/github/node/tools/certdata.txt
Running tools/mk-ca-bundle.pl
Parsing: GlobalSign Root CA
Parsing: Entrust.net Premium 2048 Secure Server CA
Parsing: Baltimore CyberTrust Root
Parsing: Entrust Root Certification Authority
Parsing: Comodo AAA Services root
Parsing: QuoVadis Root CA 2
Parsing: QuoVadis Root CA 3
Parsing: XRamp Global CA Root
Parsing: Go Daddy Class 2 CA
Parsing: Starfield Class 2 CA
Parsing: DigiCert Assured ID Root CA
Parsing: DigiCert Global Root CA
Parsing: DigiCert High Assurance EV Root CA
Parsing: SwissSign Gold CA - G2
Parsing: SwissSign Silver CA - G2
Parsing: SecureTrust CA
Parsing: Secure Global CA
Parsing: COMODO Certification Authority
Parsing: COMODO ECC Certification Authority
Parsing: Certigna
Parsing: ePKI Root Certification Authority
Parsing: certSIGN ROOT CA
Parsing: NetLock Arany (Class Gold) Főtanúsítvány
Parsing: SecureSign RootCA11
Parsing: Microsec e-Szigno Root CA 2009
Parsing: GlobalSign Root CA - R3
Parsing: Izenpe.com
Parsing: Go Daddy Root Certificate Authority - G2
Parsing: Starfield Root Certificate Authority - G2
Parsing: Starfield Services Root Certificate Authority - G2
Parsing: AffirmTrust Commercial
Parsing: AffirmTrust Networking
Parsing: AffirmTrust Premium
Parsing: AffirmTrust Premium ECC
Parsing: Certum Trusted Network CA
Parsing: TWCA Root Certification Authority
Parsing: Security Communication RootCA2
Parsing: Actalis Authentication Root CA
Parsing: Buypass Class 2 Root CA
Parsing: Buypass Class 3 Root CA
Parsing: T-TeleSec GlobalRoot Class 3
Parsing: D-TRUST Root Class 3 CA 2 2009
Parsing: D-TRUST Root Class 3 CA 2 EV 2009
Parsing: CA Disig Root R2
Parsing: ACCVRAIZ1
Parsing: TWCA Global Root CA
Parsing: TeliaSonera Root CA v1
Parsing: T-TeleSec GlobalRoot Class 2
Parsing: Atos TrustedRoot 2011
Parsing: QuoVadis Root CA 1 G3
Parsing: QuoVadis Root CA 2 G3
Parsing: QuoVadis Root CA 3 G3
Parsing: DigiCert Assured ID Root G2
Parsing: DigiCert Assured ID Root G3
Parsing: DigiCert Global Root G2
Parsing: DigiCert Global Root G3
Parsing: DigiCert Trusted Root G4
Parsing: COMODO RSA Certification Authority
Parsing: USERTrust RSA Certification Authority
Parsing: USERTrust ECC Certification Authority
Parsing: GlobalSign ECC Root CA - R5
Parsing: IdenTrust Commercial Root CA 1
Parsing: IdenTrust Public Sector Root CA 1
Parsing: Entrust Root Certification Authority - G2
Parsing: Entrust Root Certification Authority - EC1
Parsing: CFCA EV ROOT
Parsing: OISTE WISeKey Global Root GB CA
Parsing: SZAFIR ROOT CA2
Parsing: Certum Trusted Network CA 2
Parsing: Hellenic Academic and Research Institutions RootCA 2015
Parsing: Hellenic Academic and Research Institutions ECC RootCA 2015
Parsing: ISRG Root X1
Parsing: AC RAIZ FNMT-RCM
Parsing: Amazon Root CA 1
Parsing: Amazon Root CA 2
Parsing: Amazon Root CA 3
Parsing: Amazon Root CA 4
Parsing: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
Parsing: GDCA TrustAUTH R5 ROOT
Parsing: SSL.com Root Certification Authority RSA
Parsing: SSL.com Root Certification Authority ECC
Parsing: SSL.com EV Root Certification Authority RSA R2
Parsing: SSL.com EV Root Certification Authority ECC
Parsing: GlobalSign Root CA - R6
Parsing: OISTE WISeKey Global Root GC CA
Parsing: UCA Global G2 Root
Parsing: UCA Extended Validation Root
Parsing: Certigna Root CA
Parsing: emSign Root CA - G1
Parsing: emSign ECC Root CA - G3
Parsing: emSign Root CA - C1
Parsing: emSign ECC Root CA - C3
Parsing: Hongkong Post Root CA 3
Parsing: Entrust Root Certification Authority - G4
Parsing: Microsoft ECC Root Certificate Authority 2017
Parsing: Microsoft RSA Root Certificate Authority 2017
Parsing: e-Szigno Root CA 2017
Parsing: certSIGN Root CA G2
Parsing: Trustwave Global Certification Authority
Parsing: Trustwave Global ECC P256 Certification Authority
Parsing: Trustwave Global ECC P384 Certification Authority
Parsing: NAVER Global Root Certification Authority
Parsing: AC RAIZ FNMT-RCM SERVIDORES SEGUROS
Parsing: GlobalSign Root R46
Parsing: GlobalSign Root E46
Parsing: GLOBALTRUST 2020
Parsing: ANF Secure Server Root CA
Parsing: Certum EC-384 CA
Parsing: Certum Trusted Root CA
Parsing: TunTrust Root CA
Parsing: HARICA TLS RSA Root CA 2021
Parsing: HARICA TLS ECC Root CA 2021
Parsing: Autoridad de Certificacion Firmaprofesional CIF A62634068
Parsing: vTrus ECC Root CA
Parsing: vTrus Root CA
Parsing: ISRG Root X2
Parsing: HiPKI Root CA - G1
Parsing: GlobalSign ECC Root CA - R4
Parsing: GTS Root R1
Parsing: GTS Root R2
Parsing: GTS Root R3
Parsing: GTS Root R4
Parsing: Telia Root CA v2
Parsing: D-TRUST BR Root CA 1 2020
Parsing: D-TRUST EV Root CA 1 2020
Parsing: DigiCert TLS ECC P384 Root G5
Parsing: DigiCert TLS RSA4096 Root G5
Parsing: Certainly Root R1
Parsing: Certainly Root E1
Parsing: Security Communication RootCA3
Parsing: Security Communication ECC RootCA1
Parsing: BJCA Global Root CA1
Parsing: BJCA Global Root CA2
Parsing: Sectigo Public Server Authentication Root E46
Parsing: Sectigo Public Server Authentication Root R46
Parsing: SSL.com TLS RSA Root CA 2022
Parsing: SSL.com TLS ECC Root CA 2022
Parsing: Atos TrustedRoot Root CA ECC TLS 2021
Parsing: Atos TrustedRoot Root CA RSA TLS 2021
Parsing: TrustAsia Global Root CA G3
Parsing: TrustAsia Global Root CA G4
Parsing: CommScope Public Trust ECC Root-01
Parsing: CommScope Public Trust ECC Root-02
Parsing: CommScope Public Trust RSA Root-01
Parsing: CommScope Public Trust RSA Root-02
Parsing: Telekom Security TLS ECC Root 2020
Parsing: Telekom Security TLS RSA Root 2023
Parsing: FIRMAPROFESIONAL CA ROOT-A WEB
Parsing: TWCA CYBER Root CA
Parsing: SecureSign Root CA12
Parsing: SecureSign Root CA14
Parsing: SecureSign Root CA15
Done (152 CA certs processed, 25 skipped).


NEW_VERSION=3.105
COMMIT_MSG<<c116927d-aa5a-4b1e-b0ba-96d2c33ae849
crypto: update root certificates to NSS 3.105

This is the certdata.txt[0] from NSS 3.105.

This is the version of NSS that shipped in Firefox 132.0 on 2024-10-29.

[0] https://raw.githubusercontent.com/nss-dev/nss/refs/tags/NSS_3_105_RTM/lib/ckfw/builtins/certdata.txt
c116927d-aa5a-4b1e-b0ba-96d2c33ae849
$ git status
On branch rootcerts
Your branch is ahead of 'upstream/main' by 2 commits.
  (use "git push" to publish your local commits)

nothing to commit, working tree clean
$

For the release notes, the notable change is

Update root certificates to NSS 3.104

This is the version of NSS that shipped in Firefox 131.0 on 2024-10-01.

Certificates added:
- FIRMAPROFESIONAL CA ROOT-A WEB
- TWCA CYBER Root CA
- SecureSign Root CA12
- SecureSign Root CA14
- SecureSign Root CA15

Determine the NSS version from actual Firefox releases, instead of
attempting to parse a wiki page (which is sensitive to formatting
changes and relies on the page being up to date).
This is the certdata.txt[0] from NSS 3.104.

This is the version of NSS that shipped in Firefox 131.0 on 2024-10-01.

Certificates added:
- FIRMAPROFESIONAL CA ROOT-A WEB
- TWCA CYBER Root CA
- SecureSign Root CA12
- SecureSign Root CA14
- SecureSign Root CA15

[0] https://raw.githubusercontent.com/nss-dev/nss/refs/tags/NSS_3_104_RTM/lib/ckfw/builtins/certdata.txt
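The lookup chain the log output above walks through (Firefox release version to mozilla-release tag, that tag's security/nss/TAG-INFO to the NSS release tag, and the NSS tag to a pinned certdata.txt URL), together with the "nothing changed, so no pull request" decision, as an added JavaScript example. This is not the project's tools/dep_updaters/update-root-certs.mjs: the URL shapes are copied from the log, the function names and the returned plan object are this example's own, and the Firefox release to use is taken as an input instead of being read from all-releases.json, whose format the page does not show.

```javascript
// Added example, not the project's tools/dep_updaters/update-root-certs.mjs.
// URL shapes come from the PR's log output; function names, the plan object and the
// sample inputs at the bottom are assumptions of this example.

// "132.0" -> "FIREFOX_132_0_RELEASE" (the tag seen in the TAG-INFO URL of the log).
function firefoxReleaseTag(firefoxVersion) {
  if (!/^\d+(\.\d+)+$/.test(firefoxVersion)) {
    throw new Error(`not a Firefox release version: ${JSON.stringify(firefoxVersion)}`);
  }
  return `FIREFOX_${firefoxVersion.replace(/\./g, '_')}_RELEASE`;
}

function tagInfoUrl(firefoxVersion) {
  return 'https://hg.mozilla.org/releases/mozilla-release/raw-file/' +
    `${firefoxReleaseTag(firefoxVersion)}/security/nss/TAG-INFO`;
}

// TAG-INFO body "NSS_3_105_RTM" -> { tag: "NSS_3_105_RTM", version: "3.105" }.
// Only *_RTM release tags are accepted: a beta tag, an HTML error page or an empty
// body must fail loudly rather than produce a bogus version or fetch URL.
function parseNssTagInfo(body) {
  const tag = body.trim();
  const m = /^NSS_(\d+)_(\d+)(?:_(\d+))?_RTM$/.exec(tag);
  if (m === null) throw new Error(`unexpected NSS tag: ${JSON.stringify(tag)}`);
  const version = m[3] === undefined ? `${m[1]}.${m[2]}` : `${m[1]}.${m[2]}.${m[3]}`;
  return { tag, version };
}

// certdata.txt is fetched by git tag, never from a moving branch, so the source is pinned.
function certdataUrl(nssTag) {
  return `https://raw.githubusercontent.com/nss-dev/nss/refs/tags/${nssTag}/lib/ckfw/builtins/certdata.txt`;
}

// Numeric comparison of dotted versions: "3.105" > "3.104.1" > "3.104".
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Decide whether an update run should proceed, given the NSS version currently vendored
// and the TAG-INFO body fetched for the chosen Firefox release. A tag older than what is
// already vendored is refused: the updater must never roll the trust store backwards.
function planUpdate(currentNssVersion, tagInfoBody) {
  const { tag, version } = parseNssTagInfo(tagInfoBody);
  const cmp = compareVersions(version, currentNssVersion);
  return {
    tag,
    version,
    url: certdataUrl(tag),
    proceed: cmp > 0, // equal means there is nothing to do
    reason: cmp < 0 ? 'older than vendored version'
      : cmp === 0 ? 'already at this version' : 'newer version',
  };
}

// After fetching, a PR is only worth opening if the file actually changed; the log's
// "nothing to commit, working tree clean" is this same check done by git.
function needsCommit(currentCertdata, fetchedCertdata) {
  return currentCertdata !== fetchedCertdata;
}

// Constructed sample mirroring the log: 3.104 vendored, Firefox 132 points at NSS 3.105.
const samplePlan = planUpdate('3.104', 'NSS_3_105_RTM\n');
console.log(tagInfoUrl('132.0'));
console.log(samplePlan);
console.log('needs commit:', needsCommit('# constructed certdata', '# constructed certdata'));
```

The two refusals (a non-RTM tag and a version older than the one already vendored) are the points where a parsing slip would otherwise turn into a silently wrong root store, which is the failure mode the wiki-scraping approach this PR replaces was exposed to.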
@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Nov 1, 2024
@RedYetiDev RedYetiDev added crypto Issues and PRs related to the crypto subsystem. tools Issues and PRs related to the tools directory. commit-queue-rebase Add this label to allow the Commit Queue to land a PR in several commits. labels Nov 1, 2024
@richardlau richardlau added request-ci Add this label to start a Jenkins CI on a PR. notable-change PRs with changes that should be highlighted in changelogs. labels Nov 1, 2024
Contributor

github-actions bot commented Nov 1, 2024

The notable-change label has been added by @richardlau.

Please suggest a text for the release notes if you'd like to include a more detailed summary, then proceed to update the PR description with the text or a link to the notable change suggested text comment. Otherwise, the commit will be placed in the Other Notable Changes section.

@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Nov 1, 2024


codecov bot commented Nov 1, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.40%. Comparing base (9b6cea6) to head (35da4e0).
Report is 35 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #55681      +/-   ##
==========================================
- Coverage   88.43%   88.40%   -0.03%     
==========================================
  Files         654      654              
  Lines      187720   187594     -126     
  Branches    36140    36097      -43     
==========================================
- Hits       166004   165838     -166     
- Misses      14953    14998      +45     
+ Partials     6763     6758       -5     

see 43 files with indirect coverage changes

@nodejs-github-bot
Collaborator

@richardlau richardlau added lts-watch-v18.x PRs that may need to be released in v18.x. lts-watch-v20.x PRs that may need to be released in v20.x lts-watch-v22.x PRs that may need to be released in v22.x labels Nov 2, 2024
Review comment on tools/dep_updaters/update-root-certs.mjs (outdated, resolved)
Co-authored-by: Michaël Zasso <targos@protonmail.com>
@richardlau richardlau added the request-ci Add this label to start a Jenkins CI on a PR. label Nov 2, 2024
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Nov 2, 2024

@nodejs-github-bot
Collaborator

@richardlau richardlau added the commit-queue Add this label to land a pull request using GitHub Actions. label Nov 3, 2024
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Nov 3, 2024
@nodejs-github-bot
Collaborator

Landed in 8dd0819...32ff100

nodejs-github-bot pushed a commit that referenced this pull request Nov 3, 2024
Determine the NSS version from actual Firefox releases, instead of
attempting to parse a wiki page (which is sensitive to formatting
changes and relies on the page being up to date).

PR-URL: #55681
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
nodejs-github-bot pushed a commit that referenced this pull request Nov 3, 2024
This is the certdata.txt[0] from NSS 3.104.

This is the version of NSS that shipped in Firefox 131.0 on 2024-10-01.

Certificates added:
- FIRMAPROFESIONAL CA ROOT-A WEB
- TWCA CYBER Root CA
- SecureSign Root CA12
- SecureSign Root CA14
- SecureSign Root CA15

[0] https://raw.githubusercontent.com/nss-dev/nss/refs/tags/NSS_3_104_RTM/lib/ckfw/builtins/certdata.txt

PR-URL: #55681
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
@richardlau richardlau deleted the rootcerts branch November 3, 2024 19:53
aduh95 pushed a commit that referenced this pull request Nov 5, 2024 (same commit message as the first landed commit above)
aduh95 pushed a commit that referenced this pull request Nov 5, 2024 (same commit message as the second landed commit above)
6 participants