tlsrestrictnss

package module, version v0.0.5
Published: Jan 17, 2022 License: GPL-3.0 Imports: 12 Imported by: 0

README

tlsrestrictnss

This tool applies a name constraint exclusion to an NSS sqlite database for all CKBI TLS trust anchors. The intended use case is to disallow public CAs from issuing certificates for TLDs with unique regulatory or policy requirements, such as:

  • The .bit TLD used by Namecoin.
  • A TLD controlled by your corporate intranet.

Requirements

tlsrestrictnss requires Go 1.10.0 or higher; this requirement is inherited from the crosssignnameconstraint dependency.

Warnings

  • This tool only applies name constraints to certificates from Mozilla's CKBI (built-in certificates) module. If you want to import a TLS trust anchor that's not part of CKBI, and you want a name constraint to be applied to it, you should use crosssignnameconstraint to modify that trust anchor before you import it to NSS.
  • This tool will probably prevent HPKP from working as intended, unless HPKP is applied to user-defined trust anchors. Firefox is capable of doing this (though it's not the default); Chromium is not, AFAIK.

Licence

tlsrestrictnss is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

tlsrestrictnss is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with tlsrestrictnss. If not, see https://www.gnu.org/licenses/.

Documentation

Index

Constants

const (
	// NSSCertutilName is the executable name of NSS certutil.
	NSSCertutilName = "certutil"
	// NSSCKBIName is the filename of the NSS CKBI shared library.
	NSSCKBIName = "libnssckbi.so"
)

Variables

var _, Log = xlog.New("tlsrestrictnss")

Note from the source comment: the golint warning on this declaration is a bug in xlog; the bug report is at https://github.com/hlandau/xlog/issues/6 (nolint: golint).

Functions

func ApplyRestrictions

func ApplyRestrictions(nssDestDir, nssCKBIDir string,
	CKBICerts map[string]NSSCertificate, nicksToRemove,
	nicksToAdd []string, rootPrefix, intermediatePrefix, crossSignedPrefix,
	excludedDomain string) error

ApplyRestrictions applies the specified name constraint operations to the sqlite NSS database at the specified nssDestDir. nssCKBIDir should contain a CKBI library (libnssckbi.so on GNU+Linux systems). CKBICerts, nicksToRemove, and nicksToAdd are the output of GetCKBICertList(), GetCertsToRemove(), and GetCertsToAdd(), respectively. rootPrefix, intermediatePrefix, and crossSignedPrefix are prepended to the nicknames of each certificate in CKBICerts when adding the root, intermediate, and cross-signed certificates. rootPrefix and intermediatePrefix are also prepended to the Subject CommonName of each certificate in CKBICerts when generating the root and intermediate certificates. excludedDomain specifies the DNS domain name to exclude via a name constraint. TODO: Figure out how to avoid race conditions here.

func CalculateAndApplyConstraints added in v0.0.3

func CalculateAndApplyConstraints(nssCKBIDir, nssTempDir, nssDestDir,
	rootPrefix, intermediatePrefix, crossSignedPrefix,
	excludedDomain string, undo bool) error

CalculateAndApplyConstraints is a high-level wrapper for the other functions in tlsrestrictnss. It extracts the certificate lists from CKBI and the NSS DB, calculates which changes to make, and applies those changes. A previous operation can be reversed by setting undo to true.
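The root / intermediate / cross-signed construction that ApplyRestrictions and CalculateAndApplyConstraints describe, modelled with Go's crypto/x509 as an added example. This is not tlsrestrictnss code and it does not touch an NSS database or certutil: it builds a constructed stand-in for one CKBI trust anchor, generates a new restricted root, an intermediate carrying an excluded-domain name constraint for "bit", and a cross-signed copy of the CKBI root under that intermediate, then verifies leaf certificates issued by the CKBI root against the trust store before and after the swap. All names here (Store, BuildStore, issue, template, IsNameConstraintError) are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // toy serial counter; a real CA uses random serials

// template builds a minimal CA or end-entity certificate template (hypothetical helper).
func template(cn string, ca bool) *x509.Certificate {
	serial++
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl with parent/parentKey and returns the parsed certificate (hypothetical helper).
func issue(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Store holds the trust store before the tool runs (the CKBI root is an anchor)
// and after (only the restricted root is an anchor; the constrained intermediate
// and the cross-signed CKBI root are available as untrusted intermediates).
type Store struct {
	Before, After, Intermediates *x509.CertPool
	ckbiRoot                     *x509.Certificate
	ckbiKey                      *ecdsa.PrivateKey
}

// BuildStore performs the construction for one constructed CKBI anchor.
func BuildStore(excludedDomain string) *Store {
	// Constructed stand-in for a public CA root from CKBI. In reality only its
	// certificate is available; the private key exists here just to issue leaves.
	ckbiKey := newKey()
	ckbiTmpl := template("Constructed CKBI Root", true)
	ckbiRoot := issue(ckbiTmpl, ckbiTmpl, &ckbiKey.PublicKey, ckbiKey)

	// New self-signed root that takes over as the trust anchor (rootPrefix cert).
	rootKey := newKey()
	rootTmpl := template("Restricted Root", true)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	// Intermediate carrying the name constraint: excludedDomain and every
	// subdomain of it are forbidden for any chain passing through it.
	intKey := newKey()
	intTmpl := template("Restricted Intermediate", true)
	intTmpl.ExcludedDNSDomains = []string{excludedDomain}
	intTmpl.PermittedDNSDomainsCritical = true
	intermediate := issue(intTmpl, root, &intKey.PublicKey, rootKey)

	// Cross-sign the CKBI root's public key under the intermediate, reusing the
	// CKBI root's exact subject so leaves it issued still chain through it.
	xTmpl := template("", true)
	xTmpl.RawSubject = ckbiRoot.RawSubject
	crossSigned := issue(xTmpl, intermediate, ckbiRoot.PublicKey, intKey)

	s := &Store{x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool(), ckbiRoot, ckbiKey}
	s.Before.AddCert(ckbiRoot)
	s.After.AddCert(root)
	s.Intermediates.AddCert(intermediate)
	s.Intermediates.AddCert(crossSigned)
	return s
}

// Verify issues a TLS server leaf for host from the CKBI root and validates it
// against the given anchor pool, as a TLS client would.
func (s *Store) Verify(roots *x509.CertPool, host string) error {
	leaf := template(host, false)
	leaf.DNSNames = []string{host}
	leaf.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	cert := issue(leaf, s.ckbiRoot, &newKey().PublicKey, s.ckbiKey)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: s.Intermediates})
	return err
}

// IsNameConstraintError reports whether err is Go's name-constraint rejection.
func IsNameConstraintError(err error) bool {
	var ce x509.CertificateInvalidError
	return errors.As(err, &ce) && ce.Reason == x509.CANotAuthorizedForThisName
}

func main() {
	s := BuildStore("bit")
	for _, h := range []string{"example.com", "www.example.bit"} {
		fmt.Printf("%-16s before: %v\n", h, s.Verify(s.Before, h))
		fmt.Printf("%-16s after:  %v\n", h, s.Verify(s.After, h))
	}
}
```

The constraint "bit" matches the bare label and every subdomain of it, so www.example.bit is rejected as well as example.bit, while example.com still chains leaf, cross-signed CKBI root, restricted intermediate, restricted root. Go's verifier checks every DNS SAN in the leaf against the constraint, not just the requested hostname, so a certificate listing both a .com and a .bit name is rejected outright; the same exclusion applied through NSS behaves the same way for the CKBI anchors the tool rewrites.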

func GetCKBICertList

func GetCKBICertList(nssCKBIDir, nssTempDir, rootPrefix, intermediatePrefix,
	crossSignedPrefix string) (
	certs map[string]NSSCertificate, rawCerts string, err error)

GetCKBICertList extracts the certificates from a Mozilla CKBI (built-in certificates) module. nssCKBIDir should contain a Mozilla CKBI module (usually libnssckbi.so); nssTempDir should be an empty directory that only trusted applications can read or write to.

func GetCertList

func GetCertList(nssDir, rootPrefix, intermediatePrefix,
	crossSignedPrefix string) (map[string]NSSCertificate, string, error)

GetCertList extracts the certificates from the NSS sqlite database in nssDir.

func GetCertsToAdd

func GetCertsToAdd(CKBICerts, destCerts map[string]NSSCertificate,
	rootPrefix string) ([]string, error)

GetCertsToAdd returns the nicknames of all certs for which cross-signatures should be added to the NSS database.

func GetCertsToRemove

func GetCertsToRemove(CKBICerts, destCerts map[string]NSSCertificate,
	rootPrefix string) ([]string, error)

GetCertsToRemove returns the nicknames of all certs that should be removed from the NSS database prior to adding fresh cross-signatures.

func GetCertsWithCrossSignatures

func GetCertsWithCrossSignatures(destCerts map[string]NSSCertificate,
	rootPrefix, intermediatePrefix, crossSignedPrefix string) ([]string,
	error)

GetCertsWithCrossSignatures returns the nicknames of all certs for which any cross-signature-related certificates are present in destCerts.

Types

type NSSCertificate

type NSSCertificate struct {
	TLSTrust    string
	SMIMETrust  string
	JARXPITrust string
	DER         []byte
}

NSSCertificate represents a certificate from an NSS trust store. See the certutil documentation for the flags that exist in TLSTrust, SMIMETrust, and JARXPITrust.
