Bug 1618404 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Symantec root certs. r=jcj

Differential Revision: https://phabricator.services.mozilla.com/D77062

1 files changed, 48 insertions, 12 deletions

diff --git a/lib/ckfw/builtins/certdata.txt b/lib/ckfw/builtins/certdata.txt
index 850b1afca..ea1492606 100644
--- a/lib/ckfw/builtins/certdata.txt
+++ b/lib/ckfw/builtins/certdata.txt
@@ -1810,7 +1810,10 @@ CKA_VALUE MULTILINE_OCTAL
 \302\005\146\200\241\313\346\063
 END
 CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+# For Server Distrust After: Wed Jan 01 00:00:00 2020
+CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+\062\060\060\061\060\061\060\060\060\060\060\060\132
+END
 CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
 
 # Trust for Certificate "GeoTrust Global CA"
@@ -1972,7 +1975,10 @@ CKA_VALUE MULTILINE_OCTAL
 \244\346\216\330\371\051\110\212\316\163\376\054
 END
 CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+# For Server Distrust After: Sun Sep 30 00:00:00 2018
+CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+\061\070\060\071\063\060\060\060\060\060\060\060\132
+END
 CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
 
 # Trust for Certificate "GeoTrust Universal CA"
@@ -2134,7 +2140,10 @@ CKA_VALUE MULTILINE_OCTAL
 \362\034\054\176\256\002\026\322\126\320\057\127\123\107\350\222
 END
 CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+# For Server Distrust After: Wed Jan 01 00:00:00 2020
+CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+\062\060\060\061\060\061\060\060\060\060\060\060\132
+END
 CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
 
 # Trust for Certificate "GeoTrust Universal CA 2"
@@ -5332,7 +5341,10 @@ CKA_VALUE MULTILINE_OCTAL
 \253\022\350\263\336\132\345\240\174\350\017\042\035\132\351\131
 END
 CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+# For Server Distrust After: Tue Apr 30 00:00:00 2019
+CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+\061\071\060\064\063\060\060\060\060\060\060\060\132
+END
 CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
 
 # Trust for Certificate "GeoTrust Primary Certification Authority"
@@ -5489,7 +5501,10 @@ CKA_VALUE MULTILINE_OCTAL
 \215\126\214\150
 END
 CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+# For Server Distrust After: Tue Apr 30 00:00:00 2019
+CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+\061\071\060\064\063\060\060\060\060\060\060\060\132
+END
 CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
 
 # Trust for Certificate "thawte Primary Root CA"
@@ -5666,7 +5681,10 @@ CKA_VALUE MULTILINE_OCTAL
 \254\021\326\250\355\143\152
 END
 CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+# For Server Distrust After: Tue Apr 30 00:00:00 2019
+CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+\061\071\060\064\063\060\060\060\060\060\060\060\132
+END
 CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
 
 # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
@@ -7243,7 +7261,10 @@ CKA_VALUE MULTILINE_OCTAL
 \021\055
 END
 CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+# For Server Distrust After: Tue Apr 30 00:00:00 2019
+CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+\061\071\060\064\063\060\060\060\060\060\060\060\132
+END
 CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
 
 # Trust for Certificate "GeoTrust Primary Certification Authority - G3"
@@ -7374,7 +7395,10 @@ CKA_VALUE MULTILINE_OCTAL
 \367\130\077\056\162\002\127\243\217\241\024\056
 END
 CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+# For Server Distrust After: Sun Sep 30 00:00:00 2018
+CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+\061\070\060\071\063\060\060\060\060\060\060\060\132
+END
 CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
 
 # Trust for Certificate "thawte Primary Root CA - G2"
@@ -7536,7 +7560,10 @@ CKA_VALUE MULTILINE_OCTAL
 \061\324\100\032\142\064\066\077\065\001\256\254\143\240
 END
 CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+# For Server Distrust After: Tue Apr 30 00:00:00 2019
+CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+\061\071\060\064\063\060\060\060\060\060\060\060\132
+END
 CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
 
 # Trust for Certificate "thawte Primary Root CA - G3"
@@ -7674,7 +7701,10 @@ CKA_VALUE MULTILINE_OCTAL
 \017\212
 END
 CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+# For Server Distrust After: Wed Jan 01 00:00:00 2020
+CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+\062\060\060\061\060\061\060\060\060\060\060\060\132
+END
 CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
 
 # Trust for Certificate "GeoTrust Primary Certification Authority - G2"
@@ -7846,7 +7876,10 @@ CKA_VALUE MULTILINE_OCTAL
 \354\315\202\141\361\070\346\117\227\230\052\132\215
 END
 CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+# For Server Distrust After: Tue Apr 30 00:00:00 2019
+CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+\061\071\060\064\063\060\060\060\060\060\060\060\132
+END
 CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
 
 # Trust for Certificate "VeriSign Universal Root Certification Authority"
@@ -8003,7 +8036,10 @@ CKA_VALUE MULTILINE_OCTAL
 \055\247\330\206\052\335\056\020
 END
 CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+# For Server Distrust After: Thu Jan 31 00:00:00 2019
+CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+\061\071\060\061\063\061\060\060\060\060\060\060\132
+END
 CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
 
 # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"