• Stars: 134
• Rank 270,967 (Top 6 %)
• Language: Go
• Created almost 13 years ago
• Updated almost 7 years ago

Repository Details

Extracting Mozilla's Root Certificates

When people need a list of root certificates, they often turn to Mozilla's. However, Mozilla doesn't produce a nice list of PEM-encoded certificates; rather, they keep them in a form which is convenient for NSS to build from:

https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Several people have written quick scripts to try and convert this into PEM format, but they often miss something critical: some certificates are explicitly distrusted. These include the DigiNotar certificates and the misissued COMODO certificates. If you don't parse the trust records from the NSS data file, then you end up trusting these!

So this is a tool that I wrote for converting the NSS file to PEM format which is also aware of the trust records. It can be built with Go1. See http://golang.org/doc/install.html, but don't pass "-u release" when fetching the repository.

Once you have Go installed please do the following:

% curl https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt -o certdata.txt
% go run convert_mozilla_certdata.go > certdata.new
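Why the trust records matter, as an added example (this is not the repository's convert_mozilla_certdata.go): it compares a naive converter that emits every CKO_CERTIFICATE object with one that consults the CKO_NSS_TRUST record first. The sample data and its labels are constructed, and pairing records by CKA_LABEL is a simplifying assumption made for this sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in certdata.txt syntax; made-up labels, octal attributes omitted.
const sample = `CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Good Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Good Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED`

// classify returns every certificate label (what a naive converter emits) and
// only those whose trust record delegates server-auth trust (paired by label, an assumption).
func classify(data string) (all, trusted []string) {
	var class, label string
	trust := map[string]string{}
	for _, line := range strings.Split(data, "\n") {
		f := strings.SplitN(strings.TrimSpace(line), " ", 3)
		switch {
		case len(f) < 3: // blank line, comment or other short line
		case f[0] == "CKA_CLASS":
			class = f[2]
		case f[0] == "CKA_LABEL":
			if label = strings.Trim(f[2], `"`); class == "CKO_CERTIFICATE" {
				all = append(all, label)
			}
		case f[0] == "CKA_TRUST_SERVER_AUTH" && class == "CKO_NSS_TRUST":
			trust[label] = f[2]
		}
	}
	for _, l := range all {
		if trust[l] == "CKT_NSS_TRUSTED_DELEGATOR" {
			trusted = append(trusted, l)
		}
	}
	return all, trusted
}

func main() {
	fmt.Println(classify(sample))
}
```

A certificate with no trust record, or with any value other than CKT_NSS_TRUSTED_DELEGATOR, is left out of the trusted list, so the default is to exclude.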

More Repositories

1. pond (Go, 910 stars): Pond
2. xmpp-client (Go, 366 stars): An XMPP client with OTR support
3. curve25519-donna (C, 323 stars): Implementations of a fast Elliptic-curve Diffie-Hellman primitive
4. critbit (C, 319 stars): Critbit trees in C
5. ed25519 (179 stars): ed25519 for Go
6. ctgrind (C, 147 stars): Checking that functions are constant time with Valgrind
7. crlset-tools (Go, 137 stars): Tools for dealing with Chrome's CRLSets
8. dnssec-tls-tools (Python, 35 stars): DNSSEC/TLS tools
9. dnscurve (C, 23 stars): Tools for DNS curve implementation
10. certificatetransparency (Go, 18 stars): Certificate Transparency stuff
11. rwb0fuz1024 (C, 16 stars): This is example code for a Rabin-Williams public-key signature scheme designed to provide high speed verification and small signatures.
12. shamirsplit (Go, 16 stars): The shamirsplit package implements Shamir's cryptographic secret sharing algorithm
13. libdjb (C, 14 stars): A massaging of DJB's various client libraries into something that's easy to build and use
14. dclxvi (Assembly, 12 stars): Naehrig, Niederhagen and Schwabe's pairings code, massaged into a shared library.
15. obstcp (C, 11 stars): Obfuscated TCP
16. gcmsiv (Go, 11 stars): draft-irtf-cfrg-gcmsiv-00
17. nullok (Shell, 10 stars): Scripts that I used to write a blog post about section 7.24.1(2) of C11
18. local-dns-cache (C, 10 stars): DJB's dnscache made to play nicely with modern distributions
19. panda (Go, 8 stars): PANDA key agreement experiment
20. transport-security-state-generate (7 stars)
21. lsmsb (C++, 7 stars): Linux Security Modules based sandboxing scheme
22. tlsclient (C++, 5 stars)
23. cfrgcurve (XSLT, 5 stars): CFRG document on elliptic curves
24. tls-chacha20poly1305 (HTML, 4 stars): IETF draft for ChaCha20+Poly1305 in TLS
25. tls-padding (XML, 4 stars): TLS padding draft
26. harfbuzz (3 stars): Harfbuzz is a unification of the shaping engines from Pango and Qt4 (fork)
27. spdy-compliance (Go, 3 stars): SPDY compliance tests (mirror)
28. aweb (Haskell, 3 stars): Literate programming scheme targeting C and HTML
29. ACVP-wiki (3 stars)
30. jbig2enc (C++, 3 stars): JBIG2 Encoder
31. otc (C++, 2 stars): OpenType Condom
32. technotes (HTML, 1 star): Automatically exported from code.google.com/p/technotes
33. pkits-go (Go, 1 star): PKI testsuite for Go.