All,
We are working towards updating the tool that we use in the CCADB to
parse PEM data and fill in the corresponding fields in the CCADB. The
new tool is in the TLS Observatory:
https://github.com/mozilla/tls-observatory
Example:
curl https://tls-observatory.services.mozilla.com/api/v1/certificate -F certificate=@/tmp/certificate.pem
There are some differences in the data that will result when we switch
to the new tool. Please let me know if you foresee problems with any of
these changes.
1) Certificate Serial Number
New value is upper case. (e.g. old: 35def4cf, new: 35DEF4CF)
The new data should be more correct with regard to the handling of leading zeros.
2) SHA-1 Fingerprint and SHA-256 Fingerprint
Removing the colons.
OLD:
08:29:7A:40:47:DB:A2:36:80:C7:31:DB:6E:31:76:53:CA:78:48:E1:BE:BD:3A:0B:01:79:A7:07:F9:2C:F1:78
NEW: 08297A4047DBA23680C731DB6E317653CA7848E1BEBD3A0B0179A707F92CF178
3) Certificate ID
OLD: hash(Subject + SPKI), with colons
NEW: hash(SPKI), no colons
OLD:
4F:31:A6:06:59:45:EA:BC:6A:45:CB:AD:72:D8:0A:20:A4:40:0E:55:05:B9:2A:0C:4C:F1:F6:C1:A3:10:92:9F
NEW: FF5680CD73A5703DA04817A075FD462506A73506C4B81A1583EF549478D26476
4) Signature Hash Algorithm
OLD Values:
ecdsaWithSHA256
ecdsaWithSHA384
md5WithRSAEncryption
sha1WithRSAEncryption
sha256WithRSAEncryption
sha384WithRSAEncryption
sha512WithRSAEncryption
NEW Values:
ecdsaWithSHA256
ecdsaWithSHA384
MD5WithRSA
SHA1WithRSA
SHA256WithRSA
SHA384WithRSA
SHA512WithRSA
5) Key Usage
OLD Values:
cRLSign
digitalSignature
nonRepudiation
keyAgreement
keyEncipherment
keyCertSign
NEW Values:
CRL Sign
Digital Signature
Non Repudiation
Key Encipherment
Certificate Sign
Key Agreement
6) Extended Key Usage
OLD Values:
1.3.6.1.5.5.7.3.9
1.3.6.1.5.5.7.3.5
1.3.6.1.5.5.7.3.6
1.3.6.1.5.5.7.3.7
clientAuth
codeSigning
emailProtection
serverAuth
1.2.840.113583.1.1.5
msSGC
nsSGC
NEW Values:
ExtKeyUsageOCSPSigning
ExtKeyUsageIPSECEndSystem
ExtKeyUsageIPSECTunnel
ExtKeyUsageIPSECUser
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageEmailProtection
ExtKeyUsageServerAuth
ExtKeyUsageTimeStamping
ExtKeyUsageMicrosoftServerGatedCrypto
ExtKeyUsageNetscapeServerGatedCrypto
7) Technically Constrained
Checkbox will be updated according to Mozilla's current policy (e.g. EKU
*and* Name Constraints)
Thanks,
Kathleen