)]}'
{
  "commit": "53f6007e0e5a3eba1919d09ac7130e20e8108ba4",
  "tree": "caddfefaf68344565fdb0af420c5d6c7ebf149f0",
  "parents": [
    "3e721e0c0836588b64deb6e1c1befd08f0f02e71"
  ],
  "author": {
    "name": "Michael Brown",
    "email": "mcb30@ipxe.org",
    "time": "Wed Feb 14 16:02:43 2024 +0000"
  },
  "committer": {
    "name": "Michael Brown",
    "email": "mcb30@ipxe.org",
    "time": "Wed Feb 14 20:10:32 2024 +0000"
  },
  "message": "[crypto] Allow for multiple cross-signed certificate download attempts\n\nCertificates issued by Let\u0027s Encrypt have two options for their chain\nof trust: the chain can either terminate in the self-signed ISRG Root\nX1 root certificate, or in an intermediate ISRG Root X1 certificate\nthat is signed in turn by the self-signed DST Root CA X3 root\ncertificate.  This is a historical artifact: when Let\u0027s Encrypt first\nlaunched as a project, the chain ending in DST Root CA X3 was used\nsince existing clients would not have recognised the ISRG Root X1\ncertificate as a trusted root certificate.\n\nThe DST Root CA X3 certificate expired in September 2021, and so is no\nlonger trusted by clients (such as iPXE) that validate the expiry\ntimes of all certificates in the certificate chain.\n\nIn order to maintain usability of certificates on older Android\ndevices, the default certificate chain provided by Let\u0027s Encrypt still\nterminates in DST Root CA X3, even though that certificate has now\nexpired.  On newer devices which include ISRG Root X1 as a trusted\nroot certificate, the intermediate version of ISRG Root X1 in the\ncertificate chain is ignored and validation is performed as though the\nchain had terminated in the self-signed ISRG Root X1 root certificate.\nOn older Android devices which do not include ISRG Root X1 as a\ntrusted root certificate, the validation succeeds since Android\nchooses to ignore expiry times for root certificates and so continues\nto trust the DST Root CA X3 root certificate.\n\nThis backwards compatibility hack unfortunately breaks the cross-\nsigning mechanism used by iPXE, which assumes that the certificate\nchain will always terminate in a non-expired root certificate.\n\nGeneralise the validator\u0027s cross-signed certificate download mechanism\nto walk up the certificate chain in the event of a failure, attempting\nto find a replacement cross-signed certificate chain starting from the\nnext level up.  This allows the validator to step over the expired\n(and hence invalidatable) DST Root CA X3 certificate, and instead\ndownload the cross-signed version of the ISRG Root X1 certificate.\n\nThis generalisation also gives us the ability to handle servers that\nprovide a full certificate chain including their root certificate:\niPXE will step over the untrusted public root certificate and attempt\nto find a cross-signed version of it instead.\n\nSigned-off-by: Michael Brown \u003cmcb30@ipxe.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "5cad4597ddf45ca44e8964399269da225746a6e0",
      "old_mode": 33188,
      "old_path": "src/include/ipxe/x509.h",
      "new_id": "62f936d1198ba455a21cdcbc4f4d6aab7259ecc6",
      "new_mode": 33188,
      "new_path": "src/include/ipxe/x509.h"
    },
    {
      "type": "modify",
      "old_id": "693d4464b36ab2cbe6606648e6ce3637bba9413b",
      "old_mode": 33188,
      "old_path": "src/net/validator.c",
      "new_id": "d6eaefc6769ab242e7a8ba5fc758ee7787fda0e0",
      "new_mode": 33188,
      "new_path": "src/net/validator.c"
    }
  ]
}