Mozilla trusted roots data set and assoc. tooling
ZLint's Mozilla root program specific lints will deliver the best results once we have the infrastructure in place to determine whether a public key corresponds to an SPKI from the Mozilla trusted root set.
One approach (originally included as part of #323 by @fotisl) is to process certificates from the NSS certdata.txt file, emitting SHA256 hashes of the associated encoded SPKI fields. The certdata.txt file is accessible through the MXR source code viewer here:
http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
Since this data is subject to change, it makes sense to follow a model similar to the one used for gTLD data: a stand-alone command that can be run to emit a rendered .go file with the data in the zlint source tree. Automation like @tld-update-bot can then run the stand-alone command on a daily basis and submit PRs for changes.
#323 implemented this workflow with a zlint-mozilla-trusted-roots-update command that rendered a []string of SPKI hashes to util/mozilla_trusted_roots_data.go. That data file was then used by a util.IsInMozillaRootStore function. One example consumer of this information is the e_mp_allowed_eku lint. This is likely a good starting point for anyone interested in picking the work up.
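The pipeline sketched above (decode the MULTILINE_OCTAL certificate blobs in certdata.txt, hash each DER SubjectPublicKeyInfo with SHA256, check a certificate's SPKI against that set) in a small self-contained Go program. This is an added example, not the #323 code or anything from the zlint tree: isInMozillaRootStore only stands in for util.IsInMozillaRootStore and its signature is assumed, the certdata fragment is built at runtime from a constructed self-signed CA so it runs offline, and the parser deliberately matches only CKA_VALUE blocks (CKA_ISSUER, CKA_SERIAL_NUMBER and the trust-object hash attributes use the same octal encoding but are not certificates).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// certdataOctal renders DER the way certdata.txt stores CKA_VALUE: "\ooo" escapes, 16 bytes per line.
func certdataOctal(der []byte) string {
	var sb strings.Builder
	for i, b := range der {
		fmt.Fprintf(&sb, "\\%03o", b)
		if i%16 == 15 || i == len(der)-1 {
			sb.WriteByte('\n')
		}
	}
	return sb.String()
}

// parseCertdataValues decodes every "CKA_VALUE MULTILINE_OCTAL ... END" block back to DER.
// Other MULTILINE_OCTAL attributes (CKA_ISSUER, CKA_SERIAL_NUMBER, trust hashes) are skipped.
func parseCertdataValues(text string) ([][]byte, error) {
	var certs [][]byte
	var cur []byte // non-nil only while inside a CKA_VALUE block
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "CKA_VALUE MULTILINE_OCTAL":
			cur = []byte{}
		case cur != nil && line == "END":
			certs, cur = append(certs, cur), nil
		case cur != nil:
			for _, tok := range strings.Fields(strings.ReplaceAll(line, `\`, " ")) {
				v, err := strconv.ParseUint(tok, 8, 8)
				if err != nil {
					return nil, fmt.Errorf("bad octal escape %q: %w", tok, err)
				}
				cur = append(cur, byte(v))
			}
		}
	}
	return certs, nil
}

// spkiHash is the hex SHA256 of the DER SubjectPublicKeyInfo: the value the rendered .go data file lists.
func spkiHash(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// buildRootStore turns certdata text into the set of trusted SPKI hashes.
func buildRootStore(certdata string) (map[string]bool, error) {
	ders, err := parseCertdataValues(certdata)
	if err != nil {
		return nil, err
	}
	store := make(map[string]bool, len(ders))
	for _, der := range ders {
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		store[spkiHash(cert)] = true
	}
	return store, nil
}

// isInMozillaRootStore stands in for util.IsInMozillaRootStore (signature assumed); keying on SPKI
// rather than the whole certificate means cross-signed roots that share a key also match.
func isInMozillaRootStore(store map[string]bool, cert *x509.Certificate) bool {
	return store[spkiHash(cert)]
}

// makeSelfSigned builds a constructed sample CA (Ed25519, empty subject) so the example runs offline.
func makeSelfSigned() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

func main() {
	rootDER, _ := makeSelfSigned()
	otherDER, _ := makeSelfSigned()
	// A minimal, constructed certdata.txt certificate object wrapping the sample root.
	certdata := "CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\nCKA_VALUE MULTILINE_OCTAL\n" + certdataOctal(rootDER) + "END\n"
	store, _ := buildRootStore(certdata)
	root, _ := x509.ParseCertificate(rootDER)
	other, _ := x509.ParseCertificate(otherDER)
	fmt.Println(isInMozillaRootStore(store, root), isInMozillaRootStore(store, other)) // true false
}
```

A real generator built on this would additionally read each object's CKA_TRUST_SERVER_AUTH value so that only roots marked CKT_NSS_TRUSTED_DELEGATOR are emitted (certdata.txt also carries explicitly distrusted certificates), and should sort the hashes before rendering the []string so the daily bot PRs show minimal diffs.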
Related to #277.