tools: fix root certificate updater

[richardlau]

Determine the NSS version from actual Firefox releases, instead of attempting to parse a wiki page (which is sensitive to formatting changes and relies on the page being up to date).

Refs: #54680 (comment)

---

Second commit is the result of running the script to update to Firefox 131 which picks up NSS 3.104.

Running the script again without specifying the version shows the script picking up Firefox 132 and NSS 3.105 but there are no certdata changes from NSS 3.104 which would correctly prevent .github/workflows/tools.yml from creating a new pull request as no files would change:

$ node tools/dep_updaters/update-root-certs.mjs -v
Fetching Firefox release data from https://nucleus.mozilla.org/rna/all-releases.json.
Fetching NSS tag from https://hg.mozilla.org/releases/mozilla-release/raw-file/FIREFOX_132_0_RELEASE/security/nss/TAG-INFO.
Found tag NSS_3_105_RTM.
Updating to NSS version 3.105
Fetching https://raw.githubusercontent.com/nss-dev/nss/refs/tags/NSS_3_105_RTM/lib/ckfw/builtins/certdata.txt
Writing /home/rlau/sandbox/github/node/tools/certdata.txt
Running tools/mk-ca-bundle.pl
Parsing: GlobalSign Root CA
Parsing: Entrust.net Premium 2048 Secure Server CA
Parsing: Baltimore CyberTrust Root
Parsing: Entrust Root Certification Authority
Parsing: Comodo AAA Services root
Parsing: QuoVadis Root CA 2
Parsing: QuoVadis Root CA 3
Parsing: XRamp Global CA Root
Parsing: Go Daddy Class 2 CA
Parsing: Starfield Class 2 CA
Parsing: DigiCert Assured ID Root CA
Parsing: DigiCert Global Root CA
Parsing: DigiCert High Assurance EV Root CA
Parsing: SwissSign Gold CA - G2
Parsing: SwissSign Silver CA - G2
Parsing: SecureTrust CA
Parsing: Secure Global CA
Parsing: COMODO Certification Authority
Parsing: COMODO ECC Certification Authority
Parsing: Certigna
Parsing: ePKI Root Certification Authority
Parsing: certSIGN ROOT CA
Parsing: NetLock Arany (Class Gold) Főtanúsítvány
Parsing: SecureSign RootCA11
Parsing: Microsec e-Szigno Root CA 2009
Parsing: GlobalSign Root CA - R3
Parsing: Izenpe.com
Parsing: Go Daddy Root Certificate Authority - G2
Parsing: Starfield Root Certificate Authority - G2
Parsing: Starfield Services Root Certificate Authority - G2
Parsing: AffirmTrust Commercial
Parsing: AffirmTrust Networking
Parsing: AffirmTrust Premium
Parsing: AffirmTrust Premium ECC
Parsing: Certum Trusted Network CA
Parsing: TWCA Root Certification Authority
Parsing: Security Communication RootCA2
Parsing: Actalis Authentication Root CA
Parsing: Buypass Class 2 Root CA
Parsing: Buypass Class 3 Root CA
Parsing: T-TeleSec GlobalRoot Class 3
Parsing: D-TRUST Root Class 3 CA 2 2009
Parsing: D-TRUST Root Class 3 CA 2 EV 2009
Parsing: CA Disig Root R2
Parsing: ACCVRAIZ1
Parsing: TWCA Global Root CA
Parsing: TeliaSonera Root CA v1
Parsing: T-TeleSec GlobalRoot Class 2
Parsing: Atos TrustedRoot 2011
Parsing: QuoVadis Root CA 1 G3
Parsing: QuoVadis Root CA 2 G3
Parsing: QuoVadis Root CA 3 G3
Parsing: DigiCert Assured ID Root G2
Parsing: DigiCert Assured ID Root G3
Parsing: DigiCert Global Root G2
Parsing: DigiCert Global Root G3
Parsing: DigiCert Trusted Root G4
Parsing: COMODO RSA Certification Authority
Parsing: USERTrust RSA Certification Authority
Parsing: USERTrust ECC Certification Authority
Parsing: GlobalSign ECC Root CA - R5
Parsing: IdenTrust Commercial Root CA 1
Parsing: IdenTrust Public Sector Root CA 1
Parsing: Entrust Root Certification Authority - G2
Parsing: Entrust Root Certification Authority - EC1
Parsing: CFCA EV ROOT
Parsing: OISTE WISeKey Global Root GB CA
Parsing: SZAFIR ROOT CA2
Parsing: Certum Trusted Network CA 2
Parsing: Hellenic Academic and Research Institutions RootCA 2015
Parsing: Hellenic Academic and Research Institutions ECC RootCA 2015
Parsing: ISRG Root X1
Parsing: AC RAIZ FNMT-RCM
Parsing: Amazon Root CA 1
Parsing: Amazon Root CA 2
Parsing: Amazon Root CA 3
Parsing: Amazon Root CA 4
Parsing: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
Parsing: GDCA TrustAUTH R5 ROOT
Parsing: SSL.com Root Certification Authority RSA
Parsing: SSL.com Root Certification Authority ECC
Parsing: SSL.com EV Root Certification Authority RSA R2
Parsing: SSL.com EV Root Certification Authority ECC
Parsing: GlobalSign Root CA - R6
Parsing: OISTE WISeKey Global Root GC CA
Parsing: UCA Global G2 Root
Parsing: UCA Extended Validation Root
Parsing: Certigna Root CA
Parsing: emSign Root CA - G1
Parsing: emSign ECC Root CA - G3
Parsing: emSign Root CA - C1
Parsing: emSign ECC Root CA - C3
Parsing: Hongkong Post Root CA 3
Parsing: Entrust Root Certification Authority - G4
Parsing: Microsoft ECC Root Certificate Authority 2017
Parsing: Microsoft RSA Root Certificate Authority 2017
Parsing: e-Szigno Root CA 2017
Parsing: certSIGN Root CA G2
Parsing: Trustwave Global Certification Authority
Parsing: Trustwave Global ECC P256 Certification Authority
Parsing: Trustwave Global ECC P384 Certification Authority
Parsing: NAVER Global Root Certification Authority
Parsing: AC RAIZ FNMT-RCM SERVIDORES SEGUROS
Parsing: GlobalSign Root R46
Parsing: GlobalSign Root E46
Parsing: GLOBALTRUST 2020
Parsing: ANF Secure Server Root CA
Parsing: Certum EC-384 CA
Parsing: Certum Trusted Root CA
Parsing: TunTrust Root CA
Parsing: HARICA TLS RSA Root CA 2021
Parsing: HARICA TLS ECC Root CA 2021
Parsing: Autoridad de Certificacion Firmaprofesional CIF A62634068
Parsing: vTrus ECC Root CA
Parsing: vTrus Root CA
Parsing: ISRG Root X2
Parsing: HiPKI Root CA - G1
Parsing: GlobalSign ECC Root CA - R4
Parsing: GTS Root R1
Parsing: GTS Root R2
Parsing: GTS Root R3
Parsing: GTS Root R4
Parsing: Telia Root CA v2
Parsing: D-TRUST BR Root CA 1 2020
Parsing: D-TRUST EV Root CA 1 2020
Parsing: DigiCert TLS ECC P384 Root G5
Parsing: DigiCert TLS RSA4096 Root G5
Parsing: Certainly Root R1
Parsing: Certainly Root E1
Parsing: Security Communication RootCA3
Parsing: Security Communication ECC RootCA1
Parsing: BJCA Global Root CA1
Parsing: BJCA Global Root CA2
Parsing: Sectigo Public Server Authentication Root E46
Parsing: Sectigo Public Server Authentication Root R46
Parsing: SSL.com TLS RSA Root CA 2022
Parsing: SSL.com TLS ECC Root CA 2022
Parsing: Atos TrustedRoot Root CA ECC TLS 2021
Parsing: Atos TrustedRoot Root CA RSA TLS 2021
Parsing: TrustAsia Global Root CA G3
Parsing: TrustAsia Global Root CA G4
Parsing: CommScope Public Trust ECC Root-01
Parsing: CommScope Public Trust ECC Root-02
Parsing: CommScope Public Trust RSA Root-01
Parsing: CommScope Public Trust RSA Root-02
Parsing: Telekom Security TLS ECC Root 2020
Parsing: Telekom Security TLS RSA Root 2023
Parsing: FIRMAPROFESIONAL CA ROOT-A WEB
Parsing: TWCA CYBER Root CA
Parsing: SecureSign Root CA12
Parsing: SecureSign Root CA14
Parsing: SecureSign Root CA15
Done (152 CA certs processed, 25 skipped).


NEW_VERSION=3.105
COMMIT_MSG<<c116927d-aa5a-4b1e-b0ba-96d2c33ae849
crypto: update root certificates to NSS 3.105

This is the certdata.txt[0] from NSS 3.105.

This is the version of NSS that shipped in Firefox 132.0 on 2024-10-29.

[0] https://raw.githubusercontent.com/nss-dev/nss/refs/tags/NSS_3_105_RTM/lib/ckfw/builtins/certdata.txt
c116927d-aa5a-4b1e-b0ba-96d2c33ae849
$ git status
On branch rootcerts
Your branch is ahead of 'upstream/main' by 2 commits.
  (use "git push" to publish your local commits)

nothing to commit, working tree clean
$

---

For the release notes, the notable change is

Update root certificates to NSS 3.104

This is the version of NSS that shipped in Firefox 131.0 on 2024-10-01.

Certificates added:
- FIRMAPROFESIONAL CA ROOT-A WEB
- TWCA CYBER Root CA
- SecureSign Root CA12
- SecureSign Root CA14
- SecureSign Root CA15

[nodejs-github-bot]

Review requested:

• @nodejs/security-wg

[github-actions]

The notable-change PRs with changes that should be highlighted in changelogs. label has been added by @richardlau.

Please suggest a text for the release notes if you'd like to include a more detailed summary, then proceed to update the PR description with the text or a link to the notable change suggested text comment. Otherwise, the commit will be placed in the Other Notable Changes section.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.40%. Comparing base (9b6cea6) to head (35da4e0).
Report is 35 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #55681      +/-   ##
==========================================
- Coverage   88.43%   88.40%   -0.03%     
==========================================
  Files         654      654              
  Lines      187720   187594     -126     
  Branches    36140    36097      -43     
==========================================
- Hits       166004   165838     -166     
- Misses      14953    14998      +45     
+ Partials     6763     6758       -5     

see 43 files with indirect coverage changes

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/63385/

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/63398/