Closed
Bug 387892
Opened 17 years ago
Closed 16 years ago
Add Entrust root CA certificate(s) to NSS
Categories
(NSS :: Libraries, enhancement)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.11.10
People
(Reporter: gerv, Assigned: KaiE)
References
Details
Attachments
(5 files, 1 obsolete file)
|
1.15 KB,
application/x-x509-ca-cert
|
Details | |
|
8.78 KB,
patch
|
nelson
:
review+
rrelyea
:
superreview+
|
Details | Diff | Splinter Review |
|
272.00 KB,
application/octet-stream
|
Details | |
|
48.29 KB,
image/jpeg
|
Details | |
|
48.31 KB,
image/gif
|
Details |
new root viewed through Firefox
This bug requests inclusion in the NSS root certificate store of the following certificate(s), owned by Entrust: 1) Friendly name: "Entrust Root Certification Authority" SHA1 Fingerprint: B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:37:D4:4D:F5:D4:67:49:52:F9 Trust flags: Websites The certificate(s) themselves will be attached momentarily. This CA has been assessed in accordance with the Mozilla project guidelines, and the certificate(s) approved for inclusion in bug 382352. The steps are as follows: 1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below. 2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly. 3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED. 4) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate(s). This process is mostly under the control of the release drivers for those products. Gerv
|
Reporter | |
Comment 1•17 years ago
|
||
|
|
Reporter | |
Comment 2•17 years ago
|
||
Bruce: the next action here is yours (see above). Gerv
Entrust has confirmed that the correct root cert is attached to this bug report. Friendly name: "Entrust Root Certification Authority" SHA1 Fingerprint: B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:37:D4:4D:F5:D4:67:49:52:F9
|
||
Comment 5•17 years ago
|
||
Gerv: the next action is item 2 above. Is someone from Mozilla creating the test build? Thanks, Bruce.
|
Assignee | |
Comment 6•17 years ago
|
||
It's my job to do a test build. I haven't done so yet, because I had the hope I could do a single build for multiple cert requests. I'll do it now.
|
|
Assignee | |
Comment 7•17 years ago
|
||
This is the patch I'm using to create the binary test dll, cert was added with the following folland: addbuiltin -n "Entrust Root Certification Authority" -t C,, < ~/moz/nss/311/entrust.der >> certdata.txt
|
|
Assignee | |
Comment 8•17 years ago
|
||
nssckbi.dll for testing purposes Please test with a Windows build of Firefox 2.0.0.x.
I downloaded a the latest version of Firefox 2.0.9 on a clean Windows XP SP1 system. I replaced the nssckbi.dll with the new file from Kai's attachment. The root does not show when I view the cert store from Firefox.
|
|
Assignee | |
Comment 10•17 years ago
|
||
Comment on attachment 287876 [details]
nssckbi.dll for testing purposes
Sorry, my mistake, I attached the wrong file :-/
Attachment #287876 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 11•17 years ago
|
||
file size: 278528 sha1sum: 6fa4139cf6a1b7ceea22c660dfcbe2df6c9775dd Can you please try again?
|
||
Comment 12•17 years ago
|
||
The root is there now. I've added a screen shot too.
|
|
||
Comment 13•17 years ago
|
||
Also, confirmed that the thumbprint matches
|
|
||
Comment 14•17 years ago
|
||
After testing to see the certification path in firefox, it appears that
the test fails. The path should branch up to this root ("Entrust Root Certification Authority") and stop there, however it seems to be going to our other 1024 root. Even if I remove the 1024 root (expiry 2019), I get a trust alert.|
|
Assignee | |
Comment 15•17 years ago
|
||
Can you please give more details? Do you have a test case? Can you attach the cert you are trying to verify? Or even better, is there a test server to connect to?
|
|
||
Comment 16•17 years ago
|
||
Attached is the incorrect cert path. You can test and view this by hitting https://buy.entrust.net with Firefox using the new nssckbi.dll The path should actually be chained back to the correct root, but it's taking the longer path. There should only be three certificates in the path. The parent which is the new root added, then the L1A chain and then the cert issued to the site itself.
|
||
Comment 17•17 years ago
|
||
The 4-cert chain shown by Firefox is not incorrect. It is merely not the one that the CA prefers. But this chain, which uses the cross-certified intermediate CA cert, shown in the above image as "Entrust Root Certificate Authority", which chains up to "Entrust.net Secure Server Certification Authority", was created by Entrust, and exists PRECISELY so that servers with the certs from the new hierarchy can correctly chain up to the older root. The version of Firefox with which the test was done displays cert chains constructed by code that does not consider cert policies. There is not yet any version available that does consider cert policies for this display. However it appears to me that, even if it did consider policies, the chain could still legitimately go up to the old root, because the cross cert explicitly allows it! Further work on the issue of cert chain displays depends on a resolution to bug 403691.
|
|
Assignee | |
Comment 18•17 years ago
|
||
Rob, would you like to have the certificate added as is, independent of any discussions about chaining functionality?
|
|
||
Comment 19•17 years ago
|
||
Please add the certificate. That makes sense, but it also makes sense for the browser to use the shortest path when possible as it's more practical.
|
|
Assignee | |
Comment 20•16 years ago
|
||
Comment on attachment 287855 [details] [diff] [review] Patch v1 I apologize for having missed this for a while. Requesting review to get this into NSS 3.12 Requesting second review, because we attempt to keep NSS 3.11.x branch in synch wrt root certs.
Attachment #287855 -
Flags: superreview?(rrelyea)
Attachment #287855 -
Flags: review?(nelson)
|
|
||
Comment 21•16 years ago
|
||
As part of my review, I'm trying to determine that this bug's patch installs the correct/intended cert. In comment 0, Gerv says this cert was approved in bug 382352. But bug 416544 appears to be requesting this same cert. Should I be concerned?
|
|
||
Comment 22•16 years ago
|
||
Comment on attachment 287855 [details] [diff] [review] Patch v1 This patch does appear to contain the correct contents to add the cert requested in bug 382352.
Attachment #287855 -
Flags: review?(nelson) → review+
|
|
||
Updated•16 years ago
|
|
|
Assignee | |
Comment 23•16 years ago
|
||
checked in. Checking in certdata.c; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c new revision: 1.47; previous revision: 1.46 done Checking in certdata.txt; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v <-- certdata.txt new revision: 1.46; previous revision: 1.45 done
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.12
|
|
Assignee | |
Comment 24•16 years ago
|
||
(In reply to comment #21) Nelson, this bug request adding the cert to NSS. The other bug is about enabling certs for EV.
|
||
Comment 25•16 years ago
|
||
Comment on attachment 287855 [details] [diff] [review] Patch v1 r+ with comments... It appears the original request was for SSL, email and code signing, but only SSL was approved? bob
Attachment #287855 -
Flags: superreview?(rrelyea) → superreview+
|
|
||
Comment 26•16 years ago
|
||
Bob, comment 0 of this bug tells us (NSS team members) that the cert was approved only for SSL. So, if this cert was given trust only for SSL, then NSS (and Kai) did what was requested of it/him. If there is some doubt that comment 0 requested the right trust flags, that comment should probably go into the mozilla.org CA-Certificates bug that led to this NSS bug.
|
|
Assignee | |
Comment 27•16 years ago
|
||
I agree with Nelson's latest comment. At this point we've been requested to technically enable the root for SSL, and that's what we did. Yes, if further trust flags shall be added, Frank must approve that and request that we add more trust. Thanks for the second review. I plan to check in both 425469 and this bug 387892 at the same time into the stable 3.11 branch in the near future.
|
|
Assignee | |
Comment 28•16 years ago
|
||
I've checked in the patches for both bug 425469 and bug 387892 to the NSS 3.11 stable branch, and at the same time I incremented the nssckbi.h version number to 1.66 Marking fixed.
|
|
Assignee | |
Comment 29•16 years ago
|
||
cvs version numbers for branch commit: Checking in certdata.c; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c new revision: 1.36.24.10; previous revision: 1.36.24.9 done Checking in certdata.txt; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v <-- certdata.txt new revision: 1.37.24.9; previous revision: 1.37.24.8 done Checking in nssckbi.h; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h,v <-- nssckbi.h new revision: 1.14.2.6; previous revision: 1.14.2.5 done
|
|
Assignee | |
Comment 30•16 years ago
|
||
Changing target milestone to 3.11.10 (not yet released).
Target Milestone: 3.12 → 3.11.10
You need to log in
before you can comment on or make changes to this bug.
Description
•