1052099 - August 2014 batch of EV root CA changes

Status: RESOLVED FIXED

(Core :: Security: PSM, enhancement)

Description

[Kathleen Wilson]

The purpose of this bug is to use a single patch to make the code changes for the August 2014 batch of EV-enablement changes (see the list of bugs this one blocks).

Please enable EV treatment in 
source/security/certverifier/ExtendedValidation.cpp 
for the following root certs.


== Bug #991215 – Actalis – 1 root ==

Test URL: https://ssltest-a.actalis.it:8443
// CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT
EV Policy OID: 1.3.159.1.17.1
Fingerprint (SHA-256): 55:92:60:84:EC:96:3A:64:B9:6E:2A:BE:01:CE:0B:A8:6A:64:FB:FE:BC:C7:AA:B5:AF:C1:55:B3:7F:D7:60:66
Issuer DER Base64:
MGsxCzAJBgNVBAYTAklUMQ4wDAYDVQQHDAVNaWxhbjEjMCEGA1UECgwaQWN0YWxp
cyBTLnAuQS4vMDMzNTg1MjA5NjcxJzAlBgNVBAMMHkFjdGFsaXMgQXV0aGVudGlj
YXRpb24gUm9vdCBDQQ==
Serial DER Base64: VwoRl0LE48w=

== Bug #1017299 – WoSign – 2 roots ==

Test URL: https://root1evtest.wosign.com/
// CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
EV Policy OID: 1.3.6.1.4.1.36305.2
Fingerprint (SHA-256): 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08
Issuer DER Base64:
MFUxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEqMCgG
A1UEAxMhQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgb2YgV29TaWdu
Serial DER Base64: XmjWEXGUY1BWAGjzPsnFkQ==

Test URL: https://root2evtest.wosign.com
// CN=CA ...............,O=WoSign CA Limited,C=CN
EV Policy OID: 1.3.6.1.4.1.36305.2
Fingerprint (SHA-256): D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54
Issuer DER Base64:
MEYxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEbMBkG
A1UEAwwSQ0Eg5rKD6YCa5qC56K+B5Lmm
Serial DER Base64: UHBrzdgT/BtOOzNy0hFIjQ==


== Bug #1021093 – DigiCert – 5 roots ==

Test URL: https://assured-id-root-g2.digicert.com/
// CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
EV Policy OID: 2.16.840.1.114412.2.1
Fingerprint (SHA-256): 7D:05:EB:B6:82:33:9F:8C:94:51:EE:09:4E:EB:FE:FA:79:53:A1:14:ED:B2:F4:49:49:45:2F:AB:7D:2F:C1:85
Issuer DER Base64:
MGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT
EHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQg
Um9vdCBHMg==
Serial DER Base64: C5McOtY5Z+pnI7/Dr5r0Sw==

Test URL: https://assured-id-root-g3.digicert.com/
// CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
EV Policy OID: 2.16.840.1.114412.2.1
Fingerprint (SHA-256): 7E:37:CB:8B:4C:47:09:0C:AB:36:55:1B:A6:F4:5D:B8:40:68:0F:BA:16:6A:95:2D:B1:00:71:7F:43:05:3F:C2
Issuer DER Base64:
MGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT
EHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQg
Um9vdCBHMw==
Serial DER Base64: C6Fa+h3foLVJRK/NJKBs7A==

Test URL: https://global-root-g2.digicert.com/
// CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
EV Policy OID: 2.16.840.1.114412.2.1
Fingerprint (SHA-256): CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F
Issuer DER Base64:
MGExCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT
EHd3dy5kaWdpY2VydC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290
IEcy
Serial DER Base64: Azrx5qcRqaC7KGSxHQn65Q==

Test URL: https://global-root-g3.digicert.com/
// CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
EV Policy OID: 2.16.840.1.114412.2.1
Fingerprint (SHA-256): 31:AD:66:48:F8:10:41:38:C7:38:F3:9E:A4:32:01:33:39:3E:3A:18:CC:02:29:6E:F9:7C:2A:C9:EF:67:31:D0
Issuer DER Base64:
MGExCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT
EHd3dy5kaWdpY2VydC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290
IEcz
Serial DER Base64: BVVWvPJepDU1w6QP1atFcg==

Test URL: https://trusted-root-g4.digicert.com/
// CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
EV Policy OID: 2.16.840.1.114412.2.1
Fingerprint (SHA-256): 55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88
Issuer DER Base64:
MGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT
EHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9v
dCBHNA==
Serial DER Base64: BZsbV56OITLiOQe9p3d1XA==


== Bug #1021106 – QuoVadis – 1 root==

Test URL: https://evsslicag3-v.quovadisglobal.com/
// CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM
EV Policy OID: 1.3.6.1.4.1.8024.0.2.100.1.2
Fingerprint (SHA-256): 8F:E4:FB:0A:F9:3A:4D:0D:67:DB:0B:EB:B2:3E:37:C7:1B:F3:25:DC:BC:DD:24:0E:A0:4D:AF:58:B4:7E:18:40
Issuer DER Base64:
MEgxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYD
VQQDExVRdW9WYWRpcyBSb290IENBIDIgRzM=
Serial DER Base64: RFc0JFuBiZs18s64KztbpybwdSg=

Comment 1

[Camilo Viecco (:cviecco)]

Attachment: august-2014-ev-changes

Comment 2

[Camilo Viecco (:cviecco)]

test builds should appear later today at:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/cviecco@mozilla.com-b90c044d528a/

Comment 3

[[:mmc] Monica Chew (no longer reading bugmail)]

NB: removals of root certs need to regenerate the pinning list. Looks like that doesn't apply here, though.

Comment 4

[Camilo Viecco (:cviecco)]

try url:
https://tbpl.mozilla.org/?tree=Try&rev=b90c044d528a

Comment 5

[Adriano Santoni]

I tried the test build and it's ok to me.

Comment 6

[Kathleen Wilson]

I have tested with the try-build, and confirm that EV treatment is given as expected for all of the roots listed above.

I also reviewed the patch, and the changes are as expected.

Thanks!

Comment 7

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

Comment on attachment 8479431 [details] [diff] [review]
august-2014-ev-changes

Review of attachment 8479431 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM.

Comment 8

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/bbb7d48bfea8