Bug 1132689 - February 2015 batch of EV root CA Changes
Status: RESOLVED FIXED (opened 10 years ago, closed 10 years ago)
Product / Component: Core :: Security: PSM (enhancement)
Target Milestone: mozilla40
Tracking: firefox40 fixed
Reporter: kathleen.a.wilson; Assigned: mgoodwin
Attachments: 4 files

Description
The purpose of this bug is to use a single patch to make the code changes for the February 2015 batch of EV-enablement changes (see the list of bugs this one blocks).

NOTE: This change needs to happen AFTER a Mozilla channel picks up a version of NSS that has these roots included.

Please enable EV treatment in source/security/certverifier/ExtendedValidation.cpp for the following root certs.

== Bug #1108780 - Government of The Netherlands, PKIoverheid - 1 root ==
Test URL: https://pkioevssl-v.quovadisglobal.com/

  // CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
  "2.16.528.1.1003.1.2.7",
  "Staat der Nederlanden EV OID",
  SEC_OID_UNKNOWN,
  { 0x4D, 0x24, 0x91, 0x41, 0x4C, 0xFE, 0x95, 0x67, 0x46, 0xEC, 0x4C, 0xEF, 0xA6, 0xCF, 0x6F, 0x72,
    0xE2, 0x8A, 0x13, 0x29, 0x43, 0x2F, 0x9D, 0x8A, 0x90, 0x7A, 0xC4, 0xCB, 0x5D, 0xAD, 0xC1, 0x5A },
  "MFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIgTmVkZXJsYW5kZW4x"
  "KTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBSb290IENB",
  "AJiWjQ==",

== Bug #1120608 - Entrust - 2 roots ==
Test URL: https://validg2.entrust.net/

  // CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
  "2.16.840.1.114028.10.1.2",
  "Entrust EV OID",
  SEC_OID_UNKNOWN,
  { 0x43, 0xDF, 0x57, 0x74, 0xB0, 0x3E, 0x7F, 0xEF, 0x5F, 0xE4, 0x0D, 0x93, 0x1A, 0x7B, 0xED, 0xF1,
    0xBB, 0x2E, 0x6B, 0x42, 0x73, 0x8C, 0x4E, 0x6D, 0x38, 0x41, 0x10, 0x3D, 0x3A, 0xA7, 0xF3, 0x39 },
  "MIG+MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UE"
  "CxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMp"
  "IDIwMDkgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIw"
  "MAYDVQQDEylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH"
  "Mg==",
  "SlOMKA==",

Test URL: https://validec.entrust.net

  // CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
  "2.16.840.1.114028.10.1.2",
  "Entrust EV OID",
  SEC_OID_UNKNOWN,
  { 0x02, 0xED, 0x0E, 0xB2, 0x8C, 0x14, 0xDA, 0x45, 0x16, 0x5C, 0x56, 0x67, 0x91, 0x70, 0x0D, 0x64,
    0x51, 0xD7, 0xFB, 0x56, 0xF0, 0xB2, 0xAB, 0x1D, 0x3B, 0x8E, 0xB0, 0x70, 0xE5, 0x6E, 0xDF, 0xF5 },
  "MIG/MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UE"
  "CxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMp"
  "IDIwMTIgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTMw"
  "MQYDVQQDEypFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBF"
  "QzE=",
  "AKaLeSkAAAAAUNCR+Q==",

== Bug #1131699 - CFCA - 1 root ==
Test URL: https://pub.cebnet.com.cn

  // CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
  "2.16.156.112554.3",
  "CFCA EV OID",
  SEC_OID_UNKNOWN,
  { 0x5C, 0xC3, 0xD7, 0x8E, 0x4E, 0x1D, 0x5E, 0x45, 0x54, 0x7A, 0x04, 0xE6, 0x87, 0x3E, 0x64, 0xF9,
    0x0C, 0xF9, 0x53, 0x6D, 0x1C, 0xCC, 0x2E, 0xF8, 0x00, 0xF3, 0x55, 0xC4, 0xC5, 0xFD, 0x70, 0xFD },
  "MFYxCzAJBgNVBAYTAkNOMTAwLgYDVQQKDCdDaGluYSBGaW5hbmNpYWwgQ2VydGlm"
  "aWNhdGlvbiBBdXRob3JpdHkxFTATBgNVBAMMDENGQ0EgRVYgUk9PVA==",
  "GErM1g==",

Success!
Updated•10 years ago (Assignee)
Assignee: nobody → mgoodwin

Comment 1•10 years ago (Assignee)
Patch for the Feb2015 EV additions. Requesting feedback (instead of review) as there's a slight issue in that the 2nd and 3rd entries don't work (at least with the test URLs provided); I'll look into this. Maybe we have some bad data?
Attachment #8585546 - Flags: feedback?(dkeeler)
Comment 2•10 years ago
Kathleen, it looks like one of the Entrust roots (CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US) doesn't have the EV policy extension. Also, the OCSP responder for the certificates served by the test site for the other root (https://validec.entrust.net) is failing with sec_error_ocsp_unauthorized_request.
Flags: needinfo?(kwilson)
Comment 3•10 years ago
Oh, hmmm - it looks like the root can omit policies we've explicitly trusted it for. Something else must be going wrong for that one.
Comment 4•10 years ago
Oh, here we go: looks like the intermediate has a policy OID of 2.16.840.1.114028.10.1.9.1, whereas it should be 2.16.840.1.114028.10.1.2.
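The two Entrust failures in this thread (an intermediate asserting 2.16.840.1.114028.10.1.9.1 instead of the EV OID, and, later, a chain served with no intermediate at all) come down to a policy-OID walk over the chain. The script below is an added example, not Mozilla's code and not the EV Checking Tool the reporter mentions; it encodes and decodes a real DER certificatePolicies extension but models whole certificates as dicts, and the root DER is a placeholder byte string, so the fingerprints it computes are not those of the real roots. The rules it enforces are assumptions drawn from the discussion: the root is identified by the SHA-256 fingerprint in the table and may omit the policy (comment 3), an intermediate may assert either the exact OID or anyPolicy (comment 6), the end-entity must assert the exact OID, and at least one intermediate must be present (comment 9).

```python
"""EV policy-OID walk over a chain (added example, not Mozilla's code)."""
import hashlib

ANY_POLICY = "2.5.29.32.0"                 # anyPolicy
ENTRUST_EV = "2.16.840.1.114028.10.1.2"    # OID from the table entry above


def _length(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def _base128(n: int) -> bytes:
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER; the first two arcs share one subidentifier."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return _tlv(0x06, body)


def decode_oid(body: bytes) -> str:
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = arcs[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_policies(oids) -> bytes:
    """certificatePolicies extnValue: SEQUENCE OF PolicyInformation (no qualifiers)."""
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(o)) for o in oids))


def decode_policies(der: bytes) -> list:
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("certificatePolicies is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, info, pos = _read_tlv(body, pos)
        otag, oid_body, _ = _read_tlv(info, 0)   # policyIdentifier comes first
        if tag != 0x30 or otag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_body))
    return oids


def fingerprint(der: bytes) -> bytes:
    return hashlib.sha256(der).digest()


def ev_chain_ok(chain, ev_oid: str, root_sha256: bytes):
    """chain is leaf-first: [{'subject', 'der', 'policies'}, ...]; returns (ok, reason).
    Assumed rules: root matched by fingerprint and may omit the policy; each intermediate
    asserts ev_oid or anyPolicy; the end-entity asserts ev_oid exactly; >= 1 intermediate."""
    if len(chain) < 3:
        return False, "no intermediate certificate in the chain"
    if fingerprint(chain[-1]["der"]) != root_sha256:
        return False, "root does not match the fingerprint in the EV table"
    leaf = decode_policies(chain[0]["policies"]) if chain[0]["policies"] else []
    if ev_oid not in leaf:
        return False, f"end-entity asserts {leaf}, not {ev_oid}"
    for cert in chain[1:-1]:
        pols = decode_policies(cert["policies"]) if cert["policies"] else []
        if ev_oid not in pols and ANY_POLICY not in pols:
            return False, f"{cert['subject']} asserts {pols}, not {ev_oid} or anyPolicy"
    return True, "EV"


def scenarios():
    """Constructed stand-ins for the chains discussed in the thread (not real certificates)."""
    root_der = b"CONSTRUCTED ROOT DER PLACEHOLDER"      # not the real Entrust G2 root
    root = {"subject": "Entrust G2 root (stand-in)", "der": root_der, "policies": None}
    leaf = {"subject": "validg2.entrust.net (stand-in)", "der": b"leaf",
            "policies": encode_policies([ENTRUST_EV])}
    bad_ica = {"subject": "Entrust intermediate (stand-in)", "der": b"ica",
               "policies": encode_policies(["2.16.840.1.114028.10.1.9.1"])}
    good_ica = dict(bad_ica, policies=encode_policies([ANY_POLICY]))
    fp = fingerprint(root_der)
    return {
        "wrong intermediate OID (comment 4)": ev_chain_ok([leaf, bad_ica, root], ENTRUST_EV, fp),
        "intermediate with anyPolicy (comment 6)": ev_chain_ok([leaf, good_ica, root], ENTRUST_EV, fp),
        "no intermediate (comment 9)": ev_chain_ok([leaf, root], ENTRUST_EV, fp),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name}: {'EV' if ok else 'no EV'} ({why})")
```

Against a real site you would feed `ev_chain_ok` the served chain with each certificate's DER and its extracted certificatePolicies extnValue, and the fingerprint bytes from the ExtendedValidation.cpp entry; a cached older intermediate, as suspected in comment 11, shows up as the "asserts ... not" reason for that intermediate.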
Comment 5•10 years ago
Comment on attachment 8585546 [details] [diff] [review]
Bug1132689.patch

This should be correct, but it won't work until the Entrust issues have been fixed.

Attachment #8585546 - Flags: feedback?(dkeeler) → feedback+
Comment 6•10 years ago
For test site https://validg2.entrust.net/, the certificate policy OID states "All issuance policies". The certificate policy OID for the end entity certificate is 2.16.840.1.114028.10.1.2. This should work. Am I looking at the same site? Thanks, Bruce Morton Entrust
Comment 7•10 years ago
I meant the intermediate certificate policy is "All issuance policies."
Comment 8•10 years ago (Reporter)
I'm seeing the incorrect OID for the intermediate. See attached.
Flags: needinfo?(kwilson)
Comment 9•10 years ago (Reporter)
Oh!

Test URL: https://validec.entrust.net
// CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US

For this one I just noticed that there is no intermediate cert. I thought the EV test would fail if there was no intermediate cert. We cannot give EV treatment for this root if the CA hierarchy is not following the EV guidelines.
Comment 10•10 years ago

Comment 11•10 years ago (Reporter)
(In reply to Bruce Morton from comment #10)
> Created attachment 8586431 [details]
> l1m_policy.jpg

I just tried with a new Firefox profile, and I still got the same result as Comment #8. Bruce, maybe you have a different version of the intermediate cert cached?
Comment 12•10 years ago
Will get it retested tomorrow. Thanks, Bruce.
Comment 13•10 years ago
Kathleen, both test sites have been updated. They should meet your requirements now. Thanks, Bruce.
Comment 14•10 years ago (Reporter)
I confirm that both of the Entrust EV test websites are passing the EV Checking Tool again. Mark, please proceed with the patch. Thanks, Kathleen
Comment 15•10 years ago
Comment on attachment 8585546 [details] [diff] [review]
Bug1132689.patch

Review of attachment 8585546 [details] [diff] [review]:
-----------------------------------------------------------------

The test sites now work as expected - r=me.

Attachment #8585546 - Flags: feedback+ → review+
Updated•10 years ago (Assignee)
Keywords: checkin-needed
Comment 16•10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/265b6b657740
Keywords: checkin-needed
Comment 17•10 years ago
https://hg.mozilla.org/mozilla-central/rev/265b6b657740
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox40: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40