February 2015 batch of EV root CA Changes

RESOLVED FIXED in Firefox 40

Status

enhancement
People

(Reporter: kwilson, Assigned: mgoodwin)

Tracking

unspecified
mozilla40
Firefox Tracking Flags

(firefox40 fixed)

Attachments

(4 attachments)

Reporter

Description

4 years ago
The purpose of this bug is to use a single patch to make the code changes for the February 2015 batch of EV-enablement changes (see the list of bugs this one blocks).

NOTE: This change needs to happen AFTER a Mozilla channel picks up a version of NSS that has these roots included. 

Please enable EV treatment in 
source/security/certverifier/ExtendedValidation.cpp 
for the following root certs.

== Bug #1108780 - Government of The Netherlands, PKIoverheid - 1 root ==

Test URL: https://pkioevssl-v.quovadisglobal.com/
  {
    // CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
    "2.16.528.1.1003.1.2.7",
    "Staat der Nederlanden EV OID",
    SEC_OID_UNKNOWN,
    { 0x4D, 0x24, 0x91, 0x41, 0x4C, 0xFE, 0x95, 0x67, 0x46, 0xEC, 0x4C,
      0xEF, 0xA6, 0xCF, 0x6F, 0x72, 0xE2, 0x8A, 0x13, 0x29, 0x43, 0x2F,
      0x9D, 0x8A, 0x90, 0x7A, 0xC4, 0xCB, 0x5D, 0xAD, 0xC1, 0x5A },
    "MFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIgTmVkZXJsYW5kZW4x"
    "KTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBSb290IENB",
    "AJiWjQ==",
  },


== Bug #1120608 - Entrust - 2 roots ==

Test URL: https://validg2.entrust.net/
  {
    // CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
    "2.16.840.1.114028.10.1.2",
    "Entrust EV OID",
    SEC_OID_UNKNOWN,
    { 0x43, 0xDF, 0x57, 0x74, 0xB0, 0x3E, 0x7F, 0xEF, 0x5F, 0xE4, 0x0D,
      0x93, 0x1A, 0x7B, 0xED, 0xF1, 0xBB, 0x2E, 0x6B, 0x42, 0x73, 0x8C,
      0x4E, 0x6D, 0x38, 0x41, 0x10, 0x3D, 0x3A, 0xA7, 0xF3, 0x39 },
    "MIG+MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UE"
    "CxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMp"
    "IDIwMDkgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIw"
    "MAYDVQQDEylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH"
    "Mg==",
    "SlOMKA==",
  },


Test URL: https://validec.entrust.net
  {
    // CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
    "2.16.840.1.114028.10.1.2",
    "Entrust EV OID",
    SEC_OID_UNKNOWN,
    { 0x02, 0xED, 0x0E, 0xB2, 0x8C, 0x14, 0xDA, 0x45, 0x16, 0x5C, 0x56,
      0x67, 0x91, 0x70, 0x0D, 0x64, 0x51, 0xD7, 0xFB, 0x56, 0xF0, 0xB2,
      0xAB, 0x1D, 0x3B, 0x8E, 0xB0, 0x70, 0xE5, 0x6E, 0xDF, 0xF5 },
    "MIG/MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UE"
    "CxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMp"
    "IDIwMTIgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTMw"
    "MQYDVQQDEypFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBF"
    "QzE=",
    "AKaLeSkAAAAAUNCR+Q==",
  },



== Bug #1131699 - CFCA - 1 root ==

Test URL: https://pub.cebnet.com.cn
  {
    // CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
    "2.16.156.112554.3",
    "CFCA EV OID",
    SEC_OID_UNKNOWN,
    { 0x5C, 0xC3, 0xD7, 0x8E, 0x4E, 0x1D, 0x5E, 0x45, 0x54, 0x7A, 0x04,
      0xE6, 0x87, 0x3E, 0x64, 0xF9, 0x0C, 0xF9, 0x53, 0x6D, 0x1C, 0xCC,
      0x2E, 0xF8, 0x00, 0xF3, 0x55, 0xC4, 0xC5, 0xFD, 0x70, 0xFD },
    "MFYxCzAJBgNVBAYTAkNOMTAwLgYDVQQKDCdDaGluYSBGaW5hbmNpYWwgQ2VydGlm"
    "aWNhdGlvbiBBdXRob3JpdHkxFTATBgNVBAMMDENGQ0EgRVYgUk9PVA==",
    "GErM1g==",
  },
Success!
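Each entry above carries, in order, the EV policy OID, a display name, an NSS OID tag placeholder (SEC_OID_UNKNOWN), the root's SHA-256 fingerprint, the DER-encoded subject name in base64, and the DER-encoded serial number in base64. A reviewer of such a patch wants to confirm that the base64 fields really describe the root named in the comment. The following is an added example, not code from this bug or from mozilla-central: a minimal DER Name decoder that turns the base64 subject and serial fields back into the DN string written in the comment. The sample strings are copied from the first two entries in the description; the attribute-type table and the comma-quoting convention are this example's own assumptions about how those comments were written.

```python
import base64

# Constructed samples: the base64 fields copied from two of the entries in
# the bug description (Staat der Nederlanden EV Root CA and Entrust G2).
STAAT_SUBJECT_B64 = (
    "MFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIgTmVkZXJsYW5kZW4x"
    "KTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBSb290IENB"
)
STAAT_SERIAL_B64 = "AJiWjQ=="
STAAT_DN = "CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL"

ENTRUST_G2_SUBJECT_B64 = (
    "MIG+MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UE"
    "CxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMp"
    "IDIwMDkgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIw"
    "MAYDVQQDEylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH"
    "Mg=="
)
ENTRUST_G2_DN = ('CN=Entrust Root Certification Authority - G2,'
                 'OU="(c) 2009 Entrust, Inc. - for authorized use only",'
                 'OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US')

# X.520 attribute types commonly found in CA subject names (assumed table).
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
              "2.5.4.10": "O", "2.5.4.11": "OU"}


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode the body of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """Decode a DER X.509 Name into the string form used in the entry comments:
    most specific RDN first, values containing a comma wrapped in quotes."""
    tag, rdn_seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(rdn_seq):
        tag, rdn_set, pos = read_tlv(rdn_seq, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        atvs, apos = [], 0
        while apos < len(rdn_set):        # multi-valued RDNs are joined with '+'
            _, atv, apos = read_tlv(rdn_set, apos)
            _, oid_raw, vpos = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, vpos)   # PrintableString/UTF8String both read as UTF-8
            text = value.decode("utf-8", errors="replace")
            if "," in text:
                text = f'"{text}"'
            oid = decode_oid(oid_raw)
            atvs.append(f"{ATTR_NAMES.get(oid, oid)}={text}")
        rdns.append("+".join(atvs))
    return ",".join(reversed(rdns))


def decode_subject(subject_b64):
    """Decode the base64 DER subject field of an ExtendedValidation entry."""
    return decode_name(base64.b64decode(subject_b64))


def decode_serial(serial_b64):
    """Decode the base64 DER serial field; DER INTEGERs are two's complement."""
    return int.from_bytes(base64.b64decode(serial_b64), "big", signed=True)


def entry_matches_comment(subject_b64, comment_dn):
    """True if the decoded subject equals the DN written in the entry's comment."""
    return decode_subject(subject_b64) == comment_dn


if __name__ == "__main__":
    print(decode_subject(STAAT_SUBJECT_B64), decode_serial(STAAT_SERIAL_B64))
    print(decode_subject(ENTRUST_G2_SUBJECT_B64))
```

Running it prints the two DNs exactly as they appear in the entry comments and the Staat der Nederlanden serial as a decimal integer; the same functions can be pointed at the other entries, and a mismatch between the decoded subject and the comment is the kind of copy error a review of this table should catch before it lands.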
Assignee

Updated

4 years ago
Assignee: nobody → mgoodwin
Assignee

Comment 1

4 years ago
Patch for the Feb2015 EV additions.

Requesting feedback (instead of review) as there's a slight issue in that the 2nd and 3rd entries don't work (at least with the test URLs provided); I'll look into this. Maybe we have some bad data?
Attachment #8585546 - Flags: feedback?(dkeeler)
Kathleen, it looks like one of the Entrust roots (CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US) doesn't have the EV policy extension. Also, the OCSP responder for the certificates served by the test site for the other root (https://validec.entrust.net) is failing with sec_error_ocsp_unauthorized_request.
Flags: needinfo?(kwilson)
Oh, hmmm - it looks like the root can omit policies we've explicitly trusted it for. Something else must be going wrong for that one.
Oh, here we go: looks like the intermediate has a policy OID of 2.16.840.1.114028.10.1.9.1, whereas it should be 2.16.840.1.114028.10.1.2.
Comment on attachment 8585546 [details] [diff] [review]
Bug1132689.patch

This should be correct, but it won't work until the Entrust issues have been fixed.
Attachment #8585546 - Flags: feedback?(dkeeler) → feedback+
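The failure diagnosed in the comments above is a policy-OID mismatch along the chain: the EV entry names 2.16.840.1.114028.10.1.2, the root may omit the policy because it is trusted for that OID via the table, but the intermediate asserted 2.16.840.1.114028.10.1.9.1 instead. The following is an added example, not code from this bug or from mozilla-central: a small chain check over constructed certificatePolicies sets that models the rule as the thread describes it (root policies not consulted, intermediates may carry anyPolicy, which is what Entrust's "All issuance policies" reply relies on). Requiring the end-entity to assert the EV OID itself rather than anyPolicy is this example's assumption; the chains are constructed to reproduce the situations discussed.

```python
# Added example: EV policy-chain check modelled on the discussion in this bug.
# Only the OIDs named in the bug are real; the chains below are constructed.

ANY_POLICY = "2.5.29.32.0"                             # X.509 anyPolicy ("All issuance policies")
ENTRUST_EV_OID = "2.16.840.1.114028.10.1.2"            # EV OID from the ExtendedValidation entry
WRONG_INTERMEDIATE_OID = "2.16.840.1.114028.10.1.9.1"  # OID found on the intermediate in the thread


def ev_policy_ok(chain_policies, ev_oid):
    """chain_policies: list of sets of certificatePolicies OIDs, end-entity
    first and trust anchor last. The trust anchor's own policies are not
    consulted (it is trusted for ev_oid through the ExtendedValidation
    table); the end-entity must assert ev_oid itself (assumption of this
    example); each intermediate must assert ev_oid or anyPolicy.
    Returns (ok, reason)."""
    if len(chain_policies) < 2:
        return False, "need at least an end-entity certificate and a trust anchor"
    end_entity, *intermediates, _root = chain_policies
    if ev_oid not in end_entity:
        return False, "end-entity certificate does not assert the EV policy OID"
    for depth, policies in enumerate(intermediates, start=1):
        if ev_oid not in policies and ANY_POLICY not in policies:
            return False, (f"intermediate {depth} asserts {sorted(policies)} "
                           f"rather than {ev_oid} or anyPolicy")
    return True, "EV policy OID is asserted at every level below the trust anchor"


# Constructed chains reproducing the situations described in the comments.
CHAIN_AS_FOUND = [{ENTRUST_EV_OID}, {WRONG_INTERMEDIATE_OID}, set()]   # what the test site served
CHAIN_ANY_POLICY_INTERMEDIATE = [{ENTRUST_EV_OID}, {ANY_POLICY}, set()]  # "All issuance policies"
CHAIN_AFTER_FIX = [{ENTRUST_EV_OID}, {ENTRUST_EV_OID}, set()]            # intermediate asserts the EV OID


def check_all():
    """Evaluate the three constructed chains; returns {name: ok}."""
    chains = {
        "as_found": CHAIN_AS_FOUND,
        "any_policy_intermediate": CHAIN_ANY_POLICY_INTERMEDIATE,
        "after_fix": CHAIN_AFTER_FIX,
    }
    return {name: ev_policy_ok(chain, ENTRUST_EV_OID)[0] for name, chain in chains.items()}


if __name__ == "__main__":
    for name, chain in [("as_found", CHAIN_AS_FOUND),
                        ("any_policy_intermediate", CHAIN_ANY_POLICY_INTERMEDIATE),
                        ("after_fix", CHAIN_AFTER_FIX)]:
        ok, reason = ev_policy_ok(chain, ENTRUST_EV_OID)
        print(f"{name}: {'EV' if ok else 'no EV'} ({reason})")
```

The `as_found` chain fails with a message naming the offending intermediate OID, which is the check a CA can run against its own test site before asking for EV enablement; the other two chains pass, matching the outcome once Entrust updated the test sites.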

Comment 6

4 years ago
For test site https://validg2.entrust.net/, the certificate policy OID states "All issuance policies". The certificate policy OID for the end entity certificate is 2.16.840.1.114028.10.1.2. This should work. Am I looking at the same site?

Thanks, Bruce Morton
Entrust

Comment 7

4 years ago
I meant the intermediate certificate policy is "All issuance policies."
Reporter

Comment 8

4 years ago
I'm seeing the incorrect OID for the intermediate. See attached.
Flags: needinfo?(kwilson)
Reporter

Comment 9

4 years ago
Oh! 
Test URL: https://validec.entrust.net
// CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US

For this one I just noticed that there is no intermediate cert. I thought the EV test would fail if there was not intermediate cert.

We cannot give EV treatment for this root if the CA hierarchy is not following the EV guidelines.

Comment 10

4 years ago
Posted image l1m_policy.jpg
Reporter

Comment 11

4 years ago
(In reply to Bruce Morton from comment #10)
> Created attachment 8586431 [details]
> l1m_policy.jpg

I just tried with a new Firefox profile, and I still got the same result as Comment #8.

Bruce, maybe you have a different version of the intermediate cert cached?

Comment 12

4 years ago
Will get it retested tomorrow. Thanks, Bruce.

Comment 13

4 years ago
Kathleen, both test sites have been updated. They should meet your requirements now.

Thanks, Bruce.
Reporter

Comment 14

4 years ago
I confirm that both of the Entrust EV test websites are passing the EV Checking Tool again.

Mark, please proceed with the patch.

Thanks,
Kathleen
Comment on attachment 8585546 [details] [diff] [review]
Bug1132689.patch

Review of attachment 8585546 [details] [diff] [review]:
-----------------------------------------------------------------

The test sites now work as expected - r=me.
Attachment #8585546 - Flags: feedback+ → review+
Assignee

Updated

4 years ago
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/265b6b657740
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40