Closed Bug 1132689 Opened 7 years ago Closed 7 years ago

February 2015 batch of EV root CA Changes

Categories: Core :: Security: PSM, enhancement
Type: enhancement; Priority: Not set; Severity: normal
Status: RESOLVED FIXED; Target Milestone: mozilla40
Tracking Status: firefox40 --- fixed
People: Reporter: kwilson, Assigned: mgoodwin
Attachments: 4 files

The purpose of this bug is to use a single patch to make the code changes for the February 2015 batch of EV-enablement changes (see the list of bugs this one blocks).

NOTE: This change needs to happen AFTER a Mozilla channel picks up a version of NSS that has these roots included.

Please enable EV treatment in source/security/certverifier/ExtendedValidation.cpp for the following root certs.

== Bug #1108780 - Government of The Netherlands, PKIoverheid - 1 root ==

Test URL: https://pkioevssl-v.quovadisglobal.com/
// CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
"2.16.528.1.1003.1.2.7",
"Staat der Nederlanden EV OID",
SEC_OID_UNKNOWN,
{ 0x4D, 0x24, 0x91, 0x41, 0x4C, 0xFE, 0x95, 0x67, 0x46, 0xEC, 0x4C,
0xEF, 0xA6, 0xCF, 0x6F, 0x72, 0xE2, 0x8A, 0x13, 0x29, 0x43, 0x2F,
0x9D, 0x8A, 0x90, 0x7A, 0xC4, 0xCB, 0x5D, 0xAD, 0xC1, 0x5A },
"MFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIgTmVkZXJsYW5kZW4x"
"KTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBSb290IENB",
"AJiWjQ==",


== Bug #1120608 - Entrust - 2 roots ==

Test URL: https://validg2.entrust.net/
// CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
"2.16.840.1.114028.10.1.2",
"Entrust EV OID",
SEC_OID_UNKNOWN,
{ 0x43, 0xDF, 0x57, 0x74, 0xB0, 0x3E, 0x7F, 0xEF, 0x5F, 0xE4, 0x0D,
0x93, 0x1A, 0x7B, 0xED, 0xF1, 0xBB, 0x2E, 0x6B, 0x42, 0x73, 0x8C,
0x4E, 0x6D, 0x38, 0x41, 0x10, 0x3D, 0x3A, 0xA7, 0xF3, 0x39 },
"MIG+MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UE"
"CxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMp"
"IDIwMDkgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIw"
"MAYDVQQDEylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH"
"Mg==",
"SlOMKA==",


Test URL: https://validec.entrust.net
// CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
"2.16.840.1.114028.10.1.2",
"Entrust EV OID",
SEC_OID_UNKNOWN,
{ 0x02, 0xED, 0x0E, 0xB2, 0x8C, 0x14, 0xDA, 0x45, 0x16, 0x5C, 0x56,
0x67, 0x91, 0x70, 0x0D, 0x64, 0x51, 0xD7, 0xFB, 0x56, 0xF0, 0xB2,
0xAB, 0x1D, 0x3B, 0x8E, 0xB0, 0x70, 0xE5, 0x6E, 0xDF, 0xF5 },
"MIG/MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UE"
"CxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMp"
"IDIwMTIgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTMw"
"MQYDVQQDEypFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBF"
"QzE=",
"AKaLeSkAAAAAUNCR+Q==",



== Bug #1131699 - CFCA - 1 root ==

Test URL: https://pub.cebnet.com.cn
// CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
"2.16.156.112554.3",
"CFCA EV OID",
SEC_OID_UNKNOWN,
{ 0x5C, 0xC3, 0xD7, 0x8E, 0x4E, 0x1D, 0x5E, 0x45, 0x54, 0x7A, 0x04,
0xE6, 0x87, 0x3E, 0x64, 0xF9, 0x0C, 0xF9, 0x53, 0x6D, 0x1C, 0xCC,
0x2E, 0xF8, 0x00, 0xF3, 0x55, 0xC4, 0xC5, 0xFD, 0x70, 0xFD },
"MFYxCzAJBgNVBAYTAkNOMTAwLgYDVQQKDCdDaGluYSBGaW5hbmNpYWwgQ2VydGlm"
"aWNhdGlvbiBBdXRob3JpdHkxFTATBgNVBAMMDENGQ0EgRVYgUk9PVA==",
"GErM1g==",
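As an added sanity check (not part of this bug or of ExtendedValidation.cpp), the script below decodes the base64 DN and serial of each entry above with a minimal DER Name parser, checks that the fingerprint is 32 bytes (SHA-256), and compares the decoded DN against the comment written beside the entry, since a mismatch between comment and data is the typical copy-paste error in a batch like this. The attribute-OID table and the rendering rules (most-specific RDN first, comma-containing values in double quotes) are assumptions chosen to match the comment format used in this bug; the entry data itself is copied from the description.

```python
import base64

# Attribute-type OIDs that occur in the root names on this bug (assumption:
# any other attribute type is rendered as its dotted OID instead)
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode the body of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]  # the first two arcs are packed into one subidentifier
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def parse_name(der):
    """Parse an X.501 Name: SEQUENCE OF SET OF SEQUENCE { type OID, value }."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        atvs, inner = [], 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)
            _, oid_raw, p = read_tlv(atv, 0)
            _, val_raw, _ = read_tlv(atv, p)  # PrintableString / UTF8String body
            oid = decode_oid(oid_raw)
            atvs.append((ATTR_NAMES.get(oid, oid), val_raw.decode("utf-8")))
        rdns.append(atvs)
    return rdns


def name_to_string(rdns):
    """Render as in the ExtendedValidation.cpp comments: most specific RDN
    first, values containing a comma wrapped in double quotes."""
    parts = []
    for rdn in reversed(rdns):
        for attr, value in rdn:
            if "," in value:
                value = '"' + value + '"'
            parts.append(attr + "=" + value)
    return ",".join(parts)


def check_entry(comment_dn, dn_b64, serial_b64, fingerprint_hex):
    """Decode one entry's DN and serial, verify the fingerprint length, and
    compare the decoded DN against the comment written beside the entry."""
    fingerprint = bytes.fromhex(fingerprint_hex)
    if len(fingerprint) != 32:
        raise ValueError("SHA-256 fingerprint must be 32 bytes, got %d" % len(fingerprint))
    dn = name_to_string(parse_name(base64.b64decode(dn_b64)))
    serial = base64.b64decode(serial_b64)  # DER INTEGER body, positive here
    return {
        "dn": dn,
        "dn_matches_comment": dn == comment_dn,
        "serial": int.from_bytes(serial, "big"),
        "fingerprint": fingerprint.hex(),
    }


# Entry data copied from the bug description; the split string literals are
# joined exactly as the C++ compiler joins them in ExtendedValidation.cpp.
ENTRIES = {
    "Staat der Nederlanden EV Root CA": (
        "CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL",
        "MFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIgTmVkZXJsYW5kZW4x"
        "KTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBSb290IENB",
        "AJiWjQ==",
        "4D2491414CFE956746EC4CEFA6CF6F72E28A1329432F9D8A907AC4CB5DADC15A",
    ),
    "Entrust Root Certification Authority - G2": (
        'CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc.'
        ' - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US',
        "MIG+MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UE"
        "CxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMp"
        "IDIwMDkgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIw"
        "MAYDVQQDEylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH"
        "Mg==",
        "SlOMKA==",
        "43DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F339",
    ),
    "CFCA EV ROOT": (
        "CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN",
        "MFYxCzAJBgNVBAYTAkNOMTAwLgYDVQQKDCdDaGluYSBGaW5hbmNpYWwgQ2VydGlm"
        "aWNhdGlvbiBBdXRob3JpdHkxFTATBgNVBAMMDENGQ0EgRVYgUk9PVA==",
        "GErM1g==",
        "5CC3D78E4E1D5E45547A04E6873E64F90CF9536D1CCC2EF800F355C4C5FD70FD",
    ),
}


def check_all():
    """Run check_entry over every entry; keyed by the root's common name."""
    return {name: check_entry(*fields) for name, fields in ENTRIES.items()}


if __name__ == "__main__":
    for name, result in check_all().items():
        status = "OK" if result["dn_matches_comment"] else "MISMATCH"
        print("%-45s %s serial=%d" % (name, status, result["serial"]))
```

The parser deliberately handles only what these entries need (single-valued RDNs, string attribute values); multi-valued RDNs would need a '+' separator in name_to_string. Decoding the serial as an unsigned big-endian integer is correct here because every serial above is positive (the leading 0x00 in the Staat der Nederlanden serial is the DER sign byte).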
Success!
Assignee: nobody → mgoodwin
Attached patch Bug1132689.patch
Patch for the Feb2015 EV additions.

Requesting feedback (instead of review) as there's a slight issue in that the 2nd and 3rd entries don't work (at least with the test URLs provided); I'll look into this. Maybe we have some bad data?
Attachment #8585546 - Flags: feedback?(dkeeler)
Kathleen, it looks like one of the Entrust roots (CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US) doesn't have the EV policy extension. Also, the OCSP responder for the certificates served by the test site for the other root (https://validec.entrust.net) is failing with sec_error_ocsp_unauthorized_request.
Flags: needinfo?(kwilson)
Oh, hmmm - it looks like the root can omit policies we've explicitly trusted it for. Something else must be going wrong for that one.
Oh, here we go: looks like the intermediate has a policy OID of 2.16.840.1.114028.10.1.9.1, whereas it should be 2.16.840.1.114028.10.1.2.
Comment on attachment 8585546 [details] [diff] [review]
Bug1132689.patch

This should be correct, but it won't work until the Entrust issues have been fixed.
Attachment #8585546 - Flags: feedback?(dkeeler) → feedback+
For test site https://validg2.entrust.net/, the certificate policy OID states "All issuance policies". The certificate policy OID for the end entity certificate is 2.16.840.1.114028.10.1.2. This should work. Am I looking at the same site?

Thanks, Bruce Morton
Entrust
I meant the intermediate certificate policy is "All issuance policies."
I'm seeing the incorrect OID for the intermediate. See attached.
Flags: needinfo?(kwilson)
Oh! 
Test URL: https://validec.entrust.net
// CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US

For this one I just noticed that there is no intermediate cert. I thought the EV test would fail if there was no intermediate cert.

We cannot give EV treatment for this root if the CA hierarchy is not following the EV guidelines.
Attached image l1m_policy.jpg
(In reply to Bruce Morton from comment #10)
> Created attachment 8586431 [details]
> l1m_policy.jpg

I just tried with a new Firefox profile, and I still got the same result as Comment #8.

Bruce, maybe you have a different version of the intermediate cert cached?
Will get it retested tomorrow. Thanks, Bruce.
Kathleen, both test sites have been updated. They should meet your requirements now.

Thanks, Bruce.
I confirm that both of the Entrust EV test websites are passing the EV Checking Tool again.

Mark, please proceed with the patch.

Thanks,
Kathleen
Comment on attachment 8585546 [details] [diff] [review]
Bug1132689.patch

Review of attachment 8585546 [details] [diff] [review]:
-----------------------------------------------------------------

The test sites now work as expected - r=me.
Attachment #8585546 - Flags: feedback+ → review+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/265b6b657740
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40