Closed Bug 1175227 Opened 10 years ago Closed 10 years ago

June 2015 batch of root CA changes

Categories

(NSS :: Libraries, defect)

3.19.1
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
3.19.3

People

(Reporter: KaiE, Assigned: KaiE)

Attachments

(1 file, 1 obsolete file)

June 2015 batch of root CA changes
Attached patch 1175227-v1.patch (obsolete)
Assignee: nobody → kaie
I've started a try build with patch v1. Once completed, builds will be available at: https://ftp-ssl.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-a84519b8b0bd
I'm testing the try build on Mac OS. For bug #1157375 I see the SZAFIR ROOT CA is now a Builtin Object Token, but the Edit Trust button in the Certificate Manager shows none of the trust bits are set. However, I am able to successfully browse to the test website. Note that I am using a new profile for testing. Kai, do you get the same results?
(In reply to Kathleen Wilson from comment #3)
> I'm testing the try build on Mac OS. For bug #1157375 I see the SZAFIR ROOT
> CA is now a Builtin Object Token, but the Edit Trust button in the
> Certificate Manager shows none of the trust bits are set. However, I am able
> to successfully browse to the test website. Note that I am using a new
> profile for testing.
>
> Kai, do you get the same results?

I've tested all the other changes and everything else looks correct. The problem seems to be specific to this particular root cert. Kai, do you see the same problem?
Yes, I see what you see. I checked the nssckbi.dll tool with NSS utilities, and I see that NSS correctly reports the trust flags, which explains why you can successfully visit the test site. This probably means that the problem is inside the Firefox/PSM code that displays the information. I looked at the browser console, and it indeed reports an error. When clicking the "edit trust" button, the browser console reports "cert is null". So apparently, the existing PSM code fails to properly construct a certificate object based on the szafir root, and the dialog receives a NULL certificate. The dialog doesn't show an error, but proceeds with absent information.
(In reply to Kathleen Wilson from comment #3)
> but the Edit Trust button in the Certificate Manager shows none of the trust bits are set

Bug 1139205 is the explanation for this.
It seems the SZAFIR certificate is using a serial number that's too long. I'd like to also mention that it's using a SHA1 self-signature. If the CA refreshes their root, maybe they should consider using a SHA256 signature.

I expect that you'd like to proceed with the remaining certs. If that's true, then please remove the SZAFIR bug from the dependency list.

I've started another try build that uses the attached patch v2, which excludes the SZAFIR root.

Once completed, builds will be available at: https://ftp-ssl.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-9b057506cb37
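A check for the two properties noted in the comment above, as an added example that is not part of the original thread or of NSS: it walks the DER encoding and flags a serialNumber longer than 20 octets and a SHA-1 with RSA signature algorithm. The 20-octet limit is an assumption taken from RFC 5280 (the thread gives no number); `inspect_cert`, `sample_cert` and the finding labels are hypothetical names, and the sample input is a constructed skeleton, not the SZAFIR certificate.

```python
# Added example: minimal DER walk flagging the two issues raised in the thread.
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # OID 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # OID 1.2.840.113549.1.1.11
MAX_SERIAL_OCTETS = 20  # assumption: RFC 5280 limit; the thread names no number

def tlv(tag, value):
    """DER-encode one element (definite length, short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def inspect_cert(der):
    """Return (serial_octets, findings) for a DER certificate."""
    _, cert, _ = read_tlv(der, 0)              # Certificate SEQUENCE
    _, tbs, after_tbs = read_tlv(cert, 0)      # TBSCertificate SEQUENCE
    tag, field, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                            # optional [0] version wrapper
        tag, field, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    _, sig_alg, _ = read_tlv(cert, after_tbs)  # outer signatureAlgorithm
    _, oid, _ = read_tlv(sig_alg, 0)
    findings = []
    if len(field) > MAX_SERIAL_OCTETS:         # counts encoded content octets
        findings.append("serial-too-long")
    if oid == SHA1_RSA:
        findings.append("sha1-signature")
    return len(field), findings

def sample_cert(serial, sig_oid):
    """Constructed skeleton (not a valid certificate): only the fields read above."""
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial))
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

For a real root, pass the certificate's DER bytes to `inspect_cert`; signature algorithms other than the two OIDs listed are not classified.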
No longer blocks: 1157375
(In reply to Kai Engert (:kaie) from comment #7)
> Created attachment 8623670 [details] [diff] [review]
> 1175227-v2.patch (without SZAFIR)

I've reviewed this patch, and the changes are as expected.

> It seems the SZAFIR certificate is using a serial number that's too long.
> I'd like to also mention that it's using a SHA1 self-signature. If the CA
> refreshes their root, maybe they should consider using a SHA256 signature.
>
> I expect that you'd like to proceed with the remaining certs. If that's
> true, then please remove the SZAFIR bug from the dependency list.

Done.

> I've started another try build that uses the attached patch v2, which
> excludes the SZAFIR root.
>
> Once completed, builds will be available at:
> https://ftp-ssl.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-9b057506cb37

I tested with this build too, and verified the expected changes. The CAs who needed to test (root additions) have also completed their testing.

So, please proceed with 1175227-v2.patch

Thanks!
Attachment #8623193 - Attachment is obsolete: true
Attachment #8623670 - Flags: review?(rrelyea)
Target Milestone: --- → 3.20
Attachment #8623670 - Flags: review?(rrelyea) → review+
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Blocks: 1190794
Target Milestone: 3.20 → 3.19.3
Pushed to NSS_3_19_3_PLUS_BRANCH https://hg.mozilla.org/projects/nss/rev/556e6a3fdf70 for NSS 3.19.3