Bug 1230994 - December 2015 batch of EV root CA Changes
Status: Closed (opened 10 years ago, closed 10 years ago)
Categories: Core :: Security: PSM, enhancement
Tracking: RESOLVED FIXED, mozilla46
People: Reporter: kathleen.a.wilson, Assigned: keeler
Attachments (1 file): 40 bytes, text/x-review-board-request (mgoodwin: review+, ritu: approval-mozilla-aurora+, ritu: approval-mozilla-beta+)
The purpose of this bug is to use a single patch to make the code changes for the December 2015 batch of EV-enablement changes (see the list of bugs this one blocks).
Please enable EV treatment in
source/security/certverifier/ExtendedValidation.cpp
for the following root certs.
== Bug #1193480 - WoSign ==
Test URL: https://root4evtest.wosign.com/
// CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
"1.3.6.1.4.1.36305.2",
"WoSign EV OID",
SEC_OID_UNKNOWN,
{ 0xD4, 0x87, 0xA5, 0x6F, 0x83, 0xB0, 0x74, 0x82, 0xE8, 0x5E, 0x96,
0x33, 0x94, 0xC1, 0xEC, 0xC2, 0xC9, 0xE5, 0x1D, 0x09, 0x03, 0xEE,
0x94, 0x6B, 0x02, 0xC3, 0x01, 0x58, 0x1E, 0xD9, 0x9E, 0x16 },
"MFgxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEtMCsG"
"A1UEAxMkQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgb2YgV29TaWduIEcy",
"ayXaioidfLwPBbOxemFFRA==",
Test URL: https://root5evtest.wosign.com/
// CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
"1.3.6.1.4.1.36305.2",
"WoSign EV OID",
SEC_OID_UNKNOWN,
{ 0x8B, 0x45, 0xDA, 0x1C, 0x06, 0xF7, 0x91, 0xEB, 0x0C, 0xAB, 0xF2,
0x6B, 0xE5, 0x88, 0xF5, 0xFB, 0x23, 0x16, 0x5C, 0x2E, 0x61, 0x4B,
0xF8, 0x85, 0x56, 0x2D, 0x0D, 0xCE, 0x50, 0xB2, 0x9B, 0x02 },
"MEYxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEbMBkG"
"A1UEAxMSQ0EgV29TaWduIEVDQyBSb290",
"aEpYcIBr8I8C+vbe6LCQkA==",
== Bug #1147675 - TurkTrust ==
Test URL: https://testsuite12002.turktrust.com.tr/
// CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6,O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A...,L=Ankara,C=TR
"2.16.792.3.0.3.1.1.5",
"TurkTrust EV OID",
SEC_OID_UNKNOWN,
{ 0x8D, 0xE7, 0x86, 0x55, 0xE1, 0xBE, 0x7F, 0x78, 0x47, 0x80, 0x0B,
0x93, 0xF6, 0x94, 0xD2, 0x1D, 0x36, 0x8C, 0xC0, 0x6E, 0x03, 0x3E,
0x7F, 0xAB, 0x04, 0xBB, 0x5E, 0xB9, 0x9D, 0xA6, 0xB7, 0x00 },
"MIGxMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMU0wSwYDVQQKDERUw5xS"
"S1RSVVNUIEJpbGdpIMSwbGV0acWfaW0gdmUgQmlsacWfaW0gR8O8dmVubGnEn2kg"
"SGl6bWV0bGVyaSBBLsWeLjFCMEAGA1UEAww5VMOcUktUUlVTVCBFbGVrdHJvbmlr"
"IFNlcnRpZmlrYSBIaXptZXQgU2HEn2xhecSxY8Sxc8SxIEg2",
"faHyZeyK",
== Bug #1230985 - SECOM ==
Test URL: https://pfwtest.secomtrust.net/
// OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
"1.2.392.200091.100.721.1",
"SECOM EV OID",
SEC_OID_UNKNOWN,
{ 0x51, 0x3B, 0x2C, 0xEC, 0xB8, 0x10, 0xD4, 0xCD, 0xE5, 0xDD, 0x85,
0x39, 0x1A, 0xDF, 0xC6, 0xC2, 0xDD, 0x60, 0xD8, 0x7B, 0xB7, 0x36,
0xD2, 0xB5, 0x21, 0x48, 0x4A, 0xA4, 0x7A, 0x0E, 0xBE, 0xF6 },
"MF0xCzAJBgNVBAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENP"
"LixMVEQuMScwJQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTI="
"",
"AA==",
== Bug #1213044 - WISeKey ==
Test URL: https://goodevssl.wisekey.com/
// CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
"2.16.756.5.14.7.4.8",
"WISeKey EV OID",
SEC_OID_UNKNOWN,
{ 0x6B, 0x9C, 0x08, 0xE8, 0x6E, 0xB0, 0xF7, 0x67, 0xCF, 0xAD, 0x65,
0xCD, 0x98, 0xB6, 0x21, 0x49, 0xE5, 0x49, 0x4A, 0x67, 0xF5, 0x84,
0x5E, 0x7B, 0xD1, 0xED, 0x01, 0x9F, 0x27, 0xB8, 0x6B, 0xD6 },
"MG0xCzAJBgNVBAYTAkNIMRAwDgYDVQQKEwdXSVNlS2V5MSIwIAYDVQQLExlPSVNU"
"RSBGb3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNlS2V5IEds"
"b2JhbCBSb290IEdCIENB",
"drEgUnTwhYdGs/gjGvbCwA==",
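Added example (not part of the original bug or the Firefox source): a reviewer-side consistency check for one entry from the description, reading the first base64 string as the DER-encoded issuer name and the second as the certificate serial number. The helper names read_tlv, decode_issuer and check_entry are hypothetical; the sample values are copied from the "CA WoSign ECC Root" entry above.

```python
import base64

# Short names for the attribute-type OIDs (DER content bytes) used in these DNs.
ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
        b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_issuer(b64):
    """Decode a base64 DER Name into 'CN=...,O=...,C=...' (most specific first)."""
    tag, name, _ = read_tlv(base64.b64decode(b64, validate=True), 0)
    if tag != 0x30:
        raise ValueError("issuer is not a DER SEQUENCE")
    parts, pos = [], 0
    while pos < len(name):
        _, rdn, pos = read_tlv(name, pos)          # SET holding one RDN
        _, atv, _ = read_tlv(rdn, 0)               # SEQUENCE { type, value }
        _, oid, vpos = read_tlv(atv, 0)
        _, val, _ = read_tlv(atv, vpos)
        parts.append(f"{ATTR.get(oid, oid.hex())}={val.decode('utf-8')}")
    return ",".join(reversed(parts))               # DER stores C first, comment shows CN first

def check_entry(comment_dn, fingerprint, issuer_b64, serial_b64):
    """Return a list of review findings for one EV entry (empty list = consistent)."""
    findings = []
    if len(fingerprint) != 32:
        findings.append("fingerprint is not 32 bytes (SHA-256)")
    if decode_issuer(issuer_b64) != comment_dn:
        findings.append("issuer blob does not match the DN in the comment")
    if not base64.b64decode(serial_b64, validate=True):
        findings.append("serial number is empty")
    return findings

# Values copied from the "CA WoSign ECC Root" entry in the description above.
WOSIGN_ECC = dict(
    comment_dn="CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN",
    fingerprint=bytes.fromhex("8B45DA1C06F791EB0CABF26BE588F5FB"
                              "23165C2E614BF885562D0DCE50B29B02"),
    issuer_b64="MEYxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEbMBkG"
               "A1UEAxMSQ0EgV29TaWduIEVDQyBSb290",
    serial_b64="aEpYcIBr8I8C+vbe6LCQkA==")

if __name__ == "__main__":
    print(decode_issuer(WOSIGN_ECC["issuer_b64"]), check_entry(**WOSIGN_ECC))
```

The check only confirms that the fields of an entry agree with each other; whether the fingerprint belongs to the intended root still has to be confirmed against the certificate itself.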
Updated • 10 years ago (Assignee)
Assignee: nobody → dkeeler
Comment 1 • 10 years ago (Assignee)
bug 1230994 - December 2015 batch of EV root CA changes r?mgoodwin
Adds:
bug 1193480:
CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
bug 1147675:
CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6,O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A...,L=Ankara,C=TR
bug 1230985:
OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
bug 1213044:
CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
Attachment #8698220 - Flags: review?(mgoodwin)
Comment 2 • 10 years ago
Comment on attachment 8698220 [details]
MozReview Request: bug 1230994 - December 2015 batch of EV root CA changes r?mgoodwin
https://reviewboard.mozilla.org/r/27859/#review25079
::: security/certverifier/ExtendedValidation.cpp:1160
(Diff revision 1)
> + "",
We can lose this line, can't we?
Just one nit. LGTM.
Attachment #8698220 - Flags: review?(mgoodwin) → review+
Comment 3 • 10 years ago (Reporter)
Thanks for making these changes.
Can you make a test build?
Comment 4 • 10 years ago
(In reply to Kathleen Wilson from comment #3)
> Thanks for making these changes.
>
> Can you make a test build?
You can download test builds from Try when Keeler does a try push. I was hoping you'd be able to start your own with the mozreview automation tools but apparently only the author can do that at the moment.
Comment 5 • 10 years ago (Assignee)
https://reviewboard.mozilla.org/r/27859/#review25079
> We can lose this line, can't we?
Good call. Looks like a bug in pp.
Comment 6 • 10 years ago (Assignee)
Comment 7 • 10 years ago (Assignee)
Kathleen, you should be able to download an OS X build here: https://archive.mozilla.org/pub/firefox/try-builds/dkeeler@mozilla.com-6dfdc80ce461e6d23dde6c8a3c8eb06978925776/try-macosx64/firefox-45.0a1.en-US.mac.dmg
Flags: needinfo?(kwilson)
Comment 8 • 10 years ago (Reporter)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #7)
> Kathleen, you should be able to download an OS X build here:
> https://archive.mozilla.org/pub/firefox/try-builds/dkeeler@mozilla.com-6dfdc80ce461e6d23dde6c8a3c8eb06978925776/try-macosx64/firefox-45.0a1.en-US.mac.dmg
I'm seeing EV treatment for all of the test sites listed above, so it looks good.
Thanks!
Flags: needinfo?(kwilson)
Comment 10 • 10 years ago
bugherder
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox46: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Comment 11 • 10 years ago (Reporter)
Thanks for working on this update so quickly.
Is there any chance we can get it into mozilla44 or 45?
A couple of the impacted CAs have customers anxiously waiting for their certs to get EV treatment.
Comment 12 • 10 years ago (Assignee)
Comment on attachment 8698220 [details]
MozReview Request: bug 1230994 - December 2015 batch of EV root CA changes r?mgoodwin
Approval Request Comment
[Feature/regressing bug #]: n/a
[User impact if declined]: no EV indication on some sites
[Describe test coverage new/current, TreeHerder]: there are automated tests for EV functionality in general, but not for these specific roots. These specific roots can be manually verified by visiting the test sites listed earlier in this bug.
[Risks and why]: low - this only adds to a list and we've done this sort of thing before without any issues
[String/UUID change made/needed]: none
Attachment #8698220 - Flags: approval-mozilla-beta?
Attachment #8698220 - Flags: approval-mozilla-aurora?
Comment 13 • 10 years ago
Comment on attachment 8698220 [details]
MozReview Request: bug 1230994 - December 2015 batch of EV root CA changes r?mgoodwin
Seems like usual business, taking it. Beta44+, Aurora45+
Attachment #8698220 - Flags: approval-mozilla-beta?
Attachment #8698220 - Flags: approval-mozilla-beta+
Attachment #8698220 - Flags: approval-mozilla-aurora?
Attachment #8698220 - Flags: approval-mozilla-aurora+
status-firefox44: --- → affected
status-firefox45: --- → affected
Comment 14 • 10 years ago
bugherder uplift
Comment 15 • 10 years ago
bugherder uplift
Comment 16 • 10 years ago
bugherder uplift
status-b2g-v2.5: --- → fixed