Closed Bug 272903 Opened 20 years ago Closed 20 years ago

Add root CA certificate NSS patch to Mozilla

Categories

(SeaMonkey :: General, enhancement)

Tracking

(Not tracked)

RESOLVED FIXED
mozilla1.8beta1

People

(Reporter: hecker, Unassigned)

Details

I've approved a bunch of new CAs to have their root CA certificates added to
Mozilla, Firefox, Thunderbird, etc. Nelson Bolyard has created an NSS patch to
add those new CA certs to the NSS built-in cert library (see bug 271585). I'm
requesting that this NSS patch for the new CA certs be added to future versions
of Mozilla. (Nelson can explain more about the actual patch and how it relates
to the official NSS releases.)
So what actually needs to be done for this bug?  It'd be good to get this in for
1.8a6 or 1.8b so it can get some testing....

I thought those certs were already committed on the NSS client branch...?

In answer to the questions asked in comments 1 and 2:

Guys (Boris, Benjamin, et al. CC readers),
I'm not entirely sure what (if any) work needs to be done for this bug.
I don't keep up with all the mozilla/seamonkey/TB/FF/aviary/etc/ projects
and their branches, etc.  But I believe that there are some mozilla products
that now have their own branches of NSS (branches other than the NSS trunk
and the NSS_3_x_BRANCH branches).  They may occasionally sync their branches
with the NSS trunk or NSS_3_x_BRANCH or some other tag.  This bug suggests 
to them that they do so again, if they have not done so since the recent 
round of new CA certs was added to NSS.

The work that I did to check in the many recent new CA certs was done for the
NSS trunk and the NSS_3_9_BRANCH branches only, AFAIK.  To put it another way,
if anyone has checked in those changes onto any other branches (e.g. AVIARY,
etc.) it's news to me.

So, the purpose of this bug is to ask/suggest to the maintainers of all those
other branches that they keep their branches in sync with the NSS trunk (or
NSS_3_9_BRANCH as appropriate) with respect to the contents of the files 
that contain the CA certs.  

Perhaps it is now the case that all those products have abandoned their own
branches, and have gone to using the "NSS_CLIENT_TAG" or some other NSS 
trunk or branch tag, and so no work is needed.  But AFAIAC, only the keepers
of those other branches can tell what, if any, work is needed here.
This bug asks them to do just that.

Blocks: 272905

So the NSS version Mozilla pulls is set at
http://lxr.mozilla.org/seamonkey/source/client.mk#183

So I would think this would Just Work.  Comments in bug 272905, however,
indicate that this may not be the case...  Frank, do you know what's up with that?
I just checked the following nightly release:

http://ftp.mozilla.org/pub/mozilla.org/mozilla/nightly/latest/mozilla-i686-pc-linux-gnu-gtk2+xft.tar.gz

and looked at the libnssckbi.so file. It does not contain the data for Sonera,
one of the CAs added in the patch Nelson referenced. (I did "strings
mozilla/libnssckbi.so | grep Sonera".)

I also downloaded the associated source tarball:

http://ftp.mozilla.org/pub/mozilla.org/mozilla/nightly/latest/mozilla-source.tar.gz

and looked at the source file mozilla/security/nss/lib/ckfw/builtins/certdata.c
that contains the built-in CA cert data; again, it does not have the Sonera
data. The revision info for the file is

$Revision: 1.27.16.1 $ $Date: 2004/09/16 02:43:57 $ $Name: NSS_CLIENT_TAG

which is consistent with the version of the file at

http://lxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.c

On the other hand, if I look at

http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.c

(which presumably tracks the NSS trunk) then I see that its revision info is

$Revision: 1.30 $ $Date: 2004/12/02 19:47:45

and it does in fact contain the data for Sonera.

I'm not a CVS expert at all, but isn't NSS_CLIENT_TAG just that, a tag pointing
to a particular revision of NSS, and wouldn't it have to be updated periodically
to point to whatever new NSS revision we want to use?
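
The check done by hand above (strings on libnssckbi.so, grep for one CA name) generalised to every CA label in certdata.txt, as an added example that is not part of the bug thread or of NSS itself. It assumes the certdata.txt layout NSS uses (one `CKA_LABEL UTF8 "..."` line per object) and uses `grep -a` instead of strings(1); the sample certdata.txt and fake library it builds are constructed test data, not real NSS content.

```shell
#!/bin/sh
# Added example (not from the bug thread): report root CA labels present in an
# NSS certdata.txt but absent from a built libnssckbi.so. An empty result means
# the shipped built-in root store matches the source file it was built from.

# Print each distinct CA label found in a certdata.txt, one per line.
# (Certificate and trust objects repeat the label; sort -u collapses them.)
cert_labels() {
    sed -n 's/^CKA_LABEL UTF8 "\(.*\)"[[:space:]]*$/\1/p' "$1" | sort -u
}

# Print labels from certdata.txt ($1) that do not occur anywhere in the
# built library ($2). grep -a searches the binary directly, so strings(1)
# from binutils is not required.
missing_cas() {
    cert_labels "$1" | while IFS= read -r label; do
        grep -a -F -q -- "$label" "$2" || printf '%s\n' "$label"
    done
}

# Constructed sample (not real NSS data): a two-CA certdata.txt and a fake
# "library" that only carries the first label, so the second is reported.
# Prints the directory holding the two files.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/certdata.txt" <<'EOF'
# Certificate "Example Root CA" (constructed sample entry)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\001
END
# Certificate "Sonera Class1 CA" (constructed sample entry)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Sonera Class1 CA"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\001
END
EOF
    printf 'junk\0\0Example Root CA\0more junk\0' > "$dir/libnssckbi.so"
    printf '%s\n' "$dir"
}

# Usage against a real build tree: missing_cas certdata.txt libnssckbi.so
```

Against a real tree, point the two arguments at mozilla/security/nss/lib/ckfw/builtins/certdata.txt and the libnssckbi.so from the nightly tarball.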
Yes, indeed.  The NSS_CLIENT_TAG should be pointing to whatever the current "NSS
clients should use this" revision of the client branch is, as I understand.  I'm
not sure whose responsibility it is to update that tag, but it seems to me that
someone familiar with NSS would be in the best position to do it....

See also last paragraph of comment 3.

I just checked, and the NSS_CLIENT_TAG revision for certdata.c is indeed
1.27.16.1.  Per CVS logs, that tag should be moved to revision 1.27.16.2 of
certdata.c, and similar changes should happen for certdata.txt and nssckbi.h.

I just moved the NSS_CLIENT_TAG on certdata.c,
certdata.txt, and nssckbi.h to the latest
revisions on NSS_3_9_BRANCH (what Boris asked
for in comment 6).

Let's mark this FIXED then, that's all the branches/tags I think we care about.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.8beta