Closed Bug 383722 Opened 14 years ago Closed 14 years ago

Add StartCom root CA certificate(s) to NSS

Categories

(NSS :: Libraries, enhancement)

Tracking

(Not tracked)

RESOLVED FIXED
3.11.8

People

(Reporter: gerv, Assigned: KaiE)

Attachments

(5 files)

This bug requests inclusion in the NSS root certificate store of the following certificate(s), owned by StartCom:

1) Friendly name: "StartCom Certification Authority"
   SHA1 Fingerprint: 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F
   Trust flags: websites, email

The certificate(s) themselves will be attached momentarily.

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificate(s) approved for inclusion in bug 362304.

The steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on Windows and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate(s).

Gerv
I confirm the attachment https://bugzilla.mozilla.org/attachment.cgi?id=267708 to be the correct certificate, and I also checked it against the fingerprint. Thanks!
Kai: please can you produce a test nssckbi.dll with this cert? Thanks.

Gerv
Attached patch: Patch v1
Hi Kai,

We'll have to apply the patch in order to test, except in case you can compile a nssckbi.so (for Linux). Please advise.
Does this work for you?

Please use
  gzip -d
then place it into a Linux Firefox 2 download.
I confirm that the patch provided to me by Kai has the correct certificate and, when applied to the NSS module, produced the correct results.
Eddy, this is the patch that you tested and that works correctly for you, right?
Thanks.
Comment on attachment 268159
Patch v1

Bob, Nelson, can you please review/approve this patch?

It was produced using:
cat cert-383722.der | addbuiltin -n "StartCom Certification Authority" -t C,C, >> certdata.txt
Attachment #268159 - Flags: superreview?(rrelyea)
Attachment #268159 - Flags: review?(nelson)
FYI, the changes to certdata.txt in attachment 268159 and attachment 268426 are identical.
(In reply to comment #9)
> Created an attachment (id=268426)
> Patch v1 plus generated certdata.c
> 
> Eddy, this is the patch that you tested and that works correctly for you,
> right?
> Thanks.
> 
Correct. diff p2-383722 moz-ca.patch returns 0 lines.

Comment on attachment 268159
Patch v1

r+=rrelyea
Attachment #268159 - Flags: superreview?(rrelyea) → superreview+
Comment on attachment 268159
Patch v1

I wrote a little program to process the certdata.txt file and turn it into readable contents.  It's a gross hack, and it requires reading the result to visually search for errors, but it made reviewing this patch possible.  

r=nelson
Attachment #268159 - Flags: review?(nelson) → review+
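A review helper of the kind described in the comment above, turning certdata.txt into something a reviewer can check, could look like the following. This is an added example, not the reviewer's program or NSS code; the "Example Root" label, the placeholder certificate bytes and the sample fragment are constructed, and pairing objects by label is an assumption.

```python
import hashlib
import re
from itertools import takewhile

def to_octal(data):  # MULTILINE_OCTAL body as certdata.txt writes it, 16 bytes per row
    rows = [data[i:i + 16] for i in range(0, len(data), 16)]
    return "\n".join("".join("\\%03o" % b for b in row) for row in rows)

def parse_objects(text):
    """Split certdata.txt text into one attribute dict per PKCS#11 object."""
    objects, lines = [{}], iter(text.splitlines())  # objects[0] absorbs the file preamble
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        value = parts[2].strip('"') if len(parts) > 2 else ""
        if parts[1] == "MULTILINE_OCTAL":  # octal rows follow, up to a line reading END
            body = "".join(takewhile(lambda row: row.strip() != "END", lines))
            value = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", body))
        if parts[0] == "CKA_CLASS":  # each object begins with its CKA_CLASS line
            objects.append({})
        objects[-1][parts[0]] = value
    return objects[1:]

def review(text):
    """Yield (label, SHA-1 fingerprint, stored hash matches, trust attrs) per trust object."""
    objs = parse_objects(text)  # assumption: labels are unique, so objects pair by label
    certs = {o["CKA_LABEL"]: o for o in objs if o["CKA_CLASS"] == "CKO_CERTIFICATE"}
    for t in (o for o in objs if o["CKA_CLASS"].endswith("_TRUST")):
        digest = hashlib.sha1(certs.get(t["CKA_LABEL"], {}).get("CKA_VALUE", b"")).digest()
        trust = {k: v for k, v in t.items() if k.startswith("CKA_TRUST_")}
        ok = digest == t.get("CKA_CERT_SHA1_HASH")  # stored hash must match the DER bytes
        yield t["CKA_LABEL"], digest.hex(":").upper(), ok, trust

FAKE_DER = b"constructed placeholder bytes, not a real DER certificate"
SAMPLE = f"""# Constructed sample in certdata.txt syntax
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root"
CKA_VALUE MULTILINE_OCTAL
{to_octal(FAKE_DER)}
END
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Example Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
{to_octal(hashlib.sha1(FAKE_DER).digest())}
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
"""
```

Run over the real file, the fingerprint is the value to compare against the one stated in the inclusion request, and the trust attributes against the requested trust flags.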
I checked in the patches for bug 384118 and bug 383722 to both trunk and 3.11 branch. Marking fixed.

trunk:

Checking in ckfw/builtins/certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.43; previous revision: 1.42
done
Checking in ckfw/builtins/certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.43; previous revision: 1.42
done


3.11 branch:

Checking in ckfw/builtins/certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.36.24.6; previous revision: 1.36.24.5
done
Checking in ckfw/builtins/certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.37.24.6; previous revision: 1.37.24.5
done
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
FWIW, before I checked in the patch, I moved the new StartCom root further up in certdata.txt so that both StartCom certs are grouped in the file. This explains a difference in numbering in the .c file you might see in the check in.
(In reply to comment #16)
> FWIW, before I checked in the patch, I moved the new StartCom root further up
> in certdata.txt so that both StartCom certs are grouped in the file. This
> explains a difference in numbering in the .c file you might see in the check
> in.

I don't object to that movement in principle, but I think it would have been better to have done that before generating the test build for the CA(s) to approve.

Same confirmation of correctness after checkout from CVS (and rebuild of NSS module). All clear and the change introduced by Kai had no (negative) effect.
Target Milestone: --- → 3.11.8