Add StartCom root CA certificate(s) to NSS

RESOLVED FIXED in 3.11.8

Status

--
enhancement
RESOLVED FIXED
12 years ago
11 years ago

People

(Reporter: gerv, Assigned: kaie)

Tracking

unspecified
3.11.8


Attachments

(5 attachments)

This bug requests inclusion in the NSS root certificate store of the following certificate(s), owned by StartCom:

1) Friendly name: "StartCom Certification Authority"
   SHA1 Fingerprint: 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F
   Trust flags: websites, email

The certificate(s) themselves will be attached momentarily.

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificate(s) approved for inclusion in bug 362304.

The steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on Windows and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate(s).

Gerv
Created attachment 267708 [details]
StartCom Certification Authority certificate

Comment 2

12 years ago
I confirm the attachment https://bugzilla.mozilla.org/attachment.cgi?id=267708 to be the correct certificate, and I also checked it against the fingerprint. Thanks!
Kai: please can you produce a test nssckbi.dll with this cert? Thanks.

Gerv
(Assignee)

Comment 4

12 years ago
Created attachment 268159 [details] [diff] [review]
Patch v1
(Assignee)

Comment 5

12 years ago
Created attachment 268161 [details]
nssckbi.dll for testing purposes

Comment 6

12 years ago
Hi Kai,

We'll have to apply the patch in order to test, except in case you can compile a nssckbi.so (for Linux). Please advise.
(Assignee)

Comment 7

12 years ago
Created attachment 268165 [details]
Linux libnssckbi.so for testing purposes

Does this work for you?

Please use
  gzip -d
then place the file into a Linux Firefox 2 download.

Comment 8

12 years ago
I confirm that the patch provided to me by Kai has the correct certificate and that applying it to the NSS module produced the correct results.
(Assignee)

Comment 9

12 years ago
Created attachment 268426 [details] [diff] [review]
Patch v1 plus generated certdata.c

Eddy, this is the patch that you tested and that works correctly for you, right?
Thanks.
(Assignee)

Comment 10

12 years ago
Comment on attachment 268159 [details] [diff] [review]
Patch v1

Bob, Nelson, can you please review/approve this patch?

It was produced using:
cat cert-383722.der | addbuiltin -n "StartCom Certification Authority" -t C,C, >> certdata.txt
Attachment #268159 - Flags: superreview?(rrelyea)
Attachment #268159 - Flags: review?(nelson)
(Assignee)

Comment 11

12 years ago
FYI, the changes to certdata.txt in attachment 268159 [details] [diff] [review] and attachment 268426 [details] [diff] [review] are identical.

Comment 12

12 years ago
(In reply to comment #9)
> Created an attachment (id=268426) [details]
> Patch v1 plus generated certdata.c
> 
> Eddy, this is the patch that you tested and that works correctly for you,
> right?
> Thanks.
> 
Correct. diff p2-383722 moz-ca.patch returns 0 lines.

Comment 13

12 years ago
Comment on attachment 268159 [details] [diff] [review]
Patch v1

r+=rrelyea
Attachment #268159 - Flags: superreview?(rrelyea) → superreview+
Comment on attachment 268159 [details] [diff] [review]
Patch v1

I wrote a little program to process the certdata.txt file and turn it into readable contents.  It's a gross hack, and it requires reading the result to visually search for errors, but it made reviewing this patch possible.  

r=nelson
Attachment #268159 - Flags: review?(nelson) → review+
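
A reviewer aid of the kind mentioned in the comment above, as an added example; it is not Nelson's program and not NSS code. It decodes certdata.txt-style objects, recomputes the SHA-1 fingerprint of each certificate (the value the CA was asked to check in this bug) and lists the trust bits. The object layout and CKA_/CKT_ attribute names are assumed from the NSS builtins file of that era, and the label and certificate bytes are constructed placeholders.

```python
import hashlib
import re

def octal(data):
    return "".join("\\%03o" % b for b in data)  # MULTILINE_OCTAL byte encoding

SAMPLE_DER = bytes.fromhex("3003020101")  # constructed placeholder, not a real cert
SAMPLE = f"""# Certificate "Example Root (constructed)"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root (constructed)"
CKA_VALUE MULTILINE_OCTAL
{octal(SAMPLE_DER)}
END
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Example Root (constructed)"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
{octal(hashlib.sha1(SAMPLE_DER).digest())}
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
"""

def parse_certdata(text):
    """Split certdata.txt-style text into objects (attribute name -> value)."""
    objects, lines = [], iter(text.splitlines())
    for line in lines:
        fields = line.split(None, 2)
        if len(fields) < 2 or line.startswith("#"):
            continue
        value = fields[2].strip('"') if len(fields) > 2 else ""
        if fields[1] == "MULTILINE_OCTAL":  # octal-escaped bytes, closed by END
            body = "".join(iter(lambda: next(lines, "END").strip(), "END"))
            value = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", body))
        if fields[0] == "CKA_CLASS":  # each object starts with its class
            objects.append({})
        if objects:
            objects[-1][fields[0]] = value
    return objects

def review(text):
    """Yield (label, SHA-1 of paired cert, recorded hash ok?, trust) per trust object."""
    objs = parse_certdata(text)
    ders = {o.get("CKA_LABEL"): o.get("CKA_VALUE", b"") for o in objs
            if o["CKA_CLASS"] == "CKO_CERTIFICATE"}
    for t in (o for o in objs if o["CKA_CLASS"].endswith("_TRUST")):
        sha1 = hashlib.sha1(ders.get(t.get("CKA_LABEL"), b"")).digest()
        trust = {k[10:]: v for k, v in t.items() if k[:10] == "CKA_TRUST_" and v[:4] == "CKT_"}
        yield t.get("CKA_LABEL"), sha1.hex(":").upper(), sha1 == t.get("CKA_CERT_SHA1_HASH"), trust
```

A row whose third field is False means the hash recorded in the trust object does not match the certificate bytes stored under the same label, which is the kind of error that is hard to spot in the raw octal.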
(Assignee)

Comment 15

12 years ago
I checked in the patches for bug 384118 and bug 383722 to both trunk and 3.11 branch. Marking fixed.

trunk:

Checking in ckfw/builtins/certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.43; previous revision: 1.42
done
Checking in ckfw/builtins/certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.43; previous revision: 1.42
done


3.11 branch:

Checking in ckfw/builtins/certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.36.24.6; previous revision: 1.36.24.5
done
Checking in ckfw/builtins/certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.37.24.6; previous revision: 1.37.24.5
done
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
(Assignee)

Comment 16

12 years ago
FWIW, before I checked in the patch, I moved the new StartCom root further up in certdata.txt so that both StartCom certs are grouped in the file. This explains a difference in numbering in the .c file you might see in the check in.
(In reply to comment #16)
> FWIW, before I checked in the patch, I moved the new StartCom root further up
> in certdata.txt so that both StartCom certs are grouped in the file. This
> explains a difference in numbering in the .c file you might see in the check
> in.

I don't object to that movement in principle, but I think it would have been better to have done that before generating the test build for the CA(s) to approve.

Comment 18

12 years ago
Same confirmation of correctness after checkout from CVS (and rebuild of NSS module). All clear and the change introduced by Kai had no (negative) effect.
(Assignee)

Updated

11 years ago
Target Milestone: --- → 3.11.8