Closed Bug 411299 Opened 12 years ago Closed 12 years ago
Add Identrust, Turktrust, Swiss
This is the bug to get several new roots added to NSS. In particular, I intend to add the following roots to NSS at once, after we got approval for all of them.

IdenTrust: bug 394733
TürkTrust: bug 410821
SwissSign: bug 407396
This is a single patch that adds all new roots as listed in the 3 other bugs.
This is a test comment, to ensure I will be using the correct syntax to quote the nssckbi.dll attachment: attachment 295966 [details]
New patch, only change: added websites trust for TürkTrust Root 1.
Attachment #295961 - Attachment is obsolete: true
nssckbi.dll based on patch v2
Attachment #295966 - Attachment is obsolete: true
(In reply to comment #4)
> New patch, only change: added websites trust for TürkTrust Root 1.

This change will cure "untrusted issuer" errors, but not "unknown issuer" errors.
Comment on attachment 296542: Patch v2

All 3 CAs have confirmed this patch and the derived binary roots module matches their expectations.

Bob, Nelson, could you please review/approve this patch? Not sure you want to do a real code review. If you intend to look at the patch, please ignore the changes to certdata.c, but look at the changes to certdata.txt only. Nelson, do you still have your magic tool that you can reuse?

I'm requesting two reviews, because we might want to land this on the 3.11 branch. Of course, should I land this on the 3.11 branch, I will increment the module version number. When receiving reviews for this patch, I assume you give approval for that version number change, too (branch only).
This is the program I used to make the patch to the certdata.txt readable for review purposes. I could add the usual boilerplate and commit it to the source tree, if anyone thinks I should. The way to use it is to apply the patch to the certdata.txt file, then run this program with stdin coming from that patched certdata.txt file. Then study the output. Actually, it's best to run this program with just a subset of the certdata.txt file as input, the subset being the newly added or revised parts.
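A sketch of the kind of summary such a review needs, as an added example that is not the helper program attached to this bug: it reads certdata.txt-style text and reports, per trust object, which purposes the root is trusted to issue for. It assumes every object begins with a CKA_CLASS line and accepts both the CKT_NETSCAPE_ and CKT_NSS_ constant prefixes; the sample labels are constructed.

```python
import re
import sys

# Trust attributes of a trust object and the purpose each one governs.
PURPOSES = {
    "CKA_TRUST_SERVER_AUTH": "websites",
    "CKA_TRUST_EMAIL_PROTECTION": "email",
    "CKA_TRUST_CODE_SIGNING": "code signing",
}
TRUST_CLASS = re.compile(r"CKO_(NSS|NETSCAPE)_TRUST$")
TRUSTED_CA = re.compile(r"CKT_(NSS|NETSCAPE)_TRUSTED_DELEGATOR$")

# Constructed sample input, not real certdata.txt content.
SAMPLE = """\
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

def summarize_trust(text):
    """Return {label: sorted purposes for which the root is a trusted CA}."""
    result = {}
    label, is_trust, purposes = None, False, set()

    def flush():  # record the object that just ended, if it was a trust object
        if is_trust and label is not None:
            result[label] = sorted(purposes)

    for raw in text.splitlines():
        fields = raw.strip().split(None, 2)
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # comments, octal data, END, BEGINDATA
        name, _type, value = fields
        if name == "CKA_CLASS":  # assumption: starts a new object
            flush()
            label, purposes = None, set()
            is_trust = bool(TRUST_CLASS.match(value))
        elif name == "CKA_LABEL":
            label = value.strip('"')
        elif name in PURPOSES and TRUSTED_CA.match(value):
            purposes.add(PURPOSES[name])
    flush()
    return result

if __name__ == "__main__":
    for root, uses in summarize_trust(sys.stdin.read()).items():
        print(f"{root}: {', '.join(uses) or 'no trust bits set'}")
```

As with the procedure described above, feeding it only the newly added or revised part of the patched file keeps the output short enough to compare against each CA's approved trust bits.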
Here's the output from the helper tool when run with the certdata.txt file with Kai's patch v2, for your reviewing pleasure. :)
Comment on attachment 296542: Patch v2

I focused the review on certdata.txt since certdata.c is generated. After some review of the bugs, I have verified that the Trust values here are correct (despite the fact the SwissSign Platinum looks weird and TURKTRUST Root 1 is different than the initial request). SwissSign verified that the Platinum bits are correct and TURKTRUST verified that SSL is needed for CA 1.

bob
Attachment #296542 - Flags: superreview?(rrelyea) → superreview+
Comment on attachment 296542: Patch v2

Based on my visual scanning of the output in the above attachment, I see no obvious flaws. r=nelson
Attachment #296542 - Flags: review?(nelson) → review+
The other patch I had attached was a 3.11 branch version. This patch is the version for trunk. The changes to certdata.txt are identical, they differ in the certdata.c file (generated).

I checked in this patch to trunk.

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c
new revision: 1.45; previous revision: 1.44
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v <-- certdata.txt
new revision: 1.45; previous revision: 1.44
done
Comment on attachment 296542 [details] [diff] [review] Patch v2 I checked in this patch to the 3.11 branch. In addition, as mentioned before, I updated the builtins version number on the 3.11 branch. -#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 64 -#define NSS_BUILTINS_LIBRARY_VERSION "1.64" +#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 65 +#define NSS_BUILTINS_LIBRARY_VERSION "1.65" Checking in certdata.c; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c new revision: 22.214.171.124; previous revision: 126.96.36.199 done Checking in certdata.txt; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v <-- certdata.txt new revision: 188.8.131.52; previous revision: 184.108.40.206 done Checking in nssckbi.h; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h,v <-- nssckbi.h new revision: 220.127.116.11; previous revision: 18.104.22.168 done
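Review bot: the builtins version is stated twice in the nssckbi.h change, once as NSS_BUILTINS_LIBRARY_VERSION_MINOR 65 and once as the string "1.65", and nothing in these lines ties the two together. Both are bumped consistently here, but a comment beside the defines saying they must change together, or building the string from the numeric macro, would keep a later root-list update from shipping a module whose numeric and string versions disagree.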
I'm resolving this as fixed as of NSS 3.11.9 (Note to CAs: this task is independent of including this snapshot in Mozilla client products)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.11.9
Summary: Add Identrust, Truktrust, SwissSign Roots → Add Identrust, Turktrust, SwissSign Roots