Closed Bug 411299 Opened 12 years ago Closed 12 years ago

Add Identrust, Turktrust, SwissSign Roots

Product/Component: NSS :: Libraries (defect)
Status: RESOLVED FIXED
Target Milestone: 3.11.9
Reporter: KaiE
Assignee: Unassigned
Attachments: 5 files, 2 obsolete files

This is the bug to get several new roots added to NSS.

In particular, I intend to add the following roots to NSS at once, after we got approval for all of them.

IdenTrust: bug 394733
TürkTrust: bug 410821
SwissSign: bug 407396
Attached patch Patch v1 (obsolete) — Splinter Review
This is a single patch that adds all new roots as listed in the 3 other bugs.
This is a test comment, to ensure I will be using the correct syntax to quote the nssckbi.dll attachment:

attachment 295966 [details]
Attached patch Patch v2 — Splinter Review
New patch, only change: added websites trust for TürkTrust Root 1.
Attachment #295961 - Attachment is obsolete: true
Attached file nssckbi.dll v2
nssckbi.dll based on patch v2
Attachment #295966 - Attachment is obsolete: true
(In reply to comment #4)
> New patch, only change: added websites trust for TürkTrust Root 1.

This change will cure "untrusted issuer" errors, but not "unknown issuer" 
errors.  

Comment on attachment 296542 [details] [diff] [review]
Patch v2

All 3 CAs have confirmed this patch and the derived binary roots module matches their expectations.

Bob, Nelson, could you please review/approve this patch?

Not sure you want to do a real code review. If you intend to look at the patch, please ignore the changes to certdata.c, but look at the changes to certdata.txt only.

Nelson, do you still have your magic tool that you can reuse?

I'm requesting two reviews, because we might want to land this on the 3.11 branch. Of course, should I land this on the 3.11 branch, I will increment the module version number. When receiving reviews for this patch, I assume you give approval for that version number change, too (branch only).
Attachment #296542 - Flags: superreview?(rrelyea)
Attachment #296542 - Flags: review?(nelson)
This is the program I used to make the patch to the certdata.txt readable
for review purposes.  I could add the usual boilerplate and commit it to 
the source tree, if anyone thinks I should.

The way to use it is to apply the patch to the certdata.txt file, then 
run this program with stdin coming from that patched certdata.txt file.
Then study the output.  Actually, it's best to run this program with 
just a subset of the certdata.txt file as input, the subset being the 
newly added or revised parts.
Here's the output from the helper tool when run with the certdata.txt 
file with Kai's patch v2, for your reviewing pleasure.  :)
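
A review aid in the spirit of the one described above, as an added example; it is not Nelson's program or NSS code. It assumes the certdata.txt object layout (CKA_CLASS, CKA_LABEL and CKA_TRUST_* lines, MULTILINE_OCTAL blocks closed by END), which this page does not show, and the labels and bytes in the sample are constructed.

```python
import sys

# Purposes gated by the three trust attributes of a certdata.txt trust object.
PURPOSES = {"CKA_TRUST_SERVER_AUTH": "websites",
            "CKA_TRUST_EMAIL_PROTECTION": "email",
            "CKA_TRUST_CODE_SIGNING": "code signing"}

def trust_summary(text):
    """Map each trust object's label to the purposes it is a trust anchor for."""
    summary, label, is_trust, in_octal = {}, None, False, False
    for line in map(str.strip, text.splitlines()):
        if in_octal:                      # skip DER/hash bytes up to END
            in_octal = line != "END"
            continue
        parts = [] if line.startswith("#") else line.split(None, 2)
        in_octal = parts[1:2] == ["MULTILINE_OCTAL"]
        if len(parts) < 3:
            continue
        attr, value = parts[0], parts[2].strip('"')
        if attr == "CKA_CLASS":           # every object starts with its class
            is_trust, label = value.endswith("_TRUST"), None
        elif attr == "CKA_LABEL" and is_trust:
            label = value
            summary[label] = []
        elif is_trust and label and attr in PURPOSES and value.endswith("TRUSTED_DELEGATOR"):
            summary[label].append(PURPOSES[attr])
    return summary

# Constructed sample (placeholder labels and bytes), not taken from the patch.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root A"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, purposes in trust_summary(text).items():
        print(f"{name}: {', '.join(purposes) or 'no trust bits'}")
```

Fed only the newly added part of a patched certdata.txt on stdin, it prints one line per root, so a missing websites bit like the one on the second sample root stands out.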
Comment on attachment 296542 [details] [diff] [review]
Patch v2

I focused the review on certdata.txt since certdata.c is generated.

After some review of the bugs, I have verified that the Trust values here are correct (despite the fact the SwissSign Platinum looks weird and TURKTRUST Root 1 is different than the initial request). SwissSign verified that the Platinum bits are correct and TURKTRUST verified that SSL is needed for CA 1.

bob
Attachment #296542 - Flags: superreview?(rrelyea) → superreview+
Comment on attachment 296542 [details] [diff] [review]
Patch v2

Based on my visual scanning of the output in the above attachment, I see no obvious flaws.
r=nelson
Attachment #296542 - Flags: review?(nelson) → review+
Attached patch Patch v2 trunk — Splinter Review
The other patch I had attached was a 3.11 branch version.

This patch is the version for trunk.

The changes to certdata.txt are identical, they differ in the certdata.c file (generated).

I checked in this patch to trunk.


Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.45; previous revision: 1.44
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.45; previous revision: 1.44
done
Comment on attachment 296542 [details] [diff] [review]
Patch v2

I checked in this patch to the 3.11 branch.

In addition, as mentioned before, I updated the builtins version number on the 3.11 branch.

-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 64
-#define NSS_BUILTINS_LIBRARY_VERSION "1.64"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 65
+#define NSS_BUILTINS_LIBRARY_VERSION "1.65"
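
Review bot: NSS_BUILTINS_LIBRARY_VERSION_MINOR and the NSS_BUILTINS_LIBRARY_VERSION string carry the same number in two hand-edited places. Both go from 64 to 65 here, so they agree, but a comment next to the defines stating that they must be bumped together would keep a later bump from updating only one of them.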

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.36.24.7; previous revision: 1.36.24.6
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.37.24.7; previous revision: 1.37.24.6
done
Checking in nssckbi.h;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h,v  <--  nssckbi.h
new revision: 1.14.2.5; previous revision: 1.14.2.4
done
I'm resolving this as fixed as of NSS 3.11.9

(Note to CAs: this task is independent of including this snapshot in Mozilla client products)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.11.9
Summary: Add Identrust, Truktrust, SwissSign Roots → Add Identrust, Turktrust, SwissSign Roots