Closed Bug 425469 Opened 15 years ago Closed 15 years ago

Add multiple new roots: Geotrust, Thawte, Verisign, Trustwave, Comodo

Categories: NSS :: Libraries
Type: defect; Priority: not set; Severity: normal
Tracking: not tracked
Status: RESOLVED FIXED
Target Milestone: 3.11.10
People: Reporter: KaiE; Assigned: KaiE
Attachments: 4 files, 1 obsolete file

This bug is meant to land a single patch that adds multiple new roots.
$ pp-with-certid -t certificate -x -a -i geotrust-424169
Subject:
    CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
Issuer:
    CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
Serial Number:
    18:ac:b5:6a:fd:69:b6:15:3a:63:6c:af:da:fa:c4:a1
Issuer DER Base64:
MFgxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTEwLwYDVQQD
EyhHZW9UcnVzdCBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5
Serial DER Base64:
GKy1av1pthU6Y2yv2vrEoQ==
Fingerprint (MD5):
    02:26:C3:01:5E:08:30:37:43:A9:D0:7D:CF:37:E6:BF
Fingerprint (SHA1):
    32:3C:11:8E:1B:F7:B8:B6:52:54:E2:E2:10:0D:D6:02:90:37:F0:96

$ addbuiltin -n "GeoTrust Primary Certification Authority" -t C,, < ~/moz/nss/head/425469/geotrust-424169.der >> certdata.txt



$ pp-with-certid -t certificate -x -a -i thawte-424152
Subject:
    CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
Issuer:
    CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
Serial Number:
    34:4e:d5:57:20:d5:ed:ec:49:f4:2f:ce:37:db:2b:6d
Issuer DER Base64:
MIGpMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSgwJgYDVQQL
Ex9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYDVQQLEy8oYykg
MjAwNiB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEfMB0G
A1UEAxMWdGhhd3RlIFByaW1hcnkgUm9vdCBDQQ==
Serial DER Base64:
NE7VVyDV7exJ9C/ON9srbQ==
Fingerprint (MD5):
    8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12
Fingerprint (SHA1):
    91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81

$ addbuiltin -n "thawte Primary Root CA" -t C,, < ~/moz/nss/head/425469/thawte-424152.der >> certdata.txt



$ pp-with-certid -t certificate -x -a -i verisign3g5
Subject:
    CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
Issuer:
    CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
Serial Number:
    18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Issuer DER Base64:
MIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNV
BAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA2IFZl
cmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMT
PFZlcmlTaWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBB
dXRob3JpdHkgLSBHNQ==
Serial DER Base64:
GNrRniZ96LtKIVjNzGs7Sg==
Fingerprint (MD5):
    CB:17:E4:31:67:3E:E2:09:FE:45:57:93:F3:0A:FA:1C
Fingerprint (SHA1):
    4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5

$ addbuiltin -n "VeriSign Class 3 Public Primary Certification Authority - G5" -t C,, < ~/moz/nss/head/425469/verisign3g5.der >> certdata.txt



$ pp-with-certid -t certificate -x -a -i trustwave-418907-ca1
Subject:
    CN=SecureTrust CA,O=SecureTrust Corporation,C=US
Issuer:
    CN=SecureTrust CA,O=SecureTrust Corporation,C=US
Serial Number:
    0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0
Issuer DER Base64:
MEgxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlv
bjEXMBUGA1UEAxMOU2VjdXJlVHJ1c3QgQ0E=
Serial DER Base64:
DPCOXAgWpa1Cf/DrJxhZ0A==
Fingerprint (MD5):
    DC:32:C3:A7:6D:25:57:C7:68:09:9D:EA:2D:A9:A2:D1
Fingerprint (SHA1):
    87:82:C6:C3:04:35:3B:CF:D2:96:92:D2:59:3E:7D:44:D9:34:FF:11

$ addbuiltin -n "SecureTrust CA" -t C,,C < ~/moz/nss/head/425469/trustwave-418907-ca1.der >> certdata.txt



$ pp-with-certid -t certificate -x -a -i trustwave-418907-ca2
Subject:
    CN=Secure Global CA,O=SecureTrust Corporation,C=US
Issuer:
    CN=Secure Global CA,O=SecureTrust Corporation,C=US
Serial Number:
    07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5
Issuer DER Base64:
MEoxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlv
bjEZMBcGA1UEAxMQU2VjdXJlIEdsb2JhbCBDQQ==
Serial DER Base64:
B1YipOjUiolN9BPI8PjqpQ==
Fingerprint (MD5):
    CF:F4:27:0D:D4:ED:DC:65:16:49:6D:3D:DA:BF:6E:DE
Fingerprint (SHA1):
    3A:44:73:5A:E5:81:90:1F:24:86:61:46:1E:3B:9C:C4:5F:F5:3A:1B

$ addbuiltin -n "Secure Global CA" -t C,C,C < ~/moz/nss/head/425469/trustwave-418907-ca2.der >> certdata.txt
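
The pp-with-certid lines above print, for each candidate root, the issuer Name and serial number both as text and as base64 DER, plus MD5/SHA1 fingerprints of the whole certificate. The following Python is an added illustration, not part of this bug or of NSS: it decodes the "Issuer DER Base64" and "Serial DER Base64" values quoted in the comment above back into the same "Issuer:" and "Serial Number:" strings, and computes colon-separated fingerprints so that a .der file received from a CA can be checked against the posted values before it is appended to certdata.txt with addbuiltin. The DER parser is minimal (enough for an X.501 Name, which is always definite-length), the attribute-type table covers only the OIDs that occur here and falls back to dotted notation, and all function names are my own.

```python
import base64
import hashlib

# Attribute-type OIDs (DER content octets) -> the short names pp-with-certid prints.
ATTR_TYPES = {
    b"\x55\x04\x03": "CN",
    b"\x55\x04\x06": "C",
    b"\x55\x04\x07": "L",
    b"\x55\x04\x08": "ST",
    b"\x55\x04\x0a": "O",
    b"\x55\x04\x0b": "OU",
}

# Issuer/serial values copied from the pp-with-certid output in the comment above.
GEOTRUST_ISSUER_B64 = (
    "MFgxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTEwLwYDVQQD"
    "EyhHZW9UcnVzdCBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5"
)
GEOTRUST_SERIAL_B64 = "GKy1av1pthU6Y2yv2vrEoQ=="
THAWTE_ISSUER_B64 = (
    "MIGpMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSgwJgYDVQQL"
    "Ex9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYDVQQLEy8oYykg"
    "MjAwNiB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEfMB0G"
    "A1UEAxMWdGhhd3RlIFByaW1hcnkgUm9vdCBDQQ=="
)
THAWTE_SERIAL_B64 = "NE7VVyDV7exJ9C/ON9srbQ=="


def read_tlv(buf, pos=0):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    """Yield (tag, value) for each TLV packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def oid_to_dotted(oid):
    """Decode DER OID content octets to dotted form, e.g. 55 04 03 -> 2.5.4.3."""
    arcs = [oid[0] // 40, oid[0] % 40]
    acc = 0
    for b in oid[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def name_to_string(name_der):
    """Render an X.501 Name like pp-with-certid: last RDN first, comma-containing values quoted."""
    tag, rdn_seq, _ = read_tlv(name_der)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns = []
    for set_tag, rdn in iter_tlvs(rdn_seq):
        if set_tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        atvs = []
        for _seq_tag, atv in iter_tlvs(rdn):
            _oid_tag, oid, pos = read_tlv(atv)
            _val_tag, val, _ = read_tlv(atv, pos)
            attr = ATTR_TYPES.get(oid, "OID." + oid_to_dotted(oid))
            text = val.decode("utf-8")       # PrintableString and UTF8String both decode here
            if "," in text:
                text = '"' + text + '"'
            atvs.append(attr + "=" + text)
        rdns.append("+".join(atvs))          # multi-valued RDNs are joined with '+'
    return ",".join(reversed(rdns))


def serial_to_string(serial):
    """Lower-case colon-separated hex, as in the 'Serial Number:' line."""
    return ":".join("%02x" % b for b in serial)


def fingerprint(der, algo):
    """Upper-case colon-separated digest of the whole DER certificate ('md5' or 'sha1')."""
    return ":".join("%02X" % b for b in hashlib.new(algo, der).digest())


def describe_cert_id(issuer_b64, serial_b64):
    """Reproduce the Issuer and Serial Number lines from their base64 DER forms."""
    return {
        "issuer": name_to_string(base64.b64decode(issuer_b64)),
        "serial": serial_to_string(base64.b64decode(serial_b64)),
    }


def check_der_file(path, expected_sha1):
    """True if the DER file at path has the SHA1 fingerprint the CA posted in the bug."""
    with open(path, "rb") as f:
        der = f.read()
    return fingerprint(der, "sha1") == expected_sha1.upper()


if __name__ == "__main__":
    for label, iss, ser in (("GeoTrust", GEOTRUST_ISSUER_B64, GEOTRUST_SERIAL_B64),
                            ("thawte", THAWTE_ISSUER_B64, THAWTE_SERIAL_B64)):
        print(label, describe_cert_id(iss, ser))
```

The serial is printed from the raw INTEGER content octets, so a serial whose first byte has the high bit set would show a leading 00 exactly as pp-with-certid does; check_der_file is the step to run on a file such as geotrust-424169.der against the SHA1 line quoted above before running addbuiltin on it.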

Attached patch Patch v1 (obsolete) — Splinter Review
This is the patch I created using the above commands.

I'll use it to produce a test binary roots module.
I'll not yet request review on the patch, but will wait for test feedback from CA's.
Zip file containing a nssckbi.dll compatible with Firefox 2.

Please note, I had some trouble on my Windows machine today, and had to uninstall the antivirus software. So, I cannot give any guarantees for the file; please make sure you scan it before you use it.

Details of the file contained in the zip file:
- 294912 bytes
- sha1 6ea3d17d24f7e911a221e25a5e6c7a8fed61bd99
Blocks: 425518
$ pp-with-certid -t certificate -x -i comodo-426568
Subject:
    CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Issuer:
    CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Serial Number:
    4e:81:2d:8a:82:65:e0:0b:02:ee:3e:35:02:46:e5:3d
Issuer DER Base64:
MIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAw
DgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDEnMCUG
A1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0aG9yaXR5
Serial DER Base64:
ToEtioJl4AsC7j41AkblPQ==
Fingerprint (MD5):
    5C:48:DC:F7:42:72:EC:56:94:6D:1C:CC:71:35:80:75
Fingerprint (SHA1):
    66:31:BF:9E:F7:4F:9E:B6:C9:D5:A6:0C:BA:6A:BE:D1:F7:BD:EF:7B

$ addbuiltin -n "COMODO Certification Authority" -t C,C,C < 426568/comodo-426568 >> mozilla/security/nss/lib/ckfw/builtins/certdata.txt
This patch is v1 with the comodo certificate added.

I used the commands from my previous comment to add the comodo certificate.
Attachment #312094 - Attachment is obsolete: true
Summary: Add multiple new roots: Geotrust, Thawte, Verisign, Trustwave → Add multiple new roots: Geotrust, Thawte, Verisign, Trustwave, Comodo
Blocks: 426568
Zip file containing a nssckbi.dll compatible with Firefox 2.

Please note, I had some trouble on my Windows machine, and had to
uninstall the antivirus software. So, I cannot give any guarantees for the
file; please make sure you scan it before you use it.

Details of the file contained in the zip file:
- 299008 bytes
- sha1 3931960170e6e032e1585467aa816407c2691b2d


This file has Comodo's cert in addition to everything I had added previously.
Blocks: 426681
Comment on attachment 313259 [details] [diff] [review]
Patch v2 == v1 + comodo

The CAs in all dependent bugs have confirmed the information is correct.

While there is an ongoing discussion about granting additional trust flags to Verisign, Thawte and Geotrust certs, nobody has rejected the idea to add those certs now as is, and potentially add more trust flags at a later time.

Requesting two reviews, one for trunk, one for stable branch.

I'll check in to trunk as soon as I get the first review.

For the second review and the branch, the second review will grant me permission to increment the version number in nssckbi.h from its current 1.65 to 1.66 (3.11 branch only).

The version number on the trunk can remain unchanged this time. It's already at 1.70 which is correct for the 3.12 release.
Attachment #313259 - Flags: superreview?(rrelyea)
Attachment #313259 - Flags: review?(nelson)
Comment on attachment 313259 [details] [diff] [review]
Patch v2 == v1 + comodo

r+ rrelyea
Attachment #313259 - Flags: superreview?(rrelyea) → superreview+
Thanks for the review, checked in.

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.48; previous revision: 1.47
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.47; previous revision: 1.46
I'll not yet mark this bug as fixed, because we want a second review for the 3.11 branch.

Keeping the bug should ensure that Nelson sees this review request on his radar.
Comment on attachment 313259 [details] [diff] [review]
Patch v2 == v1 + comodo

r=nelson for 3.11 branch
Attachment #313259 - Flags: review?(nelson) → review+
I've checked in the patches for both bug 425469 and bug 387892 to the NSS 3.11 stable branch, and at the same time I incremented the nssckbi.h version number to 1.66

Marking fixed.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
cvs version numbers for branch commit:

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.36.24.10; previous revision: 1.36.24.9
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.37.24.9; previous revision: 1.37.24.8
done
Checking in nssckbi.h;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h,v  <--  nssckbi.h
new revision: 1.14.2.6; previous revision: 1.14.2.5
done
Target Milestone: --- → 3.12
Changing target milestone to 3.11.10 (not yet released).
Target Milestone: 3.12 → 3.11.10
I need to fix a mistake I made when I worked on this a while ago.

Everything was done correctly for NSS 3.12 and Firefox 3.
I correctly checked in attachment 313259 [details] [diff] [review].

But I missed adding the Comodo root cert to the NSS 3.11 branch, which would eventually be included in an update for the Firefox 2.x releases.

It looks like I checked in attachment 312094 [details] [diff] [review] to the NSS 3.11 branch.
The only difference is the missing Comodo cert.

I want to fix this by checking in the missing piece, which already got review.

Note that our recent root cert updates to the NSS 3.11 branch have not gotten released anywhere. Neither in an NSS 3.11.x release, nor in a Firefox 2 update.
This is the difference between attachment 313259 [details] [diff] [review] and attachment 313259 [details] [diff] [review].

It has already been checked in on NSS trunk for NSS 3.12,
but it was forgotten for the 3.11 branch.
Kai, We're planning to do 3.11.10 very soon.  
Hopefully 3.11.10 and 3.12.1 will contain the same sets of root CA certs.
Comment on attachment 333008 [details] [diff] [review]
The missing piece for NSS 3.11 branch

I checked in the missing piece to the 3.11 branch:

Checking in ckfw/builtins/certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.36.24.12; previous revision: 1.36.24.11
done
Checking in ckfw/builtins/certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.37.24.11; previous revision: 1.37.24.10
done
(In reply to comment #17)
> Kai, We're planning to do 3.11.10 very soon.  
> Hopefully 3.11.10 and 3.12.1 will contain the same sets of root CA certs.

With the checkin I mentioned in comment 18, the certdata.txt files on the 3.11 branch and 3.12 trunk are now identical.
