Closed Bug 449883 Opened 17 years ago Closed 17 years ago

Replace existing "GlobalSign Root CA" cert and add new WellsSecure cert

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Version:
3.11.10
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: KaiE, Assigned: KaiE)

References

Details

Attachments

(3 files)

Patch v1 for both NSS 3.12x and NSS 3.11.x
13.59 KB, patch
rrelyea
: review+
nelson
: review+
Details | Diff | Splinter Review
Patch v2, increase roots module version number for NSS 3.12.1
844 bytes, patch
nelson
: review+
Details | Diff | Splinter Review
test binary nssckbi.dll compatible with Firefox 2 on Windows
114.86 KB, application/octet-stream
Details
I want to do a single patch to fix both 446407 and 449393.
Assignee: nobody → kaie
I used addbuiltin -n "GlobalSign Root CA" -t C,C,C < globalsign_446407.crt and used the output to replace the existing "GlobalSign Root CA". I used addbuiltin -n "WellsSecure Public Root Certificate Authority" -t C,, < wellssecure_449393.crt to add the new WellsSecure cert.
Attachment #333011 - Flags: superreview?(nelson)
Attachment #333011 - Flags: review?(rrelyea)
If we are able to get patch v1 added to the NSS 3.11 branch very quickly, before the NSS 3.11.10 release, then we can avoid updating the roots module version number on the 3.11 branch. However, should we miss the train, I'll attach a patch for updating the version on the 3.11 branch. We'll decide that later.
$ sha1sum nssckbi.dll 82c5cdc1e30d677eea0653031f92f867caace91f nssckbi.dll
Do we actually want to replace an existing cert? Or do we rather want to add it as a new cert? If someone has a signed document, signed (say) 3 years ago (or 5 or 10), will its signature still validate (as of the date it was signed) with the new cert?
If the new cert has the same public key as the one it replaces, and if its validity period entirely overlaps the old one (starts not later than the old one started), then replacing it is fine. Is that the case here?
(In reply to comment #7) > Do we actually want to replace an existing cert? yes > Or do we rather want to add it as a new cert? I'd say: no (In reply to comment #8) > If the new cert has the same public key as the one it replaces according to bug 406794: yes > and if its > validity period entirely overlaps the old one (starts not later than the > old one started), according to my inspection: yes > then replacing it is fine. Is that the case here? I think it is.
Blocks: 449892
Attachment #333011 - Flags: superreview?(nelson) → review+
The intention is to replace the cert. See the authorization bug and discussion at m.d.t.c
Attachment #333013 - Flags: review?(rrelyea)
Comment on attachment 333011 [details] [diff] [review] Patch v1 for both NSS 3.12x and NSS 3.11.x r+ It appears we are replacing the global sign cert with one with the same Subject/Issuer/and Key. I did not verify that the proper extensions exist in the new cert (that is I did not actually decode the certificate). this matches with the description in the bug. I also see ae are adding WellsSecure which also matches the description in the bug. bob
Attachment #333011 - Flags: review?(rrelyea) → review+
Attachment #333013 - Flags: review?(rrelyea)
checked in the root changes and the version number increase on trunk. Checking in certdata.c; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c new revision: 1.50; previous revision: 1.49 done Checking in certdata.txt; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v <-- certdata.txt new revision: 1.49; previous revision: 1.48 done Checking in nssckbi.h; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h,v <-- nssckbi.h new revision: 1.16; previous revision: 1.15 done
checked in the root changes to the 3.11 branch (no version increase necessary, because that already happened since the last release) Checking in certdata.c; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c new revision: 1.36.24.13; previous revision: 1.36.24.12 done Checking in certdata.txt; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v <-- certdata.txt new revision: 1.37.24.12; previous revision: 1.37.24.11 done
Marking fixed as of 3.11.10
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Version: 3.12.1 → 3.11.10
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: