
Enable Buypass Class 3 CA 1 for EV in PSM

RESOLVED FIXED

Status


Core
Security: PSM
--
enhancement
RESOLVED FIXED
8 years ago
7 years ago

People

(Reporter: Kathleen Wilson, Assigned: kaie)

Tracking

unspecified
Points:
---
Bug Flags:
blocking1.9.2 -
wanted1.9.2 +

Firefox Tracking Flags

(status1.9.2 beta5-fixed, status1.9.1 .8-fixed)

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

8 years ago
Per bug 477028 the request from Buypass has been approved to enable its Buypass Class 3 CA 1 root certificate for EV use. Please make the corresponding changes to PSM.

The relevant information is as follows:

Friendly name: Buypass Class 3 CA 1

SHA1 Fingerprint:
61:57:3a:11:df:0e:d8:7e:d5:92:65:22:ea:d0:56:d7:44:b3:23:71

EV policy OID:
2.16.578.1.26.1.3.3

Test URL:
https://evident.ssl.buypass.no/ssl/evident/

As the representative of the CA (Buypass) I hereby confirm that the above
information / data is correct.

Thanks for your efforts!


Rgds.,

John Arild A. Johansen  •  CSO •  Buypass AS

Hi, here at Buypass we're quite eager to get our certificates included, so I'm
posting a "request for status" for this bug to see if we can get some additional information on the schedule.

Rgds., 
John

John Arild A. Johansen  •  CSO •  Buypass AS
(Assignee)

Comment 3

8 years ago
I began to work on this.
I built a test version of Firefox, using the code from bug 499712 that added several new CAs.

My test used NSS 3.12.4.5 + new roots

When I connect to https://evident.ssl.buypass.no/ssl/evident/
I get an error message:

An error occurred during a connection to evident.ssl.buypass.no.
The OCSP server found the request to be corrupted or improperly formed.
(Error code: sec_error_ocsp_malformed_request)

It seems the OCSP server rejects our standard OCSP requests (that work well everywhere else) and the OCSP server does not give a valid response.

This is a failure in my profile, because I have configured Firefox to complain about OCSP server errors (security.ocsp.require = 1)

Buypass, please fix your OCSP server, before we can proceed with this bug and let us know.

If you believe this error is not on your side, then please provide evidence, log files, descriptions, etc.
Thank you.
(Assignee)

Comment 4

8 years ago
Created attachment 401121 [details] [diff] [review]
Patch v1

Code used to grant EV privileges to Buypass CA as requested.
However, because of the OCSP server error, no green EV chrome is seen yet, as expected.

We'll request code review after we have a positive test result.

Kai, our test site has now been fixed.
Sorry for the inconvenience and thanks for your efforts so far.
(Assignee)

Comment 6

8 years ago
Thanks for the quick turnaround. I was able to get a green verification result with your test site.

We need a slightly different patch, will attach in a moment.
(Assignee)

Comment 7

8 years ago
Created attachment 401219 [details] [diff] [review]
Patch v2

I notice the existing code that processes our static list of EV roots is case sensitive; this new patch changes the fingerprint to all uppercase, in order to remind us when working on future additions.
Attachment #401121 - Attachment is obsolete: true
Attachment #401219 - Flags: review?(rrelyea)

Comment 8

8 years ago
Comment on attachment 401219 [details] [diff] [review]
Patch v2

r+ I presume Buypass is already in the nssckbi.

bob
Attachment #401219 - Flags: review?(rrelyea) → review+

Yes, see bug 499712  :-D

https://bugzilla.mozilla.org/show_bug.cgi?id=499712

Rgds.,

John Arild A. Johansen  •  CSO •  Buypass AS

Hi, here at Buypass we're quite eager to get our certificates included AND EV enabled... hopefully in version 3.6 of Firefox, so I'm posting a "request for status" for this bug.

Best regards, 
John
(Assignee)

Comment 11

8 years ago
Prior to adding this patch to Mozilla, each desired branch must get updated to NSS 3.12.5, which will be released soon. I filed a tracker bug for this delivery.

Right now Mozilla still uses 3.12.4 (or earlier) on all branches.
Depends on: 527659
(Assignee)

Updated

8 years ago
Depends on: 528277
No longer depends on: 527659

Hi, not being included in the current Beta4 of Firefox either... I take the liberty to again submit a "request for status" for this bug.

Best regards, 
John
(Assignee)

Updated

7 years ago
Flags: blocking1.9.2?
Attachment #401219 - Flags: approval1.9.2+
(Assignee)

Comment 13

7 years ago
Pushed to mozilla-central
http://hg.mozilla.org/mozilla-central/rev/d5ad580e03b1
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
(Assignee)

Comment 14

7 years ago
pushed to mozilla-1.9.2
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/6b2b01c69d4e
status1.9.2: --- → final-fixed
Attachment #401219 - Flags: approval1.9.1.7?
Flags: wanted1.9.2+
Flags: blocking1.9.2?
Flags: blocking1.9.2-

Comment 15

7 years ago
Comment on attachment 401219 [details] [diff] [review]
Patch v2

>+    "Buypass Class 3 CA 1", // for real entries use a string like "Sample INVALID EV OID"
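Review bot: the trailing comment on this line refers to a placeholder value ("Sample INVALID EV OID") that does not describe the real entry being added, so it should be dropped or replaced with a comment that points at the source of the data (the approval in bug 477028 and this bug), which keeps the static table self-documenting for whoever adds the next root.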

The (copied) comment seems bogus here.

Comment on attachment 401219 [details] [diff] [review]
Patch v2

Approved for 1.9.1.8, a=dveditz for release-drivers
Attachment #401219 - Flags: approval1.9.1.8? → approval1.9.1.8+
Whiteboard: [needs 1.9.1 landing]
(Assignee)

Comment 17

7 years ago
pushed
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/96aa722da7ab
status1.9.1: --- → .8-fixed
Whiteboard: [needs 1.9.1 landing]
(Assignee)

Comment 18

7 years ago
(In reply to comment #17)
> pushed
> http://hg.mozilla.org/releases/mozilla-1.9.1/rev/96aa722da7ab

Sorry, I made a mistake when I landed the patch into the Firefox 3.5.x, Mozilla 1.9.1 branch.

I accidentally landed the old patch, which used lowercase for the fingerprint, but we require uppercase for the comparison to succeed.

I propose to fix this by backing out the wrong patch and applying the correct patch.
status1.9.1: .8-fixed → ?
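Comment 7 notes that PSM's static EV root table is matched with a case-sensitive string comparison, and comment 18 shows the consequence: a lowercase fingerprint landed on the 1.9.1 branch and cannot match. The following Python is an added example, not code from this bug or from PSM, showing why a freshly computed SHA1 hexdigest is lowercase, how a normalised comparison removes the pitfall, and a table lint that would have caught the bad entry before it was committed. The row layout (friendly name, EV policy OID, fingerprint) is a simplification assumed for the example; the values are the ones posted in this bug.

```python
import hashlib

# Simplified shape of one row in a static EV root table (assumed layout):
# (friendly name, EV policy OID, SHA1 fingerprint of the root certificate).
# The values below are the ones given in this bug's description.
EV_ROOTS = [
    ("Buypass Class 3 CA 1",
     "2.16.578.1.26.1.3.3",
     "61:57:3A:11:DF:0E:D8:7E:D5:92:65:22:EA:D0:56:D7:44:B3:23:71"),
]


def sha1_fingerprint(der: bytes) -> str:
    """SHA1 of a DER-encoded certificate in colon-separated uppercase form.
    hashlib's hexdigest() is lowercase, which is exactly how a lowercase
    entry ends up in a hand-maintained table unless it is normalised."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def canonical(fp: str) -> str:
    """Normalise a fingerprint so that case and separators do not matter."""
    return fp.replace(":", "").replace(" ", "").upper()


def find_ev_root_strict(fp: str, roots=EV_ROOTS):
    """Exact string comparison, as the bug describes the original code:
    a lowercase fingerprint never matches an uppercase table entry."""
    for row in roots:
        if row[2] == fp:
            return row
    return None


def find_ev_root(fp: str, roots=EV_ROOTS):
    """Case-insensitive lookup by comparing canonical forms."""
    want = canonical(fp)
    for row in roots:
        if canonical(row[2]) == want:
            return row
    return None


def is_ev_chain(root_fp: str, leaf_policy_oids, roots=EV_ROOTS) -> bool:
    """EV treatment requires both conditions: the chain's root is in the
    table AND the end-entity certificate asserts that root's EV policy OID."""
    row = find_ev_root(root_fp, roots)
    return row is not None and row[1] in leaf_policy_oids


def check_table(roots=EV_ROOTS):
    """Lint for the static table: every fingerprint must be 20 colon-separated
    uppercase hex bytes. Returns the friendly names of offending rows, so the
    lowercase entry from comment 18 would be reported before landing."""
    bad = []
    for name, _oid, fp in roots:
        parts = fp.split(":")
        ok = (len(parts) == 20
              and all(len(p) == 2 for p in parts)
              and fp == fp.upper()
              and all(c in "0123456789ABCDEF:" for c in fp))
        if not ok:
            bad.append(name)
    return bad


if __name__ == "__main__":
    # Constructed lowercase form of the fingerprint from this bug.
    lower = "61:57:3a:11:df:0e:d8:7e:d5:92:65:22:ea:d0:56:d7:44:b3:23:71"
    print("strict lookup, lowercase input:", find_ev_root_strict(lower))
    print("normalised lookup:", find_ev_root(lower)[0])
    print("EV with the registered OID:", is_ev_chain(lower, {"2.16.578.1.26.1.3.3"}))
    print("EV with an unrelated OID:", is_ev_chain(lower, {"1.2.3.4"}))
    print("table problems:", check_table([("bad row", "1.2.3.4", lower)]))
```

The lint is the part worth keeping around: matching can be made case-insensitive, but a static table that is checked for shape at build time catches the copy-paste mistake regardless of how the comparison is written.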
(Assignee)

Comment 19

7 years ago
I'm asking for blocking1.9.1 as a way to ask for approval to fix the wrong patch.
blocking1.9.1: --- → ?
(Assignee)

Updated

7 years ago
Blocks: 546023

Messing with this bug further is going to confuse things, especially since we've already shipped this fix. We can fix this in bug 546023.
blocking1.9.1: ? → ---
status1.9.1: ? → .8-fixed
No longer blocks: 546023
Depends on: 546023