Bug 499716 - Enable Buypass Class 3 CA 1 for EV in PSM
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: Security: PSM
Version: unspecified
Platform: All, OS: All
Importance: -- enhancement
Target Milestone: ---
Assigned To: Kai Engert (:kaie)
Depends on: 499712 528277 546023
Blocks: 477028
Reported: 2009-06-22 10:38 PDT by Kathleen Wilson
Modified: 2010-02-18 11:31 PST
Flags: mbeltzner: blocking1.9.2-; mbeltzner: wanted1.9.2+
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
beta5-fixed
.8-fixed

Attachments
Patch v1 (1.22 KB, patch), 2009-09-16 15:46 PDT, Kai Engert (:kaie): no flags
Patch v2 (1.38 KB, patch), 2009-09-17 09:37 PDT, Kai Engert (:kaie): rrelyea: review+; bugzilla: approval1.9.2+; dveditz: approval1.9.1.8+

Description Kathleen Wilson 2009-06-22 10:38:10 PDT
Per bug 477028 the request from Buypass has been approved to enable its Buypass Class 3 CA 1 root certificate for EV use. Please make the corresponding changes to PSM.

The relevant information is as follows:

Friendly name: Buypass Class 3 CA 1

SHA1 Fingerprint: 
61:57:3a:11:df:0e:d8:7e:d5:92:65:22:ea:d0:56:d7:44:b3:23:71

EV policy OID:  
2.16.578.1.26.1.3.3

Test URL:  
https://evident.ssl.buypass.no/ssl/evident/
Comment 1 John Arild A. Johansen 2009-06-22 12:42:33 PDT
As the representative of the CA (Buypass) I hereby confirm that above
information / data is correct. 

Thanks for your efforts!


Rgds.,

John Arild A. Johansen  •  CSO •  Buypass AS
Comment 2 John Arild A. Johansen 2009-08-10 01:35:39 PDT
Hi, here at Buypass we're quite eager to get our certificates included, so I'm
posting a "request for status" for this bug to see if we can get some additional information on the schedule.

Rgds., 
John

John Arild A. Johansen  •  CSO •  Buypass AS
Comment 3 Kai Engert (:kaie) 2009-09-16 15:44:10 PDT
I began to work on this.
I built a test version of Firefox, using the code from bug 499712 that added several new CAs.

My test used NSS 3.12.4.5 + new roots

When I connect to https://evident.ssl.buypass.no/ssl/evident/
I get an error message:

An error occurred during a connection to evident.ssl.buypass.no.
The OCSP server found the request to be corrupted or improperly formed.
(Error code: sec_error_ocsp_malformed_request)

It seems the OCSP server rejects our standard OCSP requests (that work well everywhere else) and the OCSP server does not give a valid response.

This is a failure in my profile, because I have configured Firefox to complain about OCSP server errors (security.ocsp.require = 1)

Buypass, please fix your OCSP server, before we can proceed with this bug and let us know.

If you believe this error is not on your side, then please provide evidence, log files, descriptions, etc.
Thank you.
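The error in comment 3 (sec_error_ocsp_malformed_request) means the responder rejected the client's request itself, before any certificate status was returned. The following is an added example, not code from this bug, from PSM or from NSS: a minimal RFC 2560 OCSPRequest encoder and a strict decoder in pure-stdlib Python, so the reader can see exactly what a plain, unsigned, extension-free request contains and what a "malformed" verdict would have to be objecting to. The issuer name, issuer key bits and serial number are constructed stand-ins, not Buypass data.

```python
# Added example, not code from this bug, PSM or NSS: a minimal RFC 2560
# OCSPRequest encoder and a strict decoder, both pure-stdlib Python.
# The issuer name, issuer key bits and serial below are constructed stand-ins.
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")   # id-sha1, 1.3.14.3.2.26


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(n: int) -> bytes:
    """Minimal two's-complement INTEGER, as DER requires."""
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def cert_id(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }.
    issuerKeyHash covers the issuer's public key bits (the BIT STRING value),
    not the whole SubjectPublicKeyInfo; that is a common source of mismatches."""
    alg = der(0x30, der(0x06, SHA1_OID) + b"\x05\x00")      # sha1 with NULL params
    return der(0x30,
               alg
               + der(0x04, hashlib.sha1(issuer_name_der).digest())
               + der(0x04, hashlib.sha1(issuer_key_bits).digest())
               + der_integer(serial))


def ocsp_request(cert_ids) -> bytes:
    """OCSPRequest ::= SEQUENCE { tbsRequest, optionalSignature ABSENT }.
    tbsRequest carries only requestList: version is DEFAULT v1 and omitted."""
    request_list = der(0x30, b"".join(der(0x30, cid) for cid in cert_ids))
    return der(0x30, der(0x30, request_list))


def tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos, returning (tag, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    if start + length > len(buf):
        raise ValueError("malformed: length runs past end of data")
    return tag, buf[start:start + length], start + length


def children(content: bytes):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = tlv(content, pos)
        out.append((tag, body))
    return out


def parse_ocsp_request(data: bytes):
    """Return [(issuerNameHash hex, issuerKeyHash hex, serial), ...] or raise ValueError."""
    tag, outer, end = tlv(data)
    if tag != 0x30 or end != len(data):
        raise ValueError("malformed: OCSPRequest is not a single SEQUENCE")
    parts = children(outer)
    if not parts or parts[0][0] != 0x30:
        raise ValueError("malformed: tbsRequest missing")
    # tbsRequest fields: [0] version, [1] requestorName, requestList, [2] extensions
    req_lists = [body for t, body in children(parts[0][1]) if t == 0x30]
    if len(req_lists) != 1:
        raise ValueError("malformed: expected exactly one requestList")
    ids = []
    for t, req in children(req_lists[0]):
        if t != 0x30:
            raise ValueError("malformed: Request is not a SEQUENCE")
        req_fields = children(req)
        if not req_fields or req_fields[0][0] != 0x30:
            raise ValueError("malformed: reqCert missing")
        fields = children(req_fields[0][1])
        if [ft for ft, _ in fields] != [0x30, 0x04, 0x04, 0x02]:
            raise ValueError("malformed: CertID field types")
        alg, name_hash, key_hash, serial = (body for _, body in fields)
        if children(alg)[:1] != [(0x06, SHA1_OID)] or len(name_hash) != 20 or len(key_hash) != 20:
            raise ValueError("malformed: CertID hashes do not match the algorithm")
        ids.append((name_hash.hex(), key_hash.hex(), int.from_bytes(serial, "big", signed=True)))
    return ids


def is_well_formed(data: bytes) -> bool:
    try:
        parse_ocsp_request(data)
        return True
    except (ValueError, IndexError):
        return False


# Constructed sample inputs (not a real CA): a Name with one commonName, 64 key bytes.
ISSUER_NAME_DER = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))
                                               + der(0x13, b"Example Issuer CA"))))
ISSUER_KEY_BITS = bytes(range(64))
SERIAL = 0x1234

if __name__ == "__main__":
    req = ocsp_request([cert_id(ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL)])
    print(req.hex())
    print(parse_ocsp_request(req))
```

For a live responder the practical check is to capture what the client actually sends and replay it: `openssl ocsp -issuer issuer.pem -cert leaf.pem -reqout req.der` writes the request DER, `openssl ocsp -reqin req.der -text` prints its structure, and a decoder like the one above can be pointed at the same bytes to confirm the CertID hashes were computed over the right inputs.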
Comment 4 Kai Engert (:kaie) 2009-09-16 15:46:35 PDT
Created attachment 401121 [details] [diff] [review]
Patch v1

Code used to grant EV privileges to Buypass CA as requested.
However, because of the OCSP server error, no green EV chrome is seen yet, as expected.

We'll request code review after we have a positive test result.
Comment 5 John Arild A. Johansen 2009-09-17 06:50:37 PDT
Kai, our test site has now been fixed. 
Sorry for the inconvenience and thanks for your efforts so far.
Comment 6 Kai Engert (:kaie) 2009-09-17 09:35:31 PDT
Thanks for the quick turnaround. I was able to get a green verification result with your test site.

We need a slightly different patch, will attach in a moment.
Comment 7 Kai Engert (:kaie) 2009-09-17 09:37:49 PDT
Created attachment 401219 [details] [diff] [review]
Patch v2

I notice the existing code that processes our static list of EV roots is case sensitive, this new patch changes the fingerprint to all uppercase, in order to remind us when working on future additions.
Comment 8 Robert Relyea 2009-09-18 16:35:41 PDT
Comment on attachment 401219 [details] [diff] [review]
Patch v2

r+ I presume Buypass is already in the nssckbi.

bob
Comment 9 John Arild A. Johansen 2009-09-20 12:09:36 PDT
Yes, see bug 499712  :-D

https://bugzilla.mozilla.org/show_bug.cgi?id=499712

Rgds.,

John Arild A. Johansen  •  CSO •  Buypass AS
Comment 10 John Arild A. Johansen 2009-11-02 03:51:07 PST
Hi, here at Buypass we're quite eager to get our certificates included AND EV enabled...hopefully in version 3.6 of Firefox, so I'm posting a "request for status" for this bug.

Best regards, 
John
Comment 11 Kai Engert (:kaie) 2009-11-10 04:29:44 PST
Prior to adding this patch to Mozilla, each desired branch must get updated to NSS 3.12.5, which will be released soon. I filed a tracker bug for this delivery.

Right now Mozilla still uses 3.12.4 (or earlier) on all branches.
Comment 12 John Arild A. Johansen 2009-11-27 02:38:59 PST
Hi, not being included in the current Beta4 of Firefox either...I take the liberty to again submit a "request for status" for this bug.

Best regards, 
John
Comment 13 Kai Engert (:kaie) 2009-12-03 22:17:18 PST
Pushed to mozilla-central
http://hg.mozilla.org/mozilla-central/rev/d5ad580e03b1
Comment 14 Kai Engert (:kaie) 2009-12-03 22:20:16 PST
pushed to mozilla-1.9.2
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/6b2b01c69d4e
Comment 15 John P Baker 2009-12-07 02:59:29 PST
Comment on attachment 401219 [details] [diff] [review]
Patch v2

>+    "Buypass Class 3 CA 1", // for real entries use a string like "Sample INVALID EV OID"
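Review bot: the trailing comment on this line, `// for real entries use a string like "Sample INVALID EV OID"`, was carried along from the sample entry it was copied from and is wrong on a real root; drop it (or replace it with a reference to this bug) so the table does not instruct future editors to use a sample OID for a production entry.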

The (copied) comment seems bogus here.
Comment 16 Daniel Veditz [:dveditz] 2009-12-21 15:32:11 PST
Comment on attachment 401219 [details] [diff] [review]
Patch v2

Approved for 1.9.1.8, a=dveditz for release-drivers
Comment 17 Kai Engert (:kaie) 2010-01-26 13:22:38 PST
pushed
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/96aa722da7ab
Comment 18 Kai Engert (:kaie) 2010-02-18 10:37:23 PST
(In reply to comment #17)
> pushed
> http://hg.mozilla.org/releases/mozilla-1.9.1/rev/96aa722da7ab

Sorry, I made a mistake when I landed the patch into the Firefox 3.5.x, Mozilla 1.9.1 branch.

I accidentally landed the old patch, which used lowercase for the fingerprint, but we require uppercase for the comparison to succeed.

I propose to fix this by backing out the wrong patch and applying the correct patch.
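Comments 7 and 18 describe the same pitfall from both ends: the static EV-root table is matched by exact string comparison on the fingerprint, so an entry spelled in lowercase never matches the uppercase fingerprint computed at runtime, and the root silently gets no EV treatment. The following is an added example, not PSM code: it shows the exact-match lookup, a normalising lookup that would have tolerated the lowercase entry, and a table self-check that rejects any entry not in canonical uppercase colon-separated form (the check a reviewer would want before a patch like v1 lands). The Buypass row uses the name, OID and fingerprint from this bug; the "Sample Root" row, its OID and the certificate bytes it is keyed on are constructed placeholders.

```python
# Added example, not PSM code: an EV-root table keyed on SHA-1 fingerprint,
# the exact-string lookup described in comments 7 and 18, a normalising
# lookup, and a self-check that flags entries not in canonical form.
import hashlib
import re

# 20 uppercase hex byte pairs joined by colons, the form the exact match needs.
CANONICAL_FP = re.compile(r"^(?:[0-9A-F]{2}:){19}[0-9A-F]{2}$")


def fingerprint_sha1(cert_der: bytes) -> str:
    """Uppercase, colon-separated SHA-1 fingerprint of a DER-encoded certificate."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(cert_der).digest())


# (friendly name, EV policy OID, SHA-1 fingerprint). The Buypass row uses the
# values from this bug; the second table reproduces the lowercase entry that
# comment 18 says was landed by mistake.
EV_ROOTS = [
    ("Buypass Class 3 CA 1", "2.16.578.1.26.1.3.3",
     "61:57:3A:11:DF:0E:D8:7E:D5:92:65:22:EA:D0:56:D7:44:B3:23:71"),
]
EV_ROOTS_LOWERCASE = [
    ("Buypass Class 3 CA 1", "2.16.578.1.26.1.3.3",
     "61:57:3a:11:df:0e:d8:7e:d5:92:65:22:ea:d0:56:d7:44:b3:23:71"),
]


def ev_policy_exact(table, fingerprint: str):
    """Case-sensitive match: succeeds only if the entry is spelled exactly as computed."""
    for _name, oid, fp in table:
        if fp == fingerprint:
            return oid
    return None


def ev_policy_normalized(table, fingerprint: str):
    """Match after normalising both sides, so a lowercase entry cannot silently disable EV."""
    want = fingerprint.upper()
    for _name, oid, fp in table:
        if fp.upper() == want:
            return oid
    return None


def noncanonical_entries(table):
    """Names of entries whose fingerprint would never match under exact comparison."""
    return [name for name, _oid, fp in table if not CANONICAL_FP.match(fp)]


def ev_policy_for_cert(table, cert_der: bytes):
    """What the exact-match code path yields for a given certificate."""
    return ev_policy_exact(table, fingerprint_sha1(cert_der))


# Constructed placeholder: these bytes are not a real certificate, and the OID
# is a made-up private-arc value used only to show the lookup end to end.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_TABLE = [("Sample Root", "1.3.6.1.4.1.99999.1", fingerprint_sha1(SAMPLE_DER))]

if __name__ == "__main__":
    fp = "61:57:3A:11:DF:0E:D8:7E:D5:92:65:22:EA:D0:56:D7:44:B3:23:71"
    print("uppercase table:", ev_policy_exact(EV_ROOTS, fp))
    print("lowercase table:", ev_policy_exact(EV_ROOTS_LOWERCASE, fp))
    print("bad entries:", noncanonical_entries(EV_ROOTS_LOWERCASE))
```

Running noncanonical_entries over the table in a test is the cheap guard: it would have flagged patch v1 before it landed on the 1.9.1 branch, whereas the runtime symptom (no green chrome) only shows up when someone visits an affected site with the affected build.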
Comment 19 Kai Engert (:kaie) 2010-02-18 10:42:08 PST
I'm asking for blocking1.9.1 as a way to ask for approval to fix the wrong patch.
Comment 20 Daniel Veditz [:dveditz] 2010-02-18 11:21:59 PST
Messing with this bug further is going to confuse things, especially since we've already shipped this fix. We can fix this in bug 546023.
