Closed
Bug 527759
Opened 15 years ago
Closed 15 years ago
Add multiple roots to NSS (single patch)
Categories
(NSS :: Libraries, defect)
Tracking
(status1.9.2 beta5-fixed, blocking1.9.1 .8+, status1.9.1 .8-fixed)
RESOLVED
FIXED
3.12.6
Flag | Tracking | Status
---|---|---
status1.9.2 | --- | beta5-fixed
blocking1.9.1 | --- | .8+
status1.9.1 | --- | .8-fixed
People
(Reporter: KaiE, Assigned: KaiE)
Attachments
(2 files, 4 obsolete files)
131.90 KB, patch | nelson: review+ | dveditz: approval1.9.1.8+
1.24 KB, patch | nelson: review+ | dveditz: approval1.9.1.8+
Add multiple roots to NSS (single patch). See list of bugs this one blocks.
Assignee
Comment 1•15 years ago
I used the following 4 commands to add the 4 new root certs, using friendly names and trust flags as indicated in the related 4 bugs.
addbuiltin -n "certSIGN ROOT CA" -t C,C,C < ~/moz/nss/head/cert-526532.der >> certdata.txt
addbuiltin -n "CNNIC ROOT" -t C,, < ~/moz/nss/head/cert-525008 >> certdata.txt
addbuiltin -n "ApplicationCA - Japanese Government" -t C,,C < ~/moz/nss/head/cert-523434.der >> certdata.txt
addbuiltin -n "GeoTrust Primary Certification Authority - G3" -t C,C,C < ~/moz/nss/head/cert-517234.der >> certdata.txt
Attachment #411492 -
Flags: review?(nelson)
Assignee
Comment 2•15 years ago
Comment on attachment 411492: Patch v1
Maybe you'll want to postpone the review until the test build has been confirmed. I'll create a try server build, ask CAs for confirmation, and afterwards ask you again for review.
Attachment #411492 -
Flags: review?(nelson)
Assignee
Comment 3•15 years ago
adding 2 more bugs, 4 more certs
Assignee
Comment 4•15 years ago
For the additional thawte and verisign roots I used the following commands:
addbuiltin -n "thawte Primary Root CA - G2" -t C,,C < ~/moz/nss/head/cert-521869-g2 >> certdata.txt
addbuiltin -n "thawte Primary Root CA - G3" -t C,,C < ~/moz/nss/head/cert-521869-g3 >> certdata.txt
addbuiltin -n "Verisign Class 1 Public Primary Certification Authority" -t ,C, < ~/moz/nss/head/cert-515462-pca1.der >> certdata.txt
addbuiltin -n "Verisign Class 3 Public Primary Certification Authority" -t C,C,C < ~/moz/nss/head/cert-515462-pca3.der >> certdata.txt
Assignee
Comment 5•15 years ago
I'll produce a test build based on stable Firefox 3.5.x, mozilla-1.9.1 branch. That branch still uses NSS 3.12.4. I'll copy certdata.c and certdata.txt from my patched trunk version of NSS to the NSS snapshot currently used in mozilla-1.9.1 (can't simply apply the patch because additional roots have been added recently, after 3.12.4).
Assignee
Comment 6•15 years ago
Attachment #411492 -
Attachment is obsolete: true
Attachment #411639 -
Flags: review?(nelson)
Assignee
Comment 7•15 years ago
test build: https://build.mozilla.org/tryserver-builds/kaie@kuix.de-bug527759/
I've updated the individual bugs, asking for testing and feedback.
Updated•15 years ago
Attachment #411639 -
Flags: review?(nelson) → review+
Comment 8•15 years ago
Comment on attachment 411639: Patch v2, 8 new roots
Behold the rubber stamp.
Assignee
Comment 9•15 years ago
We missed 3 roots! I added 3 more dependent bugs, added them to this patch. Patch v3 is equivalent to v2, it just adds 3 additional roots. Here are the commands I had used to add them:
addbuiltin -n "GeoTrust Primary Certificate Authority - G2" -t C,C,C < ~/moz/nss/head/cert-517242.der >> certdata.txt
addbuiltin -n "VeriSign Universal Root Certification Authority" -t C,C,C < ~/moz/nss/head/cert-515470 >> certdata.txt
addbuiltin -n "VeriSign Class 3 Public Primary Certificate Authority - G4" -t C,C,C < ~/moz/nss/head/cert-515472 >> certdata.txt
Attachment #412641 -
Flags: review?(nelson)
Comment 10•15 years ago
Comment on attachment 412641: Patch v3, 11 new roots
Per bug 515472 comment 7, two of these should have different nicknames.
"GeoTrust Primary Certificate Authority - G2" should be "GeoTrust Primary Certification Authority - G2"
"VeriSign Class 3 Public Primary Certificate Authority - G4" should be "VeriSign Class 3 Public Primary Certification Authority - G4"
Attachment #412641 -
Flags: review?(nelson) → review-
Assignee
Comment 11•15 years ago
I reverted my tree to the clean original cvs contents. I repeated my 11 commands, now using the 2 corrected nicknames.
addbuiltin -n "certSIGN ROOT CA" -t C,C,C < ~/moz/nss/head/cert-526532.der >> certdata.txt
addbuiltin -n "CNNIC ROOT" -t C,, < ~/moz/nss/head/cert-525008 >> certdata.txt
addbuiltin -n "ApplicationCA - Japanese Government" -t C,,C < ~/moz/nss/head/cert-523434.der >> certdata.txt
addbuiltin -n "GeoTrust Primary Certification Authority - G3" -t C,C,C < ~/moz/nss/head/cert-517234.der >> certdata.txt
addbuiltin -n "thawte Primary Root CA - G2" -t C,,C < ~/moz/nss/head/cert-521869-g2 >> certdata.txt
addbuiltin -n "thawte Primary Root CA - G3" -t C,,C < ~/moz/nss/head/cert-521869-g3 >> certdata.txt
addbuiltin -n "Verisign Class 1 Public Primary Certification Authority" -t ,C, < ~/moz/nss/head/cert-515462-pca1.der >> certdata.txt
addbuiltin -n "Verisign Class 3 Public Primary Certification Authority" -t C,C,C < ~/moz/nss/head/cert-515462-pca3.der >> certdata.txt
addbuiltin -n "GeoTrust Primary Certification Authority - G2" -t C,C,C < ~/moz/nss/head/cert-517242.der >> certdata.txt
addbuiltin -n "VeriSign Universal Root Certification Authority" -t C,C,C < ~/moz/nss/head/cert-515470 >> certdata.txt
addbuiltin -n "VeriSign Class 3 Public Primary Certification Authority - G4" -t C,C,C < ~/moz/nss/head/cert-515472 >> certdata.txt
and ran "make generate".
This gave me this updated patch. I compared previous patch v3 and this patch v4. The only difference is in nickname strings and string length constants. (I think another test build is not necessary.)
Attachment #411639 -
Attachment is obsolete: true
Attachment #412641 -
Attachment is obsolete: true
Attachment #413313 -
Flags: review?(nelson)
Assignee
Comment 12•15 years ago
Please delay reviewing this patch until we have feedback from verisign. They complained that trust bits are missing, but I can't confirm their impression.
Comment 13•15 years ago
Comment on attachment 413313: Patch v4
Since you've asked me to delay the review, I'm canceling the review request. Please request review again when you're ready.
Attachment #413313 -
Flags: review?(nelson)
Assignee
Comment 14•15 years ago
It appears bug 515462 needs some more analysis. I therefore propose to omit it from this round of cert additions, in order to get the other certs shipped soon.
No longer blocks: 515462
Assignee
Comment 15•15 years ago
Attachment #413313 -
Attachment is obsolete: true
Attachment #415099 -
Flags: review?(nelson)
Assignee
Comment 16•15 years ago
Patch v5 adds 9 roots. (When compared to the previously attached patch, I removed the 2 roots from bug 515462.)
NSS 3.12.5 got released with ckbi v 1.76. When adding the 9 roots, I propose to upgrade the ckbi version number to v 1.77. I propose to release ckbi v 1.77 immediately after adding the roots and produce an NSS 3.12.4 + ckbi 1.77 tag.
The first part of the patch updates the version number.
As NSS 3.12 turns out to be a surprisingly long lived branch, I propose to increase the range of version numbers we reserve for 3.12. The second part of the patch adds this proposal and states the proposed new version number ranges.
Assignee
Comment 17•15 years ago
Attachment #415100 -
Flags: review?(nelson)
Assignee
Comment 18•15 years ago
Please review both patches, thanks in advance.
Comment 19•15 years ago
Comment on attachment 415100: Patch v6, version numbers
I see no problem with this.
Attachment #415100 -
Flags: review?(nelson) → review+
Comment 20•15 years ago
Comment on attachment 415099: Patch v5, roots
r=nelson
I have verified that the roots in this patch have the nicknames requested in their respective NSS RFEs. I have not verified the trust flags. I am relying on the CAs, who have each approved their respective cert additions, for this purpose.
Attachment #415099 -
Flags: review?(nelson) → review+
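The nickname mismatch caught in Comment 10 and the trust-flag check left open in Comment 20 can both be done mechanically before review. The following is an added example, not part of this bug's patches or of NSS: it parses addbuiltin command lines and compares them with a table of requested values. The function names and the REQUESTED table are constructed for illustration, and it assumes that addbuiltin's -t uses the same field order as certutil's trust argument (SSL, e-mail, object signing).

```python
import shlex

# Field order of an NSS trust string as in certutil's -t argument (SSL, e-mail,
# object signing); assumed here to apply to addbuiltin's -t as well.
PURPOSES = ("ssl", "email", "object_signing")

def parse_addbuiltin(line):
    """Return (nickname, {purpose: flags}) for one addbuiltin command line."""
    argv = shlex.split(line.split("<", 1)[0])  # ignore the shell redirections
    if not argv or argv[0] != "addbuiltin":
        raise ValueError("not an addbuiltin command: %r" % line)
    opts = dict(zip(argv[1::2], argv[2::2]))
    fields = opts["-t"].split(",")
    if len(fields) != 3:
        raise ValueError("trust string needs 3 fields: %r" % opts["-t"])
    return opts["-n"], dict(zip(PURPOSES, fields))

def ca_purposes(trust):
    """Purposes for which the 'C' (trusted CA) flag is set."""
    return [p for p in PURPOSES if "C" in trust[p]]

def review(commands, requested):
    """Compare commands against a requested {nickname: trust string} table."""
    seen = {}
    for line in commands:
        nick, trust = parse_addbuiltin(line)
        seen[nick] = ",".join(trust[p] for p in PURPOSES)
    problems = ["unrequested nickname: " + n for n in sorted(set(seen) - set(requested))]
    problems += ["missing nickname: " + n for n in sorted(set(requested) - set(seen))]
    problems += ["trust mismatch for %s: %s != %s" % (n, seen[n], requested[n])
                 for n in sorted(set(seen) & set(requested)) if seen[n] != requested[n]]
    return problems

# The three Patch v3 commands from Comment 9 (input paths shortened).
V3_COMMANDS = [
    'addbuiltin -n "GeoTrust Primary Certificate Authority - G2" -t C,C,C < cert-517242.der >> certdata.txt',
    'addbuiltin -n "VeriSign Universal Root Certification Authority" -t C,C,C < cert-515470 >> certdata.txt',
    'addbuiltin -n "VeriSign Class 3 Public Primary Certificate Authority - G4" -t C,C,C < cert-515472 >> certdata.txt',
]
# Constructed request table: nicknames as corrected in Comment 10, trust as in the commands.
REQUESTED = {
    "GeoTrust Primary Certification Authority - G2": "C,C,C",
    "VeriSign Universal Root Certification Authority": "C,C,C",
    "VeriSign Class 3 Public Primary Certification Authority - G4": "C,C,C",
}

if __name__ == "__main__":
    for problem in review(V3_COMMANDS, REQUESTED):
        print(problem)
```

Run against the Patch v3 commands, it reports the two "Certificate Authority" nicknames as unrequested and their "Certification Authority" forms as missing.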
Assignee
Comment 21•15 years ago
Thanks for the reviews. Marking resolved fixed. I forgot to copy the output from cvs commit, but here are the versions I've committed:
/certdata.c/1.58/Thu Dec 3 21:22:36 2009//TNSSCKBI_1_77_RTM
/certdata.txt/1.57/Thu Dec 3 21:22:36 2009//TNSSCKBI_1_77_RTM
/nssckbi.h/1.22/Thu Dec 3 21:22:36 2009//TNSSCKBI_1_77_RTM
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 22•15 years ago
Comment on attachment 415099: Patch v5, roots
I assume you'll want to add these to Firefox 3.0 and 3.5 as well.
Attachment #415099 -
Flags: approval1.9.2?
Attachment #415099 -
Flags: approval1.9.1.7?
Attachment #415099 -
Flags: approval1.9.0.17?
Updated•15 years ago
Attachment #415100 -
Flags: approval1.9.2?
Attachment #415100 -
Flags: approval1.9.1.7?
Attachment #415100 -
Flags: approval1.9.0.17?
Comment 23•15 years ago
Comment on attachment 415099: Patch v5, roots
Firefox 3.0.x is still on NSS 3.12.3.1 and basically EOL, let's not.
Attachment #415099 -
Flags: approval1.9.0.17?
Updated•15 years ago
Attachment #415100 -
Flags: approval1.9.0.17?
Assignee
Comment 24•15 years ago
Johnathan's comment in Bug 528277 comment 3 should be seen as approval-1.9.2+ for both r+'ed patches in this bug (attachment 415099 and attachment 415100).
Comment 25•15 years ago
Comment on attachment 415099: Patch v5, roots
Approved for 1.9.1.8, a=dveditz for release-drivers
Attachment #415099 -
Flags: approval1.9.1.8? → approval1.9.1.8+
Comment 26•15 years ago
Comment on attachment 415100: Patch v6, version numbers
Approved for 1.9.1.8, a=dveditz for release-drivers
Attachment #415100 -
Flags: approval1.9.1.8? → approval1.9.1.8+
Comment 27•15 years ago
This has been fixed for 1.9.2 in bug 528277.
Updated•14 years ago
blocking1.9.1: --- → .8+
Assignee
Comment 28•14 years ago
pushed http://hg.mozilla.org/releases/mozilla-1.9.1/rev/96aa722da7ab
Assignee
Updated•14 years ago
Whiteboard: [needs 1.9.1 landing]
Updated•14 years ago
Attachment #415099 -
Flags: approval1.9.2?
Updated•14 years ago
Attachment #415100 -
Flags: approval1.9.2?