Closed Bug 527759 Opened 15 years ago Closed 15 years ago

Add multiple roots to NSS (single patch)

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Version:
3.12.5
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(status1.9.2 beta5-fixed, blocking1.9.1 .8+, status1.9.1 .8-fixed)

Status:
RESOLVED FIXED
Milestone:
3.12.6
Tracking Flags:
Tracking Status
status1.9.2 --- beta5-fixed
blocking1.9.1 --- .8+
status1.9.1 --- .8-fixed

People

(Reporter: KaiE, Assigned: KaiE)

References

Details

Attachments

(2 files, 4 obsolete files)

Patch v5, roots
131.90 KB, patch
nelson
: review+
dveditz
: approval1.9.1.8+
Details | Diff | Splinter Review
Patch v6, version numbers
1.24 KB, patch
nelson
: review+
dveditz
: approval1.9.1.8+
Details | Diff | Splinter Review
Add multiple roots to NSS (single patch) See list of bugs this one blocks.
Attached patch Patch v1 (obsolete) — Splinter Review
I used the following 4 commands to add the 4 new root certs, using friendly names and trust flags as indicated in the related 4 bugs. addbuiltin -n "certSIGN ROOT CA" -t C,C,C < ~/moz/nss/head/cert-526532.der >> certdata.txt addbuiltin -n "CNNIC ROOT" -t C,, < ~/moz/nss/head/cert-525008 >> certdata.txt addbuiltin -n "ApplicationCA - Japanese Government" -t C,,C < ~/moz/nss/head/cert-523434.der >> certdata.txt addbuiltin -n "GeoTrust Primary Certification Authority - G3" -t C,C,C < ~/moz/nss/head/cert-517234.der >> certdata.txt
Attachment #411492 - Flags: review?(nelson)
Comment on attachment 411492 [details] [diff] [review] Patch v1 Maybe you'll want to postpone the review until the test build has been confirmed. I'll create a try server build, ask CAs for confirmation, and afterwards ask you again for review.
Attachment #411492 - Flags: review?(nelson)
adding 2 more bugs, 4 more certs
Blocks: 521869, 515462
for the additional thawte and verisign roots I used the following commands: addbuiltin -n "thawte Primary Root CA - G2" -t C,,C < ~/moz/nss/head/cert-521869-g2 >> certdata.txt addbuiltin -n "thawte Primary Root CA - G3" -t C,,C < ~/moz/nss/head/cert-521869-g3 >> certdata.txt addbuiltin -n "Verisign Class 1 Public Primary Certification Authority" -t ,C, < ~/moz/nss/head/cert-515462-pca1.der >> certdata.txt addbuiltin -n "Verisign Class 3 Public Primary Certification Authority" -t C,C,C < ~/moz/nss/head/cert-515462-pca3.der >> certdata.txt
I'll produce a test build based on stable Firefox 3.5.x, mozilla-1.9.1 branch That branch still uses NSS 3.12.4, I'll copy certdata.c and certdata.txt from my patched trunk version of NSS to the NSS snapshot currently used in mozilla-1.9.1 (can't simply apply the patch because additional roots have been added recently, after 3.12.4)
Attached patch Patch v2, 8 new roots (obsolete) — Splinter Review
Attachment #411492 - Attachment is obsolete: true
Attachment #411639 - Flags: review?(nelson)
test build: https://build.mozilla.org/tryserver-builds/kaie@kuix.de-bug527759/ I've updated the individual bugs, asking for testing and feedback.
Attachment #411639 - Flags: review?(nelson) → review+
Comment on attachment 411639 [details] [diff] [review] Patch v2, 8 new roots Behold the rubber stamp.
Blocks: 528277
Target Milestone: --- → 3.12.6
Blocks: 517242
Blocks: 515470
Blocks: 515472
Attached patch Patch v3, 11 new roots (obsolete) — Splinter Review
We missed 3 roots! I added 3 more dependent bugs, added them to this patch. Patch v3 is equivalent to v2, it just adds 3 additional roots. Here are the commands I had used to add them: addbuiltin -n "GeoTrust Primary Certificate Authority - G2" -t C,C,C < ~/moz/nss/head/cert-517242.der >> certdata.txt addbuiltin -n "VeriSign Universal Root Certification Authority" -t C,C,C < ~/moz/nss/head/cert-515470 >> certdata.txt addbuiltin -n "VeriSign Class 3 Public Primary Certificate Authority - G4" -t C,C,C < ~/moz/nss/head/cert-515472 >> certdata.txt
Attachment #412641 - Flags: review?(nelson)
Comment on attachment 412641 [details] [diff] [review] Patch v3, 11 new roots Per bug 515472 comment 7, two of these should have different nicknames. "GeoTrust Primary Certificate Authority - G2" should be "GeoTrust Primary Certification Authority - G2" "VeriSign Class 3 Public Primary Certificate Authority - G4" should be "VeriSign Class 3 Public Primary Certification Authority - G4"
Attachment #412641 - Flags: review?(nelson) → review-
Attached patch Patch v4 (obsolete) — Splinter Review
I reverted my tree to the clean original cvs contents. I repeated my 11 commands, now using the 2 corrected nicknames. addbuiltin -n "certSIGN ROOT CA" -t C,C,C < ~/moz/nss/head/cert-526532.der >> certdata.txt addbuiltin -n "CNNIC ROOT" -t C,, < ~/moz/nss/head/cert-525008 >> certdata.txt addbuiltin -n "ApplicationCA - Japanese Government" -t C,,C < ~/moz/nss/head/cert-523434.der >> certdata.txt addbuiltin -n "GeoTrust Primary Certification Authority - G3" -t C,C,C < ~/moz/nss/head/cert-517234.der >> certdata.txt addbuiltin -n "thawte Primary Root CA - G2" -t C,,C < ~/moz/nss/head/cert-521869-g2 >> certdata.txt addbuiltin -n "thawte Primary Root CA - G3" -t C,,C < ~/moz/nss/head/cert-521869-g3 >> certdata.txt addbuiltin -n "Verisign Class 1 Public Primary Certification Authority" -t ,C, < ~/moz/nss/head/cert-515462-pca1.der >> certdata.txt addbuiltin -n "Verisign Class 3 Public Primary Certification Authority" -t C,C,C < ~/moz/nss/head/cert-515462-pca3.der >> certdata.txt addbuiltin -n "GeoTrust Primary Certification Authority - G2" -t C,C,C < ~/moz/nss/head/cert-517242.der >> certdata.txt addbuiltin -n "VeriSign Universal Root Certification Authority" -t C,C,C < ~/moz/nss/head/cert-515470 >> certdata.txt addbuiltin -n "VeriSign Class 3 Public Primary Certification Authority - G4" -t C,C,C < ~/moz/nss/head/cert-515472 >> certdata.txt and ran "make generate" This gave me this updated patch. I compared previous patch v3 and this patch v4. The only difference is in nickname strings and string length constants. (I think another test build is not necessary.)
Attachment #411639 - Attachment is obsolete: true
Attachment #412641 - Attachment is obsolete: true
Attachment #413313 - Flags: review?(nelson)
Please delay reviewing this patch until we have feedback from verisign. They complained that trust bits are missing, but I can't confirm their impression.
Comment on attachment 413313 [details] [diff] [review] Patch v4 Since you've asked me to delay the review, I'm canceling the review request. Please request review again when you're ready.
Attachment #413313 - Flags: review?(nelson)
It appears bug 515462 needs some more analysis. I therefore propose to omit it from this round of cert additions, in order to get the other certs shipped soon.
No longer blocks: 515462
Attached patch Patch v5, rootsSplinter Review
Attachment #413313 - Attachment is obsolete: true
Attachment #415099 - Flags: review?(nelson)
Patch v5 adds 9 roots. (When compared to the previously attached patch, I removed the 2 roots from bug 515462) NSS 3.12.5 got released with ckbi v 1.76. When adding the 9 roots, I propose to upgrade the ckbi version number to v 1.77. I propose to release ckbi v 1.77 immediately after adding the roots and produce a NSS 3.12.4 + ckbi 1.77 tag. The first part of the patch updates the version number. As NSS 3.12 turns out to be a surprisingly long lived branch, I propose to increase the range of version numbers we reserve for 3.12. The second part of the patch adds this proposal and states the proposed new version number ranges.
Attachment #415100 - Flags: review?(nelson)
Please review both patches, thanks in advance.
Comment on attachment 415100 [details] [diff] [review] Patch v6, version numbers I see no problem with this.
Attachment #415100 - Flags: review?(nelson) → review+
Comment on attachment 415099 [details] [diff] [review] Patch v5, roots r=nelson I have verified that the roots in this patch have the nicknames requested in their respective NSS RFEs. I have not verified the trust flags. I am relying on the CAs, who have each approved their respective cert additions, for this purpose.
Attachment #415099 - Flags: review?(nelson) → review+
Thanks for the reviews. Marking resolved fixed. I forgot to copy the output from cvs commit, but here are the version's I've committed: /certdata.c/1.58/Thu Dec 3 21:22:36 2009//TNSSCKBI_1_77_RTM /certdata.txt/1.57/Thu Dec 3 21:22:36 2009//TNSSCKBI_1_77_RTM /nssckbi.h/1.22/Thu Dec 3 21:22:36 2009//TNSSCKBI_1_77_RTM
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment on attachment 415099 [details] [diff] [review] Patch v5, roots I assume you'll want to add these to Firefox 3.0 and 3.5 as well
Attachment #415099 - Flags: approval1.9.2?
Attachment #415099 - Flags: approval1.9.1.7?
Attachment #415099 - Flags: approval1.9.0.17?
Attachment #415100 - Flags: approval1.9.2?
Attachment #415100 - Flags: approval1.9.1.7?
Attachment #415100 - Flags: approval1.9.0.17?
Comment on attachment 415099 [details] [diff] [review] Patch v5, roots Firefox 3.0.x is still on NSS 3.12.3.1 and basically EOL, let's not.
Attachment #415099 - Flags: approval1.9.0.17?
Attachment #415100 - Flags: approval1.9.0.17?
Johnathan's comment in Bug 528277 comment 3 should be seen as approval-1.9.2+ for both r+'ed patches in this bug (attachment 415099 [details] [diff] [review] and attachment 415100 [details] [diff] [review])
Comment on attachment 415099 [details] [diff] [review] Patch v5, roots Approved for 1.9.1.8, a=dveditz for release-drivers
Attachment #415099 - Flags: approval1.9.1.8? → approval1.9.1.8+
Comment on attachment 415100 [details] [diff] [review] Patch v6, version numbers Approved for 1.9.1.8, a=dveditz for release-drivers
Attachment #415100 - Flags: approval1.9.1.8? → approval1.9.1.8+
This has been fixed for 1.9.2 in bug 528277.
status1.9.1: --- → wanted
status1.9.2: --- → beta5-fixed
Whiteboard: [needs 1.9.1 landing]
blocking1.9.1: --- → .8+
Whiteboard: [needs 1.9.1 landing]
Attachment #415099 - Flags: approval1.9.2?
Attachment #415100 - Flags: approval1.9.2?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: