July 2011 batch of CA certificate changes

RESOLVED FIXED in 3.12.11

Status

NSS
CA Certificates Code
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: kaie, Assigned: kaie)

Tracking

trunk
3.12.11
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Assignee)

Description

6 years ago
July 2011 batch of CA certificate changes
(Assignee)

Updated

6 years ago
Blocks: 670790
(Assignee)

Comment 1

6 years ago
I'll create a single patch for multiple bugs.

Used these commands:

addbuiltin -n "Certinomis - Autorité Racine" -t C,, < certinomis-645880.der >> ../mozilla/security/nss/lib/ckfw/builtins/certdata.txt
addbuiltin -n "Root CA Generalitat Valenciana" -t C,C,C < accv-653761.der >> ../mozilla/security/nss/lib/ckfw/builtins/certdata.txt
addbuiltin -n "A-Trust-nQual-03" -t C,, < atrust-661672.der >> ../mozilla/security/nss/lib/ckfw/builtins/certdata.txt
addbuiltin -n "TWCA Root Certification Authority" -t C,C, < twca-666681.der >> ../mozilla/security/nss/lib/ckfw/builtins/certdata.txt

And I manually edited the trust flug for Nederlanden-G2.
(Assignee)

Comment 2

6 years ago
Created attachment 545426 [details] [diff] [review]
Patch v1 - trunk version (3.13)
Assignee: nobody → kaie
(Assignee)

Comment 3

6 years ago
Created attachment 545427 [details] [diff] [review]
Patch v1 - stable branch version (3.12)
(Assignee)

Comment 4

6 years ago
Why are two different patches needed for trunk and branch?

Because the symbolic names used in file certdata.txt have been recently renamed (trunk only).

The data contained in both patches is identical, it's just the symbolic names that are different.
(Assignee)

Comment 5

6 years ago
I was able to connect to all 4 sites, and the email trust flag appears for the Nederlanden-G2 root. I'll do a tryserver build next and ask CAs to test.
(Assignee)

Comment 6

6 years ago
The tryserver build 
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-34aa937b13fb/
uses this patch:
http://hg.mozilla.org/try/rev/34aa937b13fb

We are now waiting for feedback from CAs.
(Assignee)

Comment 7

6 years ago
The 4 CAs that request addition of a new root have given positive test feedback, which means we're ready to proceed to the code review step.


The patch includes one additional trust flag for
  "Staat der Nederlanden Root CA - G2"

Test feedback for this is still pending.

Should the CA not give feedback in time for the next release, I might remove this change from the patch prior to checkin.
(Assignee)

Comment 8

6 years ago
Comment on attachment 545426 [details] [diff] [review]
Patch v1 - trunk version (3.13)

Requesting review from Bob.

(If someone else would like to review instead, please feel free to jump in.)
Attachment #545426 - Flags: review?(rrelyea)
(Assignee)

Updated

6 years ago
Target Milestone: --- → 3.12.11
(Assignee)

Comment 9

6 years ago
(In reply to comment #7)
> 
> The patch includes one additional trust flag for
>   "Staat der Nederlanden Root CA - G2"
> 
> Test feedback for this is still pending.

We now have positive test feedback for all changes.

Comment 10

6 years ago
Comment on attachment 545426 [details] [diff] [review]
Patch v1 - trunk version (3.13)

r+ rrelyea.

I was going to point out that you'll need a separate patch for the 3.12 branch because of the symbol name page, but I see you've already noticed this.

bob
Attachment #545426 - Flags: review?(rrelyea) → review+
(Assignee)

Comment 11

6 years ago
trunk:

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.78; previous revision: 1.77
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.75; previous revision: 1.74
done
Checking in nssckbi.h;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h,v  <--  nssckbi.h
new revision: 1.29; previous revision: 1.28
done


3.12 branch:

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.67.2.10; previous revision: 1.67.2.9
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.64.2.10; previous revision: 1.64.2.9
done
Checking in nssckbi.h;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h,v  <--  nssckbi.h
new revision: 1.24.2.5; previous revision: 1.24.2.4
done
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.