Closed Bug 757197 Opened 12 years ago Closed 12 years ago

May 2012 batch of NSS root CA changes


(NSS :: CA Certificates Code, task)



(firefox-esr10 verified)

Tracking Status
firefox-esr10 --- verified


(Reporter: KaiE, Assigned: KaiE)




(1 file, 1 obsolete file)

This single bug intends to deal with multiple pending change requests, as of mid May 2012,
see dependency list.
Depends on: 757189
Target Milestone: --- → 3.13.5
Version: 3.13.5 → 3.13.4
No longer depends on: 757189
Ok, this bug also depends on bug 757189.

We should make a decision which trust flag to use for consistency, and the patch in this bug should use the agreed not-explicitly-trusted flag from bug 757189.
Depends on: 757189
Attached patch Patch v1 (obsolete) — Splinter Review
This patch adds 6 new root CA certificates as requested in 4 bugs.

This patch also changes the trust flags of 3 certificates as requested in 3 bugs.

The certificate additions were created using the patch from bug 757189 (which uses the CKT_NSS_TRUST_UNKNOWN flag) and the following commands:

addbuiltin -n "Actalis Authentication Root CA" -t C,,C < ~/moz/nss/head/root0512/actalis-742525.der >> certdata.txt
addbuiltin -n "Trustis FPS Root CA" -t C,C, < ~/moz/nss/head/root0512/trustis-742514.der >> certdata.txt
addbuiltin -n "StartCom Certification Authority" -t C,C,C   < ~/moz/nss/head/root0512/startcom-sha256-751954.der >> certdata.txt
addbuiltin -n "StartCom Certification Authority G2" -t C,C,C   < ~/moz/nss/head/root0512/startcom-g2-751954.der >> certdata.txt
addbuiltin -n "Buypass Class 2 Root CA" -t C,,   < ~/moz/nss/head/root0512/buypass-c2-752103.der >> certdata.txt
addbuiltin -n "Buypass Class 3 Root CA" -t C,,   < ~/moz/nss/head/root0512/buypass-c3-752103.der >> certdata.txt
Assignee: nobody → kaie
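
The -t arguments in the addbuiltin commands above, decoded per root. This is an added example, not part of the bug or of NSS. It assumes the usual NSS trust-string field order (SSL, e-mail, object signing) and reports which purposes carry the C (trusted CA) flag; parse_trust, parse_command and audit are hypothetical names.

```python
import shlex

# NSS trust strings carry three comma-separated fields, in this order
# (assumption stated in the lead-in): SSL, e-mail (S/MIME), object signing.
PURPOSES = ("CKA_TRUST_SERVER_AUTH",
            "CKA_TRUST_EMAIL_PROTECTION",
            "CKA_TRUST_CODE_SIGNING")
KNOWN_FLAGS = set("pPcCTuw")  # flag letters used in NSS trust strings

# Constructed input: the six commands from the comment, redirections omitted.
COMMANDS = """
addbuiltin -n "Actalis Authentication Root CA" -t C,,C
addbuiltin -n "Trustis FPS Root CA" -t C,C,
addbuiltin -n "StartCom Certification Authority" -t C,C,C
addbuiltin -n "StartCom Certification Authority G2" -t C,C,C
addbuiltin -n "Buypass Class 2 Root CA" -t C,,
addbuiltin -n "Buypass Class 3 Root CA" -t C,,
"""

def parse_trust(trust):
    """Return the purposes whose field carries the C (trusted CA) flag."""
    fields = trust.split(",")
    if len(fields) != 3:
        raise ValueError(f"expected 3 trust fields, got {len(fields)}: {trust!r}")
    for field in fields:
        unknown = set(field) - KNOWN_FLAGS
        if unknown:
            raise ValueError(f"unknown flag(s) {sorted(unknown)} in {trust!r}")
    return [p for p, field in zip(PURPOSES, fields) if "C" in field]

def parse_command(line):
    """Extract (nickname, trusted purposes) from one addbuiltin command line."""
    argv = shlex.split(line)
    if len(argv) < 5 or argv[0] != "addbuiltin":
        raise ValueError(f"not an addbuiltin command: {line!r}")
    opts = dict(zip(argv[1::2], argv[2::2]))  # pair each option with its value
    if "-n" not in opts or "-t" not in opts:
        raise ValueError(f"missing -n or -t in: {line!r}")
    return opts["-n"], parse_trust(opts["-t"])

def audit(commands=COMMANDS):
    """Map each root's nickname to the purposes it is trusted for."""
    return dict(parse_command(l) for l in commands.splitlines() if l.strip())

if __name__ == "__main__":
    for name, purposes in audit().items():
        print(f"{name:40} {', '.join(purposes)}")
```

Running it over a proposed batch gives a reviewer a per-root list of trusted purposes to compare against what each CA's inclusion bug requested.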
I'm NOT yet requesting review.

I propose to produce a test build first.

As a first step, I propose that Kathleen might do a sanity check that the actions from bug 757189 didn't have a bad effect for the roots where we're doing the consistency cleanup (which should have zero effect on functionality.)

Later, after the first step succeeded, I will proceed with asking CAs to test and give feedback.
Blocks: 757242
The link in comment 4 will go away after a couple of days.
A backup download location is
Target Milestone: 3.13.5 → 3.14
Depends on: 760167
Comment on attachment 625758 [details] [diff] [review]
Patch v1

We'll use a different patch and a new build,
because we want to use a different approach for bug 757189 and we want to include bug 760167, too.
Attachment #625758 - Attachment is obsolete: true
Attached patch Patch v3 — Splinter Review
This patch must be applied on top of the patch from bug 757189.
Comment on attachment 629325 [details] [diff] [review]
Patch v3

Bob, we've received all the necessary testing confirmation,
therefore I'd like to ask for your code review.
Attachment #629325 - Flags: review?(rrelyea)
Comment on attachment 629325 [details] [diff] [review]
Patch v3

r+ rrelyea
Attachment #629325 - Flags: review?(rrelyea) → review+
trunk for 3.14:

cvs commit: Examining .
Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.88; previous revision: 1.87
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.85; previous revision: 1.84

3.13.4 branch for 3.13.6:

cvs commit: Examining .
Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision:; previous revision:
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision:; previous revision:
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: 3.14 → 3.13.6
Kai, anything QA needs to be on the lookout for in terms of potential Firefox 10.0.12esr regressions?
Whiteboard: [qa?]
Anthony, besides new root CA certs now being trusted by Firefox (now the same set of certificates that are trusted in the most recent release of Firefox 18), you shouldn't see anything else.
Do we know of any websites utilizing the new root CA certs that we can spotcheck?
As per bug 795355 comment 16, adding verifyme to spotcheck the test URLs mentioned in the dependent bugs.
Keywords: verifyme
Whiteboard: [qa?]
Thank you Kathleen!
Verified fixed on Firefox 10.0.12 ESR, for the following OSs: Windows 7 64-bit, Ubuntu 12.04 32-bit, Mac OSX 10.8. I've also done some exploratory on these links: refreshing tabs, closing & reopening tabs, session restore, etc.

Build ID: 20130103094221

User Agents:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.12) Gecko/20100101 Firefox/10.0.12
Mozilla/5.0 (X11; Linux i686; rv:10.0.12) Gecko/20100101 Firefox/10.0.12
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:10.0.12) Gecko/20100101 Firefox/10.0.12
QA Contact: manuela.muntean
Thank you Manuela!
Keywords: verifyme