Closed Bug 902511 Opened 9 years ago Closed 9 years ago

August 2013 batch of EV root CA changes

Categories

(Core :: Security: PSM, enhancement)

enhancement
Not set
normal

Tracking

RESOLVED FIXED
mozilla26

People

(Reporter: kwilson, Assigned: cviecco)

Attachments

(1 file)

The purpose of this bug is to make the changes necessary for the August 2013 batch of EV-enablement root CA changes using a single patch.

For the work covered by this bug, see the list of bugs this one blocks.

Please enable EV treatment for the following root certs in 
source/security/manager/ssl/src/nsIdentityChecking.cpp

Bug #788321 – TurkTrust 
Test URL: https://evssl.turktrust.com.tr/
Add these lines:
{
// CN=TURKTRUST Elektronik Sertifika Hizmet Saglayicisi,O=TURKTRUST Bilgi Illetisim ve Bilisim Guvenligi Hizmetleri A.S.,C=TR
"2.16.792.3.0.3.1.1.5",
"TurkTrust EV OID",
SEC_OID_UNKNOWN,
"F1:7F:6F:B6:31:DC:99:E3:A3:C8:7F:FE:1C:F1:81:10:88:D9:60:33",
"MIG/MT8wPQYDVQQDDDZUw5xSS1RSVVNUIEVsZWt0cm9uaWsgU2VydGlmaWthIEhp"
"em1ldCBTYcSfbGF5xLFjxLFzxLExCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmth"
"cmExXjBcBgNVBAoMVVTDnFJLVFJVU1QgQmlsZ2kgxLBsZXRpxZ9pbSB2ZSBCaWxp"
"xZ9pbSBHw7x2ZW5sacSfaSBIaXptZXRsZXJpIEEuxZ4uIChjKSBBcmFsxLFrIDIw"
"MDc=",
"AQ==",
nullptr
},

Bug #799697 – CNNIC
Test URL: https://evdemo.cnnic.cn/
Add these lines:
{
// CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
"1.3.6.1.4.1.29836.1.10",
"CNNIC EV OID",
SEC_OID_UNKNOWN,
"4F:99:AA:93:FB:2B:D1:37:26:A1:99:4A:CE:7F:F0:05:F2:93:5D:1E",
"MIGKMQswCQYDVQQGEwJDTjEyMDAGA1UECgwpQ2hpbmEgSW50ZXJuZXQgTmV0d29y"
"ayBJbmZvcm1hdGlvbiBDZW50ZXIxRzBFBgNVBAMMPkNoaW5hIEludGVybmV0IE5l"
"dHdvcmsgSW5mb3JtYXRpb24gQ2VudGVyIEVWIENlcnRpZmljYXRlcyBSb290",
"SJ8AAQ==",
nullptr
},

Bug #823770 – TWCA
Test URL: https://evssldemo.twca.com.tw/index.html
Add these lines:
{
// CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
"1.3.6.1.4.1.40869.1.1.22.3",
"TWCA EV OID",
SEC_OID_UNKNOWN,
"CF:9E:87:6D:D3:EB:FC:42:26:97:A3:B5:A3:7A:A0:76:A9:06:23:48",
"MF8xCzAJBgNVBAYTAlRXMRIwEAYDVQQKDAlUQUlXQU4tQ0ExEDAOBgNVBAsMB1Jv"
"b3QgQ0ExKjAoBgNVBAMMIVRXQ0EgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0"
"eQ==",
"AQ==",
nullptr
},

Bug #845149 – D-TRUST
Test URL: https://certdemo-ev-valid.ssl.d-trust.net/
Add these lines:
{
// CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE
"1.3.6.1.4.1.4788.2.202.1",
"D-TRUST EV OID",
SEC_OID_UNKNOWN,
"96:C9:1B:0B:95:B4:10:98:42:FA:D0:D8:22:79:FE:60:FA:B9:16:83",
"MFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMM"
"IUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAwOQ==",
"CYP0",
nullptr
},

Bug #856710 – Swisscom
Test URL: https://test-quarz-ev-ca-2.pre.swissdigicert.ch/
Add these lines:
{
// CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
"2.16.756.1.83.21.0",
"Swisscom EV OID",
SEC_OID_UNKNOWN,
"E7:A1:90:29:D3:D5:52:DC:0D:0F:C6:92:D3:EA:88:0D:15:2E:1A:6B",
"MGcxCzAJBgNVBAYTAmNoMREwDwYDVQQKEwhTd2lzc2NvbTElMCMGA1UECxMcRGln"
"aXRhbCBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEeMBwGA1UEAxMVU3dpc3Njb20gUm9v"
"dCBFViBDQSAy",
"APL6ZOJ0Y9ON/RAdBB92ylg=",
nullptr
},

Bug #872288 – VeriSign (Symantec)
Test URL: https://ssltest26.bbtest.net/
Add these lines:
{
// CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
"2.16.840.1.113733.1.7.23.6",
"VeriSign EV OID",
SEC_OID_UNKNOWN,
"36:79:CA:35:66:87:72:30:4D:30:A5:FB:87:3B:0F:A7:7B:B7:0D:54",
"MIG9MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNV"
"BAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA4IFZl"
"cmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxODA2BgNVBAMT"
"L1ZlcmlTaWduIFVuaXZlcnNhbCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5",
"QBrEZCGzEyEDDrvkEhrFHQ==",
nullptr
},

Bug #872294 – GeoTrust (Symantec)
Test URL: https://ssltest21.bbtest.net/
Add these lines:
{
// CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
"1.3.6.1.4.1.14370.1.6",
"GeoTrust EV OID",
SEC_OID_UNKNOWN,
"03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD",
"MIGYMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjE5MDcGA1UE"
"CxMwKGMpIDIwMDggR2VvVHJ1c3QgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBv"
"bmx5MTYwNAYDVQQDEy1HZW9UcnVzdCBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0"
"aG9yaXR5IC0gRzM=",
"FaxulBmyeUtB9iepwxgPHw==",
nullptr
},

Bug #872304 – Thawte (Symantec)
Test URL: https://ssltest8.bbtest.net/
Add these lines:
{
// CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
"2.16.840.1.113733.1.7.48.1",
"Thawte EV OID",
SEC_OID_UNKNOWN,
"F1:8B:53:8D:1B:E9:03:B6:A6:F0:56:43:5B:17:15:89:CA:F3:6B:F2",
"MIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSgwJgYDVQQL"
"Ex9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYDVQQLEy8oYykg"
"MjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEkMCIG"
"A1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz",
"YAGXt0an6rS0mtZLL/eQ+w==",
nullptr
},
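
An added check, not part of the bug report or of the Mozilla patch: the two base64 strings in each entry are the root's DER-encoded issuer name and its serial number, so a reviewer can decode them and compare the result with the DN in the entry's comment. The function names are illustrative, and the sample values are the TWCA and D-TRUST entries above.

```python
import base64

# Attribute-type OIDs (DER content bytes) mapped to the short names the comments use.
ATTRS = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
         b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield (tag, value) for each element nested in a value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_issuer(b64):
    """Render a base64 DER Name as 'CN=...,O=...,C=...', most specific RDN first."""
    der = base64.b64decode(b64, validate=True)
    tag, name, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    parts = []
    for _, rdn in children(name):        # Name is a SEQUENCE of RDN SETs
        for _, atv in children(rdn):     # each SET holds type/value SEQUENCEs
            (_, oid), (_, val) = children(atv)
            parts.append(f"{ATTRS.get(oid, oid.hex())}={val.decode('utf-8')}")
    return ",".join(reversed(parts))

def decode_serial(b64):  # serial number bytes as upper-case hex
    return base64.b64decode(b64, validate=True).hex().upper()

# (comment DN, issuer base64, serial base64) copied from the TWCA and D-TRUST entries.
ENTRIES = [
    ("CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW",
     "MF8xCzAJBgNVBAYTAlRXMRIwEAYDVQQKDAlUQUlXQU4tQ0ExEDAOBgNVBAsMB1Jv"
     "b3QgQ0ExKjAoBgNVBAMMIVRXQ0EgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0"
     "eQ==", "AQ=="),
    ("CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE",
     "MFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMM"
     "IUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAwOQ==", "CYP0"),
]

def mismatches(entries):  # comment DNs whose encoded issuer decodes differently
    return [dn for dn, issuer, _ in entries if decode_issuer(issuer) != dn]
```

An empty list from `mismatches(ENTRIES)` means every comment agrees with its encoded issuer; the same check applies to the other entries once their attribute types are in `ATTRS`.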
Assignee: nobody → cviecco
Attached patch ev-aug
Comment on attachment 789645 [details] [diff] [review]
ev-aug

Review of attachment 789645 [details] [diff] [review]:
-----------------------------------------------------------------

EV certs for aug. Should be simple (bsmith and keeler are on PTO)
Attachment #789645 - Flags: review?(honzab.moz)
I have reviewed the code changes, and they look correct.
I have also tested using the build in Comment #1. EV treatment is given when it is supposed to be (as per the test URLs provided), and I've also tested some of those CAs' other EV and non-EV sites. All working as expected.
Looks good to me.  Thanks!

Probably still want a developer to do a quick code review too.
Unified push, with tests in all platforms:

https://tbpl.mozilla.org/?tree=Try&rev=a49ee142b7dd
Comment on attachment 789645 [details] [diff] [review]
ev-aug

Review of attachment 789645 [details] [diff] [review]:
-----------------------------------------------------------------

r=honzab.

Checked that w/ the patch all sites do have EV (and not w/o it).
Attachment #789645 - Flags: review?(honzab.moz) → review+
https://hg.mozilla.org/mozilla-central/rev/d0c7789c7ff0
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla26