Enable real EV checking. Bug 289520. patch by kai engert. review rrelyea approval mtschrep.
authorrrelyea@redhat.com
Wed, 21 Nov 2007 14:28:13 -0800
changeset 8272 1415f9688fcbbe38f87b5a49894d83bd13de9e1e
parent 8271 18b13d4531481d94b375ef3eb410145bd9c04c16
child 8273 b31bdbcafad19912ec5184c46f855ad8e5b8ad89
push idunknown
push userunknown
push dateunknown
bugs289520
milestone1.9b2pre
Enable real EV checking. Bug 289520. patch by kai engert. review rrelyea approval mtschrep.
client.mk
security/manager/ssl/src/nsIdentityChecking.cpp
--- a/client.mk
+++ b/client.mk
@@ -403,17 +403,17 @@ MODULES_all :=                          
 
 #######################################################################
 # Checkout Tags
 #
 # For branches, uncomment the MOZ_CO_TAG line with the proper tag,
 # and commit this file on that tag.
 #MOZ_CO_TAG          = <tag>
 NSPR_CO_TAG          = NSPR_HEAD_20071016
-NSS_CO_TAG           = NSS_3_12_ALPHA_2
+NSS_CO_TAG           = NSS_3_12_ALPHA_2B
 LDAPCSDK_CO_TAG      = LDAPCSDK_6_0_3_CLIENT_BRANCH
 LOCALES_CO_TAG       =
 
 #######################################################################
 # Defines
 #
 CVS = cvs
 comma := ,
--- a/security/manager/ssl/src/nsIdentityChecking.cpp
+++ b/security/manager/ssl/src/nsIdentityChecking.cpp
@@ -71,16 +71,24 @@ struct nsMyTrustedEVInfo
   SECOidTag oid_tag;
   const char *ev_root_subject;
   const char *ev_root_issuer;
   const char *ev_root_sha1_fingerprint;
 };
 
 static struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
   {
+    "2.16.840.1.113733.1.7.23.6",
+    "Verisign EV OID",
+    SEC_OID_UNKNOWN,
+    "OU=Class 3 Public Primary Certification Authority,O=\"VeriSign, Inc.\",C=US",
+    "OU=Class 3 Public Primary Certification Authority,O=\"VeriSign, Inc.\",C=US",
+    "74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2"
+  },
+  {
     "0.0.0.0",
     0, // for real entries use a string like "Sample INVALID EV OID"
     SEC_OID_UNKNOWN,
     "OU=Sample Certification Authority,O=\"Sample, Inc.\",C=US",
     "OU=Sample Certification Authority,O=\"Sample, Inc.\",C=US",
     "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"
   }
 };
@@ -535,19 +543,21 @@ nsNSSCertificate::hasValidEVOidTag(SECOi
 
   if (oid_tag == SEC_OID_UNKNOWN) // not in our list of OIDs accepted for EV
     return NS_OK;
 
   CERTValInParam cvin[3];
   cvin[0].type = cert_pi_policyOID;
   cvin[0].value.arraySize = 1; 
   cvin[0].value.array.oids = &oid_tag;
+
   cvin[1].type = cert_pi_revocationFlags;
-  cvin[1].value.scalar.ul = CERT_REV_FLAG_OCSP
-                            | CERT_REV_FLAG_CRL;
+  cvin[1].value.scalar.ul = CERT_REV_FAIL_SOFT_CRL
+                            | CERT_REV_FLAG_CRL
+                            ;
   cvin[2].type = cert_pi_end;
 
   CERTValOutParam cvout[2];
   cvout[0].type = cert_po_trustAnchor;
   cvout[1].type = cert_po_end;
 
   rv = CERT_PKIXVerifyCert(mCert, certificateUsageSSLServer,
                            cvin, cvout, nsnull);
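Review bot: The new value assigned to `cvin[1].value.scalar.ul` drops `CERT_REV_FLAG_OCSP` entirely and adds `CERT_REV_FAIL_SOFT_CRL`, so an EV chain now validates with no OCSP query at all and with a CRL fetch that is allowed to fail without blocking the EV result, which is weaker revocation checking than the two lines it replaces, and nothing in the hunk or the commit message says why. If the relaxation is deliberate for the alpha NSS tag this commit pulls in via client.mk, state that next to the assignment, e.g. `// Soft-fail CRL only: OCSP is intentionally not required for EV with this NSS tag -- TODO(bug 289520) restore hard-fail OCSP/CRL before EV ships`, so the weaker policy is not mistaken for the intended end state. The `;` left on its own line after `| CERT_REV_FLAG_CRL` reads as an editing leftover; fold it onto the preceding line. hasValidEVOidTag begins before this hunk and continues past its last line, where the `rv` from CERT_PKIXVerifyCert is presumably consumed.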