Enable real EV checking. Bug 289520. patch by kai engert. review rrelyea approval mtschrep.
authorrrelyea@redhat.com
Wed, 21 Nov 2007 14:28:13 -0800
changeset 8272 1415f9688fcbbe38f87b5a49894d83bd13de9e1e
parent 8271 18b13d4531481d94b375ef3eb410145bd9c04c16
child 8273 b31bdbcafad19912ec5184c46f855ad8e5b8ad89
push id1
push userbsmedberg@mozilla.com
push dateThu, 20 Mar 2008 16:49:24 +0000
bugs289520
milestone1.9b2pre
Enable real EV checking. Bug 289520. patch by kai engert. review rrelyea approval mtschrep.
client.mk
security/manager/ssl/src/nsIdentityChecking.cpp
--- a/client.mk
+++ b/client.mk
@@ -403,17 +403,17 @@ MODULES_all :=                          
 
 #######################################################################
 # Checkout Tags
 #
 # For branches, uncomment the MOZ_CO_TAG line with the proper tag,
 # and commit this file on that tag.
 #MOZ_CO_TAG          = <tag>
 NSPR_CO_TAG          = NSPR_HEAD_20071016
-NSS_CO_TAG           = NSS_3_12_ALPHA_2
+NSS_CO_TAG           = NSS_3_12_ALPHA_2B
 LDAPCSDK_CO_TAG      = LDAPCSDK_6_0_3_CLIENT_BRANCH
 LOCALES_CO_TAG       =
 
 #######################################################################
 # Defines
 #
 CVS = cvs
 comma := ,
--- a/security/manager/ssl/src/nsIdentityChecking.cpp
+++ b/security/manager/ssl/src/nsIdentityChecking.cpp
@@ -71,16 +71,24 @@ struct nsMyTrustedEVInfo
   SECOidTag oid_tag;
   const char *ev_root_subject;
   const char *ev_root_issuer;
   const char *ev_root_sha1_fingerprint;
 };
 
 static struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
   {
+    "2.16.840.1.113733.1.7.23.6",
+    "Verisign EV OID",
+    SEC_OID_UNKNOWN,
+    "OU=Class 3 Public Primary Certification Authority,O=\"VeriSign, Inc.\",C=US",
+    "OU=Class 3 Public Primary Certification Authority,O=\"VeriSign, Inc.\",C=US",
+    "74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2"
+  },
+  {
     "0.0.0.0",
     0, // for real entries use a string like "Sample INVALID EV OID"
     SEC_OID_UNKNOWN,
     "OU=Sample Certification Authority,O=\"Sample, Inc.\",C=US",
     "OU=Sample Certification Authority,O=\"Sample, Inc.\",C=US",
     "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"
   }
 };
@@ -535,19 +543,21 @@ nsNSSCertificate::hasValidEVOidTag(SECOi
 
   if (oid_tag == SEC_OID_UNKNOWN) // not in our list of OIDs accepted for EV
     return NS_OK;
 
   CERTValInParam cvin[3];
   cvin[0].type = cert_pi_policyOID;
   cvin[0].value.arraySize = 1; 
   cvin[0].value.array.oids = &oid_tag;
+
   cvin[1].type = cert_pi_revocationFlags;
-  cvin[1].value.scalar.ul = CERT_REV_FLAG_OCSP
-                            | CERT_REV_FLAG_CRL;
+  cvin[1].value.scalar.ul = CERT_REV_FAIL_SOFT_CRL
+                            | CERT_REV_FLAG_CRL
+                            ;
   cvin[2].type = cert_pi_end;
 
   CERTValOutParam cvout[2];
   cvout[0].type = cert_po_trustAnchor;
   cvout[1].type = cert_po_end;
 
   rv = CERT_PKIXVerifyCert(mCert, certificateUsageSSLServer,
                            cvin, cvout, nsnull);
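Review bot: The new revocation flags on the `cvin[1].value.scalar.ul` assignment drop OCSP from the EV path entirely and, judging by the name `CERT_REV_FAIL_SOFT_CRL`, make an unavailable CRL a non-fatal condition, so a certificate whose CRL cannot be fetched would still be granted EV status; nothing in the hunk records why that weaker check is acceptable for EV. If it is intended (for example as an interim setting while the NSS_3_12_ALPHA_2B behaviour is evaluated), say so next to the assignment, e.g. `// Revocation is checked via CRL only and soft-fails when no CRL is available; OCSP is not requested here.` so a later reader does not assume it is an oversight. Separately, the lone `;` on its own line after `| CERT_REV_FLAG_CRL` reads like a leftover from editing the flag list; folding it onto the previous line, `| CERT_REV_FLAG_CRL;`, matches the surrounding style. The enclosing function nsNSSCertificate::hasValidEVOidTag starts before and ends after this hunk.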