bug 1091232 - update PSM data structures that are affected by root CA changes r=mmc
authorDavid Keeler <dkeeler@mozilla.com>
Tue, 18 Nov 2014 16:41:18 -0800
changeset 216515 82967a14f25fd37e336ee7d76954cc99a1ae6e44
parent 216514 3f5f0844f2f45389a3cd884e2f69e748d4219c9f
child 216516 84d6178e3be2e7d21d68e20c4a0a4b2b4a1fb626
push idunknown
push userunknown
push dateunknown
reviewersmmc
bugs1091232
milestone36.0a1
bug 1091232 - update PSM data structures that are affected by root CA changes r=mmc
security/manager/boot/src/RootHashes.inc
security/manager/tools/KnownRootHashes.json
security/manager/tools/PreloadedHPKPins.json
--- a/security/manager/boot/src/RootHashes.inc
+++ b/security/manager/boot/src/RootHashes.inc
@@ -112,16 +112,22 @@ static const struct CertAuthorityHash RO
   },
   {
     /* COMODO_ECC_Certification_Authority */
     { 0x17, 0x93, 0x92, 0x7A, 0x06, 0x14, 0x54, 0x97, 0x89, 0xAD, 0xCE, 0x2F, 0x8F, 0x34, 0xF7, 0xF0,
       0xB6, 0x6D, 0x0F, 0x3A, 0xE3, 0xA3, 0xB8, 0x4D, 0x21, 0xEC, 0x15, 0xDB, 0xBA, 0x4F, 0xAD, 0xC7 },
       66 /* Bin Number */
   },
   {
+    /* GlobalSign */
+    { 0x17, 0x9F, 0xBC, 0x14, 0x8A, 0x3D, 0xD0, 0x0F, 0xD2, 0x4E, 0xA1, 0x34, 0x58, 0xCC, 0x43, 0xBF,
+      0xA7, 0xF5, 0x9C, 0x81, 0x82, 0xD7, 0x83, 0xA5, 0x13, 0xF6, 0xEB, 0xEC, 0x10, 0x0C, 0x89, 0x24 },
+      158 /* Bin Number */
+  },
+  {
     /* QuoVadis_Root_CA_3 */
     { 0x18, 0xF1, 0xFC, 0x7F, 0x20, 0x5D, 0xF8, 0xAD, 0xDD, 0xEB, 0x7F, 0xE0, 0x07, 0xDD, 0x57, 0xE3,
       0xAF, 0x37, 0x5A, 0x9C, 0x4D, 0x8D, 0x73, 0x54, 0x6B, 0xF4, 0xF1, 0xFE, 0xD1, 0xE1, 0x8D, 0x35 },
       33 /* Bin Number */
   },
   {
     /* China_Internet_Network_Information_Center_EV_Certificates_Root */
     { 0x1C, 0x01, 0xC6, 0xF4, 0xDB, 0xB2, 0xFE, 0xFC, 0x22, 0x55, 0x8B, 0x2B, 0xCA, 0x32, 0x56, 0x3F,
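Review bot: The label `GlobalSign` added here for bin 158 is also used for the bin 157 entry in the third hunk of this file, and both appear again as `"label": "GlobalSign"` in KnownRootHashes.json, so the comment no longer identifies which root a hash belongs to. Anyone auditing the table, or mapping a telemetry bin back to a certificate, has only the fingerprint to go on. If the label is derived mechanically from the certificate subject, the fix probably belongs in whatever produces it. Either way, a distinguishing suffix such as `/* GlobalSign_<distinguishing subject attribute> */` would tell the two entries apart. The enclosing array starts and ends outside the hunk.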
@@ -256,28 +262,40 @@ static const struct CertAuthorityHash RO
   },
   {
     /* Certification_Authority_of_WoSign */
     { 0x4B, 0x22, 0xD5, 0xA6, 0xAE, 0xC9, 0x9F, 0x3C, 0xDB, 0x79, 0xAA, 0x5E, 0xC0, 0x68, 0x38, 0x47,
       0x9C, 0xD5, 0xEC, 0xBA, 0x71, 0x64, 0xF7, 0xF2, 0x2D, 0xC1, 0xD6, 0x5F, 0x63, 0xD8, 0x57, 0x08 },
       152 /* Bin Number */
   },
   {
+    /* USERTrust_ECC_Certification_Authority */
+    { 0x4F, 0xF4, 0x60, 0xD5, 0x4B, 0x9C, 0x86, 0xDA, 0xBF, 0xBC, 0xFC, 0x57, 0x12, 0xE0, 0x40, 0x0D,
+      0x2B, 0xED, 0x3F, 0xBC, 0x4D, 0x4F, 0xBD, 0xAA, 0x86, 0xE0, 0x6A, 0xDC, 0xD2, 0xA9, 0xAD, 0x7A },
+      156 /* Bin Number */
+  },
+  {
     /* ComSign_Secured_CA */
     { 0x50, 0x79, 0x41, 0xC7, 0x44, 0x60, 0xA0, 0xB4, 0x70, 0x86, 0x22, 0x0D, 0x4E, 0x99, 0x32, 0x57,
       0x2A, 0xB5, 0xD1, 0xB5, 0xBB, 0xCB, 0x89, 0x80, 0xAB, 0x1C, 0xB1, 0x76, 0x51, 0xA8, 0x44, 0xD2 },
       76 /* Bin Number */
   },
   {
     /* OU_Security_Communication_RootCA2_O__SECOM_Trust_Systems_CO__LTD___C_JP */
     { 0x51, 0x3B, 0x2C, 0xEC, 0xB8, 0x10, 0xD4, 0xCD, 0xE5, 0xDD, 0x85, 0x39, 0x1A, 0xDF, 0xC6, 0xC2,
       0xDD, 0x60, 0xD8, 0x7B, 0xB7, 0x36, 0xD2, 0xB5, 0x21, 0x48, 0x4A, 0xA4, 0x7A, 0x0E, 0xBE, 0xF6 },
       118 /* Bin Number */
   },
   {
+    /* COMODO_RSA_Certification_Authority */
+    { 0x52, 0xF0, 0xE1, 0xC4, 0xE5, 0x8E, 0xC6, 0x29, 0x29, 0x1B, 0x60, 0x31, 0x7F, 0x07, 0x46, 0x71,
+      0xB8, 0x5D, 0x7E, 0xA8, 0x0D, 0x5B, 0x07, 0x27, 0x34, 0x63, 0x53, 0x4B, 0x32, 0xB4, 0x02, 0x34 },
+      154 /* Bin Number */
+  },
+  {
     /* DigiCert_Trusted_Root_G4 */
     { 0x55, 0x2F, 0x7B, 0xDC, 0xF1, 0xA7, 0xAF, 0x9E, 0x6C, 0xE6, 0x72, 0x01, 0x7F, 0x4F, 0x12, 0xAB,
       0xF7, 0x72, 0x40, 0xC7, 0x8E, 0x76, 0x1A, 0xC2, 0x03, 0xD1, 0xD9, 0xD2, 0x0A, 0xC8, 0x99, 0x88 },
       151 /* Bin Number */
   },
   {
     /* Actalis_Authentication_Root_CA */
     { 0x55, 0x92, 0x60, 0x84, 0xEC, 0x96, 0x3A, 0x64, 0xB9, 0x6E, 0x2A, 0xBE, 0x01, 0xCE, 0x0B, 0xA8,
@@ -658,16 +676,22 @@ static const struct CertAuthorityHash RO
   },
   {
     /* SwissSign_Silver_CA___G2 */
     { 0xBE, 0x6C, 0x4D, 0xA2, 0xBB, 0xB9, 0xBA, 0x59, 0xB6, 0xF3, 0x93, 0x97, 0x68, 0x37, 0x42, 0x46,
       0xC3, 0xC0, 0x05, 0x99, 0x3F, 0xA9, 0x8F, 0x02, 0x0D, 0x1D, 0xED, 0xBE, 0xD4, 0x8A, 0x81, 0xD5 },
       57 /* Bin Number */
   },
   {
+    /* GlobalSign */
+    { 0xBE, 0xC9, 0x49, 0x11, 0xC2, 0x95, 0x56, 0x76, 0xDB, 0x6C, 0x0A, 0x55, 0x09, 0x86, 0xD7, 0x6E,
+      0x3B, 0xA0, 0x05, 0x66, 0x7C, 0x44, 0x2C, 0x97, 0x62, 0xB4, 0xFB, 0xB7, 0x73, 0xDE, 0x22, 0x8C },
+      157 /* Bin Number */
+  },
+  {
     /* SecureSign_RootCA11 */
     { 0xBF, 0x0F, 0xEE, 0xFB, 0x9E, 0x3A, 0x58, 0x1A, 0xD5, 0xF9, 0xE9, 0xDB, 0x75, 0x89, 0x98, 0x57,
       0x43, 0xD2, 0x61, 0x08, 0x5C, 0x4D, 0x31, 0x4F, 0x6F, 0x5D, 0x72, 0x59, 0xAA, 0x42, 0x16, 0x12 },
       97 /* Bin Number */
   },
   {
     /* TWCA_Root_Certification_Authority */
     { 0xBF, 0xD8, 0x8F, 0xE1, 0x10, 0x1C, 0x41, 0xAE, 0x3E, 0x80, 0x1B, 0xF8, 0xBE, 0x56, 0x35, 0x0E,
@@ -832,16 +856,22 @@ static const struct CertAuthorityHash RO
   },
   {
     /* OU_Security_Communication_RootCA1_O_SECOM_Trust_net_C_JP */
     { 0xE7, 0x5E, 0x72, 0xED, 0x9F, 0x56, 0x0E, 0xEC, 0x6E, 0xB4, 0x80, 0x00, 0x73, 0xA4, 0x3F, 0xC3,
       0xAD, 0x19, 0x19, 0x5A, 0x39, 0x22, 0x82, 0x01, 0x78, 0x95, 0x97, 0x4A, 0x99, 0x02, 0x6B, 0x6C },
       34 /* Bin Number */
   },
   {
+    /* USERTrust_RSA_Certification_Authority */
+    { 0xE7, 0x93, 0xC9, 0xB0, 0x2F, 0xD8, 0xAA, 0x13, 0xE2, 0x1C, 0x31, 0x22, 0x8A, 0xCC, 0xB0, 0x81,
+      0x19, 0x64, 0x3B, 0x74, 0x9C, 0x89, 0x89, 0x64, 0xB1, 0x74, 0x6D, 0x46, 0xC3, 0xD4, 0xCB, 0xD2 },
+      155 /* Bin Number */
+  },
+  {
     /* OU_certSIGN_ROOT_CA_O_certSIGN_C_RO */
     { 0xEA, 0xA9, 0x62, 0xC4, 0xFA, 0x4A, 0x6B, 0xAF, 0xEB, 0xE4, 0x15, 0x19, 0x6D, 0x35, 0x1C, 0xCD,
       0x88, 0x8D, 0x4F, 0x53, 0xF3, 0xFA, 0x8A, 0xE6, 0xD7, 0xC4, 0x66, 0xA9, 0x4E, 0x60, 0x42, 0xBB },
       83 /* Bin Number */
   },
   {
     /* VeriSign_Class_3_Public_Primary_Certification_Authority___G3 */
     { 0xEB, 0x04, 0xCF, 0x5E, 0xB1, 0xF3, 0x9A, 0xFA, 0x76, 0x2F, 0x2B, 0xB1, 0x20, 0xF2, 0x96, 0xCB,
--- a/security/manager/tools/KnownRootHashes.json
+++ b/security/manager/tools/KnownRootHashes.json
@@ -768,12 +768,37 @@
       "label": "Certification_Authority_of_WoSign",
       "binNumber": 152,
       "sha256Fingerprint": "SyLVpq7JnzzbeapewGg4R5zV7LpxZPfyLcHWX2PYVwg="
     },
     {
       "label": "CA______",
       "binNumber": 153,
       "sha256Fingerprint": "1vA0vZSqIz8Cl+ykJFsoOXPkR6pZDzEMd/SP34MRIlQ="
+    },
+    {
+      "label": "COMODO_RSA_Certification_Authority",
+      "binNumber": 154,
+      "sha256Fingerprint": "UvDhxOWOxikpG2AxfwdGcbhdfqgNWwcnNGNTSzK0AjQ="
+    },
+    {
+      "label": "USERTrust_RSA_Certification_Authority",
+      "binNumber": 155,
+      "sha256Fingerprint": "55PJsC/YqhPiHDEiisywgRlkO3SciYlksXRtRsPUy9I="
+    },
+    {
+      "label": "USERTrust_ECC_Certification_Authority",
+      "binNumber": 156,
+      "sha256Fingerprint": "T/Rg1Uuchtq/vPxXEuBADSvtP7xNT72qhuBq3NKprXo="
+    },
+    {
+      "label": "GlobalSign",
+      "binNumber": 157,
+      "sha256Fingerprint": "vslJEcKVVnbbbApVCYbXbjugBWZ8RCyXYrT7t3PeIow="
+    },
+    {
+      "label": "GlobalSign",
+      "binNumber": 158,
+      "sha256Fingerprint": "F5+8FIo90A/STqE0WMxDv6f1nIGC14OlE/br7BAMiSQ="
     }
   ],
-  "maxBin": 153
+  "maxBin": 158
 }
\ No newline at end of file
--- a/security/manager/tools/PreloadedHPKPins.json
+++ b/security/manager/tools/PreloadedHPKPins.json
@@ -123,18 +123,18 @@
         "AddTrust External Root",
         "AddTrust Low-Value Services Root",
         "AddTrust Public Services Root",
         "AddTrust Qualified Certificates Root",
         "AffirmTrust Commercial",
         "AffirmTrust Networking",
         "AffirmTrust Premium",
         "AffirmTrust Premium ECC",
-        "America Online Root Certification Authority 1",
-        "America Online Root Certification Authority 2",
+        // "America Online Root Certification Authority 1",
+        // "America Online Root Certification Authority 2",
         "Baltimore CyberTrust Root",
         "Comodo AAA Services root",
         "COMODO Certification Authority",
         "COMODO ECC Certification Authority",
         "Comodo Secure Services root",
         "Comodo Trusted Services root",
         "Cybertrust Global Root",
         "DigiCert Assured ID Root CA",
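Review bot: The four entries commented out here and in the next hunk (the two America Online roots, then "Thawte Premium Server CA" and "Thawte Server CA") carry no reason or bug reference, so a later reader cannot tell a deliberate removal from a temporary disablement. This list appears to feed a pin set, where dropping a name narrows which chains satisfy the pin. Assuming these roots left the built-in list, a marker such as `// No longer in the built-in roots (bug 1091232):` above each commented group would record the intent. The file list on this commit shows no generated pin output, so it is worth confirming that whatever is built from this list is regenerated with it; otherwise the shipped pins and this source can disagree. The enclosing array starts and ends outside both hunks.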
@@ -167,21 +167,21 @@
         "Starfield Services Root Certificate Authority - G2",
         "StartCom Certification Authority",
         "StartCom Certification Authority",
         "StartCom Certification Authority G2",
         "TC TrustCenter Class 2 CA II",
         "TC TrustCenter Class 3 CA II",
         "TC TrustCenter Universal CA I",
         "TC TrustCenter Universal CA III",
-        "Thawte Premium Server CA",
+        // "Thawte Premium Server CA",
         "thawte Primary Root CA",
         "thawte Primary Root CA - G2",
         "thawte Primary Root CA - G3",
-        "Thawte Server CA",
+        // "Thawte Server CA",
         "UTN DATACorp SGC Root CA",
         "UTN USERFirst Hardware Root CA",
         // "ValiCert Class 1 VA",
         // "ValiCert Class 2 VA",
         "Verisign Class 3 Public Primary Certification Authority",
         "Verisign Class 3 Public Primary Certification Authority",
         "Verisign Class 3 Public Primary Certification Authority - G2",
         "Verisign Class 3 Public Primary Certification Authority - G3",