Bug 1194419 - Remove signature algorithm duplicate use in serial number determination in pycert. r=dkeeler
☠☠ backed out by 80f151ddd504 ☠ ☠
authorCykesiopka <cykesiopka.bmo@gmail.com>
Sat, 17 Oct 2015 09:04:43 -0700
changeset 303658 11e681d48acde9fb42dd1d564a8136539d7cd4e8
parent 303656 a4334a6c531326e239293511a3bdb670b83effdf
child 303659 4ae51f0916616b62c3fd42dbe5d0254f7ba35b25
push id1001
push userraliiev@mozilla.com
push dateMon, 18 Jan 2016 19:06:03 +0000
treeherdermozilla-release@8b89261f3ac4 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersdkeeler
bugs1194419
milestone44.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1194419 - Remove signature algorithm duplicate use in serial number determination in pycert. r=dkeeler
security/certverifier/ExtendedValidation.cpp
security/manager/ssl/tests/unit/pycert.py
security/manager/ssl/tests/unit/test_keysize_ev.js
--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@@ -113,21 +113,21 @@ static struct nsMyTrustedEVInfo myTruste
     // extension:basicConstraints:cA,
     // extension:keyUsage:keyCertSign,cRLSign
     //
     // If this ever needs to change, re-generate the certificate and update the
     // following entry with the new fingerprint, issuer, and serial number.
     "1.3.6.1.4.1.13769.666.666.666.1.500.9.1",
     "DEBUGtesting EV OID",
     SEC_OID_UNKNOWN,
-    { 0x85, 0x2A, 0x29, 0x38, 0x31, 0x09, 0x7D, 0x14, 0x0C, 0x83, 0xAB,
-      0x8D, 0x6D, 0x54, 0x32, 0x77, 0x37, 0xC8, 0xBF, 0xB2, 0xC2, 0xEC,
-      0xCC, 0x82, 0xC0, 0xA2, 0x5F, 0x24, 0x9D, 0xFD, 0xFB, 0xAB },
+    { 0xE4, 0xFB, 0x04, 0x16, 0x10, 0x32, 0x67, 0x08, 0x6C, 0x84, 0x2E,
+      0x91, 0xF3, 0xEF, 0x0E, 0x45, 0x99, 0xBC, 0xA8, 0x54, 0x73, 0xF5,
+      0x03, 0x2C, 0x7B, 0xDC, 0x09, 0x70, 0x76, 0x49, 0xBF, 0xAA },
     "MBExDzANBgNVBAMMBmV2cm9vdA==",
-    "GSsFG1fp8SGMxPjAQvdOBN26ij4=",
+    "W9j5PS8YoKgynZdYa9i2Kwexnp8=",
     nullptr
   },
   {
     // This is an RSA root with an inadequate key size. It is used to test that
     // minimum key sizes are enforced when verifying for EV. It can be
     // generated using pycert.py and the following specification:
     //
     // issuer:ev_root_rsa_2040
@@ -138,21 +138,21 @@ static struct nsMyTrustedEVInfo myTruste
     // extension:basicConstraints:cA,
     // extension:keyUsage:cRLSign,keyCertSign
     //
     // If this ever needs to change, re-generate the certificate and update the
     // following entry with the new fingerprint, issuer, and serial number.
     "1.3.6.1.4.1.13769.666.666.666.1.500.9.1",
     "DEBUGtesting EV OID",
     SEC_OID_UNKNOWN,
-    { 0x28, 0x79, 0xB9, 0x6C, 0x08, 0x71, 0x6C, 0x7D, 0xCE, 0x38, 0x8C,
-      0xAB, 0x7E, 0xEB, 0x08, 0xA6, 0xF7, 0x2C, 0xCE, 0xE4, 0x47, 0xF5,
-      0x72, 0xA1, 0xEB, 0x16, 0x9B, 0xC3, 0x49, 0x49, 0x72, 0x5D },
+    { 0x49, 0x46, 0x10, 0xF4, 0xF5, 0xB1, 0x96, 0xE7, 0xFB, 0xFA, 0x4D,
+      0xA6, 0x34, 0x03, 0xD0, 0x99, 0x22, 0xD4, 0x77, 0x20, 0x3F, 0x84,
+      0xE0, 0xDF, 0x1C, 0xAD, 0xB4, 0xC2, 0x76, 0xBB, 0x63, 0x24 },
     "MBsxGTAXBgNVBAMMEGV2X3Jvb3RfcnNhXzIwNDA=",
-    "N2nWLMPfNebIktpezTGThHoXsDU=",
+    "P1iIBgxk6kH+x64EUBTV3qoHuas=",
     nullptr
   },
 #endif
   {
     // OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
     "1.2.392.200091.100.721.1",
     "SECOM EV OID",
     SEC_OID_UNKNOWN,
--- a/security/manager/ssl/tests/unit/pycert.py
+++ b/security/manager/ssl/tests/unit/pycert.py
@@ -324,20 +324,16 @@ class Certificate(object):
         this file)."""
         hasher = hashlib.sha256()
         hasher.update(str(self.versionValue))
         hasher.update(self.signature)
         hasher.update(self.issuer)
         hasher.update(str(self.notBefore))
         hasher.update(str(self.notAfter))
         hasher.update(self.subject)
-        # Bug 1194419: This is duplicated so as to not have to
-        # re-generate the EV testing root certificates. At some point
-        # we should clean this up and re-generate them.
-        hasher.update(self.signature)
         if self.extensions:
             for extension in self.extensions:
                 hasher.update(str(extension))
         serialBytes = [ord(c) for c in hasher.digest()[:20]]
         # Ensure that the most significant bit isn't set (which would
         # indicate a negative number, which isn't valid for serial
         # numbers).
         serialBytes[0] &= 0x7f
--- a/security/manager/ssl/tests/unit/test_keysize_ev.js
+++ b/security/manager/ssl/tests/unit/test_keysize_ev.js
@@ -130,17 +130,17 @@ function checkRSAChains(inadequateKeySiz
 
 function run_test() {
   Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
   Services.prefs.setIntPref("security.OCSP.enabled", 1);
 
   let smallKeyEVRoot =
     constructCertFromFile("test_keysize_ev/ev_root_rsa_2040.pem");
   equal(smallKeyEVRoot.sha256Fingerprint,
-        "28:79:B9:6C:08:71:6C:7D:CE:38:8C:AB:7E:EB:08:A6:" +
-        "F7:2C:CE:E4:47:F5:72:A1:EB:16:9B:C3:49:49:72:5D",
+        "49:46:10:F4:F5:B1:96:E7:FB:FA:4D:A6:34:03:D0:99:" +
+        "22:D4:77:20:3F:84:E0:DF:1C:AD:B4:C2:76:BB:63:24",
         "test sanity check: the small-key EV root must have the same " +
         "fingerprint as the corresponding entry in ExtendedValidation.cpp");
 
   checkRSAChains(2040, 2048);
 
   run_next_test();
 }