/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
# include "nsAppDirectoryServiceDefs.h"
# include "nsStreamUtils.h"
# include "nsNetUtil.h"
# include "nsILineInputStream.h"
# include "nsPromiseFlatString.h"
# include "nsTArray.h"
# include "cert.h"
# include "base64.h"
# include "nsNSSComponent.h"
# include "nsSSLStatus.h"
# include "nsNSSCertificate.h"
# include "ScopedNSSTypes.h"
using namespace mozilla ;
# ifdef DEBUG
# ifndef PSM_ENABLE_TEST_EV_ROOTS
# define PSM_ENABLE_TEST_EV_ROOTS
# endif
# endif
# ifdef PR_LOGGING
extern PRLogModuleInfo * gPIPNSSLog ;
# endif
# define CONST_OID static const unsigned char
# define OI(x) { siDEROID, (unsigned char *)x, sizeof x }
// One (EV root certificate, EV policy OID) pair. The static table below is
// built from aggregate initializers in exactly this field order, so the order
// of the members is part of the table format and must not be changed.
struct nsMyTrustedEVInfo
{
  const char *dotted_oid;                // policy OID in dotted-decimal text form
  const char *oid_name;                  // Set this to null to signal an invalid structure,
                                         // (We can't have an empty list, so we'll use a dummy entry)
  SECOidTag oid_tag;                     // SEC_OID_UNKNOWN in every static entry; filled in at
                                         // runtime (register_oid() below is the visible primitive)
  const char *ev_root_sha1_fingerprint;  // UPPERCASE, colon-separated hex; what isEVMatch() compares
  const char *issuer_base64;             // issuer DER, base64
  const char *serial_base64;             // serial DER, base64
  CERTCertificate *cert;                 // nullptr in every static entry
};
/* HOWTO enable additional CA root certificates for EV:
*
* For each combination of "root certificate" and "policy OID",
* one entry must be added to the array named myTrustedEVInfos.
*
* We use the combination of "issuer name" and "serial number" to
* uniquely identify the certificate. In order to avoid problems
* because of encodings when comparing certificates, we don't
* use plain text representation, we rather use the original encoding
* as it can be found in the root certificate (in base64 format).
*
* We can use the NSS utility named " pp " to extract the encoding .
*
* Build standalone NSS including the NSS tools, then run
* pp -t certificate-identity -i the-cert-filename
*
* You will need the output from sections "Issuer", "Fingerprint (SHA1)",
* "Issuer DER Base64" and "Serial DER Base64".
*
* The new section consists of 8 lines :
*
* - a comment that should contain the human readable issuer name
* of the certificate , as printed by the pp tool
* - the EV policy OID that is associated to the EV grant
* - a text description of the EV policy OID . The array can contain
* multiple entries with the same OID .
* Please make sure to use the identical OID text description for
* all entries with the same policy OID ( use the text search
* feature of your text editor to find duplicates ) .
* When adding a new policy OID that is not yet contained in the array ,
* please make sure that your new description is different from
* all the other descriptions ( again use the text search feature
* to be sure ) .
* - the constant SEC_OID_UNKNOWN
* ( it will be replaced at runtime with another identifier )
* - the UPPERCASE version of the SHA1 fingerprint, hexadecimal,
* bytes separated by colons (as printed by pp)
* - the " Issuer DER Base64 " as printed by the pp tool .
* Remove all whitespaces . If you use multiple lines , make sure that
* only the final line will be followed by a comma .
* - the " Serial DER Base64 " ( as printed by pp )
* - a NULL pointer value
*
* After adding an entry, test it locally against the test site that
* has been provided by the CA. Note that you must use a version of NSS
* where the root certificate has already been added and marked as trusted
* for issuing SSL server certificates (at least).
*
* If you are able to connect to the site without certificate errors,
* but you don't see the EV status indicator, then most likely the CA
* has a problem in their infrastructure. The most common problems are
* related to the CA's OCSP infrastructure: either they use an incorrect
* OCSP signing certificate, or OCSP for the intermediate certificates
* isn't working, or OCSP isn't working at all.
*/
// Built-in table of (EV root, policy OID) pairs. Every entry starts with
// oid_tag == SEC_OID_UNKNOWN and cert == nullptr; isEVMatch() below keys on
// ev_root_sha1_fingerprint and oid_tag only, so the table is usable only once
// the tags have been registered (register_oid() is the primitive; the loop
// that applies it to this table is not part of this excerpt). The last entry
// is the placeholder described on the struct: its oid_name is 0, not a string.
static struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
  /*
   * IMPORTANT! When extending this list,
   * pairs of dotted_oid and oid_name should always be unique pairs.
   * In other words, if you add another list, that uses the same dotted_oid
   * as an existing entry, then please use the same oid_name.
   */
  {
    // CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
    "2.16.840.1.114171.500.9",
    "WellsSecure EV OID",
    SEC_OID_UNKNOWN,
    "E7:B4:F6:9D:61:EC:90:69:DB:7E:90:A7:40:1A:3C:F4:7D:4F:E8:EE",
    "MIGFMQswCQYDVQQGEwJVUzEgMB4GA1UECgwXV2VsbHMgRmFyZ28gV2VsbHNTZWN1"
    "cmUxHDAaBgNVBAsME1dlbGxzIEZhcmdvIEJhbmsgTkExNjA0BgNVBAMMLVdlbGxz"
    "U2VjdXJlIFB1YmxpYyBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eQ==",
    "AQ==",
    nullptr
  },
  {
    // OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
    "1.2.392.200091.100.721.1",
    "SECOM EV OID",
    SEC_OID_UNKNOWN,
    "FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D",
    "MGAxCzAJBgNVBAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENP"
    "LixMVEQuMSowKAYDVQQLEyFTZWN1cml0eSBDb21tdW5pY2F0aW9uIEVWIFJvb3RD"
    "QTE=",
    "AA==",
    nullptr
  },
  {
    // CN=Cybertrust Global Root,O=Cybertrust, Inc
    "1.3.6.1.4.1.6334.1.100.1",
    "Cybertrust EV OID",
    SEC_OID_UNKNOWN,
    "5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6",
    "MDsxGDAWBgNVBAoTD0N5YmVydHJ1c3QsIEluYzEfMB0GA1UEAxMWQ3liZXJ0cnVz"
    "dCBHbG9iYWwgUm9vdA==",
    "BAAAAAABD4WqLUg=",
    nullptr
  },
  {
    // CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
    "2.16.756.1.89.1.2.1.1",
    "SwissSign EV OID",
    SEC_OID_UNKNOWN,
    "D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61",
    "MEUxCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMT"
    "FlN3aXNzU2lnbiBHb2xkIENBIC0gRzI=",
    "ALtAHEP1Xk+w",
    nullptr
  },
  {
    // CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
    "1.3.6.1.4.1.23223.1.1.1",
    "StartCom EV OID",
    SEC_OID_UNKNOWN,
    "3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F",
    "MH0xCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQL"
    "EyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMSkwJwYDVQQDEyBT"
    "dGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
    "AQ==",
    nullptr
  },
  {
    // CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
    "1.3.6.1.4.1.23223.1.1.1",
    "StartCom EV OID",
    SEC_OID_UNKNOWN,
    "A3:F1:33:3F:E2:42:BF:CF:C5:D1:4E:8F:39:42:98:40:68:10:D1:A0",
    "MH0xCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQL"
    "EyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMSkwJwYDVQQDEyBT"
    "dGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
    "LQ==",
    nullptr
  },
  {
    // CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
    "1.3.6.1.4.1.23223.1.1.1",
    "StartCom EV OID",
    SEC_OID_UNKNOWN,
    "31:F1:FD:68:22:63:20:EE:C6:3B:3F:9D:EA:4A:3E:53:7C:7C:39:17",
    "MFMxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSwwKgYDVQQD"
    "EyNTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBHMg==",
    "Ow==",
    nullptr
  },
  {
    // CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
    "2.16.840.1.113733.1.7.23.6",
    "VeriSign EV OID",
    SEC_OID_UNKNOWN,
    "4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5",
    "MIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNV"
    "BAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA2IFZl"
    "cmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMT"
    "PFZlcmlTaWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBB"
    "dXRob3JpdHkgLSBHNQ==",
    "GNrRniZ96LtKIVjNzGs7Sg==",
    nullptr
  },
  {
    // CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
    "1.3.6.1.4.1.14370.1.6",
    "GeoTrust EV OID",
    SEC_OID_UNKNOWN,
    "32:3C:11:8E:1B:F7:B8:B6:52:54:E2:E2:10:0D:D6:02:90:37:F0:96",
    "MFgxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTEwLwYDVQQD"
    "EyhHZW9UcnVzdCBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5",
    "GKy1av1pthU6Y2yv2vrEoQ==",
    nullptr
  },
  {
    // CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
    "2.16.840.1.113733.1.7.48.1",
    "Thawte EV OID",
    SEC_OID_UNKNOWN,
    "91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81",
    "MIGpMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSgwJgYDVQQL"
    "Ex9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYDVQQLEy8oYykg"
    "MjAwNiB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEfMB0G"
    "A1UEAxMWdGhhd3RlIFByaW1hcnkgUm9vdCBDQQ==",
    "NE7VVyDV7exJ9C/ON9srbQ==",
    nullptr
  },
  {
    // CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
    "2.16.840.1.114404.1.1.2.4.1",
    "Trustwave EV OID",
    SEC_OID_UNKNOWN,
    "B8:01:86:D1:EB:9C:86:A5:41:04:CF:30:54:F3:4C:52:B7:E5:58:C6",
    "MIGCMQswCQYDVQQGEwJVUzEeMBwGA1UECxMVd3d3LnhyYW1wc2VjdXJpdHkuY29t"
    "MSQwIgYDVQQKExtYUmFtcCBTZWN1cml0eSBTZXJ2aWNlcyBJbmMxLTArBgNVBAMT"
    "JFhSYW1wIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
    "UJRs7Bjq1ZxN1ZfvdY+grQ==",
    nullptr
  },
  {
    // CN=SecureTrust CA,O=SecureTrust Corporation,C=US
    "2.16.840.1.114404.1.1.2.4.1",
    "Trustwave EV OID",
    SEC_OID_UNKNOWN,
    "87:82:C6:C3:04:35:3B:CF:D2:96:92:D2:59:3E:7D:44:D9:34:FF:11",
    "MEgxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlv"
    "bjEXMBUGA1UEAxMOU2VjdXJlVHJ1c3QgQ0E=",
    "DPCOXAgWpa1Cf/DrJxhZ0A==",
    nullptr
  },
  {
    // CN=Secure Global CA,O=SecureTrust Corporation,C=US
    "2.16.840.1.114404.1.1.2.4.1",
    "Trustwave EV OID",
    SEC_OID_UNKNOWN,
    "3A:44:73:5A:E5:81:90:1F:24:86:61:46:1E:3B:9C:C4:5F:F5:3A:1B",
    "MEoxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlv"
    "bjEZMBcGA1UEAxMQU2VjdXJlIEdsb2JhbCBDQQ==",
    "B1YipOjUiolN9BPI8PjqpQ==",
    nullptr
  },
  {
    // CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    "1.3.6.1.4.1.6449.1.2.1.5.1",
    "Comodo EV OID",
    SEC_OID_UNKNOWN,
    "9F:74:4E:9F:2B:4D:BA:EC:0F:31:2C:50:B6:56:3B:8E:2D:93:C3:11",
    "MIGFMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAw"
    "DgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDErMCkG"
    "A1UEAxMiQ09NT0RPIEVDQyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
    "H0evqmIAcFBUTAGem2OZKg==",
    nullptr
  },
  {
    // CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    "1.3.6.1.4.1.6449.1.2.1.5.1",
    "Comodo EV OID",
    SEC_OID_UNKNOWN,
    "66:31:BF:9E:F7:4F:9E:B6:C9:D5:A6:0C:BA:6A:BE:D1:F7:BD:EF:7B",
    "MIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAw"
    "DgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDEnMCUG"
    "A1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0aG9yaXR5",
    "ToEtioJl4AsC7j41AkblPQ==",
    nullptr
  },
  {
    // CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    "1.3.6.1.4.1.6449.1.2.1.5.1",
    "Comodo EV OID",
    SEC_OID_UNKNOWN,
    "02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68",
    "MG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRUcnVzdCBBQjEmMCQGA1UECxMd"
    "QWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsxIjAgBgNVBAMTGUFkZFRydXN0"
    "IEV4dGVybmFsIENBIFJvb3Q=",
    "AQ==",
    nullptr
  },
  {
    // CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
    "1.3.6.1.4.1.6449.1.2.1.5.1",
    "Comodo EV OID",
    SEC_OID_UNKNOWN,
    "58:11:9F:0E:12:82:87:EA:50:FD:D9:87:45:6F:4F:78:DC:FA:D6:D4",
    "MIGTMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFr"
    "ZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsT"
    "GGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEbMBkGA1UEAxMSVVROIC0gREFUQUNv"
    "cnAgU0dD",
    "RL4Mi1AAIbQR0ypoBqmtaQ==",
    nullptr
  },
  {
    // CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
    "1.3.6.1.4.1.6449.1.2.1.5.1",
    "Comodo EV OID",
    SEC_OID_UNKNOWN,
    "04:83:ED:33:99:AC:36:08:05:87:22:ED:BC:5E:46:00:E3:BE:F9:D7",
    "MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFr"
    "ZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsT"
    "GGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJz"
    "dC1IYXJkd2FyZQ==",
    "RL4Mi1AAJLQR0zYq/mUK/Q==",
    nullptr
  },
  {
    // OU=Go Daddy Class 2 Certification Authority,O=\"The Go Daddy Group, Inc.\",C=US
    "2.16.840.1.114413.1.7.23.3",
    "Go Daddy EV OID a",
    SEC_OID_UNKNOWN,
    "27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4",
    "MGMxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIElu"
    "Yy4xMTAvBgNVBAsTKEdvIERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRo"
    "b3JpdHk=",
    "AA==",
    nullptr
  },
  {
    // CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    "2.16.840.1.114413.1.7.23.3",
    "Go Daddy EV OID a",
    SEC_OID_UNKNOWN,
    "47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B",
    "MIGDMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv"
    "dHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xMTAvBgNVBAMTKEdv"
    "IERhZGR5IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzI=",
    "AA==",
    nullptr
  },
  {
    // E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O=\"ValiCert, Inc.\",L=ValiCert Validation Network
    "2.16.840.1.114413.1.7.23.3",
    "Go Daddy EV OID a",
    SEC_OID_UNKNOWN,
    "31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6",
    "MIG7MSQwIgYDVQQHExtWYWxpQ2VydCBWYWxpZGF0aW9uIE5ldHdvcmsxFzAVBgNV"
    "BAoTDlZhbGlDZXJ0LCBJbmMuMTUwMwYDVQQLEyxWYWxpQ2VydCBDbGFzcyAyIFBv"
    "bGljeSBWYWxpZGF0aW9uIEF1dGhvcml0eTEhMB8GA1UEAxMYaHR0cDovL3d3dy52"
    "YWxpY2VydC5jb20vMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHZhbGljZXJ0LmNvbQ==",
    "AQ==",
    nullptr
  },
  {
    // E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O=\"ValiCert, Inc.\",L=ValiCert Validation Network
    "2.16.840.1.114414.1.7.23.3",
    "Go Daddy EV OID b",
    SEC_OID_UNKNOWN,
    "31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6",
    "MIG7MSQwIgYDVQQHExtWYWxpQ2VydCBWYWxpZGF0aW9uIE5ldHdvcmsxFzAVBgNV"
    "BAoTDlZhbGlDZXJ0LCBJbmMuMTUwMwYDVQQLEyxWYWxpQ2VydCBDbGFzcyAyIFBv"
    "bGljeSBWYWxpZGF0aW9uIEF1dGhvcml0eTEhMB8GA1UEAxMYaHR0cDovL3d3dy52"
    "YWxpY2VydC5jb20vMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHZhbGljZXJ0LmNvbQ==",
    "AQ==",
    nullptr
  },
  {
    // OU=Starfield Class 2 Certification Authority,O=\"Starfield Technologies, Inc.\",C=US
    "2.16.840.1.114414.1.7.23.3",
    "Go Daddy EV OID b",
    SEC_OID_UNKNOWN,
    "AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A",
    "MGgxCzAJBgNVBAYTAlVTMSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVz"
    "LCBJbmMuMTIwMAYDVQQLEylTdGFyZmllbGQgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9u"
    "IEF1dGhvcml0eQ==",
    "AA==",
    nullptr
  },
  {
    // CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
    "2.16.840.1.114414.1.7.23.3",
    "Go Daddy EV OID b",
    SEC_OID_UNKNOWN,
    "B5:1C:06:7C:EE:2B:0C:3D:F8:55:AB:2D:92:F4:FE:39:D4:E7:0F:0E",
    "MIGPMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv"
    "dHRzZGFsZTElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEy"
    "MDAGA1UEAxMpU3RhcmZpZWxkIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0g"
    "RzI=",
    "AA==",
    nullptr
  },
  {
    // CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
    "2.16.840.1.114412.2.1",
    "DigiCert EV OID",
    SEC_OID_UNKNOWN,
    "5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25",
    "MGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT"
    "EHd3dy5kaWdpY2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0IEhpZ2ggQXNzdXJh"
    "bmNlIEVWIFJvb3QgQ0E=",
    "AqxcJmoLQJuPC3nyrkYldw==",
    nullptr
  },
  {
    // CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
    "1.3.6.1.4.1.8024.0.2.100.1.2",
    "Quo Vadis EV OID",
    SEC_OID_UNKNOWN,
    "CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7",
    "MEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYD"
    "VQQDExJRdW9WYWRpcyBSb290IENBIDI=",
    "BQk=",
    nullptr
  },
  {
    // CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
    "1.3.6.1.4.1.782.1.2.1.8.1",
    "Network Solutions EV OID",
    SEC_OID_UNKNOWN,
    "74:F8:A3:C3:EF:E7:B3:90:06:4B:83:90:3C:21:64:60:20:E5:DF:CE",
    "MGIxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhOZXR3b3JrIFNvbHV0aW9ucyBMLkwu"
    "Qy4xMDAuBgNVBAMTJ05ldHdvcmsgU29sdXRpb25zIENlcnRpZmljYXRlIEF1dGhv"
    "cml0eQ==",
    "V8szb8JcFuZHFhfjkDFo4A==",
    nullptr
  },
  {
    // CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
    "2.16.840.1.114028.10.1.2",
    "Entrust EV OID",
    SEC_OID_UNKNOWN,
    "B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:37:D4:4D:F5:D4:67:49:52:F9",
    "MIGwMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjE5MDcGA1UE"
    "CxMwd3d3LmVudHJ1c3QubmV0L0NQUyBpcyBpbmNvcnBvcmF0ZWQgYnkgcmVmZXJl"
    "bmNlMR8wHQYDVQQLExYoYykgMjAwNiBFbnRydXN0LCBJbmMuMS0wKwYDVQQDEyRF"
    "bnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHk=",
    "RWtQVA==",
    nullptr
  },
  {
    // CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
    "1.3.6.1.4.1.4146.1.1",
    "GlobalSign EV OID",
    SEC_OID_UNKNOWN,
    "B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C",
    "MFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYD"
    "VQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxTaWduIFJvb3QgQ0E=",
    "BAAAAAABFUtaw5Q=",
    nullptr
  },
  {
    // CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
    "1.3.6.1.4.1.4146.1.1",
    "GlobalSign EV OID",
    SEC_OID_UNKNOWN,
    "75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE",
    "MEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIyMRMwEQYDVQQKEwpH"
    "bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu",
    "BAAAAAABD4Ym5g0=",
    nullptr
  },
  {
    // CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
    "1.3.6.1.4.1.4146.1.1",
    "GlobalSign EV OID",
    SEC_OID_UNKNOWN,
    "D6:9B:56:11:48:F0:1C:77:C5:45:78:C1:09:26:DF:5B:85:69:76:AD",
    "MEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIzMRMwEQYDVQQKEwpH"
    "bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu",
    "BAAAAAABIVhTCKI=",
    nullptr
  },
  {
    // CN=Buypass Class 3 CA 1,O=Buypass AS-983163327,C=NO
    "2.16.578.1.26.1.3.3",
    "Buypass EV OID",
    SEC_OID_UNKNOWN,
    "61:57:3A:11:DF:0E:D8:7E:D5:92:65:22:EA:D0:56:D7:44:B3:23:71",
    "MEsxCzAJBgNVBAYTAk5PMR0wGwYDVQQKDBRCdXlwYXNzIEFTLTk4MzE2MzMyNzEd"
    "MBsGA1UEAwwUQnV5cGFzcyBDbGFzcyAzIENBIDE=",
    "Ag==",
    nullptr
  },
  {
    // CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO
    "2.16.578.1.26.1.3.3",
    "Buypass EV OID",
    SEC_OID_UNKNOWN,
    "DA:FA:F7:FA:66:84:EC:06:8F:14:50:BD:C7:C2:81:A5:BC:A9:64:57",
    "ME4xCzAJBgNVBAYTAk5PMR0wGwYDVQQKDBRCdXlwYXNzIEFTLTk4MzE2MzMyNzEg"
    "MB4GA1UEAwwXQnV5cGFzcyBDbGFzcyAzIFJvb3QgQ0E=",
    "Ag==",
    nullptr
  },
  {
    // CN=Class 2 Primary CA,O=Certplus,C=FR
    "1.3.6.1.4.1.22234.2.5.2.3.1",
    "Certplus EV OID",
    SEC_OID_UNKNOWN,
    "74:20:74:41:72:9C:DD:92:EC:79:31:D8:23:10:8D:C2:81:92:E2:BB",
    "MD0xCzAJBgNVBAYTAkZSMREwDwYDVQQKEwhDZXJ0cGx1czEbMBkGA1UEAxMSQ2xh"
    "c3MgMiBQcmltYXJ5IENB",
    "AIW9S/PY2uNp9pTXX8OlRCM=",
    nullptr
  },
  {
    // CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
    "1.3.6.1.4.1.17326.10.14.2.1.2",
    "Camerfirma EV OID a",
    SEC_OID_UNKNOWN,
    "78:6A:74:AC:76:AB:14:7F:9C:6A:30:50:BA:9E:A8:7E:FE:9A:CE:3C",
    "MIGuMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBh"
    "ZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJ"
    "QTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xKTAnBgNVBAMT"
    "IENoYW1iZXJzIG9mIENvbW1lcmNlIFJvb3QgLSAyMDA4",
    "AKPaQn6ksa7a",
    nullptr
  },
  {
    // CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
    "1.3.6.1.4.1.17326.10.8.12.1.2",
    "Camerfirma EV OID b",
    SEC_OID_UNKNOWN,
    "4A:BD:EE:EC:95:0D:35:9C:89:AE:C7:52:A1:2C:5B:29:F6:D6:AA:0C",
    "MIGsMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBh"
    "ZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJ"
    "QTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xJzAlBgNVBAMT"
    "Hkdsb2JhbCBDaGFtYmVyc2lnbiBSb290IC0gMjAwOA==",
    "AMnN0+nVfSPO",
    nullptr
  },
  {
    // CN=TC TrustCenter Universal CA III,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
    "1.2.276.0.44.1.1.1.4",
    "TC TrustCenter EV OID",
    SEC_OID_UNKNOWN,
    "96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87",
    "MHsxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSQw"
    "IgYDVQQLExtUQyBUcnVzdENlbnRlciBVbml2ZXJzYWwgQ0ExKDAmBgNVBAMTH1RD"
    "IFRydXN0Q2VudGVyIFVuaXZlcnNhbCBDQSBJSUk=",
    "YyUAAQACFI0zFQLkbPQ=",
    nullptr
  },
  {
    // CN=AffirmTrust Commercial,O=AffirmTrust,C=US
    "1.3.6.1.4.1.34697.2.1",
    "AffirmTrust EV OID a",
    SEC_OID_UNKNOWN,
    "F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7",
    "MEQxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwW"
    "QWZmaXJtVHJ1c3QgQ29tbWVyY2lhbA==",
    "d3cGJyapsXw=",
    nullptr
  },
  {
    // CN=AffirmTrust Networking,O=AffirmTrust,C=US
    "1.3.6.1.4.1.34697.2.2",
    "AffirmTrust EV OID b",
    SEC_OID_UNKNOWN,
    "29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F",
    "MEQxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwW"
    "QWZmaXJtVHJ1c3QgTmV0d29ya2luZw==",
    "fE8EORzUmS0=",
    nullptr
  },
  {
    // CN=AffirmTrust Premium,O=AffirmTrust,C=US
    "1.3.6.1.4.1.34697.2.3",
    "AffirmTrust EV OID c",
    SEC_OID_UNKNOWN,
    "D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27",
    "MEExCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEcMBoGA1UEAwwT"
    "QWZmaXJtVHJ1c3QgUHJlbWl1bQ==",
    "bYwURrGmCu4=",
    nullptr
  },
  {
    // CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
    "1.3.6.1.4.1.34697.2.4",
    "AffirmTrust EV OID d",
    SEC_OID_UNKNOWN,
    "B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB",
    "MEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwX"
    "QWZmaXJtVHJ1c3QgUHJlbWl1bSBFQ0M=",
    "dJclisc/elQ=",
    nullptr
  },
  {
    // CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
    "1.2.616.1.113527.2.5.1.1",
    "Certum EV OID",
    SEC_OID_UNKNOWN,
    "07:E0:32:E0:20:B7:2C:3F:19:2F:06:28:A2:59:3A:19:A7:0F:06:9E",
    "MH4xCzAJBgNVBAYTAlBMMSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBT"
    "LkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAg"
    "BgNVBAMTGUNlcnR1bSBUcnVzdGVkIE5ldHdvcmsgQ0E=",
    "BETA",
    nullptr
  },
  {
    // CN=Izenpe.com,O=IZENPE S.A.,C=ES
    "1.3.6.1.4.1.14777.6.1.1",
    "Izenpe EV OID 1",
    SEC_OID_UNKNOWN,
    "2F:78:3D:25:52:18:A7:4A:65:39:71:B5:2C:A2:9C:45:15:6F:E9:19",
    "MDgxCzAJBgNVBAYTAkVTMRQwEgYDVQQKDAtJWkVOUEUgUy5BLjETMBEGA1UEAwwK"
    "SXplbnBlLmNvbQ==",
    "ALC3WhZIX7/hy/WL1xnmfQ==",
    nullptr
  },
  {
    // CN=Izenpe.com,O=IZENPE S.A.,C=ES
    "1.3.6.1.4.1.14777.6.1.2",
    "Izenpe EV OID 2",
    SEC_OID_UNKNOWN,
    "2F:78:3D:25:52:18:A7:4A:65:39:71:B5:2C:A2:9C:45:15:6F:E9:19",
    "MDgxCzAJBgNVBAYTAkVTMRQwEgYDVQQKDAtJWkVOUEUgUy5BLjETMBEGA1UEAwwK"
    "SXplbnBlLmNvbQ==",
    "ALC3WhZIX7/hy/WL1xnmfQ==",
    nullptr
  },
  {
    // CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
    "1.2.40.0.17.1.22",
    "A-Trust EV OID",
    SEC_OID_UNKNOWN,
    "D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2",
    "MIGNMQswCQYDVQQGEwJBVDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hl"
    "cmhlaXRzc3lzdGVtZSBpbSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMRkwFwYD"
    "VQQLDBBBLVRydXN0LW5RdWFsLTAzMRkwFwYDVQQDDBBBLVRydXN0LW5RdWFsLTAz",
    "AWwe",
    nullptr
  },
  {
    // Placeholder entry (see the oid_name comment on the struct): oid_name is
    // 0, so this record can never match a real policy OID name.
    // OU=Sample Certification Authority,O=\"Sample, Inc.\",C=US
    "0.0.0.0",
    0, // for real entries use a string like "Sample INVALID EV OID"
    SEC_OID_UNKNOWN,
    "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33", //UPPERCASE!
    "Cg==",
    "Cg==",
    nullptr
  }
};
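/**
 * Register a DER-encoded OID with NSS's dynamic OID table so it can later be
 * referred to by a SECOidTag (the table above stores SEC_OID_UNKNOWN until
 * this has happened).
 *
 * @param oid_item  DER-encoded OID value (not the dotted text form); may be
 *                  null, in which case nothing is registered.
 * @param oid_name  Human-readable description recorded with the entry.
 * @return the tag NSS assigned, or SEC_OID_UNKNOWN when oid_item is null or
 *         NSS refused the entry (NSS reports that with the same value).
 */
static SECOidTag
register_oid(const SECItem *oid_item, const char *oid_name)
{
  if (!oid_item) {
    return SEC_OID_UNKNOWN;
  }

  SECOidData od;
  // Fill every field explicitly. SECOID_AddEntry copies the SECItem it is
  // handed, so oid.type is set rather than left indeterminate; siDEROID is
  // the type the OI() macro above uses for the same purpose.
  od.oid.type = siDEROID;
  od.oid.len = oid_item->len;
  od.oid.data = oid_item->data;
  od.offset = SEC_OID_UNKNOWN;  // NSS assigns the real tag and returns it
  od.desc = oid_name;
  od.mechanism = CKM_INVALID_MECHANISM;
  od.supportedExtension = INVALID_CERT_EXTENSION;
  return SECOID_AddEntry(&od);
}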
# ifdef PSM_ENABLE_TEST_EV_ROOTS
// Heap-populated variant of nsMyTrustedEVInfo used for the test-only roots
// list: unlike the static table entries, an instance owns its string members
// and its certificate and releases them in the destructor.
class nsMyTrustedEVInfoClass : public nsMyTrustedEVInfo
{
public:
  nsMyTrustedEVInfoClass();
  ~nsMyTrustedEVInfoClass();
};
nsMyTrustedEVInfoClass::nsMyTrustedEVInfoClass()
{
  // Start from an all-empty record: every pointer is null (so the destructor
  // has nothing to release until a field is populated) and the OID tag is
  // the "unknown" sentinel, matching the static table entries.
  cert = nullptr;
  serial_base64 = nullptr;
  issuer_base64 = nullptr;
  ev_root_sha1_fingerprint = nullptr;
  oid_tag = SEC_OID_UNKNOWN;
  oid_name = nullptr;
  dotted_oid = nullptr;
}
nsMyTrustedEVInfoClass::~nsMyTrustedEVInfoClass()
{
  // The string members are released with free(), so whatever populates an
  // instance must allocate them with a malloc-compatible allocator (the
  // loader is not visible here -- confirm when changing it). free(nullptr)
  // is a no-op, so members never set are harmless. The const_cast is only
  // needed because the base struct declares them const char*.
  const char *ownedStrings[] = {
    dotted_oid,
    oid_name,
    ev_root_sha1_fingerprint,
    issuer_base64,
    serial_base64
  };
  for (size_t i = 0; i < sizeof(ownedStrings) / sizeof(ownedStrings[0]); ++i) {
    free(const_cast<char*>(ownedStrings[i]));
  }

  // The certificate reference, when present, goes back through NSS.
  if (cert) {
    CERT_DestroyCertificate(cert);
  }
}
// Test-only list of EV roots read from the profile by loadTestEVInfos()
// below. Elements are heap-allocated nsMyTrustedEVInfoClass objects; who
// allocates the array itself and frees the elements is not visible in this
// excerpt -- verify before relying on it.
typedef nsTArray<nsMyTrustedEVInfoClass*> testEVArray;
static testEVArray *testEVInfos;        // loadTestEVInfos() bails out while this is null
static bool testEVInfosLoaded = false;  // presumably set once the file has been read; the writer is not in this excerpt
# endif
// Decide whether (rootCert, policyOIDTag) corresponds to the table entry
// `info`. The root is identified by its SHA1 fingerprint alone -- the
// issuer/serial fields of the entry are not consulted here -- and the policy
// OID must equal the tag registered for that entry. Trust in the root itself
// is not decided here; per the HOWTO above it must already be trusted by NSS.
// Returns false for a null root or when the fingerprint cannot be computed.
static bool isEVMatch(SECOidTag policyOIDTag,
                      CERTCertificate *rootCert,
                      const nsMyTrustedEVInfo &info)
{
  if (!rootCert) {
    return false;
  }

  nsNSSCertificate wrapped(rootCert);
  nsAutoString actualFingerprint;
  if (NS_FAILED(wrapped.GetSha1Fingerprint(actualFingerprint))) {
    return false;
  }

  // The table stores the fingerprint as ASCII; widen it for the comparison.
  NS_ConvertASCIItoUTF16 expectedFingerprint(info.ev_root_sha1_fingerprint);
  return actualFingerprint == expectedFingerprint &&
         policyOIDTag == info.oid_tag;
}
# ifdef PSM_ENABLE_TEST_EV_ROOTS
// Name of the test-only EV roots list; loadTestEVInfos() below looks for it
// inside the user profile directory (NS_APP_USER_PROFILE_50_DIR), and only
// when the ENABLE_TEST_EV_ROOTS_FILE environment variable is set to a
// non-zero value.
static const char kTestEVRootsFileName[] = "test_ev_roots.txt";
static void
loadTestEVInfos ( )
{
if ( ! testEVInfos )
return ;
testEVInfos - > Clear ( ) ;
char * env_val = getenv ( " ENABLE_TEST_EV_ROOTS_FILE " ) ;
if ( ! env_val )
return ;
int enabled_val = atoi ( env_val ) ;
if ( ! enabled_val )
return ;
nsCOMPtr < nsIFile > aFile ;
NS_GetSpecialDirectory ( NS_APP_USER_PROFILE_50_DIR , getter_AddRefs ( aFile ) ) ;
if ( ! aFile )
return ;
aFile - > AppendNative ( NS_LITERAL_CSTRING ( kTestEVRootsFileName ) ) ;
nsresult rv ;
nsCOMPtr < nsIInputStream > fileInputStream ;
rv = NS_NewLocalFileInputStream ( getter_AddRefs ( fileInputStream ) , aFile ) ;
if ( NS_FAILED ( rv ) )
return ;
nsCOMPtr < nsILineInputStream > lineInputStream = do_QueryInterface ( fileInputStream , & rv ) ;
if ( NS_FAILED ( rv ) )
return ;
nsAutoCString buffer ;
bool isMore = true ;
/* file format
*
* file format must be strictly followed
* strings in file must be UTF - 8
* each record consists of multiple lines
* each line consists of a descriptor , a single space , and the data
* the descriptors are :
* 1 _fingerprint ( in format XX : XX : XX : . . . )
* 2 _readable_oid ( treated as a comment )
* the input file must strictly follow this order
* the input file may contain 0 , 1 or many records
* completely empty lines are ignored
* lines that start with the # char are ignored
*/
int line_counter = 0 ;
bool found_error = false ;
enum {
2008-03-16 06:42:32 -07:00
pos_fingerprint , pos_readable_oid , pos_issuer , pos_serial
2008-03-06 22:14:33 -08:00
} reader_position = pos_fingerprint ;
2007-10-23 11:30:16 -07:00
2008-03-16 06:42:32 -07:00
nsCString fingerprint , readable_oid , issuer , serial ;
2007-10-23 11:30:16 -07:00
while ( isMore & & NS_SUCCEEDED ( lineInputStream - > ReadLine ( buffer , & isMore ) ) ) {
+ + line_counter ;
if ( buffer . IsEmpty ( ) | | buffer . First ( ) = = ' # ' ) {
continue ;
}
2012-08-22 08:56:38 -07:00
int32_t seperatorIndex = buffer . FindChar ( ' ' , 0 ) ;
2007-10-23 11:30:16 -07:00
if ( seperatorIndex = = 0 ) {
2011-10-17 07:59:28 -07:00
found_error = true ;
2007-10-23 11:30:16 -07:00
break ;
}
const nsASingleFragmentCString & descriptor = Substring ( buffer , 0 , seperatorIndex ) ;
const nsASingleFragmentCString & data =
Substring ( buffer , seperatorIndex + 1 ,
buffer . Length ( ) - seperatorIndex + 1 ) ;
2008-03-06 22:14:33 -08:00
if ( reader_position = = pos_fingerprint & &
descriptor . EqualsLiteral ( ( " 1_fingerprint " ) ) ) {
2007-10-23 11:30:16 -07:00
fingerprint = data ;
reader_position = pos_readable_oid ;
continue ;
}
else if ( reader_position = = pos_readable_oid & &
2008-03-06 22:14:33 -08:00
descriptor . EqualsLiteral ( ( " 2_readable_oid " ) ) ) {
2007-10-23 11:30:16 -07:00
readable_oid = data ;
2008-03-16 06:42:32 -07:00
reader_position = pos_issuer ;
2008-04-08 18:48:02 -07:00
continue ;
2008-03-16 06:42:32 -07:00
}
else if ( reader_position = = pos_issuer & &
descriptor . EqualsLiteral ( ( " 3_issuer " ) ) ) {
issuer = data ;
reader_position = pos_serial ;
2008-04-08 18:48:02 -07:00
continue ;
2008-03-16 06:42:32 -07:00
}
2008-04-08 18:48:02 -07:00
else if ( reader_position = = pos_serial & &
2008-03-16 06:42:32 -07:00
descriptor . EqualsLiteral ( ( " 4_serial " ) ) ) {
serial = data ;
2008-03-06 22:14:33 -08:00
reader_position = pos_fingerprint ;
2007-10-23 11:30:16 -07:00
}
else {
2011-10-17 07:59:28 -07:00
found_error = true ;
2007-10-23 11:30:16 -07:00
break ;
}
nsMyTrustedEVInfoClass * temp_ev = new nsMyTrustedEVInfoClass ;
if ( ! temp_ev )
return ;
temp_ev - > ev_root_sha1_fingerprint = strdup ( fingerprint . get ( ) ) ;
temp_ev - > oid_name = strdup ( readable_oid . get ( ) ) ;
temp_ev - > dotted_oid = strdup ( readable_oid . get ( ) ) ;
2008-03-16 06:42:32 -07:00
temp_ev - > issuer_base64 = strdup ( issuer . get ( ) ) ;
temp_ev - > serial_base64 = strdup ( serial . get ( ) ) ;
SECStatus rv ;
CERTIssuerAndSN ias ;
rv = ATOB_ConvertAsciiToItem ( & ias . derIssuer , const_cast < char * > ( temp_ev - > issuer_base64 ) ) ;
NS_ASSERTION ( rv = = SECSuccess , " error converting ascii to binary. " ) ;
rv = ATOB_ConvertAsciiToItem ( & ias . serialNumber , const_cast < char * > ( temp_ev - > serial_base64 ) ) ;
NS_ASSERTION ( rv = = SECSuccess , " error converting ascii to binary. " ) ;
2012-07-30 07:20:58 -07:00
temp_ev - > cert = CERT_FindCertByIssuerAndSN ( nullptr , & ias ) ;
2008-03-16 06:42:32 -07:00
NS_ASSERTION ( temp_ev - > cert , " Could not find EV root in NSS storage " ) ;
2011-10-17 07:59:28 -07:00
SECITEM_FreeItem ( & ias . derIssuer , false ) ;
SECITEM_FreeItem ( & ias . serialNumber , false ) ;
2011-01-17 09:26:53 -08:00
2008-03-16 06:42:32 -07:00
if ( ! temp_ev - > cert )
return ;
nsNSSCertificate c ( temp_ev - > cert ) ;
nsAutoString fingerprint ;
c . GetSha1Fingerprint ( fingerprint ) ;
NS_ConvertASCIItoUTF16 sha1 ( temp_ev - > ev_root_sha1_fingerprint ) ;
if ( sha1 ! = fingerprint ) {
NS_ASSERTION ( sha1 = = fingerprint , " found EV root with unexpected SHA1 mismatch " ) ;
CERT_DestroyCertificate ( temp_ev - > cert ) ;
2012-07-30 07:20:58 -07:00
temp_ev - > cert = nullptr ;
2008-03-16 06:42:32 -07:00
return ;
}
2007-10-23 11:30:16 -07:00
SECItem ev_oid_item ;
2012-07-30 07:20:58 -07:00
ev_oid_item . data = nullptr ;
2007-10-23 11:30:16 -07:00
ev_oid_item . len = 0 ;
2012-07-30 07:20:58 -07:00
SECStatus srv = SEC_StringToOID ( nullptr , & ev_oid_item ,
2007-10-23 11:30:16 -07:00
readable_oid . get ( ) , readable_oid . Length ( ) ) ;
if ( srv ! = SECSuccess ) {
delete temp_ev ;
2011-10-17 07:59:28 -07:00
found_error = true ;
2007-10-23 11:30:16 -07:00
break ;
}
temp_ev - > oid_tag = register_oid ( & ev_oid_item , temp_ev - > oid_name ) ;
2011-10-17 07:59:28 -07:00
SECITEM_FreeItem ( & ev_oid_item , false ) ;
2007-10-23 11:30:16 -07:00
testEVInfos - > AppendElement ( temp_ev ) ;
}
if ( found_error ) {
fprintf ( stderr , " invalid line %d in test_ev_roots file \n " , line_counter ) ;
}
}
// True when the test-roots hook is enabled and one of the loaded test entries
// was registered for policyOIDTag. Test-build counterpart of the compiled-in
// table scan in isEVPolicy().
static bool
isEVPolicyInExternalDebugRootsFile(SECOidTag policyOIDTag)
{
  if (!testEVInfos) {
    return false;
  }
  // The hook stays inert unless the environment opts in with a non-zero value.
  const char* envValue = getenv("ENABLE_TEST_EV_ROOTS_FILE");
  if (!envValue || atoi(envValue) == 0) {
    return false;
  }
  const size_t count = testEVInfos->Length();
  for (size_t i = 0; i < count; ++i) {
    const nsMyTrustedEVInfoClass* entry = testEVInfos->ElementAt(i);
    if (entry && entry->oid_tag == policyOIDTag) {
      return true;
    }
  }
  return false;
}
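// Append a duplicate of every loaded test root registered for policyOIDTag to
// certList. Only active when the test-roots hook is enabled.
//
// Returns true when at least one root was appended, false otherwise (also when
// the hook is disabled or certList is null). The only caller, getRootsForOid(),
// ignores the result.
static bool
getRootsForOidFromExternalRootsFile(CERTCertList* certList,
                                    SECOidTag policyOIDTag)
{
  if (!testEVInfos || !certList)
    return false;
  char* env_val = getenv("ENABLE_TEST_EV_ROOTS_FILE");
  if (!env_val)
    return false;
  int enabled_val = atoi(env_val);
  if (!enabled_val)
    return false;

  bool added = false;
  for (size_t i = 0; i < testEVInfos->Length(); ++i) {
    nsMyTrustedEVInfoClass* ev = testEVInfos->ElementAt(i);
    // loadTestEVInfos only appends entries whose cert resolved, but guard
    // anyway: a null anchor must never reach the PKIX trust list.
    if (!ev || !ev->cert)
      continue;
    if (policyOIDTag != ev->oid_tag)
      continue;
    CERTCertificate* dup = CERT_DupCertificate(ev->cert);
    if (!dup)
      continue;
    // On failure the list did not take ownership; drop our reference.
    if (CERT_AddCertToListTail(certList, dup) != SECSuccess) {
      CERT_DestroyCertificate(dup);
      continue;
    }
    added = true;
  }
  return added;
}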
// True when the test-roots hook is enabled and rootCert, paired with
// policyOIDTag, matches one of the loaded test entries (see isEVMatch()).
// Test-build counterpart of the compiled-in table scan in isApprovedForEV().
static bool
isEVMatchInExternalDebugRootsFile(SECOidTag policyOIDTag,
                                  CERTCertificate* rootCert)
{
  if (!testEVInfos || !rootCert) {
    return false;
  }
  // The hook stays inert unless the environment opts in with a non-zero value.
  const char* envValue = getenv("ENABLE_TEST_EV_ROOTS_FILE");
  if (!envValue || atoi(envValue) == 0) {
    return false;
  }
  const size_t count = testEVInfos->Length();
  for (size_t i = 0; i < count; ++i) {
    nsMyTrustedEVInfoClass* entry = testEVInfos->ElementAt(i);
    if (entry && isEVMatch(policyOIDTag, rootCert, *entry)) {
      return true;
    }
  }
  return false;
}
# endif
// True when policyOIDTag is the registered OID of some compiled-in EV table
// entry (or, in test builds, of a loaded test root).
static bool
isEVPolicy(SECOidTag policyOIDTag)
{
  const size_t numEntries = sizeof(myTrustedEVInfos) / sizeof(nsMyTrustedEVInfo);
  for (size_t iEV = 0; iEV < numEntries; ++iEV) {
    const nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
    // A null oid_name marks an invalid or placeholder entry.
    if (entry.oid_name && entry.oid_tag == policyOIDTag) {
      return true;
    }
  }
#ifdef PSM_ENABLE_TEST_EV_ROOTS
  return isEVPolicyInExternalDebugRootsFile(policyOIDTag);
#else
  return false;
#endif
}
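// Build the set of trust anchors allowed to vouch for EV policy oid_tag: a
// duplicate of every compiled-in table entry registered for that tag, plus
// (test builds) matching test roots.
//
// The caller owns the returned list. nullptr is returned only when the list
// could not be allocated; an empty list means no root is approved for oid_tag.
static CERTCertList*
getRootsForOid(SECOidTag oid_tag)
{
  CERTCertList* certList = CERT_NewCertList();
  if (!certList)
    return nullptr;
  for (size_t iEV = 0; iEV < (sizeof(myTrustedEVInfos) / sizeof(nsMyTrustedEVInfo)); ++iEV) {
    nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
    if (!entry.oid_name) // invalid or placeholder list entry
      continue;
    if (entry.oid_tag != oid_tag)
      continue;
    // entry.cert stays null when IdentityInfoInit could not resolve or verify
    // the root; such an entry must not contribute a (null) anchor.
    if (!entry.cert)
      continue;
    CERTCertificate* dup = CERT_DupCertificate(entry.cert);
    if (!dup)
      continue;
    if (CERT_AddCertToListTail(certList, dup) != SECSuccess) {
      CERT_DestroyCertificate(dup); // list did not take ownership
    }
  }
#ifdef PSM_ENABLE_TEST_EV_ROOTS
  getRootsForOidFromExternalRootsFile(certList, oid_tag);
#endif
  return certList;
}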
// True when rootCert, together with policyOIDTag, matches a compiled-in EV
// table entry (or, in test builds, a loaded test root). This is the final
// gate after PKIX verification: the anchor PKIX chose must itself be an
// approved EV root for the policy.
static bool
isApprovedForEV(SECOidTag policyOIDTag, CERTCertificate* rootCert)
{
  if (!rootCert) {
    return false;
  }
  const size_t numEntries = sizeof(myTrustedEVInfos) / sizeof(nsMyTrustedEVInfo);
  for (size_t iEV = 0; iEV < numEntries; ++iEV) {
    nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
    if (!entry.oid_name) {
      continue; // invalid or placeholder list entry
    }
    if (isEVMatch(policyOIDTag, rootCert, entry)) {
      return true;
    }
  }
#ifdef PSM_ENABLE_TEST_EV_ROOTS
  return isEVMatchInExternalDebugRootsFile(policyOIDTag, rootCert);
#else
  return false;
#endif
}
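// One-time initialisation (run via PR_CallOnce) of the EV root table: resolve
// each compiled-in issuer/serial to a certificate in NSS storage, confirm its
// SHA1 fingerprint against the pinned value, and register the entry's dotted
// policy OID so it gets a SECOidTag. Entries that fail any step are left with
// cert == nullptr and/or an unregistered oid_tag and therefore never act as EV
// roots. In test builds the external test-roots file is loaded afterwards.
//
// Always returns PR_SUCCESS: failures are per-entry and only assert in debug
// builds.
PRStatus
nsNSSComponent::IdentityInfoInit()
{
  for (size_t iEV = 0; iEV < (sizeof(myTrustedEVInfos) / sizeof(nsMyTrustedEVInfo)); ++iEV) {
    nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
    if (!entry.oid_name) // invalid or placeholder list entry
      continue;

    // NS_ASSERTION is a no-op in release builds, so decode failures are
    // checked explicitly: never look up a root from a half-decoded
    // issuer/serial. ias is zeroed so both items are safe to free on any path.
    CERTIssuerAndSN ias;
    memset(&ias, 0, sizeof(ias));
    SECStatus rv = ATOB_ConvertAsciiToItem(&ias.derIssuer,
                                           const_cast<char*>(entry.issuer_base64));
    if (rv == SECSuccess) {
      rv = ATOB_ConvertAsciiToItem(&ias.serialNumber,
                                   const_cast<char*>(entry.serial_base64));
    }
    NS_ASSERTION(rv == SECSuccess, "error converting ascii to binary.");
    if (rv != SECSuccess) {
      SECITEM_FreeItem(&ias.derIssuer, false);
      SECITEM_FreeItem(&ias.serialNumber, false);
      continue;
    }
    ias.serialNumber.type = siUnsignedInteger;

    entry.cert = CERT_FindCertByIssuerAndSN(nullptr, &ias);
    NS_ASSERTION(entry.cert, "Could not find EV root in NSS storage");
    SECITEM_FreeItem(&ias.derIssuer, false);
    SECITEM_FreeItem(&ias.serialNumber, false);

    if (!entry.cert)
      continue;

    // The issuer/serial lookup is only trusted once the cert's SHA1 matches
    // the fingerprint pinned in the table; a fingerprint we cannot compute
    // counts as a mismatch.
    nsNSSCertificate c(entry.cert);
    nsAutoString fingerprint;
    nsresult fprv = c.GetSha1Fingerprint(fingerprint);
    NS_ConvertASCIItoUTF16 sha1(entry.ev_root_sha1_fingerprint);
    if (NS_FAILED(fprv) || sha1 != fingerprint) {
      NS_ASSERTION(NS_SUCCEEDED(fprv) && sha1 == fingerprint,
                   "found EV root with unexpected SHA1 mismatch");
      CERT_DestroyCertificate(entry.cert);
      entry.cert = nullptr;
      continue;
    }

    // Register the dotted policy OID so the entry has a SECOidTag to compare
    // against. On failure the cert is kept but oid_tag is left unregistered.
    SECItem ev_oid_item;
    ev_oid_item.data = nullptr;
    ev_oid_item.len = 0;
    SECStatus srv = SEC_StringToOID(nullptr, &ev_oid_item,
                                    entry.dotted_oid, 0);
    if (srv != SECSuccess)
      continue;
    entry.oid_tag = register_oid(&ev_oid_item, entry.oid_name);
    SECITEM_FreeItem(&ev_oid_item, false);
  }
#ifdef PSM_ENABLE_TEST_EV_ROOTS
  if (!testEVInfosLoaded) {
    testEVInfosLoaded = true;
    testEVInfos = new testEVArray;
    if (testEVInfos) {
      loadTestEVInfos();
    }
  }
#endif
  return PR_SUCCESS;
}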
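// Find the first policy OID that is known to be an EV policy OID.
//
// Walks cert's extensions for the certificatePolicies extension and returns,
// in outOidTag, the first policy it lists for which isEVPolicy() is true.
// outOidTag is left untouched when nothing matches. Returns SECSuccess on a
// match and SECFailure otherwise (including a null cert or no extensions).
static SECStatus getFirstEVPolicy(CERTCertificate* cert, SECOidTag& outOidTag)
{
  if (!cert || !cert->extensions)
    return SECFailure;

  for (int i = 0; cert->extensions[i]; i++) {
    const SECItem* oid = &cert->extensions[i]->id;
    if (SECOID_FindOIDTag(oid) != SEC_OID_X509_CERTIFICATE_POLICIES)
      continue;

    SECItem* value = &cert->extensions[i]->value;
    CERTCertificatePolicies* policies =
      CERT_DecodeCertificatePoliciesExtension(value);
    if (!policies)
      continue;

    bool found = false;
    CERTPolicyInfo** policyInfos = policies->policyInfos;
    // Defensive: a decoded extension with no policy array is treated as empty.
    while (policyInfos && *policyInfos) {
      CERTPolicyInfo* policyInfo = *policyInfos++;
      SECOidTag oid_tag = policyInfo->oid;
      if (oid_tag != SEC_OID_UNKNOWN && isEVPolicy(oid_tag)) {
        // in our list of OIDs accepted for EV
        outOidTag = oid_tag;
        found = true;
        break;
      }
    }
    CERT_DestroyCertificatePoliciesExtension(policies);
    if (found)
      return SECSuccess;
  }
  return SECFailure;
}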
// nsISSLStatus: report whether the server certificate of this connection
// passed EV validation. Any certificate error recorded on the status forces
// the answer to false regardless of overrides; otherwise the decision is
// delegated to the certificate's nsIIdentityInfo implementation.
NS_IMETHODIMP
nsSSLStatus::GetIsExtendedValidation(bool* aIsEV)
{
  NS_ENSURE_ARG_POINTER(aIsEV);
  *aIsEV = false;

  // mServerCert should never be null when this method is called because
  // nsSSLStatus objects always have mServerCert set right after they are
  // constructed and before they are returned. GetIsExtendedValidation should
  // only be called in the chrome process (in e10s), and mServerCert will always
  // implement nsIIdentityInfo in the chrome process.
  nsresult rv;
  nsCOMPtr<nsIX509Cert> serverCert = mServerCert;
  nsCOMPtr<nsIIdentityInfo> identityInfo = do_QueryInterface(serverCert, &rv);
  if (!identityInfo) {
    NS_ERROR("nsSSLStatus has null mServerCert or was called in the content "
             "process");
    return NS_ERROR_UNEXPECTED;
  }

  // Never allow bad certs for EV, regardless of overrides.
  if (mHaveCertErrorBits) {
    return NS_OK;
  }

  return identityInfo->GetIsExtendedValidation(aIsEV);
}
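// Uncached EV decision for this certificate (mCert).
//
// On return validEV is true only when all of the following hold:
//  - OCSP checking is enabled ("No OCSP, no EV");
//  - mCert carries a certificatePolicies entry that is a known EV policy OID;
//  - CERT_PKIXVerifyCert builds a valid SSL-server chain requiring that
//    policy, with the revocation flags below, and with the trust anchors
//    restricted to the roots registered for that OID;
//  - the anchor PKIX actually used is itself an approved EV root for the OID.
// resultOidTag receives the policy OID on success, SEC_OID_UNKNOWN otherwise.
//
// Returns NS_OK whether or not EV was granted; a failing nsresult only means
// the check could not be performed (NSS shut down, component unavailable), in
// which case validEV/resultOidTag are not written.
nsresult
nsNSSCertificate::hasValidEVOidTag(SECOidTag& resultOidTag, bool& validEV)
{
  nsNSSShutDownPreventionLock locker;
  if (isAlreadyShutDown())
    return NS_ERROR_NOT_AVAILABLE;

  nsresult nrv;
  nsCOMPtr<nsINSSComponent> nssComponent =
    do_GetService(PSM_COMPONENT_CONTRACTID, &nrv);
  if (NS_FAILED(nrv))
    return nrv;
  // If loading fails the EV table stays unregistered and every check below
  // simply finds no matching policy/root.
  nssComponent->EnsureIdentityInfoLoaded();

  validEV = false;
  resultOidTag = SEC_OID_UNKNOWN;

  bool isOCSPEnabled = false;
  nsCOMPtr<nsIX509CertDB> certdb;
  certdb = do_GetService(NS_X509CERTDB_CONTRACTID);
  if (certdb)
    certdb->GetIsOcspOn(&isOCSPEnabled);
  // No OCSP, no EV
  if (!isOCSPEnabled)
    return NS_OK;

  SECOidTag oid_tag = SEC_OID_UNKNOWN;
  SECStatus rv = getFirstEVPolicy(mCert, oid_tag);
  if (rv != SECSuccess)
    return NS_OK;
  if (oid_tag == SEC_OID_UNKNOWN) // not in our list of OIDs accepted for EV
    return NS_OK;

  ScopedCERTCertList rootList(getRootsForOid(oid_tag));
  // getRootsForOid returns nullptr only when the list could not be allocated.
  // Fail closed rather than hand PKIX a null anchor set: an allocation failure
  // must never be able to widen what counts as an EV root.
  if (!rootList)
    return NS_OK;

  CERTRevocationMethodIndex preferedRevMethods[1] = {
    cert_revocation_method_ocsp
  };

  // Revocation policy, applied identically to the leaf and the chain; see the
  // CERT_REV_M_* / CERT_REV_MI_* documentation in NSS for the exact meaning.
  uint64_t revMethodFlags =
    CERT_REV_M_TEST_USING_THIS_METHOD
    | CERT_REV_M_ALLOW_NETWORK_FETCHING
    | CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
    | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE
    | CERT_REV_M_IGNORE_MISSING_FRESH_INFO
    | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO;
  uint64_t revMethodIndependentFlags =
    CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
    | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;

  // Indexed by CERTRevocationMethodIndex; sized for crl and ocsp only, which
  // matches number_of_defined_methods below.
  uint64_t methodFlags[2];
  methodFlags[cert_revocation_method_crl] = revMethodFlags;
  methodFlags[cert_revocation_method_ocsp] = revMethodFlags;

  CERTRevocationFlags rev;
  rev.leafTests.number_of_defined_methods = cert_revocation_method_ocsp + 1;
  rev.leafTests.cert_rev_flags_per_method = methodFlags;
  rev.leafTests.number_of_preferred_methods = 1;
  rev.leafTests.preferred_methods = preferedRevMethods;
  rev.leafTests.cert_rev_method_independent_flags =
    revMethodIndependentFlags;
  rev.chainTests.number_of_defined_methods = cert_revocation_method_ocsp + 1;
  rev.chainTests.cert_rev_flags_per_method = methodFlags;
  rev.chainTests.number_of_preferred_methods = 1;
  rev.chainTests.preferred_methods = preferedRevMethods;
  rev.chainTests.cert_rev_method_independent_flags =
    revMethodIndependentFlags;

  // Input parameters: require the EV policy, apply the revocation flags above,
  // and restrict trust anchors to the EV roots for this OID.
  CERTValInParam cvin[4];
  cvin[0].type = cert_pi_policyOID;
  cvin[0].value.arraySize = 1;
  cvin[0].value.array.oids = &oid_tag;
  cvin[1].type = cert_pi_revocationFlags;
  cvin[1].value.pointer.revocation = &rev;
  cvin[2].type = cert_pi_trustAnchors;
  cvin[2].value.pointer.chain = rootList;
  cvin[3].type = cert_pi_end;

  // Output: the trust anchor PKIX ended the chain on (we own the reference).
  CERTValOutParam cvout[2];
  cvout[0].type = cert_po_trustAnchor;
  cvout[0].value.pointer.cert = nullptr;
  cvout[1].type = cert_po_end;

  PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("calling CERT_PKIXVerifyCert nss cert %p\n", mCert.get()));
  rv = CERT_PKIXVerifyCert(mCert, certificateUsageSSLServer,
                           cvin, cvout, nullptr);
  if (rv != SECSuccess)
    return NS_OK;

  ScopedCERTCertificate issuerCert(cvout[0].value.pointer.cert);

#ifdef PR_LOGGING
  if (PR_LOG_TEST(gPIPNSSLog, PR_LOG_DEBUG)) {
    nsNSSCertificate ic(issuerCert);
    nsAutoString fingerprint;
    ic.GetSha1Fingerprint(fingerprint);
    NS_LossyConvertUTF16toASCII fpa(fingerprint);
    PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("CERT_PKIXVerifyCert returned success, issuer: %s, SHA1: %s\n",
                                      issuerCert->subjectName, fpa.get()));
  }
#endif

  // A valid chain is not enough: the anchor actually used must be one of the
  // EV roots approved for this policy (a null anchor is rejected here too).
  validEV = isApprovedForEV(oid_tag, issuerCert);
  if (validEV)
    resultOidTag = oid_tag;
  return NS_OK;
}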
// Cached wrapper around hasValidEVOidTag(). The first successful check stores
// its verdict (and, when valid, the policy OID) in mCachedEVStatus /
// mCachedEVOidTag; later calls answer from the cache. resultOidTag is only
// written when validEV is true. A failing nsresult from the underlying check
// is passed through and leaves the cache untouched so the check is retried.
nsresult
nsNSSCertificate::getValidEVOidTag(SECOidTag& resultOidTag, bool& validEV)
{
  if (mCachedEVStatus != ev_status_unknown) {
    validEV = (mCachedEVStatus == ev_status_valid);
    if (validEV) {
      resultOidTag = mCachedEVOidTag;
    }
    return NS_OK;
  }

  nsresult rv = hasValidEVOidTag(resultOidTag, validEV);
  if (NS_FAILED(rv)) {
    return rv;
  }

  if (validEV) {
    mCachedEVOidTag = resultOidTag;
    mCachedEVStatus = ev_status_valid;
  } else {
    mCachedEVStatus = ev_status_invalid;
  }
  return rv;
}
// nsIIdentityInfo: report whether this certificate passed EV validation.
// Answers from the cached verdict when one exists; otherwise runs (and caches)
// the full check through getValidEVOidTag(). *aIsEV is false on every failure
// path.
NS_IMETHODIMP
nsNSSCertificate::GetIsExtendedValidation(bool* aIsEV)
{
  nsNSSShutDownPreventionLock locker;
  if (isAlreadyShutDown()) {
    return NS_ERROR_NOT_AVAILABLE;
  }
  NS_ENSURE_ARG(aIsEV);
  *aIsEV = false;

  if (mCachedEVStatus != ev_status_unknown) {
    *aIsEV = (mCachedEVStatus == ev_status_valid);
    return NS_OK;
  }

  // The OID itself is not needed here; only the validity verdict is reported.
  SECOidTag ignoredOidTag;
  return getValidEVOidTag(ignoredOidTag, *aIsEV);
}
// nsIIdentityInfo: return the dotted-string form of the EV policy OID this
// certificate validated under. outDottedOid is left unchanged when the
// certificate is not EV. Fails when the verdict could not be computed or the
// registered OID cannot be rendered as a string.
NS_IMETHODIMP
nsNSSCertificate::GetValidEVPolicyOid(nsACString& outDottedOid)
{
  nsNSSShutDownPreventionLock locker;
  if (isAlreadyShutDown()) {
    return NS_ERROR_NOT_AVAILABLE;
  }

  SECOidTag oid_tag = SEC_OID_UNKNOWN;
  bool valid = false;
  nsresult rv = getValidEVOidTag(oid_tag, valid);
  if (NS_FAILED(rv)) {
    return rv;
  }
  if (!valid) {
    return NS_OK;
  }

  SECOidData* oid_data = SECOID_FindOIDByTag(oid_tag);
  if (!oid_data) {
    return NS_ERROR_FAILURE;
  }
  char* oid_str = CERT_GetOidString(&oid_data->oid);
  if (!oid_str) {
    return NS_ERROR_FAILURE;
  }
  outDottedOid = oid_str;
  PR_smprintf_free(oid_str); // CERT_GetOidString output is PR_smprintf memory
  return NS_OK;
}
// Run IdentityInfoInit() exactly once per mIdentityInfoCallOnce cycle (the
// state is reset by CleanupIdentityInfo()). Maps the PR_CallOnce result to an
// nsresult.
NS_IMETHODIMP
nsNSSComponent::EnsureIdentityInfoLoaded()
{
  if (PR_CallOnce(&mIdentityInfoCallOnce, IdentityInfoInit) != PR_SUCCESS) {
    return NS_ERROR_FAILURE;
  }
  return NS_OK;
}
// only called during shutdown
//
// Releases everything IdentityInfoInit() acquired: the certs resolved for the
// compiled-in EV table and (test builds) the loaded test entries, then zeroes
// the PR_CallOnce state so a later EnsureIdentityInfoLoaded() would run the
// initialisation again.
void
nsNSSComponent::CleanupIdentityInfo()
{
  nsNSSShutDownPreventionLock locker;

  const size_t numEntries = sizeof(myTrustedEVInfos) / sizeof(nsMyTrustedEVInfo);
  for (size_t iEV = 0; iEV < numEntries; ++iEV) {
    nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
    if (!entry.cert) {
      continue;
    }
    CERT_DestroyCertificate(entry.cert);
    entry.cert = nullptr;
  }

#ifdef PSM_ENABLE_TEST_EV_ROOTS
  if (testEVInfosLoaded) {
    testEVInfosLoaded = false;
    if (testEVInfos) {
      const size_t count = testEVInfos->Length();
      for (size_t i = 0; i < count; ++i) {
        delete testEVInfos->ElementAt(i);
      }
      testEVInfos->Clear();
      delete testEVInfos;
      testEVInfos = nullptr;
    }
  }
#endif

  memset(&mIdentityInfoCallOnce, 0, sizeof(mIdentityInfoCallOnce));
}