gecko/security/certverifier/ExtendedValidation.cpp
Brian Smith 726599adbd Bug 1006958: Use mozilla::pkix::der to parse certificate policies instead of NSS, r=keeler
--HG--
extra : rebase_source : fde88efebc1025bc4f825aa38df809d04b1b250a
2014-05-15 18:59:52 -07:00

1073 lines
39 KiB
C++

/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ExtendedValidation.h"
#include "cert.h"
#include "certdb.h"
#include "base64.h"
#include "pkix/nullptr.h"
#include "pkix/pkixtypes.h"
#include "pk11pub.h"
#include "secerr.h"
#include "prerror.h"
#include "prinit.h"
#ifdef PR_LOGGING
extern PRLogModuleInfo* gPIPNSSLog;
#endif
#define CONST_OID static const unsigned char
#define OI(x) { siDEROID, (unsigned char*) x, sizeof x }
struct nsMyTrustedEVInfo
{
const char* dotted_oid;
const char* oid_name; // Set this to null to signal an invalid structure,
// (We can't have an empty list, so we'll use a dummy entry)
SECOidTag oid_tag;
const unsigned char ev_root_sha1_fingerprint[20];
const char* issuer_base64;
const char* serial_base64;
CERTCertificate* cert;
};
// HOWTO enable additional CA root certificates for EV:
//
// For each combination of "root certificate" and "policy OID",
// one entry must be added to the array named myTrustedEVInfos.
//
// We use the combination of "issuer name" and "serial number" to
// uniquely identify the certificate. In order to avoid problems
// because of encodings when comparing certificates, we don't
// use plain text representation, we rather use the original encoding
// as it can be found in the root certificate (in base64 format).
//
// We can use the NSS utility named "pp" to extract the encoding.
//
// Build standalone NSS including the NSS tools, then run
// pp -t certificate-identity -i the-cert-filename
//
// You will need the output from sections "Issuer", "Fingerprint (SHA1)",
// "Issuer DER Base64" and "Serial DER Base64".
//
// The new section consists of 8 lines:
//
// - a comment that should contain the human readable issuer name
// of the certificate, as printed by the pp tool
// - the EV policy OID that is associated to the EV grant
// - a text description of the EV policy OID. The array can contain
// multiple entries with the same OID.
// Please make sure to use the identical OID text description for
// all entries with the same policy OID (use the text search
// feature of your text editor to find duplicates).
// When adding a new policy OID that is not yet contained in the array,
// please make sure that your new description is different from
// all the other descriptions (again use the text search feature
// to be sure).
// - the constant SEC_OID_UNKNOWN
// (it will be replaced at runtime with another identifier)
// - the SHA1 fingerprint
// - the "Issuer DER Base64" as printed by the pp tool.
// Remove all whitespaces. If you use multiple lines, make sure that
// only the final line will be followed by a comma.
// - the "Serial DER Base64" (as printed by pp)
// - nullptr
//
// After adding an entry, test it locally against the test site that
// has been provided by the CA. Note that you must use a version of NSS
// where the root certificate has already been added and marked as trusted
// for issueing SSL server certificates (at least).
//
// If you are able to connect to the site without certificate errors,
// but you don't see the EV status indicator, then most likely the CA
// has a problem in their infrastructure. The most common problems are
// related to the CA's OCSP infrastructure, either they use an incorrect
// OCSP signing certificate, or OCSP for the intermediate certificates
// isn't working, or OCSP isn't working at all.
static struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
// IMPORTANT! When extending this list,
// pairs of dotted_oid and oid_name should always be unique pairs.
// In other words, if you add another list, that uses the same dotted_oid
// as an existing entry, then please use the same oid_name.
#ifdef DEBUG
// Debug EV certificates should all use the OID (repeating EV OID is OK):
// 1.3.6.1.4.1.13769.666.666.666.1.500.9.1.
// If you add or remove debug EV certs you must also modify IdentityInfoInit
// (there is another #ifdef DEBUG section there) so that the correct number of
// certs are skipped as these debug EV certs are NOT part of the default trust
// store.
{
// This is the testing EV signature (xpcshell) (RSA)
// CN=XPCShell EV Testing (untrustworthy) CA,OU=Security Engineering,O=Mozilla - EV debug test CA,L=Mountain View,ST=CA,C=US"
"1.3.6.1.4.1.13769.666.666.666.1.500.9.1",
"DEBUGtesting EV OID",
SEC_OID_UNKNOWN,
{ 0x9C, 0x62, 0xEF, 0xDB, 0xAE, 0xF9, 0xEB, 0x36, 0x58, 0xFB,
0x3B, 0xD3, 0x47, 0x64, 0x93, 0x9D, 0x86, 0x29, 0x6A, 0xE0 },
"MIGnMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWlu"
"IFZpZXcxIzAhBgNVBAoMGk1vemlsbGEgLSBFViBkZWJ1ZyB0ZXN0IENBMR0wGwYD"
"VQQLDBRTZWN1cml0eSBFbmdpbmVlcmluZzEvMC0GA1UEAwwmWFBDU2hlbGwgRVYg"
"VGVzdGluZyAodW50cnVzdHdvcnRoeSkgQ0E=",
"At+3zdo=",
nullptr
},
#endif
{
// OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
"1.2.392.200091.100.721.1",
"SECOM EV OID",
SEC_OID_UNKNOWN,
{ 0xFE, 0xB8, 0xC4, 0x32, 0xDC, 0xF9, 0x76, 0x9A, 0xCE, 0xAE,
0x3D, 0xD8, 0x90, 0x8F, 0xFD, 0x28, 0x86, 0x65, 0x64, 0x7D },
"MGAxCzAJBgNVBAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENP"
"LixMVEQuMSowKAYDVQQLEyFTZWN1cml0eSBDb21tdW5pY2F0aW9uIEVWIFJvb3RD"
"QTE=",
"AA==",
nullptr
},
{
// CN=Cybertrust Global Root,O=Cybertrust, Inc
"1.3.6.1.4.1.6334.1.100.1",
"Cybertrust EV OID",
SEC_OID_UNKNOWN,
{ 0x5F, 0x43, 0xE5, 0xB1, 0xBF, 0xF8, 0x78, 0x8C, 0xAC, 0x1C,
0xC7, 0xCA, 0x4A, 0x9A, 0xC6, 0x22, 0x2B, 0xCC, 0x34, 0xC6 },
"MDsxGDAWBgNVBAoTD0N5YmVydHJ1c3QsIEluYzEfMB0GA1UEAxMWQ3liZXJ0cnVz"
"dCBHbG9iYWwgUm9vdA==",
"BAAAAAABD4WqLUg=",
nullptr
},
{
// CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
"2.16.756.1.89.1.2.1.1",
"SwissSign EV OID",
SEC_OID_UNKNOWN,
{ 0xD8, 0xC5, 0x38, 0x8A, 0xB7, 0x30, 0x1B, 0x1B, 0x6E, 0xD4,
0x7A, 0xE6, 0x45, 0x25, 0x3A, 0x6F, 0x9F, 0x1A, 0x27, 0x61 },
"MEUxCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMT"
"FlN3aXNzU2lnbiBHb2xkIENBIC0gRzI=",
"ALtAHEP1Xk+w",
nullptr
},
{
// CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
"1.3.6.1.4.1.23223.1.1.1",
"StartCom EV OID",
SEC_OID_UNKNOWN,
{ 0x3E, 0x2B, 0xF7, 0xF2, 0x03, 0x1B, 0x96, 0xF3, 0x8C, 0xE6,
0xC4, 0xD8, 0xA8, 0x5D, 0x3E, 0x2D, 0x58, 0x47, 0x6A, 0x0F },
"MH0xCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQL"
"EyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMSkwJwYDVQQDEyBT"
"dGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
"AQ==",
nullptr
},
{
// CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
"1.3.6.1.4.1.23223.1.1.1",
"StartCom EV OID",
SEC_OID_UNKNOWN,
{ 0xA3, 0xF1, 0x33, 0x3F, 0xE2, 0x42, 0xBF, 0xCF, 0xC5, 0xD1,
0x4E, 0x8F, 0x39, 0x42, 0x98, 0x40, 0x68, 0x10, 0xD1, 0xA0 },
"MH0xCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQL"
"EyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMSkwJwYDVQQDEyBT"
"dGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
"LQ==",
nullptr
},
{
// CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
"1.3.6.1.4.1.23223.1.1.1",
"StartCom EV OID",
SEC_OID_UNKNOWN,
{ 0x31, 0xF1, 0xFD, 0x68, 0x22, 0x63, 0x20, 0xEE, 0xC6, 0x3B,
0x3F, 0x9D, 0xEA, 0x4A, 0x3E, 0x53, 0x7C, 0x7C, 0x39, 0x17 },
"MFMxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSwwKgYDVQQD"
"EyNTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBHMg==",
"Ow==",
nullptr
},
{
// CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
"2.16.840.1.113733.1.7.23.6",
"VeriSign EV OID",
SEC_OID_UNKNOWN,
{ 0x4E, 0xB6, 0xD5, 0x78, 0x49, 0x9B, 0x1C, 0xCF, 0x5F, 0x58,
0x1E, 0xAD, 0x56, 0xBE, 0x3D, 0x9B, 0x67, 0x44, 0xA5, 0xE5 },
"MIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNV"
"BAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA2IFZl"
"cmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMT"
"PFZlcmlTaWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBB"
"dXRob3JpdHkgLSBHNQ==",
"GNrRniZ96LtKIVjNzGs7Sg==",
nullptr
},
{
// CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
"1.3.6.1.4.1.14370.1.6",
"GeoTrust EV OID",
SEC_OID_UNKNOWN,
{ 0x32, 0x3C, 0x11, 0x8E, 0x1B, 0xF7, 0xB8, 0xB6, 0x52, 0x54,
0xE2, 0xE2, 0x10, 0x0D, 0xD6, 0x02, 0x90, 0x37, 0xF0, 0x96 },
"MFgxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTEwLwYDVQQD"
"EyhHZW9UcnVzdCBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5",
"GKy1av1pthU6Y2yv2vrEoQ==",
nullptr
},
{
// CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
"2.16.840.1.113733.1.7.48.1",
"Thawte EV OID",
SEC_OID_UNKNOWN,
{ 0x91, 0xC6, 0xD6, 0xEE, 0x3E, 0x8A, 0xC8, 0x63, 0x84, 0xE5,
0x48, 0xC2, 0x99, 0x29, 0x5C, 0x75, 0x6C, 0x81, 0x7B, 0x81 },
"MIGpMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSgwJgYDVQQL"
"Ex9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYDVQQLEy8oYykg"
"MjAwNiB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEfMB0G"
"A1UEAxMWdGhhd3RlIFByaW1hcnkgUm9vdCBDQQ==",
"NE7VVyDV7exJ9C/ON9srbQ==",
nullptr
},
{
// CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
"2.16.840.1.114404.1.1.2.4.1",
"Trustwave EV OID",
SEC_OID_UNKNOWN,
{ 0xB8, 0x01, 0x86, 0xD1, 0xEB, 0x9C, 0x86, 0xA5, 0x41, 0x04,
0xCF, 0x30, 0x54, 0xF3, 0x4C, 0x52, 0xB7, 0xE5, 0x58, 0xC6 },
"MIGCMQswCQYDVQQGEwJVUzEeMBwGA1UECxMVd3d3LnhyYW1wc2VjdXJpdHkuY29t"
"MSQwIgYDVQQKExtYUmFtcCBTZWN1cml0eSBTZXJ2aWNlcyBJbmMxLTArBgNVBAMT"
"JFhSYW1wIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
"UJRs7Bjq1ZxN1ZfvdY+grQ==",
nullptr
},
{
// CN=SecureTrust CA,O=SecureTrust Corporation,C=US
"2.16.840.1.114404.1.1.2.4.1",
"Trustwave EV OID",
SEC_OID_UNKNOWN,
{ 0x87, 0x82, 0xC6, 0xC3, 0x04, 0x35, 0x3B, 0xCF, 0xD2, 0x96,
0x92, 0xD2, 0x59, 0x3E, 0x7D, 0x44, 0xD9, 0x34, 0xFF, 0x11 },
"MEgxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlv"
"bjEXMBUGA1UEAxMOU2VjdXJlVHJ1c3QgQ0E=",
"DPCOXAgWpa1Cf/DrJxhZ0A==",
nullptr
},
{
// CN=Secure Global CA,O=SecureTrust Corporation,C=US
"2.16.840.1.114404.1.1.2.4.1",
"Trustwave EV OID",
SEC_OID_UNKNOWN,
{ 0x3A, 0x44, 0x73, 0x5A, 0xE5, 0x81, 0x90, 0x1F, 0x24, 0x86,
0x61, 0x46, 0x1E, 0x3B, 0x9C, 0xC4, 0x5F, 0xF5, 0x3A, 0x1B },
"MEoxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlv"
"bjEZMBcGA1UEAxMQU2VjdXJlIEdsb2JhbCBDQQ==",
"B1YipOjUiolN9BPI8PjqpQ==",
nullptr
},
{
// CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
"1.3.6.1.4.1.6449.1.2.1.5.1",
"Comodo EV OID",
SEC_OID_UNKNOWN,
{ 0x9F, 0x74, 0x4E, 0x9F, 0x2B, 0x4D, 0xBA, 0xEC, 0x0F, 0x31,
0x2C, 0x50, 0xB6, 0x56, 0x3B, 0x8E, 0x2D, 0x93, 0xC3, 0x11 },
"MIGFMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAw"
"DgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDErMCkG"
"A1UEAxMiQ09NT0RPIEVDQyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
"H0evqmIAcFBUTAGem2OZKg==",
nullptr
},
{
// CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
"1.3.6.1.4.1.6449.1.2.1.5.1",
"Comodo EV OID",
SEC_OID_UNKNOWN,
{ 0x66, 0x31, 0xBF, 0x9E, 0xF7, 0x4F, 0x9E, 0xB6, 0xC9, 0xD5,
0xA6, 0x0C, 0xBA, 0x6A, 0xBE, 0xD1, 0xF7, 0xBD, 0xEF, 0x7B },
"MIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAw"
"DgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDEnMCUG"
"A1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0aG9yaXR5",
"ToEtioJl4AsC7j41AkblPQ==",
nullptr
},
{
// CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
"1.3.6.1.4.1.6449.1.2.1.5.1",
"Comodo EV OID",
SEC_OID_UNKNOWN,
{ 0x02, 0xFA, 0xF3, 0xE2, 0x91, 0x43, 0x54, 0x68, 0x60, 0x78,
0x57, 0x69, 0x4D, 0xF5, 0xE4, 0x5B, 0x68, 0x85, 0x18, 0x68 },
"MG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRUcnVzdCBBQjEmMCQGA1UECxMd"
"QWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsxIjAgBgNVBAMTGUFkZFRydXN0"
"IEV4dGVybmFsIENBIFJvb3Q=",
"AQ==",
nullptr
},
{
// CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
"1.3.6.1.4.1.6449.1.2.1.5.1",
"Comodo EV OID",
SEC_OID_UNKNOWN,
{ 0x58, 0x11, 0x9F, 0x0E, 0x12, 0x82, 0x87, 0xEA, 0x50, 0xFD,
0xD9, 0x87, 0x45, 0x6F, 0x4F, 0x78, 0xDC, 0xFA, 0xD6, 0xD4 },
"MIGTMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFr"
"ZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsT"
"GGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEbMBkGA1UEAxMSVVROIC0gREFUQUNv"
"cnAgU0dD",
"RL4Mi1AAIbQR0ypoBqmtaQ==",
nullptr
},
{
// CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
"1.3.6.1.4.1.6449.1.2.1.5.1",
"Comodo EV OID",
SEC_OID_UNKNOWN,
{ 0x04, 0x83, 0xED, 0x33, 0x99, 0xAC, 0x36, 0x08, 0x05, 0x87,
0x22, 0xED, 0xBC, 0x5E, 0x46, 0x00, 0xE3, 0xBE, 0xF9, 0xD7 },
"MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFr"
"ZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsT"
"GGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJz"
"dC1IYXJkd2FyZQ==",
"RL4Mi1AAJLQR0zYq/mUK/Q==",
nullptr
},
{
// OU=Go Daddy Class 2 Certification Authority,O=\"The Go Daddy Group, Inc.\",C=US
"2.16.840.1.114413.1.7.23.3",
"Go Daddy EV OID a",
SEC_OID_UNKNOWN,
{ 0x27, 0x96, 0xBA, 0xE6, 0x3F, 0x18, 0x01, 0xE2, 0x77, 0x26,
0x1B, 0xA0, 0xD7, 0x77, 0x70, 0x02, 0x8F, 0x20, 0xEE, 0xE4 },
"MGMxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIElu"
"Yy4xMTAvBgNVBAsTKEdvIERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRo"
"b3JpdHk=",
"AA==",
nullptr
},
{
// CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
"2.16.840.1.114413.1.7.23.3",
"Go Daddy EV OID a",
SEC_OID_UNKNOWN,
{ 0x47, 0xBE, 0xAB, 0xC9, 0x22, 0xEA, 0xE8, 0x0E, 0x78, 0x78,
0x34, 0x62, 0xA7, 0x9F, 0x45, 0xC2, 0x54, 0xFD, 0xE6, 0x8B },
"MIGDMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv"
"dHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xMTAvBgNVBAMTKEdv"
"IERhZGR5IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzI=",
"AA==",
nullptr
},
{
// OU=Starfield Class 2 Certification Authority,O=\"Starfield Technologies, Inc.\",C=US
"2.16.840.1.114414.1.7.23.3",
"Go Daddy EV OID b",
SEC_OID_UNKNOWN,
{ 0xAD, 0x7E, 0x1C, 0x28, 0xB0, 0x64, 0xEF, 0x8F, 0x60, 0x03,
0x40, 0x20, 0x14, 0xC3, 0xD0, 0xE3, 0x37, 0x0E, 0xB5, 0x8A },
"MGgxCzAJBgNVBAYTAlVTMSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVz"
"LCBJbmMuMTIwMAYDVQQLEylTdGFyZmllbGQgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9u"
"IEF1dGhvcml0eQ==",
"AA==",
nullptr
},
{
// CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
"2.16.840.1.114414.1.7.23.3",
"Go Daddy EV OID b",
SEC_OID_UNKNOWN,
{ 0xB5, 0x1C, 0x06, 0x7C, 0xEE, 0x2B, 0x0C, 0x3D, 0xF8, 0x55,
0xAB, 0x2D, 0x92, 0xF4, 0xFE, 0x39, 0xD4, 0xE7, 0x0F, 0x0E },
"MIGPMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv"
"dHRzZGFsZTElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEy"
"MDAGA1UEAxMpU3RhcmZpZWxkIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0g"
"RzI=",
"AA==",
nullptr
},
{
// CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
"2.16.840.1.114412.2.1",
"DigiCert EV OID",
SEC_OID_UNKNOWN,
{ 0x5F, 0xB7, 0xEE, 0x06, 0x33, 0xE2, 0x59, 0xDB, 0xAD, 0x0C,
0x4C, 0x9A, 0xE6, 0xD3, 0X8F, 0x1A, 0x61, 0xC7, 0xDC, 0x25 },
"MGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT"
"EHd3dy5kaWdpY2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0IEhpZ2ggQXNzdXJh"
"bmNlIEVWIFJvb3QgQ0E=",
"AqxcJmoLQJuPC3nyrkYldw==",
nullptr
},
{
// CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
"1.3.6.1.4.1.8024.0.2.100.1.2",
"Quo Vadis EV OID",
SEC_OID_UNKNOWN,
{ 0xCA, 0x3A, 0xFB, 0xCF, 0x12, 0x40, 0x36, 0x4B, 0x44, 0xB2,
0x16, 0x20, 0x88, 0x80, 0x48, 0x39, 0x19, 0x93, 0x7C, 0xF7 },
"MEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYD"
"VQQDExJRdW9WYWRpcyBSb290IENBIDI=",
"BQk=",
nullptr
},
{
// CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
"1.3.6.1.4.1.782.1.2.1.8.1",
"Network Solutions EV OID",
SEC_OID_UNKNOWN,
{ 0x74, 0xF8, 0xA3, 0xC3, 0xEF, 0xE7, 0xB3, 0x90, 0x06, 0x4B,
0x83, 0x90, 0x3C, 0x21, 0x64, 0x60, 0x20, 0xE5, 0xDF, 0xCE },
"MGIxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhOZXR3b3JrIFNvbHV0aW9ucyBMLkwu"
"Qy4xMDAuBgNVBAMTJ05ldHdvcmsgU29sdXRpb25zIENlcnRpZmljYXRlIEF1dGhv"
"cml0eQ==",
"V8szb8JcFuZHFhfjkDFo4A==",
nullptr
},
{
// CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
"2.16.840.1.114028.10.1.2",
"Entrust EV OID",
SEC_OID_UNKNOWN,
{ 0xB3, 0x1E, 0xB1, 0xB7, 0x40, 0xE3, 0x6C, 0x84, 0x02, 0xDA,
0xDC, 0x37, 0xD4, 0x4D, 0xF5, 0xD4, 0x67, 0x49, 0x52, 0xF9 },
"MIGwMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjE5MDcGA1UE"
"CxMwd3d3LmVudHJ1c3QubmV0L0NQUyBpcyBpbmNvcnBvcmF0ZWQgYnkgcmVmZXJl"
"bmNlMR8wHQYDVQQLExYoYykgMjAwNiBFbnRydXN0LCBJbmMuMS0wKwYDVQQDEyRF"
"bnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHk=",
"RWtQVA==",
nullptr
},
{
// CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
"1.3.6.1.4.1.4146.1.1",
"GlobalSign EV OID",
SEC_OID_UNKNOWN,
{ 0xB1, 0xBC, 0x96, 0x8B, 0xD4, 0xF4, 0x9D, 0x62, 0x2A, 0xA8,
0x9A, 0x81, 0xF2, 0x15, 0x01, 0x52, 0xA4, 0x1D, 0x82, 0x9C },
"MFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYD"
"VQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxTaWduIFJvb3QgQ0E=",
"BAAAAAABFUtaw5Q=",
nullptr
},
{
// CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
"1.3.6.1.4.1.4146.1.1",
"GlobalSign EV OID",
SEC_OID_UNKNOWN,
{ 0x75, 0xE0, 0xAB, 0xB6, 0x13, 0x85, 0x12, 0x27, 0x1C, 0x04,
0xF8, 0x5F, 0xDD, 0xDE, 0x38, 0xE4, 0xB7, 0x24, 0x2E, 0xFE },
"MEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIyMRMwEQYDVQQKEwpH"
"bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu",
"BAAAAAABD4Ym5g0=",
nullptr
},
{
// CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
"1.3.6.1.4.1.4146.1.1",
"GlobalSign EV OID",
SEC_OID_UNKNOWN,
{ 0xD6, 0x9B, 0x56, 0x11, 0x48, 0xF0, 0x1C, 0x77, 0xC5, 0x45,
0x78, 0xC1, 0x09, 0x26, 0xDF, 0x5B, 0x85, 0x69, 0x76, 0xAD },
"MEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIzMRMwEQYDVQQKEwpH"
"bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu",
"BAAAAAABIVhTCKI=",
nullptr
},
{
// CN=Buypass Class 3 CA 1,O=Buypass AS-983163327,C=NO
"2.16.578.1.26.1.3.3",
"Buypass EV OID",
SEC_OID_UNKNOWN,
{ 0x61, 0x57, 0x3A, 0x11, 0xDF, 0x0E, 0xD8, 0x7E, 0xD5, 0x92,
0x65, 0x22, 0xEA, 0xD0, 0x56, 0xD7, 0x44, 0xB3, 0x23, 0x71 },
"MEsxCzAJBgNVBAYTAk5PMR0wGwYDVQQKDBRCdXlwYXNzIEFTLTk4MzE2MzMyNzEd"
"MBsGA1UEAwwUQnV5cGFzcyBDbGFzcyAzIENBIDE=",
"Ag==",
nullptr
},
{
// CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO
"2.16.578.1.26.1.3.3",
"Buypass EV OID",
SEC_OID_UNKNOWN,
{ 0xDA, 0xFA, 0xF7, 0xFA, 0x66, 0x84, 0xEC, 0x06, 0x8F, 0x14,
0x50, 0xBD, 0xC7, 0xC2, 0x81, 0xA5, 0xBC, 0xA9, 0x64, 0x57 },
"ME4xCzAJBgNVBAYTAk5PMR0wGwYDVQQKDBRCdXlwYXNzIEFTLTk4MzE2MzMyNzEg"
"MB4GA1UEAwwXQnV5cGFzcyBDbGFzcyAzIFJvb3QgQ0E=",
"Ag==",
nullptr
},
{
// CN=Class 2 Primary CA,O=Certplus,C=FR
"1.3.6.1.4.1.22234.2.5.2.3.1",
"Certplus EV OID",
SEC_OID_UNKNOWN,
{ 0x74, 0x20, 0x74, 0x41, 0x72, 0x9C, 0xDD, 0x92, 0xEC, 0x79,
0x31, 0xD8, 0x23, 0x10, 0x8D, 0xC2, 0x81, 0x92, 0xE2, 0xBB },
"MD0xCzAJBgNVBAYTAkZSMREwDwYDVQQKEwhDZXJ0cGx1czEbMBkGA1UEAxMSQ2xh"
"c3MgMiBQcmltYXJ5IENB",
"AIW9S/PY2uNp9pTXX8OlRCM=",
nullptr
},
{
// CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
"1.3.6.1.4.1.17326.10.14.2.1.2",
"Camerfirma EV OID a",
SEC_OID_UNKNOWN,
{ 0x78, 0x6A, 0x74, 0xAC, 0x76, 0xAB, 0x14, 0x7F, 0x9C, 0x6A,
0x30, 0x50, 0xBA, 0x9E, 0xA8, 0x7E, 0xFE, 0x9A, 0xCE, 0x3C },
"MIGuMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBh"
"ZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJ"
"QTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xKTAnBgNVBAMT"
"IENoYW1iZXJzIG9mIENvbW1lcmNlIFJvb3QgLSAyMDA4",
"AKPaQn6ksa7a",
nullptr
},
{
// CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
"1.3.6.1.4.1.17326.10.8.12.1.2",
"Camerfirma EV OID b",
SEC_OID_UNKNOWN,
{ 0x4A, 0xBD, 0xEE, 0xEC, 0x95, 0x0D, 0x35, 0x9C, 0x89, 0xAE,
0xC7, 0x52, 0xA1, 0x2C, 0x5B, 0x29, 0xF6, 0xD6, 0xAA, 0x0C },
"MIGsMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBh"
"ZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJ"
"QTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xJzAlBgNVBAMT"
"Hkdsb2JhbCBDaGFtYmVyc2lnbiBSb290IC0gMjAwOA==",
"AMnN0+nVfSPO",
nullptr
},
{
// CN=TC TrustCenter Universal CA III,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
"1.2.276.0.44.1.1.1.4",
"TC TrustCenter EV OID",
SEC_OID_UNKNOWN,
{ 0x96, 0x56, 0xCD, 0x7B, 0x57, 0x96, 0x98, 0x95, 0xD0, 0xE1,
0x41, 0x46, 0x68, 0x06, 0xFB, 0xB8, 0xC6, 0x11, 0x06, 0x87 },
"MHsxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSQw"
"IgYDVQQLExtUQyBUcnVzdENlbnRlciBVbml2ZXJzYWwgQ0ExKDAmBgNVBAMTH1RD"
"IFRydXN0Q2VudGVyIFVuaXZlcnNhbCBDQSBJSUk=",
"YyUAAQACFI0zFQLkbPQ=",
nullptr
},
{
// CN=AffirmTrust Commercial,O=AffirmTrust,C=US
"1.3.6.1.4.1.34697.2.1",
"AffirmTrust EV OID a",
SEC_OID_UNKNOWN,
{ 0xF9, 0xB5, 0xB6, 0x32, 0x45, 0x5F, 0x9C, 0xBE, 0xEC, 0x57,
0x5F, 0x80, 0xDC, 0xE9, 0x6E, 0x2C, 0xC7, 0xB2, 0x78, 0xB7 },
"MEQxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwW"
"QWZmaXJtVHJ1c3QgQ29tbWVyY2lhbA==",
"d3cGJyapsXw=",
nullptr
},
{
// CN=AffirmTrust Networking,O=AffirmTrust,C=US
"1.3.6.1.4.1.34697.2.2",
"AffirmTrust EV OID b",
SEC_OID_UNKNOWN,
{ 0x29, 0x36, 0x21, 0x02, 0x8B, 0x20, 0xED, 0x02, 0xF5, 0x66,
0xC5, 0x32, 0xD1, 0xD6, 0xED, 0x90, 0x9F, 0x45, 0x00, 0x2F },
"MEQxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwW"
"QWZmaXJtVHJ1c3QgTmV0d29ya2luZw==",
"fE8EORzUmS0=",
nullptr
},
{
// CN=AffirmTrust Premium,O=AffirmTrust,C=US
"1.3.6.1.4.1.34697.2.3",
"AffirmTrust EV OID c",
SEC_OID_UNKNOWN,
{ 0xD8, 0xA6, 0x33, 0x2C, 0xE0, 0x03, 0x6F, 0xB1, 0x85, 0xF6,
0x63, 0x4F, 0x7D, 0x6A, 0x06, 0x65, 0x26, 0x32, 0x28, 0x27 },
"MEExCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEcMBoGA1UEAwwT"
"QWZmaXJtVHJ1c3QgUHJlbWl1bQ==",
"bYwURrGmCu4=",
nullptr
},
{
// CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
"1.3.6.1.4.1.34697.2.4",
"AffirmTrust EV OID d",
SEC_OID_UNKNOWN,
{ 0xB8, 0x23, 0x6B, 0x00, 0x2F, 0x1D, 0x16, 0x86, 0x53, 0x01,
0x55, 0x6C, 0x11, 0xA4, 0x37, 0xCA, 0xEB, 0xFF, 0xC3, 0xBB },
"MEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwX"
"QWZmaXJtVHJ1c3QgUHJlbWl1bSBFQ0M=",
"dJclisc/elQ=",
nullptr
},
{
// CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
"1.2.616.1.113527.2.5.1.1",
"Certum EV OID",
SEC_OID_UNKNOWN,
{ 0x07, 0xE0, 0x32, 0xE0, 0x20, 0xB7, 0x2C, 0x3F, 0x19, 0x2F,
0x06, 0x28, 0xA2, 0x59, 0x3A, 0x19, 0xA7, 0x0F, 0x06, 0x9E },
"MH4xCzAJBgNVBAYTAlBMMSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBT"
"LkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAg"
"BgNVBAMTGUNlcnR1bSBUcnVzdGVkIE5ldHdvcmsgQ0E=",
"BETA",
nullptr
},
{
// CN=Izenpe.com,O=IZENPE S.A.,C=ES
"1.3.6.1.4.1.14777.6.1.1",
"Izenpe EV OID 1",
SEC_OID_UNKNOWN,
{ 0x2F, 0x78, 0x3D, 0x25, 0x52, 0x18, 0xA7, 0x4A, 0x65, 0x39,
0x71, 0xB5, 0x2C, 0xA2, 0x9C, 0x45, 0x15, 0x6F, 0xE9, 0x19 },
"MDgxCzAJBgNVBAYTAkVTMRQwEgYDVQQKDAtJWkVOUEUgUy5BLjETMBEGA1UEAwwK"
"SXplbnBlLmNvbQ==",
"ALC3WhZIX7/hy/WL1xnmfQ==",
nullptr
},
{
// CN=Izenpe.com,O=IZENPE S.A.,C=ES
"1.3.6.1.4.1.14777.6.1.2",
"Izenpe EV OID 2",
SEC_OID_UNKNOWN,
{ 0x2F, 0x78, 0x3D, 0x25, 0x52, 0x18, 0xA7, 0x4A, 0x65, 0x39,
0x71, 0xB5, 0x2C, 0xA2, 0x9C, 0x45, 0x15, 0x6F, 0xE9, 0x19 },
"MDgxCzAJBgNVBAYTAkVTMRQwEgYDVQQKDAtJWkVOUEUgUy5BLjETMBEGA1UEAwwK"
"SXplbnBlLmNvbQ==",
"ALC3WhZIX7/hy/WL1xnmfQ==",
nullptr
},
{
// CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
"1.2.40.0.17.1.22",
"A-Trust EV OID",
SEC_OID_UNKNOWN,
{ 0xD3, 0xC0, 0x63, 0xF2, 0x19, 0xED, 0x07, 0x3E, 0x34, 0xAD,
0x5D, 0x75, 0x0B, 0x32, 0x76, 0x29, 0xFF, 0xD5, 0x9A, 0xF2 },
"MIGNMQswCQYDVQQGEwJBVDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hl"
"cmhlaXRzc3lzdGVtZSBpbSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMRkwFwYD"
"VQQLDBBBLVRydXN0LW5RdWFsLTAzMRkwFwYDVQQDDBBBLVRydXN0LW5RdWFsLTAz",
"AWwe",
nullptr
},
{
// CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
"1.3.6.1.4.1.7879.13.24.1",
"T-Systems EV OID",
SEC_OID_UNKNOWN,
{ 0x55, 0xA6, 0x72, 0x3E, 0xCB, 0xF2, 0xEC, 0xCD, 0xC3, 0x23,
0x74, 0x70, 0x19, 0x9D, 0x2A, 0xBE, 0x11, 0xE3, 0x81, 0xD1 },
"MIGCMQswCQYDVQQGEwJERTErMCkGA1UECgwiVC1TeXN0ZW1zIEVudGVycHJpc2Ug"
"U2VydmljZXMgR21iSDEfMB0GA1UECwwWVC1TeXN0ZW1zIFRydXN0IENlbnRlcjEl"
"MCMGA1UEAwwcVC1UZWxlU2VjIEdsb2JhbFJvb3QgQ2xhc3MgMw==",
"AQ==",
nullptr
},
{
// CN=TURKTRUST Elektronik Sertifika Hizmet Saglayicisi,O=TURKTRUST Bilgi Illetisim ve Bilisim Guvenligi Hizmetleri A.S.,C=TR
"2.16.792.3.0.3.1.1.5",
"TurkTrust EV OID",
SEC_OID_UNKNOWN,
{ 0xF1, 0x7F, 0x6F, 0xB6, 0x31, 0xDC, 0x99, 0xE3, 0xA3, 0xC8,
0x7F, 0xFE, 0x1C, 0xF1, 0x81, 0x10, 0x88, 0xD9, 0x60, 0x33 },
"MIG/MT8wPQYDVQQDDDZUw5xSS1RSVVNUIEVsZWt0cm9uaWsgU2VydGlmaWthIEhp"
"em1ldCBTYcSfbGF5xLFjxLFzxLExCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmth"
"cmExXjBcBgNVBAoMVVTDnFJLVFJVU1QgQmlsZ2kgxLBsZXRpxZ9pbSB2ZSBCaWxp"
"xZ9pbSBHw7x2ZW5sacSfaSBIaXptZXRsZXJpIEEuxZ4uIChjKSBBcmFsxLFrIDIw"
"MDc=",
"AQ==",
nullptr
},
{
// CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
"1.3.6.1.4.1.29836.1.10",
"CNNIC EV OID",
SEC_OID_UNKNOWN,
{ 0x4F, 0x99, 0xAA, 0x93, 0xFB, 0x2B, 0xD1, 0x37, 0x26, 0xA1,
0x99, 0x4A, 0xCE, 0x7F, 0xF0, 0x05, 0xF2, 0x93, 0x5D, 0x1E },
"MIGKMQswCQYDVQQGEwJDTjEyMDAGA1UECgwpQ2hpbmEgSW50ZXJuZXQgTmV0d29y"
"ayBJbmZvcm1hdGlvbiBDZW50ZXIxRzBFBgNVBAMMPkNoaW5hIEludGVybmV0IE5l"
"dHdvcmsgSW5mb3JtYXRpb24gQ2VudGVyIEVWIENlcnRpZmljYXRlcyBSb290",
"SJ8AAQ==",
nullptr
},
{
// CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
"1.3.6.1.4.1.40869.1.1.22.3",
"TWCA EV OID",
SEC_OID_UNKNOWN,
{ 0xCF, 0x9E, 0x87, 0x6D, 0xD3, 0xEB, 0xFC, 0x42, 0x26, 0x97,
0xA3, 0xB5, 0xA3, 0x7A, 0xA0, 0x76, 0xA9, 0x06, 0x23, 0x48 },
"MF8xCzAJBgNVBAYTAlRXMRIwEAYDVQQKDAlUQUlXQU4tQ0ExEDAOBgNVBAsMB1Jv"
"b3QgQ0ExKjAoBgNVBAMMIVRXQ0EgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0"
"eQ==",
"AQ==",
nullptr
},
{
// CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE
"1.3.6.1.4.1.4788.2.202.1",
"D-TRUST EV OID",
SEC_OID_UNKNOWN,
{ 0x96, 0xC9, 0x1B, 0x0B, 0x95, 0xB4, 0x10, 0x98, 0x42, 0xFA,
0xD0, 0xD8, 0x22, 0x79, 0xFE, 0x60, 0xFA, 0xB9, 0x16, 0x83 },
"MFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMM"
"IUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAwOQ==",
"CYP0",
nullptr
},
{
// CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
"2.16.756.1.83.21.0",
"Swisscom EV OID",
SEC_OID_UNKNOWN,
{ 0xE7, 0xA1, 0x90, 0x29, 0xD3, 0xD5, 0x52, 0xDC, 0x0D, 0x0F,
0xC6, 0x92, 0xD3, 0xEA, 0x88, 0x0D, 0x15, 0x2E, 0x1A, 0x6B },
"MGcxCzAJBgNVBAYTAmNoMREwDwYDVQQKEwhTd2lzc2NvbTElMCMGA1UECxMcRGln"
"aXRhbCBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEeMBwGA1UEAxMVU3dpc3Njb20gUm9v"
"dCBFViBDQSAy",
"APL6ZOJ0Y9ON/RAdBB92ylg=",
nullptr
},
{
// CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
"2.16.840.1.113733.1.7.23.6",
"VeriSign EV OID",
SEC_OID_UNKNOWN,
{ 0x36, 0x79, 0xCA, 0x35, 0x66, 0x87, 0x72, 0x30, 0x4D, 0x30,
0xA5, 0xFB, 0x87, 0x3B, 0x0F, 0xA7, 0x7B, 0xB7, 0x0D, 0x54 },
"MIG9MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNV"
"BAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA4IFZl"
"cmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxODA2BgNVBAMT"
"L1ZlcmlTaWduIFVuaXZlcnNhbCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5",
"QBrEZCGzEyEDDrvkEhrFHQ==",
nullptr
},
{
// CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
"1.3.6.1.4.1.14370.1.6",
"GeoTrust EV OID",
SEC_OID_UNKNOWN,
{ 0x03, 0x9E, 0xED, 0xB8, 0x0B, 0xE7, 0xA0, 0x3C, 0x69, 0x53,
0x89, 0x3B, 0x20, 0xD2, 0xD9, 0x32, 0x3A, 0x4C, 0x2A, 0xFD },
"MIGYMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjE5MDcGA1UE"
"CxMwKGMpIDIwMDggR2VvVHJ1c3QgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBv"
"bmx5MTYwNAYDVQQDEy1HZW9UcnVzdCBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0"
"aG9yaXR5IC0gRzM=",
"FaxulBmyeUtB9iepwxgPHw==",
nullptr
},
{
// CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
"2.16.840.1.113733.1.7.48.1",
"Thawte EV OID",
SEC_OID_UNKNOWN,
{ 0xF1, 0x8B, 0x53, 0x8D, 0x1B, 0xE9, 0x03, 0xB6, 0xA6, 0xF0,
0x56, 0x43, 0x5B, 0x17, 0x15, 0x89, 0xCA, 0xF3, 0x6B, 0xF2 },
"MIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSgwJgYDVQQL"
"Ex9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYDVQQLEy8oYykg"
"MjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEkMCIG"
"A1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz",
"YAGXt0an6rS0mtZLL/eQ+w==",
nullptr
},
{
// CN = Autoridad de Certificacion Firmaprofesional CIF A62634068, C = ES
"1.3.6.1.4.1.13177.10.1.3.10",
"Firmaprofesional EV OID",
SEC_OID_UNKNOWN,
{ 0xAE, 0xC5, 0xFB, 0x3F, 0xC8, 0xE1, 0xBF, 0xC4, 0xE5, 0x4F,
0x03, 0x07, 0x5A, 0x9A, 0xE8, 0x00, 0xB7, 0xF7, 0xB6, 0xFA },
"MFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUgQ2VydGlmaWNh"
"Y2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjg=",
"U+w77vuySF8=",
nullptr
},
{
// CN = TWCA Global Root CA, OU = Root CA, O = TAIWAN-CA, C = TW
"1.3.6.1.4.1.40869.1.1.22.3",
"TWCA EV OID",
SEC_OID_UNKNOWN,
{ 0x9C, 0xBB, 0x48, 0x53, 0xF6, 0xA4, 0xF6, 0xD3, 0x52, 0xA4,
0xE8, 0x32, 0x52, 0x55, 0x60, 0x13, 0xF5, 0xAD, 0xAF, 0x65 },
"MFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsTB1Jv"
"b3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3QgQ0E=",
"DL4=",
nullptr
},
{
// CN = E-Tugra Certification Authority, OU = E-Tugra Sertifikasyon Merkezi, O = E-TuÄŸra EBG BiliÅŸim Teknolojileri ve Hizmetleri A.Åž., L = Ankara, C = TR
"2.16.792.3.0.4.1.1.4",
"ETugra EV OID",
SEC_OID_UNKNOWN,
{ 0x51, 0xC6, 0xE7, 0x08, 0x49, 0x06, 0x6E, 0xF3, 0x92, 0xD4,
0x5C, 0xA0, 0x0D, 0x6D, 0xA3, 0x62, 0x8F, 0xC3, 0x52, 0x39 },
"MIGyMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMUAwPgYDVQQKDDdFLVR1"
"xJ9yYSBFQkcgQmlsacWfaW0gVGVrbm9sb2ppbGVyaSB2ZSBIaXptZXRsZXJpIEEu"
"xZ4uMSYwJAYDVQQLDB1FLVR1Z3JhIFNlcnRpZmlrYXN5b24gTWVya2V6aTEoMCYG"
"A1UEAwwfRS1UdWdyYSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
"amg+nFGby1M=",
nullptr
}
};
static SECOidTag
register_oid(const SECItem* oid_item, const char* oid_name)
{
if (!oid_item)
return SEC_OID_UNKNOWN;
SECOidData od;
od.oid.len = oid_item->len;
od.oid.data = oid_item->data;
od.offset = SEC_OID_UNKNOWN;
od.desc = oid_name;
od.mechanism = CKM_INVALID_MECHANISM;
od.supportedExtension = INVALID_CERT_EXTENSION;
return SECOID_AddEntry(&od);
}
#ifndef NSS_NO_LIBPKIX
static void
addToCertListIfTrusted(CERTCertList* certList, CERTCertificate* cert) {
CERTCertTrust nssTrust;
if (CERT_GetCertTrust(cert, &nssTrust) != SECSuccess) {
return;
}
unsigned int flags = SEC_GET_TRUST_FLAGS(&nssTrust, trustSSL);
if (flags & CERTDB_TRUSTED_CA) {
CERT_AddCertToListTail(certList, CERT_DupCertificate(cert));
}
}
#endif
static bool
isEVPolicy(SECOidTag policyOIDTag)
{
for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
if (policyOIDTag == entry.oid_tag) {
return true;
}
}
return false;
}
namespace mozilla { namespace psm {
#ifndef NSS_NO_LIBPKIX
CERTCertList*
GetRootsForOid(SECOidTag oid_tag)
{
CERTCertList* certList = CERT_NewCertList();
if (!certList)
return nullptr;
for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
if (entry.oid_tag == oid_tag) {
addToCertListIfTrusted(certList, entry.cert);
}
}
return certList;
}
#endif
bool
CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert,
const mozilla::pkix::CertPolicyId& policy)
{
PR_ASSERT(cert);
if (!cert) {
return false;
}
for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
if (entry.cert && CERT_CompareCerts(cert, entry.cert)) {
const SECOidData* oidData = SECOID_FindOIDByTag(entry.oid_tag);
if (oidData && oidData->oid.len == policy.numBytes &&
!memcmp(oidData->oid.data, policy.bytes, policy.numBytes)) {
return true;
}
}
}
return false;
}
static PRStatus
IdentityInfoInit()
{
for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
SECStatus rv;
CERTIssuerAndSN ias;
rv = ATOB_ConvertAsciiToItem(&ias.derIssuer, const_cast<char*>(entry.issuer_base64));
PR_ASSERT(rv == SECSuccess);
if (rv != SECSuccess) {
return PR_FAILURE;
}
rv = ATOB_ConvertAsciiToItem(&ias.serialNumber,
const_cast<char*>(entry.serial_base64));
PR_ASSERT(rv == SECSuccess);
if (rv != SECSuccess) {
SECITEM_FreeItem(&ias.derIssuer, false);
return PR_FAILURE;
}
ias.serialNumber.type = siUnsignedInteger;
entry.cert = CERT_FindCertByIssuerAndSN(nullptr, &ias);
SECITEM_FreeItem(&ias.derIssuer, false);
SECITEM_FreeItem(&ias.serialNumber, false);
// If an entry is missing in the NSS root database, it may be because the
// root database is out of sync with what we expect (e.g. a different
// version of system NSS is installed). We will just silently avoid
// treating that root cert as EV.
if (!entry.cert) {
#ifdef DEBUG
// The debug CA info is at position 0, and is NOT on the NSS root db
if (iEV == 0) {
continue;
}
#endif
PR_NOT_REACHED("Could not find EV root in NSS storage");
continue;
}
unsigned char certFingerprint[20];
rv = PK11_HashBuf(SEC_OID_SHA1, certFingerprint,
entry.cert->derCert.data,
static_cast<int32_t>(entry.cert->derCert.len));
PR_ASSERT(rv == SECSuccess);
if (rv == SECSuccess) {
bool same = !memcmp(certFingerprint, entry.ev_root_sha1_fingerprint, 20);
PR_ASSERT(same);
if (same) {
SECItem ev_oid_item;
ev_oid_item.data = nullptr;
ev_oid_item.len = 0;
rv = SEC_StringToOID(nullptr, &ev_oid_item, entry.dotted_oid, 0);
PR_ASSERT(rv == SECSuccess);
if (rv == SECSuccess) {
entry.oid_tag = register_oid(&ev_oid_item, entry.oid_name);
if (entry.oid_tag == SEC_OID_UNKNOWN) {
rv = SECFailure;
}
SECITEM_FreeItem(&ev_oid_item, false);
}
} else {
PR_SetError(SEC_ERROR_BAD_DATA, 0);
rv = SECFailure;
}
}
if (rv != SECSuccess) {
CERT_DestroyCertificate(entry.cert);
entry.cert = nullptr;
entry.oid_tag = SEC_OID_UNKNOWN;
return PR_FAILURE;
}
}
return PR_SUCCESS;
}
static PRCallOnceType sIdentityInfoCallOnce;
void
EnsureIdentityInfoLoaded()
{
(void) PR_CallOnce(&sIdentityInfoCallOnce, IdentityInfoInit);
}
void
CleanupIdentityInfo()
{
for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
nsMyTrustedEVInfo &entry = myTrustedEVInfos[iEV];
if (entry.cert) {
CERT_DestroyCertificate(entry.cert);
entry.cert = nullptr;
}
}
memset(&sIdentityInfoCallOnce, 0, sizeof(PRCallOnceType));
}
// Find the first policy OID that is known to be an EV policy OID.
SECStatus
GetFirstEVPolicy(CERTCertificate* cert,
/*out*/ mozilla::pkix::CertPolicyId& policy,
/*out*/ SECOidTag& policyOidTag)
{
if (!cert) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
}
if (cert->extensions) {
for (int i=0; cert->extensions[i]; i++) {
const SECItem* oid = &cert->extensions[i]->id;
SECOidTag oidTag = SECOID_FindOIDTag(oid);
if (oidTag != SEC_OID_X509_CERTIFICATE_POLICIES)
continue;
SECItem* value = &cert->extensions[i]->value;
CERTCertificatePolicies* policies;
CERTPolicyInfo** policyInfos;
policies = CERT_DecodeCertificatePoliciesExtension(value);
if (!policies)
continue;
policyInfos = policies->policyInfos;
bool found = false;
while (*policyInfos) {
const CERTPolicyInfo* policyInfo = *policyInfos++;
SECOidTag oid_tag = policyInfo->oid;
if (oid_tag != SEC_OID_UNKNOWN && isEVPolicy(oid_tag)) {
const SECOidData* oidData = SECOID_FindOIDByTag(oid_tag);
PR_ASSERT(oidData);
PR_ASSERT(oidData->oid.data);
PR_ASSERT(oidData->oid.len > 0);
PR_ASSERT(oidData->oid.len <= mozilla::pkix::CertPolicyId::MAX_BYTES);
if (oidData && oidData->oid.data && oidData->oid.len > 0 &&
oidData->oid.len <= mozilla::pkix::CertPolicyId::MAX_BYTES) {
policy.numBytes = static_cast<uint16_t>(oidData->oid.len);
memcpy(policy.bytes, oidData->oid.data, policy.numBytes);
policyOidTag = oid_tag;
found = true;
}
break;
}
}
CERT_DestroyCertificatePoliciesExtension(policies);
if (found) {
return SECSuccess;
}
}
}
PR_SetError(SEC_ERROR_POLICY_VALIDATION_FAILED, 0);
return SECFailure;
}
} } // namespace mozilla::psm