bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj

MozReview-Commit-ID: 1itMZuWY9HO --HG-- extra : rebase_source : 5e46c04d959ab1b6e7c961e0b5d4fff7ad6417bc
2016-10-12 17:02:33 -07:00 · 2016-10-12 17:02:33 -07:00 · 544761d217
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@ -17,6 +17,7 @@
 #include "certdb.h"
 #include "mozilla/Assertions.h"
 #include "mozilla/Casting.h"
+#include "mozilla/PodOperations.h"
 #include "mozilla/UniquePtr.h"
 #include "mozilla/Unused.h"
 #include "nsNSSCertificate.h"
@ -32,6 +33,7 @@
 #include "secerr.h"

 #include "CNNICHashWhitelist.inc"
+#include "StartComAndWoSignData.inc"

 using namespace mozilla;
 using namespace mozilla::pkix;
@ -729,6 +731,61 @@ private:
  const uint8_t* mTarget;
 };

+static bool
+CertIsStartComOrWoSign(const CERTCertificate* cert)
+{
+  for (const DataAndLength& dn : StartComAndWoSignDNs) {
+    if (cert->derSubject.len == dn.len &&
+        PodEqual(cert->derSubject.data, dn.data, dn.len)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// If a certificate in the given chain appears to have been issued by one of
+// seven roots operated by StartCom and WoSign that are not trusted to issue new
+// certificates, verify that the end-entity has a notBefore date before 21
+// October 2016. If the value of notBefore is after this time, the chain is not
+// valid.
+// (NB: While there are seven distinct roots being checked for, two of them
+// share distinguished names, resulting in six distinct distinguished names to
+// actually look for.)
+static Result
+CheckForStartComOrWoSign(const UniqueCERTCertList& certChain)
+{
+  if (CERT_LIST_EMPTY(certChain)) {
+    return Result::FATAL_ERROR_LIBRARY_FAILURE;
+  }
+  const CERTCertListNode* endEntityNode = CERT_LIST_HEAD(certChain);
+  if (!endEntityNode || !endEntityNode->cert) {
+    return Result::FATAL_ERROR_LIBRARY_FAILURE;
+  }
+  PRTime notBefore;
+  PRTime notAfter;
+  if (CERT_GetCertTimes(endEntityNode->cert, &notBefore, &notAfter)
+        != SECSuccess) {
+    return Result::FATAL_ERROR_LIBRARY_FAILURE;
+  }
+  // PRTime is microseconds since the epoch, whereas JS time is milliseconds.
+  // (new Date("2016-10-21T00:00:00Z")).getTime() * 1000
+  static const PRTime OCTOBER_21_2016 = 1477008000000000;
+  if (notBefore <= OCTOBER_21_2016) {
+    return Success;
+  }
+
+  for (const CERTCertListNode* node = CERT_LIST_HEAD(certChain);
+       !CERT_LIST_END(node, certChain); node = CERT_LIST_NEXT(node)) {
+    if (!node || !node->cert) {
+      return Result::FATAL_ERROR_LIBRARY_FAILURE;
+    }
+    if (CertIsStartComOrWoSign(node->cert)) {
+      return Result::ERROR_REVOKED_CERTIFICATE;
+    }
+  }
+  return Success;
+}
+
 Result
 NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time)
 {
@ -745,6 +802,11 @@ NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time)
    return Result::FATAL_ERROR_LIBRARY_FAILURE;
  }

+  Result rv = CheckForStartComOrWoSign(certList);
+  if (rv != Success) {
+    return rv;
+  }
+
  // If the certificate appears to have been issued by a CNNIC root, only allow
  // it if it is on the whitelist.
  CERTCertListNode* rootNode = CERT_LIST_TAIL(certList);
@ -789,7 +851,7 @@ NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time)
  }

  bool isBuiltInRoot = false;
-  Result rv = IsCertBuiltInRoot(root, isBuiltInRoot);
+  rv = IsCertBuiltInRoot(root, isBuiltInRoot);
  if (rv != Success) {
    return rv;
  }
--- a/security/certverifier/StartComAndWoSignData.inc
+++ b/security/certverifier/StartComAndWoSignData.inc
@ -0,0 +1,89 @@
+// /C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6
+// Using a consistent naming convention, this would actually be called
+// 'CA沃通根证书DN', but since GCC 6.2.1 apparently can't handle UTF-8
+// identifiers, this will have to do.
+static const uint8_t CAWoSignRootDN[72] = {
+  0x30, 0x46, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11,
+  0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D,
+  0x69, 0x74, 0x65, 0x64, 0x31, 0x1B, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03,
+  0x0C, 0x12, 0x43, 0x41, 0x20, 0xE6, 0xB2, 0x83, 0xE9, 0x80, 0x9A, 0xE6, 0xA0,
+  0xB9, 0xE8, 0xAF, 0x81, 0xE4, 0xB9, 0xA6,
+};
+
+// /C=CN/O=WoSign CA Limited/CN=CA WoSign ECC Root
+static const uint8_t CAWoSignECCRootDN[72] = {
+  0x30, 0x46, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11,
+  0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D,
+  0x69, 0x74, 0x65, 0x64, 0x31, 0x1B, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03,
+  0x13, 0x12, 0x43, 0x41, 0x20, 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x45,
+  0x43, 0x43, 0x20, 0x52, 0x6F, 0x6F, 0x74,
+};
+
+// /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign
+static const uint8_t CertificationAuthorityofWoSignDN[87] = {
+  0x30, 0x55, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11,
+  0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D,
+  0x69, 0x74, 0x65, 0x64, 0x31, 0x2A, 0x30, 0x28, 0x06, 0x03, 0x55, 0x04, 0x03,
+  0x13, 0x21, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69,
+  0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x20,
+  0x6F, 0x66, 0x20, 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E,
+};
+
+// /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign G2
+static const uint8_t CertificationAuthorityofWoSignG2DN[90] = {
+  0x30, 0x58, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x43, 0x4E, 0x31, 0x1A, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x11,
+  0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x43, 0x41, 0x20, 0x4C, 0x69, 0x6D,
+  0x69, 0x74, 0x65, 0x64, 0x31, 0x2D, 0x30, 0x2B, 0x06, 0x03, 0x55, 0x04, 0x03,
+  0x13, 0x24, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69,
+  0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x20,
+  0x6F, 0x66, 0x20, 0x57, 0x6F, 0x53, 0x69, 0x67, 0x6E, 0x20, 0x47, 0x32,
+};
+
+// /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
+static const uint8_t StartComCertificationAuthorityDN[127] = {
+  0x30, 0x7D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x49, 0x4C, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x0D,
+  0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20, 0x4C, 0x74, 0x64, 0x2E,
+  0x31, 0x2B, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x22, 0x53, 0x65,
+  0x63, 0x75, 0x72, 0x65, 0x20, 0x44, 0x69, 0x67, 0x69, 0x74, 0x61, 0x6C, 0x20,
+  0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x53,
+  0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67, 0x31, 0x29, 0x30, 0x27, 0x06, 0x03, 0x55,
+  0x04, 0x03, 0x13, 0x20, 0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20,
+  0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E,
+  0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79,
+};
+
+// /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
+static const uint8_t StartComCertificationAuthorityG2DN[85] = {
+  0x30, 0x53, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+  0x49, 0x4C, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x0D,
+  0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20, 0x4C, 0x74, 0x64, 0x2E,
+  0x31, 0x2C, 0x30, 0x2A, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x23, 0x53, 0x74,
+  0x61, 0x72, 0x74, 0x43, 0x6F, 0x6D, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
+  0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F,
+  0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
+};
+
+struct DataAndLength {
+  const uint8_t* data;
+  uint32_t len;
+};
+
+static const DataAndLength StartComAndWoSignDNs[]= {
+ { CAWoSignRootDN,
+   sizeof(CAWoSignRootDN) },
+ { CAWoSignECCRootDN,
+   sizeof(CAWoSignECCRootDN) },
+ { CertificationAuthorityofWoSignDN,
+   sizeof(CertificationAuthorityofWoSignDN) },
+ { CertificationAuthorityofWoSignG2DN,
+   sizeof(CertificationAuthorityofWoSignG2DN) },
+ { StartComCertificationAuthorityDN,
+   sizeof(StartComCertificationAuthorityDN) },
+ { StartComCertificationAuthorityG2DN,
+   sizeof(StartComCertificationAuthorityG2DN) },
+};
--- a/security/manager/ssl/tests/unit/moz.build
+++ b/security/manager/ssl/tests/unit/moz.build
@ -31,5 +31,6 @@ TEST_DIRS += [
    'test_ocsp_url',
    'test_onecrl',
    'test_pinning_dynamic',
+    'test_startcom_wosign',
    'test_validity',
 ]
--- a/security/manager/ssl/tests/unit/test_startcom_wosign.js
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign.js
@ -0,0 +1,43 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests handling of certificates issued by StartCom and WoSign. If such
+// certificates have a notBefore before 21 October 2016, they are handled
+// normally. Otherwise, they are treated as revoked.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
+
+function loadCertWithTrust(certName, trustString) {
+  addCertFromFile(certdb, "test_startcom_wosign/" + certName + ".pem", trustString);
+}
+
+function certFromFile(certName) {
+  return constructCertFromFile("test_startcom_wosign/" + certName + ".pem");
+}
+
+function checkEndEntity(cert, expectedResult) {
+  // (new Date("2016-11-01")).getTime() / 1000
+  const VALIDATION_TIME = 1477958400;
+  checkCertErrorGenericAtTime(certdb, cert, expectedResult,
+                              certificateUsageSSLServer, VALIDATION_TIME);
+}
+
+loadCertWithTrust("ca", "CTu,,");
+// This is not a real StartCom CA - it merely has the same distinguished name as
+// one (namely "/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2",
+// encoded with PrintableStrings). By checking for specific DNs, we can enforce
+// the date-based policy in a way that is testable.
+loadCertWithTrust("StartComCA", ",,");
+checkEndEntity(certFromFile("StartCom-before-cutoff"), PRErrorCodeSuccess);
+checkEndEntity(certFromFile("StartCom-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE);
+
+// Similarly, this is not a real WoSign CA. It has the same distinguished name
+// as "/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign", encoded
+// with PrintableStrings).
+loadCertWithTrust("WoSignCA", ",,");
+checkEndEntity(certFromFile("WoSign-before-cutoff"), PRErrorCodeSuccess);
+checkEndEntity(certFromFile("WoSign-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE);
--- a/security/manager/ssl/tests/unit/test_startcom_wosign/StartCom-after-cutoff.pem
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign/StartCom-after-cutoff.pem
@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGzCCAgWgAwIBAgIUQcnJ38esL8x6sizuR5KC5SFcqMUwCwYJKoZIhvcNAQEL
+MFMxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSwwKgYDVQQD
+EyNTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBHMjAiGA8yMDE2MTAy
+MjAwMDAwMFoYDzIwMTcxMDIyMDAwMDAwWjAgMR4wHAYDVQQDDBVTdGFydENvbS1h
+ZnRlci1jdXRvZmYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjGjAYMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAsG
+CSqGSIb3DQEBCwOCAQEAhvpbb5H8Cokd2S8g/tYMutgqnA7UXrYMiIMTC4AwLua3
+FCbqpHVU8oyAuL2uQ+RIPGIRBgVKgqlz1zrvB3HLX1DJ1yiUUbgDcCfGeLTQ1dOj
+ZEHKYgRxmb6OQyMjaHRvXSlPpuKoA2eymj7IaCyRwX3qxVX1vt7UpVEInpwVusNQ
+L2UH4ni0W/GfoO2z8DgMWv2fJAWaFJlVQgalhEq7qZ0B1vSMsx/exwjsqQiTCdGL
+y46y/wo/sUklpQyX7U3/FsYGAEw27LoJ+pf88Stk5VuTu+Ip5KnbWklRlKDxHoo1
+5VriR2NfFVfqtvapGNougn7t2xEuISVtSp2CKVBuUA==
+-----END CERTIFICATE-----
--- a/security/manager/ssl/tests/unit/test_startcom_wosign/StartCom-after-cutoff.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign/StartCom-after-cutoff.pem.certspec
@ -0,0 +1,4 @@
+issuer:printableString/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
+subject:StartCom-after-cutoff
+validity:20161022-20171022
+extension:subjectAlternativeName:example.com
--- a/security/manager/ssl/tests/unit/test_startcom_wosign/StartCom-before-cutoff.pem
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign/StartCom-before-cutoff.pem
@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHDCCAgagAwIBAgIUWZ9YRoup7gVY1EokoIfmnmi93gYwCwYJKoZIhvcNAQEL
+MFMxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSwwKgYDVQQD
+EyNTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBHMjAiGA8yMDE1MTAy
+MjAwMDAwMFoYDzIwMTcxMDIyMDAwMDAwWjAhMR8wHQYDVQQDDBZTdGFydENvbS1i
+ZWZvcmUtY3V0b2ZmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR
+qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv
+WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+
+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv
+JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5
+Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6
+clHEMdUDrNoYCjXtjQIDAQABoxowGDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAL
+BgkqhkiG9w0BAQsDggEBAFhgX9UQSu/Bde3O4EDhIrl413weRbOsy2qU8UrRMrm5
+3im2TGF2/75rlu3vE3dHQaSqPRiZ1HK1FvHt6faohJKGfbN2AFABIpPleh2evQC8
+wXjOcrURnz0MrK5c9v6gNjUq63n9daeIDLby7CTnKPuVGa2kpOWFI8gBGnOj3a96
+oBO9wfi8fVpKRxK+BoCfwUmF4HzlyQy7hMDcHUuf0rlSch6NKVeUpHBP4XlmnITO
+KC7TCIbM2cGSqsSr8rF5AdeCSf2ZukAHQUwO7W/Bs8OIaqurIjwEnM3E/wqUk/MW
+VzySem5LqHnz4yfeOKR9+DQImKZ0pAWn6cIuumMDP2M=
+-----END CERTIFICATE-----
--- a/security/manager/ssl/tests/unit/test_startcom_wosign/StartCom-before-cutoff.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign/StartCom-before-cutoff.pem.certspec
@ -0,0 +1,4 @@
+issuer:printableString/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
+subject:StartCom-before-cutoff
+validity:20151022-20171022
+extension:subjectAlternativeName:example.com
--- a/security/manager/ssl/tests/unit/test_startcom_wosign/StartComCA.pem
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign/StartComCA.pem
@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCzCCAfWgAwIBAgIUUxFs6jf2B83B+9Xnxmdl0MvdHqUwCwYJKoZIhvcNAQEL
+MA0xCzAJBgNVBAMMAmNhMCIYDzIwMTQxMTI3MDAwMDAwWhgPMjAxNzAyMDQwMDAw
+MDBaMFMxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSwwKgYD
+VQQDEyNTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBHMjCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd
+MBswCwYDVR0PBAQDAgEGMAwGA1UdEwQFMAMBAf8wCwYJKoZIhvcNAQELA4IBAQAZ
+krznugxu7QXXhkohV1lNM2FbN5B9VP4SVhvAzAEsHh4Jwf50czuIuBcWCGA7F7it
+tgCa9yerQ+uI9TI8uvGbCTFJwVUsjgIoJBKRAOcenD3KDEdzMYrTXEfRB5pecbJl
+eCEgx8BaeVYq1aiF8UjA6mtI7uaPJMBravG1nWaLMAqyyrvckp3FSji5bz3RdP9D
+tzXiHcgCGmHL26GspAhjIN1DC3ezv2lwGQav7Iw8vz/urfNg6eGZ7iFtl/QRoyc
+LCzDQ3SD//4ThT60ncLnivqWLWDNZTkS3dn8mdIW2aQsqtB49vh1QYqdLBoZ9/T6
+uaJNBcn1eG41hIqIsEl/
+-----END CERTIFICATE-----
--- a/security/manager/ssl/tests/unit/test_startcom_wosign/StartComCA.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign/StartComCA.pem.certspec
@ -0,0 +1,4 @@
+issuer:ca
+subject:printableString/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
--- a/security/manager/ssl/tests/unit/test_startcom_wosign/WoSign-after-cutoff.pem
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign/WoSign-after-cutoff.pem
@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDGzCCAgWgAwIBAgIUMYT7CkMtLLxN3tKEWzFXFQ6c/gwwCwYJKoZIhvcNAQEL
+MFUxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEqMCgG
+A1UEAxMhQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgb2YgV29TaWduMCIYDzIwMTYx
+MDIyMDAwMDAwWhgPMjAxNzEwMjIwMDAwMDBaMB4xHDAaBgNVBAMME1dvU2lnbi1h
+ZnRlci1jdXRvZmYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjGjAYMBYGA1UdEQQPMA2CC2V4YW1wbGUuY29tMAsG
+CSqGSIb3DQEBCwOCAQEAjBm9k3WX810z55fcMrbsT6AJk4Fhr+rRLth+KWEpkvN+
+gYZymkVIA390oFyH9VxbEGvSIv6bJfB7yVOtL2q6mj9mn7ybRoWlX1HOH7Cjqp7R
+6qivI4nG5Khn6uQxSxBbu26yhHmGcyq0QrhKEGrLzhoQc/0MOg32xnRRNu/bkFiL
+GNsu6wkRnB82aC4qjyohfkNqnaHES+D5ed+GuSD5QEU/r7Gz0Wd1a+MiOBc71R0W
+WDadFfE7sTuMiidSrxdN4j5sGwSvyudM3NlEHhnyn/jJcOzYpTtVOg5qmcrNRxq5
+ppj7eoIfCz+YJVz86cI96TM7S4OL8LG+UU90+3Kd8w==
+-----END CERTIFICATE-----
--- a/security/manager/ssl/tests/unit/test_startcom_wosign/WoSign-after-cutoff.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign/WoSign-after-cutoff.pem.certspec
@ -0,0 +1,4 @@
+issuer:printableString/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign
+subject:WoSign-after-cutoff
+validity:20161022-20171022
+extension:subjectAlternativeName:example.com
--- a/security/manager/ssl/tests/unit/test_startcom_wosign/WoSign-before-cutoff.pem
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign/WoSign-before-cutoff.pem
@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDHDCCAgagAwIBAgIUVWn2KHK/AHKe+8z02VsFj3fXqjAwCwYJKoZIhvcNAQEL
+MFUxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEqMCgG
+A1UEAxMhQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgb2YgV29TaWduMCIYDzIwMTUx
+MDIyMDAwMDAwWhgPMjAxNzEwMjIwMDAwMDBaMB8xHTAbBgNVBAMMFFdvU2lnbi1i
+ZWZvcmUtY3V0b2ZmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR
+qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv
+WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+
+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv
+JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5
+Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6
+clHEMdUDrNoYCjXtjQIDAQABoxowGDAWBgNVHREEDzANggtleGFtcGxlLmNvbTAL
+BgkqhkiG9w0BAQsDggEBALMqCQoOhrBOeIzR7ffMCR/qUNz8LeELms31eF0Ks/Ol
+vMUJ9FBJOVHWq40zXnNBrH3qTVnTgAAZegjepzgggwd52gkkg0aD5WCZZy7TP1ie
+fbcdqC71LWghBZKkl6EFBDcnB4/ssc5MDhFAd3qyH/GHZSwtn2Ekk3vQBudOC/tW
+W/OGS5o+qP3NwtTWXmdD5Q/dmm0wUp9t+4sJ9glwBVDeJfi23QWbR6G2cBBcyzvS
+IZ+F1dOPKrZ23OJufiu4pDLQupC9mpQUWXb5kst+i//52Zsfupe3U/4XjcLbqR+1
+VVhcoBNf/mJs9UMIpaG0tn+j82rw7t8zGd1VMcA/XYM=
+-----END CERTIFICATE-----
--- a/security/manager/ssl/tests/unit/test_startcom_wosign/WoSign-before-cutoff.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign/WoSign-before-cutoff.pem.certspec
@ -0,0 +1,4 @@
+issuer:printableString/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign
+subject:WoSign-before-cutoff
+validity:20151022-20171022
+extension:subjectAlternativeName:example.com
--- a/security/manager/ssl/tests/unit/test_startcom_wosign/WoSignCA.pem
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign/WoSignCA.pem
@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDTCCAfegAwIBAgIUfbsmhHMoPiaMnmoiE39CCcEhFnMwCwYJKoZIhvcNAQEL
+MA0xCzAJBgNVBAMMAmNhMCIYDzIwMTQxMTI3MDAwMDAwWhgPMjAxNzAyMDQwMDAw
+MDBaMFUxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEq
+MCgGA1UEAxMhQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgb2YgV29TaWduMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+ox0wGzALBgNVHQ8EBAMCAQYwDAYDVR0TBAUwAwEB/zALBgkqhkiG9w0BAQsDggEB
+AEje4XX7DBIf+8XJhdOhzJA30JOG3slWzz6tXHGyhOgs6ipysKN1gQf8hXn7Pf/e
+but8bmZlWs96TiPbZaGjlgA0ORVLn3gcS7GJ+3c3NNUOtc9SLpMCaNKUN5KpaIRu
+8Uj1cvBgN3Vz9qCPvLCwZAfnSWu+p27r2tdMksQpU1z4vjbsW1sbpGLE9WOfUGUA
+WSIgA4n9lseCcW7k7g2+j24ovprejPPHAW4ogXhU6CHnWRbY1iitjQ1EtWY/RbpV
+/7vhyc6jZ7ee9VfMk3RnkqKRkKAQnosiOWh2ZYixcAKIYFVFgKtujIfPGlib7z87
+IhPco15Vx/rjeNX+mfU/axs=
+-----END CERTIFICATE-----
--- a/security/manager/ssl/tests/unit/test_startcom_wosign/WoSignCA.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign/WoSignCA.pem.certspec
@ -0,0 +1,4 @@
+issuer:ca
+subject:printableString/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
--- a/security/manager/ssl/tests/unit/test_startcom_wosign/ca.pem
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign/ca.pem
@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxTCCAa+gAwIBAgIUQd13DvR3qDTAkz/7io280SPUCd0wCwYJKoZIhvcNAQEL
+MA0xCzAJBgNVBAMMAmNhMCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAw
+MDBaMA0xCzAJBgNVBAMMAmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu
+Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO
+7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf
+qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt
+HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx
+uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8EBAMCAQYwDAYDVR0T
+BAUwAwEB/zALBgkqhkiG9w0BAQsDggEBAAEilE//BPKAsXleuiF6ITvBkjgJzlaD
+lGphvhPZNXENmYqkSOAZXAglmX0N4mq/1o3OC4IAhxqOj901y+QRM8zdemGDbpG7
+oqvAgeX5JLMKg5zj1lkdVkuNTfnKzNVJOWLHU4T1LrLuUGkVl7ba3s9RrqRmYtu8
+o4IgFUOXopjAo6Be/xrPzrRE6wTOFkhVaShYZBNNN/yJ4Eni4BnwxQ3uNSs6OQOO
+MpHW1Ibil2Oq7xcOmMj3WbB8uWCp1deM7h7l/u8cyUEMSCAhkYgSCorv/rECjP1k
+K3quGWnX3aN7idc4lOZkROIFyKR2V1No5OyUjmR2QKxf2RUq4XEWP2E=
+-----END CERTIFICATE-----
--- a/security/manager/ssl/tests/unit/test_startcom_wosign/ca.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign/ca.pem.certspec
@ -0,0 +1,5 @@
+issuer:ca
+subject:ca
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
--- a/security/manager/ssl/tests/unit/test_startcom_wosign/moz.build
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign/moz.build
@ -0,0 +1,19 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# Temporarily disabled. See bug 1256495.
+#test_certificates = (
+#    'StartCom-after-cutoff.pem',
+#    'StartCom-before-cutoff.pem',
+#    'StartComCA.pem',
+#    'WoSign-after-cutoff.pem',
+#    'WoSign-before-cutoff.pem',
+#    'WoSignCA.pem',
+#    'ca.pem',
+#)
+#
+#for test_certificate in test_certificates:
+#    GeneratedTestCertificate(test_certificate)
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@ -28,6 +28,7 @@ support-files =
  test_pinning_dynamic/**
  test_signed_apps/**
  test_signed_dir/**
+  test_startcom_wosign/**
  test_validity/**
  tlsserver/**

@ -143,6 +144,7 @@ skip-if = toolkit == 'android' || toolkit == 'gonk'
 [test_sss_readstate_garbage.js]
 [test_sss_readstate_huge.js]
 [test_sss_savestate.js]
+[test_startcom_wosign.js]
 [test_sts_fqdn.js]
 [test_sts_holepunch.js]
 [test_sts_ipv4_ipv6.js]