зеркало из https://github.com/mozilla/gecko-dev.git
f27f0bf4d1
There is a late-breaking EV compatibility concern with cross signatures for EV
certificates:
Firefox's EV handling code always validates EV using the first EV policy OID
expressed in a certificate. For compatibility certificates issued under a cross-
signed root, if the first EV policy OID matches the original Symantec EV policy
OID, then Firefox will attempt to verify that the root CA matches the original
Symantec EV CA -- which it won't, as the root will be one of DigiCert's. Without
a patch, EV treatment will break.
This patch removes all EV policy OIDs for roots mentioned in TrustOverride-
SymantecData.inc, letting the moz::pkix algorithm pick other EV policy OIDs to
validate. I verified that I removed all affected OIDs using the BASH shell
commands:
$ cd security/certverifier
$ grep "CN=" TrustOverride-SymantecData.inc | sed -e 's/.*\(CN=.*\).*/\1/' |
sort | uniq | while read r; do
echo $r; grep "$r" ExtendedValidation.cpp;
done
Reviewers should help me ensure that I did not remove any unexpected EV policy
OIDs.
Differential Revision: https://phabricator.services.mozilla.com/D4709
--HG--
extra : moz-landing-system : lando
|
||
|---|---|---|
| .. | ||
| tests/gtest | ||
| BRNameMatchingPolicy.cpp | ||
| BRNameMatchingPolicy.h | ||
| BTInclusionProof.h | ||
| BTVerifier.cpp | ||
| BTVerifier.h | ||
| Buffer.cpp | ||
| Buffer.h | ||
| CTDiversityPolicy.cpp | ||
| CTDiversityPolicy.h | ||
| CTKnownLogs.h | ||
| CTLog.h | ||
| CTLogVerifier.cpp | ||
| CTLogVerifier.h | ||
| CTObjectsExtractor.cpp | ||
| CTObjectsExtractor.h | ||
| CTPolicyEnforcer.cpp | ||
| CTPolicyEnforcer.h | ||
| CTSerialization.cpp | ||
| CTSerialization.h | ||
| CTUtils.h | ||
| CTVerifyResult.cpp | ||
| CTVerifyResult.h | ||
| CertVerifier.cpp | ||
| CertVerifier.h | ||
| ExtendedValidation.cpp | ||
| ExtendedValidation.h | ||
| MultiLogCTVerifier.cpp | ||
| MultiLogCTVerifier.h | ||
| NSSCertDBTrustDomain.cpp | ||
| NSSCertDBTrustDomain.h | ||
| OCSPCache.cpp | ||
| OCSPCache.h | ||
| OCSPVerificationTrustDomain.cpp | ||
| OCSPVerificationTrustDomain.h | ||
| SignedCertificateTimestamp.cpp | ||
| SignedCertificateTimestamp.h | ||
| SignedTreeHead.h | ||
| TrustOverride-AppleGoogleDigiCertData.inc | ||
| TrustOverride-GlobalSignData.inc | ||
| TrustOverride-StartComAndWoSignData.inc | ||
| TrustOverride-SymantecData.inc | ||
| TrustOverride-TestImminentDistrustData.inc | ||
| TrustOverrideUtils.h | ||
| moz.build | ||