mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-18 07:45:30 +00:00
f27f0bf4d1
There is a late-breaking EV compatibility concern with cross signatures for EV certificates: Firefox's EV handling code always validates EV using the first EV policy OID expressed in a certificate. For compatibility certificates issued under a cross- signed root, if the first EV policy OID matches the original Symantec EV policy OID, then Firefox will attempt to verify that the root CA matches the original Symantec EV CA -- which it won't, as the root will be one of DigiCert's. Without a patch, EV treatment will break. This patch removes all EV policy OIDs for roots mentioned in TrustOverride- SymantecData.inc, letting the moz::pkix algorithm pick other EV policy OIDs to validate. I verified that I removed all affected OIDs using the BASH shell commands: $ cd security/certverifier $ grep "CN=" TrustOverride-SymantecData.inc | sed -e 's/.*\(CN=.*\).*/\1/' | sort | uniq | while read r; do echo $r; grep "$r" ExtendedValidation.cpp; done Reviewers should help me ensure that I did not remove any unexpected EV policy OIDs. Differential Revision: https://phabricator.services.mozilla.com/D4709 --HG-- extra : moz-landing-system : lando |
||
---|---|---|
.. | ||
tests/gtest | ||
BRNameMatchingPolicy.cpp | ||
BRNameMatchingPolicy.h | ||
BTInclusionProof.h | ||
BTVerifier.cpp | ||
BTVerifier.h | ||
Buffer.cpp | ||
Buffer.h | ||
CertVerifier.cpp | ||
CertVerifier.h | ||
CTDiversityPolicy.cpp | ||
CTDiversityPolicy.h | ||
CTKnownLogs.h | ||
CTLog.h | ||
CTLogVerifier.cpp | ||
CTLogVerifier.h | ||
CTObjectsExtractor.cpp | ||
CTObjectsExtractor.h | ||
CTPolicyEnforcer.cpp | ||
CTPolicyEnforcer.h | ||
CTSerialization.cpp | ||
CTSerialization.h | ||
CTUtils.h | ||
CTVerifyResult.cpp | ||
CTVerifyResult.h | ||
ExtendedValidation.cpp | ||
ExtendedValidation.h | ||
moz.build | ||
MultiLogCTVerifier.cpp | ||
MultiLogCTVerifier.h | ||
NSSCertDBTrustDomain.cpp | ||
NSSCertDBTrustDomain.h | ||
OCSPCache.cpp | ||
OCSPCache.h | ||
OCSPVerificationTrustDomain.cpp | ||
OCSPVerificationTrustDomain.h | ||
SignedCertificateTimestamp.cpp | ||
SignedCertificateTimestamp.h | ||
SignedTreeHead.h | ||
TrustOverride-AppleGoogleDigiCertData.inc | ||
TrustOverride-GlobalSignData.inc | ||
TrustOverride-StartComAndWoSignData.inc | ||
TrustOverride-SymantecData.inc | ||
TrustOverride-TestImminentDistrustData.inc | ||
TrustOverrideUtils.h |