summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Bug 1656986 - special-case arm64 in detect_host_arch.py; r=jcjNathan Froyd2020-08-031-0/+2
| | | | | | | | This case comes up when attempting to build NSS on ARM64 Mac. If we don't do this, we wind up detecting arm64 as "arm", with predictably bad consequences. Differential Revision: https://phabricator.services.mozilla.com/D85786
* Bug 1654142 - Add CPU feature detection for Intel SHA extension. r=kjacobsMakoto Kato2020-07-313-0/+11
| | | | Differential Revision: https://phabricator.services.mozilla.com/D84286
* Bug 1653975 - Set "all" as the default Makefile target r=jcj,rrelyeaJan-Marek Glogowski2020-07-291-7/+11
| | | | | | Just reorder the rules in manifest.mn, so all is again the first rule. This restores pre-3.53 Makefile defaults. Differential Revision: https://phabricator.services.mozilla.com/D85195
* Bug 1650702 - Use ARM's crypt extension for SHA1. r=kjacobsMakoto Kato2020-07-297-13/+344
| | | | | | | | | | | | | | | | | | | | | ARM Crypto extension has SHA1 acceleration. Using this, SHA1 is 3 times faster on ARMv8 CPU. The following data is AWS's a1 instance (Cortex-A72). Before ====== ``` # mode in opreps cxreps context op time(sec) thrgput sha1_e 954Mb 31M 0 0.000 10000.000 10.000 95Mb ``` After ===== ``` # mode in opreps cxreps context op time(sec) thrgput sha1_e 2Gb 94M 0 0.000 10000.000 10.000 288Mb ``` Differential Revision: https://phabricator.services.mozilla.com/D84125
* Fix more of the timeout issues on tests. (Drop expensive 4098 dh tests ).Robert Relyea2020-07-272-5/+21
|
* Bug 1648822 Add stricter validation of DH keys when in FIPS mode.Robert Relyea2020-07-2716-46/+5237
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Update: FIPS now also requires us to do y^q mod p testing on key generation (always). We now do that in FIPS mode only, but in all modes we do full DH verification for DH and ECDH. Because of this, the path has now separated out the prime checks, which are now only done for the DH operation if we aren't using a known prime and the subprime value has been provided. I've also learned we can accept keys that we do full validation on in FIPS mode, so I've added that to this patch, though we still can't generate those kinds of keys without adding the subprime at keygen time. The new FIPS standard is dh operations must use approved primes. Approved primes are those selected in the tls and ike RFCs. Currently tls and ike have modes with checks whether the primes are approved, but the check may not always happen. The safest thing to do in FIPS mode is only allow those primes. In addition, FIPS requires 1< y < p-1 (or technically 2<=y<=p-2, since y is an integer those two tests are identical). While making changes I realized we would want a mode where we can do more strict checks on the prime while not requiring that the prime be an approved prime. We already allow for strict checking if q is supplied with the private key, but there were a couple of issues with that check: 1. there was no way of actually setting q in the current NSS pk11wrap interfaces. 2. If the prime was a safe prime, but g was an actual generator, then we would fail the y^q mod p = 1 tests for 50% of the keys, even though those keys are safe. 3. We weren't checking primality of p and q. So the old code: if (q) { check y^q mod p = 1 if not fail } check 1 <y < p-1 (done in DH_Derive). New code: if (! p is approved prime) { if (FIPS) fail; if (q) { y_test = y if (p,q-> p is a safe prime) { y_test = 1 } check prime is prime Fail if not check subprime is subprime fail if not y_test^q mod p = 1 } } check 1 < y < p-1 (done in DH_Derive) This means: Existing code non-fips without setting the subprime continues to run as before. Non-fips code which sets the subprime now runs slower, but p and q are checked if p or q where not prime, the derive fails (which it should). In FIPS mode only approved primes will succeed now. Non-fips code can now set the subprime to q=(p-1)/2 if it doesn't have an explicit q value (like in tls). If the derive succeeds, we know that p is a safe prime. If p is approved, the checks are skipped because we already know that p is a safe prime. Code can optionally do a test derive on a new p and remember it's safe so that we know longer need to check ever call (though if q is not (p-1)/2, you will need to continue to do the checks each call because y could still be a small subgroup). This patch: gtests/softoken_gtest 1. Added New dh tests to softoken_gtests. The tests were added to softoken_gtests because we need to test both non-FIPS and FIPS mode. Test vectors include a category, so the same test vectors can be used in FIPS and non-FIPS even though each class may have different results. Most of the test vectors where created either by dhparams command in openssl, dsaparams in openssl, and the nss makepqg command. Each vector includes a label, prime, base, optional subprime, optional public key, test type, and key class (basically size). 2. If public key is not supplied, we use a generated public key. 3. If subPrime is supplied to wet it on the private key after generation. lib/freebl/dh.c add primality tests to KEA_VerifyKey(). lib/softokn/ 1. Allow CKA_SUBPRIME to be set after key generation or import. This affects how we test for it's existance, since it is now always there on the key, we check it's length to make sure it's non-zero. 2. We implement the psuedocode above as real code. 3. We create two new functions: sftl_VerifyDH_Prime which return SECSuccess if Prime is an approved prime. sftk_IsSafePrime which returns SECSuess of both prime and subprime look reasonable, and sets a Bool to PR_TRUE is subprime -> prime is safe (subprime = (prime-1)/2. These functions are implemented in sftkdhverify.c 4.Cleanup incorrect nominclature on primes (safe primes are not strong primes).
* Bug 1652729 - Add build flag to disable RC2 and relocate to ↵Benjamin Beurdouche2020-07-2411-13/+139
| | | | | | lib/freebl/deprecated. r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D83494
* Bug 1652032 Disable all freebl assembler code for MSVC arm64 ↵Jan-Marek Glogowski2020-07-271-0/+7
| | | | | | | | | | | | | | r=rrelyea,bbeurdouche There are two places, where NSS tries to compile either x86_64 MSVC assembler or GCC aarch64 code, which will fail the build. And also drop the non-MSVC arch build flags for them. AFAI could identify, there isn't any armasm64 compatible asm code in the whole NSS library, so I don't even adapt AS for the build. The cross-build finishes this way. Differential Revision: https://phabricator.services.mozilla.com/D83137
* Set version numbers to 3.56 betaJ.C. Jones2020-07-245-12/+7
|
* Bug 1653310 - Backed out changeset ca207655b4b7, because with updated NSPR ↵Kai Engert2020-07-221-14/+2
| | | | this workaround is no longer required. r=kjacobe
* Added tag NSS_3_55_BETA1 for changeset 0768baa431e7Kevin Jacobs2020-07-210-0/+0
|
* Bug 1653202 - Fix issue disabling other mechanisms when SEED is deprecated ↵NSS_3_55_BETA1Benjamin Beurdouche2020-07-211-2/+2
| | | | | | in cmd/bltest/blapitest.c. r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D83758
* Bug 1652331 - NSS 3.55 should depend on NSPR 4.27. r=kaieKevin Jacobs2020-07-211-1/+1
| | | | Differential Revision: https://phabricator.services.mozilla.com/D84362
* Bug 1631573: Remove unnecessary scalar padding in ec.c r=kjacobs,bbeurdoucheBilly Brumley2020-07-201-21/+0
| | | | | | | | | Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding. Timing attack countermeasures are now applied more generally deeper in the call stack. Differential Revision: https://phabricator.services.mozilla.com/D82011
* Bug 1653310 - On macOS check if nssckbi exists prior to loading it. r=kjacobsKai Engert2020-07-201-2/+14
| | | | Differential Revision: https://phabricator.services.mozilla.com/D84194
* Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. r=kjacobs,rrelyeaBenjamin Beurdouche2020-07-182-0/+50
| | | | | | Depends on D74801 Differential Revision: https://phabricator.services.mozilla.com/D83994
* Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11. ↵Benjamin Beurdouche2020-07-182-3/+10
| | | | | | r=jcj,kjacobs,rrelyea Differential Revision: https://phabricator.services.mozilla.com/D74801
* Bug 1637222 - Enforce IV length check for DES. r=kjacobs,jcjBenjamin Beurdouche2020-07-161-7/+4
| | | | Differential Revision: https://phabricator.services.mozilla.com/D75774
* Bug 1631583 - ECC: constant time P-521 r=kjacobs,rrelyea,bbeurdoucheBilly Brumley2020-07-165-1/+11824
| | | | | | | | | | | This portable code contributed by the Network and Information Security Group (NISEC) at Tampere University comes from: [ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic. Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi> Co-authored-by: Jesús-Javier Chi-Domínguez <jesus.chidominguez@tuni.fi> Differential Revision: https://phabricator.services.mozilla.com/D80012
* Bug 1631583 - ECC: constant time P-384 r=bbeurdouche,rrelyeaBilly Brumley2020-07-166-1/+19681
| | | | | | | | | | | This portable code contributed by the Network and Information Security Group (NISEC) at Tampere University comes from: [ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic. Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi> Co-authored-by: Jesús-Javier Chi-Domínguez <jesus.chidominguez@tuni.fi> Differential Revision: https://phabricator.services.mozilla.com/D79267
* Bug 1643528 Cannot compile code with nss headers and -Werror=strict-prototypesRobert Relyea2020-07-131-1/+1
| | | | r=kjacobs
* Bug 1646324, advertise rsa_pkcs1_* schemes in CH and CR for certs, r=mtDaiki Ueno2020-07-105-13/+91
| | | | | | | | | | | | | | | | | | | | | Summary: In TLS 1.3, unless "signature_algorithms_cert" is advertised, the "signature_algorithms" extension is used as an indication of supported algorithms for signatures on certificates. While rsa_pkcs1_* signatures schemes cannot be used for signing handshake messages, they should be advertised if the peer wants to to support certificates signed with RSA PKCS#1. This adds a flag to ssl3_EncodeSigAlgs() and ssl3_FilterSigAlgs() to preserve rsa_pkcs1_* schemes in the output. Reviewers: mt Reviewed By: mt Bug #: 1646324 Differential Revision: https://phabricator.services.mozilla.com/D80881
* Bug 1649648 - Fix null pointers passed as argument in pk11wrap/pk11pbe.c:886 ↵Benjamin Beurdouche2020-07-092-9/+47
| | | | | | r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D81824
* Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobsJ.C. Jones2020-07-091-2/+4
| | | | | | | | | Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before accessing slot after obtaining it, even though slotLock is defined as its lock. [0] [0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8a9fbde/lib/softoken/pkcs11i.h#320-321 Differential Revision: https://phabricator.services.mozilla.com/D82955
* Bug 1649322 - Fix null pointer passed as argument in pk11wrap/pk11pbe.c:1246 ↵Benjamin Beurdouche2020-07-092-4/+3
| | | | | | | | r=kjacobs This is a fixup patch that reverts https://hg.mozilla.org/projects/nss/rev/cc43ebf5bf88355837c5fafa2f3c46e37626707a and adds a null check around the memcpy in question. Differential Revision: https://phabricator.services.mozilla.com/D82494
* Bug 1647752 - Update DTLS 1.3 implementation to draft-38. r=mtKevin Jacobs2020-07-0813-14/+99
| | | | | | | | | | | This patch updates DTLS 1.3 to draft-38. Specifically: # `ssl_ct_ack` value changes from 25 to 26. # AEAD limits in `tls13_UnprotectRecord` enforce a maximum of 2^36-1 (as we only support GCM/ChaCha20 AEADs) decryption failures before the connection is closed. # Post-handshake authentication will no longer be negotiated in DTLS 1.3. This allows us to side-step the more convoluted state machine requirements. Differential Revision: https://phabricator.services.mozilla.com/D82421
* Bug 1067214 - Check minimum padding in RSA_CheckSignRecover. r=rrelyeaKevin Jacobs2020-07-072-0/+120
| | | | | | This patch adds a check to `RSA_CheckSignRecover` enforcing a minimum padding length of 8 bytes for PKCS #1 v1.5-formatted signatures. In practice, RSA key size requirements already ensure this requirement is met, but smaller (read: broken) key sizes can be used via configuration overrides, and NSS should just follow the spec. Differential Revision: https://phabricator.services.mozilla.com/D82462
* Bug 1649633 - follow-up to make test comparisons in ↵Dana Keeler2020-07-061-94/+89
| | | | | | pk11_find_certs_unittest.cc yoda comparisons r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D82460
* Bug 1649633 - add PK11_FindEncodedCertInSlot r=kjacobs,jcjDana Keeler2020-07-065-79/+92
| | | | | | | | PK11_FindEncodedCertInSlot can be used to determine the PKCS#11 object handle of an encoded certificate in a given slot. If the given certificate does not exist in that slot, CK_INVALID_HANDLE is returned. Differential Revision: https://phabricator.services.mozilla.com/D81924
* Bug 1649487 - Fix bad assert in VFY_EndWithSignature. r=jcjAlexander Scheel2020-07-021-1/+1
| | | | Differential Revision: https://phabricator.services.mozilla.com/D82054
* Bug 1649316 - Prevent memcmp to be called with a zero length in ↵Benjamin Beurdouche2020-07-021-1/+1
| | | | | | ssl/ssl3con.c:6621 r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D81667
* Bug 1646594 - Enable AVX2 if applicable on x86_64 with make 4.3 r=bbeurdoucheDanh2020-06-303-2/+10
|
* Bug 1649322 - Fix null pointer passed as argument in pk11wrap/pk11pbe.c:1246 ↵Benjamin Beurdouche2020-06-301-0/+3
| | | | | | r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D81668
* Bug 1649226 - Add Wycheproof ECDSA tests. r=bbeurdoucheKevin Jacobs2020-06-296-0/+32377
| | | | Differential Revision: https://phabricator.services.mozilla.com/D81589
* Bug 1649190 - Run cipher, sdr, and ocsp tests under standard test cycle. r=jcjKevin Jacobs2020-06-291-1/+1
| | | | Differential Revision: https://phabricator.services.mozilla.com/D81559
* Set version numbers to 3.55 betaKevin Jacobs2020-06-265-17/+7
|
* Bug 1640516 - NSS 3.54 should depend on NSPR 4.26. r=kjacobsKai Engert2020-06-241-1/+1
| | | | Differential Revision: https://phabricator.services.mozilla.com/D80879
* Added tag NSS_3_54_BETA1 for changeset 2bd2f3267dc5Kevin Jacobs2020-06-230-0/+0
|
* Bug 1646520 - Stricter leading-zero checks for ASN.1 INTEGER values. r=jcjNSS_3_54_BETA1Kevin Jacobs2020-06-221-4/+7
| | | | | | | | This patch adjusts QuickDER to strictly enforce INTEGER encoding with respect to leading zeros: - If the MSB of the first (value) octet is set, a single zero byte MAY be present to make the value positive. This singular pad byte is removed. - Otherwise, the first octet must not be zero. Differential Revision: https://phabricator.services.mozilla.com/D80221
* Bug 1631597 - Constant-time GCD and modular inversion r=rrelyea,kjacobsSohaib ul Hassan2020-06-163-132/+292
| | | | | | | | | | | | | | The implementation is based on the work by Bernstein and Yang (https://eprint.iacr.org/2019/266) "Fast constant-time gcd computation and modular inversion". It fixes the old mp_gcd and s_mp_invmod_odd_m functions. The patch also fix mpl_significant_bits s_mp_div_2d and s_mp_mul_2d by having less control flow to reduce side-channel leaks. Co Author : Billy Bob Brumley Differential Revision: https://phabricator.services.mozilla.com/D78668
* Bug 1618402 - June 2020 batch of root changes, NSS_BUILTINS_LIBRARY_VERSION ↵J.C. Jones2020-06-151-2/+2
| | | | | | | | | | | | | | | | | | | 2.42 r=bbeurdouche,KathleenWilson All changes: Bug 1618402 - Remove 3 Symantec roots and disable Email trust bit for others Bug 1621151 - Disable Email trust bit for GRCA root Bug 1639987 - Remove expired Staat der Nederlanden Root CA - G2 root cert Bug 1641718 - Remove "LuxTrust Global Root 2" root cert Bug 1641716 - Add Microsoft's non-EV roots Bug 1645174 - Add Microsec's "e-Szigno Root CA 2017" root cert Bug 1645186 - Add "certSIGN Root CA G2" root cert Bug 1645199 - Remove Expired AddTrust root certs Depends on D79373 Differential Revision: https://phabricator.services.mozilla.com/D79374
* Bug 1645186 - Add certSIGN Root CA G2 root cert r=KathleenWilsonJ.C. Jones2020-06-121-0/+160
| | | | | | | | | | | | | Friendly Name: certSIGN Root CA G2 Cert Location: http://crl.certsign.ro/certsign-rootg2.crt SHA-1 Fingerprint: 26F993B4ED3D2827B0B94BA7E9151DA38D92E532 SHA-256 Fingerprint: 657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305 Trust Flags: Websites Test URL: https://testssl-valid-evcp.certsign.ro/ Depends on D79372 Differential Revision: https://phabricator.services.mozilla.com/D79373
* Bug 1645174 - Add e-Szigno Root CA 2017 r=KathleenWilson,kjacobsJ.C. Jones2020-06-121-0/+121
| | | | | | Depends on D79371 Differential Revision: https://phabricator.services.mozilla.com/D79372
* Bug 1641716 - Add Microsoft non-EV roots r=KathleenWilson,kjacobsJ.C. Jones2020-06-121-0/+295
| | | | | | | | | | | | | | | | | | | | Friendly Name: Microsoft ECC Root Certificate Authority 2017 Cert Location: http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt SHA-1 Fingerprint: 999A64C37FF47D9FAB95F14769891460EEC4C3C5 SHA-256 Fingerprint: 358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02 Trust Flags: Websites Test URL: https://acteccroot2017.pki.microsoft.com/ Friendly Name: Microsoft RSA Root Certificate Authority 2017 Cert Location: http://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt SHA-1 Fingerprint: 73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74 SHA-256 Fingerprint: C741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0 Trust Flags: Websites Test URL: https://actrsaroot2017.pki.microsoft.com/ Depends on D79370 Differential Revision: https://phabricator.services.mozilla.com/D79371
* Bug 1645199 - Remove Expired AddTrust root certs r=KathleenWilson,kjacobsJ.C. Jones2020-06-121-299/+0
| | | | | | | | | | | | | | | | | | | | | | | | Remove the following two expired AddTrust root certs from NSS. Subject/Issuer: CN=AddTrust Class 1 CA Root; OU=AddTrust TTP Network; O=AddTrust AB; C=SE Valid To (GMT): 5/30/2020 SHA-1 Fingerprint: CCAB0EA04C2301D6697BDD379FCD12EB24E3949D SHA-256 Fingerprint: 8C7209279AC04E275E16D07FD3B775E80154B5968046E31F52DD25766324E9A7 Subject/Issuer: CN=AddTrust External CA Root; OU=AddTrust External TTP Network; O=AddTrust AB; C=SE Valid To (GMT): 5/30/2020 SHA-1 Fingerprint: 02FAF3E291435468607857694DF5E45B68851868 SHA-256 Fingerprint: 687FA451382278FFF0C8B11F8D43D576671C6EB2BCEAB413FB83D965D06D2FF2 Mozilla EV Policy OID(s): 1.3.6.1.4.1.6449.1.2.1.5.1 Depends on D79369 Differential Revision: https://phabricator.services.mozilla.com/D79370
* Bug 1641718 - Remove "LuxTrust Global Root 2" root cert r=KathleenWilson,kjacobsJ.C. Jones2020-06-121-170/+0
| | | | | | | | | | | | | Subject: CN=LuxTrust Global Root 2; O=LuxTrust S.A.; C=LU Valid From (GMT): 3/5/2015 Valid To (GMT): 3/5/2035 Certificate Serial Number: 0A7EA6DF4B449EDA6A24859EE6B815D3167FBBB1 SHA-1 Fingerprint: 1E0E56190AD18B2598B20444FF668A0417995F3F SHA-256 Fingerprint: 54455F7129C20B1447C418F997168F24C58FC5023BF5DA5BE2EB6E1DD8902ED5 Depends on D79368 Differential Revision: https://phabricator.services.mozilla.com/D79369
* Bug 1639987 - Remove expired Staat der Nederlanden Root CA - G2 root cert ↵J.C. Jones2020-06-121-171/+0
| | | | | | | | | | | | | | | r=KathleenWilson,kjacobs Subject: CN=Staat der Nederlanden Root CA - G2; O=Staat der Nederlanden; C=NL Valid From (GMT): 3/26/2008 Valid To (GMT): 3/25/2020 Certificate Serial Number: 0098968C SHA-1 Fingerprint: 59AF82799186C7B47507CBCF035746EB04DDB716 SHA-256 Fingerprint: 668C83947DA63B724BECE1743C31A0E6AED0DB8EC5B31BE377BB784F91B6716F Depends on D79367 Differential Revision: https://phabricator.services.mozilla.com/D79368
* Bug 1621151 - Disable email trust bit for TW Government Root Certification ↵J.C. Jones2020-06-121-1/+1
| | | | | | | | Authority root r=kjacobs,KathleenWilson Depends on D79366 Differential Revision: https://phabricator.services.mozilla.com/D79367
* Bug 1618402 - Disable email trust bit for several Symantec certs ↵J.C. Jones2020-06-121-7/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | r=KathleenWilson,kjacobs Disable the Email trust bit for the following root certs" Subject: CN=GeoTrust Global CA; O=GeoTrust Inc.; C=US Certificate Serial Number: 023456 SHA-1 Fingerprint: DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212 SHA-256 Fingerprint: FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A Subject: CN=GeoTrust Primary Certification Authority - G2; OU=(c) 2007 GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US Certificate Serial Number: 3CB2F4480A00E2FEEB243B5E603EC36B SHA-1 Fingerprint: 8D1784D537F3037DEC70FE578B519A99E610D7B0 SHA-256 Fingerprint: 5EDB7AC43B82A06A8761E8D7BE4979EBF2611F7DD79BF91C1C6B566A219ED766 Subject: CN=GeoTrust Primary Certification Authority - G3; OU=(c) 2008 GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US Certificate Serial Number: 15AC6E9419B2794B41F627A9C3180F1F SHA-1 Fingerprint: 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD SHA-256 Fingerprint: B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4 Subject: CN=GeoTrust Universal CA; O=GeoTrust Inc.; C=US Certificate Serial Number: 01 SHA-1 Fingerprint: E621F3354379059A4B68309D8A2F74221587EC79 SHA-256 Fingerprint: A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912 Subject: CN=GeoTrust Universal CA 2; O=GeoTrust Inc.; C=US Certificate Serial Number: 01 SHA-1 Fingerprint: 379A197B418545350CA60369F33C2EAF474F2079 SHA-256 Fingerprint: A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4; OU=VeriSign Trust Network, (c) 2007 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US Certificate Serial Number: 2F80FE238C0E220F486712289187ACB3 SHA-1 Fingerprint: 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A SHA-256 Fingerprint: 69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79 Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5; OU=VeriSign Trust Network, (c) 2006 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US Certificate Serial Number: 18DAD19E267DE8BB4A2158CDCC6B3B4A SHA-1 Fingerprint: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 SHA-256 Fingerprint: 9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF Depends on D79365 Differential Revision: https://phabricator.services.mozilla.com/D79366
* Bug 1618402 - Remove VeriSign CA and associated EgyptTrust distrust entries ↵J.C. Jones2020-06-121-279/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | r=KathleenWilson,kjacobs Remove the VeriSign Class 3 Public Primary Certification Authority - G3 CA: Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3; OU=VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US Certificate Serial Number: 009B7E0649A33E62B9D5EE90487129EF57 SHA-1 Fingerprint: 132D0D45534B6997CDB2D5C339E25576609B5CC6 SHA-256 Fingerprint: EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244 Because of the removal of VeriSign Class 3 Public Primary Certification Authority - G3, these knock-out entries, signed by that CA, should be removed: cert 1: Serial Number:4c:00:36:1b:e5:08:2b:a9:aa:ce:74:0a:05:3e:fb:34 Subject: CN=Egypt Trust Class 3 Managed PKI Enterprise Administrator CA,OU=Terms of use at https://www.egypttrust.com/epository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG Not Valid Before: Sun May 18 00:00:00 2008 Not Valid After : Thu May 17 23:59:59 2018 Fingerprint (MD5): A7:91:05:96:B1:56:01:26:4E:BF:80:80:08:86:1B:4D Fingerprint (SHA1): 6A:2C:5C:B0:94:D5:E0:B7:57:FB:0F:58:42:AA:C8:13:A5:80:2F:E1 cert 2: Serial Number:3e:0c:9e:87:69:aa:95:5c:ea:23:d8:45:9e:d4:5b:51 Subject: CN=Egypt Trust Class 3 Managed PKI Operational Administrator CA,OU=Terms of use at https://www.egypttrust.com/epository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG Not Valid Before: Sun May 18 00:00:00 2008 Not Valid After : Thu May 17 23:59:59 2018 Fingerprint (MD5): D0:C3:71:17:3E:39:80:C6:50:4F:04:22:DF:40:E1:34 Fingerprint (SHA1): 9C:65:5E:D5:FA:E3:B8:96:4D:89:72:F6:3A:63:53:59:3F:5E:B4:4E cert 3: Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use nly",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US Serial Number:12:bd:26:a2:ae:33:c0:7f:24:7b:6a:58:69:f2:0a:76 Subject: CN=Egypt Trust Class 3 Managed PKI SCO Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG Not Valid Before: Sun May 18 00:00:00 2008 Not Valid After : Thu May 17 23:59:59 2018 Fingerprint (MD5): C2:13:5E:B2:67:8A:5C:F7:91:EF:8F:29:0F:9B:77:6E Fingerprint (SHA1): 83:23:F1:4F:BC:9F:9B:80:B7:9D:ED:14:CD:01:57:CD:FB:08:95:D2 Depends on D79364 Differential Revision: https://phabricator.services.mozilla.com/D79365
View Lorry Controller Status