| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
This case comes up when attempting to build NSS on ARM64 Mac. If we don't
do this, we wind up detecting arm64 as "arm", with predictably bad
consequences.
Differential Revision: https://phabricator.services.mozilla.com/D85786
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D84286
|
|
|
|
|
|
| |
Just reorder the rules in manifest.mn, so all is again the first rule. This restores pre-3.53 Makefile defaults.
Differential Revision: https://phabricator.services.mozilla.com/D85195
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ARM Crypto extension has SHA1 acceleration. Using this, SHA1 is 3 times
faster on ARMv8 CPU. The following data is AWS's a1 instance (Cortex-A72).
Before
======
```
# mode in opreps cxreps context op time(sec) thrgput
sha1_e 954Mb 31M 0 0.000 10000.000 10.000 95Mb
```
After
=====
```
# mode in opreps cxreps context op time(sec) thrgput
sha1_e 2Gb 94M 0 0.000 10000.000 10.000 288Mb
```
Differential Revision: https://phabricator.services.mozilla.com/D84125
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update:
FIPS now also requires us to do y^q mod p testing on key generation (always).
We now do that in FIPS mode only, but in all modes we do full DH verification
for DH and ECDH. Because of this, the path has now separated out the prime
checks, which are now only done for the DH operation if we aren't using a known
prime and the subprime value has been provided. I've also learned we can accept
keys that we do full validation on in FIPS mode, so I've added that to
this patch, though we still can't generate those kinds of keys without
adding the subprime at keygen time.
The new FIPS standard is dh operations must use approved primes. Approved
primes are those selected in the tls and ike RFCs. Currently tls and ike
have modes with checks whether the primes are approved, but the check may
not always happen. The safest thing to do in FIPS mode is only allow those
primes. In addition, FIPS requires 1< y < p-1 (or technically 2<=y<=p-2, since
y is an integer those two tests are identical).
While making changes I realized we would want a mode where we can do more strict
checks on the prime while not requiring that the prime be an approved prime. We
already allow for strict checking if q is supplied with the private key, but there
were a couple of issues with that check:
1. there was no way of actually setting q in the current NSS pk11wrap interfaces.
2. If the prime was a safe prime, but g was an actual generator, then we would fail the y^q mod p = 1 tests for 50% of the keys, even though those keys are safe.
3. We weren't checking primality of p and q.
So the old code:
if (q) {
check y^q mod p = 1
if not fail
}
check 1 <y < p-1 (done in DH_Derive).
New code:
if (! p is approved prime) {
if (FIPS) fail;
if (q) {
y_test = y
if (p,q-> p is a safe prime) {
y_test = 1
}
check prime is prime Fail if not
check subprime is subprime fail if not
y_test^q mod p = 1
}
}
check 1 < y < p-1 (done in DH_Derive)
This means:
Existing code non-fips without setting the subprime continues to run as before.
Non-fips code which sets the subprime now runs slower, but p and q are checked
if p or q where not prime, the derive fails (which it should).
In FIPS mode only approved primes will succeed now.
Non-fips code can now set the subprime to q=(p-1)/2 if it doesn't have an
explicit q value (like in tls). If the derive succeeds, we know that p is a
safe prime. If p is approved, the checks are skipped because we already know
that p is a safe prime. Code can optionally do a test derive on a new p and
remember it's safe so that we know longer need to check ever call (though if
q is not (p-1)/2, you will need to continue to do the checks each call
because y could still be a small subgroup).
This patch:
gtests/softoken_gtest
1. Added New dh tests to softoken_gtests. The tests were added to softoken_gtests
because we need to test both non-FIPS and FIPS mode. Test vectors include a
category, so the same test vectors can be used in FIPS and non-FIPS even though
each class may have different results. Most of the test vectors where created
either by dhparams command in openssl, dsaparams in openssl, and the nss makepqg
command. Each vector includes a label, prime, base, optional subprime, optional
public key, test type, and key class (basically size).
2. If public key is not supplied, we use a generated public key.
3. If subPrime is supplied to wet it on the private key after generation.
lib/freebl/dh.c
add primality tests to KEA_VerifyKey().
lib/softokn/
1. Allow CKA_SUBPRIME to be set after key generation or import. This affects
how we test for it's existance, since it is now always there on the key, we
check it's length to make sure it's non-zero.
2. We implement the psuedocode above as real code.
3. We create two new functions: sftl_VerifyDH_Prime which return SECSuccess if Prime is an approved prime. sftk_IsSafePrime which returns SECSuess of both prime and subprime look reasonable, and sets a Bool to PR_TRUE is subprime -> prime is safe (subprime = (prime-1)/2. These functions are implemented in sftkdhverify.c
4.Cleanup incorrect nominclature on primes (safe primes are not strong primes).
|
|
|
|
|
|
| |
lib/freebl/deprecated. r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D83494
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
r=rrelyea,bbeurdouche
There are two places, where NSS tries to compile either x86_64
MSVC assembler or GCC aarch64 code, which will fail the build.
And also drop the non-MSVC arch build flags for them.
AFAI could identify, there isn't any armasm64 compatible asm
code in the whole NSS library, so I don't even adapt AS for the
build. The cross-build finishes this way.
Differential Revision: https://phabricator.services.mozilla.com/D83137
|
| |
|
|
|
|
| |
this workaround is no longer required. r=kjacobe
|
| |
|
|
|
|
|
|
| |
in cmd/bltest/blapitest.c. r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D83758
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D84362
|
|
|
|
|
|
|
|
|
| |
Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding.
Timing attack countermeasures are now applied more generally deeper in
the call stack.
Differential Revision: https://phabricator.services.mozilla.com/D82011
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D84194
|
|
|
|
|
|
| |
Depends on D74801
Differential Revision: https://phabricator.services.mozilla.com/D83994
|
|
|
|
|
|
| |
r=jcj,kjacobs,rrelyea
Differential Revision: https://phabricator.services.mozilla.com/D74801
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D75774
|
|
|
|
|
|
|
|
|
|
|
| |
This portable code contributed by the Network and Information Security Group (NISEC) at Tampere University comes from:
[ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic.
Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi>
Co-authored-by: Jesús-Javier Chi-Domínguez <jesus.chidominguez@tuni.fi>
Differential Revision: https://phabricator.services.mozilla.com/D80012
|
|
|
|
|
|
|
|
|
|
|
| |
This portable code contributed by the Network and Information Security Group (NISEC) at Tampere University comes from:
[ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic.
Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi>
Co-authored-by: Jesús-Javier Chi-Domínguez <jesus.chidominguez@tuni.fi>
Differential Revision: https://phabricator.services.mozilla.com/D79267
|
|
|
|
| |
r=kjacobs
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
In TLS 1.3, unless "signature_algorithms_cert" is advertised, the
"signature_algorithms" extension is used as an indication of supported
algorithms for signatures on certificates. While rsa_pkcs1_*
signatures schemes cannot be used for signing handshake messages, they
should be advertised if the peer wants to to support certificates
signed with RSA PKCS#1.
This adds a flag to ssl3_EncodeSigAlgs() and ssl3_FilterSigAlgs() to
preserve rsa_pkcs1_* schemes in the output.
Reviewers: mt
Reviewed By: mt
Bug #: 1646324
Differential Revision: https://phabricator.services.mozilla.com/D80881
|
|
|
|
|
|
| |
r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D81824
|
|
|
|
|
|
|
|
|
| |
Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before accessing slot after obtaining it,
even though slotLock is defined as its lock. [0]
[0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8a9fbde/lib/softoken/pkcs11i.h#320-321
Differential Revision: https://phabricator.services.mozilla.com/D82955
|
|
|
|
|
|
|
|
| |
r=kjacobs
This is a fixup patch that reverts https://hg.mozilla.org/projects/nss/rev/cc43ebf5bf88355837c5fafa2f3c46e37626707a and adds a null check around the memcpy in question.
Differential Revision: https://phabricator.services.mozilla.com/D82494
|
|
|
|
|
|
|
|
|
|
|
| |
This patch updates DTLS 1.3 to draft-38. Specifically:
# `ssl_ct_ack` value changes from 25 to 26.
# AEAD limits in `tls13_UnprotectRecord` enforce a maximum of 2^36-1 (as we only support GCM/ChaCha20 AEADs) decryption failures before the connection is closed.
# Post-handshake authentication will no longer be negotiated in DTLS 1.3. This allows us to side-step the more convoluted state machine requirements.
Differential Revision: https://phabricator.services.mozilla.com/D82421
|
|
|
|
|
|
| |
This patch adds a check to `RSA_CheckSignRecover` enforcing a minimum padding length of 8 bytes for PKCS #1 v1.5-formatted signatures. In practice, RSA key size requirements already ensure this requirement is met, but smaller (read: broken) key sizes can be used via configuration overrides, and NSS should just follow the spec.
Differential Revision: https://phabricator.services.mozilla.com/D82462
|
|
|
|
|
|
| |
pk11_find_certs_unittest.cc yoda comparisons r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D82460
|
|
|
|
|
|
|
|
| |
PK11_FindEncodedCertInSlot can be used to determine the PKCS#11 object handle
of an encoded certificate in a given slot. If the given certificate does not
exist in that slot, CK_INVALID_HANDLE is returned.
Differential Revision: https://phabricator.services.mozilla.com/D81924
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D82054
|
|
|
|
|
|
| |
ssl/ssl3con.c:6621 r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D81667
|
| |
|
|
|
|
|
|
| |
r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D81668
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D81589
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D81559
|
| |
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D80879
|
| |
|
|
|
|
|
|
|
|
| |
This patch adjusts QuickDER to strictly enforce INTEGER encoding with respect to leading zeros:
- If the MSB of the first (value) octet is set, a single zero byte MAY be present to make the value positive. This singular pad byte is removed.
- Otherwise, the first octet must not be zero.
Differential Revision: https://phabricator.services.mozilla.com/D80221
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The implementation is based on the work by Bernstein and Yang
(https://eprint.iacr.org/2019/266) "Fast constant-time gcd computation
and modular inversion". It fixes the old mp_gcd and s_mp_invmod_odd_m
functions.
The patch also fix mpl_significant_bits s_mp_div_2d and s_mp_mul_2d
by having less control flow to reduce side-channel leaks.
Co Author : Billy Bob Brumley
Differential Revision: https://phabricator.services.mozilla.com/D78668
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
2.42 r=bbeurdouche,KathleenWilson
All changes:
Bug 1618402 - Remove 3 Symantec roots and disable Email trust bit for others
Bug 1621151 - Disable Email trust bit for GRCA root
Bug 1639987 - Remove expired Staat der Nederlanden Root CA - G2 root cert
Bug 1641718 - Remove "LuxTrust Global Root 2" root cert
Bug 1641716 - Add Microsoft's non-EV roots
Bug 1645174 - Add Microsec's "e-Szigno Root CA 2017" root cert
Bug 1645186 - Add "certSIGN Root CA G2" root cert
Bug 1645199 - Remove Expired AddTrust root certs
Depends on D79373
Differential Revision: https://phabricator.services.mozilla.com/D79374
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Friendly Name: certSIGN Root CA G2
Cert Location: http://crl.certsign.ro/certsign-rootg2.crt
SHA-1 Fingerprint: 26F993B4ED3D2827B0B94BA7E9151DA38D92E532
SHA-256 Fingerprint: 657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305
Trust Flags: Websites
Test URL: https://testssl-valid-evcp.certsign.ro/
Depends on D79372
Differential Revision: https://phabricator.services.mozilla.com/D79373
|
|
|
|
|
|
| |
Depends on D79371
Differential Revision: https://phabricator.services.mozilla.com/D79372
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Friendly Name: Microsoft ECC Root Certificate Authority 2017
Cert Location: http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt
SHA-1 Fingerprint: 999A64C37FF47D9FAB95F14769891460EEC4C3C5
SHA-256 Fingerprint: 358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02
Trust Flags: Websites
Test URL: https://acteccroot2017.pki.microsoft.com/
Friendly Name: Microsoft RSA Root Certificate Authority 2017
Cert Location: http://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt
SHA-1 Fingerprint: 73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74
SHA-256 Fingerprint: C741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0
Trust Flags: Websites
Test URL: https://actrsaroot2017.pki.microsoft.com/
Depends on D79370
Differential Revision: https://phabricator.services.mozilla.com/D79371
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove the following two expired AddTrust root certs from NSS.
Subject/Issuer: CN=AddTrust Class 1 CA Root; OU=AddTrust TTP Network;
O=AddTrust AB; C=SE
Valid To (GMT): 5/30/2020
SHA-1 Fingerprint: CCAB0EA04C2301D6697BDD379FCD12EB24E3949D
SHA-256 Fingerprint:
8C7209279AC04E275E16D07FD3B775E80154B5968046E31F52DD25766324E9A7
Subject/Issuer: CN=AddTrust External CA Root; OU=AddTrust External TTP
Network; O=AddTrust AB; C=SE
Valid To (GMT): 5/30/2020
SHA-1 Fingerprint: 02FAF3E291435468607857694DF5E45B68851868
SHA-256 Fingerprint:
687FA451382278FFF0C8B11F8D43D576671C6EB2BCEAB413FB83D965D06D2FF2
Mozilla EV Policy OID(s): 1.3.6.1.4.1.6449.1.2.1.5.1
Depends on D79369
Differential Revision: https://phabricator.services.mozilla.com/D79370
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Subject: CN=LuxTrust Global Root 2; O=LuxTrust S.A.; C=LU
Valid From (GMT): 3/5/2015
Valid To (GMT): 3/5/2035
Certificate Serial Number: 0A7EA6DF4B449EDA6A24859EE6B815D3167FBBB1
SHA-1 Fingerprint: 1E0E56190AD18B2598B20444FF668A0417995F3F
SHA-256 Fingerprint: 54455F7129C20B1447C418F997168F24C58FC5023BF5DA5BE2EB6E1DD8902ED5
Depends on D79368
Differential Revision: https://phabricator.services.mozilla.com/D79369
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
r=KathleenWilson,kjacobs
Subject: CN=Staat der Nederlanden Root CA - G2; O=Staat der Nederlanden; C=NL
Valid From (GMT): 3/26/2008
Valid To (GMT): 3/25/2020
Certificate Serial Number: 0098968C
SHA-1 Fingerprint: 59AF82799186C7B47507CBCF035746EB04DDB716
SHA-256 Fingerprint: 668C83947DA63B724BECE1743C31A0E6AED0DB8EC5B31BE377BB784F91B6716F
Depends on D79367
Differential Revision: https://phabricator.services.mozilla.com/D79368
|
|
|
|
|
|
|
|
| |
Authority root r=kjacobs,KathleenWilson
Depends on D79366
Differential Revision: https://phabricator.services.mozilla.com/D79367
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
r=KathleenWilson,kjacobs
Disable the Email trust bit for the following root certs"
Subject: CN=GeoTrust Global CA; O=GeoTrust Inc.; C=US
Certificate Serial Number: 023456
SHA-1 Fingerprint: DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
SHA-256 Fingerprint: FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A
Subject: CN=GeoTrust Primary Certification Authority - G2; OU=(c) 2007 GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US
Certificate Serial Number: 3CB2F4480A00E2FEEB243B5E603EC36B
SHA-1 Fingerprint: 8D1784D537F3037DEC70FE578B519A99E610D7B0
SHA-256 Fingerprint: 5EDB7AC43B82A06A8761E8D7BE4979EBF2611F7DD79BF91C1C6B566A219ED766
Subject: CN=GeoTrust Primary Certification Authority - G3; OU=(c) 2008 GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US
Certificate Serial Number: 15AC6E9419B2794B41F627A9C3180F1F
SHA-1 Fingerprint: 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD
SHA-256 Fingerprint: B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4
Subject: CN=GeoTrust Universal CA; O=GeoTrust Inc.; C=US
Certificate Serial Number: 01
SHA-1 Fingerprint: E621F3354379059A4B68309D8A2F74221587EC79
SHA-256 Fingerprint: A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912
Subject: CN=GeoTrust Universal CA 2; O=GeoTrust Inc.; C=US
Certificate Serial Number: 01
SHA-1 Fingerprint: 379A197B418545350CA60369F33C2EAF474F2079
SHA-256 Fingerprint: A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4; OU=VeriSign Trust Network, (c) 2007 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US
Certificate Serial Number: 2F80FE238C0E220F486712289187ACB3
SHA-1 Fingerprint: 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A
SHA-256 Fingerprint: 69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5; OU=VeriSign Trust Network, (c) 2006 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US
Certificate Serial Number: 18DAD19E267DE8BB4A2158CDCC6B3B4A
SHA-1 Fingerprint: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
SHA-256 Fingerprint: 9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF
Depends on D79365
Differential Revision: https://phabricator.services.mozilla.com/D79366
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
r=KathleenWilson,kjacobs
Remove the VeriSign Class 3 Public Primary Certification Authority - G3 CA:
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3; OU=VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US
Certificate Serial Number: 009B7E0649A33E62B9D5EE90487129EF57
SHA-1 Fingerprint: 132D0D45534B6997CDB2D5C339E25576609B5CC6
SHA-256 Fingerprint: EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244
Because of the removal of VeriSign Class 3 Public Primary Certification Authority - G3, these knock-out entries, signed by that CA, should be removed:
cert 1:
Serial Number:4c:00:36:1b:e5:08:2b:a9:aa:ce:74:0a:05:3e:fb:34
Subject: CN=Egypt Trust Class 3 Managed PKI Enterprise Administrator CA,OU=Terms of use at https://www.egypttrust.com/epository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
Not Valid Before: Sun May 18 00:00:00 2008
Not Valid After : Thu May 17 23:59:59 2018
Fingerprint (MD5): A7:91:05:96:B1:56:01:26:4E:BF:80:80:08:86:1B:4D
Fingerprint (SHA1): 6A:2C:5C:B0:94:D5:E0:B7:57:FB:0F:58:42:AA:C8:13:A5:80:2F:E1
cert 2:
Serial Number:3e:0c:9e:87:69:aa:95:5c:ea:23:d8:45:9e:d4:5b:51
Subject: CN=Egypt Trust Class 3 Managed PKI Operational Administrator CA,OU=Terms of use at https://www.egypttrust.com/epository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
Not Valid Before: Sun May 18 00:00:00 2008
Not Valid After : Thu May 17 23:59:59 2018
Fingerprint (MD5): D0:C3:71:17:3E:39:80:C6:50:4F:04:22:DF:40:E1:34
Fingerprint (SHA1): 9C:65:5E:D5:FA:E3:B8:96:4D:89:72:F6:3A:63:53:59:3F:5E:B4:4E
cert 3:
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use nly",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
Serial Number:12:bd:26:a2:ae:33:c0:7f:24:7b:6a:58:69:f2:0a:76
Subject: CN=Egypt Trust Class 3 Managed PKI SCO Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
Not Valid Before: Sun May 18 00:00:00 2008
Not Valid After : Thu May 17 23:59:59 2018
Fingerprint (MD5): C2:13:5E:B2:67:8A:5C:F7:91:EF:8F:29:0F:9B:77:6E
Fingerprint (SHA1): 83:23:F1:4F:BC:9F:9B:80:B7:9D:ED:14:CD:01:57:CD:FB:08:95:D2
Depends on D79364
Differential Revision: https://phabricator.services.mozilla.com/D79365
|