corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 1966632 - bundle cross-signed "SSL.com TLS Transit ECC CA R2" intermediate. r=keeler

Browse Source 
Differential Revision: https://phabricator.services.mozilla.com/D250486
This commit is contained in:
John M. Schanck
2025-05-22 17:41:53 +00:00
committed by jschanck@mozilla.com
parent 2cc2a23d36
commit 8acc8bc5ad
6 changed files with 243 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
security/manager/ssl/tests/unit/head_psm.js
View File

@@ -330,6 +330,55 @@ function checkCertErrorGeneric(
);
}
// Helper for checkRootOfBuiltChain
class CertVerificationExpectedRootResult {
constructor(certName, rootSha256SpkiDigest, resolve) {
this.certName = certName;
this.rootSha256SpkiDigest = rootSha256SpkiDigest;
this.resolve = resolve;
}
verifyCertFinished(aPRErrorCode, aVerifiedChain, _aHasEVPolicy) {
equal(
aPRErrorCode,
PRErrorCodeSuccess,
`verifying ${this.certName}: should succeed`
);
equal(
aVerifiedChain[aVerifiedChain.length - 1]
.sha256SubjectPublicKeyInfoDigest,
this.rootSha256SpkiDigest,
`verifying ${this.certName}: should build chain to ${this.rootSha256SpkiDigest}`
);
this.resolve();
}
}
function checkRootOfBuiltChain(
certdb,
cert,
rootSha256SpkiDigest,
time,
/* optional */ hostname,
/* optional */ flags = NO_FLAGS
) {
return new Promise(resolve => {
let result = new CertVerificationExpectedRootResult(
cert.commonName,
rootSha256SpkiDigest,
resolve
);
certdb.asyncVerifyCertAtTime(
cert,
Ci.nsIX509CertDB.verifyUsageTLSServer,
flags,
hostname,
time,
result
);
});
}
function checkEVStatus(certDB, cert, usage, isEVExpected) {
return checkCertErrorGeneric(
certDB,

14
security/manager/ssl/tests/unit/test_intermediate_preloads.js
View File

@@ -425,6 +425,20 @@ add_task(async function test_delete() {
);
});
add_task(async function test_bug1966632() {
let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
constructCertFromFile("test_intermediate_preloads/bug1966632-int1.pem", ",,");
await checkRootOfBuiltChain(
certDB,
constructCertFromFile("test_intermediate_preloads/bug1966632-ee.pem", ",,"),
"G/ANXI8TwJTdF+AFBM8IiIUPEv0Gf6H5LA/b9guG4yE=",
new Date("2025-05-21T00:00:00Z").getTime() / 1000
);
});
function run_test() {
server = new HttpServer();
server.start(-1);

23
security/manager/ssl/tests/unit/test_intermediate_preloads/bug1966632-ee.pem Normal file
View File

@@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----
MIID4DCCA4WgAwIBAgIQUZgPcox2Ip1KGuuF5KHdpzAKBggqhkjOPQQDAjBSMQsw
CQYDVQQGEwJVUzEZMBcGA1UECgwQQ0xPVURGTEFSRSwgSU5DLjEoMCYGA1UEAwwf
Q2xvdWRmbGFyZSBUTFMgSXNzdWluZyBFQ0MgQ0EgMTAeFw0yNTA0MjMxMDA1MzBa
Fw0yNTA3MjIxMDAxMzJaMBcxFTATBgNVBAMMDHd3dy5sZWdvLmNvbTBZMBMGByqG
SM49AgEGCCqGSM49AwEHA0IABKU7ro3nPX0A7LdCEnMilvq0ccYpcKN2xQWjlTVc
kVb3D5Enip6Dte1r0cgqvg5gLmezH+4QHIFggwxPv+bPhp+jggJ2MIICcjAMBgNV
HRMBAf8EAjAAMB8GA1UdIwQYMBaAFJzECXJHGBd7pxqJs5I11eEDjP6SMGwGCCsG
AQUFBwEBBGAwXjA5BggrBgEFBQcwAoYtaHR0cDovL2kuY2YtYi5zc2wuY29tL0Ns
b3VkZmxhcmUtVExTLUktRTEuY2VyMCEGCCsGAQUFBzABhhVodHRwOi8vby5jZi1i
LnNzbC5jb20wJwYDVR0RBCAwHoIMd3d3LmxlZ28uY29tgg4qLnd3dy5sZWdvLmNv
bTAjBgNVHSAEHDAaMAgGBmeBDAECATAOBgwrBgEEAYKpMAEDAQEwHQYDVR0lBBYw
FAYIKwYBBQUHAwIGCCsGAQUFBwMBMD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly9j
LmNmLWIuc3NsLmNvbS9DbG91ZGZsYXJlLVRMUy1JLUUxLmNybDAOBgNVHQ8BAf8E
BAMCB4AwDwYJKwYBBAGC2kssBAIFADCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2
AN3cyjSV1+EWBeeVMvrHn/g9HFDf2wA6FBJ2Ciysu8gqAAABlmIlRAUAAAQDAEcw
RQIgCvV0Q8IQ6rlxiNeAag68X7Dg9B3qwzGanXGWWwPhIScCIQDyO9SMHZPizNp6
YPkjqFvDF7CjOIC4of8Eptcnhx2PiwB1AMz7D2qFcQll/pWbU87psnwi6YVcDZeN
tql+VMD+TA2wAAABlmIlRDsAAAQDAEYwRAIgF1DXDTWseC/rZn7riEIxJX1yFR53
sfRbGkfehzeY034CIG9X2iRLIH/XnBKeNU63Y9hUbtyGdxX4R0oUZNpLiDanMAoG
CCqGSM49BAMCA0kAMEYCIQCO/LFf44vZw0z0Pm22U2KhX1Hc5lGrG0ks3ZeOo6Cv
SAIhAMrm/nig702IHWF5q8SAA52t6wtM6ph2+Pe9NCnF9x0y
-----END CERTIFICATE-----

18
security/manager/ssl/tests/unit/test_intermediate_preloads/bug1966632-int1.pem Normal file
View File

@@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC5DCCAmqgAwIBAgIQLD+iaS9BE707f+W2BLSdTTAKBggqhkjOPQQDAzBPMQsw
CQYDVQQGEwJVUzEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMSYwJAYDVQQDDB1T
U0wuY29tIFRMUyBUcmFuc2l0IEVDQyBDQSBSMjAeFw0yMzEwMzExNzE3NDlaFw0z
MzEwMjgxNzE3NDhaMFIxCzAJBgNVBAYTAlVTMRkwFwYDVQQKDBBDTE9VREZMQVJF
LCBJTkMuMSgwJgYDVQQDDB9DbG91ZGZsYXJlIFRMUyBJc3N1aW5nIEVDQyBDQSAx
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEByHHIHytNSzTS+F3JA7hHMDGd2cp
cY9i3MLTKmE6DJTKc6JwvW50pwKodvd2Qj4RAAy2jSejsVgw5jeh6syt3KOCASMw
ggEfMBIGA1UdEwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAUMqLH2FiL/3/APPJV
aTPszswfvJcwSAYIKwYBBQUHAQEEPDA6MDgGCCsGAQUFBzAChixodHRwOi8vY2Vy
dC5zc2wuY29tL1NTTC5jb20tVExTLVQtRUNDLVIyLmNlcjARBgNVHSAECjAIMAYG
BFUdIAAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMD0GA1UdHwQ2MDQw
MqAwoC6GLGh0dHA6Ly9jcmxzLnNzbC5jb20vU1NMLmNvbS1UTFMtVC1FQ0MtUjIu
Y3JsMB0GA1UdDgQWBBScxAlyRxgXe6caibOSNdXhA4z+kjAOBgNVHQ8BAf8EBAMC
AYYwCgYIKoZIzj0EAwMDaAAwZQIxAL0Sk3RweR6uG1aSHF3JgHQptubP9xoZyUmz
HSa+SSdY5wTGSx5qAowrLPCpLio2PAIwXQGgYzf5QzD/1Bsu87WrUcIVtLixr5KQ
wKBaFAyIJ7OOiWgW0HV/NA1UeuSe0zmN
-----END CERTIFICATE-----

21
security/manager/ssl/trust_anchors/build.rs
View File

@@ -320,9 +320,12 @@ fn main() -> std::io::Result<()> {
TOPSRCDIR.join("security/manager/ssl/tests/unit/test_trust_anchors/certdata.txt");
let mozilla_certdata = TOPSRCDIR.join("security/nss/lib/ckfw/builtins/certdata.txt");
let nssckbi_header = TOPSRCDIR.join("security/nss/lib/ckfw/builtins/nssckbi.h");
let bundled_intermediates =
TOPSRCDIR.join("security/manager/ssl/trust_anchors/bundled_intermediates.txt");
println!("cargo:rerun-if-changed={}", testlib_certdata.display());
println!("cargo:rerun-if-changed={}", mozilla_certdata.display());
println!("cargo:rerun-if-changed={}", nssckbi_header.display());
println!("cargo:rerun-if-changed={}", bundled_intermediates.display());
let bindings = Builder::default()
.header(nssckbi_header.display().to_string())
@@ -357,6 +360,12 @@ fn main() -> std::io::Result<()> {
let mut input =
std::fs::read_to_string(mozilla_certdata).expect("Unable to read certdata.txt.");
#[cfg(not(feature = "testlib"))]
input.push_str(
&std::fs::read_to_string(bundled_intermediates)
.expect("Unable to read bundled_intermediates.txt."),
);
// Add a trailing newline to simplify parsing.
input.push('\n');
@@ -520,19 +529,7 @@ fn main() -> std::io::Result<()> {
writeln!(out, "pub static BUILTINS: [Root; {}] = [", certs.len())?;
for (i, cert) in certs.iter().enumerate() {
let subject = attr(cert, "CKA_SUBJECT");
let issuer = attr(cert, "CKA_ISSUER");
let label = attr(cert, "CKA_LABEL");
if !subject.eq(issuer) {
writeln!(out, "];")?; // end the definition of BUILTINS
let label = format!("{}", label);
writeln!(
out,
"std::compile_error!(\"Certificate with label {} is not self-signed\");",
label.escape_debug()
)?;
return Ok(());
}
let mozpol = attr(cert, "CKA_NSS_MOZILLA_CA_POLICY");
let server_distrust = attr(cert, "CKA_NSS_SERVER_DISTRUST_AFTER");
let email_distrust = attr(cert, "CKA_NSS_EMAIL_DISTRUST_AFTER");

130
security/manager/ssl/trust_anchors/bundled_intermediates.txt Normal file
View File

@@ -0,0 +1,130 @@
#
# Certificate "SSL.com TLS Transit ECC CA R2"
#
# Issuer: CN=SSL.com TLS ECC Root CA 2022,O=SSL Corporation,C=US
# Serial Number:60:4d:8a:f8:d0:0b:a8:74:8b:95:58:53:17:2c:5f:2e
# Subject: CN=SSL.com TLS Transit ECC CA R2,O=SSL Corporation,C=US
# Not Valid Before: Fri Oct 21 17:02:23 2022
# Not Valid After : Sat Oct 17 17:02:22 2037
# Fingerprint (SHA-256): 5D:1B:C3:99:27:4E:64:9E:1C:72:69:7D:E9:1A:54:AD:72:50:88:C5:22:1C:B6:1E:17:EE:9C:29:0B:C4:2A:92
# Fingerprint (SHA1): E1:51:88:4D:AE:92:4B:08:EF:26:46:01:21:D7:79:06:D5:D1:8A:C8
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "SSL.com TLS Transit ECC CA R2"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\117\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\030\060\026\006\003\125\004\012\014\017\123\123\114\040\103\157
\162\160\157\162\141\164\151\157\156\061\046\060\044\006\003\125
\004\003\014\035\123\123\114\056\143\157\155\040\124\114\123\040
\124\162\141\156\163\151\164\040\105\103\103\040\103\101\040\122
\062
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\030\060\026\006\003\125\004\012\014\017\123\123\114\040\103\157
\162\160\157\162\141\164\151\157\156\061\045\060\043\006\003\125
\004\003\014\034\123\123\114\056\143\157\155\040\124\114\123\040
\105\103\103\040\122\157\157\164\040\103\101\040\062\060\062\062
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\020\140\115\212\370\320\013\250\164\213\225\130\123\027\054
\137\056
END
CKA_VALUE MULTILINE_OCTAL
\060\202\003\064\060\202\002\271\240\003\002\001\002\002\020\140
\115\212\370\320\013\250\164\213\225\130\123\027\054\137\056\060
\012\006\010\052\206\110\316\075\004\003\003\060\116\061\013\060
\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003
\125\004\012\014\017\123\123\114\040\103\157\162\160\157\162\141
\164\151\157\156\061\045\060\043\006\003\125\004\003\014\034\123
\123\114\056\143\157\155\040\124\114\123\040\105\103\103\040\122
\157\157\164\040\103\101\040\062\060\062\062\060\036\027\015\062
\062\061\060\062\061\061\067\060\062\062\063\132\027\015\063\067
\061\060\061\067\061\067\060\062\062\062\132\060\117\061\013\060
\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003
\125\004\012\014\017\123\123\114\040\103\157\162\160\157\162\141
\164\151\157\156\061\046\060\044\006\003\125\004\003\014\035\123
\123\114\056\143\157\155\040\124\114\123\040\124\162\141\156\163
\151\164\040\105\103\103\040\103\101\040\122\062\060\166\060\020
\006\007\052\206\110\316\075\002\001\006\005\053\201\004\000\042
\003\142\000\004\144\347\175\231\003\123\134\221\036\352\370\330
\043\255\241\277\054\342\143\211\357\050\150\366\355\327\360\354
\253\150\256\167\053\344\166\227\033\120\353\333\131\050\055\157
\270\066\271\253\215\227\312\114\042\236\356\211\331\002\077\375
\172\163\072\220\215\053\314\057\072\067\203\332\015\264\055\105
\033\163\162\011\145\137\170\041\075\347\213\146\077\107\375\011
\051\326\024\017\243\202\001\131\060\202\001\125\060\022\006\003
\125\035\023\001\001\377\004\010\060\006\001\001\377\002\001\001
\060\037\006\003\125\035\043\004\030\060\026\200\024\211\217\057
\243\350\053\240\024\124\173\363\126\270\046\137\147\070\013\234
\320\060\114\006\010\053\006\001\005\005\007\001\001\004\100\060
\076\060\074\006\010\053\006\001\005\005\007\060\002\206\060\150
\164\164\160\072\057\057\143\145\162\164\056\163\163\154\056\143
\157\155\057\123\123\114\143\157\155\055\124\114\123\055\122\157
\157\164\055\062\060\062\062\055\105\103\103\056\143\145\162\060
\077\006\003\125\035\040\004\070\060\066\060\064\006\004\125\035
\040\000\060\054\060\052\006\010\053\006\001\005\005\007\002\001
\026\036\150\164\164\160\163\072\057\057\167\167\167\056\163\163
\154\056\143\157\155\057\162\145\160\157\163\151\164\157\162\171
\060\035\006\003\125\035\045\004\026\060\024\006\010\053\006\001
\005\005\007\003\002\006\010\053\006\001\005\005\007\003\001\060
\101\006\003\125\035\037\004\072\060\070\060\066\240\064\240\062
\206\060\150\164\164\160\072\057\057\143\162\154\163\056\163\163
\154\056\143\157\155\057\123\123\114\143\157\155\055\124\114\123
\055\122\157\157\164\055\062\060\062\062\055\105\103\103\056\143
\162\154\060\035\006\003\125\035\016\004\026\004\024\062\242\307
\330\130\213\377\177\300\074\362\125\151\063\354\316\314\037\274
\227\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001
\206\060\012\006\010\052\206\110\316\075\004\003\003\003\151\000
\060\146\002\061\000\270\112\102\076\173\147\055\263\131\323\067
\323\002\106\051\175\357\076\266\341\154\113\002\237\170\205\076
\355\065\221\217\144\267\275\142\042\310\313\070\012\251\157\333
\023\106\366\207\320\002\061\000\257\127\225\314\105\313\247\003
\051\120\150\044\034\340\237\306\301\035\151\357\052\317\013\100
\321\131\147\262\054\011\020\132\056\130\226\326\275\017\031\127
\357\204\005\026\113\005\010\375
END
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "SSL.com TLS Transit ECC CA R2"
# Issuer: CN=SSL.com TLS ECC Root CA 2022,O=SSL Corporation,C=US
# Serial Number:60:4d:8a:f8:d0:0b:a8:74:8b:95:58:53:17:2c:5f:2e
# Subject: CN=SSL.com TLS Transit ECC CA R2,O=SSL Corporation,C=US
# Not Valid Before: Fri Oct 21 17:02:23 2022
# Not Valid After : Sat Oct 17 17:02:22 2037
# Fingerprint (SHA-256): 5D:1B:C3:99:27:4E:64:9E:1C:72:69:7D:E9:1A:54:AD:72:50:88:C5:22:1C:B6:1E:17:EE:9C:29:0B:C4:2A:92
# Fingerprint (SHA1): E1:51:88:4D:AE:92:4B:08:EF:26:46:01:21:D7:79:06:D5:D1:8A:C8
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "SSL.com TLS Transit ECC CA R2"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\341\121\210\115\256\222\113\010\357\046\106\001\041\327\171\006
\325\321\212\310
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\056\365\236\073\237\071\373\006\014\326\002\247\064\076\176\155
END
CKA_ISSUER MULTILINE_OCTAL
\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\030\060\026\006\003\125\004\012\014\017\123\123\114\040\103\157
\162\160\157\162\141\164\151\157\156\061\045\060\043\006\003\125
\004\003\014\034\123\123\114\056\143\157\155\040\124\114\123\040
\105\103\103\040\122\157\157\164\040\103\101\040\062\060\062\062
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\020\140\115\212\370\320\013\250\164\213\225\130\123\027\054
\137\056
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE