From c09d43c4313529cf34e58ede47aa8f48dab7cea1 Mon Sep 17 00:00:00 2001
From: "rrelyea@redhat.com" <rrelyea@redhat.com>
Date: Wed, 21 Nov 2007 14:28:13 -0800
Subject: [PATCH] Enable real EV checking. Bug 289520. patch by kai engert.
 review rrelyea approval mtschrep.

---
 client.mk                                       |  2 +-
 security/manager/ssl/src/nsIdentityChecking.cpp | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/client.mk b/client.mk
index f62c81d36214c..45543aee995ab 100644
--- a/client.mk
+++ b/client.mk
@@ -408,7 +408,7 @@ MODULES_all :=                                  \
 # and commit this file on that tag.
 #MOZ_CO_TAG          = <tag>
 NSPR_CO_TAG          = NSPR_HEAD_20071016
-NSS_CO_TAG           = NSS_3_12_ALPHA_2
+NSS_CO_TAG           = NSS_3_12_ALPHA_2B
 LDAPCSDK_CO_TAG      = LDAPCSDK_6_0_3_CLIENT_BRANCH
 LOCALES_CO_TAG       =
 
diff --git a/security/manager/ssl/src/nsIdentityChecking.cpp b/security/manager/ssl/src/nsIdentityChecking.cpp
index 3645d07268cee..f5a5d4a213336 100644
--- a/security/manager/ssl/src/nsIdentityChecking.cpp
+++ b/security/manager/ssl/src/nsIdentityChecking.cpp
@@ -75,6 +75,14 @@ struct nsMyTrustedEVInfo
 };
 
 static struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
+  {
+    "2.16.840.1.113733.1.7.23.6",
+    "Verisign EV OID",
+    SEC_OID_UNKNOWN,
+    "OU=Class 3 Public Primary Certification Authority,O=\"VeriSign, Inc.\",C=US",
+    "OU=Class 3 Public Primary Certification Authority,O=\"VeriSign, Inc.\",C=US",
+    "74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2"
+  },
   {
     "0.0.0.0",
     0, // for real entries use a string like "Sample INVALID EV OID"
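Review bot: The new VeriSign entry in `myTrustedEVInfos` hard-codes an EV policy OID and a root fingerprint with no comment saying where those values came from or how they were verified, which makes later audits of this trust list harder. I would add a line above the entry such as `// OID and fingerprint source: <REFERENCE_PLACEHOLDER>; checked against the shipped root certificate`. The `0.0.0.0` sample entry still follows the real one in the same array. If it exists only for testing, confirm that it cannot be matched in a release build. The rest of the array and the lookup code are outside this hunk, so I cannot tell from here.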
@@ -540,9 +548,11 @@ nsNSSCertificate::hasValidEVOidTag(SECOidTag &resultOidTag, PRBool &validEV)
   cvin[0].type = cert_pi_policyOID;
   cvin[0].value.arraySize = 1; 
   cvin[0].value.array.oids = &oid_tag;
+
   cvin[1].type = cert_pi_revocationFlags;
-  cvin[1].value.scalar.ul = CERT_REV_FLAG_OCSP
-                            | CERT_REV_FLAG_CRL;
+  cvin[1].value.scalar.ul = CERT_REV_FAIL_SOFT_CRL
+                            | CERT_REV_FLAG_CRL
+                            ;
   cvin[2].type = cert_pi_end;
 
   CERTValOutParam cvout[2];
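Review bot: The revocation flags on `cvin[1]` no longer include `CERT_REV_FLAG_OCSP` and now add `CERT_REV_FAIL_SOFT_CRL`, and nothing in the code says why. Going by the flag names, EV status would be granted without an OCSP check and also when CRL information cannot be obtained. That is a weaker revocation requirement than the commit title suggests, so the reading should be confirmed against the NSS definition of these flags. If this is a deliberate interim setting, a comment such as `// OCSP not requested and CRL failures are soft for now; see bug <BUG_ID_PLACEHOLDER>` would record the decision. The lone `;` on its own line would also read better attached to the `CERT_REV_FLAG_CRL` line. `hasValidEVOidTag` starts and ends outside the hunk.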
-- 
GitLab