Enable real EV checking. Bug 289520. patch by kai engert. review rrelyea approval mtschrep.

c09d43c4 · rrelyea@redhat.com · bdefaafe · c09d43c4 · c09d43c4
Commit c09d43c4 authored 17 years ago by rrelyea@redhat.com
--- a/client.mk
+++ b/client.mk
@@ -408,7 +408,7 @@ MODULES_all :=                                  \
 # and commit this file on that tag.
 #MOZ_CO_TAG          = <tag>
 NSPR_CO_TAG          = NSPR_HEAD_20071016
-NSS_CO_TAG           = NSS_3_12_ALPHA_2
+NSS_CO_TAG           = NSS_3_12_ALPHA_2B
 LDAPCSDK_CO_TAG      = LDAPCSDK_6_0_3_CLIENT_BRANCH
 LOCALES_CO_TAG       =

--- a/security/manager/ssl/src/nsIdentityChecking.cpp
+++ b/security/manager/ssl/src/nsIdentityChecking.cpp
@@ -75,6 +75,14 @@ struct nsMyTrustedEVInfo
 };
 static struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
+  {
+    "2.16.840.1.113733.1.7.23.6",
+    "Verisign EV OID",
+    SEC_OID_UNKNOWN,
+    "OU=Class 3 Public Primary Certification Authority,O=\"VeriSign, Inc.\",C=US",
+    "OU=Class 3 Public Primary Certification Authority,O=\"VeriSign, Inc.\",C=US",
+    "74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2"
+  },
  {
    "0.0.0.0",
    0, // for real entries use a string like "Sample INVALID EV OID"
@@ -540,9 +548,11 @@ nsNSSCertificate::hasValidEVOidTag(SECOidTag &resultOidTag, PRBool &validEV)
  cvin[0].type = cert_pi_policyOID;
  cvin[0].value.arraySize = 1; 
  cvin[0].value.array.oids = &oid_tag;
  cvin[1].type = cert_pi_revocationFlags;
-  cvin[1].value.scalar.ul = CERT_REV_FLAG_OCSP
+  cvin[1].value.scalar.ul = CERT_REV_FAIL_SOFT_CRL
-                            | CERT_REV_FLAG_CRL;
+                            | CERT_REV_FLAG_CRL
+                            ;
  cvin[2].type = cert_pi_end;
  CERTValOutParam cvout[2];