The Tor Browser / annotate

security/certverifier/ExtendedValidation.cpp@6474c204b198 (annotated)

security/certverifier/ExtendedValidation.cpp

Wed, 31 Dec 2014 06:09:35 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Wed, 31 Dec 2014 06:09:35 +0100
changeset 0
6474c204b198
permissions
-rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

michael@0 1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
michael@0 2 *
michael@0 3 * This Source Code Form is subject to the terms of the Mozilla Public
michael@0 4 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 6
michael@0 7 #include "ExtendedValidation.h"
michael@0 8
michael@0 9 #include "cert.h"
michael@0 10 #include "certdb.h"
michael@0 11 #include "base64.h"
michael@0 12 #include "pkix/nullptr.h"
michael@0 13 #include "pk11pub.h"
michael@0 14 #include "secerr.h"
michael@0 15 #include "prerror.h"
michael@0 16 #include "prinit.h"
michael@0 17
michael@0 18 #ifdef PR_LOGGING
michael@0 19 extern PRLogModuleInfo* gPIPNSSLog;
michael@0 20 #endif
michael@0 21
michael@0 22 #define CONST_OID static const unsigned char
michael@0 23 #define OI(x) { siDEROID, (unsigned char*) x, sizeof x }
michael@0 24
michael@0 25 struct nsMyTrustedEVInfo
michael@0 26 {
michael@0 27 const char* dotted_oid;
michael@0 28 const char* oid_name; // Set this to null to signal an invalid structure,
michael@0 29 // (We can't have an empty list, so we'll use a dummy entry)
michael@0 30 SECOidTag oid_tag;
michael@0 31 const unsigned char ev_root_sha1_fingerprint[20];
michael@0 32 const char* issuer_base64;
michael@0 33 const char* serial_base64;
michael@0 34 CERTCertificate* cert;
michael@0 35 };
michael@0 36
michael@0 37 // HOWTO enable additional CA root certificates for EV:
michael@0 38 //
michael@0 39 // For each combination of "root certificate" and "policy OID",
michael@0 40 // one entry must be added to the array named myTrustedEVInfos.
michael@0 41 //
michael@0 42 // We use the combination of "issuer name" and "serial number" to
michael@0 43 // uniquely identify the certificate. In order to avoid problems
michael@0 44 // because of encodings when comparing certificates, we don't
michael@0 45 // use plain text representation, we rather use the original encoding
michael@0 46 // as it can be found in the root certificate (in base64 format).
michael@0 47 //
michael@0 48 // We can use the NSS utility named "pp" to extract the encoding.
michael@0 49 //
michael@0 50 // Build standalone NSS including the NSS tools, then run
michael@0 51 // pp -t certificate-identity -i the-cert-filename
michael@0 52 //
michael@0 53 // You will need the output from sections "Issuer", "Fingerprint (SHA1)",
michael@0 54 // "Issuer DER Base64" and "Serial DER Base64".
michael@0 55 //
michael@0 56 // The new section consists of 8 lines:
michael@0 57 //
michael@0 58 // - a comment that should contain the human readable issuer name
michael@0 59 // of the certificate, as printed by the pp tool
michael@0 60 // - the EV policy OID that is associated to the EV grant
michael@0 61 // - a text description of the EV policy OID. The array can contain
michael@0 62 // multiple entries with the same OID.
michael@0 63 // Please make sure to use the identical OID text description for
michael@0 64 // all entries with the same policy OID (use the text search
michael@0 65 // feature of your text editor to find duplicates).
michael@0 66 // When adding a new policy OID that is not yet contained in the array,
michael@0 67 // please make sure that your new description is different from
michael@0 68 // all the other descriptions (again use the text search feature
michael@0 69 // to be sure).
michael@0 70 // - the constant SEC_OID_UNKNOWN
michael@0 71 // (it will be replaced at runtime with another identifier)
michael@0 72 // - the SHA1 fingerprint
michael@0 73 // - the "Issuer DER Base64" as printed by the pp tool.
michael@0 74 // Remove all whitespaces. If you use multiple lines, make sure that
michael@0 75 // only the final line will be followed by a comma.
michael@0 76 // - the "Serial DER Base64" (as printed by pp)
michael@0 77 // - nullptr
michael@0 78 //
michael@0 79 // After adding an entry, test it locally against the test site that
michael@0 80 // has been provided by the CA. Note that you must use a version of NSS
michael@0 81 // where the root certificate has already been added and marked as trusted
michael@0 82 // for issueing SSL server certificates (at least).
michael@0 83 //
michael@0 84 // If you are able to connect to the site without certificate errors,
michael@0 85 // but you don't see the EV status indicator, then most likely the CA
michael@0 86 // has a problem in their infrastructure. The most common problems are
michael@0 87 // related to the CA's OCSP infrastructure, either they use an incorrect
michael@0 88 // OCSP signing certificate, or OCSP for the intermediate certificates
michael@0 89 // isn't working, or OCSP isn't working at all.
michael@0 90
michael@0 91 static struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
michael@0 92 // IMPORTANT! When extending this list,
michael@0 93 // pairs of dotted_oid and oid_name should always be unique pairs.
michael@0 94 // In other words, if you add another list, that uses the same dotted_oid
michael@0 95 // as an existing entry, then please use the same oid_name.
michael@0 96 #ifdef DEBUG
michael@0 97 // Debug EV certificates should all use the OID (repeating EV OID is OK):
michael@0 98 // 1.3.6.1.4.1.13769.666.666.666.1.500.9.1.
michael@0 99 // If you add or remove debug EV certs you must also modify IdentityInfoInit
michael@0 100 // (there is another #ifdef DEBUG section there) so that the correct number of
michael@0 101 // certs are skipped as these debug EV certs are NOT part of the default trust
michael@0 102 // store.
michael@0 103 {
michael@0 104 // This is the testing EV signature (xpcshell) (RSA)
michael@0 105 // CN=XPCShell EV Testing (untrustworthy) CA,OU=Security Engineering,O=Mozilla - EV debug test CA,L=Mountain View,ST=CA,C=US"
michael@0 106 "1.3.6.1.4.1.13769.666.666.666.1.500.9.1",
michael@0 107 "DEBUGtesting EV OID",
michael@0 108 SEC_OID_UNKNOWN,
michael@0 109 { 0x9C, 0x62, 0xEF, 0xDB, 0xAE, 0xF9, 0xEB, 0x36, 0x58, 0xFB,
michael@0 110 0x3B, 0xD3, 0x47, 0x64, 0x93, 0x9D, 0x86, 0x29, 0x6A, 0xE0 },
michael@0 111 "MIGnMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWlu"
michael@0 112 "IFZpZXcxIzAhBgNVBAoMGk1vemlsbGEgLSBFViBkZWJ1ZyB0ZXN0IENBMR0wGwYD"
michael@0 113 "VQQLDBRTZWN1cml0eSBFbmdpbmVlcmluZzEvMC0GA1UEAwwmWFBDU2hlbGwgRVYg"
michael@0 114 "VGVzdGluZyAodW50cnVzdHdvcnRoeSkgQ0E=",
michael@0 115 "At+3zdo=",
michael@0 116 nullptr
michael@0 117 },
michael@0 118 #endif
michael@0 119 {
michael@0 120 // OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
michael@0 121 "1.2.392.200091.100.721.1",
michael@0 122 "SECOM EV OID",
michael@0 123 SEC_OID_UNKNOWN,
michael@0 124 { 0xFE, 0xB8, 0xC4, 0x32, 0xDC, 0xF9, 0x76, 0x9A, 0xCE, 0xAE,
michael@0 125 0x3D, 0xD8, 0x90, 0x8F, 0xFD, 0x28, 0x86, 0x65, 0x64, 0x7D },
michael@0 126 "MGAxCzAJBgNVBAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENP"
michael@0 127 "LixMVEQuMSowKAYDVQQLEyFTZWN1cml0eSBDb21tdW5pY2F0aW9uIEVWIFJvb3RD"
michael@0 128 "QTE=",
michael@0 129 "AA==",
michael@0 130 nullptr
michael@0 131 },
michael@0 132 {
michael@0 133 // CN=Cybertrust Global Root,O=Cybertrust, Inc
michael@0 134 "1.3.6.1.4.1.6334.1.100.1",
michael@0 135 "Cybertrust EV OID",
michael@0 136 SEC_OID_UNKNOWN,
michael@0 137 { 0x5F, 0x43, 0xE5, 0xB1, 0xBF, 0xF8, 0x78, 0x8C, 0xAC, 0x1C,
michael@0 138 0xC7, 0xCA, 0x4A, 0x9A, 0xC6, 0x22, 0x2B, 0xCC, 0x34, 0xC6 },
michael@0 139 "MDsxGDAWBgNVBAoTD0N5YmVydHJ1c3QsIEluYzEfMB0GA1UEAxMWQ3liZXJ0cnVz"
michael@0 140 "dCBHbG9iYWwgUm9vdA==",
michael@0 141 "BAAAAAABD4WqLUg=",
michael@0 142 nullptr
michael@0 143 },
michael@0 144 {
michael@0 145 // CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
michael@0 146 "2.16.756.1.89.1.2.1.1",
michael@0 147 "SwissSign EV OID",
michael@0 148 SEC_OID_UNKNOWN,
michael@0 149 { 0xD8, 0xC5, 0x38, 0x8A, 0xB7, 0x30, 0x1B, 0x1B, 0x6E, 0xD4,
michael@0 150 0x7A, 0xE6, 0x45, 0x25, 0x3A, 0x6F, 0x9F, 0x1A, 0x27, 0x61 },
michael@0 151 "MEUxCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMT"
michael@0 152 "FlN3aXNzU2lnbiBHb2xkIENBIC0gRzI=",
michael@0 153 "ALtAHEP1Xk+w",
michael@0 154 nullptr
michael@0 155 },
michael@0 156 {
michael@0 157 // CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
michael@0 158 "1.3.6.1.4.1.23223.1.1.1",
michael@0 159 "StartCom EV OID",
michael@0 160 SEC_OID_UNKNOWN,
michael@0 161 { 0x3E, 0x2B, 0xF7, 0xF2, 0x03, 0x1B, 0x96, 0xF3, 0x8C, 0xE6,
michael@0 162 0xC4, 0xD8, 0xA8, 0x5D, 0x3E, 0x2D, 0x58, 0x47, 0x6A, 0x0F },
michael@0 163 "MH0xCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQL"
michael@0 164 "EyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMSkwJwYDVQQDEyBT"
michael@0 165 "dGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
michael@0 166 "AQ==",
michael@0 167 nullptr
michael@0 168 },
michael@0 169 {
michael@0 170 // CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
michael@0 171 "1.3.6.1.4.1.23223.1.1.1",
michael@0 172 "StartCom EV OID",
michael@0 173 SEC_OID_UNKNOWN,
michael@0 174 { 0xA3, 0xF1, 0x33, 0x3F, 0xE2, 0x42, 0xBF, 0xCF, 0xC5, 0xD1,
michael@0 175 0x4E, 0x8F, 0x39, 0x42, 0x98, 0x40, 0x68, 0x10, 0xD1, 0xA0 },
michael@0 176 "MH0xCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQL"
michael@0 177 "EyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMSkwJwYDVQQDEyBT"
michael@0 178 "dGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
michael@0 179 "LQ==",
michael@0 180 nullptr
michael@0 181 },
michael@0 182 {
michael@0 183 // CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
michael@0 184 "1.3.6.1.4.1.23223.1.1.1",
michael@0 185 "StartCom EV OID",
michael@0 186 SEC_OID_UNKNOWN,
michael@0 187 { 0x31, 0xF1, 0xFD, 0x68, 0x22, 0x63, 0x20, 0xEE, 0xC6, 0x3B,
michael@0 188 0x3F, 0x9D, 0xEA, 0x4A, 0x3E, 0x53, 0x7C, 0x7C, 0x39, 0x17 },
michael@0 189 "MFMxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSwwKgYDVQQD"
michael@0 190 "EyNTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBHMg==",
michael@0 191 "Ow==",
michael@0 192 nullptr
michael@0 193 },
michael@0 194 {
michael@0 195 // CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
michael@0 196 "2.16.840.1.113733.1.7.23.6",
michael@0 197 "VeriSign EV OID",
michael@0 198 SEC_OID_UNKNOWN,
michael@0 199 { 0x4E, 0xB6, 0xD5, 0x78, 0x49, 0x9B, 0x1C, 0xCF, 0x5F, 0x58,
michael@0 200 0x1E, 0xAD, 0x56, 0xBE, 0x3D, 0x9B, 0x67, 0x44, 0xA5, 0xE5 },
michael@0 201 "MIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNV"
michael@0 202 "BAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA2IFZl"
michael@0 203 "cmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMT"
michael@0 204 "PFZlcmlTaWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBB"
michael@0 205 "dXRob3JpdHkgLSBHNQ==",
michael@0 206 "GNrRniZ96LtKIVjNzGs7Sg==",
michael@0 207 nullptr
michael@0 208 },
michael@0 209 {
michael@0 210 // CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
michael@0 211 "1.3.6.1.4.1.14370.1.6",
michael@0 212 "GeoTrust EV OID",
michael@0 213 SEC_OID_UNKNOWN,
michael@0 214 { 0x32, 0x3C, 0x11, 0x8E, 0x1B, 0xF7, 0xB8, 0xB6, 0x52, 0x54,
michael@0 215 0xE2, 0xE2, 0x10, 0x0D, 0xD6, 0x02, 0x90, 0x37, 0xF0, 0x96 },
michael@0 216 "MFgxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTEwLwYDVQQD"
michael@0 217 "EyhHZW9UcnVzdCBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5",
michael@0 218 "GKy1av1pthU6Y2yv2vrEoQ==",
michael@0 219 nullptr
michael@0 220 },
michael@0 221 {
michael@0 222 // CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
michael@0 223 "2.16.840.1.113733.1.7.48.1",
michael@0 224 "Thawte EV OID",
michael@0 225 SEC_OID_UNKNOWN,
michael@0 226 { 0x91, 0xC6, 0xD6, 0xEE, 0x3E, 0x8A, 0xC8, 0x63, 0x84, 0xE5,
michael@0 227 0x48, 0xC2, 0x99, 0x29, 0x5C, 0x75, 0x6C, 0x81, 0x7B, 0x81 },
michael@0 228 "MIGpMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSgwJgYDVQQL"
michael@0 229 "Ex9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYDVQQLEy8oYykg"
michael@0 230 "MjAwNiB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEfMB0G"
michael@0 231 "A1UEAxMWdGhhd3RlIFByaW1hcnkgUm9vdCBDQQ==",
michael@0 232 "NE7VVyDV7exJ9C/ON9srbQ==",
michael@0 233 nullptr
michael@0 234 },
michael@0 235 {
michael@0 236 // CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
michael@0 237 "2.16.840.1.114404.1.1.2.4.1",
michael@0 238 "Trustwave EV OID",
michael@0 239 SEC_OID_UNKNOWN,
michael@0 240 { 0xB8, 0x01, 0x86, 0xD1, 0xEB, 0x9C, 0x86, 0xA5, 0x41, 0x04,
michael@0 241 0xCF, 0x30, 0x54, 0xF3, 0x4C, 0x52, 0xB7, 0xE5, 0x58, 0xC6 },
michael@0 242 "MIGCMQswCQYDVQQGEwJVUzEeMBwGA1UECxMVd3d3LnhyYW1wc2VjdXJpdHkuY29t"
michael@0 243 "MSQwIgYDVQQKExtYUmFtcCBTZWN1cml0eSBTZXJ2aWNlcyBJbmMxLTArBgNVBAMT"
michael@0 244 "JFhSYW1wIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
michael@0 245 "UJRs7Bjq1ZxN1ZfvdY+grQ==",
michael@0 246 nullptr
michael@0 247 },
michael@0 248 {
michael@0 249 // CN=SecureTrust CA,O=SecureTrust Corporation,C=US
michael@0 250 "2.16.840.1.114404.1.1.2.4.1",
michael@0 251 "Trustwave EV OID",
michael@0 252 SEC_OID_UNKNOWN,
michael@0 253 { 0x87, 0x82, 0xC6, 0xC3, 0x04, 0x35, 0x3B, 0xCF, 0xD2, 0x96,
michael@0 254 0x92, 0xD2, 0x59, 0x3E, 0x7D, 0x44, 0xD9, 0x34, 0xFF, 0x11 },
michael@0 255 "MEgxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlv"
michael@0 256 "bjEXMBUGA1UEAxMOU2VjdXJlVHJ1c3QgQ0E=",
michael@0 257 "DPCOXAgWpa1Cf/DrJxhZ0A==",
michael@0 258 nullptr
michael@0 259 },
michael@0 260 {
michael@0 261 // CN=Secure Global CA,O=SecureTrust Corporation,C=US
michael@0 262 "2.16.840.1.114404.1.1.2.4.1",
michael@0 263 "Trustwave EV OID",
michael@0 264 SEC_OID_UNKNOWN,
michael@0 265 { 0x3A, 0x44, 0x73, 0x5A, 0xE5, 0x81, 0x90, 0x1F, 0x24, 0x86,
michael@0 266 0x61, 0x46, 0x1E, 0x3B, 0x9C, 0xC4, 0x5F, 0xF5, 0x3A, 0x1B },
michael@0 267 "MEoxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlv"
michael@0 268 "bjEZMBcGA1UEAxMQU2VjdXJlIEdsb2JhbCBDQQ==",
michael@0 269 "B1YipOjUiolN9BPI8PjqpQ==",
michael@0 270 nullptr
michael@0 271 },
michael@0 272 {
michael@0 273 // CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
michael@0 274 "1.3.6.1.4.1.6449.1.2.1.5.1",
michael@0 275 "Comodo EV OID",
michael@0 276 SEC_OID_UNKNOWN,
michael@0 277 { 0x9F, 0x74, 0x4E, 0x9F, 0x2B, 0x4D, 0xBA, 0xEC, 0x0F, 0x31,
michael@0 278 0x2C, 0x50, 0xB6, 0x56, 0x3B, 0x8E, 0x2D, 0x93, 0xC3, 0x11 },
michael@0 279 "MIGFMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAw"
michael@0 280 "DgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDErMCkG"
michael@0 281 "A1UEAxMiQ09NT0RPIEVDQyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
michael@0 282 "H0evqmIAcFBUTAGem2OZKg==",
michael@0 283 nullptr
michael@0 284 },
michael@0 285 {
michael@0 286 // CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
michael@0 287 "1.3.6.1.4.1.6449.1.2.1.5.1",
michael@0 288 "Comodo EV OID",
michael@0 289 SEC_OID_UNKNOWN,
michael@0 290 { 0x66, 0x31, 0xBF, 0x9E, 0xF7, 0x4F, 0x9E, 0xB6, 0xC9, 0xD5,
michael@0 291 0xA6, 0x0C, 0xBA, 0x6A, 0xBE, 0xD1, 0xF7, 0xBD, 0xEF, 0x7B },
michael@0 292 "MIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAw"
michael@0 293 "DgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDEnMCUG"
michael@0 294 "A1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0aG9yaXR5",
michael@0 295 "ToEtioJl4AsC7j41AkblPQ==",
michael@0 296 nullptr
michael@0 297 },
michael@0 298 {
michael@0 299 // CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
michael@0 300 "1.3.6.1.4.1.6449.1.2.1.5.1",
michael@0 301 "Comodo EV OID",
michael@0 302 SEC_OID_UNKNOWN,
michael@0 303 { 0x02, 0xFA, 0xF3, 0xE2, 0x91, 0x43, 0x54, 0x68, 0x60, 0x78,
michael@0 304 0x57, 0x69, 0x4D, 0xF5, 0xE4, 0x5B, 0x68, 0x85, 0x18, 0x68 },
michael@0 305 "MG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRUcnVzdCBBQjEmMCQGA1UECxMd"
michael@0 306 "QWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsxIjAgBgNVBAMTGUFkZFRydXN0"
michael@0 307 "IEV4dGVybmFsIENBIFJvb3Q=",
michael@0 308 "AQ==",
michael@0 309 nullptr
michael@0 310 },
michael@0 311 {
michael@0 312 // CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
michael@0 313 "1.3.6.1.4.1.6449.1.2.1.5.1",
michael@0 314 "Comodo EV OID",
michael@0 315 SEC_OID_UNKNOWN,
michael@0 316 { 0x58, 0x11, 0x9F, 0x0E, 0x12, 0x82, 0x87, 0xEA, 0x50, 0xFD,
michael@0 317 0xD9, 0x87, 0x45, 0x6F, 0x4F, 0x78, 0xDC, 0xFA, 0xD6, 0xD4 },
michael@0 318 "MIGTMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFr"
michael@0 319 "ZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsT"
michael@0 320 "GGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEbMBkGA1UEAxMSVVROIC0gREFUQUNv"
michael@0 321 "cnAgU0dD",
michael@0 322 "RL4Mi1AAIbQR0ypoBqmtaQ==",
michael@0 323 nullptr
michael@0 324 },
michael@0 325 {
michael@0 326 // CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
michael@0 327 "1.3.6.1.4.1.6449.1.2.1.5.1",
michael@0 328 "Comodo EV OID",
michael@0 329 SEC_OID_UNKNOWN,
michael@0 330 { 0x04, 0x83, 0xED, 0x33, 0x99, 0xAC, 0x36, 0x08, 0x05, 0x87,
michael@0 331 0x22, 0xED, 0xBC, 0x5E, 0x46, 0x00, 0xE3, 0xBE, 0xF9, 0xD7 },
michael@0 332 "MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFr"
michael@0 333 "ZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsT"
michael@0 334 "GGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJz"
michael@0 335 "dC1IYXJkd2FyZQ==",
michael@0 336 "RL4Mi1AAJLQR0zYq/mUK/Q==",
michael@0 337 nullptr
michael@0 338 },
michael@0 339 {
michael@0 340 // OU=Go Daddy Class 2 Certification Authority,O=\"The Go Daddy Group, Inc.\",C=US
michael@0 341 "2.16.840.1.114413.1.7.23.3",
michael@0 342 "Go Daddy EV OID a",
michael@0 343 SEC_OID_UNKNOWN,
michael@0 344 { 0x27, 0x96, 0xBA, 0xE6, 0x3F, 0x18, 0x01, 0xE2, 0x77, 0x26,
michael@0 345 0x1B, 0xA0, 0xD7, 0x77, 0x70, 0x02, 0x8F, 0x20, 0xEE, 0xE4 },
michael@0 346 "MGMxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIElu"
michael@0 347 "Yy4xMTAvBgNVBAsTKEdvIERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRo"
michael@0 348 "b3JpdHk=",
michael@0 349 "AA==",
michael@0 350 nullptr
michael@0 351 },
michael@0 352 {
michael@0 353 // CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
michael@0 354 "2.16.840.1.114413.1.7.23.3",
michael@0 355 "Go Daddy EV OID a",
michael@0 356 SEC_OID_UNKNOWN,
michael@0 357 { 0x47, 0xBE, 0xAB, 0xC9, 0x22, 0xEA, 0xE8, 0x0E, 0x78, 0x78,
michael@0 358 0x34, 0x62, 0xA7, 0x9F, 0x45, 0xC2, 0x54, 0xFD, 0xE6, 0x8B },
michael@0 359 "MIGDMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv"
michael@0 360 "dHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xMTAvBgNVBAMTKEdv"
michael@0 361 "IERhZGR5IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzI=",
michael@0 362 "AA==",
michael@0 363 nullptr
michael@0 364 },
michael@0 365 {
michael@0 366 // OU=Starfield Class 2 Certification Authority,O=\"Starfield Technologies, Inc.\",C=US
michael@0 367 "2.16.840.1.114414.1.7.23.3",
michael@0 368 "Go Daddy EV OID b",
michael@0 369 SEC_OID_UNKNOWN,
michael@0 370 { 0xAD, 0x7E, 0x1C, 0x28, 0xB0, 0x64, 0xEF, 0x8F, 0x60, 0x03,
michael@0 371 0x40, 0x20, 0x14, 0xC3, 0xD0, 0xE3, 0x37, 0x0E, 0xB5, 0x8A },
michael@0 372 "MGgxCzAJBgNVBAYTAlVTMSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVz"
michael@0 373 "LCBJbmMuMTIwMAYDVQQLEylTdGFyZmllbGQgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9u"
michael@0 374 "IEF1dGhvcml0eQ==",
michael@0 375 "AA==",
michael@0 376 nullptr
michael@0 377 },
michael@0 378 {
michael@0 379 // CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
michael@0 380 "2.16.840.1.114414.1.7.23.3",
michael@0 381 "Go Daddy EV OID b",
michael@0 382 SEC_OID_UNKNOWN,
michael@0 383 { 0xB5, 0x1C, 0x06, 0x7C, 0xEE, 0x2B, 0x0C, 0x3D, 0xF8, 0x55,
michael@0 384 0xAB, 0x2D, 0x92, 0xF4, 0xFE, 0x39, 0xD4, 0xE7, 0x0F, 0x0E },
michael@0 385 "MIGPMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv"
michael@0 386 "dHRzZGFsZTElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEy"
michael@0 387 "MDAGA1UEAxMpU3RhcmZpZWxkIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0g"
michael@0 388 "RzI=",
michael@0 389 "AA==",
michael@0 390 nullptr
michael@0 391 },
michael@0 392 {
michael@0 393 // CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
michael@0 394 "2.16.840.1.114412.2.1",
michael@0 395 "DigiCert EV OID",
michael@0 396 SEC_OID_UNKNOWN,
michael@0 397 { 0x5F, 0xB7, 0xEE, 0x06, 0x33, 0xE2, 0x59, 0xDB, 0xAD, 0x0C,
michael@0 398 0x4C, 0x9A, 0xE6, 0xD3, 0X8F, 0x1A, 0x61, 0xC7, 0xDC, 0x25 },
michael@0 399 "MGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT"
michael@0 400 "EHd3dy5kaWdpY2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0IEhpZ2ggQXNzdXJh"
michael@0 401 "bmNlIEVWIFJvb3QgQ0E=",
michael@0 402 "AqxcJmoLQJuPC3nyrkYldw==",
michael@0 403 nullptr
michael@0 404 },
michael@0 405 {
michael@0 406 // CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
michael@0 407 "1.3.6.1.4.1.8024.0.2.100.1.2",
michael@0 408 "Quo Vadis EV OID",
michael@0 409 SEC_OID_UNKNOWN,
michael@0 410 { 0xCA, 0x3A, 0xFB, 0xCF, 0x12, 0x40, 0x36, 0x4B, 0x44, 0xB2,
michael@0 411 0x16, 0x20, 0x88, 0x80, 0x48, 0x39, 0x19, 0x93, 0x7C, 0xF7 },
michael@0 412 "MEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYD"
michael@0 413 "VQQDExJRdW9WYWRpcyBSb290IENBIDI=",
michael@0 414 "BQk=",
michael@0 415 nullptr
michael@0 416 },
michael@0 417 {
michael@0 418 // CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
michael@0 419 "1.3.6.1.4.1.782.1.2.1.8.1",
michael@0 420 "Network Solutions EV OID",
michael@0 421 SEC_OID_UNKNOWN,
michael@0 422 { 0x74, 0xF8, 0xA3, 0xC3, 0xEF, 0xE7, 0xB3, 0x90, 0x06, 0x4B,
michael@0 423 0x83, 0x90, 0x3C, 0x21, 0x64, 0x60, 0x20, 0xE5, 0xDF, 0xCE },
michael@0 424 "MGIxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhOZXR3b3JrIFNvbHV0aW9ucyBMLkwu"
michael@0 425 "Qy4xMDAuBgNVBAMTJ05ldHdvcmsgU29sdXRpb25zIENlcnRpZmljYXRlIEF1dGhv"
michael@0 426 "cml0eQ==",
michael@0 427 "V8szb8JcFuZHFhfjkDFo4A==",
michael@0 428 nullptr
michael@0 429 },
michael@0 430 {
michael@0 431 // CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
michael@0 432 "2.16.840.1.114028.10.1.2",
michael@0 433 "Entrust EV OID",
michael@0 434 SEC_OID_UNKNOWN,
michael@0 435 { 0xB3, 0x1E, 0xB1, 0xB7, 0x40, 0xE3, 0x6C, 0x84, 0x02, 0xDA,
michael@0 436 0xDC, 0x37, 0xD4, 0x4D, 0xF5, 0xD4, 0x67, 0x49, 0x52, 0xF9 },
michael@0 437 "MIGwMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjE5MDcGA1UE"
michael@0 438 "CxMwd3d3LmVudHJ1c3QubmV0L0NQUyBpcyBpbmNvcnBvcmF0ZWQgYnkgcmVmZXJl"
michael@0 439 "bmNlMR8wHQYDVQQLExYoYykgMjAwNiBFbnRydXN0LCBJbmMuMS0wKwYDVQQDEyRF"
michael@0 440 "bnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHk=",
michael@0 441 "RWtQVA==",
michael@0 442 nullptr
michael@0 443 },
michael@0 444 {
michael@0 445 // CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
michael@0 446 "1.3.6.1.4.1.4146.1.1",
michael@0 447 "GlobalSign EV OID",
michael@0 448 SEC_OID_UNKNOWN,
michael@0 449 { 0xB1, 0xBC, 0x96, 0x8B, 0xD4, 0xF4, 0x9D, 0x62, 0x2A, 0xA8,
michael@0 450 0x9A, 0x81, 0xF2, 0x15, 0x01, 0x52, 0xA4, 0x1D, 0x82, 0x9C },
michael@0 451 "MFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYD"
michael@0 452 "VQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxTaWduIFJvb3QgQ0E=",
michael@0 453 "BAAAAAABFUtaw5Q=",
michael@0 454 nullptr
michael@0 455 },
michael@0 456 {
michael@0 457 // CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
michael@0 458 "1.3.6.1.4.1.4146.1.1",
michael@0 459 "GlobalSign EV OID",
michael@0 460 SEC_OID_UNKNOWN,
michael@0 461 { 0x75, 0xE0, 0xAB, 0xB6, 0x13, 0x85, 0x12, 0x27, 0x1C, 0x04,
michael@0 462 0xF8, 0x5F, 0xDD, 0xDE, 0x38, 0xE4, 0xB7, 0x24, 0x2E, 0xFE },
michael@0 463 "MEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIyMRMwEQYDVQQKEwpH"
michael@0 464 "bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu",
michael@0 465 "BAAAAAABD4Ym5g0=",
michael@0 466 nullptr
michael@0 467 },
michael@0 468 {
michael@0 469 // CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
michael@0 470 "1.3.6.1.4.1.4146.1.1",
michael@0 471 "GlobalSign EV OID",
michael@0 472 SEC_OID_UNKNOWN,
michael@0 473 { 0xD6, 0x9B, 0x56, 0x11, 0x48, 0xF0, 0x1C, 0x77, 0xC5, 0x45,
michael@0 474 0x78, 0xC1, 0x09, 0x26, 0xDF, 0x5B, 0x85, 0x69, 0x76, 0xAD },
michael@0 475 "MEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIzMRMwEQYDVQQKEwpH"
michael@0 476 "bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu",
michael@0 477 "BAAAAAABIVhTCKI=",
michael@0 478 nullptr
michael@0 479 },
michael@0 480 {
michael@0 481 // CN=Buypass Class 3 CA 1,O=Buypass AS-983163327,C=NO
michael@0 482 "2.16.578.1.26.1.3.3",
michael@0 483 "Buypass EV OID",
michael@0 484 SEC_OID_UNKNOWN,
michael@0 485 { 0x61, 0x57, 0x3A, 0x11, 0xDF, 0x0E, 0xD8, 0x7E, 0xD5, 0x92,
michael@0 486 0x65, 0x22, 0xEA, 0xD0, 0x56, 0xD7, 0x44, 0xB3, 0x23, 0x71 },
michael@0 487 "MEsxCzAJBgNVBAYTAk5PMR0wGwYDVQQKDBRCdXlwYXNzIEFTLTk4MzE2MzMyNzEd"
michael@0 488 "MBsGA1UEAwwUQnV5cGFzcyBDbGFzcyAzIENBIDE=",
michael@0 489 "Ag==",
michael@0 490 nullptr
michael@0 491 },
michael@0 492 {
michael@0 493 // CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO
michael@0 494 "2.16.578.1.26.1.3.3",
michael@0 495 "Buypass EV OID",
michael@0 496 SEC_OID_UNKNOWN,
michael@0 497 { 0xDA, 0xFA, 0xF7, 0xFA, 0x66, 0x84, 0xEC, 0x06, 0x8F, 0x14,
michael@0 498 0x50, 0xBD, 0xC7, 0xC2, 0x81, 0xA5, 0xBC, 0xA9, 0x64, 0x57 },
michael@0 499 "ME4xCzAJBgNVBAYTAk5PMR0wGwYDVQQKDBRCdXlwYXNzIEFTLTk4MzE2MzMyNzEg"
michael@0 500 "MB4GA1UEAwwXQnV5cGFzcyBDbGFzcyAzIFJvb3QgQ0E=",
michael@0 501 "Ag==",
michael@0 502 nullptr
michael@0 503 },
michael@0 504 {
michael@0 505 // CN=Class 2 Primary CA,O=Certplus,C=FR
michael@0 506 "1.3.6.1.4.1.22234.2.5.2.3.1",
michael@0 507 "Certplus EV OID",
michael@0 508 SEC_OID_UNKNOWN,
michael@0 509 { 0x74, 0x20, 0x74, 0x41, 0x72, 0x9C, 0xDD, 0x92, 0xEC, 0x79,
michael@0 510 0x31, 0xD8, 0x23, 0x10, 0x8D, 0xC2, 0x81, 0x92, 0xE2, 0xBB },
michael@0 511 "MD0xCzAJBgNVBAYTAkZSMREwDwYDVQQKEwhDZXJ0cGx1czEbMBkGA1UEAxMSQ2xh"
michael@0 512 "c3MgMiBQcmltYXJ5IENB",
michael@0 513 "AIW9S/PY2uNp9pTXX8OlRCM=",
michael@0 514 nullptr
michael@0 515 },
michael@0 516 {
michael@0 517 // CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
michael@0 518 "1.3.6.1.4.1.17326.10.14.2.1.2",
michael@0 519 "Camerfirma EV OID a",
michael@0 520 SEC_OID_UNKNOWN,
michael@0 521 { 0x78, 0x6A, 0x74, 0xAC, 0x76, 0xAB, 0x14, 0x7F, 0x9C, 0x6A,
michael@0 522 0x30, 0x50, 0xBA, 0x9E, 0xA8, 0x7E, 0xFE, 0x9A, 0xCE, 0x3C },
michael@0 523 "MIGuMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBh"
michael@0 524 "ZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJ"
michael@0 525 "QTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xKTAnBgNVBAMT"
michael@0 526 "IENoYW1iZXJzIG9mIENvbW1lcmNlIFJvb3QgLSAyMDA4",
michael@0 527 "AKPaQn6ksa7a",
michael@0 528 nullptr
michael@0 529 },
michael@0 530 {
michael@0 531 // CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
michael@0 532 "1.3.6.1.4.1.17326.10.8.12.1.2",
michael@0 533 "Camerfirma EV OID b",
michael@0 534 SEC_OID_UNKNOWN,
michael@0 535 { 0x4A, 0xBD, 0xEE, 0xEC, 0x95, 0x0D, 0x35, 0x9C, 0x89, 0xAE,
michael@0 536 0xC7, 0x52, 0xA1, 0x2C, 0x5B, 0x29, 0xF6, 0xD6, 0xAA, 0x0C },
michael@0 537 "MIGsMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBh"
michael@0 538 "ZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJ"
michael@0 539 "QTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xJzAlBgNVBAMT"
michael@0 540 "Hkdsb2JhbCBDaGFtYmVyc2lnbiBSb290IC0gMjAwOA==",
michael@0 541 "AMnN0+nVfSPO",
michael@0 542 nullptr
michael@0 543 },
michael@0 544 {
michael@0 545 // CN=TC TrustCenter Universal CA III,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE
michael@0 546 "1.2.276.0.44.1.1.1.4",
michael@0 547 "TC TrustCenter EV OID",
michael@0 548 SEC_OID_UNKNOWN,
michael@0 549 { 0x96, 0x56, 0xCD, 0x7B, 0x57, 0x96, 0x98, 0x95, 0xD0, 0xE1,
michael@0 550 0x41, 0x46, 0x68, 0x06, 0xFB, 0xB8, 0xC6, 0x11, 0x06, 0x87 },
michael@0 551 "MHsxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSQw"
michael@0 552 "IgYDVQQLExtUQyBUcnVzdENlbnRlciBVbml2ZXJzYWwgQ0ExKDAmBgNVBAMTH1RD"
michael@0 553 "IFRydXN0Q2VudGVyIFVuaXZlcnNhbCBDQSBJSUk=",
michael@0 554 "YyUAAQACFI0zFQLkbPQ=",
michael@0 555 nullptr
michael@0 556 },
michael@0 557 {
michael@0 558 // CN=AffirmTrust Commercial,O=AffirmTrust,C=US
michael@0 559 "1.3.6.1.4.1.34697.2.1",
michael@0 560 "AffirmTrust EV OID a",
michael@0 561 SEC_OID_UNKNOWN,
michael@0 562 { 0xF9, 0xB5, 0xB6, 0x32, 0x45, 0x5F, 0x9C, 0xBE, 0xEC, 0x57,
michael@0 563 0x5F, 0x80, 0xDC, 0xE9, 0x6E, 0x2C, 0xC7, 0xB2, 0x78, 0xB7 },
michael@0 564 "MEQxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwW"
michael@0 565 "QWZmaXJtVHJ1c3QgQ29tbWVyY2lhbA==",
michael@0 566 "d3cGJyapsXw=",
michael@0 567 nullptr
michael@0 568 },
michael@0 569 {
michael@0 570 // CN=AffirmTrust Networking,O=AffirmTrust,C=US
michael@0 571 "1.3.6.1.4.1.34697.2.2",
michael@0 572 "AffirmTrust EV OID b",
michael@0 573 SEC_OID_UNKNOWN,
michael@0 574 { 0x29, 0x36, 0x21, 0x02, 0x8B, 0x20, 0xED, 0x02, 0xF5, 0x66,
michael@0 575 0xC5, 0x32, 0xD1, 0xD6, 0xED, 0x90, 0x9F, 0x45, 0x00, 0x2F },
michael@0 576 "MEQxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwW"
michael@0 577 "QWZmaXJtVHJ1c3QgTmV0d29ya2luZw==",
michael@0 578 "fE8EORzUmS0=",
michael@0 579 nullptr
michael@0 580 },
michael@0 581 {
michael@0 582 // CN=AffirmTrust Premium,O=AffirmTrust,C=US
michael@0 583 "1.3.6.1.4.1.34697.2.3",
michael@0 584 "AffirmTrust EV OID c",
michael@0 585 SEC_OID_UNKNOWN,
michael@0 586 { 0xD8, 0xA6, 0x33, 0x2C, 0xE0, 0x03, 0x6F, 0xB1, 0x85, 0xF6,
michael@0 587 0x63, 0x4F, 0x7D, 0x6A, 0x06, 0x65, 0x26, 0x32, 0x28, 0x27 },
michael@0 588 "MEExCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEcMBoGA1UEAwwT"
michael@0 589 "QWZmaXJtVHJ1c3QgUHJlbWl1bQ==",
michael@0 590 "bYwURrGmCu4=",
michael@0 591 nullptr
michael@0 592 },
michael@0 593 {
michael@0 594 // CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
michael@0 595 "1.3.6.1.4.1.34697.2.4",
michael@0 596 "AffirmTrust EV OID d",
michael@0 597 SEC_OID_UNKNOWN,
michael@0 598 { 0xB8, 0x23, 0x6B, 0x00, 0x2F, 0x1D, 0x16, 0x86, 0x53, 0x01,
michael@0 599 0x55, 0x6C, 0x11, 0xA4, 0x37, 0xCA, 0xEB, 0xFF, 0xC3, 0xBB },
michael@0 600 "MEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwX"
michael@0 601 "QWZmaXJtVHJ1c3QgUHJlbWl1bSBFQ0M=",
michael@0 602 "dJclisc/elQ=",
michael@0 603 nullptr
michael@0 604 },
michael@0 605 {
michael@0 606 // CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
michael@0 607 "1.2.616.1.113527.2.5.1.1",
michael@0 608 "Certum EV OID",
michael@0 609 SEC_OID_UNKNOWN,
michael@0 610 { 0x07, 0xE0, 0x32, 0xE0, 0x20, 0xB7, 0x2C, 0x3F, 0x19, 0x2F,
michael@0 611 0x06, 0x28, 0xA2, 0x59, 0x3A, 0x19, 0xA7, 0x0F, 0x06, 0x9E },
michael@0 612 "MH4xCzAJBgNVBAYTAlBMMSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBT"
michael@0 613 "LkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAg"
michael@0 614 "BgNVBAMTGUNlcnR1bSBUcnVzdGVkIE5ldHdvcmsgQ0E=",
michael@0 615 "BETA",
michael@0 616 nullptr
michael@0 617 },
michael@0 618 {
michael@0 619 // CN=Izenpe.com,O=IZENPE S.A.,C=ES
michael@0 620 "1.3.6.1.4.1.14777.6.1.1",
michael@0 621 "Izenpe EV OID 1",
michael@0 622 SEC_OID_UNKNOWN,
michael@0 623 { 0x2F, 0x78, 0x3D, 0x25, 0x52, 0x18, 0xA7, 0x4A, 0x65, 0x39,
michael@0 624 0x71, 0xB5, 0x2C, 0xA2, 0x9C, 0x45, 0x15, 0x6F, 0xE9, 0x19 },
michael@0 625 "MDgxCzAJBgNVBAYTAkVTMRQwEgYDVQQKDAtJWkVOUEUgUy5BLjETMBEGA1UEAwwK"
michael@0 626 "SXplbnBlLmNvbQ==",
michael@0 627 "ALC3WhZIX7/hy/WL1xnmfQ==",
michael@0 628 nullptr
michael@0 629 },
michael@0 630 {
michael@0 631 // CN=Izenpe.com,O=IZENPE S.A.,C=ES
michael@0 632 "1.3.6.1.4.1.14777.6.1.2",
michael@0 633 "Izenpe EV OID 2",
michael@0 634 SEC_OID_UNKNOWN,
michael@0 635 { 0x2F, 0x78, 0x3D, 0x25, 0x52, 0x18, 0xA7, 0x4A, 0x65, 0x39,
michael@0 636 0x71, 0xB5, 0x2C, 0xA2, 0x9C, 0x45, 0x15, 0x6F, 0xE9, 0x19 },
michael@0 637 "MDgxCzAJBgNVBAYTAkVTMRQwEgYDVQQKDAtJWkVOUEUgUy5BLjETMBEGA1UEAwwK"
michael@0 638 "SXplbnBlLmNvbQ==",
michael@0 639 "ALC3WhZIX7/hy/WL1xnmfQ==",
michael@0 640 nullptr
michael@0 641 },
michael@0 642 {
michael@0 643 // CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
michael@0 644 "1.2.40.0.17.1.22",
michael@0 645 "A-Trust EV OID",
michael@0 646 SEC_OID_UNKNOWN,
michael@0 647 { 0xD3, 0xC0, 0x63, 0xF2, 0x19, 0xED, 0x07, 0x3E, 0x34, 0xAD,
michael@0 648 0x5D, 0x75, 0x0B, 0x32, 0x76, 0x29, 0xFF, 0xD5, 0x9A, 0xF2 },
michael@0 649 "MIGNMQswCQYDVQQGEwJBVDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hl"
michael@0 650 "cmhlaXRzc3lzdGVtZSBpbSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMRkwFwYD"
michael@0 651 "VQQLDBBBLVRydXN0LW5RdWFsLTAzMRkwFwYDVQQDDBBBLVRydXN0LW5RdWFsLTAz",
michael@0 652 "AWwe",
michael@0 653 nullptr
michael@0 654 },
michael@0 655 {
michael@0 656 // CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
michael@0 657 "1.3.6.1.4.1.7879.13.24.1",
michael@0 658 "T-Systems EV OID",
michael@0 659 SEC_OID_UNKNOWN,
michael@0 660 { 0x55, 0xA6, 0x72, 0x3E, 0xCB, 0xF2, 0xEC, 0xCD, 0xC3, 0x23,
michael@0 661 0x74, 0x70, 0x19, 0x9D, 0x2A, 0xBE, 0x11, 0xE3, 0x81, 0xD1 },
michael@0 662 "MIGCMQswCQYDVQQGEwJERTErMCkGA1UECgwiVC1TeXN0ZW1zIEVudGVycHJpc2Ug"
michael@0 663 "U2VydmljZXMgR21iSDEfMB0GA1UECwwWVC1TeXN0ZW1zIFRydXN0IENlbnRlcjEl"
michael@0 664 "MCMGA1UEAwwcVC1UZWxlU2VjIEdsb2JhbFJvb3QgQ2xhc3MgMw==",
michael@0 665 "AQ==",
michael@0 666 nullptr
michael@0 667 },
michael@0 668 {
michael@0 669 // CN=TURKTRUST Elektronik Sertifika Hizmet Saglayicisi,O=TURKTRUST Bilgi Illetisim ve Bilisim Guvenligi Hizmetleri A.S.,C=TR
michael@0 670 "2.16.792.3.0.3.1.1.5",
michael@0 671 "TurkTrust EV OID",
michael@0 672 SEC_OID_UNKNOWN,
michael@0 673 { 0xF1, 0x7F, 0x6F, 0xB6, 0x31, 0xDC, 0x99, 0xE3, 0xA3, 0xC8,
michael@0 674 0x7F, 0xFE, 0x1C, 0xF1, 0x81, 0x10, 0x88, 0xD9, 0x60, 0x33 },
michael@0 675 "MIG/MT8wPQYDVQQDDDZUw5xSS1RSVVNUIEVsZWt0cm9uaWsgU2VydGlmaWthIEhp"
michael@0 676 "em1ldCBTYcSfbGF5xLFjxLFzxLExCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmth"
michael@0 677 "cmExXjBcBgNVBAoMVVTDnFJLVFJVU1QgQmlsZ2kgxLBsZXRpxZ9pbSB2ZSBCaWxp"
michael@0 678 "xZ9pbSBHw7x2ZW5sacSfaSBIaXptZXRsZXJpIEEuxZ4uIChjKSBBcmFsxLFrIDIw"
michael@0 679 "MDc=",
michael@0 680 "AQ==",
michael@0 681 nullptr
michael@0 682 },
michael@0 683 {
michael@0 684 // CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
michael@0 685 "1.3.6.1.4.1.29836.1.10",
michael@0 686 "CNNIC EV OID",
michael@0 687 SEC_OID_UNKNOWN,
michael@0 688 { 0x4F, 0x99, 0xAA, 0x93, 0xFB, 0x2B, 0xD1, 0x37, 0x26, 0xA1,
michael@0 689 0x99, 0x4A, 0xCE, 0x7F, 0xF0, 0x05, 0xF2, 0x93, 0x5D, 0x1E },
michael@0 690 "MIGKMQswCQYDVQQGEwJDTjEyMDAGA1UECgwpQ2hpbmEgSW50ZXJuZXQgTmV0d29y"
michael@0 691 "ayBJbmZvcm1hdGlvbiBDZW50ZXIxRzBFBgNVBAMMPkNoaW5hIEludGVybmV0IE5l"
michael@0 692 "dHdvcmsgSW5mb3JtYXRpb24gQ2VudGVyIEVWIENlcnRpZmljYXRlcyBSb290",
michael@0 693 "SJ8AAQ==",
michael@0 694 nullptr
michael@0 695 },
michael@0 696 {
michael@0 697 // CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW
michael@0 698 "1.3.6.1.4.1.40869.1.1.22.3",
michael@0 699 "TWCA EV OID",
michael@0 700 SEC_OID_UNKNOWN,
michael@0 701 { 0xCF, 0x9E, 0x87, 0x6D, 0xD3, 0xEB, 0xFC, 0x42, 0x26, 0x97,
michael@0 702 0xA3, 0xB5, 0xA3, 0x7A, 0xA0, 0x76, 0xA9, 0x06, 0x23, 0x48 },
michael@0 703 "MF8xCzAJBgNVBAYTAlRXMRIwEAYDVQQKDAlUQUlXQU4tQ0ExEDAOBgNVBAsMB1Jv"
michael@0 704 "b3QgQ0ExKjAoBgNVBAMMIVRXQ0EgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0"
michael@0 705 "eQ==",
michael@0 706 "AQ==",
michael@0 707 nullptr
michael@0 708 },
michael@0 709 {
michael@0 710 // CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE
michael@0 711 "1.3.6.1.4.1.4788.2.202.1",
michael@0 712 "D-TRUST EV OID",
michael@0 713 SEC_OID_UNKNOWN,
michael@0 714 { 0x96, 0xC9, 0x1B, 0x0B, 0x95, 0xB4, 0x10, 0x98, 0x42, 0xFA,
michael@0 715 0xD0, 0xD8, 0x22, 0x79, 0xFE, 0x60, 0xFA, 0xB9, 0x16, 0x83 },
michael@0 716 "MFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMM"
michael@0 717 "IUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAwOQ==",
michael@0 718 "CYP0",
michael@0 719 nullptr
michael@0 720 },
michael@0 721 {
michael@0 722 // CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
michael@0 723 "2.16.756.1.83.21.0",
michael@0 724 "Swisscom EV OID",
michael@0 725 SEC_OID_UNKNOWN,
michael@0 726 { 0xE7, 0xA1, 0x90, 0x29, 0xD3, 0xD5, 0x52, 0xDC, 0x0D, 0x0F,
michael@0 727 0xC6, 0x92, 0xD3, 0xEA, 0x88, 0x0D, 0x15, 0x2E, 0x1A, 0x6B },
michael@0 728 "MGcxCzAJBgNVBAYTAmNoMREwDwYDVQQKEwhTd2lzc2NvbTElMCMGA1UECxMcRGln"
michael@0 729 "aXRhbCBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEeMBwGA1UEAxMVU3dpc3Njb20gUm9v"
michael@0 730 "dCBFViBDQSAy",
michael@0 731 "APL6ZOJ0Y9ON/RAdBB92ylg=",
michael@0 732 nullptr
michael@0 733 },
michael@0 734 {
michael@0 735 // CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
michael@0 736 "2.16.840.1.113733.1.7.23.6",
michael@0 737 "VeriSign EV OID",
michael@0 738 SEC_OID_UNKNOWN,
michael@0 739 { 0x36, 0x79, 0xCA, 0x35, 0x66, 0x87, 0x72, 0x30, 0x4D, 0x30,
michael@0 740 0xA5, 0xFB, 0x87, 0x3B, 0x0F, 0xA7, 0x7B, 0xB7, 0x0D, 0x54 },
michael@0 741 "MIG9MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNV"
michael@0 742 "BAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA4IFZl"
michael@0 743 "cmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxODA2BgNVBAMT"
michael@0 744 "L1ZlcmlTaWduIFVuaXZlcnNhbCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5",
michael@0 745 "QBrEZCGzEyEDDrvkEhrFHQ==",
michael@0 746 nullptr
michael@0 747 },
michael@0 748 {
michael@0 749 // CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
michael@0 750 "1.3.6.1.4.1.14370.1.6",
michael@0 751 "GeoTrust EV OID",
michael@0 752 SEC_OID_UNKNOWN,
michael@0 753 { 0x03, 0x9E, 0xED, 0xB8, 0x0B, 0xE7, 0xA0, 0x3C, 0x69, 0x53,
michael@0 754 0x89, 0x3B, 0x20, 0xD2, 0xD9, 0x32, 0x3A, 0x4C, 0x2A, 0xFD },
michael@0 755 "MIGYMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjE5MDcGA1UE"
michael@0 756 "CxMwKGMpIDIwMDggR2VvVHJ1c3QgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBv"
michael@0 757 "bmx5MTYwNAYDVQQDEy1HZW9UcnVzdCBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0"
michael@0 758 "aG9yaXR5IC0gRzM=",
michael@0 759 "FaxulBmyeUtB9iepwxgPHw==",
michael@0 760 nullptr
michael@0 761 },
michael@0 762 {
michael@0 763 // CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
michael@0 764 "2.16.840.1.113733.1.7.48.1",
michael@0 765 "Thawte EV OID",
michael@0 766 SEC_OID_UNKNOWN,
michael@0 767 { 0xF1, 0x8B, 0x53, 0x8D, 0x1B, 0xE9, 0x03, 0xB6, 0xA6, 0xF0,
michael@0 768 0x56, 0x43, 0x5B, 0x17, 0x15, 0x89, 0xCA, 0xF3, 0x6B, 0xF2 },
michael@0 769 "MIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSgwJgYDVQQL"
michael@0 770 "Ex9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYDVQQLEy8oYykg"
michael@0 771 "MjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEkMCIG"
michael@0 772 "A1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz",
michael@0 773 "YAGXt0an6rS0mtZLL/eQ+w==",
michael@0 774 nullptr
michael@0 775 },
michael@0 776 {
michael@0 777 // CN = Autoridad de Certificacion Firmaprofesional CIF A62634068, C = ES
michael@0 778 "1.3.6.1.4.1.13177.10.1.3.10",
michael@0 779 "Firmaprofesional EV OID",
michael@0 780 SEC_OID_UNKNOWN,
michael@0 781 { 0xAE, 0xC5, 0xFB, 0x3F, 0xC8, 0xE1, 0xBF, 0xC4, 0xE5, 0x4F,
michael@0 782 0x03, 0x07, 0x5A, 0x9A, 0xE8, 0x00, 0xB7, 0xF7, 0xB6, 0xFA },
michael@0 783 "MFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUgQ2VydGlmaWNh"
michael@0 784 "Y2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjg=",
michael@0 785 "U+w77vuySF8=",
michael@0 786 nullptr
michael@0 787 },
michael@0 788 {
michael@0 789 // CN = TWCA Global Root CA, OU = Root CA, O = TAIWAN-CA, C = TW
michael@0 790 "1.3.6.1.4.1.40869.1.1.22.3",
michael@0 791 "TWCA EV OID",
michael@0 792 SEC_OID_UNKNOWN,
michael@0 793 { 0x9C, 0xBB, 0x48, 0x53, 0xF6, 0xA4, 0xF6, 0xD3, 0x52, 0xA4,
michael@0 794 0xE8, 0x32, 0x52, 0x55, 0x60, 0x13, 0xF5, 0xAD, 0xAF, 0x65 },
michael@0 795 "MFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsTB1Jv"
michael@0 796 "b3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3QgQ0E=",
michael@0 797 "DL4=",
michael@0 798 nullptr
michael@0 799 },
michael@0 800 {
michael@0 801 // CN = E-Tugra Certification Authority, OU = E-Tugra Sertifikasyon Merkezi, O = E-TuÄŸra EBG BiliÅŸim Teknolojileri ve Hizmetleri A.Åž., L = Ankara, C = TR
michael@0 802 "2.16.792.3.0.4.1.1.4",
michael@0 803 "ETugra EV OID",
michael@0 804 SEC_OID_UNKNOWN,
michael@0 805 { 0x51, 0xC6, 0xE7, 0x08, 0x49, 0x06, 0x6E, 0xF3, 0x92, 0xD4,
michael@0 806 0x5C, 0xA0, 0x0D, 0x6D, 0xA3, 0x62, 0x8F, 0xC3, 0x52, 0x39 },
michael@0 807 "MIGyMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMUAwPgYDVQQKDDdFLVR1"
michael@0 808 "xJ9yYSBFQkcgQmlsacWfaW0gVGVrbm9sb2ppbGVyaSB2ZSBIaXptZXRsZXJpIEEu"
michael@0 809 "xZ4uMSYwJAYDVQQLDB1FLVR1Z3JhIFNlcnRpZmlrYXN5b24gTWVya2V6aTEoMCYG"
michael@0 810 "A1UEAwwfRS1UdWdyYSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
michael@0 811 "amg+nFGby1M=",
michael@0 812 nullptr
michael@0 813 }
michael@0 814 };
michael@0 815
michael@0 816 static SECOidTag
michael@0 817 register_oid(const SECItem* oid_item, const char* oid_name)
michael@0 818 {
michael@0 819 if (!oid_item)
michael@0 820 return SEC_OID_UNKNOWN;
michael@0 821
michael@0 822 SECOidData od;
michael@0 823 od.oid.len = oid_item->len;
michael@0 824 od.oid.data = oid_item->data;
michael@0 825 od.offset = SEC_OID_UNKNOWN;
michael@0 826 od.desc = oid_name;
michael@0 827 od.mechanism = CKM_INVALID_MECHANISM;
michael@0 828 od.supportedExtension = INVALID_CERT_EXTENSION;
michael@0 829 return SECOID_AddEntry(&od);
michael@0 830 }
michael@0 831
michael@0 832 #ifndef NSS_NO_LIBPKIX
michael@0 833 static void
michael@0 834 addToCertListIfTrusted(CERTCertList* certList, CERTCertificate* cert) {
michael@0 835 CERTCertTrust nssTrust;
michael@0 836 if (CERT_GetCertTrust(cert, &nssTrust) != SECSuccess) {
michael@0 837 return;
michael@0 838 }
michael@0 839 unsigned int flags = SEC_GET_TRUST_FLAGS(&nssTrust, trustSSL);
michael@0 840
michael@0 841 if (flags & CERTDB_TRUSTED_CA) {
michael@0 842 CERT_AddCertToListTail(certList, CERT_DupCertificate(cert));
michael@0 843 }
michael@0 844 }
michael@0 845 #endif
michael@0 846
michael@0 847 static bool
michael@0 848 isEVPolicy(SECOidTag policyOIDTag)
michael@0 849 {
michael@0 850 for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
michael@0 851 nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
michael@0 852 if (policyOIDTag == entry.oid_tag) {
michael@0 853 return true;
michael@0 854 }
michael@0 855 }
michael@0 856
michael@0 857 return false;
michael@0 858 }
michael@0 859
michael@0 860 namespace mozilla { namespace psm {
michael@0 861
michael@0 862 #ifndef NSS_NO_LIBPKIX
michael@0 863 CERTCertList*
michael@0 864 GetRootsForOid(SECOidTag oid_tag)
michael@0 865 {
michael@0 866 CERTCertList* certList = CERT_NewCertList();
michael@0 867 if (!certList)
michael@0 868 return nullptr;
michael@0 869
michael@0 870 for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
michael@0 871 nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
michael@0 872 if (entry.oid_tag == oid_tag) {
michael@0 873 addToCertListIfTrusted(certList, entry.cert);
michael@0 874 }
michael@0 875 }
michael@0 876
michael@0 877 return certList;
michael@0 878 }
michael@0 879 #endif
michael@0 880
michael@0 881 bool
michael@0 882 CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert,
michael@0 883 SECOidTag policyOidTag)
michael@0 884 {
michael@0 885 PR_ASSERT(cert);
michael@0 886 PR_ASSERT(policyOidTag != SEC_OID_UNKNOWN);
michael@0 887 if (!cert || !policyOidTag) {
michael@0 888 return false;
michael@0 889 }
michael@0 890
michael@0 891 for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
michael@0 892 nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
michael@0 893 if (entry.oid_tag == policyOidTag && entry.cert &&
michael@0 894 CERT_CompareCerts(cert, entry.cert)) {
michael@0 895 return true;
michael@0 896 }
michael@0 897 }
michael@0 898
michael@0 899 return false;
michael@0 900 }
michael@0 901
michael@0 902 static PRStatus
michael@0 903 IdentityInfoInit()
michael@0 904 {
michael@0 905 for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
michael@0 906 nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
michael@0 907
michael@0 908 SECStatus rv;
michael@0 909 CERTIssuerAndSN ias;
michael@0 910
michael@0 911 rv = ATOB_ConvertAsciiToItem(&ias.derIssuer, const_cast<char*>(entry.issuer_base64));
michael@0 912 PR_ASSERT(rv == SECSuccess);
michael@0 913 if (rv != SECSuccess) {
michael@0 914 return PR_FAILURE;
michael@0 915 }
michael@0 916 rv = ATOB_ConvertAsciiToItem(&ias.serialNumber,
michael@0 917 const_cast<char*>(entry.serial_base64));
michael@0 918 PR_ASSERT(rv == SECSuccess);
michael@0 919 if (rv != SECSuccess) {
michael@0 920 SECITEM_FreeItem(&ias.derIssuer, false);
michael@0 921 return PR_FAILURE;
michael@0 922 }
michael@0 923
michael@0 924 ias.serialNumber.type = siUnsignedInteger;
michael@0 925
michael@0 926 entry.cert = CERT_FindCertByIssuerAndSN(nullptr, &ias);
michael@0 927
michael@0 928 SECITEM_FreeItem(&ias.derIssuer, false);
michael@0 929 SECITEM_FreeItem(&ias.serialNumber, false);
michael@0 930
michael@0 931 // If an entry is missing in the NSS root database, it may be because the
michael@0 932 // root database is out of sync with what we expect (e.g. a different
michael@0 933 // version of system NSS is installed). We will just silently avoid
michael@0 934 // treating that root cert as EV.
michael@0 935 if (!entry.cert) {
michael@0 936 #ifdef DEBUG
michael@0 937 // The debug CA info is at position 0, and is NOT on the NSS root db
michael@0 938 if (iEV == 0) {
michael@0 939 continue;
michael@0 940 }
michael@0 941 #endif
michael@0 942 PR_NOT_REACHED("Could not find EV root in NSS storage");
michael@0 943 continue;
michael@0 944 }
michael@0 945
michael@0 946 unsigned char certFingerprint[20];
michael@0 947 rv = PK11_HashBuf(SEC_OID_SHA1, certFingerprint,
michael@0 948 entry.cert->derCert.data, entry.cert->derCert.len);
michael@0 949 PR_ASSERT(rv == SECSuccess);
michael@0 950 if (rv == SECSuccess) {
michael@0 951 bool same = !memcmp(certFingerprint, entry.ev_root_sha1_fingerprint, 20);
michael@0 952 PR_ASSERT(same);
michael@0 953 if (same) {
michael@0 954
michael@0 955 SECItem ev_oid_item;
michael@0 956 ev_oid_item.data = nullptr;
michael@0 957 ev_oid_item.len = 0;
michael@0 958 rv = SEC_StringToOID(nullptr, &ev_oid_item, entry.dotted_oid, 0);
michael@0 959 PR_ASSERT(rv == SECSuccess);
michael@0 960 if (rv == SECSuccess) {
michael@0 961 entry.oid_tag = register_oid(&ev_oid_item, entry.oid_name);
michael@0 962 if (entry.oid_tag == SEC_OID_UNKNOWN) {
michael@0 963 rv = SECFailure;
michael@0 964 }
michael@0 965 SECITEM_FreeItem(&ev_oid_item, false);
michael@0 966 }
michael@0 967 } else {
michael@0 968 PR_SetError(SEC_ERROR_BAD_DATA, 0);
michael@0 969 rv = SECFailure;
michael@0 970 }
michael@0 971 }
michael@0 972
michael@0 973 if (rv != SECSuccess) {
michael@0 974 CERT_DestroyCertificate(entry.cert);
michael@0 975 entry.cert = nullptr;
michael@0 976 entry.oid_tag = SEC_OID_UNKNOWN;
michael@0 977 return PR_FAILURE;
michael@0 978 }
michael@0 979 }
michael@0 980
michael@0 981 return PR_SUCCESS;
michael@0 982 }
michael@0 983
michael@0 984 static PRCallOnceType sIdentityInfoCallOnce;
michael@0 985
michael@0 986 void
michael@0 987 EnsureIdentityInfoLoaded()
michael@0 988 {
michael@0 989 (void) PR_CallOnce(&sIdentityInfoCallOnce, IdentityInfoInit);
michael@0 990 }
michael@0 991
michael@0 992 void
michael@0 993 CleanupIdentityInfo()
michael@0 994 {
michael@0 995 for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
michael@0 996 nsMyTrustedEVInfo &entry = myTrustedEVInfos[iEV];
michael@0 997 if (entry.cert) {
michael@0 998 CERT_DestroyCertificate(entry.cert);
michael@0 999 entry.cert = nullptr;
michael@0 1000 }
michael@0 1001 }
michael@0 1002
michael@0 1003 memset(&sIdentityInfoCallOnce, 0, sizeof(PRCallOnceType));
michael@0 1004 }
michael@0 1005
michael@0 1006 // Find the first policy OID that is known to be an EV policy OID.
michael@0 1007 SECStatus
michael@0 1008 GetFirstEVPolicy(CERTCertificate* cert, SECOidTag& outOidTag)
michael@0 1009 {
michael@0 1010 if (!cert)
michael@0 1011 return SECFailure;
michael@0 1012
michael@0 1013 if (cert->extensions) {
michael@0 1014 for (int i=0; cert->extensions[i]; i++) {
michael@0 1015 const SECItem* oid = &cert->extensions[i]->id;
michael@0 1016
michael@0 1017 SECOidTag oidTag = SECOID_FindOIDTag(oid);
michael@0 1018 if (oidTag != SEC_OID_X509_CERTIFICATE_POLICIES)
michael@0 1019 continue;
michael@0 1020
michael@0 1021 SECItem* value = &cert->extensions[i]->value;
michael@0 1022
michael@0 1023 CERTCertificatePolicies* policies;
michael@0 1024 CERTPolicyInfo** policyInfos;
michael@0 1025
michael@0 1026 policies = CERT_DecodeCertificatePoliciesExtension(value);
michael@0 1027 if (!policies)
michael@0 1028 continue;
michael@0 1029
michael@0 1030 policyInfos = policies->policyInfos;
michael@0 1031
michael@0 1032 bool found = false;
michael@0 1033 while (*policyInfos) {
michael@0 1034 const CERTPolicyInfo* policyInfo = *policyInfos++;
michael@0 1035
michael@0 1036 SECOidTag oid_tag = policyInfo->oid;
michael@0 1037 if (oid_tag != SEC_OID_UNKNOWN && isEVPolicy(oid_tag)) {
michael@0 1038 // in our list of OIDs accepted for EV
michael@0 1039 outOidTag = oid_tag;
michael@0 1040 found = true;
michael@0 1041 break;
michael@0 1042 }
michael@0 1043 }
michael@0 1044 CERT_DestroyCertificatePoliciesExtension(policies);
michael@0 1045 if (found)
michael@0 1046 return SECSuccess;
michael@0 1047 }
michael@0 1048 }
michael@0 1049
michael@0 1050 return SECFailure;
michael@0 1051 }
michael@0 1052
michael@0 1053 } } // namespace mozilla::psm

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial