1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/certverifier/ExtendedValidation.cpp Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,1053 @@
1.4 +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
1.5 + *
1.6 + * This Source Code Form is subject to the terms of the Mozilla Public
1.7 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.8 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.9 +
1.10 +#include "ExtendedValidation.h"
1.11 +
1.12 +#include "cert.h"
1.13 +#include "certdb.h"
1.14 +#include "base64.h"
1.15 +#include "pkix/nullptr.h"
1.16 +#include "pk11pub.h"
1.17 +#include "secerr.h"
1.18 +#include "prerror.h"
1.19 +#include "prinit.h"
1.20 +
1.21 +#ifdef PR_LOGGING
1.22 +extern PRLogModuleInfo* gPIPNSSLog;
1.23 +#endif
1.24 +
1.25 +#define CONST_OID static const unsigned char
1.26 +#define OI(x) { siDEROID, (unsigned char*) x, sizeof x }
1.27 +
1.28 +struct nsMyTrustedEVInfo
1.29 +{
1.30 + const char* dotted_oid;
1.31 + const char* oid_name; // Set this to null to signal an invalid structure,
1.32 + // (We can't have an empty list, so we'll use a dummy entry)
1.33 + SECOidTag oid_tag;
1.34 + const unsigned char ev_root_sha1_fingerprint[20];
1.35 + const char* issuer_base64;
1.36 + const char* serial_base64;
1.37 + CERTCertificate* cert;
1.38 +};
1.39 +
1.40 +// HOWTO enable additional CA root certificates for EV:
1.41 +//
1.42 +// For each combination of "root certificate" and "policy OID",
1.43 +// one entry must be added to the array named myTrustedEVInfos.
1.44 +//
1.45 +// We use the combination of "issuer name" and "serial number" to
1.46 +// uniquely identify the certificate. In order to avoid problems
1.47 +// because of encodings when comparing certificates, we don't
1.48 +// use plain text representation, we rather use the original encoding
1.49 +// as it can be found in the root certificate (in base64 format).
1.50 +//
1.51 +// We can use the NSS utility named "pp" to extract the encoding.
1.52 +//
1.53 +// Build standalone NSS including the NSS tools, then run
1.54 +// pp -t certificate-identity -i the-cert-filename
1.55 +//
1.56 +// You will need the output from sections "Issuer", "Fingerprint (SHA1)",
1.57 +// "Issuer DER Base64" and "Serial DER Base64".
1.58 +//
1.59 +// The new section consists of 8 lines:
1.60 +//
1.61 +// - a comment that should contain the human readable issuer name
1.62 +// of the certificate, as printed by the pp tool
1.63 +// - the EV policy OID that is associated to the EV grant
1.64 +// - a text description of the EV policy OID. The array can contain
1.65 +// multiple entries with the same OID.
1.66 +// Please make sure to use the identical OID text description for
1.67 +// all entries with the same policy OID (use the text search
1.68 +// feature of your text editor to find duplicates).
1.69 +// When adding a new policy OID that is not yet contained in the array,
1.70 +// please make sure that your new description is different from
1.71 +// all the other descriptions (again use the text search feature
1.72 +// to be sure).
1.73 +// - the constant SEC_OID_UNKNOWN
1.74 +// (it will be replaced at runtime with another identifier)
1.75 +// - the SHA1 fingerprint
1.76 +// - the "Issuer DER Base64" as printed by the pp tool.
1.77 +// Remove all whitespaces. If you use multiple lines, make sure that
1.78 +// only the final line will be followed by a comma.
1.79 +// - the "Serial DER Base64" (as printed by pp)
1.80 +// - nullptr
1.81 +//
1.82 +// After adding an entry, test it locally against the test site that
1.83 +// has been provided by the CA. Note that you must use a version of NSS
1.84 +// where the root certificate has already been added and marked as trusted
1.85 +// for issueing SSL server certificates (at least).
1.86 +//
1.87 +// If you are able to connect to the site without certificate errors,
1.88 +// but you don't see the EV status indicator, then most likely the CA
1.89 +// has a problem in their infrastructure. The most common problems are
1.90 +// related to the CA's OCSP infrastructure, either they use an incorrect
1.91 +// OCSP signing certificate, or OCSP for the intermediate certificates
1.92 +// isn't working, or OCSP isn't working at all.
1.93 +
1.94 +static struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
1.95 + // IMPORTANT! When extending this list,
1.96 + // pairs of dotted_oid and oid_name should always be unique pairs.
1.97 + // In other words, if you add another list, that uses the same dotted_oid
1.98 + // as an existing entry, then please use the same oid_name.
1.99 +#ifdef DEBUG
1.100 + // Debug EV certificates should all use the OID (repeating EV OID is OK):
1.101 + // 1.3.6.1.4.1.13769.666.666.666.1.500.9.1.
1.102 + // If you add or remove debug EV certs you must also modify IdentityInfoInit
1.103 + // (there is another #ifdef DEBUG section there) so that the correct number of
1.104 + // certs are skipped as these debug EV certs are NOT part of the default trust
1.105 + // store.
1.106 + {
1.107 + // This is the testing EV signature (xpcshell) (RSA)
1.108 + // CN=XPCShell EV Testing (untrustworthy) CA,OU=Security Engineering,O=Mozilla - EV debug test CA,L=Mountain View,ST=CA,C=US"
1.109 + "1.3.6.1.4.1.13769.666.666.666.1.500.9.1",
1.110 + "DEBUGtesting EV OID",
1.111 + SEC_OID_UNKNOWN,
1.112 + { 0x9C, 0x62, 0xEF, 0xDB, 0xAE, 0xF9, 0xEB, 0x36, 0x58, 0xFB,
1.113 + 0x3B, 0xD3, 0x47, 0x64, 0x93, 0x9D, 0x86, 0x29, 0x6A, 0xE0 },
1.114 + "MIGnMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWlu"
1.115 + "IFZpZXcxIzAhBgNVBAoMGk1vemlsbGEgLSBFViBkZWJ1ZyB0ZXN0IENBMR0wGwYD"
1.116 + "VQQLDBRTZWN1cml0eSBFbmdpbmVlcmluZzEvMC0GA1UEAwwmWFBDU2hlbGwgRVYg"
1.117 + "VGVzdGluZyAodW50cnVzdHdvcnRoeSkgQ0E=",
1.118 + "At+3zdo=",
1.119 + nullptr
1.120 + },
1.121 +#endif
1.122 + {
1.123 + // OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
1.124 + "1.2.392.200091.100.721.1",
1.125 + "SECOM EV OID",
1.126 + SEC_OID_UNKNOWN,
1.127 + { 0xFE, 0xB8, 0xC4, 0x32, 0xDC, 0xF9, 0x76, 0x9A, 0xCE, 0xAE,
1.128 + 0x3D, 0xD8, 0x90, 0x8F, 0xFD, 0x28, 0x86, 0x65, 0x64, 0x7D },
1.129 + "MGAxCzAJBgNVBAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENP"
1.130 + "LixMVEQuMSowKAYDVQQLEyFTZWN1cml0eSBDb21tdW5pY2F0aW9uIEVWIFJvb3RD"
1.131 + "QTE=",
1.132 + "AA==",
1.133 + nullptr
1.134 + },
1.135 + {
1.136 + // CN=Cybertrust Global Root,O=Cybertrust, Inc
1.137 + "1.3.6.1.4.1.6334.1.100.1",
1.138 + "Cybertrust EV OID",
1.139 + SEC_OID_UNKNOWN,
1.140 + { 0x5F, 0x43, 0xE5, 0xB1, 0xBF, 0xF8, 0x78, 0x8C, 0xAC, 0x1C,
1.141 + 0xC7, 0xCA, 0x4A, 0x9A, 0xC6, 0x22, 0x2B, 0xCC, 0x34, 0xC6 },
1.142 + "MDsxGDAWBgNVBAoTD0N5YmVydHJ1c3QsIEluYzEfMB0GA1UEAxMWQ3liZXJ0cnVz"
1.143 + "dCBHbG9iYWwgUm9vdA==",
1.144 + "BAAAAAABD4WqLUg=",
1.145 + nullptr
1.146 + },
1.147 + {
1.148 + // CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
1.149 + "2.16.756.1.89.1.2.1.1",
1.150 + "SwissSign EV OID",
1.151 + SEC_OID_UNKNOWN,
1.152 + { 0xD8, 0xC5, 0x38, 0x8A, 0xB7, 0x30, 0x1B, 0x1B, 0x6E, 0xD4,
1.153 + 0x7A, 0xE6, 0x45, 0x25, 0x3A, 0x6F, 0x9F, 0x1A, 0x27, 0x61 }, 1.154 + "MEUxCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMT" 1.155 + "FlN3aXNzU2lnbiBHb2xkIENBIC0gRzI=", 1.156 + "ALtAHEP1Xk+w", 1.157 + nullptr 1.158 + }, 1.159 + { 1.160 + // CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL 1.161 + "1.3.6.1.4.1.23223.1.1.1", 1.162 + "StartCom EV OID", 1.163 + SEC_OID_UNKNOWN, 1.164 + { 0x3E, 0x2B, 0xF7, 0xF2, 0x03, 0x1B, 0x96, 0xF3, 0x8C, 0xE6, 1.165 + 0xC4, 0xD8, 0xA8, 0x5D, 0x3E, 0x2D, 0x58, 0x47, 0x6A, 0x0F }, 1.166 + "MH0xCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQL" 1.167 + "EyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMSkwJwYDVQQDEyBT" 1.168 + "dGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==", 1.169 + "AQ==", 1.170 + nullptr 1.171 + }, 1.172 + { 1.173 + // CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL 1.174 + "1.3.6.1.4.1.23223.1.1.1", 1.175 + "StartCom EV OID", 1.176 + SEC_OID_UNKNOWN, 1.177 + { 0xA3, 0xF1, 0x33, 0x3F, 0xE2, 0x42, 0xBF, 0xCF, 0xC5, 0xD1, 1.178 + 0x4E, 0x8F, 0x39, 0x42, 0x98, 0x40, 0x68, 0x10, 0xD1, 0xA0 }, 1.179 + "MH0xCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQL" 1.180 + "EyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMSkwJwYDVQQDEyBT" 1.181 + "dGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==", 1.182 + "LQ==", 1.183 + nullptr 1.184 + }, 1.185 + { 1.186 + // CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL 1.187 + "1.3.6.1.4.1.23223.1.1.1", 1.188 + "StartCom EV OID", 1.189 + SEC_OID_UNKNOWN, 1.190 + { 0x31, 0xF1, 0xFD, 0x68, 0x22, 0x63, 0x20, 0xEE, 0xC6, 0x3B, 1.191 + 0x3F, 0x9D, 0xEA, 0x4A, 0x3E, 0x53, 0x7C, 0x7C, 0x39, 0x17 }, 1.192 + "MFMxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSwwKgYDVQQD" 1.193 + "EyNTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBHMg==", 1.194 + "Ow==", 1.195 + nullptr 1.196 + }, 1.197 + { 1.198 + // CN=VeriSign Class 3 Public Primary Certification Authority - 
G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US 1.199 + "2.16.840.1.113733.1.7.23.6", 1.200 + "VeriSign EV OID", 1.201 + SEC_OID_UNKNOWN, 1.202 + { 0x4E, 0xB6, 0xD5, 0x78, 0x49, 0x9B, 0x1C, 0xCF, 0x5F, 0x58, 1.203 + 0x1E, 0xAD, 0x56, 0xBE, 0x3D, 0x9B, 0x67, 0x44, 0xA5, 0xE5 }, 1.204 + "MIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNV" 1.205 + "BAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA2IFZl" 1.206 + "cmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMT" 1.207 + "PFZlcmlTaWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBB" 1.208 + "dXRob3JpdHkgLSBHNQ==", 1.209 + "GNrRniZ96LtKIVjNzGs7Sg==", 1.210 + nullptr 1.211 + }, 1.212 + { 1.213 + // CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US 1.214 + "1.3.6.1.4.1.14370.1.6", 1.215 + "GeoTrust EV OID", 1.216 + SEC_OID_UNKNOWN, 1.217 + { 0x32, 0x3C, 0x11, 0x8E, 0x1B, 0xF7, 0xB8, 0xB6, 0x52, 0x54, 1.218 + 0xE2, 0xE2, 0x10, 0x0D, 0xD6, 0x02, 0x90, 0x37, 0xF0, 0x96 }, 1.219 + "MFgxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTEwLwYDVQQD" 1.220 + "EyhHZW9UcnVzdCBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5", 1.221 + "GKy1av1pthU6Y2yv2vrEoQ==", 1.222 + nullptr 1.223 + }, 1.224 + { 1.225 + // CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. 
- For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US 1.226 + "2.16.840.1.113733.1.7.48.1", 1.227 + "Thawte EV OID", 1.228 + SEC_OID_UNKNOWN, 1.229 + { 0x91, 0xC6, 0xD6, 0xEE, 0x3E, 0x8A, 0xC8, 0x63, 0x84, 0xE5, 1.230 + 0x48, 0xC2, 0x99, 0x29, 0x5C, 0x75, 0x6C, 0x81, 0x7B, 0x81 }, 1.231 + "MIGpMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSgwJgYDVQQL" 1.232 + "Ex9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYDVQQLEy8oYykg" 1.233 + "MjAwNiB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEfMB0G" 1.234 + "A1UEAxMWdGhhd3RlIFByaW1hcnkgUm9vdCBDQQ==", 1.235 + "NE7VVyDV7exJ9C/ON9srbQ==", 1.236 + nullptr 1.237 + }, 1.238 + { 1.239 + // CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US 1.240 + "2.16.840.1.114404.1.1.2.4.1", 1.241 + "Trustwave EV OID", 1.242 + SEC_OID_UNKNOWN, 1.243 + { 0xB8, 0x01, 0x86, 0xD1, 0xEB, 0x9C, 0x86, 0xA5, 0x41, 0x04, 1.244 + 0xCF, 0x30, 0x54, 0xF3, 0x4C, 0x52, 0xB7, 0xE5, 0x58, 0xC6 }, 1.245 + "MIGCMQswCQYDVQQGEwJVUzEeMBwGA1UECxMVd3d3LnhyYW1wc2VjdXJpdHkuY29t" 1.246 + "MSQwIgYDVQQKExtYUmFtcCBTZWN1cml0eSBTZXJ2aWNlcyBJbmMxLTArBgNVBAMT" 1.247 + "JFhSYW1wIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==", 1.248 + "UJRs7Bjq1ZxN1ZfvdY+grQ==", 1.249 + nullptr 1.250 + }, 1.251 + { 1.252 + // CN=SecureTrust CA,O=SecureTrust Corporation,C=US 1.253 + "2.16.840.1.114404.1.1.2.4.1", 1.254 + "Trustwave EV OID", 1.255 + SEC_OID_UNKNOWN, 1.256 + { 0x87, 0x82, 0xC6, 0xC3, 0x04, 0x35, 0x3B, 0xCF, 0xD2, 0x96, 1.257 + 0x92, 0xD2, 0x59, 0x3E, 0x7D, 0x44, 0xD9, 0x34, 0xFF, 0x11 }, 1.258 + "MEgxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlv" 1.259 + "bjEXMBUGA1UEAxMOU2VjdXJlVHJ1c3QgQ0E=", 1.260 + "DPCOXAgWpa1Cf/DrJxhZ0A==", 1.261 + nullptr 1.262 + }, 1.263 + { 1.264 + // CN=Secure Global CA,O=SecureTrust Corporation,C=US 1.265 + "2.16.840.1.114404.1.1.2.4.1", 1.266 + "Trustwave EV OID", 1.267 + SEC_OID_UNKNOWN, 1.268 + { 0x3A, 0x44, 0x73, 0x5A, 0xE5, 0x81, 0x90, 0x1F, 0x24, 
0x86, 1.269 + 0x61, 0x46, 0x1E, 0x3B, 0x9C, 0xC4, 0x5F, 0xF5, 0x3A, 0x1B }, 1.270 + "MEoxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlv" 1.271 + "bjEZMBcGA1UEAxMQU2VjdXJlIEdsb2JhbCBDQQ==", 1.272 + "B1YipOjUiolN9BPI8PjqpQ==", 1.273 + nullptr 1.274 + }, 1.275 + { 1.276 + // CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 1.277 + "1.3.6.1.4.1.6449.1.2.1.5.1", 1.278 + "Comodo EV OID", 1.279 + SEC_OID_UNKNOWN, 1.280 + { 0x9F, 0x74, 0x4E, 0x9F, 0x2B, 0x4D, 0xBA, 0xEC, 0x0F, 0x31, 1.281 + 0x2C, 0x50, 0xB6, 0x56, 0x3B, 0x8E, 0x2D, 0x93, 0xC3, 0x11 }, 1.282 + "MIGFMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAw" 1.283 + "DgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDErMCkG" 1.284 + "A1UEAxMiQ09NT0RPIEVDQyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==", 1.285 + "H0evqmIAcFBUTAGem2OZKg==", 1.286 + nullptr 1.287 + }, 1.288 + { 1.289 + // CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 1.290 + "1.3.6.1.4.1.6449.1.2.1.5.1", 1.291 + "Comodo EV OID", 1.292 + SEC_OID_UNKNOWN, 1.293 + { 0x66, 0x31, 0xBF, 0x9E, 0xF7, 0x4F, 0x9E, 0xB6, 0xC9, 0xD5, 1.294 + 0xA6, 0x0C, 0xBA, 0x6A, 0xBE, 0xD1, 0xF7, 0xBD, 0xEF, 0x7B }, 1.295 + "MIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAw" 1.296 + "DgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDEnMCUG" 1.297 + "A1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0aG9yaXR5", 1.298 + "ToEtioJl4AsC7j41AkblPQ==", 1.299 + nullptr 1.300 + }, 1.301 + { 1.302 + // CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE 1.303 + "1.3.6.1.4.1.6449.1.2.1.5.1", 1.304 + "Comodo EV OID", 1.305 + SEC_OID_UNKNOWN, 1.306 + { 0x02, 0xFA, 0xF3, 0xE2, 0x91, 0x43, 0x54, 0x68, 0x60, 0x78, 1.307 + 0x57, 0x69, 0x4D, 0xF5, 0xE4, 0x5B, 0x68, 0x85, 0x18, 0x68 }, 1.308 + "MG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRUcnVzdCBBQjEmMCQGA1UECxMd" 1.309 + "QWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsxIjAgBgNVBAMTGUFkZFRydXN0" 1.310 + 
"IEV4dGVybmFsIENBIFJvb3Q=", 1.311 + "AQ==", 1.312 + nullptr 1.313 + }, 1.314 + { 1.315 + // CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US 1.316 + "1.3.6.1.4.1.6449.1.2.1.5.1", 1.317 + "Comodo EV OID", 1.318 + SEC_OID_UNKNOWN, 1.319 + { 0x58, 0x11, 0x9F, 0x0E, 0x12, 0x82, 0x87, 0xEA, 0x50, 0xFD, 1.320 + 0xD9, 0x87, 0x45, 0x6F, 0x4F, 0x78, 0xDC, 0xFA, 0xD6, 0xD4 }, 1.321 + "MIGTMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFr" 1.322 + "ZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsT" 1.323 + "GGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEbMBkGA1UEAxMSVVROIC0gREFUQUNv" 1.324 + "cnAgU0dD", 1.325 + "RL4Mi1AAIbQR0ypoBqmtaQ==", 1.326 + nullptr 1.327 + }, 1.328 + { 1.329 + // CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US 1.330 + "1.3.6.1.4.1.6449.1.2.1.5.1", 1.331 + "Comodo EV OID", 1.332 + SEC_OID_UNKNOWN, 1.333 + { 0x04, 0x83, 0xED, 0x33, 0x99, 0xAC, 0x36, 0x08, 0x05, 0x87, 1.334 + 0x22, 0xED, 0xBC, 0x5E, 0x46, 0x00, 0xE3, 0xBE, 0xF9, 0xD7 }, 1.335 + "MIGXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFr" 1.336 + "ZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsT" 1.337 + "GGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTEfMB0GA1UEAxMWVVROLVVTRVJGaXJz" 1.338 + "dC1IYXJkd2FyZQ==", 1.339 + "RL4Mi1AAJLQR0zYq/mUK/Q==", 1.340 + nullptr 1.341 + }, 1.342 + { 1.343 + // OU=Go Daddy Class 2 Certification Authority,O=\"The Go Daddy Group, Inc.\",C=US 1.344 + "2.16.840.1.114413.1.7.23.3", 1.345 + "Go Daddy EV OID a", 1.346 + SEC_OID_UNKNOWN, 1.347 + { 0x27, 0x96, 0xBA, 0xE6, 0x3F, 0x18, 0x01, 0xE2, 0x77, 0x26, 1.348 + 0x1B, 0xA0, 0xD7, 0x77, 0x70, 0x02, 0x8F, 0x20, 0xEE, 0xE4 }, 1.349 + "MGMxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIElu" 1.350 + "Yy4xMTAvBgNVBAsTKEdvIERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRo" 1.351 + "b3JpdHk=", 1.352 + "AA==", 1.353 + nullptr 1.354 + }, 1.355 + { 1.356 + // CN=Go Daddy Root Certificate 
Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US 1.357 + "2.16.840.1.114413.1.7.23.3", 1.358 + "Go Daddy EV OID a", 1.359 + SEC_OID_UNKNOWN, 1.360 + { 0x47, 0xBE, 0xAB, 0xC9, 0x22, 0xEA, 0xE8, 0x0E, 0x78, 0x78, 1.361 + 0x34, 0x62, 0xA7, 0x9F, 0x45, 0xC2, 0x54, 0xFD, 0xE6, 0x8B }, 1.362 + "MIGDMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv" 1.363 + "dHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xMTAvBgNVBAMTKEdv" 1.364 + "IERhZGR5IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzI=", 1.365 + "AA==", 1.366 + nullptr 1.367 + }, 1.368 + { 1.369 + // OU=Starfield Class 2 Certification Authority,O=\"Starfield Technologies, Inc.\",C=US 1.370 + "2.16.840.1.114414.1.7.23.3", 1.371 + "Go Daddy EV OID b", 1.372 + SEC_OID_UNKNOWN, 1.373 + { 0xAD, 0x7E, 0x1C, 0x28, 0xB0, 0x64, 0xEF, 0x8F, 0x60, 0x03, 1.374 + 0x40, 0x20, 0x14, 0xC3, 0xD0, 0xE3, 0x37, 0x0E, 0xB5, 0x8A }, 1.375 + "MGgxCzAJBgNVBAYTAlVTMSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVz" 1.376 + "LCBJbmMuMTIwMAYDVQQLEylTdGFyZmllbGQgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9u" 1.377 + "IEF1dGhvcml0eQ==", 1.378 + "AA==", 1.379 + nullptr 1.380 + }, 1.381 + { 1.382 + // CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US 1.383 + "2.16.840.1.114414.1.7.23.3", 1.384 + "Go Daddy EV OID b", 1.385 + SEC_OID_UNKNOWN, 1.386 + { 0xB5, 0x1C, 0x06, 0x7C, 0xEE, 0x2B, 0x0C, 0x3D, 0xF8, 0x55, 1.387 + 0xAB, 0x2D, 0x92, 0xF4, 0xFE, 0x39, 0xD4, 0xE7, 0x0F, 0x0E }, 1.388 + "MIGPMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv" 1.389 + "dHRzZGFsZTElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEy" 1.390 + "MDAGA1UEAxMpU3RhcmZpZWxkIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0g" 1.391 + "RzI=", 1.392 + "AA==", 1.393 + nullptr 1.394 + }, 1.395 + { 1.396 + // CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US 1.397 + "2.16.840.1.114412.2.1", 1.398 + "DigiCert EV OID", 1.399 + SEC_OID_UNKNOWN, 1.400 + { 0x5F, 0xB7, 0xEE, 0x06, 0x33, 0xE2, 0x59, 0xDB, 
0xAD, 0x0C, 1.401 + 0x4C, 0x9A, 0xE6, 0xD3, 0X8F, 0x1A, 0x61, 0xC7, 0xDC, 0x25 }, 1.402 + "MGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT" 1.403 + "EHd3dy5kaWdpY2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0IEhpZ2ggQXNzdXJh" 1.404 + "bmNlIEVWIFJvb3QgQ0E=", 1.405 + "AqxcJmoLQJuPC3nyrkYldw==", 1.406 + nullptr 1.407 + }, 1.408 + { 1.409 + // CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM 1.410 + "1.3.6.1.4.1.8024.0.2.100.1.2", 1.411 + "Quo Vadis EV OID", 1.412 + SEC_OID_UNKNOWN, 1.413 + { 0xCA, 0x3A, 0xFB, 0xCF, 0x12, 0x40, 0x36, 0x4B, 0x44, 0xB2, 1.414 + 0x16, 0x20, 0x88, 0x80, 0x48, 0x39, 0x19, 0x93, 0x7C, 0xF7 }, 1.415 + "MEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYD" 1.416 + "VQQDExJRdW9WYWRpcyBSb290IENBIDI=", 1.417 + "BQk=", 1.418 + nullptr 1.419 + }, 1.420 + { 1.421 + // CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US 1.422 + "1.3.6.1.4.1.782.1.2.1.8.1", 1.423 + "Network Solutions EV OID", 1.424 + SEC_OID_UNKNOWN, 1.425 + { 0x74, 0xF8, 0xA3, 0xC3, 0xEF, 0xE7, 0xB3, 0x90, 0x06, 0x4B, 1.426 + 0x83, 0x90, 0x3C, 0x21, 0x64, 0x60, 0x20, 0xE5, 0xDF, 0xCE }, 1.427 + "MGIxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhOZXR3b3JrIFNvbHV0aW9ucyBMLkwu" 1.428 + "Qy4xMDAuBgNVBAMTJ05ldHdvcmsgU29sdXRpb25zIENlcnRpZmljYXRlIEF1dGhv" 1.429 + "cml0eQ==", 1.430 + "V8szb8JcFuZHFhfjkDFo4A==", 1.431 + nullptr 1.432 + }, 1.433 + { 1.434 + // CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US 1.435 + "2.16.840.1.114028.10.1.2", 1.436 + "Entrust EV OID", 1.437 + SEC_OID_UNKNOWN, 1.438 + { 0xB3, 0x1E, 0xB1, 0xB7, 0x40, 0xE3, 0x6C, 0x84, 0x02, 0xDA, 1.439 + 0xDC, 0x37, 0xD4, 0x4D, 0xF5, 0xD4, 0x67, 0x49, 0x52, 0xF9 }, 1.440 + "MIGwMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjE5MDcGA1UE" 1.441 + "CxMwd3d3LmVudHJ1c3QubmV0L0NQUyBpcyBpbmNvcnBvcmF0ZWQgYnkgcmVmZXJl" 1.442 + "bmNlMR8wHQYDVQQLExYoYykgMjAwNiBFbnRydXN0LCBJbmMuMS0wKwYDVQQDEyRF" 1.443 + 
"bnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHk=", 1.444 + "RWtQVA==", 1.445 + nullptr 1.446 + }, 1.447 + { 1.448 + // CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE 1.449 + "1.3.6.1.4.1.4146.1.1", 1.450 + "GlobalSign EV OID", 1.451 + SEC_OID_UNKNOWN, 1.452 + { 0xB1, 0xBC, 0x96, 0x8B, 0xD4, 0xF4, 0x9D, 0x62, 0x2A, 0xA8, 1.453 + 0x9A, 0x81, 0xF2, 0x15, 0x01, 0x52, 0xA4, 0x1D, 0x82, 0x9C }, 1.454 + "MFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYD" 1.455 + "VQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxTaWduIFJvb3QgQ0E=", 1.456 + "BAAAAAABFUtaw5Q=", 1.457 + nullptr 1.458 + }, 1.459 + { 1.460 + // CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 1.461 + "1.3.6.1.4.1.4146.1.1", 1.462 + "GlobalSign EV OID", 1.463 + SEC_OID_UNKNOWN, 1.464 + { 0x75, 0xE0, 0xAB, 0xB6, 0x13, 0x85, 0x12, 0x27, 0x1C, 0x04, 1.465 + 0xF8, 0x5F, 0xDD, 0xDE, 0x38, 0xE4, 0xB7, 0x24, 0x2E, 0xFE }, 1.466 + "MEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIyMRMwEQYDVQQKEwpH" 1.467 + "bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu", 1.468 + "BAAAAAABD4Ym5g0=", 1.469 + nullptr 1.470 + }, 1.471 + { 1.472 + // CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3 1.473 + "1.3.6.1.4.1.4146.1.1", 1.474 + "GlobalSign EV OID", 1.475 + SEC_OID_UNKNOWN, 1.476 + { 0xD6, 0x9B, 0x56, 0x11, 0x48, 0xF0, 0x1C, 0x77, 0xC5, 0x45, 1.477 + 0x78, 0xC1, 0x09, 0x26, 0xDF, 0x5B, 0x85, 0x69, 0x76, 0xAD }, 1.478 + "MEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIzMRMwEQYDVQQKEwpH" 1.479 + "bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu", 1.480 + "BAAAAAABIVhTCKI=", 1.481 + nullptr 1.482 + }, 1.483 + { 1.484 + // CN=Buypass Class 3 CA 1,O=Buypass AS-983163327,C=NO 1.485 + "2.16.578.1.26.1.3.3", 1.486 + "Buypass EV OID", 1.487 + SEC_OID_UNKNOWN, 1.488 + { 0x61, 0x57, 0x3A, 0x11, 0xDF, 0x0E, 0xD8, 0x7E, 0xD5, 0x92, 1.489 + 0x65, 0x22, 0xEA, 0xD0, 0x56, 0xD7, 0x44, 0xB3, 0x23, 0x71 }, 1.490 + "MEsxCzAJBgNVBAYTAk5PMR0wGwYDVQQKDBRCdXlwYXNzIEFTLTk4MzE2MzMyNzEd" 1.491 + "MBsGA1UEAwwUQnV5cGFzcyBDbGFzcyAzIENBIDE=", 1.492 + 
"Ag==", 1.493 + nullptr 1.494 + }, 1.495 + { 1.496 + // CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO 1.497 + "2.16.578.1.26.1.3.3", 1.498 + "Buypass EV OID", 1.499 + SEC_OID_UNKNOWN, 1.500 + { 0xDA, 0xFA, 0xF7, 0xFA, 0x66, 0x84, 0xEC, 0x06, 0x8F, 0x14, 1.501 + 0x50, 0xBD, 0xC7, 0xC2, 0x81, 0xA5, 0xBC, 0xA9, 0x64, 0x57 }, 1.502 + "ME4xCzAJBgNVBAYTAk5PMR0wGwYDVQQKDBRCdXlwYXNzIEFTLTk4MzE2MzMyNzEg" 1.503 + "MB4GA1UEAwwXQnV5cGFzcyBDbGFzcyAzIFJvb3QgQ0E=", 1.504 + "Ag==", 1.505 + nullptr 1.506 + }, 1.507 + { 1.508 + // CN=Class 2 Primary CA,O=Certplus,C=FR 1.509 + "1.3.6.1.4.1.22234.2.5.2.3.1", 1.510 + "Certplus EV OID", 1.511 + SEC_OID_UNKNOWN, 1.512 + { 0x74, 0x20, 0x74, 0x41, 0x72, 0x9C, 0xDD, 0x92, 0xEC, 0x79, 1.513 + 0x31, 0xD8, 0x23, 0x10, 0x8D, 0xC2, 0x81, 0x92, 0xE2, 0xBB }, 1.514 + "MD0xCzAJBgNVBAYTAkZSMREwDwYDVQQKEwhDZXJ0cGx1czEbMBkGA1UEAxMSQ2xh" 1.515 + "c3MgMiBQcmltYXJ5IENB", 1.516 + "AIW9S/PY2uNp9pTXX8OlRCM=", 1.517 + nullptr 1.518 + }, 1.519 + { 1.520 + // CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU 1.521 + "1.3.6.1.4.1.17326.10.14.2.1.2", 1.522 + "Camerfirma EV OID a", 1.523 + SEC_OID_UNKNOWN, 1.524 + { 0x78, 0x6A, 0x74, 0xAC, 0x76, 0xAB, 0x14, 0x7F, 0x9C, 0x6A, 1.525 + 0x30, 0x50, 0xBA, 0x9E, 0xA8, 0x7E, 0xFE, 0x9A, 0xCE, 0x3C }, 1.526 + "MIGuMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBh" 1.527 + "ZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJ" 1.528 + "QTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xKTAnBgNVBAMT" 1.529 + "IENoYW1iZXJzIG9mIENvbW1lcmNlIFJvb3QgLSAyMDA4", 1.530 + "AKPaQn6ksa7a", 1.531 + nullptr 1.532 + }, 1.533 + { 1.534 + // CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU 1.535 + "1.3.6.1.4.1.17326.10.8.12.1.2", 1.536 + "Camerfirma EV OID b", 1.537 + SEC_OID_UNKNOWN, 1.538 + { 0x4A, 0xBD, 0xEE, 0xEC, 
0x95, 0x0D, 0x35, 0x9C, 0x89, 0xAE, 1.539 + 0xC7, 0x52, 0xA1, 0x2C, 0x5B, 0x29, 0xF6, 0xD6, 0xAA, 0x0C }, 1.540 + "MIGsMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBh" 1.541 + "ZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJ" 1.542 + "QTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xJzAlBgNVBAMT" 1.543 + "Hkdsb2JhbCBDaGFtYmVyc2lnbiBSb290IC0gMjAwOA==", 1.544 + "AMnN0+nVfSPO", 1.545 + nullptr 1.546 + }, 1.547 + { 1.548 + // CN=TC TrustCenter Universal CA III,OU=TC TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DE 1.549 + "1.2.276.0.44.1.1.1.4", 1.550 + "TC TrustCenter EV OID", 1.551 + SEC_OID_UNKNOWN, 1.552 + { 0x96, 0x56, 0xCD, 0x7B, 0x57, 0x96, 0x98, 0x95, 0xD0, 0xE1, 1.553 + 0x41, 0x46, 0x68, 0x06, 0xFB, 0xB8, 0xC6, 0x11, 0x06, 0x87 }, 1.554 + "MHsxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNUQyBUcnVzdENlbnRlciBHbWJIMSQw" 1.555 + "IgYDVQQLExtUQyBUcnVzdENlbnRlciBVbml2ZXJzYWwgQ0ExKDAmBgNVBAMTH1RD" 1.556 + "IFRydXN0Q2VudGVyIFVuaXZlcnNhbCBDQSBJSUk=", 1.557 + "YyUAAQACFI0zFQLkbPQ=", 1.558 + nullptr 1.559 + }, 1.560 + { 1.561 + // CN=AffirmTrust Commercial,O=AffirmTrust,C=US 1.562 + "1.3.6.1.4.1.34697.2.1", 1.563 + "AffirmTrust EV OID a", 1.564 + SEC_OID_UNKNOWN, 1.565 + { 0xF9, 0xB5, 0xB6, 0x32, 0x45, 0x5F, 0x9C, 0xBE, 0xEC, 0x57, 1.566 + 0x5F, 0x80, 0xDC, 0xE9, 0x6E, 0x2C, 0xC7, 0xB2, 0x78, 0xB7 }, 1.567 + "MEQxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwW" 1.568 + "QWZmaXJtVHJ1c3QgQ29tbWVyY2lhbA==", 1.569 + "d3cGJyapsXw=", 1.570 + nullptr 1.571 + }, 1.572 + { 1.573 + // CN=AffirmTrust Networking,O=AffirmTrust,C=US 1.574 + "1.3.6.1.4.1.34697.2.2", 1.575 + "AffirmTrust EV OID b", 1.576 + SEC_OID_UNKNOWN, 1.577 + { 0x29, 0x36, 0x21, 0x02, 0x8B, 0x20, 0xED, 0x02, 0xF5, 0x66, 1.578 + 0xC5, 0x32, 0xD1, 0xD6, 0xED, 0x90, 0x9F, 0x45, 0x00, 0x2F }, 1.579 + "MEQxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwW" 1.580 + "QWZmaXJtVHJ1c3QgTmV0d29ya2luZw==", 1.581 + "fE8EORzUmS0=", 1.582 + nullptr 1.583 + }, 1.584 + { 1.585 + // 
CN=AffirmTrust Premium,O=AffirmTrust,C=US 1.586 + "1.3.6.1.4.1.34697.2.3", 1.587 + "AffirmTrust EV OID c", 1.588 + SEC_OID_UNKNOWN, 1.589 + { 0xD8, 0xA6, 0x33, 0x2C, 0xE0, 0x03, 0x6F, 0xB1, 0x85, 0xF6, 1.590 + 0x63, 0x4F, 0x7D, 0x6A, 0x06, 0x65, 0x26, 0x32, 0x28, 0x27 }, 1.591 + "MEExCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEcMBoGA1UEAwwT" 1.592 + "QWZmaXJtVHJ1c3QgUHJlbWl1bQ==", 1.593 + "bYwURrGmCu4=", 1.594 + nullptr 1.595 + }, 1.596 + { 1.597 + // CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US 1.598 + "1.3.6.1.4.1.34697.2.4", 1.599 + "AffirmTrust EV OID d", 1.600 + SEC_OID_UNKNOWN, 1.601 + { 0xB8, 0x23, 0x6B, 0x00, 0x2F, 0x1D, 0x16, 0x86, 0x53, 0x01, 1.602 + 0x55, 0x6C, 0x11, 0xA4, 0x37, 0xCA, 0xEB, 0xFF, 0xC3, 0xBB }, 1.603 + "MEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwX" 1.604 + "QWZmaXJtVHJ1c3QgUHJlbWl1bSBFQ0M=", 1.605 + "dJclisc/elQ=", 1.606 + nullptr 1.607 + }, 1.608 + { 1.609 + // CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL 1.610 + "1.2.616.1.113527.2.5.1.1", 1.611 + "Certum EV OID", 1.612 + SEC_OID_UNKNOWN, 1.613 + { 0x07, 0xE0, 0x32, 0xE0, 0x20, 0xB7, 0x2C, 0x3F, 0x19, 0x2F, 1.614 + 0x06, 0x28, 0xA2, 0x59, 0x3A, 0x19, 0xA7, 0x0F, 0x06, 0x9E }, 1.615 + "MH4xCzAJBgNVBAYTAlBMMSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBT" 1.616 + "LkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAg" 1.617 + "BgNVBAMTGUNlcnR1bSBUcnVzdGVkIE5ldHdvcmsgQ0E=", 1.618 + "BETA", 1.619 + nullptr 1.620 + }, 1.621 + { 1.622 + // CN=Izenpe.com,O=IZENPE S.A.,C=ES 1.623 + "1.3.6.1.4.1.14777.6.1.1", 1.624 + "Izenpe EV OID 1", 1.625 + SEC_OID_UNKNOWN, 1.626 + { 0x2F, 0x78, 0x3D, 0x25, 0x52, 0x18, 0xA7, 0x4A, 0x65, 0x39, 1.627 + 0x71, 0xB5, 0x2C, 0xA2, 0x9C, 0x45, 0x15, 0x6F, 0xE9, 0x19 }, 1.628 + "MDgxCzAJBgNVBAYTAkVTMRQwEgYDVQQKDAtJWkVOUEUgUy5BLjETMBEGA1UEAwwK" 1.629 + "SXplbnBlLmNvbQ==", 1.630 + "ALC3WhZIX7/hy/WL1xnmfQ==", 1.631 + nullptr 1.632 + }, 1.633 + { 1.634 + // CN=Izenpe.com,O=IZENPE S.A.,C=ES 
1.635 + "1.3.6.1.4.1.14777.6.1.2", 1.636 + "Izenpe EV OID 2", 1.637 + SEC_OID_UNKNOWN, 1.638 + { 0x2F, 0x78, 0x3D, 0x25, 0x52, 0x18, 0xA7, 0x4A, 0x65, 0x39, 1.639 + 0x71, 0xB5, 0x2C, 0xA2, 0x9C, 0x45, 0x15, 0x6F, 0xE9, 0x19 }, 1.640 + "MDgxCzAJBgNVBAYTAkVTMRQwEgYDVQQKDAtJWkVOUEUgUy5BLjETMBEGA1UEAwwK" 1.641 + "SXplbnBlLmNvbQ==", 1.642 + "ALC3WhZIX7/hy/WL1xnmfQ==", 1.643 + nullptr 1.644 + }, 1.645 + { 1.646 + // CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT 1.647 + "1.2.40.0.17.1.22", 1.648 + "A-Trust EV OID", 1.649 + SEC_OID_UNKNOWN, 1.650 + { 0xD3, 0xC0, 0x63, 0xF2, 0x19, 0xED, 0x07, 0x3E, 0x34, 0xAD, 1.651 + 0x5D, 0x75, 0x0B, 0x32, 0x76, 0x29, 0xFF, 0xD5, 0x9A, 0xF2 }, 1.652 + "MIGNMQswCQYDVQQGEwJBVDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hl" 1.653 + "cmhlaXRzc3lzdGVtZSBpbSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMRkwFwYD" 1.654 + "VQQLDBBBLVRydXN0LW5RdWFsLTAzMRkwFwYDVQQDDBBBLVRydXN0LW5RdWFsLTAz", 1.655 + "AWwe", 1.656 + nullptr 1.657 + }, 1.658 + { 1.659 + // CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE 1.660 + "1.3.6.1.4.1.7879.13.24.1", 1.661 + "T-Systems EV OID", 1.662 + SEC_OID_UNKNOWN, 1.663 + { 0x55, 0xA6, 0x72, 0x3E, 0xCB, 0xF2, 0xEC, 0xCD, 0xC3, 0x23, 1.664 + 0x74, 0x70, 0x19, 0x9D, 0x2A, 0xBE, 0x11, 0xE3, 0x81, 0xD1 }, 1.665 + "MIGCMQswCQYDVQQGEwJERTErMCkGA1UECgwiVC1TeXN0ZW1zIEVudGVycHJpc2Ug" 1.666 + "U2VydmljZXMgR21iSDEfMB0GA1UECwwWVC1TeXN0ZW1zIFRydXN0IENlbnRlcjEl" 1.667 + "MCMGA1UEAwwcVC1UZWxlU2VjIEdsb2JhbFJvb3QgQ2xhc3MgMw==", 1.668 + "AQ==", 1.669 + nullptr 1.670 + }, 1.671 + { 1.672 + // CN=TURKTRUST Elektronik Sertifika Hizmet Saglayicisi,O=TURKTRUST Bilgi Illetisim ve Bilisim Guvenligi Hizmetleri A.S.,C=TR 1.673 + "2.16.792.3.0.3.1.1.5", 1.674 + "TurkTrust EV OID", 1.675 + SEC_OID_UNKNOWN, 1.676 + { 0xF1, 0x7F, 0x6F, 0xB6, 0x31, 0xDC, 0x99, 0xE3, 0xA3, 0xC8, 1.677 + 0x7F, 0xFE, 0x1C, 0xF1, 0x81, 0x10, 0x88, 0xD9, 0x60, 0x33 }, 1.678 + 
"MIG/MT8wPQYDVQQDDDZUw5xSS1RSVVNUIEVsZWt0cm9uaWsgU2VydGlmaWthIEhp" 1.679 + "em1ldCBTYcSfbGF5xLFjxLFzxLExCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmth" 1.680 + "cmExXjBcBgNVBAoMVVTDnFJLVFJVU1QgQmlsZ2kgxLBsZXRpxZ9pbSB2ZSBCaWxp" 1.681 + "xZ9pbSBHw7x2ZW5sacSfaSBIaXptZXRsZXJpIEEuxZ4uIChjKSBBcmFsxLFrIDIw" 1.682 + "MDc=", 1.683 + "AQ==", 1.684 + nullptr 1.685 + }, 1.686 + { 1.687 + // CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN 1.688 + "1.3.6.1.4.1.29836.1.10", 1.689 + "CNNIC EV OID", 1.690 + SEC_OID_UNKNOWN, 1.691 + { 0x4F, 0x99, 0xAA, 0x93, 0xFB, 0x2B, 0xD1, 0x37, 0x26, 0xA1, 1.692 + 0x99, 0x4A, 0xCE, 0x7F, 0xF0, 0x05, 0xF2, 0x93, 0x5D, 0x1E }, 1.693 + "MIGKMQswCQYDVQQGEwJDTjEyMDAGA1UECgwpQ2hpbmEgSW50ZXJuZXQgTmV0d29y" 1.694 + "ayBJbmZvcm1hdGlvbiBDZW50ZXIxRzBFBgNVBAMMPkNoaW5hIEludGVybmV0IE5l" 1.695 + "dHdvcmsgSW5mb3JtYXRpb24gQ2VudGVyIEVWIENlcnRpZmljYXRlcyBSb290", 1.696 + "SJ8AAQ==", 1.697 + nullptr 1.698 + }, 1.699 + { 1.700 + // CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW 1.701 + "1.3.6.1.4.1.40869.1.1.22.3", 1.702 + "TWCA EV OID", 1.703 + SEC_OID_UNKNOWN, 1.704 + { 0xCF, 0x9E, 0x87, 0x6D, 0xD3, 0xEB, 0xFC, 0x42, 0x26, 0x97, 1.705 + 0xA3, 0xB5, 0xA3, 0x7A, 0xA0, 0x76, 0xA9, 0x06, 0x23, 0x48 }, 1.706 + "MF8xCzAJBgNVBAYTAlRXMRIwEAYDVQQKDAlUQUlXQU4tQ0ExEDAOBgNVBAsMB1Jv" 1.707 + "b3QgQ0ExKjAoBgNVBAMMIVRXQ0EgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0" 1.708 + "eQ==", 1.709 + "AQ==", 1.710 + nullptr 1.711 + }, 1.712 + { 1.713 + // CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE 1.714 + "1.3.6.1.4.1.4788.2.202.1", 1.715 + "D-TRUST EV OID", 1.716 + SEC_OID_UNKNOWN, 1.717 + { 0x96, 0xC9, 0x1B, 0x0B, 0x95, 0xB4, 0x10, 0x98, 0x42, 0xFA, 1.718 + 0xD0, 0xD8, 0x22, 0x79, 0xFE, 0x60, 0xFA, 0xB9, 0x16, 0x83 }, 1.719 + "MFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMM" 1.720 + "IUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAwOQ==", 1.721 + "CYP0", 1.722 + nullptr 1.723 + }, 1.724 + { 1.725 
+ // CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
1.726 + "2.16.756.1.83.21.0",
1.727 + "Swisscom EV OID",
1.728 + SEC_OID_UNKNOWN,
1.729 + { 0xE7, 0xA1, 0x90, 0x29, 0xD3, 0xD5, 0x52, 0xDC, 0x0D, 0x0F,
1.730 + 0xC6, 0x92, 0xD3, 0xEA, 0x88, 0x0D, 0x15, 0x2E, 0x1A, 0x6B },
1.731 + "MGcxCzAJBgNVBAYTAmNoMREwDwYDVQQKEwhTd2lzc2NvbTElMCMGA1UECxMcRGln"
1.732 + "aXRhbCBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEeMBwGA1UEAxMVU3dpc3Njb20gUm9v"
1.733 + "dCBFViBDQSAy",
1.734 + "APL6ZOJ0Y9ON/RAdBB92ylg=",
1.735 + nullptr
1.736 + },
1.737 + {
1.738 + // CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
1.739 + "2.16.840.1.113733.1.7.23.6",
1.740 + "VeriSign EV OID",
1.741 + SEC_OID_UNKNOWN,
1.742 + { 0x36, 0x79, 0xCA, 0x35, 0x66, 0x87, 0x72, 0x30, 0x4D, 0x30,
1.743 + 0xA5, 0xFB, 0x87, 0x3B, 0x0F, 0xA7, 0x7B, 0xB7, 0x0D, 0x54 },
1.744 + "MIG9MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNV"
1.745 + "BAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA4IFZl"
1.746 + "cmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxODA2BgNVBAMT"
1.747 + "L1ZlcmlTaWduIFVuaXZlcnNhbCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5",
1.748 + "QBrEZCGzEyEDDrvkEhrFHQ==",
1.749 + nullptr
1.750 + },
1.751 + {
1.752 + // CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
1.753 + "1.3.6.1.4.1.14370.1.6",
1.754 + "GeoTrust EV OID",
1.755 + SEC_OID_UNKNOWN,
1.756 + { 0x03, 0x9E, 0xED, 0xB8, 0x0B, 0xE7, 0xA0, 0x3C, 0x69, 0x53,
1.757 + 0x89, 0x3B, 0x20, 0xD2, 0xD9, 0x32, 0x3A, 0x4C, 0x2A, 0xFD },
1.758 + "MIGYMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjE5MDcGA1UE"
1.759 + "CxMwKGMpIDIwMDggR2VvVHJ1c3QgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBv"
1.760 + "bmx5MTYwNAYDVQQDEy1HZW9UcnVzdCBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0"
1.761 + "aG9yaXR5IC0gRzM=",
1.762 + "FaxulBmyeUtB9iepwxgPHw==",
1.763 + nullptr
1.764 + },
1.765 + {
1.766 + // CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
1.767 + "2.16.840.1.113733.1.7.48.1",
1.768 + "Thawte EV OID",
1.769 + SEC_OID_UNKNOWN,
1.770 + { 0xF1, 0x8B, 0x53, 0x8D, 0x1B, 0xE9, 0x03, 0xB6, 0xA6, 0xF0,
1.771 + 0x56, 0x43, 0x5B, 0x17, 0x15, 0x89, 0xCA, 0xF3, 0x6B, 0xF2 },
1.772 + "MIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSgwJgYDVQQL"
1.773 + "Ex9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYDVQQLEy8oYykg"
1.774 + "MjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEkMCIG"
1.775 + "A1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz",
1.776 + "YAGXt0an6rS0mtZLL/eQ+w==",
1.777 + nullptr
1.778 + },
1.779 + {
1.780 + // CN = Autoridad de Certificacion Firmaprofesional CIF A62634068, C = ES
1.781 + "1.3.6.1.4.1.13177.10.1.3.10",
1.782 + "Firmaprofesional EV OID",
1.783 + SEC_OID_UNKNOWN,
1.784 + { 0xAE, 0xC5, 0xFB, 0x3F, 0xC8, 0xE1, 0xBF, 0xC4, 0xE5, 0x4F,
1.785 + 0x03, 0x07, 0x5A, 0x9A, 0xE8, 0x00, 0xB7, 0xF7, 0xB6, 0xFA },
1.786 + "MFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUgQ2VydGlmaWNh"
1.787 + "Y2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjg=",
1.788 + "U+w77vuySF8=",
1.789 + nullptr
1.790 + },
1.791 + {
1.792 + // CN = TWCA Global Root CA, OU = Root CA, O = TAIWAN-CA, C = TW
1.793 + "1.3.6.1.4.1.40869.1.1.22.3",
1.794 + "TWCA EV OID",
1.795 + SEC_OID_UNKNOWN,
1.796 + { 0x9C, 0xBB, 0x48, 0x53, 0xF6, 0xA4, 0xF6, 0xD3, 0x52, 0xA4,
1.797 + 0xE8, 0x32, 0x52, 0x55, 0x60, 0x13, 0xF5, 0xAD, 0xAF, 0x65 },
1.798 + "MFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsTB1Jv"
1.799 + "b3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3QgQ0E=",
1.800 + "DL4=",
1.801 + nullptr
1.802 + },
1.803 + {
1.804 + // CN = E-Tugra Certification Authority, OU = E-Tugra Sertifikasyon Merkezi, O = E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., L = Ankara, C = TR
1.805 + "2.16.792.3.0.4.1.1.4",
1.806 + "ETugra EV OID",
1.807 + SEC_OID_UNKNOWN,
1.808 + { 0x51, 0xC6, 0xE7, 0x08, 0x49, 0x06, 0x6E, 0xF3, 0x92, 0xD4,
1.809 + 0x5C, 0xA0, 0x0D, 0x6D, 0xA3, 0x62, 0x8F, 0xC3, 0x52, 0x39 },
1.810 + "MIGyMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMUAwPgYDVQQKDDdFLVR1"
1.811 + "xJ9yYSBFQkcgQmlsacWfaW0gVGVrbm9sb2ppbGVyaSB2ZSBIaXptZXRsZXJpIEEu"
1.812 + "xZ4uMSYwJAYDVQQLDB1FLVR1Z3JhIFNlcnRpZmlrYXN5b24gTWVya2V6aTEoMCYG"
1.813 + "A1UEAwwfRS1UdWdyYSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==",
1.814 + "amg+nFGby1M=",
1.815 + nullptr
1.816 + }
1.817 +};
1.818 +
1.819 +static SECOidTag
1.820 +register_oid(const SECItem* oid_item, const char* oid_name)
1.821 +{
1.822 + if (!oid_item)
1.823 + return SEC_OID_UNKNOWN;
1.824 +
1.825 + SECOidData od;
1.826 + od.oid.len = oid_item->len;
1.827 + od.oid.data = oid_item->data;
1.828 + od.offset = SEC_OID_UNKNOWN;
1.829 + od.desc = oid_name;
1.830 + od.mechanism = CKM_INVALID_MECHANISM;
1.831 + od.supportedExtension = INVALID_CERT_EXTENSION;
1.832 + return SECOID_AddEntry(&od);
1.833 +}
1.834 +
1.835 +#ifndef NSS_NO_LIBPKIX
1.836 +static void
1.837 +addToCertListIfTrusted(CERTCertList* certList, CERTCertificate* cert) {
1.838 + CERTCertTrust nssTrust;
1.839 + if (CERT_GetCertTrust(cert, &nssTrust) != SECSuccess) {
1.840 + return;
1.841 + }
1.842 + unsigned int flags = SEC_GET_TRUST_FLAGS(&nssTrust, trustSSL);
1.843 +
1.844 + if (flags & CERTDB_TRUSTED_CA) {
1.845 + CERT_AddCertToListTail(certList, CERT_DupCertificate(cert));
1.846 + }
1.847 +}
1.848 +#endif
1.849 +
1.850 +static bool
1.851 +isEVPolicy(SECOidTag policyOIDTag)
1.852 +{
1.853 + for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
1.854 + nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
1.855 + if (policyOIDTag == entry.oid_tag) {
1.856 + return true;
1.857 + }
1.858 + }
1.859 +
1.860 + return false;
1.861 +}
1.862 +
1.863 +namespace mozilla { namespace psm {
1.864 +
1.865 +#ifndef NSS_NO_LIBPKIX
1.866 +CERTCertList*
1.867 +GetRootsForOid(SECOidTag oid_tag)
1.868 +{
1.869 + CERTCertList* certList = CERT_NewCertList();
1.870 + if (!certList)
1.871 + return nullptr;
1.872 +
1.873 + for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
1.874 + nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
1.875 + if (entry.oid_tag == oid_tag) {
1.876 + addToCertListIfTrusted(certList, entry.cert);
1.877 + }
1.878 + }
1.879 +
1.880 + return certList;
1.881 +}
1.882 +#endif
1.883 +
1.884 +bool
1.885 +CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert,
1.886 + SECOidTag policyOidTag)
1.887 +{
1.888 + PR_ASSERT(cert);
1.889 + PR_ASSERT(policyOidTag != SEC_OID_UNKNOWN);
1.890 + if (!cert || !policyOidTag) {
1.891 + return false;
1.892 + }
1.893 +
1.894 + for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
1.895 + nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
1.896 + if (entry.oid_tag == policyOidTag && entry.cert &&
1.897 + CERT_CompareCerts(cert, entry.cert)) {
1.898 + return true;
1.899 + }
1.900 + }
1.901 +
1.902 + return false;
1.903 +}
1.904 +
1.905 +static PRStatus
1.906 +IdentityInfoInit()
1.907 +{
1.908 + for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
1.909 + nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
1.910 +
1.911 + SECStatus rv;
1.912 + CERTIssuerAndSN ias;
1.913 +
1.914 + rv = ATOB_ConvertAsciiToItem(&ias.derIssuer, const_cast<char*>(entry.issuer_base64));
1.915 + PR_ASSERT(rv == SECSuccess);
1.916 + if (rv != SECSuccess) {
1.917 + return PR_FAILURE;
1.918 + }
1.919 + rv = ATOB_ConvertAsciiToItem(&ias.serialNumber,
1.920 + const_cast<char*>(entry.serial_base64));
1.921 + PR_ASSERT(rv == SECSuccess);
1.922 + if (rv != SECSuccess) {
1.923 + SECITEM_FreeItem(&ias.derIssuer, false);
1.924 + return PR_FAILURE;
1.925 + }
1.926 +
1.927 + ias.serialNumber.type = siUnsignedInteger;
1.928 +
1.929 + entry.cert = CERT_FindCertByIssuerAndSN(nullptr, &ias);
1.930 +
1.931 + SECITEM_FreeItem(&ias.derIssuer, false);
1.932 + SECITEM_FreeItem(&ias.serialNumber, false);
1.933 +
1.934 + // If an entry is missing in the NSS root database, it may be because the
1.935 + // root database is out of sync with what we expect (e.g. a different
1.936 + // version of system NSS is installed). We will just silently avoid
1.937 + // treating that root cert as EV.
1.938 + if (!entry.cert) {
1.939 +#ifdef DEBUG
1.940 + // The debug CA info is at position 0, and is NOT on the NSS root db
1.941 + if (iEV == 0) {
1.942 + continue;
1.943 + }
1.944 +#endif
1.945 + PR_NOT_REACHED("Could not find EV root in NSS storage");
1.946 + continue;
1.947 + }
1.948 +
1.949 + unsigned char certFingerprint[20];
1.950 + rv = PK11_HashBuf(SEC_OID_SHA1, certFingerprint,
1.951 + entry.cert->derCert.data, entry.cert->derCert.len);
1.952 + PR_ASSERT(rv == SECSuccess);
1.953 + if (rv == SECSuccess) {
1.954 + bool same = !memcmp(certFingerprint, entry.ev_root_sha1_fingerprint, 20);
1.955 + PR_ASSERT(same);
1.956 + if (same) {
1.957 +
1.958 + SECItem ev_oid_item;
1.959 + ev_oid_item.data = nullptr;
1.960 + ev_oid_item.len = 0;
1.961 + rv = SEC_StringToOID(nullptr, &ev_oid_item, entry.dotted_oid, 0);
1.962 + PR_ASSERT(rv == SECSuccess);
1.963 + if (rv == SECSuccess) {
1.964 + entry.oid_tag = register_oid(&ev_oid_item, entry.oid_name);
1.965 + if (entry.oid_tag == SEC_OID_UNKNOWN) {
1.966 + rv = SECFailure;
1.967 + }
1.968 + SECITEM_FreeItem(&ev_oid_item, false);
1.969 + }
1.970 + } else {
1.971 + PR_SetError(SEC_ERROR_BAD_DATA, 0);
1.972 + rv = SECFailure;
1.973 + }
1.974 + }
1.975 +
1.976 + if (rv != SECSuccess) {
1.977 + CERT_DestroyCertificate(entry.cert);
1.978 + entry.cert = nullptr;
1.979 + entry.oid_tag = SEC_OID_UNKNOWN;
1.980 + return PR_FAILURE;
1.981 + }
1.982 + }
1.983 +
1.984 + return PR_SUCCESS;
1.985 +}
1.986 +
1.987 +static PRCallOnceType sIdentityInfoCallOnce;
1.988 +
1.989 +void
1.990 +EnsureIdentityInfoLoaded()
1.991 +{
1.992 + (void) PR_CallOnce(&sIdentityInfoCallOnce, IdentityInfoInit);
1.993 +}
1.994 +
1.995 +void
1.996 +CleanupIdentityInfo()
1.997 +{
1.998 + for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
1.999 + nsMyTrustedEVInfo &entry = myTrustedEVInfos[iEV];
1.1000 + if (entry.cert) {
1.1001 + CERT_DestroyCertificate(entry.cert);
1.1002 + entry.cert = nullptr;
1.1003 + }
1.1004 + }
1.1005 +
1.1006 + memset(&sIdentityInfoCallOnce, 0, sizeof(PRCallOnceType));
1.1007 +}
1.1008 +
1.1009 +// Find the first policy OID that is known to be an EV policy OID.
1.1010 +SECStatus
1.1011 +GetFirstEVPolicy(CERTCertificate* cert, SECOidTag& outOidTag)
1.1012 +{
1.1013 + if (!cert)
1.1014 + return SECFailure;
1.1015 +
1.1016 + if (cert->extensions) {
1.1017 + for (int i=0; cert->extensions[i]; i++) {
1.1018 + const SECItem* oid = &cert->extensions[i]->id;
1.1019 +
1.1020 + SECOidTag oidTag = SECOID_FindOIDTag(oid);
1.1021 + if (oidTag != SEC_OID_X509_CERTIFICATE_POLICIES)
1.1022 + continue;
1.1023 +
1.1024 + SECItem* value = &cert->extensions[i]->value;
1.1025 +
1.1026 + CERTCertificatePolicies* policies;
1.1027 + CERTPolicyInfo** policyInfos;
1.1028 +
1.1029 + policies = CERT_DecodeCertificatePoliciesExtension(value);
1.1030 + if (!policies)
1.1031 + continue;
1.1032 +
1.1033 + policyInfos = policies->policyInfos;
1.1034 +
1.1035 + bool found = false;
1.1036 + while (*policyInfos) {
1.1037 + const CERTPolicyInfo* policyInfo = *policyInfos++;
1.1038 +
1.1039 + SECOidTag oid_tag = policyInfo->oid;
1.1040 + if (oid_tag != SEC_OID_UNKNOWN && isEVPolicy(oid_tag)) {
1.1041 + // in our list of OIDs accepted for EV
1.1042 + outOidTag = oid_tag;
1.1043 + found = true;
1.1044 + break;
1.1045 + }
1.1046 + }
1.1047 + CERT_DestroyCertificatePoliciesExtension(policies);
1.1048 + if (found)
1.1049 + return SECSuccess;
1.1050 + }
1.1051 + }
1.1052 +
1.1053 + return SECFailure;
1.1054 +}
1.1055 +
1.1056 +} } // namespace mozilla::psm