Skip to content
/ ev-checker Public
forked from mozkeeler/ev-checker

Tool for testing enabling new EV roots in Firefox

0 stars 7 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

x19e/ev-checker

BranchesTags
 
 

Repository files navigation

ev-checker

What

ev-checker is a standalone command-line utility for determining if a given EV policy fulfills the requirements of Mozilla's Root CA program and may thus be enabled.

How

ev-checker depends on the libraries NSS and NSPR. It additionally makes use of mozilla::pkix. Since mozilla::pkix has not been released as a stand-alone library yet, this project imports a snapshot of the implementation. (See the file pkix-import.) ev-checker implements a mozilla::pkix::TrustDomain and uses mozilla::pkix::BuildCertChain to determine if a given EV policy meets the requirements to be enabled in Firefox.

Example

First, compile with make. There is no guarantee of portability, so feel free to file issues if this does not work as expected.

Then, given the file cert-chain.pem, the dotted OID of the EV policy, and a hostname to validate against, run ev-checker like so:

./ev-checker -c cert-chain.pem -o dotted.OID -h hostname

-c specifies the file containing a sequence of PEM-encoded certificates. The first certificate is the end-entity certificate intended to be tested for EV treatment. The last certificate is the root certificate that is authoritative for the given EV policy. Any certificates in between are intermediate certificates.

If run with the flag -d and a description of the EV OID, ev-checker will output a blob of text that must be added to security/certverifier/ExtendedValidation.cpp in the mozilla-central tree for Firefox to consider this a valid EV policy. It will also validate the end-entity certificate. If it succeeds, the EV policy is ready to be enabled. If not, something needs to be fixed. Hopefully ev-checker emitted a helpful error message pointing to the problem.

$ ev-checker -c chain.pem -o 2.16.840.1.114412.2.1 -d "Digicert EV OID" -h addons.mozilla.org

// CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
"2.16.840.1.114412.2.1",
"Digicert EV OID",
SEC_OID_UNKNOWN,
{ 0x74, 0x31, 0xE5, 0xF4, 0xC3, 0xC1, 0xCE, 0x46, 0x90, 0x77, 0x4F,
  0x0B, 0x61, 0xE0, 0x54, 0x40, 0x88, 0x3B, 0xA9, 0xA0, 0x1E, 0xD0,
  0x0B, 0xA6, 0xAB, 0xD7, 0x80, 0x6E, 0xD3, 0xB1, 0x18, 0xCF },
"MGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT"
"EHd3dy5kaWdpY2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0IEhpZ2ggQXNzdXJh"
"bmNlIEVWIFJvb3QgQ0E=",
"AqxcJmoLQJuPC3nyrkYldw==",
Success!

TODO Items

  • Do OCSP fetching
  • Other policy issues
  • More helpful error messages

About

Tool for testing enabling new EV roots in Firefox

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C++ 97.0%
  • Python 1.6%
  • JavaScript 0.7%
  • Shell 0.3%
  • HTML 0.2%
  • Makefile 0.2%