PSM:EV Testing

This document explains how to modify PSM (mozilla/security/manager) sources in order to enable a root CA cert for Extended Validation (EV).

Ensure the root CA cert has been added to NSS storage.

Find file mozilla/security/manager/ssl/src/nsIdentityChecking.cpp, which contains a definition for a type named nsMyTrustedEVInfo. Following the structure definition, add a new entry to array myTrustedEVInfos.

To ensure this page won't get out of date, please study the existing entries and field names, they should make it clear what you must provide. One noteworthy detail are the issuer and serial number fields, those most be provided in their encoded form (as stored in the certificate) and transformed to base64.

PSM will use {issuer name, serial number} as a key to find potential root certs in NSS storage.

Each entry should have a comment that mentions the cert's subject name, to make it easier for human readers to find the referenced cert.

Some words on PSM's EV verification strategy:

At runtime, PSM will register alls OIDs found in array entries, cobined with the oid name string.

When verifying end entity (EE) certs for EV, PSM will match policy OIDs contained in the EE cert against all entries in myTrustedEVInfos and derive a list of candidate roots. Next it will ask NSS to validate the EE cert, including policy validation, and find a path to one of the candidate roots.

User interface reporting: As of today, PSM's user interface, in particular the certificate viewer, is not in synch with EV policy validation. The displayed chain may be good for validating the cert, but a different chain might have been used for cert plus policy validation.