Bug 1018018: Remove support/mention of proprietary Netscape certificate extensions from PSM, r=cviecco
authorBrian Smith <brian@briansmith.org>
Thu, 29 May 2014 20:38:25 -0700
changeset 185966 1b779285c164d8a3e34d2d3e4e824197b03300db
parent 185965 e307284f7fa0f46ef9622293e959d10b4a17455a
child 185967 69d7eaad0a504fc6ab08a5759f7e91b4acdce605
push id7522
push userphilringnalda@gmail.com
push dateSun, 01 Jun 2014 03:46:25 +0000
reviewerscviecco
bugs1018018
milestone32.0a1
Bug 1018018: Remove support/mention of proprietary Netscape certificate extensions from PSM, r=cviecco
security/manager/locales/en-US/chrome/pipnss/pipnss.properties
security/manager/ssl/src/TransportSecurityInfo.cpp
security/manager/ssl/src/nsNSSCertHelper.cpp
--- a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
+++ b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
@@ -96,27 +96,16 @@ CertDumpParams=Algorithm Parameters
 CertDumpRSAEncr=PKCS #1 RSA Encryption
 CertDumpRSAPSSSignature=PKCS #1 RSASSA-PSS Signature
 CertDumpRSATemplate=Modulus (%S bits):\n%S\nExponent (%S bits):\n%S
 CertDumpECTemplate=Key size: %S bits\nBase point order length: %S bits\nPublic value:\n%S
 CertDumpIssuerUniqueID=Issuer Unique ID
 CertDumpSubjPubKey=Subject's Public Key
 CertDumpSubjectUniqueID=Subject Unique ID
 CertDumpExtensions=Extensions
-CertDumpCertType=Netscape Certificate Type
-CertDumpNSCertExtBaseUrl=Netscape Certificate Extension Base URL
-CertDumpNSCertExtRevocationUrl=Netscape Certificate Revocation URL
-CertDumpNSCertExtCARevocationUrl=Netscape Certificate Authority Revocation URL
-CertDumpNSCertExtCertRenewalUrl=Netscape Certificate Renewal URL
-CertDumpNSCertExtCAPolicyUrl=Netscape Certificate Authority Policy URL
-CertDumpNSCertExtSslServerName=Netscape Certificate SSL Server Name
-CertDumpNSCertExtComment=Netscape Certificate Comment
-CertDumpNSCertExtLostPasswordUrl=Netscape Lost Password URL
-CertDumpNSCertExtCertRenewalTime=NetscapeCertificate Renewal Time
-CertDumpNetscapeAolScreenname=AOL Screenname
 CertDumpSubjectDirectoryAttr=Certificate Subject Directory Attributes
 CertDumpSubjectKeyID=Certificate Subject Key ID
 CertDumpKeyUsage=Certificate Key Usage
 CertDumpSubjectAltName=Certificate Subject Alt Name
 CertDumpIssuerAltName=Certificate Issuer Alt Name
 CertDumpBasicConstraints=Certificate Basic Constraints
 CertDumpNameConstraints=Certificate Name Constraints
 CertDumpCrlDistPoints=CRL Distribution Points
@@ -124,18 +113,16 @@ CertDumpCertPolicies=Certificate Policie
 CertDumpPolicyMappings=Certificate Policy Mappings
 CertDumpPolicyConstraints=Certificate Policy Constraints
 CertDumpAuthKeyID=Certificate Authority Key Identifier
 CertDumpExtKeyUsage=Extended Key Usage
 CertDumpAuthInfoAccess=Authority Information Access
 CertDumpAnsiX9DsaSignature=ANSI X9.57 DSA Signature
 CertDumpAnsiX9DsaSignatureWithSha1=ANSI X9.57 DSA Signature with SHA1 Digest
 CertDumpAnsiX962ECDsaSignatureWithSha1=ANSI X9.62 ECDSA Signature with SHA1
-CertDumpCertTypeEmail=Email
-CertDumpEmailCA=Email Certificate Authority
 CertDumpKUSign=Signing
 CertDumpKUNonRep=Non-repudiation
 CertDumpKUEnc=Key Encipherment
 CertDumpKUDEnc=Data Encipherment
 CertDumpKUKA=Key Agreement
 CertDumpKUCertSign=Certificate Signer
 CertDumpKUCRLSigner=CRL Signer
 CertDumpCritical=Critical
--- a/security/manager/ssl/src/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/src/TransportSecurityInfo.cpp
@@ -702,23 +702,17 @@ AppendErrorTextMismatch(const nsString &
   nsString allNames;
   uint32_t nameCount = 0;
   bool useSAN = false;
 
   if (nssCert)
     useSAN = GetSubjectAltNames(nssCert.get(), component, allNames, nameCount);
 
   if (!useSAN) {
-    char *certName = nullptr;
-    // currently CERT_FindNSStringExtension is not being exported by NSS.
-    // If it gets exported, enable the following line.
-    //   certName = CERT_FindNSStringExtension(nssCert, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
-    // However, it has been discussed to treat the extension as obsolete and ignore it.
-    if (!certName)
-      certName = CERT_GetCommonName(&nssCert->subject);
+    char *certName = CERT_GetCommonName(&nssCert->subject);
     if (certName) {
       ++nameCount;
       allNames.Assign(NS_ConvertUTF8toUTF16(certName));
       PORT_Free(certName);
     }
   }
 
   if (nameCount > 1) {
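Review bot: The new `char *certName = CERT_GetCommonName(&nssCert->subject);` dereferences `nssCert` unconditionally, while the SAN lookup a few lines above is guarded by `if (nssCert)`. If `nssCert` can be null here (the guard suggests so, but the code that sets it is outside the hunk), `useSAN` stays false and this fallback passes an invalid address to NSS while building the text of a certificate-mismatch error. Consider changing the branch to `if (!useSAN && nssCert) {`, or removing the earlier guard if null is impossible, so the two sites agree. AppendErrorTextMismatch begins and ends outside this hunk.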
--- a/security/manager/ssl/src/nsNSSCertHelper.cpp
+++ b/security/manager/ssl/src/nsNSSCertHelper.cpp
@@ -280,49 +280,16 @@ GetOIDText(SECItem *oid, nsINSSComponent
     bundlekey = "CertDumpSHA512WithRSA";
     break;
   case SEC_OID_PKCS1_RSA_ENCRYPTION:
     bundlekey = "CertDumpRSAEncr";
     break;
   case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
     bundlekey = "CertDumpRSAPSSSignature";
     break;
-  case SEC_OID_NS_CERT_EXT_CERT_TYPE:
-    bundlekey = "CertDumpCertType";
-    break;
-  case SEC_OID_NS_CERT_EXT_BASE_URL:
-    bundlekey = "CertDumpNSCertExtBaseUrl";
-    break;
-  case SEC_OID_NS_CERT_EXT_REVOCATION_URL:
-    bundlekey = "CertDumpNSCertExtRevocationUrl";
-    break;
-  case SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL:
-    bundlekey = "CertDumpNSCertExtCARevocationUrl";
-    break;
-  case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL:
-    bundlekey = "CertDumpNSCertExtCertRenewalUrl";
-    break;
-  case SEC_OID_NS_CERT_EXT_CA_POLICY_URL:
-    bundlekey = "CertDumpNSCertExtCAPolicyUrl";
-    break;
-  case SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME:
-    bundlekey = "CertDumpNSCertExtSslServerName";
-    break;
-  case SEC_OID_NS_CERT_EXT_COMMENT:
-    bundlekey = "CertDumpNSCertExtComment";
-    break;
-  case SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL:
-    bundlekey = "CertDumpNSCertExtLostPasswordUrl";
-    break;
-  case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME:
-    bundlekey = "CertDumpNSCertExtCertRenewalTime";
-    break;
-  case SEC_OID_NETSCAPE_AOLSCREENNAME:
-    bundlekey = "CertDumpNetscapeAolScreenname";
-    break;
   case SEC_OID_AVA_COUNTRY_NAME:
     bundlekey = "CertDumpAVACountry";
     break;
   case SEC_OID_AVA_COMMON_NAME:
     bundlekey = "CertDumpAVACN";
     break;
   case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
     bundlekey = "CertDumpAVAOU";
@@ -668,71 +635,16 @@ ProcessRawBytes(nsINSSComponent *nssComp
     if ((i+1)%16 == 0) {
       text.AppendLiteral(SEPARATOR);
     }
   }
   return NS_OK;
 }    
 
 static nsresult
-ProcessNSCertTypeExtensions(SECItem  *extData, 
-                            nsAString &text,
-                            nsINSSComponent *nssComponent)
-{
-  nsAutoString local;
-  SECItem decoded;
-  decoded.data = nullptr;
-  decoded.len  = 0;
-  if (SECSuccess != SEC_ASN1DecodeItem(nullptr, &decoded, 
-		SEC_ASN1_GET(SEC_BitStringTemplate), extData)) {
-    nssComponent->GetPIPNSSBundleString("CertDumpExtensionFailure", local);
-    text.Append(local.get());
-    return NS_OK;
-  }
-  unsigned char nsCertType = decoded.data[0];
-  nsMemory::Free(decoded.data);
-  if (nsCertType & NS_CERT_TYPE_SSL_CLIENT) {
-    nssComponent->GetPIPNSSBundleString("VerifySSLClient", local);
-    text.Append(local.get());
-    text.AppendLiteral(SEPARATOR);
-  }
-  if (nsCertType & NS_CERT_TYPE_SSL_SERVER) {
-    nssComponent->GetPIPNSSBundleString("VerifySSLServer", local);
-    text.Append(local.get());
-    text.AppendLiteral(SEPARATOR);
-  }
-  if (nsCertType & NS_CERT_TYPE_EMAIL) {
-    nssComponent->GetPIPNSSBundleString("CertDumpCertTypeEmail", local);
-    text.Append(local.get());
-    text.AppendLiteral(SEPARATOR);
-  }
-  if (nsCertType & NS_CERT_TYPE_OBJECT_SIGNING) {
-    nssComponent->GetPIPNSSBundleString("VerifyObjSign", local);
-    text.Append(local.get());
-    text.AppendLiteral(SEPARATOR);
-  }
-  if (nsCertType & NS_CERT_TYPE_SSL_CA) {
-    nssComponent->GetPIPNSSBundleString("VerifySSLCA", local);
-    text.Append(local.get());
-    text.AppendLiteral(SEPARATOR);
-  }
-  if (nsCertType & NS_CERT_TYPE_EMAIL_CA) {
-    nssComponent->GetPIPNSSBundleString("CertDumpEmailCA", local);
-    text.Append(local.get());
-    text.AppendLiteral(SEPARATOR);
-  }
-  if (nsCertType & NS_CERT_TYPE_OBJECT_SIGNING_CA) {
-    nssComponent->GetPIPNSSBundleString("VerifyObjSign", local);
-    text.Append(local.get());
-    text.AppendLiteral(SEPARATOR);
-  }
-  return NS_OK;
-}
-
-static nsresult
 ProcessKeyUsageExtension(SECItem *extData, nsAString &text,
                          nsINSSComponent *nssComponent)
 {
   nsAutoString local;
   SECItem decoded;
   decoded.data = nullptr;
   decoded.len  = 0;
   if (SECSuccess != SEC_ASN1DecodeItem(nullptr, &decoded, 
@@ -1605,19 +1517,16 @@ ProcessMSCAVersion(SECItem  *extData,
 static nsresult
 ProcessExtensionData(SECOidTag oidTag, SECItem *extData, 
                      nsAString &text, 
                      SECOidTag ev_oid_tag, // SEC_OID_UNKNOWN means: not EV
                      nsINSSComponent *nssComponent)
 {
   nsresult rv;
   switch (oidTag) {
-  case SEC_OID_NS_CERT_EXT_CERT_TYPE:
-    rv = ProcessNSCertTypeExtensions(extData, text, nssComponent);
-    break;
   case SEC_OID_X509_KEY_USAGE:
     rv = ProcessKeyUsageExtension(extData, text, nssComponent);
     break;
   case SEC_OID_X509_BASIC_CONSTRAINTS:
     rv = ProcessBasicConstraints(extData, text, nssComponent);
     break;
   case SEC_OID_X509_EXT_KEY_USAGE:
     rv = ProcessExtKeyUsage(extData, text, nssComponent);
@@ -1636,28 +1545,16 @@ ProcessExtensionData(SECOidTag oidTag, S
     rv = ProcessCertificatePolicies(extData, text, ev_oid_tag, nssComponent);
     break;
   case SEC_OID_X509_CRL_DIST_POINTS:
     rv = ProcessCrlDistPoints(extData, text, nssComponent);
     break;
   case SEC_OID_X509_AUTH_INFO_ACCESS:
     rv = ProcessAuthInfoAccess(extData, text, nssComponent);
     break;
-  case SEC_OID_NS_CERT_EXT_BASE_URL:
-  case SEC_OID_NS_CERT_EXT_REVOCATION_URL:
-  case SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL:
-  case SEC_OID_NS_CERT_EXT_CA_CERT_URL:
-  case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL:
-  case SEC_OID_NS_CERT_EXT_CA_POLICY_URL:
-  case SEC_OID_NS_CERT_EXT_HOMEPAGE_URL:
-  case SEC_OID_NS_CERT_EXT_COMMENT:
-  case SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME:
-  case SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL:
-    rv = ProcessIA5String(extData, text, nssComponent);
-    break;
   default:
     if (oidTag == SEC_OID(MS_CERT_EXT_CERTTYPE)) {
       rv = ProcessBMPString(extData, text, nssComponent);
       break;
     }
     if (oidTag == SEC_OID(MS_CERTSERV_CA_VERSION)) {
       rv = ProcessMSCAVersion(extData, text, nssComponent);
       break;