| author | David Keeler <dkeeler@mozilla.com> |
| Thu, 20 Mar 2014 14:29:21 -0700 | |
| changeset 174639 | 04ea38d3515f3dd7e739cfed8005fa70634c06fb |
| parent 174638 | 817ccd4562d0c518751b6b1e01ef64da1838014e |
| child 174640 | 98e17f725ba235fcd1fe65e5c640b47e1b788005 |
| push id | 41308 |
| push user | dkeeler@mozilla.com |
| push date | Thu, 20 Mar 2014 21:31:16 +0000 |
| treeherder | mozilla-inbound@04ea38d3515f [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | cviecco, briansmith |
| bugs | 985201 |
| milestone | 31.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/security/apps/AppSignatureVerification.cpp +++ b/security/apps/AppSignatureVerification.cpp @@ -5,17 +5,17 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #ifdef MOZ_LOGGING #define FORCE_PR_LOG 1 #endif #include "nsNSSCertificateDB.h" -#include "insanity/pkix.h" +#include "pkix/pkix.h" #include "mozilla/RefPtr.h" #include "CryptoTask.h" #include "AppTrustDomain.h" #include "nsComponentManagerUtils.h" #include "nsCOMPtr.h" #include "nsHashKeys.h" #include "nsIFile.h" #include "nsIInputStream.h" @@ -28,17 +28,17 @@ #include "ScopedNSSTypes.h" #include "base64.h" #include "certdb.h" #include "secmime.h" #include "plstr.h" #include "prlog.h" -using namespace insanity::pkix; +using namespace mozilla::pkix; using namespace mozilla; using namespace mozilla::psm; #ifdef PR_LOGGING extern PRLogModuleInfo* gPIPNSSLog; #endif namespace { @@ -520,19 +520,19 @@ ParseMF(const char* filebuf, nsIZipReade } return NS_OK; } nsresult VerifySignature(AppTrustedRoot trustedRoot, const SECItem& buffer, const SECItem& detachedDigest, - /*out*/ insanity::pkix::ScopedCERTCertList& builtChain) + /*out*/ mozilla::pkix::ScopedCERTCertList& builtChain) { - insanity::pkix::ScopedPtr<NSSCMSMessage, NSS_CMSMessage_Destroy> + mozilla::pkix::ScopedPtr<NSSCMSMessage, NSS_CMSMessage_Destroy> cmsMsg(NSS_CMSMessage_CreateFromDER(const_cast<SECItem*>(&buffer), nullptr, nullptr, nullptr, nullptr, nullptr, nullptr)); if (!cmsMsg) { return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING; } if (!NSS_CMSMessage_IsSigned(cmsMsg.get())) { @@ -555,23 +555,23 @@ VerifySignature(AppTrustedRoot trustedRo // Set digest value. if (NSS_CMSSignedData_SetDigestValue(signedData, SEC_OID_SHA1, const_cast<SECItem*>(&detachedDigest))) { return NS_ERROR_CMS_VERIFY_BAD_DIGEST; } // Parse the certificates into CERTCertificate objects held in memory, so that // AppTrustDomain will be able to find them during path building. - insanity::pkix::ScopedCERTCertList certs(CERT_NewCertList()); + mozilla::pkix::ScopedCERTCertList certs(CERT_NewCertList()); if (!certs) { return NS_ERROR_OUT_OF_MEMORY; } if (signedData->rawCerts) { for (size_t i = 0; signedData->rawCerts[i]; ++i) { - insanity::pkix::ScopedCERTCertificate + mozilla::pkix::ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), signedData->rawCerts[i], nullptr, false, true)); // Skip certificates that fail to parse if (cert) { if (CERT_AddCertToListTail(certs.get(), cert.get()) == SECSuccess) { cert.release(); // ownership transfered } else { @@ -661,17 +661,17 @@ OpenSignedAppFile(AppTrustedRoot aTruste Digest sfCalculatedDigest; rv = FindAndLoadOneEntry(zip, NS_LITERAL_CSTRING(JAR_SF_SEARCH_STRING), sfFilename, sfBuffer, &sfCalculatedDigest); if (NS_FAILED(rv)) { return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID; } sigBuffer.type = siBuffer; - insanity::pkix::ScopedCERTCertList builtChain; + mozilla::pkix::ScopedCERTCertList builtChain; rv = VerifySignature(aTrustedRoot, sigBuffer, sfCalculatedDigest.get(), builtChain); if (NS_FAILED(rv)) { return rv; } ScopedAutoSECItem mfDigest; rv = ParseSF(char_ptr_cast(sfBuffer.data), mfDigest);
--- a/security/apps/AppTrustDomain.cpp +++ b/security/apps/AppTrustDomain.cpp @@ -5,30 +5,30 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #ifdef MOZ_LOGGING #define FORCE_PR_LOG 1 #endif #include "AppTrustDomain.h" #include "certdb.h" -#include "insanity/pkix.h" +#include "pkix/pkix.h" #include "mozilla/ArrayUtils.h" #include "nsIX509CertDB.h" #include "prerror.h" #include "secerr.h" // Generated in Makefile.in #include "marketplace-prod-public.inc" #include "marketplace-prod-reviewers.inc" #include "marketplace-dev-public.inc" #include "marketplace-dev-reviewers.inc" #include "xpcshell.inc" -using namespace insanity::pkix; +using namespace mozilla::pkix; #ifdef PR_LOGGING extern PRLogModuleInfo* gPIPNSSLog; #endif namespace mozilla { namespace psm { AppTrustDomain::AppTrustDomain(void* pinArg) @@ -83,17 +83,17 @@ AppTrustDomain::SetTrustedRoot(AppTruste } return SECSuccess; } SECStatus AppTrustDomain::FindPotentialIssuers(const SECItem* encodedIssuerName, PRTime time, - /*out*/ insanity::pkix::ScopedCERTCertList& results) + /*out*/ mozilla::pkix::ScopedCERTCertList& results) { MOZ_ASSERT(mTrustedRoot); if (!mTrustedRoot) { PR_SetError(PR_INVALID_STATE_ERROR, 0); return SECFailure; } results = CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(), @@ -163,17 +163,17 @@ AppTrustDomain::GetCertTrust(EndEntityOr *trustLevel = InheritsTrust; return SECSuccess; } SECStatus AppTrustDomain::VerifySignedData(const CERTSignedData* signedData, const CERTCertificate* cert) { - return ::insanity::pkix::VerifySignedData(signedData, cert, mPinArg); + return ::mozilla::pkix::VerifySignedData(signedData, cert, mPinArg); } SECStatus AppTrustDomain::CheckRevocation(EndEntityOrCA, const CERTCertificate*, /*const*/ CERTCertificate*, PRTime time, /*optional*/ const SECItem*)
--- a/security/apps/AppTrustDomain.h +++ b/security/apps/AppTrustDomain.h @@ -2,44 +2,44 @@ /* vim: set ts=8 sts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #ifndef mozilla_psm_AppsTrustDomain_h #define mozilla_psm_AppsTrustDomain_h -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "nsDebug.h" #include "nsIX509CertDB.h" namespace mozilla { namespace psm { -class AppTrustDomain MOZ_FINAL : public insanity::pkix::TrustDomain +class AppTrustDomain MOZ_FINAL : public mozilla::pkix::TrustDomain { public: AppTrustDomain(void* pinArg); SECStatus SetTrustedRoot(AppTrustedRoot trustedRoot); - SECStatus GetCertTrust(insanity::pkix::EndEntityOrCA endEntityOrCA, + SECStatus GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA, SECOidTag policy, const CERTCertificate* candidateCert, /*out*/ TrustLevel* trustLevel) MOZ_OVERRIDE; SECStatus FindPotentialIssuers(const SECItem* encodedIssuerName, PRTime time, - /*out*/ insanity::pkix::ScopedCERTCertList& results) + /*out*/ mozilla::pkix::ScopedCERTCertList& results) MOZ_OVERRIDE; SECStatus VerifySignedData(const CERTSignedData* signedData, const CERTCertificate* cert) MOZ_OVERRIDE; - SECStatus CheckRevocation(insanity::pkix::EndEntityOrCA endEntityOrCA, + SECStatus CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA, const CERTCertificate* cert, /*const*/ CERTCertificate* issuerCertToDup, PRTime time, /*optional*/ const SECItem* stapledOCSPresponse); private: void* mPinArg; // non-owning! - insanity::pkix::ScopedCERTCertificate mTrustedRoot; + mozilla::pkix::ScopedCERTCertificate mTrustedRoot; }; } } // namespace mozilla::psm #endif // mozilla_psm_AppsTrustDomain_h
--- a/security/apps/moz.build +++ b/security/apps/moz.build @@ -11,15 +11,15 @@ SOURCES += [ ] FAIL_ON_WARNINGS = True FINAL_LIBRARY = 'xul' LOCAL_INCLUDES += [ '../certverifier', - '../insanity/include', '../manager/ssl/src', + '../pkix/include', ] DEFINES['NSS_ENABLE_ECC'] = 'True' for var in ('DLL_PREFIX', 'DLL_SUFFIX'): DEFINES[var] = '"%s"' % CONFIG[var]
--- a/security/certverifier/CertVerifier.cpp +++ b/security/certverifier/CertVerifier.cpp @@ -3,28 +3,28 @@ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "CertVerifier.h" #include <stdint.h> -#include "insanity/pkix.h" +#include "pkix/pkix.h" #include "ExtendedValidation.h" #include "NSSCertDBTrustDomain.h" #include "cert.h" #include "ocsp.h" #include "secerr.h" #include "prerror.h" #include "sslerr.h" -// ScopedXXX in this file are insanity::pkix::ScopedXXX, not +// ScopedXXX in this file are mozilla::pkix::ScopedXXX, not // mozilla::ScopedXXX. -using namespace insanity::pkix; +using namespace mozilla::pkix; using namespace mozilla::psm; #ifdef PR_LOGGING PRLogModuleInfo* gCertVerifierLog = nullptr; #endif namespace mozilla { namespace psm { @@ -60,17 +60,17 @@ InitCertVerifierLog() #ifdef PR_LOGGING if (!gCertVerifierLog) { gCertVerifierLog = PR_NewLogModule("certverifier"); } #endif } #if 0 -// Once we migrate to insanity::pkix or change the overridable error +// Once we migrate to mozilla::pkix or change the overridable error // logic this will become unnecesary. static SECStatus insertErrorIntoVerifyLog(CERTCertificate* cert, const PRErrorCode err, CERTVerifyLog* verifyLog){ CERTVerifyLogNode* node; node = (CERTVerifyLogNode *)PORT_ArenaAlloc(verifyLog->arena, sizeof(CERTVerifyLogNode)); if (!node) { @@ -218,27 +218,27 @@ BuildCertChainForOneKeyUsage(TrustDomain PR_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE, 0); } } } return rv; } SECStatus -CertVerifier::InsanityVerifyCert( +CertVerifier::MozillaPKIXVerifyCert( CERTCertificate* cert, const SECCertificateUsage usage, const PRTime time, void* pinArg, const Flags flags, /*optional*/ const SECItem* stapledOCSPResponse, - /*optional out*/ insanity::pkix::ScopedCERTCertList* validationChain, + /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain, /*optional out*/ SECOidTag* evOidPolicy) { - PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of InsanityVerifyCert\n")); + PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of MozillaPKIXVerifyCert\n")); PR_ASSERT(cert); PR_ASSERT(usage == certificateUsageSSLServer || !(flags & FLAG_MUST_BE_EV)); if (validationChain) { *validationChain = nullptr; } if (evOidPolicy) { @@ -262,17 +262,17 @@ CertVerifier::InsanityVerifyCert( // TODO(bug 970750): anyExtendedKeyUsage // TODO: encipherOnly/decipherOnly // S/MIME Key Usage: http://tools.ietf.org/html/rfc3850#section-4.4.2 // S/MIME EKU: http://tools.ietf.org/html/rfc3850#section-4.4.4 // TODO(bug 915931): Pass in stapled OCSP response in all calls to // BuildCertChain. - insanity::pkix::ScopedCERTCertList builtChain; + mozilla::pkix::ScopedCERTCertList builtChain; switch (usage) { case certificateUsageSSLClient: { // XXX: We don't really have a trust bit for SSL client authentication so // just use trustEmail as it is the closest alternative. NSSCertDBTrustDomain trustDomain(trustEmail, ocspFetching, mOCSPCache, pinArg); rv = BuildCertChain(trustDomain, cert, time, MustBeEndEntity, KU_DIGITAL_SIGNATURE, @@ -384,18 +384,18 @@ CertVerifier::InsanityVerifyCert( } case certificateUsageVerifyCA: case certificateUsageStatusResponder: { // XXX This is a pretty useless way to verify a certificate. It is used // by the implementation of window.crypto.importCertificates and in the // certificate viewer UI. Because we don't know what trust bit is // interesting, we just try them all. - insanity::pkix::EndEntityOrCA endEntityOrCA; - insanity::pkix::KeyUsages keyUsage; + mozilla::pkix::EndEntityOrCA endEntityOrCA; + mozilla::pkix::KeyUsages keyUsage; SECOidTag eku; if (usage == certificateUsageVerifyCA) { endEntityOrCA = MustBeCA; keyUsage = KU_KEY_CERT_SIGN; eku = SEC_OID_UNKNOWN; } else { endEntityOrCA = MustBeEndEntity; keyUsage = KU_DIGITAL_SIGNATURE; @@ -444,20 +444,20 @@ CertVerifier::VerifyCert(CERTCertificate const SECCertificateUsage usage, const PRTime time, void* pinArg, const Flags flags, /*optional out*/ ScopedCERTCertList* validationChain, /*optional out*/ SECOidTag* evOidPolicy, /*optional out*/ CERTVerifyLog* verifyLog) { - if (mImplementation == insanity) { - return InsanityVerifyCert(cert, usage, time, pinArg, flags, - stapledOCSPResponse, validationChain, - evOidPolicy); + if (mImplementation == mozillapkix) { + return MozillaPKIXVerifyCert(cert, usage, time, pinArg, flags, + stapledOCSPResponse, validationChain, + evOidPolicy); } if (!cert) { PR_NOT_REACHED("Invalid arguments to CertVerifier::VerifyCert"); PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } @@ -794,17 +794,17 @@ pkix_done: SECStatus CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert, /*optional*/ const SECItem* stapledOCSPResponse, PRTime time, /*optional*/ void* pinarg, const char* hostname, bool saveIntermediatesInPermanentDatabase, - /*optional out*/ insanity::pkix::ScopedCERTCertList* certChainOut, + /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut, /*optional out*/ SECOidTag* evOidPolicy) { PR_ASSERT(peerCert); // XXX: PR_ASSERT(pinarg) PR_ASSERT(hostname); PR_ASSERT(hostname[0]); if (certChainOut) {
--- a/security/certverifier/CertVerifier.h +++ b/security/certverifier/CertVerifier.h @@ -2,17 +2,17 @@ /* vim: set ts=8 sts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #ifndef mozilla_psm__CertVerifier_h #define mozilla_psm__CertVerifier_h -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "OCSPCache.h" namespace mozilla { namespace psm { class CertVerifier { public: typedef unsigned int Flags; @@ -24,37 +24,37 @@ public: // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV // Only one usage per verification is supported. SECStatus VerifyCert(CERTCertificate* cert, /*optional*/ const SECItem* stapledOCSPResponse, const SECCertificateUsage usage, const PRTime time, void* pinArg, const Flags flags = 0, - /*optional out*/ insanity::pkix::ScopedCERTCertList* validationChain = nullptr, + /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr, /*optional out*/ SECOidTag* evOidPolicy = nullptr , /*optional out*/ CERTVerifyLog* verifyLog = nullptr); SECStatus VerifySSLServerCert( CERTCertificate* peerCert, /*optional*/ const SECItem* stapledOCSPResponse, PRTime time, /*optional*/ void* pinarg, const char* hostname, bool saveIntermediatesInPermanentDatabase = false, - /*optional out*/ insanity::pkix::ScopedCERTCertList* certChainOut = nullptr, + /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut = nullptr, /*optional out*/ SECOidTag* evOidPolicy = nullptr); enum implementation_config { classic = 0, #ifndef NSS_NO_LIBPKIX libpkix = 1, #endif - insanity = 2 + mozillapkix = 2 }; enum missing_cert_download_config { missing_cert_download_off = 0, missing_cert_download_on }; enum crl_download_config { crl_local_only = 0, crl_download_allowed }; enum ocsp_download_config { ocsp_off = 0, ocsp_on }; enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict }; enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 }; @@ -75,23 +75,23 @@ public: const bool mMissingCertDownloadEnabled; const bool mCRLDownloadEnabled; #endif const bool mOCSPDownloadEnabled; const bool mOCSPStrict; const bool mOCSPGETEnabled; private: - SECStatus InsanityVerifyCert(CERTCertificate* cert, + SECStatus MozillaPKIXVerifyCert(CERTCertificate* cert, const SECCertificateUsage usage, const PRTime time, void* pinArg, const Flags flags, /*optional*/ const SECItem* stapledOCSPResponse, - /*optional out*/ insanity::pkix::ScopedCERTCertList* validationChain, + /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain, /*optional out*/ SECOidTag* evOidPolicy); OCSPCache mOCSPCache; }; void InitCertVerifierLog(); } } // namespace mozilla::psm
--- a/security/certverifier/ExtendedValidation.cpp +++ b/security/certverifier/ExtendedValidation.cpp @@ -4,17 +4,17 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "ExtendedValidation.h" #include "cert.h" #include "certdb.h" #include "base64.h" -#include "insanity/nullptr.h" +#include "pkix/nullptr.h" #include "pk11pub.h" #include "secerr.h" #include "prerror.h" #include "prinit.h" #ifdef PR_LOGGING extern PRLogModuleInfo* gPIPNSSLog; #endif
--- a/security/certverifier/NSSCertDBTrustDomain.cpp +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -5,28 +5,28 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "NSSCertDBTrustDomain.h" #include <stdint.h> #include "ExtendedValidation.h" #include "certdb.h" -#include "insanity/pkix.h" +#include "pkix/pkix.h" #include "mozilla/Telemetry.h" #include "nss.h" #include "ocsp.h" #include "pk11pub.h" #include "prerror.h" #include "prmem.h" #include "prprf.h" #include "secerr.h" #include "secmod.h" -using namespace insanity::pkix; +using namespace mozilla::pkix; #ifdef PR_LOGGING extern PRLogModuleInfo* gCertVerifierLog; #endif namespace mozilla { namespace psm { const char BUILTIN_ROOTS_MODULE_DEFAULT_NAME[] = "Builtin Roots Module"; @@ -48,17 +48,17 @@ NSSCertDBTrustDomain::NSSCertDBTrustDoma , mOCSPCache(ocspCache) , mPinArg(pinArg) { } SECStatus NSSCertDBTrustDomain::FindPotentialIssuers( const SECItem* encodedIssuerName, PRTime time, - /*out*/ insanity::pkix::ScopedCERTCertList& results) + /*out*/ mozilla::pkix::ScopedCERTCertList& results) { // TODO: normalize encodedIssuerName // TODO: NSS seems to be ambiguous between "no potential issuers found" and // "there was an error trying to retrieve the potential issuers." results = CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(), encodedIssuerName, time, true); return SECSuccess; } @@ -126,32 +126,32 @@ NSSCertDBTrustDomain::GetCertTrust(EndEn *trustLevel = InheritsTrust; return SECSuccess; } SECStatus NSSCertDBTrustDomain::VerifySignedData(const CERTSignedData* signedData, const CERTCertificate* cert) { - return ::insanity::pkix::VerifySignedData(signedData, cert, mPinArg); + return ::mozilla::pkix::VerifySignedData(signedData, cert, mPinArg); } SECStatus NSSCertDBTrustDomain::CheckRevocation( - insanity::pkix::EndEntityOrCA endEntityOrCA, + mozilla::pkix::EndEntityOrCA endEntityOrCA, const CERTCertificate* cert, /*const*/ CERTCertificate* issuerCert, PRTime time, /*optional*/ const SECItem* stapledOCSPResponse) { // Actively distrusted certificates will have already been blocked by // GetCertTrust. // TODO: need to verify that IsRevoked isn't called for trust anchors AND - // that that fact is documented in insanity. + // that that fact is documented in mozillapkix. PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("NSSCertDBTrustDomain: Top of CheckRevocation\n")); PORT_Assert(cert); PORT_Assert(issuerCert); if (!cert || !issuerCert) { PORT_SetError(SEC_ERROR_INVALID_ARGS);
--- a/security/certverifier/NSSCertDBTrustDomain.h +++ b/security/certverifier/NSSCertDBTrustDomain.h @@ -2,17 +2,17 @@ /* vim: set ts=8 sts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #ifndef mozilla_psm__NSSCertDBTrustDomain_h #define mozilla_psm__NSSCertDBTrustDomain_h -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "secmodt.h" #include "CertVerifier.h" namespace mozilla { namespace psm { SECStatus InitializeNSS(const char* dir, bool readOnly); void DisableMD5(); @@ -38,46 +38,46 @@ void UnloadLoadableRoots(const char* mod void SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled, CertVerifier::ocsp_strict_config strict, CertVerifier::ocsp_get_config get); // Caller must free the result with PR_Free char* DefaultServerNicknameForCert(CERTCertificate* cert); -void SaveIntermediateCerts(const insanity::pkix::ScopedCERTCertList& certList); +void SaveIntermediateCerts(const mozilla::pkix::ScopedCERTCertList& certList); -class NSSCertDBTrustDomain : public insanity::pkix::TrustDomain +class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain { public: enum OCSPFetching { NeverFetchOCSP = 0, FetchOCSPForDVSoftFail = 1, FetchOCSPForDVHardFail = 2, FetchOCSPForEV = 3, LocalOnlyOCSPForEV = 4, }; NSSCertDBTrustDomain(SECTrustType certDBTrustType, OCSPFetching ocspFetching, OCSPCache& ocspCache, void* pinArg); virtual SECStatus FindPotentialIssuers( const SECItem* encodedIssuerName, PRTime time, - /*out*/ insanity::pkix::ScopedCERTCertList& results); + /*out*/ mozilla::pkix::ScopedCERTCertList& results); - virtual SECStatus GetCertTrust(insanity::pkix::EndEntityOrCA endEntityOrCA, + virtual SECStatus GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA, SECOidTag policy, const CERTCertificate* candidateCert, /*out*/ TrustLevel* trustLevel); virtual SECStatus VerifySignedData(const CERTSignedData* signedData, const CERTCertificate* cert); - virtual SECStatus CheckRevocation(insanity::pkix::EndEntityOrCA endEntityOrCA, + virtual SECStatus CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA, const CERTCertificate* cert, /*const*/ CERTCertificate* issuerCert, PRTime time, /*optional*/ const SECItem* stapledOCSPResponse); private: SECStatus VerifyAndMaybeCacheEncodedOCSPResponse( const CERTCertificate* cert, CERTCertificate* issuerCert, PRTime time,
--- a/security/certverifier/OCSPCache.cpp +++ b/security/certverifier/OCSPCache.cpp @@ -23,24 +23,24 @@ #ifdef PR_LOGGING extern PRLogModuleInfo* gCertVerifierLog; #endif namespace mozilla { namespace psm { void -Insanity_PK11_DestroyContext_true(PK11Context* context) +MozillaPKIX_PK11_DestroyContext_true(PK11Context* context) { PK11_DestroyContext(context, true); } -typedef insanity::pkix::ScopedPtr<PK11Context, - Insanity_PK11_DestroyContext_true> - ScopedPK11Context; +typedef mozilla::pkix::ScopedPtr<PK11Context, + MozillaPKIX_PK11_DestroyContext_true> + ScopedPK11Context; // Let derIssuer be the DER encoding of the issuer of aCert. // Let derPublicKey be the DER encoding of the public key of aIssuerCert. // Let serialNumber be the bytes of the serial number of aCert. // The value calculated is SHA384(derIssuer || derPublicKey || serialNumber). // Because the DER encodings include the length of the data encoded, // there do not exist A(derIssuerA, derPublicKeyA, serialNumberA) and // B(derIssuerB, derPublicKeyB, serialNumberB) such that the concatenation of @@ -133,19 +133,19 @@ OCSPCache::FindInternal(const CERTCertif } void OCSPCache::LogWithCerts(const char* aMessage, const CERTCertificate* aCert, const CERTCertificate* aIssuerCert) { #ifdef PR_LOGGING if (PR_LOG_TEST(gCertVerifierLog, PR_LOG_DEBUG)) { - insanity::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string> + mozilla::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string> cn(CERT_GetCommonName(&aCert->subject)); - insanity::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string> + mozilla::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string> cnIssuer(CERT_GetCommonName(&aIssuerCert->subject)); PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, (aMessage, cn.get(), cnIssuer.get())); } #endif } void OCSPCache::MakeMostRecentlyUsed(size_t aIndex,
--- a/security/certverifier/OCSPCache.h +++ b/security/certverifier/OCSPCache.h @@ -15,17 +15,17 @@ * limitations under the License. */ #ifndef mozilla_psm_OCSPCache_h #define mozilla_psm_OCSPCache_h #include "certt.h" #include "hasht.h" -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "mozilla/Mutex.h" #include "mozilla/Vector.h" #include "prerror.h" namespace mozilla { namespace psm { // make SHA384Buffer be of type "array of uint8_t of length SHA384_LENGTH" typedef uint8_t SHA384Buffer[SHA384_LENGTH];
--- a/security/certverifier/moz.build +++ b/security/certverifier/moz.build @@ -11,20 +11,20 @@ UNIFIED_SOURCES += [ ] if not CONFIG['NSS_NO_EV_CERTS']: UNIFIED_SOURCES += [ 'ExtendedValidation.cpp', ] LOCAL_INCLUDES += [ - '../insanity/include', + '../pkix/include', ] DIRS += [ - '../insanity', + '../pkix', ] FAIL_ON_WARNINGS = True LIBRARY_NAME = 'certverifier' FINAL_LIBRARY = 'xul'
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp +++ b/security/manager/ssl/src/SSLServerCertVerification.cpp @@ -91,17 +91,17 @@ // an SSL handshake) and the PSM NSS I/O layer are not thread-safe, and because // we need the event to interrupt the PR_Poll that may waiting for I/O on the // socket for which we are validating the cert. #include "SSLServerCertVerification.h" #include <cstring> -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "CertVerifier.h" #include "CryptoTask.h" #include "ExtendedValidation.h" #include "NSSCertDBTrustDomain.h" #include "nsIBadCertListener2.h" #include "nsICertOverrideService.h" #include "nsISiteSecurityService.h" #include "nsNSSComponent.h" @@ -309,32 +309,32 @@ MapCertErrorToProbeValue(PRErrorCode err case SEC_ERROR_EXPIRED_CERTIFICATE: return 10; } NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue " "handle everything in PRErrorCodeToOverrideType?"); return 0; } SECStatus -InsanityDetermineCertOverrideErrors(CERTCertificate* cert, - const char* hostName, PRTime now, - PRErrorCode defaultErrorCodeToReport, - /*out*/ uint32_t& collectedErrors, - /*out*/ PRErrorCode& errorCodeTrust, - /*out*/ PRErrorCode& errorCodeMismatch, - /*out*/ PRErrorCode& errorCodeExpired) +MozillaPKIXDetermineCertOverrideErrors(CERTCertificate* cert, + const char* hostName, PRTime now, + PRErrorCode defaultErrorCodeToReport, + /*out*/ uint32_t& collectedErrors, + /*out*/ PRErrorCode& errorCodeTrust, + /*out*/ PRErrorCode& errorCodeMismatch, + /*out*/ PRErrorCode& errorCodeExpired) { MOZ_ASSERT(cert); MOZ_ASSERT(hostName); MOZ_ASSERT(collectedErrors == 0); MOZ_ASSERT(errorCodeTrust == 0); MOZ_ASSERT(errorCodeMismatch == 0); MOZ_ASSERT(errorCodeExpired == 0); - // Assumes the error prioritization described in insanity::pkix's + // Assumes the error prioritization described in mozilla::pkix's // BuildForward function. Also assumes that CERT_VerifyCertName was only // called if CertVerifier::VerifyCert succeeded. switch (defaultErrorCodeToReport) { case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: case SEC_ERROR_UNKNOWN_ISSUER: { collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED; errorCodeTrust = defaultErrorCodeToReport; @@ -702,24 +702,24 @@ CreateCertErrorRunnable(CertVerifier& ce #endif rv = NSSDetermineCertOverrideErrors(certVerifier, cert, stapledOCSPResponse, infoObject, now, defaultErrorCodeToReport, collected_errors, errorCodeTrust, errorCodeMismatch, errorCodeExpired); break; - case CertVerifier::insanity: - rv = InsanityDetermineCertOverrideErrors(cert, - infoObject->GetHostNameRaw(), - now, defaultErrorCodeToReport, - collected_errors, - errorCodeTrust, - errorCodeMismatch, - errorCodeExpired); + case CertVerifier::mozillapkix: + rv = MozillaPKIXDetermineCertOverrideErrors(cert, + infoObject->GetHostNameRaw(), + now, defaultErrorCodeToReport, + collected_errors, + errorCodeTrust, + errorCodeMismatch, + errorCodeExpired); break; default: MOZ_CRASH("unexpected CertVerifier implementation"); PR_SetError(defaultErrorCodeToReport, 0); return nullptr; } @@ -804,17 +804,17 @@ private: TransportSecurityInfo* infoObject, CERTCertificate* cert, SECItem* stapledOCSPResponse, uint32_t providerFlags, PRTime time); const RefPtr<SharedCertVerifier> mCertVerifier; const void* const mFdForLogging; const RefPtr<TransportSecurityInfo> mInfoObject; - const insanity::pkix::ScopedCERTCertificate mCert; + const mozilla::pkix::ScopedCERTCertificate mCert; const uint32_t mProviderFlags; const PRTime mTime; const TimeStamp mJobStartTime; const ScopedSECItem mStapledOCSPResponse; }; SSLServerCertVerificationJob::SSLServerCertVerificationJob( const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging, @@ -904,17 +904,17 @@ AuthCertificate(CertVerifier& certVerifi CERTCertificate* cert, SECItem* stapledOCSPResponse, uint32_t providerFlags, PRTime time) { MOZ_ASSERT(infoObject); MOZ_ASSERT(cert); SECStatus rv; - // TODO: Remove this after we switch to insanity::pkix as the + // TODO: Remove this after we switch to mozilla::pkix as the // only option if (certVerifier.mImplementation == CertVerifier::classic) { if (stapledOCSPResponse) { CERTCertDBHandle* handle = CERT_GetDefaultCertDB(); rv = CERT_CacheOCSPResponseFromSideChannel(handle, cert, PR_Now(), stapledOCSPResponse, infoObject); if (rv != SECSuccess) { @@ -960,17 +960,17 @@ AuthCertificate(CertVerifier& certVerifi } } // We want to avoid storing any intermediate cert information when browsing // in private, transient contexts. bool saveIntermediates = !(providerFlags & nsISocketProvider::NO_PERMANENT_STORAGE); - insanity::pkix::ScopedCERTCertList certList; + mozilla::pkix::ScopedCERTCertList certList; SECOidTag evOidPolicy; rv = certVerifier.VerifySSLServerCert(cert, stapledOCSPResponse, time, infoObject, infoObject->GetHostNameRaw(), saveIntermediates, nullptr, &evOidPolicy); // We want to remember the CA certs in the temp db, so that the application can find the @@ -1085,21 +1085,21 @@ SSLServerCertVerificationJob::Run() Telemetry::ID failureTelemetry; switch (mCertVerifier->mImplementation) { case CertVerifier::classic: successTelemetry = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC; failureTelemetry = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC; break; - case CertVerifier::insanity: + case CertVerifier::mozillapkix: successTelemetry - = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_INSANITY; + = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX; failureTelemetry - = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_INSANITY; + = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX; break; #ifndef NSS_NO_LIBPKIX case CertVerifier::libpkix: successTelemetry = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX; failureTelemetry = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX; break;
--- a/security/manager/ssl/src/TransportSecurityInfo.cpp +++ b/security/manager/ssl/src/TransportSecurityInfo.cpp @@ -1,17 +1,17 @@ /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "TransportSecurityInfo.h" -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "nsNSSComponent.h" #include "nsIWebProgressListener.h" #include "nsNSSCertificate.h" #include "nsIX509CertValidity.h" #include "nsIDateTimeFormat.h" #include "nsDateTimeFormatCID.h" #include "nsICertOverrideService.h" #include "nsIObjectInputStream.h" @@ -750,17 +750,17 @@ AppendErrorTextMismatch(const nsString & nsIX509Cert* ix509, nsINSSComponent *component, bool wantsHtml, nsString &returnedMessage) { const char16_t *params[1]; nsresult rv; - insanity::pkix::ScopedCERTCertificate nssCert; + mozilla::pkix::ScopedCERTCertificate nssCert; nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(ix509, &rv); if (cert2) nssCert = cert2->GetCert(); if (!nssCert) { // We are unable to extract the valid names, say "not valid for name". params[0] = host.get();
--- a/security/manager/ssl/src/moz.build +++ b/security/manager/ssl/src/moz.build @@ -90,17 +90,17 @@ UNIFIED_SOURCES += [ ] FAIL_ON_WARNINGS = True FINAL_LIBRARY = 'xul' LOCAL_INCLUDES += [ '../../../certverifier', - '../../../insanity/include', + '../../../pkix/include', ] if CONFIG['NSS_DISABLE_DBM']: DEFINES['NSS_DISABLE_DBM'] = '1' DEFINES['SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES'] = 'True' DEFINES['NSS_ENABLE_ECC'] = 'True' for var in ('DLL_PREFIX', 'DLL_SUFFIX'):
--- a/security/manager/ssl/src/nsCMS.cpp +++ b/security/manager/ssl/src/nsCMS.cpp @@ -1,17 +1,17 @@ /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "nsCMS.h" #include "CertVerifier.h" -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "nsISupports.h" #include "nsNSSHelper.h" #include "nsNSSCertificate.h" #include "smime.h" #include "cms.h" #include "nsICMSMessageErrors.h" #include "nsIArray.h" #include "nsArrayUtils.h" @@ -510,17 +510,17 @@ NS_IMETHODIMP nsCMSMessage::CreateEncryp for (i=0; i<recipientCertCount; i++) { nsCOMPtr<nsIX509Cert> x509cert = do_QueryElementAt(aRecipientCerts, i); nssRecipientCert = do_QueryInterface(x509cert); if (!nssRecipientCert) return NS_ERROR_FAILURE; - insanity::pkix::ScopedCERTCertificate c(nssRecipientCert->GetCert()); + mozilla::pkix::ScopedCERTCertificate c(nssRecipientCert->GetCert()); recipientCerts.set(i, c.get()); } // Find a bulk key algorithm // if (NSS_SMIMEUtil_FindBulkAlgForRecipients(recipientCerts.getRawArray(), &bulkAlgTag, &keySize) != SECSuccess) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't find bulk alg for recipients\n")); rv = NS_ERROR_CMS_ENCRYPT_NO_BULK_ALG; @@ -548,17 +548,17 @@ NS_IMETHODIMP nsCMSMessage::CreateEncryp cinfo = NSS_CMSEnvelopedData_GetContentInfo(envd); if (NSS_CMSContentInfo_SetContent_Data(m_cmsMsg, cinfo, nullptr, false) != SECSuccess) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't set content data\n")); goto loser; } // Create and attach recipient information // for (i=0; i < recipientCertCount; i++) { - insanity::pkix::ScopedCERTCertificate rc(recipientCerts.get(i)); + mozilla::pkix::ScopedCERTCertificate rc(recipientCerts.get(i)); if ((recipientInfo = NSS_CMSRecipientInfo_Create(m_cmsMsg, rc.get())) == nullptr) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't create recipient info\n")); goto loser; } if (NSS_CMSEnvelopedData_AddRecipient(envd, recipientInfo) != SECSuccess) { PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't add recipient info\n")); goto loser; } @@ -579,18 +579,18 @@ NS_IMETHODIMP nsCMSMessage::CreateSigned nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateSigned\n")); NSSCMSContentInfo *cinfo; NSSCMSSignedData *sigd; NSSCMSSignerInfo *signerinfo; - insanity::pkix::ScopedCERTCertificate scert; - insanity::pkix::ScopedCERTCertificate ecert; + mozilla::pkix::ScopedCERTCertificate scert; + mozilla::pkix::ScopedCERTCertificate ecert; nsCOMPtr<nsIX509Cert2> aSigningCert2 = do_QueryInterface(aSigningCert); nsresult rv = NS_ERROR_FAILURE; /* Get the certs */ if (aSigningCert2) { scert = aSigningCert2->GetCert(); } if (!scert) {
--- a/security/manager/ssl/src/nsCertOverrideService.cpp +++ b/security/manager/ssl/src/nsCertOverrideService.cpp @@ -1,17 +1,17 @@ /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "nsCertOverrideService.h" -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "nsIX509Cert.h" #include "NSSCertDBTrustDomain.h" #include "nsNSSCertificate.h" #include "nsNSSCertHelper.h" #include "nsCRT.h" #include "nsAppDirectoryServiceDefs.h" #include "nsStreamUtils.h" #include "nsNetUtil.h" @@ -389,17 +389,17 @@ static nsresult GetCertFingerprintByOidTag(nsIX509Cert *aCert, SECOidTag aOidTag, nsCString &fp) { nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert); if (!cert2) return NS_ERROR_FAILURE; - insanity::pkix::ScopedCERTCertificate nsscert(cert2->GetCert()); + mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert()); if (!nsscert) return NS_ERROR_FAILURE; return GetCertFingerprintByOidTag(nsscert.get(), aOidTag, fp); } static nsresult GetCertFingerprintByDottedOidString(CERTCertificate* nsscert, @@ -427,17 +427,17 @@ static nsresult GetCertFingerprintByDottedOidString(nsIX509Cert *aCert, const nsCString &dottedOid, nsCString &fp) { nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert); if (!cert2) return NS_ERROR_FAILURE; - insanity::pkix::ScopedCERTCertificate nsscert(cert2->GetCert()); + mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert()); if (!nsscert) return NS_ERROR_FAILURE; return GetCertFingerprintByDottedOidString(nsscert.get(), dottedOid, fp); } NS_IMETHODIMP nsCertOverrideService::RememberValidityOverride(const nsACString & aHostName, int32_t aPort, @@ -450,17 +450,17 @@ nsCertOverrideService::RememberValidityO return NS_ERROR_INVALID_ARG; if (aPort < -1) return NS_ERROR_INVALID_ARG; nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert); if (!cert2) return NS_ERROR_FAILURE; - insanity::pkix::ScopedCERTCertificate nsscert(cert2->GetCert()); + mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert()); if (!nsscert) return NS_ERROR_FAILURE; char* nickname = DefaultServerNicknameForCert(nsscert.get()); if (!aTemporary && nickname && *nickname) { ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); if (!slot) {
--- a/security/manager/ssl/src/nsCertPicker.cpp +++ b/security/manager/ssl/src/nsCertPicker.cpp @@ -1,15 +1,15 @@ /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "nsCertPicker.h" -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "nsMemory.h" #include "nsCOMPtr.h" #include "nsXPIDLString.h" #include "nsIServiceManager.h" #include "nsNSSComponent.h" #include "nsNSSCertificate.h" #include "nsReadableUtils.h" #include "nsICertPickDialogs.h" @@ -45,24 +45,24 @@ NS_IMETHODIMP nsCertPicker::PickByUsage( char16_t **certNicknameList = nullptr; char16_t **certDetailsList = nullptr; CERTCertListNode* node = nullptr; nsresult rv = NS_OK; { // Iterate over all certs. This assures that user is logged in to all hardware tokens. nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); - insanity::pkix::ScopedCERTCertList allcerts( + mozilla::pkix::ScopedCERTCertList allcerts( PK11_ListCerts(PK11CertListUnique, ctx)); } /* find all user certs that are valid and for SSL */ /* note that we are allowing expired certs in this list */ - insanity::pkix::ScopedCERTCertList certList( + mozilla::pkix::ScopedCERTCertList certList( CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), (SECCertUsage)certUsage, !allowDuplicateNicknames, !allowInvalid, ctx)); if (!certList) { return NS_ERROR_NOT_AVAILABLE; }
--- a/security/manager/ssl/src/nsCertTree.cpp +++ b/security/manager/ssl/src/nsCertTree.cpp @@ -1,15 +1,15 @@ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "nsCertTree.h" -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "nsNSSComponent.h" // for PIPNSS string bundle calls. #include "nsITreeColumns.h" #include "nsIX509Cert.h" #include "nsIX509CertValidity.h" #include "nsIX509CertDB.h" #include "nsXPIDLString.h" #include "nsReadableUtils.h" #include "nsUnicharUtils.h" @@ -633,17 +633,17 @@ nsCertTree::GetCertsByTypeFromCertList(C nsresult nsCertTree::GetCertsByType(uint32_t aType, nsCertCompareFunc aCertCmpFn, void *aCertCmpFnArg) { nsNSSShutDownPreventionLock locker; nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext(); - insanity::pkix::ScopedCERTCertList certList( + mozilla::pkix::ScopedCERTCertList certList( PK11_ListCerts(PK11CertListUnique, cxt)); return GetCertsByTypeFromCertList(certList.get(), aType, aCertCmpFn, aCertCmpFnArg); } nsresult nsCertTree::GetCertsByTypeFromCache(nsINSSCertCache *aCache, uint32_t aType, @@ -804,17 +804,17 @@ nsCertTree::DeleteEntryObject(uint32_t i } } else { if (addonInfo && addonInfo->mUsageCount > 1) { // user is trying to delete a perm trusted cert, // although there are still overrides stored, // so, we keep the cert, but remove the trust - insanity::pkix::ScopedCERTCertificate nsscert; + mozilla::pkix::ScopedCERTCertificate nsscert; nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(cert); if (cert2) { nsscert = cert2->GetCert(); } if (nsscert) { CERTCertTrust trust;
--- a/security/manager/ssl/src/nsCrypto.cpp +++ b/security/manager/ssl/src/nsCrypto.cpp @@ -65,17 +65,17 @@ #include "pk11pqg.h" #include "cmmf.h" #include "nssb64.h" #include "base64.h" #include "cert.h" #include "certdb.h" #include "secmod.h" #include "ScopedNSSTypes.h" -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "ssl.h" // For SSL_ClearSessionCache #include "nsNSSCleaner.h" #include "nsNSSCertHelper.h" #include <algorithm> #include "nsWrapperCacheInlines.h" @@ -1037,17 +1037,17 @@ nsFreeCertReqMessages(CRMFCertReqMsg **c static nsresult nsSetEscrowAuthority(CRMFCertRequest *certReq, nsKeyPairInfo *keyInfo, nsNSSCertificate *wrappingCert) { if (!wrappingCert || CRMF_CertRequestIsControlPresent(certReq, crmfPKIArchiveOptionsControl)){ return NS_ERROR_FAILURE; } - insanity::pkix::ScopedCERTCertificate cert(wrappingCert->GetCert()); + mozilla::pkix::ScopedCERTCertificate cert(wrappingCert->GetCert()); if (!cert) return NS_ERROR_FAILURE; CRMFEncryptedKey *encrKey = CRMF_CreateEncryptedKeyWithEncryptedValue(keyInfo->privKey, cert.get()); if (!encrKey) return NS_ERROR_FAILURE; @@ -1937,17 +1937,17 @@ nsCrypto::GenerateCRMFRequest(JSContext* bool willEscrow = false; if (!aEaCert.IsVoid()) { SECItem certDer = {siBuffer, nullptr, 0}; SECStatus srv = ATOB_ConvertAsciiToItem(&certDer, aEaCert.get()); if (srv != SECSuccess) { aRv.Throw(NS_ERROR_FAILURE); return nullptr; } - insanity::pkix::ScopedCERTCertificate cert( + mozilla::pkix::ScopedCERTCertificate cert( CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &certDer, nullptr, false, true)); if (!cert) { aRv.Throw(NS_ERROR_FAILURE); return nullptr; } escrowCert = nsNSSCertificate::Create(cert.get()); @@ -2206,17 +2206,17 @@ nsCryptoRunnable::Run() //Quick helper function to check if a newly issued cert //already exists in the user's database. static bool nsCertAlreadyExists(SECItem *derCert) { CERTCertDBHandle *handle = CERT_GetDefaultCertDB(); bool retVal = false; - insanity::pkix::ScopedCERTCertificate cert( + mozilla::pkix::ScopedCERTCertificate cert( CERT_FindCertByDERCert(handle, derCert)); if (cert) { if (cert->isperm && !cert->nickname && !cert->emailAddr) { //If the cert doesn't have a nickname or email addr, it is //bogus cruft, so delete it. SEC_DeletePermCertificate(cert.get()); } else if (cert->isperm) { retVal = true; @@ -2368,17 +2368,17 @@ nsCrypto::ImportUserCertificates(const n CMMF_DestroyCertResponse(currResponse); } //Let the loser: label take care of freeing up our reference to //nickname (This way we don't free it twice and avoid crashing. //That would be a good thing. //Import the root chain into the cert db. { - insanity::pkix::ScopedCERTCertList + mozilla::pkix::ScopedCERTCertList caPubs(CMMF_CertRepContentGetCAPubs(certRepContent)); if (caPubs) { int32_t numCAs = nsCertListCount(caPubs.get()); NS_ASSERTION(numCAs > 0, "Invalid number of CA's"); if (numCAs > 0) { CERTCertListNode *node; SECItem *derCerts;
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp +++ b/security/manager/ssl/src/nsNSSCallbacks.cpp @@ -1,16 +1,16 @@ /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "nsNSSCallbacks.h" -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "mozilla/Telemetry.h" #include "mozilla/TimeStamp.h" #include "nsNSSComponent.h" #include "nsNSSIOLayer.h" #include "nsIWebProgressListener.h" #include "nsProtectedAuthThread.h" #include "nsITokenDialogs.h" #include "nsIUploadChannel.h" @@ -1184,17 +1184,17 @@ void HandshakeCallback(PRFileDesc* fd, v nsAutoString msg; msg.Append(NS_ConvertASCIItoUTF16(hostName)); msg.Append(NS_LITERAL_STRING(" : server does not support RFC 5746, see CVE-2009-3555")); nsContentUtils::LogSimpleConsoleError(msg, "SSL"); } - insanity::pkix::ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd)); + mozilla::pkix::ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd)); /* Set the SSL Status information */ RefPtr<nsSSLStatus> status(infoObject->SSLStatus()); if (!status) { status = new nsSSLStatus(); infoObject->SetSSLStatus(status); }
--- a/security/manager/ssl/src/nsNSSCertCache.cpp +++ b/security/manager/ssl/src/nsNSSCertCache.cpp @@ -41,17 +41,17 @@ NS_IMETHODIMP nsNSSCertCache::CacheAllCerts() { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext(); - insanity::pkix::ScopedCERTCertList newList( + mozilla::pkix::ScopedCERTCertList newList( PK11_ListCerts(PK11CertListUnique, cxt)); if (newList) { MutexAutoLock lock(mutex); mCertList = new nsNSSCertList(newList, locker); } return NS_OK;
--- a/security/manager/ssl/src/nsNSSCertificate.cpp +++ b/security/manager/ssl/src/nsNSSCertificate.cpp @@ -5,17 +5,17 @@ #include "nsNSSCertificate.h" #include "prmem.h" #include "prerror.h" #include "prprf.h" #include "CertVerifier.h" #include "ExtendedValidation.h" -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "nsNSSComponent.h" // for PIPNSS string bundle calls. #include "nsNSSCleaner.h" #include "nsCOMPtr.h" #include "nsIMutableArray.h" #include "nsNSSCertValidity.h" #include "nsPKCS12Blob.h" #include "nsPK11TokenDB.h" #include "nsIX509Cert.h" @@ -817,17 +817,17 @@ nsNSSCertificate::GetChain(nsIArray** _r nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; NS_ENSURE_ARG(_rvChain); nsresult rv; PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting chain for \"%s\"\n", mCert->nickname)); - ::insanity::pkix::ScopedCERTCertList nssChain; + ::mozilla::pkix::ScopedCERTCertList nssChain; RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier()); NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED); // We want to test all usages, but we start with server because most of the // time Firefox users care about server certs. certVerifier->VerifyCert(mCert.get(), nullptr, certificateUsageSSLServer, PR_Now(), nullptr, /*XXX fixme*/ @@ -1537,17 +1537,17 @@ nsNSSCertificate::GetValidEVPolicyOid(ns } #endif return NS_OK; } NS_IMPL_ISUPPORTS1(nsNSSCertList, nsIX509CertList) -nsNSSCertList::nsNSSCertList(insanity::pkix::ScopedCERTCertList& certList, +nsNSSCertList::nsNSSCertList(mozilla::pkix::ScopedCERTCertList& certList, const nsNSSShutDownPreventionLock& proofOfLock) { if (certList) { mCertList = certList.release(); } else { mCertList = CERT_NewCertList(); } }
--- a/security/manager/ssl/src/nsNSSCertificate.h +++ b/security/manager/ssl/src/nsNSSCertificate.h @@ -14,17 +14,17 @@ #include "nsIASN1Object.h" #include "nsISMimeCert.h" #include "nsIIdentityInfo.h" #include "nsCOMPtr.h" #include "nsNSSShutDown.h" #include "nsISimpleEnumerator.h" #include "nsISerializable.h" #include "nsIClassInfo.h" -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "certt.h" class nsAutoString; class nsINSSComponent; class nsIASN1Sequence; class nsNSSCertificate : public nsIX509Cert3, public nsIIdentityInfo, @@ -49,17 +49,17 @@ public: nsresult FormatUIStrings(const nsAutoString& nickname, nsAutoString& nickWithSerial, nsAutoString& details); static nsNSSCertificate* Create(CERTCertificate*cert = nullptr, SECOidTag* evOidPolicy = nullptr); static nsNSSCertificate* ConstructFromDER(char* certDER, int derLen); private: - insanity::pkix::ScopedCERTCertificate mCert; + mozilla::pkix::ScopedCERTCertificate mCert; bool mPermDelete; uint32_t mCertType; nsresult CreateASN1Struct(nsIASN1Object** aRetVal); nsresult CreateTBSCertificateASN1Struct(nsIASN1Sequence** retSequence, nsINSSComponent* nssComponent); nsresult GetSortableDate(PRTime aTime, nsAString& _aSortableDate); virtual void virtualDestroyNSSReference(); void destructorSafeDestroyNSSReference(); @@ -76,30 +76,30 @@ private: class nsNSSCertList: public nsIX509CertList, public nsNSSShutDownObject { public: NS_DECL_THREADSAFE_ISUPPORTS NS_DECL_NSIX509CERTLIST // certList is adopted - nsNSSCertList(insanity::pkix::ScopedCERTCertList& certList, + nsNSSCertList(mozilla::pkix::ScopedCERTCertList& certList, const nsNSSShutDownPreventionLock& proofOfLock); nsNSSCertList(); static CERTCertList* DupCertList(CERTCertList* aCertList, const nsNSSShutDownPreventionLock& proofOfLock); private: virtual ~nsNSSCertList(); virtual void virtualDestroyNSSReference(); void destructorSafeDestroyNSSReference(); - insanity::pkix::ScopedCERTCertList mCertList; + mozilla::pkix::ScopedCERTCertList mCertList; nsNSSCertList(const nsNSSCertList&) MOZ_DELETE; void operator=(const nsNSSCertList&) MOZ_DELETE; }; class nsNSSCertListEnumerator: public nsISimpleEnumerator, public nsNSSShutDownObject { @@ -109,17 +109,17 @@ public: nsNSSCertListEnumerator(CERTCertList* certList, const nsNSSShutDownPreventionLock& proofOfLock); private: virtual ~nsNSSCertListEnumerator(); virtual void virtualDestroyNSSReference(); void destructorSafeDestroyNSSReference(); - insanity::pkix::ScopedCERTCertList mCertList; + mozilla::pkix::ScopedCERTCertList mCertList; nsNSSCertListEnumerator(const nsNSSCertListEnumerator&) MOZ_DELETE; void operator=(const nsNSSCertListEnumerator&) MOZ_DELETE; }; #define NS_NSS_LONG 4 #define NS_NSS_GET_LONG(x) ((((unsigned long)((x)[0])) << 24) | \
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp +++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp @@ -8,17 +8,17 @@ #define CERT_AddTempCertToPerm __CERT_AddTempCertToPerm #include "nsNSSComponent.h" #include "nsNSSCertificateDB.h" #include "CertVerifier.h" #include "ExtendedValidation.h" #include "NSSCertDBTrustDomain.h" -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "nsNSSComponent.h" #include "mozilla/Base64.h" #include "nsCOMPtr.h" #include "nsNSSCertificate.h" #include "nsNSSHelper.h" #include "nsNSSCertHelper.h" #include "nsNSSCertCache.h" #include "nsCRT.h" @@ -108,17 +108,17 @@ nsNSSCertificateDB::FindCertByNickname(n { NS_ENSURE_ARG_POINTER(_rvCert); *_rvCert = nullptr; nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } - insanity::pkix::ScopedCERTCertificate cert; + mozilla::pkix::ScopedCERTCertificate cert; char *asciiname = nullptr; NS_ConvertUTF16toUTF8 aUtf8Nickname(nickname); asciiname = const_cast<char*>(aUtf8Nickname.get()); PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting \"%s\"\n", asciiname)); cert = PK11_FindCertFromNickname(asciiname, nullptr); if (!cert) { cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), asciiname); } @@ -154,17 +154,17 @@ nsNSSCertificateDB::FindCertByDBKey(cons dummy = NSSBase64_DecodeBuffer(nullptr, &keyItem, aDBkey, (uint32_t)strlen(aDBkey)); if (!dummy || keyItem.len < NS_NSS_LONG*4) { PR_FREEIF(keyItem.data); return NS_ERROR_INVALID_ARG; } - insanity::pkix::ScopedCERTCertificate cert; + mozilla::pkix::ScopedCERTCertificate cert; // someday maybe we can speed up the search using the moduleID and slotID // moduleID = NS_NSS_GET_LONG(keyItem.data); // slotID = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG]); // build the issuer/SN structure issuerSN.serialNumber.len = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG*2]); issuerSN.derIssuer.len = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG*3]); if (issuerSN.serialNumber.len == 0 || issuerSN.derIssuer.len == 0 @@ -198,17 +198,17 @@ nsNSSCertificateDB::FindCertNicknames(ns if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsresult rv = NS_ERROR_FAILURE; /* * obtain the cert list from NSS */ - insanity::pkix::ScopedCERTCertList certList; + mozilla::pkix::ScopedCERTCertList certList; certList = PK11_ListCerts(PK11CertListUnique, nullptr); if (!certList) goto cleanup; /* * get list of cert names from list of certs * XXX also cull the list (NSS only distinguishes based on user/non-user */ getCertNames(certList.get(), aType, _count, _certNames, locker); @@ -353,17 +353,17 @@ nsNSSCertificateDB::handleCACertDownload SECItem der; rv=certToShow->GetRawDER(&der.len, (uint8_t **)&der.data); if (NS_FAILED(rv)) return rv; PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n")); - insanity::pkix::ScopedCERTCertificate tmpCert; + mozilla::pkix::ScopedCERTCertificate tmpCert; CERTCertDBHandle *certdb = CERT_GetDefaultCertDB(); tmpCert = CERT_FindCertByDERCert(certdb, &der); if (!tmpCert) { tmpCert = CERT_NewTempCertificate(certdb, &der, nullptr, false, true); } nsMemory::Free(der.data); der.data = nullptr; @@ -410,17 +410,17 @@ nsNSSCertificateDB::handleCACertDownload trust.GetTrust()); if (srv != SECSuccess) return NS_ERROR_FAILURE; // Import additional delivered certificates that can be verified. // build a CertList for filtering - insanity::pkix::ScopedCERTCertList certList(CERT_NewCertList()); + mozilla::pkix::ScopedCERTCertList certList(CERT_NewCertList()); if (!certList) { return NS_ERROR_FAILURE; } // get all remaining certs into temp store for (uint32_t i=0; i<numCerts; i++) { if (i == selCertIndex) { @@ -506,17 +506,17 @@ nsNSSCertificateDB::ImportCertificates(u } PORT_FreeArena(arena, false); return nsrv; } static SECStatus ImportCertsIntoPermanentStorage( - const insanity::pkix::ScopedCERTCertList& certChain, + const mozilla::pkix::ScopedCERTCertList& certChain, const SECCertUsage usage, const PRBool caOnly) { CERTCertDBHandle *certdb = CERT_GetDefaultCertDB(); int chainLen = 0; for (CERTCertListNode *chainNode = CERT_LIST_HEAD(certChain); !CERT_LIST_END(chainNode, certChain); chainNode = CERT_LIST_NEXT(chainNode)) { @@ -556,17 +556,17 @@ nsNSSCertificateDB::ImportEmailCertifica if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } SECStatus srv = SECFailure; nsresult nsrv = NS_OK; CERTCertDBHandle *certdb; CERTCertificate **certArray = nullptr; - insanity::pkix::ScopedCERTCertList certList; + mozilla::pkix::ScopedCERTCertList certList; CERTCertListNode *node; SECItem **rawArray; int numcerts; int i; PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!arena) return NS_ERROR_OUT_OF_MEMORY; @@ -627,17 +627,17 @@ nsNSSCertificateDB::ImportEmailCertifica for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node,certList); node = CERT_LIST_NEXT(node)) { if (!node->cert) { continue; } - insanity::pkix::ScopedCERTCertList certChain; + mozilla::pkix::ScopedCERTCertList certChain; SECStatus rv = certVerifier->VerifyCert(node->cert, nullptr, certificateUsageEmailRecipient, now, ctx, 0, &certChain); if (rv != SECSuccess) { nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(node->cert); DisplayCertificateAlert(ctx, "NotImportingUnverifiedCert", certToShow, locker); @@ -668,17 +668,17 @@ nsNSSCertificateDB::ImportServerCertific { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } SECStatus srv = SECFailure; nsresult nsrv = NS_OK; - insanity::pkix::ScopedCERTCertificate cert; + mozilla::pkix::ScopedCERTCertificate cert; SECItem **rawCerts = nullptr; int numcerts; int i; nsNSSCertTrust trust; char *serverNickname = nullptr; PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!arena) @@ -795,17 +795,17 @@ nsNSSCertificateDB::ImportValidCACertsIn /* go down the remaining list of certs and verify that they have * valid chains, if yes, then import. */ CERTCertListNode *node; for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node,certList); node = CERT_LIST_NEXT(node)) { - insanity::pkix::ScopedCERTCertList certChain; + mozilla::pkix::ScopedCERTCertList certChain; SECStatus rv = certVerifier->VerifyCert(node->cert, nullptr, certificateUsageVerifyCA, PR_Now(), ctx, 0, &certChain); if (rv != SECSuccess) { nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(node->cert); DisplayCertificateAlert(ctx, "NotImportingUnverifiedCert", certToShow, proofOfLock); continue; } @@ -872,17 +872,17 @@ nsNSSCertificateDB::ImportUserCertificat ScopedPK11SlotInfo slot; nsAutoCString nickname; nsresult rv = NS_ERROR_FAILURE; int numCACerts; SECItem *CACerts; CERTDERCerts * collectArgs; PLArenaPool *arena; - insanity::pkix::ScopedCERTCertificate cert; + mozilla::pkix::ScopedCERTCertificate cert; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!arena) { goto loser; } collectArgs = getCertsFromPackage(arena, data, length, locker); if (!collectArgs) { @@ -949,17 +949,17 @@ loser: NS_IMETHODIMP nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert) { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert); - insanity::pkix::ScopedCERTCertificate cert(nssCert->GetCert()); + mozilla::pkix::ScopedCERTCertificate cert(nssCert->GetCert()); if (!cert) return NS_ERROR_FAILURE; SECStatus srv = SECSuccess; uint32_t certType; nssCert->GetCertType(&certType); if (NS_FAILED(nssCert->MarkForPermDeletion())) { return NS_ERROR_FAILURE; @@ -996,17 +996,17 @@ nsNSSCertificateDB::SetCertTrust(nsIX509 return NS_ERROR_NOT_AVAILABLE; } nsNSSCertTrust trust; nsresult rv; nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert, &rv); if (!pipCert) { return rv; } - insanity::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert()); + mozilla::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert()); rv = attemptToLogInWithDefaultPassword(); if (NS_WARN_IF(rv != NS_OK)) { return rv; } SECStatus srv; if (type == nsIX509Cert::CA_CERT) { @@ -1049,17 +1049,17 @@ nsNSSCertificateDB::IsCertTrusted(nsIX50 *_isTrusted = false; nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } SECStatus srv; nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert); - insanity::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert()); + mozilla::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert()); CERTCertTrust nsstrust; srv = CERT_GetCertTrust(nsscert.get(), &nsstrust); if (srv != SECSuccess) return NS_ERROR_FAILURE; nsNSSCertTrust trust(&nsstrust); if (certType == nsIX509Cert::CA_CERT) { if (trustType & nsIX509CertDB::TRUSTED_SSL) { @@ -1297,17 +1297,17 @@ nsNSSCertificateDB::FindEmailEncryptionC } nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); char *asciiname = nullptr; NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname); asciiname = const_cast<char*>(aUtf8Nickname.get()); /* Find a good cert in the user's database */ - insanity::pkix::ScopedCERTCertificate cert; + mozilla::pkix::ScopedCERTCertificate cert; cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname, certUsageEmailRecipient, true, ctx); if (!cert) { return NS_OK; } nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert.get()); if (!nssCert) { @@ -1327,17 +1327,17 @@ nsNSSCertificateDB::FindEmailSigningCert if (aNickname.IsEmpty()) return NS_OK; nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } - insanity::pkix::ScopedCERTCertificate cert; + mozilla::pkix::ScopedCERTCertificate cert; nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); char *asciiname = nullptr; NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname); asciiname = const_cast<char*>(aUtf8Nickname.get()); /* Find a good cert in the user's database */ cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname, certUsageEmailSigner, true, ctx); @@ -1457,17 +1457,17 @@ nsNSSCertificateDB::ConstructX509(const return NS_ERROR_INVALID_POINTER; } SECItem secitem_cert; secitem_cert.type = siDERCertBuffer; secitem_cert.data = (unsigned char*)certDER; secitem_cert.len = lengthDER; - insanity::pkix::ScopedCERTCertificate cert; + mozilla::pkix::ScopedCERTCertificate cert; cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &secitem_cert, nullptr, false, true); if (!cert) return (PORT_GetError() == SEC_ERROR_NO_MEMORY) ? NS_ERROR_OUT_OF_MEMORY : NS_ERROR_FAILURE; nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert.get()); @@ -1556,17 +1556,17 @@ nsNSSCertificateDB::get_default_nickname if (!tmp) { nickname.Truncate(); return; } nickname = tmp; PR_smprintf_free(tmp); } - insanity::pkix::ScopedCERTCertificate dummycert; + mozilla::pkix::ScopedCERTCertificate dummycert; if (PK11_IsInternal(slot)) { /* look up the nickname to make sure it isn't in use already */ dummycert = CERT_FindCertByNickname(defaultcertdb, nickname.get()); } else { /* * Check the cert against others that already live on the smart @@ -1617,17 +1617,17 @@ NS_IMETHODIMP nsNSSCertificateDB::AddCer NS_ENSURE_SUCCESS(rv, rv); SECItem der; rv = newCert->GetRawDER(&der.len, (uint8_t **)&der.data); NS_ENSURE_SUCCESS(rv, rv); PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n")); CERTCertDBHandle *certdb = CERT_GetDefaultCertDB(); - insanity::pkix::ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der)); + mozilla::pkix::ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der)); if (!tmpCert) tmpCert = CERT_NewTempCertificate(certdb, &der, nullptr, false, true); nsMemory::Free(der.data); der.data = nullptr; der.len = 0; if (!tmpCert) { @@ -1672,17 +1672,17 @@ nsNSSCertificateDB::SetCertTrustFromStri CERTCertTrust trust; // need to calculate the trust bits from the aTrust string. SECStatus srv = CERT_DecodeTrustString(&trust, const_cast<char *>(trustString)); if (srv != SECSuccess) { return MapSECStatus(SECFailure); } - insanity::pkix::ScopedCERTCertificate nssCert(cert->GetCert()); + mozilla::pkix::ScopedCERTCertificate nssCert(cert->GetCert()); nsresult rv = attemptToLogInWithDefaultPassword(); if (NS_WARN_IF(rv != NS_OK)) { return rv; } srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nssCert.get(), &trust); return MapSECStatus(srv); @@ -1693,17 +1693,17 @@ nsNSSCertificateDB::GetCerts(nsIX509Cert { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext(); nsCOMPtr<nsIX509CertList> nssCertList; - insanity::pkix::ScopedCERTCertList certList( + mozilla::pkix::ScopedCERTCertList certList( PK11_ListCerts(PK11CertListUnique, ctx)); // nsNSSCertList 1) adopts certList, and 2) handles the nullptr case fine. // (returns an empty list) nssCertList = new nsNSSCertList(certList, locker); *_retval = nssCertList; NS_ADDREF(*_retval); @@ -1763,17 +1763,17 @@ nsNSSCertificateDB::VerifyCertNow(nsIX50 if (!x509Cert) { return NS_ERROR_INVALID_ARG; } ScopedCERTCertificate nssCert(x509Cert->GetCert()); RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier()); NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE); - insanity::pkix::ScopedCERTCertList resultChain; + mozilla::pkix::ScopedCERTCertList resultChain; SECOidTag evOidPolicy; SECStatus srv; srv = certVerifier->VerifyCert(nssCert, nullptr, aUsage, PR_Now(), nullptr, // Assume no context aFlags, &resultChain, @@ -1806,17 +1806,17 @@ nsNSSCertificateDB::ClearOCSPCache() { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier()); NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE); - if (certVerifier->mImplementation == CertVerifier::insanity) { + if (certVerifier->mImplementation == CertVerifier::mozillapkix) { certVerifier->ClearOCSPCache(); } else { SECStatus srv = CERT_ClearOCSPCache(); if (srv != SECSuccess) { return MapSECStatus(srv); } }
--- a/security/manager/ssl/src/nsNSSComponent.cpp +++ b/security/manager/ssl/src/nsNSSComponent.cpp @@ -966,19 +966,19 @@ void nsNSSComponent::setValidationOption bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling", true); PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled); PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled); CertVerifier::implementation_config certVerifierImplementation = CertVerifier::classic; - // The insanity::pkix pref overrides the libpkix pref - if (Preferences::GetBool("security.use_insanity_verification", false)) { - certVerifierImplementation = CertVerifier::insanity; + // The mozilla::pkix pref overrides the libpkix pref + if (Preferences::GetBool("security.use_mozillapkix_verification", false)) { + certVerifierImplementation = CertVerifier::mozillapkix; } else { #ifndef NSS_NO_LIBPKIX if (Preferences::GetBool("security.use_libpkix_verification", false)) { certVerifierImplementation = CertVerifier::libpkix; } #endif } @@ -992,19 +992,19 @@ void nsNSSComponent::setValidationOption #ifndef NSS_NO_LIBPKIX aiaDownloadEnabled ? CertVerifier::missing_cert_download_on : CertVerifier::missing_cert_download_off, crlDownloading ? CertVerifier::crl_download_allowed : CertVerifier::crl_local_only, #endif odc, osc, ogc); - // insanity::pkix has its own OCSP cache, so disable the NSS cache + // mozilla::pkix has its own OCSP cache, so disable the NSS cache // if appropriate. - if (certVerifierImplementation == CertVerifier::insanity) { + if (certVerifierImplementation == CertVerifier::mozillapkix) { // Using -1 disables the cache. The other arguments are the default // values and aren't exposed by the API. CERT_OCSPCacheSettings(-1, 1*60*60L, 24*60*60L); } else { // Using 1000 enables the cache with the default size of 1000. Again, // these values are not exposed by the API. CERT_OCSPCacheSettings(1000, 1*60*60L, 24*60*60L); } @@ -1612,17 +1612,17 @@ nsNSSComponent::Observe(nsISupports* aSu ALPN_ENABLED_DEFAULT)); } else if (prefName.Equals("security.OCSP.enabled") || prefName.Equals("security.CRL_download.enabled") || prefName.Equals("security.fresh_revocation_info.require") || prefName.Equals("security.missing_cert_download.enabled") || prefName.Equals("security.OCSP.require") || prefName.Equals("security.OCSP.GET.enabled") || prefName.Equals("security.ssl.enable_ocsp_stapling") - || prefName.Equals("security.use_insanity_verification") + || prefName.Equals("security.use_mozillapkix_verification") || prefName.Equals("security.use_libpkix_verification")) { MutexAutoLock lock(mutex); setValidationOptions(false, lock); } else if (prefName.Equals("network.ntlm.send-lm-response")) { bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response", SEND_LM_DEFAULT); nsNTLMAuthModule::SetSendLM(sendLM); clearSessionCache = false;
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp +++ b/security/manager/ssl/src/nsNSSIOLayer.cpp @@ -1,17 +1,17 @@ /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "nsNSSIOLayer.h" -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "nsNSSComponent.h" #include "mozilla/Casting.h" #include "mozilla/DebugOnly.h" #include "mozilla/Telemetry.h" #include "prlog.h" #include "prnetdb.h" #include "nsIPrefService.h" @@ -1865,19 +1865,19 @@ nsNSS_SSLGetClientAuthData(void* arg, PR return runnable->mRV; } void ClientAuthDataRunnable::RunOnTargetThread() { PLArenaPool* arena = nullptr; char** caNameStrings; - insanity::pkix::ScopedCERTCertificate cert; + mozilla::pkix::ScopedCERTCertificate cert; ScopedSECKEYPrivateKey privKey; - insanity::pkix::ScopedCERTCertList certList; + mozilla::pkix::ScopedCERTCertList certList; CERTCertListNode* node; ScopedCERTCertNicknames nicknames; char* extracted = nullptr; int keyError = 0; // used for private key retrieval error SSM_UserCertChoice certChoice; int32_t NumberOfCerts = 0; void* wincx = mSocketInfo; nsresult rv;
--- a/security/manager/ssl/src/nsPKCS12Blob.cpp +++ b/security/manager/ssl/src/nsPKCS12Blob.cpp @@ -1,16 +1,16 @@ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* $Id: nsPKCS12Blob.cpp,v 1.49 2007/09/05 07:13:46 jwalden%mit.edu Exp $ */ #include "nsPKCS12Blob.h" -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "prmem.h" #include "prprf.h" #include "nsIFile.h" #include "nsNetUtil.h" #include "nsIDirectoryService.h" #include "nsThreadUtils.h" @@ -302,17 +302,17 @@ nsPKCS12Blob::ExportToFile(nsIFile *file goto finish; } // add password integrity srv = SEC_PKCS12AddPasswordIntegrity(ecx, &unicodePw, SEC_OID_SHA1); if (srv) goto finish; for (i=0; i<numCerts; i++) { nsNSSCertificate *cert = (nsNSSCertificate *)certs[i]; // get it as a CERTCertificate XXX - insanity::pkix::ScopedCERTCertificate nssCert(cert->GetCert()); + mozilla::pkix::ScopedCERTCertificate nssCert(cert->GetCert()); if (!nssCert) { rv = NS_ERROR_FAILURE; goto finish; } // We can only successfully export certs that are on // internal token. Most, if not all, smart card vendors // won't let you extract the private key (in any way // shape or form) from the card. So let's punt if
--- a/security/manager/ssl/src/nsRecentBadCerts.cpp +++ b/security/manager/ssl/src/nsRecentBadCerts.cpp @@ -1,17 +1,17 @@ /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "nsRecentBadCerts.h" -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "nsIX509Cert.h" #include "nsIObserverService.h" #include "mozilla/RefPtr.h" #include "mozilla/Services.h" #include "nsSSLStatus.h" #include "nsCOMPtr.h" #include "nsNSSCertificate.h" #include "nsCRT.h" @@ -67,17 +67,17 @@ nsRecentBadCerts::GetRecentBadCert(const isNotValidAtThisTime = mCerts[i].isNotValidAtThisTime; isUntrusted = mCerts[i].isUntrusted; } } } if (foundDER.len) { CERTCertDBHandle *certdb = CERT_GetDefaultCertDB(); - insanity::pkix::ScopedCERTCertificate nssCert( + mozilla::pkix::ScopedCERTCertificate nssCert( CERT_FindCertByDERCert(certdb, &foundDER)); if (!nssCert) nssCert = CERT_NewTempCertificate(certdb, &foundDER, nullptr, // no nickname false, // not perm true); // copy der SECITEM_FreeItem(&foundDER, false);
--- a/security/manager/ssl/tests/gtest/moz.build +++ b/security/manager/ssl/tests/gtest/moz.build @@ -10,13 +10,13 @@ LIBXUL_LIBRARY = True SOURCES += [ 'OCSPCacheTest.cpp', 'TLSIntoleranceTest.cpp', ] LOCAL_INCLUDES += [ '../../../../certverifier', - '../../../../insanity/include', + '../../../../pkix/include', '/security/manager/ssl/src', ] include('/ipc/chromium/chromium-config.mozbuild')
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js +++ b/security/manager/ssl/tests/unit/test_cert_overrides.js @@ -67,76 +67,76 @@ function run_test() { add_test(function () { fakeOCSPResponder.stop(check_telemetry); }); run_next_test(); } -function add_tests_in_mode(useInsanity) { +function add_tests_in_mode(useMozillaPKIX) { add_test(function () { - Services.prefs.setBoolPref("security.use_insanity_verification", - useInsanity); + Services.prefs.setBoolPref("security.use_mozillapkix_verification", + useMozillaPKIX); run_next_test(); }); - add_simple_tests(useInsanity); - add_combo_tests(useInsanity); - add_distrust_tests(useInsanity); + add_simple_tests(useMozillaPKIX); + add_combo_tests(useMozillaPKIX); + add_distrust_tests(useMozillaPKIX); add_test(function () { certOverrideService.clearValidityOverride("all:temporary-certificates", 0); run_next_test(); }); } -function add_simple_tests(useInsanity) { +function add_simple_tests(useMozillaPKIX) { add_cert_override_test("expired.example.com", Ci.nsICertOverrideService.ERROR_TIME, getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE)); add_cert_override_test("selfsigned.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, getXPCOMStatusFromNSS( - useInsanity ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_CA_CERT_INVALID)); + useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER + : SEC_ERROR_CA_CERT_INVALID)); add_cert_override_test("unknownissuer.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); add_cert_override_test("expiredissuer.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, getXPCOMStatusFromNSS( - useInsanity ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE)); + useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER + : SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE)); add_cert_override_test("md5signature.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, getXPCOMStatusFromNSS( SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)); add_cert_override_test("mismatch.example.com", Ci.nsICertOverrideService.ERROR_MISMATCH, getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN)); // A Microsoft IIS utility generates self-signed certificates with // properties similar to the one this "host" will present (see // tlsserver/generate_certs.sh). // One of the errors classic verification collects is that this // certificate has an inadequate key usage to sign a certificate // (i.e. itself). As a result, to be able to override this, // SEC_ERROR_INADEQUATE_KEY_USAGE must be overridable (although, // confusingly, this isn't the main error reported). - // insanity::pkix just says this certificate's issuer is unknown. + // mozilla::pkix just says this certificate's issuer is unknown. add_cert_override_test("selfsigned-inadequateEKU.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, getXPCOMStatusFromNSS( - useInsanity ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_CA_CERT_INVALID)); + useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER + : SEC_ERROR_CA_CERT_INVALID)); // SEC_ERROR_INADEQUATE_KEY_USAGE is overridable in general for - // classic verification, but not for insanity::pkix verification. - if (useInsanity) { + // classic verification, but not for mozilla::pkix verification. + if (useMozillaPKIX) { add_connection_test("inadequatekeyusage.example.com", getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE), null, function (securityInfo) { // bug 754369 - no SSLStatus probably means this is // a non-overridable error, which is what we're testing // (although it would be best to test this directly). securityInfo.QueryInterface(Ci.nsISSLStatusProvider); @@ -144,70 +144,70 @@ function add_simple_tests(useInsanity) { }); } else { add_cert_override_test("inadequatekeyusage.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE)); } } -function add_combo_tests(useInsanity) { +function add_combo_tests(useMozillaPKIX) { // Note that "untrusted" here really is "unknown issuer" in the - // insanity::pkix case. + // mozilla::pkix case. add_cert_override_test("mismatch-expired.example.com", Ci.nsICertOverrideService.ERROR_MISMATCH | Ci.nsICertOverrideService.ERROR_TIME, getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN)); add_cert_override_test("mismatch-untrusted.example.com", Ci.nsICertOverrideService.ERROR_MISMATCH | Ci.nsICertOverrideService.ERROR_UNTRUSTED, getXPCOMStatusFromNSS( - useInsanity ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER)); + useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER + : SEC_ERROR_UNTRUSTED_ISSUER)); add_cert_override_test("untrusted-expired.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED | Ci.nsICertOverrideService.ERROR_TIME, getXPCOMStatusFromNSS( - useInsanity ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER)); + useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER + : SEC_ERROR_UNTRUSTED_ISSUER)); add_cert_override_test("mismatch-untrusted-expired.example.com", Ci.nsICertOverrideService.ERROR_MISMATCH | Ci.nsICertOverrideService.ERROR_UNTRUSTED | Ci.nsICertOverrideService.ERROR_TIME, getXPCOMStatusFromNSS( - useInsanity ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER)); + useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER + : SEC_ERROR_UNTRUSTED_ISSUER)); add_cert_override_test("md5signature-expired.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED | Ci.nsICertOverrideService.ERROR_TIME, getXPCOMStatusFromNSS( SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)); } -function add_distrust_tests(useInsanity) { +function add_distrust_tests(useMozillaPKIX) { // Before we specifically distrust this certificate, it should be trusted. add_connection_test("untrusted.example.com", Cr.NS_OK); // XXX(Bug 975777): Active distrust is an overridable error when NSS-based // verification is used. add_distrust_override_test("tlsserver/default-ee.der", "untrusted.example.com", getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT), - useInsanity + useMozillaPKIX ? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT) : Cr.NS_OK); // XXX(Bug 975777): Active distrust is an overridable error when NSS-based // verification is used. add_distrust_override_test("tlsserver/other-test-ca.der", "untrustedissuer.example.com", getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER), - useInsanity + useMozillaPKIX ? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER) : Cr.NS_OK); } function add_distrust_override_test(certFileName, hostName, expectedResultBefore, expectedResultAfter) { let certToDistrust = constructCertFromFile(certFileName);
--- a/security/manager/ssl/tests/unit/test_cert_signatures.js +++ b/security/manager/ssl/tests/unit/test_cert_signatures.js @@ -44,33 +44,33 @@ function run_test() { load_ca("ca-rsa"); load_ca("ca-p384"); load_ca("ca-dsa"); run_test_in_mode(true); run_test_in_mode(false); } -function run_test_in_mode(useInsanity) { - Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity); +function run_test_in_mode(useMozillaPKIX) { + Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); clearOCSPCache(); clearSessionCache(); check_ca("ca-rsa"); check_ca("ca-p384"); check_ca("ca-dsa"); - // insanity::pkix does not allow CA certs to be validated for end-entity + // mozilla::pkix does not allow CA certs to be validated for end-entity // usages. - let int_usage = useInsanity + let int_usage = useMozillaPKIX ? 'SSL CA' : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder'; - // insanity::pkix doesn't implement the Netscape Object Signer restriction. - const ee_usage = useInsanity + // mozilla::pkix doesn't implement the Netscape Object Signer restriction. + const ee_usage = useMozillaPKIX ? 'Client,Server,Sign,Encrypt,Object Signer' : 'Client,Server,Sign,Encrypt'; let cert2usage = { // certs without the "int" prefix are end entity certs. 'int-rsa-valid': int_usage, 'rsa-valid': ee_usage, 'int-p384-valid': int_usage,
--- a/security/manager/ssl/tests/unit/test_cert_trust.js +++ b/security/manager/ssl/tests/unit/test_cert_trust.js @@ -34,207 +34,207 @@ function check_cert_err_generic(cert, ex do_print("cert issuer cn=" + cert.issuerCommonName); let hasEVPolicy = {}; let verifiedChain = {}; let error = certdb.verifyCertNow(cert, usage, NO_FLAGS, verifiedChain, hasEVPolicy); do_check_eq(error, expected_error); }; -function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useInsanity) { +function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKIX) { // On reset most usages are successful check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer); check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient); - check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID + : SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA); // expected no bc check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner); check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient); - check_cert_err_generic(ee_cert, useInsanity ? 0 - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 + : SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageObjectSigner); // expected - check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INVALID_ARGS, + check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID + : SEC_ERROR_INVALID_ARGS, certificateUsageVerifyCA); // expected no bc check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder); //expected // Test of active distrust. No usage should pass. setCertTrust(cert_to_modify_trust, 'p,p,p'); check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageSSLServer); check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageSSLClient); - check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID + : SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA); check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageEmailSigner); check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageEmailRecipient); - check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_UNTRUSTED_ISSUER - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER + : SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageObjectSigner); - check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INVALID_ARGS, + check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID + : SEC_ERROR_INVALID_ARGS, certificateUsageVerifyCA); check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder); // Trust set to T - trusted CA to issue client certs, where client cert is // usageSSLClient. setCertTrust(cert_to_modify_trust, 'T,T,T'); - check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER + check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER + : SEC_ERROR_UNTRUSTED_ISSUER : 0, certificateUsageSSLServer); - check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340 - : 0 + check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340 + : 0 : 0, certificateUsageSSLClient); - check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID + : SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA); - check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER + check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER + : SEC_ERROR_UNTRUSTED_ISSUER : 0, certificateUsageEmailSigner); - check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER + check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER + : SEC_ERROR_UNTRUSTED_ISSUER : 0, certificateUsageEmailRecipient); - check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_INADEQUATE_CERT_TYPE - : useInsanity ? 0 - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER + : SEC_ERROR_INADEQUATE_CERT_TYPE + : useMozillaPKIX ? 0 + : SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageObjectSigner); - check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INVALID_ARGS, + check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID + : SEC_ERROR_INVALID_ARGS, certificateUsageVerifyCA); check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder); // Now tests on the SSL trust bit setCertTrust(cert_to_modify_trust, 'p,C,C'); check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageSSLServer); - check_cert_err_generic(ee_cert, useInsanity ? 0 //XXX Bug 982340 - : SEC_ERROR_UNTRUSTED_ISSUER, + check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 //XXX Bug 982340 + : SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageSSLClient); - check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID + : SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA); check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner); check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient); - check_cert_err_generic(ee_cert, useInsanity ? 0 - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 + : SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageObjectSigner); - check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INVALID_ARGS, + check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID + : SEC_ERROR_INVALID_ARGS, certificateUsageVerifyCA); check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder); // Inherited trust SSL setCertTrust(cert_to_modify_trust, ',C,C'); - check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER + check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER + : SEC_ERROR_UNTRUSTED_ISSUER : 0, certificateUsageSSLServer); - check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? 0 // XXX Bug 982340 - : SEC_ERROR_UNTRUSTED_ISSUER + check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? 0 // XXX Bug 982340 + : SEC_ERROR_UNTRUSTED_ISSUER : 0, certificateUsageSSLClient); - check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID + : SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA); check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner); check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient); - check_cert_err_generic(ee_cert, useInsanity ? 0 - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 + : SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageObjectSigner); - check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INVALID_ARGS, + check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID + : SEC_ERROR_INVALID_ARGS, certificateUsageVerifyCA); check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder); // Now tests on the EMAIL trust bit setCertTrust(cert_to_modify_trust, 'C,p,C'); check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer); check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER - : useInsanity ? SEC_ERROR_UNTRUSTED_ISSUER - : 0, // Insanity is OK, NSS bug + : useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER + : 0, // Insanity is OK, NSS bug certificateUsageSSLClient); - check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID + : SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA); check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageEmailSigner); check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageEmailRecipient); - check_cert_err_generic(ee_cert, useInsanity ? 0 - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 + : SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageObjectSigner); - check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INVALID_ARGS, + check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID + : SEC_ERROR_INVALID_ARGS, certificateUsageVerifyCA); check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder); //inherited EMAIL Trust setCertTrust(cert_to_modify_trust, 'C,,C'); check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer); - check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER + check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER + : SEC_ERROR_UNTRUSTED_ISSUER : 0, certificateUsageSSLClient); - check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID + : SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA); - check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER + check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER + : SEC_ERROR_UNTRUSTED_ISSUER : 0, certificateUsageEmailSigner); - check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER + check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER + : SEC_ERROR_UNTRUSTED_ISSUER : 0, certificateUsageEmailRecipient); - check_cert_err_generic(ee_cert, useInsanity ? 0 - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 + : SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageObjectSigner); - check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INVALID_ARGS, + check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID + : SEC_ERROR_INVALID_ARGS, certificateUsageVerifyCA); check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder); } -function run_test_in_mode(useInsanity) { - Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity); +function run_test_in_mode(useMozillaPKIX) { + Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); let ca_cert = certdb.findCertByNickname(null, 'ca'); do_check_false(!ca_cert) let int_cert = certdb.findCertByNickname(null, 'int'); do_check_false(!int_cert) let ee_cert = certdb.findCertByNickname(null, 'ee'); do_check_false(!ee_cert); setup_basic_trusts(ca_cert, int_cert); - test_ca_distrust(ee_cert, ca_cert, true, useInsanity); + test_ca_distrust(ee_cert, ca_cert, true, useMozillaPKIX); setup_basic_trusts(ca_cert, int_cert); - test_ca_distrust(ee_cert, int_cert, false, useInsanity); + test_ca_distrust(ee_cert, int_cert, false, useMozillaPKIX); } function run_test() { for (let i = 0 ; i < certList.length; i++) { load_cert(certList[i], ',,'); } run_test_in_mode(true);
--- a/security/manager/ssl/tests/unit/test_certificate_usages.js +++ b/security/manager/ssl/tests/unit/test_certificate_usages.js @@ -30,46 +30,46 @@ function run_test() { do_print("ca_name=" + ca_name); var cert = certdb.findCertByNickname(null, ca_name); } run_test_in_mode(true); run_test_in_mode(false); } -function run_test_in_mode(useInsanity) { - Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity); +function run_test_in_mode(useMozillaPKIX) { + Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); clearOCSPCache(); clearSessionCache(); - // insanity::pkix does not allow CA certs to be validated for non-CA usages. - var allCAUsages = useInsanity + // mozilla::pkix does not allow CA certs to be validated for non-CA usages. + var allCAUsages = useMozillaPKIX ? 'SSL CA' : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder'; - // insanity::pkix doesn't allow CA certificates to have the Status Responder + // mozilla::pkix doesn't allow CA certificates to have the Status Responder // EKU. var ca_usages = [allCAUsages, 'SSL CA', allCAUsages, - useInsanity ? '' - : 'Client,Server,Sign,Encrypt,Status Responder']; + useMozillaPKIX ? '' + : 'Client,Server,Sign,Encrypt,Status Responder']; - // insanity::pkix doesn't implement the Netscape Object Signer restriction. - var basicEndEntityUsages = useInsanity + // mozilla::pkix doesn't implement the Netscape Object Signer restriction. + var basicEndEntityUsages = useMozillaPKIX ? 'Client,Server,Sign,Encrypt,Object Signer' : 'Client,Server,Sign,Encrypt'; var basicEndEntityUsagesWithObjectSigner = basicEndEntityUsages + ",Object Signer" - // insanity::pkix won't let a certificate with the "Status Responder" EKU get + // mozilla::pkix won't let a certificate with the "Status Responder" EKU get // validated for any other usage. - var statusResponderUsages = (useInsanity ? "" : "Server,") + "Status Responder"; + var statusResponderUsages = (useMozillaPKIX ? "" : "Server,") + "Status Responder"; var statusResponderUsagesFull - = useInsanity ? statusResponderUsages - : basicEndEntityUsages + ',Object Signer,Status Responder'; + = useMozillaPKIX ? statusResponderUsages + : basicEndEntityUsages + ',Object Signer,Status Responder'; var ee_usages = [ [ basicEndEntityUsages, basicEndEntityUsages, basicEndEntityUsages, '', statusResponderUsagesFull, 'Client,Server', @@ -96,26 +96,26 @@ function run_test_in_mode(useInsanity) { 'Sign,Encrypt,Object Signer', statusResponderUsages ], // The CA has isCA=true without keyCertSign. // // The 'classic' NSS mode uses the 'union' of the // capabilites so the cert is considered a CA. - // insanity::pkix and libpkix use the intersection of + // mozilla::pkix and libpkix use the intersection of // capabilites, so the cert is NOT considered a CA. - [ useInsanity ? '' : basicEndEntityUsages, - useInsanity ? '' : basicEndEntityUsages, - useInsanity ? '' : basicEndEntityUsages, + [ useMozillaPKIX ? '' : basicEndEntityUsages, + useMozillaPKIX ? '' : basicEndEntityUsages, + useMozillaPKIX ? '' : basicEndEntityUsages, '', - useInsanity ? '' : statusResponderUsagesFull, - useInsanity ? '' : 'Client,Server', - useInsanity ? '' : 'Sign,Encrypt,Object Signer', - useInsanity ? '' : 'Server,Status Responder' + useMozillaPKIX ? '' : statusResponderUsagesFull, + useMozillaPKIX ? '' : 'Client,Server', + useMozillaPKIX ? '' : 'Sign,Encrypt,Object Signer', + useMozillaPKIX ? '' : 'Server,Status Responder' ] ]; do_check_eq(gNumCAs, ca_usages.length); for (var i = 0; i < gNumCAs; i++) { var ca_name = "ca-" + (i + 1); var verified = {};
--- a/security/manager/ssl/tests/unit/test_ev_certs.js +++ b/security/manager/ssl/tests/unit/test_ev_certs.js @@ -114,21 +114,21 @@ function run_test() { // setup and start ocsp responder Services.prefs.setCharPref("network.dns.localDomains", 'www.example.com, crl.example.com'); add_tests_in_mode(true); add_tests_in_mode(false); run_next_test(); } -function add_tests_in_mode(useInsanity) +function add_tests_in_mode(useMozillaPKIX) { add_test(function () { - Services.prefs.setBoolPref("security.use_insanity_verification", - useInsanity); + Services.prefs.setBoolPref("security.use_mozillapkix_verification", + useMozillaPKIX); run_next_test(); }); add_test(function () { clearOCSPCache(); let ocspResponder = start_ocsp_responder( isDebugBuild ? ["int-ev-valid", "ev-valid"] : ["ev-valid"]); @@ -157,18 +157,18 @@ function add_tests_in_mode(useInsanity) const nsIX509Cert = Ci.nsIX509Cert; add_test(function() { let evRootCA = certdb.findCertByNickname(null, evrootnick); certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0); clearOCSPCache(); let ocspResponder = failingOCSPResponder(); check_cert_err("ev-valid", - useInsanity ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER); + useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER + : SEC_ERROR_UNTRUSTED_ISSUER); ocspResponder.stop(run_next_test); }); // bug 917380: Chcek that a trusted EV root is trusted after disabling and // re-enabling trust. add_test(function() { let evRootCA = certdb.findCertByNickname(null, evrootnick); certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, @@ -181,33 +181,33 @@ function add_tests_in_mode(useInsanity) isDebugBuild ? ["int-ev-valid", "ev-valid"] : ["ev-valid"]); check_ee_for_ev("ev-valid", isDebugBuild); ocspResponder.stop(run_next_test); }); add_test(function () { check_no_ocsp_requests("ev-valid", - useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED - : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE - : SEC_ERROR_EXTENSION_NOT_FOUND)); + useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED + : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE + : SEC_ERROR_EXTENSION_NOT_FOUND)); }); add_test(function () { check_no_ocsp_requests("non-ev-root", - useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED - : (isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER - : SEC_ERROR_EXTENSION_NOT_FOUND)); + useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED + : (isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER + : SEC_ERROR_EXTENSION_NOT_FOUND)); }); add_test(function () { check_no_ocsp_requests("no-ocsp-url-cert", - useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED - : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE - : SEC_ERROR_EXTENSION_NOT_FOUND)); + useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED + : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE + : SEC_ERROR_EXTENSION_NOT_FOUND)); }); // Test the EV continues to work with flags after successful EV verification add_test(function () { clearOCSPCache(); let ocspResponder = start_ocsp_responder( isDebugBuild ? ["int-ev-valid", "ev-valid"] : ["ev-valid"]); @@ -221,18 +221,18 @@ function add_tests_in_mode(useInsanity) let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY | Ci.nsIX509CertDB.FLAG_MUST_BE_EV; let error = certdb.verifyCertNow(cert, certificateUsageSSLServer, flags, verifiedChain, hasEVPolicy); do_check_eq(hasEVPolicy.value, isDebugBuild); do_check_eq(error, isDebugBuild ? 0 - : (useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED - : SEC_ERROR_EXTENSION_NOT_FOUND)); + : (useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED + : SEC_ERROR_EXTENSION_NOT_FOUND)); failingOcspResponder.stop(run_next_test); }); }); } // bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert // to prevent spurious OCSP requests that race with OCSP stapling. // This has the side-effect of saying an EV certificate is not EV if
--- a/security/manager/ssl/tests/unit/test_getchain.js +++ b/security/manager/ssl/tests/unit/test_getchain.js @@ -65,18 +65,18 @@ function check_getchain(ee_cert, ssl_ca, certdb.setCertTrust(ssl_ca, nsIX509Cert.CA_CERT, 0); check_matching_issuer_and_getchain(email_ca.serialNumber, ee_cert); certdb.setCertTrust(email_ca, nsIX509Cert.CA_CERT, 0); // Do a final test on the case of no trust. The results must // be cosistent (the actual value is non-deterministic). check_matching_issuer_and_getchain(ee_cert.issuer.serialNumber, ee_cert); } -function run_test_in_mode(useInsanity) { - Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity); +function run_test_in_mode(useMozillaPKIX) { + Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); clearOCSPCache(); clearSessionCache(); for (let i = 0 ; i < certList.length; i++) { load_cert(certList[i], ',,'); } let ee_cert = certdb.findCertByNickname(null, 'ee');
--- a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js @@ -33,28 +33,28 @@ function test_cert_for_usages(certChainN let cert = certs[0]; let verified = {}; let usages = {}; cert.getUsagesString(true, verified, usages); do_print("usages.value = " + usages.value); do_check_eq(expected_usages_string, usages.value); } -function run_test_in_mode(useInsanity) { - Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity); +function run_test_in_mode(useMozillaPKIX) { + Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); - // insanity::pkix doesn't support the obsolete Netscape object signing + // mozilla::pkix doesn't support the obsolete Netscape object signing // extension, but NSS does. - let ee_usage1 = useInsanity + let ee_usage1 = useMozillaPKIX ? 'Client,Server,Sign,Encrypt,Object Signer' : 'Client,Server,Sign,Encrypt' - // insanity::pkix doesn't validate CA certificates for non-CA uses, but + // mozilla::pkix doesn't validate CA certificates for non-CA uses, but // NSS does. - let ca_usage1 = useInsanity + let ca_usage1 = useMozillaPKIX ? "SSL CA" : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder'; // Load the ca into mem let ca_name = "ca"; load_cert(ca_name, "CTu,CTu,CTu"); do_print("ca_name = " + ca_name); test_cert_for_usages([ca_name], ca_usage1); @@ -80,36 +80,36 @@ function run_test_in_mode(useInsanity) { test_cert_for_usages(["ee-int-limited-depth", "int-limited-depth"], ee_usage1); // ca // int-limited-depth (cA==true, pathLenConstraint==0) // int-limited-depth-invalid (cA==true) // // XXX: It seems the NSS code does not consider the path length of the - // certificate we're validating, but insanity::pkix does. insanity::pkix's + // certificate we're validating, but mozilla::pkix does. mozilla::pkix's // behavior is correct. test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"], - useInsanity ? "" : ca_usage1); + useMozillaPKIX ? "" : ca_usage1); test_cert_for_usages(["ee-int-limited-depth-invalid", "int-limited-depth-invalid", "int-limited-depth"], ""); // int-valid-ku-no-eku has keyCertSign test_cert_for_usages(["int-valid-ku-no-eku"], "SSL CA"); test_cert_for_usages(["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"], ee_usage1); // int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension - // but the KU extension is missing keyCertSign. Note that insanity::pkix + // but the KU extension is missing keyCertSign. Note that mozilla::pkix // doesn't validate certificates with basicConstraints.Ca==true for non-CA // uses, but NSS does. test_cert_for_usages(["int-bad-ku-no-eku"], - useInsanity + useMozillaPKIX ? "" : 'Client,Server,Sign,Encrypt,Status Responder'); test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], ""); // int-no-ku-no-eku has basicConstraints.cA==true and no KU extension. // We treat a missing KU as "any key usage is OK". test_cert_for_usages(["int-no-ku-no-eku"], ca_usage1); test_cert_for_usages(["ee-int-no-ku-no-eku", "int-no-ku-no-eku"], ee_usage1);
--- a/security/manager/ssl/tests/unit/test_name_constraints.js +++ b/security/manager/ssl/tests/unit/test_name_constraints.js @@ -45,18 +45,18 @@ function check_ok_ca (x) { function check_fail(x) { return check_cert_err(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE); } function check_fail_ca(x) { return check_cert_err_generic(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLCA); } -function run_test_in_mode(useInsanity) { - Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity); +function run_test_in_mode(useMozillaPKIX) { + Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); // Note that CN is only looked at when there is NO subjectAltName! // Testing with a unconstrained root, and intermediate constrained to PERMIT // foo.com. All failures on this section are doe to the cert DNS names // not being under foo.com. check_ok_ca(load_cert('int-nc-perm-foo.com-ca-nc', ',,')); // no dirName @@ -256,17 +256,17 @@ function run_test_in_mode(useInsanity) { check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com.der')); check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der')); check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der')); check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der')); check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der')); check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.der')); // We don't enforce dNSName name constraints on CN unless we're validating - // for the server EKU. libpkix gets this wrong but insanity::pkix and classic + // for the server EKU. libpkix gets this wrong but mozilla::pkix and classic // NSS get it right. { let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der'); check_cert_err_generic(cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLServer); check_cert_err_generic(cert, 0, certificateUsageSSLClient); } }
--- a/security/manager/ssl/tests/unit/test_ocsp_caching.js +++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js @@ -42,20 +42,20 @@ function run_test() { add_tests_in_mode(true); add_tests_in_mode(false); add_test(function() { ocspResponder.stop(run_next_test); }); run_next_test(); } -function add_tests_in_mode(useInsanity) { +function add_tests_in_mode(useMozillaPKIX) { add_test(function () { - Services.prefs.setBoolPref("security.use_insanity_verification", - useInsanity); + Services.prefs.setBoolPref("security.use_mozillapkix_verification", + useMozillaPKIX); run_next_test(); }); // This test assumes that OCSPStaplingServer uses the same cert for // ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com. // Get an Unknown response for the *.exmaple.com cert and put it in the // OCSP cache. @@ -102,18 +102,18 @@ function add_tests_in_mode(useInsanity) add_test(function() { clearOCSPCache(); gFetchCount = 0; run_next_test(); }); // A failure to retrieve an OCSP response will result in an error entry being // added to the cache. add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK, clearSessionCache); add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); }); - // TODO(bug 977865): implement this for insanity - if (!useInsanity) { + // TODO(bug 977865): implement this for mozilla::pkix + if (!useMozillaPKIX) { // The error entry will prevent a fetch from happening for a while. add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK, clearSessionCache); add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); }); } // The error entry must not prevent a stapled OCSP response from being // honored.
--- a/security/manager/ssl/tests/unit/test_ocsp_required.js +++ b/security/manager/ssl/tests/unit/test_ocsp_required.js @@ -35,28 +35,28 @@ function run_test() { add_tests_in_mode(true); add_tests_in_mode(false); add_test(function () { ocspResponder.stop(run_next_test); }); run_next_test(); } -function add_tests_in_mode(useInsanity) +function add_tests_in_mode(useMozillaPKIX) { add_test(function () { - Services.prefs.setBoolPref("security.use_insanity_verification", - useInsanity); + Services.prefs.setBoolPref("security.use_mozillapkix_verification", + useMozillaPKIX); run_next_test(); }); add_connection_test("ocsp-stapling-none.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE)); add_connection_test("ocsp-stapling-none.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE)); add_test(function () { - // TODO(bug 977865): insanity::pkix keeps requesting responses from + // TODO(bug 977865): mozilla::pkix keeps requesting responses from // failing responders - do_check_eq(gOCSPRequestCount, useInsanity ? 2 : 1); + do_check_eq(gOCSPRequestCount, useMozillaPKIX ? 2 : 1); gOCSPRequestCount = 0; run_next_test(); }); }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js @@ -16,20 +16,20 @@ function add_ocsp_test(aHost, aExpectedR gExpectOCSPRequest = !aStaplingEnabled; clearOCSPCache(); clearSessionCache(); Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", aStaplingEnabled); }); } -function add_tests_in_mode(useInsanity, certDB, otherTestCA) { +function add_tests_in_mode(useMozillaPKIX, certDB, otherTestCA) { add_test(function () { - Services.prefs.setBoolPref("security.use_insanity_verification", - useInsanity); + Services.prefs.setBoolPref("security.use_mozillapkix_verification", + useMozillaPKIX); run_next_test(); }); // In the absence of OCSP stapling, these should actually all work. add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false); add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false); add_ocsp_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false); add_ocsp_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false); @@ -49,17 +49,17 @@ function add_tests_in_mode(useInsanity, add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, true); add_ocsp_test("ocsp-stapling-revoked.example.com", getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), true); // SEC_ERROR_OCSP_INVALID_SIGNING_CERT vs SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE // depends on whether the CA that signed the response is a trusted CA - // (but only with the classic implementation - insanity::pkix always + // (but only with the classic implementation - mozilla::pkix always // results in the error SEC_ERROR_OCSP_INVALID_SIGNING_CERT). // This stapled response is from a CA that is untrusted and did not issue // the server's certificate. add_test(function() { certDB.setCertTrust(otherTestCA, Ci.nsIX509Cert.CA_CERT, Ci.nsIX509CertDB.UNTRUSTED); run_next_test(); @@ -108,17 +108,17 @@ function add_tests_in_mode(useInsanity, clearSessionCache(); Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true); } ); add_ocsp_test("ocsp-stapling-empty.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true); // TODO(bug 979070): NSS can't handle this yet. - if (useInsanity) { + if (useMozillaPKIX) { add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true); } // ocsp-stapling-expired.example.com and // ocsp-stapling-expired-fresh-ca.example.com are handled in // test_ocsp_stapling_expired.js }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js @@ -57,21 +57,21 @@ function run_test() { add_tls_server_setup("OCSPStaplingServer"); add_tests_in_mode(true); add_tests_in_mode(false); add_test(function () { ocspResponder.stop(run_next_test); }); add_test(check_ocsp_stapling_telemetry); run_next_test(); } -function add_tests_in_mode(useInsanity) +function add_tests_in_mode(useMozillaPKIX) { add_test(function () { - Services.prefs.setBoolPref("security.use_insanity_verification", - useInsanity); + Services.prefs.setBoolPref("security.use_mozillapkix_verification", + useMozillaPKIX); run_next_test(); }); // In these tests, the OCSP stapling server gives us a stapled // response based on the host name ("ocsp-stapling-expired" or // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're // properly falling back to fetching revocation information. // For ocsp-stapling-expired.example.com, the OCSP stapling server
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js @@ -39,17 +39,17 @@ function run_test() { add_test(function () { ocspResponder.stop(run_next_test); }); add_test(function() { do_check_eq(gOCSPRequestCount, 0); run_next_test(); }); run_next_test(); } -function add_tests_in_mode(useInsanity) { +function add_tests_in_mode(useMozillaPKIX) { add_test(function () { - Services.prefs.setBoolPref("security.use_insanity_verification", - useInsanity); + Services.prefs.setBoolPref("security.use_mozillapkix_verification", + useMozillaPKIX); run_next_test(); }); add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK); }
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/Makefile.in +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/Makefile.in @@ -5,14 +5,14 @@ # file, You can obtain one at http://mozilla.org/MPL/2.0/. include $(topsrcdir)/config/config.mk LIBS = \ $(NSPR_LIBS) \ $(NSS_LIBS) \ $(MOZALLOC_LIB) \ - ../../../../../../insanity/$(LIB_PREFIX)insanitypkix.$(LIB_SUFFIX) \ - ../../../../../../insanity/test/lib/$(LIB_PREFIX)pkixtestutil.$(LIB_SUFFIX) \ + ../../../../../../pkix/$(LIB_PREFIX)mozillapkix.$(LIB_SUFFIX) \ + ../../../../../../pkix/test/lib/$(LIB_PREFIX)pkixtestutil.$(LIB_SUFFIX) \ ../lib/$(LIB_PREFIX)tlsserver.$(LIB_SUFFIX) \ $(NULL) DEFINES += $(TK_CFLAGS)
--- a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp +++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp @@ -8,16 +8,17 @@ #include "ScopedNSSTypes.h" #include "TLSServer.h" #include "pkixtestutil.h" #include "secerr.h" using namespace mozilla; using namespace mozilla::test; +using namespace mozilla::pkix::test; SECItemArray * GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate *aCert, PLArenaPool *aArena, const char *aAdditionalCertName) { if (aORT == ORTNone) { if (gDebugLevel >= DEBUG_WARNINGS) { @@ -33,17 +34,17 @@ GetOCSPResponseForType(OCSPResponseType arr->items[0].len = 0; return arr; } PRTime now = PR_Now(); PRTime oneDay = 60*60*24 * (PRTime)PR_USEC_PER_SEC; PRTime oldNow = now - (8 * oneDay); - insanity::test::OCSPResponseContext context(aArena, aCert, now); + OCSPResponseContext context(aArena, aCert, now); if (aORT == ORTGoodOtherCert) { context.cert = PK11_FindCertFromNickname(aAdditionalCertName, nullptr); if (!context.cert) { PrintPRError("PK11_FindCertFromNickname failed"); return nullptr; } } @@ -98,17 +99,17 @@ GetOCSPResponseForType(OCSPResponseType if (aORT == ORTBadSignature) { context.badSignature = true; } if (!context.signerCert) { context.signerCert = CERT_DupCertificate(context.issuerCert.get()); } - SECItem* response = insanity::test::CreateEncodedOCSPResponse(context); + SECItem* response = CreateEncodedOCSPResponse(context); if (!response) { PrintPRError("CreateEncodedOCSPResponse failed"); return nullptr; } SECItemArray* arr = SECITEM_AllocArray(aArena, nullptr, 1); arr->items[0].data = response ? response->data : nullptr; arr->items[0].len = response ? response->len : 0;
--- a/security/manager/ssl/tests/unit/tlsserver/lib/moz.build +++ b/security/manager/ssl/tests/unit/tlsserver/lib/moz.build @@ -5,13 +5,13 @@ # file, You can obtain one at http://mozilla.org/MPL/2.0/. UNIFIED_SOURCES += [ 'OCSPCommon.cpp', 'TLSServer.cpp', ] LOCAL_INCLUDES += [ - '../../../../../../insanity/include', - '../../../../../../insanity/test/lib', + '../../../../../../pkix/include', + '../../../../../../pkix/test/lib', ] LIBRARY_NAME = 'tlsserver'
rename from security/insanity/include/insanity/ScopedPtr.h rename to security/pkix/include/pkix/ScopedPtr.h --- a/security/insanity/include/insanity/ScopedPtr.h +++ b/security/pkix/include/pkix/ScopedPtr.h @@ -1,31 +1,31 @@ /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=8 sts=2 et sw=2 tw=80: */ -/* Copyright 2013 Mozilla Foundation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. +/* Copyright 2013 Mozilla Foundation + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. */ -#ifndef insanity_pkix__ScopedPtr_h -#define insanity_pkix__ScopedPtr_h +#ifndef mozilla_pkix__ScopedPtr_h +#define mozilla_pkix__ScopedPtr_h -#include "insanity/nullptr.h" +#include "pkix/nullptr.h" -namespace insanity { namespace pkix { +namespace mozilla { namespace pkix { // Similar to boost::scoped_ptr and std::unique_ptr. Does not support copying // or assignment. template <typename T, void (*Destroyer)(T*)> class ScopedPtr { public: explicit ScopedPtr(T* value = nullptr) : mValue(value) { } @@ -89,11 +89,11 @@ operator!=(T* a, const ScopedPtr<T, Dest template <typename T, void(*Destroyer)(T*)> inline bool operator!=(const ScopedPtr<T, Destroyer>& a, T* b) { return a.get() != b; } -} } // namespace insanity::pkix +} } // namespace mozilla::pkix -#endif // insanity_pkix__ScopedPtr_h +#endif // mozilla_pkix__ScopedPtr_h
rename from security/insanity/include/insanity/bind.h rename to security/pkix/include/pkix/bind.h --- a/security/insanity/include/insanity/bind.h +++ b/security/pkix/include/pkix/bind.h @@ -14,28 +14,28 @@ * See the License for the specific language governing permissions and * limitations under the License. */ // Work around missing std::bind, std::ref, std::cref in older compilers. This // implementation isn't intended to be complete; rather, it is the minimal // implementation needed to make our use of std::bind work. -#ifndef insanity_pkix__bind_h -#define insanity_pkix__bind_h +#ifndef mozilla_pkix__bind_h +#define mozilla_pkix__bind_h #ifdef _MSC_VER #pragma warning(disable:4275) //Suppress spurious MSVC warning #endif #include <functional> #ifdef _MSC_VER #pragma warning(default:4275) #endif -namespace insanity { +namespace mozilla { namespace pkix { #ifdef _MSC_VER using std::bind; using std::ref; using std::cref; using std::placeholders::_1; @@ -87,11 +87,11 @@ template <typename R, typename P1, typen inline internal::Bind2<R, P1, B1, B2> bind(R (*f)(P1&, B1&, B2&), Placeholder1 &, B1 & b1, B2 & b2) { return internal::Bind2<R, P1, B1, B2>(f, b1, b2); } #endif // _MSC_VER -} // namespace insanity +} } // namespace mozilla::pkix -#endif // insanity_pkix__bind_h +#endif // mozilla_pkix__bind_h
rename from security/insanity/include/insanity/nullptr.h rename to security/pkix/include/pkix/nullptr.h --- a/security/insanity/include/insanity/nullptr.h +++ b/security/pkix/include/pkix/nullptr.h @@ -10,19 +10,19 @@ * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ -#ifndef insanity_pkix__nullptr_h -#define insanity_pkix__nullptr_h +#ifndef mozilla_pkix__nullptr_h +#define mozilla_pkix__nullptr_h // GCC does not understand nullptr until 4.6 #if defined(__GNUC__) && !defined(__clang__) #if __GNUC__ * 100 + __GNUC_MINOR__ < 406 #define nullptr __null #endif #endif -#endif // insanity_pkix__nullptr_h +#endif // mozilla_pkix__nullptr_h
rename from security/insanity/include/insanity/pkix.h rename to security/pkix/include/pkix/pkix.h --- a/security/insanity/include/insanity/pkix.h +++ b/security/pkix/include/pkix/pkix.h @@ -10,23 +10,23 @@ * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ -#ifndef insanity_pkix__pkix_h -#define insanity_pkix__pkix_h +#ifndef mozilla_pkix__pkix_h +#define mozilla_pkix__pkix_h #include "pkixtypes.h" #include "prtime.h" -namespace insanity { namespace pkix { +namespace mozilla { namespace pkix { // ---------------------------------------------------------------------------- // LIMITED SUPPORT FOR CERTIFICATE POLICIES // // If SEC_OID_X509_ANY_POLICY is passed as the value of the requiredPolicy // parameter then all policy validation will be skipped. Otherwise, path // building and validation will be done for the given policy. // @@ -113,11 +113,11 @@ SECItem* CreateEncodedOCSPRequest(PLAren SECStatus VerifyEncodedOCSPResponse(TrustDomain& trustDomain, const CERTCertificate* cert, CERTCertificate* issuerCert, PRTime time, const SECItem* encodedResponse, /* optional out */ PRTime* thisUpdate, /* optional out */ PRTime* validThrough); -} } // namespace insanity::pkix +} } // namespace mozilla::pkix -#endif // insanity_pkix__pkix_h +#endif // mozilla_pkix__pkix_h
rename from security/insanity/include/insanity/pkixtypes.h rename to security/pkix/include/pkix/pkixtypes.h --- a/security/insanity/include/insanity/pkixtypes.h +++ b/security/pkix/include/pkix/pkixtypes.h @@ -10,25 +10,25 @@ * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ -#ifndef insanity_pkix__pkixtypes_h -#define insanity_pkix__pkixtypes_h +#ifndef mozilla_pkix__pkixtypes_h +#define mozilla_pkix__pkixtypes_h -#include "insanity/ScopedPtr.h" +#include "pkix/ScopedPtr.h" #include "plarena.h" #include "cert.h" #include "keyhi.h" -namespace insanity { namespace pkix { +namespace mozilla { namespace pkix { typedef ScopedPtr<PLArenaPool, PL_FreeArenaPool> ScopedPLArenaPool; typedef ScopedPtr<CERTCertificate, CERT_DestroyCertificate> ScopedCERTCertificate; typedef ScopedPtr<CERTCertList, CERT_DestroyCertList> ScopedCERTCertList; typedef ScopedPtr<SECKEYPublicKey, SECKEY_DestroyPublicKey> ScopedSECKEYPublicKey; @@ -83,17 +83,17 @@ public: /*out*/ ScopedCERTCertList& results) = 0; // Verify the given signature using the public key of the given certificate. // The implementation should be careful to ensure that the given certificate // has all the public key information needed--i.e. it should ensure that the // certificate is not trying to use EC(DSA) parameter inheritance. // // Most implementations of this function should probably forward the call - // directly to insanity::pkix::VerifySignedData. + // directly to mozilla::pkix::VerifySignedData. virtual SECStatus VerifySignedData(const CERTSignedData* signedData, const CERTCertificate* cert) = 0; // issuerCertToDup is only non-const so CERT_DupCertificate can be called on // it. virtual SECStatus CheckRevocation(EndEntityOrCA endEntityOrCA, const CERTCertificate* cert, /*const*/ CERTCertificate* issuerCertToDup, @@ -103,11 +103,11 @@ public: protected: TrustDomain() { } private: TrustDomain(const TrustDomain&) /* = delete */; void operator=(const TrustDomain&) /* = delete */; }; -} } // namespace insanity::pkix +} } // namespace mozilla::pkix -#endif // insanity_pkix__pkixtypes_h +#endif // mozilla_pkix__pkixtypes_h
rename from security/insanity/lib/pkixbind.cpp rename to security/pkix/lib/pkixbind.cpp --- a/security/insanity/lib/pkixbind.cpp +++ b/security/pkix/lib/pkixbind.cpp @@ -12,17 +12,17 @@ * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #ifndef _MSC_VER -#include "insanity/bind.h" +#include "pkix/bind.h" -namespace insanity { +namespace mozilla { namespace pkix { Placeholder1 _1; - -} // namespace insanity + +} } // namespace mozilla::pkix #endif // _MSC_VER
rename from security/insanity/lib/pkixbuild.cpp rename to security/pkix/lib/pkixbuild.cpp --- a/security/insanity/lib/pkixbuild.cpp +++ b/security/pkix/lib/pkixbuild.cpp @@ -10,24 +10,24 @@ * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ -#include "insanity/pkix.h" +#include "pkix/pkix.h" #include <limits> #include "pkixcheck.h" #include "pkixder.h" -namespace insanity { namespace pkix { +namespace mozilla { namespace pkix { // We assume ext has been zero-initialized by its constructor and otherwise // not modified. // // TODO(perf): This sorting of extensions should be be moved into the // certificate decoder so that the results are cached with the certificate, so // that the decoding doesn't have to happen more than once per cert. Result @@ -167,17 +167,17 @@ BuildForwardInner(TrustDomain& trustDoma return Success; } // Recursively build the path from the given subject certificate to the root. // // Be very careful about changing the order of checks. The order is significant // because it affects which error we return when a certificate or certificate // chain has multiple problems. See the error ranking documentation in -// insanity/pkix.h. +// pkix/pkix.h. static Result BuildForward(TrustDomain& trustDomain, BackCert& subject, PRTime time, EndEntityOrCA endEntityOrCA, KeyUsages requiredKeyUsagesIfPresent, SECOidTag requiredEKUIfPresent, SECOidTag requiredPolicy, @@ -358,9 +358,9 @@ BackCert::PrependNSSCertToList(CERTCertL if (CERT_AddCertToListHead(results, dup) != SECSuccess) { // takes ownership CERT_DestroyCertificate(dup); return FatalError; } return Success; } -} } // namespace insanity::pkix +} } // namespace mozilla::pkix
rename from security/insanity/lib/pkixcheck.cpp rename to security/pkix/lib/pkixcheck.cpp --- a/security/insanity/lib/pkixcheck.cpp +++ b/security/pkix/lib/pkixcheck.cpp @@ -10,23 +10,23 @@ * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ -#include "insanity/pkix.h" +#include "pkix/pkix.h" #include "pkixcheck.h" #include "pkixder.h" #include "pkixutil.h" #include "secder.h" -namespace insanity { namespace pkix { +namespace mozilla { namespace pkix { Result CheckTimes(const CERTCertificate* cert, PRTime time) { PR_ASSERT(cert); SECCertTimeValidity validity = CERT_CheckCertValidTimes(cert, time, false); if (validity != secCertTimeValid) { @@ -474,9 +474,9 @@ CheckIssuerIndependentProperties(TrustDo rv = CheckTimes(cert.GetNSSCert(), time); if (rv != Success) { return rv; } return Success; } -} } // namespace insanity::pkix +} } // namespace mozilla::pkix
rename from security/insanity/lib/pkixcheck.h rename to security/pkix/lib/pkixcheck.h --- a/security/insanity/lib/pkixcheck.h +++ b/security/pkix/lib/pkixcheck.h @@ -10,32 +10,32 @@ * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ -#ifndef insanity__pkixcheck_h -#define insanity__pkixcheck_h +#ifndef mozilla_pkix__pkixcheck_h +#define mozilla_pkix__pkixcheck_h #include "pkixutil.h" #include "certt.h" -namespace insanity { namespace pkix { +namespace mozilla { namespace pkix { Result CheckIssuerIndependentProperties( TrustDomain& trustDomain, BackCert& cert, PRTime time, EndEntityOrCA endEntityOrCA, KeyUsages requiredKeyUsagesIfPresent, SECOidTag requiredEKUIfPresent, SECOidTag requiredPolicy, unsigned int subCACount, /*optional out*/ TrustDomain::TrustLevel* trustLevel = nullptr); Result CheckNameConstraints(BackCert& cert); -} } // namespace insanity::pkix +} } // namespace mozilla::pkix -#endif // insanity__pkixcheck_h +#endif // mozilla_pkix__pkixcheck_h
rename from security/insanity/lib/pkixder.cpp rename to security/pkix/lib/pkixder.cpp --- a/security/insanity/lib/pkixder.cpp +++ b/security/pkix/lib/pkixder.cpp @@ -12,17 +12,17 @@ * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include "pkixder.h" -namespace insanity { namespace der { +namespace mozilla { namespace pkix { namespace der { // not inline Result Fail(PRErrorCode errorCode) { PR_SetError(errorCode, 0); return Failure; } @@ -73,9 +73,9 @@ ExpectTagAndGetLength(Input& input, uint } else { // We don't support lengths larger than 2^16 - 1. return Fail(SEC_ERROR_BAD_DER); } return Success; } -} } // namespace insanity::der +} } } // namespace mozilla::pkix::der
rename from security/insanity/lib/pkixder.h rename to security/pkix/lib/pkixder.h --- a/security/insanity/lib/pkixder.h +++ b/security/pkix/lib/pkixder.h @@ -10,29 +10,29 @@ * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ -#ifndef insanity_pkix__pkixder_h -#define insanity_pkix__pkixder_h +#ifndef mozilla_pkix__pkixder_h +#define mozilla_pkix__pkixder_h -#include "insanity/nullptr.h" +#include "pkix/nullptr.h" #include "prerror.h" #include "prlog.h" #include "secder.h" #include "secerr.h" #include "secoidt.h" #include "stdint.h" -namespace insanity { namespace der { +namespace mozilla { namespace pkix { namespace der { enum Class { UNIVERSAL = 0 << 6, // APPLICATION = 1 << 6, // unused CONTEXT_SPECIFIC = 2 << 6, // PRIVATE = 3 << 6 // unused }; @@ -514,11 +514,11 @@ OptionalVersion(Input& input, /*out*/ ui return Failure; } if (version & 0x80) { // negative return Fail(SEC_ERROR_BAD_DER); } return Success; } -} } // namespace insanity::der +} } } // namespace mozilla::pkix::der -#endif // insanity_pkix__pkixder_h +#endif // mozilla_pkix__pkixder_h
rename from security/insanity/lib/pkixkey.cpp rename to security/pkix/lib/pkixkey.cpp --- a/security/insanity/lib/pkixkey.cpp +++ b/security/pkix/lib/pkixkey.cpp @@ -10,27 +10,27 @@ * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ -#include "insanity/pkix.h" +#include "pkix/pkix.h" #include <limits> #include <stdint.h> #include "cert.h" #include "cryptohi.h" #include "prerror.h" #include "secerr.h" -namespace insanity { namespace pkix { +namespace mozilla { namespace pkix { SECStatus VerifySignedData(const CERTSignedData* sd, const CERTCertificate* cert, void* pkcs11PinArg) { if (!sd || !sd->data.data || !sd->signatureAlgorithm.algorithm.data || !sd->signature.data || !cert) { PR_NOT_REACHED("invalid args to VerifySignedData"); @@ -81,9 +81,9 @@ VerifySignedData(const CERTSignedData* s if ((policy & requiredPolicy) != requiredPolicy) { PR_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, 0); return SECFailure; } return SECSuccess; } -} } // namespace insanity::pkix +} } // namespace mozilla::pkix
rename from security/insanity/lib/pkixocsp.cpp rename to security/pkix/lib/pkixocsp.cpp --- a/security/insanity/lib/pkixocsp.cpp +++ b/security/pkix/lib/pkixocsp.cpp @@ -12,18 +12,18 @@ * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include <limits> -#include "insanity/bind.h" -#include "insanity/pkix.h" +#include "pkix/bind.h" +#include "pkix/pkix.h" #include "pkixcheck.h" #include "pkixder.h" #include "hasht.h" #include "pk11pub.h" #include "secder.h" #ifdef _MSC_VER @@ -31,17 +31,17 @@ #define ENUM_CLASS __pragma(warning(disable: 4480)) enum #else #define ENUM_CLASS enum class #endif // TODO: use typed/qualified typedefs everywhere? // TODO: When should we return SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE? -namespace insanity { namespace pkix { +namespace mozilla { namespace pkix { static const PRTime ONE_DAY = INT64_C(24) * INT64_C(60) * INT64_C(60) * PR_USEC_PER_SEC; static const PRTime SLOP = ONE_DAY; // These values correspond to the tag values in the ASN.1 CertStatus ENUM_CLASS CertStatus : uint8_t { Good = der::CONTEXT_SPECIFIC | 0, @@ -988,9 +988,9 @@ CreateEncodedOCSPRequest(PLArenaPool* ar *d++ = cert->serialNumber.data[i]; } PR_ASSERT(d == encodedRequest->data + totalLen); return encodedRequest; } -} } // namespace insanity::pkix +} } // namespace mozilla::pkix
rename from security/insanity/lib/pkixutil.h rename to security/pkix/lib/pkixutil.h --- a/security/insanity/lib/pkixutil.h +++ b/security/pkix/lib/pkixutil.h @@ -10,25 +10,25 @@ * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ -#ifndef insanity_pkix__pkixutil_h -#define insanity_pkix__pkixutil_h +#ifndef mozilla_pkix__pkixutil_h +#define mozilla_pkix__pkixutil_h -#include "insanity/pkixtypes.h" +#include "pkix/pkixtypes.h" #include "prerror.h" #include "seccomon.h" #include "secerr.h" -namespace insanity { namespace pkix { +namespace mozilla { namespace pkix { enum Result { Success = 0, FatalError = -1, // An error was encountered that caused path building // to stop immediately. example: out-of-memory. RecoverableError = -2 // an error that will cause path building to continue // searching for alternative paths. example: expired @@ -136,11 +136,11 @@ private: ScopedPLArenaPool arena; CERTGeneralName* constrainedNames; ConstrainedNameOptions cnOptions; BackCert(const BackCert&) /* = delete */; void operator=(const BackCert&); /* = delete */; }; -} } // namespace insanity::pkix +} } // namespace mozilla::pkix -#endif // insanity_pkix__pkixutil_h +#endif // mozilla_pkix__pkixutil_h
rename from security/insanity/moz.build rename to security/pkix/moz.build --- a/security/insanity/moz.build +++ b/security/pkix/moz.build @@ -18,11 +18,11 @@ LOCAL_INCLUDES += [ ] DIRS += [ 'test/lib', ] FAIL_ON_WARNINGS = True -LIBRARY_NAME = 'insanitypkix' +LIBRARY_NAME = 'mozillapkix' FINAL_LIBRARY = 'xul'
rename from security/insanity/test/lib/pkixtestutil.cpp rename to security/pkix/test/lib/pkixtestutil.cpp --- a/security/insanity/test/lib/pkixtestutil.cpp +++ b/security/pkix/test/lib/pkixtestutil.cpp @@ -20,17 +20,17 @@ #include "pkixtestutil.h" #include "cryptohi.h" #include "hasht.h" #include "pk11pub.h" #include "prinit.h" #include "secder.h" -namespace insanity { namespace test { +namespace mozilla { namespace pkix { namespace test { class Output { public: Output() : numItems(0) , length(0) { @@ -627,9 +627,9 @@ CertStatus(OCSPResponseContext& context) } default: PR_NOT_REACHED("CertStatus: bad context.certStatus"); PR_Abort(); } return nullptr; } -} } // namespace insanity::test +} } } // namespace mozilla::pkix::test
rename from security/insanity/test/lib/pkixtestutil.h rename to security/pkix/test/lib/pkixtestutil.h --- a/security/insanity/test/lib/pkixtestutil.h +++ b/security/pkix/test/lib/pkixtestutil.h @@ -10,24 +10,24 @@ * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ -#ifndef insanity_test__pkixtestutils_h -#define insanity_test__pkixtestutils_h +#ifndef mozilla_pkix_test__pkixtestutils_h +#define mozilla_pkix_test__pkixtestutils_h -#include "insanity/ScopedPtr.h" -#include "insanity/pkixtypes.h" +#include "pkix/ScopedPtr.h" +#include "pkix/pkixtypes.h" #include "seccomon.h" -namespace insanity { namespace test { +namespace mozilla { namespace pkix { namespace test { class OCSPResponseContext { public: OCSPResponseContext(PLArenaPool* arena, CERTCertificate* cert, PRTime time); PLArenaPool* arena; // TODO(bug 980538): add a way to specify what certificates are included. @@ -57,11 +57,11 @@ public: // The return value, if non-null, is owned by the arena in the context // and MUST NOT be freed. // This function does its best to respect the NSPR error code convention // (that is, if it returns null, calling PR_GetError() will return the // error of the failed operation). However, this is not guaranteed. SECItem* CreateEncodedOCSPResponse(OCSPResponseContext& context); -} } // namespace insanity::test +} } } // namespace mozilla::pkix::test -#endif // insanity_test__pkixtestutils_h +#endif // mozilla_pkix_test__pkixtestutils_h
--- a/toolkit/components/telemetry/Histograms.json +++ b/toolkit/components/telemetry/Histograms.json @@ -4249,23 +4249,23 @@ "SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC": { "expires_in_version": "never", "kind": "exponential", "high": "60000", "n_buckets": 50, "extended_statistics_ok": true, "description": "Time spent on a successful cert verification in classic mode (ms)" }, - "SSL_SUCCESFUL_CERT_VALIDATION_TIME_INSANITY" : { + "SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX" : { "expires_in_version": "never", "kind": "exponential", "high": "60000", "n_buckets": 50, "extended_statistics_ok": true, - "description": "Time spent on a successful cert verification in insanity mode (ms)" + "description": "Time spent on a successful cert verification in mozilla::pkix mode (ms)" }, "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX" : { "expires_in_version": "never", "kind": "exponential", "high": "60000", "n_buckets": 50, "extended_statistics_ok": true, "description": "Time spent on an initially failed cert verification in libpix mode (ms)" @@ -4273,23 +4273,23 @@ "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC": { "expires_in_version": "never", "kind": "exponential", "high": "60000", "n_buckets": 50, "extended_statistics_ok": true, "description": "Time spent on an initially failed cert verification in classic mode (ms)" }, - "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_INSANITY" : { + "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX" : { "expires_in_version": "never", "kind": "exponential", "high": "60000", "n_buckets": 50, "extended_statistics_ok": true, - "description": "Time spent on an initially failed cert verification in insanity mode (ms)" + "description": "Time spent on an initially failed cert verification in mozilla::pkix mode (ms)" }, "HEALTHREPORT_DB_OPEN_FIRSTRUN_MS": { "expires_in_version": "never", "kind": "exponential", "high": "20000", "n_buckets": 15, "description": "Time (ms) spent to open Firefox Health Report's database the first time, including schema setup." },