| author | Brian Smith <brian@briansmith.org> |
| Mon, 16 Jun 2014 23:13:29 -0700 | |
| changeset 189889 | b3ebf7675c7bd1d85ed1b7290e1d2c3ae28a0490 |
| parent 189888 | 83977d2750a225aa095b018c841d4c2169118209 |
| child 189890 | feaac6c10dc6dd76e908bdc9185cc8849bbb8595 |
| push id | 45183 |
| push user | brian@briansmith.org |
| push date | Sat, 21 Jun 2014 01:22:56 +0000 |
| treeherder | mozilla-inbound@b3ebf7675c7b [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | keeler |
| bugs | 975229 |
| milestone | 33.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/netwerk/base/public/security-prefs.js +++ b/netwerk/base/public/security-prefs.js @@ -49,10 +49,8 @@ pref("security.ssl3.rsa_seed_sha", false pref("security.default_personal_cert", "Ask Every Time"); pref("security.remember_cert_checkbox_default_setting", true); pref("security.ask_for_password", 0); pref("security.password_lifetime", 30); pref("security.OCSP.enabled", 1); pref("security.OCSP.require", false); pref("security.OCSP.GET.enabled", false); - -pref("security.use_mozillapkix_verification", true);
--- a/security/certverifier/CertVerifier.cpp +++ b/security/certverifier/CertVerifier.cpp @@ -8,17 +8,16 @@ #include <stdint.h> #include "ExtendedValidation.h" #include "NSSCertDBTrustDomain.h" #include "NSSErrorsService.h" #include "PublicKeyPinningService.h" #include "cert.h" -#include "ocsp.h" #include "pk11pub.h" #include "pkix/pkix.h" #include "prerror.h" #include "secerr.h" #include "sslerr.h" // ScopedXXX in this file are mozilla::pkix::ScopedXXX, not // mozilla::ScopedXXX. @@ -29,31 +28,21 @@ using namespace mozilla::psm; PRLogModuleInfo* gCertVerifierLog = nullptr; #endif namespace mozilla { namespace psm { const CertVerifier::Flags CertVerifier::FLAG_LOCAL_ONLY = 1; const CertVerifier::Flags CertVerifier::FLAG_MUST_BE_EV = 2; -CertVerifier::CertVerifier(implementation_config ic, -#ifndef NSS_NO_LIBPKIX - missing_cert_download_config mcdc, - crl_download_config cdc, -#endif - ocsp_download_config odc, +CertVerifier::CertVerifier(ocsp_download_config odc, ocsp_strict_config osc, ocsp_get_config ogc, pinning_enforcement_config pel) - : mImplementation(ic) -#ifndef NSS_NO_LIBPKIX - , mMissingCertDownloadEnabled(mcdc == missing_cert_download_on) - , mCRLDownloadEnabled(cdc == crl_download_allowed) -#endif - , mOCSPDownloadEnabled(odc == ocsp_on) + : mOCSPDownloadEnabled(odc == ocsp_on) , mOCSPStrict(osc == ocsp_strict) , mOCSPGETEnabled(ogc == ocsp_get_enabled) , mPinningEnforcementLevel(pel) { } CertVerifier::~CertVerifier() { @@ -64,47 +53,16 @@ InitCertVerifierLog() { #ifdef PR_LOGGING if (!gCertVerifierLog) { gCertVerifierLog = PR_NewLogModule("certverifier"); } #endif } -// Once we migrate to mozilla::pkix or change the overridable error -// logic this will become unnecesary. -static SECStatus -insertErrorIntoVerifyLog(CERTCertificate* cert, const PRErrorCode err, - CERTVerifyLog* verifyLog){ - CERTVerifyLogNode* node; - node = (CERTVerifyLogNode *)PORT_ArenaAlloc(verifyLog->arena, - sizeof(CERTVerifyLogNode)); - if (!node) { - PR_SetError(PR_UNKNOWN_ERROR, 0); - return SECFailure; - } - node->cert = CERT_DupCertificate(cert); - node->error = err; - node->depth = 0; - node->arg = nullptr; - //and at to head! - node->prev = nullptr; - node->next = verifyLog->head; - if (verifyLog->head) { - verifyLog->head->prev = node; - } - verifyLog->head = node; - if (!verifyLog->tail) { - verifyLog->tail = node; - } - verifyLog->count++; - - return SECSuccess; -} - SECStatus IsCertBuiltInRoot(CERTCertificate* cert, bool& result) { result = false; ScopedPtr<PK11SlotList, PK11_FreeSlotList> slots; slots = PK11_GetAllSlotsForCert(cert, nullptr); if (!slots) { if (PORT_GetError() == SEC_ERROR_NO_TOKEN) { // no list @@ -194,118 +152,16 @@ SECStatus chainValidationCallback(void* *chainOK = PublicKeyPinningService:: ChainHasValidPins(certList, callbackState->hostname, callbackState->time, enforceTestMode); return SECSuccess; } static SECStatus -ClassicVerifyCert(CERTCertificate* cert, - const SECCertificateUsage usage, - const PRTime time, - void* pinArg, - ChainValidationCallbackState* callbackState, - /*optional out*/ ScopedCERTCertList* validationChain, - /*optional out*/ CERTVerifyLog* verifyLog) -{ - SECStatus rv; - SECCertUsage enumUsage; - switch (usage) { - case certificateUsageSSLClient: - enumUsage = certUsageSSLClient; - break; - case certificateUsageSSLServer: - enumUsage = certUsageSSLServer; - break; - case certificateUsageSSLCA: - enumUsage = certUsageSSLCA; - break; - case certificateUsageEmailSigner: - enumUsage = certUsageEmailSigner; - break; - case certificateUsageEmailRecipient: - enumUsage = certUsageEmailRecipient; - break; - case certificateUsageObjectSigner: - enumUsage = certUsageObjectSigner; - break; - case certificateUsageVerifyCA: - enumUsage = certUsageVerifyCA; - break; - case certificateUsageStatusResponder: - enumUsage = certUsageStatusResponder; - break; - default: - PR_NOT_REACHED("unexpected usage"); - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - if (usage == certificateUsageSSLServer) { - // SSL server cert verification has always used CERT_VerifyCert, so we - // continue to use it for SSL cert verification to minimize the risk of - // there being any differnce in results between CERT_VerifyCert and - // CERT_VerifyCertificate. - rv = CERT_VerifyCert(CERT_GetDefaultCertDB(), cert, true, - certUsageSSLServer, time, pinArg, verifyLog); - } else { - rv = CERT_VerifyCertificate(CERT_GetDefaultCertDB(), cert, true, - usage, time, pinArg, verifyLog, nullptr); - } - - if (rv == SECSuccess && - (validationChain || usage == certificateUsageSSLServer)) { - PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, - ("VerifyCert: getting chain in 'classic' \n")); - ScopedCERTCertList certChain(CERT_GetCertChainFromCert(cert, time, - enumUsage)); - if (!certChain) { - return SECFailure; - } - if (usage == certificateUsageSSLServer) { - PRBool chainOK = PR_FALSE; - SECStatus srv = chainValidationCallback(callbackState, certChain.get(), - &chainOK); - if (srv != SECSuccess) { - return srv; - } - if (chainOK != PR_TRUE) { - if (verifyLog) { - insertErrorIntoVerifyLog(cert, - PSM_ERROR_KEY_PINNING_FAILURE, - verifyLog); - } - PR_SetError(PSM_ERROR_KEY_PINNING_FAILURE, 0); - return SECFailure; - } - } - if (rv == SECSuccess && validationChain) { - *validationChain = certChain.release(); - } - } - - return rv; -} - -#ifndef NSS_NO_LIBPKIX -static void -destroyCertListThatShouldNotExist(CERTCertList** certChain) -{ - PR_ASSERT(certChain); - PR_ASSERT(!*certChain); - if (certChain && *certChain) { - // There SHOULD not be a validation chain on failure, asserion here for - // the debug builds AND a fallback for production builds - CERT_DestroyCertList(*certChain); - *certChain = nullptr; - } -} -#endif - -static SECStatus BuildCertChainForOneKeyUsage(TrustDomain& trustDomain, CERTCertificate* cert, PRTime time, KeyUsage ku1, KeyUsage ku2, KeyUsage ku3, KeyPurposeId eku, const CertPolicyId& requiredPolicy, const SECItem* stapledOCSPResponse, ScopedCERTCertList& builtChain) { SECStatus rv = BuildCertChain(trustDomain, cert, time, @@ -326,28 +182,24 @@ BuildCertChainForOneKeyUsage(TrustDomain PR_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE, 0); } } } return rv; } SECStatus -CertVerifier::MozillaPKIXVerifyCert( - CERTCertificate* cert, - const SECCertificateUsage usage, - const PRTime time, - void* pinArg, - const Flags flags, - ChainValidationCallbackState* callbackState, - /*optional*/ const SECItem* stapledOCSPResponse, - /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain, - /*optional out*/ SECOidTag* evOidPolicy) +CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, + PRTime time, void* pinArg, const char* hostname, + const Flags flags, + /*optional*/ const SECItem* stapledOCSPResponse, + /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain, + /*optional out*/ SECOidTag* evOidPolicy) { - PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of MozillaPKIXVerifyCert\n")); + PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of VerifyCert\n")); PR_ASSERT(cert); PR_ASSERT(usage == certificateUsageSSLServer || !(flags & FLAG_MUST_BE_EV)); if (validationChain) { *validationChain = nullptr; } if (evOidPolicy) { @@ -355,19 +207,22 @@ CertVerifier::MozillaPKIXVerifyCert( } if (!cert || (usage != certificateUsageSSLServer && (flags & FLAG_MUST_BE_EV))) { PR_SetError(SEC_ERROR_INVALID_ARGS, 0); return SECFailure; } + ChainValidationCallbackState callbackState = { + hostname, mPinningEnforcementLevel, usage, time + }; CERTChainVerifyCallback callbackContainer; callbackContainer.isChainValid = chainValidationCallback; - callbackContainer.isChainValidArg = callbackState; + callbackContainer.isChainValidArg = &callbackState; NSSCertDBTrustDomain::OCSPFetching ocspFetching = !mOCSPDownloadEnabled || (flags & FLAG_LOCAL_ONLY) ? NSSCertDBTrustDomain::NeverFetchOCSP : !mOCSPStrict ? NSSCertDBTrustDomain::FetchOCSPForDVSoftFail : NSSCertDBTrustDomain::FetchOCSPForDVHardFail; ocsp_get_config ocspGETConfig = mOCSPGETEnabled ? ocsp_get_enabled @@ -554,378 +409,16 @@ CertVerifier::MozillaPKIXVerifyCert( if (validationChain && rv == SECSuccess) { *validationChain = builtChain.release(); } return rv; } SECStatus -CertVerifier::VerifyCert(CERTCertificate* cert, - const SECCertificateUsage usage, - const PRTime time, - void* pinArg, - const char* hostname, - const Flags flags, - /*optional in*/ const SECItem* stapledOCSPResponse, - /*optional out*/ ScopedCERTCertList* validationChain, - /*optional out*/ SECOidTag* evOidPolicy, - /*optional out*/ CERTVerifyLog* verifyLog) -{ - ChainValidationCallbackState callbackState = { hostname, - mPinningEnforcementLevel, - usage, - time }; - - if (mImplementation == mozillapkix) { - return MozillaPKIXVerifyCert(cert, usage, time, pinArg, flags, - &callbackState, stapledOCSPResponse, - validationChain, evOidPolicy); - } - - if (!cert) - { - PR_NOT_REACHED("Invalid arguments to CertVerifier::VerifyCert"); - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - if (validationChain) { - *validationChain = nullptr; - } - if (evOidPolicy) { - *evOidPolicy = SEC_OID_UNKNOWN; - } - - switch(usage){ - case certificateUsageSSLClient: - case certificateUsageSSLServer: - case certificateUsageSSLCA: - case certificateUsageEmailSigner: - case certificateUsageEmailRecipient: - case certificateUsageObjectSigner: - case certificateUsageVerifyCA: - case certificateUsageStatusResponder: - break; - default: - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - - if ((flags & FLAG_MUST_BE_EV) && usage != certificateUsageSSLServer) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - -#ifndef NSS_NO_LIBPKIX - ScopedCERTCertList trustAnchors; - SECStatus rv; - SECOidTag evPolicy = SEC_OID_UNKNOWN; - - // Do EV checking only for sslserver usage - if (usage == certificateUsageSSLServer) { - CertPolicyId unusedPolicyId; - SECStatus srv = GetFirstEVPolicy(cert, unusedPolicyId, evPolicy); - if (srv == SECSuccess) { - if (evPolicy != SEC_OID_UNKNOWN) { - trustAnchors = GetRootsForOid(evPolicy); - } - if (!trustAnchors) { - return SECFailure; - } - // pkix ignores an empty trustanchors list and - // decides then to use the whole set of trust in the DB - // so we set the evPolicy to unkown in this case - if (CERT_LIST_EMPTY(trustAnchors)) { - evPolicy = SEC_OID_UNKNOWN; - } - } else { - // No known EV policy found - if (flags & FLAG_MUST_BE_EV) { - PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND); - return SECFailure; - } - // Do not setup EV verification params - evPolicy = SEC_OID_UNKNOWN; - } - if ((evPolicy == SEC_OID_UNKNOWN) && (flags & FLAG_MUST_BE_EV)) { - PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); - return SECFailure; - } - } - - PR_ASSERT(evPolicy == SEC_OID_UNKNOWN || trustAnchors); - - size_t i = 0; - size_t validationChainLocation = 0; - size_t validationTrustAnchorLocation = 0; - CERTValOutParam cvout[4]; - if (verifyLog) { - cvout[i].type = cert_po_errorLog; - cvout[i].value.pointer.log = verifyLog; - ++i; - } - if (validationChain) { - PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: setting up validation chain outparam.\n")); - validationChainLocation = i; - cvout[i].type = cert_po_certList; - cvout[i].value.pointer.chain = nullptr; - ++i; - validationTrustAnchorLocation = i; - cvout[i].type = cert_po_trustAnchor; - cvout[i].value.pointer.cert = nullptr; - ++i; - } - cvout[i].type = cert_po_end; - - CERTRevocationFlags rev; - - CERTRevocationMethodIndex revPreferredMethods[2]; - rev.leafTests.preferred_methods = - rev.chainTests.preferred_methods = revPreferredMethods; - - uint64_t revFlagsPerMethod[2]; - rev.leafTests.cert_rev_flags_per_method = - rev.chainTests.cert_rev_flags_per_method = revFlagsPerMethod; - rev.leafTests.number_of_preferred_methods = - rev.chainTests.number_of_preferred_methods = 1; - - rev.leafTests.number_of_defined_methods = - rev.chainTests.number_of_defined_methods = cert_revocation_method_ocsp + 1; - - const bool localOnly = flags & FLAG_LOCAL_ONLY; - CERTValInParam cvin[7]; - - // Parameters for both EV and DV validation - cvin[0].type = cert_pi_useAIACertFetch; - cvin[0].value.scalar.b = mMissingCertDownloadEnabled && !localOnly; - cvin[1].type = cert_pi_revocationFlags; - cvin[1].value.pointer.revocation = &rev; - cvin[2].type = cert_pi_date; - cvin[2].value.scalar.time = time; - i = 3; - - CERTChainVerifyCallback callbackContainer; - if (usage == certificateUsageSSLServer) { - callbackContainer.isChainValid = chainValidationCallback; - callbackContainer.isChainValidArg = &callbackState; - cvin[i].type = cert_pi_chainVerifyCallback; - cvin[i].value.pointer.chainVerifyCallback = &callbackContainer; - ++i; - } - - const size_t evParamLocation = i; - - if (evPolicy != SEC_OID_UNKNOWN) { - // EV setup! - // XXX 859872 The current flags are not quite correct. (use - // of ocsp flags for crl preferences). - uint64_t ocspRevMethodFlags = - CERT_REV_M_TEST_USING_THIS_METHOD - | ((mOCSPDownloadEnabled && !localOnly) ? - CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING) - | CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE - | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE - | CERT_REV_M_IGNORE_MISSING_FRESH_INFO - | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO - | (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP); - - rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] = - rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] - = CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD; - - rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] = - rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] - = ocspRevMethodFlags; - - rev.leafTests.cert_rev_method_independent_flags = - rev.chainTests.cert_rev_method_independent_flags = - // avoiding the network is good, let's try local first - CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST - // is overall revocation requirement strict or relaxed? - | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE - ; - - rev.leafTests.preferred_methods[0] = - rev.chainTests.preferred_methods[0] = cert_revocation_method_ocsp; - - cvin[i].type = cert_pi_policyOID; - cvin[i].value.arraySize = 1; - cvin[i].value.array.oids = &evPolicy; - ++i; - PR_ASSERT(trustAnchors); - cvin[i].type = cert_pi_trustAnchors; - cvin[i].value.pointer.chain = trustAnchors.get(); - ++i; - - cvin[i].type = cert_pi_end; - - rv = CERT_PKIXVerifyCert(cert, usage, cvin, cvout, pinArg); - if (rv == SECSuccess) { - if (evOidPolicy) { - *evOidPolicy = evPolicy; - } - PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, - ("VerifyCert: successful CERT_PKIXVerifyCert(ev) \n")); - goto pkix_done; - } - PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, - ("VerifyCert: failed CERT_PKIXVerifyCert(ev)\n")); - if (flags & FLAG_MUST_BE_EV) { - return rv; - } - if (validationChain) { - destroyCertListThatShouldNotExist( - &cvout[validationChainLocation].value.pointer.chain); - } - - if (verifyLog) { - // Cleanup the log so that it is ready the the next validation - CERTVerifyLogNode* i_node; - for (i_node = verifyLog->head; i_node; i_node = i_node->next) { - //destroy cert if any. - if (i_node->cert) { - CERT_DestroyCertificate(i_node->cert); - } - // No need to cleanup the actual nodes in the arena. - } - verifyLog->count = 0; - verifyLog->head = nullptr; - verifyLog->tail = nullptr; - } - - } -#endif - - // If we're here, PKIX EV verification failed. - // If requested, don't do DV fallback. - if (flags & FLAG_MUST_BE_EV) { - PR_ASSERT(*evOidPolicy == SEC_OID_UNKNOWN); -#ifdef NSS_NO_LIBPKIX - PR_SetError(SEC_ERROR_INVALID_ARGS, 0); -#else - PR_SetError(PR_INVALID_STATE_ERROR, 0); -#endif - return SECFailure; - } - - if (mImplementation == classic) { - // XXX: we do not care about the localOnly flag (currently) as the - // caller that wants localOnly should disable and reenable the fetching. - return ClassicVerifyCert(cert, usage, time, pinArg, &callbackState, - validationChain, verifyLog); - } - -#ifdef NSS_NO_LIBPKIX - PR_NOT_REACHED("libpkix implementation chosen but not even compiled in"); - PR_SetError(PR_INVALID_STATE_ERROR, 0); - return SECFailure; -#else - PR_ASSERT(mImplementation == libpkix); - - // The current flags check the chain the same way as the leafs - rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] = - rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] = - // implicit default source - makes no sense for CRLs - CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE - - // let's not stop on fresh CRL. If OCSP is enabled, too, let's check it - | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO - - // no fresh CRL? well, let other flag decide whether to fail or not - | CERT_REV_M_IGNORE_MISSING_FRESH_INFO - - // testing using local CRLs is always allowed - | CERT_REV_M_TEST_USING_THIS_METHOD - - // no local crl and don't know where to get it from? ignore - | CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE - - // crl download based on parameter - | ((mCRLDownloadEnabled && !localOnly) ? - CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING) - ; - - rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] = - rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] = - // use OCSP - CERT_REV_M_TEST_USING_THIS_METHOD - - // if app has a default OCSP responder configured, let's use it - | CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE - - // of course OCSP doesn't work without a source. let's accept such certs - | CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE - - // if ocsp is required stop on lack of freshness - | (mOCSPStrict ? - CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO : CERT_REV_M_IGNORE_MISSING_FRESH_INFO) - - // ocsp success is sufficient - | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO - - // ocsp enabled controls network fetching, too - | ((mOCSPDownloadEnabled && !localOnly) ? - CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING) - - | (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP); - ; - - rev.leafTests.preferred_methods[0] = - rev.chainTests.preferred_methods[0] = cert_revocation_method_ocsp; - - rev.leafTests.cert_rev_method_independent_flags = - rev.chainTests.cert_rev_method_independent_flags = - // avoiding the network is good, let's try local first - CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST; - - // Skip EV parameters - cvin[evParamLocation].type = cert_pi_end; - - PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: calling CERT_PKIXVerifyCert(dv) \n")); - rv = CERT_PKIXVerifyCert(cert, usage, cvin, cvout, pinArg); - -pkix_done: - if (validationChain) { - PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: validation chain requested\n")); - ScopedCERTCertificate trustAnchor(cvout[validationTrustAnchorLocation].value.pointer.cert); - - if (rv == SECSuccess) { - if (! cvout[validationChainLocation].value.pointer.chain) { - PR_SetError(PR_UNKNOWN_ERROR, 0); - return SECFailure; - } - PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: I have a chain\n")); - *validationChain = cvout[validationChainLocation].value.pointer.chain; - if (trustAnchor) { - // we should only add the issuer to the chain if it is not already - // present. On CA cert checking, the issuer is the same cert, so in - // that case we do not add the cert to the chain. - if (!CERT_CompareCerts(trustAnchor.get(), cert)) { - PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: adding issuer to tail for display\n")); - // note: rv is reused to catch errors on cert creation! - ScopedCERTCertificate tempCert(CERT_DupCertificate(trustAnchor.get())); - rv = CERT_AddCertToListTail(validationChain->get(), tempCert.get()); - if (rv == SECSuccess) { - tempCert.release(); // ownership traferred to validationChain - } else { - *validationChain = nullptr; - } - } - } - } else { - destroyCertListThatShouldNotExist( - &cvout[validationChainLocation].value.pointer.chain); - } - } - - return rv; -#endif -} - -SECStatus CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert, /*optional*/ const SECItem* stapledOCSPResponse, PRTime time, /*optional*/ void* pinarg, const char* hostname, bool saveIntermediatesInPermanentDatabase, /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut, /*optional out*/ SECOidTag* evOidPolicy) @@ -947,17 +440,17 @@ CertVerifier::VerifySSLServerCert(CERTCe return SECFailure; } // CreateCertErrorRunnable assumes that CERT_VerifyCertName is only called // if VerifyCert succeeded. ScopedCERTCertList validationChain; SECStatus rv = VerifyCert(peerCert, certificateUsageSSLServer, time, pinarg, hostname, 0, stapledOCSPResponse, &validationChain, - evOidPolicy, nullptr); + evOidPolicy); if (rv != SECSuccess) { return rv; } rv = CERT_VerifyCertName(peerCert, hostname); if (rv != SECSuccess) { return rv; }
--- a/security/certverifier/CertVerifier.h +++ b/security/certverifier/CertVerifier.h @@ -21,91 +21,62 @@ public: // XXX: FLAG_LOCAL_ONLY is ignored in the classic verification case static const Flags FLAG_LOCAL_ONLY; // Don't perform fallback DV validation on EV validation failure. static const Flags FLAG_MUST_BE_EV; // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV // Only one usage per verification is supported. SECStatus VerifyCert(CERTCertificate* cert, - const SECCertificateUsage usage, - const PRTime time, + SECCertificateUsage usage, + PRTime time, void* pinArg, const char* hostname, - const Flags flags = 0, + Flags flags = 0, /*optional in*/ const SECItem* stapledOCSPResponse = nullptr, /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr, - /*optional out*/ SECOidTag* evOidPolicy = nullptr , - /*optional out*/ CERTVerifyLog* verifyLog = nullptr); + /*optional out*/ SECOidTag* evOidPolicy = nullptr); SECStatus VerifySSLServerCert( CERTCertificate* peerCert, /*optional*/ const SECItem* stapledOCSPResponse, PRTime time, /*optional*/ void* pinarg, const char* hostname, bool saveIntermediatesInPermanentDatabase = false, /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut = nullptr, /*optional out*/ SECOidTag* evOidPolicy = nullptr); - - enum implementation_config { - classic = 0, -#ifndef NSS_NO_LIBPKIX - libpkix = 1, -#endif - mozillapkix = 2 - }; - enum pinning_enforcement_config { pinningDisabled = 0, pinningAllowUserCAMITM = 1, pinningStrict = 2, pinningEnforceTestMode = 3 }; enum missing_cert_download_config { missing_cert_download_off = 0, missing_cert_download_on }; enum crl_download_config { crl_local_only = 0, crl_download_allowed }; enum ocsp_download_config { ocsp_off = 0, ocsp_on }; enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict }; enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 }; bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; } - CertVerifier(implementation_config ic, -#ifndef NSS_NO_LIBPKIX - missing_cert_download_config ac, crl_download_config cdc, -#endif - ocsp_download_config odc, ocsp_strict_config osc, + CertVerifier(ocsp_download_config odc, ocsp_strict_config osc, ocsp_get_config ogc, pinning_enforcement_config pinningEnforcementLevel); ~CertVerifier(); void ClearOCSPCache() { mOCSPCache.Clear(); } - const implementation_config mImplementation; -#ifndef NSS_NO_LIBPKIX - const bool mMissingCertDownloadEnabled; - const bool mCRLDownloadEnabled; -#endif const bool mOCSPDownloadEnabled; const bool mOCSPStrict; const bool mOCSPGETEnabled; const pinning_enforcement_config mPinningEnforcementLevel; private: - SECStatus MozillaPKIXVerifyCert(CERTCertificate* cert, - const SECCertificateUsage usage, - const PRTime time, - void* pinArg, - const Flags flags, - ChainValidationCallbackState* callbackState, - /*optional*/ const SECItem* stapledOCSPResponse, - /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain, - /*optional out*/ SECOidTag* evOidPolicy); - OCSPCache mOCSPCache; }; void InitCertVerifierLog(); } } // namespace mozilla::psm #endif // mozilla_psm__CertVerifier_h
--- a/security/certverifier/ExtendedValidation.cpp +++ b/security/certverifier/ExtendedValidation.cpp @@ -881,65 +881,31 @@ register_oid(const SECItem* oid_item, co od.oid.data = oid_item->data; od.offset = SEC_OID_UNKNOWN; od.desc = oid_name; od.mechanism = CKM_INVALID_MECHANISM; od.supportedExtension = INVALID_CERT_EXTENSION; return SECOID_AddEntry(&od); } -#ifndef NSS_NO_LIBPKIX -static void -addToCertListIfTrusted(CERTCertList* certList, CERTCertificate* cert) { - CERTCertTrust nssTrust; - if (CERT_GetCertTrust(cert, &nssTrust) != SECSuccess) { - return; - } - unsigned int flags = SEC_GET_TRUST_FLAGS(&nssTrust, trustSSL); - - if (flags & CERTDB_TRUSTED_CA) { - CERT_AddCertToListTail(certList, CERT_DupCertificate(cert)); - } -} -#endif - static bool isEVPolicy(SECOidTag policyOIDTag) { for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) { nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV]; if (policyOIDTag == entry.oid_tag) { return true; } } return false; } namespace mozilla { namespace psm { -#ifndef NSS_NO_LIBPKIX -CERTCertList* -GetRootsForOid(SECOidTag oid_tag) -{ - CERTCertList* certList = CERT_NewCertList(); - if (!certList) - return nullptr; - - for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) { - nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV]; - if (entry.oid_tag == oid_tag) { - addToCertListIfTrusted(certList, entry.cert); - } - } - - return certList; -} -#endif - bool CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert, const mozilla::pkix::CertPolicyId& policy) { PR_ASSERT(cert); if (!cert) { return false; }
--- a/security/certverifier/ExtendedValidation.h +++ b/security/certverifier/ExtendedValidation.h @@ -21,15 +21,11 @@ SECStatus GetFirstEVPolicy(CERTCertifica /*out*/ SECOidTag& policyOidTag); // CertIsAuthoritativeForEVPolicy does NOT evaluate whether the cert is trusted // or distrusted. bool CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert, const mozilla::pkix::CertPolicyId& policy); #endif -#ifndef NSS_NO_LIBPKIX -CERTCertList* GetRootsForOid(SECOidTag oid_tag); -#endif - } } // namespace mozilla::psm #endif // mozilla_psm_ExtendedValidation_h
--- a/security/certverifier/NSSCertDBTrustDomain.cpp +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -9,17 +9,16 @@ #include <stdint.h> #include "ExtendedValidation.h" #include "NSSErrorsService.h" #include "OCSPRequestor.h" #include "certdb.h" #include "mozilla/Telemetry.h" #include "nss.h" -#include "ocsp.h" #include "pk11pub.h" #include "pkix/pkix.h" #include "prerror.h" #include "prmem.h" #include "prprf.h" #include "secerr.h" #include "secmod.h" @@ -691,42 +690,16 @@ UnloadLoadableRoots(const char* modNameU PR_ASSERT(modNameUTF8); ScopedSECMODModule rootsModule(SECMOD_FindModule(modNameUTF8)); if (rootsModule) { SECMOD_UnloadUserModule(rootsModule.get()); } } -void -SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled, - CertVerifier::ocsp_strict_config strict, - CertVerifier::ocsp_get_config get) -{ - CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB()); - if (enabled == CertVerifier::ocsp_off) { - CERT_DisableOCSPChecking(CERT_GetDefaultCertDB()); - } else { - CERT_EnableOCSPChecking(CERT_GetDefaultCertDB()); - } - - SEC_OcspFailureMode failureMode = strict == CertVerifier::ocsp_strict - ? ocspMode_FailureIsVerificationFailure - : ocspMode_FailureIsNotAVerificationFailure; - (void) CERT_SetOCSPFailureMode(failureMode); - - CERT_ForcePostMethodForOCSP(get != CertVerifier::ocsp_get_enabled); - - uint32_t OCSPTimeoutSeconds = 3u; - if (strict == CertVerifier::ocsp_strict) { - OCSPTimeoutSeconds = 10u; - } - CERT_SetOCSPTimeout(OCSPTimeoutSeconds); -} - char* DefaultServerNicknameForCert(CERTCertificate* cert) { char* nickname = nullptr; int count; bool conflict; char* servername = nullptr;
--- a/security/certverifier/NSSCertDBTrustDomain.h +++ b/security/certverifier/NSSCertDBTrustDomain.h @@ -27,24 +27,16 @@ void PORT_Free_string(char* str); // // The modNameUTF8 parameter should usually be // BUILTIN_ROOTS_MODULE_DEFAULT_NAME. SECStatus LoadLoadableRoots(/*optional*/ const char* dir, const char* modNameUTF8); void UnloadLoadableRoots(const char* modNameUTF8); -// Controls the OCSP fetching behavior of the classic verification mode. In the -// classic mode, the OCSP fetching behavior is set globally instead of per -// validation. -void -SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled, - CertVerifier::ocsp_strict_config strict, - CertVerifier::ocsp_get_config get); - // Caller must free the result with PR_Free char* DefaultServerNicknameForCert(CERTCertificate* cert); void SaveIntermediateCerts(const mozilla::pkix::ScopedCERTCertList& certList); class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp +++ b/security/manager/ssl/src/SSLServerCertVerification.cpp @@ -100,17 +100,16 @@ #include "CertVerifier.h" #include "CryptoTask.h" #include "ExtendedValidation.h" #include "NSSCertDBTrustDomain.h" #include "nsIBadCertListener2.h" #include "nsICertOverrideService.h" #include "nsISiteSecurityService.h" #include "nsNSSComponent.h" -#include "nsNSSCleaner.h" #include "nsRecentBadCerts.h" #include "nsNSSIOLayer.h" #include "nsNSSShutDown.h" #include "mozilla/Assertions.h" #include "mozilla/Mutex.h" #include "mozilla/Telemetry.h" #include "mozilla/unused.h" @@ -122,29 +121,25 @@ #include "PSMRunnable.h" #include "SharedSSLState.h" #include "nsContentUtils.h" #include "ssl.h" #include "secerr.h" #include "secport.h" #include "sslerr.h" -#include "ocsp.h" #ifdef PR_LOGGING extern PRLogModuleInfo* gPIPNSSLog; #endif namespace mozilla { namespace psm { namespace { -NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate) -NSSCleanupAutoPtrClass_WithParam(PLArenaPool, PORT_FreeArena, FalseParam, false) - // do not use a nsCOMPtr to avoid static initializer/destructor nsIThreadPool* gCertVerificationThreadPool = nullptr; // We avoid using a mutex for the success case to avoid lock-related // performance issues. However, we do use a lock in the error case to simplify // the code, since performance in the error case is not important. Mutex* gSSLVerificationTelemetryMutex = nullptr; @@ -306,23 +301,22 @@ MapCertErrorToProbeValue(PRErrorCode err case SEC_ERROR_EXPIRED_CERTIFICATE: return 10; } NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue " "handle everything in PRErrorCodeToOverrideType?"); return 0; } SECStatus -MozillaPKIXDetermineCertOverrideErrors(CERTCertificate* cert, - const char* hostName, PRTime now, - PRErrorCode defaultErrorCodeToReport, - /*out*/ uint32_t& collectedErrors, - /*out*/ PRErrorCode& errorCodeTrust, - /*out*/ PRErrorCode& errorCodeMismatch, - /*out*/ PRErrorCode& errorCodeExpired) +DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName, + PRTime now, PRErrorCode defaultErrorCodeToReport, + /*out*/ uint32_t& collectedErrors, + /*out*/ PRErrorCode& errorCodeTrust, + /*out*/ PRErrorCode& errorCodeMismatch, + /*out*/ PRErrorCode& errorCodeExpired) { MOZ_ASSERT(cert); MOZ_ASSERT(hostName); MOZ_ASSERT(collectedErrors == 0); MOZ_ASSERT(errorCodeTrust == 0); MOZ_ASSERT(errorCodeMismatch == 0); MOZ_ASSERT(errorCodeExpired == 0); @@ -543,139 +537,16 @@ CertErrorRunnable::RunOnTargetThread() { MOZ_ASSERT(NS_IsMainThread()); mResult = CheckCertOverrides(); MOZ_ASSERT(mResult); } -// Converts a PRErrorCode into one of -// nsICertOverrideService::ERROR_UNTRUSTED, -// nsICertOverrideService::ERROR_MISMATCH, -// nsICertOverrideService::ERROR_TIME -// if the given error code is an overridable error. -// If it is not, then 0 is returned. -uint32_t -PRErrorCodeToOverrideType(PRErrorCode errorCode) -{ - switch (errorCode) - { - case SEC_ERROR_UNKNOWN_ISSUER: - case SEC_ERROR_UNTRUSTED_ISSUER: - case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: - case SEC_ERROR_UNTRUSTED_CERT: - case SEC_ERROR_INADEQUATE_KEY_USAGE: - case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: - // We group all these errors as "cert not trusted" - return nsICertOverrideService::ERROR_UNTRUSTED; - case SSL_ERROR_BAD_CERT_DOMAIN: - return nsICertOverrideService::ERROR_MISMATCH; - case SEC_ERROR_EXPIRED_CERTIFICATE: - return nsICertOverrideService::ERROR_TIME; - default: - return 0; - } -} - -SECStatus -NSSDetermineCertOverrideErrors(CertVerifier& certVerifier, - CERTCertificate* cert, - const SECItem* stapledOCSPResponse, - TransportSecurityInfo* infoObject, - PRTime now, - PRErrorCode defaultErrorCodeToReport, - /*out*/ uint32_t& collectedErrors, - /*out*/ PRErrorCode& errorCodeTrust, - /*out*/ PRErrorCode& errorCodeMismatch, - /*out*/ PRErrorCode& errorCodeExpired) -{ - MOZ_ASSERT(cert); - MOZ_ASSERT(infoObject); - MOZ_ASSERT(defaultErrorCodeToReport != 0); - MOZ_ASSERT(collectedErrors == 0); - MOZ_ASSERT(errorCodeTrust == 0); - MOZ_ASSERT(errorCodeMismatch == 0); - MOZ_ASSERT(errorCodeExpired == 0); - - if (defaultErrorCodeToReport == 0) { - NS_ERROR("No error code set during certificate validation failure."); - PR_SetError(PR_INVALID_STATE_ERROR, 0); - return SECFailure; - } - - // We only allow overrides for certain errors. Return early if the error - // is not one of them. This is to avoid doing revocation fetching in the - // case of OCSP stapling and probably for other reasons. - if (PRErrorCodeToOverrideType(defaultErrorCodeToReport) == 0) { - PR_SetError(defaultErrorCodeToReport, 0); - return SECFailure; - } - - PLArenaPool* log_arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - PLArenaPoolCleanerFalseParam log_arena_cleaner(log_arena); - if (!log_arena) { - NS_ERROR("PORT_NewArena failed"); - return SECFailure; // PORT_NewArena set error code - } - - CERTVerifyLog* verify_log = PORT_ArenaZNew(log_arena, CERTVerifyLog); - if (!verify_log) { - NS_ERROR("PORT_ArenaZNew failed"); - return SECFailure; // PORT_ArenaZNew set error code - } - CERTVerifyLogContentsCleaner verify_log_cleaner(verify_log); - verify_log->arena = log_arena; - - // We ignore the result code of the cert verification (i.e. VerifyCert's rv) - // Either it is a failure, which is expected, and we'll process the - // verify log below. - // Or it is a success, then a domain mismatch is the only - // possible failure. - // XXX TODO: convert to VerifySSLServerCert - // XXX TODO: get rid of error log - certVerifier.VerifyCert(cert, certificateUsageSSLServer, - now, infoObject, infoObject->GetHostNameRaw(), - 0, stapledOCSPResponse, nullptr, nullptr, verify_log); - - // Check the name field against the desired hostname. - if (CERT_VerifyCertName(cert, infoObject->GetHostNameRaw()) != SECSuccess) { - collectedErrors |= nsICertOverrideService::ERROR_MISMATCH; - errorCodeMismatch = SSL_ERROR_BAD_CERT_DOMAIN; - } - - CERTVerifyLogNode* i_node; - for (i_node = verify_log->head; i_node; i_node = i_node->next) { - uint32_t overrideType = PRErrorCodeToOverrideType(i_node->error); - // If this isn't an overridable error, set the error and return. - if (overrideType == 0) { - PR_SetError(i_node->error, 0); - return SECFailure; - } - collectedErrors |= overrideType; - if (overrideType == nsICertOverrideService::ERROR_UNTRUSTED) { - if (errorCodeTrust == 0) { - errorCodeTrust = i_node->error; - } - } else if (overrideType == nsICertOverrideService::ERROR_MISMATCH) { - if (errorCodeMismatch == 0) { - errorCodeMismatch = i_node->error; - } - } else if (overrideType == nsICertOverrideService::ERROR_TIME) { - if (errorCodeExpired == 0) { - errorCodeExpired = i_node->error; - } - } else { - MOZ_CRASH("unexpected return value from PRErrorCodeToOverrideType"); - } - } - - return SECSuccess; -} - // Returns null with the error code (PR_GetError()) set if it does not create // the CertErrorRunnable. CertErrorRunnable* CreateCertErrorRunnable(CertVerifier& certVerifier, PRErrorCode defaultErrorCodeToReport, TransportSecurityInfo* infoObject, CERTCertificate* cert, const SECItem* stapledOCSPResponse, @@ -685,47 +556,20 @@ CreateCertErrorRunnable(CertVerifier& ce { MOZ_ASSERT(infoObject); MOZ_ASSERT(cert); uint32_t collected_errors = 0; PRErrorCode errorCodeTrust = 0; PRErrorCode errorCodeMismatch = 0; PRErrorCode errorCodeExpired = 0; - - SECStatus rv; - switch (certVerifier.mImplementation) { - case CertVerifier::classic: -#ifndef NSS_NO_LIBPKIX - case CertVerifier::libpkix: -#endif - rv = NSSDetermineCertOverrideErrors(certVerifier, cert, stapledOCSPResponse, - infoObject, now, - defaultErrorCodeToReport, - collected_errors, errorCodeTrust, - errorCodeMismatch, errorCodeExpired); - break; - - case CertVerifier::mozillapkix: - rv = MozillaPKIXDetermineCertOverrideErrors(cert, - infoObject->GetHostNameRaw(), - now, defaultErrorCodeToReport, - collected_errors, - errorCodeTrust, - errorCodeMismatch, - errorCodeExpired); - break; - - default: - MOZ_CRASH("unexpected CertVerifier implementation"); - PR_SetError(defaultErrorCodeToReport, 0); - return nullptr; - - } - if (rv != SECSuccess) { + if (DetermineCertOverrideErrors(cert, infoObject->GetHostNameRaw(), now, + defaultErrorCodeToReport, collected_errors, + errorCodeTrust, errorCodeMismatch, + errorCodeExpired) != SECSuccess) { return nullptr; } RefPtr<nsNSSCertificate> nssCert(nsNSSCertificate::Create(cert)); if (!nssCert) { NS_ERROR("nsNSSCertificate::Create failed"); PR_SetError(SEC_ERROR_NO_MEMORY, 0); return nullptr; @@ -901,67 +745,16 @@ AuthCertificate(CertVerifier& certVerifi CERTCertificate* cert, SECItem* stapledOCSPResponse, uint32_t providerFlags, PRTime time) { MOZ_ASSERT(infoObject); MOZ_ASSERT(cert); SECStatus rv; - // TODO: Remove this after we switch to mozilla::pkix as the - // only option - if (certVerifier.mImplementation == CertVerifier::classic) { - if (stapledOCSPResponse) { - CERTCertDBHandle* handle = CERT_GetDefaultCertDB(); - rv = CERT_CacheOCSPResponseFromSideChannel(handle, cert, PR_Now(), - stapledOCSPResponse, - infoObject); - if (rv != SECSuccess) { - // Due to buggy servers that will staple expired OCSP responses - // (see for example http://trac.nginx.org/nginx/ticket/425), - // don't terminate the connection if the stapled response is expired. - // We will fall back to fetching revocation information. - PRErrorCode ocspErrorCode = PR_GetError(); - if (ocspErrorCode != SEC_ERROR_OCSP_OLD_RESPONSE) { - // stapled OCSP response present but invalid for some reason - Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 4); - return rv; - } else { - // stapled OCSP response present but expired - Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 3); - } - } else { - // stapled OCSP response present and good - Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 1); - } - } else { - // no stapled OCSP response - Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 2); - - uint32_t reasonsForNotFetching = 0; - - char* ocspURI = CERT_GetOCSPAuthorityInfoAccessLocation(cert); - if (!ocspURI) { - reasonsForNotFetching |= 1; // invalid/missing OCSP URI - } else { - if (std::strncmp(ocspURI, "http://", 7)) { // approximation - reasonsForNotFetching |= 1; // invalid/missing OCSP URI - } - PORT_Free(ocspURI); - } - - if (!certVerifier.mOCSPDownloadEnabled) { - reasonsForNotFetching |= 2; - } - - Telemetry::Accumulate(Telemetry::SSL_OCSP_MAY_FETCH, - reasonsForNotFetching); - } - } - // We want to avoid storing any intermediate cert information when browsing // in private, transient contexts. bool saveIntermediates = !(providerFlags & nsISocketProvider::NO_PERMANENT_STORAGE); mozilla::pkix::ScopedCERTCertList certList; SECOidTag evOidPolicy; rv = certVerifier.VerifySSLServerCert(cert, stapledOCSPResponse, @@ -1073,44 +866,21 @@ SSLServerCertVerificationJob::Run() ("[%p] SSLServerCertVerificationJob::Run\n", mInfoObject.get())); PRErrorCode error; nsNSSShutDownPreventionLock nssShutdownPrevention; if (mInfoObject->isAlreadyShutDown()) { error = SEC_ERROR_USER_CANCELLED; } else { - Telemetry::ID successTelemetry; - Telemetry::ID failureTelemetry; - switch (mCertVerifier->mImplementation) { - case CertVerifier::classic: - successTelemetry - = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC; - failureTelemetry - = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC; - break; - case CertVerifier::mozillapkix: - successTelemetry - = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX; - failureTelemetry - = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX; - break; -#ifndef NSS_NO_LIBPKIX - case CertVerifier::libpkix: - successTelemetry - = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX; - failureTelemetry - = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX; - break; -#endif - default: - MOZ_CRASH("Unknown CertVerifier mode"); - } + Telemetry::ID successTelemetry + = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX; + Telemetry::ID failureTelemetry + = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX; - // XXX // Reset the error code here so we can detect if AuthCertificate fails to // set the error code if/when it fails. PR_SetError(0, 0); SECStatus rv = AuthCertificate(*mCertVerifier, mInfoObject, mCert.get(), mStapledOCSPResponse, mProviderFlags, mTime); if (rv == SECSuccess) { uint32_t interval = (uint32_t) ((TimeStamp::Now() - mJobStartTime).ToMilliseconds());
--- a/security/manager/ssl/src/ScopedNSSTypes.h +++ b/security/manager/ssl/src/ScopedNSSTypes.h @@ -17,17 +17,16 @@ #include "cert.h" #include "cms.h" #include "keyhi.h" #include "cryptohi.h" #include "pk11pub.h" #include "sechash.h" #include "secpkcs7.h" #include "prerror.h" -#include "ocsp.h" namespace mozilla { // It is very common to cast between char* and uint8_t* when doing crypto stuff. // Here, we provide more type-safe wrappers around reinterpret_cast so you don't // shoot yourself in the foot by reinterpret_casting completely unrelated types. inline char * @@ -78,19 +77,16 @@ MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLAT CERTCertList, CERT_DestroyCertList) MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTName, CERTName, CERT_DestroyName) MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTCertNicknames, CERTCertNicknames, CERT_FreeNicknames) -MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTOCSPCertID, - CERTOCSPCertID, - CERT_DestroyOCSPCertID) MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTSubjectPublicKeyInfo, CERTSubjectPublicKeyInfo, SECKEY_DestroySubjectPublicKeyInfo) MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTValidity, CERTValidity, CERT_DestroyValidity) MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedNSSCMSMessage,
--- a/security/manager/ssl/src/SharedCertVerifier.h +++ b/security/manager/ssl/src/SharedCertVerifier.h @@ -14,28 +14,19 @@ namespace mozilla { namespace psm { class SharedCertVerifier : public mozilla::psm::CertVerifier { protected: ~SharedCertVerifier(); public: NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SharedCertVerifier) - SharedCertVerifier(implementation_config ic, -#ifndef NSS_NO_LIBPKIX - missing_cert_download_config ac, crl_download_config cdc, -#endif - ocsp_download_config odc, ocsp_strict_config osc, + SharedCertVerifier(ocsp_download_config odc, ocsp_strict_config osc, ocsp_get_config ogc, pinning_enforcement_config pinningEnforcementLevel) - : mozilla::psm::CertVerifier(ic, -#ifndef NSS_NO_LIBPKIX - ac, cdc, -#endif - odc, osc, ogc, - pinningEnforcementLevel) + : mozilla::psm::CertVerifier(odc, osc, ogc, pinningEnforcementLevel) { } }; } } // namespace mozilla::psm #endif // mozilla_psm__SharedCertVerifier_h
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp +++ b/security/manager/ssl/src/nsNSSCallbacks.cpp @@ -581,26 +581,16 @@ void nsNSSHttpInterface::initTable() v1.createFcn = createFcn; v1.setPostDataFcn = setPostDataFcn; v1.addHeaderFcn = addHeaderFcn; v1.trySendAndReceiveFcn = trySendAndReceiveFcn; v1.cancelFcn = cancelFcn; v1.freeFcn = freeFcn; } -void nsNSSHttpInterface::registerHttpClient() -{ - SEC_RegisterDefaultHttpClient(&sNSSInterfaceTable); -} - -void nsNSSHttpInterface::unregisterHttpClient() -{ - SEC_RegisterDefaultHttpClient(nullptr); -} - nsHTTPListener::nsHTTPListener() : mResultData(nullptr), mResultLen(0), mLock("nsHTTPListener.mLock"), mCondition(mLock, "nsHTTPListener.mCondition"), mWaitFlag(true), mResponsibleForDoneSignal(false), mLoadGroup(nullptr),
--- a/security/manager/ssl/src/nsNSSCallbacks.h +++ b/security/manager/ssl/src/nsNSSCallbacks.h @@ -215,14 +215,11 @@ public: static SECStatus freeFcn(SEC_HTTP_REQUEST_SESSION request) { return static_cast<nsNSSHttpRequestSession*>(request) ->freeFcn(); } static void initTable(); static SEC_HttpClientFcn sNSSInterfaceTable; - - void registerHttpClient(); - void unregisterHttpClient(); }; #endif // _NSNSSCALLBACKS_H_
--- a/security/manager/ssl/src/nsNSSCertificate.cpp +++ b/security/manager/ssl/src/nsNSSCertificate.cpp @@ -44,17 +44,16 @@ #include "nspr.h" #include "certdb.h" #include "secerr.h" #include "nssb64.h" #include "secasn1.h" #include "secder.h" #include "ssl.h" -#include "ocsp.h" #include "plbase64.h" using namespace mozilla; using namespace mozilla::psm; #ifdef PR_LOGGING extern PRLogModuleInfo* gPIPNSSLog; #endif
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp +++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp @@ -42,17 +42,16 @@ #include "nspr.h" #include "certdb.h" #include "secerr.h" #include "nssb64.h" #include "secasn1.h" #include "secder.h" #include "ssl.h" -#include "ocsp.h" #include "plbase64.h" using namespace mozilla; using namespace mozilla::psm; using mozilla::psm::SharedSSLState; #ifdef PR_LOGGING extern PRLogModuleInfo* gPIPNSSLog; @@ -1811,19 +1810,11 @@ nsNSSCertificateDB::ClearOCSPCache() { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) { return NS_ERROR_NOT_AVAILABLE; } RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier()); NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE); - if (certVerifier->mImplementation == CertVerifier::mozillapkix) { - certVerifier->ClearOCSPCache(); - } else { - SECStatus srv = CERT_ClearOCSPCache(); - if (srv != SECSuccess) { - return MapSECStatus(srv); - } - } - + certVerifier->ClearOCSPCache(); return NS_OK; }
--- a/security/manager/ssl/src/nsNSSComponent.cpp +++ b/security/manager/ssl/src/nsNSSComponent.cpp @@ -53,17 +53,16 @@ #include "SharedSSLState.h" #include "NSSErrorsService.h" #include "nss.h" #include "ssl.h" #include "sslproto.h" #include "secmod.h" #include "secmime.h" -#include "ocsp.h" #include "secerr.h" #include "sslerr.h" #include "nsXULAppAPI.h" #ifdef XP_WIN #include "nsILocalFileWin.h" #endif @@ -238,20 +237,20 @@ bool EnsureNSSInitialized(EnsureNSSOpera default: NS_ASSERTION(false, "Bad operator to EnsureNSSInitialized"); return false; } } static void -SetClassicOCSPBehaviorFromPrefs(/*out*/ CertVerifier::ocsp_download_config* odc, - /*out*/ CertVerifier::ocsp_strict_config* osc, - /*out*/ CertVerifier::ocsp_get_config* ogc, - const MutexAutoLock& /*proofOfLock*/) +GetOCSPBehaviorFromPrefs(/*out*/ CertVerifier::ocsp_download_config* odc, + /*out*/ CertVerifier::ocsp_strict_config* osc, + /*out*/ CertVerifier::ocsp_get_config* ogc, + const MutexAutoLock& /*proofOfLock*/) { MOZ_ASSERT(NS_IsMainThread()); MOZ_ASSERT(odc); MOZ_ASSERT(osc); MOZ_ASSERT(ogc); // 0 = disabled, otherwise enabled *odc = Preferences::GetInt("security.OCSP.enabled", 1) @@ -262,18 +261,16 @@ SetClassicOCSPBehaviorFromPrefs(/*out*/ ? CertVerifier::ocsp_strict : CertVerifier::ocsp_relaxed; // XXX: Always use POST for OCSP; see bug 871954 for undoing this. *ogc = Preferences::GetBool("security.OCSP.GET.enabled", false) ? CertVerifier::ocsp_get_enabled : CertVerifier::ocsp_get_disabled; - SetClassicOCSPBehavior(*odc, *osc, *ogc); - SSL_ClearSessionCache(); } nsNSSComponent::nsNSSComponent() :mutex("nsNSSComponent.mutex"), mNSSInitialized(false), #ifndef MOZ_DISABLE_CRYPTOLEGACY mThreadList(nullptr), @@ -986,92 +983,38 @@ void nsNSSComponent::setValidationOption // We measure the setting of the pref at startup only to minimize noise by // addons that may muck with the settings, though it probably doesn't matter. if (isInitialSetting) { Telemetry::Accumulate(Telemetry::CERT_OCSP_ENABLED, ocspEnabled); Telemetry::Accumulate(Telemetry::CERT_OCSP_REQUIRED, ocspRequired); } -#ifndef NSS_NO_LIBPKIX - bool crlDownloading = Preferences::GetBool("security.CRL_download.enabled", - false); - bool aiaDownloadEnabled = - Preferences::GetBool("security.missing_cert_download.enabled", false); - -#endif bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling", true); PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled); PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled); - CertVerifier::implementation_config certVerifierImplementation - = CertVerifier::classic; - - // The mozilla::pkix pref overrides the libpkix pref - if (Preferences::GetBool("security.use_mozillapkix_verification", true)) { - certVerifierImplementation = CertVerifier::mozillapkix; - } else { -#ifndef NSS_NO_LIBPKIX - if (Preferences::GetBool("security.use_libpkix_verification", false)) { - certVerifierImplementation = CertVerifier::libpkix; - } -#endif - } - - if (isInitialSetting) { - if (certVerifierImplementation == CertVerifier::classic) { - Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 1); -#ifndef NSS_NO_LIBPKIX - } else if (certVerifierImplementation == CertVerifier::libpkix) { - Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 2); -#endif - } else if (certVerifierImplementation == CertVerifier::mozillapkix) { - Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 3); - } - } - // Default pinning enforcement level is disabled. CertVerifier::pinning_enforcement_config pinningEnforcementLevel = static_cast<CertVerifier::pinning_enforcement_config> (Preferences::GetInt("security.cert_pinning.enforcement_level", CertVerifier::pinningDisabled)); if (pinningEnforcementLevel > CertVerifier::pinningEnforceTestMode) { pinningEnforcementLevel = CertVerifier::pinningDisabled; } CertVerifier::ocsp_download_config odc; CertVerifier::ocsp_strict_config osc; CertVerifier::ocsp_get_config ogc; - SetClassicOCSPBehaviorFromPrefs(&odc, &osc, &ogc, lock); - mDefaultCertVerifier = new SharedCertVerifier( - certVerifierImplementation, -#ifndef NSS_NO_LIBPKIX - aiaDownloadEnabled ? - CertVerifier::missing_cert_download_on : CertVerifier::missing_cert_download_off, - crlDownloading ? - CertVerifier::crl_download_allowed : CertVerifier::crl_local_only, -#endif - odc, osc, ogc, pinningEnforcementLevel); - - // mozilla::pkix has its own OCSP cache, so disable the NSS cache - // if appropriate. - if (certVerifierImplementation == CertVerifier::mozillapkix) { - // Using -1 disables the cache. The other arguments are the default - // values and aren't exposed by the API. - CERT_OCSPCacheSettings(-1, 1*60*60L, 24*60*60L); - } else { - // Using 1000 enables the cache with the default size of 1000. Again, - // these values are not exposed by the API. - CERT_OCSPCacheSettings(1000, 1*60*60L, 24*60*60L); - } - - CERT_ClearOCSPCache(); + GetOCSPBehaviorFromPrefs(&odc, &osc, &ogc, lock); + mDefaultCertVerifier = new SharedCertVerifier(odc, osc, ogc, + pinningEnforcementLevel); } // Enable the TLS versions given in the prefs, defaulting to SSL 3.0 (min // version) and TLS 1.2 (max version) when the prefs aren't set or set to // invalid values. nsresult nsNSSComponent::setEnabledTLSVersions() { @@ -1270,17 +1213,16 @@ nsNSSComponent::InitializeNSS() PR_LOG(gPIPNSSLog, PR_LOG_ERROR, ("Unable to initialize cipher suite settings\n")); return NS_ERROR_FAILURE; } // dynamic options from prefs setValidationOptions(true, lock); mHttpForNSS.initTable(); - mHttpForNSS.registerHttpClient(); #ifndef MOZ_DISABLE_CRYPTOLEGACY LaunchSmartCardThreads(); #endif RegisterPSMErrorTable(); PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("NSS Initialization done\n")); @@ -1296,17 +1238,16 @@ nsNSSComponent::ShutdownNSS() PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSComponent::ShutdownNSS\n")); MutexAutoLock lock(mutex); if (mNSSInitialized) { mNSSInitialized = false; PK11_SetPasswordFunc((PK11PasswordFunc)nullptr); - mHttpForNSS.unregisterHttpClient(); Preferences::RemoveObserver(this, "security."); if (NS_FAILED(CipherSuiteChangeObserver::StopObserve())) { PR_LOG(gPIPNSSLog, PR_LOG_ERROR, ("nsNSSComponent::ShutdownNSS cannot stop observing cipher suite change\n")); } #ifndef MOZ_DISABLE_CRYPTOLEGACY ShutdownSmartCardThreads(); @@ -1665,24 +1606,19 @@ nsNSSComponent::Observe(nsISupports* aSu SSL_OptionSetDefault(SSL_ENABLE_NPN, Preferences::GetBool("security.ssl.enable_npn", NPN_ENABLED_DEFAULT)); } else if (prefName.EqualsLiteral("security.ssl.enable_alpn")) { SSL_OptionSetDefault(SSL_ENABLE_ALPN, Preferences::GetBool("security.ssl.enable_alpn", ALPN_ENABLED_DEFAULT)); } else if (prefName.EqualsLiteral("security.OCSP.enabled") || - prefName.EqualsLiteral("security.CRL_download.enabled") || - prefName.EqualsLiteral("security.fresh_revocation_info.require") || - prefName.EqualsLiteral("security.missing_cert_download.enabled") || prefName.EqualsLiteral("security.OCSP.require") || prefName.EqualsLiteral("security.OCSP.GET.enabled") || prefName.EqualsLiteral("security.ssl.enable_ocsp_stapling") || - prefName.EqualsLiteral("security.use_mozillapkix_verification") || - prefName.EqualsLiteral("security.use_libpkix_verification") || prefName.EqualsLiteral("security.cert_pinning.enforcement_level")) { MutexAutoLock lock(mutex); setValidationOptions(false, lock); } else if (prefName.EqualsLiteral("network.ntlm.send-lm-response")) { bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response", SEND_LM_DEFAULT); nsNTLMAuthModule::SetSendLM(sendLM); clearSessionCache = false;
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp +++ b/security/manager/ssl/src/nsNSSIOLayer.cpp @@ -8,16 +8,17 @@ #include "pkix/pkixtypes.h" #include "nsNSSComponent.h" #include "mozilla/Casting.h" #include "mozilla/DebugOnly.h" #include "mozilla/Telemetry.h" #include "prlog.h" +#include "prmem.h" #include "prnetdb.h" #include "nsIPrefService.h" #include "nsIClientAuthDialogs.h" #include "nsClientAuthRemember.h" #include "nsISSLErrorListener.h" #include "nsNetUtil.h" #include "nsPrintfCString.h"
--- a/security/manager/ssl/tests/unit/test_cert_eku.js +++ b/security/manager/ssl/tests/unit/test_cert_eku.js @@ -18,17 +18,16 @@ function cert_from_file(filename) { function load_cert(cert_name, trust_string) { var cert_filename = cert_name + ".der"; addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string); return cert_from_file(cert_filename); } function run_test() { load_cert("ca", "CT,CT,CT"); - Services.prefs.setBoolPref("security.use_mozillapkix_verification", true); checkCertErrorGeneric(certdb, load_cert('int-EKU-CA', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA); checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), 0, certificateUsageSSLClient); checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer); checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA); checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner); checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient); checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
--- a/security/manager/ssl/tests/unit/test_cert_eku/generate.py +++ b/security/manager/ssl/tests/unit/test_cert_eku/generate.py @@ -64,17 +64,16 @@ function cert_from_file(filename) { function load_cert(cert_name, trust_string) { var cert_filename = cert_name + ".der"; addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string); return cert_from_file(cert_filename); } function run_test() { load_cert("ca", "CT,CT,CT"); - Services.prefs.setBoolPref("security.use_mozillapkix_verification", true); """ js_file_footer = """} """ def gen_int_js_output(int_string): expectedResult = "SEC_ERROR_INADEQUATE_CERT_TYPE" # For a certificate to verify successfully as a SSL CA, it must either
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js +++ b/security/manager/ssl/tests/unit/test_cert_overrides.js @@ -47,214 +47,150 @@ function add_non_overridable_test(aHost, } function check_telemetry() { let histogram = Cc["@mozilla.org/base/telemetry;1"] .getService(Ci.nsITelemetry) .getHistogramById("SSL_CERT_ERROR_OVERRIDES") .snapshot(); do_check_eq(histogram.counts[ 0], 0); - do_check_eq(histogram.counts[ 2], 8 + 1); // SEC_ERROR_UNKNOWN_ISSUER - do_check_eq(histogram.counts[ 3], 0); // SEC_ERROR_CA_CERT_INVALID - do_check_eq(histogram.counts[ 4], 0 + 5); // SEC_ERROR_UNTRUSTED_ISSUER - do_check_eq(histogram.counts[ 5], 0 + 1); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE - do_check_eq(histogram.counts[ 6], 0 + 1); // SEC_ERROR_UNTRUSTED_CERT - do_check_eq(histogram.counts[ 7], 0 + 1); // SEC_ERROR_INADEQUATE_KEY_USAGE - do_check_eq(histogram.counts[ 8], 2 + 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED - do_check_eq(histogram.counts[ 9], 4 + 4); // SSL_ERROR_BAD_CERT_DOMAIN - do_check_eq(histogram.counts[10], 5 + 5); // SEC_ERROR_EXPIRED_CERTIFICATE + do_check_eq(histogram.counts[ 2], 8); // SEC_ERROR_UNKNOWN_ISSUER + do_check_eq(histogram.counts[ 3], 0); // SEC_ERROR_CA_CERT_INVALID + do_check_eq(histogram.counts[ 4], 0); // SEC_ERROR_UNTRUSTED_ISSUER + do_check_eq(histogram.counts[ 5], 0); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE + do_check_eq(histogram.counts[ 6], 0); // SEC_ERROR_UNTRUSTED_CERT + do_check_eq(histogram.counts[ 7], 0); // SEC_ERROR_INADEQUATE_KEY_USAGE + do_check_eq(histogram.counts[ 8], 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED + do_check_eq(histogram.counts[ 9], 4); // SSL_ERROR_BAD_CERT_DOMAIN + do_check_eq(histogram.counts[10], 5); // SEC_ERROR_EXPIRED_CERTIFICATE run_next_test(); } function run_test() { add_tls_server_setup("BadCertServer"); let fakeOCSPResponder = new HttpServer(); fakeOCSPResponder.registerPrefixHandler("/", function (request, response) { response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); }); fakeOCSPResponder.start(8080); - add_tests_in_mode(true); - add_tests_in_mode(false); + add_simple_tests(); + add_combo_tests(); + add_distrust_tests(); add_test(function () { fakeOCSPResponder.stop(check_telemetry); }); run_next_test(); } -function add_tests_in_mode(useMozillaPKIX) { - add_test(function () { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", - useMozillaPKIX); - run_next_test(); - }); - - add_simple_tests(useMozillaPKIX); - add_combo_tests(useMozillaPKIX); - add_distrust_tests(useMozillaPKIX); - - add_test(function () { - certOverrideService.clearValidityOverride("all:temporary-certificates", 0); - run_next_test(); - }); -} - -function add_simple_tests(useMozillaPKIX) { +function add_simple_tests() { add_cert_override_test("expired.example.com", Ci.nsICertOverrideService.ERROR_TIME, getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE)); - if (useMozillaPKIX) { - add_cert_override_test("selfsigned.example.com", - Ci.nsICertOverrideService.ERROR_UNTRUSTED, - getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); - } else { - add_non_overridable_test("selfsigned.example.com", - SEC_ERROR_CA_CERT_INVALID); - } + add_cert_override_test("selfsigned.example.com", + Ci.nsICertOverrideService.ERROR_UNTRUSTED, + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); add_cert_override_test("unknownissuer.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); add_cert_override_test("expiredissuer.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, - getXPCOMStatusFromNSS( - useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE)); + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); add_cert_override_test("md5signature.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, getXPCOMStatusFromNSS( SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)); add_cert_override_test("mismatch.example.com", Ci.nsICertOverrideService.ERROR_MISMATCH, getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN)); // A Microsoft IIS utility generates self-signed certificates with // properties similar to the one this "host" will present (see // tlsserver/generate_certs.sh). - // One of the errors classic verification collects is that this - // certificate has an inadequate key usage to sign a certificate - // (i.e. itself). As a result, to be able to override this, - // SEC_ERROR_INADEQUATE_KEY_USAGE must be overridable (although, - // confusingly, this isn't the main error reported). - // mozilla::pkix just says this certificate's issuer is unknown. - if (useMozillaPKIX) { - add_cert_override_test("selfsigned-inadequateEKU.example.com", - Ci.nsICertOverrideService.ERROR_UNTRUSTED, - getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); - } else { - add_non_overridable_test("selfsigned-inadequateEKU.example.com", - SEC_ERROR_CA_CERT_INVALID); - } + add_cert_override_test("selfsigned-inadequateEKU.example.com", + Ci.nsICertOverrideService.ERROR_UNTRUSTED, + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); - // SEC_ERROR_INADEQUATE_KEY_USAGE is overridable in general for - // classic verification, but not for mozilla::pkix verification. - if (useMozillaPKIX) { - add_non_overridable_test("inadequatekeyusage.example.com", - SEC_ERROR_INADEQUATE_KEY_USAGE); - } else { - add_cert_override_test("inadequatekeyusage.example.com", - Ci.nsICertOverrideService.ERROR_UNTRUSTED, - getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE)); - } + add_non_overridable_test("inadequatekeyusage.example.com", + SEC_ERROR_INADEQUATE_KEY_USAGE); // Bug 990603: Apache documentation has recommended generating a self-signed // test certificate with basic constraints: CA:true. For compatibility, this // is a scenario in which an override is allowed. add_cert_override_test("self-signed-end-entity-with-cA-true.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, - getXPCOMStatusFromNSS( - useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER)); + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); } -function add_combo_tests(useMozillaPKIX) { - // Note that "untrusted" here really is "unknown issuer" in the - // mozilla::pkix case. - +function add_combo_tests() { add_cert_override_test("mismatch-expired.example.com", Ci.nsICertOverrideService.ERROR_MISMATCH | Ci.nsICertOverrideService.ERROR_TIME, getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN)); add_cert_override_test("mismatch-untrusted.example.com", Ci.nsICertOverrideService.ERROR_MISMATCH | Ci.nsICertOverrideService.ERROR_UNTRUSTED, - getXPCOMStatusFromNSS( - useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER)); + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); add_cert_override_test("untrusted-expired.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED | Ci.nsICertOverrideService.ERROR_TIME, - getXPCOMStatusFromNSS( - useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER)); + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); add_cert_override_test("mismatch-untrusted-expired.example.com", Ci.nsICertOverrideService.ERROR_MISMATCH | Ci.nsICertOverrideService.ERROR_UNTRUSTED | Ci.nsICertOverrideService.ERROR_TIME, - getXPCOMStatusFromNSS( - useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER)); + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); add_cert_override_test("md5signature-expired.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED | Ci.nsICertOverrideService.ERROR_TIME, getXPCOMStatusFromNSS( SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)); } -function add_distrust_tests(useMozillaPKIX) { +function add_distrust_tests() { // Before we specifically distrust this certificate, it should be trusted. add_connection_test("untrusted.example.com", Cr.NS_OK); - // XXX(Bug 975777): Active distrust is an overridable error when NSS-based - // verification is used. add_distrust_override_test("tlsserver/default-ee.der", "untrusted.example.com", - getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT), - useMozillaPKIX - ? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT) - : Cr.NS_OK); + getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT)); - // XXX(Bug 975777): Active distrust is an overridable error when NSS-based - // verification is used. add_distrust_override_test("tlsserver/other-test-ca.der", "untrustedissuer.example.com", - getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER), - useMozillaPKIX - ? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER) - : Cr.NS_OK); + getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER)); } -function add_distrust_override_test(certFileName, hostName, - expectedResultBefore, expectedResultAfter) { +function add_distrust_override_test(certFileName, hostName, expectedResult) { let certToDistrust = constructCertFromFile(certFileName); add_test(function () { // Add an entry to the NSS certDB that says to distrust the cert setCertTrust(certToDistrust, "pu,,"); clearSessionCache(); run_next_test(); }); - add_connection_test(hostName, expectedResultBefore, null, + add_connection_test(hostName, expectedResult, null, function (securityInfo) { securityInfo.QueryInterface(Ci.nsISSLStatusProvider); // XXX(Bug 754369): SSLStatus isn't available for // non-overridable errors. if (securityInfo.SSLStatus) { certOverrideService.rememberValidityOverride( hostName, 8443, securityInfo.SSLStatus.serverCert, Ci.nsICertOverrideService.ERROR_UNTRUSTED, true); } else { // A missing SSLStatus probably means (due to bug // 754369) that the error was non-overridable, which // is what we're trying to test, though we'd rather // not test it this way. - do_check_neq(expectedResultAfter, Cr.NS_OK); + do_check_neq(expectedResult, Cr.NS_OK); } clearSessionCache(); }); - add_connection_test(hostName, expectedResultAfter, null, + add_connection_test(hostName, expectedResult, null, function () { setCertTrust(certToDistrust, "u,,"); }); }
--- a/security/manager/ssl/tests/unit/test_cert_signatures.js +++ b/security/manager/ssl/tests/unit/test_cert_signatures.js @@ -40,39 +40,29 @@ function check_ca(ca_name) { } function run_test() { // Load the ca into mem load_ca("ca-rsa"); load_ca("ca-p384"); load_ca("ca-dsa"); - run_test_in_mode(true); - run_test_in_mode(false); -} - -function run_test_in_mode(useMozillaPKIX) { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); clearOCSPCache(); clearSessionCache(); check_ca("ca-rsa"); check_ca("ca-p384"); check_ca("ca-dsa"); // mozilla::pkix does not allow CA certs to be validated for end-entity // usages. - let int_usage = useMozillaPKIX - ? 'SSL CA' - : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder'; + const int_usage = 'SSL CA'; // mozilla::pkix doesn't implement the Netscape Object Signer restriction. - const ee_usage = useMozillaPKIX - ? 'Client,Server,Sign,Encrypt,Object Signer' - : 'Client,Server,Sign,Encrypt'; + const ee_usage = 'Client,Server,Sign,Encrypt,Object Signer'; let cert2usage = { // certs without the "int" prefix are end entity certs. 'int-rsa-valid': int_usage, 'rsa-valid': ee_usage, 'int-p384-valid': int_usage, 'p384-valid': ee_usage, 'int-dsa-valid': int_usage,
--- a/security/manager/ssl/tests/unit/test_cert_trust.js +++ b/security/manager/ssl/tests/unit/test_cert_trust.js @@ -34,223 +34,166 @@ function check_cert_err_generic(cert, ex do_print("cert issuer cn=" + cert.issuerCommonName); let hasEVPolicy = {}; let verifiedChain = {}; let error = certdb.verifyCertNow(cert, usage, NO_FLAGS, verifiedChain, hasEVPolicy); do_check_eq(error, expected_error); }; -function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKIX) { +function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) { // On reset most usages are successful check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer); check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient); - check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID, certificateUsageSSLCA); // expected no bc check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner); check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient); - check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner); // expected - check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID - : 0, + check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID, certificateUsageVerifyCA); // mozilla::pkix enforces that certificase must have a basic constraints // extension with cA:true to be a CA certificate, whereas classic does not check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder); //expected // Test of active distrust. No usage should pass. setCertTrust(cert_to_modify_trust, 'p,p,p'); check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageSSLServer); check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageSSLClient); - check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID, certificateUsageSSLCA); check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageEmailSigner); check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageEmailRecipient); - check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageObjectSigner); - check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID - : 0, + check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID, certificateUsageVerifyCA); // In mozilla::pkix (but not classic verification), certificate chain // properties are checked before the end-entity. Thus, if we're using // mozilla::pkix and the root certificate has been distrusted, the error // will be "untrusted issuer" and not "inadequate cert type". - check_cert_err_generic(ee_cert, (!isRootCA && useMozillaPKIX) - ? SEC_ERROR_UNTRUSTED_ISSUER - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, + !isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER + : SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder); - // Trust set to T - trusted CA to issue client certs, where client cert is // usageSSLClient. setCertTrust(cert_to_modify_trust, 'T,T,T'); - check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER - : 0, + check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0, certificateUsageSSLServer); - check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340 - : 0 - : 0, + // XXX(Bug 982340) + check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0, certificateUsageSSLClient); - check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INADEQUATE_CERT_TYPE, + + check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID, certificateUsageSSLCA); - check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER - : 0, + check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0, certificateUsageEmailSigner); - check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER - : 0, + check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0, certificateUsageEmailRecipient); - check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_INADEQUATE_CERT_TYPE - : useMozillaPKIX ? 0 - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0, certificateUsageObjectSigner); - check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID - : 0, + check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID, certificateUsageVerifyCA); check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder); // Now tests on the SSL trust bit setCertTrust(cert_to_modify_trust, 'p,C,C'); check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageSSLServer); - check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 //XXX Bug 982340 - : SEC_ERROR_UNTRUSTED_ISSUER, - certificateUsageSSLClient); - check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INADEQUATE_CERT_TYPE, + + //XXX(Bug 982340) + check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient); + check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID, certificateUsageSSLCA); check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner); check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient); - check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 - : SEC_ERROR_INADEQUATE_CERT_TYPE, - certificateUsageObjectSigner); - check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID - : 0, + check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner); + check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID, certificateUsageVerifyCA); - // In mozilla::pkix (but not classic verification), certificate chain - // properties are checked before the end-entity. Thus, if we're using - // mozilla::pkix and the root certificate has been distrusted, the error - // will be "untrusted issuer" and not "inadequate cert type". - check_cert_err_generic(ee_cert, (!isRootCA && useMozillaPKIX) - ? SEC_ERROR_UNTRUSTED_ISSUER - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, + isRootCA ? SEC_ERROR_INADEQUATE_CERT_TYPE + : SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageStatusResponder); // Inherited trust SSL setCertTrust(cert_to_modify_trust, ',C,C'); - check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER - : 0, + check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0, certificateUsageSSLServer); - check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? 0 // XXX Bug 982340 - : SEC_ERROR_UNTRUSTED_ISSUER - : 0, - certificateUsageSSLClient); - check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INADEQUATE_CERT_TYPE, + // XXX(Bug 982340) + check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient); + check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID, certificateUsageSSLCA); check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner); check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient); - check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 - : SEC_ERROR_INADEQUATE_CERT_TYPE, - certificateUsageObjectSigner); - check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID - : 0, + check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner); + check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID, certificateUsageVerifyCA); check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder); // Now tests on the EMAIL trust bit setCertTrust(cert_to_modify_trust, 'C,p,C'); check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer); - check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER - : useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER - : 0, // mozilla::pkix is OK, NSS bug + check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageSSLClient); - check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID, certificateUsageSSLCA); check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageEmailSigner); check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, certificateUsageEmailRecipient); - check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 - : SEC_ERROR_INADEQUATE_CERT_TYPE, - certificateUsageObjectSigner); - check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID - : 0, + check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner); + check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID, certificateUsageVerifyCA); check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder); //inherited EMAIL Trust setCertTrust(cert_to_modify_trust, 'C,,C'); check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer); - check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER - : 0, + check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0, certificateUsageSSLClient); - check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID - : SEC_ERROR_INADEQUATE_CERT_TYPE, + check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID, certificateUsageSSLCA); - check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER - : 0, + check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0, certificateUsageEmailSigner); - check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER - : 0, + check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0, certificateUsageEmailRecipient); - check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 - : SEC_ERROR_INADEQUATE_CERT_TYPE, - certificateUsageObjectSigner); - check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID - : 0, + check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner); + check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID, certificateUsageVerifyCA); check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder); } -function run_test_in_mode(useMozillaPKIX) { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); +function run_test() { + for (let i = 0 ; i < certList.length; i++) { + load_cert(certList[i], ',,'); + } let ca_cert = certdb.findCertByNickname(null, 'ca'); do_check_false(!ca_cert) let int_cert = certdb.findCertByNickname(null, 'int'); do_check_false(!int_cert) let ee_cert = certdb.findCertByNickname(null, 'ee'); do_check_false(!ee_cert); setup_basic_trusts(ca_cert, int_cert); - test_ca_distrust(ee_cert, ca_cert, true, useMozillaPKIX); + test_ca_distrust(ee_cert, ca_cert, true); setup_basic_trusts(ca_cert, int_cert); - test_ca_distrust(ee_cert, int_cert, false, useMozillaPKIX); + test_ca_distrust(ee_cert, int_cert, false); } - -function run_test() { - for (let i = 0 ; i < certList.length; i++) { - load_cert(certList[i], ',,'); - } - - run_test_in_mode(true); - run_test_in_mode(false); -}
--- a/security/manager/ssl/tests/unit/test_cert_version.js +++ b/security/manager/ssl/tests/unit/test_cert_version.js @@ -39,31 +39,30 @@ function check_ca_err(cert, expected_err function check_ok(x) { return check_cert_err(x, 0); } function check_ok_ca(x) { return check_cert_err_generic(x, 0, certificateUsageSSLCA); } -function run_tests_in_mode(useMozillaPKIX) -{ - Services.prefs.setBoolPref("security.use_mozillapkix_verification", - useMozillaPKIX); +function run_test() { + load_cert("v1_ca", "CTu,CTu,CTu"); + load_cert("v1_ca_bc", "CTu,CTu,CTu"); + load_cert("v2_ca", "CTu,CTu,CTu"); + load_cert("v2_ca_bc", "CTu,CTu,CTu"); + load_cert("v3_ca", "CTu,CTu,CTu"); + load_cert("v3_ca_missing_bc", "CTu,CTu,CTu"); check_ok_ca(cert_from_file('v1_ca.der')); - check_ca_err(cert_from_file('v1_ca_bc.der'), - useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0); - check_ca_err(cert_from_file('v2_ca.der'), - useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0); - check_ca_err(cert_from_file('v2_ca_bc.der'), - useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0); + check_ca_err(cert_from_file('v1_ca_bc.der'), SEC_ERROR_EXTENSION_VALUE_INVALID); + check_ca_err(cert_from_file('v2_ca.der'), SEC_ERROR_CA_CERT_INVALID); + check_ca_err(cert_from_file('v2_ca_bc.der'), SEC_ERROR_EXTENSION_VALUE_INVALID); check_ok_ca(cert_from_file('v3_ca.der')); - check_ca_err(cert_from_file('v3_ca_missing_bc.der'), - useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0); + check_ca_err(cert_from_file('v3_ca_missing_bc.der'), SEC_ERROR_CA_CERT_INVALID); // Classic allows v1 and v2 certs to be CA certs in trust anchor positions and // intermediates when they have a v3 basic constraints extenstion (which // makes them invalid certs). Insanity only allows v1 certs to be CA in // anchor position (even if they have invalid encodings), v2 certs are not // considered CAs in any position. // Note that currently there are no change of behavior based on the // version of the end entity. @@ -71,714 +70,476 @@ function run_tests_in_mode(useMozillaPKI let ee_error = 0; let ca_error = 0; ////////////// // v1 CA supersection ////////////////// // v1 intermediate with v1 trust anchor - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v1_int-v1_ca.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), ee_error); // v1 intermediate with v3 extensions. CA is invalid. - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_ca_err(cert_from_file('v1_int_bc-v1_ca.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'), ee_error); // A v2 intermediate with a v1 CA - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v2_int-v1_ca.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), ee_error); // A v2 intermediate with basic constraints (not allowed in insanity) - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_ca_err(cert_from_file('v2_int_bc-v1_ca.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca.der'), ee_error); // Section is OK. A x509 v3 CA MUST have bc // http://tools.ietf.org/html/rfc5280#section-4.2.1.9 - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } - check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error); + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; + check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); // It is valid for a v1 ca to sign a v3 intemediate. check_ok_ca(cert_from_file('v3_int-v1_ca.der')); check_ok(cert_from_file('v1_ee-v3_int-v1_ca.der')); check_ok(cert_from_file('v2_ee-v3_int-v1_ca.der')); check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca.der')); check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca.der')); - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'), ee_error); // The next groups change the v1 ca for a v1 ca with base constraints // (invalid trust anchor). The error pattern is the same as the groups // above // Using A v1 intermediate - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), ee_error); // Using a v1 intermediate with v3 extenstions (invalid). - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_ca_err(cert_from_file('v1_int_bc-v1_ca_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); // Using v2 intermediate - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), ee_error); // Using a v2 intermediate with basic constraints (invalid) - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_ca_err(cert_from_file('v2_int_bc-v1_ca_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); // Using a v3 intermediate that is missing basic constraints (invalid) - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); // these should pass assuming we are OK with v1 ca signing v3 intermediates - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_ca_err(cert_from_file('v3_int-v1_ca_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v3_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca_bc.der'), ee_error); ////////////// // v2 CA supersection ////////////////// // v2 ca, v1 intermediate - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v1_int-v2_ca.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), ee_error) check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), ee_error); // v2 ca, v1 intermediate with basic constraints (invalid) - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), ee_error); // v2 ca, v2 intermediate - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v2_int-v2_ca.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), ee_error) // v2 ca, v2 intermediate with basic constraints (invalid) - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_ca_err(cert_from_file('v2_int_bc-v2_ca.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca.der'), ee_error); // v2 ca, v3 intermediate missing basic constraints - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); // v2 ca, v3 intermediate - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v3_int-v2_ca.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), ee_error); - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), ee_error); // v2 ca, v1 intermediate - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), ee_error); // v2 ca, v1 intermediate with bc (invalid) - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_ca_err(cert_from_file('v1_int_bc-v2_ca_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); // v2 ca, v2 intermediate - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), ee_error); // v2 ca, v2 intermediate with bc (invalid) - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_ca_err(cert_from_file('v2_int_bc-v2_ca_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); // v2 ca, invalid v3 intermediate - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error) check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); // v2 ca, valid v3 intermediate (is OK if we use 'classic' semantics) - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_ca_err(cert_from_file('v3_int-v2_ca_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca_bc.der'), ee_error); ////////////// // v3 CA supersection ////////////////// // v3 ca, v1 intermediate - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v1_int-v3_ca.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), ee_error); // A v1 intermediate with v3 extensions - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_ca_err(cert_from_file('v1_int_bc-v3_ca.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'), ee_error) // reject a v2 cert as intermediate - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v2_int-v3_ca.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), ee_error); // v2 intermediate with bc (invalid) - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_ca_err(cert_from_file('v2_int_bc-v3_ca.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'), ee_error); // invalid v3 intermediate - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); // I dont think that v3 intermediates should be allowed to sign v1 or v2 // certs, but other thanthat this is what we usually get in the wild. check_ok_ca(cert_from_file('v3_int-v3_ca.der')); check_ok(cert_from_file('v1_ee-v3_int-v3_ca.der')); check_ok(cert_from_file('v2_ee-v3_int-v3_ca.der')); check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca.der')); check_ok(cert_from_file('v3_bc_ee-v3_int-v3_ca.der')); - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'), ee_error); // v3 CA, invalid v3 intermediate - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); // Int v1 with BC that is just invalid (classic fail insanity OK) - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); // Good section (all fail) - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); // v2 intermediate (even with basic constraints) is invalid - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); // v3 intermediate missing basic constraints is invalid - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; - ee_error = SEC_ERROR_UNKNOWN_ISSUER; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); - if (useMozillaPKIX) { - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); // With a v3 root missing bc and valid v3 intermediate - if (useMozillaPKIX) { - ca_error = SEC_ERROR_CA_CERT_INVALID; - ee_error = SEC_ERROR_CA_CERT_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_CA_CERT_INVALID; + ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), ca_error); check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); - if (useMozillaPKIX) { - ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; - } else { - ca_error = 0; - ee_error = 0; - } + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); } - -function run_test() { - load_cert("v1_ca", "CTu,CTu,CTu"); - load_cert("v1_ca_bc", "CTu,CTu,CTu"); - load_cert("v2_ca", "CTu,CTu,CTu"); - load_cert("v2_ca_bc", "CTu,CTu,CTu"); - load_cert("v3_ca", "CTu,CTu,CTu"); - load_cert("v3_ca_missing_bc", "CTu,CTu,CTu"); - - run_tests_in_mode(false); - run_tests_in_mode(true); -}
--- a/security/manager/ssl/tests/unit/test_certificate_usages.js +++ b/security/manager/ssl/tests/unit/test_certificate_usages.js @@ -26,96 +26,74 @@ function run_test() { for (var i = 0; i < gNumCAs; i++) { var ca_name = "ca-" + (i + 1); var ca_filename = ca_name + ".der"; addCertFromFile(certdb, "test_certificate_usages/" + ca_filename, "CTu,CTu,CTu"); do_print("ca_name=" + ca_name); var cert = certdb.findCertByNickname(null, ca_name); } - run_test_in_mode(true); - run_test_in_mode(false); -} - -function run_test_in_mode(useMozillaPKIX) { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); - clearOCSPCache(); - clearSessionCache(); - - // mozilla::pkix does not allow CA certs to be validated for non-CA usages. - var allCAUsages = useMozillaPKIX - ? 'SSL CA' - : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder'; - // mozilla::pkix doesn't allow CA certificates to have the Status Responder // EKU. - var ca_usages = [allCAUsages, + var ca_usages = ['SSL CA', 'SSL CA', - allCAUsages, - useMozillaPKIX ? '' - : 'Client,Server,Sign,Encrypt,Status Responder']; + 'SSL CA', + '']; // mozilla::pkix doesn't implement the Netscape Object Signer restriction. - var basicEndEntityUsages = useMozillaPKIX - ? 'Client,Server,Sign,Encrypt,Object Signer' - : 'Client,Server,Sign,Encrypt'; + var basicEndEntityUsages = 'Client,Server,Sign,Encrypt,Object Signer'; var basicEndEntityUsagesWithObjectSigner = basicEndEntityUsages + ",Object Signer" - // mozilla::pkix won't let a certificate with the "Status Responder" EKU get + // mozilla::pkix won't let a certificate with the 'Status Responder' EKU get // validated for any other usage. - var statusResponderUsages = (useMozillaPKIX ? "" : "Server,") + "Status Responder"; - var statusResponderUsagesFull - = useMozillaPKIX ? statusResponderUsages - : basicEndEntityUsages + ',Object Signer,Status Responder'; - var ee_usages = [ [ basicEndEntityUsages, basicEndEntityUsages, basicEndEntityUsages, '', - statusResponderUsagesFull, + 'Status Responder', 'Client,Server', 'Sign,Encrypt,Object Signer', - statusResponderUsages + 'Status Responder' ], [ basicEndEntityUsages, basicEndEntityUsages, basicEndEntityUsages, '', - statusResponderUsagesFull, + 'Status Responder', 'Client,Server', 'Sign,Encrypt,Object Signer', - statusResponderUsages + 'Status Responder' ], [ basicEndEntityUsages, basicEndEntityUsages, basicEndEntityUsages, '', - statusResponderUsagesFull, + 'Status Responder', 'Client,Server', 'Sign,Encrypt,Object Signer', - statusResponderUsages + 'Status Responder' ], // The CA has isCA=true without keyCertSign. // // The 'classic' NSS mode uses the 'union' of the // capabilites so the cert is considered a CA. // mozilla::pkix and libpkix use the intersection of // capabilites, so the cert is NOT considered a CA. - [ useMozillaPKIX ? '' : basicEndEntityUsages, - useMozillaPKIX ? '' : basicEndEntityUsages, - useMozillaPKIX ? '' : basicEndEntityUsages, + [ '', + '', + '', '', - useMozillaPKIX ? '' : statusResponderUsagesFull, - useMozillaPKIX ? '' : 'Client,Server', - useMozillaPKIX ? '' : 'Sign,Encrypt,Object Signer', - useMozillaPKIX ? '' : 'Server,Status Responder' + '', + '', + '', + '' ] ]; do_check_eq(gNumCAs, ca_usages.length); for (var i = 0; i < gNumCAs; i++) { var ca_name = "ca-" + (i + 1); var verified = {};
--- a/security/manager/ssl/tests/unit/test_ev_certs.js +++ b/security/manager/ssl/tests/unit/test_ev_certs.js @@ -75,28 +75,16 @@ function run_test() { addCertFromFile(certdb, "test_ev_certs/" + cert_filename, ',,'); } load_ca("evroot"); load_ca("non-evroot-ca"); // setup and start ocsp responder Services.prefs.setCharPref("network.dns.localDomains", 'www.example.com, crl.example.com'); - add_tests_in_mode(true); - add_tests_in_mode(false); - run_next_test(); -} - -function add_tests_in_mode(useMozillaPKIX) -{ - add_test(function () { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", - useMozillaPKIX); - run_next_test(); - }); add_test(function () { clearOCSPCache(); let ocspResponder = start_ocsp_responder( isDebugBuild ? ["int-ev-valid", "ev-valid"] : ["ev-valid"]); check_ee_for_ev("ev-valid", isDebugBuild); ocspResponder.stop(run_next_test); @@ -133,19 +121,17 @@ function add_tests_in_mode(useMozillaPKI // bug 917380: Chcek that an untrusted EV root is untrusted. const nsIX509Cert = Ci.nsIX509Cert; add_test(function() { let evRootCA = certdb.findCertByNickname(null, evrootnick); certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0); clearOCSPCache(); let ocspResponder = failingOCSPResponder(); - check_cert_err("ev-valid", - useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER - : SEC_ERROR_UNTRUSTED_ISSUER); + check_cert_err("ev-valid",SEC_ERROR_UNKNOWN_ISSUER); ocspResponder.stop(run_next_test); }); // bug 917380: Chcek that a trusted EV root is trusted after disabling and // re-enabling trust. add_test(function() { let evRootCA = certdb.findCertByNickname(null, evrootnick); certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, @@ -157,34 +143,25 @@ function add_tests_in_mode(useMozillaPKI let ocspResponder = start_ocsp_responder( isDebugBuild ? ["int-ev-valid", "ev-valid"] : ["ev-valid"]); check_ee_for_ev("ev-valid", isDebugBuild); ocspResponder.stop(run_next_test); }); add_test(function () { - check_no_ocsp_requests("ev-valid", - useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED - : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE - : SEC_ERROR_EXTENSION_NOT_FOUND)); + check_no_ocsp_requests("ev-valid", SEC_ERROR_POLICY_VALIDATION_FAILED); }); add_test(function () { - check_no_ocsp_requests("non-ev-root", - useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED - : (isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER - : SEC_ERROR_EXTENSION_NOT_FOUND)); + check_no_ocsp_requests("non-ev-root", SEC_ERROR_POLICY_VALIDATION_FAILED); }); add_test(function () { - check_no_ocsp_requests("no-ocsp-url-cert", - useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED - : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE - : SEC_ERROR_EXTENSION_NOT_FOUND)); + check_no_ocsp_requests("no-ocsp-url-cert", SEC_ERROR_POLICY_VALIDATION_FAILED); }); // Test the EV continues to work with flags after successful EV verification add_test(function () { clearOCSPCache(); let ocspResponder = start_ocsp_responder( isDebugBuild ? ["int-ev-valid", "ev-valid"] @@ -198,19 +175,17 @@ function add_tests_in_mode(useMozillaPKI let verifiedChain = {}; let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY | Ci.nsIX509CertDB.FLAG_MUST_BE_EV; let error = certdb.verifyCertNow(cert, certificateUsageSSLServer, flags, verifiedChain, hasEVPolicy); do_check_eq(hasEVPolicy.value, isDebugBuild); do_check_eq(error, - isDebugBuild ? 0 - : (useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED - : SEC_ERROR_EXTENSION_NOT_FOUND)); + isDebugBuild ? 0 : SEC_ERROR_POLICY_VALIDATION_FAILED); failingOcspResponder.stop(run_next_test); }); }); // Bug 991815 old but valid intermediates are OK add_test(function () { clearOCSPCache(); let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [], @@ -230,50 +205,44 @@ function add_tests_in_mode(useMozillaPKI add_test(function () { clearOCSPCache(); // Since Mozilla::pkix does not consider the old amost invalid OCSP // response valid, it does not cache the old response and thus // makes a separate request for DV let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"]; let debugResponseArray = ["good", "longvalidityalmostold", "longvalidityalmostold"]; - if (!useMozillaPKIX) { - debugCertNickArray = ["int-ev-valid", "ev-valid"]; - debugResponseArray = ["good", "longvalidityalmostold"]; - } let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [], "test_ev_certs", isDebugBuild ? debugCertNickArray : ["ev-valid"], [], [], isDebugBuild ? debugResponseArray : ["longvalidityalmostold"]); - check_ee_for_ev("ev-valid", !useMozillaPKIX && isDebugBuild); + check_ee_for_ev("ev-valid", false); ocspResponder.stop(run_next_test); }); // Bug 991815 Valid but Ancient (almost two year old) responses are Not OK for // EV (still OK for soft fail DV) add_test(function () { clearOCSPCache(); let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"]; let debugResponseArray = ["good", "ancientstillvalid", "ancientstillvalid"]; - if (!useMozillaPKIX) { - debugCertNickArray = ["int-ev-valid", "ev-valid"]; - debugResponseArray = ["good", "ancientstillvalid"]; - } let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [], "test_ev_certs", isDebugBuild ? debugCertNickArray : ["ev-valid"], [], [], isDebugBuild ? debugResponseArray : ["ancientstillvalid"]); - check_ee_for_ev("ev-valid", !useMozillaPKIX && isDebugBuild); + check_ee_for_ev("ev-valid", false); ocspResponder.stop(run_next_test); }); + + run_next_test(); } // bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert // to prevent spurious OCSP requests that race with OCSP stapling. // This has the side-effect of saying an EV certificate is not EV if // it hasn't already been verified (e.g. on the verification thread when // connecting to a site). // This flag is mostly a hack that should be removed once FLAG_LOCAL_ONLY
--- a/security/manager/ssl/tests/unit/test_getchain.js +++ b/security/manager/ssl/tests/unit/test_getchain.js @@ -65,31 +65,25 @@ function check_getchain(ee_cert, ssl_ca, certdb.setCertTrust(ssl_ca, nsIX509Cert.CA_CERT, 0); check_matching_issuer_and_getchain(email_ca.serialNumber, ee_cert); certdb.setCertTrust(email_ca, nsIX509Cert.CA_CERT, 0); // Do a final test on the case of no trust. The results must // be cosistent (the actual value is non-deterministic). check_matching_issuer_and_getchain(ee_cert.issuer.serialNumber, ee_cert); } -function run_test_in_mode(useMozillaPKIX) { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); +function run_test() { clearOCSPCache(); clearSessionCache(); for (let i = 0 ; i < certList.length; i++) { load_cert(certList[i], ',,'); } let ee_cert = certdb.findCertByNickname(null, 'ee'); do_check_false(!ee_cert); let ca = get_ca_array(); check_getchain(ee_cert, ca[1], ca[2]); // Swap ca certs to deal alternate trust settings. check_getchain(ee_cert, ca[2], ca[1]); } - -function run_test() { - run_test_in_mode(true); - run_test_in_mode(false); -}
--- a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js @@ -33,30 +33,24 @@ function test_cert_for_usages(certChainN let cert = certs[0]; let verified = {}; let usages = {}; cert.getUsagesString(true, verified, usages); do_print("usages.value = " + usages.value); do_check_eq(expected_usages_string, usages.value); } -function run_test_in_mode(useMozillaPKIX) { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); - +function run_test() { // mozilla::pkix doesn't support the obsolete Netscape object signing // extension, but NSS does. - let ee_usage1 = useMozillaPKIX - ? 'Client,Server,Sign,Encrypt,Object Signer' - : 'Client,Server,Sign,Encrypt' + let ee_usage1 = 'Client,Server,Sign,Encrypt,Object Signer'; // mozilla::pkix doesn't validate CA certificates for non-CA uses, but // NSS does. - let ca_usage1 = useMozillaPKIX - ? "SSL CA" - : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder'; + let ca_usage1 = "SSL CA"; // Load the ca into mem let ca_name = "ca"; load_cert(ca_name, "CTu,CTu,CTu"); do_print("ca_name = " + ca_name); test_cert_for_usages([ca_name], ca_usage1); // A certificate with no basicConstraints extension is considered an EE. @@ -82,36 +76,32 @@ function run_test_in_mode(useMozillaPKIX // ca // int-limited-depth (cA==true, pathLenConstraint==0) // int-limited-depth-invalid (cA==true) // // XXX: It seems the NSS code does not consider the path length of the // certificate we're validating, but mozilla::pkix does. mozilla::pkix's // behavior is correct. - test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"], - useMozillaPKIX ? "" : ca_usage1); + test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"], ""); test_cert_for_usages(["ee-int-limited-depth-invalid", "int-limited-depth-invalid", "int-limited-depth"], ""); // int-valid-ku-no-eku has keyCertSign test_cert_for_usages(["int-valid-ku-no-eku"], "SSL CA"); test_cert_for_usages(["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"], ee_usage1); // int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension // but the KU extension is missing keyCertSign. Note that mozilla::pkix // doesn't validate certificates with basicConstraints.Ca==true for non-CA // uses, but NSS does. - test_cert_for_usages(["int-bad-ku-no-eku"], - useMozillaPKIX - ? "" - : 'Client,Server,Sign,Encrypt,Status Responder'); + test_cert_for_usages(["int-bad-ku-no-eku"], ""); test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], ""); // int-no-ku-no-eku has basicConstraints.cA==true and no KU extension. // We treat a missing KU as "any key usage is OK". test_cert_for_usages(["int-no-ku-no-eku"], ca_usage1); test_cert_for_usages(["ee-int-no-ku-no-eku", "int-no-ku-no-eku"], ee_usage1); // int-valid-ku-server-eku has basicConstraints.cA==true, keyCertSign in KU, @@ -127,13 +117,8 @@ function run_test_in_mode(useMozillaPKIX ""); // int-bad-ku-server-eku has basicConstraints.cA==true, no KU, and // EKU=={id-kp-serverAuth,id-kp-clientAuth}. test_cert_for_usages(["int-no-ku-server-eku"], "SSL CA"); test_cert_for_usages(["ee-int-no-ku-server-eku", "int-no-ku-server-eku"], "Client,Server"); } - -function run_test() { - run_test_in_mode(true); - run_test_in_mode(false); -}
--- a/security/manager/ssl/tests/unit/test_name_constraints.js +++ b/security/manager/ssl/tests/unit/test_name_constraints.js @@ -45,18 +45,19 @@ function check_ok_ca (x) { function check_fail(x) { return check_cert_err(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE); } function check_fail_ca(x) { return check_cert_err_generic(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLCA); } -function run_test_in_mode(useMozillaPKIX) { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); +function run_test() { + load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu"); + load_cert("ca-nc", "CTu,CTu,CTu"); // Note that CN is only looked at when there is NO subjectAltName! // Testing with a unconstrained root, and intermediate constrained to PERMIT // foo.com. All failures on this section are doe to the cert DNS names // not being under foo.com. check_ok_ca(load_cert('int-nc-perm-foo.com-ca-nc', ',,')); // no dirName @@ -264,16 +265,8 @@ function run_test_in_mode(useMozillaPKIX // for the server EKU. libpkix gets this wrong but mozilla::pkix and classic // NSS get it right. { let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der'); check_cert_err_generic(cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLServer); check_cert_err_generic(cert, 0, certificateUsageSSLClient); } } - -function run_test() { - load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu"); - load_cert("ca-nc", "CTu,CTu,CTu"); - - run_test_in_mode(true); - run_test_in_mode(false); -}
--- a/security/manager/ssl/tests/unit/test_ocsp_caching.js +++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js @@ -35,30 +35,23 @@ function run_test() { do_print("returning 200 OK"); response.setStatusLine(request.httpVersion, 200, "OK"); response.setHeader("Content-Type", "application/ocsp-response"); response.write(gGoodOCSPResponse); }); ocspResponder.start(8080); - add_tests_in_mode(true); - add_tests_in_mode(false); + add_tests(); add_test(function() { ocspResponder.stop(run_next_test); }); run_next_test(); } -function add_tests_in_mode(useMozillaPKIX) { - add_test(function () { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", - useMozillaPKIX); - run_next_test(); - }); - +function add_tests() { // This test assumes that OCSPStaplingServer uses the same cert for // ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com. // Get an Unknown response for the *.exmaple.com cert and put it in the // OCSP cache. add_connection_test("ocsp-stapling-unknown.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), clearSessionCache);
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js +++ b/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js @@ -33,29 +33,16 @@ function run_test() { addCertFromFile(certdb, "test_ocsp_fetch_method/int.der", ',,'); // Enabled so that we can force ocsp failure responses. Services.prefs.setBoolPref("security.OCSP.require", true); Services.prefs.setCharPref("network.dns.localDomains", "www.example.com"); - add_tests_in_mode(true); - add_tests_in_mode(false); - run_next_test(); -} - -function add_tests_in_mode(useMozillaPKIX) -{ - add_test(function() { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", - useMozillaPKIX); - run_next_test(); - }); - add_test(function() { clearOCSPCache(); Services.prefs.setBoolPref("security.OCSP.GET.enabled", false); let ocspResponder = start_ocsp_responder(["a"], [], ["POST"]); check_cert_err("a", 0); ocspResponder.stop(run_next_test); }); @@ -67,18 +54,16 @@ function add_tests_in_mode(useMozillaPKI ocspResponder.stop(run_next_test); }); // GET does fallback on bad entry add_test(function() { clearOCSPCache(); Services.prefs.setBoolPref("security.OCSP.GET.enabled", true); // Bug 1016681 mozilla::pkix does not support fallback yet. - if (!useMozillaPKIX) { - let ocspResponder = start_ocsp_responder(["b", "a"], [], ["GET", "POST"]); - check_cert_err("a", 0); - ocspResponder.stop(run_next_test); - } else { - run_next_test(); - } + // let ocspResponder = start_ocsp_responder(["b", "a"], [], ["GET", "POST"]); + // check_cert_err("a", 0); + // ocspResponder.stop(run_next_test); + run_next_test(); }); + run_next_test(); }
--- a/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js +++ b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js @@ -23,40 +23,29 @@ function run_test() { let ocspResponder = new HttpServer(); ocspResponder.registerPrefixHandler("/", function (request, response) { response.setStatusLine(request.httpVersion, 200, "OK"); response.setHeader("Content-Type", "application/ocsp-response"); response.write(goodOCSPResponse); }); ocspResponder.start(8080); - add_tests_in_mode(true); - add_tests_in_mode(false); + // ocsp-stapling-none.example.com does not staple an OCSP response in the + // handshake, so the revocation checking code will attempt to fetch one. + // Since the domain of the certificate's OCSP AIA URI is an HSTS host + // (as added in the setup of this test, below), a buggy implementation would + // upgrade the OCSP request to HTTPS. We specifically prevent this. This + // test demonstrates that our implementation is correct in this regard. + add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK); + add_test(function () { run_next_test(); }); add_test(function () { ocspResponder.stop(run_next_test); }); let SSService = Cc["@mozilla.org/ssservice;1"] .getService(Ci.nsISiteSecurityService); let uri = Services.io.newURI("http://localhost", null, null); SSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri, "max-age=10000", 0); do_check_true(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS, "localhost", 0)); run_next_test(); } - -function add_tests_in_mode(useMozillaPKIX) { - add_test(function () { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", - useMozillaPKIX); - run_next_test(); - }); - - // ocsp-stapling-none.example.com does not staple an OCSP response in the - // handshake, so the revocation checking code will attempt to fetch one. - // Since the domain of the certificate's OCSP AIA URI is an HSTS host - // (as added in the setup of this test), a buggy implementation would - // upgrade the OCSP request to HTTPS. We specifically prevent this. This - // test demonstrates that our implementation is correct in this regard. - add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK); - add_test(function () { run_next_test(); }); -}
--- a/security/manager/ssl/tests/unit/test_ocsp_required.js +++ b/security/manager/ssl/tests/unit/test_ocsp_required.js @@ -27,32 +27,25 @@ function run_test() { ocspResponder.registerPrefixHandler("/", function (request, response) { response.setStatusLine(request.httpVersion, 200, "OK"); response.setHeader("Content-Type", "application/ocsp-response"); response.write(ocspResponseBadSignature); gOCSPRequestCount++; }); ocspResponder.start(8080); - add_tests_in_mode(true); - add_tests_in_mode(false); + add_tests(); add_test(function () { ocspResponder.stop(run_next_test); }); run_next_test(); } -function add_tests_in_mode(useMozillaPKIX) +function add_tests() { - add_test(function () { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", - useMozillaPKIX); - run_next_test(); - }); - add_connection_test("ocsp-stapling-none.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE)); add_connection_test("ocsp-stapling-none.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE)); add_test(function () { do_check_eq(gOCSPRequestCount, 1); gOCSPRequestCount = 0; run_next_test();
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js @@ -16,23 +16,17 @@ function add_ocsp_test(aHost, aExpectedR gExpectOCSPRequest = !aStaplingEnabled; clearOCSPCache(); clearSessionCache(); Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", aStaplingEnabled); }); } -function add_tests_in_mode(useMozillaPKIX, certDB, otherTestCA) { - add_test(function () { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", - useMozillaPKIX); - run_next_test(); - }); - +function add_tests(certDB, otherTestCA) { // In the absence of OCSP stapling, these should actually all work. add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false); add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false); add_ocsp_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false); add_ocsp_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false); add_ocsp_test("ocsp-stapling-srverr.example.com", Cr.NS_OK, false); add_ocsp_test("ocsp-stapling-trylater.example.com", Cr.NS_OK, false); add_ocsp_test("ocsp-stapling-needssig.example.com", Cr.NS_OK, false); @@ -110,26 +104,21 @@ function add_tests_in_mode(useMozillaPKI clearOCSPCache(); clearSessionCache(); Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true); } ); add_ocsp_test("ocsp-stapling-empty.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true); - // TODO(bug 979070): NSS can't handle this yet. - if (useMozillaPKIX) { - add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com", - getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true); - } + add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com", + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true); add_ocsp_test("ocsp-stapling-critical-extension.example.com", - useMozillaPKIX - ? getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION) - : Cr.NS_OK, // TODO(bug 987426): NSS doesn't handle unknown critical extensions + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION), true); add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", Cr.NS_OK, true); // TODO(bug 997994): Disallow empty Extensions in responses add_ocsp_test("ocsp-stapling-empty-extensions.example.com", Cr.NS_OK, true); add_ocsp_test("ocsp-stapling-delegated-included.example.com", Cr.NS_OK, true); add_ocsp_test("ocsp-stapling-delegated-included-last.example.com", Cr.NS_OK, true); add_ocsp_test("ocsp-stapling-delegated-missing.example.com", @@ -150,21 +139,21 @@ function add_tests_in_mode(useMozillaPKI // test_ocsp_stapling_expired.js } function check_ocsp_stapling_telemetry() { let histogram = Cc["@mozilla.org/base/telemetry;1"] .getService(Ci.nsITelemetry) .getHistogramById("SSL_OCSP_STAPLING") .snapshot(); - do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused - do_check_eq(histogram.counts[1], 5 + 6); // 5 or 6 connections with a good response (bug 987426) - do_check_eq(histogram.counts[2], 2 * 18); // 18 connections with no stapled resp. - do_check_eq(histogram.counts[3], 2 * 0); // 0 connections with an expired response - do_check_eq(histogram.counts[4], 19 + 17); // 19 or 17 connections with bad responses (bug 979070, bug 987426) + do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused + do_check_eq(histogram.counts[1], 5); // 5 connections with a good response + do_check_eq(histogram.counts[2], 18); // 18 connections with no stapled resp. + do_check_eq(histogram.counts[3], 0); // 0 connections with an expired response + do_check_eq(histogram.counts[4], 19); // 19 connections with bad responses run_next_test(); } function run_test() { do_get_profile(); let certDB = Cc["@mozilla.org/security/x509certdb;1"] .getService(Ci.nsIX509CertDB); @@ -176,17 +165,16 @@ function run_test() { fakeOCSPResponder.registerPrefixHandler("/", function (request, response) { response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); do_check_true(gExpectOCSPRequest); }); fakeOCSPResponder.start(8080); add_tls_server_setup("OCSPStaplingServer"); - add_tests_in_mode(true, certDB, otherTestCA); - add_tests_in_mode(false, certDB, otherTestCA); + add_tests(certDB, otherTestCA); add_test(function () { fakeOCSPResponder.stop(check_ocsp_stapling_telemetry); }); run_next_test(); }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js @@ -55,139 +55,112 @@ function run_test() { } else { response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); response.write("Internal Server Error"); } gOCSPRequestCount++; }); ocspResponder.start(8080); add_tls_server_setup("OCSPStaplingServer"); - add_tests_in_mode(true); - add_tests_in_mode(false); - add_test(function () { ocspResponder.stop(run_next_test); }); - add_test(check_ocsp_stapling_telemetry); - run_next_test(); -} - -function add_tests_in_mode(useMozillaPKIX) -{ - add_test(function () { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", - useMozillaPKIX); - run_next_test(); - }); // In these tests, the OCSP stapling server gives us a stapled // response based on the host name ("ocsp-stapling-expired" or // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're // properly falling back to fetching revocation information. // For ocsp-stapling-expired.example.com, the OCSP stapling server // staples an expired OCSP response. The certificate has not expired. // For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling // server staples an OCSP response with a recent signature but with an // out-of-date validity period. The certificate has not expired. add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK, ocspResponseGood); add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK, ocspResponseGood); - // With mozilla::pkix, if we can't fetch a more recent response when + // if we can't fetch a more recent response when // given an expired stapled response, we terminate the connection. add_ocsp_test("ocsp-stapling-expired.example.com", - useMozillaPKIX - ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE) - : Cr.NS_OK, + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE), expiredOCSPResponseGood); add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", - useMozillaPKIX - ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE) - : Cr.NS_OK, + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE), expiredOCSPResponseGood); add_ocsp_test("ocsp-stapling-expired.example.com", - useMozillaPKIX - ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE) - : Cr.NS_OK, + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE), oldValidityPeriodOCSPResponseGood); add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", - useMozillaPKIX - ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE) - : Cr.NS_OK, + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE), oldValidityPeriodOCSPResponseGood); add_ocsp_test("ocsp-stapling-expired.example.com", - useMozillaPKIX - ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE) - : Cr.NS_OK, + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE), null); add_ocsp_test("ocsp-stapling-expired.example.com", - useMozillaPKIX - ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE) - : Cr.NS_OK, + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE), null); // Of course, if the newer response indicates Revoked or Unknown, // that status must be returned. add_ocsp_test("ocsp-stapling-expired.example.com", getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), ocspResponseRevoked); add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), ocspResponseRevoked); add_ocsp_test("ocsp-stapling-expired.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), ocspResponseUnknown); add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), ocspResponseUnknown); - if (useMozillaPKIX) { - // If the response is expired but indicates Revoked or Unknown and a - // newer status can't be fetched, the Revoked or Unknown status will - // be returned. - add_ocsp_test("ocsp-stapling-revoked-old.example.com", - getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), - null); - add_ocsp_test("ocsp-stapling-unknown-old.example.com", - getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), - null); - // If the response is expired but indicates Revoked or Unknown and - // a newer status can be fetched and successfully verified, this - // should result in a successful certificate verification. - add_ocsp_test("ocsp-stapling-revoked-old.example.com", Cr.NS_OK, - ocspResponseGood); - add_ocsp_test("ocsp-stapling-unknown-old.example.com", Cr.NS_OK, - ocspResponseGood); - // If a newer status can be fetched but it fails to verify, the - // Revoked or Unknown status of the expired stapled response - // should be returned. - add_ocsp_test("ocsp-stapling-revoked-old.example.com", - getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), - expiredOCSPResponseGood); - add_ocsp_test("ocsp-stapling-unknown-old.example.com", - getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), - expiredOCSPResponseGood); - } + // If the response is expired but indicates Revoked or Unknown and a + // newer status can't be fetched, the Revoked or Unknown status will + // be returned. + add_ocsp_test("ocsp-stapling-revoked-old.example.com", + getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), + null); + add_ocsp_test("ocsp-stapling-unknown-old.example.com", + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), + null); + // If the response is expired but indicates Revoked or Unknown and + // a newer status can be fetched and successfully verified, this + // should result in a successful certificate verification. + add_ocsp_test("ocsp-stapling-revoked-old.example.com", Cr.NS_OK, + ocspResponseGood); + add_ocsp_test("ocsp-stapling-unknown-old.example.com", Cr.NS_OK, + ocspResponseGood); + // If a newer status can be fetched but it fails to verify, the + // Revoked or Unknown status of the expired stapled response + // should be returned. + add_ocsp_test("ocsp-stapling-revoked-old.example.com", + getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), + expiredOCSPResponseGood); + add_ocsp_test("ocsp-stapling-unknown-old.example.com", + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), + expiredOCSPResponseGood); - if (useMozillaPKIX) { - // These tests are verifying that an valid but very old response - // is rejected as a valid stapled response, requiring a fetch - // from the ocsp responder. - add_ocsp_test("ocsp-stapling-ancient-valid.example.com", Cr.NS_OK, - ocspResponseGood); - add_ocsp_test("ocsp-stapling-ancient-valid.example.com", - getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), - ocspResponseRevoked); - add_ocsp_test("ocsp-stapling-ancient-valid.example.com", - getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), - ocspResponseUnknown); - } + // These tests are verifying that an valid but very old response + // is rejected as a valid stapled response, requiring a fetch + // from the ocsp responder. + add_ocsp_test("ocsp-stapling-ancient-valid.example.com", Cr.NS_OK, + ocspResponseGood); + add_ocsp_test("ocsp-stapling-ancient-valid.example.com", + getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), + ocspResponseRevoked); + add_ocsp_test("ocsp-stapling-ancient-valid.example.com", + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), + ocspResponseUnknown); + + add_test(function () { ocspResponder.stop(run_next_test); }); + add_test(check_ocsp_stapling_telemetry); + run_next_test(); } function check_ocsp_stapling_telemetry() { let histogram = Cc["@mozilla.org/base/telemetry;1"] .getService(Ci.nsITelemetry) .getHistogramById("SSL_OCSP_STAPLING") .snapshot(); - do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused - do_check_eq(histogram.counts[1], 2 * 0); // 0 connections with a good response - do_check_eq(histogram.counts[2], 2 * 0); // 0 connections with no stapled resp. - do_check_eq(histogram.counts[3], 2 * 12 + 9); // 12 connections with an expired response - // +9 more mozilla::pkix-only expired responses - do_check_eq(histogram.counts[4], 2 * 0); // 0 connections with bad responses + do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused + do_check_eq(histogram.counts[1], 0); // 0 connections with a good response + do_check_eq(histogram.counts[2], 0); // 0 connections with no stapled resp. + do_check_eq(histogram.counts[3], 21); // 21 connections with an expired response + do_check_eq(histogram.counts[4], 0); // 0 connections with bad responses run_next_test(); }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js @@ -28,28 +28,17 @@ function run_test() { response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); let body = "Refusing to return a response"; response.bodyOutputStream.write(body, body.length); }); ocspResponder.start(8080); add_tls_server_setup("OCSPStaplingServer"); - add_tests_in_mode(true); - add_tests_in_mode(false); + add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK); add_test(function () { ocspResponder.stop(run_next_test); }); add_test(function() { do_check_eq(gOCSPRequestCount, 0); run_next_test(); }); run_next_test(); } - -function add_tests_in_mode(useMozillaPKIX) { - add_test(function () { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", - useMozillaPKIX); - run_next_test(); - }); - - add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK); -}
--- a/security/manager/ssl/tests/unit/test_ocsp_timeout.js +++ b/security/manager/ssl/tests/unit/test_ocsp_timeout.js @@ -33,30 +33,26 @@ function run_test() { add_tls_server_setup("OCSPStaplingServer"); let socket = Cc["@mozilla.org/network/server-socket;1"] .createInstance(Ci.nsIServerSocket); socket.init(8080, true, -1); socket.asyncListen(gSocketListener); - add_tests_in_mode(true, true); - add_tests_in_mode(false, true); - add_tests_in_mode(true, false); - add_tests_in_mode(false, false); + add_tests_in_mode(true); + add_tests_in_mode(false); add_test(function() { socket.close(); run_next_test(); }); run_next_test(); } -function add_tests_in_mode(useMozillaPKIX, useHardFail) { +function add_tests_in_mode(useHardFail) { let startTime; add_test(function () { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", - useMozillaPKIX); Services.prefs.setBoolPref("security.OCSP.require", useHardFail); startTime = new Date(); run_next_test(); }); add_connection_test("ocsp-stapling-none.example.com", useHardFail ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_SERVER_ERROR) : Cr.NS_OK, clearSessionCache);
--- a/security/manager/ssl/tests/unit/test_ocsp_url.js +++ b/security/manager/ssl/tests/unit/test_ocsp_url.js @@ -35,69 +35,48 @@ function run_test() { addCertFromFile(certdb, "test_ocsp_url/int.der", ',,'); // Enabled so that we can force ocsp failure responses. Services.prefs.setBoolPref("security.OCSP.require", true); Services.prefs.setCharPref("network.dns.localDomains", "www.example.com"); - add_tests_in_mode(true); - add_tests_in_mode(false); - run_next_test(); -} - -function add_tests_in_mode(useMozillaPKIX) -{ - add_test(function() { - Services.prefs.setBoolPref("security.use_mozillapkix_verification", - useMozillaPKIX); - run_next_test(); - }); - add_test(function() { clearOCSPCache(); let ocspResponder = failingOCSPResponder(); - check_cert_err("bad-scheme", - useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION - : SEC_ERROR_OCSP_MALFORMED_REQUEST); + check_cert_err("bad-scheme",SEC_ERROR_CERT_BAD_ACCESS_LOCATION); ocspResponder.stop(run_next_test); }); add_test(function() { clearOCSPCache(); let ocspResponder = failingOCSPResponder(); - check_cert_err("empty-scheme-url", - useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION - : SEC_ERROR_OCSP_MALFORMED_REQUEST); + check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); ocspResponder.stop(run_next_test); }); add_test(function() { clearOCSPCache(); let ocspResponder = failingOCSPResponder(); - check_cert_err("https-url", - useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION - : SEC_ERROR_OCSP_MALFORMED_REQUEST); + check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); ocspResponder.stop(run_next_test); }); add_test(function() { clearOCSPCache(); let ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]); check_cert_err("hTTp-url", 0); ocspResponder.stop(run_next_test); }); add_test(function() { clearOCSPCache(); let ocspResponder = failingOCSPResponder(); - check_cert_err("negative-port", - useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION - : SEC_ERROR_OCSP_MALFORMED_REQUEST); + check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); ocspResponder.stop(run_next_test); }); add_test(function() { clearOCSPCache(); let ocspResponder = failingOCSPResponder(); // XXX Bug 1013615 parser accepts ":8888" as hostname check_cert_err("no-host-url", SEC_ERROR_OCSP_SERVER_ERROR); @@ -109,33 +88,28 @@ function add_tests_in_mode(useMozillaPKI let ocspResponder = start_ocsp_responder(["no-path-url"], ['']); check_cert_err("no-path-url", 0); ocspResponder.stop(run_next_test); }); add_test(function() { clearOCSPCache(); let ocspResponder = failingOCSPResponder(); - check_cert_err("no-scheme-host-port", - useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION - : SEC_ERROR_OCSP_MALFORMED_REQUEST); + check_cert_err("no-scheme-host-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); ocspResponder.stop(run_next_test); }); add_test(function() { clearOCSPCache(); let ocspResponder = failingOCSPResponder(); - check_cert_err("no-scheme-url", - useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION - : SEC_ERROR_OCSP_MALFORMED_REQUEST); + check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); ocspResponder.stop(run_next_test); }); add_test(function() { clearOCSPCache(); let ocspResponder = failingOCSPResponder(); - check_cert_err("unknown-scheme", - useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION - : SEC_ERROR_OCSP_MALFORMED_REQUEST); + check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); ocspResponder.stop(run_next_test); }); + run_next_test(); }
--- a/toolkit/components/telemetry/Histograms.json +++ b/toolkit/components/telemetry/Histograms.json @@ -1242,22 +1242,16 @@ "CERT_VALIDATION_HTTP_REQUEST_FAILED_TIME": { "expires_in_version": "never", "kind": "exponential", "high": "60000", "n_buckets": 200, "extended_statistics_ok": true, "description": "ms elapsed time of OCSP etc.. that failed" }, - "CERT_VALIDATION_LIBRARY": { - "expires_in_version": "never", - "kind": "enumerated", - "n_values": 4, - "description": "Which certificate validation library is in use? (1=classic, 2=libpkix, 3=mozilla::pkix)" - }, "SSL_KEY_EXCHANGE_ALGORITHM_FULL": { "expires_in_version": "never", "kind": "enumerated", "n_values": 16, "description": "SSL Handshake Key Exchange Algorithm for full handshake (null=0, rsa=1, dh=2, fortezza=3, ecdh=4)" }, "SSL_KEY_EXCHANGE_ALGORITHM_RESUMED": { "expires_in_version": "never", @@ -4493,56 +4487,24 @@ "TELEMETRY_MEMORY_REPORTER_MS": { "expires_in_version": "never", "kind": "exponential", "high": "5000", "n_buckets": 10, "extended_statistics_ok": true, "description": "Time (ms) it takes to run memory reporters when sending a telemetry ping" }, - "SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX": { - "expires_in_version": "never", - "kind": "exponential", - "high": "60000", - "n_buckets": 50, - "extended_statistics_ok": true, - "description": "Time spent on a successful cert verification in libpix mode (ms)" - }, - "SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC": { - "expires_in_version": "never", - "kind": "exponential", - "high": "60000", - "n_buckets": 50, - "extended_statistics_ok": true, - "description": "Time spent on a successful cert verification in classic mode (ms)" - }, "SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX" : { "expires_in_version": "never", "kind": "exponential", "high": "60000", "n_buckets": 50, "extended_statistics_ok": true, "description": "Time spent on a successful cert verification in mozilla::pkix mode (ms)" }, - "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX" : { - "expires_in_version": "never", - "kind": "exponential", - "high": "60000", - "n_buckets": 50, - "extended_statistics_ok": true, - "description": "Time spent on an initially failed cert verification in libpix mode (ms)" - }, - "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC": { - "expires_in_version": "never", - "kind": "exponential", - "high": "60000", - "n_buckets": 50, - "extended_statistics_ok": true, - "description": "Time spent on an initially failed cert verification in classic mode (ms)" - }, "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX" : { "expires_in_version": "never", "kind": "exponential", "high": "60000", "n_buckets": 50, "extended_statistics_ok": true, "description": "Time spent on an initially failed cert verification in mozilla::pkix mode (ms)" },