bug 1594510 - update all TrustDomain implementations in mozilla-central due to the mozilla::pkix API change in bug 1593141 r=mbirghan
authorDana Keeler <dkeeler@mozilla.com>
Fri, 15 Nov 2019 18:26:45 +0000
changeset 502259 da344ab046b6ec344be2595752224d8ebc848b27
parent 502258 bbbe694dbff25ce304833a9c2f6520ba9f61fb32
child 502260 cee8f503d3c32d97955c077405880439c6c2a365
push id114172
push userdluca@mozilla.com
push dateTue, 19 Nov 2019 11:31:10 +0000
treeherdermozilla-inbound@b5c5ba07d3db [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmbirghan
bugs1594510, 1593141
milestone72.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
bug 1594510 - update all TrustDomain implementations in mozilla-central due to the mozilla::pkix API change in bug 1593141 r=mbirghan Bug 1593141 adds a parameter to mozilla::pkix::TrustDomain::CheckRevocation. This patch updates all TrustDomain implementations in mozilla-central to reflect this. Differential Revision: https://phabricator.services.mozilla.com/D52066
security/apps/AppTrustDomain.cpp
security/apps/AppTrustDomain.h
security/certverifier/NSSCertDBTrustDomain.cpp
security/certverifier/NSSCertDBTrustDomain.h
security/certverifier/OCSPVerificationTrustDomain.cpp
security/certverifier/OCSPVerificationTrustDomain.h
security/ct/CTLogVerifier.cpp
security/ct/tests/gtest/CTTestUtils.cpp
security/manager/ssl/CSTrustDomain.cpp
security/manager/ssl/CSTrustDomain.h
--- a/security/apps/AppTrustDomain.cpp
+++ b/security/apps/AppTrustDomain.cpp
@@ -187,17 +187,17 @@ Result AppTrustDomain::GetCertTrust(EndE
 }
 
 Result AppTrustDomain::DigestBuf(Input item, DigestAlgorithm digestAlg,
                                  /*out*/ uint8_t* digestBuf,
                                  size_t digestBufLen) {
   return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
 }
 
-Result AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, Time,
+Result AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, Time, Time,
                                        Duration,
                                        /*optional*/ const Input*,
                                        /*optional*/ const Input*) {
   // We don't currently do revocation checking. If we need to distrust an Apps
   // certificate, we will use the active distrust mechanism.
   return Success;
 }
 
--- a/security/apps/AppTrustDomain.h
+++ b/security/apps/AppTrustDomain.h
@@ -29,16 +29,17 @@ class AppTrustDomain final : public mozi
       mozilla::pkix::Input candidateCertDER,
       /*out*/ mozilla::pkix::TrustLevel& trustLevel) override;
   virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
                             IssuerChecker& checker,
                             mozilla::pkix::Time time) override;
   virtual Result CheckRevocation(
       mozilla::pkix::EndEntityOrCA endEntityOrCA,
       const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
+      mozilla::pkix::Time validityPeriodBeginning,
       mozilla::pkix::Duration validityDuration,
       /*optional*/ const mozilla::pkix::Input* stapledOCSPresponse,
       /*optional*/ const mozilla::pkix::Input* aiaExtension) override;
   virtual Result IsChainValid(
       const mozilla::pkix::DERArray& certChain, mozilla::pkix::Time time,
       const mozilla::pkix::CertPolicyId& requiredPolicy) override;
   virtual Result CheckSignatureDigestAlgorithm(
       mozilla::pkix::DigestAlgorithm digestAlg,
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -592,17 +592,17 @@ static Result GetOCSPAuthorityInfoAccess
     }
   }
 
   return Success;
 }
 
 Result NSSCertDBTrustDomain::CheckRevocation(
     EndEntityOrCA endEntityOrCA, const CertID& certID, Time time,
-    Duration validityDuration,
+    Time validityPeriodBeginning, Duration validityDuration,
     /*optional*/ const Input* stapledOCSPResponse,
     /*optional*/ const Input* aiaExtension) {
   // Actively distrusted certificates will have already been blocked by
   // GetCertTrust.
 
   // TODO: need to verify that IsRevoked isn't called for trust anchors AND
   // that that fact is documented in mozillapkix.
 
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -217,16 +217,17 @@ class NSSCertDBTrustDomain : public mozi
 
   virtual Result NetscapeStepUpMatchesServerAuth(
       mozilla::pkix::Time notBefore,
       /*out*/ bool& matches) override;
 
   virtual Result CheckRevocation(
       mozilla::pkix::EndEntityOrCA endEntityOrCA,
       const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
+      mozilla::pkix::Time validityPeriodBeginning,
       mozilla::pkix::Duration validityDuration,
       /*optional*/ const mozilla::pkix::Input* stapledOCSPResponse,
       /*optional*/ const mozilla::pkix::Input* aiaExtension) override;
 
   virtual Result IsChainValid(
       const mozilla::pkix::DERArray& certChain, mozilla::pkix::Time time,
       const mozilla::pkix::CertPolicyId& requiredPolicy) override;
 
--- a/security/certverifier/OCSPVerificationTrustDomain.cpp
+++ b/security/certverifier/OCSPVerificationTrustDomain.cpp
@@ -31,17 +31,17 @@ Result OCSPVerificationTrustDomain::Find
 
 Result OCSPVerificationTrustDomain::IsChainValid(const DERArray&, Time,
                                                  const CertPolicyId&) {
   // We do not expect this to be called for OCSP signers
   return Result::FATAL_ERROR_LIBRARY_FAILURE;
 }
 
 Result OCSPVerificationTrustDomain::CheckRevocation(EndEntityOrCA,
-                                                    const CertID&, Time,
+                                                    const CertID&, Time, Time,
                                                     Duration, const Input*,
                                                     const Input*) {
   // We do not expect this to be called for OCSP signers
   return Result::FATAL_ERROR_LIBRARY_FAILURE;
 }
 
 Result OCSPVerificationTrustDomain::CheckSignatureDigestAlgorithm(
     DigestAlgorithm aAlg, EndEntityOrCA aEEOrCA, Time notBefore) {
--- a/security/certverifier/OCSPVerificationTrustDomain.h
+++ b/security/certverifier/OCSPVerificationTrustDomain.h
@@ -62,16 +62,17 @@ class OCSPVerificationTrustDomain : publ
 
   virtual Result NetscapeStepUpMatchesServerAuth(
       mozilla::pkix::Time notBefore,
       /*out*/ bool& matches) override;
 
   virtual Result CheckRevocation(
       mozilla::pkix::EndEntityOrCA endEntityOrCA,
       const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
+      mozilla::pkix::Time validityPeriodBeginning,
       mozilla::pkix::Duration validityDuration,
       /*optional*/ const mozilla::pkix::Input* stapledOCSPResponse,
       /*optional*/ const mozilla::pkix::Input* aiaExtension) override;
 
   virtual Result IsChainValid(
       const mozilla::pkix::DERArray& certChain, mozilla::pkix::Time time,
       const mozilla::pkix::CertPolicyId& requiredPolicy) override;
 
--- a/security/ct/CTLogVerifier.cpp
+++ b/security/ct/CTLogVerifier.cpp
@@ -33,17 +33,17 @@ class SignatureParamsTrustDomain final :
                       TrustLevel&) override {
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
   Result FindIssuer(Input, IssuerChecker&, Time) override {
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
                          const Input*, const Input*) override {
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
   Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override {
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
--- a/security/ct/tests/gtest/CTTestUtils.cpp
+++ b/security/ct/tests/gtest/CTTestUtils.cpp
@@ -670,18 +670,18 @@ class OCSPExtensionTrustDomain : public 
     return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
   pkix::Result FindIssuer(Input, IssuerChecker&, Time) override {
     ADD_FAILURE();
     return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
-  pkix::Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
-                               const Input*, const Input*) override {
+  pkix::Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time,
+                               Duration, const Input*, const Input*) override {
     ADD_FAILURE();
     return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
   }
 
   pkix::Result IsChainValid(const DERArray&, Time,
                             const CertPolicyId&) override {
     ADD_FAILURE();
     return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
--- a/security/manager/ssl/CSTrustDomain.cpp
+++ b/security/manager/ssl/CSTrustDomain.cpp
@@ -155,17 +155,17 @@ Result CSTrustDomain::FindIssuer(Input e
     }
   }
 
   return Success;
 }
 
 Result CSTrustDomain::CheckRevocation(
     EndEntityOrCA endEntityOrCA, const CertID& certID, Time time,
-    Duration validityDuration,
+    Time validityPeriodBeginning, Duration validityDuration,
     /*optional*/ const Input* stapledOCSPresponse,
     /*optional*/ const Input* aiaExtension) {
   // We're relying solely on the CertBlocklist for revocation - and we're
   // performing checks on this in GetCertTrust (as per nsNSSCertDBTrustDomain)
   return Success;
 }
 
 Result CSTrustDomain::IsChainValid(const DERArray& certChain, Time time,
--- a/security/manager/ssl/CSTrustDomain.h
+++ b/security/manager/ssl/CSTrustDomain.h
@@ -34,16 +34,17 @@ class CSTrustDomain final : public mozil
       mozilla::pkix::Input candidateCertDER,
       /*out*/ mozilla::pkix::TrustLevel& trustLevel) override;
   virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
                             IssuerChecker& checker,
                             mozilla::pkix::Time time) override;
   virtual Result CheckRevocation(
       mozilla::pkix::EndEntityOrCA endEntityOrCA,
       const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
+      mozilla::pkix::Time validityPeriodBeginning,
       mozilla::pkix::Duration validityDuration,
       /*optional*/ const mozilla::pkix::Input* stapledOCSPresponse,
       /*optional*/ const mozilla::pkix::Input* aiaExtension) override;
   virtual Result IsChainValid(
       const mozilla::pkix::DERArray& certChain, mozilla::pkix::Time time,
       const mozilla::pkix::CertPolicyId& requiredPolicy) override;
   virtual Result CheckSignatureDigestAlgorithm(
       mozilla::pkix::DigestAlgorithm digestAlg,