author | ffxbld |
Thu, 06 Apr 2017 07:59:12 -0700 (2017-04-06) | |
changeset 351544 | facaf90aeaaf6d7cf5e2966f9f918319536bddea |
parent 345093 | df65d15b648daef67f1a76987c21f4fe9b23bdb7 |
child 352715 | 7c1d15e5f6b014dd6b8a247efe012db74c654a4f |
permissions | -rw-r--r-- |
165287
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ |
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
/* vim: set ts=8 sts=2 et sw=2 tw=80: */ |
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
/* This Source Code Form is subject to the terms of the Mozilla Public |
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
* License, v. 2.0. If a copy of the MPL was not distributed with this |
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
|
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
#include "NSSCertDBTrustDomain.h" |
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
|
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
#include <stdint.h> |
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
|
170833
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
#include "ExtendedValidation.h" |
296847
222ef20fe6334e050d2b9f8f3ebc47ee1a97f6e8
Bug 1270005 - Replace uses of ScopedPK11SlotInfo with UniquePK11SlotInfo in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
#include "NSSErrorsService.h" |
181310
daee17c1458115ef05b91c19a13a407052bf9b9e
bug 982248 - NSSCertDBTrustDomain: specify timeout for OCSP requests r=briansmith
David Keeler <dkeeler@mozilla.com>
#include "OCSPRequestor.h" |
253509
4caca8feef1fe207d00a1f43bb6859db685000d5
Bug 1183822 - fix OCSP verification failures (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
#include "OCSPVerificationTrustDomain.h" |
296847
222ef20fe6334e050d2b9f8f3ebc47ee1a97f6e8
Bug 1270005 - Replace uses of ScopedPK11SlotInfo with UniquePK11SlotInfo in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
#include "PublicKeyPinningService.h" |
222ef20fe6334e050d2b9f8f3ebc47ee1a97f6e8
Bug 1270005 - Replace uses of ScopedPK11SlotInfo with UniquePK11SlotInfo in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
#include "cert.h" |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
#include "certdb.h" |
315367
50143dbdcb47bf47c8827c8777b0e11e92e25418
Bug 1293231 - Certificate Transparency - basic telemetry reports; r=Cykesiopka,keeler
Sergei Chernov <sergei.cv@ndivi.com>
#include "mozilla/Assertions.h" |
298159
1ef294cb3b47138416d559cb2f36f35dc0de7151
Bug 1271501 - Use mozilla::BitwiseCast instead of reinterpret_cast in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
#include "mozilla/Casting.h" |
325933
676ca54f13dbfbab36e40b1bbc0e42416c6a3ea8
Bug 1313715 - Avoid unnecessary uses of PR_SetError() under security/apps/ and security/certverifier/. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
#include "mozilla/Move.h" |
319324
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
#include "mozilla/PodOperations.h" |
330020
c4abb503bfcddd2c79f998047bbede6672b6bd0c
Bug 1330365 - Use mozilla::TimeStamp instead of NSPR's PRIntervalTime for OCSP timeout code. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
#include "mozilla/TimeStamp.h" |
310969
564549c354b038a465c0b3fc245da3cab8753eab
Bug 1297276 - Rename mfbt/unused.h to mfbt/Unused.h for consistency. r=froydnj
Kan-Ru Chen <kanru@kanru.info>
#include "mozilla/Unused.h" |
222874
5f8dbb4956752d9759c92ac84b37c79d046805d2
Bug 1024809 - (OneCRL) Create a blocklist mechanism to revoke intermediate certs. r=keeler r=Unfocused
Mark Goodwin <mgoodwin@mozilla.com>, Harsh Pathak <hpathak@mozilla.com>
#include "nsNSSCertificate.h" |
296847
222ef20fe6334e050d2b9f8f3ebc47ee1a97f6e8
Bug 1270005 - Replace uses of ScopedPK11SlotInfo with UniquePK11SlotInfo in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
#include "nsServiceManagerUtils.h" |
165287
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
#include "nss.h" |
165291
3e3ddb3ce8d331b9898c04e1bb90764738366edc
Bug 891066, Part 6: Move SSL server cert verification logic to security/certverifier, r=cviecco
Brian Smith <brian@briansmith.org>
#include "pk11pub.h" |
296847
222ef20fe6334e050d2b9f8f3ebc47ee1a97f6e8
Bug 1270005 - Replace uses of ScopedPK11SlotInfo with UniquePK11SlotInfo in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
#include "pkix/Result.h" |
181310
daee17c1458115ef05b91c19a13a407052bf9b9e
bug 982248 - NSSCertDBTrustDomain: specify timeout for OCSP requests r=briansmith
David Keeler <dkeeler@mozilla.com>
#include "pkix/pkix.h" |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
#include "pkix/pkixnss.h" |
165287
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
#include "prerror.h" |
165291
3e3ddb3ce8d331b9898c04e1bb90764738366edc
Bug 891066, Part 6: Move SSL server cert verification logic to security/certverifier, r=cviecco
Brian Smith <brian@briansmith.org>
#include "prmem.h" |
165287
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
#include "secerr.h" |
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
|
239764
c94a39913b477f2848a4a7ca68548008f5710d5e
bug 1151512 - only allow whitelisted certificates to be issued by CNNIC root certificates r=jcj r=rbarnes
David Keeler <dkeeler@mozilla.com>
#include "CNNICHashWhitelist.inc" |
319324
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
#include "StartComAndWoSignData.inc" |
239764
c94a39913b477f2848a4a7ca68548008f5710d5e
bug 1151512 - only allow whitelisted certificates to be issued by CNNIC root certificates r=jcj r=rbarnes
David Keeler <dkeeler@mozilla.com>
|
192744
3acf9162f52d566e5d446ddc7ce24dd5d390e365
Bug 1034636: Remove mozilla::pkix::ScopedCERTCertifciate and mozilla::pkix::ScopedPLArenaPool, r=mmc
Brian Smith <brian@briansmith.org>
using namespace mozilla; |
174647
04ea38d3515f3dd7e739cfed8005fa70634c06fb
bug 985201 - rename insanity::pkix to mozilla::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
using namespace mozilla::pkix; |
165287
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
|
288368
5c19306be55e240d32c7b36f39a06b640c69fce5
Bug 1219482: Replace PRLogModuleInfo with LazyLogModule in security subdirectory.r=nfroyd
sajitk <sajitk@rocketmail.com>
extern LazyLogModule gCertVerifierLog; |
168279
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
|
197619
a4a8b3b58191206f53748d823cf255fba4042253
Bug 1043041: Use mozilla::pkix::Time instead of PRTime, r=keeler
Brian Smith <brian@briansmith.org>
// Delay expressed in seconds: 5 * 60 = 300 s, i.e. five minutes.
// NOTE(review): the name suggests a back-off applied after a server (OCSP
// responder) failure, but no use of this constant is visible in this excerpt;
// confirm at the use site. The annotate history on this page attributes the
// line to bug 1043041 (use mozilla::pkix::Time instead of PRTime).
static const uint64_t ServerFailureDelaySeconds = 5 * 60;
a4a8b3b58191206f53748d823cf255fba4042253
Bug 1043041: Use mozilla::pkix::Time instead of PRTime, r=keeler
Brian Smith <brian@briansmith.org>
|
165287
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
namespace mozilla { namespace psm { |
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
|
168279
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
// Constructs an NSSCertDBTrustDomain. Every argument is stored in the member
// of the matching name; the constructor body itself does no work.
//
// Members not taken from an argument:
//   - mCertBlocklist is obtained with
//     do_GetService(NS_CERTBLOCKLIST_CONTRACTID). The result is not checked
//     here. NOTE(review): code that consults the blocklist should handle the
//     case where the service could not be obtained -- confirm at the use
//     sites, which are outside this excerpt.
//   - mOCSPStaplingStatus starts as CertVerifier::OCSP_STAPLING_NEVER_CHECKED.
//   - mSCTListFromCertificate and mSCTListFromOCSPStapling are
//     value-initialized.
//
// Arguments a caller should pay attention to:
//   - pinArg is marked "optional but shouldn't be".
//   - pinningTelemetryInfo and hostname are marked optional; presumably they
//     may be null, so readers of mPinningTelemetryInfo / mHostname need a
//     null check (verify against the class declaration and callers).
//   - ocspCache and builtChain are taken by non-const reference and
//     originAttributes by const reference. NOTE(review): the member types
//     are not visible here; if the members are references or raw pointers
//     (including mHostname), the caller must keep the referents alive for
//     the lifetime of this object.
//
// Policy inputs and the changes that introduced them, per the annotate
// history on this page:
//   - certShortLifetimeInDays: bug 1141189 (skip OCSP fetching for
//     short-lived certificates).
//   - minRSABits: bug 1139177 (RSA public key size checking).
//   - validityCheckingMode: bug 1145679 (EV certificates with overly long
//     validity periods).
//   - sha1Mode: bug 942515 (SHA-1-based SSL certificates).
//   - netscapeStepUpPolicy: bug 982932 (Netscape-stepUp for serverAuth only
//     for old CA certificates).
//   - originAttributes: bug 1315143 (OCSP uses the Origin Attribute
//     framework).
//   - mCertBlocklist: bug 1024809 (OneCRL blocklist for intermediate certs).
NSSCertDBTrustDomain::NSSCertDBTrustDomain(
    SECTrustType certDBTrustType,
    OCSPFetching ocspFetching,
    OCSPCache& ocspCache,
    /*optional but shouldn't be*/ void* pinArg,
    CertVerifier::OcspGetConfig ocspGETConfig,
    uint32_t certShortLifetimeInDays,
    CertVerifier::PinningMode pinningMode,
    unsigned int minRSABits,
    ValidityCheckingMode validityCheckingMode,
    CertVerifier::SHA1Mode sha1Mode,
    NetscapeStepUpPolicy netscapeStepUpPolicy,
    const OriginAttributes& originAttributes,
    UniqueCERTCertList& builtChain,
    /*optional*/ PinningTelemetryInfo* pinningTelemetryInfo,
    /*optional*/ const char* hostname)
  : mCertDBTrustType(certDBTrustType),
    mOCSPFetching(ocspFetching),
    mOCSPCache(ocspCache),
    mPinArg(pinArg),
    mOCSPGetConfig(ocspGETConfig),
    mCertShortLifetimeInDays(certShortLifetimeInDays),
    mPinningMode(pinningMode),
    mMinRSABits(minRSABits),
    mValidityCheckingMode(validityCheckingMode),
    mSHA1Mode(sha1Mode),
    mNetscapeStepUpPolicy(netscapeStepUpPolicy),
    mOriginAttributes(originAttributes),
    mBuiltChain(builtChain),
    mPinningTelemetryInfo(pinningTelemetryInfo),
    mHostname(hostname),
    mCertBlocklist(do_GetService(NS_CERTBLOCKLIST_CONTRACTID)),
    mOCSPStaplingStatus(CertVerifier::OCSP_STAPLING_NEVER_CHECKED),
    mSCTListFromCertificate(),
    mSCTListFromOCSPStapling()
{
  // Intentionally empty: all state is set by the initializer list.
}
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
|
218543
9cdb1871bd6540b8d2e238c73bc2458ffc13febd
bug 1020237 - follow-up to fix build bustage r=bustage on a CLOSED TREE
David Keeler <dkeeler@mozilla.com>
// If useRoots is true, we only use root certificates in the candidate list. |
9cdb1871bd6540b8d2e238c73bc2458ffc13febd
bug 1020237 - follow-up to fix build bustage r=bustage on a CLOSED TREE
David Keeler <dkeeler@mozilla.com>
// If useRoots is false, we only use non-root certificates in the list. |
218541
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
static Result |
296399
6fc34759465ee7246858c63d090270797cd1f220
Bug 1267905 - Replace uses of ScopedCERTCertList with UniqueCERTCertList. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
FindIssuerInner(const UniqueCERTCertList& candidates, bool useRoots, |
218541
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
Input encodedIssuerName, TrustDomain::IssuerChecker& checker, |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
/*out*/ bool& keepGoing) |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
{ |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
keepGoing = true; |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
for (CERTCertListNode* n = CERT_LIST_HEAD(candidates); |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
!CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) { |
218543
9cdb1871bd6540b8d2e238c73bc2458ffc13febd
bug 1020237 - follow-up to fix build bustage r=bustage on a CLOSED TREE
David Keeler <dkeeler@mozilla.com>
bool candidateIsRoot = !!n->cert->isRoot; |
9cdb1871bd6540b8d2e238c73bc2458ffc13febd
bug 1020237 - follow-up to fix build bustage r=bustage on a CLOSED TREE
David Keeler <dkeeler@mozilla.com>
if (candidateIsRoot != useRoots) { |
218541
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
continue; |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
} |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
Input certDER; |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
Result rv = certDER.Init(n->cert->derCert.data, n->cert->derCert.len); |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
if (rv != Success) { |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
continue; // probably too big |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
} |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
|
240892
91f989aedf12563b1bb431adb87124b91af13a34
Bug 1121982 - Update PSM to use NSS name constraints
Richard Barnes <rbarnes@mozilla.com>
const SECItem encodedIssuerNameItem = { |
91f989aedf12563b1bb431adb87124b91af13a34
Bug 1121982 - Update PSM to use NSS name constraints
Richard Barnes <rbarnes@mozilla.com>
siBuffer, |
91f989aedf12563b1bb431adb87124b91af13a34
Bug 1121982 - Update PSM to use NSS name constraints
Richard Barnes <rbarnes@mozilla.com>
const_cast<unsigned char*>(encodedIssuerName.UnsafeGetData()), |
91f989aedf12563b1bb431adb87124b91af13a34
Bug 1121982 - Update PSM to use NSS name constraints
Richard Barnes <rbarnes@mozilla.com>
encodedIssuerName.GetLength() |
91f989aedf12563b1bb431adb87124b91af13a34
Bug 1121982 - Update PSM to use NSS name constraints
Richard Barnes <rbarnes@mozilla.com>
}; |
298730
34f82d838f0366381161ba9efcc2bc8124541968
Bug 1271496 - Stop using Scoped.h in non-exported PSM code. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
ScopedAutoSECItem nameConstraints; |
240892
91f989aedf12563b1bb431adb87124b91af13a34
Bug 1121982 - Update PSM to use NSS name constraints
Richard Barnes <rbarnes@mozilla.com>
SECStatus srv = CERT_GetImposedNameConstraints(&encodedIssuerNameItem, |
298730
34f82d838f0366381161ba9efcc2bc8124541968
Bug 1271496 - Stop using Scoped.h in non-exported PSM code. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
&nameConstraints); |
240892
91f989aedf12563b1bb431adb87124b91af13a34
Bug 1121982 - Update PSM to use NSS name constraints
Richard Barnes <rbarnes@mozilla.com>
if (srv != SECSuccess) { |
91f989aedf12563b1bb431adb87124b91af13a34
Bug 1121982 - Update PSM to use NSS name constraints
Richard Barnes <rbarnes@mozilla.com>
if (PR_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) { |
218541
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
return Result::FATAL_ERROR_LIBRARY_FAILURE; |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
} |
240892
91f989aedf12563b1bb431adb87124b91af13a34
Bug 1121982 - Update PSM to use NSS name constraints
Richard Barnes <rbarnes@mozilla.com>
|
91f989aedf12563b1bb431adb87124b91af13a34
Bug 1121982 - Update PSM to use NSS name constraints
Richard Barnes <rbarnes@mozilla.com>
// If no imposed name constraints were found, continue without them |
91f989aedf12563b1bb431adb87124b91af13a34
Bug 1121982 - Update PSM to use NSS name constraints
Richard Barnes <rbarnes@mozilla.com>
rv = checker.Check(certDER, nullptr, keepGoing); |
218541
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
} else { |
240892
91f989aedf12563b1bb431adb87124b91af13a34
Bug 1121982 - Update PSM to use NSS name constraints
Richard Barnes <rbarnes@mozilla.com>
// Otherwise apply the constraints |
91f989aedf12563b1bb431adb87124b91af13a34
Bug 1121982 - Update PSM to use NSS name constraints
Richard Barnes <rbarnes@mozilla.com>
parents:
239764
diff
changeset
|
121 |
Input nameConstraintsInput; |
298730
34f82d838f0366381161ba9efcc2bc8124541968
Bug 1271496 - Stop using Scoped.h in non-exported PSM code. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
298427
diff
changeset
|
122 |
if (nameConstraintsInput.Init(nameConstraints.data, nameConstraints.len) |
34f82d838f0366381161ba9efcc2bc8124541968
Bug 1271496 - Stop using Scoped.h in non-exported PSM code. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
298427
diff
changeset
|
123 |
!= Success) { |
240892
91f989aedf12563b1bb431adb87124b91af13a34
Bug 1121982 - Update PSM to use NSS name constraints
Richard Barnes <rbarnes@mozilla.com>
parents:
239764
diff
changeset
|
124 |
return Result::FATAL_ERROR_LIBRARY_FAILURE; |
91f989aedf12563b1bb431adb87124b91af13a34
Bug 1121982 - Update PSM to use NSS name constraints
Richard Barnes <rbarnes@mozilla.com>
parents:
239764
diff
changeset
|
125 |
} |
91f989aedf12563b1bb431adb87124b91af13a34
Bug 1121982 - Update PSM to use NSS name constraints
Richard Barnes <rbarnes@mozilla.com>
parents:
239764
diff
changeset
|
126 |
rv = checker.Check(certDER, &nameConstraintsInput, keepGoing); |
218541
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
218003
diff
changeset
|
127 |
} |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
218003
diff
changeset
|
128 |
if (rv != Success) { |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
218003
diff
changeset
|
129 |
return rv; |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
218003
diff
changeset
|
130 |
} |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
218003
diff
changeset
|
131 |
if (!keepGoing) { |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
218003
diff
changeset
|
132 |
break; |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
218003
diff
changeset
|
133 |
} |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
218003
diff
changeset
|
134 |
} |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
218003
diff
changeset
|
135 |
|
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
218003
diff
changeset
|
136 |
return Success; |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
218003
diff
changeset
|
137 |
} |
73051c757857dda21a97ca731a1806aec25604aa
bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
218003
diff
changeset
|
138 |
|
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
parents:
196235
diff
changeset
|
139 |
// Offers every certificate in the default NSS certificate DB whose subject
// matches encodedIssuerName to `checker` as a potential issuer: root
// certificates first, then non-root certificates (Bug 1020237).
//
// Returns the first non-Success result reported by FindIssuerInner, otherwise
// Success. The unnamed Time parameter is not used in this function.
Result
NSSCertDBTrustDomain::FindIssuer(Input encodedIssuerName,
                                 IssuerChecker& checker, Time)
{
  // TODO: NSS seems to be ambiguous between "no potential issuers found" and
  // "there was an error trying to retrieve the potential issuers."
  // NOTE(review): because of that ambiguity, a null list from either cause
  // takes the early return below, so a failed DB lookup is reported as
  // Success with no candidate ever offered to the checker.
  //
  // NOTE(review): the name suggests the SECItem aliases the Input's bytes
  // rather than copying them; confirm it is not used after the Input goes away.
  SECItem issuerNameItem = UnsafeMapInputToSECItem(encodedIssuerName);

  // The trailing arguments (sorttime 0, validOnly false) ask NSS not to filter
  // the list by validity period; expired certificates are left for
  // mozilla::pkix to reject (Bug 1047792).
  UniqueCERTCertList potentialIssuers(
    CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
                               &issuerNameItem, 0, false));
  if (!potentialIssuers) {
    return Success;
  }

  // Set through FindIssuerInner's out-parameter.
  // NOTE(review): left uninitialized here; FindIssuerInner is presumably
  // responsible for assigning it on every Success path. Its opening lines are
  // not visible from this function, so confirm.
  bool continueSearch;

  // Pass 1: root certificates only.
  Result rootsResult = FindIssuerInner(potentialIssuers, true,
                                       encodedIssuerName, checker,
                                       continueSearch);
  if (rootsResult != Success) {
    return rootsResult;
  }
  if (!continueSearch) {
    return Success;
  }

  // Pass 2: non-root certificates. Whatever this pass reports (Success or an
  // error) is the function's result.
  return FindIssuerInner(potentialIssuers, false, encodedIssuerName, checker,
                         continueSearch);
}
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
169 |
|
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
parents:
196235
diff
changeset
|
170 |
Result |
168279
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
171 |
NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA, |
183490
a4ae7060f43ac1a4e49b30dfd7a95c5212940d4b
Bug 1006958: Use mozilla::pkix::der to parse certificate policies instead of NSS, r=keeler
Brian Smith <brian@briansmith.org>
parents:
181310
diff
changeset
|
172 |
const CertPolicyId& policy, |
197251
c989be71f8443b628a15cd0aab16f47de73d3582
Bug 1041186, Part 2: Rename Input to Reader and InputBuffer to Input, r=keeler
Brian Smith <brian@briansmith.org>
parents:
197250
diff
changeset
|
173 |
Input candidateCertDER, |
197204
a6147f19dc56aecfcce19a019d8f966db8a32492
Bug 1041343: Use references instead of pointers for TrustLevel output parameters, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
197202
diff
changeset
|
174 |
/*out*/ TrustLevel& trustLevel) |
168279
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
175 |
{ |
186441
44be87ea2e1be101218c3cb66032f599c465610a
Bug 1019814: Remove CERTCertificate dependency from TrustDomain::GetCertTrust, r=keeler
Brian Smith <brian@briansmith.org>
parents:
185979
diff
changeset
|
176 |
// XXX: This would be cleaner and more efficient if we could get the trust |
44be87ea2e1be101218c3cb66032f599c465610a
Bug 1019814: Remove CERTCertificate dependency from TrustDomain::GetCertTrust, r=keeler
Brian Smith <brian@briansmith.org>
parents:
185979
diff
changeset
|
177 |
// information without constructing a CERTCertificate here, but NSS doesn't |
44be87ea2e1be101218c3cb66032f599c465610a
Bug 1019814: Remove CERTCertificate dependency from TrustDomain::GetCertTrust, r=keeler
Brian Smith <brian@briansmith.org>
parents:
185979
diff
changeset
|
178 |
// expose it in any other easy-to-use fashion. The use of |
44be87ea2e1be101218c3cb66032f599c465610a
Bug 1019814: Remove CERTCertificate dependency from TrustDomain::GetCertTrust, r=keeler
Brian Smith <brian@briansmith.org>
parents:
185979
diff
changeset
|
179 |
// CERT_NewTempCertificate to get a CERTCertificate shouldn't be a |
44be87ea2e1be101218c3cb66032f599c465610a
Bug 1019814: Remove CERTCertificate dependency from TrustDomain::GetCertTrust, r=keeler
Brian Smith <brian@briansmith.org>
parents:
185979
diff
changeset
|
180 |
// performance problem because NSS will just find the existing |
44be87ea2e1be101218c3cb66032f599c465610a
Bug 1019814: Remove CERTCertificate dependency from TrustDomain::GetCertTrust, r=keeler
Brian Smith <brian@briansmith.org>
parents:
185979
diff
changeset
|
181 |
// CERTCertificate in its in-memory cache and return it. |
197251
c989be71f8443b628a15cd0aab16f47de73d3582
Bug 1041186, Part 2: Rename Input to Reader and InputBuffer to Input, r=keeler
Brian Smith <brian@briansmith.org>
parents:
197250
diff
changeset
|
182 |
SECItem candidateCertDERSECItem = UnsafeMapInputToSECItem(candidateCertDER); |
294042
9c98c0300a89bfe655a1213c91ceb57c517e8bf7
Bug 1260643 - Convert most uses of ScopedCERTCertificate in PSM to UniqueCERTCertificate. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
293252
diff
changeset
|
183 |
UniqueCERTCertificate candidateCert( |
197250
c04d170a0bd9ad169065d5546a1149554a543422
Bug 1041186, Part 1: Improve buffer overflow protection in mozilla::pkix, r=keeler
Brian Smith <brian@briansmith.org>
parents:
197204
diff
changeset
|
184 |
CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &candidateCertDERSECItem, |
c04d170a0bd9ad169065d5546a1149554a543422
Bug 1041186, Part 1: Improve buffer overflow protection in mozilla::pkix, r=keeler
Brian Smith <brian@briansmith.org>
parents:
197204
diff
changeset
|
185 |
nullptr, false, true)); |
186441
44be87ea2e1be101218c3cb66032f599c465610a
Bug 1019814: Remove CERTCertificate dependency from TrustDomain::GetCertTrust, r=keeler
Brian Smith <brian@briansmith.org>
parents:
185979
diff
changeset
|
186 |
if (!candidateCert) { |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
parents:
196235
diff
changeset
|
187 |
return MapPRErrorCodeToResult(PR_GetError()); |
186441
44be87ea2e1be101218c3cb66032f599c465610a
Bug 1019814: Remove CERTCertificate dependency from TrustDomain::GetCertTrust, r=keeler
Brian Smith <brian@briansmith.org>
parents:
185979
diff
changeset
|
188 |
} |
44be87ea2e1be101218c3cb66032f599c465610a
Bug 1019814: Remove CERTCertificate dependency from TrustDomain::GetCertTrust, r=keeler
Brian Smith <brian@briansmith.org>
parents:
185979
diff
changeset
|
189 |
|
231563
83c8e3ad6835efe962144396410bea2d5a612f28
Bug 1130757 - Move OneCRL check to NSSCertDBTrustDomain::GetCertTrust. r=dkeeler
Mark Goodwin <mgoodwin@mozilla.com>
parents:
231102
diff
changeset
|
190 |
// Check the certificate against the OneCRL cert blocklist |
83c8e3ad6835efe962144396410bea2d5a612f28
Bug 1130757 - Move OneCRL check to NSSCertDBTrustDomain::GetCertTrust. r=dkeeler
Mark Goodwin <mgoodwin@mozilla.com>
parents:
231102
diff
changeset
|
191 |
if (!mCertBlocklist) { |
83c8e3ad6835efe962144396410bea2d5a612f28
Bug 1130757 - Move OneCRL check to NSSCertDBTrustDomain::GetCertTrust. r=dkeeler
Mark Goodwin <mgoodwin@mozilla.com>
parents:
231102
diff
changeset
|
192 |
return Result::FATAL_ERROR_LIBRARY_FAILURE; |
83c8e3ad6835efe962144396410bea2d5a612f28
Bug 1130757 - Move OneCRL check to NSSCertDBTrustDomain::GetCertTrust. r=dkeeler
Mark Goodwin <mgoodwin@mozilla.com>
parents:
231102
diff
changeset
|
193 |
} |
83c8e3ad6835efe962144396410bea2d5a612f28
Bug 1130757 - Move OneCRL check to NSSCertDBTrustDomain::GetCertTrust. r=dkeeler
Mark Goodwin <mgoodwin@mozilla.com>
parents:
231102
diff
changeset
|
194 |
|
327138
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
195 |
// The certificate blocklist currently only applies to TLS server |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
196 |
// certificates. |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
197 |
if (mCertDBTrustType == trustSSL) { |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
198 |
bool isCertRevoked; |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
199 |
nsresult nsrv = mCertBlocklist->IsCertRevoked( |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
200 |
candidateCert->derIssuer.data, |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
201 |
candidateCert->derIssuer.len, |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
202 |
candidateCert->serialNumber.data, |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
203 |
candidateCert->serialNumber.len, |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
204 |
candidateCert->derSubject.data, |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
205 |
candidateCert->derSubject.len, |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
206 |
candidateCert->derPublicKey.data, |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
207 |
candidateCert->derPublicKey.len, |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
208 |
&isCertRevoked); |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
209 |
if (NS_FAILED(nsrv)) { |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
210 |
return Result::FATAL_ERROR_LIBRARY_FAILURE; |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
211 |
} |
231563
83c8e3ad6835efe962144396410bea2d5a612f28
Bug 1130757 - Move OneCRL check to NSSCertDBTrustDomain::GetCertTrust. r=dkeeler
Mark Goodwin <mgoodwin@mozilla.com>
parents:
231102
diff
changeset
|
212 |
|
327138
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
213 |
if (isCertRevoked) { |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
214 |
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
215 |
("NSSCertDBTrustDomain: certificate is in blocklist")); |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
216 |
return Result::ERROR_REVOKED_CERTIFICATE; |
f4001bdf070d219a9c59a14bdee1053de505070c
bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
David Keeler <dkeeler@mozilla.com>
parents:
327132
diff
changeset
|
217 |
} |
231563
83c8e3ad6835efe962144396410bea2d5a612f28
Bug 1130757 - Move OneCRL check to NSSCertDBTrustDomain::GetCertTrust. r=dkeeler
Mark Goodwin <mgoodwin@mozilla.com>
parents:
231102
diff
changeset
|
218 |
} |
83c8e3ad6835efe962144396410bea2d5a612f28
Bug 1130757 - Move OneCRL check to NSSCertDBTrustDomain::GetCertTrust. r=dkeeler
Mark Goodwin <mgoodwin@mozilla.com>
parents:
231102
diff
changeset
|
219 |
|
168279
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
220 |
// XXX: CERT_GetCertTrust seems to be abusing SECStatus as a boolean, where |
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
221 |
// SECSuccess means that there is a trust record and SECFailure means there |
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
222 |
// is not a trust record. I looked at NSS's internal uses of |
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
223 |
// CERT_GetCertTrust, and all that code uses the result as a boolean meaning |
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
224 |
// "We have a trust record." |
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
225 |
CERTCertTrust trust; |
186441
44be87ea2e1be101218c3cb66032f599c465610a
Bug 1019814: Remove CERTCertificate dependency from TrustDomain::GetCertTrust, r=keeler
Brian Smith <brian@briansmith.org>
parents:
185979
diff
changeset
|
226 |
if (CERT_GetCertTrust(candidateCert.get(), &trust) == SECSuccess) { |
198606
e0c00c1861af255cc20060c69e30bb8595dd00b3
Bug 579517 follow-up: Remove NSPR types that crept in
Ehsan Akhgari <ehsan@mozilla.com>
parents:
197619
diff
changeset
|
227 |
uint32_t flags = SEC_GET_TRUST_FLAGS(&trust, mCertDBTrustType); |
168279
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
228 |
|
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
229 |
// For DISTRUST, we use the CERTDB_TRUSTED or CERTDB_TRUSTED_CA bit, |
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
230 |
// because we can have active distrust for either type of cert. Note that |
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
231 |
// CERTDB_TERMINAL_RECORD means "stop trying to inherit trust" so if the |
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
232 |
// relevant trust bit isn't set then that means the cert must be considered |
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
233 |
// distrusted. |
198606
e0c00c1861af255cc20060c69e30bb8595dd00b3
Bug 579517 follow-up: Remove NSPR types that crept in
Ehsan Akhgari <ehsan@mozilla.com>
parents:
197619
diff
changeset
|
234 |
uint32_t relevantTrustBit = |
181275
c968e47ef70893902ed49f65ade8a2ffe116ea11
Bug 1002933: Use Strongly-typed enums more often in mozilla::pkix, r=mmc
Brian Smith <brian@briansmith.org>
parents:
181113
diff
changeset
|
235 |
endEntityOrCA == EndEntityOrCA::MustBeCA ? CERTDB_TRUSTED_CA |
c968e47ef70893902ed49f65ade8a2ffe116ea11
Bug 1002933: Use Strongly-typed enums more often in mozilla::pkix, r=mmc
Brian Smith <brian@briansmith.org>
parents:
181113
diff
changeset
|
236 |
: CERTDB_TRUSTED; |
168279
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
237 |
if (((flags & (relevantTrustBit|CERTDB_TERMINAL_RECORD))) |
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
238 |
== CERTDB_TERMINAL_RECORD) { |
197204
a6147f19dc56aecfcce19a019d8f966db8a32492
Bug 1041343: Use references instead of pointers for TrustLevel output parameters, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
197202
diff
changeset
|
239 |
trustLevel = TrustLevel::ActivelyDistrusted; |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
parents:
196235
diff
changeset
|
240 |
return Success; |
168279
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
241 |
} |
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
242 |
|
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
243 |
// For TRUST, we only use the CERTDB_TRUSTED_CA bit, because Gecko hasn't |
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
244 |
// needed to consider end-entity certs to be their own trust anchors since |
5eece3c778aaecfe6c4bcbeaae863f611ef47280
Bug 878932, Part 1: add insanity::pkix as an option for certificate verification, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165294
diff
changeset
|
245 |
// Gecko implemented nsICertOverrideService. |
345093
df65d15b648daef67f1a76987c21f4fe9b23bdb7
bug 1294580 - prevent end-entity certificates from being their own trust anchors r=Cykesiopka
David Keeler <dkeeler@mozilla.com>
parents:
343854
diff
changeset
|
246 |
// Of course, for this to work as expected, we need to make sure we're |
df65d15b648daef67f1a76987c21f4fe9b23bdb7
bug 1294580 - prevent end-entity certificates from being their own trust anchors r=Cykesiopka
David Keeler <dkeeler@mozilla.com>
parents:
343854
diff
changeset
|
247 |
// inquiring about the trust of a CA and not an end-entity. If an end-entity |
df65d15b648daef67f1a76987c21f4fe9b23bdb7
bug 1294580 - prevent end-entity certificates from being their own trust anchors r=Cykesiopka
David Keeler <dkeeler@mozilla.com>
parents:
343854
diff
changeset
|
248 |
// has the CERTDB_TRUSTED_CA bit set, Gecko does not consider it to be a |
df65d15b648daef67f1a76987c21f4fe9b23bdb7
bug 1294580 - prevent end-entity certificates from being their own trust anchors r=Cykesiopka
David Keeler <dkeeler@mozilla.com>
parents:
343854
diff
changeset
|
249 |
// trust anchor; it must inherit its trust. |
if (flags & CERTDB_TRUSTED_CA && endEntityOrCA == EndEntityOrCA::MustBeCA) { |
if (policy.IsAnyPolicy()) { |
trustLevel = TrustLevel::TrustAnchor; |
return Success; |
} |
if (CertIsAuthoritativeForEVPolicy(candidateCert, policy)) { |
trustLevel = TrustLevel::TrustAnchor; |
return Success; |
} |
} |
} |
|
trustLevel = TrustLevel::InheritsTrust; |
return Success; |
} |
|
// TrustDomain digest hook: forwards every argument unchanged to DigestBufNSS
// and returns that call's Result. |digestBuf| is the output buffer and
// |digestBufLen| its length; any checking of that length against the size
// required by |digestAlg| is left to DigestBufNSS (not visible here).
Result
NSSCertDBTrustDomain::DigestBuf(Input item, DigestAlgorithm digestAlg,
                                /*out*/ uint8_t* digestBuf, size_t digestBufLen)
{
  const Result digestResult =
    DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
  return digestResult;
}
|
// Maps an OCSPFetching mode to a TimeDuration (judging by the name, the
// timeout applied to an OCSP fetch):
//   FetchOCSPForDVSoftFail                  -> 2 seconds
//   FetchOCSPForEV, FetchOCSPForDVHardFail  -> 10 seconds
// NeverFetchOCSP and LocalOnlyOCSPForEV are not expected here: debug builds
// assert, release builds fall back to the 2 second value.
static TimeDuration
OCSPFetchingTypeToTimeoutTime(NSSCertDBTrustDomain::OCSPFetching ocspFetching)
{
  const TimeDuration shortTimeout = TimeDuration::FromSeconds(2);
  const TimeDuration longTimeout = TimeDuration::FromSeconds(10);

  // The switch has no default label; any value that is not listed reaches the
  // assertion after the switch instead.
  switch (ocspFetching) {
    case NSSCertDBTrustDomain::FetchOCSPForEV:
    case NSSCertDBTrustDomain::FetchOCSPForDVHardFail:
      return longTimeout;
    case NSSCertDBTrustDomain::FetchOCSPForDVSoftFail:
      return shortTimeout;
    // Error cases: these modes should never ask for a timeout.
    case NSSCertDBTrustDomain::NeverFetchOCSP:
    case NSSCertDBTrustDomain::LocalOnlyOCSPForEV:
      MOZ_ASSERT_UNREACHABLE("we should never see this OCSPFetching type here");
      break;
  }

  MOZ_ASSERT_UNREACHABLE("we're not handling every OCSPFetching type");
  return shortTimeout;
}
|
// Copied and modified from CERT_GetOCSPAuthorityInfoAccessLocation and
// CERT_GetGeneralNameByType. Decodes |aiaExtension| using |arena| and returns
// the first URI location found on an access description whose method is OCSP
// (NSS itself would return the last one).
//
// Results:
//  - FATAL_ERROR_INVALID_ARGS if |arena| holds no pool.
//  - ERROR_CERT_BAD_ACCESS_LOCATION if the extension cannot be decoded, or if
//    the selected URI is longer than 1024 bytes or contains a NUL byte.
//  - FATAL_ERROR_NO_MEMORY if the copy of the URI cannot be allocated.
//  - Success with url == nullptr when an OCSP URI was not found.
//  - Success with url != nullptr when an OCSP URI was found. The output url
//    is NUL-terminated and owned by the arena.
//
// NOTE(review): the extension bytes presumably come from the certificate
// being validated, so treat the returned string as untrusted. Only length and
// embedded NULs are checked here; the URI scheme and syntax are not, and a
// zero-length URI is returned as an empty string -- confirm the caller
// validates the URL before fetching.
static Result
GetOCSPAuthorityInfoAccessLocation(const UniquePLArenaPool& arena,
                                   Input aiaExtension,
                                   /*out*/ char const*& url)
{
  MOZ_ASSERT(arena.get());
  if (!arena.get()) {
    return Result::FATAL_ERROR_INVALID_ARGS;
  }

  // Start from "not found" so every early Success return is well defined.
  url = nullptr;

  SECItem encodedAIA = UnsafeMapInputToSECItem(aiaExtension);
  CERTAuthInfoAccess** accessDescriptions =
    CERT_DecodeAuthInfoAccessExtension(arena.get(), &encodedAIA);
  if (!accessDescriptions) {
    return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
  }

  // The decoded array is terminated by a null entry.
  for (CERTAuthInfoAccess** entry = accessDescriptions; *entry; ++entry) {
    if (SECOID_FindOIDTag(&(*entry)->method) != SEC_OID_PKIX_OCSP) {
      continue;
    }

    // NSS chooses the **last** OCSP URL; we choose the **first**
    CERTGeneralName* const firstName = (*entry)->location;
    if (!firstName) {
      continue;
    }

    // The general names form a circular list, so walk it until we are back at
    // the starting node.
    CERTGeneralName* name = firstName;
    do {
      if (name->type == certURI) {
        const SECItem& uri = name->name.other;
        // (uri.len + 1) must be small enough to fit into a uint32_t, but we
        // limit it to a smaller bound to reduce OOM risk.
        if (uri.len > 1024) {
          return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
        }
        // Reject embedded nulls. (NSS doesn't do this) Otherwise the C string
        // handed back would end before the encoded value does.
        if (memchr(uri.data, 0, uri.len)) {
          return Result::ERROR_CERT_BAD_ACCESS_LOCATION;
        }

        // Copy the non-null-terminated SECItem into a null-terminated string.
        char* urlCopy =
          static_cast<char*>(PORT_ArenaAlloc(arena.get(), uri.len + 1));
        if (!urlCopy) {
          return Result::FATAL_ERROR_NO_MEMORY;
        }
        memcpy(urlCopy, uri.data, uri.len);
        urlCopy[uri.len] = 0;

        url = urlCopy;
        return Success;
      }
      name = CERT_GetNextGeneralName(name);
    } while (name != firstName);
  }

  // No OCSP URI present; url is still nullptr.
  return Success;
}
|
Result |
NSSCertDBTrustDomain::CheckRevocation(EndEntityOrCA endEntityOrCA, |
const CertID& certID, Time time, |
Duration validityDuration, |
/*optional*/ const Input* stapledOCSPResponse, |
/*optional*/ const Input* aiaExtension) |
{ |
// Actively distrusted certificates will have already been blocked by |
// GetCertTrust. |
|
// TODO: need to verify that IsRevoked isn't called for trust anchors AND |
// that that fact is documented in mozillapkix. |
|
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
("NSSCertDBTrustDomain: Top of CheckRevocation\n")); |
|
// Bug 991815: The BR allow OCSP for intermediates to be up to one year old. |
// Since this affects EV there is no reason why DV should be more strict |
// so all intermediatates are allowed to have OCSP responses up to one year |
// old. |
uint16_t maxOCSPLifetimeInDays = 10; |
if (endEntityOrCA == EndEntityOrCA::MustBeCA) { |
maxOCSPLifetimeInDays = 365; |
} |
|
// If we have a stapled OCSP response then the verification of that response |
// determines the result unless the OCSP response is expired. We make an |
// exception for expired responses because some servers, nginx in particular, |
// are known to serve expired responses due to bugs. |
// We keep track of the result of verifying the stapled response but don't |
// immediately return failure if the response has expired. |
// |
33d139e87c8901cf69ad42ef8cd704a9079b627e
Bug 1107666, Part 2: Further fix for SSL_OCSP_STAPLING telemetry, r=keeler
Brian Smith <brian@briansmith.org>
383 |
// We only set the OCSP stapling status if we're validating the end-entity |
33d139e87c8901cf69ad42ef8cd704a9079b627e
Bug 1107666, Part 2: Further fix for SSL_OCSP_STAPLING telemetry, r=keeler
Brian Smith <brian@briansmith.org>
384 |
// certificate. Non-end-entity certificates would always be |
33d139e87c8901cf69ad42ef8cd704a9079b627e
Bug 1107666, Part 2: Further fix for SSL_OCSP_STAPLING telemetry, r=keeler
Brian Smith <brian@briansmith.org>
385 |
// OCSP_STAPLING_NONE unless/until we implement multi-stapling. |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
386 |
Result stapledOCSPResponseResult = Success; |
169459
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
387 |
if (stapledOCSPResponse) { |
328037
9957c63c664df44054c7930a5632ba9e07af3f55
Bug 1325107 - Stop using PR_ASSERT() in PSM. r=mgoodwin
Cykesiopka <cykesiopka.bmo@gmail.com>
388 |
MOZ_ASSERT(endEntityOrCA == EndEntityOrCA::MustBeEndEntity); |
189859
31310e4551300a8dfa3c35042112900387826ee0
bug 997509 - heed expired Revoked or Unknown OCSP responses r=briansmith
David Keeler <dkeeler@mozilla.com>
389 |
bool expired; |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
390 |
stapledOCSPResponseResult = |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
391 |
VerifyAndMaybeCacheEncodedOCSPResponse(certID, time, |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
392 |
maxOCSPLifetimeInDays, |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
393 |
*stapledOCSPResponse, |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
394 |
ResponseWasStapled, expired); |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
395 |
if (stapledOCSPResponseResult == Success) { |
173430
21ad5a22138200921bbb78e155c2a573974dfd57
bug 969048 - adjust OCSP stapling telemetry for insanity::pkix r=briansmith r=cviecco
David Keeler <dkeeler@mozilla.com>
396 |
// stapled OCSP response present and good |
219603
610eb25d2d63d18d7233d21aaf464471545ccab0
Bug 1107666: Fix OCSP stapling telemetry (SSL_OCSP_STAPLING), r=keeler
Brian Smith <brian@briansmith.org>
397 |
mOCSPStaplingStatus = CertVerifier::OCSP_STAPLING_GOOD; |
247076
f52c18aac7ce0949190da943ec5d4ee86627d0f8
Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
Eric Rahm <erahm@mozilla.com>
398 |
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
399 |
("NSSCertDBTrustDomain: stapled OCSP response: good")); |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
400 |
return Success; |
169459
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
401 |
} |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
402 |
if (stapledOCSPResponseResult == Result::ERROR_OCSP_OLD_RESPONSE || |
189859
31310e4551300a8dfa3c35042112900387826ee0
bug 997509 - heed expired Revoked or Unknown OCSP responses r=briansmith
David Keeler <dkeeler@mozilla.com>
403 |
expired) { |
31310e4551300a8dfa3c35042112900387826ee0
bug 997509 - heed expired Revoked or Unknown OCSP responses r=briansmith
David Keeler <dkeeler@mozilla.com>
404 |
// stapled OCSP response present but expired |
219603
610eb25d2d63d18d7233d21aaf464471545ccab0
Bug 1107666: Fix OCSP stapling telemetry (SSL_OCSP_STAPLING), r=keeler
Brian Smith <brian@briansmith.org>
405 |
mOCSPStaplingStatus = CertVerifier::OCSP_STAPLING_EXPIRED; |
247076
f52c18aac7ce0949190da943ec5d4ee86627d0f8
Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
Eric Rahm <erahm@mozilla.com>
406 |
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
189859
31310e4551300a8dfa3c35042112900387826ee0
bug 997509 - heed expired Revoked or Unknown OCSP responses r=briansmith
David Keeler <dkeeler@mozilla.com>
407 |
("NSSCertDBTrustDomain: expired stapled OCSP response")); |
31310e4551300a8dfa3c35042112900387826ee0
bug 997509 - heed expired Revoked or Unknown OCSP responses r=briansmith
David Keeler <dkeeler@mozilla.com>
408 |
} else { |
173430
21ad5a22138200921bbb78e155c2a573974dfd57
bug 969048 - adjust OCSP stapling telemetry for insanity::pkix r=briansmith r=cviecco
David Keeler <dkeeler@mozilla.com>
409 |
// stapled OCSP response present but invalid for some reason |
219603
610eb25d2d63d18d7233d21aaf464471545ccab0
Bug 1107666: Fix OCSP stapling telemetry (SSL_OCSP_STAPLING), r=keeler
Brian Smith <brian@briansmith.org>
410 |
mOCSPStaplingStatus = CertVerifier::OCSP_STAPLING_INVALID; |
247076
f52c18aac7ce0949190da943ec5d4ee86627d0f8
Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
Eric Rahm <erahm@mozilla.com>
411 |
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
412 |
("NSSCertDBTrustDomain: stapled OCSP response: failure")); |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
413 |
return stapledOCSPResponseResult; |
169459
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
414 |
} |
220991
33d139e87c8901cf69ad42ef8cd704a9079b627e
Bug 1107666, Part 2: Further fix for SSL_OCSP_STAPLING telemetry, r=keeler
Brian Smith <brian@briansmith.org>
415 |
} else if (endEntityOrCA == EndEntityOrCA::MustBeEndEntity) { |
173430
21ad5a22138200921bbb78e155c2a573974dfd57
bug 969048 - adjust OCSP stapling telemetry for insanity::pkix r=briansmith r=cviecco
David Keeler <dkeeler@mozilla.com>
416 |
// no stapled OCSP response |
219603
610eb25d2d63d18d7233d21aaf464471545ccab0
Bug 1107666: Fix OCSP stapling telemetry (SSL_OCSP_STAPLING), r=keeler
Brian Smith <brian@briansmith.org>
417 |
mOCSPStaplingStatus = CertVerifier::OCSP_STAPLING_NONE; |
247076
f52c18aac7ce0949190da943ec5d4ee86627d0f8
Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
Eric Rahm <erahm@mozilla.com>
418 |
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
419 |
("NSSCertDBTrustDomain: no stapled OCSP response")); |
169459
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
420 |
} |
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
421 |
|
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
422 |
Result cachedResponseResult = Success; |
197619
a4a8b3b58191206f53748d823cf255fba4042253
Bug 1043041: Use mozilla::pkix::Time instead of PRTime, r=keeler
Brian Smith <brian@briansmith.org>
423 |
Time cachedResponseValidThrough(Time::uninitialized); |
323938
80a39e170b4106eae2d15d56ff10d1d0a5feb84b
Bug 1315143 - Make OCSP use Origin Attribute framework (PSM). r=Cykesiopka,keeler
Jonathan Hao <jhao@mozilla.com>
424 |
bool cachedResponsePresent = mOCSPCache.Get(certID, mOriginAttributes, |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
425 |
cachedResponseResult, |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
426 |
cachedResponseValidThrough); |
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
427 |
if (cachedResponsePresent) { |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
428 |
if (cachedResponseResult == Success && cachedResponseValidThrough >= time) { |
247076
f52c18aac7ce0949190da943ec5d4ee86627d0f8
Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
Eric Rahm <erahm@mozilla.com>
429 |
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
430 |
("NSSCertDBTrustDomain: cached OCSP response: good")); |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
431 |
return Success; |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
432 |
} |
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
433 |
// If we have a cached revoked response, use it. |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
434 |
if (cachedResponseResult == Result::ERROR_REVOKED_CERTIFICATE) { |
247076
f52c18aac7ce0949190da943ec5d4ee86627d0f8
Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
Eric Rahm <erahm@mozilla.com>
435 |
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
436 |
("NSSCertDBTrustDomain: cached OCSP response: revoked")); |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
437 |
return Result::ERROR_REVOKED_CERTIFICATE; |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
438 |
} |
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
439 |
// The cached response may indicate an unknown certificate or it may be |
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
440 |
// expired. Don't return with either of these statuses yet - we may be |
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
441 |
// able to fetch a more recent one. |
247076
f52c18aac7ce0949190da943ec5d4ee86627d0f8
Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
Eric Rahm <erahm@mozilla.com>
442 |
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
279729
d7628ca83e108b55f5aca712db3df4bdf1892a77
Bug 1235188 - Fix -Wformat warnings in security/certverifier/. r=keeler
Chris Peterson <cpeterson@mozilla.com>
443 |
("NSSCertDBTrustDomain: cached OCSP response: error %d", |
343542
495b8a307555744c3b8320098a4e526b9bc6404e
Bug 1060419 - make log_print use Printf.h, r=froydnj
Tom Tromey <tom@tromey.com>
444 |
static_cast<int>(cachedResponseResult))); |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
445 |
// When a good cached response has expired, it is more convenient |
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
446 |
// to convert that to an error code and just deal with |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
447 |
// cachedResponseResult from here on out. |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
448 |
if (cachedResponseResult == Success && cachedResponseValidThrough < time) { |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
449 |
cachedResponseResult = Result::ERROR_OCSP_OLD_RESPONSE; |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
450 |
} |
180773
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
451 |
// We may have a cached indication of server failure. Ignore it if |
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
452 |
// it has expired. |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
453 |
if (cachedResponseResult != Success && |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
454 |
cachedResponseResult != Result::ERROR_OCSP_UNKNOWN_CERT && |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
455 |
cachedResponseResult != Result::ERROR_OCSP_OLD_RESPONSE && |
180773
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
456 |
cachedResponseValidThrough < time) { |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
457 |
cachedResponseResult = Success; |
180773
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
458 |
cachedResponsePresent = false; |
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
459 |
} |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
460 |
} else { |
247076
f52c18aac7ce0949190da943ec5d4ee86627d0f8
Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
Eric Rahm <erahm@mozilla.com>
461 |
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
462 |
("NSSCertDBTrustDomain: no cached OCSP response")); |
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
463 |
} |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
464 |
// At this point, if and only if cachedResponseResult is Success, there was no |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
465 |
// cached response. |
328037
9957c63c664df44054c7930a5632ba9e07af3f55
Bug 1325107 - Stop using PR_ASSERT() in PSM. r=mgoodwin
Cykesiopka <cykesiopka.bmo@gmail.com>
466 |
MOZ_ASSERT((!cachedResponsePresent && cachedResponseResult == Success) || |
9957c63c664df44054c7930a5632ba9e07af3f55
Bug 1325107 - Stop using PR_ASSERT() in PSM. r=mgoodwin
Cykesiopka <cykesiopka.bmo@gmail.com>
467 |
(cachedResponsePresent && cachedResponseResult != Success)); |
170833
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
468 |
|
242859
a4e5010cb3d1ef01aecd5e7aee74b42670be5bc7
Bug 1128607 - Add freshness check for OneCRL (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
469 |
// If we have a fresh OneCRL Blocklist we can skip OCSP for CA certs |
a4e5010cb3d1ef01aecd5e7aee74b42670be5bc7
Bug 1128607 - Add freshness check for OneCRL (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
470 |
bool blocklistIsFresh; |
a4e5010cb3d1ef01aecd5e7aee74b42670be5bc7
Bug 1128607 - Add freshness check for OneCRL (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
471 |
nsresult nsrv = mCertBlocklist->IsBlocklistFresh(&blocklistIsFresh); |
a4e5010cb3d1ef01aecd5e7aee74b42670be5bc7
Bug 1128607 - Add freshness check for OneCRL (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
472 |
if (NS_FAILED(nsrv)) { |
a4e5010cb3d1ef01aecd5e7aee74b42670be5bc7
Bug 1128607 - Add freshness check for OneCRL (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
473 |
return Result::FATAL_ERROR_LIBRARY_FAILURE; |
a4e5010cb3d1ef01aecd5e7aee74b42670be5bc7
Bug 1128607 - Add freshness check for OneCRL (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
474 |
} |
a4e5010cb3d1ef01aecd5e7aee74b42670be5bc7
Bug 1128607 - Add freshness check for OneCRL (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
475 |
|
170833
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
476 |
// TODO: We still need to handle the fallback for expired responses. But, |
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
477 |
// if/when we disable OCSP fetching by default, it would be ambiguous whether |
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
478 |
// security.OCSP.enable==0 means "I want the default" or "I really never want |
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
479 |
// you to ever fetch OCSP." |
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
480 |
|
243995
1853f12d7d8c336d0689a8d3e0e21e174609f50a
bug 1141189 - implement skipping expensive revocation checks (OCSP fetching) for short-lived certificates r=rbarnes
David Keeler <dkeeler@mozilla.com>
481 |
Duration shortLifetime(mCertShortLifetimeInDays * Time::ONE_DAY_IN_SECONDS); |
1853f12d7d8c336d0689a8d3e0e21e174609f50a
bug 1141189 - implement skipping expensive revocation checks (OCSP fetching) for short-lived certificates r=rbarnes
David Keeler <dkeeler@mozilla.com>
482 |
|
244201
8e525037fc7aaebc9d4dc64b058dcdcfedb6dc80
Backed out changeset fe10feec1ede because of OCSP test failures
Richard Barnes <rbarnes@mozilla.com>
483 |
if ((mOCSPFetching == NeverFetchOCSP) || |
8e525037fc7aaebc9d4dc64b058dcdcfedb6dc80
Backed out changeset fe10feec1ede because of OCSP test failures
Richard Barnes <rbarnes@mozilla.com>
484 |
(validityDuration < shortLifetime) || |
8e525037fc7aaebc9d4dc64b058dcdcfedb6dc80
Backed out changeset fe10feec1ede because of OCSP test failures
Richard Barnes <rbarnes@mozilla.com>
485 |
(endEntityOrCA == EndEntityOrCA::MustBeCA && |
8e525037fc7aaebc9d4dc64b058dcdcfedb6dc80
Backed out changeset fe10feec1ede because of OCSP test failures
Richard Barnes <rbarnes@mozilla.com>
486 |
(mOCSPFetching == FetchOCSPForDVHardFail || |
8e525037fc7aaebc9d4dc64b058dcdcfedb6dc80
Backed out changeset fe10feec1ede because of OCSP test failures
Richard Barnes <rbarnes@mozilla.com>
487 |
mOCSPFetching == FetchOCSPForDVSoftFail || |
8e525037fc7aaebc9d4dc64b058dcdcfedb6dc80
Backed out changeset fe10feec1ede because of OCSP test failures
Richard Barnes <rbarnes@mozilla.com>
488 |
blocklistIsFresh))) { |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
489 |
// We're not going to be doing any fetching, so if there was a cached |
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
490 |
// "unknown" response, say so. |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
491 |
if (cachedResponseResult == Result::ERROR_OCSP_UNKNOWN_CERT) { |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
492 |
return Result::ERROR_OCSP_UNKNOWN_CERT; |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
493 |
} |
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
494 |
// If we're doing hard-fail, we want to know if we have a cached response |
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
495 |
// that has expired. |
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
496 |
if (mOCSPFetching == FetchOCSPForDVHardFail && |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
497 |
cachedResponseResult == Result::ERROR_OCSP_OLD_RESPONSE) { |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
498 |
return Result::ERROR_OCSP_OLD_RESPONSE; |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
499 |
} |
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
500 |
|
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
501 |
return Success; |
170833
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
502 |
} |
169459
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
503 |
|
170833
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
504 |
if (mOCSPFetching == LocalOnlyOCSPForEV) { |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
505 |
if (cachedResponseResult != Success) { |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
506 |
return cachedResponseResult; |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
507 |
} |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
508 |
return Result::ERROR_OCSP_UNKNOWN_CERT; |
170833
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
509 |
} |
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
510 |
|
291949
63c6be19398d5654cd577fc009c3874742f028e7
Bug 1260644 - Use UniquePLArenaPool to manage PLArenaPools in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
511 |
UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); |
189910
3d54fd14fb9c6fce3336ea14831ff51b6bbc6b5d
Bug 1026261: Remove CERTCertificate from mozilla::pkix revocation checking API, r=keeler
Brian Smith <brian@briansmith.org>
512 |
if (!arena) { |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
513 |
return Result::FATAL_ERROR_NO_MEMORY; |
189910
3d54fd14fb9c6fce3336ea14831ff51b6bbc6b5d
Bug 1026261: Remove CERTCertificate from mozilla::pkix revocation checking API, r=keeler
Brian Smith <brian@briansmith.org>
514 |
} |
3d54fd14fb9c6fce3336ea14831ff51b6bbc6b5d
Bug 1026261: Remove CERTCertificate from mozilla::pkix revocation checking API, r=keeler
Brian Smith <brian@briansmith.org>
515 |
|
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
516 |
Result rv; |
189910
3d54fd14fb9c6fce3336ea14831ff51b6bbc6b5d
Bug 1026261: Remove CERTCertificate from mozilla::pkix revocation checking API, r=keeler
Brian Smith <brian@briansmith.org>
517 |
const char* url = nullptr; // owned by the arena |
3d54fd14fb9c6fce3336ea14831ff51b6bbc6b5d
Bug 1026261: Remove CERTCertificate from mozilla::pkix revocation checking API, r=keeler
Brian Smith <brian@briansmith.org>
|
3d54fd14fb9c6fce3336ea14831ff51b6bbc6b5d
Bug 1026261: Remove CERTCertificate from mozilla::pkix revocation checking API, r=keeler
Brian Smith <brian@briansmith.org>
if (aiaExtension) { |
291949
63c6be19398d5654cd577fc009c3874742f028e7
Bug 1260644 - Use UniquePLArenaPool to manage PLArenaPools in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
rv = GetOCSPAuthorityInfoAccessLocation(arena, *aiaExtension, url); |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
if (rv != Success) { |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
return rv; |
189910
3d54fd14fb9c6fce3336ea14831ff51b6bbc6b5d
Bug 1026261: Remove CERTCertificate from mozilla::pkix revocation checking API, r=keeler
Brian Smith <brian@briansmith.org>
} |
3d54fd14fb9c6fce3336ea14831ff51b6bbc6b5d
Bug 1026261: Remove CERTCertificate from mozilla::pkix revocation checking API, r=keeler
Brian Smith <brian@briansmith.org>
} |
170833
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
|
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
if (!url) { |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
if (mOCSPFetching == FetchOCSPForEV || |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
cachedResponseResult == Result::ERROR_OCSP_UNKNOWN_CERT) { |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
return Result::ERROR_OCSP_UNKNOWN_CERT; |
169459
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
} |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
if (cachedResponseResult == Result::ERROR_OCSP_OLD_RESPONSE) { |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
return Result::ERROR_OCSP_OLD_RESPONSE; |
170833
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
} |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
if (stapledOCSPResponseResult != Success) { |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
return stapledOCSPResponseResult; |
189859
31310e4551300a8dfa3c35042112900387826ee0
bug 997509 - heed expired Revoked or Unknown OCSP responses r=briansmith
David Keeler <dkeeler@mozilla.com>
} |
169459
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
|
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
// Nothing to do if we don't have an OCSP responder URI for the cert; just |
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
// assume it is good. Note that this is the confusing, but intended, |
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
// interpretation of "strict" revocation checking in the face of a |
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
// certificate that lacks an OCSP responder URI. |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
return Success; |
170833
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
} |
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
|
180773
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
// Only request a response if we didn't have a cached indication of failure |
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
// (don't keep requesting responses from a failing server). |
197251
c989be71f8443b628a15cd0aab16f47de73d3582
Bug 1041186, Part 2: Rename Input to Reader and InputBuffer to Input, r=keeler
Brian Smith <brian@briansmith.org>
Input response; |
196235
1ed822e820d355e4fae79631f6f888e0b7389fd1
bug 1040889 - don't re-cache OCSP server failures if no fetch was attempted r=briansmith r=cviecco
David Keeler <dkeeler@mozilla.com>
bool attemptedRequest; |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
if (cachedResponseResult == Success || |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
cachedResponseResult == Result::ERROR_OCSP_UNKNOWN_CERT || |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
cachedResponseResult == Result::ERROR_OCSP_OLD_RESPONSE) { |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH]; |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
size_t ocspRequestLength; |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
rv = CreateEncodedOCSPRequest(*this, certID, ocspRequest, |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
ocspRequestLength); |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
if (rv != Success) { |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
return rv; |
180773
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
} |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
SECItem ocspRequestItem = { |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
siBuffer, |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
ocspRequest, |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
static_cast<unsigned int>(ocspRequestLength) |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
}; |
197250
c04d170a0bd9ad169065d5546a1149554a543422
Bug 1041186, Part 1: Improve buffer overflow protection in mozilla::pkix, r=keeler
Brian Smith <brian@briansmith.org>
// Owned by arena |
289505
8a2c5b46e55b3e0868c9fdc42e6fd161dd619fc6
Bug 1004149 - Return mozilla::pkix::Result values in nsNSSHttpInterface functions. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
SECItem* responseSECItem = nullptr; |
8a2c5b46e55b3e0868c9fdc42e6fd161dd619fc6
Bug 1004149 - Return mozilla::pkix::Result values in nsNSSHttpInterface functions. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
Result tempRV = |
323938
80a39e170b4106eae2d15d56ff10d1d0a5feb84b
Bug 1315143 - Make OCSP use Origin Attribute framework (PSM). r=Cykesiopka,keeler
Jonathan Hao <jhao@mozilla.com>
DoOCSPRequest(arena, url, mOriginAttributes, &ocspRequestItem, |
197250
c04d170a0bd9ad169065d5546a1149554a543422
Bug 1041186, Part 1: Improve buffer overflow protection in mozilla::pkix, r=keeler
Brian Smith <brian@briansmith.org>
OCSPFetchingTypeToTimeoutTime(mOCSPFetching), |
289505
8a2c5b46e55b3e0868c9fdc42e6fd161dd619fc6
Bug 1004149 - Return mozilla::pkix::Result values in nsNSSHttpInterface functions. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
mOCSPGetConfig == CertVerifier::ocspGetEnabled, |
8a2c5b46e55b3e0868c9fdc42e6fd161dd619fc6
Bug 1004149 - Return mozilla::pkix::Result values in nsNSSHttpInterface functions. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
responseSECItem); |
8a2c5b46e55b3e0868c9fdc42e6fd161dd619fc6
Bug 1004149 - Return mozilla::pkix::Result values in nsNSSHttpInterface functions. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
MOZ_ASSERT((tempRV != Success) || responseSECItem); |
8a2c5b46e55b3e0868c9fdc42e6fd161dd619fc6
Bug 1004149 - Return mozilla::pkix::Result values in nsNSSHttpInterface functions. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
if (tempRV != Success) { |
8a2c5b46e55b3e0868c9fdc42e6fd161dd619fc6
Bug 1004149 - Return mozilla::pkix::Result values in nsNSSHttpInterface functions. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
rv = tempRV; |
197250
c04d170a0bd9ad169065d5546a1149554a543422
Bug 1041186, Part 1: Improve buffer overflow protection in mozilla::pkix, r=keeler
Brian Smith <brian@briansmith.org>
} else if (response.Init(responseSECItem->data, responseSECItem->len) |
c04d170a0bd9ad169065d5546a1149554a543422
Bug 1041186, Part 1: Improve buffer overflow protection in mozilla::pkix, r=keeler
Brian Smith <brian@briansmith.org>
!= Success) { |
c04d170a0bd9ad169065d5546a1149554a543422
Bug 1041186, Part 1: Improve buffer overflow protection in mozilla::pkix, r=keeler
Brian Smith <brian@briansmith.org>
rv = Result::ERROR_OCSP_MALFORMED_RESPONSE; // too big |
196235
1ed822e820d355e4fae79631f6f888e0b7389fd1
bug 1040889 - don't re-cache OCSP server failures if no fetch was attempted r=briansmith r=cviecco
David Keeler <dkeeler@mozilla.com>
} |
1ed822e820d355e4fae79631f6f888e0b7389fd1
bug 1040889 - don't re-cache OCSP server failures if no fetch was attempted r=briansmith r=cviecco
David Keeler <dkeeler@mozilla.com>
attemptedRequest = true; |
1ed822e820d355e4fae79631f6f888e0b7389fd1
bug 1040889 - don't re-cache OCSP server failures if no fetch was attempted r=briansmith r=cviecco
David Keeler <dkeeler@mozilla.com>
} else { |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
rv = cachedResponseResult; |
196235
1ed822e820d355e4fae79631f6f888e0b7389fd1
bug 1040889 - don't re-cache OCSP server failures if no fetch was attempted r=briansmith r=cviecco
David Keeler <dkeeler@mozilla.com>
attemptedRequest = false; |
170833
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
} |
169459
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
|
197250
c04d170a0bd9ad169065d5546a1149554a543422
Bug 1041186, Part 1: Improve buffer overflow protection in mozilla::pkix, r=keeler
Brian Smith <brian@briansmith.org>
if (response.GetLength() == 0) { |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
Result error = rv; |
196235
1ed822e820d355e4fae79631f6f888e0b7389fd1
bug 1040889 - don't re-cache OCSP server failures if no fetch was attempted r=briansmith r=cviecco
David Keeler <dkeeler@mozilla.com>
if (attemptedRequest) { |
197619
a4a8b3b58191206f53748d823cf255fba4042253
Bug 1043041: Use mozilla::pkix::Time instead of PRTime, r=keeler
Brian Smith <brian@briansmith.org>
Time timeout(time); |
216955
b379f1bc58e10c59fdacc7ea5ca3396c77819a84
bug 1079436 - fix validThrough as returned by VerifyEncodedOCSPResponse r=briansmith
David Keeler <dkeeler@mozilla.com>
if (timeout.AddSeconds(ServerFailureDelaySeconds) != Success) { |
197619
a4a8b3b58191206f53748d823cf255fba4042253
Bug 1043041: Use mozilla::pkix::Time instead of PRTime, r=keeler
Brian Smith <brian@briansmith.org>
return Result::FATAL_ERROR_LIBRARY_FAILURE; // integer overflow |
a4a8b3b58191206f53748d823cf255fba4042253
Bug 1043041: Use mozilla::pkix::Time instead of PRTime, r=keeler
Brian Smith <brian@briansmith.org>
} |
323938
80a39e170b4106eae2d15d56ff10d1d0a5feb84b
Bug 1315143 - Make OCSP use Origin Attribute framework (PSM). r=Cykesiopka,keeler
Jonathan Hao <jhao@mozilla.com>
rv = mOCSPCache.Put(certID, mOriginAttributes, error, time, timeout); |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
if (rv != Success) { |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
return rv; |
196235
1ed822e820d355e4fae79631f6f888e0b7389fd1
bug 1040889 - don't re-cache OCSP server failures if no fetch was attempted r=briansmith r=cviecco
David Keeler <dkeeler@mozilla.com>
} |
180773
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
} |
170833
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
if (mOCSPFetching != FetchOCSPForDVSoftFail) { |
247076
f52c18aac7ce0949190da943ec5d4ee86627d0f8
Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
Eric Rahm <erahm@mozilla.com>
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
170833
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
("NSSCertDBTrustDomain: returning SECFailure after " |
181310
daee17c1458115ef05b91c19a13a407052bf9b9e
bug 982248 - NSSCertDBTrustDomain: specify timeout for OCSP requests r=briansmith
David Keeler <dkeeler@mozilla.com>
"OCSP request failure")); |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
return error; |
169459
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
} |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
if (cachedResponseResult == Result::ERROR_OCSP_UNKNOWN_CERT) { |
247076
f52c18aac7ce0949190da943ec5d4ee86627d0f8
Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
Eric Rahm <erahm@mozilla.com>
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
("NSSCertDBTrustDomain: returning SECFailure from cached " |
181310
daee17c1458115ef05b91c19a13a407052bf9b9e
bug 982248 - NSSCertDBTrustDomain: specify timeout for OCSP requests r=briansmith
David Keeler <dkeeler@mozilla.com>
"response after OCSP request failure")); |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
return cachedResponseResult; |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
} |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
if (stapledOCSPResponseResult != Success) { |
247076
f52c18aac7ce0949190da943ec5d4ee86627d0f8
Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
Eric Rahm <erahm@mozilla.com>
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
187236
3697556d43f79c2eb9dfdfe283e96c4ca065608f
bug 1019198 - fail handshake if given an expired OCSP response and fetching a new one fails r=briansmith
David Keeler <dkeeler@mozilla.com>
("NSSCertDBTrustDomain: returning SECFailure from expired " |
3697556d43f79c2eb9dfdfe283e96c4ca065608f
bug 1019198 - fail handshake if given an expired OCSP response and fetching a new one fails r=briansmith
David Keeler <dkeeler@mozilla.com>
"stapled response after OCSP request failure")); |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
return stapledOCSPResponseResult; |
187236
3697556d43f79c2eb9dfdfe283e96c4ca065608f
bug 1019198 - fail handshake if given an expired OCSP response and fetching a new one fails r=briansmith
David Keeler <dkeeler@mozilla.com>
} |
169459
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
|
247076
f52c18aac7ce0949190da943ec5d4ee86627d0f8
Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
Eric Rahm <erahm@mozilla.com>
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
170833
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
("NSSCertDBTrustDomain: returning SECSuccess after " |
181310
daee17c1458115ef05b91c19a13a407052bf9b9e
bug 982248 - NSSCertDBTrustDomain: specify timeout for OCSP requests r=briansmith
David Keeler <dkeeler@mozilla.com>
"OCSP request failure")); |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
return Success; // Soft fail -> success :( |
170833
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
} |
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
|
189859
31310e4551300a8dfa3c35042112900387826ee0
bug 997509 - heed expired Revoked or Unknown OCSP responses r=briansmith
David Keeler <dkeeler@mozilla.com>
// If the response from the network has expired but indicates a revoked |
31310e4551300a8dfa3c35042112900387826ee0
bug 997509 - heed expired Revoked or Unknown OCSP responses r=briansmith
David Keeler <dkeeler@mozilla.com>
// or unknown certificate, PR_GetError() will return the appropriate error. |
31310e4551300a8dfa3c35042112900387826ee0
bug 997509 - heed expired Revoked or Unknown OCSP responses r=briansmith
David Keeler <dkeeler@mozilla.com>
// We actually ignore expired here. |
31310e4551300a8dfa3c35042112900387826ee0
bug 997509 - heed expired Revoked or Unknown OCSP responses r=briansmith
David Keeler <dkeeler@mozilla.com>
bool expired; |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
rv = VerifyAndMaybeCacheEncodedOCSPResponse(certID, time, |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
maxOCSPLifetimeInDays, |
197250
c04d170a0bd9ad169065d5546a1149554a543422
Bug 1041186, Part 1: Improve buffer overflow protection in mozilla::pkix, r=keeler
Brian Smith <brian@briansmith.org>
response, ResponseIsFromNetwork, |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
expired); |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
if (rv == Success || mOCSPFetching != FetchOCSPForDVSoftFail) { |
247076
f52c18aac7ce0949190da943ec5d4ee86627d0f8
Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
Eric Rahm <erahm@mozilla.com>
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
170833
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
("NSSCertDBTrustDomain: returning after VerifyEncodedOCSPResponse")); |
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
return rv; |
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
} |
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
|
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
if (rv == Result::ERROR_OCSP_UNKNOWN_CERT || |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
rv == Result::ERROR_REVOKED_CERTIFICATE) { |
170833
b7030189c2ca5697c8fba43220511ddc39fcce98
Bug 921885: Use insanity::pkix for EV cert verification when insanity::pkix is the selected implementation, r=cviecco, r=keeler
Brian Smith <brian@briansmith.org>
return rv; |
169459
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
} |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
if (stapledOCSPResponseResult != Success) { |
247076
f52c18aac7ce0949190da943ec5d4ee86627d0f8
Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
Eric Rahm <erahm@mozilla.com>
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
187236
3697556d43f79c2eb9dfdfe283e96c4ca065608f
bug 1019198 - fail handshake if given an expired OCSP response and fetching a new one fails r=briansmith
David Keeler <dkeeler@mozilla.com>
("NSSCertDBTrustDomain: returning SECFailure from expired stapled " |
3697556d43f79c2eb9dfdfe283e96c4ca065608f
bug 1019198 - fail handshake if given an expired OCSP response and fetching a new one fails r=briansmith
David Keeler <dkeeler@mozilla.com>
"response after OCSP request verification failure")); |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
return stapledOCSPResponseResult; |
187236
3697556d43f79c2eb9dfdfe283e96c4ca065608f
bug 1019198 - fail handshake if given an expired OCSP response and fetching a new one fails r=briansmith
David Keeler <dkeeler@mozilla.com>
} |
3697556d43f79c2eb9dfdfe283e96c4ca065608f
bug 1019198 - fail handshake if given an expired OCSP response and fetching a new one fails r=briansmith
David Keeler <dkeeler@mozilla.com>
|
247076
f52c18aac7ce0949190da943ec5d4ee86627d0f8
Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
Eric Rahm <erahm@mozilla.com>
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
169459
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
("NSSCertDBTrustDomain: end of CheckRevocation")); |
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
|
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
return Success; // Soft fail -> success :( |
169459
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
} |
302def56019a278411ed9d71e3de7126d1729811
Bug 915931, Part 3: Integrate insanity::pkix OCSP support, r=keeler, r=cviecco
Brian Smith <brian@briansmith.org>
|
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
Result |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse( |
197619
a4a8b3b58191206f53748d823cf255fba4042253
Bug 1043041: Use mozilla::pkix::Time instead of PRTime, r=keeler
Brian Smith <brian@briansmith.org>
const CertID& certID, Time time, uint16_t maxLifetimeInDays, |
197251
c989be71f8443b628a15cd0aab16f47de73d3582
Bug 1041186, Part 2: Rename Input to Reader and InputBuffer to Input, r=keeler
Brian Smith <brian@briansmith.org>
parents:
197250
diff
changeset
|
655 |
Input encodedResponse, EncodedResponseSource responseSource, |
189910
3d54fd14fb9c6fce3336ea14831ff51b6bbc6b5d
Bug 1026261: Remove CERTCertificate from mozilla::pkix revocation checking API, r=keeler
Brian Smith <brian@briansmith.org>
parents:
189859
diff
changeset
|
656 |
/*out*/ bool& expired) |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
171631
diff
changeset
|
657 |
{ |
197619
a4a8b3b58191206f53748d823cf255fba4042253
Bug 1043041: Use mozilla::pkix::Time instead of PRTime, r=keeler
Brian Smith <brian@briansmith.org>
parents:
197618
diff
changeset
|
658 |
Time thisUpdate(Time::uninitialized); |
a4a8b3b58191206f53748d823cf255fba4042253
Bug 1043041: Use mozilla::pkix::Time instead of PRTime, r=keeler
Brian Smith <brian@briansmith.org>
parents:
197618
diff
changeset
|
659 |
Time validThrough(Time::uninitialized); |
253509
4caca8feef1fe207d00a1f43bb6859db685000d5
Bug 1183822 - fix OCSP verification failures (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
parents:
253462
diff
changeset
|
660 |
|
4caca8feef1fe207d00a1f43bb6859db685000d5
Bug 1183822 - fix OCSP verification failures (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
parents:
253462
diff
changeset
|
661 |
// We use a try and fallback approach which first mandates good signature |
4caca8feef1fe207d00a1f43bb6859db685000d5
Bug 1183822 - fix OCSP verification failures (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
parents:
253462
diff
changeset
|
662 |
// digest algorithms, then falls back to SHA-1 if this fails. If a delegated |
4caca8feef1fe207d00a1f43bb6859db685000d5
Bug 1183822 - fix OCSP verification failures (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
parents:
253462
diff
changeset
|
663 |
// OCSP response signing certificate was issued with a SHA-1 signature, |
4caca8feef1fe207d00a1f43bb6859db685000d5
Bug 1183822 - fix OCSP verification failures (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
parents:
253462
diff
changeset
|
664 |
// verification initially fails. We cache the failure and then re-use that |
4caca8feef1fe207d00a1f43bb6859db685000d5
Bug 1183822 - fix OCSP verification failures (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
parents:
253462
diff
changeset
|
665 |
// result even when doing fallback (i.e. when weak signature digest algorithms |
4caca8feef1fe207d00a1f43bb6859db685000d5
Bug 1183822 - fix OCSP verification failures (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
parents:
253462
diff
changeset
|
666 |
// should succeed). To address this we use an OCSPVerificationTrustDomain |
4caca8feef1fe207d00a1f43bb6859db685000d5
Bug 1183822 - fix OCSP verification failures (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
parents:
253462
diff
changeset
|
667 |
// here, rather than using *this, to ensure verification succeeds for all |
4caca8feef1fe207d00a1f43bb6859db685000d5
Bug 1183822 - fix OCSP verification failures (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
parents:
253462
diff
changeset
|
668 |
// allowed signature digest algorithms. |
4caca8feef1fe207d00a1f43bb6859db685000d5
Bug 1183822 - fix OCSP verification failures (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
parents:
253462
diff
changeset
|
669 |
OCSPVerificationTrustDomain trustDomain(*this); |
4caca8feef1fe207d00a1f43bb6859db685000d5
Bug 1183822 - fix OCSP verification failures (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
parents:
253462
diff
changeset
|
670 |
Result rv = VerifyEncodedOCSPResponse(trustDomain, certID, time, |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
parents:
196235
diff
changeset
|
671 |
maxLifetimeInDays, encodedResponse, |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
parents:
196235
diff
changeset
|
672 |
expired, &thisUpdate, &validThrough); |
189859
31310e4551300a8dfa3c35042112900387826ee0
bug 997509 - heed expired Revoked or Unknown OCSP responses r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
187310
diff
changeset
|
673 |
// If a response was stapled and expired, we don't want to cache it. Return |
31310e4551300a8dfa3c35042112900387826ee0
bug 997509 - heed expired Revoked or Unknown OCSP responses r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
187310
diff
changeset
|
674 |
// early to simplify the logic here. |
31310e4551300a8dfa3c35042112900387826ee0
bug 997509 - heed expired Revoked or Unknown OCSP responses r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
187310
diff
changeset
|
675 |
if (responseSource == ResponseWasStapled && expired) { |
328037
9957c63c664df44054c7930a5632ba9e07af3f55
Bug 1325107 - Stop using PR_ASSERT() in PSM. r=mgoodwin
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
327138
diff
changeset
|
676 |
MOZ_ASSERT(rv != Success); |
189859
31310e4551300a8dfa3c35042112900387826ee0
bug 997509 - heed expired Revoked or Unknown OCSP responses r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
187310
diff
changeset
|
677 |
return rv; |
31310e4551300a8dfa3c35042112900387826ee0
bug 997509 - heed expired Revoked or Unknown OCSP responses r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
187310
diff
changeset
|
678 |
} |
180773
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
parents:
174647
diff
changeset
|
679 |
// validThrough is only trustworthy if the response successfully verifies |
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
parents:
174647
diff
changeset
|
680 |
// or it indicates a revoked or unknown certificate. |
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
parents:
174647
diff
changeset
|
681 |
// If this isn't the case, store an indication of failure (to prevent |
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
parents:
174647
diff
changeset
|
682 |
// repeatedly requesting a response from a failing server). |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
parents:
196235
diff
changeset
|
683 |
if (rv != Success && rv != Result::ERROR_REVOKED_CERTIFICATE && |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
parents:
196235
diff
changeset
|
684 |
rv != Result::ERROR_OCSP_UNKNOWN_CERT) { |
197619
a4a8b3b58191206f53748d823cf255fba4042253
Bug 1043041: Use mozilla::pkix::Time instead of PRTime, r=keeler
Brian Smith <brian@briansmith.org>
parents:
197618
diff
changeset
|
685 |
validThrough = time; |
a4a8b3b58191206f53748d823cf255fba4042253
Bug 1043041: Use mozilla::pkix::Time instead of PRTime, r=keeler
Brian Smith <brian@briansmith.org>
parents:
197618
diff
changeset
|
686 |
if (validThrough.AddSeconds(ServerFailureDelaySeconds) != Success) { |
a4a8b3b58191206f53748d823cf255fba4042253
Bug 1043041: Use mozilla::pkix::Time instead of PRTime, r=keeler
Brian Smith <brian@briansmith.org>
parents:
197618
diff
changeset
|
687 |
return Result::FATAL_ERROR_LIBRARY_FAILURE; // integer overflow |
a4a8b3b58191206f53748d823cf255fba4042253
Bug 1043041: Use mozilla::pkix::Time instead of PRTime, r=keeler
Brian Smith <brian@briansmith.org>
parents:
197618
diff
changeset
|
688 |
} |
180773
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
parents:
174647
diff
changeset
|
689 |
} |
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
parents:
174647
diff
changeset
|
690 |
if (responseSource == ResponseIsFromNetwork || |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
parents:
196235
diff
changeset
|
691 |
rv == Success || |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
parents:
196235
diff
changeset
|
692 |
rv == Result::ERROR_REVOKED_CERTIFICATE || |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
parents:
196235
diff
changeset
|
693 |
rv == Result::ERROR_OCSP_UNKNOWN_CERT) { |
247076
f52c18aac7ce0949190da943ec5d4ee86627d0f8
Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
Eric Rahm <erahm@mozilla.com>
parents:
246724
diff
changeset
|
694 |
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
171631
diff
changeset
|
695 |
("NSSCertDBTrustDomain: caching OCSP response")); |
323938
80a39e170b4106eae2d15d56ff10d1d0a5feb84b
Bug 1315143 - Make OCSP use Origin Attribute framework (PSM). r=Cykesiopka,keeler
Jonathan Hao <jhao@mozilla.com>
parents:
322401
diff
changeset
|
696 |
Result putRV = mOCSPCache.Put(certID, mOriginAttributes, rv, thisUpdate, |
318758
4adb7daf5033d99baf8c55483ea7d628f4693424
Bug 1264562 - Part 5: Double key OCSP cache with firstPartyDomain (adapted from Tor Browser patch #13670) r=keeler
Jonathan Hao <jhao@mozilla.com>
parents:
318757
diff
changeset
|
697 |
validThrough); |
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
parents:
196235
diff
changeset
|
698 |
if (putRV != Success) { |
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
parents:
196235
diff
changeset
|
699 |
return putRV; |
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
171631
diff
changeset
|
700 |
} |
180773
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
parents:
174647
diff
changeset
|
701 |
} |
6d813156e49133e6416cfd16873feec564936eb2
bug 977865 - mozilla::pkix: add backoff for ocsp fetching when a responder fails r=cviecco
David Keeler <dkeeler@mozilla.com>
parents:
174647
diff
changeset
|
702 |
|
173228
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
171631
diff
changeset
|
703 |
return rv; |
840df518d026f9f7b9bf896fb7ef8d0b3e9fb9da
bug 915932 - cache OCSP responses when using insanity::pkix r=cviecco r=briansmith
David Keeler <dkeeler@mozilla.com>
parents:
171631
diff
changeset
|
704 |
} |
// DER-encoded subject distinguished names of the two CNNIC root certificates
// whose issuance is restricted to whitelisted certificates (bug 1151512).
// Each literal below is one element of the encoding; the comment beside it
// gives the decoded meaning so the bytes can be audited by eye.
//
// Both arrays are initialized from string literals, so each carries one
// trailing NUL byte beyond the DER encoding and sizeof() is the DER length
// plus one. NOTE(review): the comparison code is not shown here - confirm it
// compares sizeof(...) - 1 bytes.

// Subject: C=CN, O=CNNIC, CN=CNNIC ROOT (52 bytes of DER).
static const uint8_t CNNIC_ROOT_CA_SUBJECT_DATA[] =
  // SEQUENCE, 50 bytes of content
  "\x30\x32"
  // SET { SEQUENCE { OID 2.5.4.6 (countryName), PrintableString "CN" } }
  "\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E"
  // SET { SEQUENCE { OID 2.5.4.10 (organizationName),
  //                  PrintableString "CNNIC" } }
  "\x31\x0E\x30\x0C\x06\x03\x55\x04\x0A\x13\x05\x43\x4E\x4E\x49\x43"
  // SET { SEQUENCE { OID 2.5.4.3 (commonName),
  //                  PrintableString "CNNIC ROOT" } }
  "\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A"
  "\x43\x4E\x4E\x49\x43\x20\x52\x4F\x4F\x54";

// Subject: C=CN, O=China Internet Network Information Center,
// CN=China Internet Network Information Center EV Certificates Root
// (141 bytes of DER).
static const uint8_t CNNIC_EV_ROOT_CA_SUBJECT_DATA[] =
  // SEQUENCE, long-form length, 138 bytes of content
  "\x30\x81\x8A"
  // SET { SEQUENCE { OID 2.5.4.6 (countryName), PrintableString "CN" } }
  "\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E"
  // SET { SEQUENCE { OID 2.5.4.10 (organizationName),
  //                  UTF8String, 41 bytes } }
  "\x31\x32\x30\x30\x06\x03\x55\x04\x0A\x0C\x29"
  // "China Internet Network Information Center"
  "\x43\x68\x69\x6E\x61\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20"
  "\x4E\x65\x74\x77\x6F\x72\x6B\x20"
  "\x49\x6E\x66\x6F\x72\x6D\x61\x74\x69\x6F\x6E\x20"
  "\x43\x65\x6E\x74\x65\x72"
  // SET { SEQUENCE { OID 2.5.4.3 (commonName), UTF8String, 62 bytes } }
  "\x31\x47\x30\x45\x06\x03\x55\x04\x03\x0C\x3E"
  // "China Internet Network Information Center EV Certificates Root"
  "\x43\x68\x69\x6E\x61\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20"
  "\x4E\x65\x74\x77\x6F\x72\x6B\x20"
  "\x49\x6E\x66\x6F\x72\x6D\x61\x74\x69\x6F\x6E\x20"
  "\x43\x65\x6E\x74\x65\x72\x20"
  "\x45\x56\x20"
  "\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x73\x20"
  "\x52\x6F\x6F\x74";
// Three-way comparator that orders a fixed target hash against entries of the
// CNNIC certificate whitelist. As the name indicates, it is meant to be handed
// to a binary search over WhitelistedCNNICHash entries.
// NOTE(review): the search call and the table are not shown here - a binary
// search presumes the table is sorted in memcmp order; confirm.
//
// The comparator keeps only a pointer to the target, so the caller's buffer
// has to outlive it.
class WhitelistedCNNICHashBinarySearchComparator
{
public:
  // aTarget       - the hash to look for; not copied.
  // aTargetLength - number of bytes at aTarget; expected to equal
  //                 CNNIC_WHITELIST_HASH_LEN.
  //
  // The length is checked by MOZ_ASSERT only, which is a debug-build check.
  // operator() always reads CNNIC_WHITELIST_HASH_LEN bytes from the target,
  // so callers must pass a buffer of at least that size.
  explicit WhitelistedCNNICHashBinarySearchComparator(const uint8_t* aTarget,
                                                      size_t aTargetLength)
    : mTarget(aTarget)
  {
    MOZ_ASSERT(aTargetLength == CNNIC_WHITELIST_HASH_LEN,
               "Hashes should be of the same length.");
  }

  // Returns a negative value, zero or a positive value according to whether
  // the target sorts before, equal to or after val.hash when the two are
  // compared byte-wise over CNNIC_WHITELIST_HASH_LEN bytes.
  int operator()(const WhitelistedCNNICHash val) const {
    const int ordering = memcmp(mTarget, val.hash, CNNIC_WHITELIST_HASH_LEN);
    return ordering;
  }

private:
  // Borrowed pointer to the hash being searched for.
  const uint8_t* mTarget;
};
// Reports whether |cert| carries one of the subject distinguished names listed
// in StartComAndWoSignDNs (bug 1309707).
//
// The match is made on the DER-encoded subject alone: a listed name matches
// when it has the same length and the same bytes as cert->derSubject. No key
// or other certificate field is compared, so any certificate bearing one of
// these subject names is treated as a StartCom/WoSign certificate.
//
// |cert| is dereferenced without a null check; callers must pass a valid
// certificate.
static bool
CertIsStartComOrWoSign(const CERTCertificate* cert)
{
  const auto& subject = cert->derSubject;
  for (const DataAndLength& knownDN : StartComAndWoSignDNs) {
    // Compare lengths first so PodEqual never reads past the shorter buffer.
    if (subject.len != knownDN.len) {
      continue;
    }
    if (PodEqual(subject.data, knownDN.data, knownDN.len)) {
      return true;
    }
  }
  return false;
}
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
751 |
|
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
752 |
// If a certificate in the given chain appears to have been issued by one of |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
753 |
// seven roots operated by StartCom and WoSign that are not trusted to issue new |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
754 |
// certificates, verify that the end-entity has a notBefore date before 21 |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
755 |
// October 2016. If the value of notBefore is after this time, the chain is not |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
756 |
// valid. |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
757 |
// (NB: While there are seven distinct roots being checked for, two of them |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
758 |
// share distinguished names, resulting in six distinct distinguished names to |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
759 |
// actually look for.) |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
760 |
static Result |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
761 |
CheckForStartComOrWoSign(const UniqueCERTCertList& certChain) |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
762 |
{ |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
763 |
if (CERT_LIST_EMPTY(certChain)) { |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
764 |
return Result::FATAL_ERROR_LIBRARY_FAILURE; |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
765 |
} |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
766 |
const CERTCertListNode* endEntityNode = CERT_LIST_HEAD(certChain); |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
767 |
if (!endEntityNode || !endEntityNode->cert) { |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
768 |
return Result::FATAL_ERROR_LIBRARY_FAILURE; |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
769 |
} |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
770 |
PRTime notBefore; |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
771 |
PRTime notAfter; |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
772 |
if (CERT_GetCertTimes(endEntityNode->cert, ¬Before, ¬After) |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
773 |
!= SECSuccess) { |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
774 |
return Result::FATAL_ERROR_LIBRARY_FAILURE; |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
775 |
} |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
776 |
// PRTime is microseconds since the epoch, whereas JS time is milliseconds. |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
777 |
// (new Date("2016-10-21T00:00:00Z")).getTime() * 1000 |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
778 |
static const PRTime OCTOBER_21_2016 = 1477008000000000; |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
779 |
if (notBefore <= OCTOBER_21_2016) { |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
780 |
return Success; |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
781 |
} |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
782 |
|
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
783 |
for (const CERTCertListNode* node = CERT_LIST_HEAD(certChain); |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
784 |
!CERT_LIST_END(node, certChain); node = CERT_LIST_NEXT(node)) { |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
785 |
if (!node || !node->cert) { |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
786 |
return Result::FATAL_ERROR_LIBRARY_FAILURE; |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
787 |
} |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
788 |
if (CertIsStartComOrWoSign(node->cert)) { |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
789 |
return Result::ERROR_REVOKED_CERTIFICATE; |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
790 |
} |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
791 |
} |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
792 |
return Success; |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
793 |
} |
77880cde0de11bf9c4e01f03cae985f3b9f04ae3
bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj
David Keeler <dkeeler@mozilla.com>
parents:
319180
diff
changeset
|
794 |
|
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
parents:
196235
diff
changeset
|
795 |
// Chain-level policy gate: runs the checks below on the chain described by
// |certArray| and, only if all of them pass, stores the chain in mBuiltChain.
//
// Checks, in order:
//   1. StartCom/WoSign distrust via CheckForStartComOrWoSign (bug 1309707).
//   2. CNNIC whitelist: if the certificate at the tail of the list has the
//      subject of either CNNIC root, the certificate at the head of the list
//      must have its SHA-256 hash in WhitelistedCNNICHashes (bug 1151512).
//   3. Key pinning (HPKP), when a hostname is set and the pinning mode asks
//      for it.
//
// Returns Success when every check passes, FATAL_ERROR_LIBRARY_FAILURE on
// unexpected null/empty data or helper failure, ERROR_REVOKED_CERTIFICATE for
// a non-whitelisted CNNIC-rooted certificate, ERROR_KEY_PINNING_FAILURE when
// the pin check fails, or whatever error the called helpers report.
Result
NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time)
{
  MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
         ("NSSCertDBTrustDomain: IsChainValid"));

  // Judging by the helper's name, certArray is in the reverse order of the
  // resulting list -- confirm against its definition.
  UniqueCERTCertList certList;
  SECStatus listStatus =
    ConstructCERTCertListFromReversedDERArray(certArray, certList);
  if (listStatus != SECSuccess) {
    return MapPRErrorCodeToResult(PR_GetError());
  }
  if (CERT_LIST_EMPTY(certList)) {
    return Result::FATAL_ERROR_LIBRARY_FAILURE;
  }

  Result distrustResult = CheckForStartComOrWoSign(certList);
  if (distrustResult != Success) {
    return distrustResult;
  }

  // The tail of the list is treated as the root of the chain.
  CERTCertListNode* tailNode = CERT_LIST_TAIL(certList);
  if (!tailNode || !tailNode->cert) {
    return Result::FATAL_ERROR_LIBRARY_FAILURE;
  }
  CERTCertificate* root = tailNode->cert;

  // If the certificate appears to have been issued by a CNNIC root, only allow
  // it if it is on the whitelist. Each length test guards its memcmp, so the
  // comparison never reads past the shorter buffer.
  const bool rootIsCNNIC =
    root->derSubject.len == sizeof(CNNIC_ROOT_CA_SUBJECT_DATA) - 1 &&
    memcmp(root->derSubject.data, CNNIC_ROOT_CA_SUBJECT_DATA,
           root->derSubject.len) == 0;
  const bool rootIsCNNICEV =
    root->derSubject.len == sizeof(CNNIC_EV_ROOT_CA_SUBJECT_DATA) - 1 &&
    memcmp(root->derSubject.data, CNNIC_EV_ROOT_CA_SUBJECT_DATA,
           root->derSubject.len) == 0;
  if (rootIsCNNIC || rootIsCNNICEV) {
    // The head of the list is the certificate being vetted (presumably the
    // end-entity -- confirm against the list construction helper).
    CERTCertListNode* headNode = CERT_LIST_HEAD(certList);
    if (!headNode || !headNode->cert) {
      return Result::FATAL_ERROR_LIBRARY_FAILURE;
    }
    CERTCertificate* headCert = headNode->cert;

    // The whitelist is keyed on the SHA-256 digest of the whole DER encoding.
    Digest sha256;
    nsresult digestRv = sha256.DigestBuf(SEC_OID_SHA256,
                                         headCert->derCert.data,
                                         headCert->derCert.len);
    if (NS_FAILED(digestRv)) {
      return Result::FATAL_ERROR_LIBRARY_FAILURE;
    }
    const uint8_t* certHash =
      BitwiseCast<uint8_t*, unsigned char*>(sha256.get().data);
    size_t certHashLen = sha256.get().len;
    size_t matchIndex; // required out-parameter; the value is not used
    const bool whitelisted =
      mozilla::BinarySearchIf(WhitelistedCNNICHashes, 0,
                              ArrayLength(WhitelistedCNNICHashes),
                              WhitelistedCNNICHashBinarySearchComparator(
                                certHash, certHashLen),
                              &matchIndex);
    if (!whitelisted) {
      // A non-whitelisted certificate is reported as revoked.
      return Result::ERROR_REVOKED_CERTIFICATE;
    }
  }

  bool isBuiltInRoot = false;
  Result builtInResult = IsCertBuiltInRoot(root, isBuiltInRoot);
  if (builtInResult != Success) {
    return builtInResult;
  }

  // In pinningAllowUserCAMITM mode, a chain whose root is not built in is
  // exempt from the pin check.
  const bool skipPinningChecksBecauseOfMITMMode =
    !isBuiltInRoot && mPinningMode == CertVerifier::pinningAllowUserCAMITM;
  // If mHostname isn't set, we're not verifying in the context of a TLS
  // handshake, so don't verify HPKP in those cases.
  const bool checkPins = mHostname &&
                         mPinningMode != CertVerifier::pinningDisabled &&
                         !skipPinningChecksBecauseOfMITMMode;
  if (checkPins) {
    const bool enforceTestMode =
      mPinningMode == CertVerifier::pinningEnforceTestMode;
    // NOTE(review): left uninitialised, as in the original; this relies on
    // ChainHasValidPins assigning it whenever it succeeds -- confirm, or
    // consider initialising to false so the check fails closed.
    bool chainHasValidPins;
    nsresult pinRv = PublicKeyPinningService::ChainHasValidPins(
      certList, mHostname, time, enforceTestMode, mOriginAttributes,
      chainHasValidPins, mPinningTelemetryInfo);
    if (NS_FAILED(pinRv)) {
      return Result::FATAL_ERROR_LIBRARY_FAILURE;
    }
    if (!chainHasValidPins) {
      return Result::ERROR_KEY_PINNING_FAILURE;
    }
  }

  // Ownership of the list moves to the trust domain only after every check
  // above has passed.
  mBuiltChain = Move(certList);

  return Success;
}
affd460bc3d7ee6d8a6347bd7ae7faa4c7dc1ecd
Bug 744204 - Allow Certificate key pinning Part 2 - Certverifier Interface. r=keeler
Camilo Viecco <cviecco@mozilla.com>
parents:
180773
diff
changeset
|
888 |
|
197202
5f7dc391e8611d1f12f77d55f2c5a56ef8f6f29e
Bug 1039064: Use strongly-typed enum instead of NSPR-style error handling, r=keeler
Brian Smith <brian@briansmith.org>
parents:
196235
diff
changeset
|
889 |
Result |
252023
31d0ae4d8c62e08a17784a6be2ad185d6b2f4e23
Bug 1159155 - Add telemetry probe for SHA-1 usage (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
parents:
250685
diff
changeset
|
890 |
NSSCertDBTrustDomain::CheckSignatureDigestAlgorithm(DigestAlgorithm aAlg, |
262208
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
891 |
EndEntityOrCA endEntityOrCA, |
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
892 |
Time notBefore) |
230402
99f4f20645206379f887d0914e48745310cad12e
Bug 1131767: Prune away paths using unacceptable algorithms earlier, r=keeler
Brian Smith <brian@briansmith.org>
parents:
228592
diff
changeset
|
893 |
{ |
262208
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
894 |
// (new Date("2016-01-01T00:00:00Z")).getTime() / 1000 |
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
895 |
static const Time JANUARY_FIRST_2016 = TimeFromEpochInSeconds(1451606400); |
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
896 |
|
252023
31d0ae4d8c62e08a17784a6be2ad185d6b2f4e23
Bug 1159155 - Add telemetry probe for SHA-1 usage (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
parents:
250685
diff
changeset
|
897 |
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |
31d0ae4d8c62e08a17784a6be2ad185d6b2f4e23
Bug 1159155 - Add telemetry probe for SHA-1 usage (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
parents:
250685
diff
changeset
|
898 |
("NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm")); |
31d0ae4d8c62e08a17784a6be2ad185d6b2f4e23
Bug 1159155 - Add telemetry probe for SHA-1 usage (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
parents:
250685
diff
changeset
|
899 |
if (aAlg == DigestAlgorithm::sha1) { |
262208
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
900 |
switch (mSHA1Mode) { |
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
901 |
case CertVerifier::SHA1Mode::Forbidden: |
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
902 |
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, ("SHA-1 certificate rejected")); |
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
903 |
return Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED; |
314750
5436f8c05f6d05eaf561cba34c845b0328e949df
bug 1302140 - add policy to disable SHA-1 except for certificates issued by non-built-in CAs r=jcj,rbarnes
David Keeler <dkeeler@mozilla.com>
parents:
314731
diff
changeset
|
904 |
case CertVerifier::SHA1Mode::ImportedRootOrBefore2016: |
262208
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
905 |
if (JANUARY_FIRST_2016 <= notBefore) { |
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
906 |
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, ("Post-2015 SHA-1 certificate rejected")); |
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
907 |
return Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED; |
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
908 |
} |
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
909 |
break; |
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
910 |
case CertVerifier::SHA1Mode::Allowed: |
280844
bb6bfd172d6e40b5d6a87d8118faf860c02f8545
bug 1239455 - rework telemetry for SHA-1 certificates to reflect possible policy states r=Cykesiopka,mgoodwin,rbarnes
David Keeler <dkeeler@mozilla.com>
parents:
279729
diff
changeset
|
911 |
// Enforcing that the resulting chain uses an imported root is only |
bb6bfd172d6e40b5d6a87d8118faf860c02f8545
bug 1239455 - rework telemetry for SHA-1 certificates to reflect possible policy states r=Cykesiopka,mgoodwin,rbarnes
David Keeler <dkeeler@mozilla.com>
parents:
279729
diff
changeset
|
912 |
// possible at a higher level. This is done in CertVerifier::VerifyCert. |
bb6bfd172d6e40b5d6a87d8118faf860c02f8545
bug 1239455 - rework telemetry for SHA-1 certificates to reflect possible policy states r=Cykesiopka,mgoodwin,rbarnes
David Keeler <dkeeler@mozilla.com>
parents:
279729
diff
changeset
|
913 |
case CertVerifier::SHA1Mode::ImportedRoot: |
262208
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
914 |
default: |
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
915 |
break; |
314750
5436f8c05f6d05eaf561cba34c845b0328e949df
bug 1302140 - add policy to disable SHA-1 except for certificates issued by non-built-in CAs r=jcj,rbarnes
David Keeler <dkeeler@mozilla.com>
parents:
314731
diff
changeset
|
916 |
// MSVC warns unless we explicitly handle this now-unused option. |
5436f8c05f6d05eaf561cba34c845b0328e949df
bug 1302140 - add policy to disable SHA-1 except for certificates issued by non-built-in CAs r=jcj,rbarnes
David Keeler <dkeeler@mozilla.com>
parents:
314731
diff
changeset
|
917 |
case CertVerifier::SHA1Mode::UsedToBeBefore2016ButNowIsForbidden: |
5436f8c05f6d05eaf561cba34c845b0328e949df
bug 1302140 - add policy to disable SHA-1 except for certificates issued by non-built-in CAs r=jcj,rbarnes
David Keeler <dkeeler@mozilla.com>
parents:
314731
diff
changeset
|
918 |
MOZ_ASSERT_UNREACHABLE("unexpected SHA1Mode type"); |
5436f8c05f6d05eaf561cba34c845b0328e949df
bug 1302140 - add policy to disable SHA-1 except for certificates issued by non-built-in CAs r=jcj,rbarnes
David Keeler <dkeeler@mozilla.com>
parents:
314731
diff
changeset
|
919 |
return Result::FATAL_ERROR_LIBRARY_FAILURE; |
262208
0516d4db29a9d76361dd51331036e0b059b4dd60
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
Richard Barnes <rbarnes@mozilla.com>
parents:
258838
diff
changeset
|
920 |
} |
280844
bb6bfd172d6e40b5d6a87d8118faf860c02f8545
bug 1239455 - rework telemetry for SHA-1 certificates to reflect possible policy states r=Cykesiopka,mgoodwin,rbarnes
David Keeler <dkeeler@mozilla.com>
parents:
279729
diff
changeset
|
921 |
} |
252023
31d0ae4d8c62e08a17784a6be2ad185d6b2f4e23
Bug 1159155 - Add telemetry probe for SHA-1 usage (r=keeler)
Mark Goodwin <mgoodwin@mozilla.com>
parents:
250685
diff
changeset
|
922 |
|
230402
99f4f20645206379f887d0914e48745310cad12e
Bug 1131767: Prune away paths using unacceptable algorithms earlier, r=keeler
Brian Smith <brian@briansmith.org>
parents:
228592
diff
changeset
|
923 |
return Success; |
99f4f20645206379f887d0914e48745310cad12e
Bug 1131767: Prune away paths using unacceptable algorithms earlier, r=keeler
Brian Smith <brian@briansmith.org>
parents:
228592
diff
changeset
|
924 |
} |
99f4f20645206379f887d0914e48745310cad12e
Bug 1131767: Prune away paths using unacceptable algorithms earlier, r=keeler
Brian Smith <brian@briansmith.org>
parents:
228592
diff
changeset
|
925 |
|
99f4f20645206379f887d0914e48745310cad12e
Bug 1131767: Prune away paths using unacceptable algorithms earlier, r=keeler
Brian Smith <brian@briansmith.org>
parents:
228592
diff
changeset
|
926 |
// Enforces this trust domain's minimum RSA modulus size, mMinRSABits.
//
// The EndEntityOrCA argument is intentionally unnamed and unused, so the
// check does not depend on whether the certificate is an end-entity or a CA.
//
// Returns Result::ERROR_INADEQUATE_KEY_SIZE when modulusSizeInBits is below
// mMinRSABits, and Success otherwise. (The annotated history on this page
// attributes the check to Bug 360126 and Bug 1139177.)
Result
NSSCertDBTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
  EndEntityOrCA /*endEntityOrCA*/, unsigned int modulusSizeInBits)
{
  const bool modulusIsLongEnough = modulusSizeInBits >= mMinRSABits;
  if (modulusIsLongEnough) {
    return Success;
  }
  return Result::ERROR_INADEQUATE_KEY_SIZE;
}
// Verifies an RSA PKCS#1 signature by delegating to
// VerifyRSAPKCS1SignedDigestNSS with the given signed digest, the signer's
// subjectPublicKeyInfo and this trust domain's mPinArg.
// NOTE(review): mPinArg is presumably the NSS PIN/password-prompt context --
// confirm against the class declaration.
//
// The delegate's Result is returned unchanged; no policy is applied here.
Result
NSSCertDBTrustDomain::VerifyRSAPKCS1SignedDigest(
  const SignedDigest& signedDigest,
  Input subjectPublicKeyInfo)
{
  const Result verificationResult =
    VerifyRSAPKCS1SignedDigestNSS(signedDigest, subjectPublicKeyInfo, mPinArg);
  return verificationResult;
}
// Allowlist check for the elliptic curve of an ECDSA key.
//
// Only secp256r1, secp384r1 and secp521r1 are accepted. Every other
// NamedCurve value is rejected with Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE,
// so a curve added to NamedCurve later stays rejected until it is listed
// here.
//
// The EndEntityOrCA argument is intentionally unnamed and unused, so the
// check does not depend on whether the certificate is an end-entity or a CA.
Result
NSSCertDBTrustDomain::CheckECDSACurveIsAcceptable(
  EndEntityOrCA /*endEntityOrCA*/, NamedCurve curve)
{
  const bool curveIsAllowed = curve == NamedCurve::secp256r1 ||
                              curve == NamedCurve::secp384r1 ||
                              curve == NamedCurve::secp521r1;
  if (!curveIsAllowed) {
    return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
  }
  return Success;
}
// Verifies an ECDSA signature by delegating to VerifyECDSASignedDigestNSS
// with the given signed digest, the signer's subjectPublicKeyInfo and this
// trust domain's mPinArg.
// NOTE(review): mPinArg is presumably the NSS PIN/password-prompt context --
// confirm against the class declaration.
//
// The delegate's Result is returned unchanged. Curve acceptability is not
// checked in this function.
Result
NSSCertDBTrustDomain::VerifyECDSASignedDigest(const SignedDigest& signedDigest,
                                              Input subjectPublicKeyInfo)
{
  const Result verificationResult =
    VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo, mPinArg);
  return verificationResult;
}
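// Checks whether a certificate's validity period (notBefore..notAfter) is
// short enough under the current mValidityCheckingMode.
//
// The check is skipped (Success) when:
//   - the certificate is not being treated as an end-entity, or
//   - the key purpose is OCSP signing, or
//   - mValidityCheckingMode is ValidityCheckingMode::CheckingOff.
//
// With ValidityCheckingMode::CheckForEV the period may not exceed
// 2 * 365 + 3 * 31 + 7 = 830 days; a longer one yields
// Result::ERROR_VALIDITY_TOO_LONG. (The annotated history on this page
// attributes this check to Bug 1145679 and the 27-month figure to
// Bug 1222903.)
//
// An unrecognized mode asserts in debug builds and returns
// Result::FATAL_ERROR_LIBRARY_FAILURE otherwise.
Result
NSSCertDBTrustDomain::CheckValidityIsAcceptable(Time notBefore, Time notAfter,
                                                EndEntityOrCA endEntityOrCA,
                                                KeyPurposeId keyPurpose)
{
  if (endEntityOrCA != EndEntityOrCA::MustBeEndEntity) {
    return Success;
  }
  if (keyPurpose == KeyPurposeId::id_kp_OCSPSigning) {
    return Success;
  }

  // Two 365-day years, three 31-day months, plus 7 days of slop.
  Duration DURATION_27_MONTHS_PLUS_SLOP((2 * 365 + 3 * 31 + 7) *
                                        Time::ONE_DAY_IN_SECONDS);
  Duration maxValidityDuration(UINT64_MAX);
  Duration validityDuration(notBefore, notAfter);

  switch (mValidityCheckingMode) {
    case ValidityCheckingMode::CheckingOff:
      return Success;
    case ValidityCheckingMode::CheckForEV:
      // The EV Guidelines say the maximum is 27 months, but we use a slightly
      // higher limit here to (hopefully) minimize compatibility breakage.
      maxValidityDuration = DURATION_27_MONTHS_PLUS_SLOP;
      break;
    default:
      MOZ_ASSERT_UNREACHABLE("We're not handling every ValidityCheckingMode type");
      // Fail closed. Falling out of the switch here would leave
      // maxValidityDuration at UINT64_MAX, i.e. no limit at all, in builds
      // where the assertion is compiled out. Returning a fatal error matches
      // how NetscapeStepUpMatchesServerAuth treats an unhandled policy value.
      return Result::FATAL_ERROR_LIBRARY_FAILURE;
  }

  if (validityDuration > maxValidityDuration) {
    return Result::ERROR_VALIDITY_TOO_LONG;
  }

  return Success;
}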
// Decides, according to mNetscapeStepUpPolicy, whether the legacy
// Netscape-stepUp key purpose is treated as matching serverAuth for a
// certificate with the given notBefore time. (The annotated history on this
// page attributes this to bug 982932, which limits the allowance to old CA
// certificates.)
//
// On Success, |matches| holds the decision:
//   AlwaysMatch             -> true
//   MatchBefore23August2016 -> notBefore is strictly before 2016-08-23 UTC
//   MatchBefore23August2015 -> notBefore is strictly before 2015-08-23 UTC
//   NeverMatch              -> false
//
// An unhandled policy value asserts in debug builds and otherwise returns
// Result::FATAL_ERROR_LIBRARY_FAILURE; |matches| is left unmodified on that
// path, so callers must check the Result before reading it.
Result
NSSCertDBTrustDomain::NetscapeStepUpMatchesServerAuth(Time notBefore,
                                                      /*out*/ bool& matches)
{
  // Cut-off instants as seconds since the Unix epoch:
  //   1440288000 == 2015-08-23T00:00:00Z
  //   1471910400 == 2016-08-23T00:00:00Z
  static const Time AUGUST_23_2015 = TimeFromEpochInSeconds(1440288000);
  static const Time AUGUST_23_2016 = TimeFromEpochInSeconds(1471910400);

  switch (mNetscapeStepUpPolicy) {
    case NetscapeStepUpPolicy::AlwaysMatch:
      matches = true;
      break;
    case NetscapeStepUpPolicy::MatchBefore23August2016:
      matches = notBefore < AUGUST_23_2016;
      break;
    case NetscapeStepUpPolicy::MatchBefore23August2015:
      matches = notBefore < AUGUST_23_2015;
      break;
    case NetscapeStepUpPolicy::NeverMatch:
      matches = false;
      break;
    default:
      MOZ_ASSERT_UNREACHABLE("unhandled NetscapeStepUpPolicy type");
      return Result::FATAL_ERROR_LIBRARY_FAILURE;
  }
  return Success;
}
// Resets the per-verification state this trust domain accumulates: both SCT
// list members are set to nullptr and the OCSP stapling status goes back to
// CertVerifier::OCSP_STAPLING_NEVER_CHECKED.
// NOTE(review): presumably called before a fresh verification attempt so
// that stapling and SCT data from an earlier attempt cannot be attributed to
// the new one -- confirm against the callers.
void
NSSCertDBTrustDomain::ResetAccumulatedState()
{
  mSCTListFromCertificate = nullptr;
  mSCTListFromOCSPStapling = nullptr;
  mOCSPStaplingStatus = CertVerifier::OCSP_STAPLING_NEVER_CHECKED;
}
// Wraps the bytes of |item| in an Input without copying them.
//
// A null |item| yields a default-constructed Input. Otherwise the Input is
// initialized from item->data and item->len, so it refers to memory owned by
// |item| and must not be used after |item| is released.
//
// The siBuffer type check and the Init() result are only asserted; in builds
// where MOZ_ASSERT is compiled out an Init() failure is ignored and |converted|
// is returned as Init() left it.
// NOTE(review): presumably that is an empty Input -- confirm against
// Input::Init.
static Input
SECItemToInput(const UniqueSECItem& item)
{
  Input converted;
  if (!item) {
    return converted;
  }

  MOZ_ASSERT(item->type == siBuffer);
  Result rv = converted.Init(item->data, item->len);
  // As used here, |item| originally comes from an Input,
  // so there should be no issues converting it back.
  MOZ_ASSERT(rv == Success);
  Unused << rv; // suppresses warnings in release builds
  return converted;
}
// Returns the SCT list kept in mSCTListFromCertificate (the member that
// NoteAuxiliaryExtension fills for AuxiliaryExtension::EmbeddedSCTList),
// converted with SECItemToInput.
Input
NSSCertDBTrustDomain::GetSCTListFromCertificate() const
{
  const UniqueSECItem& storedList = mSCTListFromCertificate;
  return SECItemToInput(storedList);
}
// Returns the SCT list kept in mSCTListFromOCSPStapling (the member that
// NoteAuxiliaryExtension fills for
// AuxiliaryExtension::SCTListFromOCSPResponse), converted with
// SECItemToInput.
Input
NSSCertDBTrustDomain::GetSCTListFromOCSPStapling() const
{
  const UniqueSECItem& storedList = mSCTListFromOCSPStapling;
  return SECItemToInput(storedList);
}
// Records the raw bytes of an auxiliary extension so that they can be read
// back later through GetSCTListFromCertificate() or
// GetSCTListFromOCSPStapling().
//
// |extension| selects which member receives the data; |extensionData| is
// duplicated into that member, replacing whatever it held before.
void
NSSCertDBTrustDomain::NoteAuxiliaryExtension(AuxiliaryExtension extension,
                                             Input extensionData)
{
  UniqueSECItem* destination = nullptr;
  switch (extension) {
    case AuxiliaryExtension::EmbeddedSCTList:
      destination = &mSCTListFromCertificate;
      break;
    case AuxiliaryExtension::SCTListFromOCSPResponse:
      destination = &mSCTListFromOCSPStapling;
      break;
    default:
      // Debug builds stop here; release builds fall through with
      // |destination| still null and record nothing.
      MOZ_ASSERT_UNREACHABLE("unhandled AuxiliaryExtension");
  }
  if (!destination) {
    return;
  }

  // The SECItem only aliases |extensionData|; SECITEM_DupItem makes the copy
  // that the member actually owns.
  // NOTE(review): the result of SECITEM_DupItem is not checked. If it returns
  // null the member is reset to null, and the getters then report an empty
  // Input, i.e. a failed copy looks the same as "no SCT list was present".
  SECItem borrowedItem = UnsafeMapInputToSECItem(extensionData);
  destination->reset(SECITEM_DupItem(&borrowedItem));
}
// Initializes NSS against the database directory |dir|.
//
// |readOnly| adds NSS_INIT_READONLY to the initialization flags.
// |loadPKCS11Modules| == false adds NSS_INIT_NOMODDB, so the security module
// database is not opened and the PKCS#11 modules registered in it are not
// loaded.
// Returns the SECStatus reported by NSS_Initialize.
SECStatus
InitializeNSS(const char* dir, bool readOnly, bool loadPKCS11Modules)
{
  // The NSS_INIT_NOROOTINIT flag turns off the loading of the root certs
  // module by NSS_Initialize because we will load it in InstallLoadableRoots
  // later. It also allows us to work around a bug in the system NSS in
  // Ubuntu 8.04, which loads any nonexistent "<configdir>/libnssckbi.so" as
  // "/usr/lib/nss/libnssckbi.so".
  uint32_t initFlags = NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE;
  initFlags |= readOnly ? NSS_INIT_READONLY : 0;
  initFlags |= loadPKCS11Modules ? 0 : NSS_INIT_NOMODDB;
  return ::NSS_Initialize(dir, "", "", SECMOD_DB, initFlags);
}
// Withdraws MD5-based algorithms from NSS's algorithm policy for certificate
// signatures and CMS signatures. Each call sets no policy bits (second
// argument 0) and clears the two usage bits named in |kSignatureUses|.
//
// NOTE(review): the return values of NSS_SetAlgorithmPolicy are discarded, so
// a failed call would leave that algorithm's policy unchanged without any
// signal to the caller. The function returns void, so reporting the failure
// would need an interface change.
void
DisableMD5()
{
  const uint32_t kSignatureUses =
    NSS_USE_ALG_IN_CERT_SIGNATURE | NSS_USE_ALG_IN_CMS_SIGNATURE;

  NSS_SetAlgorithmPolicy(SEC_OID_MD5, 0, kSignatureUses);
  NSS_SetAlgorithmPolicy(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION, 0,
                         kSignatureUses);
  NSS_SetAlgorithmPolicy(SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC, 0,
                         kSignatureUses);
}
// Loads the built-in roots PKCS#11 module ("nssckbi") under the module name
// |modNameUTF8|.
//
// |dir| is the directory to load the library from; when it is empty, a null
// directory is passed to PR_GetLibraryName.
// Returns true only if SECMOD_LoadUserModule returned a module whose |loaded|
// field is set; every failure returns false.
//
// NOTE(review): with an empty |dir| the library name carries no directory, so
// which file gets loaded is presumably decided by the platform loader's
// search path. The loaded module supplies trust anchors, so callers should
// prefer an explicit directory - confirm against the callers.
bool
LoadLoadableRoots(const nsCString& dir, const nsCString& modNameUTF8)
{
  const char* libraryDir = dir.IsEmpty() ? nullptr : dir.get();
  UniquePRLibraryName libraryPath(PR_GetLibraryName(libraryDir, "nssckbi"));
  if (!libraryPath) {
    return false;
  }

  // Escape the \ and " characters, because the path is placed inside a
  // double-quoted value of the module spec built below.
  nsAutoCString escapedLibraryPath(libraryPath.get());
  escapedLibraryPath.ReplaceSubstring("\\", "\\\\");
  escapedLibraryPath.ReplaceSubstring("\"", "\\\"");
  if (escapedLibraryPath.IsEmpty()) {
    return false;
  }

  // If a module exists with the same name, make a best effort attempt to delete
  // it. Note that it isn't possible to delete the internal module, so checking
  // the return value would be detrimental in that case.
  int ignoredModType;
  Unused << SECMOD_DeleteModule(modNameUTF8.get(), &ignoredModType);

  // NOTE(review): unlike the library path, |modNameUTF8| is written into the
  // quoted name="..." value without escaping. A name containing a double
  // quote or backslash would change how the spec is parsed; confirm that all
  // callers pass a fixed, trusted name, or escape it the same way.
  nsAutoCString moduleSpec;
  moduleSpec.AppendPrintf("name=\"%s\" library=\"%s\"", modNameUTF8.get(),
                          escapedLibraryPath.get());
  if (moduleSpec.IsEmpty()) {
    return false;
  }

  // SECMOD_LoadUserModule takes a non-const char*, hence the const_cast.
  UniqueSECMODModule rootsModule(
    SECMOD_LoadUserModule(const_cast<char*>(moduleSpec.get()), nullptr,
                          false));
  // A non-null module is not enough: it must also report itself as loaded.
  return rootsModule && rootsModule->loaded;
}
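// Unloads the user module registered under |modNameUTF8|, if NSS knows one by
// that name. Does nothing when no such module is found or when
// |modNameUTF8| is null.
void
UnloadLoadableRoots(const char* modNameUTF8)
{
  MOZ_ASSERT(modNameUTF8);
  // MOZ_ASSERT only fires in debug builds; without this guard a release build
  // would hand a null name straight to SECMOD_FindModule. This mirrors the
  // assert-plus-release-check pairing used by DefaultServerNicknameForCert.
  if (!modNameUTF8) {
    return;
  }

  UniqueSECMODModule rootsModule(SECMOD_FindModule(modNameUTF8));
  if (rootsModule) {
    // The status returned by SECMOD_UnloadUserModule is not inspected; the
    // function returns void and has no way to report it.
    SECMOD_UnloadUserModule(rootsModule.get());
  }
}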
nsresult |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1172 |
DefaultServerNicknameForCert(const CERTCertificate* cert, |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1173 |
/*out*/ nsCString& nickname) |
165291
3e3ddb3ce8d331b9898c04e1bb90764738366edc
Bug 891066, Part 6: Move SSL server cert verification logic to security/certverifier, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165288
diff
changeset
|
1174 |
{ |
297009
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1175 |
MOZ_ASSERT(cert); |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1176 |
NS_ENSURE_ARG_POINTER(cert); |
165291
3e3ddb3ce8d331b9898c04e1bb90764738366edc
Bug 891066, Part 6: Move SSL server cert verification logic to security/certverifier, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165288
diff
changeset
|
1177 |
|
297009
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1178 |
UniquePORTString baseName(CERT_GetCommonName(&cert->subject)); |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1179 |
if (!baseName) { |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1180 |
baseName = UniquePORTString(CERT_GetOrgUnitName(&cert->subject)); |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1181 |
} |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1182 |
if (!baseName) { |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1183 |
baseName = UniquePORTString(CERT_GetOrgName(&cert->subject)); |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1184 |
} |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1185 |
if (!baseName) { |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1186 |
baseName = UniquePORTString(CERT_GetLocalityName(&cert->subject)); |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1187 |
} |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1188 |
if (!baseName) { |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1189 |
baseName = UniquePORTString(CERT_GetStateName(&cert->subject)); |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1190 |
} |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1191 |
if (!baseName) { |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1192 |
baseName = UniquePORTString(CERT_GetCountryName(&cert->subject)); |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1193 |
} |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1194 |
if (!baseName) { |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1195 |
return NS_ERROR_FAILURE; |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1196 |
} |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1197 |
|
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1198 |
// This function is only used in contexts where a failure to find a suitable |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1199 |
// nickname does not block the overall task from succeeding. |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1200 |
// As such, we use an arbitrary limit to prevent this nickname searching |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1201 |
// process from taking forever. |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1202 |
static const uint32_t ARBITRARY_LIMIT = 500; |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1203 |
for (uint32_t count = 1; count < ARBITRARY_LIMIT; count++) { |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1204 |
nickname = baseName.get(); |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1205 |
if (count != 1) { |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1206 |
nickname.AppendPrintf(" #%u", count); |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1207 |
} |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1208 |
if (nickname.IsEmpty()) { |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1209 |
return NS_ERROR_FAILURE; |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1210 |
} |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1211 |
|
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1212 |
bool conflict = SEC_CertNicknameConflict(nickname.get(), &cert->derSubject, |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1213 |
cert->dbhandle); |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1214 |
if (!conflict) { |
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1215 |
return NS_OK; |
165291
3e3ddb3ce8d331b9898c04e1bb90764738366edc
Bug 891066, Part 6: Move SSL server cert verification logic to security/certverifier, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165288
diff
changeset
|
1216 |
} |
3e3ddb3ce8d331b9898c04e1bb90764738366edc
Bug 891066, Part 6: Move SSL server cert verification logic to security/certverifier, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165288
diff
changeset
|
1217 |
} |
3e3ddb3ce8d331b9898c04e1bb90764738366edc
Bug 891066, Part 6: Move SSL server cert verification logic to security/certverifier, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165288
diff
changeset
|
1218 |
|
297009
0eeddfe247f74a128591a006e2eb85d1a29f7fa3
Bug 160122 - Stop using PR_smprintf in PSM. r=keeler
Cykesiopka <cykesiopka.bmo@gmail.com>
parents:
296847
diff
changeset
|
1219 |
return NS_ERROR_FAILURE; |
165291
3e3ddb3ce8d331b9898c04e1bb90764738366edc
Bug 891066, Part 6: Move SSL server cert verification logic to security/certverifier, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165288
diff
changeset
|
1220 |
} |
3e3ddb3ce8d331b9898c04e1bb90764738366edc
Bug 891066, Part 6: Move SSL server cert verification logic to security/certverifier, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165288
diff
changeset
|
1221 |
|
300508
eb3f64c79e83a413c724d785cf7c1739bf0ad04c
bug 1277240 - don't import trust anchors in SaveIntermediateCerts r=Cykesiopka
David Keeler <dkeeler@mozilla.com>
parents:
298730
diff
changeset
|
1222 |
/**
 * Stores the intermediate certificates of an already-verified path in the
 * permanent certificate database. Servers are sometimes misconfigured and
 * leave the needed intermediates out of the TLS handshake; remembering them
 * here is an attempt to cope with that.
 *
 * The list is expected to run from the end-entity certificate (head) to the
 * trust anchor (tail). Nothing in this function verifies the certificates, so
 * it must only be handed a list that the caller has already verified.
 *
 * @param certList the verified certificate list; a null list is ignored
 */
void
SaveIntermediateCerts(const UniqueCERTCertList& certList)
{
  if (!certList) {
    return;
  }

  UniquePK11SlotInfo internalSlot(PK11_GetInternalKeySlot());
  if (!internalSlot) {
    return;
  }

  bool pastEndEntity = false;
  for (CERTCertListNode* entry = CERT_LIST_HEAD(certList);
       !CERT_LIST_END(entry, certList);
       entry = CERT_LIST_NEXT(entry)) {
    // The first node is the end-entity certificate, which is never stored;
    // only the nodes after it are candidates.
    if (!pastEndEntity) {
      pastEndEntity = true;
      continue;
    }

    CERTCertificate* candidate = entry->cert;

    // A certificate found on a token, or one already in the permanent
    // database, does not need to be remembered again.
    if (candidate->slot || candidate->isperm) {
      continue;
    }

    // The last node is the trust anchor and is deliberately left alone. It is
    // either a permanent certificate already, or the Microsoft Family Safety
    // root or an enterprise root that the child mode / enterprise root
    // features imported temporarily. Those are meant to stay temporary, and
    // importing them happens to reset their trust settings, which would break
    // those features.
    if (entry == CERT_LIST_TAIL(certList)) {
      continue;
    }

    nsAutoCString nickname;
    if (NS_FAILED(DefaultServerNicknameForCert(candidate, nickname))) {
      // No usable nickname could be found; move on to the next certificate.
      continue;
    }

    // The import exists only to cope with misconfigured servers, so a failed
    // import does not matter and the result is discarded on purpose. The
    // final argument (includeTrust) is false.
    Unused << PK11_ImportCert(internalSlot.get(), candidate, CK_INVALID_HANDLE,
                              nickname.get(), false);
  }
}
3e3ddb3ce8d331b9898c04e1bb90764738366edc
Bug 891066, Part 6: Move SSL server cert verification logic to security/certverifier, r=cviecco
Brian Smith <brian@briansmith.org>
parents:
165288
diff
changeset
|
1287 |
|
165287
95f848f55c90176dd061a54c6d8d9855dbfed258
Bug 891066, Part 3: Move more initialization of NSS to security/certverifier, r=keeler
Brian Smith <brian@briansmith.org>
parents:
diff
changeset
|
1288 |
} } // namespace mozilla::psm |