Bug 1018018: Remove support/mention of proprietary Netscape certificate extensions from PSM, r=cviecco
authorBrian Smith <brian@briansmith.org>
Thu, 29 May 2014 20:38:25 -0700
changeset 185935 1b779285c164d8a3e34d2d3e4e824197b03300db
parent 185934 e307284f7fa0f46ef9622293e959d10b4a17455a
child 185936 69d7eaad0a504fc6ab08a5759f7e91b4acdce605
push id26871
push userphilringnalda@gmail.com
push dateSun, 01 Jun 2014 03:29:42 +0000
reviewerscviecco
bugs1018018
milestone32.0a1
Bug 1018018: Remove support/mention of proprietary Netscape certificate extensions from PSM, r=cviecco
security/manager/locales/en-US/chrome/pipnss/pipnss.properties
security/manager/ssl/src/TransportSecurityInfo.cpp
security/manager/ssl/src/nsNSSCertHelper.cpp
--- a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
+++ b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
@@ -96,27 +96,16 @@ CertDumpParams=Algorithm Parameters
 CertDumpRSAEncr=PKCS #1 RSA Encryption
 CertDumpRSAPSSSignature=PKCS #1 RSASSA-PSS Signature
 CertDumpRSATemplate=Modulus (%S bits):\n%S\nExponent (%S bits):\n%S
 CertDumpECTemplate=Key size: %S bits\nBase point order length: %S bits\nPublic value:\n%S
 CertDumpIssuerUniqueID=Issuer Unique ID
 CertDumpSubjPubKey=Subject's Public Key
 CertDumpSubjectUniqueID=Subject Unique ID
 CertDumpExtensions=Extensions
-CertDumpCertType=Netscape Certificate Type
-CertDumpNSCertExtBaseUrl=Netscape Certificate Extension Base URL
-CertDumpNSCertExtRevocationUrl=Netscape Certificate Revocation URL
-CertDumpNSCertExtCARevocationUrl=Netscape Certificate Authority Revocation URL
-CertDumpNSCertExtCertRenewalUrl=Netscape Certificate Renewal URL
-CertDumpNSCertExtCAPolicyUrl=Netscape Certificate Authority Policy URL
-CertDumpNSCertExtSslServerName=Netscape Certificate SSL Server Name
-CertDumpNSCertExtComment=Netscape Certificate Comment
-CertDumpNSCertExtLostPasswordUrl=Netscape Lost Password URL
-CertDumpNSCertExtCertRenewalTime=NetscapeCertificate Renewal Time
-CertDumpNetscapeAolScreenname=AOL Screenname
 CertDumpSubjectDirectoryAttr=Certificate Subject Directory Attributes
 CertDumpSubjectKeyID=Certificate Subject Key ID
 CertDumpKeyUsage=Certificate Key Usage
 CertDumpSubjectAltName=Certificate Subject Alt Name
 CertDumpIssuerAltName=Certificate Issuer Alt Name
 CertDumpBasicConstraints=Certificate Basic Constraints
 CertDumpNameConstraints=Certificate Name Constraints
 CertDumpCrlDistPoints=CRL Distribution Points
@@ -124,18 +113,16 @@ CertDumpCertPolicies=Certificate Policie
 CertDumpPolicyMappings=Certificate Policy Mappings
 CertDumpPolicyConstraints=Certificate Policy Constraints
 CertDumpAuthKeyID=Certificate Authority Key Identifier
 CertDumpExtKeyUsage=Extended Key Usage
 CertDumpAuthInfoAccess=Authority Information Access
 CertDumpAnsiX9DsaSignature=ANSI X9.57 DSA Signature
 CertDumpAnsiX9DsaSignatureWithSha1=ANSI X9.57 DSA Signature with SHA1 Digest
 CertDumpAnsiX962ECDsaSignatureWithSha1=ANSI X9.62 ECDSA Signature with SHA1
-CertDumpCertTypeEmail=Email
-CertDumpEmailCA=Email Certificate Authority
 CertDumpKUSign=Signing
 CertDumpKUNonRep=Non-repudiation
 CertDumpKUEnc=Key Encipherment
 CertDumpKUDEnc=Data Encipherment
 CertDumpKUKA=Key Agreement
 CertDumpKUCertSign=Certificate Signer
 CertDumpKUCRLSigner=CRL Signer
 CertDumpCritical=Critical
--- a/security/manager/ssl/src/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/src/TransportSecurityInfo.cpp
@@ -702,23 +702,17 @@ AppendErrorTextMismatch(const nsString &
   nsString allNames;
   uint32_t nameCount = 0;
   bool useSAN = false;
 
   if (nssCert)
     useSAN = GetSubjectAltNames(nssCert.get(), component, allNames, nameCount);
 
   if (!useSAN) {
-    char *certName = nullptr;
-    // currently CERT_FindNSStringExtension is not being exported by NSS.
-    // If it gets exported, enable the following line.
-    //   certName = CERT_FindNSStringExtension(nssCert, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
-    // However, it has been discussed to treat the extension as obsolete and ignore it.
-    if (!certName)
-      certName = CERT_GetCommonName(&nssCert->subject);
+    char *certName = CERT_GetCommonName(&nssCert->subject);
     if (certName) {
       ++nameCount;
       allNames.Assign(NS_ConvertUTF8toUTF16(certName));
       PORT_Free(certName);
     }
   }
 
   if (nameCount > 1) {
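Review bot: The fallback `CERT_GetCommonName(&nssCert->subject)` uses `nssCert` without a check, while the SAN lookup a few lines above is guarded by `if (nssCert)`; when `nssCert` is null, `useSAN` stays false and this is exactly the branch that runs. If a null certificate can reach this point, guard the call as `char *certName = nssCert ? CERT_GetCommonName(&nssCert->subject) : nullptr;`. If an earlier return outside the hunk already rejects a null certificate, the `if (nssCert)` test is dead and should be dropped so the two paths agree. The removed lines made the same unguarded call, so this predates the change, but the rewritten declaration is the natural place to settle it. AppendErrorTextMismatch starts and ends outside the hunk.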
--- a/security/manager/ssl/src/nsNSSCertHelper.cpp
+++ b/security/manager/ssl/src/nsNSSCertHelper.cpp
@@ -280,49 +280,16 @@ GetOIDText(SECItem *oid, nsINSSComponent
     bundlekey = "CertDumpSHA512WithRSA";
     break;
   case SEC_OID_PKCS1_RSA_ENCRYPTION:
     bundlekey = "CertDumpRSAEncr";
     break;
   case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
     bundlekey = "CertDumpRSAPSSSignature";
     break;
-  case SEC_OID_NS_CERT_EXT_CERT_TYPE:
-    bundlekey = "CertDumpCertType";
-    break;
-  case SEC_OID_NS_CERT_EXT_BASE_URL:
-    bundlekey = "CertDumpNSCertExtBaseUrl";
-    break;
-  case SEC_OID_NS_CERT_EXT_REVOCATION_URL:
-    bundlekey = "CertDumpNSCertExtRevocationUrl";
-    break;
-  case SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL:
-    bundlekey = "CertDumpNSCertExtCARevocationUrl";
-    break;
-  case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL:
-    bundlekey = "CertDumpNSCertExtCertRenewalUrl";
-    break;
-  case SEC_OID_NS_CERT_EXT_CA_POLICY_URL:
-    bundlekey = "CertDumpNSCertExtCAPolicyUrl";
-    break;
-  case SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME:
-    bundlekey = "CertDumpNSCertExtSslServerName";
-    break;
-  case SEC_OID_NS_CERT_EXT_COMMENT:
-    bundlekey = "CertDumpNSCertExtComment";
-    break;
-  case SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL:
-    bundlekey = "CertDumpNSCertExtLostPasswordUrl";
-    break;
-  case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME:
-    bundlekey = "CertDumpNSCertExtCertRenewalTime";
-    break;
-  case SEC_OID_NETSCAPE_AOLSCREENNAME:
-    bundlekey = "CertDumpNetscapeAolScreenname";
-    break;
   case SEC_OID_AVA_COUNTRY_NAME:
     bundlekey = "CertDumpAVACountry";
     break;
   case SEC_OID_AVA_COMMON_NAME:
     bundlekey = "CertDumpAVACN";
     break;
   case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
     bundlekey = "CertDumpAVAOU";
@@ -668,71 +635,16 @@ ProcessRawBytes(nsINSSComponent *nssComp
     if ((i+1)%16 == 0) {
       text.AppendLiteral(SEPARATOR);
     }
   }
   return NS_OK;
 }    
 
 static nsresult
-ProcessNSCertTypeExtensions(SECItem  *extData, 
-                            nsAString &text,
-                            nsINSSComponent *nssComponent)
-{
-  nsAutoString local;
-  SECItem decoded;
-  decoded.data = nullptr;
-  decoded.len  = 0;
-  if (SECSuccess != SEC_ASN1DecodeItem(nullptr, &decoded, 
-		SEC_ASN1_GET(SEC_BitStringTemplate), extData)) {
-    nssComponent->GetPIPNSSBundleString("CertDumpExtensionFailure", local);
-    text.Append(local.get());
-    return NS_OK;
-  }
-  unsigned char nsCertType = decoded.data[0];
-  nsMemory::Free(decoded.data);
-  if (nsCertType & NS_CERT_TYPE_SSL_CLIENT) {
-    nssComponent->GetPIPNSSBundleString("VerifySSLClient", local);
-    text.Append(local.get());
-    text.AppendLiteral(SEPARATOR);
-  }
-  if (nsCertType & NS_CERT_TYPE_SSL_SERVER) {
-    nssComponent->GetPIPNSSBundleString("VerifySSLServer", local);
-    text.Append(local.get());
-    text.AppendLiteral(SEPARATOR);
-  }
-  if (nsCertType & NS_CERT_TYPE_EMAIL) {
-    nssComponent->GetPIPNSSBundleString("CertDumpCertTypeEmail", local);
-    text.Append(local.get());
-    text.AppendLiteral(SEPARATOR);
-  }
-  if (nsCertType & NS_CERT_TYPE_OBJECT_SIGNING) {
-    nssComponent->GetPIPNSSBundleString("VerifyObjSign", local);
-    text.Append(local.get());
-    text.AppendLiteral(SEPARATOR);
-  }
-  if (nsCertType & NS_CERT_TYPE_SSL_CA) {
-    nssComponent->GetPIPNSSBundleString("VerifySSLCA", local);
-    text.Append(local.get());
-    text.AppendLiteral(SEPARATOR);
-  }
-  if (nsCertType & NS_CERT_TYPE_EMAIL_CA) {
-    nssComponent->GetPIPNSSBundleString("CertDumpEmailCA", local);
-    text.Append(local.get());
-    text.AppendLiteral(SEPARATOR);
-  }
-  if (nsCertType & NS_CERT_TYPE_OBJECT_SIGNING_CA) {
-    nssComponent->GetPIPNSSBundleString("VerifyObjSign", local);
-    text.Append(local.get());
-    text.AppendLiteral(SEPARATOR);
-  }
-  return NS_OK;
-}
-
-static nsresult
 ProcessKeyUsageExtension(SECItem *extData, nsAString &text,
                          nsINSSComponent *nssComponent)
 {
   nsAutoString local;
   SECItem decoded;
   decoded.data = nullptr;
   decoded.len  = 0;
   if (SECSuccess != SEC_ASN1DecodeItem(nullptr, &decoded, 
@@ -1605,19 +1517,16 @@ ProcessMSCAVersion(SECItem  *extData,
 static nsresult
 ProcessExtensionData(SECOidTag oidTag, SECItem *extData, 
                      nsAString &text, 
                      SECOidTag ev_oid_tag, // SEC_OID_UNKNOWN means: not EV
                      nsINSSComponent *nssComponent)
 {
   nsresult rv;
   switch (oidTag) {
-  case SEC_OID_NS_CERT_EXT_CERT_TYPE:
-    rv = ProcessNSCertTypeExtensions(extData, text, nssComponent);
-    break;
   case SEC_OID_X509_KEY_USAGE:
     rv = ProcessKeyUsageExtension(extData, text, nssComponent);
     break;
   case SEC_OID_X509_BASIC_CONSTRAINTS:
     rv = ProcessBasicConstraints(extData, text, nssComponent);
     break;
   case SEC_OID_X509_EXT_KEY_USAGE:
     rv = ProcessExtKeyUsage(extData, text, nssComponent);
@@ -1636,28 +1545,16 @@ ProcessExtensionData(SECOidTag oidTag, S
     rv = ProcessCertificatePolicies(extData, text, ev_oid_tag, nssComponent);
     break;
   case SEC_OID_X509_CRL_DIST_POINTS:
     rv = ProcessCrlDistPoints(extData, text, nssComponent);
     break;
   case SEC_OID_X509_AUTH_INFO_ACCESS:
     rv = ProcessAuthInfoAccess(extData, text, nssComponent);
     break;
-  case SEC_OID_NS_CERT_EXT_BASE_URL:
-  case SEC_OID_NS_CERT_EXT_REVOCATION_URL:
-  case SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL:
-  case SEC_OID_NS_CERT_EXT_CA_CERT_URL:
-  case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL:
-  case SEC_OID_NS_CERT_EXT_CA_POLICY_URL:
-  case SEC_OID_NS_CERT_EXT_HOMEPAGE_URL:
-  case SEC_OID_NS_CERT_EXT_COMMENT:
-  case SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME:
-  case SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL:
-    rv = ProcessIA5String(extData, text, nssComponent);
-    break;
   default:
     if (oidTag == SEC_OID(MS_CERT_EXT_CERTTYPE)) {
       rv = ProcessBMPString(extData, text, nssComponent);
       break;
     }
     if (oidTag == SEC_OID(MS_CERTSERV_CA_VERSION)) {
       rv = ProcessMSCAVersion(extData, text, nssComponent);
       break;