| author | Wes Kocher <wkocher@mozilla.com> |
| Fri, 18 Mar 2016 11:07:55 -0700 | |
| changeset 289385 | 905d35af02ec40d89e06be71faa05ac584b9ccdb |
| parent 289384 | e14e69dd0ff619f21e8b3072bafc0545fc5c77c5 |
| child 289386 | 0c6d4e1ef9cbb2c1579338c2395f1c085283adec |
| push id | 30102 |
| push user | ryanvm@gmail.com |
| push date | Sat, 19 Mar 2016 15:23:17 +0000 |
| treeherder | mozilla-central@720fb3d55e28 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| bugs | 1004149 |
| milestone | 48.0a1 |
| backs out | e14e69dd0ff619f21e8b3072bafc0545fc5c77c5 7c6888880270b6108fa51dd63d4fa058a1df5741 f164ff25450e14362813120e1c21937d2f5b1012 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/security/certverifier/NSSCertDBTrustDomain.cpp +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -544,25 +544,22 @@ NSSCertDBTrustDomain::CheckRevocation(En return rv; } SECItem ocspRequestItem = { siBuffer, ocspRequest, static_cast<unsigned int>(ocspRequestLength) }; // Owned by arena - SECItem* responseSECItem = nullptr; - Result tempRV = + const SECItem* responseSECItem = DoOCSPRequest(arena.get(), url, &ocspRequestItem, OCSPFetchingTypeToTimeoutTime(mOCSPFetching), - mOCSPGetConfig == CertVerifier::ocspGetEnabled, - responseSECItem); - MOZ_ASSERT((tempRV != Success) || responseSECItem); - if (tempRV != Success) { - rv = tempRV; + mOCSPGetConfig == CertVerifier::ocspGetEnabled); + if (!responseSECItem) { + rv = MapPRErrorCodeToResult(PR_GetError()); } else if (response.Init(responseSECItem->data, responseSECItem->len) != Success) { rv = Result::ERROR_OCSP_MALFORMED_RESPONSE; // too big } attemptedRequest = true; } else { rv = cachedResponseResult; attemptedRequest = false;
--- a/security/certverifier/OCSPRequestor.cpp +++ b/security/certverifier/OCSPRequestor.cpp @@ -65,87 +65,95 @@ AppendEscapedBase64Item(const SECItem* e // http://tools.ietf.org/html/rfc5019#section-5 base64Request.ReplaceSubstring("+", "%2B"); base64Request.ReplaceSubstring("/", "%2F"); base64Request.ReplaceSubstring("=", "%3D"); path.Append(base64Request); return NS_OK; } -Result +SECItem* DoOCSPRequest(PLArenaPool* arena, const char* url, const SECItem* encodedRequest, PRIntervalTime timeout, - bool useGET, - /*out*/ SECItem*& encodedResponse) + bool useGET) { if (!arena || !url || !encodedRequest || !encodedRequest->data) { - return Result::FATAL_ERROR_INVALID_ARGS; + PR_SetError(SEC_ERROR_INVALID_ARGS, 0); + return nullptr; } uint32_t urlLen = PL_strlen(url); if (urlLen > static_cast<uint32_t>(std::numeric_limits<int32_t>::max())) { - return Result::FATAL_ERROR_INVALID_ARGS; + PR_SetError(SEC_ERROR_INVALID_ARGS, 0); + return nullptr; } nsCOMPtr<nsIURLParser> urlParser = do_GetService(NS_STDURLPARSER_CONTRACTID); if (!urlParser) { - return Result::FATAL_ERROR_LIBRARY_FAILURE; + PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0); + return nullptr; } uint32_t schemePos; int32_t schemeLen; uint32_t authorityPos; int32_t authorityLen; uint32_t pathPos; int32_t pathLen; - nsresult nsrv = urlParser->ParseURL(url, static_cast<int32_t>(urlLen), - &schemePos, &schemeLen, - &authorityPos, &authorityLen, - &pathPos, &pathLen); - if (NS_FAILED(nsrv)) { - return Result::ERROR_CERT_BAD_ACCESS_LOCATION; + nsresult rv = urlParser->ParseURL(url, static_cast<int32_t>(urlLen), + &schemePos, &schemeLen, + &authorityPos, &authorityLen, + &pathPos, &pathLen); + if (NS_FAILED(rv)) { + PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0); + return nullptr; } if (schemeLen < 0 || authorityLen < 0) { - return Result::ERROR_CERT_BAD_ACCESS_LOCATION; + PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0); + return nullptr; } nsAutoCString scheme(url + schemePos, static_cast<nsAutoCString::size_type>(schemeLen)); if (!scheme.LowerCaseEqualsLiteral("http")) { - // We don't support HTTPS to avoid loops. See Bug 92923. - // We also in general only support HTTP. - return Result::ERROR_CERT_BAD_ACCESS_LOCATION; + // We dont support https:// to avoid loops see Bug 92923 + PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0); + return nullptr; } uint32_t hostnamePos; int32_t hostnameLen; int32_t port; - // We ignore user:password sections: if one is present, we send an OCSP - // request to the URL as normal without sending the username or password. - nsrv = urlParser->ParseAuthority(url + authorityPos, authorityLen, - nullptr, nullptr, nullptr, nullptr, - &hostnamePos, &hostnameLen, &port); - if (NS_FAILED(nsrv)) { - return Result::ERROR_CERT_BAD_ACCESS_LOCATION; + // We do not support urls with user@pass sections in the URL, + // In cas we find them we will ignore and try to connect with + rv = urlParser->ParseAuthority(url + authorityPos, authorityLen, + nullptr, nullptr, nullptr, nullptr, + &hostnamePos, &hostnameLen, &port); + if (NS_FAILED(rv)) { + PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0); + return nullptr; } if (hostnameLen < 0) { - return Result::ERROR_CERT_BAD_ACCESS_LOCATION; + PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0); + return nullptr; } if (port == -1) { port = 80; } else if (port < 0 || port > 0xffff) { - return Result::ERROR_CERT_BAD_ACCESS_LOCATION; + PR_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, 0); + return nullptr; } nsAutoCString hostname(url + authorityPos + hostnamePos, static_cast<nsACString_internal::size_type>(hostnameLen)); SEC_HTTP_SERVER_SESSION serverSessionPtr = nullptr; - Result rv = nsNSSHttpInterface::createSessionFcn( - hostname.BeginReading(), static_cast<uint16_t>(port), &serverSessionPtr); - if (rv != Success) { - return rv; + if (nsNSSHttpInterface::createSessionFcn(hostname.BeginReading(), + static_cast<uint16_t>(port), + &serverSessionPtr) != SECSuccess) { + PR_SetError(SEC_ERROR_NO_MEMORY, 0); + return nullptr; } ScopedHTTPServerSession serverSession( reinterpret_cast<nsNSSHttpServerSession*>(serverSessionPtr)); nsAutoCString path; if (pathLen > 0) { path.Assign(url + pathPos, static_cast<nsAutoCString::size_type>(pathLen)); } else { @@ -155,58 +163,64 @@ DoOCSPRequest(PLArenaPool* arena, const ("Setting up OCSP request: pre all path =%s pathlen=%d\n", path.get(), pathLen)); nsAutoCString method("POST"); if (useGET) { method.Assign("GET"); if (!StringEndsWith(path, NS_LITERAL_CSTRING("/"))) { path.Append("/"); } - nsresult nsrv = AppendEscapedBase64Item(encodedRequest, path); - if (NS_WARN_IF(NS_FAILED(nsrv))) { - return Result::FATAL_ERROR_LIBRARY_FAILURE; + nsresult rv = AppendEscapedBase64Item(encodedRequest, path); + if (NS_WARN_IF(NS_FAILED(rv))) { + return nullptr; } } SEC_HTTP_REQUEST_SESSION requestSessionPtr; - rv = nsNSSHttpInterface::createFcn(serverSession.get(), "http", path.get(), - method.get(), timeout, &requestSessionPtr); - if (rv != Success) { - return rv; + if (nsNSSHttpInterface::createFcn(serverSession.get(), "http", + path.get(), method.get(), + timeout, &requestSessionPtr) + != SECSuccess) { + PR_SetError(SEC_ERROR_NO_MEMORY, 0); + return nullptr; } ScopedHTTPRequestSession requestSession( reinterpret_cast<nsNSSHttpRequestSession*>(requestSessionPtr)); if (!useGET) { - rv = nsNSSHttpInterface::setPostDataFcn( - requestSession.get(), reinterpret_cast<char*>(encodedRequest->data), - encodedRequest->len, "application/ocsp-request"); - if (rv != Success) { - return rv; + if (nsNSSHttpInterface::setPostDataFcn(requestSession.get(), + reinterpret_cast<char*>(encodedRequest->data), encodedRequest->len, + "application/ocsp-request") != SECSuccess) { + PR_SetError(SEC_ERROR_NO_MEMORY, 0); + return nullptr; } } uint16_t httpResponseCode; const char* httpResponseData; uint32_t httpResponseDataLen = 0; // 0 means any response size is acceptable - rv = nsNSSHttpInterface::trySendAndReceiveFcn(requestSession.get(), nullptr, - &httpResponseCode, nullptr, - nullptr, &httpResponseData, - &httpResponseDataLen); - if (rv != Success) { - return rv; + if (nsNSSHttpInterface::trySendAndReceiveFcn(requestSession.get(), nullptr, + &httpResponseCode, nullptr, + nullptr, &httpResponseData, + &httpResponseDataLen) + != SECSuccess) { + PR_SetError(SEC_ERROR_OCSP_SERVER_ERROR, 0); + return nullptr; } if (httpResponseCode != 200) { - return Result::ERROR_OCSP_SERVER_ERROR; + PR_SetError(SEC_ERROR_OCSP_SERVER_ERROR, 0); + return nullptr; } - encodedResponse = SECITEM_AllocItem(arena, nullptr, httpResponseDataLen); + SECItem* encodedResponse = SECITEM_AllocItem(arena, nullptr, + httpResponseDataLen); if (!encodedResponse) { - return Result::FATAL_ERROR_NO_MEMORY; + PR_SetError(SEC_ERROR_NO_MEMORY, 0); + return nullptr; } memcpy(encodedResponse->data, httpResponseData, httpResponseDataLen); - return Success; + return encodedResponse; } } } // namespace mozilla::psm
--- a/security/certverifier/OCSPRequestor.h +++ b/security/certverifier/OCSPRequestor.h @@ -7,17 +7,16 @@ #ifndef mozilla_psm_OCSPRequestor_h #define mozilla_psm_OCSPRequestor_h #include "CertVerifier.h" #include "secmodt.h" namespace mozilla { namespace psm { -// The memory returned via |encodedResponse| is owned by the given arena. -Result DoOCSPRequest(PLArenaPool* arena, const char* url, - const SECItem* encodedRequest, PRIntervalTime timeout, - bool useGET, - /*out*/ SECItem*& encodedResponse); +// The memory returned is owned by the given arena. +SECItem* DoOCSPRequest(PLArenaPool* arena, const char* url, + const SECItem* encodedRequest, PRIntervalTime timeout, + bool useGET); } } // namespace mozilla::psm #endif // mozilla_psm_OCSPRequestor_h
--- a/security/manager/ssl/nsNSSCallbacks.cpp +++ b/security/manager/ssl/nsNSSCallbacks.cpp @@ -93,17 +93,18 @@ nsHTTPDownloadEvent::Run() nsContentUtils::GetSystemPrincipal(), nullptr, // aTriggeringPrincipal nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL, nsIContentPolicy::TYPE_OTHER, getter_AddRefs(chan)); NS_ENSURE_STATE(chan); // Security operations scheduled through normal HTTP channels are given - // high priority to accommodate real time OCSP transactions. + // high priority to accommodate real time OCSP transactions. Background CRL + // fetches happen through a different path (CRLDownloadEvent). nsCOMPtr<nsISupportsPriority> priorityChannel = do_QueryInterface(chan); if (priorityChannel) priorityChannel->AdjustPriority(nsISupportsPriority::PRIORITY_HIGHEST); chan->SetLoadFlags(nsIRequest::LOAD_ANONYMOUS | nsIChannel::LOAD_BYPASS_SERVICE_WORKER); // Create a loadgroup for this new channel. This way if the channel @@ -125,17 +126,17 @@ nsHTTPDownloadEvent::Run() rv = uploadChannel->SetUploadStream(uploadStream, mRequestSession->mPostContentType, -1); NS_ENSURE_SUCCESS(rv, rv); } // Do not use SPDY for internal security operations. It could result // in the silent upgrade to ssl, which in turn could require an SSL - // operation to fulfill something like an OCSP fetch, which is an + // operation to fufill something like a CRL fetch, which is an // endless loop. nsCOMPtr<nsIHttpChannelInternal> internalChannel = do_QueryInterface(chan); if (internalChannel) { rv = internalChannel->SetAllowSpdy(false); NS_ENSURE_SUCCESS(rv, rv); } nsCOMPtr<nsIHttpChannel> hchan = do_QueryInterface(chan); @@ -179,59 +180,52 @@ struct nsCancelHTTPDownloadEvent : nsRun NS_IMETHOD Run() { mListener->FreeLoadGroup(true); mListener = nullptr; return NS_OK; } }; -Result -nsNSSHttpServerSession::createSessionFcn(const char* host, - uint16_t portnum, - SEC_HTTP_SERVER_SESSION* pSession) +SECStatus nsNSSHttpServerSession::createSessionFcn(const char *host, + uint16_t portnum, + SEC_HTTP_SERVER_SESSION *pSession) { - if (!host || !pSession) { - return Result::FATAL_ERROR_INVALID_ARGS; - } + if (!host || !pSession) + return SECFailure; - nsNSSHttpServerSession* hss = new nsNSSHttpServerSession; - if (!hss) { - return Result::FATAL_ERROR_NO_MEMORY; - } + nsNSSHttpServerSession *hss = new nsNSSHttpServerSession; + if (!hss) + return SECFailure; hss->mHost = host; hss->mPort = portnum; *pSession = hss; - return Success; + return SECSuccess; } -Result -nsNSSHttpRequestSession::createFcn(SEC_HTTP_SERVER_SESSION session, - const char* http_protocol_variant, - const char* path_and_query_string, - const char* http_request_method, - const PRIntervalTime timeout, - SEC_HTTP_REQUEST_SESSION* pRequest) +SECStatus nsNSSHttpRequestSession::createFcn(SEC_HTTP_SERVER_SESSION session, + const char *http_protocol_variant, + const char *path_and_query_string, + const char *http_request_method, + const PRIntervalTime timeout, + SEC_HTTP_REQUEST_SESSION *pRequest) { - if (!session || !http_protocol_variant || !path_and_query_string || - !http_request_method || !pRequest) { - return Result::FATAL_ERROR_INVALID_ARGS; - } + if (!session || !http_protocol_variant || !path_and_query_string || + !http_request_method || !pRequest) + return SECFailure; nsNSSHttpServerSession* hss = static_cast<nsNSSHttpServerSession*>(session); - if (!hss) { - return Result::FATAL_ERROR_INVALID_ARGS; - } + if (!hss) + return SECFailure; - nsNSSHttpRequestSession* rs = new nsNSSHttpRequestSession; - if (!rs) { - return Result::FATAL_ERROR_NO_MEMORY; - } + nsNSSHttpRequestSession *rs = new nsNSSHttpRequestSession; + if (!rs) + return SECFailure; rs->mTimeoutInterval = timeout; // Use a maximum timeout value of 10 seconds because of bug 404059. // FIXME: Use a better approach once 406120 is ready. uint32_t maxBug404059Timeout = PR_TicksPerSecond() * 10; if (timeout > maxBug404059Timeout) { rs->mTimeoutInterval = maxBug404059Timeout; @@ -242,67 +236,84 @@ nsNSSHttpRequestSession::createFcn(SEC_H rs->mURL.Append(hss->mHost); rs->mURL.Append(':'); rs->mURL.AppendInt(hss->mPort); rs->mURL.Append(path_and_query_string); rs->mRequestMethod = http_request_method; *pRequest = (void*)rs; - return Success; + return SECSuccess; } -Result -nsNSSHttpRequestSession::setPostDataFcn(const char* http_data, - const uint32_t http_data_len, - const char* http_content_type) +SECStatus nsNSSHttpRequestSession::setPostDataFcn(const char *http_data, + const uint32_t http_data_len, + const char *http_content_type) { mHasPostData = true; mPostData.Assign(http_data, http_data_len); mPostContentType.Assign(http_content_type); - return Success; + return SECSuccess; } -Result -nsNSSHttpRequestSession::trySendAndReceiveFcn(PRPollDesc** pPollDesc, - uint16_t* http_response_code, - const char** http_response_content_type, - const char** http_response_headers, - const char** http_response_data, - uint32_t* http_response_data_len) +SECStatus nsNSSHttpRequestSession::addHeaderFcn(const char *http_header_name, + const char *http_header_value) +{ + return SECFailure; // not yet implemented + + // All http code needs to be postponed to the UI thread. + // Once this gets implemented, we need to add a string list member to + // nsNSSHttpRequestSession and queue up the headers, + // so they can be added in HandleHTTPDownloadPLEvent. + // + // The header will need to be set using + // mHttpChannel->SetRequestHeader(nsDependentCString(http_header_name), + // nsDependentCString(http_header_value), + // false))); +} + +SECStatus nsNSSHttpRequestSession::trySendAndReceiveFcn(PRPollDesc **pPollDesc, + uint16_t *http_response_code, + const char **http_response_content_type, + const char **http_response_headers, + const char **http_response_data, + uint32_t *http_response_data_len) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSHttpRequestSession::trySendAndReceiveFcn to %s\n", mURL.get())); bool onSTSThread; nsresult nrv; nsCOMPtr<nsIEventTarget> sts = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &nrv); if (NS_FAILED(nrv)) { NS_ERROR("Could not get STS service"); - return Result::FATAL_ERROR_INVALID_STATE; + PR_SetError(PR_INVALID_STATE_ERROR, 0); + return SECFailure; } nrv = sts->IsOnCurrentThread(&onSTSThread); if (NS_FAILED(nrv)) { NS_ERROR("IsOnCurrentThread failed"); - return Result::FATAL_ERROR_INVALID_STATE; + PR_SetError(PR_INVALID_STATE_ERROR, 0); + return SECFailure; } if (onSTSThread) { NS_ERROR("nsNSSHttpRequestSession::trySendAndReceiveFcn called on socket " "thread; this will not work."); - return Result::FATAL_ERROR_INVALID_STATE; + PR_SetError(PR_INVALID_STATE_ERROR, 0); + return SECFailure; } const int max_retries = 2; int retry_count = 0; bool retryable_error = false; - Result rv = Result::ERROR_UNKNOWN_ERROR; + SECStatus result_sec_status = SECFailure; do { if (retry_count > 0) { if (retryable_error) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, @@ -311,17 +322,17 @@ nsNSSHttpRequestSession::trySendAndRecei } PR_Sleep( PR_MillisecondsToInterval(300) * retry_count ); } ++retry_count; retryable_error = false; - rv = + result_sec_status = internal_send_receive_attempt(retryable_error, pPollDesc, http_response_code, http_response_content_type, http_response_headers, http_response_data, http_response_data_len); } while (retryable_error && retry_count < max_retries); if (retry_count > 1) @@ -330,17 +341,17 @@ nsNSSHttpRequestSession::trySendAndRecei MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSHttpRequestSession::trySendAndReceiveFcn - still failing, giving up...\n")); else MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("nsNSSHttpRequestSession::trySendAndReceiveFcn - success at attempt %d\n", retry_count)); } - return rv; + return result_sec_status; } void nsNSSHttpRequestSession::AddRef() { ++mRefCount; } @@ -348,17 +359,17 @@ void nsNSSHttpRequestSession::Release() { int32_t newRefCount = --mRefCount; if (!newRefCount) { delete this; } } -Result +SECStatus nsNSSHttpRequestSession::internal_send_receive_attempt(bool &retryable_error, PRPollDesc **pPollDesc, uint16_t *http_response_code, const char **http_response_content_type, const char **http_response_headers, const char **http_response_data, uint32_t *http_response_data_len) { @@ -370,39 +381,38 @@ nsNSSHttpRequestSession::internal_send_r uint32_t acceptableResultSize = 0; if (http_response_data_len) { acceptableResultSize = *http_response_data_len; *http_response_data_len = 0; } - - if (!mListener) { - return Result::FATAL_ERROR_INVALID_STATE; - } + + if (!mListener) + return SECFailure; Mutex& waitLock = mListener->mLock; CondVar& waitCondition = mListener->mCondition; volatile bool &waitFlag = mListener->mWaitFlag; waitFlag = true; RefPtr<nsHTTPDownloadEvent> event(new nsHTTPDownloadEvent); - if (!event) { - return Result::FATAL_ERROR_NO_MEMORY; - } + if (!event) + return SECFailure; event->mListener = mListener; this->AddRef(); event->mRequestSession = this; nsresult rv = NS_DispatchToMainThread(event); - if (NS_FAILED(rv)) { + if (NS_FAILED(rv)) + { event->mResponsibleForDoneSignal = false; - return Result::FATAL_ERROR_LIBRARY_FAILURE; + return SECFailure; } bool request_canceled = false; { MutexAutoLock locker(waitLock); const PRIntervalTime start_time = PR_IntervalNow(); @@ -489,67 +499,102 @@ nsNSSHttpRequestSession::internal_send_r Telemetry::CERT_VALIDATION_HTTP_REQUEST_FAILED_TIME, event->mStartTime, TimeStamp::Now()); } } else { Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 3); } - if (request_canceled) { - return Result::ERROR_OCSP_SERVER_ERROR; - } + if (request_canceled) + return SECFailure; - if (NS_FAILED(mListener->mResultCode)) { - if (mListener->mResultCode == NS_ERROR_CONNECTION_REFUSED || - mListener->mResultCode == NS_ERROR_NET_RESET) { + if (NS_FAILED(mListener->mResultCode)) + { + if (mListener->mResultCode == NS_ERROR_CONNECTION_REFUSED + || + mListener->mResultCode == NS_ERROR_NET_RESET) + { retryable_error = true; } - return Result::ERROR_OCSP_SERVER_ERROR; + return SECFailure; } if (http_response_code) *http_response_code = mListener->mHttpResponseCode; - if (mListener->mHttpRequestSucceeded && http_response_data && - http_response_data_len) { - *http_response_data_len = mListener->mResultLen; + if (mListener->mHttpRequestSucceeded && http_response_data && http_response_data_len) { + *http_response_data_len = mListener->mResultLen; + // acceptableResultSize == 0 means: any size is acceptable - if (acceptableResultSize != 0 && - acceptableResultSize < mListener->mResultLen) { - return Result::ERROR_OCSP_SERVER_ERROR; + if (acceptableResultSize != 0 + && + acceptableResultSize < mListener->mResultLen) + { + return SECFailure; } - // Return data by reference, result data will be valid until "this" gets - // destroyed. + // return data by reference, result data will be valid + // until "this" gets destroyed by NSS *http_response_data = (const char*)mListener->mResultData; } if (mListener->mHttpRequestSucceeded && http_response_content_type) { if (mListener->mHttpResponseContentType.Length()) { *http_response_content_type = mListener->mHttpResponseContentType.get(); } } - return Success; + return SECSuccess; +} + +SECStatus nsNSSHttpRequestSession::cancelFcn() +{ + // As of today, only the blocking variant of the http interface + // has been implemented. Implementing cancelFcn will be necessary + // as soon as we implement the nonblocking variant. + return SECSuccess; +} + +SECStatus nsNSSHttpRequestSession::freeFcn() +{ + Release(); + return SECSuccess; } nsNSSHttpRequestSession::nsNSSHttpRequestSession() : mRefCount(1), mHasPostData(false), mTimeoutInterval(0), mListener(new nsHTTPListener) { } nsNSSHttpRequestSession::~nsNSSHttpRequestSession() { } +SEC_HttpClientFcn nsNSSHttpInterface::sNSSInterfaceTable; + +void nsNSSHttpInterface::initTable() +{ + sNSSInterfaceTable.version = 1; + SEC_HttpClientFcnV1 &v1 = sNSSInterfaceTable.fcnTable.ftable1; + v1.createSessionFcn = createSessionFcn; + v1.keepAliveSessionFcn = keepAliveFcn; + v1.freeSessionFcn = freeSessionFcn; + v1.createFcn = createFcn; + v1.setPostDataFcn = setPostDataFcn; + v1.addHeaderFcn = addHeaderFcn; + v1.trySendAndReceiveFcn = trySendAndReceiveFcn; + v1.cancelFcn = cancelFcn; + v1.freeFcn = freeFcn; +} + nsHTTPListener::nsHTTPListener() : mResultData(nullptr), mResultLen(0), mLock("nsHTTPListener.mLock"), mCondition(mLock, "nsHTTPListener.mCondition"), mWaitFlag(true), mResponsibleForDoneSignal(false), mLoadGroup(nullptr),
--- a/security/manager/ssl/nsNSSCallbacks.h +++ b/security/manager/ssl/nsNSSCallbacks.h @@ -1,41 +1,37 @@ /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -#ifndef nsNSSCallbacks_h -#define nsNSSCallbacks_h +#ifndef _NSNSSCALLBACKS_H_ +#define _NSNSSCALLBACKS_H_ -#include "mozilla/Attributes.h" -#include "mozilla/CondVar.h" -#include "mozilla/Mutex.h" #include "nsAutoPtr.h" #include "nsCOMPtr.h" +#include "pk11func.h" +#include "nspr.h" +#include "ocspt.h" #include "nsIStreamLoader.h" -#include "nspr.h" +#include "mozilla/CondVar.h" +#include "mozilla/Mutex.h" +#include "mozilla/Attributes.h" #include "nsString.h" -#include "pk11func.h" -#include "pkix/pkixtypes.h" - -#include "ocspt.h" // Must be included after pk11func.h. class nsILoadGroup; char* PK11PasswordPrompt(PK11SlotInfo *slot, PRBool retry, void* arg); void HandshakeCallback(PRFileDesc *fd, void *client_data); SECStatus CanFalseStartCallback(PRFileDesc* fd, void* client_data, PRBool *canFalseStart); -typedef mozilla::pkix::Result Result; - class nsHTTPListener final : public nsIStreamLoaderObserver { private: // For XPCOM implementations that are not a base class for some other // class, it is good practice to make the destructor non-virtual and // private. Then the only way to delete the object is via Release. #ifdef _MSC_VER // C4265: Class has virtual members but destructor is not virtual @@ -54,135 +50,176 @@ public: nsresult mResultCode; bool mHttpRequestSucceeded; uint16_t mHttpResponseCode; nsCString mHttpResponseContentType; const uint8_t* mResultData; // allocated in loader, but owned by listener uint32_t mResultLen; - + mozilla::Mutex mLock; mozilla::CondVar mCondition; volatile bool mWaitFlag; - + bool mResponsibleForDoneSignal; void send_done_signal(); // no nsCOMPtr. When I use it, I get assertions about // loadgroup not being thread safe. // So, let's use a raw pointer and ensure we only create and destroy // it on the network thread ourselves. nsILoadGroup *mLoadGroup; PRThread *mLoadGroupOwnerThread; void FreeLoadGroup(bool aCancelLoad); }; class nsNSSHttpServerSession { public: nsCString mHost; - uint16_t mPort; + uint16_t mPort; - static Result createSessionFcn(const char* host, - uint16_t portnum, - SEC_HTTP_SERVER_SESSION* pSession); + static SECStatus createSessionFcn(const char *host, + uint16_t portnum, + SEC_HTTP_SERVER_SESSION *pSession); }; class nsNSSHttpRequestSession { protected: mozilla::ThreadSafeAutoRefCnt mRefCount; public: - static Result createFcn(SEC_HTTP_SERVER_SESSION session, - const char* httpProtocolVariant, - const char* pathAndQueryString, - const char* httpRequestMethod, - const PRIntervalTime timeout, - SEC_HTTP_REQUEST_SESSION* pRequest); + static SECStatus createFcn(SEC_HTTP_SERVER_SESSION session, + const char *http_protocol_variant, + const char *path_and_query_string, + const char *http_request_method, + const PRIntervalTime timeout, + SEC_HTTP_REQUEST_SESSION *pRequest); + + SECStatus setPostDataFcn(const char *http_data, + const uint32_t http_data_len, + const char *http_content_type); - Result setPostDataFcn(const char* httpData, - const uint32_t httpDataLen, - const char* httpContentType); + SECStatus addHeaderFcn(const char *http_header_name, + const char *http_header_value); - Result trySendAndReceiveFcn(PRPollDesc** pPollDesc, - uint16_t* httpResponseCode, - const char** httpResponseContentType, - const char** httpResponseHeaders, - const char** httpResponseData, - uint32_t* httpResponseDataLen); + SECStatus trySendAndReceiveFcn(PRPollDesc **pPollDesc, + uint16_t *http_response_code, + const char **http_response_content_type, + const char **http_response_headers, + const char **http_response_data, + uint32_t *http_response_data_len); + + SECStatus cancelFcn(); + SECStatus freeFcn(); void AddRef(); void Release(); nsCString mURL; nsCString mRequestMethod; - + bool mHasPostData; nsCString mPostData; nsCString mPostContentType; - + PRIntervalTime mTimeoutInterval; - + RefPtr<nsHTTPListener> mListener; - + protected: nsNSSHttpRequestSession(); ~nsNSSHttpRequestSession(); - Result internal_send_receive_attempt(bool& retryableError, - PRPollDesc** pPollDesc, - uint16_t* httpResponseCode, - const char** httpResponseContentType, - const char** httpResponseHeaders, - const char** httpResponseData, - uint32_t* httpResponseDataLen); + SECStatus internal_send_receive_attempt(bool &retryable_error, + PRPollDesc **pPollDesc, + uint16_t *http_response_code, + const char **http_response_content_type, + const char **http_response_headers, + const char **http_response_data, + uint32_t *http_response_data_len); }; class nsNSSHttpInterface { public: - static Result createSessionFcn(const char* host, - uint16_t portnum, - SEC_HTTP_SERVER_SESSION* pSession) + static SECStatus createSessionFcn(const char *host, + uint16_t portnum, + SEC_HTTP_SERVER_SESSION *pSession) { return nsNSSHttpServerSession::createSessionFcn(host, portnum, pSession); } - static Result createFcn(SEC_HTTP_SERVER_SESSION session, - const char* httpProtocolVariant, - const char* pathAndQueryString, - const char* httpRequestMethod, - const PRIntervalTime timeout, - SEC_HTTP_REQUEST_SESSION* pRequest) + static SECStatus keepAliveFcn(SEC_HTTP_SERVER_SESSION session, + PRPollDesc **pPollDesc) { - return nsNSSHttpRequestSession::createFcn(session, httpProtocolVariant, - pathAndQueryString, - httpRequestMethod, timeout, - pRequest); + // Not yet implemented, however, Necko does transparent keep-alive + // anyway, when enabled in Necko's prefs. + return SECSuccess; + } + + static SECStatus freeSessionFcn(SEC_HTTP_SERVER_SESSION session) + { + delete static_cast<nsNSSHttpServerSession*>(session); + return SECSuccess; } - static Result setPostDataFcn(SEC_HTTP_REQUEST_SESSION request, - const char* httpData, - const uint32_t httpDataLen, - const char* httpContentType) + static SECStatus createFcn(SEC_HTTP_SERVER_SESSION session, + const char *http_protocol_variant, + const char *path_and_query_string, + const char *http_request_method, + const PRIntervalTime timeout, + SEC_HTTP_REQUEST_SESSION *pRequest) + { + return nsNSSHttpRequestSession::createFcn(session, http_protocol_variant, + path_and_query_string, http_request_method, + timeout, pRequest); + } + + static SECStatus setPostDataFcn(SEC_HTTP_REQUEST_SESSION request, + const char *http_data, + const uint32_t http_data_len, + const char *http_content_type) { return static_cast<nsNSSHttpRequestSession*>(request) - ->setPostDataFcn(httpData, httpDataLen, httpContentType); + ->setPostDataFcn(http_data, http_data_len, http_content_type); + } + + static SECStatus addHeaderFcn(SEC_HTTP_REQUEST_SESSION request, + const char *http_header_name, + const char *http_header_value) + { + return static_cast<nsNSSHttpRequestSession*>(request) + ->addHeaderFcn(http_header_name, http_header_value); } - static Result trySendAndReceiveFcn(SEC_HTTP_REQUEST_SESSION request, - PRPollDesc** pPollDesc, - uint16_t* httpResponseCode, - const char** httpResponseContentType, - const char** httpResponseHeaders, - const char** httpResponseData, - uint32_t* httpResponseDataLen) + static SECStatus trySendAndReceiveFcn(SEC_HTTP_REQUEST_SESSION request, + PRPollDesc **pPollDesc, + uint16_t *http_response_code, + const char **http_response_content_type, + const char **http_response_headers, + const char **http_response_data, + uint32_t *http_response_data_len) { return static_cast<nsNSSHttpRequestSession*>(request) - ->trySendAndReceiveFcn(pPollDesc, httpResponseCode, - httpResponseContentType, httpResponseHeaders, - httpResponseData, httpResponseDataLen); + ->trySendAndReceiveFcn(pPollDesc, http_response_code, http_response_content_type, + http_response_headers, http_response_data, http_response_data_len); + } + + static SECStatus cancelFcn(SEC_HTTP_REQUEST_SESSION request) + { + return static_cast<nsNSSHttpRequestSession*>(request) + ->cancelFcn(); } + + static SECStatus freeFcn(SEC_HTTP_REQUEST_SESSION request) + { + return static_cast<nsNSSHttpRequestSession*>(request) + ->freeFcn(); + } + + static void initTable(); + static SEC_HttpClientFcn sNSSInterfaceTable; }; -#endif // nsNSSCallbacks_h +#endif // _NSNSSCALLBACKS_H_
--- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -1098,16 +1098,18 @@ nsNSSComponent::InitializeNSS() nsCOMPtr<nsICertBlocklist> certList = do_GetService(NS_CERTBLOCKLIST_CONTRACTID); if (!certList) { return NS_ERROR_FAILURE; } // dynamic options from prefs setValidationOptions(true, lock); + mHttpForNSS.initTable(); + #ifndef MOZ_NO_SMART_CARDS LaunchSmartCardThreads(); #endif mozilla::pkix::RegisterErrorTable(); // Initialize the site security service nsCOMPtr<nsISiteSecurityService> sssService =
--- a/security/manager/ssl/tests/unit/test_ocsp_url.js +++ b/security/manager/ssl/tests/unit/test_ocsp_url.js @@ -36,41 +36,30 @@ function run_test() { // Enabled so that we can force ocsp failure responses. Services.prefs.setBoolPref("security.OCSP.require", true); Services.prefs.setCharPref("network.dns.localDomains", "www.example.com"); Services.prefs.setIntPref("security.OCSP.enabled", 1); - // Note: We don't test the case of a well-formed HTTP URL with an empty port - // because the OCSP code would then send a request to port 80, which we - // can't use in tests. - add_test(function() { clearOCSPCache(); let ocspResponder = failingOCSPResponder(); check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); ocspResponder.stop(run_next_test); }); add_test(function() { clearOCSPCache(); let ocspResponder = failingOCSPResponder(); check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); ocspResponder.stop(run_next_test); }); - add_test(() => { - clearOCSPCache(); - let ocspResponder = failingOCSPResponder(); - check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); - ocspResponder.stop(run_next_test); - }); - add_test(function() { clearOCSPCache(); let ocspResponder = failingOCSPResponder(); check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); ocspResponder.stop(run_next_test); }); add_test(function() { @@ -118,20 +107,10 @@ function run_test() { add_test(function() { clearOCSPCache(); let ocspResponder = failingOCSPResponder(); check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); ocspResponder.stop(run_next_test); }); - // Note: We currently don't have anything that ensures user:pass sections - // weren't sent. The following test simply checks that such sections - // don't cause failures. - add_test(() => { - clearOCSPCache(); - let ocspResponder = start_ocsp_responder(["user-pass"], [""]); - check_cert_err("user-pass", PRErrorCodeSuccess); - ocspResponder.stop(run_next_test); - }); - run_next_test(); }
--- a/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem +++ b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC4jCCAcygAwIBAgIUCUgBNVFlUc2p60KMe3dO6FhMipkwCwYJKoZIhvcNAQEL +MIIC4TCCAcugAwIBAgIUSVV8GuYeHmRKCpxw+z10gaAfdogwCwYJKoZIhvcNAQEL MA4xDDAKBgNVBAMMA2ludDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0MDAw MDAwWjAVMRMwEQYDVQQDDApiYWQtc2NoZW1lMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo 4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/ -Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozEwLzAtBggrBgEFBQcB -AQQhMB8wHQYIKwYBBQUHMAGGES93d3cuZXhhbXBsZS5jb20vMAsGCSqGSIb3DQEB -CwOCAQEAieSkH2D4uXmxuA+Mxs1Pt7GkcWSzzsyx7mohi7B/VPFeo8O+xseELYiZ -dVMg4sUls18B1hBQmv1LmcCJDeLUMhlFSKzg8+YMbeVtmB+SeKrBDY/jihVFxe7R -JzRZmnxIv0fo8IEI5yiLl/k/rLsJxhqQ3xjhVWVFkq6I+7dP6pmyAuW4Gb98Kil+ -7WjiLTxcQH9beepODFGemjJYhId5TjjH9PWgAK79BXbRvOise54pP5mS6gOG6Pmk -KAI0c59vta09h8wBXsfDh3dYEPB15m9JAlsfHEc3BbAD9G9d1lRq3m3sBy7MQ6Sl -tnXePhkS4Zs2u7iGvma6sR267hYQQw== +Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozAwLjAsBggrBgEFBQcB +AQQgMB4wHAYIKwYBBQUHMAGGEC93d3cuZXhhbXBsZS5jb20wCwYJKoZIhvcNAQEL +A4IBAQCLMA8cA3de38Jrr3CeIeugTXhWp7iixVDjeskpXhcWBAB6r4saVgodouDd +rGDd93XqsZ/91iInL5nS4+HrNgpa40SZ9u3nXZj1ji7bhnXGuKIkioeqVC85wZsZ +k0MfNn26t/9GbgKi0EhlBYfLLh7n74Ipf2jW0rNWWX74JSB4vfIILlngHt/7/XLW +HAKZriC+lTWk/Hg4sxd0hzR7YXS1BWf2XWQh8jZcUA826gFWvxOWoPw/fL37MzAJ +JzAnanJ21+1BrFjUd/X3gyTaCrTtv6FFBExxaKCONGZ+fsQVz474RsOYQTkiWk4E +6gHtp2Ms+ZQq8s4LpXHQLVdv5wtP -----END CERTIFICATE----- \ No newline at end of file
--- a/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec +++ b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec @@ -1,3 +1,3 @@ issuer:int subject:bad-scheme -extension:authorityInformationAccess:/www.example.com/ +extension:authorityInformationAccess:/www.example.com
new file mode 100644 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/empty-port.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6TCCAdOgAwIBAgIUa9Unq2D6UuzOdGrYZUJK1Cu/tAEwCwYJKoZIhvcNAQEL +MA4xDDAKBgNVBAMMA2ludDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0MDAw +MDAwWjAVMRMwEQYDVQQDDAplbXB0eS1wb3J0MIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo +4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD +SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX +kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx +owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/ +Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozgwNjA0BggrBgEFBQcB +AQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly93d3cuZXhhbXBsZS5jb206LzALBgkq +hkiG9w0BAQsDggEBACT8keBaJ83r+547Vnhz0Oeb7S5vUFgGD1ppqdRY61HGuH03 +NUeR6x185lFdgJgRj1fS420X3FML51UuldvrnKvBTqJGpVgAIfOKFDTe6myENDr5 +oXYArBR9vMsbafZFRZjskiqokjUmjp0wad6SFhGm+I9YoYI/iGF6zCg24mOmxpWg +EHwoBQ3tF/o3X0oVQx6EAA2YvMdIffu+X++PWVV00GTIi5o2ihilq0ZQAFcsc3ua +VDln/jmCl1KLS9Og4SCMnHIQDANJmBCB2vLBH9ZJDXK8GgqPwjd97LQiYLFApXyu +BJn9Y2XHuJXr00/4sSnmmyPEyNYiVN54oBnAfYI= +-----END CERTIFICATE----- \ No newline at end of file
new file mode 100644 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/empty-port.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:empty-port +extension:authorityInformationAccess:http://www.example.com:/
--- a/security/manager/ssl/tests/unit/test_ocsp_url/moz.build +++ b/security/manager/ssl/tests/unit/test_ocsp_url/moz.build @@ -3,28 +3,28 @@ # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. # Temporarily disabled. See bug 1256495. #test_certificates = ( # 'bad-scheme.pem', # 'ca.pem', +# 'empty-port.pem', # 'empty-scheme-url.pem', # 'ftp-url.pem', # 'hTTp-url.pem', # 'https-url.pem', # 'int.pem', # 'negative-port.pem', # 'no-host-url.pem', # 'no-path-url.pem', # 'no-scheme-host-port.pem', # 'no-scheme-url.pem', # 'unknown-scheme.pem', -# 'user-pass.pem', #) # #for test_certificate in test_certificates: # GeneratedTestCertificate(test_certificate) # #test_keys = ( # 'int.key', #)
--- a/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem +++ b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC7jCCAdigAwIBAgIUaRXYhHMxVLXv0jEa7DzCo4XP3kEwCwYJKoZIhvcNAQEL +MIIC7TCCAdegAwIBAgIUKxb1IEwl2xxr9eYRaSRuSOPVR80wCwYJKoZIhvcNAQEL MA4xDDAKBgNVBAMMA2ludDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0MDAw MDAwWjAYMRYwFAYDVQQDDA1uZWdhdGl2ZS1wb3J0MIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk -BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozowODA2BggrBgEF -BQcBAQQqMCgwJgYIKwYBBQUHMAGGGmh0dHA6Ly93d3cuZXhhbXBsZS5jb206LTEv -MAsGCSqGSIb3DQEBCwOCAQEASHTpE/+ZfMfU7A9B+PidfrUaHb1wIb1d56nLzZbw -ZkaCWtos3W/foUS6fqh9N6IB/HnfrH5IYDKemYHX3bdVAKXEvdMIGFWbYq8DCh8G -L6KmHMX96GRHUt6APgj5HnKDGK/gTPCgL7S60Udgt802FCHoprFEOrDP4l3KNOA6 -RkLJVqyTenMr8CNAw6TKOV4mezm1FRRybqSlQesCy6UDQCTyTnp+36tzMS6/znGz -Eg049InNUTKTKV53BJiad14SAG0xcYSDBJ3JOCGprdMSyXViyEgEKY4yXXOEX7T+ -Dx92b/Y6wxgZmrE5vUOxotSwoZl1HvegwtM+yv3oJlPghQ== +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozkwNzA1BggrBgEF +BQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly93d3cuZXhhbXBsZS5jb206LTEw +CwYJKoZIhvcNAQELA4IBAQAw5TQzcQUOXkt6B7sPtCEbSZhYPTXT7S+tDmCOUbuu +59pDHrqcicN6GHs2yjA0VQSppdHM4vJPBv73n3i/v0DtJeDAU0vDKXhL3XYoaiFc +neLFP+igJVKVq+1YGFm6IJzQmAnWO3WaoVRal3i2Fsy9yzD9JfFPozhIDQSnQgOo +jxB5zXAWfPCC6vZs6D2+ERDuGQ8U23iLGt93QRjA/1+jyEX+wVweHhQA0+ThEnQG +P3dvmpxGJmEaN3VwQJJLX/Aa+HP8yIDgPfLWDlVD1GMIN+OzA/34uKUQCanBeKkk +P+NSbiJAGbqck2GkhB1dJvAN4Rocxd1Zz2HwZOQqNEKw -----END CERTIFICATE----- \ No newline at end of file
--- a/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec +++ b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec @@ -1,3 +1,3 @@ issuer:int subject:negative-port -extension:authorityInformationAccess:http://www.example.com:-1/ +extension:authorityInformationAccess:http://www.example.com:-1
--- a/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem +++ b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC6zCCAdWgAwIBAgIUI5Tv1e1YLCHEMZT5XJ1qU6KnNgAwCwYJKoZIhvcNAQEL +MIIC7jCCAdigAwIBAgIUc3XxC3XHk7zit5PqvQJY/KINaQowCwYJKoZIhvcNAQEL MA4xDDAKBgNVBAMMA2ludDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0MDAw -MDAwWjAZMRcwFQYDVQQDDA51bmtub3duLXNjaGVtZTCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7 -wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp -k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh -eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW -EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc -JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaM2MDQwMgYIKwYB -BQUHAQEEJjAkMCIGCCsGAQUFBzABhhZ0dHA6Ly93d3cuZXhhbXBsZS5jb20vMAsG -CSqGSIb3DQEBCwOCAQEAtcV1bIruR8rwWC+rA+336IIjHD7za6wzDVJzUMnrfZ7u -7e1amMhToNnFHulMKjpVRQaKoYIdtnd32cvvTebwKsIe3fnCcT9JA4w5Lf3T62YF -bPzeoDO+602npGl9br7OmImNqhOLXVO/ISahmfLIyW9kiPrDx/L0jdyulamLCzAh -jsLfawEZdN9n9gWUwVQglboS/SmmNHNhfvutBv9ZnFT/zvrVoV8aBKjkXQOL0G2g -sToq4N+L2O2ow4MTdp0OM7RufMgdJyfBqFHC4/07/xednWUhQ+MeG4gRIidx9lR/ -x/fYCLkAZ/NDyt3Md8lLAPimBkOFt5ce+VGFriZSCw== +MDAwWjAdMRswGQYDVQQDDBJ1bmtub3duLXNjaGVtZS11cmwwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo +V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p +0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk +fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh +W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI +TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjNTAzMDEG +CCsGAQUFBwEBBCUwIzAhBggrBgEFBQcwAYYVdHRwOi8vd3d3LmV4YW1wbGUuY29t +MAsGCSqGSIb3DQEBCwOCAQEAbWjhsr44kEsgozAd7LKUBy1UfiLcuLRK1//mkONB +Gu9YoOy+/Gh60/fqKUlhEu/xAMqHdJ+LoM5mQvFXIvrNNWjE1TRuew5j0LACSboX +UxDacgbvYckU/wJRTHURimGSU6FHHnIczm/4AzlfRF+RWZL2kmOC5mn7f7aRC/RP +TG1JZqDRt5/7iFOnuRsuR8V5f7vd8d3F29fmnhvZpjvMnoJqqs+rJQCbn/M9bEdM +kRcWrD4X3fEksEFAFcTs6kiLsxJ/UuSAlSXtzYqXqWOgr22LMtqBaOAM1TMwEaba +NjyoWmLVK2i9vTSdRlIfV1PSpiVGNfZL29XO5lR0oR2HMw== -----END CERTIFICATE----- \ No newline at end of file
--- a/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec +++ b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec @@ -1,3 +1,3 @@ issuer:int -subject:unknown-scheme -extension:authorityInformationAccess:ttp://www.example.com/ +subject:unknown-scheme-url +extension:authorityInformationAccess:ttp://www.example.com
deleted file mode 100644 --- a/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC9jCCAeCgAwIBAgIUZwBIuhJsl6TtcbJBQ2j36UO5R+wwCwYJKoZIhvcNAQEL -MA4xDDAKBgNVBAMMA2ludDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0MDAw -MDAwWjAUMRIwEAYDVQQDDAl1c2VyLXBhc3MwggEiMA0GCSqGSIb3DQEBAQUAA4IB -DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg -2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ -5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ -PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj -DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W -iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjRjBEMEIGCCsGAQUFBwEB -BDYwNDAyBggrBgEFBQcwAYYmaHR0cDovL3VzZXI6cGFzc0B3d3cuZXhhbXBsZS5j -b206ODg4OC8wCwYJKoZIhvcNAQELA4IBAQBVI4PnVdDg/lT6bZ/4COoPBbu9Ql0Q -sGVhl/A1zH8xYx8OII0aI7U2OpXC1GNnESyt1nvsfEtnR6ETgGlaRdI8hXpOz0dI -VXh1PZEv9ESdl4FWmqGFM26eOqSS1r6aU2oBfTSzO6Ki4cduSfmiBuCCFzGtuMdG -pu+PWP7ffzgU9lteYvf+uXcD8u/Kz0WOtKwB4nuVWy0PcKlX8z/SizcoaCdG3v7+ -6j9GsLbD8G0mIZVM2Jyrv6M5+RSelp957gPXu3BoYG8QW5I9zSMfQg0w/Y81IR+5 -cXuQ0TBTvHx2QjkOHH4Iy8cIXKxCdiYyVUvlYS5UjTaaZLpcjmA5/Pl1 ------END CERTIFICATE----- \ No newline at end of file