bug 860076 - remove SkipOcsp/SkipOcspOff r=briansmith
authorDavid Keeler <dkeeler@mozilla.com>
Tue, 04 Feb 2014 16:13:47 -0800
changeset 167080 23c20767b49901066c0d1fc51211a225f9d62c11
parent 167079 adc96670dbb8728b215e70ace5ee4d524ad4b052
child 167081 bbc51e586d3f538449f737679873595ee520bf1e
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
reviewersbriansmith
bugs860076
milestone30.0a1
bug 860076 - remove SkipOcsp/SkipOcspOff r=briansmith
security/manager/ssl/src/nsNSSComponent.cpp
security/manager/ssl/src/nsNSSComponent.h
security/manager/ssl/src/nsUsageArrayHelper.cpp
security/manager/ssl/tests/mochitest/browser/browser.ini
security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -1020,42 +1020,16 @@ nsNSSComponent::setEnabledTLSVersions()
           != SECSuccess) {
       return NS_ERROR_UNEXPECTED;
     }
   }
 
   return NS_OK;
 }
 
-NS_IMETHODIMP
-nsNSSComponent::SkipOcsp()
-{
-  nsNSSShutDownPreventionLock locker;
-  CERTCertDBHandle* certdb = CERT_GetDefaultCertDB();
-
-  SECStatus rv = CERT_DisableOCSPChecking(certdb);
-  return (rv == SECSuccess) ? NS_OK : NS_ERROR_FAILURE;
-}
-
-NS_IMETHODIMP
-nsNSSComponent::SkipOcspOff()
-{
-  MutexAutoLock lock(mutex);
-  MOZ_ASSERT(NS_IsMainThread());
-  MOZ_ASSERT(mNSSInitialized);
-  NS_ENSURE_TRUE(mNSSInitialized, NS_ERROR_NOT_INITIALIZED);
-
-  CertVerifier::ocsp_download_config odc; // ignored
-  CertVerifier::ocsp_strict_config osc; // ignored
-  CertVerifier::ocsp_get_config ogc; // ignored
-  SetClassicOCSPBehaviorFromPrefs(&odc, &osc, &ogc, lock);
-
-  return NS_OK;
-}
-
 static nsresult
 GetNSSProfilePath(nsAutoCString& aProfilePath)
 {
   aProfilePath.Truncate();
   const char* dbDirOverride = getenv("MOZPSM_NSSDBDIR_OVERRIDE");
   if (dbDirOverride && strlen(dbDirOverride) > 0) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
            ("Using specified MOZPSM_NSSDBDIR_OVERRIDE as NSS DB dir: %s\n",
--- a/security/manager/ssl/src/nsNSSComponent.h
+++ b/security/manager/ssl/src/nsNSSComponent.h
@@ -34,27 +34,27 @@ namespace mozilla { namespace psm {
 MOZ_WARN_UNUSED_RESULT
   ::mozilla::TemporaryRef<mozilla::psm::SharedCertVerifier>
   GetDefaultCertVerifier();
 
 } } // namespace mozilla::psm
 
 
 #define NS_NSSCOMPONENT_CID \
-{0xa277189c, 0x1dd1, 0x11b2, {0xa8, 0xc9, 0xe4, 0xe8, 0xbf, 0xb1, 0x33, 0x8e}}
+{0x4cb64dfd, 0xca98, 0x4e24, {0xbe, 0xfd, 0x0d, 0x92, 0x85, 0xa3, 0x3b, 0xcb}}
 
 #define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1"
 
 //Define an interface that we can use to look up from the
 //callbacks passed to NSS.
 
-#define NS_INSSCOMPONENT_IID_STR "6ffbb526-205b-49c5-ae3f-5959c084075e"
+#define NS_INSSCOMPONENT_IID_STR "538c5093-7cfe-4f13-bc8e-e767766a2d4d"
 #define NS_INSSCOMPONENT_IID \
-  { 0x6ffbb526, 0x205b, 0x49c5, \
-    { 0xae, 0x3f, 0x59, 0x59, 0xc0, 0x84, 0x7, 0x5e } }
+  { 0x538c5093, 0x7cfe, 0x4f13, \
+    { 0xbc, 0x8e, 0xe7, 0x67, 0x76, 0x6a, 0x2d, 0x4d } }
 
 enum EnsureNSSOperator
 {
   nssLoadingComponent = 0,
   nssInitSucceeded = 1,
   nssInitFailed = 2,
   nssShutdown = 3,
   nssEnsure = 100,
@@ -80,24 +80,16 @@ class NS_NO_VTABLE nsINSSComponent : pub
 
   NS_IMETHOD GetNSSBundleString(const char* name,
                                 nsAString& outString) = 0;
   NS_IMETHOD NSSBundleFormatStringFromName(const char* name,
                                            const char16_t** params,
                                            uint32_t numParams,
                                            nsAString& outString) = 0;
 
-  // This method will just disable OCSP in NSS, it will not
-  // alter the respective pref values.
-  NS_IMETHOD SkipOcsp() = 0;
-
-  // This method will set the OCSP value according to the
-  // values in the preferences.
-  NS_IMETHOD SkipOcspOff() = 0;
-
   NS_IMETHOD LogoutAuthenticatedPK11() = 0;
 
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
   NS_IMETHOD LaunchSmartCardThread(SECMODModule* module) = 0;
 
   NS_IMETHOD ShutdownSmartCardThread(SECMODModule* module) = 0;
 
   NS_IMETHOD PostEvent(const nsAString& eventType,
@@ -150,18 +142,16 @@ public:
                                            const char16_t** params,
                                            uint32_t numParams,
                                            nsAString& outString);
   NS_IMETHOD GetNSSBundleString(const char* name, nsAString& outString);
   NS_IMETHOD NSSBundleFormatStringFromName(const char* name,
                                            const char16_t** params,
                                            uint32_t numParams,
                                            nsAString& outString);
-  NS_IMETHOD SkipOcsp();
-  NS_IMETHOD SkipOcspOff();
   NS_IMETHOD LogoutAuthenticatedPK11();
 
 #ifndef MOZ_DISABLE_CRYPTOLEGACY
   NS_IMETHOD LaunchSmartCardThread(SECMODModule* module);
   NS_IMETHOD ShutdownSmartCardThread(SECMODModule* module);
   NS_IMETHOD PostEvent(const nsAString& eventType, const nsAString& token);
   NS_IMETHOD DispatchEvent(const nsAString& eventType, const nsAString& token);
   void LaunchSmartCardThreads();
--- a/security/manager/ssl/src/nsUsageArrayHelper.cpp
+++ b/security/manager/ssl/src/nsUsageArrayHelper.cpp
@@ -197,30 +197,16 @@ nsUsageArrayHelper::GetUsagesArray(const
   NS_ENSURE_TRUE(nssComponent, NS_ERROR_NOT_AVAILABLE);
 
   if (outArraySize < max_returned_out_array_size)
     return NS_ERROR_FAILURE;
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
 
-  // Bug 860076, this disabling ocsp for all NSS is incorrect.
-  const bool localOSCPDisable
-    = certVerifier->mImplementation == CertVerifier::classic;
-  if (localOSCPDisable) {
-    nsresult rv;
-    nssComponent = do_GetService(kNSSComponentCID, &rv);
-    if (NS_FAILED(rv))
-      return rv;
-    
-    if (nssComponent) {
-      nssComponent->SkipOcsp();
-    }
-  }
-
   uint32_t &count = *_count;
   count = 0;
 
   PRTime now = PR_Now();
   CertVerifier::Flags flags = localOnly ? CertVerifier::FLAG_LOCAL_ONLY : 0;
 
   // The following list of checks must be < max_returned_out_array_size
 
@@ -250,21 +236,16 @@ nsUsageArrayHelper::GetUsagesArray(const
 #endif
   result = check(result, suffix, certVerifier,
                  certificateUsageStatusResponder, now, flags, count, outUsages);
 #if 0
   result = check(result, suffix, certVerifier,
                  certificateUsageAnyCA, now, flags, count, outUsages);
 #endif
 
-  // Bug 860076, this disabling ocsp for all NSS is incorrect
-  if (localOSCPDisable) {
-     nssComponent->SkipOcspOff();
-  }
-
   if (isFatalError(result) || count == 0) {
     MOZ_ASSERT(result != nsIX509Cert::VERIFIED_OK);
 
     // Clear the output usage strings in the case where we encountered a fatal
     // error after we already successfully validated the cert for some usages.
     for (uint32_t i = 0; i < count; ++i) {
       delete outUsages[i];
       outUsages[i] = nullptr;
--- a/security/manager/ssl/tests/mochitest/browser/browser.ini
+++ b/security/manager/ssl/tests/mochitest/browser/browser.ini
@@ -1,5 +1,6 @@
 [DEFAULT]
 support-files = head.js
 
 [browser_bug627234_perwindowpb.js]
 [browser_certificateManagerLeak.js]
+[browser_certViewer.js]
copy from security/manager/ssl/tests/mochitest/browser/browser_certificateManagerLeak.js
copy to security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
--- a/security/manager/ssl/tests/mochitest/browser/browser_certificateManagerLeak.js
+++ b/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
@@ -11,16 +11,30 @@ function onLoad() {
 }
 
 function onUnload() {
   gBugWindow.removeEventListener("unload", onUnload);
   window.focus();
   finish();
 }
 
-// This test opens and then closes the certificate manager to test that it
-// does not leak. The test harness keeps track of and reports leaks, so
-// there are no actual checks here.
+// This test opens and then closes the certificate viewer to test that it
+// does not cause assertion failures.
 function test() {
   waitForExplicitFinish();
-  gBugWindow = window.openDialog("chrome://pippki/content/certManager.xul");
+  let certCache = Cc["@mozilla.org/security/nsscertcache;1"]
+                    .getService(Ci.nsINSSCertCache);
+  certCache.cacheAllCerts();
+  let certList = certCache.getX509CachedCerts();
+  let enumerator = certList.getEnumerator();
+  ok(enumerator.hasMoreElements(), "we have at least one certificate");
+  let cert = enumerator.getNext().QueryInterface(Ci.nsIX509Cert);
+  ok(cert, "found a certificate to look at");
+  info("looking at certificate with nickname " + cert.nickname);
+  let arg = {
+    QueryInterface: function() this,
+    getISupportAtIndex: function() this.cert,
+    cert: cert
+  };
+  gBugWindow = window.openDialog("chrome://pippki/content/certViewer.xul",
+                                 "", "", arg);
   gBugWindow.addEventListener("load", onLoad);
 }
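Review bot: In `test()`, `enumerator.getNext()` is called even when the preceding `ok(enumerator.hasMoreElements(), ...)` has already failed, so an empty certificate cache would presumably surface as an uncaught exception rather than a readable test failure. An early exit right after the `ok`, such as `if (!enumerator.hasMoreElements()) { finish(); return; }`, would keep that case clean. The certificate shown is whichever one the cache lists first, so the verification path exercised in the viewer can differ between profiles or runs; the `info()` line records the nickname, but picking a known certificate would make the check repeatable. The header comment does not say which assertions it guards against, and something like `// Regression test for bug 860076: opening the certificate viewer must not trip assertions during usage verification.` would tie it to this change.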