Bug 853776, Part 1: Back out cset 6a0ed6484811 on Aurora because it uses an NSS feature that did not make the NSS release, r=honzab, a=bbajaj
authorBrian Smith <bsmith@mozilla.com>
Sun, 31 Mar 2013 11:53:37 -0700
changeset 133319 52a2c598a879ee07d9ad5dd60c5caa935e7a1d12
parent 133318 431e6881926bbfe74c85c15dd179cdd14b5db4f4
child 133320 23ea2714ce30760a5a821937c7c15c1e1df22594
push id3601
push userbsmith@mozilla.com
push dateMon, 08 Apr 2013 23:46:45 +0000
reviewershonzab, bbajaj
bugs853776
milestone22.0a2
Bug 853776, Part 1: Back out cset 6a0ed6484811 on Aurora because it uses an NSS feature that did not make the NSS release, r=honzab, a=bbajaj
b2g/confvars.sh
configure.in
security/build/Makefile.in
security/build/b2g-app-root-cert.der
security/build/b2g-certdata.mk
security/build/b2g-certdata.txt
security/manager/ssl/tests/unit/test_signed_apps-marketplace.js
security/manager/ssl/tests/unit/test_signed_apps/privileged-app-test-1.0.zip
security/manager/ssl/tests/unit/xpcshell.ini
--- a/b2g/confvars.sh
+++ b/b2g/confvars.sh
@@ -44,15 +44,14 @@ fi
 MOZ_MEDIA_NAVIGATOR=1
 
 MOZ_APP_ID={3c2e2abc-06d4-11e1-ac3b-374f68613e61}
 MOZ_EXTENSION_MANAGER=1
 
 MOZ_SYS_MSG=1
 MOZ_TIME_MANAGER=1
 
-MOZ_B2G_CERTDATA=1
 MOZ_PAY=1
 MOZ_TOOLKIT_SEARCH=
 MOZ_PLACES=
 MOZ_B2G=1
 MOZ_FOLD_LIBS=1
 MOZ_WBMP=1
--- a/configure.in
+++ b/configure.in
@@ -7689,25 +7689,16 @@ MOZ_ARG_ENABLE_BOOL(b2g-camera,
     MOZ_B2G_CAMERA=1,
     MOZ_B2G_CAMERA= )
 if test -n "$MOZ_B2G_CAMERA"; then
    AC_DEFINE(MOZ_B2G_CAMERA)
 fi
 AC_SUBST(MOZ_B2G_CAMERA)
 
 dnl ========================================================
-dnl = Enable Support B2G-specific changes to the NSS
-dnl = certificate trust database.
-dnl ========================================================
-if test -n "$MOZ_B2G_CERTDATA"; then
-    AC_DEFINE(MOZ_B2G_CERTDATA)
-fi
-AC_SUBST(MOZ_B2G_CERTDATA)
-
-dnl ========================================================
 dnl = Enable Support for Payment API
 dnl ========================================================
 if test -n "$MOZ_PAY"; then
     AC_DEFINE(MOZ_PAY)
 fi
 AC_SUBST(MOZ_PAY)
 
 dnl ========================================================
--- a/security/build/Makefile.in
+++ b/security/build/Makefile.in
@@ -267,20 +267,16 @@ DEFAULT_GMAKE_FLAGS += MODULE_INCLUDES='
 
 # Work around NSS's MAKE_OBJDIR being racy. See bug #836220
 DEFAULT_GMAKE_FLAGS += MAKE_OBJDIR='$$(INSTALL) -D $$(OBJDIR)'
 
 # Work around NSS adding IMPORT_LIBRARY to TARGETS with no rule for
 # it, creating race conditions. See bug #836220
 DEFAULT_GMAKE_FLAGS += TARGETS='$$(LIBRARY) $$(SHARED_LIBRARY) $$(PROGRAM)'
 
-ifdef MOZ_B2G_CERTDATA
-include $(srcdir)/b2g-certdata.mk
-endif
-
 ifdef MOZ_NSS_PATCH
 # If we're applying a patch, we'll copy the NSS source to the objdir
 # and build it from there.
 NSS_SRCDIR = $(CURDIR)/nss
 
 # This will copy and patch the NSS source for every build.
 # Since we "cp -p", it won't force rebuilds for most files, just
 # for patched files, but that's easier than trying to track
deleted file mode 100644
index 85c2fed92a963b2ff51ee92165d6ed59fa70aeff..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
deleted file mode 100644
--- a/security/build/b2g-certdata.mk
+++ /dev/null
@@ -1,35 +0,0 @@
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# On B2G, we need to remove the trust bits for code signing from all the
-# built-in CAs, because we are redefining the code signing bit to mean
-# "is trusted to issue certs that are trusted for signing apps," which none
-# of the normal built-in CAs are. This is a temporary hack until we can use
-# libpkix to verify the certificates. (libpkix gives the flexibility we need
-# to verify certificates using different sets of trust anchors per validation.)
-#
-# Whenever we change the B2G app signing trust anchor, we need to manually
-# update certdata-b2g.txt. To do so:
-#
-# 1. replace ./b2g-app-root-cert.der with the new DER-encoded root cert
-#
-# 2. In this directory run:
-#
-#     PATH=$NSS/bin:$NSS/lib addbuiltin -n "b2g-app-root-cert" -t ",,Cu" \
-#       < b2g-app-root-cert.der > b2g-certdata.txt
-#
-# Then, commit the changes. We don't do this step as part of the build because
-# we do not build addbuiltin as part of a Gecko build.
-
-# Distrust all existing builtin CAs for code-signing
-hacked-certdata.txt : $(srcdir)/../nss/lib/ckfw/builtins/certdata.txt
-	sed -e "s/^CKA_TRUST_CODE_SIGNING.*CKT_NSS_TRUSTED_DELEGATOR.*/CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST/" \
-			$< > $@
-
-combined-certdata.txt : hacked-certdata.txt $(srcdir)/b2g-certdata.txt
-	cat $^ > $@
-
-libs-nss/lib libs-nss/lib/ckfw: combined-certdata.txt
-
-DEFAULT_GMAKE_FLAGS += NSS_CERTDATA_TXT='$(CURDIR)/combined-certdata.txt'
deleted file mode 100644
--- a/security/build/b2g-certdata.txt
+++ /dev/null
@@ -1,158 +0,0 @@
-
-#
-# Certificate "b2g-app-root-cert"
-#
-# Issuer: CN=root-ca-production-marketplace,OU=Mozilla Marketplace Production Signing Service,O=Mozilla Corporation,C=US
-# Serial Number: 1 (0x1)
-# Subject: CN=root-ca-production-marketplace,OU=Mozilla Marketplace Production Signing Service,O=Mozilla Corporation,C=US
-# Not Valid Before: Wed Feb 27 00:14:56 2013
-# Not Valid After : Sat Feb 25 00:14:56 2023
-# Fingerprint (MD5): 88:28:0F:FD:5E:1C:AB:EE:5A:2A:EA:80:40:52:75:8D
-# Fingerprint (SHA1): 1B:EC:5F:10:98:02:35:7F:CD:7C:7E:A9:1B:D0:B0:96:4D:EA:79:34
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "b2g-app-root-cert"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\215\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\034\060\032\006\003\125\004\012\023\023\115\157\172\151\154
-\154\141\040\103\157\162\160\157\162\141\164\151\157\156\061\067
-\060\065\006\003\125\004\013\023\056\115\157\172\151\154\154\141
-\040\115\141\162\153\145\164\160\154\141\143\145\040\120\162\157
-\144\165\143\164\151\157\156\040\123\151\147\156\151\156\147\040
-\123\145\162\166\151\143\145\061\047\060\045\006\003\125\004\003
-\023\036\162\157\157\164\055\143\141\055\160\162\157\144\165\143
-\164\151\157\156\055\155\141\162\153\145\164\160\154\141\143\145
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\215\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\034\060\032\006\003\125\004\012\023\023\115\157\172\151\154
-\154\141\040\103\157\162\160\157\162\141\164\151\157\156\061\067
-\060\065\006\003\125\004\013\023\056\115\157\172\151\154\154\141
-\040\115\141\162\153\145\164\160\154\141\143\145\040\120\162\157
-\144\165\143\164\151\157\156\040\123\151\147\156\151\156\147\040
-\123\145\162\166\151\143\145\061\047\060\045\006\003\125\004\003
-\023\036\162\157\157\164\055\143\141\055\160\162\157\144\165\143
-\164\151\157\156\055\155\141\162\153\145\164\160\154\141\143\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\225\060\202\003\175\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\014\005\000\060
-\201\215\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\115\157\172\151\154\154
-\141\040\103\157\162\160\157\162\141\164\151\157\156\061\067\060
-\065\006\003\125\004\013\023\056\115\157\172\151\154\154\141\040
-\115\141\162\153\145\164\160\154\141\143\145\040\120\162\157\144
-\165\143\164\151\157\156\040\123\151\147\156\151\156\147\040\123
-\145\162\166\151\143\145\061\047\060\045\006\003\125\004\003\023
-\036\162\157\157\164\055\143\141\055\160\162\157\144\165\143\164
-\151\157\156\055\155\141\162\153\145\164\160\154\141\143\145\060
-\036\027\015\061\063\060\062\062\067\060\060\061\064\065\066\132
-\027\015\062\063\060\062\062\065\060\060\061\064\065\066\132\060
-\201\215\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\115\157\172\151\154\154
-\141\040\103\157\162\160\157\162\141\164\151\157\156\061\067\060
-\065\006\003\125\004\013\023\056\115\157\172\151\154\154\141\040
-\115\141\162\153\145\164\160\154\141\143\145\040\120\162\157\144
-\165\143\164\151\157\156\040\123\151\147\156\151\156\147\040\123
-\145\162\166\151\143\145\061\047\060\045\006\003\125\004\003\023
-\036\162\157\157\164\055\143\141\055\160\162\157\144\165\143\164
-\151\157\156\055\155\141\162\153\145\164\160\154\141\143\145\060
-\202\001\040\060\015\006\011\052\206\110\206\367\015\001\001\001
-\005\000\003\202\001\015\000\060\202\001\010\002\202\001\001\000
-\247\162\151\213\076\310\222\363\334\154\146\146\016\060\313\203
-\342\133\011\201\206\205\341\236\265\111\162\337\154\163\114\114
-\056\023\374\024\374\157\204\110\223\124\235\112\142\152\007\151
-\376\302\236\315\167\150\150\067\253\207\173\120\035\007\172\016
-\135\263\061\115\251\037\176\377\134\265\267\043\123\255\333\044
-\210\201\276\020\340\164\047\364\126\315\002\156\322\366\064\265
-\063\365\113\326\220\122\213\011\253\053\021\150\235\140\007\252
-\000\127\247\320\111\172\277\061\100\325\176\255\364\366\124\125
-\005\076\355\204\256\011\254\240\373\060\116\350\116\100\014\035
-\337\101\013\372\126\044\243\326\227\322\255\002\020\214\072\124
-\276\211\154\104\246\161\267\172\156\247\333\365\046\056\213\030
-\265\031\213\237\352\255\001\334\303\151\137\130\275\070\044\002
-\344\314\045\276\075\303\255\131\135\053\246\200\060\206\074\130
-\150\055\100\215\227\360\242\160\224\241\103\357\334\120\002\231
-\070\062\375\037\321\150\246\350\265\214\261\030\071\123\110\277
-\155\320\342\315\360\106\071\350\376\024\173\162\341\340\242\377
-\002\001\003\243\201\377\060\201\374\060\014\006\003\125\035\023
-\004\005\060\003\001\001\377\060\016\006\003\125\035\017\001\001
-\377\004\004\003\002\001\006\060\026\006\003\125\035\045\001\001
-\377\004\014\060\012\006\010\053\006\001\005\005\007\003\003\060
-\201\244\006\003\125\035\043\004\201\234\060\201\231\241\201\223
-\244\201\220\060\201\215\061\013\060\011\006\003\125\004\006\023
-\002\125\123\061\034\060\032\006\003\125\004\012\023\023\115\157
-\172\151\154\154\141\040\103\157\162\160\157\162\141\164\151\157
-\156\061\067\060\065\006\003\125\004\013\023\056\115\157\172\151
-\154\154\141\040\115\141\162\153\145\164\160\154\141\143\145\040
-\120\162\157\144\165\143\164\151\157\156\040\123\151\147\156\151
-\156\147\040\123\145\162\166\151\143\145\061\047\060\045\006\003
-\125\004\003\023\036\162\157\157\164\055\143\141\055\160\162\157
-\144\165\143\164\151\157\156\055\155\141\162\153\145\164\160\154
-\141\143\145\202\001\001\060\035\006\003\125\035\016\004\026\004
-\024\143\177\362\340\322\062\041\230\377\266\043\145\112\077\360
-\275\352\307\245\154\060\015\006\011\052\206\110\206\367\015\001
-\001\014\005\000\003\202\001\001\000\063\313\340\240\170\214\253
-\145\170\076\242\217\337\362\037\173\002\344\271\077\272\056\025
-\265\005\055\061\351\104\101\006\246\224\236\013\253\176\046\236
-\233\110\266\225\230\074\036\053\366\105\072\217\165\241\320\205
-\221\212\220\056\014\342\265\075\147\172\371\357\255\004\350\273
-\156\112\166\340\306\302\067\135\067\374\311\127\120\341\013\007
-\300\201\245\174\226\036\253\042\044\217\217\360\034\070\362\152
-\343\113\166\224\371\304\121\034\222\356\255\115\011\204\160\020
-\144\272\361\333\341\151\135\271\061\163\324\010\276\341\252\135
-\023\162\376\175\255\350\165\353\240\063\250\067\132\345\211\170
-\367\344\241\044\156\201\367\010\072\126\010\061\053\125\245\216
-\165\262\047\277\325\064\304\374\055\333\274\332\364\361\210\122
-\213\104\243\342\316\344\037\242\243\047\014\134\223\366\356\363
-\047\065\155\241\130\252\072\320\210\312\354\306\045\260\146\124
-\327\207\117\164\300\131\247\271\165\370\214\253\356\177\071\051
-\303\273\137\365\100\313\143\236\214\133\217\066\150\253\037\112
-\232\045\243\102\140\264\076\054\333
-END
-
-# Trust for "b2g-app-root-cert"
-# Issuer: CN=root-ca-production-marketplace,OU=Mozilla Marketplace Production Signing Service,O=Mozilla Corporation,C=US
-# Serial Number: 1 (0x1)
-# Subject: CN=root-ca-production-marketplace,OU=Mozilla Marketplace Production Signing Service,O=Mozilla Corporation,C=US
-# Not Valid Before: Wed Feb 27 00:14:56 2013
-# Not Valid After : Sat Feb 25 00:14:56 2023
-# Fingerprint (MD5): 88:28:0F:FD:5E:1C:AB:EE:5A:2A:EA:80:40:52:75:8D
-# Fingerprint (SHA1): 1B:EC:5F:10:98:02:35:7F:CD:7C:7E:A9:1B:D0:B0:96:4D:EA:79:34
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "b2g-app-root-cert"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\033\354\137\020\230\002\065\177\315\174\176\251\033\320\260\226
-\115\352\171\064
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\210\050\017\375\136\034\253\356\132\052\352\200\100\122\165\215
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\215\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\034\060\032\006\003\125\004\012\023\023\115\157\172\151\154
-\154\141\040\103\157\162\160\157\162\141\164\151\157\156\061\067
-\060\065\006\003\125\004\013\023\056\115\157\172\151\154\154\141
-\040\115\141\162\153\145\164\160\154\141\143\145\040\120\162\157
-\144\165\143\164\151\157\156\040\123\151\147\156\151\156\147\040
-\123\145\162\166\151\143\145\061\047\060\045\006\003\125\004\003
-\023\036\162\157\157\164\055\143\141\055\160\162\157\144\165\143
-\164\151\157\156\055\155\141\162\153\145\164\160\154\141\143\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_signed_apps-marketplace.js
+++ /dev/null
@@ -1,66 +0,0 @@
-"use strict";
-const Cc = Components.classes;
-const Ci = Components.interfaces;
-const Cu = Components.utils;
-const Cr = Components.results;
-
-const isB2G = ("@mozilla.org/b2g-keyboard;1" in Components.classes);
-
-Cu.import("resource://gre/modules/FileUtils.jsm");
-Cu.import("resource://gre/modules/Services.jsm");
-
-do_get_profile(); // must be called before getting nsIX509CertDB
-const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
-
-function run_test() {
-  run_next_test();
-}
-
-// XXX: NSS has many possible error codes for this, e.g.
-// SEC_ERROR_UNTRUSTED_ISSUER and others are also reasonable. Future
-// versions of NSS may return one of these alternate errors; in that case
-// we need to update this test.
-//
-// XXX (bug 812089): Cr.NS_ERROR_SEC_ERROR_UNKNOWN_ISSUER is undefined.
-//
-// XXX: Cannot use operator| instead of operator+ to combine bits because
-// bit 31 trigger's JavaScript's crazy interpretation of the numbers as
-// two's complement negative integers.
-const NS_ERROR_SEC_ERROR_UNKNOWN_ISSUER = 0x80000000 /*unsigned (1 << 31)*/
-				        + (    (0x45 + 21) << 16)
-				        + (-(-0x2000 + 13)      );
-
-function check_open_result(name, expectedRv) {
-  if (expectedRv == Cr.NS_OK && !isB2G) {
-    // We do not trust the marketplace trust anchor on non-B2G builds
-    expectedRv = NS_ERROR_SEC_ERROR_UNKNOWN_ISSUER;
-  }
-
-  return function openSignedJARFileCallback(rv, aZipReader, aSignerCert) {
-    do_print("openSignedJARFileCallback called for " + name);
-    do_check_eq(rv, expectedRv);
-    do_check_eq(aZipReader != null,  Components.isSuccessCode(expectedRv));
-    do_check_eq(aSignerCert != null, Components.isSuccessCode(expectedRv));
-    run_next_test();
-  };
-}
-
-function original_app_path(test_name) {
-  return do_get_file("test_signed_apps/" + test_name + ".zip", false);
-}
-
-// Test that we no longer trust the test root cert that was originally used
-// during development of B2G 1.0.
-add_test(function () {
-  certdb.openSignedJARFileAsync(
-    original_app_path("test-privileged-app-test-1.0"),
-    check_open_result("test-privileged-app-test-1.0",
-                      NS_ERROR_SEC_ERROR_UNKNOWN_ISSUER));
-});
-
-// Test that we trust the root cert used by by the Firefox Marketplace.
-add_test(function () {
-  certdb.openSignedJARFileAsync(
-    original_app_path("privileged-app-test-1.0"),
-    check_open_result("privileged-app-test-1.0", Cr.NS_OK));
-});
deleted file mode 100644
index 3a12106c8fc0ad3f4bccc517eba2a3012ec57103..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
GIT binary patch
literal 0
Hc$@<O00001
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -1,14 +1,13 @@
 [DEFAULT]
 head = 
 tail = 
 
 [test_signed_apps.js]
-[test_signed_apps-marketplace.js]
 [test_datasignatureverifier.js]
 # Bug 676972: test hangs consistently on Android
 skip-if = os == "android"
 [test_hash_algorithms.js]
 # Bug 676972: test hangs consistently on Android
 skip-if = os == "android"
 [test_hmac.js]
 # Bug 676972: test hangs consistently on Android