--- a/security/apps/AppSignatureVerification.cpp
+++ b/security/apps/AppSignatureVerification.cpp
@@ -5,17 +5,17 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifdef MOZ_LOGGING
#define FORCE_PR_LOG 1
#endif
#include "nsNSSCertificateDB.h"
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
#include "mozilla/RefPtr.h"
#include "CryptoTask.h"
#include "AppTrustDomain.h"
#include "nsComponentManagerUtils.h"
#include "nsCOMPtr.h"
#include "nsHashKeys.h"
#include "nsIFile.h"
#include "nsIInputStream.h"
@@ -28,17 +28,17 @@
#include "ScopedNSSTypes.h"
#include "base64.h"
#include "certdb.h"
#include "secmime.h"
#include "plstr.h"
#include "prlog.h"
-using namespace insanity::pkix;
+using namespace mozilla::pkix;
using namespace mozilla;
using namespace mozilla::psm;
#ifdef PR_LOGGING
extern PRLogModuleInfo* gPIPNSSLog;
#endif
namespace {
@@ -520,19 +520,19 @@ ParseMF(const char* filebuf, nsIZipReade
}
return NS_OK;
}
nsresult
VerifySignature(AppTrustedRoot trustedRoot,
const SECItem& buffer, const SECItem& detachedDigest,
- /*out*/ insanity::pkix::ScopedCERTCertList& builtChain)
+ /*out*/ mozilla::pkix::ScopedCERTCertList& builtChain)
{
- insanity::pkix::ScopedPtr<NSSCMSMessage, NSS_CMSMessage_Destroy>
+ mozilla::pkix::ScopedPtr<NSSCMSMessage, NSS_CMSMessage_Destroy>
cmsMsg(NSS_CMSMessage_CreateFromDER(const_cast<SECItem*>(&buffer), nullptr,
nullptr, nullptr, nullptr, nullptr,
nullptr));
if (!cmsMsg) {
return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
}
if (!NSS_CMSMessage_IsSigned(cmsMsg.get())) {
@@ -555,23 +555,23 @@ VerifySignature(AppTrustedRoot trustedRo
// Set digest value.
if (NSS_CMSSignedData_SetDigestValue(signedData, SEC_OID_SHA1,
const_cast<SECItem*>(&detachedDigest))) {
return NS_ERROR_CMS_VERIFY_BAD_DIGEST;
}
// Parse the certificates into CERTCertificate objects held in memory, so that
// AppTrustDomain will be able to find them during path building.
- insanity::pkix::ScopedCERTCertList certs(CERT_NewCertList());
+ mozilla::pkix::ScopedCERTCertList certs(CERT_NewCertList());
if (!certs) {
return NS_ERROR_OUT_OF_MEMORY;
}
if (signedData->rawCerts) {
for (size_t i = 0; signedData->rawCerts[i]; ++i) {
- insanity::pkix::ScopedCERTCertificate
+ mozilla::pkix::ScopedCERTCertificate
cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
signedData->rawCerts[i], nullptr, false,
true));
// Skip certificates that fail to parse
if (cert) {
if (CERT_AddCertToListTail(certs.get(), cert.get()) == SECSuccess) {
cert.release(); // ownership transfered
} else {
@@ -661,17 +661,17 @@ OpenSignedAppFile(AppTrustedRoot aTruste
Digest sfCalculatedDigest;
rv = FindAndLoadOneEntry(zip, NS_LITERAL_CSTRING(JAR_SF_SEARCH_STRING),
sfFilename, sfBuffer, &sfCalculatedDigest);
if (NS_FAILED(rv)) {
return NS_ERROR_SIGNED_JAR_MANIFEST_INVALID;
}
sigBuffer.type = siBuffer;
- insanity::pkix::ScopedCERTCertList builtChain;
+ mozilla::pkix::ScopedCERTCertList builtChain;
rv = VerifySignature(aTrustedRoot, sigBuffer, sfCalculatedDigest.get(),
builtChain);
if (NS_FAILED(rv)) {
return rv;
}
ScopedAutoSECItem mfDigest;
rv = ParseSF(char_ptr_cast(sfBuffer.data), mfDigest);
--- a/security/apps/AppTrustDomain.cpp
+++ b/security/apps/AppTrustDomain.cpp
@@ -5,30 +5,30 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifdef MOZ_LOGGING
#define FORCE_PR_LOG 1
#endif
#include "AppTrustDomain.h"
#include "certdb.h"
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
#include "mozilla/ArrayUtils.h"
#include "nsIX509CertDB.h"
#include "prerror.h"
#include "secerr.h"
// Generated in Makefile.in
#include "marketplace-prod-public.inc"
#include "marketplace-prod-reviewers.inc"
#include "marketplace-dev-public.inc"
#include "marketplace-dev-reviewers.inc"
#include "xpcshell.inc"
-using namespace insanity::pkix;
+using namespace mozilla::pkix;
#ifdef PR_LOGGING
extern PRLogModuleInfo* gPIPNSSLog;
#endif
namespace mozilla { namespace psm {
AppTrustDomain::AppTrustDomain(void* pinArg)
@@ -83,17 +83,17 @@ AppTrustDomain::SetTrustedRoot(AppTruste
}
return SECSuccess;
}
SECStatus
AppTrustDomain::FindPotentialIssuers(const SECItem* encodedIssuerName,
PRTime time,
- /*out*/ insanity::pkix::ScopedCERTCertList& results)
+ /*out*/ mozilla::pkix::ScopedCERTCertList& results)
{
MOZ_ASSERT(mTrustedRoot);
if (!mTrustedRoot) {
PR_SetError(PR_INVALID_STATE_ERROR, 0);
return SECFailure;
}
results = CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
@@ -163,17 +163,17 @@ AppTrustDomain::GetCertTrust(EndEntityOr
*trustLevel = InheritsTrust;
return SECSuccess;
}
SECStatus
AppTrustDomain::VerifySignedData(const CERTSignedData* signedData,
const CERTCertificate* cert)
{
- return ::insanity::pkix::VerifySignedData(signedData, cert, mPinArg);
+ return ::mozilla::pkix::VerifySignedData(signedData, cert, mPinArg);
}
SECStatus
AppTrustDomain::CheckRevocation(EndEntityOrCA,
const CERTCertificate*,
/*const*/ CERTCertificate*,
PRTime time,
/*optional*/ const SECItem*)
--- a/security/apps/AppTrustDomain.h
+++ b/security/apps/AppTrustDomain.h
@@ -2,44 +2,44 @@
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef mozilla_psm_AppsTrustDomain_h
#define mozilla_psm_AppsTrustDomain_h
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "nsDebug.h"
#include "nsIX509CertDB.h"
namespace mozilla { namespace psm {
-class AppTrustDomain MOZ_FINAL : public insanity::pkix::TrustDomain
+class AppTrustDomain MOZ_FINAL : public mozilla::pkix::TrustDomain
{
public:
AppTrustDomain(void* pinArg);
SECStatus SetTrustedRoot(AppTrustedRoot trustedRoot);
- SECStatus GetCertTrust(insanity::pkix::EndEntityOrCA endEntityOrCA,
+ SECStatus GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
SECOidTag policy,
const CERTCertificate* candidateCert,
/*out*/ TrustLevel* trustLevel) MOZ_OVERRIDE;
SECStatus FindPotentialIssuers(const SECItem* encodedIssuerName,
PRTime time,
- /*out*/ insanity::pkix::ScopedCERTCertList& results)
+ /*out*/ mozilla::pkix::ScopedCERTCertList& results)
MOZ_OVERRIDE;
SECStatus VerifySignedData(const CERTSignedData* signedData,
const CERTCertificate* cert) MOZ_OVERRIDE;
- SECStatus CheckRevocation(insanity::pkix::EndEntityOrCA endEntityOrCA,
+ SECStatus CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA,
const CERTCertificate* cert,
/*const*/ CERTCertificate* issuerCertToDup,
PRTime time,
/*optional*/ const SECItem* stapledOCSPresponse);
private:
void* mPinArg; // non-owning!
- insanity::pkix::ScopedCERTCertificate mTrustedRoot;
+ mozilla::pkix::ScopedCERTCertificate mTrustedRoot;
};
} } // namespace mozilla::psm
#endif // mozilla_psm_AppsTrustDomain_h
--- a/security/apps/moz.build
+++ b/security/apps/moz.build
@@ -11,15 +11,15 @@ SOURCES += [
]
FAIL_ON_WARNINGS = True
FINAL_LIBRARY = 'xul'
LOCAL_INCLUDES += [
'../certverifier',
- '../insanity/include',
'../manager/ssl/src',
+ '../pkix/include',
]
DEFINES['NSS_ENABLE_ECC'] = 'True'
for var in ('DLL_PREFIX', 'DLL_SUFFIX'):
DEFINES[var] = '"%s"' % CONFIG[var]
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -3,28 +3,28 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "CertVerifier.h"
#include <stdint.h>
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
#include "ExtendedValidation.h"
#include "NSSCertDBTrustDomain.h"
#include "cert.h"
#include "ocsp.h"
#include "secerr.h"
#include "prerror.h"
#include "sslerr.h"
-// ScopedXXX in this file are insanity::pkix::ScopedXXX, not
+// ScopedXXX in this file are mozilla::pkix::ScopedXXX, not
// mozilla::ScopedXXX.
-using namespace insanity::pkix;
+using namespace mozilla::pkix;
using namespace mozilla::psm;
#ifdef PR_LOGGING
PRLogModuleInfo* gCertVerifierLog = nullptr;
#endif
namespace mozilla { namespace psm {
@@ -60,17 +60,17 @@ InitCertVerifierLog()
#ifdef PR_LOGGING
if (!gCertVerifierLog) {
gCertVerifierLog = PR_NewLogModule("certverifier");
}
#endif
}
#if 0
-// Once we migrate to insanity::pkix or change the overridable error
+// Once we migrate to mozilla::pkix or change the overridable error
// logic this will become unnecesary.
static SECStatus
insertErrorIntoVerifyLog(CERTCertificate* cert, const PRErrorCode err,
CERTVerifyLog* verifyLog){
CERTVerifyLogNode* node;
node = (CERTVerifyLogNode *)PORT_ArenaAlloc(verifyLog->arena,
sizeof(CERTVerifyLogNode));
if (!node) {
@@ -218,27 +218,27 @@ BuildCertChainForOneKeyUsage(TrustDomain
PR_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE, 0);
}
}
}
return rv;
}
SECStatus
-CertVerifier::InsanityVerifyCert(
+CertVerifier::MozillaPKIXVerifyCert(
CERTCertificate* cert,
const SECCertificateUsage usage,
const PRTime time,
void* pinArg,
const Flags flags,
/*optional*/ const SECItem* stapledOCSPResponse,
- /*optional out*/ insanity::pkix::ScopedCERTCertList* validationChain,
+ /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
/*optional out*/ SECOidTag* evOidPolicy)
{
- PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of InsanityVerifyCert\n"));
+ PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of MozillaPKIXVerifyCert\n"));
PR_ASSERT(cert);
PR_ASSERT(usage == certificateUsageSSLServer || !(flags & FLAG_MUST_BE_EV));
if (validationChain) {
*validationChain = nullptr;
}
if (evOidPolicy) {
@@ -262,17 +262,17 @@ CertVerifier::InsanityVerifyCert(
// TODO(bug 970750): anyExtendedKeyUsage
// TODO: encipherOnly/decipherOnly
// S/MIME Key Usage: http://tools.ietf.org/html/rfc3850#section-4.4.2
// S/MIME EKU: http://tools.ietf.org/html/rfc3850#section-4.4.4
// TODO(bug 915931): Pass in stapled OCSP response in all calls to
// BuildCertChain.
- insanity::pkix::ScopedCERTCertList builtChain;
+ mozilla::pkix::ScopedCERTCertList builtChain;
switch (usage) {
case certificateUsageSSLClient: {
// XXX: We don't really have a trust bit for SSL client authentication so
// just use trustEmail as it is the closest alternative.
NSSCertDBTrustDomain trustDomain(trustEmail, ocspFetching, mOCSPCache,
pinArg);
rv = BuildCertChain(trustDomain, cert, time, MustBeEndEntity,
KU_DIGITAL_SIGNATURE,
@@ -384,18 +384,18 @@ CertVerifier::InsanityVerifyCert(
}
case certificateUsageVerifyCA:
case certificateUsageStatusResponder: {
// XXX This is a pretty useless way to verify a certificate. It is used
// by the implementation of window.crypto.importCertificates and in the
// certificate viewer UI. Because we don't know what trust bit is
// interesting, we just try them all.
- insanity::pkix::EndEntityOrCA endEntityOrCA;
- insanity::pkix::KeyUsages keyUsage;
+ mozilla::pkix::EndEntityOrCA endEntityOrCA;
+ mozilla::pkix::KeyUsages keyUsage;
SECOidTag eku;
if (usage == certificateUsageVerifyCA) {
endEntityOrCA = MustBeCA;
keyUsage = KU_KEY_CERT_SIGN;
eku = SEC_OID_UNKNOWN;
} else {
endEntityOrCA = MustBeEndEntity;
keyUsage = KU_DIGITAL_SIGNATURE;
@@ -444,20 +444,20 @@ CertVerifier::VerifyCert(CERTCertificate
const SECCertificateUsage usage,
const PRTime time,
void* pinArg,
const Flags flags,
/*optional out*/ ScopedCERTCertList* validationChain,
/*optional out*/ SECOidTag* evOidPolicy,
/*optional out*/ CERTVerifyLog* verifyLog)
{
- if (mImplementation == insanity) {
- return InsanityVerifyCert(cert, usage, time, pinArg, flags,
- stapledOCSPResponse, validationChain,
- evOidPolicy);
+ if (mImplementation == mozillapkix) {
+ return MozillaPKIXVerifyCert(cert, usage, time, pinArg, flags,
+ stapledOCSPResponse, validationChain,
+ evOidPolicy);
}
if (!cert)
{
PR_NOT_REACHED("Invalid arguments to CertVerifier::VerifyCert");
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
@@ -794,17 +794,17 @@ pkix_done:
SECStatus
CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
/*optional*/ const SECItem* stapledOCSPResponse,
PRTime time,
/*optional*/ void* pinarg,
const char* hostname,
bool saveIntermediatesInPermanentDatabase,
- /*optional out*/ insanity::pkix::ScopedCERTCertList* certChainOut,
+ /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut,
/*optional out*/ SECOidTag* evOidPolicy)
{
PR_ASSERT(peerCert);
// XXX: PR_ASSERT(pinarg)
PR_ASSERT(hostname);
PR_ASSERT(hostname[0]);
if (certChainOut) {
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -2,17 +2,17 @@
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef mozilla_psm__CertVerifier_h
#define mozilla_psm__CertVerifier_h
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "OCSPCache.h"
namespace mozilla { namespace psm {
class CertVerifier
{
public:
typedef unsigned int Flags;
@@ -24,37 +24,37 @@ public:
// *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
// Only one usage per verification is supported.
SECStatus VerifyCert(CERTCertificate* cert,
/*optional*/ const SECItem* stapledOCSPResponse,
const SECCertificateUsage usage,
const PRTime time,
void* pinArg,
const Flags flags = 0,
- /*optional out*/ insanity::pkix::ScopedCERTCertList* validationChain = nullptr,
+ /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr,
/*optional out*/ SECOidTag* evOidPolicy = nullptr ,
/*optional out*/ CERTVerifyLog* verifyLog = nullptr);
SECStatus VerifySSLServerCert(
CERTCertificate* peerCert,
/*optional*/ const SECItem* stapledOCSPResponse,
PRTime time,
/*optional*/ void* pinarg,
const char* hostname,
bool saveIntermediatesInPermanentDatabase = false,
- /*optional out*/ insanity::pkix::ScopedCERTCertList* certChainOut = nullptr,
+ /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut = nullptr,
/*optional out*/ SECOidTag* evOidPolicy = nullptr);
enum implementation_config {
classic = 0,
#ifndef NSS_NO_LIBPKIX
libpkix = 1,
#endif
- insanity = 2
+ mozillapkix = 2
};
enum missing_cert_download_config { missing_cert_download_off = 0, missing_cert_download_on };
enum crl_download_config { crl_local_only = 0, crl_download_allowed };
enum ocsp_download_config { ocsp_off = 0, ocsp_on };
enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict };
enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 };
@@ -75,23 +75,23 @@ public:
const bool mMissingCertDownloadEnabled;
const bool mCRLDownloadEnabled;
#endif
const bool mOCSPDownloadEnabled;
const bool mOCSPStrict;
const bool mOCSPGETEnabled;
private:
- SECStatus InsanityVerifyCert(CERTCertificate* cert,
+ SECStatus MozillaPKIXVerifyCert(CERTCertificate* cert,
const SECCertificateUsage usage,
const PRTime time,
void* pinArg,
const Flags flags,
/*optional*/ const SECItem* stapledOCSPResponse,
- /*optional out*/ insanity::pkix::ScopedCERTCertList* validationChain,
+ /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
/*optional out*/ SECOidTag* evOidPolicy);
OCSPCache mOCSPCache;
};
void InitCertVerifierLog();
} } // namespace mozilla::psm
--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@@ -4,17 +4,17 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ExtendedValidation.h"
#include "cert.h"
#include "certdb.h"
#include "base64.h"
-#include "insanity/nullptr.h"
+#include "pkix/nullptr.h"
#include "pk11pub.h"
#include "secerr.h"
#include "prerror.h"
#include "prinit.h"
#ifdef PR_LOGGING
extern PRLogModuleInfo* gPIPNSSLog;
#endif
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -5,28 +5,28 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "NSSCertDBTrustDomain.h"
#include <stdint.h>
#include "ExtendedValidation.h"
#include "certdb.h"
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
#include "mozilla/Telemetry.h"
#include "nss.h"
#include "ocsp.h"
#include "pk11pub.h"
#include "prerror.h"
#include "prmem.h"
#include "prprf.h"
#include "secerr.h"
#include "secmod.h"
-using namespace insanity::pkix;
+using namespace mozilla::pkix;
#ifdef PR_LOGGING
extern PRLogModuleInfo* gCertVerifierLog;
#endif
namespace mozilla { namespace psm {
const char BUILTIN_ROOTS_MODULE_DEFAULT_NAME[] = "Builtin Roots Module";
@@ -48,17 +48,17 @@ NSSCertDBTrustDomain::NSSCertDBTrustDoma
, mOCSPCache(ocspCache)
, mPinArg(pinArg)
{
}
SECStatus
NSSCertDBTrustDomain::FindPotentialIssuers(
const SECItem* encodedIssuerName, PRTime time,
- /*out*/ insanity::pkix::ScopedCERTCertList& results)
+ /*out*/ mozilla::pkix::ScopedCERTCertList& results)
{
// TODO: normalize encodedIssuerName
// TODO: NSS seems to be ambiguous between "no potential issuers found" and
// "there was an error trying to retrieve the potential issuers."
results = CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
encodedIssuerName, time, true);
return SECSuccess;
}
@@ -126,32 +126,32 @@ NSSCertDBTrustDomain::GetCertTrust(EndEn
*trustLevel = InheritsTrust;
return SECSuccess;
}
SECStatus
NSSCertDBTrustDomain::VerifySignedData(const CERTSignedData* signedData,
const CERTCertificate* cert)
{
- return ::insanity::pkix::VerifySignedData(signedData, cert, mPinArg);
+ return ::mozilla::pkix::VerifySignedData(signedData, cert, mPinArg);
}
SECStatus
NSSCertDBTrustDomain::CheckRevocation(
- insanity::pkix::EndEntityOrCA endEntityOrCA,
+ mozilla::pkix::EndEntityOrCA endEntityOrCA,
const CERTCertificate* cert,
/*const*/ CERTCertificate* issuerCert,
PRTime time,
/*optional*/ const SECItem* stapledOCSPResponse)
{
// Actively distrusted certificates will have already been blocked by
// GetCertTrust.
// TODO: need to verify that IsRevoked isn't called for trust anchors AND
- // that that fact is documented in insanity.
+ // that that fact is documented in mozillapkix.
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
("NSSCertDBTrustDomain: Top of CheckRevocation\n"));
PORT_Assert(cert);
PORT_Assert(issuerCert);
if (!cert || !issuerCert) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -2,17 +2,17 @@
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef mozilla_psm__NSSCertDBTrustDomain_h
#define mozilla_psm__NSSCertDBTrustDomain_h
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "secmodt.h"
#include "CertVerifier.h"
namespace mozilla { namespace psm {
SECStatus InitializeNSS(const char* dir, bool readOnly);
void DisableMD5();
@@ -38,46 +38,46 @@ void UnloadLoadableRoots(const char* mod
void
SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
CertVerifier::ocsp_strict_config strict,
CertVerifier::ocsp_get_config get);
// Caller must free the result with PR_Free
char* DefaultServerNicknameForCert(CERTCertificate* cert);
-void SaveIntermediateCerts(const insanity::pkix::ScopedCERTCertList& certList);
+void SaveIntermediateCerts(const mozilla::pkix::ScopedCERTCertList& certList);
-class NSSCertDBTrustDomain : public insanity::pkix::TrustDomain
+class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain
{
public:
enum OCSPFetching {
NeverFetchOCSP = 0,
FetchOCSPForDVSoftFail = 1,
FetchOCSPForDVHardFail = 2,
FetchOCSPForEV = 3,
LocalOnlyOCSPForEV = 4,
};
NSSCertDBTrustDomain(SECTrustType certDBTrustType, OCSPFetching ocspFetching,
OCSPCache& ocspCache, void* pinArg);
virtual SECStatus FindPotentialIssuers(
const SECItem* encodedIssuerName,
PRTime time,
- /*out*/ insanity::pkix::ScopedCERTCertList& results);
+ /*out*/ mozilla::pkix::ScopedCERTCertList& results);
- virtual SECStatus GetCertTrust(insanity::pkix::EndEntityOrCA endEntityOrCA,
+ virtual SECStatus GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
SECOidTag policy,
const CERTCertificate* candidateCert,
/*out*/ TrustLevel* trustLevel);
virtual SECStatus VerifySignedData(const CERTSignedData* signedData,
const CERTCertificate* cert);
- virtual SECStatus CheckRevocation(insanity::pkix::EndEntityOrCA endEntityOrCA,
+ virtual SECStatus CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA,
const CERTCertificate* cert,
/*const*/ CERTCertificate* issuerCert,
PRTime time,
/*optional*/ const SECItem* stapledOCSPResponse);
private:
SECStatus VerifyAndMaybeCacheEncodedOCSPResponse(
const CERTCertificate* cert, CERTCertificate* issuerCert, PRTime time,
--- a/security/certverifier/OCSPCache.cpp
+++ b/security/certverifier/OCSPCache.cpp
@@ -23,24 +23,24 @@
#ifdef PR_LOGGING
extern PRLogModuleInfo* gCertVerifierLog;
#endif
namespace mozilla { namespace psm {
void
-Insanity_PK11_DestroyContext_true(PK11Context* context)
+MozillaPKIX_PK11_DestroyContext_true(PK11Context* context)
{
PK11_DestroyContext(context, true);
}
-typedef insanity::pkix::ScopedPtr<PK11Context,
- Insanity_PK11_DestroyContext_true>
- ScopedPK11Context;
+typedef mozilla::pkix::ScopedPtr<PK11Context,
+ MozillaPKIX_PK11_DestroyContext_true>
+ ScopedPK11Context;
// Let derIssuer be the DER encoding of the issuer of aCert.
// Let derPublicKey be the DER encoding of the public key of aIssuerCert.
// Let serialNumber be the bytes of the serial number of aCert.
// The value calculated is SHA384(derIssuer || derPublicKey || serialNumber).
// Because the DER encodings include the length of the data encoded,
// there do not exist A(derIssuerA, derPublicKeyA, serialNumberA) and
// B(derIssuerB, derPublicKeyB, serialNumberB) such that the concatenation of
@@ -133,19 +133,19 @@ OCSPCache::FindInternal(const CERTCertif
}
void
OCSPCache::LogWithCerts(const char* aMessage, const CERTCertificate* aCert,
const CERTCertificate* aIssuerCert)
{
#ifdef PR_LOGGING
if (PR_LOG_TEST(gCertVerifierLog, PR_LOG_DEBUG)) {
- insanity::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string>
+ mozilla::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string>
cn(CERT_GetCommonName(&aCert->subject));
- insanity::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string>
+ mozilla::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string>
cnIssuer(CERT_GetCommonName(&aIssuerCert->subject));
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, (aMessage, cn.get(), cnIssuer.get()));
}
#endif
}
void
OCSPCache::MakeMostRecentlyUsed(size_t aIndex,
--- a/security/certverifier/OCSPCache.h
+++ b/security/certverifier/OCSPCache.h
@@ -15,17 +15,17 @@
* limitations under the License.
*/
#ifndef mozilla_psm_OCSPCache_h
#define mozilla_psm_OCSPCache_h
#include "certt.h"
#include "hasht.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "mozilla/Mutex.h"
#include "mozilla/Vector.h"
#include "prerror.h"
namespace mozilla { namespace psm {
// make SHA384Buffer be of type "array of uint8_t of length SHA384_LENGTH"
typedef uint8_t SHA384Buffer[SHA384_LENGTH];
--- a/security/certverifier/moz.build
+++ b/security/certverifier/moz.build
@@ -11,20 +11,20 @@ UNIFIED_SOURCES += [
]
if not CONFIG['NSS_NO_EV_CERTS']:
UNIFIED_SOURCES += [
'ExtendedValidation.cpp',
]
LOCAL_INCLUDES += [
- '../insanity/include',
+ '../pkix/include',
]
DIRS += [
- '../insanity',
+ '../pkix',
]
FAIL_ON_WARNINGS = True
LIBRARY_NAME = 'certverifier'
FINAL_LIBRARY = 'xul'
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -91,17 +91,17 @@
// an SSL handshake) and the PSM NSS I/O layer are not thread-safe, and because
// we need the event to interrupt the PR_Poll that may waiting for I/O on the
// socket for which we are validating the cert.
#include "SSLServerCertVerification.h"
#include <cstring>
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "CertVerifier.h"
#include "CryptoTask.h"
#include "ExtendedValidation.h"
#include "NSSCertDBTrustDomain.h"
#include "nsIBadCertListener2.h"
#include "nsICertOverrideService.h"
#include "nsISiteSecurityService.h"
#include "nsNSSComponent.h"
@@ -309,32 +309,32 @@ MapCertErrorToProbeValue(PRErrorCode err
case SEC_ERROR_EXPIRED_CERTIFICATE: return 10;
}
NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue "
"handle everything in PRErrorCodeToOverrideType?");
return 0;
}
SECStatus
-InsanityDetermineCertOverrideErrors(CERTCertificate* cert,
- const char* hostName, PRTime now,
- PRErrorCode defaultErrorCodeToReport,
- /*out*/ uint32_t& collectedErrors,
- /*out*/ PRErrorCode& errorCodeTrust,
- /*out*/ PRErrorCode& errorCodeMismatch,
- /*out*/ PRErrorCode& errorCodeExpired)
+MozillaPKIXDetermineCertOverrideErrors(CERTCertificate* cert,
+ const char* hostName, PRTime now,
+ PRErrorCode defaultErrorCodeToReport,
+ /*out*/ uint32_t& collectedErrors,
+ /*out*/ PRErrorCode& errorCodeTrust,
+ /*out*/ PRErrorCode& errorCodeMismatch,
+ /*out*/ PRErrorCode& errorCodeExpired)
{
MOZ_ASSERT(cert);
MOZ_ASSERT(hostName);
MOZ_ASSERT(collectedErrors == 0);
MOZ_ASSERT(errorCodeTrust == 0);
MOZ_ASSERT(errorCodeMismatch == 0);
MOZ_ASSERT(errorCodeExpired == 0);
- // Assumes the error prioritization described in insanity::pkix's
+ // Assumes the error prioritization described in mozilla::pkix's
// BuildForward function. Also assumes that CERT_VerifyCertName was only
// called if CertVerifier::VerifyCert succeeded.
switch (defaultErrorCodeToReport) {
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
case SEC_ERROR_UNKNOWN_ISSUER:
{
collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED;
errorCodeTrust = defaultErrorCodeToReport;
@@ -702,24 +702,24 @@ CreateCertErrorRunnable(CertVerifier& ce
#endif
rv = NSSDetermineCertOverrideErrors(certVerifier, cert, stapledOCSPResponse,
infoObject, now,
defaultErrorCodeToReport,
collected_errors, errorCodeTrust,
errorCodeMismatch, errorCodeExpired);
break;
- case CertVerifier::insanity:
- rv = InsanityDetermineCertOverrideErrors(cert,
- infoObject->GetHostNameRaw(),
- now, defaultErrorCodeToReport,
- collected_errors,
- errorCodeTrust,
- errorCodeMismatch,
- errorCodeExpired);
+ case CertVerifier::mozillapkix:
+ rv = MozillaPKIXDetermineCertOverrideErrors(cert,
+ infoObject->GetHostNameRaw(),
+ now, defaultErrorCodeToReport,
+ collected_errors,
+ errorCodeTrust,
+ errorCodeMismatch,
+ errorCodeExpired);
break;
default:
MOZ_CRASH("unexpected CertVerifier implementation");
PR_SetError(defaultErrorCodeToReport, 0);
return nullptr;
}
@@ -804,17 +804,17 @@ private:
TransportSecurityInfo* infoObject,
CERTCertificate* cert,
SECItem* stapledOCSPResponse,
uint32_t providerFlags,
PRTime time);
const RefPtr<SharedCertVerifier> mCertVerifier;
const void* const mFdForLogging;
const RefPtr<TransportSecurityInfo> mInfoObject;
- const insanity::pkix::ScopedCERTCertificate mCert;
+ const mozilla::pkix::ScopedCERTCertificate mCert;
const uint32_t mProviderFlags;
const PRTime mTime;
const TimeStamp mJobStartTime;
const ScopedSECItem mStapledOCSPResponse;
};
SSLServerCertVerificationJob::SSLServerCertVerificationJob(
const RefPtr<SharedCertVerifier>& certVerifier, const void* fdForLogging,
@@ -904,17 +904,17 @@ AuthCertificate(CertVerifier& certVerifi
CERTCertificate* cert, SECItem* stapledOCSPResponse,
uint32_t providerFlags, PRTime time)
{
MOZ_ASSERT(infoObject);
MOZ_ASSERT(cert);
SECStatus rv;
- // TODO: Remove this after we switch to insanity::pkix as the
+ // TODO: Remove this after we switch to mozilla::pkix as the
// only option
if (certVerifier.mImplementation == CertVerifier::classic) {
if (stapledOCSPResponse) {
CERTCertDBHandle* handle = CERT_GetDefaultCertDB();
rv = CERT_CacheOCSPResponseFromSideChannel(handle, cert, PR_Now(),
stapledOCSPResponse,
infoObject);
if (rv != SECSuccess) {
@@ -960,17 +960,17 @@ AuthCertificate(CertVerifier& certVerifi
}
}
// We want to avoid storing any intermediate cert information when browsing
// in private, transient contexts.
bool saveIntermediates =
!(providerFlags & nsISocketProvider::NO_PERMANENT_STORAGE);
- insanity::pkix::ScopedCERTCertList certList;
+ mozilla::pkix::ScopedCERTCertList certList;
SECOidTag evOidPolicy;
rv = certVerifier.VerifySSLServerCert(cert, stapledOCSPResponse,
time, infoObject,
infoObject->GetHostNameRaw(),
saveIntermediates, nullptr,
&evOidPolicy);
// We want to remember the CA certs in the temp db, so that the application can find the
@@ -1085,21 +1085,21 @@ SSLServerCertVerificationJob::Run()
Telemetry::ID failureTelemetry;
switch (mCertVerifier->mImplementation) {
case CertVerifier::classic:
successTelemetry
= Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC;
failureTelemetry
= Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC;
break;
- case CertVerifier::insanity:
+ case CertVerifier::mozillapkix:
successTelemetry
- = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_INSANITY;
+ = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
failureTelemetry
- = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_INSANITY;
+ = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
break;
#ifndef NSS_NO_LIBPKIX
case CertVerifier::libpkix:
successTelemetry
= Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX;
failureTelemetry
= Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX;
break;
--- a/security/manager/ssl/src/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/src/TransportSecurityInfo.cpp
@@ -1,17 +1,17 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "TransportSecurityInfo.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "nsNSSComponent.h"
#include "nsIWebProgressListener.h"
#include "nsNSSCertificate.h"
#include "nsIX509CertValidity.h"
#include "nsIDateTimeFormat.h"
#include "nsDateTimeFormatCID.h"
#include "nsICertOverrideService.h"
#include "nsIObjectInputStream.h"
@@ -750,17 +750,17 @@ AppendErrorTextMismatch(const nsString &
nsIX509Cert* ix509,
nsINSSComponent *component,
bool wantsHtml,
nsString &returnedMessage)
{
const char16_t *params[1];
nsresult rv;
- insanity::pkix::ScopedCERTCertificate nssCert;
+ mozilla::pkix::ScopedCERTCertificate nssCert;
nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(ix509, &rv);
if (cert2)
nssCert = cert2->GetCert();
if (!nssCert) {
// We are unable to extract the valid names, say "not valid for name".
params[0] = host.get();
--- a/security/manager/ssl/src/moz.build
+++ b/security/manager/ssl/src/moz.build
@@ -90,17 +90,17 @@ UNIFIED_SOURCES += [
]
FAIL_ON_WARNINGS = True
FINAL_LIBRARY = 'xul'
LOCAL_INCLUDES += [
'../../../certverifier',
- '../../../insanity/include',
+ '../../../pkix/include',
]
if CONFIG['NSS_DISABLE_DBM']:
DEFINES['NSS_DISABLE_DBM'] = '1'
DEFINES['SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES'] = 'True'
DEFINES['NSS_ENABLE_ECC'] = 'True'
for var in ('DLL_PREFIX', 'DLL_SUFFIX'):
--- a/security/manager/ssl/src/nsCMS.cpp
+++ b/security/manager/ssl/src/nsCMS.cpp
@@ -1,17 +1,17 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsCMS.h"
#include "CertVerifier.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "nsISupports.h"
#include "nsNSSHelper.h"
#include "nsNSSCertificate.h"
#include "smime.h"
#include "cms.h"
#include "nsICMSMessageErrors.h"
#include "nsIArray.h"
#include "nsArrayUtils.h"
@@ -510,17 +510,17 @@ NS_IMETHODIMP nsCMSMessage::CreateEncryp
for (i=0; i<recipientCertCount; i++) {
nsCOMPtr<nsIX509Cert> x509cert = do_QueryElementAt(aRecipientCerts, i);
nssRecipientCert = do_QueryInterface(x509cert);
if (!nssRecipientCert)
return NS_ERROR_FAILURE;
- insanity::pkix::ScopedCERTCertificate c(nssRecipientCert->GetCert());
+ mozilla::pkix::ScopedCERTCertificate c(nssRecipientCert->GetCert());
recipientCerts.set(i, c.get());
}
// Find a bulk key algorithm //
if (NSS_SMIMEUtil_FindBulkAlgForRecipients(recipientCerts.getRawArray(), &bulkAlgTag,
&keySize) != SECSuccess) {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't find bulk alg for recipients\n"));
rv = NS_ERROR_CMS_ENCRYPT_NO_BULK_ALG;
@@ -548,17 +548,17 @@ NS_IMETHODIMP nsCMSMessage::CreateEncryp
cinfo = NSS_CMSEnvelopedData_GetContentInfo(envd);
if (NSS_CMSContentInfo_SetContent_Data(m_cmsMsg, cinfo, nullptr, false) != SECSuccess) {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't set content data\n"));
goto loser;
}
// Create and attach recipient information //
for (i=0; i < recipientCertCount; i++) {
- insanity::pkix::ScopedCERTCertificate rc(recipientCerts.get(i));
+ mozilla::pkix::ScopedCERTCertificate rc(recipientCerts.get(i));
if ((recipientInfo = NSS_CMSRecipientInfo_Create(m_cmsMsg, rc.get())) == nullptr) {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't create recipient info\n"));
goto loser;
}
if (NSS_CMSEnvelopedData_AddRecipient(envd, recipientInfo) != SECSuccess) {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't add recipient info\n"));
goto loser;
}
@@ -579,18 +579,18 @@ NS_IMETHODIMP nsCMSMessage::CreateSigned
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown())
return NS_ERROR_NOT_AVAILABLE;
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateSigned\n"));
NSSCMSContentInfo *cinfo;
NSSCMSSignedData *sigd;
NSSCMSSignerInfo *signerinfo;
- insanity::pkix::ScopedCERTCertificate scert;
- insanity::pkix::ScopedCERTCertificate ecert;
+ mozilla::pkix::ScopedCERTCertificate scert;
+ mozilla::pkix::ScopedCERTCertificate ecert;
nsCOMPtr<nsIX509Cert2> aSigningCert2 = do_QueryInterface(aSigningCert);
nsresult rv = NS_ERROR_FAILURE;
/* Get the certs */
if (aSigningCert2) {
scert = aSigningCert2->GetCert();
}
if (!scert) {
--- a/security/manager/ssl/src/nsCertOverrideService.cpp
+++ b/security/manager/ssl/src/nsCertOverrideService.cpp
@@ -1,17 +1,17 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsCertOverrideService.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "nsIX509Cert.h"
#include "NSSCertDBTrustDomain.h"
#include "nsNSSCertificate.h"
#include "nsNSSCertHelper.h"
#include "nsCRT.h"
#include "nsAppDirectoryServiceDefs.h"
#include "nsStreamUtils.h"
#include "nsNetUtil.h"
@@ -389,17 +389,17 @@ static nsresult
GetCertFingerprintByOidTag(nsIX509Cert *aCert,
SECOidTag aOidTag,
nsCString &fp)
{
nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
if (!cert2)
return NS_ERROR_FAILURE;
- insanity::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
+ mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
if (!nsscert)
return NS_ERROR_FAILURE;
return GetCertFingerprintByOidTag(nsscert.get(), aOidTag, fp);
}
static nsresult
GetCertFingerprintByDottedOidString(CERTCertificate* nsscert,
@@ -427,17 +427,17 @@ static nsresult
GetCertFingerprintByDottedOidString(nsIX509Cert *aCert,
const nsCString &dottedOid,
nsCString &fp)
{
nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
if (!cert2)
return NS_ERROR_FAILURE;
- insanity::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
+ mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
if (!nsscert)
return NS_ERROR_FAILURE;
return GetCertFingerprintByDottedOidString(nsscert.get(), dottedOid, fp);
}
NS_IMETHODIMP
nsCertOverrideService::RememberValidityOverride(const nsACString & aHostName, int32_t aPort,
@@ -450,17 +450,17 @@ nsCertOverrideService::RememberValidityO
return NS_ERROR_INVALID_ARG;
if (aPort < -1)
return NS_ERROR_INVALID_ARG;
nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(aCert);
if (!cert2)
return NS_ERROR_FAILURE;
- insanity::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
+ mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
if (!nsscert)
return NS_ERROR_FAILURE;
char* nickname = DefaultServerNicknameForCert(nsscert.get());
if (!aTemporary && nickname && *nickname)
{
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
if (!slot) {
--- a/security/manager/ssl/src/nsCertPicker.cpp
+++ b/security/manager/ssl/src/nsCertPicker.cpp
@@ -1,15 +1,15 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsCertPicker.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "nsMemory.h"
#include "nsCOMPtr.h"
#include "nsXPIDLString.h"
#include "nsIServiceManager.h"
#include "nsNSSComponent.h"
#include "nsNSSCertificate.h"
#include "nsReadableUtils.h"
#include "nsICertPickDialogs.h"
@@ -45,24 +45,24 @@ NS_IMETHODIMP nsCertPicker::PickByUsage(
char16_t **certNicknameList = nullptr;
char16_t **certDetailsList = nullptr;
CERTCertListNode* node = nullptr;
nsresult rv = NS_OK;
{
// Iterate over all certs. This assures that user is logged in to all hardware tokens.
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
- insanity::pkix::ScopedCERTCertList allcerts(
+ mozilla::pkix::ScopedCERTCertList allcerts(
PK11_ListCerts(PK11CertListUnique, ctx));
}
/* find all user certs that are valid and for SSL */
/* note that we are allowing expired certs in this list */
- insanity::pkix::ScopedCERTCertList certList(
+ mozilla::pkix::ScopedCERTCertList certList(
CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(),
(SECCertUsage)certUsage,
!allowDuplicateNicknames,
!allowInvalid,
ctx));
if (!certList) {
return NS_ERROR_NOT_AVAILABLE;
}
--- a/security/manager/ssl/src/nsCertTree.cpp
+++ b/security/manager/ssl/src/nsCertTree.cpp
@@ -1,15 +1,15 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsCertTree.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "nsNSSComponent.h" // for PIPNSS string bundle calls.
#include "nsITreeColumns.h"
#include "nsIX509Cert.h"
#include "nsIX509CertValidity.h"
#include "nsIX509CertDB.h"
#include "nsXPIDLString.h"
#include "nsReadableUtils.h"
#include "nsUnicharUtils.h"
@@ -633,17 +633,17 @@ nsCertTree::GetCertsByTypeFromCertList(C
nsresult
nsCertTree::GetCertsByType(uint32_t aType,
nsCertCompareFunc aCertCmpFn,
void *aCertCmpFnArg)
{
nsNSSShutDownPreventionLock locker;
nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
- insanity::pkix::ScopedCERTCertList certList(
+ mozilla::pkix::ScopedCERTCertList certList(
PK11_ListCerts(PK11CertListUnique, cxt));
return GetCertsByTypeFromCertList(certList.get(), aType, aCertCmpFn,
aCertCmpFnArg);
}
nsresult
nsCertTree::GetCertsByTypeFromCache(nsINSSCertCache *aCache,
uint32_t aType,
@@ -804,17 +804,17 @@ nsCertTree::DeleteEntryObject(uint32_t i
}
}
else {
if (addonInfo && addonInfo->mUsageCount > 1) {
// user is trying to delete a perm trusted cert,
// although there are still overrides stored,
// so, we keep the cert, but remove the trust
- insanity::pkix::ScopedCERTCertificate nsscert;
+ mozilla::pkix::ScopedCERTCertificate nsscert;
nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(cert);
if (cert2) {
nsscert = cert2->GetCert();
}
if (nsscert) {
CERTCertTrust trust;
--- a/security/manager/ssl/src/nsCrypto.cpp
+++ b/security/manager/ssl/src/nsCrypto.cpp
@@ -65,17 +65,17 @@
#include "pk11pqg.h"
#include "cmmf.h"
#include "nssb64.h"
#include "base64.h"
#include "cert.h"
#include "certdb.h"
#include "secmod.h"
#include "ScopedNSSTypes.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "ssl.h" // For SSL_ClearSessionCache
#include "nsNSSCleaner.h"
#include "nsNSSCertHelper.h"
#include <algorithm>
#include "nsWrapperCacheInlines.h"
@@ -1037,17 +1037,17 @@ nsFreeCertReqMessages(CRMFCertReqMsg **c
static nsresult
nsSetEscrowAuthority(CRMFCertRequest *certReq, nsKeyPairInfo *keyInfo,
nsNSSCertificate *wrappingCert)
{
if (!wrappingCert ||
CRMF_CertRequestIsControlPresent(certReq, crmfPKIArchiveOptionsControl)){
return NS_ERROR_FAILURE;
}
- insanity::pkix::ScopedCERTCertificate cert(wrappingCert->GetCert());
+ mozilla::pkix::ScopedCERTCertificate cert(wrappingCert->GetCert());
if (!cert)
return NS_ERROR_FAILURE;
CRMFEncryptedKey *encrKey =
CRMF_CreateEncryptedKeyWithEncryptedValue(keyInfo->privKey, cert.get());
if (!encrKey)
return NS_ERROR_FAILURE;
@@ -1937,17 +1937,17 @@ nsCrypto::GenerateCRMFRequest(JSContext*
bool willEscrow = false;
if (!aEaCert.IsVoid()) {
SECItem certDer = {siBuffer, nullptr, 0};
SECStatus srv = ATOB_ConvertAsciiToItem(&certDer, aEaCert.get());
if (srv != SECSuccess) {
aRv.Throw(NS_ERROR_FAILURE);
return nullptr;
}
- insanity::pkix::ScopedCERTCertificate cert(
+ mozilla::pkix::ScopedCERTCertificate cert(
CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
&certDer, nullptr, false, true));
if (!cert) {
aRv.Throw(NS_ERROR_FAILURE);
return nullptr;
}
escrowCert = nsNSSCertificate::Create(cert.get());
@@ -2206,17 +2206,17 @@ nsCryptoRunnable::Run()
//Quick helper function to check if a newly issued cert
//already exists in the user's database.
static bool
nsCertAlreadyExists(SECItem *derCert)
{
CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
bool retVal = false;
- insanity::pkix::ScopedCERTCertificate cert(
+ mozilla::pkix::ScopedCERTCertificate cert(
CERT_FindCertByDERCert(handle, derCert));
if (cert) {
if (cert->isperm && !cert->nickname && !cert->emailAddr) {
//If the cert doesn't have a nickname or email addr, it is
//bogus cruft, so delete it.
SEC_DeletePermCertificate(cert.get());
} else if (cert->isperm) {
retVal = true;
@@ -2368,17 +2368,17 @@ nsCrypto::ImportUserCertificates(const n
CMMF_DestroyCertResponse(currResponse);
}
//Let the loser: label take care of freeing up our reference to
//nickname (This way we don't free it twice and avoid crashing.
//That would be a good thing.
//Import the root chain into the cert db.
{
- insanity::pkix::ScopedCERTCertList
+ mozilla::pkix::ScopedCERTCertList
caPubs(CMMF_CertRepContentGetCAPubs(certRepContent));
if (caPubs) {
int32_t numCAs = nsCertListCount(caPubs.get());
NS_ASSERTION(numCAs > 0, "Invalid number of CA's");
if (numCAs > 0) {
CERTCertListNode *node;
SECItem *derCerts;
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -1,16 +1,16 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsNSSCallbacks.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "mozilla/Telemetry.h"
#include "mozilla/TimeStamp.h"
#include "nsNSSComponent.h"
#include "nsNSSIOLayer.h"
#include "nsIWebProgressListener.h"
#include "nsProtectedAuthThread.h"
#include "nsITokenDialogs.h"
#include "nsIUploadChannel.h"
@@ -1184,17 +1184,17 @@ void HandshakeCallback(PRFileDesc* fd, v
nsAutoString msg;
msg.Append(NS_ConvertASCIItoUTF16(hostName));
msg.Append(NS_LITERAL_STRING(" : server does not support RFC 5746, see CVE-2009-3555"));
nsContentUtils::LogSimpleConsoleError(msg, "SSL");
}
- insanity::pkix::ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
+ mozilla::pkix::ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
/* Set the SSL Status information */
RefPtr<nsSSLStatus> status(infoObject->SSLStatus());
if (!status) {
status = new nsSSLStatus();
infoObject->SetSSLStatus(status);
}
--- a/security/manager/ssl/src/nsNSSCertCache.cpp
+++ b/security/manager/ssl/src/nsNSSCertCache.cpp
@@ -41,17 +41,17 @@ NS_IMETHODIMP
nsNSSCertCache::CacheAllCerts()
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown())
return NS_ERROR_NOT_AVAILABLE;
nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
- insanity::pkix::ScopedCERTCertList newList(
+ mozilla::pkix::ScopedCERTCertList newList(
PK11_ListCerts(PK11CertListUnique, cxt));
if (newList) {
MutexAutoLock lock(mutex);
mCertList = new nsNSSCertList(newList, locker);
}
return NS_OK;
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@@ -5,17 +5,17 @@
#include "nsNSSCertificate.h"
#include "prmem.h"
#include "prerror.h"
#include "prprf.h"
#include "CertVerifier.h"
#include "ExtendedValidation.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "nsNSSComponent.h" // for PIPNSS string bundle calls.
#include "nsNSSCleaner.h"
#include "nsCOMPtr.h"
#include "nsIMutableArray.h"
#include "nsNSSCertValidity.h"
#include "nsPKCS12Blob.h"
#include "nsPK11TokenDB.h"
#include "nsIX509Cert.h"
@@ -817,17 +817,17 @@ nsNSSCertificate::GetChain(nsIArray** _r
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown())
return NS_ERROR_NOT_AVAILABLE;
NS_ENSURE_ARG(_rvChain);
nsresult rv;
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting chain for \"%s\"\n", mCert->nickname));
- ::insanity::pkix::ScopedCERTCertList nssChain;
+ ::mozilla::pkix::ScopedCERTCertList nssChain;
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
// We want to test all usages, but we start with server because most of the
// time Firefox users care about server certs.
certVerifier->VerifyCert(mCert.get(), nullptr,
certificateUsageSSLServer, PR_Now(),
nullptr, /*XXX fixme*/
@@ -1537,17 +1537,17 @@ nsNSSCertificate::GetValidEVPolicyOid(ns
}
#endif
return NS_OK;
}
NS_IMPL_ISUPPORTS1(nsNSSCertList, nsIX509CertList)
-nsNSSCertList::nsNSSCertList(insanity::pkix::ScopedCERTCertList& certList,
+nsNSSCertList::nsNSSCertList(mozilla::pkix::ScopedCERTCertList& certList,
const nsNSSShutDownPreventionLock& proofOfLock)
{
if (certList) {
mCertList = certList.release();
} else {
mCertList = CERT_NewCertList();
}
}
--- a/security/manager/ssl/src/nsNSSCertificate.h
+++ b/security/manager/ssl/src/nsNSSCertificate.h
@@ -14,17 +14,17 @@
#include "nsIASN1Object.h"
#include "nsISMimeCert.h"
#include "nsIIdentityInfo.h"
#include "nsCOMPtr.h"
#include "nsNSSShutDown.h"
#include "nsISimpleEnumerator.h"
#include "nsISerializable.h"
#include "nsIClassInfo.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "certt.h"
class nsAutoString;
class nsINSSComponent;
class nsIASN1Sequence;
class nsNSSCertificate : public nsIX509Cert3,
public nsIIdentityInfo,
@@ -49,17 +49,17 @@ public:
nsresult FormatUIStrings(const nsAutoString& nickname,
nsAutoString& nickWithSerial,
nsAutoString& details);
static nsNSSCertificate* Create(CERTCertificate*cert = nullptr,
SECOidTag* evOidPolicy = nullptr);
static nsNSSCertificate* ConstructFromDER(char* certDER, int derLen);
private:
- insanity::pkix::ScopedCERTCertificate mCert;
+ mozilla::pkix::ScopedCERTCertificate mCert;
bool mPermDelete;
uint32_t mCertType;
nsresult CreateASN1Struct(nsIASN1Object** aRetVal);
nsresult CreateTBSCertificateASN1Struct(nsIASN1Sequence** retSequence,
nsINSSComponent* nssComponent);
nsresult GetSortableDate(PRTime aTime, nsAString& _aSortableDate);
virtual void virtualDestroyNSSReference();
void destructorSafeDestroyNSSReference();
@@ -76,30 +76,30 @@ private:
class nsNSSCertList: public nsIX509CertList,
public nsNSSShutDownObject
{
public:
NS_DECL_THREADSAFE_ISUPPORTS
NS_DECL_NSIX509CERTLIST
// certList is adopted
- nsNSSCertList(insanity::pkix::ScopedCERTCertList& certList,
+ nsNSSCertList(mozilla::pkix::ScopedCERTCertList& certList,
const nsNSSShutDownPreventionLock& proofOfLock);
nsNSSCertList();
static CERTCertList* DupCertList(CERTCertList* aCertList,
const nsNSSShutDownPreventionLock&
proofOfLock);
private:
virtual ~nsNSSCertList();
virtual void virtualDestroyNSSReference();
void destructorSafeDestroyNSSReference();
- insanity::pkix::ScopedCERTCertList mCertList;
+ mozilla::pkix::ScopedCERTCertList mCertList;
nsNSSCertList(const nsNSSCertList&) MOZ_DELETE;
void operator=(const nsNSSCertList&) MOZ_DELETE;
};
class nsNSSCertListEnumerator: public nsISimpleEnumerator,
public nsNSSShutDownObject
{
@@ -109,17 +109,17 @@ public:
nsNSSCertListEnumerator(CERTCertList* certList,
const nsNSSShutDownPreventionLock& proofOfLock);
private:
virtual ~nsNSSCertListEnumerator();
virtual void virtualDestroyNSSReference();
void destructorSafeDestroyNSSReference();
- insanity::pkix::ScopedCERTCertList mCertList;
+ mozilla::pkix::ScopedCERTCertList mCertList;
nsNSSCertListEnumerator(const nsNSSCertListEnumerator&) MOZ_DELETE;
void operator=(const nsNSSCertListEnumerator&) MOZ_DELETE;
};
#define NS_NSS_LONG 4
#define NS_NSS_GET_LONG(x) ((((unsigned long)((x)[0])) << 24) | \
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp
@@ -8,17 +8,17 @@
#define CERT_AddTempCertToPerm __CERT_AddTempCertToPerm
#include "nsNSSComponent.h"
#include "nsNSSCertificateDB.h"
#include "CertVerifier.h"
#include "ExtendedValidation.h"
#include "NSSCertDBTrustDomain.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "nsNSSComponent.h"
#include "mozilla/Base64.h"
#include "nsCOMPtr.h"
#include "nsNSSCertificate.h"
#include "nsNSSHelper.h"
#include "nsNSSCertHelper.h"
#include "nsNSSCertCache.h"
#include "nsCRT.h"
@@ -108,17 +108,17 @@ nsNSSCertificateDB::FindCertByNickname(n
{
NS_ENSURE_ARG_POINTER(_rvCert);
*_rvCert = nullptr;
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
- insanity::pkix::ScopedCERTCertificate cert;
+ mozilla::pkix::ScopedCERTCertificate cert;
char *asciiname = nullptr;
NS_ConvertUTF16toUTF8 aUtf8Nickname(nickname);
asciiname = const_cast<char*>(aUtf8Nickname.get());
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting \"%s\"\n", asciiname));
cert = PK11_FindCertFromNickname(asciiname, nullptr);
if (!cert) {
cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), asciiname);
}
@@ -154,17 +154,17 @@ nsNSSCertificateDB::FindCertByDBKey(cons
dummy = NSSBase64_DecodeBuffer(nullptr, &keyItem, aDBkey,
(uint32_t)strlen(aDBkey));
if (!dummy || keyItem.len < NS_NSS_LONG*4) {
PR_FREEIF(keyItem.data);
return NS_ERROR_INVALID_ARG;
}
- insanity::pkix::ScopedCERTCertificate cert;
+ mozilla::pkix::ScopedCERTCertificate cert;
// someday maybe we can speed up the search using the moduleID and slotID
// moduleID = NS_NSS_GET_LONG(keyItem.data);
// slotID = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG]);
// build the issuer/SN structure
issuerSN.serialNumber.len = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG*2]);
issuerSN.derIssuer.len = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG*3]);
if (issuerSN.serialNumber.len == 0 || issuerSN.derIssuer.len == 0
@@ -198,17 +198,17 @@ nsNSSCertificateDB::FindCertNicknames(ns
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
nsresult rv = NS_ERROR_FAILURE;
/*
* obtain the cert list from NSS
*/
- insanity::pkix::ScopedCERTCertList certList;
+ mozilla::pkix::ScopedCERTCertList certList;
certList = PK11_ListCerts(PK11CertListUnique, nullptr);
if (!certList)
goto cleanup;
/*
* get list of cert names from list of certs
* XXX also cull the list (NSS only distinguishes based on user/non-user
*/
getCertNames(certList.get(), aType, _count, _certNames, locker);
@@ -353,17 +353,17 @@ nsNSSCertificateDB::handleCACertDownload
SECItem der;
rv=certToShow->GetRawDER(&der.len, (uint8_t **)&der.data);
if (NS_FAILED(rv))
return rv;
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
- insanity::pkix::ScopedCERTCertificate tmpCert;
+ mozilla::pkix::ScopedCERTCertificate tmpCert;
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
tmpCert = CERT_FindCertByDERCert(certdb, &der);
if (!tmpCert) {
tmpCert = CERT_NewTempCertificate(certdb, &der,
nullptr, false, true);
}
nsMemory::Free(der.data);
der.data = nullptr;
@@ -410,17 +410,17 @@ nsNSSCertificateDB::handleCACertDownload
trust.GetTrust());
if (srv != SECSuccess)
return NS_ERROR_FAILURE;
// Import additional delivered certificates that can be verified.
// build a CertList for filtering
- insanity::pkix::ScopedCERTCertList certList(CERT_NewCertList());
+ mozilla::pkix::ScopedCERTCertList certList(CERT_NewCertList());
if (!certList) {
return NS_ERROR_FAILURE;
}
// get all remaining certs into temp store
for (uint32_t i=0; i<numCerts; i++) {
if (i == selCertIndex) {
@@ -506,17 +506,17 @@ nsNSSCertificateDB::ImportCertificates(u
}
PORT_FreeArena(arena, false);
return nsrv;
}
static
SECStatus
ImportCertsIntoPermanentStorage(
- const insanity::pkix::ScopedCERTCertList& certChain,
+ const mozilla::pkix::ScopedCERTCertList& certChain,
const SECCertUsage usage, const PRBool caOnly)
{
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
int chainLen = 0;
for (CERTCertListNode *chainNode = CERT_LIST_HEAD(certChain);
!CERT_LIST_END(chainNode, certChain);
chainNode = CERT_LIST_NEXT(chainNode)) {
@@ -556,17 +556,17 @@ nsNSSCertificateDB::ImportEmailCertifica
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
SECStatus srv = SECFailure;
nsresult nsrv = NS_OK;
CERTCertDBHandle *certdb;
CERTCertificate **certArray = nullptr;
- insanity::pkix::ScopedCERTCertList certList;
+ mozilla::pkix::ScopedCERTCertList certList;
CERTCertListNode *node;
SECItem **rawArray;
int numcerts;
int i;
PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena)
return NS_ERROR_OUT_OF_MEMORY;
@@ -627,17 +627,17 @@ nsNSSCertificateDB::ImportEmailCertifica
for (node = CERT_LIST_HEAD(certList);
!CERT_LIST_END(node,certList);
node = CERT_LIST_NEXT(node)) {
if (!node->cert) {
continue;
}
- insanity::pkix::ScopedCERTCertList certChain;
+ mozilla::pkix::ScopedCERTCertList certChain;
SECStatus rv = certVerifier->VerifyCert(node->cert, nullptr,
certificateUsageEmailRecipient,
now, ctx, 0, &certChain);
if (rv != SECSuccess) {
nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(node->cert);
DisplayCertificateAlert(ctx, "NotImportingUnverifiedCert", certToShow, locker);
@@ -668,17 +668,17 @@ nsNSSCertificateDB::ImportServerCertific
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
SECStatus srv = SECFailure;
nsresult nsrv = NS_OK;
- insanity::pkix::ScopedCERTCertificate cert;
+ mozilla::pkix::ScopedCERTCertificate cert;
SECItem **rawCerts = nullptr;
int numcerts;
int i;
nsNSSCertTrust trust;
char *serverNickname = nullptr;
PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena)
@@ -795,17 +795,17 @@ nsNSSCertificateDB::ImportValidCACertsIn
/* go down the remaining list of certs and verify that they have
* valid chains, if yes, then import.
*/
CERTCertListNode *node;
for (node = CERT_LIST_HEAD(certList);
!CERT_LIST_END(node,certList);
node = CERT_LIST_NEXT(node)) {
- insanity::pkix::ScopedCERTCertList certChain;
+ mozilla::pkix::ScopedCERTCertList certChain;
SECStatus rv = certVerifier->VerifyCert(node->cert, nullptr,
certificateUsageVerifyCA,
PR_Now(), ctx, 0, &certChain);
if (rv != SECSuccess) {
nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(node->cert);
DisplayCertificateAlert(ctx, "NotImportingUnverifiedCert", certToShow, proofOfLock);
continue;
}
@@ -872,17 +872,17 @@ nsNSSCertificateDB::ImportUserCertificat
ScopedPK11SlotInfo slot;
nsAutoCString nickname;
nsresult rv = NS_ERROR_FAILURE;
int numCACerts;
SECItem *CACerts;
CERTDERCerts * collectArgs;
PLArenaPool *arena;
- insanity::pkix::ScopedCERTCertificate cert;
+ mozilla::pkix::ScopedCERTCertificate cert;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
goto loser;
}
collectArgs = getCertsFromPackage(arena, data, length, locker);
if (!collectArgs) {
@@ -949,17 +949,17 @@ loser:
NS_IMETHODIMP
nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
- insanity::pkix::ScopedCERTCertificate cert(nssCert->GetCert());
+ mozilla::pkix::ScopedCERTCertificate cert(nssCert->GetCert());
if (!cert) return NS_ERROR_FAILURE;
SECStatus srv = SECSuccess;
uint32_t certType;
nssCert->GetCertType(&certType);
if (NS_FAILED(nssCert->MarkForPermDeletion()))
{
return NS_ERROR_FAILURE;
@@ -996,17 +996,17 @@ nsNSSCertificateDB::SetCertTrust(nsIX509
return NS_ERROR_NOT_AVAILABLE;
}
nsNSSCertTrust trust;
nsresult rv;
nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert, &rv);
if (!pipCert) {
return rv;
}
- insanity::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
+ mozilla::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
rv = attemptToLogInWithDefaultPassword();
if (NS_WARN_IF(rv != NS_OK)) {
return rv;
}
SECStatus srv;
if (type == nsIX509Cert::CA_CERT) {
@@ -1049,17 +1049,17 @@ nsNSSCertificateDB::IsCertTrusted(nsIX50
*_isTrusted = false;
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
SECStatus srv;
nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
- insanity::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
+ mozilla::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
CERTCertTrust nsstrust;
srv = CERT_GetCertTrust(nsscert.get(), &nsstrust);
if (srv != SECSuccess)
return NS_ERROR_FAILURE;
nsNSSCertTrust trust(&nsstrust);
if (certType == nsIX509Cert::CA_CERT) {
if (trustType & nsIX509CertDB::TRUSTED_SSL) {
@@ -1297,17 +1297,17 @@ nsNSSCertificateDB::FindEmailEncryptionC
}
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
char *asciiname = nullptr;
NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
asciiname = const_cast<char*>(aUtf8Nickname.get());
/* Find a good cert in the user's database */
- insanity::pkix::ScopedCERTCertificate cert;
+ mozilla::pkix::ScopedCERTCertificate cert;
cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname,
certUsageEmailRecipient, true, ctx);
if (!cert) {
return NS_OK;
}
nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert.get());
if (!nssCert) {
@@ -1327,17 +1327,17 @@ nsNSSCertificateDB::FindEmailSigningCert
if (aNickname.IsEmpty())
return NS_OK;
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
- insanity::pkix::ScopedCERTCertificate cert;
+ mozilla::pkix::ScopedCERTCertificate cert;
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
char *asciiname = nullptr;
NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
asciiname = const_cast<char*>(aUtf8Nickname.get());
/* Find a good cert in the user's database */
cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname,
certUsageEmailSigner, true, ctx);
@@ -1457,17 +1457,17 @@ nsNSSCertificateDB::ConstructX509(const
return NS_ERROR_INVALID_POINTER;
}
SECItem secitem_cert;
secitem_cert.type = siDERCertBuffer;
secitem_cert.data = (unsigned char*)certDER;
secitem_cert.len = lengthDER;
- insanity::pkix::ScopedCERTCertificate cert;
+ mozilla::pkix::ScopedCERTCertificate cert;
cert =
CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &secitem_cert,
nullptr, false, true);
if (!cert)
return (PORT_GetError() == SEC_ERROR_NO_MEMORY)
? NS_ERROR_OUT_OF_MEMORY : NS_ERROR_FAILURE;
nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(cert.get());
@@ -1556,17 +1556,17 @@ nsNSSCertificateDB::get_default_nickname
if (!tmp) {
nickname.Truncate();
return;
}
nickname = tmp;
PR_smprintf_free(tmp);
}
- insanity::pkix::ScopedCERTCertificate dummycert;
+ mozilla::pkix::ScopedCERTCertificate dummycert;
if (PK11_IsInternal(slot)) {
/* look up the nickname to make sure it isn't in use already */
dummycert = CERT_FindCertByNickname(defaultcertdb, nickname.get());
} else {
/*
* Check the cert against others that already live on the smart
@@ -1617,17 +1617,17 @@ NS_IMETHODIMP nsNSSCertificateDB::AddCer
NS_ENSURE_SUCCESS(rv, rv);
SECItem der;
rv = newCert->GetRawDER(&der.len, (uint8_t **)&der.data);
NS_ENSURE_SUCCESS(rv, rv);
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
- insanity::pkix::ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der));
+ mozilla::pkix::ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der));
if (!tmpCert)
tmpCert = CERT_NewTempCertificate(certdb, &der,
nullptr, false, true);
nsMemory::Free(der.data);
der.data = nullptr;
der.len = 0;
if (!tmpCert) {
@@ -1672,17 +1672,17 @@ nsNSSCertificateDB::SetCertTrustFromStri
CERTCertTrust trust;
// need to calculate the trust bits from the aTrust string.
SECStatus srv = CERT_DecodeTrustString(&trust,
const_cast<char *>(trustString));
if (srv != SECSuccess) {
return MapSECStatus(SECFailure);
}
- insanity::pkix::ScopedCERTCertificate nssCert(cert->GetCert());
+ mozilla::pkix::ScopedCERTCertificate nssCert(cert->GetCert());
nsresult rv = attemptToLogInWithDefaultPassword();
if (NS_WARN_IF(rv != NS_OK)) {
return rv;
}
srv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), nssCert.get(), &trust);
return MapSECStatus(srv);
@@ -1693,17 +1693,17 @@ nsNSSCertificateDB::GetCerts(nsIX509Cert
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
nsCOMPtr<nsIX509CertList> nssCertList;
- insanity::pkix::ScopedCERTCertList certList(
+ mozilla::pkix::ScopedCERTCertList certList(
PK11_ListCerts(PK11CertListUnique, ctx));
// nsNSSCertList 1) adopts certList, and 2) handles the nullptr case fine.
// (returns an empty list)
nssCertList = new nsNSSCertList(certList, locker);
*_retval = nssCertList;
NS_ADDREF(*_retval);
@@ -1763,17 +1763,17 @@ nsNSSCertificateDB::VerifyCertNow(nsIX50
if (!x509Cert) {
return NS_ERROR_INVALID_ARG;
}
ScopedCERTCertificate nssCert(x509Cert->GetCert());
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
- insanity::pkix::ScopedCERTCertList resultChain;
+ mozilla::pkix::ScopedCERTCertList resultChain;
SECOidTag evOidPolicy;
SECStatus srv;
srv = certVerifier->VerifyCert(nssCert, nullptr,
aUsage, PR_Now(),
nullptr, // Assume no context
aFlags,
&resultChain,
@@ -1806,17 +1806,17 @@ nsNSSCertificateDB::ClearOCSPCache()
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
- if (certVerifier->mImplementation == CertVerifier::insanity) {
+ if (certVerifier->mImplementation == CertVerifier::mozillapkix) {
certVerifier->ClearOCSPCache();
} else {
SECStatus srv = CERT_ClearOCSPCache();
if (srv != SECSuccess) {
return MapSECStatus(srv);
}
}
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -966,19 +966,19 @@ void nsNSSComponent::setValidationOption
bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling",
true);
PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
CertVerifier::implementation_config certVerifierImplementation
= CertVerifier::classic;
- // The insanity::pkix pref overrides the libpkix pref
- if (Preferences::GetBool("security.use_insanity_verification", false)) {
- certVerifierImplementation = CertVerifier::insanity;
+ // The mozilla::pkix pref overrides the libpkix pref
+ if (Preferences::GetBool("security.use_mozillapkix_verification", false)) {
+ certVerifierImplementation = CertVerifier::mozillapkix;
} else {
#ifndef NSS_NO_LIBPKIX
if (Preferences::GetBool("security.use_libpkix_verification", false)) {
certVerifierImplementation = CertVerifier::libpkix;
}
#endif
}
@@ -992,19 +992,19 @@ void nsNSSComponent::setValidationOption
#ifndef NSS_NO_LIBPKIX
aiaDownloadEnabled ?
CertVerifier::missing_cert_download_on : CertVerifier::missing_cert_download_off,
crlDownloading ?
CertVerifier::crl_download_allowed : CertVerifier::crl_local_only,
#endif
odc, osc, ogc);
- // insanity::pkix has its own OCSP cache, so disable the NSS cache
+ // mozilla::pkix has its own OCSP cache, so disable the NSS cache
// if appropriate.
- if (certVerifierImplementation == CertVerifier::insanity) {
+ if (certVerifierImplementation == CertVerifier::mozillapkix) {
// Using -1 disables the cache. The other arguments are the default
// values and aren't exposed by the API.
CERT_OCSPCacheSettings(-1, 1*60*60L, 24*60*60L);
} else {
// Using 1000 enables the cache with the default size of 1000. Again,
// these values are not exposed by the API.
CERT_OCSPCacheSettings(1000, 1*60*60L, 24*60*60L);
}
@@ -1612,17 +1612,17 @@ nsNSSComponent::Observe(nsISupports* aSu
ALPN_ENABLED_DEFAULT));
} else if (prefName.Equals("security.OCSP.enabled")
|| prefName.Equals("security.CRL_download.enabled")
|| prefName.Equals("security.fresh_revocation_info.require")
|| prefName.Equals("security.missing_cert_download.enabled")
|| prefName.Equals("security.OCSP.require")
|| prefName.Equals("security.OCSP.GET.enabled")
|| prefName.Equals("security.ssl.enable_ocsp_stapling")
- || prefName.Equals("security.use_insanity_verification")
+ || prefName.Equals("security.use_mozillapkix_verification")
|| prefName.Equals("security.use_libpkix_verification")) {
MutexAutoLock lock(mutex);
setValidationOptions(false, lock);
} else if (prefName.Equals("network.ntlm.send-lm-response")) {
bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response",
SEND_LM_DEFAULT);
nsNTLMAuthModule::SetSendLM(sendLM);
clearSessionCache = false;
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -1,17 +1,17 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsNSSIOLayer.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "nsNSSComponent.h"
#include "mozilla/Casting.h"
#include "mozilla/DebugOnly.h"
#include "mozilla/Telemetry.h"
#include "prlog.h"
#include "prnetdb.h"
#include "nsIPrefService.h"
@@ -1865,19 +1865,19 @@ nsNSS_SSLGetClientAuthData(void* arg, PR
return runnable->mRV;
}
void
ClientAuthDataRunnable::RunOnTargetThread()
{
PLArenaPool* arena = nullptr;
char** caNameStrings;
- insanity::pkix::ScopedCERTCertificate cert;
+ mozilla::pkix::ScopedCERTCertificate cert;
ScopedSECKEYPrivateKey privKey;
- insanity::pkix::ScopedCERTCertList certList;
+ mozilla::pkix::ScopedCERTCertList certList;
CERTCertListNode* node;
ScopedCERTCertNicknames nicknames;
char* extracted = nullptr;
int keyError = 0; // used for private key retrieval error
SSM_UserCertChoice certChoice;
int32_t NumberOfCerts = 0;
void* wincx = mSocketInfo;
nsresult rv;
--- a/security/manager/ssl/src/nsPKCS12Blob.cpp
+++ b/security/manager/ssl/src/nsPKCS12Blob.cpp
@@ -1,16 +1,16 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* $Id: nsPKCS12Blob.cpp,v 1.49 2007/09/05 07:13:46 jwalden%mit.edu Exp $ */
#include "nsPKCS12Blob.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "prmem.h"
#include "prprf.h"
#include "nsIFile.h"
#include "nsNetUtil.h"
#include "nsIDirectoryService.h"
#include "nsThreadUtils.h"
@@ -302,17 +302,17 @@ nsPKCS12Blob::ExportToFile(nsIFile *file
goto finish;
}
// add password integrity
srv = SEC_PKCS12AddPasswordIntegrity(ecx, &unicodePw, SEC_OID_SHA1);
if (srv) goto finish;
for (i=0; i<numCerts; i++) {
nsNSSCertificate *cert = (nsNSSCertificate *)certs[i];
// get it as a CERTCertificate XXX
- insanity::pkix::ScopedCERTCertificate nssCert(cert->GetCert());
+ mozilla::pkix::ScopedCERTCertificate nssCert(cert->GetCert());
if (!nssCert) {
rv = NS_ERROR_FAILURE;
goto finish;
}
// We can only successfully export certs that are on
// internal token. Most, if not all, smart card vendors
// won't let you extract the private key (in any way
// shape or form) from the card. So let's punt if
--- a/security/manager/ssl/src/nsRecentBadCerts.cpp
+++ b/security/manager/ssl/src/nsRecentBadCerts.cpp
@@ -1,17 +1,17 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsRecentBadCerts.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "nsIX509Cert.h"
#include "nsIObserverService.h"
#include "mozilla/RefPtr.h"
#include "mozilla/Services.h"
#include "nsSSLStatus.h"
#include "nsCOMPtr.h"
#include "nsNSSCertificate.h"
#include "nsCRT.h"
@@ -67,17 +67,17 @@ nsRecentBadCerts::GetRecentBadCert(const
isNotValidAtThisTime = mCerts[i].isNotValidAtThisTime;
isUntrusted = mCerts[i].isUntrusted;
}
}
}
if (foundDER.len) {
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
- insanity::pkix::ScopedCERTCertificate nssCert(
+ mozilla::pkix::ScopedCERTCertificate nssCert(
CERT_FindCertByDERCert(certdb, &foundDER));
if (!nssCert)
nssCert = CERT_NewTempCertificate(certdb, &foundDER,
nullptr, // no nickname
false, // not perm
true); // copy der
SECITEM_FreeItem(&foundDER, false);
--- a/security/manager/ssl/tests/gtest/moz.build
+++ b/security/manager/ssl/tests/gtest/moz.build
@@ -10,13 +10,13 @@ LIBXUL_LIBRARY = True
SOURCES += [
'OCSPCacheTest.cpp',
'TLSIntoleranceTest.cpp',
]
LOCAL_INCLUDES += [
'../../../../certverifier',
- '../../../../insanity/include',
+ '../../../../pkix/include',
'/security/manager/ssl/src',
]
include('/ipc/chromium/chromium-config.mozbuild')
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -67,76 +67,76 @@ function run_test() {
add_test(function () {
fakeOCSPResponder.stop(check_telemetry);
});
run_next_test();
}
-function add_tests_in_mode(useInsanity) {
+function add_tests_in_mode(useMozillaPKIX) {
add_test(function () {
- Services.prefs.setBoolPref("security.use_insanity_verification",
- useInsanity);
+ Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+ useMozillaPKIX);
run_next_test();
});
- add_simple_tests(useInsanity);
- add_combo_tests(useInsanity);
- add_distrust_tests(useInsanity);
+ add_simple_tests(useMozillaPKIX);
+ add_combo_tests(useMozillaPKIX);
+ add_distrust_tests(useMozillaPKIX);
add_test(function () {
certOverrideService.clearValidityOverride("all:temporary-certificates", 0);
run_next_test();
});
}
-function add_simple_tests(useInsanity) {
+function add_simple_tests(useMozillaPKIX) {
add_cert_override_test("expired.example.com",
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE));
add_cert_override_test("selfsigned.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
- useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_CA_CERT_INVALID));
+ useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+ : SEC_ERROR_CA_CERT_INVALID));
add_cert_override_test("unknownissuer.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
add_cert_override_test("expiredissuer.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
- useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
+ useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+ : SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
add_cert_override_test("md5signature.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
add_cert_override_test("mismatch.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH,
getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
// A Microsoft IIS utility generates self-signed certificates with
// properties similar to the one this "host" will present (see
// tlsserver/generate_certs.sh).
// One of the errors classic verification collects is that this
// certificate has an inadequate key usage to sign a certificate
// (i.e. itself). As a result, to be able to override this,
// SEC_ERROR_INADEQUATE_KEY_USAGE must be overridable (although,
// confusingly, this isn't the main error reported).
- // insanity::pkix just says this certificate's issuer is unknown.
+ // mozilla::pkix just says this certificate's issuer is unknown.
add_cert_override_test("selfsigned-inadequateEKU.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
- useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_CA_CERT_INVALID));
+ useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+ : SEC_ERROR_CA_CERT_INVALID));
// SEC_ERROR_INADEQUATE_KEY_USAGE is overridable in general for
- // classic verification, but not for insanity::pkix verification.
- if (useInsanity) {
+ // classic verification, but not for mozilla::pkix verification.
+ if (useMozillaPKIX) {
add_connection_test("inadequatekeyusage.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE),
null,
function (securityInfo) {
// bug 754369 - no SSLStatus probably means this is
// a non-overridable error, which is what we're testing
// (although it would be best to test this directly).
securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
@@ -144,70 +144,70 @@ function add_simple_tests(useInsanity) {
});
} else {
add_cert_override_test("inadequatekeyusage.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE));
}
}
-function add_combo_tests(useInsanity) {
+function add_combo_tests(useMozillaPKIX) {
// Note that "untrusted" here really is "unknown issuer" in the
- // insanity::pkix case.
+ // mozilla::pkix case.
add_cert_override_test("mismatch-expired.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
add_cert_override_test("mismatch-untrusted.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
- useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER));
+ useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+ : SEC_ERROR_UNTRUSTED_ISSUER));
add_cert_override_test("untrusted-expired.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(
- useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER));
+ useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+ : SEC_ERROR_UNTRUSTED_ISSUER));
add_cert_override_test("mismatch-untrusted-expired.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(
- useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER));
+ useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+ : SEC_ERROR_UNTRUSTED_ISSUER));
add_cert_override_test("md5signature-expired.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
}
-function add_distrust_tests(useInsanity) {
+function add_distrust_tests(useMozillaPKIX) {
// Before we specifically distrust this certificate, it should be trusted.
add_connection_test("untrusted.example.com", Cr.NS_OK);
// XXX(Bug 975777): Active distrust is an overridable error when NSS-based
// verification is used.
add_distrust_override_test("tlsserver/default-ee.der",
"untrusted.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT),
- useInsanity
+ useMozillaPKIX
? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT)
: Cr.NS_OK);
// XXX(Bug 975777): Active distrust is an overridable error when NSS-based
// verification is used.
add_distrust_override_test("tlsserver/other-test-ca.der",
"untrustedissuer.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER),
- useInsanity
+ useMozillaPKIX
? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER)
: Cr.NS_OK);
}
function add_distrust_override_test(certFileName, hostName,
expectedResultBefore, expectedResultAfter) {
let certToDistrust = constructCertFromFile(certFileName);
--- a/security/manager/ssl/tests/unit/test_cert_signatures.js
+++ b/security/manager/ssl/tests/unit/test_cert_signatures.js
@@ -44,33 +44,33 @@ function run_test() {
load_ca("ca-rsa");
load_ca("ca-p384");
load_ca("ca-dsa");
run_test_in_mode(true);
run_test_in_mode(false);
}
-function run_test_in_mode(useInsanity) {
- Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+ Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
clearOCSPCache();
clearSessionCache();
check_ca("ca-rsa");
check_ca("ca-p384");
check_ca("ca-dsa");
- // insanity::pkix does not allow CA certs to be validated for end-entity
+ // mozilla::pkix does not allow CA certs to be validated for end-entity
// usages.
- let int_usage = useInsanity
+ let int_usage = useMozillaPKIX
? 'SSL CA'
: 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
- // insanity::pkix doesn't implement the Netscape Object Signer restriction.
- const ee_usage = useInsanity
+ // mozilla::pkix doesn't implement the Netscape Object Signer restriction.
+ const ee_usage = useMozillaPKIX
? 'Client,Server,Sign,Encrypt,Object Signer'
: 'Client,Server,Sign,Encrypt';
let cert2usage = {
// certs without the "int" prefix are end entity certs.
'int-rsa-valid': int_usage,
'rsa-valid': ee_usage,
'int-p384-valid': int_usage,
--- a/security/manager/ssl/tests/unit/test_cert_trust.js
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -34,207 +34,207 @@ function check_cert_err_generic(cert, ex
do_print("cert issuer cn=" + cert.issuerCommonName);
let hasEVPolicy = {};
let verifiedChain = {};
let error = certdb.verifyCertNow(cert, usage,
NO_FLAGS, verifiedChain, hasEVPolicy);
do_check_eq(error, expected_error);
};
-function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useInsanity) {
+function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKIX) {
// On reset most usages are successful
check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
- check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+ : SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA); // expected no bc
check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
- check_cert_err_generic(ee_cert, useInsanity ? 0
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+ : SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner); // expected
- check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INVALID_ARGS,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+ : SEC_ERROR_INVALID_ARGS,
certificateUsageVerifyCA); // expected no bc
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder); //expected
// Test of active distrust. No usage should pass.
setCertTrust(cert_to_modify_trust, 'p,p,p');
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
- check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+ : SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient);
- check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_UNTRUSTED_ISSUER
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
+ : SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner);
- check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INVALID_ARGS,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+ : SEC_ERROR_INVALID_ARGS,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
// Trust set to T - trusted CA to issue client certs, where client cert is
// usageSSLClient.
setCertTrust(cert_to_modify_trust, 'T,T,T');
- check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER
+ check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+ : SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageSSLServer);
- check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340
- : 0
+ check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340
+ : 0
: 0,
certificateUsageSSLClient);
- check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+ : SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA);
- check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER
+ check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+ : SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageEmailSigner);
- check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER
+ check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+ : SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageEmailRecipient);
- check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_INADEQUATE_CERT_TYPE
- : useInsanity ? 0
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+ : SEC_ERROR_INADEQUATE_CERT_TYPE
+ : useMozillaPKIX ? 0
+ : SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner);
- check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INVALID_ARGS,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+ : SEC_ERROR_INVALID_ARGS,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
// Now tests on the SSL trust bit
setCertTrust(cert_to_modify_trust, 'p,C,C');
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
- check_cert_err_generic(ee_cert, useInsanity ? 0 //XXX Bug 982340
- : SEC_ERROR_UNTRUSTED_ISSUER,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 //XXX Bug 982340
+ : SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
- check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+ : SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
- check_cert_err_generic(ee_cert, useInsanity ? 0
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+ : SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner);
- check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INVALID_ARGS,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+ : SEC_ERROR_INVALID_ARGS,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
// Inherited trust SSL
setCertTrust(cert_to_modify_trust, ',C,C');
- check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER
+ check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+ : SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageSSLServer);
- check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? 0 // XXX Bug 982340
- : SEC_ERROR_UNTRUSTED_ISSUER
+ check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? 0 // XXX Bug 982340
+ : SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageSSLClient);
- check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+ : SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
- check_cert_err_generic(ee_cert, useInsanity ? 0
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+ : SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner);
- check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INVALID_ARGS,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+ : SEC_ERROR_INVALID_ARGS,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
// Now tests on the EMAIL trust bit
setCertTrust(cert_to_modify_trust, 'C,p,C');
check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
- : useInsanity ? SEC_ERROR_UNTRUSTED_ISSUER
- : 0, // Insanity is OK, NSS bug
+ : useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
+ : 0, // Insanity is OK, NSS bug
certificateUsageSSLClient);
- check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+ : SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient);
- check_cert_err_generic(ee_cert, useInsanity ? 0
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+ : SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner);
- check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INVALID_ARGS,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+ : SEC_ERROR_INVALID_ARGS,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
//inherited EMAIL Trust
setCertTrust(cert_to_modify_trust, 'C,,C');
check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
- check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER
+ check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+ : SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageSSLClient);
- check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+ : SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA);
- check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER
+ check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+ : SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageEmailSigner);
- check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER
+ check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+ : SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageEmailRecipient);
- check_cert_err_generic(ee_cert, useInsanity ? 0
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+ : SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner);
- check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INVALID_ARGS,
+ check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+ : SEC_ERROR_INVALID_ARGS,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
}
-function run_test_in_mode(useInsanity) {
- Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+ Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
let ca_cert = certdb.findCertByNickname(null, 'ca');
do_check_false(!ca_cert)
let int_cert = certdb.findCertByNickname(null, 'int');
do_check_false(!int_cert)
let ee_cert = certdb.findCertByNickname(null, 'ee');
do_check_false(!ee_cert);
setup_basic_trusts(ca_cert, int_cert);
- test_ca_distrust(ee_cert, ca_cert, true, useInsanity);
+ test_ca_distrust(ee_cert, ca_cert, true, useMozillaPKIX);
setup_basic_trusts(ca_cert, int_cert);
- test_ca_distrust(ee_cert, int_cert, false, useInsanity);
+ test_ca_distrust(ee_cert, int_cert, false, useMozillaPKIX);
}
function run_test() {
for (let i = 0 ; i < certList.length; i++) {
load_cert(certList[i], ',,');
}
run_test_in_mode(true);
--- a/security/manager/ssl/tests/unit/test_certificate_usages.js
+++ b/security/manager/ssl/tests/unit/test_certificate_usages.js
@@ -30,46 +30,46 @@ function run_test() {
do_print("ca_name=" + ca_name);
var cert = certdb.findCertByNickname(null, ca_name);
}
run_test_in_mode(true);
run_test_in_mode(false);
}
-function run_test_in_mode(useInsanity) {
- Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+ Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
clearOCSPCache();
clearSessionCache();
- // insanity::pkix does not allow CA certs to be validated for non-CA usages.
- var allCAUsages = useInsanity
+ // mozilla::pkix does not allow CA certs to be validated for non-CA usages.
+ var allCAUsages = useMozillaPKIX
? 'SSL CA'
: 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
- // insanity::pkix doesn't allow CA certificates to have the Status Responder
+ // mozilla::pkix doesn't allow CA certificates to have the Status Responder
// EKU.
var ca_usages = [allCAUsages,
'SSL CA',
allCAUsages,
- useInsanity ? ''
- : 'Client,Server,Sign,Encrypt,Status Responder'];
+ useMozillaPKIX ? ''
+ : 'Client,Server,Sign,Encrypt,Status Responder'];
- // insanity::pkix doesn't implement the Netscape Object Signer restriction.
- var basicEndEntityUsages = useInsanity
+ // mozilla::pkix doesn't implement the Netscape Object Signer restriction.
+ var basicEndEntityUsages = useMozillaPKIX
? 'Client,Server,Sign,Encrypt,Object Signer'
: 'Client,Server,Sign,Encrypt';
var basicEndEntityUsagesWithObjectSigner = basicEndEntityUsages + ",Object Signer"
- // insanity::pkix won't let a certificate with the "Status Responder" EKU get
+ // mozilla::pkix won't let a certificate with the "Status Responder" EKU get
// validated for any other usage.
- var statusResponderUsages = (useInsanity ? "" : "Server,") + "Status Responder";
+ var statusResponderUsages = (useMozillaPKIX ? "" : "Server,") + "Status Responder";
var statusResponderUsagesFull
- = useInsanity ? statusResponderUsages
- : basicEndEntityUsages + ',Object Signer,Status Responder';
+ = useMozillaPKIX ? statusResponderUsages
+ : basicEndEntityUsages + ',Object Signer,Status Responder';
var ee_usages = [
[ basicEndEntityUsages,
basicEndEntityUsages,
basicEndEntityUsages,
'',
statusResponderUsagesFull,
'Client,Server',
@@ -96,26 +96,26 @@ function run_test_in_mode(useInsanity) {
'Sign,Encrypt,Object Signer',
statusResponderUsages
],
// The CA has isCA=true without keyCertSign.
//
// The 'classic' NSS mode uses the 'union' of the
// capabilites so the cert is considered a CA.
- // insanity::pkix and libpkix use the intersection of
+ // mozilla::pkix and libpkix use the intersection of
// capabilites, so the cert is NOT considered a CA.
- [ useInsanity ? '' : basicEndEntityUsages,
- useInsanity ? '' : basicEndEntityUsages,
- useInsanity ? '' : basicEndEntityUsages,
+ [ useMozillaPKIX ? '' : basicEndEntityUsages,
+ useMozillaPKIX ? '' : basicEndEntityUsages,
+ useMozillaPKIX ? '' : basicEndEntityUsages,
'',
- useInsanity ? '' : statusResponderUsagesFull,
- useInsanity ? '' : 'Client,Server',
- useInsanity ? '' : 'Sign,Encrypt,Object Signer',
- useInsanity ? '' : 'Server,Status Responder'
+ useMozillaPKIX ? '' : statusResponderUsagesFull,
+ useMozillaPKIX ? '' : 'Client,Server',
+ useMozillaPKIX ? '' : 'Sign,Encrypt,Object Signer',
+ useMozillaPKIX ? '' : 'Server,Status Responder'
]
];
do_check_eq(gNumCAs, ca_usages.length);
for (var i = 0; i < gNumCAs; i++) {
var ca_name = "ca-" + (i + 1);
var verified = {};
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -114,21 +114,21 @@ function run_test() {
// setup and start ocsp responder
Services.prefs.setCharPref("network.dns.localDomains",
'www.example.com, crl.example.com');
add_tests_in_mode(true);
add_tests_in_mode(false);
run_next_test();
}
-function add_tests_in_mode(useInsanity)
+function add_tests_in_mode(useMozillaPKIX)
{
add_test(function () {
- Services.prefs.setBoolPref("security.use_insanity_verification",
- useInsanity);
+ Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+ useMozillaPKIX);
run_next_test();
});
add_test(function () {
clearOCSPCache();
let ocspResponder = start_ocsp_responder(
isDebugBuild ? ["int-ev-valid", "ev-valid"]
: ["ev-valid"]);
@@ -157,18 +157,18 @@ function add_tests_in_mode(useInsanity)
const nsIX509Cert = Ci.nsIX509Cert;
add_test(function() {
let evRootCA = certdb.findCertByNickname(null, evrootnick);
certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
check_cert_err("ev-valid",
- useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER);
+ useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+ : SEC_ERROR_UNTRUSTED_ISSUER);
ocspResponder.stop(run_next_test);
});
// bug 917380: Chcek that a trusted EV root is trusted after disabling and
// re-enabling trust.
add_test(function() {
let evRootCA = certdb.findCertByNickname(null, evrootnick);
certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
@@ -181,33 +181,33 @@ function add_tests_in_mode(useInsanity)
isDebugBuild ? ["int-ev-valid", "ev-valid"]
: ["ev-valid"]);
check_ee_for_ev("ev-valid", isDebugBuild);
ocspResponder.stop(run_next_test);
});
add_test(function () {
check_no_ocsp_requests("ev-valid",
- useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED
- : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
- : SEC_ERROR_EXTENSION_NOT_FOUND));
+ useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
+ : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
+ : SEC_ERROR_EXTENSION_NOT_FOUND));
});
add_test(function () {
check_no_ocsp_requests("non-ev-root",
- useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED
- : (isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER
- : SEC_ERROR_EXTENSION_NOT_FOUND));
+ useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
+ : (isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER
+ : SEC_ERROR_EXTENSION_NOT_FOUND));
});
add_test(function () {
check_no_ocsp_requests("no-ocsp-url-cert",
- useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED
- : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
- : SEC_ERROR_EXTENSION_NOT_FOUND));
+ useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
+ : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
+ : SEC_ERROR_EXTENSION_NOT_FOUND));
});
// Test the EV continues to work with flags after successful EV verification
add_test(function () {
clearOCSPCache();
let ocspResponder = start_ocsp_responder(
isDebugBuild ? ["int-ev-valid", "ev-valid"]
: ["ev-valid"]);
@@ -221,18 +221,18 @@ function add_tests_in_mode(useInsanity)
let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
let error = certdb.verifyCertNow(cert, certificateUsageSSLServer,
flags, verifiedChain, hasEVPolicy);
do_check_eq(hasEVPolicy.value, isDebugBuild);
do_check_eq(error,
isDebugBuild ? 0
- : (useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED
- : SEC_ERROR_EXTENSION_NOT_FOUND));
+ : (useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
+ : SEC_ERROR_EXTENSION_NOT_FOUND));
failingOcspResponder.stop(run_next_test);
});
});
}
// bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert
// to prevent spurious OCSP requests that race with OCSP stapling.
// This has the side-effect of saying an EV certificate is not EV if
--- a/security/manager/ssl/tests/unit/test_getchain.js
+++ b/security/manager/ssl/tests/unit/test_getchain.js
@@ -65,18 +65,18 @@ function check_getchain(ee_cert, ssl_ca,
certdb.setCertTrust(ssl_ca, nsIX509Cert.CA_CERT, 0);
check_matching_issuer_and_getchain(email_ca.serialNumber, ee_cert);
certdb.setCertTrust(email_ca, nsIX509Cert.CA_CERT, 0);
// Do a final test on the case of no trust. The results must
// be cosistent (the actual value is non-deterministic).
check_matching_issuer_and_getchain(ee_cert.issuer.serialNumber, ee_cert);
}
-function run_test_in_mode(useInsanity) {
- Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+ Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
clearOCSPCache();
clearSessionCache();
for (let i = 0 ; i < certList.length; i++) {
load_cert(certList[i], ',,');
}
let ee_cert = certdb.findCertByNickname(null, 'ee');
--- a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
@@ -33,28 +33,28 @@ function test_cert_for_usages(certChainN
let cert = certs[0];
let verified = {};
let usages = {};
cert.getUsagesString(true, verified, usages);
do_print("usages.value = " + usages.value);
do_check_eq(expected_usages_string, usages.value);
}
-function run_test_in_mode(useInsanity) {
- Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+ Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
- // insanity::pkix doesn't support the obsolete Netscape object signing
+ // mozilla::pkix doesn't support the obsolete Netscape object signing
// extension, but NSS does.
- let ee_usage1 = useInsanity
+ let ee_usage1 = useMozillaPKIX
? 'Client,Server,Sign,Encrypt,Object Signer'
: 'Client,Server,Sign,Encrypt'
- // insanity::pkix doesn't validate CA certificates for non-CA uses, but
+ // mozilla::pkix doesn't validate CA certificates for non-CA uses, but
// NSS does.
- let ca_usage1 = useInsanity
+ let ca_usage1 = useMozillaPKIX
? "SSL CA"
: 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
// Load the ca into mem
let ca_name = "ca";
load_cert(ca_name, "CTu,CTu,CTu");
do_print("ca_name = " + ca_name);
test_cert_for_usages([ca_name], ca_usage1);
@@ -80,36 +80,36 @@ function run_test_in_mode(useInsanity) {
test_cert_for_usages(["ee-int-limited-depth", "int-limited-depth"],
ee_usage1);
// ca
// int-limited-depth (cA==true, pathLenConstraint==0)
// int-limited-depth-invalid (cA==true)
//
// XXX: It seems the NSS code does not consider the path length of the
- // certificate we're validating, but insanity::pkix does. insanity::pkix's
+ // certificate we're validating, but mozilla::pkix does. mozilla::pkix's
// behavior is correct.
test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"],
- useInsanity ? "" : ca_usage1);
+ useMozillaPKIX ? "" : ca_usage1);
test_cert_for_usages(["ee-int-limited-depth-invalid",
"int-limited-depth-invalid",
"int-limited-depth"],
"");
// int-valid-ku-no-eku has keyCertSign
test_cert_for_usages(["int-valid-ku-no-eku"], "SSL CA");
test_cert_for_usages(["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"],
ee_usage1);
// int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension
- // but the KU extension is missing keyCertSign. Note that insanity::pkix
+ // but the KU extension is missing keyCertSign. Note that mozilla::pkix
// doesn't validate certificates with basicConstraints.Ca==true for non-CA
// uses, but NSS does.
test_cert_for_usages(["int-bad-ku-no-eku"],
- useInsanity
+ useMozillaPKIX
? ""
: 'Client,Server,Sign,Encrypt,Status Responder');
test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], "");
// int-no-ku-no-eku has basicConstraints.cA==true and no KU extension.
// We treat a missing KU as "any key usage is OK".
test_cert_for_usages(["int-no-ku-no-eku"], ca_usage1);
test_cert_for_usages(["ee-int-no-ku-no-eku", "int-no-ku-no-eku"], ee_usage1);
--- a/security/manager/ssl/tests/unit/test_name_constraints.js
+++ b/security/manager/ssl/tests/unit/test_name_constraints.js
@@ -45,18 +45,18 @@ function check_ok_ca (x) {
function check_fail(x) {
return check_cert_err(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
}
function check_fail_ca(x) {
return check_cert_err_generic(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLCA);
}
-function run_test_in_mode(useInsanity) {
- Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+function run_test_in_mode(useMozillaPKIX) {
+ Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
// Note that CN is only looked at when there is NO subjectAltName!
// Testing with a unconstrained root, and intermediate constrained to PERMIT
// foo.com. All failures on this section are doe to the cert DNS names
// not being under foo.com.
check_ok_ca(load_cert('int-nc-perm-foo.com-ca-nc', ',,'));
// no dirName
@@ -256,17 +256,17 @@ function run_test_in_mode(useInsanity) {
check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-int-ca-nc-perm-foo.com.der'));
check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der'));
check_ok(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der'));
check_ok(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-int-ca-nc-perm-foo.com.der'));
check_fail(certFromFile('cn-www.foo.org_o-bar_c-us-alt-foo.org-int-ca-nc-perm-foo.com.der'));
check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.der'));
// We don't enforce dNSName name constraints on CN unless we're validating
- // for the server EKU. libpkix gets this wrong but insanity::pkix and classic
+ // for the server EKU. libpkix gets this wrong but mozilla::pkix and classic
// NSS get it right.
{
let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der');
check_cert_err_generic(cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLServer);
check_cert_err_generic(cert, 0, certificateUsageSSLClient);
}
}
--- a/security/manager/ssl/tests/unit/test_ocsp_caching.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js
@@ -42,20 +42,20 @@ function run_test() {
add_tests_in_mode(true);
add_tests_in_mode(false);
add_test(function() { ocspResponder.stop(run_next_test); });
run_next_test();
}
-function add_tests_in_mode(useInsanity) {
+function add_tests_in_mode(useMozillaPKIX) {
add_test(function () {
- Services.prefs.setBoolPref("security.use_insanity_verification",
- useInsanity);
+ Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+ useMozillaPKIX);
run_next_test();
});
// This test assumes that OCSPStaplingServer uses the same cert for
// ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com.
// Get an Unknown response for the *.exmaple.com cert and put it in the
// OCSP cache.
@@ -102,18 +102,18 @@ function add_tests_in_mode(useInsanity)
add_test(function() { clearOCSPCache(); gFetchCount = 0; run_next_test(); });
// A failure to retrieve an OCSP response will result in an error entry being
// added to the cache.
add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
clearSessionCache);
add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
- // TODO(bug 977865): implement this for insanity
- if (!useInsanity) {
+ // TODO(bug 977865): implement this for mozilla::pkix
+ if (!useMozillaPKIX) {
// The error entry will prevent a fetch from happening for a while.
add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
clearSessionCache);
add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
}
// The error entry must not prevent a stapled OCSP response from being
// honored.
--- a/security/manager/ssl/tests/unit/test_ocsp_required.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_required.js
@@ -35,28 +35,28 @@ function run_test() {
add_tests_in_mode(true);
add_tests_in_mode(false);
add_test(function () { ocspResponder.stop(run_next_test); });
run_next_test();
}
-function add_tests_in_mode(useInsanity)
+function add_tests_in_mode(useMozillaPKIX)
{
add_test(function () {
- Services.prefs.setBoolPref("security.use_insanity_verification",
- useInsanity);
+ Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+ useMozillaPKIX);
run_next_test();
});
add_connection_test("ocsp-stapling-none.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
add_connection_test("ocsp-stapling-none.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
add_test(function () {
- // TODO(bug 977865): insanity::pkix keeps requesting responses from
+ // TODO(bug 977865): mozilla::pkix keeps requesting responses from
// failing responders
- do_check_eq(gOCSPRequestCount, useInsanity ? 2 : 1);
+ do_check_eq(gOCSPRequestCount, useMozillaPKIX ? 2 : 1);
gOCSPRequestCount = 0;
run_next_test();
});
}
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@@ -16,20 +16,20 @@ function add_ocsp_test(aHost, aExpectedR
gExpectOCSPRequest = !aStaplingEnabled;
clearOCSPCache();
clearSessionCache();
Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling",
aStaplingEnabled);
});
}
-function add_tests_in_mode(useInsanity, certDB, otherTestCA) {
+function add_tests_in_mode(useMozillaPKIX, certDB, otherTestCA) {
add_test(function () {
- Services.prefs.setBoolPref("security.use_insanity_verification",
- useInsanity);
+ Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+ useMozillaPKIX);
run_next_test();
});
// In the absence of OCSP stapling, these should actually all work.
add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false);
@@ -49,17 +49,17 @@ function add_tests_in_mode(useInsanity,
add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, true);
add_ocsp_test("ocsp-stapling-revoked.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), true);
// SEC_ERROR_OCSP_INVALID_SIGNING_CERT vs SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
// depends on whether the CA that signed the response is a trusted CA
- // (but only with the classic implementation - insanity::pkix always
+ // (but only with the classic implementation - mozilla::pkix always
// results in the error SEC_ERROR_OCSP_INVALID_SIGNING_CERT).
// This stapled response is from a CA that is untrusted and did not issue
// the server's certificate.
add_test(function() {
certDB.setCertTrust(otherTestCA, Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.UNTRUSTED);
run_next_test();
@@ -108,17 +108,17 @@ function add_tests_in_mode(useInsanity,
clearSessionCache();
Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
}
);
add_ocsp_test("ocsp-stapling-empty.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
// TODO(bug 979070): NSS can't handle this yet.
- if (useInsanity) {
+ if (useMozillaPKIX) {
add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
}
// ocsp-stapling-expired.example.com and
// ocsp-stapling-expired-fresh-ca.example.com are handled in
// test_ocsp_stapling_expired.js
}
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@@ -57,21 +57,21 @@ function run_test() {
add_tls_server_setup("OCSPStaplingServer");
add_tests_in_mode(true);
add_tests_in_mode(false);
add_test(function () { ocspResponder.stop(run_next_test); });
add_test(check_ocsp_stapling_telemetry);
run_next_test();
}
-function add_tests_in_mode(useInsanity)
+function add_tests_in_mode(useMozillaPKIX)
{
add_test(function () {
- Services.prefs.setBoolPref("security.use_insanity_verification",
- useInsanity);
+ Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+ useMozillaPKIX);
run_next_test();
});
// In these tests, the OCSP stapling server gives us a stapled
// response based on the host name ("ocsp-stapling-expired" or
// "ocsp-stapling-expired-fresh-ca"). We then ensure that we're
// properly falling back to fetching revocation information.
// For ocsp-stapling-expired.example.com, the OCSP stapling server
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
@@ -39,17 +39,17 @@ function run_test() {
add_test(function () { ocspResponder.stop(run_next_test); });
add_test(function() {
do_check_eq(gOCSPRequestCount, 0);
run_next_test();
});
run_next_test();
}
-function add_tests_in_mode(useInsanity) {
+function add_tests_in_mode(useMozillaPKIX) {
add_test(function () {
- Services.prefs.setBoolPref("security.use_insanity_verification",
- useInsanity);
+ Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+ useMozillaPKIX);
run_next_test();
});
add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
}
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/Makefile.in
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/Makefile.in
@@ -5,14 +5,14 @@
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
include $(topsrcdir)/config/config.mk
LIBS = \
$(NSPR_LIBS) \
$(NSS_LIBS) \
$(MOZALLOC_LIB) \
- ../../../../../../insanity/$(LIB_PREFIX)insanitypkix.$(LIB_SUFFIX) \
- ../../../../../../insanity/test/lib/$(LIB_PREFIX)pkixtestutil.$(LIB_SUFFIX) \
+ ../../../../../../pkix/$(LIB_PREFIX)mozillapkix.$(LIB_SUFFIX) \
+ ../../../../../../pkix/test/lib/$(LIB_PREFIX)pkixtestutil.$(LIB_SUFFIX) \
../lib/$(LIB_PREFIX)tlsserver.$(LIB_SUFFIX) \
$(NULL)
DEFINES += $(TK_CFLAGS)
--- a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
@@ -8,16 +8,17 @@
#include "ScopedNSSTypes.h"
#include "TLSServer.h"
#include "pkixtestutil.h"
#include "secerr.h"
using namespace mozilla;
using namespace mozilla::test;
+using namespace mozilla::pkix::test;
SECItemArray *
GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate *aCert,
PLArenaPool *aArena, const char *aAdditionalCertName)
{
if (aORT == ORTNone) {
if (gDebugLevel >= DEBUG_WARNINGS) {
@@ -33,17 +34,17 @@ GetOCSPResponseForType(OCSPResponseType
arr->items[0].len = 0;
return arr;
}
PRTime now = PR_Now();
PRTime oneDay = 60*60*24 * (PRTime)PR_USEC_PER_SEC;
PRTime oldNow = now - (8 * oneDay);
- insanity::test::OCSPResponseContext context(aArena, aCert, now);
+ OCSPResponseContext context(aArena, aCert, now);
if (aORT == ORTGoodOtherCert) {
context.cert = PK11_FindCertFromNickname(aAdditionalCertName, nullptr);
if (!context.cert) {
PrintPRError("PK11_FindCertFromNickname failed");
return nullptr;
}
}
@@ -98,17 +99,17 @@ GetOCSPResponseForType(OCSPResponseType
if (aORT == ORTBadSignature) {
context.badSignature = true;
}
if (!context.signerCert) {
context.signerCert = CERT_DupCertificate(context.issuerCert.get());
}
- SECItem* response = insanity::test::CreateEncodedOCSPResponse(context);
+ SECItem* response = CreateEncodedOCSPResponse(context);
if (!response) {
PrintPRError("CreateEncodedOCSPResponse failed");
return nullptr;
}
SECItemArray* arr = SECITEM_AllocArray(aArena, nullptr, 1);
arr->items[0].data = response ? response->data : nullptr;
arr->items[0].len = response ? response->len : 0;
--- a/security/manager/ssl/tests/unit/tlsserver/lib/moz.build
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/moz.build
@@ -5,13 +5,13 @@
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
UNIFIED_SOURCES += [
'OCSPCommon.cpp',
'TLSServer.cpp',
]
LOCAL_INCLUDES += [
- '../../../../../../insanity/include',
- '../../../../../../insanity/test/lib',
+ '../../../../../../pkix/include',
+ '../../../../../../pkix/test/lib',
]
LIBRARY_NAME = 'tlsserver'
rename from security/insanity/include/insanity/ScopedPtr.h
rename to security/pkix/include/pkix/ScopedPtr.h
--- a/security/insanity/include/insanity/ScopedPtr.h
+++ b/security/pkix/include/pkix/ScopedPtr.h
@@ -1,31 +1,31 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* Copyright 2013 Mozilla Foundation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+/* Copyright 2013 Mozilla Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
-#ifndef insanity_pkix__ScopedPtr_h
-#define insanity_pkix__ScopedPtr_h
+#ifndef mozilla_pkix__ScopedPtr_h
+#define mozilla_pkix__ScopedPtr_h
-#include "insanity/nullptr.h"
+#include "pkix/nullptr.h"
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
// Similar to boost::scoped_ptr and std::unique_ptr. Does not support copying
// or assignment.
template <typename T, void (*Destroyer)(T*)>
class ScopedPtr
{
public:
explicit ScopedPtr(T* value = nullptr) : mValue(value) { }
@@ -89,11 +89,11 @@ operator!=(T* a, const ScopedPtr<T, Dest
template <typename T, void(*Destroyer)(T*)>
inline bool
operator!=(const ScopedPtr<T, Destroyer>& a, T* b)
{
return a.get() != b;
}
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
-#endif // insanity_pkix__ScopedPtr_h
+#endif // mozilla_pkix__ScopedPtr_h
rename from security/insanity/include/insanity/bind.h
rename to security/pkix/include/pkix/bind.h
--- a/security/insanity/include/insanity/bind.h
+++ b/security/pkix/include/pkix/bind.h
@@ -14,28 +14,28 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
// Work around missing std::bind, std::ref, std::cref in older compilers. This
// implementation isn't intended to be complete; rather, it is the minimal
// implementation needed to make our use of std::bind work.
-#ifndef insanity_pkix__bind_h
-#define insanity_pkix__bind_h
+#ifndef mozilla_pkix__bind_h
+#define mozilla_pkix__bind_h
#ifdef _MSC_VER
#pragma warning(disable:4275) //Suppress spurious MSVC warning
#endif
#include <functional>
#ifdef _MSC_VER
#pragma warning(default:4275)
#endif
-namespace insanity {
+namespace mozilla { namespace pkix {
#ifdef _MSC_VER
using std::bind;
using std::ref;
using std::cref;
using std::placeholders::_1;
@@ -87,11 +87,11 @@ template <typename R, typename P1, typen
inline internal::Bind2<R, P1, B1, B2>
bind(R (*f)(P1&, B1&, B2&), Placeholder1 &, B1 & b1, B2 & b2)
{
return internal::Bind2<R, P1, B1, B2>(f, b1, b2);
}
#endif // _MSC_VER
-} // namespace insanity
+} } // namespace mozilla::pkix
-#endif // insanity_pkix__bind_h
+#endif // mozilla_pkix__bind_h
rename from security/insanity/include/insanity/nullptr.h
rename to security/pkix/include/pkix/nullptr.h
--- a/security/insanity/include/insanity/nullptr.h
+++ b/security/pkix/include/pkix/nullptr.h
@@ -10,19 +10,19 @@
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-#ifndef insanity_pkix__nullptr_h
-#define insanity_pkix__nullptr_h
+#ifndef mozilla_pkix__nullptr_h
+#define mozilla_pkix__nullptr_h
// GCC does not understand nullptr until 4.6
#if defined(__GNUC__) && !defined(__clang__)
#if __GNUC__ * 100 + __GNUC_MINOR__ < 406
#define nullptr __null
#endif
#endif
-#endif // insanity_pkix__nullptr_h
+#endif // mozilla_pkix__nullptr_h
rename from security/insanity/include/insanity/pkix.h
rename to security/pkix/include/pkix/pkix.h
--- a/security/insanity/include/insanity/pkix.h
+++ b/security/pkix/include/pkix/pkix.h
@@ -10,23 +10,23 @@
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-#ifndef insanity_pkix__pkix_h
-#define insanity_pkix__pkix_h
+#ifndef mozilla_pkix__pkix_h
+#define mozilla_pkix__pkix_h
#include "pkixtypes.h"
#include "prtime.h"
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
// ----------------------------------------------------------------------------
// LIMITED SUPPORT FOR CERTIFICATE POLICIES
//
// If SEC_OID_X509_ANY_POLICY is passed as the value of the requiredPolicy
// parameter then all policy validation will be skipped. Otherwise, path
// building and validation will be done for the given policy.
//
@@ -113,11 +113,11 @@ SECItem* CreateEncodedOCSPRequest(PLAren
SECStatus VerifyEncodedOCSPResponse(TrustDomain& trustDomain,
const CERTCertificate* cert,
CERTCertificate* issuerCert,
PRTime time,
const SECItem* encodedResponse,
/* optional out */ PRTime* thisUpdate,
/* optional out */ PRTime* validThrough);
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
-#endif // insanity_pkix__pkix_h
+#endif // mozilla_pkix__pkix_h
rename from security/insanity/include/insanity/pkixtypes.h
rename to security/pkix/include/pkix/pkixtypes.h
--- a/security/insanity/include/insanity/pkixtypes.h
+++ b/security/pkix/include/pkix/pkixtypes.h
@@ -10,25 +10,25 @@
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-#ifndef insanity_pkix__pkixtypes_h
-#define insanity_pkix__pkixtypes_h
+#ifndef mozilla_pkix__pkixtypes_h
+#define mozilla_pkix__pkixtypes_h
-#include "insanity/ScopedPtr.h"
+#include "pkix/ScopedPtr.h"
#include "plarena.h"
#include "cert.h"
#include "keyhi.h"
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
typedef ScopedPtr<PLArenaPool, PL_FreeArenaPool> ScopedPLArenaPool;
typedef ScopedPtr<CERTCertificate, CERT_DestroyCertificate>
ScopedCERTCertificate;
typedef ScopedPtr<CERTCertList, CERT_DestroyCertList> ScopedCERTCertList;
typedef ScopedPtr<SECKEYPublicKey, SECKEY_DestroyPublicKey>
ScopedSECKEYPublicKey;
@@ -83,17 +83,17 @@ public:
/*out*/ ScopedCERTCertList& results) = 0;
// Verify the given signature using the public key of the given certificate.
// The implementation should be careful to ensure that the given certificate
// has all the public key information needed--i.e. it should ensure that the
// certificate is not trying to use EC(DSA) parameter inheritance.
//
// Most implementations of this function should probably forward the call
- // directly to insanity::pkix::VerifySignedData.
+ // directly to mozilla::pkix::VerifySignedData.
virtual SECStatus VerifySignedData(const CERTSignedData* signedData,
const CERTCertificate* cert) = 0;
// issuerCertToDup is only non-const so CERT_DupCertificate can be called on
// it.
virtual SECStatus CheckRevocation(EndEntityOrCA endEntityOrCA,
const CERTCertificate* cert,
/*const*/ CERTCertificate* issuerCertToDup,
@@ -103,11 +103,11 @@ public:
protected:
TrustDomain() { }
private:
TrustDomain(const TrustDomain&) /* = delete */;
void operator=(const TrustDomain&) /* = delete */;
};
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
-#endif // insanity_pkix__pkixtypes_h
+#endif // mozilla_pkix__pkixtypes_h
rename from security/insanity/lib/pkixbind.cpp
rename to security/pkix/lib/pkixbind.cpp
--- a/security/insanity/lib/pkixbind.cpp
+++ b/security/pkix/lib/pkixbind.cpp
@@ -12,17 +12,17 @@
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef _MSC_VER
-#include "insanity/bind.h"
+#include "pkix/bind.h"
-namespace insanity {
+namespace mozilla { namespace pkix {
Placeholder1 _1;
-
-} // namespace insanity
+
+} } // namespace mozilla::pkix
#endif // _MSC_VER
rename from security/insanity/lib/pkixbuild.cpp
rename to security/pkix/lib/pkixbuild.cpp
--- a/security/insanity/lib/pkixbuild.cpp
+++ b/security/pkix/lib/pkixbuild.cpp
@@ -10,24 +10,24 @@
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
#include <limits>
#include "pkixcheck.h"
#include "pkixder.h"
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
// We assume ext has been zero-initialized by its constructor and otherwise
// not modified.
//
// TODO(perf): This sorting of extensions should be be moved into the
// certificate decoder so that the results are cached with the certificate, so
// that the decoding doesn't have to happen more than once per cert.
Result
@@ -167,17 +167,17 @@ BuildForwardInner(TrustDomain& trustDoma
return Success;
}
// Recursively build the path from the given subject certificate to the root.
//
// Be very careful about changing the order of checks. The order is significant
// because it affects which error we return when a certificate or certificate
// chain has multiple problems. See the error ranking documentation in
-// insanity/pkix.h.
+// pkix/pkix.h.
static Result
BuildForward(TrustDomain& trustDomain,
BackCert& subject,
PRTime time,
EndEntityOrCA endEntityOrCA,
KeyUsages requiredKeyUsagesIfPresent,
SECOidTag requiredEKUIfPresent,
SECOidTag requiredPolicy,
@@ -358,9 +358,9 @@ BackCert::PrependNSSCertToList(CERTCertL
if (CERT_AddCertToListHead(results, dup) != SECSuccess) { // takes ownership
CERT_DestroyCertificate(dup);
return FatalError;
}
return Success;
}
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
rename from security/insanity/lib/pkixcheck.cpp
rename to security/pkix/lib/pkixcheck.cpp
--- a/security/insanity/lib/pkixcheck.cpp
+++ b/security/pkix/lib/pkixcheck.cpp
@@ -10,23 +10,23 @@
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
#include "pkixcheck.h"
#include "pkixder.h"
#include "pkixutil.h"
#include "secder.h"
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
Result
CheckTimes(const CERTCertificate* cert, PRTime time)
{
PR_ASSERT(cert);
SECCertTimeValidity validity = CERT_CheckCertValidTimes(cert, time, false);
if (validity != secCertTimeValid) {
@@ -474,9 +474,9 @@ CheckIssuerIndependentProperties(TrustDo
rv = CheckTimes(cert.GetNSSCert(), time);
if (rv != Success) {
return rv;
}
return Success;
}
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
rename from security/insanity/lib/pkixcheck.h
rename to security/pkix/lib/pkixcheck.h
--- a/security/insanity/lib/pkixcheck.h
+++ b/security/pkix/lib/pkixcheck.h
@@ -10,32 +10,32 @@
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-#ifndef insanity__pkixcheck_h
-#define insanity__pkixcheck_h
+#ifndef mozilla_pkix__pkixcheck_h
+#define mozilla_pkix__pkixcheck_h
#include "pkixutil.h"
#include "certt.h"
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
Result CheckIssuerIndependentProperties(
TrustDomain& trustDomain,
BackCert& cert,
PRTime time,
EndEntityOrCA endEntityOrCA,
KeyUsages requiredKeyUsagesIfPresent,
SECOidTag requiredEKUIfPresent,
SECOidTag requiredPolicy,
unsigned int subCACount,
/*optional out*/ TrustDomain::TrustLevel* trustLevel = nullptr);
Result CheckNameConstraints(BackCert& cert);
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
-#endif // insanity__pkixcheck_h
+#endif // mozilla_pkix__pkixcheck_h
rename from security/insanity/lib/pkixder.cpp
rename to security/pkix/lib/pkixder.cpp
--- a/security/insanity/lib/pkixder.cpp
+++ b/security/pkix/lib/pkixder.cpp
@@ -12,17 +12,17 @@
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "pkixder.h"
-namespace insanity { namespace der {
+namespace mozilla { namespace pkix { namespace der {
// not inline
Result
Fail(PRErrorCode errorCode)
{
PR_SetError(errorCode, 0);
return Failure;
}
@@ -73,9 +73,9 @@ ExpectTagAndGetLength(Input& input, uint
} else {
// We don't support lengths larger than 2^16 - 1.
return Fail(SEC_ERROR_BAD_DER);
}
return Success;
}
-} } // namespace insanity::der
+} } } // namespace mozilla::pkix::der
rename from security/insanity/lib/pkixder.h
rename to security/pkix/lib/pkixder.h
--- a/security/insanity/lib/pkixder.h
+++ b/security/pkix/lib/pkixder.h
@@ -10,29 +10,29 @@
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-#ifndef insanity_pkix__pkixder_h
-#define insanity_pkix__pkixder_h
+#ifndef mozilla_pkix__pkixder_h
+#define mozilla_pkix__pkixder_h
-#include "insanity/nullptr.h"
+#include "pkix/nullptr.h"
#include "prerror.h"
#include "prlog.h"
#include "secder.h"
#include "secerr.h"
#include "secoidt.h"
#include "stdint.h"
-namespace insanity { namespace der {
+namespace mozilla { namespace pkix { namespace der {
enum Class
{
UNIVERSAL = 0 << 6,
// APPLICATION = 1 << 6, // unused
CONTEXT_SPECIFIC = 2 << 6,
// PRIVATE = 3 << 6 // unused
};
@@ -514,11 +514,11 @@ OptionalVersion(Input& input, /*out*/ ui
return Failure;
}
if (version & 0x80) { // negative
return Fail(SEC_ERROR_BAD_DER);
}
return Success;
}
-} } // namespace insanity::der
+} } } // namespace mozilla::pkix::der
-#endif // insanity_pkix__pkixder_h
+#endif // mozilla_pkix__pkixder_h
rename from security/insanity/lib/pkixkey.cpp
rename to security/pkix/lib/pkixkey.cpp
--- a/security/insanity/lib/pkixkey.cpp
+++ b/security/pkix/lib/pkixkey.cpp
@@ -10,27 +10,27 @@
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-#include "insanity/pkix.h"
+#include "pkix/pkix.h"
#include <limits>
#include <stdint.h>
#include "cert.h"
#include "cryptohi.h"
#include "prerror.h"
#include "secerr.h"
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
SECStatus
VerifySignedData(const CERTSignedData* sd, const CERTCertificate* cert,
void* pkcs11PinArg)
{
if (!sd || !sd->data.data || !sd->signatureAlgorithm.algorithm.data ||
!sd->signature.data || !cert) {
PR_NOT_REACHED("invalid args to VerifySignedData");
@@ -81,9 +81,9 @@ VerifySignedData(const CERTSignedData* s
if ((policy & requiredPolicy) != requiredPolicy) {
PR_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, 0);
return SECFailure;
}
return SECSuccess;
}
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
rename from security/insanity/lib/pkixocsp.cpp
rename to security/pkix/lib/pkixocsp.cpp
--- a/security/insanity/lib/pkixocsp.cpp
+++ b/security/pkix/lib/pkixocsp.cpp
@@ -12,18 +12,18 @@
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <limits>
-#include "insanity/bind.h"
-#include "insanity/pkix.h"
+#include "pkix/bind.h"
+#include "pkix/pkix.h"
#include "pkixcheck.h"
#include "pkixder.h"
#include "hasht.h"
#include "pk11pub.h"
#include "secder.h"
#ifdef _MSC_VER
@@ -31,17 +31,17 @@
#define ENUM_CLASS __pragma(warning(disable: 4480)) enum
#else
#define ENUM_CLASS enum class
#endif
// TODO: use typed/qualified typedefs everywhere?
// TODO: When should we return SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE?
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
static const PRTime ONE_DAY
= INT64_C(24) * INT64_C(60) * INT64_C(60) * PR_USEC_PER_SEC;
static const PRTime SLOP = ONE_DAY;
// These values correspond to the tag values in the ASN.1 CertStatus
ENUM_CLASS CertStatus : uint8_t {
Good = der::CONTEXT_SPECIFIC | 0,
@@ -988,9 +988,9 @@ CreateEncodedOCSPRequest(PLArenaPool* ar
*d++ = cert->serialNumber.data[i];
}
PR_ASSERT(d == encodedRequest->data + totalLen);
return encodedRequest;
}
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
rename from security/insanity/lib/pkixutil.h
rename to security/pkix/lib/pkixutil.h
--- a/security/insanity/lib/pkixutil.h
+++ b/security/pkix/lib/pkixutil.h
@@ -10,25 +10,25 @@
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-#ifndef insanity_pkix__pkixutil_h
-#define insanity_pkix__pkixutil_h
+#ifndef mozilla_pkix__pkixutil_h
+#define mozilla_pkix__pkixutil_h
-#include "insanity/pkixtypes.h"
+#include "pkix/pkixtypes.h"
#include "prerror.h"
#include "seccomon.h"
#include "secerr.h"
-namespace insanity { namespace pkix {
+namespace mozilla { namespace pkix {
enum Result
{
Success = 0,
FatalError = -1, // An error was encountered that caused path building
// to stop immediately. example: out-of-memory.
RecoverableError = -2 // an error that will cause path building to continue
// searching for alternative paths. example: expired
@@ -136,11 +136,11 @@ private:
ScopedPLArenaPool arena;
CERTGeneralName* constrainedNames;
ConstrainedNameOptions cnOptions;
BackCert(const BackCert&) /* = delete */;
void operator=(const BackCert&); /* = delete */;
};
-} } // namespace insanity::pkix
+} } // namespace mozilla::pkix
-#endif // insanity_pkix__pkixutil_h
+#endif // mozilla_pkix__pkixutil_h
rename from security/insanity/moz.build
rename to security/pkix/moz.build
--- a/security/insanity/moz.build
+++ b/security/pkix/moz.build
@@ -18,11 +18,11 @@ LOCAL_INCLUDES += [
]
DIRS += [
'test/lib',
]
FAIL_ON_WARNINGS = True
-LIBRARY_NAME = 'insanitypkix'
+LIBRARY_NAME = 'mozillapkix'
FINAL_LIBRARY = 'xul'
rename from security/insanity/test/lib/moz.build
rename to security/pkix/test/lib/moz.build
rename from security/insanity/test/lib/pkixtestutil.cpp
rename to security/pkix/test/lib/pkixtestutil.cpp
--- a/security/insanity/test/lib/pkixtestutil.cpp
+++ b/security/pkix/test/lib/pkixtestutil.cpp
@@ -20,17 +20,17 @@
#include "pkixtestutil.h"
#include "cryptohi.h"
#include "hasht.h"
#include "pk11pub.h"
#include "prinit.h"
#include "secder.h"
-namespace insanity { namespace test {
+namespace mozilla { namespace pkix { namespace test {
class Output
{
public:
Output()
: numItems(0)
, length(0)
{
@@ -627,9 +627,9 @@ CertStatus(OCSPResponseContext& context)
}
default:
PR_NOT_REACHED("CertStatus: bad context.certStatus");
PR_Abort();
}
return nullptr;
}
-} } // namespace insanity::test
+} } } // namespace mozilla::pkix::test
rename from security/insanity/test/lib/pkixtestutil.h
rename to security/pkix/test/lib/pkixtestutil.h
--- a/security/insanity/test/lib/pkixtestutil.h
+++ b/security/pkix/test/lib/pkixtestutil.h
@@ -10,24 +10,24 @@
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-#ifndef insanity_test__pkixtestutils_h
-#define insanity_test__pkixtestutils_h
+#ifndef mozilla_pkix_test__pkixtestutils_h
+#define mozilla_pkix_test__pkixtestutils_h
-#include "insanity/ScopedPtr.h"
-#include "insanity/pkixtypes.h"
+#include "pkix/ScopedPtr.h"
+#include "pkix/pkixtypes.h"
#include "seccomon.h"
-namespace insanity { namespace test {
+namespace mozilla { namespace pkix { namespace test {
class OCSPResponseContext
{
public:
OCSPResponseContext(PLArenaPool* arena, CERTCertificate* cert, PRTime time);
PLArenaPool* arena;
// TODO(bug 980538): add a way to specify what certificates are included.
@@ -57,11 +57,11 @@ public:
// The return value, if non-null, is owned by the arena in the context
// and MUST NOT be freed.
// This function does its best to respect the NSPR error code convention
// (that is, if it returns null, calling PR_GetError() will return the
// error of the failed operation). However, this is not guaranteed.
SECItem* CreateEncodedOCSPResponse(OCSPResponseContext& context);
-} } // namespace insanity::test
+} } } // namespace mozilla::pkix::test
-#endif // insanity_test__pkixtestutils_h
+#endif // mozilla_pkix_test__pkixtestutils_h
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -4249,23 +4249,23 @@
"SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC": {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
"description": "Time spent on a successful cert verification in classic mode (ms)"
},
- "SSL_SUCCESFUL_CERT_VALIDATION_TIME_INSANITY" : {
+ "SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
- "description": "Time spent on a successful cert verification in insanity mode (ms)"
+ "description": "Time spent on a successful cert verification in mozilla::pkix mode (ms)"
},
"SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX" : {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
"description": "Time spent on an initially failed cert verification in libpix mode (ms)"
@@ -4273,23 +4273,23 @@
"SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC": {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
"description": "Time spent on an initially failed cert verification in classic mode (ms)"
},
- "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_INSANITY" : {
+ "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
- "description": "Time spent on an initially failed cert verification in insanity mode (ms)"
+ "description": "Time spent on an initially failed cert verification in mozilla::pkix mode (ms)"
},
"HEALTHREPORT_DB_OPEN_FIRSTRUN_MS": {
"expires_in_version": "never",
"kind": "exponential",
"high": "20000",
"n_buckets": 15,
"description": "Time (ms) spent to open Firefox Health Report's database the first time, including schema setup."
},