--- a/netwerk/base/public/security-prefs.js
+++ b/netwerk/base/public/security-prefs.js
@@ -49,10 +49,8 @@ pref("security.ssl3.rsa_seed_sha", false
pref("security.default_personal_cert", "Ask Every Time");
pref("security.remember_cert_checkbox_default_setting", true);
pref("security.ask_for_password", 0);
pref("security.password_lifetime", 30);
pref("security.OCSP.enabled", 1);
pref("security.OCSP.require", false);
pref("security.OCSP.GET.enabled", false);
-
-pref("security.use_mozillapkix_verification", true);
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -8,17 +8,16 @@
#include <stdint.h>
#include "ExtendedValidation.h"
#include "NSSCertDBTrustDomain.h"
#include "NSSErrorsService.h"
#include "PublicKeyPinningService.h"
#include "cert.h"
-#include "ocsp.h"
#include "pk11pub.h"
#include "pkix/pkix.h"
#include "prerror.h"
#include "secerr.h"
#include "sslerr.h"
// ScopedXXX in this file are mozilla::pkix::ScopedXXX, not
// mozilla::ScopedXXX.
@@ -29,31 +28,21 @@ using namespace mozilla::psm;
PRLogModuleInfo* gCertVerifierLog = nullptr;
#endif
namespace mozilla { namespace psm {
const CertVerifier::Flags CertVerifier::FLAG_LOCAL_ONLY = 1;
const CertVerifier::Flags CertVerifier::FLAG_MUST_BE_EV = 2;
-CertVerifier::CertVerifier(implementation_config ic,
-#ifndef NSS_NO_LIBPKIX
- missing_cert_download_config mcdc,
- crl_download_config cdc,
-#endif
- ocsp_download_config odc,
+CertVerifier::CertVerifier(ocsp_download_config odc,
ocsp_strict_config osc,
ocsp_get_config ogc,
pinning_enforcement_config pel)
- : mImplementation(ic)
-#ifndef NSS_NO_LIBPKIX
- , mMissingCertDownloadEnabled(mcdc == missing_cert_download_on)
- , mCRLDownloadEnabled(cdc == crl_download_allowed)
-#endif
- , mOCSPDownloadEnabled(odc == ocsp_on)
+ : mOCSPDownloadEnabled(odc == ocsp_on)
, mOCSPStrict(osc == ocsp_strict)
, mOCSPGETEnabled(ogc == ocsp_get_enabled)
, mPinningEnforcementLevel(pel)
{
}
CertVerifier::~CertVerifier()
{
@@ -64,47 +53,16 @@ InitCertVerifierLog()
{
#ifdef PR_LOGGING
if (!gCertVerifierLog) {
gCertVerifierLog = PR_NewLogModule("certverifier");
}
#endif
}
-// Once we migrate to mozilla::pkix or change the overridable error
-// logic this will become unnecesary.
-static SECStatus
-insertErrorIntoVerifyLog(CERTCertificate* cert, const PRErrorCode err,
- CERTVerifyLog* verifyLog){
- CERTVerifyLogNode* node;
- node = (CERTVerifyLogNode *)PORT_ArenaAlloc(verifyLog->arena,
- sizeof(CERTVerifyLogNode));
- if (!node) {
- PR_SetError(PR_UNKNOWN_ERROR, 0);
- return SECFailure;
- }
- node->cert = CERT_DupCertificate(cert);
- node->error = err;
- node->depth = 0;
- node->arg = nullptr;
- //and at to head!
- node->prev = nullptr;
- node->next = verifyLog->head;
- if (verifyLog->head) {
- verifyLog->head->prev = node;
- }
- verifyLog->head = node;
- if (!verifyLog->tail) {
- verifyLog->tail = node;
- }
- verifyLog->count++;
-
- return SECSuccess;
-}
-
SECStatus
IsCertBuiltInRoot(CERTCertificate* cert, bool& result) {
result = false;
ScopedPtr<PK11SlotList, PK11_FreeSlotList> slots;
slots = PK11_GetAllSlotsForCert(cert, nullptr);
if (!slots) {
if (PORT_GetError() == SEC_ERROR_NO_TOKEN) {
// no list
@@ -194,118 +152,16 @@ SECStatus chainValidationCallback(void*
*chainOK = PublicKeyPinningService::
ChainHasValidPins(certList, callbackState->hostname, callbackState->time,
enforceTestMode);
return SECSuccess;
}
static SECStatus
-ClassicVerifyCert(CERTCertificate* cert,
- const SECCertificateUsage usage,
- const PRTime time,
- void* pinArg,
- ChainValidationCallbackState* callbackState,
- /*optional out*/ ScopedCERTCertList* validationChain,
- /*optional out*/ CERTVerifyLog* verifyLog)
-{
- SECStatus rv;
- SECCertUsage enumUsage;
- switch (usage) {
- case certificateUsageSSLClient:
- enumUsage = certUsageSSLClient;
- break;
- case certificateUsageSSLServer:
- enumUsage = certUsageSSLServer;
- break;
- case certificateUsageSSLCA:
- enumUsage = certUsageSSLCA;
- break;
- case certificateUsageEmailSigner:
- enumUsage = certUsageEmailSigner;
- break;
- case certificateUsageEmailRecipient:
- enumUsage = certUsageEmailRecipient;
- break;
- case certificateUsageObjectSigner:
- enumUsage = certUsageObjectSigner;
- break;
- case certificateUsageVerifyCA:
- enumUsage = certUsageVerifyCA;
- break;
- case certificateUsageStatusResponder:
- enumUsage = certUsageStatusResponder;
- break;
- default:
- PR_NOT_REACHED("unexpected usage");
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if (usage == certificateUsageSSLServer) {
- // SSL server cert verification has always used CERT_VerifyCert, so we
- // continue to use it for SSL cert verification to minimize the risk of
- // there being any differnce in results between CERT_VerifyCert and
- // CERT_VerifyCertificate.
- rv = CERT_VerifyCert(CERT_GetDefaultCertDB(), cert, true,
- certUsageSSLServer, time, pinArg, verifyLog);
- } else {
- rv = CERT_VerifyCertificate(CERT_GetDefaultCertDB(), cert, true,
- usage, time, pinArg, verifyLog, nullptr);
- }
-
- if (rv == SECSuccess &&
- (validationChain || usage == certificateUsageSSLServer)) {
- PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
- ("VerifyCert: getting chain in 'classic' \n"));
- ScopedCERTCertList certChain(CERT_GetCertChainFromCert(cert, time,
- enumUsage));
- if (!certChain) {
- return SECFailure;
- }
- if (usage == certificateUsageSSLServer) {
- PRBool chainOK = PR_FALSE;
- SECStatus srv = chainValidationCallback(callbackState, certChain.get(),
- &chainOK);
- if (srv != SECSuccess) {
- return srv;
- }
- if (chainOK != PR_TRUE) {
- if (verifyLog) {
- insertErrorIntoVerifyLog(cert,
- PSM_ERROR_KEY_PINNING_FAILURE,
- verifyLog);
- }
- PR_SetError(PSM_ERROR_KEY_PINNING_FAILURE, 0);
- return SECFailure;
- }
- }
- if (rv == SECSuccess && validationChain) {
- *validationChain = certChain.release();
- }
- }
-
- return rv;
-}
-
-#ifndef NSS_NO_LIBPKIX
-static void
-destroyCertListThatShouldNotExist(CERTCertList** certChain)
-{
- PR_ASSERT(certChain);
- PR_ASSERT(!*certChain);
- if (certChain && *certChain) {
- // There SHOULD not be a validation chain on failure, asserion here for
- // the debug builds AND a fallback for production builds
- CERT_DestroyCertList(*certChain);
- *certChain = nullptr;
- }
-}
-#endif
-
-static SECStatus
BuildCertChainForOneKeyUsage(TrustDomain& trustDomain, CERTCertificate* cert,
PRTime time, KeyUsage ku1, KeyUsage ku2,
KeyUsage ku3, KeyPurposeId eku,
const CertPolicyId& requiredPolicy,
const SECItem* stapledOCSPResponse,
ScopedCERTCertList& builtChain)
{
SECStatus rv = BuildCertChain(trustDomain, cert, time,
@@ -326,28 +182,24 @@ BuildCertChainForOneKeyUsage(TrustDomain
PR_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE, 0);
}
}
}
return rv;
}
SECStatus
-CertVerifier::MozillaPKIXVerifyCert(
- CERTCertificate* cert,
- const SECCertificateUsage usage,
- const PRTime time,
- void* pinArg,
- const Flags flags,
- ChainValidationCallbackState* callbackState,
- /*optional*/ const SECItem* stapledOCSPResponse,
- /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
- /*optional out*/ SECOidTag* evOidPolicy)
+CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
+ PRTime time, void* pinArg, const char* hostname,
+ const Flags flags,
+ /*optional*/ const SECItem* stapledOCSPResponse,
+ /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
+ /*optional out*/ SECOidTag* evOidPolicy)
{
- PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of MozillaPKIXVerifyCert\n"));
+ PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of VerifyCert\n"));
PR_ASSERT(cert);
PR_ASSERT(usage == certificateUsageSSLServer || !(flags & FLAG_MUST_BE_EV));
if (validationChain) {
*validationChain = nullptr;
}
if (evOidPolicy) {
@@ -355,19 +207,22 @@ CertVerifier::MozillaPKIXVerifyCert(
}
if (!cert ||
(usage != certificateUsageSSLServer && (flags & FLAG_MUST_BE_EV))) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
}
+ ChainValidationCallbackState callbackState = {
+ hostname, mPinningEnforcementLevel, usage, time
+ };
CERTChainVerifyCallback callbackContainer;
callbackContainer.isChainValid = chainValidationCallback;
- callbackContainer.isChainValidArg = callbackState;
+ callbackContainer.isChainValidArg = &callbackState;
NSSCertDBTrustDomain::OCSPFetching ocspFetching
= !mOCSPDownloadEnabled ||
(flags & FLAG_LOCAL_ONLY) ? NSSCertDBTrustDomain::NeverFetchOCSP
: !mOCSPStrict ? NSSCertDBTrustDomain::FetchOCSPForDVSoftFail
: NSSCertDBTrustDomain::FetchOCSPForDVHardFail;
ocsp_get_config ocspGETConfig = mOCSPGETEnabled ? ocsp_get_enabled
@@ -554,378 +409,16 @@ CertVerifier::MozillaPKIXVerifyCert(
if (validationChain && rv == SECSuccess) {
*validationChain = builtChain.release();
}
return rv;
}
SECStatus
-CertVerifier::VerifyCert(CERTCertificate* cert,
- const SECCertificateUsage usage,
- const PRTime time,
- void* pinArg,
- const char* hostname,
- const Flags flags,
- /*optional in*/ const SECItem* stapledOCSPResponse,
- /*optional out*/ ScopedCERTCertList* validationChain,
- /*optional out*/ SECOidTag* evOidPolicy,
- /*optional out*/ CERTVerifyLog* verifyLog)
-{
- ChainValidationCallbackState callbackState = { hostname,
- mPinningEnforcementLevel,
- usage,
- time };
-
- if (mImplementation == mozillapkix) {
- return MozillaPKIXVerifyCert(cert, usage, time, pinArg, flags,
- &callbackState, stapledOCSPResponse,
- validationChain, evOidPolicy);
- }
-
- if (!cert)
- {
- PR_NOT_REACHED("Invalid arguments to CertVerifier::VerifyCert");
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- if (validationChain) {
- *validationChain = nullptr;
- }
- if (evOidPolicy) {
- *evOidPolicy = SEC_OID_UNKNOWN;
- }
-
- switch(usage){
- case certificateUsageSSLClient:
- case certificateUsageSSLServer:
- case certificateUsageSSLCA:
- case certificateUsageEmailSigner:
- case certificateUsageEmailRecipient:
- case certificateUsageObjectSigner:
- case certificateUsageVerifyCA:
- case certificateUsageStatusResponder:
- break;
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- if ((flags & FLAG_MUST_BE_EV) && usage != certificateUsageSSLServer) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
-#ifndef NSS_NO_LIBPKIX
- ScopedCERTCertList trustAnchors;
- SECStatus rv;
- SECOidTag evPolicy = SEC_OID_UNKNOWN;
-
- // Do EV checking only for sslserver usage
- if (usage == certificateUsageSSLServer) {
- CertPolicyId unusedPolicyId;
- SECStatus srv = GetFirstEVPolicy(cert, unusedPolicyId, evPolicy);
- if (srv == SECSuccess) {
- if (evPolicy != SEC_OID_UNKNOWN) {
- trustAnchors = GetRootsForOid(evPolicy);
- }
- if (!trustAnchors) {
- return SECFailure;
- }
- // pkix ignores an empty trustanchors list and
- // decides then to use the whole set of trust in the DB
- // so we set the evPolicy to unkown in this case
- if (CERT_LIST_EMPTY(trustAnchors)) {
- evPolicy = SEC_OID_UNKNOWN;
- }
- } else {
- // No known EV policy found
- if (flags & FLAG_MUST_BE_EV) {
- PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
- return SECFailure;
- }
- // Do not setup EV verification params
- evPolicy = SEC_OID_UNKNOWN;
- }
- if ((evPolicy == SEC_OID_UNKNOWN) && (flags & FLAG_MUST_BE_EV)) {
- PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
- return SECFailure;
- }
- }
-
- PR_ASSERT(evPolicy == SEC_OID_UNKNOWN || trustAnchors);
-
- size_t i = 0;
- size_t validationChainLocation = 0;
- size_t validationTrustAnchorLocation = 0;
- CERTValOutParam cvout[4];
- if (verifyLog) {
- cvout[i].type = cert_po_errorLog;
- cvout[i].value.pointer.log = verifyLog;
- ++i;
- }
- if (validationChain) {
- PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: setting up validation chain outparam.\n"));
- validationChainLocation = i;
- cvout[i].type = cert_po_certList;
- cvout[i].value.pointer.chain = nullptr;
- ++i;
- validationTrustAnchorLocation = i;
- cvout[i].type = cert_po_trustAnchor;
- cvout[i].value.pointer.cert = nullptr;
- ++i;
- }
- cvout[i].type = cert_po_end;
-
- CERTRevocationFlags rev;
-
- CERTRevocationMethodIndex revPreferredMethods[2];
- rev.leafTests.preferred_methods =
- rev.chainTests.preferred_methods = revPreferredMethods;
-
- uint64_t revFlagsPerMethod[2];
- rev.leafTests.cert_rev_flags_per_method =
- rev.chainTests.cert_rev_flags_per_method = revFlagsPerMethod;
- rev.leafTests.number_of_preferred_methods =
- rev.chainTests.number_of_preferred_methods = 1;
-
- rev.leafTests.number_of_defined_methods =
- rev.chainTests.number_of_defined_methods = cert_revocation_method_ocsp + 1;
-
- const bool localOnly = flags & FLAG_LOCAL_ONLY;
- CERTValInParam cvin[7];
-
- // Parameters for both EV and DV validation
- cvin[0].type = cert_pi_useAIACertFetch;
- cvin[0].value.scalar.b = mMissingCertDownloadEnabled && !localOnly;
- cvin[1].type = cert_pi_revocationFlags;
- cvin[1].value.pointer.revocation = &rev;
- cvin[2].type = cert_pi_date;
- cvin[2].value.scalar.time = time;
- i = 3;
-
- CERTChainVerifyCallback callbackContainer;
- if (usage == certificateUsageSSLServer) {
- callbackContainer.isChainValid = chainValidationCallback;
- callbackContainer.isChainValidArg = &callbackState;
- cvin[i].type = cert_pi_chainVerifyCallback;
- cvin[i].value.pointer.chainVerifyCallback = &callbackContainer;
- ++i;
- }
-
- const size_t evParamLocation = i;
-
- if (evPolicy != SEC_OID_UNKNOWN) {
- // EV setup!
- // XXX 859872 The current flags are not quite correct. (use
- // of ocsp flags for crl preferences).
- uint64_t ocspRevMethodFlags =
- CERT_REV_M_TEST_USING_THIS_METHOD
- | ((mOCSPDownloadEnabled && !localOnly) ?
- CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
- | CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
- | CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE
- | CERT_REV_M_IGNORE_MISSING_FRESH_INFO
- | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
- | (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
-
- rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
- rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl]
- = CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD;
-
- rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
- rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp]
- = ocspRevMethodFlags;
-
- rev.leafTests.cert_rev_method_independent_flags =
- rev.chainTests.cert_rev_method_independent_flags =
- // avoiding the network is good, let's try local first
- CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
- // is overall revocation requirement strict or relaxed?
- | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
- ;
-
- rev.leafTests.preferred_methods[0] =
- rev.chainTests.preferred_methods[0] = cert_revocation_method_ocsp;
-
- cvin[i].type = cert_pi_policyOID;
- cvin[i].value.arraySize = 1;
- cvin[i].value.array.oids = &evPolicy;
- ++i;
- PR_ASSERT(trustAnchors);
- cvin[i].type = cert_pi_trustAnchors;
- cvin[i].value.pointer.chain = trustAnchors.get();
- ++i;
-
- cvin[i].type = cert_pi_end;
-
- rv = CERT_PKIXVerifyCert(cert, usage, cvin, cvout, pinArg);
- if (rv == SECSuccess) {
- if (evOidPolicy) {
- *evOidPolicy = evPolicy;
- }
- PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
- ("VerifyCert: successful CERT_PKIXVerifyCert(ev) \n"));
- goto pkix_done;
- }
- PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
- ("VerifyCert: failed CERT_PKIXVerifyCert(ev)\n"));
- if (flags & FLAG_MUST_BE_EV) {
- return rv;
- }
- if (validationChain) {
- destroyCertListThatShouldNotExist(
- &cvout[validationChainLocation].value.pointer.chain);
- }
-
- if (verifyLog) {
- // Cleanup the log so that it is ready the the next validation
- CERTVerifyLogNode* i_node;
- for (i_node = verifyLog->head; i_node; i_node = i_node->next) {
- //destroy cert if any.
- if (i_node->cert) {
- CERT_DestroyCertificate(i_node->cert);
- }
- // No need to cleanup the actual nodes in the arena.
- }
- verifyLog->count = 0;
- verifyLog->head = nullptr;
- verifyLog->tail = nullptr;
- }
-
- }
-#endif
-
- // If we're here, PKIX EV verification failed.
- // If requested, don't do DV fallback.
- if (flags & FLAG_MUST_BE_EV) {
- PR_ASSERT(*evOidPolicy == SEC_OID_UNKNOWN);
-#ifdef NSS_NO_LIBPKIX
- PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
-#else
- PR_SetError(PR_INVALID_STATE_ERROR, 0);
-#endif
- return SECFailure;
- }
-
- if (mImplementation == classic) {
- // XXX: we do not care about the localOnly flag (currently) as the
- // caller that wants localOnly should disable and reenable the fetching.
- return ClassicVerifyCert(cert, usage, time, pinArg, &callbackState,
- validationChain, verifyLog);
- }
-
-#ifdef NSS_NO_LIBPKIX
- PR_NOT_REACHED("libpkix implementation chosen but not even compiled in");
- PR_SetError(PR_INVALID_STATE_ERROR, 0);
- return SECFailure;
-#else
- PR_ASSERT(mImplementation == libpkix);
-
- // The current flags check the chain the same way as the leafs
- rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
- rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
- // implicit default source - makes no sense for CRLs
- CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE
-
- // let's not stop on fresh CRL. If OCSP is enabled, too, let's check it
- | CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO
-
- // no fresh CRL? well, let other flag decide whether to fail or not
- | CERT_REV_M_IGNORE_MISSING_FRESH_INFO
-
- // testing using local CRLs is always allowed
- | CERT_REV_M_TEST_USING_THIS_METHOD
-
- // no local crl and don't know where to get it from? ignore
- | CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
-
- // crl download based on parameter
- | ((mCRLDownloadEnabled && !localOnly) ?
- CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
- ;
-
- rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
- rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
- // use OCSP
- CERT_REV_M_TEST_USING_THIS_METHOD
-
- // if app has a default OCSP responder configured, let's use it
- | CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
-
- // of course OCSP doesn't work without a source. let's accept such certs
- | CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
-
- // if ocsp is required stop on lack of freshness
- | (mOCSPStrict ?
- CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO : CERT_REV_M_IGNORE_MISSING_FRESH_INFO)
-
- // ocsp success is sufficient
- | CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
-
- // ocsp enabled controls network fetching, too
- | ((mOCSPDownloadEnabled && !localOnly) ?
- CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
-
- | (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
- ;
-
- rev.leafTests.preferred_methods[0] =
- rev.chainTests.preferred_methods[0] = cert_revocation_method_ocsp;
-
- rev.leafTests.cert_rev_method_independent_flags =
- rev.chainTests.cert_rev_method_independent_flags =
- // avoiding the network is good, let's try local first
- CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
-
- // Skip EV parameters
- cvin[evParamLocation].type = cert_pi_end;
-
- PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: calling CERT_PKIXVerifyCert(dv) \n"));
- rv = CERT_PKIXVerifyCert(cert, usage, cvin, cvout, pinArg);
-
-pkix_done:
- if (validationChain) {
- PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: validation chain requested\n"));
- ScopedCERTCertificate trustAnchor(cvout[validationTrustAnchorLocation].value.pointer.cert);
-
- if (rv == SECSuccess) {
- if (! cvout[validationChainLocation].value.pointer.chain) {
- PR_SetError(PR_UNKNOWN_ERROR, 0);
- return SECFailure;
- }
- PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: I have a chain\n"));
- *validationChain = cvout[validationChainLocation].value.pointer.chain;
- if (trustAnchor) {
- // we should only add the issuer to the chain if it is not already
- // present. On CA cert checking, the issuer is the same cert, so in
- // that case we do not add the cert to the chain.
- if (!CERT_CompareCerts(trustAnchor.get(), cert)) {
- PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: adding issuer to tail for display\n"));
- // note: rv is reused to catch errors on cert creation!
- ScopedCERTCertificate tempCert(CERT_DupCertificate(trustAnchor.get()));
- rv = CERT_AddCertToListTail(validationChain->get(), tempCert.get());
- if (rv == SECSuccess) {
- tempCert.release(); // ownership traferred to validationChain
- } else {
- *validationChain = nullptr;
- }
- }
- }
- } else {
- destroyCertListThatShouldNotExist(
- &cvout[validationChainLocation].value.pointer.chain);
- }
- }
-
- return rv;
-#endif
-}
-
-SECStatus
CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
/*optional*/ const SECItem* stapledOCSPResponse,
PRTime time,
/*optional*/ void* pinarg,
const char* hostname,
bool saveIntermediatesInPermanentDatabase,
/*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut,
/*optional out*/ SECOidTag* evOidPolicy)
@@ -947,17 +440,17 @@ CertVerifier::VerifySSLServerCert(CERTCe
return SECFailure;
}
// CreateCertErrorRunnable assumes that CERT_VerifyCertName is only called
// if VerifyCert succeeded.
ScopedCERTCertList validationChain;
SECStatus rv = VerifyCert(peerCert, certificateUsageSSLServer, time, pinarg,
hostname, 0, stapledOCSPResponse, &validationChain,
- evOidPolicy, nullptr);
+ evOidPolicy);
if (rv != SECSuccess) {
return rv;
}
rv = CERT_VerifyCertName(peerCert, hostname);
if (rv != SECSuccess) {
return rv;
}
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -21,91 +21,62 @@ public:
// XXX: FLAG_LOCAL_ONLY is ignored in the classic verification case
static const Flags FLAG_LOCAL_ONLY;
// Don't perform fallback DV validation on EV validation failure.
static const Flags FLAG_MUST_BE_EV;
// *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
// Only one usage per verification is supported.
SECStatus VerifyCert(CERTCertificate* cert,
- const SECCertificateUsage usage,
- const PRTime time,
+ SECCertificateUsage usage,
+ PRTime time,
void* pinArg,
const char* hostname,
- const Flags flags = 0,
+ Flags flags = 0,
/*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
/*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr,
- /*optional out*/ SECOidTag* evOidPolicy = nullptr ,
- /*optional out*/ CERTVerifyLog* verifyLog = nullptr);
+ /*optional out*/ SECOidTag* evOidPolicy = nullptr);
SECStatus VerifySSLServerCert(
CERTCertificate* peerCert,
/*optional*/ const SECItem* stapledOCSPResponse,
PRTime time,
/*optional*/ void* pinarg,
const char* hostname,
bool saveIntermediatesInPermanentDatabase = false,
/*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut = nullptr,
/*optional out*/ SECOidTag* evOidPolicy = nullptr);
-
- enum implementation_config {
- classic = 0,
-#ifndef NSS_NO_LIBPKIX
- libpkix = 1,
-#endif
- mozillapkix = 2
- };
-
enum pinning_enforcement_config {
pinningDisabled = 0,
pinningAllowUserCAMITM = 1,
pinningStrict = 2,
pinningEnforceTestMode = 3
};
enum missing_cert_download_config { missing_cert_download_off = 0, missing_cert_download_on };
enum crl_download_config { crl_local_only = 0, crl_download_allowed };
enum ocsp_download_config { ocsp_off = 0, ocsp_on };
enum ocsp_strict_config { ocsp_relaxed = 0, ocsp_strict };
enum ocsp_get_config { ocsp_get_disabled = 0, ocsp_get_enabled = 1 };
bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; }
- CertVerifier(implementation_config ic,
-#ifndef NSS_NO_LIBPKIX
- missing_cert_download_config ac, crl_download_config cdc,
-#endif
- ocsp_download_config odc, ocsp_strict_config osc,
+ CertVerifier(ocsp_download_config odc, ocsp_strict_config osc,
ocsp_get_config ogc,
pinning_enforcement_config pinningEnforcementLevel);
~CertVerifier();
void ClearOCSPCache() { mOCSPCache.Clear(); }
- const implementation_config mImplementation;
-#ifndef NSS_NO_LIBPKIX
- const bool mMissingCertDownloadEnabled;
- const bool mCRLDownloadEnabled;
-#endif
const bool mOCSPDownloadEnabled;
const bool mOCSPStrict;
const bool mOCSPGETEnabled;
const pinning_enforcement_config mPinningEnforcementLevel;
private:
- SECStatus MozillaPKIXVerifyCert(CERTCertificate* cert,
- const SECCertificateUsage usage,
- const PRTime time,
- void* pinArg,
- const Flags flags,
- ChainValidationCallbackState* callbackState,
- /*optional*/ const SECItem* stapledOCSPResponse,
- /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
- /*optional out*/ SECOidTag* evOidPolicy);
-
OCSPCache mOCSPCache;
};
void InitCertVerifierLog();
} } // namespace mozilla::psm
#endif // mozilla_psm__CertVerifier_h
--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@@ -881,65 +881,31 @@ register_oid(const SECItem* oid_item, co
od.oid.data = oid_item->data;
od.offset = SEC_OID_UNKNOWN;
od.desc = oid_name;
od.mechanism = CKM_INVALID_MECHANISM;
od.supportedExtension = INVALID_CERT_EXTENSION;
return SECOID_AddEntry(&od);
}
-#ifndef NSS_NO_LIBPKIX
-static void
-addToCertListIfTrusted(CERTCertList* certList, CERTCertificate* cert) {
- CERTCertTrust nssTrust;
- if (CERT_GetCertTrust(cert, &nssTrust) != SECSuccess) {
- return;
- }
- unsigned int flags = SEC_GET_TRUST_FLAGS(&nssTrust, trustSSL);
-
- if (flags & CERTDB_TRUSTED_CA) {
- CERT_AddCertToListTail(certList, CERT_DupCertificate(cert));
- }
-}
-#endif
-
static bool
isEVPolicy(SECOidTag policyOIDTag)
{
for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
if (policyOIDTag == entry.oid_tag) {
return true;
}
}
return false;
}
namespace mozilla { namespace psm {
-#ifndef NSS_NO_LIBPKIX
-CERTCertList*
-GetRootsForOid(SECOidTag oid_tag)
-{
- CERTCertList* certList = CERT_NewCertList();
- if (!certList)
- return nullptr;
-
- for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
- nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
- if (entry.oid_tag == oid_tag) {
- addToCertListIfTrusted(certList, entry.cert);
- }
- }
-
- return certList;
-}
-#endif
-
bool
CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert,
const mozilla::pkix::CertPolicyId& policy)
{
PR_ASSERT(cert);
if (!cert) {
return false;
}
--- a/security/certverifier/ExtendedValidation.h
+++ b/security/certverifier/ExtendedValidation.h
@@ -21,15 +21,11 @@ SECStatus GetFirstEVPolicy(CERTCertifica
/*out*/ SECOidTag& policyOidTag);
// CertIsAuthoritativeForEVPolicy does NOT evaluate whether the cert is trusted
// or distrusted.
bool CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert,
const mozilla::pkix::CertPolicyId& policy);
#endif
-#ifndef NSS_NO_LIBPKIX
-CERTCertList* GetRootsForOid(SECOidTag oid_tag);
-#endif
-
} } // namespace mozilla::psm
#endif // mozilla_psm_ExtendedValidation_h
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -9,17 +9,16 @@
#include <stdint.h>
#include "ExtendedValidation.h"
#include "NSSErrorsService.h"
#include "OCSPRequestor.h"
#include "certdb.h"
#include "mozilla/Telemetry.h"
#include "nss.h"
-#include "ocsp.h"
#include "pk11pub.h"
#include "pkix/pkix.h"
#include "prerror.h"
#include "prmem.h"
#include "prprf.h"
#include "secerr.h"
#include "secmod.h"
@@ -691,42 +690,16 @@ UnloadLoadableRoots(const char* modNameU
PR_ASSERT(modNameUTF8);
ScopedSECMODModule rootsModule(SECMOD_FindModule(modNameUTF8));
if (rootsModule) {
SECMOD_UnloadUserModule(rootsModule.get());
}
}
-void
-SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
- CertVerifier::ocsp_strict_config strict,
- CertVerifier::ocsp_get_config get)
-{
- CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
- if (enabled == CertVerifier::ocsp_off) {
- CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
- } else {
- CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
- }
-
- SEC_OcspFailureMode failureMode = strict == CertVerifier::ocsp_strict
- ? ocspMode_FailureIsVerificationFailure
- : ocspMode_FailureIsNotAVerificationFailure;
- (void) CERT_SetOCSPFailureMode(failureMode);
-
- CERT_ForcePostMethodForOCSP(get != CertVerifier::ocsp_get_enabled);
-
- uint32_t OCSPTimeoutSeconds = 3u;
- if (strict == CertVerifier::ocsp_strict) {
- OCSPTimeoutSeconds = 10u;
- }
- CERT_SetOCSPTimeout(OCSPTimeoutSeconds);
-}
-
char*
DefaultServerNicknameForCert(CERTCertificate* cert)
{
char* nickname = nullptr;
int count;
bool conflict;
char* servername = nullptr;
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -27,24 +27,16 @@ void PORT_Free_string(char* str);
//
// The modNameUTF8 parameter should usually be
// BUILTIN_ROOTS_MODULE_DEFAULT_NAME.
SECStatus LoadLoadableRoots(/*optional*/ const char* dir,
const char* modNameUTF8);
void UnloadLoadableRoots(const char* modNameUTF8);
-// Controls the OCSP fetching behavior of the classic verification mode. In the
-// classic mode, the OCSP fetching behavior is set globally instead of per
-// validation.
-void
-SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
- CertVerifier::ocsp_strict_config strict,
- CertVerifier::ocsp_get_config get);
-
// Caller must free the result with PR_Free
char* DefaultServerNicknameForCert(CERTCertificate* cert);
void SaveIntermediateCerts(const mozilla::pkix::ScopedCERTCertList& certList);
class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain
{
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -100,17 +100,16 @@
#include "CertVerifier.h"
#include "CryptoTask.h"
#include "ExtendedValidation.h"
#include "NSSCertDBTrustDomain.h"
#include "nsIBadCertListener2.h"
#include "nsICertOverrideService.h"
#include "nsISiteSecurityService.h"
#include "nsNSSComponent.h"
-#include "nsNSSCleaner.h"
#include "nsRecentBadCerts.h"
#include "nsNSSIOLayer.h"
#include "nsNSSShutDown.h"
#include "mozilla/Assertions.h"
#include "mozilla/Mutex.h"
#include "mozilla/Telemetry.h"
#include "mozilla/unused.h"
@@ -122,29 +121,25 @@
#include "PSMRunnable.h"
#include "SharedSSLState.h"
#include "nsContentUtils.h"
#include "ssl.h"
#include "secerr.h"
#include "secport.h"
#include "sslerr.h"
-#include "ocsp.h"
#ifdef PR_LOGGING
extern PRLogModuleInfo* gPIPNSSLog;
#endif
namespace mozilla { namespace psm {
namespace {
-NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
-NSSCleanupAutoPtrClass_WithParam(PLArenaPool, PORT_FreeArena, FalseParam, false)
-
// do not use a nsCOMPtr to avoid static initializer/destructor
nsIThreadPool* gCertVerificationThreadPool = nullptr;
// We avoid using a mutex for the success case to avoid lock-related
// performance issues. However, we do use a lock in the error case to simplify
// the code, since performance in the error case is not important.
Mutex* gSSLVerificationTelemetryMutex = nullptr;
@@ -306,23 +301,22 @@ MapCertErrorToProbeValue(PRErrorCode err
case SEC_ERROR_EXPIRED_CERTIFICATE: return 10;
}
NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue "
"handle everything in PRErrorCodeToOverrideType?");
return 0;
}
SECStatus
-MozillaPKIXDetermineCertOverrideErrors(CERTCertificate* cert,
- const char* hostName, PRTime now,
- PRErrorCode defaultErrorCodeToReport,
- /*out*/ uint32_t& collectedErrors,
- /*out*/ PRErrorCode& errorCodeTrust,
- /*out*/ PRErrorCode& errorCodeMismatch,
- /*out*/ PRErrorCode& errorCodeExpired)
+DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
+ PRTime now, PRErrorCode defaultErrorCodeToReport,
+ /*out*/ uint32_t& collectedErrors,
+ /*out*/ PRErrorCode& errorCodeTrust,
+ /*out*/ PRErrorCode& errorCodeMismatch,
+ /*out*/ PRErrorCode& errorCodeExpired)
{
MOZ_ASSERT(cert);
MOZ_ASSERT(hostName);
MOZ_ASSERT(collectedErrors == 0);
MOZ_ASSERT(errorCodeTrust == 0);
MOZ_ASSERT(errorCodeMismatch == 0);
MOZ_ASSERT(errorCodeExpired == 0);
@@ -543,139 +537,16 @@ CertErrorRunnable::RunOnTargetThread()
{
MOZ_ASSERT(NS_IsMainThread());
mResult = CheckCertOverrides();
MOZ_ASSERT(mResult);
}
-// Converts a PRErrorCode into one of
-// nsICertOverrideService::ERROR_UNTRUSTED,
-// nsICertOverrideService::ERROR_MISMATCH,
-// nsICertOverrideService::ERROR_TIME
-// if the given error code is an overridable error.
-// If it is not, then 0 is returned.
-uint32_t
-PRErrorCodeToOverrideType(PRErrorCode errorCode)
-{
- switch (errorCode)
- {
- case SEC_ERROR_UNKNOWN_ISSUER:
- case SEC_ERROR_UNTRUSTED_ISSUER:
- case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
- case SEC_ERROR_UNTRUSTED_CERT:
- case SEC_ERROR_INADEQUATE_KEY_USAGE:
- case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
- // We group all these errors as "cert not trusted"
- return nsICertOverrideService::ERROR_UNTRUSTED;
- case SSL_ERROR_BAD_CERT_DOMAIN:
- return nsICertOverrideService::ERROR_MISMATCH;
- case SEC_ERROR_EXPIRED_CERTIFICATE:
- return nsICertOverrideService::ERROR_TIME;
- default:
- return 0;
- }
-}
-
-SECStatus
-NSSDetermineCertOverrideErrors(CertVerifier& certVerifier,
- CERTCertificate* cert,
- const SECItem* stapledOCSPResponse,
- TransportSecurityInfo* infoObject,
- PRTime now,
- PRErrorCode defaultErrorCodeToReport,
- /*out*/ uint32_t& collectedErrors,
- /*out*/ PRErrorCode& errorCodeTrust,
- /*out*/ PRErrorCode& errorCodeMismatch,
- /*out*/ PRErrorCode& errorCodeExpired)
-{
- MOZ_ASSERT(cert);
- MOZ_ASSERT(infoObject);
- MOZ_ASSERT(defaultErrorCodeToReport != 0);
- MOZ_ASSERT(collectedErrors == 0);
- MOZ_ASSERT(errorCodeTrust == 0);
- MOZ_ASSERT(errorCodeMismatch == 0);
- MOZ_ASSERT(errorCodeExpired == 0);
-
- if (defaultErrorCodeToReport == 0) {
- NS_ERROR("No error code set during certificate validation failure.");
- PR_SetError(PR_INVALID_STATE_ERROR, 0);
- return SECFailure;
- }
-
- // We only allow overrides for certain errors. Return early if the error
- // is not one of them. This is to avoid doing revocation fetching in the
- // case of OCSP stapling and probably for other reasons.
- if (PRErrorCodeToOverrideType(defaultErrorCodeToReport) == 0) {
- PR_SetError(defaultErrorCodeToReport, 0);
- return SECFailure;
- }
-
- PLArenaPool* log_arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- PLArenaPoolCleanerFalseParam log_arena_cleaner(log_arena);
- if (!log_arena) {
- NS_ERROR("PORT_NewArena failed");
- return SECFailure; // PORT_NewArena set error code
- }
-
- CERTVerifyLog* verify_log = PORT_ArenaZNew(log_arena, CERTVerifyLog);
- if (!verify_log) {
- NS_ERROR("PORT_ArenaZNew failed");
- return SECFailure; // PORT_ArenaZNew set error code
- }
- CERTVerifyLogContentsCleaner verify_log_cleaner(verify_log);
- verify_log->arena = log_arena;
-
- // We ignore the result code of the cert verification (i.e. VerifyCert's rv)
- // Either it is a failure, which is expected, and we'll process the
- // verify log below.
- // Or it is a success, then a domain mismatch is the only
- // possible failure.
- // XXX TODO: convert to VerifySSLServerCert
- // XXX TODO: get rid of error log
- certVerifier.VerifyCert(cert, certificateUsageSSLServer,
- now, infoObject, infoObject->GetHostNameRaw(),
- 0, stapledOCSPResponse, nullptr, nullptr, verify_log);
-
- // Check the name field against the desired hostname.
- if (CERT_VerifyCertName(cert, infoObject->GetHostNameRaw()) != SECSuccess) {
- collectedErrors |= nsICertOverrideService::ERROR_MISMATCH;
- errorCodeMismatch = SSL_ERROR_BAD_CERT_DOMAIN;
- }
-
- CERTVerifyLogNode* i_node;
- for (i_node = verify_log->head; i_node; i_node = i_node->next) {
- uint32_t overrideType = PRErrorCodeToOverrideType(i_node->error);
- // If this isn't an overridable error, set the error and return.
- if (overrideType == 0) {
- PR_SetError(i_node->error, 0);
- return SECFailure;
- }
- collectedErrors |= overrideType;
- if (overrideType == nsICertOverrideService::ERROR_UNTRUSTED) {
- if (errorCodeTrust == 0) {
- errorCodeTrust = i_node->error;
- }
- } else if (overrideType == nsICertOverrideService::ERROR_MISMATCH) {
- if (errorCodeMismatch == 0) {
- errorCodeMismatch = i_node->error;
- }
- } else if (overrideType == nsICertOverrideService::ERROR_TIME) {
- if (errorCodeExpired == 0) {
- errorCodeExpired = i_node->error;
- }
- } else {
- MOZ_CRASH("unexpected return value from PRErrorCodeToOverrideType");
- }
- }
-
- return SECSuccess;
-}
-
// Returns null with the error code (PR_GetError()) set if it does not create
// the CertErrorRunnable.
CertErrorRunnable*
CreateCertErrorRunnable(CertVerifier& certVerifier,
PRErrorCode defaultErrorCodeToReport,
TransportSecurityInfo* infoObject,
CERTCertificate* cert,
const SECItem* stapledOCSPResponse,
@@ -685,47 +556,20 @@ CreateCertErrorRunnable(CertVerifier& ce
{
MOZ_ASSERT(infoObject);
MOZ_ASSERT(cert);
uint32_t collected_errors = 0;
PRErrorCode errorCodeTrust = 0;
PRErrorCode errorCodeMismatch = 0;
PRErrorCode errorCodeExpired = 0;
-
- SECStatus rv;
- switch (certVerifier.mImplementation) {
- case CertVerifier::classic:
-#ifndef NSS_NO_LIBPKIX
- case CertVerifier::libpkix:
-#endif
- rv = NSSDetermineCertOverrideErrors(certVerifier, cert, stapledOCSPResponse,
- infoObject, now,
- defaultErrorCodeToReport,
- collected_errors, errorCodeTrust,
- errorCodeMismatch, errorCodeExpired);
- break;
-
- case CertVerifier::mozillapkix:
- rv = MozillaPKIXDetermineCertOverrideErrors(cert,
- infoObject->GetHostNameRaw(),
- now, defaultErrorCodeToReport,
- collected_errors,
- errorCodeTrust,
- errorCodeMismatch,
- errorCodeExpired);
- break;
-
- default:
- MOZ_CRASH("unexpected CertVerifier implementation");
- PR_SetError(defaultErrorCodeToReport, 0);
- return nullptr;
-
- }
- if (rv != SECSuccess) {
+ if (DetermineCertOverrideErrors(cert, infoObject->GetHostNameRaw(), now,
+ defaultErrorCodeToReport, collected_errors,
+ errorCodeTrust, errorCodeMismatch,
+ errorCodeExpired) != SECSuccess) {
return nullptr;
}
RefPtr<nsNSSCertificate> nssCert(nsNSSCertificate::Create(cert));
if (!nssCert) {
NS_ERROR("nsNSSCertificate::Create failed");
PR_SetError(SEC_ERROR_NO_MEMORY, 0);
return nullptr;
@@ -901,67 +745,16 @@ AuthCertificate(CertVerifier& certVerifi
CERTCertificate* cert, SECItem* stapledOCSPResponse,
uint32_t providerFlags, PRTime time)
{
MOZ_ASSERT(infoObject);
MOZ_ASSERT(cert);
SECStatus rv;
- // TODO: Remove this after we switch to mozilla::pkix as the
- // only option
- if (certVerifier.mImplementation == CertVerifier::classic) {
- if (stapledOCSPResponse) {
- CERTCertDBHandle* handle = CERT_GetDefaultCertDB();
- rv = CERT_CacheOCSPResponseFromSideChannel(handle, cert, PR_Now(),
- stapledOCSPResponse,
- infoObject);
- if (rv != SECSuccess) {
- // Due to buggy servers that will staple expired OCSP responses
- // (see for example http://trac.nginx.org/nginx/ticket/425),
- // don't terminate the connection if the stapled response is expired.
- // We will fall back to fetching revocation information.
- PRErrorCode ocspErrorCode = PR_GetError();
- if (ocspErrorCode != SEC_ERROR_OCSP_OLD_RESPONSE) {
- // stapled OCSP response present but invalid for some reason
- Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 4);
- return rv;
- } else {
- // stapled OCSP response present but expired
- Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 3);
- }
- } else {
- // stapled OCSP response present and good
- Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 1);
- }
- } else {
- // no stapled OCSP response
- Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 2);
-
- uint32_t reasonsForNotFetching = 0;
-
- char* ocspURI = CERT_GetOCSPAuthorityInfoAccessLocation(cert);
- if (!ocspURI) {
- reasonsForNotFetching |= 1; // invalid/missing OCSP URI
- } else {
- if (std::strncmp(ocspURI, "http://", 7)) { // approximation
- reasonsForNotFetching |= 1; // invalid/missing OCSP URI
- }
- PORT_Free(ocspURI);
- }
-
- if (!certVerifier.mOCSPDownloadEnabled) {
- reasonsForNotFetching |= 2;
- }
-
- Telemetry::Accumulate(Telemetry::SSL_OCSP_MAY_FETCH,
- reasonsForNotFetching);
- }
- }
-
// We want to avoid storing any intermediate cert information when browsing
// in private, transient contexts.
bool saveIntermediates =
!(providerFlags & nsISocketProvider::NO_PERMANENT_STORAGE);
mozilla::pkix::ScopedCERTCertList certList;
SECOidTag evOidPolicy;
rv = certVerifier.VerifySSLServerCert(cert, stapledOCSPResponse,
@@ -1073,44 +866,21 @@ SSLServerCertVerificationJob::Run()
("[%p] SSLServerCertVerificationJob::Run\n", mInfoObject.get()));
PRErrorCode error;
nsNSSShutDownPreventionLock nssShutdownPrevention;
if (mInfoObject->isAlreadyShutDown()) {
error = SEC_ERROR_USER_CANCELLED;
} else {
- Telemetry::ID successTelemetry;
- Telemetry::ID failureTelemetry;
- switch (mCertVerifier->mImplementation) {
- case CertVerifier::classic:
- successTelemetry
- = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC;
- failureTelemetry
- = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC;
- break;
- case CertVerifier::mozillapkix:
- successTelemetry
- = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
- failureTelemetry
- = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
- break;
-#ifndef NSS_NO_LIBPKIX
- case CertVerifier::libpkix:
- successTelemetry
- = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX;
- failureTelemetry
- = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX;
- break;
-#endif
- default:
- MOZ_CRASH("Unknown CertVerifier mode");
- }
+ Telemetry::ID successTelemetry
+ = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
+ Telemetry::ID failureTelemetry
+ = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
- // XXX
// Reset the error code here so we can detect if AuthCertificate fails to
// set the error code if/when it fails.
PR_SetError(0, 0);
SECStatus rv = AuthCertificate(*mCertVerifier, mInfoObject, mCert.get(),
mStapledOCSPResponse, mProviderFlags,
mTime);
if (rv == SECSuccess) {
uint32_t interval = (uint32_t) ((TimeStamp::Now() - mJobStartTime).ToMilliseconds());
--- a/security/manager/ssl/src/ScopedNSSTypes.h
+++ b/security/manager/ssl/src/ScopedNSSTypes.h
@@ -17,17 +17,16 @@
#include "cert.h"
#include "cms.h"
#include "keyhi.h"
#include "cryptohi.h"
#include "pk11pub.h"
#include "sechash.h"
#include "secpkcs7.h"
#include "prerror.h"
-#include "ocsp.h"
namespace mozilla {
// It is very common to cast between char* and uint8_t* when doing crypto stuff.
// Here, we provide more type-safe wrappers around reinterpret_cast so you don't
// shoot yourself in the foot by reinterpret_casting completely unrelated types.
inline char *
@@ -78,19 +77,16 @@ MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLAT
CERTCertList,
CERT_DestroyCertList)
MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTName,
CERTName,
CERT_DestroyName)
MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTCertNicknames,
CERTCertNicknames,
CERT_FreeNicknames)
-MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTOCSPCertID,
- CERTOCSPCertID,
- CERT_DestroyOCSPCertID)
MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTSubjectPublicKeyInfo,
CERTSubjectPublicKeyInfo,
SECKEY_DestroySubjectPublicKeyInfo)
MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTValidity,
CERTValidity,
CERT_DestroyValidity)
MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedNSSCMSMessage,
--- a/security/manager/ssl/src/SharedCertVerifier.h
+++ b/security/manager/ssl/src/SharedCertVerifier.h
@@ -14,28 +14,19 @@ namespace mozilla { namespace psm {
class SharedCertVerifier : public mozilla::psm::CertVerifier
{
protected:
~SharedCertVerifier();
public:
NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SharedCertVerifier)
- SharedCertVerifier(implementation_config ic,
-#ifndef NSS_NO_LIBPKIX
- missing_cert_download_config ac, crl_download_config cdc,
-#endif
- ocsp_download_config odc, ocsp_strict_config osc,
+ SharedCertVerifier(ocsp_download_config odc, ocsp_strict_config osc,
ocsp_get_config ogc,
pinning_enforcement_config pinningEnforcementLevel)
- : mozilla::psm::CertVerifier(ic,
-#ifndef NSS_NO_LIBPKIX
- ac, cdc,
-#endif
- odc, osc, ogc,
- pinningEnforcementLevel)
+ : mozilla::psm::CertVerifier(odc, osc, ogc, pinningEnforcementLevel)
{
}
};
} } // namespace mozilla::psm
#endif // mozilla_psm__SharedCertVerifier_h
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -581,26 +581,16 @@ void nsNSSHttpInterface::initTable()
v1.createFcn = createFcn;
v1.setPostDataFcn = setPostDataFcn;
v1.addHeaderFcn = addHeaderFcn;
v1.trySendAndReceiveFcn = trySendAndReceiveFcn;
v1.cancelFcn = cancelFcn;
v1.freeFcn = freeFcn;
}
-void nsNSSHttpInterface::registerHttpClient()
-{
- SEC_RegisterDefaultHttpClient(&sNSSInterfaceTable);
-}
-
-void nsNSSHttpInterface::unregisterHttpClient()
-{
- SEC_RegisterDefaultHttpClient(nullptr);
-}
-
nsHTTPListener::nsHTTPListener()
: mResultData(nullptr),
mResultLen(0),
mLock("nsHTTPListener.mLock"),
mCondition(mLock, "nsHTTPListener.mCondition"),
mWaitFlag(true),
mResponsibleForDoneSignal(false),
mLoadGroup(nullptr),
--- a/security/manager/ssl/src/nsNSSCallbacks.h
+++ b/security/manager/ssl/src/nsNSSCallbacks.h
@@ -215,14 +215,11 @@ public:
static SECStatus freeFcn(SEC_HTTP_REQUEST_SESSION request)
{
return static_cast<nsNSSHttpRequestSession*>(request)
->freeFcn();
}
static void initTable();
static SEC_HttpClientFcn sNSSInterfaceTable;
-
- void registerHttpClient();
- void unregisterHttpClient();
};
#endif // _NSNSSCALLBACKS_H_
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@@ -44,17 +44,16 @@
#include "nspr.h"
#include "certdb.h"
#include "secerr.h"
#include "nssb64.h"
#include "secasn1.h"
#include "secder.h"
#include "ssl.h"
-#include "ocsp.h"
#include "plbase64.h"
using namespace mozilla;
using namespace mozilla::psm;
#ifdef PR_LOGGING
extern PRLogModuleInfo* gPIPNSSLog;
#endif
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp
@@ -42,17 +42,16 @@
#include "nspr.h"
#include "certdb.h"
#include "secerr.h"
#include "nssb64.h"
#include "secasn1.h"
#include "secder.h"
#include "ssl.h"
-#include "ocsp.h"
#include "plbase64.h"
using namespace mozilla;
using namespace mozilla::psm;
using mozilla::psm::SharedSSLState;
#ifdef PR_LOGGING
extern PRLogModuleInfo* gPIPNSSLog;
@@ -1811,19 +1810,11 @@ nsNSSCertificateDB::ClearOCSPCache()
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
- if (certVerifier->mImplementation == CertVerifier::mozillapkix) {
- certVerifier->ClearOCSPCache();
- } else {
- SECStatus srv = CERT_ClearOCSPCache();
- if (srv != SECSuccess) {
- return MapSECStatus(srv);
- }
- }
-
+ certVerifier->ClearOCSPCache();
return NS_OK;
}
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -53,17 +53,16 @@
#include "SharedSSLState.h"
#include "NSSErrorsService.h"
#include "nss.h"
#include "ssl.h"
#include "sslproto.h"
#include "secmod.h"
#include "secmime.h"
-#include "ocsp.h"
#include "secerr.h"
#include "sslerr.h"
#include "nsXULAppAPI.h"
#ifdef XP_WIN
#include "nsILocalFileWin.h"
#endif
@@ -238,20 +237,20 @@ bool EnsureNSSInitialized(EnsureNSSOpera
default:
NS_ASSERTION(false, "Bad operator to EnsureNSSInitialized");
return false;
}
}
static void
-SetClassicOCSPBehaviorFromPrefs(/*out*/ CertVerifier::ocsp_download_config* odc,
- /*out*/ CertVerifier::ocsp_strict_config* osc,
- /*out*/ CertVerifier::ocsp_get_config* ogc,
- const MutexAutoLock& /*proofOfLock*/)
+GetOCSPBehaviorFromPrefs(/*out*/ CertVerifier::ocsp_download_config* odc,
+ /*out*/ CertVerifier::ocsp_strict_config* osc,
+ /*out*/ CertVerifier::ocsp_get_config* ogc,
+ const MutexAutoLock& /*proofOfLock*/)
{
MOZ_ASSERT(NS_IsMainThread());
MOZ_ASSERT(odc);
MOZ_ASSERT(osc);
MOZ_ASSERT(ogc);
// 0 = disabled, otherwise enabled
*odc = Preferences::GetInt("security.OCSP.enabled", 1)
@@ -262,18 +261,16 @@ SetClassicOCSPBehaviorFromPrefs(/*out*/
? CertVerifier::ocsp_strict
: CertVerifier::ocsp_relaxed;
// XXX: Always use POST for OCSP; see bug 871954 for undoing this.
*ogc = Preferences::GetBool("security.OCSP.GET.enabled", false)
? CertVerifier::ocsp_get_enabled
: CertVerifier::ocsp_get_disabled;
- SetClassicOCSPBehavior(*odc, *osc, *ogc);
-
SSL_ClearSessionCache();
}
nsNSSComponent::nsNSSComponent()
:mutex("nsNSSComponent.mutex"),
mNSSInitialized(false),
#ifndef MOZ_DISABLE_CRYPTOLEGACY
mThreadList(nullptr),
@@ -986,92 +983,38 @@ void nsNSSComponent::setValidationOption
// We measure the setting of the pref at startup only to minimize noise by
// addons that may muck with the settings, though it probably doesn't matter.
if (isInitialSetting) {
Telemetry::Accumulate(Telemetry::CERT_OCSP_ENABLED, ocspEnabled);
Telemetry::Accumulate(Telemetry::CERT_OCSP_REQUIRED, ocspRequired);
}
-#ifndef NSS_NO_LIBPKIX
- bool crlDownloading = Preferences::GetBool("security.CRL_download.enabled",
- false);
- bool aiaDownloadEnabled =
- Preferences::GetBool("security.missing_cert_download.enabled", false);
-
-#endif
bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling",
true);
PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
- CertVerifier::implementation_config certVerifierImplementation
- = CertVerifier::classic;
-
- // The mozilla::pkix pref overrides the libpkix pref
- if (Preferences::GetBool("security.use_mozillapkix_verification", true)) {
- certVerifierImplementation = CertVerifier::mozillapkix;
- } else {
-#ifndef NSS_NO_LIBPKIX
- if (Preferences::GetBool("security.use_libpkix_verification", false)) {
- certVerifierImplementation = CertVerifier::libpkix;
- }
-#endif
- }
-
- if (isInitialSetting) {
- if (certVerifierImplementation == CertVerifier::classic) {
- Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 1);
-#ifndef NSS_NO_LIBPKIX
- } else if (certVerifierImplementation == CertVerifier::libpkix) {
- Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 2);
-#endif
- } else if (certVerifierImplementation == CertVerifier::mozillapkix) {
- Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 3);
- }
- }
-
// Default pinning enforcement level is disabled.
CertVerifier::pinning_enforcement_config
pinningEnforcementLevel =
static_cast<CertVerifier::pinning_enforcement_config>
(Preferences::GetInt("security.cert_pinning.enforcement_level",
CertVerifier::pinningDisabled));
if (pinningEnforcementLevel > CertVerifier::pinningEnforceTestMode) {
pinningEnforcementLevel = CertVerifier::pinningDisabled;
}
CertVerifier::ocsp_download_config odc;
CertVerifier::ocsp_strict_config osc;
CertVerifier::ocsp_get_config ogc;
- SetClassicOCSPBehaviorFromPrefs(&odc, &osc, &ogc, lock);
- mDefaultCertVerifier = new SharedCertVerifier(
- certVerifierImplementation,
-#ifndef NSS_NO_LIBPKIX
- aiaDownloadEnabled ?
- CertVerifier::missing_cert_download_on : CertVerifier::missing_cert_download_off,
- crlDownloading ?
- CertVerifier::crl_download_allowed : CertVerifier::crl_local_only,
-#endif
- odc, osc, ogc, pinningEnforcementLevel);
-
- // mozilla::pkix has its own OCSP cache, so disable the NSS cache
- // if appropriate.
- if (certVerifierImplementation == CertVerifier::mozillapkix) {
- // Using -1 disables the cache. The other arguments are the default
- // values and aren't exposed by the API.
- CERT_OCSPCacheSettings(-1, 1*60*60L, 24*60*60L);
- } else {
- // Using 1000 enables the cache with the default size of 1000. Again,
- // these values are not exposed by the API.
- CERT_OCSPCacheSettings(1000, 1*60*60L, 24*60*60L);
- }
-
- CERT_ClearOCSPCache();
+ GetOCSPBehaviorFromPrefs(&odc, &osc, &ogc, lock);
+ mDefaultCertVerifier = new SharedCertVerifier(odc, osc, ogc,
+ pinningEnforcementLevel);
}
// Enable the TLS versions given in the prefs, defaulting to SSL 3.0 (min
// version) and TLS 1.2 (max version) when the prefs aren't set or set to
// invalid values.
nsresult
nsNSSComponent::setEnabledTLSVersions()
{
@@ -1270,17 +1213,16 @@ nsNSSComponent::InitializeNSS()
PR_LOG(gPIPNSSLog, PR_LOG_ERROR, ("Unable to initialize cipher suite settings\n"));
return NS_ERROR_FAILURE;
}
// dynamic options from prefs
setValidationOptions(true, lock);
mHttpForNSS.initTable();
- mHttpForNSS.registerHttpClient();
#ifndef MOZ_DISABLE_CRYPTOLEGACY
LaunchSmartCardThreads();
#endif
RegisterPSMErrorTable();
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("NSS Initialization done\n"));
@@ -1296,17 +1238,16 @@ nsNSSComponent::ShutdownNSS()
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSComponent::ShutdownNSS\n"));
MutexAutoLock lock(mutex);
if (mNSSInitialized) {
mNSSInitialized = false;
PK11_SetPasswordFunc((PK11PasswordFunc)nullptr);
- mHttpForNSS.unregisterHttpClient();
Preferences::RemoveObserver(this, "security.");
if (NS_FAILED(CipherSuiteChangeObserver::StopObserve())) {
PR_LOG(gPIPNSSLog, PR_LOG_ERROR, ("nsNSSComponent::ShutdownNSS cannot stop observing cipher suite change\n"));
}
#ifndef MOZ_DISABLE_CRYPTOLEGACY
ShutdownSmartCardThreads();
@@ -1665,24 +1606,19 @@ nsNSSComponent::Observe(nsISupports* aSu
SSL_OptionSetDefault(SSL_ENABLE_NPN,
Preferences::GetBool("security.ssl.enable_npn",
NPN_ENABLED_DEFAULT));
} else if (prefName.EqualsLiteral("security.ssl.enable_alpn")) {
SSL_OptionSetDefault(SSL_ENABLE_ALPN,
Preferences::GetBool("security.ssl.enable_alpn",
ALPN_ENABLED_DEFAULT));
} else if (prefName.EqualsLiteral("security.OCSP.enabled") ||
- prefName.EqualsLiteral("security.CRL_download.enabled") ||
- prefName.EqualsLiteral("security.fresh_revocation_info.require") ||
- prefName.EqualsLiteral("security.missing_cert_download.enabled") ||
prefName.EqualsLiteral("security.OCSP.require") ||
prefName.EqualsLiteral("security.OCSP.GET.enabled") ||
prefName.EqualsLiteral("security.ssl.enable_ocsp_stapling") ||
- prefName.EqualsLiteral("security.use_mozillapkix_verification") ||
- prefName.EqualsLiteral("security.use_libpkix_verification") ||
prefName.EqualsLiteral("security.cert_pinning.enforcement_level")) {
MutexAutoLock lock(mutex);
setValidationOptions(false, lock);
} else if (prefName.EqualsLiteral("network.ntlm.send-lm-response")) {
bool sendLM = Preferences::GetBool("network.ntlm.send-lm-response",
SEND_LM_DEFAULT);
nsNTLMAuthModule::SetSendLM(sendLM);
clearSessionCache = false;
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -8,16 +8,17 @@
#include "pkix/pkixtypes.h"
#include "nsNSSComponent.h"
#include "mozilla/Casting.h"
#include "mozilla/DebugOnly.h"
#include "mozilla/Telemetry.h"
#include "prlog.h"
+#include "prmem.h"
#include "prnetdb.h"
#include "nsIPrefService.h"
#include "nsIClientAuthDialogs.h"
#include "nsClientAuthRemember.h"
#include "nsISSLErrorListener.h"
#include "nsNetUtil.h"
#include "nsPrintfCString.h"
--- a/security/manager/ssl/tests/unit/test_cert_eku.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku.js
@@ -18,17 +18,16 @@ function cert_from_file(filename) {
function load_cert(cert_name, trust_string) {
var cert_filename = cert_name + ".der";
addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
return cert_from_file(cert_filename);
}
function run_test() {
load_cert("ca", "CT,CT,CT");
- Services.prefs.setBoolPref("security.use_mozillapkix_verification", true);
checkCertErrorGeneric(certdb, load_cert('int-EKU-CA', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA);
checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), 0, certificateUsageSSLClient);
checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLServer);
checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_KEY_USAGE, certificateUsageSSLCA);
checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageStatusResponder);
--- a/security/manager/ssl/tests/unit/test_cert_eku/generate.py
+++ b/security/manager/ssl/tests/unit/test_cert_eku/generate.py
@@ -64,17 +64,16 @@ function cert_from_file(filename) {
function load_cert(cert_name, trust_string) {
var cert_filename = cert_name + ".der";
addCertFromFile(certdb, "test_cert_eku/" + cert_filename, trust_string);
return cert_from_file(cert_filename);
}
function run_test() {
load_cert("ca", "CT,CT,CT");
- Services.prefs.setBoolPref("security.use_mozillapkix_verification", true);
"""
js_file_footer = """}
"""
def gen_int_js_output(int_string):
expectedResult = "SEC_ERROR_INADEQUATE_CERT_TYPE"
# For a certificate to verify successfully as a SSL CA, it must either
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -47,214 +47,150 @@ function add_non_overridable_test(aHost,
}
function check_telemetry() {
let histogram = Cc["@mozilla.org/base/telemetry;1"]
.getService(Ci.nsITelemetry)
.getHistogramById("SSL_CERT_ERROR_OVERRIDES")
.snapshot();
do_check_eq(histogram.counts[ 0], 0);
- do_check_eq(histogram.counts[ 2], 8 + 1); // SEC_ERROR_UNKNOWN_ISSUER
- do_check_eq(histogram.counts[ 3], 0); // SEC_ERROR_CA_CERT_INVALID
- do_check_eq(histogram.counts[ 4], 0 + 5); // SEC_ERROR_UNTRUSTED_ISSUER
- do_check_eq(histogram.counts[ 5], 0 + 1); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
- do_check_eq(histogram.counts[ 6], 0 + 1); // SEC_ERROR_UNTRUSTED_CERT
- do_check_eq(histogram.counts[ 7], 0 + 1); // SEC_ERROR_INADEQUATE_KEY_USAGE
- do_check_eq(histogram.counts[ 8], 2 + 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
- do_check_eq(histogram.counts[ 9], 4 + 4); // SSL_ERROR_BAD_CERT_DOMAIN
- do_check_eq(histogram.counts[10], 5 + 5); // SEC_ERROR_EXPIRED_CERTIFICATE
+ do_check_eq(histogram.counts[ 2], 8); // SEC_ERROR_UNKNOWN_ISSUER
+ do_check_eq(histogram.counts[ 3], 0); // SEC_ERROR_CA_CERT_INVALID
+ do_check_eq(histogram.counts[ 4], 0); // SEC_ERROR_UNTRUSTED_ISSUER
+ do_check_eq(histogram.counts[ 5], 0); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
+ do_check_eq(histogram.counts[ 6], 0); // SEC_ERROR_UNTRUSTED_CERT
+ do_check_eq(histogram.counts[ 7], 0); // SEC_ERROR_INADEQUATE_KEY_USAGE
+ do_check_eq(histogram.counts[ 8], 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+ do_check_eq(histogram.counts[ 9], 4); // SSL_ERROR_BAD_CERT_DOMAIN
+ do_check_eq(histogram.counts[10], 5); // SEC_ERROR_EXPIRED_CERTIFICATE
run_next_test();
}
function run_test() {
add_tls_server_setup("BadCertServer");
let fakeOCSPResponder = new HttpServer();
fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
});
fakeOCSPResponder.start(8080);
- add_tests_in_mode(true);
- add_tests_in_mode(false);
+ add_simple_tests();
+ add_combo_tests();
+ add_distrust_tests();
add_test(function () {
fakeOCSPResponder.stop(check_telemetry);
});
run_next_test();
}
-function add_tests_in_mode(useMozillaPKIX) {
- add_test(function () {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification",
- useMozillaPKIX);
- run_next_test();
- });
-
- add_simple_tests(useMozillaPKIX);
- add_combo_tests(useMozillaPKIX);
- add_distrust_tests(useMozillaPKIX);
-
- add_test(function () {
- certOverrideService.clearValidityOverride("all:temporary-certificates", 0);
- run_next_test();
- });
-}
-
-function add_simple_tests(useMozillaPKIX) {
+function add_simple_tests() {
add_cert_override_test("expired.example.com",
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE));
- if (useMozillaPKIX) {
- add_cert_override_test("selfsigned.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
- } else {
- add_non_overridable_test("selfsigned.example.com",
- SEC_ERROR_CA_CERT_INVALID);
- }
+ add_cert_override_test("selfsigned.example.com",
+ Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+ getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
add_cert_override_test("unknownissuer.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
add_cert_override_test("expiredissuer.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- getXPCOMStatusFromNSS(
- useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
+ getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
add_cert_override_test("md5signature.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
add_cert_override_test("mismatch.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH,
getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
// A Microsoft IIS utility generates self-signed certificates with
// properties similar to the one this "host" will present (see
// tlsserver/generate_certs.sh).
- // One of the errors classic verification collects is that this
- // certificate has an inadequate key usage to sign a certificate
- // (i.e. itself). As a result, to be able to override this,
- // SEC_ERROR_INADEQUATE_KEY_USAGE must be overridable (although,
- // confusingly, this isn't the main error reported).
- // mozilla::pkix just says this certificate's issuer is unknown.
- if (useMozillaPKIX) {
- add_cert_override_test("selfsigned-inadequateEKU.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
- } else {
- add_non_overridable_test("selfsigned-inadequateEKU.example.com",
- SEC_ERROR_CA_CERT_INVALID);
- }
+ add_cert_override_test("selfsigned-inadequateEKU.example.com",
+ Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+ getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
- // SEC_ERROR_INADEQUATE_KEY_USAGE is overridable in general for
- // classic verification, but not for mozilla::pkix verification.
- if (useMozillaPKIX) {
- add_non_overridable_test("inadequatekeyusage.example.com",
- SEC_ERROR_INADEQUATE_KEY_USAGE);
- } else {
- add_cert_override_test("inadequatekeyusage.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE));
- }
+ add_non_overridable_test("inadequatekeyusage.example.com",
+ SEC_ERROR_INADEQUATE_KEY_USAGE);
// Bug 990603: Apache documentation has recommended generating a self-signed
// test certificate with basic constraints: CA:true. For compatibility, this
// is a scenario in which an override is allowed.
add_cert_override_test("self-signed-end-entity-with-cA-true.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- getXPCOMStatusFromNSS(
- useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER));
+ getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
}
-function add_combo_tests(useMozillaPKIX) {
- // Note that "untrusted" here really is "unknown issuer" in the
- // mozilla::pkix case.
-
+function add_combo_tests() {
add_cert_override_test("mismatch-expired.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
add_cert_override_test("mismatch-untrusted.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- getXPCOMStatusFromNSS(
- useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER));
+ getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
add_cert_override_test("untrusted-expired.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_TIME,
- getXPCOMStatusFromNSS(
- useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER));
+ getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
add_cert_override_test("mismatch-untrusted-expired.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_TIME,
- getXPCOMStatusFromNSS(
- useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER));
+ getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
add_cert_override_test("md5signature-expired.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
}
-function add_distrust_tests(useMozillaPKIX) {
+function add_distrust_tests() {
// Before we specifically distrust this certificate, it should be trusted.
add_connection_test("untrusted.example.com", Cr.NS_OK);
- // XXX(Bug 975777): Active distrust is an overridable error when NSS-based
- // verification is used.
add_distrust_override_test("tlsserver/default-ee.der",
"untrusted.example.com",
- getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT),
- useMozillaPKIX
- ? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT)
- : Cr.NS_OK);
+ getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT));
- // XXX(Bug 975777): Active distrust is an overridable error when NSS-based
- // verification is used.
add_distrust_override_test("tlsserver/other-test-ca.der",
"untrustedissuer.example.com",
- getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER),
- useMozillaPKIX
- ? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER)
- : Cr.NS_OK);
+ getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER));
}
-function add_distrust_override_test(certFileName, hostName,
- expectedResultBefore, expectedResultAfter) {
+function add_distrust_override_test(certFileName, hostName, expectedResult) {
let certToDistrust = constructCertFromFile(certFileName);
add_test(function () {
// Add an entry to the NSS certDB that says to distrust the cert
setCertTrust(certToDistrust, "pu,,");
clearSessionCache();
run_next_test();
});
- add_connection_test(hostName, expectedResultBefore, null,
+ add_connection_test(hostName, expectedResult, null,
function (securityInfo) {
securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
// XXX(Bug 754369): SSLStatus isn't available for
// non-overridable errors.
if (securityInfo.SSLStatus) {
certOverrideService.rememberValidityOverride(
hostName, 8443, securityInfo.SSLStatus.serverCert,
Ci.nsICertOverrideService.ERROR_UNTRUSTED, true);
} else {
// A missing SSLStatus probably means (due to bug
// 754369) that the error was non-overridable, which
// is what we're trying to test, though we'd rather
// not test it this way.
- do_check_neq(expectedResultAfter, Cr.NS_OK);
+ do_check_neq(expectedResult, Cr.NS_OK);
}
clearSessionCache();
});
- add_connection_test(hostName, expectedResultAfter, null,
+ add_connection_test(hostName, expectedResult, null,
function () {
setCertTrust(certToDistrust, "u,,");
});
}
--- a/security/manager/ssl/tests/unit/test_cert_signatures.js
+++ b/security/manager/ssl/tests/unit/test_cert_signatures.js
@@ -40,39 +40,29 @@ function check_ca(ca_name) {
}
function run_test() {
// Load the ca into mem
load_ca("ca-rsa");
load_ca("ca-p384");
load_ca("ca-dsa");
- run_test_in_mode(true);
- run_test_in_mode(false);
-}
-
-function run_test_in_mode(useMozillaPKIX) {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
clearOCSPCache();
clearSessionCache();
check_ca("ca-rsa");
check_ca("ca-p384");
check_ca("ca-dsa");
// mozilla::pkix does not allow CA certs to be validated for end-entity
// usages.
- let int_usage = useMozillaPKIX
- ? 'SSL CA'
- : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
+ const int_usage = 'SSL CA';
// mozilla::pkix doesn't implement the Netscape Object Signer restriction.
- const ee_usage = useMozillaPKIX
- ? 'Client,Server,Sign,Encrypt,Object Signer'
- : 'Client,Server,Sign,Encrypt';
+ const ee_usage = 'Client,Server,Sign,Encrypt,Object Signer';
let cert2usage = {
// certs without the "int" prefix are end entity certs.
'int-rsa-valid': int_usage,
'rsa-valid': ee_usage,
'int-p384-valid': int_usage,
'p384-valid': ee_usage,
'int-dsa-valid': int_usage,
--- a/security/manager/ssl/tests/unit/test_cert_trust.js
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -34,223 +34,166 @@ function check_cert_err_generic(cert, ex
do_print("cert issuer cn=" + cert.issuerCommonName);
let hasEVPolicy = {};
let verifiedChain = {};
let error = certdb.verifyCertNow(cert, usage,
NO_FLAGS, verifiedChain, hasEVPolicy);
do_check_eq(error, expected_error);
};
-function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKIX) {
+function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
// On reset most usages are successful
check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA); // expected no bc
check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, 0,
certificateUsageObjectSigner); // expected
- check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
- : 0,
+ check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
// mozilla::pkix enforces that certificase must have a basic constraints
// extension with cA:true to be a CA certificate, whereas classic does not
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder); //expected
// Test of active distrust. No usage should pass.
setCertTrust(cert_to_modify_trust, 'p,p,p');
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageObjectSigner);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
- : 0,
+ check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
// In mozilla::pkix (but not classic verification), certificate chain
// properties are checked before the end-entity. Thus, if we're using
// mozilla::pkix and the root certificate has been distrusted, the error
// will be "untrusted issuer" and not "inadequate cert type".
- check_cert_err_generic(ee_cert, (!isRootCA && useMozillaPKIX)
- ? SEC_ERROR_UNTRUSTED_ISSUER
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert,
+ !isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
+ : SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
-
// Trust set to T - trusted CA to issue client certs, where client cert is
// usageSSLClient.
setCertTrust(cert_to_modify_trust, 'T,T,T');
- check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER
- : 0,
+ check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageSSLServer);
- check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340
- : 0
- : 0,
+ // XXX(Bug 982340)
+ check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageSSLClient);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+
+ check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
- check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER
- : 0,
+ check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageEmailSigner);
- check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER
- : 0,
+ check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageEmailRecipient);
- check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_INADEQUATE_CERT_TYPE
- : useMozillaPKIX ? 0
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageObjectSigner);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
- : 0,
+ check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
// Now tests on the SSL trust bit
setCertTrust(cert_to_modify_trust, 'p,C,C');
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 //XXX Bug 982340
- : SEC_ERROR_UNTRUSTED_ISSUER,
- certificateUsageSSLClient);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+
+ //XXX(Bug 982340)
+ check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
+ check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
- certificateUsageObjectSigner);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
- : 0,
+ check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
+ check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
- // In mozilla::pkix (but not classic verification), certificate chain
- // properties are checked before the end-entity. Thus, if we're using
- // mozilla::pkix and the root certificate has been distrusted, the error
- // will be "untrusted issuer" and not "inadequate cert type".
- check_cert_err_generic(ee_cert, (!isRootCA && useMozillaPKIX)
- ? SEC_ERROR_UNTRUSTED_ISSUER
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert,
+ isRootCA ? SEC_ERROR_INADEQUATE_CERT_TYPE
+ : SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageStatusResponder);
// Inherited trust SSL
setCertTrust(cert_to_modify_trust, ',C,C');
- check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER
- : 0,
+ check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageSSLServer);
- check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? 0 // XXX Bug 982340
- : SEC_ERROR_UNTRUSTED_ISSUER
- : 0,
- certificateUsageSSLClient);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ // XXX(Bug 982340)
+ check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
+ check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
- certificateUsageObjectSigner);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
- : 0,
+ check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
+ check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
// Now tests on the EMAIL trust bit
setCertTrust(cert_to_modify_trust, 'C,p,C');
check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
- check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
- : useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
- : 0, // mozilla::pkix is OK, NSS bug
+ check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
- certificateUsageObjectSigner);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
- : 0,
+ check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
+ check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
//inherited EMAIL Trust
setCertTrust(cert_to_modify_trust, 'C,,C');
check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
- check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER
- : 0,
+ check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageSSLClient);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
- check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER
- : 0,
+ check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageEmailSigner);
- check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER
- : 0,
+ check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageEmailRecipient);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
- certificateUsageObjectSigner);
- check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
- : 0,
+ check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
+ check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
}
-function run_test_in_mode(useMozillaPKIX) {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
+function run_test() {
+ for (let i = 0 ; i < certList.length; i++) {
+ load_cert(certList[i], ',,');
+ }
let ca_cert = certdb.findCertByNickname(null, 'ca');
do_check_false(!ca_cert)
let int_cert = certdb.findCertByNickname(null, 'int');
do_check_false(!int_cert)
let ee_cert = certdb.findCertByNickname(null, 'ee');
do_check_false(!ee_cert);
setup_basic_trusts(ca_cert, int_cert);
- test_ca_distrust(ee_cert, ca_cert, true, useMozillaPKIX);
+ test_ca_distrust(ee_cert, ca_cert, true);
setup_basic_trusts(ca_cert, int_cert);
- test_ca_distrust(ee_cert, int_cert, false, useMozillaPKIX);
+ test_ca_distrust(ee_cert, int_cert, false);
}
-
-function run_test() {
- for (let i = 0 ; i < certList.length; i++) {
- load_cert(certList[i], ',,');
- }
-
- run_test_in_mode(true);
- run_test_in_mode(false);
-}
--- a/security/manager/ssl/tests/unit/test_cert_version.js
+++ b/security/manager/ssl/tests/unit/test_cert_version.js
@@ -39,31 +39,30 @@ function check_ca_err(cert, expected_err
function check_ok(x) {
return check_cert_err(x, 0);
}
function check_ok_ca(x) {
return check_cert_err_generic(x, 0, certificateUsageSSLCA);
}
-function run_tests_in_mode(useMozillaPKIX)
-{
- Services.prefs.setBoolPref("security.use_mozillapkix_verification",
- useMozillaPKIX);
+function run_test() {
+ load_cert("v1_ca", "CTu,CTu,CTu");
+ load_cert("v1_ca_bc", "CTu,CTu,CTu");
+ load_cert("v2_ca", "CTu,CTu,CTu");
+ load_cert("v2_ca_bc", "CTu,CTu,CTu");
+ load_cert("v3_ca", "CTu,CTu,CTu");
+ load_cert("v3_ca_missing_bc", "CTu,CTu,CTu");
check_ok_ca(cert_from_file('v1_ca.der'));
- check_ca_err(cert_from_file('v1_ca_bc.der'),
- useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0);
- check_ca_err(cert_from_file('v2_ca.der'),
- useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0);
- check_ca_err(cert_from_file('v2_ca_bc.der'),
- useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0);
+ check_ca_err(cert_from_file('v1_ca_bc.der'), SEC_ERROR_EXTENSION_VALUE_INVALID);
+ check_ca_err(cert_from_file('v2_ca.der'), SEC_ERROR_CA_CERT_INVALID);
+ check_ca_err(cert_from_file('v2_ca_bc.der'), SEC_ERROR_EXTENSION_VALUE_INVALID);
check_ok_ca(cert_from_file('v3_ca.der'));
- check_ca_err(cert_from_file('v3_ca_missing_bc.der'),
- useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0);
+ check_ca_err(cert_from_file('v3_ca_missing_bc.der'), SEC_ERROR_CA_CERT_INVALID);
// Classic allows v1 and v2 certs to be CA certs in trust anchor positions and
// intermediates when they have a v3 basic constraints extenstion (which
// makes them invalid certs). Insanity only allows v1 certs to be CA in
// anchor position (even if they have invalid encodings), v2 certs are not
// considered CAs in any position.
// Note that currently there are no change of behavior based on the
// version of the end entity.
@@ -71,714 +70,476 @@ function run_tests_in_mode(useMozillaPKI
let ee_error = 0;
let ca_error = 0;
//////////////
// v1 CA supersection
//////////////////
// v1 intermediate with v1 trust anchor
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v1_int-v1_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), ee_error);
// v1 intermediate with v3 extensions. CA is invalid.
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v1_int_bc-v1_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
// A v2 intermediate with a v1 CA
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v1_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), ee_error);
// A v2 intermediate with basic constraints (not allowed in insanity)
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v2_int_bc-v1_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
// Section is OK. A x509 v3 CA MUST have bc
// http://tools.ietf.org/html/rfc5280#section-4.2.1.9
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
- check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error);
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
+ check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
// It is valid for a v1 ca to sign a v3 intemediate.
check_ok_ca(cert_from_file('v3_int-v1_ca.der'));
check_ok(cert_from_file('v1_ee-v3_int-v1_ca.der'));
check_ok(cert_from_file('v2_ee-v3_int-v1_ca.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca.der'));
check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca.der'));
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'), ee_error);
// The next groups change the v1 ca for a v1 ca with base constraints
// (invalid trust anchor). The error pattern is the same as the groups
// above
// Using A v1 intermediate
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
// Using a v1 intermediate with v3 extenstions (invalid).
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v1_int_bc-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
// Using v2 intermediate
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
// Using a v2 intermediate with basic constraints (invalid)
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v2_int_bc-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
// Using a v3 intermediate that is missing basic constraints (invalid)
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
// these should pass assuming we are OK with v1 ca signing v3 intermediates
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v3_int-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
//////////////
// v2 CA supersection
//////////////////
// v2 ca, v1 intermediate
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v1_int-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), ee_error)
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), ee_error);
// v2 ca, v1 intermediate with basic constraints (invalid)
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
// v2 ca, v2 intermediate
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), ee_error)
// v2 ca, v2 intermediate with basic constraints (invalid)
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v2_int_bc-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
// v2 ca, v3 intermediate missing basic constraints
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
// v2 ca, v3 intermediate
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), ee_error);
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), ee_error);
// v2 ca, v1 intermediate
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
// v2 ca, v1 intermediate with bc (invalid)
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v1_int_bc-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
// v2 ca, v2 intermediate
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
// v2 ca, v2 intermediate with bc (invalid)
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v2_int_bc-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
// v2 ca, invalid v3 intermediate
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error)
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
// v2 ca, valid v3 intermediate (is OK if we use 'classic' semantics)
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v3_int-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
//////////////
// v3 CA supersection
//////////////////
// v3 ca, v1 intermediate
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v1_int-v3_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), ee_error);
// A v1 intermediate with v3 extensions
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v1_int_bc-v3_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'), ee_error)
// reject a v2 cert as intermediate
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v3_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), ee_error);
// v2 intermediate with bc (invalid)
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v2_int_bc-v3_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
// invalid v3 intermediate
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
// I dont think that v3 intermediates should be allowed to sign v1 or v2
// certs, but other thanthat this is what we usually get in the wild.
check_ok_ca(cert_from_file('v3_int-v3_ca.der'));
check_ok(cert_from_file('v1_ee-v3_int-v3_ca.der'));
check_ok(cert_from_file('v2_ee-v3_int-v3_ca.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca.der'));
check_ok(cert_from_file('v3_bc_ee-v3_int-v3_ca.der'));
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'), ee_error);
// v3 CA, invalid v3 intermediate
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
// Int v1 with BC that is just invalid (classic fail insanity OK)
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
// Good section (all fail)
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
// v2 intermediate (even with basic constraints) is invalid
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
// v3 intermediate missing basic constraints is invalid
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
- ee_error = SEC_ERROR_UNKNOWN_ISSUER;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
- if (useMozillaPKIX) {
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- }
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
// With a v3 root missing bc and valid v3 intermediate
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_CA_CERT_INVALID;
- ee_error = SEC_ERROR_CA_CERT_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_CA_CERT_INVALID;
+ ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
- if (useMozillaPKIX) {
- ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
- } else {
- ca_error = 0;
- ee_error = 0;
- }
+ ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
+ ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
}
-
-function run_test() {
- load_cert("v1_ca", "CTu,CTu,CTu");
- load_cert("v1_ca_bc", "CTu,CTu,CTu");
- load_cert("v2_ca", "CTu,CTu,CTu");
- load_cert("v2_ca_bc", "CTu,CTu,CTu");
- load_cert("v3_ca", "CTu,CTu,CTu");
- load_cert("v3_ca_missing_bc", "CTu,CTu,CTu");
-
- run_tests_in_mode(false);
- run_tests_in_mode(true);
-}
--- a/security/manager/ssl/tests/unit/test_certificate_usages.js
+++ b/security/manager/ssl/tests/unit/test_certificate_usages.js
@@ -26,96 +26,74 @@ function run_test() {
for (var i = 0; i < gNumCAs; i++) {
var ca_name = "ca-" + (i + 1);
var ca_filename = ca_name + ".der";
addCertFromFile(certdb, "test_certificate_usages/" + ca_filename, "CTu,CTu,CTu");
do_print("ca_name=" + ca_name);
var cert = certdb.findCertByNickname(null, ca_name);
}
- run_test_in_mode(true);
- run_test_in_mode(false);
-}
-
-function run_test_in_mode(useMozillaPKIX) {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
- clearOCSPCache();
- clearSessionCache();
-
- // mozilla::pkix does not allow CA certs to be validated for non-CA usages.
- var allCAUsages = useMozillaPKIX
- ? 'SSL CA'
- : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
-
// mozilla::pkix doesn't allow CA certificates to have the Status Responder
// EKU.
- var ca_usages = [allCAUsages,
+ var ca_usages = ['SSL CA',
'SSL CA',
- allCAUsages,
- useMozillaPKIX ? ''
- : 'Client,Server,Sign,Encrypt,Status Responder'];
+ 'SSL CA',
+ ''];
// mozilla::pkix doesn't implement the Netscape Object Signer restriction.
- var basicEndEntityUsages = useMozillaPKIX
- ? 'Client,Server,Sign,Encrypt,Object Signer'
- : 'Client,Server,Sign,Encrypt';
+ var basicEndEntityUsages = 'Client,Server,Sign,Encrypt,Object Signer';
var basicEndEntityUsagesWithObjectSigner = basicEndEntityUsages + ",Object Signer"
- // mozilla::pkix won't let a certificate with the "Status Responder" EKU get
+ // mozilla::pkix won't let a certificate with the 'Status Responder' EKU get
// validated for any other usage.
- var statusResponderUsages = (useMozillaPKIX ? "" : "Server,") + "Status Responder";
- var statusResponderUsagesFull
- = useMozillaPKIX ? statusResponderUsages
- : basicEndEntityUsages + ',Object Signer,Status Responder';
-
var ee_usages = [
[ basicEndEntityUsages,
basicEndEntityUsages,
basicEndEntityUsages,
'',
- statusResponderUsagesFull,
+ 'Status Responder',
'Client,Server',
'Sign,Encrypt,Object Signer',
- statusResponderUsages
+ 'Status Responder'
],
[ basicEndEntityUsages,
basicEndEntityUsages,
basicEndEntityUsages,
'',
- statusResponderUsagesFull,
+ 'Status Responder',
'Client,Server',
'Sign,Encrypt,Object Signer',
- statusResponderUsages
+ 'Status Responder'
],
[ basicEndEntityUsages,
basicEndEntityUsages,
basicEndEntityUsages,
'',
- statusResponderUsagesFull,
+ 'Status Responder',
'Client,Server',
'Sign,Encrypt,Object Signer',
- statusResponderUsages
+ 'Status Responder'
],
// The CA has isCA=true without keyCertSign.
//
// The 'classic' NSS mode uses the 'union' of the
// capabilites so the cert is considered a CA.
// mozilla::pkix and libpkix use the intersection of
// capabilites, so the cert is NOT considered a CA.
- [ useMozillaPKIX ? '' : basicEndEntityUsages,
- useMozillaPKIX ? '' : basicEndEntityUsages,
- useMozillaPKIX ? '' : basicEndEntityUsages,
+ [ '',
+ '',
+ '',
'',
- useMozillaPKIX ? '' : statusResponderUsagesFull,
- useMozillaPKIX ? '' : 'Client,Server',
- useMozillaPKIX ? '' : 'Sign,Encrypt,Object Signer',
- useMozillaPKIX ? '' : 'Server,Status Responder'
+ '',
+ '',
+ '',
+ ''
]
];
do_check_eq(gNumCAs, ca_usages.length);
for (var i = 0; i < gNumCAs; i++) {
var ca_name = "ca-" + (i + 1);
var verified = {};
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -75,28 +75,16 @@ function run_test() {
addCertFromFile(certdb, "test_ev_certs/" + cert_filename, ',,');
}
load_ca("evroot");
load_ca("non-evroot-ca");
// setup and start ocsp responder
Services.prefs.setCharPref("network.dns.localDomains",
'www.example.com, crl.example.com');
- add_tests_in_mode(true);
- add_tests_in_mode(false);
- run_next_test();
-}
-
-function add_tests_in_mode(useMozillaPKIX)
-{
- add_test(function () {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification",
- useMozillaPKIX);
- run_next_test();
- });
add_test(function () {
clearOCSPCache();
let ocspResponder = start_ocsp_responder(
isDebugBuild ? ["int-ev-valid", "ev-valid"]
: ["ev-valid"]);
check_ee_for_ev("ev-valid", isDebugBuild);
ocspResponder.stop(run_next_test);
@@ -133,19 +121,17 @@ function add_tests_in_mode(useMozillaPKI
// bug 917380: Chcek that an untrusted EV root is untrusted.
const nsIX509Cert = Ci.nsIX509Cert;
add_test(function() {
let evRootCA = certdb.findCertByNickname(null, evrootnick);
certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
- check_cert_err("ev-valid",
- useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_UNTRUSTED_ISSUER);
+ check_cert_err("ev-valid",SEC_ERROR_UNKNOWN_ISSUER);
ocspResponder.stop(run_next_test);
});
// bug 917380: Chcek that a trusted EV root is trusted after disabling and
// re-enabling trust.
add_test(function() {
let evRootCA = certdb.findCertByNickname(null, evrootnick);
certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
@@ -157,34 +143,25 @@ function add_tests_in_mode(useMozillaPKI
let ocspResponder = start_ocsp_responder(
isDebugBuild ? ["int-ev-valid", "ev-valid"]
: ["ev-valid"]);
check_ee_for_ev("ev-valid", isDebugBuild);
ocspResponder.stop(run_next_test);
});
add_test(function () {
- check_no_ocsp_requests("ev-valid",
- useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
- : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
- : SEC_ERROR_EXTENSION_NOT_FOUND));
+ check_no_ocsp_requests("ev-valid", SEC_ERROR_POLICY_VALIDATION_FAILED);
});
add_test(function () {
- check_no_ocsp_requests("non-ev-root",
- useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
- : (isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER
- : SEC_ERROR_EXTENSION_NOT_FOUND));
+ check_no_ocsp_requests("non-ev-root", SEC_ERROR_POLICY_VALIDATION_FAILED);
});
add_test(function () {
- check_no_ocsp_requests("no-ocsp-url-cert",
- useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
- : (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
- : SEC_ERROR_EXTENSION_NOT_FOUND));
+ check_no_ocsp_requests("no-ocsp-url-cert", SEC_ERROR_POLICY_VALIDATION_FAILED);
});
// Test the EV continues to work with flags after successful EV verification
add_test(function () {
clearOCSPCache();
let ocspResponder = start_ocsp_responder(
isDebugBuild ? ["int-ev-valid", "ev-valid"]
@@ -198,19 +175,17 @@ function add_tests_in_mode(useMozillaPKI
let verifiedChain = {};
let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
let error = certdb.verifyCertNow(cert, certificateUsageSSLServer,
flags, verifiedChain, hasEVPolicy);
do_check_eq(hasEVPolicy.value, isDebugBuild);
do_check_eq(error,
- isDebugBuild ? 0
- : (useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
- : SEC_ERROR_EXTENSION_NOT_FOUND));
+ isDebugBuild ? 0 : SEC_ERROR_POLICY_VALIDATION_FAILED);
failingOcspResponder.stop(run_next_test);
});
});
// Bug 991815 old but valid intermediates are OK
add_test(function () {
clearOCSPCache();
let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [],
@@ -230,50 +205,44 @@ function add_tests_in_mode(useMozillaPKI
add_test(function () {
clearOCSPCache();
// Since Mozilla::pkix does not consider the old amost invalid OCSP
// response valid, it does not cache the old response and thus
// makes a separate request for DV
let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
let debugResponseArray = ["good", "longvalidityalmostold",
"longvalidityalmostold"];
- if (!useMozillaPKIX) {
- debugCertNickArray = ["int-ev-valid", "ev-valid"];
- debugResponseArray = ["good", "longvalidityalmostold"];
- }
let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [],
"test_ev_certs",
isDebugBuild ? debugCertNickArray : ["ev-valid"],
[], [],
isDebugBuild ? debugResponseArray
: ["longvalidityalmostold"]);
- check_ee_for_ev("ev-valid", !useMozillaPKIX && isDebugBuild);
+ check_ee_for_ev("ev-valid", false);
ocspResponder.stop(run_next_test);
});
// Bug 991815 Valid but Ancient (almost two year old) responses are Not OK for
// EV (still OK for soft fail DV)
add_test(function () {
clearOCSPCache();
let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
let debugResponseArray = ["good", "ancientstillvalid",
"ancientstillvalid"];
- if (!useMozillaPKIX) {
- debugCertNickArray = ["int-ev-valid", "ev-valid"];
- debugResponseArray = ["good", "ancientstillvalid"];
- }
let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [],
"test_ev_certs",
isDebugBuild ? debugCertNickArray : ["ev-valid"],
[], [],
isDebugBuild ? debugResponseArray
: ["ancientstillvalid"]);
- check_ee_for_ev("ev-valid", !useMozillaPKIX && isDebugBuild);
+ check_ee_for_ev("ev-valid", false);
ocspResponder.stop(run_next_test);
});
+
+ run_next_test();
}
// bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert
// to prevent spurious OCSP requests that race with OCSP stapling.
// This has the side-effect of saying an EV certificate is not EV if
// it hasn't already been verified (e.g. on the verification thread when
// connecting to a site).
// This flag is mostly a hack that should be removed once FLAG_LOCAL_ONLY
--- a/security/manager/ssl/tests/unit/test_getchain.js
+++ b/security/manager/ssl/tests/unit/test_getchain.js
@@ -65,31 +65,25 @@ function check_getchain(ee_cert, ssl_ca,
certdb.setCertTrust(ssl_ca, nsIX509Cert.CA_CERT, 0);
check_matching_issuer_and_getchain(email_ca.serialNumber, ee_cert);
certdb.setCertTrust(email_ca, nsIX509Cert.CA_CERT, 0);
// Do a final test on the case of no trust. The results must
// be cosistent (the actual value is non-deterministic).
check_matching_issuer_and_getchain(ee_cert.issuer.serialNumber, ee_cert);
}
-function run_test_in_mode(useMozillaPKIX) {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
+function run_test() {
clearOCSPCache();
clearSessionCache();
for (let i = 0 ; i < certList.length; i++) {
load_cert(certList[i], ',,');
}
let ee_cert = certdb.findCertByNickname(null, 'ee');
do_check_false(!ee_cert);
let ca = get_ca_array();
check_getchain(ee_cert, ca[1], ca[2]);
// Swap ca certs to deal alternate trust settings.
check_getchain(ee_cert, ca[2], ca[1]);
}
-
-function run_test() {
- run_test_in_mode(true);
- run_test_in_mode(false);
-}
--- a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
@@ -33,30 +33,24 @@ function test_cert_for_usages(certChainN
let cert = certs[0];
let verified = {};
let usages = {};
cert.getUsagesString(true, verified, usages);
do_print("usages.value = " + usages.value);
do_check_eq(expected_usages_string, usages.value);
}
-function run_test_in_mode(useMozillaPKIX) {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
-
+function run_test() {
// mozilla::pkix doesn't support the obsolete Netscape object signing
// extension, but NSS does.
- let ee_usage1 = useMozillaPKIX
- ? 'Client,Server,Sign,Encrypt,Object Signer'
- : 'Client,Server,Sign,Encrypt'
+ let ee_usage1 = 'Client,Server,Sign,Encrypt,Object Signer';
// mozilla::pkix doesn't validate CA certificates for non-CA uses, but
// NSS does.
- let ca_usage1 = useMozillaPKIX
- ? "SSL CA"
- : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
+ let ca_usage1 = "SSL CA";
// Load the ca into mem
let ca_name = "ca";
load_cert(ca_name, "CTu,CTu,CTu");
do_print("ca_name = " + ca_name);
test_cert_for_usages([ca_name], ca_usage1);
// A certificate with no basicConstraints extension is considered an EE.
@@ -82,36 +76,32 @@ function run_test_in_mode(useMozillaPKIX
// ca
// int-limited-depth (cA==true, pathLenConstraint==0)
// int-limited-depth-invalid (cA==true)
//
// XXX: It seems the NSS code does not consider the path length of the
// certificate we're validating, but mozilla::pkix does. mozilla::pkix's
// behavior is correct.
- test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"],
- useMozillaPKIX ? "" : ca_usage1);
+ test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"], "");
test_cert_for_usages(["ee-int-limited-depth-invalid",
"int-limited-depth-invalid",
"int-limited-depth"],
"");
// int-valid-ku-no-eku has keyCertSign
test_cert_for_usages(["int-valid-ku-no-eku"], "SSL CA");
test_cert_for_usages(["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"],
ee_usage1);
// int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension
// but the KU extension is missing keyCertSign. Note that mozilla::pkix
// doesn't validate certificates with basicConstraints.Ca==true for non-CA
// uses, but NSS does.
- test_cert_for_usages(["int-bad-ku-no-eku"],
- useMozillaPKIX
- ? ""
- : 'Client,Server,Sign,Encrypt,Status Responder');
+ test_cert_for_usages(["int-bad-ku-no-eku"], "");
test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], "");
// int-no-ku-no-eku has basicConstraints.cA==true and no KU extension.
// We treat a missing KU as "any key usage is OK".
test_cert_for_usages(["int-no-ku-no-eku"], ca_usage1);
test_cert_for_usages(["ee-int-no-ku-no-eku", "int-no-ku-no-eku"], ee_usage1);
// int-valid-ku-server-eku has basicConstraints.cA==true, keyCertSign in KU,
@@ -127,13 +117,8 @@ function run_test_in_mode(useMozillaPKIX
"");
// int-bad-ku-server-eku has basicConstraints.cA==true, no KU, and
// EKU=={id-kp-serverAuth,id-kp-clientAuth}.
test_cert_for_usages(["int-no-ku-server-eku"], "SSL CA");
test_cert_for_usages(["ee-int-no-ku-server-eku", "int-no-ku-server-eku"],
"Client,Server");
}
-
-function run_test() {
- run_test_in_mode(true);
- run_test_in_mode(false);
-}
--- a/security/manager/ssl/tests/unit/test_name_constraints.js
+++ b/security/manager/ssl/tests/unit/test_name_constraints.js
@@ -45,18 +45,19 @@ function check_ok_ca (x) {
function check_fail(x) {
return check_cert_err(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
}
function check_fail_ca(x) {
return check_cert_err_generic(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLCA);
}
-function run_test_in_mode(useMozillaPKIX) {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
+function run_test() {
+ load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu");
+ load_cert("ca-nc", "CTu,CTu,CTu");
// Note that CN is only looked at when there is NO subjectAltName!
// Testing with a unconstrained root, and intermediate constrained to PERMIT
// foo.com. All failures on this section are doe to the cert DNS names
// not being under foo.com.
check_ok_ca(load_cert('int-nc-perm-foo.com-ca-nc', ',,'));
// no dirName
@@ -264,16 +265,8 @@ function run_test_in_mode(useMozillaPKIX
// for the server EKU. libpkix gets this wrong but mozilla::pkix and classic
// NSS get it right.
{
let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der');
check_cert_err_generic(cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLServer);
check_cert_err_generic(cert, 0, certificateUsageSSLClient);
}
}
-
-function run_test() {
- load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu");
- load_cert("ca-nc", "CTu,CTu,CTu");
-
- run_test_in_mode(true);
- run_test_in_mode(false);
-}
--- a/security/manager/ssl/tests/unit/test_ocsp_caching.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js
@@ -35,30 +35,23 @@ function run_test() {
do_print("returning 200 OK");
response.setStatusLine(request.httpVersion, 200, "OK");
response.setHeader("Content-Type", "application/ocsp-response");
response.write(gGoodOCSPResponse);
});
ocspResponder.start(8080);
- add_tests_in_mode(true);
- add_tests_in_mode(false);
+ add_tests();
add_test(function() { ocspResponder.stop(run_next_test); });
run_next_test();
}
-function add_tests_in_mode(useMozillaPKIX) {
- add_test(function () {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification",
- useMozillaPKIX);
- run_next_test();
- });
-
+function add_tests() {
// This test assumes that OCSPStaplingServer uses the same cert for
// ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com.
// Get an Unknown response for the *.exmaple.com cert and put it in the
// OCSP cache.
add_connection_test("ocsp-stapling-unknown.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
clearSessionCache);
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
@@ -33,29 +33,16 @@ function run_test() {
addCertFromFile(certdb, "test_ocsp_fetch_method/int.der", ',,');
// Enabled so that we can force ocsp failure responses.
Services.prefs.setBoolPref("security.OCSP.require", true);
Services.prefs.setCharPref("network.dns.localDomains",
"www.example.com");
- add_tests_in_mode(true);
- add_tests_in_mode(false);
- run_next_test();
-}
-
-function add_tests_in_mode(useMozillaPKIX)
-{
- add_test(function() {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification",
- useMozillaPKIX);
- run_next_test();
- });
-
add_test(function() {
clearOCSPCache();
Services.prefs.setBoolPref("security.OCSP.GET.enabled", false);
let ocspResponder = start_ocsp_responder(["a"], [], ["POST"]);
check_cert_err("a", 0);
ocspResponder.stop(run_next_test);
});
@@ -67,18 +54,16 @@ function add_tests_in_mode(useMozillaPKI
ocspResponder.stop(run_next_test);
});
// GET does fallback on bad entry
add_test(function() {
clearOCSPCache();
Services.prefs.setBoolPref("security.OCSP.GET.enabled", true);
// Bug 1016681 mozilla::pkix does not support fallback yet.
- if (!useMozillaPKIX) {
- let ocspResponder = start_ocsp_responder(["b", "a"], [], ["GET", "POST"]);
- check_cert_err("a", 0);
- ocspResponder.stop(run_next_test);
- } else {
- run_next_test();
- }
+ // let ocspResponder = start_ocsp_responder(["b", "a"], [], ["GET", "POST"]);
+ // check_cert_err("a", 0);
+ // ocspResponder.stop(run_next_test);
+ run_next_test();
});
+ run_next_test();
}
--- a/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
@@ -23,40 +23,29 @@ function run_test() {
let ocspResponder = new HttpServer();
ocspResponder.registerPrefixHandler("/", function (request, response) {
response.setStatusLine(request.httpVersion, 200, "OK");
response.setHeader("Content-Type", "application/ocsp-response");
response.write(goodOCSPResponse);
});
ocspResponder.start(8080);
- add_tests_in_mode(true);
- add_tests_in_mode(false);
+ // ocsp-stapling-none.example.com does not staple an OCSP response in the
+ // handshake, so the revocation checking code will attempt to fetch one.
+ // Since the domain of the certificate's OCSP AIA URI is an HSTS host
+ // (as added in the setup of this test, below), a buggy implementation would
+ // upgrade the OCSP request to HTTPS. We specifically prevent this. This
+ // test demonstrates that our implementation is correct in this regard.
+ add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK);
+ add_test(function () { run_next_test(); });
add_test(function () { ocspResponder.stop(run_next_test); });
let SSService = Cc["@mozilla.org/ssservice;1"]
.getService(Ci.nsISiteSecurityService);
let uri = Services.io.newURI("http://localhost", null, null);
SSService.processHeader(Ci.nsISiteSecurityService.HEADER_HSTS, uri,
"max-age=10000", 0);
do_check_true(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
"localhost", 0));
run_next_test();
}
-
-function add_tests_in_mode(useMozillaPKIX) {
- add_test(function () {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification",
- useMozillaPKIX);
- run_next_test();
- });
-
- // ocsp-stapling-none.example.com does not staple an OCSP response in the
- // handshake, so the revocation checking code will attempt to fetch one.
- // Since the domain of the certificate's OCSP AIA URI is an HSTS host
- // (as added in the setup of this test), a buggy implementation would
- // upgrade the OCSP request to HTTPS. We specifically prevent this. This
- // test demonstrates that our implementation is correct in this regard.
- add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK);
- add_test(function () { run_next_test(); });
-}
--- a/security/manager/ssl/tests/unit/test_ocsp_required.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_required.js
@@ -27,32 +27,25 @@ function run_test() {
ocspResponder.registerPrefixHandler("/", function (request, response) {
response.setStatusLine(request.httpVersion, 200, "OK");
response.setHeader("Content-Type", "application/ocsp-response");
response.write(ocspResponseBadSignature);
gOCSPRequestCount++;
});
ocspResponder.start(8080);
- add_tests_in_mode(true);
- add_tests_in_mode(false);
+ add_tests();
add_test(function () { ocspResponder.stop(run_next_test); });
run_next_test();
}
-function add_tests_in_mode(useMozillaPKIX)
+function add_tests()
{
- add_test(function () {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification",
- useMozillaPKIX);
- run_next_test();
- });
-
add_connection_test("ocsp-stapling-none.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
add_connection_test("ocsp-stapling-none.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
add_test(function () {
do_check_eq(gOCSPRequestCount, 1);
gOCSPRequestCount = 0;
run_next_test();
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@@ -16,23 +16,17 @@ function add_ocsp_test(aHost, aExpectedR
gExpectOCSPRequest = !aStaplingEnabled;
clearOCSPCache();
clearSessionCache();
Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling",
aStaplingEnabled);
});
}
-function add_tests_in_mode(useMozillaPKIX, certDB, otherTestCA) {
- add_test(function () {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification",
- useMozillaPKIX);
- run_next_test();
- });
-
+function add_tests(certDB, otherTestCA) {
// In the absence of OCSP stapling, these should actually all work.
add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-srverr.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-trylater.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-needssig.example.com", Cr.NS_OK, false);
@@ -110,26 +104,21 @@ function add_tests_in_mode(useMozillaPKI
clearOCSPCache();
clearSessionCache();
Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
}
);
add_ocsp_test("ocsp-stapling-empty.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
- // TODO(bug 979070): NSS can't handle this yet.
- if (useMozillaPKIX) {
- add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
- getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
- }
+ add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
+ getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
add_ocsp_test("ocsp-stapling-critical-extension.example.com",
- useMozillaPKIX
- ? getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION)
- : Cr.NS_OK, // TODO(bug 987426): NSS doesn't handle unknown critical extensions
+ getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION),
true);
add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", Cr.NS_OK, true);
// TODO(bug 997994): Disallow empty Extensions in responses
add_ocsp_test("ocsp-stapling-empty-extensions.example.com", Cr.NS_OK, true);
add_ocsp_test("ocsp-stapling-delegated-included.example.com", Cr.NS_OK, true);
add_ocsp_test("ocsp-stapling-delegated-included-last.example.com", Cr.NS_OK, true);
add_ocsp_test("ocsp-stapling-delegated-missing.example.com",
@@ -150,21 +139,21 @@ function add_tests_in_mode(useMozillaPKI
// test_ocsp_stapling_expired.js
}
function check_ocsp_stapling_telemetry() {
let histogram = Cc["@mozilla.org/base/telemetry;1"]
.getService(Ci.nsITelemetry)
.getHistogramById("SSL_OCSP_STAPLING")
.snapshot();
- do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
- do_check_eq(histogram.counts[1], 5 + 6); // 5 or 6 connections with a good response (bug 987426)
- do_check_eq(histogram.counts[2], 2 * 18); // 18 connections with no stapled resp.
- do_check_eq(histogram.counts[3], 2 * 0); // 0 connections with an expired response
- do_check_eq(histogram.counts[4], 19 + 17); // 19 or 17 connections with bad responses (bug 979070, bug 987426)
+ do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
+ do_check_eq(histogram.counts[1], 5); // 5 connections with a good response
+ do_check_eq(histogram.counts[2], 18); // 18 connections with no stapled resp.
+ do_check_eq(histogram.counts[3], 0); // 0 connections with an expired response
+ do_check_eq(histogram.counts[4], 19); // 19 connections with bad responses
run_next_test();
}
function run_test() {
do_get_profile();
let certDB = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
@@ -176,17 +165,16 @@ function run_test() {
fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
do_check_true(gExpectOCSPRequest);
});
fakeOCSPResponder.start(8080);
add_tls_server_setup("OCSPStaplingServer");
- add_tests_in_mode(true, certDB, otherTestCA);
- add_tests_in_mode(false, certDB, otherTestCA);
+ add_tests(certDB, otherTestCA);
add_test(function () {
fakeOCSPResponder.stop(check_ocsp_stapling_telemetry);
});
run_next_test();
}
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@@ -55,139 +55,112 @@ function run_test() {
} else {
response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
response.write("Internal Server Error");
}
gOCSPRequestCount++;
});
ocspResponder.start(8080);
add_tls_server_setup("OCSPStaplingServer");
- add_tests_in_mode(true);
- add_tests_in_mode(false);
- add_test(function () { ocspResponder.stop(run_next_test); });
- add_test(check_ocsp_stapling_telemetry);
- run_next_test();
-}
-
-function add_tests_in_mode(useMozillaPKIX)
-{
- add_test(function () {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification",
- useMozillaPKIX);
- run_next_test();
- });
// In these tests, the OCSP stapling server gives us a stapled
// response based on the host name ("ocsp-stapling-expired" or
// "ocsp-stapling-expired-fresh-ca"). We then ensure that we're
// properly falling back to fetching revocation information.
// For ocsp-stapling-expired.example.com, the OCSP stapling server
// staples an expired OCSP response. The certificate has not expired.
// For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling
// server staples an OCSP response with a recent signature but with an
// out-of-date validity period. The certificate has not expired.
add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK,
ocspResponseGood);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
ocspResponseGood);
- // With mozilla::pkix, if we can't fetch a more recent response when
+ // if we can't fetch a more recent response when
// given an expired stapled response, we terminate the connection.
add_ocsp_test("ocsp-stapling-expired.example.com",
- useMozillaPKIX
- ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
- : Cr.NS_OK,
+ getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
expiredOCSPResponseGood);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
- useMozillaPKIX
- ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
- : Cr.NS_OK,
+ getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
expiredOCSPResponseGood);
add_ocsp_test("ocsp-stapling-expired.example.com",
- useMozillaPKIX
- ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
- : Cr.NS_OK,
+ getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
oldValidityPeriodOCSPResponseGood);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
- useMozillaPKIX
- ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
- : Cr.NS_OK,
+ getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
oldValidityPeriodOCSPResponseGood);
add_ocsp_test("ocsp-stapling-expired.example.com",
- useMozillaPKIX
- ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
- : Cr.NS_OK,
+ getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
null);
add_ocsp_test("ocsp-stapling-expired.example.com",
- useMozillaPKIX
- ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
- : Cr.NS_OK,
+ getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
null);
// Of course, if the newer response indicates Revoked or Unknown,
// that status must be returned.
add_ocsp_test("ocsp-stapling-expired.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
ocspResponseRevoked);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
ocspResponseRevoked);
add_ocsp_test("ocsp-stapling-expired.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
ocspResponseUnknown);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
ocspResponseUnknown);
- if (useMozillaPKIX) {
- // If the response is expired but indicates Revoked or Unknown and a
- // newer status can't be fetched, the Revoked or Unknown status will
- // be returned.
- add_ocsp_test("ocsp-stapling-revoked-old.example.com",
- getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
- null);
- add_ocsp_test("ocsp-stapling-unknown-old.example.com",
- getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
- null);
- // If the response is expired but indicates Revoked or Unknown and
- // a newer status can be fetched and successfully verified, this
- // should result in a successful certificate verification.
- add_ocsp_test("ocsp-stapling-revoked-old.example.com", Cr.NS_OK,
- ocspResponseGood);
- add_ocsp_test("ocsp-stapling-unknown-old.example.com", Cr.NS_OK,
- ocspResponseGood);
- // If a newer status can be fetched but it fails to verify, the
- // Revoked or Unknown status of the expired stapled response
- // should be returned.
- add_ocsp_test("ocsp-stapling-revoked-old.example.com",
- getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
- expiredOCSPResponseGood);
- add_ocsp_test("ocsp-stapling-unknown-old.example.com",
- getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
- expiredOCSPResponseGood);
- }
+ // If the response is expired but indicates Revoked or Unknown and a
+ // newer status can't be fetched, the Revoked or Unknown status will
+ // be returned.
+ add_ocsp_test("ocsp-stapling-revoked-old.example.com",
+ getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+ null);
+ add_ocsp_test("ocsp-stapling-unknown-old.example.com",
+ getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+ null);
+ // If the response is expired but indicates Revoked or Unknown and
+ // a newer status can be fetched and successfully verified, this
+ // should result in a successful certificate verification.
+ add_ocsp_test("ocsp-stapling-revoked-old.example.com", Cr.NS_OK,
+ ocspResponseGood);
+ add_ocsp_test("ocsp-stapling-unknown-old.example.com", Cr.NS_OK,
+ ocspResponseGood);
+ // If a newer status can be fetched but it fails to verify, the
+ // Revoked or Unknown status of the expired stapled response
+ // should be returned.
+ add_ocsp_test("ocsp-stapling-revoked-old.example.com",
+ getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+ expiredOCSPResponseGood);
+ add_ocsp_test("ocsp-stapling-unknown-old.example.com",
+ getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+ expiredOCSPResponseGood);
- if (useMozillaPKIX) {
- // These tests are verifying that an valid but very old response
- // is rejected as a valid stapled response, requiring a fetch
- // from the ocsp responder.
- add_ocsp_test("ocsp-stapling-ancient-valid.example.com", Cr.NS_OK,
- ocspResponseGood);
- add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
- getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
- ocspResponseRevoked);
- add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
- getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
- ocspResponseUnknown);
- }
+ // These tests are verifying that an valid but very old response
+ // is rejected as a valid stapled response, requiring a fetch
+ // from the ocsp responder.
+ add_ocsp_test("ocsp-stapling-ancient-valid.example.com", Cr.NS_OK,
+ ocspResponseGood);
+ add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
+ getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+ ocspResponseRevoked);
+ add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
+ getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+ ocspResponseUnknown);
+
+ add_test(function () { ocspResponder.stop(run_next_test); });
+ add_test(check_ocsp_stapling_telemetry);
+ run_next_test();
}
function check_ocsp_stapling_telemetry() {
let histogram = Cc["@mozilla.org/base/telemetry;1"]
.getService(Ci.nsITelemetry)
.getHistogramById("SSL_OCSP_STAPLING")
.snapshot();
- do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
- do_check_eq(histogram.counts[1], 2 * 0); // 0 connections with a good response
- do_check_eq(histogram.counts[2], 2 * 0); // 0 connections with no stapled resp.
- do_check_eq(histogram.counts[3], 2 * 12 + 9); // 12 connections with an expired response
- // +9 more mozilla::pkix-only expired responses
- do_check_eq(histogram.counts[4], 2 * 0); // 0 connections with bad responses
+ do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
+ do_check_eq(histogram.counts[1], 0); // 0 connections with a good response
+ do_check_eq(histogram.counts[2], 0); // 0 connections with no stapled resp.
+ do_check_eq(histogram.counts[3], 21); // 21 connections with an expired response
+ do_check_eq(histogram.counts[4], 0); // 0 connections with bad responses
run_next_test();
}
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
@@ -28,28 +28,17 @@ function run_test() {
response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
let body = "Refusing to return a response";
response.bodyOutputStream.write(body, body.length);
});
ocspResponder.start(8080);
add_tls_server_setup("OCSPStaplingServer");
- add_tests_in_mode(true);
- add_tests_in_mode(false);
+ add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
add_test(function () { ocspResponder.stop(run_next_test); });
add_test(function() {
do_check_eq(gOCSPRequestCount, 0);
run_next_test();
});
run_next_test();
}
-
-function add_tests_in_mode(useMozillaPKIX) {
- add_test(function () {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification",
- useMozillaPKIX);
- run_next_test();
- });
-
- add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
-}
--- a/security/manager/ssl/tests/unit/test_ocsp_timeout.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_timeout.js
@@ -33,30 +33,26 @@ function run_test() {
add_tls_server_setup("OCSPStaplingServer");
let socket = Cc["@mozilla.org/network/server-socket;1"]
.createInstance(Ci.nsIServerSocket);
socket.init(8080, true, -1);
socket.asyncListen(gSocketListener);
- add_tests_in_mode(true, true);
- add_tests_in_mode(false, true);
- add_tests_in_mode(true, false);
- add_tests_in_mode(false, false);
+ add_tests_in_mode(true);
+ add_tests_in_mode(false);
add_test(function() { socket.close(); run_next_test(); });
run_next_test();
}
-function add_tests_in_mode(useMozillaPKIX, useHardFail) {
+function add_tests_in_mode(useHardFail) {
let startTime;
add_test(function () {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification",
- useMozillaPKIX);
Services.prefs.setBoolPref("security.OCSP.require", useHardFail);
startTime = new Date();
run_next_test();
});
add_connection_test("ocsp-stapling-none.example.com", useHardFail
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_SERVER_ERROR)
: Cr.NS_OK, clearSessionCache);
--- a/security/manager/ssl/tests/unit/test_ocsp_url.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_url.js
@@ -35,69 +35,48 @@ function run_test() {
addCertFromFile(certdb, "test_ocsp_url/int.der", ',,');
// Enabled so that we can force ocsp failure responses.
Services.prefs.setBoolPref("security.OCSP.require", true);
Services.prefs.setCharPref("network.dns.localDomains",
"www.example.com");
- add_tests_in_mode(true);
- add_tests_in_mode(false);
- run_next_test();
-}
-
-function add_tests_in_mode(useMozillaPKIX)
-{
- add_test(function() {
- Services.prefs.setBoolPref("security.use_mozillapkix_verification",
- useMozillaPKIX);
- run_next_test();
- });
-
add_test(function() {
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
- check_cert_err("bad-scheme",
- useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
- : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+ check_cert_err("bad-scheme",SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
ocspResponder.stop(run_next_test);
});
add_test(function() {
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
- check_cert_err("empty-scheme-url",
- useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
- : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+ check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
ocspResponder.stop(run_next_test);
});
add_test(function() {
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
- check_cert_err("https-url",
- useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
- : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+ check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
ocspResponder.stop(run_next_test);
});
add_test(function() {
clearOCSPCache();
let ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]);
check_cert_err("hTTp-url", 0);
ocspResponder.stop(run_next_test);
});
add_test(function() {
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
- check_cert_err("negative-port",
- useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
- : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+ check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
ocspResponder.stop(run_next_test);
});
add_test(function() {
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
// XXX Bug 1013615 parser accepts ":8888" as hostname
check_cert_err("no-host-url", SEC_ERROR_OCSP_SERVER_ERROR);
@@ -109,33 +88,28 @@ function add_tests_in_mode(useMozillaPKI
let ocspResponder = start_ocsp_responder(["no-path-url"], ['']);
check_cert_err("no-path-url", 0);
ocspResponder.stop(run_next_test);
});
add_test(function() {
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
- check_cert_err("no-scheme-host-port",
- useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
- : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+ check_cert_err("no-scheme-host-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
ocspResponder.stop(run_next_test);
});
add_test(function() {
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
- check_cert_err("no-scheme-url",
- useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
- : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+ check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
ocspResponder.stop(run_next_test);
});
add_test(function() {
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
- check_cert_err("unknown-scheme",
- useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
- : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+ check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
ocspResponder.stop(run_next_test);
});
+ run_next_test();
}
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -1242,22 +1242,16 @@
"CERT_VALIDATION_HTTP_REQUEST_FAILED_TIME": {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 200,
"extended_statistics_ok": true,
"description": "ms elapsed time of OCSP etc.. that failed"
},
- "CERT_VALIDATION_LIBRARY": {
- "expires_in_version": "never",
- "kind": "enumerated",
- "n_values": 4,
- "description": "Which certificate validation library is in use? (1=classic, 2=libpkix, 3=mozilla::pkix)"
- },
"SSL_KEY_EXCHANGE_ALGORITHM_FULL": {
"expires_in_version": "never",
"kind": "enumerated",
"n_values": 16,
"description": "SSL Handshake Key Exchange Algorithm for full handshake (null=0, rsa=1, dh=2, fortezza=3, ecdh=4)"
},
"SSL_KEY_EXCHANGE_ALGORITHM_RESUMED": {
"expires_in_version": "never",
@@ -4493,56 +4487,24 @@
"TELEMETRY_MEMORY_REPORTER_MS": {
"expires_in_version": "never",
"kind": "exponential",
"high": "5000",
"n_buckets": 10,
"extended_statistics_ok": true,
"description": "Time (ms) it takes to run memory reporters when sending a telemetry ping"
},
- "SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX": {
- "expires_in_version": "never",
- "kind": "exponential",
- "high": "60000",
- "n_buckets": 50,
- "extended_statistics_ok": true,
- "description": "Time spent on a successful cert verification in libpix mode (ms)"
- },
- "SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC": {
- "expires_in_version": "never",
- "kind": "exponential",
- "high": "60000",
- "n_buckets": 50,
- "extended_statistics_ok": true,
- "description": "Time spent on a successful cert verification in classic mode (ms)"
- },
"SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
"description": "Time spent on a successful cert verification in mozilla::pkix mode (ms)"
},
- "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX" : {
- "expires_in_version": "never",
- "kind": "exponential",
- "high": "60000",
- "n_buckets": 50,
- "extended_statistics_ok": true,
- "description": "Time spent on an initially failed cert verification in libpix mode (ms)"
- },
- "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC": {
- "expires_in_version": "never",
- "kind": "exponential",
- "high": "60000",
- "n_buckets": 50,
- "extended_statistics_ok": true,
- "description": "Time spent on an initially failed cert verification in classic mode (ms)"
- },
"SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
"description": "Time spent on an initially failed cert verification in mozilla::pkix mode (ms)"
},