bug 928489 - Bug 928489 - Disable update xml certificate checks on Windows. r=bbondy
authorRobert Strong <robert.bugzilla@gmail.com>
Sat, 19 Oct 2013 22:36:40 -0700
changeset 165279 92c512181d1c24eb877198b43eea642cf9fd4132
parent 165228 4b3b07791e46e31e2503ab788650e72c8efcf5f4
child 165280 06cc867fd5d17b2871de4da824b2e8501f55e752
push id3066
push userakeybl@mozilla.com
push dateMon, 09 Dec 2013 19:58:46 +0000
treeherdermozilla-beta@a31a0dce83aa [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbbondy
bugs928489
milestone27.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
bug 928489 - Bug 928489 - Disable update xml certificate checks on Windows. r=bbondy
browser/app/profile/firefox.js
browser/metro/profile/metro.js
toolkit/mozapps/update/test/chrome/test_0121_check_requireBuiltinCert.xul
toolkit/mozapps/update/test/chrome/test_0122_check_allowNonBuiltinCert_validCertAttrs.xul
toolkit/mozapps/update/test/chrome/test_0131_check_invalidCertAttrs_noUpdate.xul
toolkit/mozapps/update/test/chrome/test_0132_check_invalidCertAttrs_hasUpdate.xul
toolkit/mozapps/update/test/chrome/test_0141_notify_invalidCertAttrs_noUpdate.xul
toolkit/mozapps/update/test/chrome/test_0142_notify_invalidCertAttrs_hasUpdate.xul
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@@ -91,16 +91,24 @@ pref("app.update.altwindowtype", "Browse
 // Enables some extra Application Update Logging (can reduce performance)
 pref("app.update.log", false);
 
 // The number of general background check failures to allow before notifying the
 // user of the failure. User initiated update checks always notify the user of
 // the failure.
 pref("app.update.backgroundMaxErrors", 10);
 
+// The aus update xml certificate checks for application update are disabled on
+// Windows since the mar signature check which is currently only implemented on
+// Windows is sufficient for preventing us from applying a mar that is not
+// valid.
+#ifdef XP_WIN
+pref("app.update.cert.requireBuiltIn", false);
+pref("app.update.cert.checkAttributes", false);
+#else
 // When |app.update.cert.requireBuiltIn| is true or not specified the
 // final certificate and all certificates the connection is redirected to before
 // the final certificate for the url specified in the |app.update.url|
 // preference must be built-in.
 pref("app.update.cert.requireBuiltIn", true);
 
 // When |app.update.cert.checkAttributes| is true or not specified the
 // certificate attributes specified in the |app.update.certs.| preference branch
@@ -139,16 +147,17 @@ pref("app.update.certs.2.issuerName", "C
 pref("app.update.certs.2.commonName", "aus4.mozilla.org");
 #else
 pref("app.update.certs.1.issuerName", "OU=Equifax Secure Certificate Authority,O=Equifax,C=US");
 pref("app.update.certs.1.commonName", "aus3.mozilla.org");
 
 pref("app.update.certs.2.issuerName", "CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US");
 pref("app.update.certs.2.commonName", "aus3.mozilla.org");
 #endif
+#endif
 
 // Whether or not app updates are enabled
 pref("app.update.enabled", true);
 
 // This preference turns on app.update.mode and allows automatic download and
 // install to take place. We use a separate boolean toggle for this to make
 // the UI easier to construct.
 pref("app.update.auto", true);
--- a/browser/metro/profile/metro.js
+++ b/browser/metro/profile/metro.js
@@ -484,62 +484,32 @@ pref("app.update.timerMinimumDelay", 120
 // Enables some extra Application Update Logging (can reduce performance)
 pref("app.update.log", false);
 
 // The number of general background check failures to allow before notifying the
 // user of the failure. User initiated update checks always notify the user of
 // the failure.
 pref("app.update.backgroundMaxErrors", 10);
 
+// The aus update xml certificate checks for application update are disabled on
+// Windows since the mar signature check which is currently only implemented on
+// Windows is sufficient for preventing us from applying a mar that is not
+// valid.
+
 // When |app.update.cert.requireBuiltIn| is true or not specified the
 // final certificate and all certificates the connection is redirected to before
 // the final certificate for the url specified in the |app.update.url|
 // preference must be built-in.
-pref("app.update.cert.requireBuiltIn", true);
+pref("app.update.cert.requireBuiltIn", false);
 
 // When |app.update.cert.checkAttributes| is true or not specified the
 // certificate attributes specified in the |app.update.certs.| preference branch
 // are checked against the certificate for the url specified by the
 // |app.update.url| preference.
-pref("app.update.cert.checkAttributes", true);
-
-// The number of certificate attribute check failures to allow for background
-// update checks before notifying the user of the failure. User initiated update
-// checks always notify the user of the certificate attribute check failure.
-pref("app.update.cert.maxErrors", 5);
-
-// The |app.update.certs.| preference branch contains branches that are
-// sequentially numbered starting at 1 that contain attribute name / value
-// pairs for the certificate used by the server that hosts the update xml file
-// as specified in the |app.update.url| preference. When these preferences are
-// present the following conditions apply for a successful update check:
-// 1. the uri scheme must be https
-// 2. the preference name must exist as an attribute name on the certificate and
-//    the value for the name must be the same as the value for the attribute name
-//    on the certificate.
-// If these conditions aren't met it will be treated the same as when there is
-// no update available. This validation will not be performed when the
-// |app.update.url.override| user preference has been set for testing updates or
-// when the |app.update.cert.checkAttributes| preference is set to false. Also,
-// the |app.update.url.override| preference should ONLY be used for testing.
-// IMPORTANT! firefox.js should also be updated for updates to certs.X.issuerName
-
-// Non-release builds (Nightly, Aurora, etc.) have been switched over to aus4.mozilla.org.
-// This condition protects us against accidentally using it for release builds.
-#ifndef RELEASE_BUILD
-pref("app.update.certs.1.issuerName", "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US");
-pref("app.update.certs.1.commonName", "aus4.mozilla.org");
-pref("app.update.certs.2.issuerName", "CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US");
-pref("app.update.certs.2.commonName", "aus4.mozilla.org");
-#else
-pref("app.update.certs.1.issuerName", "OU=Equifax Secure Certificate Authority,O=Equifax,C=US");
-pref("app.update.certs.1.commonName", "aus3.mozilla.org");
-pref("app.update.certs.2.issuerName", "CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US");
-pref("app.update.certs.2.commonName", "aus3.mozilla.org");
-#endif
+pref("app.update.cert.checkAttributes", false);
 
 // User-settable override to app.update.url for testing purposes.
 //pref("app.update.url.override", "");
 
 // replace newlines with spaces on paste into single-line text boxes
 pref("editor.singleLine.pasteNewlines", 2);
 
 #ifdef MOZ_SERVICES_SYNC
--- a/toolkit/mozapps/update/test/chrome/test_0121_check_requireBuiltinCert.xul
+++ b/toolkit/mozapps/update/test/chrome/test_0121_check_requireBuiltinCert.xul
@@ -76,16 +76,19 @@ function testXHRLoad(aEvent) {
   var channel = aEvent.target.channel;
   var cert = channel.securityInfo.QueryInterface(AUS_Ci.nsISSLStatusProvider).
              SSLStatus.QueryInterface(AUS_Ci.nsISSLStatus).serverCert;
   CERT_ATTRS.forEach(function(aCertAttrName) {
     Services.prefs.setCharPref(PREF_APP_UPDATE_CERTS_BRANCH + "1." +
                                aCertAttrName, cert[aCertAttrName]);
   });
 
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, true);
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, false);
+
   let url = "https://example.com/" + URL_PATH + "/update.sjs?showDetails=1" +
             getVersionParams();
   gAppUpdateURLDefault = gDefaultPrefBranch.getCharPref(PREF_APP_UPDATE_URL);
   debugDump("setting default pref " + PREF_APP_UPDATE_URL + " to " + url);
   gDefaultPrefBranch.setCharPref(PREF_APP_UPDATE_URL, url);
 
   gRequest = null;
   gUP.checkForUpdates();
--- a/toolkit/mozapps/update/test/chrome/test_0122_check_allowNonBuiltinCert_validCertAttrs.xul
+++ b/toolkit/mozapps/update/test/chrome/test_0122_check_allowNonBuiltinCert_validCertAttrs.xul
@@ -77,16 +77,17 @@ function testXHRLoad(aEvent) {
   var cert = channel.securityInfo.QueryInterface(AUS_Ci.nsISSLStatusProvider).
              SSLStatus.QueryInterface(AUS_Ci.nsISSLStatus).serverCert;
   CERT_ATTRS.forEach(function(aCertAttrName) {
     Services.prefs.setCharPref(PREF_APP_UPDATE_CERTS_BRANCH + "1." +
                                aCertAttrName, cert[aCertAttrName]);
   });
 
   Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, false);
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, true);
 
   let url = "https://example.com/" + URL_PATH + "/update.sjs?showDetails=1" +
             getVersionParams();
   gAppUpdateURLDefault = gDefaultPrefBranch.getCharPref(PREF_APP_UPDATE_URL);
   debugDump("setting default pref " + PREF_APP_UPDATE_URL + " to " + url);
   gDefaultPrefBranch.setCharPref(PREF_APP_UPDATE_URL, url);
 
   gRequest = null;
--- a/toolkit/mozapps/update/test/chrome/test_0131_check_invalidCertAttrs_noUpdate.xul
+++ b/toolkit/mozapps/update/test/chrome/test_0131_check_invalidCertAttrs_noUpdate.xul
@@ -30,16 +30,18 @@ const TESTS = [ {
 } ];
 
 function runTest() {
   debugDump("entering");
 
   Services.prefs.setCharPref(PREF_APP_UPDATE_CERT_INVALID_ATTR_NAME,
                              "Invalid Attribute Name");
   Services.prefs.setIntPref(PREF_APP_UPDATE_CERT_ERRORS, 1);
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, false);
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, true);
 
   let url = "https://example.com/" + URL_PATH + "/update.sjs?noUpdates=1";
   gAppUpdateURLDefault = gDefaultPrefBranch.getCharPref(PREF_APP_UPDATE_URL);
   debugDump("setting default pref " + PREF_APP_UPDATE_URL + " to " + url);
   gDefaultPrefBranch.setCharPref(PREF_APP_UPDATE_URL, url);
 
   gUP.checkForUpdates();
 }
--- a/toolkit/mozapps/update/test/chrome/test_0132_check_invalidCertAttrs_hasUpdate.xul
+++ b/toolkit/mozapps/update/test/chrome/test_0132_check_invalidCertAttrs_hasUpdate.xul
@@ -30,16 +30,18 @@ const TESTS = [ {
 } ];
 
 function runTest() {
   debugDump("entering");
 
   Services.prefs.setCharPref(PREF_APP_UPDATE_CERT_INVALID_ATTR_NAME,
                              "Invalid Attribute Name");
   Services.prefs.setIntPref(PREF_APP_UPDATE_CERT_ERRORS, 1);
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, false);
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, true);
 
   let url = "https://example.com/" + URL_PATH + "/update.sjs?showDetails=1" +
             getVersionParams();
   gAppUpdateURLDefault = gDefaultPrefBranch.getCharPref(PREF_APP_UPDATE_URL);
   debugDump("setting default pref " + PREF_APP_UPDATE_URL + " to " + url);
   gDefaultPrefBranch.setCharPref(PREF_APP_UPDATE_URL, url);
 
   gUP.checkForUpdates();
--- a/toolkit/mozapps/update/test/chrome/test_0141_notify_invalidCertAttrs_noUpdate.xul
+++ b/toolkit/mozapps/update/test/chrome/test_0141_notify_invalidCertAttrs_noUpdate.xul
@@ -27,16 +27,18 @@ const TESTS = [ {
   buttonClick: "finish"
 } ];
 
 function runTest() {
   debugDump("entering");
 
   Services.prefs.setCharPref(PREF_APP_UPDATE_CERT_INVALID_ATTR_NAME,
                              "Invalid Attribute Name");
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, false);
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, true);
 
   let url = "https://example.com/" + URL_PATH + "/update.sjs?noUpdates=1";
   gAppUpdateURLDefault = gDefaultPrefBranch.getCharPref(PREF_APP_UPDATE_URL);
   debugDump("setting default pref " + PREF_APP_UPDATE_URL + " to " + url);
   gDefaultPrefBranch.setCharPref(PREF_APP_UPDATE_URL, url);
 
   errorsPrefObserver.init(PREF_APP_UPDATE_CERT_ERRORS,
                           PREF_APP_UPDATE_CERT_MAXERRORS);
--- a/toolkit/mozapps/update/test/chrome/test_0142_notify_invalidCertAttrs_hasUpdate.xul
+++ b/toolkit/mozapps/update/test/chrome/test_0142_notify_invalidCertAttrs_hasUpdate.xul
@@ -27,16 +27,18 @@ const TESTS = [ {
   buttonClick: "finish"
 } ];
 
 function runTest() {
   debugDump("entering");
 
   Services.prefs.setCharPref(PREF_APP_UPDATE_CERT_INVALID_ATTR_NAME,
                              "Invalid Attribute Name");
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, false);
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, true);
 
   let url = "https://example.com/" + URL_PATH + "/update.sjs?showDetails=1" +
             getVersionParams();
   gAppUpdateURLDefault = gDefaultPrefBranch.getCharPref(PREF_APP_UPDATE_URL);
   debugDump("setting default pref " + PREF_APP_UPDATE_URL + " to " + url);
   gDefaultPrefBranch.setCharPref(PREF_APP_UPDATE_URL, url);
 
   errorsPrefObserver.init(PREF_APP_UPDATE_CERT_ERRORS,