Bug 1194419 - Remove signature algorithm duplicate use in serial number determination in pycert. r=keeler
authorCykesiopka <cykesiopka.bmo@gmail.com>
Fri, 23 Oct 2015 05:13:00 -0400
changeset 304393 06db05394add083b2e65a598a5fad7f92bc75438
parent 304392 3cc789ec2bf00cebb80d9e97c7eb1353a0ab6000
child 304394 11ba4c03d2054b6b7f7d80841e455b102b26d664
push id1001
push userraliiev@mozilla.com
push dateMon, 18 Jan 2016 19:06:03 +0000
treeherdermozilla-release@8b89261f3ac4 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler
bugs1194419
milestone44.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1194419 - Remove signature algorithm duplicate use in serial number determination in pycert. r=keeler
security/certverifier/ExtendedValidation.cpp
security/manager/ssl/tests/unit/pycert.py
security/manager/ssl/tests/unit/test_cert_blocklist.js
security/manager/ssl/tests/unit/test_keysize_ev.js
--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@@ -113,21 +113,21 @@ static struct nsMyTrustedEVInfo myTruste
     // extension:basicConstraints:cA,
     // extension:keyUsage:keyCertSign,cRLSign
     //
     // If this ever needs to change, re-generate the certificate and update the
     // following entry with the new fingerprint, issuer, and serial number.
     "1.3.6.1.4.1.13769.666.666.666.1.500.9.1",
     "DEBUGtesting EV OID",
     SEC_OID_UNKNOWN,
-    { 0x85, 0x2A, 0x29, 0x38, 0x31, 0x09, 0x7D, 0x14, 0x0C, 0x83, 0xAB,
-      0x8D, 0x6D, 0x54, 0x32, 0x77, 0x37, 0xC8, 0xBF, 0xB2, 0xC2, 0xEC,
-      0xCC, 0x82, 0xC0, 0xA2, 0x5F, 0x24, 0x9D, 0xFD, 0xFB, 0xAB },
+    { 0xE4, 0xFB, 0x04, 0x16, 0x10, 0x32, 0x67, 0x08, 0x6C, 0x84, 0x2E,
+      0x91, 0xF3, 0xEF, 0x0E, 0x45, 0x99, 0xBC, 0xA8, 0x54, 0x73, 0xF5,
+      0x03, 0x2C, 0x7B, 0xDC, 0x09, 0x70, 0x76, 0x49, 0xBF, 0xAA },
     "MBExDzANBgNVBAMMBmV2cm9vdA==",
-    "GSsFG1fp8SGMxPjAQvdOBN26ij4=",
+    "W9j5PS8YoKgynZdYa9i2Kwexnp8=",
     nullptr
   },
   {
     // This is an RSA root with an inadequate key size. It is used to test that
     // minimum key sizes are enforced when verifying for EV. It can be
     // generated using pycert.py and the following specification:
     //
     // issuer:ev_root_rsa_2040
@@ -138,21 +138,21 @@ static struct nsMyTrustedEVInfo myTruste
     // extension:basicConstraints:cA,
     // extension:keyUsage:cRLSign,keyCertSign
     //
     // If this ever needs to change, re-generate the certificate and update the
     // following entry with the new fingerprint, issuer, and serial number.
     "1.3.6.1.4.1.13769.666.666.666.1.500.9.1",
     "DEBUGtesting EV OID",
     SEC_OID_UNKNOWN,
-    { 0x28, 0x79, 0xB9, 0x6C, 0x08, 0x71, 0x6C, 0x7D, 0xCE, 0x38, 0x8C,
-      0xAB, 0x7E, 0xEB, 0x08, 0xA6, 0xF7, 0x2C, 0xCE, 0xE4, 0x47, 0xF5,
-      0x72, 0xA1, 0xEB, 0x16, 0x9B, 0xC3, 0x49, 0x49, 0x72, 0x5D },
+    { 0x49, 0x46, 0x10, 0xF4, 0xF5, 0xB1, 0x96, 0xE7, 0xFB, 0xFA, 0x4D,
+      0xA6, 0x34, 0x03, 0xD0, 0x99, 0x22, 0xD4, 0x77, 0x20, 0x3F, 0x84,
+      0xE0, 0xDF, 0x1C, 0xAD, 0xB4, 0xC2, 0x76, 0xBB, 0x63, 0x24 },
     "MBsxGTAXBgNVBAMMEGV2X3Jvb3RfcnNhXzIwNDA=",
-    "N2nWLMPfNebIktpezTGThHoXsDU=",
+    "P1iIBgxk6kH+x64EUBTV3qoHuas=",
     nullptr
   },
 #endif
   {
     // OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
     "1.2.392.200091.100.721.1",
     "SECOM EV OID",
     SEC_OID_UNKNOWN,
--- a/security/manager/ssl/tests/unit/pycert.py
+++ b/security/manager/ssl/tests/unit/pycert.py
@@ -324,20 +324,16 @@ class Certificate(object):
         this file)."""
         hasher = hashlib.sha256()
         hasher.update(str(self.versionValue))
         hasher.update(self.signature)
         hasher.update(self.issuer)
         hasher.update(str(self.notBefore))
         hasher.update(str(self.notAfter))
         hasher.update(self.subject)
-        # Bug 1194419: This is duplicated so as to not have to
-        # re-generate the EV testing root certificates. At some point
-        # we should clean this up and re-generate them.
-        hasher.update(self.signature)
         if self.extensions:
             for extension in self.extensions:
                 hasher.update(str(extension))
         serialBytes = [ord(c) for c in hasher.digest()[:20]]
         # Ensure that the most significant bit isn't set (which would
         # indicate a negative number, which isn't valid for serial
         # numbers).
         serialBytes[0] &= 0x7f
--- a/security/manager/ssl/tests/unit/test_cert_blocklist.js
+++ b/security/manager/ssl/tests/unit/test_cert_blocklist.js
@@ -92,33 +92,33 @@ var blocklist_contents =
     "<serialNumber>some nonsense in serial</serialNumber>" +
     "</certItem><certItem issuerName='some nonsense in both issuer'>" +
     "<serialNumber>and serial</serialNumber></certItem>" +
     // some mixed
     // In this case, the issuer name and the valid serialNumber correspond
     // to test-int.pem in bad_certs/
     "<certItem issuerName='MBIxEDAOBgNVBAMMB1Rlc3QgQ0E='>" +
     "<serialNumber>oops! more nonsense.</serialNumber>" +
-    "<serialNumber>Y1HQqXGtw7ek2v/QAqBL8jf6rbA=</serialNumber></certItem>" +
+    "<serialNumber>BVio/iQ21GCi2iUven8oJ/gae74=</serialNumber></certItem>" +
     // ... and some good
     // In this case, the issuer name and the valid serialNumber correspond
     // to other-test-ca.pem in bad_certs/ (for testing root revocation)
     "<certItem issuerName='MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E='>" +
-    "<serialNumber>Szin5enUEn9TnVq29c4IMPNFuqE=</serialNumber></certItem>" +
+    "<serialNumber>exJUIJpq50jgqOwQluhVrAzTF74=</serialNumber></certItem>" +
     // This item corresponds to an entry in sample_revocations.txt where:
     // isser name is "another imaginary issuer" base-64 encoded, and
     // serialNumbers are:
     // "serial2." base-64 encoded, and
     // "another serial." base-64 encoded
     // We need this to ensure that existing items are retained if they're
     // also in the blocklist
     "<certItem issuerName='YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy'>" +
     "<serialNumber>c2VyaWFsMi4=</serialNumber>" +
     "<serialNumber>YW5vdGhlciBzZXJpYWwu</serialNumber>" +
-    // This item revokes same-issuer-ee.pem by subject and serial number.
+    // This item revokes same-issuer-ee.pem by subject and pubKeyHash.
     "</certItem><certItem subject='MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5'"+
     " pubKeyHash='VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8='>" +
     "</certItem></certItems></blocklist>";
 testserver.registerPathHandler("/push_blocked_cert/",
   function serveResponse(request, response) {
     response.write(blocklist_contents);
   });
 
@@ -269,19 +269,19 @@ function run_test() {
       var line = {};
       hasmore = inputStream.readLine(line);
       contents = contents + (contents.length == 0 ? "" : "\n") + line.value;
     } while (hasmore);
     let expected = "# Auto generated contents. Do not edit.\n" +
                   "MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5\n"+
                   "\tVCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=\n"+
                   "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=\n" +
-                  " Y1HQqXGtw7ek2v/QAqBL8jf6rbA=\n" +
+                  " BVio/iQ21GCi2iUven8oJ/gae74=\n" +
                   "MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E=\n" +
-                  " Szin5enUEn9TnVq29c4IMPNFuqE=\n" +
+                  " exJUIJpq50jgqOwQluhVrAzTF74=\n" +
                   "YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy\n" +
                   " YW5vdGhlciBzZXJpYWwu\n" +
                   " c2VyaWFsMi4=";
     equal(contents, expected, "revocations.txt should be as expected");
 
     // Check the blocklisted intermediate now causes a failure
     let file = "test_onecrl/test-int-ee.pem";
     verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
--- a/security/manager/ssl/tests/unit/test_keysize_ev.js
+++ b/security/manager/ssl/tests/unit/test_keysize_ev.js
@@ -130,17 +130,17 @@ function checkRSAChains(inadequateKeySiz
 
 function run_test() {
   Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
   Services.prefs.setIntPref("security.OCSP.enabled", 1);
 
   let smallKeyEVRoot =
     constructCertFromFile("test_keysize_ev/ev_root_rsa_2040.pem");
   equal(smallKeyEVRoot.sha256Fingerprint,
-        "28:79:B9:6C:08:71:6C:7D:CE:38:8C:AB:7E:EB:08:A6:" +
-        "F7:2C:CE:E4:47:F5:72:A1:EB:16:9B:C3:49:49:72:5D",
+        "49:46:10:F4:F5:B1:96:E7:FB:FA:4D:A6:34:03:D0:99:" +
+        "22:D4:77:20:3F:84:E0:DF:1C:AD:B4:C2:76:BB:63:24",
         "test sanity check: the small-key EV root must have the same " +
         "fingerprint as the corresponding entry in ExtendedValidation.cpp");
 
   checkRSAChains(2040, 2048);
 
   run_next_test();
 }