Bug 917380 - Part 1 - Add filters for EV root list. r=briansmith a=abilings
authorCamilo Viecco <cviecco@mozilla.com>
Mon, 21 Oct 2013 14:27:46 -0700
changeset 167594 986074bde47dd276518ba73794a85a11d0999131
parent 167593 3420e1f8907536688d657f2f7e040ccd701a213f
child 167595 72560d160a16a49e8245cce3507d7598834e87c6
push id428
push userbbajaj@mozilla.com
push dateTue, 28 Jan 2014 00:16:25 +0000
treeherdermozilla-release@cd72a7ff3a75 [default view] [failures only]
reviewersbriansmith, abilings
bugs917380
milestone27.0a2
Bug 917380 - Part 1 - Add filters for EV root list. r=briansmith a=abilings
security/manager/ssl/src/CertVerifier.cpp
security/manager/ssl/src/nsIdentityChecking.cpp
--- a/security/manager/ssl/src/CertVerifier.cpp
+++ b/security/manager/ssl/src/CertVerifier.cpp
@@ -154,16 +154,22 @@ CertVerifier::VerifyCert(CERTCertificate
     SECStatus srv = getFirstEVPolicy(cert, evPolicy);
     if (srv == SECSuccess) {
       if (evPolicy != SEC_OID_UNKNOWN) {
         trustAnchors = getRootsForOid(evPolicy);
       }
       if (!trustAnchors) {
         return SECFailure;
       }
+      // pkix ignores an empty trustanchors list and
+      // decides then to use the whole set of trust in the DB
+      // so we set the evPolicy to unkown in this case
+      if (CERT_LIST_EMPTY(trustAnchors)) {
+        evPolicy = SEC_OID_UNKNOWN;
+      }
     } else {
       // Do not setup EV verification params
       evPolicy = SEC_OID_UNKNOWN;
     }
   }
   
   MOZ_ASSERT_IF(evPolicy != SEC_OID_UNKNOWN, trustAnchors);
 
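Review bot: The new `if (CERT_LIST_EMPTY(trustAnchors))` branch resets only `evPolicy` and leaves `trustAnchors` as a non-null empty list, so the downgrade is safe only if every later use of the list is gated on `evPolicy`. The rest of VerifyCert is outside this hunk, so that cannot be confirmed here, and the `MOZ_ASSERT_IF` below checks only for non-null, which would not catch an empty list reaching libpkix. The comment would also read better if it stated the consequence and fixed the "unkown" typo, e.g. `// libpkix treats an empty trust-anchor list as "use all trust in the DB"; fall back to non-EV validation so the EV policy is never checked against non-EV roots.`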
--- a/security/manager/ssl/src/nsIdentityChecking.cpp
+++ b/security/manager/ssl/src/nsIdentityChecking.cpp
@@ -9,16 +9,17 @@
 #include "nsNSSComponent.h"
 #include "mozilla/RefPtr.h"
 #include "nsAppDirectoryServiceDefs.h"
 #include "nsStreamUtils.h"
 #include "nsNetUtil.h"
 #include "nsILineInputStream.h"
 #include "nsPromiseFlatString.h"
 #include "nsTArray.h"
+#include "nsNSSCertTrust.h"
 
 #include "cert.h"
 #include "base64.h"
 #include "nsSSLStatus.h"
 #include "ScopedNSSTypes.h"
 
 using namespace mozilla;
 
@@ -782,16 +783,29 @@ register_oid(const SECItem *oid_item, co
   od.oid.data = oid_item->data;
   od.offset = SEC_OID_UNKNOWN;
   od.desc = oid_name;
   od.mechanism = CKM_INVALID_MECHANISM;
   od.supportedExtension = INVALID_CERT_EXTENSION;
   return SECOID_AddEntry(&od);
 }
 
+static void
+addToCertListIfTrusted(CERTCertList* certList, CERTCertificate *cert) {
+  CERTCertTrust nssTrust;
+  if (CERT_GetCertTrust(cert, &nssTrust) != SECSuccess) {
+    return;
+  }
+  unsigned int flags = SEC_GET_TRUST_FLAGS(&nssTrust, trustSSL);
+
+  if (flags & CERTDB_TRUSTED_CA) {
+    CERT_AddCertToListTail(certList, CERT_DupCertificate(cert));
+  }
+}
+
 #ifdef PSM_ENABLE_TEST_EV_ROOTS
 class nsMyTrustedEVInfoClass : public nsMyTrustedEVInfo
 {
 public:
   nsMyTrustedEVInfoClass();
   ~nsMyTrustedEVInfoClass();
 };
 
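Review bot: `addToCertListIfTrusted` ignores the result of `CERT_AddCertToListTail`, so if the append fails the reference taken by `CERT_DupCertificate` is never released and the root is silently missing from the EV anchor list. Keeping the duplicate in a local and releasing it on failure fixes that: `CERTCertificate *dup = CERT_DupCertificate(cert);` followed by `if (CERT_AddCertToListTail(certList, dup) != SECSuccess) { CERT_DestroyCertificate(dup); }`. A short comment would also help, saying that a failed `CERT_GetCertTrust` is deliberately treated as untrusted and that only the SSL `CERTDB_TRUSTED_CA` bit is consulted. If `cert` can be null for some table entries (not visible in this hunk), a null guard before `CERT_GetCertTrust` would be needed as well.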
@@ -1032,18 +1046,19 @@ getRootsForOidFromExternalRootsFile(CERT
   int enabled_val = atoi(env_val);
   if (!enabled_val)
     return false;
 
   for (size_t i=0; i<testEVInfos->Length(); ++i) {
     nsMyTrustedEVInfoClass *ev = testEVInfos->ElementAt(i);
     if (!ev)
       continue;
-    if (policyOIDTag == ev->oid_tag)
-      CERT_AddCertToListTail(certList, CERT_DupCertificate(ev->cert));
+    if (policyOIDTag == ev->oid_tag) {
+      addToCertListIfTrusted(certList, ev->cert);
+    }
   }
 
   return false;
 }
 #endif
 
 static bool 
 isEVPolicy(SECOidTag policyOIDTag)
@@ -1074,18 +1089,19 @@ getRootsForOid(SECOidTag oid_tag)
   CERTCertList *certList = CERT_NewCertList();
   if (!certList)
     return nullptr;
 
   for (size_t iEV=0; iEV < (sizeof(myTrustedEVInfos)/sizeof(nsMyTrustedEVInfo)); ++iEV) {
     nsMyTrustedEVInfo &entry = myTrustedEVInfos[iEV];
     if (!entry.oid_name) // invalid or placeholder list entry
       continue;
-    if (entry.oid_tag == oid_tag)
-      CERT_AddCertToListTail(certList, CERT_DupCertificate(entry.cert));
+    if (entry.oid_tag == oid_tag) {
+      addToCertListIfTrusted(certList, entry.cert);
+    }
   }
 
 #ifdef PSM_ENABLE_TEST_EV_ROOTS
   getRootsForOidFromExternalRootsFile(certList, oid_tag);
 #endif
   return certList;
 }
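Review bot: With the trust filter in place, `getRootsForOid` can return a non-null but empty list when every root registered for the policy lacks the SSL trusted-CA bit, and nothing in the function documents that. VerifyCert handles the case in this commit, but any other caller that passes the list to libpkix as trust anchors would need the same check, since the CertVerifier.cpp comment says an empty list makes libpkix use all trust in the DB. A comment above `return certList;` would record the contract, e.g. `// May be empty (all matching roots distrusted); callers must treat that as "not EV" rather than pass it as trust anchors.` The function begins outside this hunk.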