Backed out changeset fb6cbb4ada54 (bug 1183822)
authorMark Goodwin <mgoodwin@mozilla.com>
Fri, 17 Jul 2015 10:36:58 +0100
changeset 286771 99b36484d3bce5f278764fc617981560ca6b46a6
parent 286770 91754a3281fbaf6049241103e4b02d251cfb923d
child 286772 d2f8da515976518f38bdb9916c3e22e9baafb013
push id934
push userraliiev@mozilla.com
push dateMon, 26 Oct 2015 12:58:05 +0000
treeherdermozilla-release@05704e35c1d0 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs1183822
milestone42.0a1
backs outfb6cbb4ada544b1d4e690b8dad1e067c2e3e609b
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Backed out changeset fb6cbb4ada54 (bug 1183822)
security/certverifier/NSSCertDBTrustDomain.cpp
security/certverifier/OCSPVerificationTrustDomain.cpp
security/certverifier/OCSPVerificationTrustDomain.h
security/certverifier/moz.build
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -5,17 +5,16 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "NSSCertDBTrustDomain.h"
 
 #include <stdint.h>
 
 #include "ExtendedValidation.h"
 #include "OCSPRequestor.h"
-#include "OCSPVerificationTrustDomain.h"
 #include "certdb.h"
 #include "cert.h"
 #include "mozilla/UniquePtr.h"
 #include "nsNSSCertificate.h"
 #include "nss.h"
 #include "NSSErrorsService.h"
 #include "nsServiceManagerUtils.h"
 #include "pk11pub.h"
@@ -634,27 +633,17 @@ NSSCertDBTrustDomain::CheckRevocation(En
 Result
 NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
   const CertID& certID, Time time, uint16_t maxLifetimeInDays,
   Input encodedResponse, EncodedResponseSource responseSource,
   /*out*/ bool& expired)
 {
   Time thisUpdate(Time::uninitialized);
   Time validThrough(Time::uninitialized);
-
-  // We use a try and fallback approach which first mandates good signature
-  // digest algorithms, then falls back to SHA-1 if this fails. If a delegated
-  // OCSP response signing certificate was issued with a SHA-1 signature,
-  // verification initially fails. We cache the failure and then re-use that
-  // result even when doing fallback (i.e. when weak signature digest algorithms
-  // should succeed). To address this we use an OCSPVerificationTrustDomain
-  // here, rather than using *this, to ensure verification succeeds for all
-  // allowed signature digest algorithms.
-  OCSPVerificationTrustDomain trustDomain(*this);
-  Result rv = VerifyEncodedOCSPResponse(trustDomain, certID, time,
+  Result rv = VerifyEncodedOCSPResponse(*this, certID, time,
                                         maxLifetimeInDays, encodedResponse,
                                         expired, &thisUpdate, &validThrough);
   // If a response was stapled and expired, we don't want to cache it. Return
   // early to simplify the logic here.
   if (responseSource == ResponseWasStapled && expired) {
     PR_ASSERT(rv != Success);
     return rv;
   }
deleted file mode 100644
--- a/security/certverifier/OCSPVerificationTrustDomain.cpp
+++ /dev/null
@@ -1,110 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "OCSPVerificationTrustDomain.h"
-
-using namespace mozilla;
-using namespace mozilla::pkix;
-
-OCSPVerificationTrustDomain::OCSPVerificationTrustDomain(
-  NSSCertDBTrustDomain& certDBTrustDomain)
-  : mCertDBTrustDomain(certDBTrustDomain)
-{
-}
-
-Result
-OCSPVerificationTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
-                                          const CertPolicyId& policy,
-                                          Input candidateCertDER,
-                                  /*out*/ TrustLevel& trustLevel)
-{
-  return mCertDBTrustDomain.GetCertTrust(endEntityOrCA, policy,
-                                         candidateCertDER, trustLevel);
-}
-
-
-Result
-OCSPVerificationTrustDomain::FindIssuer(Input, IssuerChecker&, Time)
-{
-  // We do not expect this to be called for OCSP signers
-  return Result::FATAL_ERROR_LIBRARY_FAILURE;
-}
-
-Result
-OCSPVerificationTrustDomain::IsChainValid(const DERArray&, Time)
-{
-  // We do not expect this to be called for OCSP signers
-  return Result::FATAL_ERROR_LIBRARY_FAILURE;
-}
-
-Result
-OCSPVerificationTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&,
-                                             Time, Duration, const Input*,
-                                             const Input*)
-{
-  // We do not expect this to be called for OCSP signers
-  return Result::FATAL_ERROR_LIBRARY_FAILURE;
-}
-
-Result
-OCSPVerificationTrustDomain::CheckSignatureDigestAlgorithm(
-  DigestAlgorithm aAlg, EndEntityOrCA aEEOrCA)
-{
-  // The reason for wrapping the NSSCertDBTrustDomain in an
-  // OCSPVerificationTrustDomain is to allow us to bypass the weaker signature
-  // algorithm check - thus all allowable signature digest algorithms should
-  // always be accepted. This is only needed while we gather telemetry on SHA-1.
-  return Success;
-}
-
-Result
-OCSPVerificationTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
-  EndEntityOrCA aEEOrCA, unsigned int aModulusSizeInBits)
-{
-  return mCertDBTrustDomain.
-      CheckRSAPublicKeyModulusSizeInBits(aEEOrCA, aModulusSizeInBits);
-}
-
-Result
-OCSPVerificationTrustDomain::VerifyRSAPKCS1SignedDigest(
-  const SignedDigest& aSignedDigest, Input aSubjectPublicKeyInfo)
-{
-  return mCertDBTrustDomain.VerifyRSAPKCS1SignedDigest(aSignedDigest,
-                                                       aSubjectPublicKeyInfo);
-}
-
-Result
-OCSPVerificationTrustDomain::CheckECDSACurveIsAcceptable(
-  EndEntityOrCA aEEOrCA, NamedCurve aCurve)
-{
-  return mCertDBTrustDomain.CheckECDSACurveIsAcceptable(aEEOrCA, aCurve);
-}
-
-Result
-OCSPVerificationTrustDomain::VerifyECDSASignedDigest(
-  const SignedDigest& aSignedDigest, Input aSubjectPublicKeyInfo)
-{
-  return mCertDBTrustDomain.VerifyECDSASignedDigest(aSignedDigest,
-                                                    aSubjectPublicKeyInfo);
-}
-
-Result
-OCSPVerificationTrustDomain::CheckValidityIsAcceptable(
-  Time notBefore, Time notAfter, EndEntityOrCA endEntityOrCA,
-  KeyPurposeId keyPurpose)
-{
-  return mCertDBTrustDomain.CheckValidityIsAcceptable(notBefore, notAfter,
-                                                      endEntityOrCA,
-                                                      keyPurpose);
-}
-
-Result
-OCSPVerificationTrustDomain::DigestBuf(
-  Input item, DigestAlgorithm digestAlg,
-  /*out*/ uint8_t* digestBuf, size_t digestBufLen)
-{
-  return mCertDBTrustDomain.DigestBuf(item, digestAlg, digestBuf, digestBufLen);
-}
deleted file mode 100644
--- a/security/certverifier/OCSPVerificationTrustDomain.h
+++ /dev/null
@@ -1,79 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_psm__OCSPVerificationTrustDomain_h
-#define mozilla_psm__OCSPVerificationTrustDomain_h
-
-#include "pkix/pkixtypes.h"
-#include "NSSCertDBTrustDomain.h"
-
-namespace mozilla { namespace psm {
-
-class OCSPVerificationTrustDomain : public mozilla::pkix::TrustDomain
-{
-public:
-  OCSPVerificationTrustDomain(NSSCertDBTrustDomain& certDBTrustDomain);
-
-  virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
-                            IssuerChecker& checker,
-                            mozilla::pkix::Time time) override;
-
-  virtual Result GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
-                              const mozilla::pkix::CertPolicyId& policy,
-                              mozilla::pkix::Input candidateCertDER,
-                      /*out*/ mozilla::pkix::TrustLevel& trustLevel)
-                              override;
-
-  virtual Result CheckSignatureDigestAlgorithm(
-                   mozilla::pkix::DigestAlgorithm digestAlg,
-                   mozilla::pkix::EndEntityOrCA endEntityOrCA) override;
-
-  virtual Result CheckRSAPublicKeyModulusSizeInBits(
-                   mozilla::pkix::EndEntityOrCA endEntityOrCA,
-                   unsigned int modulusSizeInBits) override;
-
-  virtual Result VerifyRSAPKCS1SignedDigest(
-                   const mozilla::pkix::SignedDigest& signedDigest,
-                   mozilla::pkix::Input subjectPublicKeyInfo) override;
-
-  virtual Result CheckECDSACurveIsAcceptable(
-                   mozilla::pkix::EndEntityOrCA endEntityOrCA,
-                   mozilla::pkix::NamedCurve curve) override;
-
-  virtual Result VerifyECDSASignedDigest(
-                   const mozilla::pkix::SignedDigest& signedDigest,
-                   mozilla::pkix::Input subjectPublicKeyInfo) override;
-
-  virtual Result DigestBuf(mozilla::pkix::Input item,
-                           mozilla::pkix::DigestAlgorithm digestAlg,
-                   /*out*/ uint8_t* digestBuf,
-                           size_t digestBufLen) override;
-
-  virtual Result CheckValidityIsAcceptable(
-                   mozilla::pkix::Time notBefore, mozilla::pkix::Time notAfter,
-                   mozilla::pkix::EndEntityOrCA endEntityOrCA,
-                   mozilla::pkix::KeyPurposeId keyPurpose) override;
-
-  virtual Result CheckRevocation(
-                   mozilla::pkix::EndEntityOrCA endEntityOrCA,
-                   const mozilla::pkix::CertID& certID,
-                   mozilla::pkix::Time time,
-                   mozilla::pkix::Duration validityDuration,
-      /*optional*/ const mozilla::pkix::Input* stapledOCSPResponse,
-      /*optional*/ const mozilla::pkix::Input* aiaExtension)
-                   override;
-
-  virtual Result IsChainValid(const mozilla::pkix::DERArray& certChain,
-                              mozilla::pkix::Time time) override;
-
-private:
-  NSSCertDBTrustDomain& mCertDBTrustDomain;
-};
-
-
-} } // namespace mozilla::psm
-
-#endif // mozilla_psm__OCSPVerificationTrustDomain_h
--- a/security/certverifier/moz.build
+++ b/security/certverifier/moz.build
@@ -9,17 +9,16 @@ EXPORTS += [
     'OCSPCache.h',
 ]
 
 UNIFIED_SOURCES += [
     'CertVerifier.cpp',
     'NSSCertDBTrustDomain.cpp',
     'OCSPCache.cpp',
     'OCSPRequestor.cpp',
-    'OCSPVerificationTrustDomain.cpp',
 ]
 
 if not CONFIG['NSS_NO_EV_CERTS']:
     UNIFIED_SOURCES += [
         'ExtendedValidation.cpp',
     ]
 
 LOCAL_INCLUDES += [