bug 1138332 - re-allow overrides for certificates signed by non-CA certificates r=mmc
parent
890f1bdf16
commit
221fab118c
@ -151,6 +151,7 @@ ErrorIsOverridable(PRErrorCode code)
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE:
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE:
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
|
||||
case SEC_ERROR_CA_CERT_INVALID:
|
||||
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
|
||||
case SEC_ERROR_EXPIRED_CERTIFICATE:
|
||||
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
|
||||
|
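Review bot: The `case SEC_ERROR_CA_CERT_INVALID:` label in ErrorIsOverridable has no comment explaining why a chain whose issuer is not a valid CA may be clicked through; the only rationale on this page sits in the test's add_simple_tests(). I would state it next to the policy itself, e.g. `// Overridable for compatibility (bug 1138332): issuer is not a valid CA.` The same code is listed by hand again in MapOverridableErrorToProbeValue and DetermineCertOverrideErrors, so a one-line reminder that the three switches must stay in step would also help. That this label is the added line is inferred from the commit title, because the rendered page has lost its +/- markers, and the switch begins and ends outside the hunk.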
@ -300,6 +300,7 @@ MapOverridableErrorToProbeValue(PRErrorCode errorCode)
|
||||
switch (errorCode)
|
||||
{
|
||||
case SEC_ERROR_UNKNOWN_ISSUER: return 2;
|
||||
case SEC_ERROR_CA_CERT_INVALID: return 3;
|
||||
case SEC_ERROR_UNTRUSTED_ISSUER: return 4;
|
||||
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: return 5;
|
||||
case SEC_ERROR_UNTRUSTED_CERT: return 6;
|
||||
@ -370,6 +371,7 @@ DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
|
||||
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
|
||||
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
|
||||
case SEC_ERROR_UNKNOWN_ISSUER:
|
||||
case SEC_ERROR_CA_CERT_INVALID:
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
|
||||
|
@ -53,7 +53,7 @@ function check_telemetry() {
|
||||
.snapshot();
|
||||
do_check_eq(histogram.counts[ 0], 0);
|
||||
do_check_eq(histogram.counts[ 2], 7); // SEC_ERROR_UNKNOWN_ISSUER
|
||||
do_check_eq(histogram.counts[ 3], 0); // SEC_ERROR_CA_CERT_INVALID
|
||||
do_check_eq(histogram.counts[ 3], 1); // SEC_ERROR_CA_CERT_INVALID
|
||||
do_check_eq(histogram.counts[ 4], 0); // SEC_ERROR_UNTRUSTED_ISSUER
|
||||
do_check_eq(histogram.counts[ 5], 1); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
|
||||
do_check_eq(histogram.counts[ 6], 0); // SEC_ERROR_UNTRUSTED_CERT
|
||||
@ -75,7 +75,7 @@ function check_telemetry() {
|
||||
do_check_eq(keySizeHistogram.counts[0], 0);
|
||||
do_check_eq(keySizeHistogram.counts[1], 0); // 0 successful verifications of 2048-bit keys
|
||||
do_check_eq(keySizeHistogram.counts[2], 4); // 4 successful verifications of 1024-bit keys
|
||||
do_check_eq(keySizeHistogram.counts[3], 47); // 47 verification failures
|
||||
do_check_eq(keySizeHistogram.counts[3], 49); // 49 verification failures
|
||||
|
||||
run_next_test();
|
||||
}
|
||||
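Review bot: The expected total in `keySizeHistogram.counts[3]` apparently goes from 47 to 49, but the trailing comment only restates the number, so a reader cannot tell why one new host (end-entity-issued-by-non-CA.example.com) would account for two more failures. A comment that names the source would make the next adjustment checkable, e.g. `// 49 verification failures (2 of them from the non-CA issuer test)`; that attribution is my assumption and should be confirmed against the harness. The `counts[ 3]` expectation for SEC_ERROR_CA_CERT_INVALID in the previous hunk changes for the same reason. check_telemetry() starts outside this hunk.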
@ -194,6 +194,12 @@ function add_simple_tests() {
|
||||
run_next_test();
|
||||
});
|
||||
|
||||
// Due to compatibility issues, we allow overrides for certificates issued by
|
||||
// certificates that are not valid CAs.
|
||||
add_cert_override_test("end-entity-issued-by-non-CA.example.com",
|
||||
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_CA_CERT_INVALID));
|
||||
|
||||
add_cert_override_test("inadequate-key-size-ee.example.com",
|
||||
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
|
||||
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE));
|
||||
|
Binary file not shown.
@ -67,6 +67,7 @@ const BadCertHost sBadCertHosts[] =
|
||||
{ "nsCertTypeCriticalWithExtKeyUsage.example.com", "nsCertTypeCriticalWithExtKeyUsage" },
|
||||
{ "nsCertTypeCritical.example.com", "nsCertTypeCritical" },
|
||||
{ "end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert" },
|
||||
{ "end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA" },
|
||||
{ "inadequate-key-size-ee.example.com", "inadequateKeySizeEE" },
|
||||
{ "badSubjectAltNames.example.com", "badSubjectAltNames" },
|
||||
{ nullptr, nullptr }
|
||||
|
@ -334,6 +334,8 @@ make_V1 v1Cert 'CN=V1 Cert' testCA
|
||||
export_cert v1Cert v1Cert.der
|
||||
make_EE eeIssuedByV1Cert 'CN=EE Issued by V1 Cert' v1Cert "localhost,*.example.com"
|
||||
|
||||
make_EE eeIssuedByNonCA 'CN=EE Issued by non-CA' localhostAndExampleCom "localhost,*.example.com"
|
||||
|
||||
# Make a valid EE using testINT to test OneCRL revocation of testINT
|
||||
make_EE eeIssuedByIntermediate 'CN=EE issued by intermediate' testINT "localhost"
|
||||
export_cert eeIssuedByIntermediate test-int-ee.der
|
||||
|
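Review bot: The new `make_EE eeIssuedByNonCA ...` line passes localhostAndExampleCom as the issuer with no comment, unlike the testINT line below it, so it is not obvious that signing with what looks like an end-entity certificate is deliberate. I would add `# Make an EE issued by a certificate that is not a CA, to test the SEC_ERROR_CA_CERT_INVALID override` above it. That localhostAndExampleCom is a non-CA certificate is inferred from the test host name, since its definition is outside the hunk.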
Binary file not shown.