wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Bug 975229: Remove NSS-based certificate verification, r=keeler

Browse Source 
--HG--
extra : rebase_source : 49cb20f1b51e2d9993a35decd820764e20ad9be9
This commit is contained in:
Brian Smith 2014-06-16 23:13:29 -07:00
parent 375c508db3
commit 2bd47f2cb9
37 changed files with 363 additions and 1914 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
netwerk/base/public/security-prefs.js
View File

@ -54,5 +54,3 @@ pref("security.password_lifetime", 30);
pref("security.OCSP.enabled", 1);
pref("security.OCSP.require", false);
pref("security.OCSP.GET.enabled", false);
pref("security.use_mozillapkix_verification", true);

535
security/certverifier/CertVerifier.cpp
View File

@ -13,7 +13,6 @@
#include "NSSErrorsService.h"
#include "PublicKeyPinningService.h"
#include "cert.h"
#include "ocsp.h"
#include "pk11pub.h"
#include "pkix/pkix.h"
#include "prerror.h"
@ -34,21 +33,11 @@ namespace mozilla { namespace psm {
const CertVerifier::Flags CertVerifier::FLAG_LOCAL_ONLY = 1;
const CertVerifier::Flags CertVerifier::FLAG_MUST_BE_EV = 2;
CertVerifier::CertVerifier(implementation_config ic,
#ifndef NSS_NO_LIBPKIX
missing_cert_download_config mcdc,
crl_download_config cdc,
#endif
ocsp_download_config odc,
CertVerifier::CertVerifier(ocsp_download_config odc,
ocsp_strict_config osc,
ocsp_get_config ogc,
pinning_enforcement_config pel)
: mImplementation(ic)
#ifndef NSS_NO_LIBPKIX
, mMissingCertDownloadEnabled(mcdc == missing_cert_download_on)
, mCRLDownloadEnabled(cdc == crl_download_allowed)
#endif
, mOCSPDownloadEnabled(odc == ocsp_on)
: mOCSPDownloadEnabled(odc == ocsp_on)
, mOCSPStrict(osc == ocsp_strict)
, mOCSPGETEnabled(ogc == ocsp_get_enabled)
, mPinningEnforcementLevel(pel)
@ -69,37 +58,6 @@ InitCertVerifierLog()
#endif
}
// Once we migrate to mozilla::pkix or change the overridable error
// logic this will become unnecesary.
static SECStatus
insertErrorIntoVerifyLog(CERTCertificate* cert, const PRErrorCode err,
CERTVerifyLog* verifyLog){
CERTVerifyLogNode* node;
node = (CERTVerifyLogNode *)PORT_ArenaAlloc(verifyLog->arena,
sizeof(CERTVerifyLogNode));
if (!node) {
PR_SetError(PR_UNKNOWN_ERROR, 0);
return SECFailure;
}
node->cert = CERT_DupCertificate(cert);
node->error = err;
node->depth = 0;
node->arg = nullptr;
//and at to head!
node->prev = nullptr;
node->next = verifyLog->head;
if (verifyLog->head) {
verifyLog->head->prev = node;
}
verifyLog->head = node;
if (!verifyLog->tail) {
verifyLog->tail = node;
}
verifyLog->count++;
return SECSuccess;
}
SECStatus
IsCertBuiltInRoot(CERTCertificate* cert, bool& result) {
result = false;
@ -198,108 +156,6 @@ SECStatus chainValidationCallback(void* state, const CERTCertList* certList,
return SECSuccess;
}
static SECStatus
ClassicVerifyCert(CERTCertificate* cert,
const SECCertificateUsage usage,
const PRTime time,
void* pinArg,
ChainValidationCallbackState* callbackState,
/*optional out*/ ScopedCERTCertList* validationChain,
/*optional out*/ CERTVerifyLog* verifyLog)
{
SECStatus rv;
SECCertUsage enumUsage;
switch (usage) {
case certificateUsageSSLClient:
enumUsage = certUsageSSLClient;
break;
case certificateUsageSSLServer:
enumUsage = certUsageSSLServer;
break;
case certificateUsageSSLCA:
enumUsage = certUsageSSLCA;
break;
case certificateUsageEmailSigner:
enumUsage = certUsageEmailSigner;
break;
case certificateUsageEmailRecipient:
enumUsage = certUsageEmailRecipient;
break;
case certificateUsageObjectSigner:
enumUsage = certUsageObjectSigner;
break;
case certificateUsageVerifyCA:
enumUsage = certUsageVerifyCA;
break;
case certificateUsageStatusResponder:
enumUsage = certUsageStatusResponder;
break;
default:
PR_NOT_REACHED("unexpected usage");
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (usage == certificateUsageSSLServer) {
// SSL server cert verification has always used CERT_VerifyCert, so we
// continue to use it for SSL cert verification to minimize the risk of
// there being any differnce in results between CERT_VerifyCert and
// CERT_VerifyCertificate.
rv = CERT_VerifyCert(CERT_GetDefaultCertDB(), cert, true,
certUsageSSLServer, time, pinArg, verifyLog);
} else {
rv = CERT_VerifyCertificate(CERT_GetDefaultCertDB(), cert, true,
usage, time, pinArg, verifyLog, nullptr);
}
if (rv == SECSuccess &&
(validationChain || usage == certificateUsageSSLServer)) {
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
("VerifyCert: getting chain in 'classic' \n"));
ScopedCERTCertList certChain(CERT_GetCertChainFromCert(cert, time,
enumUsage));
if (!certChain) {
return SECFailure;
}
if (usage == certificateUsageSSLServer) {
PRBool chainOK = PR_FALSE;
SECStatus srv = chainValidationCallback(callbackState, certChain.get(),
&chainOK);
if (srv != SECSuccess) {
return srv;
}
if (chainOK != PR_TRUE) {
if (verifyLog) {
insertErrorIntoVerifyLog(cert,
PSM_ERROR_KEY_PINNING_FAILURE,
verifyLog);
}
PR_SetError(PSM_ERROR_KEY_PINNING_FAILURE, 0);
return SECFailure;
}
}
if (rv == SECSuccess && validationChain) {
*validationChain = certChain.release();
}
}
return rv;
}
#ifndef NSS_NO_LIBPKIX
static void
destroyCertListThatShouldNotExist(CERTCertList** certChain)
{
PR_ASSERT(certChain);
PR_ASSERT(!*certChain);
if (certChain && *certChain) {
// There SHOULD not be a validation chain on failure, asserion here for
// the debug builds AND a fallback for production builds
CERT_DestroyCertList(*certChain);
*certChain = nullptr;
}
}
#endif
static SECStatus
BuildCertChainForOneKeyUsage(TrustDomain& trustDomain, CERTCertificate* cert,
PRTime time, KeyUsage ku1, KeyUsage ku2,
@ -331,18 +187,14 @@ BuildCertChainForOneKeyUsage(TrustDomain& trustDomain, CERTCertificate* cert,
}
SECStatus
CertVerifier::MozillaPKIXVerifyCert(
CERTCertificate* cert,
const SECCertificateUsage usage,
const PRTime time,
void* pinArg,
const Flags flags,
ChainValidationCallbackState* callbackState,
/*optional*/ const SECItem* stapledOCSPResponse,
/*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
/*optional out*/ SECOidTag* evOidPolicy)
CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
PRTime time, void* pinArg, const char* hostname,
const Flags flags,
/*optional*/ const SECItem* stapledOCSPResponse,
/*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
/*optional out*/ SECOidTag* evOidPolicy)
{
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of MozillaPKIXVerifyCert\n"));
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of VerifyCert\n"));
PR_ASSERT(cert);
PR_ASSERT(usage == certificateUsageSSLServer || !(flags & FLAG_MUST_BE_EV));
@ -360,9 +212,12 @@ CertVerifier::MozillaPKIXVerifyCert(
return SECFailure;
}
ChainValidationCallbackState callbackState = {
hostname, mPinningEnforcementLevel, usage, time
};
CERTChainVerifyCallback callbackContainer;
callbackContainer.isChainValid = chainValidationCallback;
callbackContainer.isChainValidArg = callbackState;
callbackContainer.isChainValidArg = &callbackState;
NSSCertDBTrustDomain::OCSPFetching ocspFetching
= !mOCSPDownloadEnabled ||
@ -558,368 +413,6 @@ CertVerifier::MozillaPKIXVerifyCert(
return rv;
}
SECStatus
CertVerifier::VerifyCert(CERTCertificate* cert,
const SECCertificateUsage usage,
const PRTime time,
void* pinArg,
const char* hostname,
const Flags flags,
/*optional in*/ const SECItem* stapledOCSPResponse,
/*optional out*/ ScopedCERTCertList* validationChain,
/*optional out*/ SECOidTag* evOidPolicy,
/*optional out*/ CERTVerifyLog* verifyLog)
{
ChainValidationCallbackState callbackState = { hostname,
mPinningEnforcementLevel,
usage,
time };
if (mImplementation == mozillapkix) {
return MozillaPKIXVerifyCert(cert, usage, time, pinArg, flags,
&callbackState, stapledOCSPResponse,
validationChain, evOidPolicy);
}
if (!cert)
{
PR_NOT_REACHED("Invalid arguments to CertVerifier::VerifyCert");
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (validationChain) {
*validationChain = nullptr;
}
if (evOidPolicy) {
*evOidPolicy = SEC_OID_UNKNOWN;
}
switch(usage){
case certificateUsageSSLClient:
case certificateUsageSSLServer:
case certificateUsageSSLCA:
case certificateUsageEmailSigner:
case certificateUsageEmailRecipient:
case certificateUsageObjectSigner:
case certificateUsageVerifyCA:
case certificateUsageStatusResponder:
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if ((flags & FLAG_MUST_BE_EV) && usage != certificateUsageSSLServer) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
#ifndef NSS_NO_LIBPKIX
ScopedCERTCertList trustAnchors;
SECStatus rv;
SECOidTag evPolicy = SEC_OID_UNKNOWN;
// Do EV checking only for sslserver usage
if (usage == certificateUsageSSLServer) {
CertPolicyId unusedPolicyId;
SECStatus srv = GetFirstEVPolicy(cert, unusedPolicyId, evPolicy);
if (srv == SECSuccess) {
if (evPolicy != SEC_OID_UNKNOWN) {
trustAnchors = GetRootsForOid(evPolicy);
}
if (!trustAnchors) {
return SECFailure;
}
// pkix ignores an empty trustanchors list and
// decides then to use the whole set of trust in the DB
// so we set the evPolicy to unkown in this case
if (CERT_LIST_EMPTY(trustAnchors)) {
evPolicy = SEC_OID_UNKNOWN;
}
} else {
// No known EV policy found
if (flags & FLAG_MUST_BE_EV) {
PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
return SECFailure;
}
// Do not setup EV verification params
evPolicy = SEC_OID_UNKNOWN;
}
if ((evPolicy == SEC_OID_UNKNOWN) && (flags & FLAG_MUST_BE_EV)) {
PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
return SECFailure;
}
}
PR_ASSERT(evPolicy == SEC_OID_UNKNOWN || trustAnchors);
size_t i = 0;
size_t validationChainLocation = 0;
size_t validationTrustAnchorLocation = 0;
CERTValOutParam cvout[4];
if (verifyLog) {
cvout[i].type = cert_po_errorLog;
cvout[i].value.pointer.log = verifyLog;
++i;
}
if (validationChain) {
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: setting up validation chain outparam.\n"));
validationChainLocation = i;
cvout[i].type = cert_po_certList;
cvout[i].value.pointer.chain = nullptr;
++i;
validationTrustAnchorLocation = i;
cvout[i].type = cert_po_trustAnchor;
cvout[i].value.pointer.cert = nullptr;
++i;
}
cvout[i].type = cert_po_end;
CERTRevocationFlags rev;
CERTRevocationMethodIndex revPreferredMethods[2];
rev.leafTests.preferred_methods =
rev.chainTests.preferred_methods = revPreferredMethods;
uint64_t revFlagsPerMethod[2];
rev.leafTests.cert_rev_flags_per_method =
rev.chainTests.cert_rev_flags_per_method = revFlagsPerMethod;
rev.leafTests.number_of_preferred_methods =
rev.chainTests.number_of_preferred_methods = 1;
rev.leafTests.number_of_defined_methods =
rev.chainTests.number_of_defined_methods = cert_revocation_method_ocsp + 1;
const bool localOnly = flags & FLAG_LOCAL_ONLY;
CERTValInParam cvin[7];
// Parameters for both EV and DV validation
cvin[0].type = cert_pi_useAIACertFetch;
cvin[0].value.scalar.b = mMissingCertDownloadEnabled && !localOnly;
cvin[1].type = cert_pi_revocationFlags;
cvin[1].value.pointer.revocation = &rev;
cvin[2].type = cert_pi_date;
cvin[2].value.scalar.time = time;
i = 3;
CERTChainVerifyCallback callbackContainer;
if (usage == certificateUsageSSLServer) {
callbackContainer.isChainValid = chainValidationCallback;
callbackContainer.isChainValidArg = &callbackState;
cvin[i].type = cert_pi_chainVerifyCallback;
cvin[i].value.pointer.chainVerifyCallback = &callbackContainer;
++i;
}
const size_t evParamLocation = i;
if (evPolicy != SEC_OID_UNKNOWN) {
// EV setup!
// XXX 859872 The current flags are not quite correct. (use
// of ocsp flags for crl preferences).
uint64_t ocspRevMethodFlags =
CERT_REV_M_TEST_USING_THIS_METHOD
| ((mOCSPDownloadEnabled && !localOnly) ?
CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
| CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
| CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE
| CERT_REV_M_IGNORE_MISSING_FRESH_INFO
| CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
| (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl]
= CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD;
rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp]
= ocspRevMethodFlags;
rev.leafTests.cert_rev_method_independent_flags =
rev.chainTests.cert_rev_method_independent_flags =
// avoiding the network is good, let's try local first
CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
// is overall revocation requirement strict or relaxed?
| CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
;
rev.leafTests.preferred_methods[0] =
rev.chainTests.preferred_methods[0] = cert_revocation_method_ocsp;
cvin[i].type = cert_pi_policyOID;
cvin[i].value.arraySize = 1;
cvin[i].value.array.oids = &evPolicy;
++i;
PR_ASSERT(trustAnchors);
cvin[i].type = cert_pi_trustAnchors;
cvin[i].value.pointer.chain = trustAnchors.get();
++i;
cvin[i].type = cert_pi_end;
rv = CERT_PKIXVerifyCert(cert, usage, cvin, cvout, pinArg);
if (rv == SECSuccess) {
if (evOidPolicy) {
*evOidPolicy = evPolicy;
}
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
("VerifyCert: successful CERT_PKIXVerifyCert(ev) \n"));
goto pkix_done;
}
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
("VerifyCert: failed CERT_PKIXVerifyCert(ev)\n"));
if (flags & FLAG_MUST_BE_EV) {
return rv;
}
if (validationChain) {
destroyCertListThatShouldNotExist(
&cvout[validationChainLocation].value.pointer.chain);
}
if (verifyLog) {
// Cleanup the log so that it is ready the the next validation
CERTVerifyLogNode* i_node;
for (i_node = verifyLog->head; i_node; i_node = i_node->next) {
//destroy cert if any.
if (i_node->cert) {
CERT_DestroyCertificate(i_node->cert);
}
// No need to cleanup the actual nodes in the arena.
}
verifyLog->count = 0;
verifyLog->head = nullptr;
verifyLog->tail = nullptr;
}
}
#endif
// If we're here, PKIX EV verification failed.
// If requested, don't do DV fallback.
if (flags & FLAG_MUST_BE_EV) {
PR_ASSERT(*evOidPolicy == SEC_OID_UNKNOWN);
#ifdef NSS_NO_LIBPKIX
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
#else
PR_SetError(PR_INVALID_STATE_ERROR, 0);
#endif
return SECFailure;
}
if (mImplementation == classic) {
// XXX: we do not care about the localOnly flag (currently) as the
// caller that wants localOnly should disable and reenable the fetching.
return ClassicVerifyCert(cert, usage, time, pinArg, &callbackState,
validationChain, verifyLog);
}
#ifdef NSS_NO_LIBPKIX
PR_NOT_REACHED("libpkix implementation chosen but not even compiled in");
PR_SetError(PR_INVALID_STATE_ERROR, 0);
return SECFailure;
#else
PR_ASSERT(mImplementation == libpkix);
// The current flags check the chain the same way as the leafs
rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
// implicit default source - makes no sense for CRLs
CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE
// let's not stop on fresh CRL. If OCSP is enabled, too, let's check it
| CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO
// no fresh CRL? well, let other flag decide whether to fail or not
| CERT_REV_M_IGNORE_MISSING_FRESH_INFO
// testing using local CRLs is always allowed
| CERT_REV_M_TEST_USING_THIS_METHOD
// no local crl and don't know where to get it from? ignore
| CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
// crl download based on parameter
| ((mCRLDownloadEnabled && !localOnly) ?
CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
;
rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
// use OCSP
CERT_REV_M_TEST_USING_THIS_METHOD
// if app has a default OCSP responder configured, let's use it
| CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
// of course OCSP doesn't work without a source. let's accept such certs
| CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
// if ocsp is required stop on lack of freshness
| (mOCSPStrict ?
CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO : CERT_REV_M_IGNORE_MISSING_FRESH_INFO)
// ocsp success is sufficient
| CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
// ocsp enabled controls network fetching, too
| ((mOCSPDownloadEnabled && !localOnly) ?
CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
| (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
;
rev.leafTests.preferred_methods[0] =
rev.chainTests.preferred_methods[0] = cert_revocation_method_ocsp;
rev.leafTests.cert_rev_method_independent_flags =
rev.chainTests.cert_rev_method_independent_flags =
// avoiding the network is good, let's try local first
CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
// Skip EV parameters
cvin[evParamLocation].type = cert_pi_end;
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: calling CERT_PKIXVerifyCert(dv) \n"));
rv = CERT_PKIXVerifyCert(cert, usage, cvin, cvout, pinArg);
pkix_done:
if (validationChain) {
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: validation chain requested\n"));
ScopedCERTCertificate trustAnchor(cvout[validationTrustAnchorLocation].value.pointer.cert);
if (rv == SECSuccess) {
if (! cvout[validationChainLocation].value.pointer.chain) {
PR_SetError(PR_UNKNOWN_ERROR, 0);
return SECFailure;
}
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: I have a chain\n"));
*validationChain = cvout[validationChainLocation].value.pointer.chain;
if (trustAnchor) {
// we should only add the issuer to the chain if it is not already
// present. On CA cert checking, the issuer is the same cert, so in
// that case we do not add the cert to the chain.
if (!CERT_CompareCerts(trustAnchor.get(), cert)) {
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: adding issuer to tail for display\n"));
// note: rv is reused to catch errors on cert creation!
ScopedCERTCertificate tempCert(CERT_DupCertificate(trustAnchor.get()));
rv = CERT_AddCertToListTail(validationChain->get(), tempCert.get());
if (rv == SECSuccess) {
tempCert.release(); // ownership traferred to validationChain
} else {
*validationChain = nullptr;
}
}
}
} else {
destroyCertListThatShouldNotExist(
&cvout[validationChainLocation].value.pointer.chain);
}
}
return rv;
#endif
}
SECStatus
CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
/*optional*/ const SECItem* stapledOCSPResponse,
@ -952,7 +445,7 @@ CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
ScopedCERTCertList validationChain;
SECStatus rv = VerifyCert(peerCert, certificateUsageSSLServer, time, pinarg,
hostname, 0, stapledOCSPResponse, &validationChain,
evOidPolicy, nullptr);
evOidPolicy);
if (rv != SECSuccess) {
return rv;
}

39
security/certverifier/CertVerifier.h
View File

@ -26,15 +26,14 @@ public:
// *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
// Only one usage per verification is supported.
SECStatus VerifyCert(CERTCertificate* cert,
const SECCertificateUsage usage,
const PRTime time,
SECCertificateUsage usage,
PRTime time,
void* pinArg,
const char* hostname,
const Flags flags = 0,
Flags flags = 0,
/*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
/*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr,
/*optional out*/ SECOidTag* evOidPolicy = nullptr ,
/*optional out*/ CERTVerifyLog* verifyLog = nullptr);
/*optional out*/ SECOidTag* evOidPolicy = nullptr);
SECStatus VerifySSLServerCert(
CERTCertificate* peerCert,
@ -46,15 +45,6 @@ public:
/*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut = nullptr,
/*optional out*/ SECOidTag* evOidPolicy = nullptr);
enum implementation_config {
classic = 0,
#ifndef NSS_NO_LIBPKIX
libpkix = 1,
#endif
mozillapkix = 2
};
enum pinning_enforcement_config {
pinningDisabled = 0,
pinningAllowUserCAMITM = 1,
@ -70,38 +60,19 @@ public:
bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; }
CertVerifier(implementation_config ic,
#ifndef NSS_NO_LIBPKIX
missing_cert_download_config ac, crl_download_config cdc,
#endif
ocsp_download_config odc, ocsp_strict_config osc,
CertVerifier(ocsp_download_config odc, ocsp_strict_config osc,
ocsp_get_config ogc,
pinning_enforcement_config pinningEnforcementLevel);
~CertVerifier();
void ClearOCSPCache() { mOCSPCache.Clear(); }
const implementation_config mImplementation;
#ifndef NSS_NO_LIBPKIX
const bool mMissingCertDownloadEnabled;
const bool mCRLDownloadEnabled;
#endif
const bool mOCSPDownloadEnabled;
const bool mOCSPStrict;
const bool mOCSPGETEnabled;
const pinning_enforcement_config mPinningEnforcementLevel;
private:
SECStatus MozillaPKIXVerifyCert(CERTCertificate* cert,
const SECCertificateUsage usage,
const PRTime time,
void* pinArg,
const Flags flags,
ChainValidationCallbackState* callbackState,
/*optional*/ const SECItem* stapledOCSPResponse,
/*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
/*optional out*/ SECOidTag* evOidPolicy);
OCSPCache mOCSPCache;
};

34
security/certverifier/ExtendedValidation.cpp
View File

@ -886,21 +886,6 @@ register_oid(const SECItem* oid_item, const char* oid_name)
return SECOID_AddEntry(&od);
}
#ifndef NSS_NO_LIBPKIX
static void
addToCertListIfTrusted(CERTCertList* certList, CERTCertificate* cert) {
CERTCertTrust nssTrust;
if (CERT_GetCertTrust(cert, &nssTrust) != SECSuccess) {
return;
}
unsigned int flags = SEC_GET_TRUST_FLAGS(&nssTrust, trustSSL);
if (flags & CERTDB_TRUSTED_CA) {
CERT_AddCertToListTail(certList, CERT_DupCertificate(cert));
}
}
#endif
static bool
isEVPolicy(SECOidTag policyOIDTag)
{
@ -916,25 +901,6 @@ isEVPolicy(SECOidTag policyOIDTag)
namespace mozilla { namespace psm {
#ifndef NSS_NO_LIBPKIX
CERTCertList*
GetRootsForOid(SECOidTag oid_tag)
{
CERTCertList* certList = CERT_NewCertList();
if (!certList)
return nullptr;
for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
if (entry.oid_tag == oid_tag) {
addToCertListIfTrusted(certList, entry.cert);
}
}
return certList;
}
#endif
bool
CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert,
const mozilla::pkix::CertPolicyId& policy)

4
security/certverifier/ExtendedValidation.h
View File

@ -26,10 +26,6 @@ bool CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert,
const mozilla::pkix::CertPolicyId& policy);
#endif
#ifndef NSS_NO_LIBPKIX
CERTCertList* GetRootsForOid(SECOidTag oid_tag);
#endif
} } // namespace mozilla::psm
#endif // mozilla_psm_ExtendedValidation_h

27
security/certverifier/NSSCertDBTrustDomain.cpp
View File

@ -14,7 +14,6 @@
#include "certdb.h"
#include "mozilla/Telemetry.h"
#include "nss.h"
#include "ocsp.h"
#include "pk11pub.h"
#include "pkix/pkix.h"
#include "prerror.h"
@ -696,32 +695,6 @@ UnloadLoadableRoots(const char* modNameUTF8)
}
}
void
SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
CertVerifier::ocsp_strict_config strict,
CertVerifier::ocsp_get_config get)
{
CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
if (enabled == CertVerifier::ocsp_off) {
CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
} else {
CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
}
SEC_OcspFailureMode failureMode = strict == CertVerifier::ocsp_strict
? ocspMode_FailureIsVerificationFailure
: ocspMode_FailureIsNotAVerificationFailure;
(void) CERT_SetOCSPFailureMode(failureMode);
CERT_ForcePostMethodForOCSP(get != CertVerifier::ocsp_get_enabled);
uint32_t OCSPTimeoutSeconds = 3u;
if (strict == CertVerifier::ocsp_strict) {
OCSPTimeoutSeconds = 10u;
}
CERT_SetOCSPTimeout(OCSPTimeoutSeconds);
}
char*
DefaultServerNicknameForCert(CERTCertificate* cert)
{

8
security/certverifier/NSSCertDBTrustDomain.h
View File

@ -32,14 +32,6 @@ SECStatus LoadLoadableRoots(/*optional*/ const char* dir,
void UnloadLoadableRoots(const char* modNameUTF8);
// Controls the OCSP fetching behavior of the classic verification mode. In the
// classic mode, the OCSP fetching behavior is set globally instead of per
// validation.
void
SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
CertVerifier::ocsp_strict_config strict,
CertVerifier::ocsp_get_config get);
// Caller must free the result with PR_Free
char* DefaultServerNicknameForCert(CERTCertificate* cert);

258
security/manager/ssl/src/SSLServerCertVerification.cpp
View File

@ -105,7 +105,6 @@
#include "nsICertOverrideService.h"
#include "nsISiteSecurityService.h"
#include "nsNSSComponent.h"
#include "nsNSSCleaner.h"
#include "nsRecentBadCerts.h"
#include "nsNSSIOLayer.h"
#include "nsNSSShutDown.h"
@ -127,7 +126,6 @@
#include "secerr.h"
#include "secport.h"
#include "sslerr.h"
#include "ocsp.h"
#ifdef PR_LOGGING
extern PRLogModuleInfo* gPIPNSSLog;
@ -137,9 +135,6 @@ namespace mozilla { namespace psm {
namespace {
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NSSCleanupAutoPtrClass_WithParam(PLArenaPool, PORT_FreeArena, FalseParam, false)
// do not use a nsCOMPtr to avoid static initializer/destructor
nsIThreadPool* gCertVerificationThreadPool = nullptr;
@ -311,13 +306,12 @@ MapCertErrorToProbeValue(PRErrorCode errorCode)
}
SECStatus
MozillaPKIXDetermineCertOverrideErrors(CERTCertificate* cert,
const char* hostName, PRTime now,
PRErrorCode defaultErrorCodeToReport,
/*out*/ uint32_t& collectedErrors,
/*out*/ PRErrorCode& errorCodeTrust,
/*out*/ PRErrorCode& errorCodeMismatch,
/*out*/ PRErrorCode& errorCodeExpired)
DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
PRTime now, PRErrorCode defaultErrorCodeToReport,
/*out*/ uint32_t& collectedErrors,
/*out*/ PRErrorCode& errorCodeTrust,
/*out*/ PRErrorCode& errorCodeMismatch,
/*out*/ PRErrorCode& errorCodeExpired)
{
MOZ_ASSERT(cert);
MOZ_ASSERT(hostName);
@ -548,129 +542,6 @@ CertErrorRunnable::RunOnTargetThread()
MOZ_ASSERT(mResult);
}
// Converts a PRErrorCode into one of
// nsICertOverrideService::ERROR_UNTRUSTED,
// nsICertOverrideService::ERROR_MISMATCH,
// nsICertOverrideService::ERROR_TIME
// if the given error code is an overridable error.
// If it is not, then 0 is returned.
uint32_t
PRErrorCodeToOverrideType(PRErrorCode errorCode)
{
switch (errorCode)
{
case SEC_ERROR_UNKNOWN_ISSUER:
case SEC_ERROR_UNTRUSTED_ISSUER:
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
case SEC_ERROR_UNTRUSTED_CERT:
case SEC_ERROR_INADEQUATE_KEY_USAGE:
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
// We group all these errors as "cert not trusted"
return nsICertOverrideService::ERROR_UNTRUSTED;
case SSL_ERROR_BAD_CERT_DOMAIN:
return nsICertOverrideService::ERROR_MISMATCH;
case SEC_ERROR_EXPIRED_CERTIFICATE:
return nsICertOverrideService::ERROR_TIME;
default:
return 0;
}
}
SECStatus
NSSDetermineCertOverrideErrors(CertVerifier& certVerifier,
CERTCertificate* cert,
const SECItem* stapledOCSPResponse,
TransportSecurityInfo* infoObject,
PRTime now,
PRErrorCode defaultErrorCodeToReport,
/*out*/ uint32_t& collectedErrors,
/*out*/ PRErrorCode& errorCodeTrust,
/*out*/ PRErrorCode& errorCodeMismatch,
/*out*/ PRErrorCode& errorCodeExpired)
{
MOZ_ASSERT(cert);
MOZ_ASSERT(infoObject);
MOZ_ASSERT(defaultErrorCodeToReport != 0);
MOZ_ASSERT(collectedErrors == 0);
MOZ_ASSERT(errorCodeTrust == 0);
MOZ_ASSERT(errorCodeMismatch == 0);
MOZ_ASSERT(errorCodeExpired == 0);
if (defaultErrorCodeToReport == 0) {
NS_ERROR("No error code set during certificate validation failure.");
PR_SetError(PR_INVALID_STATE_ERROR, 0);
return SECFailure;
}
// We only allow overrides for certain errors. Return early if the error
// is not one of them. This is to avoid doing revocation fetching in the
// case of OCSP stapling and probably for other reasons.
if (PRErrorCodeToOverrideType(defaultErrorCodeToReport) == 0) {
PR_SetError(defaultErrorCodeToReport, 0);
return SECFailure;
}
PLArenaPool* log_arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
PLArenaPoolCleanerFalseParam log_arena_cleaner(log_arena);
if (!log_arena) {
NS_ERROR("PORT_NewArena failed");
return SECFailure; // PORT_NewArena set error code
}
CERTVerifyLog* verify_log = PORT_ArenaZNew(log_arena, CERTVerifyLog);
if (!verify_log) {
NS_ERROR("PORT_ArenaZNew failed");
return SECFailure; // PORT_ArenaZNew set error code
}
CERTVerifyLogContentsCleaner verify_log_cleaner(verify_log);
verify_log->arena = log_arena;
// We ignore the result code of the cert verification (i.e. VerifyCert's rv)
// Either it is a failure, which is expected, and we'll process the
// verify log below.
// Or it is a success, then a domain mismatch is the only
// possible failure.
// XXX TODO: convert to VerifySSLServerCert
// XXX TODO: get rid of error log
certVerifier.VerifyCert(cert, certificateUsageSSLServer,
now, infoObject, infoObject->GetHostNameRaw(),
0, stapledOCSPResponse, nullptr, nullptr, verify_log);
// Check the name field against the desired hostname.
if (CERT_VerifyCertName(cert, infoObject->GetHostNameRaw()) != SECSuccess) {
collectedErrors |= nsICertOverrideService::ERROR_MISMATCH;
errorCodeMismatch = SSL_ERROR_BAD_CERT_DOMAIN;
}
CERTVerifyLogNode* i_node;
for (i_node = verify_log->head; i_node; i_node = i_node->next) {
uint32_t overrideType = PRErrorCodeToOverrideType(i_node->error);
// If this isn't an overridable error, set the error and return.
if (overrideType == 0) {
PR_SetError(i_node->error, 0);
return SECFailure;
}
collectedErrors |= overrideType;
if (overrideType == nsICertOverrideService::ERROR_UNTRUSTED) {
if (errorCodeTrust == 0) {
errorCodeTrust = i_node->error;
}
} else if (overrideType == nsICertOverrideService::ERROR_MISMATCH) {
if (errorCodeMismatch == 0) {
errorCodeMismatch = i_node->error;
}
} else if (overrideType == nsICertOverrideService::ERROR_TIME) {
if (errorCodeExpired == 0) {
errorCodeExpired = i_node->error;
}
} else {
MOZ_CRASH("unexpected return value from PRErrorCodeToOverrideType");
}
}
return SECSuccess;
}
// Returns null with the error code (PR_GetError()) set if it does not create
// the CertErrorRunnable.
CertErrorRunnable*
@ -690,37 +561,10 @@ CreateCertErrorRunnable(CertVerifier& certVerifier,
PRErrorCode errorCodeTrust = 0;
PRErrorCode errorCodeMismatch = 0;
PRErrorCode errorCodeExpired = 0;
SECStatus rv;
switch (certVerifier.mImplementation) {
case CertVerifier::classic:
#ifndef NSS_NO_LIBPKIX
case CertVerifier::libpkix:
#endif
rv = NSSDetermineCertOverrideErrors(certVerifier, cert, stapledOCSPResponse,
infoObject, now,
defaultErrorCodeToReport,
collected_errors, errorCodeTrust,
errorCodeMismatch, errorCodeExpired);
break;
case CertVerifier::mozillapkix:
rv = MozillaPKIXDetermineCertOverrideErrors(cert,
infoObject->GetHostNameRaw(),
now, defaultErrorCodeToReport,
collected_errors,
errorCodeTrust,
errorCodeMismatch,
errorCodeExpired);
break;
default:
MOZ_CRASH("unexpected CertVerifier implementation");
PR_SetError(defaultErrorCodeToReport, 0);
return nullptr;
}
if (rv != SECSuccess) {
if (DetermineCertOverrideErrors(cert, infoObject->GetHostNameRaw(), now,
defaultErrorCodeToReport, collected_errors,
errorCodeTrust, errorCodeMismatch,
errorCodeExpired) != SECSuccess) {
return nullptr;
}
@ -906,57 +750,6 @@ AuthCertificate(CertVerifier& certVerifier, TransportSecurityInfo* infoObject,
SECStatus rv;
// TODO: Remove this after we switch to mozilla::pkix as the
// only option
if (certVerifier.mImplementation == CertVerifier::classic) {
if (stapledOCSPResponse) {
CERTCertDBHandle* handle = CERT_GetDefaultCertDB();
rv = CERT_CacheOCSPResponseFromSideChannel(handle, cert, PR_Now(),
stapledOCSPResponse,
infoObject);
if (rv != SECSuccess) {
// Due to buggy servers that will staple expired OCSP responses
// (see for example http://trac.nginx.org/nginx/ticket/425),
// don't terminate the connection if the stapled response is expired.
// We will fall back to fetching revocation information.
PRErrorCode ocspErrorCode = PR_GetError();
if (ocspErrorCode != SEC_ERROR_OCSP_OLD_RESPONSE) {
// stapled OCSP response present but invalid for some reason
Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 4);
return rv;
} else {
// stapled OCSP response present but expired
Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 3);
}
} else {
// stapled OCSP response present and good
Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 1);
}
} else {
// no stapled OCSP response
Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 2);
uint32_t reasonsForNotFetching = 0;
char* ocspURI = CERT_GetOCSPAuthorityInfoAccessLocation(cert);
if (!ocspURI) {
reasonsForNotFetching |= 1; // invalid/missing OCSP URI
} else {
if (std::strncmp(ocspURI, "http://", 7)) { // approximation
reasonsForNotFetching |= 1; // invalid/missing OCSP URI
}
PORT_Free(ocspURI);
}
if (!certVerifier.mOCSPDownloadEnabled) {
reasonsForNotFetching |= 2;
}
Telemetry::Accumulate(Telemetry::SSL_OCSP_MAY_FETCH,
reasonsForNotFetching);
}
}
// We want to avoid storing any intermediate cert information when browsing
// in private, transient contexts.
bool saveIntermediates =
@ -1078,34 +871,11 @@ SSLServerCertVerificationJob::Run()
if (mInfoObject->isAlreadyShutDown()) {
error = SEC_ERROR_USER_CANCELLED;
} else {
Telemetry::ID successTelemetry;
Telemetry::ID failureTelemetry;
switch (mCertVerifier->mImplementation) {
case CertVerifier::classic:
successTelemetry
= Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC;
failureTelemetry
= Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC;
break;
case CertVerifier::mozillapkix:
successTelemetry
= Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
failureTelemetry
= Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
break;
#ifndef NSS_NO_LIBPKIX
case CertVerifier::libpkix:
successTelemetry
= Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX;
failureTelemetry
= Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX;
break;
#endif
default:
MOZ_CRASH("Unknown CertVerifier mode");
}
Telemetry::ID successTelemetry
= Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
Telemetry::ID failureTelemetry
= Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
// XXX
// Reset the error code here so we can detect if AuthCertificate fails to
// set the error code if/when it fails.
PR_SetError(0, 0);

4
security/manager/ssl/src/ScopedNSSTypes.h
View File

@ -22,7 +22,6 @@
#include "sechash.h"
#include "secpkcs7.h"
#include "prerror.h"
#include "ocsp.h"
namespace mozilla {
@ -83,9 +82,6 @@ MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTName,
MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTCertNicknames,
CERTCertNicknames,
CERT_FreeNicknames)
MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTOCSPCertID,
CERTOCSPCertID,
CERT_DestroyOCSPCertID)
MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTSubjectPublicKeyInfo,
CERTSubjectPublicKeyInfo,
SECKEY_DestroySubjectPublicKeyInfo)

13
security/manager/ssl/src/SharedCertVerifier.h
View File

@ -19,19 +19,10 @@ protected:
public:
NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SharedCertVerifier)
SharedCertVerifier(implementation_config ic,
#ifndef NSS_NO_LIBPKIX
missing_cert_download_config ac, crl_download_config cdc,
#endif
ocsp_download_config odc, ocsp_strict_config osc,
SharedCertVerifier(ocsp_download_config odc, ocsp_strict_config osc,
ocsp_get_config ogc,
pinning_enforcement_config pinningEnforcementLevel)
: mozilla::psm::CertVerifier(ic,
#ifndef NSS_NO_LIBPKIX
ac, cdc,
#endif
odc, osc, ogc,
pinningEnforcementLevel)
: mozilla::psm::CertVerifier(odc, osc, ogc, pinningEnforcementLevel)
{
}
};

10
security/manager/ssl/src/nsNSSCallbacks.cpp
View File

@ -586,16 +586,6 @@ void nsNSSHttpInterface::initTable()
v1.freeFcn = freeFcn;
}
void nsNSSHttpInterface::registerHttpClient()
{
SEC_RegisterDefaultHttpClient(&sNSSInterfaceTable);
}
void nsNSSHttpInterface::unregisterHttpClient()
{
SEC_RegisterDefaultHttpClient(nullptr);
}
nsHTTPListener::nsHTTPListener()
: mResultData(nullptr),
mResultLen(0),

3
security/manager/ssl/src/nsNSSCallbacks.h
View File

@ -220,9 +220,6 @@ public:
static void initTable();
static SEC_HttpClientFcn sNSSInterfaceTable;
void registerHttpClient();
void unregisterHttpClient();
};
#endif // _NSNSSCALLBACKS_H_

1
security/manager/ssl/src/nsNSSCertificate.cpp
View File

@ -49,7 +49,6 @@
#include "secasn1.h"
#include "secder.h"
#include "ssl.h"
#include "ocsp.h"
#include "plbase64.h"
using namespace mozilla;

11
security/manager/ssl/src/nsNSSCertificateDB.cpp
View File

@ -47,7 +47,6 @@
#include "secasn1.h"
#include "secder.h"
#include "ssl.h"
#include "ocsp.h"
#include "plbase64.h"
using namespace mozilla;
@ -1816,14 +1815,6 @@ nsNSSCertificateDB::ClearOCSPCache()
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
if (certVerifier->mImplementation == CertVerifier::mozillapkix) {
certVerifier->ClearOCSPCache();
} else {
SECStatus srv = CERT_ClearOCSPCache();
if (srv != SECSuccess) {
return MapSECStatus(srv);
}
}
certVerifier->ClearOCSPCache();
return NS_OK;
}

78
security/manager/ssl/src/nsNSSComponent.cpp
View File

@ -58,7 +58,6 @@
#include "sslproto.h"
#include "secmod.h"
#include "secmime.h"
#include "ocsp.h"
#include "secerr.h"
#include "sslerr.h"
@ -243,10 +242,10 @@ bool EnsureNSSInitialized(EnsureNSSOperator op)
}
static void
SetClassicOCSPBehaviorFromPrefs(/*out*/ CertVerifier::ocsp_download_config* odc,
/*out*/ CertVerifier::ocsp_strict_config* osc,
/*out*/ CertVerifier::ocsp_get_config* ogc,
const MutexAutoLock& /*proofOfLock*/)
GetOCSPBehaviorFromPrefs(/*out*/ CertVerifier::ocsp_download_config* odc,
/*out*/ CertVerifier::ocsp_strict_config* osc,
/*out*/ CertVerifier::ocsp_get_config* ogc,
const MutexAutoLock& /*proofOfLock*/)
{
MOZ_ASSERT(NS_IsMainThread());
MOZ_ASSERT(odc);
@ -267,8 +266,6 @@ SetClassicOCSPBehaviorFromPrefs(/*out*/ CertVerifier::ocsp_download_config* odc,
? CertVerifier::ocsp_get_enabled
: CertVerifier::ocsp_get_disabled;
SetClassicOCSPBehavior(*odc, *osc, *ogc);
SSL_ClearSessionCache();
}
@ -991,44 +988,11 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting,
Telemetry::Accumulate(Telemetry::CERT_OCSP_REQUIRED, ocspRequired);
}
#ifndef NSS_NO_LIBPKIX
bool crlDownloading = Preferences::GetBool("security.CRL_download.enabled",
false);
bool aiaDownloadEnabled =
Preferences::GetBool("security.missing_cert_download.enabled", false);
#endif
bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling",
true);
PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
CertVerifier::implementation_config certVerifierImplementation
= CertVerifier::classic;
// The mozilla::pkix pref overrides the libpkix pref
if (Preferences::GetBool("security.use_mozillapkix_verification", true)) {
certVerifierImplementation = CertVerifier::mozillapkix;
} else {
#ifndef NSS_NO_LIBPKIX
if (Preferences::GetBool("security.use_libpkix_verification", false)) {
certVerifierImplementation = CertVerifier::libpkix;
}
#endif
}
if (isInitialSetting) {
if (certVerifierImplementation == CertVerifier::classic) {
Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 1);
#ifndef NSS_NO_LIBPKIX
} else if (certVerifierImplementation == CertVerifier::libpkix) {
Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 2);
#endif
} else if (certVerifierImplementation == CertVerifier::mozillapkix) {
Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 3);
}
}
// Default pinning enforcement level is disabled.
CertVerifier::pinning_enforcement_config
pinningEnforcementLevel =
@ -1043,30 +1007,9 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting,
CertVerifier::ocsp_strict_config osc;
CertVerifier::ocsp_get_config ogc;
SetClassicOCSPBehaviorFromPrefs(&odc, &osc, &ogc, lock);
mDefaultCertVerifier = new SharedCertVerifier(
certVerifierImplementation,
#ifndef NSS_NO_LIBPKIX
aiaDownloadEnabled ?
CertVerifier::missing_cert_download_on : CertVerifier::missing_cert_download_off,
crlDownloading ?
CertVerifier::crl_download_allowed : CertVerifier::crl_local_only,
#endif
odc, osc, ogc, pinningEnforcementLevel);
// mozilla::pkix has its own OCSP cache, so disable the NSS cache
// if appropriate.
if (certVerifierImplementation == CertVerifier::mozillapkix) {
// Using -1 disables the cache. The other arguments are the default
// values and aren't exposed by the API.
CERT_OCSPCacheSettings(-1, 1*60*60L, 24*60*60L);
} else {
// Using 1000 enables the cache with the default size of 1000. Again,
// these values are not exposed by the API.
CERT_OCSPCacheSettings(1000, 1*60*60L, 24*60*60L);
}
CERT_ClearOCSPCache();
GetOCSPBehaviorFromPrefs(&odc, &osc, &ogc, lock);
mDefaultCertVerifier = new SharedCertVerifier(odc, osc, ogc,
pinningEnforcementLevel);
}
// Enable the TLS versions given in the prefs, defaulting to SSL 3.0 (min
@ -1275,7 +1218,6 @@ nsNSSComponent::InitializeNSS()
setValidationOptions(true, lock);
mHttpForNSS.initTable();
mHttpForNSS.registerHttpClient();
#ifndef MOZ_DISABLE_CRYPTOLEGACY
LaunchSmartCardThreads();
@ -1301,7 +1243,6 @@ nsNSSComponent::ShutdownNSS()
mNSSInitialized = false;
PK11_SetPasswordFunc((PK11PasswordFunc)nullptr);
mHttpForNSS.unregisterHttpClient();
Preferences::RemoveObserver(this, "security.");
if (NS_FAILED(CipherSuiteChangeObserver::StopObserve())) {
@ -1670,14 +1611,9 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
Preferences::GetBool("security.ssl.enable_alpn",
ALPN_ENABLED_DEFAULT));
} else if (prefName.EqualsLiteral("security.OCSP.enabled") ||
prefName.EqualsLiteral("security.CRL_download.enabled") ||
prefName.EqualsLiteral("security.fresh_revocation_info.require") ||
prefName.EqualsLiteral("security.missing_cert_download.enabled") ||
prefName.EqualsLiteral("security.OCSP.require") ||
prefName.EqualsLiteral("security.OCSP.GET.enabled") ||
prefName.EqualsLiteral("security.ssl.enable_ocsp_stapling") ||
prefName.EqualsLiteral("security.use_mozillapkix_verification") ||
prefName.EqualsLiteral("security.use_libpkix_verification") ||
prefName.EqualsLiteral("security.cert_pinning.enforcement_level")) {
MutexAutoLock lock(mutex);
setValidationOptions(false, lock);

1
security/manager/ssl/src/nsNSSIOLayer.cpp
View File

@ -13,6 +13,7 @@
#include "mozilla/Telemetry.h"
#include "prlog.h"
#include "prmem.h"
#include "prnetdb.h"
#include "nsIPrefService.h"
#include "nsIClientAuthDialogs.h"

1
security/manager/ssl/tests/unit/test_cert_eku.js
View File

@ -23,7 +23,6 @@ function load_cert(cert_name, trust_string) {
function run_test() {
load_cert("ca", "CT,CT,CT");
Services.prefs.setBoolPref("security.use_mozillapkix_verification", true);
checkCertErrorGeneric(certdb, load_cert('int-EKU-CA', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA);
checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), 0, certificateUsageSSLClient);

1
security/manager/ssl/tests/unit/test_cert_eku/generate.py
View File

@ -69,7 +69,6 @@ function load_cert(cert_name, trust_string) {
function run_test() {
load_cert("ca", "CT,CT,CT");
Services.prefs.setBoolPref("security.use_mozillapkix_verification", true);
"""
js_file_footer = """}

132
security/manager/ssl/tests/unit/test_cert_overrides.js
View File

@ -52,15 +52,15 @@ function check_telemetry() {
.getHistogramById("SSL_CERT_ERROR_OVERRIDES")
.snapshot();
do_check_eq(histogram.counts[ 0], 0);
do_check_eq(histogram.counts[ 2], 8 + 1); // SEC_ERROR_UNKNOWN_ISSUER
do_check_eq(histogram.counts[ 3], 0); // SEC_ERROR_CA_CERT_INVALID
do_check_eq(histogram.counts[ 4], 0 + 5); // SEC_ERROR_UNTRUSTED_ISSUER
do_check_eq(histogram.counts[ 5], 0 + 1); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
do_check_eq(histogram.counts[ 6], 0 + 1); // SEC_ERROR_UNTRUSTED_CERT
do_check_eq(histogram.counts[ 7], 0 + 1); // SEC_ERROR_INADEQUATE_KEY_USAGE
do_check_eq(histogram.counts[ 8], 2 + 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
do_check_eq(histogram.counts[ 9], 4 + 4); // SSL_ERROR_BAD_CERT_DOMAIN
do_check_eq(histogram.counts[10], 5 + 5); // SEC_ERROR_EXPIRED_CERTIFICATE
do_check_eq(histogram.counts[ 2], 8); // SEC_ERROR_UNKNOWN_ISSUER
do_check_eq(histogram.counts[ 3], 0); // SEC_ERROR_CA_CERT_INVALID
do_check_eq(histogram.counts[ 4], 0); // SEC_ERROR_UNTRUSTED_ISSUER
do_check_eq(histogram.counts[ 5], 0); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
do_check_eq(histogram.counts[ 6], 0); // SEC_ERROR_UNTRUSTED_CERT
do_check_eq(histogram.counts[ 7], 0); // SEC_ERROR_INADEQUATE_KEY_USAGE
do_check_eq(histogram.counts[ 8], 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
do_check_eq(histogram.counts[ 9], 4); // SSL_ERROR_BAD_CERT_DOMAIN
do_check_eq(histogram.counts[10], 5); // SEC_ERROR_EXPIRED_CERTIFICATE
run_next_test();
}
@ -73,8 +73,9 @@ function run_test() {
});
fakeOCSPResponder.start(8080);
add_tests_in_mode(true);
add_tests_in_mode(false);
add_simple_tests();
add_combo_tests();
add_distrust_tests();
add_test(function () {
fakeOCSPResponder.stop(check_telemetry);
@ -83,43 +84,19 @@ function run_test() {
run_next_test();
}
function add_tests_in_mode(useMozillaPKIX) {
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
add_simple_tests(useMozillaPKIX);
add_combo_tests(useMozillaPKIX);
add_distrust_tests(useMozillaPKIX);
add_test(function () {
certOverrideService.clearValidityOverride("all:temporary-certificates", 0);
run_next_test();
});
}
function add_simple_tests(useMozillaPKIX) {
function add_simple_tests() {
add_cert_override_test("expired.example.com",
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE));
if (useMozillaPKIX) {
add_cert_override_test("selfsigned.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
} else {
add_non_overridable_test("selfsigned.example.com",
SEC_ERROR_CA_CERT_INVALID);
}
add_cert_override_test("selfsigned.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
add_cert_override_test("unknownissuer.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
add_cert_override_test("expiredissuer.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
add_cert_override_test("md5signature.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
@ -131,46 +108,22 @@ function add_simple_tests(useMozillaPKIX) {
// A Microsoft IIS utility generates self-signed certificates with
// properties similar to the one this "host" will present (see
// tlsserver/generate_certs.sh).
// One of the errors classic verification collects is that this
// certificate has an inadequate key usage to sign a certificate
// (i.e. itself). As a result, to be able to override this,
// SEC_ERROR_INADEQUATE_KEY_USAGE must be overridable (although,
// confusingly, this isn't the main error reported).
// mozilla::pkix just says this certificate's issuer is unknown.
if (useMozillaPKIX) {
add_cert_override_test("selfsigned-inadequateEKU.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
} else {
add_non_overridable_test("selfsigned-inadequateEKU.example.com",
SEC_ERROR_CA_CERT_INVALID);
}
add_cert_override_test("selfsigned-inadequateEKU.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
// SEC_ERROR_INADEQUATE_KEY_USAGE is overridable in general for
// classic verification, but not for mozilla::pkix verification.
if (useMozillaPKIX) {
add_non_overridable_test("inadequatekeyusage.example.com",
SEC_ERROR_INADEQUATE_KEY_USAGE);
} else {
add_cert_override_test("inadequatekeyusage.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE));
}
add_non_overridable_test("inadequatekeyusage.example.com",
SEC_ERROR_INADEQUATE_KEY_USAGE);
// Bug 990603: Apache documentation has recommended generating a self-signed
// test certificate with basic constraints: CA:true. For compatibility, this
// is a scenario in which an override is allowed.
add_cert_override_test("self-signed-end-entity-with-cA-true.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER));
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
}
function add_combo_tests(useMozillaPKIX) {
// Note that "untrusted" here really is "unknown issuer" in the
// mozilla::pkix case.
function add_combo_tests() {
add_cert_override_test("mismatch-expired.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_TIME,
@ -178,22 +131,16 @@ function add_combo_tests(useMozillaPKIX) {
add_cert_override_test("mismatch-untrusted.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER));
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
add_cert_override_test("untrusted-expired.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER));
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
add_cert_override_test("mismatch-untrusted-expired.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER));
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
add_cert_override_test("md5signature-expired.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
@ -202,31 +149,20 @@ function add_combo_tests(useMozillaPKIX) {
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
}
function add_distrust_tests(useMozillaPKIX) {
function add_distrust_tests() {
// Before we specifically distrust this certificate, it should be trusted.
add_connection_test("untrusted.example.com", Cr.NS_OK);
// XXX(Bug 975777): Active distrust is an overridable error when NSS-based
// verification is used.
add_distrust_override_test("tlsserver/default-ee.der",
"untrusted.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT),
useMozillaPKIX
? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT)
: Cr.NS_OK);
getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT));
// XXX(Bug 975777): Active distrust is an overridable error when NSS-based
// verification is used.
add_distrust_override_test("tlsserver/other-test-ca.der",
"untrustedissuer.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER),
useMozillaPKIX
? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER)
: Cr.NS_OK);
getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER));
}
function add_distrust_override_test(certFileName, hostName,
expectedResultBefore, expectedResultAfter) {
function add_distrust_override_test(certFileName, hostName, expectedResult) {
let certToDistrust = constructCertFromFile(certFileName);
add_test(function () {
@ -235,7 +171,7 @@ function add_distrust_override_test(certFileName, hostName,
clearSessionCache();
run_next_test();
});
add_connection_test(hostName, expectedResultBefore, null,
add_connection_test(hostName, expectedResult, null,
function (securityInfo) {
securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
// XXX(Bug 754369): SSLStatus isn't available for
@ -249,11 +185,11 @@ function add_distrust_override_test(certFileName, hostName,
// 754369) that the error was non-overridable, which
// is what we're trying to test, though we'd rather
// not test it this way.
do_check_neq(expectedResultAfter, Cr.NS_OK);
do_check_neq(expectedResult, Cr.NS_OK);
}
clearSessionCache();
});
add_connection_test(hostName, expectedResultAfter, null,
add_connection_test(hostName, expectedResult, null,
function () {
setCertTrust(certToDistrust, "u,,");
});

14
security/manager/ssl/tests/unit/test_cert_signatures.js
View File

@ -45,12 +45,6 @@ function run_test() {
load_ca("ca-p384");
load_ca("ca-dsa");
run_test_in_mode(true);
run_test_in_mode(false);
}
function run_test_in_mode(useMozillaPKIX) {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
clearOCSPCache();
clearSessionCache();
@ -60,14 +54,10 @@ function run_test_in_mode(useMozillaPKIX) {
// mozilla::pkix does not allow CA certs to be validated for end-entity
// usages.
let int_usage = useMozillaPKIX
? 'SSL CA'
: 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
const int_usage = 'SSL CA';
// mozilla::pkix doesn't implement the Netscape Object Signer restriction.
const ee_usage = useMozillaPKIX
? 'Client,Server,Sign,Encrypt,Object Signer'
: 'Client,Server,Sign,Encrypt';
const ee_usage = 'Client,Server,Sign,Encrypt,Object Signer';
let cert2usage = {
// certs without the "int" prefix are end entity certs.

157
security/manager/ssl/tests/unit/test_cert_trust.js
View File

@ -39,20 +39,17 @@ function check_cert_err_generic(cert, expected_error, usage) {
do_check_eq(error, expected_error);
};
function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKIX) {
function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
// On reset most usages are successful
check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA); // expected no bc
check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, 0,
certificateUsageObjectSigner); // expected
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: 0,
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
// mozilla::pkix enforces that certificase must have a basic constraints
// extension with cA:true to be a CA certificate, whereas classic does not
@ -66,60 +63,45 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKI
certificateUsageSSLServer);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: 0,
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
// In mozilla::pkix (but not classic verification), certificate chain
// properties are checked before the end-entity. Thus, if we're using
// mozilla::pkix and the root certificate has been distrusted, the error
// will be "untrusted issuer" and not "inadequate cert type".
check_cert_err_generic(ee_cert, (!isRootCA && useMozillaPKIX)
? SEC_ERROR_UNTRUSTED_ISSUER
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert,
!isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
// Trust set to T - trusted CA to issue client certs, where client cert is
// usageSSLClient.
setCertTrust(cert_to_modify_trust, 'T,T,T');
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageSSLServer);
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340
: 0
: 0,
// XXX(Bug 982340)
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_INADEQUATE_CERT_TYPE
: useMozillaPKIX ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: 0,
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
@ -129,49 +111,33 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKI
setCertTrust(cert_to_modify_trust, 'p,C,C');
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 //XXX Bug 982340
: SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
//XXX(Bug 982340)
check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: 0,
check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
// In mozilla::pkix (but not classic verification), certificate chain
// properties are checked before the end-entity. Thus, if we're using
// mozilla::pkix and the root certificate has been distrusted, the error
// will be "untrusted issuer" and not "inadequate cert type".
check_cert_err_generic(ee_cert, (!isRootCA && useMozillaPKIX)
? SEC_ERROR_UNTRUSTED_ISSUER
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert,
isRootCA ? SEC_ERROR_INADEQUATE_CERT_TYPE
: SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageStatusResponder);
// Inherited trust SSL
setCertTrust(cert_to_modify_trust, ',C,C');
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageSSLServer);
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? 0 // XXX Bug 982340
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
// XXX(Bug 982340)
check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: 0,
check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
@ -179,22 +145,16 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKI
// Now tests on the EMAIL trust bit
setCertTrust(cert_to_modify_trust, 'C,p,C');
check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
: useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
: 0, // mozilla::pkix is OK, NSS bug
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: 0,
check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
@ -203,34 +163,26 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKI
//inherited EMAIL Trust
setCertTrust(cert_to_modify_trust, 'C,,C');
check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: 0,
check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
}
function run_test_in_mode(useMozillaPKIX) {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
function run_test() {
for (let i = 0 ; i < certList.length; i++) {
load_cert(certList[i], ',,');
}
let ca_cert = certdb.findCertByNickname(null, 'ca');
do_check_false(!ca_cert)
@ -240,17 +192,8 @@ function run_test_in_mode(useMozillaPKIX) {
do_check_false(!ee_cert);
setup_basic_trusts(ca_cert, int_cert);
test_ca_distrust(ee_cert, ca_cert, true, useMozillaPKIX);
test_ca_distrust(ee_cert, ca_cert, true);
setup_basic_trusts(ca_cert, int_cert);
test_ca_distrust(ee_cert, int_cert, false, useMozillaPKIX);
}
function run_test() {
for (let i = 0 ; i < certList.length; i++) {
load_cert(certList[i], ',,');
}
run_test_in_mode(true);
run_test_in_mode(false);
test_ca_distrust(ee_cert, int_cert, false);
}

451
security/manager/ssl/tests/unit/test_cert_version.js
View File

@ -44,21 +44,20 @@ function check_ok_ca(x) {
return check_cert_err_generic(x, 0, certificateUsageSSLCA);
}
function run_tests_in_mode(useMozillaPKIX)
{
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
function run_test() {
load_cert("v1_ca", "CTu,CTu,CTu");
load_cert("v1_ca_bc", "CTu,CTu,CTu");
load_cert("v2_ca", "CTu,CTu,CTu");
load_cert("v2_ca_bc", "CTu,CTu,CTu");
load_cert("v3_ca", "CTu,CTu,CTu");
load_cert("v3_ca_missing_bc", "CTu,CTu,CTu");
check_ok_ca(cert_from_file('v1_ca.der'));
check_ca_err(cert_from_file('v1_ca_bc.der'),
useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0);
check_ca_err(cert_from_file('v2_ca.der'),
useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0);
check_ca_err(cert_from_file('v2_ca_bc.der'),
useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0);
check_ca_err(cert_from_file('v1_ca_bc.der'), SEC_ERROR_EXTENSION_VALUE_INVALID);
check_ca_err(cert_from_file('v2_ca.der'), SEC_ERROR_CA_CERT_INVALID);
check_ca_err(cert_from_file('v2_ca_bc.der'), SEC_ERROR_EXTENSION_VALUE_INVALID);
check_ok_ca(cert_from_file('v3_ca.der'));
check_ca_err(cert_from_file('v3_ca_missing_bc.der'),
useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0);
check_ca_err(cert_from_file('v3_ca_missing_bc.der'), SEC_ERROR_CA_CERT_INVALID);
// Classic allows v1 and v2 certs to be CA certs in trust anchor positions and
// intermediates when they have a v3 basic constraints extenstion (which
@ -76,33 +75,21 @@ function run_tests_in_mode(useMozillaPKIX)
//////////////////
// v1 intermediate with v1 trust anchor
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v1_int-v1_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), ee_error);
// v1 intermediate with v3 extensions. CA is invalid.
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v1_int_bc-v1_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
@ -113,33 +100,21 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
// A v2 intermediate with a v1 CA
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v1_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), ee_error);
// A v2 intermediate with basic constraints (not allowed in insanity)
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v2_int_bc-v1_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
@ -151,21 +126,14 @@ function run_tests_in_mode(useMozillaPKIX)
// Section is OK. A x509 v3 CA MUST have bc
// http://tools.ietf.org/html/rfc5280#section-4.2.1.9
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error);
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
@ -176,13 +144,8 @@ function run_tests_in_mode(useMozillaPKIX)
check_ok(cert_from_file('v2_ee-v3_int-v1_ca.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca.der'));
check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca.der'));
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'), ee_error);
@ -192,33 +155,21 @@ function run_tests_in_mode(useMozillaPKIX)
// above
// Using A v1 intermediate
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
// Using a v1 intermediate with v3 extenstions (invalid).
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v1_int_bc-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
@ -229,33 +180,21 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
// Using v2 intermediate
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
// Using a v2 intermediate with basic constraints (invalid)
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v2_int_bc-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
@ -266,33 +205,21 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
// Using a v3 intermediate that is missing basic constraints (invalid)
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
// these should pass assuming we are OK with v1 ca signing v3 intermediates
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v3_int-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
@ -308,33 +235,21 @@ function run_tests_in_mode(useMozillaPKIX)
//////////////////
// v2 ca, v1 intermediate
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v1_int-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), ee_error)
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), ee_error);
// v2 ca, v1 intermediate with basic constraints (invalid)
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
@ -345,33 +260,21 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
// v2 ca, v2 intermediate
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), ee_error)
// v2 ca, v2 intermediate with basic constraints (invalid)
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v2_int_bc-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
@ -382,77 +285,48 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
// v2 ca, v3 intermediate missing basic constraints
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
// v2 ca, v3 intermediate
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), ee_error);
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), ee_error);
// v2 ca, v1 intermediate
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
// v2 ca, v1 intermediate with bc (invalid)
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v1_int_bc-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
@ -463,33 +337,21 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
// v2 ca, v2 intermediate
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
// v2 ca, v2 intermediate with bc (invalid)
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v2_int_bc-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
@ -500,33 +362,21 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
// v2 ca, invalid v3 intermediate
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error)
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
// v2 ca, valid v3 intermediate (is OK if we use 'classic' semantics)
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v3_int-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
@ -541,33 +391,21 @@ function run_tests_in_mode(useMozillaPKIX)
//////////////////
// v3 ca, v1 intermediate
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v1_int-v3_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), ee_error);
// A v1 intermediate with v3 extensions
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v1_int_bc-v3_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
@ -578,33 +416,21 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'), ee_error)
// reject a v2 cert as intermediate
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v3_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), ee_error);
// v2 intermediate with bc (invalid)
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v2_int_bc-v3_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
@ -615,21 +441,14 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
// invalid v3 intermediate
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
@ -641,45 +460,28 @@ function run_tests_in_mode(useMozillaPKIX)
check_ok(cert_from_file('v2_ee-v3_int-v3_ca.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca.der'));
check_ok(cert_from_file('v3_bc_ee-v3_int-v3_ca.der'));
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'), ee_error);
// v3 CA, invalid v3 intermediate
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
// Int v1 with BC that is just invalid (classic fail insanity OK)
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
@ -690,33 +492,21 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
// Good section (all fail)
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
// v2 intermediate (even with basic constraints) is invalid
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
@ -727,58 +517,29 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
// v3 intermediate missing basic constraints is invalid
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
if (useMozillaPKIX) {
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
// With a v3 root missing bc and valid v3 intermediate
if (useMozillaPKIX) {
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
if (useMozillaPKIX) {
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
}
function run_test() {
load_cert("v1_ca", "CTu,CTu,CTu");
load_cert("v1_ca_bc", "CTu,CTu,CTu");
load_cert("v2_ca", "CTu,CTu,CTu");
load_cert("v2_ca_bc", "CTu,CTu,CTu");
load_cert("v3_ca", "CTu,CTu,CTu");
load_cert("v3_ca_missing_bc", "CTu,CTu,CTu");
run_tests_in_mode(false);
run_tests_in_mode(true);
}

58
security/manager/ssl/tests/unit/test_certificate_usages.js
View File

@ -31,70 +31,48 @@ function run_test() {
var cert = certdb.findCertByNickname(null, ca_name);
}
run_test_in_mode(true);
run_test_in_mode(false);
}
function run_test_in_mode(useMozillaPKIX) {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
clearOCSPCache();
clearSessionCache();
// mozilla::pkix does not allow CA certs to be validated for non-CA usages.
var allCAUsages = useMozillaPKIX
? 'SSL CA'
: 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
// mozilla::pkix doesn't allow CA certificates to have the Status Responder
// EKU.
var ca_usages = [allCAUsages,
var ca_usages = ['SSL CA',
'SSL CA',
allCAUsages,
useMozillaPKIX ? ''
: 'Client,Server,Sign,Encrypt,Status Responder'];
'SSL CA',
''];
// mozilla::pkix doesn't implement the Netscape Object Signer restriction.
var basicEndEntityUsages = useMozillaPKIX
? 'Client,Server,Sign,Encrypt,Object Signer'
: 'Client,Server,Sign,Encrypt';
var basicEndEntityUsages = 'Client,Server,Sign,Encrypt,Object Signer';
var basicEndEntityUsagesWithObjectSigner = basicEndEntityUsages + ",Object Signer"
// mozilla::pkix won't let a certificate with the "Status Responder" EKU get
// mozilla::pkix won't let a certificate with the 'Status Responder' EKU get
// validated for any other usage.
var statusResponderUsages = (useMozillaPKIX ? "" : "Server,") + "Status Responder";
var statusResponderUsagesFull
= useMozillaPKIX ? statusResponderUsages
: basicEndEntityUsages + ',Object Signer,Status Responder';
var ee_usages = [
[ basicEndEntityUsages,
basicEndEntityUsages,
basicEndEntityUsages,
'',
statusResponderUsagesFull,
'Status Responder',
'Client,Server',
'Sign,Encrypt,Object Signer',
statusResponderUsages
'Status Responder'
],
[ basicEndEntityUsages,
basicEndEntityUsages,
basicEndEntityUsages,
'',
statusResponderUsagesFull,
'Status Responder',
'Client,Server',
'Sign,Encrypt,Object Signer',
statusResponderUsages
'Status Responder'
],
[ basicEndEntityUsages,
basicEndEntityUsages,
basicEndEntityUsages,
'',
statusResponderUsagesFull,
'Status Responder',
'Client,Server',
'Sign,Encrypt,Object Signer',
statusResponderUsages
'Status Responder'
],
// The CA has isCA=true without keyCertSign.
@ -103,14 +81,14 @@ function run_test_in_mode(useMozillaPKIX) {
// capabilites so the cert is considered a CA.
// mozilla::pkix and libpkix use the intersection of
// capabilites, so the cert is NOT considered a CA.
[ useMozillaPKIX ? '' : basicEndEntityUsages,
useMozillaPKIX ? '' : basicEndEntityUsages,
useMozillaPKIX ? '' : basicEndEntityUsages,
[ '',
'',
useMozillaPKIX ? '' : statusResponderUsagesFull,
useMozillaPKIX ? '' : 'Client,Server',
useMozillaPKIX ? '' : 'Sign,Encrypt,Object Signer',
useMozillaPKIX ? '' : 'Server,Status Responder'
'',
'',
'',
'',
'',
''
]
];

49
security/manager/ssl/tests/unit/test_ev_certs.js
View File

@ -80,18 +80,6 @@ function run_test() {
// setup and start ocsp responder
Services.prefs.setCharPref("network.dns.localDomains",
'www.example.com, crl.example.com');
add_tests_in_mode(true);
add_tests_in_mode(false);
run_next_test();
}
function add_tests_in_mode(useMozillaPKIX)
{
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
add_test(function () {
clearOCSPCache();
@ -138,9 +126,7 @@ function add_tests_in_mode(useMozillaPKIX)
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
check_cert_err("ev-valid",
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER);
check_cert_err("ev-valid",SEC_ERROR_UNKNOWN_ISSUER);
ocspResponder.stop(run_next_test);
});
@ -162,24 +148,15 @@ function add_tests_in_mode(useMozillaPKIX)
});
add_test(function () {
check_no_ocsp_requests("ev-valid",
useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
: (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
: SEC_ERROR_EXTENSION_NOT_FOUND));
check_no_ocsp_requests("ev-valid", SEC_ERROR_POLICY_VALIDATION_FAILED);
});
add_test(function () {
check_no_ocsp_requests("non-ev-root",
useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
: (isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER
: SEC_ERROR_EXTENSION_NOT_FOUND));
check_no_ocsp_requests("non-ev-root", SEC_ERROR_POLICY_VALIDATION_FAILED);
});
add_test(function () {
check_no_ocsp_requests("no-ocsp-url-cert",
useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
: (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
: SEC_ERROR_EXTENSION_NOT_FOUND));
check_no_ocsp_requests("no-ocsp-url-cert", SEC_ERROR_POLICY_VALIDATION_FAILED);
});
@ -203,9 +180,7 @@ function add_tests_in_mode(useMozillaPKIX)
flags, verifiedChain, hasEVPolicy);
do_check_eq(hasEVPolicy.value, isDebugBuild);
do_check_eq(error,
isDebugBuild ? 0
: (useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
: SEC_ERROR_EXTENSION_NOT_FOUND));
isDebugBuild ? 0 : SEC_ERROR_POLICY_VALIDATION_FAILED);
failingOcspResponder.stop(run_next_test);
});
});
@ -235,17 +210,13 @@ function add_tests_in_mode(useMozillaPKIX)
let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
let debugResponseArray = ["good", "longvalidityalmostold",
"longvalidityalmostold"];
if (!useMozillaPKIX) {
debugCertNickArray = ["int-ev-valid", "ev-valid"];
debugResponseArray = ["good", "longvalidityalmostold"];
}
let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [],
"test_ev_certs",
isDebugBuild ? debugCertNickArray : ["ev-valid"],
[], [],
isDebugBuild ? debugResponseArray
: ["longvalidityalmostold"]);
check_ee_for_ev("ev-valid", !useMozillaPKIX && isDebugBuild);
check_ee_for_ev("ev-valid", false);
ocspResponder.stop(run_next_test);
});
@ -256,19 +227,17 @@ function add_tests_in_mode(useMozillaPKIX)
let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
let debugResponseArray = ["good", "ancientstillvalid",
"ancientstillvalid"];
if (!useMozillaPKIX) {
debugCertNickArray = ["int-ev-valid", "ev-valid"];
debugResponseArray = ["good", "ancientstillvalid"];
}
let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [],
"test_ev_certs",
isDebugBuild ? debugCertNickArray : ["ev-valid"],
[], [],
isDebugBuild ? debugResponseArray
: ["ancientstillvalid"]);
check_ee_for_ev("ev-valid", !useMozillaPKIX && isDebugBuild);
check_ee_for_ev("ev-valid", false);
ocspResponder.stop(run_next_test);
});
run_next_test();
}
// bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert

8
security/manager/ssl/tests/unit/test_getchain.js
View File

@ -70,8 +70,7 @@ function check_getchain(ee_cert, ssl_ca, email_ca){
check_matching_issuer_and_getchain(ee_cert.issuer.serialNumber, ee_cert);
}
function run_test_in_mode(useMozillaPKIX) {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
function run_test() {
clearOCSPCache();
clearSessionCache();
@ -88,8 +87,3 @@ function run_test_in_mode(useMozillaPKIX) {
// Swap ca certs to deal alternate trust settings.
check_getchain(ee_cert, ca[2], ca[1]);
}
function run_test() {
run_test_in_mode(true);
run_test_in_mode(false);
}

25
security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
View File

@ -38,20 +38,14 @@ function test_cert_for_usages(certChainNicks, expected_usages_string) {
do_check_eq(expected_usages_string, usages.value);
}
function run_test_in_mode(useMozillaPKIX) {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
function run_test() {
// mozilla::pkix doesn't support the obsolete Netscape object signing
// extension, but NSS does.
let ee_usage1 = useMozillaPKIX
? 'Client,Server,Sign,Encrypt,Object Signer'
: 'Client,Server,Sign,Encrypt'
let ee_usage1 = 'Client,Server,Sign,Encrypt,Object Signer';
// mozilla::pkix doesn't validate CA certificates for non-CA uses, but
// NSS does.
let ca_usage1 = useMozillaPKIX
? "SSL CA"
: 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
let ca_usage1 = "SSL CA";
// Load the ca into mem
let ca_name = "ca";
@ -87,8 +81,7 @@ function run_test_in_mode(useMozillaPKIX) {
// XXX: It seems the NSS code does not consider the path length of the
// certificate we're validating, but mozilla::pkix does. mozilla::pkix's
// behavior is correct.
test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"],
useMozillaPKIX ? "" : ca_usage1);
test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"], "");
test_cert_for_usages(["ee-int-limited-depth-invalid",
"int-limited-depth-invalid",
"int-limited-depth"],
@ -103,10 +96,7 @@ function run_test_in_mode(useMozillaPKIX) {
// but the KU extension is missing keyCertSign. Note that mozilla::pkix
// doesn't validate certificates with basicConstraints.Ca==true for non-CA
// uses, but NSS does.
test_cert_for_usages(["int-bad-ku-no-eku"],
useMozillaPKIX
? ""
: 'Client,Server,Sign,Encrypt,Status Responder');
test_cert_for_usages(["int-bad-ku-no-eku"], "");
test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], "");
// int-no-ku-no-eku has basicConstraints.cA==true and no KU extension.
@ -132,8 +122,3 @@ function run_test_in_mode(useMozillaPKIX) {
test_cert_for_usages(["ee-int-no-ku-server-eku", "int-no-ku-server-eku"],
"Client,Server");
}
function run_test() {
run_test_in_mode(true);
run_test_in_mode(false);
}

13
security/manager/ssl/tests/unit/test_name_constraints.js
View File

@ -50,8 +50,9 @@ function check_fail_ca(x) {
return check_cert_err_generic(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLCA);
}
function run_test_in_mode(useMozillaPKIX) {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
function run_test() {
load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu");
load_cert("ca-nc", "CTu,CTu,CTu");
// Note that CN is only looked at when there is NO subjectAltName!
@ -269,11 +270,3 @@ function run_test_in_mode(useMozillaPKIX) {
check_cert_err_generic(cert, 0, certificateUsageSSLClient);
}
}
function run_test() {
load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu");
load_cert("ca-nc", "CTu,CTu,CTu");
run_test_in_mode(true);
run_test_in_mode(false);
}

11
security/manager/ssl/tests/unit/test_ocsp_caching.js
View File

@ -40,20 +40,13 @@ function run_test() {
});
ocspResponder.start(8080);
add_tests_in_mode(true);
add_tests_in_mode(false);
add_tests();
add_test(function() { ocspResponder.stop(run_next_test); });
run_next_test();
}
function add_tests_in_mode(useMozillaPKIX) {
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
function add_tests() {
// This test assumes that OCSPStaplingServer uses the same cert for
// ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com.

25
security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
View File

@ -38,19 +38,6 @@ function run_test() {
Services.prefs.setCharPref("network.dns.localDomains",
"www.example.com");
add_tests_in_mode(true);
add_tests_in_mode(false);
run_next_test();
}
function add_tests_in_mode(useMozillaPKIX)
{
add_test(function() {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
add_test(function() {
clearOCSPCache();
Services.prefs.setBoolPref("security.OCSP.GET.enabled", false);
@ -72,13 +59,11 @@ function add_tests_in_mode(useMozillaPKIX)
clearOCSPCache();
Services.prefs.setBoolPref("security.OCSP.GET.enabled", true);
// Bug 1016681 mozilla::pkix does not support fallback yet.
if (!useMozillaPKIX) {
let ocspResponder = start_ocsp_responder(["b", "a"], [], ["GET", "POST"]);
check_cert_err("a", 0);
ocspResponder.stop(run_next_test);
} else {
run_next_test();
}
// let ocspResponder = start_ocsp_responder(["b", "a"], [], ["GET", "POST"]);
// check_cert_err("a", 0);
// ocspResponder.stop(run_next_test);
run_next_test();
});
run_next_test();
}

27
security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
View File

@ -28,8 +28,14 @@ function run_test() {
});
ocspResponder.start(8080);
add_tests_in_mode(true);
add_tests_in_mode(false);
// ocsp-stapling-none.example.com does not staple an OCSP response in the
// handshake, so the revocation checking code will attempt to fetch one.
// Since the domain of the certificate's OCSP AIA URI is an HSTS host
// (as added in the setup of this test, below), a buggy implementation would
// upgrade the OCSP request to HTTPS. We specifically prevent this. This
// test demonstrates that our implementation is correct in this regard.
add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK);
add_test(function () { run_next_test(); });
add_test(function () { ocspResponder.stop(run_next_test); });
@ -43,20 +49,3 @@ function run_test() {
run_next_test();
}
function add_tests_in_mode(useMozillaPKIX) {
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
// ocsp-stapling-none.example.com does not staple an OCSP response in the
// handshake, so the revocation checking code will attempt to fetch one.
// Since the domain of the certificate's OCSP AIA URI is an HSTS host
// (as added in the setup of this test), a buggy implementation would
// upgrade the OCSP request to HTTPS. We specifically prevent this. This
// test demonstrates that our implementation is correct in this regard.
add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK);
add_test(function () { run_next_test(); });
}

11
security/manager/ssl/tests/unit/test_ocsp_required.js
View File

@ -32,22 +32,15 @@ function run_test() {
});
ocspResponder.start(8080);
add_tests_in_mode(true);
add_tests_in_mode(false);
add_tests();
add_test(function () { ocspResponder.stop(run_next_test); });
run_next_test();
}
function add_tests_in_mode(useMozillaPKIX)
function add_tests()
{
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
add_connection_test("ocsp-stapling-none.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
add_connection_test("ocsp-stapling-none.example.com",

32
security/manager/ssl/tests/unit/test_ocsp_stapling.js
View File

@ -21,13 +21,7 @@ function add_ocsp_test(aHost, aExpectedResult, aStaplingEnabled) {
});
}
function add_tests_in_mode(useMozillaPKIX, certDB, otherTestCA) {
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
function add_tests(certDB, otherTestCA) {
// In the absence of OCSP stapling, these should actually all work.
add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false);
@ -115,16 +109,11 @@ function add_tests_in_mode(useMozillaPKIX, certDB, otherTestCA) {
add_ocsp_test("ocsp-stapling-empty.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
// TODO(bug 979070): NSS can't handle this yet.
if (useMozillaPKIX) {
add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
}
add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
add_ocsp_test("ocsp-stapling-critical-extension.example.com",
useMozillaPKIX
? getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION)
: Cr.NS_OK, // TODO(bug 987426): NSS doesn't handle unknown critical extensions
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION),
true);
add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", Cr.NS_OK, true);
// TODO(bug 997994): Disallow empty Extensions in responses
@ -155,11 +144,11 @@ function check_ocsp_stapling_telemetry() {
.getService(Ci.nsITelemetry)
.getHistogramById("SSL_OCSP_STAPLING")
.snapshot();
do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
do_check_eq(histogram.counts[1], 5 + 6); // 5 or 6 connections with a good response (bug 987426)
do_check_eq(histogram.counts[2], 2 * 18); // 18 connections with no stapled resp.
do_check_eq(histogram.counts[3], 2 * 0); // 0 connections with an expired response
do_check_eq(histogram.counts[4], 19 + 17); // 19 or 17 connections with bad responses (bug 979070, bug 987426)
do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
do_check_eq(histogram.counts[1], 5); // 5 connections with a good response
do_check_eq(histogram.counts[2], 18); // 18 connections with no stapled resp.
do_check_eq(histogram.counts[3], 0); // 0 connections with an expired response
do_check_eq(histogram.counts[4], 19); // 19 connections with bad responses
run_next_test();
}
@ -181,8 +170,7 @@ function run_test() {
add_tls_server_setup("OCSPStaplingServer");
add_tests_in_mode(true, certDB, otherTestCA);
add_tests_in_mode(false, certDB, otherTestCA);
add_tests(certDB, otherTestCA);
add_test(function () {
fakeOCSPResponder.stop(check_ocsp_stapling_telemetry);

131
security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
View File

@ -60,20 +60,6 @@ function run_test() {
});
ocspResponder.start(8080);
add_tls_server_setup("OCSPStaplingServer");
add_tests_in_mode(true);
add_tests_in_mode(false);
add_test(function () { ocspResponder.stop(run_next_test); });
add_test(check_ocsp_stapling_telemetry);
run_next_test();
}
function add_tests_in_mode(useMozillaPKIX)
{
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
// In these tests, the OCSP stapling server gives us a stapled
// response based on the host name ("ocsp-stapling-expired" or
@ -88,37 +74,25 @@ function add_tests_in_mode(useMozillaPKIX)
ocspResponseGood);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
ocspResponseGood);
// With mozilla::pkix, if we can't fetch a more recent response when
// if we can't fetch a more recent response when
// given an expired stapled response, we terminate the connection.
add_ocsp_test("ocsp-stapling-expired.example.com",
useMozillaPKIX
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
: Cr.NS_OK,
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
expiredOCSPResponseGood);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
useMozillaPKIX
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
: Cr.NS_OK,
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
expiredOCSPResponseGood);
add_ocsp_test("ocsp-stapling-expired.example.com",
useMozillaPKIX
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
: Cr.NS_OK,
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
oldValidityPeriodOCSPResponseGood);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
useMozillaPKIX
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
: Cr.NS_OK,
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
oldValidityPeriodOCSPResponseGood);
add_ocsp_test("ocsp-stapling-expired.example.com",
useMozillaPKIX
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
: Cr.NS_OK,
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
null);
add_ocsp_test("ocsp-stapling-expired.example.com",
useMozillaPKIX
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
: Cr.NS_OK,
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
null);
// Of course, if the newer response indicates Revoked or Unknown,
// that status must be returned.
@ -135,47 +109,47 @@ function add_tests_in_mode(useMozillaPKIX)
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
ocspResponseUnknown);
if (useMozillaPKIX) {
// If the response is expired but indicates Revoked or Unknown and a
// newer status can't be fetched, the Revoked or Unknown status will
// be returned.
add_ocsp_test("ocsp-stapling-revoked-old.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
null);
add_ocsp_test("ocsp-stapling-unknown-old.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
null);
// If the response is expired but indicates Revoked or Unknown and
// a newer status can be fetched and successfully verified, this
// should result in a successful certificate verification.
add_ocsp_test("ocsp-stapling-revoked-old.example.com", Cr.NS_OK,
ocspResponseGood);
add_ocsp_test("ocsp-stapling-unknown-old.example.com", Cr.NS_OK,
ocspResponseGood);
// If a newer status can be fetched but it fails to verify, the
// Revoked or Unknown status of the expired stapled response
// should be returned.
add_ocsp_test("ocsp-stapling-revoked-old.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
expiredOCSPResponseGood);
add_ocsp_test("ocsp-stapling-unknown-old.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
expiredOCSPResponseGood);
}
// If the response is expired but indicates Revoked or Unknown and a
// newer status can't be fetched, the Revoked or Unknown status will
// be returned.
add_ocsp_test("ocsp-stapling-revoked-old.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
null);
add_ocsp_test("ocsp-stapling-unknown-old.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
null);
// If the response is expired but indicates Revoked or Unknown and
// a newer status can be fetched and successfully verified, this
// should result in a successful certificate verification.
add_ocsp_test("ocsp-stapling-revoked-old.example.com", Cr.NS_OK,
ocspResponseGood);
add_ocsp_test("ocsp-stapling-unknown-old.example.com", Cr.NS_OK,
ocspResponseGood);
// If a newer status can be fetched but it fails to verify, the
// Revoked or Unknown status of the expired stapled response
// should be returned.
add_ocsp_test("ocsp-stapling-revoked-old.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
expiredOCSPResponseGood);
add_ocsp_test("ocsp-stapling-unknown-old.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
expiredOCSPResponseGood);
if (useMozillaPKIX) {
// These tests are verifying that an valid but very old response
// is rejected as a valid stapled response, requiring a fetch
// from the ocsp responder.
add_ocsp_test("ocsp-stapling-ancient-valid.example.com", Cr.NS_OK,
ocspResponseGood);
add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
ocspResponseRevoked);
add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
ocspResponseUnknown);
}
// These tests are verifying that an valid but very old response
// is rejected as a valid stapled response, requiring a fetch
// from the ocsp responder.
add_ocsp_test("ocsp-stapling-ancient-valid.example.com", Cr.NS_OK,
ocspResponseGood);
add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
ocspResponseRevoked);
add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
ocspResponseUnknown);
add_test(function () { ocspResponder.stop(run_next_test); });
add_test(check_ocsp_stapling_telemetry);
run_next_test();
}
function check_ocsp_stapling_telemetry() {
@ -183,11 +157,10 @@ function check_ocsp_stapling_telemetry() {
.getService(Ci.nsITelemetry)
.getHistogramById("SSL_OCSP_STAPLING")
.snapshot();
do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
do_check_eq(histogram.counts[1], 2 * 0); // 0 connections with a good response
do_check_eq(histogram.counts[2], 2 * 0); // 0 connections with no stapled resp.
do_check_eq(histogram.counts[3], 2 * 12 + 9); // 12 connections with an expired response
// +9 more mozilla::pkix-only expired responses
do_check_eq(histogram.counts[4], 2 * 0); // 0 connections with bad responses
do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
do_check_eq(histogram.counts[1], 0); // 0 connections with a good response
do_check_eq(histogram.counts[2], 0); // 0 connections with no stapled resp.
do_check_eq(histogram.counts[3], 21); // 21 connections with an expired response
do_check_eq(histogram.counts[4], 0); // 0 connections with bad responses
run_next_test();
}

13
security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
View File

@ -33,8 +33,7 @@ function run_test() {
add_tls_server_setup("OCSPStaplingServer");
add_tests_in_mode(true);
add_tests_in_mode(false);
add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
add_test(function () { ocspResponder.stop(run_next_test); });
add_test(function() {
@ -43,13 +42,3 @@ function run_test() {
});
run_next_test();
}
function add_tests_in_mode(useMozillaPKIX) {
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
}

10
security/manager/ssl/tests/unit/test_ocsp_timeout.js
View File

@ -38,20 +38,16 @@ function run_test() {
socket.init(8080, true, -1);
socket.asyncListen(gSocketListener);
add_tests_in_mode(true, true);
add_tests_in_mode(false, true);
add_tests_in_mode(true, false);
add_tests_in_mode(false, false);
add_tests_in_mode(true);
add_tests_in_mode(false);
add_test(function() { socket.close(); run_next_test(); });
run_next_test();
}
function add_tests_in_mode(useMozillaPKIX, useHardFail) {
function add_tests_in_mode(useHardFail) {
let startTime;
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
Services.prefs.setBoolPref("security.OCSP.require", useHardFail);
startTime = new Date();
run_next_test();

42
security/manager/ssl/tests/unit/test_ocsp_url.js
View File

@ -40,43 +40,24 @@ function run_test() {
Services.prefs.setCharPref("network.dns.localDomains",
"www.example.com");
add_tests_in_mode(true);
add_tests_in_mode(false);
run_next_test();
}
function add_tests_in_mode(useMozillaPKIX)
{
add_test(function() {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
add_test(function() {
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
check_cert_err("bad-scheme",
useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
: SEC_ERROR_OCSP_MALFORMED_REQUEST);
check_cert_err("bad-scheme",SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
ocspResponder.stop(run_next_test);
});
add_test(function() {
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
check_cert_err("empty-scheme-url",
useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
: SEC_ERROR_OCSP_MALFORMED_REQUEST);
check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
ocspResponder.stop(run_next_test);
});
add_test(function() {
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
check_cert_err("https-url",
useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
: SEC_ERROR_OCSP_MALFORMED_REQUEST);
check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
ocspResponder.stop(run_next_test);
});
@ -90,9 +71,7 @@ function add_tests_in_mode(useMozillaPKIX)
add_test(function() {
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
check_cert_err("negative-port",
useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
: SEC_ERROR_OCSP_MALFORMED_REQUEST);
check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
ocspResponder.stop(run_next_test);
});
@ -114,28 +93,23 @@ function add_tests_in_mode(useMozillaPKIX)
add_test(function() {
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
check_cert_err("no-scheme-host-port",
useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
: SEC_ERROR_OCSP_MALFORMED_REQUEST);
check_cert_err("no-scheme-host-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
ocspResponder.stop(run_next_test);
});
add_test(function() {
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
check_cert_err("no-scheme-url",
useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
: SEC_ERROR_OCSP_MALFORMED_REQUEST);
check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
ocspResponder.stop(run_next_test);
});
add_test(function() {
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
check_cert_err("unknown-scheme",
useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
: SEC_ERROR_OCSP_MALFORMED_REQUEST);
check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
ocspResponder.stop(run_next_test);
});
run_next_test();
}

38
toolkit/components/telemetry/Histograms.json
View File

@ -1247,12 +1247,6 @@
"extended_statistics_ok": true,
"description": "ms elapsed time of OCSP etc.. that failed"
},
"CERT_VALIDATION_LIBRARY": {
"expires_in_version": "never",
"kind": "enumerated",
"n_values": 4,
"description": "Which certificate validation library is in use? (1=classic, 2=libpkix, 3=mozilla::pkix)"
},
"SSL_KEY_EXCHANGE_ALGORITHM_FULL": {
"expires_in_version": "never",
"kind": "enumerated",
@ -4498,22 +4492,6 @@
"extended_statistics_ok": true,
"description": "Time (ms) it takes to run memory reporters when sending a telemetry ping"
},
"SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX": {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
"description": "Time spent on a successful cert verification in libpix mode (ms)"
},
"SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC": {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
"description": "Time spent on a successful cert verification in classic mode (ms)"
},
"SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
"expires_in_version": "never",
"kind": "exponential",
@ -4522,22 +4500,6 @@
"extended_statistics_ok": true,
"description": "Time spent on a successful cert verification in mozilla::pkix mode (ms)"
},
"SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX" : {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
"description": "Time spent on an initially failed cert verification in libpix mode (ms)"
},
"SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC": {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
"description": "Time spent on an initially failed cert verification in classic mode (ms)"
},
"SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
"expires_in_version": "never",
"kind": "exponential",