Bug 802302: Remove obsolete OCSP responder override UI and API, r=honzab
--HG-- extra : rebase_source : 5d241a8b9573f442c37d0aeef0689ae5054dd08d
This commit is contained in:
parent
4f01c0148b
commit
824cf41577
@ -57,7 +57,6 @@ XPIDLSRCS = \
|
||||
nsICMSMessage.idl \
|
||||
nsICMSMessage2.idl \
|
||||
nsINSSCertCache.idl \
|
||||
nsIOCSPResponder.idl \
|
||||
nsIPK11Token.idl \
|
||||
nsIPKCS11ModuleDB.idl \
|
||||
nsIPKCS11Module.idl \
|
||||
|
@ -1,12 +0,0 @@
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "nsISupports.idl"
|
||||
|
||||
[scriptable, uuid(96b2f5ae-4334-11d5-ba27-00108303b117)]
|
||||
interface nsIOCSPResponder : nsISupports {
|
||||
readonly attribute wstring responseSigner;
|
||||
readonly attribute wstring serviceURL;
|
||||
};
|
||||
|
@ -19,7 +19,7 @@ interface nsIInterfaceRequestor;
|
||||
* This represents a service to access and manipulate
|
||||
* X.509 certificates stored in a database.
|
||||
*/
|
||||
[scriptable, uuid(da48b3c0-1284-11d5-ac67-000064657374)]
|
||||
[scriptable, uuid(eb426311-69cd-4a74-a7db-a4a215854c78)]
|
||||
interface nsIX509CertDB : nsISupports {
|
||||
|
||||
/**
|
||||
@ -240,14 +240,6 @@ interface nsIX509CertDB : nsISupports {
|
||||
in unsigned long count,
|
||||
[array, size_is(count)] in nsIX509Cert aCerts);
|
||||
|
||||
/**
|
||||
* An array of all known OCSP responders within the scope of the
|
||||
* certificate database.
|
||||
*
|
||||
* @return Array of OCSP responders, entries are QIable to nsIOCSPResponder.
|
||||
*/
|
||||
nsIArray getOCSPResponders();
|
||||
|
||||
/**
|
||||
* Whether OCSP is enabled in preferences.
|
||||
*/
|
||||
|
@ -56,7 +56,6 @@ CPPSRCS = \
|
||||
nsNSSCertificateDB.cpp \
|
||||
nsNSSCertTrust.cpp \
|
||||
nsNSSCertValidity.cpp \
|
||||
nsOCSPResponder.cpp \
|
||||
nsUsageArrayHelper.cpp \
|
||||
nsCRLManager.cpp \
|
||||
nsNSSShutDown.cpp \
|
||||
|
@ -20,7 +20,6 @@
|
||||
#include "nsIFile.h"
|
||||
#include "nsPKCS12Blob.h"
|
||||
#include "nsPK11TokenDB.h"
|
||||
#include "nsOCSPResponder.h"
|
||||
#include "nsReadableUtils.h"
|
||||
#include "nsIMutableArray.h"
|
||||
#include "nsArrayUtils.h"
|
||||
@ -1212,85 +1211,6 @@ nsNSSCertificateDB::ExportPKCS12File(nsISupports *aToken,
|
||||
return blob.ExportToFile(aFile, certs, count);
|
||||
}
|
||||
|
||||
|
||||
static SECStatus
|
||||
GetOCSPResponders (CERTCertificate *aCert,
|
||||
SECItem *aDBKey,
|
||||
void *aArg)
|
||||
{
|
||||
nsIMutableArray *array = static_cast<nsIMutableArray*>(aArg);
|
||||
PRUnichar* nn = nullptr;
|
||||
PRUnichar* url = nullptr;
|
||||
char *serviceURL = nullptr;
|
||||
char *nickname = nullptr;
|
||||
uint32_t i, count;
|
||||
|
||||
// Are we interested in this cert //
|
||||
if (!nsOCSPResponder::IncludeCert(aCert)) {
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
// Get the AIA and nickname //
|
||||
serviceURL = CERT_GetOCSPAuthorityInfoAccessLocation(aCert);
|
||||
if (serviceURL) {
|
||||
url = ToNewUnicode(NS_ConvertUTF8toUTF16(serviceURL));
|
||||
PORT_Free(serviceURL);
|
||||
}
|
||||
|
||||
nickname = aCert->nickname;
|
||||
nn = ToNewUnicode(NS_ConvertUTF8toUTF16(nickname));
|
||||
|
||||
nsCOMPtr<nsIOCSPResponder> new_entry = new nsOCSPResponder(nn, url);
|
||||
nsMemory::Free(nn);
|
||||
nsMemory::Free(url);
|
||||
|
||||
// Sort the items according to nickname //
|
||||
array->GetLength(&count);
|
||||
for (i=0; i < count; ++i) {
|
||||
nsCOMPtr<nsIOCSPResponder> entry = do_QueryElementAt(array, i);
|
||||
if (nsOCSPResponder::CompareEntries(new_entry, entry) < 0) {
|
||||
array->InsertElementAt(new_entry, i, false);
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (i == count) {
|
||||
array->AppendElement(new_entry, false);
|
||||
}
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
|
||||
|
||||
/*
|
||||
* getOCSPResponders
|
||||
*
|
||||
* Export a set of certs and keys from the database to a PKCS#12 file.
|
||||
*/
|
||||
NS_IMETHODIMP
|
||||
nsNSSCertificateDB::GetOCSPResponders(nsIArray ** aResponders)
|
||||
{
|
||||
nsNSSShutDownPreventionLock locker;
|
||||
SECStatus sec_rv;
|
||||
nsCOMPtr<nsIMutableArray> respondersArray =
|
||||
do_CreateInstance(NS_ARRAY_CONTRACTID);
|
||||
if (!respondersArray) {
|
||||
return NS_ERROR_OUT_OF_MEMORY;
|
||||
}
|
||||
|
||||
sec_rv = PK11_TraverseSlotCerts(::GetOCSPResponders,
|
||||
respondersArray,
|
||||
nullptr);
|
||||
if (sec_rv != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
*aResponders = respondersArray;
|
||||
NS_IF_ADDREF(*aResponders);
|
||||
return NS_OK;
|
||||
loser:
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
/*
|
||||
* NSS Helper Routines (private to nsNSSCertificateDB)
|
||||
*/
|
||||
|
@ -1044,33 +1044,14 @@ static CipherPref CipherPrefs[] = {
|
||||
static void
|
||||
setNonPkixOcspEnabled(int32_t ocspEnabled, nsIPrefBranch * pref)
|
||||
{
|
||||
switch (ocspEnabled) {
|
||||
case 0:
|
||||
// Note: this preference is numeric vs bolean because previously we
|
||||
// supported more than two options.
|
||||
if (!ocspEnabled) {
|
||||
CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
|
||||
CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
|
||||
break;
|
||||
case 1:
|
||||
} else {
|
||||
CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
|
||||
CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
|
||||
break;
|
||||
case 2:
|
||||
{
|
||||
char *signingCA = nullptr;
|
||||
char *url = nullptr;
|
||||
|
||||
// Get the signing CA and service url //
|
||||
pref->GetCharPref("security.OCSP.signingCA", &signingCA);
|
||||
pref->GetCharPref("security.OCSP.URL", &url);
|
||||
|
||||
// Set OCSP up
|
||||
CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
|
||||
CERT_SetOCSPDefaultResponder(CERT_GetDefaultCertDB(), url, signingCA);
|
||||
CERT_EnableOCSPDefaultResponder(CERT_GetDefaultCertDB());
|
||||
|
||||
nsMemory::Free(signingCA);
|
||||
nsMemory::Free(url);
|
||||
}
|
||||
break;
|
||||
}
|
||||
}
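Review bot: The SECStatus returned by CERT_EnableOCSPChecking / CERT_DisableOCSPChecking and by CERT_DisableOCSPDefaultResponder is discarded in both branches, so if enabling fails the browser continues with revocation checking silently off and no trace of why; at minimum check and report it, e.g. `if (CERT_EnableOCSPChecking(CERT_GetDefaultCertDB()) != SECSuccess) { NS_WARNING("CERT_EnableOCSPChecking failed"); }`. The retained comment should also say what the old value 2 (which selected a responder override and read security.OCSP.signingCA / security.OCSP.URL) now means, because profiles still holding that value silently change behaviour: append `// Any non-zero value (including the legacy value 2, which selected a custom responder) now means AIA-based OCSP; security.OCSP.signingCA / security.OCSP.URL are no longer read.` Since `CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());` appears in both branches it can be hoisted above the if, leaving only the enable/disable call to differ.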
|
||||
|
||||
|
@ -1,125 +0,0 @@
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "nsOCSPResponder.h"
|
||||
|
||||
#include "nsCOMPtr.h"
|
||||
#include "nsIDateTimeFormat.h"
|
||||
#include "nsDateTimeFormatCID.h"
|
||||
#include "nsComponentManagerUtils.h"
|
||||
#include "nsReadableUtils.h"
|
||||
|
||||
#include "certdb.h"
|
||||
|
||||
/* Implementation file */
|
||||
NS_IMPL_ISUPPORTS1(nsOCSPResponder, nsIOCSPResponder)
|
||||
|
||||
nsOCSPResponder::nsOCSPResponder()
|
||||
{
|
||||
/* member initializers and constructor code */
|
||||
}
|
||||
|
||||
nsOCSPResponder::nsOCSPResponder(const PRUnichar * aCA, const PRUnichar * aURL)
|
||||
{
|
||||
mCA.Assign(aCA);
|
||||
mURL.Assign(aURL);
|
||||
}
|
||||
|
||||
nsOCSPResponder::~nsOCSPResponder()
|
||||
{
|
||||
/* destructor code */
|
||||
}
|
||||
|
||||
/* readonly attribute */
|
||||
NS_IMETHODIMP nsOCSPResponder::GetResponseSigner(PRUnichar** aCA)
|
||||
{
|
||||
NS_ENSURE_ARG(aCA);
|
||||
*aCA = ToNewUnicode(mCA);
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
/* readonly attribute */
|
||||
NS_IMETHODIMP nsOCSPResponder::GetServiceURL(PRUnichar** aURL)
|
||||
{
|
||||
NS_ENSURE_ARG(aURL);
|
||||
*aURL = ToNewUnicode(mURL);
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
bool nsOCSPResponder::IncludeCert(CERTCertificate *aCert)
|
||||
{
|
||||
CERTCertTrust *trust;
|
||||
char *nickname;
|
||||
|
||||
trust = aCert->trust;
|
||||
nickname = aCert->nickname;
|
||||
|
||||
PR_ASSERT(trust != nullptr);
|
||||
|
||||
// Check that trust is non-null //
|
||||
if (trust == nullptr) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if ( ( ( trust->sslFlags & CERTDB_INVISIBLE_CA ) ||
|
||||
(trust->emailFlags & CERTDB_INVISIBLE_CA ) ||
|
||||
(trust->objectSigningFlags & CERTDB_INVISIBLE_CA ) ) ||
|
||||
nickname == NULL) {
|
||||
return false;
|
||||
}
|
||||
if ((trust->sslFlags & CERTDB_VALID_CA) ||
|
||||
(trust->emailFlags & CERTDB_VALID_CA) ||
|
||||
(trust->objectSigningFlags & CERTDB_VALID_CA)) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
// CmpByCAName
|
||||
//
|
||||
// Compare two responders their token name. Returns -1, 0, 1 as
|
||||
// in strcmp. No token name (null) is treated as >.
|
||||
int32_t nsOCSPResponder::CmpCAName(nsIOCSPResponder *a, nsIOCSPResponder *b)
|
||||
{
|
||||
int32_t cmp1;
|
||||
nsXPIDLString aTok, bTok;
|
||||
a->GetResponseSigner(getter_Copies(aTok));
|
||||
b->GetResponseSigner(getter_Copies(bTok));
|
||||
if (aTok != nullptr && bTok != nullptr) {
|
||||
cmp1 = Compare(aTok, bTok);
|
||||
} else {
|
||||
cmp1 = (aTok == nullptr) ? 1 : -1;
|
||||
}
|
||||
return cmp1;
|
||||
}
|
||||
|
||||
// ocsp_compare_entries
|
||||
//
|
||||
// Compare two responders. Returns -1, 0, 1 as
|
||||
// in strcmp. Entries with urls come before those without urls.
|
||||
int32_t nsOCSPResponder::CompareEntries(nsIOCSPResponder *a, nsIOCSPResponder *b)
|
||||
{
|
||||
nsXPIDLString aURL, bURL;
|
||||
nsAutoString aURLAuto, bURLAuto;
|
||||
|
||||
a->GetServiceURL(getter_Copies(aURL));
|
||||
aURLAuto.Assign(aURL);
|
||||
b->GetServiceURL(getter_Copies(bURL));
|
||||
bURLAuto.Assign(bURL);
|
||||
|
||||
if (!aURLAuto.IsEmpty()) {
|
||||
if (!bURLAuto.IsEmpty()) {
|
||||
return nsOCSPResponder::CmpCAName(a, b);
|
||||
} else {
|
||||
return -1;
|
||||
}
|
||||
} else {
|
||||
if (!bURLAuto.IsEmpty()) {
|
||||
return 1;
|
||||
} else {
|
||||
return nsOCSPResponder::CmpCAName(a, b);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -1,31 +0,0 @@
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#ifndef __NSOCSPRESPONDER_H__
|
||||
#define __NSOCSPRESPONDER_H__
|
||||
|
||||
#include "nsIOCSPResponder.h"
|
||||
#include "nsString.h"
|
||||
|
||||
#include "certt.h"
|
||||
|
||||
class nsOCSPResponder : public nsIOCSPResponder
|
||||
{
|
||||
public:
|
||||
NS_DECL_ISUPPORTS
|
||||
NS_DECL_NSIOCSPRESPONDER
|
||||
|
||||
nsOCSPResponder();
|
||||
nsOCSPResponder(const PRUnichar*, const PRUnichar*);
|
||||
virtual ~nsOCSPResponder();
|
||||
/* additional members */
|
||||
static int32_t CmpCAName(nsIOCSPResponder *a, nsIOCSPResponder *b);
|
||||
static int32_t CompareEntries(nsIOCSPResponder *a, nsIOCSPResponder *b);
|
||||
static bool IncludeCert(CERTCertificate *aCert);
|
||||
private:
|
||||
nsString mCA;
|
||||
nsString mURL;
|
||||
};
|
||||
|
||||
#endif
|
@ -5,13 +5,5 @@
|
||||
<!ENTITY ocspDialog.title "Certificate Validation">
|
||||
<!ENTITY enableOCSP.label "Use the Online Certificate Status Protocol (OCSP) to confirm the current validity of certificates">
|
||||
<!ENTITY enableOCSP.accesskey "U">
|
||||
<!ENTITY certOCSP2.label "Validate a certificate if it specifies an OCSP server">
|
||||
<!ENTITY certOCSP2.accesskey "V">
|
||||
<!ENTITY proxyOCSP2.label "Validate all certificates using the following OCSP server:">
|
||||
<!ENTITY proxyOCSP2.accesskey "a">
|
||||
<!ENTITY serviceURL.label "Service URL:">
|
||||
<!ENTITY serviceURL.accesskey "S">
|
||||
<!ENTITY signingCA.label "Response Signer:">
|
||||
<!ENTITY signingCA.accesskey "R">
|
||||
<!ENTITY requireOCSP.label "When an OCSP server connection fails, treat the certificate as invalid">
|
||||
<!ENTITY requireOCSP.accesskey "W">
|
||||
|
@ -5,89 +5,18 @@
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
var gOCSPDialog = {
|
||||
_certDB : null,
|
||||
_OCSPResponders : null,
|
||||
_cacheRadio : 0,
|
||||
|
||||
init: function ()
|
||||
{
|
||||
this._certDB = Components.classes["@mozilla.org/security/x509certdb;1"]
|
||||
.getService(Components.interfaces.nsIX509CertDB);
|
||||
this._OCSPResponders = this._certDB.getOCSPResponders();
|
||||
|
||||
var signingCA = document.getElementById("signingCA");
|
||||
const nsIOCSPResponder = Components.interfaces.nsIOCSPResponder;
|
||||
for (var i = 0; i < this._OCSPResponders.length; ++i) {
|
||||
var ocspEntry = this._OCSPResponders.queryElementAt(i, nsIOCSPResponder);
|
||||
var menuitem = document.createElement("menuitem");
|
||||
menuitem.setAttribute("value", ocspEntry.responseSigner);
|
||||
menuitem.setAttribute("label", ocspEntry.responseSigner);
|
||||
signingCA.firstChild.appendChild(menuitem);
|
||||
}
|
||||
|
||||
var signingCAPref = document.getElementById("security.OCSP.signingCA");
|
||||
if (!signingCAPref.hasUserValue)
|
||||
signingCA.selectedIndex = 0;
|
||||
else {
|
||||
// We need to initialize manually since auto-initialization is often
|
||||
// called prior to menulist population above.
|
||||
signingCA.value = signingCAPref.value;
|
||||
}
|
||||
this.chooseServiceURL();
|
||||
},
|
||||
|
||||
_updateUI: function (called_by)
|
||||
{
|
||||
var signingCA = document.getElementById("security.OCSP.signingCA");
|
||||
var serviceURL = document.getElementById("security.OCSP.URL");
|
||||
_updateUI: function (called_by) {
|
||||
var securityOCSPEnabled = document.getElementById("security.OCSP.enabled");
|
||||
var requireWorkingOCSP = document.getElementById("security.OCSP.require");
|
||||
var enableOCSPBox = document.getElementById("enableOCSPBox");
|
||||
var certOCSP = document.getElementById("certOCSP");
|
||||
var proxyOCSP = document.getElementById("proxyOCSP");
|
||||
var enableOCSP = document.getElementById("enableOCSP");
|
||||
var requireOCSP = document.getElementById("requireOCSP");
|
||||
|
||||
var OCSPPrefValue = parseInt(securityOCSPEnabled.value);
|
||||
|
||||
if (called_by == 0) {
|
||||
// the radio button changed, or we init the stored value from prefs
|
||||
enableOCSPBox.checked = (OCSPPrefValue != 0);
|
||||
}
|
||||
else {
|
||||
// the user toggled the checkbox to enable/disable OCSP
|
||||
var new_val = 0;
|
||||
if (enableOCSPBox.checked) {
|
||||
// now enabled. if we have a cached radio val, restore it.
|
||||
// if not, use the first setting
|
||||
new_val = (this._cacheRadio > 0) ? this._cacheRadio : 1;
|
||||
}
|
||||
else {
|
||||
// now disabled. remember current value
|
||||
this._cacheRadio = OCSPPrefValue;
|
||||
}
|
||||
securityOCSPEnabled.value = OCSPPrefValue = new_val;
|
||||
if (called_by) {
|
||||
securityOCSPEnabled.value = enableOCSP.checked ? 1 : 0
|
||||
} else {
|
||||
enableOCSP.checked = parseInt(securityOCSPEnabled.value) != 0;
|
||||
}
|
||||
|
||||
certOCSP.disabled = (OCSPPrefValue == 0);
|
||||
proxyOCSP.disabled = (OCSPPrefValue == 0);
|
||||
signingCA.disabled = serviceURL.disabled = OCSPPrefValue == 0 || OCSPPrefValue == 1;
|
||||
requireWorkingOCSP.disabled = (OCSPPrefValue == 0);
|
||||
|
||||
requireOCSP.disabled = !enableOCSP.checked;
|
||||
return undefined;
|
||||
},
|
||||
|
||||
chooseServiceURL: function ()
|
||||
{
|
||||
var signingCA = document.getElementById("signingCA");
|
||||
var serviceURL = document.getElementById("serviceURL");
|
||||
var CA = signingCA.value;
|
||||
|
||||
const nsIOCSPResponder = Components.interfaces.nsIOCSPResponder;
|
||||
for (var i = 0; i < this._OCSPResponders.length; ++i) {
|
||||
var ocspEntry = this._OCSPResponders.queryElementAt(i, nsIOCSPResponder);
|
||||
if (CA == ocspEntry.responseSigner) {
|
||||
serviceURL.value = ocspEntry.serviceURL;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
};
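Review bot: The assignment `securityOCSPEnabled.value = enableOCSP.checked ? 1 : 0` is missing its terminating semicolon and relies on ASI, unlike every other statement in the function. The trailing `return undefined;` looks vestigial: it made sense as the return of an `onsyncfrompreference` handler, but as far as this change shows `_updateUI` is now only invoked from the pane's `onpaneload` and the checkbox `oncommand`, neither of which uses the return value, so either drop it or add a comment saying what still depends on it. A header comment on `_updateUI` would also help the next reader, e.g. `// called_by: 0 = sync the checkbox from the security.OCSP.enabled int pref (pane load); 1 = user toggled the checkbox, write 1/0 back to the pref.`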
|
||||
|
@ -18,53 +18,20 @@
|
||||
dlgbuttons="accept,cancel"
|
||||
title="&ocspDialog.title;">
|
||||
|
||||
<prefpane id="OCSPDialogPane" onpaneload="gOCSPDialog.init();">
|
||||
<prefpane id="OCSPDialogPane" onpaneload="gOCSPDialog._updateUI(0)">
|
||||
<script type="application/javascript" src="chrome://mozapps/content/preferences/ocsp.js"/>
|
||||
|
||||
<preferences>
|
||||
<preference id="security.OCSP.enabled" name="security.OCSP.enabled" type="int"/>
|
||||
<preference id="security.OCSP.signingCA" name="security.OCSP.signingCA" type="string"/>
|
||||
<preference id="security.OCSP.URL" name="security.OCSP.URL" type="string"/>
|
||||
<preference id="security.OCSP.require" name="security.OCSP.require" type="bool"/>
|
||||
</preferences>
|
||||
|
||||
<checkbox id="enableOCSPBox" label="&enableOCSP.label;" accesskey="&enableOCSP.accesskey;"
|
||||
oncommand="gOCSPDialog._updateUI(1);"/>
|
||||
<radiogroup id="securityOCSPEnabled" preference="security.OCSP.enabled"
|
||||
onsyncfrompreference="return gOCSPDialog._updateUI(0);"
|
||||
class="indent">
|
||||
<radio value="0" hidden="true"/>
|
||||
<radio id="certOCSP" value="1" label="&certOCSP2.label;"
|
||||
accesskey="&certOCSP2.accesskey;"/>
|
||||
<radio id="proxyOCSP" value="2" label="&proxyOCSP2.label;"
|
||||
accesskey="&proxyOCSP2.accesskey;"/>
|
||||
|
||||
<grid class="indent" flex="1">
|
||||
<columns>
|
||||
<column/>
|
||||
<column flex="1"/>
|
||||
</columns>
|
||||
|
||||
<rows>
|
||||
<row align="center">
|
||||
<label value="&signingCA.label;" accesskey="&signingCA.accesskey;" control="signingCA"/>
|
||||
<hbox id="signingCABox" flex="1">
|
||||
<menulist id="signingCA" flex="1"
|
||||
preference="security.OCSP.signingCA"
|
||||
oncommand="gOCSPDialog.chooseServiceURL()">
|
||||
<menupopup/>
|
||||
</menulist>
|
||||
</hbox>
|
||||
</row>
|
||||
<row align="center">
|
||||
<label value="&serviceURL.label;" accesskey="&serviceURL.accesskey;" control="serviceURL"/>
|
||||
<textbox id="serviceURL" preference="security.OCSP.URL"/>
|
||||
</row>
|
||||
</rows>
|
||||
</grid>
|
||||
</radiogroup>
|
||||
<separator class="thin"/>
|
||||
<checkbox id="requireWorkingOCSP" preference="security.OCSP.require"
|
||||
<checkbox id="enableOCSP"
|
||||
label="&enableOCSP.label;"
|
||||
accesskey="&enableOCSP.accesskey;"
|
||||
oncommand="gOCSPDialog._updateUI(1)"/>
|
||||
<checkbox id="requireOCSP"
|
||||
preference="security.OCSP.require"
|
||||
label="&requireOCSP.label;"
|
||||
accesskey="&requireOCSP.accesskey;"/>
|
||||
</prefpane>
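Review bot: The `enableOCSP` checkbox is intentionally left without a `preference=` attribute (security.OCSP.enabled is an int pref, so gOCSPDialog._updateUI does the int/bool mapping), but nothing in the markup says so, and a reader comparing it with the `requireOCSP` checkbox directly below will assume the binding was forgotten. Add a comment before it, e.g. `<!-- Not bound via preference=: security.OCSP.enabled is an int pref, so _updateUI() maps it to/from this checkbox. -->`. One consequence worth stating there is that, unlike a bound control, this checkbox is only re-synced with the preference on paneload.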
|
||||
|