Bug 813418 - Backout fe8c74e402bc due to bustage CLOSED TREE

security/manager/ssl/src/nsNSSCertificate.cpp

@@ -825,45 +825,8 @@ nsNSSCertificate::GetChain(nsIArray **_rvChain)
   nsresult rv;
   /* Get the cert chain from NSS */
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting chain for \"%s\"\n", mCert->nickname));
-
   ScopedCERTCertList nssChain;
-  SECStatus srv;
-  nssChain = nullptr;
-  RefPtr<CertVerifier> certVerifier(GetDefaultCertVerifier());
-  NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
-  CERTCertList *pkixNssChain = nullptr;
-
-  // We want to test all usages, but we start with server because most of the
-  // time Firefox users care about server certs.
-  srv = certVerifier->VerifyCert(mCert,
-                                 certificateUsageSSLServer, PR_Now(),
-                                 nullptr, /*XXX fixme*/
-                                 CertVerifier::FLAG_LOCAL_ONLY,
-                                 &pkixNssChain);
-  for (int usage = certificateUsageSSLClient;
-       usage < certificateUsageAnyCA && !pkixNssChain;
-       usage = usage << 1) {
-    if (usage == certificateUsageSSLServer) {
-      continue;
-    }
-    PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("pipnss: PKIX attempting chain(%d) for '%s'\n",usage, mCert->nickname));
-    srv = certVerifier->VerifyCert(mCert,
-                                   certificateUsageSSLClient, PR_Now(),
-                                   nullptr, /*XXX fixme*/
-                                   CertVerifier::FLAG_LOCAL_ONLY,
-                                   &pkixNssChain);
-  }
-
-  if (!pkixNssChain) {
-    // There is not verified path for the chain, howeever we still want to 
-    // present to the user as much of a possible chain as possible, in the case
-    // where there was a problem with the cert or the issuers.
-    PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("pipnss: getchain :CertVerify failed to get chain for '%s'\n", mCert->nickname));
-    nssChain = CERT_GetCertChainFromCert(mCert, PR_Now(), certUsageSSLClient);
-  } else {
-    nssChain = pkixNssChain;
-  }
-
+  nssChain = CERT_GetCertChainFromCert(mCert, PR_Now(), certUsageSSLClient);
   if (!nssChain)
     return NS_ERROR_FAILURE;
   /* enumerate the chain for scripting purposes */

security/manager/ssl/src/nsNSSCertificateDB.cpp

@@ -487,20 +487,20 @@ ImportCertsIntoPermanentStorage(const ScopedCERTCertList &certChain, const SECCe
   CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
   const PRTime now = PR_Now();
 
-  int chainLen = 0;
+  int chainLen=0;
+
   for (CERTCertListNode *chainNode = CERT_LIST_HEAD(certChain);
        !CERT_LIST_END(chainNode, certChain);
        chainNode = CERT_LIST_NEXT(chainNode)) {
     chainLen++;
   }
-
   SECItem **rawArray;
   rawArray = (SECItem **) PORT_Alloc(chainLen * sizeof(SECItem *));
   if (!rawArray) {
     return SECFailure;
   }
 
-  int i = 0;
+  int i=0;
   for (CERTCertListNode *chainNode = CERT_LIST_HEAD(certChain);
        !CERT_LIST_END(chainNode, certChain);
        chainNode = CERT_LIST_NEXT(chainNode), i++) {
@@ -509,7 +509,9 @@ ImportCertsIntoPermanentStorage(const ScopedCERTCertList &certChain, const SECCe
   CERT_ImportCerts(certdb, usage, chainLen,
                    rawArray,  nullptr, true, caOnly, nullptr);
 
-  PORT_Free(rawArray);   
+  PORT_Free(rawArray);
+
+   
   return SECSuccess;
 } 
 

security/manager/ssl/src/nsUsageArrayHelper.cpp

@@ -32,6 +32,66 @@ nsUsageArrayHelper::nsUsageArrayHelper(CERTCertificate *aCert)
   nssComponent = do_GetService(kNSSComponentCID, &m_rv);
 }
 
+// XXX: old, non-libpkix version of check that will be removed after the switch
+// to libpkix is final.
+void
+nsUsageArrayHelper::check(const char *suffix,
+                        SECCertificateUsage aCertUsage,
+                        uint32_t &aCounter,
+                        PRUnichar **outUsages)
+{
+  if (!aCertUsage) return;
+  nsAutoCString typestr;
+  switch (aCertUsage) {
+  case certificateUsageSSLClient:
+    typestr = "VerifySSLClient";
+    break;
+  case certificateUsageSSLServer:
+    typestr = "VerifySSLServer";
+    break;
+  case certificateUsageSSLServerWithStepUp:
+    typestr = "VerifySSLStepUp";
+    break;
+  case certificateUsageEmailSigner:
+    typestr = "VerifyEmailSigner";
+    break;
+  case certificateUsageEmailRecipient:
+    typestr = "VerifyEmailRecip";
+    break;
+  case certificateUsageObjectSigner:
+    typestr = "VerifyObjSign";
+    break;
+  case certificateUsageProtectedObjectSigner:
+    typestr = "VerifyProtectObjSign";
+    break;
+  case certificateUsageUserCertImport:
+    typestr = "VerifyUserImport";
+    break;
+  case certificateUsageSSLCA:
+    typestr = "VerifySSLCA";
+    break;
+  case certificateUsageVerifyCA:
+    typestr = "VerifyCAVerifier";
+    break;
+  case certificateUsageStatusResponder:
+    typestr = "VerifyStatusResponder";
+    break;
+  case certificateUsageAnyCA:
+    typestr = "VerifyAnyCA";
+    break;
+  default:
+    break;
+  }
+  if (!typestr.IsEmpty()) {
+    typestr.Append(suffix);
+    nsAutoString verifyDesc;
+    m_rv = nssComponent->GetPIPNSSBundleString(typestr.get(), verifyDesc);
+    if (NS_SUCCEEDED(m_rv)) {
+      outUsages[aCounter++] = ToNewUnicode(verifyDesc);
+    }
+  }
+}
+
 namespace {
 
 // Some validation errors are non-fatal in that, we should keep checking the
@@ -199,21 +259,67 @@ nsUsageArrayHelper::GetUsagesArray(const char *suffix,
   if (outArraySize < max_returned_out_array_size)
     return NS_ERROR_FAILURE;
 
-  // Bug 860076, this disabling ocsp for all NSS is incorrect.
-  if (!nsNSSComponent::globalConstFlagUsePKIXVerification && localOnly) {
-    nsresult rv;
-    nssComponent = do_GetService(kNSSComponentCID, &rv);
-    if (NS_FAILED(rv))
-      return rv;
-    
-    if (nssComponent) {
-      nssComponent->SkipOcsp();
-    }
-  }
-
   uint32_t &count = *_count;
   count = 0;
 
+// TODO: This block will be removed as soon as the switch to libpkix is
+// complete.
+if (!nsNSSComponent::globalConstFlagUsePKIXVerification) {
+  if (localOnly) {
+    nssComponent->SkipOcsp();
+  }
+
+  SECCertificateUsage usages = 0;
+  int err = 0;
+  
+  // CERT_VerifyCertificateNow returns SECFailure unless the certificate is
+  // valid for all the given usages. Hoewver, we are only looking for the list
+  // of usages for which the cert *is* valid.
+  (void)
+  CERT_VerifyCertificateNow(defaultcertdb, mCert, true,
+			    certificateUsageSSLClient |
+			    certificateUsageSSLServer |
+			    certificateUsageSSLServerWithStepUp |
+			    certificateUsageEmailSigner |
+			    certificateUsageEmailRecipient |
+			    certificateUsageObjectSigner |
+			    certificateUsageSSLCA |
+			    certificateUsageStatusResponder,
+			    nullptr, &usages);
+  err = PR_GetError();
+
+  if (localOnly) {
+     nssComponent->SkipOcspOff();
+  }
+
+  // The following list of checks must be < max_returned_out_array_size
+  
+  check(suffix, usages & certificateUsageSSLClient, count, outUsages);
+  check(suffix, usages & certificateUsageSSLServer, count, outUsages);
+  check(suffix, usages & certificateUsageEmailSigner, count, outUsages);
+  check(suffix, usages & certificateUsageEmailRecipient, count, outUsages);
+  check(suffix, usages & certificateUsageObjectSigner, count, outUsages);
+#if 0
+  check(suffix, usages & certificateUsageProtectedObjectSigner, count, outUsages);
+  check(suffix, usages & certificateUsageUserCertImport, count, outUsages);
+#endif
+  check(suffix, usages & certificateUsageSSLCA, count, outUsages);
+#if 0
+  check(suffix, usages & certificateUsageVerifyCA, count, outUsages);
+#endif
+  check(suffix, usages & certificateUsageStatusResponder, count, outUsages);
+#if 0
+  check(suffix, usages & certificateUsageAnyCA, count, outUsages);
+#endif
+
+  if (count == 0) {
+    verifyFailed(_verified, err);
+  } else {
+    *_verified = nsNSSCertificate::VERIFIED_OK;
+  }
+  return NS_OK;
+}
+
   RefPtr<CertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
 
@@ -253,11 +359,6 @@ nsUsageArrayHelper::GetUsagesArray(const char *suffix,
                  certificateUsageAnyCA, now, flags, count, outUsages);
 #endif
 
-  // Bug 860076, this disabling ocsp for all NSS is incorrect
-  if (!nsNSSComponent::globalConstFlagUsePKIXVerification && localOnly) {
-     nssComponent->SkipOcspOff();
-  }
-
   if (isFatalError(result) || count == 0) {
     MOZ_ASSERT(result != nsIX509Cert::VERIFIED_OK);