backout 9692998f547e (bug 1058812 2/3) for mochitest orange on a CLOSED TREE

2024-09-13 09:24:08 -07:00 · 2014-10-08 12:10:10 -07:00 · 2014-10-08 12:10:10 -07:00 · a03f9058f3
commit a03f9058f3
parent 2431907ecb
6 changed files with 35 additions and 28 deletions
--- a/security/pkix/test/gtest/pkixbuild_tests.cpp
+++ b/security/pkix/test/gtest/pkixbuild_tests.cpp
@ -65,7 +65,7 @@ CreateCert(const char* issuerCN,
                       serialNumber, issuerDER,
                       oneDayBeforeNow, oneDayAfterNow,
                       subjectDER, extensions, issuerKey,
-                       sha256WithRSAEncryption,
+                       SignatureAlgorithm::rsa_pkcs1_with_sha256,
                       subjectKey));
  EXPECT_FALSE(ENCODING_FAILED(certDER));
  if (subjectCert) {
@ -400,7 +400,7 @@ TEST_F(pkixbuild, NoRevocationCheckingForExpiredCert)
                       oneDayBeforeNow - Time::ONE_DAY_IN_SECONDS,
                       oneDayBeforeNow,
                       subjectDER, nullptr, rootKey.get(),
-                       sha256WithRSAEncryption,
+                       SignatureAlgorithm::rsa_pkcs1_with_sha256,
                       unusedSubjectKey));
  EXPECT_FALSE(ENCODING_FAILED(certDER));

--- a/security/pkix/test/gtest/pkixcert_extension_tests.cpp
+++ b/security/pkix/test/gtest/pkixcert_extension_tests.cpp
@ -48,7 +48,7 @@ CreateCert(const char* subjectCN,
                                  oneDayBeforeNow, oneDayAfterNow,
                                  subjectDER, extensions,
                                  nullptr,
-                                  sha256WithRSAEncryption,
+                                  SignatureAlgorithm::rsa_pkcs1_with_sha256,
                                  subjectKey);
 }

--- a/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
+++ b/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
@ -443,7 +443,7 @@ protected:
                                    serialNumberDER, issuerDER, notBefore,
                                    notAfter, subjectDER, extensions,
                                    signerKeyPair,
-                                    sha256WithRSAEncryption,
+                                    SignatureAlgorithm::rsa_pkcs1_with_sha256,
                                    keyPair);
  }

--- a/security/pkix/test/lib/pkixtestnss.cpp
+++ b/security/pkix/test/lib/pkixtestnss.cpp
@ -73,14 +73,16 @@ public:
  }

  virtual Result SignData(const ByteString& tbs,
-                          const ByteString& signatureAlgorithm,
+                          SignatureAlgorithm signatureAlgorithm,
                          /*out*/ ByteString& signature) const
  {
    SECOidTag signatureAlgorithmOidTag;
-    if (signatureAlgorithm == sha256WithRSAEncryption) {
-      signatureAlgorithmOidTag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
-    } else {
-      return Result::FATAL_ERROR_INVALID_ARGS;
+    switch (signatureAlgorithm) {
+      case SignatureAlgorithm::rsa_pkcs1_with_sha256:
+        signatureAlgorithmOidTag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
+        break;
+      default:
+        return Result::FATAL_ERROR_INVALID_ARGS;
    }

    SECItem signatureItem;
--- a/security/pkix/test/lib/pkixtestutil.cpp
+++ b/security/pkix/test/lib/pkixtestutil.cpp
@ -41,8 +41,7 @@ namespace mozilla { namespace pkix { namespace test {
 static const uint8_t alg_sha256WithRSAEncryption[] = {
  0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b
 };
-const ByteString sha256WithRSAEncryption(alg_sha256WithRSAEncryption,
-  MOZILLA_PKIX_ARRAY_LENGTH(alg_sha256WithRSAEncryption));
+const Input sha256WithRSAEncryption(alg_sha256WithRSAEncryption);

 namespace {

@ -343,7 +342,7 @@ YMDHMS(int16_t year, int16_t month, int16_t day,
 static ByteString
 SignedData(const ByteString& tbsData,
           /*optional*/ TestKeyPair* keyPair,
-           const ByteString& signatureAlgorithm,
+           SignatureAlgorithm signatureAlgorithm,
           bool corrupt, /*optional*/ const ByteString* certs)
 {
  ByteString signature;
@ -354,6 +353,16 @@ SignedData(const ByteString& tbsData,
     }
  }

+  ByteString signatureAlgorithmDER;
+  switch (signatureAlgorithm) {
+    case SignatureAlgorithm::rsa_pkcs1_with_sha256:
+      signatureAlgorithmDER.assign(alg_sha256WithRSAEncryption,
+                                   sizeof(alg_sha256WithRSAEncryption));
+      break;
+    default:
+      return ByteString();
+  }
+
  // TODO: add ability to have signatures of bit length not divisible by 8,
  // resulting in unused bits in the bitstring encoding
  ByteString signatureNested(BitString(signature, corrupt));
@ -375,7 +384,7 @@ SignedData(const ByteString& tbsData,

  ByteString value;
  value.append(tbsData);
-  value.append(signatureAlgorithm);
+  value.append(signatureAlgorithmDER);
  value.append(signatureNested);
  value.append(certsNested);
  return TLV(der::SEQUENCE, value);
@ -440,8 +449,7 @@ MaybeLogOutput(const ByteString& result, const char* suffix)
 // Certificates

 static ByteString TBSCertificate(long version, const ByteString& serialNumber,
-                                 const ByteString& signature,
-                                 const ByteString& issuer,
+                                 Input signature, const ByteString& issuer,
                                 time_t notBefore, time_t notAfter,
                                 const ByteString& subject,
                                 const ByteString& subjectPublicKeyInfo,
@ -452,14 +460,14 @@ static ByteString TBSCertificate(long version, const ByteString& serialNumber,
 //         signatureAlgorithm   AlgorithmIdentifier,
 //         signatureValue       BIT STRING  }
 ByteString
-CreateEncodedCertificate(long version, const ByteString& signature,
+CreateEncodedCertificate(long version, Input signature,
                         const ByteString& serialNumber,
                         const ByteString& issuerNameDER,
                         time_t notBefore, time_t notAfter,
                         const ByteString& subjectNameDER,
                         /*optional*/ const ByteString* extensions,
                         /*optional*/ TestKeyPair* issuerKeyPair,
-                         const ByteString& signatureAlgorithm,
+                         SignatureAlgorithm signatureAlgorithm,
                         /*out*/ ScopedTestKeyPair& keyPairResult)
 {
  // It may be the case that privateKeyResult references the same TestKeyPair
@ -510,7 +518,7 @@ CreateEncodedCertificate(long version, const ByteString& signature,
 //                           -- If present, version MUST be v3 --  }
 static ByteString
 TBSCertificate(long versionValue,
-               const ByteString& serialNumber, const ByteString& signature,
+               const ByteString& serialNumber, Input signature,
               const ByteString& issuer, time_t notBeforeTime,
               time_t notAfterTime, const ByteString& subject,
               const ByteString& subjectPublicKeyInfo,
@ -526,7 +534,7 @@ TBSCertificate(long versionValue,
  }

  value.append(serialNumber);
-  value.append(signature);
+  value.append(signature.UnsafeGetData(), signature.GetLength());
  value.append(issuer);

  // Validity ::= SEQUENCE {
@ -758,7 +766,7 @@ BasicOCSPResponse(OCSPResponseContext& context)

  // TODO(bug 980538): certs
  return SignedData(tbsResponseData, context.signerKeyPair.get(),
-                    sha256WithRSAEncryption,
+                    SignatureAlgorithm::rsa_pkcs1_with_sha256,
                    context.badSignature, context.certs);
 }

--- a/security/pkix/test/lib/pkixtestutil.h
+++ b/security/pkix/test/lib/pkixtestutil.h
@ -74,7 +74,7 @@ static const uint8_t tlv_id_kp_serverAuth[] = {
  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01
 };

-extern const ByteString sha256WithRSAEncryption;
+extern const Input sha256WithRSAEncryption;

 // e.g. YMDHMS(2016, 12, 31, 1, 23, 45) => 2016-12-31:01:23:45 (GMT)
 mozilla::pkix::Time YMDHMS(int16_t year, int16_t month, int16_t day,
@ -96,7 +96,7 @@ public:
  const ByteString subjectPublicKey;

  virtual Result SignData(const ByteString& tbs,
-                          const ByteString& signatureAlgorithm,
+                          SignatureAlgorithm signatureAlgorithm,
                          /*out*/ ByteString& signature) const = 0;

  virtual TestKeyPair* Clone() const = 0;
@ -139,10 +139,7 @@ Result TamperOnce(/*in/out*/ ByteString& item, const ByteString& from,

 enum Version { v1 = 0, v2 = 1, v3 = 2 };

-// signature is assumed to be the DER encoding of an AlgorithmIdentifer. It is
-// put into the signature field of the TBSCertificate. In most cases, it will
-// be the same as signatureAlgorithm, which is the algorithm actually used
-// to sign the certificate.
+// signature is assumed to be the DER encoding of an AlgorithmIdentifer.
 // serialNumber is assumed to be the DER encoding of an INTEGER.
 //
 // If extensions is null, then no extensions will be encoded. Otherwise,
@ -153,14 +150,14 @@ enum Version { v1 = 0, v2 = 1, v3 = 2 };
 // If issuerPrivateKey is null, then the certificate will be self-signed.
 // Parameter order is based on the order of the attributes of the certificate
 // in RFC 5280.
-ByteString CreateEncodedCertificate(long version, const ByteString& signature,
+ByteString CreateEncodedCertificate(long version, Input signature,
                                    const ByteString& serialNumber,
                                    const ByteString& issuerNameDER,
                                    time_t notBefore, time_t notAfter,
                                    const ByteString& subjectNameDER,
                                    /*optional*/ const ByteString* extensions,
                                    /*optional*/ TestKeyPair* issuerKeyPair,
-                                    const ByteString& signatureAlgorithm,
+                                    SignatureAlgorithm signatureAlgorithm,
                                    /*out*/ ScopedTestKeyPair& keyPairResult);

 ByteString CreateEncodedSerialNumber(long value);