bug 982754 - allow some inadequate key usage overrides r=cviecco

2024-09-13 09:24:08 -07:00 · 2014-03-13 16:49:12 -07:00 · 2014-03-13 16:49:12 -07:00 · ed25ed39d5
commit ed25ed39d5
parent 17628b5239
9 changed files with 40 additions and 14 deletions
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@ -303,6 +303,7 @@ MapCertErrorToProbeValue(PRErrorCode errorCode)
    case SEC_ERROR_UNTRUSTED_ISSUER:                   return  4;
    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:         return  5;
    case SEC_ERROR_UNTRUSTED_CERT:                     return  6;
+    case SEC_ERROR_INADEQUATE_KEY_USAGE:               return  7;
    case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:  return  8;
    case SSL_ERROR_BAD_CERT_DOMAIN:                    return  9;
    case SEC_ERROR_EXPIRED_CERTIFICATE:                return 10;
@ -566,6 +567,7 @@ PRErrorCodeToOverrideType(PRErrorCode errorCode)
    case SEC_ERROR_UNTRUSTED_ISSUER:
    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
    case SEC_ERROR_UNTRUSTED_CERT:
+    case SEC_ERROR_INADEQUATE_KEY_USAGE:
    case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
      // We group all these errors as "cert not trusted"
      return nsICertOverrideService::ERROR_UNTRUSTED;
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@ -40,12 +40,12 @@ function check_telemetry() {
                    .getHistogramById("SSL_CERT_ERROR_OVERRIDES")
                    .snapshot();
  do_check_eq(histogram.counts[ 0], 0);
-  do_check_eq(histogram.counts[ 2], 6 + 1); // SEC_ERROR_UNKNOWN_ISSUER
-  do_check_eq(histogram.counts[ 3], 0 + 1); // SEC_ERROR_CA_CERT_INVALID
+  do_check_eq(histogram.counts[ 2], 7 + 1); // SEC_ERROR_UNKNOWN_ISSUER
+  do_check_eq(histogram.counts[ 3], 0 + 2); // SEC_ERROR_CA_CERT_INVALID
  do_check_eq(histogram.counts[ 4], 0 + 4); // SEC_ERROR_UNTRUSTED_ISSUER
  do_check_eq(histogram.counts[ 5], 0 + 1); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
  do_check_eq(histogram.counts[ 6], 0 + 1); // SEC_ERROR_UNTRUSTED_CERT
-  do_check_eq(histogram.counts[ 7], 0);     // SEC_ERROR_INADEQUATE_KEY_USAGE
+  do_check_eq(histogram.counts[ 7], 0 + 1); // SEC_ERROR_INADEQUATE_KEY_USAGE
  do_check_eq(histogram.counts[ 8], 2 + 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
  do_check_eq(histogram.counts[ 9], 4 + 4); // SSL_ERROR_BAD_CERT_DOMAIN
  do_check_eq(histogram.counts[10], 5 + 5); // SEC_ERROR_EXPIRED_CERTIFICATE
@ -114,17 +114,39 @@ function add_simple_tests(useInsanity) {
                         Ci.nsICertOverrideService.ERROR_MISMATCH,
                         getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));

-  // Inadequate key usage is no longer overridable.
-  add_connection_test("inadequatekeyusage.example.com",
-                      getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE),
-                      null,
-                      function (securityInfo) {
-                        // bug 754369 - no SSLStatus probably means this is
-                        // a non-overridable error, which is what we're testing
-                        // (although it would be best to test this directly).
-                        securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
-                        do_check_eq(securityInfo.SSLStatus, null);
-                      });
+  // A Microsoft IIS utility generates self-signed certificates with
+  // properties similar to the one this "host" will present (see
+  // tlsserver/generate_certs.sh).
+  // One of the errors classic verification collects is that this
+  // certificate has an inadequate key usage to sign a certificate
+  // (i.e. itself). As a result, to be able to override this,
+  // SEC_ERROR_INADEQUATE_KEY_USAGE must be overridable (although,
+  // confusingly, this isn't the main error reported).
+  // insanity::pkix just says this certificate's issuer is unknown.
+  add_cert_override_test("selfsigned-inadequateEKU.example.com",
+                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+                         getXPCOMStatusFromNSS(
+                            useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
+                                        : SEC_ERROR_CA_CERT_INVALID));
+
+  // SEC_ERROR_INADEQUATE_KEY_USAGE is overridable in general for
+  // classic verification, but not for insanity::pkix verification.
+  if (useInsanity) {
+    add_connection_test("inadequatekeyusage.example.com",
+                        getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE),
+                        null,
+                        function (securityInfo) {
+                          // bug 754369 - no SSLStatus probably means this is
+                          // a non-overridable error, which is what we're testing
+                          // (although it would be best to test this directly).
+                          securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
+                          do_check_eq(securityInfo.SSLStatus, null);
+                        });
+  } else {
+    add_cert_override_test("inadequatekeyusage.example.com",
+                           Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+                           getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE));
+  }
 }

 function add_combo_tests(useInsanity) {
--- a/security/manager/ssl/tests/unit/tlsserver/cert8.db
+++ b/security/manager/ssl/tests/unit/tlsserver/cert8.db
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
@ -40,6 +40,7 @@ const BadCertHost sBadCertHosts[] =
  { "md5signature-expired.example.com", "md5signature-expired" },
  { "mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired" },
  { "inadequatekeyusage.example.com", "inadequatekeyusage" },
+  { "selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU" },
  { nullptr, nullptr }
 };

--- a/security/manager/ssl/tests/unit/tlsserver/default-ee.der
+++ b/security/manager/ssl/tests/unit/tlsserver/default-ee.der
--- a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
+++ b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
@ -145,5 +145,6 @@ make_EE mismatch-untrusted-expired 'CN=Mismatch-Untrusted-Expired Test End-entit
 NSS_ALLOW_WEAK_SIGNATURE_ALG=1 make_EE md5signature-expired 'CN=Test MD5Signature-Expired End-entity' testCA "md5signature-expired.example.com" "-Z MD5" "-w -400"

 make_EE inadequatekeyusage 'CN=Inadequate Key Usage Test End-entity' testCA "inadequatekeyusage.example.com" "--keyUsage crlSigning"
+make_EE selfsigned-inadequateEKU 'CN=Self-signed Inadequate EKU Test End-entity' unused "selfsigned-inadequateEKU.example.com" "--keyUsage keyEncipherment,dataEncipherment --extKeyUsage serverAuth" "-x"

 cleanup
--- a/security/manager/ssl/tests/unit/tlsserver/key3.db
+++ b/security/manager/ssl/tests/unit/tlsserver/key3.db
--- a/security/manager/ssl/tests/unit/tlsserver/other-test-ca.der
+++ b/security/manager/ssl/tests/unit/tlsserver/other-test-ca.der
--- a/security/manager/ssl/tests/unit/tlsserver/test-ca.der
+++ b/security/manager/ssl/tests/unit/tlsserver/test-ca.der