Bug 1434300 - Update Imminent Distrust status for future Symantec sanctions r=fkiefer,keeler

This patch does a few things: 1) It adds a permament test mechanism for the "imminent distrust" trust status in nsNSSCallbacks: a simple xpcshell test to exercise a clause in the imminent distrust logic in nsNSSCallbacks' IsCertificateDistrustImminent method. 2) This test removes test_symantec_apple_google_unaffected.js as its functionality is rolled into the new test_imminent_distrust.js. 3) It updates the Symantec imminent distrust warning algorithm to remove the validity date exception; this warns of the upcoming distrust for those affected certs in Firefox 63. This patch does not attempt to edit the browser chrome test that checks the console; that is a subsequent patch. MozReview-Commit-ID: 1HyVLfmEOP7
2018-02-21 07:39:36 -05:00
parent bb682b5194
commit 0318041b58
11 changed files with 110 additions and 55 deletions
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -39,7 +39,7 @@
 #include "TrustOverrideUtils.h"
 #include "TrustOverride-SymantecData.inc"
 #include "TrustOverride-AppleGoogleData.inc"
-
+#include "TrustOverride-TestImminentDistrustData.inc"

 using namespace mozilla;
 using namespace mozilla::pkix;
@@ -1255,30 +1255,25 @@ IsCertificateDistrustImminent(nsIX509CertList* aCertList,
    return rv;
  }

-  // We need to verify the age of the end entity
-  nsCOMPtr<nsIX509CertValidity> validity;
-  rv = eeCert->GetValidity(getter_AddRefs(validity));
-  if (NS_FAILED(rv)) {
-    return rv;
+  // Check the test certificate condition first; this is a special certificate
+  // that gets the 'imminent distrust' treatment; this is so that the distrust
+  // UX code does not become stale, as it will need regular use. See Bug 1409257
+  // for context. Please do not remove this when adjusting the rest of the
+  // method.
+  UniqueCERTCertificate nssEECert(eeCert->GetCert());
+  if (!nssEECert) {
+    return NS_ERROR_FAILURE;
  }
-
-  PRTime notBefore;
-  rv = validity->GetNotBefore(&notBefore);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  // PRTime is microseconds since the epoch, whereas JS time is milliseconds.
-  // (new Date("2016-06-01T00:00:00Z")).getTime() * 1000
-  static const PRTime JUNE_1_2016 = 1464739200000000;
-
-  // If the end entity's notBefore date is after 2016-06-01, this algorithm
-  // doesn't apply, so exit false before we do any iterating
-  if (notBefore >= JUNE_1_2016) {
-    aResult = false;
+  aResult = CertDNIsInList(nssEECert.get(), TestImminentDistrustEndEntityDNs);
+  if (aResult) {
+    // Exit early
    return NS_OK;
  }

+  // Proceed with the Symantec imminent distrust algorithm. This algorithm is
+  // to be removed in Firefox 63, when the validity period check will also be
+  // removed from the code in NSSCertDBTrustDomain.
+
  // We need an owning handle when calling nsIX509Cert::GetCert().
  UniqueCERTCertificate nssRootCert(rootCert->GetCert());
  // If the root is not one of the Symantec roots, exit false