corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 975229: Remove NSS-based certificate verification, r=keeler

Browse Source
This commit is contained in:
Brian Smith
2014-06-16 23:13:29 -07:00
parent 788f956961
commit 6a5fd68bb9
37 changed files with 363 additions and 1914 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
netwerk/base/public/security-prefs.js
View File

@@ -54,5 +54,3 @@ pref("security.password_lifetime", 30);
pref("security.OCSP.enabled", 1); pref("security.OCSP.enabled", 1);
pref("security.OCSP.require", false); pref("security.OCSP.require", false);
pref("security.OCSP.GET.enabled", false); pref("security.OCSP.GET.enabled", false);
pref("security.use_mozillapkix_verification", true);

535
security/certverifier/CertVerifier.cpp
View File

@@ -13,7 +13,6 @@
#include "NSSErrorsService.h" #include "NSSErrorsService.h"
#include "PublicKeyPinningService.h" #include "PublicKeyPinningService.h"
#include "cert.h" #include "cert.h"
#include "ocsp.h"
#include "pk11pub.h" #include "pk11pub.h"
#include "pkix/pkix.h" #include "pkix/pkix.h"
#include "prerror.h" #include "prerror.h"
@@ -34,21 +33,11 @@ namespace mozilla { namespace psm {
const CertVerifier::Flags CertVerifier::FLAG_LOCAL_ONLY = 1; const CertVerifier::Flags CertVerifier::FLAG_LOCAL_ONLY = 1;
const CertVerifier::Flags CertVerifier::FLAG_MUST_BE_EV = 2; const CertVerifier::Flags CertVerifier::FLAG_MUST_BE_EV = 2;
CertVerifier::CertVerifier(implementation_config ic, CertVerifier::CertVerifier(ocsp_download_config odc,
#ifndef NSS_NO_LIBPKIX
missing_cert_download_config mcdc,
crl_download_config cdc,
#endif
ocsp_download_config odc,
ocsp_strict_config osc, ocsp_strict_config osc,
ocsp_get_config ogc, ocsp_get_config ogc,
pinning_enforcement_config pel) pinning_enforcement_config pel)
: mImplementation(ic) : mOCSPDownloadEnabled(odc == ocsp_on)
#ifndef NSS_NO_LIBPKIX
, mMissingCertDownloadEnabled(mcdc == missing_cert_download_on)
, mCRLDownloadEnabled(cdc == crl_download_allowed)
#endif
, mOCSPDownloadEnabled(odc == ocsp_on)
, mOCSPStrict(osc == ocsp_strict) , mOCSPStrict(osc == ocsp_strict)
, mOCSPGETEnabled(ogc == ocsp_get_enabled) , mOCSPGETEnabled(ogc == ocsp_get_enabled)
, mPinningEnforcementLevel(pel) , mPinningEnforcementLevel(pel)
@@ -69,37 +58,6 @@ InitCertVerifierLog()
#endif #endif
} }
// Once we migrate to mozilla::pkix or change the overridable error
// logic this will become unnecesary.
static SECStatus
insertErrorIntoVerifyLog(CERTCertificate* cert, const PRErrorCode err,
CERTVerifyLog* verifyLog){
CERTVerifyLogNode* node;
node = (CERTVerifyLogNode *)PORT_ArenaAlloc(verifyLog->arena,
sizeof(CERTVerifyLogNode));
if (!node) {
PR_SetError(PR_UNKNOWN_ERROR, 0);
return SECFailure;
}
node->cert = CERT_DupCertificate(cert);
node->error = err;
node->depth = 0;
node->arg = nullptr;
//and at to head!
node->prev = nullptr;
node->next = verifyLog->head;
if (verifyLog->head) {
verifyLog->head->prev = node;
}
verifyLog->head = node;
if (!verifyLog->tail) {
verifyLog->tail = node;
}
verifyLog->count++;
return SECSuccess;
}
SECStatus SECStatus
IsCertBuiltInRoot(CERTCertificate* cert, bool& result) { IsCertBuiltInRoot(CERTCertificate* cert, bool& result) {
result = false; result = false;
@@ -198,108 +156,6 @@ SECStatus chainValidationCallback(void* state, const CERTCertList* certList,
return SECSuccess; return SECSuccess;
} }
static SECStatus
ClassicVerifyCert(CERTCertificate* cert,
const SECCertificateUsage usage,
const PRTime time,
void* pinArg,
ChainValidationCallbackState* callbackState,
/*optional out*/ ScopedCERTCertList* validationChain,
/*optional out*/ CERTVerifyLog* verifyLog)
{
SECStatus rv;
SECCertUsage enumUsage;
switch (usage) {
case certificateUsageSSLClient:
enumUsage = certUsageSSLClient;
break;
case certificateUsageSSLServer:
enumUsage = certUsageSSLServer;
break;
case certificateUsageSSLCA:
enumUsage = certUsageSSLCA;
break;
case certificateUsageEmailSigner:
enumUsage = certUsageEmailSigner;
break;
case certificateUsageEmailRecipient:
enumUsage = certUsageEmailRecipient;
break;
case certificateUsageObjectSigner:
enumUsage = certUsageObjectSigner;
break;
case certificateUsageVerifyCA:
enumUsage = certUsageVerifyCA;
break;
case certificateUsageStatusResponder:
enumUsage = certUsageStatusResponder;
break;
default:
PR_NOT_REACHED("unexpected usage");
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (usage == certificateUsageSSLServer) {
// SSL server cert verification has always used CERT_VerifyCert, so we
// continue to use it for SSL cert verification to minimize the risk of
// there being any differnce in results between CERT_VerifyCert and
// CERT_VerifyCertificate.
rv = CERT_VerifyCert(CERT_GetDefaultCertDB(), cert, true,
certUsageSSLServer, time, pinArg, verifyLog);
} else {
rv = CERT_VerifyCertificate(CERT_GetDefaultCertDB(), cert, true,
usage, time, pinArg, verifyLog, nullptr);
}
if (rv == SECSuccess &&
(validationChain || usage == certificateUsageSSLServer)) {
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
("VerifyCert: getting chain in 'classic' \n"));
ScopedCERTCertList certChain(CERT_GetCertChainFromCert(cert, time,
enumUsage));
if (!certChain) {
return SECFailure;
}
if (usage == certificateUsageSSLServer) {
PRBool chainOK = PR_FALSE;
SECStatus srv = chainValidationCallback(callbackState, certChain.get(),
&chainOK);
if (srv != SECSuccess) {
return srv;
}
if (chainOK != PR_TRUE) {
if (verifyLog) {
insertErrorIntoVerifyLog(cert,
PSM_ERROR_KEY_PINNING_FAILURE,
verifyLog);
}
PR_SetError(PSM_ERROR_KEY_PINNING_FAILURE, 0);
return SECFailure;
}
}
if (rv == SECSuccess && validationChain) {
*validationChain = certChain.release();
}
}
return rv;
}
#ifndef NSS_NO_LIBPKIX
static void
destroyCertListThatShouldNotExist(CERTCertList** certChain)
{
PR_ASSERT(certChain);
PR_ASSERT(!*certChain);
if (certChain && *certChain) {
// There SHOULD not be a validation chain on failure, asserion here for
// the debug builds AND a fallback for production builds
CERT_DestroyCertList(*certChain);
*certChain = nullptr;
}
}
#endif
static SECStatus static SECStatus
BuildCertChainForOneKeyUsage(TrustDomain& trustDomain, CERTCertificate* cert, BuildCertChainForOneKeyUsage(TrustDomain& trustDomain, CERTCertificate* cert,
PRTime time, KeyUsage ku1, KeyUsage ku2, PRTime time, KeyUsage ku1, KeyUsage ku2,
@@ -331,18 +187,14 @@ BuildCertChainForOneKeyUsage(TrustDomain& trustDomain, CERTCertificate* cert,
} }
SECStatus SECStatus
CertVerifier::MozillaPKIXVerifyCert( CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
CERTCertificate* cert, PRTime time, void* pinArg, const char* hostname,
const SECCertificateUsage usage, const Flags flags,
const PRTime time, /*optional*/ const SECItem* stapledOCSPResponse,
void* pinArg, /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
const Flags flags, /*optional out*/ SECOidTag* evOidPolicy)
ChainValidationCallbackState* callbackState,
/*optional*/ const SECItem* stapledOCSPResponse,
/*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
/*optional out*/ SECOidTag* evOidPolicy)
{ {
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of MozillaPKIXVerifyCert\n")); PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of VerifyCert\n"));
PR_ASSERT(cert); PR_ASSERT(cert);
PR_ASSERT(usage == certificateUsageSSLServer || !(flags & FLAG_MUST_BE_EV)); PR_ASSERT(usage == certificateUsageSSLServer || !(flags & FLAG_MUST_BE_EV));
@@ -360,9 +212,12 @@ CertVerifier::MozillaPKIXVerifyCert(
return SECFailure; return SECFailure;
} }
ChainValidationCallbackState callbackState = {
hostname, mPinningEnforcementLevel, usage, time
};
CERTChainVerifyCallback callbackContainer; CERTChainVerifyCallback callbackContainer;
callbackContainer.isChainValid = chainValidationCallback; callbackContainer.isChainValid = chainValidationCallback;
callbackContainer.isChainValidArg = callbackState; callbackContainer.isChainValidArg = &callbackState;
NSSCertDBTrustDomain::OCSPFetching ocspFetching NSSCertDBTrustDomain::OCSPFetching ocspFetching
= !mOCSPDownloadEnabled || = !mOCSPDownloadEnabled ||
@@ -558,368 +413,6 @@ CertVerifier::MozillaPKIXVerifyCert(
return rv; return rv;
} }
SECStatus
CertVerifier::VerifyCert(CERTCertificate* cert,
const SECCertificateUsage usage,
const PRTime time,
void* pinArg,
const char* hostname,
const Flags flags,
/*optional in*/ const SECItem* stapledOCSPResponse,
/*optional out*/ ScopedCERTCertList* validationChain,
/*optional out*/ SECOidTag* evOidPolicy,
/*optional out*/ CERTVerifyLog* verifyLog)
{
ChainValidationCallbackState callbackState = { hostname,
mPinningEnforcementLevel,
usage,
time };
if (mImplementation == mozillapkix) {
return MozillaPKIXVerifyCert(cert, usage, time, pinArg, flags,
&callbackState, stapledOCSPResponse,
validationChain, evOidPolicy);
}
if (!cert)
{
PR_NOT_REACHED("Invalid arguments to CertVerifier::VerifyCert");
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (validationChain) {
*validationChain = nullptr;
}
if (evOidPolicy) {
*evOidPolicy = SEC_OID_UNKNOWN;
}
switch(usage){
case certificateUsageSSLClient:
case certificateUsageSSLServer:
case certificateUsageSSLCA:
case certificateUsageEmailSigner:
case certificateUsageEmailRecipient:
case certificateUsageObjectSigner:
case certificateUsageVerifyCA:
case certificateUsageStatusResponder:
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if ((flags & FLAG_MUST_BE_EV) && usage != certificateUsageSSLServer) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
#ifndef NSS_NO_LIBPKIX
ScopedCERTCertList trustAnchors;
SECStatus rv;
SECOidTag evPolicy = SEC_OID_UNKNOWN;
// Do EV checking only for sslserver usage
if (usage == certificateUsageSSLServer) {
CertPolicyId unusedPolicyId;
SECStatus srv = GetFirstEVPolicy(cert, unusedPolicyId, evPolicy);
if (srv == SECSuccess) {
if (evPolicy != SEC_OID_UNKNOWN) {
trustAnchors = GetRootsForOid(evPolicy);
}
if (!trustAnchors) {
return SECFailure;
}
// pkix ignores an empty trustanchors list and
// decides then to use the whole set of trust in the DB
// so we set the evPolicy to unkown in this case
if (CERT_LIST_EMPTY(trustAnchors)) {
evPolicy = SEC_OID_UNKNOWN;
}
} else {
// No known EV policy found
if (flags & FLAG_MUST_BE_EV) {
PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
return SECFailure;
}
// Do not setup EV verification params
evPolicy = SEC_OID_UNKNOWN;
}
if ((evPolicy == SEC_OID_UNKNOWN) && (flags & FLAG_MUST_BE_EV)) {
PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
return SECFailure;
}
}
PR_ASSERT(evPolicy == SEC_OID_UNKNOWN || trustAnchors);
size_t i = 0;
size_t validationChainLocation = 0;
size_t validationTrustAnchorLocation = 0;
CERTValOutParam cvout[4];
if (verifyLog) {
cvout[i].type = cert_po_errorLog;
cvout[i].value.pointer.log = verifyLog;
++i;
}
if (validationChain) {
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: setting up validation chain outparam.\n"));
validationChainLocation = i;
cvout[i].type = cert_po_certList;
cvout[i].value.pointer.chain = nullptr;
++i;
validationTrustAnchorLocation = i;
cvout[i].type = cert_po_trustAnchor;
cvout[i].value.pointer.cert = nullptr;
++i;
}
cvout[i].type = cert_po_end;
CERTRevocationFlags rev;
CERTRevocationMethodIndex revPreferredMethods[2];
rev.leafTests.preferred_methods =
rev.chainTests.preferred_methods = revPreferredMethods;
uint64_t revFlagsPerMethod[2];
rev.leafTests.cert_rev_flags_per_method =
rev.chainTests.cert_rev_flags_per_method = revFlagsPerMethod;
rev.leafTests.number_of_preferred_methods =
rev.chainTests.number_of_preferred_methods = 1;
rev.leafTests.number_of_defined_methods =
rev.chainTests.number_of_defined_methods = cert_revocation_method_ocsp + 1;
const bool localOnly = flags & FLAG_LOCAL_ONLY;
CERTValInParam cvin[7];
// Parameters for both EV and DV validation
cvin[0].type = cert_pi_useAIACertFetch;
cvin[0].value.scalar.b = mMissingCertDownloadEnabled && !localOnly;
cvin[1].type = cert_pi_revocationFlags;
cvin[1].value.pointer.revocation = &rev;
cvin[2].type = cert_pi_date;
cvin[2].value.scalar.time = time;
i = 3;
CERTChainVerifyCallback callbackContainer;
if (usage == certificateUsageSSLServer) {
callbackContainer.isChainValid = chainValidationCallback;
callbackContainer.isChainValidArg = &callbackState;
cvin[i].type = cert_pi_chainVerifyCallback;
cvin[i].value.pointer.chainVerifyCallback = &callbackContainer;
++i;
}
const size_t evParamLocation = i;
if (evPolicy != SEC_OID_UNKNOWN) {
// EV setup!
// XXX 859872 The current flags are not quite correct. (use
// of ocsp flags for crl preferences).
uint64_t ocspRevMethodFlags =
CERT_REV_M_TEST_USING_THIS_METHOD
| ((mOCSPDownloadEnabled && !localOnly) ?
CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
| CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
| CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE
| CERT_REV_M_IGNORE_MISSING_FRESH_INFO
| CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
| (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl]
= CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD;
rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp]
= ocspRevMethodFlags;
rev.leafTests.cert_rev_method_independent_flags =
rev.chainTests.cert_rev_method_independent_flags =
// avoiding the network is good, let's try local first
CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
// is overall revocation requirement strict or relaxed?
| CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
;
rev.leafTests.preferred_methods[0] =
rev.chainTests.preferred_methods[0] = cert_revocation_method_ocsp;
cvin[i].type = cert_pi_policyOID;
cvin[i].value.arraySize = 1;
cvin[i].value.array.oids = &evPolicy;
++i;
PR_ASSERT(trustAnchors);
cvin[i].type = cert_pi_trustAnchors;
cvin[i].value.pointer.chain = trustAnchors.get();
++i;
cvin[i].type = cert_pi_end;
rv = CERT_PKIXVerifyCert(cert, usage, cvin, cvout, pinArg);
if (rv == SECSuccess) {
if (evOidPolicy) {
*evOidPolicy = evPolicy;
}
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
("VerifyCert: successful CERT_PKIXVerifyCert(ev) \n"));
goto pkix_done;
}
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
("VerifyCert: failed CERT_PKIXVerifyCert(ev)\n"));
if (flags & FLAG_MUST_BE_EV) {
return rv;
}
if (validationChain) {
destroyCertListThatShouldNotExist(
&cvout[validationChainLocation].value.pointer.chain);
}
if (verifyLog) {
// Cleanup the log so that it is ready the the next validation
CERTVerifyLogNode* i_node;
for (i_node = verifyLog->head; i_node; i_node = i_node->next) {
//destroy cert if any.
if (i_node->cert) {
CERT_DestroyCertificate(i_node->cert);
}
// No need to cleanup the actual nodes in the arena.
}
verifyLog->count = 0;
verifyLog->head = nullptr;
verifyLog->tail = nullptr;
}
}
#endif
// If we're here, PKIX EV verification failed.
// If requested, don't do DV fallback.
if (flags & FLAG_MUST_BE_EV) {
PR_ASSERT(*evOidPolicy == SEC_OID_UNKNOWN);
#ifdef NSS_NO_LIBPKIX
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
#else
PR_SetError(PR_INVALID_STATE_ERROR, 0);
#endif
return SECFailure;
}
if (mImplementation == classic) {
// XXX: we do not care about the localOnly flag (currently) as the
// caller that wants localOnly should disable and reenable the fetching.
return ClassicVerifyCert(cert, usage, time, pinArg, &callbackState,
validationChain, verifyLog);
}
#ifdef NSS_NO_LIBPKIX
PR_NOT_REACHED("libpkix implementation chosen but not even compiled in");
PR_SetError(PR_INVALID_STATE_ERROR, 0);
return SECFailure;
#else
PR_ASSERT(mImplementation == libpkix);
// The current flags check the chain the same way as the leafs
rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
// implicit default source - makes no sense for CRLs
CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE
// let's not stop on fresh CRL. If OCSP is enabled, too, let's check it
| CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO
// no fresh CRL? well, let other flag decide whether to fail or not
| CERT_REV_M_IGNORE_MISSING_FRESH_INFO
// testing using local CRLs is always allowed
| CERT_REV_M_TEST_USING_THIS_METHOD
// no local crl and don't know where to get it from? ignore
| CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
// crl download based on parameter
| ((mCRLDownloadEnabled && !localOnly) ?
CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
;
rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
// use OCSP
CERT_REV_M_TEST_USING_THIS_METHOD
// if app has a default OCSP responder configured, let's use it
| CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
// of course OCSP doesn't work without a source. let's accept such certs
| CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
// if ocsp is required stop on lack of freshness
| (mOCSPStrict ?
CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO : CERT_REV_M_IGNORE_MISSING_FRESH_INFO)
// ocsp success is sufficient
| CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
// ocsp enabled controls network fetching, too
| ((mOCSPDownloadEnabled && !localOnly) ?
CERT_REV_M_ALLOW_NETWORK_FETCHING : CERT_REV_M_FORBID_NETWORK_FETCHING)
| (mOCSPGETEnabled ? 0 : CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP);
;
rev.leafTests.preferred_methods[0] =
rev.chainTests.preferred_methods[0] = cert_revocation_method_ocsp;
rev.leafTests.cert_rev_method_independent_flags =
rev.chainTests.cert_rev_method_independent_flags =
// avoiding the network is good, let's try local first
CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
// Skip EV parameters
cvin[evParamLocation].type = cert_pi_end;
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: calling CERT_PKIXVerifyCert(dv) \n"));
rv = CERT_PKIXVerifyCert(cert, usage, cvin, cvout, pinArg);
pkix_done:
if (validationChain) {
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: validation chain requested\n"));
ScopedCERTCertificate trustAnchor(cvout[validationTrustAnchorLocation].value.pointer.cert);
if (rv == SECSuccess) {
if (! cvout[validationChainLocation].value.pointer.chain) {
PR_SetError(PR_UNKNOWN_ERROR, 0);
return SECFailure;
}
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: I have a chain\n"));
*validationChain = cvout[validationChainLocation].value.pointer.chain;
if (trustAnchor) {
// we should only add the issuer to the chain if it is not already
// present. On CA cert checking, the issuer is the same cert, so in
// that case we do not add the cert to the chain.
if (!CERT_CompareCerts(trustAnchor.get(), cert)) {
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("VerifyCert: adding issuer to tail for display\n"));
// note: rv is reused to catch errors on cert creation!
ScopedCERTCertificate tempCert(CERT_DupCertificate(trustAnchor.get()));
rv = CERT_AddCertToListTail(validationChain->get(), tempCert.get());
if (rv == SECSuccess) {
tempCert.release(); // ownership traferred to validationChain
} else {
*validationChain = nullptr;
}
}
}
} else {
destroyCertListThatShouldNotExist(
&cvout[validationChainLocation].value.pointer.chain);
}
}
return rv;
#endif
}
SECStatus SECStatus
CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert, CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
/*optional*/ const SECItem* stapledOCSPResponse, /*optional*/ const SECItem* stapledOCSPResponse,
@@ -952,7 +445,7 @@ CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
ScopedCERTCertList validationChain; ScopedCERTCertList validationChain;
SECStatus rv = VerifyCert(peerCert, certificateUsageSSLServer, time, pinarg, SECStatus rv = VerifyCert(peerCert, certificateUsageSSLServer, time, pinarg,
hostname, 0, stapledOCSPResponse, &validationChain, hostname, 0, stapledOCSPResponse, &validationChain,
evOidPolicy, nullptr); evOidPolicy);
if (rv != SECSuccess) { if (rv != SECSuccess) {
return rv; return rv;
} }

39
security/certverifier/CertVerifier.h
View File

@@ -26,15 +26,14 @@ public:
// *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
// Only one usage per verification is supported. // Only one usage per verification is supported.
SECStatus VerifyCert(CERTCertificate* cert, SECStatus VerifyCert(CERTCertificate* cert,
const SECCertificateUsage usage, SECCertificateUsage usage,
const PRTime time, PRTime time,
void* pinArg, void* pinArg,
const char* hostname, const char* hostname,
const Flags flags = 0, Flags flags = 0,
/*optional in*/ const SECItem* stapledOCSPResponse = nullptr, /*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
/*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr, /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr,
/*optional out*/ SECOidTag* evOidPolicy = nullptr , /*optional out*/ SECOidTag* evOidPolicy = nullptr);
/*optional out*/ CERTVerifyLog* verifyLog = nullptr);
SECStatus VerifySSLServerCert( SECStatus VerifySSLServerCert(
CERTCertificate* peerCert, CERTCertificate* peerCert,
@@ -46,15 +45,6 @@ public:
/*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut = nullptr, /*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut = nullptr,
/*optional out*/ SECOidTag* evOidPolicy = nullptr); /*optional out*/ SECOidTag* evOidPolicy = nullptr);
enum implementation_config {
classic = 0,
#ifndef NSS_NO_LIBPKIX
libpkix = 1,
#endif
mozillapkix = 2
};
enum pinning_enforcement_config { enum pinning_enforcement_config {
pinningDisabled = 0, pinningDisabled = 0,
pinningAllowUserCAMITM = 1, pinningAllowUserCAMITM = 1,
@@ -70,38 +60,19 @@ public:
bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; } bool IsOCSPDownloadEnabled() const { return mOCSPDownloadEnabled; }
CertVerifier(implementation_config ic, CertVerifier(ocsp_download_config odc, ocsp_strict_config osc,
#ifndef NSS_NO_LIBPKIX
missing_cert_download_config ac, crl_download_config cdc,
#endif
ocsp_download_config odc, ocsp_strict_config osc,
ocsp_get_config ogc, ocsp_get_config ogc,
pinning_enforcement_config pinningEnforcementLevel); pinning_enforcement_config pinningEnforcementLevel);
~CertVerifier(); ~CertVerifier();
void ClearOCSPCache() { mOCSPCache.Clear(); } void ClearOCSPCache() { mOCSPCache.Clear(); }
const implementation_config mImplementation;
#ifndef NSS_NO_LIBPKIX
const bool mMissingCertDownloadEnabled;
const bool mCRLDownloadEnabled;
#endif
const bool mOCSPDownloadEnabled; const bool mOCSPDownloadEnabled;
const bool mOCSPStrict; const bool mOCSPStrict;
const bool mOCSPGETEnabled; const bool mOCSPGETEnabled;
const pinning_enforcement_config mPinningEnforcementLevel; const pinning_enforcement_config mPinningEnforcementLevel;
private: private:
SECStatus MozillaPKIXVerifyCert(CERTCertificate* cert,
const SECCertificateUsage usage,
const PRTime time,
void* pinArg,
const Flags flags,
ChainValidationCallbackState* callbackState,
/*optional*/ const SECItem* stapledOCSPResponse,
/*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
/*optional out*/ SECOidTag* evOidPolicy);
OCSPCache mOCSPCache; OCSPCache mOCSPCache;
}; };

34
security/certverifier/ExtendedValidation.cpp
View File

@@ -886,21 +886,6 @@ register_oid(const SECItem* oid_item, const char* oid_name)
return SECOID_AddEntry(&od); return SECOID_AddEntry(&od);
} }
#ifndef NSS_NO_LIBPKIX
static void
addToCertListIfTrusted(CERTCertList* certList, CERTCertificate* cert) {
CERTCertTrust nssTrust;
if (CERT_GetCertTrust(cert, &nssTrust) != SECSuccess) {
return;
}
unsigned int flags = SEC_GET_TRUST_FLAGS(&nssTrust, trustSSL);
if (flags & CERTDB_TRUSTED_CA) {
CERT_AddCertToListTail(certList, CERT_DupCertificate(cert));
}
}
#endif
static bool static bool
isEVPolicy(SECOidTag policyOIDTag) isEVPolicy(SECOidTag policyOIDTag)
{ {
@@ -916,25 +901,6 @@ isEVPolicy(SECOidTag policyOIDTag)
namespace mozilla { namespace psm { namespace mozilla { namespace psm {
#ifndef NSS_NO_LIBPKIX
CERTCertList*
GetRootsForOid(SECOidTag oid_tag)
{
CERTCertList* certList = CERT_NewCertList();
if (!certList)
return nullptr;
for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
if (entry.oid_tag == oid_tag) {
addToCertListIfTrusted(certList, entry.cert);
}
}
return certList;
}
#endif
bool bool
CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert, CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert,
const mozilla::pkix::CertPolicyId& policy) const mozilla::pkix::CertPolicyId& policy)

4
security/certverifier/ExtendedValidation.h
View File

@@ -26,10 +26,6 @@ bool CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert,
const mozilla::pkix::CertPolicyId& policy); const mozilla::pkix::CertPolicyId& policy);
#endif #endif
#ifndef NSS_NO_LIBPKIX
CERTCertList* GetRootsForOid(SECOidTag oid_tag);
#endif
} } // namespace mozilla::psm } } // namespace mozilla::psm
#endif // mozilla_psm_ExtendedValidation_h #endif // mozilla_psm_ExtendedValidation_h

27
security/certverifier/NSSCertDBTrustDomain.cpp
View File

@@ -14,7 +14,6 @@
#include "certdb.h" #include "certdb.h"
#include "mozilla/Telemetry.h" #include "mozilla/Telemetry.h"
#include "nss.h" #include "nss.h"
#include "ocsp.h"
#include "pk11pub.h" #include "pk11pub.h"
#include "pkix/pkix.h" #include "pkix/pkix.h"
#include "prerror.h" #include "prerror.h"
@@ -696,32 +695,6 @@ UnloadLoadableRoots(const char* modNameUTF8)
} }
} }
void
SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
CertVerifier::ocsp_strict_config strict,
CertVerifier::ocsp_get_config get)
{
CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
if (enabled == CertVerifier::ocsp_off) {
CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
} else {
CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
}
SEC_OcspFailureMode failureMode = strict == CertVerifier::ocsp_strict
? ocspMode_FailureIsVerificationFailure
: ocspMode_FailureIsNotAVerificationFailure;
(void) CERT_SetOCSPFailureMode(failureMode);
CERT_ForcePostMethodForOCSP(get != CertVerifier::ocsp_get_enabled);
uint32_t OCSPTimeoutSeconds = 3u;
if (strict == CertVerifier::ocsp_strict) {
OCSPTimeoutSeconds = 10u;
}
CERT_SetOCSPTimeout(OCSPTimeoutSeconds);
}
char* char*
DefaultServerNicknameForCert(CERTCertificate* cert) DefaultServerNicknameForCert(CERTCertificate* cert)
{ {

8
security/certverifier/NSSCertDBTrustDomain.h
View File

@@ -32,14 +32,6 @@ SECStatus LoadLoadableRoots(/*optional*/ const char* dir,
void UnloadLoadableRoots(const char* modNameUTF8); void UnloadLoadableRoots(const char* modNameUTF8);
// Controls the OCSP fetching behavior of the classic verification mode. In the
// classic mode, the OCSP fetching behavior is set globally instead of per
// validation.
void
SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
CertVerifier::ocsp_strict_config strict,
CertVerifier::ocsp_get_config get);
// Caller must free the result with PR_Free // Caller must free the result with PR_Free
char* DefaultServerNicknameForCert(CERTCertificate* cert); char* DefaultServerNicknameForCert(CERTCertificate* cert);

258
security/manager/ssl/src/SSLServerCertVerification.cpp
View File

@@ -105,7 +105,6 @@
#include "nsICertOverrideService.h" #include "nsICertOverrideService.h"
#include "nsISiteSecurityService.h" #include "nsISiteSecurityService.h"
#include "nsNSSComponent.h" #include "nsNSSComponent.h"
#include "nsNSSCleaner.h"
#include "nsRecentBadCerts.h" #include "nsRecentBadCerts.h"
#include "nsNSSIOLayer.h" #include "nsNSSIOLayer.h"
#include "nsNSSShutDown.h" #include "nsNSSShutDown.h"
@@ -127,7 +126,6 @@
#include "secerr.h" #include "secerr.h"
#include "secport.h" #include "secport.h"
#include "sslerr.h" #include "sslerr.h"
#include "ocsp.h"
#ifdef PR_LOGGING #ifdef PR_LOGGING
extern PRLogModuleInfo* gPIPNSSLog; extern PRLogModuleInfo* gPIPNSSLog;
@@ -137,9 +135,6 @@ namespace mozilla { namespace psm {
namespace { namespace {
NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
NSSCleanupAutoPtrClass_WithParam(PLArenaPool, PORT_FreeArena, FalseParam, false)
// do not use a nsCOMPtr to avoid static initializer/destructor // do not use a nsCOMPtr to avoid static initializer/destructor
nsIThreadPool* gCertVerificationThreadPool = nullptr; nsIThreadPool* gCertVerificationThreadPool = nullptr;
@@ -311,13 +306,12 @@ MapCertErrorToProbeValue(PRErrorCode errorCode)
} }
SECStatus SECStatus
MozillaPKIXDetermineCertOverrideErrors(CERTCertificate* cert, DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
const char* hostName, PRTime now, PRTime now, PRErrorCode defaultErrorCodeToReport,
PRErrorCode defaultErrorCodeToReport, /*out*/ uint32_t& collectedErrors,
/*out*/ uint32_t& collectedErrors, /*out*/ PRErrorCode& errorCodeTrust,
/*out*/ PRErrorCode& errorCodeTrust, /*out*/ PRErrorCode& errorCodeMismatch,
/*out*/ PRErrorCode& errorCodeMismatch, /*out*/ PRErrorCode& errorCodeExpired)
/*out*/ PRErrorCode& errorCodeExpired)
{ {
MOZ_ASSERT(cert); MOZ_ASSERT(cert);
MOZ_ASSERT(hostName); MOZ_ASSERT(hostName);
@@ -548,129 +542,6 @@ CertErrorRunnable::RunOnTargetThread()
MOZ_ASSERT(mResult); MOZ_ASSERT(mResult);
} }
// Converts a PRErrorCode into one of
// nsICertOverrideService::ERROR_UNTRUSTED,
// nsICertOverrideService::ERROR_MISMATCH,
// nsICertOverrideService::ERROR_TIME
// if the given error code is an overridable error.
// If it is not, then 0 is returned.
uint32_t
PRErrorCodeToOverrideType(PRErrorCode errorCode)
{
switch (errorCode)
{
case SEC_ERROR_UNKNOWN_ISSUER:
case SEC_ERROR_UNTRUSTED_ISSUER:
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
case SEC_ERROR_UNTRUSTED_CERT:
case SEC_ERROR_INADEQUATE_KEY_USAGE:
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
// We group all these errors as "cert not trusted"
return nsICertOverrideService::ERROR_UNTRUSTED;
case SSL_ERROR_BAD_CERT_DOMAIN:
return nsICertOverrideService::ERROR_MISMATCH;
case SEC_ERROR_EXPIRED_CERTIFICATE:
return nsICertOverrideService::ERROR_TIME;
default:
return 0;
}
}
SECStatus
NSSDetermineCertOverrideErrors(CertVerifier& certVerifier,
CERTCertificate* cert,
const SECItem* stapledOCSPResponse,
TransportSecurityInfo* infoObject,
PRTime now,
PRErrorCode defaultErrorCodeToReport,
/*out*/ uint32_t& collectedErrors,
/*out*/ PRErrorCode& errorCodeTrust,
/*out*/ PRErrorCode& errorCodeMismatch,
/*out*/ PRErrorCode& errorCodeExpired)
{
MOZ_ASSERT(cert);
MOZ_ASSERT(infoObject);
MOZ_ASSERT(defaultErrorCodeToReport != 0);
MOZ_ASSERT(collectedErrors == 0);
MOZ_ASSERT(errorCodeTrust == 0);
MOZ_ASSERT(errorCodeMismatch == 0);
MOZ_ASSERT(errorCodeExpired == 0);
if (defaultErrorCodeToReport == 0) {
NS_ERROR("No error code set during certificate validation failure.");
PR_SetError(PR_INVALID_STATE_ERROR, 0);
return SECFailure;
}
// We only allow overrides for certain errors. Return early if the error
// is not one of them. This is to avoid doing revocation fetching in the
// case of OCSP stapling and probably for other reasons.
if (PRErrorCodeToOverrideType(defaultErrorCodeToReport) == 0) {
PR_SetError(defaultErrorCodeToReport, 0);
return SECFailure;
}
PLArenaPool* log_arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
PLArenaPoolCleanerFalseParam log_arena_cleaner(log_arena);
if (!log_arena) {
NS_ERROR("PORT_NewArena failed");
return SECFailure; // PORT_NewArena set error code
}
CERTVerifyLog* verify_log = PORT_ArenaZNew(log_arena, CERTVerifyLog);
if (!verify_log) {
NS_ERROR("PORT_ArenaZNew failed");
return SECFailure; // PORT_ArenaZNew set error code
}
CERTVerifyLogContentsCleaner verify_log_cleaner(verify_log);
verify_log->arena = log_arena;
// We ignore the result code of the cert verification (i.e. VerifyCert's rv)
// Either it is a failure, which is expected, and we'll process the
// verify log below.
// Or it is a success, then a domain mismatch is the only
// possible failure.
// XXX TODO: convert to VerifySSLServerCert
// XXX TODO: get rid of error log
certVerifier.VerifyCert(cert, certificateUsageSSLServer,
now, infoObject, infoObject->GetHostNameRaw(),
0, stapledOCSPResponse, nullptr, nullptr, verify_log);
// Check the name field against the desired hostname.
if (CERT_VerifyCertName(cert, infoObject->GetHostNameRaw()) != SECSuccess) {
collectedErrors |= nsICertOverrideService::ERROR_MISMATCH;
errorCodeMismatch = SSL_ERROR_BAD_CERT_DOMAIN;
}
CERTVerifyLogNode* i_node;
for (i_node = verify_log->head; i_node; i_node = i_node->next) {
uint32_t overrideType = PRErrorCodeToOverrideType(i_node->error);
// If this isn't an overridable error, set the error and return.
if (overrideType == 0) {
PR_SetError(i_node->error, 0);
return SECFailure;
}
collectedErrors |= overrideType;
if (overrideType == nsICertOverrideService::ERROR_UNTRUSTED) {
if (errorCodeTrust == 0) {
errorCodeTrust = i_node->error;
}
} else if (overrideType == nsICertOverrideService::ERROR_MISMATCH) {
if (errorCodeMismatch == 0) {
errorCodeMismatch = i_node->error;
}
} else if (overrideType == nsICertOverrideService::ERROR_TIME) {
if (errorCodeExpired == 0) {
errorCodeExpired = i_node->error;
}
} else {
MOZ_CRASH("unexpected return value from PRErrorCodeToOverrideType");
}
}
return SECSuccess;
}
// Returns null with the error code (PR_GetError()) set if it does not create // Returns null with the error code (PR_GetError()) set if it does not create
// the CertErrorRunnable. // the CertErrorRunnable.
CertErrorRunnable* CertErrorRunnable*
@@ -690,37 +561,10 @@ CreateCertErrorRunnable(CertVerifier& certVerifier,
PRErrorCode errorCodeTrust = 0; PRErrorCode errorCodeTrust = 0;
PRErrorCode errorCodeMismatch = 0; PRErrorCode errorCodeMismatch = 0;
PRErrorCode errorCodeExpired = 0; PRErrorCode errorCodeExpired = 0;
if (DetermineCertOverrideErrors(cert, infoObject->GetHostNameRaw(), now,
SECStatus rv; defaultErrorCodeToReport, collected_errors,
switch (certVerifier.mImplementation) { errorCodeTrust, errorCodeMismatch,
case CertVerifier::classic: errorCodeExpired) != SECSuccess) {
#ifndef NSS_NO_LIBPKIX
case CertVerifier::libpkix:
#endif
rv = NSSDetermineCertOverrideErrors(certVerifier, cert, stapledOCSPResponse,
infoObject, now,
defaultErrorCodeToReport,
collected_errors, errorCodeTrust,
errorCodeMismatch, errorCodeExpired);
break;
case CertVerifier::mozillapkix:
rv = MozillaPKIXDetermineCertOverrideErrors(cert,
infoObject->GetHostNameRaw(),
now, defaultErrorCodeToReport,
collected_errors,
errorCodeTrust,
errorCodeMismatch,
errorCodeExpired);
break;
default:
MOZ_CRASH("unexpected CertVerifier implementation");
PR_SetError(defaultErrorCodeToReport, 0);
return nullptr;
}
if (rv != SECSuccess) {
return nullptr; return nullptr;
} }
@@ -906,57 +750,6 @@ AuthCertificate(CertVerifier& certVerifier, TransportSecurityInfo* infoObject,
SECStatus rv; SECStatus rv;
// TODO: Remove this after we switch to mozilla::pkix as the
// only option
if (certVerifier.mImplementation == CertVerifier::classic) {
if (stapledOCSPResponse) {
CERTCertDBHandle* handle = CERT_GetDefaultCertDB();
rv = CERT_CacheOCSPResponseFromSideChannel(handle, cert, PR_Now(),
stapledOCSPResponse,
infoObject);
if (rv != SECSuccess) {
// Due to buggy servers that will staple expired OCSP responses
// (see for example http://trac.nginx.org/nginx/ticket/425),
// don't terminate the connection if the stapled response is expired.
// We will fall back to fetching revocation information.
PRErrorCode ocspErrorCode = PR_GetError();
if (ocspErrorCode != SEC_ERROR_OCSP_OLD_RESPONSE) {
// stapled OCSP response present but invalid for some reason
Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 4);
return rv;
} else {
// stapled OCSP response present but expired
Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 3);
}
} else {
// stapled OCSP response present and good
Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 1);
}
} else {
// no stapled OCSP response
Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 2);
uint32_t reasonsForNotFetching = 0;
char* ocspURI = CERT_GetOCSPAuthorityInfoAccessLocation(cert);
if (!ocspURI) {
reasonsForNotFetching |= 1; // invalid/missing OCSP URI
} else {
if (std::strncmp(ocspURI, "http://", 7)) { // approximation
reasonsForNotFetching |= 1; // invalid/missing OCSP URI
}
PORT_Free(ocspURI);
}
if (!certVerifier.mOCSPDownloadEnabled) {
reasonsForNotFetching |= 2;
}
Telemetry::Accumulate(Telemetry::SSL_OCSP_MAY_FETCH,
reasonsForNotFetching);
}
}
// We want to avoid storing any intermediate cert information when browsing // We want to avoid storing any intermediate cert information when browsing
// in private, transient contexts. // in private, transient contexts.
bool saveIntermediates = bool saveIntermediates =
@@ -1078,34 +871,11 @@ SSLServerCertVerificationJob::Run()
if (mInfoObject->isAlreadyShutDown()) { if (mInfoObject->isAlreadyShutDown()) {
error = SEC_ERROR_USER_CANCELLED; error = SEC_ERROR_USER_CANCELLED;
} else { } else {
Telemetry::ID successTelemetry; Telemetry::ID successTelemetry
Telemetry::ID failureTelemetry; = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
switch (mCertVerifier->mImplementation) { Telemetry::ID failureTelemetry
case CertVerifier::classic: = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
successTelemetry
= Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC;
failureTelemetry
= Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC;
break;
case CertVerifier::mozillapkix:
successTelemetry
= Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
failureTelemetry
= Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
break;
#ifndef NSS_NO_LIBPKIX
case CertVerifier::libpkix:
successTelemetry
= Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX;
failureTelemetry
= Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX;
break;
#endif
default:
MOZ_CRASH("Unknown CertVerifier mode");
}
// XXX
// Reset the error code here so we can detect if AuthCertificate fails to // Reset the error code here so we can detect if AuthCertificate fails to
// set the error code if/when it fails. // set the error code if/when it fails.
PR_SetError(0, 0); PR_SetError(0, 0);

4
security/manager/ssl/src/ScopedNSSTypes.h
View File

@@ -22,7 +22,6 @@
#include "sechash.h" #include "sechash.h"
#include "secpkcs7.h" #include "secpkcs7.h"
#include "prerror.h" #include "prerror.h"
#include "ocsp.h"
namespace mozilla { namespace mozilla {
@@ -83,9 +82,6 @@ MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTName,
MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTCertNicknames, MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTCertNicknames,
CERTCertNicknames, CERTCertNicknames,
CERT_FreeNicknames) CERT_FreeNicknames)
MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTOCSPCertID,
CERTOCSPCertID,
CERT_DestroyOCSPCertID)
MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTSubjectPublicKeyInfo, MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTSubjectPublicKeyInfo,
CERTSubjectPublicKeyInfo, CERTSubjectPublicKeyInfo,
SECKEY_DestroySubjectPublicKeyInfo) SECKEY_DestroySubjectPublicKeyInfo)

13
security/manager/ssl/src/SharedCertVerifier.h
View File

@@ -19,19 +19,10 @@ protected:
public: public:
NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SharedCertVerifier) NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SharedCertVerifier)
SharedCertVerifier(implementation_config ic, SharedCertVerifier(ocsp_download_config odc, ocsp_strict_config osc,
#ifndef NSS_NO_LIBPKIX
missing_cert_download_config ac, crl_download_config cdc,
#endif
ocsp_download_config odc, ocsp_strict_config osc,
ocsp_get_config ogc, ocsp_get_config ogc,
pinning_enforcement_config pinningEnforcementLevel) pinning_enforcement_config pinningEnforcementLevel)
: mozilla::psm::CertVerifier(ic, : mozilla::psm::CertVerifier(odc, osc, ogc, pinningEnforcementLevel)
#ifndef NSS_NO_LIBPKIX
ac, cdc,
#endif
odc, osc, ogc,
pinningEnforcementLevel)
{ {
} }
}; };

10
security/manager/ssl/src/nsNSSCallbacks.cpp
View File

@@ -586,16 +586,6 @@ void nsNSSHttpInterface::initTable()
v1.freeFcn = freeFcn; v1.freeFcn = freeFcn;
} }
void nsNSSHttpInterface::registerHttpClient()
{
SEC_RegisterDefaultHttpClient(&sNSSInterfaceTable);
}
void nsNSSHttpInterface::unregisterHttpClient()
{
SEC_RegisterDefaultHttpClient(nullptr);
}
nsHTTPListener::nsHTTPListener() nsHTTPListener::nsHTTPListener()
: mResultData(nullptr), : mResultData(nullptr),
mResultLen(0), mResultLen(0),

3
security/manager/ssl/src/nsNSSCallbacks.h
View File

@@ -220,9 +220,6 @@ public:
static void initTable(); static void initTable();
static SEC_HttpClientFcn sNSSInterfaceTable; static SEC_HttpClientFcn sNSSInterfaceTable;
void registerHttpClient();
void unregisterHttpClient();
}; };
#endif // _NSNSSCALLBACKS_H_ #endif // _NSNSSCALLBACKS_H_

1
security/manager/ssl/src/nsNSSCertificate.cpp
View File

@@ -49,7 +49,6 @@
#include "secasn1.h" #include "secasn1.h"
#include "secder.h" #include "secder.h"
#include "ssl.h" #include "ssl.h"
#include "ocsp.h"
#include "plbase64.h" #include "plbase64.h"
using namespace mozilla; using namespace mozilla;

11
security/manager/ssl/src/nsNSSCertificateDB.cpp
View File

@@ -47,7 +47,6 @@
#include "secasn1.h" #include "secasn1.h"
#include "secder.h" #include "secder.h"
#include "ssl.h" #include "ssl.h"
#include "ocsp.h"
#include "plbase64.h" #include "plbase64.h"
using namespace mozilla; using namespace mozilla;
@@ -1816,14 +1815,6 @@ nsNSSCertificateDB::ClearOCSPCache()
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier()); RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE); NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
if (certVerifier->mImplementation == CertVerifier::mozillapkix) { certVerifier->ClearOCSPCache();
certVerifier->ClearOCSPCache();
} else {
SECStatus srv = CERT_ClearOCSPCache();
if (srv != SECSuccess) {
return MapSECStatus(srv);
}
}
return NS_OK; return NS_OK;
} }

78
security/manager/ssl/src/nsNSSComponent.cpp
View File

@@ -58,7 +58,6 @@
#include "sslproto.h" #include "sslproto.h"
#include "secmod.h" #include "secmod.h"
#include "secmime.h" #include "secmime.h"
#include "ocsp.h"
#include "secerr.h" #include "secerr.h"
#include "sslerr.h" #include "sslerr.h"
@@ -243,10 +242,10 @@ bool EnsureNSSInitialized(EnsureNSSOperator op)
} }
static void static void
SetClassicOCSPBehaviorFromPrefs(/*out*/ CertVerifier::ocsp_download_config* odc, GetOCSPBehaviorFromPrefs(/*out*/ CertVerifier::ocsp_download_config* odc,
/*out*/ CertVerifier::ocsp_strict_config* osc, /*out*/ CertVerifier::ocsp_strict_config* osc,
/*out*/ CertVerifier::ocsp_get_config* ogc, /*out*/ CertVerifier::ocsp_get_config* ogc,
const MutexAutoLock& /*proofOfLock*/) const MutexAutoLock& /*proofOfLock*/)
{ {
MOZ_ASSERT(NS_IsMainThread()); MOZ_ASSERT(NS_IsMainThread());
MOZ_ASSERT(odc); MOZ_ASSERT(odc);
@@ -267,8 +266,6 @@ SetClassicOCSPBehaviorFromPrefs(/*out*/ CertVerifier::ocsp_download_config* odc,
? CertVerifier::ocsp_get_enabled ? CertVerifier::ocsp_get_enabled
: CertVerifier::ocsp_get_disabled; : CertVerifier::ocsp_get_disabled;
SetClassicOCSPBehavior(*odc, *osc, *ogc);
SSL_ClearSessionCache(); SSL_ClearSessionCache();
} }
@@ -991,44 +988,11 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting,
Telemetry::Accumulate(Telemetry::CERT_OCSP_REQUIRED, ocspRequired); Telemetry::Accumulate(Telemetry::CERT_OCSP_REQUIRED, ocspRequired);
} }
#ifndef NSS_NO_LIBPKIX
bool crlDownloading = Preferences::GetBool("security.CRL_download.enabled",
false);
bool aiaDownloadEnabled =
Preferences::GetBool("security.missing_cert_download.enabled", false);
#endif
bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling", bool ocspStaplingEnabled = Preferences::GetBool("security.ssl.enable_ocsp_stapling",
true); true);
PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled); PublicSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled); PrivateSSLState()->SetOCSPStaplingEnabled(ocspStaplingEnabled);
CertVerifier::implementation_config certVerifierImplementation
= CertVerifier::classic;
// The mozilla::pkix pref overrides the libpkix pref
if (Preferences::GetBool("security.use_mozillapkix_verification", true)) {
certVerifierImplementation = CertVerifier::mozillapkix;
} else {
#ifndef NSS_NO_LIBPKIX
if (Preferences::GetBool("security.use_libpkix_verification", false)) {
certVerifierImplementation = CertVerifier::libpkix;
}
#endif
}
if (isInitialSetting) {
if (certVerifierImplementation == CertVerifier::classic) {
Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 1);
#ifndef NSS_NO_LIBPKIX
} else if (certVerifierImplementation == CertVerifier::libpkix) {
Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 2);
#endif
} else if (certVerifierImplementation == CertVerifier::mozillapkix) {
Telemetry::Accumulate(Telemetry::CERT_VALIDATION_LIBRARY, 3);
}
}
// Default pinning enforcement level is disabled. // Default pinning enforcement level is disabled.
CertVerifier::pinning_enforcement_config CertVerifier::pinning_enforcement_config
pinningEnforcementLevel = pinningEnforcementLevel =
@@ -1043,30 +1007,9 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting,
CertVerifier::ocsp_strict_config osc; CertVerifier::ocsp_strict_config osc;
CertVerifier::ocsp_get_config ogc; CertVerifier::ocsp_get_config ogc;
SetClassicOCSPBehaviorFromPrefs(&odc, &osc, &ogc, lock); GetOCSPBehaviorFromPrefs(&odc, &osc, &ogc, lock);
mDefaultCertVerifier = new SharedCertVerifier( mDefaultCertVerifier = new SharedCertVerifier(odc, osc, ogc,
certVerifierImplementation, pinningEnforcementLevel);
#ifndef NSS_NO_LIBPKIX
aiaDownloadEnabled ?
CertVerifier::missing_cert_download_on : CertVerifier::missing_cert_download_off,
crlDownloading ?
CertVerifier::crl_download_allowed : CertVerifier::crl_local_only,
#endif
odc, osc, ogc, pinningEnforcementLevel);
// mozilla::pkix has its own OCSP cache, so disable the NSS cache
// if appropriate.
if (certVerifierImplementation == CertVerifier::mozillapkix) {
// Using -1 disables the cache. The other arguments are the default
// values and aren't exposed by the API.
CERT_OCSPCacheSettings(-1, 1*60*60L, 24*60*60L);
} else {
// Using 1000 enables the cache with the default size of 1000. Again,
// these values are not exposed by the API.
CERT_OCSPCacheSettings(1000, 1*60*60L, 24*60*60L);
}
CERT_ClearOCSPCache();
} }
// Enable the TLS versions given in the prefs, defaulting to SSL 3.0 (min // Enable the TLS versions given in the prefs, defaulting to SSL 3.0 (min
@@ -1275,7 +1218,6 @@ nsNSSComponent::InitializeNSS()
setValidationOptions(true, lock); setValidationOptions(true, lock);
mHttpForNSS.initTable(); mHttpForNSS.initTable();
mHttpForNSS.registerHttpClient();
#ifndef MOZ_DISABLE_CRYPTOLEGACY #ifndef MOZ_DISABLE_CRYPTOLEGACY
LaunchSmartCardThreads(); LaunchSmartCardThreads();
@@ -1301,7 +1243,6 @@ nsNSSComponent::ShutdownNSS()
mNSSInitialized = false; mNSSInitialized = false;
PK11_SetPasswordFunc((PK11PasswordFunc)nullptr); PK11_SetPasswordFunc((PK11PasswordFunc)nullptr);
mHttpForNSS.unregisterHttpClient();
Preferences::RemoveObserver(this, "security."); Preferences::RemoveObserver(this, "security.");
if (NS_FAILED(CipherSuiteChangeObserver::StopObserve())) { if (NS_FAILED(CipherSuiteChangeObserver::StopObserve())) {
@@ -1670,14 +1611,9 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
Preferences::GetBool("security.ssl.enable_alpn", Preferences::GetBool("security.ssl.enable_alpn",
ALPN_ENABLED_DEFAULT)); ALPN_ENABLED_DEFAULT));
} else if (prefName.EqualsLiteral("security.OCSP.enabled") || } else if (prefName.EqualsLiteral("security.OCSP.enabled") ||
prefName.EqualsLiteral("security.CRL_download.enabled") ||
prefName.EqualsLiteral("security.fresh_revocation_info.require") ||
prefName.EqualsLiteral("security.missing_cert_download.enabled") ||
prefName.EqualsLiteral("security.OCSP.require") || prefName.EqualsLiteral("security.OCSP.require") ||
prefName.EqualsLiteral("security.OCSP.GET.enabled") || prefName.EqualsLiteral("security.OCSP.GET.enabled") ||
prefName.EqualsLiteral("security.ssl.enable_ocsp_stapling") || prefName.EqualsLiteral("security.ssl.enable_ocsp_stapling") ||
prefName.EqualsLiteral("security.use_mozillapkix_verification") ||
prefName.EqualsLiteral("security.use_libpkix_verification") ||
prefName.EqualsLiteral("security.cert_pinning.enforcement_level")) { prefName.EqualsLiteral("security.cert_pinning.enforcement_level")) {
MutexAutoLock lock(mutex); MutexAutoLock lock(mutex);
setValidationOptions(false, lock); setValidationOptions(false, lock);

1
security/manager/ssl/src/nsNSSIOLayer.cpp
View File

@@ -13,6 +13,7 @@
#include "mozilla/Telemetry.h" #include "mozilla/Telemetry.h"
#include "prlog.h" #include "prlog.h"
#include "prmem.h"
#include "prnetdb.h" #include "prnetdb.h"
#include "nsIPrefService.h" #include "nsIPrefService.h"
#include "nsIClientAuthDialogs.h" #include "nsIClientAuthDialogs.h"

1
security/manager/ssl/tests/unit/test_cert_eku.js
View File

@@ -23,7 +23,6 @@ function load_cert(cert_name, trust_string) {
function run_test() { function run_test() {
load_cert("ca", "CT,CT,CT"); load_cert("ca", "CT,CT,CT");
Services.prefs.setBoolPref("security.use_mozillapkix_verification", true);
checkCertErrorGeneric(certdb, load_cert('int-EKU-CA', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA); checkCertErrorGeneric(certdb, load_cert('int-EKU-CA', ',,'), SEC_ERROR_INADEQUATE_CERT_TYPE, certificateUsageSSLCA);
checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), 0, certificateUsageSSLClient); checkCertErrorGeneric(certdb, cert_from_file('ee-EKU-CA-int-EKU-CA.der'), 0, certificateUsageSSLClient);

1
security/manager/ssl/tests/unit/test_cert_eku/generate.py
View File

@@ -69,7 +69,6 @@ function load_cert(cert_name, trust_string) {
function run_test() { function run_test() {
load_cert("ca", "CT,CT,CT"); load_cert("ca", "CT,CT,CT");
Services.prefs.setBoolPref("security.use_mozillapkix_verification", true);
""" """
js_file_footer = """} js_file_footer = """}

132
security/manager/ssl/tests/unit/test_cert_overrides.js
View File

@@ -52,15 +52,15 @@ function check_telemetry() {
.getHistogramById("SSL_CERT_ERROR_OVERRIDES") .getHistogramById("SSL_CERT_ERROR_OVERRIDES")
.snapshot(); .snapshot();
do_check_eq(histogram.counts[ 0], 0); do_check_eq(histogram.counts[ 0], 0);
do_check_eq(histogram.counts[ 2], 8 + 1); // SEC_ERROR_UNKNOWN_ISSUER do_check_eq(histogram.counts[ 2], 8); // SEC_ERROR_UNKNOWN_ISSUER
do_check_eq(histogram.counts[ 3], 0); // SEC_ERROR_CA_CERT_INVALID do_check_eq(histogram.counts[ 3], 0); // SEC_ERROR_CA_CERT_INVALID
do_check_eq(histogram.counts[ 4], 0 + 5); // SEC_ERROR_UNTRUSTED_ISSUER do_check_eq(histogram.counts[ 4], 0); // SEC_ERROR_UNTRUSTED_ISSUER
do_check_eq(histogram.counts[ 5], 0 + 1); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE do_check_eq(histogram.counts[ 5], 0); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
do_check_eq(histogram.counts[ 6], 0 + 1); // SEC_ERROR_UNTRUSTED_CERT do_check_eq(histogram.counts[ 6], 0); // SEC_ERROR_UNTRUSTED_CERT
do_check_eq(histogram.counts[ 7], 0 + 1); // SEC_ERROR_INADEQUATE_KEY_USAGE do_check_eq(histogram.counts[ 7], 0); // SEC_ERROR_INADEQUATE_KEY_USAGE
do_check_eq(histogram.counts[ 8], 2 + 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED do_check_eq(histogram.counts[ 8], 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
do_check_eq(histogram.counts[ 9], 4 + 4); // SSL_ERROR_BAD_CERT_DOMAIN do_check_eq(histogram.counts[ 9], 4); // SSL_ERROR_BAD_CERT_DOMAIN
do_check_eq(histogram.counts[10], 5 + 5); // SEC_ERROR_EXPIRED_CERTIFICATE do_check_eq(histogram.counts[10], 5); // SEC_ERROR_EXPIRED_CERTIFICATE
run_next_test(); run_next_test();
} }
@@ -73,8 +73,9 @@ function run_test() {
}); });
fakeOCSPResponder.start(8080); fakeOCSPResponder.start(8080);
add_tests_in_mode(true); add_simple_tests();
add_tests_in_mode(false); add_combo_tests();
add_distrust_tests();
add_test(function () { add_test(function () {
fakeOCSPResponder.stop(check_telemetry); fakeOCSPResponder.stop(check_telemetry);
@@ -83,43 +84,19 @@ function run_test() {
run_next_test(); run_next_test();
} }
function add_tests_in_mode(useMozillaPKIX) { function add_simple_tests() {
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
add_simple_tests(useMozillaPKIX);
add_combo_tests(useMozillaPKIX);
add_distrust_tests(useMozillaPKIX);
add_test(function () {
certOverrideService.clearValidityOverride("all:temporary-certificates", 0);
run_next_test();
});
}
function add_simple_tests(useMozillaPKIX) {
add_cert_override_test("expired.example.com", add_cert_override_test("expired.example.com",
Ci.nsICertOverrideService.ERROR_TIME, Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE)); getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE));
if (useMozillaPKIX) { add_cert_override_test("selfsigned.example.com",
add_cert_override_test("selfsigned.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED,
Ci.nsICertOverrideService.ERROR_UNTRUSTED, getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
} else {
add_non_overridable_test("selfsigned.example.com",
SEC_ERROR_CA_CERT_INVALID);
}
add_cert_override_test("unknownissuer.example.com", add_cert_override_test("unknownissuer.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED, Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
add_cert_override_test("expiredissuer.example.com", add_cert_override_test("expiredissuer.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED, Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS( getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
add_cert_override_test("md5signature.example.com", add_cert_override_test("md5signature.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED, Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS( getXPCOMStatusFromNSS(
@@ -131,46 +108,22 @@ function add_simple_tests(useMozillaPKIX) {
// A Microsoft IIS utility generates self-signed certificates with // A Microsoft IIS utility generates self-signed certificates with
// properties similar to the one this "host" will present (see // properties similar to the one this "host" will present (see
// tlsserver/generate_certs.sh). // tlsserver/generate_certs.sh).
// One of the errors classic verification collects is that this add_cert_override_test("selfsigned-inadequateEKU.example.com",
// certificate has an inadequate key usage to sign a certificate Ci.nsICertOverrideService.ERROR_UNTRUSTED,
// (i.e. itself). As a result, to be able to override this, getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
// SEC_ERROR_INADEQUATE_KEY_USAGE must be overridable (although,
// confusingly, this isn't the main error reported).
// mozilla::pkix just says this certificate's issuer is unknown.
if (useMozillaPKIX) {
add_cert_override_test("selfsigned-inadequateEKU.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
} else {
add_non_overridable_test("selfsigned-inadequateEKU.example.com",
SEC_ERROR_CA_CERT_INVALID);
}
// SEC_ERROR_INADEQUATE_KEY_USAGE is overridable in general for add_non_overridable_test("inadequatekeyusage.example.com",
// classic verification, but not for mozilla::pkix verification. SEC_ERROR_INADEQUATE_KEY_USAGE);
if (useMozillaPKIX) {
add_non_overridable_test("inadequatekeyusage.example.com",
SEC_ERROR_INADEQUATE_KEY_USAGE);
} else {
add_cert_override_test("inadequatekeyusage.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE));
}
// Bug 990603: Apache documentation has recommended generating a self-signed // Bug 990603: Apache documentation has recommended generating a self-signed
// test certificate with basic constraints: CA:true. For compatibility, this // test certificate with basic constraints: CA:true. For compatibility, this
// is a scenario in which an override is allowed. // is a scenario in which an override is allowed.
add_cert_override_test("self-signed-end-entity-with-cA-true.example.com", add_cert_override_test("self-signed-end-entity-with-cA-true.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED, Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS( getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER));
} }
function add_combo_tests(useMozillaPKIX) { function add_combo_tests() {
// Note that "untrusted" here really is "unknown issuer" in the
// mozilla::pkix case.
add_cert_override_test("mismatch-expired.example.com", add_cert_override_test("mismatch-expired.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH | Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_TIME, Ci.nsICertOverrideService.ERROR_TIME,
@@ -178,22 +131,16 @@ function add_combo_tests(useMozillaPKIX) {
add_cert_override_test("mismatch-untrusted.example.com", add_cert_override_test("mismatch-untrusted.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH | Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_UNTRUSTED, Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS( getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER));
add_cert_override_test("untrusted-expired.example.com", add_cert_override_test("untrusted-expired.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED | Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_TIME, Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS( getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER));
add_cert_override_test("mismatch-untrusted-expired.example.com", add_cert_override_test("mismatch-untrusted-expired.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH | Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_UNTRUSTED | Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_TIME, Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS( getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER));
add_cert_override_test("md5signature-expired.example.com", add_cert_override_test("md5signature-expired.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED | Ci.nsICertOverrideService.ERROR_UNTRUSTED |
@@ -202,31 +149,20 @@ function add_combo_tests(useMozillaPKIX) {
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)); SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
} }
function add_distrust_tests(useMozillaPKIX) { function add_distrust_tests() {
// Before we specifically distrust this certificate, it should be trusted. // Before we specifically distrust this certificate, it should be trusted.
add_connection_test("untrusted.example.com", Cr.NS_OK); add_connection_test("untrusted.example.com", Cr.NS_OK);
// XXX(Bug 975777): Active distrust is an overridable error when NSS-based
// verification is used.
add_distrust_override_test("tlsserver/default-ee.der", add_distrust_override_test("tlsserver/default-ee.der",
"untrusted.example.com", "untrusted.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT), getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT));
useMozillaPKIX
? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT)
: Cr.NS_OK);
// XXX(Bug 975777): Active distrust is an overridable error when NSS-based
// verification is used.
add_distrust_override_test("tlsserver/other-test-ca.der", add_distrust_override_test("tlsserver/other-test-ca.der",
"untrustedissuer.example.com", "untrustedissuer.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER), getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER));
useMozillaPKIX
? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER)
: Cr.NS_OK);
} }
function add_distrust_override_test(certFileName, hostName, function add_distrust_override_test(certFileName, hostName, expectedResult) {
expectedResultBefore, expectedResultAfter) {
let certToDistrust = constructCertFromFile(certFileName); let certToDistrust = constructCertFromFile(certFileName);
add_test(function () { add_test(function () {
@@ -235,7 +171,7 @@ function add_distrust_override_test(certFileName, hostName,
clearSessionCache(); clearSessionCache();
run_next_test(); run_next_test();
}); });
add_connection_test(hostName, expectedResultBefore, null, add_connection_test(hostName, expectedResult, null,
function (securityInfo) { function (securityInfo) {
securityInfo.QueryInterface(Ci.nsISSLStatusProvider); securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
// XXX(Bug 754369): SSLStatus isn't available for // XXX(Bug 754369): SSLStatus isn't available for
@@ -249,11 +185,11 @@ function add_distrust_override_test(certFileName, hostName,
// 754369) that the error was non-overridable, which // 754369) that the error was non-overridable, which
// is what we're trying to test, though we'd rather // is what we're trying to test, though we'd rather
// not test it this way. // not test it this way.
do_check_neq(expectedResultAfter, Cr.NS_OK); do_check_neq(expectedResult, Cr.NS_OK);
} }
clearSessionCache(); clearSessionCache();
}); });
add_connection_test(hostName, expectedResultAfter, null, add_connection_test(hostName, expectedResult, null,
function () { function () {
setCertTrust(certToDistrust, "u,,"); setCertTrust(certToDistrust, "u,,");
}); });

14
security/manager/ssl/tests/unit/test_cert_signatures.js
View File

@@ -45,12 +45,6 @@ function run_test() {
load_ca("ca-p384"); load_ca("ca-p384");
load_ca("ca-dsa"); load_ca("ca-dsa");
run_test_in_mode(true);
run_test_in_mode(false);
}
function run_test_in_mode(useMozillaPKIX) {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
clearOCSPCache(); clearOCSPCache();
clearSessionCache(); clearSessionCache();
@@ -60,14 +54,10 @@ function run_test_in_mode(useMozillaPKIX) {
// mozilla::pkix does not allow CA certs to be validated for end-entity // mozilla::pkix does not allow CA certs to be validated for end-entity
// usages. // usages.
let int_usage = useMozillaPKIX const int_usage = 'SSL CA';
? 'SSL CA'
: 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
// mozilla::pkix doesn't implement the Netscape Object Signer restriction. // mozilla::pkix doesn't implement the Netscape Object Signer restriction.
const ee_usage = useMozillaPKIX const ee_usage = 'Client,Server,Sign,Encrypt,Object Signer';
? 'Client,Server,Sign,Encrypt,Object Signer'
: 'Client,Server,Sign,Encrypt';
let cert2usage = { let cert2usage = {
// certs without the "int" prefix are end entity certs. // certs without the "int" prefix are end entity certs.

157
security/manager/ssl/tests/unit/test_cert_trust.js
View File

@@ -39,20 +39,17 @@ function check_cert_err_generic(cert, expected_error, usage) {
do_check_eq(error, expected_error); do_check_eq(error, expected_error);
}; };
function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKIX) { function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
// On reset most usages are successful // On reset most usages are successful
check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer); check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient); check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA); // expected no bc certificateUsageSSLCA); // expected no bc
check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner); check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient); check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 check_cert_err_generic(ee_cert, 0,
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner); // expected certificateUsageObjectSigner); // expected
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
: 0,
certificateUsageVerifyCA); certificateUsageVerifyCA);
// mozilla::pkix enforces that certificase must have a basic constraints // mozilla::pkix enforces that certificase must have a basic constraints
// extension with cA:true to be a CA certificate, whereas classic does not // extension with cA:true to be a CA certificate, whereas classic does not
@@ -66,60 +63,45 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKI
certificateUsageSSLServer); certificateUsageSSLServer);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient); certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA); certificateUsageSSLCA);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner); certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient); certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner); certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
: 0,
certificateUsageVerifyCA); certificateUsageVerifyCA);
// In mozilla::pkix (but not classic verification), certificate chain // In mozilla::pkix (but not classic verification), certificate chain
// properties are checked before the end-entity. Thus, if we're using // properties are checked before the end-entity. Thus, if we're using
// mozilla::pkix and the root certificate has been distrusted, the error // mozilla::pkix and the root certificate has been distrusted, the error
// will be "untrusted issuer" and not "inadequate cert type". // will be "untrusted issuer" and not "inadequate cert type".
check_cert_err_generic(ee_cert, (!isRootCA && useMozillaPKIX) check_cert_err_generic(ee_cert,
? SEC_ERROR_UNTRUSTED_ISSUER !isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
: SEC_ERROR_INADEQUATE_CERT_TYPE, : SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder); certificateUsageStatusResponder);
// Trust set to T - trusted CA to issue client certs, where client cert is // Trust set to T - trusted CA to issue client certs, where client cert is
// usageSSLClient. // usageSSLClient.
setCertTrust(cert_to_modify_trust, 'T,T,T'); setCertTrust(cert_to_modify_trust, 'T,T,T');
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageSSLServer); certificateUsageSSLServer);
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340 // XXX(Bug 982340)
: 0 check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
: 0,
certificateUsageSSLClient); certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE, check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA); certificateUsageSSLCA);
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageEmailSigner); certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageEmailRecipient); certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
: SEC_ERROR_INADEQUATE_CERT_TYPE
: useMozillaPKIX ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner); certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
: 0,
certificateUsageVerifyCA); certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE, check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder); certificateUsageStatusResponder);
@@ -129,49 +111,33 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKI
setCertTrust(cert_to_modify_trust, 'p,C,C'); setCertTrust(cert_to_modify_trust, 'p,C,C');
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer); certificateUsageSSLServer);
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 //XXX Bug 982340
: SEC_ERROR_UNTRUSTED_ISSUER, //XXX(Bug 982340)
certificateUsageSSLClient); check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA); certificateUsageSSLCA);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner); check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient); check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
: SEC_ERROR_INADEQUATE_CERT_TYPE, check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: 0,
certificateUsageVerifyCA); certificateUsageVerifyCA);
// In mozilla::pkix (but not classic verification), certificate chain check_cert_err_generic(ee_cert,
// properties are checked before the end-entity. Thus, if we're using isRootCA ? SEC_ERROR_INADEQUATE_CERT_TYPE
// mozilla::pkix and the root certificate has been distrusted, the error : SEC_ERROR_UNTRUSTED_ISSUER,
// will be "untrusted issuer" and not "inadequate cert type".
check_cert_err_generic(ee_cert, (!isRootCA && useMozillaPKIX)
? SEC_ERROR_UNTRUSTED_ISSUER
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder); certificateUsageStatusResponder);
// Inherited trust SSL // Inherited trust SSL
setCertTrust(cert_to_modify_trust, ',C,C'); setCertTrust(cert_to_modify_trust, ',C,C');
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageSSLServer); certificateUsageSSLServer);
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? 0 // XXX Bug 982340 // XXX(Bug 982340)
: SEC_ERROR_UNTRUSTED_ISSUER check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
: 0, check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA); certificateUsageSSLCA);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner); check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient); check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
: SEC_ERROR_INADEQUATE_CERT_TYPE, check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: 0,
certificateUsageVerifyCA); certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE, check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder); certificateUsageStatusResponder);
@@ -179,22 +145,16 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKI
// Now tests on the EMAIL trust bit // Now tests on the EMAIL trust bit
setCertTrust(cert_to_modify_trust, 'C,p,C'); setCertTrust(cert_to_modify_trust, 'C,p,C');
check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer); check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
: useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
: 0, // mozilla::pkix is OK, NSS bug
certificateUsageSSLClient); certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA); certificateUsageSSLCA);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner); certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient); certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
: SEC_ERROR_INADEQUATE_CERT_TYPE, check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: 0,
certificateUsageVerifyCA); certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE, check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder); certificateUsageStatusResponder);
@@ -203,34 +163,26 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKI
//inherited EMAIL Trust //inherited EMAIL Trust
setCertTrust(cert_to_modify_trust, 'C,,C'); setCertTrust(cert_to_modify_trust, 'C,,C');
check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer); check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageSSLClient); certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA); certificateUsageSSLCA);
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageEmailSigner); certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0,
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageEmailRecipient); certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 check_cert_err_generic(ee_cert, 0, certificateUsageObjectSigner);
: SEC_ERROR_INADEQUATE_CERT_TYPE, check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: 0,
certificateUsageVerifyCA); certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE, check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder); certificateUsageStatusResponder);
} }
function run_test_in_mode(useMozillaPKIX) { function run_test() {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); for (let i = 0 ; i < certList.length; i++) {
load_cert(certList[i], ',,');
}
let ca_cert = certdb.findCertByNickname(null, 'ca'); let ca_cert = certdb.findCertByNickname(null, 'ca');
do_check_false(!ca_cert) do_check_false(!ca_cert)
@@ -240,17 +192,8 @@ function run_test_in_mode(useMozillaPKIX) {
do_check_false(!ee_cert); do_check_false(!ee_cert);
setup_basic_trusts(ca_cert, int_cert); setup_basic_trusts(ca_cert, int_cert);
test_ca_distrust(ee_cert, ca_cert, true, useMozillaPKIX); test_ca_distrust(ee_cert, ca_cert, true);
setup_basic_trusts(ca_cert, int_cert); setup_basic_trusts(ca_cert, int_cert);
test_ca_distrust(ee_cert, int_cert, false, useMozillaPKIX); test_ca_distrust(ee_cert, int_cert, false);
}
function run_test() {
for (let i = 0 ; i < certList.length; i++) {
load_cert(certList[i], ',,');
}
run_test_in_mode(true);
run_test_in_mode(false);
} }

451
security/manager/ssl/tests/unit/test_cert_version.js
View File

@@ -44,21 +44,20 @@ function check_ok_ca(x) {
return check_cert_err_generic(x, 0, certificateUsageSSLCA); return check_cert_err_generic(x, 0, certificateUsageSSLCA);
} }
function run_tests_in_mode(useMozillaPKIX) function run_test() {
{ load_cert("v1_ca", "CTu,CTu,CTu");
Services.prefs.setBoolPref("security.use_mozillapkix_verification", load_cert("v1_ca_bc", "CTu,CTu,CTu");
useMozillaPKIX); load_cert("v2_ca", "CTu,CTu,CTu");
load_cert("v2_ca_bc", "CTu,CTu,CTu");
load_cert("v3_ca", "CTu,CTu,CTu");
load_cert("v3_ca_missing_bc", "CTu,CTu,CTu");
check_ok_ca(cert_from_file('v1_ca.der')); check_ok_ca(cert_from_file('v1_ca.der'));
check_ca_err(cert_from_file('v1_ca_bc.der'), check_ca_err(cert_from_file('v1_ca_bc.der'), SEC_ERROR_EXTENSION_VALUE_INVALID);
useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0); check_ca_err(cert_from_file('v2_ca.der'), SEC_ERROR_CA_CERT_INVALID);
check_ca_err(cert_from_file('v2_ca.der'), check_ca_err(cert_from_file('v2_ca_bc.der'), SEC_ERROR_EXTENSION_VALUE_INVALID);
useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0);
check_ca_err(cert_from_file('v2_ca_bc.der'),
useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0);
check_ok_ca(cert_from_file('v3_ca.der')); check_ok_ca(cert_from_file('v3_ca.der'));
check_ca_err(cert_from_file('v3_ca_missing_bc.der'), check_ca_err(cert_from_file('v3_ca_missing_bc.der'), SEC_ERROR_CA_CERT_INVALID);
useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0);
// Classic allows v1 and v2 certs to be CA certs in trust anchor positions and // Classic allows v1 and v2 certs to be CA certs in trust anchor positions and
// intermediates when they have a v3 basic constraints extenstion (which // intermediates when they have a v3 basic constraints extenstion (which
@@ -76,33 +75,21 @@ function run_tests_in_mode(useMozillaPKIX)
////////////////// //////////////////
// v1 intermediate with v1 trust anchor // v1 intermediate with v1 trust anchor
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v1_int-v1_ca.der'), ca_error); check_ca_err(cert_from_file('v1_int-v1_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), ee_error);
// v1 intermediate with v3 extensions. CA is invalid. // v1 intermediate with v3 extensions. CA is invalid.
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_ca_err(cert_from_file('v1_int_bc-v1_ca.der'), ca_error); check_ca_err(cert_from_file('v1_int_bc-v1_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
@@ -113,33 +100,21 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
// A v2 intermediate with a v1 CA // A v2 intermediate with a v1 CA
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v2_int-v1_ca.der'), ca_error); check_ca_err(cert_from_file('v2_int-v1_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), ee_error);
// A v2 intermediate with basic constraints (not allowed in insanity) // A v2 intermediate with basic constraints (not allowed in insanity)
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_ca_err(cert_from_file('v2_int_bc-v1_ca.der'), ca_error); check_ca_err(cert_from_file('v2_int_bc-v1_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
@@ -151,21 +126,14 @@ function run_tests_in_mode(useMozillaPKIX)
// Section is OK. A x509 v3 CA MUST have bc // Section is OK. A x509 v3 CA MUST have bc
// http://tools.ietf.org/html/rfc5280#section-4.2.1.9 // http://tools.ietf.org/html/rfc5280#section-4.2.1.9
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID; check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error);
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
@@ -176,13 +144,8 @@ function run_tests_in_mode(useMozillaPKIX)
check_ok(cert_from_file('v2_ee-v3_int-v1_ca.der')); check_ok(cert_from_file('v2_ee-v3_int-v1_ca.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca.der')); check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca.der'));
check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca.der')); check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca.der'));
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'), ee_error);
@@ -192,33 +155,21 @@ function run_tests_in_mode(useMozillaPKIX)
// above // above
// Using A v1 intermediate // Using A v1 intermediate
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), ca_error); check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
// Using a v1 intermediate with v3 extenstions (invalid). // Using a v1 intermediate with v3 extenstions (invalid).
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_ca_err(cert_from_file('v1_int_bc-v1_ca_bc.der'), ca_error); check_ca_err(cert_from_file('v1_int_bc-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
@@ -229,33 +180,21 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
// Using v2 intermediate // Using v2 intermediate
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), ca_error); check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
// Using a v2 intermediate with basic constraints (invalid) // Using a v2 intermediate with basic constraints (invalid)
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_ca_err(cert_from_file('v2_int_bc-v1_ca_bc.der'), ca_error); check_ca_err(cert_from_file('v2_int_bc-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
@@ -266,33 +205,21 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
// Using a v3 intermediate that is missing basic constraints (invalid) // Using a v3 intermediate that is missing basic constraints (invalid)
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), ca_error); check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
// these should pass assuming we are OK with v1 ca signing v3 intermediates // these should pass assuming we are OK with v1 ca signing v3 intermediates
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_ca_err(cert_from_file('v3_int-v1_ca_bc.der'), ca_error); check_ca_err(cert_from_file('v3_int-v1_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v3_int-v1_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
@@ -308,33 +235,21 @@ function run_tests_in_mode(useMozillaPKIX)
////////////////// //////////////////
// v2 ca, v1 intermediate // v2 ca, v1 intermediate
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v1_int-v2_ca.der'), ca_error); check_ca_err(cert_from_file('v1_int-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), ee_error) check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), ee_error)
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), ee_error);
// v2 ca, v1 intermediate with basic constraints (invalid) // v2 ca, v1 intermediate with basic constraints (invalid)
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), ca_error); check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
@@ -345,33 +260,21 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
// v2 ca, v2 intermediate // v2 ca, v2 intermediate
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v2_int-v2_ca.der'), ca_error); check_ca_err(cert_from_file('v2_int-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), ee_error) check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), ee_error)
// v2 ca, v2 intermediate with basic constraints (invalid) // v2 ca, v2 intermediate with basic constraints (invalid)
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_ca_err(cert_from_file('v2_int_bc-v2_ca.der'), ca_error); check_ca_err(cert_from_file('v2_int_bc-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
@@ -382,77 +285,48 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
// v2 ca, v3 intermediate missing basic constraints // v2 ca, v3 intermediate missing basic constraints
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), ca_error); check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
// v2 ca, v3 intermediate // v2 ca, v3 intermediate
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_ca_err(cert_from_file('v3_int-v2_ca.der'), ca_error); check_ca_err(cert_from_file('v3_int-v2_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), ee_error);
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), ee_error);
// v2 ca, v1 intermediate // v2 ca, v1 intermediate
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), ca_error); check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
// v2 ca, v1 intermediate with bc (invalid) // v2 ca, v1 intermediate with bc (invalid)
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_ca_err(cert_from_file('v1_int_bc-v2_ca_bc.der'), ca_error); check_ca_err(cert_from_file('v1_int_bc-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
@@ -463,33 +337,21 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
// v2 ca, v2 intermediate // v2 ca, v2 intermediate
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), ca_error); check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
// v2 ca, v2 intermediate with bc (invalid) // v2 ca, v2 intermediate with bc (invalid)
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_ca_err(cert_from_file('v2_int_bc-v2_ca_bc.der'), ca_error); check_ca_err(cert_from_file('v2_int_bc-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
@@ -500,33 +362,21 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
// v2 ca, invalid v3 intermediate // v2 ca, invalid v3 intermediate
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), ca_error); check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error) check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error)
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
// v2 ca, valid v3 intermediate (is OK if we use 'classic' semantics) // v2 ca, valid v3 intermediate (is OK if we use 'classic' semantics)
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_ca_err(cert_from_file('v3_int-v2_ca_bc.der'), ca_error); check_ca_err(cert_from_file('v3_int-v2_ca_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
@@ -541,33 +391,21 @@ function run_tests_in_mode(useMozillaPKIX)
////////////////// //////////////////
// v3 ca, v1 intermediate // v3 ca, v1 intermediate
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v1_int-v3_ca.der'), ca_error); check_ca_err(cert_from_file('v1_int-v3_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), ee_error);
// A v1 intermediate with v3 extensions // A v1 intermediate with v3 extensions
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_ca_err(cert_from_file('v1_int_bc-v3_ca.der'), ca_error); check_ca_err(cert_from_file('v1_int_bc-v3_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
@@ -578,33 +416,21 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'), ee_error) check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'), ee_error)
// reject a v2 cert as intermediate // reject a v2 cert as intermediate
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v2_int-v3_ca.der'), ca_error); check_ca_err(cert_from_file('v2_int-v3_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), ee_error);
// v2 intermediate with bc (invalid) // v2 intermediate with bc (invalid)
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_ca_err(cert_from_file('v2_int_bc-v3_ca.der'), ca_error); check_ca_err(cert_from_file('v2_int_bc-v3_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
@@ -615,21 +441,14 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
// invalid v3 intermediate // invalid v3 intermediate
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), ca_error); check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
@@ -641,45 +460,28 @@ function run_tests_in_mode(useMozillaPKIX)
check_ok(cert_from_file('v2_ee-v3_int-v3_ca.der')); check_ok(cert_from_file('v2_ee-v3_int-v3_ca.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca.der')); check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca.der'));
check_ok(cert_from_file('v3_bc_ee-v3_int-v3_ca.der')); check_ok(cert_from_file('v3_bc_ee-v3_int-v3_ca.der'));
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'), ee_error);
// v3 CA, invalid v3 intermediate // v3 CA, invalid v3 intermediate
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), ca_error); check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
// Int v1 with BC that is just invalid (classic fail insanity OK) // Int v1 with BC that is just invalid (classic fail insanity OK)
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), ca_error); check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
@@ -690,33 +492,21 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
// Good section (all fail) // Good section (all fail)
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), ca_error); check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
// v2 intermediate (even with basic constraints) is invalid // v2 intermediate (even with basic constraints) is invalid
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), ca_error); check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
@@ -727,58 +517,29 @@ function run_tests_in_mode(useMozillaPKIX)
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
// v3 intermediate missing basic constraints is invalid // v3 intermediate missing basic constraints is invalid
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
ee_error = SEC_ERROR_UNKNOWN_ISSUER;
}
check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), ca_error); check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
if (useMozillaPKIX) { ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
}
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
// With a v3 root missing bc and valid v3 intermediate // With a v3 root missing bc and valid v3 intermediate
if (useMozillaPKIX) { ca_error = SEC_ERROR_CA_CERT_INVALID;
ca_error = SEC_ERROR_CA_CERT_INVALID; ee_error = SEC_ERROR_CA_CERT_INVALID;
ee_error = SEC_ERROR_CA_CERT_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), ca_error); check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), ca_error);
check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
if (useMozillaPKIX) { ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
} else {
ca_error = 0;
ee_error = 0;
}
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
} }
function run_test() {
load_cert("v1_ca", "CTu,CTu,CTu");
load_cert("v1_ca_bc", "CTu,CTu,CTu");
load_cert("v2_ca", "CTu,CTu,CTu");
load_cert("v2_ca_bc", "CTu,CTu,CTu");
load_cert("v3_ca", "CTu,CTu,CTu");
load_cert("v3_ca_missing_bc", "CTu,CTu,CTu");
run_tests_in_mode(false);
run_tests_in_mode(true);
}

58
security/manager/ssl/tests/unit/test_certificate_usages.js
View File

@@ -31,70 +31,48 @@ function run_test() {
var cert = certdb.findCertByNickname(null, ca_name); var cert = certdb.findCertByNickname(null, ca_name);
} }
run_test_in_mode(true);
run_test_in_mode(false);
}
function run_test_in_mode(useMozillaPKIX) {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
clearOCSPCache();
clearSessionCache();
// mozilla::pkix does not allow CA certs to be validated for non-CA usages.
var allCAUsages = useMozillaPKIX
? 'SSL CA'
: 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
// mozilla::pkix doesn't allow CA certificates to have the Status Responder // mozilla::pkix doesn't allow CA certificates to have the Status Responder
// EKU. // EKU.
var ca_usages = [allCAUsages, var ca_usages = ['SSL CA',
'SSL CA', 'SSL CA',
allCAUsages, 'SSL CA',
useMozillaPKIX ? '' ''];
: 'Client,Server,Sign,Encrypt,Status Responder'];
// mozilla::pkix doesn't implement the Netscape Object Signer restriction. // mozilla::pkix doesn't implement the Netscape Object Signer restriction.
var basicEndEntityUsages = useMozillaPKIX var basicEndEntityUsages = 'Client,Server,Sign,Encrypt,Object Signer';
? 'Client,Server,Sign,Encrypt,Object Signer'
: 'Client,Server,Sign,Encrypt';
var basicEndEntityUsagesWithObjectSigner = basicEndEntityUsages + ",Object Signer" var basicEndEntityUsagesWithObjectSigner = basicEndEntityUsages + ",Object Signer"
// mozilla::pkix won't let a certificate with the "Status Responder" EKU get // mozilla::pkix won't let a certificate with the 'Status Responder' EKU get
// validated for any other usage. // validated for any other usage.
var statusResponderUsages = (useMozillaPKIX ? "" : "Server,") + "Status Responder";
var statusResponderUsagesFull
= useMozillaPKIX ? statusResponderUsages
: basicEndEntityUsages + ',Object Signer,Status Responder';
var ee_usages = [ var ee_usages = [
[ basicEndEntityUsages, [ basicEndEntityUsages,
basicEndEntityUsages, basicEndEntityUsages,
basicEndEntityUsages, basicEndEntityUsages,
'', '',
statusResponderUsagesFull, 'Status Responder',
'Client,Server', 'Client,Server',
'Sign,Encrypt,Object Signer', 'Sign,Encrypt,Object Signer',
statusResponderUsages 'Status Responder'
], ],
[ basicEndEntityUsages, [ basicEndEntityUsages,
basicEndEntityUsages, basicEndEntityUsages,
basicEndEntityUsages, basicEndEntityUsages,
'', '',
statusResponderUsagesFull, 'Status Responder',
'Client,Server', 'Client,Server',
'Sign,Encrypt,Object Signer', 'Sign,Encrypt,Object Signer',
statusResponderUsages 'Status Responder'
], ],
[ basicEndEntityUsages, [ basicEndEntityUsages,
basicEndEntityUsages, basicEndEntityUsages,
basicEndEntityUsages, basicEndEntityUsages,
'', '',
statusResponderUsagesFull, 'Status Responder',
'Client,Server', 'Client,Server',
'Sign,Encrypt,Object Signer', 'Sign,Encrypt,Object Signer',
statusResponderUsages 'Status Responder'
], ],
// The CA has isCA=true without keyCertSign. // The CA has isCA=true without keyCertSign.
@@ -103,14 +81,14 @@ function run_test_in_mode(useMozillaPKIX) {
// capabilites so the cert is considered a CA. // capabilites so the cert is considered a CA.
// mozilla::pkix and libpkix use the intersection of // mozilla::pkix and libpkix use the intersection of
// capabilites, so the cert is NOT considered a CA. // capabilites, so the cert is NOT considered a CA.
[ useMozillaPKIX ? '' : basicEndEntityUsages, [ '',
useMozillaPKIX ? '' : basicEndEntityUsages,
useMozillaPKIX ? '' : basicEndEntityUsages,
'', '',
useMozillaPKIX ? '' : statusResponderUsagesFull, '',
useMozillaPKIX ? '' : 'Client,Server', '',
useMozillaPKIX ? '' : 'Sign,Encrypt,Object Signer', '',
useMozillaPKIX ? '' : 'Server,Status Responder' '',
'',
''
] ]
]; ];

49
security/manager/ssl/tests/unit/test_ev_certs.js
View File

@@ -80,18 +80,6 @@ function run_test() {
// setup and start ocsp responder // setup and start ocsp responder
Services.prefs.setCharPref("network.dns.localDomains", Services.prefs.setCharPref("network.dns.localDomains",
'www.example.com, crl.example.com'); 'www.example.com, crl.example.com');
add_tests_in_mode(true);
add_tests_in_mode(false);
run_next_test();
}
function add_tests_in_mode(useMozillaPKIX)
{
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
add_test(function () { add_test(function () {
clearOCSPCache(); clearOCSPCache();
@@ -138,9 +126,7 @@ function add_tests_in_mode(useMozillaPKIX)
clearOCSPCache(); clearOCSPCache();
let ocspResponder = failingOCSPResponder(); let ocspResponder = failingOCSPResponder();
check_cert_err("ev-valid", check_cert_err("ev-valid",SEC_ERROR_UNKNOWN_ISSUER);
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER);
ocspResponder.stop(run_next_test); ocspResponder.stop(run_next_test);
}); });
@@ -162,24 +148,15 @@ function add_tests_in_mode(useMozillaPKIX)
}); });
add_test(function () { add_test(function () {
check_no_ocsp_requests("ev-valid", check_no_ocsp_requests("ev-valid", SEC_ERROR_POLICY_VALIDATION_FAILED);
useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
: (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
: SEC_ERROR_EXTENSION_NOT_FOUND));
}); });
add_test(function () { add_test(function () {
check_no_ocsp_requests("non-ev-root", check_no_ocsp_requests("non-ev-root", SEC_ERROR_POLICY_VALIDATION_FAILED);
useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
: (isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER
: SEC_ERROR_EXTENSION_NOT_FOUND));
}); });
add_test(function () { add_test(function () {
check_no_ocsp_requests("no-ocsp-url-cert", check_no_ocsp_requests("no-ocsp-url-cert", SEC_ERROR_POLICY_VALIDATION_FAILED);
useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
: (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
: SEC_ERROR_EXTENSION_NOT_FOUND));
}); });
@@ -203,9 +180,7 @@ function add_tests_in_mode(useMozillaPKIX)
flags, verifiedChain, hasEVPolicy); flags, verifiedChain, hasEVPolicy);
do_check_eq(hasEVPolicy.value, isDebugBuild); do_check_eq(hasEVPolicy.value, isDebugBuild);
do_check_eq(error, do_check_eq(error,
isDebugBuild ? 0 isDebugBuild ? 0 : SEC_ERROR_POLICY_VALIDATION_FAILED);
: (useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
: SEC_ERROR_EXTENSION_NOT_FOUND));
failingOcspResponder.stop(run_next_test); failingOcspResponder.stop(run_next_test);
}); });
}); });
@@ -235,17 +210,13 @@ function add_tests_in_mode(useMozillaPKIX)
let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"]; let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
let debugResponseArray = ["good", "longvalidityalmostold", let debugResponseArray = ["good", "longvalidityalmostold",
"longvalidityalmostold"]; "longvalidityalmostold"];
if (!useMozillaPKIX) {
debugCertNickArray = ["int-ev-valid", "ev-valid"];
debugResponseArray = ["good", "longvalidityalmostold"];
}
let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [], let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [],
"test_ev_certs", "test_ev_certs",
isDebugBuild ? debugCertNickArray : ["ev-valid"], isDebugBuild ? debugCertNickArray : ["ev-valid"],
[], [], [], [],
isDebugBuild ? debugResponseArray isDebugBuild ? debugResponseArray
: ["longvalidityalmostold"]); : ["longvalidityalmostold"]);
check_ee_for_ev("ev-valid", !useMozillaPKIX && isDebugBuild); check_ee_for_ev("ev-valid", false);
ocspResponder.stop(run_next_test); ocspResponder.stop(run_next_test);
}); });
@@ -256,19 +227,17 @@ function add_tests_in_mode(useMozillaPKIX)
let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"]; let debugCertNickArray = ["int-ev-valid", "ev-valid", "ev-valid"];
let debugResponseArray = ["good", "ancientstillvalid", let debugResponseArray = ["good", "ancientstillvalid",
"ancientstillvalid"]; "ancientstillvalid"];
if (!useMozillaPKIX) {
debugCertNickArray = ["int-ev-valid", "ev-valid"];
debugResponseArray = ["good", "ancientstillvalid"];
}
let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [], let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [],
"test_ev_certs", "test_ev_certs",
isDebugBuild ? debugCertNickArray : ["ev-valid"], isDebugBuild ? debugCertNickArray : ["ev-valid"],
[], [], [], [],
isDebugBuild ? debugResponseArray isDebugBuild ? debugResponseArray
: ["ancientstillvalid"]); : ["ancientstillvalid"]);
check_ee_for_ev("ev-valid", !useMozillaPKIX && isDebugBuild); check_ee_for_ev("ev-valid", false);
ocspResponder.stop(run_next_test); ocspResponder.stop(run_next_test);
}); });
run_next_test();
} }
// bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert // bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert

8
security/manager/ssl/tests/unit/test_getchain.js
View File

@@ -70,8 +70,7 @@ function check_getchain(ee_cert, ssl_ca, email_ca){
check_matching_issuer_and_getchain(ee_cert.issuer.serialNumber, ee_cert); check_matching_issuer_and_getchain(ee_cert.issuer.serialNumber, ee_cert);
} }
function run_test_in_mode(useMozillaPKIX) { function run_test() {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
clearOCSPCache(); clearOCSPCache();
clearSessionCache(); clearSessionCache();
@@ -88,8 +87,3 @@ function run_test_in_mode(useMozillaPKIX) {
// Swap ca certs to deal alternate trust settings. // Swap ca certs to deal alternate trust settings.
check_getchain(ee_cert, ca[2], ca[1]); check_getchain(ee_cert, ca[2], ca[1]);
} }
function run_test() {
run_test_in_mode(true);
run_test_in_mode(false);
}

25
security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
View File

@@ -38,20 +38,14 @@ function test_cert_for_usages(certChainNicks, expected_usages_string) {
do_check_eq(expected_usages_string, usages.value); do_check_eq(expected_usages_string, usages.value);
} }
function run_test_in_mode(useMozillaPKIX) { function run_test() {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
// mozilla::pkix doesn't support the obsolete Netscape object signing // mozilla::pkix doesn't support the obsolete Netscape object signing
// extension, but NSS does. // extension, but NSS does.
let ee_usage1 = useMozillaPKIX let ee_usage1 = 'Client,Server,Sign,Encrypt,Object Signer';
? 'Client,Server,Sign,Encrypt,Object Signer'
: 'Client,Server,Sign,Encrypt'
// mozilla::pkix doesn't validate CA certificates for non-CA uses, but // mozilla::pkix doesn't validate CA certificates for non-CA uses, but
// NSS does. // NSS does.
let ca_usage1 = useMozillaPKIX let ca_usage1 = "SSL CA";
? "SSL CA"
: 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
// Load the ca into mem // Load the ca into mem
let ca_name = "ca"; let ca_name = "ca";
@@ -87,8 +81,7 @@ function run_test_in_mode(useMozillaPKIX) {
// XXX: It seems the NSS code does not consider the path length of the // XXX: It seems the NSS code does not consider the path length of the
// certificate we're validating, but mozilla::pkix does. mozilla::pkix's // certificate we're validating, but mozilla::pkix does. mozilla::pkix's
// behavior is correct. // behavior is correct.
test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"], test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"], "");
useMozillaPKIX ? "" : ca_usage1);
test_cert_for_usages(["ee-int-limited-depth-invalid", test_cert_for_usages(["ee-int-limited-depth-invalid",
"int-limited-depth-invalid", "int-limited-depth-invalid",
"int-limited-depth"], "int-limited-depth"],
@@ -103,10 +96,7 @@ function run_test_in_mode(useMozillaPKIX) {
// but the KU extension is missing keyCertSign. Note that mozilla::pkix // but the KU extension is missing keyCertSign. Note that mozilla::pkix
// doesn't validate certificates with basicConstraints.Ca==true for non-CA // doesn't validate certificates with basicConstraints.Ca==true for non-CA
// uses, but NSS does. // uses, but NSS does.
test_cert_for_usages(["int-bad-ku-no-eku"], test_cert_for_usages(["int-bad-ku-no-eku"], "");
useMozillaPKIX
? ""
: 'Client,Server,Sign,Encrypt,Status Responder');
test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], ""); test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], "");
// int-no-ku-no-eku has basicConstraints.cA==true and no KU extension. // int-no-ku-no-eku has basicConstraints.cA==true and no KU extension.
@@ -132,8 +122,3 @@ function run_test_in_mode(useMozillaPKIX) {
test_cert_for_usages(["ee-int-no-ku-server-eku", "int-no-ku-server-eku"], test_cert_for_usages(["ee-int-no-ku-server-eku", "int-no-ku-server-eku"],
"Client,Server"); "Client,Server");
} }
function run_test() {
run_test_in_mode(true);
run_test_in_mode(false);
}

13
security/manager/ssl/tests/unit/test_name_constraints.js
View File

@@ -50,8 +50,9 @@ function check_fail_ca(x) {
return check_cert_err_generic(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLCA); return check_cert_err_generic(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLCA);
} }
function run_test_in_mode(useMozillaPKIX) { function run_test() {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu");
load_cert("ca-nc", "CTu,CTu,CTu");
// Note that CN is only looked at when there is NO subjectAltName! // Note that CN is only looked at when there is NO subjectAltName!
@@ -269,11 +270,3 @@ function run_test_in_mode(useMozillaPKIX) {
check_cert_err_generic(cert, 0, certificateUsageSSLClient); check_cert_err_generic(cert, 0, certificateUsageSSLClient);
} }
} }
function run_test() {
load_cert("ca-nc-perm-foo.com", "CTu,CTu,CTu");
load_cert("ca-nc", "CTu,CTu,CTu");
run_test_in_mode(true);
run_test_in_mode(false);
}

11
security/manager/ssl/tests/unit/test_ocsp_caching.js
View File

@@ -40,20 +40,13 @@ function run_test() {
}); });
ocspResponder.start(8080); ocspResponder.start(8080);
add_tests_in_mode(true); add_tests();
add_tests_in_mode(false);
add_test(function() { ocspResponder.stop(run_next_test); }); add_test(function() { ocspResponder.stop(run_next_test); });
run_next_test(); run_next_test();
} }
function add_tests_in_mode(useMozillaPKIX) { function add_tests() {
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
// This test assumes that OCSPStaplingServer uses the same cert for // This test assumes that OCSPStaplingServer uses the same cert for
// ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com. // ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com.

25
security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
View File

@@ -38,19 +38,6 @@ function run_test() {
Services.prefs.setCharPref("network.dns.localDomains", Services.prefs.setCharPref("network.dns.localDomains",
"www.example.com"); "www.example.com");
add_tests_in_mode(true);
add_tests_in_mode(false);
run_next_test();
}
function add_tests_in_mode(useMozillaPKIX)
{
add_test(function() {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
add_test(function() { add_test(function() {
clearOCSPCache(); clearOCSPCache();
Services.prefs.setBoolPref("security.OCSP.GET.enabled", false); Services.prefs.setBoolPref("security.OCSP.GET.enabled", false);
@@ -72,13 +59,11 @@ function add_tests_in_mode(useMozillaPKIX)
clearOCSPCache(); clearOCSPCache();
Services.prefs.setBoolPref("security.OCSP.GET.enabled", true); Services.prefs.setBoolPref("security.OCSP.GET.enabled", true);
// Bug 1016681 mozilla::pkix does not support fallback yet. // Bug 1016681 mozilla::pkix does not support fallback yet.
if (!useMozillaPKIX) { // let ocspResponder = start_ocsp_responder(["b", "a"], [], ["GET", "POST"]);
let ocspResponder = start_ocsp_responder(["b", "a"], [], ["GET", "POST"]); // check_cert_err("a", 0);
check_cert_err("a", 0); // ocspResponder.stop(run_next_test);
ocspResponder.stop(run_next_test); run_next_test();
} else {
run_next_test();
}
}); });
run_next_test();
} }

27
security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
View File

@@ -28,8 +28,14 @@ function run_test() {
}); });
ocspResponder.start(8080); ocspResponder.start(8080);
add_tests_in_mode(true); // ocsp-stapling-none.example.com does not staple an OCSP response in the
add_tests_in_mode(false); // handshake, so the revocation checking code will attempt to fetch one.
// Since the domain of the certificate's OCSP AIA URI is an HSTS host
// (as added in the setup of this test, below), a buggy implementation would
// upgrade the OCSP request to HTTPS. We specifically prevent this. This
// test demonstrates that our implementation is correct in this regard.
add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK);
add_test(function () { run_next_test(); });
add_test(function () { ocspResponder.stop(run_next_test); }); add_test(function () { ocspResponder.stop(run_next_test); });
@@ -43,20 +49,3 @@ function run_test() {
run_next_test(); run_next_test();
} }
function add_tests_in_mode(useMozillaPKIX) {
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
// ocsp-stapling-none.example.com does not staple an OCSP response in the
// handshake, so the revocation checking code will attempt to fetch one.
// Since the domain of the certificate's OCSP AIA URI is an HSTS host
// (as added in the setup of this test), a buggy implementation would
// upgrade the OCSP request to HTTPS. We specifically prevent this. This
// test demonstrates that our implementation is correct in this regard.
add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK);
add_test(function () { run_next_test(); });
}

11
security/manager/ssl/tests/unit/test_ocsp_required.js
View File

@@ -32,22 +32,15 @@ function run_test() {
}); });
ocspResponder.start(8080); ocspResponder.start(8080);
add_tests_in_mode(true); add_tests();
add_tests_in_mode(false);
add_test(function () { ocspResponder.stop(run_next_test); }); add_test(function () { ocspResponder.stop(run_next_test); });
run_next_test(); run_next_test();
} }
function add_tests_in_mode(useMozillaPKIX) function add_tests()
{ {
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
add_connection_test("ocsp-stapling-none.example.com", add_connection_test("ocsp-stapling-none.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE)); getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
add_connection_test("ocsp-stapling-none.example.com", add_connection_test("ocsp-stapling-none.example.com",

32
security/manager/ssl/tests/unit/test_ocsp_stapling.js
View File

@@ -21,13 +21,7 @@ function add_ocsp_test(aHost, aExpectedResult, aStaplingEnabled) {
}); });
} }
function add_tests_in_mode(useMozillaPKIX, certDB, otherTestCA) { function add_tests(certDB, otherTestCA) {
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
// In the absence of OCSP stapling, these should actually all work. // In the absence of OCSP stapling, these should actually all work.
add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false); add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false); add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false);
@@ -115,16 +109,11 @@ function add_tests_in_mode(useMozillaPKIX, certDB, otherTestCA) {
add_ocsp_test("ocsp-stapling-empty.example.com", add_ocsp_test("ocsp-stapling-empty.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true); getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
// TODO(bug 979070): NSS can't handle this yet. add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
if (useMozillaPKIX) { getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
}
add_ocsp_test("ocsp-stapling-critical-extension.example.com", add_ocsp_test("ocsp-stapling-critical-extension.example.com",
useMozillaPKIX getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION),
? getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION)
: Cr.NS_OK, // TODO(bug 987426): NSS doesn't handle unknown critical extensions
true); true);
add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", Cr.NS_OK, true); add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", Cr.NS_OK, true);
// TODO(bug 997994): Disallow empty Extensions in responses // TODO(bug 997994): Disallow empty Extensions in responses
@@ -155,11 +144,11 @@ function check_ocsp_stapling_telemetry() {
.getService(Ci.nsITelemetry) .getService(Ci.nsITelemetry)
.getHistogramById("SSL_OCSP_STAPLING") .getHistogramById("SSL_OCSP_STAPLING")
.snapshot(); .snapshot();
do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
do_check_eq(histogram.counts[1], 5 + 6); // 5 or 6 connections with a good response (bug 987426) do_check_eq(histogram.counts[1], 5); // 5 connections with a good response
do_check_eq(histogram.counts[2], 2 * 18); // 18 connections with no stapled resp. do_check_eq(histogram.counts[2], 18); // 18 connections with no stapled resp.
do_check_eq(histogram.counts[3], 2 * 0); // 0 connections with an expired response do_check_eq(histogram.counts[3], 0); // 0 connections with an expired response
do_check_eq(histogram.counts[4], 19 + 17); // 19 or 17 connections with bad responses (bug 979070, bug 987426) do_check_eq(histogram.counts[4], 19); // 19 connections with bad responses
run_next_test(); run_next_test();
} }
@@ -181,8 +170,7 @@ function run_test() {
add_tls_server_setup("OCSPStaplingServer"); add_tls_server_setup("OCSPStaplingServer");
add_tests_in_mode(true, certDB, otherTestCA); add_tests(certDB, otherTestCA);
add_tests_in_mode(false, certDB, otherTestCA);
add_test(function () { add_test(function () {
fakeOCSPResponder.stop(check_ocsp_stapling_telemetry); fakeOCSPResponder.stop(check_ocsp_stapling_telemetry);

131
security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
View File

@@ -60,20 +60,6 @@ function run_test() {
}); });
ocspResponder.start(8080); ocspResponder.start(8080);
add_tls_server_setup("OCSPStaplingServer"); add_tls_server_setup("OCSPStaplingServer");
add_tests_in_mode(true);
add_tests_in_mode(false);
add_test(function () { ocspResponder.stop(run_next_test); });
add_test(check_ocsp_stapling_telemetry);
run_next_test();
}
function add_tests_in_mode(useMozillaPKIX)
{
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
// In these tests, the OCSP stapling server gives us a stapled // In these tests, the OCSP stapling server gives us a stapled
// response based on the host name ("ocsp-stapling-expired" or // response based on the host name ("ocsp-stapling-expired" or
@@ -88,37 +74,25 @@ function add_tests_in_mode(useMozillaPKIX)
ocspResponseGood); ocspResponseGood);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK, add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
ocspResponseGood); ocspResponseGood);
// With mozilla::pkix, if we can't fetch a more recent response when // if we can't fetch a more recent response when
// given an expired stapled response, we terminate the connection. // given an expired stapled response, we terminate the connection.
add_ocsp_test("ocsp-stapling-expired.example.com", add_ocsp_test("ocsp-stapling-expired.example.com",
useMozillaPKIX getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
: Cr.NS_OK,
expiredOCSPResponseGood); expiredOCSPResponseGood);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
useMozillaPKIX getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
: Cr.NS_OK,
expiredOCSPResponseGood); expiredOCSPResponseGood);
add_ocsp_test("ocsp-stapling-expired.example.com", add_ocsp_test("ocsp-stapling-expired.example.com",
useMozillaPKIX getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
: Cr.NS_OK,
oldValidityPeriodOCSPResponseGood); oldValidityPeriodOCSPResponseGood);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
useMozillaPKIX getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
: Cr.NS_OK,
oldValidityPeriodOCSPResponseGood); oldValidityPeriodOCSPResponseGood);
add_ocsp_test("ocsp-stapling-expired.example.com", add_ocsp_test("ocsp-stapling-expired.example.com",
useMozillaPKIX getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
: Cr.NS_OK,
null); null);
add_ocsp_test("ocsp-stapling-expired.example.com", add_ocsp_test("ocsp-stapling-expired.example.com",
useMozillaPKIX getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
: Cr.NS_OK,
null); null);
// Of course, if the newer response indicates Revoked or Unknown, // Of course, if the newer response indicates Revoked or Unknown,
// that status must be returned. // that status must be returned.
@@ -135,47 +109,47 @@ function add_tests_in_mode(useMozillaPKIX)
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
ocspResponseUnknown); ocspResponseUnknown);
if (useMozillaPKIX) { // If the response is expired but indicates Revoked or Unknown and a
// If the response is expired but indicates Revoked or Unknown and a // newer status can't be fetched, the Revoked or Unknown status will
// newer status can't be fetched, the Revoked or Unknown status will // be returned.
// be returned. add_ocsp_test("ocsp-stapling-revoked-old.example.com",
add_ocsp_test("ocsp-stapling-revoked-old.example.com", getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), null);
null); add_ocsp_test("ocsp-stapling-unknown-old.example.com",
add_ocsp_test("ocsp-stapling-unknown-old.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), null);
null); // If the response is expired but indicates Revoked or Unknown and
// If the response is expired but indicates Revoked or Unknown and // a newer status can be fetched and successfully verified, this
// a newer status can be fetched and successfully verified, this // should result in a successful certificate verification.
// should result in a successful certificate verification. add_ocsp_test("ocsp-stapling-revoked-old.example.com", Cr.NS_OK,
add_ocsp_test("ocsp-stapling-revoked-old.example.com", Cr.NS_OK, ocspResponseGood);
ocspResponseGood); add_ocsp_test("ocsp-stapling-unknown-old.example.com", Cr.NS_OK,
add_ocsp_test("ocsp-stapling-unknown-old.example.com", Cr.NS_OK, ocspResponseGood);
ocspResponseGood); // If a newer status can be fetched but it fails to verify, the
// If a newer status can be fetched but it fails to verify, the // Revoked or Unknown status of the expired stapled response
// Revoked or Unknown status of the expired stapled response // should be returned.
// should be returned. add_ocsp_test("ocsp-stapling-revoked-old.example.com",
add_ocsp_test("ocsp-stapling-revoked-old.example.com", getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), expiredOCSPResponseGood);
expiredOCSPResponseGood); add_ocsp_test("ocsp-stapling-unknown-old.example.com",
add_ocsp_test("ocsp-stapling-unknown-old.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), expiredOCSPResponseGood);
expiredOCSPResponseGood);
}
if (useMozillaPKIX) { // These tests are verifying that an valid but very old response
// These tests are verifying that an valid but very old response // is rejected as a valid stapled response, requiring a fetch
// is rejected as a valid stapled response, requiring a fetch // from the ocsp responder.
// from the ocsp responder. add_ocsp_test("ocsp-stapling-ancient-valid.example.com", Cr.NS_OK,
add_ocsp_test("ocsp-stapling-ancient-valid.example.com", Cr.NS_OK, ocspResponseGood);
ocspResponseGood); add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
add_ocsp_test("ocsp-stapling-ancient-valid.example.com", getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), ocspResponseRevoked);
ocspResponseRevoked); add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
add_ocsp_test("ocsp-stapling-ancient-valid.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), ocspResponseUnknown);
ocspResponseUnknown);
} add_test(function () { ocspResponder.stop(run_next_test); });
add_test(check_ocsp_stapling_telemetry);
run_next_test();
} }
function check_ocsp_stapling_telemetry() { function check_ocsp_stapling_telemetry() {
@@ -183,11 +157,10 @@ function check_ocsp_stapling_telemetry() {
.getService(Ci.nsITelemetry) .getService(Ci.nsITelemetry)
.getHistogramById("SSL_OCSP_STAPLING") .getHistogramById("SSL_OCSP_STAPLING")
.snapshot(); .snapshot();
do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
do_check_eq(histogram.counts[1], 2 * 0); // 0 connections with a good response do_check_eq(histogram.counts[1], 0); // 0 connections with a good response
do_check_eq(histogram.counts[2], 2 * 0); // 0 connections with no stapled resp. do_check_eq(histogram.counts[2], 0); // 0 connections with no stapled resp.
do_check_eq(histogram.counts[3], 2 * 12 + 9); // 12 connections with an expired response do_check_eq(histogram.counts[3], 21); // 21 connections with an expired response
// +9 more mozilla::pkix-only expired responses do_check_eq(histogram.counts[4], 0); // 0 connections with bad responses
do_check_eq(histogram.counts[4], 2 * 0); // 0 connections with bad responses
run_next_test(); run_next_test();
} }

13
security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
View File

@@ -33,8 +33,7 @@ function run_test() {
add_tls_server_setup("OCSPStaplingServer"); add_tls_server_setup("OCSPStaplingServer");
add_tests_in_mode(true); add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
add_tests_in_mode(false);
add_test(function () { ocspResponder.stop(run_next_test); }); add_test(function () { ocspResponder.stop(run_next_test); });
add_test(function() { add_test(function() {
@@ -43,13 +42,3 @@ function run_test() {
}); });
run_next_test(); run_next_test();
} }
function add_tests_in_mode(useMozillaPKIX) {
add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
}

10
security/manager/ssl/tests/unit/test_ocsp_timeout.js
View File

@@ -38,20 +38,16 @@ function run_test() {
socket.init(8080, true, -1); socket.init(8080, true, -1);
socket.asyncListen(gSocketListener); socket.asyncListen(gSocketListener);
add_tests_in_mode(true, true); add_tests_in_mode(true);
add_tests_in_mode(false, true); add_tests_in_mode(false);
add_tests_in_mode(true, false);
add_tests_in_mode(false, false);
add_test(function() { socket.close(); run_next_test(); }); add_test(function() { socket.close(); run_next_test(); });
run_next_test(); run_next_test();
} }
function add_tests_in_mode(useMozillaPKIX, useHardFail) { function add_tests_in_mode(useHardFail) {
let startTime; let startTime;
add_test(function () { add_test(function () {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
Services.prefs.setBoolPref("security.OCSP.require", useHardFail); Services.prefs.setBoolPref("security.OCSP.require", useHardFail);
startTime = new Date(); startTime = new Date();
run_next_test(); run_next_test();

42
security/manager/ssl/tests/unit/test_ocsp_url.js
View File

@@ -40,43 +40,24 @@ function run_test() {
Services.prefs.setCharPref("network.dns.localDomains", Services.prefs.setCharPref("network.dns.localDomains",
"www.example.com"); "www.example.com");
add_tests_in_mode(true);
add_tests_in_mode(false);
run_next_test();
}
function add_tests_in_mode(useMozillaPKIX)
{
add_test(function() {
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
add_test(function() { add_test(function() {
clearOCSPCache(); clearOCSPCache();
let ocspResponder = failingOCSPResponder(); let ocspResponder = failingOCSPResponder();
check_cert_err("bad-scheme", check_cert_err("bad-scheme",SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
: SEC_ERROR_OCSP_MALFORMED_REQUEST);
ocspResponder.stop(run_next_test); ocspResponder.stop(run_next_test);
}); });
add_test(function() { add_test(function() {
clearOCSPCache(); clearOCSPCache();
let ocspResponder = failingOCSPResponder(); let ocspResponder = failingOCSPResponder();
check_cert_err("empty-scheme-url", check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
: SEC_ERROR_OCSP_MALFORMED_REQUEST);
ocspResponder.stop(run_next_test); ocspResponder.stop(run_next_test);
}); });
add_test(function() { add_test(function() {
clearOCSPCache(); clearOCSPCache();
let ocspResponder = failingOCSPResponder(); let ocspResponder = failingOCSPResponder();
check_cert_err("https-url", check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
: SEC_ERROR_OCSP_MALFORMED_REQUEST);
ocspResponder.stop(run_next_test); ocspResponder.stop(run_next_test);
}); });
@@ -90,9 +71,7 @@ function add_tests_in_mode(useMozillaPKIX)
add_test(function() { add_test(function() {
clearOCSPCache(); clearOCSPCache();
let ocspResponder = failingOCSPResponder(); let ocspResponder = failingOCSPResponder();
check_cert_err("negative-port", check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
: SEC_ERROR_OCSP_MALFORMED_REQUEST);
ocspResponder.stop(run_next_test); ocspResponder.stop(run_next_test);
}); });
@@ -114,28 +93,23 @@ function add_tests_in_mode(useMozillaPKIX)
add_test(function() { add_test(function() {
clearOCSPCache(); clearOCSPCache();
let ocspResponder = failingOCSPResponder(); let ocspResponder = failingOCSPResponder();
check_cert_err("no-scheme-host-port", check_cert_err("no-scheme-host-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
: SEC_ERROR_OCSP_MALFORMED_REQUEST);
ocspResponder.stop(run_next_test); ocspResponder.stop(run_next_test);
}); });
add_test(function() { add_test(function() {
clearOCSPCache(); clearOCSPCache();
let ocspResponder = failingOCSPResponder(); let ocspResponder = failingOCSPResponder();
check_cert_err("no-scheme-url", check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
: SEC_ERROR_OCSP_MALFORMED_REQUEST);
ocspResponder.stop(run_next_test); ocspResponder.stop(run_next_test);
}); });
add_test(function() { add_test(function() {
clearOCSPCache(); clearOCSPCache();
let ocspResponder = failingOCSPResponder(); let ocspResponder = failingOCSPResponder();
check_cert_err("unknown-scheme", check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
: SEC_ERROR_OCSP_MALFORMED_REQUEST);
ocspResponder.stop(run_next_test); ocspResponder.stop(run_next_test);
}); });
run_next_test();
} }

38
toolkit/components/telemetry/Histograms.json
View File

@@ -1247,12 +1247,6 @@
"extended_statistics_ok": true, "extended_statistics_ok": true,
"description": "ms elapsed time of OCSP etc.. that failed" "description": "ms elapsed time of OCSP etc.. that failed"
}, },
"CERT_VALIDATION_LIBRARY": {
"expires_in_version": "never",
"kind": "enumerated",
"n_values": 4,
"description": "Which certificate validation library is in use? (1=classic, 2=libpkix, 3=mozilla::pkix)"
},
"SSL_KEY_EXCHANGE_ALGORITHM_FULL": { "SSL_KEY_EXCHANGE_ALGORITHM_FULL": {
"expires_in_version": "never", "expires_in_version": "never",
"kind": "enumerated", "kind": "enumerated",
@@ -4498,22 +4492,6 @@
"extended_statistics_ok": true, "extended_statistics_ok": true,
"description": "Time (ms) it takes to run memory reporters when sending a telemetry ping" "description": "Time (ms) it takes to run memory reporters when sending a telemetry ping"
}, },
"SSL_SUCCESFUL_CERT_VALIDATION_TIME_LIBPKIX": {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
"description": "Time spent on a successful cert verification in libpix mode (ms)"
},
"SSL_SUCCESFUL_CERT_VALIDATION_TIME_CLASSIC": {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
"description": "Time spent on a successful cert verification in classic mode (ms)"
},
"SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX" : { "SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
"expires_in_version": "never", "expires_in_version": "never",
"kind": "exponential", "kind": "exponential",
@@ -4522,22 +4500,6 @@
"extended_statistics_ok": true, "extended_statistics_ok": true,
"description": "Time spent on a successful cert verification in mozilla::pkix mode (ms)" "description": "Time spent on a successful cert verification in mozilla::pkix mode (ms)"
}, },
"SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX" : {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
"description": "Time spent on an initially failed cert verification in libpix mode (ms)"
},
"SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC": {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
"description": "Time spent on an initially failed cert verification in classic mode (ms)"
},
"SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX" : { "SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
"expires_in_version": "never", "expires_in_version": "never",
"kind": "exponential", "kind": "exponential",