Backed out 2 changesets (bug 1899656, bug 1893335) for causing build bustages

Backed out changeset 4cb2f1a1280b (bug 1893335)
Backed out changeset d5833f6d4c07 (bug 1899656)

Cargo.lock

@@ -579,7 +579,6 @@ name = "builtins-static"
 version = "0.1.0"
 dependencies = [
  "bindgen 0.69.4",
- "mozbuild",
  "mozilla-central-workspace-hack",
  "nom",
  "pkcs11-bindings",
@@ -5680,18 +5679,6 @@ dependencies = [
 name = "terminal_size"
 version = "0.3.999"
 
-[[package]]
-name = "test-builtins-static"
-version = "0.1.0"
-dependencies = [
- "bindgen 0.69.4",
- "mozbuild",
- "mozilla-central-workspace-hack",
- "nom",
- "pkcs11-bindings",
- "smallvec",
-]
-
 [[package]]
 name = "textwrap"
 version = "0.16.1"

Cargo.toml

@@ -10,7 +10,6 @@ members = [
   "js/src/rust",
   "netwerk/test/http3server",
   "security/manager/ssl/builtins",
-  "security/manager/ssl/tests/unit/test_builtins",
   "security/manager/ssl/ipcclientcerts",
   "security/manager/ssl/osclientcerts",
   "testing/geckodriver",

build/workspace-hack/Cargo.toml

@@ -224,4 +224,3 @@ jsrust = ["dep:arrayvec", "dep:cc", "dep:env_logger", "dep:getrandom", "dep:hash
 mozwer_s = ["dep:getrandom", "dep:hashbrown", "dep:indexmap", "dep:log", "dep:once_cell", "dep:serde_json", "dep:uuid", "dep:windows-sys"]
 nmhproxy = ["dep:bitflags", "dep:hashbrown", "dep:indexmap", "dep:once_cell", "dep:serde_json", "dep:smallvec", "dep:unicode-bidi", "dep:url", "dep:windows-sys"]
 osclientcerts-static = ["dep:bindgen", "dep:bitflags", "dep:core-foundation-sys", "dep:env_logger", "dep:itertools", "dep:log", "dep:memchr", "dep:nom", "dep:regex"]
-test-builtins-static = ["dep:bindgen", "dep:bitflags", "dep:itertools", "dep:memchr", "dep:nom", "dep:regex", "dep:smallvec"]

security/certverifier/NSSCertDBTrustDomain.cpp

@@ -31,7 +31,6 @@
 #include "mozilla/glean/GleanMetrics.h"
 #include "mozpkix/Result.h"
 #include "mozpkix/pkix.h"
-#include "mozpkix/pkixcheck.h"
 #include "mozpkix/pkixnss.h"
 #include "mozpkix/pkixutil.h"
 #include "nsCRTGlue.h"
@@ -1266,6 +1265,20 @@ Result NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
   return rv;
 }
 
+SECStatus GetCertDistrustAfterValue(const SECItem* distrustItem,
+                                    PRTime& distrustTime) {
+  if (!distrustItem || !distrustItem->data || distrustItem->len != 13) {
+    PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
+    return SECFailure;
+  }
+  return DER_DecodeTimeChoice(&distrustTime, distrustItem);
+}
+
+SECStatus GetCertNotBeforeValue(const CERTCertificate* cert,
+                                PRTime& distrustTime) {
+  return DER_DecodeTimeChoice(&distrustTime, &cert->validity.notBefore);
+}
+
 nsresult isDistrustedCertificateChain(
     const nsTArray<nsTArray<uint8_t>>& certArray,
     const SECTrustType certDBTrustType, bool& isDistrusted) {
@@ -1276,94 +1289,93 @@ nsresult isDistrustedCertificateChain(
   // Set the default result to be distrusted.
   isDistrusted = true;
 
-  CK_ATTRIBUTE_TYPE attrType;
-  switch (certDBTrustType) {
-    case trustSSL:
-      attrType = CKA_NSS_SERVER_DISTRUST_AFTER;
-      break;
-    case trustEmail:
-      attrType = CKA_NSS_EMAIL_DISTRUST_AFTER;
-      break;
-    default:
   // There is no distrust to set if the certDBTrustType is not SSL or Email.
+  if (certDBTrustType != trustSSL && certDBTrustType != trustEmail) {
     isDistrusted = false;
     return NS_OK;
   }
 
-  Input endEntityDER;
+  SECStatus runnableRV = SECFailure;
-  mozilla::pkix::Result rv = endEntityDER.Init(
+
-      certArray.ElementAt(0).Elements(), certArray.ElementAt(0).Length());
+  RefPtr<Runnable> isDistrustedChainTask =
-  if (rv != Success) {
+      NS_NewRunnableFunction("isDistrustedCertificateChain", [&]() {
-    return NS_ERROR_FAILURE;
+        if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) {
+          runnableRV = SECFailure;
+          return;
+        }
+        // Allocate objects and retreive the root and end-entity certificates.
+        CERTCertDBHandle* certDB(CERT_GetDefaultCertDB());
+        const nsTArray<uint8_t>& certRootDER = certArray.LastElement();
+        SECItem certRootDERItem = {
+            siBuffer, const_cast<unsigned char*>(certRootDER.Elements()),
+            AssertedCast<unsigned int>(certRootDER.Length())};
+        UniqueCERTCertificate certRoot(CERT_NewTempCertificate(
+            certDB, &certRootDERItem, nullptr, false, true));
+        if (!certRoot) {
+          runnableRV = SECFailure;
+          return;
+        }
+        const nsTArray<uint8_t>& certLeafDER = certArray.ElementAt(0);
+        SECItem certLeafDERItem = {
+            siBuffer, const_cast<unsigned char*>(certLeafDER.Elements()),
+            AssertedCast<unsigned int>(certLeafDER.Length())};
+        UniqueCERTCertificate certLeaf(CERT_NewTempCertificate(
+            certDB, &certLeafDERItem, nullptr, false, true));
+        if (!certLeaf) {
+          runnableRV = SECFailure;
+          return;
         }
 
-  BackCert endEntityBackCert(endEntityDER, EndEntityOrCA::MustBeEndEntity,
+        // Set isDistrusted to false if there is no distrust for the root.
-                             nullptr);
+        if (!certRoot->distrust) {
-  rv = endEntityBackCert.Init();
-  if (rv != Success) {
-    return NS_ERROR_FAILURE;
-  }
-
-  Time endEntityNotBefore(Time::uninitialized);
-  rv = ParseValidity(endEntityBackCert.GetValidity(), &endEntityNotBefore,
-                     nullptr);
-  if (rv != Success) {
-    return NS_ERROR_FAILURE;
-  }
-
-  Input rootDER;
-  rv = rootDER.Init(certArray.LastElement().Elements(),
-                    certArray.LastElement().Length());
-  if (rv != Success) {
-    return NS_ERROR_FAILURE;
-  }
-  SECItem rootDERItem(UnsafeMapInputToSECItem(rootDER));
-
-  PRBool distrusted;
-  PRTime distrustAfter;  // time since epoch in microseconds
-  bool foundDistrust = false;
-
-  // This strategy for searching for the builtins module is borrowed
-  // from CertVerifier::IsCertBuiltInRoot. See the comment on that
-  // function for more information.
-  AutoSECMODListReadLock lock;
-  for (SECMODModuleList* list = SECMOD_GetDefaultModuleList();
-       list && !foundDistrust; list = list->next) {
-    for (int i = 0; i < list->module->slotCount; i++) {
-      PK11SlotInfo* slot = list->module->slots[i];
-      if (!PK11_IsPresent(slot) || !PK11_HasRootCerts(slot)) {
-        continue;
-      }
-      CK_OBJECT_HANDLE handle =
-          PK11_FindEncodedCertInSlot(slot, &rootDERItem, nullptr);
-      if (handle == CK_INVALID_HANDLE) {
-        continue;
-      }
-      // Distrust attributes are only set on builtin roots, so ensure this
-      // certificate has the CKA_NSS_MOZILLA_CA_POLICY attribute.
-      if (!PK11_HasAttributeSet(slot, handle, CKA_NSS_MOZILLA_CA_POLICY,
-                                false)) {
-        continue;
-      }
-      SECStatus srv = PK11_ReadDistrustAfterAttribute(
-          slot, handle, attrType, &distrusted, &distrustAfter);
-      if (srv == SECSuccess) {
-        foundDistrust = true;
-      }
-    }
-  }
-
-  if (!foundDistrust || distrusted == PR_FALSE) {
           isDistrusted = false;
-    return NS_OK;
+          runnableRV = SECSuccess;
+          return;
         }
 
-  Time distrustAfterTime =
+        // Create a pointer to refer to the selected distrust struct.
-      mozilla::pkix::TimeFromEpochInSeconds(distrustAfter / PR_USEC_PER_SEC);
+        SECItem* distrustPtr = nullptr;
-  if (endEntityNotBefore <= distrustAfterTime) {
+        if (certDBTrustType == trustSSL) {
+          distrustPtr = &certRoot->distrust->serverDistrustAfter;
+        }
+        if (certDBTrustType == trustEmail) {
+          distrustPtr = &certRoot->distrust->emailDistrustAfter;
+        }
+
+        // Get validity for the current end-entity certificate
+        // and get the distrust field for the root certificate.
+        PRTime certRootDistrustAfter;
+        PRTime certLeafNotBefore;
+
+        runnableRV =
+            GetCertDistrustAfterValue(distrustPtr, certRootDistrustAfter);
+        if (runnableRV != SECSuccess) {
+          return;
+        }
+
+        runnableRV = GetCertNotBeforeValue(certLeaf.get(), certLeafNotBefore);
+        if (runnableRV != SECSuccess) {
+          return;
+        }
+
+        // Compare the validity of the end-entity certificate with
+        // the distrust value of the root.
+        if (certLeafNotBefore <= certRootDistrustAfter) {
           isDistrusted = false;
         }
 
+        runnableRV = SECSuccess;
+      });
+  nsCOMPtr<nsIEventTarget> socketThread(
+      do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID));
+  if (!socketThread) {
+    return NS_ERROR_FAILURE;
+  }
+  nsresult rv =
+      SyncRunnable::DispatchToThread(socketThread, isDistrustedChainTask);
+  if (NS_FAILED(rv) || runnableRV != SECSuccess) {
+    return NS_ERROR_FAILURE;
+  }
   return NS_OK;
 }
 

security/manager/ssl/builtins/Cargo.toml

@@ -12,7 +12,6 @@ mozilla-central-workspace-hack = { version = "0.1", features = ["builtins-static
 
 [build-dependencies]
 bindgen = { default-features = false, features = ["runtime"], version = "0.69" }
-mozbuild = "0.1"
 nom = "7.1.1"
 
 [lib]

security/manager/ssl/builtins/build.rs

@@ -9,8 +9,6 @@ extern crate nom;
 use bindgen::callbacks::*;
 use bindgen::*;
 
-use mozbuild::TOPSRCDIR;
-
 use nom::branch::alt;
 use nom::bytes::complete::{tag, take_until};
 use nom::character::complete::{
@@ -316,16 +314,11 @@ macro_rules! emit_build_error {
 }
 
 fn main() -> std::io::Result<()> {
-    let testlib_certdata =
+    println!("cargo:rerun-if-changed=../../../nss/lib/ckfw/builtins/certdata.txt");
-        TOPSRCDIR.join("security/manager/ssl/tests/unit/test_builtins/certdata.txt");
+    println!("cargo:rerun-if-changed=../../../nss/lib/ckfw/builtins/nssckbi.h");
-    let mozilla_certdata = TOPSRCDIR.join("security/nss/lib/ckfw/builtins/certdata.txt");
-    let nssckbi_header = TOPSRCDIR.join("security/nss/lib/ckfw/builtins/nssckbi.h");
-    println!("cargo:rerun-if-changed={}", testlib_certdata.display());
-    println!("cargo:rerun-if-changed={}", mozilla_certdata.display());
-    println!("cargo:rerun-if-changed={}", nssckbi_header.display());
 
     let bindings = Builder::default()
-        .header(nssckbi_header.display().to_string())
+        .header("../../../nss/lib/ckfw/builtins/nssckbi.h")
         .allowlist_var("NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR")
         .allowlist_var("NSS_BUILTINS_CRYPTOKI_VERSION_MINOR")
         .allowlist_var("NSS_BUILTINS_LIBRARY_VERSION_MAJOR")
@@ -347,15 +340,8 @@ fn main() -> std::io::Result<()> {
         File::create(out_path.join("builtins.rs")).expect("Could not write builtins.rs."),
     );
 
-    // If we are building the test module, use the certdata.txt in the test directory.
+    let mut input: String = std::fs::read_to_string("../../../nss/lib/ckfw/builtins/certdata.txt")
-    #[cfg(feature = "testlib")]
+        .expect("Unable to read certdata.txt.");
-    let mut input =
-        std::fs::read_to_string(testlib_certdata).expect("Unable to read certdata.txt.");
-
-    // Otherwise, use the official certdata.txt for the Mozilla root store.
-    #[cfg(not(feature = "testlib"))]
-    let mut input =
-        std::fs::read_to_string(mozilla_certdata).expect("Unable to read certdata.txt.");
 
     // Add a trailing newline to simplify parsing.
     input.push('\n');

security/manager/ssl/builtins/src/lib.rs

@@ -3,8 +3,6 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-// certdata may include dead code depending on the contents of certdata.txt
-#[allow(dead_code)]
 mod certdata;
 mod internal;
 mod pkcs11;

security/manager/ssl/tests/unit/moz.build

@@ -4,7 +4,7 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-DIRS += ["tlsserver", "test_builtins", "test_signed_apps"]
+DIRS += ["tlsserver", "test_signed_apps"]
 
 if not CONFIG["MOZ_NO_SMART_CARDS"]:
     DIRS += ["pkcs11testmodule"]

security/manager/ssl/tests/unit/test_builtins.js

@@ -1,82 +0,0 @@
-// Any copyright is dedicated to the Public Domain.
-// http://creativecommons.org/publicdomain/zero/1.0/
-"use strict";
-
-// Tests that use a mock builtins module.
-
-// Ensure that the appropriate initialization has happened.
-do_get_profile();
-const gCertDb = Cc["@mozilla.org/security/x509certdb;1"].getService(
-  Ci.nsIX509CertDB
-);
-
-add_setup(function load_nssckbi_testlib() {
-  let moduleName = "Mock Builtins";
-  let libraryName = "test-builtins";
-
-  checkPKCS11ModuleNotPresent(moduleName, libraryName);
-
-  let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
-  libraryFile.append("test_builtins");
-  libraryFile.append(ctypes.libraryName(libraryName));
-  loadPKCS11Module(libraryFile, moduleName, true);
-  let testModule = checkPKCS11ModuleExists(moduleName, libraryName);
-
-  // Check that listing the slots for the test module works.
-  let testModuleSlotNames = Array.from(
-    testModule.listSlots(),
-    slot => slot.name
-  );
-  testModuleSlotNames.sort();
-  const expectedSlotNames = ["NSS Builtin Objects"];
-  deepEqual(
-    testModuleSlotNames,
-    expectedSlotNames,
-    "Actual and expected slot names should be equal"
-  );
-});
-
-add_task(async function test_distrust_after() {
-  let ee_pre_distrust_cert = addCertFromFile(
-    gCertDb,
-    "test_builtins/ee-notBefore-2021.pem",
-    ",,"
-  );
-  notEqual(
-    ee_pre_distrust_cert,
-    null,
-    "EE cert should have successfully loaded"
-  );
-
-  let ee_post_distrust_cert = addCertFromFile(
-    gCertDb,
-    "test_builtins/ee-notBefore-2023.pem",
-    ",,"
-  );
-  notEqual(
-    ee_post_distrust_cert,
-    null,
-    "EE cert should have successfully loaded"
-  );
-
-  let int_cert = addCertFromFile(gCertDb, "test_builtins/int.pem", ",,");
-  notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
-
-  // A certificate with a notBefore before the distrustAfter date
-  // should verify.
-  await checkCertErrorGeneric(
-    gCertDb,
-    ee_pre_distrust_cert,
-    PRErrorCodeSuccess,
-    certificateUsageSSLServer
-  );
-
-  // A certificate with a notBefore after the distrustAfter date
-  // should not verify.
-  await checkCertErrorGeneric(
-    gCertDb,
-    ee_post_distrust_cert,
-    SEC_ERROR_UNTRUSTED_ISSUER,
-    certificateUsageSSLServer
-  );
-});

security/manager/ssl/tests/unit/test_builtins/Cargo.toml

@@ -1,25 +0,0 @@
-[package]
-name = "test-builtins-static"
-version = "0.1.0"
-authors = ["John Schanck <jschanck@mozilla.com>"]
-edition = "2021"
-license = "MPL-2.0"
-build = "../../../builtins/build.rs"
-
-[features]
-default = ["testlib"]
-testlib = []
-
-[dependencies]
-pkcs11-bindings = "0.1.1"
-smallvec = { version = "1.9.0", features = ["const_new"] }
-mozilla-central-workspace-hack = { version = "0.1", features = ["test-builtins-static"], optional = true }
-
-[build-dependencies]
-bindgen = { default-features = false, features = ["runtime"], version = "0.69" }
-mozbuild = "0.1"
-nom = "7.1.1"
-
-[lib]
-crate-type = ["staticlib"]
-path = "../../../builtins/src/lib.rs"

security/manager/ssl/tests/unit/test_builtins/ca.pem

@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICyTCCAbGgAwIBAgIUW/YBtJLWl0w/qHon39NEQVe2CjgwDQYJKoZIhvcNAQEL
-BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMDAxMDEwMDAwMDBaGA8yMDUxMDEwMTAw
-MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
-m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
-bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
-SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
-/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
-FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
-VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAnMP8E3DsBOlwY0ak3BWdj0HBu
-ij1Fr8pAhd/SU4H39LhMwU71nKSdIjXEYhKlM6xHsVZw5E0ROckSXdFVNqmX0PeX
-EeTY2U/SZLnPNvd9rk6hcJNHgIG0/2yPGkwz3kpPLDNU8zdjLwuPINqT6hlPrmkP
-IlmyXurIWTkpY8B5wzcUDD4DULL9I1v3npPbVR059t6Nd4jGwsotYPjBGKRFtcwE
-By/EXMotFnaZzBlgcgGd6nT/zcutCL0EGpsFLhpslX4nl74pcLxDerCYifkt4lEp
-Z7/MgtwnXCy5yAMprWdTKY2vuTtPlSEhSohdYLcklRG6hdBWq9jy9BQaktP/
------END CERTIFICATE-----

security/manager/ssl/tests/unit/test_builtins/ca.pem.certspec

@@ -1,5 +0,0 @@
-issuer:ca
-subject:ca
-validity:20200101-20510101
-extension:basicConstraints:cA,
-extension:keyUsage:keyCertSign,cRLSign

security/manager/ssl/tests/unit/test_builtins/certdata.txt

@@ -1,128 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-BEGINDATA
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Test Roots"
-
-#
-# Certificate "Distrusted After Jan 1 2022 Root"
-#
-# Issuer: CN=ca
-# Serial Number:5b:f6:01:b4:92:d6:97:4c:3f:a8:7a:27:df:d3:44:41:57:b6:0a:38
-# Subject: CN=ca
-# Not Valid Before: Wed Jan 01 00:00:00 2020
-# Not Valid After : Sun Jan 01 00:00:00 2051
-# Fingerprint (SHA-256): 5C:E9:72:28:D9:8A:BC:FE:63:23:33:5E:97:5D:6C:42:B5:48:FD:E7:8A:B9:F8:2E:CC:44:B1:16:69:A3:F5:B0
-# Fingerprint (SHA1): 6B:15:70:37:F1:81:D0:B6:F7:0C:D9:86:C2:E7:FD:38:E7:53:7B:BE
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Distrusted After Jan 1 2022 Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\015\061\013\060\011\006\003\125\004\003\014\002\143\141
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\015\061\013\060\011\006\003\125\004\003\014\002\143\141
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\024\133\366\001\264\222\326\227\114\077\250\172\047\337\323
-\104\101\127\266\012\070
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\311\060\202\001\261\240\003\002\001\002\002\024\133
-\366\001\264\222\326\227\114\077\250\172\047\337\323\104\101\127
-\266\012\070\060\015\006\011\052\206\110\206\367\015\001\001\013
-\005\000\060\015\061\013\060\011\006\003\125\004\003\014\002\143
-\141\060\042\030\017\062\060\062\060\060\061\060\061\060\060\060
-\060\060\060\132\030\017\062\060\065\061\060\061\060\061\060\060
-\060\060\060\060\132\060\015\061\013\060\011\006\003\125\004\003
-\014\002\143\141\060\202\001\042\060\015\006\011\052\206\110\206
-\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
-\002\202\001\001\000\272\210\121\250\104\216\026\326\101\375\156
-\266\210\006\066\020\075\074\023\331\352\344\065\112\264\354\365
-\150\127\154\044\173\301\307\045\250\340\330\037\275\261\234\006
-\233\156\032\206\362\153\342\257\132\165\153\152\144\161\010\172
-\245\132\247\105\207\367\034\325\044\234\002\176\315\103\374\036
-\151\320\070\040\051\223\253\040\303\111\344\333\271\114\302\153
-\154\016\355\025\202\017\361\176\255\151\032\261\323\002\072\213
-\052\101\356\247\160\340\017\015\215\375\146\013\053\260\044\222
-\244\175\271\210\141\171\220\261\127\220\075\322\073\305\340\270
-\110\037\250\067\323\210\103\357\047\026\330\125\267\146\132\252
-\176\002\220\057\072\173\020\200\006\044\314\034\154\227\255\226
-\141\133\267\342\226\022\300\165\061\243\014\221\335\264\312\367
-\374\255\035\045\323\011\357\271\027\016\247\150\341\263\173\057
-\042\157\151\343\264\212\225\141\035\356\046\326\045\235\253\221
-\010\116\066\313\034\044\004\054\277\026\213\057\345\361\217\231
-\027\061\270\263\376\111\043\372\162\121\304\061\325\003\254\332
-\030\012\065\355\215\002\003\001\000\001\243\035\060\033\060\014
-\006\003\125\035\023\004\005\060\003\001\001\377\060\013\006\003
-\125\035\017\004\004\003\002\001\006\060\015\006\011\052\206\110
-\206\367\015\001\001\013\005\000\003\202\001\001\000\047\060\377
-\004\334\073\001\072\134\030\321\251\067\005\147\143\320\160\156
-\212\075\105\257\312\100\205\337\322\123\201\367\364\270\114\301
-\116\365\234\244\235\042\065\304\142\022\245\063\254\107\261\126
-\160\344\115\021\071\311\022\135\321\125\066\251\227\320\367\227
-\021\344\330\331\117\322\144\271\317\066\367\175\256\116\241\160
-\223\107\200\201\264\377\154\217\032\114\063\336\112\117\054\063
-\124\363\067\143\057\013\217\040\332\223\352\031\117\256\151\017
-\042\131\262\136\352\310\131\071\051\143\300\171\303\067\024\014
-\076\003\120\262\375\043\133\367\236\223\333\125\035\071\366\336
-\215\167\210\306\302\312\055\140\370\301\030\244\105\265\314\004
-\007\057\304\134\312\055\026\166\231\314\031\140\162\001\235\352
-\164\377\315\313\255\010\275\004\032\233\005\056\032\154\225\176
-\047\227\276\051\160\274\103\172\260\230\211\371\055\342\121\051
-\147\277\314\202\334\047\134\054\271\310\003\051\255\147\123\051
-\215\257\271\073\117\225\041\041\112\210\135\140\267\044\225\021
-\272\205\320\126\253\330\362\364\024\032\222\323\377
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-# For Server Distrust After: Sat Jan 01 00:00:00 2022
-CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
-\062\062\060\061\060\061\060\060\060\060\060\060\132
-END
-# For Email Distrust After: Sat Jan 01 00:00:00 2022
-CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
-\062\062\060\061\060\061\060\060\060\060\060\060\132
-END
-
-# Trust for "Distrusted After Jan 1 2022 Root"
-# Issuer: CN=ca
-# Serial Number:5b:f6:01:b4:92:d6:97:4c:3f:a8:7a:27:df:d3:44:41:57:b6:0a:38
-# Subject: CN=ca
-# Not Valid Before: Wed Jan 01 00:00:00 2020
-# Not Valid After : Sun Jan 01 00:00:00 2051
-# Fingerprint (SHA-256): 5C:E9:72:28:D9:8A:BC:FE:63:23:33:5E:97:5D:6C:42:B5:48:FD:E7:8A:B9:F8:2E:CC:44:B1:16:69:A3:F5:B0
-# Fingerprint (SHA1): 6B:15:70:37:F1:81:D0:B6:F7:0C:D9:86:C2:E7:FD:38:E7:53:7B:BE
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Distrusted After Jan 1 2022 Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\153\025\160\067\361\201\320\266\367\014\331\206\302\347\375\070
-\347\123\173\276
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\342\152\137\376\222\257\271\255\024\346\353\305\132\017\156\341
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\015\061\013\060\011\006\003\125\004\003\014\002\143\141
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\024\133\366\001\264\222\326\227\114\077\250\172\047\337\323
-\104\101\127\266\012\070
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-

security/manager/ssl/tests/unit/test_builtins/dynamic-library/builtins.symbols

@@ -1 +0,0 @@
-C_GetFunctionList

security/manager/ssl/tests/unit/test_builtins/dynamic-library/moz.build

@@ -1,46 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-FINAL_TARGET = "_tests/xpcshell/security/manager/ssl/tests/unit/test_builtins"
-
-USE_LIBS += ["test-builtins-static"]
-
-# see notes in ipcclientcerts/dynamic-library/moz.build
-
-if CONFIG["OS_ARCH"] == "Linux" and CONFIG["OS_TARGET"] != "Android":
-    SOURCES += [
-        "stub.cpp",
-    ]
-else:
-    SOURCES += [
-        "stub.c",
-    ]
-
-if CONFIG["OS_TARGET"] == "Android":
-    OS_LIBS += ["m"]
-
-if CONFIG["OS_ARCH"] == "WINNT":
-    OS_LIBS += [
-        "advapi32",
-        "userenv",
-        "ws2_32",
-    ]
-    OS_LIBS += [
-        "bcrypt",
-        "ntdll",
-    ]
-    # Version string comparison is generally wrong, but by the time it would
-    # actually matter, either bug 1489995 would be fixed, or the build would
-    # require version >= 1.78.
-    if CONFIG["RUSTC_VERSION"] and CONFIG["RUSTC_VERSION"] >= "1.78.0":
-        OS_LIBS += [
-            "synchronization",
-        ]
-
-SharedLibrary("test-builtins")
-
-NoVisibilityFlags()
-SYMBOLS_FILE = "builtins.symbols"

security/manager/ssl/tests/unit/test_builtins/dynamic-library/stub.c

@@ -1,27 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "pkcs11.h"
-
-// see notes in ipcclientcerts/dynamic-library/stub.c
-
-CK_RV BUILTINSC_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList);
-
-CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) {
-  return BUILTINSC_GetFunctionList(ppFunctionList);
-}
-
-#ifdef __MINGW32__
-#  include "mozilla/Assertions.h"
-void _Unwind_Resume() { MOZ_CRASH("Unexpected call to _Unwind_*"); }
-void _Unwind_GetDataRelBase() { _Unwind_Resume(); }
-void _Unwind_GetTextRelBase() { _Unwind_Resume(); }
-void _Unwind_GetLanguageSpecificData() { _Unwind_Resume(); }
-void _Unwind_GetIPInfo() { _Unwind_Resume(); }
-void _Unwind_GetRegionStart() { _Unwind_Resume(); }
-void _Unwind_SetGR() { _Unwind_Resume(); }
-void _Unwind_SetIP() { _Unwind_Resume(); }
-void _GCC_specific_handler() { _Unwind_Resume(); }
-#endif

security/manager/ssl/tests/unit/test_builtins/dynamic-library/stub.cpp

@@ -1,17 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "pkcs11.h"
-
-// see notes in ipcclientcerts/dynamic-library/stub.cpp
-
-extern "C" {
-
-CK_RV BUILTINSC_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList);
-
-CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) {
-  return BUILTINSC_GetFunctionList(ppFunctionList);
-}
-}

security/manager/ssl/tests/unit/test_builtins/ee-notBefore-2021.pem

@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICxDCCAaygAwIBAgIUDXOR6KaexWFGr7UDYphMtEeezXkwDQYJKoZIhvcNAQEL
-BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjEwMTAxMDAwMDAwWhgPMjA1MTAxMDEw
-MDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
-BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
-a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
-uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
-9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
-mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxcwFTATBgNVHSUEDDAKBggrBgEF
-BQcDATANBgkqhkiG9w0BAQsFAAOCAQEAn2fhudWV+cpqIsRWpfHZc0BhW0sFX/Jq
-nPn5kOjlEy9XDp0fKW3iIeo1hipevRgJnvpzeFUU0AzV+v5RhPumxyTioIeybkX5
-uVtIz4llubAP5ymFBtIMVtKaKM9JWrmQxxCQyiaGmh/VTNQoyPXRX6sjA/lTFOn/
-gyrcDnWi/6Fi3I1qiWxE4Gytk7a6qrKhVlq+UyiLlyHvPfiw6TksltJoSyE7iyno
-cFBK98ei1Wq//7tFLSUoCIya3tnccMgPUhkWwhzxc94xuo1ROav8mzS4vh24p3S6
-w4hvAylJhRt3BfQDPU14sCnEDjFd/PydAYntdJ66zcujs2YBO6iy8w==
------END CERTIFICATE-----

security/manager/ssl/tests/unit/test_builtins/ee-notBefore-2021.pem.certspec

@@ -1,4 +0,0 @@
-issuer:int
-subject:ee
-validity:20210101-20510101
-extension:extKeyUsage:serverAuth

security/manager/ssl/tests/unit/test_builtins/ee-notBefore-2023.pem

@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICxDCCAaygAwIBAgIUQbAFBAJcR+nWt1dATlPDuABJgEAwDQYJKoZIhvcNAQEL
-BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjMwMTAxMDAwMDAwWhgPMjA1MTAxMDEw
-MDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
-BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
-a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
-uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
-9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
-mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxcwFTATBgNVHSUEDDAKBggrBgEF
-BQcDATANBgkqhkiG9w0BAQsFAAOCAQEAfd1W1LYT+JnTb7ZXdz7lJcwdowimjUWR
-ylhXpqyMbJmldogIoWXG+wPo9XosdLeaR0H7xizrhpiod6DXvqtXUjzfhdzbH8i8
-3sBL3dyO/RAm1IWuDTNmT9d2SX+fty7M7mHH1TLuRda4VItiWyPK+QQIZHcTlhQz
-qRebW6ggpWzRb9nqUWieHlvyaVgqWkv9LiCkJYqXXL6nBvQAh8ukf6g127c0hbMO
-DIQtoAT6XFbApM6GPuovaiMf0h8n7S2ekIcRBEeadvZOMsy7hdTNMKlS706wQETd
-U0jwYTk728Oz0MCdgn488iRWGeDJWi544JZldErK75lWHAU5svaHIQ==
------END CERTIFICATE-----

security/manager/ssl/tests/unit/test_builtins/ee-notBefore-2023.pem.certspec

@@ -1,4 +0,0 @@
-issuer:int
-subject:ee
-validity:20230101-20510101
-extension:extKeyUsage:serverAuth

security/manager/ssl/tests/unit/test_builtins/int.pem

@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICyjCCAbKgAwIBAgIUe2LIDV1Nhfro/wXnL4PUQK5N24QwDQYJKoZIhvcNAQEL
-BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
-MDAwMFowDjEMMAoGA1UEAwwDaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
-BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
-a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
-uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
-9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
-mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG
-A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAjQy0NtsF3aykS9j0nzTjuaXO
-H3lWVMJJBYNZw0YcFUIfTFpkAdwLyvWrw9vpNBURseXog/pFe+Wo1vh7LtESg8Kc
-WFnE7LWeZSzOLgUTRPuHU45ehkaJpAOXaBUo/RNNYykE44EVIXvNCUuPe06SfSnD
-fSHNDdrg0jv4V+Xjoq+8+yhBNmjNNylBMfZmj7NiN8ZKka+AovStBoxuvSD6Oef3
-ENuMtUH10KETCkUf/u04RMU8sTZP65zg2xQ3hcvDAoJvIwwaq/TtcghO0AcD6RbN
-yoHIgJe2TiWRltAPOTzm/2OmUGOHin1p4DCA7usZRpU/iRqr06ZZFzBtj+0v4A==
------END CERTIFICATE-----

security/manager/ssl/tests/unit/test_builtins/int.pem.certspec

@@ -1,4 +0,0 @@
-issuer:ca
-subject:int
-extension:basicConstraints:cA,
-extension:keyUsage:keyCertSign,cRLSign

security/manager/ssl/tests/unit/test_builtins/moz.build

@@ -1,11 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-DIRS += ["dynamic-library"]
-
-OS_LIBS += CONFIG["DL_LIBS"]
-
-RustLibrary("test-builtins-static")

security/manager/ssl/tests/unit/xpcshell.toml

@@ -9,7 +9,6 @@ support-files = [
   "ocsp_certs/**",
   "test_baseline_requirements/**",
   "test_broken_fips/**",
-  "test_builtins/**",
   "test_cert_eku/**",
   "test_cert_embedded_null/**",
   "test_cert_keyUsage/**",
@@ -72,8 +71,6 @@ skip-if = [
   "os == 'linux'"
 ]
 
-["test_builtins.js"]
-
 ["test_certDB_export_pkcs12.js"]
 
 ["test_certDB_export_pkcs12_with_primary_password.js"]

security/nss.symbols

@@ -438,7 +438,6 @@ PK11_PubEncryptPKCS1
 PK11_PubUnwrapSymKey
 PK11_PubWrapSymKey
 PK11_RandomUpdate
-PK11_ReadDistrustAfterAttribute
 PK11_ReadRawAttribute
 PK11_ReferenceSlot
 PK11_ReferenceSymKey