Bug 1390131 - Modify GenerateOCSPResponse.cpp to allow thisUpdate to be modified r=keeler
MozReview-Commit-ID: EL9E4UtZg17 --HG-- extra : rebase_source : 5b72ddc51ffd6dabeb9e3afc45b9851336b0db88
This commit is contained in:
Родитель
28f9c7c84f
Коммит
13a30dd299
@ -541,7 +541,7 @@ function _setupTLSServerTest(serverBinName, certsPath) {
|
|||
// Returns an Array of OCSP responses for a given ocspRespArray and a location
|
||||
// for a nssDB where the certs and public keys are prepopulated.
|
||||
// ocspRespArray is an array of arrays like:
|
||||
// [ [typeOfResponse, certnick, extracertnick]...]
|
||||
// [ [typeOfResponse, certnick, extracertnick, thisUpdateSkew]...]
|
||||
function generateOCSPResponses(ocspRespArray, nssDBlocation) {
|
||||
let utilBinName = "GenerateOCSPResponse";
|
||||
let ocspGenBin = _getBinaryUtil(utilBinName);
|
||||
|
@ -556,13 +556,14 @@ function generateOCSPResponses(ocspRespArray, nssDBlocation) {
|
|||
argArray.push(ocspRespArray[i][0]); // ocsRespType;
|
||||
argArray.push(ocspRespArray[i][1]); // nick;
|
||||
argArray.push(ocspRespArray[i][2]); // extranickname
|
||||
argArray.push(ocspRespArray[i][3]); // thisUpdate skew
|
||||
argArray.push(filename);
|
||||
do_print("argArray = " + argArray);
|
||||
|
||||
let process = Cc["@mozilla.org/process/util;1"]
|
||||
.createInstance(Ci.nsIProcess);
|
||||
process.init(ocspGenBin);
|
||||
process.run(true, argArray, 5);
|
||||
process.run(true, argArray, argArray.length);
|
||||
Assert.equal(0, process.exitValue, "Process exit value should be 0");
|
||||
let ocspFile = do_get_file(i.toString() + ".ocsp", false);
|
||||
retArray.push(readFile(ocspFile));
|
||||
|
@ -617,7 +618,7 @@ function startOCSPResponder(serverPort, identity, nssDBLocation,
|
|||
if (expectedResponseTypes && expectedResponseTypes.length >= 1) {
|
||||
responseType = expectedResponseTypes.shift();
|
||||
}
|
||||
return [responseType, expectedNick, "unused"];
|
||||
return [responseType, expectedNick, "unused", 0];
|
||||
}
|
||||
);
|
||||
let ocspResponses = generateOCSPResponses(ocspResponseGenerationArgs,
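Review bot: `argArray.push(ocspRespArray[i][3]); // thisUpdate skew` in the second hunk pushes `undefined` whenever a caller still passes the old three-element form, and nothing in the hunk checks the entry's shape; the updated comment above `generateOCSPResponses` is the only hint. Because the native tool parses that argument numerically, a missing entry would most likely be treated as a zero skew instead of failing (inferred from the C++ side of this commit, which uses atoll). An explicit check next to the push makes the contract visible and fails loudly: `Assert.equal(ocspRespArray[i].length, 4, "ocspRespArray entries must be [type, nick, extranick, thisUpdateSkew]");`. The loop this sits in starts above the hunk.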
|
||||
|
|
|
@ -24,7 +24,7 @@ function respondWithSHA1OCSP(request, response) {
|
|||
response.setStatusLine(request.httpVersion, 200, "OK");
|
||||
response.setHeader("Content-Type", "application/ocsp-response");
|
||||
|
||||
let args = [ ["good-delegated", "default-ee", "delegatedSHA1Signer" ] ];
|
||||
let args = [ ["good-delegated", "default-ee", "delegatedSHA1Signer", 0 ] ];
|
||||
let responses = generateOCSPResponses(args, "ocsp_certs");
|
||||
response.write(responses[0]);
|
||||
}
|
||||
|
@ -37,7 +37,7 @@ function respondWithError(request, response) {
|
|||
}
|
||||
|
||||
function generateGoodOCSPResponse() {
|
||||
let args = [ ["good", "default-ee", "unused" ] ];
|
||||
let args = [ ["good", "default-ee", "unused", 0 ] ];
|
||||
let responses = generateOCSPResponses(args, "ocsp_certs");
|
||||
return responses[0];
|
||||
}
|
||||
|
|
|
@ -16,7 +16,7 @@ function run_test() {
|
|||
// get a TLS connection.
|
||||
add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
|
||||
|
||||
let args = [["good", "default-ee", "unused"]];
|
||||
let args = [["good", "default-ee", "unused", 0]];
|
||||
let ocspResponses = generateOCSPResponses(args, "ocsp_certs");
|
||||
let goodOCSPResponse = ocspResponses[0];
|
||||
|
||||
|
|
|
@ -20,7 +20,7 @@ function run_test() {
|
|||
// get a TLS connection.
|
||||
add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
|
||||
|
||||
let args = [["bad-signature", "default-ee", "unused"]];
|
||||
let args = [["bad-signature", "default-ee", "unused", 0]];
|
||||
let ocspResponses = generateOCSPResponses(args, "ocsp_certs");
|
||||
let ocspResponseBadSignature = ocspResponses[0];
|
||||
|
||||
|
|
|
@ -32,11 +32,11 @@ do_get_profile();
|
|||
Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
|
||||
Services.prefs.setIntPref("security.OCSP.enabled", 1);
|
||||
Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 4);
|
||||
var args = [["good", "default-ee", "unused"],
|
||||
["expiredresponse", "default-ee", "unused"],
|
||||
["oldvalidperiod", "default-ee", "unused"],
|
||||
["revoked", "default-ee", "unused"],
|
||||
["unknown", "default-ee", "unused"],
|
||||
var args = [["good", "default-ee", "unused", 0],
|
||||
["expiredresponse", "default-ee", "unused", 0],
|
||||
["oldvalidperiod", "default-ee", "unused", 0],
|
||||
["revoked", "default-ee", "unused", 0],
|
||||
["unknown", "default-ee", "unused", 0],
|
||||
];
|
||||
var ocspResponses = generateOCSPResponses(args, "ocsp_certs");
|
||||
// Fresh response, certificate is good.
|
||||
|
|
|
@ -113,10 +113,10 @@ int
|
|||
main(int argc, char* argv[])
|
||||
{
|
||||
|
||||
if (argc < 6 || (argc - 6) % 4 != 0) {
|
||||
if (argc < 7 || (argc - 7) % 5 != 0) {
|
||||
PR_fprintf(PR_STDERR, "usage: %s <NSS DB directory> <responsetype> "
|
||||
"<cert_nick> <extranick> <outfilename> [<resptype> "
|
||||
"<cert_nick> <extranick> <outfilename>]* \n",
|
||||
"<cert_nick> <extranick> <this_update_skew> <outfilename> [<resptype> "
|
||||
"<cert_nick> <extranick> <this_update_skew> <outfilename>]* \n",
|
||||
argv[0]);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
@ -131,11 +131,12 @@ main(int argc, char* argv[])
|
|||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
for (int i = 2; i + 3 < argc; i += 4) {
|
||||
for (int i = 2; i + 3 < argc; i += 5) {
|
||||
const char* ocspTypeText = argv[i];
|
||||
const char* certNick = argv[i + 1];
|
||||
const char* extraCertname = argv[i + 2];
|
||||
const char* filename = argv[i + 3];
|
||||
const char* skewChars = argv[i + 3];
|
||||
const char* filename = argv[i + 4];
|
||||
|
||||
OCSPResponseType ORT;
|
||||
if (!StringToOCSPResponseType(ocspTypeText, &ORT)) {
|
||||
|
@ -152,8 +153,10 @@ main(int argc, char* argv[])
|
|||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
time_t skew = static_cast<time_t>(atoll(skewChars));
|
||||
|
||||
SECItemArray* response = GetOCSPResponseForType(ORT, cert, arena,
|
||||
extraCertname);
|
||||
extraCertname, skew);
|
||||
if (!response) {
|
||||
PR_fprintf(PR_STDERR, "Failed to generate OCSP response of type %s "
|
||||
"for %s\n", ocspTypeText, certNick);
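Review bot: The loop header `for (int i = 2; i + 3 < argc; i += 5)` still bounds each group at `i + 3`, while the body now reads `argv[i + 4]` for the filename; the `(argc - 7) % 5 != 0` guard keeps that in range, but the bound should state what it guards: `for (int i = 2; i + 4 < argc; i += 5) {`. In the last hunk, `time_t skew = static_cast<time_t>(atoll(skewChars));` accepts any text silently, so a mistyped skew becomes 0 and the test then exercises an unskewed response without any failure. Parsing with strtoll and checking the end pointer turns that into the same hard exit the other argument errors already get. main continues outside the hunk.
```cpp
    // Parse the skew strictly: a non-numeric or trailing-garbage value must not
    // silently become 0, which would produce an unskewed response.
    char* end = nullptr;
    long long skewValue = strtoll(skewChars, &end, 10);
    if (end == skewChars || *end != '\0') {
      PR_fprintf(PR_STDERR, "Invalid this_update_skew '%s'\n", skewChars);
      exit(EXIT_FAILURE);
    }
    time_t skew = static_cast<time_t>(skewValue);
    // … unchanged: GetOCSPResponseForType call and response handling …
```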
|
||||
|
|
|
@ -102,7 +102,7 @@ DoSNISocketConfig(PRFileDesc *aFd, const SECItem *aSrvNameArr,
|
|||
|
||||
// response is contained by the arena - freeing the arena will free it
|
||||
SECItemArray *response = GetOCSPResponseForType(host->mORT, cert, arena,
|
||||
host->mAdditionalCertName);
|
||||
host->mAdditionalCertName, 0);
|
||||
if (!response) {
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
|
|
@ -42,7 +42,7 @@ CreateTestKeyPairFromCert(const UniqueCERTCertificate& cert)
|
|||
SECItemArray*
|
||||
GetOCSPResponseForType(OCSPResponseType aORT, const UniqueCERTCertificate& aCert,
|
||||
const UniquePLArenaPool& aArena,
|
||||
const char* aAdditionalCertName)
|
||||
const char* aAdditionalCertName, time_t aThisUpdateSkew)
|
||||
{
|
||||
MOZ_ASSERT(aArena);
|
||||
MOZ_ASSERT(aCert);
|
||||
|
@ -64,7 +64,7 @@ GetOCSPResponseForType(OCSPResponseType aORT, const UniqueCERTCertificate& aCert
|
|||
return arr;
|
||||
}
|
||||
|
||||
time_t now = time(nullptr);
|
||||
time_t now = time(nullptr) + aThisUpdateSkew;
|
||||
time_t oldNow = now - (8 * Time::ONE_DAY_IN_SECONDS);
|
||||
|
||||
mozilla::UniqueCERTCertificate cert(CERT_DupCertificate(aCert.get()));
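Review bot: `time_t now = time(nullptr) + aThisUpdateSkew;` shifts `now`, and `oldNow` on the next line is derived from it, so the skew moves every timestamp this function computes from `now`, not thisUpdate alone as the parameter name suggests; whether nextUpdate or other fields also derive from `now` is outside the hunk. A comment on that line would keep the next reader from assuming only thisUpdate changes: `// aThisUpdateSkew shifts the base time, so every timestamp derived from now moves with it, not only thisUpdate.` The addition is plain signed time_t arithmetic, so the caller's parsing of the skew decides what range can reach it. GetOCSPResponseForType's body continues outside the hunk.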
|
||||
|
|
|
@ -56,6 +56,7 @@ SECItemArray*
|
|||
GetOCSPResponseForType(OCSPResponseType aORT,
|
||||
const mozilla::UniqueCERTCertificate& aCert,
|
||||
const mozilla::UniquePLArenaPool& aArena,
|
||||
const char* aAdditionalCertName);
|
||||
const char* aAdditionalCertName,
|
||||
time_t aThisUpdateSkew);
|
||||
|
||||
#endif // OCSPCommon_h
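Review bot: The new `time_t aThisUpdateSkew` parameter is declared without its unit or sign convention, and this header is the only caller-facing description of the API. The implementation adds it to `time(nullptr)`, so a one-line comment above the parameter is enough: `// aThisUpdateSkew: seconds added to the current time used as the base for the response's timestamps; positive moves them into the future, 0 means no skew.` The enclosing declaration starts above the hunk.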
|
||||
|
|