bug 1049095 - re-verify joinee certificate with joining hostname when joining connections r=briansmith r=mcmanus r=cviecco r=mmc r=rbarnes
Родитель
0b4beaf18a
Коммит
1f84bc411b
|
@ -432,6 +432,7 @@ CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
|
|||
/*optional*/ void* pinarg,
|
||||
const char* hostname,
|
||||
bool saveIntermediatesInPermanentDatabase,
|
||||
Flags flags,
|
||||
/*optional out*/ ScopedCERTCertList* builtChain,
|
||||
/*optional out*/ SECOidTag* evOidPolicy)
|
||||
{
|
||||
|
@ -456,8 +457,8 @@ CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
|
|||
// CreateCertErrorRunnable assumes that CERT_VerifyCertName is only called
|
||||
// if VerifyCert succeeded.
|
||||
SECStatus rv = VerifyCert(peerCert, certificateUsageSSLServer, time, pinarg,
|
||||
hostname, 0, stapledOCSPResponse, &builtChainTemp,
|
||||
evOidPolicy);
|
||||
hostname, flags, stapledOCSPResponse,
|
||||
&builtChainTemp, evOidPolicy);
|
||||
if (rv != SECSuccess) {
|
||||
return rv;
|
||||
}
|
||||
|
|
|
@ -43,6 +43,7 @@ public:
|
|||
/*optional*/ void* pinarg,
|
||||
const char* hostname,
|
||||
bool saveIntermediatesInPermanentDatabase = false,
|
||||
Flags flags = 0,
|
||||
/*optional out*/ ScopedCERTCertList* builtChain = nullptr,
|
||||
/*optional out*/ SECOidTag* evOidPolicy = nullptr);
|
||||
|
||||
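Review bot: Inserting `Flags flags = 0` ahead of `builtChain` in a run of defaulted parameters changes what existing positional arguments bind to. Since `Flags` is initialisable from `0` (as the default here shows), a caller outside these hunks that passes a literal `0` or `NULL` for `builtChain` would presumably still compile, with that value now taken as `flags` and `builtChain` silently falling back to `nullptr`. The AuthCertificate call site is updated in this commit, but other callers are not visible here and should be checked. A short comment on the declaration would also document the new parameter, e.g. `// flags: a CertVerifier::Flags value (e.g. FLAG_LOCAL_ONLY), forwarded unchanged to VerifyCert`. The declaration begins above the hunk.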
|
|
|
@ -759,7 +759,7 @@ AuthCertificate(CertVerifier& certVerifier,
|
|||
rv = certVerifier.VerifySSLServerCert(cert, stapledOCSPResponse,
|
||||
time, infoObject,
|
||||
infoObject->GetHostNameRaw(),
|
||||
saveIntermediates, nullptr,
|
||||
saveIntermediates, 0, nullptr,
|
||||
&evOidPolicy);
|
||||
|
||||
// We want to remember the CA certs in the temp db, so that the application can find the
|
||||
|
|
|
@ -432,9 +432,35 @@ nsNSSSocketInfo::JoinConnection(const nsACString& npnProtocol,
|
|||
return NS_OK;
|
||||
}
|
||||
|
||||
if (CERT_VerifyCertName(nssCert, PromiseFlatCString(hostname).get()) !=
|
||||
SECSuccess) {
|
||||
return NS_OK;
|
||||
// Attempt to verify the joinee's certificate using the joining hostname.
|
||||
// This ensures that any hostname-specific verification logic (e.g. key
|
||||
// pinning) is satisfied by the joinee's certificate chain.
|
||||
// This verification only uses local information; since we're on the network
|
||||
// thread, we would be blocking on ourselves if we attempted any network i/o.
|
||||
// TODO(bug 1056935): The certificate chain built by this verification may be
|
||||
// different than the certificate chain originally built during the joined
|
||||
// connection's TLS handshake. Consequently, we may report a wrong and/or
|
||||
// misleading certificate chain for HTTP transactions coalesced onto this
|
||||
// connection. This may become problematic in the future. For example,
|
||||
// if/when we begin relying on intermediate certificates being stored in the
|
||||
// securityInfo of a cached HTTPS response, that cached certificate chain may
|
||||
// actually be the wrong chain. We should consider having JoinConnection
|
||||
// return the certificate chain built here, so that the calling Necko code
|
||||
// can associate the correct certificate chain with the HTTP transactions it
|
||||
// is trying to join onto this connection.
|
||||
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
|
||||
if (!certVerifier) {
|
||||
return NS_OK;
|
||||
}
|
||||
nsAutoCString hostnameFlat(PromiseFlatCString(hostname));
|
||||
CertVerifier::Flags flags = CertVerifier::FLAG_LOCAL_ONLY;
|
||||
SECStatus rv = certVerifier->VerifySSLServerCert(nssCert, nullptr,
|
||||
mozilla::pkix::Now(),
|
||||
nullptr, hostnameFlat.get(),
|
||||
false, flags, nullptr,
|
||||
nullptr);
|
||||
if (rv != SECSuccess) {
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
// All tests pass - this is joinable
|
||||
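Review bot: The removed `CERT_VerifyCertName` call was the explicit hostname match on this path, and the new comment block explains the pinning motivation but never says that name matching is now delegated to `VerifySSLServerCert`. The comment in the VerifySSLServerCert hunk suggests the name check runs there after `VerifyCert` succeeds, but that code lies outside the visible hunks, so this should be confirmed and then stated here, e.g. `// VerifySSLServerCert also performs the hostname match previously done by CERT_VerifyCertName.` It would also help to note that each failure-path `return NS_OK` is meant to leave the join refused, since the result variable is set outside this hunk. JoinConnection begins and ends outside the hunk.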
|
|