Backed out changeset 7e50f86ea20b (bug 1666567) for security related bustage CLOSED TREE

UPGRADE_NSS_RELEASE
2020-09-24 03:57:00 +03:00 · 2020-09-24 03:57:00 +03:00 · 24d9b1dbae
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@ -1 +1 @@
-8ebee3cec9cf
+c28e20f61e5d
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@ -10,3 +10,4 @@
 */

 #error "Do not include this header file."
+
--- a/security/nss/gtests/mozpkix_gtest/pkixbuild_tests.cpp
+++ b/security/nss/gtests/mozpkix_gtest/pkixbuild_tests.cpp
@ -152,11 +152,14 @@ private:
    return Success;
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
-                         /*optional*/ const Input*, /*optional*/ const Input*,
-                         /*optional*/ const Input*)
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time,
+                         Time validityBeginning, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
                         override
  {
+    // All of the certificates in this test for which this is called have a
+    // validity period that begins "one day before now".
+    EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning);
    return Success;
  }

@ -302,11 +305,14 @@ public:
    return Success;
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
-                         /*optional*/ const Input*, /*optional*/ const Input*,
-                         /*optional*/ const Input*)
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time,
+                         Time validityBeginning, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
                         override
  {
+    // All of the certificates in this test for which this is called have a
+    // validity period that begins "one day before now".
+    EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning);
    return Success;
  }

@ -323,9 +329,8 @@ public:
  {
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
-                         /*optional*/ const Input*, /*optional*/ const Input*,
-                         /*optional*/ const Input*)
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
                         override
  {
    ADD_FAILURE();
@ -445,11 +450,14 @@ public:
    return Success;
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
-                         /*optional*/ const Input*, /*optional*/ const Input*,
-                         /*optional*/ const Input*)
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time,
+                         Time validityBeginning, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
                         override
  {
+    // All of the certificates in this test for which this is called have a
+    // validity period that begins "one day before now".
+    EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning);
    return Success;
  }

@ -669,11 +677,14 @@ private:
    return Success;
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
-                         /*optional*/ const Input*,
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time,
+                         Time validityBeginning, Duration,
                         /*optional*/ const Input*,
                         /*optional*/ const Input*) override
  {
+    // All of the certificates in this test for which this is called have a
+    // validity period that begins "one day before now".
+    EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning);
    return Success;
  }

@ -728,8 +739,8 @@ class RevokedEndEntityTrustDomain final : public MultiplePathTrustDomain
 {
 public:
  Result CheckRevocation(EndEntityOrCA endEntityOrCA, const CertID&, Time,
-                         Duration, /*optional*/ const Input*,
-                         /*optional*/ const Input*, /*optional*/ const Input*) override
+                         Time, Duration, /*optional*/ const Input*,
+                         /*optional*/ const Input*) override
  {
    if (endEntityOrCA == EndEntityOrCA::MustBeEndEntity) {
      return Result::ERROR_REVOKED_CERTIFICATE;
@ -833,11 +844,14 @@ private:
    return Success;
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
-                         /*optional*/ const Input*, /*optional*/ const Input*,
-                         /*optional*/ const Input*)
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time,
+                         Time validityBeginning, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
                         override
  {
+    // All of the certificates in this test for which this is called have a
+    // validity period that begins "one day before now".
+    EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning);
    return Success;
  }

--- a/security/nss/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp
+++ b/security/nss/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp
@ -70,9 +70,8 @@ private:
    return Success;
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
-                         /*optional*/ const Input*, /*optional*/ const Input*,
-                         /*optional*/ const Input*)
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
                         override
  {
    return Success;
--- a/security/nss/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
+++ b/security/nss/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
@ -92,8 +92,8 @@ private:
    return checker.Check(issuerCert, nullptr, keepGoing);
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
-                         const Input*, const Input*, const Input*) override
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
+                         const Input*, const Input*) override
  {
    return Success;
  }
--- a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
@ -558,8 +558,8 @@ private:
    return checker.Check(derCert, nullptr, keepGoing);
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
-                         const Input*, const Input*, const Input*) override
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
+                         const Input*, const Input*) override
  {
    return Success;
  }
--- a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
@ -302,8 +302,7 @@ public:
    return Success;
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
-                         /*optional*/ const Input*,
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
                         /*optional*/ const Input*,
                         /*optional*/ const Input*) override
  {
--- a/security/nss/gtests/mozpkix_gtest/pkixgtest.h
+++ b/security/nss/gtests/mozpkix_gtest/pkixgtest.h
@ -100,8 +100,7 @@ class EverythingFailsByDefaultTrustDomain : public TrustDomain {
                      Result::FATAL_ERROR_LIBRARY_FAILURE);
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
-                         /*optional*/ const Input*,
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
                         /*optional*/ const Input*,
                         /*optional*/ const Input*) override {
    ADD_FAILURE();
--- a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
+++ b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
@ -278,10 +278,10 @@ class TrustDomain {

  virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA,
                                 const CertID& certID, Time time,
+                                 Time validityBeginning,
                                 Duration validityDuration,
                                 /*optional*/ const Input* stapledOCSPresponse,
-                                 /*optional*/ const Input* aiaExtension,
-                                 /*optional*/ const Input* sctExtension) = 0;
+                                 /*optional*/ const Input* aiaExtension) = 0;

  // Check that the given digest algorithm is acceptable for use in signatures.
  //
--- a/security/nss/lib/mozpkix/lib/pkixbuild.cpp
+++ b/security/nss/lib/mozpkix/lib/pkixbuild.cpp
@ -252,9 +252,9 @@ PathBuildingStep::Check(Input potentialIssuerDER,
    }
    Duration validityDuration(notAfter, notBefore);
    rv = trustDomain.CheckRevocation(subject.endEntityOrCA, certID, time,
-                                     validityDuration, stapledOCSPResponse,
-                                     subject.GetAuthorityInfoAccess(),
-                                     subject.GetSignedCertificateTimestamps());
+                                     notBefore, validityDuration,
+                                     stapledOCSPResponse,
+                                     subject.GetAuthorityInfoAccess());
    if (rv != Success) {
      // Since this is actually a problem with the current subject certificate
      // (rather than the issuer), it doesn't make sense to keep going; all