From 24d9b1dbaec2bcd36619ed86436e38496b0ada24 Mon Sep 17 00:00:00 2001 From: Bogdan Tara Date: Thu, 24 Sep 2020 03:57:00 +0300 Subject: [PATCH] Backed out changeset 7e50f86ea20b (bug 1666567) for security related bustage CLOSED TREE UPGRADE_NSS_RELEASE --- security/nss/TAG-INFO | 2 +- security/nss/coreconf/coreconf.dep | 1 + .../gtests/mozpkix_gtest/pkixbuild_tests.cpp | 52 ++++++++++++------- .../pkixcert_extension_tests.cpp | 5 +- .../pkixcert_signature_algorithm_tests.cpp | 4 +- .../pkixcheck_CheckExtendedKeyUsage_tests.cpp | 4 +- ...kixcheck_CheckSignatureAlgorithm_tests.cpp | 3 +- security/nss/gtests/mozpkix_gtest/pkixgtest.h | 3 +- .../nss/lib/mozpkix/include/pkix/pkixtypes.h | 4 +- security/nss/lib/mozpkix/lib/pkixbuild.cpp | 6 +-- 10 files changed, 48 insertions(+), 36 deletions(-) diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO index cc417133487a..d38ae44a3790 100644 --- a/security/nss/TAG-INFO +++ b/security/nss/TAG-INFO @@ -1 +1 @@ -8ebee3cec9cf \ No newline at end of file +c28e20f61e5d \ No newline at end of file diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep index 5182f75552c8..590d1bfaeee3 100644 --- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -10,3 +10,4 @@ */ #error "Do not include this header file." + diff --git a/security/nss/gtests/mozpkix_gtest/pkixbuild_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixbuild_tests.cpp index c5ac86e62aae..c1c81b3a7c13 100644 --- a/security/nss/gtests/mozpkix_gtest/pkixbuild_tests.cpp +++ b/security/nss/gtests/mozpkix_gtest/pkixbuild_tests.cpp @@ -152,11 +152,14 @@ private: return Success; } - Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration, - /*optional*/ const Input*, /*optional*/ const Input*, - /*optional*/ const Input*) + Result CheckRevocation(EndEntityOrCA, const CertID&, Time, + Time validityBeginning, Duration, + /*optional*/ const Input*, /*optional*/ const Input*) override { + // All of the certificates in this test for which this is called have a + // validity period that begins "one day before now". + EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning); return Success; } @@ -302,11 +305,14 @@ public: return Success; } - Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration, - /*optional*/ const Input*, /*optional*/ const Input*, - /*optional*/ const Input*) + Result CheckRevocation(EndEntityOrCA, const CertID&, Time, + Time validityBeginning, Duration, + /*optional*/ const Input*, /*optional*/ const Input*) override { + // All of the certificates in this test for which this is called have a + // validity period that begins "one day before now". + EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning); return Success; } @@ -323,9 +329,8 @@ public: { } - Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration, - /*optional*/ const Input*, /*optional*/ const Input*, - /*optional*/ const Input*) + Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration, + /*optional*/ const Input*, /*optional*/ const Input*) override { ADD_FAILURE(); @@ -445,11 +450,14 @@ public: return Success; } - Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration, - /*optional*/ const Input*, /*optional*/ const Input*, - /*optional*/ const Input*) + Result CheckRevocation(EndEntityOrCA, const CertID&, Time, + Time validityBeginning, Duration, + /*optional*/ const Input*, /*optional*/ const Input*) override { + // All of the certificates in this test for which this is called have a + // validity period that begins "one day before now". + EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning); return Success; } @@ -669,11 +677,14 @@ private: return Success; } - Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration, - /*optional*/ const Input*, + Result CheckRevocation(EndEntityOrCA, const CertID&, Time, + Time validityBeginning, Duration, /*optional*/ const Input*, /*optional*/ const Input*) override { + // All of the certificates in this test for which this is called have a + // validity period that begins "one day before now". + EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning); return Success; } @@ -728,8 +739,8 @@ class RevokedEndEntityTrustDomain final : public MultiplePathTrustDomain { public: Result CheckRevocation(EndEntityOrCA endEntityOrCA, const CertID&, Time, - Duration, /*optional*/ const Input*, - /*optional*/ const Input*, /*optional*/ const Input*) override + Time, Duration, /*optional*/ const Input*, + /*optional*/ const Input*) override { if (endEntityOrCA == EndEntityOrCA::MustBeEndEntity) { return Result::ERROR_REVOKED_CERTIFICATE; @@ -833,11 +844,14 @@ private: return Success; } - Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration, - /*optional*/ const Input*, /*optional*/ const Input*, - /*optional*/ const Input*) + Result CheckRevocation(EndEntityOrCA, const CertID&, Time, + Time validityBeginning, Duration, + /*optional*/ const Input*, /*optional*/ const Input*) override { + // All of the certificates in this test for which this is called have a + // validity period that begins "one day before now". + EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning); return Success; } diff --git a/security/nss/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp index e2dcc8e02148..71399a26bd40 100644 --- a/security/nss/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp +++ b/security/nss/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp @@ -70,9 +70,8 @@ private: return Success; } - Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration, - /*optional*/ const Input*, /*optional*/ const Input*, - /*optional*/ const Input*) + Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration, + /*optional*/ const Input*, /*optional*/ const Input*) override { return Success; diff --git a/security/nss/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp index 5719d1045d99..54e19fc3d263 100644 --- a/security/nss/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp +++ b/security/nss/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp @@ -92,8 +92,8 @@ private: return checker.Check(issuerCert, nullptr, keepGoing); } - Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration, - const Input*, const Input*, const Input*) override + Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration, + const Input*, const Input*) override { return Success; } diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp index 364be47e6523..9fd1e52f1a71 100644 --- a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp +++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp @@ -558,8 +558,8 @@ private: return checker.Check(derCert, nullptr, keepGoing); } - Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration, - const Input*, const Input*, const Input*) override + Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration, + const Input*, const Input*) override { return Success; } diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp index d3a57c3e6f2c..e1f35e5b40ee 100644 --- a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp +++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp @@ -302,8 +302,7 @@ public: return Success; } - Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration, - /*optional*/ const Input*, + Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration, /*optional*/ const Input*, /*optional*/ const Input*) override { diff --git a/security/nss/gtests/mozpkix_gtest/pkixgtest.h b/security/nss/gtests/mozpkix_gtest/pkixgtest.h index 719b87d54f08..0a203c5e1ea9 100644 --- a/security/nss/gtests/mozpkix_gtest/pkixgtest.h +++ b/security/nss/gtests/mozpkix_gtest/pkixgtest.h @@ -100,8 +100,7 @@ class EverythingFailsByDefaultTrustDomain : public TrustDomain { Result::FATAL_ERROR_LIBRARY_FAILURE); } - Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration, - /*optional*/ const Input*, + Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration, /*optional*/ const Input*, /*optional*/ const Input*) override { ADD_FAILURE(); diff --git a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h index 6c391681f3a2..bfa5c780ac23 100644 --- a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h +++ b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h @@ -278,10 +278,10 @@ class TrustDomain { virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA, const CertID& certID, Time time, + Time validityBeginning, Duration validityDuration, /*optional*/ const Input* stapledOCSPresponse, - /*optional*/ const Input* aiaExtension, - /*optional*/ const Input* sctExtension) = 0; + /*optional*/ const Input* aiaExtension) = 0; // Check that the given digest algorithm is acceptable for use in signatures. // diff --git a/security/nss/lib/mozpkix/lib/pkixbuild.cpp b/security/nss/lib/mozpkix/lib/pkixbuild.cpp index afe7e2a24772..b95907a947b3 100644 --- a/security/nss/lib/mozpkix/lib/pkixbuild.cpp +++ b/security/nss/lib/mozpkix/lib/pkixbuild.cpp @@ -252,9 +252,9 @@ PathBuildingStep::Check(Input potentialIssuerDER, } Duration validityDuration(notAfter, notBefore); rv = trustDomain.CheckRevocation(subject.endEntityOrCA, certID, time, - validityDuration, stapledOCSPResponse, - subject.GetAuthorityInfoAccess(), - subject.GetSignedCertificateTimestamps()); + notBefore, validityDuration, + stapledOCSPResponse, + subject.GetAuthorityInfoAccess()); if (rv != Success) { // Since this is actually a problem with the current subject certificate // (rather than the issuer), it doesn't make sense to keep going; all