Bug 531067: Remove hard-coded default OCSP responders on trunk, r=briansmith

--HG--
extra : rebase_source : 23bc45569bba9f417a51c13530f0319144f07b03
Kai Engert 2013-07-11 23:33:55 -07:00
Родитель 92ac44f63e
Коммит 2cc3aac4b8
3 изменённых файлов: 0 добавлений и 194 удалений


@ -13,23 +13,17 @@
#include "nsIWebProgressListener.h"
#include "nsProtectedAuthThread.h"
#include "nsITokenDialogs.h"
#include "nsNSSShutDown.h"
#include "nsIUploadChannel.h"
#include "nsThreadUtils.h"
#include "nsIPrompt.h"
#include "nsProxyRelease.h"
#include "PSMRunnable.h"
#include "ScopedNSSTypes.h"
#include "nsIConsoleService.h"
#include "nsIHttpChannelInternal.h"
#include "nsCRT.h"
#include "nsNetUtil.h"
#include "SharedSSLState.h"
#include "ssl.h"
#include "sslproto.h"
#include "ocsp.h"
#include "nssb64.h"
using namespace mozilla;
using namespace mozilla::psm;
@ -1131,182 +1125,3 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
infoObject->NoteTimeUntilReady();
infoObject->SetHandshakeCompleted(isResumedSession);
}
struct OCSPDefaultResponders {
const char *issuerName_string;
CERTName *issuerName;
const char *issuerKeyID_base64;
SECItem *issuerKeyID;
const char *ocspUrl;
};
static struct OCSPDefaultResponders myDefaultOCSPResponders[] = {
/* COMODO */
{
"CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE",
nullptr, "rb2YejS0Jvf6xCZU7wO94CTLVBo=", nullptr,
"http://ocsp.comodoca.com"
},
{
"CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB",
nullptr, "C1jli8ZMFTekQKkwqSG+RzZaVv8=", nullptr,
"http://ocsp.comodoca.com"
},
{
"CN=COMODO EV SGC CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB",
nullptr, "f/ZMNigUrs0eN6/eWvJbw6CsK/4=", nullptr,
"http://ocsp.comodoca.com"
},
{
"CN=COMODO EV SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB",
nullptr, "aRZJ7LZ1ZFrpAyNgL1RipTRcPuI=", nullptr,
"http://ocsp.comodoca.com"
},
{
"CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US",
nullptr, "UzLRs89/+uDxoF2FTpLSnkUdtE8=", nullptr,
"http://ocsp.usertrust.com"
},
{
"CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US",
nullptr, "oXJfJhsomEOVXQc31YWWnUvSw0U=", nullptr,
"http://ocsp.usertrust.com"
},
/* Network Solutions */
{
"CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US",
nullptr, "ITDJ+wDXTpjah6oq0KcusUAxp0w=", nullptr,
"http://ocsp.netsolssl.com"
},
{
"CN=Network Solutions EV SSL CA,O=Network Solutions L.L.C.,C=US",
nullptr, "tk6FnYQfGx3UUolOB5Yt+d7xj8w=", nullptr,
"http://ocsp.netsolssl.com"
},
/* GlobalSign */
{
"CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE",
nullptr, "YHtmGkUNl8qJUC99BM00qP/8/Us=", nullptr,
"http://ocsp.globalsign.com/ExtendedSSLCACross"
},
{
"CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2",
nullptr, "m+IHV2ccHsBqBt5ZtJot39wZhi4=", nullptr,
"http://ocsp.globalsign.com/ExtendedSSLCA"
},
{
"CN=GlobalSign Extended Validation CA,O=GlobalSign,OU=Extended Validation CA",
nullptr, "NLH5yYxrNUTMCGkK7uOjuVy/FuA=", nullptr,
"http://ocsp.globalsign.com/ExtendedSSL"
},
/* Trustwave */
{
"CN=SecureTrust CA,O=SecureTrust Corporation,C=US",
nullptr, "QjK2FvoE/f5dS3rD/fdMQB1aQ68=", nullptr,
"http://ocsp.trustwave.com"
}
};
static const unsigned int numResponders =
(sizeof myDefaultOCSPResponders) / (sizeof myDefaultOCSPResponders[0]);
static CERT_StringFromCertFcn oldOCSPAIAInfoCallback = nullptr;
/*
* See if we have a hard-coded default responder for this certificate's
* issuer (unless this certificate is a root certificate).
*
* The result needs to be freed (PORT_Free) when no longer in use.
*/
char* MyAlternateOCSPAIAInfoCallback(CERTCertificate *cert) {
if (cert && !cert->isRoot) {
unsigned int i;
for (i=0; i < numResponders; i++) {
if (!(myDefaultOCSPResponders[i].issuerName));
else if (!(myDefaultOCSPResponders[i].issuerKeyID));
else if (!(cert->authKeyID));
else if (CERT_CompareName(myDefaultOCSPResponders[i].issuerName,
&(cert->issuer)) != SECEqual);
else if (SECITEM_CompareItem(myDefaultOCSPResponders[i].issuerKeyID,
&(cert->authKeyID->keyID)) != SECEqual);
else // Issuer Name and Key Identifier match, so use this OCSP URL.
return PORT_Strdup(myDefaultOCSPResponders[i].ocspUrl);
}
}
// If we've not found a hard-coded default responder, chain to the old
// callback function (if there is one).
if (oldOCSPAIAInfoCallback)
return (*oldOCSPAIAInfoCallback)(cert);
return nullptr;
}
void cleanUpMyDefaultOCSPResponders() {
unsigned int i;
for (i=0; i < numResponders; i++) {
if (myDefaultOCSPResponders[i].issuerName) {
CERT_DestroyName(myDefaultOCSPResponders[i].issuerName);
myDefaultOCSPResponders[i].issuerName = nullptr;
}
if (myDefaultOCSPResponders[i].issuerKeyID) {
SECITEM_FreeItem(myDefaultOCSPResponders[i].issuerKeyID, true);
myDefaultOCSPResponders[i].issuerKeyID = nullptr;
}
}
}
SECStatus RegisterMyOCSPAIAInfoCallback() {
// Prevent multiple registrations.
if (myDefaultOCSPResponders[0].issuerName)
return SECSuccess; // Already registered ok.
// Populate various fields in the myDefaultOCSPResponders[] array.
SECStatus rv = SECFailure;
unsigned int i;
for (i=0; i < numResponders; i++) {
// Create a CERTName structure from the issuer name string.
myDefaultOCSPResponders[i].issuerName = CERT_AsciiToName(
const_cast<char*>(myDefaultOCSPResponders[i].issuerName_string));
if (!(myDefaultOCSPResponders[i].issuerName))
goto loser;
// Create a SECItem from the Base64 authority key identifier keyID.
myDefaultOCSPResponders[i].issuerKeyID = NSSBase64_DecodeBuffer(nullptr,
nullptr, myDefaultOCSPResponders[i].issuerKeyID_base64,
(uint32_t)PORT_Strlen(myDefaultOCSPResponders[i].issuerKeyID_base64));
if (!(myDefaultOCSPResponders[i].issuerKeyID))
goto loser;
}
// Register our alternate OCSP Responder URL lookup function.
rv = CERT_RegisterAlternateOCSPAIAInfoCallBack(MyAlternateOCSPAIAInfoCallback,
&oldOCSPAIAInfoCallback);
if (rv != SECSuccess)
goto loser;
return SECSuccess;
loser:
cleanUpMyDefaultOCSPResponders();
return rv;
}
SECStatus UnregisterMyOCSPAIAInfoCallback() {
SECStatus rv;
// Only allow unregistration if we're already registered.
if (!(myDefaultOCSPResponders[0].issuerName))
return SECFailure;
// Unregister our alternate OCSP Responder URL lookup function.
rv = CERT_RegisterAlternateOCSPAIAInfoCallBack(oldOCSPAIAInfoCallback,
nullptr);
if (rv != SECSuccess)
return rv;
// Tidy up.
oldOCSPAIAInfoCallback = nullptr;
cleanUpMyDefaultOCSPResponders();
return SECSuccess;
}


@ -26,9 +26,6 @@ void HandshakeCallback(PRFileDesc *fd, void *client_data);
SECStatus CanFalseStartCallback(PRFileDesc* fd, void* client_data,
PRBool *canFalseStart);
SECStatus RegisterMyOCSPAIAInfoCallback();
SECStatus UnregisterMyOCSPAIAInfoCallback();
class nsHTTPListener MOZ_FINAL : public nsIStreamLoaderObserver
{
private:
@ -224,6 +221,3 @@ public:
};
#endif // _NSNSSCALLBACKS_H_


@ -1256,8 +1256,6 @@ nsNSSComponent::InitializeNSS(bool showWarningBox)
// dynamic options from prefs
setValidationOptions(mPrefBranch);
RegisterMyOCSPAIAInfoCallback();
mHttpForNSS.initTable();
mHttpForNSS.registerHttpClient();
@ -1301,7 +1299,6 @@ nsNSSComponent::ShutdownNSS()
PK11_SetPasswordFunc((PK11PasswordFunc)nullptr);
mHttpForNSS.unregisterHttpClient();
UnregisterMyOCSPAIAInfoCallback();
if (mPrefBranch) {
mPrefBranch->RemoveObserver("security.", this);