зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1024809 - (OneCRL) Create a blocklist mechanism to revoke intermediate certs (r=keeler,Unfocused)
This commit is contained in:
Родитель
9c078e03a4
Коммит
2f0aec9246
|
@ -9,11 +9,12 @@
|
|||
#include <stdint.h>
|
||||
|
||||
#include "ExtendedValidation.h"
|
||||
#include "nsNSSCertificate.h"
|
||||
#include "NSSErrorsService.h"
|
||||
#include "OCSPRequestor.h"
|
||||
#include "certdb.h"
|
||||
#include "nsNSSCertificate.h"
|
||||
#include "nss.h"
|
||||
#include "NSSErrorsService.h"
|
||||
#include "nsServiceManagerUtils.h"
|
||||
#include "pk11pub.h"
|
||||
#include "pkix/pkix.h"
|
||||
#include "pkix/pkixnss.h"
|
||||
|
@ -67,6 +68,7 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
|
|||
, mMinimumNonECCBits(forEV ? MINIMUM_NON_ECC_BITS_EV : MINIMUM_NON_ECC_BITS_DV)
|
||||
, mHostname(hostname)
|
||||
, mBuiltChain(builtChain)
|
||||
, mCertBlocklist(do_GetService(NS_CERTBLOCKLIST_CONTRACTID))
|
||||
, mOCSPStaplingStatus(CertVerifier::OCSP_STAPLING_NEVER_CHECKED)
|
||||
{
|
||||
}
|
||||
|
@ -366,6 +368,27 @@ NSSCertDBTrustDomain::CheckRevocation(EndEntityOrCA endEntityOrCA,
|
|||
maxOCSPLifetimeInDays = 365;
|
||||
}
|
||||
|
||||
if (!mCertBlocklist) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
|
||||
bool isCertRevoked;
|
||||
nsresult nsrv = mCertBlocklist->IsCertRevoked(
|
||||
certID.issuer.UnsafeGetData(),
|
||||
certID.issuer.GetLength(),
|
||||
certID.serialNumber.UnsafeGetData(),
|
||||
certID.serialNumber.GetLength(),
|
||||
&isCertRevoked);
|
||||
if (NS_FAILED(nsrv)) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
|
||||
if (isCertRevoked) {
|
||||
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
|
||||
("NSSCertDBTrustDomain: certificate is in blocklist"));
|
||||
return Result::ERROR_REVOKED_CERTIFICATE;
|
||||
}
|
||||
|
||||
// If we have a stapled OCSP response then the verification of that response
|
||||
// determines the result unless the OCSP response is expired. We make an
|
||||
// exception for expired responses because some servers, nginx in particular,
|
||||
|
|
|
@ -7,9 +7,10 @@
|
|||
#ifndef mozilla_psm__NSSCertDBTrustDomain_h
|
||||
#define mozilla_psm__NSSCertDBTrustDomain_h
|
||||
|
||||
#include "CertVerifier.h"
|
||||
#include "nsICertBlocklist.h"
|
||||
#include "pkix/pkixtypes.h"
|
||||
#include "secmodt.h"
|
||||
#include "CertVerifier.h"
|
||||
|
||||
namespace mozilla { namespace psm {
|
||||
|
||||
|
@ -120,6 +121,7 @@ private:
|
|||
const unsigned int mMinimumNonECCBits;
|
||||
const char* mHostname; // non-owning - only used for pinning checks
|
||||
ScopedCERTCertList* mBuiltChain; // non-owning
|
||||
nsCOMPtr<nsICertBlocklist> mCertBlocklist;
|
||||
CertVerifier::OCSPStaplingStatus mOCSPStaplingStatus;
|
||||
};
|
||||
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
|
||||
XPIDL_SOURCES += [
|
||||
'nsIBufEntropyCollector.idl',
|
||||
'nsICertBlocklist.idl',
|
||||
'nsISecurityUITelemetry.idl',
|
||||
'nsISecurityWarningDialogs.idl',
|
||||
'nsISSLStatusProvider.idl',
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
|
||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "nsISupports.idl"
|
||||
|
||||
interface nsIX509Cert;
|
||||
|
||||
%{C++
|
||||
#define NS_CERTBLOCKLIST_CONTRACTID "@mozilla.org/security/certblocklist;1"
|
||||
%}
|
||||
|
||||
/**
|
||||
* Represents a service to add certificates as explicitly blocked/distrusted.
|
||||
*/
|
||||
[scriptable, uuid(44b0ee42-1af3-45e7-b601-7f17bd67c5cc)]
|
||||
interface nsICertBlocklist : nsISupports {
|
||||
/**
|
||||
* Add details of a revoked certificate :
|
||||
* issuer name (base-64 encoded DER) and serial number (base-64 encoded DER).
|
||||
*/
|
||||
void addRevokedCert(in string issuer, in string serialNumber);
|
||||
|
||||
/**
|
||||
* Persist (fresh) blocklist entries to the profile (if a profile directory is
|
||||
* available). Note: calling this will result in synchronous I/O.
|
||||
*/
|
||||
void saveEntries();
|
||||
|
||||
/**
|
||||
* Check if a certificate is blocked.
|
||||
* isser - issuer name, DER encoded
|
||||
* serial - serial number, DER encoded
|
||||
*/
|
||||
boolean isCertRevoked([const, array, size_is(issuer_length)] in octet issuer,
|
||||
in unsigned long issuer_length,
|
||||
[const, array, size_is(serial_length)] in octet serial,
|
||||
in unsigned long serial_length);
|
||||
};
|
|
@ -0,0 +1,468 @@
|
|||
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "CertBlocklist.h"
|
||||
#include "mozilla/Base64.h"
|
||||
#include "mozilla/unused.h"
|
||||
#include "nsAppDirectoryServiceDefs.h"
|
||||
#include "nsCRTGlue.h"
|
||||
#include "nsDirectoryServiceUtils.h"
|
||||
#include "nsIFileStreams.h"
|
||||
#include "nsILineInputStream.h"
|
||||
#include "nsIX509Cert.h"
|
||||
#include "nsNetCID.h"
|
||||
#include "nsNetUtil.h"
|
||||
#include "nsTHashtable.h"
|
||||
#include "nsThreadUtils.h"
|
||||
#include "pkix/Input.h"
|
||||
#include "prlog.h"
|
||||
|
||||
NS_IMPL_ISUPPORTS(CertBlocklist, nsICertBlocklist)
|
||||
|
||||
static PRLogModuleInfo* gCertBlockPRLog;
|
||||
|
||||
CertBlocklistItem::CertBlocklistItem(mozilla::pkix::Input aIssuer,
|
||||
mozilla::pkix::Input aSerial)
|
||||
: mIsCurrent(false)
|
||||
{
|
||||
mIssuerData = new uint8_t[aIssuer.GetLength()];
|
||||
memcpy(mIssuerData, aIssuer.UnsafeGetData(), aIssuer.GetLength());
|
||||
mozilla::unused << mIssuer.Init(mIssuerData, aIssuer.GetLength());
|
||||
|
||||
mSerialData = new uint8_t[aSerial.GetLength()];
|
||||
memcpy(mSerialData, aSerial.UnsafeGetData(), aSerial.GetLength());
|
||||
mozilla::unused << mSerial.Init(mSerialData, aSerial.GetLength());
|
||||
}
|
||||
|
||||
CertBlocklistItem::CertBlocklistItem(const CertBlocklistItem& aItem)
|
||||
{
|
||||
uint32_t issuerLength = aItem.mIssuer.GetLength();
|
||||
mIssuerData = new uint8_t[issuerLength];
|
||||
memcpy(mIssuerData, aItem.mIssuerData, issuerLength);
|
||||
mozilla::unused << mIssuer.Init(mIssuerData, issuerLength);
|
||||
|
||||
uint32_t serialLength = aItem.mSerial.GetLength();
|
||||
mSerialData = new uint8_t[serialLength];
|
||||
memcpy(mSerialData, aItem.mSerialData, serialLength);
|
||||
mozilla::unused << mSerial.Init(mSerialData, serialLength);
|
||||
mIsCurrent = aItem.mIsCurrent;
|
||||
}
|
||||
|
||||
CertBlocklistItem::~CertBlocklistItem()
|
||||
{
|
||||
delete[] mIssuerData;
|
||||
delete[] mSerialData;
|
||||
}
|
||||
|
||||
nsresult
|
||||
CertBlocklistItem::ToBase64(nsACString& b64IssuerOut, nsACString& b64SerialOut)
|
||||
{
|
||||
nsDependentCSubstring issuerString(reinterpret_cast<char*>(mIssuerData),
|
||||
mIssuer.GetLength());
|
||||
nsDependentCSubstring serialString(reinterpret_cast<char*>(mSerialData),
|
||||
mSerial.GetLength());
|
||||
nsresult rv = mozilla::Base64Encode(issuerString, b64IssuerOut);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
rv = mozilla::Base64Encode(serialString, b64SerialOut);
|
||||
return rv;
|
||||
}
|
||||
|
||||
bool
|
||||
CertBlocklistItem::operator==(const CertBlocklistItem& aItem) const
|
||||
{
|
||||
bool retval = InputsAreEqual(aItem.mIssuer, mIssuer) &&
|
||||
InputsAreEqual(aItem.mSerial, mSerial);
|
||||
return retval;
|
||||
}
|
||||
|
||||
uint32_t
|
||||
CertBlocklistItem::Hash() const
|
||||
{
|
||||
uint32_t hash;
|
||||
uint32_t serialLength = mSerial.GetLength();
|
||||
// there's no requirement for a serial to be as large as 32 bits; if it's
|
||||
// smaller, fall back to the first octet (otherwise, the last four)
|
||||
if (serialLength >= 4) {
|
||||
hash = *(uint32_t *)(mSerialData + serialLength - 4);
|
||||
} else {
|
||||
hash = *mSerialData;
|
||||
}
|
||||
return hash;
|
||||
}
|
||||
|
||||
CertBlocklist::CertBlocklist()
|
||||
: mMutex("CertBlocklist::mMutex")
|
||||
, mModified(false)
|
||||
{
|
||||
if (!gCertBlockPRLog) {
|
||||
gCertBlockPRLog = PR_NewLogModule("CertBlock");
|
||||
}
|
||||
}
|
||||
|
||||
CertBlocklist::~CertBlocklist()
|
||||
{
|
||||
}
|
||||
|
||||
nsresult
|
||||
CertBlocklist::Init()
|
||||
{
|
||||
mozilla::MutexAutoLock lock(mMutex);
|
||||
PR_LOG(gCertBlockPRLog, PR_LOG_DEBUG, ("CertBlocklist::Init"));
|
||||
|
||||
// Load the revocations file into the cert blocklist
|
||||
PR_LOG(gCertBlockPRLog, PR_LOG_DEBUG,
|
||||
("CertBlocklist::Init - not initialized; initializing"));
|
||||
nsresult rv = NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR,
|
||||
getter_AddRefs(mBackingFile));
|
||||
if (NS_FAILED(rv) || !mBackingFile) {
|
||||
PR_LOG(gCertBlockPRLog, PR_LOG_DEBUG,
|
||||
("CertBlocklist::Init - couldn't get profile dir"));
|
||||
return NS_OK;
|
||||
}
|
||||
rv = mBackingFile->Append(NS_LITERAL_STRING("revocations.txt"));
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
|
||||
nsAutoCString path;
|
||||
rv = mBackingFile->GetNativePath(path);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
|
||||
PR_LOG(gCertBlockPRLog, PR_LOG_DEBUG,
|
||||
("CertBlocklist::Init certList path: %s", path.get()));
|
||||
|
||||
bool exists = false;
|
||||
rv = mBackingFile->Exists(&exists);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
|
||||
if (!exists) {
|
||||
PR_LOG(gCertBlockPRLog, PR_LOG_WARN,
|
||||
("CertBlocklist::Init no revocations file"));
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsIFileInputStream> fileStream(
|
||||
do_CreateInstance(NS_LOCALFILEINPUTSTREAM_CONTRACTID, &rv));
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
|
||||
rv = fileStream->Init(mBackingFile, -1, -1, false);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsILineInputStream> lineStream(do_QueryInterface(fileStream, &rv));
|
||||
nsAutoCString line;
|
||||
nsAutoCString issuer;
|
||||
nsAutoCString serial;
|
||||
// read in the revocations file. The file format is as follows: each line
|
||||
// contains a comment, base64 encoded DER for an issuer or base64 encoded DER
|
||||
// for a serial number. Comment lines start with '#', serial number lines, ' '
|
||||
// (a space) and anything else is assumed to be an issuer.
|
||||
bool more = true;
|
||||
do {
|
||||
rv = lineStream->ReadLine(line, &more);
|
||||
if (NS_FAILED(rv)) {
|
||||
break;
|
||||
}
|
||||
// ignore comments and empty lines
|
||||
if (line.IsEmpty() || line.First() == '#') {
|
||||
continue;
|
||||
}
|
||||
if (line.First() != ' ') {
|
||||
issuer = line;
|
||||
continue;
|
||||
}
|
||||
serial = line;
|
||||
serial.Trim(" ", true, false, false);
|
||||
// serial numbers 'belong' to the last issuer line seen; if no issuer has
|
||||
// been seen, the serial number is ignored
|
||||
if (issuer.IsEmpty() || serial.IsEmpty()) {
|
||||
continue;
|
||||
}
|
||||
PR_LOG(gCertBlockPRLog, PR_LOG_DEBUG,
|
||||
("CertBlocklist::Init adding: %s %s", issuer.get(), serial.get()));
|
||||
rv = AddRevokedCertInternal(issuer.get(),
|
||||
serial.get(),
|
||||
CertOldFromLocalCache,
|
||||
lock);
|
||||
if (NS_FAILED(rv)) {
|
||||
// we warn here, rather than abandoning, since we need to
|
||||
// ensure that as many items as possible are read
|
||||
PR_LOG(gCertBlockPRLog, PR_LOG_WARN,
|
||||
("CertBlocklist::Init adding revoked cert failed"));
|
||||
}
|
||||
} while (more);
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
// void addRevokedCert (in string issuer, in string serialNumber);
|
||||
NS_IMETHODIMP
|
||||
CertBlocklist::AddRevokedCert(const char* aIssuer,
|
||||
const char* aSerialNumber)
|
||||
{
|
||||
PR_LOG(gCertBlockPRLog, PR_LOG_DEBUG,
|
||||
("CertBlocklist::addRevokedCert - issuer is: %s and serial: %s",
|
||||
aIssuer, aSerialNumber));
|
||||
mozilla::MutexAutoLock lock(mMutex);
|
||||
return AddRevokedCertInternal(aIssuer,
|
||||
aSerialNumber,
|
||||
CertNewFromBlocklist,
|
||||
lock);
|
||||
}
|
||||
|
||||
nsresult
|
||||
CertBlocklist::AddRevokedCertInternal(const char* aIssuer,
|
||||
const char* aSerialNumber,
|
||||
CertBlocklistItemState aItemState,
|
||||
mozilla::MutexAutoLock& /*proofOfLock*/)
|
||||
{
|
||||
nsCString decodedIssuer;
|
||||
nsCString decodedSerial;
|
||||
|
||||
nsresult rv;
|
||||
rv = mozilla::Base64Decode(nsDependentCString(aIssuer), decodedIssuer);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
rv = mozilla::Base64Decode(nsDependentCString(aSerialNumber), decodedSerial);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
|
||||
mozilla::pkix::Input issuer;
|
||||
mozilla::pkix::Input serial;
|
||||
|
||||
mozilla::pkix::Result pkrv;
|
||||
pkrv = issuer.Init(reinterpret_cast<const uint8_t*>(decodedIssuer.get()),
|
||||
decodedIssuer.Length());
|
||||
if (pkrv != mozilla::pkix::Success) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
pkrv = serial.Init(reinterpret_cast<const uint8_t*>(decodedSerial.get()),
|
||||
decodedSerial.Length());
|
||||
if (pkrv != mozilla::pkix::Success) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
CertBlocklistItem item(issuer, serial);
|
||||
|
||||
if (aItemState == CertNewFromBlocklist) {
|
||||
// we want SaveEntries to be a no-op if no new entries are added
|
||||
if (!mBlocklist.Contains(item)) {
|
||||
mModified = true;
|
||||
}
|
||||
|
||||
// Ensure that any existing item is replaced by a fresh one so we can
|
||||
// use mIsCurrent to decide which entries to write out
|
||||
mBlocklist.RemoveEntry(item);
|
||||
item.mIsCurrent = true;
|
||||
}
|
||||
mBlocklist.PutEntry(item);
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
// Data needed for writing blocklist items out to the revocations file
|
||||
struct BlocklistSaveInfo
|
||||
{
|
||||
IssuerTable issuerTable;
|
||||
BlocklistStringSet issuers;
|
||||
nsCOMPtr<nsIOutputStream> outputStream;
|
||||
bool success;
|
||||
};
|
||||
|
||||
// Write a line for a given string in the output stream
|
||||
nsresult
|
||||
WriteLine(nsIOutputStream* outputStream, const nsACString& string)
|
||||
{
|
||||
nsAutoCString line(string);
|
||||
line.Append('\n');
|
||||
|
||||
const char* data = line.get();
|
||||
uint32_t length = line.Length();
|
||||
nsresult rv = NS_OK;
|
||||
while (NS_SUCCEEDED(rv) && length) {
|
||||
uint32_t bytesWritten = 0;
|
||||
rv = outputStream->Write(data, length, &bytesWritten);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
// if no data is written, something is wrong
|
||||
if (!bytesWritten) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
length -= bytesWritten;
|
||||
data += bytesWritten;
|
||||
}
|
||||
return rv;
|
||||
}
|
||||
|
||||
// sort blocklist items into lists of serials for each issuer
|
||||
PLDHashOperator
|
||||
ProcessEntry(BlocklistItemKey* aHashKey, void* aUserArg)
|
||||
{
|
||||
BlocklistSaveInfo* saveInfo = reinterpret_cast<BlocklistSaveInfo*>(aUserArg);
|
||||
CertBlocklistItem item = aHashKey->GetKey();
|
||||
|
||||
if (!item.mIsCurrent) {
|
||||
return PL_DHASH_NEXT;
|
||||
}
|
||||
|
||||
nsAutoCString encIssuer;
|
||||
nsAutoCString encSerial;
|
||||
|
||||
nsresult rv = item.ToBase64(encIssuer, encSerial);
|
||||
if (NS_FAILED(rv)) {
|
||||
saveInfo->success = false;
|
||||
return PL_DHASH_STOP;
|
||||
}
|
||||
|
||||
saveInfo->issuers.PutEntry(encIssuer);
|
||||
BlocklistStringSet* issuerSet = saveInfo->issuerTable.Get(encIssuer);
|
||||
if (!issuerSet) {
|
||||
issuerSet = new BlocklistStringSet();
|
||||
saveInfo->issuerTable.Put(encIssuer, issuerSet);
|
||||
}
|
||||
issuerSet->PutEntry(encSerial);
|
||||
return PL_DHASH_NEXT;
|
||||
}
|
||||
|
||||
// write serial data to the output stream
|
||||
PLDHashOperator
|
||||
WriteSerial(nsCStringHashKey* aHashKey, void* aUserArg)
|
||||
{
|
||||
BlocklistSaveInfo* saveInfo = reinterpret_cast<BlocklistSaveInfo*>(aUserArg);
|
||||
|
||||
nsresult rv = WriteLine(saveInfo->outputStream,
|
||||
NS_LITERAL_CSTRING(" ") + aHashKey->GetKey());
|
||||
if (NS_FAILED(rv)) {
|
||||
saveInfo->success = false;
|
||||
return PL_DHASH_STOP;
|
||||
}
|
||||
return PL_DHASH_NEXT;
|
||||
}
|
||||
|
||||
// Write issuer data to the output stream
|
||||
PLDHashOperator
|
||||
WriteIssuer(nsCStringHashKey* aHashKey, void* aUserArg)
|
||||
{
|
||||
BlocklistSaveInfo* saveInfo = reinterpret_cast<BlocklistSaveInfo*>(aUserArg);
|
||||
nsAutoPtr<BlocklistStringSet> issuerSet;
|
||||
|
||||
saveInfo->issuerTable.RemoveAndForget(aHashKey->GetKey(), issuerSet);
|
||||
|
||||
nsresult rv = WriteLine(saveInfo->outputStream, aHashKey->GetKey());
|
||||
if (NS_FAILED(rv)) {
|
||||
return PL_DHASH_STOP;
|
||||
}
|
||||
|
||||
issuerSet->EnumerateEntries(WriteSerial, saveInfo);
|
||||
if (!saveInfo->success) {
|
||||
saveInfo->success = false;
|
||||
return PL_DHASH_STOP;
|
||||
}
|
||||
return PL_DHASH_NEXT;
|
||||
}
|
||||
|
||||
// void saveEntries();
|
||||
// Store the blockist in a text file containing base64 encoded issuers and
|
||||
// serial numbers.
|
||||
//
|
||||
// Each item is stored on a separate line; each issuer is followed by its
|
||||
// revoked serial numbers, indented by one space.
|
||||
//
|
||||
// lines starting with a # character are ignored
|
||||
NS_IMETHODIMP
|
||||
CertBlocklist::SaveEntries()
|
||||
{
|
||||
mozilla::MutexAutoLock lock(mMutex);
|
||||
if (!mModified) {
|
||||
return NS_OK;
|
||||
}
|
||||
if (!mBackingFile) {
|
||||
// We allow this to succeed with no profile directory for tests
|
||||
PR_LOG(gCertBlockPRLog, PR_LOG_WARN,
|
||||
("CertBlocklist::SaveEntries no file in profile to write to"));
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
BlocklistSaveInfo saveInfo;
|
||||
saveInfo.success = true;
|
||||
nsresult rv;
|
||||
rv = NS_NewAtomicFileOutputStream(getter_AddRefs(saveInfo.outputStream),
|
||||
mBackingFile, -1, -1, 0);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
mBlocklist.EnumerateEntries(ProcessEntry, &saveInfo);
|
||||
if (!saveInfo.success) {
|
||||
PR_LOG(gCertBlockPRLog, PR_LOG_WARN,
|
||||
("CertBlocklist::SaveEntries writing revocation data failed"));
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
rv = WriteLine(saveInfo.outputStream,
|
||||
NS_LITERAL_CSTRING("# Auto generated contents. Do not edit."));
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
|
||||
saveInfo.issuers.EnumerateEntries(WriteIssuer, &saveInfo);
|
||||
if (!saveInfo.success) {
|
||||
PR_LOG(gCertBlockPRLog, PR_LOG_WARN,
|
||||
("CertBlocklist::SaveEntries writing revocation data failed"));
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
nsCOMPtr<nsISafeOutputStream> safeStream =
|
||||
do_QueryInterface(saveInfo.outputStream);
|
||||
NS_ASSERTION(safeStream, "expected a safe output stream!");
|
||||
if (!safeStream) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
rv = safeStream->Finish();
|
||||
if (NS_FAILED(rv)) {
|
||||
PR_LOG(gCertBlockPRLog, PR_LOG_WARN,
|
||||
("CertBlocklist::SaveEntries saving revocation data failed"));
|
||||
return rv;
|
||||
}
|
||||
mModified = false;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
// boolean isCertRevoked([const, array, size_is(issuerLength)] in octet issuer,
|
||||
// in unsigned long issuerLength,
|
||||
// [const, array, size_is(serialLength)] in octet serial,
|
||||
// in unsigned long serialLength);
|
||||
NS_IMETHODIMP CertBlocklist::IsCertRevoked(const uint8_t* aIssuer, uint32_t aIssuerLength,
|
||||
const uint8_t* aSerial, uint32_t aSerialLength,
|
||||
bool* _retval)
|
||||
{
|
||||
mozilla::MutexAutoLock lock(mMutex);
|
||||
|
||||
mozilla::pkix::Input issuer;
|
||||
mozilla::pkix::Input serial;
|
||||
if (issuer.Init(aIssuer, aIssuerLength) != mozilla::pkix::Success) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
if (serial.Init(aSerial, aSerialLength) != mozilla::pkix::Success) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
CertBlocklistItem item(issuer, serial);
|
||||
|
||||
*_retval = mBlocklist.Contains(item);
|
||||
|
||||
return NS_OK;
|
||||
}
|
|
@ -0,0 +1,71 @@
|
|||
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#ifndef CertBlocklist_h
|
||||
#define CertBlocklist_h
|
||||
|
||||
#include "mozilla/Mutex.h"
|
||||
#include "nsClassHashtable.h"
|
||||
#include "nsCOMPtr.h"
|
||||
#include "nsICertBlocklist.h"
|
||||
#include "nsIOutputStream.h"
|
||||
#include "nsTHashtable.h"
|
||||
#include "nsIX509CertDB.h"
|
||||
#include "pkix/Input.h"
|
||||
|
||||
#define NS_CERT_BLOCKLIST_CID \
|
||||
{0x11aefd53, 0x2fbb, 0x4c92, {0xa0, 0xc1, 0x05, 0x32, 0x12, 0xae, 0x42, 0xd0} }
|
||||
|
||||
enum CertBlocklistItemState {
|
||||
CertNewFromBlocklist,
|
||||
CertOldFromLocalCache
|
||||
};
|
||||
|
||||
class CertBlocklistItem
|
||||
{
|
||||
public:
|
||||
CertBlocklistItem(mozilla::pkix::Input aIssuer, mozilla::pkix::Input aSerial);
|
||||
CertBlocklistItem(const CertBlocklistItem& aItem);
|
||||
~CertBlocklistItem();
|
||||
nsresult ToBase64(nsACString& b64IssuerOut, nsACString& b64SerialOut);
|
||||
bool operator==(const CertBlocklistItem& aItem) const;
|
||||
uint32_t Hash() const;
|
||||
bool mIsCurrent;
|
||||
|
||||
private:
|
||||
mozilla::pkix::Input mIssuer;
|
||||
uint8_t* mIssuerData;
|
||||
mozilla::pkix::Input mSerial;
|
||||
uint8_t* mSerialData;
|
||||
};
|
||||
|
||||
typedef nsGenericHashKey<CertBlocklistItem> BlocklistItemKey;
|
||||
typedef nsTHashtable<BlocklistItemKey> BlocklistTable;
|
||||
typedef nsTHashtable<nsCStringHashKey> BlocklistStringSet;
|
||||
typedef nsClassHashtable<nsCStringHashKey, BlocklistStringSet> IssuerTable;
|
||||
|
||||
class CertBlocklist : public nsICertBlocklist
|
||||
{
|
||||
public:
|
||||
NS_DECL_THREADSAFE_ISUPPORTS
|
||||
NS_DECL_NSICERTBLOCKLIST
|
||||
CertBlocklist();
|
||||
nsresult Init();
|
||||
|
||||
private:
|
||||
BlocklistTable mBlocklist;
|
||||
nsresult AddRevokedCertInternal(const char* aIssuer,
|
||||
const char* aSerial,
|
||||
CertBlocklistItemState aItemState,
|
||||
mozilla::MutexAutoLock& /*proofOfLock*/);
|
||||
mozilla::Mutex mMutex;
|
||||
bool mModified;
|
||||
nsCOMPtr<nsIFile> mBackingFile;
|
||||
|
||||
protected:
|
||||
virtual ~CertBlocklist();
|
||||
};
|
||||
|
||||
#endif // CertBlocklist_h
|
|
@ -9,6 +9,7 @@ EXPORTS.mozilla += [
|
|||
]
|
||||
|
||||
UNIFIED_SOURCES += [
|
||||
'CertBlocklist.cpp',
|
||||
'DataStorage.cpp',
|
||||
'nsBOOTModule.cpp',
|
||||
'nsEntropyCollector.cpp',
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
|
||||
#include "mozilla/ModuleUtils.h"
|
||||
|
||||
#include "CertBlocklist.h"
|
||||
#include "nsEntropyCollector.h"
|
||||
#include "nsSecureBrowserUIImpl.h"
|
||||
#include "nsSecurityWarningDialogs.h"
|
||||
|
@ -12,6 +13,7 @@
|
|||
|
||||
NS_GENERIC_FACTORY_CONSTRUCTOR(nsEntropyCollector)
|
||||
NS_GENERIC_FACTORY_CONSTRUCTOR(nsSecureBrowserUIImpl)
|
||||
NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(CertBlocklist, Init)
|
||||
NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nsSecurityWarningDialogs, Init)
|
||||
NS_GENERIC_FACTORY_CONSTRUCTOR_INIT(nsSiteSecurityService, Init)
|
||||
|
||||
|
@ -19,12 +21,14 @@ NS_DEFINE_NAMED_CID(NS_ENTROPYCOLLECTOR_CID);
|
|||
NS_DEFINE_NAMED_CID(NS_SECURITYWARNINGDIALOGS_CID);
|
||||
NS_DEFINE_NAMED_CID(NS_SECURE_BROWSER_UI_CID);
|
||||
NS_DEFINE_NAMED_CID(NS_SITE_SECURITY_SERVICE_CID);
|
||||
NS_DEFINE_NAMED_CID(NS_CERT_BLOCKLIST_CID);
|
||||
|
||||
static const mozilla::Module::CIDEntry kBOOTCIDs[] = {
|
||||
{ &kNS_ENTROPYCOLLECTOR_CID, false, nullptr, nsEntropyCollectorConstructor },
|
||||
{ &kNS_SECURITYWARNINGDIALOGS_CID, false, nullptr, nsSecurityWarningDialogsConstructor },
|
||||
{ &kNS_SECURE_BROWSER_UI_CID, false, nullptr, nsSecureBrowserUIImplConstructor },
|
||||
{ &kNS_SITE_SECURITY_SERVICE_CID, false, nullptr, nsSiteSecurityServiceConstructor },
|
||||
{ &kNS_CERT_BLOCKLIST_CID, false, nullptr, CertBlocklistConstructor},
|
||||
{ nullptr }
|
||||
};
|
||||
|
||||
|
@ -33,6 +37,7 @@ static const mozilla::Module::ContractIDEntry kBOOTContracts[] = {
|
|||
{ NS_SECURITYWARNINGDIALOGS_CONTRACTID, &kNS_SECURITYWARNINGDIALOGS_CID },
|
||||
{ NS_SECURE_BROWSER_UI_CONTRACTID, &kNS_SECURE_BROWSER_UI_CID },
|
||||
{ NS_SSSERVICE_CONTRACTID, &kNS_SITE_SECURITY_SERVICE_CID },
|
||||
{ NS_CERTBLOCKLIST_CONTRACTID, &kNS_CERT_BLOCKLIST_CID },
|
||||
{ nullptr }
|
||||
};
|
||||
|
||||
|
|
|
@ -0,0 +1,271 @@
|
|||
/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
// This test checks a number of things:
|
||||
// * it ensures that data loaded from revocations.txt on startup is present
|
||||
// * it ensures that certItems in blocklist.xml are persisted correctly
|
||||
// * it ensures that items in the CertBlocklist are seen as revoked by the
|
||||
// cert verifier
|
||||
// * it does a sanity check to ensure other cert verifier behavior is
|
||||
// unmodified
|
||||
|
||||
let { XPCOMUtils } = Cu.import("resource://gre/modules/XPCOMUtils.jsm", {});
|
||||
|
||||
// First, we need to setup appInfo for the blocklist service to work
|
||||
let id = "xpcshell@tests.mozilla.org";
|
||||
let appName = "XPCShell";
|
||||
let version = "1";
|
||||
let platformVersion = "1.9.2";
|
||||
let appInfo = {
|
||||
// nsIXULAppInfo
|
||||
vendor: "Mozilla",
|
||||
name: appName,
|
||||
ID: id,
|
||||
version: version,
|
||||
appBuildID: "2007010101",
|
||||
platformVersion: platformVersion ? platformVersion : "1.0",
|
||||
platformBuildID: "2007010101",
|
||||
|
||||
// nsIXULRuntime
|
||||
inSafeMode: false,
|
||||
logConsoleErrors: true,
|
||||
OS: "XPCShell",
|
||||
XPCOMABI: "noarch-spidermonkey",
|
||||
invalidateCachesOnRestart: function invalidateCachesOnRestart() {
|
||||
// Do nothing
|
||||
},
|
||||
|
||||
// nsICrashReporter
|
||||
annotations: {},
|
||||
|
||||
annotateCrashReport: function(key, data) {
|
||||
this.annotations[key] = data;
|
||||
},
|
||||
|
||||
QueryInterface: XPCOMUtils.generateQI([Ci.nsIXULAppInfo,
|
||||
Ci.nsIXULRuntime,
|
||||
Ci.nsICrashReporter,
|
||||
Ci.nsISupports])
|
||||
};
|
||||
|
||||
let XULAppInfoFactory = {
|
||||
createInstance: function (outer, iid) {
|
||||
appInfo.QueryInterface(iid);
|
||||
if (outer != null) {
|
||||
throw Cr.NS_ERROR_NO_AGGREGATION;
|
||||
}
|
||||
return appInfo.QueryInterface(iid);
|
||||
}
|
||||
};
|
||||
|
||||
let registrar = Components.manager.QueryInterface(Ci.nsIComponentRegistrar);
|
||||
const XULAPPINFO_CONTRACTID = "@mozilla.org/xre/app-info;1";
|
||||
const XULAPPINFO_CID = Components.ID("{c763b610-9d49-455a-bbd2-ede71682a1ac}");
|
||||
registrar.registerFactory(XULAPPINFO_CID, "XULAppInfo",
|
||||
XULAPPINFO_CONTRACTID, XULAppInfoFactory);
|
||||
|
||||
// we need to ensure we setup revocation data before certDB, or we'll start with
|
||||
// no revocation.txt in the profile
|
||||
let profile = do_get_profile();
|
||||
let revocations = profile.clone();
|
||||
revocations.append("revocations.txt");
|
||||
if (!revocations.exists()) {
|
||||
let existing = do_get_file("test_onecrl/sample_revocations.txt", false);
|
||||
existing.copyTo(profile,"revocations.txt");
|
||||
}
|
||||
|
||||
let certDB = Cc["@mozilla.org/security/x509certdb;1"]
|
||||
.getService(Ci.nsIX509CertDB);
|
||||
|
||||
// set up a test server to serve the blocklist.xml
|
||||
let testserver = new HttpServer();
|
||||
|
||||
let blocklist_contents =
|
||||
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
|
||||
"<blocklist xmlns=\"http://www.mozilla.org/2006/addons-blocklist\">" +
|
||||
// test with some bad data ...
|
||||
"<certItems><certItem issuerName='Some nonsense in issuer'>" +
|
||||
"<serialNumber>AkHVNA==</serialNumber>" +
|
||||
"</certItem><certItem issuerName='MA0xCzAJBgNVBAMMAmNh'>" +
|
||||
"<serialNumber>some nonsense in serial</serialNumber>" +
|
||||
"</certItem><certItem issuerName='some nonsense in both issuer'>" +
|
||||
"<serialNumber>and serial</serialNumber></certItem>" +
|
||||
// some mixed
|
||||
// In this case, the issuer name and the valid serialNumber correspond
|
||||
// to test-int.der in tlsserver/
|
||||
"<certItem issuerName='MBIxEDAOBgNVBAMTB1Rlc3QgQ0E='>" +
|
||||
"<serialNumber>oops! more nonsense.</serialNumber>" +
|
||||
"<serialNumber>X1o=</serialNumber></certItem>" +
|
||||
// ... and some good
|
||||
// This item corresponds to an entry in sample_revocations.txt where:
|
||||
// isser name is "another imaginary issuer" base-64 encoded, and
|
||||
// serialNumbers are:
|
||||
// "serial2." base-64 encoded, and
|
||||
// "another serial." base-64 encoded
|
||||
// We need this to ensure that existing items are retained if they're
|
||||
// also in the blocklist
|
||||
"<certItem issuerName='YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy'>" +
|
||||
"<serialNumber>c2VyaWFsMi4=</serialNumber>" +
|
||||
"<serialNumber>YW5vdGhlciBzZXJpYWwu</serialNumber>" +
|
||||
"</certItem></certItems></blocklist>";
|
||||
testserver.registerPathHandler("/push_blocked_cert/",
|
||||
function serveResponse(request, response) {
|
||||
response.write(blocklist_contents);
|
||||
});
|
||||
|
||||
// start the test server
|
||||
testserver.start(-1);
|
||||
let port = testserver.identity.primaryPort;
|
||||
|
||||
// Setup the addonManager
|
||||
let addonManager = Cc["@mozilla.org/addons/integration;1"]
|
||||
.getService(Ci.nsIObserver)
|
||||
.QueryInterface(Ci.nsITimerCallback);
|
||||
addonManager.observe(null, "addons-startup", null);
|
||||
|
||||
let converter = Cc["@mozilla.org/intl/scriptableunicodeconverter"]
|
||||
.createInstance(Ci.nsIScriptableUnicodeConverter);
|
||||
converter.charset = "UTF-8";
|
||||
|
||||
function verify_cert(file, expectedError) {
|
||||
let cert_der = readFile(do_get_file(file));
|
||||
let ee = certDB.constructX509(cert_der, cert_der.length);
|
||||
equal(expectedError, certDB.verifyCertNow(ee, certificateUsageSSLServer,
|
||||
NO_FLAGS, {}, {}));
|
||||
}
|
||||
|
||||
function load_cert(cert, trust) {
|
||||
let file = "tlsserver/" + cert + ".der";
|
||||
addCertFromFile(certDB, file, trust);
|
||||
}
|
||||
|
||||
function test_is_revoked(certList, issuerString, serialString) {
|
||||
let issuer = converter.convertToByteArray(issuerString, {});
|
||||
let serial = converter.convertToByteArray(serialString, {});
|
||||
return certList.isCertRevoked(issuer,
|
||||
issuerString.length,
|
||||
serial,
|
||||
serialString.length);
|
||||
}
|
||||
|
||||
function run_test() {
|
||||
// import the certificates we need
|
||||
load_cert("test-ca", "CTu,CTu,CTu");
|
||||
load_cert("test-int", ",,");
|
||||
|
||||
let certList = Cc["@mozilla.org/security/certblocklist;1"]
|
||||
.getService(Ci.nsICertBlocklist);
|
||||
|
||||
// check some existing items in revocations.txt are blocked. Since the
|
||||
// CertBlocklistItems don't know about the data they contain, we can use
|
||||
// arbitrary data (not necessarily DER) to test if items are revoked or not.
|
||||
// This test corresponds to:
|
||||
// issuer: c29tZSBpbWFnaW5hcnkgaXNzdWVy
|
||||
// serial: c2VyaWFsLg==
|
||||
ok(test_is_revoked(certList, "some imaginary issuer", "serial."),
|
||||
"issuer / serial pair should be blocked");
|
||||
|
||||
// This test corresponds to:
|
||||
// issuer: YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy
|
||||
// serial: c2VyaWFsLg==
|
||||
ok(test_is_revoked(certList, "another imaginary issuer", "serial."),
|
||||
"issuer / serial pair should be blocked");
|
||||
|
||||
// And this test corresponds to:
|
||||
// issuer: YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy
|
||||
// serial: c2VyaWFsMi4=
|
||||
// (we test this issuer twice to ensure we can read multiple serials)
|
||||
ok(test_is_revoked(certList, "another imaginary issuer", "serial2."),
|
||||
"issuer / serial pair should be blocked");
|
||||
|
||||
// Soon we'll load a blocklist which revokes test-int.der, which issued
|
||||
// test-int-ee.der.
|
||||
// Check the cert validates before we load the blocklist
|
||||
let file = "tlsserver/test-int-ee.der";
|
||||
verify_cert(file, Cr.NS_OK);
|
||||
|
||||
// blocklist load is async so we must use add_test from here
|
||||
add_test(function() {
|
||||
let certblockObserver = {
|
||||
observe: function(aSubject, aTopic, aData) {
|
||||
Services.obs.removeObserver(this, "blocklist-updated");
|
||||
run_next_test();
|
||||
}
|
||||
}
|
||||
|
||||
Services.obs.addObserver(certblockObserver, "blocklist-updated", false);
|
||||
Services.prefs.setCharPref("extensions.blocklist.url", "http://localhost:" +
|
||||
port + "/push_blocked_cert/");
|
||||
let blocklist = Cc["@mozilla.org/extensions/blocklist;1"]
|
||||
.getService(Ci.nsITimerCallback);
|
||||
blocklist.notify(null);
|
||||
});
|
||||
|
||||
add_test(function() {
|
||||
// The blocklist will be loaded now. Let's check the data is sane.
|
||||
// In particular, we should still have the revoked issuer / serial pair
|
||||
// that was in both revocations.txt and the blocklist.xml
|
||||
ok(test_is_revoked(certList, "another imaginary issuer", "serial2."),
|
||||
"issuer / serial pair should be blocked");
|
||||
|
||||
// Check that both serials in the certItem with multiple serials were read
|
||||
// properly
|
||||
ok(test_is_revoked(certList, "another imaginary issuer", "serial2."),
|
||||
"issuer / serial pair should be blocked");
|
||||
ok(test_is_revoked(certList, "another imaginary issuer", "another serial."),
|
||||
"issuer / serial pair should be blocked");
|
||||
|
||||
// Check the blocklist entry has been persisted properly to the backing
|
||||
// file
|
||||
let profile = do_get_profile();
|
||||
let revocations = profile.clone();
|
||||
revocations.append("revocations.txt");
|
||||
ok(revocations.exists(), "the revocations file should exist");
|
||||
let inputStream = Cc["@mozilla.org/network/file-input-stream;1"]
|
||||
.createInstance(Ci.nsIFileInputStream);
|
||||
inputStream.init(revocations,-1, -1, 0);
|
||||
inputStream.QueryInterface(Ci.nsILineInputStream);
|
||||
let contents = "";
|
||||
let hasmore = false;
|
||||
do {
|
||||
var line = {};
|
||||
hasmore = inputStream.readLine(line);
|
||||
contents = contents + (contents.length == 0 ? "" : "\n") + line.value;
|
||||
} while (hasmore);
|
||||
let expected = "# Auto generated contents. Do not edit.\n" +
|
||||
"MBIxEDAOBgNVBAMTB1Rlc3QgQ0E=\n" +
|
||||
" X1o=\n" +
|
||||
"YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy\n" +
|
||||
" YW5vdGhlciBzZXJpYWwu\n" +
|
||||
" c2VyaWFsMi4=";
|
||||
equal(contents, expected, "revocations.txt should be as expected");
|
||||
|
||||
// Check the blocklisted intermediate now causes a failure
|
||||
let file = "tlsserver/test-int-ee.der";
|
||||
verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
|
||||
|
||||
// Check a non-blocklisted chain still validates OK
|
||||
file = "tlsserver/default-ee.der";
|
||||
verify_cert(file, Cr.NS_OK);
|
||||
|
||||
// Check a bad cert is still bad (unknown issuer)
|
||||
file = "tlsserver/unknown-issuer.der";
|
||||
verify_cert(file, SEC_ERROR_UNKNOWN_ISSUER);
|
||||
|
||||
// check that save with no further update is a no-op
|
||||
let lastModified = revocations.lastModifiedTime;
|
||||
// add an already existing entry
|
||||
certList.addRevokedCert("YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy","c2VyaWFsMi4=");
|
||||
certList.saveEntries();
|
||||
let newModified = revocations.lastModifiedTime;
|
||||
equal(lastModified, newModified,
|
||||
"saveEntries with no modifications should not update the backing file");
|
||||
|
||||
run_next_test();
|
||||
});
|
||||
|
||||
// we need to start the async portions of the test
|
||||
run_next_test();
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
# a sample revocations.txt for tests
|
||||
# Lines starting with '#' are ignored - as are empty lines like this:
|
||||
|
||||
# otherwise:
|
||||
# non-empty lines are treated as base-64 encoded DER issuer data
|
||||
# ...unless the line starts with a ' ' (space) character, in which case it's
|
||||
# assumed to be base-64 encoded DER serial data.
|
||||
|
||||
# First a serial with no issuer to ensure this doesn't cause parsing to fail
|
||||
# (there should be an issuer first, but we need to test this won't fail)
|
||||
dGVzdA==
|
||||
# next, let's ensure data that isn't valid base64 doesn't cause breakage.
|
||||
this serial isn't valid base64 (but then there's no issuer anyway)
|
||||
Neither is this issuer, though the serial is fine
|
||||
dGVzdA==
|
||||
dGVzdA==
|
||||
in this case, issuer is fine but not the serial
|
||||
# Next two entries; we can add valid base-64 encoded data for some basic tests:
|
||||
# issuer is "some imaginary issuer" base-64 encoded
|
||||
# and serial "serial." base-64 encoded
|
||||
c29tZSBpbWFnaW5hcnkgaXNzdWVy
|
||||
c2VyaWFsLg==
|
||||
# issuer is "another imaginary issuer" base-64 encoded
|
||||
# serials are "serial." and "serial2." base-64 encoded
|
||||
YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy
|
||||
c2VyaWFsLg==
|
||||
c2VyaWFsMi4=
|
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/cert9.db
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/cert9.db
Двоичный файл не отображается.
|
@ -267,6 +267,7 @@ export_cert localhostAndExampleCom default-ee.der
|
|||
make_EE ocspOtherEndEntity 'CN=Other Cert' testCA "localhost,*.example.com"
|
||||
|
||||
make_INT testINT 'CN=Test Intermediate' testCA
|
||||
export_cert testINT test-int.der
|
||||
make_EE ocspEEWithIntermediate 'CN=Test End-entity with Intermediate' testINT "localhost,*.example.com"
|
||||
make_EE expired 'CN=Expired Test End-entity' testCA "expired.example.com" "-w -400"
|
||||
export_cert expired expired-ee.der
|
||||
|
@ -279,6 +280,7 @@ make_EE selfsigned 'CN=Self-signed Test End-entity' testCA "selfsigned.example.c
|
|||
# get regenerated. Either way, deletedINT will then be removed again.
|
||||
make_INT deletedINT 'CN=Test Intermediate to delete' testCA
|
||||
make_EE unknownissuer 'CN=Test End-entity from unknown issuer' deletedINT "unknownissuer.example.com"
|
||||
export_cert unknownissuer unknown-issuer.der
|
||||
|
||||
$RUN_MOZILLA $CERTUTIL -d $DB_ARGUMENT -D -n deletedINT
|
||||
|
||||
|
@ -320,4 +322,8 @@ make_V1 v1Cert 'CN=V1 Cert' testCA
|
|||
export_cert v1Cert v1Cert.der
|
||||
make_EE eeIssuedByV1Cert 'CN=EE Issued by V1 Cert' v1Cert "localhost,*.example.com"
|
||||
|
||||
# Make a valid EE using testINT to test OneCRL revocation of testINT
|
||||
make_EE eeIssuedByIntermediate 'CN=EE issued by intermediate' testINT "localhost"
|
||||
export_cert eeIssuedByIntermediate test-int-ee.der
|
||||
|
||||
cleanup
|
||||
|
|
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/key4.db
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/key4.db
Двоичный файл не отображается.
Двоичный файл не отображается.
Двоичный файл не отображается.
Двоичный файл не отображается.
|
@ -18,6 +18,7 @@ support-files =
|
|||
test_ocsp_fetch_method/**
|
||||
test_keysize/**
|
||||
test_pinning_dynamic/**
|
||||
test_onecrl/**
|
||||
|
||||
[test_datasignatureverifier.js]
|
||||
[test_hash_algorithms.js]
|
||||
|
@ -41,6 +42,8 @@ support-files =
|
|||
[test_certificate_usages.js]
|
||||
[test_ocsp_stapling.js]
|
||||
run-sequentially = hardcoded ports
|
||||
[test_cert_blocklist.js]
|
||||
skip-if = buildapp == "b2g"
|
||||
[test_ocsp_stapling_expired.js]
|
||||
run-sequentially = hardcoded ports
|
||||
[test_ocsp_stapling_with_intermediate.js]
|
||||
|
|
|
@ -74,6 +74,10 @@ XPCOMUtils.defineLazyServiceGetter(this, "gVersionChecker",
|
|||
"@mozilla.org/xpcom/version-comparator;1",
|
||||
"nsIVersionComparator");
|
||||
|
||||
XPCOMUtils.defineLazyServiceGetter(this, "gCertBlocklistService",
|
||||
"@mozilla.org/security/certblocklist;1",
|
||||
"nsICertBlocklist");
|
||||
|
||||
XPCOMUtils.defineLazyGetter(this, "gPref", function bls_gPref() {
|
||||
return Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefService).
|
||||
QueryInterface(Ci.nsIPrefBranch);
|
||||
|
@ -725,6 +729,13 @@ Blocklist.prototype = {
|
|||
# <match name="description" exp="1[.]2[.]3"/>
|
||||
# </pluginItem>
|
||||
# </pluginItems>
|
||||
# <certItems>
|
||||
# <!-- issuerName is the DER issuer name data base64 encoded... -->
|
||||
# <certItem issuerName="MA0xCzAJBgNVBAMMAmNh">
|
||||
# <!-- ... as is the serial number DER data -->
|
||||
# <serialNumber>AkHVNA==</serialNumber>
|
||||
# </certItem>
|
||||
# </certItems>
|
||||
# </blocklist>
|
||||
*/
|
||||
|
||||
|
@ -862,12 +873,17 @@ Blocklist.prototype = {
|
|||
this._pluginEntries = this._processItemNodes(element.childNodes, "plugin",
|
||||
this._handlePluginItemNode);
|
||||
break;
|
||||
case "certItems":
|
||||
this._processItemNodes(element.childNodes, "cert",
|
||||
this._handleCertItemNode.bind(this));
|
||||
break;
|
||||
default:
|
||||
Services.obs.notifyObservers(element,
|
||||
"blocklist-data-" + element.localName,
|
||||
null);
|
||||
}
|
||||
}
|
||||
gCertBlocklistService.saveEntries();
|
||||
}
|
||||
catch (e) {
|
||||
LOG("Blocklist::_loadBlocklistFromFile: Error constructing blocklist " + e);
|
||||
|
@ -889,6 +905,20 @@ Blocklist.prototype = {
|
|||
return result;
|
||||
},
|
||||
|
||||
_handleCertItemNode: function Blocklist_handleCertItemNode(blocklistElement,
|
||||
result) {
|
||||
let issuer = blocklistElement.getAttribute("issuerName");
|
||||
for (let snElement of blocklistElement.children) {
|
||||
try {
|
||||
gCertBlocklistService.addRevokedCert(issuer, snElement.textContent);
|
||||
} catch (e) {
|
||||
// we want to keep trying other elements since missing all items
|
||||
// is worse than missing one
|
||||
LOG("Blocklist::_handleCertItemNode: Error adding revoked cert " + e);
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
_handleEmItemNode: function Blocklist_handleEmItemNode(blocklistElement, result) {
|
||||
if (!matchesOSABI(blocklistElement))
|
||||
return;
|
||||
|
|
Загрузка…
Ссылка в новой задаче