зеркало из https://github.com/mozilla/gecko-dev.git
Backed out 2 changesets (bug 1562773) for build bustages. CLOSED TREE
Backed out changeset 154b23d4a214 (bug 1562773) Backed out changeset f32f7a644981 (bug 1562773)
This commit is contained in:
Razvan Maries
Родитель
0a750ccc81
Коммит
2fb41871a9
|
|
@ -67,8 +67,6 @@ interface nsITransportSecurityInfo : nsISupports {
|
|||
[must_use]
|
||||
readonly attribute unsigned short certificateTransparencyStatus;
|
||||
|
||||
[must_use]
|
||||
readonly attribute boolean isDelegatedCredential;
|
||||
[must_use]
|
||||
readonly attribute boolean isDomainMismatch;
|
||||
[must_use]
|
||||
|
|
|
|||
|
|
@ -33,7 +33,6 @@ STAGE = mozpath.join(buildconfig.topobjdir, 'dist', 'test-stage')
|
|||
|
||||
TEST_HARNESS_BINS = [
|
||||
'BadCertAndPinningServer',
|
||||
'DelegatedCredentialsServer',
|
||||
'GenerateOCSPResponse',
|
||||
'OCSPStaplingServer',
|
||||
'SanctionsTestServer',
|
||||
|
|
|
|||
|
|
@ -114,7 +114,6 @@ class ArtifactJob(object):
|
|||
# to dist/.
|
||||
test_artifact_patterns = {
|
||||
('bin/BadCertAndPinningServer', ('bin', 'bin')),
|
||||
('bin/DelegatedCredentialsServer', ('bin', 'bin')),
|
||||
('bin/GenerateOCSPResponse', ('bin', 'bin')),
|
||||
('bin/OCSPStaplingServer', ('bin', 'bin')),
|
||||
('bin/SanctionsTestServer', ('bin', 'bin')),
|
||||
|
|
@ -556,7 +555,6 @@ class WinArtifactJob(ArtifactJob):
|
|||
# These are a subset of TEST_HARNESS_BINS in testing/mochitest/Makefile.in.
|
||||
test_artifact_patterns = {
|
||||
('bin/BadCertAndPinningServer.exe', ('bin', 'bin')),
|
||||
('bin/DelegatedCredentialsServer.exe', ('bin', 'bin')),
|
||||
('bin/GenerateOCSPResponse.exe', ('bin', 'bin')),
|
||||
('bin/OCSPStaplingServer.exe', ('bin', 'bin')),
|
||||
('bin/SanctionsTestServer.exe', ('bin', 'bin')),
|
||||
|
|
|
|||
|
|
@ -48,7 +48,6 @@ TransportSecurityInfo::TransportSecurityInfo()
|
|||
nsITransportSecurityInfo::CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE),
|
||||
mKeaGroup(),
|
||||
mSignatureSchemeName(),
|
||||
mIsDelegatedCredential(false),
|
||||
mIsDomainMismatch(false),
|
||||
mIsNotValidAtThisTime(false),
|
||||
mIsUntrusted(false),
|
||||
|
|
@ -193,7 +192,7 @@ TransportSecurityInfo::Write(nsIObjectOutputStream* aStream) {
|
|||
// Re-purpose mErrorMessageCached to represent serialization version
|
||||
// If string doesn't match exact version it will be treated as older
|
||||
// serialization.
|
||||
rv = aStream->WriteWStringZ(NS_ConvertUTF8toUTF16("2").get());
|
||||
rv = aStream->WriteWStringZ(NS_ConvertUTF8toUTF16("1").get());
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
|
|
@ -246,10 +245,6 @@ TransportSecurityInfo::Write(nsIObjectOutputStream* aStream) {
|
|||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
rv = aStream->WriteBoolean(mIsDelegatedCredential);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
|
@ -451,7 +446,7 @@ TransportSecurityInfo::Read(nsIObjectInputStream* aStream) {
|
|||
}
|
||||
|
||||
// moved from nsISSLStatus
|
||||
if (!serVersion.EqualsASCII("1") && !serVersion.EqualsASCII("2")) {
|
||||
if (!serVersion.EqualsASCII("1")) {
|
||||
// nsISSLStatus may be present
|
||||
rv = ReadSSLStatus(aStream);
|
||||
CHILD_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv),
|
||||
|
|
@ -548,16 +543,6 @@ TransportSecurityInfo::Read(nsIObjectInputStream* aStream) {
|
|||
}
|
||||
mFailedCertChain = do_QueryInterface(failedCertChainSupports);
|
||||
|
||||
// mIsDelegatedCredential added in bug 1562773
|
||||
if (serVersion.EqualsASCII("2")) {
|
||||
rv = aStream->ReadBoolean(&mIsDelegatedCredential);
|
||||
CHILD_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv),
|
||||
"Deserialization should not fail");
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
}
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
|
|
@ -585,7 +570,6 @@ void TransportSecurityInfo::SerializeToIPC(IPC::Message* aMsg) {
|
|||
WriteParam(aMsg, mSignatureSchemeName);
|
||||
WriteParam(aMsg, mSucceededCertChain);
|
||||
WriteParam(aMsg, mFailedCertChain);
|
||||
WriteParam(aMsg, mIsDelegatedCredential);
|
||||
}
|
||||
|
||||
bool TransportSecurityInfo::DeserializeFromIPC(const IPC::Message* aMsg,
|
||||
|
|
@ -610,8 +594,7 @@ bool TransportSecurityInfo::DeserializeFromIPC(const IPC::Message* aMsg,
|
|||
!ReadParam(aMsg, aIter, &mKeaGroup) ||
|
||||
!ReadParam(aMsg, aIter, &mSignatureSchemeName) ||
|
||||
!ReadParam(aMsg, aIter, &mSucceededCertChain) ||
|
||||
!ReadParam(aMsg, aIter, &mFailedCertChain) ||
|
||||
!ReadParam(aMsg, aIter, &mIsDelegatedCredential)) {
|
||||
!ReadParam(aMsg, aIter, &mFailedCertChain)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
@ -983,15 +966,5 @@ TransportSecurityInfo::GetIsExtendedValidation(bool* aIsEV) {
|
|||
return NS_ERROR_NOT_AVAILABLE;
|
||||
}
|
||||
|
||||
NS_IMETHODIMP
|
||||
TransportSecurityInfo::GetIsDelegatedCredential(bool* aIsDelegCred) {
|
||||
NS_ENSURE_ARG_POINTER(aIsDelegCred);
|
||||
if (!mHaveCipherSuiteAndProtocol) {
|
||||
return NS_ERROR_NOT_AVAILABLE;
|
||||
}
|
||||
*aIsDelegCred = mIsDelegatedCredential;
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
} // namespace psm
|
||||
} // namespace mozilla
|
||||
|
|
|
|||
|
|
@ -90,7 +90,6 @@ class TransportSecurityInfo : public nsITransportSecurityInfo,
|
|||
nsCString mKeaGroup;
|
||||
nsCString mSignatureSchemeName;
|
||||
|
||||
bool mIsDelegatedCredential;
|
||||
bool mIsDomainMismatch;
|
||||
bool mIsNotValidAtThisTime;
|
||||
bool mIsUntrusted;
|
||||
|
|
|
|||
|
|
@ -707,7 +707,6 @@ static void PreliminaryHandshakeDone(PRFileDesc* fd) {
|
|||
infoObject->SetKEAUsed(channelInfo.keaType);
|
||||
infoObject->SetKEAKeyBits(channelInfo.keaKeyBits);
|
||||
infoObject->SetMACAlgorithmUsed(cipherInfo.macAlgorithm);
|
||||
infoObject->mIsDelegatedCredential = channelInfo.peerDelegCred;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -75,7 +75,6 @@ const SSL_ERROR_NO_CYPHER_OVERLAP = SSL_ERROR_BASE + 2;
|
|||
const SSL_ERROR_BAD_CERT_DOMAIN = SSL_ERROR_BASE + 12;
|
||||
const SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17;
|
||||
const SSL_ERROR_WEAK_SERVER_CERT_KEY = SSL_ERROR_BASE + 132;
|
||||
const SSL_ERROR_DC_INVALID_KEY_USAGE = SSL_ERROR_BASE + 184;
|
||||
|
||||
const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = MOZILLA_PKIX_ERROR_BASE + 0;
|
||||
const MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY =
|
||||
|
|
|
|||
|
|
@ -37,7 +37,6 @@ nameConstraints:{permitted,excluded}:[<dNSName|directoryName>,...]
|
|||
nsCertType:sslServer
|
||||
TLSFeature:[<TLSFeature>,...]
|
||||
embeddedSCTList:[<key specification>:<YYYYMMDD>,...]
|
||||
delegationUsage:
|
||||
|
||||
Where:
|
||||
[] indicates an optional field or component of a field
|
||||
|
|
@ -197,14 +196,6 @@ class UnknownTLSFeature(UnknownBaseError):
|
|||
self.category = 'TLSFeature'
|
||||
|
||||
|
||||
class UnknownDelegatedCredentialError(UnknownBaseError):
|
||||
"""Helper exception type to handle unknown Delegated Credential args."""
|
||||
|
||||
def __init__(self, value):
|
||||
UnknownBaseError.__init__(self, value)
|
||||
self.category = 'delegatedCredential'
|
||||
|
||||
|
||||
class InvalidSCTSpecification(Error):
|
||||
"""Helper exception type to handle invalid SCT specifications."""
|
||||
|
||||
|
|
@ -510,8 +501,6 @@ class Certificate(object):
|
|||
self.addTLSFeature(value, critical)
|
||||
elif extensionType == 'embeddedSCTList':
|
||||
self.savedEmbeddedSCTListData = (value, critical)
|
||||
elif extensionType == 'delegationUsage':
|
||||
self.addDelegationUsage(critical)
|
||||
else:
|
||||
raise UnknownExtensionTypeError(extensionType)
|
||||
|
||||
|
|
@ -646,12 +635,6 @@ class Certificate(object):
|
|||
self.addExtension(univ.ObjectIdentifier('2.16.840.1.113730.1.1'), univ.BitString("'01'B"),
|
||||
critical)
|
||||
|
||||
def addDelegationUsage(self, critical):
|
||||
if critical:
|
||||
raise UnknownDelegatedCredentialError(critical)
|
||||
self.addExtension(univ.ObjectIdentifier('1.3.6.1.4.1.44363.44'), univ.Null(),
|
||||
critical)
|
||||
|
||||
def addTLSFeature(self, features, critical):
|
||||
namedFeatures = {'OCSPMustStaple': 5}
|
||||
featureList = [f.strip() for f in features.split(',')]
|
||||
|
|
|
|||
|
|
@ -1,91 +0,0 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
"use strict";
|
||||
|
||||
// Tests handling of certificates marked as permitting delegated credentials
|
||||
|
||||
function shouldBeDelegatedCredential(aTransportSecurityInfo) {
|
||||
Assert.ok(
|
||||
aTransportSecurityInfo.isDelegatedCredential,
|
||||
"This host should have used a delegated credential"
|
||||
);
|
||||
}
|
||||
|
||||
function shouldNotBeDelegatedCredential(aTransportSecurityInfo) {
|
||||
Assert.ok(
|
||||
!aTransportSecurityInfo.isDelegatedCredential,
|
||||
"This host should not have used a delegated credential"
|
||||
);
|
||||
}
|
||||
|
||||
do_get_profile();
|
||||
|
||||
add_tls_server_setup(
|
||||
"DelegatedCredentialsServer",
|
||||
"test_delegated_credentials"
|
||||
);
|
||||
|
||||
// Test:
|
||||
// Server certificate supports DC
|
||||
// Server DC support enabled
|
||||
// Client DC support disabled
|
||||
// Result: Successful connection without DC
|
||||
add_test(function() {
|
||||
clearSessionCache();
|
||||
Services.prefs.setBoolPref(
|
||||
"security.tls.enable_delegated_credentials",
|
||||
false
|
||||
);
|
||||
run_next_test();
|
||||
});
|
||||
add_connection_test(
|
||||
"delegated-enabled.example.com",
|
||||
PRErrorCodeSuccess,
|
||||
null,
|
||||
shouldNotBeDelegatedCredential
|
||||
);
|
||||
|
||||
// Test:
|
||||
// Server certificate does not support DC
|
||||
// Server DC support enabled
|
||||
// Client DC support enabled
|
||||
// Result: SSL_ERROR_DC_INVALID_KEY_USAGE from client when
|
||||
// checking DC against EE cert, no DC in aTransportSecurityInfo.
|
||||
add_test(function() {
|
||||
clearSessionCache();
|
||||
Services.prefs.setBoolPref("security.tls.enable_delegated_credentials", true);
|
||||
run_next_test();
|
||||
});
|
||||
add_connection_test(
|
||||
"standard-enabled.example.com",
|
||||
SSL_ERROR_DC_INVALID_KEY_USAGE,
|
||||
null,
|
||||
// We'll never |mHaveCipherSuiteAndProtocol|,
|
||||
// and therefore can't check IsDelegatedCredential
|
||||
function() {}
|
||||
);
|
||||
|
||||
// Test:
|
||||
// Server certificate supports DC
|
||||
// Server DC support disabled
|
||||
// Client DC support enabled
|
||||
// Result: Successful connection without DC
|
||||
add_connection_test(
|
||||
"delegated-disabled.example.com",
|
||||
PRErrorCodeSuccess,
|
||||
null,
|
||||
shouldNotBeDelegatedCredential
|
||||
);
|
||||
|
||||
// Test:
|
||||
// Server certificate supports DC
|
||||
// Server DC support enabled
|
||||
// Client DC support enabled
|
||||
// Result: Successful connection with DC
|
||||
add_connection_test(
|
||||
"delegated-enabled.example.com",
|
||||
PRErrorCodeSuccess,
|
||||
null,
|
||||
shouldBeDelegatedCredential
|
||||
);
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
-----BEGIN EC PRIVATE KEY-----
|
||||
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM
|
||||
1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48
|
||||
9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
|
@ -1 +0,0 @@
|
|||
secp256r1
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIICSTCCATGgAwIBAgIUQ2q6l0cjlPXxxJFtId7XLpMUpKMwDQYJKoZIhvcNAQEL
|
||||
BQAwLDEqMCgGA1UEAwwhZGVsZWdhdGVkLWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRl
|
||||
MCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBYxFDASBgNVBAMM
|
||||
C2VlLXN0YW5kYXJkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+Pmx
|
||||
pgpZrIcE4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0H
|
||||
owTqoEqmwKNAMD4wEwYDVR0lBAwwCgYIKwYBBQUHAwEwJwYDVR0RBCAwHoIcc3Rh
|
||||
bmRhcmQtZW5hYmxlZC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAlVb9
|
||||
zRb+Q3Z3yLfIq/RzU0nkHqUbtZ6SKC7GTqPSMjavcspV3RB7AamV324kod9vf6UB
|
||||
uRlpW6u1xcILMQqtqy8RVZMr85WZXgxrAmPsIGXJ8MQGRgVqzQRWF4YX1Hcf6dIi
|
||||
+9v/fA8UVVZGfHUMnKYPBCOBtz2bS7jFwIycHhv6uF+AvHCAlj9sYhDDfHPe3P2t
|
||||
9W8hNAkzZhuqWfZYaSzBb46JT8YVaLDeBLL2k4oUpua6MCfY3VTa8wI/o/F28ECM
|
||||
sIA31gqmDdszEh1NIRN7vzWZxHJqoKYEeDMa66ldWvHqhBjKfFo8GJSsfhlI81G2
|
||||
UVRcUDqdiPSo8M01Nw==
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
issuer:delegated-credential-intermediate
|
||||
subjectKey:secp256r1
|
||||
subject:ee-standard
|
||||
extension:extKeyUsage:serverAuth
|
||||
extension:subjectAlternativeName:standard-enabled.example.com
|
||||
|
|
@ -1,16 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIICiTCCAXGgAwIBAgIUPUgqfWW1ljbVjLQd6LE6gS+ZcrAwDQYJKoZIhvcNAQEL
|
||||
BQAwLDEqMCgGA1UEAwwhZGVsZWdhdGVkLWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRl
|
||||
MCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBcxFTATBgNVBAMM
|
||||
DGVlLWRlbGVnYXRlZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5
|
||||
saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3st
|
||||
B6ME6qBKpsCjfzB9MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDBI
|
||||
BgNVHREEQTA/gh1kZWxlZ2F0ZWQtZW5hYmxlZC5leGFtcGxlLmNvbYIeZGVsZWdh
|
||||
dGVkLWRpc2FibGVkLmV4YW1wbGUuY29tMA8GCSsGAQQBgtpLLAQCBQAwDQYJKoZI
|
||||
hvcNAQELBQADggEBADZXKk69BKj5nOy0NUdI75t/7wIxEIxntovOOVNwvl9GhzpZ
|
||||
UuwRMWJ/iWWEwJ83hz4ZNUyrl66GFRq/xELs515iWyF4mpTnkFpTAMLo4xN+uyEc
|
||||
26qStODbf8tWZuhOKAf1bKgiXNJ+UmJxBoJljX2Cq96ev29rXF9aDnpxtxf7lDZY
|
||||
lNCnwJd639Eg6qVXvrJGn3xHILt5cw9BVqtH7hRbV07PXxcF7iwVDkHpt8TwHDvn
|
||||
LSIKZcSIVBqbUzH57I/SU8CQHUJzHAFL6Ce/Vq/a/+FLcNxueYiZyP+cs4qoljAJ
|
||||
ymg4gYiKRqOjkvVMLR/CRcgXkggKR273oxBo+80=
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
issuer:delegated-credential-intermediate
|
||||
subject:ee-delegated
|
||||
subjectKey:secp256r1
|
||||
extension:extKeyUsage:serverAuth
|
||||
extension:keyUsage:digitalSignature,keyEncipherment
|
||||
extension:subjectAlternativeName:delegated-enabled.example.com,delegated-disabled.example.com
|
||||
extension:delegationUsage:
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
-----BEGIN EC PRIVATE KEY-----
|
||||
MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDADXHobENn6/oN7ZK2S
|
||||
8i9c7QeJGGU4ZptcbYcs7D2SYSKzk3crV2Av8xNl7+E5MkahZANiAAShaHJDNitc
|
||||
exiJ83kVRhWhxz+0je6GPgIpFdtgjiUt5LcTLajOmOgxU05qnAwLCcjWOa3oMgbl
|
||||
uoE0c6EfozDgXajJbkOD/ieHPalxA74oiM/wAvBa9xof3cyDdKpuqc4=
|
||||
-----END EC PRIVATE KEY-----
|
||||
|
|
@ -1 +0,0 @@
|
|||
secp384r1
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIICEDCB+aADAgECAhRx0mqEIfhjVHVBEUnIoG+JzuAGMDANBgkqhkiG9w0BAQsF
|
||||
ADAZMRcwFQYDVQQDDA5EZWZhdWx0IElzc3VlcjAiGA8yMDE3MTEyNzAwMDAwMFoY
|
||||
DzIwMjAwMjA1MDAwMDAwWjAWMRQwEgYDVQQDDAtzZWxmLXNpZ25lZDB2MBAGByqG
|
||||
SM49AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3k
|
||||
txMtqM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiI
|
||||
z/AC8Fr3Gh/dzIN0qm6pzjANBgkqhkiG9w0BAQsFAAOCAQEARJWWl1ikJe5usXuR
|
||||
zvgiVnNduUw/ovMti9H65Hc3PfXTabEos7awWn+62ThMkOOx3tx7TCde4Szj7b3S
|
||||
hKXnLlHuKiX4zW5A6/pDGQDy7HXhlNQ7bXgIFWYLOj+FqMIoyZ+wNjDV0dGwSVxS
|
||||
nTtc4iExEtLTu5u4khTNdWWglOLrGoDhGL8xT4SVqAIW+ynarhAo3rRGaeZl88zY
|
||||
8aKsg21WbXDH9pqm6/Z1h3keKK/PpgbKw6e8p5ljRJTVp44lEME9gIxjRygvl2Sm
|
||||
N2XtiZC7RShscbKo07ZEKS1c54x+XLu4v4qClX48ZCrSQWCnbLzUiOMuk8HzZZHb
|
||||
X3RbBg==
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
subject:self-signed
|
||||
subjectKey:secp384r1
|
||||
|
|
@ -1,23 +0,0 @@
|
|||
# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
|
||||
# vim: set filetype=python:
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
# Temporarily disabled. See bug 1256495.
|
||||
#test_certificates = (
|
||||
# 'test-ca.pem',
|
||||
# 'test-int.pem',
|
||||
# 'delegated-ee.pem',
|
||||
# 'default-ee.pem',
|
||||
#)
|
||||
#
|
||||
#for test_certificate in test_certificates:
|
||||
# GeneratedTestCertificate(test_certificate)
|
||||
#
|
||||
#test_keys = (
|
||||
# 'default-ee.key',
|
||||
#)
|
||||
#
|
||||
#for test_key in test_keys:
|
||||
# GeneratedTestKey(test_key)
|
||||
|
|
@ -1,18 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIC8zCCAdugAwIBAgIUZWEzCkuo2Tbhe7ja1soN3tMh7gQwDQYJKoZIhvcNAQEL
|
||||
BQAwIjEgMB4GA1UEAwwXZGVsZWdhdGVkLWNyZWRlbnRpYWwtY2EwIhgPMjAxNzEx
|
||||
MjcwMDAwMDBaGA8yMDIwMDIwNTAwMDAwMFowIjEgMB4GA1UEAwwXZGVsZWdhdGVk
|
||||
LWNyZWRlbnRpYWwtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
|
||||
iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
|
||||
4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
|
||||
8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
|
||||
Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
|
||||
77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
|
||||
I/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQD
|
||||
AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQB1A2t1D7g1pYkvQFBSdbg2zDXoePKMEkru
|
||||
uCPFb7sTqsO17RXKG+mbmZ8wYqu8R8OWI26r+9PFBErNKmwAeCkoQDFXY+9a6r28
|
||||
cMpsHOxWDzq4m0+Ly6CwdGryXc4l+FePl54l+sLjiqg2NJ1X5tyfAUML16mxMVcv
|
||||
O/bgEiOxFUm7PMuPFo6o4pv7Ppw0/QCJRvTYfdt8tQDfGsx++jmLIpuaRrr03vP5
|
||||
Aa6Pe0JCSM6sIF5pTEcvSARo7CwttF5ctikPTha1DdZ9w8nPjs80H8UcxJmX/NQw
|
||||
hPALvWf2w8fI9q86qQjAY9yYqEimbnlbcMZggHo7SAHfw945FagN
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
issuer:delegated-credential-ca
|
||||
subject:delegated-credential-ca
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
||||
|
|
@ -1,19 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIC/TCCAeWgAwIBAgIUazE59EMte5Z75fNl2tR7/Lw+TrIwDQYJKoZIhvcNAQEL
|
||||
BQAwIjEgMB4GA1UEAwwXZGVsZWdhdGVkLWNyZWRlbnRpYWwtY2EwIhgPMjAxNzEx
|
||||
MjcwMDAwMDBaGA8yMDIwMDIwNTAwMDAwMFowLDEqMCgGA1UEAwwhZGVsZWdhdGVk
|
||||
LWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
|
||||
MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
|
||||
vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
|
||||
uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
|
||||
O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
|
||||
3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
|
||||
5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/
|
||||
MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAH6vFPIjmkWYAURv66bcz
|
||||
wiBbk530kCAm9nQwGqsVtfQQBV1tqzjwSdee6XB0tX+a35Q6n/YI4OW94/MetrMD
|
||||
/Q8Dy9CxprnAUNwl5erHj62xmSSxW9NK7goZqulbxEXttE4S7WuacgIM0WGT0mTB
|
||||
avghqfNsPHLBZZm2sfODEo6iKz1ER6TBmjdDsP9pTi5f4TQXMPdJqwY/ymmbvHhh
|
||||
VNfcvWxeIJVAtFo615YEDSPwCxbMHeeglZ6lnp/5YndfXnPdm+RAkZ/gGzYHWBb6
|
||||
1Vqvu5RqlZ1h2SppSIVSyx/WBO3K9TcyKt3BVkpHPQd9kYeP1NJCyltay/6ZncV4
|
||||
bw==
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
issuer:delegated-credential-ca
|
||||
subject:delegated-credential-intermediate
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
|
|
@ -1,132 +0,0 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
// This is a standalone server used to test Delegated Credentials
|
||||
// (see: https://tools.ietf.org/html/draft-ietf-tls-subcerts-03).
|
||||
//
|
||||
// The client is expected to connect, initiate an SSL handshake (with SNI
|
||||
// to indicate which "server" to connect to), and verify the certificate.
|
||||
// If all is good, the client then sends one encrypted byte and receives that
|
||||
// same byte back.
|
||||
// This server also has the ability to "call back" another process waiting on
|
||||
// it. That is, when the server is all set up and ready to receive connections,
|
||||
// it will connect to a specified port and issue a simple HTTP request.
|
||||
|
||||
#include <iostream>
|
||||
|
||||
#include "TLSServer.h"
|
||||
|
||||
#include "sslexp.h"
|
||||
|
||||
using namespace mozilla;
|
||||
using namespace mozilla::test;
|
||||
|
||||
struct DelegatedCertHost {
|
||||
const char* mHostName;
|
||||
const char* mCertName;
|
||||
const char* mDelegatedCertName;
|
||||
bool mEnableDelegatedCredentials;
|
||||
};
|
||||
|
||||
const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;
|
||||
|
||||
// {host, eeCert, dcCert, enableDC}
|
||||
const DelegatedCertHost sDelegatedCertHosts[] = {
|
||||
{"delegated-enabled.example.com", "delegated-ee", "delegated-selfsigned",
|
||||
true},
|
||||
{"delegated-disabled.example.com", "delegated-ee",
|
||||
/* anything non-null */ "delegated-selfsigned", false},
|
||||
{"standard-enabled.example.com", "default-ee", "delegated-selfsigned",
|
||||
true},
|
||||
{nullptr, nullptr, nullptr, false}};
|
||||
|
||||
int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
|
||||
uint32_t aSrvNameArrSize, void* aArg) {
|
||||
const DelegatedCertHost* host =
|
||||
GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sDelegatedCertHosts);
|
||||
if (!host) {
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
||||
if (gDebugLevel >= DEBUG_VERBOSE) {
|
||||
std::cerr << "Identified host " << host->mHostName << std::endl;
|
||||
}
|
||||
|
||||
UniqueCERTCertificate delegatorCert(
|
||||
PK11_FindCertFromNickname(host->mCertName, nullptr));
|
||||
if (!delegatorCert) {
|
||||
PrintPRError("PK11_FindCertFromNickname failed");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
||||
UniqueCERTCertificate delegatedCert(
|
||||
PK11_FindCertFromNickname(host->mDelegatedCertName, nullptr));
|
||||
if (!delegatedCert) {
|
||||
PrintPRError("PK11_FindCertFromNickname failed");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
||||
UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
|
||||
if (!slot) {
|
||||
PrintPRError("PK11_GetInternalKeySlot failed");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
||||
SSLExtraServerCertData extra_data = {ssl_auth_null,
|
||||
/* Filled in by callee */ nullptr,
|
||||
nullptr,
|
||||
nullptr,
|
||||
/* DC */ nullptr,
|
||||
/* DC PrivKey */ nullptr};
|
||||
UniqueSECKEYPrivateKey dcPriv(
|
||||
PK11_FindKeyByDERCert(slot.get(), delegatedCert.get(), nullptr));
|
||||
if (!dcPriv) {
|
||||
PrintPRError("PK11_FindKeyByDERCert failed");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
||||
UniqueSECKEYPublicKey dcPub(
|
||||
SECKEY_ExtractPublicKey(&delegatedCert->subjectPublicKeyInfo));
|
||||
if (!dcPub) {
|
||||
PrintPRError("SECKEY_ExtractPublicKey failed");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
||||
UniqueSECKEYPrivateKey delegatorPriv(
|
||||
PK11_FindKeyByDERCert(slot.get(), delegatorCert.get(), nullptr));
|
||||
if (!dcPriv) {
|
||||
PrintPRError("PK11_FindKeyByDERCert failed");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
||||
ScopedAutoSECItem dc;
|
||||
if (host->mEnableDelegatedCredentials) {
|
||||
if (gDebugLevel >= DEBUG_VERBOSE) {
|
||||
std::cerr << "Enabling a delegated credential for host "
|
||||
<< host->mHostName << std::endl;
|
||||
}
|
||||
|
||||
if (SSL_DelegateCredential(delegatorCert.get(), delegatorPriv.get(),
|
||||
dcPub.get(), ssl_sig_ecdsa_secp384r1_sha384,
|
||||
kDCValidFor, PR_Now(), &dc) != SECSuccess) {
|
||||
PrintPRError("SSL_DelegateCredential failed");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
||||
extra_data.delegCred = &dc;
|
||||
extra_data.delegCredPrivKey = dcPriv.get();
|
||||
}
|
||||
|
||||
if (ConfigSecureServerWithNamedCert(aFd, host->mCertName, nullptr, nullptr,
|
||||
&extra_data) != SECSuccess) {
|
||||
PrintPRError("ConfigSecureServerWithNamedCert failed");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int main(int argc, char* argv[]) {
|
||||
return StartServer(argc, argv, DoSNISocketConfig, nullptr);
|
||||
}
|
||||
|
|
@ -6,7 +6,6 @@
|
|||
|
||||
GeckoSimplePrograms([
|
||||
'BadCertAndPinningServer',
|
||||
'DelegatedCredentialsServer',
|
||||
'GenerateOCSPResponse',
|
||||
'OCSPStaplingServer',
|
||||
'SanctionsTestServer',
|
||||
|
|
|
|||
|
|
@ -27,7 +27,6 @@
|
|||
#include "prnetdb.h"
|
||||
#include "prtime.h"
|
||||
#include "ssl.h"
|
||||
#include "sslproto.h"
|
||||
|
||||
namespace mozilla {
|
||||
namespace test {
|
||||
|
|
@ -572,20 +571,6 @@ int StartServer(int argc, char* argv[], SSLSNISocketConfig sniSocketConfig,
|
|||
return 1;
|
||||
}
|
||||
|
||||
SSLVersionRange range = {0, 0};
|
||||
if (SSL_VersionRangeGet(modelSocket.get(), &range) != SECSuccess) {
|
||||
PrintPRError("SSL_VersionRangeGet failed");
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (range.max < SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
range.max = SSL_LIBRARY_VERSION_TLS_1_3;
|
||||
if (SSL_VersionRangeSet(modelSocket.get(), &range) != SECSuccess) {
|
||||
PrintPRError("SSL_VersionRangeSet failed");
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
if (SSL_SNISocketConfigHook(modelSocket.get(), sniSocketConfig,
|
||||
sniSocketConfigArg) != SECSuccess) {
|
||||
PrintPRError("SSL_SNISocketConfigHook failed");
|
||||
|
|
@ -595,17 +580,9 @@ int StartServer(int argc, char* argv[], SSLSNISocketConfig sniSocketConfig,
|
|||
// We have to configure the server with a certificate, but it's not one
|
||||
// we're actually going to end up using. In the SNI callback, we pick
|
||||
// the right certificate for the connection.
|
||||
//
|
||||
// Provide an empty |extra_data| to force config via SSL_ConfigServerCert.
|
||||
// This is a temporary mechanism to work around inconsistent setting of
|
||||
// |authType| in the deprecated API (preventing the default cert from
|
||||
// being removed in favor of the SNI-selected cert). This may be removed
|
||||
// after Bug 1569222 removes the deprecated mechanism.
|
||||
SSLExtraServerCertData extra_data = {ssl_auth_null, nullptr, nullptr,
|
||||
nullptr, nullptr, nullptr};
|
||||
if (ConfigSecureServerWithNamedCert(modelSocket.get(), DEFAULT_CERT_NICKNAME,
|
||||
nullptr, nullptr,
|
||||
&extra_data) != SECSuccess) {
|
||||
nullptr) != SECSuccess) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -22,7 +22,6 @@ support-files =
|
|||
test_certviewer_invalid_oids/**
|
||||
test_content_signing/**
|
||||
test_ct/**
|
||||
test_delegated_credentials/**
|
||||
test_ev_certs/**
|
||||
test_intermediate_basic_usage_constraints/**
|
||||
test_intermediate_preloads/**
|
||||
|
|
@ -107,7 +106,6 @@ run-sequentially = hardcoded ports
|
|||
# Android always has and always will use the new format, so
|
||||
# this test doesn't apply.
|
||||
skip-if = toolkit == 'android'
|
||||
[test_delegated_credentials.js]
|
||||
[test_der.js]
|
||||
[test_enterprise_roots.js]
|
||||
# This feature is implemented for Windows and OS X. However, we don't currently
|
||||
|
|
|
|||
|
|
@ -399,7 +399,6 @@ class XPCShellRemote(xpcshell.XPCShellTests, object):
|
|||
"certutil",
|
||||
"pk12util",
|
||||
"BadCertAndPinningServer",
|
||||
"DelegatedCredentialsServer",
|
||||
"OCSPStaplingServer",
|
||||
"GenerateOCSPResponse",
|
||||
"SanctionsTestServer"]
|
||||
|
|
|
|||
|
|
@ -280,7 +280,6 @@ NO_PKG_FILES += \
|
|||
certutil* \
|
||||
pk12util* \
|
||||
BadCertAndPinningServer* \
|
||||
DelegatedCredentialsServer* \
|
||||
OCSPStaplingServer* \
|
||||
SanctionsTestServer* \
|
||||
GenerateOCSPResponse* \
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче