зеркало из https://github.com/mozilla/gecko-dev.git
bug 1397837 - remove vestigial references to "code signing" from PSM r=Cykesiopka,snorp
As of bug 1257362, the platform does not verify code signing certificates in general, so anything involving the code signing trust of certificates can go. MozReview-Commit-ID: 9g9kM62xfYZ --HG-- extra : rebase_source : 5bec64e5f451c8433aff0de82a91f7bd54c24608
This commit is contained in:
Родитель
89e27ffc78
Коммит
36f5d05cd8
|
@ -92,8 +92,7 @@ NSSDialogs.prototype = {
|
|||
], aCtx);
|
||||
|
||||
prompt.addCheckbox({ id: "trustSSL", label: this.getString("downloadCert.trustSSL"), checked: false })
|
||||
.addCheckbox({ id: "trustEmail", label: this.getString("downloadCert.trustEmail"), checked: false })
|
||||
.addCheckbox({ id: "trustSign", label: this.getString("downloadCert.trustObjSign"), checked: false });
|
||||
.addCheckbox({ id: "trustEmail", label: this.getString("downloadCert.trustEmail"), checked: false });
|
||||
let response = this.showPrompt(prompt);
|
||||
|
||||
// they hit the "view cert" button, so show the cert and try again
|
||||
|
@ -107,7 +106,6 @@ NSSDialogs.prototype = {
|
|||
aTrust.value = Ci.nsIX509CertDB.UNTRUSTED;
|
||||
if (response.trustSSL) aTrust.value |= Ci.nsIX509CertDB.TRUSTED_SSL;
|
||||
if (response.trustEmail) aTrust.value |= Ci.nsIX509CertDB.TRUSTED_EMAIL;
|
||||
if (response.trustSign) aTrust.value |= Ci.nsIX509CertDB.TRUSTED_OBJSIGN;
|
||||
return true;
|
||||
}
|
||||
},
|
||||
|
|
|
@ -11,7 +11,6 @@ downloadCert.message1=You have been asked to trust a new Certificate Authority (
|
|||
downloadCert.viewCert.label=View
|
||||
downloadCert.trustSSL=Trust to identify websites.
|
||||
downloadCert.trustEmail=Trust to identify email users.
|
||||
downloadCert.trustObjSign=Trust to identify software developers.
|
||||
pkcs12.getpassword.title=Password Entry Dialog
|
||||
pkcs12.getpassword.message=Please enter the password that was used to encrypt this certificate backup.
|
||||
clientAuthAsk.title=User Identification Request
|
||||
|
|
|
@ -38,7 +38,6 @@
|
|||
<!ENTITY certmgr.editcert.edittrust "Edit trust settings:">
|
||||
<!ENTITY certmgr.editcert.trustssl "This certificate can identify websites.">
|
||||
<!ENTITY certmgr.editcert.trustemail "This certificate can identify mail users.">
|
||||
<!ENTITY certmgr.editcert.trustobjsign "This certificate can identify software makers.">
|
||||
|
||||
<!ENTITY certmgr.deletecert.title "Delete Certificate">
|
||||
|
||||
|
|
|
@ -20,7 +20,6 @@
|
|||
<!ENTITY downloadCert.message1 "You have been asked to trust a new Certificate Authority (CA).">
|
||||
<!ENTITY downloadCert.trustSSL "Trust this CA to identify websites.">
|
||||
<!ENTITY downloadCert.trustEmail "Trust this CA to identify email users.">
|
||||
<!ENTITY downloadCert.trustObjSign "Trust this CA to identify software developers.">
|
||||
<!ENTITY downloadCert.message3 "Before trusting this CA for any purpose, you should examine its certificate and its policy and procedures (if available).">
|
||||
<!ENTITY downloadCert.viewCert.label "View">
|
||||
<!ENTITY downloadCert.viewCert.text "Examine CA certificate">
|
||||
|
|
|
@ -153,16 +153,9 @@ nsNSSDialogs::ConfirmDownloadCACert(nsIInterfaceRequestor* ctx,
|
|||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
bool trustForObjSign = false;
|
||||
rv = retVals->GetPropertyAsBool(NS_LITERAL_STRING("trustForObjSign"),
|
||||
&trustForObjSign);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
|
||||
*trust |= trustForSSL ? nsIX509CertDB::TRUSTED_SSL : 0;
|
||||
*trust |= trustForEmail ? nsIX509CertDB::TRUSTED_EMAIL : 0;
|
||||
*trust |= trustForObjSign ? nsIX509CertDB::TRUSTED_OBJSIGN : 0;
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
|
|
@ -27,9 +27,6 @@
|
|||
* @property {Boolean} trustForEmail
|
||||
* Set to true if the cert should be trusted for e-mail, false
|
||||
* otherwise. Undefined value if |importConfirmed| is not true.
|
||||
* @property {Boolean} trustForObjSign
|
||||
* Set to true if the cert should be trusted for object signing, false
|
||||
* otherwise. Undefined value if |importConfirmed| is not true.
|
||||
*/
|
||||
|
||||
const { classes: Cc, interfaces: Ci, utils: Cu, results: Cr } = Components;
|
||||
|
@ -70,13 +67,11 @@ function viewCert() {
|
|||
function onDialogAccept() {
|
||||
let checkSSL = document.getElementById("trustSSL");
|
||||
let checkEmail = document.getElementById("trustEmail");
|
||||
let checkObjSign = document.getElementById("trustObjSign");
|
||||
|
||||
let retVals = window.arguments[1].QueryInterface(Ci.nsIWritablePropertyBag2);
|
||||
retVals.setPropertyAsBool("importConfirmed", true);
|
||||
retVals.setPropertyAsBool("trustForSSL", checkSSL.checked);
|
||||
retVals.setPropertyAsBool("trustForEmail", checkEmail.checked);
|
||||
retVals.setPropertyAsBool("trustForObjSign", checkObjSign.checked);
|
||||
return true;
|
||||
}
|
||||
|
||||
|
|
|
@ -33,7 +33,6 @@
|
|||
- "do you want to?"
|
||||
- * trust for SSL
|
||||
- * trust for email
|
||||
- * trust for object signing
|
||||
-->
|
||||
<vbox>
|
||||
<description id="trustHeader"/>
|
||||
|
@ -41,8 +40,6 @@
|
|||
id="trustSSL"/>
|
||||
<checkbox label="&downloadCert.trustEmail;"
|
||||
id="trustEmail"/>
|
||||
<checkbox label="&downloadCert.trustObjSign;"
|
||||
id="trustObjSign"/>
|
||||
</vbox>
|
||||
|
||||
<separator/>
|
||||
|
|
|
@ -31,11 +31,6 @@ function onLoad() {
|
|||
let emailCheckbox = document.getElementById("trustEmail");
|
||||
emailCheckbox.checked = gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
|
||||
Ci.nsIX509CertDB.TRUSTED_EMAIL);
|
||||
|
||||
let objSignCheckbox = document.getElementById("trustObjSign");
|
||||
objSignCheckbox.checked =
|
||||
gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
|
||||
Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -46,13 +41,9 @@ function onLoad() {
|
|||
function onDialogAccept() {
|
||||
let sslCheckbox = document.getElementById("trustSSL");
|
||||
let emailCheckbox = document.getElementById("trustEmail");
|
||||
let objSignCheckbox = document.getElementById("trustObjSign");
|
||||
let trustSSL = sslCheckbox.checked ? Ci.nsIX509CertDB.TRUSTED_SSL : 0;
|
||||
let trustEmail = emailCheckbox.checked ? Ci.nsIX509CertDB.TRUSTED_EMAIL : 0;
|
||||
let trustObjSign = objSignCheckbox.checked ? Ci.nsIX509CertDB.TRUSTED_OBJSIGN
|
||||
: 0;
|
||||
|
||||
gCertDB.setCertTrust(gCert, Ci.nsIX509Cert.CA_CERT,
|
||||
trustSSL | trustEmail | trustObjSign);
|
||||
gCertDB.setCertTrust(gCert, Ci.nsIX509Cert.CA_CERT, trustSSL | trustEmail);
|
||||
return true;
|
||||
}
|
||||
|
|
|
@ -29,8 +29,6 @@
|
|||
id="trustSSL"/>
|
||||
<checkbox label="&certmgr.editcert.trustemail;"
|
||||
id="trustEmail"/>
|
||||
<checkbox label="&certmgr.editcert.trustobjsign;"
|
||||
id="trustObjSign"/>
|
||||
</vbox>
|
||||
|
||||
</dialog>
|
||||
|
|
|
@ -67,7 +67,6 @@ interface nsIX509CertDB : nsISupports {
|
|||
const unsigned long UNTRUSTED = 0;
|
||||
const unsigned long TRUSTED_SSL = 1 << 0;
|
||||
const unsigned long TRUSTED_EMAIL = 1 << 1;
|
||||
const unsigned long TRUSTED_OBJSIGN = 1 << 2;
|
||||
|
||||
/**
|
||||
* Will find a certificate based on its dbkey
|
||||
|
@ -155,8 +154,11 @@ interface nsIX509CertDB : nsISupports {
|
|||
/**
|
||||
* @param cert The certificate for which to modify trust.
|
||||
* @param trustString decoded by CERT_DecodeTrustString. 3 comma separated
|
||||
* characters, indicating SSL, Email, and Obj signing
|
||||
* trust.
|
||||
* characters, indicating SSL, Email, and Object signing
|
||||
* trust. The object signing trust flags are effectively
|
||||
* ignored by gecko, but they still must be specified (at
|
||||
* least by a final trailing comma) because this argument
|
||||
* is passed to CERT_DecodeTrustString.
|
||||
*/
|
||||
[must_use]
|
||||
void setCertTrustFromString(in nsIX509Cert cert, in ACString trustString);
|
||||
|
@ -284,7 +286,10 @@ interface nsIX509CertDB : nsISupports {
|
|||
* @param trust String describing the trust settings to assign the
|
||||
* certificate. Decoded by CERT_DecodeTrustString. Consists of 3
|
||||
* comma separated sets of characters, indicating SSL, Email, and
|
||||
* Object signing trust.
|
||||
* Object signing trust. The object signing trust flags are
|
||||
* effectively ignored by gecko, but they still must be specified
|
||||
* (at least by a final trailing comma) because this argument is
|
||||
* passed to CERT_DecodeTrustString.
|
||||
* @return nsIX509Cert the resulting certificate
|
||||
*/
|
||||
[must_use]
|
||||
|
@ -359,7 +364,10 @@ interface nsIX509CertDB : nsISupports {
|
|||
* @param trust String describing the trust settings to assign the
|
||||
* certificate. Decoded by CERT_DecodeTrustString. Consists of 3
|
||||
* comma separated sets of characters, indicating SSL, Email, and
|
||||
* Object signing trust.
|
||||
* Object signing trust. The object signing trust flags are
|
||||
* effectively ignored by gecko, but they still must be specified
|
||||
* (at least by a final trailing comma) because this argument is
|
||||
* passed to CERT_DecodeTrustString.
|
||||
* @return nsIX509Cert the resulting certificate
|
||||
*/
|
||||
[must_use]
|
||||
|
|
|
@ -2039,9 +2039,9 @@ getCertType(CERTCertificate* cert)
|
|||
return nsIX509Cert::USER_CERT;
|
||||
if (trust.HasAnyCA())
|
||||
return nsIX509Cert::CA_CERT;
|
||||
if (trust.HasPeer(true, false, false))
|
||||
if (trust.HasPeer(true, false))
|
||||
return nsIX509Cert::SERVER_CERT;
|
||||
if (trust.HasPeer(false, true, false) && cert->emailAddr)
|
||||
if (trust.HasPeer(false, true) && cert->emailAddr)
|
||||
return nsIX509Cert::EMAIL_CERT;
|
||||
if (CERT_IsCACert(cert, nullptr))
|
||||
return nsIX509Cert::CA_CERT;
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
#include "nsNSSCertTrust.h"
|
||||
|
||||
void
|
||||
nsNSSCertTrust::AddCATrust(bool ssl, bool email, bool objSign)
|
||||
nsNSSCertTrust::AddCATrust(bool ssl, bool email)
|
||||
{
|
||||
if (ssl) {
|
||||
addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
|
||||
|
@ -15,21 +15,15 @@ nsNSSCertTrust::AddCATrust(bool ssl, bool email, bool objSign)
|
|||
addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
|
||||
addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
|
||||
}
|
||||
if (objSign) {
|
||||
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
|
||||
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
nsNSSCertTrust::AddPeerTrust(bool ssl, bool email, bool objSign)
|
||||
nsNSSCertTrust::AddPeerTrust(bool ssl, bool email)
|
||||
{
|
||||
if (ssl)
|
||||
addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
|
||||
if (email)
|
||||
addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
|
||||
if (objSign)
|
||||
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
|
||||
}
|
||||
|
||||
nsNSSCertTrust::nsNSSCertTrust()
|
||||
|
@ -37,14 +31,11 @@ nsNSSCertTrust::nsNSSCertTrust()
|
|||
memset(&mTrust, 0, sizeof(CERTCertTrust));
|
||||
}
|
||||
|
||||
nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl,
|
||||
unsigned int email,
|
||||
unsigned int objsign)
|
||||
nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl, unsigned int email)
|
||||
{
|
||||
memset(&mTrust, 0, sizeof(CERTCertTrust));
|
||||
addTrust(&mTrust.sslFlags, ssl);
|
||||
addTrust(&mTrust.emailFlags, email);
|
||||
addTrust(&mTrust.objectSigningFlags, objsign);
|
||||
}
|
||||
|
||||
nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust *t)
|
||||
|
@ -103,28 +94,6 @@ nsNSSCertTrust::SetEmailTrust(bool peer, bool tPeer,
|
|||
addTrust(&mTrust.emailFlags, CERTDB_SEND_WARN);
|
||||
}
|
||||
|
||||
void
|
||||
nsNSSCertTrust::SetObjSignTrust(bool peer, bool tPeer,
|
||||
bool ca, bool tCA, bool tClientCA,
|
||||
bool user, bool warn)
|
||||
{
|
||||
mTrust.objectSigningFlags = 0;
|
||||
if (peer || tPeer)
|
||||
addTrust(&mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD);
|
||||
if (tPeer)
|
||||
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
|
||||
if (ca || tCA)
|
||||
addTrust(&mTrust.objectSigningFlags, CERTDB_VALID_CA);
|
||||
if (tClientCA)
|
||||
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
|
||||
if (tCA)
|
||||
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
|
||||
if (user)
|
||||
addTrust(&mTrust.objectSigningFlags, CERTDB_USER);
|
||||
if (warn)
|
||||
addTrust(&mTrust.objectSigningFlags, CERTDB_SEND_WARN);
|
||||
}
|
||||
|
||||
void
|
||||
nsNSSCertTrust::SetValidCA()
|
||||
{
|
||||
|
@ -134,9 +103,6 @@ nsNSSCertTrust::SetValidCA()
|
|||
SetEmailTrust(false, false,
|
||||
true, false, false,
|
||||
false, false);
|
||||
SetObjSignTrust(false, false,
|
||||
true, false, false,
|
||||
false, false);
|
||||
}
|
||||
|
||||
void
|
||||
|
@ -148,9 +114,6 @@ nsNSSCertTrust::SetValidPeer()
|
|||
SetEmailTrust(true, false,
|
||||
false, false, false,
|
||||
false, false);
|
||||
SetObjSignTrust(true, false,
|
||||
false, false, false,
|
||||
false, false);
|
||||
}
|
||||
|
||||
bool
|
||||
|
@ -164,16 +127,12 @@ nsNSSCertTrust::HasAnyCA()
|
|||
}
|
||||
|
||||
bool
|
||||
nsNSSCertTrust::HasPeer(bool checkSSL,
|
||||
bool checkEmail,
|
||||
bool checkObjSign)
|
||||
nsNSSCertTrust::HasPeer(bool checkSSL, bool checkEmail)
|
||||
{
|
||||
if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_TERMINAL_RECORD))
|
||||
return false;
|
||||
if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_TERMINAL_RECORD))
|
||||
return false;
|
||||
if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD))
|
||||
return false;
|
||||
return true;
|
||||
}
|
||||
|
||||
|
@ -188,9 +147,7 @@ nsNSSCertTrust::HasAnyUser()
|
|||
}
|
||||
|
||||
bool
|
||||
nsNSSCertTrust::HasTrustedCA(bool checkSSL,
|
||||
bool checkEmail,
|
||||
bool checkObjSign)
|
||||
nsNSSCertTrust::HasTrustedCA(bool checkSSL, bool checkEmail)
|
||||
{
|
||||
if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CA) ||
|
||||
hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA)))
|
||||
|
@ -198,25 +155,16 @@ nsNSSCertTrust::HasTrustedCA(bool checkSSL,
|
|||
if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CA) ||
|
||||
hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA)))
|
||||
return false;
|
||||
if (checkObjSign &&
|
||||
!(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CA) ||
|
||||
hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA)))
|
||||
return false;
|
||||
return true;
|
||||
}
|
||||
|
||||
bool
|
||||
nsNSSCertTrust::HasTrustedPeer(bool checkSSL,
|
||||
bool checkEmail,
|
||||
bool checkObjSign)
|
||||
nsNSSCertTrust::HasTrustedPeer(bool checkSSL, bool checkEmail)
|
||||
{
|
||||
if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED)))
|
||||
return false;
|
||||
if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED)))
|
||||
return false;
|
||||
if (checkObjSign &&
|
||||
!(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED)))
|
||||
return false;
|
||||
return true;
|
||||
}
|
||||
|
||||
|
|
|
@ -15,22 +15,16 @@ class nsNSSCertTrust
|
|||
{
|
||||
public:
|
||||
nsNSSCertTrust();
|
||||
nsNSSCertTrust(unsigned int ssl, unsigned int email, unsigned int objsign);
|
||||
nsNSSCertTrust(unsigned int ssl, unsigned int email);
|
||||
explicit nsNSSCertTrust(CERTCertTrust *t);
|
||||
virtual ~nsNSSCertTrust();
|
||||
|
||||
/* query */
|
||||
bool HasAnyCA();
|
||||
bool HasAnyUser();
|
||||
bool HasPeer(bool checkSSL = true,
|
||||
bool checkEmail = true,
|
||||
bool checkObjSign = true);
|
||||
bool HasTrustedCA(bool checkSSL = true,
|
||||
bool checkEmail = true,
|
||||
bool checkObjSign = true);
|
||||
bool HasTrustedPeer(bool checkSSL = true,
|
||||
bool checkEmail = true,
|
||||
bool checkObjSign = true);
|
||||
bool HasPeer(bool checkSSL = true, bool checkEmail = true);
|
||||
bool HasTrustedCA(bool checkSSL = true, bool checkEmail = true);
|
||||
bool HasTrustedPeer(bool checkSSL = true, bool checkEmail = true);
|
||||
|
||||
/* common defaults */
|
||||
/* equivalent to "c,c,c" */
|
||||
|
@ -48,14 +42,10 @@ public:
|
|||
bool ca, bool tCA, bool tClientCA,
|
||||
bool user, bool warn);
|
||||
|
||||
void SetObjSignTrust(bool peer, bool tPeer,
|
||||
bool ca, bool tCA, bool tClientCA,
|
||||
bool user, bool warn);
|
||||
|
||||
/* set c <--> CT */
|
||||
void AddCATrust(bool ssl, bool email, bool objSign);
|
||||
void AddCATrust(bool ssl, bool email);
|
||||
/* set p <--> P */
|
||||
void AddPeerTrust(bool ssl, bool email, bool objSign);
|
||||
void AddPeerTrust(bool ssl, bool email);
|
||||
|
||||
CERTCertTrust& GetTrust() { return mTrust; }
|
||||
|
||||
|
|
|
@ -382,8 +382,7 @@ nsNSSCertificateDB::handleCACertDownload(NotNull<nsIArray*> x509Certs,
|
|||
nsNSSCertTrust trust;
|
||||
trust.SetValidCA();
|
||||
trust.AddCATrust(!!(trustBits & nsIX509CertDB::TRUSTED_SSL),
|
||||
!!(trustBits & nsIX509CertDB::TRUSTED_EMAIL),
|
||||
!!(trustBits & nsIX509CertDB::TRUSTED_OBJSIGN));
|
||||
!!(trustBits & nsIX509CertDB::TRUSTED_EMAIL));
|
||||
|
||||
UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
|
||||
SECStatus srv = PK11_ImportCert(slot.get(), tmpCert.get(), CK_INVALID_HANDLE,
|
||||
|
@ -737,7 +736,7 @@ nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
|
|||
// want to do that with user certs, because a user may re-store
|
||||
// the cert onto the card again at which point we *will* want to
|
||||
// trust that cert if it chains up properly.
|
||||
nsNSSCertTrust trust(0, 0, 0);
|
||||
nsNSSCertTrust trust(0, 0);
|
||||
srv = ChangeCertTrustWithPossibleAuthentication(cert, trust.GetTrust(),
|
||||
nullptr);
|
||||
}
|
||||
|
@ -768,17 +767,15 @@ nsNSSCertificateDB::SetCertTrust(nsIX509Cert *cert,
|
|||
case nsIX509Cert::CA_CERT:
|
||||
trust.SetValidCA();
|
||||
trust.AddCATrust(!!(trusted & nsIX509CertDB::TRUSTED_SSL),
|
||||
!!(trusted & nsIX509CertDB::TRUSTED_EMAIL),
|
||||
!!(trusted & nsIX509CertDB::TRUSTED_OBJSIGN));
|
||||
!!(trusted & nsIX509CertDB::TRUSTED_EMAIL));
|
||||
break;
|
||||
case nsIX509Cert::SERVER_CERT:
|
||||
trust.SetValidPeer();
|
||||
trust.AddPeerTrust(trusted & nsIX509CertDB::TRUSTED_SSL, false, false);
|
||||
trust.AddPeerTrust(trusted & nsIX509CertDB::TRUSTED_SSL, false);
|
||||
break;
|
||||
case nsIX509Cert::EMAIL_CERT:
|
||||
trust.SetValidPeer();
|
||||
trust.AddPeerTrust(false, !!(trusted & nsIX509CertDB::TRUSTED_EMAIL),
|
||||
false);
|
||||
trust.AddPeerTrust(false, !!(trusted & nsIX509CertDB::TRUSTED_EMAIL));
|
||||
break;
|
||||
default:
|
||||
// Ignore any other type of certificate (including invalid types).
|
||||
|
@ -821,31 +818,25 @@ nsNSSCertificateDB::IsCertTrusted(nsIX509Cert *cert,
|
|||
nsNSSCertTrust trust(&nsstrust);
|
||||
if (certType == nsIX509Cert::CA_CERT) {
|
||||
if (trustType & nsIX509CertDB::TRUSTED_SSL) {
|
||||
*_isTrusted = trust.HasTrustedCA(true, false, false);
|
||||
*_isTrusted = trust.HasTrustedCA(true, false);
|
||||
} else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) {
|
||||
*_isTrusted = trust.HasTrustedCA(false, true, false);
|
||||
} else if (trustType & nsIX509CertDB::TRUSTED_OBJSIGN) {
|
||||
*_isTrusted = trust.HasTrustedCA(false, false, true);
|
||||
*_isTrusted = trust.HasTrustedCA(false, true);
|
||||
} else {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
} else if (certType == nsIX509Cert::SERVER_CERT) {
|
||||
if (trustType & nsIX509CertDB::TRUSTED_SSL) {
|
||||
*_isTrusted = trust.HasTrustedPeer(true, false, false);
|
||||
*_isTrusted = trust.HasTrustedPeer(true, false);
|
||||
} else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) {
|
||||
*_isTrusted = trust.HasTrustedPeer(false, true, false);
|
||||
} else if (trustType & nsIX509CertDB::TRUSTED_OBJSIGN) {
|
||||
*_isTrusted = trust.HasTrustedPeer(false, false, true);
|
||||
*_isTrusted = trust.HasTrustedPeer(false, true);
|
||||
} else {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
} else if (certType == nsIX509Cert::EMAIL_CERT) {
|
||||
if (trustType & nsIX509CertDB::TRUSTED_SSL) {
|
||||
*_isTrusted = trust.HasTrustedPeer(true, false, false);
|
||||
*_isTrusted = trust.HasTrustedPeer(true, false);
|
||||
} else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) {
|
||||
*_isTrusted = trust.HasTrustedPeer(false, true, false);
|
||||
} else if (trustType & nsIX509CertDB::TRUSTED_OBJSIGN) {
|
||||
*_isTrusted = trust.HasTrustedPeer(false, false, true);
|
||||
*_isTrusted = trust.HasTrustedPeer(false, true);
|
||||
} else {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
|
|
@ -122,7 +122,6 @@ add_task(async function testAcceptDialogReturnValues() {
|
|||
let [win, retVals] = await openCertDownloadDialog(TEST_CASES[0].cert);
|
||||
win.document.getElementById("trustSSL").checked = true;
|
||||
win.document.getElementById("trustEmail").checked = false;
|
||||
win.document.getElementById("trustObjSign").checked = true;
|
||||
info("Accepting dialog");
|
||||
win.document.getElementById("download_cert").acceptDialog();
|
||||
await BrowserTestUtils.windowClosed(win);
|
||||
|
@ -133,8 +132,6 @@ add_task(async function testAcceptDialogReturnValues() {
|
|||
"Return value should signal SSL trust checkbox was checked");
|
||||
Assert.ok(!retVals.get("trustForEmail"),
|
||||
"Return value should signal E-mail trust checkbox was unchecked");
|
||||
Assert.ok(retVals.get("trustForObjSign"),
|
||||
"Return value should signal Obj Sign trust checkbox was checked");
|
||||
});
|
||||
|
||||
// Test that the right values are returned when the dialog is canceled.
|
||||
|
|
|
@ -33,7 +33,7 @@ function openEditCertTrustDialog() {
|
|||
}
|
||||
|
||||
add_task(async function setup() {
|
||||
// Initially trust ca.pem for SSL, but not e-mail or object signing.
|
||||
// Initially trust ca.pem for SSL but not e-mail.
|
||||
gCert = await readCertificate("ca.pem", "CT,,");
|
||||
Assert.ok(gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
|
||||
Ci.nsIX509CertDB.TRUSTED_SSL),
|
||||
|
@ -41,9 +41,6 @@ add_task(async function setup() {
|
|||
Assert.ok(!gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
|
||||
Ci.nsIX509CertDB.TRUSTED_EMAIL),
|
||||
"Sanity check: ca.pem should not be trusted for e-mail");
|
||||
Assert.ok(!gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
|
||||
Ci.nsIX509CertDB.TRUSTED_OBJSIGN),
|
||||
"Sanity check: ca.pem should not be trusted for object signing");
|
||||
});
|
||||
|
||||
// Tests the following:
|
||||
|
@ -55,13 +52,10 @@ add_task(async function testAcceptDialog() {
|
|||
|
||||
let sslCheckbox = win.document.getElementById("trustSSL");
|
||||
let emailCheckbox = win.document.getElementById("trustEmail");
|
||||
let objSignCheckbox = win.document.getElementById("trustObjSign");
|
||||
Assert.ok(sslCheckbox.checked,
|
||||
"Cert should be trusted for SSL in UI");
|
||||
Assert.ok(!emailCheckbox.checked,
|
||||
"Cert should not be trusted for e-mail in UI");
|
||||
Assert.ok(!objSignCheckbox.checked,
|
||||
"Cert should not be trusted for object signing in UI");
|
||||
|
||||
sslCheckbox.checked = false;
|
||||
emailCheckbox.checked = true;
|
||||
|
@ -76,9 +70,6 @@ add_task(async function testAcceptDialog() {
|
|||
Assert.ok(gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
|
||||
Ci.nsIX509CertDB.TRUSTED_EMAIL),
|
||||
"Cert should now be trusted for e-mail");
|
||||
Assert.ok(!gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
|
||||
Ci.nsIX509CertDB.TRUSTED_OBJSIGN),
|
||||
"Cert should still not be trusted for object signing");
|
||||
});
|
||||
|
||||
// Tests the following:
|
||||
|
@ -90,17 +81,13 @@ add_task(async function testCancelDialog() {
|
|||
|
||||
let sslCheckbox = win.document.getElementById("trustSSL");
|
||||
let emailCheckbox = win.document.getElementById("trustEmail");
|
||||
let objSignCheckbox = win.document.getElementById("trustObjSign");
|
||||
Assert.ok(!sslCheckbox.checked,
|
||||
"Cert should not be trusted for SSL in UI");
|
||||
Assert.ok(emailCheckbox.checked,
|
||||
"Cert should be trusted for e-mail in UI");
|
||||
Assert.ok(!objSignCheckbox.checked,
|
||||
"Cert should not be trusted for object signing in UI");
|
||||
|
||||
sslCheckbox.checked = true;
|
||||
emailCheckbox.checked = false;
|
||||
objSignCheckbox.checked = true;
|
||||
|
||||
info("Canceling dialog");
|
||||
win.document.getElementById("editCaCert").cancelDialog();
|
||||
|
@ -112,7 +99,4 @@ add_task(async function testCancelDialog() {
|
|||
Assert.ok(gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
|
||||
Ci.nsIX509CertDB.TRUSTED_EMAIL),
|
||||
"Cert should still be trusted for e-mail");
|
||||
Assert.ok(!gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
|
||||
Ci.nsIX509CertDB.TRUSTED_OBJSIGN),
|
||||
"Cert should still not be trusted for object signing");
|
||||
});
|
||||
|
|
|
@ -18,8 +18,7 @@ function load_cert(cert_name, trust_string) {
|
|||
function setup_basic_trusts(ca_cert, int_cert) {
|
||||
certdb.setCertTrust(ca_cert, Ci.nsIX509Cert.CA_CERT,
|
||||
Ci.nsIX509CertDB.TRUSTED_SSL |
|
||||
Ci.nsIX509CertDB.TRUSTED_EMAIL |
|
||||
Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
|
||||
Ci.nsIX509CertDB.TRUSTED_EMAIL);
|
||||
|
||||
certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0);
|
||||
}
|
||||
|
|
Загрузка…
Ссылка в новой задаче