bug 1397837 - remove vestigial references to "code signing" from PSM r=Cykesiopka,snorp

As of bug 1257362, the platform does not verify code signing certificates in
general, so anything involving the code signing trust of certificates can go.

MozReview-Commit-ID: 9g9kM62xfYZ

--HG--
extra : rebase_source : 5bec64e5f451c8433aff0de82a91f7bd54c24608
David Keeler 2017-12-01 16:16:20 -08:00
Родитель 89e27ffc78
Коммит 36f5d05cd8
17 изменённых файлов: 42 добавлений и 156 удалений


@ -92,8 +92,7 @@ NSSDialogs.prototype = {
], aCtx);
prompt.addCheckbox({ id: "trustSSL", label: this.getString("downloadCert.trustSSL"), checked: false })
.addCheckbox({ id: "trustEmail", label: this.getString("downloadCert.trustEmail"), checked: false })
.addCheckbox({ id: "trustSign", label: this.getString("downloadCert.trustObjSign"), checked: false });
.addCheckbox({ id: "trustEmail", label: this.getString("downloadCert.trustEmail"), checked: false });
let response = this.showPrompt(prompt);
// they hit the "view cert" button, so show the cert and try again
@ -107,7 +106,6 @@ NSSDialogs.prototype = {
aTrust.value = Ci.nsIX509CertDB.UNTRUSTED;
if (response.trustSSL) aTrust.value |= Ci.nsIX509CertDB.TRUSTED_SSL;
if (response.trustEmail) aTrust.value |= Ci.nsIX509CertDB.TRUSTED_EMAIL;
if (response.trustSign) aTrust.value |= Ci.nsIX509CertDB.TRUSTED_OBJSIGN;
return true;
}
},


@ -11,7 +11,6 @@ downloadCert.message1=You have been asked to trust a new Certificate Authority (
downloadCert.viewCert.label=View
downloadCert.trustSSL=Trust to identify websites.
downloadCert.trustEmail=Trust to identify email users.
downloadCert.trustObjSign=Trust to identify software developers.
pkcs12.getpassword.title=Password Entry Dialog
pkcs12.getpassword.message=Please enter the password that was used to encrypt this certificate backup.
clientAuthAsk.title=User Identification Request


@ -38,7 +38,6 @@
<!ENTITY certmgr.editcert.edittrust "Edit trust settings:">
<!ENTITY certmgr.editcert.trustssl "This certificate can identify websites.">
<!ENTITY certmgr.editcert.trustemail "This certificate can identify mail users.">
<!ENTITY certmgr.editcert.trustobjsign "This certificate can identify software makers.">
<!ENTITY certmgr.deletecert.title "Delete Certificate">


@ -20,7 +20,6 @@
<!ENTITY downloadCert.message1 "You have been asked to trust a new Certificate Authority (CA).">
<!ENTITY downloadCert.trustSSL "Trust this CA to identify websites.">
<!ENTITY downloadCert.trustEmail "Trust this CA to identify email users.">
<!ENTITY downloadCert.trustObjSign "Trust this CA to identify software developers.">
<!ENTITY downloadCert.message3 "Before trusting this CA for any purpose, you should examine its certificate and its policy and procedures (if available).">
<!ENTITY downloadCert.viewCert.label "View">
<!ENTITY downloadCert.viewCert.text "Examine CA certificate">


@ -153,16 +153,9 @@ nsNSSDialogs::ConfirmDownloadCACert(nsIInterfaceRequestor* ctx,
if (NS_FAILED(rv)) {
return rv;
}
bool trustForObjSign = false;
rv = retVals->GetPropertyAsBool(NS_LITERAL_STRING("trustForObjSign"),
&trustForObjSign);
if (NS_FAILED(rv)) {
return rv;
}
*trust |= trustForSSL ? nsIX509CertDB::TRUSTED_SSL : 0;
*trust |= trustForEmail ? nsIX509CertDB::TRUSTED_EMAIL : 0;
*trust |= trustForObjSign ? nsIX509CertDB::TRUSTED_OBJSIGN : 0;
return NS_OK;
}


@ -27,9 +27,6 @@
* @property {Boolean} trustForEmail
* Set to true if the cert should be trusted for e-mail, false
* otherwise. Undefined value if |importConfirmed| is not true.
* @property {Boolean} trustForObjSign
* Set to true if the cert should be trusted for object signing, false
* otherwise. Undefined value if |importConfirmed| is not true.
*/
const { classes: Cc, interfaces: Ci, utils: Cu, results: Cr } = Components;
@ -70,13 +67,11 @@ function viewCert() {
function onDialogAccept() {
let checkSSL = document.getElementById("trustSSL");
let checkEmail = document.getElementById("trustEmail");
let checkObjSign = document.getElementById("trustObjSign");
let retVals = window.arguments[1].QueryInterface(Ci.nsIWritablePropertyBag2);
retVals.setPropertyAsBool("importConfirmed", true);
retVals.setPropertyAsBool("trustForSSL", checkSSL.checked);
retVals.setPropertyAsBool("trustForEmail", checkEmail.checked);
retVals.setPropertyAsBool("trustForObjSign", checkObjSign.checked);
return true;
}


@ -33,7 +33,6 @@
- "do you want to?"
- * trust for SSL
- * trust for email
- * trust for object signing
-->
<vbox>
<description id="trustHeader"/>
@ -41,8 +40,6 @@
id="trustSSL"/>
<checkbox label="&downloadCert.trustEmail;"
id="trustEmail"/>
<checkbox label="&downloadCert.trustObjSign;"
id="trustObjSign"/>
</vbox>
<separator/>


@ -31,11 +31,6 @@ function onLoad() {
let emailCheckbox = document.getElementById("trustEmail");
emailCheckbox.checked = gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.TRUSTED_EMAIL);
let objSignCheckbox = document.getElementById("trustObjSign");
objSignCheckbox.checked =
gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
}
/**
@ -46,13 +41,9 @@ function onLoad() {
function onDialogAccept() {
let sslCheckbox = document.getElementById("trustSSL");
let emailCheckbox = document.getElementById("trustEmail");
let objSignCheckbox = document.getElementById("trustObjSign");
let trustSSL = sslCheckbox.checked ? Ci.nsIX509CertDB.TRUSTED_SSL : 0;
let trustEmail = emailCheckbox.checked ? Ci.nsIX509CertDB.TRUSTED_EMAIL : 0;
let trustObjSign = objSignCheckbox.checked ? Ci.nsIX509CertDB.TRUSTED_OBJSIGN
: 0;
gCertDB.setCertTrust(gCert, Ci.nsIX509Cert.CA_CERT,
trustSSL | trustEmail | trustObjSign);
gCertDB.setCertTrust(gCert, Ci.nsIX509Cert.CA_CERT, trustSSL | trustEmail);
return true;
}


@ -29,8 +29,6 @@
id="trustSSL"/>
<checkbox label="&certmgr.editcert.trustemail;"
id="trustEmail"/>
<checkbox label="&certmgr.editcert.trustobjsign;"
id="trustObjSign"/>
</vbox>
</dialog>


@ -67,7 +67,6 @@ interface nsIX509CertDB : nsISupports {
const unsigned long UNTRUSTED = 0;
const unsigned long TRUSTED_SSL = 1 << 0;
const unsigned long TRUSTED_EMAIL = 1 << 1;
const unsigned long TRUSTED_OBJSIGN = 1 << 2;
/**
* Will find a certificate based on its dbkey
@ -155,8 +154,11 @@ interface nsIX509CertDB : nsISupports {
/**
* @param cert The certificate for which to modify trust.
* @param trustString decoded by CERT_DecodeTrustString. 3 comma separated
* characters, indicating SSL, Email, and Obj signing
* trust.
* characters, indicating SSL, Email, and Object signing
* trust. The object signing trust flags are effectively
* ignored by gecko, but they still must be specified (at
* least by a final trailing comma) because this argument
* is passed to CERT_DecodeTrustString.
*/
[must_use]
void setCertTrustFromString(in nsIX509Cert cert, in ACString trustString);
@ -284,7 +286,10 @@ interface nsIX509CertDB : nsISupports {
* @param trust String describing the trust settings to assign the
* certificate. Decoded by CERT_DecodeTrustString. Consists of 3
* comma separated sets of characters, indicating SSL, Email, and
* Object signing trust.
* Object signing trust. The object signing trust flags are
* effectively ignored by gecko, but they still must be specified
* (at least by a final trailing comma) because this argument is
* passed to CERT_DecodeTrustString.
* @return nsIX509Cert the resulting certificate
*/
[must_use]
@ -359,7 +364,10 @@ interface nsIX509CertDB : nsISupports {
* @param trust String describing the trust settings to assign the
* certificate. Decoded by CERT_DecodeTrustString. Consists of 3
* comma separated sets of characters, indicating SSL, Email, and
* Object signing trust.
* Object signing trust. The object signing trust flags are
* effectively ignored by gecko, but they still must be specified
* (at least by a final trailing comma) because this argument is
* passed to CERT_DecodeTrustString.
* @return nsIX509Cert the resulting certificate
*/
[must_use]
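Review bot: Dropping `TRUSTED_OBJSIGN` from this scriptable interface leaves no record of what bit `1 << 2` used to mean, and JavaScript that still reads `Ci.nsIX509CertDB.TRUSTED_OBJSIGN` will get `undefined` rather than an error, so an OR-ed trust mask silently loses the bit instead of failing loudly. A short comment beside the remaining constants would keep the value from being reused with a different meaning, for example `// 1 << 2 was TRUSTED_OBJSIGN (removed in bug 1397837); do not reuse.` Callers outside this page are not visible here, so a tree-wide search for the old name is worth doing alongside this change.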


@ -2039,9 +2039,9 @@ getCertType(CERTCertificate* cert)
return nsIX509Cert::USER_CERT;
if (trust.HasAnyCA())
return nsIX509Cert::CA_CERT;
if (trust.HasPeer(true, false, false))
if (trust.HasPeer(true, false))
return nsIX509Cert::SERVER_CERT;
if (trust.HasPeer(false, true, false) && cert->emailAddr)
if (trust.HasPeer(false, true) && cert->emailAddr)
return nsIX509Cert::EMAIL_CERT;
if (CERT_IsCACert(cert, nullptr))
return nsIX509Cert::CA_CERT;


@ -5,7 +5,7 @@
#include "nsNSSCertTrust.h"
void
nsNSSCertTrust::AddCATrust(bool ssl, bool email, bool objSign)
nsNSSCertTrust::AddCATrust(bool ssl, bool email)
{
if (ssl) {
addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
@ -15,21 +15,15 @@ nsNSSCertTrust::AddCATrust(bool ssl, bool email, bool objSign)
addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
}
if (objSign) {
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
}
}
void
nsNSSCertTrust::AddPeerTrust(bool ssl, bool email, bool objSign)
nsNSSCertTrust::AddPeerTrust(bool ssl, bool email)
{
if (ssl)
addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
if (email)
addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
if (objSign)
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
}
nsNSSCertTrust::nsNSSCertTrust()
@ -37,14 +31,11 @@ nsNSSCertTrust::nsNSSCertTrust()
memset(&mTrust, 0, sizeof(CERTCertTrust));
}
nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl,
unsigned int email,
unsigned int objsign)
nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl, unsigned int email)
{
memset(&mTrust, 0, sizeof(CERTCertTrust));
addTrust(&mTrust.sslFlags, ssl);
addTrust(&mTrust.emailFlags, email);
addTrust(&mTrust.objectSigningFlags, objsign);
}
nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust *t)
@ -103,28 +94,6 @@ nsNSSCertTrust::SetEmailTrust(bool peer, bool tPeer,
addTrust(&mTrust.emailFlags, CERTDB_SEND_WARN);
}
void
nsNSSCertTrust::SetObjSignTrust(bool peer, bool tPeer,
bool ca, bool tCA, bool tClientCA,
bool user, bool warn)
{
mTrust.objectSigningFlags = 0;
if (peer || tPeer)
addTrust(&mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD);
if (tPeer)
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
if (ca || tCA)
addTrust(&mTrust.objectSigningFlags, CERTDB_VALID_CA);
if (tClientCA)
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
if (tCA)
addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
if (user)
addTrust(&mTrust.objectSigningFlags, CERTDB_USER);
if (warn)
addTrust(&mTrust.objectSigningFlags, CERTDB_SEND_WARN);
}
void
nsNSSCertTrust::SetValidCA()
{
@ -134,9 +103,6 @@ nsNSSCertTrust::SetValidCA()
SetEmailTrust(false, false,
true, false, false,
false, false);
SetObjSignTrust(false, false,
true, false, false,
false, false);
}
void
@ -148,9 +114,6 @@ nsNSSCertTrust::SetValidPeer()
SetEmailTrust(true, false,
false, false, false,
false, false);
SetObjSignTrust(true, false,
false, false, false,
false, false);
}
bool
@ -164,16 +127,12 @@ nsNSSCertTrust::HasAnyCA()
}
bool
nsNSSCertTrust::HasPeer(bool checkSSL,
bool checkEmail,
bool checkObjSign)
nsNSSCertTrust::HasPeer(bool checkSSL, bool checkEmail)
{
if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_TERMINAL_RECORD))
return false;
if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_TERMINAL_RECORD))
return false;
if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD))
return false;
return true;
}
@ -188,9 +147,7 @@ nsNSSCertTrust::HasAnyUser()
}
bool
nsNSSCertTrust::HasTrustedCA(bool checkSSL,
bool checkEmail,
bool checkObjSign)
nsNSSCertTrust::HasTrustedCA(bool checkSSL, bool checkEmail)
{
if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CA) ||
hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA)))
@ -198,25 +155,16 @@ nsNSSCertTrust::HasTrustedCA(bool checkSSL,
if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CA) ||
hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA)))
return false;
if (checkObjSign &&
!(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CA) ||
hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA)))
return false;
return true;
}
bool
nsNSSCertTrust::HasTrustedPeer(bool checkSSL,
bool checkEmail,
bool checkObjSign)
nsNSSCertTrust::HasTrustedPeer(bool checkSSL, bool checkEmail)
{
if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED)))
return false;
if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED)))
return false;
if (checkObjSign &&
!(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED)))
return false;
return true;
}
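Review bot: `HasAnyCA()` and `HasAnyUser()` appear here only as hunk context, so it is not visible whether they still read `mTrust.objectSigningFlags`; if they do, `getCertType` would keep classifying a certificate as `CA_CERT` or `USER_CERT` on the strength of flags that no dialog can show or clear after this change. Either drop the object-signing column from those two checks as well, or add a comment on each saying why it is still consulted, e.g. `// objectSigningFlags is still read here: NSS may hold legacy object-signing trust records`. The same applies to the `nsNSSCertTrust(CERTCertTrust *t)` constructor, whose body lies outside these hunks and presumably copies all three columns.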


@ -15,22 +15,16 @@ class nsNSSCertTrust
{
public:
nsNSSCertTrust();
nsNSSCertTrust(unsigned int ssl, unsigned int email, unsigned int objsign);
nsNSSCertTrust(unsigned int ssl, unsigned int email);
explicit nsNSSCertTrust(CERTCertTrust *t);
virtual ~nsNSSCertTrust();
/* query */
bool HasAnyCA();
bool HasAnyUser();
bool HasPeer(bool checkSSL = true,
bool checkEmail = true,
bool checkObjSign = true);
bool HasTrustedCA(bool checkSSL = true,
bool checkEmail = true,
bool checkObjSign = true);
bool HasTrustedPeer(bool checkSSL = true,
bool checkEmail = true,
bool checkObjSign = true);
bool HasPeer(bool checkSSL = true, bool checkEmail = true);
bool HasTrustedCA(bool checkSSL = true, bool checkEmail = true);
bool HasTrustedPeer(bool checkSSL = true, bool checkEmail = true);
/* common defaults */
/* equivalent to "c,c,c" */
@ -48,14 +42,10 @@ public:
bool ca, bool tCA, bool tClientCA,
bool user, bool warn);
void SetObjSignTrust(bool peer, bool tPeer,
bool ca, bool tCA, bool tClientCA,
bool user, bool warn);
/* set c <--> CT */
void AddCATrust(bool ssl, bool email, bool objSign);
void AddCATrust(bool ssl, bool email);
/* set p <--> P */
void AddPeerTrust(bool ssl, bool email, bool objSign);
void AddPeerTrust(bool ssl, bool email);
CERTCertTrust& GetTrust() { return mTrust; }
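Review bot: The context comment `/* equivalent to "c,c,c" */` under `/* common defaults */` is stale after this commit, because the `SetValidCA()` definition shown on this page no longer calls `SetObjSignTrust` and so leaves the object-signing flags untouched. The declaration it annotates falls outside the hunk (presumably `SetValidCA()`); the comment should say what now happens, for example `/* sets SSL and e-mail to "c"; object-signing flags are left as they were */`. If a matching `"p,p,p"` comment sits above `SetValidPeer()`, it needs the same correction.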


@ -382,8 +382,7 @@ nsNSSCertificateDB::handleCACertDownload(NotNull<nsIArray*> x509Certs,
nsNSSCertTrust trust;
trust.SetValidCA();
trust.AddCATrust(!!(trustBits & nsIX509CertDB::TRUSTED_SSL),
!!(trustBits & nsIX509CertDB::TRUSTED_EMAIL),
!!(trustBits & nsIX509CertDB::TRUSTED_OBJSIGN));
!!(trustBits & nsIX509CertDB::TRUSTED_EMAIL));
UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
SECStatus srv = PK11_ImportCert(slot.get(), tmpCert.get(), CK_INVALID_HANDLE,
@ -737,7 +736,7 @@ nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
// want to do that with user certs, because a user may re-store
// the cert onto the card again at which point we *will* want to
// trust that cert if it chains up properly.
nsNSSCertTrust trust(0, 0, 0);
nsNSSCertTrust trust(0, 0);
srv = ChangeCertTrustWithPossibleAuthentication(cert, trust.GetTrust(),
nullptr);
}
@ -768,17 +767,15 @@ nsNSSCertificateDB::SetCertTrust(nsIX509Cert *cert,
case nsIX509Cert::CA_CERT:
trust.SetValidCA();
trust.AddCATrust(!!(trusted & nsIX509CertDB::TRUSTED_SSL),
!!(trusted & nsIX509CertDB::TRUSTED_EMAIL),
!!(trusted & nsIX509CertDB::TRUSTED_OBJSIGN));
!!(trusted & nsIX509CertDB::TRUSTED_EMAIL));
break;
case nsIX509Cert::SERVER_CERT:
trust.SetValidPeer();
trust.AddPeerTrust(trusted & nsIX509CertDB::TRUSTED_SSL, false, false);
trust.AddPeerTrust(trusted & nsIX509CertDB::TRUSTED_SSL, false);
break;
case nsIX509Cert::EMAIL_CERT:
trust.SetValidPeer();
trust.AddPeerTrust(false, !!(trusted & nsIX509CertDB::TRUSTED_EMAIL),
false);
trust.AddPeerTrust(false, !!(trusted & nsIX509CertDB::TRUSTED_EMAIL));
break;
default:
// Ignore any other type of certificate (including invalid types).
@ -821,31 +818,25 @@ nsNSSCertificateDB::IsCertTrusted(nsIX509Cert *cert,
nsNSSCertTrust trust(&nsstrust);
if (certType == nsIX509Cert::CA_CERT) {
if (trustType & nsIX509CertDB::TRUSTED_SSL) {
*_isTrusted = trust.HasTrustedCA(true, false, false);
*_isTrusted = trust.HasTrustedCA(true, false);
} else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) {
*_isTrusted = trust.HasTrustedCA(false, true, false);
} else if (trustType & nsIX509CertDB::TRUSTED_OBJSIGN) {
*_isTrusted = trust.HasTrustedCA(false, false, true);
*_isTrusted = trust.HasTrustedCA(false, true);
} else {
return NS_ERROR_FAILURE;
}
} else if (certType == nsIX509Cert::SERVER_CERT) {
if (trustType & nsIX509CertDB::TRUSTED_SSL) {
*_isTrusted = trust.HasTrustedPeer(true, false, false);
*_isTrusted = trust.HasTrustedPeer(true, false);
} else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) {
*_isTrusted = trust.HasTrustedPeer(false, true, false);
} else if (trustType & nsIX509CertDB::TRUSTED_OBJSIGN) {
*_isTrusted = trust.HasTrustedPeer(false, false, true);
*_isTrusted = trust.HasTrustedPeer(false, true);
} else {
return NS_ERROR_FAILURE;
}
} else if (certType == nsIX509Cert::EMAIL_CERT) {
if (trustType & nsIX509CertDB::TRUSTED_SSL) {
*_isTrusted = trust.HasTrustedPeer(true, false, false);
*_isTrusted = trust.HasTrustedPeer(true, false);
} else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) {
*_isTrusted = trust.HasTrustedPeer(false, true, false);
} else if (trustType & nsIX509CertDB::TRUSTED_OBJSIGN) {
*_isTrusted = trust.HasTrustedPeer(false, false, true);
*_isTrusted = trust.HasTrustedPeer(false, true);
} else {
return NS_ERROR_FAILURE;
}
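Review bot: `IsCertTrusted` answers from the first matching bit only: in each `certType` branch `TRUSTED_SSL` is tested before `TRUSTED_EMAIL` in an if/else-if chain, so a `trustType` of `TRUSTED_SSL | TRUSTED_EMAIL` reports the SSL result alone and never consults the e-mail flags. With the object-signing arm removed this is a good place to make the contract explicit, either by documenting that exactly one trust bit must be passed or by rejecting anything else up front with `if (trustType != nsIX509CertDB::TRUSTED_SSL && trustType != nsIX509CertDB::TRUSTED_EMAIL) return NS_ERROR_FAILURE;`. The function begins and ends outside this hunk, so an earlier check in the body cannot be ruled out from here.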


@ -122,7 +122,6 @@ add_task(async function testAcceptDialogReturnValues() {
let [win, retVals] = await openCertDownloadDialog(TEST_CASES[0].cert);
win.document.getElementById("trustSSL").checked = true;
win.document.getElementById("trustEmail").checked = false;
win.document.getElementById("trustObjSign").checked = true;
info("Accepting dialog");
win.document.getElementById("download_cert").acceptDialog();
await BrowserTestUtils.windowClosed(win);
@ -133,8 +132,6 @@ add_task(async function testAcceptDialogReturnValues() {
"Return value should signal SSL trust checkbox was checked");
Assert.ok(!retVals.get("trustForEmail"),
"Return value should signal E-mail trust checkbox was unchecked");
Assert.ok(retVals.get("trustForObjSign"),
"Return value should signal Obj Sign trust checkbox was checked");
});
// Test that the right values are returned when the dialog is canceled.


@ -33,7 +33,7 @@ function openEditCertTrustDialog() {
}
add_task(async function setup() {
// Initially trust ca.pem for SSL, but not e-mail or object signing.
// Initially trust ca.pem for SSL but not e-mail.
gCert = await readCertificate("ca.pem", "CT,,");
Assert.ok(gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.TRUSTED_SSL),
@ -41,9 +41,6 @@ add_task(async function setup() {
Assert.ok(!gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.TRUSTED_EMAIL),
"Sanity check: ca.pem should not be trusted for e-mail");
Assert.ok(!gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.TRUSTED_OBJSIGN),
"Sanity check: ca.pem should not be trusted for object signing");
});
// Tests the following:
@ -55,13 +52,10 @@ add_task(async function testAcceptDialog() {
let sslCheckbox = win.document.getElementById("trustSSL");
let emailCheckbox = win.document.getElementById("trustEmail");
let objSignCheckbox = win.document.getElementById("trustObjSign");
Assert.ok(sslCheckbox.checked,
"Cert should be trusted for SSL in UI");
Assert.ok(!emailCheckbox.checked,
"Cert should not be trusted for e-mail in UI");
Assert.ok(!objSignCheckbox.checked,
"Cert should not be trusted for object signing in UI");
sslCheckbox.checked = false;
emailCheckbox.checked = true;
@ -76,9 +70,6 @@ add_task(async function testAcceptDialog() {
Assert.ok(gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.TRUSTED_EMAIL),
"Cert should now be trusted for e-mail");
Assert.ok(!gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.TRUSTED_OBJSIGN),
"Cert should still not be trusted for object signing");
});
// Tests the following:
@ -90,17 +81,13 @@ add_task(async function testCancelDialog() {
let sslCheckbox = win.document.getElementById("trustSSL");
let emailCheckbox = win.document.getElementById("trustEmail");
let objSignCheckbox = win.document.getElementById("trustObjSign");
Assert.ok(!sslCheckbox.checked,
"Cert should not be trusted for SSL in UI");
Assert.ok(emailCheckbox.checked,
"Cert should be trusted for e-mail in UI");
Assert.ok(!objSignCheckbox.checked,
"Cert should not be trusted for object signing in UI");
sslCheckbox.checked = true;
emailCheckbox.checked = false;
objSignCheckbox.checked = true;
info("Canceling dialog");
win.document.getElementById("editCaCert").cancelDialog();
@ -112,7 +99,4 @@ add_task(async function testCancelDialog() {
Assert.ok(gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.TRUSTED_EMAIL),
"Cert should still be trusted for e-mail");
Assert.ok(!gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.TRUSTED_OBJSIGN),
"Cert should still not be trusted for object signing");
});


@ -18,8 +18,7 @@ function load_cert(cert_name, trust_string) {
function setup_basic_trusts(ca_cert, int_cert) {
certdb.setCertTrust(ca_cert, Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.TRUSTED_SSL |
Ci.nsIX509CertDB.TRUSTED_EMAIL |
Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
Ci.nsIX509CertDB.TRUSTED_EMAIL);
certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0);
}