From 36f5d05cd8d55ec42c946517915b9411d82f3c94 Mon Sep 17 00:00:00 2001 From: David Keeler Date: Fri, 1 Dec 2017 16:16:20 -0800 Subject: [PATCH] bug 1397837 - remove vestigial references to "code signing" from PSM r=Cykesiopka,snorp As of bug 1257362, the platform does not verify code signing certificates in general, so anything involving the code signing trust of certificates can go. MozReview-Commit-ID: 9g9kM62xfYZ --HG-- extra : rebase_source : 5bec64e5f451c8433aff0de82a91f7bd54c24608 --- mobile/android/components/NSSDialogService.js | 4 +- .../locales/en-US/chrome/pippki.properties | 1 - .../en-US/chrome/pippki/certManager.dtd | 1 - .../locales/en-US/chrome/pippki/pippki.dtd | 1 - security/manager/pki/nsNSSDialogs.cpp | 7 -- .../pki/resources/content/downloadcert.js | 5 -- .../pki/resources/content/downloadcert.xul | 3 - .../pki/resources/content/editcacert.js | 11 +--- .../pki/resources/content/editcacert.xul | 2 - security/manager/ssl/nsIX509CertDB.idl | 18 ++++-- security/manager/ssl/nsNSSCertHelper.cpp | 4 +- security/manager/ssl/nsNSSCertTrust.cpp | 64 ++----------------- security/manager/ssl/nsNSSCertTrust.h | 22 ++----- security/manager/ssl/nsNSSCertificateDB.cpp | 31 ++++----- .../browser/browser_downloadCert_ui.js | 3 - .../browser/browser_editCACertTrust.js | 18 +----- .../manager/ssl/tests/unit/test_cert_trust.js | 3 +- 17 files changed, 42 insertions(+), 156 deletions(-) diff --git a/mobile/android/components/NSSDialogService.js b/mobile/android/components/NSSDialogService.js index f71a617659cb..9e0f8e777ea1 100644 --- a/mobile/android/components/NSSDialogService.js +++ b/mobile/android/components/NSSDialogService.js @@ -92,8 +92,7 @@ NSSDialogs.prototype = { ], aCtx); prompt.addCheckbox({ id: "trustSSL", label: this.getString("downloadCert.trustSSL"), checked: false }) - .addCheckbox({ id: "trustEmail", label: this.getString("downloadCert.trustEmail"), checked: false }) - .addCheckbox({ id: "trustSign", label: this.getString("downloadCert.trustObjSign"), checked: false }); + .addCheckbox({ id: "trustEmail", label: this.getString("downloadCert.trustEmail"), checked: false }); let response = this.showPrompt(prompt); // they hit the "view cert" button, so show the cert and try again @@ -107,7 +106,6 @@ NSSDialogs.prototype = { aTrust.value = Ci.nsIX509CertDB.UNTRUSTED; if (response.trustSSL) aTrust.value |= Ci.nsIX509CertDB.TRUSTED_SSL; if (response.trustEmail) aTrust.value |= Ci.nsIX509CertDB.TRUSTED_EMAIL; - if (response.trustSign) aTrust.value |= Ci.nsIX509CertDB.TRUSTED_OBJSIGN; return true; } }, diff --git a/mobile/android/locales/en-US/chrome/pippki.properties b/mobile/android/locales/en-US/chrome/pippki.properties index 1102f0b00a3f..edd8a890f7e8 100644 --- a/mobile/android/locales/en-US/chrome/pippki.properties +++ b/mobile/android/locales/en-US/chrome/pippki.properties @@ -11,7 +11,6 @@ downloadCert.message1=You have been asked to trust a new Certificate Authority ( downloadCert.viewCert.label=View downloadCert.trustSSL=Trust to identify websites. downloadCert.trustEmail=Trust to identify email users. -downloadCert.trustObjSign=Trust to identify software developers. pkcs12.getpassword.title=Password Entry Dialog pkcs12.getpassword.message=Please enter the password that was used to encrypt this certificate backup. clientAuthAsk.title=User Identification Request diff --git a/security/manager/locales/en-US/chrome/pippki/certManager.dtd b/security/manager/locales/en-US/chrome/pippki/certManager.dtd index 880321cd444f..e6318e1ce096 100644 --- a/security/manager/locales/en-US/chrome/pippki/certManager.dtd +++ b/security/manager/locales/en-US/chrome/pippki/certManager.dtd @@ -38,7 +38,6 @@ - diff --git a/security/manager/locales/en-US/chrome/pippki/pippki.dtd b/security/manager/locales/en-US/chrome/pippki/pippki.dtd index 3bc3c1f85957..00e1f6a30a4e 100644 --- a/security/manager/locales/en-US/chrome/pippki/pippki.dtd +++ b/security/manager/locales/en-US/chrome/pippki/pippki.dtd @@ -20,7 +20,6 @@ - diff --git a/security/manager/pki/nsNSSDialogs.cpp b/security/manager/pki/nsNSSDialogs.cpp index 8e41d4f778ad..fcba770c1d97 100644 --- a/security/manager/pki/nsNSSDialogs.cpp +++ b/security/manager/pki/nsNSSDialogs.cpp @@ -153,16 +153,9 @@ nsNSSDialogs::ConfirmDownloadCACert(nsIInterfaceRequestor* ctx, if (NS_FAILED(rv)) { return rv; } - bool trustForObjSign = false; - rv = retVals->GetPropertyAsBool(NS_LITERAL_STRING("trustForObjSign"), - &trustForObjSign); - if (NS_FAILED(rv)) { - return rv; - } *trust |= trustForSSL ? nsIX509CertDB::TRUSTED_SSL : 0; *trust |= trustForEmail ? nsIX509CertDB::TRUSTED_EMAIL : 0; - *trust |= trustForObjSign ? nsIX509CertDB::TRUSTED_OBJSIGN : 0; return NS_OK; } diff --git a/security/manager/pki/resources/content/downloadcert.js b/security/manager/pki/resources/content/downloadcert.js index 892e34be081c..c5cda01a1831 100644 --- a/security/manager/pki/resources/content/downloadcert.js +++ b/security/manager/pki/resources/content/downloadcert.js @@ -27,9 +27,6 @@ * @property {Boolean} trustForEmail * Set to true if the cert should be trusted for e-mail, false * otherwise. Undefined value if |importConfirmed| is not true. - * @property {Boolean} trustForObjSign - * Set to true if the cert should be trusted for object signing, false - * otherwise. Undefined value if |importConfirmed| is not true. */ const { classes: Cc, interfaces: Ci, utils: Cu, results: Cr } = Components; @@ -70,13 +67,11 @@ function viewCert() { function onDialogAccept() { let checkSSL = document.getElementById("trustSSL"); let checkEmail = document.getElementById("trustEmail"); - let checkObjSign = document.getElementById("trustObjSign"); let retVals = window.arguments[1].QueryInterface(Ci.nsIWritablePropertyBag2); retVals.setPropertyAsBool("importConfirmed", true); retVals.setPropertyAsBool("trustForSSL", checkSSL.checked); retVals.setPropertyAsBool("trustForEmail", checkEmail.checked); - retVals.setPropertyAsBool("trustForObjSign", checkObjSign.checked); return true; } diff --git a/security/manager/pki/resources/content/downloadcert.xul b/security/manager/pki/resources/content/downloadcert.xul index 9ddc88a17ce8..7e19de2c88d0 100644 --- a/security/manager/pki/resources/content/downloadcert.xul +++ b/security/manager/pki/resources/content/downloadcert.xul @@ -33,7 +33,6 @@ - "do you want to?" - * trust for SSL - * trust for email - - * trust for object signing --> @@ -41,8 +40,6 @@ id="trustSSL"/> - diff --git a/security/manager/pki/resources/content/editcacert.js b/security/manager/pki/resources/content/editcacert.js index 405d5281a42c..1414ac653cac 100644 --- a/security/manager/pki/resources/content/editcacert.js +++ b/security/manager/pki/resources/content/editcacert.js @@ -31,11 +31,6 @@ function onLoad() { let emailCheckbox = document.getElementById("trustEmail"); emailCheckbox.checked = gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT, Ci.nsIX509CertDB.TRUSTED_EMAIL); - - let objSignCheckbox = document.getElementById("trustObjSign"); - objSignCheckbox.checked = - gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT, - Ci.nsIX509CertDB.TRUSTED_OBJSIGN); } /** @@ -46,13 +41,9 @@ function onLoad() { function onDialogAccept() { let sslCheckbox = document.getElementById("trustSSL"); let emailCheckbox = document.getElementById("trustEmail"); - let objSignCheckbox = document.getElementById("trustObjSign"); let trustSSL = sslCheckbox.checked ? Ci.nsIX509CertDB.TRUSTED_SSL : 0; let trustEmail = emailCheckbox.checked ? Ci.nsIX509CertDB.TRUSTED_EMAIL : 0; - let trustObjSign = objSignCheckbox.checked ? Ci.nsIX509CertDB.TRUSTED_OBJSIGN - : 0; - gCertDB.setCertTrust(gCert, Ci.nsIX509Cert.CA_CERT, - trustSSL | trustEmail | trustObjSign); + gCertDB.setCertTrust(gCert, Ci.nsIX509Cert.CA_CERT, trustSSL | trustEmail); return true; } diff --git a/security/manager/pki/resources/content/editcacert.xul b/security/manager/pki/resources/content/editcacert.xul index 46ea4f1f928d..0cba6d6d3cb6 100644 --- a/security/manager/pki/resources/content/editcacert.xul +++ b/security/manager/pki/resources/content/editcacert.xul @@ -29,8 +29,6 @@ id="trustSSL"/> - diff --git a/security/manager/ssl/nsIX509CertDB.idl b/security/manager/ssl/nsIX509CertDB.idl index d3c795c03c84..d7983be77230 100644 --- a/security/manager/ssl/nsIX509CertDB.idl +++ b/security/manager/ssl/nsIX509CertDB.idl @@ -67,7 +67,6 @@ interface nsIX509CertDB : nsISupports { const unsigned long UNTRUSTED = 0; const unsigned long TRUSTED_SSL = 1 << 0; const unsigned long TRUSTED_EMAIL = 1 << 1; - const unsigned long TRUSTED_OBJSIGN = 1 << 2; /** * Will find a certificate based on its dbkey @@ -155,8 +154,11 @@ interface nsIX509CertDB : nsISupports { /** * @param cert The certificate for which to modify trust. * @param trustString decoded by CERT_DecodeTrustString. 3 comma separated - * characters, indicating SSL, Email, and Obj signing - * trust. + * characters, indicating SSL, Email, and Object signing + * trust. The object signing trust flags are effectively + * ignored by gecko, but they still must be specified (at + * least by a final trailing comma) because this argument + * is passed to CERT_DecodeTrustString. */ [must_use] void setCertTrustFromString(in nsIX509Cert cert, in ACString trustString); @@ -284,7 +286,10 @@ interface nsIX509CertDB : nsISupports { * @param trust String describing the trust settings to assign the * certificate. Decoded by CERT_DecodeTrustString. Consists of 3 * comma separated sets of characters, indicating SSL, Email, and - * Object signing trust. + * Object signing trust. The object signing trust flags are + * effectively ignored by gecko, but they still must be specified + * (at least by a final trailing comma) because this argument is + * passed to CERT_DecodeTrustString. * @return nsIX509Cert the resulting certificate */ [must_use] @@ -359,7 +364,10 @@ interface nsIX509CertDB : nsISupports { * @param trust String describing the trust settings to assign the * certificate. Decoded by CERT_DecodeTrustString. Consists of 3 * comma separated sets of characters, indicating SSL, Email, and - * Object signing trust. + * Object signing trust. The object signing trust flags are + * effectively ignored by gecko, but they still must be specified + * (at least by a final trailing comma) because this argument is + * passed to CERT_DecodeTrustString. * @return nsIX509Cert the resulting certificate */ [must_use] diff --git a/security/manager/ssl/nsNSSCertHelper.cpp b/security/manager/ssl/nsNSSCertHelper.cpp index 1ede4d242577..4735606bbdc5 100644 --- a/security/manager/ssl/nsNSSCertHelper.cpp +++ b/security/manager/ssl/nsNSSCertHelper.cpp @@ -2039,9 +2039,9 @@ getCertType(CERTCertificate* cert) return nsIX509Cert::USER_CERT; if (trust.HasAnyCA()) return nsIX509Cert::CA_CERT; - if (trust.HasPeer(true, false, false)) + if (trust.HasPeer(true, false)) return nsIX509Cert::SERVER_CERT; - if (trust.HasPeer(false, true, false) && cert->emailAddr) + if (trust.HasPeer(false, true) && cert->emailAddr) return nsIX509Cert::EMAIL_CERT; if (CERT_IsCACert(cert, nullptr)) return nsIX509Cert::CA_CERT; diff --git a/security/manager/ssl/nsNSSCertTrust.cpp b/security/manager/ssl/nsNSSCertTrust.cpp index d7dd266691b7..46dd005f201d 100644 --- a/security/manager/ssl/nsNSSCertTrust.cpp +++ b/security/manager/ssl/nsNSSCertTrust.cpp @@ -5,7 +5,7 @@ #include "nsNSSCertTrust.h" void -nsNSSCertTrust::AddCATrust(bool ssl, bool email, bool objSign) +nsNSSCertTrust::AddCATrust(bool ssl, bool email) { if (ssl) { addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA); @@ -15,21 +15,15 @@ nsNSSCertTrust::AddCATrust(bool ssl, bool email, bool objSign) addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA); addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA); } - if (objSign) { - addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA); - addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA); - } } void -nsNSSCertTrust::AddPeerTrust(bool ssl, bool email, bool objSign) +nsNSSCertTrust::AddPeerTrust(bool ssl, bool email) { if (ssl) addTrust(&mTrust.sslFlags, CERTDB_TRUSTED); if (email) addTrust(&mTrust.emailFlags, CERTDB_TRUSTED); - if (objSign) - addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED); } nsNSSCertTrust::nsNSSCertTrust() @@ -37,14 +31,11 @@ nsNSSCertTrust::nsNSSCertTrust() memset(&mTrust, 0, sizeof(CERTCertTrust)); } -nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl, - unsigned int email, - unsigned int objsign) +nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl, unsigned int email) { memset(&mTrust, 0, sizeof(CERTCertTrust)); addTrust(&mTrust.sslFlags, ssl); addTrust(&mTrust.emailFlags, email); - addTrust(&mTrust.objectSigningFlags, objsign); } nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust *t) @@ -103,28 +94,6 @@ nsNSSCertTrust::SetEmailTrust(bool peer, bool tPeer, addTrust(&mTrust.emailFlags, CERTDB_SEND_WARN); } -void -nsNSSCertTrust::SetObjSignTrust(bool peer, bool tPeer, - bool ca, bool tCA, bool tClientCA, - bool user, bool warn) -{ - mTrust.objectSigningFlags = 0; - if (peer || tPeer) - addTrust(&mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD); - if (tPeer) - addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED); - if (ca || tCA) - addTrust(&mTrust.objectSigningFlags, CERTDB_VALID_CA); - if (tClientCA) - addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA); - if (tCA) - addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA); - if (user) - addTrust(&mTrust.objectSigningFlags, CERTDB_USER); - if (warn) - addTrust(&mTrust.objectSigningFlags, CERTDB_SEND_WARN); -} - void nsNSSCertTrust::SetValidCA() { @@ -134,9 +103,6 @@ nsNSSCertTrust::SetValidCA() SetEmailTrust(false, false, true, false, false, false, false); - SetObjSignTrust(false, false, - true, false, false, - false, false); } void @@ -148,9 +114,6 @@ nsNSSCertTrust::SetValidPeer() SetEmailTrust(true, false, false, false, false, false, false); - SetObjSignTrust(true, false, - false, false, false, - false, false); } bool @@ -164,16 +127,12 @@ nsNSSCertTrust::HasAnyCA() } bool -nsNSSCertTrust::HasPeer(bool checkSSL, - bool checkEmail, - bool checkObjSign) +nsNSSCertTrust::HasPeer(bool checkSSL, bool checkEmail) { if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_TERMINAL_RECORD)) return false; if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_TERMINAL_RECORD)) return false; - if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_TERMINAL_RECORD)) - return false; return true; } @@ -188,9 +147,7 @@ nsNSSCertTrust::HasAnyUser() } bool -nsNSSCertTrust::HasTrustedCA(bool checkSSL, - bool checkEmail, - bool checkObjSign) +nsNSSCertTrust::HasTrustedCA(bool checkSSL, bool checkEmail) { if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CA) || hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA))) @@ -198,25 +155,16 @@ nsNSSCertTrust::HasTrustedCA(bool checkSSL, if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CA) || hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA))) return false; - if (checkObjSign && - !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CA) || - hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA))) - return false; return true; } bool -nsNSSCertTrust::HasTrustedPeer(bool checkSSL, - bool checkEmail, - bool checkObjSign) +nsNSSCertTrust::HasTrustedPeer(bool checkSSL, bool checkEmail) { if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED))) return false; if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED))) return false; - if (checkObjSign && - !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED))) - return false; return true; } diff --git a/security/manager/ssl/nsNSSCertTrust.h b/security/manager/ssl/nsNSSCertTrust.h index 26617dcb1d93..8f546376346b 100644 --- a/security/manager/ssl/nsNSSCertTrust.h +++ b/security/manager/ssl/nsNSSCertTrust.h @@ -15,22 +15,16 @@ class nsNSSCertTrust { public: nsNSSCertTrust(); - nsNSSCertTrust(unsigned int ssl, unsigned int email, unsigned int objsign); + nsNSSCertTrust(unsigned int ssl, unsigned int email); explicit nsNSSCertTrust(CERTCertTrust *t); virtual ~nsNSSCertTrust(); /* query */ bool HasAnyCA(); bool HasAnyUser(); - bool HasPeer(bool checkSSL = true, - bool checkEmail = true, - bool checkObjSign = true); - bool HasTrustedCA(bool checkSSL = true, - bool checkEmail = true, - bool checkObjSign = true); - bool HasTrustedPeer(bool checkSSL = true, - bool checkEmail = true, - bool checkObjSign = true); + bool HasPeer(bool checkSSL = true, bool checkEmail = true); + bool HasTrustedCA(bool checkSSL = true, bool checkEmail = true); + bool HasTrustedPeer(bool checkSSL = true, bool checkEmail = true); /* common defaults */ /* equivalent to "c,c,c" */ @@ -48,14 +42,10 @@ public: bool ca, bool tCA, bool tClientCA, bool user, bool warn); - void SetObjSignTrust(bool peer, bool tPeer, - bool ca, bool tCA, bool tClientCA, - bool user, bool warn); - /* set c <--> CT */ - void AddCATrust(bool ssl, bool email, bool objSign); + void AddCATrust(bool ssl, bool email); /* set p <--> P */ - void AddPeerTrust(bool ssl, bool email, bool objSign); + void AddPeerTrust(bool ssl, bool email); CERTCertTrust& GetTrust() { return mTrust; } diff --git a/security/manager/ssl/nsNSSCertificateDB.cpp b/security/manager/ssl/nsNSSCertificateDB.cpp index d5cda5499861..46e77e660add 100644 --- a/security/manager/ssl/nsNSSCertificateDB.cpp +++ b/security/manager/ssl/nsNSSCertificateDB.cpp @@ -382,8 +382,7 @@ nsNSSCertificateDB::handleCACertDownload(NotNull x509Certs, nsNSSCertTrust trust; trust.SetValidCA(); trust.AddCATrust(!!(trustBits & nsIX509CertDB::TRUSTED_SSL), - !!(trustBits & nsIX509CertDB::TRUSTED_EMAIL), - !!(trustBits & nsIX509CertDB::TRUSTED_OBJSIGN)); + !!(trustBits & nsIX509CertDB::TRUSTED_EMAIL)); UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); SECStatus srv = PK11_ImportCert(slot.get(), tmpCert.get(), CK_INVALID_HANDLE, @@ -737,7 +736,7 @@ nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert) // want to do that with user certs, because a user may re-store // the cert onto the card again at which point we *will* want to // trust that cert if it chains up properly. - nsNSSCertTrust trust(0, 0, 0); + nsNSSCertTrust trust(0, 0); srv = ChangeCertTrustWithPossibleAuthentication(cert, trust.GetTrust(), nullptr); } @@ -768,17 +767,15 @@ nsNSSCertificateDB::SetCertTrust(nsIX509Cert *cert, case nsIX509Cert::CA_CERT: trust.SetValidCA(); trust.AddCATrust(!!(trusted & nsIX509CertDB::TRUSTED_SSL), - !!(trusted & nsIX509CertDB::TRUSTED_EMAIL), - !!(trusted & nsIX509CertDB::TRUSTED_OBJSIGN)); + !!(trusted & nsIX509CertDB::TRUSTED_EMAIL)); break; case nsIX509Cert::SERVER_CERT: trust.SetValidPeer(); - trust.AddPeerTrust(trusted & nsIX509CertDB::TRUSTED_SSL, false, false); + trust.AddPeerTrust(trusted & nsIX509CertDB::TRUSTED_SSL, false); break; case nsIX509Cert::EMAIL_CERT: trust.SetValidPeer(); - trust.AddPeerTrust(false, !!(trusted & nsIX509CertDB::TRUSTED_EMAIL), - false); + trust.AddPeerTrust(false, !!(trusted & nsIX509CertDB::TRUSTED_EMAIL)); break; default: // Ignore any other type of certificate (including invalid types). @@ -821,31 +818,25 @@ nsNSSCertificateDB::IsCertTrusted(nsIX509Cert *cert, nsNSSCertTrust trust(&nsstrust); if (certType == nsIX509Cert::CA_CERT) { if (trustType & nsIX509CertDB::TRUSTED_SSL) { - *_isTrusted = trust.HasTrustedCA(true, false, false); + *_isTrusted = trust.HasTrustedCA(true, false); } else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) { - *_isTrusted = trust.HasTrustedCA(false, true, false); - } else if (trustType & nsIX509CertDB::TRUSTED_OBJSIGN) { - *_isTrusted = trust.HasTrustedCA(false, false, true); + *_isTrusted = trust.HasTrustedCA(false, true); } else { return NS_ERROR_FAILURE; } } else if (certType == nsIX509Cert::SERVER_CERT) { if (trustType & nsIX509CertDB::TRUSTED_SSL) { - *_isTrusted = trust.HasTrustedPeer(true, false, false); + *_isTrusted = trust.HasTrustedPeer(true, false); } else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) { - *_isTrusted = trust.HasTrustedPeer(false, true, false); - } else if (trustType & nsIX509CertDB::TRUSTED_OBJSIGN) { - *_isTrusted = trust.HasTrustedPeer(false, false, true); + *_isTrusted = trust.HasTrustedPeer(false, true); } else { return NS_ERROR_FAILURE; } } else if (certType == nsIX509Cert::EMAIL_CERT) { if (trustType & nsIX509CertDB::TRUSTED_SSL) { - *_isTrusted = trust.HasTrustedPeer(true, false, false); + *_isTrusted = trust.HasTrustedPeer(true, false); } else if (trustType & nsIX509CertDB::TRUSTED_EMAIL) { - *_isTrusted = trust.HasTrustedPeer(false, true, false); - } else if (trustType & nsIX509CertDB::TRUSTED_OBJSIGN) { - *_isTrusted = trust.HasTrustedPeer(false, false, true); + *_isTrusted = trust.HasTrustedPeer(false, true); } else { return NS_ERROR_FAILURE; } diff --git a/security/manager/ssl/tests/mochitest/browser/browser_downloadCert_ui.js b/security/manager/ssl/tests/mochitest/browser/browser_downloadCert_ui.js index c1e466f9aefc..f63a58331843 100644 --- a/security/manager/ssl/tests/mochitest/browser/browser_downloadCert_ui.js +++ b/security/manager/ssl/tests/mochitest/browser/browser_downloadCert_ui.js @@ -122,7 +122,6 @@ add_task(async function testAcceptDialogReturnValues() { let [win, retVals] = await openCertDownloadDialog(TEST_CASES[0].cert); win.document.getElementById("trustSSL").checked = true; win.document.getElementById("trustEmail").checked = false; - win.document.getElementById("trustObjSign").checked = true; info("Accepting dialog"); win.document.getElementById("download_cert").acceptDialog(); await BrowserTestUtils.windowClosed(win); @@ -133,8 +132,6 @@ add_task(async function testAcceptDialogReturnValues() { "Return value should signal SSL trust checkbox was checked"); Assert.ok(!retVals.get("trustForEmail"), "Return value should signal E-mail trust checkbox was unchecked"); - Assert.ok(retVals.get("trustForObjSign"), - "Return value should signal Obj Sign trust checkbox was checked"); }); // Test that the right values are returned when the dialog is canceled. diff --git a/security/manager/ssl/tests/mochitest/browser/browser_editCACertTrust.js b/security/manager/ssl/tests/mochitest/browser/browser_editCACertTrust.js index bebc9ba2b305..cb2490c14273 100644 --- a/security/manager/ssl/tests/mochitest/browser/browser_editCACertTrust.js +++ b/security/manager/ssl/tests/mochitest/browser/browser_editCACertTrust.js @@ -33,7 +33,7 @@ function openEditCertTrustDialog() { } add_task(async function setup() { - // Initially trust ca.pem for SSL, but not e-mail or object signing. + // Initially trust ca.pem for SSL but not e-mail. gCert = await readCertificate("ca.pem", "CT,,"); Assert.ok(gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT, Ci.nsIX509CertDB.TRUSTED_SSL), @@ -41,9 +41,6 @@ add_task(async function setup() { Assert.ok(!gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT, Ci.nsIX509CertDB.TRUSTED_EMAIL), "Sanity check: ca.pem should not be trusted for e-mail"); - Assert.ok(!gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT, - Ci.nsIX509CertDB.TRUSTED_OBJSIGN), - "Sanity check: ca.pem should not be trusted for object signing"); }); // Tests the following: @@ -55,13 +52,10 @@ add_task(async function testAcceptDialog() { let sslCheckbox = win.document.getElementById("trustSSL"); let emailCheckbox = win.document.getElementById("trustEmail"); - let objSignCheckbox = win.document.getElementById("trustObjSign"); Assert.ok(sslCheckbox.checked, "Cert should be trusted for SSL in UI"); Assert.ok(!emailCheckbox.checked, "Cert should not be trusted for e-mail in UI"); - Assert.ok(!objSignCheckbox.checked, - "Cert should not be trusted for object signing in UI"); sslCheckbox.checked = false; emailCheckbox.checked = true; @@ -76,9 +70,6 @@ add_task(async function testAcceptDialog() { Assert.ok(gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT, Ci.nsIX509CertDB.TRUSTED_EMAIL), "Cert should now be trusted for e-mail"); - Assert.ok(!gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT, - Ci.nsIX509CertDB.TRUSTED_OBJSIGN), - "Cert should still not be trusted for object signing"); }); // Tests the following: @@ -90,17 +81,13 @@ add_task(async function testCancelDialog() { let sslCheckbox = win.document.getElementById("trustSSL"); let emailCheckbox = win.document.getElementById("trustEmail"); - let objSignCheckbox = win.document.getElementById("trustObjSign"); Assert.ok(!sslCheckbox.checked, "Cert should not be trusted for SSL in UI"); Assert.ok(emailCheckbox.checked, "Cert should be trusted for e-mail in UI"); - Assert.ok(!objSignCheckbox.checked, - "Cert should not be trusted for object signing in UI"); sslCheckbox.checked = true; emailCheckbox.checked = false; - objSignCheckbox.checked = true; info("Canceling dialog"); win.document.getElementById("editCaCert").cancelDialog(); @@ -112,7 +99,4 @@ add_task(async function testCancelDialog() { Assert.ok(gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT, Ci.nsIX509CertDB.TRUSTED_EMAIL), "Cert should still be trusted for e-mail"); - Assert.ok(!gCertDB.isCertTrusted(gCert, Ci.nsIX509Cert.CA_CERT, - Ci.nsIX509CertDB.TRUSTED_OBJSIGN), - "Cert should still not be trusted for object signing"); }); diff --git a/security/manager/ssl/tests/unit/test_cert_trust.js b/security/manager/ssl/tests/unit/test_cert_trust.js index 560b1a3f702c..8bd3e32fb70b 100644 --- a/security/manager/ssl/tests/unit/test_cert_trust.js +++ b/security/manager/ssl/tests/unit/test_cert_trust.js @@ -18,8 +18,7 @@ function load_cert(cert_name, trust_string) { function setup_basic_trusts(ca_cert, int_cert) { certdb.setCertTrust(ca_cert, Ci.nsIX509Cert.CA_CERT, Ci.nsIX509CertDB.TRUSTED_SSL | - Ci.nsIX509CertDB.TRUSTED_EMAIL | - Ci.nsIX509CertDB.TRUSTED_OBJSIGN); + Ci.nsIX509CertDB.TRUSTED_EMAIL); certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0); }