Bug 1441914 - Make security.pki.distrust_ca_policy a bitmask r=fkiefer r=keeler
Per Bug 1437754 comment 10, the pref security.pki.distrust_ca_policy makes more sense as a bitmask than a state. To permit future nuance, let's go ahead and do that before people start implementing atop Bug 1456112. This does permit both 0b10 and 0b11 to enable the functionality for Firefox 63. --HG-- extra : transplant_source : %84%AF%89%E0%89dT%01%10%84%A0%3B%A5%28%2A%D3%E1%B0%0D%E7
Родитель
96d372ed8f
Коммит
4139925b80
|
@ -63,11 +63,16 @@ enum class SHA1ModeResult {
|
|||
|
||||
// Whether or not we are enforcing one of our CA distrust policies. For context,
|
||||
// see Bug 1437754 and Bug 1409257.
|
||||
enum class DistrustedCAPolicy : uint32_t {
|
||||
Permit = 0,
|
||||
DistrustSymantecRoots = 1,
|
||||
DistrustSymantecRootsRegardlessOfDate = 2,
|
||||
enum DistrustedCAPolicy : uint32_t {
|
||||
Permit = 0b0000,
|
||||
DistrustSymantecRoots = 0b0001,
|
||||
DistrustSymantecRootsRegardlessOfDate = 0b0010,
|
||||
};
|
||||
MOZ_MAKE_ENUM_CLASS_BITWISE_OPERATORS(DistrustedCAPolicy)
|
||||
|
||||
// Bitmask by nsNSSComponent to check for wholly-invalid values; be sure to
|
||||
// update this to account for new entries in DistrustedCAPolicy.
|
||||
const uint32_t DistrustedCAPolicyMaxAllowedValueMask = 0b0011;
|
||||
|
||||
enum class NetscapeStepUpPolicy : uint32_t;
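Review bot: `DistrustedCAPolicyMaxAllowedValueMask` is a hand-written literal that has to be kept in step with the enumerators, and only the comment above it enforces that. If a new policy bit is added and the mask is forgotten, the check in nsNSSComponent will treat a pref carrying that bit as invalid and quietly fall back to the default policy. Building the mask from the enumerators removes that failure mode, e.g. `const uint32_t DistrustedCAPolicyMaxAllowedValueMask = static_cast<uint32_t>(DistrustSymantecRoots) | static_cast<uint32_t>(DistrustSymantecRootsRegardlessOfDate);`. Separately, dropping `class` puts `Permit` and the other enumerators into the enclosing namespace; a short comment saying the enum is unscoped on purpose, so that it can be used as a bitmask, would help the next reader.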
|
||||
|
||||
|
|
|
@ -877,7 +877,8 @@ NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time,
|
|||
// handshake. To determine this, we check mHostname: If it isn't set, this is
|
||||
// not TLS, so don't run the algorithm.
|
||||
if (mHostname && CertDNIsInList(root.get(), RootSymantecDNs) &&
|
||||
mDistrustedCAPolicy != DistrustedCAPolicy::Permit) {
|
||||
((mDistrustedCAPolicy & DistrustedCAPolicy::DistrustSymantecRoots) ||
|
||||
(mDistrustedCAPolicy & DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate))) {
|
||||
|
||||
rootCert = nullptr; // Clear the state for Segment...
|
||||
nsCOMPtr<nsIX509CertList> intCerts;
|
||||
|
@ -893,9 +894,9 @@ NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time,
|
|||
// (new Date("2016-06-01T00:00:00Z")).getTime() * 1000
|
||||
static const PRTime JUNE_1_2016 = 1464739200000000;
|
||||
|
||||
PRTime permitAfterDate = 0; // 0 indicates there is no permitAfterDate
|
||||
if (mDistrustedCAPolicy == DistrustedCAPolicy::DistrustSymantecRoots) {
|
||||
permitAfterDate = JUNE_1_2016;
|
||||
PRTime permitAfterDate = JUNE_1_2016;
|
||||
if (mDistrustedCAPolicy & DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate) {
|
||||
permitAfterDate = 0; // 0 indicates there is no permitAfterDate
|
||||
}
|
||||
|
||||
bool isDistrusted = false;
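Review bot: When both bits are set (0b11), the `DistrustSymantecRootsRegardlessOfDate` branch overwrites `permitAfterDate` with 0, so the stricter policy wins, but nothing in the code says so. The commit message relies on this, so it deserves a comment next to the `if`, e.g. `// If both bits are set, RegardlessOfDate takes precedence: no permitAfterDate exemption.`. Also, `permitAfterDate` now defaults to `JUNE_1_2016`, which is only correct because the guard in the earlier hunk admits just these two bits; a policy bit added later that enters this block would inherit the date exemption unless this initialiser is revisited. IsChainValid starts and ends outside the hunks shown.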
|
||||
|
|
|
@ -1684,14 +1684,10 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting)
|
|||
static_cast<DistrustedCAPolicy>
|
||||
(Preferences::GetUint("security.pki.distrust_ca_policy",
|
||||
static_cast<uint32_t>(defaultCAPolicyMode)));
|
||||
switch(distrustedCAPolicy) {
|
||||
case DistrustedCAPolicy::Permit:
|
||||
case DistrustedCAPolicy::DistrustSymantecRoots:
|
||||
case DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate:
|
||||
break;
|
||||
default:
|
||||
distrustedCAPolicy = defaultCAPolicyMode;
|
||||
break;
|
||||
// If distrustedCAPolicy sets any bits larger than the maximum mask, fall back
|
||||
// to the default.
|
||||
if (distrustedCAPolicy & ~DistrustedCAPolicyMaxAllowedValueMask) {
|
||||
distrustedCAPolicy = defaultCAPolicyMode;
|
||||
}
|
||||
|
||||
CertVerifier::OcspDownloadConfig odc;
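Review bot: The new check discards the whole pref value when any unknown bit is set, recognised bits included, so a value such as 0b0110 drops the stricter `DistrustSymantecRootsRegardlessOfDate` setting and silently reverts to `defaultCAPolicyMode`. If that is intended, say so in the comment, e.g. `// Any unknown bit invalidates the whole value, recognised bits included; fall back to the default.`; if not, masking with `DistrustedCAPolicyMaxAllowedValueMask` would keep the known bits. Either way the fallback is silent, so a log line here would help anyone working out why a configured policy is not in effect. The body of setValidationOptions continues outside the hunk, and the value of `defaultCAPolicyMode` is not visible here.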
|
||||
|
|
|
@ -40,11 +40,11 @@ add_connection_test("symantec-not-whitelisted-before-cutoff.example.com",
|
|||
null, null);
|
||||
|
||||
// Enable the Firefox 63 total distrust; before or after cutoff should now all
|
||||
// behave the same.
|
||||
// behave the same. This will be made the default in Bug 1460062.
|
||||
add_test(function() {
|
||||
clearSessionCache();
|
||||
Services.prefs.setIntPref("security.pki.distrust_ca_policy",
|
||||
/* DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate */ 2);
|
||||
/* DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate */ 0b10);
|
||||
run_next_test();
|
||||
});
|
||||
|
||||
|
@ -60,7 +60,7 @@ add_connection_test("symantec-not-whitelisted-after-cutoff.example.com",
|
|||
add_test(function() {
|
||||
clearSessionCache();
|
||||
Services.prefs.setIntPref("security.pki.distrust_ca_policy",
|
||||
/* DistrustedCAPolicy::Permit */ 0);
|
||||
/* DistrustedCAPolicy::Permit */ 0b00);
|
||||
run_next_test();
|
||||
});
|
||||
|
||||
|
@ -96,7 +96,7 @@ add_task(async function() {
|
|||
|
||||
// Try with the policy for 60
|
||||
Services.prefs.setIntPref("security.pki.distrust_ca_policy",
|
||||
/* DistrustedCAPolicy::DistrustSymantecRoots */ 1);
|
||||
/* DistrustedCAPolicy::DistrustSymantecRoots */ 0b01);
|
||||
|
||||
// (new Date("2018-02-16")).getTime() / 1000
|
||||
const VALIDATION_TIME = 1518739200;
|
||||
|
@ -106,8 +106,23 @@ add_task(async function() {
|
|||
|
||||
// Try with the policy for 63
|
||||
Services.prefs.setIntPref("security.pki.distrust_ca_policy",
|
||||
/* DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate */ 2);
|
||||
/* DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate */ 0b10);
|
||||
|
||||
await checkCertErrorGenericAtTime(certDB, whitelistedCert, PRErrorCodeSuccess,
|
||||
certificateUsageSSLServer, VALIDATION_TIME);
|
||||
});
|
||||
|
||||
// Check invalid policy values; should default to current default
|
||||
add_test(function() {
|
||||
clearSessionCache();
|
||||
Services.prefs.setIntPref("security.pki.distrust_ca_policy",
|
||||
/* Larger than Max Value */ 0b1111);
|
||||
run_next_test();
|
||||
});
|
||||
|
||||
add_connection_test("symantec-not-whitelisted-before-cutoff.example.com",
|
||||
MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
|
||||
null, null);
|
||||
|
||||
add_connection_test("symantec-not-whitelisted-after-cutoff.example.com",
|
||||
PRErrorCodeSuccess, null, shouldBeImminentlyDistrusted);
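Review bot: The tests never set the pref to 0b11, although the commit message states that both 0b10 and 0b11 enable the Firefox 63 behaviour. A case that sets `security.pki.distrust_ca_policy` to `0b11` and repeats the before-cutoff and after-cutoff connection checks used for `0b10` would pin the precedence of the two bits. The invalid-value case uses only 0b1111, which also has both known bits set; a value with just an unknown bit, such as `0b0100`, would exercise the fallback on its own. The expectations after the invalid value encode the current default, so they will need updating when the default changes in Bug 1460062.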
|
||||
|
|