Bug 1441914 - Make security.pki.distrust_ca_policy a bitmask r=fkiefer r=keeler

Per Bug 1437754 comment 10, the pref security.pki.distrust_ca_policy makes more
sense as a bitmask than a state. To permit future nuance, let's go ahead and do
that before people start implementing atop Bug 1456112.

This does permit both 0b10 and 0b11 to enable the functionality for Firefox 63.

--HG--
extra : transplant_source : %84%AF%89%E0%89dT%01%10%84%A0%3B%A5%28%2A%D3%E1%B0%0D%E7

security/certverifier/CertVerifier.h

@@ -63,11 +63,16 @@ enum class SHA1ModeResult {
 
 // Whether or not we are enforcing one of our CA distrust policies. For context,
 // see Bug 1437754 and Bug 1409257.
-enum class DistrustedCAPolicy : uint32_t {
-  Permit = 0,
-  DistrustSymantecRoots = 1,
-  DistrustSymantecRootsRegardlessOfDate = 2,
+enum DistrustedCAPolicy : uint32_t {
+  Permit = 0b0000,
+  DistrustSymantecRoots = 0b0001,
+  DistrustSymantecRootsRegardlessOfDate = 0b0010,
 };
+MOZ_MAKE_ENUM_CLASS_BITWISE_OPERATORS(DistrustedCAPolicy)
+
+// Bitmask by nsNSSComponent to check for wholly-invalid values; be sure to
+// update this to account for new entries in DistrustedCAPolicy.
+const uint32_t DistrustedCAPolicyMaxAllowedValueMask = 0b0011;
 
 enum class NetscapeStepUpPolicy : uint32_t;
 

security/certverifier/NSSCertDBTrustDomain.cpp

@@ -877,7 +877,8 @@ NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time,
   // handshake. To determine this, we check mHostname: If it isn't set, this is
   // not TLS, so don't run the algorithm.
   if (mHostname && CertDNIsInList(root.get(), RootSymantecDNs) &&
-      mDistrustedCAPolicy != DistrustedCAPolicy::Permit) {
+      ((mDistrustedCAPolicy & DistrustedCAPolicy::DistrustSymantecRoots) ||
+       (mDistrustedCAPolicy & DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate))) {
 
     rootCert = nullptr; // Clear the state for Segment...
     nsCOMPtr<nsIX509CertList> intCerts;
@@ -893,9 +894,9 @@ NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time,
     // (new Date("2016-06-01T00:00:00Z")).getTime() * 1000
     static const PRTime JUNE_1_2016 = 1464739200000000;
 
-    PRTime permitAfterDate = 0; // 0 indicates there is no permitAfterDate
-    if (mDistrustedCAPolicy == DistrustedCAPolicy::DistrustSymantecRoots) {
-      permitAfterDate = JUNE_1_2016;
+    PRTime permitAfterDate = JUNE_1_2016;
+    if (mDistrustedCAPolicy & DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate) {
+      permitAfterDate = 0; // 0 indicates there is no permitAfterDate
     }
 
     bool isDistrusted = false;

security/manager/ssl/nsNSSComponent.cpp

@@ -1684,14 +1684,10 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting)
     static_cast<DistrustedCAPolicy>
       (Preferences::GetUint("security.pki.distrust_ca_policy",
                             static_cast<uint32_t>(defaultCAPolicyMode)));
-  switch(distrustedCAPolicy) {
-    case DistrustedCAPolicy::Permit:
-    case DistrustedCAPolicy::DistrustSymantecRoots:
-    case DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate:
-      break;
-    default:
+  // If distrustedCAPolicy sets any bits larger than the maximum mask, fall back
+  // to the default.
+  if (distrustedCAPolicy & ~DistrustedCAPolicyMaxAllowedValueMask) {
     distrustedCAPolicy = defaultCAPolicyMode;
-      break;
   }
 
   CertVerifier::OcspDownloadConfig odc;

security/manager/ssl/tests/unit/test_symantec_apple_google.js

@@ -40,11 +40,11 @@ add_connection_test("symantec-not-whitelisted-before-cutoff.example.com",
                     null, null);
 
 // Enable the Firefox 63 total distrust; before or after cutoff should now all
-// behave the same.
+// behave the same. This will be made the default in Bug 1460062.
 add_test(function() {
   clearSessionCache();
   Services.prefs.setIntPref("security.pki.distrust_ca_policy",
-              /* DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate */ 2);
+              /* DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate */ 0b10);
   run_next_test();
 });
 
@@ -60,7 +60,7 @@ add_connection_test("symantec-not-whitelisted-after-cutoff.example.com",
 add_test(function() {
   clearSessionCache();
   Services.prefs.setIntPref("security.pki.distrust_ca_policy",
-                            /* DistrustedCAPolicy::Permit */ 0);
+                            /* DistrustedCAPolicy::Permit */ 0b00);
   run_next_test();
 });
 
@@ -96,7 +96,7 @@ add_task(async function() {
 
   // Try with the policy for 60
   Services.prefs.setIntPref("security.pki.distrust_ca_policy",
-                            /* DistrustedCAPolicy::DistrustSymantecRoots */ 1);
+                            /* DistrustedCAPolicy::DistrustSymantecRoots */ 0b01);
 
   // (new Date("2018-02-16")).getTime() / 1000
   const VALIDATION_TIME = 1518739200;
@@ -106,8 +106,23 @@ add_task(async function() {
 
   // Try with the policy for 63
   Services.prefs.setIntPref("security.pki.distrust_ca_policy",
-                            /* DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate */ 2);
+                            /* DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate */ 0b10);
 
   await checkCertErrorGenericAtTime(certDB, whitelistedCert, PRErrorCodeSuccess,
                                     certificateUsageSSLServer, VALIDATION_TIME);
 });
+
+// Check invalid policy values; should default to current default
+add_test(function() {
+  clearSessionCache();
+  Services.prefs.setIntPref("security.pki.distrust_ca_policy",
+                            /* Larger than Max Value */ 0b1111);
+  run_next_test();
+});
+
+add_connection_test("symantec-not-whitelisted-before-cutoff.example.com",
+                    MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
+                    null, null);
+
+add_connection_test("symantec-not-whitelisted-after-cutoff.example.com",
+                    PRErrorCodeSuccess, null, shouldBeImminentlyDistrusted);