diff --git a/build/pgo/certs/bug1665057cert.certspec b/build/pgo/certs/bug1665057cert.certspec index 358e31b0b302..ee338b8d1ab6 100644 --- a/build/pgo/certs/bug1665057cert.certspec +++ b/build/pgo/certs/bug1665057cert.certspec @@ -1,2 +1,3 @@ subject:www.suggestion-example.com +extension:subjectAlternativeName:www.suggestion-example.com issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization diff --git a/build/pgo/certs/bug1706126cert.certspec b/build/pgo/certs/bug1706126cert.certspec index 6f48648e76bc..5fd2d894ff5c 100644 --- a/build/pgo/certs/bug1706126cert.certspec +++ b/build/pgo/certs/bug1706126cert.certspec @@ -1,2 +1,3 @@ subject:www.redirect-example.com +extension:subjectAlternativeName:www.redirect-example.com issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization diff --git a/build/pgo/certs/cert9.db b/build/pgo/certs/cert9.db index 22e7226618bf..d34eaa8cf98a 100644 Binary files a/build/pgo/certs/cert9.db and b/build/pgo/certs/cert9.db differ diff --git a/build/pgo/certs/key4.db b/build/pgo/certs/key4.db index 8caf40f1aa91..01bdc4afa518 100644 Binary files a/build/pgo/certs/key4.db and b/build/pgo/certs/key4.db differ diff --git a/build/pgo/certs/mochitest.client b/build/pgo/certs/mochitest.client index 7ac76facc695..5b038dc61079 100644 Binary files a/build/pgo/certs/mochitest.client and b/build/pgo/certs/mochitest.client differ diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp index ccc12f6b5a8c..6f554d87958e 100644 --- a/docshell/base/nsDocShell.cpp +++ b/docshell/base/nsDocShell.cpp @@ -234,7 +234,6 @@ #include "nsXULAppAPI.h" #include "ThirdPartyUtil.h" -#include "BRNameMatchingPolicy.h" #include "GeckoProfiler.h" #include "mozilla/NullPrincipal.h" #include "Navigator.h" @@ -6090,10 +6089,7 @@ already_AddRefed nsDocShell::MaybeFixBadCertDomainErrorURI( // Check if adding a "www." prefix to the request's hostname will // cause the response's certificate to match. - mozilla::psm::BRNameMatchingPolicy nameMatchingPolicy( - mozilla::psm::BRNameMatchingPolicy::Mode::Enforce); - rv1 = mozilla::pkix::CheckCertHostname(serverCertInput, newHostInput, - nameMatchingPolicy); + rv1 = mozilla::pkix::CheckCertHostname(serverCertInput, newHostInput); if (rv1 != mozilla::pkix::Success) { return nullptr; } diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index b3c73579429a..a078809d8122 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -111,18 +111,6 @@ pref("security.pki.sha1_enforcement_level", 3); // x_11_x: COSE is required, PKCS#7 disabled (fail when present) pref("security.signed_app_signatures.policy", 2); -// security.pki.name_matching_mode controls how the platform matches hostnames -// to name information in TLS certificates. The possible values are: -// 0: always fall back to the subject common name if necessary (as in, if the -// subject alternative name extension is either not present or does not -// contain any DNS names or IP addresses) -// 1: fall back to the subject common name for certificates valid before 23 -// August 2016 if necessary -// 2: fall back to the subject common name for certificates valid before 23 -// August 2015 if necessary -// 3: only use name information from the subject alternative name extension -pref("security.pki.name_matching_mode", 3); - // security.pki.netscape_step_up_policy controls how the platform handles the // id-Netscape-stepUp OID in extended key usage extensions of CA certificates. // 0: id-Netscape-stepUp is always considered equivalent to id-kp-serverAuth diff --git a/netwerk/base/nsIOService.cpp b/netwerk/base/nsIOService.cpp index 035e3264c4f0..be0b39efee78 100644 --- a/netwerk/base/nsIOService.cpp +++ b/netwerk/base/nsIOService.cpp @@ -252,7 +252,6 @@ static const char* gCallbackSecurityPrefs[] = { "security.ssl.enable_ocsp_stapling", "security.ssl.enable_ocsp_must_staple", "security.pki.certificate_transparency.mode", - "security.pki.name_matching_mode", nullptr, }; @@ -407,8 +406,7 @@ void nsIOService::OnTLSPrefChange(const char* aPref, void* aSelf) { LOG(("HandleTLSPrefChange done")); } else if (pref.EqualsLiteral("security.ssl.enable_ocsp_stapling") || pref.EqualsLiteral("security.ssl.enable_ocsp_must_staple") || - pref.EqualsLiteral("security.pki.certificate_transparency.mode") || - pref.EqualsLiteral("security.pki.name_matching_mode")) { + pref.EqualsLiteral("security.pki.certificate_transparency.mode")) { SetValidationOptionsCommon(); } } diff --git a/security/certverifier/BRNameMatchingPolicy.cpp b/security/certverifier/BRNameMatchingPolicy.cpp deleted file mode 100644 index c70801adcd29..000000000000 --- a/security/certverifier/BRNameMatchingPolicy.cpp +++ /dev/null @@ -1,42 +0,0 @@ -/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -/* vim: set ts=8 sts=2 et sw=2 tw=80: */ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "BRNameMatchingPolicy.h" - -#include "mozilla/Assertions.h" - -using namespace mozilla::psm; -using namespace mozilla::pkix; - -Result BRNameMatchingPolicy::FallBackToCommonName( - Time notBefore, - /*out*/ FallBackToSearchWithinSubject& fallBackToCommonName) { - // (new Date("2015-08-23T00:00:00Z")).getTime() / 1000 - static const Time AUGUST_23_2015 = TimeFromEpochInSeconds(1440288000); - // (new Date("2016-08-23T00:00:00Z")).getTime() / 1000 - static const Time AUGUST_23_2016 = TimeFromEpochInSeconds(1471910400); - switch (mMode) { - case Mode::Enforce: - fallBackToCommonName = FallBackToSearchWithinSubject::No; - break; - case Mode::EnforceAfter23August2015: - fallBackToCommonName = notBefore > AUGUST_23_2015 - ? FallBackToSearchWithinSubject::No - : FallBackToSearchWithinSubject::Yes; - break; - case Mode::EnforceAfter23August2016: - fallBackToCommonName = notBefore > AUGUST_23_2016 - ? FallBackToSearchWithinSubject::No - : FallBackToSearchWithinSubject::Yes; - break; - case Mode::DoNotEnforce: - fallBackToCommonName = FallBackToSearchWithinSubject::Yes; - break; - default: - MOZ_CRASH("Unexpected Mode"); - } - return Success; -} diff --git a/security/certverifier/BRNameMatchingPolicy.h b/security/certverifier/BRNameMatchingPolicy.h deleted file mode 100644 index 1f9910cee20a..000000000000 --- a/security/certverifier/BRNameMatchingPolicy.h +++ /dev/null @@ -1,57 +0,0 @@ -/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -/* vim: set ts=8 sts=2 et sw=2 tw=80: */ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#ifndef BRNameMatchingPolicy_h -#define BRNameMatchingPolicy_h - -#include "mozpkix/pkixtypes.h" - -namespace mozilla { -namespace psm { - -// According to the Baseline Requirements version 1.3.3 section 7.1.4.2.2.a, -// the requirements of the subject common name field are as follows: -// "If present, this field MUST contain a single IP address or Fully‐Qualified -// Domain Name that is one of the values contained in the Certificate’s -// subjectAltName extension". Consequently, since any name information present -// in the common name must be present in the subject alternative name extension, -// when performing name matching, it should not be necessary to fall back to the -// common name. Because this consequence has not commonly been enforced, this -// implementation provides a mechanism to start enforcing it gradually while -// maintaining some backwards compatibility. If configured with the mode -// "EnforceAfter23August2016", name matching will only fall back to using the -// subject common name for certificates where the notBefore field is before 23 -// August 2016. Similarly, the mode "EnforceAfter23August2015" is also -// available. This is to provide a balance between allowing preexisting -// long-lived certificates and detecting newly-issued problematic certificates. -// Note that this implementation does not actually directly enforce that if the -// subject common name is present, its value corresponds to a dNSName or -// iPAddress entry in the subject alternative name extension. - -class BRNameMatchingPolicy : public mozilla::pkix::NameMatchingPolicy { - public: - enum class Mode { - DoNotEnforce = 0, - EnforceAfter23August2016 = 1, - EnforceAfter23August2015 = 2, - Enforce = 3, - }; - - explicit BRNameMatchingPolicy(Mode mode) : mMode(mode) {} - - virtual mozilla::pkix::Result FallBackToCommonName( - mozilla::pkix::Time notBefore, - /*out*/ mozilla::pkix::FallBackToSearchWithinSubject& - fallBacktoCommonName) override; - - private: - Mode mMode; -}; - -} // namespace psm -} // namespace mozilla - -#endif // BRNameMatchingPolicy_h diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp index f2cb8b459fb1..dc8b5a41d370 100644 --- a/security/certverifier/CertVerifier.cpp +++ b/security/certverifier/CertVerifier.cpp @@ -105,7 +105,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc, mozilla::TimeDuration ocspTimeoutSoft, mozilla::TimeDuration ocspTimeoutHard, uint32_t certShortLifetimeInDays, SHA1Mode sha1Mode, - BRNameMatchingPolicy::Mode nameMatchingMode, NetscapeStepUpPolicy netscapeStepUpPolicy, CertificateTransparencyMode ctMode, CRLiteMode crliteMode, @@ -116,7 +115,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc, mOCSPTimeoutHard(ocspTimeoutHard), mCertShortLifetimeInDays(certShortLifetimeInDays), mSHA1Mode(sha1Mode), - mNameMatchingMode(nameMatchingMode), mNetscapeStepUpPolicy(netscapeStepUpPolicy), mCTMode(ctMode), mCRLiteMode(crliteMode) { @@ -990,11 +988,7 @@ Result CertVerifier::VerifySSLServerCert( return Result::FATAL_ERROR_INVALID_ARGS; } - BRNameMatchingPolicy nameMatchingPolicy( - isBuiltChainRootBuiltInRootLocal - ? mNameMatchingMode - : BRNameMatchingPolicy::Mode::DoNotEnforce); - rv = CheckCertHostname(peerCertInput, hostnameInput, nameMatchingPolicy); + rv = CheckCertHostname(peerCertInput, hostnameInput); if (rv != Success) { // Treat malformed name information as a domain mismatch. if (rv == Result::ERROR_BAD_DER) { diff --git a/security/certverifier/CertVerifier.h b/security/certverifier/CertVerifier.h index f3a9ba9db494..b69a4b209490 100644 --- a/security/certverifier/CertVerifier.h +++ b/security/certverifier/CertVerifier.h @@ -7,7 +7,6 @@ #ifndef CertVerifier_h #define CertVerifier_h -#include "BRNameMatchingPolicy.h" #include "CTPolicyEnforcer.h" #include "CTVerifyResult.h" #include "EnterpriseRoots.h" @@ -220,7 +219,6 @@ class CertVerifier { mozilla::TimeDuration ocspTimeoutSoft, mozilla::TimeDuration ocspTimeoutHard, uint32_t certShortLifetimeInDays, SHA1Mode sha1Mode, - BRNameMatchingPolicy::Mode nameMatchingMode, NetscapeStepUpPolicy netscapeStepUpPolicy, CertificateTransparencyMode ctMode, CRLiteMode crliteMode, const Vector& thirdPartyCerts); @@ -234,7 +232,6 @@ class CertVerifier { const mozilla::TimeDuration mOCSPTimeoutHard; const uint32_t mCertShortLifetimeInDays; const SHA1Mode mSHA1Mode; - const BRNameMatchingPolicy::Mode mNameMatchingMode; const NetscapeStepUpPolicy mNetscapeStepUpPolicy; const CertificateTransparencyMode mCTMode; const CRLiteMode mCRLiteMode; diff --git a/security/certverifier/moz.build b/security/certverifier/moz.build index 268618d1e430..bf9ac0a38cf5 100644 --- a/security/certverifier/moz.build +++ b/security/certverifier/moz.build @@ -8,13 +8,11 @@ with Files("**"): BUG_COMPONENT = ("Core", "Security: PSM") EXPORTS += [ - "BRNameMatchingPolicy.h", "CertVerifier.h", "OCSPCache.h", ] UNIFIED_SOURCES += [ - "BRNameMatchingPolicy.cpp", "CertVerifier.cpp", "NSSCertDBTrustDomain.cpp", "OCSPCache.cpp", diff --git a/security/ct/MultiLogCTVerifier.h b/security/ct/MultiLogCTVerifier.h index 8f3047df7f7f..983f96677b59 100644 --- a/security/ct/MultiLogCTVerifier.h +++ b/security/ct/MultiLogCTVerifier.h @@ -19,7 +19,7 @@ namespace mozilla { namespace ct { -void DecodeSCTs(Input encodedSctList, +void DecodeSCTs(pkix::Input encodedSctList, std::vector& decodedSCTs, size_t& decodingErrors); diff --git a/security/manager/ssl/CommonSocketControl.cpp b/security/manager/ssl/CommonSocketControl.cpp index bb6fd19e2f66..2623ad96201a 100644 --- a/security/manager/ssl/CommonSocketControl.cpp +++ b/security/manager/ssl/CommonSocketControl.cpp @@ -6,7 +6,6 @@ #include "CommonSocketControl.h" -#include "BRNameMatchingPolicy.h" #include "PublicKeyPinningService.h" #include "SharedCertVerifier.h" #include "nsNSSComponent.h" @@ -192,11 +191,7 @@ CommonSocketControl::IsAcceptableForHost(const nsACString& hostname, return NS_OK; } - mozilla::psm::BRNameMatchingPolicy nameMatchingPolicy( - mIsBuiltCertChainRootBuiltInRoot - ? mozilla::psm::PublicSSLState()->NameMatchingMode() - : mozilla::psm::BRNameMatchingPolicy::Mode::DoNotEnforce); - rv = CheckCertHostname(serverCertInput, hostnameInput, nameMatchingPolicy); + rv = CheckCertHostname(serverCertInput, hostnameInput); if (rv != Success) { return NS_OK; } diff --git a/security/manager/ssl/ContentSignatureVerifier.cpp b/security/manager/ssl/ContentSignatureVerifier.cpp index a0a8eecde6aa..688bad668444 100644 --- a/security/manager/ssl/ContentSignatureVerifier.cpp +++ b/security/manager/ssl/ContentSignatureVerifier.cpp @@ -6,7 +6,6 @@ #include "ContentSignatureVerifier.h" -#include "BRNameMatchingPolicy.h" #include "CryptoTask.h" #include "CSTrustDomain.h" #include "ScopedNSSTypes.h" @@ -279,8 +278,7 @@ static nsresult VerifyContentSignatureInternal( return NS_ERROR_FAILURE; } - BRNameMatchingPolicy nameMatchingPolicy(BRNameMatchingPolicy::Mode::Enforce); - result = CheckCertHostname(certInput, hostnameInput, nameMatchingPolicy); + result = CheckCertHostname(certInput, hostnameInput); if (result != Success) { // EE cert isnot valid for the given host name. aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err7; diff --git a/security/manager/ssl/SSLServerCertVerification.cpp b/security/manager/ssl/SSLServerCertVerification.cpp index ba14c1ab4832..e6db9703a336 100644 --- a/security/manager/ssl/SSLServerCertVerification.cpp +++ b/security/manager/ssl/SSLServerCertVerification.cpp @@ -95,7 +95,6 @@ #include -#include "BRNameMatchingPolicy.h" #include "CertVerifier.h" #include "CryptoTask.h" #include "ExtendedValidation.h" @@ -372,10 +371,6 @@ SECStatus DetermineCertOverrideErrors(const nsCOMPtr& cert, PR_SetError(SEC_ERROR_INVALID_ARGS, 0); return SECFailure; } - // Use a lax policy so as to not generate potentially spurious name - // mismatch "hints". - BRNameMatchingPolicy nameMatchingPolicy( - BRNameMatchingPolicy::Mode::DoNotEnforce); // CheckCertHostname expects that its input represents a certificate that // has already been successfully validated by BuildCertChain. This is // obviously not the case, however, because we're in the error path of @@ -383,7 +378,7 @@ SECStatus DetermineCertOverrideErrors(const nsCOMPtr& cert, // would be nice to remove this optimistic additional error checking and // simply punt to the front-end, which can more easily (and safely) perform // extra checks to give the user hints as to why verification failed. - result = CheckCertHostname(certInput, hostnameInput, nameMatchingPolicy); + result = CheckCertHostname(certInput, hostnameInput); // Treat malformed name information as a domain mismatch. if (result == Result::ERROR_BAD_DER || result == Result::ERROR_BAD_CERT_DOMAIN) { diff --git a/security/manager/ssl/SharedCertVerifier.h b/security/manager/ssl/SharedCertVerifier.h index 73ee1dbfa9d7..a48936a89395 100644 --- a/security/manager/ssl/SharedCertVerifier.h +++ b/security/manager/ssl/SharedCertVerifier.h @@ -24,14 +24,13 @@ class SharedCertVerifier : public mozilla::psm::CertVerifier { mozilla::TimeDuration ocspSoftTimeout, mozilla::TimeDuration ocspHardTimeout, uint32_t certShortLifetimeInDays, SHA1Mode sha1Mode, - BRNameMatchingPolicy::Mode nameMatchingMode, NetscapeStepUpPolicy netscapeStepUpPolicy, CertificateTransparencyMode ctMode, CRLiteMode crliteMode, const Vector& thirdPartyCerts) : mozilla::psm::CertVerifier(odc, osc, ocspSoftTimeout, ocspHardTimeout, certShortLifetimeInDays, sha1Mode, - nameMatchingMode, netscapeStepUpPolicy, - ctMode, crliteMode, thirdPartyCerts) {} + netscapeStepUpPolicy, ctMode, crliteMode, + thirdPartyCerts) {} }; } // namespace psm diff --git a/security/manager/ssl/SharedSSLState.h b/security/manager/ssl/SharedSSLState.h index b6597967f089..31562fc76bee 100644 --- a/security/manager/ssl/SharedSSLState.h +++ b/security/manager/ssl/SharedSSLState.h @@ -36,9 +36,6 @@ class SharedSSLState { void SetSignedCertTimestampsEnabled(bool signedCertTimestampsEnabled) { mSignedCertTimestampsEnabled = signedCertTimestampsEnabled; } - void SetNameMatchingMode(BRNameMatchingPolicy::Mode aMode) { - mNameMatchingMode = aMode; - } // The following methods may be called from any thread bool SocketCreated(); @@ -49,7 +46,6 @@ class SharedSSLState { bool IsSignedCertTimestampsEnabled() const { return mSignedCertTimestampsEnabled; } - BRNameMatchingPolicy::Mode NameMatchingMode() { return mNameMatchingMode; } private: ~SharedSSLState(); @@ -67,7 +63,6 @@ class SharedSSLState { bool mOCSPStaplingEnabled; bool mOCSPMustStapleEnabled; bool mSignedCertTimestampsEnabled; - BRNameMatchingPolicy::Mode mNameMatchingMode; }; SharedSSLState* PublicSSLState(); diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp index 53eef93d0940..b2b076c01c1e 100644 --- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -1340,23 +1340,6 @@ void SetValidationOptionsCommon() { ctMode != CertVerifier::CertificateTransparencyMode::Disabled; PublicSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled); PrivateSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled); - - BRNameMatchingPolicy::Mode nameMatchingMode = - static_cast(Preferences::GetInt( - "security.pki.name_matching_mode", - static_cast(BRNameMatchingPolicy::Mode::DoNotEnforce))); - switch (nameMatchingMode) { - case BRNameMatchingPolicy::Mode::Enforce: - case BRNameMatchingPolicy::Mode::EnforceAfter23August2015: - case BRNameMatchingPolicy::Mode::EnforceAfter23August2016: - case BRNameMatchingPolicy::Mode::DoNotEnforce: - break; - default: - nameMatchingMode = BRNameMatchingPolicy::Mode::DoNotEnforce; - break; - } - PublicSSLState()->SetNameMatchingMode(nameMatchingMode); - PrivateSSLState()->SetNameMatchingMode(nameMatchingMode); } namespace { @@ -1558,8 +1541,7 @@ void nsNSSComponent::setValidationOptions( mDefaultCertVerifier = new SharedCertVerifier( odc, osc, softTimeout, hardTimeout, certShortLifetimeInDays, sha1Mode, - PublicSSLState()->NameMatchingMode(), netscapeStepUpPolicy, ctMode, - crliteMode, mEnterpriseCerts); + netscapeStepUpPolicy, ctMode, crliteMode, mEnterpriseCerts); } void nsNSSComponent::UpdateCertVerifierWithEnterpriseRoots() { @@ -1576,7 +1558,6 @@ void nsNSSComponent::UpdateCertVerifierWithEnterpriseRoots() { : CertVerifier::ocspRelaxed, oldCertVerifier->mOCSPTimeoutSoft, oldCertVerifier->mOCSPTimeoutHard, oldCertVerifier->mCertShortLifetimeInDays, oldCertVerifier->mSHA1Mode, - oldCertVerifier->mNameMatchingMode, oldCertVerifier->mNetscapeStepUpPolicy, oldCertVerifier->mCTMode, oldCertVerifier->mCRLiteMode, mEnterpriseCerts); } @@ -2384,7 +2365,6 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic, prefName.EqualsLiteral( "security.pki.certificate_transparency.mode") || prefName.EqualsLiteral("security.pki.sha1_enforcement_level") || - prefName.EqualsLiteral("security.pki.name_matching_mode") || prefName.EqualsLiteral("security.pki.netscape_step_up_policy") || prefName.EqualsLiteral( "security.OCSP.timeoutMilliseconds.soft") || diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js index 56de79ae7cd1..d33ad8b27505 100644 --- a/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js +++ b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js @@ -3,16 +3,6 @@ // License, v. 2.0. If a copy of the MPL was not distributed with this // file, You can obtain one at http://mozilla.org/MPL/2.0/. -// The preference security.pki.name_matching_mode controls whether or not -// mozilla::pkix will fall back to using a certificate's subject common name -// during name matching. If the Baseline Requirements are followed, fallback -// should not be necessary (because any name information in the subject common -// name should be present in the subject alternative name extension). Due to -// compatibility concerns, the platform can be configured to fall back for -// certificates that are valid before 23 August 2016. Note that for certificates -// issued by an imported root, the platform will fall back if necessary, -// regardless of the value of the preference. - "use strict"; do_get_profile(); // must be called before getting nsIX509CertDB @@ -48,8 +38,6 @@ function checkCertOn25August2016(cert, expectedResult) { add_task(async function() { registerCleanupFunction(() => { - Services.prefs.clearUserPref("security.pki.name_matching_mode"); - Services.prefs.clearUserPref("security.test.built_in_root_hash"); Services.prefs.clearUserPref("privacy.reduceTimerPrecision"); }); @@ -57,239 +45,34 @@ add_task(async function() { loadCertWithTrust("ca", "CTu,,"); - // When verifying a certificate, if the trust anchor is not a built-in root, - // name matching will fall back to using the subject common name if necessary - // (i.e. if there is no subject alternative name extension or it does not - // contain any dNSName or iPAddress entries). Thus, since imported roots are - // not in general treated as built-ins, these should all successfully verify - // regardless of the value of the pref. - Services.prefs.setIntPref("security.pki.name_matching_mode", 0); - info("current mode: always fall back, root not built-in"); + // At one time there was a preference security.pki.name_matching_mode that + // controlled whether or not mozilla::pkix would fall back to using a + // certificate's subject common name during name matching. This no longer + // exists, and certificates that previously required the fallback should fail + // to verify. + await checkCertOn25August2016( certFromFile("no-san-recent"), - PRErrorCodeSuccess + SSL_ERROR_BAD_CERT_DOMAIN + ); + await checkCertOn25August2016( + certFromFile("no-san-old"), + SSL_ERROR_BAD_CERT_DOMAIN ); - await checkCertOn25August2016(certFromFile("no-san-old"), PRErrorCodeSuccess); await checkCertOn25August2016( certFromFile("no-san-older"), - PRErrorCodeSuccess + SSL_ERROR_BAD_CERT_DOMAIN ); await checkCertOn25August2016( certFromFile("san-contains-no-hostnames-recent"), - PRErrorCodeSuccess + SSL_ERROR_BAD_CERT_DOMAIN ); await checkCertOn25August2016( certFromFile("san-contains-no-hostnames-old"), - PRErrorCodeSuccess + SSL_ERROR_BAD_CERT_DOMAIN ); await checkCertOn25August2016( certFromFile("san-contains-no-hostnames-older"), - PRErrorCodeSuccess + SSL_ERROR_BAD_CERT_DOMAIN ); - - Services.prefs.setIntPref("security.pki.name_matching_mode", 1); - info( - "current mode: fall back for notBefore < August 23, 2016, root " + - "not built-in" - ); - await checkCertOn25August2016( - certFromFile("no-san-recent"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016(certFromFile("no-san-old"), PRErrorCodeSuccess); - await checkCertOn25August2016( - certFromFile("no-san-older"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-recent"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-old"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-older"), - PRErrorCodeSuccess - ); - - Services.prefs.setIntPref("security.pki.name_matching_mode", 2); - info( - "current mode: fall back for notBefore < August 23, 2015, root " + - "not built-in" - ); - await checkCertOn25August2016( - certFromFile("no-san-recent"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016(certFromFile("no-san-old"), PRErrorCodeSuccess); - await checkCertOn25August2016( - certFromFile("no-san-older"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-recent"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-old"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-older"), - PRErrorCodeSuccess - ); - - Services.prefs.setIntPref("security.pki.name_matching_mode", 3); - info("current mode: never fall back, root not built-in"); - await checkCertOn25August2016( - certFromFile("no-san-recent"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016(certFromFile("no-san-old"), PRErrorCodeSuccess); - await checkCertOn25August2016( - certFromFile("no-san-older"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-recent"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-old"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-older"), - PRErrorCodeSuccess - ); - - // In debug builds, we can treat an imported root as a built-in, and thus we - // can actually test the different values of the pref. - if (isDebugBuild) { - let root = certFromFile("ca"); - Services.prefs.setCharPref( - "security.test.built_in_root_hash", - root.sha256Fingerprint - ); - - // Always fall back if necessary. - Services.prefs.setIntPref("security.pki.name_matching_mode", 0); - info("current mode: always fall back, root built-in"); - await checkCertOn25August2016( - certFromFile("no-san-recent"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("no-san-old"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("no-san-older"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-recent"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-old"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-older"), - PRErrorCodeSuccess - ); - - // Only fall back if notBefore < 23 August 2016 - Services.prefs.setIntPref("security.pki.name_matching_mode", 1); - info( - "current mode: fall back for notBefore < August 23, 2016, root " + - "built-in" - ); - await checkCertOn25August2016( - certFromFile("no-san-recent"), - SSL_ERROR_BAD_CERT_DOMAIN - ); - await checkCertOn25August2016( - certFromFile("no-san-old"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("no-san-older"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-recent"), - SSL_ERROR_BAD_CERT_DOMAIN - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-old"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-older"), - PRErrorCodeSuccess - ); - - // Only fall back if notBefore < 23 August 2015 - Services.prefs.setIntPref("security.pki.name_matching_mode", 2); - info( - "current mode: fall back for notBefore < August 23, 2015, root " + - "built-in" - ); - await checkCertOn25August2016( - certFromFile("no-san-recent"), - SSL_ERROR_BAD_CERT_DOMAIN - ); - await checkCertOn25August2016( - certFromFile("no-san-old"), - SSL_ERROR_BAD_CERT_DOMAIN - ); - await checkCertOn25August2016( - certFromFile("no-san-older"), - PRErrorCodeSuccess - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-recent"), - SSL_ERROR_BAD_CERT_DOMAIN - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-old"), - SSL_ERROR_BAD_CERT_DOMAIN - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-older"), - PRErrorCodeSuccess - ); - - // Never fall back. - Services.prefs.setIntPref("security.pki.name_matching_mode", 3); - info("current mode: never fall back, root built-in"); - await checkCertOn25August2016( - certFromFile("no-san-recent"), - SSL_ERROR_BAD_CERT_DOMAIN - ); - await checkCertOn25August2016( - certFromFile("no-san-old"), - SSL_ERROR_BAD_CERT_DOMAIN - ); - await checkCertOn25August2016( - certFromFile("no-san-older"), - SSL_ERROR_BAD_CERT_DOMAIN - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-recent"), - SSL_ERROR_BAD_CERT_DOMAIN - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-old"), - SSL_ERROR_BAD_CERT_DOMAIN - ); - await checkCertOn25August2016( - certFromFile("san-contains-no-hostnames-older"), - SSL_ERROR_BAD_CERT_DOMAIN - ); - } }); diff --git a/testing/tools/iceserver/iceserver.py b/testing/tools/iceserver/iceserver.py index a8a113a9d2c4..a909229a1705 100644 --- a/testing/tools/iceserver/iceserver.py +++ b/testing/tools/iceserver/iceserver.py @@ -882,6 +882,9 @@ def create_self_signed_cert(name): cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) cert.set_issuer(cert.get_subject()) cert.set_pubkey(k) + cert.add_extensions( + [crypto.X509Extension(b"subjectAltName", False, f"DNS:{name}".encode())] + ) cert.sign(k, "sha1") open(CERT_FILE, "wb").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))