bug 977870 - insanity::pkix: consume the rest of input when a CertID doesn't match in an OCSP response r=briansmith
Родитель
71abad65d5
Коммит
6426e9ea55
|
@ -163,6 +163,11 @@ public:
|
||||||
return Success;
|
return Success;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void SkipToEnd()
|
||||||
|
{
|
||||||
|
input = end;
|
||||||
|
}
|
||||||
|
|
||||||
bool AtEnd() const { return input == end; }
|
bool AtEnd() const { return input == end; }
|
||||||
|
|
||||||
class Mark
|
class Mark
|
||||||
|
|
|
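Review bot: `SkipToEnd()` is added without a comment, and it is the one Input operation that abandons bytes instead of parsing them, so a caller that uses it anywhere other than on an item it has already decided to ignore will silently accept unvalidated DER. Suggest documenting that contract above the declaration: `// Discards the remaining unparsed bytes of this input, presumably so that the caller's check that the item was fully consumed still passes. Only call this after deciding the rest of the item is to be ignored; the skipped bytes are never DER-validated.` For consistency with `AtEnd()` immediately below, the body could also be written on one line, `void SkipToEnd() { input = end; }`. The enclosing class begins outside the hunk.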
@ -603,6 +603,11 @@ SingleResponse(der::Input& input, Context& context)
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!match) {
|
if (!match) {
|
||||||
|
// This response does not reference the certificate we're interested in.
|
||||||
|
// By consuming the rest of our input and returning successfully, we can
|
||||||
|
// continue processing and examine another response that might have what
|
||||||
|
// we want.
|
||||||
|
input.SkipToEnd();
|
||||||
return der::Success;
|
return der::Success;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
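Review bot: After `input.SkipToEnd()` in the `!match` branch, nothing after the CertID of this SingleResponse is parsed, so a non-matching entry is accepted even when the remainder of it is malformed; the new comment should state that this leniency is deliberate rather than leave it implied. Suggest appending `// Note that nothing after the CertID is DER-validated in this case.` to the comment block. SingleResponse begins outside the hunk, so whether the caller goes on to examine further responses is inferred from the comment rather than visible here.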
@ -745,6 +750,10 @@ CertID(der::Input& input, const Context& context, /*out*/ bool& match)
|
||||||
const CERTCertificate& issuerCert = context.issuerCert;
|
const CERTCertificate& issuerCert = context.issuerCert;
|
||||||
|
|
||||||
if (!SECITEM_ItemsAreEqual(&serialNumber, &cert.serialNumber)) {
|
if (!SECITEM_ItemsAreEqual(&serialNumber, &cert.serialNumber)) {
|
||||||
|
// This does not reference the certificate we're interested in.
|
||||||
|
// Consume the rest of the input and return successfully to
|
||||||
|
// potentially continue processing other responses.
|
||||||
|
input.SkipToEnd();
|
||||||
return der::Success;
|
return der::Success;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
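Review bot: The three new early-return branches in CertID (this hunk and the two that follow, at the hash-algorithm check and the issuer-name-hash check) return `der::Success` without writing the `match` out-parameter, so they are only correct if `match` was set to false before the first of them; that initialization is not within these hunks, so please confirm it, or make each branch explicit with `match = false;` ahead of `input.SkipToEnd();`. The same skip-and-succeed pair, `input.SkipToEnd(); return der::Success;`, now appears four times across SingleResponse and CertID; a small static helper holding those two statements would keep the "ignore this CertID" policy in one place. CertID begins outside the hunk.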
@ -752,6 +761,8 @@ CertID(der::Input& input, const Context& context, /*out*/ bool& match)
|
||||||
|
|
||||||
SECOidTag hashAlg = SECOID_GetAlgorithmTag(&hashAlgorithm);
|
SECOidTag hashAlg = SECOID_GetAlgorithmTag(&hashAlgorithm);
|
||||||
if (hashAlg != SEC_OID_SHA1) {
|
if (hashAlg != SEC_OID_SHA1) {
|
||||||
|
// Again, not interested in this response. Consume input, return success.
|
||||||
|
input.SkipToEnd();
|
||||||
return der::Success;
|
return der::Success;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -768,6 +779,8 @@ CertID(der::Input& input, const Context& context, /*out*/ bool& match)
|
||||||
return der::Failure;
|
return der::Failure;
|
||||||
}
|
}
|
||||||
if (memcmp(hashBuf, issuerNameHash.data, issuerNameHash.len)) {
|
if (memcmp(hashBuf, issuerNameHash.data, issuerNameHash.len)) {
|
||||||
|
// Again, not interested in this response. Consume input, return success.
|
||||||
|
input.SkipToEnd();
|
||||||
return der::Success;
|
return der::Success;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -95,11 +95,8 @@ function add_tests_in_mode(useInsanity, certDB, otherTestCA) {
|
||||||
true);
|
true);
|
||||||
add_ocsp_test("ocsp-stapling-unknown.example.com",
|
add_ocsp_test("ocsp-stapling-unknown.example.com",
|
||||||
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
|
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
|
||||||
// TODO(bug 977870): this should not result in SEC_ERROR_BAD_DER
|
|
||||||
add_ocsp_test("ocsp-stapling-good-other.example.com",
|
add_ocsp_test("ocsp-stapling-good-other.example.com",
|
||||||
getXPCOMStatusFromNSS(
|
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
|
||||||
useInsanity ? SEC_ERROR_BAD_DER
|
|
||||||
: SEC_ERROR_OCSP_UNKNOWN_CERT), true);
|
|
||||||
// If the server doesn't staple an OCSP response, we continue as normal
|
// If the server doesn't staple an OCSP response, we continue as normal
|
||||||
// (this means that even though stapling is enabled, we expect an OCSP
|
// (this means that even though stapling is enabled, we expect an OCSP
|
||||||
// request).
|
// request).
|
||||||
|
|
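Review bot: The revised expectation for `ocsp-stapling-good-other.example.com` appears to exercise only the serial-number mismatch path in CertID; the hash-algorithm and issuer-name-hash mismatch branches introduced by the same commit do not seem to get a test here. Suggest a comment on the test saying which case it covers, e.g. `// good-other: stapled response is for a different certificate (serial mismatch); expect unknown cert, not BAD_DER.`, and, if the test server can produce one, a follow-up case with a CertID whose hash algorithm is not SHA-1. add_tests_in_mode begins outside the hunk.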