bug 1257362 - remove the code-signing usage from certverifier as nothing uses it r=Cykesiopka

MozReview-Commit-ID: 6nWy8k6fMvw --HG-- extra : rebase_source : fa9f78d39b89bfd3416a7a869bf6436d19ac74bc
2017-10-02 16:24:38 -07:00 · 2017-10-02 16:24:38 -07:00 · 65f33e8410
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@ -843,25 +843,6 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
      break;
    }

-    case certificateUsageObjectSigner: {
-      NSSCertDBTrustDomain trustDomain(trustObjectSigning, defaultOCSPFetching,
-                                       mOCSPCache, pinArg, ocspGETConfig,
-                                       mOCSPTimeoutSoft, mOCSPTimeoutHard,
-                                       mCertShortLifetimeInDays,
-                                       pinningDisabled, MIN_RSA_BITS_WEAK,
-                                       ValidityCheckingMode::CheckingOff,
-                                       SHA1Mode::Allowed,
-                                       NetscapeStepUpPolicy::NeverMatch,
-                                       originAttributes, builtChain, nullptr,
-                                       nullptr);
-      rv = BuildCertChain(trustDomain, certDER, time,
-                          EndEntityOrCA::MustBeEndEntity,
-                          KeyUsage::digitalSignature,
-                          KeyPurposeId::id_kp_codeSigning,
-                          CertPolicyId::anyPolicy, stapledOCSPResponse);
-      break;
-    }
-
    default:
      rv = Result::FATAL_ERROR_INVALID_ARGS;
  }
--- a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
+++ b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
@ -46,7 +46,6 @@ VerifySSLServer=SSL Server Certificate
 VerifySSLCA=SSL Certificate Authority
 VerifyEmailSigner=Email Signer Certificate
 VerifyEmailRecip=Email Recipient Certificate
-VerifyObjSign=Object Signer
 HighGrade=High Grade
 MediumGrade=Medium Grade
 # LOCALIZATION NOTE (nick_template): $1s is the common name from a cert (e.g. "Mozilla"), $2s is the CA name (e.g. VeriSign)
--- a/security/manager/pki/resources/content/certViewer.js
+++ b/security/manager/pki/resources/content/certViewer.js
@ -92,7 +92,6 @@ const certificateUsageSSLServer              = 0x0002;
 const certificateUsageSSLCA                  = 0x0008;
 const certificateUsageEmailSigner            = 0x0010;
 const certificateUsageEmailRecipient         = 0x0020;
-const certificateUsageObjectSigner           = 0x0040;

 // A map from the name of a certificate usage to the value of the usage.
 // Useful for printing debugging information and for enumerating all supported
@ -103,7 +102,6 @@ const certificateUsages = {
  certificateUsageSSLCA,
  certificateUsageEmailSigner,
  certificateUsageEmailRecipient,
-  certificateUsageObjectSigner,
 };

 // Map of certificate usage name to localization identifier.
@ -113,7 +111,6 @@ const certificateUsageToStringBundleName = {
  certificateUsageSSLCA: "VerifySSLCA",
  certificateUsageEmailSigner: "VerifyEmailSigner",
  certificateUsageEmailRecipient: "VerifyEmailRecip",
-  certificateUsageObjectSigner: "VerifyObjSign",
 };

 const PRErrorCodeSuccess = 0;
--- a/security/manager/ssl/nsNSSCertificate.cpp
+++ b/security/manager/ssl/nsNSSCertificate.cpp
@ -642,6 +642,34 @@ nsNSSCertificate::GetOrganizationalUnit(nsAString& aOrganizationalUnit)
  return NS_OK;
 }

+static nsresult
+UniqueCERTCertListToMutableArray(/*in*/ UniqueCERTCertList& nssChain,
+                                /*out*/ nsIArray** x509CertArray)
+{
+  if (!x509CertArray) {
+    return NS_ERROR_INVALID_ARG;
+  }
+
+  nsCOMPtr<nsIMutableArray> array = nsArrayBase::Create();
+  if (!array) {
+    return NS_ERROR_FAILURE;
+  }
+
+  CERTCertListNode* node;
+  for (node = CERT_LIST_HEAD(nssChain.get());
+       !CERT_LIST_END(node, nssChain.get());
+       node = CERT_LIST_NEXT(node)) {
+    nsCOMPtr<nsIX509Cert> cert = nsNSSCertificate::Create(node->cert);
+    nsresult rv = array->AppendElement(cert, false);
+    if (NS_FAILED(rv)) {
+      return rv;
+    }
+  }
+
+  array.forget(x509CertArray);
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 nsNSSCertificate::GetChain(nsIArray** _rvChain)
 {
@ -657,68 +685,34 @@ nsNSSCertificate::GetChain(nsIArray** _rvChain)
  NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);

  UniqueCERTCertList nssChain;
-  // We want to test all usages, but we start with server because most of the
-  // time Firefox users care about server certs.
-  if (certVerifier->VerifyCert(mCert.get(), certificateUsageSSLServer, now,
-                               nullptr, /*XXX fixme*/
-                               nullptr, /* hostname */
-                               nssChain,
-                               CertVerifier::FLAG_LOCAL_ONLY)
-        != mozilla::pkix::Success) {
-    nssChain = nullptr;
-    // keep going
-  }
-
-  // This is the whitelist of all non-SSLServer usages that are supported by
-  // verifycert.
-  const int otherUsagesToTest = certificateUsageSSLClient |
-                                certificateUsageSSLCA |
-                                certificateUsageEmailSigner |
-                                certificateUsageEmailRecipient |
-                                certificateUsageObjectSigner;
-  for (int usage = certificateUsageSSLClient;
-       usage < certificateUsageAnyCA && !nssChain;
-       usage = usage << 1) {
-    if ((usage & otherUsagesToTest) == 0) {
-      continue;
-    }
+  // We want to test all usages supported by the certificate verifier, but we
+  // start with TLS server because most of the time Firefox users care about
+  // server certs.
+  const int usagesToTest[] = { certificateUsageSSLServer,
+                               certificateUsageSSLClient,
+                               certificateUsageSSLCA,
+                               certificateUsageEmailSigner,
+                               certificateUsageEmailRecipient };
+  for (auto usage : usagesToTest) {
    if (certVerifier->VerifyCert(mCert.get(), usage, now,
                                 nullptr, /*XXX fixme*/
                                 nullptr, /*hostname*/
                                 nssChain,
                                 CertVerifier::FLAG_LOCAL_ONLY)
-          != mozilla::pkix::Success) {
-      nssChain = nullptr;
-      // keep going
+          == mozilla::pkix::Success) {
+      return UniqueCERTCertListToMutableArray(nssChain, _rvChain);
    }
  }

-  if (!nssChain) {
-    // There is not verified path for the chain, however we still want to
-    // present to the user as much of a possible chain as possible, in the case
-    // where there was a problem with the cert or the issuers.
-    nssChain = UniqueCERTCertList(
-      CERT_GetCertChainFromCert(mCert.get(), PR_Now(), certUsageSSLClient));
-  }
+  // There is no verified path for the chain, however we still want to
+  // present to the user as much of a possible chain as possible, in the case
+  // where there was a problem with the cert or the issuers.
+  nssChain = UniqueCERTCertList(
+    CERT_GetCertChainFromCert(mCert.get(), PR_Now(), certUsageSSLClient));
  if (!nssChain) {
    return NS_ERROR_FAILURE;
  }
-
-  // enumerate the chain for scripting purposes
-  nsCOMPtr<nsIMutableArray> array = nsArrayBase::Create();
-  if (!array) {
-    return NS_ERROR_FAILURE;
-  }
-  CERTCertListNode* node;
-  for (node = CERT_LIST_HEAD(nssChain.get());
-       !CERT_LIST_END(node, nssChain.get());
-       node = CERT_LIST_NEXT(node)) {
-    nsCOMPtr<nsIX509Cert> cert = nsNSSCertificate::Create(node->cert);
-    array->AppendElement(cert, false);
-  }
-  *_rvChain = array;
-  NS_IF_ADDREF(*_rvChain);
-  return NS_OK;
+  return UniqueCERTCertListToMutableArray(nssChain, _rvChain);
 }

 NS_IMETHODIMP
--- a/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
+++ b/security/manager/ssl/tests/mochitest/browser/browser_certViewer.js
@ -39,7 +39,7 @@ add_task(async function testEmailEndEntity() {
 add_task(async function testCodeSignEndEntity() {
  let cert = await readCertificate("code-ee.pem", ",,");
  let win = await displayCertificate(cert);
-  checkUsages(win, ["Object Signer"]);
+  checkError(win, "Could not verify this certificate for unknown reasons.");
  await BrowserTestUtils.closeWindow(win);
 });

@ -48,15 +48,15 @@ add_task(async function testExpired() {
  let win = await displayCertificate(cert);
  checkError(win, "Could not verify this certificate because it has expired.");
  await BrowserTestUtils.closeWindow(win);
-});

-add_task(async function testIssuerExpired() {
-  let cert = await readCertificate("ee-from-expired-ca.pem", ",,");
-  let win = await displayCertificate(cert);
-  checkError(win,
+  // These tasks may run in any order, so we run this additional testcase in the
+  // same task.
+  let eeCert = await readCertificate("ee-from-expired-ca.pem", ",,");
+  let eeWin = await displayCertificate(eeCert);
+  checkError(eeWin,
             "Could not verify this certificate because the CA certificate " +
             "is invalid.");
-  await BrowserTestUtils.closeWindow(win);
+  await BrowserTestUtils.closeWindow(eeWin);
 });

 add_task(async function testUnknownIssuer() {
@ -84,15 +84,15 @@ add_task(async function testUntrusted() {
  checkError(win,
             "Could not verify this certificate because it is not trusted.");
  await BrowserTestUtils.closeWindow(win);
-});

-add_task(async function testUntrustedIssuer() {
-  let cert = await readCertificate("ee-from-untrusted-ca.pem", ",,");
-  let win = await displayCertificate(cert);
-  checkError(win,
+  // These tasks may run in any order, so we run this additional testcase in the
+  // same task.
+  let eeCert = await readCertificate("ee-from-untrusted-ca.pem", ",,");
+  let eeWin = await displayCertificate(eeCert);
+  checkError(eeWin,
             "Could not verify this certificate because the issuer is not " +
             "trusted.");
-  await BrowserTestUtils.closeWindow(win);
+  await BrowserTestUtils.closeWindow(eeWin);
 });

 add_task(async function testRevoked() {
@ -110,7 +110,7 @@ add_task(async function testRevoked() {
  // this certificate will actually verify successfully for every end-entity
  // usage except TLS web server.
  checkUsages(win, ["Email Recipient Certificate", "Email Signer Certificate",
-                    "Object Signer", "SSL Client Certificate"]);
+                    "SSL Client Certificate"]);
  await BrowserTestUtils.closeWindow(win);
 });

--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@ -90,7 +90,6 @@ const certificateUsageSSLServer              = 0x0002;
 const certificateUsageSSLCA                  = 0x0008;
 const certificateUsageEmailSigner            = 0x0010;
 const certificateUsageEmailRecipient         = 0x0020;
-const certificateUsageObjectSigner           = 0x0040;

 // A map from the name of a certificate usage to the value of the usage.
 // Useful for printing debugging information and for enumerating all supported
@ -101,7 +100,6 @@ const allCertificateUsages = {
  certificateUsageSSLCA,
  certificateUsageEmailSigner,
  certificateUsageEmailRecipient,
-  certificateUsageObjectSigner,
 };

 const NO_FLAGS = 0;
--- a/security/manager/ssl/tests/unit/test_cert_keyUsage.js
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage.js
@ -16,8 +16,8 @@ const eeList = [ "ee-no-keyUsage-extension", "ee-keyCertSign-only",

 const caUsage = [ certificateUsageSSLCA ];
 const allEEUsages = [ certificateUsageSSLClient, certificateUsageSSLServer,
-                      certificateUsageEmailSigner, certificateUsageEmailRecipient,
-                      certificateUsageObjectSigner ];
+                      certificateUsageEmailSigner,
+                      certificateUsageEmailRecipient ];
 const serverEEUsages = [ certificateUsageSSLServer,
                         certificateUsageEmailRecipient ];

--- a/security/manager/ssl/tests/unit/test_cert_trust.js
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@ -36,8 +36,6 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
                        certificateUsageEmailSigner);
  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
                        certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageObjectSigner);


  // Test of active distrust. No usage should pass.
@ -52,8 +50,6 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
                        certificateUsageEmailSigner);
  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                        certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
-                        certificateUsageObjectSigner);

  // Trust set to T  -  trusted CA to issue client certs, where client cert is
  // usageSSLClient.
@ -76,9 +72,6 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
  checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
                                                  : PRErrorCodeSuccess,
                        certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
-                                                  : PRErrorCodeSuccess,
-                        certificateUsageObjectSigner);


  // Now tests on the SSL trust bit
@ -95,8 +88,6 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
                        certificateUsageEmailSigner);
  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
                        certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageObjectSigner);

  // Inherited trust SSL
  setCertTrust(cert_to_modify_trust, ",C,C");
@ -112,8 +103,6 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
                        certificateUsageEmailSigner);
  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
                        certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageObjectSigner);

  // Now tests on the EMAIL trust bit
  setCertTrust(cert_to_modify_trust, "C,p,C");
@ -127,8 +116,6 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
                        certificateUsageEmailSigner);
  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                        certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageObjectSigner);


  // inherited EMAIL Trust
@ -146,8 +133,6 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
  checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
                                                  : PRErrorCodeSuccess,
                        certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageObjectSigner);
 }


@ -191,8 +176,6 @@ function run_test() {
                        certificateUsageEmailSigner);
  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
                        certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
-                        certificateUsageObjectSigner);

  // Now make a CA trust anchor available.
  setCertTrust(ca_cert, "CTu,CTu,CTu");
@ -204,6 +187,4 @@ function run_test() {
                        certificateUsageEmailSigner);
  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
                        certificateUsageEmailRecipient);
-  checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
-                        certificateUsageObjectSigner);
 }
--- a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
@ -25,8 +25,8 @@ function test_cert_for_usages(certChainNicks, expected_usages) {

 add_task(async function() {
  let ee_usages = [ certificateUsageSSLClient, certificateUsageSSLServer,
-                    certificateUsageEmailSigner, certificateUsageEmailRecipient,
-                    certificateUsageObjectSigner ];
+                    certificateUsageEmailSigner,
+                    certificateUsageEmailRecipient ];
  let ca_usages = [ certificateUsageSSLCA ];
  let eku_usages = [ certificateUsageSSLClient, certificateUsageSSLServer ];