Bug 1512451 - Read OneCRL blocklist from security-states/onecrl r=jcj,mgoodwin,glasserc

Read OneCRL blocklist from security-states/onecrl

Differential Revision: https://phabricator.services.mozilla.com/D23645

--HG--
rename : services/common/tests/unit/test_blocklist_certificates.js => services/common/tests/unit/test_blocklist_onecrl.js
extra : moz-landing-system : lando
Mathieu Leplatre 2019-04-23 18:40:40 +00:00
Родитель cc3ea31460
Коммит 6e4798bb72
13 изменённых файлов: 64 добавлений и 69 удалений


@ -291,6 +291,7 @@
@RESPATH@/browser/defaults/settings/blocklists
@RESPATH@/browser/defaults/settings/pinning
@RESPATH@/browser/defaults/settings/main
@RESPATH@/browser/defaults/settings/security-state
; Warning: changing the path to channel-prefs.js can cause bugs (Bug 756325)
; Technically this is an app pref file, but we are keeping it in the original


@ -95,7 +95,7 @@
@BINPATH@/platform.ini
@BINPATH@/blocklist.xml
@BINPATH@/defaults/settings/blocklists/addons.json
@BINPATH@/defaults/settings/blocklists/certificates.json
@BINPATH@/defaults/settings/security-state/onecrl.json
; [Components]
@BINPATH@/components/components.manifest


@ -2780,6 +2780,12 @@ pref("services.settings.default_signer", "remote-settings.content-signature.mozi
// other channels always report events.
pref("services.common.uptake.sampleRate", 1); // 1%
// Security state OneCRL.
pref("services.settings.security.onecrl.bucket", "security-state");
pref("services.settings.security.onecrl.collection", "onecrl");
pref("services.settings.security.onecrl.signer", "onecrl.content-signature.mozilla.org");
pref("services.settings.security.onecrl.checked", 0);
// Blocklist preferences
pref("extensions.blocklist.enabled", true);
// OneCRL freshness checking depends on this value, so if you change it,
@ -2796,9 +2802,6 @@ pref("extensions.blocklist.itemURL", "https://blocked.cdn.mozilla.net/%blockID%.
pref("extensions.blocklist.level", 2);
// Blocklist via settings server (Kinto)
pref("services.blocklist.bucket", "blocklists");
pref("services.blocklist.onecrl.collection", "certificates");
pref("services.blocklist.onecrl.checked", 0);
pref("services.blocklist.onecrl.signer", "onecrl.content-signature.mozilla.org");
pref("services.blocklist.addons.collection", "addons");
pref("services.blocklist.addons.checked", 0);
pref("services.blocklist.addons.signer", "remote-settings.content-signature.mozilla.org");
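Review bot: The three `services.blocklist.onecrl.*` prefs are dropped with no visible migration of the old `checked` value, so on an upgraded profile `services.settings.security.onecrl.checked` starts again at its default of 0. The Rust `is_blocklist_fresh` in this commit reads that pref, so OneCRL is presumably treated as stale until the first sync against `security-state/onecrl`. That is the safe direction, but it is implicit. I would record it next to the default, e.g. `// 0 = never checked: OneCRL counts as stale until the first successful sync.` User-set values of the removed prefs will also linger in existing profiles unless they are cleared somewhere outside the lines shown.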


@ -389,7 +389,7 @@ impl SecurityState {
pub fn is_blocklist_fresh(&self) -> Result<bool, SecurityStateError> {
self.is_data_fresh(
"services.blocklist.onecrl.checked",
"services.settings.security.onecrl.checked",
"security.onecrl.maximum_staleness_in_seconds",
)
}
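Review bot: The pref name is a repeated string literal, once here in `is_blocklist_fresh` and again in the `int_prefs` list of `setup_prefs` in the next hunk, and this rename had to touch both by hand. If the two ever diverge, the freshness decision would be made from a pref that `setup_prefs` does not list, and nothing would fail at compile time. A shared constant closes that gap: `const PREF_ONECRL_CHECKED: &str = "services.settings.security.onecrl.checked";` referenced at both sites. Both function bodies extend beyond the hunks, so how `int_prefs` is consumed is not visible here.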
@ -661,7 +661,7 @@ struct InitCertStorage {
impl CertStorage {
unsafe fn setup_prefs(&self) -> Result<(), SecurityStateError> {
let int_prefs = [
"services.blocklist.onecrl.checked",
"services.settings.security.onecrl.checked",
"services.blocklist.intermediates.checked",
"services.blocklist.crlite.checked",
"security.onecrl.maximum_staleness_in_seconds",


@ -56,8 +56,8 @@ const kintoChangesJSON = `{
"host": "firefox.settings.services.mozilla.com",
"id": "3ace9d8e-00b5-a353-7fd5-1f081ff482ba",
"last_modified": 100000000000000000001,
"bucket": "blocklists",
"collection": "certificates"
"bucket": "security-state",
"collection": "onecrl"
}
]
}`;
@ -147,9 +147,9 @@ testserver.registerPathHandler("/v1/",
serveResponse(kintoHelloViewJSON));
testserver.registerPathHandler("/v1/buckets/monitor/collections/changes/records",
serveResponse(kintoChangesJSON));
testserver.registerPathHandler("/v1/buckets/blocklists/collections/certificates",
testserver.registerPathHandler("/v1/buckets/security-state/collections/onecrl",
serveResponse(certMetadataJSON));
testserver.registerPathHandler("/v1/buckets/blocklists/collections/certificates/records",
testserver.registerPathHandler("/v1/buckets/security-state/collections/onecrl/records",
serveResponse(certBlocklistJSON));
// start the test server


@ -245,7 +245,7 @@ add_task(async function oneCRLTests() {
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
108000);
// set the blocklist-background-update-timer value to the recent past
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
Services.prefs.setIntPref("services.settings.security.onecrl.checked",
Math.floor(Date.now() / 1000) - 1);
Services.prefs.setIntPref(
"app.update.lastUpdateTime.blocklist-background-update-timer",
@ -269,7 +269,7 @@ add_task(async function oneCRLTests() {
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
108000);
// set the blocklist-background-update-timer value to the more distant past
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
Services.prefs.setIntPref("services.settings.security.onecrl.checked",
Math.floor(Date.now() / 1000) - 108080);
Services.prefs.setIntPref(
"app.update.lastUpdateTime.blocklist-background-update-timer",
@ -279,13 +279,13 @@ add_task(async function oneCRLTests() {
await ensureVerifiesAsEV("test-oid-path");
clearOCSPCache();
// test the OCSP behavior when services.blocklist.onecrl.checked is in the
// test the OCSP behavior when services.settings.security.onecrl.checked is in the
// distant past and blacklist-background-update-timer is recent
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
108000);
// set the blocklist-background-update-timer value to the recent past
// (services.blocklist.onecrl.checked defaults to 0)
// (services.settings.security.onecrl.checked defaults to 0)
Services.prefs.setIntPref(
"app.update.lastUpdateTime.blocklist-background-update-timer",
Math.floor(Date.now() / 1000) - 1);
@ -295,19 +295,19 @@ add_task(async function oneCRLTests() {
await ensureVerifiesAsEV("test-oid-path");
clearOCSPCache();
// test the OCSP behavior when services.blocklist.onecrl.checked is recent
// test the OCSP behavior when services.settings.security.onecrl.checked is recent
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
108000);
// now set services.blocklist.onecrl.checked to a recent value
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
// now set services.settings.security.onecrl.checked to a recent value
Services.prefs.setIntPref("services.settings.security.onecrl.checked",
Math.floor(Date.now() / 1000) - 1);
await ensureOneCRLSkipsOCSPForIntermediates("anyPolicy-int-path");
await ensureOneCRLSkipsOCSPForIntermediates("no-ocsp-int-path");
await ensureOneCRLSkipsOCSPForIntermediates("test-oid-path");
Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
Services.prefs.clearUserPref("services.blocklist.onecrl.checked");
Services.prefs.clearUserPref("services.settings.security.onecrl.checked");
Services.prefs.clearUserPref(
"app.update.lastUpdateTime.blocklist-background-update-timer");
});


@ -15,10 +15,12 @@ const { OS } = ChromeUtils.import("resource://gre/modules/osfile.jsm");
ChromeUtils.defineModuleGetter(this, "RemoteSettings", "resource://services-settings/remote-settings.js");
ChromeUtils.defineModuleGetter(this, "jexlFilterFunc", "resource://services-settings/remote-settings.js");
const PREF_SECURITY_SETTINGS_ONECRL_BUCKET = "services.settings.security.onecrl.bucket";
const PREF_SECURITY_SETTINGS_ONECRL_COLLECTION = "services.settings.security.onecrl.collection";
const PREF_SECURITY_SETTINGS_ONECRL_SIGNER = "services.settings.security.onecrl.signer";
const PREF_SECURITY_SETTINGS_ONECRL_CHECKED = "services.settings.security.onecrl.checked";
const PREF_BLOCKLIST_BUCKET = "services.blocklist.bucket";
const PREF_BLOCKLIST_ONECRL_COLLECTION = "services.blocklist.onecrl.collection";
const PREF_BLOCKLIST_ONECRL_CHECKED_SECONDS = "services.blocklist.onecrl.checked";
const PREF_BLOCKLIST_ONECRL_SIGNER = "services.blocklist.onecrl.signer";
const PREF_BLOCKLIST_ADDONS_COLLECTION = "services.blocklist.addons.collection";
const PREF_BLOCKLIST_ADDONS_CHECKED_SECONDS = "services.blocklist.addons.checked";
const PREF_BLOCKLIST_ADDONS_SIGNER = "services.blocklist.addons.signer";
@ -198,10 +200,10 @@ var PluginBlocklistClient;
var RemoteSecuritySettingsClient;
function initialize() {
OneCRLBlocklistClient = RemoteSettings(Services.prefs.getCharPref(PREF_BLOCKLIST_ONECRL_COLLECTION), {
bucketNamePref: PREF_BLOCKLIST_BUCKET,
lastCheckTimePref: PREF_BLOCKLIST_ONECRL_CHECKED_SECONDS,
signerName: Services.prefs.getCharPref(PREF_BLOCKLIST_ONECRL_SIGNER),
OneCRLBlocklistClient = RemoteSettings(Services.prefs.getCharPref(PREF_SECURITY_SETTINGS_ONECRL_COLLECTION), {
bucketNamePref: PREF_SECURITY_SETTINGS_ONECRL_BUCKET,
lastCheckTimePref: PREF_SECURITY_SETTINGS_ONECRL_CHECKED,
signerName: Services.prefs.getCharPref(PREF_SECURITY_SETTINGS_ONECRL_SIGNER),
});
OneCRLBlocklistClient.on("sync", updateCertBlocklist);
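Review bot: `PREF_SECURITY_SETTINGS_ONECRL_CHECKED` drops the `_SECONDS` suffix that the neighbouring `PREF_BLOCKLIST_ADDONS_CHECKED_SECONDS` keeps, so the unit of the stored timestamp is no longer visible at the `lastCheckTimePref` use site. The unit matters because the Rust freshness check in this commit pairs the same pref with `security.onecrl.maximum_staleness_in_seconds`, so a later change that wrote milliseconds would skew that comparison. Either keep the suffix (`PREF_SECURITY_SETTINGS_ONECRL_CHECKED_SECONDS`) or add a comment above the constant such as `// Unix time in seconds of the last check; also read by cert_storage for OneCRL freshness.` `initialize()` continues past the end of the hunk.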


@ -14,7 +14,7 @@ let server;
// xpcshell tests under /services/common
add_task(async function test_something() {
const configPath = "/v1/";
const recordsPath = "/v1/buckets/blocklists/collections/certificates/records";
const recordsPath = "/v1/buckets/security-state/collections/onecrl/records";
const dummyServerURL = `http://localhost:${server.identity.primaryPort}/v1`;
Services.prefs.setCharPref("services.settings.server", dummyServerURL);
@ -48,8 +48,8 @@ add_task(async function test_something() {
server.registerPathHandler(configPath, handleResponse);
server.registerPathHandler(recordsPath, handleResponse);
// Test an empty db populates
await OneCRLBlocklistClient.maybeSync(2000);
// Test an empty db populates from JSON dump.
await OneCRLBlocklistClient.maybeSync(42);
// Open the collection, verify it's been populated:
const list = await OneCRLBlocklistClient.get();
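Review bot: The literal `42` passed to the first `maybeSync` call is unexplained, and a later hunk in this file removes the sample response for the unfiltered `records?_sort=-last_modified` request. Together these suggest this step now relies entirely on the packaged `onecrl.json` dump being present and newer than that timestamp. I would say so at the call, e.g. `// 42 is older than any last_modified in the shipped dump, so no records request is expected.` If a build ships without the dump, the test would presumably fail on a missing sample response rather than on a clear assertion, so a check that the dump was actually loaded would make that failure easier to read. The body of `test_something` extends beyond this hunk.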
@ -59,7 +59,7 @@ add_task(async function test_something() {
// No sync will be intented if maybeSync() is up-to-date.
Services.prefs.clearUserPref("services.settings.server");
Services.prefs.setIntPref("services.blocklist.onecrl.checked", 0);
Services.prefs.setIntPref("services.settings.security.onecrl.checked", 0);
// Use any last_modified older than highest shipped in JSON dump.
await OneCRLBlocklistClient.maybeSync(123456);
@ -154,18 +154,7 @@ function getSampleResponse(req, port) {
"hello": "kinto",
}),
},
"GET:/v1/buckets/blocklists/collections/certificates/records?_sort=-last_modified": {
"sampleHeaders": [
"Access-Control-Allow-Origin: *",
"Access-Control-Expose-Headers: Retry-After, Content-Length, Alert, Backoff",
"Content-Type: application/json; charset=UTF-8",
"Server: waitress",
"Etag: \"1000\"",
],
"status": {status: 200, statusText: "OK"},
"responseBody": JSON.stringify({"data": [{}]}),
},
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=2000&_sort=-last_modified&_since=1000": {
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=2000&_sort=-last_modified&_since=1000": {
"sampleHeaders": [
"Access-Control-Allow-Origin: *",
"Access-Control-Expose-Headers: Retry-After, Content-Length, Alert, Backoff",
@ -181,7 +170,7 @@ function getSampleResponse(req, port) {
"last_modified": 3000,
}]}),
},
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=4000&_sort=-last_modified&_since=3000": {
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=4000&_sort=-last_modified&_since=3000": {
"sampleHeaders": [
"Access-Control-Allow-Origin: *",
"Access-Control-Expose-Headers: Retry-After, Content-Length, Alert, Backoff",
@ -202,7 +191,7 @@ function getSampleResponse(req, port) {
"last_modified": 4000,
}]}),
},
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=5000&_sort=-last_modified&_since=4000": {
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=5000&_sort=-last_modified&_since=4000": {
"sampleHeaders": [
"Access-Control-Allow-Origin: *",
"Access-Control-Expose-Headers: Retry-After, Content-Length, Alert, Backoff",


@ -280,9 +280,9 @@ add_task(async function test_check_signatures() {
const emptyCollectionResponses = {
"GET:/test_blocklist_signatures/test_cert_chain.pem?": [RESPONSE_CERT_CHAIN],
"GET:/v1/?": [RESPONSE_SERVER_SETTINGS],
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=1000&_sort=-last_modified":
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=1000&_sort=-last_modified":
[RESPONSE_EMPTY_INITIAL],
"GET:/v1/buckets/blocklists/collections/certificates?_expected=1000":
"GET:/v1/buckets/security-state/collections/onecrl?_expected=1000":
[RESPONSE_META_EMPTY_SIG],
};
@ -326,9 +326,9 @@ add_task(async function test_check_signatures() {
"RESPONSE_META_TWO_ITEMS_SIG");
const twoItemsResponses = {
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=3000&_sort=-last_modified&_since=1000":
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=3000&_sort=-last_modified&_since=1000":
[RESPONSE_TWO_ADDED],
"GET:/v1/buckets/blocklists/collections/certificates?_expected=3000":
"GET:/v1/buckets/security-state/collections/onecrl?_expected=3000":
[RESPONSE_META_TWO_ITEMS_SIG],
};
registerHandlers(twoItemsResponses);
@ -358,9 +358,9 @@ add_task(async function test_check_signatures() {
"RESPONSE_META_THREE_ITEMS_SIG");
const oneAddedOneRemovedResponses = {
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=4000&_sort=-last_modified&_since=3000":
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=4000&_sort=-last_modified&_since=3000":
[RESPONSE_ONE_ADDED_ONE_REMOVED],
"GET:/v1/buckets/blocklists/collections/certificates?_expected=4000":
"GET:/v1/buckets/security-state/collections/onecrl?_expected=4000":
[RESPONSE_META_THREE_ITEMS_SIG],
};
registerHandlers(oneAddedOneRemovedResponses);
@ -380,9 +380,9 @@ add_task(async function test_check_signatures() {
};
const noOpResponses = {
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=4100&_sort=-last_modified&_since=4000":
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=4100&_sort=-last_modified&_since=4000":
[RESPONSE_EMPTY_NO_UPDATE],
"GET:/v1/buckets/blocklists/collections/certificates?_expected=4100":
"GET:/v1/buckets/security-state/collections/onecrl?_expected=4100":
[RESPONSE_META_THREE_ITEMS_SIG],
};
registerHandlers(noOpResponses);
@ -423,20 +423,20 @@ add_task(async function test_check_signatures() {
// In this test, we deliberately serve a bad signature initially. The
// subsequent signature returned is a valid one for the three item
// collection.
"GET:/v1/buckets/blocklists/collections/certificates?_expected=5000":
"GET:/v1/buckets/security-state/collections/onecrl?_expected=5000":
[RESPONSE_META_BAD_SIG, RESPONSE_META_THREE_ITEMS_SIG],
// The first collection state is the three item collection (since
// there's a sync with no updates) - but, since the signature is wrong,
// another request will be made...
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=5000&_sort=-last_modified&_since=4000":
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=5000&_sort=-last_modified&_since=4000":
[RESPONSE_EMPTY_NO_UPDATE],
// The next request is for the full collection. This will be checked
// against the valid signature - so the sync should succeed.
"GET:/v1/buckets/blocklists/collections/certificates/records?_sort=-last_modified":
"GET:/v1/buckets/security-state/collections/onecrl/records?_sort=-last_modified":
[RESPONSE_COMPLETE_INITIAL],
// The next request is for the full collection sorted by id. This will be
// checked against the valid signature - so the sync should succeed.
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=5000&_sort=id":
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=5000&_sort=id":
[RESPONSE_COMPLETE_INITIAL_SORTED_BY_ID],
};
@ -466,17 +466,17 @@ add_task(async function test_check_signatures() {
// In this test, we deliberately serve a bad signature initially. The
// subsequent sitnature returned is a valid one for the three item
// collection.
"GET:/v1/buckets/blocklists/collections/certificates?_expected=5000":
"GET:/v1/buckets/security-state/collections/onecrl?_expected=5000":
[RESPONSE_META_BAD_SIG, RESPONSE_META_EMPTY_SIG],
// The first collection state is the current state (since there's no update
// - but, since the signature is wrong, another request will be made)
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=5000&_sort=-last_modified&_since=4000":
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=5000&_sort=-last_modified&_since=4000":
[RESPONSE_EMPTY_NO_UPDATE],
// The next request is for the full collection sorted by id. This will be
// checked against the valid signature and last_modified times will be
// compared. Sync should fail, even though the signature is good,
// because the local collection is newer.
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=5000&_sort=id":
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=5000&_sort=id":
[RESPONSE_EMPTY_INITIAL],
};
@ -498,15 +498,15 @@ add_task(async function test_check_signatures() {
// In this test, we deliberately serve a bad signature initially. The
// subsequent signature returned is a valid one for the three item
// collection.
"GET:/v1/buckets/blocklists/collections/certificates?_expected=5000":
"GET:/v1/buckets/security-state/collections/onecrl?_expected=5000":
[RESPONSE_META_BAD_SIG, RESPONSE_META_THREE_ITEMS_SIG],
// The next request is for the full collection. This will be checked
// against the valid signature - so the sync should succeed.
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=5000&_sort=-last_modified":
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=5000&_sort=-last_modified":
[RESPONSE_COMPLETE_INITIAL],
// The next request is for the full collection sorted by id. This will be
// checked against the valid signature - so the sync should succeed.
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=5000&_sort=id":
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=5000&_sort=id":
[RESPONSE_COMPLETE_INITIAL_SORTED_BY_ID],
};
@ -539,16 +539,16 @@ add_task(async function test_check_signatures() {
const allBadSigResponses = {
// In this test, we deliberately serve only a bad signature.
"GET:/v1/buckets/blocklists/collections/certificates?_expected=6000":
"GET:/v1/buckets/security-state/collections/onecrl?_expected=6000":
[RESPONSE_META_BAD_SIG],
// The first collection state is the three item collection (since
// there's a sync with no updates) - but, since the signature is wrong,
// another request will be made...
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=6000&_sort=-last_modified&_since=4000":
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=6000&_sort=-last_modified&_since=4000":
[RESPONSE_EMPTY_NO_UPDATE],
// The next request is for the full collection sorted by id. This will be
// checked against the valid signature - so the sync should succeed.
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=6000&_sort=id":
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=6000&_sort=id":
[RESPONSE_COMPLETE_INITIAL_SORTED_BY_ID],
};
@ -570,7 +570,7 @@ add_task(async function test_check_signatures() {
const missingSigResponses = {
// In this test, we deliberately serve metadata without the signature attribute.
// As if the collection was not signed.
"GET:/v1/buckets/blocklists/collections/certificates?_expected=6000":
"GET:/v1/buckets/security-state/collections/onecrl?_expected=6000":
[RESPONSE_META_NO_SIG],
};


@ -8,7 +8,7 @@ support-files =
# Test load modules first so syntax failures are caught early.
[test_load_modules.js]
[test_blocklist_certificates.js]
[test_blocklist_onecrl.js]
# Skip signature tests for Thunderbird (Bug 1341983).
skip-if = appname == "thunderbird"
tags = blocklist


@ -8,7 +8,6 @@ with Files('**'):
BUG_COMPONENT = ('Toolkit', 'Blocklist Implementation')
FINAL_TARGET_FILES.defaults.settings.blocklists += ['addons.json',
'certificates.json',
'gfx.json',
'plugins.json']


@ -3,7 +3,8 @@
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
FINAL_TARGET_FILES.defaults.settings['security-state'] += [
'intermediates.json'
'intermediates.json',
'onecrl.json',
]
if CONFIG['MOZ_BUILD_APP'] == 'browser':

Различия файлов скрыты, потому что одна или несколько строк слишком длинны