bug 982754 - allow some inadequate key usage overrides r=cviecco

This commit is contained in:
David Keeler 2014-03-13 16:49:12 -07:00
Родитель ecb4f7cb34
Коммит 71abad65d5
9 изменённых файлов: 40 добавлений и 14 удалений

Просмотреть файл

@ -303,6 +303,7 @@ MapCertErrorToProbeValue(PRErrorCode errorCode)
case SEC_ERROR_UNTRUSTED_ISSUER: return 4;
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: return 5;
case SEC_ERROR_UNTRUSTED_CERT: return 6;
case SEC_ERROR_INADEQUATE_KEY_USAGE: return 7;
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: return 8;
case SSL_ERROR_BAD_CERT_DOMAIN: return 9;
case SEC_ERROR_EXPIRED_CERTIFICATE: return 10;
@ -566,6 +567,7 @@ PRErrorCodeToOverrideType(PRErrorCode errorCode)
case SEC_ERROR_UNTRUSTED_ISSUER:
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
case SEC_ERROR_UNTRUSTED_CERT:
case SEC_ERROR_INADEQUATE_KEY_USAGE:
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
// We group all these errors as "cert not trusted"
return nsICertOverrideService::ERROR_UNTRUSTED;

Просмотреть файл

@ -40,12 +40,12 @@ function check_telemetry() {
.getHistogramById("SSL_CERT_ERROR_OVERRIDES")
.snapshot();
do_check_eq(histogram.counts[ 0], 0);
do_check_eq(histogram.counts[ 2], 6 + 1); // SEC_ERROR_UNKNOWN_ISSUER
do_check_eq(histogram.counts[ 3], 0 + 1); // SEC_ERROR_CA_CERT_INVALID
do_check_eq(histogram.counts[ 2], 7 + 1); // SEC_ERROR_UNKNOWN_ISSUER
do_check_eq(histogram.counts[ 3], 0 + 2); // SEC_ERROR_CA_CERT_INVALID
do_check_eq(histogram.counts[ 4], 0 + 4); // SEC_ERROR_UNTRUSTED_ISSUER
do_check_eq(histogram.counts[ 5], 0 + 1); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
do_check_eq(histogram.counts[ 6], 0 + 1); // SEC_ERROR_UNTRUSTED_CERT
do_check_eq(histogram.counts[ 7], 0); // SEC_ERROR_INADEQUATE_KEY_USAGE
do_check_eq(histogram.counts[ 7], 0 + 1); // SEC_ERROR_INADEQUATE_KEY_USAGE
do_check_eq(histogram.counts[ 8], 2 + 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
do_check_eq(histogram.counts[ 9], 4 + 4); // SSL_ERROR_BAD_CERT_DOMAIN
do_check_eq(histogram.counts[10], 5 + 5); // SEC_ERROR_EXPIRED_CERTIFICATE
@ -114,17 +114,39 @@ function add_simple_tests(useInsanity) {
Ci.nsICertOverrideService.ERROR_MISMATCH,
getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
// Inadequate key usage is no longer overridable.
add_connection_test("inadequatekeyusage.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE),
null,
function (securityInfo) {
// bug 754369 - no SSLStatus probably means this is
// a non-overridable error, which is what we're testing
// (although it would be best to test this directly).
securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
do_check_eq(securityInfo.SSLStatus, null);
});
// A Microsoft IIS utility generates self-signed certificates with
// properties similar to the one this "host" will present (see
// tlsserver/generate_certs.sh).
// One of the errors classic verification collects is that this
// certificate has an inadequate key usage to sign a certificate
// (i.e. itself). As a result, to be able to override this,
// SEC_ERROR_INADEQUATE_KEY_USAGE must be overridable (although,
// confusingly, this isn't the main error reported).
// insanity::pkix just says this certificate's issuer is unknown.
add_cert_override_test("selfsigned-inadequateEKU.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_CA_CERT_INVALID));
// SEC_ERROR_INADEQUATE_KEY_USAGE is overridable in general for
// classic verification, but not for insanity::pkix verification.
if (useInsanity) {
add_connection_test("inadequatekeyusage.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE),
null,
function (securityInfo) {
// bug 754369 - no SSLStatus probably means this is
// a non-overridable error, which is what we're testing
// (although it would be best to test this directly).
securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
do_check_eq(securityInfo.SSLStatus, null);
});
} else {
add_cert_override_test("inadequatekeyusage.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE));
}
}
function add_combo_tests(useInsanity) {

Двоичный файл не отображается.

Просмотреть файл

@ -40,6 +40,7 @@ const BadCertHost sBadCertHosts[] =
{ "md5signature-expired.example.com", "md5signature-expired" },
{ "mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired" },
{ "inadequatekeyusage.example.com", "inadequatekeyusage" },
{ "selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU" },
{ nullptr, nullptr }
};

Двоичный файл не отображается.

Просмотреть файл

@ -145,5 +145,6 @@ make_EE mismatch-untrusted-expired 'CN=Mismatch-Untrusted-Expired Test End-entit
NSS_ALLOW_WEAK_SIGNATURE_ALG=1 make_EE md5signature-expired 'CN=Test MD5Signature-Expired End-entity' testCA "md5signature-expired.example.com" "-Z MD5" "-w -400"
make_EE inadequatekeyusage 'CN=Inadequate Key Usage Test End-entity' testCA "inadequatekeyusage.example.com" "--keyUsage crlSigning"
make_EE selfsigned-inadequateEKU 'CN=Self-signed Inadequate EKU Test End-entity' unused "selfsigned-inadequateEKU.example.com" "--keyUsage keyEncipherment,dataEncipherment --extKeyUsage serverAuth" "-x"
cleanup

Двоичный файл не отображается.

Двоичный файл не отображается.

Двоичный файл не отображается.