зеркало из https://github.com/mozilla/gecko-dev.git
bug 982754 - allow some inadequate key usage overrides r=cviecco
This commit is contained in:
Родитель
ecb4f7cb34
Коммит
71abad65d5
|
@ -303,6 +303,7 @@ MapCertErrorToProbeValue(PRErrorCode errorCode)
|
|||
case SEC_ERROR_UNTRUSTED_ISSUER: return 4;
|
||||
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: return 5;
|
||||
case SEC_ERROR_UNTRUSTED_CERT: return 6;
|
||||
case SEC_ERROR_INADEQUATE_KEY_USAGE: return 7;
|
||||
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: return 8;
|
||||
case SSL_ERROR_BAD_CERT_DOMAIN: return 9;
|
||||
case SEC_ERROR_EXPIRED_CERTIFICATE: return 10;
|
||||
|
@ -566,6 +567,7 @@ PRErrorCodeToOverrideType(PRErrorCode errorCode)
|
|||
case SEC_ERROR_UNTRUSTED_ISSUER:
|
||||
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
|
||||
case SEC_ERROR_UNTRUSTED_CERT:
|
||||
case SEC_ERROR_INADEQUATE_KEY_USAGE:
|
||||
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
|
||||
// We group all these errors as "cert not trusted"
|
||||
return nsICertOverrideService::ERROR_UNTRUSTED;
|
||||
|
|
|
@ -40,12 +40,12 @@ function check_telemetry() {
|
|||
.getHistogramById("SSL_CERT_ERROR_OVERRIDES")
|
||||
.snapshot();
|
||||
do_check_eq(histogram.counts[ 0], 0);
|
||||
do_check_eq(histogram.counts[ 2], 6 + 1); // SEC_ERROR_UNKNOWN_ISSUER
|
||||
do_check_eq(histogram.counts[ 3], 0 + 1); // SEC_ERROR_CA_CERT_INVALID
|
||||
do_check_eq(histogram.counts[ 2], 7 + 1); // SEC_ERROR_UNKNOWN_ISSUER
|
||||
do_check_eq(histogram.counts[ 3], 0 + 2); // SEC_ERROR_CA_CERT_INVALID
|
||||
do_check_eq(histogram.counts[ 4], 0 + 4); // SEC_ERROR_UNTRUSTED_ISSUER
|
||||
do_check_eq(histogram.counts[ 5], 0 + 1); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
|
||||
do_check_eq(histogram.counts[ 6], 0 + 1); // SEC_ERROR_UNTRUSTED_CERT
|
||||
do_check_eq(histogram.counts[ 7], 0); // SEC_ERROR_INADEQUATE_KEY_USAGE
|
||||
do_check_eq(histogram.counts[ 7], 0 + 1); // SEC_ERROR_INADEQUATE_KEY_USAGE
|
||||
do_check_eq(histogram.counts[ 8], 2 + 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
|
||||
do_check_eq(histogram.counts[ 9], 4 + 4); // SSL_ERROR_BAD_CERT_DOMAIN
|
||||
do_check_eq(histogram.counts[10], 5 + 5); // SEC_ERROR_EXPIRED_CERTIFICATE
|
||||
|
@ -114,17 +114,39 @@ function add_simple_tests(useInsanity) {
|
|||
Ci.nsICertOverrideService.ERROR_MISMATCH,
|
||||
getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
|
||||
|
||||
// Inadequate key usage is no longer overridable.
|
||||
add_connection_test("inadequatekeyusage.example.com",
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE),
|
||||
null,
|
||||
function (securityInfo) {
|
||||
// bug 754369 - no SSLStatus probably means this is
|
||||
// a non-overridable error, which is what we're testing
|
||||
// (although it would be best to test this directly).
|
||||
securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
|
||||
do_check_eq(securityInfo.SSLStatus, null);
|
||||
});
|
||||
// A Microsoft IIS utility generates self-signed certificates with
|
||||
// properties similar to the one this "host" will present (see
|
||||
// tlsserver/generate_certs.sh).
|
||||
// One of the errors classic verification collects is that this
|
||||
// certificate has an inadequate key usage to sign a certificate
|
||||
// (i.e. itself). As a result, to be able to override this,
|
||||
// SEC_ERROR_INADEQUATE_KEY_USAGE must be overridable (although,
|
||||
// confusingly, this isn't the main error reported).
|
||||
// insanity::pkix just says this certificate's issuer is unknown.
|
||||
add_cert_override_test("selfsigned-inadequateEKU.example.com",
|
||||
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
|
||||
getXPCOMStatusFromNSS(
|
||||
useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
|
||||
: SEC_ERROR_CA_CERT_INVALID));
|
||||
|
||||
// SEC_ERROR_INADEQUATE_KEY_USAGE is overridable in general for
|
||||
// classic verification, but not for insanity::pkix verification.
|
||||
if (useInsanity) {
|
||||
add_connection_test("inadequatekeyusage.example.com",
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE),
|
||||
null,
|
||||
function (securityInfo) {
|
||||
// bug 754369 - no SSLStatus probably means this is
|
||||
// a non-overridable error, which is what we're testing
|
||||
// (although it would be best to test this directly).
|
||||
securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
|
||||
do_check_eq(securityInfo.SSLStatus, null);
|
||||
});
|
||||
} else {
|
||||
add_cert_override_test("inadequatekeyusage.example.com",
|
||||
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE));
|
||||
}
|
||||
}
|
||||
|
||||
function add_combo_tests(useInsanity) {
|
||||
|
|
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/cert8.db
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/cert8.db
Двоичный файл не отображается.
|
@ -40,6 +40,7 @@ const BadCertHost sBadCertHosts[] =
|
|||
{ "md5signature-expired.example.com", "md5signature-expired" },
|
||||
{ "mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired" },
|
||||
{ "inadequatekeyusage.example.com", "inadequatekeyusage" },
|
||||
{ "selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU" },
|
||||
{ nullptr, nullptr }
|
||||
};
|
||||
|
||||
|
|
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/default-ee.der
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/default-ee.der
Двоичный файл не отображается.
|
@ -145,5 +145,6 @@ make_EE mismatch-untrusted-expired 'CN=Mismatch-Untrusted-Expired Test End-entit
|
|||
NSS_ALLOW_WEAK_SIGNATURE_ALG=1 make_EE md5signature-expired 'CN=Test MD5Signature-Expired End-entity' testCA "md5signature-expired.example.com" "-Z MD5" "-w -400"
|
||||
|
||||
make_EE inadequatekeyusage 'CN=Inadequate Key Usage Test End-entity' testCA "inadequatekeyusage.example.com" "--keyUsage crlSigning"
|
||||
make_EE selfsigned-inadequateEKU 'CN=Self-signed Inadequate EKU Test End-entity' unused "selfsigned-inadequateEKU.example.com" "--keyUsage keyEncipherment,dataEncipherment --extKeyUsage serverAuth" "-x"
|
||||
|
||||
cleanup
|
||||
|
|
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/key3.db
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/key3.db
Двоичный файл не отображается.
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/other-test-ca.der
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/other-test-ca.der
Двоичный файл не отображается.
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/test-ca.der
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/test-ca.der
Двоичный файл не отображается.
Загрузка…
Ссылка в новой задаче