Backed out changeset 81a11a25d25d (bug 1315143)

Carsten "Tomcat" Book 2016-11-14 12:52:16 +01:00
Родитель 06ffb1f775
Коммит 788a6efc4c
21 изменённых файлов: 138 добавлений и 196 удалений


@ -328,7 +328,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
/*optional*/ const Flags flags,
/*optional*/ const SECItem* stapledOCSPResponseSECItem,
/*optional*/ const SECItem* sctsFromTLSSECItem,
/*optional*/ const NeckoOriginAttributes& originAttributes,
/*optional*/ const char* firstPartyDomain,
/*optional out*/ SECOidTag* evOidPolicy,
/*optional out*/ OCSPStaplingStatus* ocspStaplingStatus,
/*optional out*/ KeySizeStatus* keySizeStatus,
@ -422,7 +422,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
originAttributes,
firstPartyDomain,
builtChain, nullptr, nullptr);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
@ -496,7 +496,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
mCertShortLifetimeInDays, mPinningMode, MIN_RSA_BITS,
ValidityCheckingMode::CheckForEV,
sha1ModeConfigurations[i], mNetscapeStepUpPolicy,
originAttributes, builtChain, pinningTelemetryInfo,
firstPartyDomain, builtChain, pinningTelemetryInfo,
hostname);
rv = BuildCertChainForOneKeyUsage(trustDomain, certDER, time,
KeyUsage::digitalSignature,// (EC)DHE
@ -584,7 +584,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
sha1ModeConfigurations[j],
mNetscapeStepUpPolicy,
originAttributes, builtChain,
firstPartyDomain, builtChain,
pinningTelemetryInfo, hostname);
rv = BuildCertChainForOneKeyUsage(trustDomain, certDER, time,
KeyUsage::digitalSignature,//(EC)DHE
@ -649,7 +649,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
pinningDisabled, MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed, mNetscapeStepUpPolicy,
originAttributes, builtChain, nullptr,
firstPartyDomain, builtChain, nullptr,
nullptr);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeCA, KeyUsage::keyCertSign,
@ -666,7 +666,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
originAttributes, builtChain, nullptr,
firstPartyDomain, builtChain, nullptr,
nullptr);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
@ -694,7 +694,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
originAttributes, builtChain, nullptr,
firstPartyDomain, builtChain, nullptr,
nullptr);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
@ -719,7 +719,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
originAttributes, builtChain, nullptr,
firstPartyDomain, builtChain, nullptr,
nullptr);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
@ -753,7 +753,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
originAttributes, builtChain, nullptr,
firstPartyDomain, builtChain, nullptr,
nullptr);
rv = BuildCertChain(sslTrust, certDER, time, endEntityOrCA,
keyUsage, eku, CertPolicyId::anyPolicy,
@ -766,7 +766,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
originAttributes, builtChain, nullptr,
firstPartyDomain, builtChain, nullptr,
nullptr);
rv = BuildCertChain(emailTrust, certDER, time, endEntityOrCA,
keyUsage, eku, CertPolicyId::anyPolicy,
@ -781,7 +781,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
originAttributes, builtChain,
firstPartyDomain, builtChain,
nullptr, nullptr);
rv = BuildCertChain(objectSigningTrust, certDER, time,
endEntityOrCA, keyUsage, eku,
@ -813,7 +813,7 @@ CertVerifier::VerifySSLServerCert(const UniqueCERTCertificate& peerCert,
/*out*/ UniqueCERTCertList& builtChain,
/*optional*/ bool saveIntermediatesInPermanentDatabase,
/*optional*/ Flags flags,
/*optional*/ const NeckoOriginAttributes& originAttributes,
/*optional*/ const char* firstPartyDomain,
/*optional out*/ SECOidTag* evOidPolicy,
/*optional out*/ OCSPStaplingStatus* ocspStaplingStatus,
/*optional out*/ KeySizeStatus* keySizeStatus,
@ -838,7 +838,7 @@ CertVerifier::VerifySSLServerCert(const UniqueCERTCertificate& peerCert,
// if VerifyCert succeeded.
Result rv = VerifyCert(peerCert.get(), certificateUsageSSLServer, time,
pinarg, hostname, builtChain, flags,
stapledOCSPResponse, sctsFromTLS, originAttributes,
stapledOCSPResponse, sctsFromTLS, firstPartyDomain,
evOidPolicy, ocspStaplingStatus, keySizeStatus,
sha1ModeResult, pinningTelemetryInfo, ctInfo);
if (rv != Success) {


@ -11,7 +11,6 @@
#include "CTVerifyResult.h"
#include "OCSPCache.h"
#include "ScopedNSSTypes.h"
#include "mozilla/BasePrincipal.h"
#include "mozilla/Telemetry.h"
#include "mozilla/UniquePtr.h"
#include "pkix/pkixtypes.h"
@ -110,8 +109,7 @@ public:
Flags flags = 0,
/*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
/*optional in*/ const SECItem* sctsFromTLS = nullptr,
/*optional in*/ const NeckoOriginAttributes& originAttributes =
NeckoOriginAttributes(),
/*optional in*/ const char* firstPartyDomain = nullptr,
/*optional out*/ SECOidTag* evOidPolicy = nullptr,
/*optional out*/ OCSPStaplingStatus* ocspStaplingStatus = nullptr,
/*optional out*/ KeySizeStatus* keySizeStatus = nullptr,
@ -129,8 +127,7 @@ public:
/*out*/ UniqueCERTCertList& builtChain,
/*optional*/ bool saveIntermediatesInPermanentDatabase = false,
/*optional*/ Flags flags = 0,
/*optional*/ const NeckoOriginAttributes& originAttributes =
NeckoOriginAttributes(),
/*optional*/ const char* firstPartyDomain = nullptr,
/*optional out*/ SECOidTag* evOidPolicy = nullptr,
/*optional out*/ OCSPStaplingStatus* ocspStaplingStatus = nullptr,
/*optional out*/ KeySizeStatus* keySizeStatus = nullptr,


@ -57,7 +57,7 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
ValidityCheckingMode validityCheckingMode,
CertVerifier::SHA1Mode sha1Mode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
const NeckoOriginAttributes& originAttributes,
const char* firstPartyDomain,
UniqueCERTCertList& builtChain,
/*optional*/ PinningTelemetryInfo* pinningTelemetryInfo,
/*optional*/ const char* hostname)
@ -72,7 +72,7 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
, mValidityCheckingMode(validityCheckingMode)
, mSHA1Mode(sha1Mode)
, mNetscapeStepUpPolicy(netscapeStepUpPolicy)
, mOriginAttributes(originAttributes)
, mFirstPartyDomain(firstPartyDomain)
, mBuiltChain(builtChain)
, mPinningTelemetryInfo(pinningTelemetryInfo)
, mHostname(hostname)
@ -415,7 +415,7 @@ NSSCertDBTrustDomain::CheckRevocation(EndEntityOrCA endEntityOrCA,
Result cachedResponseResult = Success;
Time cachedResponseValidThrough(Time::uninitialized);
bool cachedResponsePresent = mOCSPCache.Get(certID, mOriginAttributes,
bool cachedResponsePresent = mOCSPCache.Get(certID, mFirstPartyDomain,
cachedResponseResult,
cachedResponseValidThrough);
if (cachedResponsePresent) {
@ -558,7 +558,7 @@ NSSCertDBTrustDomain::CheckRevocation(EndEntityOrCA endEntityOrCA,
// Owned by arena
SECItem* responseSECItem = nullptr;
Result tempRV =
DoOCSPRequest(arena, url, mOriginAttributes, &ocspRequestItem,
DoOCSPRequest(arena, url, mFirstPartyDomain, &ocspRequestItem,
OCSPFetchingTypeToTimeoutTime(mOCSPFetching),
mOCSPGetConfig == CertVerifier::ocspGetEnabled,
responseSECItem);
@ -582,7 +582,7 @@ NSSCertDBTrustDomain::CheckRevocation(EndEntityOrCA endEntityOrCA,
if (timeout.AddSeconds(ServerFailureDelaySeconds) != Success) {
return Result::FATAL_ERROR_LIBRARY_FAILURE; // integer overflow
}
rv = mOCSPCache.Put(certID, mOriginAttributes, error, time, timeout);
rv = mOCSPCache.Put(certID, mFirstPartyDomain, error, time, timeout);
if (rv != Success) {
return rv;
}
@ -687,7 +687,7 @@ NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
rv == Result::ERROR_OCSP_UNKNOWN_CERT) {
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("NSSCertDBTrustDomain: caching OCSP response"));
Result putRV = mOCSPCache.Put(certID, mOriginAttributes, rv, thisUpdate,
Result putRV = mOCSPCache.Put(certID, mFirstPartyDomain, rv, thisUpdate,
validThrough);
if (putRV != Success) {
return putRV;


@ -9,7 +9,6 @@
#include "CertVerifier.h"
#include "ScopedNSSTypes.h"
#include "mozilla/BasePrincipal.h"
#include "nsICertBlocklist.h"
#include "nsString.h"
#include "pkix/pkixtypes.h"
@ -81,7 +80,7 @@ public:
ValidityCheckingMode validityCheckingMode,
CertVerifier::SHA1Mode sha1Mode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
const NeckoOriginAttributes& originAttributes,
const char* firstPartyDomain,
UniqueCERTCertList& builtChain,
/*optional*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
/*optional*/ const char* hostname = nullptr);
@ -185,7 +184,7 @@ private:
ValidityCheckingMode mValidityCheckingMode;
CertVerifier::SHA1Mode mSHA1Mode;
NetscapeStepUpPolicy mNetscapeStepUpPolicy;
const NeckoOriginAttributes& mOriginAttributes;
const char* mFirstPartyDomain;
UniqueCERTCertList& mBuiltChain; // non-owning
PinningTelemetryInfo* mPinningTelemetryInfo;
const char* mHostname; // non-owning - only used for pinning checks
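Review bot: The new member `const char* mFirstPartyDomain;` in the private section carries no ownership note, although the adjacent `mBuiltChain` and `mHostname` are both marked non-owning. The constructor in the .cpp section only copies the pointer and CheckRevocation later passes it to the OCSP cache and to DoOCSPRequest, so the caller's buffer must stay alive for the whole verification, and callers in this commit also pass `nullptr`. I would add `// non-owning - must outlive this object; may be null` on that line. The same applies to `GetFirstPartyDomainRaw()` in the TransportSecurityInfo header, which returns a pointer into `mFirstPartyDomain`'s buffer and could say `// valid only until mFirstPartyDomain is next modified`. The class body starts and ends outside this hunk.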


@ -56,21 +56,20 @@ DigestLength(UniquePK11Context& context, uint32_t length)
return PK11_DigestOp(context.get(), array, MOZ_ARRAY_LENGTH(array));
}
// Let derIssuer be the DER encoding of the issuer of certID.
// Let derPublicKey be the DER encoding of the public key of certID.
// Let serialNumber be the bytes of the serial number of certID.
// Let derIssuer be the DER encoding of the issuer of aCert.
// Let derPublicKey be the DER encoding of the public key of aIssuerCert.
// Let serialNumber be the bytes of the serial number of aCert.
// Let serialNumberLen be the number of bytes of serialNumber.
// Let firstPartyDomain be the first party domain of originAttributes.
// It is only non-empty when "privacy.firstParty.isolate" is enabled, in order
// to isolate OCSP cache by first party.
// The first party domain is only non-empty when "privacy.firstParty.isolate"
// is enabled, in order to isolate OCSP cache by first party.
// Let firstPartyDomainLen be the number of bytes of firstPartyDomain.
// The value calculated is SHA384(derIssuer || derPublicKey || serialNumberLen
// || serialNumber || firstPartyDomainLen || firstPartyDomain).
// Because the DER encodings include the length of the data encoded, and we also
// include the length of serialNumber and originAttributes, there do not exist
// include the length of serialNumber and firstPartyDomain, there do not exist
// A(derIssuerA, derPublicKeyA, serialNumberLenA, serialNumberA,
// originAttributesLenA, originAttributesA) and B(derIssuerB, derPublicKeyB,
// serialNumberLenB, serialNumberB, originAttributesLenB, originAttributesB)
// firstPartyDomainLenA, firstPartyDomainA) and B(derIssuerB, derPublicKeyB,
// serialNumberLenB, serialNumberB, firstPartyDomainLenB, firstPartyDomainB)
// such that the concatenation of each tuple results in the same string of
// bytes but where each part in A is not equal to its counterpart in B. This is
// important because as a result it is computationally infeasible to find
@ -78,7 +77,7 @@ DigestLength(UniquePK11Context& context, uint32_t length)
// cryptographically-secure hash function).
static SECStatus
CertIDHash(SHA384Buffer& buf, const CertID& certID,
const NeckoOriginAttributes& originAttributes)
const char* firstPartyDomain)
{
UniquePK11Context context(PK11_CreateDigestContext(SEC_OID_SHA384));
if (!context) {
@ -111,17 +110,15 @@ CertIDHash(SHA384Buffer& buf, const CertID& certID,
if (rv != SECSuccess) {
return rv;
}
// OCSP should not be isolated by containers.
NS_ConvertUTF16toUTF8 firstPartyDomain(originAttributes.mFirstPartyDomain);
if (!firstPartyDomain.IsEmpty()) {
rv = DigestLength(context, firstPartyDomain.Length());
if (firstPartyDomain) {
uint32_t firstPartyDomainLen = strlen(firstPartyDomain);
rv = DigestLength(context, firstPartyDomainLen);
if (rv != SECSuccess) {
return rv;
}
rv = PK11_DigestOp(context.get(),
BitwiseCast<const unsigned char*>(firstPartyDomain.get()),
firstPartyDomain.Length());
BitwiseCast<const unsigned char*>(firstPartyDomain),
firstPartyDomainLen);
if (rv != SECSuccess) {
return rv;
}
@ -135,10 +132,9 @@ CertIDHash(SHA384Buffer& buf, const CertID& certID,
}
Result
OCSPCache::Entry::Init(const CertID& aCertID,
const NeckoOriginAttributes& aOriginAttributes)
OCSPCache::Entry::Init(const CertID& aCertID, const char* aFirstPartyDomain)
{
SECStatus srv = CertIDHash(mIDHash, aCertID, aOriginAttributes);
SECStatus srv = CertIDHash(mIDHash, aCertID, aFirstPartyDomain);
if (srv != SECSuccess) {
return MapPRErrorCodeToResult(PR_GetError());
}
@ -158,8 +154,7 @@ OCSPCache::~OCSPCache()
// Returns false with index in an undefined state if no matching entry was
// found.
bool
OCSPCache::FindInternal(const CertID& aCertID,
const NeckoOriginAttributes& aOriginAttributes,
OCSPCache::FindInternal(const CertID& aCertID, const char* aFirstPartyDomain,
/*out*/ size_t& index,
const MutexAutoLock& /* aProofOfLock */)
{
@ -168,7 +163,7 @@ OCSPCache::FindInternal(const CertID& aCertID,
}
SHA384Buffer idHash;
SECStatus rv = CertIDHash(idHash, aCertID, aOriginAttributes);
SECStatus rv = CertIDHash(idHash, aCertID, aFirstPartyDomain);
if (rv != SECSuccess) {
return false;
}
@ -187,11 +182,10 @@ OCSPCache::FindInternal(const CertID& aCertID,
static inline void
LogWithCertID(const char* aMessage, const CertID& aCertID,
const NeckoOriginAttributes& aOriginAttributes)
const char* aFirstPartyDomain)
{
NS_ConvertUTF16toUTF8 firstPartyDomain(aOriginAttributes.mFirstPartyDomain);
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
(aMessage, &aCertID, firstPartyDomain.get()));
(aMessage, &aCertID, aFirstPartyDomain));
}
void
@ -208,20 +202,19 @@ OCSPCache::MakeMostRecentlyUsed(size_t aIndex,
}
bool
OCSPCache::Get(const CertID& aCertID,
const NeckoOriginAttributes& aOriginAttributes,
OCSPCache::Get(const CertID& aCertID, const char* aFirstPartyDomain,
Result& aResult, Time& aValidThrough)
{
MutexAutoLock lock(mMutex);
size_t index;
if (!FindInternal(aCertID, aOriginAttributes, index, lock)) {
if (!FindInternal(aCertID, aFirstPartyDomain, index, lock)) {
LogWithCertID("OCSPCache::Get(%p,\"%s\") not in cache", aCertID,
aOriginAttributes);
aFirstPartyDomain);
return false;
}
LogWithCertID("OCSPCache::Get(%p,\"%s\") in cache", aCertID,
aOriginAttributes);
aFirstPartyDomain);
aResult = mEntries[index]->mResult;
aValidThrough = mEntries[index]->mValidThrough;
MakeMostRecentlyUsed(index, lock);
@ -229,18 +222,17 @@ OCSPCache::Get(const CertID& aCertID,
}
Result
OCSPCache::Put(const CertID& aCertID,
const NeckoOriginAttributes& aOriginAttributes,
OCSPCache::Put(const CertID& aCertID, const char* aFirstPartyDomain,
Result aResult, Time aThisUpdate, Time aValidThrough)
{
MutexAutoLock lock(mMutex);
size_t index;
if (FindInternal(aCertID, aOriginAttributes, index, lock)) {
if (FindInternal(aCertID, aFirstPartyDomain, index, lock)) {
// Never replace an entry indicating a revoked certificate.
if (mEntries[index]->mResult == Result::ERROR_REVOKED_CERTIFICATE) {
LogWithCertID("OCSPCache::Put(%p, \"%s\") already in cache as revoked - "
"not replacing", aCertID, aOriginAttributes);
"not replacing", aCertID, aFirstPartyDomain);
MakeMostRecentlyUsed(index, lock);
return Success;
}
@ -251,7 +243,7 @@ OCSPCache::Put(const CertID& aCertID,
aResult != Result::ERROR_REVOKED_CERTIFICATE) {
LogWithCertID("OCSPCache::Put(%p, \"%s\") already in cache with more "
"recent validity - not replacing", aCertID,
aOriginAttributes);
aFirstPartyDomain);
MakeMostRecentlyUsed(index, lock);
return Success;
}
@ -263,13 +255,13 @@ OCSPCache::Put(const CertID& aCertID,
aResult != Result::ERROR_REVOKED_CERTIFICATE) {
LogWithCertID("OCSPCache::Put(%p, \"%s\") already in cache - not "
"replacing with less important status", aCertID,
aOriginAttributes);
aFirstPartyDomain);
MakeMostRecentlyUsed(index, lock);
return Success;
}
LogWithCertID("OCSPCache::Put(%p, \"%s\") already in cache - replacing",
aCertID, aOriginAttributes);
aCertID, aFirstPartyDomain);
mEntries[index]->mResult = aResult;
mEntries[index]->mThisUpdate = aThisUpdate;
mEntries[index]->mValidThrough = aValidThrough;
@ -279,7 +271,7 @@ OCSPCache::Put(const CertID& aCertID,
if (mEntries.length() == MaxEntries) {
LogWithCertID("OCSPCache::Put(%p, \"%s\") too full - evicting an entry",
aCertID, aOriginAttributes);
aCertID, aFirstPartyDomain);
for (Entry** toEvict = mEntries.begin(); toEvict != mEntries.end();
toEvict++) {
// Never evict an entry that indicates a revoked or unknokwn certificate,
@ -311,7 +303,7 @@ OCSPCache::Put(const CertID& aCertID,
if (!newEntry) {
return Result::FATAL_ERROR_NO_MEMORY;
}
Result rv = newEntry->Init(aCertID, aOriginAttributes);
Result rv = newEntry->Init(aCertID, aFirstPartyDomain);
if (rv != Success) {
delete newEntry;
return rv;
@ -321,7 +313,7 @@ OCSPCache::Put(const CertID& aCertID,
return Result::FATAL_ERROR_NO_MEMORY;
}
LogWithCertID("OCSPCache::Put(%p, \"%s\") added to cache", aCertID,
aOriginAttributes);
aFirstPartyDomain);
return Success;
}
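Review bot: In CertIDHash the new guard `if (firstPartyDomain) {` treats a null pointer and an empty string differently, so an empty domain still digests a zero length and produces a different cache key than `nullptr`. Elsewhere in this commit VerifyCertAtTime passes `nullptr` while the TLS path passes `GetFirstPartyDomainRaw()`, which returns `mFirstPartyDomain.get()` and is presumably non-null even when the string is empty. With first-party isolation off, the same certificate could then be cached under two keys, and a revoked status stored through one path would not be found through the other. To match the comment above the function, which says the domain is only non-empty when isolation is enabled, the guard would be `if (firstPartyDomain && *firstPartyDomain) {`. CertIDHash's body continues outside the displayed hunks.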


@ -33,10 +33,6 @@
#include "prerror.h"
#include "seccomon.h"
namespace mozilla {
class NeckoOriginAttributes;
}
namespace mozilla { namespace pkix {
struct CertID;
} } // namespace mozilla::pkix
@ -60,17 +56,18 @@ public:
// Returns true if the status of the given certificate (issued by the given
// issuer) is in the cache, and false otherwise.
// The first party domain is only non-empty when "privacy.firstParty.isolate"
// is enabled, in order to isolate OCSP cache by first party.
// If it is in the cache, returns by reference the error code of the cached
// status and the time through which the status is considered trustworthy.
// The passed in origin attributes are used to isolate the OCSP cache.
// We currently only use the first party domain portion of the attributes, and
// it is non-empty only when "privacy.firstParty.isolate" is enabled.
bool Get(const mozilla::pkix::CertID& aCertID,
const NeckoOriginAttributes& aOriginAttributes,
const char* aFirstPartyDomain,
/*out*/ mozilla::pkix::Result& aResult,
/*out*/ mozilla::pkix::Time& aValidThrough);
// Caches the status of the given certificate (issued by the given issuer).
// The first party domain is only non-empty when "privacy.firstParty.isolate"
// is enabled, in order to isolate OCSP cache by first party.
// The status is considered trustworthy through the given time.
// A status with an error code of SEC_ERROR_REVOKED_CERTIFICATE will not
// be replaced or evicted.
@ -79,11 +76,8 @@ public:
// A status with a more recent thisUpdate will not be replaced with a
// status with a less recent thisUpdate unless the less recent status
// indicates the certificate is revoked.
// The passed in origin attributes are used to isolate the OCSP cache.
// We currently only use the first party domain portion of the attributes, and
// it is non-empty only when "privacy.firstParty.isolate" is enabled.
mozilla::pkix::Result Put(const mozilla::pkix::CertID& aCertID,
const NeckoOriginAttributes& aOriginAttributes,
const char* aFirstPartyDomain,
mozilla::pkix::Result aResult,
mozilla::pkix::Time aThisUpdate,
mozilla::pkix::Time aValidThrough);
@ -104,7 +98,7 @@ private:
{
}
mozilla::pkix::Result Init(const mozilla::pkix::CertID& aCertID,
const NeckoOriginAttributes& aOriginAttributes);
const char* aFirstPartyDomain);
mozilla::pkix::Result mResult;
mozilla::pkix::Time mThisUpdate;
@ -118,7 +112,7 @@ private:
};
bool FindInternal(const mozilla::pkix::CertID& aCertID,
const NeckoOriginAttributes& aOriginAttributes,
const char* aFirstPartyDomain,
/*out*/ size_t& index,
const MutexAutoLock& aProofOfLock);
void MakeMostRecentlyUsed(size_t aIndex, const MutexAutoLock& aProofOfLock);


@ -74,9 +74,8 @@ AppendEscapedBase64Item(const SECItem* encodedRequest, nsACString& path)
Result
DoOCSPRequest(const UniquePLArenaPool& arena, const char* url,
const NeckoOriginAttributes& originAttributes,
const SECItem* encodedRequest, PRIntervalTime timeout,
bool useGET,
const char* firstPartyDomain, const SECItem* encodedRequest,
PRIntervalTime timeout, bool useGET,
/*out*/ SECItem*& encodedResponse)
{
MOZ_ASSERT(arena.get());
@ -174,7 +173,7 @@ DoOCSPRequest(const UniquePLArenaPool& arena, const char* url,
nsNSSHttpRequestSession* requestSessionPtr;
rv = nsNSSHttpInterface::createFcn(serverSession.get(), "http", path.get(),
method.get(), originAttributes, timeout,
method.get(), firstPartyDomain, timeout,
&requestSessionPtr);
if (rv != Success) {
return rv;


@ -10,15 +10,11 @@
#include "CertVerifier.h"
#include "secmodt.h"
namespace mozilla {
class NeckoOriginAttributes;
}
namespace mozilla { namespace psm {
// The memory returned via |encodedResponse| is owned by the given arena.
Result DoOCSPRequest(const UniquePLArenaPool& arena, const char* url,
const NeckoOriginAttributes& originAttributes,
const char* firstPartyDomain,
const SECItem* encodedRequest, PRIntervalTime timeout,
bool useGET,
/*out*/ SECItem*& encodedResponse);


@ -1340,7 +1340,7 @@ AuthCertificate(CertVerifier& certVerifier,
infoObject->GetHostNameRaw(),
certList, saveIntermediates,
flags, infoObject->
GetOriginAttributes(),
GetFirstPartyDomainRaw(),
&evOidPolicy,
&ocspStaplingStatus,
&keySizeStatus, &sha1ModeResult,


@ -99,10 +99,9 @@ TransportSecurityInfo::GetPort(int32_t *aPort)
}
nsresult
TransportSecurityInfo::SetOriginAttributes(
const NeckoOriginAttributes& aOriginAttributes)
TransportSecurityInfo::SetFirstPartyDomain(const nsACString& aFirstPartyDomain)
{
mOriginAttributes = aOriginAttributes;
mFirstPartyDomain.Assign(aFirstPartyDomain);
return NS_OK;
}


@ -9,7 +9,6 @@
#include "ScopedNSSTypes.h"
#include "certt.h"
#include "mozilla/BasePrincipal.h"
#include "mozilla/Mutex.h"
#include "mozilla/RefPtr.h"
#include "nsDataHashtable.h"
@ -63,10 +62,8 @@ public:
nsresult GetPort(int32_t *aPort);
nsresult SetPort(int32_t aPort);
const NeckoOriginAttributes& GetOriginAttributes() const {
return mOriginAttributes;
}
nsresult SetOriginAttributes(const NeckoOriginAttributes& aOriginAttributes);
const char* GetFirstPartyDomainRaw() const { return mFirstPartyDomain.get(); }
nsresult SetFirstPartyDomain(const nsACString& aFirstPartyDomain);
PRErrorCode GetErrorCode() const;
@ -106,7 +103,7 @@ private:
int32_t mPort;
nsXPIDLCString mHostName;
NeckoOriginAttributes mOriginAttributes;
nsCString mFirstPartyDomain;
/* SSL Status */
RefPtr<nsSSLStatus> mSSLStatus;


@ -114,13 +114,10 @@ nsHTTPDownloadEvent::Run()
chan->SetLoadFlags(nsIRequest::LOAD_ANONYMOUS |
nsIChannel::LOAD_BYPASS_SERVICE_WORKER);
// For OCSP requests, only the first party domain aspect of origin attributes
// is used. This means that OCSP requests are shared across different
// containers.
if (mRequestSession->mOriginAttributes != NeckoOriginAttributes()) {
if (!mRequestSession->mFirstPartyDomain.IsEmpty()) {
NeckoOriginAttributes attrs;
attrs.mFirstPartyDomain =
mRequestSession->mOriginAttributes.mFirstPartyDomain;
NS_ConvertUTF8toUTF16(mRequestSession->mFirstPartyDomain);
nsCOMPtr<nsILoadInfo> loadInfo = chan->GetLoadInfo();
if (loadInfo) {
@ -233,7 +230,7 @@ nsNSSHttpRequestSession::createFcn(const nsNSSHttpServerSession* session,
const char* http_protocol_variant,
const char* path_and_query_string,
const char* http_request_method,
const NeckoOriginAttributes& origin_attributes,
const char* first_party_domain,
const PRIntervalTime timeout,
/*out*/ nsNSSHttpRequestSession** pRequest)
{
@ -263,7 +260,7 @@ nsNSSHttpRequestSession::createFcn(const nsNSSHttpServerSession* session,
rs->mURL.AppendInt(session->mPort);
rs->mURL.Append(path_and_query_string);
rs->mOriginAttributes = origin_attributes;
rs->mFirstPartyDomain.Assign(first_party_domain);
rs->mRequestMethod = http_request_method;
@ -1172,7 +1169,7 @@ DetermineEVStatusAndSetNewCert(RefPtr<nsSSLStatus> sslStatus, PRFileDesc* fd,
unusedBuiltChain,
saveIntermediates,
flags,
infoObject->GetOriginAttributes(),
infoObject->GetFirstPartyDomainRaw(),
&evOidPolicy);
RefPtr<nsNSSCertificate> nssc(nsNSSCertificate::Create(cert.get()));


@ -8,7 +8,6 @@
#define nsNSSCallbacks_h
#include "mozilla/Attributes.h"
#include "mozilla/BasePrincipal.h"
#include "mozilla/CondVar.h"
#include "mozilla/Mutex.h"
#include "nsAutoPtr.h"
@ -21,8 +20,6 @@
#include "ocspt.h" // Must be included after pk11func.h.
using mozilla::NeckoOriginAttributes;
class nsILoadGroup;
char*
@ -102,7 +99,7 @@ public:
const char* httpProtocolVariant,
const char* pathAndQueryString,
const char* httpRequestMethod,
const NeckoOriginAttributes& originAttributes,
const char* firstPartyDomain,
const PRIntervalTime timeout,
/*out*/ nsNSSHttpRequestSession** pRequest);
@ -127,7 +124,7 @@ public:
nsCString mPostData;
nsCString mPostContentType;
NeckoOriginAttributes mOriginAttributes;
nsCString mFirstPartyDomain;
PRIntervalTime mTimeoutInterval;
@ -162,13 +159,13 @@ public:
const char* httpProtocolVariant,
const char* pathAndQueryString,
const char* httpRequestMethod,
const NeckoOriginAttributes& originAttributes,
const char* firstPartyDomain,
const PRIntervalTime timeout,
/*out*/ nsNSSHttpRequestSession** pRequest)
{
return nsNSSHttpRequestSession::createFcn(session, httpProtocolVariant,
pathAndQueryString,
httpRequestMethod, originAttributes,
httpRequestMethod, firstPartyDomain,
timeout, pRequest);
}


@ -1497,7 +1497,7 @@ VerifyCertAtTime(nsIX509Cert* aCert,
resultChain,
false, // don't save intermediates
aFlags,
NeckoOriginAttributes(),
nullptr, // firstPartyDomain
&evOidPolicy);
} else {
result = certVerifier->VerifyCert(nssCert.get(), aUsage, aTime,
@ -1507,7 +1507,7 @@ VerifyCertAtTime(nsIX509Cert* aCert,
aFlags,
nullptr, // stapledOCSPResponse
nullptr, // sctsFromTLSExtension
NeckoOriginAttributes(),
nullptr, // firstPartyDomain
&evOidPolicy);
}


@ -1860,7 +1860,7 @@ nsSSLIOLayerNewSocket(int32_t family,
const char* host,
int32_t port,
nsIProxyInfo *proxy,
const NeckoOriginAttributes& originAttributes,
const nsACString& firstPartyDomain,
PRFileDesc** fd,
nsISupports** info,
bool forSTARTTLS,
@ -1871,7 +1871,7 @@ nsSSLIOLayerNewSocket(int32_t family,
if (!sock) return NS_ERROR_OUT_OF_MEMORY;
nsresult rv = nsSSLIOLayerAddToSocket(family, host, port, proxy,
originAttributes, sock, info,
firstPartyDomain, sock, info,
forSTARTTLS, flags);
if (NS_FAILED(rv)) {
PR_Close(sock);
@ -2578,7 +2578,7 @@ nsSSLIOLayerAddToSocket(int32_t family,
const char* host,
int32_t port,
nsIProxyInfo* proxy,
const NeckoOriginAttributes& originAttributes,
const nsACString& firstPartyDomain,
PRFileDesc* fd,
nsISupports** info,
bool forSTARTTLS,
@ -2599,7 +2599,7 @@ nsSSLIOLayerAddToSocket(int32_t family,
infoObject->SetForSTARTTLS(forSTARTTLS);
infoObject->SetHostName(host);
infoObject->SetPort(port);
infoObject->SetOriginAttributes(originAttributes);
infoObject->SetFirstPartyDomain(firstPartyDomain);
bool haveProxy = false;
if (proxy) {


@ -19,14 +19,11 @@
#include "sslt.h"
namespace mozilla {
class NeckoOriginAttributes;
namespace psm {
class SharedSSLState;
} // namespace psm
} // namespace mozilla
using mozilla::NeckoOriginAttributes;
class nsIObserver;
class nsNSSSocketInfo final : public mozilla::psm::TransportSecurityInfo,
@ -241,7 +238,7 @@ nsresult nsSSLIOLayerNewSocket(int32_t family,
const char* host,
int32_t port,
nsIProxyInfo *proxy,
const NeckoOriginAttributes& originAttributes,
const nsACString& firstPartyDomain,
PRFileDesc** fd,
nsISupports** securityInfo,
bool forSTARTTLS,
@ -251,7 +248,7 @@ nsresult nsSSLIOLayerAddToSocket(int32_t family,
const char* host,
int32_t port,
nsIProxyInfo *proxy,
const NeckoOriginAttributes& originAttributes,
const nsACString& firstPartyDomain,
PRFileDesc* fd,
nsISupports** securityInfo,
bool forSTARTTLS,


@ -4,13 +4,10 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "mozilla/BasePrincipal.h"
#include "nsSSLSocketProvider.h"
#include "nsNSSIOLayer.h"
#include "nsError.h"
using mozilla::NeckoOriginAttributes;
nsSSLSocketProvider::nsSSLSocketProvider()
{
}
@ -26,7 +23,7 @@ nsSSLSocketProvider::NewSocket(int32_t family,
const char *host,
int32_t port,
nsIProxyInfo *proxy,
const NeckoOriginAttributes &originAttributes,
const nsACString &firstPartyDomain,
uint32_t flags,
PRFileDesc **_result,
nsISupports **securityInfo)
@ -35,7 +32,7 @@ nsSSLSocketProvider::NewSocket(int32_t family,
host,
port,
proxy,
originAttributes,
firstPartyDomain,
_result,
securityInfo,
false,
@ -49,7 +46,7 @@ nsSSLSocketProvider::AddToSocket(int32_t family,
const char *host,
int32_t port,
nsIProxyInfo *proxy,
const NeckoOriginAttributes &originAttributes,
const nsACString &firstPartyDomain,
uint32_t flags,
PRFileDesc *aSocket,
nsISupports **securityInfo)
@ -58,7 +55,7 @@ nsSSLSocketProvider::AddToSocket(int32_t family,
host,
port,
proxy,
originAttributes,
firstPartyDomain,
aSocket,
securityInfo,
false,


@ -4,13 +4,10 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "mozilla/BasePrincipal.h"
#include "nsTLSSocketProvider.h"
#include "nsNSSIOLayer.h"
#include "nsError.h"
using mozilla::NeckoOriginAttributes;
nsTLSSocketProvider::nsTLSSocketProvider()
{
}
@ -26,7 +23,7 @@ nsTLSSocketProvider::NewSocket(int32_t family,
const char *host,
int32_t port,
nsIProxyInfo *proxy,
const NeckoOriginAttributes &originAttributes,
const nsACString &firstPartyDomain,
uint32_t flags,
PRFileDesc **_result,
nsISupports **securityInfo)
@ -35,7 +32,7 @@ nsTLSSocketProvider::NewSocket(int32_t family,
host,
port,
proxy,
originAttributes,
firstPartyDomain,
_result,
securityInfo,
true,
@ -50,7 +47,7 @@ nsTLSSocketProvider::AddToSocket(int32_t family,
const char *host,
int32_t port,
nsIProxyInfo *proxy,
const NeckoOriginAttributes &originAttributes,
const nsACString &firstPartyDomain,
uint32_t flags,
PRFileDesc *aSocket,
nsISupports **securityInfo)
@ -59,7 +56,7 @@ nsTLSSocketProvider::AddToSocket(int32_t family,
host,
port,
proxy,
originAttributes,
firstPartyDomain,
aSocket,
securityInfo,
true,


@ -7,7 +7,6 @@
#include "CertVerifier.h"
#include "OCSPCache.h"
#include "gtest/gtest.h"
#include "mozilla/BasePrincipal.h"
#include "mozilla/Casting.h"
#include "mozilla/Sprintf.h"
#include "nss.h"
@ -19,8 +18,6 @@
using namespace mozilla::pkix;
using namespace mozilla::pkix::test;
using mozilla::NeckoOriginAttributes;
template <size_t N>
inline Input
LiteralInput(const char(&valueString)[N])
@ -49,8 +46,7 @@ protected:
static void
PutAndGet(mozilla::psm::OCSPCache& cache, const CertID& certID, Result result,
Time time,
const NeckoOriginAttributes& originAttributes = NeckoOriginAttributes())
Time time, const char* firstPartyDomain = nullptr)
{
// The first time is thisUpdate. The second is validUntil.
// The caller is expecting the validUntil returned with Get
@ -58,11 +54,11 @@ PutAndGet(mozilla::psm::OCSPCache& cache, const CertID& certID, Result result,
// be different in practice, make thisUpdate less than validUntil.
Time thisUpdate(time);
ASSERT_EQ(Success, thisUpdate.SubtractSeconds(10));
Result rv = cache.Put(certID, originAttributes, result, thisUpdate, time);
Result rv = cache.Put(certID, firstPartyDomain, result, thisUpdate, time);
ASSERT_TRUE(rv == Success);
Result resultOut;
Time timeOut(Time::uninitialized);
ASSERT_TRUE(cache.Get(certID, originAttributes, resultOut, timeOut));
ASSERT_TRUE(cache.Get(certID, firstPartyDomain, resultOut, timeOut));
ASSERT_EQ(result, resultOut);
ASSERT_EQ(time, timeOut);
}
@ -83,7 +79,7 @@ TEST_F(psm_OCSPCacheTest, TestPutAndGet)
Result resultOut;
Time timeOut(Time::uninitialized);
ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial000),
NeckoOriginAttributes(), resultOut, timeOut));
nullptr, resultOut, timeOut));
}
TEST_F(psm_OCSPCacheTest, TestVariousGets)
@ -107,11 +103,11 @@ TEST_F(psm_OCSPCacheTest, TestVariousGets)
// This will be at the end of the list in the cache
CertID cert0000(fakeIssuer1, fakeKey000, fakeSerial0000);
ASSERT_TRUE(cache.Get(cert0000, NeckoOriginAttributes(), resultOut, timeOut));
ASSERT_TRUE(cache.Get(cert0000, nullptr, resultOut, timeOut));
ASSERT_EQ(Success, resultOut);
ASSERT_EQ(timeIn, timeOut);
// Once we access it, it goes to the front
ASSERT_TRUE(cache.Get(cert0000, NeckoOriginAttributes(), resultOut, timeOut));
ASSERT_TRUE(cache.Get(cert0000, nullptr, resultOut, timeOut));
ASSERT_EQ(Success, resultOut);
ASSERT_EQ(timeIn, timeOut);
@ -121,17 +117,17 @@ TEST_F(psm_OCSPCacheTest, TestVariousGets)
static const Input fakeSerial0512(LiteralInput("0512"));
CertID cert0512(fakeIssuer1, fakeKey000, fakeSerial0512);
ASSERT_TRUE(cache.Get(cert0512, NeckoOriginAttributes(), resultOut, timeOut));
ASSERT_TRUE(cache.Get(cert0512, nullptr, resultOut, timeOut));
ASSERT_EQ(Success, resultOut);
ASSERT_EQ(timeInPlus512, timeOut);
ASSERT_TRUE(cache.Get(cert0512, NeckoOriginAttributes(), resultOut, timeOut));
ASSERT_TRUE(cache.Get(cert0512, nullptr, resultOut, timeOut));
ASSERT_EQ(Success, resultOut);
ASSERT_EQ(timeInPlus512, timeOut);
// We've never seen this certificate
static const Input fakeSerial1111(LiteralInput("1111"));
ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey000, fakeSerial1111),
NeckoOriginAttributes(), resultOut, timeOut));
nullptr, resultOut, timeOut));
}
TEST_F(psm_OCSPCacheTest, TestEviction)
@ -154,7 +150,7 @@ TEST_F(psm_OCSPCacheTest, TestEviction)
Result resultOut;
Time timeOut(Time::uninitialized);
ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial0000),
NeckoOriginAttributes(), resultOut, timeOut));
nullptr, resultOut, timeOut));
}
TEST_F(psm_OCSPCacheTest, TestNoEvictionForRevokedResponses)
@ -178,13 +174,13 @@ TEST_F(psm_OCSPCacheTest, TestNoEvictionForRevokedResponses)
}
Result resultOut;
Time timeOut(Time::uninitialized);
ASSERT_TRUE(cache.Get(notEvicted, NeckoOriginAttributes(), resultOut, timeOut));
ASSERT_TRUE(cache.Get(notEvicted, nullptr, resultOut, timeOut));
ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, resultOut);
ASSERT_EQ(timeIn, timeOut);
Input fakeSerial0001(LiteralInput("0001"));
CertID evicted(fakeIssuer1, fakeKey000, fakeSerial0001);
ASSERT_FALSE(cache.Get(evicted, NeckoOriginAttributes(), resultOut, timeOut));
ASSERT_FALSE(cache.Get(evicted, nullptr, resultOut, timeOut));
}
TEST_F(psm_OCSPCacheTest, TestEverythingIsRevoked)
@ -211,12 +207,12 @@ TEST_F(psm_OCSPCacheTest, TestEverythingIsRevoked)
ASSERT_EQ(Success, timeInPlus1025.AddSeconds(1025));
Time timeInPlus1025Minus50(timeInPlus1025);
ASSERT_EQ(Success, timeInPlus1025Minus50.SubtractSeconds(50));
Result result = cache.Put(good, NeckoOriginAttributes(), Success, timeInPlus1025Minus50,
Result result = cache.Put(good, nullptr, Success, timeInPlus1025Minus50,
timeInPlus1025);
ASSERT_EQ(Success, result);
Result resultOut;
Time timeOut(Time::uninitialized);
ASSERT_FALSE(cache.Get(good, NeckoOriginAttributes(), resultOut, timeOut));
ASSERT_FALSE(cache.Get(good, nullptr, resultOut, timeOut));
static const Input fakeSerial1026(LiteralInput("1026"));
CertID revoked(fakeIssuer1, fakeKey000, fakeSerial1026);
@ -225,7 +221,7 @@ TEST_F(psm_OCSPCacheTest, TestEverythingIsRevoked)
ASSERT_EQ(Success, timeInPlus1026.AddSeconds(1026));
Time timeInPlus1026Minus50(timeInPlus1026);
ASSERT_EQ(Success, timeInPlus1026Minus50.SubtractSeconds(50));
result = cache.Put(revoked, NeckoOriginAttributes(), Result::ERROR_REVOKED_CERTIFICATE,
result = cache.Put(revoked, nullptr, Result::ERROR_REVOKED_CERTIFICATE,
timeInPlus1026Minus50, timeInPlus1026);
ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, result);
}
@ -240,15 +236,15 @@ TEST_F(psm_OCSPCacheTest, VariousIssuers)
PutAndGet(cache, subject, Success, now);
Result resultOut;
Time timeOut(Time::uninitialized);
ASSERT_TRUE(cache.Get(subject, NeckoOriginAttributes(), resultOut, timeOut));
ASSERT_TRUE(cache.Get(subject, nullptr, resultOut, timeOut));
ASSERT_EQ(Success, resultOut);
ASSERT_EQ(timeIn, timeOut);
// Test that we don't match a different issuer DN
ASSERT_FALSE(cache.Get(CertID(fakeIssuer2, fakeKey000, fakeSerial001),
NeckoOriginAttributes(), resultOut, timeOut));
nullptr, resultOut, timeOut));
// Test that we don't match a different issuer key
ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial001),
NeckoOriginAttributes(), resultOut, timeOut));
nullptr, resultOut, timeOut));
}
TEST_F(psm_OCSPCacheTest, Times)
@ -260,12 +256,12 @@ TEST_F(psm_OCSPCacheTest, Times)
PutAndGet(cache, certID, Success, TimeFromElapsedSecondsAD(200));
// This should not override the more recent entry.
ASSERT_EQ(Success,
cache.Put(certID, NeckoOriginAttributes(), Result::ERROR_OCSP_UNKNOWN_CERT,
cache.Put(certID, nullptr, Result::ERROR_OCSP_UNKNOWN_CERT,
TimeFromElapsedSecondsAD(100),
TimeFromElapsedSecondsAD(100)));
Result resultOut;
Time timeOut(Time::uninitialized);
ASSERT_TRUE(cache.Get(certID, NeckoOriginAttributes(), resultOut, timeOut));
ASSERT_TRUE(cache.Get(certID, nullptr, resultOut, timeOut));
// Here we see the more recent time.
ASSERT_EQ(Success, resultOut);
ASSERT_EQ(TimeFromElapsedSecondsAD(200), timeOut);
@ -284,12 +280,12 @@ TEST_F(psm_OCSPCacheTest, NetworkFailure)
PutAndGet(cache, certID, Success, TimeFromElapsedSecondsAD(200));
// This should not override the already present entry.
ASSERT_EQ(Success,
cache.Put(certID, NeckoOriginAttributes(), Result::ERROR_CONNECT_REFUSED,
cache.Put(certID, nullptr, Result::ERROR_CONNECT_REFUSED,
TimeFromElapsedSecondsAD(300),
TimeFromElapsedSecondsAD(350)));
Result resultOut;
Time timeOut(Time::uninitialized);
ASSERT_TRUE(cache.Get(certID, NeckoOriginAttributes(), resultOut, timeOut));
ASSERT_TRUE(cache.Get(certID, nullptr, resultOut, timeOut));
ASSERT_EQ(Success, resultOut);
ASSERT_EQ(TimeFromElapsedSecondsAD(200), timeOut);
@ -297,10 +293,10 @@ TEST_F(psm_OCSPCacheTest, NetworkFailure)
TimeFromElapsedSecondsAD(400));
// This should not override the already present entry.
ASSERT_EQ(Success,
cache.Put(certID, NeckoOriginAttributes(), Result::ERROR_CONNECT_REFUSED,
cache.Put(certID, nullptr, Result::ERROR_CONNECT_REFUSED,
TimeFromElapsedSecondsAD(500),
TimeFromElapsedSecondsAD(550)));
ASSERT_TRUE(cache.Get(certID, NeckoOriginAttributes(), resultOut, timeOut));
ASSERT_TRUE(cache.Get(certID, nullptr, resultOut, timeOut));
ASSERT_EQ(Result::ERROR_OCSP_UNKNOWN_CERT, resultOut);
ASSERT_EQ(TimeFromElapsedSecondsAD(400), timeOut);
@ -308,30 +304,22 @@ TEST_F(psm_OCSPCacheTest, NetworkFailure)
TimeFromElapsedSecondsAD(600));
// This should not override the already present entry.
ASSERT_EQ(Success,
cache.Put(certID, NeckoOriginAttributes(), Result::ERROR_CONNECT_REFUSED,
cache.Put(certID, nullptr, Result::ERROR_CONNECT_REFUSED,
TimeFromElapsedSecondsAD(700),
TimeFromElapsedSecondsAD(750)));
ASSERT_TRUE(cache.Get(certID, NeckoOriginAttributes(), resultOut, timeOut));
ASSERT_TRUE(cache.Get(certID, nullptr, resultOut, timeOut));
ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, resultOut);
ASSERT_EQ(TimeFromElapsedSecondsAD(600), timeOut);
}
TEST_F(psm_OCSPCacheTest, TestOriginAttributes)
TEST_F(psm_OCSPCacheTest, TestFirstPartyDomain)
{
CertID certID(fakeIssuer1, fakeKey000, fakeSerial0000);
SCOPED_TRACE("");
NeckoOriginAttributes attrs;
attrs.mFirstPartyDomain.AssignLiteral("foo.com");
PutAndGet(cache, certID, Success, now, attrs);
PutAndGet(cache, certID, Success, now, "foo.com");
Result resultOut;
Time timeOut(Time::uninitialized);
attrs.mFirstPartyDomain.AssignLiteral("bar.com");
ASSERT_FALSE(cache.Get(certID, attrs, resultOut, timeOut));
// OCSP cache should not be isolated by containers.
attrs.mUserContextId = 1;
attrs.mFirstPartyDomain.AssignLiteral("foo.com");
ASSERT_TRUE(cache.Get(certID, attrs, resultOut, timeOut));
ASSERT_FALSE(cache.Get(certID, "bar.com", resultOut, timeOut));
}
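Review bot: TestFirstPartyDomain only shows that a lookup under "bar.com" misses an entry stored under "foo.com"; it never checks the boundary between a keyed entry and the unkeyed `nullptr` default that every other test in this file uses. The first party domain is what partitions the OCSP cache, so I would add `ASSERT_FALSE(cache.Get(certID, nullptr, resultOut, timeOut));` after the "bar.com" assertion, assuming `nullptr` is keyed as its own partition. That would catch a regression where a response cached for one first party answers unpartitioned lookups. Whether `OCSPCache` treats an empty string the same as `nullptr` is not visible here; if it does, a comment on `PutAndGet`'s `firstPartyDomain` parameter should say so.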


@ -324,15 +324,12 @@ function add_tls_server_setup(serverBinName, certsPath) {
* @param {Function} aAfterStreamOpen
* A callback function that is called with the nsISocketTransport once the
* output stream is ready.
* @param {OriginAttributes} aOriginAttributes (optional)
* The origin attributes that the socket transport will have. This parameter
* affects OCSP because OCSP cache is double-keyed by origin attributes' first
* party domain.
* @param {String} aFirstPartyDomain
* The first party domain which will be used to double-key the OCSP cache.
*/
function add_connection_test(aHost, aExpectedResult,
aBeforeConnect, aWithSecurityInfo,
aAfterStreamOpen,
/*optional*/ aOriginAttributes) {
aAfterStreamOpen, aFirstPartyDomain) {
const REMOTE_PORT = 8443;
function Connection(host) {
@ -348,8 +345,8 @@ function add_connection_test(aHost, aExpectedResult,
// listening on 127.0.0.1 causes frequent failures on OS X 10.10.
this.transport.connectionFlags |= Ci.nsISocketTransport.DISABLE_IPV6;
this.transport.setEventSink(this, this.thread);
if (aOriginAttributes) {
this.transport.originAttributes = aOriginAttributes;
if (aFirstPartyDomain) {
this.transport.firstPartyDomain = aFirstPartyDomain;
}
this.inputStream = null;
this.outputStream = null;
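Review bot: The rewritten doc comment for `aFirstPartyDomain` drops the "(optional)" marker, but the parameter is still optional in the new code, because the `Connection` constructor assigns `this.transport.firstPartyDomain` only inside `if (aFirstPartyDomain)`. I would keep the marker, `@param {String} aFirstPartyDomain (optional)`, and note that a missing or empty value leaves the transport's first party domain unset. In that case the connection presumably falls back to the unkeyed OCSP cache entries, which is worth stating because it changes which cached responses a test can hit. add_connection_test continues past the end of this hunk.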


@ -43,7 +43,7 @@ function generateGoodOCSPResponse() {
}
function add_ocsp_test(aHost, aExpectedResult, aResponses, aMessage,
aOriginAttributes) {
aFirstPartyDomain) {
add_connection_test(aHost, aExpectedResult,
function() {
clearSessionCache();
@ -56,7 +56,7 @@ function add_ocsp_test(aHost, aExpectedResult, aResponses, aMessage,
equal(gFetchCount, aResponses.length,
"should have made " + aResponses.length +
" OCSP request" + (aResponses.length == 1 ? "" : "s"));
}, null, aOriginAttributes);
}, null, aFirstPartyDomain);
}
function run_test() {
@ -259,13 +259,12 @@ function add_tests() {
add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
[respondWithGoodOCSP],
"No stapled response (firstPartyDomain = foo.com) -> a fetch " +
"should have been attempted", { firstPartyDomain: "foo.com" });
"should have been attempted", "foo.com");
// The cache will prevent a fetch from happening.
add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess, [],
"Noted OCSP server failure (firstPartyDomain = foo.com) -> a " +
"fetch should not have been attempted",
{ firstPartyDomain: "foo.com" });
"fetch should not have been attempted", "foo.com");
add_test(function() {
stopObservingChannels();
@ -283,7 +282,7 @@ function add_tests() {
add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
[respondWithGoodOCSP],
"No stapled response (firstPartyDomain = bar.com) -> a fetch " +
"should have been attempted", { firstPartyDomain: "bar.com" });
"should have been attempted", "bar.com");
add_test(function() {
stopObservingChannels();