mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Backed out 2 changesets (bug 1899656, bug 1893335) for causing build bustages 

Backed out changeset 4cb2f1a1280b (bug 1893335)
Backed out changeset d5833f6d4c07 (bug 1899656)
This commit is contained in:
Norisz Fay 2024-06-01 03:09:13 +03:00
Родитель 32333031ed
Коммит adb0e480f5
26 изменённых файлов: 102 добавлений и 548 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

13
Cargo.lock сгенерированный
Просмотреть файл

@ -579,7 +579,6 @@ name = "builtins-static"
version = "0.1.0"
dependencies = [
"bindgen 0.69.4",
"mozbuild",
"mozilla-central-workspace-hack",
"nom",
"pkcs11-bindings",
@ -5680,18 +5679,6 @@ dependencies = [
name = "terminal_size"
version = "0.3.999"
[[package]]
name = "test-builtins-static"
version = "0.1.0"
dependencies = [
"bindgen 0.69.4",
"mozbuild",
"mozilla-central-workspace-hack",
"nom",
"pkcs11-bindings",
"smallvec",
]
[[package]]
name = "textwrap"
version = "0.16.1"

1
Cargo.toml
Просмотреть файл

@ -10,7 +10,6 @@ members = [
"js/src/rust",
"netwerk/test/http3server",
"security/manager/ssl/builtins",
"security/manager/ssl/tests/unit/test_builtins",
"security/manager/ssl/ipcclientcerts",
"security/manager/ssl/osclientcerts",
"testing/geckodriver",

1
build/workspace-hack/Cargo.toml
Просмотреть файл

@ -224,4 +224,3 @@ jsrust = ["dep:arrayvec", "dep:cc", "dep:env_logger", "dep:getrandom", "dep:hash
mozwer_s = ["dep:getrandom", "dep:hashbrown", "dep:indexmap", "dep:log", "dep:once_cell", "dep:serde_json", "dep:uuid", "dep:windows-sys"]
nmhproxy = ["dep:bitflags", "dep:hashbrown", "dep:indexmap", "dep:once_cell", "dep:serde_json", "dep:smallvec", "dep:unicode-bidi", "dep:url", "dep:windows-sys"]
osclientcerts-static = ["dep:bindgen", "dep:bitflags", "dep:core-foundation-sys", "dep:env_logger", "dep:itertools", "dep:log", "dep:memchr", "dep:nom", "dep:regex"]
test-builtins-static = ["dep:bindgen", "dep:bitflags", "dep:itertools", "dep:memchr", "dep:nom", "dep:regex", "dep:smallvec"]

164
security/certverifier/NSSCertDBTrustDomain.cpp
Просмотреть файл

@ -31,7 +31,6 @@
#include "mozilla/glean/GleanMetrics.h"
#include "mozpkix/Result.h"
#include "mozpkix/pkix.h"
#include "mozpkix/pkixcheck.h"
#include "mozpkix/pkixnss.h"
#include "mozpkix/pkixutil.h"
#include "nsCRTGlue.h"
@ -1266,6 +1265,20 @@ Result NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
return rv;
}
SECStatus GetCertDistrustAfterValue(const SECItem* distrustItem,
PRTime& distrustTime) {
if (!distrustItem || !distrustItem->data || distrustItem->len != 13) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
}
return DER_DecodeTimeChoice(&distrustTime, distrustItem);
}
SECStatus GetCertNotBeforeValue(const CERTCertificate* cert,
PRTime& distrustTime) {
return DER_DecodeTimeChoice(&distrustTime, &cert->validity.notBefore);
}
nsresult isDistrustedCertificateChain(
const nsTArray<nsTArray<uint8_t>>& certArray,
const SECTrustType certDBTrustType, bool& isDistrusted) {
@ -1276,94 +1289,93 @@ nsresult isDistrustedCertificateChain(
// Set the default result to be distrusted.
isDistrusted = true;
CK_ATTRIBUTE_TYPE attrType;
switch (certDBTrustType) {
case trustSSL:
attrType = CKA_NSS_SERVER_DISTRUST_AFTER;
break;
case trustEmail:
attrType = CKA_NSS_EMAIL_DISTRUST_AFTER;
break;
default:
// There is no distrust to set if the certDBTrustType is not SSL or Email.
if (certDBTrustType != trustSSL && certDBTrustType != trustEmail) {
isDistrusted = false;
return NS_OK;
}
Input endEntityDER;
mozilla::pkix::Result rv = endEntityDER.Init(
certArray.ElementAt(0).Elements(), certArray.ElementAt(0).Length());
if (rv != Success) {
return NS_ERROR_FAILURE;
SECStatus runnableRV = SECFailure;
RefPtr<Runnable> isDistrustedChainTask =
NS_NewRunnableFunction("isDistrustedCertificateChain", [&]() {
if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) {
runnableRV = SECFailure;
return;
}
// Allocate objects and retreive the root and end-entity certificates.
CERTCertDBHandle* certDB(CERT_GetDefaultCertDB());
const nsTArray<uint8_t>& certRootDER = certArray.LastElement();
SECItem certRootDERItem = {
siBuffer, const_cast<unsigned char*>(certRootDER.Elements()),
AssertedCast<unsigned int>(certRootDER.Length())};
UniqueCERTCertificate certRoot(CERT_NewTempCertificate(
certDB, &certRootDERItem, nullptr, false, true));
if (!certRoot) {
runnableRV = SECFailure;
return;
}
const nsTArray<uint8_t>& certLeafDER = certArray.ElementAt(0);
SECItem certLeafDERItem = {
siBuffer, const_cast<unsigned char*>(certLeafDER.Elements()),
AssertedCast<unsigned int>(certLeafDER.Length())};
UniqueCERTCertificate certLeaf(CERT_NewTempCertificate(
certDB, &certLeafDERItem, nullptr, false, true));
if (!certLeaf) {
runnableRV = SECFailure;
return;
}
BackCert endEntityBackCert(endEntityDER, EndEntityOrCA::MustBeEndEntity,
nullptr);
rv = endEntityBackCert.Init();
if (rv != Success) {
return NS_ERROR_FAILURE;
}
Time endEntityNotBefore(Time::uninitialized);
rv = ParseValidity(endEntityBackCert.GetValidity(), &endEntityNotBefore,
nullptr);
if (rv != Success) {
return NS_ERROR_FAILURE;
}
Input rootDER;
rv = rootDER.Init(certArray.LastElement().Elements(),
certArray.LastElement().Length());
if (rv != Success) {
return NS_ERROR_FAILURE;
}
SECItem rootDERItem(UnsafeMapInputToSECItem(rootDER));
PRBool distrusted;
PRTime distrustAfter; // time since epoch in microseconds
bool foundDistrust = false;
// This strategy for searching for the builtins module is borrowed
// from CertVerifier::IsCertBuiltInRoot. See the comment on that
// function for more information.
AutoSECMODListReadLock lock;
for (SECMODModuleList* list = SECMOD_GetDefaultModuleList();
list && !foundDistrust; list = list->next) {
for (int i = 0; i < list->module->slotCount; i++) {
PK11SlotInfo* slot = list->module->slots[i];
if (!PK11_IsPresent(slot) || !PK11_HasRootCerts(slot)) {
continue;
}
CK_OBJECT_HANDLE handle =
PK11_FindEncodedCertInSlot(slot, &rootDERItem, nullptr);
if (handle == CK_INVALID_HANDLE) {
continue;
}
// Distrust attributes are only set on builtin roots, so ensure this
// certificate has the CKA_NSS_MOZILLA_CA_POLICY attribute.
if (!PK11_HasAttributeSet(slot, handle, CKA_NSS_MOZILLA_CA_POLICY,
false)) {
continue;
}
SECStatus srv = PK11_ReadDistrustAfterAttribute(
slot, handle, attrType, &distrusted, &distrustAfter);
if (srv == SECSuccess) {
foundDistrust = true;
}
}
}
if (!foundDistrust || distrusted == PR_FALSE) {
// Set isDistrusted to false if there is no distrust for the root.
if (!certRoot->distrust) {
isDistrusted = false;
return NS_OK;
runnableRV = SECSuccess;
return;
}
Time distrustAfterTime =
mozilla::pkix::TimeFromEpochInSeconds(distrustAfter / PR_USEC_PER_SEC);
if (endEntityNotBefore <= distrustAfterTime) {
// Create a pointer to refer to the selected distrust struct.
SECItem* distrustPtr = nullptr;
if (certDBTrustType == trustSSL) {
distrustPtr = &certRoot->distrust->serverDistrustAfter;
}
if (certDBTrustType == trustEmail) {
distrustPtr = &certRoot->distrust->emailDistrustAfter;
}
// Get validity for the current end-entity certificate
// and get the distrust field for the root certificate.
PRTime certRootDistrustAfter;
PRTime certLeafNotBefore;
runnableRV =
GetCertDistrustAfterValue(distrustPtr, certRootDistrustAfter);
if (runnableRV != SECSuccess) {
return;
}
runnableRV = GetCertNotBeforeValue(certLeaf.get(), certLeafNotBefore);
if (runnableRV != SECSuccess) {
return;
}
// Compare the validity of the end-entity certificate with
// the distrust value of the root.
if (certLeafNotBefore <= certRootDistrustAfter) {
isDistrusted = false;
}
runnableRV = SECSuccess;
});
nsCOMPtr<nsIEventTarget> socketThread(
do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID));
if (!socketThread) {
return NS_ERROR_FAILURE;
}
nsresult rv =
SyncRunnable::DispatchToThread(socketThread, isDistrustedChainTask);
if (NS_FAILED(rv) || runnableRV != SECSuccess) {
return NS_ERROR_FAILURE;
}
return NS_OK;
}

1
security/manager/ssl/builtins/Cargo.toml
Просмотреть файл

@ -12,7 +12,6 @@ mozilla-central-workspace-hack = { version = "0.1", features = ["builtins-static
[build-dependencies]
bindgen = { default-features = false, features = ["runtime"], version = "0.69" }
mozbuild = "0.1"
nom = "7.1.1"
[lib]

24
security/manager/ssl/builtins/build.rs
Просмотреть файл

@ -9,8 +9,6 @@ extern crate nom;
use bindgen::callbacks::*;
use bindgen::*;
use mozbuild::TOPSRCDIR;
use nom::branch::alt;
use nom::bytes::complete::{tag, take_until};
use nom::character::complete::{
@ -316,16 +314,11 @@ macro_rules! emit_build_error {
}
fn main() -> std::io::Result<()> {
let testlib_certdata =
TOPSRCDIR.join("security/manager/ssl/tests/unit/test_builtins/certdata.txt");
let mozilla_certdata = TOPSRCDIR.join("security/nss/lib/ckfw/builtins/certdata.txt");
let nssckbi_header = TOPSRCDIR.join("security/nss/lib/ckfw/builtins/nssckbi.h");
println!("cargo:rerun-if-changed={}", testlib_certdata.display());
println!("cargo:rerun-if-changed={}", mozilla_certdata.display());
println!("cargo:rerun-if-changed={}", nssckbi_header.display());
println!("cargo:rerun-if-changed=../../../nss/lib/ckfw/builtins/certdata.txt");
println!("cargo:rerun-if-changed=../../../nss/lib/ckfw/builtins/nssckbi.h");
let bindings = Builder::default()
.header(nssckbi_header.display().to_string())
.header("../../../nss/lib/ckfw/builtins/nssckbi.h")
.allowlist_var("NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR")
.allowlist_var("NSS_BUILTINS_CRYPTOKI_VERSION_MINOR")
.allowlist_var("NSS_BUILTINS_LIBRARY_VERSION_MAJOR")
@ -347,15 +340,8 @@ fn main() -> std::io::Result<()> {
File::create(out_path.join("builtins.rs")).expect("Could not write builtins.rs."),
);
// If we are building the test module, use the certdata.txt in the test directory.
#[cfg(feature = "testlib")]
let mut input =
std::fs::read_to_string(testlib_certdata).expect("Unable to read certdata.txt.");
// Otherwise, use the official certdata.txt for the Mozilla root store.
#[cfg(not(feature = "testlib"))]
let mut input =
std::fs::read_to_string(mozilla_certdata).expect("Unable to read certdata.txt.");
let mut input: String = std::fs::read_to_string("../../../nss/lib/ckfw/builtins/certdata.txt")
.expect("Unable to read certdata.txt.");
// Add a trailing newline to simplify parsing.
input.push('\n');

2
security/manager/ssl/builtins/src/lib.rs
Просмотреть файл

@ -3,8 +3,6 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
// certdata may include dead code depending on the contents of certdata.txt
#[allow(dead_code)]
mod certdata;
mod internal;
mod pkcs11;

2
security/manager/ssl/tests/unit/moz.build
Просмотреть файл

@ -4,7 +4,7 @@
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
DIRS += ["tlsserver", "test_builtins", "test_signed_apps"]
DIRS += ["tlsserver", "test_signed_apps"]
if not CONFIG["MOZ_NO_SMART_CARDS"]:
DIRS += ["pkcs11testmodule"]

82
security/manager/ssl/tests/unit/test_builtins.js
Просмотреть файл

@ -1,82 +0,0 @@
// Any copyright is dedicated to the Public Domain.
// http://creativecommons.org/publicdomain/zero/1.0/
"use strict";
// Tests that use a mock builtins module.
// Ensure that the appropriate initialization has happened.
do_get_profile();
const gCertDb = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
add_setup(function load_nssckbi_testlib() {
let moduleName = "Mock Builtins";
let libraryName = "test-builtins";
checkPKCS11ModuleNotPresent(moduleName, libraryName);
let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
libraryFile.append("test_builtins");
libraryFile.append(ctypes.libraryName(libraryName));
loadPKCS11Module(libraryFile, moduleName, true);
let testModule = checkPKCS11ModuleExists(moduleName, libraryName);
// Check that listing the slots for the test module works.
let testModuleSlotNames = Array.from(
testModule.listSlots(),
slot => slot.name
);
testModuleSlotNames.sort();
const expectedSlotNames = ["NSS Builtin Objects"];
deepEqual(
testModuleSlotNames,
expectedSlotNames,
"Actual and expected slot names should be equal"
);
});
add_task(async function test_distrust_after() {
let ee_pre_distrust_cert = addCertFromFile(
gCertDb,
"test_builtins/ee-notBefore-2021.pem",
",,"
);
notEqual(
ee_pre_distrust_cert,
null,
"EE cert should have successfully loaded"
);
let ee_post_distrust_cert = addCertFromFile(
gCertDb,
"test_builtins/ee-notBefore-2023.pem",
",,"
);
notEqual(
ee_post_distrust_cert,
null,
"EE cert should have successfully loaded"
);
let int_cert = addCertFromFile(gCertDb, "test_builtins/int.pem", ",,");
notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
// A certificate with a notBefore before the distrustAfter date
// should verify.
await checkCertErrorGeneric(
gCertDb,
ee_pre_distrust_cert,
PRErrorCodeSuccess,
certificateUsageSSLServer
);
// A certificate with a notBefore after the distrustAfter date
// should not verify.
await checkCertErrorGeneric(
gCertDb,
ee_post_distrust_cert,
SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer
);
});

25
security/manager/ssl/tests/unit/test_builtins/Cargo.toml
Просмотреть файл

@ -1,25 +0,0 @@
[package]
name = "test-builtins-static"
version = "0.1.0"
authors = ["John Schanck <jschanck@mozilla.com>"]
edition = "2021"
license = "MPL-2.0"
build = "../../../builtins/build.rs"
[features]
default = ["testlib"]
testlib = []
[dependencies]
pkcs11-bindings = "0.1.1"
smallvec = { version = "1.9.0", features = ["const_new"] }
mozilla-central-workspace-hack = { version = "0.1", features = ["test-builtins-static"], optional = true }
[build-dependencies]
bindgen = { default-features = false, features = ["runtime"], version = "0.69" }
mozbuild = "0.1"
nom = "7.1.1"
[lib]
crate-type = ["staticlib"]
path = "../../../builtins/src/lib.rs"

17
security/manager/ssl/tests/unit/test_builtins/ca.pem
Просмотреть файл

@ -1,17 +0,0 @@
-----BEGIN CERTIFICATE-----
MIICyTCCAbGgAwIBAgIUW/YBtJLWl0w/qHon39NEQVe2CjgwDQYJKoZIhvcNAQEL
BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMDAxMDEwMDAwMDBaGA8yMDUxMDEwMTAw
MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAnMP8E3DsBOlwY0ak3BWdj0HBu
ij1Fr8pAhd/SU4H39LhMwU71nKSdIjXEYhKlM6xHsVZw5E0ROckSXdFVNqmX0PeX
EeTY2U/SZLnPNvd9rk6hcJNHgIG0/2yPGkwz3kpPLDNU8zdjLwuPINqT6hlPrmkP
IlmyXurIWTkpY8B5wzcUDD4DULL9I1v3npPbVR059t6Nd4jGwsotYPjBGKRFtcwE
By/EXMotFnaZzBlgcgGd6nT/zcutCL0EGpsFLhpslX4nl74pcLxDerCYifkt4lEp
Z7/MgtwnXCy5yAMprWdTKY2vuTtPlSEhSohdYLcklRG6hdBWq9jy9BQaktP/
-----END CERTIFICATE-----

5
security/manager/ssl/tests/unit/test_builtins/ca.pem.certspec
Просмотреть файл

@ -1,5 +0,0 @@
issuer:ca
subject:ca
validity:20200101-20510101
extension:basicConstraints:cA,
extension:keyUsage:keyCertSign,cRLSign

128
security/manager/ssl/tests/unit/test_builtins/certdata.txt
Просмотреть файл

@ -1,128 +0,0 @@
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
BEGINDATA
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Test Roots"
#
# Certificate "Distrusted After Jan 1 2022 Root"
#
# Issuer: CN=ca
# Serial Number:5b:f6:01:b4:92:d6:97:4c:3f:a8:7a:27:df:d3:44:41:57:b6:0a:38
# Subject: CN=ca
# Not Valid Before: Wed Jan 01 00:00:00 2020
# Not Valid After : Sun Jan 01 00:00:00 2051
# Fingerprint (SHA-256): 5C:E9:72:28:D9:8A:BC:FE:63:23:33:5E:97:5D:6C:42:B5:48:FD:E7:8A:B9:F8:2E:CC:44:B1:16:69:A3:F5:B0
# Fingerprint (SHA1): 6B:15:70:37:F1:81:D0:B6:F7:0C:D9:86:C2:E7:FD:38:E7:53:7B:BE
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Distrusted After Jan 1 2022 Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\015\061\013\060\011\006\003\125\004\003\014\002\143\141
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\015\061\013\060\011\006\003\125\004\003\014\002\143\141
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\024\133\366\001\264\222\326\227\114\077\250\172\047\337\323
\104\101\127\266\012\070
END
CKA_VALUE MULTILINE_OCTAL
\060\202\002\311\060\202\001\261\240\003\002\001\002\002\024\133
\366\001\264\222\326\227\114\077\250\172\047\337\323\104\101\127
\266\012\070\060\015\006\011\052\206\110\206\367\015\001\001\013
\005\000\060\015\061\013\060\011\006\003\125\004\003\014\002\143
\141\060\042\030\017\062\060\062\060\060\061\060\061\060\060\060
\060\060\060\132\030\017\062\060\065\061\060\061\060\061\060\060
\060\060\060\060\132\060\015\061\013\060\011\006\003\125\004\003
\014\002\143\141\060\202\001\042\060\015\006\011\052\206\110\206
\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
\002\202\001\001\000\272\210\121\250\104\216\026\326\101\375\156
\266\210\006\066\020\075\074\023\331\352\344\065\112\264\354\365
\150\127\154\044\173\301\307\045\250\340\330\037\275\261\234\006
\233\156\032\206\362\153\342\257\132\165\153\152\144\161\010\172
\245\132\247\105\207\367\034\325\044\234\002\176\315\103\374\036
\151\320\070\040\051\223\253\040\303\111\344\333\271\114\302\153
\154\016\355\025\202\017\361\176\255\151\032\261\323\002\072\213
\052\101\356\247\160\340\017\015\215\375\146\013\053\260\044\222
\244\175\271\210\141\171\220\261\127\220\075\322\073\305\340\270
\110\037\250\067\323\210\103\357\047\026\330\125\267\146\132\252
\176\002\220\057\072\173\020\200\006\044\314\034\154\227\255\226
\141\133\267\342\226\022\300\165\061\243\014\221\335\264\312\367
\374\255\035\045\323\011\357\271\027\016\247\150\341\263\173\057
\042\157\151\343\264\212\225\141\035\356\046\326\045\235\253\221
\010\116\066\313\034\044\004\054\277\026\213\057\345\361\217\231
\027\061\270\263\376\111\043\372\162\121\304\061\325\003\254\332
\030\012\065\355\215\002\003\001\000\001\243\035\060\033\060\014
\006\003\125\035\023\004\005\060\003\001\001\377\060\013\006\003
\125\035\017\004\004\003\002\001\006\060\015\006\011\052\206\110
\206\367\015\001\001\013\005\000\003\202\001\001\000\047\060\377
\004\334\073\001\072\134\030\321\251\067\005\147\143\320\160\156
\212\075\105\257\312\100\205\337\322\123\201\367\364\270\114\301
\116\365\234\244\235\042\065\304\142\022\245\063\254\107\261\126
\160\344\115\021\071\311\022\135\321\125\066\251\227\320\367\227
\021\344\330\331\117\322\144\271\317\066\367\175\256\116\241\160
\223\107\200\201\264\377\154\217\032\114\063\336\112\117\054\063
\124\363\067\143\057\013\217\040\332\223\352\031\117\256\151\017
\042\131\262\136\352\310\131\071\051\143\300\171\303\067\024\014
\076\003\120\262\375\043\133\367\236\223\333\125\035\071\366\336
\215\167\210\306\302\312\055\140\370\301\030\244\105\265\314\004
\007\057\304\134\312\055\026\166\231\314\031\140\162\001\235\352
\164\377\315\313\255\010\275\004\032\233\005\056\032\154\225\176
\047\227\276\051\160\274\103\172\260\230\211\371\055\342\121\051
\147\277\314\202\334\047\134\054\271\310\003\051\255\147\123\051
\215\257\271\073\117\225\041\041\112\210\135\140\267\044\225\021
\272\205\320\126\253\330\362\364\024\032\222\323\377
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# For Server Distrust After: Sat Jan 01 00:00:00 2022
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\062\060\061\060\061\060\060\060\060\060\060\132
END
# For Email Distrust After: Sat Jan 01 00:00:00 2022
CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
\062\062\060\061\060\061\060\060\060\060\060\060\132
END
# Trust for "Distrusted After Jan 1 2022 Root"
# Issuer: CN=ca
# Serial Number:5b:f6:01:b4:92:d6:97:4c:3f:a8:7a:27:df:d3:44:41:57:b6:0a:38
# Subject: CN=ca
# Not Valid Before: Wed Jan 01 00:00:00 2020
# Not Valid After : Sun Jan 01 00:00:00 2051
# Fingerprint (SHA-256): 5C:E9:72:28:D9:8A:BC:FE:63:23:33:5E:97:5D:6C:42:B5:48:FD:E7:8A:B9:F8:2E:CC:44:B1:16:69:A3:F5:B0
# Fingerprint (SHA1): 6B:15:70:37:F1:81:D0:B6:F7:0C:D9:86:C2:E7:FD:38:E7:53:7B:BE
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Distrusted After Jan 1 2022 Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\153\025\160\067\361\201\320\266\367\014\331\206\302\347\375\070
\347\123\173\276
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\342\152\137\376\222\257\271\255\024\346\353\305\132\017\156\341
END
CKA_ISSUER MULTILINE_OCTAL
\060\015\061\013\060\011\006\003\125\004\003\014\002\143\141
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\024\133\366\001\264\222\326\227\114\077\250\172\047\337\323
\104\101\127\266\012\070
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

1
security/manager/ssl/tests/unit/test_builtins/dynamic-library/builtins.symbols
Просмотреть файл

@ -1 +0,0 @@
C_GetFunctionList

46
security/manager/ssl/tests/unit/test_builtins/dynamic-library/moz.build
Просмотреть файл

@ -1,46 +0,0 @@
# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
FINAL_TARGET = "_tests/xpcshell/security/manager/ssl/tests/unit/test_builtins"
USE_LIBS += ["test-builtins-static"]
# see notes in ipcclientcerts/dynamic-library/moz.build
if CONFIG["OS_ARCH"] == "Linux" and CONFIG["OS_TARGET"] != "Android":
SOURCES += [
"stub.cpp",
]
else:
SOURCES += [
"stub.c",
]
if CONFIG["OS_TARGET"] == "Android":
OS_LIBS += ["m"]
if CONFIG["OS_ARCH"] == "WINNT":
OS_LIBS += [
"advapi32",
"userenv",
"ws2_32",
]
OS_LIBS += [
"bcrypt",
"ntdll",
]
# Version string comparison is generally wrong, but by the time it would
# actually matter, either bug 1489995 would be fixed, or the build would
# require version >= 1.78.
if CONFIG["RUSTC_VERSION"] and CONFIG["RUSTC_VERSION"] >= "1.78.0":
OS_LIBS += [
"synchronization",
]
SharedLibrary("test-builtins")
NoVisibilityFlags()
SYMBOLS_FILE = "builtins.symbols"

27
security/manager/ssl/tests/unit/test_builtins/dynamic-library/stub.c
Просмотреть файл

@ -1,27 +0,0 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "pkcs11.h"
// see notes in ipcclientcerts/dynamic-library/stub.c
CK_RV BUILTINSC_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList);
CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) {
return BUILTINSC_GetFunctionList(ppFunctionList);
}
#ifdef __MINGW32__
# include "mozilla/Assertions.h"
void _Unwind_Resume() { MOZ_CRASH("Unexpected call to _Unwind_*"); }
void _Unwind_GetDataRelBase() { _Unwind_Resume(); }
void _Unwind_GetTextRelBase() { _Unwind_Resume(); }
void _Unwind_GetLanguageSpecificData() { _Unwind_Resume(); }
void _Unwind_GetIPInfo() { _Unwind_Resume(); }
void _Unwind_GetRegionStart() { _Unwind_Resume(); }
void _Unwind_SetGR() { _Unwind_Resume(); }
void _Unwind_SetIP() { _Unwind_Resume(); }
void _GCC_specific_handler() { _Unwind_Resume(); }
#endif

17
security/manager/ssl/tests/unit/test_builtins/dynamic-library/stub.cpp
Просмотреть файл

@ -1,17 +0,0 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "pkcs11.h"
// see notes in ipcclientcerts/dynamic-library/stub.cpp
extern "C" {
CK_RV BUILTINSC_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList);
CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) {
return BUILTINSC_GetFunctionList(ppFunctionList);
}
}

17
security/manager/ssl/tests/unit/test_builtins/ee-notBefore-2021.pem
Просмотреть файл

@ -1,17 +0,0 @@
-----BEGIN CERTIFICATE-----
MIICxDCCAaygAwIBAgIUDXOR6KaexWFGr7UDYphMtEeezXkwDQYJKoZIhvcNAQEL
BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjEwMTAxMDAwMDAwWhgPMjA1MTAxMDEw
MDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxcwFTATBgNVHSUEDDAKBggrBgEF
BQcDATANBgkqhkiG9w0BAQsFAAOCAQEAn2fhudWV+cpqIsRWpfHZc0BhW0sFX/Jq
nPn5kOjlEy9XDp0fKW3iIeo1hipevRgJnvpzeFUU0AzV+v5RhPumxyTioIeybkX5
uVtIz4llubAP5ymFBtIMVtKaKM9JWrmQxxCQyiaGmh/VTNQoyPXRX6sjA/lTFOn/
gyrcDnWi/6Fi3I1qiWxE4Gytk7a6qrKhVlq+UyiLlyHvPfiw6TksltJoSyE7iyno
cFBK98ei1Wq//7tFLSUoCIya3tnccMgPUhkWwhzxc94xuo1ROav8mzS4vh24p3S6
w4hvAylJhRt3BfQDPU14sCnEDjFd/PydAYntdJ66zcujs2YBO6iy8w==
-----END CERTIFICATE-----

4
security/manager/ssl/tests/unit/test_builtins/ee-notBefore-2021.pem.certspec
Просмотреть файл

@ -1,4 +0,0 @@
issuer:int
subject:ee
validity:20210101-20510101
extension:extKeyUsage:serverAuth

17
security/manager/ssl/tests/unit/test_builtins/ee-notBefore-2023.pem
Просмотреть файл

@ -1,17 +0,0 @@
-----BEGIN CERTIFICATE-----
MIICxDCCAaygAwIBAgIUQbAFBAJcR+nWt1dATlPDuABJgEAwDQYJKoZIhvcNAQEL
BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjMwMTAxMDAwMDAwWhgPMjA1MTAxMDEw
MDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxcwFTATBgNVHSUEDDAKBggrBgEF
BQcDATANBgkqhkiG9w0BAQsFAAOCAQEAfd1W1LYT+JnTb7ZXdz7lJcwdowimjUWR
ylhXpqyMbJmldogIoWXG+wPo9XosdLeaR0H7xizrhpiod6DXvqtXUjzfhdzbH8i8
3sBL3dyO/RAm1IWuDTNmT9d2SX+fty7M7mHH1TLuRda4VItiWyPK+QQIZHcTlhQz
qRebW6ggpWzRb9nqUWieHlvyaVgqWkv9LiCkJYqXXL6nBvQAh8ukf6g127c0hbMO
DIQtoAT6XFbApM6GPuovaiMf0h8n7S2ekIcRBEeadvZOMsy7hdTNMKlS706wQETd
U0jwYTk728Oz0MCdgn488iRWGeDJWi544JZldErK75lWHAU5svaHIQ==
-----END CERTIFICATE-----

4
security/manager/ssl/tests/unit/test_builtins/ee-notBefore-2023.pem.certspec
Просмотреть файл

@ -1,4 +0,0 @@
issuer:int
subject:ee
validity:20230101-20510101
extension:extKeyUsage:serverAuth

17
security/manager/ssl/tests/unit/test_builtins/int.pem
Просмотреть файл

@ -1,17 +0,0 @@
-----BEGIN CERTIFICATE-----
MIICyjCCAbKgAwIBAgIUe2LIDV1Nhfro/wXnL4PUQK5N24QwDQYJKoZIhvcNAQEL
BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
MDAwMFowDjEMMAoGA1UEAwwDaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG
A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAjQy0NtsF3aykS9j0nzTjuaXO
H3lWVMJJBYNZw0YcFUIfTFpkAdwLyvWrw9vpNBURseXog/pFe+Wo1vh7LtESg8Kc
WFnE7LWeZSzOLgUTRPuHU45ehkaJpAOXaBUo/RNNYykE44EVIXvNCUuPe06SfSnD
fSHNDdrg0jv4V+Xjoq+8+yhBNmjNNylBMfZmj7NiN8ZKka+AovStBoxuvSD6Oef3
ENuMtUH10KETCkUf/u04RMU8sTZP65zg2xQ3hcvDAoJvIwwaq/TtcghO0AcD6RbN
yoHIgJe2TiWRltAPOTzm/2OmUGOHin1p4DCA7usZRpU/iRqr06ZZFzBtj+0v4A==
-----END CERTIFICATE-----

4
security/manager/ssl/tests/unit/test_builtins/int.pem.certspec
Просмотреть файл

@ -1,4 +0,0 @@
issuer:ca
subject:int
extension:basicConstraints:cA,
extension:keyUsage:keyCertSign,cRLSign

11
security/manager/ssl/tests/unit/test_builtins/moz.build
Просмотреть файл

@ -1,11 +0,0 @@
# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
DIRS += ["dynamic-library"]
OS_LIBS += CONFIG["DL_LIBS"]
RustLibrary("test-builtins-static")

3
security/manager/ssl/tests/unit/xpcshell.toml
Просмотреть файл

@ -9,7 +9,6 @@ support-files = [
"ocsp_certs/**",
"test_baseline_requirements/**",
"test_broken_fips/**",
"test_builtins/**",
"test_cert_eku/**",
"test_cert_embedded_null/**",
"test_cert_keyUsage/**",
@ -72,8 +71,6 @@ skip-if = [
"os == 'linux'"
]
["test_builtins.js"]
["test_certDB_export_pkcs12.js"]
["test_certDB_export_pkcs12_with_primary_password.js"]

1
security/nss.symbols
Просмотреть файл

@ -438,7 +438,6 @@ PK11_PubEncryptPKCS1
PK11_PubUnwrapSymKey
PK11_PubWrapSymKey
PK11_RandomUpdate
PK11_ReadDistrustAfterAttribute
PK11_ReadRawAttribute
PK11_ReferenceSlot
PK11_ReferenceSymKey