mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1359428 - Remove preference to select OneCRL update mechanism r=keeler,leplatrem,rhelmer 

MozReview-Commit-ID: A6CwZrIDmTn

--HG--
extra : rebase_source : 41e17d29f982d23f30f48a6f85ad20fc84b018c6
This commit is contained in:
Mark Goodwin 2017-09-29 10:47:27 +01:00
Родитель 1a8efc0e83
Коммит ae55f5a197
8 изменённых файлов: 161 добавлений и 198 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

3
modules/libpref/init/all.js
Просмотреть файл

@ -2655,9 +2655,6 @@ pref("services.blocklist.signing.enforced", true);
// Enable blocklists via the services settings mechanism
pref("services.blocklist.update_enabled", true);
// Enable certificate blocklist updates via services settings
pref("security.onecrl.via.amo", false);
// Modifier key prefs: default to Windows settings,
// menu access key = alt, accelerator key = control.

42
security/manager/ssl/CertBlocklist.cpp
Просмотреть файл

@ -37,14 +37,11 @@ using namespace mozilla::pkix;
#define PREF_BACKGROUND_UPDATE_TIMER "app.update.lastUpdateTime.blocklist-background-update-timer"
#define PREF_BLOCKLIST_ONECRL_CHECKED "services.blocklist.onecrl.checked"
#define PREF_MAX_STALENESS_IN_SECONDS "security.onecrl.maximum_staleness_in_seconds"
#define PREF_ONECRL_VIA_AMO "security.onecrl.via.amo"
static LazyLogModule gCertBlockPRLog("CertBlock");
uint32_t CertBlocklist::sLastBlocklistUpdate = 0U;
uint32_t CertBlocklist::sLastKintoUpdate = 0U;
uint32_t CertBlocklist::sMaxStaleness = 0U;
bool CertBlocklist::sUseAMO = true;
CertBlocklistItem::CertBlocklistItem(const uint8_t* DNData,
size_t DNLength,
@ -139,15 +136,9 @@ CertBlocklist::CertBlocklist()
CertBlocklist::~CertBlocklist()
{
Preferences::UnregisterCallback(CertBlocklist::PreferenceChanged,
PREF_BACKGROUND_UPDATE_TIMER,
this);
Preferences::UnregisterCallback(CertBlocklist::PreferenceChanged,
PREF_MAX_STALENESS_IN_SECONDS,
this);
Preferences::UnregisterCallback(CertBlocklist::PreferenceChanged,
PREF_ONECRL_VIA_AMO,
this);
Preferences::UnregisterCallback(CertBlocklist::PreferenceChanged,
PREF_BLOCKLIST_ONECRL_CHECKED,
this);
@ -166,25 +157,12 @@ CertBlocklist::Init()
}
// Register preference callbacks
nsresult rv =
Preferences::RegisterCallbackAndCall(CertBlocklist::PreferenceChanged,
PREF_BACKGROUND_UPDATE_TIMER,
this);
if (NS_FAILED(rv)) {
return rv;
}
rv = Preferences::RegisterCallbackAndCall(CertBlocklist::PreferenceChanged,
nsresult rv = Preferences::RegisterCallbackAndCall(CertBlocklist::PreferenceChanged,
PREF_MAX_STALENESS_IN_SECONDS,
this);
if (NS_FAILED(rv)) {
return rv;
}
rv = Preferences::RegisterCallbackAndCall(CertBlocklist::PreferenceChanged,
PREF_ONECRL_VIA_AMO,
this);
if (NS_FAILED(rv)) {
return rv;
}
rv = Preferences::RegisterCallbackAndCall(CertBlocklist::PreferenceChanged,
PREF_BLOCKLIST_ONECRL_CHECKED,
this);
@ -631,13 +609,12 @@ CertBlocklist::IsBlocklistFresh(bool* _retval)
*_retval = false;
uint32_t now = uint32_t(PR_Now() / PR_USEC_PER_SEC);
uint32_t lastUpdate = sUseAMO ? sLastBlocklistUpdate : sLastKintoUpdate;
MOZ_LOG(gCertBlockPRLog, LogLevel::Warning,
("CertBlocklist::IsBlocklistFresh using AMO? %i lastUpdate is %i",
sUseAMO, lastUpdate));
("CertBlocklist::IsBlocklistFresh ? lastUpdate is %i",
sLastBlocklistUpdate));
if (now > lastUpdate) {
int64_t interval = now - lastUpdate;
if (now > sLastBlocklistUpdate) {
int64_t interval = now - sLastBlocklistUpdate;
MOZ_LOG(gCertBlockPRLog, LogLevel::Warning,
("CertBlocklist::IsBlocklistFresh we're after the last BlocklistUpdate "
"interval is %" PRId64 ", staleness %u", interval, sMaxStaleness));
@ -659,16 +636,11 @@ CertBlocklist::PreferenceChanged(const char* aPref, void* aClosure)
MOZ_LOG(gCertBlockPRLog, LogLevel::Warning,
("CertBlocklist::PreferenceChanged %s changed", aPref));
if (strcmp(aPref, PREF_BACKGROUND_UPDATE_TIMER) == 0) {
sLastBlocklistUpdate = Preferences::GetUint(PREF_BACKGROUND_UPDATE_TIMER,
if (strcmp(aPref, PREF_BLOCKLIST_ONECRL_CHECKED) == 0) {
sLastBlocklistUpdate = Preferences::GetUint(PREF_BLOCKLIST_ONECRL_CHECKED,
uint32_t(0));
} else if (strcmp(aPref, PREF_BLOCKLIST_ONECRL_CHECKED) == 0) {
sLastKintoUpdate = Preferences::GetUint(PREF_BLOCKLIST_ONECRL_CHECKED,
uint32_t(0));
} else if (strcmp(aPref, PREF_MAX_STALENESS_IN_SECONDS) == 0) {
sMaxStaleness = Preferences::GetUint(PREF_MAX_STALENESS_IN_SECONDS,
uint32_t(0));
} else if (strcmp(aPref, PREF_ONECRL_VIA_AMO) == 0) {
sUseAMO = Preferences::GetBool(PREF_ONECRL_VIA_AMO, true);
}
}

230
security/manager/ssl/tests/unit/test_cert_blocklist.js
Просмотреть файл

@ -6,12 +6,14 @@
// This test checks a number of things:
// * it ensures that data loaded from revocations.txt on startup is present
// * it ensures that certItems in blocklist.xml are persisted correctly
// * it ensures that data served from OneCRL are persisted correctly
// * it ensures that items in the CertBlocklist are seen as revoked by the
// cert verifier
// * it does a sanity check to ensure other cert verifier behavior is
// unmodified
const { setTimeout } = Cu.import("resource://gre/modules/Timer.jsm", {});
// First, we need to setup appInfo for the blocklist service to work
var id = "xpcshell@tests.mozilla.org";
var appName = "XPCShell";
@ -31,25 +33,6 @@ updateAppInfo({
// no revocation.txt in the profile
var gProfile = do_get_profile();
// Write out an empty blocklist.xml file to the profile to ensure nothing
// is blocklisted by default
var blockFile = gProfile.clone();
blockFile.append("blocklist.xml");
var stream = Cc["@mozilla.org/network/file-output-stream;1"]
.createInstance(Ci.nsIFileOutputStream);
stream.init(blockFile,
FileUtils.MODE_WRONLY | FileUtils.MODE_CREATE | FileUtils.MODE_TRUNCATE,
FileUtils.PERMS_FILE, 0);
var data = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
"<blocklist xmlns=\"http://www.mozilla.org/2006/addons-blocklist\">\n" +
"</blocklist>\n";
stream.write(data, data.length);
stream.close();
const PREF_BLOCKLIST_UPDATE_ENABLED = "services.blocklist.update_enabled";
const PREF_ONECRL_VIA_AMO = "security.onecrl.via.amo";
var gRevocations = gProfile.clone();
gRevocations.append("revocations.txt");
if (!gRevocations.exists()) {
@ -60,65 +43,112 @@ if (!gRevocations.exists()) {
var certDB = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
// set up a test server to serve the blocklist.xml
// set up a test server to serve the kinto views.
var testserver = new HttpServer();
var initialBlocklist = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<blocklist xmlns=\"http://www.mozilla.org/2006/addons-blocklist\">" +
// test with some bad data ...
"<certItems><certItem issuerName='Some nonsense in issuer'>" +
"<serialNumber>AkHVNA==</serialNumber>" +
"</certItem><certItem issuerName='MA0xCzAJBgNVBAMMAmNh'>" +
"<serialNumber>some nonsense in serial</serialNumber>" +
"</certItem><certItem issuerName='some nonsense in both issuer'>" +
"<serialNumber>and serial</serialNumber></certItem>" +
// some mixed
// In this case, the issuer name and the valid serialNumber correspond
// to test-int.pem in bad_certs/
"<certItem issuerName='MBIxEDAOBgNVBAMMB1Rlc3QgQ0E='>" +
"<serialNumber>oops! more nonsense.</serialNumber>" +
"<serialNumber>BVio/iQ21GCi2iUven8oJ/gae74=</serialNumber></certItem>" +
// ... and some good
// In this case, the issuer name and the valid serialNumber correspond
// to other-test-ca.pem in bad_certs/ (for testing root revocation)
"<certItem issuerName='MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E='>" +
"<serialNumber>exJUIJpq50jgqOwQluhVrAzTF74=</serialNumber></certItem>" +
// This item corresponds to an entry in sample_revocations.txt where:
// isser name is "another imaginary issuer" base-64 encoded, and
// serialNumbers are:
// "serial2." base-64 encoded, and
// "another serial." base-64 encoded
// We need this to ensure that existing items are retained if they're
// also in the blocklist
"<certItem issuerName='YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy'>" +
"<serialNumber>c2VyaWFsMi4=</serialNumber>" +
"<serialNumber>YW5vdGhlciBzZXJpYWwu</serialNumber></certItem>" +
// This item revokes same-issuer-ee.pem by subject and pubKeyHash.
"<certItem subject='MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5'" +
" pubKeyHash='VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8='>" +
"</certItem></certItems></blocklist>";
var updatedBlocklist = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<blocklist xmlns=\"http://www.mozilla.org/2006/addons-blocklist\">" +
"<certItems>" +
"<certItem issuerName='something new in both the issuer'>" +
"<serialNumber>and the serial number</serialNumber></certItem>" +
"</certItems></blocklist>";
const kintoHelloViewJSON = `{"settings":{"batch_max_requests":25}}`;
const kintoChangesJSON = `{
"data": [
{
"host": "firefox.settings.services.mozilla.com",
"id": "3ace9d8e-00b5-a353-7fd5-1f081ff482ba",
"last_modified": 100000000000000000001,
"bucket": "blocklists",
"collection": "certificates"
}
]
}`;
const certMetadataJSON = `{"data": {}}`;
const certBlocklistJSON = `{
"data": [` +
// test with some bad data ...
` {
"id": "1",
"last_modified": 100000000000000000001,
"issuerName": "Some nonsense in issuer",
"serialNumber": "AkHVNA=="
},
{
"id": "2",
"last_modified": 100000000000000000002,
"issuerName": "MA0xCzAJBgNVBAMMAmNh",
"serialNumber": "some nonsense in serial"
},
{
"id": "3",
"last_modified": 100000000000000000003,
"issuerName": "and serial",
"serialNumber": "some nonsense in both issuer"
},` +
// some mixed
// In these case, the issuer name and the valid serialNumber correspond
// to test-int.pem in bad_certs/
` {
"id": "4",
"last_modified": 100000000000000000004,
"issuerName": "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
"serialNumber": "oops! more nonsense."
},` +
` {
"id": "5",
"last_modified": 100000000000000000004,
"issuerName": "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
"serialNumber": "BVio/iQ21GCi2iUven8oJ/gae74="
},` +
// ... and some good
// In this case, the issuer name and the valid serialNumber correspond
// to other-test-ca.pem in bad_certs/ (for testing root revocation)
` {
"id": "6",
"last_modified": 100000000000000000005,
"issuerName": "MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E=",
"serialNumber": "exJUIJpq50jgqOwQluhVrAzTF74="
},` +
// These items correspond to an entry in sample_revocations.txt where:
// isser name is "another imaginary issuer" base-64 encoded, and
// serialNumbers are:
// "serial2." base-64 encoded, and
// "another serial." base-64 encoded
// We need this to ensure that existing items are retained if they're
// also in the blocklist
` {
"id": "7",
"last_modified": 100000000000000000006,
"issuerName": "YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy",
"serialNumber": "c2VyaWFsMi4="
},` +
` {
"id": "8",
"last_modified": 100000000000000000006,
"issuerName": "YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy",
"serialNumber": "YW5vdGhlciBzZXJpYWwu"
},` +
// This item revokes same-issuer-ee.pem by subject and pubKeyHash.
` {
"id": "9",
"last_modified": 100000000000000000007,
"subject": "MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5",
"pubKeyHash": "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8="
}
]
}`;
var blocklists = {
"/initialBlocklist/": initialBlocklist,
"/updatedBlocklist/": updatedBlocklist
};
function serveResponse(request, response) {
do_print("Serving for path " + request.path + "\n");
response.write(blocklists[request.path]);
function serveResponse(body) {
return (req, response) => {
response.setStatusLine(null, 200, "OK");
response.write(body);
};
}
for (var path in blocklists) {
testserver.registerPathHandler(path, serveResponse);
}
testserver.registerPathHandler("/v1/",
serveResponse(kintoHelloViewJSON));
testserver.registerPathHandler("/v1/buckets/monitor/collections/changes/records",
serveResponse(kintoChangesJSON));
testserver.registerPathHandler("/v1/buckets/blocklists/collections/certificates",
serveResponse(certMetadataJSON));
testserver.registerPathHandler("/v1/buckets/blocklists/collections/certificates/records",
serveResponse(certBlocklistJSON));
// start the test server
testserver.start(-1);
@ -172,21 +202,28 @@ function test_is_revoked(certList, issuerString, serialString, subjectString,
pubKeyString ? pubKeyString.length : 0);
}
function fetch_blocklist(blocklistPath) {
do_print("path is " + blocklistPath + "\n");
let certblockObserver = {
observe(aSubject, aTopic, aData) {
Services.obs.removeObserver(this, "blocklist-updated");
run_next_test();
}
};
Services.obs.addObserver(certblockObserver, "blocklist-updated");
function fetch_blocklist() {
Services.prefs.setBoolPref("services.blocklist.load_dump", false);
Services.prefs.setBoolPref("services.blocklist.signing.enforced", false);
Services.prefs.setCharPref("services.settings.server",
`http://localhost:${port}/v1`);
Services.prefs.setCharPref("extensions.blocklist.url",
`http://localhost:${port}/${blocklistPath}`);
`http://localhost:${port}/blocklist.xml`);
let blocklist = Cc["@mozilla.org/extensions/blocklist;1"]
.getService(Ci.nsITimerCallback);
blocklist.notify(null);
return new Promise((resolve) => {
let certblockObserver = {
observe(aSubject, aTopic, aData) {
Services.obs.removeObserver(this, "blocklist-updater-versions-checked");
resolve();
}
};
Services.obs.addObserver(certblockObserver, "blocklist-updater-versions-checked");
blocklist.notify(null);
});
}
function* generate_revocations_txt_lines() {
@ -264,19 +301,15 @@ function run_test() {
let expected = { "MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5":
{ "\tVCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=": true },
"MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=":
{ " BVio/iQ21GCi2iUven8oJ/gae74=": true },
"MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E=":
{ " exJUIJpq50jgqOwQluhVrAzTF74=": true },
{ " exJUIJpq50jgqOwQluhVrAzTF74=": true},
"MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=":
{ " BVio/iQ21GCi2iUven8oJ/gae74=": true},
"YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy":
{ " YW5vdGhlciBzZXJpYWwu": true,
" c2VyaWFsMi4=": true }
};
// This test assumes OneCRL updates via AMO
Services.prefs.setBoolPref(PREF_BLOCKLIST_UPDATE_ENABLED, false);
Services.prefs.setBoolPref(PREF_ONECRL_VIA_AMO, true);
add_test(function () {
// check some existing items in revocations.txt are blocked. Since the
// CertBlocklistItems don't know about the data they contain, we can use
@ -320,14 +353,14 @@ function run_test() {
});
// blocklist load is async so we must use add_test from here
add_test(function() {
fetch_blocklist("initialBlocklist/");
add_task(function* () {
yield fetch_blocklist();
});
add_test(function() {
// The blocklist will be loaded now. Let's check the data is sane.
// In particular, we should still have the revoked issuer / serial pair
// that was in both revocations.txt and the blocklist.xml
// that was in both revocations.txt and the blocklist.
ok(test_is_revoked(certList, "another imaginary issuer", "serial2."),
"issuer / serial pair should be blocked");
@ -383,13 +416,6 @@ function run_test() {
run_next_test();
});
// disable AMO cert blocklist - and check blocklist.xml changes do not
// affect the data stored.
add_test(function() {
Services.prefs.setBoolPref("security.onecrl.via.amo", false);
fetch_blocklist("updatedBlocklist/");
});
add_test(function() {
// Check the blocklist entry has not changed
check_revocations_txt_contents(expected);

11
security/manager/ssl/tests/unit/test_ev_certs.js
Просмотреть файл

@ -279,10 +279,8 @@ add_task(async function oneCRLTests() {
await ensureVerifiesAsEV("test-oid-path");
clearOCSPCache();
// test that setting "security.onecrl.via.amo" results in the correct
// OCSP behavior when services.blocklist.onecrl.checked is in the distant past
// and blacklist-background-update-timer is recent
Services.prefs.setBoolPref("security.onecrl.via.amo", false);
// test the OCSP behavior when services.blocklist.onecrl.checked is in the
// distant past and blacklist-background-update-timer is recent
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
108000);
@ -297,9 +295,7 @@ add_task(async function oneCRLTests() {
await ensureVerifiesAsEV("test-oid-path");
clearOCSPCache();
// test that setting "security.onecrl.via.amo" results in the correct
// OCSP behavior when services.blocklist.onecrl.checked is recent
Services.prefs.setBoolPref("security.onecrl.via.amo", false);
// test the OCSP behavior when services.blocklist.onecrl.checked is recent
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
108000);
@ -310,7 +306,6 @@ add_task(async function oneCRLTests() {
await ensureOneCRLSkipsOCSPForIntermediates("no-ocsp-int-path");
await ensureOneCRLSkipsOCSPForIntermediates("test-oid-path");
Services.prefs.clearUserPref("security.onecrl.via.amo");
Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
Services.prefs.clearUserPref("services.blocklist.onecrl.checked");
Services.prefs.clearUserPref(

3
services/common/blocklist-updater.js
Просмотреть файл

@ -18,6 +18,7 @@ const PREF_BLOCKLIST_CHANGES_PATH = "services.blocklist.changes.path";
const PREF_BLOCKLIST_LAST_UPDATE = "services.blocklist.last_update_seconds";
const PREF_BLOCKLIST_LAST_ETAG = "services.blocklist.last_etag";
const PREF_BLOCKLIST_CLOCK_SKEW_SECONDS = "services.blocklist.clock_skew_seconds";
const PREF_BLOCKLIST_LOAD_DUMP = "services.blocklist.load_dump";
// Telemetry update source identifier.
const TELEMETRY_HISTOGRAM_KEY = "settings-changes-monitoring";
@ -177,4 +178,6 @@ this.checkVersions = async function() {
if (currentEtag) {
Services.prefs.setCharPref(PREF_BLOCKLIST_LAST_ETAG, currentEtag);
}
Services.obs.notifyObservers(null, "blocklist-updater-versions-checked");
};

19
services/common/tests/unit/test_blocklist_updater.js
Просмотреть файл

@ -71,8 +71,22 @@ add_task(async function test_check_maybeSync() {
const startHistogram = getUptakeTelemetrySnapshot(TELEMETRY_HISTOGRAM_KEY);
let notificationObserved = false;
// Ensure that the blocklist-updater-versions-checked notification works
let certblockObserver = {
observe(aSubject, aTopic, aData) {
Services.obs.removeObserver(this, "blocklist-updater-versions-checked");
notificationObserved = true;
}
};
Services.obs.addObserver(certblockObserver, "blocklist-updater-versions-checked");
await updater.checkVersions();
do_check_true(notificationObserved, "a notification should have been observed");
// check the last_update is updated
do_check_eq(Services.prefs.getIntPref(PREF_LAST_UPDATE), 2);
@ -110,13 +124,16 @@ add_task(async function test_check_maybeSync() {
}
server.registerPathHandler(changesPath, simulateErrorResponse);
// checkVersions() fails with adequate error.
// checkVersions() fails with adequate error and no notification.
let error;
notificationObserved = false;
Services.obs.addObserver(certblockObserver, "blocklist-updater-versions-checked");
try {
await updater.checkVersions();
} catch (e) {
error = e;
}
do_check_false(notificationObserved, "a notification should not have been observed");
do_check_true(/Polling for changes failed/.test(error.message));
// When an error occurs, last update was not overwritten (see Date header above).
do_check_eq(Services.prefs.getIntPref(PREF_LAST_UPDATE), 2);

43
toolkit/mozapps/extensions/nsBlocklistService.js
Просмотреть файл

@ -51,7 +51,6 @@ const PREF_BLOCKLIST_LEVEL = "extensions.blocklist.level";
const PREF_BLOCKLIST_PINGCOUNTTOTAL = "extensions.blocklist.pingCountTotal";
const PREF_BLOCKLIST_PINGCOUNTVERSION = "extensions.blocklist.pingCountVersion";
const PREF_BLOCKLIST_SUPPRESSUI = "extensions.blocklist.suppressUI";
const PREF_ONECRL_VIA_AMO = "security.onecrl.via.amo";
const PREF_BLOCKLIST_UPDATE_ENABLED = "services.blocklist.update_enabled";
const PREF_APP_DISTRIBUTION = "distribution.id";
const PREF_APP_DISTRIBUTION_VERSION = "distribution.version";
@ -81,10 +80,6 @@ XPCOMUtils.defineLazyServiceGetter(this, "gVersionChecker",
"@mozilla.org/xpcom/version-comparator;1",
"nsIVersionComparator");
XPCOMUtils.defineLazyServiceGetter(this, "gCertBlocklistService",
"@mozilla.org/security/certblocklist;1",
"nsICertBlocklist");
XPCOMUtils.defineLazyGetter(this, "gPref", function() {
return Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefService).
QueryInterface(Ci.nsIPrefBranch);
@ -910,8 +905,6 @@ Blocklist.prototype = {
return;
}
var populateCertBlocklist = getPref("getBoolPref", PREF_ONECRL_VIA_AMO, true);
var childNodes = doc.documentElement.childNodes;
for (let element of childNodes) {
if (!(element instanceof Ci.nsIDOMElement))
@ -925,12 +918,6 @@ Blocklist.prototype = {
this._pluginEntries = this._processItemNodes(element.childNodes, "pluginItem",
this._handlePluginItemNode);
break;
case "certItems":
if (populateCertBlocklist) {
this._processItemNodes(element.childNodes, "certItem",
this._handleCertItemNode.bind(this));
}
break;
case "gfxItems":
// Parse as simple list of objects.
this._gfxEntries = this._processItemNodes(element.childNodes, "gfxBlacklistEntry",
@ -940,9 +927,6 @@ Blocklist.prototype = {
LOG("Blocklist::_loadBlocklistFromString: ignored entries " + element.localName);
}
}
if (populateCertBlocklist) {
gCertBlocklistService.saveEntries();
}
if (this._gfxEntries.length > 0) {
this._notifyObserversBlocklistGFX();
}
@ -964,33 +948,6 @@ Blocklist.prototype = {
return result;
},
_handleCertItemNode(blocklistElement, result) {
let issuer = blocklistElement.getAttribute("issuerName");
if (issuer) {
for (let snElement of blocklistElement.children) {
try {
gCertBlocklistService.revokeCertByIssuerAndSerial(issuer, snElement.textContent);
} catch (e) {
// we want to keep trying other elements since missing all items
// is worse than missing one
LOG("Blocklist::_handleCertItemNode: Error adding revoked cert by Issuer and Serial" + e);
}
}
return;
}
let pubKeyHash = blocklistElement.getAttribute("pubKeyHash");
let subject = blocklistElement.getAttribute("subject");
if (pubKeyHash && subject) {
try {
gCertBlocklistService.revokeCertBySubjectAndPubKey(subject, pubKeyHash);
} catch (e) {
LOG("Blocklist::_handleCertItemNode: Error adding revoked cert by Subject and PubKey" + e);
}
}
},
_handleEmItemNode(blocklistElement, result) {
if (!matchesOSABI(blocklistElement))
return;

8
toolkit/mozapps/extensions/test/xpcshell/test_blocklist_regexp.js
Просмотреть файл

@ -64,12 +64,8 @@ function load_blocklist(aFile, aCallback) {
gPort + "/data/" + aFile);
var blocklist = Cc["@mozilla.org/extensions/blocklist;1"].
getService(Ci.nsITimerCallback);
// if we're not using the blocklist.xml for certificate blocklist state,
// ensure that kinto update is enabled
if (!Services.prefs.getBoolPref("security.onecrl.via.amo")) {
ok(Services.prefs.getBoolPref("services.blocklist.update_enabled"),
"Kinto update should be enabled");
}
ok(Services.prefs.getBoolPref("services.blocklist.update_enabled"),
"Kinto update should be enabled");
blocklist.notify(null);
}