Bug 1409259 - Add xpcshell tests for the Symantec distrust r=keeler

This commit adds two new xpcshell tests, both of them testing whether the
security state in TransportSecurityInfo includes the new
STATE_CERT_DISTRUST_IMMINENT flag under the correct circumstances.

The first test, test_symantec_apple_google.js, tests the four combinations of
certs that chain to an affected Symantec root: with/without a whitelisted
intermediate, and before/after the notBefore cutoff date.

The second test, test_symantec_apple_google_unaffected.js, tests an unrelated
ca->intermediate->ee chain that does not chain to an affected root, and ensures
the flag is not set.

This patch adds SymantecSanctionsServer to the mozbuild and xpcshell test
infrastructure files to ensure it runs properly on TaskCluster, too.

MozReview-Commit-ID: GtUXH2VFFh

--HG--
rename : security/manager/ssl/tests/unit/bad_certs/default-ee.key => security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key
rename : security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec => security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key.keyspec
rename : security/manager/ssl/tests/unit/bad_certs/default-ee.pem => security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem
rename : security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec => security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem.certspec
rename : security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp => security/manager/ssl/tests/unit/tlsserver/cmd/SymantecSanctionsServer.cpp
extra : rebase_source : f399bca5a13db3efa5bbaa5136c8effc3948ed5e

python/mozbuild/mozbuild/action/test_archive.py

@@ -35,6 +35,7 @@ TEST_HARNESS_BINS = [
     'BadCertServer',
     'GenerateOCSPResponse',
     'OCSPStaplingServer',
+    'SymantecSanctionsServer',
     'SmokeDMD',
     'certutil',
     'crashinject',

python/mozbuild/mozbuild/artifacts.py

@@ -129,6 +129,7 @@ class ArtifactJob(object):
         ('bin/BadCertServer', ('bin', 'bin')),
         ('bin/GenerateOCSPResponse', ('bin', 'bin')),
         ('bin/OCSPStaplingServer', ('bin', 'bin')),
+        ('bin/SymantecSanctionsServer', ('bin', 'bin')),
         ('bin/certutil', ('bin', 'bin')),
         ('bin/fileid', ('bin', 'bin')),
         ('bin/geckodriver', ('bin', 'bin')),
@@ -434,6 +435,7 @@ class WinArtifactJob(ArtifactJob):
         ('bin/BadCertServer.exe', ('bin', 'bin')),
         ('bin/GenerateOCSPResponse.exe', ('bin', 'bin')),
         ('bin/OCSPStaplingServer.exe', ('bin', 'bin')),
+        ('bin/SymantecSanctionsServer.exe', ('bin', 'bin')),
         ('bin/certutil.exe', ('bin', 'bin')),
         ('bin/fileid.exe', ('bin', 'bin')),
         ('bin/geckodriver.exe', ('bin', 'bin')),

security/manager/ssl/tests/unit/moz.build

@@ -36,5 +36,6 @@ TEST_DIRS += [
     'test_pinning_dynamic',
     'test_signed_apps',
     'test_startcom_wosign',
+    'test_symantec_apple_google',
     'test_validity',
 ]

security/manager/ssl/tests/unit/test_symantec_apple_google.js

@@ -0,0 +1,40 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests handling of certificates issued by Symantec. If such
+// certificates have a notBefore before 1 June 2016, and are not
+// issued by an Apple or Google intermediate, they should emit a
+// warning to the console.
+
+function shouldBeImminentlyDistrusted(aTransportSecurityInfo) {
+  let isDistrust = aTransportSecurityInfo.securityState &
+                     Ci.nsIWebProgressListener.STATE_CERT_DISTRUST_IMMINENT;
+  Assert.ok(isDistrust, "This host should be imminently distrusted");
+}
+
+function shouldNotBeImminentlyDistrusted(aTransportSecurityInfo) {
+  let isDistrust = aTransportSecurityInfo.securityState &
+                     Ci.nsIWebProgressListener.STATE_CERT_DISTRUST_IMMINENT;
+  Assert.ok(!isDistrust, "This host should not be imminently distrusted");
+}
+
+do_get_profile();
+
+add_tls_server_setup("SymantecSanctionsServer", "test_symantec_apple_google");
+
+// Whitelisted certs aren't to be distrusted
+add_connection_test("symantec-whitelist-after-cutoff.example.com",
+                    PRErrorCodeSuccess, null, shouldNotBeImminentlyDistrusted);
+
+add_connection_test("symantec-whitelist-before-cutoff.example.com",
+                    PRErrorCodeSuccess, null, shouldNotBeImminentlyDistrusted);
+
+// Not-whitelisted certs after the cutoff aren't distrusted
+add_connection_test("symantec-not-whitelisted-after-cutoff.example.com",
+                    PRErrorCodeSuccess, null, shouldNotBeImminentlyDistrusted);
+
+// Not whitelisted certs before the cutoff are to be distrusted
+add_connection_test("symantec-not-whitelisted-before-cutoff.example.com",
+                    PRErrorCodeSuccess, null, shouldBeImminentlyDistrusted);

security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
+braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
+eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
+iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
+qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
+LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
+2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
+VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
+JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
+r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
+iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
+SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
+TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
+gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
+xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
+ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
+3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
+EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
+2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
+WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
+tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
+rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
+TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
+tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
+ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
+NBinA5ZsT8d0v3QCr2xDJH9D
+-----END PRIVATE KEY-----

security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key.keyspec

@@ -0,0 +1 @@
+default

security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAm+gAwIBAgIUNRvpOhsDHEYbRf6bsiAPbvKe2VAwCwYJKoZIhvcNAQEL
+MBIxEDAOBgNVBAMMB1Rlc3QgQ0EwIhgPMjAxNTExMjgwMDAwMDBaGA8yMDE4MDIw
+NTAwMDAwMFowGjEYMBYGA1UEAwwPVGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1
+aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we
+adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS
+pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W
+YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR
+CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HKMIHH
+MIGQBgNVHREEgYgwgYWCCWxvY2FsaG9zdIINKi5leGFtcGxlLmNvbYIVKi5waW5u
+aW5nLmV4YW1wbGUuY29tgigqLmluY2x1ZGUtc3ViZG9tYWlucy5waW5uaW5nLmV4
+YW1wbGUuY29tgigqLmV4Y2x1ZGUtc3ViZG9tYWlucy5waW5uaW5nLmV4YW1wbGUu
+Y29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9z
+dDo4ODg4LzALBgkqhkiG9w0BAQsDggEBAH6+Qe/y1TTCx2w6f31VWp5lcizPkS8s
+ODfbgT9pKYqqvYDeiDu3q8SLGHTTsHWWewBCu5Jd0mXPXfZ4FEHcwbVJZUZBvQVr
+1aNBCriuzhNUyfjkvfCgM4OuxgNwjbihGDE8VzfxTiz8mDN0AgACCZaUTQnybQc0
+SW+ldxspBgQJom0tkZ+TGi80L3/5P5J2+7AchxhAZzQmebDnxNYDZXCJH8w15was
+OzM5BrQzz3vuxupO7lsRzZIzAU+uQD4bjcMpz3oMdj3/0lb0HZGMdU22Ub36PvLC
+6mYbTtf0IS5TVyLnbCNeliE6zoPnQPBzAUfoOeD1Tn6HQUQUT8oTf2E=
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem.certspec

@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/

security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-after-cutoff.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOjCCAiSgAwIBAgIULyGlSNswcf4LYUR3oA5x6jdzOSMwCwYJKoZIhvcNAQEL
+MEkxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpHb29nbGUgSW5jMSUwIwYDVQQDExxH
+b29nbGUgSW50ZXJuZXQgQXV0aG9yaXR5IEcyMCIYDzIwMTYwNjAxMDAwMDAwWhgP
+MjA1MDAxMDEwMDAwMDBaMCkxJzAlBgNVBAMMHmVlLWZyb20td2hpdGVsaXN0LWFm
+dGVyLWN1dG9mZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE
+jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1
+a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p
+GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW
+2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO
+p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR
+xDHVA6zaGAo17Y0CAwEAAaM6MDgwNgYDVR0RBC8wLYIrc3ltYW50ZWMtd2hpdGVs
+aXN0LWFmdGVyLWN1dG9mZi5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAH6N
+yRA+aDb6ZnxXq9STgk4nm6ajT6OLIdMOBM5YSFLcTldPKSqgNwUZtkYgCpCqy4PQ
+S80r2YitwexfyzpfEO3Wq+CpvFsOOIit6tlt1nt60oxVylm8cXCrRX3gGO0KrwMl
+gLxXUXDf8lrgYIdsc4zM5bKUK9APnjsdl4SkJ+uuIj4geqCpJk3RNETPOQgxoW48
+GrWBOM6BPG5aRsC2Kq1uEFE4UbaW6vKm2DIiN3Omk3PDHSBRrFUkXtNGDP/cidis
+++ZB7wexNlciVwP88tgPSE7XgbdDtKS3e9EkOw6zulHllSXFXY9Lz/Lru0ecunnl
+HG8CumzG3hGgyxMMvYI=
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-after-cutoff.pem.certspec

@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+subject:ee-from-whitelist-after-cutoff
+validity:20160601-20500101
+extension:subjectAlternativeName:symantec-whitelist-after-cutoff.example.com

security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-before-cutoff.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPDCCAiagAwIBAgIUTdHuf60HnLh9wyRmnGMqcwdxDkYwCwYJKoZIhvcNAQEL
+MEkxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpHb29nbGUgSW5jMSUwIwYDVQQDExxH
+b29nbGUgSW50ZXJuZXQgQXV0aG9yaXR5IEcyMCIYDzIwMTQwNjAxMDAwMDAwWhgP
+MjA1MDAxMDEwMDAwMDBaMCoxKDAmBgNVBAMMH2VlLWZyb20td2hpdGVsaXN0LWJl
+Zm9yZS1jdXRvZmYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
+RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
+dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
+aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
+FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
+Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
+UcQx1QOs2hgKNe2NAgMBAAGjOzA5MDcGA1UdEQQwMC6CLHN5bWFudGVjLXdoaXRl
+bGlzdC1iZWZvcmUtY3V0b2ZmLmV4YW1wbGUuY29tMAsGCSqGSIb3DQEBCwOCAQEA
+VxmVTbXIMs+3EsaQmwf8uIwWC+fGoPkl4/7+TFJn10rga7ixjthfNsOsBAM3NIxg
+qtn7fPFNdY8X6iPloUZtd4APQBcGYDGlviE6fyvGfR9Azu2FjqArVR/IIuJuaOao
+Lo+z+EQ8ZJUwuykkAsA4PWwrE/Y31gB45sAC6BOBWcsWeCmJgd/sIbVjsEB9uC1M
+Ihp/CxW6z23/KKrnJpa+jLtaQ0J7vG2GUhn+7WuuSqnzXKivsJjY02dTt2drNzgu
+Zm1rpqDfbdZ7JKaUzcweIW5MG9Jcc86EiTZvBf9SrEtwXX3OO8ZD5ggD17gkPUT/
+EBQzORg4QMlKFlCz0dqVdg==
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-before-cutoff.pem.certspec

@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+subject:ee-from-whitelist-before-cutoff
+validity:20140601-20500101
+extension:subjectAlternativeName:symantec-whitelist-before-cutoff.example.com

security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-after-cutoff.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRzCCAjGgAwIBAgIUKWMZImQYpUD8orDGzVkiD2/4DU4wCwYJKoZIhvcNAQEL
+ME8xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9Bbm90aGVyIENBIEluYy4xJjAkBgNV
+BAMTHVNvbWUgT3RoZXIgQ0EgVGhhbiBUaGUgT3RoZXJzMCIYDzIwMTYwNjAxMDAw
+MDAwWhgPMjA1MDAxMDEwMDAwMDBaMCoxKDAmBgNVBAMMH2VlLW5vdC13aGl0ZWxp
+c3RlZC1hZnRlci1jdXRvZmYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a
+hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t
+FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o
+N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d
+JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4
+s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjQDA+MDwGA1UdEQQ1MDOCMXN5bWFudGVj
+LW5vdC13aGl0ZWxpc3RlZC1hZnRlci1jdXRvZmYuZXhhbXBsZS5jb20wCwYJKoZI
+hvcNAQELA4IBAQANqjDZ6fpwQHHPs0U5hB5h/twTX2TXcth1MNSHBY5js33vMKSZ
+rhMK7YtAwEeSqUpvPGJSjq84PSUWJRHZn07Tt0NiCSTC98sZCr/+j0lRBYDF0Zd4
+KY7mBT3GHDKKRiF353Qgw/Shv3N0VxgTHY4qpQFjiQ1Ihz250xbqrNlXNF18LTng
+JQVC0LNhPl7jf5kbSGZBL6upTOhz24eCbZQBetF+cGH5iurSz8o6CAUDtK6nDRpP
+jKGv0euysS72GXk5kG8Hnv+qMGBJKZwOytilawyWeKW+wzPmgWA2QEP99JxhUcrA
+PPxN+ZhdTQahKiizefnJeouEoyU24ufgX7xr
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-after-cutoff.pem.certspec

@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+subject:ee-not-whitelisted-after-cutoff
+validity:20160601-20500101
+extension:subjectAlternativeName:symantec-not-whitelisted-after-cutoff.example.com

security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-before-cutoff.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSTCCAjOgAwIBAgIUA8x0aNBUQ08bBOtgaAQjVSarFUUwCwYJKoZIhvcNAQEL
+ME8xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9Bbm90aGVyIENBIEluYy4xJjAkBgNV
+BAMTHVNvbWUgT3RoZXIgQ0EgVGhhbiBUaGUgT3RoZXJzMCIYDzIwMTQwNjAxMDAw
+MDAwWhgPMjA1MDAxMDEwMDAwMDBaMCsxKTAnBgNVBAMMIGVlLW5vdC13aGl0ZWxp
+c3RlZC1iZWZvcmUtY3V0b2ZmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu
+Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO
+7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf
+qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt
+HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx
+uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo0EwPzA9BgNVHREENjA0gjJzeW1hbnRl
+Yy1ub3Qtd2hpdGVsaXN0ZWQtYmVmb3JlLWN1dG9mZi5leGFtcGxlLmNvbTALBgkq
+hkiG9w0BAQsDggEBAE0WCx+/EFCXGQwZDBY0W0AJ4zvHD8m1BNzFi0UPS1QwSVch
+Ic9jMbwehw0ONGNzpHKdEm4kpIrzzqdGuV2+Zohw2uqVhHuE2VFUDp24gW+MTE9g
+UAdwTv5oKsQrbY3bXY8ssKw2qoLYGwDHJbrKn+QtJeEklDWPLO2Xhpy9v5Ug8pvk
+pSRHyS2KEFSvHLAdpWUE37bXqHaTEM3xT/OEwqsXYzPgCX2RVy6Z9Z/vOz4/qHN7
+WrYmhQ+y+z0QlYl3N4Vo3kJc8mBJzMgSwgrZGHUbSISOiLC3F4qfkoEiZ4AY2ZkH
+hM8CK6afklgNCFamt6Q0/lr9pVbww2l5Cs9cMq8=
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-before-cutoff.pem.certspec

@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+subject:ee-not-whitelisted-before-cutoff
+validity:20140601-20500101
+extension:subjectAlternativeName:symantec-not-whitelisted-before-cutoff.example.com

security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-other.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPDCCAiagAwIBAgIUSeAhQo5HgA/QPjSlL7bpwnAVbWIwCwYJKoZIhvcNAQEL
+MEIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQD
+ExJHZW9UcnVzdCBHbG9iYWwgQ0EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEw
+MTAwMDAwMFowTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3RoZXIgQ0EgSW5j
+LjEmMCQGA1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhlcnMwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+HTAbMAsGA1UdDwQEAwIBBjAMBgNVHRMEBTADAQH/MAsGCSqGSIb3DQEBCwOCAQEA
+a7Im726SOtReXjBQnRHJIOXOx/bLStaQRg1Q+eDD2ThLu6F86D8NHmuu/eCPspXI
++Yk8yCY7vHmRV6kzeBM5PRKND5DY1ryzAA3YLIo1TZxd2wkoyBHlwx0tYmKXrTB/
+Mc7BM+8PsFrFOulZYIdsoTeFSjACADrZBLDH9ppN9cNlzJfm/kUo/2rxJsaz5rU3
+xidZSUl5y9apuRHmV2uGlDlTsWQFQq05xeyPsQcI077Q4okmgZvC1flweoquIkc7
+GEQT0hahe8ZhfQXZo3xRBZoaCieFcPYbnwtaVH3Zn4hw+VcFAAl2PqB3ING0fTtc
+OCqKSIcSjbpx9ukW4vmpxg==
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-other.pem.certspec

@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+subject:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,

security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-whitelisted.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNjCCAiCgAwIBAgIUO4dkpdcTqBgGNMyqCmUAgib+sNQwCwYJKoZIhvcNAQEL
+MEIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQD
+ExJHZW9UcnVzdCBHbG9iYWwgQ0EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEw
+MTAwMDAwMFowSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAj
+BgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo
+V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p
+0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk
+fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh
+W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI
+TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsG
+A1UdDwQEAwIBBjAMBgNVHRMEBTADAQH/MAsGCSqGSIb3DQEBCwOCAQEALIJ2Il50
+8ME2FmcjWPF6xjwLgyMNbhVjhYW4BeqH/pGq1cDt9ZT59aWsGVJqEa0VQHwtcgFY
+1JFuQqQkFZ+/9OmRVXC+EM99L593yrQLzoi8XKIgKS4w+EE1Cz+W583SWtFXgmvC
+P0C5awrTCs9QM0gRF1huJvusu29XTQL5a/3g4F2dtvT95j/XX4K4ddV0sv+sAmbC
+wn732djB9j6VJLfpUfJCeOWBHbMMijEgK0+1hW7BoE4Oa0592tLCvfyx4L5Yf9Nc
+B445/1MMZ/tf/ZSbatzaq7S/p40ez+NvZwfg3Wy3dHqRDeaNIxEf3hE6gAcGexw7
+1LfMGE1Jmr7wyQ==
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-whitelisted.pem.certspec

@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+subject:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,

security/manager/ssl/tests/unit/test_symantec_apple_google/moz.build

@@ -0,0 +1,20 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# Temporarily disabled. See bug 1256495.
+#test_certificates = (
+#    'default-ee.pem',
+#    'ee-from-whitelist-after-cutoff.pem',
+#    'ee-from-whitelist-before-cutoff.pem',
+#    'ee-not-whitelisted-after-cutoff.pem',
+#    'ee-not-whitelisted-before-cutoff.pem',
+#    'intermediate-other.pem',
+#    'intermediate-whitelisted.pem',
+#    'test-ca.pem',
+#)
+#
+#for test_certificate in test_certificates:
+#    GeneratedTestCertificate(test_certificate)

security/manager/ssl/tests/unit/test_symantec_apple_google/test-ca.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDLzCCAhmgAwIBAgIUJ7UgecGaZcRZ3+HplOj02+8ZfAswCwYJKoZIhvcNAQEL
+MEIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQD
+ExJHZW9UcnVzdCBHbG9iYWwgQ0EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEw
+MTAwMDAwMFowQjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4x
+GzAZBgNVBAMTEkdlb1RydXN0IEdsb2JhbCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl
+qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg
+w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx
+V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1
+MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs
+vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswCwYDVR0PBAQD
+AgEGMAwGA1UdEwQFMAMBAf8wCwYJKoZIhvcNAQELA4IBAQC1TOSmG2bkZ5sJXNvm
+GehL8NJIhE8W/x4hFyfVz6Hh5RtSMCpfFppYE8ulL8Vi3a0ddRyy1T+/KyQu29Kx
+y3o9kYWkE6Z4fhfGfODsSFmLdJVd2jyX5NFelEHgQJLvOLzW4cYzfl1WnRpjL2XC
+5UsNnQuJFQHLZKWc4+W+uG7kRdRsOig7wQcOF1Patz3CagGOyuHB62bjrGs02hSF
+ciGUENaRDkTdbiAzUdaUOU9DIZ1IUUhbn9gxACKt4P6QLlkT4BWlyplWbjfu5Y4T
+StpExt/mn/V0uclWpnJRNdfrqLAIXAXcKa+RWHdy0NRcklSAAz9L7hopr8dAEv40
+YKVN
+-----END CERTIFICATE-----

security/manager/ssl/tests/unit/test_symantec_apple_google/test-ca.pem.certspec

@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+subject:printableString/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,

security/manager/ssl/tests/unit/test_symantec_apple_google_unaffected.js

@@ -0,0 +1,22 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests handling of certificates issued by Symantec. If such
+// certificates have a notBefore before 1 June 2016, and are not
+// issued by an Apple or Google intermediate, they should emit a
+// warning to the console.
+
+function shouldNotBeImminentlyDistrusted(aTransportSecurityInfo) {
+  let isDistrust = aTransportSecurityInfo.securityState &
+                     Ci.nsIWebProgressListener.STATE_CERT_DISTRUST_IMMINENT;
+  Assert.ok(!isDistrust, "This host should not be imminently distrusted");
+}
+
+do_get_profile();
+
+add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+add_connection_test("ocsp-stapling-good.example.com",
+                    PRErrorCodeSuccess, null, shouldNotBeImminentlyDistrusted);

security/manager/ssl/tests/unit/tlsserver/cmd/SymantecSanctionsServer.cpp

@@ -0,0 +1,96 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server that uses various bad certificates.
+// The client is expected to connect, initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to), and verify the certificate.
+// If all is good, the client then sends one encrypted byte and receives that
+// same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <stdio.h>
+
+#include "TLSServer.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct SymantecCertHost
+{
+  const char *mHostName;
+  const char *mCertName;
+};
+
+// Hostname, cert nickname pairs.
+const SymantecCertHost sSymantecCertHosts[] =
+{
+  { "symantec-whitelist-after-cutoff.example.com", "ee-from-whitelist-after-cutoff" },
+  { "symantec-whitelist-before-cutoff.example.com", "ee-from-whitelist-before-cutoff" },
+  { "symantec-not-whitelisted-after-cutoff.example.com", "ee-not-whitelisted-after-cutoff" },
+  { "symantec-not-whitelisted-before-cutoff.example.com", "ee-not-whitelisted-before-cutoff" },
+  { "symantec-unaffected.example.com", "ee-unaffected" },
+  { nullptr, nullptr }
+};
+
+int32_t
+DoSNISocketConfigBySubjectCN(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+                             uint32_t aSrvNameArrSize)
+{
+  for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
+    UniquePORTString name(
+      static_cast<char*>(PORT_ZAlloc(aSrvNameArr[i].len + 1)));
+    if (name) {
+      PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len);
+      if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr)
+            == SECSuccess) {
+        return 0;
+      }
+    }
+  }
+
+  return SSL_SNI_SEND_ALERT;
+}
+
+int32_t
+DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+                  uint32_t aSrvNameArrSize, void* aArg)
+{
+  const SymantecCertHost* host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize,
+                                               sSymantecCertHosts);
+  if (!host) {
+    // No static cert <-> hostname mapping found. This happens when we use a
+    // collection of certificates in a given directory and build a cert DB at
+    // runtime, rather than using an NSS cert DB populated at build time.
+    // (This will be the default in the future.)
+    // For all given server names, check if the runtime-built cert DB contains
+    // a certificate with a matching subject CN.
+    return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize);
+  }
+
+  if (gDebugLevel >= DEBUG_VERBOSE) {
+    fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+  }
+
+  UniqueCERTCertificate cert;
+  SSLKEAType certKEA;
+  if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName,
+                                                    &cert, &certKEA)) {
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  return 0;
+}
+
+int
+main(int argc, char *argv[])
+{
+  if (argc != 2) {
+    fprintf(stderr, "usage: %s <NSS DB directory>\n", argv[0]);
+    return 1;
+  }
+
+  return StartServer(argv[1], DoSNISocketConfig, nullptr);
+}

security/manager/ssl/tests/unit/tlsserver/cmd/moz.build

@@ -8,6 +8,7 @@ GeckoSimplePrograms([
     'BadCertServer',
     'GenerateOCSPResponse',
     'OCSPStaplingServer',
+    'SymantecSanctionsServer',
 ], linkage=None)
 
 LOCAL_INCLUDES += [

security/manager/ssl/tests/unit/xpcshell.ini

@@ -34,6 +34,7 @@ support-files =
   test_signed_apps/**
   test_signed_dir/**
   test_startcom_wosign/**
+  test_symantec_apple_google/**
   test_validity/**
   tlsserver/**
 
@@ -172,6 +173,10 @@ skip-if = toolkit == 'android'
 [test_sts_preload_dynamic.js]
 [test_sts_preloadlist_perwindowpb.js]
 [test_sts_preloadlist_selfdestruct.js]
+[test_symantec_apple_google.js]
+run-sequentially = hardcoded ports
+[test_symantec_apple_google_unaffected.js]
+run-sequentially = hardcoded ports
 [test_validity.js]
 run-sequentially = hardcoded ports
 [test_x509.js]

testing/xpcshell/remotexpcshelltests.py

@@ -420,7 +420,8 @@ class XPCShellRemote(xpcshell.XPCShellTests, object):
                     "pk12util",
                     "BadCertServer",
                     "OCSPStaplingServer",
-                    "GenerateOCSPResponse"]
+                    "GenerateOCSPResponse",
+                    "SymantecSanctionsServer"]
         for fname in binaries:
             local = os.path.join(self.localBin, fname)
             if os.path.isfile(local):

toolkit/mozapps/installer/upload-files.mk

@@ -278,6 +278,7 @@ NO_PKG_FILES += \
 	pk12util* \
 	BadCertServer* \
 	OCSPStaplingServer* \
+	SymantecSanctionsServer* \
 	GenerateOCSPResponse* \
 	chrome/chrome.rdf \
 	chrome/app-chrome.manifest \