зеркало из https://github.com/mozilla/gecko-dev.git
bug 1034124 - allow overrides when a CA cert is used as an end-entity cert r=briansmith
This commit is contained in:
Родитель
800c5b4b9f
Коммит
d026d78753
|
@ -81,6 +81,9 @@ let SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = (SEC_ERROR_BASE + 176);
|
|||
let SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE;
|
||||
let SSL_ERROR_BAD_CERT_DOMAIN = (SSL_ERROR_BASE + 12);
|
||||
|
||||
let MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE;
|
||||
let MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = (MOZILLA_PKIX_ERROR_BASE + 1);
|
||||
|
||||
function getErrorClass(errorCode) {
|
||||
let NSPRCode = -1 * NS_ERROR_GET_CODE(errorCode);
|
||||
|
||||
|
@ -92,6 +95,7 @@ function getErrorClass(errorCode) {
|
|||
case SSL_ERROR_BAD_CERT_DOMAIN:
|
||||
case SEC_ERROR_EXPIRED_CERTIFICATE:
|
||||
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
|
||||
case MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
|
||||
return Ci.nsINSSErrorsService.ERROR_CLASS_BAD_CERT;
|
||||
default:
|
||||
return Ci.nsINSSErrorsService.ERROR_CLASS_SSL_PROTOCOL;
|
||||
|
|
|
@ -141,6 +141,7 @@ NSSErrorsService::GetErrorClass(nsresult aXPCOMErrorCode, uint32_t *aErrorClass)
|
|||
case SSL_ERROR_BAD_CERT_DOMAIN:
|
||||
case SEC_ERROR_EXPIRED_CERTIFICATE:
|
||||
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
|
||||
*aErrorClass = ERROR_CLASS_BAD_CERT;
|
||||
break;
|
||||
// Non-overridable errors.
|
||||
|
|
|
@ -97,6 +97,7 @@
|
|||
#include <cstring>
|
||||
|
||||
#include "pkix/pkixtypes.h"
|
||||
#include "pkix/pkixnss.h"
|
||||
#include "CertVerifier.h"
|
||||
#include "CryptoTask.h"
|
||||
#include "ExtendedValidation.h"
|
||||
|
@ -300,9 +301,10 @@ MapCertErrorToProbeValue(PRErrorCode errorCode)
|
|||
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: return 8;
|
||||
case SSL_ERROR_BAD_CERT_DOMAIN: return 9;
|
||||
case SEC_ERROR_EXPIRED_CERTIFICATE: return 10;
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY: return 11;
|
||||
}
|
||||
NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue "
|
||||
"handle everything in PRErrorCodeToOverrideType?");
|
||||
"handle everything in DetermineCertOverrideErrors?");
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -328,6 +330,7 @@ DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
|
|||
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
|
||||
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
|
||||
case SEC_ERROR_UNKNOWN_ISSUER:
|
||||
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
|
||||
{
|
||||
collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED;
|
||||
errorCodeTrust = defaultErrorCodeToReport;
|
||||
|
|
|
@ -60,6 +60,7 @@ const SSL_ERROR_BAD_CERT_DOMAIN = SSL_ERROR_BASE + 12;
|
|||
const SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17;
|
||||
|
||||
const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = MOZILLA_PKIX_ERROR_BASE + 0;
|
||||
const MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = MOZILLA_PKIX_ERROR_BASE + 1;
|
||||
const MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = MOZILLA_PKIX_ERROR_BASE + 2; // -16382
|
||||
|
||||
// Supported Certificate Usages
|
||||
|
|
|
@ -59,8 +59,9 @@ function check_telemetry() {
|
|||
do_check_eq(histogram.counts[ 6], 0); // SEC_ERROR_UNTRUSTED_CERT
|
||||
do_check_eq(histogram.counts[ 7], 0); // SEC_ERROR_INADEQUATE_KEY_USAGE
|
||||
do_check_eq(histogram.counts[ 8], 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
|
||||
do_check_eq(histogram.counts[ 9], 4); // SSL_ERROR_BAD_CERT_DOMAIN
|
||||
do_check_eq(histogram.counts[ 9], 5); // SSL_ERROR_BAD_CERT_DOMAIN
|
||||
do_check_eq(histogram.counts[10], 5); // SEC_ERROR_EXPIRED_CERTIFICATE
|
||||
do_check_eq(histogram.counts[11], 2); // MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
|
||||
run_next_test();
|
||||
}
|
||||
|
||||
|
@ -121,6 +122,10 @@ function add_simple_tests() {
|
|||
add_cert_override_test("self-signed-end-entity-with-cA-true.example.com",
|
||||
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
|
||||
|
||||
add_cert_override_test("ca-used-as-end-entity.example.com",
|
||||
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
|
||||
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY));
|
||||
}
|
||||
|
||||
function add_combo_tests() {
|
||||
|
@ -147,6 +152,11 @@ function add_combo_tests() {
|
|||
Ci.nsICertOverrideService.ERROR_TIME,
|
||||
getXPCOMStatusFromNSS(
|
||||
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
|
||||
|
||||
add_cert_override_test("ca-used-as-end-entity-name-mismatch.example.com",
|
||||
Ci.nsICertOverrideService.ERROR_MISMATCH |
|
||||
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
|
||||
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY));
|
||||
}
|
||||
|
||||
function add_distrust_tests() {
|
||||
|
@ -160,6 +170,10 @@ function add_distrust_tests() {
|
|||
add_distrust_override_test("tlsserver/other-test-ca.der",
|
||||
"untrustedissuer.example.com",
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER));
|
||||
|
||||
add_distrust_override_test("tlsserver/test-ca.der",
|
||||
"ca-used-as-end-entity.example.com",
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER));
|
||||
}
|
||||
|
||||
function add_distrust_override_test(certFileName, hostName, expectedResult) {
|
||||
|
|
|
@ -143,6 +143,9 @@ function add_tests(certDB, otherTestCA) {
|
|||
add_ocsp_test("keysize-ocsp-delegated.example.com",
|
||||
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE),
|
||||
true);
|
||||
|
||||
add_ocsp_test("revoked-ca-cert-used-as-end-entity.example.com",
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), true);
|
||||
}
|
||||
|
||||
function check_ocsp_stapling_telemetry() {
|
||||
|
@ -154,7 +157,7 @@ function check_ocsp_stapling_telemetry() {
|
|||
do_check_eq(histogram.counts[1], 5); // 5 connections with a good response
|
||||
do_check_eq(histogram.counts[2], 18); // 18 connections with no stapled resp.
|
||||
do_check_eq(histogram.counts[3], 0); // 0 connections with an expired response
|
||||
do_check_eq(histogram.counts[4], 20); // 20 connections with bad responses
|
||||
do_check_eq(histogram.counts[4], 21); // 21 connections with bad responses
|
||||
run_next_test();
|
||||
}
|
||||
|
||||
|
|
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/cert9.db
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/cert9.db
Двоичный файл не отображается.
|
@ -43,6 +43,8 @@ const BadCertHost sBadCertHosts[] =
|
|||
{ "inadequatekeyusage.example.com", "inadequatekeyusage" },
|
||||
{ "selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU" },
|
||||
{ "self-signed-end-entity-with-cA-true.example.com", "self-signed-EE-with-cA-true" },
|
||||
{ "ca-used-as-end-entity.example.com", "ca-used-as-end-entity" },
|
||||
{ "ca-used-as-end-entity-name-mismatch.example.com", "ca-used-as-end-entity" },
|
||||
// All of include-subdomains.pinning.example.com is pinned to End Entity
|
||||
// Test Cert with nick localhostAndExampleCom. Any other nick will only
|
||||
// pass pinning when security.cert_pinning.enforcement.level != strict and
|
||||
|
|
|
@ -53,6 +53,7 @@ const OCSPHost sOCSPHosts[] =
|
|||
{ "ocsp-stapling-delegated-wrong-extKeyUsage.example.com", ORTDelegatedIncluded, "invalidDelegatedSignerWrongExtKeyUsage" },
|
||||
{ "ocsp-stapling-ancient-valid.example.com", ORTAncientAlmostExpired, nullptr},
|
||||
{ "keysize-ocsp-delegated.example.com", ORTDelegatedIncluded, "badKeysizeDelegatedSigner" },
|
||||
{ "revoked-ca-cert-used-as-end-entity.example.com", ORTRevoked, "ca-used-as-end-entity" },
|
||||
{ nullptr, ORTNull, nullptr }
|
||||
};
|
||||
|
||||
|
|
|
@ -279,6 +279,7 @@ make_delegated invalidDelegatedSignerKeyUsageCrlSigning 'CN=Test Invalid Delegat
|
|||
make_delegated invalidDelegatedSignerWrongExtKeyUsage 'CN=Test Invalid Delegated Responder Wrong extKeyUsage' testCA "--extKeyUsage codeSigning"
|
||||
|
||||
make_INT self-signed-EE-with-cA-true 'CN=Test Self-signed End-entity with CA true' unused "-x -8 self-signed-end-entity-with-cA-true.example.com"
|
||||
make_INT ca-used-as-end-entity 'CN=Test Intermediate used as End-Entity' testCA "-8 ca-used-as-end-entity.example.com"
|
||||
|
||||
make_delegated badKeysizeDelegatedSigner 'CN=Bad Keysize Delegated Responder' testCA "--extKeyUsage ocspResponder -g 1008"
|
||||
|
||||
|
|
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/key4.db
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/key4.db
Двоичный файл не отображается.
Загрузка…
Ссылка в новой задаче