bug 1034124 - allow overrides when a CA cert is used as an end-entity cert r=briansmith

This commit is contained in:
David Keeler 2014-08-22 12:07:08 -07:00
Родитель 800c5b4b9f
Коммит d026d78753
11 изменённых файлов: 33 добавлений и 3 удалений

Просмотреть файл

@ -81,6 +81,9 @@ let SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = (SEC_ERROR_BASE + 176);
let SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE;
let SSL_ERROR_BAD_CERT_DOMAIN = (SSL_ERROR_BASE + 12);
let MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE;
let MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = (MOZILLA_PKIX_ERROR_BASE + 1);
function getErrorClass(errorCode) {
let NSPRCode = -1 * NS_ERROR_GET_CODE(errorCode);
@ -92,6 +95,7 @@ function getErrorClass(errorCode) {
case SSL_ERROR_BAD_CERT_DOMAIN:
case SEC_ERROR_EXPIRED_CERTIFICATE:
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
case MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
return Ci.nsINSSErrorsService.ERROR_CLASS_BAD_CERT;
default:
return Ci.nsINSSErrorsService.ERROR_CLASS_SSL_PROTOCOL;

Просмотреть файл

@ -141,6 +141,7 @@ NSSErrorsService::GetErrorClass(nsresult aXPCOMErrorCode, uint32_t *aErrorClass)
case SSL_ERROR_BAD_CERT_DOMAIN:
case SEC_ERROR_EXPIRED_CERTIFICATE:
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
*aErrorClass = ERROR_CLASS_BAD_CERT;
break;
// Non-overridable errors.

Просмотреть файл

@ -97,6 +97,7 @@
#include <cstring>
#include "pkix/pkixtypes.h"
#include "pkix/pkixnss.h"
#include "CertVerifier.h"
#include "CryptoTask.h"
#include "ExtendedValidation.h"
@ -300,9 +301,10 @@ MapCertErrorToProbeValue(PRErrorCode errorCode)
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: return 8;
case SSL_ERROR_BAD_CERT_DOMAIN: return 9;
case SEC_ERROR_EXPIRED_CERTIFICATE: return 10;
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY: return 11;
}
NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue "
"handle everything in PRErrorCodeToOverrideType?");
"handle everything in DetermineCertOverrideErrors?");
return 0;
}
@ -328,6 +330,7 @@ DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
case SEC_ERROR_UNKNOWN_ISSUER:
case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
{
collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED;
errorCodeTrust = defaultErrorCodeToReport;

Просмотреть файл

@ -60,6 +60,7 @@ const SSL_ERROR_BAD_CERT_DOMAIN = SSL_ERROR_BASE + 12;
const SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17;
const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = MOZILLA_PKIX_ERROR_BASE + 0;
const MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = MOZILLA_PKIX_ERROR_BASE + 1;
const MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = MOZILLA_PKIX_ERROR_BASE + 2; // -16382
// Supported Certificate Usages

Просмотреть файл

@ -59,8 +59,9 @@ function check_telemetry() {
do_check_eq(histogram.counts[ 6], 0); // SEC_ERROR_UNTRUSTED_CERT
do_check_eq(histogram.counts[ 7], 0); // SEC_ERROR_INADEQUATE_KEY_USAGE
do_check_eq(histogram.counts[ 8], 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
do_check_eq(histogram.counts[ 9], 4); // SSL_ERROR_BAD_CERT_DOMAIN
do_check_eq(histogram.counts[ 9], 5); // SSL_ERROR_BAD_CERT_DOMAIN
do_check_eq(histogram.counts[10], 5); // SEC_ERROR_EXPIRED_CERTIFICATE
do_check_eq(histogram.counts[11], 2); // MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
run_next_test();
}
@ -121,6 +122,10 @@ function add_simple_tests() {
add_cert_override_test("self-signed-end-entity-with-cA-true.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
add_cert_override_test("ca-used-as-end-entity.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY));
}
function add_combo_tests() {
@ -147,6 +152,11 @@ function add_combo_tests() {
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
add_cert_override_test("ca-used-as-end-entity-name-mismatch.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY));
}
function add_distrust_tests() {
@ -160,6 +170,10 @@ function add_distrust_tests() {
add_distrust_override_test("tlsserver/other-test-ca.der",
"untrustedissuer.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER));
add_distrust_override_test("tlsserver/test-ca.der",
"ca-used-as-end-entity.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER));
}
function add_distrust_override_test(certFileName, hostName, expectedResult) {

Просмотреть файл

@ -143,6 +143,9 @@ function add_tests(certDB, otherTestCA) {
add_ocsp_test("keysize-ocsp-delegated.example.com",
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE),
true);
add_ocsp_test("revoked-ca-cert-used-as-end-entity.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), true);
}
function check_ocsp_stapling_telemetry() {
@ -154,7 +157,7 @@ function check_ocsp_stapling_telemetry() {
do_check_eq(histogram.counts[1], 5); // 5 connections with a good response
do_check_eq(histogram.counts[2], 18); // 18 connections with no stapled resp.
do_check_eq(histogram.counts[3], 0); // 0 connections with an expired response
do_check_eq(histogram.counts[4], 20); // 20 connections with bad responses
do_check_eq(histogram.counts[4], 21); // 21 connections with bad responses
run_next_test();
}

Двоичный файл не отображается.

Просмотреть файл

@ -43,6 +43,8 @@ const BadCertHost sBadCertHosts[] =
{ "inadequatekeyusage.example.com", "inadequatekeyusage" },
{ "selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU" },
{ "self-signed-end-entity-with-cA-true.example.com", "self-signed-EE-with-cA-true" },
{ "ca-used-as-end-entity.example.com", "ca-used-as-end-entity" },
{ "ca-used-as-end-entity-name-mismatch.example.com", "ca-used-as-end-entity" },
// All of include-subdomains.pinning.example.com is pinned to End Entity
// Test Cert with nick localhostAndExampleCom. Any other nick will only
// pass pinning when security.cert_pinning.enforcement.level != strict and

Просмотреть файл

@ -53,6 +53,7 @@ const OCSPHost sOCSPHosts[] =
{ "ocsp-stapling-delegated-wrong-extKeyUsage.example.com", ORTDelegatedIncluded, "invalidDelegatedSignerWrongExtKeyUsage" },
{ "ocsp-stapling-ancient-valid.example.com", ORTAncientAlmostExpired, nullptr},
{ "keysize-ocsp-delegated.example.com", ORTDelegatedIncluded, "badKeysizeDelegatedSigner" },
{ "revoked-ca-cert-used-as-end-entity.example.com", ORTRevoked, "ca-used-as-end-entity" },
{ nullptr, ORTNull, nullptr }
};

Просмотреть файл

@ -279,6 +279,7 @@ make_delegated invalidDelegatedSignerKeyUsageCrlSigning 'CN=Test Invalid Delegat
make_delegated invalidDelegatedSignerWrongExtKeyUsage 'CN=Test Invalid Delegated Responder Wrong extKeyUsage' testCA "--extKeyUsage codeSigning"
make_INT self-signed-EE-with-cA-true 'CN=Test Self-signed End-entity with CA true' unused "-x -8 self-signed-end-entity-with-cA-true.example.com"
make_INT ca-used-as-end-entity 'CN=Test Intermediate used as End-Entity' testCA "-8 ca-used-as-end-entity.example.com"
make_delegated badKeysizeDelegatedSigner 'CN=Bad Keysize Delegated Responder' testCA "--extKeyUsage ocspResponder -g 1008"

Двоичный файл не отображается.