Bug 622332 - Show cert SHA-256 fingerprint and remove MD5 fingerprint. r=keeler

mobile/android/components/NSSDialogService.js

@@ -141,8 +141,8 @@ NSSDialogs.prototype = {
                           ["certmgr.begins", aCert.validity.notBeforeLocalDay,
                            "certmgr.expires", aCert.validity.notAfterLocalDay])})
      .addLabel({ label: this.certInfoSection("certmgr.fingerprints.label",
-                          ["certmgr.certdetail.sha1fingerprint", aCert.sha1Fingerprint,
+                          ["certmgr.certdetail.sha256fingerprint", aCert.sha256Fingerprint,
-                           "certmgr.certdetail.md5fingerprint", aCert.md5Fingerprint], false) });
+                           "certmgr.certdetail.sha1fingerprint", aCert.sha1Fingerprint], false) });
     this.showPrompt(p);
   },
 

mobile/android/locales/en-US/chrome/pippki.properties

@@ -35,7 +35,7 @@ certmgr.certdetail.cn=Common Name (CN)
 certmgr.certdetail.o=Organization (O)
 certmgr.certdetail.ou=Organizational Unit (OU)
 certmgr.certdetail.serialnumber=Serial Number
+certmgr.certdetail.sha256fingerprint=SHA-256 Fingerprint
 certmgr.certdetail.sha1fingerprint=SHA1 Fingerprint
-certmgr.certdetail.md5fingerprint=MD5 Fingerprint
 certmgr.begins=Begins On
 certmgr.expires=Expires On

security/manager/locales/en-US/chrome/pippki/certManager.dtd

@@ -34,8 +34,8 @@
 <!ENTITY certmgr.certdetail.o                 "Organization (O)">
 <!ENTITY certmgr.certdetail.ou                "Organizational Unit (OU)">
 <!ENTITY certmgr.certdetail.serialnumber      "Serial Number">
+<!ENTITY certmgr.certdetail.sha256fingerprint "SHA-256 Fingerprint">
 <!ENTITY certmgr.certdetail.sha1fingerprint   "SHA1 Fingerprint">
-<!ENTITY certmgr.certdetail.md5fingerprint    "MD5 Fingerprint">
 
 <!ENTITY certmgr.editcert.title               "Edit Security Certificate Settings">
 <!ENTITY certmgr.editcacert.title             "Edit CA certificate trust settings">

security/manager/pki/resources/content/viewCertDetails.js

@@ -241,10 +241,10 @@ function DisplayGeneralDataFromCert(cert)
   addAttributeFromCert('orgunit', cert.organizationalUnit);
   //  Serial Number
   addAttributeFromCert('serialnumber',cert.serialNumber);
+  // SHA-256 Fingerprint
+  addAttributeFromCert('sha256fingerprint', cert.sha256Fingerprint);
   //  SHA1 Fingerprint
   addAttributeFromCert('sha1fingerprint',cert.sha1Fingerprint);
-  //  MD5 Fingerprint
-  addAttributeFromCert('md5fingerprint',cert.md5Fingerprint);
   // Validity start
   addAttributeFromCert('validitystart', cert.validity.notBeforeLocalDay);
   // Validity end

security/manager/pki/resources/content/viewCertDetails.xul

@@ -87,12 +87,15 @@
           <spacer/>
         </row>
         <row>
-          <label value="&certmgr.certdetail.sha1fingerprint;"/>
+          <label value="&certmgr.certdetail.sha256fingerprint;"/>
-          <textbox id="sha1fingerprint" class="plain" readonly="true" style="min-width:34em;"/>
+          <hbox>
+            <textbox id="sha256fingerprint" class="plain" readonly="true" multiline="true"
+                     style="height: 6ex; width: 48ch; font-family: monospace;"/>
+          </hbox>
         </row>
         <row>
-          <label value="&certmgr.certdetail.md5fingerprint;"/>
+          <label value="&certmgr.certdetail.sha1fingerprint;"/>
-          <textbox id="md5fingerprint" class="plain" readonly="true"/>
+          <textbox id="sha1fingerprint" class="plain" readonly="true" style="min-width:34em;"/>
         </row>
       </rows>
     </grid>

security/manager/ssl/public/nsIX509Cert.idl

@@ -13,7 +13,7 @@ interface nsIASN1Object;
 /**
  * This represents a X.509 certificate.
  */
-[scriptable, uuid(6286dd8c-c1a1-11e3-941d-180373d97f24)]
+[scriptable, uuid(900d6442-d8bc-11e3-aa51-0800273c564f)]
 interface nsIX509Cert : nsISupports {
 
   /**
@@ -67,18 +67,18 @@ interface nsIX509Cert : nsISupports {
    */
   readonly attribute AString organizationalUnit;
 
+  /**
+   *  The fingerprint of the certificate's DER encoding,
+   *  calculated using the SHA-256 algorithm.
+   */
+  readonly attribute AString sha256Fingerprint;
+
   /**
    *  The fingerprint of the certificate's public key,
    *  calculated using the SHA1 algorithm.
    */
   readonly attribute AString sha1Fingerprint;
 
-  /**
-   *  The fingerprint of the certificate's public key,
-   *  calculated using the MD5 algorithm.
-   */
-  readonly attribute AString md5Fingerprint;
-
   /**
    *  A human readable name identifying the hardware or
    *  software token the certificate is stored on.

security/manager/ssl/src/nsNSSCertificate.cpp

@@ -997,52 +997,43 @@ nsNSSCertificate::GetSerialNumber(nsAString& _serialNumber)
   return NS_ERROR_FAILURE;
 }
 
-NS_IMETHODIMP
+nsresult
-nsNSSCertificate::GetSha1Fingerprint(nsAString& _sha1Fingerprint)
+nsNSSCertificate::GetCertificateHash(nsAString& aFingerprint, SECOidTag aHashAlg)
 {
   nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown())
+  if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
-
-  _sha1Fingerprint.Truncate();
-  unsigned char fingerprint[20];
-  SECItem fpItem;
-  memset(fingerprint, 0, sizeof fingerprint);
-  PK11_HashBuf(SEC_OID_SHA1, fingerprint,
-               mCert->derCert.data, mCert->derCert.len);
-  fpItem.data = fingerprint;
-  fpItem.len = SHA1_LENGTH;
-  char* fpStr = CERT_Hexify(&fpItem, 1);
-  if (fpStr) {
-    _sha1Fingerprint = NS_ConvertASCIItoUTF16(fpStr);
-    PORT_Free(fpStr);
-    return NS_OK;
   }
-  return NS_ERROR_FAILURE;
+
+  aFingerprint.Truncate();
+  Digest digest;
+  nsresult rv = digest.DigestBuf(aHashAlg, mCert->derCert.data,
+                                 mCert->derCert.len);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  // CERT_Hexify's second argument is an int that is interpreted as a boolean
+  char* fpStr = CERT_Hexify(const_cast<SECItem*>(&digest.get()), 1);
+  if (!fpStr) {
+    return NS_ERROR_FAILURE;
+  }
+
+  aFingerprint.AssignASCII(fpStr);
+  PORT_Free(fpStr);
+  return NS_OK;
 }
 
 NS_IMETHODIMP
-nsNSSCertificate::GetMd5Fingerprint(nsAString& _md5Fingerprint)
+nsNSSCertificate::GetSha256Fingerprint(nsAString& aSha256Fingerprint)
 {
-  nsNSSShutDownPreventionLock locker;
+  return GetCertificateHash(aSha256Fingerprint, SEC_OID_SHA256);
-  if (isAlreadyShutDown())
+}
-    return NS_ERROR_NOT_AVAILABLE;
 
-  _md5Fingerprint.Truncate();
+NS_IMETHODIMP
-  unsigned char fingerprint[20];
+nsNSSCertificate::GetSha1Fingerprint(nsAString& _sha1Fingerprint)
-  SECItem fpItem;
+{
-  memset(fingerprint, 0, sizeof fingerprint);
+  return GetCertificateHash(_sha1Fingerprint, SEC_OID_SHA1);
-  PK11_HashBuf(SEC_OID_MD5, fingerprint,
-               mCert->derCert.data, mCert->derCert.len);
-  fpItem.data = fingerprint;
-  fpItem.len = MD5_LENGTH;
-  char* fpStr = CERT_Hexify(&fpItem, 1);
-  if (fpStr) {
-    _md5Fingerprint = NS_ConvertASCIItoUTF16(fpStr);
-    PORT_Free(fpStr);
-    return NS_OK;
-  }
-  return NS_ERROR_FAILURE;
 }
 
 NS_IMETHODIMP

security/manager/ssl/src/nsNSSCertificate.h

@@ -65,6 +65,8 @@ private:
   void destructorSafeDestroyNSSReference();
   bool InitFromDER(char* certDER, int derLen);  // return false on failure
 
+  nsresult GetCertificateHash(nsAString& aFingerprint, SECOidTag aHashAlg);
+
   enum {
     ev_status_unknown = -1, ev_status_invalid = 0, ev_status_valid = 1
   } mCachedEVStatus;

security/manager/ssl/src/nsNSSCertificateFakeTransport.cpp

@@ -162,14 +162,14 @@ nsNSSCertificateFakeTransport::GetSerialNumber(nsAString &_serialNumber)
 }
 
 NS_IMETHODIMP
-nsNSSCertificateFakeTransport::GetSha1Fingerprint(nsAString &_sha1Fingerprint)
+nsNSSCertificateFakeTransport::GetSha256Fingerprint(nsAString& aSha256Fingerprint)
 {
   NS_NOTREACHED("Unimplemented on content process");
   return NS_ERROR_NOT_IMPLEMENTED;
 }
 
 NS_IMETHODIMP
-nsNSSCertificateFakeTransport::GetMd5Fingerprint(nsAString &_md5Fingerprint)
+nsNSSCertificateFakeTransport::GetSha1Fingerprint(nsAString& aSha1Fingerprint)
 {
   NS_NOTREACHED("Unimplemented on content process");
   return NS_ERROR_NOT_IMPLEMENTED;

toolkit/mozapps/update/tests/chrome/test_0121_check_requireBuiltinCert.xul

@@ -30,7 +30,7 @@ Components.utils.import("resource://gre/modules/CertUtils.jsm");
 
 const CERT_ATTRS = ["nickname", "emailAddress", "subjectName", "commonName",
                     "organization", "organizationalUnit", "sha1Fingerprint",
-                    "md5Fingerprint", "tokenName", "issuerName", "serialNumber",
+                    "sha256Fingerprint", "tokenName", "issuerName", "serialNumber",
                     "issuerCommonName", "issuerOrganization",
                     "issuerOrganizationUnit", "dbKey", "windowTitle"];
 

toolkit/mozapps/update/tests/chrome/test_0122_check_allowNonBuiltinCert_validCertAttrs.xul

@@ -30,7 +30,7 @@ Components.utils.import("resource://gre/modules/CertUtils.jsm");
 
 const CERT_ATTRS = ["nickname", "emailAddress", "subjectName", "commonName",
                     "organization", "organizationalUnit", "sha1Fingerprint",
-                    "md5Fingerprint", "tokenName", "issuerName", "serialNumber",
+                    "sha256Fingerprint", "tokenName", "issuerName", "serialNumber",
                     "issuerCommonName", "issuerOrganization",
                     "issuerOrganizationUnit", "dbKey", "windowTitle"];