Bug 622332 - Show cert SHA-256 fingerprint and remove MD5 fingerprint. r=keeler

2014-05-22 00:52:00 +02:00 · 2014-05-22 00:52:00 +02:00 · d0a5ea9350
--- a/mobile/android/components/NSSDialogService.js
+++ b/mobile/android/components/NSSDialogService.js
@ -141,8 +141,8 @@ NSSDialogs.prototype = {
                          ["certmgr.begins", aCert.validity.notBeforeLocalDay,
                           "certmgr.expires", aCert.validity.notAfterLocalDay])})
     .addLabel({ label: this.certInfoSection("certmgr.fingerprints.label",
-                          ["certmgr.certdetail.sha1fingerprint", aCert.sha1Fingerprint,
-                           "certmgr.certdetail.md5fingerprint", aCert.md5Fingerprint], false) });
+                          ["certmgr.certdetail.sha256fingerprint", aCert.sha256Fingerprint,
+                           "certmgr.certdetail.sha1fingerprint", aCert.sha1Fingerprint], false) });
    this.showPrompt(p);
  },

--- a/mobile/android/locales/en-US/chrome/pippki.properties
+++ b/mobile/android/locales/en-US/chrome/pippki.properties
@ -35,7 +35,7 @@ certmgr.certdetail.cn=Common Name (CN)
 certmgr.certdetail.o=Organization (O)
 certmgr.certdetail.ou=Organizational Unit (OU)
 certmgr.certdetail.serialnumber=Serial Number
+certmgr.certdetail.sha256fingerprint=SHA-256 Fingerprint
 certmgr.certdetail.sha1fingerprint=SHA1 Fingerprint
-certmgr.certdetail.md5fingerprint=MD5 Fingerprint
 certmgr.begins=Begins On
 certmgr.expires=Expires On
--- a/security/manager/locales/en-US/chrome/pippki/certManager.dtd
+++ b/security/manager/locales/en-US/chrome/pippki/certManager.dtd
@ -34,8 +34,8 @@
 <!ENTITY certmgr.certdetail.o                 "Organization (O)">
 <!ENTITY certmgr.certdetail.ou                "Organizational Unit (OU)">
 <!ENTITY certmgr.certdetail.serialnumber      "Serial Number">
+<!ENTITY certmgr.certdetail.sha256fingerprint "SHA-256 Fingerprint">
 <!ENTITY certmgr.certdetail.sha1fingerprint   "SHA1 Fingerprint">
-<!ENTITY certmgr.certdetail.md5fingerprint    "MD5 Fingerprint">

 <!ENTITY certmgr.editcert.title               "Edit Security Certificate Settings">
 <!ENTITY certmgr.editcacert.title             "Edit CA certificate trust settings">
--- a/security/manager/pki/resources/content/viewCertDetails.js
+++ b/security/manager/pki/resources/content/viewCertDetails.js
@ -241,10 +241,10 @@ function DisplayGeneralDataFromCert(cert)
  addAttributeFromCert('orgunit', cert.organizationalUnit);
  //  Serial Number
  addAttributeFromCert('serialnumber',cert.serialNumber);
+  // SHA-256 Fingerprint
+  addAttributeFromCert('sha256fingerprint', cert.sha256Fingerprint);
  //  SHA1 Fingerprint
  addAttributeFromCert('sha1fingerprint',cert.sha1Fingerprint);
-  //  MD5 Fingerprint
-  addAttributeFromCert('md5fingerprint',cert.md5Fingerprint);
  // Validity start
  addAttributeFromCert('validitystart', cert.validity.notBeforeLocalDay);
  // Validity end
--- a/security/manager/pki/resources/content/viewCertDetails.xul
+++ b/security/manager/pki/resources/content/viewCertDetails.xul
@ -87,12 +87,15 @@
          <spacer/>
        </row>
        <row>
-          <label value="&certmgr.certdetail.sha1fingerprint;"/>
-          <textbox id="sha1fingerprint" class="plain" readonly="true" style="min-width:34em;"/>
+          <label value="&certmgr.certdetail.sha256fingerprint;"/>
+          <hbox>
+            <textbox id="sha256fingerprint" class="plain" readonly="true" multiline="true"
+                     style="height: 6ex; width: 48ch; font-family: monospace;"/>
+          </hbox>
        </row>
        <row>
-          <label value="&certmgr.certdetail.md5fingerprint;"/>
-          <textbox id="md5fingerprint" class="plain" readonly="true"/>
+          <label value="&certmgr.certdetail.sha1fingerprint;"/>
+          <textbox id="sha1fingerprint" class="plain" readonly="true" style="min-width:34em;"/>
        </row>
      </rows>
    </grid>
--- a/security/manager/ssl/public/nsIX509Cert.idl
+++ b/security/manager/ssl/public/nsIX509Cert.idl
@ -13,7 +13,7 @@ interface nsIASN1Object;
 /**
 * This represents a X.509 certificate.
 */
-[scriptable, uuid(6286dd8c-c1a1-11e3-941d-180373d97f24)]
+[scriptable, uuid(900d6442-d8bc-11e3-aa51-0800273c564f)]
 interface nsIX509Cert : nsISupports {

  /**
@ -67,18 +67,18 @@ interface nsIX509Cert : nsISupports {
   */
  readonly attribute AString organizationalUnit;

+  /**
+   *  The fingerprint of the certificate's DER encoding,
+   *  calculated using the SHA-256 algorithm.
+   */
+  readonly attribute AString sha256Fingerprint;
+
  /**
   *  The fingerprint of the certificate's public key,
   *  calculated using the SHA1 algorithm.
   */
  readonly attribute AString sha1Fingerprint;

-  /**
-   *  The fingerprint of the certificate's public key,
-   *  calculated using the MD5 algorithm.
-   */
-  readonly attribute AString md5Fingerprint;
-
  /**
   *  A human readable name identifying the hardware or
   *  software token the certificate is stored on.
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@ -997,52 +997,43 @@ nsNSSCertificate::GetSerialNumber(nsAString& _serialNumber)
  return NS_ERROR_FAILURE;
 }

-NS_IMETHODIMP
-nsNSSCertificate::GetSha1Fingerprint(nsAString& _sha1Fingerprint)
+nsresult
+nsNSSCertificate::GetCertificateHash(nsAString& aFingerprint, SECOidTag aHashAlg)
 {
  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown())
+  if (isAlreadyShutDown()) {
    return NS_ERROR_NOT_AVAILABLE;
-
-  _sha1Fingerprint.Truncate();
-  unsigned char fingerprint[20];
-  SECItem fpItem;
-  memset(fingerprint, 0, sizeof fingerprint);
-  PK11_HashBuf(SEC_OID_SHA1, fingerprint,
-               mCert->derCert.data, mCert->derCert.len);
-  fpItem.data = fingerprint;
-  fpItem.len = SHA1_LENGTH;
-  char* fpStr = CERT_Hexify(&fpItem, 1);
-  if (fpStr) {
-    _sha1Fingerprint = NS_ConvertASCIItoUTF16(fpStr);
-    PORT_Free(fpStr);
-    return NS_OK;
  }
-  return NS_ERROR_FAILURE;
+
+  aFingerprint.Truncate();
+  Digest digest;
+  nsresult rv = digest.DigestBuf(aHashAlg, mCert->derCert.data,
+                                 mCert->derCert.len);
+  if (NS_FAILED(rv)) {
+    return rv;
+  }
+
+  // CERT_Hexify's second argument is an int that is interpreted as a boolean
+  char* fpStr = CERT_Hexify(const_cast<SECItem*>(&digest.get()), 1);
+  if (!fpStr) {
+    return NS_ERROR_FAILURE;
+  }
+
+  aFingerprint.AssignASCII(fpStr);
+  PORT_Free(fpStr);
+  return NS_OK;
 }

 NS_IMETHODIMP
-nsNSSCertificate::GetMd5Fingerprint(nsAString& _md5Fingerprint)
+nsNSSCertificate::GetSha256Fingerprint(nsAString& aSha256Fingerprint)
 {
-  nsNSSShutDownPreventionLock locker;
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
+  return GetCertificateHash(aSha256Fingerprint, SEC_OID_SHA256);
+}

-  _md5Fingerprint.Truncate();
-  unsigned char fingerprint[20];
-  SECItem fpItem;
-  memset(fingerprint, 0, sizeof fingerprint);
-  PK11_HashBuf(SEC_OID_MD5, fingerprint,
-               mCert->derCert.data, mCert->derCert.len);
-  fpItem.data = fingerprint;
-  fpItem.len = MD5_LENGTH;
-  char* fpStr = CERT_Hexify(&fpItem, 1);
-  if (fpStr) {
-    _md5Fingerprint = NS_ConvertASCIItoUTF16(fpStr);
-    PORT_Free(fpStr);
-    return NS_OK;
-  }
-  return NS_ERROR_FAILURE;
+NS_IMETHODIMP
+nsNSSCertificate::GetSha1Fingerprint(nsAString& _sha1Fingerprint)
+{
+  return GetCertificateHash(_sha1Fingerprint, SEC_OID_SHA1);
 }

 NS_IMETHODIMP
--- a/security/manager/ssl/src/nsNSSCertificate.h
+++ b/security/manager/ssl/src/nsNSSCertificate.h
@ -65,6 +65,8 @@ private:
  void destructorSafeDestroyNSSReference();
  bool InitFromDER(char* certDER, int derLen);  // return false on failure

+  nsresult GetCertificateHash(nsAString& aFingerprint, SECOidTag aHashAlg);
+
  enum {
    ev_status_unknown = -1, ev_status_invalid = 0, ev_status_valid = 1
  } mCachedEVStatus;
--- a/security/manager/ssl/src/nsNSSCertificateFakeTransport.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateFakeTransport.cpp
@ -162,14 +162,14 @@ nsNSSCertificateFakeTransport::GetSerialNumber(nsAString &_serialNumber)
 }

 NS_IMETHODIMP
-nsNSSCertificateFakeTransport::GetSha1Fingerprint(nsAString &_sha1Fingerprint)
+nsNSSCertificateFakeTransport::GetSha256Fingerprint(nsAString& aSha256Fingerprint)
 {
  NS_NOTREACHED("Unimplemented on content process");
  return NS_ERROR_NOT_IMPLEMENTED;
 }

 NS_IMETHODIMP
-nsNSSCertificateFakeTransport::GetMd5Fingerprint(nsAString &_md5Fingerprint)
+nsNSSCertificateFakeTransport::GetSha1Fingerprint(nsAString& aSha1Fingerprint)
 {
  NS_NOTREACHED("Unimplemented on content process");
  return NS_ERROR_NOT_IMPLEMENTED;
--- a/toolkit/mozapps/update/tests/chrome/test_0121_check_requireBuiltinCert.xul
+++ b/toolkit/mozapps/update/tests/chrome/test_0121_check_requireBuiltinCert.xul
@ -30,7 +30,7 @@ Components.utils.import("resource://gre/modules/CertUtils.jsm");

 const CERT_ATTRS = ["nickname", "emailAddress", "subjectName", "commonName",
                    "organization", "organizationalUnit", "sha1Fingerprint",
-                    "md5Fingerprint", "tokenName", "issuerName", "serialNumber",
+                    "sha256Fingerprint", "tokenName", "issuerName", "serialNumber",
                    "issuerCommonName", "issuerOrganization",
                    "issuerOrganizationUnit", "dbKey", "windowTitle"];

--- a/toolkit/mozapps/update/tests/chrome/test_0122_check_allowNonBuiltinCert_validCertAttrs.xul
+++ b/toolkit/mozapps/update/tests/chrome/test_0122_check_allowNonBuiltinCert_validCertAttrs.xul
@ -30,7 +30,7 @@ Components.utils.import("resource://gre/modules/CertUtils.jsm");

 const CERT_ATTRS = ["nickname", "emailAddress", "subjectName", "commonName",
                    "organization", "organizationalUnit", "sha1Fingerprint",
-                    "md5Fingerprint", "tokenName", "issuerName", "serialNumber",
+                    "sha256Fingerprint", "tokenName", "issuerName", "serialNumber",
                    "issuerCommonName", "issuerOrganization",
                    "issuerOrganizationUnit", "dbKey", "windowTitle"];