bug 1312827 - make the certificate blocklist only apply to TLS server certificates r=jcj,mgoodwin
(Note that content signature verification does not use the unified certificate verifier and thus will still consult OneCRL.) MozReview-Commit-ID: 6KvHOngpabT --HG-- extra : rebase_source : 601f4d8d1c66befb77d0c07a2d84f3f04416f996
This commit is contained in:
Родитель
c788de8394
Коммит
d339ca2730
|
@ -192,25 +192,29 @@ NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
|
|||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
|
||||
bool isCertRevoked;
|
||||
nsresult nsrv = mCertBlocklist->IsCertRevoked(
|
||||
candidateCert->derIssuer.data,
|
||||
candidateCert->derIssuer.len,
|
||||
candidateCert->serialNumber.data,
|
||||
candidateCert->serialNumber.len,
|
||||
candidateCert->derSubject.data,
|
||||
candidateCert->derSubject.len,
|
||||
candidateCert->derPublicKey.data,
|
||||
candidateCert->derPublicKey.len,
|
||||
&isCertRevoked);
|
||||
if (NS_FAILED(nsrv)) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
// The certificate blocklist currently only applies to TLS server
|
||||
// certificates.
|
||||
if (mCertDBTrustType == trustSSL) {
|
||||
bool isCertRevoked;
|
||||
nsresult nsrv = mCertBlocklist->IsCertRevoked(
|
||||
candidateCert->derIssuer.data,
|
||||
candidateCert->derIssuer.len,
|
||||
candidateCert->serialNumber.data,
|
||||
candidateCert->serialNumber.len,
|
||||
candidateCert->derSubject.data,
|
||||
candidateCert->derSubject.len,
|
||||
candidateCert->derPublicKey.data,
|
||||
candidateCert->derPublicKey.len,
|
||||
&isCertRevoked);
|
||||
if (NS_FAILED(nsrv)) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
|
||||
if (isCertRevoked) {
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("NSSCertDBTrustDomain: certificate is in blocklist"));
|
||||
return Result::ERROR_REVOKED_CERTIFICATE;
|
||||
if (isCertRevoked) {
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("NSSCertDBTrustDomain: certificate is in blocklist"));
|
||||
return Result::ERROR_REVOKED_CERTIFICATE;
|
||||
}
|
||||
}
|
||||
|
||||
// XXX: CERT_GetCertTrust seems to be abusing SECStatus as a boolean, where
|
||||
|
|
|
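Review bot: The new gate `if (mCertDBTrustType == trustSSL)` keys on the trust domain's NSS trust type rather than on the certificate usage, and NSS's SSL trust bit is shared by server and client contexts, so the comment's claim that the blocklist "only applies to TLS server certificates" holds only if CertVerifier never builds a trustSSL domain for certificateUsageSSLClient — that construction is outside this hunk, while the browser test in this same commit asserts a blocklisted certificate still validates as an SSL client certificate. I would make that dependency explicit at this site: `// Gated on the trust type, not the usage: relies on CertVerifier not using trustSSL for client-auth verification — keep in sync.` The comment should also say that a blocklisted intermediate or root is consequently still trusted for S/MIME and object signing by this verifier, since that is the security trade-off a maintainer needs to see here rather than in the commit message. GetCertTrust begins before and ends after the hunk.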
@ -106,8 +106,11 @@ add_task(function* testRevoked() {
|
|||
"VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8="); // hash of the shared key
|
||||
let cert = yield readCertificate("revoked.pem", ",,");
|
||||
let win = yield displayCertificate(cert);
|
||||
checkError(win,
|
||||
"Could not verify this certificate because it has been revoked.");
|
||||
// As of bug 1312827, OneCRL only applies to TLS web server certificates, so
|
||||
// this certificate will actually verify successfully for every end-entity
|
||||
// usage except TLS web server.
|
||||
checkUsages(win, ["Email Recipient Certificate", "Email Signer Certificate",
|
||||
"Object Signer", "SSL Client Certificate"]);
|
||||
yield BrowserTestUtils.closeWindow(win);
|
||||
});
|
||||
|
||||
|
|
|
@ -139,6 +139,17 @@ function verify_cert(file, expectedError) {
|
|||
checkCertErrorGeneric(certDB, ee, expectedError, certificateUsageSSLServer);
|
||||
}
|
||||
|
||||
// The certificate blocklist currently only applies to TLS server certificates.
|
||||
function verify_non_tls_usage_succeeds(file) {
|
||||
let ee = constructCertFromFile(file);
|
||||
checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
|
||||
certificateUsageSSLClient);
|
||||
checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
|
||||
certificateUsageEmailSigner);
|
||||
checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
|
||||
certificateUsageEmailRecipient);
|
||||
}
|
||||
|
||||
function load_cert(cert, trust) {
|
||||
let file = "bad_certs/" + cert + ".pem";
|
||||
addCertFromFile(certDB, file, trust);
|
||||
|
@ -294,14 +305,17 @@ function run_test() {
|
|||
// Check the blocklisted intermediate now causes a failure
|
||||
let file = "test_onecrl/test-int-ee.pem";
|
||||
verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
|
||||
verify_non_tls_usage_succeeds(file);
|
||||
|
||||
// Check the ee with the blocklisted root also causes a failure
|
||||
file = "bad_certs/other-issuer-ee.pem";
|
||||
verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
|
||||
verify_non_tls_usage_succeeds(file);
|
||||
|
||||
// Check the ee blocked by subject / pubKey causes a failure
|
||||
file = "test_onecrl/same-issuer-ee.pem";
|
||||
verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
|
||||
verify_non_tls_usage_succeeds(file);
|
||||
|
||||
// Check a non-blocklisted chain still validates OK
|
||||
file = "bad_certs/default-ee.pem";
|
||||
|
|
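Review bot: `verify_non_tls_usage_succeeds` does not exercise `certificateUsageObjectSigner`, even though the certificate-viewer test in this same commit expects a blocklisted certificate to remain valid as an "Object Signer"; adding `checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess, certificateUsageObjectSigner);` would keep the xpcshell coverage aligned with that expectation, assuming the test roots carry the object-signing trust bit. The helper's name is also slightly misleading, since SSL client auth is a TLS usage; `verify_non_tls_server_usage_succeeds` would match the comment above it. `run_test` starts before the second hunk and continues past it.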