Backed out 2 changesets (bug 1750089) for causing mochitest failures on browser_webconsole_certificate_messages.js.

Backed out changeset 7ebb345a9293 (bug 1750089) Backed out changeset 40bd1975208d (bug 1750089)
2022-01-19 04:07:44 +02:00 · 2022-01-19 04:07:44 +02:00 · d8fce573b5
--- a/devtools/server/actors/errordocs.js
+++ b/devtools/server/actors/errordocs.js
@ -112,6 +112,8 @@ const PUBLIC_KEY_PINS_LEARN_MORE =
  "https://developer.mozilla.org/docs/Web/HTTP/Public_Key_Pinning";
 const STRICT_TRANSPORT_SECURITY_LEARN_MORE =
  "https://developer.mozilla.org/docs/Web/HTTP/Headers/Strict-Transport-Security";
+const WEAK_SIGNATURE_ALGORITHM_LEARN_MORE =
+  "https://developer.mozilla.org/docs/Web/Security/Weak_Signature_Algorithm";
 const MIME_TYPE_MISMATCH_LEARN_MORE =
  "https://developer.mozilla.org/docs/Web/HTTP/Headers/X-Content-Type-Options";
 const SOURCE_MAP_LEARN_MORE =
@ -132,6 +134,7 @@ const ErrorCategories = {
  "Mixed Content Blocker": MIXED_CONTENT_LEARN_MORE,
  "Invalid HPKP Headers": PUBLIC_KEY_PINS_LEARN_MORE,
  "Invalid HSTS Headers": STRICT_TRANSPORT_SECURITY_LEARN_MORE,
+  "SHA-1 Signature": WEAK_SIGNATURE_ALGORITHM_LEARN_MORE,
  "Tracking Protection": TRACKING_PROTECTION_LEARN_MORE,
  MIMEMISMATCH: MIME_TYPE_MISMATCH_LEARN_MORE,
  "source map": SOURCE_MAP_LEARN_MORE,
--- a/dom/locales/en-US/chrome/security/security.properties
+++ b/dom/locales/en-US/chrome/security/security.properties
@ -36,6 +36,8 @@ STSMultipleIncludeSubdomains=Strict-Transport-Security: The site specified a hea
 STSInvalidIncludeSubdomains=Strict-Transport-Security: The site specified a header that included an invalid ‘includeSubDomains’ directive.
 STSCouldNotSaveState=Strict-Transport-Security: An error occurred noting the site as a Strict-Transport-Security host.

+# LOCALIZATION NOTE: Do not translate "SHA-1"
+SHA1Sig=This site makes use of a SHA-1 Certificate; it’s recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.
 InsecurePasswordsPresentOnPage=Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.
 InsecureFormActionPasswordsPresent=Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen.
 InsecurePasswordsPresentOnIframe=Password fields present on an insecure (http://) iframe. This is a security risk that allows user login credentials to be stolen.
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@ -1888,6 +1888,29 @@ void nsHttpChannel::ProcessSSLInformation() {
    }
  }

+  // Send (SHA-1) signature algorithm errors to the web console
+  nsCOMPtr<nsIX509Cert> cert;
+  securityInfo->GetServerCert(getter_AddRefs(cert));
+  if (cert) {
+    UniqueCERTCertificate nssCert(cert->GetCert());
+    if (nssCert) {
+      SECOidTag tag = SECOID_GetAlgorithmTag(&nssCert->signature);
+      LOG(("Checking certificate signature: The OID tag is %i [this=%p]\n", tag,
+           this));
+      // Check to see if the signature is sha-1 based.
+      // Not including checks for SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE
+      // from http://tools.ietf.org/html/rfc2437#section-8 since I
+      // can't see reference to it outside this spec
+      if (tag == SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION ||
+          tag == SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST ||
+          tag == SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE) {
+        nsString consoleErrorTag = u"SHA1Sig"_ns;
+        nsString consoleErrorMessage = u"SHA-1 Signature"_ns;
+        Unused << AddSecurityMessage(consoleErrorTag, consoleErrorMessage);
+      }
+    }
+  }
+
  uint16_t tlsVersion;
  nsresult rv = securityInfo->GetProtocolVersion(&tlsVersion);
  if (NS_SUCCEEDED(rv) &&
--- a/security/manager/ssl/CommonSocketControl.cpp
+++ b/security/manager/ssl/CommonSocketControl.cpp
@ -153,15 +153,17 @@ CommonSocketControl::IsAcceptableForHost(const nsACString& hostname,
  // Ensure that the server certificate covers the hostname that would
  // like to join this connection

+  UniqueCERTCertificate nssCert;
+
  nsCOMPtr<nsIX509Cert> cert;
  if (NS_FAILED(GetServerCert(getter_AddRefs(cert)))) {
    return NS_OK;
  }
-  if (!cert) {
-    return NS_OK;
+  if (cert) {
+    nssCert.reset(cert->GetCert());
  }
-  nsTArray<uint8_t> certDER;
-  if (NS_FAILED(cert->GetRawDER(certDER))) {
+
+  if (!nssCert) {
    return NS_OK;
  }

@ -179,7 +181,7 @@ CommonSocketControl::IsAcceptableForHost(const nsACString& hostname,
  // CertVerifier::VerifySSLServerCert we need to add them here too.
  Input serverCertInput;
  mozilla::pkix::Result rv =
-      serverCertInput.Init(certDER.Elements(), certDER.Length());
+      serverCertInput.Init(nssCert->derCert.data, nssCert->derCert.len);
  if (rv != Success) {
    return NS_OK;
  }
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@ -470,12 +470,24 @@ static nsresult OverrideAllowedForHost(
 // in order to support SPDY's cross-origin connection pooling.
 static SECStatus BlockServerCertChangeForSpdy(
    nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& serverCert) {
+  // Get the existing cert. If there isn't one, then there is
+  // no cert change to worry about.
+  nsCOMPtr<nsIX509Cert> cert;
+
  if (!infoObject->IsHandshakeCompleted()) {
    // first handshake on this connection, not a
    // renegotiation.
    return SECSuccess;
  }

+  infoObject->GetServerCert(getter_AddRefs(cert));
+  if (!cert) {
+    MOZ_ASSERT_UNREACHABLE(
+        "TransportSecurityInfo must have a cert implementing nsIX509Cert");
+    PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
+    return SECFailure;
+  }
+
  // Filter out sockets that did not neogtiate SPDY via NPN
  nsAutoCString negotiatedNPN;
  nsresult rv = infoObject->GetNegotiatedNPN(negotiatedNPN);
@ -489,30 +501,20 @@ static SECStatus BlockServerCertChangeForSpdy(
  if (NS_FAILED(rv)) {
    MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
            ("BlockServerCertChangeForSpdy failed GetNegotiatedNPN() call."
-             " Assuming spdy."));
+             " Assuming spdy.\n"));
  }

  // Check to see if the cert has actually changed
-  nsCOMPtr<nsIX509Cert> cert;
-  infoObject->GetServerCert(getter_AddRefs(cert));
-  if (!cert) {
-    PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
-    return SECFailure;
-  }
-  nsTArray<uint8_t> certDER;
-  if (NS_FAILED(cert->GetRawDER(certDER))) {
-    PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
-    return SECFailure;
-  }
-  if (certDER.Length() == serverCert->derCert.len &&
-      memcmp(certDER.Elements(), serverCert->derCert.data, certDER.Length()) ==
-          0) {
+  UniqueCERTCertificate c(cert->GetCert());
+  MOZ_ASSERT(c, "Somehow couldn't get underlying cert from nsIX509Cert");
+  bool sameCert = CERT_CompareCerts(c.get(), serverCert.get());
+  if (sameCert) {
    return SECSuccess;
  }

  // Report an error - changed cert is confirmed
  MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
-          ("SPDY refused to allow new cert during renegotiation"));
+          ("SPDY Refused to allow new cert during renegotiation\n"));
  PR_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, 0);
  return SECFailure;
 }
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@ -1240,6 +1240,11 @@ nsresult VerifyCertAtTime(nsIX509Cert* aCert,
  *aHasEVPolicy = false;
  *_retval = PR_UNKNOWN_ERROR;

+  UniqueCERTCertificate nssCert(aCert->GetCert());
+  if (!nssCert) {
+    return NS_ERROR_INVALID_ARG;
+  }
+
  RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
  NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);