зеркало из https://github.com/mozilla/gecko-dev.git
Backed out 2 changesets (bug 1666567, bug 1605273) for test_crlite_filters.js failures CLOSED TREE
UPGRADE_NSS_RELEASE Backed out changeset 9bc4c7e79cd6 (bug 1666567) Backed out changeset 22753d184de6 (bug 1605273)
This commit is contained in:
Bogdan Tara
Родитель
6b05ae158e
Коммит
db9c89dbca
|
|
@ -227,10 +227,9 @@ Result AppTrustDomain::DigestBuf(Input item, DigestAlgorithm digestAlg,
|
|||
return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
|
||||
}
|
||||
|
||||
Result AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, Time,
|
||||
Result AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, Time, Time,
|
||||
Duration,
|
||||
/*optional*/ const Input*,
|
||||
/*optional*/ const Input*,
|
||||
/*optional*/ const Input*) {
|
||||
// We don't currently do revocation checking. If we need to distrust an Apps
|
||||
// certificate, we will use the active distrust mechanism.
|
||||
|
|
|
|||
|
|
@ -39,10 +39,10 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain {
|
|||
virtual Result CheckRevocation(
|
||||
mozilla::pkix::EndEntityOrCA endEntityOrCA,
|
||||
const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
|
||||
mozilla::pkix::Time validityPeriodBeginning,
|
||||
mozilla::pkix::Duration validityDuration,
|
||||
/*optional*/ const mozilla::pkix::Input* stapledOCSPresponse,
|
||||
/*optional*/ const mozilla::pkix::Input* aiaExtension,
|
||||
/*optional*/ const mozilla::pkix::Input* sctExtension) override;
|
||||
/*optional*/ const mozilla::pkix::Input* aiaExtension) override;
|
||||
virtual Result IsChainValid(
|
||||
const mozilla::pkix::DERArray& certChain, mozilla::pkix::Time time,
|
||||
const mozilla::pkix::CertPolicyId& requiredPolicy) override;
|
||||
|
|
|
|||
|
|
@ -9,7 +9,6 @@
|
|||
#include <stdint.h>
|
||||
|
||||
#include "ExtendedValidation.h"
|
||||
#include "MultiLogCTVerifier.h"
|
||||
#include "NSSErrorsService.h"
|
||||
#include "OCSPVerificationTrustDomain.h"
|
||||
#include "PublicKeyPinningService.h"
|
||||
|
|
@ -55,7 +54,6 @@
|
|||
#include "TrustOverride-SymantecData.inc"
|
||||
|
||||
using namespace mozilla;
|
||||
using namespace mozilla::ct;
|
||||
using namespace mozilla::pkix;
|
||||
|
||||
extern LazyLogModule gCertVerifierLog;
|
||||
|
|
@ -607,34 +605,11 @@ static Result GetOCSPAuthorityInfoAccessLocation(const UniquePLArenaPool& arena,
|
|||
return Success;
|
||||
}
|
||||
|
||||
Result GetEarliestSCTTimestamp(Input sctExtension,
|
||||
Maybe<uint64_t>& earliestTimestamp) {
|
||||
earliestTimestamp.reset();
|
||||
|
||||
Input sctList;
|
||||
Result rv =
|
||||
ExtractSignedCertificateTimestampListFromExtension(sctExtension, sctList);
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
std::vector<SignedCertificateTimestamp> decodedSCTs;
|
||||
size_t decodingErrors;
|
||||
DecodeSCTs(sctList, decodedSCTs, decodingErrors);
|
||||
Unused << decodingErrors;
|
||||
for (const auto& scts : decodedSCTs) {
|
||||
if (!earliestTimestamp.isSome() || scts.timestamp < *earliestTimestamp) {
|
||||
earliestTimestamp = Some(scts.timestamp);
|
||||
}
|
||||
}
|
||||
return Success;
|
||||
}
|
||||
|
||||
Result NSSCertDBTrustDomain::CheckRevocation(
|
||||
EndEntityOrCA endEntityOrCA, const CertID& certID, Time time,
|
||||
Duration validityDuration,
|
||||
Time certValidityPeriodBeginning, Duration validityDuration,
|
||||
/*optional*/ const Input* stapledOCSPResponse,
|
||||
/*optional*/ const Input* aiaExtension,
|
||||
/*optional*/ const Input* sctExtension) {
|
||||
/*optional*/ const Input* aiaExtension) {
|
||||
// Actively distrusted certificates will have already been blocked by
|
||||
// GetCertTrust.
|
||||
|
||||
|
|
@ -644,20 +619,10 @@ Result NSSCertDBTrustDomain::CheckRevocation(
|
|||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("NSSCertDBTrustDomain: Top of CheckRevocation\n"));
|
||||
|
||||
Maybe<uint64_t> earliestSCTTimestamp = Nothing();
|
||||
if (sctExtension) {
|
||||
Result rv = GetEarliestSCTTimestamp(*sctExtension, earliestSCTTimestamp);
|
||||
if (rv != Success) {
|
||||
MOZ_LOG(
|
||||
gCertVerifierLog, LogLevel::Debug,
|
||||
("decoding SCT extension failed - CRLite will be not be consulted"));
|
||||
}
|
||||
}
|
||||
|
||||
Maybe<TimeDuration> crliteLookupDuration;
|
||||
#ifdef MOZ_NEW_CERT_STORAGE
|
||||
if (endEntityOrCA == EndEntityOrCA::MustBeEndEntity &&
|
||||
mCRLiteMode != CRLiteMode::Disabled && earliestSCTTimestamp.isSome()) {
|
||||
mCRLiteMode != CRLiteMode::Disabled) {
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("NSSCertDBTrustDomain::CheckRevocation: checking CRLite"));
|
||||
nsTArray<uint8_t> issuerBytes;
|
||||
|
|
@ -703,15 +668,12 @@ Result NSSCertDBTrustDomain::CheckRevocation(
|
|||
crliteLookupDuration.emplace(crliteLookupAfter - crliteLookupBefore);
|
||||
}
|
||||
Time filterTimestampTime(TimeFromEpochInSeconds(filterTimestamp));
|
||||
// We can only use this result if the earliest embedded signed
|
||||
// certificate timestamp from the certificate is older than what cert
|
||||
// storage returned for its CRLite timestamp. Otherwise, the CRLite
|
||||
// filter cascade may have been created before this certificate existed,
|
||||
// and if it would create a false positive, it hasn't been accounted for.
|
||||
// SCT timestamps are milliseconds since the epoch.
|
||||
Time earliestCertificateTimestamp(
|
||||
TimeFromEpochInSeconds(*earliestSCTTimestamp / 1000));
|
||||
if (earliestCertificateTimestamp <= filterTimestampTime &&
|
||||
// We can only use this result if this certificate's `notBefore` time
|
||||
// (i.e. the beginning of its validity period) is older than what cert
|
||||
// storage returned for its CRLite timestamp. Otherwise, the CRLite filter
|
||||
// cascade may have been created before this certificate existed, and if
|
||||
// it would create a false positive, it hasn't been accounted for.
|
||||
if (certValidityPeriodBeginning <= filterTimestampTime &&
|
||||
crliteRevocationState == nsICertStorage::STATE_ENFORCE) {
|
||||
if (mCRLiteTelemetryInfo) {
|
||||
mCRLiteTelemetryInfo->mLookupResult =
|
||||
|
|
@ -745,7 +707,7 @@ Result NSSCertDBTrustDomain::CheckRevocation(
|
|||
mCRLiteTelemetryInfo->mLookupResult =
|
||||
CRLiteLookupResult::FilterNotAvailable;
|
||||
}
|
||||
} else if (earliestCertificateTimestamp > filterTimestampTime) {
|
||||
} else if (certValidityPeriodBeginning > filterTimestampTime) {
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("NSSCertDBTrustDomain::CheckRevocation: cert too new"));
|
||||
if (mCRLiteTelemetryInfo) {
|
||||
|
|
|
|||
|
|
@ -223,10 +223,10 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
|
|||
virtual Result CheckRevocation(
|
||||
mozilla::pkix::EndEntityOrCA endEntityOrCA,
|
||||
const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
|
||||
mozilla::pkix::Time validityPeriodBeginning,
|
||||
mozilla::pkix::Duration validityDuration,
|
||||
/*optional*/ const mozilla::pkix::Input* stapledOCSPResponse,
|
||||
/*optional*/ const mozilla::pkix::Input* aiaExtension,
|
||||
/*optional*/ const mozilla::pkix::Input* sctExtension) override;
|
||||
/*optional*/ const mozilla::pkix::Input* aiaExtension) override;
|
||||
|
||||
virtual Result IsChainValid(
|
||||
const mozilla::pkix::DERArray& certChain, mozilla::pkix::Time time,
|
||||
|
|
|
|||
|
|
@ -36,9 +36,8 @@ Result OCSPVerificationTrustDomain::IsChainValid(const DERArray&, Time,
|
|||
}
|
||||
|
||||
Result OCSPVerificationTrustDomain::CheckRevocation(EndEntityOrCA,
|
||||
const CertID&, Time,
|
||||
const CertID&, Time, Time,
|
||||
Duration, const Input*,
|
||||
const Input*,
|
||||
const Input*) {
|
||||
// We do not expect this to be called for OCSP signers
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
|
|
|
|||
|
|
@ -67,10 +67,10 @@ class OCSPVerificationTrustDomain : public mozilla::pkix::TrustDomain {
|
|||
virtual Result CheckRevocation(
|
||||
mozilla::pkix::EndEntityOrCA endEntityOrCA,
|
||||
const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
|
||||
mozilla::pkix::Time validityPeriodBeginning,
|
||||
mozilla::pkix::Duration validityDuration,
|
||||
/*optional*/ const mozilla::pkix::Input* stapledOCSPResponse,
|
||||
/*optional*/ const mozilla::pkix::Input* aiaExtension,
|
||||
/*optional*/ const mozilla::pkix::Input* sctExtension) override;
|
||||
/*optional*/ const mozilla::pkix::Input* aiaExtension) override;
|
||||
|
||||
virtual Result IsChainValid(
|
||||
const mozilla::pkix::DERArray& certChain, mozilla::pkix::Time time,
|
||||
|
|
|
|||
|
|
@ -38,8 +38,8 @@ class SignatureParamsTrustDomain final : public TrustDomain {
|
|||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
|
||||
const Input*, const Input*, const Input*) override {
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
|
||||
const Input*, const Input*) override {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -73,46 +73,34 @@ Result MultiLogCTVerifier::Verify(Input cert, Input issuerSubjectPublicKeyInfo,
|
|||
return Success;
|
||||
}
|
||||
|
||||
void DecodeSCTs(Input encodedSctList,
|
||||
std::vector<SignedCertificateTimestamp>& decodedSCTs,
|
||||
size_t& decodingErrors) {
|
||||
decodedSCTs.clear();
|
||||
|
||||
Result MultiLogCTVerifier::VerifySCTs(Input encodedSctList,
|
||||
const LogEntry& expectedEntry,
|
||||
VerifiedSCT::Origin origin, Time time,
|
||||
CTVerifyResult& result) {
|
||||
Reader listReader;
|
||||
Result rv = DecodeSCTList(encodedSctList, listReader);
|
||||
if (rv != Success) {
|
||||
decodingErrors++;
|
||||
return;
|
||||
result.decodingErrors++;
|
||||
return Success;
|
||||
}
|
||||
|
||||
while (!listReader.AtEnd()) {
|
||||
Input encodedSct;
|
||||
rv = ReadSCTListItem(listReader, encodedSct);
|
||||
if (rv != Success) {
|
||||
decodingErrors++;
|
||||
return;
|
||||
result.decodingErrors++;
|
||||
return Success;
|
||||
}
|
||||
|
||||
Reader encodedSctReader(encodedSct);
|
||||
SignedCertificateTimestamp sct;
|
||||
rv = DecodeSignedCertificateTimestamp(encodedSctReader, sct);
|
||||
if (rv != Success) {
|
||||
decodingErrors++;
|
||||
result.decodingErrors++;
|
||||
continue;
|
||||
}
|
||||
decodedSCTs.push_back(std::move(sct));
|
||||
}
|
||||
}
|
||||
|
||||
Result MultiLogCTVerifier::VerifySCTs(Input encodedSctList,
|
||||
const LogEntry& expectedEntry,
|
||||
VerifiedSCT::Origin origin, Time time,
|
||||
CTVerifyResult& result) {
|
||||
std::vector<SignedCertificateTimestamp> decodedSCTs;
|
||||
DecodeSCTs(encodedSctList, decodedSCTs, result.decodingErrors);
|
||||
for (auto sct : decodedSCTs) {
|
||||
Result rv =
|
||||
VerifySingleSCT(std::move(sct), expectedEntry, origin, time, result);
|
||||
rv = VerifySingleSCT(std::move(sct), expectedEntry, origin, time, result);
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,10 +19,6 @@
|
|||
namespace mozilla {
|
||||
namespace ct {
|
||||
|
||||
void DecodeSCTs(Input encodedSctList,
|
||||
std::vector<SignedCertificateTimestamp>& decodedSCTs,
|
||||
size_t& decodingErrors);
|
||||
|
||||
// A Certificate Transparency verifier that can verify Signed Certificate
|
||||
// Timestamps from multiple logs.
|
||||
class MultiLogCTVerifier {
|
||||
|
|
|
|||
|
|
@ -675,9 +675,8 @@ class OCSPExtensionTrustDomain : public TrustDomain {
|
|||
return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
|
||||
pkix::Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
|
||||
const Input*, const Input*,
|
||||
const Input*) override {
|
||||
pkix::Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time,
|
||||
Duration, const Input*, const Input*) override {
|
||||
ADD_FAILURE();
|
||||
return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -138,10 +138,9 @@ Result CSTrustDomain::FindIssuer(Input encodedIssuerName,
|
|||
|
||||
Result CSTrustDomain::CheckRevocation(
|
||||
EndEntityOrCA endEntityOrCA, const CertID& certID, Time time,
|
||||
Duration validityDuration,
|
||||
Time validityPeriodBeginning, Duration validityDuration,
|
||||
/*optional*/ const Input* stapledOCSPresponse,
|
||||
/*optional*/ const Input* aiaExtension,
|
||||
/*optional*/ const Input* sctExtension) {
|
||||
/*optional*/ const Input* aiaExtension) {
|
||||
// We're relying solely on the CertBlocklist for revocation - and we're
|
||||
// performing checks on this in GetCertTrust (as per nsNSSCertDBTrustDomain)
|
||||
return Success;
|
||||
|
|
|
|||
|
|
@ -35,10 +35,10 @@ class CSTrustDomain final : public mozilla::pkix::TrustDomain {
|
|||
virtual Result CheckRevocation(
|
||||
mozilla::pkix::EndEntityOrCA endEntityOrCA,
|
||||
const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
|
||||
mozilla::pkix::Time validityPeriodBeginning,
|
||||
mozilla::pkix::Duration validityDuration,
|
||||
/*optional*/ const mozilla::pkix::Input* stapledOCSPresponse,
|
||||
/*optional*/ const mozilla::pkix::Input* aiaExtension,
|
||||
/*optional*/ const mozilla::pkix::Input* sctExtension) override;
|
||||
/*optional*/ const mozilla::pkix::Input* aiaExtension) override;
|
||||
virtual Result IsChainValid(
|
||||
const mozilla::pkix::DERArray& certChain, mozilla::pkix::Time time,
|
||||
const mozilla::pkix::CertPolicyId& requiredPolicy) override;
|
||||
|
|
|
|||
|
|
@ -1982,10 +1982,9 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain {
|
|||
|
||||
virtual mozilla::pkix::Result CheckRevocation(
|
||||
EndEntityOrCA endEntityOrCA, const CertID& certID, Time time,
|
||||
Duration validityDuration,
|
||||
Time validityPeriodBeginning, Duration validityDuration,
|
||||
/*optional*/ const Input* stapledOCSPresponse,
|
||||
/*optional*/ const Input* aiaExtension,
|
||||
/*optional*/ const Input* sctExtension) override {
|
||||
/*optional*/ const Input* aiaExtension) override {
|
||||
return Success;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1,27 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
|
||||
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
||||
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
|
||||
QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
|
||||
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
|
||||
U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
|
||||
ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
|
||||
nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
|
||||
KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
|
||||
/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
|
||||
kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
|
||||
/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
|
||||
AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
|
||||
aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
|
||||
Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
|
||||
oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
|
||||
QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
|
||||
d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
|
||||
xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
|
||||
CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
|
||||
5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
|
||||
8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
|
||||
2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
|
||||
c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
|
||||
j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIFpDCCBIygAwIBAgIQDVHBpbd6yyk2LgPoPr9QyjANBgkqhkiG9w0BAQsFADBN
|
||||
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
|
||||
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTkxMTE4MDAwMDAwWhcN
|
||||
MjExMTE4MTIwMDAwWjCBlDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
|
||||
aWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxHTAbBgNVBAoTFFN5bWFudGVjIENv
|
||||
cnBvcmF0aW9uMRcwFQYDVQQLEw5TeW1hbnRlYy5jbG91ZDEgMB4GA1UEAxMXbWFp
|
||||
bDIzMy5tZXNzYWdlbGFicy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
|
||||
AoIBAQCyM1Fy9hAlahRqqeEnPKDWgUmsxofivWEWKNeSMEKcnXX3TCQOGbLQTthN
|
||||
xfNU7IWY8ViTPwQ8JBWWDxNhd6dTYLNnytKrNRG8qDQ3rFMKJY4p0dZImMp55X3W
|
||||
1xcKMxSOkPv0YUCGp7qlAHq6+N3YY1ILw6MRdJ75Njh4Kw8qe5F3rHLwD+AyYQmx
|
||||
3WsMCRp5NZtWUcU5Vbc9ca/osrh9xBF7U3ZYR6GoPXQlizrNjXv7/BaKWWO5ChbD
|
||||
iRI4Nj8d3HhWUHsJoGvYDof5Iudgtbubz3c5cwp6+VNNMas7izpvbixqW8zXdUug
|
||||
8v5v47IkRNYnlma/zvv2IDC1dVlxAgMBAAGjggI2MIICMjAfBgNVHSMEGDAWgBQP
|
||||
gGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUZnBdWwGQjkPX/+A2ZEYdUdnw
|
||||
lN8wfQYDVR0RBHYwdIIbY2x1c3RlcjguZXUubWVzc2FnZWxhYnMuY29tgh5jbHVz
|
||||
dGVyOG91dC5ldS5tZXNzYWdlbGFicy5jb22CHGNsdXN0ZXI4YS5ldS5tZXNzYWdl
|
||||
bGFicy5jb22CF21haWwyMzMubWVzc2FnZWxhYnMuY29tMA4GA1UdDwEB/wQEAwIF
|
||||
oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAvoC2g
|
||||
K4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwL6At
|
||||
oCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLXNoYTItZzYuY3JsMEwG
|
||||
A1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3
|
||||
LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMHwGCCsGAQUFBwEBBHAwbjAkBggr
|
||||
BgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEYGCCsGAQUFBzAChjpo
|
||||
dHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRTSEEyU2VjdXJlU2Vy
|
||||
dmVyQ0EuY3J0MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAK7vS/qDcGKb
|
||||
QYu26+jGtBemopT3+2YJjtALeR62eNhF9LoHu+mnmNLvPI0M0NMhz56Ss/6sUHOz
|
||||
hJgB98SLAQ5ElSWXrnZThLIjsiH5X5MYTD0Y8MqzoJSi2Lf2Muy/UpyrD3wB14E1
|
||||
kUYhvUnaWDDPIN81DCFzEosBmnsRqr5zlcZSKs0e1LVQ8cNkt8svVkiwFgeOIhwo
|
||||
QF22GJAZPtRceSGlbRTFBYKh+u3KN8eNS/X+C935y+F4J/grufDCzRSGtRRseTcd
|
||||
1QW49+QME/rx1mBb7id4iXNKxvGuJTivBlxaHWBQLh/RGk39DSdHfjAhYvt2gmxh
|
||||
C3gxXMNrymE=
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -402,15 +402,11 @@ add_task(
|
|||
let revokedInStashIssuer = constructCertFromFile(
|
||||
"test_cert_storage_direct/revoked-in-stash-issuer.pem"
|
||||
);
|
||||
let noSCTCertIssuer = constructCertFromFile(
|
||||
"test_cert_storage_direct/no-sct-issuer.pem"
|
||||
);
|
||||
|
||||
let crliteEnrollmentRecords = [
|
||||
getCRLiteEnrollmentRecordFor(validCertIssuer),
|
||||
getCRLiteEnrollmentRecordFor(revokedCertIssuer),
|
||||
getCRLiteEnrollmentRecordFor(revokedInStashIssuer),
|
||||
getCRLiteEnrollmentRecordFor(noSCTCertIssuer),
|
||||
];
|
||||
|
||||
await IntermediatePreloadsClient.onSync({
|
||||
|
|
@ -525,34 +521,6 @@ add_task(
|
|||
"schunk-group.com",
|
||||
Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
|
||||
);
|
||||
|
||||
// This certificate has no embedded SCTs, so it is not guaranteed to be in
|
||||
// CT, so CRLite can't be guaranteed to give the correct answer, so it is
|
||||
// not consulted.
|
||||
let noSCTCert = constructCertFromFile(
|
||||
"test_cert_storage_direct/no-sct.pem"
|
||||
);
|
||||
// Currently OCSP will always be consulted for certificates that are not
|
||||
// revoked in CRLite, but if/when OCSP gets skipped for all certificates
|
||||
// covered by CRLite, this test will ensure that certificates without
|
||||
// embedded SCTs will cause OCSP to be consulted.
|
||||
// NB: this will cause an OCSP request to be sent to localhost:80, but
|
||||
// since an OCSP responder shouldn't be running on that port, this should
|
||||
// fail safely.
|
||||
Services.prefs.setCharPref("network.dns.localDomains", "ocsp.digicert.com");
|
||||
Services.prefs.setBoolPref("security.OCSP.require", true);
|
||||
await checkCertErrorGenericAtTime(
|
||||
certdb,
|
||||
noSCTCert,
|
||||
SEC_ERROR_OCSP_SERVER_ERROR,
|
||||
certificateUsageSSLServer,
|
||||
new Date("2020-11-20T00:00:00Z").getTime() / 1000,
|
||||
false,
|
||||
"mail233.messagelabs.com",
|
||||
0
|
||||
);
|
||||
Services.prefs.clearUserPref("network.dns.localDomains");
|
||||
Services.prefs.clearUserPref("security.OCSP.require");
|
||||
}
|
||||
);
|
||||
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
8ebee3cec9cf
|
||||
c28e20f61e5d
|
||||
|
|
@ -10,3 +10,4 @@
|
|||
*/
|
||||
|
||||
#error "Do not include this header file."
|
||||
|
||||
|
|
|
|||
|
|
@ -152,11 +152,14 @@ private:
|
|||
return Success;
|
||||
}
|
||||
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
|
||||
/*optional*/ const Input*, /*optional*/ const Input*,
|
||||
/*optional*/ const Input*)
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time,
|
||||
Time validityBeginning, Duration,
|
||||
/*optional*/ const Input*, /*optional*/ const Input*)
|
||||
override
|
||||
{
|
||||
// All of the certificates in this test for which this is called have a
|
||||
// validity period that begins "one day before now".
|
||||
EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning);
|
||||
return Success;
|
||||
}
|
||||
|
||||
|
|
@ -302,11 +305,14 @@ public:
|
|||
return Success;
|
||||
}
|
||||
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
|
||||
/*optional*/ const Input*, /*optional*/ const Input*,
|
||||
/*optional*/ const Input*)
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time,
|
||||
Time validityBeginning, Duration,
|
||||
/*optional*/ const Input*, /*optional*/ const Input*)
|
||||
override
|
||||
{
|
||||
// All of the certificates in this test for which this is called have a
|
||||
// validity period that begins "one day before now".
|
||||
EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning);
|
||||
return Success;
|
||||
}
|
||||
|
||||
|
|
@ -323,9 +329,8 @@ public:
|
|||
{
|
||||
}
|
||||
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
|
||||
/*optional*/ const Input*, /*optional*/ const Input*,
|
||||
/*optional*/ const Input*)
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
|
||||
/*optional*/ const Input*, /*optional*/ const Input*)
|
||||
override
|
||||
{
|
||||
ADD_FAILURE();
|
||||
|
|
@ -445,11 +450,14 @@ public:
|
|||
return Success;
|
||||
}
|
||||
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
|
||||
/*optional*/ const Input*, /*optional*/ const Input*,
|
||||
/*optional*/ const Input*)
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time,
|
||||
Time validityBeginning, Duration,
|
||||
/*optional*/ const Input*, /*optional*/ const Input*)
|
||||
override
|
||||
{
|
||||
// All of the certificates in this test for which this is called have a
|
||||
// validity period that begins "one day before now".
|
||||
EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning);
|
||||
return Success;
|
||||
}
|
||||
|
||||
|
|
@ -669,11 +677,14 @@ private:
|
|||
return Success;
|
||||
}
|
||||
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
|
||||
/*optional*/ const Input*,
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time,
|
||||
Time validityBeginning, Duration,
|
||||
/*optional*/ const Input*,
|
||||
/*optional*/ const Input*) override
|
||||
{
|
||||
// All of the certificates in this test for which this is called have a
|
||||
// validity period that begins "one day before now".
|
||||
EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning);
|
||||
return Success;
|
||||
}
|
||||
|
||||
|
|
@ -728,8 +739,8 @@ class RevokedEndEntityTrustDomain final : public MultiplePathTrustDomain
|
|||
{
|
||||
public:
|
||||
Result CheckRevocation(EndEntityOrCA endEntityOrCA, const CertID&, Time,
|
||||
Duration, /*optional*/ const Input*,
|
||||
/*optional*/ const Input*, /*optional*/ const Input*) override
|
||||
Time, Duration, /*optional*/ const Input*,
|
||||
/*optional*/ const Input*) override
|
||||
{
|
||||
if (endEntityOrCA == EndEntityOrCA::MustBeEndEntity) {
|
||||
return Result::ERROR_REVOKED_CERTIFICATE;
|
||||
|
|
@ -833,11 +844,14 @@ private:
|
|||
return Success;
|
||||
}
|
||||
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
|
||||
/*optional*/ const Input*, /*optional*/ const Input*,
|
||||
/*optional*/ const Input*)
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time,
|
||||
Time validityBeginning, Duration,
|
||||
/*optional*/ const Input*, /*optional*/ const Input*)
|
||||
override
|
||||
{
|
||||
// All of the certificates in this test for which this is called have a
|
||||
// validity period that begins "one day before now".
|
||||
EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning);
|
||||
return Success;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -70,9 +70,8 @@ private:
|
|||
return Success;
|
||||
}
|
||||
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
|
||||
/*optional*/ const Input*, /*optional*/ const Input*,
|
||||
/*optional*/ const Input*)
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
|
||||
/*optional*/ const Input*, /*optional*/ const Input*)
|
||||
override
|
||||
{
|
||||
return Success;
|
||||
|
|
|
|||
|
|
@ -92,8 +92,8 @@ private:
|
|||
return checker.Check(issuerCert, nullptr, keepGoing);
|
||||
}
|
||||
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
|
||||
const Input*, const Input*, const Input*) override
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
|
||||
const Input*, const Input*) override
|
||||
{
|
||||
return Success;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -558,8 +558,8 @@ private:
|
|||
return checker.Check(derCert, nullptr, keepGoing);
|
||||
}
|
||||
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
|
||||
const Input*, const Input*, const Input*) override
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
|
||||
const Input*, const Input*) override
|
||||
{
|
||||
return Success;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -302,8 +302,7 @@ public:
|
|||
return Success;
|
||||
}
|
||||
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
|
||||
/*optional*/ const Input*,
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
|
||||
/*optional*/ const Input*,
|
||||
/*optional*/ const Input*) override
|
||||
{
|
||||
|
|
|
|||
|
|
@ -100,8 +100,7 @@ class EverythingFailsByDefaultTrustDomain : public TrustDomain {
|
|||
Result::FATAL_ERROR_LIBRARY_FAILURE);
|
||||
}
|
||||
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
|
||||
/*optional*/ const Input*,
|
||||
Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
|
||||
/*optional*/ const Input*,
|
||||
/*optional*/ const Input*) override {
|
||||
ADD_FAILURE();
|
||||
|
|
|
|||
|
|
@ -278,10 +278,10 @@ class TrustDomain {
|
|||
|
||||
virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA,
|
||||
const CertID& certID, Time time,
|
||||
Time validityBeginning,
|
||||
Duration validityDuration,
|
||||
/*optional*/ const Input* stapledOCSPresponse,
|
||||
/*optional*/ const Input* aiaExtension,
|
||||
/*optional*/ const Input* sctExtension) = 0;
|
||||
/*optional*/ const Input* aiaExtension) = 0;
|
||||
|
||||
// Check that the given digest algorithm is acceptable for use in signatures.
|
||||
//
|
||||
|
|
|
|||
|
|
@ -252,9 +252,9 @@ PathBuildingStep::Check(Input potentialIssuerDER,
|
|||
}
|
||||
Duration validityDuration(notAfter, notBefore);
|
||||
rv = trustDomain.CheckRevocation(subject.endEntityOrCA, certID, time,
|
||||
validityDuration, stapledOCSPResponse,
|
||||
subject.GetAuthorityInfoAccess(),
|
||||
subject.GetSignedCertificateTimestamps());
|
||||
notBefore, validityDuration,
|
||||
stapledOCSPResponse,
|
||||
subject.GetAuthorityInfoAccess());
|
||||
if (rv != Success) {
|
||||
// Since this is actually a problem with the current subject certificate
|
||||
// (rather than the issuer), it doesn't make sense to keep going; all
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче