Bug 1666567 - land NSS 8ebee3cec9cf UPGRADE_NSS_RELEASE, r=kjacobs

CLOSED TREE 2020-09-23 Dana Keeler <dkeeler@mozilla.com> * gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp: Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension (if present) in CheckRevocation r=jcj This will allow Firefox to make decisions based on the earliest known time that a certificate exists (with respect to certificate transparency) that a CA is unlikely to back-date. In particular, this is essential for CRLite. Note that if the SCT signature isn't validated, a CA could still make a certificate appear to have existed for longer than it really has. However, this change is not an attempt to catch malicious CAs. The aim is to avoid false positives in CRLite resulting from CAs backdating the notBefore field on certificates they issue. Depends on D90595 [8ebee3cec9cf] [tip] 2020-09-18 Dana Keeler <dkeeler@mozilla.com> * gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp: Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's no longer necessary r=jcj Bug 1593141 added the certificate's notBefore field as an argument to TrustDomain::CheckRevocation so that Firefox could use it with CRLite. However, since CAs can backdate that field, we need to use the earliest embedded SCT timestamp instead. [c1f4d565ceda] Differential Revision: https://phabricator.services.mozilla.com/D91211
2020-09-23 23:28:18 +00:00 · 2020-09-23 23:28:18 +00:00 · e8346094ad
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@ -1 +1 @@
-c28e20f61e5d
+8ebee3cec9cf
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@ -10,4 +10,3 @@
 */

 #error "Do not include this header file."
-
--- a/security/nss/gtests/mozpkix_gtest/pkixbuild_tests.cpp
+++ b/security/nss/gtests/mozpkix_gtest/pkixbuild_tests.cpp
@ -152,14 +152,11 @@ private:
    return Success;
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time,
-                         Time validityBeginning, Duration,
-                         /*optional*/ const Input*, /*optional*/ const Input*)
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*,
+                         /*optional*/ const Input*)
                         override
  {
-    // All of the certificates in this test for which this is called have a
-    // validity period that begins "one day before now".
-    EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning);
    return Success;
  }

@ -305,14 +302,11 @@ public:
    return Success;
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time,
-                         Time validityBeginning, Duration,
-                         /*optional*/ const Input*, /*optional*/ const Input*)
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*,
+                         /*optional*/ const Input*)
                         override
  {
-    // All of the certificates in this test for which this is called have a
-    // validity period that begins "one day before now".
-    EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning);
    return Success;
  }

@ -329,8 +323,9 @@ public:
  {
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
-                         /*optional*/ const Input*, /*optional*/ const Input*)
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*,
+                         /*optional*/ const Input*)
                         override
  {
    ADD_FAILURE();
@ -450,14 +445,11 @@ public:
    return Success;
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time,
-                         Time validityBeginning, Duration,
-                         /*optional*/ const Input*, /*optional*/ const Input*)
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*,
+                         /*optional*/ const Input*)
                         override
  {
-    // All of the certificates in this test for which this is called have a
-    // validity period that begins "one day before now".
-    EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning);
    return Success;
  }

@ -677,14 +669,11 @@ private:
    return Success;
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time,
-                         Time validityBeginning, Duration,
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*,
                         /*optional*/ const Input*,
                         /*optional*/ const Input*) override
  {
-    // All of the certificates in this test for which this is called have a
-    // validity period that begins "one day before now".
-    EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning);
    return Success;
  }

@ -739,8 +728,8 @@ class RevokedEndEntityTrustDomain final : public MultiplePathTrustDomain
 {
 public:
  Result CheckRevocation(EndEntityOrCA endEntityOrCA, const CertID&, Time,
-                         Time, Duration, /*optional*/ const Input*,
-                         /*optional*/ const Input*) override
+                         Duration, /*optional*/ const Input*,
+                         /*optional*/ const Input*, /*optional*/ const Input*) override
  {
    if (endEntityOrCA == EndEntityOrCA::MustBeEndEntity) {
      return Result::ERROR_REVOKED_CERTIFICATE;
@ -844,14 +833,11 @@ private:
    return Success;
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time,
-                         Time validityBeginning, Duration,
-                         /*optional*/ const Input*, /*optional*/ const Input*)
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*,
+                         /*optional*/ const Input*)
                         override
  {
-    // All of the certificates in this test for which this is called have a
-    // validity period that begins "one day before now".
-    EXPECT_EQ(TimeFromEpochInSeconds(oneDayBeforeNow), validityBeginning);
    return Success;
  }

--- a/security/nss/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp
+++ b/security/nss/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp
@ -70,8 +70,9 @@ private:
    return Success;
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
-                         /*optional*/ const Input*, /*optional*/ const Input*)
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*,
+                         /*optional*/ const Input*)
                         override
  {
    return Success;
--- a/security/nss/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
+++ b/security/nss/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
@ -92,8 +92,8 @@ private:
    return checker.Check(issuerCert, nullptr, keepGoing);
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
-                         const Input*, const Input*) override
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         const Input*, const Input*, const Input*) override
  {
    return Success;
  }
--- a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
@ -558,8 +558,8 @@ private:
    return checker.Check(derCert, nullptr, keepGoing);
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
-                         const Input*, const Input*) override
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         const Input*, const Input*, const Input*) override
  {
    return Success;
  }
--- a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
@ -302,7 +302,8 @@ public:
    return Success;
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*,
                         /*optional*/ const Input*,
                         /*optional*/ const Input*) override
  {
--- a/security/nss/gtests/mozpkix_gtest/pkixgtest.h
+++ b/security/nss/gtests/mozpkix_gtest/pkixgtest.h
@ -100,7 +100,8 @@ class EverythingFailsByDefaultTrustDomain : public TrustDomain {
                      Result::FATAL_ERROR_LIBRARY_FAILURE);
  }

-  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*,
                         /*optional*/ const Input*,
                         /*optional*/ const Input*) override {
    ADD_FAILURE();
--- a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
+++ b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
@ -278,10 +278,10 @@ class TrustDomain {

  virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA,
                                 const CertID& certID, Time time,
-                                 Time validityBeginning,
                                 Duration validityDuration,
                                 /*optional*/ const Input* stapledOCSPresponse,
-                                 /*optional*/ const Input* aiaExtension) = 0;
+                                 /*optional*/ const Input* aiaExtension,
+                                 /*optional*/ const Input* sctExtension) = 0;

  // Check that the given digest algorithm is acceptable for use in signatures.
  //
--- a/security/nss/lib/mozpkix/lib/pkixbuild.cpp
+++ b/security/nss/lib/mozpkix/lib/pkixbuild.cpp
@ -252,9 +252,9 @@ PathBuildingStep::Check(Input potentialIssuerDER,
    }
    Duration validityDuration(notAfter, notBefore);
    rv = trustDomain.CheckRevocation(subject.endEntityOrCA, certID, time,
-                                     notBefore, validityDuration,
-                                     stapledOCSPResponse,
-                                     subject.GetAuthorityInfoAccess());
+                                     validityDuration, stapledOCSPResponse,
+                                     subject.GetAuthorityInfoAccess(),
+                                     subject.GetSignedCertificateTimestamps());
    if (rv != Success) {
      // Since this is actually a problem with the current subject certificate
      // (rather than the issuer), it doesn't make sense to keep going; all