This updates the certificate transparency policy based on Chrome's policy,
found at https://googlechrome.github.io/CertificateTransparency/ct_policy.html.
Both it and the Chrome policy are similar to the Apple policy, found at
https://support.apple.com/en-us/103214.
Essentially, the policy can be satisfied in two ways, depending on the source
of the collected SCTs.
For embedded SCTs, at least one must be from a log that was Admissible
(Qualified, Usable, or ReadOnly) at the time of the check. There must be SCTs
from N distinct logs that were Admissible or Retired at the time of the check,
where N depends on the lifetime of the certificate. If the certificate lifetime
is less than or equal to 180 days, N is 2. Otherwise, N is 3. Among these SCTs,
at least two must be issued from distinct log operators.
For SCTs delivered via the TLS handshake or an OCSP response, at least two must
be from a log that was Admissible at the time of the check. Among these SCTs,
at least two must be issued from distinct log operators.
Differential Revision: https://phabricator.services.mozilla.com/D218800
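The two ways of satisfying the policy described in the message above, written out as an added Python example (this is not the patch's C++ code and not Mozilla's implementation). The log identifiers, operator names and log states in the sample are constructed for illustration; log state is taken as "state at the time of the check", as the message specifies. The example implements only the rules stated in the message; the real Chrome and Apple policies attach further conditions (for instance on SCT timestamps relative to a log's retirement) that the summary above does not mention.

```python
from dataclasses import dataclass
from enum import Enum


class LogState(Enum):
    """State of a CT log in the known-log list at the time of the check."""
    QUALIFIED = "qualified"
    USABLE = "usable"
    READONLY = "readonly"
    RETIRED = "retired"
    OTHER = "other"  # pending, rejected, or unknown log: never counts


# Qualified, Usable and ReadOnly are collectively "admissible".
ADMISSIBLE = {LogState.QUALIFIED, LogState.USABLE, LogState.READONLY}


class Origin(Enum):
    EMBEDDED = "embedded"  # SCT embedded in the certificate
    TLS = "tls"            # delivered in the TLS handshake extension
    OCSP = "ocsp"          # delivered in a stapled OCSP response


@dataclass(frozen=True)
class Sct:
    log_id: str       # identifies the log; hypothetical labels in the sample below
    operator: str     # operator of that log, from the known-log list
    state: LogState   # the log's state when the check runs
    origin: Origin


def required_embedded_logs(lifetime_days: int) -> int:
    """N distinct logs needed for embedded SCTs: 2 for lifetimes <= 180 days, else 3."""
    return 2 if lifetime_days <= 180 else 3


def _distinct(scts, field):
    return {getattr(s, field) for s in scts}


def embedded_scts_satisfy_policy(scts, lifetime_days: int) -> bool:
    embedded = [s for s in scts if s.origin is Origin.EMBEDDED]
    # At least one SCT from a log that is admissible now.
    if not any(s.state in ADMISSIBLE for s in embedded):
        return False
    # SCTs from N distinct logs that are admissible or retired now...
    counted = [s for s in embedded
               if s.state in ADMISSIBLE or s.state is LogState.RETIRED]
    if len(_distinct(counted, "log_id")) < required_embedded_logs(lifetime_days):
        return False
    # ...and among those, at least two distinct log operators.
    return len(_distinct(counted, "operator")) >= 2


def delivered_scts_satisfy_policy(scts) -> bool:
    delivered = [s for s in scts
                 if s.origin in (Origin.TLS, Origin.OCSP) and s.state in ADMISSIBLE]
    # At least two SCTs from admissible logs, from at least two operators.
    return len(delivered) >= 2 and len(_distinct(delivered, "operator")) >= 2


def ct_policy_satisfied(scts, lifetime_days: int) -> bool:
    """The policy is met if either the embedded or the delivered SCTs satisfy it."""
    return (embedded_scts_satisfy_policy(scts, lifetime_days)
            or delivered_scts_satisfy_policy(scts))


def sample_results():
    """Constructed sample: hypothetical logs and operators, not real CT logs."""
    def emb(log, op, st):
        return Sct(log, op, st, Origin.EMBEDDED)

    def tls(log, op, st):
        return Sct(log, op, st, Origin.TLS)

    two_ops = [emb("log-a", "Operator A", LogState.USABLE),
               emb("log-b", "Operator B", LogState.QUALIFIED)]
    return {
        "90d_two_embedded": ct_policy_satisfied(two_ops, 90),
        "397d_two_embedded": ct_policy_satisfied(two_ops, 397),
        "397d_plus_retired": ct_policy_satisfied(
            two_ops + [emb("log-c", "Operator C", LogState.RETIRED)], 397),
        "all_retired": ct_policy_satisfied(
            [emb("log-a", "Operator A", LogState.RETIRED),
             emb("log-b", "Operator B", LogState.RETIRED)], 90),
        "one_operator": ct_policy_satisfied(
            [emb("log-a", "Operator A", LogState.USABLE),
             emb("log-a2", "Operator A", LogState.USABLE)], 90),
        "tls_two_operators": ct_policy_satisfied(
            [tls("log-a", "Operator A", LogState.USABLE),
             tls("log-b", "Operator B", LogState.READONLY)], 397),
        "tls_one_retired": ct_policy_satisfied(
            [tls("log-a", "Operator A", LogState.USABLE),
             tls("log-b", "Operator B", LogState.RETIRED)], 397),
    }
```

The sample shows why the two paths differ: a retired log can still contribute to the N-distinct-logs count for embedded SCTs as long as one admissible log is present, whereas SCTs delivered over TLS or OCSP only count from logs that are admissible at check time.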
This patch uses the log state information in the known CT log list to
differentiate qualified, usable, and readonly (collectively now referred to as
"admissible") logs from retired logs. This patch also takes the opportunity to
update the language in the implementation from "disqualified" to "retired" to
match the current terminology from the source data.
Differential Revision: https://phabricator.services.mozilla.com/D218266
This patch gets the known CT log update script working again, runs it, and adds
an expiration time so that the implementation will not attempt to use
CT information that hasn't been updated in twelve weeks, which is about three
releases.
Differential Revision: https://phabricator.services.mozilla.com/D218023
The use of `-Xclang -Wall` somehow makes `-Wno-unknown-pragmas`
ineffective. `-Xclang -Wno-unknown-pragmas` does however work.
But we don't need to set `-Xclang -Wall` from the moz.builds in the first
place, as that's already done properly via warnings.configure (setting
-Wall on non-clang-cl and -W3 on clang-cl, which is the equivalent).
Differential Revision: https://phabricator.services.mozilla.com/D159366
Automatically generated patch that adds flag `REQUIRES_UNIFIED_BUILD = True` to `moz.build`
when the module governed by the build config file is not buildable outside of the unified environment.
This needs to be done in order to have a hybrid build system that adds the possibility of combining
unified build components with ones that are built outside of the unified ecosystem.
Differential Revision: https://phabricator.services.mozilla.com/D122345
In bug 1174288 and related bugs we created a framework for generating
test certificates (and later, keys) from specifications at build time. This
turned out to take too long to run on each build, so this system was largely
left disabled (see all of the "# Temporarily disabled. See bug 1256495."
comments removed in this patch). This patch introduces a mach command
("generate-test-certs") that can generate test certificates and keys. The
expectation is that when a developer needs to add new such artifacts, they can
use this new command. Similarly, when the artifacts need to be updated (for
example, because they've expired), this command can regenerate them all at
once.
Differential Revision: https://phabricator.services.mozilla.com/D108869
Allow-list all Python code in tree for use with the black linter, and re-format all code in-tree accordingly.
To produce this patch I did all of the following:
1. Make changes to tools/lint/black.yml to remove include: stanza and update list of source extensions.
2. Run ./mach lint --linter black --fix
3. Make some ad-hoc manual updates to python/mozbuild/mozbuild/test/configure/test_configure.py -- it has some hard-coded line numbers that the reformat breaks.
4. Make some ad-hoc manual updates to `testing/marionette/client/setup.py`, `testing/marionette/harness/setup.py`, and `testing/firefox-ui/harness/setup.py`, which have hard-coded regexes that break after the reformat.
5. Add a set of exclusions to black.yml. These will be deleted in a follow-up bug (1672023).
# ignore-this-changeset
Differential Revision: https://phabricator.services.mozilla.com/D94045
Because CAs can back-date a certificate (i.e. set the "notBefore" field to
earlier than when a certificate actually existed), the "notBefore" field can't
be relied on when determining when CRLite information is recent enough to check
a certificate with. To that end, this patch instead uses the earliest timestamp
from the embedded SCTs in the certificate being checked.
Differential Revision: https://phabricator.services.mozilla.com/D90599
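An added Python example of the timestamp rule the message above describes; it is not Mozilla's CRLite code. It parses an RFC 6962 SignedCertificateTimestampList (the TLS-encoded structure inside the SCT certificate extension; the example assumes the surrounding DER OCTET STRING has already been stripped), takes the earliest SCT timestamp, and uses that rather than notBefore to decide whether a filter is recent enough for the certificate. The SCT bytes are constructed inline with placeholder signatures (nothing is signature-checked here), the "filter timestamp" comparison is a simplification assumed for illustration, and the dates are chosen to show a back-dated notBefore.

```python
import struct

# RFC 6962 section 3.2/3.3 layout of one v1 SCT:
#   Version(1) || LogID(32) || Timestamp(8, ms since epoch) ||
#   ext_len(2) || extensions || sig_alg(2) || sig_len(2) || signature
_SCT_FIXED_PREFIX = 1 + 32 + 8 + 2


def _parse_one_sct(buf: bytes):
    if len(buf) < _SCT_FIXED_PREFIX:
        raise ValueError("truncated SCT")
    if buf[0] != 0:
        raise ValueError(f"unsupported SCT version {buf[0]}")
    log_id = buf[1:33]
    (timestamp_ms,) = struct.unpack(">Q", buf[33:41])
    (ext_len,) = struct.unpack(">H", buf[41:43])
    pos = 43 + ext_len
    if len(buf) < pos + 4:
        raise ValueError("truncated SCT signature")
    (sig_len,) = struct.unpack(">H", buf[pos + 2:pos + 4])
    if len(buf) != pos + 4 + sig_len:
        raise ValueError("SCT length mismatch")
    return log_id, timestamp_ms


def parse_sct_list(data: bytes):
    """Parse a SignedCertificateTimestampList into (log_id, timestamp_ms) pairs."""
    if len(data) < 2:
        raise ValueError("truncated SCT list")
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    pos, out = 2, []
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT entry length")
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        if pos + n > len(data):
            raise ValueError("truncated SCT entry")
        out.append(_parse_one_sct(data[pos:pos + n]))
        pos += n
    return out


def earliest_sct_timestamp(data: bytes) -> int:
    """Earliest embedded SCT timestamp: the first moment a log vouched the cert existed."""
    scts = parse_sct_list(data)
    if not scts:
        raise ValueError("certificate carries no SCTs")
    return min(ts for _, ts in scts)


def crlite_filter_covers(filter_timestamp_ms: int, sct_list: bytes) -> bool:
    """Assumed illustrative rule: a filter can only speak for a certificate if it was
    produced at or after the earliest SCT timestamp; notBefore is deliberately ignored."""
    return filter_timestamp_ms >= earliest_sct_timestamp(sct_list)


def build_sct_list(entries) -> bytes:
    """Construct test data from (log_id, timestamp_ms) pairs.
    The signature field is a placeholder and would not verify against any log key."""
    encoded = []
    for log_id, ts in entries:
        body = b"\x00" + log_id + struct.pack(">Q", ts) + struct.pack(">H", 0)
        sig = b"\x04\x03" + struct.pack(">H", 4) + b"\xde\xad\xbe\xef"  # ecdsa/sha256 placeholder
        sct = body + sig
        encoded.append(struct.pack(">H", len(sct)) + sct)
    inner = b"".join(encoded)
    return struct.pack(">H", len(inner)) + inner


# Constructed sample: hypothetical log IDs, SCTs dated 2020-03-01 and 2020-03-02 (UTC),
# for a certificate whose notBefore was back-dated to 2020-01-01.
NOT_BEFORE_MS = 1577836800000
SAMPLE_SCT_LIST = build_sct_list([
    (bytes([0x01]) * 32, 1583020800000),
    (bytes([0x02]) * 32, 1583107200000),
])


def sample_results():
    filter_feb15 = 1581724800000  # after notBefore, but before the first SCT
    filter_mar05 = 1583366400000
    return {
        "earliest": earliest_sct_timestamp(SAMPLE_SCT_LIST),
        "notbefore_would_accept_feb15": filter_feb15 >= NOT_BEFORE_MS,
        "sct_rule_accepts_feb15": crlite_filter_covers(filter_feb15, SAMPLE_SCT_LIST),
        "sct_rule_accepts_mar05": crlite_filter_covers(filter_mar05, SAMPLE_SCT_LIST),
    }
```

In the sample, a filter built on 15 February would look fresh enough under a notBefore comparison, because the CA back-dated the certificate to 1 January, but the earliest SCT proves the certificate did not exist until 1 March, so the earliest-SCT rule correctly rejects that filter and accepts one built on 5 March.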
Unfortunately, since the new ecdsa library has a different interface and slightly different inner workings compared to the old PyECC library, the changes to support this update are not trivial. Luckily the ecdsa library is extensible enough to allow us to adjust the library's functionality with function parameters rather than monkey-patching, as we were doing with the previous version of the code. All of these interface changes are in addition to the normal rote Python 3 updates. This was tested by running a build with and without this patch and ensuring there were no unexpected diffs.
Differential Revision: https://phabricator.services.mozilla.com/D70117
GENERATED_FILES now defaults to python3 unless py2=True is specified as
an argument. All existing GENERATED_FILES scripts and GeneratedFile
templates have the py2=True attribute added, so this patch should
effectively be a no-op.
Going forward, individual scripts can be converted to python3 and their
corresponding py2=True attribute can be deleted. In effect, this patch
will be backed out in pieces until all scripts run in python3, at which
point the py2 attribute itself can be removed.
Differential Revision: https://phabricator.services.mozilla.com/D60919
--HG--
extra : moz-landing-system : lando
Bug 1593141 adds a parameter to mozilla::pkix::TrustDomain::CheckRevocation.
This patch updates all TrustDomain implementations in mozilla-central to
reflect this.
Differential Revision: https://phabricator.services.mozilla.com/D52066
--HG--
extra : moz-landing-system : lando