Bug 1493788 - remove other mozilla-specific dependencies from certificate transparency implementation r=jcj

This patch removes the remaining mozilla-specific dependencies from the
certificate transparency implementation.

Depends on D6845

Differential Revision: https://phabricator.services.mozilla.com/D6846

--HG--
extra : moz-landing-system : lando
This commit is contained in:
Dana Keeler 2018-10-01 16:20:57 +00:00
parent 1661adeb86
commit 0c4b612622
21 changed files with 160 additions and 124 deletions

View File

@ -390,7 +390,7 @@ CertVerifier::VerifyCertificateTransparencyPolicy(
GetCTLogOperatorsFromVerifiedSCTList(result.verifiedScts, allOperators);
CTLogOperatorList dependentOperators;
rv = mCTDiversityPolicy->GetDependentOperators(builtChain, allOperators,
rv = mCTDiversityPolicy->GetDependentOperators(builtChain.get(), allOperators,
dependentOperators);
if (rv != Success) {
return rv;

View File

@ -10,10 +10,6 @@
#include <stdint.h>
#include "mozilla/Assertions.h"
#include "mozilla/Move.h"
#include "mozilla/TypeTraits.h"
namespace mozilla { namespace ct {
using namespace mozilla::pkix;

View File

@ -6,6 +6,8 @@
#include "Buffer.h"
#include <string.h>
namespace mozilla {
bool

View File

@ -8,6 +8,7 @@
#define Buffer_h
#include <vector>
#include <cstdint>
namespace mozilla { namespace ct {

View File

@ -31,7 +31,7 @@ GetCTLogOperatorsFromVerifiedSCTList(const VerifiedSCTList& list,
}
Result
CTDiversityPolicy::GetDependentOperators(const UniqueCERTCertList& builtChain,
CTDiversityPolicy::GetDependentOperators(const CERTCertList* builtChain,
const CTLogOperatorList& operators,
CTLogOperatorList& dependentOperators)
{

View File

@ -9,8 +9,8 @@
#include "CTLog.h"
#include "CTVerifyResult.h"
#include "certt.h"
#include "pkix/Result.h"
#include "ScopedNSSTypes.h"
namespace mozilla { namespace ct {
@ -30,7 +30,7 @@ public:
// issuing the certificate (as defined by the CT Policy).
//
// NOTE: TBD, PENDING FINALIZATION OF MOZILLA CT POLICY.
pkix::Result GetDependentOperators(const UniqueCERTCertList& builtChain,
pkix::Result GetDependentOperators(const CERTCertList* builtChain,
const CTLogOperatorList& operators,
CTLogOperatorList& dependentOperators);
};

View File

@ -10,8 +10,6 @@
#include "CTSerialization.h"
#include "hasht.h"
#include "mozilla/ArrayUtils.h"
#include "mozilla/Assertions.h"
#include "pkix/pkixnss.h"
#include "pkixutil.h"
@ -68,7 +66,7 @@ public:
Result CheckECDSACurveIsAcceptable(EndEntityOrCA, NamedCurve curve) override
{
MOZ_ASSERT(mSignatureAlgorithm ==
assert(mSignatureAlgorithm ==
DigitallySigned::SignatureAlgorithm::Anonymous);
if (curve != NamedCurve::secp256r1) {
return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
@ -86,7 +84,7 @@ public:
unsigned int modulusSizeInBits)
override
{
MOZ_ASSERT(mSignatureAlgorithm ==
assert(mSignatureAlgorithm ==
DigitallySigned::SignatureAlgorithm::Anonymous);
// Require RSA keys of at least 2048 bits. See RFC 6962, Section 2.1.4.
if (modulusSizeInBits < 2048) {
@ -145,7 +143,7 @@ CTLogVerifier::Init(Input subjectPublicKeyInfo,
break;
case CTLogStatus::Unknown:
default:
MOZ_ASSERT_UNREACHABLE("Unsupported CTLogStatus");
assert(false);
return Result::FATAL_ERROR_INVALID_ARGS;
}
@ -266,7 +264,7 @@ static Result
FasterVerifyECDSASignedDigestNSS(const SignedDigest& sd,
UniqueSECKEYPublicKey& pubkey)
{
MOZ_ASSERT(pubkey);
assert(pubkey);
if (!pubkey) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
@ -299,14 +297,14 @@ CTLogVerifier::VerifySignature(Input data, Input signature)
{
uint8_t digest[SHA256_LENGTH];
Result rv = DigestBufNSS(data, DigestAlgorithm::sha256, digest,
ArrayLength(digest));
MOZILLA_CT_ARRAY_LENGTH(digest));
if (rv != Success) {
return rv;
}
SignedDigest signedDigest;
signedDigest.digestAlgorithm = DigestAlgorithm::sha256;
rv = signedDigest.digest.Init(digest, ArrayLength(digest));
rv = signedDigest.digest.Init(digest, MOZILLA_CT_ARRAY_LENGTH(digest));
if (rv != Success) {
return rv;
}
@ -335,7 +333,7 @@ CTLogVerifier::VerifySignature(Input data, Input signature)
case DigitallySigned::SignatureAlgorithm::Anonymous:
case DigitallySigned::SignatureAlgorithm::DSA:
default:
MOZ_ASSERT_UNREACHABLE("RSA/ECDSA expected");
assert(false);
return Result::FATAL_ERROR_INVALID_ARGS;
}
if (rv != Success) {

View File

@ -7,13 +7,15 @@
#ifndef CTLogVerifier_h
#define CTLogVerifier_h
#include <memory>
#include "CTLog.h"
#include "pkix/Input.h"
#include "pkix/pkix.h"
#include "pkix/Result.h"
#include "ScopedNSSTypes.h"
#include "CTUtils.h"
#include "SignedCertificateTimestamp.h"
#include "SignedTreeHead.h"
#include "pkix/Input.h"
#include "pkix/Result.h"
#include "pkix/pkix.h"
namespace mozilla { namespace ct {

View File

@ -6,14 +6,10 @@
#include "CTObjectsExtractor.h"
#include <limits>
#include <vector>
#include "hasht.h"
#include "mozilla/Assertions.h"
#include "mozilla/Casting.h"
#include "mozilla/Move.h"
#include "mozilla/PodOperations.h"
#include "mozilla/RangedPtr.h"
#include "pkix/pkixnss.h"
#include "pkixutil.h"
@ -33,7 +29,7 @@ public:
Output(uint8_t* buffer, size_t length)
: begin(buffer)
, end(buffer + length)
, current(buffer, begin, end)
, current(begin)
, overflowed(false)
{
}
@ -58,17 +54,17 @@ public:
Result GetInput(/*out*/ Input& input) const
{
if (overflowed) {
if (overflowed || current < begin) {
return Result::FATAL_ERROR_INVALID_STATE;
}
size_t length = AssertedCast<size_t>(current.get() - begin);
size_t length = static_cast<size_t>(current - begin);
return input.Init(begin, length);
}
private:
uint8_t* begin;
uint8_t* end;
RangedPtr<uint8_t> current;
uint8_t* current;
bool overflowed;
Output(const Output&) = delete;
@ -76,14 +72,17 @@ private:
void Write(const uint8_t* data, size_t length)
{
size_t available = AssertedCast<size_t>(end - current.get());
if (end < current) {
overflowed = true;
}
size_t available = static_cast<size_t>(end - current);
if (available < length) {
overflowed = true;
}
if (overflowed) {
return;
}
PodCopy(current.get(), data, length);
memcpy(current, data, length);
current += length;
}
};
@ -122,6 +121,15 @@ static const size_t MAX_TLV_HEADER_LENGTH = 4;
static const uint8_t EXTENSIONS_CONTEXT_TAG =
der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 3;
Result
CheckForInputSizeTypeOverflow(size_t length)
{
if (length > std::numeric_limits<Input::size_type>::max()) {
return Result::FATAL_ERROR_INVALID_STATE;
}
return Success;
}
// Given a leaf certificate, extracts the DER-encoded TBSCertificate component
// of the corresponding Precertificate.
// Basically, the extractor needs to remove the embedded SCTs extension
@ -278,9 +286,17 @@ private:
if (rv != Success) {
return rv;
}
// Since we're getting these extensions from a certificate that has
// already fit in an Input, this shouldn't overflow.
size_t extensionsContextLengthAsSizeT =
static_cast<size_t>(extensionsHeader.GetLength()) +
static_cast<size_t>(extensionsValueLength);
rv = CheckForInputSizeTypeOverflow(extensionsContextLengthAsSizeT);
if (rv != Success) {
return rv;
}
Input::size_type extensionsContextLength =
AssertedCast<Input::size_type>(extensionsHeader.GetLength() +
extensionsValueLength);
static_cast<Input::size_type>(extensionsContextLengthAsSizeT);
rv = MakeTLVHeader(EXTENSIONS_CONTEXT_TAG,
extensionsContextLength,
extensionsContextHeaderBuffer,
@ -288,11 +304,17 @@ private:
if (rv != Success) {
return rv;
}
size_t tbsLengthAsSizeT =
static_cast<size_t>(mTLVsBeforeExtensions.GetLength()) +
static_cast<size_t>(extensionsContextHeader.GetLength()) +
static_cast<size_t>(extensionsHeader.GetLength()) +
static_cast<size_t>(extensionsValueLength);
rv = CheckForInputSizeTypeOverflow(tbsLengthAsSizeT);
if (rv != Success) {
return rv;
}
Input::size_type tbsLength =
AssertedCast<Input::size_type>(mTLVsBeforeExtensions.GetLength() +
extensionsContextHeader.GetLength() +
extensionsHeader.GetLength() +
extensionsValueLength);
static_cast<Input::size_type>(tbsLengthAsSizeT);
rv = MakeTLVHeader(der::SEQUENCE, tbsLength, tbsHeaderBuffer, tbsHeader);
if (rv != Success) {
return rv;
@ -327,14 +349,14 @@ private:
Output output(buffer);
output.Write(tag);
if (length < 128) {
output.Write(AssertedCast<uint8_t>(length));
output.Write(static_cast<uint8_t>(length));
} else if (length < 256) {
output.Write(0x81u);
output.Write(AssertedCast<uint8_t>(length));
output.Write(static_cast<uint8_t>(length));
} else if (length < 65536) {
output.Write(0x82u);
output.Write(AssertedCast<uint8_t>(length / 256));
output.Write(AssertedCast<uint8_t>(length % 256));
output.Write(static_cast<uint8_t>(length / 256));
output.Write(static_cast<uint8_t>(length % 256));
} else {
return Result::FATAL_ERROR_INVALID_ARGS;
}
@ -352,8 +374,8 @@ Result
GetPrecertLogEntry(Input leafCertificate, Input issuerSubjectPublicKeyInfo,
LogEntry& output)
{
MOZ_ASSERT(leafCertificate.GetLength() > 0);
MOZ_ASSERT(issuerSubjectPublicKeyInfo.GetLength() > 0);
assert(leafCertificate.GetLength() > 0);
assert(issuerSubjectPublicKeyInfo.GetLength() > 0);
output.Reset();
Buffer precertTBSBuffer;
@ -367,8 +389,8 @@ GetPrecertLogEntry(Input leafCertificate, Input issuerSubjectPublicKeyInfo,
return rv;
}
Input precertTBS(extractor.GetPrecertTBS());
MOZ_ASSERT(precertTBS.UnsafeGetData() == precertTBSBuffer.data());
MOZ_ASSERT(precertTBS.GetLength() <= precertTBSBuffer.size());
assert(precertTBS.UnsafeGetData() == precertTBSBuffer.data());
assert(precertTBS.GetLength() <= precertTBSBuffer.size());
precertTBSBuffer.resize(precertTBS.GetLength());
output.type = LogEntry::Type::Precert;
@ -383,7 +405,7 @@ GetPrecertLogEntry(Input leafCertificate, Input issuerSubjectPublicKeyInfo,
void
GetX509LogEntry(Input leafCertificate, LogEntry& output)
{
MOZ_ASSERT(leafCertificate.GetLength() > 0);
assert(leafCertificate.GetLength() > 0);
output.Reset();
output.type = LogEntry::Type::X509;
InputToBuffer(leafCertificate, output.leafCertificate);

View File

@ -10,12 +10,6 @@
#include <stdint.h>
#include <vector>
#include "mozilla/ArrayUtils.h"
#include "mozilla/Assertions.h"
#include "mozilla/Logging.h"
extern mozilla::LazyLogModule gCertVerifierLog;
namespace mozilla { namespace ct {
using namespace mozilla::pkix;
@ -222,9 +216,6 @@ CheckNonEmbeddedCompliance(const VerifiedSCTList& verifiedScts, bool& compliant)
return verifiedSct.status == VerifiedSCT::Status::Valid;
});
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("CT Policy non-embedded case status: validSCTs=%zu\n",
validSctsCount));
compliant = validSctsCount >= 2;
}
@ -259,11 +250,6 @@ CheckEmbeddedCompliance(const VerifiedSCTList& verifiedScts,
size_t requiredSctsCount =
GetRequiredEmbeddedSctsCount(certLifetimeInCalendarMonths);
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("CT Policy embedded case status: "
"requiredSCTs=%zu embeddedSCTs=%zu\n",
requiredSctsCount, embeddedSctsCount));
compliant = embeddedSctsCount >= requiredSctsCount;
}
@ -278,25 +264,13 @@ CTPolicyEnforcer::CheckCompliance(const VerifiedSCTList& verifiedScts,
bool diversityOK;
CheckOperatorDiversityCompliance(verifiedScts, certIssuanceTime,
dependentOperators, diversityOK);
if (diversityOK) {
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("CT Policy: diversity satisfied\n"));
}
bool nonEmbeddedCaseOK;
CheckNonEmbeddedCompliance(verifiedScts, nonEmbeddedCaseOK);
if (nonEmbeddedCaseOK) {
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("CT Policy: non-embedded case satisfied)\n"));
}
bool embeddedCaseOK;
CheckEmbeddedCompliance(verifiedScts, certLifetimeInCalendarMonths,
certIssuanceTime, embeddedCaseOK);
if (embeddedCaseOK) {
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("CT Policy: embedded case satisfied\n"));
}
if (nonEmbeddedCaseOK || embeddedCaseOK) {
compliance = diversityOK ? CTPolicyCompliance::Compliant
@ -308,20 +282,12 @@ CTPolicyEnforcer::CheckCompliance(const VerifiedSCTList& verifiedScts,
switch (compliance) {
case CTPolicyCompliance::Compliant:
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("CT Policy compliance: Compliant\n"));
break;
case CTPolicyCompliance::NotEnoughScts:
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("CT Policy compliance: NotEnoughScts\n"));
break;
case CTPolicyCompliance::NotDiverseScts:
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("CT Policy compliance: NotDiverseScts\n"));
break;
case CTPolicyCompliance::Unknown:
default:
MOZ_ASSERT_UNREACHABLE("Unexpected CTPolicyCompliance type");
assert(false);
}
}

View File

@ -8,10 +8,7 @@
#include "CTUtils.h"
#include <stdint.h>
#include "mozilla/Assertions.h"
#include "mozilla/Move.h"
#include "mozilla/TypeTraits.h"
#include <type_traits>
namespace mozilla { namespace ct {
@ -77,7 +74,7 @@ Result
ReadUint(Reader& in, T& out)
{
uint64_t value;
static_assert(mozilla::IsUnsigned<T>::value, "T must be unsigned");
static_assert(std::is_unsigned<T>::value, "T must be unsigned");
static_assert(length <= 8, "At most 8 byte integers can be read");
static_assert(sizeof(T) >= length, "T must be able to hold <length> bytes");
Result rv = UncheckedReadUint(length, in, value);
@ -198,7 +195,7 @@ WriteUint(T value, Buffer& output)
{
static_assert(length <= 8, "At most 8 byte integers can be written");
static_assert(sizeof(T) >= length, "T must be able to hold <length> bytes");
if (mozilla::IsSigned<T>::value) {
if (std::is_signed<T>::value) {
// We accept signed integer types assuming the actual value is non-negative.
if (value < 0) {
return Result::FATAL_ERROR_INVALID_ARGS;
@ -363,7 +360,7 @@ EncodeLogEntry(const LogEntry& entry, Buffer& output)
case LogEntry::Type::Precert:
return EncodePrecertLogEntry(entry, output);
default:
MOZ_ASSERT_UNREACHABLE("Unexpected LogEntry type");
assert(false);
}
return Result::ERROR_BAD_DER;
}

View File

@ -7,9 +7,48 @@
#ifndef CTUtils_h
#define CTUtils_h
#include <memory>
#include "cryptohi.h"
#include "keyhi.h"
#include "keythi.h"
#include "pk11pub.h"
#include "pkix/Input.h"
#include "pkix/Result.h"
#define MOZILLA_CT_ARRAY_LENGTH(x) (sizeof(x) / sizeof((x)[0]))
struct DeleteHelper
{
void operator()(CERTSubjectPublicKeyInfo* value)
{
SECKEY_DestroySubjectPublicKeyInfo(value);
}
void operator()(PK11SlotInfo* value) { PK11_FreeSlot(value); }
void operator()(SECKEYPublicKey* value) { SECKEY_DestroyPublicKey(value); }
void operator()(SECItem* value) { SECITEM_FreeItem(value, true); }
};
template <class T>
struct MaybeDeleteHelper
{
void operator()(T* ptr)
{
if (ptr) {
DeleteHelper del;
del(ptr);
}
}
};
typedef std::unique_ptr<CERTSubjectPublicKeyInfo, MaybeDeleteHelper<CERTSubjectPublicKeyInfo>>
UniqueCERTSubjectPublicKeyInfo;
typedef std::unique_ptr<PK11SlotInfo, MaybeDeleteHelper<PK11SlotInfo>>
UniquePK11SlotInfo;
typedef std::unique_ptr<SECKEYPublicKey, MaybeDeleteHelper<SECKEYPublicKey>>
UniqueSECKEYPublicKey;
typedef std::unique_ptr<SECItem, MaybeDeleteHelper<SECItem>> UniqueSECItem;
namespace mozilla { namespace ct {
// Reads a TLS-encoded variable length unsigned integer from |in|.

View File

@ -8,8 +8,6 @@
#include "CTObjectsExtractor.h"
#include "CTSerialization.h"
#include "mozilla/Assertions.h"
#include "mozilla/Move.h"
namespace mozilla { namespace ct {
@ -40,7 +38,7 @@ MultiLogCTVerifier::Verify(Input cert,
Time time,
CTVerifyResult& result)
{
MOZ_ASSERT(cert.GetLength() > 0);
assert(cert.GetLength() > 0);
result.Reset();
Result rv;

View File

@ -44,6 +44,9 @@ TEST_DIRS += [
'tests/gtest',
]
if not CONFIG['MOZ_DEBUG']:
DEFINES['NDEBUG'] = True
if CONFIG['CC_TYPE'] == 'clang-cl':
# -Wall on clang-cl maps to -Weverything, which turns on way too
# much, so we're passing through -Wall using -Xclang.
@ -71,11 +74,6 @@ if CONFIG['CC_TYPE'] == 'msvc':
# class copy constructor is inaccessible or deleted
'-wd4626', # assignment operator could not be generated because a base
# class assignment operator is inaccessible or deleted
'-wd4628', # digraphs not supported with -Ze (nsThreadUtils.h includes
# what would be the digraph "<:" in the expression
# "mozilla::EnableIf<::detail::...". Since we don't want it
# interpreted as a digraph anyway, we can disable the
# warning.)
'-wd4640', # construction of local static object is not thread-safe
'-wd4710', # 'function': function not inlined
'-wd4711', # function 'function' selected for inline expansion

View File

@ -20,7 +20,9 @@ public:
void SetUp() override
{
// Does nothing if NSS is already initialized.
MOZ_RELEASE_ASSERT(NSS_NoDB_Init(nullptr) == SECSuccess);
if (NSS_NoDB_Init(nullptr) != SECSuccess) {
abort();
}
ASSERT_EQ(Success, mLog.Init(InputForBuffer(GetTestPublicKey()),
-1 /*operator id*/,

View File

@ -21,7 +21,9 @@ public:
void SetUp() override
{
// Does nothing if NSS is already initialized.
MOZ_RELEASE_ASSERT(NSS_NoDB_Init(nullptr) == SECSuccess);
if (NSS_NoDB_Init(nullptr) != SECSuccess) {
abort();
}
mTestCert = GetDEREncodedX509Cert();
mEmbeddedCert = GetDEREncodedTestEmbeddedCert();

View File

@ -10,13 +10,12 @@
#include <stdint.h>
#include <stdio.h>
#include "CTLogVerifier.h"
#include "CTVerifyResult.h"
#include "SignedCertificateTimestamp.h"
#include "gtest/gtest.h"
#include "hasht.h"
#include "mozilla/ArrayUtils.h"
#include "mozilla/Assertions.h"
#include "prtime.h"
#include "SignedCertificateTimestamp.h"
// Implemented in CertVerifier.cpp.
extern mozilla::pkix::Result
@ -42,7 +41,7 @@ public:
logId.resize(SHA256_LENGTH);
std::fill(logId.begin(), logId.end(), 0);
// Just raw-copy |logId| into the output buffer.
MOZ_ASSERT(sizeof(logNo) <= logId.size());
assert(sizeof(logNo) <= logId.size());
memcpy(logId.data(), &logNo, sizeof(logNo));
}
@ -341,7 +340,7 @@ TEST_F(CTPolicyEnforcerTest,
{ 3*12 + 4, 5 }
};
for (size_t i = 0; i < ArrayLength(kTestData); ++i) {
for (size_t i = 0; i < MOZILLA_CT_ARRAY_LENGTH(kTestData); ++i) {
SCOPED_TRACE(i);
size_t months = kTestData[i].certLifetimeInCalendarMonths;
@ -401,7 +400,7 @@ TEST_F(CTPolicyEnforcerTest, TestEdgeCasesOfGetCertLifetimeInFullMonths)
12 }
};
for (size_t i = 0; i < ArrayLength(kTestData); ++i) {
for (size_t i = 0; i < MOZILLA_CT_ARRAY_LENGTH(kTestData); ++i) {
SCOPED_TRACE(i);
size_t months;

View File

@ -7,7 +7,6 @@
#include "CTSerialization.h"
#include "CTTestUtils.h"
#include "gtest/gtest.h"
#include "mozilla/Move.h"
namespace mozilla { namespace ct {

View File

@ -12,9 +12,6 @@
#include "BTInclusionProof.h"
#include "CTSerialization.h"
#include "gtest/gtest.h"
#include "mozilla/Assertions.h"
#include "mozilla/Move.h"
#include "mozilla/Vector.h"
#include "pkix/Input.h"
#include "pkix/pkix.h"
#include "pkix/pkixnss.h"
@ -435,15 +432,16 @@ CharToByte(char c)
} else if (c >= 'A' && c <= 'F') {
return c - 'A' + 10;
}
MOZ_RELEASE_ASSERT(false);
return 0;
abort();
}
static Buffer
HexToBytes(const char* hexData)
{
size_t hexLen = strlen(hexData);
MOZ_RELEASE_ASSERT(hexLen > 0 && (hexLen % 2 == 0));
if (!(hexLen > 0 && (hexLen % 2 == 0))) {
abort();
}
size_t resultLen = hexLen / 2;
Buffer result;
result.reserve(resultLen);
@ -715,7 +713,9 @@ Buffer
ExtractCertSPKI(Input cert)
{
BackCert backCert(cert, EndEntityOrCA::MustBeEndEntity, nullptr);
MOZ_RELEASE_ASSERT(backCert.Init() == Success);
if (backCert.Init() != Success) {
abort();
}
Input spkiInput = backCert.GetSubjectPublicKeyInfo();
Buffer spki;
@ -874,15 +874,18 @@ Input
InputForBuffer(const Buffer& buffer)
{
Input input;
MOZ_RELEASE_ASSERT(Success == input.Init(buffer.data(), buffer.size()));
if (input.Init(buffer.data(), buffer.size()) != Success) {
abort();
}
return input;
}
Input InputForSECItem(const SECItem& item)
{
Input input;
MOZ_RELEASE_ASSERT(Success ==
input.Init(item.data, item.len));
if (input.Init(item.data, item.len) != Success) {
abort();
}
return input;
}

View File

@ -13,8 +13,6 @@
#include "CTSerialization.h"
#include "CTTestUtils.h"
#include "gtest/gtest.h"
#include "mozilla/EnumSet.h"
#include "mozilla/Move.h"
#include "nss.h"
namespace mozilla { namespace ct {
@ -32,7 +30,9 @@ public:
void SetUp() override
{
// Does nothing if NSS is already initialized.
MOZ_RELEASE_ASSERT(NSS_NoDB_Init(nullptr) == SECSuccess);
if (NSS_NoDB_Init(nullptr) != SECSuccess) {
abort();
}
CTLogVerifier log;
ASSERT_EQ(Success, log.Init(InputForBuffer(GetTestPublicKey()),
@ -203,14 +203,23 @@ TEST_F(MultiLogCTVerifierTest, VerifiesSCTFromMultipleSources)
mNow, result));
// The result should contain verified SCTs from TLS and OCSP origins.
EnumSet<VerifiedSCT::Origin> origins;
size_t embeddedCount = 0;
size_t tlsExtensionCount = 0;
size_t ocspResponseCount = 0;
for (const VerifiedSCT& verifiedSct : result.verifiedScts) {
EXPECT_EQ(VerifiedSCT::Status::Valid, verifiedSct.status);
origins += verifiedSct.origin;
switch (verifiedSct.origin) {
case VerifiedSCT::Origin::Embedded: embeddedCount++; break;
case VerifiedSCT::Origin::TLSExtension: tlsExtensionCount++; break;
case VerifiedSCT::Origin::OCSPResponse: ocspResponseCount++; break;
case VerifiedSCT::Origin::Unknown:
default:
ASSERT_TRUE(false);
}
}
EXPECT_FALSE(origins.contains(VerifiedSCT::Origin::Embedded));
EXPECT_TRUE(origins.contains(VerifiedSCT::Origin::OCSPResponse));
EXPECT_TRUE(origins.contains(VerifiedSCT::Origin::TLSExtension));
EXPECT_EQ(embeddedCount, 0u);
EXPECT_TRUE(tlsExtensionCount > 0);
EXPECT_TRUE(ocspResponseCount > 0);
}
TEST_F(MultiLogCTVerifierTest, IdentifiesSCTFromUnknownLog)

View File

@ -21,4 +21,7 @@ LOCAL_INCLUDES += [
'/security/pkix/lib',
]
if not CONFIG['MOZ_DEBUG']:
DEFINES['NDEBUG'] = True
FINAL_LIBRARY = 'xul-gtest'