mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-27 14:52:16 +00:00
Bug 1493788 - remove other mozilla-specific dependencies from certificate transparency implementation r=jcj
This patch removes the remaining mozilla-specific dependencies from the certificate transparency implementation. Depends on D6845 Differential Revision: https://phabricator.services.mozilla.com/D6846 --HG-- extra : moz-landing-system : lando
This commit is contained in:
parent
1661adeb86
commit
0c4b612622
@ -390,7 +390,7 @@ CertVerifier::VerifyCertificateTransparencyPolicy(
|
||||
GetCTLogOperatorsFromVerifiedSCTList(result.verifiedScts, allOperators);
|
||||
|
||||
CTLogOperatorList dependentOperators;
|
||||
rv = mCTDiversityPolicy->GetDependentOperators(builtChain, allOperators,
|
||||
rv = mCTDiversityPolicy->GetDependentOperators(builtChain.get(), allOperators,
|
||||
dependentOperators);
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
|
@ -10,10 +10,6 @@
|
||||
|
||||
#include <stdint.h>
|
||||
|
||||
#include "mozilla/Assertions.h"
|
||||
#include "mozilla/Move.h"
|
||||
#include "mozilla/TypeTraits.h"
|
||||
|
||||
namespace mozilla { namespace ct {
|
||||
|
||||
using namespace mozilla::pkix;
|
||||
|
@ -6,6 +6,8 @@
|
||||
|
||||
#include "Buffer.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
namespace mozilla {
|
||||
|
||||
bool
|
||||
|
@ -8,6 +8,7 @@
|
||||
#define Buffer_h
|
||||
|
||||
#include <vector>
|
||||
#include <cstdint>
|
||||
|
||||
namespace mozilla { namespace ct {
|
||||
|
||||
|
@ -31,7 +31,7 @@ GetCTLogOperatorsFromVerifiedSCTList(const VerifiedSCTList& list,
|
||||
}
|
||||
|
||||
Result
|
||||
CTDiversityPolicy::GetDependentOperators(const UniqueCERTCertList& builtChain,
|
||||
CTDiversityPolicy::GetDependentOperators(const CERTCertList* builtChain,
|
||||
const CTLogOperatorList& operators,
|
||||
CTLogOperatorList& dependentOperators)
|
||||
{
|
||||
|
@ -9,8 +9,8 @@
|
||||
|
||||
#include "CTLog.h"
|
||||
#include "CTVerifyResult.h"
|
||||
#include "certt.h"
|
||||
#include "pkix/Result.h"
|
||||
#include "ScopedNSSTypes.h"
|
||||
|
||||
namespace mozilla { namespace ct {
|
||||
|
||||
@ -30,7 +30,7 @@ public:
|
||||
// issuing the certificate (as defined by the CT Policy).
|
||||
//
|
||||
// NOTE: TBD, PENDING FINALIZATION OF MOZILLA CT POLICY.
|
||||
pkix::Result GetDependentOperators(const UniqueCERTCertList& builtChain,
|
||||
pkix::Result GetDependentOperators(const CERTCertList* builtChain,
|
||||
const CTLogOperatorList& operators,
|
||||
CTLogOperatorList& dependentOperators);
|
||||
};
|
||||
|
@ -10,8 +10,6 @@
|
||||
|
||||
#include "CTSerialization.h"
|
||||
#include "hasht.h"
|
||||
#include "mozilla/ArrayUtils.h"
|
||||
#include "mozilla/Assertions.h"
|
||||
#include "pkix/pkixnss.h"
|
||||
#include "pkixutil.h"
|
||||
|
||||
@ -68,7 +66,7 @@ public:
|
||||
|
||||
Result CheckECDSACurveIsAcceptable(EndEntityOrCA, NamedCurve curve) override
|
||||
{
|
||||
MOZ_ASSERT(mSignatureAlgorithm ==
|
||||
assert(mSignatureAlgorithm ==
|
||||
DigitallySigned::SignatureAlgorithm::Anonymous);
|
||||
if (curve != NamedCurve::secp256r1) {
|
||||
return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
|
||||
@ -86,7 +84,7 @@ public:
|
||||
unsigned int modulusSizeInBits)
|
||||
override
|
||||
{
|
||||
MOZ_ASSERT(mSignatureAlgorithm ==
|
||||
assert(mSignatureAlgorithm ==
|
||||
DigitallySigned::SignatureAlgorithm::Anonymous);
|
||||
// Require RSA keys of at least 2048 bits. See RFC 6962, Section 2.1.4.
|
||||
if (modulusSizeInBits < 2048) {
|
||||
@ -145,7 +143,7 @@ CTLogVerifier::Init(Input subjectPublicKeyInfo,
|
||||
break;
|
||||
case CTLogStatus::Unknown:
|
||||
default:
|
||||
MOZ_ASSERT_UNREACHABLE("Unsupported CTLogStatus");
|
||||
assert(false);
|
||||
return Result::FATAL_ERROR_INVALID_ARGS;
|
||||
}
|
||||
|
||||
@ -266,7 +264,7 @@ static Result
|
||||
FasterVerifyECDSASignedDigestNSS(const SignedDigest& sd,
|
||||
UniqueSECKEYPublicKey& pubkey)
|
||||
{
|
||||
MOZ_ASSERT(pubkey);
|
||||
assert(pubkey);
|
||||
if (!pubkey) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
@ -299,14 +297,14 @@ CTLogVerifier::VerifySignature(Input data, Input signature)
|
||||
{
|
||||
uint8_t digest[SHA256_LENGTH];
|
||||
Result rv = DigestBufNSS(data, DigestAlgorithm::sha256, digest,
|
||||
ArrayLength(digest));
|
||||
MOZILLA_CT_ARRAY_LENGTH(digest));
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
|
||||
SignedDigest signedDigest;
|
||||
signedDigest.digestAlgorithm = DigestAlgorithm::sha256;
|
||||
rv = signedDigest.digest.Init(digest, ArrayLength(digest));
|
||||
rv = signedDigest.digest.Init(digest, MOZILLA_CT_ARRAY_LENGTH(digest));
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
@ -335,7 +333,7 @@ CTLogVerifier::VerifySignature(Input data, Input signature)
|
||||
case DigitallySigned::SignatureAlgorithm::Anonymous:
|
||||
case DigitallySigned::SignatureAlgorithm::DSA:
|
||||
default:
|
||||
MOZ_ASSERT_UNREACHABLE("RSA/ECDSA expected");
|
||||
assert(false);
|
||||
return Result::FATAL_ERROR_INVALID_ARGS;
|
||||
}
|
||||
if (rv != Success) {
|
||||
|
@ -7,13 +7,15 @@
|
||||
#ifndef CTLogVerifier_h
|
||||
#define CTLogVerifier_h
|
||||
|
||||
#include <memory>
|
||||
|
||||
#include "CTLog.h"
|
||||
#include "pkix/Input.h"
|
||||
#include "pkix/pkix.h"
|
||||
#include "pkix/Result.h"
|
||||
#include "ScopedNSSTypes.h"
|
||||
#include "CTUtils.h"
|
||||
#include "SignedCertificateTimestamp.h"
|
||||
#include "SignedTreeHead.h"
|
||||
#include "pkix/Input.h"
|
||||
#include "pkix/Result.h"
|
||||
#include "pkix/pkix.h"
|
||||
|
||||
namespace mozilla { namespace ct {
|
||||
|
||||
|
@ -6,14 +6,10 @@
|
||||
|
||||
#include "CTObjectsExtractor.h"
|
||||
|
||||
#include <limits>
|
||||
#include <vector>
|
||||
|
||||
#include "hasht.h"
|
||||
#include "mozilla/Assertions.h"
|
||||
#include "mozilla/Casting.h"
|
||||
#include "mozilla/Move.h"
|
||||
#include "mozilla/PodOperations.h"
|
||||
#include "mozilla/RangedPtr.h"
|
||||
#include "pkix/pkixnss.h"
|
||||
#include "pkixutil.h"
|
||||
|
||||
@ -33,7 +29,7 @@ public:
|
||||
Output(uint8_t* buffer, size_t length)
|
||||
: begin(buffer)
|
||||
, end(buffer + length)
|
||||
, current(buffer, begin, end)
|
||||
, current(begin)
|
||||
, overflowed(false)
|
||||
{
|
||||
}
|
||||
@ -58,17 +54,17 @@ public:
|
||||
|
||||
Result GetInput(/*out*/ Input& input) const
|
||||
{
|
||||
if (overflowed) {
|
||||
if (overflowed || current < begin) {
|
||||
return Result::FATAL_ERROR_INVALID_STATE;
|
||||
}
|
||||
size_t length = AssertedCast<size_t>(current.get() - begin);
|
||||
size_t length = static_cast<size_t>(current - begin);
|
||||
return input.Init(begin, length);
|
||||
}
|
||||
|
||||
private:
|
||||
uint8_t* begin;
|
||||
uint8_t* end;
|
||||
RangedPtr<uint8_t> current;
|
||||
uint8_t* current;
|
||||
bool overflowed;
|
||||
|
||||
Output(const Output&) = delete;
|
||||
@ -76,14 +72,17 @@ private:
|
||||
|
||||
void Write(const uint8_t* data, size_t length)
|
||||
{
|
||||
size_t available = AssertedCast<size_t>(end - current.get());
|
||||
if (end < current) {
|
||||
overflowed = true;
|
||||
}
|
||||
size_t available = static_cast<size_t>(end - current);
|
||||
if (available < length) {
|
||||
overflowed = true;
|
||||
}
|
||||
if (overflowed) {
|
||||
return;
|
||||
}
|
||||
PodCopy(current.get(), data, length);
|
||||
memcpy(current, data, length);
|
||||
current += length;
|
||||
}
|
||||
};
|
||||
@ -122,6 +121,15 @@ static const size_t MAX_TLV_HEADER_LENGTH = 4;
|
||||
static const uint8_t EXTENSIONS_CONTEXT_TAG =
|
||||
der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 3;
|
||||
|
||||
Result
|
||||
CheckForInputSizeTypeOverflow(size_t length)
|
||||
{
|
||||
if (length > std::numeric_limits<Input::size_type>::max()) {
|
||||
return Result::FATAL_ERROR_INVALID_STATE;
|
||||
}
|
||||
return Success;
|
||||
}
|
||||
|
||||
// Given a leaf certificate, extracts the DER-encoded TBSCertificate component
|
||||
// of the corresponding Precertificate.
|
||||
// Basically, the extractor needs to remove the embedded SCTs extension
|
||||
@ -278,9 +286,17 @@ private:
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
// Since we're getting these extensions from a certificate that has
|
||||
// already fit in an Input, this shouldn't overflow.
|
||||
size_t extensionsContextLengthAsSizeT =
|
||||
static_cast<size_t>(extensionsHeader.GetLength()) +
|
||||
static_cast<size_t>(extensionsValueLength);
|
||||
rv = CheckForInputSizeTypeOverflow(extensionsContextLengthAsSizeT);
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
Input::size_type extensionsContextLength =
|
||||
AssertedCast<Input::size_type>(extensionsHeader.GetLength() +
|
||||
extensionsValueLength);
|
||||
static_cast<Input::size_type>(extensionsContextLengthAsSizeT);
|
||||
rv = MakeTLVHeader(EXTENSIONS_CONTEXT_TAG,
|
||||
extensionsContextLength,
|
||||
extensionsContextHeaderBuffer,
|
||||
@ -288,11 +304,17 @@ private:
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
size_t tbsLengthAsSizeT =
|
||||
static_cast<size_t>(mTLVsBeforeExtensions.GetLength()) +
|
||||
static_cast<size_t>(extensionsContextHeader.GetLength()) +
|
||||
static_cast<size_t>(extensionsHeader.GetLength()) +
|
||||
static_cast<size_t>(extensionsValueLength);
|
||||
rv = CheckForInputSizeTypeOverflow(tbsLengthAsSizeT);
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
Input::size_type tbsLength =
|
||||
AssertedCast<Input::size_type>(mTLVsBeforeExtensions.GetLength() +
|
||||
extensionsContextHeader.GetLength() +
|
||||
extensionsHeader.GetLength() +
|
||||
extensionsValueLength);
|
||||
static_cast<Input::size_type>(tbsLengthAsSizeT);
|
||||
rv = MakeTLVHeader(der::SEQUENCE, tbsLength, tbsHeaderBuffer, tbsHeader);
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
@ -327,14 +349,14 @@ private:
|
||||
Output output(buffer);
|
||||
output.Write(tag);
|
||||
if (length < 128) {
|
||||
output.Write(AssertedCast<uint8_t>(length));
|
||||
output.Write(static_cast<uint8_t>(length));
|
||||
} else if (length < 256) {
|
||||
output.Write(0x81u);
|
||||
output.Write(AssertedCast<uint8_t>(length));
|
||||
output.Write(static_cast<uint8_t>(length));
|
||||
} else if (length < 65536) {
|
||||
output.Write(0x82u);
|
||||
output.Write(AssertedCast<uint8_t>(length / 256));
|
||||
output.Write(AssertedCast<uint8_t>(length % 256));
|
||||
output.Write(static_cast<uint8_t>(length / 256));
|
||||
output.Write(static_cast<uint8_t>(length % 256));
|
||||
} else {
|
||||
return Result::FATAL_ERROR_INVALID_ARGS;
|
||||
}
|
||||
@ -352,8 +374,8 @@ Result
|
||||
GetPrecertLogEntry(Input leafCertificate, Input issuerSubjectPublicKeyInfo,
|
||||
LogEntry& output)
|
||||
{
|
||||
MOZ_ASSERT(leafCertificate.GetLength() > 0);
|
||||
MOZ_ASSERT(issuerSubjectPublicKeyInfo.GetLength() > 0);
|
||||
assert(leafCertificate.GetLength() > 0);
|
||||
assert(issuerSubjectPublicKeyInfo.GetLength() > 0);
|
||||
output.Reset();
|
||||
|
||||
Buffer precertTBSBuffer;
|
||||
@ -367,8 +389,8 @@ GetPrecertLogEntry(Input leafCertificate, Input issuerSubjectPublicKeyInfo,
|
||||
return rv;
|
||||
}
|
||||
Input precertTBS(extractor.GetPrecertTBS());
|
||||
MOZ_ASSERT(precertTBS.UnsafeGetData() == precertTBSBuffer.data());
|
||||
MOZ_ASSERT(precertTBS.GetLength() <= precertTBSBuffer.size());
|
||||
assert(precertTBS.UnsafeGetData() == precertTBSBuffer.data());
|
||||
assert(precertTBS.GetLength() <= precertTBSBuffer.size());
|
||||
precertTBSBuffer.resize(precertTBS.GetLength());
|
||||
|
||||
output.type = LogEntry::Type::Precert;
|
||||
@ -383,7 +405,7 @@ GetPrecertLogEntry(Input leafCertificate, Input issuerSubjectPublicKeyInfo,
|
||||
void
|
||||
GetX509LogEntry(Input leafCertificate, LogEntry& output)
|
||||
{
|
||||
MOZ_ASSERT(leafCertificate.GetLength() > 0);
|
||||
assert(leafCertificate.GetLength() > 0);
|
||||
output.Reset();
|
||||
output.type = LogEntry::Type::X509;
|
||||
InputToBuffer(leafCertificate, output.leafCertificate);
|
||||
|
@ -10,12 +10,6 @@
|
||||
#include <stdint.h>
|
||||
#include <vector>
|
||||
|
||||
#include "mozilla/ArrayUtils.h"
|
||||
#include "mozilla/Assertions.h"
|
||||
#include "mozilla/Logging.h"
|
||||
|
||||
extern mozilla::LazyLogModule gCertVerifierLog;
|
||||
|
||||
namespace mozilla { namespace ct {
|
||||
|
||||
using namespace mozilla::pkix;
|
||||
@ -222,9 +216,6 @@ CheckNonEmbeddedCompliance(const VerifiedSCTList& verifiedScts, bool& compliant)
|
||||
return verifiedSct.status == VerifiedSCT::Status::Valid;
|
||||
});
|
||||
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("CT Policy non-embedded case status: validSCTs=%zu\n",
|
||||
validSctsCount));
|
||||
compliant = validSctsCount >= 2;
|
||||
}
|
||||
|
||||
@ -259,11 +250,6 @@ CheckEmbeddedCompliance(const VerifiedSCTList& verifiedScts,
|
||||
size_t requiredSctsCount =
|
||||
GetRequiredEmbeddedSctsCount(certLifetimeInCalendarMonths);
|
||||
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("CT Policy embedded case status: "
|
||||
"requiredSCTs=%zu embeddedSCTs=%zu\n",
|
||||
requiredSctsCount, embeddedSctsCount));
|
||||
|
||||
compliant = embeddedSctsCount >= requiredSctsCount;
|
||||
}
|
||||
|
||||
@ -278,25 +264,13 @@ CTPolicyEnforcer::CheckCompliance(const VerifiedSCTList& verifiedScts,
|
||||
bool diversityOK;
|
||||
CheckOperatorDiversityCompliance(verifiedScts, certIssuanceTime,
|
||||
dependentOperators, diversityOK);
|
||||
if (diversityOK) {
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("CT Policy: diversity satisfied\n"));
|
||||
}
|
||||
|
||||
bool nonEmbeddedCaseOK;
|
||||
CheckNonEmbeddedCompliance(verifiedScts, nonEmbeddedCaseOK);
|
||||
if (nonEmbeddedCaseOK) {
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("CT Policy: non-embedded case satisfied)\n"));
|
||||
}
|
||||
|
||||
bool embeddedCaseOK;
|
||||
CheckEmbeddedCompliance(verifiedScts, certLifetimeInCalendarMonths,
|
||||
certIssuanceTime, embeddedCaseOK);
|
||||
if (embeddedCaseOK) {
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("CT Policy: embedded case satisfied\n"));
|
||||
}
|
||||
|
||||
if (nonEmbeddedCaseOK || embeddedCaseOK) {
|
||||
compliance = diversityOK ? CTPolicyCompliance::Compliant
|
||||
@ -308,20 +282,12 @@ CTPolicyEnforcer::CheckCompliance(const VerifiedSCTList& verifiedScts,
|
||||
|
||||
switch (compliance) {
|
||||
case CTPolicyCompliance::Compliant:
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("CT Policy compliance: Compliant\n"));
|
||||
break;
|
||||
case CTPolicyCompliance::NotEnoughScts:
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("CT Policy compliance: NotEnoughScts\n"));
|
||||
break;
|
||||
case CTPolicyCompliance::NotDiverseScts:
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("CT Policy compliance: NotDiverseScts\n"));
|
||||
break;
|
||||
case CTPolicyCompliance::Unknown:
|
||||
default:
|
||||
MOZ_ASSERT_UNREACHABLE("Unexpected CTPolicyCompliance type");
|
||||
assert(false);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -8,10 +8,7 @@
|
||||
#include "CTUtils.h"
|
||||
|
||||
#include <stdint.h>
|
||||
|
||||
#include "mozilla/Assertions.h"
|
||||
#include "mozilla/Move.h"
|
||||
#include "mozilla/TypeTraits.h"
|
||||
#include <type_traits>
|
||||
|
||||
namespace mozilla { namespace ct {
|
||||
|
||||
@ -77,7 +74,7 @@ Result
|
||||
ReadUint(Reader& in, T& out)
|
||||
{
|
||||
uint64_t value;
|
||||
static_assert(mozilla::IsUnsigned<T>::value, "T must be unsigned");
|
||||
static_assert(std::is_unsigned<T>::value, "T must be unsigned");
|
||||
static_assert(length <= 8, "At most 8 byte integers can be read");
|
||||
static_assert(sizeof(T) >= length, "T must be able to hold <length> bytes");
|
||||
Result rv = UncheckedReadUint(length, in, value);
|
||||
@ -198,7 +195,7 @@ WriteUint(T value, Buffer& output)
|
||||
{
|
||||
static_assert(length <= 8, "At most 8 byte integers can be written");
|
||||
static_assert(sizeof(T) >= length, "T must be able to hold <length> bytes");
|
||||
if (mozilla::IsSigned<T>::value) {
|
||||
if (std::is_signed<T>::value) {
|
||||
// We accept signed integer types assuming the actual value is non-negative.
|
||||
if (value < 0) {
|
||||
return Result::FATAL_ERROR_INVALID_ARGS;
|
||||
@ -363,7 +360,7 @@ EncodeLogEntry(const LogEntry& entry, Buffer& output)
|
||||
case LogEntry::Type::Precert:
|
||||
return EncodePrecertLogEntry(entry, output);
|
||||
default:
|
||||
MOZ_ASSERT_UNREACHABLE("Unexpected LogEntry type");
|
||||
assert(false);
|
||||
}
|
||||
return Result::ERROR_BAD_DER;
|
||||
}
|
||||
|
@ -7,9 +7,48 @@
|
||||
#ifndef CTUtils_h
|
||||
#define CTUtils_h
|
||||
|
||||
#include <memory>
|
||||
|
||||
#include "cryptohi.h"
|
||||
#include "keyhi.h"
|
||||
#include "keythi.h"
|
||||
#include "pk11pub.h"
|
||||
#include "pkix/Input.h"
|
||||
#include "pkix/Result.h"
|
||||
|
||||
#define MOZILLA_CT_ARRAY_LENGTH(x) (sizeof(x) / sizeof((x)[0]))
|
||||
|
||||
struct DeleteHelper
|
||||
{
|
||||
void operator()(CERTSubjectPublicKeyInfo* value)
|
||||
{
|
||||
SECKEY_DestroySubjectPublicKeyInfo(value);
|
||||
}
|
||||
void operator()(PK11SlotInfo* value) { PK11_FreeSlot(value); }
|
||||
void operator()(SECKEYPublicKey* value) { SECKEY_DestroyPublicKey(value); }
|
||||
void operator()(SECItem* value) { SECITEM_FreeItem(value, true); }
|
||||
};
|
||||
|
||||
template <class T>
|
||||
struct MaybeDeleteHelper
|
||||
{
|
||||
void operator()(T* ptr)
|
||||
{
|
||||
if (ptr) {
|
||||
DeleteHelper del;
|
||||
del(ptr);
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
typedef std::unique_ptr<CERTSubjectPublicKeyInfo, MaybeDeleteHelper<CERTSubjectPublicKeyInfo>>
|
||||
UniqueCERTSubjectPublicKeyInfo;
|
||||
typedef std::unique_ptr<PK11SlotInfo, MaybeDeleteHelper<PK11SlotInfo>>
|
||||
UniquePK11SlotInfo;
|
||||
typedef std::unique_ptr<SECKEYPublicKey, MaybeDeleteHelper<SECKEYPublicKey>>
|
||||
UniqueSECKEYPublicKey;
|
||||
typedef std::unique_ptr<SECItem, MaybeDeleteHelper<SECItem>> UniqueSECItem;
|
||||
|
||||
namespace mozilla { namespace ct {
|
||||
|
||||
// Reads a TLS-encoded variable length unsigned integer from |in|.
|
||||
|
@ -8,8 +8,6 @@
|
||||
|
||||
#include "CTObjectsExtractor.h"
|
||||
#include "CTSerialization.h"
|
||||
#include "mozilla/Assertions.h"
|
||||
#include "mozilla/Move.h"
|
||||
|
||||
namespace mozilla { namespace ct {
|
||||
|
||||
@ -40,7 +38,7 @@ MultiLogCTVerifier::Verify(Input cert,
|
||||
Time time,
|
||||
CTVerifyResult& result)
|
||||
{
|
||||
MOZ_ASSERT(cert.GetLength() > 0);
|
||||
assert(cert.GetLength() > 0);
|
||||
result.Reset();
|
||||
|
||||
Result rv;
|
||||
|
@ -44,6 +44,9 @@ TEST_DIRS += [
|
||||
'tests/gtest',
|
||||
]
|
||||
|
||||
if not CONFIG['MOZ_DEBUG']:
|
||||
DEFINES['NDEBUG'] = True
|
||||
|
||||
if CONFIG['CC_TYPE'] == 'clang-cl':
|
||||
# -Wall on clang-cl maps to -Weverything, which turns on way too
|
||||
# much, so we're passing through -Wall using -Xclang.
|
||||
@ -71,11 +74,6 @@ if CONFIG['CC_TYPE'] == 'msvc':
|
||||
# class copy constructor is inaccessible or deleted
|
||||
'-wd4626', # assignment operator could not be generated because a base
|
||||
# class assignment operator is inaccessible or deleted
|
||||
'-wd4628', # digraphs not supported with -Ze (nsThreadUtils.h includes
|
||||
# what would be the digraph "<:" in the expression
|
||||
# "mozilla::EnableIf<::detail::...". Since we don't want it
|
||||
# interpreted as a digraph anyway, we can disable the
|
||||
# warning.)
|
||||
'-wd4640', # construction of local static object is not thread-safe
|
||||
'-wd4710', # 'function': function not inlined
|
||||
'-wd4711', # function 'function' selected for inline expansion
|
||||
|
@ -20,7 +20,9 @@ public:
|
||||
void SetUp() override
|
||||
{
|
||||
// Does nothing if NSS is already initialized.
|
||||
MOZ_RELEASE_ASSERT(NSS_NoDB_Init(nullptr) == SECSuccess);
|
||||
if (NSS_NoDB_Init(nullptr) != SECSuccess) {
|
||||
abort();
|
||||
}
|
||||
|
||||
ASSERT_EQ(Success, mLog.Init(InputForBuffer(GetTestPublicKey()),
|
||||
-1 /*operator id*/,
|
||||
|
@ -21,7 +21,9 @@ public:
|
||||
void SetUp() override
|
||||
{
|
||||
// Does nothing if NSS is already initialized.
|
||||
MOZ_RELEASE_ASSERT(NSS_NoDB_Init(nullptr) == SECSuccess);
|
||||
if (NSS_NoDB_Init(nullptr) != SECSuccess) {
|
||||
abort();
|
||||
}
|
||||
|
||||
mTestCert = GetDEREncodedX509Cert();
|
||||
mEmbeddedCert = GetDEREncodedTestEmbeddedCert();
|
||||
|
@ -10,13 +10,12 @@
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include "CTLogVerifier.h"
|
||||
#include "CTVerifyResult.h"
|
||||
#include "SignedCertificateTimestamp.h"
|
||||
#include "gtest/gtest.h"
|
||||
#include "hasht.h"
|
||||
#include "mozilla/ArrayUtils.h"
|
||||
#include "mozilla/Assertions.h"
|
||||
#include "prtime.h"
|
||||
#include "SignedCertificateTimestamp.h"
|
||||
|
||||
// Implemented in CertVerifier.cpp.
|
||||
extern mozilla::pkix::Result
|
||||
@ -42,7 +41,7 @@ public:
|
||||
logId.resize(SHA256_LENGTH);
|
||||
std::fill(logId.begin(), logId.end(), 0);
|
||||
// Just raw-copy |logId| into the output buffer.
|
||||
MOZ_ASSERT(sizeof(logNo) <= logId.size());
|
||||
assert(sizeof(logNo) <= logId.size());
|
||||
memcpy(logId.data(), &logNo, sizeof(logNo));
|
||||
}
|
||||
|
||||
@ -341,7 +340,7 @@ TEST_F(CTPolicyEnforcerTest,
|
||||
{ 3*12 + 4, 5 }
|
||||
};
|
||||
|
||||
for (size_t i = 0; i < ArrayLength(kTestData); ++i) {
|
||||
for (size_t i = 0; i < MOZILLA_CT_ARRAY_LENGTH(kTestData); ++i) {
|
||||
SCOPED_TRACE(i);
|
||||
|
||||
size_t months = kTestData[i].certLifetimeInCalendarMonths;
|
||||
@ -401,7 +400,7 @@ TEST_F(CTPolicyEnforcerTest, TestEdgeCasesOfGetCertLifetimeInFullMonths)
|
||||
12 }
|
||||
};
|
||||
|
||||
for (size_t i = 0; i < ArrayLength(kTestData); ++i) {
|
||||
for (size_t i = 0; i < MOZILLA_CT_ARRAY_LENGTH(kTestData); ++i) {
|
||||
SCOPED_TRACE(i);
|
||||
|
||||
size_t months;
|
||||
|
@ -7,7 +7,6 @@
|
||||
#include "CTSerialization.h"
|
||||
#include "CTTestUtils.h"
|
||||
#include "gtest/gtest.h"
|
||||
#include "mozilla/Move.h"
|
||||
|
||||
namespace mozilla { namespace ct {
|
||||
|
||||
|
@ -12,9 +12,6 @@
|
||||
#include "BTInclusionProof.h"
|
||||
#include "CTSerialization.h"
|
||||
#include "gtest/gtest.h"
|
||||
#include "mozilla/Assertions.h"
|
||||
#include "mozilla/Move.h"
|
||||
#include "mozilla/Vector.h"
|
||||
#include "pkix/Input.h"
|
||||
#include "pkix/pkix.h"
|
||||
#include "pkix/pkixnss.h"
|
||||
@ -435,15 +432,16 @@ CharToByte(char c)
|
||||
} else if (c >= 'A' && c <= 'F') {
|
||||
return c - 'A' + 10;
|
||||
}
|
||||
MOZ_RELEASE_ASSERT(false);
|
||||
return 0;
|
||||
abort();
|
||||
}
|
||||
|
||||
static Buffer
|
||||
HexToBytes(const char* hexData)
|
||||
{
|
||||
size_t hexLen = strlen(hexData);
|
||||
MOZ_RELEASE_ASSERT(hexLen > 0 && (hexLen % 2 == 0));
|
||||
if (!(hexLen > 0 && (hexLen % 2 == 0))) {
|
||||
abort();
|
||||
}
|
||||
size_t resultLen = hexLen / 2;
|
||||
Buffer result;
|
||||
result.reserve(resultLen);
|
||||
@ -715,7 +713,9 @@ Buffer
|
||||
ExtractCertSPKI(Input cert)
|
||||
{
|
||||
BackCert backCert(cert, EndEntityOrCA::MustBeEndEntity, nullptr);
|
||||
MOZ_RELEASE_ASSERT(backCert.Init() == Success);
|
||||
if (backCert.Init() != Success) {
|
||||
abort();
|
||||
}
|
||||
|
||||
Input spkiInput = backCert.GetSubjectPublicKeyInfo();
|
||||
Buffer spki;
|
||||
@ -874,15 +874,18 @@ Input
|
||||
InputForBuffer(const Buffer& buffer)
|
||||
{
|
||||
Input input;
|
||||
MOZ_RELEASE_ASSERT(Success == input.Init(buffer.data(), buffer.size()));
|
||||
if (input.Init(buffer.data(), buffer.size()) != Success) {
|
||||
abort();
|
||||
}
|
||||
return input;
|
||||
}
|
||||
|
||||
Input InputForSECItem(const SECItem& item)
|
||||
{
|
||||
Input input;
|
||||
MOZ_RELEASE_ASSERT(Success ==
|
||||
input.Init(item.data, item.len));
|
||||
if (input.Init(item.data, item.len) != Success) {
|
||||
abort();
|
||||
}
|
||||
return input;
|
||||
}
|
||||
|
||||
|
@ -13,8 +13,6 @@
|
||||
#include "CTSerialization.h"
|
||||
#include "CTTestUtils.h"
|
||||
#include "gtest/gtest.h"
|
||||
#include "mozilla/EnumSet.h"
|
||||
#include "mozilla/Move.h"
|
||||
#include "nss.h"
|
||||
|
||||
namespace mozilla { namespace ct {
|
||||
@ -32,7 +30,9 @@ public:
|
||||
void SetUp() override
|
||||
{
|
||||
// Does nothing if NSS is already initialized.
|
||||
MOZ_RELEASE_ASSERT(NSS_NoDB_Init(nullptr) == SECSuccess);
|
||||
if (NSS_NoDB_Init(nullptr) != SECSuccess) {
|
||||
abort();
|
||||
}
|
||||
|
||||
CTLogVerifier log;
|
||||
ASSERT_EQ(Success, log.Init(InputForBuffer(GetTestPublicKey()),
|
||||
@ -203,14 +203,23 @@ TEST_F(MultiLogCTVerifierTest, VerifiesSCTFromMultipleSources)
|
||||
mNow, result));
|
||||
|
||||
// The result should contain verified SCTs from TLS and OCSP origins.
|
||||
EnumSet<VerifiedSCT::Origin> origins;
|
||||
size_t embeddedCount = 0;
|
||||
size_t tlsExtensionCount = 0;
|
||||
size_t ocspResponseCount = 0;
|
||||
for (const VerifiedSCT& verifiedSct : result.verifiedScts) {
|
||||
EXPECT_EQ(VerifiedSCT::Status::Valid, verifiedSct.status);
|
||||
origins += verifiedSct.origin;
|
||||
switch (verifiedSct.origin) {
|
||||
case VerifiedSCT::Origin::Embedded: embeddedCount++; break;
|
||||
case VerifiedSCT::Origin::TLSExtension: tlsExtensionCount++; break;
|
||||
case VerifiedSCT::Origin::OCSPResponse: ocspResponseCount++; break;
|
||||
case VerifiedSCT::Origin::Unknown:
|
||||
default:
|
||||
ASSERT_TRUE(false);
|
||||
}
|
||||
}
|
||||
EXPECT_FALSE(origins.contains(VerifiedSCT::Origin::Embedded));
|
||||
EXPECT_TRUE(origins.contains(VerifiedSCT::Origin::OCSPResponse));
|
||||
EXPECT_TRUE(origins.contains(VerifiedSCT::Origin::TLSExtension));
|
||||
EXPECT_EQ(embeddedCount, 0u);
|
||||
EXPECT_TRUE(tlsExtensionCount > 0);
|
||||
EXPECT_TRUE(ocspResponseCount > 0);
|
||||
}
|
||||
|
||||
TEST_F(MultiLogCTVerifierTest, IdentifiesSCTFromUnknownLog)
|
||||
|
@ -21,4 +21,7 @@ LOCAL_INCLUDES += [
|
||||
'/security/pkix/lib',
|
||||
]
|
||||
|
||||
if not CONFIG['MOZ_DEBUG']:
|
||||
DEFINES['NDEBUG'] = True
|
||||
|
||||
FINAL_LIBRARY = 'xul-gtest'
|
||||
|
Loading…
Reference in New Issue
Block a user