mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-27 14:52:16 +00:00
Bug 1691122 - Remove subject common name fallback support in CertVerifier. r=keeler,necko-reviewers,kershaw
Differential Revision: https://phabricator.services.mozilla.com/D143808
This commit is contained in:
parent
c3a7e39783
commit
6028a138e9
@ -1,2 +1,3 @@
|
||||
subject:www.suggestion-example.com
|
||||
extension:subjectAlternativeName:www.suggestion-example.com
|
||||
issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
|
||||
|
@ -1,2 +1,3 @@
|
||||
subject:www.redirect-example.com
|
||||
extension:subjectAlternativeName:www.redirect-example.com
|
||||
issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization
|
||||
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -234,7 +234,6 @@
|
||||
#include "nsXULAppAPI.h"
|
||||
|
||||
#include "ThirdPartyUtil.h"
|
||||
#include "BRNameMatchingPolicy.h"
|
||||
#include "GeckoProfiler.h"
|
||||
#include "mozilla/NullPrincipal.h"
|
||||
#include "Navigator.h"
|
||||
@ -6090,10 +6089,7 @@ already_AddRefed<nsIURI> nsDocShell::MaybeFixBadCertDomainErrorURI(
|
||||
|
||||
// Check if adding a "www." prefix to the request's hostname will
|
||||
// cause the response's certificate to match.
|
||||
mozilla::psm::BRNameMatchingPolicy nameMatchingPolicy(
|
||||
mozilla::psm::BRNameMatchingPolicy::Mode::Enforce);
|
||||
rv1 = mozilla::pkix::CheckCertHostname(serverCertInput, newHostInput,
|
||||
nameMatchingPolicy);
|
||||
rv1 = mozilla::pkix::CheckCertHostname(serverCertInput, newHostInput);
|
||||
if (rv1 != mozilla::pkix::Success) {
|
||||
return nullptr;
|
||||
}
|
||||
|
@ -111,18 +111,6 @@ pref("security.pki.sha1_enforcement_level", 3);
|
||||
// x_11_x: COSE is required, PKCS#7 disabled (fail when present)
|
||||
pref("security.signed_app_signatures.policy", 2);
|
||||
|
||||
// security.pki.name_matching_mode controls how the platform matches hostnames
|
||||
// to name information in TLS certificates. The possible values are:
|
||||
// 0: always fall back to the subject common name if necessary (as in, if the
|
||||
// subject alternative name extension is either not present or does not
|
||||
// contain any DNS names or IP addresses)
|
||||
// 1: fall back to the subject common name for certificates valid before 23
|
||||
// August 2016 if necessary
|
||||
// 2: fall back to the subject common name for certificates valid before 23
|
||||
// August 2015 if necessary
|
||||
// 3: only use name information from the subject alternative name extension
|
||||
pref("security.pki.name_matching_mode", 3);
|
||||
|
||||
// security.pki.netscape_step_up_policy controls how the platform handles the
|
||||
// id-Netscape-stepUp OID in extended key usage extensions of CA certificates.
|
||||
// 0: id-Netscape-stepUp is always considered equivalent to id-kp-serverAuth
|
||||
|
@ -252,7 +252,6 @@ static const char* gCallbackSecurityPrefs[] = {
|
||||
"security.ssl.enable_ocsp_stapling",
|
||||
"security.ssl.enable_ocsp_must_staple",
|
||||
"security.pki.certificate_transparency.mode",
|
||||
"security.pki.name_matching_mode",
|
||||
nullptr,
|
||||
};
|
||||
|
||||
@ -407,8 +406,7 @@ void nsIOService::OnTLSPrefChange(const char* aPref, void* aSelf) {
|
||||
LOG(("HandleTLSPrefChange done"));
|
||||
} else if (pref.EqualsLiteral("security.ssl.enable_ocsp_stapling") ||
|
||||
pref.EqualsLiteral("security.ssl.enable_ocsp_must_staple") ||
|
||||
pref.EqualsLiteral("security.pki.certificate_transparency.mode") ||
|
||||
pref.EqualsLiteral("security.pki.name_matching_mode")) {
|
||||
pref.EqualsLiteral("security.pki.certificate_transparency.mode")) {
|
||||
SetValidationOptionsCommon();
|
||||
}
|
||||
}
|
||||
|
@ -1,42 +0,0 @@
|
||||
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "BRNameMatchingPolicy.h"
|
||||
|
||||
#include "mozilla/Assertions.h"
|
||||
|
||||
using namespace mozilla::psm;
|
||||
using namespace mozilla::pkix;
|
||||
|
||||
Result BRNameMatchingPolicy::FallBackToCommonName(
|
||||
Time notBefore,
|
||||
/*out*/ FallBackToSearchWithinSubject& fallBackToCommonName) {
|
||||
// (new Date("2015-08-23T00:00:00Z")).getTime() / 1000
|
||||
static const Time AUGUST_23_2015 = TimeFromEpochInSeconds(1440288000);
|
||||
// (new Date("2016-08-23T00:00:00Z")).getTime() / 1000
|
||||
static const Time AUGUST_23_2016 = TimeFromEpochInSeconds(1471910400);
|
||||
switch (mMode) {
|
||||
case Mode::Enforce:
|
||||
fallBackToCommonName = FallBackToSearchWithinSubject::No;
|
||||
break;
|
||||
case Mode::EnforceAfter23August2015:
|
||||
fallBackToCommonName = notBefore > AUGUST_23_2015
|
||||
? FallBackToSearchWithinSubject::No
|
||||
: FallBackToSearchWithinSubject::Yes;
|
||||
break;
|
||||
case Mode::EnforceAfter23August2016:
|
||||
fallBackToCommonName = notBefore > AUGUST_23_2016
|
||||
? FallBackToSearchWithinSubject::No
|
||||
: FallBackToSearchWithinSubject::Yes;
|
||||
break;
|
||||
case Mode::DoNotEnforce:
|
||||
fallBackToCommonName = FallBackToSearchWithinSubject::Yes;
|
||||
break;
|
||||
default:
|
||||
MOZ_CRASH("Unexpected Mode");
|
||||
}
|
||||
return Success;
|
||||
}
|
@ -1,57 +0,0 @@
|
||||
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#ifndef BRNameMatchingPolicy_h
|
||||
#define BRNameMatchingPolicy_h
|
||||
|
||||
#include "mozpkix/pkixtypes.h"
|
||||
|
||||
namespace mozilla {
|
||||
namespace psm {
|
||||
|
||||
// According to the Baseline Requirements version 1.3.3 section 7.1.4.2.2.a,
|
||||
// the requirements of the subject common name field are as follows:
|
||||
// "If present, this field MUST contain a single IP address or Fully‐Qualified
|
||||
// Domain Name that is one of the values contained in the Certificate’s
|
||||
// subjectAltName extension". Consequently, since any name information present
|
||||
// in the common name must be present in the subject alternative name extension,
|
||||
// when performing name matching, it should not be necessary to fall back to the
|
||||
// common name. Because this consequence has not commonly been enforced, this
|
||||
// implementation provides a mechanism to start enforcing it gradually while
|
||||
// maintaining some backwards compatibility. If configured with the mode
|
||||
// "EnforceAfter23August2016", name matching will only fall back to using the
|
||||
// subject common name for certificates where the notBefore field is before 23
|
||||
// August 2016. Similarly, the mode "EnforceAfter23August2015" is also
|
||||
// available. This is to provide a balance between allowing preexisting
|
||||
// long-lived certificates and detecting newly-issued problematic certificates.
|
||||
// Note that this implementation does not actually directly enforce that if the
|
||||
// subject common name is present, its value corresponds to a dNSName or
|
||||
// iPAddress entry in the subject alternative name extension.
|
||||
|
||||
class BRNameMatchingPolicy : public mozilla::pkix::NameMatchingPolicy {
|
||||
public:
|
||||
enum class Mode {
|
||||
DoNotEnforce = 0,
|
||||
EnforceAfter23August2016 = 1,
|
||||
EnforceAfter23August2015 = 2,
|
||||
Enforce = 3,
|
||||
};
|
||||
|
||||
explicit BRNameMatchingPolicy(Mode mode) : mMode(mode) {}
|
||||
|
||||
virtual mozilla::pkix::Result FallBackToCommonName(
|
||||
mozilla::pkix::Time notBefore,
|
||||
/*out*/ mozilla::pkix::FallBackToSearchWithinSubject&
|
||||
fallBacktoCommonName) override;
|
||||
|
||||
private:
|
||||
Mode mMode;
|
||||
};
|
||||
|
||||
} // namespace psm
|
||||
} // namespace mozilla
|
||||
|
||||
#endif // BRNameMatchingPolicy_h
|
@ -105,7 +105,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
|
||||
mozilla::TimeDuration ocspTimeoutSoft,
|
||||
mozilla::TimeDuration ocspTimeoutHard,
|
||||
uint32_t certShortLifetimeInDays, SHA1Mode sha1Mode,
|
||||
BRNameMatchingPolicy::Mode nameMatchingMode,
|
||||
NetscapeStepUpPolicy netscapeStepUpPolicy,
|
||||
CertificateTransparencyMode ctMode,
|
||||
CRLiteMode crliteMode,
|
||||
@ -116,7 +115,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
|
||||
mOCSPTimeoutHard(ocspTimeoutHard),
|
||||
mCertShortLifetimeInDays(certShortLifetimeInDays),
|
||||
mSHA1Mode(sha1Mode),
|
||||
mNameMatchingMode(nameMatchingMode),
|
||||
mNetscapeStepUpPolicy(netscapeStepUpPolicy),
|
||||
mCTMode(ctMode),
|
||||
mCRLiteMode(crliteMode) {
|
||||
@ -990,11 +988,7 @@ Result CertVerifier::VerifySSLServerCert(
|
||||
return Result::FATAL_ERROR_INVALID_ARGS;
|
||||
}
|
||||
|
||||
BRNameMatchingPolicy nameMatchingPolicy(
|
||||
isBuiltChainRootBuiltInRootLocal
|
||||
? mNameMatchingMode
|
||||
: BRNameMatchingPolicy::Mode::DoNotEnforce);
|
||||
rv = CheckCertHostname(peerCertInput, hostnameInput, nameMatchingPolicy);
|
||||
rv = CheckCertHostname(peerCertInput, hostnameInput);
|
||||
if (rv != Success) {
|
||||
// Treat malformed name information as a domain mismatch.
|
||||
if (rv == Result::ERROR_BAD_DER) {
|
||||
|
@ -7,7 +7,6 @@
|
||||
#ifndef CertVerifier_h
|
||||
#define CertVerifier_h
|
||||
|
||||
#include "BRNameMatchingPolicy.h"
|
||||
#include "CTPolicyEnforcer.h"
|
||||
#include "CTVerifyResult.h"
|
||||
#include "EnterpriseRoots.h"
|
||||
@ -220,7 +219,6 @@ class CertVerifier {
|
||||
mozilla::TimeDuration ocspTimeoutSoft,
|
||||
mozilla::TimeDuration ocspTimeoutHard,
|
||||
uint32_t certShortLifetimeInDays, SHA1Mode sha1Mode,
|
||||
BRNameMatchingPolicy::Mode nameMatchingMode,
|
||||
NetscapeStepUpPolicy netscapeStepUpPolicy,
|
||||
CertificateTransparencyMode ctMode, CRLiteMode crliteMode,
|
||||
const Vector<EnterpriseCert>& thirdPartyCerts);
|
||||
@ -234,7 +232,6 @@ class CertVerifier {
|
||||
const mozilla::TimeDuration mOCSPTimeoutHard;
|
||||
const uint32_t mCertShortLifetimeInDays;
|
||||
const SHA1Mode mSHA1Mode;
|
||||
const BRNameMatchingPolicy::Mode mNameMatchingMode;
|
||||
const NetscapeStepUpPolicy mNetscapeStepUpPolicy;
|
||||
const CertificateTransparencyMode mCTMode;
|
||||
const CRLiteMode mCRLiteMode;
|
||||
|
@ -8,13 +8,11 @@ with Files("**"):
|
||||
BUG_COMPONENT = ("Core", "Security: PSM")
|
||||
|
||||
EXPORTS += [
|
||||
"BRNameMatchingPolicy.h",
|
||||
"CertVerifier.h",
|
||||
"OCSPCache.h",
|
||||
]
|
||||
|
||||
UNIFIED_SOURCES += [
|
||||
"BRNameMatchingPolicy.cpp",
|
||||
"CertVerifier.cpp",
|
||||
"NSSCertDBTrustDomain.cpp",
|
||||
"OCSPCache.cpp",
|
||||
|
@ -19,7 +19,7 @@
|
||||
namespace mozilla {
|
||||
namespace ct {
|
||||
|
||||
void DecodeSCTs(Input encodedSctList,
|
||||
void DecodeSCTs(pkix::Input encodedSctList,
|
||||
std::vector<SignedCertificateTimestamp>& decodedSCTs,
|
||||
size_t& decodingErrors);
|
||||
|
||||
|
@ -6,7 +6,6 @@
|
||||
|
||||
#include "CommonSocketControl.h"
|
||||
|
||||
#include "BRNameMatchingPolicy.h"
|
||||
#include "PublicKeyPinningService.h"
|
||||
#include "SharedCertVerifier.h"
|
||||
#include "nsNSSComponent.h"
|
||||
@ -192,11 +191,7 @@ CommonSocketControl::IsAcceptableForHost(const nsACString& hostname,
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
mozilla::psm::BRNameMatchingPolicy nameMatchingPolicy(
|
||||
mIsBuiltCertChainRootBuiltInRoot
|
||||
? mozilla::psm::PublicSSLState()->NameMatchingMode()
|
||||
: mozilla::psm::BRNameMatchingPolicy::Mode::DoNotEnforce);
|
||||
rv = CheckCertHostname(serverCertInput, hostnameInput, nameMatchingPolicy);
|
||||
rv = CheckCertHostname(serverCertInput, hostnameInput);
|
||||
if (rv != Success) {
|
||||
return NS_OK;
|
||||
}
|
||||
|
@ -6,7 +6,6 @@
|
||||
|
||||
#include "ContentSignatureVerifier.h"
|
||||
|
||||
#include "BRNameMatchingPolicy.h"
|
||||
#include "CryptoTask.h"
|
||||
#include "CSTrustDomain.h"
|
||||
#include "ScopedNSSTypes.h"
|
||||
@ -279,8 +278,7 @@ static nsresult VerifyContentSignatureInternal(
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
BRNameMatchingPolicy nameMatchingPolicy(BRNameMatchingPolicy::Mode::Enforce);
|
||||
result = CheckCertHostname(certInput, hostnameInput, nameMatchingPolicy);
|
||||
result = CheckCertHostname(certInput, hostnameInput);
|
||||
if (result != Success) {
|
||||
// EE cert isnot valid for the given host name.
|
||||
aErrorLabel = Telemetry::LABELS_CONTENT_SIGNATURE_VERIFICATION_ERRORS::err7;
|
||||
|
@ -95,7 +95,6 @@
|
||||
|
||||
#include <cstring>
|
||||
|
||||
#include "BRNameMatchingPolicy.h"
|
||||
#include "CertVerifier.h"
|
||||
#include "CryptoTask.h"
|
||||
#include "ExtendedValidation.h"
|
||||
@ -372,10 +371,6 @@ SECStatus DetermineCertOverrideErrors(const nsCOMPtr<nsIX509Cert>& cert,
|
||||
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
|
||||
return SECFailure;
|
||||
}
|
||||
// Use a lax policy so as to not generate potentially spurious name
|
||||
// mismatch "hints".
|
||||
BRNameMatchingPolicy nameMatchingPolicy(
|
||||
BRNameMatchingPolicy::Mode::DoNotEnforce);
|
||||
// CheckCertHostname expects that its input represents a certificate that
|
||||
// has already been successfully validated by BuildCertChain. This is
|
||||
// obviously not the case, however, because we're in the error path of
|
||||
@ -383,7 +378,7 @@ SECStatus DetermineCertOverrideErrors(const nsCOMPtr<nsIX509Cert>& cert,
|
||||
// would be nice to remove this optimistic additional error checking and
|
||||
// simply punt to the front-end, which can more easily (and safely) perform
|
||||
// extra checks to give the user hints as to why verification failed.
|
||||
result = CheckCertHostname(certInput, hostnameInput, nameMatchingPolicy);
|
||||
result = CheckCertHostname(certInput, hostnameInput);
|
||||
// Treat malformed name information as a domain mismatch.
|
||||
if (result == Result::ERROR_BAD_DER ||
|
||||
result == Result::ERROR_BAD_CERT_DOMAIN) {
|
||||
|
@ -24,14 +24,13 @@ class SharedCertVerifier : public mozilla::psm::CertVerifier {
|
||||
mozilla::TimeDuration ocspSoftTimeout,
|
||||
mozilla::TimeDuration ocspHardTimeout,
|
||||
uint32_t certShortLifetimeInDays, SHA1Mode sha1Mode,
|
||||
BRNameMatchingPolicy::Mode nameMatchingMode,
|
||||
NetscapeStepUpPolicy netscapeStepUpPolicy,
|
||||
CertificateTransparencyMode ctMode, CRLiteMode crliteMode,
|
||||
const Vector<EnterpriseCert>& thirdPartyCerts)
|
||||
: mozilla::psm::CertVerifier(odc, osc, ocspSoftTimeout, ocspHardTimeout,
|
||||
certShortLifetimeInDays, sha1Mode,
|
||||
nameMatchingMode, netscapeStepUpPolicy,
|
||||
ctMode, crliteMode, thirdPartyCerts) {}
|
||||
netscapeStepUpPolicy, ctMode, crliteMode,
|
||||
thirdPartyCerts) {}
|
||||
};
|
||||
|
||||
} // namespace psm
|
||||
|
@ -36,9 +36,6 @@ class SharedSSLState {
|
||||
void SetSignedCertTimestampsEnabled(bool signedCertTimestampsEnabled) {
|
||||
mSignedCertTimestampsEnabled = signedCertTimestampsEnabled;
|
||||
}
|
||||
void SetNameMatchingMode(BRNameMatchingPolicy::Mode aMode) {
|
||||
mNameMatchingMode = aMode;
|
||||
}
|
||||
|
||||
// The following methods may be called from any thread
|
||||
bool SocketCreated();
|
||||
@ -49,7 +46,6 @@ class SharedSSLState {
|
||||
bool IsSignedCertTimestampsEnabled() const {
|
||||
return mSignedCertTimestampsEnabled;
|
||||
}
|
||||
BRNameMatchingPolicy::Mode NameMatchingMode() { return mNameMatchingMode; }
|
||||
|
||||
private:
|
||||
~SharedSSLState();
|
||||
@ -67,7 +63,6 @@ class SharedSSLState {
|
||||
bool mOCSPStaplingEnabled;
|
||||
bool mOCSPMustStapleEnabled;
|
||||
bool mSignedCertTimestampsEnabled;
|
||||
BRNameMatchingPolicy::Mode mNameMatchingMode;
|
||||
};
|
||||
|
||||
SharedSSLState* PublicSSLState();
|
||||
|
@ -1340,23 +1340,6 @@ void SetValidationOptionsCommon() {
|
||||
ctMode != CertVerifier::CertificateTransparencyMode::Disabled;
|
||||
PublicSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled);
|
||||
PrivateSSLState()->SetSignedCertTimestampsEnabled(sctsEnabled);
|
||||
|
||||
BRNameMatchingPolicy::Mode nameMatchingMode =
|
||||
static_cast<BRNameMatchingPolicy::Mode>(Preferences::GetInt(
|
||||
"security.pki.name_matching_mode",
|
||||
static_cast<int32_t>(BRNameMatchingPolicy::Mode::DoNotEnforce)));
|
||||
switch (nameMatchingMode) {
|
||||
case BRNameMatchingPolicy::Mode::Enforce:
|
||||
case BRNameMatchingPolicy::Mode::EnforceAfter23August2015:
|
||||
case BRNameMatchingPolicy::Mode::EnforceAfter23August2016:
|
||||
case BRNameMatchingPolicy::Mode::DoNotEnforce:
|
||||
break;
|
||||
default:
|
||||
nameMatchingMode = BRNameMatchingPolicy::Mode::DoNotEnforce;
|
||||
break;
|
||||
}
|
||||
PublicSSLState()->SetNameMatchingMode(nameMatchingMode);
|
||||
PrivateSSLState()->SetNameMatchingMode(nameMatchingMode);
|
||||
}
|
||||
|
||||
namespace {
|
||||
@ -1558,8 +1541,7 @@ void nsNSSComponent::setValidationOptions(
|
||||
|
||||
mDefaultCertVerifier = new SharedCertVerifier(
|
||||
odc, osc, softTimeout, hardTimeout, certShortLifetimeInDays, sha1Mode,
|
||||
PublicSSLState()->NameMatchingMode(), netscapeStepUpPolicy, ctMode,
|
||||
crliteMode, mEnterpriseCerts);
|
||||
netscapeStepUpPolicy, ctMode, crliteMode, mEnterpriseCerts);
|
||||
}
|
||||
|
||||
void nsNSSComponent::UpdateCertVerifierWithEnterpriseRoots() {
|
||||
@ -1576,7 +1558,6 @@ void nsNSSComponent::UpdateCertVerifierWithEnterpriseRoots() {
|
||||
: CertVerifier::ocspRelaxed,
|
||||
oldCertVerifier->mOCSPTimeoutSoft, oldCertVerifier->mOCSPTimeoutHard,
|
||||
oldCertVerifier->mCertShortLifetimeInDays, oldCertVerifier->mSHA1Mode,
|
||||
oldCertVerifier->mNameMatchingMode,
|
||||
oldCertVerifier->mNetscapeStepUpPolicy, oldCertVerifier->mCTMode,
|
||||
oldCertVerifier->mCRLiteMode, mEnterpriseCerts);
|
||||
}
|
||||
@ -2384,7 +2365,6 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
|
||||
prefName.EqualsLiteral(
|
||||
"security.pki.certificate_transparency.mode") ||
|
||||
prefName.EqualsLiteral("security.pki.sha1_enforcement_level") ||
|
||||
prefName.EqualsLiteral("security.pki.name_matching_mode") ||
|
||||
prefName.EqualsLiteral("security.pki.netscape_step_up_policy") ||
|
||||
prefName.EqualsLiteral(
|
||||
"security.OCSP.timeoutMilliseconds.soft") ||
|
||||
|
@ -3,16 +3,6 @@
|
||||
// License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
// The preference security.pki.name_matching_mode controls whether or not
|
||||
// mozilla::pkix will fall back to using a certificate's subject common name
|
||||
// during name matching. If the Baseline Requirements are followed, fallback
|
||||
// should not be necessary (because any name information in the subject common
|
||||
// name should be present in the subject alternative name extension). Due to
|
||||
// compatibility concerns, the platform can be configured to fall back for
|
||||
// certificates that are valid before 23 August 2016. Note that for certificates
|
||||
// issued by an imported root, the platform will fall back if necessary,
|
||||
// regardless of the value of the preference.
|
||||
|
||||
"use strict";
|
||||
|
||||
do_get_profile(); // must be called before getting nsIX509CertDB
|
||||
@ -48,8 +38,6 @@ function checkCertOn25August2016(cert, expectedResult) {
|
||||
|
||||
add_task(async function() {
|
||||
registerCleanupFunction(() => {
|
||||
Services.prefs.clearUserPref("security.pki.name_matching_mode");
|
||||
Services.prefs.clearUserPref("security.test.built_in_root_hash");
|
||||
Services.prefs.clearUserPref("privacy.reduceTimerPrecision");
|
||||
});
|
||||
|
||||
@ -57,216 +45,12 @@ add_task(async function() {
|
||||
|
||||
loadCertWithTrust("ca", "CTu,,");
|
||||
|
||||
// When verifying a certificate, if the trust anchor is not a built-in root,
|
||||
// name matching will fall back to using the subject common name if necessary
|
||||
// (i.e. if there is no subject alternative name extension or it does not
|
||||
// contain any dNSName or iPAddress entries). Thus, since imported roots are
|
||||
// not in general treated as built-ins, these should all successfully verify
|
||||
// regardless of the value of the pref.
|
||||
Services.prefs.setIntPref("security.pki.name_matching_mode", 0);
|
||||
info("current mode: always fall back, root not built-in");
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-recent"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(certFromFile("no-san-old"), PRErrorCodeSuccess);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-older"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-recent"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-old"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-older"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
// At one time there was a preference security.pki.name_matching_mode that
|
||||
// controlled whether or not mozilla::pkix would fall back to using a
|
||||
// certificate's subject common name during name matching. This no longer
|
||||
// exists, and certificates that previously required the fallback should fail
|
||||
// to verify.
|
||||
|
||||
Services.prefs.setIntPref("security.pki.name_matching_mode", 1);
|
||||
info(
|
||||
"current mode: fall back for notBefore < August 23, 2016, root " +
|
||||
"not built-in"
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-recent"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(certFromFile("no-san-old"), PRErrorCodeSuccess);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-older"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-recent"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-old"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-older"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
|
||||
Services.prefs.setIntPref("security.pki.name_matching_mode", 2);
|
||||
info(
|
||||
"current mode: fall back for notBefore < August 23, 2015, root " +
|
||||
"not built-in"
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-recent"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(certFromFile("no-san-old"), PRErrorCodeSuccess);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-older"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-recent"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-old"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-older"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
|
||||
Services.prefs.setIntPref("security.pki.name_matching_mode", 3);
|
||||
info("current mode: never fall back, root not built-in");
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-recent"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(certFromFile("no-san-old"), PRErrorCodeSuccess);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-older"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-recent"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-old"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-older"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
|
||||
// In debug builds, we can treat an imported root as a built-in, and thus we
|
||||
// can actually test the different values of the pref.
|
||||
if (isDebugBuild) {
|
||||
let root = certFromFile("ca");
|
||||
Services.prefs.setCharPref(
|
||||
"security.test.built_in_root_hash",
|
||||
root.sha256Fingerprint
|
||||
);
|
||||
|
||||
// Always fall back if necessary.
|
||||
Services.prefs.setIntPref("security.pki.name_matching_mode", 0);
|
||||
info("current mode: always fall back, root built-in");
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-recent"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-old"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-older"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-recent"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-old"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-older"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
|
||||
// Only fall back if notBefore < 23 August 2016
|
||||
Services.prefs.setIntPref("security.pki.name_matching_mode", 1);
|
||||
info(
|
||||
"current mode: fall back for notBefore < August 23, 2016, root " +
|
||||
"built-in"
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-recent"),
|
||||
SSL_ERROR_BAD_CERT_DOMAIN
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-old"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-older"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-recent"),
|
||||
SSL_ERROR_BAD_CERT_DOMAIN
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-old"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-older"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
|
||||
// Only fall back if notBefore < 23 August 2015
|
||||
Services.prefs.setIntPref("security.pki.name_matching_mode", 2);
|
||||
info(
|
||||
"current mode: fall back for notBefore < August 23, 2015, root " +
|
||||
"built-in"
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-recent"),
|
||||
SSL_ERROR_BAD_CERT_DOMAIN
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-old"),
|
||||
SSL_ERROR_BAD_CERT_DOMAIN
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-older"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-recent"),
|
||||
SSL_ERROR_BAD_CERT_DOMAIN
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-old"),
|
||||
SSL_ERROR_BAD_CERT_DOMAIN
|
||||
);
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("san-contains-no-hostnames-older"),
|
||||
PRErrorCodeSuccess
|
||||
);
|
||||
|
||||
// Never fall back.
|
||||
Services.prefs.setIntPref("security.pki.name_matching_mode", 3);
|
||||
info("current mode: never fall back, root built-in");
|
||||
await checkCertOn25August2016(
|
||||
certFromFile("no-san-recent"),
|
||||
SSL_ERROR_BAD_CERT_DOMAIN
|
||||
@ -291,5 +75,4 @@ add_task(async function() {
|
||||
certFromFile("san-contains-no-hostnames-older"),
|
||||
SSL_ERROR_BAD_CERT_DOMAIN
|
||||
);
|
||||
}
|
||||
});
|
||||
|
@ -882,6 +882,9 @@ def create_self_signed_cert(name):
|
||||
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
|
||||
cert.set_issuer(cert.get_subject())
|
||||
cert.set_pubkey(k)
|
||||
cert.add_extensions(
|
||||
[crypto.X509Extension(b"subjectAltName", False, f"DNS:{name}".encode())]
|
||||
)
|
||||
cert.sign(k, "sha1")
|
||||
|
||||
open(CERT_FILE, "wb").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
|
||||
|
Loading…
Reference in New Issue
Block a user