bug 928489 - Bug 928489 - Disable update xml certificate checks on Windows. r=bbondy

browser/app/profile/firefox.js

@@ -96,6 +96,14 @@ pref("app.update.log", false);
 // the failure.
 pref("app.update.backgroundMaxErrors", 10);
 
+// The aus update xml certificate checks for application update are disabled on
+// Windows since the mar signature check which is currently only implemented on
+// Windows is sufficient for preventing us from applying a mar that is not
+// valid.
+#ifdef XP_WIN
+pref("app.update.cert.requireBuiltIn", false);
+pref("app.update.cert.checkAttributes", false);
+#else
 // When |app.update.cert.requireBuiltIn| is true or not specified the
 // final certificate and all certificates the connection is redirected to before
 // the final certificate for the url specified in the |app.update.url|
@@ -144,6 +152,7 @@ pref("app.update.certs.1.commonName", "aus3.mozilla.org");
 pref("app.update.certs.2.issuerName", "CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US");
 pref("app.update.certs.2.commonName", "aus3.mozilla.org");
 #endif
+#endif
 
 // Whether or not app updates are enabled
 pref("app.update.enabled", true);

browser/metro/profile/metro.js

@@ -489,52 +489,22 @@ pref("app.update.log", false);
 // the failure.
 pref("app.update.backgroundMaxErrors", 10);
 
+// The aus update xml certificate checks for application update are disabled on
+// Windows since the mar signature check which is currently only implemented on
+// Windows is sufficient for preventing us from applying a mar that is not
+// valid.
+
 // When |app.update.cert.requireBuiltIn| is true or not specified the
 // final certificate and all certificates the connection is redirected to before
 // the final certificate for the url specified in the |app.update.url|
 // preference must be built-in.
-pref("app.update.cert.requireBuiltIn", true);
+pref("app.update.cert.requireBuiltIn", false);
 
 // When |app.update.cert.checkAttributes| is true or not specified the
 // certificate attributes specified in the |app.update.certs.| preference branch
 // are checked against the certificate for the url specified by the
 // |app.update.url| preference.
-pref("app.update.cert.checkAttributes", true);
-
-// The number of certificate attribute check failures to allow for background
-// update checks before notifying the user of the failure. User initiated update
-// checks always notify the user of the certificate attribute check failure.
-pref("app.update.cert.maxErrors", 5);
-
-// The |app.update.certs.| preference branch contains branches that are
-// sequentially numbered starting at 1 that contain attribute name / value
-// pairs for the certificate used by the server that hosts the update xml file
-// as specified in the |app.update.url| preference. When these preferences are
-// present the following conditions apply for a successful update check:
-// 1. the uri scheme must be https
-// 2. the preference name must exist as an attribute name on the certificate and
-//    the value for the name must be the same as the value for the attribute name
-//    on the certificate.
-// If these conditions aren't met it will be treated the same as when there is
-// no update available. This validation will not be performed when the
-// |app.update.url.override| user preference has been set for testing updates or
-// when the |app.update.cert.checkAttributes| preference is set to false. Also,
-// the |app.update.url.override| preference should ONLY be used for testing.
-// IMPORTANT! firefox.js should also be updated for updates to certs.X.issuerName
-
-// Non-release builds (Nightly, Aurora, etc.) have been switched over to aus4.mozilla.org.
-// This condition protects us against accidentally using it for release builds.
-#ifndef RELEASE_BUILD
-pref("app.update.certs.1.issuerName", "CN=DigiCert Secure Server CA,O=DigiCert Inc,C=US");
-pref("app.update.certs.1.commonName", "aus4.mozilla.org");
-pref("app.update.certs.2.issuerName", "CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US");
-pref("app.update.certs.2.commonName", "aus4.mozilla.org");
-#else
-pref("app.update.certs.1.issuerName", "OU=Equifax Secure Certificate Authority,O=Equifax,C=US");
-pref("app.update.certs.1.commonName", "aus3.mozilla.org");
-pref("app.update.certs.2.issuerName", "CN=Thawte SSL CA,O=\"Thawte, Inc.\",C=US");
-pref("app.update.certs.2.commonName", "aus3.mozilla.org");
-#endif
+pref("app.update.cert.checkAttributes", false);
 
 // User-settable override to app.update.url for testing purposes.
 //pref("app.update.url.override", "");

toolkit/mozapps/update/test/chrome/test_0121_check_requireBuiltinCert.xul

@@ -81,6 +81,9 @@ function testXHRLoad(aEvent) {
                                aCertAttrName, cert[aCertAttrName]);
   });
 
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, true);
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, false);
+
   let url = "https://example.com/" + URL_PATH + "/update.sjs?showDetails=1" +
             getVersionParams();
   gAppUpdateURLDefault = gDefaultPrefBranch.getCharPref(PREF_APP_UPDATE_URL);

toolkit/mozapps/update/test/chrome/test_0122_check_allowNonBuiltinCert_validCertAttrs.xul

@@ -82,6 +82,7 @@ function testXHRLoad(aEvent) {
   });
 
   Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, false);
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, true);
 
   let url = "https://example.com/" + URL_PATH + "/update.sjs?showDetails=1" +
             getVersionParams();

toolkit/mozapps/update/test/chrome/test_0131_check_invalidCertAttrs_noUpdate.xul

@@ -35,6 +35,8 @@ function runTest() {
   Services.prefs.setCharPref(PREF_APP_UPDATE_CERT_INVALID_ATTR_NAME,
                              "Invalid Attribute Name");
   Services.prefs.setIntPref(PREF_APP_UPDATE_CERT_ERRORS, 1);
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, false);
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, true);
 
   let url = "https://example.com/" + URL_PATH + "/update.sjs?noUpdates=1";
   gAppUpdateURLDefault = gDefaultPrefBranch.getCharPref(PREF_APP_UPDATE_URL);

toolkit/mozapps/update/test/chrome/test_0132_check_invalidCertAttrs_hasUpdate.xul

@@ -35,6 +35,8 @@ function runTest() {
   Services.prefs.setCharPref(PREF_APP_UPDATE_CERT_INVALID_ATTR_NAME,
                              "Invalid Attribute Name");
   Services.prefs.setIntPref(PREF_APP_UPDATE_CERT_ERRORS, 1);
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, false);
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, true);
 
   let url = "https://example.com/" + URL_PATH + "/update.sjs?showDetails=1" +
             getVersionParams();

toolkit/mozapps/update/test/chrome/test_0141_notify_invalidCertAttrs_noUpdate.xul

@@ -32,6 +32,8 @@ function runTest() {
 
   Services.prefs.setCharPref(PREF_APP_UPDATE_CERT_INVALID_ATTR_NAME,
                              "Invalid Attribute Name");
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, false);
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, true);
 
   let url = "https://example.com/" + URL_PATH + "/update.sjs?noUpdates=1";
   gAppUpdateURLDefault = gDefaultPrefBranch.getCharPref(PREF_APP_UPDATE_URL);

toolkit/mozapps/update/test/chrome/test_0142_notify_invalidCertAttrs_hasUpdate.xul

@@ -32,6 +32,8 @@ function runTest() {
 
   Services.prefs.setCharPref(PREF_APP_UPDATE_CERT_INVALID_ATTR_NAME,
                              "Invalid Attribute Name");
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_REQUIREBUILTIN, false);
+  Services.prefs.setBoolPref(PREF_APP_UPDATE_CERT_CHECKATTRS, true);
 
   let url = "https://example.com/" + URL_PATH + "/update.sjs?showDetails=1" +
             getVersionParams();