Bug 1456112 - Add a pref to implement the last Symantec Distrust step r=keeler

This adds another preference (DistrustSymantecRootsRegardlessOfDate == 2) that stops permitting certificates issued after 1 June 2016, and updates the test to check it. --HG-- extra : transplant_source : %F1%DE%16m%F2%DD%A8Ei%EF%B4%CAo%BF%8D%A6%A6%5E%D4%89
2024-11-27 23:02:20 +00:00 · 2018-05-04 09:34:45 -07:00 · 2018-05-04 09:34:45 -07:00 · 8d99d56270
commit 8d99d56270
parent 5dfa7d1f80
4 changed files with 34 additions and 2 deletions
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@ -66,6 +66,7 @@ enum class SHA1ModeResult {
 enum class DistrustedCAPolicy : uint32_t {
  Permit = 0,
  DistrustSymantecRoots = 1,
+  DistrustSymantecRootsRegardlessOfDate = 2,
 };

 enum class NetscapeStepUpPolicy : uint32_t;
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@ -891,7 +891,7 @@ NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time,
  // handshake. To determine this, we check mHostname: If it isn't set, this is
  // not TLS, so don't run the algorithm.
  if (mHostname && CertDNIsInList(root.get(), RootSymantecDNs) &&
-      mDistrustedCAPolicy == DistrustedCAPolicy::DistrustSymantecRoots) {
+      mDistrustedCAPolicy != DistrustedCAPolicy::Permit) {

    rootCert = nullptr; // Clear the state for Segment...
    nsCOMPtr<nsIX509CertList> intCerts;
@ -907,8 +907,13 @@ NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time,
    // (new Date("2016-06-01T00:00:00Z")).getTime() * 1000
    static const PRTime JUNE_1_2016 = 1464739200000000;

+    PRTime permitAfterDate = 0; // 0 indicates there is no permitAfterDate
+    if (mDistrustedCAPolicy == DistrustedCAPolicy::DistrustSymantecRoots) {
+      permitAfterDate = JUNE_1_2016;
+    }
+
    bool isDistrusted = false;
-    nsrv = CheckForSymantecDistrust(intCerts, eeCert, JUNE_1_2016,
+    nsrv = CheckForSymantecDistrust(intCerts, eeCert, permitAfterDate,
                                    RootAppleAndGoogleSPKIs, isDistrusted);
    if (NS_FAILED(nsrv)) {
      return Result::FATAL_ERROR_LIBRARY_FAILURE;
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@ -1694,6 +1694,7 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting)
  switch(distrustedCAPolicy) {
    case DistrustedCAPolicy::Permit:
    case DistrustedCAPolicy::DistrustSymantecRoots:
+    case DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate:
      break;
    default:
      distrustedCAPolicy = defaultCAPolicyMode;
--- a/security/manager/ssl/tests/unit/test_symantec_apple_google.js
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google.js
@ -39,6 +39,23 @@ add_connection_test("symantec-not-whitelisted-before-cutoff.example.com",
                    MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
                    null, null);

+// Enable the Firefox 63 total distrust; before or after cutoff should now all
+// behave the same.
+add_test(function() {
+  clearSessionCache();
+  Services.prefs.setIntPref("security.pki.distrust_ca_policy",
+              /* DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate */ 2);
+  run_next_test();
+});
+
+add_connection_test("symantec-not-whitelisted-before-cutoff.example.com",
+                    MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
+                    null, null);
+
+add_connection_test("symantec-not-whitelisted-after-cutoff.example.com",
+                    MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
+                    null, null);
+
 // Disable the distrust, should be back to the console warning
 add_test(function() {
  clearSessionCache();
@ -77,6 +94,7 @@ add_task(async function() {
  // (as an external fetch is bad in the tests), disable OCSP first.
  Services.prefs.setIntPref("security.OCSP.enabled", 0);

+  // Try with the policy for 60
  Services.prefs.setIntPref("security.pki.distrust_ca_policy",
                            /* DistrustedCAPolicy::DistrustSymantecRoots */ 1);

@ -85,4 +103,11 @@ add_task(async function() {

  await checkCertErrorGenericAtTime(certDB, whitelistedCert, PRErrorCodeSuccess,
                                    certificateUsageSSLServer, VALIDATION_TIME);
+
+  // Try with the policy for 63
+  Services.prefs.setIntPref("security.pki.distrust_ca_policy",
+                            /* DistrustedCAPolicy::DistrustSymantecRootsRegardlessOfDate */ 2);
+
+  await checkCertErrorGenericAtTime(certDB, whitelistedCert, PRErrorCodeSuccess,
+                                    certificateUsageSSLServer, VALIDATION_TIME);
 });