Bug 1359428 - Remove preference to select OneCRL update mechanism r=keeler,leplatrem,rhelmer

MozReview-Commit-ID: A6CwZrIDmTn --HG-- extra : rebase_source : 41e17d29f982d23f30f48a6f85ad20fc84b018c6
2024-11-25 05:41:12 +00:00 · 2017-09-29 10:47:27 +01:00 · 2017-09-29 10:47:27 +01:00 · ae55f5a197
commit ae55f5a197
parent 1a8efc0e83
8 changed files with 161 additions and 198 deletions
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@ -2655,9 +2655,6 @@ pref("services.blocklist.signing.enforced", true);
 // Enable blocklists via the services settings mechanism
 pref("services.blocklist.update_enabled", true);

-// Enable certificate blocklist updates via services settings
-pref("security.onecrl.via.amo", false);
-

 // Modifier key prefs: default to Windows settings,
 // menu access key = alt, accelerator key = control.
--- a/security/manager/ssl/CertBlocklist.cpp
+++ b/security/manager/ssl/CertBlocklist.cpp
@ -37,14 +37,11 @@ using namespace mozilla::pkix;
 #define PREF_BACKGROUND_UPDATE_TIMER "app.update.lastUpdateTime.blocklist-background-update-timer"
 #define PREF_BLOCKLIST_ONECRL_CHECKED "services.blocklist.onecrl.checked"
 #define PREF_MAX_STALENESS_IN_SECONDS "security.onecrl.maximum_staleness_in_seconds"
-#define PREF_ONECRL_VIA_AMO "security.onecrl.via.amo"

 static LazyLogModule gCertBlockPRLog("CertBlock");

 uint32_t CertBlocklist::sLastBlocklistUpdate = 0U;
-uint32_t CertBlocklist::sLastKintoUpdate = 0U;
 uint32_t CertBlocklist::sMaxStaleness = 0U;
-bool CertBlocklist::sUseAMO = true;

 CertBlocklistItem::CertBlocklistItem(const uint8_t* DNData,
                                     size_t DNLength,
@ -139,15 +136,9 @@ CertBlocklist::CertBlocklist()

 CertBlocklist::~CertBlocklist()
 {
-  Preferences::UnregisterCallback(CertBlocklist::PreferenceChanged,
-                                  PREF_BACKGROUND_UPDATE_TIMER,
-                                  this);
  Preferences::UnregisterCallback(CertBlocklist::PreferenceChanged,
                                  PREF_MAX_STALENESS_IN_SECONDS,
                                  this);
-  Preferences::UnregisterCallback(CertBlocklist::PreferenceChanged,
-                                  PREF_ONECRL_VIA_AMO,
-                                  this);
  Preferences::UnregisterCallback(CertBlocklist::PreferenceChanged,
                                  PREF_BLOCKLIST_ONECRL_CHECKED,
                                  this);
@ -166,25 +157,12 @@ CertBlocklist::Init()
  }

  // Register preference callbacks
-  nsresult rv =
-      Preferences::RegisterCallbackAndCall(CertBlocklist::PreferenceChanged,
-                                           PREF_BACKGROUND_UPDATE_TIMER,
-                                           this);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-  rv = Preferences::RegisterCallbackAndCall(CertBlocklist::PreferenceChanged,
+  nsresult rv = Preferences::RegisterCallbackAndCall(CertBlocklist::PreferenceChanged,
                                            PREF_MAX_STALENESS_IN_SECONDS,
                                            this);
  if (NS_FAILED(rv)) {
    return rv;
  }
-  rv = Preferences::RegisterCallbackAndCall(CertBlocklist::PreferenceChanged,
-                                            PREF_ONECRL_VIA_AMO,
-                                            this);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
  rv = Preferences::RegisterCallbackAndCall(CertBlocklist::PreferenceChanged,
                                            PREF_BLOCKLIST_ONECRL_CHECKED,
                                            this);
@ -631,13 +609,12 @@ CertBlocklist::IsBlocklistFresh(bool* _retval)
  *_retval = false;

  uint32_t now = uint32_t(PR_Now() / PR_USEC_PER_SEC);
-  uint32_t lastUpdate = sUseAMO ? sLastBlocklistUpdate : sLastKintoUpdate;
  MOZ_LOG(gCertBlockPRLog, LogLevel::Warning,
-          ("CertBlocklist::IsBlocklistFresh using AMO? %i lastUpdate is %i",
-           sUseAMO, lastUpdate));
+          ("CertBlocklist::IsBlocklistFresh ? lastUpdate is %i",
+           sLastBlocklistUpdate));

-  if (now > lastUpdate) {
-    int64_t interval = now - lastUpdate;
+  if (now > sLastBlocklistUpdate) {
+    int64_t interval = now - sLastBlocklistUpdate;
    MOZ_LOG(gCertBlockPRLog, LogLevel::Warning,
           ("CertBlocklist::IsBlocklistFresh we're after the last BlocklistUpdate "
            "interval is %" PRId64 ", staleness %u", interval, sMaxStaleness));
@ -659,16 +636,11 @@ CertBlocklist::PreferenceChanged(const char* aPref, void* aClosure)

  MOZ_LOG(gCertBlockPRLog, LogLevel::Warning,
         ("CertBlocklist::PreferenceChanged %s changed", aPref));
-  if (strcmp(aPref, PREF_BACKGROUND_UPDATE_TIMER) == 0) {
-    sLastBlocklistUpdate = Preferences::GetUint(PREF_BACKGROUND_UPDATE_TIMER,
+  if (strcmp(aPref, PREF_BLOCKLIST_ONECRL_CHECKED) == 0) {
+    sLastBlocklistUpdate = Preferences::GetUint(PREF_BLOCKLIST_ONECRL_CHECKED,
                                                uint32_t(0));
-  } else if (strcmp(aPref, PREF_BLOCKLIST_ONECRL_CHECKED) == 0) {
-    sLastKintoUpdate = Preferences::GetUint(PREF_BLOCKLIST_ONECRL_CHECKED,
-                                            uint32_t(0));
  } else if (strcmp(aPref, PREF_MAX_STALENESS_IN_SECONDS) == 0) {
    sMaxStaleness = Preferences::GetUint(PREF_MAX_STALENESS_IN_SECONDS,
                                         uint32_t(0));
-  } else if (strcmp(aPref, PREF_ONECRL_VIA_AMO) == 0) {
-    sUseAMO = Preferences::GetBool(PREF_ONECRL_VIA_AMO, true);
  }
 }
--- a/security/manager/ssl/tests/unit/test_cert_blocklist.js
+++ b/security/manager/ssl/tests/unit/test_cert_blocklist.js
@ -6,12 +6,14 @@

 // This test checks a number of things:
 // * it ensures that data loaded from revocations.txt on startup is present
-// * it ensures that certItems in blocklist.xml are persisted correctly
+// * it ensures that data served from OneCRL are persisted correctly
 // * it ensures that items in the CertBlocklist are seen as revoked by the
 //   cert verifier
 // * it does a sanity check to ensure other cert verifier behavior is
 //   unmodified

+const { setTimeout } = Cu.import("resource://gre/modules/Timer.jsm", {});
+
 // First, we need to setup appInfo for the blocklist service to work
 var id = "xpcshell@tests.mozilla.org";
 var appName = "XPCShell";
@ -31,25 +33,6 @@ updateAppInfo({
 // no revocation.txt in the profile
 var gProfile = do_get_profile();

-// Write out an empty blocklist.xml file to the profile to ensure nothing
-// is blocklisted by default
-var blockFile = gProfile.clone();
-blockFile.append("blocklist.xml");
-var stream = Cc["@mozilla.org/network/file-output-stream;1"]
-               .createInstance(Ci.nsIFileOutputStream);
-stream.init(blockFile,
-  FileUtils.MODE_WRONLY | FileUtils.MODE_CREATE | FileUtils.MODE_TRUNCATE,
-  FileUtils.PERMS_FILE, 0);
-
-var data = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
-           "<blocklist xmlns=\"http://www.mozilla.org/2006/addons-blocklist\">\n" +
-           "</blocklist>\n";
-stream.write(data, data.length);
-stream.close();
-
-const PREF_BLOCKLIST_UPDATE_ENABLED = "services.blocklist.update_enabled";
-const PREF_ONECRL_VIA_AMO = "security.onecrl.via.amo";
-
 var gRevocations = gProfile.clone();
 gRevocations.append("revocations.txt");
 if (!gRevocations.exists()) {
@ -60,65 +43,112 @@ if (!gRevocations.exists()) {
 var certDB = Cc["@mozilla.org/security/x509certdb;1"]
               .getService(Ci.nsIX509CertDB);

-// set up a test server to serve the blocklist.xml
+// set up a test server to serve the kinto views.
 var testserver = new HttpServer();

-var initialBlocklist = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
-    "<blocklist xmlns=\"http://www.mozilla.org/2006/addons-blocklist\">" +
-    // test with some bad data ...
-    "<certItems><certItem issuerName='Some nonsense in issuer'>" +
-    "<serialNumber>AkHVNA==</serialNumber>" +
-    "</certItem><certItem issuerName='MA0xCzAJBgNVBAMMAmNh'>" +
-    "<serialNumber>some nonsense in serial</serialNumber>" +
-    "</certItem><certItem issuerName='some nonsense in both issuer'>" +
-    "<serialNumber>and serial</serialNumber></certItem>" +
-    // some mixed
-    // In this case, the issuer name and the valid serialNumber correspond
-    // to test-int.pem in bad_certs/
-    "<certItem issuerName='MBIxEDAOBgNVBAMMB1Rlc3QgQ0E='>" +
-    "<serialNumber>oops! more nonsense.</serialNumber>" +
-    "<serialNumber>BVio/iQ21GCi2iUven8oJ/gae74=</serialNumber></certItem>" +
-    // ... and some good
-    // In this case, the issuer name and the valid serialNumber correspond
-    // to other-test-ca.pem in bad_certs/ (for testing root revocation)
-    "<certItem issuerName='MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E='>" +
-    "<serialNumber>exJUIJpq50jgqOwQluhVrAzTF74=</serialNumber></certItem>" +
-    // This item corresponds to an entry in sample_revocations.txt where:
-    // isser name is "another imaginary issuer" base-64 encoded, and
-    // serialNumbers are:
-    // "serial2." base-64 encoded, and
-    // "another serial." base-64 encoded
-    // We need this to ensure that existing items are retained if they're
-    // also in the blocklist
-    "<certItem issuerName='YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy'>" +
-    "<serialNumber>c2VyaWFsMi4=</serialNumber>" +
-    "<serialNumber>YW5vdGhlciBzZXJpYWwu</serialNumber></certItem>" +
-    // This item revokes same-issuer-ee.pem by subject and pubKeyHash.
-    "<certItem subject='MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5'" +
-    " pubKeyHash='VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8='>" +
-    "</certItem></certItems></blocklist>";

-var updatedBlocklist = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
-    "<blocklist xmlns=\"http://www.mozilla.org/2006/addons-blocklist\">" +
-    "<certItems>" +
-    "<certItem issuerName='something new in both the issuer'>" +
-    "<serialNumber>and the serial number</serialNumber></certItem>" +
-    "</certItems></blocklist>";
+const kintoHelloViewJSON = `{"settings":{"batch_max_requests":25}}`;
+const kintoChangesJSON = `{
+  "data": [
+    {
+      "host": "firefox.settings.services.mozilla.com",
+      "id": "3ace9d8e-00b5-a353-7fd5-1f081ff482ba",
+      "last_modified": 100000000000000000001,
+      "bucket": "blocklists",
+      "collection": "certificates"
+    }
+  ]
+}`;
+const certMetadataJSON = `{"data": {}}`;
+const certBlocklistJSON = `{
+  "data": [` +
+  // test with some bad data ...
+  ` {
+      "id": "1",
+      "last_modified": 100000000000000000001,
+      "issuerName": "Some nonsense in issuer",
+      "serialNumber": "AkHVNA=="
+    },
+    {
+      "id": "2",
+      "last_modified": 100000000000000000002,
+      "issuerName": "MA0xCzAJBgNVBAMMAmNh",
+      "serialNumber": "some nonsense in serial"
+    },
+    {
+      "id": "3",
+      "last_modified": 100000000000000000003,
+      "issuerName": "and serial",
+      "serialNumber": "some nonsense in both issuer"
+    },` +
+  // some mixed
+  // In these case, the issuer name and the valid serialNumber correspond
+  // to test-int.pem in bad_certs/
+  ` {
+      "id": "4",
+      "last_modified": 100000000000000000004,
+      "issuerName": "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+      "serialNumber": "oops! more nonsense."
+    },` +
+  ` {
+      "id": "5",
+      "last_modified": 100000000000000000004,
+      "issuerName": "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+      "serialNumber": "BVio/iQ21GCi2iUven8oJ/gae74="
+    },` +
+  // ... and some good
+  // In this case, the issuer name and the valid serialNumber correspond
+  // to other-test-ca.pem in bad_certs/ (for testing root revocation)
+  ` {
+      "id": "6",
+      "last_modified": 100000000000000000005,
+      "issuerName": "MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E=",
+      "serialNumber": "exJUIJpq50jgqOwQluhVrAzTF74="
+    },` +
+  // These items correspond to an entry in sample_revocations.txt where:
+  // isser name is "another imaginary issuer" base-64 encoded, and
+  // serialNumbers are:
+  // "serial2." base-64 encoded, and
+  // "another serial." base-64 encoded
+  // We need this to ensure that existing items are retained if they're
+  // also in the blocklist
+  ` {
+      "id": "7",
+      "last_modified": 100000000000000000006,
+      "issuerName": "YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy",
+      "serialNumber": "c2VyaWFsMi4="
+    },` +
+  ` {
+      "id": "8",
+      "last_modified": 100000000000000000006,
+      "issuerName": "YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy",
+      "serialNumber": "YW5vdGhlciBzZXJpYWwu"
+    },` +
+  // This item revokes same-issuer-ee.pem by subject and pubKeyHash.
+  ` {
+      "id": "9",
+      "last_modified": 100000000000000000007,
+      "subject": "MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5",
+      "pubKeyHash": "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8="
+    }
+  ]
+}`;

-
-var blocklists = {
-  "/initialBlocklist/": initialBlocklist,
-  "/updatedBlocklist/": updatedBlocklist
-};
-
-function serveResponse(request, response) {
-  do_print("Serving for path " + request.path + "\n");
-  response.write(blocklists[request.path]);
+function serveResponse(body) {
+  return (req, response) => {
+    response.setStatusLine(null, 200, "OK");
+    response.write(body);
+  };
 }

-for (var path in blocklists) {
-  testserver.registerPathHandler(path, serveResponse);
-}
+testserver.registerPathHandler("/v1/",
+                               serveResponse(kintoHelloViewJSON));
+testserver.registerPathHandler("/v1/buckets/monitor/collections/changes/records",
+                               serveResponse(kintoChangesJSON));
+testserver.registerPathHandler("/v1/buckets/blocklists/collections/certificates",
+                               serveResponse(certMetadataJSON));
+testserver.registerPathHandler("/v1/buckets/blocklists/collections/certificates/records",
+                               serveResponse(certBlocklistJSON));

 // start the test server
 testserver.start(-1);
@ -172,21 +202,28 @@ function test_is_revoked(certList, issuerString, serialString, subjectString,
                                pubKeyString ? pubKeyString.length : 0);
 }

-function fetch_blocklist(blocklistPath) {
-  do_print("path is " + blocklistPath + "\n");
-  let certblockObserver = {
-    observe(aSubject, aTopic, aData) {
-      Services.obs.removeObserver(this, "blocklist-updated");
-      run_next_test();
-    }
-  };
-
-  Services.obs.addObserver(certblockObserver, "blocklist-updated");
+function fetch_blocklist() {
+  Services.prefs.setBoolPref("services.blocklist.load_dump", false);
+  Services.prefs.setBoolPref("services.blocklist.signing.enforced", false);
+  Services.prefs.setCharPref("services.settings.server",
+                             `http://localhost:${port}/v1`);
  Services.prefs.setCharPref("extensions.blocklist.url",
-                              `http://localhost:${port}/${blocklistPath}`);
+                              `http://localhost:${port}/blocklist.xml`);
  let blocklist = Cc["@mozilla.org/extensions/blocklist;1"]
                    .getService(Ci.nsITimerCallback);
-  blocklist.notify(null);
+
+  return new Promise((resolve) => {
+    let certblockObserver = {
+      observe(aSubject, aTopic, aData) {
+        Services.obs.removeObserver(this, "blocklist-updater-versions-checked");
+        resolve();
+      }
+    };
+
+    Services.obs.addObserver(certblockObserver, "blocklist-updater-versions-checked");
+
+    blocklist.notify(null);
+  });
 }

 function* generate_revocations_txt_lines() {
@ -264,19 +301,15 @@ function run_test() {

  let expected = { "MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5":
                     { "\tVCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=": true },
-                   "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=":
-                     { " BVio/iQ21GCi2iUven8oJ/gae74=": true },
                   "MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E=":
-                     { " exJUIJpq50jgqOwQluhVrAzTF74=": true },
+                     { " exJUIJpq50jgqOwQluhVrAzTF74=": true},
+                   "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=":
+                     { " BVio/iQ21GCi2iUven8oJ/gae74=": true},
                   "YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy":
                     { " YW5vdGhlciBzZXJpYWwu": true,
                       " c2VyaWFsMi4=": true }
                 };

-  // This test assumes OneCRL updates via AMO
-  Services.prefs.setBoolPref(PREF_BLOCKLIST_UPDATE_ENABLED, false);
-  Services.prefs.setBoolPref(PREF_ONECRL_VIA_AMO, true);
-
  add_test(function () {
    // check some existing items in revocations.txt are blocked. Since the
    // CertBlocklistItems don't know about the data they contain, we can use
@ -320,14 +353,14 @@ function run_test() {
  });

  // blocklist load is async so we must use add_test from here
-  add_test(function() {
-    fetch_blocklist("initialBlocklist/");
+  add_task(function* () {
+    yield fetch_blocklist();
  });

  add_test(function() {
    // The blocklist will be loaded now. Let's check the data is sane.
    // In particular, we should still have the revoked issuer / serial pair
-    // that was in both revocations.txt and the blocklist.xml
+    // that was in both revocations.txt and the blocklist.
    ok(test_is_revoked(certList, "another imaginary issuer", "serial2."),
      "issuer / serial pair should be blocked");

@ -383,13 +416,6 @@ function run_test() {
    run_next_test();
  });

-  // disable AMO cert blocklist - and check blocklist.xml changes do not
-  // affect the data stored.
-  add_test(function() {
-    Services.prefs.setBoolPref("security.onecrl.via.amo", false);
-    fetch_blocklist("updatedBlocklist/");
-  });
-
  add_test(function() {
    // Check the blocklist entry has not changed
    check_revocations_txt_contents(expected);
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@ -279,10 +279,8 @@ add_task(async function oneCRLTests() {
  await ensureVerifiesAsEV("test-oid-path");

  clearOCSPCache();
-  // test that setting "security.onecrl.via.amo" results in the correct
-  // OCSP behavior when services.blocklist.onecrl.checked is in the distant past
-  // and blacklist-background-update-timer is recent
-  Services.prefs.setBoolPref("security.onecrl.via.amo", false);
+  // test the OCSP behavior when services.blocklist.onecrl.checked is in the
+  // distant past and blacklist-background-update-timer is recent
  // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
                            108000);
@ -297,9 +295,7 @@ add_task(async function oneCRLTests() {
  await ensureVerifiesAsEV("test-oid-path");

  clearOCSPCache();
-  // test that setting "security.onecrl.via.amo" results in the correct
-  // OCSP behavior when services.blocklist.onecrl.checked is recent
-  Services.prefs.setBoolPref("security.onecrl.via.amo", false);
+  // test the OCSP behavior when services.blocklist.onecrl.checked is recent
  // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
  Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
                            108000);
@ -310,7 +306,6 @@ add_task(async function oneCRLTests() {
  await ensureOneCRLSkipsOCSPForIntermediates("no-ocsp-int-path");
  await ensureOneCRLSkipsOCSPForIntermediates("test-oid-path");

-  Services.prefs.clearUserPref("security.onecrl.via.amo");
  Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
  Services.prefs.clearUserPref("services.blocklist.onecrl.checked");
  Services.prefs.clearUserPref(
--- a/services/common/blocklist-updater.js
+++ b/services/common/blocklist-updater.js
@ -18,6 +18,7 @@ const PREF_BLOCKLIST_CHANGES_PATH       = "services.blocklist.changes.path";
 const PREF_BLOCKLIST_LAST_UPDATE        = "services.blocklist.last_update_seconds";
 const PREF_BLOCKLIST_LAST_ETAG          = "services.blocklist.last_etag";
 const PREF_BLOCKLIST_CLOCK_SKEW_SECONDS = "services.blocklist.clock_skew_seconds";
+const PREF_BLOCKLIST_LOAD_DUMP          = "services.blocklist.load_dump";

 // Telemetry update source identifier.
 const TELEMETRY_HISTOGRAM_KEY = "settings-changes-monitoring";
@ -177,4 +178,6 @@ this.checkVersions = async function() {
  if (currentEtag) {
    Services.prefs.setCharPref(PREF_BLOCKLIST_LAST_ETAG, currentEtag);
  }
+
+  Services.obs.notifyObservers(null, "blocklist-updater-versions-checked");
 };
--- a/services/common/tests/unit/test_blocklist_updater.js
+++ b/services/common/tests/unit/test_blocklist_updater.js
@ -71,8 +71,22 @@ add_task(async function test_check_maybeSync() {

  const startHistogram = getUptakeTelemetrySnapshot(TELEMETRY_HISTOGRAM_KEY);

+  let notificationObserved = false;
+
+  // Ensure that the blocklist-updater-versions-checked notification works
+  let certblockObserver = {
+    observe(aSubject, aTopic, aData) {
+      Services.obs.removeObserver(this, "blocklist-updater-versions-checked");
+      notificationObserved = true;
+    }
+  };
+
+  Services.obs.addObserver(certblockObserver, "blocklist-updater-versions-checked");
+
  await updater.checkVersions();

+  do_check_true(notificationObserved, "a notification should have been observed");
+
  // check the last_update is updated
  do_check_eq(Services.prefs.getIntPref(PREF_LAST_UPDATE), 2);

@ -110,13 +124,16 @@ add_task(async function test_check_maybeSync() {
  }
  server.registerPathHandler(changesPath, simulateErrorResponse);

-  // checkVersions() fails with adequate error.
+  // checkVersions() fails with adequate error and no notification.
  let error;
+  notificationObserved = false;
+  Services.obs.addObserver(certblockObserver, "blocklist-updater-versions-checked");
  try {
    await updater.checkVersions();
  } catch (e) {
    error = e;
  }
+  do_check_false(notificationObserved, "a notification should not have been observed");
  do_check_true(/Polling for changes failed/.test(error.message));
  // When an error occurs, last update was not overwritten (see Date header above).
  do_check_eq(Services.prefs.getIntPref(PREF_LAST_UPDATE), 2);
--- a/toolkit/mozapps/extensions/nsBlocklistService.js
+++ b/toolkit/mozapps/extensions/nsBlocklistService.js
@ -51,7 +51,6 @@ const PREF_BLOCKLIST_LEVEL            = "extensions.blocklist.level";
 const PREF_BLOCKLIST_PINGCOUNTTOTAL   = "extensions.blocklist.pingCountTotal";
 const PREF_BLOCKLIST_PINGCOUNTVERSION = "extensions.blocklist.pingCountVersion";
 const PREF_BLOCKLIST_SUPPRESSUI       = "extensions.blocklist.suppressUI";
-const PREF_ONECRL_VIA_AMO             = "security.onecrl.via.amo";
 const PREF_BLOCKLIST_UPDATE_ENABLED   = "services.blocklist.update_enabled";
 const PREF_APP_DISTRIBUTION           = "distribution.id";
 const PREF_APP_DISTRIBUTION_VERSION   = "distribution.version";
@ -81,10 +80,6 @@ XPCOMUtils.defineLazyServiceGetter(this, "gVersionChecker",
                                   "@mozilla.org/xpcom/version-comparator;1",
                                   "nsIVersionComparator");

-XPCOMUtils.defineLazyServiceGetter(this, "gCertBlocklistService",
-                                   "@mozilla.org/security/certblocklist;1",
-                                   "nsICertBlocklist");
-
 XPCOMUtils.defineLazyGetter(this, "gPref", function() {
  return Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefService).
         QueryInterface(Ci.nsIPrefBranch);
@ -910,8 +905,6 @@ Blocklist.prototype = {
        return;
      }

-      var populateCertBlocklist = getPref("getBoolPref", PREF_ONECRL_VIA_AMO, true);
-
      var childNodes = doc.documentElement.childNodes;
      for (let element of childNodes) {
        if (!(element instanceof Ci.nsIDOMElement))
@ -925,12 +918,6 @@ Blocklist.prototype = {
          this._pluginEntries = this._processItemNodes(element.childNodes, "pluginItem",
                                                       this._handlePluginItemNode);
          break;
-        case "certItems":
-          if (populateCertBlocklist) {
-            this._processItemNodes(element.childNodes, "certItem",
-                                   this._handleCertItemNode.bind(this));
-          }
-          break;
        case "gfxItems":
          // Parse as simple list of objects.
          this._gfxEntries = this._processItemNodes(element.childNodes, "gfxBlacklistEntry",
@ -940,9 +927,6 @@ Blocklist.prototype = {
          LOG("Blocklist::_loadBlocklistFromString: ignored entries " + element.localName);
        }
      }
-      if (populateCertBlocklist) {
-        gCertBlocklistService.saveEntries();
-      }
      if (this._gfxEntries.length > 0) {
        this._notifyObserversBlocklistGFX();
      }
@ -964,33 +948,6 @@ Blocklist.prototype = {
    return result;
  },

-  _handleCertItemNode(blocklistElement, result) {
-    let issuer = blocklistElement.getAttribute("issuerName");
-    if (issuer) {
-      for (let snElement of blocklistElement.children) {
-        try {
-          gCertBlocklistService.revokeCertByIssuerAndSerial(issuer, snElement.textContent);
-        } catch (e) {
-          // we want to keep trying other elements since missing all items
-          // is worse than missing one
-          LOG("Blocklist::_handleCertItemNode: Error adding revoked cert by Issuer and Serial" + e);
-        }
-      }
-      return;
-    }
-
-    let pubKeyHash = blocklistElement.getAttribute("pubKeyHash");
-    let subject = blocklistElement.getAttribute("subject");
-
-    if (pubKeyHash && subject) {
-      try {
-        gCertBlocklistService.revokeCertBySubjectAndPubKey(subject, pubKeyHash);
-      } catch (e) {
-        LOG("Blocklist::_handleCertItemNode: Error adding revoked cert by Subject and PubKey" + e);
-      }
-    }
-  },
-
  _handleEmItemNode(blocklistElement, result) {
    if (!matchesOSABI(blocklistElement))
      return;
--- a/toolkit/mozapps/extensions/test/xpcshell/test_blocklist_regexp.js
+++ b/toolkit/mozapps/extensions/test/xpcshell/test_blocklist_regexp.js
@ -64,12 +64,8 @@ function load_blocklist(aFile, aCallback) {
                             gPort + "/data/" + aFile);
  var blocklist = Cc["@mozilla.org/extensions/blocklist;1"].
                  getService(Ci.nsITimerCallback);
-  // if we're not using the blocklist.xml for certificate blocklist state,
-  // ensure that kinto update is enabled
-  if (!Services.prefs.getBoolPref("security.onecrl.via.amo")) {
-    ok(Services.prefs.getBoolPref("services.blocklist.update_enabled"),
-                                  "Kinto update should be enabled");
-  }
+  ok(Services.prefs.getBoolPref("services.blocklist.update_enabled"),
+                                "Kinto update should be enabled");
  blocklist.notify(null);
 }