From ae55f5a19771eb2697af627dcc6eefb1b821f1f6 Mon Sep 17 00:00:00 2001
From: Mark Goodwin <mgoodwin@mozilla.com>
Date: Fri, 29 Sep 2017 10:47:27 +0100
Subject: [PATCH] Bug 1359428 - Remove preference to select OneCRL update
 mechanism r=keeler,leplatrem,rhelmer

MozReview-Commit-ID: A6CwZrIDmTn

--HG--
extra : rebase_source : 41e17d29f982d23f30f48a6f85ad20fc84b018c6
---
 modules/libpref/init/all.js                   |   3 -
 security/manager/ssl/CertBlocklist.cpp        |  42 +---
 .../ssl/tests/unit/test_cert_blocklist.js     | 230 ++++++++++--------
 .../manager/ssl/tests/unit/test_ev_certs.js   |  11 +-
 services/common/blocklist-updater.js          |   3 +
 .../tests/unit/test_blocklist_updater.js      |  19 +-
 .../mozapps/extensions/nsBlocklistService.js  |  43 ----
 .../test/xpcshell/test_blocklist_regexp.js    |   8 +-
 8 files changed, 161 insertions(+), 198 deletions(-)

diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index d30456225116..8a464c1083f9 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2655,9 +2655,6 @@ pref("services.blocklist.signing.enforced", true);
 // Enable blocklists via the services settings mechanism
 pref("services.blocklist.update_enabled", true);
 
-// Enable certificate blocklist updates via services settings
-pref("security.onecrl.via.amo", false);
-
 
 // Modifier key prefs: default to Windows settings,
 // menu access key = alt, accelerator key = control.
diff --git a/security/manager/ssl/CertBlocklist.cpp b/security/manager/ssl/CertBlocklist.cpp
index 266ca42e2614..4a928956ee72 100644
--- a/security/manager/ssl/CertBlocklist.cpp
+++ b/security/manager/ssl/CertBlocklist.cpp
@@ -37,14 +37,11 @@ using namespace mozilla::pkix;
 #define PREF_BACKGROUND_UPDATE_TIMER "app.update.lastUpdateTime.blocklist-background-update-timer"
 #define PREF_BLOCKLIST_ONECRL_CHECKED "services.blocklist.onecrl.checked"
 #define PREF_MAX_STALENESS_IN_SECONDS "security.onecrl.maximum_staleness_in_seconds"
-#define PREF_ONECRL_VIA_AMO "security.onecrl.via.amo"
 
 static LazyLogModule gCertBlockPRLog("CertBlock");
 
 uint32_t CertBlocklist::sLastBlocklistUpdate = 0U;
-uint32_t CertBlocklist::sLastKintoUpdate = 0U;
 uint32_t CertBlocklist::sMaxStaleness = 0U;
-bool CertBlocklist::sUseAMO = true;
 
 CertBlocklistItem::CertBlocklistItem(const uint8_t* DNData,
                                      size_t DNLength,
@@ -139,15 +136,9 @@ CertBlocklist::CertBlocklist()
 
 CertBlocklist::~CertBlocklist()
 {
-  Preferences::UnregisterCallback(CertBlocklist::PreferenceChanged,
-                                  PREF_BACKGROUND_UPDATE_TIMER,
-                                  this);
   Preferences::UnregisterCallback(CertBlocklist::PreferenceChanged,
                                   PREF_MAX_STALENESS_IN_SECONDS,
                                   this);
-  Preferences::UnregisterCallback(CertBlocklist::PreferenceChanged,
-                                  PREF_ONECRL_VIA_AMO,
-                                  this);
   Preferences::UnregisterCallback(CertBlocklist::PreferenceChanged,
                                   PREF_BLOCKLIST_ONECRL_CHECKED,
                                   this);
@@ -166,25 +157,12 @@ CertBlocklist::Init()
   }
 
   // Register preference callbacks
-  nsresult rv =
-      Preferences::RegisterCallbackAndCall(CertBlocklist::PreferenceChanged,
-                                           PREF_BACKGROUND_UPDATE_TIMER,
-                                           this);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-  rv = Preferences::RegisterCallbackAndCall(CertBlocklist::PreferenceChanged,
+  nsresult rv = Preferences::RegisterCallbackAndCall(CertBlocklist::PreferenceChanged,
                                             PREF_MAX_STALENESS_IN_SECONDS,
                                             this);
   if (NS_FAILED(rv)) {
     return rv;
   }
-  rv = Preferences::RegisterCallbackAndCall(CertBlocklist::PreferenceChanged,
-                                            PREF_ONECRL_VIA_AMO,
-                                            this);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
   rv = Preferences::RegisterCallbackAndCall(CertBlocklist::PreferenceChanged,
                                             PREF_BLOCKLIST_ONECRL_CHECKED,
                                             this);
@@ -631,13 +609,12 @@ CertBlocklist::IsBlocklistFresh(bool* _retval)
   *_retval = false;
 
   uint32_t now = uint32_t(PR_Now() / PR_USEC_PER_SEC);
-  uint32_t lastUpdate = sUseAMO ? sLastBlocklistUpdate : sLastKintoUpdate;
   MOZ_LOG(gCertBlockPRLog, LogLevel::Warning,
-          ("CertBlocklist::IsBlocklistFresh using AMO? %i lastUpdate is %i",
-           sUseAMO, lastUpdate));
+          ("CertBlocklist::IsBlocklistFresh ? lastUpdate is %i",
+           sLastBlocklistUpdate));
 
-  if (now > lastUpdate) {
-    int64_t interval = now - lastUpdate;
+  if (now > sLastBlocklistUpdate) {
+    int64_t interval = now - sLastBlocklistUpdate;
     MOZ_LOG(gCertBlockPRLog, LogLevel::Warning,
            ("CertBlocklist::IsBlocklistFresh we're after the last BlocklistUpdate "
             "interval is %" PRId64 ", staleness %u", interval, sMaxStaleness));
@@ -659,16 +636,11 @@ CertBlocklist::PreferenceChanged(const char* aPref, void* aClosure)
 
   MOZ_LOG(gCertBlockPRLog, LogLevel::Warning,
          ("CertBlocklist::PreferenceChanged %s changed", aPref));
-  if (strcmp(aPref, PREF_BACKGROUND_UPDATE_TIMER) == 0) {
-    sLastBlocklistUpdate = Preferences::GetUint(PREF_BACKGROUND_UPDATE_TIMER,
+  if (strcmp(aPref, PREF_BLOCKLIST_ONECRL_CHECKED) == 0) {
+    sLastBlocklistUpdate = Preferences::GetUint(PREF_BLOCKLIST_ONECRL_CHECKED,
                                                 uint32_t(0));
-  } else if (strcmp(aPref, PREF_BLOCKLIST_ONECRL_CHECKED) == 0) {
-    sLastKintoUpdate = Preferences::GetUint(PREF_BLOCKLIST_ONECRL_CHECKED,
-                                            uint32_t(0));
   } else if (strcmp(aPref, PREF_MAX_STALENESS_IN_SECONDS) == 0) {
     sMaxStaleness = Preferences::GetUint(PREF_MAX_STALENESS_IN_SECONDS,
                                          uint32_t(0));
-  } else if (strcmp(aPref, PREF_ONECRL_VIA_AMO) == 0) {
-    sUseAMO = Preferences::GetBool(PREF_ONECRL_VIA_AMO, true);
   }
 }
diff --git a/security/manager/ssl/tests/unit/test_cert_blocklist.js b/security/manager/ssl/tests/unit/test_cert_blocklist.js
index 55d2e7f72876..4688a52e1630 100644
--- a/security/manager/ssl/tests/unit/test_cert_blocklist.js
+++ b/security/manager/ssl/tests/unit/test_cert_blocklist.js
@@ -6,12 +6,14 @@
 
 // This test checks a number of things:
 // * it ensures that data loaded from revocations.txt on startup is present
-// * it ensures that certItems in blocklist.xml are persisted correctly
+// * it ensures that data served from OneCRL are persisted correctly
 // * it ensures that items in the CertBlocklist are seen as revoked by the
 //   cert verifier
 // * it does a sanity check to ensure other cert verifier behavior is
 //   unmodified
 
+const { setTimeout } = Cu.import("resource://gre/modules/Timer.jsm", {});
+
 // First, we need to setup appInfo for the blocklist service to work
 var id = "xpcshell@tests.mozilla.org";
 var appName = "XPCShell";
@@ -31,25 +33,6 @@ updateAppInfo({
 // no revocation.txt in the profile
 var gProfile = do_get_profile();
 
-// Write out an empty blocklist.xml file to the profile to ensure nothing
-// is blocklisted by default
-var blockFile = gProfile.clone();
-blockFile.append("blocklist.xml");
-var stream = Cc["@mozilla.org/network/file-output-stream;1"]
-               .createInstance(Ci.nsIFileOutputStream);
-stream.init(blockFile,
-  FileUtils.MODE_WRONLY | FileUtils.MODE_CREATE | FileUtils.MODE_TRUNCATE,
-  FileUtils.PERMS_FILE, 0);
-
-var data = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
-           "<blocklist xmlns=\"http://www.mozilla.org/2006/addons-blocklist\">\n" +
-           "</blocklist>\n";
-stream.write(data, data.length);
-stream.close();
-
-const PREF_BLOCKLIST_UPDATE_ENABLED = "services.blocklist.update_enabled";
-const PREF_ONECRL_VIA_AMO = "security.onecrl.via.amo";
-
 var gRevocations = gProfile.clone();
 gRevocations.append("revocations.txt");
 if (!gRevocations.exists()) {
@@ -60,65 +43,112 @@ if (!gRevocations.exists()) {
 var certDB = Cc["@mozilla.org/security/x509certdb;1"]
                .getService(Ci.nsIX509CertDB);
 
-// set up a test server to serve the blocklist.xml
+// set up a test server to serve the kinto views.
 var testserver = new HttpServer();
 
-var initialBlocklist = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
-    "<blocklist xmlns=\"http://www.mozilla.org/2006/addons-blocklist\">" +
-    // test with some bad data ...
-    "<certItems><certItem issuerName='Some nonsense in issuer'>" +
-    "<serialNumber>AkHVNA==</serialNumber>" +
-    "</certItem><certItem issuerName='MA0xCzAJBgNVBAMMAmNh'>" +
-    "<serialNumber>some nonsense in serial</serialNumber>" +
-    "</certItem><certItem issuerName='some nonsense in both issuer'>" +
-    "<serialNumber>and serial</serialNumber></certItem>" +
-    // some mixed
-    // In this case, the issuer name and the valid serialNumber correspond
-    // to test-int.pem in bad_certs/
-    "<certItem issuerName='MBIxEDAOBgNVBAMMB1Rlc3QgQ0E='>" +
-    "<serialNumber>oops! more nonsense.</serialNumber>" +
-    "<serialNumber>BVio/iQ21GCi2iUven8oJ/gae74=</serialNumber></certItem>" +
-    // ... and some good
-    // In this case, the issuer name and the valid serialNumber correspond
-    // to other-test-ca.pem in bad_certs/ (for testing root revocation)
-    "<certItem issuerName='MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E='>" +
-    "<serialNumber>exJUIJpq50jgqOwQluhVrAzTF74=</serialNumber></certItem>" +
-    // This item corresponds to an entry in sample_revocations.txt where:
-    // isser name is "another imaginary issuer" base-64 encoded, and
-    // serialNumbers are:
-    // "serial2." base-64 encoded, and
-    // "another serial." base-64 encoded
-    // We need this to ensure that existing items are retained if they're
-    // also in the blocklist
-    "<certItem issuerName='YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy'>" +
-    "<serialNumber>c2VyaWFsMi4=</serialNumber>" +
-    "<serialNumber>YW5vdGhlciBzZXJpYWwu</serialNumber></certItem>" +
-    // This item revokes same-issuer-ee.pem by subject and pubKeyHash.
-    "<certItem subject='MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5'" +
-    " pubKeyHash='VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8='>" +
-    "</certItem></certItems></blocklist>";
 
-var updatedBlocklist = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
-    "<blocklist xmlns=\"http://www.mozilla.org/2006/addons-blocklist\">" +
-    "<certItems>" +
-    "<certItem issuerName='something new in both the issuer'>" +
-    "<serialNumber>and the serial number</serialNumber></certItem>" +
-    "</certItems></blocklist>";
+const kintoHelloViewJSON = `{"settings":{"batch_max_requests":25}}`;
+const kintoChangesJSON = `{
+  "data": [
+    {
+      "host": "firefox.settings.services.mozilla.com",
+      "id": "3ace9d8e-00b5-a353-7fd5-1f081ff482ba",
+      "last_modified": 100000000000000000001,
+      "bucket": "blocklists",
+      "collection": "certificates"
+    }
+  ]
+}`;
+const certMetadataJSON = `{"data": {}}`;
+const certBlocklistJSON = `{
+  "data": [` +
+  // test with some bad data ...
+  ` {
+      "id": "1",
+      "last_modified": 100000000000000000001,
+      "issuerName": "Some nonsense in issuer",
+      "serialNumber": "AkHVNA=="
+    },
+    {
+      "id": "2",
+      "last_modified": 100000000000000000002,
+      "issuerName": "MA0xCzAJBgNVBAMMAmNh",
+      "serialNumber": "some nonsense in serial"
+    },
+    {
+      "id": "3",
+      "last_modified": 100000000000000000003,
+      "issuerName": "and serial",
+      "serialNumber": "some nonsense in both issuer"
+    },` +
+  // some mixed
+  // In these case, the issuer name and the valid serialNumber correspond
+  // to test-int.pem in bad_certs/
+  ` {
+      "id": "4",
+      "last_modified": 100000000000000000004,
+      "issuerName": "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+      "serialNumber": "oops! more nonsense."
+    },` +
+  ` {
+      "id": "5",
+      "last_modified": 100000000000000000004,
+      "issuerName": "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
+      "serialNumber": "BVio/iQ21GCi2iUven8oJ/gae74="
+    },` +
+  // ... and some good
+  // In this case, the issuer name and the valid serialNumber correspond
+  // to other-test-ca.pem in bad_certs/ (for testing root revocation)
+  ` {
+      "id": "6",
+      "last_modified": 100000000000000000005,
+      "issuerName": "MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E=",
+      "serialNumber": "exJUIJpq50jgqOwQluhVrAzTF74="
+    },` +
+  // These items correspond to an entry in sample_revocations.txt where:
+  // isser name is "another imaginary issuer" base-64 encoded, and
+  // serialNumbers are:
+  // "serial2." base-64 encoded, and
+  // "another serial." base-64 encoded
+  // We need this to ensure that existing items are retained if they're
+  // also in the blocklist
+  ` {
+      "id": "7",
+      "last_modified": 100000000000000000006,
+      "issuerName": "YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy",
+      "serialNumber": "c2VyaWFsMi4="
+    },` +
+  ` {
+      "id": "8",
+      "last_modified": 100000000000000000006,
+      "issuerName": "YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy",
+      "serialNumber": "YW5vdGhlciBzZXJpYWwu"
+    },` +
+  // This item revokes same-issuer-ee.pem by subject and pubKeyHash.
+  ` {
+      "id": "9",
+      "last_modified": 100000000000000000007,
+      "subject": "MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5",
+      "pubKeyHash": "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8="
+    }
+  ]
+}`;
 
-
-var blocklists = {
-  "/initialBlocklist/": initialBlocklist,
-  "/updatedBlocklist/": updatedBlocklist
-};
-
-function serveResponse(request, response) {
-  do_print("Serving for path " + request.path + "\n");
-  response.write(blocklists[request.path]);
+function serveResponse(body) {
+  return (req, response) => {
+    response.setStatusLine(null, 200, "OK");
+    response.write(body);
+  };
 }
 
-for (var path in blocklists) {
-  testserver.registerPathHandler(path, serveResponse);
-}
+testserver.registerPathHandler("/v1/",
+                               serveResponse(kintoHelloViewJSON));
+testserver.registerPathHandler("/v1/buckets/monitor/collections/changes/records",
+                               serveResponse(kintoChangesJSON));
+testserver.registerPathHandler("/v1/buckets/blocklists/collections/certificates",
+                               serveResponse(certMetadataJSON));
+testserver.registerPathHandler("/v1/buckets/blocklists/collections/certificates/records",
+                               serveResponse(certBlocklistJSON));
 
 // start the test server
 testserver.start(-1);
@@ -172,21 +202,28 @@ function test_is_revoked(certList, issuerString, serialString, subjectString,
                                 pubKeyString ? pubKeyString.length : 0);
 }
 
-function fetch_blocklist(blocklistPath) {
-  do_print("path is " + blocklistPath + "\n");
-  let certblockObserver = {
-    observe(aSubject, aTopic, aData) {
-      Services.obs.removeObserver(this, "blocklist-updated");
-      run_next_test();
-    }
-  };
-
-  Services.obs.addObserver(certblockObserver, "blocklist-updated");
+function fetch_blocklist() {
+  Services.prefs.setBoolPref("services.blocklist.load_dump", false);
+  Services.prefs.setBoolPref("services.blocklist.signing.enforced", false);
+  Services.prefs.setCharPref("services.settings.server",
+                             `http://localhost:${port}/v1`);
   Services.prefs.setCharPref("extensions.blocklist.url",
-                              `http://localhost:${port}/${blocklistPath}`);
+                              `http://localhost:${port}/blocklist.xml`);
   let blocklist = Cc["@mozilla.org/extensions/blocklist;1"]
                     .getService(Ci.nsITimerCallback);
-  blocklist.notify(null);
+
+  return new Promise((resolve) => {
+    let certblockObserver = {
+      observe(aSubject, aTopic, aData) {
+        Services.obs.removeObserver(this, "blocklist-updater-versions-checked");
+        resolve();
+      }
+    };
+
+    Services.obs.addObserver(certblockObserver, "blocklist-updater-versions-checked");
+
+    blocklist.notify(null);
+  });
 }
 
 function* generate_revocations_txt_lines() {
@@ -264,19 +301,15 @@ function run_test() {
 
   let expected = { "MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5":
                      { "\tVCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=": true },
-                   "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=":
-                     { " BVio/iQ21GCi2iUven8oJ/gae74=": true },
                    "MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E=":
-                     { " exJUIJpq50jgqOwQluhVrAzTF74=": true },
+                     { " exJUIJpq50jgqOwQluhVrAzTF74=": true},
+                   "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=":
+                     { " BVio/iQ21GCi2iUven8oJ/gae74=": true},
                    "YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy":
                      { " YW5vdGhlciBzZXJpYWwu": true,
                        " c2VyaWFsMi4=": true }
                  };
 
-  // This test assumes OneCRL updates via AMO
-  Services.prefs.setBoolPref(PREF_BLOCKLIST_UPDATE_ENABLED, false);
-  Services.prefs.setBoolPref(PREF_ONECRL_VIA_AMO, true);
-
   add_test(function () {
     // check some existing items in revocations.txt are blocked. Since the
     // CertBlocklistItems don't know about the data they contain, we can use
@@ -320,14 +353,14 @@ function run_test() {
   });
 
   // blocklist load is async so we must use add_test from here
-  add_test(function() {
-    fetch_blocklist("initialBlocklist/");
+  add_task(function* () {
+    yield fetch_blocklist();
   });
 
   add_test(function() {
     // The blocklist will be loaded now. Let's check the data is sane.
     // In particular, we should still have the revoked issuer / serial pair
-    // that was in both revocations.txt and the blocklist.xml
+    // that was in both revocations.txt and the blocklist.
     ok(test_is_revoked(certList, "another imaginary issuer", "serial2."),
       "issuer / serial pair should be blocked");
 
@@ -383,13 +416,6 @@ function run_test() {
     run_next_test();
   });
 
-  // disable AMO cert blocklist - and check blocklist.xml changes do not
-  // affect the data stored.
-  add_test(function() {
-    Services.prefs.setBoolPref("security.onecrl.via.amo", false);
-    fetch_blocklist("updatedBlocklist/");
-  });
-
   add_test(function() {
     // Check the blocklist entry has not changed
     check_revocations_txt_contents(expected);
diff --git a/security/manager/ssl/tests/unit/test_ev_certs.js b/security/manager/ssl/tests/unit/test_ev_certs.js
index 64cb62b7bf17..a58aba06bf77 100644
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -279,10 +279,8 @@ add_task(async function oneCRLTests() {
   await ensureVerifiesAsEV("test-oid-path");
 
   clearOCSPCache();
-  // test that setting "security.onecrl.via.amo" results in the correct
-  // OCSP behavior when services.blocklist.onecrl.checked is in the distant past
-  // and blacklist-background-update-timer is recent
-  Services.prefs.setBoolPref("security.onecrl.via.amo", false);
+  // test the OCSP behavior when services.blocklist.onecrl.checked is in the
+  // distant past and blacklist-background-update-timer is recent
   // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
   Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
                             108000);
@@ -297,9 +295,7 @@ add_task(async function oneCRLTests() {
   await ensureVerifiesAsEV("test-oid-path");
 
   clearOCSPCache();
-  // test that setting "security.onecrl.via.amo" results in the correct
-  // OCSP behavior when services.blocklist.onecrl.checked is recent
-  Services.prefs.setBoolPref("security.onecrl.via.amo", false);
+  // test the OCSP behavior when services.blocklist.onecrl.checked is recent
   // enable OneCRL OCSP skipping - allow staleness of up to 30 hours
   Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
                             108000);
@@ -310,7 +306,6 @@ add_task(async function oneCRLTests() {
   await ensureOneCRLSkipsOCSPForIntermediates("no-ocsp-int-path");
   await ensureOneCRLSkipsOCSPForIntermediates("test-oid-path");
 
-  Services.prefs.clearUserPref("security.onecrl.via.amo");
   Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
   Services.prefs.clearUserPref("services.blocklist.onecrl.checked");
   Services.prefs.clearUserPref(
diff --git a/services/common/blocklist-updater.js b/services/common/blocklist-updater.js
index 8dbb89870382..3fb5d7031d91 100644
--- a/services/common/blocklist-updater.js
+++ b/services/common/blocklist-updater.js
@@ -18,6 +18,7 @@ const PREF_BLOCKLIST_CHANGES_PATH       = "services.blocklist.changes.path";
 const PREF_BLOCKLIST_LAST_UPDATE        = "services.blocklist.last_update_seconds";
 const PREF_BLOCKLIST_LAST_ETAG          = "services.blocklist.last_etag";
 const PREF_BLOCKLIST_CLOCK_SKEW_SECONDS = "services.blocklist.clock_skew_seconds";
+const PREF_BLOCKLIST_LOAD_DUMP          = "services.blocklist.load_dump";
 
 // Telemetry update source identifier.
 const TELEMETRY_HISTOGRAM_KEY = "settings-changes-monitoring";
@@ -177,4 +178,6 @@ this.checkVersions = async function() {
   if (currentEtag) {
     Services.prefs.setCharPref(PREF_BLOCKLIST_LAST_ETAG, currentEtag);
   }
+
+  Services.obs.notifyObservers(null, "blocklist-updater-versions-checked");
 };
diff --git a/services/common/tests/unit/test_blocklist_updater.js b/services/common/tests/unit/test_blocklist_updater.js
index ce8e58ac74c2..4924b3809b78 100644
--- a/services/common/tests/unit/test_blocklist_updater.js
+++ b/services/common/tests/unit/test_blocklist_updater.js
@@ -71,8 +71,22 @@ add_task(async function test_check_maybeSync() {
 
   const startHistogram = getUptakeTelemetrySnapshot(TELEMETRY_HISTOGRAM_KEY);
 
+  let notificationObserved = false;
+
+  // Ensure that the blocklist-updater-versions-checked notification works
+  let certblockObserver = {
+    observe(aSubject, aTopic, aData) {
+      Services.obs.removeObserver(this, "blocklist-updater-versions-checked");
+      notificationObserved = true;
+    }
+  };
+
+  Services.obs.addObserver(certblockObserver, "blocklist-updater-versions-checked");
+
   await updater.checkVersions();
 
+  do_check_true(notificationObserved, "a notification should have been observed");
+
   // check the last_update is updated
   do_check_eq(Services.prefs.getIntPref(PREF_LAST_UPDATE), 2);
 
@@ -110,13 +124,16 @@ add_task(async function test_check_maybeSync() {
   }
   server.registerPathHandler(changesPath, simulateErrorResponse);
 
-  // checkVersions() fails with adequate error.
+  // checkVersions() fails with adequate error and no notification.
   let error;
+  notificationObserved = false;
+  Services.obs.addObserver(certblockObserver, "blocklist-updater-versions-checked");
   try {
     await updater.checkVersions();
   } catch (e) {
     error = e;
   }
+  do_check_false(notificationObserved, "a notification should not have been observed");
   do_check_true(/Polling for changes failed/.test(error.message));
   // When an error occurs, last update was not overwritten (see Date header above).
   do_check_eq(Services.prefs.getIntPref(PREF_LAST_UPDATE), 2);
diff --git a/toolkit/mozapps/extensions/nsBlocklistService.js b/toolkit/mozapps/extensions/nsBlocklistService.js
index a28331a1aceb..c20c2169ba7d 100644
--- a/toolkit/mozapps/extensions/nsBlocklistService.js
+++ b/toolkit/mozapps/extensions/nsBlocklistService.js
@@ -51,7 +51,6 @@ const PREF_BLOCKLIST_LEVEL            = "extensions.blocklist.level";
 const PREF_BLOCKLIST_PINGCOUNTTOTAL   = "extensions.blocklist.pingCountTotal";
 const PREF_BLOCKLIST_PINGCOUNTVERSION = "extensions.blocklist.pingCountVersion";
 const PREF_BLOCKLIST_SUPPRESSUI       = "extensions.blocklist.suppressUI";
-const PREF_ONECRL_VIA_AMO             = "security.onecrl.via.amo";
 const PREF_BLOCKLIST_UPDATE_ENABLED   = "services.blocklist.update_enabled";
 const PREF_APP_DISTRIBUTION           = "distribution.id";
 const PREF_APP_DISTRIBUTION_VERSION   = "distribution.version";
@@ -81,10 +80,6 @@ XPCOMUtils.defineLazyServiceGetter(this, "gVersionChecker",
                                    "@mozilla.org/xpcom/version-comparator;1",
                                    "nsIVersionComparator");
 
-XPCOMUtils.defineLazyServiceGetter(this, "gCertBlocklistService",
-                                   "@mozilla.org/security/certblocklist;1",
-                                   "nsICertBlocklist");
-
 XPCOMUtils.defineLazyGetter(this, "gPref", function() {
   return Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefService).
          QueryInterface(Ci.nsIPrefBranch);
@@ -910,8 +905,6 @@ Blocklist.prototype = {
         return;
       }
 
-      var populateCertBlocklist = getPref("getBoolPref", PREF_ONECRL_VIA_AMO, true);
-
       var childNodes = doc.documentElement.childNodes;
       for (let element of childNodes) {
         if (!(element instanceof Ci.nsIDOMElement))
@@ -925,12 +918,6 @@ Blocklist.prototype = {
           this._pluginEntries = this._processItemNodes(element.childNodes, "pluginItem",
                                                        this._handlePluginItemNode);
           break;
-        case "certItems":
-          if (populateCertBlocklist) {
-            this._processItemNodes(element.childNodes, "certItem",
-                                   this._handleCertItemNode.bind(this));
-          }
-          break;
         case "gfxItems":
           // Parse as simple list of objects.
           this._gfxEntries = this._processItemNodes(element.childNodes, "gfxBlacklistEntry",
@@ -940,9 +927,6 @@ Blocklist.prototype = {
           LOG("Blocklist::_loadBlocklistFromString: ignored entries " + element.localName);
         }
       }
-      if (populateCertBlocklist) {
-        gCertBlocklistService.saveEntries();
-      }
       if (this._gfxEntries.length > 0) {
         this._notifyObserversBlocklistGFX();
       }
@@ -964,33 +948,6 @@ Blocklist.prototype = {
     return result;
   },
 
-  _handleCertItemNode(blocklistElement, result) {
-    let issuer = blocklistElement.getAttribute("issuerName");
-    if (issuer) {
-      for (let snElement of blocklistElement.children) {
-        try {
-          gCertBlocklistService.revokeCertByIssuerAndSerial(issuer, snElement.textContent);
-        } catch (e) {
-          // we want to keep trying other elements since missing all items
-          // is worse than missing one
-          LOG("Blocklist::_handleCertItemNode: Error adding revoked cert by Issuer and Serial" + e);
-        }
-      }
-      return;
-    }
-
-    let pubKeyHash = blocklistElement.getAttribute("pubKeyHash");
-    let subject = blocklistElement.getAttribute("subject");
-
-    if (pubKeyHash && subject) {
-      try {
-        gCertBlocklistService.revokeCertBySubjectAndPubKey(subject, pubKeyHash);
-      } catch (e) {
-        LOG("Blocklist::_handleCertItemNode: Error adding revoked cert by Subject and PubKey" + e);
-      }
-    }
-  },
-
   _handleEmItemNode(blocklistElement, result) {
     if (!matchesOSABI(blocklistElement))
       return;
diff --git a/toolkit/mozapps/extensions/test/xpcshell/test_blocklist_regexp.js b/toolkit/mozapps/extensions/test/xpcshell/test_blocklist_regexp.js
index bd220451424b..3ef39be6e757 100644
--- a/toolkit/mozapps/extensions/test/xpcshell/test_blocklist_regexp.js
+++ b/toolkit/mozapps/extensions/test/xpcshell/test_blocklist_regexp.js
@@ -64,12 +64,8 @@ function load_blocklist(aFile, aCallback) {
                              gPort + "/data/" + aFile);
   var blocklist = Cc["@mozilla.org/extensions/blocklist;1"].
                   getService(Ci.nsITimerCallback);
-  // if we're not using the blocklist.xml for certificate blocklist state,
-  // ensure that kinto update is enabled
-  if (!Services.prefs.getBoolPref("security.onecrl.via.amo")) {
-    ok(Services.prefs.getBoolPref("services.blocklist.update_enabled"),
-                                  "Kinto update should be enabled");
-  }
+  ok(Services.prefs.getBoolPref("services.blocklist.update_enabled"),
+                                "Kinto update should be enabled");
   blocklist.notify(null);
 }