bug 985201 - rename insanity::pkix to mozilla::pkix r=cviecco r=briansmith

--HG--
rename : security/insanity/include/insanity/ScopedPtr.h => security/pkix/include/pkix/ScopedPtr.h
rename : security/insanity/include/insanity/bind.h => security/pkix/include/pkix/bind.h
rename : security/insanity/include/insanity/nullptr.h => security/pkix/include/pkix/nullptr.h
rename : security/insanity/include/insanity/pkix.h => security/pkix/include/pkix/pkix.h
rename : security/insanity/include/insanity/pkixtypes.h => security/pkix/include/pkix/pkixtypes.h
rename : security/insanity/lib/pkixbind.cpp => security/pkix/lib/pkixbind.cpp
rename : security/insanity/lib/pkixbuild.cpp => security/pkix/lib/pkixbuild.cpp
rename : security/insanity/lib/pkixcheck.cpp => security/pkix/lib/pkixcheck.cpp
rename : security/insanity/lib/pkixcheck.h => security/pkix/lib/pkixcheck.h
rename : security/insanity/lib/pkixder.cpp => security/pkix/lib/pkixder.cpp
rename : security/insanity/lib/pkixder.h => security/pkix/lib/pkixder.h
rename : security/insanity/lib/pkixkey.cpp => security/pkix/lib/pkixkey.cpp
rename : security/insanity/lib/pkixocsp.cpp => security/pkix/lib/pkixocsp.cpp
rename : security/insanity/lib/pkixutil.h => security/pkix/lib/pkixutil.h
rename : security/insanity/moz.build => security/pkix/moz.build
rename : security/insanity/test/lib/moz.build => security/pkix/test/lib/moz.build
rename : security/insanity/test/lib/pkixtestutil.cpp => security/pkix/test/lib/pkixtestutil.cpp
rename : security/insanity/test/lib/pkixtestutil.h => security/pkix/test/lib/pkixtestutil.h
David Keeler 2014-03-20 14:29:21 -07:00
parent bf52860243
commit b1405bc489
65 changed files with 430 additions and 429 deletions


@ -10,7 +10,7 @@
#include "nsNSSCertificateDB.h"
#include "insanity/pkix.h"
#include "pkix/pkix.h"
#include "mozilla/RefPtr.h"
#include "CryptoTask.h"
#include "AppTrustDomain.h"
@ -33,7 +33,7 @@
#include "plstr.h"
#include "prlog.h"
using namespace insanity::pkix;
using namespace mozilla::pkix;
using namespace mozilla;
using namespace mozilla::psm;
@ -525,9 +525,9 @@ ParseMF(const char* filebuf, nsIZipReader * zip,
nsresult
VerifySignature(AppTrustedRoot trustedRoot,
const SECItem& buffer, const SECItem& detachedDigest,
/*out*/ insanity::pkix::ScopedCERTCertList& builtChain)
/*out*/ mozilla::pkix::ScopedCERTCertList& builtChain)
{
insanity::pkix::ScopedPtr<NSSCMSMessage, NSS_CMSMessage_Destroy>
mozilla::pkix::ScopedPtr<NSSCMSMessage, NSS_CMSMessage_Destroy>
cmsMsg(NSS_CMSMessage_CreateFromDER(const_cast<SECItem*>(&buffer), nullptr,
nullptr, nullptr, nullptr, nullptr,
nullptr));
@ -560,13 +560,13 @@ VerifySignature(AppTrustedRoot trustedRoot,
// Parse the certificates into CERTCertificate objects held in memory, so that
// AppTrustDomain will be able to find them during path building.
insanity::pkix::ScopedCERTCertList certs(CERT_NewCertList());
mozilla::pkix::ScopedCERTCertList certs(CERT_NewCertList());
if (!certs) {
return NS_ERROR_OUT_OF_MEMORY;
}
if (signedData->rawCerts) {
for (size_t i = 0; signedData->rawCerts[i]; ++i) {
insanity::pkix::ScopedCERTCertificate
mozilla::pkix::ScopedCERTCertificate
cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
signedData->rawCerts[i], nullptr, false,
true));
@ -666,7 +666,7 @@ OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
}
sigBuffer.type = siBuffer;
insanity::pkix::ScopedCERTCertList builtChain;
mozilla::pkix::ScopedCERTCertList builtChain;
rv = VerifySignature(aTrustedRoot, sigBuffer, sfCalculatedDigest.get(),
builtChain);
if (NS_FAILED(rv)) {


@ -10,7 +10,7 @@
#include "AppTrustDomain.h"
#include "certdb.h"
#include "insanity/pkix.h"
#include "pkix/pkix.h"
#include "mozilla/ArrayUtils.h"
#include "nsIX509CertDB.h"
#include "prerror.h"
@ -23,7 +23,7 @@
#include "marketplace-dev-reviewers.inc"
#include "xpcshell.inc"
using namespace insanity::pkix;
using namespace mozilla::pkix;
#ifdef PR_LOGGING
extern PRLogModuleInfo* gPIPNSSLog;
@ -88,7 +88,7 @@ AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot)
SECStatus
AppTrustDomain::FindPotentialIssuers(const SECItem* encodedIssuerName,
PRTime time,
/*out*/ insanity::pkix::ScopedCERTCertList& results)
/*out*/ mozilla::pkix::ScopedCERTCertList& results)
{
MOZ_ASSERT(mTrustedRoot);
if (!mTrustedRoot) {
@ -168,7 +168,7 @@ SECStatus
AppTrustDomain::VerifySignedData(const CERTSignedData* signedData,
const CERTCertificate* cert)
{
return ::insanity::pkix::VerifySignedData(signedData, cert, mPinArg);
return ::mozilla::pkix::VerifySignedData(signedData, cert, mPinArg);
}
SECStatus


@ -7,37 +7,37 @@
#ifndef mozilla_psm_AppsTrustDomain_h
#define mozilla_psm_AppsTrustDomain_h
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "nsDebug.h"
#include "nsIX509CertDB.h"
namespace mozilla { namespace psm {
class AppTrustDomain MOZ_FINAL : public insanity::pkix::TrustDomain
class AppTrustDomain MOZ_FINAL : public mozilla::pkix::TrustDomain
{
public:
AppTrustDomain(void* pinArg);
SECStatus SetTrustedRoot(AppTrustedRoot trustedRoot);
SECStatus GetCertTrust(insanity::pkix::EndEntityOrCA endEntityOrCA,
SECStatus GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
SECOidTag policy,
const CERTCertificate* candidateCert,
/*out*/ TrustLevel* trustLevel) MOZ_OVERRIDE;
SECStatus FindPotentialIssuers(const SECItem* encodedIssuerName,
PRTime time,
/*out*/ insanity::pkix::ScopedCERTCertList& results)
/*out*/ mozilla::pkix::ScopedCERTCertList& results)
MOZ_OVERRIDE;
SECStatus VerifySignedData(const CERTSignedData* signedData,
const CERTCertificate* cert) MOZ_OVERRIDE;
SECStatus CheckRevocation(insanity::pkix::EndEntityOrCA endEntityOrCA,
SECStatus CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA,
const CERTCertificate* cert,
/*const*/ CERTCertificate* issuerCertToDup,
PRTime time,
/*optional*/ const SECItem* stapledOCSPresponse);
private:
void* mPinArg; // non-owning!
insanity::pkix::ScopedCERTCertificate mTrustedRoot;
mozilla::pkix::ScopedCERTCertificate mTrustedRoot;
};
} } // namespace mozilla::psm


@ -16,8 +16,8 @@ FINAL_LIBRARY = 'xul'
LOCAL_INCLUDES += [
'../certverifier',
'../insanity/include',
'../manager/ssl/src',
'../pkix/include',
]
DEFINES['NSS_ENABLE_ECC'] = 'True'


@ -8,7 +8,7 @@
#include <stdint.h>
#include "insanity/pkix.h"
#include "pkix/pkix.h"
#include "ExtendedValidation.h"
#include "NSSCertDBTrustDomain.h"
#include "cert.h"
@ -17,9 +17,9 @@
#include "prerror.h"
#include "sslerr.h"
// ScopedXXX in this file are insanity::pkix::ScopedXXX, not
// ScopedXXX in this file are mozilla::pkix::ScopedXXX, not
// mozilla::ScopedXXX.
using namespace insanity::pkix;
using namespace mozilla::pkix;
using namespace mozilla::psm;
#ifdef PR_LOGGING
@ -65,7 +65,7 @@ InitCertVerifierLog()
}
#if 0
// Once we migrate to insanity::pkix or change the overridable error
// Once we migrate to mozilla::pkix or change the overridable error
// logic this will become unnecesary.
static SECStatus
insertErrorIntoVerifyLog(CERTCertificate* cert, const PRErrorCode err,
@ -223,17 +223,17 @@ BuildCertChainForOneKeyUsage(TrustDomain& trustDomain, CERTCertificate* cert,
}
SECStatus
CertVerifier::InsanityVerifyCert(
CertVerifier::MozillaPKIXVerifyCert(
CERTCertificate* cert,
const SECCertificateUsage usage,
const PRTime time,
void* pinArg,
const Flags flags,
/*optional*/ const SECItem* stapledOCSPResponse,
/*optional out*/ insanity::pkix::ScopedCERTCertList* validationChain,
/*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
/*optional out*/ SECOidTag* evOidPolicy)
{
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of InsanityVerifyCert\n"));
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, ("Top of MozillaPKIXVerifyCert\n"));
PR_ASSERT(cert);
PR_ASSERT(usage == certificateUsageSSLServer || !(flags & FLAG_MUST_BE_EV));
@ -267,7 +267,7 @@ CertVerifier::InsanityVerifyCert(
// TODO(bug 915931): Pass in stapled OCSP response in all calls to
// BuildCertChain.
insanity::pkix::ScopedCERTCertList builtChain;
mozilla::pkix::ScopedCERTCertList builtChain;
switch (usage) {
case certificateUsageSSLClient: {
// XXX: We don't really have a trust bit for SSL client authentication so
@ -389,8 +389,8 @@ CertVerifier::InsanityVerifyCert(
// by the implementation of window.crypto.importCertificates and in the
// certificate viewer UI. Because we don't know what trust bit is
// interesting, we just try them all.
insanity::pkix::EndEntityOrCA endEntityOrCA;
insanity::pkix::KeyUsages keyUsage;
mozilla::pkix::EndEntityOrCA endEntityOrCA;
mozilla::pkix::KeyUsages keyUsage;
SECOidTag eku;
if (usage == certificateUsageVerifyCA) {
endEntityOrCA = MustBeCA;
@ -449,10 +449,10 @@ CertVerifier::VerifyCert(CERTCertificate* cert,
/*optional out*/ SECOidTag* evOidPolicy,
/*optional out*/ CERTVerifyLog* verifyLog)
{
if (mImplementation == insanity) {
return InsanityVerifyCert(cert, usage, time, pinArg, flags,
stapledOCSPResponse, validationChain,
evOidPolicy);
if (mImplementation == mozillapkix) {
return MozillaPKIXVerifyCert(cert, usage, time, pinArg, flags,
stapledOCSPResponse, validationChain,
evOidPolicy);
}
if (!cert)
@ -799,7 +799,7 @@ CertVerifier::VerifySSLServerCert(CERTCertificate* peerCert,
/*optional*/ void* pinarg,
const char* hostname,
bool saveIntermediatesInPermanentDatabase,
/*optional out*/ insanity::pkix::ScopedCERTCertList* certChainOut,
/*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut,
/*optional out*/ SECOidTag* evOidPolicy)
{
PR_ASSERT(peerCert);


@ -7,7 +7,7 @@
#ifndef mozilla_psm__CertVerifier_h
#define mozilla_psm__CertVerifier_h
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "OCSPCache.h"
namespace mozilla { namespace psm {
@ -29,7 +29,7 @@ public:
const PRTime time,
void* pinArg,
const Flags flags = 0,
/*optional out*/ insanity::pkix::ScopedCERTCertList* validationChain = nullptr,
/*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr,
/*optional out*/ SECOidTag* evOidPolicy = nullptr ,
/*optional out*/ CERTVerifyLog* verifyLog = nullptr);
@ -40,7 +40,7 @@ public:
/*optional*/ void* pinarg,
const char* hostname,
bool saveIntermediatesInPermanentDatabase = false,
/*optional out*/ insanity::pkix::ScopedCERTCertList* certChainOut = nullptr,
/*optional out*/ mozilla::pkix::ScopedCERTCertList* certChainOut = nullptr,
/*optional out*/ SECOidTag* evOidPolicy = nullptr);
@ -49,7 +49,7 @@ public:
#ifndef NSS_NO_LIBPKIX
libpkix = 1,
#endif
insanity = 2
mozillapkix = 2
};
enum missing_cert_download_config { missing_cert_download_off = 0, missing_cert_download_on };
@ -80,13 +80,13 @@ public:
const bool mOCSPGETEnabled;
private:
SECStatus InsanityVerifyCert(CERTCertificate* cert,
SECStatus MozillaPKIXVerifyCert(CERTCertificate* cert,
const SECCertificateUsage usage,
const PRTime time,
void* pinArg,
const Flags flags,
/*optional*/ const SECItem* stapledOCSPResponse,
/*optional out*/ insanity::pkix::ScopedCERTCertList* validationChain,
/*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
/*optional out*/ SECOidTag* evOidPolicy);
OCSPCache mOCSPCache;
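Review bot: The `mozillapkix = 2` enumerator keeps its explicit numeric value through the rename, but nothing at the declaration says the numbers are meant to stay fixed. Because `libpkix = 1` is compiled out under `NSS_NO_LIBPKIX`, the values are evidently not just sequential labels; if `mImplementation` is ever populated from a stored or configured integer (not visible in these hunks), a later renumbering would silently select a different certificate verifier. I would add a comment above the enumerators such as `// Numeric values are fixed; enumerators may be renamed but must never be renumbered.` The enum's opening line is outside the hunk.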


@ -9,7 +9,7 @@
#include "cert.h"
#include "certdb.h"
#include "base64.h"
#include "insanity/nullptr.h"
#include "pkix/nullptr.h"
#include "pk11pub.h"
#include "secerr.h"
#include "prerror.h"


@ -10,7 +10,7 @@
#include "ExtendedValidation.h"
#include "certdb.h"
#include "insanity/pkix.h"
#include "pkix/pkix.h"
#include "mozilla/Telemetry.h"
#include "nss.h"
#include "ocsp.h"
@ -21,7 +21,7 @@
#include "secerr.h"
#include "secmod.h"
using namespace insanity::pkix;
using namespace mozilla::pkix;
#ifdef PR_LOGGING
extern PRLogModuleInfo* gCertVerifierLog;
@ -53,7 +53,7 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
SECStatus
NSSCertDBTrustDomain::FindPotentialIssuers(
const SECItem* encodedIssuerName, PRTime time,
/*out*/ insanity::pkix::ScopedCERTCertList& results)
/*out*/ mozilla::pkix::ScopedCERTCertList& results)
{
// TODO: normalize encodedIssuerName
// TODO: NSS seems to be ambiguous between "no potential issuers found" and
@ -131,12 +131,12 @@ SECStatus
NSSCertDBTrustDomain::VerifySignedData(const CERTSignedData* signedData,
const CERTCertificate* cert)
{
return ::insanity::pkix::VerifySignedData(signedData, cert, mPinArg);
return ::mozilla::pkix::VerifySignedData(signedData, cert, mPinArg);
}
SECStatus
NSSCertDBTrustDomain::CheckRevocation(
insanity::pkix::EndEntityOrCA endEntityOrCA,
mozilla::pkix::EndEntityOrCA endEntityOrCA,
const CERTCertificate* cert,
/*const*/ CERTCertificate* issuerCert,
PRTime time,
@ -146,7 +146,7 @@ NSSCertDBTrustDomain::CheckRevocation(
// GetCertTrust.
// TODO: need to verify that IsRevoked isn't called for trust anchors AND
// that that fact is documented in insanity.
// that that fact is documented in mozillapkix.
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
("NSSCertDBTrustDomain: Top of CheckRevocation\n"));


@ -7,7 +7,7 @@
#ifndef mozilla_psm__NSSCertDBTrustDomain_h
#define mozilla_psm__NSSCertDBTrustDomain_h
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "secmodt.h"
#include "CertVerifier.h"
@ -43,9 +43,9 @@ SetClassicOCSPBehavior(CertVerifier::ocsp_download_config enabled,
// Caller must free the result with PR_Free
char* DefaultServerNicknameForCert(CERTCertificate* cert);
void SaveIntermediateCerts(const insanity::pkix::ScopedCERTCertList& certList);
void SaveIntermediateCerts(const mozilla::pkix::ScopedCERTCertList& certList);
class NSSCertDBTrustDomain : public insanity::pkix::TrustDomain
class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain
{
public:
@ -62,9 +62,9 @@ public:
virtual SECStatus FindPotentialIssuers(
const SECItem* encodedIssuerName,
PRTime time,
/*out*/ insanity::pkix::ScopedCERTCertList& results);
/*out*/ mozilla::pkix::ScopedCERTCertList& results);
virtual SECStatus GetCertTrust(insanity::pkix::EndEntityOrCA endEntityOrCA,
virtual SECStatus GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
SECOidTag policy,
const CERTCertificate* candidateCert,
/*out*/ TrustLevel* trustLevel);
@ -72,7 +72,7 @@ public:
virtual SECStatus VerifySignedData(const CERTSignedData* signedData,
const CERTCertificate* cert);
virtual SECStatus CheckRevocation(insanity::pkix::EndEntityOrCA endEntityOrCA,
virtual SECStatus CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA,
const CERTCertificate* cert,
/*const*/ CERTCertificate* issuerCert,
PRTime time,


@ -28,14 +28,14 @@ extern PRLogModuleInfo* gCertVerifierLog;
namespace mozilla { namespace psm {
void
Insanity_PK11_DestroyContext_true(PK11Context* context)
MozillaPKIX_PK11_DestroyContext_true(PK11Context* context)
{
PK11_DestroyContext(context, true);
}
typedef insanity::pkix::ScopedPtr<PK11Context,
Insanity_PK11_DestroyContext_true>
ScopedPK11Context;
typedef mozilla::pkix::ScopedPtr<PK11Context,
MozillaPKIX_PK11_DestroyContext_true>
ScopedPK11Context;
// Let derIssuer be the DER encoding of the issuer of aCert.
// Let derPublicKey be the DER encoding of the public key of aIssuerCert.
@ -138,9 +138,9 @@ OCSPCache::LogWithCerts(const char* aMessage, const CERTCertificate* aCert,
{
#ifdef PR_LOGGING
if (PR_LOG_TEST(gCertVerifierLog, PR_LOG_DEBUG)) {
insanity::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string>
mozilla::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string>
cn(CERT_GetCommonName(&aCert->subject));
insanity::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string>
mozilla::pkix::ScopedPtr<char, mozilla::psm::PORT_Free_string>
cnIssuer(CERT_GetCommonName(&aIssuerCert->subject));
PR_LOG(gCertVerifierLog, PR_LOG_DEBUG, (aMessage, cn.get(), cnIssuer.get()));
}
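Review bot: `OCSPCache::LogWithCerts` passes `aMessage` to `PR_LOG` as the format string with two string arguments, and that contract is not documented in the visible lines. A caller whose message has a different number or kind of conversions would make the logger read mismatched varargs, so the requirement should be written down where the function is defined. I would add above the function `// aMessage must be a string literal containing exactly two %s conversions: subject CN, then issuer CN.` The function's signature and closing brace are outside this hunk.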


@ -20,7 +20,7 @@
#include "certt.h"
#include "hasht.h"
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "mozilla/Mutex.h"
#include "mozilla/Vector.h"
#include "prerror.h"


@ -16,11 +16,11 @@ if not CONFIG['NSS_NO_EV_CERTS']:
]
LOCAL_INCLUDES += [
'../insanity/include',
'../pkix/include',
]
DIRS += [
'../insanity',
'../pkix',
]
FAIL_ON_WARNINGS = True


@ -96,7 +96,7 @@
#include <cstring>
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "CertVerifier.h"
#include "CryptoTask.h"
#include "ExtendedValidation.h"
@ -314,13 +314,13 @@ MapCertErrorToProbeValue(PRErrorCode errorCode)
}
SECStatus
InsanityDetermineCertOverrideErrors(CERTCertificate* cert,
const char* hostName, PRTime now,
PRErrorCode defaultErrorCodeToReport,
/*out*/ uint32_t& collectedErrors,
/*out*/ PRErrorCode& errorCodeTrust,
/*out*/ PRErrorCode& errorCodeMismatch,
/*out*/ PRErrorCode& errorCodeExpired)
MozillaPKIXDetermineCertOverrideErrors(CERTCertificate* cert,
const char* hostName, PRTime now,
PRErrorCode defaultErrorCodeToReport,
/*out*/ uint32_t& collectedErrors,
/*out*/ PRErrorCode& errorCodeTrust,
/*out*/ PRErrorCode& errorCodeMismatch,
/*out*/ PRErrorCode& errorCodeExpired)
{
MOZ_ASSERT(cert);
MOZ_ASSERT(hostName);
@ -329,7 +329,7 @@ InsanityDetermineCertOverrideErrors(CERTCertificate* cert,
MOZ_ASSERT(errorCodeMismatch == 0);
MOZ_ASSERT(errorCodeExpired == 0);
// Assumes the error prioritization described in insanity::pkix's
// Assumes the error prioritization described in mozilla::pkix's
// BuildForward function. Also assumes that CERT_VerifyCertName was only
// called if CertVerifier::VerifyCert succeeded.
switch (defaultErrorCodeToReport) {
@ -707,14 +707,14 @@ CreateCertErrorRunnable(CertVerifier& certVerifier,
errorCodeMismatch, errorCodeExpired);
break;
case CertVerifier::insanity:
rv = InsanityDetermineCertOverrideErrors(cert,
infoObject->GetHostNameRaw(),
now, defaultErrorCodeToReport,
collected_errors,
errorCodeTrust,
errorCodeMismatch,
errorCodeExpired);
case CertVerifier::mozillapkix:
rv = MozillaPKIXDetermineCertOverrideErrors(cert,
infoObject->GetHostNameRaw(),
now, defaultErrorCodeToReport,
collected_errors,
errorCodeTrust,
errorCodeMismatch,
errorCodeExpired);
break;
default:
@ -809,7 +809,7 @@ private:
const RefPtr<SharedCertVerifier> mCertVerifier;
const void* const mFdForLogging;
const RefPtr<TransportSecurityInfo> mInfoObject;
const insanity::pkix::ScopedCERTCertificate mCert;
const mozilla::pkix::ScopedCERTCertificate mCert;
const uint32_t mProviderFlags;
const PRTime mTime;
const TimeStamp mJobStartTime;
@ -909,7 +909,7 @@ AuthCertificate(CertVerifier& certVerifier, TransportSecurityInfo* infoObject,
SECStatus rv;
// TODO: Remove this after we switch to insanity::pkix as the
// TODO: Remove this after we switch to mozilla::pkix as the
// only option
if (certVerifier.mImplementation == CertVerifier::classic) {
if (stapledOCSPResponse) {
@ -965,7 +965,7 @@ AuthCertificate(CertVerifier& certVerifier, TransportSecurityInfo* infoObject,
bool saveIntermediates =
!(providerFlags & nsISocketProvider::NO_PERMANENT_STORAGE);
insanity::pkix::ScopedCERTCertList certList;
mozilla::pkix::ScopedCERTCertList certList;
SECOidTag evOidPolicy;
rv = certVerifier.VerifySSLServerCert(cert, stapledOCSPResponse,
time, infoObject,
@ -1090,11 +1090,11 @@ SSLServerCertVerificationJob::Run()
failureTelemetry
= Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_CLASSIC;
break;
case CertVerifier::insanity:
case CertVerifier::mozillapkix:
successTelemetry
= Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_INSANITY;
= Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
failureTelemetry
= Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_INSANITY;
= Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
break;
#ifndef NSS_NO_LIBPKIX
case CertVerifier::libpkix:
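Review bot: Renaming the telemetry IDs in the last hunk from `..._CERT_VALIDATION_TIME_INSANITY` to `..._CERT_VALIDATION_TIME_MOZILLAPKIX` breaks continuity of the certificate-validation timing data for this verifier, because values recorded after the change land under different histogram names than those recorded before it. The histogram definitions are not part of this view, so I cannot confirm they were renamed in the same commit. Any dashboard, alert or regression comparison that tracks failed-validation timing for this implementation needs to be repointed, and the break is worth recording next to the assignment, e.g. `// Probes renamed from *_INSANITY in bug 985201; earlier data is under the old names.` `SSLServerCertVerificationJob::Run` continues outside the hunk.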


@ -6,7 +6,7 @@
#include "TransportSecurityInfo.h"
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "nsNSSComponent.h"
#include "nsIWebProgressListener.h"
#include "nsNSSCertificate.h"
@ -755,7 +755,7 @@ AppendErrorTextMismatch(const nsString &host,
const char16_t *params[1];
nsresult rv;
insanity::pkix::ScopedCERTCertificate nssCert;
mozilla::pkix::ScopedCERTCertificate nssCert;
nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(ix509, &rv);
if (cert2)


@ -95,7 +95,7 @@ FINAL_LIBRARY = 'xul'
LOCAL_INCLUDES += [
'../../../certverifier',
'../../../insanity/include',
'../../../pkix/include',
]
if CONFIG['NSS_DISABLE_DBM']:


@ -6,7 +6,7 @@
#include "nsCMS.h"
#include "CertVerifier.h"
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "nsISupports.h"
#include "nsNSSHelper.h"
#include "nsNSSCertificate.h"
@ -515,7 +515,7 @@ NS_IMETHODIMP nsCMSMessage::CreateEncrypted(nsIArray * aRecipientCerts)
if (!nssRecipientCert)
return NS_ERROR_FAILURE;
insanity::pkix::ScopedCERTCertificate c(nssRecipientCert->GetCert());
mozilla::pkix::ScopedCERTCertificate c(nssRecipientCert->GetCert());
recipientCerts.set(i, c.get());
}
@ -553,7 +553,7 @@ NS_IMETHODIMP nsCMSMessage::CreateEncrypted(nsIArray * aRecipientCerts)
// Create and attach recipient information //
for (i=0; i < recipientCertCount; i++) {
insanity::pkix::ScopedCERTCertificate rc(recipientCerts.get(i));
mozilla::pkix::ScopedCERTCertificate rc(recipientCerts.get(i));
if ((recipientInfo = NSS_CMSRecipientInfo_Create(m_cmsMsg, rc.get())) == nullptr) {
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsCMSMessage::CreateEncrypted - can't create recipient info\n"));
goto loser;
@ -584,8 +584,8 @@ NS_IMETHODIMP nsCMSMessage::CreateSigned(nsIX509Cert* aSigningCert, nsIX509Cert*
NSSCMSContentInfo *cinfo;
NSSCMSSignedData *sigd;
NSSCMSSignerInfo *signerinfo;
insanity::pkix::ScopedCERTCertificate scert;
insanity::pkix::ScopedCERTCertificate ecert;
mozilla::pkix::ScopedCERTCertificate scert;
mozilla::pkix::ScopedCERTCertificate ecert;
nsCOMPtr<nsIX509Cert2> aSigningCert2 = do_QueryInterface(aSigningCert);
nsresult rv = NS_ERROR_FAILURE;


@ -6,7 +6,7 @@
#include "nsCertOverrideService.h"
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "nsIX509Cert.h"
#include "NSSCertDBTrustDomain.h"
#include "nsNSSCertificate.h"
@ -394,7 +394,7 @@ GetCertFingerprintByOidTag(nsIX509Cert *aCert,
if (!cert2)
return NS_ERROR_FAILURE;
insanity::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
if (!nsscert)
return NS_ERROR_FAILURE;
@ -432,7 +432,7 @@ GetCertFingerprintByDottedOidString(nsIX509Cert *aCert,
if (!cert2)
return NS_ERROR_FAILURE;
insanity::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
if (!nsscert)
return NS_ERROR_FAILURE;
@ -455,7 +455,7 @@ nsCertOverrideService::RememberValidityOverride(const nsACString & aHostName, in
if (!cert2)
return NS_ERROR_FAILURE;
insanity::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
mozilla::pkix::ScopedCERTCertificate nsscert(cert2->GetCert());
if (!nsscert)
return NS_ERROR_FAILURE;


@ -4,7 +4,7 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsCertPicker.h"
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "nsMemory.h"
#include "nsCOMPtr.h"
#include "nsXPIDLString.h"
@ -50,14 +50,14 @@ NS_IMETHODIMP nsCertPicker::PickByUsage(nsIInterfaceRequestor *ctx,
{
// Iterate over all certs. This assures that user is logged in to all hardware tokens.
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
insanity::pkix::ScopedCERTCertList allcerts(
mozilla::pkix::ScopedCERTCertList allcerts(
PK11_ListCerts(PK11CertListUnique, ctx));
}
/* find all user certs that are valid and for SSL */
/* note that we are allowing expired certs in this list */
insanity::pkix::ScopedCERTCertList certList(
mozilla::pkix::ScopedCERTCertList certList(
CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(),
(SECCertUsage)certUsage,
!allowDuplicateNicknames,


@ -4,7 +4,7 @@
#include "nsCertTree.h"
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "nsNSSComponent.h" // for PIPNSS string bundle calls.
#include "nsITreeColumns.h"
#include "nsIX509Cert.h"
@ -638,7 +638,7 @@ nsCertTree::GetCertsByType(uint32_t aType,
{
nsNSSShutDownPreventionLock locker;
nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
insanity::pkix::ScopedCERTCertList certList(
mozilla::pkix::ScopedCERTCertList certList(
PK11_ListCerts(PK11CertListUnique, cxt));
return GetCertsByTypeFromCertList(certList.get(), aType, aCertCmpFn,
aCertCmpFnArg);
@ -809,7 +809,7 @@ nsCertTree::DeleteEntryObject(uint32_t index)
// although there are still overrides stored,
// so, we keep the cert, but remove the trust
insanity::pkix::ScopedCERTCertificate nsscert;
mozilla::pkix::ScopedCERTCertificate nsscert;
nsCOMPtr<nsIX509Cert2> cert2 = do_QueryInterface(cert);
if (cert2) {


@ -70,7 +70,7 @@
#include "certdb.h"
#include "secmod.h"
#include "ScopedNSSTypes.h"
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "ssl.h" // For SSL_ClearSessionCache
@ -1042,7 +1042,7 @@ nsSetEscrowAuthority(CRMFCertRequest *certReq, nsKeyPairInfo *keyInfo,
CRMF_CertRequestIsControlPresent(certReq, crmfPKIArchiveOptionsControl)){
return NS_ERROR_FAILURE;
}
insanity::pkix::ScopedCERTCertificate cert(wrappingCert->GetCert());
mozilla::pkix::ScopedCERTCertificate cert(wrappingCert->GetCert());
if (!cert)
return NS_ERROR_FAILURE;
@ -1942,7 +1942,7 @@ nsCrypto::GenerateCRMFRequest(JSContext* aContext,
aRv.Throw(NS_ERROR_FAILURE);
return nullptr;
}
insanity::pkix::ScopedCERTCertificate cert(
mozilla::pkix::ScopedCERTCertificate cert(
CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
&certDer, nullptr, false, true));
if (!cert) {
@ -2211,7 +2211,7 @@ nsCertAlreadyExists(SECItem *derCert)
CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
bool retVal = false;
insanity::pkix::ScopedCERTCertificate cert(
mozilla::pkix::ScopedCERTCertificate cert(
CERT_FindCertByDERCert(handle, derCert));
if (cert) {
if (cert->isperm && !cert->nickname && !cert->emailAddr) {
@ -2373,7 +2373,7 @@ nsCrypto::ImportUserCertificates(const nsAString& aNickname,
//Import the root chain into the cert db.
{
insanity::pkix::ScopedCERTCertList
mozilla::pkix::ScopedCERTCertList
caPubs(CMMF_CertRepContentGetCAPubs(certRepContent));
if (caPubs) {
int32_t numCAs = nsCertListCount(caPubs.get());


@ -5,7 +5,7 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsNSSCallbacks.h"
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "mozilla/Telemetry.h"
#include "mozilla/TimeStamp.h"
#include "nsNSSComponent.h"
@ -1189,7 +1189,7 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
nsContentUtils::LogSimpleConsoleError(msg, "SSL");
}
insanity::pkix::ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
mozilla::pkix::ScopedCERTCertificate serverCert(SSL_PeerCertificate(fd));
/* Set the SSL Status information */
RefPtr<nsSSLStatus> status(infoObject->SSLStatus());


@ -46,7 +46,7 @@ nsNSSCertCache::CacheAllCerts()
nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
insanity::pkix::ScopedCERTCertList newList(
mozilla::pkix::ScopedCERTCertList newList(
PK11_ListCerts(PK11CertListUnique, cxt));
if (newList) {


@ -10,7 +10,7 @@
#include "prprf.h"
#include "CertVerifier.h"
#include "ExtendedValidation.h"
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "nsNSSComponent.h" // for PIPNSS string bundle calls.
#include "nsNSSCleaner.h"
#include "nsCOMPtr.h"
@ -822,7 +822,7 @@ nsNSSCertificate::GetChain(nsIArray** _rvChain)
nsresult rv;
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting chain for \"%s\"\n", mCert->nickname));
::insanity::pkix::ScopedCERTCertList nssChain;
::mozilla::pkix::ScopedCERTCertList nssChain;
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
@ -1542,7 +1542,7 @@ nsNSSCertificate::GetValidEVPolicyOid(nsACString& outDottedOid)
NS_IMPL_ISUPPORTS1(nsNSSCertList, nsIX509CertList)
nsNSSCertList::nsNSSCertList(insanity::pkix::ScopedCERTCertList& certList,
nsNSSCertList::nsNSSCertList(mozilla::pkix::ScopedCERTCertList& certList,
const nsNSSShutDownPreventionLock& proofOfLock)
{
if (certList) {


@ -19,7 +19,7 @@
#include "nsISimpleEnumerator.h"
#include "nsISerializable.h"
#include "nsIClassInfo.h"
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "certt.h"
class nsAutoString;
@ -54,7 +54,7 @@ public:
static nsNSSCertificate* ConstructFromDER(char* certDER, int derLen);
private:
insanity::pkix::ScopedCERTCertificate mCert;
mozilla::pkix::ScopedCERTCertificate mCert;
bool mPermDelete;
uint32_t mCertType;
nsresult CreateASN1Struct(nsIASN1Object** aRetVal);
@ -81,7 +81,7 @@ public:
NS_DECL_NSIX509CERTLIST
// certList is adopted
nsNSSCertList(insanity::pkix::ScopedCERTCertList& certList,
nsNSSCertList(mozilla::pkix::ScopedCERTCertList& certList,
const nsNSSShutDownPreventionLock& proofOfLock);
nsNSSCertList();
@ -94,7 +94,7 @@ private:
virtual void virtualDestroyNSSReference();
void destructorSafeDestroyNSSReference();
insanity::pkix::ScopedCERTCertList mCertList;
mozilla::pkix::ScopedCERTCertList mCertList;
nsNSSCertList(const nsNSSCertList&) MOZ_DELETE;
void operator=(const nsNSSCertList&) MOZ_DELETE;
@ -114,7 +114,7 @@ private:
virtual void virtualDestroyNSSReference();
void destructorSafeDestroyNSSReference();
insanity::pkix::ScopedCERTCertList mCertList;
mozilla::pkix::ScopedCERTCertList mCertList;
nsNSSCertListEnumerator(const nsNSSCertListEnumerator&) MOZ_DELETE;
void operator=(const nsNSSCertListEnumerator&) MOZ_DELETE;


@ -13,7 +13,7 @@
#include "CertVerifier.h"
#include "ExtendedValidation.h"
#include "NSSCertDBTrustDomain.h"
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "nsNSSComponent.h"
#include "mozilla/Base64.h"
#include "nsCOMPtr.h"
@ -113,7 +113,7 @@ nsNSSCertificateDB::FindCertByNickname(nsISupports *aToken,
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
insanity::pkix::ScopedCERTCertificate cert;
mozilla::pkix::ScopedCERTCertificate cert;
char *asciiname = nullptr;
NS_ConvertUTF16toUTF8 aUtf8Nickname(nickname);
asciiname = const_cast<char*>(aUtf8Nickname.get());
@ -159,7 +159,7 @@ nsNSSCertificateDB::FindCertByDBKey(const char *aDBkey, nsISupports *aToken,
return NS_ERROR_INVALID_ARG;
}
insanity::pkix::ScopedCERTCertificate cert;
mozilla::pkix::ScopedCERTCertificate cert;
// someday maybe we can speed up the search using the moduleID and slotID
// moduleID = NS_NSS_GET_LONG(keyItem.data);
// slotID = NS_NSS_GET_LONG(&keyItem.data[NS_NSS_LONG]);
@ -203,7 +203,7 @@ nsNSSCertificateDB::FindCertNicknames(nsISupports *aToken,
/*
* obtain the cert list from NSS
*/
insanity::pkix::ScopedCERTCertList certList;
mozilla::pkix::ScopedCERTCertList certList;
certList = PK11_ListCerts(PK11CertListUnique, nullptr);
if (!certList)
goto cleanup;
@ -358,7 +358,7 @@ nsNSSCertificateDB::handleCACertDownload(nsIArray *x509Certs,
return rv;
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
insanity::pkix::ScopedCERTCertificate tmpCert;
mozilla::pkix::ScopedCERTCertificate tmpCert;
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
tmpCert = CERT_FindCertByDERCert(certdb, &der);
if (!tmpCert) {
@ -415,7 +415,7 @@ nsNSSCertificateDB::handleCACertDownload(nsIArray *x509Certs,
// Import additional delivered certificates that can be verified.
// build a CertList for filtering
insanity::pkix::ScopedCERTCertList certList(CERT_NewCertList());
mozilla::pkix::ScopedCERTCertList certList(CERT_NewCertList());
if (!certList) {
return NS_ERROR_FAILURE;
}
@ -511,7 +511,7 @@ nsNSSCertificateDB::ImportCertificates(uint8_t * data, uint32_t length,
static
SECStatus
ImportCertsIntoPermanentStorage(
const insanity::pkix::ScopedCERTCertList& certChain,
const mozilla::pkix::ScopedCERTCertList& certChain,
const SECCertUsage usage, const PRBool caOnly)
{
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
@ -561,7 +561,7 @@ nsNSSCertificateDB::ImportEmailCertificate(uint8_t * data, uint32_t length,
nsresult nsrv = NS_OK;
CERTCertDBHandle *certdb;
CERTCertificate **certArray = nullptr;
insanity::pkix::ScopedCERTCertList certList;
mozilla::pkix::ScopedCERTCertList certList;
CERTCertListNode *node;
SECItem **rawArray;
int numcerts;
@ -632,7 +632,7 @@ nsNSSCertificateDB::ImportEmailCertificate(uint8_t * data, uint32_t length,
continue;
}
insanity::pkix::ScopedCERTCertList certChain;
mozilla::pkix::ScopedCERTCertList certChain;
SECStatus rv = certVerifier->VerifyCert(node->cert, nullptr,
certificateUsageEmailRecipient,
@ -673,7 +673,7 @@ nsNSSCertificateDB::ImportServerCertificate(uint8_t * data, uint32_t length,
SECStatus srv = SECFailure;
nsresult nsrv = NS_OK;
insanity::pkix::ScopedCERTCertificate cert;
mozilla::pkix::ScopedCERTCertificate cert;
SECItem **rawCerts = nullptr;
int numcerts;
int i;
@ -800,7 +800,7 @@ nsNSSCertificateDB::ImportValidCACertsInList(CERTCertList *certList, nsIInterfac
for (node = CERT_LIST_HEAD(certList);
!CERT_LIST_END(node,certList);
node = CERT_LIST_NEXT(node)) {
insanity::pkix::ScopedCERTCertList certChain;
mozilla::pkix::ScopedCERTCertList certChain;
SECStatus rv = certVerifier->VerifyCert(node->cert, nullptr,
certificateUsageVerifyCA,
PR_Now(), ctx, 0, &certChain);
@ -877,7 +877,7 @@ nsNSSCertificateDB::ImportUserCertificate(uint8_t *data, uint32_t length, nsIInt
SECItem *CACerts;
CERTDERCerts * collectArgs;
PLArenaPool *arena;
insanity::pkix::ScopedCERTCertificate cert;
mozilla::pkix::ScopedCERTCertificate cert;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
@ -954,7 +954,7 @@ nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
return NS_ERROR_NOT_AVAILABLE;
}
nsCOMPtr<nsIX509Cert2> nssCert = do_QueryInterface(aCert);
insanity::pkix::ScopedCERTCertificate cert(nssCert->GetCert());
mozilla::pkix::ScopedCERTCertificate cert(nssCert->GetCert());
if (!cert) return NS_ERROR_FAILURE;
SECStatus srv = SECSuccess;
@ -1001,7 +1001,7 @@ nsNSSCertificateDB::SetCertTrust(nsIX509Cert *cert,
if (!pipCert) {
return rv;
}
insanity::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
mozilla::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
rv = attemptToLogInWithDefaultPassword();
if (NS_WARN_IF(rv != NS_OK)) {
@ -1054,7 +1054,7 @@ nsNSSCertificateDB::IsCertTrusted(nsIX509Cert *cert,
}
SECStatus srv;
nsCOMPtr<nsIX509Cert2> pipCert = do_QueryInterface(cert);
insanity::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
mozilla::pkix::ScopedCERTCertificate nsscert(pipCert->GetCert());
CERTCertTrust nsstrust;
srv = CERT_GetCertTrust(nsscert.get(), &nsstrust);
if (srv != SECSuccess)
@ -1302,7 +1302,7 @@ nsNSSCertificateDB::FindEmailEncryptionCert(const nsAString &aNickname, nsIX509C
asciiname = const_cast<char*>(aUtf8Nickname.get());
/* Find a good cert in the user's database */
insanity::pkix::ScopedCERTCertificate cert;
mozilla::pkix::ScopedCERTCertificate cert;
cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(), asciiname,
certUsageEmailRecipient, true, ctx);
if (!cert) {
@ -1332,7 +1332,7 @@ nsNSSCertificateDB::FindEmailSigningCert(const nsAString &aNickname, nsIX509Cert
return NS_ERROR_NOT_AVAILABLE;
}
insanity::pkix::ScopedCERTCertificate cert;
mozilla::pkix::ScopedCERTCertificate cert;
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
char *asciiname = nullptr;
NS_ConvertUTF16toUTF8 aUtf8Nickname(aNickname);
@ -1462,7 +1462,7 @@ nsNSSCertificateDB::ConstructX509(const char* certDER,
secitem_cert.data = (unsigned char*)certDER;
secitem_cert.len = lengthDER;
insanity::pkix::ScopedCERTCertificate cert;
mozilla::pkix::ScopedCERTCertificate cert;
cert =
CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &secitem_cert,
nullptr, false, true);
@ -1561,7 +1561,7 @@ nsNSSCertificateDB::get_default_nickname(CERTCertificate *cert,
PR_smprintf_free(tmp);
}
insanity::pkix::ScopedCERTCertificate dummycert;
mozilla::pkix::ScopedCERTCertificate dummycert;
if (PK11_IsInternal(slot)) {
/* look up the nickname to make sure it isn't in use already */
@ -1622,7 +1622,7 @@ NS_IMETHODIMP nsNSSCertificateDB::AddCertFromBase64(const char *aBase64, const c
PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
insanity::pkix::ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der));
mozilla::pkix::ScopedCERTCertificate tmpCert(CERT_FindCertByDERCert(certdb, &der));
if (!tmpCert)
tmpCert = CERT_NewTempCertificate(certdb, &der,
nullptr, false, true);
@ -1677,7 +1677,7 @@ nsNSSCertificateDB::SetCertTrustFromString(nsIX509Cert3* cert,
if (srv != SECSuccess) {
return MapSECStatus(SECFailure);
}
insanity::pkix::ScopedCERTCertificate nssCert(cert->GetCert());
mozilla::pkix::ScopedCERTCertificate nssCert(cert->GetCert());
nsresult rv = attemptToLogInWithDefaultPassword();
if (NS_WARN_IF(rv != NS_OK)) {
@ -1698,7 +1698,7 @@ nsNSSCertificateDB::GetCerts(nsIX509CertList **_retval)
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
nsCOMPtr<nsIX509CertList> nssCertList;
insanity::pkix::ScopedCERTCertList certList(
mozilla::pkix::ScopedCERTCertList certList(
PK11_ListCerts(PK11CertListUnique, ctx));
// nsNSSCertList 1) adopts certList, and 2) handles the nullptr case fine.
@ -1768,7 +1768,7 @@ nsNSSCertificateDB::VerifyCertNow(nsIX509Cert* aCert,
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
insanity::pkix::ScopedCERTCertList resultChain;
mozilla::pkix::ScopedCERTCertList resultChain;
SECOidTag evOidPolicy;
SECStatus srv;
@ -1811,7 +1811,7 @@ nsNSSCertificateDB::ClearOCSPCache()
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
if (certVerifier->mImplementation == CertVerifier::insanity) {
if (certVerifier->mImplementation == CertVerifier::mozillapkix) {
certVerifier->ClearOCSPCache();
} else {
SECStatus srv = CERT_ClearOCSPCache();


@ -971,9 +971,9 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting,
CertVerifier::implementation_config certVerifierImplementation
= CertVerifier::classic;
// The insanity::pkix pref overrides the libpkix pref
if (Preferences::GetBool("security.use_insanity_verification", false)) {
certVerifierImplementation = CertVerifier::insanity;
// The mozilla::pkix pref overrides the libpkix pref
if (Preferences::GetBool("security.use_mozillapkix_verification", false)) {
certVerifierImplementation = CertVerifier::mozillapkix;
} else {
#ifndef NSS_NO_LIBPKIX
if (Preferences::GetBool("security.use_libpkix_verification", false)) {
@ -997,9 +997,9 @@ void nsNSSComponent::setValidationOptions(bool isInitialSetting,
#endif
odc, osc, ogc);
// insanity::pkix has its own OCSP cache, so disable the NSS cache
// mozilla::pkix has its own OCSP cache, so disable the NSS cache
// if appropriate.
if (certVerifierImplementation == CertVerifier::insanity) {
if (certVerifierImplementation == CertVerifier::mozillapkix) {
// Using -1 disables the cache. The other arguments are the default
// values and aren't exposed by the API.
CERT_OCSPCacheSettings(-1, 1*60*60L, 24*60*60L);
@ -1617,7 +1617,7 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
|| prefName.Equals("security.OCSP.require")
|| prefName.Equals("security.OCSP.GET.enabled")
|| prefName.Equals("security.ssl.enable_ocsp_stapling")
|| prefName.Equals("security.use_insanity_verification")
|| prefName.Equals("security.use_mozillapkix_verification")
|| prefName.Equals("security.use_libpkix_verification")) {
MutexAutoLock lock(mutex);
setValidationOptions(false, lock);
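Review bot: The pref read in setValidationOptions switches to `security.use_mozillapkix_verification` with no fallback to the old name. As far as these hunks show, a profile that had set `security.use_insanity_verification` to true would silently return to `CertVerifier::classic` (or libpkix) and to the NSS OCSP cache after updating. If that opt-in is meant to survive the rename, the old value could serve as the default, `Preferences::GetBool("security.use_mozillapkix_verification", Preferences::GetBool("security.use_insanity_verification", false))`, and the Observe hunk would then need to keep matching the old name as well. If dropping it is deliberate, a comment such as `// security.use_insanity_verification is no longer read (bug 985201)` beside the check would record that. Both functions continue outside the hunks shown, so a migration elsewhere cannot be ruled out.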


@ -6,7 +6,7 @@
#include "nsNSSIOLayer.h"
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "nsNSSComponent.h"
#include "mozilla/Casting.h"
#include "mozilla/DebugOnly.h"
@ -1870,9 +1870,9 @@ ClientAuthDataRunnable::RunOnTargetThread()
{
PLArenaPool* arena = nullptr;
char** caNameStrings;
insanity::pkix::ScopedCERTCertificate cert;
mozilla::pkix::ScopedCERTCertificate cert;
ScopedSECKEYPrivateKey privKey;
insanity::pkix::ScopedCERTCertList certList;
mozilla::pkix::ScopedCERTCertList certList;
CERTCertListNode* node;
ScopedCERTCertNicknames nicknames;
char* extracted = nullptr;


@ -5,7 +5,7 @@
#include "nsPKCS12Blob.h"
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "prmem.h"
#include "prprf.h"
@ -307,7 +307,7 @@ nsPKCS12Blob::ExportToFile(nsIFile *file,
for (i=0; i<numCerts; i++) {
nsNSSCertificate *cert = (nsNSSCertificate *)certs[i];
// get it as a CERTCertificate XXX
insanity::pkix::ScopedCERTCertificate nssCert(cert->GetCert());
mozilla::pkix::ScopedCERTCertificate nssCert(cert->GetCert());
if (!nssCert) {
rv = NS_ERROR_FAILURE;
goto finish;


@ -6,7 +6,7 @@
#include "nsRecentBadCerts.h"
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "nsIX509Cert.h"
#include "nsIObserverService.h"
#include "mozilla/RefPtr.h"
@ -72,7 +72,7 @@ nsRecentBadCerts::GetRecentBadCert(const nsAString & aHostNameWithPort,
if (foundDER.len) {
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
insanity::pkix::ScopedCERTCertificate nssCert(
mozilla::pkix::ScopedCERTCertificate nssCert(
CERT_FindCertByDERCert(certdb, &foundDER));
if (!nssCert)
nssCert = CERT_NewTempCertificate(certdb, &foundDER,


@ -15,7 +15,7 @@ SOURCES += [
LOCAL_INCLUDES += [
'../../../../certverifier',
'../../../../insanity/include',
'../../../../pkix/include',
'/security/manager/ssl/src',
]


@ -72,16 +72,16 @@ function run_test() {
run_next_test();
}
function add_tests_in_mode(useInsanity) {
function add_tests_in_mode(useMozillaPKIX) {
add_test(function () {
Services.prefs.setBoolPref("security.use_insanity_verification",
useInsanity);
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
add_simple_tests(useInsanity);
add_combo_tests(useInsanity);
add_distrust_tests(useInsanity);
add_simple_tests(useMozillaPKIX);
add_combo_tests(useMozillaPKIX);
add_distrust_tests(useMozillaPKIX);
add_test(function () {
certOverrideService.clearValidityOverride("all:temporary-certificates", 0);
@ -89,23 +89,23 @@ function add_tests_in_mode(useInsanity) {
});
}
function add_simple_tests(useInsanity) {
function add_simple_tests(useMozillaPKIX) {
add_cert_override_test("expired.example.com",
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE));
add_cert_override_test("selfsigned.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_CA_CERT_INVALID));
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_CA_CERT_INVALID));
add_cert_override_test("unknownissuer.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
add_cert_override_test("expiredissuer.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
add_cert_override_test("md5signature.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
@ -122,16 +122,16 @@ function add_simple_tests(useInsanity) {
// (i.e. itself). As a result, to be able to override this,
// SEC_ERROR_INADEQUATE_KEY_USAGE must be overridable (although,
// confusingly, this isn't the main error reported).
// insanity::pkix just says this certificate's issuer is unknown.
// mozilla::pkix just says this certificate's issuer is unknown.
add_cert_override_test("selfsigned-inadequateEKU.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_CA_CERT_INVALID));
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_CA_CERT_INVALID));
// SEC_ERROR_INADEQUATE_KEY_USAGE is overridable in general for
// classic verification, but not for insanity::pkix verification.
if (useInsanity) {
// classic verification, but not for mozilla::pkix verification.
if (useMozillaPKIX) {
add_connection_test("inadequatekeyusage.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE),
null,
@ -149,9 +149,9 @@ function add_simple_tests(useInsanity) {
}
}
function add_combo_tests(useInsanity) {
function add_combo_tests(useMozillaPKIX) {
// Note that "untrusted" here really is "unknown issuer" in the
// insanity::pkix case.
// mozilla::pkix case.
add_cert_override_test("mismatch-expired.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
@ -161,21 +161,21 @@ function add_combo_tests(useInsanity) {
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER));
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER));
add_cert_override_test("untrusted-expired.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(
useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER));
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER));
add_cert_override_test("mismatch-untrusted-expired.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(
useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER));
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER));
add_cert_override_test("md5signature-expired.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
@ -184,7 +184,7 @@ function add_combo_tests(useInsanity) {
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
}
function add_distrust_tests(useInsanity) {
function add_distrust_tests(useMozillaPKIX) {
// Before we specifically distrust this certificate, it should be trusted.
add_connection_test("untrusted.example.com", Cr.NS_OK);
@ -193,7 +193,7 @@ function add_distrust_tests(useInsanity) {
add_distrust_override_test("tlsserver/default-ee.der",
"untrusted.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT),
useInsanity
useMozillaPKIX
? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_CERT)
: Cr.NS_OK);
@ -202,7 +202,7 @@ function add_distrust_tests(useInsanity) {
add_distrust_override_test("tlsserver/other-test-ca.der",
"untrustedissuer.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER),
useInsanity
useMozillaPKIX
? getXPCOMStatusFromNSS(SEC_ERROR_UNTRUSTED_ISSUER)
: Cr.NS_OK);
}


@ -49,8 +49,8 @@ function run_test() {
run_test_in_mode(false);
}
function run_test_in_mode(useInsanity) {
Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
function run_test_in_mode(useMozillaPKIX) {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
clearOCSPCache();
clearSessionCache();
@ -58,14 +58,14 @@ function run_test_in_mode(useInsanity) {
check_ca("ca-p384");
check_ca("ca-dsa");
// insanity::pkix does not allow CA certs to be validated for end-entity
// mozilla::pkix does not allow CA certs to be validated for end-entity
// usages.
let int_usage = useInsanity
let int_usage = useMozillaPKIX
? 'SSL CA'
: 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
// insanity::pkix doesn't implement the Netscape Object Signer restriction.
const ee_usage = useInsanity
// mozilla::pkix doesn't implement the Netscape Object Signer restriction.
const ee_usage = useMozillaPKIX
? 'Client,Server,Sign,Encrypt,Object Signer'
: 'Client,Server,Sign,Encrypt';


@ -39,20 +39,20 @@ function check_cert_err_generic(cert, expected_error, usage) {
do_check_eq(error, expected_error);
};
function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useInsanity) {
function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKIX) {
// On reset most usages are successful
check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA); // expected no bc
check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useInsanity ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner); // expected
check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INVALID_ARGS,
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INVALID_ARGS,
certificateUsageVerifyCA); // expected no bc
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder); //expected
@ -64,18 +64,18 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useInsanity)
certificateUsageSSLServer);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_UNTRUSTED_ISSUER
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INVALID_ARGS,
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INVALID_ARGS,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
@ -84,34 +84,34 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useInsanity)
// Trust set to T - trusted CA to issue client certs, where client cert is
// usageSSLClient.
setCertTrust(cert_to_modify_trust, 'T,T,T');
check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageSSLServer);
check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340
: 0
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340
: 0
: 0,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_INADEQUATE_CERT_TYPE
: useInsanity ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_INADEQUATE_CERT_TYPE
: useMozillaPKIX ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INVALID_ARGS,
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INVALID_ARGS,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
@ -121,43 +121,43 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useInsanity)
setCertTrust(cert_to_modify_trust, 'p,C,C');
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
check_cert_err_generic(ee_cert, useInsanity ? 0 //XXX Bug 982340
: SEC_ERROR_UNTRUSTED_ISSUER,
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 //XXX Bug 982340
: SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useInsanity ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INVALID_ARGS,
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INVALID_ARGS,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
// Inherited trust SSL
setCertTrust(cert_to_modify_trust, ',C,C');
check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageSSLServer);
check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? 0 // XXX Bug 982340
: SEC_ERROR_UNTRUSTED_ISSUER
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? 0 // XXX Bug 982340
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useInsanity ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INVALID_ARGS,
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INVALID_ARGS,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
@ -166,21 +166,21 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useInsanity)
setCertTrust(cert_to_modify_trust, 'C,p,C');
check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
: useInsanity ? SEC_ERROR_UNTRUSTED_ISSUER
: 0, // Insanity is OK, NSS bug
: useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
: 0, // Insanity is OK, NSS bug
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useInsanity ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INVALID_ARGS,
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INVALID_ARGS,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
@ -189,34 +189,34 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useInsanity)
//inherited EMAIL Trust
setCertTrust(cert_to_modify_trust, 'C,,C');
check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, isRootCA ? useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER
: 0,
certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, useInsanity ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, useInsanity ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INVALID_ARGS,
check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
: SEC_ERROR_INVALID_ARGS,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
}
function run_test_in_mode(useInsanity) {
Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
function run_test_in_mode(useMozillaPKIX) {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
let ca_cert = certdb.findCertByNickname(null, 'ca');
do_check_false(!ca_cert)
@ -226,10 +226,10 @@ function run_test_in_mode(useInsanity) {
do_check_false(!ee_cert);
setup_basic_trusts(ca_cert, int_cert);
test_ca_distrust(ee_cert, ca_cert, true, useInsanity);
test_ca_distrust(ee_cert, ca_cert, true, useMozillaPKIX);
setup_basic_trusts(ca_cert, int_cert);
test_ca_distrust(ee_cert, int_cert, false, useInsanity);
test_ca_distrust(ee_cert, int_cert, false, useMozillaPKIX);
}
function run_test() {
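Review bot: The rename misses one comment in test_ca_distrust. In the `'C,p,C'` block the certificateUsageSSLClient expectation still reads `: 0, // Insanity is OK, NSS bug` on the new side, although the parameter next to it is now `useMozillaPKIX`. It should read `: 0, // mozilla::pkix is OK, NSS bug` so the comment names the verifier whose result is the correct one. The same block is the only place in this function where the two verifiers disagree without a bug reference, so a bug number for the NSS behaviour would help if one exists.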


@ -35,36 +35,36 @@ function run_test() {
run_test_in_mode(false);
}
function run_test_in_mode(useInsanity) {
Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
function run_test_in_mode(useMozillaPKIX) {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
clearOCSPCache();
clearSessionCache();
// insanity::pkix does not allow CA certs to be validated for non-CA usages.
var allCAUsages = useInsanity
// mozilla::pkix does not allow CA certs to be validated for non-CA usages.
var allCAUsages = useMozillaPKIX
? 'SSL CA'
: 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
// insanity::pkix doesn't allow CA certificates to have the Status Responder
// mozilla::pkix doesn't allow CA certificates to have the Status Responder
// EKU.
var ca_usages = [allCAUsages,
'SSL CA',
allCAUsages,
useInsanity ? ''
: 'Client,Server,Sign,Encrypt,Status Responder'];
useMozillaPKIX ? ''
: 'Client,Server,Sign,Encrypt,Status Responder'];
// insanity::pkix doesn't implement the Netscape Object Signer restriction.
var basicEndEntityUsages = useInsanity
// mozilla::pkix doesn't implement the Netscape Object Signer restriction.
var basicEndEntityUsages = useMozillaPKIX
? 'Client,Server,Sign,Encrypt,Object Signer'
: 'Client,Server,Sign,Encrypt';
var basicEndEntityUsagesWithObjectSigner = basicEndEntityUsages + ",Object Signer"
// insanity::pkix won't let a certificate with the "Status Responder" EKU get
// mozilla::pkix won't let a certificate with the "Status Responder" EKU get
// validated for any other usage.
var statusResponderUsages = (useInsanity ? "" : "Server,") + "Status Responder";
var statusResponderUsages = (useMozillaPKIX ? "" : "Server,") + "Status Responder";
var statusResponderUsagesFull
= useInsanity ? statusResponderUsages
: basicEndEntityUsages + ',Object Signer,Status Responder';
= useMozillaPKIX ? statusResponderUsages
: basicEndEntityUsages + ',Object Signer,Status Responder';
var ee_usages = [
[ basicEndEntityUsages,
@ -101,16 +101,16 @@ function run_test_in_mode(useInsanity) {
//
// The 'classic' NSS mode uses the 'union' of the
// capabilites so the cert is considered a CA.
// insanity::pkix and libpkix use the intersection of
// mozilla::pkix and libpkix use the intersection of
// capabilites, so the cert is NOT considered a CA.
[ useInsanity ? '' : basicEndEntityUsages,
useInsanity ? '' : basicEndEntityUsages,
useInsanity ? '' : basicEndEntityUsages,
[ useMozillaPKIX ? '' : basicEndEntityUsages,
useMozillaPKIX ? '' : basicEndEntityUsages,
useMozillaPKIX ? '' : basicEndEntityUsages,
'',
useInsanity ? '' : statusResponderUsagesFull,
useInsanity ? '' : 'Client,Server',
useInsanity ? '' : 'Sign,Encrypt,Object Signer',
useInsanity ? '' : 'Server,Status Responder'
useMozillaPKIX ? '' : statusResponderUsagesFull,
useMozillaPKIX ? '' : 'Client,Server',
useMozillaPKIX ? '' : 'Sign,Encrypt,Object Signer',
useMozillaPKIX ? '' : 'Server,Status Responder'
]
];


@ -119,11 +119,11 @@ function run_test() {
run_next_test();
}
function add_tests_in_mode(useInsanity)
function add_tests_in_mode(useMozillaPKIX)
{
add_test(function () {
Services.prefs.setBoolPref("security.use_insanity_verification",
useInsanity);
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
@ -162,8 +162,8 @@ function add_tests_in_mode(useInsanity)
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
check_cert_err("ev-valid",
useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER);
useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_UNTRUSTED_ISSUER);
ocspResponder.stop(run_next_test);
});
@ -186,23 +186,23 @@ function add_tests_in_mode(useInsanity)
add_test(function () {
check_no_ocsp_requests("ev-valid",
useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED
: (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
: SEC_ERROR_EXTENSION_NOT_FOUND));
useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
: (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
: SEC_ERROR_EXTENSION_NOT_FOUND));
});
add_test(function () {
check_no_ocsp_requests("non-ev-root",
useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED
: (isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER
: SEC_ERROR_EXTENSION_NOT_FOUND));
useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
: (isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER
: SEC_ERROR_EXTENSION_NOT_FOUND));
});
add_test(function () {
check_no_ocsp_requests("no-ocsp-url-cert",
useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED
: (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
: SEC_ERROR_EXTENSION_NOT_FOUND));
useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
: (isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
: SEC_ERROR_EXTENSION_NOT_FOUND));
});
// Test the EV continues to work with flags after successful EV verification
@ -226,8 +226,8 @@ function add_tests_in_mode(useInsanity)
do_check_eq(hasEVPolicy.value, isDebugBuild);
do_check_eq(error,
isDebugBuild ? 0
: (useInsanity ? SEC_ERROR_POLICY_VALIDATION_FAILED
: SEC_ERROR_EXTENSION_NOT_FOUND));
: (useMozillaPKIX ? SEC_ERROR_POLICY_VALIDATION_FAILED
: SEC_ERROR_EXTENSION_NOT_FOUND));
failingOcspResponder.stop(run_next_test);
});
});


@ -70,8 +70,8 @@ function check_getchain(ee_cert, ssl_ca, email_ca){
check_matching_issuer_and_getchain(ee_cert.issuer.serialNumber, ee_cert);
}
function run_test_in_mode(useInsanity) {
Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
function run_test_in_mode(useMozillaPKIX) {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
clearOCSPCache();
clearSessionCache();


@ -38,18 +38,18 @@ function test_cert_for_usages(certChainNicks, expected_usages_string) {
do_check_eq(expected_usages_string, usages.value);
}
function run_test_in_mode(useInsanity) {
Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
function run_test_in_mode(useMozillaPKIX) {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
// insanity::pkix doesn't support the obsolete Netscape object signing
// mozilla::pkix doesn't support the obsolete Netscape object signing
// extension, but NSS does.
let ee_usage1 = useInsanity
let ee_usage1 = useMozillaPKIX
? 'Client,Server,Sign,Encrypt,Object Signer'
: 'Client,Server,Sign,Encrypt'
// insanity::pkix doesn't validate CA certificates for non-CA uses, but
// mozilla::pkix doesn't validate CA certificates for non-CA uses, but
// NSS does.
let ca_usage1 = useInsanity
let ca_usage1 = useMozillaPKIX
? "SSL CA"
: 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
@ -85,10 +85,10 @@ function run_test_in_mode(useInsanity) {
// int-limited-depth-invalid (cA==true)
//
// XXX: It seems the NSS code does not consider the path length of the
// certificate we're validating, but insanity::pkix does. insanity::pkix's
// certificate we're validating, but mozilla::pkix does. mozilla::pkix's
// behavior is correct.
test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"],
useInsanity ? "" : ca_usage1);
useMozillaPKIX ? "" : ca_usage1);
test_cert_for_usages(["ee-int-limited-depth-invalid",
"int-limited-depth-invalid",
"int-limited-depth"],
@ -100,11 +100,11 @@ function run_test_in_mode(useInsanity) {
ee_usage1);
// int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension
// but the KU extension is missing keyCertSign. Note that insanity::pkix
// but the KU extension is missing keyCertSign. Note that mozilla::pkix
// doesn't validate certificates with basicConstraints.Ca==true for non-CA
// uses, but NSS does.
test_cert_for_usages(["int-bad-ku-no-eku"],
useInsanity
useMozillaPKIX
? ""
: 'Client,Server,Sign,Encrypt,Status Responder');
test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], "");
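Review bot: The renamed comment above `ee_usage1` says mozilla::pkix doesn't support the obsolete Netscape object signing extension, yet the `useMozillaPKIX` branch is the one that expects `Object Signer` in the usage string, so the comment reads as the opposite of what the test asserts. If the intent is that mozilla::pkix ignores the extension and therefore does not restrict usages by it (inferred from the expected strings, to be confirmed), the comment could say so: `// mozilla::pkix ignores the obsolete Netscape object signing extension, so it does not restrict usages by it; NSS does.` Since these strings pin which usages each verifier accepts for a certificate, the comment is what the next reader will use to decide whether a changed expectation is a regression. The body of run_test_in_mode continues outside the hunk.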


@ -50,8 +50,8 @@ function check_fail_ca(x) {
return check_cert_err_generic(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLCA);
}
function run_test_in_mode(useInsanity) {
Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
function run_test_in_mode(useMozillaPKIX) {
Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
// Note that CN is only looked at when there is NO subjectAltName!
@ -261,7 +261,7 @@ function run_test_in_mode(useInsanity) {
check_fail(certFromFile('cn-www.foo.com_o-bar_c-us-alt-foo.com-a.a.us-b.a.us-int-ca-nc-perm-foo.com.der'));
// We don't enforce dNSName name constraints on CN unless we're validating
// for the server EKU. libpkix gets this wrong but insanity::pkix and classic
// for the server EKU. libpkix gets this wrong but mozilla::pkix and classic
// NSS get it right.
{
let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der');


@ -47,10 +47,10 @@ function run_test() {
run_next_test();
}
function add_tests_in_mode(useInsanity) {
function add_tests_in_mode(useMozillaPKIX) {
add_test(function () {
Services.prefs.setBoolPref("security.use_insanity_verification",
useInsanity);
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
@ -107,8 +107,8 @@ function add_tests_in_mode(useInsanity) {
clearSessionCache);
add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
// TODO(bug 977865): implement this for insanity
if (!useInsanity) {
// TODO(bug 977865): implement this for mozilla::pkix
if (!useMozillaPKIX) {
// The error entry will prevent a fetch from happening for a while.
add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
clearSessionCache);


@ -40,11 +40,11 @@ function run_test() {
run_next_test();
}
function add_tests_in_mode(useInsanity)
function add_tests_in_mode(useMozillaPKIX)
{
add_test(function () {
Services.prefs.setBoolPref("security.use_insanity_verification",
useInsanity);
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
@ -53,9 +53,9 @@ function add_tests_in_mode(useInsanity)
add_connection_test("ocsp-stapling-none.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
add_test(function () {
// TODO(bug 977865): insanity::pkix keeps requesting responses from
// TODO(bug 977865): mozilla::pkix keeps requesting responses from
// failing responders
do_check_eq(gOCSPRequestCount, useInsanity ? 2 : 1);
do_check_eq(gOCSPRequestCount, useMozillaPKIX ? 2 : 1);
gOCSPRequestCount = 0;
run_next_test();
});


@ -21,10 +21,10 @@ function add_ocsp_test(aHost, aExpectedResult, aStaplingEnabled) {
});
}
function add_tests_in_mode(useInsanity, certDB, otherTestCA) {
function add_tests_in_mode(useMozillaPKIX, certDB, otherTestCA) {
add_test(function () {
Services.prefs.setBoolPref("security.use_insanity_verification",
useInsanity);
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});
@ -54,7 +54,7 @@ function add_tests_in_mode(useInsanity, certDB, otherTestCA) {
// SEC_ERROR_OCSP_INVALID_SIGNING_CERT vs SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
// depends on whether the CA that signed the response is a trusted CA
// (but only with the classic implementation - insanity::pkix always
// (but only with the classic implementation - mozilla::pkix always
// results in the error SEC_ERROR_OCSP_INVALID_SIGNING_CERT).
// This stapled response is from a CA that is untrusted and did not issue
@ -113,7 +113,7 @@ function add_tests_in_mode(useInsanity, certDB, otherTestCA) {
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
// TODO(bug 979070): NSS can't handle this yet.
if (useInsanity) {
if (useMozillaPKIX) {
add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
}


@ -62,11 +62,11 @@ function run_test() {
run_next_test();
}
function add_tests_in_mode(useInsanity)
function add_tests_in_mode(useMozillaPKIX)
{
add_test(function () {
Services.prefs.setBoolPref("security.use_insanity_verification",
useInsanity);
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});


@ -44,10 +44,10 @@ function run_test() {
run_next_test();
}
function add_tests_in_mode(useInsanity) {
function add_tests_in_mode(useMozillaPKIX) {
add_test(function () {
Services.prefs.setBoolPref("security.use_insanity_verification",
useInsanity);
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
useMozillaPKIX);
run_next_test();
});


@ -10,8 +10,8 @@ LIBS = \
$(NSPR_LIBS) \
$(NSS_LIBS) \
$(MOZALLOC_LIB) \
../../../../../../insanity/$(LIB_PREFIX)insanitypkix.$(LIB_SUFFIX) \
../../../../../../insanity/test/lib/$(LIB_PREFIX)pkixtestutil.$(LIB_SUFFIX) \
../../../../../../pkix/$(LIB_PREFIX)mozillapkix.$(LIB_SUFFIX) \
../../../../../../pkix/test/lib/$(LIB_PREFIX)pkixtestutil.$(LIB_SUFFIX) \
../lib/$(LIB_PREFIX)tlsserver.$(LIB_SUFFIX) \
$(NULL)


@ -13,6 +13,7 @@
using namespace mozilla;
using namespace mozilla::test;
using namespace mozilla::pkix::test;
SECItemArray *
@ -38,7 +39,7 @@ GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate *aCert,
PRTime oneDay = 60*60*24 * (PRTime)PR_USEC_PER_SEC;
PRTime oldNow = now - (8 * oneDay);
insanity::test::OCSPResponseContext context(aArena, aCert, now);
OCSPResponseContext context(aArena, aCert, now);
if (aORT == ORTGoodOtherCert) {
context.cert = PK11_FindCertFromNickname(aAdditionalCertName, nullptr);
@ -103,7 +104,7 @@ GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate *aCert,
context.signerCert = CERT_DupCertificate(context.issuerCert.get());
}
SECItem* response = insanity::test::CreateEncodedOCSPResponse(context);
SECItem* response = CreateEncodedOCSPResponse(context);
if (!response) {
PrintPRError("CreateEncodedOCSPResponse failed");
return nullptr;
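Review bot: The added `using namespace mozilla::pkix::test;` sits next to `using namespace mozilla;` and `using namespace mozilla::test;`, and the two call sites in GetOCSPResponseForType drop their explicit qualification, so `OCSPResponseContext` and `CreateEncodedOCSPResponse` now resolve through three overlapping using-directives. A same-named symbol added later to `mozilla` or `mozilla::test` would make these lookups ambiguous or, for an overloaded function, silently pick a different candidate. Using-declarations keep the call sites short while pinning the source: `using mozilla::pkix::test::OCSPResponseContext;` and `using mozilla::pkix::test::CreateEncodedOCSPResponse;`. The body of GetOCSPResponseForType starts and ends outside the hunks shown.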


@ -10,8 +10,8 @@ UNIFIED_SOURCES += [
]
LOCAL_INCLUDES += [
'../../../../../../insanity/include',
'../../../../../../insanity/test/lib',
'../../../../../../pkix/include',
'../../../../../../pkix/test/lib',
]
LIBRARY_NAME = 'tlsserver'


@ -1,26 +1,26 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* Copyright 2013 Mozilla Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
/* Copyright 2013 Mozilla Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef insanity_pkix__ScopedPtr_h
#define insanity_pkix__ScopedPtr_h
#ifndef mozilla_pkix__ScopedPtr_h
#define mozilla_pkix__ScopedPtr_h
#include "insanity/nullptr.h"
#include "pkix/nullptr.h"
namespace insanity { namespace pkix {
namespace mozilla { namespace pkix {
// Similar to boost::scoped_ptr and std::unique_ptr. Does not support copying
// or assignment.
@ -94,6 +94,6 @@ operator!=(const ScopedPtr<T, Destroyer>& a, T* b)
return a.get() != b;
}
} } // namespace insanity::pkix
} } // namespace mozilla::pkix
#endif // insanity_pkix__ScopedPtr_h
#endif // mozilla_pkix__ScopedPtr_h
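Review bot: The new include guard `mozilla_pkix__ScopedPtr_h` still contains a double underscore, and C++ reserves every identifier containing `__` for the implementation. Because this commit already rewrites every guard, a single-underscore spelling would remove that at no extra cost: `#ifndef mozilla_pkix_ScopedPtr_h` / `#define mozilla_pkix_ScopedPtr_h`, with the trailing `#endif` comment updated to match. The same applies to the renamed guards in the bind.h, nullptr.h, pkix.h, pkixtypes.h, pkixcheck.h, pkixder.h, pkixutil.h and pkixtestutil.h sections.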


@ -19,8 +19,8 @@
// implementation isn't intended to be complete; rather, it is the minimal
// implementation needed to make our use of std::bind work.
#ifndef insanity_pkix__bind_h
#define insanity_pkix__bind_h
#ifndef mozilla_pkix__bind_h
#define mozilla_pkix__bind_h
#ifdef _MSC_VER
#pragma warning(disable:4275) //Suppress spurious MSVC warning
@ -30,7 +30,7 @@
#pragma warning(default:4275)
#endif
namespace insanity {
namespace mozilla { namespace pkix {
#ifdef _MSC_VER
@ -92,6 +92,6 @@ bind(R (*f)(P1&, B1&, B2&), Placeholder1 &, B1 & b1, B2 & b2)
#endif // _MSC_VER
} // namespace insanity
} } // namespace mozilla::pkix
#endif // insanity_pkix__bind_h
#endif // mozilla_pkix__bind_h


@ -15,8 +15,8 @@
* limitations under the License.
*/
#ifndef insanity_pkix__nullptr_h
#define insanity_pkix__nullptr_h
#ifndef mozilla_pkix__nullptr_h
#define mozilla_pkix__nullptr_h
// GCC does not understand nullptr until 4.6
#if defined(__GNUC__) && !defined(__clang__)
@ -25,4 +25,4 @@
#endif
#endif
#endif // insanity_pkix__nullptr_h
#endif // mozilla_pkix__nullptr_h


@ -15,13 +15,13 @@
* limitations under the License.
*/
#ifndef insanity_pkix__pkix_h
#define insanity_pkix__pkix_h
#ifndef mozilla_pkix__pkix_h
#define mozilla_pkix__pkix_h
#include "pkixtypes.h"
#include "prtime.h"
namespace insanity { namespace pkix {
namespace mozilla { namespace pkix {
// ----------------------------------------------------------------------------
// LIMITED SUPPORT FOR CERTIFICATE POLICIES
@ -118,6 +118,6 @@ SECStatus VerifyEncodedOCSPResponse(TrustDomain& trustDomain,
/* optional out */ PRTime* thisUpdate,
/* optional out */ PRTime* validThrough);
} } // namespace insanity::pkix
} } // namespace mozilla::pkix
#endif // insanity_pkix__pkix_h
#endif // mozilla_pkix__pkix_h


@ -15,15 +15,15 @@
* limitations under the License.
*/
#ifndef insanity_pkix__pkixtypes_h
#define insanity_pkix__pkixtypes_h
#ifndef mozilla_pkix__pkixtypes_h
#define mozilla_pkix__pkixtypes_h
#include "insanity/ScopedPtr.h"
#include "pkix/ScopedPtr.h"
#include "plarena.h"
#include "cert.h"
#include "keyhi.h"
namespace insanity { namespace pkix {
namespace mozilla { namespace pkix {
typedef ScopedPtr<PLArenaPool, PL_FreeArenaPool> ScopedPLArenaPool;
@ -88,7 +88,7 @@ public:
// certificate is not trying to use EC(DSA) parameter inheritance.
//
// Most implementations of this function should probably forward the call
// directly to insanity::pkix::VerifySignedData.
// directly to mozilla::pkix::VerifySignedData.
virtual SECStatus VerifySignedData(const CERTSignedData* signedData,
const CERTCertificate* cert) = 0;
@ -108,6 +108,6 @@ private:
void operator=(const TrustDomain&) /* = delete */;
};
} } // namespace insanity::pkix
} } // namespace mozilla::pkix
#endif // insanity_pkix__pkixtypes_h
#endif // mozilla_pkix__pkixtypes_h


@ -17,12 +17,12 @@
#ifndef _MSC_VER
#include "insanity/bind.h"
#include "pkix/bind.h"
namespace insanity {
namespace mozilla { namespace pkix {
Placeholder1 _1;
} // namespace insanity
} } // namespace mozilla::pkix
#endif // _MSC_VER


@ -15,14 +15,14 @@
* limitations under the License.
*/
#include "insanity/pkix.h"
#include "pkix/pkix.h"
#include <limits>
#include "pkixcheck.h"
#include "pkixder.h"
namespace insanity { namespace pkix {
namespace mozilla { namespace pkix {
// We assume ext has been zero-initialized by its constructor and otherwise
// not modified.
@ -172,7 +172,7 @@ BuildForwardInner(TrustDomain& trustDomain,
// Be very careful about changing the order of checks. The order is significant
// because it affects which error we return when a certificate or certificate
// chain has multiple problems. See the error ranking documentation in
// insanity/pkix.h.
// pkix/pkix.h.
static Result
BuildForward(TrustDomain& trustDomain,
BackCert& subject,
@ -363,4 +363,4 @@ BackCert::PrependNSSCertToList(CERTCertList* results)
return Success;
}
} } // namespace insanity::pkix
} } // namespace mozilla::pkix


@ -15,13 +15,13 @@
* limitations under the License.
*/
#include "insanity/pkix.h"
#include "pkix/pkix.h"
#include "pkixcheck.h"
#include "pkixder.h"
#include "pkixutil.h"
#include "secder.h"
namespace insanity { namespace pkix {
namespace mozilla { namespace pkix {
Result
CheckTimes(const CERTCertificate* cert, PRTime time)
@ -479,4 +479,4 @@ CheckIssuerIndependentProperties(TrustDomain& trustDomain,
return Success;
}
} } // namespace insanity::pkix
} } // namespace mozilla::pkix


@ -15,13 +15,13 @@
* limitations under the License.
*/
#ifndef insanity__pkixcheck_h
#define insanity__pkixcheck_h
#ifndef mozilla_pkix__pkixcheck_h
#define mozilla_pkix__pkixcheck_h
#include "pkixutil.h"
#include "certt.h"
namespace insanity { namespace pkix {
namespace mozilla { namespace pkix {
Result CheckIssuerIndependentProperties(
TrustDomain& trustDomain,
@ -36,6 +36,6 @@ Result CheckIssuerIndependentProperties(
Result CheckNameConstraints(BackCert& cert);
} } // namespace insanity::pkix
} } // namespace mozilla::pkix
#endif // insanity__pkixcheck_h
#endif // mozilla_pkix__pkixcheck_h


@ -17,7 +17,7 @@
#include "pkixder.h"
namespace insanity { namespace der {
namespace mozilla { namespace pkix { namespace der {
// not inline
Result
@ -78,4 +78,4 @@ ExpectTagAndGetLength(Input& input, uint8_t expectedTag, uint16_t& length)
return Success;
}
} } // namespace insanity::der
} } } // namespace mozilla::pkix::der


@ -15,10 +15,10 @@
* limitations under the License.
*/
#ifndef insanity_pkix__pkixder_h
#define insanity_pkix__pkixder_h
#ifndef mozilla_pkix__pkixder_h
#define mozilla_pkix__pkixder_h
#include "insanity/nullptr.h"
#include "pkix/nullptr.h"
#include "prerror.h"
#include "prlog.h"
@ -27,7 +27,7 @@
#include "secoidt.h"
#include "stdint.h"
namespace insanity { namespace der {
namespace mozilla { namespace pkix { namespace der {
enum Class
{
@ -519,6 +519,6 @@ OptionalVersion(Input& input, /*out*/ uint8_t& version)
return Success;
}
} } // namespace insanity::der
} } } // namespace mozilla::pkix::der
#endif // insanity_pkix__pkixder_h
#endif // mozilla_pkix__pkixder_h


@ -15,7 +15,7 @@
* limitations under the License.
*/
#include "insanity/pkix.h"
#include "pkix/pkix.h"
#include <limits>
#include <stdint.h>
@ -25,7 +25,7 @@
#include "prerror.h"
#include "secerr.h"
namespace insanity { namespace pkix {
namespace mozilla { namespace pkix {
SECStatus
VerifySignedData(const CERTSignedData* sd, const CERTCertificate* cert,
@ -86,4 +86,4 @@ VerifySignedData(const CERTSignedData* sd, const CERTCertificate* cert,
return SECSuccess;
}
} } // namespace insanity::pkix
} } // namespace mozilla::pkix


@ -17,8 +17,8 @@
#include <limits>
#include "insanity/bind.h"
#include "insanity/pkix.h"
#include "pkix/bind.h"
#include "pkix/pkix.h"
#include "pkixcheck.h"
#include "pkixder.h"
@ -36,7 +36,7 @@
// TODO: use typed/qualified typedefs everywhere?
// TODO: When should we return SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE?
namespace insanity { namespace pkix {
namespace mozilla { namespace pkix {
static const PRTime ONE_DAY
= INT64_C(24) * INT64_C(60) * INT64_C(60) * PR_USEC_PER_SEC;
@ -993,4 +993,4 @@ CreateEncodedOCSPRequest(PLArenaPool* arena,
return encodedRequest;
}
} } // namespace insanity::pkix
} } // namespace mozilla::pkix


@ -15,15 +15,15 @@
* limitations under the License.
*/
#ifndef insanity_pkix__pkixutil_h
#define insanity_pkix__pkixutil_h
#ifndef mozilla_pkix__pkixutil_h
#define mozilla_pkix__pkixutil_h
#include "insanity/pkixtypes.h"
#include "pkix/pkixtypes.h"
#include "prerror.h"
#include "seccomon.h"
#include "secerr.h"
namespace insanity { namespace pkix {
namespace mozilla { namespace pkix {
enum Result
{
@ -141,6 +141,6 @@ private:
void operator=(const BackCert&); /* = delete */;
};
} } // namespace insanity::pkix
} } // namespace mozilla::pkix
#endif // insanity_pkix__pkixutil_h
#endif // mozilla_pkix__pkixutil_h


@ -23,6 +23,6 @@ DIRS += [
FAIL_ON_WARNINGS = True
LIBRARY_NAME = 'insanitypkix'
LIBRARY_NAME = 'mozillapkix'
FINAL_LIBRARY = 'xul'


@ -25,7 +25,7 @@
#include "prinit.h"
#include "secder.h"
namespace insanity { namespace test {
namespace mozilla { namespace pkix { namespace test {
class Output
{
@ -632,4 +632,4 @@ CertStatus(OCSPResponseContext& context)
return nullptr;
}
} } // namespace insanity::test
} } } // namespace mozilla::pkix::test


@ -15,14 +15,14 @@
* limitations under the License.
*/
#ifndef insanity_test__pkixtestutils_h
#define insanity_test__pkixtestutils_h
#ifndef mozilla_pkix_test__pkixtestutils_h
#define mozilla_pkix_test__pkixtestutils_h
#include "insanity/ScopedPtr.h"
#include "insanity/pkixtypes.h"
#include "pkix/ScopedPtr.h"
#include "pkix/pkixtypes.h"
#include "seccomon.h"
namespace insanity { namespace test {
namespace mozilla { namespace pkix { namespace test {
class OCSPResponseContext
{
@ -62,6 +62,6 @@ public:
// error of the failed operation). However, this is not guaranteed.
SECItem* CreateEncodedOCSPResponse(OCSPResponseContext& context);
} } // namespace insanity::test
} } } // namespace mozilla::pkix::test
#endif // insanity_test__pkixtestutils_h
#endif // mozilla_pkix_test__pkixtestutils_h


@ -4254,13 +4254,13 @@
"extended_statistics_ok": true,
"description": "Time spent on a successful cert verification in classic mode (ms)"
},
"SSL_SUCCESFUL_CERT_VALIDATION_TIME_INSANITY" : {
"SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
"description": "Time spent on a successful cert verification in insanity mode (ms)"
"description": "Time spent on a successful cert verification in mozilla::pkix mode (ms)"
},
"SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_LIBPKIX" : {
"expires_in_version": "never",
@ -4278,13 +4278,13 @@
"extended_statistics_ok": true,
"description": "Time spent on an initially failed cert verification in classic mode (ms)"
},
"SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_INSANITY" : {
"SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX" : {
"expires_in_version": "never",
"kind": "exponential",
"high": "60000",
"n_buckets": 50,
"extended_statistics_ok": true,
"description": "Time spent on an initially failed cert verification in insanity mode (ms)"
"description": "Time spent on an initially failed cert verification in mozilla::pkix mode (ms)"
},
"HEALTHREPORT_DB_OPEN_FIRSTRUN_MS": {
"expires_in_version": "never",