mirror of
https://github.com/mozilla/gecko-dev.git
synced 2025-02-17 22:32:51 +00:00
Bug 1575735 - Explicitly check key strength of TLS channel by setting authKeyBits earlier in SSL_AuthCertificate r=keeler
This patch provides Delegated Credential information (authKeyBits and signature scheme) to CertVerifier such that we can enforce a policy check and disallow weak keys in the Delegated Credential. This information is not passed from http3 - adding this will be done in a separate bug. Differential Revision: https://phabricator.services.mozilla.com/D47181 --HG-- rename : security/manager/ssl/tests/unit/test_delegated_credentials/delegated-selfsigned.key => security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key rename : security/manager/ssl/tests/unit/test_delegated_credentials/delegated-selfsigned.key.keyspec => security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec extra : moz-landing-system : lando
This commit is contained in:
Kevin Jacobs
parent
d6131764c5
commit
b964726542
@ -73,6 +73,8 @@ namespace psm {
|
||||
const CertVerifier::Flags CertVerifier::FLAG_LOCAL_ONLY = 1;
|
||||
const CertVerifier::Flags CertVerifier::FLAG_MUST_BE_EV = 2;
|
||||
const CertVerifier::Flags CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST = 4;
|
||||
static const unsigned int MIN_RSA_BITS = 2048;
|
||||
static const unsigned int MIN_RSA_BITS_WEAK = 1024;
|
||||
|
||||
void CertificateTransparencyInfo::Reset() {
|
||||
enabled = false;
|
||||
@ -142,6 +144,35 @@ Result IsCertChainRootBuiltInRoot(const UniqueCERTCertList& chain,
|
||||
return IsCertBuiltInRoot(root, result);
|
||||
}
|
||||
|
||||
Result IsDelegatedCredentialAcceptable(const DelegatedCredentialInfo& dcInfo,
|
||||
SECOidTag evOidPolicyTag) {
|
||||
bool isRsa = dcInfo.scheme == ssl_sig_rsa_pss_rsae_sha256 ||
|
||||
dcInfo.scheme == ssl_sig_rsa_pss_rsae_sha384 ||
|
||||
dcInfo.scheme == ssl_sig_rsa_pss_rsae_sha512 ||
|
||||
dcInfo.scheme == ssl_sig_rsa_pss_pss_sha256 ||
|
||||
dcInfo.scheme == ssl_sig_rsa_pss_pss_sha384 ||
|
||||
dcInfo.scheme == ssl_sig_rsa_pss_pss_sha512;
|
||||
|
||||
bool isEcdsa = dcInfo.scheme == ssl_sig_ecdsa_secp256r1_sha256 ||
|
||||
dcInfo.scheme == ssl_sig_ecdsa_secp384r1_sha384 ||
|
||||
dcInfo.scheme == ssl_sig_ecdsa_secp521r1_sha512;
|
||||
|
||||
size_t minRsaKeyBits =
|
||||
evOidPolicyTag != SEC_OID_UNKNOWN ? MIN_RSA_BITS : MIN_RSA_BITS_WEAK;
|
||||
|
||||
if (isRsa && dcInfo.authKeyBits < minRsaKeyBits) {
|
||||
return Result::ERROR_INADEQUATE_KEY_SIZE;
|
||||
}
|
||||
|
||||
// Since we only support acceptable EC curves, no explicit
|
||||
// |authKeyBits| check is needed.
|
||||
if (!isRsa && !isEcdsa) {
|
||||
return Result::ERROR_INVALID_KEY;
|
||||
}
|
||||
|
||||
return Result::Success;
|
||||
}
|
||||
|
||||
// The term "builtin root" traditionally refers to a root CA certificate that
|
||||
// has been added to the NSS trust store, because it has been approved
|
||||
// for inclusion according to the Mozilla CA policy, and might be accepted
|
||||
@ -439,9 +470,6 @@ bool CertVerifier::SHA1ModeMoreRestrictiveThanGivenMode(SHA1Mode mode) {
|
||||
}
|
||||
}
|
||||
|
||||
static const unsigned int MIN_RSA_BITS = 2048;
|
||||
static const unsigned int MIN_RSA_BITS_WEAK = 1024;
|
||||
|
||||
Result CertVerifier::VerifyCert(
|
||||
CERTCertificate* cert, SECCertificateUsage usage, Time time, void* pinArg,
|
||||
const char* hostname,
|
||||
@ -864,6 +892,7 @@ Result CertVerifier::VerifySSLServerCert(
|
||||
/*optional*/ const Maybe<nsTArray<nsTArray<uint8_t>>>& extraCertificates,
|
||||
/*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
/*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS,
|
||||
/*optional*/ const Maybe<DelegatedCredentialInfo>& dcInfo,
|
||||
/*optional*/ const OriginAttributes& originAttributes,
|
||||
/*optional*/ bool saveIntermediatesInPermanentDatabase,
|
||||
/*optional out*/ SECOidTag* evOidPolicy,
|
||||
@ -876,8 +905,10 @@ Result CertVerifier::VerifySSLServerCert(
|
||||
// XXX: MOZ_ASSERT(pinarg);
|
||||
MOZ_ASSERT(!hostname.IsEmpty());
|
||||
|
||||
SECOidTag evPolicyOidTag = SEC_OID_UNKNOWN;
|
||||
|
||||
if (evOidPolicy) {
|
||||
*evOidPolicy = SEC_OID_UNKNOWN;
|
||||
*evOidPolicy = evPolicyOidTag;
|
||||
}
|
||||
|
||||
if (hostname.IsEmpty()) {
|
||||
@ -890,7 +921,7 @@ Result CertVerifier::VerifySSLServerCert(
|
||||
VerifyCert(peerCert.get(), certificateUsageSSLServer, time, pinarg,
|
||||
PromiseFlatCString(hostname).get(), builtChain, flags,
|
||||
extraCertificates, stapledOCSPResponse, sctsFromTLS,
|
||||
originAttributes, evOidPolicy, ocspStaplingStatus,
|
||||
originAttributes, &evPolicyOidTag, ocspStaplingStatus,
|
||||
keySizeStatus, sha1ModeResult, pinningTelemetryInfo, ctInfo);
|
||||
if (rv != Success) {
|
||||
if (rv == Result::ERROR_UNKNOWN_ISSUER &&
|
||||
@ -920,6 +951,13 @@ Result CertVerifier::VerifySSLServerCert(
|
||||
return rv;
|
||||
}
|
||||
|
||||
if (dcInfo) {
|
||||
rv = IsDelegatedCredentialAcceptable(*dcInfo, evPolicyOidTag);
|
||||
if (rv != Success) {
|
||||
return rv;
|
||||
}
|
||||
}
|
||||
|
||||
Input peerCertInput;
|
||||
rv = peerCertInput.Init(peerCert->derCert.data, peerCert->derCert.len);
|
||||
if (rv != Success) {
|
||||
@ -974,6 +1012,10 @@ Result CertVerifier::VerifySSLServerCert(
|
||||
SaveIntermediateCerts(builtChain);
|
||||
}
|
||||
|
||||
if (evOidPolicy) {
|
||||
*evOidPolicy = evPolicyOidTag;
|
||||
}
|
||||
|
||||
return Success;
|
||||
}
|
||||
|
||||
|
||||
@ -19,6 +19,7 @@
|
||||
#include "mozilla/UniquePtr.h"
|
||||
#include "nsString.h"
|
||||
#include "mozpkix/pkixtypes.h"
|
||||
#include "sslt.h"
|
||||
|
||||
#if defined(_MSC_VER)
|
||||
# pragma warning(push)
|
||||
@ -119,6 +120,20 @@ class CertificateTransparencyInfo {
|
||||
void Reset();
|
||||
};
|
||||
|
||||
class DelegatedCredentialInfo {
|
||||
public:
|
||||
DelegatedCredentialInfo() : scheme(ssl_sig_none), authKeyBits(0) {}
|
||||
DelegatedCredentialInfo(SSLSignatureScheme scheme, uint32_t authKeyBits)
|
||||
: scheme(scheme), authKeyBits(authKeyBits) {}
|
||||
|
||||
// The signature scheme to be used in CertVerify. This tells us
|
||||
// whether to interpret |authKeyBits| in an RSA or ECDSA context.
|
||||
SSLSignatureScheme scheme;
|
||||
|
||||
// The size of the key, in bits.
|
||||
uint32_t authKeyBits;
|
||||
};
|
||||
|
||||
class NSSCertDBTrustDomain;
|
||||
|
||||
class CertVerifier {
|
||||
@ -170,6 +185,7 @@ class CertVerifier {
|
||||
/*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse =
|
||||
Nothing(),
|
||||
/*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS = Nothing(),
|
||||
/*optional*/ const Maybe<DelegatedCredentialInfo>& dcInfo = Nothing(),
|
||||
/*optional*/ const OriginAttributes& originAttributes =
|
||||
OriginAttributes(),
|
||||
/*optional*/ bool saveIntermediatesInPermanentDatabase = false,
|
||||
|
||||
@ -115,6 +115,7 @@
|
||||
#include "secport.h"
|
||||
#include "ssl.h"
|
||||
#include "sslerr.h"
|
||||
#include "sslexp.h"
|
||||
|
||||
extern mozilla::LazyLogModule gPIPNSSLog;
|
||||
|
||||
@ -461,6 +462,7 @@ class SSLServerCertVerificationJob : public Runnable {
|
||||
const UniqueCERTCertList& peerCertChain,
|
||||
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
|
||||
Maybe<DelegatedCredentialInfo>& dcInfo,
|
||||
uint32_t providerFlags, Time time, PRTime prtime,
|
||||
uint32_t certVerifierFlags);
|
||||
|
||||
@ -475,6 +477,7 @@ class SSLServerCertVerificationJob : public Runnable {
|
||||
UniqueCERTCertList peerCertChain,
|
||||
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
|
||||
Maybe<DelegatedCredentialInfo>& dcInfo,
|
||||
uint32_t providerFlags, Time time, PRTime prtime,
|
||||
uint32_t certVerifierFlags);
|
||||
const RefPtr<SharedCertVerifier> mCertVerifier;
|
||||
@ -488,6 +491,7 @@ class SSLServerCertVerificationJob : public Runnable {
|
||||
const PRTime mPRTime;
|
||||
Maybe<nsTArray<uint8_t>> mStapledOCSPResponse;
|
||||
Maybe<nsTArray<uint8_t>> mSCTsFromTLSExtension;
|
||||
Maybe<DelegatedCredentialInfo> mDCInfo;
|
||||
};
|
||||
|
||||
SSLServerCertVerificationJob::SSLServerCertVerificationJob(
|
||||
@ -495,8 +499,9 @@ SSLServerCertVerificationJob::SSLServerCertVerificationJob(
|
||||
TransportSecurityInfo* infoObject, const UniqueCERTCertificate& cert,
|
||||
UniqueCERTCertList peerCertChain,
|
||||
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags,
|
||||
Time time, PRTime prtime, uint32_t certVerifierFlags)
|
||||
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
|
||||
Maybe<DelegatedCredentialInfo>& dcInfo, uint32_t providerFlags, Time time,
|
||||
PRTime prtime, uint32_t certVerifierFlags)
|
||||
: Runnable("psm::SSLServerCertVerificationJob"),
|
||||
mCertVerifier(certVerifier),
|
||||
mFdForLogging(fdForLogging),
|
||||
@ -508,7 +513,8 @@ SSLServerCertVerificationJob::SSLServerCertVerificationJob(
|
||||
mTime(time),
|
||||
mPRTime(prtime),
|
||||
mStapledOCSPResponse(std::move(stapledOCSPResponse)),
|
||||
mSCTsFromTLSExtension(std::move(sctsFromTLSExtension)) {}
|
||||
mSCTsFromTLSExtension(std::move(sctsFromTLSExtension)),
|
||||
mDCInfo(std::move(dcInfo)) {}
|
||||
|
||||
// This function assumes that we will only use the SPDY connection coalescing
|
||||
// feature on connections where we have negotiated SPDY using NPN. If we ever
|
||||
@ -1091,6 +1097,7 @@ Result AuthCertificate(CertVerifier& certVerifier,
|
||||
UniqueCERTCertList& peerCertChain,
|
||||
const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
const Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
|
||||
const Maybe<DelegatedCredentialInfo>& dcInfo,
|
||||
uint32_t providerFlags, Time time,
|
||||
uint32_t certVerifierFlags) {
|
||||
MOZ_ASSERT(infoObject);
|
||||
@ -1125,7 +1132,7 @@ Result AuthCertificate(CertVerifier& certVerifier,
|
||||
Result rv = certVerifier.VerifySSLServerCert(
|
||||
cert, time, infoObject, infoObject->GetHostName(), builtCertChain,
|
||||
certVerifierFlags, Some(peerCertsBytes), stapledOCSPResponse,
|
||||
sctsFromTLSExtension, infoObject->GetOriginAttributes(),
|
||||
sctsFromTLSExtension, dcInfo, infoObject->GetOriginAttributes(),
|
||||
saveIntermediates, &evOidPolicy, &ocspStaplingStatus, &keySizeStatus,
|
||||
&sha1ModeResult, &pinningTelemetryInfo, &certificateTransparencyInfo);
|
||||
|
||||
@ -1145,8 +1152,9 @@ SECStatus SSLServerCertVerificationJob::Dispatch(
|
||||
TransportSecurityInfo* infoObject, const UniqueCERTCertificate& serverCert,
|
||||
const UniqueCERTCertList& peerCertChain,
|
||||
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags,
|
||||
Time time, PRTime prtime, uint32_t certVerifierFlags) {
|
||||
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
|
||||
Maybe<DelegatedCredentialInfo>& dcInfo, uint32_t providerFlags, Time time,
|
||||
PRTime prtime, uint32_t certVerifierFlags) {
|
||||
// Runs on the socket transport thread
|
||||
if (!certVerifier || !infoObject || !serverCert) {
|
||||
NS_ERROR("Invalid parameters for SSL server cert validation");
|
||||
@ -1171,7 +1179,7 @@ SECStatus SSLServerCertVerificationJob::Dispatch(
|
||||
RefPtr<SSLServerCertVerificationJob> job(new SSLServerCertVerificationJob(
|
||||
certVerifier, fdForLogging, infoObject, serverCert,
|
||||
std::move(peerCertChainCopy), stapledOCSPResponse, sctsFromTLSExtension,
|
||||
providerFlags, time, prtime, certVerifierFlags));
|
||||
dcInfo, providerFlags, time, prtime, certVerifierFlags));
|
||||
|
||||
nsresult nrv = gCertVerificationThreadPool->Dispatch(job, NS_DISPATCH_NORMAL);
|
||||
if (NS_FAILED(nrv)) {
|
||||
@ -1315,9 +1323,10 @@ SSLServerCertVerificationJob::Run() {
|
||||
("[%p] SSLServerCertVerificationJob::Run\n", mInfoObject.get()));
|
||||
|
||||
TimeStamp jobStartTime = TimeStamp::Now();
|
||||
Result rv = AuthCertificate(
|
||||
*mCertVerifier, mInfoObject, mCert, mPeerCertChain, mStapledOCSPResponse,
|
||||
mSCTsFromTLSExtension, mProviderFlags, mTime, mCertVerifierFlags);
|
||||
Result rv =
|
||||
AuthCertificate(*mCertVerifier, mInfoObject, mCert, mPeerCertChain,
|
||||
mStapledOCSPResponse, mSCTsFromTLSExtension, mDCInfo,
|
||||
mProviderFlags, mTime, mCertVerifierFlags);
|
||||
MOZ_ASSERT(
|
||||
(mPeerCertChain && rv == Success) || (!mPeerCertChain && rv != Success),
|
||||
"AuthCertificate() should take ownership of chain on failure");
|
||||
@ -1365,7 +1374,8 @@ SECStatus AuthCertificateHookInternal(
|
||||
TransportSecurityInfo* infoObject, const void* aPtrForLogging,
|
||||
const UniqueCERTCertificate& serverCert, UniqueCERTCertList& peerCertChain,
|
||||
Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
|
||||
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, uint32_t providerFlags,
|
||||
Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension,
|
||||
Maybe<DelegatedCredentialInfo>& dcInfo, uint32_t providerFlags,
|
||||
uint32_t certVerifierFlags) {
|
||||
RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
|
||||
if (!certVerifier) {
|
||||
@ -1410,8 +1420,8 @@ SECStatus AuthCertificateHookInternal(
|
||||
// because of the performance benefits of doing so.
|
||||
return SSLServerCertVerificationJob::Dispatch(
|
||||
certVerifier, aPtrForLogging, infoObject, serverCert, peerCertChain,
|
||||
stapledOCSPResponse, sctsFromTLSExtension, providerFlags, Now(), PR_Now(),
|
||||
certVerifierFlags);
|
||||
stapledOCSPResponse, sctsFromTLSExtension, dcInfo, providerFlags, Now(),
|
||||
PR_Now(), certVerifierFlags);
|
||||
}
|
||||
|
||||
// Extracts whatever information we need out of fd (using SSL_*) and passes it
|
||||
@ -1482,11 +1492,25 @@ SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checkSig,
|
||||
certVerifierFlags |= CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST;
|
||||
}
|
||||
|
||||
// Get DC information
|
||||
Maybe<DelegatedCredentialInfo> dcInfo;
|
||||
SSLPreliminaryChannelInfo channelPreInfo;
|
||||
SECStatus rv = SSL_GetPreliminaryChannelInfo(fd, &channelPreInfo,
|
||||
sizeof(channelPreInfo));
|
||||
if (rv != SECSuccess) {
|
||||
PR_SetError(PR_INVALID_STATE_ERROR, 0);
|
||||
return SECFailure;
|
||||
}
|
||||
if (channelPreInfo.peerDelegCred) {
|
||||
dcInfo.emplace(DelegatedCredentialInfo(channelPreInfo.signatureScheme,
|
||||
channelPreInfo.authKeyBits));
|
||||
}
|
||||
|
||||
socketInfo->SetCertVerificationWaiting();
|
||||
return AuthCertificateHookInternal(socketInfo, static_cast<const void*>(fd),
|
||||
serverCert, peerCertChain,
|
||||
stapledOCSPResponse, sctsFromTLSExtension,
|
||||
providerFlags, certVerifierFlags);
|
||||
dcInfo, providerFlags, certVerifierFlags);
|
||||
}
|
||||
|
||||
// Make a cert chain from an array of ders.
|
||||
@ -1560,9 +1584,13 @@ SECStatus AuthCertificateHookWithInfo(
|
||||
certVerifierFlags |= CertVerifier::FLAG_TLS_IGNORE_STATUS_REQUEST;
|
||||
}
|
||||
|
||||
// Need to update Quic stack to reflect the PreliminaryInfo fields
|
||||
// for Delegated Credentials.
|
||||
Maybe<DelegatedCredentialInfo> dcInfo;
|
||||
|
||||
return AuthCertificateHookInternal(
|
||||
infoObject, aPtrForLogging, cert, certChain, stapledOCSPResponse,
|
||||
sctsFromTLSExtension, providerFlags, certVerifierFlags);
|
||||
sctsFromTLSExtension, dcInfo, providerFlags, certVerifierFlags);
|
||||
}
|
||||
|
||||
SSLServerCertVerificationResult::SSLServerCertVerificationResult(
|
||||
|
||||
@ -1104,7 +1104,7 @@ static void RebuildVerifiedCertificateInformation(PRFileDesc* fd,
|
||||
mozilla::pkix::Result rv = certVerifier->VerifySSLServerCert(
|
||||
cert, mozilla::pkix::Now(), infoObject, infoObject->GetHostName(),
|
||||
builtChain, flags, maybePeerCertsBytes, stapledOCSPResponse,
|
||||
sctsFromTLSExtension, infoObject->GetOriginAttributes(),
|
||||
sctsFromTLSExtension, Nothing(), infoObject->GetOriginAttributes(),
|
||||
saveIntermediates, &evOidPolicy,
|
||||
nullptr, // OCSP stapling telemetry
|
||||
nullptr, // key size telemetry
|
||||
|
||||
@ -1191,6 +1191,7 @@ nsresult VerifyCertAtTime(nsIX509Cert* aCert,
|
||||
Nothing(), // extraCertificates
|
||||
Nothing(), // stapledOCSPResponse
|
||||
Nothing(), // sctsFromTLSExtension
|
||||
Nothing(), // dcInfo
|
||||
OriginAttributes(),
|
||||
false, // don't save intermediates
|
||||
&evOidPolicy);
|
||||
|
||||
@ -1056,6 +1056,7 @@ nsresult nsSiteSecurityService::ProcessPKPHeader(
|
||||
Nothing(), // extraCertificates
|
||||
Nothing(), // stapledOCSPResponse
|
||||
Nothing(), // sctsFromTLSExtension
|
||||
Nothing(), // dcInfo
|
||||
aOriginAttributes,
|
||||
false // don't store intermediates
|
||||
) != mozilla::pkix::Success) {
|
||||
|
||||
@ -24,6 +24,8 @@ TEST_DIRS += [
|
||||
'test_certDB_import',
|
||||
'test_content_signing',
|
||||
'test_ct',
|
||||
'test_delegated_credentials',
|
||||
'test_delegated_credentials_weak',
|
||||
'test_ev_certs',
|
||||
'test_intermediate_basic_usage_constraints',
|
||||
'test_keysize',
|
||||
|
||||
@ -584,7 +584,7 @@ class RSAKey(object):
|
||||
while b64:
|
||||
output += '\n' + b64[:64]
|
||||
b64 = b64[64:]
|
||||
output += '\n-----END PRIVATE KEY-----\n'
|
||||
output += '\n-----END PRIVATE KEY-----'
|
||||
return output
|
||||
|
||||
def asSubjectPublicKeyInfo(self):
|
||||
@ -732,7 +732,7 @@ class ECCKey(object):
|
||||
while b64:
|
||||
output += '\n' + b64[:64]
|
||||
b64 = b64[64:]
|
||||
output += '\n-----END EC PRIVATE KEY-----\n'
|
||||
output += '\n-----END EC PRIVATE KEY-----'
|
||||
return output
|
||||
|
||||
def toDER(self):
|
||||
|
||||
@ -63,7 +63,7 @@ add_connection_test(
|
||||
null,
|
||||
// We'll never |mHaveCipherSuiteAndProtocol|,
|
||||
// and therefore can't check IsDelegatedCredential
|
||||
function() {}
|
||||
null
|
||||
);
|
||||
|
||||
// Test:
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICSTCCATGgAwIBAgIUQ2q6l0cjlPXxxJFtId7XLpMUpKMwDQYJKoZIhvcNAQEL
|
||||
MIICSDCCATCgAwIBAgIUWawxlXqcr7T8NPe0mO8YQbEljdowDQYJKoZIhvcNAQEL
|
||||
BQAwLDEqMCgGA1UEAwwhZGVsZWdhdGVkLWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRl
|
||||
MCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBYxFDASBgNVBAMM
|
||||
C2VlLXN0YW5kYXJkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+Pmx
|
||||
pgpZrIcE4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0H
|
||||
owTqoEqmwKNAMD4wEwYDVR0lBAwwCgYIKwYBBQUHAwEwJwYDVR0RBCAwHoIcc3Rh
|
||||
bmRhcmQtZW5hYmxlZC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAlVb9
|
||||
zRb+Q3Z3yLfIq/RzU0nkHqUbtZ6SKC7GTqPSMjavcspV3RB7AamV324kod9vf6UB
|
||||
uRlpW6u1xcILMQqtqy8RVZMr85WZXgxrAmPsIGXJ8MQGRgVqzQRWF4YX1Hcf6dIi
|
||||
+9v/fA8UVVZGfHUMnKYPBCOBtz2bS7jFwIycHhv6uF+AvHCAlj9sYhDDfHPe3P2t
|
||||
9W8hNAkzZhuqWfZYaSzBb46JT8YVaLDeBLL2k4oUpua6MCfY3VTa8wI/o/F28ECM
|
||||
sIA31gqmDdszEh1NIRN7vzWZxHJqoKYEeDMa66ldWvHqhBjKfFo8GJSsfhlI81G2
|
||||
UVRcUDqdiPSo8M01Nw==
|
||||
MCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBUxEzARBgNVBAMM
|
||||
CmRlZmF1bHQtZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGm
|
||||
ClmshwTi7AULQj489y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQej
|
||||
BOqgSqbAo0AwPjATBgNVHSUEDDAKBggrBgEFBQcDATAnBgNVHREEIDAeghxzdGFu
|
||||
ZGFyZC1lbmFibGVkLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBGdtdZ
|
||||
XIS3phh+wmaxsM8Zaz/uDyxc5egqtm4DcVBAQAS9KOWKGmaYsiEX11ENeaX0jbQ3
|
||||
u3bhMP/mN9YkCoxiug5dUfyghXdIsdGdFFtPDFvXGmaE9K6IHZwjZq9qtn3N2IIm
|
||||
1BA1hRPvgCPnvhslfJqjslF2yykXDM1SLMemwakt01isSogNhyItpUBZyCP3jsET
|
||||
wgWHpmIzoE5AOJGko3bORYlTIS/uIR28E/Y/7iN/AFEhIcey6F0U8cimquYpTOem
|
||||
81LzvHBjIm2BlWiSzfuBUFxPHR/VH86wrNkaWJ5Mz8ANM0d3K7W3exriZ9nKlk3u
|
||||
tiyBD5WPD5xF4GsS
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
issuer:delegated-credential-intermediate
|
||||
subjectKey:secp256r1
|
||||
subject:ee-standard
|
||||
subject:default-ee
|
||||
extension:extKeyUsage:serverAuth
|
||||
extension:subjectAlternativeName:standard-enabled.example.com
|
||||
|
||||
@ -1,16 +1,16 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICiTCCAXGgAwIBAgIUPUgqfWW1ljbVjLQd6LE6gS+ZcrAwDQYJKoZIhvcNAQEL
|
||||
MIICiTCCAXGgAwIBAgIUPZ5z67sFCTAyXWPFus9OBYVUArYwDQYJKoZIhvcNAQEL
|
||||
BQAwLDEqMCgGA1UEAwwhZGVsZWdhdGVkLWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRl
|
||||
MCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBcxFTATBgNVBAMM
|
||||
DGVlLWRlbGVnYXRlZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5
|
||||
DGRlbGVnYXRlZC1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5
|
||||
saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3st
|
||||
B6ME6qBKpsCjfzB9MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDBI
|
||||
BgNVHREEQTA/gh1kZWxlZ2F0ZWQtZW5hYmxlZC5leGFtcGxlLmNvbYIeZGVsZWdh
|
||||
dGVkLWRpc2FibGVkLmV4YW1wbGUuY29tMA8GCSsGAQQBgtpLLAQCBQAwDQYJKoZI
|
||||
hvcNAQELBQADggEBADZXKk69BKj5nOy0NUdI75t/7wIxEIxntovOOVNwvl9GhzpZ
|
||||
UuwRMWJ/iWWEwJ83hz4ZNUyrl66GFRq/xELs515iWyF4mpTnkFpTAMLo4xN+uyEc
|
||||
26qStODbf8tWZuhOKAf1bKgiXNJ+UmJxBoJljX2Cq96ev29rXF9aDnpxtxf7lDZY
|
||||
lNCnwJd639Eg6qVXvrJGn3xHILt5cw9BVqtH7hRbV07PXxcF7iwVDkHpt8TwHDvn
|
||||
LSIKZcSIVBqbUzH57I/SU8CQHUJzHAFL6Ce/Vq/a/+FLcNxueYiZyP+cs4qoljAJ
|
||||
ymg4gYiKRqOjkvVMLR/CRcgXkggKR273oxBo+80=
|
||||
hvcNAQELBQADggEBAF+2/svfXVVWcnF6oMHPYCNCKEGd8eKIo+etePS0Wu6IN+hz
|
||||
e72J47ldntvCCzNwDZfAw27iP0PWf36yaU9+IQjf1U5SoYrvyrA3+1ob6eWzKMmz
|
||||
FvjVTaPq3gf4KSmMFwbRZXrjdTK5k0zjvdzAOEm7B3+3JgEXiLqUCWlcsp7JP2u7
|
||||
+Ax8nK55T10ZyU5hXMiQGZRq3krm+CPTaJx61mVZbeOpeQb4XBhbtrsEz6toqo1d
|
||||
dB45snZh27w5odIyh0nf/gCY1V6VRHfdbP0/pehgBrTcKMVNMx5KR65kXWZV/17B
|
||||
9Is6AR5mHc0JL41FlSOhFFNSnpj550ZTK7++BJY=
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
issuer:delegated-credential-intermediate
|
||||
subject:ee-delegated
|
||||
subject:delegated-ee
|
||||
subjectKey:secp256r1
|
||||
extension:extKeyUsage:serverAuth
|
||||
extension:keyUsage:digitalSignature,keyEncipherment
|
||||
|
||||
@ -1,14 +0,0 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICEDCB+aADAgECAhRx0mqEIfhjVHVBEUnIoG+JzuAGMDANBgkqhkiG9w0BAQsF
|
||||
ADAZMRcwFQYDVQQDDA5EZWZhdWx0IElzc3VlcjAiGA8yMDE3MTEyNzAwMDAwMFoY
|
||||
DzIwMjAwMjA1MDAwMDAwWjAWMRQwEgYDVQQDDAtzZWxmLXNpZ25lZDB2MBAGByqG
|
||||
SM49AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3k
|
||||
txMtqM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiI
|
||||
z/AC8Fr3Gh/dzIN0qm6pzjANBgkqhkiG9w0BAQsFAAOCAQEARJWWl1ikJe5usXuR
|
||||
zvgiVnNduUw/ovMti9H65Hc3PfXTabEos7awWn+62ThMkOOx3tx7TCde4Szj7b3S
|
||||
hKXnLlHuKiX4zW5A6/pDGQDy7HXhlNQ7bXgIFWYLOj+FqMIoyZ+wNjDV0dGwSVxS
|
||||
nTtc4iExEtLTu5u4khTNdWWglOLrGoDhGL8xT4SVqAIW+ynarhAo3rRGaeZl88zY
|
||||
8aKsg21WbXDH9pqm6/Z1h3keKK/PpgbKw6e8p5ljRJTVp44lEME9gIxjRygvl2Sm
|
||||
N2XtiZC7RShscbKo07ZEKS1c54x+XLu4v4qClX48ZCrSQWCnbLzUiOMuk8HzZZHb
|
||||
X3RbBg==
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,2 +0,0 @@
|
||||
subject:self-signed
|
||||
subjectKey:secp384r1
|
||||
@ -17,6 +17,7 @@
|
||||
#
|
||||
#test_keys = (
|
||||
# 'default-ee.key',
|
||||
# 'delegated.key',
|
||||
#)
|
||||
#
|
||||
#for test_key in test_keys:
|
||||
|
||||
@ -0,0 +1,30 @@
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
"use strict";
|
||||
|
||||
do_get_profile();
|
||||
|
||||
add_tls_server_setup(
|
||||
"DelegatedCredentialsServer",
|
||||
"test_delegated_credentials_weak"
|
||||
);
|
||||
|
||||
// Test:
|
||||
// Server certificate supports DC
|
||||
// Server DC support enabled, but presents a weak (RSA1016) key in the DC
|
||||
// Client DC support enabled
|
||||
// Result: Inadequate key size error
|
||||
add_test(function() {
|
||||
clearSessionCache();
|
||||
Services.prefs.setBoolPref("security.tls.enable_delegated_credentials", true);
|
||||
run_next_test();
|
||||
});
|
||||
add_connection_test(
|
||||
"delegated-weak.example.com",
|
||||
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE,
|
||||
null,
|
||||
// We'll never |mHaveCipherSuiteAndProtocol|,
|
||||
// and therefore can't check IsDelegatedCredential
|
||||
null
|
||||
);
|
||||
@ -0,0 +1,28 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9
|
||||
braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI
|
||||
eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6
|
||||
iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za
|
||||
qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7
|
||||
LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs
|
||||
2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs
|
||||
VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s
|
||||
JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI
|
||||
r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz
|
||||
iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg
|
||||
SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R
|
||||
TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N
|
||||
gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp
|
||||
xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r
|
||||
ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR
|
||||
3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY
|
||||
EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs
|
||||
2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb
|
||||
WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo
|
||||
tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl
|
||||
rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2
|
||||
TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit
|
||||
tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m
|
||||
ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1
|
||||
NBinA5ZsT8d0v3QCr2xDJH9D
|
||||
-----END PRIVATE KEY-----
|
||||
@ -0,0 +1 @@
|
||||
default
|
||||
@ -0,0 +1,20 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDLzCCAhegAwIBAgIUOc/BxFzk/ZUirovRUmbAVV++FcYwDQYJKoZIhvcNAQEL
|
||||
BQAwLDEqMCgGA1UEAwwhZGVsZWdhdGVkLWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRl
|
||||
MCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBUxEzARBgNVBAMM
|
||||
CmRlZmF1bHQtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo
|
||||
RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a
|
||||
dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t
|
||||
aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n
|
||||
FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX
|
||||
Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py
|
||||
UcQx1QOs2hgKNe2NAgMBAAGjXDBaMA8GCSsGAQQBgtpLLAQCBQAwEwYDVR0lBAww
|
||||
CgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWgMCUGA1UdEQQeMByCGmRlbGVnYXRlZC13
|
||||
ZWFrLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCw2x5mmuf+hrrY+ot5
|
||||
FurxlnbusNZVXwjo7mscXpWyWrI5KKZ9Uo71fWlWXJ/AFA7qXtlgQta4K2MJGbci
|
||||
S+MURwGhukj41gXlCoh4SUpsOTGtsCr+zkMFIikQwwlIS4gJg2RZ+ZSj+vrMOZm7
|
||||
8DIXFxuLmugBoMgP79op5uvvGzYrksX0mTWOgtb7iFcNlMvZkFE66li2mj0JQ6r4
|
||||
jzQWuWzRyLxKxDJFhuHupVG2B1CRuPSZ5zkS7q8HAryKsilFnivIYr3u8Qkuf7Oy
|
||||
wFI6w9F6uVkEQ+kOfqAMpFuMXFmKFP7lCvf9yvIVNroRo/oi6iVt1U2zClpri0At
|
||||
o1Gp
|
||||
-----END CERTIFICATE-----
|
||||
@ -0,0 +1,7 @@
|
||||
issuer:delegated-credential-intermediate
|
||||
subjectKey:default
|
||||
subject:default-ee
|
||||
extension:delegationUsage:
|
||||
extension:extKeyUsage:serverAuth
|
||||
extension:keyUsage:digitalSignature,keyEncipherment
|
||||
extension:subjectAlternativeName:delegated-weak.example.com
|
||||
@ -0,0 +1,16 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIICcAIBADANBgkqhkiG9w0BAQEFAASCAlowggJWAgEAAoGAANKbsS+4T93NKbOl
|
||||
GctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJaj7SBxZVNKqZ
|
||||
BX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyvbXvmnZoIMTbh
|
||||
WvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAQJ/PEllBwvzkMJR1aLFJ3xbX9C97oXK
|
||||
1/4rJ5grsoURSlBwBANq4c+K5Usl5Ns5IVq9fpA/YYwtiy8IzGzRLbzNciBeSUW2
|
||||
s984nl5D3goUi7LITiQx/b5ZILBEuycvRez/ByG337YDl/xhOp6jXCIwBTDK6PkV
|
||||
nFNN878JEJUZAQJAD58XWXyFuAUbnGmvtV71dsmW29CQR9DM3ludYOpcZ/5PrGe+
|
||||
gD9LasWj8FD3a5ZvsU9c8QV2HlrebdlgsYO6VQJADXtjcRLOYaVRaMD5yThvsnmr
|
||||
QMug1Ukza7plJ3JjqseCYRosgdm2Nc94xAAYhZ4BjF6QBtEuPS7m80bnn6QzaQJA
|
||||
Cf1smj6m6RrjIHD5/BwhD/k1L5e+XR7rlRuzloHp3FtnKlMiIbPYkAyanZm50KTh
|
||||
AtxFDKG4ewsTid5lFsCuDQJAAUG4MkkbfdSoMwiSACTHnK5kvUR9+IO7TFZyqWur
|
||||
SLcSOzTyYyRFLNzrF/IeVw40fL4v1MLY+ZEOrCy22JW4yQJABFjdau4YyIsvm4Hx
|
||||
vDB1riDcH5lz0gck8gsGBD1hR8h4nUoHroi8gshDjIk+AXsTlH9i4LGJWKMetmSx
|
||||
nmTT4A==
|
||||
-----END PRIVATE KEY-----
|
||||
@ -0,0 +1 @@
|
||||
rsa1016
|
||||
@ -0,0 +1,23 @@
|
||||
# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
|
||||
# vim: set filetype=python:
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
# Temporarily disabled. See bug 1256495.
|
||||
#test_certificates = (
|
||||
# 'test-ca.pem',
|
||||
# 'test-int.pem',
|
||||
# 'default-ee.pem',
|
||||
#)
|
||||
#
|
||||
#for test_certificate in test_certificates:
|
||||
# GeneratedTestCertificate(test_certificate)
|
||||
#
|
||||
#test_keys = (
|
||||
# 'default-ee.key',
|
||||
# 'delegated-weak.key',
|
||||
#)
|
||||
#
|
||||
#for test_key in test_keys:
|
||||
# GeneratedTestKey(test_key)
|
||||
@ -0,0 +1,18 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIC8zCCAdugAwIBAgIUZWEzCkuo2Tbhe7ja1soN3tMh7gQwDQYJKoZIhvcNAQEL
|
||||
BQAwIjEgMB4GA1UEAwwXZGVsZWdhdGVkLWNyZWRlbnRpYWwtY2EwIhgPMjAxNzEx
|
||||
MjcwMDAwMDBaGA8yMDIwMDIwNTAwMDAwMFowIjEgMB4GA1UEAwwXZGVsZWdhdGVk
|
||||
LWNyZWRlbnRpYWwtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
|
||||
iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr
|
||||
4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP
|
||||
8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI
|
||||
Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ
|
||||
77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J
|
||||
I/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQD
|
||||
AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQB1A2t1D7g1pYkvQFBSdbg2zDXoePKMEkru
|
||||
uCPFb7sTqsO17RXKG+mbmZ8wYqu8R8OWI26r+9PFBErNKmwAeCkoQDFXY+9a6r28
|
||||
cMpsHOxWDzq4m0+Ly6CwdGryXc4l+FePl54l+sLjiqg2NJ1X5tyfAUML16mxMVcv
|
||||
O/bgEiOxFUm7PMuPFo6o4pv7Ppw0/QCJRvTYfdt8tQDfGsx++jmLIpuaRrr03vP5
|
||||
Aa6Pe0JCSM6sIF5pTEcvSARo7CwttF5ctikPTha1DdZ9w8nPjs80H8UcxJmX/NQw
|
||||
hPALvWf2w8fI9q86qQjAY9yYqEimbnlbcMZggHo7SAHfw945FagN
|
||||
-----END CERTIFICATE-----
|
||||
@ -0,0 +1,4 @@
|
||||
issuer:delegated-credential-ca
|
||||
subject:delegated-credential-ca
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:cRLSign,keyCertSign
|
||||
@ -0,0 +1,19 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIC/TCCAeWgAwIBAgIUazE59EMte5Z75fNl2tR7/Lw+TrIwDQYJKoZIhvcNAQEL
|
||||
BQAwIjEgMB4GA1UEAwwXZGVsZWdhdGVkLWNyZWRlbnRpYWwtY2EwIhgPMjAxNzEx
|
||||
MjcwMDAwMDBaGA8yMDIwMDIwNTAwMDAwMFowLDEqMCgGA1UEAwwhZGVsZWdhdGVk
|
||||
LWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
|
||||
MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
|
||||
vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
|
||||
uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
|
||||
O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
|
||||
3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
|
||||
5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/
|
||||
MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAH6vFPIjmkWYAURv66bcz
|
||||
wiBbk530kCAm9nQwGqsVtfQQBV1tqzjwSdee6XB0tX+a35Q6n/YI4OW94/MetrMD
|
||||
/Q8Dy9CxprnAUNwl5erHj62xmSSxW9NK7goZqulbxEXttE4S7WuacgIM0WGT0mTB
|
||||
avghqfNsPHLBZZm2sfODEo6iKz1ER6TBmjdDsP9pTi5f4TQXMPdJqwY/ymmbvHhh
|
||||
VNfcvWxeIJVAtFo615YEDSPwCxbMHeeglZ6lnp/5YndfXnPdm+RAkZ/gGzYHWBb6
|
||||
1Vqvu5RqlZ1h2SppSIVSyx/WBO3K9TcyKt3BVkpHPQd9kYeP1NJCyltay/6ZncV4
|
||||
bw==
|
||||
-----END CERTIFICATE-----
|
||||
@ -0,0 +1,4 @@
|
||||
issuer:delegated-credential-ca
|
||||
subject:delegated-credential-intermediate
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
@ -25,7 +25,7 @@ using namespace mozilla::test;
|
||||
struct DelegatedCertHost {
|
||||
const char* mHostName;
|
||||
const char* mCertName;
|
||||
const char* mDelegatedCertName;
|
||||
const char* mDCKeyNick;
|
||||
bool mEnableDelegatedCredentials;
|
||||
};
|
||||
|
||||
@ -33,12 +33,12 @@ const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;
|
||||
|
||||
// {host, eeCert, dcCert, enableDC}
|
||||
const DelegatedCertHost sDelegatedCertHosts[] = {
|
||||
{"delegated-enabled.example.com", "delegated-ee", "delegated-selfsigned",
|
||||
true},
|
||||
{"delegated-enabled.example.com", "delegated-ee", "delegated.key", true},
|
||||
{"standard-enabled.example.com", "default-ee", "delegated.key", true},
|
||||
{"delegated-disabled.example.com", "delegated-ee",
|
||||
/* anything non-null */ "delegated-selfsigned", false},
|
||||
{"standard-enabled.example.com", "default-ee", "delegated-selfsigned",
|
||||
true},
|
||||
/* anything non-null */ "delegated.key", false},
|
||||
{"delegated-weak.example.com", /* rsa default */ "default-ee",
|
||||
"delegated-weak.key", true},
|
||||
{nullptr, nullptr, nullptr, false}};
|
||||
|
||||
int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
|
||||
@ -60,13 +60,6 @@ int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
||||
UniqueCERTCertificate delegatedCert(
|
||||
PK11_FindCertFromNickname(host->mDelegatedCertName, nullptr));
|
||||
if (!delegatedCert) {
|
||||
PrintPRError("PK11_FindCertFromNickname failed");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
||||
UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
|
||||
if (!slot) {
|
||||
PrintPRError("PK11_GetInternalKeySlot failed");
|
||||
@ -79,43 +72,68 @@ int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
|
||||
nullptr,
|
||||
/* DC */ nullptr,
|
||||
/* DC PrivKey */ nullptr};
|
||||
UniqueSECKEYPrivateKey dcPriv(
|
||||
PK11_FindKeyByDERCert(slot.get(), delegatedCert.get(), nullptr));
|
||||
if (!dcPriv) {
|
||||
PrintPRError("PK11_FindKeyByDERCert failed");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
||||
UniqueSECKEYPublicKey dcPub(
|
||||
SECKEY_ExtractPublicKey(&delegatedCert->subjectPublicKeyInfo));
|
||||
if (!dcPub) {
|
||||
PrintPRError("SECKEY_ExtractPublicKey failed");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
||||
UniqueSECKEYPrivateKey delegatorPriv(
|
||||
PK11_FindKeyByDERCert(slot.get(), delegatorCert.get(), nullptr));
|
||||
if (!dcPriv) {
|
||||
if (!delegatorPriv) {
|
||||
PrintPRError("PK11_FindKeyByDERCert failed");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
||||
// Find the DC keypair by the file (nick) name.
|
||||
ScopedAutoSECItem dc;
|
||||
UniqueSECKEYPrivateKey dcPriv;
|
||||
if (host->mEnableDelegatedCredentials) {
|
||||
if (gDebugLevel >= DEBUG_VERBOSE) {
|
||||
std::cerr << "Enabling a delegated credential for host "
|
||||
<< host->mHostName << std::endl;
|
||||
}
|
||||
|
||||
if (SSL_DelegateCredential(delegatorCert.get(), delegatorPriv.get(),
|
||||
dcPub.get(), ssl_sig_ecdsa_secp384r1_sha384,
|
||||
kDCValidFor, PR_Now(), &dc) != SECSuccess) {
|
||||
PrintPRError("SSL_DelegateCredential failed");
|
||||
if (PK11_NeedLogin(slot.get())) {
|
||||
SECStatus rv = PK11_Authenticate(slot.get(), PR_TRUE, nullptr);
|
||||
if (rv != SECSuccess) {
|
||||
PrintPRError("PK11_Authenticate failed");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
}
|
||||
UniqueSECKEYPrivateKeyList list(PK11_ListPrivKeysInSlot(
|
||||
slot.get(), const_cast<char*>(host->mDCKeyNick), nullptr));
|
||||
if (!list) {
|
||||
PrintPRError("PK11_ListPrivKeysInSlot failed");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
SECKEYPrivateKeyListNode* node = PRIVKEY_LIST_HEAD(list);
|
||||
|
||||
dcPriv.reset(SECKEY_CopyPrivateKey(node->key));
|
||||
if (!dcPriv) {
|
||||
PrintPRError("PK11_ListPrivKeysInSlot could not find dcPriv");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
||||
UniqueSECKEYPublicKey dcPub(SECKEY_ConvertToPublicKey(dcPriv.get()));
|
||||
if (!dcPub) {
|
||||
PrintPRError("SECKEY_ConvertToPublicKey failed");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
|
||||
// Use an ECDSA DC unless we're testing weak keys.
|
||||
SSLSignatureScheme certVerifyAlg = ssl_sig_ecdsa_secp384r1_sha384;
|
||||
if (std::string(host->mHostName) == "delegated-weak.example.com") {
|
||||
certVerifyAlg = ssl_sig_rsa_pss_rsae_sha256;
|
||||
}
|
||||
|
||||
// Create and set the DC.
|
||||
if (SSL_DelegateCredential(delegatorCert.get(), delegatorPriv.get(),
|
||||
dcPub.get(), certVerifyAlg, kDCValidFor,
|
||||
PR_Now(), &dc) != SECSuccess) {
|
||||
PrintPRError("SSL_DelegateCredential failed");
|
||||
return SSL_SNI_SEND_ALERT;
|
||||
}
|
||||
extra_data.delegCred = &dc;
|
||||
extra_data.delegCredPrivKey = dcPriv.get();
|
||||
|
||||
// The list should only have a single key.
|
||||
PORT_Assert(PRIVKEY_LIST_END(PRIVKEY_LIST_NEXT(node), list));
|
||||
}
|
||||
|
||||
if (ConfigSecureServerWithNamedCert(aFd, host->mCertName, nullptr, nullptr,
|
||||
|
||||
@ -141,8 +141,11 @@ static SECStatus AddKeyFromFile(const std::string& path,
|
||||
}
|
||||
|
||||
SECKEYPrivateKey* privateKey = nullptr;
|
||||
SECItem nick = {siBuffer,
|
||||
BitwiseCast<unsigned char*, const char*>(filename.data()),
|
||||
static_cast<unsigned int>(filename.size())};
|
||||
if (PK11_ImportDERPrivateKeyInfoAndReturnKey(
|
||||
slot.get(), &item, nullptr, nullptr, true, false, KU_ALL, &privateKey,
|
||||
slot.get(), &item, &nick, nullptr, true, false, KU_ALL, &privateKey,
|
||||
nullptr) != SECSuccess) {
|
||||
PrintPRError("PK11_ImportDERPrivateKeyInfoAndReturnKey failed");
|
||||
return SECFailure;
|
||||
|
||||
@ -23,6 +23,7 @@ support-files =
|
||||
test_content_signing/**
|
||||
test_ct/**
|
||||
test_delegated_credentials/**
|
||||
test_delegated_credentials_weak/**
|
||||
test_ev_certs/**
|
||||
test_intermediate_basic_usage_constraints/**
|
||||
test_intermediate_preloads/**
|
||||
@ -108,6 +109,7 @@ run-sequentially = hardcoded ports
|
||||
# this test doesn't apply.
|
||||
skip-if = toolkit == 'android'
|
||||
[test_delegated_credentials.js]
|
||||
[test_delegated_credentials_weak.js]
|
||||
[test_der.js]
|
||||
[test_enterprise_roots.js]
|
||||
# This feature is implemented for Windows and OS X. However, we don't currently
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user