Backed out 2 changesets (bug 1016555, bug 1189427) for making Android 4.3 API11+ debug X3 perma fail in test_ev_certs.js

Backed out changeset ebd4e3880403 (bug 1189427)
Backed out changeset 331e489c7534 (bug 1016555)

browser/app/profile/firefox.js

@@ -52,8 +52,6 @@ pref("extensions.getAddons.link.url", "https://addons.mozilla.org/%LOCALE%/firef
 
 // Blocklist preferences
 pref("extensions.blocklist.enabled", true);
-// OneCRL freshness checking depends on this value, so if you change it,
-// please also update security.onecrl.maximum_staleness_in_seconds.
 pref("extensions.blocklist.interval", 86400);
 // Controls what level the blocklist switches from warning about items to forcibly
 // blocking them.
@@ -1762,8 +1760,8 @@ pref("security.mixed_content.block_active_content", true);
 pref("security.cert_pinning.enforcement_level", 1);
 
 // Required blocklist freshness for OneCRL OCSP bypass
-// (default is 1.25% extensions.blocklist.interval, or 30 hours)
-pref("security.onecrl.maximum_staleness_in_seconds", 108000);
+// (default should be at least as large as extensions.blocklist.interval)
+pref("security.onecrl.maximum_staleness_in_seconds", 0);
 
 // Override the Gecko-default value of false for Firefox.
 pref("plain_text.wrap_long_lines", true);

mobile/android/app/mobile.js

@@ -221,8 +221,6 @@ pref("extensions.compatability.locales.buildid", "0");
 
 /* blocklist preferences */
 pref("extensions.blocklist.enabled", true);
-// OneCRL freshness checking depends on this value, so if you change it,
-// please also update security.onecrl.maximum_staleness_in_seconds.
 pref("extensions.blocklist.interval", 86400);
 pref("extensions.blocklist.url", "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/");
 pref("extensions.blocklist.detailsURL", "https://www.mozilla.com/%LOCALE%/blocklist/");
@@ -486,10 +484,6 @@ pref("security.mixed_content.block_active_content", true);
 // Enable pinning
 pref("security.cert_pinning.enforcement_level", 1);
 
-// Required blocklist freshness for OneCRL OCSP bypass
-// (default is 1.25% extensions.blocklist.interval, or 30 hours)
-pref("security.onecrl.maximum_staleness_in_seconds", 108000);
-
 // Only fetch OCSP for EV certificates
 pref("security.OCSP.enabled", 2);
 

security/manager/ssl/tests/unit/moz.build

@@ -15,7 +15,6 @@ TEST_DIRS += [
     'test_intermediate_basic_usage_constraints',
     'test_keysize_ev',
     'test_pinning_dynamic',
-    'test_ocsp_fetch_method',
     'test_ocsp_url',
     'test_validity',
 ]

security/manager/ssl/tests/unit/test_ocsp_fetch_method.js

@@ -23,14 +23,14 @@ function start_ocsp_responder(expectedCertNames, expectedPaths,
 }
 
 function check_cert_err(cert_name, expected_error) {
-  let cert = constructCertFromFile("test_ocsp_fetch_method/" + cert_name + ".pem");
+  let cert = constructCertFromFile("test_ocsp_fetch_method/" + cert_name + ".der");
   return checkCertErrorGeneric(certdb, cert, expected_error,
                                certificateUsageSSLServer);
 }
 
 function run_test() {
-  addCertFromFile(certdb, "test_ocsp_fetch_method/ca.pem", 'CTu,CTu,CTu');
-  addCertFromFile(certdb, "test_ocsp_fetch_method/int.pem", ',,');
+  addCertFromFile(certdb, "test_ocsp_fetch_method/ca.der", 'CTu,CTu,CTu');
+  addCertFromFile(certdb, "test_ocsp_fetch_method/int.der", ',,');
 
   // Enabled so that we can force ocsp failure responses.
   Services.prefs.setBoolPref("security.OCSP.require", true);
@@ -55,5 +55,16 @@ function run_test() {
     ocspResponder.stop(run_next_test);
   });
 
+  // GET does fallback on bad entry
+  add_test(function() {
+    clearOCSPCache();
+    Services.prefs.setBoolPref("security.OCSP.GET.enabled", true);
+    // Bug 1016681 mozilla::pkix does not support fallback yet.
+    // let ocspResponder = start_ocsp_responder(["b", "a"], [], ["GET", "POST"]);
+    // check_cert_err("a", PRErrorCodeSuccess);
+    // ocspResponder.stop(run_next_test);
+    run_next_test();
+  });
+
   run_next_test();
 }

security/manager/ssl/tests/unit/test_ocsp_fetch_method/a.pem.certspec

@@ -1,3 +0,0 @@
-issuer:int
-subject:a
-extension:authorityInformationAccess:http://www.example.com:8888/

security/manager/ssl/tests/unit/test_ocsp_fetch_method/ca.pem.certspec

@@ -1,4 +0,0 @@
-issuer:ca
-subject:ca
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign

security/manager/ssl/tests/unit/test_ocsp_fetch_method/generate.py

@@ -0,0 +1,29 @@
+#!/usr/bin/python
+
+import tempfile, os, sys
+
+libpath = os.path.abspath('../psm_common_py')
+sys.path.append(libpath)
+import CertUtils
+
+srcdir = os.getcwd()
+db = tempfile.mkdtemp()
+
+def generate_ca_cert(db_dir, dest_dir, noise_file, name):
+    return CertUtils.generate_ca_cert(db_dir, dest_dir, noise_file, name,
+                                      3, True)
+
+def generate_child_cert(db_dir, dest_dir, noise_file, name, ca_nick, is_ee,
+                        ocsp_url):
+    return CertUtils.generate_child_cert(db_dir, dest_dir, noise_file, name,
+                                         ca_nick, 3, True, is_ee, ocsp_url)
+
+def generate_certs():
+    [noise_file, pwd_file] = CertUtils.init_nss_db(srcdir)
+    generate_ca_cert(srcdir, srcdir, noise_file, 'ca')
+    generate_child_cert(srcdir, srcdir, noise_file, 'int', 'ca', False, '')
+    ocsp_url = "http://www.example.com:8888/"
+    generate_child_cert(srcdir, srcdir, noise_file, "a", 'int', True, ocsp_url)
+    generate_child_cert(srcdir, srcdir, noise_file, "b", 'int', True, ocsp_url)
+
+generate_certs()

security/manager/ssl/tests/unit/test_ocsp_fetch_method/int.pem.certspec

@@ -1,4 +0,0 @@
-issuer:ca
-subject:int
-extension:basicConstraints:cA,
-extension:keyUsage:cRLSign,keyCertSign

security/manager/ssl/tests/unit/test_ocsp_fetch_method/moz.build

@@ -1,31 +0,0 @@
-# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-test_certificates = (
-    'a.pem',
-    'ca.pem',
-    'int.pem',
-)
-
-for test_certificate in test_certificates:
-    input_file = test_certificate + '.certspec'
-    GENERATED_FILES += [test_certificate]
-    props = GENERATED_FILES[test_certificate]
-    props.script = '../pycert.py'
-    props.inputs = [input_file]
-    TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_ocsp_fetch_method += ['!%s' % test_certificate]
-
-test_keys = (
-    'int.key',
-)
-
-for test_key in test_keys:
-    input_file = test_key + '.keyspec'
-    GENERATED_FILES += [test_key]
-    props = GENERATED_FILES[test_key]
-    props.script = '../pykey.py'
-    props.inputs = [input_file]
-    TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_ocsp_fetch_method += ['!%s' % test_key]

security/manager/ssl/tests/unit/test_ocsp_fetch_method/pkcs11.txt

@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/home/cviecco/hg/mozilla-central-unified/security/manager/ssl/tests/unit/test_ocsp_fetch_method' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+