Bug 1047792: Rely on mozilla::pkix to filter out expired certs instead of CERT_CreateSubjectCertList, r=keeler
--HG-- extra : rebase_source : 5182147037b69f0ac3c3cd060d6e2af71bfde2e7
This commit is contained in:
parent
25a73829af
commit
de725ae5ef
@ -115,8 +115,8 @@ AppTrustDomain::FindIssuer(Input encodedIssuerName, IssuerChecker& checker,
|
||||
UnsafeMapInputToSECItem(encodedIssuerName);
|
||||
ScopedCERTCertList
|
||||
candidates(CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
|
||||
&encodedIssuerNameSECItem, time,
|
||||
true));
|
||||
&encodedIssuerNameSECItem, 0,
|
||||
false));
|
||||
if (candidates) {
|
||||
for (CERTCertListNode* n = CERT_LIST_HEAD(candidates);
|
||||
!CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) {
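Review bot: The call now passes `0` and `false` for CERT_CreateSubjectCertList's sorttime and validOnly arguments, so the candidate list includes issuers that are expired or not yet valid, and nothing at the call site records that the validity check has deliberately moved into mozilla::pkix. A comment above the call, e.g. `// Do not pre-filter by validity here: mozilla::pkix checks each candidate's validity period itself and reports ERROR_EXPIRED_ISSUER_CERTIFICATE, which would be lost if NSS silently dropped expired issuers.`, would keep a later maintainer from restoring `time, true`. Passing 0 as sorttime may also change the order in which candidates are tried; if the path builder was relying on currently-valid issuers being attempted first, that is worth confirming. The same change appears in the NSSCertDBTrustDomain::FindIssuer hunk below and the comment applies there too. FindIssuer's body begins and ends outside the hunk.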
|
||||
|
@ -104,8 +104,8 @@ NSSCertDBTrustDomain::FindIssuer(Input encodedIssuerName,
|
||||
SECItem encodedIssuerNameSECItem = UnsafeMapInputToSECItem(encodedIssuerName);
|
||||
ScopedCERTCertList
|
||||
candidates(CERT_CreateSubjectCertList(nullptr, CERT_GetDefaultCertDB(),
|
||||
&encodedIssuerNameSECItem, time,
|
||||
true));
|
||||
&encodedIssuerNameSECItem, 0,
|
||||
false));
|
||||
if (candidates) {
|
||||
for (CERTCertListNode* n = CERT_LIST_HEAD(candidates);
|
||||
!CERT_LIST_END(n, candidates); n = CERT_LIST_NEXT(n)) {
|
||||
|
@ -324,6 +324,7 @@ DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
|
||||
// called if CertVerifier::VerifyCert succeeded.
|
||||
switch (defaultErrorCodeToReport) {
|
||||
case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
|
||||
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
|
||||
case SEC_ERROR_UNKNOWN_ISSUER:
|
||||
{
|
||||
collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED;
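Review bot: The new SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE case is grouped with the issuer-trust errors under nsICertOverrideService::ERROR_UNTRUSTED rather than with the time-related ones, and the reason for that policy choice is not stated where it is made. A one-line comment on the new case, `// An expired issuer means the chain cannot be trusted; it is not a problem with the end-entity's dates, so it belongs with ERROR_UNTRUSTED.`, would document it in place. The test hunk that changes the expected error for expiredissuer.example.com suggests the override class was already ERROR_UNTRUSTED and only the reported error became more specific, so this looks like a deliberate grouping rather than a behavior change. The enclosing switch and DetermineCertOverrideErrors continue outside the hunk.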
|
||||
|
@ -52,10 +52,10 @@ function check_telemetry() {
|
||||
.getHistogramById("SSL_CERT_ERROR_OVERRIDES")
|
||||
.snapshot();
|
||||
do_check_eq(histogram.counts[ 0], 0);
|
||||
do_check_eq(histogram.counts[ 2], 8); // SEC_ERROR_UNKNOWN_ISSUER
|
||||
do_check_eq(histogram.counts[ 2], 7); // SEC_ERROR_UNKNOWN_ISSUER
|
||||
do_check_eq(histogram.counts[ 3], 0); // SEC_ERROR_CA_CERT_INVALID
|
||||
do_check_eq(histogram.counts[ 4], 0); // SEC_ERROR_UNTRUSTED_ISSUER
|
||||
do_check_eq(histogram.counts[ 5], 0); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
|
||||
do_check_eq(histogram.counts[ 5], 1); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
|
||||
do_check_eq(histogram.counts[ 6], 0); // SEC_ERROR_UNTRUSTED_CERT
|
||||
do_check_eq(histogram.counts[ 7], 0); // SEC_ERROR_INADEQUATE_KEY_USAGE
|
||||
do_check_eq(histogram.counts[ 8], 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
|
||||
@ -96,7 +96,7 @@ function add_simple_tests() {
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
|
||||
add_cert_override_test("expiredissuer.example.com",
|
||||
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
|
||||
getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
|
||||
add_cert_override_test("md5signature.example.com",
|
||||
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
|
||||
getXPCOMStatusFromNSS(
|
||||
|
@ -72,9 +72,9 @@ MOZILLA_PKIX_ENUM_CLASS Result
|
||||
ERROR_OCSP_FUTURE_RESPONSE = 34,
|
||||
|
||||
ERROR_UNKNOWN_ERROR = 35,
|
||||
|
||||
ERROR_INVALID_KEY = 36,
|
||||
ERROR_UNSUPPORTED_KEYALG = 37,
|
||||
ERROR_EXPIRED_ISSUER_CERTIFICATE = 38,
|
||||
|
||||
// Keep this in sync with MAP_LIST in pkixnss.cpp
|
||||
|
||||
|
@ -93,6 +93,8 @@ PathBuildingStep::RecordResult(Result newResult, /*out*/ bool& keepGoing)
|
||||
{
|
||||
if (newResult == Result::ERROR_UNTRUSTED_CERT) {
|
||||
newResult = Result::ERROR_UNTRUSTED_ISSUER;
|
||||
} else if (newResult == Result::ERROR_EXPIRED_CERTIFICATE) {
|
||||
newResult = Result::ERROR_EXPIRED_ISSUER_CERTIFICATE;
|
||||
}
|
||||
|
||||
if (resultWasSet) {
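Review bot: The new `else if` rewrites every ERROR_EXPIRED_CERTIFICATE recorded through this path into ERROR_EXPIRED_ISSUER_CERTIFICATE, which is only correct if RecordResult is reached solely for candidate issuers and never for the end-entity certificate; the existing ERROR_UNTRUSTED_CERT to ERROR_UNTRUSTED_ISSUER remap suggests that is the intent, but it is not stated. A comment above the chain, `// Results recorded here describe a candidate issuer, so per-certificate errors are rewritten to their issuer-specific forms.`, would make that precondition explicit for the next reader. RecordResult's body continues outside the hunk.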
|
||||
|
@ -232,6 +232,7 @@ DigestBuf(Input item, /*out*/ uint8_t* digestBuf, size_t digestBufLen)
|
||||
MAP(Result::ERROR_OCSP_FUTURE_RESPONSE, SEC_ERROR_OCSP_FUTURE_RESPONSE) \
|
||||
MAP(Result::ERROR_INVALID_KEY, SEC_ERROR_INVALID_KEY) \
|
||||
MAP(Result::ERROR_UNSUPPORTED_KEYALG, SEC_ERROR_UNSUPPORTED_KEYALG) \
|
||||
MAP(Result::ERROR_EXPIRED_ISSUER_CERTIFICATE, SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) \
|
||||
MAP(Result::FATAL_ERROR_INVALID_ARGS, SEC_ERROR_INVALID_ARGS) \
|
||||
MAP(Result::FATAL_ERROR_INVALID_STATE, PR_INVALID_STATE_ERROR) \
|
||||
MAP(Result::FATAL_ERROR_LIBRARY_FAILURE, SEC_ERROR_LIBRARY_FAILURE) \
|
||||
|