gecko-dev/security/certverifier
Dana Keeler 4401954b60 Bug 1551177 - avoid searching unproductive certificate paths during verification r=jcj,KevinJacobs
In bug 1056341 we introduced a search budget to mozilla::pkix to attempt to work
around the problem of having an extremely large search space given a set of
certificates all with the same subject and issuer distinguished names but
different public keys. In the end, though, there is probably no good value to
choose for the budget that is small enough to run quickly on the wide range of
hardware our users have and yet is large enough that we're confident won't break
someone's complicated pki setup (looking at you, the US federal government).

To address this, use the observation that as long as an intermediate can't *add*
information necessary to build a certificate chain (e.g. stapled SCTs), we
should never need a self-signed intermediate (as in, its own key verifies the
signature on it and its subject and issuer distinguished names are identical) to
build a trusted chain (since the exact same chain without that intermediate
should be valid). Given this, we simply skip all self-signed non-trust anchor
CA certificates during path building.

Differential Revision: https://phabricator.services.mozilla.com/D31368

--HG--
extra : moz-landing-system : lando
2019-05-18 00:15:54 +00:00
..
tests/gtest
BRNameMatchingPolicy.cpp
BRNameMatchingPolicy.h
CertVerifier.cpp
CertVerifier.h
ExtendedValidation.cpp
ExtendedValidation.h
moz.build
NSSCertDBTrustDomain.cpp
NSSCertDBTrustDomain.h
OCSPCache.cpp
OCSPCache.h
OCSPVerificationTrustDomain.cpp
OCSPVerificationTrustDomain.h
TrustOverride-AppleGoogleDigiCertData.inc
TrustOverride-GlobalSignData.inc
TrustOverride-StartComAndWoSignData.inc
TrustOverride-SymantecData.inc
TrustOverride-TestImminentDistrustData.inc
TrustOverrideUtils.h