--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@@ -2,44 +2,44 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ExtendedValidation.h"
#include "cert.h"
-#include "certdb.h"
#include "hasht.h"
#include "mozilla/ArrayUtils.h"
#include "mozilla/Assertions.h"
#include "mozilla/Base64.h"
#include "mozilla/Casting.h"
#include "mozilla/PodOperations.h"
#include "nsDependentString.h"
#include "nsString.h"
#include "pk11pub.h"
#include "pkix/pkixtypes.h"
-#include "prerror.h"
-struct nsMyTrustedEVInfo
+namespace mozilla { namespace psm {
+
+struct EVInfo
{
// See bug 1338873 about making these fields const.
- const char* dotted_oid;
- const char* oid_name; // Set this to null to signal an invalid structure,
+ const char* dottedOid;
+ const char* oidName; // Set this to null to signal an invalid structure,
// (We can't have an empty list, so we'll use a dummy entry)
- unsigned char ev_root_sha256_fingerprint[SHA256_LENGTH];
- const char* issuer_base64;
- const char* serial_base64;
+ unsigned char sha256Fingerprint[SHA256_LENGTH];
+ const char* issuerBase64;
+ const char* serialBase64;
};
// HOWTO enable additional CA root certificates for EV:
//
// For each combination of "root certificate" and "policy OID",
-// one entry must be added to the array named myTrustedEVInfos.
+// one entry must be added to the array named kEVInfos.
//
// We use the combination of "issuer name" and "serial number" to
// uniquely identify the certificate. In order to avoid problems
// because of encodings when comparing certificates, we don't
// use plain text representation, we rather use the original encoding
// as it can be found in the root certificate (in base64 format).
//
// We can use the NSS utility named "pp" to extract the encoding.
@@ -81,19 +81,19 @@ struct nsMyTrustedEVInfo
// related to the CA's OCSP infrastructure, either they use an incorrect
// OCSP signing certificate, or OCSP for the intermediate certificates
// isn't working, or OCSP isn't working at all.
#ifdef DEBUG
static const size_t NUM_TEST_EV_ROOTS = 2;
#endif
-static const struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
+static const struct EVInfo kEVInfos[] = {
// IMPORTANT! When extending this list, if you add another entry that uses
- // the same dotted_oid as an existing entry, use the same oid_name.
+ // the same dottedOid as an existing entry, use the same oidName.
#ifdef DEBUG
// Debug EV certificates should all use the following OID:
// 1.3.6.1.4.1.13769.666.666.666.1.500.9.1.
// (multiple entries with the same OID is ok)
// If you add or remove debug EV certs you must also modify NUM_TEST_EV_ROOTS
// so that the correct number of certs are skipped as these debug EV certs are
// NOT part of the default trust store.
{
@@ -1127,21 +1127,21 @@ static const struct nsMyTrustedEVInfo my
0xF9, 0x97, 0x16, 0x8F, 0x24, 0xC5, 0x8F, 0xC5, 0x02, 0x3B, 0xF5,
0xDA, 0x5B, 0xE2, 0xEB, 0x6E, 0x1D, 0xD8, 0x90, 0x2E, 0xD5 },
"MEYxCzAJBgNVBAYTAkxVMRYwFAYDVQQKDA1MdXhUcnVzdCBTLkEuMR8wHQYDVQQD"
"DBZMdXhUcnVzdCBHbG9iYWwgUm9vdCAy",
"Cn6m30tEntpqJIWe5rgV0xZ/u7E=",
},
};
-static SECOidTag sEVInfoOIDTags[mozilla::ArrayLength(myTrustedEVInfos)];
+static SECOidTag sEVInfoOIDTags[ArrayLength(kEVInfos)];
static_assert(SEC_OID_UNKNOWN == 0,
"We depend on zero-initialized globals being interpreted as SEC_OID_UNKNOWN.");
-static_assert(mozilla::ArrayLength(sEVInfoOIDTags) == mozilla::ArrayLength(myTrustedEVInfos),
+static_assert(ArrayLength(sEVInfoOIDTags) == ArrayLength(kEVInfos),
"These arrays are used in parallel and must have the same length.");
static SECOidTag
RegisterOID(const SECItem& oidItem, const char* oidName)
{
SECOidData od;
od.oid.len = oidItem.len;
od.oid.data = oidItem.data;
@@ -1165,18 +1165,16 @@ isEVPolicy(SECOidTag policyOIDTag)
if (policyOIDTag == oidTag) {
return true;
}
}
return false;
}
-namespace mozilla { namespace psm {
-
bool
CertIsAuthoritativeForEVPolicy(const UniqueCERTCertificate& cert,
const mozilla::pkix::CertPolicyId& policy)
{
MOZ_ASSERT(cert);
if (!cert) {
return false;
}
@@ -1185,76 +1183,76 @@ CertIsAuthoritativeForEVPolicy(const Uni
SECStatus srv =
PK11_HashBuf(SEC_OID_SHA256, fingerprint, cert->derCert.data,
AssertedCast<int32_t>(cert->derCert.len));
if (srv != SECSuccess) {
return false;
}
const SECOidData* cabforumOIDData = SECOID_FindOIDByTag(sCABForumEVOIDTag);
- for (size_t iEV = 0; iEV < mozilla::ArrayLength(myTrustedEVInfos); ++iEV) {
- const nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
+ for (size_t i = 0; i < ArrayLength(kEVInfos); ++i) {
+ const EVInfo& entry = kEVInfos[i];
// This check ensures that only the specific roots we approve for EV get
// that status, and not certs (roots or otherwise) that happen to have an
// OID that's already been approved for EV.
- if (!PodEqual(fingerprint, entry.ev_root_sha256_fingerprint)) {
+ if (!PodEqual(fingerprint, entry.sha256Fingerprint)) {
continue;
}
if (cabforumOIDData && cabforumOIDData->oid.len == policy.numBytes &&
PodEqual(cabforumOIDData->oid.data, policy.bytes, policy.numBytes)) {
return true;
}
- const SECOidData* oidData = SECOID_FindOIDByTag(sEVInfoOIDTags[iEV]);
+ const SECOidData* oidData = SECOID_FindOIDByTag(sEVInfoOIDTags[i]);
if (oidData && oidData->oid.len == policy.numBytes &&
PodEqual(oidData->oid.data, policy.bytes, policy.numBytes)) {
return true;
}
}
return false;
}
nsresult
LoadExtendedValidationInfo()
{
static const char* sCABForumOIDString = "2.23.140.1.1";
static const char* sCABForumOIDDescription = "CA/Browser Forum EV OID";
- mozilla::ScopedAutoSECItem cabforumOIDItem;
+ ScopedAutoSECItem cabforumOIDItem;
if (SEC_StringToOID(nullptr, &cabforumOIDItem, sCABForumOIDString, 0)
!= SECSuccess) {
return NS_ERROR_FAILURE;
}
sCABForumEVOIDTag = RegisterOID(cabforumOIDItem, sCABForumOIDDescription);
if (sCABForumEVOIDTag == SEC_OID_UNKNOWN) {
return NS_ERROR_FAILURE;
}
- for (size_t iEV = 0; iEV < mozilla::ArrayLength(myTrustedEVInfos); ++iEV) {
- const nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
+ for (size_t i = 0; i < ArrayLength(kEVInfos); ++i) {
+ const EVInfo& entry = kEVInfos[i];
SECStatus srv;
#ifdef DEBUG
// This section of code double-checks that we calculated the correct
// certificate hash given the issuer and serial number and that it is
// actually present in our loaded root certificates module. It is
// unnecessary to check this in non-debug builds since we will safely fall
// back to DV if the EV information is incorrect.
nsAutoCString derIssuer;
- nsresult rv = Base64Decode(nsDependentCString(entry.issuer_base64),
+ nsresult rv = Base64Decode(nsDependentCString(entry.issuerBase64),
derIssuer);
MOZ_ASSERT(NS_SUCCEEDED(rv), "Could not base64-decode built-in EV issuer");
if (NS_FAILED(rv)) {
return rv;
}
nsAutoCString serialNumber;
- rv = Base64Decode(nsDependentCString(entry.serial_base64), serialNumber);
+ rv = Base64Decode(nsDependentCString(entry.serialBase64), serialNumber);
MOZ_ASSERT(NS_SUCCEEDED(rv), "Could not base64-decode built-in EV serial");
if (NS_FAILED(rv)) {
return rv;
}
CERTIssuerAndSN ias;
ias.derIssuer.data =
BitwiseCast<unsigned char*, const char*>(derIssuer.get());
@@ -1268,41 +1266,41 @@ LoadExtendedValidationInfo()
// If an entry is missing in the NSS root database, it may be because the
// root database is out of sync with what we expect (e.g. a different
// version of system NSS is installed).
if (!cert) {
// The entries for the debug EV roots are at indices 0 through
// NUM_TEST_EV_ROOTS - 1. Since they're not built-in, they probably
// haven't been loaded yet.
- MOZ_ASSERT(iEV < NUM_TEST_EV_ROOTS, "Could not find built-in EV root");
+ MOZ_ASSERT(i < NUM_TEST_EV_ROOTS, "Could not find built-in EV root");
} else {
unsigned char certFingerprint[SHA256_LENGTH];
srv = PK11_HashBuf(SEC_OID_SHA256, certFingerprint, cert->derCert.data,
AssertedCast<int32_t>(cert->derCert.len));
MOZ_ASSERT(srv == SECSuccess, "Could not hash EV root");
if (srv != SECSuccess) {
return NS_ERROR_FAILURE;
}
- bool same = PodEqual(certFingerprint, entry.ev_root_sha256_fingerprint);
+ bool same = PodEqual(certFingerprint, entry.sha256Fingerprint);
MOZ_ASSERT(same, "EV root fingerprint mismatch");
if (!same) {
return NS_ERROR_FAILURE;
}
}
#endif
// This is the code that actually enables these roots for EV.
- mozilla::ScopedAutoSECItem evOIDItem;
- srv = SEC_StringToOID(nullptr, &evOIDItem, entry.dotted_oid, 0);
+ ScopedAutoSECItem evOIDItem;
+ srv = SEC_StringToOID(nullptr, &evOIDItem, entry.dottedOid, 0);
MOZ_ASSERT(srv == SECSuccess, "SEC_StringToOID failed");
if (srv != SECSuccess) {
return NS_ERROR_FAILURE;
}
- sEVInfoOIDTags[iEV] = RegisterOID(evOIDItem, entry.oid_name);
- if (sEVInfoOIDTags[iEV] == SEC_OID_UNKNOWN) {
+ sEVInfoOIDTags[i] = RegisterOID(evOIDItem, entry.oidName);
+ if (sEVInfoOIDTags[i] == SEC_OID_UNKNOWN) {
return NS_ERROR_FAILURE;
}
}
return NS_OK;
}
// Helper function for GetFirstEVPolicy(): returns the first suitable policy