--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -857,84 +857,16 @@ CertVerifier::VerifyCert(CERTCertificate
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
KeyUsage::digitalSignature,
KeyPurposeId::id_kp_codeSigning,
CertPolicyId::anyPolicy, stapledOCSPResponse);
break;
}
- case certificateUsageVerifyCA:
- case certificateUsageStatusResponder: {
- // XXX This is a pretty useless way to verify a certificate. It is used
- // by the certificate viewer UI. Because we don't know what trust bit is
- // interesting, we just try them all.
- mozilla::pkix::EndEntityOrCA endEntityOrCA;
- mozilla::pkix::KeyUsage keyUsage;
- KeyPurposeId eku;
- if (usage == certificateUsageVerifyCA) {
- endEntityOrCA = EndEntityOrCA::MustBeCA;
- keyUsage = KeyUsage::keyCertSign;
- eku = KeyPurposeId::anyExtendedKeyUsage;
- } else {
- endEntityOrCA = EndEntityOrCA::MustBeEndEntity;
- keyUsage = KeyUsage::digitalSignature;
- eku = KeyPurposeId::id_kp_OCSPSigning;
- }
-
- NSSCertDBTrustDomain sslTrust(trustSSL, defaultOCSPFetching, mOCSPCache,
- pinArg, ocspGETConfig, mOCSPTimeoutSoft,
- mOCSPTimeoutHard, mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
- ValidityCheckingMode::CheckingOff,
- SHA1Mode::Allowed,
- NetscapeStepUpPolicy::NeverMatch,
- originAttributes, builtChain, nullptr,
- nullptr);
- rv = BuildCertChain(sslTrust, certDER, time, endEntityOrCA,
- keyUsage, eku, CertPolicyId::anyPolicy,
- stapledOCSPResponse);
- if (rv == Result::ERROR_UNKNOWN_ISSUER) {
- NSSCertDBTrustDomain emailTrust(trustEmail, defaultOCSPFetching,
- mOCSPCache, pinArg, ocspGETConfig,
- mOCSPTimeoutSoft, mOCSPTimeoutHard,
- mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
- ValidityCheckingMode::CheckingOff,
- SHA1Mode::Allowed,
- NetscapeStepUpPolicy::NeverMatch,
- originAttributes, builtChain, nullptr,
- nullptr);
- rv = BuildCertChain(emailTrust, certDER, time, endEntityOrCA,
- keyUsage, eku, CertPolicyId::anyPolicy,
- stapledOCSPResponse);
- if (rv == Result::ERROR_UNKNOWN_ISSUER) {
- NSSCertDBTrustDomain objectSigningTrust(trustObjectSigning,
- defaultOCSPFetching,
- mOCSPCache, pinArg,
- ocspGETConfig,
- mOCSPTimeoutSoft,
- mOCSPTimeoutHard,
- mCertShortLifetimeInDays,
- pinningDisabled,
- MIN_RSA_BITS_WEAK,
- ValidityCheckingMode::CheckingOff,
- SHA1Mode::Allowed,
- NetscapeStepUpPolicy::NeverMatch,
- originAttributes, builtChain,
- nullptr, nullptr);
- rv = BuildCertChain(objectSigningTrust, certDER, time,
- endEntityOrCA, keyUsage, eku,
- CertPolicyId::anyPolicy, stapledOCSPResponse);
- }
- }
-
- break;
- }
-
default:
rv = Result::FATAL_ERROR_INVALID_ARGS;
}
if (rv != Success) {
return rv;
}
--- a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
+++ b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
@@ -282,15 +282,14 @@ certErrorNotYetValidNow=The certificate
# LOCALIZATION NOTE (certErrorCodePrefix2): Do not translate <a id="errorCode" title="%1$S">%1$S</a>
certErrorCodePrefix2=Error code: <a id="errorCode" title="%1$S">%1$S</a>
P12DefaultNickname=Imported Certificate
CertUnknown=Unknown
CertNoEmailAddress=(no email address)
CaCertExists=This certificate is already installed as a certificate authority.
NotACACert=This is not a certificate authority certificate, so it can’t be imported into the certificate authority list.
-NotImportingUnverifiedCert=This certificate can’t be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved.
UserCertIgnoredNoPrivateKey=This personal certificate can’t be installed because you do not own the corresponding private key which was created when the certificate was requested.
UserCertImported=Your personal certificate has been installed. You should keep a backup copy of this certificate.
CertOrgUnknown=(Unknown)
CertNotStored=(Not Stored)
CertExceptionPermanent=Permanent
CertExceptionTemporary=Temporary
--- a/security/manager/ssl/nsNSSCertificate.cpp
+++ b/security/manager/ssl/nsNSSCertificate.cpp
@@ -670,18 +670,17 @@ nsNSSCertificate::GetChain(nsIArray** _r
}
// This is the whitelist of all non-SSLServer usages that are supported by
// verifycert.
const int otherUsagesToTest = certificateUsageSSLClient |
certificateUsageSSLCA |
certificateUsageEmailSigner |
certificateUsageEmailRecipient |
- certificateUsageObjectSigner |
- certificateUsageStatusResponder;
+ certificateUsageObjectSigner;
for (int usage = certificateUsageSSLClient;
usage < certificateUsageAnyCA && !nssChain;
usage = usage << 1) {
if ((usage & otherUsagesToTest) == 0) {
continue;
}
if (certVerifier->VerifyCert(mCert.get(), usage, now,
nullptr, /*XXX fixme*/
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -236,16 +236,43 @@ ChangeCertTrustWithPossibleAuthenticatio
srv = PK11_Authenticate(internalSlot.get(), PR_TRUE, ctx);
}
if (srv != SECSuccess) {
return srv;
}
return CERT_ChangeCertTrust(nullptr, cert.get(), &trust);
}
+static nsresult
+ImportCertsIntoPermanentStorage(const UniqueCERTCertList& certChain,
+ const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+{
+ bool encounteredFailure = false;
+ PRErrorCode savedErrorCode = 0;
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ for (CERTCertListNode* chainNode = CERT_LIST_HEAD(certChain);
+ !CERT_LIST_END(chainNode, certChain);
+ chainNode = CERT_LIST_NEXT(chainNode)) {
+ UniquePORTString nickname(CERT_MakeCANickname(chainNode->cert));
+ SECStatus srv = PK11_ImportCert(slot.get(), chainNode->cert,
+ CK_INVALID_HANDLE, nickname.get(),
+ false); // this parameter is ignored by NSS
+ if (srv != SECSuccess) {
+ encounteredFailure = true;
+ savedErrorCode = PR_GetError();
+ }
+ }
+
+ if (encounteredFailure) {
+ return GetXPCOMFromNSSError(savedErrorCode);
+ }
+
+ return NS_OK;
+}
+
nsresult
nsNSSCertificateDB::handleCACertDownload(NotNull<nsIArray*> x509Certs,
nsIInterfaceRequestor *ctx,
const nsNSSShutDownPreventionLock &proofOfLock)
{
// First thing we have to do is figure out which certificate we're
// gonna present to the user. The CA may have sent down a list of
// certs which may or may not be a chained list of certs. Until
@@ -399,17 +426,17 @@ nsNSSCertificateDB::handleCACertDownload
if (CERT_AddCertToListTail(certList.get(), tmpCert2.get()) != SECSuccess) {
continue;
}
Unused << tmpCert2.release();
}
- return ImportValidCACertsInList(certList, ctx, proofOfLock);
+ return ImportCertsIntoPermanentStorage(certList, proofOfLock);
}
NS_IMETHODIMP
nsNSSCertificateDB::ImportCertificates(uint8_t* data, uint32_t length,
uint32_t type,
nsIInterfaceRequestor* ctx)
{
nsNSSShutDownPreventionLock locker;
@@ -451,111 +478,75 @@ nsNSSCertificateDB::ImportCertificates(u
return rv;
}
}
return handleCACertDownload(WrapNotNull(array), ctx, locker);
}
/**
- * Filters an array of certs by usage and imports them into temporary storage.
+ * Decodes a given array of DER-encoded certificates into temporary storage.
*
* @param numcerts
* Size of the |certs| array.
* @param certs
- * Pointer to array of certs to import.
- * @param usage
- * Usage the certs should be filtered on.
- * @param caOnly
- * Whether to import only CA certs.
- * @param filteredCerts
- * List of certs that weren't filtered out and were successfully imported.
+ * Pointer to array of certs to decode.
+ * @param temporaryCerts
+ * List of decoded certificates.
*/
static nsresult
ImportCertsIntoTempStorage(int numcerts, SECItem* certs,
- const SECCertUsage usage, const bool caOnly,
const nsNSSShutDownPreventionLock& /*proofOfLock*/,
- /*out*/ const UniqueCERTCertList& filteredCerts)
+ /*out*/ const UniqueCERTCertList& temporaryCerts)
{
NS_ENSURE_ARG_MIN(numcerts, 1);
NS_ENSURE_ARG_POINTER(certs);
- NS_ENSURE_ARG_POINTER(filteredCerts.get());
+ NS_ENSURE_ARG_POINTER(temporaryCerts);
// CERT_ImportCerts() expects an array of *pointers* to SECItems, so we have
// to convert |certs| to such a format first.
SECItem** ptrArray =
static_cast<SECItem**>(PORT_Alloc(sizeof(SECItem*) * numcerts));
if (!ptrArray) {
return NS_ERROR_OUT_OF_MEMORY;
}
for (int i = 0; i < numcerts; i++) {
ptrArray[i] = &certs[i];
}
CERTCertificate** importedCerts = nullptr;
- SECStatus srv = CERT_ImportCerts(CERT_GetDefaultCertDB(), usage,
+ SECStatus srv = CERT_ImportCerts(CERT_GetDefaultCertDB(),
+ certUsageAnyCA, // this argument is ignored
numcerts, ptrArray, &importedCerts, false,
- caOnly, nullptr);
+ false, // this argument is ignored
+ nullptr);
PORT_Free(ptrArray);
ptrArray = nullptr;
if (srv != SECSuccess) {
return NS_ERROR_FAILURE;
}
for (int i = 0; i < numcerts; i++) {
if (!importedCerts[i]) {
continue;
}
UniqueCERTCertificate cert(CERT_DupCertificate(importedCerts[i]));
if (!cert) {
continue;
}
- if (CERT_AddCertToListTail(filteredCerts.get(), cert.get()) == SECSuccess) {
+ if (CERT_AddCertToListTail(temporaryCerts.get(), cert.get()) == SECSuccess) {
Unused << cert.release();
}
}
CERT_DestroyCertArray(importedCerts, numcerts);
- // CERT_ImportCerts() ignores its |usage| parameter, so we have to manually
- // filter out unwanted certs.
- if (CERT_FilterCertListByUsage(filteredCerts.get(), usage, caOnly)
- != SECSuccess) {
- return NS_ERROR_FAILURE;
- }
-
- return NS_OK;
-}
-
-static nsresult
-ImportCertsIntoPermanentStorage(const UniqueCERTCertList& certChain)
-{
- bool encounteredFailure = false;
- PRErrorCode savedErrorCode = 0;
- UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
- for (CERTCertListNode* chainNode = CERT_LIST_HEAD(certChain);
- !CERT_LIST_END(chainNode, certChain);
- chainNode = CERT_LIST_NEXT(chainNode)) {
- UniquePORTString nickname(CERT_MakeCANickname(chainNode->cert));
- SECStatus srv = PK11_ImportCert(slot.get(), chainNode->cert,
- CK_INVALID_HANDLE, nickname.get(),
- false); // this parameter is ignored by NSS
- if (srv != SECSuccess) {
- encounteredFailure = true;
- savedErrorCode = PR_GetError();
- }
- }
-
- if (encounteredFailure) {
- return GetXPCOMFromNSSError(savedErrorCode);
- }
-
return NS_OK;
}
NS_IMETHODIMP
nsNSSCertificateDB::ImportEmailCertificate(uint8_t* data, uint32_t length,
nsIInterfaceRequestor* ctx)
{
nsNSSShutDownPreventionLock locker;
@@ -568,115 +559,48 @@ nsNSSCertificateDB::ImportEmailCertifica
return NS_ERROR_OUT_OF_MEMORY;
}
CERTDERCerts *certCollection = getCertsFromPackage(arena, data, length, locker);
if (!certCollection) {
return NS_ERROR_FAILURE;
}
- UniqueCERTCertList filteredCerts(CERT_NewCertList());
- if (!filteredCerts) {
+ UniqueCERTCertList temporaryCerts(CERT_NewCertList());
+ if (!temporaryCerts) {
return NS_ERROR_FAILURE;
}
nsresult rv = ImportCertsIntoTempStorage(certCollection->numcerts,
certCollection->rawCerts,
- certUsageEmailRecipient,
- false, locker, filteredCerts);
+ locker, temporaryCerts);
if (NS_FAILED(rv)) {
return rv;
}
- RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
- if (!certVerifier) {
- return NS_ERROR_UNEXPECTED;
- }
-
- // Iterate through the filtered cert list and import verified certs into
- // permanent storage.
- // Note: We verify the certs in order to prevent DoS attacks. See Bug 249004.
- for (CERTCertListNode* node = CERT_LIST_HEAD(filteredCerts.get());
- !CERT_LIST_END(node, filteredCerts.get());
- node = CERT_LIST_NEXT(node)) {
- if (!node->cert) {
- continue;
- }
-
- UniqueCERTCertList certChain;
- mozilla::pkix::Result result =
- certVerifier->VerifyCert(node->cert, certificateUsageEmailRecipient,
- mozilla::pkix::Now(), ctx, nullptr, certChain);
- if (result != mozilla::pkix::Success) {
- nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(node->cert);
- DisplayCertificateAlert(ctx, "NotImportingUnverifiedCert", certToShow, locker);
- continue;
- }
- rv = ImportCertsIntoPermanentStorage(certChain);
- if (NS_FAILED(rv)) {
- return rv;
- }
- CERT_SaveSMimeProfile(node->cert, nullptr, nullptr);
- }
-
- return NS_OK;
+ return ImportCertsIntoPermanentStorage(temporaryCerts, locker);
}
nsresult
-nsNSSCertificateDB::ImportValidCACerts(int numCACerts, SECItem* caCerts,
- nsIInterfaceRequestor* ctx,
- const nsNSSShutDownPreventionLock& proofOfLock)
+nsNSSCertificateDB::ImportCACerts(int numCACerts, SECItem* caCerts,
+ nsIInterfaceRequestor* ctx,
+ const nsNSSShutDownPreventionLock& proofOfLock)
{
- UniqueCERTCertList filteredCerts(CERT_NewCertList());
- if (!filteredCerts) {
+ UniqueCERTCertList temporaryCerts(CERT_NewCertList());
+ if (!temporaryCerts) {
return NS_ERROR_FAILURE;
}
- nsresult rv = ImportCertsIntoTempStorage(numCACerts, caCerts, certUsageAnyCA,
- true, proofOfLock, filteredCerts);
+ nsresult rv = ImportCertsIntoTempStorage(numCACerts, caCerts, proofOfLock,
+ temporaryCerts);
if (NS_FAILED(rv)) {
return rv;
}
- return ImportValidCACertsInList(filteredCerts, ctx, proofOfLock);
-}
-
-nsresult
-nsNSSCertificateDB::ImportValidCACertsInList(const UniqueCERTCertList& filteredCerts,
- nsIInterfaceRequestor* ctx,
- const nsNSSShutDownPreventionLock& proofOfLock)
-{
- RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
- if (!certVerifier) {
- return NS_ERROR_UNEXPECTED;
- }
-
- // Iterate through the filtered cert list and import verified certs into
- // permanent storage.
- // Note: We verify the certs in order to prevent DoS attacks. See Bug 249004.
- for (CERTCertListNode* node = CERT_LIST_HEAD(filteredCerts.get());
- !CERT_LIST_END(node, filteredCerts.get());
- node = CERT_LIST_NEXT(node)) {
- UniqueCERTCertList certChain;
- mozilla::pkix::Result result =
- certVerifier->VerifyCert(node->cert, certificateUsageVerifyCA,
- mozilla::pkix::Now(), ctx, nullptr, certChain);
- if (result != mozilla::pkix::Success) {
- nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(node->cert);
- DisplayCertificateAlert(ctx, "NotImportingUnverifiedCert", certToShow, proofOfLock);
- continue;
- }
-
- nsresult rv = ImportCertsIntoPermanentStorage(certChain);
- if (NS_FAILED(rv)) {
- return rv;
- }
- }
-
- return NS_OK;
+ return ImportCertsIntoPermanentStorage(temporaryCerts, proofOfLock);
}
void nsNSSCertificateDB::DisplayCertificateAlert(nsIInterfaceRequestor *ctx,
const char *stringID,
nsIX509Cert *certToShow,
const nsNSSShutDownPreventionLock &/*proofOfLock*/)
{
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
@@ -767,17 +691,17 @@ nsNSSCertificateDB::ImportUserCertificat
nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(cert.get());
DisplayCertificateAlert(ctx, "UserCertImported", certToShow, locker);
}
nsresult rv = NS_OK;
int numCACerts = collectArgs->numcerts - 1;
if (numCACerts) {
SECItem* caCerts = collectArgs->rawCerts + 1;
- rv = ImportValidCACerts(numCACerts, caCerts, ctx, locker);
+ rv = ImportCACerts(numCACerts, caCerts, ctx, locker);
}
nsCOMPtr<nsIObserverService> observerService =
mozilla::services::GetObserverService();
if (observerService) {
observerService->NotifyObservers(nullptr, "psm:user-certificate-added", nullptr);
}
--- a/security/manager/ssl/nsNSSCertificateDB.h
+++ b/security/manager/ssl/nsNSSCertificateDB.h
@@ -20,41 +20,35 @@ class nsIArray;
class nsNSSCertificateDB final : public nsIX509CertDB
, public nsNSSShutDownObject
{
public:
NS_DECL_THREADSAFE_ISUPPORTS
NS_DECL_NSIX509CERTDB
- // Use this function to generate a default nickname for a user
- // certificate that is to be imported onto a token.
- static void
- get_default_nickname(CERTCertificate *cert, nsIInterfaceRequestor* ctx,
- nsCString &nickname,
- const nsNSSShutDownPreventionLock &proofOfLock);
-
- static nsresult
- ImportValidCACerts(int numCACerts, SECItem *CACerts, nsIInterfaceRequestor *ctx,
- const nsNSSShutDownPreventionLock &proofOfLock);
-
// This is a separate static method so nsNSSComponent can use it during NSS
// initialization. Other code should probably not use it.
static nsresult
FindCertByDBKey(const nsACString& aDBKey, mozilla::UniqueCERTCertificate& cert);
protected:
virtual ~nsNSSCertificateDB();
private:
+ // Use this function to generate a default nickname for a user
+ // certificate that is to be imported onto a token.
+ static void
+ get_default_nickname(CERTCertificate* cert, nsIInterfaceRequestor* ctx,
+ nsCString& nickname,
+ const nsNSSShutDownPreventionLock& proofOfLock);
static nsresult
- ImportValidCACertsInList(const mozilla::UniqueCERTCertList& filteredCerts,
- nsIInterfaceRequestor* ctx,
- const nsNSSShutDownPreventionLock& proofOfLock);
+ ImportCACerts(int numCACerts, SECItem* CACerts, nsIInterfaceRequestor* ctx,
+ const nsNSSShutDownPreventionLock& proofOfLock);
static void DisplayCertificateAlert(nsIInterfaceRequestor *ctx,
const char *stringID, nsIX509Cert *certToShow,
const nsNSSShutDownPreventionLock &proofOfLock);
CERTDERCerts* getCertsFromPackage(const mozilla::UniquePLArenaPool& arena,
uint8_t* data, uint32_t length,
const nsNSSShutDownPreventionLock& proofOfLock);
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -86,31 +86,27 @@ const MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NA
// Supported Certificate Usages
const certificateUsageSSLClient = 0x0001;
const certificateUsageSSLServer = 0x0002;
const certificateUsageSSLCA = 0x0008;
const certificateUsageEmailSigner = 0x0010;
const certificateUsageEmailRecipient = 0x0020;
const certificateUsageObjectSigner = 0x0040;
-const certificateUsageVerifyCA = 0x0100;
-const certificateUsageStatusResponder = 0x0400;
// A map from the name of a certificate usage to the value of the usage.
// Useful for printing debugging information and for enumerating all supported
// usages.
const allCertificateUsages = {
certificateUsageSSLClient,
certificateUsageSSLServer,
certificateUsageSSLCA,
certificateUsageEmailSigner,
certificateUsageEmailRecipient,
certificateUsageObjectSigner,
- certificateUsageVerifyCA,
- certificateUsageStatusResponder
};
const NO_FLAGS = 0;
// Commonly certificates are represented as PEM. The format is roughly as
// follows:
//
// -----BEGIN CERTIFICATE-----
--- a/security/manager/ssl/tests/unit/test_cert_keyUsage.js
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage.js
@@ -9,17 +9,17 @@ do_get_profile(); // must be called befo
var certdb = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
const caList = [ "ca-no-keyUsage-extension", "ca-missing-keyCertSign",
"ca-all-usages" ];
const eeList = [ "ee-no-keyUsage-extension", "ee-keyCertSign-only",
"ee-keyEncipherment-only", "ee-keyCertSign-and-keyEncipherment" ];
-const caUsage = [ certificateUsageSSLCA, certificateUsageVerifyCA ];
+const caUsage = [ certificateUsageSSLCA ];
const allEEUsages = [ certificateUsageSSLClient, certificateUsageSSLServer,
certificateUsageEmailSigner, certificateUsageEmailRecipient,
certificateUsageObjectSigner ];
const serverEEUsages = [ certificateUsageSSLServer,
certificateUsageEmailRecipient ];
const expectedUsagesMap = {
"ca-no-keyUsage-extension": caUsage,
--- a/security/manager/ssl/tests/unit/test_cert_trust.js
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -33,40 +33,32 @@ function test_ca_distrust(ee_cert, cert_
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
- certificateUsageVerifyCA);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
- certificateUsageStatusResponder);
// Test of active distrust. No usage should pass.
setCertTrust(cert_to_modify_trust, "p,p,p");
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageObjectSigner);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
- certificateUsageVerifyCA);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
- certificateUsageStatusResponder);
// Trust set to T - trusted CA to issue client certs, where client cert is
// usageSSLClient.
setCertTrust(cert_to_modify_trust, "T,T,T");
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageSSLServer);
@@ -82,22 +74,16 @@ function test_ca_distrust(ee_cert, cert_
: PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageObjectSigner);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
- certificateUsageVerifyCA);
- checkCertErrorGeneric(certdb, ee_cert,
- isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
- : SEC_ERROR_INADEQUATE_CERT_TYPE,
- certificateUsageStatusResponder);
// Now tests on the SSL trust bit
setCertTrust(cert_to_modify_trust, "p,C,C");
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
// XXX(Bug 982340)
@@ -106,20 +92,16 @@ function test_ca_distrust(ee_cert, cert_
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
- certificateUsageVerifyCA);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
- certificateUsageStatusResponder);
// Inherited trust SSL
setCertTrust(cert_to_modify_trust, ",C,C");
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageSSLServer);
// XXX(Bug 982340)
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
@@ -127,39 +109,31 @@ function test_ca_distrust(ee_cert, cert_
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
- certificateUsageVerifyCA);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
- certificateUsageStatusResponder);
// Now tests on the EMAIL trust bit
setCertTrust(cert_to_modify_trust, "C,p,C");
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
- certificateUsageVerifyCA);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
- certificateUsageStatusResponder);
// inherited EMAIL Trust
setCertTrust(cert_to_modify_trust, "C,,C");
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
@@ -169,20 +143,16 @@ function test_ca_distrust(ee_cert, cert_
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
- certificateUsageVerifyCA);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
- certificateUsageStatusResponder);
}
function run_test() {
let certList = [
"ca",
"int",
"ee",
--- a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
@@ -22,17 +22,17 @@ function test_cert_for_usages(certChainN
let cert = certs[0];
return asyncTestCertificateUsages(certdb, cert, expected_usages);
}
add_task(async function() {
let ee_usages = [ certificateUsageSSLClient, certificateUsageSSLServer,
certificateUsageEmailSigner, certificateUsageEmailRecipient,
certificateUsageObjectSigner ];
- let ca_usages = [ certificateUsageSSLCA, certificateUsageVerifyCA ];
+ let ca_usages = [ certificateUsageSSLCA ];
let eku_usages = [ certificateUsageSSLClient, certificateUsageSSLServer ];
// Load the ca into mem
let ca_name = "ca";
load_cert(ca_name, "CTu,CTu,CTu");
await test_cert_for_usages([ca_name], ca_usages);
// A certificate with no basicConstraints extension is considered an EE.