--- a/python/mozbuild/mozbuild/action/test_archive.py
+++ b/python/mozbuild/mozbuild/action/test_archive.py
@@ -30,16 +30,17 @@ import mozpack.path as mozpath
import buildconfig
STAGE = mozpath.join(buildconfig.topobjdir, 'dist', 'test-stage')
TEST_HARNESS_BINS = [
'BadCertServer',
'GenerateOCSPResponse',
'OCSPStaplingServer',
+ 'SymantecSanctionsServer',
'SmokeDMD',
'certutil',
'crashinject',
'fileid',
'geckodriver',
'minidumpwriter',
'pk12util',
'screenshot',
--- a/python/mozbuild/mozbuild/artifacts.py
+++ b/python/mozbuild/mozbuild/artifacts.py
@@ -124,16 +124,17 @@ class ArtifactJob(object):
# Each item is a pair of (pattern, (src_prefix, dest_prefix), where src_prefix
# is the prefix of the pattern relevant to its location in the archive, and
# dest_prefix is the prefix to be added that will yield the final path relative
# to dist/.
test_artifact_patterns = {
('bin/BadCertServer', ('bin', 'bin')),
('bin/GenerateOCSPResponse', ('bin', 'bin')),
('bin/OCSPStaplingServer', ('bin', 'bin')),
+ ('bin/SymantecSanctionsServer', ('bin', 'bin')),
('bin/certutil', ('bin', 'bin')),
('bin/fileid', ('bin', 'bin')),
('bin/geckodriver', ('bin', 'bin')),
('bin/pk12util', ('bin', 'bin')),
('bin/screentopng', ('bin', 'bin')),
('bin/ssltunnel', ('bin', 'bin')),
('bin/xpcshell', ('bin', 'bin')),
('bin/plugins/gmp-*/*/*', ('bin/plugins', 'bin')),
@@ -429,16 +430,17 @@ class WinArtifactJob(ArtifactJob):
product = 'firefox'
# These are a subset of TEST_HARNESS_BINS in testing/mochitest/Makefile.in.
test_artifact_patterns = {
('bin/BadCertServer.exe', ('bin', 'bin')),
('bin/GenerateOCSPResponse.exe', ('bin', 'bin')),
('bin/OCSPStaplingServer.exe', ('bin', 'bin')),
+ ('bin/SymantecSanctionsServer.exe', ('bin', 'bin')),
('bin/certutil.exe', ('bin', 'bin')),
('bin/fileid.exe', ('bin', 'bin')),
('bin/geckodriver.exe', ('bin', 'bin')),
('bin/pk12util.exe', ('bin', 'bin')),
('bin/screenshot.exe', ('bin', 'bin')),
('bin/ssltunnel.exe', ('bin', 'bin')),
('bin/xpcshell.exe', ('bin', 'bin')),
('bin/plugins/gmp-*/*/*', ('bin/plugins', 'bin')),
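Review bot: The comment on this WinArtifactJob list, "These are a subset of TEST_HARNESS_BINS in testing/mochitest/Makefile.in", and the same reference in the remotexpcshelltests.py hunk (`# TEST_HARNESS_BINS in testing/mochitest/Makefile.in.`) point at a file this diff does not touch, while the TEST_HARNESS_BINS list that is actually updated here lives in python/mozbuild/mozbuild/action/test_archive.py. If the mochitest Makefile.in list still exists it needs the same SymantecSanctionsServer entry; if it has moved, both comments are stale and should name test_archive.py instead. Since the Linux/Mac and Windows pattern sets, test_archive.py and remotexpcshelltests.py all had to be edited in lockstep for one new binary, a `# Keep in sync with TEST_HARNESS_BINS in python/mozbuild/mozbuild/action/test_archive.py.` comment on each list would make the coupling explicit.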
--- a/security/manager/ssl/tests/unit/moz.build
+++ b/security/manager/ssl/tests/unit/moz.build
@@ -31,10 +31,11 @@ TEST_DIRS += [
'test_missing_intermediate',
'test_name_constraints',
'test_ocsp_fetch_method',
'test_ocsp_url',
'test_onecrl',
'test_pinning_dynamic',
'test_signed_apps',
'test_startcom_wosign',
+ 'test_symantec_apple_google',
'test_validity',
]
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google.js
@@ -0,0 +1,40 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests handling of certificates issued by Symantec. If such
+// certificates have a notBefore before 1 June 2016, and are not
+// issued by an Apple or Google intermediate, they should emit a
+// warning to the console.
+
+function shouldBeImminentlyDistrusted(aTransportSecurityInfo) {
+ let isDistrust = aTransportSecurityInfo.securityState &
+ Ci.nsIWebProgressListener.STATE_CERT_DISTRUST_IMMINENT;
+ Assert.ok(isDistrust, "This host should be imminently distrusted");
+}
+
+function shouldNotBeImminentlyDistrusted(aTransportSecurityInfo) {
+ let isDistrust = aTransportSecurityInfo.securityState &
+ Ci.nsIWebProgressListener.STATE_CERT_DISTRUST_IMMINENT;
+ Assert.ok(!isDistrust, "This host should not be imminently distrusted");
+}
+
+do_get_profile();
+
+add_tls_server_setup("SymantecSanctionsServer", "test_symantec_apple_google");
+
+// Whitelisted certs aren't to be distrusted
+add_connection_test("symantec-whitelist-after-cutoff.example.com",
+ PRErrorCodeSuccess, null, shouldNotBeImminentlyDistrusted);
+
+add_connection_test("symantec-whitelist-before-cutoff.example.com",
+ PRErrorCodeSuccess, null, shouldNotBeImminentlyDistrusted);
+
+// Not-whitelisted certs after the cutoff aren't distrusted
+add_connection_test("symantec-not-whitelisted-after-cutoff.example.com",
+ PRErrorCodeSuccess, null, shouldNotBeImminentlyDistrusted);
+
+// Not whitelisted certs before the cutoff are to be distrusted
+add_connection_test("symantec-not-whitelisted-before-cutoff.example.com",
+ PRErrorCodeSuccess, null, shouldBeImminentlyDistrusted);
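Review bot: The header comment says affected certificates "should emit a warning to the console", but nothing in this file inspects console output; both helpers test the STATE_CERT_DISTRUST_IMMINENT bit of securityState, so the comment should describe what is asserted, e.g. `// issued by an Apple or Google intermediate, the connection's securityState` / `// should carry STATE_CERT_DISTRUST_IMMINENT (the console warning is not checked here).` The two after-cutoff certspecs use validity:20160601, so their notBefore equals the cutoff date itself and the test pins that a notBefore on 1 June 2016 counts as "after"; a one-line comment on the after-cutoff cases stating that would keep the boundary from being moved by accident. shouldBeImminentlyDistrusted and shouldNotBeImminentlyDistrusted differ only in the expected polarity and could be one helper parameterised by a boolean, though that is a matter of style.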
copy from security/manager/ssl/tests/unit/bad_certs/default-ee.key
copy to security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key
copy from security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec
copy to security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key.keyspec
copy from security/manager/ssl/tests/unit/bad_certs/default-ee.pem
copy to security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem
--- a/security/manager/ssl/tests/unit/bad_certs/default-ee.pem
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem
@@ -13,9 +13,9 @@ aW5nLmV4YW1wbGUuY29tgigqLmluY2x1ZGUtc3Vi
YW1wbGUuY29tgigqLmV4Y2x1ZGUtc3ViZG9tYWlucy5waW5uaW5nLmV4YW1wbGUu
Y29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9z
dDo4ODg4LzALBgkqhkiG9w0BAQsDggEBAH6+Qe/y1TTCx2w6f31VWp5lcizPkS8s
ODfbgT9pKYqqvYDeiDu3q8SLGHTTsHWWewBCu5Jd0mXPXfZ4FEHcwbVJZUZBvQVr
1aNBCriuzhNUyfjkvfCgM4OuxgNwjbihGDE8VzfxTiz8mDN0AgACCZaUTQnybQc0
SW+ldxspBgQJom0tkZ+TGi80L3/5P5J2+7AchxhAZzQmebDnxNYDZXCJH8w15was
OzM5BrQzz3vuxupO7lsRzZIzAU+uQD4bjcMpz3oMdj3/0lb0HZGMdU22Ub36PvLC
6mYbTtf0IS5TVyLnbCNeliE6zoPnQPBzAUfoOeD1Tn6HQUQUT8oTf2E=
------END CERTIFICATE-----
\ No newline at end of file
+-----END CERTIFICATE-----
copy from security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec
copy to security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem.certspec
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-after-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-after-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+subject:ee-from-whitelist-after-cutoff
+validity:20160601-20500101
+extension:subjectAlternativeName:symantec-whitelist-after-cutoff.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-before-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-before-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+subject:ee-from-whitelist-before-cutoff
+validity:20140601-20500101
+extension:subjectAlternativeName:symantec-whitelist-before-cutoff.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-after-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-after-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+subject:ee-not-whitelisted-after-cutoff
+validity:20160601-20500101
+extension:subjectAlternativeName:symantec-not-whitelisted-after-cutoff.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-before-cutoff.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSTCCAjOgAwIBAgIUA8x0aNBUQ08bBOtgaAQjVSarFUUwCwYJKoZIhvcNAQEL
+ME8xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9Bbm90aGVyIENBIEluYy4xJjAkBgNV
+BAMTHVNvbWUgT3RoZXIgQ0EgVGhhbiBUaGUgT3RoZXJzMCIYDzIwMTQwNjAxMDAw
+MDAwWhgPMjA1MDAxMDEwMDAwMDBaMCsxKTAnBgNVBAMMIGVlLW5vdC13aGl0ZWxp
+c3RlZC1iZWZvcmUtY3V0b2ZmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu
+Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO
+7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf
+qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt
+HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx
+uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo0EwPzA9BgNVHREENjA0gjJzeW1hbnRl
+Yy1ub3Qtd2hpdGVsaXN0ZWQtYmVmb3JlLWN1dG9mZi5leGFtcGxlLmNvbTALBgkq
+hkiG9w0BAQsDggEBAE0WCx+/EFCXGQwZDBY0W0AJ4zvHD8m1BNzFi0UPS1QwSVch
+Ic9jMbwehw0ONGNzpHKdEm4kpIrzzqdGuV2+Zohw2uqVhHuE2VFUDp24gW+MTE9g
+UAdwTv5oKsQrbY3bXY8ssKw2qoLYGwDHJbrKn+QtJeEklDWPLO2Xhpy9v5Ug8pvk
+pSRHyS2KEFSvHLAdpWUE37bXqHaTEM3xT/OEwqsXYzPgCX2RVy6Z9Z/vOz4/qHN7
+WrYmhQ+y+z0QlYl3N4Vo3kJc8mBJzMgSwgrZGHUbSISOiLC3F4qfkoEiZ4AY2ZkH
+hM8CK6afklgNCFamt6Q0/lr9pVbww2l5Cs9cMq8=
+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-before-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+subject:ee-not-whitelisted-before-cutoff
+validity:20140601-20500101
+extension:subjectAlternativeName:symantec-not-whitelisted-before-cutoff.example.com
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-other.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPDCCAiagAwIBAgIUSeAhQo5HgA/QPjSlL7bpwnAVbWIwCwYJKoZIhvcNAQEL
+MEIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQD
+ExJHZW9UcnVzdCBHbG9iYWwgQ0EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEw
+MTAwMDAwMFowTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3RoZXIgQ0EgSW5j
+LjEmMCQGA1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhlcnMwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk
+NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC
+fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m
+CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM
+HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m
+1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj
+HTAbMAsGA1UdDwQEAwIBBjAMBgNVHRMEBTADAQH/MAsGCSqGSIb3DQEBCwOCAQEA
+a7Im726SOtReXjBQnRHJIOXOx/bLStaQRg1Q+eDD2ThLu6F86D8NHmuu/eCPspXI
++Yk8yCY7vHmRV6kzeBM5PRKND5DY1ryzAA3YLIo1TZxd2wkoyBHlwx0tYmKXrTB/
+Mc7BM+8PsFrFOulZYIdsoTeFSjACADrZBLDH9ppN9cNlzJfm/kUo/2rxJsaz5rU3
+xidZSUl5y9apuRHmV2uGlDlTsWQFQq05xeyPsQcI077Q4okmgZvC1flweoquIkc7
+GEQT0hahe8ZhfQXZo3xRBZoaCieFcPYbnwtaVH3Zn4hw+VcFAAl2PqB3ING0fTtc
+OCqKSIcSjbpx9ukW4vmpxg==
+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-other.pem.certspec
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+subject:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-whitelisted.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-whitelisted.pem.certspec
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+subject:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/moz.build
@@ -0,0 +1,20 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# Temporarily disabled. See bug 1256495.
+#test_certificates = (
+# 'default-ee.pem',
+# 'ee-from-whitelist-after-cutoff.pem',
+# 'ee-from-whitelist-before-cutoff.pem',
+# 'ee-not-whitelisted-after-cutoff.pem',
+# 'ee-not-whitelisted-before-cutoff.pem',
+# 'intermediate-other.pem',
+# 'intermediate-whitelisted.pem',
+# 'test-ca.pem',
+#)
+#
+#for test_certificate in test_certificates:
+# GeneratedTestCertificate(test_certificate)
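Review bot: Every statement in this moz.build is commented out, so the .pem files added alongside it are checked in as-is and will not be regenerated from their .certspec files; the comment only says "Temporarily disabled. See bug 1256495." and does not tell a maintainer what to do when a certspec changes. Extend it, e.g. `# Until this is re-enabled the .pem files next to the .certspec files are` / `# checked in and must be regenerated by hand whenever a certspec changes.` The TEST_DIRS entry added in security/manager/ssl/tests/unit/moz.build therefore currently pulls in a directory whose moz.build does nothing, which is harmless but worth stating in the same comment.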
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/test-ca.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google/test-ca.pem.certspec
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+subject:printableString/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google_unaffected.js
@@ -0,0 +1,22 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests handling of certificates issued by Symantec. If such
+// certificates have a notBefore before 1 June 2016, and are not
+// issued by an Apple or Google intermediate, they should emit a
+// warning to the console.
+
+function shouldNotBeImminentlyDistrusted(aTransportSecurityInfo) {
+ let isDistrust = aTransportSecurityInfo.securityState &
+ Ci.nsIWebProgressListener.STATE_CERT_DISTRUST_IMMINENT;
+ Assert.ok(!isDistrust, "This host should not be imminently distrusted");
+}
+
+do_get_profile();
+
+add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+add_connection_test("ocsp-stapling-good.example.com",
+ PRErrorCodeSuccess, null, shouldNotBeImminentlyDistrusted);
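Review bot: The four-line header comment is copied verbatim from test_symantec_apple_google.js and describes that test, not this one, which only checks that the ocsp-stapling-good.example.com certificate served by OCSPStaplingServer from ocsp_certs does not get STATE_CERT_DISTRUST_IMMINENT set. Replace it with something like `// Tests that a certificate not issued under the affected Symantec hierarchy` / `// is never flagged with STATE_CERT_DISTRUST_IMMINENT, whatever its notBefore.` Whether the ocsp_certs chain is in fact outside the affected hierarchy cannot be confirmed from this diff, so a sentence naming why that fixture was chosen would help the next reader.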
copy from security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
copy to security/manager/ssl/tests/unit/tlsserver/cmd/SymantecSanctionsServer.cpp
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/SymantecSanctionsServer.cpp
@@ -13,77 +13,30 @@
#include <stdio.h>
#include "TLSServer.h"
using namespace mozilla;
using namespace mozilla::test;
-struct BadCertHost
+struct SymantecCertHost
{
const char *mHostName;
const char *mCertName;
};
// Hostname, cert nickname pairs.
-const BadCertHost sBadCertHosts[] =
+const SymantecCertHost sSymantecCertHosts[] =
{
- { "expired.example.com", "expired-ee" },
- { "notyetvalid.example.com", "notYetValid" },
- { "before-epoch.example.com", "beforeEpoch" },
- { "selfsigned.example.com", "selfsigned" },
- { "unknownissuer.example.com", "unknownissuer" },
- { "mismatch.example.com", "mismatch" },
- { "mismatch-CN.example.com", "mismatchCN" },
- { "expiredissuer.example.com", "expiredissuer" },
- { "notyetvalidissuer.example.com", "notYetValidIssuer" },
- { "before-epoch-issuer.example.com", "beforeEpochIssuer" },
- { "md5signature.example.com", "md5signature" },
- { "untrusted.example.com", "default-ee" },
- { "untrustedissuer.example.com", "untrustedissuer" },
- { "mismatch-expired.example.com", "mismatch-expired" },
- { "mismatch-notYetValid.example.com", "mismatch-notYetValid" },
- { "mismatch-untrusted.example.com", "mismatch-untrusted" },
- { "untrusted-expired.example.com", "untrusted-expired" },
- { "md5signature-expired.example.com", "md5signature-expired" },
- { "mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired" },
- { "inadequatekeyusage.example.com", "inadequatekeyusage-ee" },
- { "selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU" },
- { "self-signed-end-entity-with-cA-true.example.com", "self-signed-EE-with-cA-true" },
- { "ca-used-as-end-entity.example.com", "ca-used-as-end-entity" },
- { "ca-used-as-end-entity-name-mismatch.example.com", "ca-used-as-end-entity" },
- // All of include-subdomains.pinning.example.com is pinned to End Entity
- // Test Cert with nick default-ee. Any other nick will only
- // pass pinning when security.cert_pinning.enforcement.level != strict and
- // otherCA is added as a user-specified trust anchor. See StaticHPKPins.h.
- { "include-subdomains.pinning.example.com", "default-ee" },
- { "good.include-subdomains.pinning.example.com", "default-ee" },
- { "bad.include-subdomains.pinning.example.com", "other-issuer-ee" },
- { "bad.include-subdomains.pinning.example.com.", "other-issuer-ee" },
- { "bad.include-subdomains.pinning.example.com..", "other-issuer-ee" },
- { "exclude-subdomains.pinning.example.com", "default-ee" },
- { "sub.exclude-subdomains.pinning.example.com", "other-issuer-ee" },
- { "test-mode.pinning.example.com", "other-issuer-ee" },
- { "unknownissuer.include-subdomains.pinning.example.com", "unknownissuer" },
- { "unknownissuer.test-mode.pinning.example.com", "unknownissuer" },
- { "nsCertTypeNotCritical.example.com", "nsCertTypeNotCritical" },
- { "nsCertTypeCriticalWithExtKeyUsage.example.com", "nsCertTypeCriticalWithExtKeyUsage" },
- { "nsCertTypeCritical.example.com", "nsCertTypeCritical" },
- { "end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert" },
- { "end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA" },
- { "inadequate-key-size-ee.example.com", "inadequateKeySizeEE" },
- { "badSubjectAltNames.example.com", "badSubjectAltNames" },
- { "ipAddressAsDNSNameInSAN.example.com", "ipAddressAsDNSNameInSAN" },
- { "noValidNames.example.com", "noValidNames" },
- { "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", "idn-certificate" },
- { "emptyissuername.example.com", "emptyIssuerName" },
- { "ev-test.example.com", "ev-test" },
- { "ee-from-missing-intermediate.example.com", "ee-from-missing-intermediate" },
- { "localhost", "unknownissuer" },
+ { "symantec-whitelist-after-cutoff.example.com", "ee-from-whitelist-after-cutoff" },
+ { "symantec-whitelist-before-cutoff.example.com", "ee-from-whitelist-before-cutoff" },
+ { "symantec-not-whitelisted-after-cutoff.example.com", "ee-not-whitelisted-after-cutoff" },
+ { "symantec-not-whitelisted-before-cutoff.example.com", "ee-not-whitelisted-before-cutoff" },
+ { "symantec-unaffected.example.com", "ee-unaffected" },
{ nullptr, nullptr }
};
int32_t
DoSNISocketConfigBySubjectCN(PRFileDesc* aFd, const SECItem* aSrvNameArr,
uint32_t aSrvNameArrSize)
{
for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
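Review bot: The last real entry in sSymantecCertHosts, `{ "symantec-unaffected.example.com", "ee-unaffected" },`, has no matching certificate in this diff: no ee-unaffected.pem or .certspec is added under test_symantec_apple_google/, and neither new test connects to that hostname (the unaffected case runs against OCSPStaplingServer instead). Either add the certificate and a connection test for it, or drop the entry so the table only names certificates that exist; what the server does when a mapped nickname is missing from the runtime-built DB is decided by code outside this hunk. A comment above the table such as `// Nicknames refer to the .pem files in test_symantec_apple_google/.` would make that coupling explicit. DoSNISocketConfigBySubjectCN starts at the end of this hunk and its body continues outside it.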
@@ -100,18 +53,18 @@ DoSNISocketConfigBySubjectCN(PRFileDesc*
return SSL_SNI_SEND_ALERT;
}
int32_t
DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
uint32_t aSrvNameArrSize, void* aArg)
{
- const BadCertHost* host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize,
- sBadCertHosts);
+ const SymantecCertHost* host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize,
+ sSymantecCertHosts);
if (!host) {
// No static cert <-> hostname mapping found. This happens when we use a
// collection of certificates in a given directory and build a cert DB at
// runtime, rather than using an NSS cert DB populated at build time.
// (This will be the default in the future.)
// For all given server names, check if the runtime-built cert DB contains
// a certificate with a matching subject CN.
return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize);
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build
@@ -3,16 +3,17 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
GeckoSimplePrograms([
'BadCertServer',
'GenerateOCSPResponse',
'OCSPStaplingServer',
+ 'SymantecSanctionsServer',
], linkage=None)
LOCAL_INCLUDES += [
'../lib',
]
USE_LIBS += [
'mozillapkix',
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -29,16 +29,17 @@ support-files =
test_ocsp_url/**
test_onecrl/**
test_pinning_dynamic/**
test_sdr_preexisting/**
test_sdr_preexisting_with_password/**
test_signed_apps/**
test_signed_dir/**
test_startcom_wosign/**
+ test_symantec_apple_google/**
test_validity/**
tlsserver/**
[test_add_preexisting_cert.js]
[test_baseline_requirements_subject_common_name.js]
[test_broken_fips.js]
# FIPS has never been a thing on Android, so the workaround doesn't
# exist on that platform.
@@ -167,14 +168,18 @@ skip-if = toolkit == 'android'
[test_startcom_wosign.js]
[test_sts_fqdn.js]
[test_sts_holepunch.js]
[test_sts_ipv4_ipv6.js]
[test_sts_parser.js]
[test_sts_preload_dynamic.js]
[test_sts_preloadlist_perwindowpb.js]
[test_sts_preloadlist_selfdestruct.js]
+[test_symantec_apple_google.js]
+run-sequentially = hardcoded ports
+[test_symantec_apple_google_unaffected.js]
+run-sequentially = hardcoded ports
[test_validity.js]
run-sequentially = hardcoded ports
[test_x509.js]
# The TLS error reporting functionality lives in /toolkit but needs tlsserver
[test_toolkit_securityreporter.js]
--- a/testing/xpcshell/remotexpcshelltests.py
+++ b/testing/xpcshell/remotexpcshelltests.py
@@ -415,17 +415,18 @@ class XPCShellRemote(xpcshell.XPCShellTe
# are required for some tests. This list should be similar to
# TEST_HARNESS_BINS in testing/mochitest/Makefile.in.
binaries = ["xpcshell",
"ssltunnel",
"certutil",
"pk12util",
"BadCertServer",
"OCSPStaplingServer",
- "GenerateOCSPResponse"]
+ "GenerateOCSPResponse",
+ "SymantecSanctionsServer"]
for fname in binaries:
local = os.path.join(self.localBin, fname)
if os.path.isfile(local):
print("Pushing %s.." % fname, file=sys.stderr)
remoteFile = remoteJoin(self.remoteBinDir, fname)
self.device.pushFile(local, remoteFile)
else:
print("*** Expected binary %s not found in %s!" %
--- a/toolkit/mozapps/installer/upload-files.mk
+++ b/toolkit/mozapps/installer/upload-files.mk
@@ -273,16 +273,17 @@ NO_PKG_FILES += \
nsinstall* \
res/samples \
res/throbber \
shlibsign* \
certutil* \
pk12util* \
BadCertServer* \
OCSPStaplingServer* \
+ SymantecSanctionsServer* \
GenerateOCSPResponse* \
chrome/chrome.rdf \
chrome/app-chrome.manifest \
chrome/overlayinfo \
components/compreg.dat \
components/xpti.dat \
content_unit_tests \
necko_unit_tests \