summaryrefslogtreecommitdiffstats
path: root/security/certverifier
diff options
context:
space:
mode:
authorMoonchild <moonchild@palemoon.org>2020-11-20 09:47:03 +0000
committerMoonchild <moonchild@palemoon.org>2020-11-20 09:47:03 +0000
commit5165ed02285315cc0bed7977c7bac6d0a90ca43c (patch)
tree9b761a21eb924915e51c2d803208e6c01b505a45 /security/certverifier
parente1db27e19989db11fef70f439cf95821316535b3 (diff)
parentca9abcdf1702c37bf00048dab3f460b2252873a3 (diff)
downloadUXP-5165ed02285315cc0bed7977c7bac6d0a90ca43c.tar
UXP-5165ed02285315cc0bed7977c7bac6d0a90ca43c.tar.gz
UXP-5165ed02285315cc0bed7977c7bac6d0a90ca43c.tar.lz
UXP-5165ed02285315cc0bed7977c7bac6d0a90ca43c.tar.xz
UXP-5165ed02285315cc0bed7977c7bac6d0a90ca43c.zip
Merge branch 'redwood' into releaseRELBASE_20201124RELBASE_20201120RC_20201120
Diffstat (limited to 'security/certverifier')
-rw-r--r--security/certverifier/CertVerifier.cpp21
-rw-r--r--security/certverifier/CertVerifier.h13
-rw-r--r--security/certverifier/NSSCertDBTrustDomain.cpp2
-rw-r--r--security/certverifier/NSSCertDBTrustDomain.h2
4 files changed, 11 insertions, 27 deletions
diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
index 7f47de14f..389a6c70a 100644
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -42,7 +42,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc,
OcspStrictConfig osc,
OcspGetConfig ogc,
uint32_t certShortLifetimeInDays,
- PinningMode pinningMode,
SHA1Mode sha1Mode,
BRNameMatchingPolicy::Mode nameMatchingMode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
@@ -51,7 +50,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc,
, mOCSPStrict(osc == ocspStrict)
, mOCSPGETEnabled(ogc == ocspGetEnabled)
, mCertShortLifetimeInDays(certShortLifetimeInDays)
- , mPinningMode(pinningMode)
, mSHA1Mode(sha1Mode)
, mNameMatchingMode(nameMatchingMode)
, mNetscapeStepUpPolicy(netscapeStepUpPolicy)
@@ -417,7 +415,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
+ MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
@@ -486,7 +484,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain
trustDomain(trustSSL, evOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
- mCertShortLifetimeInDays, mPinningMode, MIN_RSA_BITS,
+ mCertShortLifetimeInDays, MIN_RSA_BITS,
ValidityCheckingMode::CheckForEV,
sha1ModeConfigurations[i], mNetscapeStepUpPolicy,
originAttributes, builtChain);
@@ -567,7 +565,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
- mPinningMode, keySizeOptions[i],
+ keySizeOptions[i],
ValidityCheckingMode::CheckingOff,
sha1ModeConfigurations[j],
mNetscapeStepUpPolicy,
@@ -630,7 +628,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
+ MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed, mNetscapeStepUpPolicy,
originAttributes, builtChain);
@@ -645,7 +643,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
+ MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
@@ -672,7 +670,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
+ MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
@@ -696,7 +694,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain trustDomain(trustObjectSigning, defaultOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
+ MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
@@ -729,7 +727,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain sslTrust(trustSSL, defaultOCSPFetching, mOCSPCache,
pinArg, ocspGETConfig, mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
+ MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
@@ -741,7 +739,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain emailTrust(trustEmail, defaultOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
- pinningDisabled, MIN_RSA_BITS_WEAK,
+ MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
@@ -754,7 +752,6 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
defaultOCSPFetching, mOCSPCache,
pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
- pinningDisabled,
MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
diff --git a/security/certverifier/CertVerifier.h b/security/certverifier/CertVerifier.h
index fbc3adab4..0bb1508c5 100644
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -140,13 +140,6 @@ public:
/*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr,
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr);
- enum PinningMode {
- pinningDisabled = 0,
- pinningAllowUserCAMITM = 1,
- pinningStrict = 2,
- pinningEnforceTestMode = 3
- };
-
enum class SHA1Mode {
Allowed = 0,
Forbidden = 1,
@@ -173,7 +166,7 @@ public:
CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
OcspGetConfig ogc, uint32_t certShortLifetimeInDays,
- PinningMode pinningMode, SHA1Mode sha1Mode,
+ SHA1Mode sha1Mode,
BRNameMatchingPolicy::Mode nameMatchingMode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
CertificateTransparencyMode ctMode);
@@ -185,7 +178,6 @@ public:
const bool mOCSPStrict;
const bool mOCSPGETEnabled;
const uint32_t mCertShortLifetimeInDays;
- const PinningMode mPinningMode;
const SHA1Mode mSHA1Mode;
const BRNameMatchingPolicy::Mode mNameMatchingMode;
const NetscapeStepUpPolicy mNetscapeStepUpPolicy;
@@ -215,8 +207,7 @@ private:
mozilla::pkix::Result IsCertBuiltInRoot(CERTCertificate* cert, bool& result);
mozilla::pkix::Result CertListContainsExpectedKeys(
- const CERTCertList* certList, const char* hostname, mozilla::pkix::Time time,
- CertVerifier::PinningMode pinningMode);
+ const CERTCertList* certList, const char* hostname, mozilla::pkix::Time time);
} } // namespace mozilla::psm
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index a8ecbf1d1..ed16098b8 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -52,7 +52,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
/*optional but shouldn't be*/ void* pinArg,
CertVerifier::OcspGetConfig ocspGETConfig,
uint32_t certShortLifetimeInDays,
- CertVerifier::PinningMode pinningMode,
unsigned int minRSABits,
ValidityCheckingMode validityCheckingMode,
CertVerifier::SHA1Mode sha1Mode,
@@ -65,7 +64,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
, mPinArg(pinArg)
, mOCSPGetConfig(ocspGETConfig)
, mCertShortLifetimeInDays(certShortLifetimeInDays)
- , mPinningMode(pinningMode)
, mMinRSABits(minRSABits)
, mValidityCheckingMode(validityCheckingMode)
, mSHA1Mode(sha1Mode)
diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h
index 50e2c8adc..8d25e746c 100644
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -77,7 +77,6 @@ public:
OCSPCache& ocspCache, void* pinArg,
CertVerifier::OcspGetConfig ocspGETConfig,
uint32_t certShortLifetimeInDays,
- CertVerifier::PinningMode pinningMode,
unsigned int minRSABits,
ValidityCheckingMode validityCheckingMode,
CertVerifier::SHA1Mode sha1Mode,
@@ -179,7 +178,6 @@ private:
void* mPinArg; // non-owning!
const CertVerifier::OcspGetConfig mOCSPGetConfig;
const uint32_t mCertShortLifetimeInDays;
- CertVerifier::PinningMode mPinningMode;
const unsigned int mMinRSABits;
ValidityCheckingMode mValidityCheckingMode;
CertVerifier::SHA1Mode mSHA1Mode;