Issue #1338 - Part 2: Update NSS to 3.48-RTM

author: wolfbeast <mcwerewolf@wolfbeast.com> 2020-01-02 21:06:40 +0100
committer: wolfbeast <mcwerewolf@wolfbeast.com> 2020-01-02 21:06:40 +0100
commit: f4a12fc67689a830e9da1c87fd11afe5bc09deb3 (patch)
tree: 211ae0cd022a6c11b0026ecc7761a550c584583c /security/nss/lib/certdb
parent: f7d30133221896638f7bf4f66c504255c4b14f48 (diff)
download: UXP-f4a12fc67689a830e9da1c87fd11afe5bc09deb3.tar
UXP-f4a12fc67689a830e9da1c87fd11afe5bc09deb3.tar.gz
UXP-f4a12fc67689a830e9da1c87fd11afe5bc09deb3.tar.lz
UXP-f4a12fc67689a830e9da1c87fd11afe5bc09deb3.tar.xz
UXP-f4a12fc67689a830e9da1c87fd11afe5bc09deb3.zip
4 files changed, 113 insertions, 129 deletions
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
index 333ba4c9d..1981b8f54 100644
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -215,6 +215,12 @@ extern void CERT_DestroyCertificate(CERTCertificate *cert);
 */
 extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c);
 
+/* Access the DER of the certificate. This only creates a reference to the DER
+ * in the outparam not a copy.  To avoid the pointer becoming invalid, use
+ * CERT_DupCertificate() and keep a reference to the duplicate alive.
+ */
+extern SECStatus CERT_GetCertificateDer(const CERTCertificate *c, SECItem *der);
+
 /*
 ** Create a new certificate request. This result must be wrapped with an
 ** CERTSignedData to create a signed certificate request.
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 85b5f2917..0796fe5d7 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -447,71 +447,39 @@ cert_GetCertType(CERTCertificate *cert)
 }
 
 PRBool
-cert_EKUAllowsIPsecIKE(CERTCertificate *cert, PRBool *isCritical)
+cert_IsIPsecOID(CERTOidSequence *extKeyUsage)
 {
-    SECStatus rv;
-    SECItem encodedExtKeyUsage;
-    CERTOidSequence *extKeyUsage = NULL;
-    PRBool result = PR_FALSE;
-
-    rv = CERT_GetExtenCriticality(cert->extensions,
-                                  SEC_OID_X509_EXT_KEY_USAGE,
-                                  isCritical);
-    if (rv != SECSuccess) {
-        *isCritical = PR_FALSE;
-    }
-
-    encodedExtKeyUsage.data = NULL;
-    rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE,
-                                &encodedExtKeyUsage);
-    if (rv != SECSuccess) {
-        /* EKU not present, allowed. */
-        result = PR_TRUE;
-        goto done;
-    }
-
-    extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage);
-    if (!extKeyUsage) {
-        /* failure */
-        goto done;
+    if (findOIDinOIDSeqByTagNum(
+            extKeyUsage, SEC_OID_EXT_KEY_USAGE_IPSEC_IKE) == SECSuccess) {
+        return PR_TRUE;
     }
-
-    if (findOIDinOIDSeqByTagNum(extKeyUsage,
-                                SEC_OID_X509_ANY_EXT_KEY_USAGE) ==
-        SECSuccess) {
-        result = PR_TRUE;
-        goto done;
+    if (findOIDinOIDSeqByTagNum(
+            extKeyUsage, SEC_OID_IPSEC_IKE_END) == SECSuccess) {
+        return PR_TRUE;
     }
-
-    if (findOIDinOIDSeqByTagNum(extKeyUsage,
-                                SEC_OID_EXT_KEY_USAGE_IPSEC_IKE) ==
-        SECSuccess) {
-        result = PR_TRUE;
-        goto done;
+    if (findOIDinOIDSeqByTagNum(
+            extKeyUsage, SEC_OID_IPSEC_IKE_INTERMEDIATE) == SECSuccess) {
+        return PR_TRUE;
     }
-
-    if (findOIDinOIDSeqByTagNum(extKeyUsage,
-                                SEC_OID_IPSEC_IKE_END) ==
-        SECSuccess) {
-        result = PR_TRUE;
-        goto done;
+    /* these are now deprecated, but may show up. Treat them the same as IKE */
+    if (findOIDinOIDSeqByTagNum(
+            extKeyUsage, SEC_OID_EXT_KEY_USAGE_IPSEC_END) == SECSuccess) {
+        return PR_TRUE;
     }
-
-    if (findOIDinOIDSeqByTagNum(extKeyUsage,
-                                SEC_OID_IPSEC_IKE_INTERMEDIATE) ==
-        SECSuccess) {
-        result = PR_TRUE;
-        goto done;
+    if (findOIDinOIDSeqByTagNum(
+            extKeyUsage, SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL) == SECSuccess) {
+        return PR_TRUE;
     }
-
-done:
-    if (encodedExtKeyUsage.data != NULL) {
-        PORT_Free(encodedExtKeyUsage.data);
+    if (findOIDinOIDSeqByTagNum(
+            extKeyUsage, SEC_OID_EXT_KEY_USAGE_IPSEC_USER) == SECSuccess) {
+        return PR_TRUE;
     }
-    if (extKeyUsage != NULL) {
-        CERT_DestroyOidSequence(extKeyUsage);
+    /* this one should probably be in cert_ComputeCertType and set all usages? */
+    if (findOIDinOIDSeqByTagNum(
+            extKeyUsage, SEC_OID_X509_ANY_EXT_KEY_USAGE) == SECSuccess) {
+        return PR_TRUE;
     }
-    return result;
+    return PR_FALSE;
 }
 
 PRUint32
@@ -521,9 +489,9 @@ cert_ComputeCertType(CERTCertificate *cert)
     SECItem tmpitem;
     SECItem encodedExtKeyUsage;
     CERTOidSequence *extKeyUsage = NULL;
-    PRBool basicConstraintPresent = PR_FALSE;
     CERTBasicConstraints basicConstraint;
     PRUint32 nsCertType = 0;
+    PRBool isCA = PR_FALSE;
 
     tmpitem.data = NULL;
     CERT_FindNSCertTypeExtension(cert, &tmpitem);
@@ -535,7 +503,7 @@ cert_ComputeCertType(CERTCertificate *cert)
     }
     rv = CERT_FindBasicConstraintExten(cert, &basicConstraint);
     if (rv == SECSuccess) {
-        basicConstraintPresent = PR_TRUE;
+        isCA = basicConstraint.isCA;
     }
     if (tmpitem.data != NULL || extKeyUsage != NULL) {
         if (tmpitem.data == NULL) {
@@ -571,19 +539,11 @@ cert_ComputeCertType(CERTCertificate *cert)
         if (findOIDinOIDSeqByTagNum(extKeyUsage,
                                     SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT) ==
             SECSuccess) {
-            if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
-                nsCertType |= NS_CERT_TYPE_EMAIL_CA;
-            } else {
-                nsCertType |= NS_CERT_TYPE_EMAIL;
-            }
+            nsCertType |= isCA ? NS_CERT_TYPE_EMAIL_CA : NS_CERT_TYPE_EMAIL;
         }
         if (findOIDinOIDSeqByTagNum(
                 extKeyUsage, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) == SECSuccess) {
-            if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
-                nsCertType |= NS_CERT_TYPE_SSL_CA;
-            } else {
-                nsCertType |= NS_CERT_TYPE_SSL_SERVER;
-            }
+            nsCertType |= isCA ? NS_CERT_TYPE_SSL_CA : NS_CERT_TYPE_SSL_SERVER;
         }
         /*
          * Treat certs with step-up OID as also having SSL server type.
@@ -592,27 +552,18 @@ cert_ComputeCertType(CERTCertificate *cert)
         if (findOIDinOIDSeqByTagNum(extKeyUsage,
                                     SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) ==
             SECSuccess) {
-            if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
-                nsCertType |= NS_CERT_TYPE_SSL_CA;
-            } else {
-                nsCertType |= NS_CERT_TYPE_SSL_SERVER;
-            }
+            nsCertType |= isCA ? NS_CERT_TYPE_SSL_CA : NS_CERT_TYPE_SSL_SERVER;
         }
         if (findOIDinOIDSeqByTagNum(
                 extKeyUsage, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) == SECSuccess) {
-            if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
-                nsCertType |= NS_CERT_TYPE_SSL_CA;
-            } else {
-                nsCertType |= NS_CERT_TYPE_SSL_CLIENT;
-            }
+            nsCertType |= isCA ? NS_CERT_TYPE_SSL_CA : NS_CERT_TYPE_SSL_CLIENT;
+        }
+        if (cert_IsIPsecOID(extKeyUsage)) {
+            nsCertType |= isCA ? NS_CERT_TYPE_IPSEC_CA : NS_CERT_TYPE_IPSEC;
         }
         if (findOIDinOIDSeqByTagNum(
                 extKeyUsage, SEC_OID_EXT_KEY_USAGE_CODE_SIGN) == SECSuccess) {
-            if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
-                nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
-            } else {
-                nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING;
-            }
+            nsCertType |= isCA ? NS_CERT_TYPE_OBJECT_SIGNING_CA : NS_CERT_TYPE_OBJECT_SIGNING;
         }
         if (findOIDinOIDSeqByTagNum(
                 extKeyUsage, SEC_OID_EXT_KEY_USAGE_TIME_STAMP) == SECSuccess) {
@@ -629,7 +580,7 @@ cert_ComputeCertType(CERTCertificate *cert)
             nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
         /* if the basic constraint extension says the cert is a CA, then
            allow SSL CA and EMAIL CA and Status Responder */
-        if (basicConstraintPresent && basicConstraint.isCA) {
+        if (isCA) {
             nsCertType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
                            EXT_KEY_USAGE_STATUS_RESPONDER);
         }
@@ -638,6 +589,14 @@ cert_ComputeCertType(CERTCertificate *cert)
                       NS_CERT_TYPE_EMAIL;
     }
 
+    /* IPSEC is allowed to use SSL client and server certs as well as email certs */
+    if (nsCertType & (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL)) {
+        nsCertType |= NS_CERT_TYPE_IPSEC;
+    }
+    if (nsCertType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA)) {
+        nsCertType |= NS_CERT_TYPE_IPSEC_CA;
+    }
+
     if (encodedExtKeyUsage.data != NULL) {
         PORT_Free(encodedExtKeyUsage.data);
     }
@@ -1153,7 +1112,7 @@ CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca,
                 break;
             case certUsageIPsec:
                 requiredKeyUsage = KU_KEY_CERT_SIGN;
-                requiredCertType = NS_CERT_TYPE_SSL_CA;
+                requiredCertType = NS_CERT_TYPE_IPSEC_CA;
                 break;
             case certUsageSSLCA:
                 requiredKeyUsage = KU_KEY_CERT_SIGN;
@@ -1200,7 +1159,7 @@ CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca,
             case certUsageIPsec:
                 /* RFC 4945 Section 5.1.3.2 */
                 requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION;
-                requiredCertType = 0;
+                requiredCertType = NS_CERT_TYPE_IPSEC;
                 break;
             case certUsageSSLServerWithStepUp:
                 requiredKeyUsage =
@@ -1314,6 +1273,17 @@ CERT_DupCertificate(CERTCertificate *c)
     return c;
 }
 
+SECStatus
+CERT_GetCertificateDer(const CERTCertificate *c, SECItem *der)
+{
+    if (!c || !der) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    *der = c->derCert;
+    return SECSuccess;
+}
+
 /*
  * Allow use of default cert database, so that apps(such as mozilla) don't
  * have to pass the handle all over the place.
@@ -2919,15 +2889,8 @@ void
 CERT_UnlockCertRefCount(CERTCertificate *cert)
 {
     PORT_Assert(certRefCountLock != NULL);
-
-#ifdef DEBUG
-    {
-        PRStatus prstat = PZ_Unlock(certRefCountLock);
-        PORT_Assert(prstat == PR_SUCCESS);
-    }
-#else
-    PZ_Unlock(certRefCountLock);
-#endif
+    PRStatus prstat = PZ_Unlock(certRefCountLock);
+    PORT_AssertArg(prstat == PR_SUCCESS);
 }
 
 static PZLock *certTrustLock = NULL;
@@ -3031,15 +2994,8 @@ void
 CERT_UnlockCertTrust(const CERTCertificate *cert)
 {
     PORT_Assert(certTrustLock != NULL);
-
-#ifdef DEBUG
-    {
-        PRStatus prstat = PZ_Unlock(certTrustLock);
-        PORT_Assert(prstat == PR_SUCCESS);
-    }
-#else
-    PZ_Unlock(certTrustLock);
-#endif
+    PRStatus prstat = PZ_Unlock(certTrustLock);
+    PORT_AssertArg(prstat == PR_SUCCESS);
 }
 
 /*
@@ -3049,14 +3005,8 @@ void
 CERT_UnlockCertTempPerm(const CERTCertificate *cert)
 {
     PORT_Assert(certTempPermLock != NULL);
-#ifdef DEBUG
-    {
-        PRStatus prstat = PZ_Unlock(certTempPermLock);
-        PORT_Assert(prstat == PR_SUCCESS);
-    }
-#else
-    (void)PZ_Unlock(certTempPermLock);
-#endif
+    PRStatus prstat = PZ_Unlock(certTempPermLock);
+    PORT_AssertArg(prstat == PR_SUCCESS);
 }
 
 /*
diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h
index 9cac70ca6..aae1184a8 100644
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -35,6 +35,7 @@ typedef struct CERTCertListStr CERTCertList;
 typedef struct CERTCertListNodeStr CERTCertListNode;
 typedef struct CERTCertNicknamesStr CERTCertNicknames;
 typedef struct CERTCertTrustStr CERTCertTrust;
+typedef struct CERTCertDistrustStr CERTCertDistrust;
 typedef struct CERTCertificateStr CERTCertificate;
 typedef struct CERTCertificateListStr CERTCertificateList;
 typedef struct CERTCertificateRequestStr CERTCertificateRequest;
@@ -141,6 +142,18 @@ struct CERTCertTrustStr {
 };
 
 /*
+ * Distrust dates for specific certificate usages.
+ * These dates are hardcoded in nssckbi/builtins. They are DER encoded to be
+ * compatible with the format of certdata.txt, other date fields in certs and
+ * existing functions to read these dates. Clients should check the distrust
+ * date in certificates to avoid trusting a CA for service they have ceased to
+ * support */
+struct CERTCertDistrustStr {
+    SECItem serverDistrustAfter;
+    SECItem emailDistrustAfter;
+};
+
+/*
  * defined the types of trust that exist
  */
 typedef enum SECTrustTypeEnum {
@@ -279,6 +292,8 @@ struct CERTCertificateStr {
     PK11SlotInfo *slot;        /*if this cert came of a token, which is it*/
     CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */
     PRBool ownSlot;            /*true if the cert owns the slot reference */
+    /* These fields are used in nssckbi/builtins CAs. */
+    CERTCertDistrust *distrust;
 };
 #define SEC_CERTIFICATE_VERSION_1 0 /* default created */
 #define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
@@ -416,6 +431,19 @@ struct CERTDistNamesStr {
     void *head; /* private */
 };
 
+/*
+ * NS_CERT_TYPE defines are used in two areas:
+ * 1) The old NSS Cert Type Extension, which is a certificate extension in the
+ * actual cert. It was created before the x509 Extended Key Usage Extension,
+ * which has now taken over it's function. This field is only 8 bits wide
+ * 2) The nsCertType entry in the CERTCertificate structure. This field is
+ * 32 bits wide.
+ * Any entries in this table greater than 0x80 will not be able to be encoded
+ * in an NSS Cert Type Extension, but can still be represented internally in
+ * the nsCertType field.
+ */
+#define NS_CERT_TYPE_IPSEC_CA (0x200)         /* outside the NS Cert Type Extenstion */
+#define NS_CERT_TYPE_IPSEC (0x100)            /* outside the NS Cert Type Extenstion */
 #define NS_CERT_TYPE_SSL_CLIENT (0x80)        /* bit 0 */
 #define NS_CERT_TYPE_SSL_SERVER (0x40)        /* bit 1 */
 #define NS_CERT_TYPE_EMAIL (0x20)             /* bit 2 */
@@ -430,11 +458,12 @@ struct CERTDistNamesStr {
 
 #define NS_CERT_TYPE_APP                                                      \
     (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
-     NS_CERT_TYPE_OBJECT_SIGNING)
+     NS_CERT_TYPE_IPSEC | NS_CERT_TYPE_OBJECT_SIGNING)
 
-#define NS_CERT_TYPE_CA                            \
-    (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | \
-     NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER)
+#define NS_CERT_TYPE_CA                                                \
+    (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |                     \
+     NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER | \
+     NS_CERT_TYPE_IPSEC_CA)
 typedef enum SECCertUsageEnum {
     certUsageSSLClient = 0,
     certUsageSSLServer = 1,
diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c
index d5d19c39d..e2a668bb1 100644
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -412,18 +412,17 @@ CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
                    cc->derIssuer.data);
     nssItem_Create(c->object.arena, &c->subject, cc->derSubject.len,
                    cc->derSubject.data);
-    if (PR_TRUE) {
-        /* CERTCertificate stores serial numbers decoded.  I need the DER
-        * here.  sigh.
-        */
-        SECItem derSerial = { 0 };
-        CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
-        if (!derSerial.data)
-            goto loser;
-        nssItem_Create(c->object.arena, &c->serial, derSerial.len,
-                       derSerial.data);
-        PORT_Free(derSerial.data);
-    }
+    /* CERTCertificate stores serial numbers decoded.  I need the DER
+    * here.  sigh.
+    */
+    SECItem derSerial = { 0 };
+    CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
+    if (!derSerial.data)
+        goto loser;
+    nssItem_Create(c->object.arena, &c->serial, derSerial.len,
+                   derSerial.data);
+    PORT_Free(derSerial.data);
+
     if (nickname) {
         c->object.tempName =
             nssUTF8_Create(c->object.arena, nssStringType_UTF8String,
author	wolfbeast <mcwerewolf@wolfbeast.com>	2020-01-02 21:06:40 +0100
committer	wolfbeast <mcwerewolf@wolfbeast.com>	2020-01-02 21:06:40 +0100
commit	f4a12fc67689a830e9da1c87fd11afe5bc09deb3 (patch)
tree	211ae0cd022a6c11b0026ecc7761a550c584583c /security/nss/lib/certdb
parent	f7d30133221896638f7bf4f66c504255c4b14f48 (diff)
download	UXP-f4a12fc67689a830e9da1c87fd11afe5bc09deb3.tar UXP-f4a12fc67689a830e9da1c87fd11afe5bc09deb3.tar.gz UXP-f4a12fc67689a830e9da1c87fd11afe5bc09deb3.tar.lz UXP-f4a12fc67689a830e9da1c87fd11afe5bc09deb3.tar.xz UXP-f4a12fc67689a830e9da1c87fd11afe5bc09deb3.zip