diff options
| author | janekptacijarabaci <janekptacijarabaci@seznam.cz> | 2018-04-25 15:48:44 +0200 |
|---|---|---|
| committer | janekptacijarabaci <janekptacijarabaci@seznam.cz> | 2018-04-25 15:48:44 +0200 |
| commit | 3ab6c7feee8126bdfc5c9ab9371db41102e12e95 (patch) | |
| tree | a309c45826300b888238b6a517051fe7e71d63eb /security | |
| parent | b18a9cf86ea25bc52d9cfea584e3aa8bfbe81f0a (diff) | |
| parent | b069dabc91b7e0f5f8d161cdbe598276a21d6d68 (diff) | |
| download | UXP-3ab6c7feee8126bdfc5c9ab9371db41102e12e95.tar UXP-3ab6c7feee8126bdfc5c9ab9371db41102e12e95.tar.gz UXP-3ab6c7feee8126bdfc5c9ab9371db41102e12e95.tar.lz UXP-3ab6c7feee8126bdfc5c9ab9371db41102e12e95.tar.xz UXP-3ab6c7feee8126bdfc5c9ab9371db41102e12e95.zip | |
Merge branch 'master' of https://github.com/MoonchildProductions/UXP into pm_url_1
Diffstat (limited to 'security')
| -rw-r--r-- | security/certverifier/CertVerifier.cpp | 3 | ||||
| -rw-r--r-- | security/certverifier/NSSCertDBTrustDomain.cpp | 6 | ||||
| -rw-r--r-- | security/manager/ssl/tests/unit/test_cert_trust.js | 28 | ||||
| -rw-r--r-- | security/nss/lib/softoken/sftkpwd.c | 4 |
4 files changed, 33 insertions, 8 deletions
diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp index 61d8fcdb8..2957a269f 100644 --- a/security/certverifier/CertVerifier.cpp +++ b/security/certverifier/CertVerifier.cpp @@ -224,8 +224,7 @@ CertVerifier::VerifySignedCertificateTimestamps( CERTCertListNode* issuerNode = CERT_LIST_NEXT(endEntityNode); if (!issuerNode || CERT_LIST_END(issuerNode, builtChain)) { // Issuer certificate is required for SCT verification. - // TODO(bug 1294580): change this to Result::FATAL_ERROR_INVALID_ARGS - return Success; + return Result::FATAL_ERROR_INVALID_ARGS; } CERTCertificate* endEntity = endEntityNode->cert; diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp index 1fe27b760..b4e12fe9c 100644 --- a/security/certverifier/NSSCertDBTrustDomain.cpp +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -245,7 +245,11 @@ NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA, // For TRUST, we only use the CERTDB_TRUSTED_CA bit, because Goanna hasn't // needed to consider end-entity certs to be their own trust anchors since // Goanna implemented nsICertOverrideService. - if (flags & CERTDB_TRUSTED_CA) { + // Of course, for this to work as expected, we need to make sure we're + // inquiring about the trust of a CA and not an end-entity. If an end-entity + // has the CERTDB_TRUSTED_CA bit set, Gecko does not consider it to be a + // trust anchor; it must inherit its trust. + if (flags & CERTDB_TRUSTED_CA && endEntityOrCA == EndEntityOrCA::MustBeCA) { if (policy.IsAnyPolicy()) { trustLevel = TrustLevel::TrustAnchor; return Success; diff --git a/security/manager/ssl/tests/unit/test_cert_trust.js b/security/manager/ssl/tests/unit/test_cert_trust.js index 622678c7a..bf081f1bd 100644 --- a/security/manager/ssl/tests/unit/test_cert_trust.js +++ b/security/manager/ssl/tests/unit/test_cert_trust.js @@ -208,9 +208,31 @@ function run_test() { setCertTrust(ca_cert, ",,"); setCertTrust(int_cert, ",,"); - // It turns out that if an end-entity certificate is manually trusted, it can - // be the root of its own verified chain. This will be removed in bug 1294580. - setCertTrust(ee_cert, "C,,"); + // If an end-entity certificate is manually trusted, it may not be the root of + // its own verified chain. In general this will cause "unknown issuer" errors + // unless a CA trust anchor can be found. + setCertTrust(ee_cert, "CTu,CTu,CTu"); + checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageSSLServer); + checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageSSLClient); + checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageEmailSigner); + checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageEmailRecipient); + checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageObjectSigner); + + // Now make a CA trust anchor available. + setCertTrust(ca_cert, "CTu,CTu,CTu"); checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, certificateUsageSSLServer); + checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageSSLClient); + checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageEmailSigner); + checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageEmailRecipient); + checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageObjectSigner); } diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c index e0d2df9ab..07b6922dc 100644 --- a/security/nss/lib/softoken/sftkpwd.c +++ b/security/nss/lib/softoken/sftkpwd.c @@ -273,7 +273,7 @@ sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey, RNG_GenerateGlobalRandomBytes(saltData, cipherValue.salt.len); param = nsspkcs5_NewParam(cipherValue.alg, HASH_AlgSHA1, &cipherValue.salt, - 1); + 30000); if (param == NULL) { rv = SECFailure; goto loser; @@ -444,7 +444,7 @@ sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey, RNG_GenerateGlobalRandomBytes(saltData, prfLength); /* initialize our pkcs5 parameter */ - param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt, 1); + param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt, 30000); if (param == NULL) { rv = SECFailure; goto loser; |