summaryrefslogtreecommitdiffstats
path: root/security/certverifier
diff options
context:
space:
mode:
Diffstat (limited to 'security/certverifier')
-rw-r--r--security/certverifier/CertVerifier.cpp41
-rw-r--r--security/certverifier/CertVerifier.h19
-rw-r--r--security/certverifier/NSSCertDBTrustDomain.cpp5
-rw-r--r--security/certverifier/NSSCertDBTrustDomain.h2
4 files changed, 12 insertions, 55 deletions
diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
index 2957a269f..1139ecae5 100644
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -333,7 +333,6 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
/*optional out*/ OCSPStaplingStatus* ocspStaplingStatus,
/*optional out*/ KeySizeStatus* keySizeStatus,
/*optional out*/ SHA1ModeResult* sha1ModeResult,
- /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo,
/*optional out*/ CertificateTransparencyInfo* ctInfo)
{
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, ("Top of VerifyCert\n"));
@@ -423,7 +422,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
originAttributes,
- builtChain, nullptr, nullptr);
+ builtChain, nullptr);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
KeyUsage::digitalSignature,
@@ -484,19 +483,13 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
continue;
}
- // Because of the try-strict and fallback approach, we have to clear any
- // previously noted telemetry information
- if (pinningTelemetryInfo) {
- pinningTelemetryInfo->Reset();
- }
-
NSSCertDBTrustDomain
trustDomain(trustSSL, evOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
mCertShortLifetimeInDays, mPinningMode, MIN_RSA_BITS,
ValidityCheckingMode::CheckForEV,
sha1ModeConfigurations[i], mNetscapeStepUpPolicy,
- originAttributes, builtChain, pinningTelemetryInfo,
+ originAttributes, builtChain,
hostname);
rv = BuildCertChainForOneKeyUsage(trustDomain, certDER, time,
KeyUsage::digitalSignature,// (EC)DHE
@@ -572,11 +565,6 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
continue;
}
- // invalidate any telemetry info relating to failed chains
- if (pinningTelemetryInfo) {
- pinningTelemetryInfo->Reset();
- }
-
NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching,
mOCSPCache, pinArg, ocspGETConfig,
mCertShortLifetimeInDays,
@@ -585,7 +573,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
sha1ModeConfigurations[j],
mNetscapeStepUpPolicy,
originAttributes, builtChain,
- pinningTelemetryInfo, hostname);
+ hostname);
rv = BuildCertChainForOneKeyUsage(trustDomain, certDER, time,
KeyUsage::digitalSignature,//(EC)DHE
KeyUsage::keyEncipherment,//RSA
@@ -647,8 +635,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
pinningDisabled, MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed, mNetscapeStepUpPolicy,
- originAttributes, builtChain, nullptr,
- nullptr);
+ originAttributes, builtChain, nullptr);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeCA, KeyUsage::keyCertSign,
KeyPurposeId::id_kp_serverAuth,
@@ -664,8 +651,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
- originAttributes, builtChain, nullptr,
- nullptr);
+ originAttributes, builtChain, nullptr);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
KeyUsage::digitalSignature,
@@ -692,8 +678,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
- originAttributes, builtChain, nullptr,
- nullptr);
+ originAttributes, builtChain, nullptr);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
KeyUsage::keyEncipherment, // RSA
@@ -717,8 +702,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
- originAttributes, builtChain, nullptr,
- nullptr);
+ originAttributes, builtChain, nullptr);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
KeyUsage::digitalSignature,
@@ -751,8 +735,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
- originAttributes, builtChain, nullptr,
- nullptr);
+ originAttributes, builtChain, nullptr);
rv = BuildCertChain(sslTrust, certDER, time, endEntityOrCA,
keyUsage, eku, CertPolicyId::anyPolicy,
stapledOCSPResponse);
@@ -764,8 +747,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
- originAttributes, builtChain, nullptr,
- nullptr);
+ originAttributes, builtChain, nullptr);
rv = BuildCertChain(emailTrust, certDER, time, endEntityOrCA,
keyUsage, eku, CertPolicyId::anyPolicy,
stapledOCSPResponse);
@@ -780,7 +762,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
originAttributes, builtChain,
- nullptr, nullptr);
+ nullptr);
rv = BuildCertChain(objectSigningTrust, certDER, time,
endEntityOrCA, keyUsage, eku,
CertPolicyId::anyPolicy, stapledOCSPResponse);
@@ -816,7 +798,6 @@ CertVerifier::VerifySSLServerCert(const UniqueCERTCertificate& peerCert,
/*optional out*/ OCSPStaplingStatus* ocspStaplingStatus,
/*optional out*/ KeySizeStatus* keySizeStatus,
/*optional out*/ SHA1ModeResult* sha1ModeResult,
- /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo,
/*optional out*/ CertificateTransparencyInfo* ctInfo)
{
PR_ASSERT(peerCert);
@@ -838,7 +819,7 @@ CertVerifier::VerifySSLServerCert(const UniqueCERTCertificate& peerCert,
pinarg, hostname, builtChain, flags,
stapledOCSPResponse, sctsFromTLS, originAttributes,
evOidPolicy, ocspStaplingStatus, keySizeStatus,
- sha1ModeResult, pinningTelemetryInfo, ctInfo);
+ sha1ModeResult, ctInfo);
if (rv != Success) {
return rv;
}
diff --git a/security/certverifier/CertVerifier.h b/security/certverifier/CertVerifier.h
index d88c3f33c..fbc3adab4 100644
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -11,7 +11,6 @@
#include "CTVerifyResult.h"
#include "OCSPCache.h"
#include "ScopedNSSTypes.h"
-#include "mozilla/Telemetry.h"
#include "mozilla/UniquePtr.h"
#include "pkix/pkixtypes.h"
@@ -66,22 +65,6 @@ enum class SHA1ModeResult {
enum class NetscapeStepUpPolicy : uint32_t;
-class PinningTelemetryInfo
-{
-public:
- PinningTelemetryInfo() { Reset(); }
-
- // Should we accumulate pinning telemetry for the result?
- bool accumulateResult;
- Telemetry::ID certPinningResultHistogram;
- int32_t certPinningResultBucket;
- // Should we accumulate telemetry for the root?
- bool accumulateForRoot;
- int32_t rootBucket;
-
- void Reset() { accumulateForRoot = false; accumulateResult = false; }
-};
-
class CertificateTransparencyInfo
{
public:
@@ -137,7 +120,6 @@ public:
/*optional out*/ OCSPStaplingStatus* ocspStaplingStatus = nullptr,
/*optional out*/ KeySizeStatus* keySizeStatus = nullptr,
/*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr,
- /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr);
mozilla::pkix::Result VerifySSLServerCert(
@@ -156,7 +138,6 @@ public:
/*optional out*/ OCSPStaplingStatus* ocspStaplingStatus = nullptr,
/*optional out*/ KeySizeStatus* keySizeStatus = nullptr,
/*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr,
- /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr);
enum PinningMode {
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index 39f7d3e9e..5e89c2484 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -60,7 +60,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
NetscapeStepUpPolicy netscapeStepUpPolicy,
const NeckoOriginAttributes& originAttributes,
UniqueCERTCertList& builtChain,
- /*optional*/ PinningTelemetryInfo* pinningTelemetryInfo,
/*optional*/ const char* hostname)
: mCertDBTrustType(certDBTrustType)
, mOCSPFetching(ocspFetching)
@@ -75,7 +74,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
, mNetscapeStepUpPolicy(netscapeStepUpPolicy)
, mOriginAttributes(originAttributes)
, mBuiltChain(builtChain)
- , mPinningTelemetryInfo(pinningTelemetryInfo)
, mHostname(hostname)
, mCertBlocklist(do_GetService(NS_CERTBLOCKLIST_CONTRACTID))
, mOCSPStaplingStatus(CertVerifier::OCSP_STAPLING_NEVER_CHECKED)
@@ -874,8 +872,7 @@ NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time)
(mPinningMode == CertVerifier::pinningEnforceTestMode);
bool chainHasValidPins;
nsresult nsrv = PublicKeyPinningService::ChainHasValidPins(
- certList, mHostname, time, enforceTestMode, chainHasValidPins,
- mPinningTelemetryInfo);
+ certList, mHostname, time, enforceTestMode, chainHasValidPins);
if (NS_FAILED(nsrv)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h
index 64827536c..becf29eee 100644
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -84,7 +84,6 @@ public:
NetscapeStepUpPolicy netscapeStepUpPolicy,
const NeckoOriginAttributes& originAttributes,
UniqueCERTCertList& builtChain,
- /*optional*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
/*optional*/ const char* hostname = nullptr);
virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
@@ -188,7 +187,6 @@ private:
NetscapeStepUpPolicy mNetscapeStepUpPolicy;
const NeckoOriginAttributes& mOriginAttributes;
UniqueCERTCertList& mBuiltChain; // non-owning
- PinningTelemetryInfo* mPinningTelemetryInfo;
const char* mHostname; // non-owning - only used for pinning checks
nsCOMPtr<nsICertBlocklist> mCertBlocklist;
CertVerifier::OCSPStaplingStatus mOCSPStaplingStatus;