Diffstat (limited to 'security/certverifier')
-rw-r--r-- | security/certverifier/CertVerifier.cpp | 41 | ||||
-rw-r--r-- | security/certverifier/CertVerifier.h | 19 | ||||
-rw-r--r-- | security/certverifier/NSSCertDBTrustDomain.cpp | 5 | ||||
-rw-r--r-- | security/certverifier/NSSCertDBTrustDomain.h | 2 |
4 files changed, 12 insertions, 55 deletions
diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp index 2957a269f..1139ecae5 100644 --- a/security/certverifier/CertVerifier.cpp +++ b/security/certverifier/CertVerifier.cpp @@ -333,7 +333,6 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, /*optional out*/ OCSPStaplingStatus* ocspStaplingStatus, /*optional out*/ KeySizeStatus* keySizeStatus, /*optional out*/ SHA1ModeResult* sha1ModeResult, - /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo, /*optional out*/ CertificateTransparencyInfo* ctInfo) { MOZ_LOG(gCertVerifierLog, LogLevel::Debug, ("Top of VerifyCert\n")); @@ -423,7 +422,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, originAttributes, - builtChain, nullptr, nullptr); + builtChain, nullptr); rv = BuildCertChain(trustDomain, certDER, time, EndEntityOrCA::MustBeEndEntity, KeyUsage::digitalSignature, @@ -484,19 +483,13 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, continue; } - // Because of the try-strict and fallback approach, we have to clear any - // previously noted telemetry information - if (pinningTelemetryInfo) { - pinningTelemetryInfo->Reset(); - } - NSSCertDBTrustDomain trustDomain(trustSSL, evOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, mPinningMode, MIN_RSA_BITS, ValidityCheckingMode::CheckForEV, sha1ModeConfigurations[i], mNetscapeStepUpPolicy, - originAttributes, builtChain, pinningTelemetryInfo, + originAttributes, builtChain, hostname); rv = BuildCertChainForOneKeyUsage(trustDomain, certDER, time, KeyUsage::digitalSignature,// (EC)DHE 
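Review bot: The bare trailing `nullptr` in the `NSSCertDBTrustDomain` constructor call of the `@@ -423` hunk is now the `hostname` argument, and nothing at the call site says so. The member comment in NSSCertDBTrustDomain.h describes the hostname as "only used for pinning checks", so a null value presumably means this chain build runs without a pin check. That is worth making visible where the decision is taken, in the file's existing inline-comment style: `builtChain, /*hostname*/ nullptr);`. The same applies to the calls in the `@@ -647`, `-664`, `-692`, `-717`, `-751`, `-764` and `-780` hunks. VerifyCert's body starts and ends outside these hunks.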
@@ -572,11 +565,6 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, continue; } - // invalidate any telemetry info relating to failed chains - if (pinningTelemetryInfo) { - pinningTelemetryInfo->Reset(); - } - NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, @@ -585,7 +573,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, sha1ModeConfigurations[j], mNetscapeStepUpPolicy, originAttributes, builtChain, - pinningTelemetryInfo, hostname); + hostname); rv = BuildCertChainForOneKeyUsage(trustDomain, certDER, time, KeyUsage::digitalSignature,//(EC)DHE KeyUsage::keyEncipherment,//RSA @@ -647,8 +635,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, pinningDisabled, MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, mNetscapeStepUpPolicy, - originAttributes, builtChain, nullptr, - nullptr); + originAttributes, builtChain, nullptr); rv = BuildCertChain(trustDomain, certDER, time, EndEntityOrCA::MustBeCA, KeyUsage::keyCertSign, KeyPurposeId::id_kp_serverAuth, @@ -664,8 +651,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, - originAttributes, builtChain, nullptr, - nullptr); + originAttributes, builtChain, nullptr); rv = BuildCertChain(trustDomain, certDER, time, EndEntityOrCA::MustBeEndEntity, KeyUsage::digitalSignature, @@ -692,8 +678,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, - originAttributes, builtChain, nullptr, - nullptr); + originAttributes, builtChain, nullptr); rv = BuildCertChain(trustDomain, certDER, time, EndEntityOrCA::MustBeEndEntity, KeyUsage::keyEncipherment, // RSA 
@@ -717,8 +702,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, - originAttributes, builtChain, nullptr, - nullptr); + originAttributes, builtChain, nullptr); rv = BuildCertChain(trustDomain, certDER, time, EndEntityOrCA::MustBeEndEntity, KeyUsage::digitalSignature, @@ -751,8 +735,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, - originAttributes, builtChain, nullptr, - nullptr); + originAttributes, builtChain, nullptr); rv = BuildCertChain(sslTrust, certDER, time, endEntityOrCA, keyUsage, eku, CertPolicyId::anyPolicy, stapledOCSPResponse); @@ -764,8 +747,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, - originAttributes, builtChain, nullptr, - nullptr); + originAttributes, builtChain, nullptr); rv = BuildCertChain(emailTrust, certDER, time, endEntityOrCA, keyUsage, eku, CertPolicyId::anyPolicy, stapledOCSPResponse); @@ -780,7 +762,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, originAttributes, builtChain, - nullptr, nullptr); + nullptr); rv = BuildCertChain(objectSigningTrust, certDER, time, endEntityOrCA, keyUsage, eku, CertPolicyId::anyPolicy, stapledOCSPResponse); @@ -816,7 +798,6 @@ CertVerifier::VerifySSLServerCert(const UniqueCERTCertificate& peerCert, /*optional out*/ OCSPStaplingStatus* ocspStaplingStatus, /*optional out*/ KeySizeStatus* keySizeStatus, /*optional out*/ SHA1ModeResult* sha1ModeResult, - /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo, /*optional out*/ CertificateTransparencyInfo* ctInfo) { PR_ASSERT(peerCert); 
@@ -838,7 +819,7 @@ CertVerifier::VerifySSLServerCert(const UniqueCERTCertificate& peerCert, pinarg, hostname, builtChain, flags, stapledOCSPResponse, sctsFromTLS, originAttributes, evOidPolicy, ocspStaplingStatus, keySizeStatus, - sha1ModeResult, pinningTelemetryInfo, ctInfo); + sha1ModeResult, ctInfo); if (rv != Success) { return rv; } diff --git a/security/certverifier/CertVerifier.h b/security/certverifier/CertVerifier.h index d88c3f33c..fbc3adab4 100644 --- a/security/certverifier/CertVerifier.h +++ b/security/certverifier/CertVerifier.h @@ -11,7 +11,6 @@ #include "CTVerifyResult.h" #include "OCSPCache.h" #include "ScopedNSSTypes.h" -#include "mozilla/Telemetry.h" #include "mozilla/UniquePtr.h" #include "pkix/pkixtypes.h" @@ -66,22 +65,6 @@ enum class SHA1ModeResult { enum class NetscapeStepUpPolicy : uint32_t; -class PinningTelemetryInfo -{ -public: - PinningTelemetryInfo() { Reset(); } - - // Should we accumulate pinning telemetry for the result? - bool accumulateResult; - Telemetry::ID certPinningResultHistogram; - int32_t certPinningResultBucket; - // Should we accumulate telemetry for the root? - bool accumulateForRoot; - int32_t rootBucket; - - void Reset() { accumulateForRoot = false; accumulateResult = false; } -}; - class CertificateTransparencyInfo { public: @@ -137,7 +120,6 @@ public: /*optional out*/ OCSPStaplingStatus* ocspStaplingStatus = nullptr, /*optional out*/ KeySizeStatus* keySizeStatus = nullptr, /*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr, - /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr, /*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr); mozilla::pkix::Result VerifySSLServerCert( 
@@ -156,7 +138,6 @@ public: /*optional out*/ OCSPStaplingStatus* ocspStaplingStatus = nullptr, /*optional out*/ KeySizeStatus* keySizeStatus = nullptr, /*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr, - /*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr, /*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr); enum PinningMode { diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp index 39f7d3e9e..5e89c2484 100644 --- a/security/certverifier/NSSCertDBTrustDomain.cpp +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -60,7 +60,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType, NetscapeStepUpPolicy netscapeStepUpPolicy, const NeckoOriginAttributes& originAttributes, UniqueCERTCertList& builtChain, - /*optional*/ PinningTelemetryInfo* pinningTelemetryInfo, /*optional*/ const char* hostname) : mCertDBTrustType(certDBTrustType) , mOCSPFetching(ocspFetching) @@ -75,7 +74,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType, , mNetscapeStepUpPolicy(netscapeStepUpPolicy) , mOriginAttributes(originAttributes) , mBuiltChain(builtChain) - , mPinningTelemetryInfo(pinningTelemetryInfo) , mHostname(hostname) , mCertBlocklist(do_GetService(NS_CERTBLOCKLIST_CONTRACTID)) , mOCSPStaplingStatus(CertVerifier::OCSP_STAPLING_NEVER_CHECKED) @@ -874,8 +872,7 @@ NSSCertDBTrustDomain::IsChainValid(const DERArray& certArray, Time time) (mPinningMode == CertVerifier::pinningEnforceTestMode); bool chainHasValidPins; nsresult nsrv = PublicKeyPinningService::ChainHasValidPins( - certList, mHostname, time, enforceTestMode, chainHasValidPins, - mPinningTelemetryInfo); + certList, mHostname, time, enforceTestMode, chainHasValidPins); if (NS_FAILED(nsrv)) { return Result::FATAL_ERROR_LIBRARY_FAILURE; } diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h index 64827536c..becf29eee 100644 
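Review bot: In the `@@ -874` hunk of NSSCertDBTrustDomain.cpp, `bool chainHasValidPins;` is still declared without an initializer before being handed to `PublicKeyPinningService::ChainHasValidPins` as an out-parameter. The early return covers the `NS_FAILED` case, but whether the callee writes the flag on every success path is not visible here, and its signature is being changed in this same commit. Giving the flag a fail-closed default, `bool chainHasValidPins = false;`, would keep the pin decision from depending on an indeterminate value. IsChainValid's body starts and ends outside the hunk.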
--- a/security/certverifier/NSSCertDBTrustDomain.h +++ b/security/certverifier/NSSCertDBTrustDomain.h @@ -84,7 +84,6 @@ public: NetscapeStepUpPolicy netscapeStepUpPolicy, const NeckoOriginAttributes& originAttributes, UniqueCERTCertList& builtChain, - /*optional*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr, /*optional*/ const char* hostname = nullptr); virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName, @@ -188,7 +187,6 @@ private: NetscapeStepUpPolicy mNetscapeStepUpPolicy; const NeckoOriginAttributes& mOriginAttributes; UniqueCERTCertList& mBuiltChain; // non-owning - PinningTelemetryInfo* mPinningTelemetryInfo; const char* mHostname; // non-owning - only used for pinning checks nsCOMPtr<nsICertBlocklist> mCertBlocklist; CertVerifier::OCSPStaplingStatus mOCSPStaplingStatus; |
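Review bot: The constructor declaration in the `@@ -84` hunk documents `hostname` only as `/*optional*/`, although the initializer list in NSSCertDBTrustDomain.cpp stores the raw pointer in `mHostname` without copying it. The lifetime rule is stated only on the private member, so a caller reading the public declaration does not see that the string must outlive the trust domain. I would carry it up to the parameter, for example `/*optional, non-owning; must outlive this object*/ const char* hostname = nullptr);`. The class definition starts and ends outside the hunk.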