From 06f9b815ce422c18195bfcbc42ab71fbb6592e33 Mon Sep 17 00:00:00 2001 From: adesh Date: Tue, 10 Nov 2020 04:22:12 -0500 Subject: Issue #1280 - Follow-up: Get rid of HPKP pinning mode. This was a leftover from HPKP removal. Also remove a couple of unused variables from security/manager/ssl/nsSiteSecurityService.cpp. --- security/certverifier/CertVerifier.cpp | 21 +++++++++------------ security/certverifier/CertVerifier.h | 13 ++----------- security/certverifier/NSSCertDBTrustDomain.cpp | 2 -- security/certverifier/NSSCertDBTrustDomain.h | 2 -- 4 files changed, 11 insertions(+), 27 deletions(-) (limited to 'security/certverifier') diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp index 7f47de14f..389a6c70a 100644 --- a/security/certverifier/CertVerifier.cpp +++ b/security/certverifier/CertVerifier.cpp @@ -42,7 +42,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc, OcspGetConfig ogc, uint32_t certShortLifetimeInDays, - PinningMode pinningMode, SHA1Mode sha1Mode, BRNameMatchingPolicy::Mode nameMatchingMode, NetscapeStepUpPolicy netscapeStepUpPolicy, @@ -51,7 +50,6 @@ CertVerifier::CertVerifier(OcspDownloadConfig odc, , mOCSPStrict(osc == ocspStrict) , mOCSPGETEnabled(ogc == ocspGetEnabled) , mCertShortLifetimeInDays(certShortLifetimeInDays) - , mPinningMode(pinningMode) , mSHA1Mode(sha1Mode) , mNameMatchingMode(nameMatchingMode) , mNetscapeStepUpPolicy(netscapeStepUpPolicy) @@ -417,7 +415,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - pinningDisabled, MIN_RSA_BITS_WEAK, + MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, @@ -486,7 +484,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain trustDomain(trustSSL, evOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, - mCertShortLifetimeInDays, mPinningMode, MIN_RSA_BITS, + mCertShortLifetimeInDays, MIN_RSA_BITS, ValidityCheckingMode::CheckForEV, sha1ModeConfigurations[i], mNetscapeStepUpPolicy, originAttributes, builtChain); @@ -567,7 +565,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - mPinningMode, keySizeOptions[i], + keySizeOptions[i], ValidityCheckingMode::CheckingOff, sha1ModeConfigurations[j], mNetscapeStepUpPolicy, @@ -630,7 +628,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - pinningDisabled, MIN_RSA_BITS_WEAK, + MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, mNetscapeStepUpPolicy, originAttributes, builtChain); @@ -645,7 +643,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - pinningDisabled, MIN_RSA_BITS_WEAK, + MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, @@ -672,7 +670,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - pinningDisabled, MIN_RSA_BITS_WEAK, + MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, @@ -696,7 +694,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain trustDomain(trustObjectSigning, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - pinningDisabled, MIN_RSA_BITS_WEAK, + MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, @@ -729,7 +727,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain sslTrust(trustSSL, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - pinningDisabled, MIN_RSA_BITS_WEAK, + MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, @@ -741,7 +739,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, NSSCertDBTrustDomain emailTrust(trustEmail, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - pinningDisabled, MIN_RSA_BITS_WEAK, + MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, NetscapeStepUpPolicy::NeverMatch, @@ -754,7 +752,6 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage, defaultOCSPFetching, mOCSPCache, pinArg, ocspGETConfig, mCertShortLifetimeInDays, - pinningDisabled, MIN_RSA_BITS_WEAK, ValidityCheckingMode::CheckingOff, SHA1Mode::Allowed, diff --git a/security/certverifier/CertVerifier.h b/security/certverifier/CertVerifier.h index fbc3adab4..0bb1508c5 100644 --- a/security/certverifier/CertVerifier.h +++ b/security/certverifier/CertVerifier.h @@ -140,13 +140,6 @@ public: /*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr, /*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr); - enum PinningMode { - pinningDisabled = 0, - pinningAllowUserCAMITM = 1, - pinningStrict = 2, - pinningEnforceTestMode = 3 - }; - enum class SHA1Mode { Allowed = 0, Forbidden = 1, @@ -173,7 +166,7 @@ public: CertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc, OcspGetConfig ogc, uint32_t certShortLifetimeInDays, - PinningMode pinningMode, SHA1Mode sha1Mode, + SHA1Mode sha1Mode, BRNameMatchingPolicy::Mode nameMatchingMode, NetscapeStepUpPolicy netscapeStepUpPolicy, CertificateTransparencyMode ctMode); @@ -185,7 +178,6 @@ public: const bool mOCSPStrict; const bool mOCSPGETEnabled; const uint32_t mCertShortLifetimeInDays; - const PinningMode mPinningMode; const SHA1Mode mSHA1Mode; const BRNameMatchingPolicy::Mode mNameMatchingMode; const NetscapeStepUpPolicy mNetscapeStepUpPolicy; @@ -215,8 +207,7 @@ private: mozilla::pkix::Result IsCertBuiltInRoot(CERTCertificate* cert, bool& result); mozilla::pkix::Result CertListContainsExpectedKeys( - const CERTCertList* certList, const char* hostname, mozilla::pkix::Time time, - CertVerifier::PinningMode pinningMode); + const CERTCertList* certList, const char* hostname, mozilla::pkix::Time time); } } // namespace mozilla::psm diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp index a8ecbf1d1..ed16098b8 100644 --- a/security/certverifier/NSSCertDBTrustDomain.cpp +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -52,7 +52,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType, /*optional but shouldn't be*/ void* pinArg, CertVerifier::OcspGetConfig ocspGETConfig, uint32_t certShortLifetimeInDays, - CertVerifier::PinningMode pinningMode, unsigned int minRSABits, ValidityCheckingMode validityCheckingMode, CertVerifier::SHA1Mode sha1Mode, @@ -65,7 +64,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType, , mPinArg(pinArg) , mOCSPGetConfig(ocspGETConfig) , mCertShortLifetimeInDays(certShortLifetimeInDays) - , mPinningMode(pinningMode) , mMinRSABits(minRSABits) , mValidityCheckingMode(validityCheckingMode) , mSHA1Mode(sha1Mode) diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h index 50e2c8adc..8d25e746c 100644 --- a/security/certverifier/NSSCertDBTrustDomain.h +++ b/security/certverifier/NSSCertDBTrustDomain.h @@ -77,7 +77,6 @@ public: OCSPCache& ocspCache, void* pinArg, CertVerifier::OcspGetConfig ocspGETConfig, uint32_t certShortLifetimeInDays, - CertVerifier::PinningMode pinningMode, unsigned int minRSABits, ValidityCheckingMode validityCheckingMode, CertVerifier::SHA1Mode sha1Mode, @@ -179,7 +178,6 @@ private: void* mPinArg; // non-owning! const CertVerifier::OcspGetConfig mOCSPGetConfig; const uint32_t mCertShortLifetimeInDays; - CertVerifier::PinningMode mPinningMode; const unsigned int mMinRSABits; ValidityCheckingMode mValidityCheckingMode; CertVerifier::SHA1Mode mSHA1Mode; -- cgit v1.2.3