author | Dana Keeler <dkeeler@mozilla.com> | 2020-09-23 21:13:40 +0000 |
---|---|---|
committer | Dana Keeler <dkeeler@mozilla.com> | 2020-09-23 21:13:40 +0000 |
commit | c6f0e26f1752c8e2cf13f3fe7b5ebdb8dcd0803b (patch) | |
tree | d0bbd56f552bc14915cd201aa9333588f8af7217 | |
parent | d1158595ce099e746ab0b933dd406d2c09d4836b (diff) | |
download | nss-hg-c6f0e26f1752c8e2cf13f3fe7b5ebdb8dcd0803b.tar.gz |
Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension (if present) in CheckRevocation r=jcj
This will allow Firefox to make decisions based on the earliest time that a
certificate is known (via certificate transparency) to have existed, a time that
a CA is unlikely to back-date. In particular, this is essential for CRLite. Note that
if the SCT signature isn't validated, a CA could still make a certificate
appear to have existed for longer than it really has. However, this change is
not an attempt to catch malicious CAs. The aim is to avoid false positives in
CRLite resulting from CAs backdating the notBefore field on certificates they
issue.
Depends on D90595
Differential Revision: https://phabricator.services.mozilla.com/D90596
-rw-r--r-- | gtests/mozpkix_gtest/pkixbuild_tests.cpp | 18 | ||||
-rw-r--r-- | gtests/mozpkix_gtest/pkixcert_extension_tests.cpp | 3 | ||||
-rw-r--r-- | gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp | 2 | ||||
-rw-r--r-- | gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp | 2 | ||||
-rw-r--r-- | gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp | 1 | ||||
-rw-r--r-- | gtests/mozpkix_gtest/pkixgtest.h | 1 | ||||
-rw-r--r-- | lib/mozpkix/include/pkix/pkixtypes.h | 3 | ||||
-rw-r--r-- | lib/mozpkix/lib/pkixbuild.cpp | 3 |
8 files changed, 22 insertions, 11 deletions
diff --git a/gtests/mozpkix_gtest/pkixbuild_tests.cpp b/gtests/mozpkix_gtest/pkixbuild_tests.cpp
index e17321075..c5ac86e62 100644
--- a/gtests/mozpkix_gtest/pkixbuild_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixbuild_tests.cpp
@@ -153,7 +153,8 @@ private:
 }
 Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
- /*optional*/ const Input*, /*optional*/ const Input*)
+ /*optional*/ const Input*, /*optional*/ const Input*,
+ /*optional*/ const Input*)
 override
 {
 return Success;
@@ -302,7 +303,8 @@ public:
 }
 Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
- /*optional*/ const Input*, /*optional*/ const Input*)
+ /*optional*/ const Input*, /*optional*/ const Input*,
+ /*optional*/ const Input*)
 override
 {
 return Success;
@@ -322,7 +324,8 @@ public:
 }
 Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
- /*optional*/ const Input*, /*optional*/ const Input*)
+ /*optional*/ const Input*, /*optional*/ const Input*,
+ /*optional*/ const Input*)
 override
 {
 ADD_FAILURE();
@@ -443,7 +446,8 @@ public:
 }
 Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
- /*optional*/ const Input*, /*optional*/ const Input*)
+ /*optional*/ const Input*, /*optional*/ const Input*,
+ /*optional*/ const Input*)
 override
 {
 return Success;
@@ -667,6 +671,7 @@ private:
 Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
 /*optional*/ const Input*,
+ /*optional*/ const Input*,
 /*optional*/ const Input*) override
 {
 return Success;
@@ -724,7 +729,7 @@ class RevokedEndEntityTrustDomain final : public MultiplePathTrustDomain
 public:
 Result CheckRevocation(EndEntityOrCA endEntityOrCA, const CertID&, Time, Duration, /*optional*/ const Input*,
- /*optional*/ const Input*) override
+ /*optional*/ const Input*, /*optional*/ const Input*) override
 {
 if (endEntityOrCA == EndEntityOrCA::MustBeEndEntity) {
 return Result::ERROR_REVOKED_CERTIFICATE;
@@ -829,7 +834,8 @@ private:
 }
 Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
- /*optional*/ const Input*, /*optional*/ const Input*)
+ /*optional*/ const Input*, /*optional*/ const Input*,
+ /*optional*/ const Input*)
 override
 {
 return Success;
diff --git a/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp b/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp
index 762fac146..e2dcc8e02 100644
--- a/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp
@@ -71,7 +71,8 @@ private:
 }
 Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
- /*optional*/ const Input*, /*optional*/ const Input*)
+ /*optional*/ const Input*, /*optional*/ const Input*,
+ /*optional*/ const Input*)
 override
 {
 return Success;
diff --git a/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp b/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
index 00ccffb04..5719d1045 100644
--- a/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
@@ -93,7 +93,7 @@ private:
 }
 Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
- const Input*, const Input*) override
+ const Input*, const Input*, const Input*) override
 {
 return Success;
 }
diff --git a/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp b/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
index 0aef3d5c1..364be47e6 100644
--- a/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
@@ -559,7 +559,7 @@ private:
 }
 Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
- const Input*, const Input*) override
+ const Input*, const Input*, const Input*) override
 {
 return Success;
 }
diff --git a/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp b/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
index 70e6fd410..d3a57c3e6 100644
--- a/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
+++ b/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
@@ -304,6 +304,7 @@ public:
 Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
 /*optional*/ const Input*,
+ /*optional*/ const Input*,
 /*optional*/ const Input*) override
 {
 return Success;
diff --git a/gtests/mozpkix_gtest/pkixgtest.h b/gtests/mozpkix_gtest/pkixgtest.h
index bb3491d44..719b87d54 100644
--- a/gtests/mozpkix_gtest/pkixgtest.h
+++ b/gtests/mozpkix_gtest/pkixgtest.h
@@ -102,6 +102,7 @@ class EverythingFailsByDefaultTrustDomain : public TrustDomain {
 Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
 /*optional*/ const Input*,
+ /*optional*/ const Input*,
 /*optional*/ const Input*) override {
 ADD_FAILURE();
 return NotReached("CheckRevocation should not be called",
diff --git a/lib/mozpkix/include/pkix/pkixtypes.h b/lib/mozpkix/include/pkix/pkixtypes.h
index 6b12edbb1..6c391681f 100644
--- a/lib/mozpkix/include/pkix/pkixtypes.h
+++ b/lib/mozpkix/include/pkix/pkixtypes.h
@@ -280,7 +280,8 @@ class TrustDomain {
 const CertID& certID, Time time, Duration validityDuration,
 /*optional*/ const Input* stapledOCSPresponse,
- /*optional*/ const Input* aiaExtension) = 0;
+ /*optional*/ const Input* aiaExtension,
+ /*optional*/ const Input* sctExtension) = 0;
 // Check that the given digest algorithm is acceptable for use in signatures.
 //
diff --git a/lib/mozpkix/lib/pkixbuild.cpp b/lib/mozpkix/lib/pkixbuild.cpp
index 0ac2cb883..afe7e2a24 100644
--- a/lib/mozpkix/lib/pkixbuild.cpp
+++ b/lib/mozpkix/lib/pkixbuild.cpp
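Review bot: The new `sctExtension` parameter added to `TrustDomain::CheckRevocation` in pkixtypes.h is undocumented, and since this is the interface every embedder implements, the caveat from the commit message (the SCTs are handed over without their signatures having been validated at this layer) belongs next to the declaration rather than only in the log. The `virtual Result CheckRevocation(` declaration begins before the hunk; above it I would add a comment of roughly this form: `// sctExtension, when non-null, is the encoded signed certificate timestamp extension of the certificate being checked. It is passed through unverified; an implementation must validate the SCTs itself before relying on their timestamps.` The sibling `stapledOCSPresponse` and `aiaExtension` parameters are likewise unexplained at the declaration, so a one-line comment per parameter, in the style of the `// Check that the given digest algorithm ...` comment that follows, would make the contract complete. The call site in the pkixbuild.cpp hunk at -253 appears to pass `subject.GetSignedCertificateTimestamps()` for whichever certificate `subject` currently is, end-entity or CA, which that comment could also state if that is the intent.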
@@ -253,7 +253,8 @@ PathBuildingStep::Check(Input potentialIssuerDER,
 Duration validityDuration(notAfter, notBefore);
 rv = trustDomain.CheckRevocation(subject.endEntityOrCA, certID, time, validityDuration, stapledOCSPResponse,
- subject.GetAuthorityInfoAccess());
+ subject.GetAuthorityInfoAccess(),
+ subject.GetSignedCertificateTimestamps());
 if (rv != Success) {
 // Since this is actually a problem with the current subject certificate
 // (rather than the issuer), it doesn't make sense to keep going; all |