authorMarcus Burghardt <mburghardt@mozilla.com>2019-10-11 03:49:25 +0000
committerMarcus Burghardt <mburghardt@mozilla.com>2019-10-11 03:49:25 +0000
commit4773827d33691bfe104debb0b78156574612b24d (patch)
tree56dc1dcd9dd8bb50849f5e81ba6c337383870a96 /cmd
parent96a54e65e82ad4baa20ca208e633bd20f136f365 (diff)
downloadnss-hg-4773827d33691bfe104debb0b78156574612b24d.tar.gz
Bug 1465613 - Created two new fields for scheduled distrust from builtins and updated support commands. r=jcj,kjacobs,mt
Added two new fields for scheduled distrust of CAs in nssckbi/builtins. Also, created a testlib to validate these fields with gtests. Differential Revision: https://phabricator.services.mozilla.com/D36597
Diffstat (limited to 'cmd')
-rw-r--r--cmd/addbuiltin/addbuiltin.c89
-rw-r--r--cmd/lib/secutil.c74
2 files changed, 108 insertions, 55 deletions
diff --git a/cmd/addbuiltin/addbuiltin.c b/cmd/addbuiltin/addbuiltin.c
index 831672039..92ef75897 100644
--- a/cmd/addbuiltin/addbuiltin.c
+++ b/cmd/addbuiltin/addbuiltin.c
@@ -230,6 +230,8 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust,
hasPositiveTrust(trust->objectSigningFlags)) {
printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n");
}
+ printf("CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE\n");
+ printf("CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE\n");
}
if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) ==
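Review bot: The two CK_FALSE lines are written for every certificate with no comment saying they are placeholders that are later replaced by hand with the `-d` output, which is the workflow this same commit describes in main's `-d` branch ("Erase the CKA_NSS_[SERVER|EMAIL]_DISTRUST_AFTER CK_BBOOL CK_FALSE And override..."). A comment above them, `/* Placeholders: replace by hand with the MULTILINE_OCTAL block printed by "addbuiltin -d timestamp" when a distrust date is set. */`, keeps that intent next to the code. ConvertCertificate begins and ends outside the hunk, so the condition enclosing these prints is not visible here.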
@@ -306,19 +308,21 @@ printheader()
"#\n"
"# Certificates\n"
"#\n"
- "# -- Attribute -- -- type -- -- value --\n"
- "# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n"
- "# CKA_TOKEN CK_BBOOL CK_TRUE\n"
- "# CKA_PRIVATE CK_BBOOL CK_FALSE\n"
- "# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
- "# CKA_LABEL UTF8 (varies)\n"
- "# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n"
- "# CKA_SUBJECT DER+base64 (varies)\n"
- "# CKA_ID byte array (varies)\n"
- "# CKA_ISSUER DER+base64 (varies)\n"
- "# CKA_SERIAL_NUMBER DER+base64 (varies)\n"
- "# CKA_VALUE DER+base64 (varies)\n"
- "# CKA_NSS_EMAIL ASCII7 (unused here)\n"
+ "# -- Attribute -- -- type -- -- value --\n"
+ "# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n"
+ "# CKA_TOKEN CK_BBOOL CK_TRUE\n"
+ "# CKA_PRIVATE CK_BBOOL CK_FALSE\n"
+ "# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
+ "# CKA_LABEL UTF8 (varies)\n"
+ "# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n"
+ "# CKA_SUBJECT DER+base64 (varies)\n"
+ "# CKA_ID byte array (varies)\n"
+ "# CKA_ISSUER DER+base64 (varies)\n"
+ "# CKA_SERIAL_NUMBER DER+base64 (varies)\n"
+ "# CKA_VALUE DER+base64 (varies)\n"
+ "# CKA_NSS_EMAIL ASCII7 (unused here)\n"
+ "# CKA_NSS_SERVER_DISTRUST_AFTER DER+base64 (varies)\n"
+ "# CKA_NSS_EMAIL_DISTRUST_AFTER DER+base64 (varies)\n"
"#\n"
"# Trust\n"
"#\n"
@@ -392,6 +396,12 @@ Usage(char *progName)
fprintf(stderr, "%-15s a CRL entry number, as shown by \"crlutil -S\"\n", "-e");
fprintf(stderr, "%-15s input file to read (default stdin)\n", "-i file");
fprintf(stderr, "%-15s (pipe through atob if the cert is b64-encoded)\n", "");
+ fprintf(stderr, "%-15s convert a timestamp to DER, and output.\n", "-d timestamp");
+ fprintf(stderr, "%-15s useful to fill server and email distrust fields\n", "");
+ fprintf(stderr, "%-15s Example: %s -d 1561939200\n", "", progName);
+ fprintf(stderr, "%-15s NOTE: The informed timestamp are interpreted as seconds\n", "");
+ fprintf(stderr, "%-15s since unix epoch.\n", "");
+ fprintf(stderr, "%-15s TIP: date -d \"2019-07-01 00:00:00 UTC\" +%%s\n", "");
exit(-1);
}
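Review bot: The new help text has a grammar error on the NOTE line, `The informed timestamp are interpreted as seconds`, which should read `"%-15s NOTE: The timestamp is interpreted as seconds\n"`. The example `-d 1561939200` and the TIP's `2019-07-01 00:00:00 UTC` are in fact the same instant, so saying so ("Example (2019-07-01 00:00:00 UTC):") makes the example self-checking for the reader. The base accepted by the parser is not stated here; if the `-d` handler keeps strtol with base 0, the help should warn that a leading `0x` or `0` changes how the number is read.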
@@ -403,20 +413,21 @@ enum {
opt_ExcludeCert,
opt_ExcludeHash,
opt_DistrustCRL,
- opt_CRLEnry
+ opt_CRLEntry,
+ opt_ConvertDate
};
-static secuCommandFlag addbuiltin_options[] =
- {
- { /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE },
- { /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE },
- { /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE },
- { /* opt_Distrust */ 'D', PR_FALSE, 0, PR_FALSE },
- { /* opt_ExcludeCert */ 'c', PR_FALSE, 0, PR_FALSE },
- { /* opt_ExcludeHash */ 'h', PR_FALSE, 0, PR_FALSE },
- { /* opt_DistrustCRL */ 'C', PR_FALSE, 0, PR_FALSE },
- { /* opt_CRLEnry */ 'e', PR_TRUE, 0, PR_FALSE },
- };
+static secuCommandFlag addbuiltin_options[] = {
+ { /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE },
+ { /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE },
+ { /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE },
+ { /* opt_Distrust */ 'D', PR_FALSE, 0, PR_FALSE },
+ { /* opt_ExcludeCert */ 'c', PR_FALSE, 0, PR_FALSE },
+ { /* opt_ExcludeHash */ 'h', PR_FALSE, 0, PR_FALSE },
+ { /* opt_DistrustCRL */ 'C', PR_FALSE, 0, PR_FALSE },
+ { /* opt_CRLEntry */ 'e', PR_TRUE, 0, PR_FALSE },
+ { /* opt_ConvertDate */ 'd', PR_TRUE, 0, PR_FALSE },
+};
int
main(int argc, char **argv)
@@ -444,6 +455,30 @@ main(int argc, char **argv)
if (rv != SECSuccess)
Usage(progName);
+ if (addbuiltin.options[opt_ConvertDate].activated) {
+ char* endPtr;
+ PRTime distrustTimestamp = strtol(addbuiltin.options[opt_ConvertDate].arg, &endPtr, 0) * PR_USEC_PER_SEC;
+ if (*endPtr != '\0' && distrustTimestamp > 0) {
+ Usage(progName);
+ exit(1);
+ }
+ SECItem encTime;
+ DER_EncodeTimeChoice(NULL, &encTime, distrustTimestamp);
+ SECU_PrintTimeChoice(stdout, &encTime, "The timestamp represents this date", 0);
+ printf("Locate the entry of the desired certificate in certdata.txt\n"
+ "Erase the CKA_NSS_[SERVER|EMAIL]_DISTRUST_AFTER CK_BBOOL CK_FALSE\n"
+ "And override with the following respective entry:\n\n");
+ SECU_PrintTimeChoice(stdout, &encTime, "# For Server Distrust After", 0);
+ printf("CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL\n");
+ dumpbytes(encTime.data, encTime.len);
+ printf("END\n");
+ SECU_PrintTimeChoice(stdout, &encTime, "# For Email Distrust After", 0);
+ printf("CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL\n");
+ dumpbytes(encTime.data, encTime.len);
+ printf("END\n");
+ exit(0);
+ }
+
if (addbuiltin.options[opt_Trust].activated)
++mutuallyExclusiveOpts;
if (addbuiltin.options[opt_Distrust].activated)
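Review bot: The validation on the new `-d` path accepts bad input: `*endPtr != '\0' && distrustTimestamp > 0` lets a non-numeric argument such as `abc` through (strtol returns 0, so the second operand is false) and silently encodes the epoch, negative values are never rejected, and base 0 means a leading `0x` or `0` changes the parsed value, which the help text does not mention. The product `strtol(...) * PR_USEC_PER_SEC` is evaluated in `long` before being widened to PRTime, which overflows on 32-bit targets and is undefined behaviour for large inputs on any target, and `ERANGE` is not checked. The return value of DER_EncodeTimeChoice is ignored, so on failure `encTime` is uninitialised when dumpbytes reads it, and the `exit(1)` after Usage is dead code since Usage already exits. Parsing in base 10 with endptr/errno checks, multiplying as PRTime after a range check, and checking the encode result address all of these; `<errno.h>` and `<limits.h>` must be included if they are not already (the include block is outside the hunk). main begins and ends outside the hunk.
```c
    if (addbuiltin.options[opt_ConvertDate].activated) {
        const char *arg = addbuiltin.options[opt_ConvertDate].arg;
        char *endPtr;
        errno = 0;
        long seconds = strtol(arg, &endPtr, 10);
        if (endPtr == arg || *endPtr != '\0' || errno == ERANGE ||
            seconds < 0 || seconds > LLONG_MAX / PR_USEC_PER_SEC) {
            fprintf(stderr, "%s: -d expects a non-negative number of seconds since the unix epoch.\n", progName);
            Usage(progName); /* does not return */
        }
        PRTime distrustTimestamp = (PRTime)seconds * PR_USEC_PER_SEC;
        SECItem encTime;
        if (DER_EncodeTimeChoice(NULL, &encTime, distrustTimestamp) != SECSuccess) {
            fprintf(stderr, "%s: unable to DER-encode the timestamp.\n", progName);
            exit(1);
        }
        /* … unchanged: SECU_PrintTimeChoice / printf / dumpbytes output and exit(0) … */
    }
```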
@@ -458,12 +493,12 @@ main(int argc, char **argv)
}
if (addbuiltin.options[opt_DistrustCRL].activated) {
- if (!addbuiltin.options[opt_CRLEnry].activated) {
+ if (!addbuiltin.options[opt_CRLEntry].activated) {
fprintf(stderr, "%s: you must specify the CRL entry number.\n",
progName);
Usage(progName);
} else {
- crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg);
+ crlentry = atoi(addbuiltin.options[opt_CRLEntry].arg);
if (crlentry < 1) {
fprintf(stderr, "%s: The CRL entry number must be > 0.\n",
progName);
diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c
index aafde9b5f..703845e98 100644
--- a/cmd/lib/secutil.c
+++ b/cmd/lib/secutil.c
@@ -1108,36 +1108,33 @@ typedef struct secuPBEParamsStr {
SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
/* SECOID_PKCS5_PBKDF2 */
-const SEC_ASN1Template secuKDF2Params[] =
- {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
- { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
- { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
- { SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) },
- { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
- { 0 }
- };
+const SEC_ASN1Template secuKDF2Params[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
+ { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
+ { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
+ { SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { 0 }
+};
/* PKCS5v1 & PKCS12 */
-const SEC_ASN1Template secuPBEParamsTemp[] =
- {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
- { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
- { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
- { 0 }
- };
+const SEC_ASN1Template secuPBEParamsTemp[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
+ { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
+ { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
+ { 0 }
+};
/* SEC_OID_PKCS5_PBES2, SEC_OID_PKCS5_PBMAC1 */
-const SEC_ASN1Template secuPBEV2Params[] =
- {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
- { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
- { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
- { 0 }
- };
+const SEC_ASN1Template secuPBEV2Params[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { 0 }
+};
void
secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
@@ -2300,8 +2297,9 @@ SECU_PrintCertAttributes(FILE *out, CERTAttribute **attrs, char *m, int level)
return rv;
}
-int /* sometimes a PRErrorCode, other times a SECStatus. Sigh. */
- SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level)
+/* sometimes a PRErrorCode, other times a SECStatus. Sigh. */
+int
+SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level)
{
PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
CERTCertificateRequest *cr;
@@ -3251,6 +3249,26 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
"Certificate Trust Flags", 1);
}
+ /* The distrust fields are hard-coded in nssckbi and read-only.
+ * If verifying some cert, with vfychain, for instance, the certificate may
+ * not have a defined slot if not imported. */
+ if (cert->slot != NULL && cert->distrust != NULL) {
+ const unsigned int kDistrustFieldSize = 13;
+ fprintf(stdout, "\n");
+ SECU_Indent(stdout, 1);
+ fprintf(stdout, "%s:\n", "Certificate Distrust Dates");
+ if (cert->distrust->serverDistrustAfter.len == kDistrustFieldSize) {
+ SECU_PrintTimeChoice(stdout,
+ &cert->distrust->serverDistrustAfter,
+ "Server Distrust After", 2);
+ }
+ if (cert->distrust->emailDistrustAfter.len == kDistrustFieldSize) {
+ SECU_PrintTimeChoice(stdout,
+ &cert->distrust->emailDistrustAfter,
+ "E-mail Distrust After", 2);
+ }
+ }
+
printf("\n");
return (SECSuccess);
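Review bot: A distrust field whose length is not exactly 13 is silently skipped, so a malformed or differently-encoded value in the builtins module produces no output at all and the reader cannot distinguish "not set" from "present but unexpected". The `-d` branch added to addbuiltin.c in this same commit dumps whatever DER_EncodeTimeChoice returns; if that includes the tag and length octets it is not 13 bytes, so the two sides should be confirmed to agree and the constant documented, e.g. `const unsigned int kDistrustFieldSize = 13; /* expected length of the stored value; TODO confirm it matches what "addbuiltin -d" emits */`. An `else if (cert->distrust->serverDistrustAfter.len != 0)` branch (and its email twin) printing `(unexpected length %u)` would make such a mismatch visible instead of silent. SEC_PrintCertificateAndTrust starts and ends outside the hunk.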