68.14.2 - security

security/apps/AppSignatureVerification.cpp

@@ -1278,7 +1278,6 @@ nsresult OpenSignedAppFile(AppTrustedRoot aTrustedRoot, nsIFile* aJarFile,
   }
 
   // Return the signer's certificate to the reader if they want it.
-  // XXX: We should return an nsIX509CertList with the whole validated chain.
   if (aSignerCert) {
     // The COSE certificate is authoritative.
     if (aPolicy.COSERequired() || (coseCertItem && coseCertItem->len != 0)) {

security/certverifier/CertVerifier.cpp

@@ -17,6 +17,7 @@
 #include "mozilla/Assertions.h"
 #include "mozilla/Casting.h"
 #include "mozilla/IntegerPrintfMacros.h"
+#include "mozilla/Logging.h"
 #include "nsNSSComponent.h"
 #include "nsPromiseFlatString.h"
 #include "nsServiceManagerUtils.h"
@@ -445,8 +446,8 @@ Result CertVerifier::VerifyCert(
     const char* hostname,
     /*out*/ UniqueCERTCertList& builtChain,
     /*optional*/ const Flags flags,
-    /*optional*/ const SECItem* stapledOCSPResponseSECItem,
-    /*optional*/ const SECItem* sctsFromTLSSECItem,
+    /*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponseArg,
+    /*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS,
     /*optional*/ const OriginAttributes& originAttributes,
     /*optional out*/ SECOidTag* evOidPolicy,
     /*optional out*/ OCSPStaplingStatus* ocspStaplingStatus,
@@ -514,9 +515,9 @@ Result CertVerifier::VerifyCert(
 
   Input stapledOCSPResponseInput;
   const Input* stapledOCSPResponse = nullptr;
-  if (stapledOCSPResponseSECItem) {
-    rv = stapledOCSPResponseInput.Init(stapledOCSPResponseSECItem->data,
-                                       stapledOCSPResponseSECItem->len);
+  if (stapledOCSPResponseArg) {
+    rv = stapledOCSPResponseInput.Init(stapledOCSPResponseArg->Elements(),
+                                       stapledOCSPResponseArg->Length());
     if (rv != Success) {
       // The stapled OCSP response was too big.
       return Result::ERROR_OCSP_MALFORMED_RESPONSE;
@@ -525,12 +526,11 @@ Result CertVerifier::VerifyCert(
   }
 
   Input sctsFromTLSInput;
-  if (sctsFromTLSSECItem) {
-    rv = sctsFromTLSInput.Init(sctsFromTLSSECItem->data,
-                               sctsFromTLSSECItem->len);
-    // Silently discard the error of the extension being too big,
-    // do not fail the verification.
-    MOZ_ASSERT(rv == Success);
+  if (sctsFromTLS) {
+    rv = sctsFromTLSInput.Init(sctsFromTLS->Elements(), sctsFromTLS->Length());
+    if (rv != Success && sctsFromTLSInput.GetLength() != 0) {
+      return Result::FATAL_ERROR_LIBRARY_FAILURE;
+    }
   }
 
   switch (usage) {
@@ -852,8 +852,8 @@ static bool CertIsSelfSigned(const UniqueCERTCertificate& cert, void* pinarg) {
 
 Result CertVerifier::VerifySSLServerCert(
     const UniqueCERTCertificate& peerCert,
-    /*optional*/ const SECItem* stapledOCSPResponse,
-    /*optional*/ const SECItem* sctsFromTLS, Time time,
+    /*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
+    /*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS, Time time,
     /*optional*/ void* pinarg, const nsACString& hostname,
     /*out*/ UniqueCERTCertList& builtChain,
     /*optional*/ bool saveIntermediatesInPermanentDatabase,
@@ -922,8 +922,8 @@ Result CertVerifier::VerifySSLServerCert(
   Input stapledOCSPResponseInput;
   Input* responseInputPtr = nullptr;
   if (stapledOCSPResponse) {
-    rv = stapledOCSPResponseInput.Init(stapledOCSPResponse->data,
-                                       stapledOCSPResponse->len);
+    rv = stapledOCSPResponseInput.Init(stapledOCSPResponse->Elements(),
+                                       stapledOCSPResponse->Length());
     if (rv != Success) {
       // The stapled OCSP response was too big.
       return Result::ERROR_OCSP_MALFORMED_RESPONSE;

security/certverifier/CertVerifier.h

@@ -144,8 +144,10 @@ class CertVerifier {
       CERTCertificate* cert, SECCertificateUsage usage,
       mozilla::pkix::Time time, void* pinArg, const char* hostname,
       /*out*/ UniqueCERTCertList& builtChain, Flags flags = 0,
-      /*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
-      /*optional in*/ const SECItem* sctsFromTLS = nullptr,
+      /*optional in*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponseArg =
+          Maybe<nsTArray<uint8_t>>(),
+      /*optional in*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS =
+          Maybe<nsTArray<uint8_t>>(),
       /*optional in*/ const OriginAttributes& originAttributes =
           OriginAttributes(),
       /*optional out*/ SECOidTag* evOidPolicy = nullptr,
@@ -157,8 +159,9 @@ class CertVerifier {
 
   mozilla::pkix::Result VerifySSLServerCert(
       const UniqueCERTCertificate& peerCert,
-      /*optional*/ const SECItem* stapledOCSPResponse,
-      /*optional*/ const SECItem* sctsFromTLS, mozilla::pkix::Time time,
+      /*optional*/ const Maybe<nsTArray<uint8_t>>& stapledOCSPResponse,
+      /*optional*/ const Maybe<nsTArray<uint8_t>>& sctsFromTLS,
+      mozilla::pkix::Time time,
       /*optional*/ void* pinarg, const nsACString& hostname,
       /*out*/ UniqueCERTCertList& builtChain,
       /*optional*/ bool saveIntermediatesInPermanentDatabase = false,

security/certverifier/ExtendedValidation.cpp

@@ -342,17 +342,6 @@ static const struct EVInfo kEVInfos[] = {
     "VQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxTaWduIFJvb3QgQ0E=",
     "BAAAAAABFUtaw5Q=",
   },
-  {
-    // CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
-    "2.23.140.1.1",
-    "CA/Browser Forum EV OID",
-    { 0xCA, 0x42, 0xDD, 0x41, 0x74, 0x5F, 0xD0, 0xB8, 0x1E, 0xB9, 0x02,
-      0x36, 0x2C, 0xF9, 0xD8, 0xBF, 0x71, 0x9D, 0xA1, 0xBD, 0x1B, 0x1E,
-      0xFC, 0x94, 0x6F, 0x5B, 0x4C, 0x99, 0xF4, 0x2C, 0x1B, 0x9E },
-    "MEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIyMRMwEQYDVQQKEwpH"
-    "bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu",
-    "BAAAAAABD4Ym5g0=",
-  },
   {
     // CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
     "2.23.140.1.1",