Bug 1465613 - Created two new fields for scheduled distrust from buil…
…tins and updated support commands. r=jcj,kjacobs,mt

Added two new fields for scheduled distrust of CAs in nssckbi/builtins.
Also, created a testlib to validate these fields with gtests.

Differential Revision: https://phabricator.services.mozilla.com/D36597

--HG--
extra : moz-landing-system : lando
Marcus Burghardt committed Oct 11, 2019
1 parent c778aa4 commit 47e35ec
Showing 30 changed files with 1,594 additions and 96 deletions.
29 changes: 29 additions & 0 deletions automation/abi-check/expected-report-libnss3.so.txt
Expand Up @@ -2,3 +2,32 @@

'function CERTCertList* PK11_GetCertsMatchingPrivateKey(SECKEYPrivateKey*)' {PK11_GetCertsMatchingPrivateKey@@NSS_3.47}

3 functions with some indirect sub-type change:

[C]'function SECStatus CERT_AddCertToListHead(CERTCertList*, CERTCertificate*)' at certdb.c:2631:1 has some indirect sub-type changes:
parameter 2 of type 'CERTCertificate*' has sub-type changes:
in pointed to type 'typedef CERTCertificate' at certt.h:39:1:
underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed:
type size changed from 6016 to 6080 (in bits)
1 data member insertion:
'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1
no data member changes (2 filtered);

[C]'function SECStatus CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle*, CERTCertificate*, PRTime, const SECItem*, void*)' at ocsp.c:5102:1 has some indirect sub-type changes:
parameter 2 of type 'CERTCertificate*' has sub-type changes:
in pointed to type 'typedef CERTCertificate' at certt.h:39:1:
underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed:
type size changed from 6016 to 6080 (in bits)
1 data member insertion:
'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1
no data member change (1 filtered);

[C]'function CERTCertificateList* CERT_CertChainFromCert(CERTCertificate*, SECCertUsage, PRBool)' at certhigh.c:1030:1 has some indirect sub-type changes:
parameter 1 of type 'CERTCertificate*' has sub-type changes:
in pointed to type 'typedef CERTCertificate' at certt.h:39:1:
underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed:
type size changed from 6016 to 6080 (in bits)
1 data member insertion:
'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1
no data member changes (2 filtered);

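--- a/automation/abi-check/expected-report-libsmime3.so.txt
+++ b/automation/abi-check/expected-report-libsmime3.so.txt
@@ -0,0 +1,11 @@
+1 function with some indirect sub-type change:
+
+[C]'function CERTCertificate* CERT_ConvertAndDecodeCertificate(char*)' at certread.c:219:1 has some indirect sub-type changes:
+return type changed:
+in pointed to type 'typedef CERTCertificate' at certt.h:39:1:
+underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed:
+type size changed from 6016 to 6080 (in bits)
+1 data member insertion:
+'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1
+
+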
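--- a/automation/abi-check/expected-report-libssl3.so.txt
+++ b/automation/abi-check/expected-report-libssl3.so.txt
@@ -0,0 +1,10 @@
+1 function with some indirect sub-type change:
+
+[C]'function SECStatus NSS_CmpCertChainWCANames(CERTCertificate*, CERTDistNames*)' at cmpcert.c:25:1 has some indirect sub-type changes:
+parameter 1 of type 'CERTCertificate*' has sub-type changes:
+in pointed to type 'typedef CERTCertificate' at certt.h:39:1:
+underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed:
+type size changed from 6016 to 6080 (in bits)
+1 data member insertion:
+'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1
+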
89 changes: 62 additions & 27 deletions cmd/addbuiltin/addbuiltin.c
Expand Up @@ -230,6 +230,8 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust,
hasPositiveTrust(trust->objectSigningFlags)) {
printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n");
}
printf("CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE\n");
printf("CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE\n");
}

if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) ==
Expand Down Expand Up @@ -306,19 +308,21 @@ printheader()
"#\n"
"# Certificates\n"
"#\n"
"# -- Attribute -- -- type -- -- value --\n"
"# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n"
"# CKA_TOKEN CK_BBOOL CK_TRUE\n"
"# CKA_PRIVATE CK_BBOOL CK_FALSE\n"
"# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
"# CKA_LABEL UTF8 (varies)\n"
"# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n"
"# CKA_SUBJECT DER+base64 (varies)\n"
"# CKA_ID byte array (varies)\n"
"# CKA_ISSUER DER+base64 (varies)\n"
"# CKA_SERIAL_NUMBER DER+base64 (varies)\n"
"# CKA_VALUE DER+base64 (varies)\n"
"# CKA_NSS_EMAIL ASCII7 (unused here)\n"
"# -- Attribute -- -- type -- -- value --\n"
"# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n"
"# CKA_TOKEN CK_BBOOL CK_TRUE\n"
"# CKA_PRIVATE CK_BBOOL CK_FALSE\n"
"# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
"# CKA_LABEL UTF8 (varies)\n"
"# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n"
"# CKA_SUBJECT DER+base64 (varies)\n"
"# CKA_ID byte array (varies)\n"
"# CKA_ISSUER DER+base64 (varies)\n"
"# CKA_SERIAL_NUMBER DER+base64 (varies)\n"
"# CKA_VALUE DER+base64 (varies)\n"
"# CKA_NSS_EMAIL ASCII7 (unused here)\n"
"# CKA_NSS_SERVER_DISTRUST_AFTER DER+base64 (varies)\n"
"# CKA_NSS_EMAIL_DISTRUST_AFTER DER+base64 (varies)\n"
"#\n"
"# Trust\n"
"#\n"
Expand Down Expand Up @@ -392,6 +396,12 @@ Usage(char *progName)
fprintf(stderr, "%-15s a CRL entry number, as shown by \"crlutil -S\"\n", "-e");
fprintf(stderr, "%-15s input file to read (default stdin)\n", "-i file");
fprintf(stderr, "%-15s (pipe through atob if the cert is b64-encoded)\n", "");
fprintf(stderr, "%-15s convert a timestamp to DER, and output.\n", "-d timestamp");
fprintf(stderr, "%-15s useful to fill server and email distrust fields\n", "");
fprintf(stderr, "%-15s Example: %s -d 1561939200\n", "", progName);
fprintf(stderr, "%-15s NOTE: The informed timestamp are interpreted as seconds\n", "");
fprintf(stderr, "%-15s since unix epoch.\n", "");
fprintf(stderr, "%-15s TIP: date -d \"2019-07-01 00:00:00 UTC\" +%%s\n", "");
exit(-1);
}

Expand All @@ -403,20 +413,21 @@ enum {
opt_ExcludeCert,
opt_ExcludeHash,
opt_DistrustCRL,
opt_CRLEnry
opt_CRLEntry,
opt_ConvertDate
};

static secuCommandFlag addbuiltin_options[] =
{
{ /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE },
{ /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE },
{ /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE },
{ /* opt_Distrust */ 'D', PR_FALSE, 0, PR_FALSE },
{ /* opt_ExcludeCert */ 'c', PR_FALSE, 0, PR_FALSE },
{ /* opt_ExcludeHash */ 'h', PR_FALSE, 0, PR_FALSE },
{ /* opt_DistrustCRL */ 'C', PR_FALSE, 0, PR_FALSE },
{ /* opt_CRLEnry */ 'e', PR_TRUE, 0, PR_FALSE },
};
static secuCommandFlag addbuiltin_options[] = {
{ /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE },
{ /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE },
{ /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE },
{ /* opt_Distrust */ 'D', PR_FALSE, 0, PR_FALSE },
{ /* opt_ExcludeCert */ 'c', PR_FALSE, 0, PR_FALSE },
{ /* opt_ExcludeHash */ 'h', PR_FALSE, 0, PR_FALSE },
{ /* opt_DistrustCRL */ 'C', PR_FALSE, 0, PR_FALSE },
{ /* opt_CRLEntry */ 'e', PR_TRUE, 0, PR_FALSE },
{ /* opt_ConvertDate */ 'd', PR_TRUE, 0, PR_FALSE },
};

int
main(int argc, char **argv)
Expand Down Expand Up @@ -444,6 +455,30 @@ main(int argc, char **argv)
if (rv != SECSuccess)
Usage(progName);

if (addbuiltin.options[opt_ConvertDate].activated) {
char* endPtr;
PRTime distrustTimestamp = strtol(addbuiltin.options[opt_ConvertDate].arg, &endPtr, 0) * PR_USEC_PER_SEC;
if (*endPtr != '\0' && distrustTimestamp > 0) {
Usage(progName);
exit(1);
}
SECItem encTime;
DER_EncodeTimeChoice(NULL, &encTime, distrustTimestamp);
SECU_PrintTimeChoice(stdout, &encTime, "The timestamp represents this date", 0);
printf("Locate the entry of the desired certificate in certdata.txt\n"
"Erase the CKA_NSS_[SERVER|EMAIL]_DISTRUST_AFTER CK_BBOOL CK_FALSE\n"
"And override with the following respective entry:\n\n");
SECU_PrintTimeChoice(stdout, &encTime, "# For Server Distrust After", 0);
printf("CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL\n");
dumpbytes(encTime.data, encTime.len);
printf("END\n");
SECU_PrintTimeChoice(stdout, &encTime, "# For Email Distrust After", 0);
printf("CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL\n");
dumpbytes(encTime.data, encTime.len);
printf("END\n");
exit(0);
}

if (addbuiltin.options[opt_Trust].activated)
++mutuallyExclusiveOpts;
if (addbuiltin.options[opt_Distrust].activated)
Expand All @@ -458,12 +493,12 @@ main(int argc, char **argv)
}

if (addbuiltin.options[opt_DistrustCRL].activated) {
if (!addbuiltin.options[opt_CRLEnry].activated) {
if (!addbuiltin.options[opt_CRLEntry].activated) {
fprintf(stderr, "%s: you must specify the CRL entry number.\n",
progName);
Usage(progName);
} else {
crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg);
crlentry = atoi(addbuiltin.options[opt_CRLEntry].arg);
if (crlentry < 1) {
fprintf(stderr, "%s: The CRL entry number must be > 0.\n",
progName);
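Review bot: The argument validation for `-d` at the top of the new block in main() lets malformed input through: `*endPtr != '\0' && distrustTimestamp > 0` rejects only a positive value followed by trailing characters, so an empty or non-numeric string (strtol returns 0 with endPtr == arg), a negative value and an out-of-range value are all accepted and encoded as a date. The two conditions should be OR-ed, `endPtr == arg` and `errno == ERANGE` checked, and the multiplication by PR_USEC_PER_SEC done in PRTime width after validation rather than on the `long` strtol result (32-bit on some platforms); the `exit(1)` after `Usage(progName)` is unreachable because Usage already exits. The return value of DER_EncodeTimeChoice is also not checked before encTime is printed. main() continues outside the hunk, and `<errno.h>` is needed if the file does not already include it.
```c
    if (addbuiltin.options[opt_ConvertDate].activated) {
        const char *arg = addbuiltin.options[opt_ConvertDate].arg;
        char *endPtr;
        errno = 0;
        long seconds = strtol(arg, &endPtr, 0);
        /* Reject empty/non-numeric input, trailing characters, overflow and non-positive values. */
        if (endPtr == arg || *endPtr != '\0' || errno == ERANGE || seconds <= 0) {
            Usage(progName);
        }
        PRTime distrustTimestamp = (PRTime)seconds * PR_USEC_PER_SEC;
        SECItem encTime;
        if (DER_EncodeTimeChoice(NULL, &encTime, distrustTimestamp) != SECSuccess) {
            fprintf(stderr, "%s: could not encode the timestamp.\n", progName);
            exit(1);
        }
        /* … unchanged: printing of the decoded date and the MULTILINE_OCTAL entries … */
        exit(0);
    }
```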
74 changes: 46 additions & 28 deletions cmd/lib/secutil.c
Expand Up @@ -1108,36 +1108,33 @@ typedef struct secuPBEParamsStr {
SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)

/* SECOID_PKCS5_PBKDF2 */
const SEC_ASN1Template secuKDF2Params[] =
{
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
{ SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
{ SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
{ SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ 0 }
};
const SEC_ASN1Template secuKDF2Params[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
{ SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
{ SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
{ SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ 0 }
};

/* PKCS5v1 & PKCS12 */
const SEC_ASN1Template secuPBEParamsTemp[] =
{
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
{ SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
{ SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
{ 0 }
};
const SEC_ASN1Template secuPBEParamsTemp[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
{ SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
{ SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
{ 0 }
};

/* SEC_OID_PKCS5_PBES2, SEC_OID_PKCS5_PBMAC1 */
const SEC_ASN1Template secuPBEV2Params[] =
{
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ 0 }
};
const SEC_ASN1Template secuPBEV2Params[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ 0 }
};

void
secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
Expand Down Expand Up @@ -2300,8 +2297,9 @@ SECU_PrintCertAttributes(FILE *out, CERTAttribute **attrs, char *m, int level)
return rv;
}

int /* sometimes a PRErrorCode, other times a SECStatus. Sigh. */
SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level)
/* sometimes a PRErrorCode, other times a SECStatus. Sigh. */
int
SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level)
{
PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
CERTCertificateRequest *cr;
Expand Down Expand Up @@ -3251,6 +3249,26 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
"Certificate Trust Flags", 1);
}

/* The distrust fields are hard-coded in nssckbi and read-only.
* If verifying some cert, with vfychain, for instance, the certificate may
* not have a defined slot if not imported. */
if (cert->slot != NULL && cert->distrust != NULL) {
const unsigned int kDistrustFieldSize = 13;
fprintf(stdout, "\n");
SECU_Indent(stdout, 1);
fprintf(stdout, "%s:\n", "Certificate Distrust Dates");
if (cert->distrust->serverDistrustAfter.len == kDistrustFieldSize) {
SECU_PrintTimeChoice(stdout,
&cert->distrust->serverDistrustAfter,
"Server Distrust After", 2);
}
if (cert->distrust->emailDistrustAfter.len == kDistrustFieldSize) {
SECU_PrintTimeChoice(stdout,
&cert->distrust->emailDistrustAfter,
"E-mail Distrust After", 2);
}
}

printf("\n");

return (SECSuccess);
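Review bot: `const unsigned int kDistrustFieldSize = 13;` in the new block of SEC_PrintCertificateAndTrust is a magic number; it appears to be the length of a UTCTime string (`YYMMDDHHMMSSZ`), which is what separates a real date from the one-byte CK_FALSE placeholder, but a reader cannot tell that from the code. Suggest a comment on that line such as `/* Length of a UTCTime "YYMMDDHHMMSSZ" string; the CK_BBOOL CK_FALSE placeholder (len 1) is skipped. */`, and consider reporting any other non-zero length instead of silently skipping it, since a GeneralizedTime or a malformed value would otherwise go unnoticed. The "Certificate Distrust Dates" heading is printed whenever `cert->slot` and `cert->distrust` are non-NULL, so if the distrust struct is also populated when both attributes hold the CK_FALSE placeholder, the heading appears with no entries under it; printing the heading only once a matching length is found would avoid that. SEC_PrintCertificateAndTrust begins outside the hunk.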
11 changes: 10 additions & 1 deletion gtests/softoken_gtest/manifest.mn
Expand Up @@ -6,13 +6,22 @@ CORE_DEPTH = ../..
DEPTH = ../..
MODULE = nss

DEFINES += -DDLL_SUFFIX=\"$(DLL_SUFFIX)\" -DDLL_PREFIX=\"$(DLL_PREFIX)\"

include $(CORE_DEPTH)/coreconf/arch.mk
ifneq ($(OS_ARCH),WINNT)
DB_TESTS = \
softoken_nssckbi_testlib_gtest.cc
endif

CPPSRCS = \
softoken_gtest.cc \
$(DB_TESTS) \
$(NULL)

INCLUDES += \
-I$(CORE_DEPTH)/gtests/google_test/gtest/include \
-I$(CORE_DEPTH)/gtests/common \
-I$(CORE_DEPTH)/gtests/common \
-I$(CORE_DEPTH)/cpputil \
$(NULL)

5 changes: 5 additions & 0 deletions gtests/softoken_gtest/softoken_gtest.gyp
Expand Up @@ -12,6 +12,7 @@
'type': 'executable',
'sources': [
'softoken_gtest.cc',
'softoken_nssckbi_testlib_gtest.cc',
],
'dependencies': [
'<(DEPTH)/exports.gyp:nss_exports',
Expand Down Expand Up @@ -44,6 +45,10 @@
'target_defaults': {
'include_dirs': [
'../../lib/util'
],
'defines': [
'DLL_PREFIX=\"<(dll_prefix)\"',
'DLL_SUFFIX=\"<(dll_suffix)\"'
]
},
'variables': {
