|
|
43f726 |
diff --git a/security/manager/locales/en-US/security/certificates/certManager.ftl b/security/manager/locales/en-US/security/certificates/certManager.ftl
|
|
|
43f726 |
--- a/security/manager/locales/en-US/security/certificates/certManager.ftl
|
|
|
43f726 |
+++ b/security/manager/locales/en-US/security/certificates/certManager.ftl
|
|
|
43f726 |
@@ -51,9 +51,6 @@ certmgr-cert-name =
|
|
|
43f726 |
certmgr-cert-server =
|
|
|
43f726 |
.label = Server
|
|
|
43f726 |
|
|
|
43f726 |
-certmgr-override-lifetime =
|
|
|
43f726 |
- .label = Lifetime
|
|
|
43f726 |
-
|
|
|
43f726 |
certmgr-token-name =
|
|
|
43f726 |
.label = Security Device
|
|
|
43f726 |
|
|
|
43f726 |
@@ -69,6 +66,9 @@ certmgr-email =
|
|
|
43f726 |
certmgr-serial =
|
|
|
43f726 |
.label = Serial Number
|
|
|
43f726 |
|
|
|
43f726 |
+certmgr-fingerprint-sha-256 =
|
|
|
43f726 |
+ .label = SHA-256 Fingerprint
|
|
|
43f726 |
+
|
|
|
43f726 |
certmgr-view =
|
|
|
43f726 |
.label = View…
|
|
|
43f726 |
.accesskey = V
|
|
|
43f726 |
diff --git a/security/manager/pki/resources/content/certManager.js b/security/manager/pki/resources/content/certManager.js
|
|
|
43f726 |
--- a/security/manager/pki/resources/content/certManager.js
|
|
|
43f726 |
+++ b/security/manager/pki/resources/content/certManager.js
|
|
|
43f726 |
@@ -64,22 +64,16 @@ var serverRichList = {
|
|
|
43f726 |
|
|
|
43f726 |
buildRichList() {
|
|
|
43f726 |
let overrides = overrideService.getOverrides().map(item => {
|
|
|
43f726 |
- let cert = null;
|
|
|
43f726 |
- if (item.dbKey !== "") {
|
|
|
43f726 |
- cert = certdb.findCertByDBKey(item.dbKey);
|
|
|
43f726 |
- }
|
|
|
43f726 |
return {
|
|
|
43f726 |
hostPort: item.hostPort,
|
|
|
43f726 |
- dbKey: item.dbKey,
|
|
|
43f726 |
asciiHost: item.asciiHost,
|
|
|
43f726 |
port: item.port,
|
|
|
43f726 |
originAttributes: item.originAttributes,
|
|
|
43f726 |
- isTemporary: item.isTemporary,
|
|
|
43f726 |
- displayName: cert !== null ? cert.displayName : "",
|
|
|
43f726 |
+ fingerprint: item.fingerprint,
|
|
|
43f726 |
};
|
|
|
43f726 |
});
|
|
|
43f726 |
overrides.sort((a, b) => {
|
|
|
43f726 |
- let criteria = ["hostPort", "displayName"];
|
|
|
43f726 |
+ let criteria = ["hostPort", "fingerprint"];
|
|
|
43f726 |
for (let c of criteria) {
|
|
|
43f726 |
let res = a[c].localeCompare(b[c]);
|
|
|
43f726 |
if (res !== 0) {
|
|
|
43f726 |
@@ -106,10 +100,10 @@ var serverRichList = {
|
|
|
43f726 |
_richBoxAddItem(item) {
|
|
|
43f726 |
let richlistitem = document.createXULElement("richlistitem");
|
|
|
43f726 |
|
|
|
43f726 |
- richlistitem.setAttribute("dbKey", item.dbKey);
|
|
|
43f726 |
richlistitem.setAttribute("host", item.asciiHost);
|
|
|
43f726 |
richlistitem.setAttribute("port", item.port);
|
|
|
43f726 |
richlistitem.setAttribute("hostPort", item.hostPort);
|
|
|
43f726 |
+ richlistitem.setAttribute("fingerprint", item.fingerprint);
|
|
|
43f726 |
richlistitem.setAttribute(
|
|
|
43f726 |
"originAttributes",
|
|
|
43f726 |
JSON.stringify(item.originAttributes)
|
|
|
43f726 |
@@ -120,18 +114,7 @@ var serverRichList = {
|
|
|
43f726 |
hbox.setAttribute("equalsize", "always");
|
|
|
43f726 |
|
|
|
43f726 |
hbox.appendChild(createRichlistItem({ raw: item.hostPort }));
|
|
|
43f726 |
- hbox.appendChild(
|
|
|
43f726 |
- createRichlistItem(
|
|
|
43f726 |
- item.displayName !== ""
|
|
|
43f726 |
- ? { raw: item.displayName }
|
|
|
43f726 |
- : { l10nid: "no-cert-stored-for-override" }
|
|
|
43f726 |
- )
|
|
|
43f726 |
- );
|
|
|
43f726 |
- hbox.appendChild(
|
|
|
43f726 |
- createRichlistItem({
|
|
|
43f726 |
- l10nid: item.isTemporary ? "temporary-override" : "permanent-override",
|
|
|
43f726 |
- })
|
|
|
43f726 |
- );
|
|
|
43f726 |
+ hbox.appendChild(createRichlistItem({ raw: item.fingerprint }));
|
|
|
43f726 |
|
|
|
43f726 |
richlistitem.appendChild(hbox);
|
|
|
43f726 |
|
|
|
43f726 |
@@ -170,32 +153,6 @@ var serverRichList = {
|
|
|
43f726 |
}
|
|
|
43f726 |
},
|
|
|
43f726 |
|
|
|
43f726 |
- viewSelectedRichListItem() {
|
|
|
43f726 |
- let selectedItem = this.richlist.selectedItem;
|
|
|
43f726 |
- if (!selectedItem) {
|
|
|
43f726 |
- return;
|
|
|
43f726 |
- }
|
|
|
43f726 |
-
|
|
|
43f726 |
- let dbKey = selectedItem.getAttribute("dbKey");
|
|
|
43f726 |
- if (dbKey) {
|
|
|
43f726 |
- let cert = certdb.findCertByDBKey(dbKey);
|
|
|
43f726 |
- viewCertHelper(window, cert);
|
|
|
43f726 |
- }
|
|
|
43f726 |
- },
|
|
|
43f726 |
-
|
|
|
43f726 |
- exportSelectedRichListItem() {
|
|
|
43f726 |
- let selectedItem = this.richlist.selectedItem;
|
|
|
43f726 |
- if (!selectedItem) {
|
|
|
43f726 |
- return;
|
|
|
43f726 |
- }
|
|
|
43f726 |
-
|
|
|
43f726 |
- let dbKey = selectedItem.getAttribute("dbKey");
|
|
|
43f726 |
- if (dbKey) {
|
|
|
43f726 |
- let cert = certdb.findCertByDBKey(dbKey);
|
|
|
43f726 |
- exportToFile(window, cert);
|
|
|
43f726 |
- }
|
|
|
43f726 |
- },
|
|
|
43f726 |
-
|
|
|
43f726 |
addException() {
|
|
|
43f726 |
let retval = {
|
|
|
43f726 |
exceptionAdded: false,
|
|
|
43f726 |
@@ -212,16 +169,8 @@ var serverRichList = {
|
|
|
43f726 |
},
|
|
|
43f726 |
|
|
|
43f726 |
_setButtonState() {
|
|
|
43f726 |
- let websiteViewButton = document.getElementById("websites_viewButton");
|
|
|
43f726 |
- let websiteExportButton = document.getElementById("websites_exportButton");
|
|
|
43f726 |
let websiteDeleteButton = document.getElementById("websites_deleteButton");
|
|
|
43f726 |
-
|
|
|
43f726 |
- let certKey = this.richlist.selectedItem?.getAttribute("dbKey");
|
|
|
43f726 |
- let cert = certKey && certdb.findCertByDBKey(certKey);
|
|
|
43f726 |
-
|
|
|
43f726 |
websiteDeleteButton.disabled = this.richlist.selectedIndex < 0;
|
|
|
43f726 |
- websiteExportButton.disabled = !cert;
|
|
|
43f726 |
- websiteViewButton.disabled = websiteExportButton.disabled;
|
|
|
43f726 |
},
|
|
|
43f726 |
};
|
|
|
43f726 |
/**
|
|
|
43f726 |
diff --git a/security/manager/pki/resources/content/certManager.xhtml b/security/manager/pki/resources/content/certManager.xhtml
|
|
|
43f726 |
--- a/security/manager/pki/resources/content/certManager.xhtml
|
|
|
43f726 |
+++ b/security/manager/pki/resources/content/certManager.xhtml
|
|
|
43f726 |
@@ -157,18 +157,13 @@
|
|
|
43f726 |
|
|
|
43f726 |
<listheader equalsize="always">
|
|
|
43f726 |
<treecol id="sitecol" data-l10n-id="certmgr-cert-server" primary="true" flex="1"/>
|
|
|
43f726 |
- <treecol id="certcol" data-l10n-id="certmgr-cert-name" flex="1"/>
|
|
|
43f726 |
- <treecol id="lifetimecol" data-l10n-id="certmgr-override-lifetime" flex="1"/>
|
|
|
43f726 |
+ <treecol id="sha256col" data-l10n-id="certmgr-fingerprint-sha-256" flex="1"/>
|
|
|
43f726 |
</listheader>
|
|
|
43f726 |
<richlistbox ondblclick="serverRichList.viewSelectedRichListItem();" class="certManagerRichlistBox" id="serverList" flex="1" selected="false"/>
|
|
|
43f726 |
|
|
|
43f726 |
<separator class="thin"/>
|
|
|
43f726 |
|
|
|
43f726 |
<hbox>
|
|
|
43f726 |
-
|
|
|
43f726 |
- data-l10n-id="certmgr-view" oncommand="serverRichList.viewSelectedRichListItem();"/>
|
|
|
43f726 |
-
|
|
|
43f726 |
- data-l10n-id="certmgr-export" oncommand="serverRichList.exportSelectedRichListItem();"/>
|
|
|
43f726 |
|
|
|
43f726 |
data-l10n-id="certmgr-delete" oncommand="serverRichList.deleteSelectedRichListItem();"/>
|
|
|
43f726 |
|
|
|
43f726 |
diff --git a/security/manager/ssl/nsCertOverrideService.cpp b/security/manager/ssl/nsCertOverrideService.cpp
|
|
|
43f726 |
--- a/security/manager/ssl/nsCertOverrideService.cpp
|
|
|
43f726 |
+++ b/security/manager/ssl/nsCertOverrideService.cpp
|
|
|
43f726 |
@@ -106,8 +106,8 @@ nsCertOverride::GetAsciiHost(/*out*/ nsA
|
|
|
43f726 |
}
|
|
|
43f726 |
|
|
|
43f726 |
NS_IMETHODIMP
|
|
|
43f726 |
-nsCertOverride::GetDbKey(/*out*/ nsACString& aDBKey) {
|
|
|
43f726 |
- aDBKey = mDBKey;
|
|
|
43f726 |
+nsCertOverride::GetFingerprint(/*out*/ nsACString& aFingerprint) {
|
|
|
43f726 |
+ aFingerprint = mFingerprint;
|
|
|
43f726 |
return NS_OK;
|
|
|
43f726 |
}
|
|
|
43f726 |
|
|
|
43f726 |
@@ -118,12 +118,6 @@ nsCertOverride::GetPort(/*out*/ int32_t*
|
|
|
43f726 |
}
|
|
|
43f726 |
|
|
|
43f726 |
NS_IMETHODIMP
|
|
|
43f726 |
-nsCertOverride::GetIsTemporary(/*out*/ bool* aIsTemporary) {
|
|
|
43f726 |
- *aIsTemporary = mIsTemporary;
|
|
|
43f726 |
- return NS_OK;
|
|
|
43f726 |
-}
|
|
|
43f726 |
-
|
|
|
43f726 |
-NS_IMETHODIMP
|
|
|
43f726 |
nsCertOverride::GetHostPort(/*out*/ nsACString& aHostPort) {
|
|
|
43f726 |
nsCertOverrideService::GetHostWithPort(mAsciiHost, mPort, aHostPort);
|
|
|
43f726 |
return NS_OK;
|
|
|
43f726 |
@@ -274,7 +268,6 @@ void nsCertOverrideService::RemoveAllTem
|
|
|
43f726 |
for (auto iter = mSettingsTable.Iter(); !iter.Done(); iter.Next()) {
|
|
|
43f726 |
nsCertOverrideEntry* entry = iter.Get();
|
|
|
43f726 |
if (entry->mSettings->mIsTemporary) {
|
|
|
43f726 |
- entry->mSettings->mCert = nullptr;
|
|
|
43f726 |
iter.Remove();
|
|
|
43f726 |
}
|
|
|
43f726 |
}
|
|
|
43f726 |
@@ -297,18 +297,11 @@
|
|
|
43f726 |
nsAutoCString buffer;
|
|
|
43f726 |
bool isMore = true;
|
|
|
43f726 |
|
|
|
43f726 |
- /* file format is:
|
|
|
43f726 |
- *
|
|
|
43f726 |
- * host:port:originattributes \t fingerprint-algorithm \t fingerprint \t
|
|
|
43f726 |
- * override-mask \t dbKey
|
|
|
43f726 |
- *
|
|
|
43f726 |
- * where override-mask is a sequence of characters,
|
|
|
43f726 |
- * M meaning hostname-Mismatch-override
|
|
|
43f726 |
- * U meaning Untrusted-override
|
|
|
43f726 |
- * T meaning Time-error-override (expired/not yet valid)
|
|
|
43f726 |
- *
|
|
|
43f726 |
- * if this format isn't respected we move onto the next line in the file.
|
|
|
43f726 |
- */
|
|
|
43f726 |
+ // Each line is of the form:
|
|
|
43f726 |
+ // host:port:originAttributes \t sSHA256OIDString \t fingerprint \t
|
|
|
43f726 |
+ // There may be some "bits" identifiers and "dbKey" after the `fingerprint`
|
|
|
43f726 |
+ // field in 'fingerprint \t \t dbKey' format, but these are now ignored.
|
|
|
43f726 |
+ // Lines that don't match this form are silently dropped.
|
|
|
43f726 |
|
|
|
43f726 |
while (isMore && NS_SUCCEEDED(lineInputStream->ReadLine(buffer, &isMore))) {
|
|
|
43f726 |
if (buffer.IsEmpty() || buffer.First() == '#') {
|
|
|
43f726 |
@@ -350,23 +343,10 @@
|
|
|
43f726 |
fingerprint.Length() == 0) {
|
|
|
43f726 |
continue;
|
|
|
43f726 |
}
|
|
|
43f726 |
- nsDependentCSubstring bitsString;
|
|
|
43f726 |
- if (!parser.ReadUntil(Tokenizer::Token::Whitespace(), bitsString) ||
|
|
|
43f726 |
- bitsString.Length() == 0) {
|
|
|
43f726 |
- continue;
|
|
|
43f726 |
- }
|
|
|
43f726 |
- nsDependentCSubstring dbKey;
|
|
|
43f726 |
- if (!parser.ReadUntil(Tokenizer::Token::EndOfFile(), dbKey) ||
|
|
|
43f726 |
- dbKey.Length() == 0) {
|
|
|
43f726 |
- continue;
|
|
|
43f726 |
- }
|
|
|
43f726 |
- nsCertOverride::OverrideBits bits;
|
|
|
43f726 |
- nsCertOverride::convertStringToBits(bitsString, bits);
|
|
|
43f726 |
|
|
|
43f726 |
AddEntryToList(host, port, attributes,
|
|
|
43f726 |
- nullptr, // don't have the cert
|
|
|
43f726 |
- false, // not temporary
|
|
|
43f726 |
- fingerprint, bits, dbKey, aProofOfLock);
|
|
|
43f726 |
+ false, // not temporary
|
|
|
43f726 |
+ fingerprint, aProofOfLock);
|
|
|
43f726 |
}
|
|
|
43f726 |
|
|
|
43f726 |
return NS_OK;
|
|
|
43f726 |
@@ -412,9 +392,8 @@
|
|
|
43f726 |
output.Append(kTab);
|
|
|
43f726 |
output.Append(settings->mFingerprint);
|
|
|
43f726 |
output.Append(kTab);
|
|
|
43f726 |
- output.Append(bitsString);
|
|
|
43f726 |
- output.Append(kTab);
|
|
|
43f726 |
- output.Append(settings->mDBKey);
|
|
|
43f726 |
+ // the "bits" string used to go here, but it no longer exists
|
|
|
43f726 |
+ // the "\t dbKey" string used to go here, but it no longer exists
|
|
|
43f726 |
output.Append(NS_LINEBREAK);
|
|
|
43f726 |
}
|
|
|
43f726 |
|
|
|
43f726 |
@@ -462,42 +441,16 @@
|
|
|
43f726 |
return NS_ERROR_FAILURE;
|
|
|
43f726 |
}
|
|
|
43f726 |
|
|
|
43f726 |
- nsAutoCString nickname;
|
|
|
43f726 |
- nsresult rv = DefaultServerNicknameForCert(nsscert.get(), nickname);
|
|
|
43f726 |
- if (!aTemporary && NS_SUCCEEDED(rv)) {
|
|
|
43f726 |
- UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
|
|
|
43f726 |
- if (!slot) {
|
|
|
43f726 |
- return NS_ERROR_FAILURE;
|
|
|
43f726 |
- }
|
|
|
43f726 |
-
|
|
|
43f726 |
- // This can fail (for example, if we're in read-only mode). Luckily, we
|
|
|
43f726 |
- // don't even need it to succeed - we always match on the stored hash of the
|
|
|
43f726 |
- // certificate rather than the full certificate. It makes the display a bit
|
|
|
43f726 |
- // less informative (since we won't have a certificate to display), but it's
|
|
|
43f726 |
- // better than failing the entire operation.
|
|
|
43f726 |
- Unused << PK11_ImportCert(slot.get(), nsscert.get(), CK_INVALID_HANDLE,
|
|
|
43f726 |
- nickname.get(), false);
|
|
|
43f726 |
- }
|
|
|
43f726 |
-
|
|
|
43f726 |
nsAutoCString fpStr;
|
|
|
43f726 |
- rv = GetCertSha256Fingerprint(aCert, fpStr);
|
|
|
43f726 |
- if (NS_FAILED(rv)) {
|
|
|
43f726 |
- return rv;
|
|
|
43f726 |
- }
|
|
|
43f726 |
-
|
|
|
43f726 |
- nsAutoCString dbkey;
|
|
|
43f726 |
- rv = aCert->GetDbKey(dbkey);
|
|
|
43f726 |
+ nsresult rv = GetCertSha256Fingerprint(aCert, fpStr);
|
|
|
43f726 |
if (NS_FAILED(rv)) {
|
|
|
43f726 |
return rv;
|
|
|
43f726 |
}
|
|
|
43f726 |
|
|
|
43f726 |
{
|
|
|
43f726 |
MutexAutoLock lock(mMutex);
|
|
|
43f726 |
- AddEntryToList(aHostName, aPort, aOriginAttributes,
|
|
|
43f726 |
- aTemporary ? aCert : nullptr,
|
|
|
43f726 |
- // keep a reference to the cert for temporary overrides
|
|
|
43f726 |
- aTemporary, fpStr,
|
|
|
43f726 |
- (nsCertOverride::OverrideBits)aOverrideBits, dbkey, lock);
|
|
|
43f726 |
+ AddEntryToList(aHostName, aPort, aOriginAttributes, aTemporary, fpStr,
|
|
|
43f726 |
+ lock);
|
|
|
43f726 |
if (!aTemporary) {
|
|
|
43f726 |
Write(lock);
|
|
|
43f726 |
}
|
|
|
43f726 |
@@ -532,10 +485,8 @@
|
|
|
43f726 |
|
|
|
43f726 |
MutexAutoLock lock(mMutex);
|
|
|
43f726 |
AddEntryToList(aHostName, aPort, aOriginAttributes,
|
|
|
43f726 |
- nullptr, // No cert to keep alive
|
|
|
43f726 |
true, // temporary
|
|
|
43f726 |
- aCertFingerprint, (nsCertOverride::OverrideBits)aOverrideBits,
|
|
|
43f726 |
- ""_ns, // dbkey
|
|
|
43f726 |
+ aCertFingerprint,
|
|
|
43f726 |
lock);
|
|
|
43f726 |
|
|
|
43f726 |
return NS_OK;
|
|
|
43f726 |
@@ -632,10 +583,8 @@
|
|
|
43f726 |
|
|
|
43f726 |
nsresult nsCertOverrideService::AddEntryToList(
|
|
|
43f726 |
const nsACString& aHostName, int32_t aPort,
|
|
|
43f726 |
- const OriginAttributes& aOriginAttributes, nsIX509Cert* aCert,
|
|
|
43f726 |
- const bool aIsTemporary, const nsACString& fingerprint,
|
|
|
43f726 |
- nsCertOverride::OverrideBits ob, const nsACString& dbKey,
|
|
|
43f726 |
- const MutexAutoLock& aProofOfLock) {
|
|
|
43f726 |
+ const OriginAttributes& aOriginAttributes, const bool aIsTemporary,
|
|
|
43f726 |
+ const nsACString& fingerprint, const MutexAutoLock& aProofOfLock) {
|
|
|
43f726 |
mMutex.AssertCurrentThreadOwns();
|
|
|
43f726 |
nsAutoCString keyString;
|
|
|
43f726 |
GetKeyString(aHostName, aPort, aOriginAttributes, keyString);
|
|
|
43f726 |
@@ -656,11 +605,6 @@
|
|
|
43f726 |
settings->mOriginAttributes = aOriginAttributes;
|
|
|
43f726 |
settings->mIsTemporary = aIsTemporary;
|
|
|
43f726 |
settings->mFingerprint = fingerprint;
|
|
|
43f726 |
- settings->mOverrideBits = ob;
|
|
|
43f726 |
- settings->mDBKey = dbKey;
|
|
|
43f726 |
- // remove whitespace from stored dbKey for backwards compatibility
|
|
|
43f726 |
- settings->mDBKey.StripWhitespace();
|
|
|
43f726 |
- settings->mCert = aCert;
|
|
|
43f726 |
entry->mSettings = settings;
|
|
|
43f726 |
|
|
|
43f726 |
return NS_OK;
|
|
|
43f726 |
diff --git a/security/manager/ssl/nsCertOverrideService.h b/security/manager/ssl/nsCertOverrideService.h
|
|
|
43f726 |
--- a/security/manager/ssl/nsCertOverrideService.h
|
|
|
43f726 |
+++ b/security/manager/ssl/nsCertOverrideService.h
|
|
|
43f726 |
@@ -43,8 +43,6 @@
|
|
|
43f726 |
bool mIsTemporary; // true: session only, false: stored on disk
|
|
|
43f726 |
nsCString mFingerprint;
|
|
|
43f726 |
OverrideBits mOverrideBits;
|
|
|
43f726 |
- nsCString mDBKey;
|
|
|
43f726 |
- nsCOMPtr<nsIX509Cert> mCert;
|
|
|
43f726 |
|
|
|
43f726 |
static void convertBitsToString(OverrideBits ob, nsACString& str);
|
|
|
43f726 |
static void convertStringToBits(const nsACString& str, OverrideBits& ob);
|
|
|
43f726 |
@@ -145,10 +143,8 @@
|
|
|
43f726 |
nsresult Write(const mozilla::MutexAutoLock& aProofOfLock);
|
|
|
43f726 |
nsresult AddEntryToList(const nsACString& host, int32_t port,
|
|
|
43f726 |
const OriginAttributes& aOriginAttributes,
|
|
|
43f726 |
- nsIX509Cert* aCert, const bool aIsTemporary,
|
|
|
43f726 |
+ const bool aIsTemporary,
|
|
|
43f726 |
const nsACString& fingerprint,
|
|
|
43f726 |
- nsCertOverride::OverrideBits ob,
|
|
|
43f726 |
- const nsACString& dbKey,
|
|
|
43f726 |
const mozilla::MutexAutoLock& aProofOfLock);
|
|
|
43f726 |
|
|
|
43f726 |
// Set in constructor only
|
|
|
43f726 |
diff --git a/security/manager/ssl/SSLServerCertVerification.cpp b/security/manager/ssl/SSLServerCertVerification.cpp
|
|
|
43f726 |
--- a/security/manager/ssl/SSLServerCertVerification.cpp
|
|
|
43f726 |
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
|
|
|
43f726 |
@@ -791,8 +791,8 @@
|
|
|
43f726 |
aHostName, aPort, aOriginAttributes, aCert, &overrideBits,
|
|
|
43f726 |
&isTemporaryOverride, &haveOverride);
|
|
|
43f726 |
if (NS_SUCCEEDED(rv) && haveOverride) {
|
|
|
43f726 |
- // remove the errors that are already overriden
|
|
|
43f726 |
- remainingDisplayErrors &= ~overrideBits;
|
|
|
43f726 |
+ // remove all the errors
|
|
|
43f726 |
+ remainingDisplayErrors = 0;
|
|
|
43f726 |
}
|
|
|
43f726 |
}
|
|
|
43f726 |
|
|
|
43f726 |
diff --git a/security/manager/ssl/nsICertOverrideService.idl b/security/manager/ssl/nsICertOverrideService.idl
|
|
|
43f726 |
--- a/security/manager/ssl/nsICertOverrideService.idl
|
|
|
43f726 |
+++ b/security/manager/ssl/nsICertOverrideService.idl
|
|
|
43f726 |
@@ -33,17 +33,6 @@ interface nsICertOverride : nsISupports
|
|
|
43f726 |
readonly attribute int32_t port;
|
|
|
43f726 |
|
|
|
43f726 |
/**
|
|
|
43f726 |
- * Whether or not the override is only used for this
|
|
|
43f726 |
- * session (true) or stored persistently (false)
|
|
|
43f726 |
- */
|
|
|
43f726 |
- readonly attribute boolean isTemporary;
|
|
|
43f726 |
-
|
|
|
43f726 |
- /**
|
|
|
43f726 |
- * The database key for the associated certificate.
|
|
|
43f726 |
- */
|
|
|
43f726 |
- readonly attribute ACString dbKey;
|
|
|
43f726 |
-
|
|
|
43f726 |
- /**
|
|
|
43f726 |
* A combination of hostname and port in the form host:port.
|
|
|
43f726 |
* Since the port can be -1 which is equivalent to port 433 we use an
|
|
|
43f726 |
* existing function of nsCertOverrideService to create this property.
|
|
|
43f726 |
@@ -51,6 +40,11 @@ interface nsICertOverride : nsISupports
|
|
|
43f726 |
readonly attribute ACString hostPort;
|
|
|
43f726 |
|
|
|
43f726 |
/**
|
|
|
43f726 |
+ * The fingerprint for the associated certificate.
|
|
|
43f726 |
+ */
|
|
|
43f726 |
+ readonly attribute ACString fingerprint;
|
|
|
43f726 |
+
|
|
|
43f726 |
+ /**
|
|
|
43f726 |
* The origin attributes associated with this override.
|
|
|
43f726 |
*/
|
|
|
43f726 |
[implicit_jscontext]
|
|
|
43f726 |
diff --git a/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js b/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js
|
|
|
43f726 |
--- a/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js
|
|
|
43f726 |
+++ b/security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js
|
|
|
43f726 |
@@ -27,9 +27,7 @@ async function checkServerCertificates(w
|
|
|
43f726 |
|
|
|
43f726 |
expectedValues.forEach((item, i) => {
|
|
|
43f726 |
let hostPort = labels[i * 3].value;
|
|
|
43f726 |
- let certString = labels[i * 3 + 1].value || labels[i * 3 + 1].textContent;
|
|
|
43f726 |
- let isTemporaryString =
|
|
|
43f726 |
- labels[i * 3 + 2].value || labels[i * 3 + 2].textContent;
|
|
|
43f726 |
+ let fingerprint = labels[i * 3 + 1].value || labels[i * 3 + 1].textContent;
|
|
|
43f726 |
|
|
|
43f726 |
Assert.equal(
|
|
|
43f726 |
hostPort,
|
|
|
43f726 |
@@ -38,15 +36,9 @@ async function checkServerCertificates(w
|
|
|
43f726 |
);
|
|
|
43f726 |
|
|
|
43f726 |
Assert.equal(
|
|
|
43f726 |
- certString,
|
|
|
43f726 |
- item.certName,
|
|
|
43f726 |
- `Expected override to have field ${item.certName}`
|
|
|
43f726 |
- );
|
|
|
43f726 |
-
|
|
|
43f726 |
- Assert.equal(
|
|
|
43f726 |
- isTemporaryString,
|
|
|
43f726 |
- item.isTemporary ? "Temporary" : "Permanent",
|
|
|
43f726 |
- `Expected override to be ${item.isTemporary ? "Temporary" : "Permanent"}`
|
|
|
43f726 |
+ fingerprint,
|
|
|
43f726 |
+ item.fingerprint,
|
|
|
43f726 |
+ `Expected override to have field ${item.fingerprint}`
|
|
|
43f726 |
);
|
|
|
43f726 |
});
|
|
|
43f726 |
}
|
|
|
43f726 |
@@ -73,41 +73,6 @@
|
|
|
43f726 |
);
|
|
|
43f726 |
}
|
|
|
43f726 |
|
|
|
43f726 |
-async function testViewButton(win) {
|
|
|
43f726 |
- win.document.getElementById("serverList").selectedIndex = 1;
|
|
|
43f726 |
-
|
|
|
43f726 |
- Assert.ok(
|
|
|
43f726 |
- win.document.getElementById("websites_viewButton").disabled,
|
|
|
43f726 |
- "View button should be disabled for override without cert"
|
|
|
43f726 |
- );
|
|
|
43f726 |
-
|
|
|
43f726 |
- win.document.getElementById("serverList").selectedIndex = 0;
|
|
|
43f726 |
-
|
|
|
43f726 |
- Assert.ok(
|
|
|
43f726 |
- !win.document.getElementById("websites_viewButton").disabled,
|
|
|
43f726 |
- "View button should be enabled for override with cert"
|
|
|
43f726 |
- );
|
|
|
43f726 |
-
|
|
|
43f726 |
- let loaded = BrowserTestUtils.waitForNewTab(gBrowser, null, true);
|
|
|
43f726 |
-
|
|
|
43f726 |
- win.document.getElementById("websites_viewButton").click();
|
|
|
43f726 |
-
|
|
|
43f726 |
- let newTab = await loaded;
|
|
|
43f726 |
- let spec = newTab.linkedBrowser.documentURI.spec;
|
|
|
43f726 |
-
|
|
|
43f726 |
- Assert.ok(
|
|
|
43f726 |
- spec.startsWith("about:certificate"),
|
|
|
43f726 |
- "about:certificate should habe been opened"
|
|
|
43f726 |
- );
|
|
|
43f726 |
-
|
|
|
43f726 |
- let newUrl = new URL(spec);
|
|
|
43f726 |
- let certEncoded = newUrl.searchParams.get("cert");
|
|
|
43f726 |
- let certDecoded = decodeURIComponent(certEncoded);
|
|
|
43f726 |
- Assert.ok(certDecoded, "should have some certificate as cert url param");
|
|
|
43f726 |
-
|
|
|
43f726 |
- gBrowser.removeCurrentTab();
|
|
|
43f726 |
-}
|
|
|
43f726 |
-
|
|
|
43f726 |
add_task(async function test_cert_manager_server_tab() {
|
|
|
43f726 |
let win = await openCertManager();
|
|
|
43f726 |
|
|
|
43f726 |
@@ -134,48 +99,13 @@
|
|
|
43f726 |
await checkServerCertificates(win, [
|
|
|
43f726 |
{
|
|
|
43f726 |
hostPort: "example.com:443",
|
|
|
43f726 |
- certName: "md5-ee",
|
|
|
43f726 |
- isTemporary: false,
|
|
|
43f726 |
- },
|
|
|
43f726 |
- ]);
|
|
|
43f726 |
-
|
|
|
43f726 |
- win.document.getElementById("certmanager").acceptDialog();
|
|
|
43f726 |
- await BrowserTestUtils.windowClosed(win);
|
|
|
43f726 |
-
|
|
|
43f726 |
- certOverrideService.rememberTemporaryValidityOverrideUsingFingerprint(
|
|
|
43f726 |
- "example.com",
|
|
|
43f726 |
- 9999,
|
|
|
43f726 |
- {},
|
|
|
43f726 |
- "40:20:3E:57:FB:82:95:0D:3F:62:D7:04:39:F6:32:CC:B2:2F:70:9F:3E:66:C5:35:64:6E:49:2A:F1:02:75:9F",
|
|
|
43f726 |
- Ci.nsICertOverrideService.ERROR_UNTRUSTED
|
|
|
43f726 |
- );
|
|
|
43f726 |
-
|
|
|
43f726 |
- win = await openCertManager();
|
|
|
43f726 |
-
|
|
|
43f726 |
- await checkServerCertificates(win, [
|
|
|
43f726 |
- {
|
|
|
43f726 |
- hostPort: "example.com:443",
|
|
|
43f726 |
- certName: "md5-ee",
|
|
|
43f726 |
- isTemporary: false,
|
|
|
43f726 |
- },
|
|
|
43f726 |
- {
|
|
|
43f726 |
- hostPort: "example.com:9999",
|
|
|
43f726 |
- certName: "(Not Stored)",
|
|
|
43f726 |
- isTemporary: true,
|
|
|
43f726 |
+ fingerprint: cert.sha256Fingerprint,
|
|
|
43f726 |
},
|
|
|
43f726 |
]);
|
|
|
43f726 |
|
|
|
43f726 |
- await testViewButton(win);
|
|
|
43f726 |
-
|
|
|
43f726 |
- await deleteOverride(win, 2);
|
|
|
43f726 |
+ await deleteOverride(win, 1);
|
|
|
43f726 |
|
|
|
43f726 |
- await checkServerCertificates(win, [
|
|
|
43f726 |
- {
|
|
|
43f726 |
- hostPort: "example.com:9999",
|
|
|
43f726 |
- certName: "(Not Stored)",
|
|
|
43f726 |
- isTemporary: true,
|
|
|
43f726 |
- },
|
|
|
43f726 |
- ]);
|
|
|
43f726 |
+ await checkServerCertificates(win, []);
|
|
|
43f726 |
|
|
|
43f726 |
win.document.getElementById("certmanager").acceptDialog();
|
|
|
43f726 |
await BrowserTestUtils.windowClosed(win);
|
|
|
43f726 |
diff --git a/security/manager/ssl/tests/unit/test_cert_override_read.js b/security/manager/ssl/tests/unit/test_cert_override_read.js
|
|
|
43f726 |
--- a/security/manager/ssl/tests/unit/test_cert_override_read.js
|
|
|
43f726 |
+++ b/security/manager/ssl/tests/unit/test_cert_override_read.js
|
|
|
43f726 |
@@ -11,19 +11,16 @@ function run_test() {
|
|
|
43f726 |
let cert1 = {
|
|
|
43f726 |
sha256Fingerprint:
|
|
|
43f726 |
"E9:3A:91:F6:15:11:FB:DD:02:76:DD:45:8C:4B:F4:9B:D1:14:13:91:2E:96:4B:EC:D2:4F:90:D5:F4:BB:29:5C",
|
|
|
43f726 |
- dbKey: "This isn't relevant for this test.",
|
|
|
43f726 |
};
|
|
|
43f726 |
// bad_certs/selfsigned.pem
|
|
|
43f726 |
let cert2 = {
|
|
|
43f726 |
sha256Fingerprint:
|
|
|
43f726 |
"51:BC:41:90:C1:FD:6E:73:18:19:B0:60:08:DD:A3:3D:59:B2:5B:FB:D0:3D:DD:89:19:A5:BB:C6:2B:5A:72:A7",
|
|
|
43f726 |
- dbKey: "This isn't relevant for this test.",
|
|
|
43f726 |
};
|
|
|
43f726 |
// bad_certs/noValidNames.pem
|
|
|
43f726 |
let cert3 = {
|
|
|
43f726 |
sha256Fingerprint:
|
|
|
43f726 |
"C3:A3:61:02:CA:64:CC:EC:45:1D:24:B6:A0:69:DB:DB:F0:D8:58:76:FC:50:36:52:5A:E8:40:4C:55:72:08:F4",
|
|
|
43f726 |
- dbKey: "This isn't relevant for this test.",
|
|
|
43f726 |
};
|
|
|
43f726 |
|
|
|
43f726 |
let profileDir = do_get_profile();
|
|
|
43f726 |
@@ -35,58 +35,42 @@
|
|
|
43f726 |
"# This is a generated file! Do not edit.",
|
|
|
43f726 |
"test.example.com:443:^privateBrowsingId=1\tOID.2.16.840.1.101.3.4.2.1\t" +
|
|
|
43f726 |
cert1.sha256Fingerprint +
|
|
|
43f726 |
- "\tM\t" +
|
|
|
43f726 |
- cert1.dbKey,
|
|
|
43f726 |
+ "\t",
|
|
|
43f726 |
"test.example.com:443:^privateBrowsingId=2\tOID.2.16.840.1.101.3.4.2.1\t" +
|
|
|
43f726 |
cert1.sha256Fingerprint +
|
|
|
43f726 |
+ "\t",
|
|
|
43f726 |
+ "test.example.com:443:^privateBrowsingId=3\tOID.2.16.840.1.101.3.4.2.1\t" + // includes bits and dbKey (now obsolete)
|
|
|
43f726 |
+ cert1.sha256Fingerprint +
|
|
|
43f726 |
"\tM\t" +
|
|
|
43f726 |
- cert1.dbKey,
|
|
|
43f726 |
+ "AAAAAAAAAAAAAAACAAAAFjA5MBQxEjAQBgNVBAMMCWxvY2FsaG9zdA==",
|
|
|
43f726 |
"example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" +
|
|
|
43f726 |
cert2.sha256Fingerprint +
|
|
|
43f726 |
- "\tU\t" +
|
|
|
43f726 |
- cert2.dbKey,
|
|
|
43f726 |
+ "\t",
|
|
|
43f726 |
"[::1]:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // IPv6
|
|
|
43f726 |
cert2.sha256Fingerprint +
|
|
|
43f726 |
- "\tM\t" +
|
|
|
43f726 |
- cert2.dbKey,
|
|
|
43f726 |
+ "\t",
|
|
|
43f726 |
"old.example.com:443\tOID.2.16.840.1.101.3.4.2.1\t" + // missing attributes (defaulted)
|
|
|
43f726 |
cert1.sha256Fingerprint +
|
|
|
43f726 |
- "\tM\t" +
|
|
|
43f726 |
- cert1.dbKey,
|
|
|
43f726 |
+ "\t",
|
|
|
43f726 |
":443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing host name
|
|
|
43f726 |
cert3.sha256Fingerprint +
|
|
|
43f726 |
- "\tU\t" +
|
|
|
43f726 |
- cert3.dbKey,
|
|
|
43f726 |
+ "\t",
|
|
|
43f726 |
"example.com::\tOID.2.16.840.1.101.3.4.2.1\t" + // missing port
|
|
|
43f726 |
cert3.sha256Fingerprint +
|
|
|
43f726 |
- "\tU\t" +
|
|
|
43f726 |
- cert3.dbKey,
|
|
|
43f726 |
- "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // wrong fingerprint/dbkey
|
|
|
43f726 |
+ "\t",
|
|
|
43f726 |
+ "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // wrong fingerprint
|
|
|
43f726 |
cert2.sha256Fingerprint +
|
|
|
43f726 |
- "\tU\t" +
|
|
|
43f726 |
- cert3.dbKey,
|
|
|
43f726 |
+ "\t",
|
|
|
43f726 |
"example.com:443:\tOID.0.00.000.0.000.0.0.0.0\t" + // bad OID
|
|
|
43f726 |
cert3.sha256Fingerprint +
|
|
|
43f726 |
- "\tU\t" +
|
|
|
43f726 |
- cert3.dbKey,
|
|
|
43f726 |
+ "\t",
|
|
|
43f726 |
"example.com:443:\t.0.0.0.0\t" + // malformed OID
|
|
|
43f726 |
cert3.sha256Fingerprint +
|
|
|
43f726 |
- "\tU\t" +
|
|
|
43f726 |
- cert3.dbKey,
|
|
|
43f726 |
+ "\t",
|
|
|
43f726 |
"example.com:443:\t\t" + // missing OID
|
|
|
43f726 |
cert3.sha256Fingerprint +
|
|
|
43f726 |
- "\tU\t" +
|
|
|
43f726 |
- cert3.dbKey,
|
|
|
43f726 |
- "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing fingerprint
|
|
|
43f726 |
- "\tU\t" +
|
|
|
43f726 |
- cert3.dbKey,
|
|
|
43f726 |
- "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing override bits
|
|
|
43f726 |
- cert3.sha256Fingerprint +
|
|
|
43f726 |
- "\t\t" +
|
|
|
43f726 |
- cert3.dbKey,
|
|
|
43f726 |
- "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing dbkey
|
|
|
43f726 |
- cert3.sha256Fingerprint +
|
|
|
43f726 |
- "\tU\t",
|
|
|
43f726 |
+ "\t",
|
|
|
43f726 |
+ "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t", // missing fingerprint
|
|
|
43f726 |
];
|
|
|
43f726 |
writeLinesAndClose(lines, outputStream);
|
|
|
43f726 |
let overrideService = Cc["@mozilla.org/security/certoverride;1"].getService(
|