Closed Bug 1313491 Opened 8 years ago Closed 8 years ago

shift-refresh on a site with an EV certificate removes EV status

Categories

(Core :: Security: PSM, defect, P1)

Product:
Core
Component:
Security: PSM
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla52
Tracking Flags:
Tracking Status
firefox52 --- fixed

People

(Reporter: keeler, Assigned: keeler)

References

Details

(Whiteboard: [psm-assigned])

Attachments

(2 files)

bug 1313491 - include more context when determining EV status
58 bytes, text/x-review-board-request
Cykesiopka
: review+
jcj
: review+
mgoodwin
: review+
Details
bug 1313491 - add basic tests that PSM sets the right security state during session resumption
58 bytes, text/x-review-board-request
Cykesiopka
: review+
jcj
: review+
mgoodwin
: review+
Details
STR: visit a site with an EV certificate (e.g. bugzilla.mozilla.org) and then shift-refresh (clearing the cache). Expected results: the extended green EV bar should still be displayed Actual results: the EV indicator falls back to the DV indicator I bisected this to changeset 4adb7daf5033 from bug 1264562.
Comment on attachment 8806508 [details] bug 1313491 - add basic tests that PSM sets the right security state during session resumption https://reviewboard.mozilla.org/r/89904/#review90138 ::: security/manager/ssl/tests/unit/test_session_resumption.js:49 (Diff revision 1) > + ok(!sslStatus.isUntrusted, > + "expired.example.com should not have isUntrusted set"); > + } > + ); > + > + // This test is similar, except with extended validation. Could you maybe explain a little better exactly what the EV part of the test achieves? The two add_connection_test calls look basically the same. It's wasn't clear to me on reading this part of the test what was being tested.
Attachment #8806508 - Flags: review?(mgoodwin) → review+
Comment on attachment 8806507 [details] bug 1313491 - include more context when determining EV status https://reviewboard.mozilla.org/r/89868/#review90166
Attachment #8806507 - Flags: review?(mgoodwin) → review+
Comment on attachment 8806507 [details] bug 1313491 - include more context when determining EV status https://reviewboard.mozilla.org/r/89868/#review90404 Cool, much nicer! ::: security/manager/ssl/SSLServerCertVerification.cpp:1375 (Diff revision 1) > + RememberCertErrorsTable::GetInstance().RememberCertHasError(infoObject, > + nullptr, > + SECSuccess); Follow-up material: Might be nice to create a new method dedicated to clearing cert errors, since IMO it's confusing that method named `RememberCertHasError()` can actually clear an existing error. We should probably also rename `LookupCertErrorBits()` to `UpdateCertErrorBits()` or something. ::: security/manager/ssl/SSLServerCertVerification.cpp:1385 (Diff revision 1) > certificateTransparencyInfo); > > // The connection may get terminated, for example, if the server requires > // a client cert. Let's provide a minimal SSLStatus > // to the caller that contains at least the cert and its status. > + RefPtr<nsSSLStatus> status(infoObject->SSLStatus()); A prexisting issue, but it looks like this file is actually missing a few includes: ```cpp #include "nsSSLStatus.h" #include "nsNSSCertificate.h" #include "mozilla/RefPtr.h" #include "SharedCertVerifier.h" #include "TransportSecurityInfo.h" // For RememberCertErrorsTable ``` ::: security/manager/ssl/SSLServerCertVerification.cpp:1402 (Diff revision 1) > } > > + RefPtr<nsNSSCertificate> nsc = nsNSSCertificate::Create(cert.get()); > status->SetServerCert(nsc, evStatus); > MOZ_LOG(gPIPNSSLog, LogLevel::Debug, > - ("AuthCertificate setting NEW cert %p\n", nsc.get())); > + ("AuthCertificate setting NEW cert %p\n", nsc.get())); Nit: Might as well get rid of the unnecessary \n while we're touching this line. ::: security/manager/ssl/nsNSSCallbacks.cpp:1106 (Diff revision 1) > + > + if (!sslStatus || !fd || !infoObject) { > + return; > + } > + > + UniqueCERTCertificate cert(SSL_PeerCertificate(fd)); Seems like this deserves an assert and null check. ::: security/manager/ssl/nsNSSCallbacks.cpp:1108 (Diff revision 1) > + return; > + } > + > + UniqueCERTCertificate cert(SSL_PeerCertificate(fd)); > + > + RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier()); A prexisting issue, but it looks like this file is actually missing a few includes: ```cpp #include "mozilla/RefPtr.h" #include "SharedCertVerifier.h" #include "nsNSSCertificate.h" ``` ::: security/manager/ssl/nsNSSCallbacks.cpp:1116 (Diff revision 1) > + if (!certVerifier) { > + return; > + } > + > + // We don't own these pointers. > + const SECItemArray* csa = SSL_PeerStapledOCSPResponses(fd); Nit: I guess this was copied from from AuthCertificateHook(), but maybe we could name `csa` something else? At least for me it's not a really intuitive name. ::: security/manager/ssl/nsNSSCallbacks.cpp:1156 (Diff revision 1) > + &evOidPolicy); > + > + RefPtr<nsNSSCertificate> nssc(nsNSSCertificate::Create(cert.get())); > + if (rv == Success && evOidPolicy != SEC_OID_UNKNOWN) { > + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, > + ("HandshakeCallback using NEW cert %p (is EV)\n", nssc.get())); Nit: Get rid of the unnecessary \n. Same thing below. ::: security/manager/ssl/nsNSSCertificate.h:42 (Diff revision 1) > > friend class nsNSSCertificateFakeTransport; > > - explicit nsNSSCertificate(CERTCertificate* cert, SECOidTag* evOidPolicy = nullptr); > + explicit nsNSSCertificate(CERTCertificate* cert); > nsNSSCertificate(); > - static nsNSSCertificate* Create(CERTCertificate*cert = nullptr, > + static nsNSSCertificate* Create(CERTCertificate*cert = nullptr); Nit: Space after *. ::: security/manager/ssl/nsSSLStatus.cpp:13 (Diff revision 1) > #include "nsIClassInfoImpl.h" > -#include "nsIObjectOutputStream.h" > #include "nsIObjectInputStream.h" > +#include "nsIObjectOutputStream.h" > +#include "nsNSSCertificate.h" > +#include "plstr.h" I think we can get rid of this include now.
Attachment #8806507 - Flags: review?(cykesiopka.bmo) → review+
Comment on attachment 8806508 [details] bug 1313491 - add basic tests that PSM sets the right security state during session resumption https://reviewboard.mozilla.org/r/89904/#review90406 LGTM. ::: security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec:6 (Diff revision 1) > issuer:evroot > -subject:anyPolicy-int-path-int > +subject:ev-test-intermediate > issuerKey:ev > extension:basicConstraints:cA, > extension:keyUsage:cRLSign,keyCertSign > -extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-int/ > +extension:authorityInformationAccess:http://localhost:8888/ev-test-intermediate/ Hmm, why the www.example.com -> localhost change? Is it to save us having to set the "network.dns.localDomains" pref? ::: security/manager/ssl/tests/unit/test_session_resumption.js:60 (Diff revision 1) > + add_connection_test("ev-test.example.com", PRErrorCodeSuccess, null, > + (transportSecurityInfo) => { > + ok(!(transportSecurityInfo.securityState & > + Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN), > + "ev-test.example.com should not have STATE_CERT_USER_OVERRIDDEN flag"); > + let sslStatus = transportSecurityInfo > + .QueryInterface(Ci.nsISSLStatusProvider) > + .SSLStatus; > + ok(!sslStatus.isDomainMismatch, > + "ev-test.example.com should not have isDomainMismatch set"); > + ok(!sslStatus.isNotValidAtThisTime, > + "ev-test.example.com should not have isNotValidAtThisTime set"); > + ok(!sslStatus.isUntrusted, > + "ev-test.example.com should not have isUntrusted set"); > + ok(!gEVExpected || sslStatus.isExtendedValidation, > + "ev-test.example.com should have isExtendedValidation set " + > + "(or this is a non-debug build)"); > + } > + ); Nit: It might be clearer to dedupe this block of code and the one above to make it clearer we expect the exact same results.
Attachment #8806508 - Flags: review?(cykesiopka.bmo) → review+
Comment on attachment 8806507 [details] bug 1313491 - include more context when determining EV status https://reviewboard.mozilla.org/r/89868/#review90940 This looks all right and proper to me.
Attachment #8806507 - Flags: review?(jjones) → review+
Comment on attachment 8806508 [details] bug 1313491 - add basic tests that PSM sets the right security state during session resumption https://reviewboard.mozilla.org/r/89904/#review91028 ::: security/manager/ssl/tests/unit/test_session_resumption.js:49 (Diff revision 1) > + ok(!sslStatus.isUntrusted, > + "expired.example.com should not have isUntrusted set"); > + } > + ); > + > + // This test is similar, except with extended validation. Maybe it'd be clearer to split `run_test()` into two tests: `run_resume_non_ev_with_override()` and `run_resume_ev()` ?
Attachment #8806508 - Flags: review?(jjones) → review+
See Also: → 1316070
Comment on attachment 8806507 [details] bug 1313491 - include more context when determining EV status https://reviewboard.mozilla.org/r/89868/#review90404 Thanks for the reviews, all! > Follow-up material: Might be nice to create a new method dedicated to clearing cert errors, since IMO it's confusing that method named `RememberCertHasError()` can actually clear an existing error. > > We should probably also rename `LookupCertErrorBits()` to `UpdateCertErrorBits()` or something. Sure - filed bug 1316070. > A prexisting issue, but it looks like this file is actually missing a few includes: > ```cpp > #include "nsSSLStatus.h" > #include "nsNSSCertificate.h" > #include "mozilla/RefPtr.h" > #include "SharedCertVerifier.h" > #include "TransportSecurityInfo.h" // For RememberCertErrorsTable > ``` Ok - added. > Nit: Might as well get rid of the unnecessary \n while we're touching this line. Sounds good. > Seems like this deserves an assert and null check. Good call. > A prexisting issue, but it looks like this file is actually missing a few includes: > ```cpp > #include "mozilla/RefPtr.h" > #include "SharedCertVerifier.h" > #include "nsNSSCertificate.h" > ``` Ok - added (also sorted). > Nit: I guess this was copied from from AuthCertificateHook(), but maybe we could name `csa` something else? At least for me it's not a really intuitive name. I can't remember why I called it that, but yeah, it's not a great name. > Nit: Get rid of the unnecessary \n. Same thing below. Sounds good. > Nit: Space after *. Fixed. > I think we can get rid of this include now. Sounds good.
Comment on attachment 8806508 [details] bug 1313491 - add basic tests that PSM sets the right security state during session resumption https://reviewboard.mozilla.org/r/89904/#review90138 > Could you maybe explain a little better exactly what the EV part of the test achieves? The two add_connection_test calls look basically the same. It's wasn't clear to me on reading this part of the test what was being tested. I added more documentation in addition to refactoring the code a bit.
Comment on attachment 8806508 [details] bug 1313491 - add basic tests that PSM sets the right security state during session resumption https://reviewboard.mozilla.org/r/89904/#review90406 > Hmm, why the www.example.com -> localhost change? Is it to save us having to set the "network.dns.localDomains" pref? Yes - unfortunately add_connection_test *sets* "network.dns.localDomains" rather than appending to it. That needs fixing, but I was concerned about making too many changes with this patch, so I'd rather address that as a follow-up. I filed bug 1316076 for this. > Nit: It might be clearer to dedupe this block of code and the one above to make it clearer we expect the exact same results. Good call.
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1c76db819ee6 include more context when determining EV status r=Cykesiopka,jcj,mgoodwin https://hg.mozilla.org/integration/autoland/rev/bd9fb3865606 add basic tests that PSM sets the right security state during session resumption r=Cykesiopka,jcj,mgoodwin
https://hg.mozilla.org/mozilla-central/rev/1c76db819ee6 https://hg.mozilla.org/mozilla-central/rev/bd9fb3865606
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox52: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: