886183 - Remove three unused functions from nsIdentityChecking.cpp

Status: RESOLVED FIXED

(Core :: Security: PSM, defect)

Description

[(no longer active)]

Attachment: Patch (v1)

Comment 1

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

This patch removes the function isApprovedForEV from nsIdentityChecking.cpp.

In bug 813418, we centralized all the calls to NSS's CERT_Verify*/CERT_PKIXVerifyCert into one place. And, in the process of doing so, we refactored the way EV certificates are validated.

Basically, isApprovedForEV just checks the SHA1 fingerprint of the root certificate used for the EV validation with a hard-coded expected SHA1 fingerprint. However, we already restrict the EV certificate verification to roots returned by getRootsForOid, which is a function that maps an EV OID to a set of roots for that OID. In nsNSSComponent::IdentityInfoInit, we already ensure that the mapping used by getRootsForOid is populated with only with certificates that are SHA1 fingerprint matches. Consequently, the call to isApprovedForEV seems to have been completely redundant. And, unsurprisingly, we removed the call to isApprovedForEV.

Am I overlooking something that makes the call to isApprovedForEV important?

Here is the current EV verification code:
https://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/CertVerifier.cpp?rev=6b2f29bc6da8#150

Comment 2

[(no longer active)]

The point of this patch is that there is nothing that calls isApprovedForEV in the tree: <http://mxr.mozilla.org/mozilla-central/search?string=isApprovedForEV>.  In other words, I'm just removing dead code.

Comment 3

[(no longer active)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/0361b8276e50

Comment 4

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/0361b8276e50