Closed
Bug 921886
Opened 11 years ago
Closed 10 years ago
Add certificate policy support to insanity::pkix
Categories
(Core :: Security: PSM, defect, P1)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla30
Tracking | Status | |
---|---|---|
firefox29 | --- | fixed |
People
(Reporter: briansmith, Assigned: briansmith)
References
Details
Attachments
(1 file, 1 obsolete file)
34.35 KB,
patch
|
cviecco
:
review+
keeler
:
review+
Sylvestre
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
The certificate policy support only needs to be good enough to verify EV certificates. That means, AFAICT, that we can always require explicit policy, always prohibit policy mapping, and always ignore anyPolicy. This is great because then we won't have to explicitly implement the policy mapping extension, policy constraints extension, or inhibit anyPolicy extension. It also means we can greatly simplify testing.
Assignee | ||
Updated•11 years ago
|
Assignee: nobody → brian
Assignee | ||
Updated•10 years ago
|
Target Milestone: --- → mozilla30
Assignee | ||
Comment 1•10 years ago
|
||
This will be tested (only, for now) via the test_ev_certs.js xpcshell tests, which will be extended in bug 921885 to cover more of this.
Attachment #8380879 -
Flags: review?(dkeeler)
Attachment #8380879 -
Flags: review?(cviecco)
Assignee | ||
Comment 2•10 years ago
|
||
Comment on attachment 8380879 [details] [diff] [review] certificate-policies.patch Review of attachment 8380879 [details] [diff] [review]: ----------------------------------------------------------------- ::: security/insanity/lib/pkixcheck.cpp @@ +420,5 @@ > } > > + // 4.2.1.1. Authority Key Identifier is ignored (see bug 965136). > + > + // 4.2.1.2. Subject Key Identifier is ignored (see bug 965136). Note that some of these comment changes were unrelated, but I don't think it is worth splitting them into another patch, considering that ~50% of them are relevant to this patch anyway.
Comment 3•10 years ago
|
||
Comment on attachment 8380879 [details] [diff] [review] certificate-policies.patch Review of attachment 8380879 [details] [diff] [review]: ----------------------------------------------------------------- r- just for clarifications. ::: security/certverifier/NSSCertDBTrustDomain.cpp @@ +76,4 @@ > const CERTCertificate* candidateCert, > /*out*/ TrustLevel* trustLevel) > { > + PR_ASSERT(candidateCert); Just to be consistent: PR_XX instead of PORT_XX from now on? ::: security/insanity/lib/pkixcheck.cpp @@ +122,5 @@ > + // which policies is made by the TrustDomain's GetCertTrust method. Note > + // that this is needed for many EV root certificates. > + // > + // XXX: Is this correct? I don't think cert.GetNSSCert()->isRoot is > + // calculated correctly. Also, not sure this is 100% correct logic. Why not stop with isTrustAnchor && endEntityOrCA == MustBeCA? @@ +127,5 @@ > + if (isTrustAnchor && endEntityOrCA == MustBeCA && cert.GetNSSCert()->isRoot) { > + return Success; > + } > + > + if (!cert.encodedCertificatePolicies) { if (endEntityOrCA == MustBeEndEntity) { return FatalError;} ? CA is ok to return recoverable. @@ +135,5 @@ > + > + ScopedPtr<CERTCertificatePolicies, CERT_DestroyCertificatePoliciesExtension> > + policies(CERT_DecodeCertificatePoliciesExtension( > + cert.encodedCertificatePolicies)); > + if (!policies) { again, on EE I think this should be fatal. @@ +145,5 @@ > + if ((*policyInfos)->oid == requiredPolicy) { > + return Success; > + } > + } > + fatal on EE?
Comment 4•10 years ago
|
||
Comment on attachment 8380879 [details] [diff] [review] certificate-policies.patch Review of attachment 8380879 [details] [diff] [review]: ----------------------------------------------------------------- r- just for clarifications. ::: security/certverifier/NSSCertDBTrustDomain.cpp @@ +76,4 @@ > const CERTCertificate* candidateCert, > /*out*/ TrustLevel* trustLevel) > { > + PR_ASSERT(candidateCert); Just to be consistent: PR_XX instead of PORT_XX from now on? ::: security/insanity/lib/pkixcheck.cpp @@ +122,5 @@ > + // which policies is made by the TrustDomain's GetCertTrust method. Note > + // that this is needed for many EV root certificates. > + // > + // XXX: Is this correct? I don't think cert.GetNSSCert()->isRoot is > + // calculated correctly. Also, not sure this is 100% correct logic. Why not stop with isTrustAnchor && endEntityOrCA == MustBeCA? @@ +127,5 @@ > + if (isTrustAnchor && endEntityOrCA == MustBeCA && cert.GetNSSCert()->isRoot) { > + return Success; > + } > + > + if (!cert.encodedCertificatePolicies) { if (endEntityOrCA == MustBeEndEntity) { return FatalError;} ? CA is ok to return recoverable. @@ +135,5 @@ > + > + ScopedPtr<CERTCertificatePolicies, CERT_DestroyCertificatePoliciesExtension> > + policies(CERT_DecodeCertificatePoliciesExtension( > + cert.encodedCertificatePolicies)); > + if (!policies) { again, on EE I think this should be fatal. @@ +145,5 @@ > + if ((*policyInfos)->oid == requiredPolicy) { > + return Success; > + } > + } > + fatal on EE?
Attachment #8380879 -
Flags: review?(cviecco) → review-
Comment on attachment 8380879 [details] [diff] [review] certificate-policies.patch Review of attachment 8380879 [details] [diff] [review]: ----------------------------------------------------------------- LGTM. ::: security/insanity/lib/pkixcheck.cpp @@ +122,5 @@ > + // which policies is made by the TrustDomain's GetCertTrust method. Note > + // that this is needed for many EV root certificates. > + // > + // XXX: Is this correct? I don't think cert.GetNSSCert()->isRoot is > + // calculated correctly. Also, not sure this is 100% correct logic. Agreed - why not trust what the TrustDomain says? (i.e. if it says it's a trust anchor and we're looking for a CA, then it's a root, right?) @@ +127,5 @@ > + if (isTrustAnchor && endEntityOrCA == MustBeCA && cert.GetNSSCert()->isRoot) { > + return Success; > + } > + > + if (!cert.encodedCertificatePolicies) { The recoverable/fatal error distinction only makes sense in terms of trying other possibilities, right? And in the EE case, there are no other possibilities, so processing won't continue if either a recoverable or fatal error is encountered here. So, I think it's fine that RecoverableError is returned here and elsewhere in this function for both EEs and CAs.
Attachment #8380879 -
Flags: review?(dkeeler) → review+
Assignee | ||
Comment 6•10 years ago
|
||
Comment on attachment 8380879 [details] [diff] [review] certificate-policies.patch Review of attachment 8380879 [details] [diff] [review]: ----------------------------------------------------------------- ::: security/certverifier/NSSCertDBTrustDomain.cpp @@ +76,4 @@ > const CERTCertificate* candidateCert, > /*out*/ TrustLevel* trustLevel) > { > + PR_ASSERT(candidateCert); Yes, please use PR_*, except in NSS. In NSS use PORT_*. ::: security/insanity/lib/pkixcheck.cpp @@ +122,5 @@ > + // which policies is made by the TrustDomain's GetCertTrust method. Note > + // that this is needed for many EV root certificates. > + // > + // XXX: Is this correct? I don't think cert.GetNSSCert()->isRoot is > + // calculated correctly. Also, not sure this is 100% correct logic. Unless I hear otherwise from y'all, I will remove the IsRoot check. An intermediate could be explicitly trusted by the user in the certificate manager and still not be a root. In that case, do we want to treat the end-entity certificate as EV? @@ +127,5 @@ > + if (isTrustAnchor && endEntityOrCA == MustBeCA && cert.GetNSSCert()->isRoot) { > + return Success; > + } > + > + if (!cert.encodedCertificatePolicies) { David is correct here. In the EE case it is kind of a distinction without a difference anyway. However, FatalError is really for errors where we must stop path building dead. In fact, now that all this code is written, I'm not sure it was even a good idea to have the Fatal/Recoverable distinction; we could probably have just written an IsFatalError(PRErrorCode) function that calculates the recoverability (fatality?) from the error code. Maybe we can change to that in the future.
(In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) from comment #6) > > + // XXX: Is this correct? I don't think cert.GetNSSCert()->isRoot is > > + // calculated correctly. Also, not sure this is 100% correct logic. > > Unless I hear otherwise from y'all, I will remove the IsRoot check. > > An intermediate could be explicitly trusted by the user in the certificate > manager and still not be a root. In that case, do we want to treat the > end-entity certificate as EV? Actually, maybe we should also see if cert is self-signed?
Assignee | ||
Comment 8•10 years ago
|
||
(In reply to David Keeler (:keeler) from comment #7) > (In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) > > An intermediate could be explicitly trusted by the user in the certificate > > manager and still not be a root. In that case, do we want to treat the > > end-entity certificate as EV? > > Actually, maybe we should also see if cert is self-signed? David and Camilo, please see if the comments in pkixtypes.h in my updated patch address this issue to your satisfaction.
Assignee | ||
Comment 9•10 years ago
|
||
Attachment #8380879 -
Attachment is obsolete: true
Attachment #8381959 -
Flags: review?(dkeeler)
Attachment #8381959 -
Flags: review?(cviecco)
Comment 10•10 years ago
|
||
Comment on attachment 8381959 [details] [diff] [review] certificate-policies.patch [v2] Review of attachment 8381959 [details] [diff] [review]: ----------------------------------------------------------------- LGTM now (the comment makes a lot of difference)
Attachment #8381959 -
Flags: review?(cviecco) → review+
Comment on attachment 8381959 [details] [diff] [review] certificate-policies.patch [v2] Review of attachment 8381959 [details] [diff] [review]: ----------------------------------------------------------------- Sounds like a plan.
Attachment #8381959 -
Flags: review?(dkeeler) → review+
Assignee | ||
Comment 12•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/e50c326ad721
Status: NEW → ASSIGNED
Assignee | ||
Comment 13•10 years ago
|
||
Comment on attachment 8381959 [details] [diff] [review] certificate-policies.patch [v2] [Approval Request Comment] See bug 915931 comment 43.
Attachment #8381959 -
Flags: approval-mozilla-aurora?
Assignee | ||
Updated•10 years ago
|
Priority: -- → P1
Comment 14•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/e50c326ad721
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated•10 years ago
|
Attachment #8381959 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Comment 15•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/1d447f155ab7
status-firefox29:
--- → fixed
You need to log in
before you can comment on or make changes to this bug.
Description
•