summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authoradeshkp <adeshkp@users.noreply.github.com>2020-09-12 04:08:43 -0400
committeradeshkp <adeshkp@users.noreply.github.com>2020-09-12 04:11:03 -0400
commit61ab2b98ea7550e30209b31e07b8b8536b2937a9 (patch)
tree3ef2d28cd5b98e7d4e2b592d70efb378fd17da3f
parentb55d425b37b552e3fd5c781af6d9a172d0ce763c (diff)
downloaduxp-61ab2b98ea7550e30209b31e07b8b8536b2937a9.tar.gz
Issue #1280 - Remove hostname parameter to trust domain.
Host name was purely being used for HPKP and since HPKP is killed, this can also go. Currently it doesn't do anything other than generating build warnings.
-rw-r--r--security/certverifier/CertVerifier.cpp23
-rw-r--r--security/certverifier/NSSCertDBTrustDomain.cpp4
-rw-r--r--security/certverifier/NSSCertDBTrustDomain.h4
3 files changed, 12 insertions, 19 deletions
diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
index 1139ecae58..7f47de14fc 100644
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -422,7 +422,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
originAttributes,
- builtChain, nullptr);
+ builtChain);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
KeyUsage::digitalSignature,
@@ -489,8 +489,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
mCertShortLifetimeInDays, mPinningMode, MIN_RSA_BITS,
ValidityCheckingMode::CheckForEV,
sha1ModeConfigurations[i], mNetscapeStepUpPolicy,
- originAttributes, builtChain,
- hostname);
+ originAttributes, builtChain);
rv = BuildCertChainForOneKeyUsage(trustDomain, certDER, time,
KeyUsage::digitalSignature,// (EC)DHE
KeyUsage::keyEncipherment, // RSA
@@ -572,8 +571,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
sha1ModeConfigurations[j],
mNetscapeStepUpPolicy,
- originAttributes, builtChain,
- hostname);
+ originAttributes, builtChain);
rv = BuildCertChainForOneKeyUsage(trustDomain, certDER, time,
KeyUsage::digitalSignature,//(EC)DHE
KeyUsage::keyEncipherment,//RSA
@@ -635,7 +633,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
pinningDisabled, MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed, mNetscapeStepUpPolicy,
- originAttributes, builtChain, nullptr);
+ originAttributes, builtChain);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeCA, KeyUsage::keyCertSign,
KeyPurposeId::id_kp_serverAuth,
@@ -651,7 +649,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
- originAttributes, builtChain, nullptr);
+ originAttributes, builtChain);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
KeyUsage::digitalSignature,
@@ -678,7 +676,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
- originAttributes, builtChain, nullptr);
+ originAttributes, builtChain);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
KeyUsage::keyEncipherment, // RSA
@@ -702,7 +700,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
- originAttributes, builtChain, nullptr);
+ originAttributes, builtChain);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
KeyUsage::digitalSignature,
@@ -735,7 +733,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
- originAttributes, builtChain, nullptr);
+ originAttributes, builtChain);
rv = BuildCertChain(sslTrust, certDER, time, endEntityOrCA,
keyUsage, eku, CertPolicyId::anyPolicy,
stapledOCSPResponse);
@@ -747,7 +745,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
- originAttributes, builtChain, nullptr);
+ originAttributes, builtChain);
rv = BuildCertChain(emailTrust, certDER, time, endEntityOrCA,
keyUsage, eku, CertPolicyId::anyPolicy,
stapledOCSPResponse);
@@ -761,8 +759,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ValidityCheckingMode::CheckingOff,
SHA1Mode::Allowed,
NetscapeStepUpPolicy::NeverMatch,
- originAttributes, builtChain,
- nullptr);
+ originAttributes, builtChain);
rv = BuildCertChain(objectSigningTrust, certDER, time,
endEntityOrCA, keyUsage, eku,
CertPolicyId::anyPolicy, stapledOCSPResponse);
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index fff75ee88f..a8ecbf1d11 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -58,8 +58,7 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
CertVerifier::SHA1Mode sha1Mode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
const NeckoOriginAttributes& originAttributes,
- UniqueCERTCertList& builtChain,
- /*optional*/ const char* hostname)
+ UniqueCERTCertList& builtChain)
: mCertDBTrustType(certDBTrustType)
, mOCSPFetching(ocspFetching)
, mOCSPCache(ocspCache)
@@ -73,7 +72,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
, mNetscapeStepUpPolicy(netscapeStepUpPolicy)
, mOriginAttributes(originAttributes)
, mBuiltChain(builtChain)
- , mHostname(hostname)
, mCertBlocklist(do_GetService(NS_CERTBLOCKLIST_CONTRACTID))
, mOCSPStaplingStatus(CertVerifier::OCSP_STAPLING_NEVER_CHECKED)
, mSCTListFromCertificate()
diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h
index becf29eee9..50e2c8adc6 100644
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -83,8 +83,7 @@ public:
CertVerifier::SHA1Mode sha1Mode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
const NeckoOriginAttributes& originAttributes,
- UniqueCERTCertList& builtChain,
- /*optional*/ const char* hostname = nullptr);
+ UniqueCERTCertList& builtChain);
virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
IssuerChecker& checker,
@@ -187,7 +186,6 @@ private:
NetscapeStepUpPolicy mNetscapeStepUpPolicy;
const NeckoOriginAttributes& mOriginAttributes;
UniqueCERTCertList& mBuiltChain; // non-owning
- const char* mHostname; // non-owning - only used for pinning checks
nsCOMPtr<nsICertBlocklist> mCertBlocklist;
CertVerifier::OCSPStaplingStatus mOCSPStaplingStatus;
// Certificate Transparency data extracted during certificate verification