Revert "Bug 2004708 - Extending signature verification with certificate chain verification r=keeler" for causing build bustages in PDFTrustDomain.cpp.

This reverts commit 84c1181.

Revert "Bug 2004708 - Introduce BuildCertChainForDocumentSigningKeyUsage building certificate chain with all the supported document signing EKUs r=keeler"

This reverts commit 84a088d.

Author: Atila Butkovits

Cargo.lock

@@ -15,7 +15,6 @@ members = [
   "security/manager/ssl/tests/unit/pkcs11testmodule",
   "security/manager/ssl/tests/unit/test_trust_anchors",
   "security/manager/ssl/qwac_trust_anchors",
-  "security/manager/ssl/pdf_trust_anchors",
   "security/manager/ssl/trust_anchors",
   "security/mls/mls_gk",
   "services/app-services-tools/embedded-uniffi-bindgen",

Cargo.toml

@@ -17521,14 +17521,6 @@
   value: true
   mirror: always
 
-
-# Whether or not to enable the test trust anchor list when verifying PDF signatures
-- name: security.pdf_signature_verification.enable_test_trust_anchors
-  type: RelaxedAtomicBool
-  value: false
-  mirror: always
-  rust: true
-
 # If true, attempt to load the osclientcerts PKCS#11 module at startup on a
 # background thread. This module allows Firefox to use client certificates
 # stored in OS certificate storage. Currently only available for Windows and

modules/libpref/init/StaticPrefList.yaml

@@ -7,7 +7,6 @@
 #include "nsNSSCertificate.h"
 #include "AppSignatureVerification.h"
 #include "CryptoTask.h"
-#include "PDFTrustDomain.h"
 
 #include "mozpkix/pkix.h"
 #include "mozpkix/pkixnss.h"
@@ -53,8 +52,7 @@ struct VerifySignatureResult {
 
 void VerifySignature(
     NSSCMSSignedData* signedData, const nsTArray<nsTArray<uint8_t>>& data,
-    /* out */ nsTArray<VerifySignatureResult>& signatureVerificationResults,
-    /* out */ nsTArray<Span<const uint8_t>>& collectedCerts) {
+    /* out */ nsTArray<VerifySignatureResult>& signatureVerificationResults) {
   nsTArray<std::tuple<NSSCMSSignerInfo*, SECOidTag>> signerInfos;
   // Returns a prioritized list of signerInfos.
   GetAllSignerInfosForSupportedDigestAlgorithms(signedData, signerInfos);
@@ -68,6 +66,7 @@ void VerifySignature(
     return;
   }
 
+  nsTArray<Span<const uint8_t>> collectedCerts;
   CollectCertificates(signedData, collectedCerts);
   if (collectedCerts.Length() == 0) {
     signatureVerificationResults.AppendElement(
@@ -117,53 +116,12 @@ void VerifySignature(
           TimeFromEpochInSeconds((uint64_t)(signingTime / 1000000))));
     } else {
       signatureVerificationResults.AppendElement(
-          VerifySignatureResult(rv, signerCertSpan, Now()));
+          VerifySignatureResult(rv, signerCertSpan, defaultTime));
     }
   }
 }
 
-static mozilla::pkix::Result BuildCertChainForDocumentSigningKeyUsage(
-    TrustDomain& trustDomain, Input certDER, Time time) {
-  mozilla::pkix::Result rv = BuildCertChain(
-      trustDomain, certDER, time, EndEntityOrCA::MustBeEndEntity,
-      KeyUsage::digitalSignature, KeyPurposeId::id_kp_documentSigning,
-      CertPolicyId::anyPolicy, nullptr /*stapledOCSPResponse*/);
-  if (rv == mozilla::pkix::Result::ERROR_INADEQUATE_CERT_TYPE) {
-    rv = BuildCertChain(
-        trustDomain, certDER, time, EndEntityOrCA::MustBeEndEntity,
-        KeyUsage::digitalSignature, KeyPurposeId::id_kp_documentSigningAdobe,
-        CertPolicyId::anyPolicy, nullptr /*stapledOCSPResponse*/);
-    if (rv == mozilla::pkix::Result::ERROR_INADEQUATE_CERT_TYPE) {
-      rv = BuildCertChain(
-          trustDomain, certDER, time, EndEntityOrCA::MustBeEndEntity,
-          KeyUsage::digitalSignature,
-          KeyPurposeId::id_kp_documentSigningMicrosoft, CertPolicyId::anyPolicy,
-          nullptr /*stapledOCSPResponse*/);
-      if (rv != Success) {
-        rv = mozilla::pkix::Result::ERROR_INADEQUATE_CERT_TYPE;
-      }
-    }
-  }
-
-  return rv;
-}
-
-nsresult VerifyCertificate(PDFTrustDomain& trustDomain,
-                           Span<const uint8_t> signerCert, Time time) {
-  Input certDER;
-  mozilla::pkix::Result result =
-      certDER.Init(signerCert.Elements(), signerCert.Length());
-  if (result != Success) {
-    return mozilla::psm::GetXPCOMFromNSSError(MapResultToPRErrorCode(result));
-  }
-
-  result = BuildCertChainForDocumentSigningKeyUsage(trustDomain, certDER, time);
-  if (result != Success) {
-    return mozilla::psm::GetXPCOMFromNSSError(MapResultToPRErrorCode(result));
-  }
-
-  return NS_OK;
-}
+nsresult VerifyCertificate() { return NS_ERROR_CMS_VERIFY_NOT_YET_ATTEMPTED; }
 
 class PDFVerificationResultImpl final : public nsIPDFVerificationResult {
  public:
@@ -244,26 +202,21 @@ void VerifyPKCS7Object(
   }
 
   nsTArray<VerifySignatureResult> signatureVerificationResults;
-  nsTArray<Span<const uint8_t>> collectedCerts;
-  VerifySignature(signedData, data, signatureVerificationResults,
-                  collectedCerts);
-
-  PDFTrustDomain trustDomain(std::move(collectedCerts));
+  VerifySignature(signedData, data, signatureVerificationResults);
 
   for (auto& result : signatureVerificationResults) {
     if (result.signatureVerificationResult != NS_OK) {
       pdfVerifResults.AppendElement(new PDFVerificationResultImpl(
           result.signatureVerificationResult,
           NS_ERROR_CMS_VERIFY_NOT_YET_ATTEMPTED, nullptr));
     } else {
-      nsresult certChainVerifResult =
-          VerifyCertificate(trustDomain, result.signerCert, result.time);
-
+      // The next patch will contain the certificate verification for each
+      // signerCert
       nsCOMPtr<nsIX509Cert> cert(
           new nsNSSCertificate(std::move(result.signerCert)));
-
       pdfVerifResults.AppendElement(new PDFVerificationResultImpl(
-          result.signatureVerificationResult, certChainVerifResult, cert));
+          result.signatureVerificationResult,
+          NS_ERROR_CMS_VERIFY_NOT_YET_ATTEMPTED, cert));
     }
   }
 }