diff --git a/security/apps/AppTrustDomain.cpp b/security/apps/AppTrustDomain.cpp index 35be4ebd97..9bce231397 100644 --- a/security/apps/AppTrustDomain.cpp +++ b/security/apps/AppTrustDomain.cpp @@ -291,8 +291,7 @@ AppTrustDomain::DigestBuf(Input item, } Result -AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration, - /*optional*/ const Input*, +AppTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration, /*optional*/ const Input*, /*optional*/ const Input*) { diff --git a/security/apps/AppTrustDomain.h b/security/apps/AppTrustDomain.h index e4a8ec5e50..3a3892637e 100644 --- a/security/apps/AppTrustDomain.h +++ b/security/apps/AppTrustDomain.h @@ -35,10 +35,10 @@ public: virtual Result CheckRevocation(mozilla::pkix::EndEntityOrCA endEntityOrCA, const mozilla::pkix::CertID& certID, mozilla::pkix::Time time, + mozilla::pkix::Time validityBeginning, mozilla::pkix::Duration validityDuration, /*optional*/ const mozilla::pkix::Input* stapledOCSPresponse, - /*optional*/ const mozilla::pkix::Input* aiaExtension, - /*optional*/ const mozilla::pkix::Input* sctExtension) override; + /*optional*/ const mozilla::pkix::Input* aiaExtension) override; virtual Result IsChainValid(const mozilla::pkix::DERArray& certChain, mozilla::pkix::Time time, const mozilla::pkix::CertPolicyId& requiredPolicy) override; diff --git a/security/certverifier/CTLogVerifier.cpp b/security/certverifier/CTLogVerifier.cpp index 202e4b4acd..5edac6001a 100644 --- a/security/certverifier/CTLogVerifier.cpp +++ b/security/certverifier/CTLogVerifier.cpp @@ -41,8 +41,8 @@ public: return Result::FATAL_ERROR_LIBRARY_FAILURE; } - Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration, - const Input*, const Input*, const Input*) override + Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration, + const Input*, const Input*) override { return Result::FATAL_ERROR_LIBRARY_FAILURE; } diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp index 1e4bbf34bf..947b08a5a8 100644 --- a/security/certverifier/NSSCertDBTrustDomain.cpp +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -346,10 +346,10 @@ GetOCSPAuthorityInfoAccessLocation(const UniquePLArenaPool& arena, Result NSSCertDBTrustDomain::CheckRevocation(EndEntityOrCA endEntityOrCA, const CertID& certID, Time time, + Time validityBeginning, Duration validityDuration, /*optional*/ const Input* stapledOCSPResponse, - /*optional*/ const Input* aiaExtension, - /*optional*/ const Input* sctExtension) + /*optional*/ const Input* aiaExtension) { // Actively distrusted certificates will have already been blocked by // GetCertTrust. diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h index e01e9cd68f..d6793ec54d 100644 --- a/security/certverifier/NSSCertDBTrustDomain.h +++ b/security/certverifier/NSSCertDBTrustDomain.h @@ -132,10 +132,10 @@ public: mozilla::pkix::EndEntityOrCA endEntityOrCA, const mozilla::pkix::CertID& certID, mozilla::pkix::Time time, + mozilla::pkix::Time validityBeginning, mozilla::pkix::Duration validityDuration, /*optional*/ const mozilla::pkix::Input* stapledOCSPResponse, - /*optional*/ const mozilla::pkix::Input* aiaExtension, - /*optional*/ const mozilla::pkix::Input* sctExtension) + /*optional*/ const mozilla::pkix::Input* aiaExtension) override; virtual Result IsChainValid(const mozilla::pkix::DERArray& certChain, diff --git a/security/certverifier/OCSPVerificationTrustDomain.cpp b/security/certverifier/OCSPVerificationTrustDomain.cpp index 66c7e4137c..56d23fd105 100644 --- a/security/certverifier/OCSPVerificationTrustDomain.cpp +++ b/security/certverifier/OCSPVerificationTrustDomain.cpp @@ -43,8 +43,8 @@ OCSPVerificationTrustDomain::IsChainValid(const DERArray&, Time, const CertPolic Result OCSPVerificationTrustDomain::CheckRevocation(EndEntityOrCA, const CertID&, - Time, Duration, const Input*, - const Input*, const Input*) + Time, Time, Duration, const Input*, + const Input*) { // We do not expect this to be called for OCSP signers return Result::FATAL_ERROR_LIBRARY_FAILURE; diff --git a/security/certverifier/OCSPVerificationTrustDomain.h b/security/certverifier/OCSPVerificationTrustDomain.h index c3cbf108af..e01c639741 100644 --- a/security/certverifier/OCSPVerificationTrustDomain.h +++ b/security/certverifier/OCSPVerificationTrustDomain.h @@ -66,10 +66,10 @@ public: mozilla::pkix::EndEntityOrCA endEntityOrCA, const mozilla::pkix::CertID& certID, mozilla::pkix::Time time, + mozilla::pkix::Time validityBeginning, mozilla::pkix::Duration validityDuration, /*optional*/ const mozilla::pkix::Input* stapledOCSPResponse, - /*optional*/ const mozilla::pkix::Input* aiaExtension, - /*optional*/ const mozilla::pkix::Input* sctExtension) + /*optional*/ const mozilla::pkix::Input* aiaExtension) override; virtual Result IsChainValid(const mozilla::pkix::DERArray& certChain, diff --git a/security/manager/ssl/CSTrustDomain.cpp b/security/manager/ssl/CSTrustDomain.cpp index 0dd357e75d..a21de0e32e 100644 --- a/security/manager/ssl/CSTrustDomain.cpp +++ b/security/manager/ssl/CSTrustDomain.cpp @@ -127,10 +127,10 @@ CSTrustDomain::FindIssuer(Input encodedIssuerName, IssuerChecker& checker, Result CSTrustDomain::CheckRevocation(EndEntityOrCA endEntityOrCA, const CertID& certID, Time time, + Time validityBeginning, Duration validityDuration, /*optional*/ const Input* stapledOCSPresponse, - /*optional*/ const Input* aiaExtension, - /*optional*/ const Input* sctExtension) + /*optional*/ const Input* aiaExtension) { // We're relying solely on the CertBlocklist for revocation - and we're // performing checks on this in GetCertTrust (as per nsNSSCertDBTrustDomain) diff --git a/security/manager/ssl/CSTrustDomain.h b/security/manager/ssl/CSTrustDomain.h index 02448b7dfa..7b6730c2ea 100644 --- a/security/manager/ssl/CSTrustDomain.h +++ b/security/manager/ssl/CSTrustDomain.h @@ -34,10 +34,10 @@ public: virtual Result CheckRevocation( mozilla::pkix::EndEntityOrCA endEntityOrCA, const mozilla::pkix::CertID& certID, mozilla::pkix::Time time, + mozilla::pkix::Time validityBeginning, mozilla::pkix::Duration validityDuration, /*optional*/ const mozilla::pkix::Input* stapledOCSPresponse, - /*optional*/ const mozilla::pkix::Input* aiaExtension, - /*optional*/ const mozilla::pkix::Input* sctExtension) override; + /*optional*/ const mozilla::pkix::Input* aiaExtension) override; virtual Result IsChainValid(const mozilla::pkix::DERArray& certChain, mozilla::pkix::Time time, const mozilla::pkix::CertPolicyId& requiredPolicy) override; diff --git a/security/pkix/include/pkix/pkixtypes.h b/security/pkix/include/pkix/pkixtypes.h index 7023faac44..d79642e5d7 100644 --- a/security/pkix/include/pkix/pkixtypes.h +++ b/security/pkix/include/pkix/pkixtypes.h @@ -260,10 +260,10 @@ class TrustDomain { virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA, const CertID& certID, Time time, + Time validityBeginning, Duration validityDuration, /*optional*/ const Input* stapledOCSPresponse, - /*optional*/ const Input* aiaExtension, - /*optional*/ const Input* sctExtension) = 0; + /*optional*/ const Input* aiaExtension) = 0; // Check that the given digest algorithm is acceptable for use in signatures. // diff --git a/security/pkix/lib/pkixbuild.cpp b/security/pkix/lib/pkixbuild.cpp index 02de1ff705..820ee16e63 100644 --- a/security/pkix/lib/pkixbuild.cpp +++ b/security/pkix/lib/pkixbuild.cpp @@ -234,9 +234,9 @@ PathBuildingStep::Check(Input potentialIssuerDER, } Duration validityDuration(notAfter, notBefore); rv = trustDomain.CheckRevocation(subject.endEntityOrCA, certID, time, - validityDuration, stapledOCSPResponse, - subject.GetAuthorityInfoAccess(), - subject.GetSignedCertificateTimestamps()); + notBefore, validityDuration, + stapledOCSPResponse, + subject.GetAuthorityInfoAccess()); if (rv != Success) { // Since this is actually a problem with the current subject certificate // (rather than the issuer), it doesn't make sense to keep going; all