| Commit message | Author | Age | Files | Lines |
| |
r=nss-reviewers,nkulatova
Differential Revision: https://phabricator.services.mozilla.com/D142481
|
Differential Revision: https://phabricator.services.mozilla.com/D142434
|
Depends on D141920
Differential Revision: https://phabricator.services.mozilla.com/D141921
|
Depends on D141919
Differential Revision: https://phabricator.services.mozilla.com/D141920
|
certdata.txt. r=KathleenWilson
Differential Revision: https://phabricator.services.mozilla.com/D141919
|
This patch adds support to mozilla::pkix for certificates signed with
RSA-PSS using one of the following parameters permitted by the CA/Browser
Forum Baseline Requirements 1.8.1:
* SHA-256, MGF-1 with SHA-256, and a salt length of 32 bytes
* SHA-384, MGF-1 with SHA-384, and a salt length of 48 bytes
* SHA-512, MGF-1 with SHA-512, and a salt length of 64 bytes
Differential Revision: https://phabricator.services.mozilla.com/D141539
|
The `stateEnd->parent != state` check was added in Bug 95458 to avoid a crash
in `sec_asn1d_free_child`. The diagnosis in Bug 95458 is incorrect---the crash
was actually due to a `PORT_Assert(0)` that was meant to highlight a memory
leak when `SEC_ASN1DecoderStart` was called with `their_pool==NULL`. The
offending assertion was removed in Bug 95311, which makes the `stateEnd` check
obsolete. In Bug 1753535 it was observed that the `stateEnd` check could read
from a poisoned region of an arena when the decoder was used in a streaming
mode. This read-after-poison could lead to an arena memory leak, although this
is mitigated by the fact that the read-after-poison is on an error-handling path
where the caller typically frees the entire arena.
Differential Revision: https://phabricator.services.mozilla.com/D140861
|
Differential Revision: https://phabricator.services.mozilla.com/D139547
|
Differential Revision: https://phabricator.services.mozilla.com/D139866
|
Caused Windows gyp build failures for cmd/mpitests
|
r=nss-reviewers,jschanck
Differential Revision: https://phabricator.services.mozilla.com/D139785
|
r=nss-reviewers,jschanck
Differential Revision: https://phabricator.services.mozilla.com/D139790
|
Differential Revision: https://phabricator.services.mozilla.com/D139866
|
Depends on D141764
Differential Revision: https://phabricator.services.mozilla.com/D141765
|
Depends on D131425
Differential Revision: https://phabricator.services.mozilla.com/D141764
|
Differential Revision: https://phabricator.services.mozilla.com/D131425
|
Differential Revision: https://phabricator.services.mozilla.com/D140984
|
Differential Revision: https://phabricator.services.mozilla.com/D138647
|
Differential Revision: https://phabricator.services.mozilla.com/D140963
|
Submitted on behalf of Zi Lin, the author of the patch.
Differential Revision: https://phabricator.services.mozilla.com/D141119
|
r=mt,nss-reviewers
Differential Revision: https://phabricator.services.mozilla.com/D141651
|
Differential Revision: https://phabricator.services.mozilla.com/D141650
|
TLS 1.3
We need to be able to select Client certificates based on the schemes sent to us from the server. Rather than changing the callback function, this patch adds those schemes to the ssl socket info as suggested by Dana. In addition, two helpful functions have been added to aid User applications in properly selecting the Certificate:
PRBool SSL_CertIsUsable(PRFileDesc *fd, CERTCertificate *cert) - returns true if the given cert matches the schemes of the server, the schemes configured on the socket, capability of the token the private key resides on, and the current policy. For future SSL protocols, additional restrictions may be parsed.
SSL_FilterCertListBySocket(PRFileDesc *fd, CERTCertList *certlist) - removes the certs from the cert list that don't pass the SSL_CertIsUsable() call.
In addition, the built-in cert selection function (NSS_GetClientAuthData) uses the above functions to filter the list. In order to support NSS_GetClientAuthData, three new functions have been added:
SECStatus CERT_FilterCertListByNickname(CERTCertList *certList, char *nickname, void *pwarg) -- removes the certs that don't match the 'nickname'.
SECStatus CERT_FilterCertListByCertList(CERTCertList *certList, const CERTCertList *filterList) -- removes all the certs on the first cert list that aren't on the second.
PRBool CERT_IsInList(CERTCertificate *, const CERTCertList *certList) -- returns true if cert is on certList.
In addition:
* PK11_FindObjectForCert() is exported so the token the cert lives on can be accessed.
* the ssl ssl_PickClientSignatureScheme() function (along with several supporting functions) has been modified so it can be used by SSL_CertIsUsable()
Differential Revision: https://phabricator.services.mozilla.com/D135715
|
The initial implementation of mozilla::pkix split signature verification into
two steps: digesting the data that had been signed and then verifying that
digest. This separation added complexity that was hidden by the VFY_* APIs.
However, those APIs are in need of improvements. This patch avoids the VFY_*
APIs as well as the additional complexity by removing the separate digest step
and using the PK11_Verify* APIs directly.
Differential Revision: https://phabricator.services.mozilla.com/D138605
|
nssTrustDomain_GetActiveSlots. r=rrelyea
Differential Revision: https://phabricator.services.mozilla.com/D138852
|
Differential Revision: https://phabricator.services.mozilla.com/D139420
|
Differential Revision: https://phabricator.services.mozilla.com/D134846
|
handshake message. r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D136000
|
Differential Revision: https://phabricator.services.mozilla.com/D137788
|
r=nss-reviewers,bbeurdouche
The new SHA256 hashes were calculated using the script below, which reads certificates out of the builtin token and re-processes them with the current version of addbuiltin. One of the "Autoridad de Certificacion Firmaprofesional CIF A62634068" certificates had to be handled manually because of Bug 456858.
```
#!/bin/bash
# Set this to the library directory of the NSS build (dist/Debug/lib).
NSS_LIB="<path to dist/Debug/lib>"
WORK=/tmp/nssdb/
LIST="${WORK}/list.txt"
OUT="${WORK}/certdata.txt"
# Start from an empty scratch database and load the built-in roots module.
rm -rf "${WORK}"
mkdir -p "${WORK}"
modutil -force -dbdir "sql:${WORK}" -create
modutil -force -dbdir "sql:${WORK}" -add "nssckbi" -libfile "${NSS_LIB}/libnssckbi.so"
# List the built-in certificates, then rewrite each line as "name;trust".
certutil -d "sql:${WORK}" -L -h "Builtin Object Token" | grep Builtin > "${LIST}"
sed -i 's/\s*\(C\?,C\?,C\?\)\s*$/;\1/' "${LIST}"
# Export each certificate as DER and regenerate its certdata.txt entry.
while IFS=";" read -r name trust
do
    certutil -d "sql:${WORK}" -L -n "${name}" -r 1> "${WORK}/${name}.der"
    addbuiltin -t "${trust}" -n "${name/Builtin Object Token:/}" -i "${WORK}/${name}.der"
done < "${LIST}" >> "${OUT}"
```
Differential Revision: https://phabricator.services.mozilla.com/D136508
|
r=nss-reviewers,bbeurdouche,rrelyea
Differential Revision: https://phabricator.services.mozilla.com/D136289
|
Differential Revision: https://phabricator.services.mozilla.com/D137738
|
Note: these links won't work for local doc build of NSS.
They are designed for firefox source tree:
https://firefox-source-docs.mozilla.org/security/nss/
Differential Revision: https://phabricator.services.mozilla.com/D137732
|
Differential Revision: https://phabricator.services.mozilla.com/D137313
|
Differential Revision: https://phabricator.services.mozilla.com/D137312
|