| Commit message (Collapse) | Author | Age | Files | Lines |
|
Differential Revision: https://phabricator.services.mozilla.com/D158323
|
r=nss-reviewers,djackson
Differential Revision: https://phabricator.services.mozilla.com/D147531
|
Differential Revision: https://phabricator.services.mozilla.com/D147526
|
TLS 1.3
We need to be able to select client certificates based on the schemes sent to us from the server. Rather than changing the callback function, this patch adds those schemes to the ssl socket info as suggested by Dana. In addition, two helpful functions have been added to aid user applications in properly selecting the certificate:
PRBool SSL_CertIsUsable(PRFileDesc *fd, CERTCertificate *cert) - returns true if the given cert matches the schemes of the server, the schemes configured on the socket, the capability of the token the private key resides on, and the current policy. For future SSL protocols, additional restrictions may be parsed.
SSL_FilterCertListBySocket(PRFileDesc *fd, CERTCertList *certlist) - removes the certs from the cert list that don't pass the SSL_CertIsUsable() call.
In addition, the built-in cert selection function (NSS_GetClientAuthData) uses the above functions to filter the list. In order to support NSS_GetClientAuthData, three new functions have been added:
SECStatus CERT_FilterCertListByNickname(CERTCertList *certList, char *nickname, void *pwarg) -- removes the certs that don't match the 'nickname'.
SECStatus CERT_FilterCertListByCertList(CERTCertList *certList, const CERTCertList *filterList) -- removes all the certs on the first cert list that aren't on the second.
PRBool CERT_IsInList(CERTCertificate *, const CERTCertList *certList) -- returns true if cert is on certList.
In addition:
* PK11_FindObjectForCert() is exported so the token the cert lives on can be accessed.
* the ssl_PickClientSignatureScheme() function (along with several supporting functions) has been modified so it can be used by SSL_CertIsUsable().
Differential Revision: https://phabricator.services.mozilla.com/D135715
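As an added example (not NSS code, and not the functions this commit introduces), the following stand-alone C models the decision SSL_CertIsUsable() is described as making: a cert passes only if some signature scheme is advertised by the server, enabled on the socket, producible by the key and the token holding it, and allowed by policy. The SignatureScheme code points are the RFC 8446 values; the ClientCert and SchemeList types, the deny-list policy model, the function names and the sample certs are constructed here and are not NSS types. It also encodes the consequence the "capability of the token" check exists for: TLS 1.3 forbids RSASSA-PKCS1-v1_5 in CertificateVerify, so an RSA certificate whose key sits on a token without RSA-PSS is not usable for TLS 1.3 client auth.

```c
/* Added example: stand-alone model of the client-cert usability test.
 * Not NSS code; ClientCert/SchemeList and the helpers are illustrative. */
#include <stddef.h>
#include <stdint.h>

/* RFC 8446 SignatureScheme code points (real values). */
enum {
    rsa_pkcs1_sha256       = 0x0401,
    ecdsa_secp256r1_sha256 = 0x0403,
    ecdsa_secp384r1_sha384 = 0x0503,
    rsa_pss_rsae_sha256    = 0x0804,
    rsa_pss_rsae_sha384    = 0x0805
};

enum KeyType { KEY_RSA, KEY_EC_P256, KEY_EC_P384 };

/* Constructed stand-in for a client cert plus the token holding its key. */
typedef struct ClientCert {
    const char *nickname;
    enum KeyType keyType;
    int tokenDoesRsaPss; /* e.g. the token exposes CKM_RSA_PKCS_PSS */
} ClientCert;

typedef struct SchemeList { const uint16_t *v; size_t n; } SchemeList;

static int in_list(SchemeList l, uint16_t s) {
    for (size_t i = 0; i < l.n; i++) if (l.v[i] == s) return 1;
    return 0;
}

/* Can this key and its token produce a signature under scheme s?
 * TLS 1.3 forbids rsa_pkcs1_* in CertificateVerify (RFC 8446 4.2.3), so an
 * RSA key is only usable there if the token can do RSA-PSS. */
static int key_can_sign(const ClientCert *c, uint16_t s, int tls13) {
    switch (s) {
    case rsa_pss_rsae_sha256: case rsa_pss_rsae_sha384:
        return c->keyType == KEY_RSA && c->tokenDoesRsaPss;
    case rsa_pkcs1_sha256:
        return c->keyType == KEY_RSA && !tls13;
    case ecdsa_secp256r1_sha256:
        return c->keyType == KEY_EC_P256;
    case ecdsa_secp384r1_sha384:
        return c->keyType == KEY_EC_P384;
    default:
        return 0;
    }
}

/* Model of SSL_CertIsUsable: 1 iff some scheme is advertised by the server,
 * enabled on the socket, signable by key+token, and not denied by policy. */
int cert_is_usable(const ClientCert *c, SchemeList server, SchemeList sockCfg,
                   SchemeList policyDenied, int tls13) {
    for (size_t i = 0; i < server.n; i++) {
        uint16_t s = server.v[i];
        if (!in_list(sockCfg, s)) continue;
        if (in_list(policyDenied, s)) continue;
        if (key_can_sign(c, s, tls13)) return 1;
    }
    return 0;
}

/* Model of SSL_FilterCertListBySocket: compacts certs[] in place, keeping
 * only usable certs, and returns the new count. */
size_t filter_certs(ClientCert *certs, size_t n, SchemeList server,
                    SchemeList sockCfg, SchemeList policyDenied, int tls13) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (cert_is_usable(&certs[i], server, sockCfg, policyDenied, tls13))
            certs[kept++] = certs[i];
    return kept;
}

int main(void) {
    const uint16_t srv[] = { rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256 };
    const uint16_t cfg[] = { rsa_pss_rsae_sha256, rsa_pkcs1_sha256,
                             ecdsa_secp256r1_sha256 };
    SchemeList server = { srv, 2 }, sockCfg = { cfg, 3 }, noDeny = { NULL, 0 };
    ClientCert certs[] = {
        { "rsa-on-pss-token", KEY_RSA, 1 },
        { "rsa-on-old-smartcard", KEY_RSA, 0 }, /* token lacks RSA-PSS */
        { "ec-p256", KEY_EC_P256, 0 }
    };
    /* For TLS 1.3 the old-smartcard RSA cert must be dropped: 2 remain. */
    return filter_certs(certs, 3, server, sockCfg, noDeny, 1) == 2 ? 0 : 1;
}
```

The same RSA cert passes when `tls13` is 0 and the socket still enables rsa_pkcs1_sha256, which is why the token capability has to be part of the check rather than something the application discovers after the handshake fails.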
|
Differential Revision: https://phabricator.services.mozilla.com/D139420
|
Differential Revision: https://phabricator.services.mozilla.com/D64233
|
Differential Revision: https://phabricator.services.mozilla.com/D64233
|
There is really no good reason to explicitly change the TARGET
variable. And the empty SHARED_LIBRARY variable should also be
in the manifest.mn to begin with.
All the other empty variables start empty or undefined, so there
is also no need to explicitly set them empty.
Differential Revision: https://phabricator.services.mozilla.com/D70691
|
Copying private headers is now simply included in the exports
target, as these headers use an extra directory anyway.
Differential Revision: https://phabricator.services.mozilla.com/D69021
|
https://phabricator.services.mozilla.com/D63241
This patch implements the first phase: updating the headers.
lib/util/pkcs11.h
lib/util/pkcs11f.h
lib/util/pkcs11t.h
were updated using the released OASIS PKCS #11 v3.0 header files.
lib/util/pkcs11n.h was updated to finally deprecate all uses of CK?_NETSCAPE_?.
A new define was added: NSS_PKCS11_2_0_COMPAT. If it's defined, the small
semantic changes (including the removal of deprecated defines) between the
NSS PKCS #11 v2 header file and the new PKCS #11 v3 are reverted in favor of
the PKCS #11 v2 definitions. This includes the removal of CK?_NETSCAPE_? in
favor of CK?_NSS_?.
One notable change was caused by an inconsistency between the spec and the
released headers in PKCS #11 v2.40. CK_GCM_PARAMS had an extra field in
the header that was not in the spec. OASIS considers the header file to be
normative, so PKCS #11 v3.0 resolved the issue in favor of the header file
definition. NSS had the spec definition, so now there are 2 defines for this
structure:
CK_NSS_GCM_PARAMS - the old NSS define. Still used internally in freebl.
CK_GCM_PARAMS_V3 - the new define.
CK_GCM_PARAMS - no longer referenced in NSS itself. It's defined as
CK_GCM_PARAMS_V3 if NSS_PKCS11_2_0_COMPAT is *not* defined, and it's defined as
CK_NSS_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is defined.
Softoken has been updated to accept either CK_NSS_GCM_PARAMS or
CK_GCM_PARAMS_V3. In a future patch NSS will be updated to use
CK_GCM_PARAMS_V3 and fall back to CK_NSS_GCM_PARAMS.
One other semantic difference between the 3.0 version of pkcs11f.h and the
version here: in the OASIS version of the header, you must define
CK_PKCS11_2_0_ONLY to get just the PKCS #11 v2 defines. In our version you
must define CK_PKCS11_3 to get the PKCS #11 v3 defines.
Most of this patch is to handle changing the deprecated defines that have been
removed in PKCS #11 v3 from NSS.
Differential Revision: https://phabricator.services.mozilla.com/D63241
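Added example (not NSS or softoken code): a stand-alone C sketch of the two CK_GCM_PARAMS layouts the message describes and of how a module that must accept both, as softoken now does, can tell them apart. The local CK_ULONG/CK_BYTE_PTR typedefs stand in for pkcs11t.h, the struct bodies follow the published headers (the extra v2.40 header field is ulIvBits), and gcm_layout_for_len(), gcm_params_normalize() and GcmParamsView are illustrative names, not softoken's. The dispatch on ulParameterLen is the security-relevant part: reading the larger struct out of a buffer sized for the smaller one is an over-read, so the size is checked before any field is touched, and the case where both sizes coincide (LLP64 Windows, where CK_ULONG is 32 bits) is reported as undecidable rather than guessed.

```c
/* Added example: dispatching on the two CK_GCM_PARAMS layouts. Not softoken
 * code; typedefs stand in for pkcs11t.h, helper names are illustrative. */
#include <stddef.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef unsigned char *CK_BYTE_PTR;

/* Layout NSS originally used, matching the v2.40 spec text (no ulIvBits). */
typedef struct CK_NSS_GCM_PARAMS {
    CK_BYTE_PTR pIv;
    CK_ULONG ulIvLen;
    CK_BYTE_PTR pAAD;
    CK_ULONG ulAADLen;
    CK_ULONG ulTagBits;
} CK_NSS_GCM_PARAMS;

/* Layout from the normative v2.40/v3.0 header: ulIvBits follows ulIvLen. */
typedef struct CK_GCM_PARAMS_V3 {
    CK_BYTE_PTR pIv;
    CK_ULONG ulIvLen;
    CK_ULONG ulIvBits;
    CK_BYTE_PTR pAAD;
    CK_ULONG ulAADLen;
    CK_ULONG ulTagBits;
} CK_GCM_PARAMS_V3;

/* The compat switch from the commit message: CK_GCM_PARAMS names whichever
 * layout the build asked for. */
#ifdef NSS_PKCS11_2_0_COMPAT
typedef CK_NSS_GCM_PARAMS CK_GCM_PARAMS;
#else
typedef CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
#endif

/* Normalized view a token can work with regardless of the caller's struct. */
typedef struct GcmParamsView {
    const unsigned char *iv;
    CK_ULONG ivLen;
    const unsigned char *aad;
    CK_ULONG aadLen;
    CK_ULONG tagBits;
} GcmParamsView;

enum GcmLayout { GCM_LAYOUT_BAD = 0, GCM_LAYOUT_NSS = 1, GCM_LAYOUT_V3 = 2 };

/* Pick the layout from CK_MECHANISM.ulParameterLen, never from the pointer.
 * On LP64 the sizes differ (40 vs 48 bytes); on LLP64 Windows they can be
 * equal, which this helper reports as BAD instead of guessing. */
enum GcmLayout gcm_layout_for_len(size_t ulParameterLen) {
    if (sizeof(CK_NSS_GCM_PARAMS) == sizeof(CK_GCM_PARAMS_V3))
        return GCM_LAYOUT_BAD; /* ambiguous on this ABI */
    if (ulParameterLen == sizeof(CK_NSS_GCM_PARAMS))
        return GCM_LAYOUT_NSS;
    if (ulParameterLen == sizeof(CK_GCM_PARAMS_V3))
        return GCM_LAYOUT_V3;
    return GCM_LAYOUT_BAD;
}

/* Returns 1 and fills *out when pParameter is a well-formed instance of
 * either layout, 0 otherwise (a module would map 0 to
 * CKR_MECHANISM_PARAM_INVALID). Only ulParameterLen bytes are ever read. */
int gcm_params_normalize(const void *pParameter, size_t ulParameterLen,
                         GcmParamsView *out) {
    if (pParameter == NULL || out == NULL)
        return 0;
    switch (gcm_layout_for_len(ulParameterLen)) {
    case GCM_LAYOUT_NSS: {
        CK_NSS_GCM_PARAMS p;
        memcpy(&p, pParameter, sizeof p);
        out->iv = p.pIv; out->ivLen = p.ulIvLen;
        out->aad = p.pAAD; out->aadLen = p.ulAADLen;
        out->tagBits = p.ulTagBits;
        break;
    }
    case GCM_LAYOUT_V3: {
        CK_GCM_PARAMS_V3 p;
        memcpy(&p, pParameter, sizeof p);
        /* ulIvBits is not needed: ulIvLen is the byte count actually used. */
        out->iv = p.pIv; out->ivLen = p.ulIvLen;
        out->aad = p.pAAD; out->aadLen = p.ulAADLen;
        out->tagBits = p.ulTagBits;
        break;
    }
    default:
        return 0;
    }
    /* Coarse GCM sanity checks shared by both layouts: non-empty IV, and a
     * tag that is a whole number of bytes between 32 and 128 bits. A real
     * module pins these tighter (e.g. a 12-byte IV). */
    if (out->iv == NULL || out->ivLen == 0)
        return 0;
    if (out->tagBits < 32 || out->tagBits > 128 || (out->tagBits % 8) != 0)
        return 0;
    return 1;
}

int main(void) {
    unsigned char iv[12] = {0}, aad[4] = {1, 2, 3, 4};
    CK_NSS_GCM_PARAMS a = { iv, sizeof iv, aad, sizeof aad, 128 };
    CK_GCM_PARAMS_V3 b = { iv, sizeof iv, 96, aad, sizeof aad, 128 };
    GcmParamsView v;
    int ok = gcm_params_normalize(&a, sizeof a, &v) && v.tagBits == 128 &&
             gcm_params_normalize(&b, sizeof b, &v) && v.tagBits == 128 &&
             !gcm_params_normalize(&b, sizeof b - 1, &v); /* short buffer */
    return ok ? 0 : 1;
}
```

Build once with and once with `-DNSS_PKCS11_2_0_COMPAT` to see that `CK_GCM_PARAMS` alone no longer tells a module which layout an application was compiled against; that is why the dispatch above keys off the length the caller passed rather than the type name.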
|
Bug 1588015 introduced in NSPR a new way to ASSERT values where the arguments are always used, avoiding "unused variable" errors.
This was implemented in NSS, at certdb.c.
Differential Revision: https://phabricator.services.mozilla.com/D49418
|
and updated support commands. r=jcj,kjacobs,mt
Added two new fields for scheduled distrust of CAs in nssckbi/builtins.
Also, created a testlib to validate these fields with gtests.
Differential Revision: https://phabricator.services.mozilla.com/D36597
|
r=jcj
Some conditionals that are always true were removed.
Differential Revision: https://phabricator.services.mozilla.com/D48255
|
try: -p linux64,linux64-fuzz -u gtest -t clang-format,scan-build
Differential Revision: https://phabricator.services.mozilla.com/D24399
|
Summary:
Forgot to put this up. This will make the neqo wrapper considerably more
hygienic. Having to explode the entire CERTCertificate struct (which is public
and never should have been) into the FFI is a complete disaster. Better to
treat it as opaque and use an accessor function.
Reviewers: jcj
Tags: #secure-revision
Bug #: 1531236
Differential Revision: https://phabricator.services.mozilla.com/D24129
|
Patch by Kai
r=rrelyea
|
instead of key.h, and keythi.h instead of keyt.h. r=rrelyea
|
and which introduced a bad ABI change.
|
doesn't associate it to the existing private key, r=kaie
|
Reviewers: mt, ekr
Bug #: 1399439
Differential Revision: https://phabricator.services.mozilla.com/D284
|
This series adds a high-level API to sign and verify RSA-PSS signatures on certificates and utilizes it in tools.
|
These files were being reformatted by clang-format 4.0. If you make this
change, then both 3.9 (in CI) and 4.0 are happy with the result. I don't plan
to do this often, but it is a huge help.
Note that the PK11 ECDSA tests are an odd duck, I have more on that coming.
|
Differential Revision: https://nss-review.dev.mozaws.net/D366
|
Differential Revision: https://nss-review.dev.mozaws.net/D364
|
Differential Revision: https://nss-review.dev.mozaws.net/D354
|
Differential Revision: https://nss-review.dev.mozaws.net/D301
|
Summary: This change fixes dead code caught by Coverity after bug 1342137.
Reviewers: franziskus
Reviewed By: franziskus
Differential Revision: https://nss-review.dev.mozaws.net/D318
|
r=franziskus,ttaubert
RFC 1485 permits principals with OIDs in either "1.2=Name" or "OID.1.2=Name"
form. This patch permits such forms, for unknown OIDs.
This patch adds disabled tests which should fail, but do not, and need further
cleanup.
Original patch courtesy of Miklos Vajna.
Differential Revision: https://nss-review.dev.mozaws.net/D310
|
Sertifikasi - Surum 1" to NSS function CERT_GetImposedNameConstraints, r=keeler
(CERT_GetImposedNameConstraints is used by both NSS and Firefox/PSM certificate verification code.)
|
Differential Revision: https://nss-review.dev.mozaws.net/D231
|
Differential Revision: https://nss-review.dev.mozaws.net/D173
|
Mozilla's build system currently puts NSS public headers directly in
$(DIST)/include/nss, so we need a way to override the export directory.
|
|
the right directory r=franziskus
Differential Revision: https://nss-dev.phacility.com/D104
|
r=ttaubert
try: -t all
|
Differential Revision: https://nss-dev.phacility.com/D78
|
functions. r=mt.
This avoids *many* heap allocations in places where arena pools are used in a
function-bounded, single-threaded way.
MozReview-Commit-ID: JLYhpvEXEa1
|