summaryrefslogtreecommitdiff
path: root/lib/certdb
Commit message (Collapse)AuthorAgeFilesLines
* Bug 1804505 - Update the technical constraints for KamuSM. ↵Dennis Jackson2023-05-051-10/+2
| | | | | | | | r=nss-reviewers,jschanck Depends on D177241 Differential Revision: https://phabricator.services.mozilla.com/D177242
* Bug 1792821 - Updating the clang-format version to 10. r=jschanckAnna Weine2022-10-073-6/+6
| | | | Differential Revision: https://phabricator.services.mozilla.com/D158323
* Bug 1771497 - Uninitialized value in cert_VerifyCertChainOld. ↵John M. Schanck2022-06-061-1/+4
| | | | | | r=nss-reviewers,djackson Differential Revision: https://phabricator.services.mozilla.com/D147531
* Bug 1771498 - Uninitialized value in cert_ComputeCertType. r=djacksonJohn M. Schanck2022-06-063-6/+9
| | | | Differential Revision: https://phabricator.services.mozilla.com/D147526
* Bug 1552254 internal_error alert on Certificate Request with sha1+ecdsa in ↵Robert Relyea2022-03-182-0/+99
| | | | | | | | | | | | | | | | | | | TLS 1.3 We need to be able to select Client certificates based on the schemes sent to us from the server. Rather than changing the callback function, this patch adds those schemes to the ssl socket info as suggested by Dana. In addition, two helpful functions have been added to aid User applications in properly selecting the Certificate: PRBool SSL_CertIsUsable(PRFileDesc *fd, CERTCertificate *cert) - returns true if the given cert matches the schemes of the server, the schemes configured on the socket, capability of the token the private key resides on, and the current policy. For future SSL protocol, additional restrictions may be parsed. SSL_FilterCertListBySocket(PRFileDesc *fd, CERTCertList *certlist) - removes the certs from the cert list that doesn't pass the SSL_CertIsUsable() call. In addition the built in cert selection function (NSS_GetClientAuthData) uses the above functions to filter the list. In order to support the NSS_GetClientAuthData three new functions have been added: SECStatus CERT_FilterCertListByNickname(CERTCertList *certList, char *nickname, void *pwarg) -- removes the certs that don't match the 'nickname'. SECStatus CERT_FilterCertListByCertList(CERTCertlist *certList, const CERTCertlist *filterList ) -- removes all the certs on the first cert list that isn't on the second. PRBool CERT_IsInList(CERTCertificate *, const CERTCertList *certList) -- returns true if cert is on certList. In addition * PK11_FindObjectForCert() is exported so the token the cert lives on can be accessed. * the ssle ssl_PickClientSignatureScheme() function (along with several supporing functions) have been modified so it can be used by SSL_CertIsUsable() Differential Revision: https://phabricator.services.mozilla.com/D135715
* Bug 1370866 - Check return value of PK11Slot_GetNSSToken. r=djacksonJohn M. Schanck2022-02-232-0/+8
| | | | Differential Revision: https://phabricator.services.mozilla.com/D139420
* Bug 1607449 - Lock cert->nssCertificate to prevent data race. r=jcj,keelerNSS_3_59_BETA1Kevin Jacobs2020-11-102-17/+49
| | | | Differential Revision: https://phabricator.services.mozilla.com/D64233
* Backed out changeset aa6f29a76cfc for Certificates test failuresJ.C. Jones2020-11-092-27/+17
|
* Bug 1607449 - Lock cert->nssCertificate to prevent data race. r=keelerKevin Jacobs2020-11-092-17/+27
| | | | Differential Revision: https://phabricator.services.mozilla.com/D64233
* Bug 1629553 Merge simple config.mk files r=rrelyeaJan-Marek Glogowski2020-05-053-17/+1
| | | | | | | | | | | There is really no good reason to explicitly change the TARGET variable. And the empty SHARED_LIBRARY variable should also be in the manifest.mn to begin with. All the other empty variables start empty or undefined, so there is also no need to explicitly set them empty. Differential Revision: https://phabricator.services.mozilla.com/D70691
* Bug 290526 Drop recursive private_exports r=rrelyeaJan-Marek Glogowski2020-05-051-1/+0
| | | | | | | Copying private headers is now simply included in the exports target, as these headers use an extra directory anyway. Differential Revision: https://phabricator.services.mozilla.com/D69021
* Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=daiki r=mhoyeRobert Relyea2020-02-181-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://phabricator.services.mozilla.com/D63241 This patch implements the first phase: updating the headers. lib/util/pkcs11.h lib/util/pkcs11f.h lib/util/pkcs11t.h Were updated using the released OASIS PKCS #11 v3.0 header files. lib/util/pkcs11n.h was updated to finally deprecate all uses of CK?_NETSCAPE_?. A new define as added: NSS_PKCS11_2_0_COMPAT. If it's defined, the small semantic changes (including the removal of deprecated defines) between the NSS PKCS #11 v2 header file and the new PKCS #11 v3 are reverted in favor of the PKCS #11 v2 definitions. This include the removal of CK?_NETSCAPE_? in favor of CK?_NSS_?. One notable change was caused by an inconsistancy between the spec and the released headers in PKCS #11 v2.40. CK_GCM_PARAMS had an extra field in the header that was not in the spec. OASIS considers the header file to be normative, so PKCS #11 v3.0 resolved the issue in favor of the header file definition. NSS had the spec definition, so now there are 2 defines for this structure: CK_NSS_GCM_PARAMS - the old nss define. Still used internally in freebl. CK_GCM_PARAMS_V3 - the new define. CK_GCM_PARAMS - no longer referenced in NSS itself. It's defined as CK_GCM_PARAMS_V3 if NSS_PKCS11_2_0_COMPAT is *not* defined, and it's defined as CKM_NSS_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is defined. Softoken has been updated to accept either CK_NSS_GCM_PARAMS or CK_GCM_PARAMS_V3. In a future patch NSS will be updated to use CK_GCM_PARAMS_V3 and fall back to CK_NSS_GMC_PARAMS. One other semantic difference between the 3.0 version of pkcs11f.h and the version here: In the oasis version of the header, you must define CK_PKCS11_2_0_ONLY to get just the PKCS #11 v2 defines. In our version you must define CK_PKCS11_3 to get the PCKS #11 v3 defines. Most of this patch is to handle changing the deprecated defines that have been removed in PCKS #11 v3 from NSS. Differential Revision: https://phabricator.services.mozilla.com/D63241
* Bug 1589073 - Use of new PR_ASSERT_ARG in certdb.c. r=mtMarcus Burghardt2019-11-051-9/+3
| | | | | | | Bug 1588015 introduced in NSPR a new way to ASSERT values where the arguments are always used avoiding "unused variable" errors. This was implemented in NSS, at certdb.c. Differential Revision: https://phabricator.services.mozilla.com/D49418
* Bug 1465613 - Created two new fields for scheduled distrust from builtins ↵Marcus Burghardt2019-10-112-20/+21
| | | | | | | | | and updated support commands. r=jcj,kjacobs,mt Added two new fields do scheduled distrust of CAs in nssckbi/builtins. Also, created a testlib to validate these fields with gtests. Differential Revision: https://phabricator.services.mozilla.com/D36597
* Bug 1586456 - Unnecessary conditional in pki3hack, pk11load and stanpcertdb. ↵Marcus Burghardt2019-10-081-12/+11
| | | | | | | | r=jcj Some conditionals that are always true were removed. Differential Revision: https://phabricator.services.mozilla.com/D48255
* Bug 1537927 - IPsec usage is too restrictive for existing deploymentsRobert Relyea2019-03-212-91/+64
| | | | | | try: -p linux64,linux64-fuzz -u gtest -t clang-format,scan-build Differential Revision: https://phabricator.services.mozilla.com/D24399
* Bug 1531236 - Accessor for certificate DER, r=jcjMartin Thomson2019-02-282-0/+17
| | | | | | | | | | | | | | | | Summary: Forgot to put this up. This will make the neqo wrapper considerably more hygenic. Having to explode the entire CERTCertificate struct (which is public and never should have been) into the FFI is a complete disaster. Better to treat it as opaque and use an accessor function. Reviewers: jcj Tags: #secure-revision Bug #: 1531236 Differential Revision: https://phabricator.services.mozilla.com/D24129
* # Bug 1252891 Implement certUsageIPSec as defined in RFC 4945Robert Relyea2018-11-093-2/+84
| | | | | Patch by Kai r=rrelyea
* Bug 1480647 - Warn about deprecation of key.h and keyt.h. Include keyhi.h ↵Cosmin Truta2018-09-141-1/+1
| | | | instead of key.h, and keythi.h instead of keyt.h. r=rrelyea
* Bug 1309068 - Enable -Wshadow, r=franziskusMartin Thomson2018-02-141-4/+4
|
* Bug 1429591, reverting the part of my previous commit that was unnecessary, ↵Kai Engert2018-02-272-2/+2
| | | | and which introduced a bad ABI change.
* Bug 1429591, Importing a certificate with CERT_ImportCerts to an NSS SQL db ↵Robert Relyea2018-02-272-2/+15
| | | | doesn't associate it to the existing private key, r=kaie
* Bug 1399439 - API for external TLS session caches, r=mtFranziskus Kiefer2018-01-161-1/+1
| | | | | | | | Reviewers: mt, ekr Bug #: 1399439 Differential Revision: https://phabricator.services.mozilla.com/D284
* Merge NSS trunk to NSS_TLS13_DRAFT19_BRANCHMartin Thomson2017-11-061-0/+1
|\
| * Bug 1400844, Implement handling of RSA-PSS signatures on certificates, r=mtDaiki Ueno2017-10-241-0/+1
| | | | | | | | This series adds high level API to sign and verify RSA-PSS signatures on certificates and utilizes them in tools.
* | Merge NSS trunk to NSS_TLS13_DRAFT19_BRANCHMartin Thomson2017-10-092-10/+54
|\ \ | |/
| * removing evil unnecessary whitespace, fixing build bustageKai Engert2017-09-081-1/+0
| |
| * Bug 1395897, certutil shouldn't prompt for password if -f is given, r=rrelyeaKai Engert2017-09-082-10/+55
| |
* | Bug 1397990 - Run clang-format 4.0, r=meMartin Thomson2017-09-082-4/+2
|/ | | | | | | | These files were being reformatted by clang-format 4.0. If you make this change, then both 3.9 (in CI) and 4.0 are happy with the result. I don't plan to do this often, but it is a huge help. Note that the PK11 ECDSA tests are an odd duck, I have more on that coming.
* Bug 1321998 - don't overrun OIDs in alg1485 part 2, r=ttaubertFranziskus Kiefer2017-07-111-1/+6
| | | | Differential Revision: https://nss-review.dev.mozaws.net/D366
* Bug 1321998 - fix alg1485 malformed OID issue part 1, r=ttaubertFranziskus Kiefer2017-07-101-4/+8
| | | | Differential Revision: https://nss-review.dev.mozaws.net/D364
* Bug 1376520 - some static analysis (infer) fixes, r=ttaubertFranziskus Kiefer2017-06-271-1/+1
| | | | Differential Revision: https://nss-review.dev.mozaws.net/D354
* Bug 1361197 - Don't skip first RDN in CERT_CompareName() r=franziskusTim Taubert2017-06-061-14/+4
| | | | Differential Revision: https://nss-review.dev.mozaws.net/D301
* Bug 1364469 - Remove dead state check, r=franziskusJ.C. Jones2017-05-121-2/+0
| | | | | | | | | | Summary: This change fixes dead code caught by Coverity after bug 1342137. Reviewers: franziskus Reviewed By: franziskus Differential Revision: https://nss-review.dev.mozaws.net/D318
* Bug 1342137 - Permit unknown dotted-decimal X500 Principals ↵J.C. Jones2017-05-111-3/+9
| | | | | | | | | | | | | | r=franziskus,ttaubert RFC 1485 permits principals with OIDs in either "1.2=Name" or "OID.1.2=Name" form. This patch permits such forms, for unknown OIDs. This patch adds disabled tests which should fail, but do not, and need further cleanup. Original patch courtesy of Miklos Vajna. Differential Revision: https://nss-review.dev.mozaws.net/D310
* Bug 1349705, add domain name constraints for "TUBITAK Kamu SM SSL Kok ↵Kai Engert2017-04-041-4/+33
| | | | | | Sertifikasi - Surum 1" to NSS function CERT_GetImposedNameConstraints, r=keeler (CERT_GetImposedNameConstraints is used by both NSS and Firefox/PSM certificate verification code.)
* Bug 1278965 - tsan race in CERTCertificate, r=wtc,ttaubertFranziskus Kiefer2017-02-084-17/+116
|
* Backed out changeset 545e059dbb17Franziskus Kiefer2017-03-204-116/+17
|
* Bug 1278965 - tsan race in CERTCertificate, r=wtc,ttaubertFranziskus Kiefer2017-02-084-17/+116
|
* Bug 1342061 - Fix some misuses of CERT_LIST* APIs r=franziskusTim Taubert2017-02-272-19/+15
| | | | Differential Revision: https://nss-review.dev.mozaws.net/D231
* Bug 1334049 - fix negative left shift, r=ttaubertFranziskus Kiefer2017-01-251-3/+6
| | | | Differential Revision: https://nss-review.dev.mozaws.net/D173
* bug 1316604 - Add variables for <(nss_dist_dir)/{public,private}. r=franziskusTed Mielczarek2016-11-101-2/+2
| | | | | Mozilla's build system currently puts NSS public headers directly in $(DIST)/include/nss, so we need a way to override the export directory.
* Bug 1311615 - Building with gyp should copy headers, libs, executables to ↵Tim Taubert2016-10-211-3/+3
| | | | | | the right directory r=franziskus Differential Revision: https://nss-dev.phacility.com/D104
* Bug 1208405 - coverity and infer fixes, r=ttaubertFranziskus Kiefer2016-10-201-2/+4
|
* Bug 1277228 - some scan-build fixes to enable it on base/certdb/certhigh, ↵Franziskus Kiefer2016-10-176-18/+23
| | | | | | r=ttaubert try: -t all
* bug 1237872 - Add gyp build system for NSS. r=fkieferTed Mielczarek2016-09-232-0/+70
|
* Bug 1308866 - Make cert test suite run with ASan+LSan+UBSan r=franziskusTim Taubert2016-10-121-2/+3
| | | | Differential Revision: https://nss-dev.phacility.com/D78
* Bug 1295115 - follow up to clang-format for CI, r= kaieFranziskus Kiefer2016-08-149-58/+64
|
* Bug 1281724 - Don't leak OIDs by copying them when copyData=true r=franziskusTim Taubert2016-06-271-4/+7
|
* Bug 1234201 - clean-up of CERT_IsCACert. r=franziskusMichelangelo De Simone2016-03-101-24/+15
|
View Lorry Controller Status