Bug 1583610 modified the cipher suite ordering on ARM devices to prefer
ChaCha20/Poly1305 with the assumption that hardware support for AES wouldn't be
available. However, because there are ARM devices with hardware support for
AES, this patch makes this only happen when that support isn't available.

Differential Revision: https://phabricator.services.mozilla.com/D104897

Loading an accumulated set of crlite stashes can take some time. To address
this, this patch dispatches an asynchronous background task to read the
accumulated set of crlite stashes in a way that doesn't block certificate
verification. Of course, this means that the stash information won't
necessarily be available for the first few verifications. This shouldn't be a
security concern as long as the crlite filter is no more than 10 days out of
date (the maximum lifespan of an OCSP response, which is what Firefox relies on
currently in release). Note that currently crlite filters as published by
remote settings regularly end up being more than 10 days old, which will be
addressed in https://github.com/mozilla/crlite/issues/153. Note further that
crlite is currently not being enforced by default on any channel, so making
this change now is not a security concern.

Differential Revision: https://phabricator.services.mozilla.com/D104447

InitializeCipherSuite() in nsNSSComponent.cpp controls which encryption schemes
are allowed when decrypting PKCS12 files. Before this patch, the AES ciphers
were not enabled, which prevented importing PKCS12 files that used AES.
This patch fixes this and adds a test.

Differential Revision: https://phabricator.services.mozilla.com/D104567

This patch improves the performance of DER.jsm by changing readBytes to use
slice rather than repeatedly calling readByte.
Additionally, this patch removes the validation that the input to DERDecoder
consists of an array of integers in the range [0, 255]. This check is
unnecessary for all current consumers of DER.jsm because the input comes from
atob, which only outputs values in that range. If other consumers use DER.jsm
in the future, they will have to determine whether or not they need to validate
the input themselves first.

Differential Revision: https://phabricator.services.mozilla.com/D103838

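The trade-off in the DER.jsm message above, as an added JavaScript example that is not part of the commit or of DER.jsm: a reader whose readBytes takes one slice, plus the [0, 255] validation a consumer would need when its input does not come from atob. The names isByteArray, bytesFromBase64, ByteReader and demo, and the sample bytes, are assumptions constructed for illustration.

```javascript
// Added example; all names are hypothetical and this is not the DER.jsm source.

// Validation a consumer needs when its bytes do NOT come from atob.
function isByteArray(input) {
  return Array.isArray(input) &&
    input.every((b) => Number.isInteger(b) && b >= 0 && b <= 255);
}

// Turn base64 into an array of char codes; atob only yields codes 0..255.
function bytesFromBase64(b64) {
  return Array.from(atob(b64), (c) => c.charCodeAt(0));
}

class ByteReader {
  constructor(bytes) {
    this.bytes = bytes;
    this.pos = 0;
  }
  readByte() {
    if (this.pos >= this.bytes.length) throw new Error("truncated input");
    return this.bytes[this.pos++];
  }
  // One bounds check and one slice instead of `length` readByte calls.
  readBytes(length) {
    if (length < 0 || this.pos + length > this.bytes.length) {
      throw new Error("truncated input");
    }
    const out = this.bytes.slice(this.pos, this.pos + length);
    this.pos += length;
    return out;
  }
  // Read one TLV with a definite length (short form or long form).
  readTLV() {
    const tag = this.readByte();
    let length = this.readByte();
    if (length & 0x80) {
      const n = length & 0x7f;
      if (n === 0 || n > 4) throw new Error("unsupported length encoding");
      length = this.readBytes(n).reduce((acc, b) => acc * 256 + b, 0);
    }
    return { tag, contents: this.readBytes(length) };
  }
}

// Constructed sample: DER INTEGER 65537 (02 03 01 00 01), base64 "AgMBAAE=".
function demo() {
  const bytes = bytesFromBase64("AgMBAAE=");
  return { valid: isByteArray(bytes), tlv: new ByteReader(bytes).readTLV() };
}
```
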
When we moved to python3, sign_app.py had some issues that weren't addressed.
This patch addresses those issues and regenerates the input files for
test_signed_apps.js because the issuing certificates will expire soon.

Differential Revision: https://phabricator.services.mozilla.com/D103063

This patch changes nsNSSCertificate::GetDbKey to use mozilla::pkix::BackCert
instead of requiring a decoded CERTCertificate.

Differential Revision: https://phabricator.services.mozilla.com/D101836

Before this patch, nsIX509Cert.isSelfSigned was only used by LocalCertService
to verify that the certificate it uses is self-signed. This shouldn't have been
necessary, because the certificate isn't a trust anchor and an override has to
be added for it anyway. Additionally, the certificate in question is already
guaranteed to be self-signed because it was either just generated that way or
it was retrieved from the database (the code for which checks that it's
self-signed).

Differential Revision: https://phabricator.services.mozilla.com/D101810

This removes nsIX509Cert.subjectAltNames and reduces potential attack surface
by avoiding parsing subject alternative names in C/C++. It also reduces PSM
reliance on NSS types.

Differential Revision: https://phabricator.services.mozilla.com/D101418

TLS error report sending was disabled by default in bug 1579906. The server
that ingested these reports has been decommissioned as well, so this patch
removes this dead code.

Differential Revision: https://phabricator.services.mozilla.com/D99405

As of bug 1594931, Firefox does not migrate old NSS DB files to the newer
version. As a result, any old NSS DB files that exist in the profile directory
either were already migrated or will never be migrated. To avoid data loss,
this patch removes the functionality that would remove key3.db if it existed in
the profile directory.

Differential Revision: https://phabricator.services.mozilla.com/D99946