Граф коммитов

120 Коммитов

Автор SHA1 Сообщение Дата
David Keeler 13b5a0e017 bug 1421413 - add a preference to control which add-on signature algorithms are valid r=jcj
MozReview-Commit-ID: EwkpY9ADAtw

--HG--
extra : rebase_source : 7fce75b0ff7b42057840df0450d97ce840a69c89
2017-11-28 14:24:11 -08:00
David Keeler d49916e353 bug 1415991 - remove support for signed unpacked addons r=jcj,rhelmer
Unfortunately we have a number of add-on installation tests that rely on
unpacked addons verifying as signed. The test infrastructure achieves this by
monkey-patching nsIX509CertDB.verifySignedDirectoryAsync to always succeed.
These tests are, in general, not actually testing the successful verification of
signed unpacked add-ons but rather other aspects of add-on installation,
updating, etc.. Some of these tests are certainly no longer relevant now that
legacy add-ons aren't supported, but we don't have the time to go through all of
them at the moment (this blocks updating add-on signature verification to use
COSE signatures, which we need to ship in 59 or we're probably not shipping at
all).

MozReview-Commit-ID: 3TVPK703mUy

--HG--
extra : rebase_source : 5bf0b72a4d7c8ade702334345fdc3bf6a8761b15
2017-11-09 11:19:23 -08:00
David Keeler 6922b82c52 bug 1357815 - 4/4: go a bit overboard on testcases for SHA-256 support in add-on signatures r=jcj
MozReview-Commit-ID: K4WYTYPXpi1

--HG--
rename : security/manager/ssl/tests/unit/test_signed_apps/signed_app_sha1_and_sha256.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/sha1_and_sha256_manifest_sha1_signature_file.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/sha1_and_sha256_manifest_sha256_signature_file.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/sha1_manifest_sha1_and_sha256_signature_file.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/signed_app.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/signed_app_sha256_signature_file.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/sha256_manifest_sha1_and_sha256_signature_file.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/signed_app_sha256_manifest.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/signed_app_sha256.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip
extra : rebase_source : f56c5c9309590bd37d933e8e8fbff8535296b874
2017-10-27 11:20:33 -07:00
David Keeler 6034b39937 bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.

This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).

MozReview-Commit-ID: K3OQEpIrnUW

--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-24 15:27:53 -07:00
David Keeler 7617737c9f bug 1357815 - 2/4: refactor away unnecessary parts of certificate verification in add-on signature verification r=jcj
MozReview-Commit-ID: 4JKWIZ0wnuO

--HG--
extra : rebase_source : 7f032046b3a81c2b3f2135451af07a1e38e94664
2017-10-24 13:32:02 -07:00
David Keeler 543678ab80 bug 1357815 - 1/4: move VerifyCMSDetachedSignatureIncludingCertificate to where it's used r=jcj
MozReview-Commit-ID: JsBPGhDxQoS

--HG--
extra : rebase_source : 88a1c0b73762f28c53ffd645f2eba260743a4062
2017-10-24 13:18:14 -07:00
David Keeler 83ca10065e bug 1180826 - add support for sha256 digests in add-on signature manifests r=dveditz,jcj
MozReview-Commit-ID: HTlm6esgPUx

--HG--
extra : rebase_source : 50f082dea0b2afb1e9099fb94364863a4d85543b
2017-10-09 13:53:23 -07:00
David Keeler 14bdb29dc1 bug 1407081 - rework signed app tests for flexibility with upcoming hash algorithm changes r=Cykesiopka,jcj
MozReview-Commit-ID: 6HnJPrG7GfK

--HG--
rename : security/manager/ssl/tests/unit/test_signed_apps/gentestfiles/sign_b2g_app.py => security/manager/ssl/tests/unit/sign_app.py
rename : dom/manifest/test/blue-150.png => security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png
rename : security/manager/ssl/tests/unit/test_signed_apps/valid_app_1.zip => security/manager/ssl/tests/unit/test_signed_apps/signed_app.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app_1.zip => security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/unsigned_app_1.zip => security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/trusted_ca1.der => security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der
extra : rebase_source : eacc6ec67b282c93e86254693f48c8bdf6f55816
2017-10-10 16:55:09 -07:00
Chris Peterson 5698729243 Bug 870698 - Part 10: Replace Append(NS_LITERAL_STRING("")) with AppendLiteral(u""). r=erahm
The NS_LITERAL_STRING macro creates a temporary nsLiteralString to encapsulate the char16_t string literal and its length, but AssignLiteral() can determine the char16_t string literal's length at compile-time without nsLiteralString.

MozReview-Commit-ID: H9I6vNDMdIr

--HG--
extra : rebase_source : cf537a1f65af003c6c4f8919b925b0f305c1dd4d
extra : source : 13b89ce4e6a66c840f82a335c71f5a12938aba22
2017-09-07 18:32:54 -07:00
Nicholas Nethercote 72c884bf74 Bug 1384835 (part 3, attempt 2) - Remove the Preferences::Get*CString() variants that return nsAdoptingCString. r=froydnj.
--HG--
extra : rebase_source : d317b25be2ec21d1a60d25da3689e46cdce0b649
2017-07-31 14:28:48 +10:00
Bevis Tseng d1637b9c5a Bug 1372453 - Part 2: Name the caller of ProxyReleaseEvent. r=billm
MozReview-Commit-ID: LYhSWnZkq0i
2017-06-14 09:27:17 +08:00
David Keeler 47263aefb3 bug 1349762 - handle two GlobalSign EV root transfers r=Cykesiopka,jcj
(adapted from bug 1349762 comment 0)
Google Trust Services (GTS) recently purchased two roots from GlobalSign that
are both enabled for EV treatment: "GlobalSign Root CA - R2" and "GlobalSign ECC
Root CA - R4".

However, GTS does not have an EV audit, so we are going to turn off EV treatment
for both of those root certificates.

But "GlobalSign Root CA - R2" has intermediate cert "GlobalSign Extended
Validation CA - SHA256 - G2" that continues to be controlled by GlobalSign, to
be used to migrate their customers off dependence on that root.

This patch removes EV treatment for "GlobalSign ECC Root CA - R4". It also
removes EV treatment for all chains rooted in "GlobalSign Root CA - R2" unless
the "GlobalSign Extended Validation CA - SHA256 - G2" intermediate is in the
chain.

MozReview-Commit-ID: Ej9L9zTwoPN

--HG--
extra : rebase_source : 575f1a48646cf728d879d0cf53c888654e4a32ad
2017-04-03 17:17:38 -07:00
Cykesiopka a4b87029fc Bug 1346315 - Enable gcc/clang -Wextra for security/apps/, security/manager/pki/ and security/manager/ssl/. r=keeler
-Wextra implies -Wmissing-field-initializers, but since the latter warning seems
to warn about mostly uninteresting instances (XPCOM module definitions etc), we
disable it for now.

(Note that -Wall is already enabled by default for all directories for gcc and
clang.)

MozReview-Commit-ID: 8RdF51sLPC8

--HG--
extra : rebase_source : 003c1c04e090ec215d058f5adf4c9e72558bbae3
2017-04-04 16:56:26 +08:00
Cykesiopka 7995951109 Bug 1338897 - Avoid using NSS Base64 functions in PSM. r=keeler
The NSS Base64 functions are less safe and convenient to use than the XPCOM ones.
They're also an unnecessary dependency on NSS.

The NSS Base64 functions behave slightly differently than the XPCOM ones:
1. ATOB_ConvertAsciiToItem() / NSSBase64_DecodeBuffer() silently ignore invalid
   characters like CRLF, space and so on. Base64Decode() will return an error
   if these characters are encountered.
2. BTOA_DataToAscii() will produce output that has CRLF inserted every 64
   characters. Base64Encode() doesn't do this.

For the reasons listed below, no unexpected compatibility issues should arise:
1. AppSignatureVerification.cpp already filters out CRLF and spaces for Manifest
   and Signature values before decoding.
2. ExtendedValidation.cpp is only given what should be valid hard-coded input to
   decode.
3. ContentSignatureVerifier.cpp already splits on CRLF for when it needs to
   decode PEM certs. Spaces shouldn't be likely.
   For Content-Signature header verification, examination of real input to a
   running instance of Firefox suggests CRLF and spaces will not be present in
   the header to decode.
4. nsCryptoHash.cpp encode is affected, but we actually don't want the CRLF
   behaviour.
5. nsDataSignatureVerifier.cpp decode is affected, but we add whitespace
   stripping to maintain backwards compatibility.
6. nsKeygenHandler.cpp encode is affected, but the previous CRLF behaviour was
   arguably a bug, since neither WHATWG or W3C specs specified this.

MozReview-Commit-ID: IWMFxqVZMeX

--HG--
extra : rebase_source : 4863b2e5eabef0555e8e1ebe39216d0d9393f3e9
2017-03-17 23:31:40 +08:00
Joel Maher 41e6060a92 Bug 1344829 - add BUG_COMPONENT to security/* files. r=keeler
MozReview-Commit-ID: AS6e14FOqsb
2017-03-09 05:33:30 -05:00
Cykesiopka d80bc035b4 Bug 1342736 - Remove nsIX509CertDB.verifySignedManifestAsync(). r=mgoodwin
verifySignedManifestAsync() was added in Bug 1059216 to support Trusted Hosted
Apps.

However, Bug 1196988 removed THA and no add-ons use this method, so there's no
point in keeping it around.

MozReview-Commit-ID: 6xBRxvRZfjh

--HG--
extra : rebase_source : 5b8cf9c5863187b55325a8f9929bbe52c6478ec5
2017-02-26 20:25:36 +08:00
David Keeler fca1830f46 bug 1341905 - double-check that uses of CERT_LIST_* are safe in PSM r=jcj
MozReview-Commit-ID: BhGHd9xUUbP

--HG--
extra : amend_source : b7f8260719a3d918867a8ed7cf092e2909193bb5
2017-02-22 15:07:05 -08:00
Cykesiopka fa71c479fc Bug 1332636 - Remove PSM support for Firefox Marketplace apps and Trusted Hosted Apps. r=keeler
THA was removed in Bug 1196988.

After Bug 1235869 and Bug 1238079, Firefox Marketplace apps are at most
supported by B2G, and B2G only code doesn't need to be in m-c anymore.

MozReview-Commit-ID: DAx5lRdYQo0

--HG--
extra : rebase_source : e7fc32195def3acda2d53a6e3cb969f1e8a9a9a1
2017-02-06 23:43:38 +08:00
Cykesiopka e8b35af2ec Bug 1313715 - Avoid unnecessary uses of PR_SetError() under security/apps/ and security/certverifier/. r=keeler
The PR_SetError() + PR_GetError() pattern is error prone and unnecessary.

Also fixes Bug 1254403.

MozReview-Commit-ID: DRI69xY4vxC

--HG--
extra : rebase_source : aa07c0dfb5cc2a203e772b415b7a75b27d9bad3c
2016-12-14 20:10:25 +08:00
Jan de Mooij 31df59e394 Bug 1311996 - Fix code using pkix::Result to not conflict with the new mozilla::Result type. r=keeler 2016-10-31 10:05:13 +01:00
Cykesiopka 80c7f24081 Bug 1274135 - Replace char_ptr_cast() and uint8_t_ptr_cast() with mozilla::BitwiseCast. r=keeler,valentin
The functions aren't necessary now that we have BitwiseCast.

MozReview-Commit-ID: 2nzOuwAop4Y

--HG--
extra : rebase_source : 0cb2c16f484a81b2e77384564973b58ac2d10fb9
2016-09-08 20:46:26 +08:00
Ryan VanderMeulen 57d3c61d9b Backed out changeset db5d2a3899c0 (bug 1274135) for bustage. 2016-09-07 20:52:18 -04:00
Cykesiopka 0193f94d53 Bug 1274135 - Replace char_ptr_cast() and uint8_t_ptr_cast() with mozilla::BitwiseCast. r=keeler,valentin
The functions aren't necessary now that we have BitwiseCast.

MozReview-Commit-ID: 2nzOuwAop4Y

--HG--
extra : rebase_source : 196449249eec75b8eb10e59662231c3f4e83c268
2016-09-01 15:58:51 +08:00
Tom Tromey 5538d692d3 Bug 1286877 - do not set c-basic-offset for python-mode; r=gps
This removes the unnecessary setting of c-basic-offset from all
python-mode files.

This was automatically generated using

    perl -pi -e 's/; *c-basic-offset: *[0-9]+//'

... on the affected files.

The bulk of these files are moz.build files but there a few others as
well.

MozReview-Commit-ID: 2pPf3DEiZqx

--HG--
extra : rebase_source : 0a7dcac80b924174a2c429b093791148ea6ac204
2016-07-14 10:16:42 -06:00
Sergei Chernov edb1f658f6 Bug 1275238 - Certificate Transparency support in mozilla::pkix; r=keeler
MozReview-Commit-ID: HZwzSgxarTw

--HG--
extra : transplant_source : %BF%F9%A8T%C6x%82%03%3Ez%9F%3BT%E3%1B%11s%294%F4
2016-06-15 11:11:00 +03:00
Cykesiopka 6b12fc8650 Bug 1271501 - Use mozilla::BitwiseCast instead of reinterpret_cast in PSM. r=keeler
mozilla::BitwiseCast does the same thing, but provides static asserts that
mitigate some of the risk of using reinterpret_cast.

MozReview-Commit-ID: ENQ8QC6Nl9o

--HG--
extra : rebase_source : c1725c8363c0f7f9877601de5ab5f152ef4d0439
2016-05-18 21:20:56 -07:00
Cykesiopka 179b27667b Bug 1271501 - Downgrade unnecessarily strong reinterpret_casts in PSM. r=keeler
These reinterpret_casts can be static_casts or const_casts instead.

MozReview-Commit-ID: 1KQDWHO9CGS

--HG--
extra : rebase_source : a629d91577bdcb6d7fd94416e61ad46ca43f945d
2016-05-18 18:58:41 -07:00
Cykesiopka 18c21f386e Bug 1271495 - Replace uses of ScopedPK11Context with UniquePK11Context. r=keeler,mcmanus
ScopedPK11Context is based on Scoped.h, which is deprecated in favour of the
standardised UniquePtr.

MozReview-Commit-ID: HE8UY1hOuph

--HG--
extra : transplant_source : 4%BF%81M%09Q-%2A%E6%04%86i%18%1B%3CL%90%88%04%C7
2016-05-13 05:53:57 -07:00
David Keeler c17f3a2733 bug 982932 - only allow Netscape-stepUp to be used for serverAuth for old CA certificates r=Cykesiopka,jcj
MozReview-Commit-ID: 88JhIU1pUji

--HG--
rename : security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC.pem.certspec => security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec
rename : security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC.pem.certspec => security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec
extra : rebase_source : 2f6251679a6f31cccb6d88bb51c567de9cc9bc76
2016-05-05 16:11:11 -07:00
Cykesiopka 128f004a1f Bug 1267905 - Replace uses of ScopedCERTCertList with UniqueCERTCertList. r=keeler
ScopedCERTCertList is based on Scoped.h, which is deprecated in favour of the
standardised UniquePtr.

Also changes CERTCertList parameters of various functions to make ownership more
explicit.

MozReview-Commit-ID: EXqxTK6inqy

--HG--
extra : transplant_source : %9B%A9a%94%D1%7E%2BTa%9E%9Fu%9F%02%B3%1AT%1B%F1%F6
2016-05-05 14:56:36 -07:00
Daniel Veditz 19be5bed6c Bug 1267318 ignore cert expiration for mozilla-signed packages, r=dkeeler
MozReview-Commit-ID: Lw6jGmK8gkS
2016-04-26 11:54:08 -07:00
Cykesiopka 372fe1a598 Bug 1260643 - Convert most uses of ScopedCERTCertificate in PSM to UniqueCERTCertificate. r=keeler
MozReview-Commit-ID: JnjoUd7d2M0

--HG--
extra : transplant_source : %99x%B6%F5%09%97%E6%60%B6%3C%3C%C2%D5vt%27%0C-%96%1B
2016-04-20 01:14:22 -07:00
Cykesiopka c510e4037b Bug 1029173 - Clean up nsDataSignatureVerifier. r=keeler
This patch does the following:
 - Implements nsNSSShutDownObject.
 - Replaces more raw pointers with smart pointers.
 - Fixes other misc issues.

MozReview-Commit-ID: HulWdonEbP8

--HG--
extra : transplant_source : %DC%27%14%AE%28%A2F%80%1F%2C%83L%D3h%A2%C7k%F0%1C%2B
2016-04-12 18:09:06 -07:00
Cykesiopka b883b2533f Bug 1259909 - Obviate char PORT_Free() calls in PSM. r=keeler
Also converts the longer |UniquePtr<char, void(&)(void*)> foo(..., PORT_Free)|
to the shorter and equivalent |UniquePORTString foo(...)|.

MozReview-Commit-ID: LlrTNUYBP4V

--HG--
extra : transplant_source : afU%FB%0EC%3E%E0pm%A3-%0E%C8%83%CF%0A%B1%9E%ED
2016-04-09 01:03:59 -07:00
sajitk 25babf4ea8 Bug 1219482: Replace PRLogModuleInfo with LazyLogModule in security subdirectory.r=nfroyd 2016-01-28 10:36:00 -08:00
Wes Kocher a40af4aa59 Backed out changeset 7ec471c99263 (bug 1219482) to hopefully fix the intermittent hazard failures CLOSED TREE
--HG--
extra : commitid : B8zmd9Xadpz
2016-01-29 10:15:34 -08:00
sajitk 1b0525a9d3 Bug 1219482 - Replace PRLogModuleInfo with LazyLogModule in security subdirectory. r=froydnj
--HG--
extra : rebase_source : 7aed4d8669dccd1270a88a0cacfa254e3b9f5950
2016-01-28 10:36:00 -05:00
Nathan Froyd 2c2f66f499 Bug 1232454 - use UniquePtr<T[]> instead of nsAutoArrayPtr<T> in security/apps/; r=keeler
As a nice side effect, we also fix a (rare) memory leak in
AppTrustDomain::SetTrustedRoot.
2015-12-06 08:06:03 -05:00
Jonathan Hao 7882aa6f0e Bug 1225422 - Update the PrivilegedPackageRoot certificate. r=keeler 2015-11-19 15:08:05 +08:00
Jonathan Hao 3d02a2da65 Bug 1216469 - Bypass verification for signed packages from trust origins. r=valentin 2015-10-22 17:09:44 +08:00
Jonathan Hao e4b1f62b85 Bug 1178448 - Use imported CA in developer mode. r=keeler,valentin 2015-10-08 17:08:45 +08:00
Nicholas Nethercote 7d1c7e0014 Bug 1209351 (part 5) - Optimize nsTHashTable::RemoveEntry() usage in security/. r=keeler.
--HG--
extra : rebase_source : 74877baad7a7e019c7151efaad96d7b8ccc4b6f5
2015-09-24 20:44:31 -07:00
Jonathan Hao e2da61623b Bug 1178518 - Add an AppTrustedRoot for signed packaged app. r=keeler 2015-09-07 15:28:21 +08:00
Richard Barnes 990593f9cf Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler 2015-09-11 14:52:30 -04:00
Nicholas Nethercote f44287005f Bug 1198334 (part 1) - Replace the opt-in FAIL_ON_WARNINGS with the opt-out ALLOW_COMPILER_WARNINGS. r=glandium.
The patch removes 455 occurrences of FAIL_ON_WARNINGS from moz.build files, and
adds 78 instances of ALLOW_COMPILER_WARNINGS. About half of those 78 are in
code we control and which should be removable with a little effort.

--HG--
extra : rebase_source : 82e3387abfbd5f1471e953961d301d3d97ed2973
2015-08-27 20:44:53 -07:00
Fabrice Desré 3a47f061c9 Bug 1196988 - Remove THA support. r=gwagner 2015-08-21 10:00:54 -07:00
Mark Goodwin 91782dab68 Bug 1159155 - Add telemetry probe for SHA-1 usage (r=keeler) 2015-07-09 07:22:29 +01:00
Cykesiopka 0a9aea4ab2 Bug 1145679 - Reject EV status for end-entity EV certs with overly long validity periods. r=keeler
--HG--
extra : rebase_source : ec44bb566cce8ab14f740457d6ba1d863b39c256
2015-06-29 22:19:00 +02:00
Eric Rahm 75c4bebb79 Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
This is straightforward mapping of PR_LOG levels to their LogLevel
counterparts:
  PR_LOG_ERROR   -> LogLevel::Error
  PR_LOG_WARNING -> LogLevel::Warning
  PR_LOG_WARN    -> LogLevel::Warning
  PR_LOG_INFO    -> LogLevel::Info
  PR_LOG_DEBUG   -> LogLevel::Debug
  PR_LOG_NOTICE  -> LogLevel::Debug
  PR_LOG_VERBOSE -> LogLevel::Verbose

Instances of PRLogModuleLevel were mapped to a fully qualified
mozilla::LogLevel, instances of PR_LOG levels in #defines were mapped to a
fully qualified mozilla::LogLevel::* level, and all other instances were
mapped to us a shorter format of LogLevel::*.

Bustage for usage of the non-fully qualified LogLevel were fixed by adding
|using mozilla::LogLevel;| where appropriate.
2015-06-03 15:25:57 -07:00
Mike Hommey 79ea9f2368 Bug 1170431 part 0 - Use the *Path classes for GENERATED_FILES scripts and inputs. r=gps 2015-06-03 07:10:12 +09:00