Граф коммитов

213 Коммитов

Автор SHA1 Сообщение Дата
manikishan 8752d4637d Bug 1198481 - Fixed typo 'id_pk_serverAuth' to 'id_kp_serverAuth'. r=keeler 2017-12-02 18:03:18 +05:30
Nicolas Vigier 21244bc461 Bug 1305396 - Replace memmove with std::copy_backward in a file that doesn't include cstring explicitly. r=keeler 2017-10-16 20:03:54 +02:00
David Keeler 47263aefb3 bug 1349762 - handle two GlobalSign EV root transfers r=Cykesiopka,jcj
(adapted from bug 1349762 comment 0)
Google Trust Services (GTS) recently purchased two roots from GlobalSign that
are both enabled for EV treatment: "GlobalSign Root CA - R2" and "GlobalSign ECC
Root CA - R4".

However, GTS does not have an EV audit, so we are going to turn off EV treatment
for both of those root certificates.

But "GlobalSign Root CA - R2" has intermediate cert "GlobalSign Extended
Validation CA - SHA256 - G2" that continues to be controlled by GlobalSign, to
be used to migrate their customers off dependence on that root.

This patch removes EV treatment for "GlobalSign ECC Root CA - R4". It also
removes EV treatment for all chains rooted in "GlobalSign Root CA - R2" unless
the "GlobalSign Extended Validation CA - SHA256 - G2" intermediate is in the
chain.

MozReview-Commit-ID: Ej9L9zTwoPN

--HG--
extra : rebase_source : 575f1a48646cf728d879d0cf53c888654e4a32ad
2017-04-03 17:17:38 -07:00
Tim Taubert 00b8400985 Bug 1351779 - Removed unused variable 'loopDetected' from PathBuildingStep::Check() r=keeler 2017-03-29 20:17:06 +02:00
Sylvestre Ledru aba86ae938 Bug 1337358 - Converts for(...; ...; ...) loops to use the new range-based loops in C++11 in security/ r=keeler
MozReview-Commit-ID: yfkQVEp2do

--HG--
extra : rebase_source : 048f30343b9eb353bbc15fbde157ffbb3b2da8ec
2017-02-07 13:22:44 +01:00
David Cook 7d4c71cc9c Bug 1115718 - Check for empty issuer name in mozilla::pkix; r=keeler
MozReview-Commit-ID: 6Ymgo7dQE7b

--HG--
extra : rebase_source : 54ee27fd46c2139125a40deabb11a6aca04c84bc
2016-07-28 20:36:18 -05:00
Sergei Chernov 21be681857 Bug 1284256 - Certificate Transparency - verification of Signed Certificate Timestamps (RFC 6962); r=keeler, r=Cykesiopka
MozReview-Commit-ID: IgcnyBH4Up

--HG--
extra : transplant_source : %98%A3%5E%B4%DA%89qI1%01A%F8%FF%C7%1FS%D4%23v%B3
2016-07-05 08:35:06 +03:00
Sergei Chernov edb1f658f6 Bug 1275238 - Certificate Transparency support in mozilla::pkix; r=keeler
MozReview-Commit-ID: HZwzSgxarTw

--HG--
extra : transplant_source : %BF%F9%A8T%C6x%82%03%3Ez%9F%3BT%E3%1B%11s%294%F4
2016-06-15 11:11:00 +03:00
Julian Seward 8562142079 Bug 1275582 - TSan: data race security/nss/lib/freebl/sha_fast.c:176 SHA1_End. r=dkeeler.
--HG--
extra : rebase_source : d8e517c891212c0b7794e7db433f6ed626c4cac5
2016-05-30 15:25:52 +02:00
David Keeler c17f3a2733 bug 982932 - only allow Netscape-stepUp to be used for serverAuth for old CA certificates r=Cykesiopka,jcj
MozReview-Commit-ID: 88JhIU1pUji

--HG--
rename : security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC.pem.certspec => security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec
rename : security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC.pem.certspec => security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec
extra : rebase_source : 2f6251679a6f31cccb6d88bb51c567de9cc9bc76
2016-05-05 16:11:11 -07:00
Cykesiopka 33825b4eb1 Bug 1257031 - Return more informative error code when encountering invalid integers rather than SEC_ERROR_BAD_DER. r=keeler
Also adds some missing l10n entries to nsserrors.properties (but not for errors
that are specific to TLS 1.3, since TLS 1.3 is not yet finalised).

MozReview-Commit-ID: A42fmTDTe8W

--HG--
extra : transplant_source : x%F7s%DB%05%B4%81%9Dm%FDC%A1f%B3%0D%7DR%C1%BA%B1
2016-04-21 16:41:22 -07:00
David Keeler 6e4140d766 bug 1245280 - add policy mechanism to optionally enforce BRs for falling back to subject CN r=Cykesiopka,mgoodwin
MozReview-Commit-ID: 7xT6JGpOH1g

--HG--
extra : rebase_source : 0def29e8be898a2d975ee4390b3bc6a193766b1b
2016-02-09 10:14:27 -08:00
Brian Smith 30373af60a Bug 1189020 - Replace |// unnamed namespace| with |// namespace| in mozilla::pkix. r=Cykesiopka
This is what Google suggests in its style guide, and somebody
already changed one of these comments to the new style.

--HG--
extra : rebase_source : fe3f7fc17a2fc09ad0ba01fa1511dc8dba7653e1
2016-03-16 07:10:00 +01:00
Mark Goodwin 31adb1a5c5 Bug 901698 - Implement OCSP-must-staple; r=keeler 2015-11-13 16:49:08 +00:00
Richard Barnes 990593f9cf Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler 2015-09-11 14:52:30 -04:00
Jacek Caban b15946229a Bug 1199624 - Don't use memset and memcmp in files that don't include cstring explicitly. r=briansmith 2015-09-09 14:16:59 +02:00
Ryan VanderMeulen c7fdbe4d0f Backed out changeset 982be1bbebdf (bug 1199624) for Windows bustage. 2015-08-30 17:09:09 -04:00
Jacek Caban c8309c6328 Bug 1199624 - Don't use memset and memcmp in files that don't include cstring explicitly. r=briansmith 2015-08-29 07:59:00 -04:00
Mark Goodwin 91782dab68 Bug 1159155 - Add telemetry probe for SHA-1 usage (r=keeler) 2015-07-09 07:22:29 +01:00
Cykesiopka 0a9aea4ab2 Bug 1145679 - Reject EV status for end-entity EV certs with overly long validity periods. r=keeler
--HG--
extra : rebase_source : ec44bb566cce8ab14f740457d6ba1d863b39c256
2015-06-29 22:19:00 +02:00
Tim Taubert ab7196486a Bug 1060112 - Don't treat OCSP responses omitting the requested certificate status as "unknown certificate" responses blocking the connection r=keeler 2015-05-21 13:39:34 -04:00
David Keeler 4e7fc3055e bug 1141189 - implement skipping expensive revocation checks (OCSP fetching) for short-lived certificates r=rbarnes 2015-04-06 16:10:28 -07:00
David Keeler e69f0f4b4b bug 1150114 - allow PrintableString to match UTF8String in name constraints checking r=briansmith 2015-04-08 16:17:39 -07:00
Brian Smith 95bd8011e6 Bug 1154399 - Part 4: Simplify certificate parsing in OCSP responses. r=keeler
--HG--
extra : rebase_source : caf903d29b0adc22fcc7e87e4fa0019cfa48007e
2015-04-14 05:33:03 -10:00
Brian Smith f124561818 Bug 1154399 - Part 3: Simplify OptionalExtensions. r=keeler
We used to avoid using Nested and NestedOf because they were based on
bind and it was difficult to maintain our std::bind polyfill. Now that
we use lambdas, it is easy to use Nested and NestedOf, so we should do
so wherever it makes the code clearer.

--HG--
extra : rebase_source : 1157d16320b3b211e3ce612b75782e8bd9c55f30
2015-04-14 05:32:46 -10:00
Brian Smith d09798e9f5 Bug 1154399 - Part 2: Simplify and un-inline OptionalVersion. r=keeler
Also fixes the wrong comment. The syntax for version in OCSP and X.509
certs is identical.

--HG--
extra : rebase_source : 744a2998ce8c55a61fbbc1966bc22e4903fa2484
2015-04-14 05:32:29 -10:00
Brian Smith 0cac719ba9 Bug 1154399 - Part 1: De-templatize and un-inline IntegralValue. r=keeler
--HG--
extra : rebase_source : 899eaed19b13edc9c257f0ab212d447bb54e607d
2015-04-14 05:06:41 -10:00
Brian Smith 566d65be48 Bug 1153738: Make ScopedPtr a minimal proper subset of std::unique_ptr, r=keeler
Remove all features of ScopedPtr that aren't in std::unique_ptr, and
remove all currently-unused features of ScopedPtr. In particular,
replace |operator=(T*)| with |reset(T* p = nullptr)| and make
|operator bool| explicit.

--HG--
rename : security/pkix/include/pkix/ScopedPtr.h => security/pkix/lib/ScopedPtr.h
extra : rebase_source : 206bfb32aa5a04a4719f28b4aca59fe2f0abbec3
2015-04-13 00:28:11 -10:00
David Keeler 2cf7194567 bug 1143085 - allow subject alternative name extensions to be empty for compatibility r=briansmith a=kwierso
--HG--
extra : amend_source : 89b8233b57049a3d2886aa08cd85c57e6faa693e
2015-03-16 14:00:33 -07:00
David Keeler cc58dd5d1a Bug 1136616 - Allow underscores in reference DNS-IDs in mozilla::pkix name matching. r=briansmith 2015-03-03 13:34:45 -08:00
Brian Smith 06b7804e70 Bug 1131767: Prune away paths using unacceptable algorithms earlier, r=keeler
--HG--
extra : rebase_source : 79efad2c5f60120ff1022547ce7efa628a7acd0f
2015-02-14 16:59:02 -08:00
Brian Smith 27cb600f2f Bug 1077864, Part 2: Override the trust level for OCSP response signer certs so that they are never considered trust anchors, r=keeler
--HG--
extra : rebase_source : d0c599f7fc29b5fbcb7d8cd97980a3f39d39f515
2015-02-14 15:59:38 -08:00
Brian Smith bdb4294871 Bug 1077864, Part 1: Check consistency of certificates' signature and signatureAlgorithm fields, r=keeler
--HG--
extra : rebase_source : 9a2ca8cb370169f675557987a6b1cc0dedb24ff6
2015-02-22 16:59:03 -08:00
Brian Smith bbf8006735 Bug 1130754 - Make PublicKeyAlgorithm an enum class. r=keeler
--HG--
extra : histedit_source : 14d321bc2cbdf749fd05994571ca439ee62ab973
2015-02-14 13:25:09 -08:00
Cykesiopka 47f24e15e4 Bug 1097622 - Return ERROR_INVALID_TIME when decoding invalid time values. r=dkeeler 2015-02-18 15:56:00 -05:00
Brian Smith a89b90ea7f Bug 1130754: Avoid recalculating tbsCertificate digest, r=keeler
--HG--
extra : rebase_source : 85266413568df928cb1eaf1cd59b52ee9d4259e6
extra : histedit_source : 767e3263d28926435c6d2f4610c7d8b01e9ba87d
2015-02-07 12:14:31 -08:00
Brian Smith b0f87b9b6c Bug 1122841, Part 2: Centralize checking of public key, r=keeler
--HG--
extra : rebase_source : 6b41ad2d3f37bead8d3ac8b48c5ee0b8063c795b
extra : source : d470b5a68bf915cfb12f0e948e1492463092883c
2015-02-02 16:17:08 -08:00
Brian Smith dbc534e182 Bug 1122841, Part 1: Add PositiveInteger parser, r=keeler
--HG--
extra : rebase_source : 50d79951398e44bf2718c0f071962aa00660fec2
2015-02-06 18:21:20 -08:00
Brian Smith 3920fcd650 Bug 1128413, Part 3: Enable more compiler warnings, r=mmc
--HG--
extra : rebase_source : 2d17605e6b9296b74493526e052b771be18d4260
2015-02-07 14:38:40 -08:00
Brian Smith 6254cc408e Bug 1128413, Part 2: Don't use double underscores any more
--HG--
extra : rebase_source : 5f550089aea320231ca2398126fc7f03e5dffc37
2015-01-31 19:51:46 -08:00
Brian Smith a4ceeff7d4 Bug 1128413, Part 1: Fix switch-related warnings, r=mmc
--HG--
extra : rebase_source : 3d70c2a4ae8f9705a8a2c56c2f49e50fe4711ea9
2015-02-02 14:21:27 -08:00
Cykesiopka eb24c24fb9 Bug 968560 - Return distinct error codes for certificates that are not valid yet, in mozilla::pkix. r=keeler
--HG--
extra : rebase_source : de63f37cdef477d96c1aef8253feca7013ba3bfd
2015-02-06 11:18:20 -08:00
David Keeler 1cd331c2e4 bug 1125261 - mozilla::pkix: handle comparing single, relative labels with wildcards r=briansmith
e.g. handle comparing "localhost" with "*.example.com"
2015-01-23 15:56:53 -08:00
Cykesiopka 590cc7dc4a Bug 1077790 - Make mozilla::pkix::CheckPublicKeySize() accept specific elliptic curves only. r=briansmith
--HG--
extra : rebase_source : 2eab41b647a78ef3a5ea9cf9710704e35c65803a
2015-01-21 17:20:16 -08:00
Brian Smith 2968c94831 Bug 1114703: Remove mozilla::pkix's polyfill for std::bind, r=mmc
--HG--
extra : rebase_source : 11457f210c7f7534db2e6ebe1a8328985ff6d8b0
2015-01-21 04:00:40 -08:00
Brian Smith 29d3c0ed37 Bug 1122835, Part 2: Simplify BitStringWithNoUnusedBits, r=keeler
--HG--
extra : rebase_source : 2beb4ceb866299454c3e9f5b93ac83a18c8fd1c2
2014-12-27 22:39:47 -08:00
Brian Smith f6753ef626 Bug 1122835: Add missing return value checks for Input::SkipToEnd, r=keeler
--HG--
extra : rebase_source : 9b445e3d73d643364355f18307cf13447a5726e8
2014-12-27 23:12:46 -08:00
Brian Smith cc811435fd Bug 1115906, Part 3: Make formatting of struct/class/enum class more consistent, r=keeler
--HG--
extra : rebase_source : 0ba4b630b93775ff68abc583238ba2525b8d56f5
2015-01-13 16:53:34 -08:00
Brian Smith e538f2d921 Bug 1115906, Part 2: Annotate classes and member functions with override and final, r=keeler
--HG--
extra : rebase_source : 79bb236bef83ed3e884d73e029ac29a5aa999840
extra : source : d14d86bcebd38be80d00a263c3145eb0dbcc53cd
2015-01-13 16:54:10 -08:00
Brian Smith 825d71887a Bug 1115906, Part 1: Add workarounds for missing final/override support in GCC before version 4.7, r=keeler
--HG--
rename : security/pkix/include/pkix/nullptr.h => security/pkix/include/pkix/stdkeywords.h
extra : rebase_source : 9cacd9729ac4cfb1e4bf920c8afdffb831b60d36
extra : source : f673d05dfc9a6d830e5e3c01976b41588cc70ead
2015-01-07 14:53:11 -08:00