manikishan
8752d4637d
Bug 1198481 - Fixed typo 'id_pk_serverAuth' to 'id_kp_serverAuth'. r=keeler
2017-12-02 18:03:18 +05:30
Nicolas Vigier
21244bc461
Bug 1305396 - Replace memmove with std::copy_backward in a file that doesn't include cstring explicitly. r=keeler
2017-10-16 20:03:54 +02:00
David Keeler
47263aefb3
bug 1349762 - handle two GlobalSign EV root transfers r=Cykesiopka,jcj
...
(adapted from bug 1349762 comment 0)
Google Trust Services (GTS) recently purchased two roots from GlobalSign that
are both enabled for EV treatment: "GlobalSign Root CA - R2" and "GlobalSign ECC
Root CA - R4".
However, GTS does not have an EV audit, so we are going to turn off EV treatment
for both of those root certificates.
But "GlobalSign Root CA - R2" has intermediate cert "GlobalSign Extended
Validation CA - SHA256 - G2" that continues to be controlled by GlobalSign, to
be used to migrate their customers off dependence on that root.
This patch removes EV treatment for "GlobalSign ECC Root CA - R4". It also
removes EV treatment for all chains rooted in "GlobalSign Root CA - R2" unless
the "GlobalSign Extended Validation CA - SHA256 - G2" intermediate is in the
chain.
MozReview-Commit-ID: Ej9L9zTwoPN
--HG--
extra : rebase_source : 575f1a48646cf728d879d0cf53c888654e4a32ad
2017-04-03 17:17:38 -07:00
Tim Taubert
00b8400985
Bug 1351779 - Removed unused variable 'loopDetected' from PathBuildingStep::Check() r=keeler
2017-03-29 20:17:06 +02:00
Sylvestre Ledru
aba86ae938
Bug 1337358 - Converts for(...; ...; ...) loops to use the new range-based loops in C++11 in security/ r=keeler
...
MozReview-Commit-ID: yfkQVEp2do
--HG--
extra : rebase_source : 048f30343b9eb353bbc15fbde157ffbb3b2da8ec
2017-02-07 13:22:44 +01:00
David Cook
7d4c71cc9c
Bug 1115718 - Check for empty issuer name in mozilla::pkix; r=keeler
...
MozReview-Commit-ID: 6Ymgo7dQE7b
--HG--
extra : rebase_source : 54ee27fd46c2139125a40deabb11a6aca04c84bc
2016-07-28 20:36:18 -05:00
Sergei Chernov
21be681857
Bug 1284256 - Certificate Transparency - verification of Signed Certificate Timestamps (RFC 6962); r=keeler, r=Cykesiopka
...
MozReview-Commit-ID: IgcnyBH4Up
--HG--
extra : transplant_source : %98%A3%5E%B4%DA%89qI1%01A%F8%FF%C7%1FS%D4%23v%B3
2016-07-05 08:35:06 +03:00
Sergei Chernov
edb1f658f6
Bug 1275238 - Certificate Transparency support in mozilla::pkix; r=keeler
...
MozReview-Commit-ID: HZwzSgxarTw
--HG--
extra : transplant_source : %BF%F9%A8T%C6x%82%03%3Ez%9F%3BT%E3%1B%11s%294%F4
2016-06-15 11:11:00 +03:00
Julian Seward
8562142079
Bug 1275582 - TSan: data race security/nss/lib/freebl/sha_fast.c:176 SHA1_End. r=dkeeler.
...
--HG--
extra : rebase_source : d8e517c891212c0b7794e7db433f6ed626c4cac5
2016-05-30 15:25:52 +02:00
David Keeler
c17f3a2733
bug 982932 - only allow Netscape-stepUp to be used for serverAuth for old CA certificates r=Cykesiopka,jcj
...
MozReview-Commit-ID: 88JhIU1pUji
--HG--
rename : security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC.pem.certspec => security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec
rename : security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC.pem.certspec => security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec
extra : rebase_source : 2f6251679a6f31cccb6d88bb51c567de9cc9bc76
2016-05-05 16:11:11 -07:00
Cykesiopka
33825b4eb1
Bug 1257031 - Return more informative error code when encountering invalid integers rather than SEC_ERROR_BAD_DER. r=keeler
...
Also adds some missing l10n entries to nsserrors.properties (but not for errors
that are specific to TLS 1.3, since TLS 1.3 is not yet finalised).
MozReview-Commit-ID: A42fmTDTe8W
--HG--
extra : transplant_source : x%F7s%DB%05%B4%81%9Dm%FDC%A1f%B3%0D%7DR%C1%BA%B1
2016-04-21 16:41:22 -07:00
David Keeler
6e4140d766
bug 1245280 - add policy mechanism to optionally enforce BRs for falling back to subject CN r=Cykesiopka,mgoodwin
...
MozReview-Commit-ID: 7xT6JGpOH1g
--HG--
extra : rebase_source : 0def29e8be898a2d975ee4390b3bc6a193766b1b
2016-02-09 10:14:27 -08:00
Brian Smith
30373af60a
Bug 1189020 - Replace |// unnamed namespace| with |// namespace| in mozilla::pkix. r=Cykesiopka
...
This is what Google suggests in its style guide, and somebody
already changed one of these comments to the new style.
--HG--
extra : rebase_source : fe3f7fc17a2fc09ad0ba01fa1511dc8dba7653e1
2016-03-16 07:10:00 +01:00
Mark Goodwin
31adb1a5c5
Bug 901698 - Implement OCSP-must-staple; r=keeler
2015-11-13 16:49:08 +00:00
Richard Barnes
990593f9cf
Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler
2015-09-11 14:52:30 -04:00
Jacek Caban
b15946229a
Bug 1199624 - Don't use memset and memcmp in files that don't include cstring explicitly. r=briansmith
2015-09-09 14:16:59 +02:00
Ryan VanderMeulen
c7fdbe4d0f
Backed out changeset 982be1bbebdf (bug 1199624) for Windows bustage.
2015-08-30 17:09:09 -04:00
Jacek Caban
c8309c6328
Bug 1199624 - Don't use memset and memcmp in files that don't include cstring explicitly. r=briansmith
2015-08-29 07:59:00 -04:00
Mark Goodwin
91782dab68
Bug 1159155 - Add telemetry probe for SHA-1 usage (r=keeler)
2015-07-09 07:22:29 +01:00
Cykesiopka
0a9aea4ab2
Bug 1145679 - Reject EV status for end-entity EV certs with overly long validity periods. r=keeler
...
--HG--
extra : rebase_source : ec44bb566cce8ab14f740457d6ba1d863b39c256
2015-06-29 22:19:00 +02:00
Tim Taubert
ab7196486a
Bug 1060112 - Don't treat OCSP responses omitting the requested certificate status as "unknown certificate" responses blocking the connection r=keeler
2015-05-21 13:39:34 -04:00
David Keeler
4e7fc3055e
bug 1141189 - implement skipping expensive revocation checks (OCSP fetching) for short-lived certificates r=rbarnes
2015-04-06 16:10:28 -07:00
David Keeler
e69f0f4b4b
bug 1150114 - allow PrintableString to match UTF8String in name constraints checking r=briansmith
2015-04-08 16:17:39 -07:00
Brian Smith
95bd8011e6
Bug 1154399 - Part 4: Simplify certificate parsing in OCSP responses. r=keeler
...
--HG--
extra : rebase_source : caf903d29b0adc22fcc7e87e4fa0019cfa48007e
2015-04-14 05:33:03 -10:00
Brian Smith
f124561818
Bug 1154399 - Part 3: Simplify OptionalExtensions. r=keeler
...
We used to avoid using Nested and NestedOf because they were based on
bind and it was difficult to maintain our std::bind polyfill. Now that
we use lambdas, it is easy to use Nested and NestedOf, so we should do
so wherever it makes the code clearer.
--HG--
extra : rebase_source : 1157d16320b3b211e3ce612b75782e8bd9c55f30
2015-04-14 05:32:46 -10:00
Brian Smith
d09798e9f5
Bug 1154399 - Part 2: Simplify and un-inline OptionalVersion. r=keeler
...
Also fixes the wrong comment. The syntax for version in OCSP and X.509
certs is identical.
--HG--
extra : rebase_source : 744a2998ce8c55a61fbbc1966bc22e4903fa2484
2015-04-14 05:32:29 -10:00
Brian Smith
0cac719ba9
Bug 1154399 - Part 1: De-templatize and un-inline IntegralValue. r=keeler
...
--HG--
extra : rebase_source : 899eaed19b13edc9c257f0ab212d447bb54e607d
2015-04-14 05:06:41 -10:00
Brian Smith
566d65be48
Bug 1153738: Make ScopedPtr a minimal proper subset of std::unique_ptr, r=keeler
...
Remove all features of ScopedPtr that aren't in std::unique_ptr, and
remove all currently-unused features of ScopedPtr. In particular,
replace |operator=(T*)| with |reset(T* p = nullptr)| and make
|operator bool| explicit.
--HG--
rename : security/pkix/include/pkix/ScopedPtr.h => security/pkix/lib/ScopedPtr.h
extra : rebase_source : 206bfb32aa5a04a4719f28b4aca59fe2f0abbec3
2015-04-13 00:28:11 -10:00
David Keeler
2cf7194567
bug 1143085 - allow subject alternative name extensions to be empty for compatibility r=briansmith a=kwierso
...
--HG--
extra : amend_source : 89b8233b57049a3d2886aa08cd85c57e6faa693e
2015-03-16 14:00:33 -07:00
David Keeler
cc58dd5d1a
Bug 1136616
- Allow underscores in reference DNS-IDs in mozilla::pkix name matching. r=briansmith
2015-03-03 13:34:45 -08:00
Brian Smith
06b7804e70
Bug 1131767: Prune away paths using unacceptable algorithms earlier, r=keeler
...
--HG--
extra : rebase_source : 79efad2c5f60120ff1022547ce7efa628a7acd0f
2015-02-14 16:59:02 -08:00
Brian Smith
27cb600f2f
Bug 1077864, Part 2: Override the trust level for OCSP response signer certs so that they are never considered trust anchors, r=keeler
...
--HG--
extra : rebase_source : d0c599f7fc29b5fbcb7d8cd97980a3f39d39f515
2015-02-14 15:59:38 -08:00
Brian Smith
bdb4294871
Bug 1077864, Part 1: Check consistency of certificates' signature and signatureAlgorithm fields, r=keeler
...
--HG--
extra : rebase_source : 9a2ca8cb370169f675557987a6b1cc0dedb24ff6
2015-02-22 16:59:03 -08:00
Brian Smith
bbf8006735
Bug 1130754 - Make PublicKeyAlgorithm an enum class. r=keeler
...
--HG--
extra : histedit_source : 14d321bc2cbdf749fd05994571ca439ee62ab973
2015-02-14 13:25:09 -08:00
Cykesiopka
47f24e15e4
Bug 1097622 - Return ERROR_INVALID_TIME when decoding invalid time values. r=dkeeler
2015-02-18 15:56:00 -05:00
Brian Smith
a89b90ea7f
Bug 1130754: Avoid recalculating tbsCertificate digest, r=keeler
...
--HG--
extra : rebase_source : 85266413568df928cb1eaf1cd59b52ee9d4259e6
extra : histedit_source : 767e3263d28926435c6d2f4610c7d8b01e9ba87d
2015-02-07 12:14:31 -08:00
Brian Smith
b0f87b9b6c
Bug 1122841, Part 2: Centralize checking of public key, r=keeler
...
--HG--
extra : rebase_source : 6b41ad2d3f37bead8d3ac8b48c5ee0b8063c795b
extra : source : d470b5a68bf915cfb12f0e948e1492463092883c
2015-02-02 16:17:08 -08:00
Brian Smith
dbc534e182
Bug 1122841, Part 1: Add PositiveInteger parser, r=keeler
...
--HG--
extra : rebase_source : 50d79951398e44bf2718c0f071962aa00660fec2
2015-02-06 18:21:20 -08:00
Brian Smith
3920fcd650
Bug 1128413, Part 3: Enable more compiler warnings, r=mmc
...
--HG--
extra : rebase_source : 2d17605e6b9296b74493526e052b771be18d4260
2015-02-07 14:38:40 -08:00
Brian Smith
6254cc408e
Bug 1128413, Part 2: Don't use double underscores any more
...
--HG--
extra : rebase_source : 5f550089aea320231ca2398126fc7f03e5dffc37
2015-01-31 19:51:46 -08:00
Brian Smith
a4ceeff7d4
Bug 1128413, Part 1: Fix switch-related warnings, r=mmc
...
--HG--
extra : rebase_source : 3d70c2a4ae8f9705a8a2c56c2f49e50fe4711ea9
2015-02-02 14:21:27 -08:00
Cykesiopka
eb24c24fb9
Bug 968560 - Return distinct error codes for certificates that are not valid yet, in mozilla::pkix. r=keeler
...
--HG--
extra : rebase_source : de63f37cdef477d96c1aef8253feca7013ba3bfd
2015-02-06 11:18:20 -08:00
David Keeler
1cd331c2e4
bug 1125261
- mozilla::pkix: handle comparing single, relative labels with wildcards r=briansmith
...
e.g. handle comparing "localhost" with "*.example.com"
2015-01-23 15:56:53 -08:00
Cykesiopka
590cc7dc4a
Bug 1077790 - Make mozilla::pkix::CheckPublicKeySize() accept specific elliptic curves only. r=briansmith
...
--HG--
extra : rebase_source : 2eab41b647a78ef3a5ea9cf9710704e35c65803a
2015-01-21 17:20:16 -08:00
Brian Smith
2968c94831
Bug 1114703: Remove mozilla::pkix's polyfill for std::bind, r=mmc
...
--HG--
extra : rebase_source : 11457f210c7f7534db2e6ebe1a8328985ff6d8b0
2015-01-21 04:00:40 -08:00
Brian Smith
29d3c0ed37
Bug 1122835, Part 2: Simplify BitStringWithNoUnusedBits, r=keeler
...
--HG--
extra : rebase_source : 2beb4ceb866299454c3e9f5b93ac83a18c8fd1c2
2014-12-27 22:39:47 -08:00
Brian Smith
f6753ef626
Bug 1122835: Add missing return value checks for Input::SkipToEnd, r=keeler
...
--HG--
extra : rebase_source : 9b445e3d73d643364355f18307cf13447a5726e8
2014-12-27 23:12:46 -08:00
Brian Smith
cc811435fd
Bug 1115906, Part 3: Make formatting of struct/class/enum class more consistent, r=keeler
...
--HG--
extra : rebase_source : 0ba4b630b93775ff68abc583238ba2525b8d56f5
2015-01-13 16:53:34 -08:00
Brian Smith
e538f2d921
Bug 1115906, Part 2: Annotate classes and member functions with override and final, r=keeler
...
--HG--
extra : rebase_source : 79bb236bef83ed3e884d73e029ac29a5aa999840
extra : source : d14d86bcebd38be80d00a263c3145eb0dbcc53cd
2015-01-13 16:54:10 -08:00
Brian Smith
825d71887a
Bug 1115906, Part 1: Add workarounds for missing final/override support in GCC before version 4.7, r=keeler
...
--HG--
rename : security/pkix/include/pkix/nullptr.h => security/pkix/include/pkix/stdkeywords.h
extra : rebase_source : 9cacd9729ac4cfb1e4bf920c8afdffb831b60d36
extra : source : f673d05dfc9a6d830e5e3c01976b41588cc70ead
2015-01-07 14:53:11 -08:00