Граф коммитов

375 Коммитов

Автор SHA1 Сообщение Дата
Daniel Holbert ec576781c3 Bug 1369806: Fix up pkix test to correctly pass zero to CreateEncodedBasicConstraints (which takes a pointer-to-long, rather than a long). r=keeler
MozReview-Commit-ID: Ki8AHuW5zyP

--HG--
extra : rebase_source : b2c8ba7ad4414c8059f23e9d775fdee7000a4c18
2017-06-02 13:21:53 -07:00
Daniel Holbert ca4b542080 Bug 1369864: Suppress clang -Wno-zero-as-null-pointer-constant build warning, in pkix/test/gtest. r=keeler
The gtest headers trigger many instances of this warning, due to their usage of
NULL instead of nullptr.

MozReview-Commit-ID: Dhv7mPHpZ7I

--HG--
extra : rebase_source : a272472e5cf9a946df3fb1b0ffe919bb0d52f093
2017-06-02 13:05:30 -07:00
Daniel Holbert f2024755c3 Bug 1369871: Add "const" keyword to a long* param in a pkix test function. r=keeler
The only reason this param is a pointer is so that it can be optional. It's not
an outparam -- the function does not (and does not intend to) modify it -- so
it should be declared as 'const' to make that clearer & to allow clients to
pass in pointers to const values.

MozReview-Commit-ID: HbF96YNfnSt

--HG--
extra : rebase_source : 674abeb4c68f6c3fcdbc38edaf19e739ef09a3f6
2017-06-02 13:45:41 -07:00
Cykesiopka a05d6a925c Bug 1361750 - Disable various MSVC 2017 warnings in PSM to unbreak --enable-warnings-as-errors builds. r=keeler
MSVC 2017 headers aren't warning free at the -Wall level.
Since PSM enables -Wall in some moz.build files, this breaks
--enable-warnings-as-errors builds.
As a temporary measure, disable enough warnings to get working builds.

MozReview-Commit-ID: G0oUsAYYct2

--HG--
extra : rebase_source : dc37783c89e66a54510c9940f9eaa5a4340ef43e
2017-05-05 00:41:33 +08:00
David Keeler 47263aefb3 bug 1349762 - handle two GlobalSign EV root transfers r=Cykesiopka,jcj
(adapted from bug 1349762 comment 0)
Google Trust Services (GTS) recently purchased two roots from GlobalSign that
are both enabled for EV treatment: "GlobalSign Root CA - R2" and "GlobalSign ECC
Root CA - R4".

However, GTS does not have an EV audit, so we are going to turn off EV treatment
for both of those root certificates.

But "GlobalSign Root CA - R2" has intermediate cert "GlobalSign Extended
Validation CA - SHA256 - G2" that continues to be controlled by GlobalSign, to
be used to migrate their customers off dependence on that root.

This patch removes EV treatment for "GlobalSign ECC Root CA - R4". It also
removes EV treatment for all chains rooted in "GlobalSign Root CA - R2" unless
the "GlobalSign Extended Validation CA - SHA256 - G2" intermediate is in the
chain.

MozReview-Commit-ID: Ej9L9zTwoPN

--HG--
extra : rebase_source : 575f1a48646cf728d879d0cf53c888654e4a32ad
2017-04-03 17:17:38 -07:00
Tim Taubert 00b8400985 Bug 1351779 - Removed unused variable 'loopDetected' from PathBuildingStep::Check() r=keeler 2017-03-29 20:17:06 +02:00
David Keeler 8c5524fc2e bug 1339921 - disable clang's shadowed field warning in a mozilla::pkix gtest class r=Cykesiopka,dholbert
pkixocsp_VerifyEncodedResponse_GetCertTrust has a field trustDomain that
deliberately shadows the field it inherits from so that code doesn't use it by
accident.

MozReview-Commit-ID: 1Y4W6sA7lHD

--HG--
extra : rebase_source : d2d3180e6c65ea49255545216230525b96af010d
2017-03-14 15:58:04 -07:00
Jan Beich ce968eef85 Bug 1346305 - Unbreak --enable-warnings-as-errors on FreeBSD after bug 1343557. r=keeler
MozReview-Commit-ID: 3gZCXTK1GJI

--HG--
extra : rebase_source : 0de5fc52517c71db1c74814b5dcf096a8ceac593
2017-03-10 18:02:44 +00:00
Wes Kocher 65140a44e3 Merge inbound to central, a=merge CLOSED TREE
MozReview-Commit-ID: Gj4s6DtqKmw
2017-03-09 16:33:31 -08:00
Dan Minor cb9616fb60 Bug 1343557 - Disable -pedantic-errors for pkix gtests; r=keeler
MozReview-Commit-ID: FEeAF9Vm3PJ

--HG--
extra : rebase_source : f62dfac39f8021f7cda8240bf680612847e5fd8b
2017-03-02 17:12:14 -05:00
Joel Maher 41e6060a92 Bug 1344829 - add BUG_COMPONENT to security/* files. r=keeler
MozReview-Commit-ID: AS6e14FOqsb
2017-03-09 05:33:30 -05:00
EKR 785f12a554 Bug 1331280 - Generic telemetry probe for TLS handshake status. r=keeler
--HG--
extra : rebase_source : 69a2e93a5cd8d500702a670dfaa5e6cebb822ff0
2017-02-14 13:12:00 -05:00
Sylvestre Ledru aba86ae938 Bug 1337358 - Converts for(...; ...; ...) loops to use the new range-based loops in C++11 in security/ r=keeler
MozReview-Commit-ID: yfkQVEp2do

--HG--
extra : rebase_source : 048f30343b9eb353bbc15fbde157ffbb3b2da8ec
2017-02-07 13:22:44 +01:00
Julian Seward 621b1dcd5f Bug 1318030 - Possible uninitialised value uses relating to security/pkix/test/gtest/pkixcert_extension_tests.cpp. r=dkeeler@mozilla.com. 2016-11-21 08:49:36 +01:00
David Cook 7d4c71cc9c Bug 1115718 - Check for empty issuer name in mozilla::pkix; r=keeler
MozReview-Commit-ID: 6Ymgo7dQE7b

--HG--
extra : rebase_source : 54ee27fd46c2139125a40deabb11a6aca04c84bc
2016-07-28 20:36:18 -05:00
Sergei Chernov 21be681857 Bug 1284256 - Certificate Transparency - verification of Signed Certificate Timestamps (RFC 6962); r=keeler, r=Cykesiopka
MozReview-Commit-ID: IgcnyBH4Up

--HG--
extra : transplant_source : %98%A3%5E%B4%DA%89qI1%01A%F8%FF%C7%1FS%D4%23v%B3
2016-07-05 08:35:06 +03:00
Tom Tromey 5538d692d3 Bug 1286877 - do not set c-basic-offset for python-mode; r=gps
This removes the unnecessary setting of c-basic-offset from all
python-mode files.

This was automatically generated using

    perl -pi -e 's/; *c-basic-offset: *[0-9]+//'

... on the affected files.

The bulk of these files are moz.build files but there a few others as
well.

MozReview-Commit-ID: 2pPf3DEiZqx

--HG--
extra : rebase_source : 0a7dcac80b924174a2c429b093791148ea6ac204
2016-07-14 10:16:42 -06:00
Sergei Chernov edb1f658f6 Bug 1275238 - Certificate Transparency support in mozilla::pkix; r=keeler
MozReview-Commit-ID: HZwzSgxarTw

--HG--
extra : transplant_source : %BF%F9%A8T%C6x%82%03%3Ez%9F%3BT%E3%1B%11s%294%F4
2016-06-15 11:11:00 +03:00
Julian Seward 8562142079 Bug 1275582 - TSan: data race security/nss/lib/freebl/sha_fast.c:176 SHA1_End. r=dkeeler.
--HG--
extra : rebase_source : d8e517c891212c0b7794e7db433f6ed626c4cac5
2016-05-30 15:25:52 +02:00
Chris Peterson 353ee65255 Bug 1272513 - Part 1: Suppress -Wshadow warnings-as-errors in some directories. r=glandium 2016-05-11 00:00:01 -07:00
David Keeler c17f3a2733 bug 982932 - only allow Netscape-stepUp to be used for serverAuth for old CA certificates r=Cykesiopka,jcj
MozReview-Commit-ID: 88JhIU1pUji

--HG--
rename : security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC.pem.certspec => security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec
rename : security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC.pem.certspec => security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec
extra : rebase_source : 2f6251679a6f31cccb6d88bb51c567de9cc9bc76
2016-05-05 16:11:11 -07:00
Cykesiopka 33825b4eb1 Bug 1257031 - Return more informative error code when encountering invalid integers rather than SEC_ERROR_BAD_DER. r=keeler
Also adds some missing l10n entries to nsserrors.properties (but not for errors
that are specific to TLS 1.3, since TLS 1.3 is not yet finalised).

MozReview-Commit-ID: A42fmTDTe8W

--HG--
extra : transplant_source : x%F7s%DB%05%B4%81%9Dm%FDC%A1f%B3%0D%7DR%C1%BA%B1
2016-04-21 16:41:22 -07:00
David Keeler 6e4140d766 bug 1245280 - add policy mechanism to optionally enforce BRs for falling back to subject CN r=Cykesiopka,mgoodwin
MozReview-Commit-ID: 7xT6JGpOH1g

--HG--
extra : rebase_source : 0def29e8be898a2d975ee4390b3bc6a193766b1b
2016-02-09 10:14:27 -08:00
David Keeler eabc80d212 bug 1258579 - remove some unnecessary time-related globals from mozilla::pkix tests r=Cykesiopka
MozReview-Commit-ID: C0XPTdO4Ab7

--HG--
extra : rebase_source : cb97b17cc5f3bd2fe1fe2bd13cae5447e029c14d
2016-03-22 10:26:30 -07:00
Brian Smith 30373af60a Bug 1189020 - Replace |// unnamed namespace| with |// namespace| in mozilla::pkix. r=Cykesiopka
This is what Google suggests in its style guide, and somebody
already changed one of these comments to the new style.

--HG--
extra : rebase_source : fe3f7fc17a2fc09ad0ba01fa1511dc8dba7653e1
2016-03-16 07:10:00 +01:00
Gregory Szorc 3ff1fe40e4 Bug 1256484 - Disable C4456 and C4458 to unblock compilation on VS2015; r=keeler
As part of unblocking building with VS2015u1 in automation, I'm mass
disabling compiler warnings that are turned into errors. This is not
the preferred mechanism to fix compilation warnings. So hopefully
someone fixes the underlying problem someday. However, there are tons
of ignored warnings in security/certverifier, so I guess the workaround
in this patch is par for the course.

MozReview-Commit-ID: 7GZ9RpkxnwT

--HG--
extra : rebase_source : 023a438b6458fb4859018cde421d51072f0f0490
2016-03-14 23:57:33 -07:00
David Keeler 61a9a234f8 bug 1255153 - (re)move redundant xpcshell name constraint tests to gtests r=Cykesiopka,jcj
MozReview-Commit-ID: 8eFSIhB1RId

--HG--
extra : rebase_source : 63b147b8bdc9f2961b2f56723ac5baa0e2564684
2016-03-09 14:33:31 -08:00
David Keeler 62bd6f7a62 bug 1248099 - add extended key usage tests for mozilla::pkix r=Cykesiopka,jcj
MozReview-Commit-ID: 9rXn5Q1wsnx

--HG--
extra : rebase_source : f598007d568c7394898294d66b1845a173f97dc2
2016-02-12 17:24:54 -08:00
Xidorn Quan 8cd346c251 Bug 1229587 part 1 - Disable C4464 warning newly added in VS2015u1. r=keeler
--HG--
extra : source : 1c79d789b2de950e8024d857f9315ea362141969
2015-12-03 09:29:42 +11:00
Mark Goodwin a954826958 Bug 901698 - Some tests for OCSP-must-staple; r=keeler 2015-11-13 16:49:09 +00:00
Mark Goodwin 31adb1a5c5 Bug 901698 - Implement OCSP-must-staple; r=keeler 2015-11-13 16:49:08 +00:00
Richard Barnes 990593f9cf Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler 2015-09-11 14:52:30 -04:00
Jacek Caban b15946229a Bug 1199624 - Don't use memset and memcmp in files that don't include cstring explicitly. r=briansmith 2015-09-09 14:16:59 +02:00
Nicholas Nethercote f44287005f Bug 1198334 (part 1) - Replace the opt-in FAIL_ON_WARNINGS with the opt-out ALLOW_COMPILER_WARNINGS. r=glandium.
The patch removes 455 occurrences of FAIL_ON_WARNINGS from moz.build files, and
adds 78 instances of ALLOW_COMPILER_WARNINGS. About half of those 78 are in
code we control and which should be removable with a little effort.

--HG--
extra : rebase_source : 82e3387abfbd5f1471e953961d301d3d97ed2973
2015-08-27 20:44:53 -07:00
Ryan VanderMeulen c7fdbe4d0f Backed out changeset 982be1bbebdf (bug 1199624) for Windows bustage. 2015-08-30 17:09:09 -04:00
Jacek Caban c8309c6328 Bug 1199624 - Don't use memset and memcmp in files that don't include cstring explicitly. r=briansmith 2015-08-29 07:59:00 -04:00
Mike Hommey 7da4ee35ba Bug 1189891 - Avoid including <cstring> from pkix/Input.h. r=bsmith 2015-08-21 15:27:22 +09:00
Mike Hommey b85471d7e8 Backout changesets af1b36497559 and 1d52ab626597 (bug 1189891) for pkix bustage 2015-08-21 15:05:38 +09:00
Mike Hommey 067b45951a Bug 1189891 - Avoid including <cstring> from pkix/Input.h. r=bsmith 2015-08-21 14:29:19 +09:00
Birunthan Mohanathas a8939590de Bug 1182996 - Fix and add missing namespace comments. rs=ehsan
The bulk of this commit was generated by running:

  run-clang-tidy.py \
    -checks='-*,llvm-namespace-comment' \
    -header-filter=^/.../mozilla-central/.* \
    -fix
2015-07-13 08:25:42 -07:00
Mark Goodwin 91782dab68 Bug 1159155 - Add telemetry probe for SHA-1 usage (r=keeler) 2015-07-09 07:22:29 +01:00
Cykesiopka 0a9aea4ab2 Bug 1145679 - Reject EV status for end-entity EV certs with overly long validity periods. r=keeler
--HG--
extra : rebase_source : ec44bb566cce8ab14f740457d6ba1d863b39c256
2015-06-29 22:19:00 +02:00
Tim Taubert ab7196486a Bug 1060112 - Don't treat OCSP responses omitting the requested certificate status as "unknown certificate" responses blocking the connection r=keeler 2015-05-21 13:39:34 -04:00
David Keeler 4e7fc3055e bug 1141189 - implement skipping expensive revocation checks (OCSP fetching) for short-lived certificates r=rbarnes 2015-04-06 16:10:28 -07:00
David Keeler e69f0f4b4b bug 1150114 - allow PrintableString to match UTF8String in name constraints checking r=briansmith 2015-04-08 16:17:39 -07:00
Brian Smith 95bd8011e6 Bug 1154399 - Part 4: Simplify certificate parsing in OCSP responses. r=keeler
--HG--
extra : rebase_source : caf903d29b0adc22fcc7e87e4fa0019cfa48007e
2015-04-14 05:33:03 -10:00
Brian Smith f124561818 Bug 1154399 - Part 3: Simplify OptionalExtensions. r=keeler
We used to avoid using Nested and NestedOf because they were based on
bind and it was difficult to maintain our std::bind polyfill. Now that
we use lambdas, it is easy to use Nested and NestedOf, so we should do
so wherever it makes the code clearer.

--HG--
extra : rebase_source : 1157d16320b3b211e3ce612b75782e8bd9c55f30
2015-04-14 05:32:46 -10:00
Brian Smith d09798e9f5 Bug 1154399 - Part 2: Simplify and un-inline OptionalVersion. r=keeler
Also fixes the wrong comment. The syntax for version in OCSP and X.509
certs is identical.

--HG--
extra : rebase_source : 744a2998ce8c55a61fbbc1966bc22e4903fa2484
2015-04-14 05:32:29 -10:00
Brian Smith 0cac719ba9 Bug 1154399 - Part 1: De-templatize and un-inline IntegralValue. r=keeler
--HG--
extra : rebase_source : 899eaed19b13edc9c257f0ab212d447bb54e607d
2015-04-14 05:06:41 -10:00
Mike Hommey 67e9dfaaf8 Bug 1153114 - Remove anonymous namespace around pkix gtests. r=bsmith
This avoids -Wunused-variable fatal warnings with GCC 5.0
2015-04-15 09:21:23 +09:00