```
2022-02-03  John M. Schanck  <jschanck@mozilla.com>

        * doc/rst/releases/index.rst:
        Release notes for NSS 3.75
        [27194d9a9ebd] [NSS_3_75_RTM] <NSS_3_75_BRANCH>

2022-02-03  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

        * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
        Set version numbers to 3.75 final
        [151f1680d540] <NSS_3_75_BRANCH>
```
Differential Revision: https://phabricator.services.mozilla.com/D137783

We pass 8.3 names to NSS to avoid non-ASCII characters because NSS still
depends on the system code page (although this workaround is not effective on
East-Asian locales).
We don't have to use 8.3 names to NSS for SQLite db paths because SQLite
always uses UTF-8 for file names.
Differential Revision: https://phabricator.services.mozilla.com/D137379

This patch updates some uses of RefPtr<nsNSSCertificate> to
nsCOMPtr<nsIX509Cert> because it's not necessary to use the concrete class.
This patch also removes some empty files that should have been removed in a
previous bug.
Differential Revision: https://phabricator.services.mozilla.com/D136679

Firefox uses mozilla::pkix to implement certificate verification. Before this
patch, though, DetermineCertOverrideErrors still used NSS to determine if a
certificate had any time-related errors (in addition to the primary error
returned by verification). This wasn't great from a consistency and
attack-surface point of view, so this patch updates that function to use
mozilla::pkix as well.
Differential Revision: https://phabricator.services.mozilla.com/D136678

After successfully verifying a TLS server certificate, Firefox collects some
telemetry based on the built certificate chain's root certificate. Before this
patch, the implementation would unnecessarily create CERTCertificates out of
the built cert chain (unnecessary because the telemetry only relies on the
bytes of the root certificate). This patch avoids the unnecessary work.
Differential Revision: https://phabricator.services.mozilla.com/D136677

SSL_SERVER_AUTH_EKU has served its purpose. It has demonstrated that in the web
PKI (as defined by TLS web server certificates that chain up to root
certificates in Mozilla's CA program), all server certificates will have the
EKU extension, and the extension will be valid for TLS server authentication.
We no longer need to gather this data, so this patch removes this probe.
Differential Revision: https://phabricator.services.mozilla.com/D136676

nsIX509Cert::GetCert() may cause a CERTCertificate to be instantiated. Doing so
can have performance and stability implications, so it's best to avoid it.
This patch avoids it where possible.
Differential Revision: https://phabricator.services.mozilla.com/D135945

nsIX509Cert::GetCert() may cause a CERTCertificate to be instantiated. Doing so
can have performance and stability implications, so it's best to avoid it.
This patch avoids it where possible.
Depends on D135943
Differential Revision: https://phabricator.services.mozilla.com/D135945

To avoid doing unnecessary work and to reduce NSS resource contention and
crashes, this patch lazily instantiates the CERTCertificate in
nsNSSCertificate.
Depends on D134979
Differential Revision: https://phabricator.services.mozilla.com/D134980

To prepare to lazily instantiate the CERTCertificate in nsNSSCertificate, this
patch avoids the CERTCertificate in nsNSSCertificate as much as possible and
instead uses the bytes of the certificate directly.
Depends on D134978
Differential Revision: https://phabricator.services.mozilla.com/D134979

nsNSSCertificate had a few functions that acted as constructors. This patch
removes these unnecessary functions and uses actual constructors.
Depends on D134977
Differential Revision: https://phabricator.services.mozilla.com/D134978

* the certificates were regenerated using `./mach generate-test-certs`
* the build/pgo/certs/ changes were made using
`./mach python build/pgo/genpgocert.py`
* the zip files in security/manager/ssl/tests/unit/test_signed_apps/ were
updated per the directions in the corresponding moz.build file
* security/manager/ssl/tests/unit/test_cert_override_read.js needed manual
updating
Differential Revision: https://phabricator.services.mozilla.com/D135283