Commit Graph

358 Commits

Author SHA1 Message Date
Sergei Chernov
edb1f658f6 Bug 1275238 - Certificate Transparency support in mozilla::pkix; r=keeler
MozReview-Commit-ID: HZwzSgxarTw

--HG--
extra : transplant_source : %BF%F9%A8T%C6x%82%03%3Ez%9F%3BT%E3%1B%11s%294%F4
2016-06-15 11:11:00 +03:00
Julian Seward
8562142079 Bug 1275582 - TSan: data race security/nss/lib/freebl/sha_fast.c:176 SHA1_End. r=dkeeler.
--HG--
extra : rebase_source : d8e517c891212c0b7794e7db433f6ed626c4cac5
2016-05-30 15:25:52 +02:00
Chris Peterson
353ee65255 Bug 1272513 - Part 1: Suppress -Wshadow warnings-as-errors in some directories. r=glandium 2016-05-11 00:00:01 -07:00
David Keeler
c17f3a2733 bug 982932 - only allow Netscape-stepUp to be used for serverAuth for old CA certificates r=Cykesiopka,jcj
MozReview-Commit-ID: 88JhIU1pUji

--HG--
rename : security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC.pem.certspec => security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec
rename : security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC.pem.certspec => security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec
extra : rebase_source : 2f6251679a6f31cccb6d88bb51c567de9cc9bc76
2016-05-05 16:11:11 -07:00
Cykesiopka
33825b4eb1 Bug 1257031 - Return more informative error code when encountering invalid integers rather than SEC_ERROR_BAD_DER. r=keeler
Also adds some missing l10n entries to nsserrors.properties (but not for errors
that are specific to TLS 1.3, since TLS 1.3 is not yet finalised).

MozReview-Commit-ID: A42fmTDTe8W

--HG--
extra : transplant_source : x%F7s%DB%05%B4%81%9Dm%FDC%A1f%B3%0D%7DR%C1%BA%B1
2016-04-21 16:41:22 -07:00
David Keeler
6e4140d766 bug 1245280 - add policy mechanism to optionally enforce BRs for falling back to subject CN r=Cykesiopka,mgoodwin
MozReview-Commit-ID: 7xT6JGpOH1g

--HG--
extra : rebase_source : 0def29e8be898a2d975ee4390b3bc6a193766b1b
2016-02-09 10:14:27 -08:00
David Keeler
eabc80d212 bug 1258579 - remove some unnecessary time-related globals from mozilla::pkix tests r=Cykesiopka
MozReview-Commit-ID: C0XPTdO4Ab7

--HG--
extra : rebase_source : cb97b17cc5f3bd2fe1fe2bd13cae5447e029c14d
2016-03-22 10:26:30 -07:00
Brian Smith
30373af60a Bug 1189020 - Replace |// unnamed namespace| with |// namespace| in mozilla::pkix. r=Cykesiopka
This is what Google suggests in its style guide, and somebody
already changed one of these comments to the new style.

--HG--
extra : rebase_source : fe3f7fc17a2fc09ad0ba01fa1511dc8dba7653e1
2016-03-16 07:10:00 +01:00
Gregory Szorc
3ff1fe40e4 Bug 1256484 - Disable C4456 and C4458 to unblock compilation on VS2015; r=keeler
As part of unblocking building with VS2015u1 in automation, I'm mass
disabling compiler warnings that are turned into errors. This is not
the preferred mechanism to fix compilation warnings. So hopefully
someone fixes the underlying problem someday. However, there are tons
of ignored warnings in security/certverifier, so I guess the workaround
in this patch is par for the course.

MozReview-Commit-ID: 7GZ9RpkxnwT

--HG--
extra : rebase_source : 023a438b6458fb4859018cde421d51072f0f0490
2016-03-14 23:57:33 -07:00
David Keeler
61a9a234f8 bug 1255153 - (re)move redundant xpcshell name constraint tests to gtests r=Cykesiopka,jcj
MozReview-Commit-ID: 8eFSIhB1RId

--HG--
extra : rebase_source : 63b147b8bdc9f2961b2f56723ac5baa0e2564684
2016-03-09 14:33:31 -08:00
David Keeler
62bd6f7a62 bug 1248099 - add extended key usage tests for mozilla::pkix r=Cykesiopka,jcj
MozReview-Commit-ID: 9rXn5Q1wsnx

--HG--
extra : rebase_source : f598007d568c7394898294d66b1845a173f97dc2
2016-02-12 17:24:54 -08:00
Xidorn Quan
8cd346c251 Bug 1229587 part 1 - Disable C4464 warning newly added in VS2015u1. r=keeler
--HG--
extra : source : 1c79d789b2de950e8024d857f9315ea362141969
2015-12-03 09:29:42 +11:00
Mark Goodwin
a954826958 Bug 901698 - Some tests for OCSP-must-staple; r=keeler 2015-11-13 16:49:09 +00:00
Mark Goodwin
31adb1a5c5 Bug 901698 - Implement OCSP-must-staple; r=keeler 2015-11-13 16:49:08 +00:00
Richard Barnes
990593f9cf Bug 942515 - Show Untrusted Connection Error for SHA-1-based SSL certificates with notBefore >= 2016-01-01 r=keeler 2015-09-11 14:52:30 -04:00
Jacek Caban
b15946229a Bug 1199624 - Don't use memset and memcmp in files that don't include cstring explicitly. r=briansmith 2015-09-09 14:16:59 +02:00
Nicholas Nethercote
f44287005f Bug 1198334 (part 1) - Replace the opt-in FAIL_ON_WARNINGS with the opt-out ALLOW_COMPILER_WARNINGS. r=glandium.
The patch removes 455 occurrences of FAIL_ON_WARNINGS from moz.build files, and
adds 78 instances of ALLOW_COMPILER_WARNINGS. About half of those 78 are in
code we control and which should be removable with a little effort.

--HG--
extra : rebase_source : 82e3387abfbd5f1471e953961d301d3d97ed2973
2015-08-27 20:44:53 -07:00
Ryan VanderMeulen
c7fdbe4d0f Backed out changeset 982be1bbebdf (bug 1199624) for Windows bustage. 2015-08-30 17:09:09 -04:00
Jacek Caban
c8309c6328 Bug 1199624 - Don't use memset and memcmp in files that don't include cstring explicitly. r=briansmith 2015-08-29 07:59:00 -04:00
Mike Hommey
7da4ee35ba Bug 1189891 - Avoid including <cstring> from pkix/Input.h. r=bsmith 2015-08-21 15:27:22 +09:00
Mike Hommey
b85471d7e8 Backout changesets af1b36497559 and 1d52ab626597 (bug 1189891) for pkix bustage 2015-08-21 15:05:38 +09:00
Mike Hommey
067b45951a Bug 1189891 - Avoid including <cstring> from pkix/Input.h. r=bsmith 2015-08-21 14:29:19 +09:00
Birunthan Mohanathas
a8939590de Bug 1182996 - Fix and add missing namespace comments. rs=ehsan
The bulk of this commit was generated by running:

  run-clang-tidy.py \
    -checks='-*,llvm-namespace-comment' \
    -header-filter=^/.../mozilla-central/.* \
    -fix
2015-07-13 08:25:42 -07:00
Mark Goodwin
91782dab68 Bug 1159155 - Add telemetry probe for SHA-1 usage (r=keeler) 2015-07-09 07:22:29 +01:00
Cykesiopka
0a9aea4ab2 Bug 1145679 - Reject EV status for end-entity EV certs with overly long validity periods. r=keeler
--HG--
extra : rebase_source : ec44bb566cce8ab14f740457d6ba1d863b39c256
2015-06-29 22:19:00 +02:00
Tim Taubert
ab7196486a Bug 1060112 - Don't treat OCSP responses omitting the requested certificate status as "unknown certificate" responses blocking the connection r=keeler 2015-05-21 13:39:34 -04:00
David Keeler
4e7fc3055e bug 1141189 - implement skipping expensive revocation checks (OCSP fetching) for short-lived certificates r=rbarnes 2015-04-06 16:10:28 -07:00
David Keeler
e69f0f4b4b bug 1150114 - allow PrintableString to match UTF8String in name constraints checking r=briansmith 2015-04-08 16:17:39 -07:00
Brian Smith
95bd8011e6 Bug 1154399 - Part 4: Simplify certificate parsing in OCSP responses. r=keeler
--HG--
extra : rebase_source : caf903d29b0adc22fcc7e87e4fa0019cfa48007e
2015-04-14 05:33:03 -10:00
Brian Smith
f124561818 Bug 1154399 - Part 3: Simplify OptionalExtensions. r=keeler
We used to avoid using Nested and NestedOf because they were based on
bind and it was difficult to maintain our std::bind polyfill. Now that
we use lambdas, it is easy to use Nested and NestedOf, so we should do
so wherever it makes the code clearer.

--HG--
extra : rebase_source : 1157d16320b3b211e3ce612b75782e8bd9c55f30
2015-04-14 05:32:46 -10:00
Brian Smith
d09798e9f5 Bug 1154399 - Part 2: Simplify and un-inline OptionalVersion. r=keeler
Also fixes the wrong comment. The syntax for version in OCSP and X.509
certs is identical.

--HG--
extra : rebase_source : 744a2998ce8c55a61fbbc1966bc22e4903fa2484
2015-04-14 05:32:29 -10:00
Brian Smith
0cac719ba9 Bug 1154399 - Part 1: De-templatize and un-inline IntegralValue. r=keeler
--HG--
extra : rebase_source : 899eaed19b13edc9c257f0ab212d447bb54e607d
2015-04-14 05:06:41 -10:00
Mike Hommey
67e9dfaaf8 Bug 1153114 - Remove anonymous namespace around pkix gtests. r=bsmith
This avoids -Wunused-variable fatal warnings with GCC 5.0
2015-04-15 09:21:23 +09:00
Brian Smith
566d65be48 Bug 1153738: Make ScopedPtr a minimal proper subset of std::unique_ptr, r=keeler
Remove all features of ScopedPtr that aren't in std::unique_ptr, and
remove all currently-unused features of ScopedPtr. In particular,
replace |operator=(T*)| with |reset(T* p = nullptr)| and make
|operator bool| explicit.

--HG--
rename : security/pkix/include/pkix/ScopedPtr.h => security/pkix/lib/ScopedPtr.h
extra : rebase_source : 206bfb32aa5a04a4719f28b4aca59fe2f0abbec3
2015-04-13 00:28:11 -10:00
Brian Smith
a0437d5b8f Bug 1146057: Remove support for GCC 4.6, r=keeler
Since Gecko now requires GCC 4.7 or later, we no longer need to
work around the lack of support for "override" and "final" in
earlier versions of GCC.

--HG--
extra : rebase_source : 0f104f16be9e7c1ff87bbdd0d4ba6700b1081fb8
2015-03-30 20:18:46 -10:00
Brian Smith
36b7acc82a Bug 1136278, Part 2: Refactor test SubjectPublicKeyInfo generation, r=keeler
--HG--
extra : rebase_source : 7bb0327749fd013ba5de17483d21a9e9f21eb07a
extra : source : 9f3617a5b85a8a2ae9a82c0f0584b413a9b635b4
2015-02-26 13:10:13 -08:00
Brian Smith
3ab08d7fdb Bug 1136278, Part 1: Refactor algorithm identifiers in tests, r=keeler
This will make it easier to expand the tests to additional
signature algorithms and additional public key types.

--HG--
extra : rebase_source : 256923fff83d58732b6c995a4096b773fdbb28c1
2015-02-26 16:11:41 -08:00
David Keeler
2cf7194567 bug 1143085 - allow subject alternative name extensions to be empty for compatibility r=briansmith a=kwierso
--HG--
extra : amend_source : 89b8233b57049a3d2886aa08cd85c57e6faa693e
2015-03-16 14:00:33 -07:00
David Keeler
cc58dd5d1a Bug 1136616 - Allow underscores in reference DNS-IDs in mozilla::pkix name matching. r=briansmith 2015-03-03 13:34:45 -08:00
Brian Smith
06b7804e70 Bug 1131767: Prune away paths using unacceptable algorithms earlier, r=keeler
--HG--
extra : rebase_source : 79efad2c5f60120ff1022547ce7efa628a7acd0f
2015-02-14 16:59:02 -08:00
Brian Smith
27cb600f2f Bug 1077864, Part 2: Override the trust level for OCSP response signer certs so that they are never considered trust anchors, r=keeler
--HG--
extra : rebase_source : d0c599f7fc29b5fbcb7d8cd97980a3f39d39f515
2015-02-14 15:59:38 -08:00
Brian Smith
bdb4294871 Bug 1077864, Part 1: Check consistency of certificates' signature and signatureAlgorithm fields, r=keeler
--HG--
extra : rebase_source : 9a2ca8cb370169f675557987a6b1cc0dedb24ff6
2015-02-22 16:59:03 -08:00
Brian Smith
f2235a16db Bug 1135407: Factor out duplicate logic in tests, r=keeler
--HG--
extra : rebase_source : d93eef89cb6596cf35e2ebef29030423cf027f0b
2015-02-21 14:12:38 -08:00
Ehsan Akhgari
baf73d756f Bug 1135745 - Disable the reserved-id-macro macro in security/pkix; r=briansmith 2015-02-23 13:40:09 -05:00
Brian Smith
ffe59cf419 Bug 1133618 - Move test SHA1 function to pkixtestutil.cpp. r=mmc
--HG--
extra : histedit_source : ef579a4958356a12974b1f0f69ab2d6070ff8e65
2015-02-16 16:37:03 -08:00
Brian Smith
bbf8006735 Bug 1130754 - Make PublicKeyAlgorithm an enum class. r=keeler
--HG--
extra : histedit_source : 14d321bc2cbdf749fd05994571ca439ee62ab973
2015-02-14 13:25:09 -08:00
Cykesiopka
47f24e15e4 Bug 1097622 - Return ERROR_INVALID_TIME when decoding invalid time values. r=dkeeler 2015-02-18 15:56:00 -05:00
Brian Smith
a89b90ea7f Bug 1130754: Avoid recalculating tbsCertificate digest, r=keeler
--HG--
extra : rebase_source : 85266413568df928cb1eaf1cd59b52ee9d4259e6
extra : histedit_source : 767e3263d28926435c6d2f4610c7d8b01e9ba87d
2015-02-07 12:14:31 -08:00
Brian Smith
b0f87b9b6c Bug 1122841, Part 2: Centralize checking of public key, r=keeler
--HG--
extra : rebase_source : 6b41ad2d3f37bead8d3ac8b48c5ee0b8063c795b
extra : source : d470b5a68bf915cfb12f0e948e1492463092883c
2015-02-02 16:17:08 -08:00
Brian Smith
dbc534e182 Bug 1122841, Part 1: Add PositiveInteger parser, r=keeler
--HG--
extra : rebase_source : 50d79951398e44bf2718c0f071962aa00660fec2
2015-02-06 18:21:20 -08:00