When a server requests a client certificate, it can include a list of
distinguished names that it considers valid issuers for client certificates
(either as direct issuers or as transitive issuers). Before this patch, the
platform would call CERT_FilterCertListByCANames to filter potential client
certificates by this list of names. This function uses the "classic" NSS
certificate path-building algorithm and thus can't make use of other
certificates that Gecko may know about, such as third-party intermediates and
preloaded intermediates.
This patch implements client certificate filtering by re-using the path building
implementation provided by mozilla::pkix to determine if each certificate has an
issuer with a name included in the acceptable list. These issuers include
third-party intermediates, preloaded intermediates, and all certificates known
to NSS. Note that this implementation does not actually verify the client
certificates - no signatures are checked and no particular key usages are
enforced. However, some properties are enforced, such as validity periods.
Differential Revision: https://phabricator.services.mozilla.com/D68101
--HG--
rename : security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec => security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec
extra : moz-landing-system : lando
This was generated with
```
cp .gitignore .rgignore
rg -l -g '*.{html,xhtml}' 'href="chrome://global/skin/"' | xargs sed -i "" 's/href\="chrome:\/\/global\/skin\/"/href\="chrome:\/\/global\/skin\/global.css"/g'
```
Differential Revision: https://phabricator.services.mozilla.com/D67687
--HG--
extra : moz-landing-system : lando
Revert setting CK_GCM_PARAMS ulIvBits, as this field won't exist until NSS 3.52.
Depends on D68665
Differential Revision: https://phabricator.services.mozilla.com/D68602
--HG--
extra : moz-landing-system : lando
When a server requests a client certificate, it can include a list of
distinguished names that it considers valid issuers for client certificates
(either as direct issuers or as transitive issuers). Before this patch, the
platform would call CERT_FilterCertListByCANames to filter potential client
certificates by this list of names. This function uses the "classic" NSS
certificate path-building algorithm and thus can't make use of other
certificates that Gecko may know about, such as third-party intermediates and
preloaded intermediates.
This patch implements client certificate filtering by re-using the path building
implementation provided by mozilla::pkix to determine if each certificate has an
issuer with a name included in the acceptable list. These issuers include
third-party intermediates, preloaded intermediates, and all certificates known
to NSS. Note that this implementation does not actually verify the client
certificates - no signatures are checked and no particular key usages are
enforced. However, some properties are enforced, such as validity periods.
Differential Revision: https://phabricator.services.mozilla.com/D68101
--HG--
rename : security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec => security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec
extra : moz-landing-system : lando
This patch initializes the ulIvBits member of CK_GCM_PARAMS, which is new in PKCS11 v3.
For libprio, we instead define NSS_PKCS11_2_0_COMPAT, which yields the old struct definition.
Differential Revision: https://phabricator.services.mozilla.com/D67740
--HG--
extra : moz-landing-system : lando
This patch removes `test_delegated_credentials_weak` (which only applies to RSA DCs currently), as RSA DCs are effectively unsupported by Firefox.
Differential Revision: https://phabricator.services.mozilla.com/D67406
--HG--
extra : moz-landing-system : lando
OSKeyStore doesn't need its own thread and can use the background thread pool instead.
Differential Revision: https://phabricator.services.mozilla.com/D66692
--HG--
extra : moz-landing-system : lando
PKCS#11 requires that serial numbers be DER-encoded (essentially, the bytes of
the serialNumber component of TBSCertificate). On macOS,
SecCertificateCopySerialNumberData gives the contents of this component (so it
lacks the tag and length fields, and may or may not have leading 00 or FF bytes
to indicate sign). On Windows, CERT_INFO.SerialNumber is the value of the
integer with the least significant byte first, which is the opposite of DER
(which has the most significant byte first). It also lacks any leading 00 or FF
sign bytes. Since the OS APIs can't be used here, this patch introduces a
utility function to grab the value of the serialNumber component of a
DER-encoded certificate.
Differential Revision: https://phabricator.services.mozilla.com/D66327
--HG--
extra : moz-landing-system : lando
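The serial-number extraction described in the commit message above, as an added example (not code from the Firefox patch): a bounds-checked DER walk that returns the serialNumber INTEGER exactly as encoded in the certificate. The names `span`, `read_tlv`, `cert_serial` and `SAMPLE` are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { const uint8_t *p; size_t len; } span;

/* Constructed, truncated sample: SEQ { SEQ { [0]{INTEGER 2}, INTEGER 00 C3 5A 01 } } */
static const uint8_t SAMPLE[] = { 0x30, 0x0d, 0x30, 0x0b, 0xa0, 0x03, 0x02, 0x01,
                                  0x02, 0x02, 0x04, 0x00, 0xc3, 0x5a, 0x01 };

/* Read the TLV at the front of `in`; 0 on success, -1 on malformed input. */
static int read_tlv(span in, uint8_t *tag, span *body, size_t *total) {
    if (in.len < 2 || (in.p[0] & 0x1f) == 0x1f) return -1; /* no high-tag form */
    size_t hdr = 2, len = in.p[1];
    if (len & 0x80) {                   /* long form: next n bytes hold the length */
        size_t n = len & 0x7f;
        if (n == 0 || n > 4 || in.len < 2 + n || in.p[2] == 0) return -1;
        for (len = 0; hdr < 2 + n; hdr++) len = (len << 8) | in.p[hdr];
        if (len < 0x80) return -1;      /* DER requires the short form here */
    }
    if (len > in.len - hdr) return -1;  /* contents must fit inside the input */
    *tag = in.p[0];
    *body = (span){ in.p + hdr, len };
    *total = hdr + len;
    return 0;
}

/* Find serialNumber; *serial covers the whole INTEGER: tag, length, contents. */
int cert_serial(const uint8_t *der, size_t n, span *serial) {
    span in = { der, n }, cert, tbs, body;
    uint8_t tag = 0;
    size_t total = 0;
    if (read_tlv(in, &tag, &cert, &total) || tag != 0x30) return -1;  /* Certificate */
    if (read_tlv(cert, &tag, &tbs, &total) || tag != 0x30) return -1; /* TBSCertificate */
    if (read_tlv(tbs, &tag, &body, &total)) return -1;
    if (tag == 0xa0) {                  /* skip optional [0] EXPLICIT version */
        tbs = (span){ tbs.p + total, tbs.len - total };
        if (read_tlv(tbs, &tag, &body, &total)) return -1;
    }
    if (tag != 0x02 || body.len == 0) return -1; /* need a non-empty INTEGER */
    *serial = (span){ tbs.p, total };
    return 0;
}

int main(void) {
    span s;
    if (cert_serial(SAMPLE, sizeof SAMPLE, &s)) return 1;
    for (size_t i = 0; i < s.len; i++) printf("%02x", s.p[i]); /* whole INTEGER TLV */
    return puts("") < 0;
}
```

For the constructed sample the result is `02 04 00 c3 5a 01`, which keeps the leading `00` sign byte and the most-significant-first order that the OS-provided representations described above do not preserve.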
Before this patch, PSM would register content type handlers to handle certain
certificate types. This was an easy way to install a client certificate after
generating a key with `<keygen>`, but keygen has been removed. This was also an
easy way to install root certificates, but that's actually a considerable
security risk. We kept this functionality for so long because it was the only
way to add a 3rd-party root certificate to Fennec's certificate store. Now that
Fennec is EOL, we can remove it. (Fenix will need a way to trust 3rd-party root
certificates, but the path forward there is to implement the enterprise roots
feature for Android.)
Differential Revision: https://phabricator.services.mozilla.com/D66118
--HG--
extra : moz-landing-system : lando
Bug 1512471 added VerifySSLServerCertParent.cpp, which uses
SSLServerCertVerificationJob::Dispatch, which isn't exposed in a header. It
works in unified builds where the chunking happens to put that file with
SSLServerCertVerification.cpp, but when that changes the build breaks.
Similarly, VerifySSLServerCertChild.cpp uses gPIPNSSLog without declaring it.
Differential Revision: https://phabricator.services.mozilla.com/D66618
--HG--
extra : moz-landing-system : lando