Commit Graph

501 Commits

Author SHA1 Message Date
Benjamin Beurdouche
d787ba0177 Bug 1615687 - Certificate validation should respect CKA_NSS_EMAIL_DISTRUST_AFTER. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D84195
2021-02-25 19:17:01 +00:00
Benjamin Beurdouche
86775aa29e Bug 1692101 - Disable EV Treatment for Camerfirma's Chambers of Commerce Root - 2008 root certificate. r=mbirghan
Differential Revision: https://phabricator.services.mozilla.com/D106085
2021-02-23 15:12:58 +00:00
Bogdan Tara
3a7168e036 Backed out changeset 1d69ffd05b99 (bug 1683761) for failing assertion at ExtendedValidation CLOSED TREE
DONTBUILD
2021-02-23 11:43:03 +02:00
Moritz Birghan
2c3db5f78e Bug 1683761 - Enable EV Treatment for AC RAIZ FNMT-RCM SERVIDORES SEGUROS root certificate. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D104701
2021-02-23 09:09:56 +00:00
Bogdan Tara
35e6e1afb1 Backed out changeset 3c7ae91a5486 (bug 1683761) for assertion failure at ExtendedValidation.cpp CLOSED TREE 2021-02-11 03:24:23 +02:00
Moritz Birghan
cf8c48ef67 Bug 1683761 - Enable EV Treatment for AC RAIZ FNMT-RCM SERVIDORES SEGUROS root certificate. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D104701
2021-02-10 23:56:27 +00:00
Dana Keeler
aa773f5c8c Bug 1689729 - use NSS only on the socket thread in NSSCertDBTrustDomain::GetCertTrust and FindIssuer r=rmf,dragana
See bug 1689728. To avoid contention on NSS resources and thread-safety issues,
this patch dispatches synchronous events to the socket thread in
NSSCertDBTrustDomain::GetCertTrust and FindIssuer to gather information from
NSS rather than using NSS directly on the cert verification threads.

Differential Revision: https://phabricator.services.mozilla.com/D103514
2021-02-04 16:59:48 +00:00
Benjamin Beurdouche
13d4b68816 Bug 1687701 - Remove IsCertificateDistrustImminent. r=keeler,necko-reviewers,dragana
Differential Revision: https://phabricator.services.mozilla.com/D102416
2021-01-27 18:05:24 +00:00
Dorel Luca
155fbede67 Backed out changeset 831388d8f118 (bug 1687701) for Build bustages. CLOSED TREE 2021-01-27 19:08:38 +02:00
Benjamin Beurdouche
207e18f326 Bug 1687701 - Remove IsCertificateDistrustImminent. r=keeler,necko-reviewers,dragana
Differential Revision: https://phabricator.services.mozilla.com/D102416
2021-01-27 16:38:37 +00:00
Dana Keeler
b20d3edb85 Bug 1682989 - remove CertBlocklist implementation and MOZ_NEW_CERT_STORAGE build variable r=rmf
Differential Revision: https://phabricator.services.mozilla.com/D100034
2021-01-19 22:11:25 +00:00
Moritz Birghan
9a338c96dc Bug 1676303 - Remove 10 GeoTrust, thawte, and VeriSign root certs from TrustOverride-SymantecData.inc r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D97349
2021-01-06 23:39:39 +00:00
smolnar
643005bb54 Backed out changeset b1c01a78a999 (bug 1676303) for perma failures in test_sanctions_symantec_apple_google.js CLOSED TREE 2020-12-16 22:04:49 +02:00
Moritz Birghan
c5610a3897 Bug 1676303 - Remove 10 GeoTrust, thawte, and VeriSign root certs from TrustOverride-SymantecData.inc r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D97349
2020-12-16 15:07:06 +00:00
R. Martinho Fernandes
fe3a7bf2ef Bug 1680321 - Rewrite CertIsSelfSigned using pkix r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D99266
2020-12-11 13:00:46 +00:00
Dana Keeler
2592af36e6 Bug 1678206 - update some CRLite/intermediate preloading telemetry r=bbeurdouche data-review=chutten
This patch extends the lifetimes of the following telemetry probes to Firefox 92:
  CRLITE_RESULT
  INTERMEDIATE_PRELOADING_ERRORS
  INTERMEDIATE_PRELOADING_UPDATE_TIME_MS
  security.intermediate_preloading_num_preloaded
  security.intermediate_preloading_num_pending

This patch removes the following telemetry probes:
  CRLITE_FASTER_THAN_OCSP_MS
  OCSP_FASTER_THAN_CRLITE_MS

Differential Revision: https://phabricator.services.mozilla.com/D98988
2020-12-09 23:11:41 +00:00
Benjamin Beurdouche
279c2a451a Bug 1513645 - Remove Pref to Disable Symantec Distrust. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D91894
2020-12-09 17:45:11 +00:00
Razvan Maries
ae5330c64c Backed out changeset 2ac5258d1da1 (bug 1676303) for perma failures on test_sanctions_symantec_apple_google.js. CLOSED TREE 2020-12-08 21:57:19 +02:00
Moritz Birghan
5fe6a3f180 Bug 1676303 - Remove 10 GeoTrust, thawte, and VeriSign root certs from TrustOverride-SymantecData.inc r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D97349
2020-12-08 15:21:30 +00:00
Simon Giesecke
971b645fe3 Bug 1660470 - Add missing include directives/forward declarations. r=nika
Differential Revision: https://phabricator.services.mozilla.com/D87865
2020-11-23 16:21:38 +00:00
Sylvestre Ledru
bebb9f9181 Bug 1519636 - Reformat with clang-format-11 to the Google coding style r=andi,sg,geckoview-reviewers,snorp
It is bringing some minor changes

# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D90795
2020-11-18 09:05:59 +00:00
Moritz Birghan
c297b0b108 Bug 1663052 - Enable EV Treatment for SecureTrust's Trustwave Global root certificates r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D96437
2020-11-09 22:20:36 +00:00
Moritz Birghan
9614d4d163 Bug 1658596 - Enable EV Treatment for "IdenTrust Commercial Root CA 1" root certificate r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D96435
2020-11-09 22:32:27 +00:00
Simon Giesecke
55fc02e6ef Bug 1665462 - Use moving Vector::appendAll overload at a few places, or use move assignment. r=jwalden
Differential Revision: https://phabricator.services.mozilla.com/D90547
2020-10-29 15:04:13 +00:00
Ricky Stewart
02a7b4ebdf Bug 1654103: Standardize on Black for Python code in mozilla-central.
Allow-list all Python code in tree for use with the black linter, and re-format all code in-tree accordingly.

To produce this patch I did all of the following:

1. Make changes to tools/lint/black.yml to remove include: stanza and update list of source extensions.

2. Run ./mach lint --linter black --fix

3. Make some ad-hoc manual updates to python/mozbuild/mozbuild/test/configure/test_configure.py -- it has some hard-coded line numbers that the reformat breaks.

4. Make some ad-hoc manual updates to `testing/marionette/client/setup.py`, `testing/marionette/harness/setup.py`, and `testing/firefox-ui/harness/setup.py`, which have hard-coded regexes that break after the reformat.

5. Add a set of exclusions to black.yml. These will be deleted in a follow-up bug (1672023).

# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D94045
2020-10-26 18:34:53 +00:00
Bogdan Tara
da1098d4aa Backed out 10 changesets (bug 1654103, bug 1672023, bug 1518999) for PanZoomControllerTest.touchEventForResult gv-junit failures CLOSED TREE
Backed out changeset ff3fb0b4a512 (bug 1672023)
Backed out changeset e7834b600201 (bug 1654103)
Backed out changeset 807893ca8069 (bug 1518999)
Backed out changeset 13e6b92440e9 (bug 1518999)
Backed out changeset 8b2ac5a6c98a (bug 1518999)
Backed out changeset 575748295752 (bug 1518999)
Backed out changeset 65f07ce7b39b (bug 1518999)
Backed out changeset 4bb80556158d (bug 1518999)
Backed out changeset 8ac8461d7bd7 (bug 1518999)
Backed out changeset e8ba13ee17f5 (bug 1518999)
2020-10-24 03:36:18 +03:00
Dana Keeler
b014438572 Bug 1670984 - include CRLite stash revocation hits/library failures in CRLite telemetry r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D94189
2020-10-23 20:57:48 +00:00
Ricky Stewart
c0cea3b0fa Bug 1654103: Standardize on Black for Python code in mozilla-central. r=remote-protocol-reviewers,marionette-reviewers,webdriver-reviewers,perftest-reviewers,devtools-backward-compat-reviewers,jgilbert,preferences-reviewers,sylvestre,maja_zf,webcompat-reviewers,denschub,ntim,whimboo,sparky
Allow-list all Python code in tree for use with the black linter, and re-format all code in-tree accordingly.

To produce this patch I did all of the following:

1. Make changes to tools/lint/black.yml to remove include: stanza and update list of source extensions.

2. Run ./mach lint --linter black --fix

3. Make some ad-hoc manual updates to python/mozbuild/mozbuild/test/configure/test_configure.py -- it has some hard-coded line numbers that the reformat breaks.

4. Make some ad-hoc manual updates to `testing/marionette/client/setup.py`, `testing/marionette/harness/setup.py`, and `testing/firefox-ui/harness/setup.py`, which have hard-coded regexes that break after the reformat.

5. Add a set of exclusions to black.yml. These will be deleted in a follow-up bug (1672023).

# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D94045
2020-10-23 20:40:42 +00:00
Dana Keeler
4ae1753875 Bug 1670985 - don't fall back to OCSP when the CRLite mode is "enforce" r=jcj
When the CRLite mode is "enforce" and a certificate is found to be covered by
CRLite, this patch makes it so the implementation will not fall back to
processing OCSP (whether stapled, cached, or fetched). This also updates
test_crlite_filters.js to use a more recent, realistic filter and stash.

Differential Revision: https://phabricator.services.mozilla.com/D94499
2020-10-23 17:04:18 +00:00
Dorel Luca
1ff59cb7a3 Backed out changeset 7558c8821a07 (bug 1654103) for multiple failures. CLOSED TREE 2020-10-22 03:51:06 +03:00
Ricky Stewart
50762dacab Bug 1654103: Standardize on Black for Python code in mozilla-central. r=remote-protocol-reviewers,marionette-reviewers,webdriver-reviewers,perftest-reviewers,devtools-backward-compat-reviewers,jgilbert,preferences-reviewers,sylvestre,maja_zf,webcompat-reviewers,denschub,ntim,whimboo,sparky
Allow-list all Python code in tree for use with the black linter, and re-format all code in-tree accordingly.

To produce this patch I did all of the following:

1. Make changes to tools/lint/black.yml to remove include: stanza and update list of source extensions.

2. Run ./mach lint --linter black --fix

3. Make some ad-hoc manual updates to python/mozbuild/mozbuild/test/configure/test_configure.py -- it has some hard-coded line numbers that the reformat breaks.

4. Add a set of exclusions to black.yml. These will be deleted in a follow-up bug (1672023).

# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D94045
2020-10-21 21:27:27 +00:00
Dana Keeler
e0531b8283 Bug 1667829 - CRLite: allow taking the log merge delay into account r=jcj
This patch adds the preference "security.pki.crlite_ct_merge_delay_seconds"
that adds a configurable delay between the earliest certificate timestamp and
the filter creation date. This allows the implementation to take into account
CT log merge delays (i.e. when an SCT exists for a certificate but that
certificate hasn't yet been merged into the log).
The default value is 28 hours in seconds. The minimum value is 0 seconds, and
the maximum value is one year in seconds.

Differential Revision: https://phabricator.services.mozilla.com/D92295
2020-10-07 00:16:49 +00:00
Dana Keeler
3d9ab91ab0 Bug 1605273 - only run CRLite on certificates with a CT SCT available r=jcj
Because CAs can back-date a certificate (i.e. set the "notBefore" field to
earlier than when a certificate actually existed), the "notBefore" field can't
be relied on when determining when CRLite information is recent enough to check
a certificate with. To that end, this patch instead uses the earliest timestamp
from the embedded SCTs in the certificate being checked.

Differential Revision: https://phabricator.services.mozilla.com/D90599
2020-09-24 18:10:05 +00:00
Bogdan Tara
db9c89dbca Backed out 2 changesets (bug 1666567, bug 1605273) for test_crlite_filters.js failures CLOSED TREE
UPGRADE_NSS_RELEASE

Backed out changeset 9bc4c7e79cd6 (bug 1666567)
Backed out changeset 22753d184de6 (bug 1605273)
2020-09-24 06:57:27 +03:00
Dana Keeler
500beadbba Bug 1605273 - only run CRLite on certificates with a CT SCT available r=jcj
Because CAs can back-date a certificate (i.e. set the "notBefore" field to
earlier than when a certificate actually existed), the "notBefore" field can't
be relied on when determining when CRLite information is recent enough to check
a certificate with. To that end, this patch instead uses the earliest timestamp
from the embedded SCTs in the certificate being checked.

Differential Revision: https://phabricator.services.mozilla.com/D90599
2020-09-23 22:24:39 +00:00
Dana Keeler
5763aba6d5 Bug 1664011 - avoid CERTCertificate in nsIX509CertValidity implementation r=rmf
This patch modifies the implementation of nsIX509CertValidity to use
mozilla::pkix to decode notBefore/notAfter values from the given encoded
certificate rather than using a CERTCertificate. This will help in avoiding
CERTCertificate in the implementation of nsIX509Cert.
This patch also renames/moves the previous implementation (which was in
nsNSSCertValidity.{h,cpp} but was called nsX509CertValidity) to be more
consistent and to drop the unnecessary "ns" prefix. It is now in the files
X509CertValidity.{h,cpp} and is called X509CertValidity.

Differential Revision: https://phabricator.services.mozilla.com/D89644
2020-09-11 17:20:25 +00:00
Julien Cristau
dde737671d Bug 1661543 - Backed out 1 changesets (bug 1651449) for performance regression. a=backout CLOSED TREE
Backed out changeset 323e4aecc563 (bug 1651449)
2020-08-27 22:31:36 +02:00
Dana Keeler
1be997b53b Bug 1651449 - rework intermediate caching to make use of nsNSSComponent's background task queue r=kjacobs,rmf
nsNSSComponent has a background task queue that can be used for importing
intermediates from TLS connections instead of using the certificate
verification thread pool.

This patch also addresses places where PSM was directly accessing the isperm
member of CERTCertificate, which is protected by a lock.

Differential Revision: https://phabricator.services.mozilla.com/D86051
2020-08-07 20:30:20 +00:00
Simon Giesecke
1e02318b49 Bug 1653335 - Replace MakeSpan uses by constructor calls. r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D83817
2020-08-07 07:49:47 +00:00
R. Martinho Fernandes
b2ff7fc0a5 Bug 1654835 - Remove CERTCertificate from PublicKeyPinningService.cpp r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D84726
2020-07-30 08:44:59 +00:00
Dana Keeler
b4495c0f15 Bug 1654117 - prevent osclientcerts from loading on macOS <10.14 r=spohl
osclientcerts requires functions that are available starting in macOS 10.14, so
it shouldn't be possible to enable it in earlier versions.

Differential Revision: https://phabricator.services.mozilla.com/D84764
2020-07-24 16:25:08 +00:00
Doug Thayer
f9aaa02d04 Bug 1623943 - Exit from IdleSaveIntermediateCerts if shutting down r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D81612
2020-07-06 17:57:03 +00:00
R. Martinho Fernandes
b4bf6419e0 Bug 1645192 - Enable EV Treatment for "certSIGN Root CA G2" root certificate r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D81052
2020-06-26 07:15:41 +00:00
Kevin Jacobs
7fe6c40b58 Bug 1645525 - Remove EV treatment of AddTrust External CA Root. r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D79738
2020-06-15 21:20:47 +00:00
Kevin Jacobs
f072fe0915 Bug 1645188 - Disable EV treatment for LuxTrust Global Root 2. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D79359
2020-06-15 19:17:44 +00:00
Benjamin Beurdouche
290b838cb5 Bug 1615438 - Use CKA_NSS_SERVER_DISTRUST_AFTER from NSS for certificate validation. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D74662
2020-05-28 20:35:48 +00:00
Dana Keeler
3db8f6cd6b Bug 1638139 - use CRLite incremental stashes in the client r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D76054
2020-05-22 20:50:14 +00:00
Kershaw Chang
b0ac2c6c92 Bug 1485652 - Reimplement IsAcceptableForHost r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D67949
2020-04-24 14:45:56 +00:00
Simon Giesecke
191a830575 Bug 1628715 - Part 7: Add MOZ_NONNULL_RETURN to infallible nsTArray::AppendElements. r=xpcom-reviewers,necko-reviewers,nika,valentin
Differential Revision: https://phabricator.services.mozilla.com/D70831
2020-04-24 13:31:14 +00:00
Dana Keeler
b016636b6d Bug 1624464 - don't load certificate transparency log keys if CT is disabled r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D68285

--HG--
extra : moz-landing-system : lando
2020-03-30 16:50:41 +00:00