gecko-dev/security
Dana Keeler 153dbb37e5 Bug 1828968 - osclientcerts: make RSA-PSS support configurable via pref r=jschanck

Due to design constraints, it is difficult for osclientcerts to properly
indicate whether or not each known key supports RSA-PSS. Ideally such a
determination would be made close to when a particular key is going to be used,
but due to the design of PKCS#11 and NSS' tight coupling to it, osclientcerts
would have to make this determination when searching for all known keys, which
has been shown to be prohibitively slow on Windows and results in unexpected
dialogs on macOS.

Thus, previously osclientcerts simply assumed all RSA keys supported RSA-PSS.
This has resulted in handshake failures when a server indicates that it accepts
RSA-PSS signatures.

This patch instead makes RSA-PSS support configurable via a pref
(security.osclientcerts.assume_rsa_pss_support). If the pref is true,
osclientcerts assumes all RSA keys support RSA-PSS. If it is false, it assumes
no RSA keys support RSA-PSS.

Differential Revision: https://phabricator.services.mozilla.com/D175966
2023-04-21 17:49:09 +00:00
certverifier Bug 1828968 - osclientcerts: make RSA-PSS support configurable via pref r=jschanck 2023-04-21 17:49:09 +00:00
ct Bug 1827627 - Update CT Log script, log_list.json and CTKnownLogs.h. r=keeler 2023-04-12 18:38:00 +00:00
mac/hardenedruntime Bug 1799922 - Remove codesign.bash r=mstange 2022-11-15 16:03:31 +00:00
manager Bug 1828968 - osclientcerts: make RSA-PSS support configurable via pref r=jschanck 2023-04-21 17:49:09 +00:00
nss Bug 1815435 - land NSS NSS_3_89_RTM UPGRADE_NSS_RELEASE, r=keeler 2023-03-09 23:07:34 +00:00
rlbox Bug 1827704 - Migrate to the upstream wasm2c for RLBox sandboxing r=glandium 2023-04-21 01:31:35 +00:00
sandbox Bug 1824465 - Part 21: Make PRemoteSandboxBroker refcounted, r=ipc-reviewers,mccr8 2023-04-19 22:10:10 +00:00
.eslintrc.js Bug 1824173 - Enable ESLint configuration valid-jsdocs across the tree, disabling for currently failing locations. r=mossop,webcompat-reviewers,extension-reviewers,credential-management-reviewers,denschub,dimi,robwu 2023-03-24 19:35:25 +00:00
generate_certdata.py Bug 1790816 - Reformat security/ with isort. r=linter-reviewers,ahal DONTBUILD 2022-11-24 17:22:21 +00:00
generate_mapfile.py
moz.build Bug 1805371 - avoid building and running FaultyServer tests with system NSS. r=glandium,necko-reviewers,kershaw 2023-01-03 17:48:24 +00:00
nss.symbols