mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-07 18:04:46 +00:00
55cfe61a1d
2020-09-23 Dana Keeler <dkeeler@mozilla.com>

* gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:

Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension (if present) in CheckRevocation r=jcj

This will allow Firefox to make decisions based on the earliest known time that a certificate exists (with respect to certificate transparency) that a CA is unlikely to back-date. In particular, this is essential for CRLite.

Note that if the SCT signature isn't validated, a CA could still make a certificate appear to have existed for longer than it really has. However, this change is not an attempt to catch malicious CAs. The aim is to avoid false positives in CRLite resulting from CAs backdating the notBefore field on certificates they issue.

Depends on D90595

[8ebee3cec9cf] [tip]

2020-09-18 Dana Keeler <dkeeler@mozilla.com>

* gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:

Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's no longer necessary r=jcj

Bug 1593141 added the certificate's notBefore field as an argument to TrustDomain::CheckRevocation so that Firefox could use it with CRLite. However, since CAs can backdate that field, we need to use the earliest embedded SCT timestamp instead.

[c1f4d565ceda]

Differential Revision: https://phabricator.services.mozilla.com/D91211

||
---|---|---|
.. | ||
certdb_gtest | ||
certhigh_gtest | ||
common | ||
cryptohi_gtest | ||
der_gtest | ||
freebl_gtest | ||
google_test | ||
mozpkix_gtest | ||
nss_bogo_shim | ||
pk11_gtest | ||
pkcs11testmodule | ||
smime_gtest | ||
softoken_gtest | ||
ssl_gtest | ||
sysinit_gtest | ||
util_gtest | ||
__init__.py | ||
.clang-format | ||
Makefile | ||
manifest.mn | ||
README |

GTest-based Unit Tests

This directory contains GTest-based unit tests for NSS libssl.

If your environment doesn't have a C++ compiler suitable to build these
tests, you may disable them using ``NSS_DISABLE_GTESTS=1''.

Once built, they are run as part of running ``test/all.sh''.
You can run just the GTests by running ``tests/ssl_gtests/ssl_gtests.sh''.

They can be run standalone or under a debugger by invoking the ssl_gtest
executable with a ``-d'' option pointing to the directory created by
either of the above options. You can find that in
tests_results/security/${hostname}.${NUMBER}/ssl_gtests