Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-19 08:15:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
64781f7444
gecko-dev/security/certverifier
History
David Keeler af0ce9fbd6 bug 1357226 - work around a library inefficiency with EC keys when verifying ECDSA signatures r=fkiefer,jcj 
Calling VFY_VerifyDigestDirect causes the provided SECKEYPublicKey to be
reimported to the softoken regardless of if it already exists on it. EC keys
must be verified upon import (to see if the point is on the curve to avoid some
small subgroup attacks), and so repeatedly doing this with a static key (say,
for example, a key corresponding to a built-in certificate transparency log) is
inefficient. This patch alters the certificate transparency implementation to
import these keys each once and then use PK11_Verify for ECDSA signature
verification, which doesn't have the same drawback.

Since this change causes CertVerifier to hold an NSS resource (via its
MultiLogCTVerifier having a list of CTLogVerifier, each of which now has a
SECKEYPublicKey), nsNSSComponent has to make sure it goes away before shutting
down NSS. This patch ensures this happens in nsNSSComponent::ShutdownNSS().

MozReview-Commit-ID: 6VSmz7S53y2

--HG--
extra : rebase_source : 4994db9de80a6c1aec3d7e322ff30d040140ce92
2017-04-11 14:11:28 -07:00
..
tests/gtest bug 1357226 - work around a library inefficiency with EC keys when verifying ECDSA signatures r=fkiefer,jcj 2017-04-11 14:11:28 -07:00
BRNameMatchingPolicy.cpp bug 1267463 - add a more nuanced subject common name fallback option for prerelease channels r=Cykesiopka,jcj 2016-04-25 15:55:18 -07:00
BRNameMatchingPolicy.h bug 1267463 - add a more nuanced subject common name fallback option for prerelease channels r=Cykesiopka,jcj 2016-04-25 15:55:18 -07:00
CertVerifier.cpp bug 1352262 - make OCSP timeout values configurable r=Cykesiopka,jcj 2017-03-31 15:21:40 -07:00
CertVerifier.h bug 1352262 - make OCSP timeout values configurable r=Cykesiopka,jcj 2017-03-31 15:21:40 -07:00
CNNICHashWhitelist.inc Bug 1335294: Remove const from data tables under security/ for better codegen on Windows. r=keeler 2017-02-13 09:41:20 +13:00
CTDiversityPolicy.cpp Bug 1320566 - Certificate Transparency - implement CT Policy. r=Dolske,keeler 2017-01-09 08:22:28 +02:00
CTDiversityPolicy.h Bug 1320566 - Certificate Transparency - implement CT Policy. r=Dolske,keeler 2017-01-09 08:22:28 +02:00
CTKnownLogs.h Bug 1335294: Remove const from data tables under security/ for better codegen on Windows. r=keeler 2017-02-13 09:41:20 +13:00
CTLog.h Bug 1320566 - Certificate Transparency - implement CT Policy. r=Dolske,keeler 2017-01-09 08:22:28 +02:00
CTLogVerifier.cpp bug 1357226 - work around a library inefficiency with EC keys when verifying ECDSA signatures r=fkiefer,jcj 2017-04-11 14:11:28 -07:00
CTLogVerifier.h bug 1357226 - work around a library inefficiency with EC keys when verifying ECDSA signatures r=fkiefer,jcj 2017-04-11 14:11:28 -07:00
CTObjectsExtractor.cpp Bug 1284256 - Certificate Transparency - verification of Signed Certificate Timestamps (RFC 6962); r=keeler, r=Cykesiopka 2016-07-05 08:35:06 +03:00
CTObjectsExtractor.h Bug 1284256 - Certificate Transparency - verification of Signed Certificate Timestamps (RFC 6962); r=keeler, r=Cykesiopka 2016-07-05 08:35:06 +03:00
CTPolicyEnforcer.cpp Bug 1320566 - Certificate Transparency - implement CT Policy. r=Dolske,keeler 2017-01-09 08:22:28 +02:00
CTPolicyEnforcer.h Bug 1320566 - Certificate Transparency - implement CT Policy. r=Dolske,keeler 2017-01-09 08:22:28 +02:00
CTSerialization.cpp Bug 1317951, part 1 - Certificate Transparency - extracted verification related fields from SCT to a separate struct. r=keeler 2016-11-23 15:37:31 +02:00
CTSerialization.h Bug 1284256 - Certificate Transparency - verification of Signed Certificate Timestamps (RFC 6962); r=keeler, r=Cykesiopka 2016-07-05 08:35:06 +03:00
CTVerifyResult.cpp Bug 1317951, part 2 - Certificate Transparency - basic support for disqualified logs. r=keeler 2016-11-29 22:51:46 +02:00
CTVerifyResult.h Bug 1317951, part 2 - Certificate Transparency - basic support for disqualified logs. r=keeler 2016-11-29 22:51:46 +02:00
ExtendedValidation.cpp bug 1349762 - handle two GlobalSign EV root transfers r=Cykesiopka,jcj 2017-04-03 17:17:38 -07:00
ExtendedValidation.h Bug 1313715 - Avoid unnecessary uses of PR_SetError() under security/apps/ and security/certverifier/. r=keeler 2016-12-14 20:10:25 +08:00
moz.build Bug 1344829 - add BUG_COMPONENT to security/* files. r=keeler 2017-03-09 05:33:30 -05:00
MultiLogCTVerifier.cpp Bug 1317951, part 2 - Certificate Transparency - basic support for disqualified logs. r=keeler 2016-11-29 22:51:46 +02:00
MultiLogCTVerifier.h Bug 1317951, part 1 - Certificate Transparency - extracted verification related fields from SCT to a separate struct. r=keeler 2016-11-23 15:37:31 +02:00
NSSCertDBTrustDomain.cpp bug 1352262 - make OCSP timeout values configurable r=Cykesiopka,jcj 2017-03-31 15:21:40 -07:00
NSSCertDBTrustDomain.h bug 1352262 - make OCSP timeout values configurable r=Cykesiopka,jcj 2017-03-31 15:21:40 -07:00
OCSPCache.cpp Bug 1328653 - Merging all the various *OriginAttributes to just one, r=huseby 2017-01-12 17:38:48 +01:00
OCSPCache.h Bug 1328653 - Merging all the various *OriginAttributes to just one, r=huseby 2017-01-12 17:38:48 +01:00
OCSPRequestor.cpp Bug 1308100 - Replace PL_strlen/PL_strnlen with strlen/strnlen;r=erahm 2017-04-13 20:47:00 +02:00
OCSPRequestor.h Bug 1330365 - Use mozilla::TimeStamp instead of NSPR's PRIntervalTime for OCSP timeout code. r=keeler 2017-01-14 13:12:43 +08:00
OCSPVerificationTrustDomain.cpp bug 1349762 - handle two GlobalSign EV root transfers r=Cykesiopka,jcj 2017-04-03 17:17:38 -07:00
OCSPVerificationTrustDomain.h bug 1349762 - handle two GlobalSign EV root transfers r=Cykesiopka,jcj 2017-04-03 17:17:38 -07:00
SignedCertificateTimestamp.cpp Bug 1317951, part 1 - Certificate Transparency - extracted verification related fields from SCT to a separate struct. r=keeler 2016-11-23 15:37:31 +02:00
SignedCertificateTimestamp.h Bug 1338374 - Make Vector not use AlignedStorage for its inline element storage. r=froydnj, r=keeler 2017-01-30 15:56:05 -08:00
SignedTreeHead.h Bug 1241574 - Certificate Transparency - base definitions and serialization to/from TLS wire format. r=keeler, r=Cykesiopka 2016-04-11 16:17:25 +03:00
StartComAndWoSignData.inc bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj 2016-10-12 17:02:33 -07:00