searching for reviewer(jcj)
8c4446751c4ed37e1e3b3aa56ce20de7caffcf55: bug 1564481 - reset HSTS/HPKP state to factory settings rather than storing knockout entries for preloaded sites r=jcj r=KevinJacobs
Dana Keeler <dkeeler@mozilla.com> - Thu, 11 Jul 2019 13:48:28 -0700 - rev 482880
Push 113698 by dkeeler@mozilla.com at Tue, 16 Jul 2019 23:00:46 +0000
bug 1564481 - reset HSTS/HPKP state to factory settings rather than storing knockout entries for preloaded sites r=jcj r=KevinJacobs As originally implemented, nsISiteSecurityService.removeState allowed direct access to remove HSTS state. It also provided the implementation for when the browser encountered an HSTS header with "max-age=0". In bug 775370, it was updated to store an entry that would override preloaded information when processing such headers. However, this meant that the semantics of the direct access API had changed. Preloaded information could be overridden if a user invoked the "forget about this site" feature. This change fixes the public API (and renames it to "resetState") so it actually behaves as its consumers expect. Reviewers: jcj!, KevinJacobs! Tags: #secure-revision Bug #: 1564481 Differential Revision: https://phabricator.services.mozilla.com/D38108
85646584350c349d8100894edb005b7fa9eeca4c: bug 1563056 - download the most recent CRLite filter and all following incremental filters r=jcj
Dana Keeler <dkeeler@mozilla.com> - Thu, 11 Jul 2019 00:29:44 +0000 - rev 482300
Push 113660 by opoprus@mozilla.com at Thu, 11 Jul 2019 10:01:33 +0000
bug 1563056 - download the most recent CRLite filter and all following incremental filters r=jcj Differential Revision: https://phabricator.services.mozilla.com/D37333
17183959c3a91f478dd3426df4439bb1d714f28a: bug 1553550 - removing expiring intermediate preloading telemetry r=jcj
Dana Keeler <dkeeler@mozilla.com> - Wed, 03 Jul 2019 16:49:18 +0000 - rev 481176
Push 113602 by opoprus@mozilla.com at Thu, 04 Jul 2019 03:40:43 +0000
bug 1553550 - removing expiring intermediate preloading telemetry r=jcj Differential Revision: https://phabricator.services.mozilla.com/D36516
82a474df494f100be870eb9aa8079e749f7f5103: Bug 1559114 - Optimize CRLite intermediates download r=glasserc,jcj,keeler
Mathieu Leplatre <mathieu@mozilla.com> - Tue, 18 Jun 2019 23:18:59 +0000 - rev 479158
Push 113465 by cbrindusan@mozilla.com at Wed, 19 Jun 2019 03:59:07 +0000
Bug 1559114 - Optimize CRLite intermediates download r=glasserc,jcj,keeler Differential Revision: https://phabricator.services.mozilla.com/D34880
7efae4f444f1f03ca347c01181d50032e188879e: Bug 1555067 - Backed out changeset 0801165e3175. r=jcj
Eric Rahm <erahm@mozilla.com> - Thu, 13 Jun 2019 20:59:55 +0000 - rev 478778
Push 113435 by shindli@mozilla.com at Fri, 14 Jun 2019 03:43:52 +0000
Bug 1555067 - Backed out changeset 0801165e3175. r=jcj NSS_ALLOW_SSLKEYLOGFILE no longer has issues upstream, we can allow it again. Differential Revision: https://phabricator.services.mozilla.com/D34915
c6167798915ab1bafbcfdc926f66139872b905b1: bug 1557092 - add fast path to avoid calling CERT_CreateSubjectList for most certificate verifications r=jcj,KevinJacobs
Dana Keeler <dkeeler@mozilla.com> - Tue, 11 Jun 2019 22:45:26 +0000 - rev 478379
Push 113419 by dluca@mozilla.com at Wed, 12 Jun 2019 12:45:34 +0000
bug 1557092 - add fast path to avoid calling CERT_CreateSubjectList for most certificate verifications r=jcj,KevinJacobs Differential Revision: https://phabricator.services.mozilla.com/D34042
505411a0364c91c191da0197f8a8c4c563732677: Bug 1543598 - Move OneCRL and Pinning blocklist clients out of services r=jcj,glasserc
Mathieu Leplatre <mathieu@mozilla.com> - Tue, 11 Jun 2019 10:14:40 +0000 - rev 478244
Push 113412 by rgurzau@mozilla.com at Tue, 11 Jun 2019 21:39:14 +0000
Bug 1543598 - Move OneCRL and Pinning blocklist clients out of services r=jcj,glasserc Differential Revision: https://phabricator.services.mozilla.com/D32297
04294661134a194d002e7365e3452368833ea161: bug 1488865 - import CRLite enrollment state r=jcj,KevinJacobs
Dana Keeler <dkeeler@mozilla.com> - Thu, 06 Jun 2019 16:42:41 +0000 - rev 477656
Push 113366 by ncsoregi@mozilla.com at Thu, 06 Jun 2019 22:41:06 +0000
bug 1488865 - import CRLite enrollment state r=jcj,KevinJacobs This patch saves the CRLite enrollment state of every preloaded intermediate to cert_storage. This is an intermediate (hah) step towards actually checking CRLite state. We still have to implement downloading and updating the CRLite bloom filter cascades and implement checking these filters when we encounter a certificate issued from an enrolled intermediate (this work will be done in future bugs). Differential Revision: https://phabricator.services.mozilla.com/D33074
6d643940d96eff4a21d25146b03898f1ffc36128: bug 1555110 - Backed out changeset a187487af38a to disable cert_storage on non-nightly builds r=jcj,froydnj
Dana Keeler <dkeeler@mozilla.com> - Wed, 29 May 2019 00:11:53 +0000 - rev 475972
Push 113240 by nerli@mozilla.com at Wed, 29 May 2019 09:56:33 +0000
bug 1555110 - Backed out changeset a187487af38a to disable cert_storage on non-nightly builds r=jcj,froydnj There are ongoing lmdb issues we need to sort out before we can ship cert_storage (see e.g. bug 1538541 and bug 1550174). Differential Revision: https://phabricator.services.mozilla.com/D32885
96235b29702a521a1fd3383404b2cc9b2884a76b: Bug 1551282 and bug 1553436. Allow pages to override window.u2f but not the "sign" and "register" properties on the U2F object. r=jcj,smaug
Boris Zbarsky <bzbarsky@mit.edu> - Fri, 24 May 2019 20:40:59 +0000 - rev 475469
Push 113209 by aciure@mozilla.com at Sat, 25 May 2019 09:44:12 +0000
Bug 1551282 and bug 1553436. Allow pages to override window.u2f but not the "sign" and "register" properties on the U2F object. r=jcj,smaug
There are two related problems this patch is trying to address.
The first, and simpler, one is bug 1553436: there are websites that use existing variables and functions named "u2f" and adding a non-replaceable readonly property with that name on Window breaks them. The fix for this is straightforward: mark the property [Replaceable].
The second problem, covered by bug 1551282, involves sites that use the Google U2F polyfill. The relevant parts of that polyfill look like this:
    'use strict';
    var u2f = u2f || {};
    u2f.register = some_function_that_only_works_right_in_Chrome;
    u2f.sign = some_function_that_only_works_right_in_Chrome;
The failure mode for that code before this fix is that the assignment to "u2f" throws because it's a readonly property and we're in strict mode, so any code the page concatenates in the same file after the polyfill does not get run. That's what bug 1551282 is about.
The [Replaceable] annotation fixes that issue, because now the polyfill gets the value of window.u2f and then redefines the property (via the [Replaceable] setter) to be a value property with that value. So far, so good. But then we need to prevent the sets of u2f.register and u2f.sign from taking effect, because if they are allowed to happen, the actual sign/register functionality on the page will not work in Firefox. We can't just make the properties readonly, because then the sets will throw due to being in strict mode, and we still have bug 1551282.
The proposed fix is to make these accessor properties with a no-op setter, which is exactly what [LenientSetter] gives us.
The rest of the patch is just setting up infrastructure for generating the normal bits we would generate if "sign" and "register" were methods and using that to create the JSFunctions at the point when the getter is called. The JSFunctions then get cached on the u2f instance object.
Differential Revision: https://phabricator.services.mozilla.com/D32357
823ab2e5430a5ddf411ad08e7c7b4ce70671ec5e: Bug 1551282 and bug 1553436. Allow pages to override window.u2f but not the "sign" and "register" properties on the U2F object. r=jcj,smaug
Boris Zbarsky <bzbarsky@mit.edu> - Fri, 24 May 2019 17:19:23 +0000 - rev 475433
Push 113209 by aciure@mozilla.com at Sat, 25 May 2019 09:44:12 +0000
Bug 1551282 and bug 1553436. Allow pages to override window.u2f but not the "sign" and "register" properties on the U2F object. r=jcj,smaug
There are two related problems this patch is trying to address.
The first, and simpler, one is bug 1553436: there are websites that use existing variables and functions named "u2f" and adding a non-replaceable readonly property with that name on Window breaks them. The fix for this is straightforward: mark the property [Replaceable].
The second problem, covered by bug 1551282, involves sites that use the Google U2F polyfill. The relevant parts of that polyfill look like this:
    'use strict';
    var u2f = u2f || {};
    u2f.register = some_function_that_only_works_right_in_Chrome;
    u2f.sign = some_function_that_only_works_right_in_Chrome;
The failure mode for that code before this fix is that the assignment to "u2f" throws because it's a readonly property and we're in strict mode, so any code the page concatenates in the same file after the polyfill does not get run. That's what bug 1551282 is about.
The [Replaceable] annotation fixes that issue, because now the polyfill gets the value of window.u2f and then redefines the property (via the [Replaceable] setter) to be a value property with that value. So far, so good. But then we need to prevent the sets of u2f.register and u2f.sign from taking effect, because if they are allowed to happen, the actual sign/register functionality on the page will not work in Firefox. We can't just make the properties readonly, because then the sets will throw due to being in strict mode, and we still have bug 1551282.
The proposed fix is to make these accessor properties with a no-op setter, which is exactly what [LenientSetter] gives us.
The rest of the patch is just setting up infrastructure for generating the normal bits we would generate if "sign" and "register" were methods and using that to create the JSFunctions at the point when the getter is called. The JSFunctions then get cached on the u2f instance object.
Differential Revision: https://phabricator.services.mozilla.com/D32357
ad1be1252928f344e5f8d5fd466b868cfb773d6f: Bug 1520166 - Part 2: revendor dependencies. r=jcj
Bastien Orivel <eijebong@bananium.fr> - Fri, 24 May 2019 07:31:35 +0000 - rev 475359
Push 113208 by cbrindusan@mozilla.com at Fri, 24 May 2019 21:57:39 +0000
Bug 1520166 - Part 2: revendor dependencies. r=jcj Differential Revision: https://phabricator.services.mozilla.com/D32222
34d9d707fcd5f8b042e49f64175257b830290c01: Bug 1520166 - Part 1: Use a vendored version of authenticator. r=jcj
Bastien Orivel <eijebong@bananium.fr> - Fri, 24 May 2019 07:31:26 +0000 - rev 475358
Push 113208 by cbrindusan@mozilla.com at Fri, 24 May 2019 21:57:39 +0000
Bug 1520166 - Part 1: Use a vendored version of authenticator. r=jcj This replaces the in-tree u2fhid (which has been renamed to authenticator) by the published crate. Differential Revision: https://phabricator.services.mozilla.com/D32221
5ca3dedbdd6e7dab41342c1bc95ec2baab98e8e3: bug 1552310 - use the correct field to delete preloaded certificates that have been removed from the preload list r=jcj,KevinJacobs
Dana Keeler <dkeeler@mozilla.com> - Thu, 23 May 2019 23:57:39 +0000 - rev 475311
Push 113201 by csabou@mozilla.com at Fri, 24 May 2019 09:57:23 +0000
bug 1552310 - use the correct field to delete preloaded certificates that have been removed from the preload list r=jcj,KevinJacobs The initial implementation made some incorrect assumptions about the data that was in our data set and used the wrong field to identify the certificates to delete when they are removed from our preload list. Now that the data set has the expected field (the hash of the whole certificate), we can use it instead. Differential Revision: https://phabricator.services.mozilla.com/D32380
61ae24d322cb05bec32cf7620778f15a2e6908e5: Bug 1552549 - Update rand dependency to 0.6 r=kats,froydnj,nika,jkt,jcj
Dzmitry Malyshau <dmalyshau@mozilla.com> - Thu, 23 May 2019 19:54:25 +0000 - rev 475288
Push 113198 by aciure@mozilla.com at Fri, 24 May 2019 04:03:55 +0000
Bug 1552549 - Update rand dependency to 0.6 r=kats,froydnj,nika,jkt,jcj Update rand version in u2fhid and xpcom Differential Revision: https://phabricator.services.mozilla.com/D31669
134250706ea6c5988546c73f808815acfc80688e: Bug 1526018 - Initialize PSM clients in their own service r=Gijs,jcj
Mathieu Leplatre <mathieu@mozilla.com> - Tue, 21 May 2019 21:14:11 +0000 - rev 474943
Push 113181 by shindli@mozilla.com at Wed, 22 May 2019 15:39:08 +0000
Bug 1526018 - Initialize PSM clients in their own service r=Gijs,jcj Differential Revision: https://phabricator.services.mozilla.com/D31603
a10cdf32fb5a3fe7474a2e3f6a838215863c3c9e: Bug 1552549 - Update rand dependency to 0.6 r=kats,froydnj,nika,jkt,jcj
Dzmitry Malyshau <dmalyshau@mozilla.com> - Tue, 21 May 2019 19:36:56 +0000 - rev 474854
Push 113174 by nerli@mozilla.com at Wed, 22 May 2019 03:46:05 +0000
Bug 1552549 - Update rand dependency to 0.6 r=kats,froydnj,nika,jkt,jcj Update rand version in u2fhid and xpcom Differential Revision: https://phabricator.services.mozilla.com/D31669
5a721a7648f2db40785729ed8fc7c7444c1afcaf: Bug 1551177 - avoid searching unproductive certificate paths during verification r=jcj,KevinJacobs
Dana Keeler <dkeeler@mozilla.com> - Sat, 18 May 2019 00:15:54 +0000 - rev 474576
Push 113165 by dvarga@mozilla.com at Tue, 21 May 2019 04:23:23 +0000
Bug 1551177 - avoid searching unproductive certificate paths during verification r=jcj,KevinJacobs In bug 1056341 we introduced a search budget to mozilla::pkix to attempt to work around the problem of having an extremely large search space given a set of certificates all with the same subject and issuer distinguished names but different public keys. In the end, though, there is probably no good value to choose for the budget that is small enough to run quickly on the wide range of hardware our users have and yet is large enough that we're confident it won't break someone's complicated pki setup (looking at you, the US federal government). To address this, use the observation that as long as an intermediate can't *add* information necessary to build a certificate chain (e.g. stapled SCTs), we should never need a self-signed intermediate (as in, its own key verifies the signature on it and its subject and issuer distinguished names are identical) to build a trusted chain (since the exact same chain without that intermediate should be valid). Given this, we simply skip all self-signed non-trust anchor CA certificates during path building. Differential Revision: https://phabricator.services.mozilla.com/D31368
a187487af38a4caa5f125ab660c4d1d09d69aa9d: Bug 1548365 - enable intermediate preloading on early beta or earlier r=froydnj,jcj
Dana Keeler <dkeeler@mozilla.com> - Thu, 16 May 2019 00:03:09 +0000 - rev 474023
Push 113120 by dvarga@mozilla.com at Thu, 16 May 2019 04:21:05 +0000
Bug 1548365 - enable intermediate preloading on early beta or earlier r=froydnj,jcj This also enables using cert_storage for OneCRL, since it and intermediate preloading both use the same backend. Differential Revision: https://phabricator.services.mozilla.com/D31345
73ead3a81fdf357101987a2796c7c1c1b24dc2bd: bug 1548040 - batch cert_storage certificate adding/removal r=jcj,myk
Dana Keeler <dkeeler@mozilla.com> - Tue, 14 May 2019 20:51:10 +0000 - rev 473981
Push 113120 by dvarga@mozilla.com at Thu, 16 May 2019 04:21:05 +0000
bug 1548040 - batch cert_storage certificate adding/removal r=jcj,myk Differential Revision: https://phabricator.services.mozilla.com/D30271
2c0de6646a6199e4558a4bf6279f7250302fc172: Bug 1551297 - Use MOZ_WIDGET_ANDROID instead of ANDROID when targeting Java r=jcj
Fabrice Desré <fabrice@desre.org> - Mon, 13 May 2019 20:42:37 +0000 - rev 473699
Push 113102 by apavel@mozilla.com at Tue, 14 May 2019 04:24:11 +0000
Bug 1551297 - Use MOZ_WIDGET_ANDROID instead of ANDROID when targeting Java r=jcj ANDROID is true for platforms based only on the native parts of the stack so can't be used when what you depend on is actually the Java layer. Differential Revision: https://phabricator.services.mozilla.com/D30965
c52835481c084fecff479ddf35e06054c5e0ba32: bug 1549249 - hard-code new add-on signing intermediate so it's always available r=jcj,kmag a=ryanvm
Dana Keeler <dkeeler@mozilla.com> - Mon, 06 May 2019 10:42:52 -0700 - rev 472741
Push 113042 by opoprus@mozilla.com at Mon, 06 May 2019 22:36:56 +0000
bug 1549249 - hard-code new add-on signing intermediate so it's always available r=jcj,kmag a=ryanvm Summary: Our previous approach to making this intermediate available relied on being able to add it to the user's NSS cert DB. This does work in the majority of cases, but there are some situations where it doesn't work (e.g. if the user's DB is set to read only, if they've configured Firefox to run in "nocertdb" mode, if they have a master password but forgot it, and so on). This patch compiles the intermediate into Firefox in the same way we incorporate the root, so it should always be available. At the same time, this patch reverts the changes from 023dd959512e2cfa685187616560f91efa91183c and 1d35f8d88bdd007e01d42c4ff76c6d10d7c01a98 (the patches that implemented the original approach) because they should no longer be necessary. Reviewers: jcj!, kmag! Tags: #secure-revision Bug #: 1549249 Differential Revision: https://phabricator.services.mozilla.com/D30090
a977984e786215c2d186e00eee7c1f408c46e274: bug 1546361 - recreate cert_storage data as necessary r=jcj,myk
Dana Keeler <dkeeler@mozilla.com> - Fri, 03 May 2019 23:41:17 +0000 - rev 472625
Push 113030 by ccoroiu@mozilla.com at Mon, 06 May 2019 04:28:40 +0000
bug 1546361 - recreate cert_storage data as necessary r=jcj,myk It turns out that an rkv database created on a 32-bit platform cannot be used on a 64-bit platform and vice-versa. To work around this for now, we delete and recreate the DB backing cert_storage and set flags to let our consumers know to re-load all known data. Differential Revision: https://phabricator.services.mozilla.com/D29591
fa013d593d02e29d9062900f89a14fd40a9ba687: Bug 1549010 - verify add-on signing certificates at 2019-04-27T02:43:20.000Z r=jcj a=lizzard
Dana Keeler <dkeeler@mozilla.com> - Sat, 04 May 2019 04:15:11 +0000 - rev 472589
Push 113027 by ccoroiu@mozilla.com at Sun, 05 May 2019 21:45:51 +0000
Bug 1549010 - verify add-on signing certificates at 2019-04-27T02:43:20.000Z r=jcj a=lizzard Differential Revision: https://phabricator.services.mozilla.com/D29928
e1ab2cda04243606b3e030f6858f415b83fae1f6: Bug 1512451 - Read OneCRL blocklist from security-states/onecrl r=jcj,mgoodwin,glasserc
Mathieu Leplatre <mathieu@mozilla.com> - Wed, 24 Apr 2019 14:52:13 +0000 - rev 471282
Push 112909 by rgurzau@mozilla.com at Thu, 25 Apr 2019 16:32:18 +0000
Bug 1512451 - Read OneCRL blocklist from security-states/onecrl r=jcj,mgoodwin,glasserc Read OneCRL blocklist from security-states/onecrl Differential Revision: https://phabricator.services.mozilla.com/D23645
a19d696f96fbf2375fbf3cf107a3d974262a7d5e: Bug 1512451 - Read OneCRL blocklist from security-states/onecrl r=jcj,mgoodwin,glasserc
Mathieu Leplatre <mathieu@mozilla.com> - Tue, 23 Apr 2019 18:40:40 +0000 - rev 470781
Push 112879 by aciure@mozilla.com at Wed, 24 Apr 2019 04:31:08 +0000
Bug 1512451 - Read OneCRL blocklist from security-states/onecrl r=jcj,mgoodwin,glasserc Read OneCRL blocklist from security-states/onecrl Differential Revision: https://phabricator.services.mozilla.com/D23645
8855bf5ed33f745cadfbd59870e997cae6f3d2ca: Bug 1536773 - WebAuthn does not return userHandle back during Authentication r=jcj
Akshay Kumar <akshay.sonu@gmail.com> - Thu, 21 Mar 2019 11:37:07 +0000 - rev 468178
Push 112692 by shindli@mozilla.com at Fri, 05 Apr 2019 21:53:39 +0000
Bug 1536773 - WebAuthn does not return userHandle back during Authentication r=jcj Differential Revision: https://phabricator.services.mozilla.com/D24189
d1814ba5bb8e0b5716c4eb728ca3a6e9aa305fcc: Bug 1539415 - make nsICertStorage (cert_storage) asynchronous for functions called from the main thread r=jcj,mgoodwin
Dana Keeler <dkeeler@mozilla.com> - Wed, 03 Apr 2019 23:24:19 +0000 - rev 467874
Push 112658 by aciure@mozilla.com at Thu, 04 Apr 2019 04:41:45 +0000
Bug 1539415 - make nsICertStorage (cert_storage) asynchronous for functions called from the main thread r=jcj,mgoodwin The Set* functions of nsICertStorage (SetRevocationByIssuerAndSerial, SetRevocationBySubjectAndPubKey, SetEnrollment, and SetWhitelist) are called on the main thread by the implementations that manage consuming remote security information. We don't want to block the main thread, so this patch modifies these functions to take a callback that will be called (on the original thread) when the operation in question has been completed on a background thread. The Get* functions of nsICertStorage (GetRevocationState, GetEnrollmentState, and GetWhitelistState) should only be called off the main thread. For the most part they are, but there are at least two main-thread certificate verifications that can cause these functions to be called on the main thread. These instances are in nsSiteSecurityService::ProcessPKPHeader and ContentSignatureVerifier::CreateContextInternal and will be dealt with in bug 1406854 and bug 1534600, respectively. Differential Revision: https://phabricator.services.mozilla.com/D25174
44f7c1b809eeee7a0f5f5611cca47c7d2da5f8d7: Bug 1538250 - follow-up to remove xperf_whitelist.json entry r=jcj
Dana Keeler <dkeeler@mozilla.com> - Thu, 28 Mar 2019 17:05:04 +0000 - rev 466643
Push 112592 by ncsoregi@mozilla.com at Fri, 29 Mar 2019 05:30:21 +0000
Bug 1538250 - follow-up to remove xperf_whitelist.json entry r=jcj Differential Revision: https://phabricator.services.mozilla.com/D25250
3d4f7e72dadb643ba57214bdf4a8cf6d1bbe217d: bug 1538250 - lazily open DB in cert_storage to avoid main-thread I/O r=jcj
Dana Keeler <dkeeler@mozilla.com> - Wed, 27 Mar 2019 19:35:31 +0000 - rev 466461
Push 112585 by opoprus@mozilla.com at Thu, 28 Mar 2019 10:26:17 +0000
bug 1538250 - lazily open DB in cert_storage to avoid main-thread I/O r=jcj After initialization (which happens on the main thread because we need to access preferences), cert_storage will first be used on a certificate verification thread. We can use this to avoid main-thread I/O by lazily opening the DB when it first gets used rather than at initialization. Differential Revision: https://phabricator.services.mozilla.com/D24998
6937e95afc2e74a90282ae709040ef90b879533d: Bug 1536097 - Part 5 - convert AttestationConveyancePreference to use ParamTraits for deserialization; r=jcj
Alex Gaynor <agaynor@mozilla.com> - Tue, 19 Mar 2019 23:25:35 +0000 - rev 465257
Push 112496 by shindli@mozilla.com at Thu, 21 Mar 2019 04:37:39 +0000
Bug 1536097 - Part 5 - convert AttestationConveyancePreference to use ParamTraits for deserialization; r=jcj Depends on D24065 Differential Revision: https://phabricator.services.mozilla.com/D24066
e516a5f9e905add224dc3bba0efd39448758ddf4: Bug 1536097 - Part 4 - convert UserVerificationRequirement to use ParamTraits for deserialization; r=jcj
Alex Gaynor <agaynor@mozilla.com> - Tue, 19 Mar 2019 23:25:47 +0000 - rev 465256
Push 112496 by shindli@mozilla.com at Thu, 21 Mar 2019 04:37:39 +0000
Bug 1536097 - Part 4 - convert UserVerificationRequirement to use ParamTraits for deserialization; r=jcj Depends on D24064 Differential Revision: https://phabricator.services.mozilla.com/D24065
a41f369384368b0863dded39fb9f308ad35f1df6: Bug 1536097 - Part 3 - convert WebAuthnMaybeGetAssertionExtraInfo to use a native IPDL maybe; r=jcj
Alex Gaynor <agaynor@mozilla.com> - Tue, 19 Mar 2019 23:26:00 +0000 - rev 465255
Push 112496 by shindli@mozilla.com at Thu, 21 Mar 2019 04:37:39 +0000
Bug 1536097 - Part 3 - convert WebAuthnMaybeGetAssertionExtraInfo to use a native IPDL maybe; r=jcj Depends on D24063 Differential Revision: https://phabricator.services.mozilla.com/D24064
fd19320348e24f246bf96477e90c06960d45f06a: Bug 1536097 - Part 2 - convert WebAuthnMaybeMakeCredentialExtraInfo to use a native IPDL maybe; r=jcj
Alex Gaynor <agaynor@mozilla.com> - Tue, 19 Mar 2019 23:26:20 +0000 - rev 465254
Push 112496 by shindli@mozilla.com at Thu, 21 Mar 2019 04:37:39 +0000
Bug 1536097 - Part 2 - convert WebAuthnMaybeMakeCredentialExtraInfo to use a native IPDL maybe; r=jcj Depends on D24062 Differential Revision: https://phabricator.services.mozilla.com/D24063
0aec0a2b5cb63943c82c5ddee03b1c4004c30f20: Bug 1536097 - Part 1 - convert WebAuthnMaybeAuthenticatorAttachment to use a native IPDL maybe and use ParamTraits for deserialization; r=jcj
Alex Gaynor <agaynor@mozilla.com> - Wed, 20 Mar 2019 15:23:44 +0000 - rev 465253
Push 112496 by shindli@mozilla.com at Thu, 21 Mar 2019 04:37:39 +0000
Bug 1536097 - Part 1 - convert WebAuthnMaybeAuthenticatorAttachment to use a native IPDL maybe and use ParamTraits for deserialization; r=jcj Differential Revision: https://phabricator.services.mozilla.com/D24062
5514aae0e34e81b39a88447094a34e13c0d74aac: Bug 1429796 - cert_storage: create rkv environment and store only once to avoid races r=mgoodwin,jcj
Dana Keeler <dkeeler@mozilla.com> - Wed, 20 Mar 2019 00:01:47 +0000 - rev 465244
Push 112496 by shindli@mozilla.com at Thu, 21 Mar 2019 04:37:39 +0000
Bug 1429796 - cert_storage: create rkv environment and store only once to avoid races r=mgoodwin,jcj This patch also base64-decodes the API inputs before storing in the DB in anticipation of being able to pass binary data directly (bug 1535752). This patch additionally whitelists the DB backing file in talos. Differential Revision: https://phabricator.services.mozilla.com/D23430
b0d08863f7a5fc08a3c0709b5e7151d80ae18261: Bug 1429796 - cert_storage: create rkv environment and store only once to avoid races r=mgoodwin,jcj
Dana Keeler <dkeeler@mozilla.com> - Mon, 18 Mar 2019 20:08:30 +0000 - rev 465080
Push 112493 by opoprus@mozilla.com at Wed, 20 Mar 2019 11:12:22 +0000
Bug 1429796 - cert_storage: create rkv environment and store only once to avoid races r=mgoodwin,jcj This patch also base64-decodes the API inputs before storing in the DB in anticipation of being able to pass binary data directly (bug 1535752). Differential Revision: https://phabricator.services.mozilla.com/D23430
143fe24df3a9ffb261f2684cd00bd3929f57bf71: bug 1515608 - allow end-entity certificates to be trust anchors for compatibility r=jcj
Dana Keeler <dkeeler@mozilla.com> - Mon, 18 Mar 2019 20:01:02 +0000 - rev 464916
Push 112485 by dvarga@mozilla.com at Tue, 19 Mar 2019 09:58:30 +0000
bug 1515608 - allow end-entity certificates to be trust anchors for compatibility r=jcj Differential Revision: https://phabricator.services.mozilla.com/D23240
bfe72a7c57bde0d1825ba43cbd9afa34d03ed00d: Bug 1528097 U2F doesn't work on Windows 10 19H1/20H1 Insider builds r=jcj,keeler
Akshay Kumar <akshay.sonu@gmail.com> - Wed, 06 Mar 2019 22:59:29 +0000 - rev 462882
Push 112349 by aiakab@mozilla.com at Thu, 07 Mar 2019 22:20:12 +0000
Bug 1528097 U2F doesn't work on Windows 10 19H1/20H1 Insider builds r=jcj,keeler Differential Revision: https://phabricator.services.mozilla.com/D22343
dd200b211b4adbbf149096dcf7341576384c5129: bug 1521983 - remove some unused certificate pinning telemetry probes r=jcj,ulfr
Dana Keeler <dkeeler@mozilla.com> - Mon, 04 Mar 2019 20:30:47 +0000 - rev 462293
Push 112291 by aciure@mozilla.com at Tue, 05 Mar 2019 04:24:51 +0000
bug 1521983 - remove some unused certificate pinning telemetry probes r=jcj,ulfr Differential Revision: https://phabricator.services.mozilla.com/D19731
ce7738b3a35df45b1984a8fccec773cc3a429325: Bug 1528097 : Fix FIDO U2F support on Windows 10 19H1/20H1 Insider builds r=keeler,jcj
Akshay Kumar <akshay.sonu@gmail.com> - Mon, 04 Mar 2019 20:07:24 +0000 - rev 462291
Push 112291 by aciure@mozilla.com at Tue, 05 Mar 2019 04:24:51 +0000
Bug 1528097 : Fix FIDO U2F support on Windows 10 19H1/20H1 Insider builds r=keeler,jcj U2F support, behind the `security.webauth.u2f` pref and exposed by `dom/u2f/U2F.cpp`, was broken when using Windows Hello, as the correct options for compatibility weren't set. This patch sets up Windows Hello to handle U2F-protocol backward compatibility properly. Differential Revision: https://phabricator.services.mozilla.com/D21844
825dfac611b25553f36ee0da6d7e5b043087b7e3: bug 1435858 - add a canary test that will fail before all of the test certificates expire r=Alex_Gaynor,jcj
Dana Keeler <dkeeler@mozilla.com> - Mon, 25 Feb 2019 22:51:47 +0000 - rev 461086
Push 112155 by shindli@mozilla.com at Tue, 26 Feb 2019 10:20:59 +0000
bug 1435858 - add a canary test that will fail before all of the test certificates expire r=Alex_Gaynor,jcj This test should remind us to regenerate the test certificates next year before they actually expire. Differential Revision: https://phabricator.services.mozilla.com/D21065
3a11dd127e2c2384564cf162cc73b31c3e525e35: Bug 1456089 - Make a tutorial out of the genpgocerts.py README. r=jcj
Johann Hofmann <jhofmann@mozilla.com> - Mon, 25 Feb 2019 21:06:41 +0000 - rev 461025
Push 112146 by nerli@mozilla.com at Tue, 26 Feb 2019 04:26:08 +0000
Bug 1456089 - Make a tutorial out of the genpgocerts.py README. r=jcj Differential Revision: https://phabricator.services.mozilla.com/D20178
77eb18940eb116616c0a8b5e252823879a4b3655: bug 1526004 - enterprise certs: differentiate between intermediates and roots on MacOS r=jcj,spohl
Dana Keeler <dkeeler@mozilla.com> - Fri, 22 Feb 2019 18:46:21 +0000 - rev 460660
Push 112104 by rmaries@mozilla.com at Sat, 23 Feb 2019 04:28:17 +0000
bug 1526004 - enterprise certs: differentiate between intermediates and roots on MacOS r=jcj,spohl Differential Revision: https://phabricator.services.mozilla.com/D19721
b3b7eeec7aa1785d23232844d2cfdc366afb73fa: Bug 1528492 - Add cbor-cpp to the thirdparty list r=jcj
Sylvestre Ledru <sledru@mozilla.com> - Sun, 17 Feb 2019 01:03:40 +0000 - rev 459709
Push 111989 by dluca@mozilla.com at Sun, 17 Feb 2019 10:51:35 +0000
Bug 1528492 - Add cbor-cpp to the thirdparty list r=jcj Depends on D20065 Differential Revision: https://phabricator.services.mozilla.com/D20066
427fa1eaa4afb82328cf50d3623c086cefe6d418: Bug 1528492 - Revert '1511181 - Reformat everything to the Google coding style' r=jcj
Sylvestre Ledru <sledru@mozilla.com> - Sun, 17 Feb 2019 00:54:15 +0000 - rev 459708
Push 111989 by dluca@mozilla.com at Sun, 17 Feb 2019 10:51:35 +0000
Bug 1528492 - Revert '1511181 - Reformat everything to the Google coding style' r=jcj Differential Revision: https://phabricator.services.mozilla.com/D20065
f72ae300612f1ecfc83bcceb60b5c5a7719087c5: Bug 1527600 - Update moz.build files to use new bugzilla component 'Core :: DOM: Web Authentication' r=jcj
Sebastian Hengst <archaeopteryx@coole-files.de> - Wed, 13 Feb 2019 14:22:06 +0000 - rev 458910
Push 111902 by shindli@mozilla.com at Wed, 13 Feb 2019 21:37:05 +0000
Bug 1527600 - Update moz.build files to use new bugzilla component 'Core :: DOM: Web Authentication' r=jcj Differential Revision: https://phabricator.services.mozilla.com/D19659
c8e523ac7349df2b579b31c74174f0760eefe7f2: bug 1473573 - import intermediate certificates as well as roots r=jcj
Dana Keeler <dkeeler@mozilla.com> - Tue, 12 Feb 2019 18:23:25 +0000 - rev 458778
Push 111893 by opoprus@mozilla.com at Wed, 13 Feb 2019 10:39:30 +0000
bug 1473573 - import intermediate certificates as well as roots r=jcj Differential Revision: https://phabricator.services.mozilla.com/D18630
7168320522bb4ba749c89007972513b53e00c469: bug 1526007 - don't return early from NSSCertDBTrustDomain::FindIssuer if NSS doesn't find any candidate issuers r=jcj
Dana Keeler <dkeeler@mozilla.com> - Thu, 07 Feb 2019 21:52:18 +0000 - rev 458313
Push 111810 by nbeleuzu@mozilla.com at Sat, 09 Feb 2019 03:46:47 +0000
bug 1526007 - don't return early from NSSCertDBTrustDomain::FindIssuer if NSS doesn't find any candidate issuers r=jcj As of bug 1514118, NSS is not the only place NSSCertDBTrustDomain looks for issuer certificates. However, the initial implementation did not take into account that NSSCertDBTrustDomain::FindIssuer would return early if NSS did not find candidate issuers, resulting in unknown issuer errors for third party roots. This patch fixes that bug by not returning early. Differential Revision: https://phabricator.services.mozilla.com/D19058
6e14d77dce8ceea07ed8b780bd75b6dc11ecfc80: Bug 1526473, Export NSS_CMSSignedData_GetDigestAlgs and NSS_CMSSignedData_HasDigests in security/nss.symbols, r=jcj
Kai Engert <kaie@kuix.de> - Sat, 09 Feb 2019 03:35:00 +0100 - rev 458281
Push 111808 by kaie@kuix.de at Sat, 09 Feb 2019 02:35:17 +0000
Bug 1526473, Export NSS_CMSSignedData_GetDigestAlgs and NSS_CMSSignedData_HasDigests in security/nss.symbols, r=jcj