f7aaf4ead845b8f25c43b5d075d32ec37db46057: Bug 1474887, skip NSS shutdown in error path, r=rrelyea
Kai Engert <kaie@kuix.de> - Mon, 23 Jul 2018 13:08:13 +0200 - rev 14426
Push 3143 by kaie@kuix.de at Mon, 23 Jul 2018 11:07:20 +0000
Bug 1474887, skip NSS shutdown in error path, r=rrelyea
d23206e032bd35a049b34d9a53224c13bbd68817: Bug 1475274, Provide a way to specify tokens by PKCS #11 URI, r=rrelyea
Daiki Ueno <dueno@redhat.com> - Mon, 23 Jul 2018 10:08:31 +0200 - rev 14425
Push 3142 by dueno@redhat.com at Mon, 23 Jul 2018 09:45:58 +0000
Bug 1475274, Provide a way to specify tokens by PKCS #11 URI, r=rrelyea Summary: This patch allows client applications to specify tokens unambiguously with PKCS #11 URI, instead of token name. It also includes a minor fixes to PKCS #11 URI handling that previously treated the scheme case sensitively. Reviewers: kaie, rrelyea Bug #: 1475274 Differential Revision: https://phabricator.services.mozilla.com/D2099
783d13e6d3458f291d2b1ae79c7e67bebfa931ed: Bug 1389967 In MinGW, work around a pointer to a function thunk disappearing when we unload nssckbi r=franziskus,dmajor
Tom Ritter <tom@mozilla.com> - Mon, 21 May 2018 10:40:31 -0500 - rev 14424
Push 3141 by franziskuskiefer@gmail.com at Mon, 23 Jul 2018 06:13:10 +0000
Bug 1389967 In MinGW, work around a pointer to a function thunk disappearing when we unload nssckbi r=franziskus,dmajor
8051656a6281e778d2e57ed86113401c9cc2875f: Bug 291383, certutil: Allow -F to delete orphaned private key, r=kaie
Daiki Ueno <dueno@redhat.com> - Fri, 20 Jul 2018 12:48:23 +0200 - rev 14423
Push 3140 by dueno@redhat.com at Fri, 20 Jul 2018 12:35:23 +0000
Bug 291383, certutil: Allow -F to delete orphaned private key, r=kaie Summary: This change makes it possible to remove orphaned private key with the `-F` command. Similarly to `-R` (bug 430198), it reads a key ID from `-k`. Reviewers: kaie Reviewed By: kaie Bug #: 291383 Differential Revision: https://phabricator.services.mozilla.com/D2094
a6d6a56b6e39558e9b6b0b32009a46ea78040bfd: Bug 1474887, nss-policy-check: a tool to check a NSS policy configuration for errors, r=rrelyea
Kai Engert <kaie@kuix.de> - Tue, 17 Jul 2018 12:29:34 +0200 - rev 14422
Push 3139 by kaie@kuix.de at Tue, 17 Jul 2018 10:28:47 +0000
Bug 1474887, nss-policy-check: a tool to check a NSS policy configuration for errors, r=rrelyea
1f58a4995451ac0bdb79b5e3117b365edec3af2d: Bug 1471985, abi-check, r=bustage
Daiki Ueno <dueno@redhat.com> - Mon, 16 Jul 2018 10:35:54 +0200 - rev 14421
Push 3138 by dueno@redhat.com at Mon, 16 Jul 2018 08:37:06 +0000
Bug 1471985, abi-check, r=bustage Remove the first two lines of abidiff output.
52057bba15149efc031a674bcf0721d412bdadf8: Bug 1471985, abi-check, r=bustage
Daiki Ueno <dueno@redhat.com> - Mon, 16 Jul 2018 10:28:57 +0200 - rev 14420
Push 3137 by dueno@redhat.com at Mon, 16 Jul 2018 08:29:42 +0000
Bug 1471985, abi-check, r=bustage
45d04cb67cdae29368e41cab4061f2e0da60563a: Bug 1471985, make SECKEY_Get{Public,Private}KeyType consistent on RSA-PSS, r=rrelyea,fkiefer
Daiki Ueno <dueno@redhat.com> - Mon, 16 Jul 2018 10:02:07 +0200 - rev 14419
Push 3136 by dueno@redhat.com at Mon, 16 Jul 2018 08:07:29 +0000
Bug 1471985, make SECKEY_Get{Public,Private}KeyType consistent on RSA-PSS, r=rrelyea,fkiefer Summary: In bug 1413596, we changed SECKEY_GetPrivateKeyType() to return rsaPssKey, if the private key is restricted to RSA-PSS when importing. Although the intention of this change was to extend the certutil output to provide more information about key types, it introduced inconsistency with the existing code, as SECKEY_GetPublicKeyType() still returns rsaKey. This patch partially revert the change and determine the actual (restricted) key type in a different way, using CERT_GetCertKeyType() and PK11_GetCertFromPrivateKey(). Reviewers: rrelyea, franziskus Reviewed By: franziskus Subscribers: franziskus Bug #: 1471985 Differential Revision: https://phabricator.services.mozilla.com/D1911
53c2ee896c572281557177545ec95a22a8c06b1e: Bug 1474875, Typo in policy handling for DTLS-VERSION-MAX, r=ueno
Kai Engert <kaie@kuix.de> - Fri, 13 Jul 2018 14:02:10 +0200 - rev 14418
Push 3135 by kaie@kuix.de at Fri, 13 Jul 2018 12:01:17 +0000
Bug 1474875, Typo in policy handling for DTLS-VERSION-MAX, r=ueno
d7ecf939b95789e2b0ce812f313aba552164b237: Bug 1444148 - clang-format, a=bustage
Martin Thomson <martin.thomson@gmail.com> - Wed, 11 Jul 2018 17:34:22 +1000 - rev 14417
Push 3134 by martin.thomson@gmail.com at Wed, 11 Jul 2018 07:39:00 +0000
Bug 1444148 - clang-format, a=bustage
5390480af11e392aaf3d81d1ec7a97b29830d6da: Bug 1471586 - Enable interop testing against boringssl, r=franziskus
Franziskus Kiefer <franziskuskiefer@gmail.com> - Wed, 11 Jul 2018 08:57:14 +0200 - rev 14416
Push 3133 by franziskuskiefer@gmail.com at Wed, 11 Jul 2018 06:59:33 +0000
Bug 1471586 - Enable interop testing against boringssl, r=franziskus Differential Revision: https://phabricator.services.mozilla.com/D1843
287370d1a9b6d8c3e879cbf7cdd3cfd67019bdb2: Fix clang issues. relyea
Robert Relyea <rrelyea@redhat.com> - Tue, 03 Jul 2018 15:11:52 -0700 - rev 14415
Push 3132 by rrelyea@redhat.com at Tue, 03 Jul 2018 22:12:09 +0000
Fix clang issues.
f4924bbe01926906b1b1f63e2dc2f8999e3032a4: close-relyea-branch relyea
Robert Relyea <rrelyea@redhat.com> - Tue, 03 Jul 2018 11:03:16 -0700 - rev 14414
Push 3131 by rrelyea@redhat.com at Tue, 03 Jul 2018 18:03:27 +0000
close-relyea-branch
247bf1dc31211e577c3f4335215d03ad63b289ad: Bug 1444148
Robert Relyea <rrelyea@redhat.com> - Tue, 03 Jul 2018 11:02:30 -0700 - rev 14413
Push 3131 by rrelyea@redhat.com at Tue, 03 Jul 2018 18:03:27 +0000
Bug 1444148 /cmd/fipstest needs KAS tests for ECC and DH r=kaie
ed450ac8ac6de3ca6173032507431d4dd933477c: Bug 1471126 - Rename SSL3ContentType and make it public, r=ekr
Martin Thomson <martin.thomson@gmail.com> - Tue, 26 Jun 2018 15:49:14 +1000 - rev 14412
Push 3130 by martin.thomson@gmail.com at Tue, 03 Jul 2018 05:08:41 +0000
Bug 1471126 - Rename SSL3ContentType and make it public, r=ekr The renaming here is less widespread than I expected. I removed the content_alt_handshake while I was at this; no point in putting that in a public API.
84f597eb95d1c43f3a57d6ad6e230accd29f6f0c: /cmd/fipstest needs KAS tests for ECC and DH relyea
Robert Relyea <rrelyea@redhat.com> - Mon, 02 Jul 2018 17:34:25 -0700 - rev 14411
Push 3129 by rrelyea@redhat.com at Tue, 03 Jul 2018 00:47:26 +0000
/cmd/fipstest needs KAS tests for ECC and DH r= kai Bug 1444148
c84a61acb17d8f53f6a6ea47ea91137265d18685: Bug 1469816, Update label for KeyUpdate to draft-28, r=mt
Daiki Ueno <dueno@redhat.com> - Wed, 20 Jun 2018 16:02:51 +0200 - rev 14410
Push 3128 by dueno@redhat.com at Wed, 27 Jun 2018 13:09:19 +0000
Bug 1469816, Update label for KeyUpdate to draft-28, r=mt
7a5ecfb8bf8c0ef4bf85ee23e48fdcdecef5e626: Bug 1427921 - Restore RSA-PSS support for TLS 1.2 and 1.3, r=ttaubert,ueno
Martin Thomson <martin.thomson@gmail.com> - Thu, 04 Jan 2018 17:47:14 +1100 - rev 14409
Push 3127 by martin.thomson@gmail.com at Tue, 26 Jun 2018 07:30:31 +0000
Bug 1427921 - Restore RSA-PSS support for TLS 1.2 and 1.3, r=ttaubert,ueno This adds support for the new codepoints that we added in TLS 1.3 draft -23. In short, the split between rsa_pss_rsae and rsa_pss_pss made our support for PSS inconsistent (we would generate only the former). This adds support for the rsa_pss_pss_shaX signature schemes. It does so by using the ssl_auth_rsa_pss codepoint, which I originally added, then we decided not to use because the generic RSA codepoints were enough at the time. Now, with the split on signature schemes, it isn't possible with the current certificate configuration APIs to have everything work with just ssl_auth_rsa_sign. We expect PSS keys to be configured alongside PKCS#1 keys and use SSLAuthType to distinguish them, but if we only use ssl_auth_rsa_sign, we can't find the right key when resuming. In this way, we are assigning certificates an SSLAuthType based on the type of the key and not the signature it has. That makes it cleaner than what we used to have, at least. That said, once we support signature_algorithms_cert extensions properly, we will not want to bucket certificates on the server. Instead, we will have a list and pick the first that matches, with no attempt to use types as we had. There are just too many ways in which a certificate might be chosen or not when you have to examine the entire chain. Of course, that's an even bigger change than this. The biggest change here is to attempt to determine the signature scheme based on the certificate SPKI. If that works, then we use that signature scheme, otherwise we fall back to the existing logic (which searches a list). For PSS with parameters and EC (EC only in TLS 1.3), there is just one signature scheme for a given SPKI, so that works out nicely. PSS without parameters, ECDSA, and older RSA certificates fall back to searching. I expect all future schemes to have just one scheme each, so it's a structure that I think supports that well.
93cbd336eaca4d3176a5330b86977b05862e1b31: Bug 1296263 - Add secmod flag to load policy files only, r=ueno
Robert Relyea <rrelyea@redhat.com> - Fri, 22 Jun 2018 10:17:10 +0200 - rev 14408
Push 3126 by dueno@redhat.com at Fri, 22 Jun 2018 10:34:56 +0000
Bug 1296263 - Add secmod flag to load policy files only, r=ueno When the library is initialized with NSS_NoDB_Init(), we really don't want to be loading any additional modules specified in the policy files. This patch adds a new "policyOnly" stanza in pkcs11.txt/secmod.db to bypass module loading.
d99e54ca9b6df33025ee9a196b8b942428bbff91: Bug 1296263 - Fix loading of PKCS#11 modules from system policy file, r=rrelyea
David Woodhouse <David.Woodhouse@intel.com> - Fri, 22 Jun 2018 10:14:10 +0200 - rev 14407
Push 3126 by dueno@redhat.com at Fri, 22 Jun 2018 10:34:56 +0000
Bug 1296263 - Fix loading of PKCS#11 modules from system policy file, r=rrelyea We currently load the policy file after calling STAN_LoadDefaultNSS3TrustDomain(), which causes problems because any tokens in the newly-added modules don't get initialised. Move it up by a few lines and fix up the indentation while we're at it.
(0) -10000 -3000 -1000 -300 -100 -50 -20 +20 +50 +100 +300 +1000 tip