Date:      Sat, 16 Feb 2013 14:11:14 GMT
From:      svn-freebsd-gecko@chruetertee.ch
To:        freebsd-gecko@freebsd.org
Subject:   [SVN-Commit] r1171 - in trunk: security/nss/files www/firefox-nightly/files
Message-ID:  <201302161411.r1GEBEQm096043@trillian.chruetertee.ch>

Author: jbeich
Date: Sat Feb 16 14:11:14 2013
New Revision: 1171

Log:
move r1157 workaround back to Nightly

Added:
   trunk/www/firefox-nightly/files/patch-bug834091
Deleted:
   trunk/security/nss/files/patch-bug834091

Deleted: trunk/security/nss/files/patch-bug834091
==============================================================================
--- trunk/security/nss/files/patch-bug834091	Sat Feb 16 14:11:14 2013	(r1170)
+++ /dev/null	00:00:00 1970	(deleted)
@@ -1,150 +0,0 @@
-commit 8d8975b
-Author: Carmen Jiménez Cabezas <macajc@gmail.com>
-Date:   Fri Jan 25 15:36:36 2013 -0800
-
-    Bug 834091: Verify certificate chain for signed B2G apps as of the current time (now) instead of the signing time, r=bsmith
-    
-    --HG--
-    extra : amend_source : 86d8ca2b28259aaf41983740b809ef8a51befc4f
-    extra : rebase_source : e5a1c1199756e929f14852f5c83ba28d097449f4
----
- .../manager/ssl/src/JARSignatureVerification.cpp   |   6 +-
- security/nss/lib/pkcs7/p7decode.c                  |  41 +++-
- security/nss/lib/pkcs7/secpkcs7.h                  |  17 ++
- security/nss/lib/smime/smime.def                   |   6 +
- security/patches/README                            |   4 +
- security/patches/bug-834091.patch                  | 216 +++++++++++++++++++++
- 6 files changed, 281 insertions(+), 9 deletions(-)
-
-diff --git lib/pkcs7/p7decode.c lib/pkcs7/p7decode.c
-index d0d02d7..dc3339a 100644
---- lib/pkcs7/p7decode.c
-+++ lib/pkcs7/p7decode.c
-@@ -1281,7 +1281,8 @@ sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
- 			   SECCertUsage certusage,
- 			   const SECItem *detached_digest,
- 			   HASH_HashType digest_type,
--			   PRBool keepcerts)
-+			   PRBool keepcerts,
-+			   PRTime atTime)
- {
-     SECAlgorithmID **digestalgs, *bulkid;
-     const SECItem *digest;
-@@ -1299,7 +1300,8 @@ sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
-     SECItem *content_type;
-     PK11SymKey *sigkey;
-     SECItem *encoded_stime;
--    int64 stime;
-+    PRTime stime;
-+    PRTime verificationTime;
-     SECStatus rv;
- 
-     /*
-@@ -1436,8 +1438,10 @@ sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
-      * in a time (and for non-S/MIME callers to pass in nothing, or
-      * maybe make them pass in the current time, always?).
-      */
-+    verificationTime = atTime ? atTime
-+			      : (encoded_stime ? stime : PR_Now());
-     if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage,
--			 encoded_stime != NULL ? stime : PR_Now(),
-+			 verificationTime,
- 			 cinfo->pwfn_arg, NULL) != SECSuccess)
- 	{
- 	/*
-@@ -1757,7 +1761,7 @@ SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo,
- 			 PRBool keepcerts)
- {
-     return sec_pkcs7_verify_signature (cinfo, certusage,
--				       NULL, HASH_AlgNULL, keepcerts);
-+				       NULL, HASH_AlgNULL, keepcerts, 0);
- }
- 
- /*
-@@ -1779,9 +1783,34 @@ SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
- {
-     return sec_pkcs7_verify_signature (cinfo, certusage,
- 				       detached_digest, digest_type,
--				       keepcerts);
-+				       keepcerts, 0);
- }
- 
-+/*
-+ * SEC_PKCS7VerifyDetachedSignatureAtTime
-+ *      Look at a PKCS7 contentInfo and check if the signature matches
-+ *      a passed-in digest (calculated, supposedly, from detached contents).
-+ *      The verification checks that the signing cert is valid and trusted
-+ *      for the purpose specified by "certusage" at time "atTime"
-+ *      if "atTime" is non-zero, or at the current time (as returned by
-+ *      PR_Now) otherwise.
-+ */
-+PRBool
-+SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo,
-+				       SECCertUsage certusage,
-+				       const SECItem *detached_digest,
-+				       HASH_HashType digest_type,
-+				       PRBool keepcerts,
-+				       PRTime atTime)
-+{
-+    if (!atTime) {
-+	atTime = PR_Now();
-+    }
-+
-+    return sec_pkcs7_verify_signature (cinfo, certusage,
-+				       detached_digest, digest_type,
-+				       keepcerts, atTime);
-+}
- 
- /*
-  * Return the asked-for portion of the name of the signer of a PKCS7
-@@ -1844,7 +1873,7 @@ sec_pkcs7_get_signer_cert_info(SEC_PKCS7ContentInfo *cinfo, int selector)
- 	 * some valid usage to pass in.
- 	 */
- 	(void) sec_pkcs7_verify_signature (cinfo, certUsageEmailSigner,
--					   NULL, HASH_AlgNULL, PR_FALSE);
-+					   NULL, HASH_AlgNULL, PR_FALSE, 0);
- 	signercert = signerinfos[0]->cert;
- 	if (signercert == NULL)
- 	    return NULL;
-diff --git lib/pkcs7/secpkcs7.h lib/pkcs7/secpkcs7.h
-index a50f5ae..d1dd7b9 100644
---- lib/pkcs7/secpkcs7.h
-+++ lib/pkcs7/secpkcs7.h
-@@ -133,6 +133,23 @@ extern PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
- 					       HASH_HashType digest_type,
- 					       PRBool keepcerts);
- 
-+
-+/*
-+ * SEC_PKCS7VerifyDetachedSignatureAtTime
-+ *      Look at a PKCS7 contentInfo and check if the signature matches
-+ *      a passed-in digest (calculated, supposedly, from detached contents).
-+ *      The verification checks that the signing cert is valid and trusted
-+ *      for the purpose specified by "certusage" at time "atTime"
-+ *      if "atTime" is non-zero, or at the current time (as returned by
-+ *      PR_Now) otherwise.
-+ */
-+extern PRBool SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo,
-+						     SECCertUsage certusage,
-+						     const SECItem *detached_digest,
-+						     HASH_HashType digest_type,
-+						     PRBool keepcerts,
-+						     PRTime atTime);
-+
- /*
-  * SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress
-  *      The passed-in contentInfo is espected to be Signed, and these
-diff --git lib/smime/smime.def lib/smime/smime.def
-index 623eaa4..b205d1c 100644
---- lib/smime/smime.def
-+++ lib/smime/smime.def
-@@ -267,3 +267,9 @@ NSSSMIME_GetVersion;
- ;+    local:
- ;+       *;
- ;+};
-+;+NSS_3.14.2 {    # NSS 3.14.2 release
-+;+    global:
-+SEC_PKCS7VerifyDetachedSignatureAtTime;
-+;+    local:
-+;+       *;
-+;+};

Added: trunk/www/firefox-nightly/files/patch-bug834091
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ trunk/www/firefox-nightly/files/patch-bug834091	Sat Feb 16 14:11:14 2013	(r1171)
@@ -0,0 +1,35 @@
+commit 8d8975b
+Author: Carmen Jiménez Cabezas <macajc@gmail.com>
+Date:   Fri Jan 25 15:36:36 2013 -0800
+
+    Bug 834091: Verify certificate chain for signed B2G apps as of the current time (now) instead of the signing time, r=bsmith
+    
+    --HG--
+    extra : amend_source : 86d8ca2b28259aaf41983740b809ef8a51befc4f
+    extra : rebase_source : e5a1c1199756e929f14852f5c83ba28d097449f4
+---
+ .../manager/ssl/src/JARSignatureVerification.cpp   |   6 +-
+ security/nss/lib/pkcs7/p7decode.c                  |  41 +++-
+ security/nss/lib/pkcs7/secpkcs7.h                  |  17 ++
+ security/nss/lib/smime/smime.def                   |   6 +
+ security/patches/README                            |   4 +
+ security/patches/bug-834091.patch                  | 216 +++++++++++++++++++++
+ 6 files changed, 281 insertions(+), 9 deletions(-)
+
+diff --git security/manager/ssl/src/JARSignatureVerification.cpp security/manager/ssl/src/JARSignatureVerification.cpp
+index d0a8b98..8e694d3 100644
+--- security/manager/ssl/src/JARSignatureVerification.cpp
++++ security/manager/ssl/src/JARSignatureVerification.cpp
+@@ -586,9 +586,9 @@
+   }
+ 
+   // Verify that the signature file is a valid signature of the SF file
+-  if (!SEC_PKCS7VerifyDetachedSignatureAtTime(p7_info, certUsageObjectSigner,
+-                                              &sfCalculatedDigest.get(),
+-                                              HASH_AlgSHA1, false, PR_Now())) {
++  if (!SEC_PKCS7VerifyDetachedSignature(p7_info, certUsageObjectSigner,
++                                        &sfCalculatedDigest.get(), HASH_AlgSHA1,
++                                        false)) {
+     PRErrorCode error = PR_GetError();
+     const char * errorName = PR_ErrorToName(error);
+     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Failed to verify detached signature: %s",
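Review bot: The header of this patch file still carries the upstream commit message for Bug 834091 ("verify ... as of the current time"), but the one hunk kept does the reverse: it replaces `SEC_PKCS7VerifyDetachedSignatureAtTime(..., PR_Now())` with `SEC_PKCS7VerifyDetachedSignature(...)`. Judging by the p7decode.c change deleted in this same revision, that call passes `atTime` as 0, so the signer's chain is checked at the signing time recorded in the signature when one is present. A signer certificate that has expired since signing would therefore presumably still be accepted for signed apps in Nightly. A header line in the patch file would make this visible, for example `# Reverse of bug 834091: system NSS lacks SEC_PKCS7VerifyDetachedSignatureAtTime; drop once security/nss exports it (NSS 3.14.2 per smime.def)`. The enclosing function in JARSignatureVerification.cpp starts and ends outside the inner hunk, so how the failure branch is handled cannot be checked from here.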


