gecko/security/patches/bug-834091.patch
Kai Engert 22f8a7ad49 Bug 834741, landing final NSPR 4.9.5 and final NSS 3.14.2, r=wtc.
Keeping the locally applied patch, but bumping its version tag, to indicate it hasn't been part of an official NSS release yet.
2013-02-01 00:31:20 +01:00

217 lines
7.6 KiB
Diff

Index: security/nss/lib/pkcs7/p7decode.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/pkcs7/p7decode.c,v
retrieving revision 1.31
diff -u -8 -p -r1.31 p7decode.c
--- security/nss/lib/pkcs7/p7decode.c 12 Dec 2012 19:25:36 -0000 1.31
+++ security/nss/lib/pkcs7/p7decode.c 25 Jan 2013 23:22:54 -0000
@@ -1276,17 +1276,18 @@ SEC_PKCS7ContentIsSigned(SEC_PKCS7Conten
* there should be NO authenticatedAttributes (signerinfo->authAttr should
* be NULL).
*/
static PRBool
sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
SECCertUsage certusage,
const SECItem *detached_digest,
HASH_HashType digest_type,
- PRBool keepcerts)
+ PRBool keepcerts,
+ PRTime atTime)
{
SECAlgorithmID **digestalgs, *bulkid;
const SECItem *digest;
SECItem **digests;
SECItem **rawcerts;
CERTSignedCrl **crls;
SEC_PKCS7SignerInfo **signerinfos, *signerinfo;
CERTCertificate *cert, **certs;
@@ -1294,17 +1295,18 @@ sec_pkcs7_verify_signature(SEC_PKCS7Cont
CERTCertDBHandle *certdb, *defaultdb;
SECOidTag encTag,digestTag;
HASH_HashType found_type;
int i, certcount;
SECKEYPublicKey *publickey;
SECItem *content_type;
PK11SymKey *sigkey;
SECItem *encoded_stime;
- int64 stime;
+ PRTime stime;
+ PRTime verificationTime;
SECStatus rv;
/*
* Everything needed in order to "goto done" safely.
*/
goodsig = PR_FALSE;
certcount = 0;
cert = NULL;
@@ -1431,18 +1433,20 @@ sec_pkcs7_verify_signature(SEC_PKCS7Cont
/*
* XXX This uses the signing time, if available. Additionally, we
* might want to, if there is no signing time, get the message time
* from the mail header itself, and use that. That would require
* a change to our interface though, and for S/MIME callers to pass
* in a time (and for non-S/MIME callers to pass in nothing, or
* maybe make them pass in the current time, always?).
*/
+ verificationTime = atTime ? atTime
+ : (encoded_stime ? stime : PR_Now());
if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage,
- encoded_stime != NULL ? stime : PR_Now(),
+ verificationTime,
cinfo->pwfn_arg, NULL) != SECSuccess)
{
/*
* XXX Give the user an option to check the signature anyway?
* If we want to do this, need to give a way to leave and display
* some dialog and get the answer and come back through (or do
* the rest of what we do below elsewhere, maybe by putting it
* in a function that we call below and could call from a dialog
@@ -1752,17 +1756,17 @@ done:
* into our local database.
*/
PRBool
SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo,
SECCertUsage certusage,
PRBool keepcerts)
{
return sec_pkcs7_verify_signature (cinfo, certusage,
- NULL, HASH_AlgNULL, keepcerts);
+ NULL, HASH_AlgNULL, keepcerts, 0);
}
/*
* SEC_PKCS7VerifyDetachedSignature
* Look at a PKCS7 contentInfo and check if the signature matches
* a passed-in digest (calculated, supposedly, from detached contents).
* The verification checks that the signing cert is valid and trusted
* for the purpose specified by "certusage".
@@ -1774,19 +1778,44 @@ PRBool
SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
SECCertUsage certusage,
const SECItem *detached_digest,
HASH_HashType digest_type,
PRBool keepcerts)
{
return sec_pkcs7_verify_signature (cinfo, certusage,
detached_digest, digest_type,
- keepcerts);
+ keepcerts, 0);
}
+/*
+ * SEC_PKCS7VerifyDetachedSignatureAtTime
+ * Look at a PKCS7 contentInfo and check if the signature matches
+ * a passed-in digest (calculated, supposedly, from detached contents).
+ * The verification checks that the signing cert is valid and trusted
+ * for the purpose specified by "certusage" at time "atTime"
+ * if "atTime" is non-zero, or at the current time (as returned by
+ * PR_Now) otherwise.
+ */
+PRBool
+SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo,
+ SECCertUsage certusage,
+ const SECItem *detached_digest,
+ HASH_HashType digest_type,
+ PRBool keepcerts,
+ PRTime atTime)
+{
+ if (!atTime) {
+ atTime = PR_Now();
+ }
+
+ return sec_pkcs7_verify_signature (cinfo, certusage,
+ detached_digest, digest_type,
+ keepcerts, atTime);
+}
/*
* Return the asked-for portion of the name of the signer of a PKCS7
* signed object.
*
* Returns a pointer to allocated memory, which must be freed.
* A NULL return value is an error.
*/
@@ -1839,17 +1868,17 @@ sec_pkcs7_get_signer_cert_info(SEC_PKCS7
*/
if (signercert == NULL) {
/*
* The cert usage does not matter in this case, because we do not
* actually care about the verification itself, but we have to pick
* some valid usage to pass in.
*/
(void) sec_pkcs7_verify_signature (cinfo, certUsageEmailSigner,
- NULL, HASH_AlgNULL, PR_FALSE);
+ NULL, HASH_AlgNULL, PR_FALSE, 0);
signercert = signerinfos[0]->cert;
if (signercert == NULL)
return NULL;
}
switch (selector) {
case sec_common_name:
container = CERT_GetCommonName (&signercert->subject);
Index: security/nss/lib/pkcs7/secpkcs7.h
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/pkcs7/secpkcs7.h,v
retrieving revision 1.10
diff -u -8 -p -r1.10 secpkcs7.h
--- security/nss/lib/pkcs7/secpkcs7.h 27 Nov 2012 22:48:08 -0000 1.10
+++ security/nss/lib/pkcs7/secpkcs7.h 25 Jan 2013 23:22:54 -0000
@@ -128,16 +128,33 @@ extern PRBool SEC_PKCS7VerifySignature(S
* into our local database.
*/
extern PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
SECCertUsage certusage,
const SECItem *detached_digest,
HASH_HashType digest_type,
PRBool keepcerts);
+
+/*
+ * SEC_PKCS7VerifyDetachedSignatureAtTime
+ * Look at a PKCS7 contentInfo and check if the signature matches
+ * a passed-in digest (calculated, supposedly, from detached contents).
+ * The verification checks that the signing cert is valid and trusted
+ * for the purpose specified by "certusage" at time "atTime"
+ * if "atTime" is non-zero, or at the current time (as returned by
+ * PR_Now) otherwise.
+ */
+extern PRBool SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo,
+ SECCertUsage certusage,
+ const SECItem *detached_digest,
+ HASH_HashType digest_type,
+ PRBool keepcerts,
+ PRTime atTime);
+
/*
* SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress
* The passed-in contentInfo is espected to be Signed, and these
* functions return the specified portion of the full signer name.
*
* Returns a pointer to allocated memory, which must be freed.
* A NULL return value is an error.
*/
Index: security/nss/lib/smime/smime.def
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/smime/smime.def,v
retrieving revision 1.39
diff -u -8 -p -r1.39 smime.def
--- security/nss/lib/smime/smime.def 25 Apr 2012 14:50:09 -0000 1.39
+++ security/nss/lib/smime/smime.def 25 Jan 2013 23:22:54 -0000
@@ -262,8 +262,14 @@ NSS_Get_NSS_PointerToCMSGenericWrapperDa
;+ *;
;+};
;+NSS_3.13 { # NSS 3.13 release
;+ global:
NSSSMIME_GetVersion;
;+ local:
;+ *;
;+};
+;+NSS_3.14.3 { # NSS 3.14.3 release
+;+ global:
+SEC_PKCS7VerifyDetachedSignatureAtTime;
+;+ local:
+;+ *;
+;+};