diff --git a/bug-834091.patch b/bug-834091.patch new file mode 100644 index 0000000..9243829 --- /dev/null +++ b/bug-834091.patch @@ -0,0 +1,216 @@ +Index: security/nss/lib/pkcs7/p7decode.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/pkcs7/p7decode.c,v +retrieving revision 1.31 +diff -u -8 -p -r1.31 p7decode.c +--- security/nss/lib/pkcs7/p7decode.c 12 Dec 2012 19:25:36 -0000 1.31 ++++ security/nss/lib/pkcs7/p7decode.c 25 Jan 2013 23:22:54 -0000 +@@ -1276,17 +1276,18 @@ SEC_PKCS7ContentIsSigned(SEC_PKCS7Conten + * there should be NO authenticatedAttributes (signerinfo->authAttr should + * be NULL). + */ + static PRBool + sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo, + SECCertUsage certusage, + const SECItem *detached_digest, + HASH_HashType digest_type, +- PRBool keepcerts) ++ PRBool keepcerts, ++ PRTime atTime) + { + SECAlgorithmID **digestalgs, *bulkid; + const SECItem *digest; + SECItem **digests; + SECItem **rawcerts; + CERTSignedCrl **crls; + SEC_PKCS7SignerInfo **signerinfos, *signerinfo; + CERTCertificate *cert, **certs; +@@ -1294,17 +1295,18 @@ sec_pkcs7_verify_signature(SEC_PKCS7Cont + CERTCertDBHandle *certdb, *defaultdb; + SECOidTag encTag,digestTag; + HASH_HashType found_type; + int i, certcount; + SECKEYPublicKey *publickey; + SECItem *content_type; + PK11SymKey *sigkey; + SECItem *encoded_stime; +- int64 stime; ++ PRTime stime; ++ PRTime verificationTime; + SECStatus rv; + + /* + * Everything needed in order to "goto done" safely. + */ + goodsig = PR_FALSE; + certcount = 0; + cert = NULL; +@@ -1431,18 +1433,20 @@ sec_pkcs7_verify_signature(SEC_PKCS7Cont + /* + * XXX This uses the signing time, if available. Additionally, we + * might want to, if there is no signing time, get the message time + * from the mail header itself, and use that. That would require + * a change to our interface though, and for S/MIME callers to pass + * in a time (and for non-S/MIME callers to pass in nothing, or + * maybe make them pass in the current time, always?). + */ ++ verificationTime = atTime ? atTime ++ : (encoded_stime ? stime : PR_Now()); + if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, +- encoded_stime != NULL ? stime : PR_Now(), ++ verificationTime, + cinfo->pwfn_arg, NULL) != SECSuccess) + { + /* + * XXX Give the user an option to check the signature anyway? + * If we want to do this, need to give a way to leave and display + * some dialog and get the answer and come back through (or do + * the rest of what we do below elsewhere, maybe by putting it + * in a function that we call below and could call from a dialog +@@ -1752,17 +1756,17 @@ done: + * into our local database. + */ + PRBool + SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo, + SECCertUsage certusage, + PRBool keepcerts) + { + return sec_pkcs7_verify_signature (cinfo, certusage, +- NULL, HASH_AlgNULL, keepcerts); ++ NULL, HASH_AlgNULL, keepcerts, 0); + } + + /* + * SEC_PKCS7VerifyDetachedSignature + * Look at a PKCS7 contentInfo and check if the signature matches + * a passed-in digest (calculated, supposedly, from detached contents). + * The verification checks that the signing cert is valid and trusted + * for the purpose specified by "certusage". +@@ -1774,19 +1778,44 @@ PRBool + SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo, + SECCertUsage certusage, + const SECItem *detached_digest, + HASH_HashType digest_type, + PRBool keepcerts) + { + return sec_pkcs7_verify_signature (cinfo, certusage, + detached_digest, digest_type, +- keepcerts); ++ keepcerts, 0); + } + ++/* ++ * SEC_PKCS7VerifyDetachedSignatureAtTime ++ * Look at a PKCS7 contentInfo and check if the signature matches ++ * a passed-in digest (calculated, supposedly, from detached contents). ++ * The verification checks that the signing cert is valid and trusted ++ * for the purpose specified by "certusage" at time "atTime" ++ * if "atTime" is non-zero, or at the current time (as returned by ++ * PR_Now) otherwise. ++ */ ++PRBool ++SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo, ++ SECCertUsage certusage, ++ const SECItem *detached_digest, ++ HASH_HashType digest_type, ++ PRBool keepcerts, ++ PRTime atTime) ++{ ++ if (!atTime) { ++ atTime = PR_Now(); ++ } ++ ++ return sec_pkcs7_verify_signature (cinfo, certusage, ++ detached_digest, digest_type, ++ keepcerts, atTime); ++} + + /* + * Return the asked-for portion of the name of the signer of a PKCS7 + * signed object. + * + * Returns a pointer to allocated memory, which must be freed. + * A NULL return value is an error. + */ +@@ -1839,17 +1868,17 @@ sec_pkcs7_get_signer_cert_info(SEC_PKCS7 + */ + if (signercert == NULL) { + /* + * The cert usage does not matter in this case, because we do not + * actually care about the verification itself, but we have to pick + * some valid usage to pass in. + */ + (void) sec_pkcs7_verify_signature (cinfo, certUsageEmailSigner, +- NULL, HASH_AlgNULL, PR_FALSE); ++ NULL, HASH_AlgNULL, PR_FALSE, 0); + signercert = signerinfos[0]->cert; + if (signercert == NULL) + return NULL; + } + + switch (selector) { + case sec_common_name: + container = CERT_GetCommonName (&signercert->subject); +Index: security/nss/lib/pkcs7/secpkcs7.h +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/pkcs7/secpkcs7.h,v +retrieving revision 1.10 +diff -u -8 -p -r1.10 secpkcs7.h +--- security/nss/lib/pkcs7/secpkcs7.h 27 Nov 2012 22:48:08 -0000 1.10 ++++ security/nss/lib/pkcs7/secpkcs7.h 25 Jan 2013 23:22:54 -0000 +@@ -128,16 +128,33 @@ extern PRBool SEC_PKCS7VerifySignature(S + * into our local database. + */ + extern PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo, + SECCertUsage certusage, + const SECItem *detached_digest, + HASH_HashType digest_type, + PRBool keepcerts); + ++ ++/* ++ * SEC_PKCS7VerifyDetachedSignatureAtTime ++ * Look at a PKCS7 contentInfo and check if the signature matches ++ * a passed-in digest (calculated, supposedly, from detached contents). ++ * The verification checks that the signing cert is valid and trusted ++ * for the purpose specified by "certusage" at time "atTime" ++ * if "atTime" is non-zero, or at the current time (as returned by ++ * PR_Now) otherwise. ++ */ ++extern PRBool SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo, ++ SECCertUsage certusage, ++ const SECItem *detached_digest, ++ HASH_HashType digest_type, ++ PRBool keepcerts, ++ PRTime atTime); ++ + /* + * SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress + * The passed-in contentInfo is espected to be Signed, and these + * functions return the specified portion of the full signer name. + * + * Returns a pointer to allocated memory, which must be freed. + * A NULL return value is an error. + */ +Index: security/nss/lib/smime/smime.def +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/smime/smime.def,v +retrieving revision 1.39 +diff -u -8 -p -r1.39 smime.def +--- security/nss/lib/smime/smime.def 25 Apr 2012 14:50:09 -0000 1.39 ++++ security/nss/lib/smime/smime.def 25 Jan 2013 23:22:54 -0000 +@@ -262,8 +262,14 @@ NSS_Get_NSS_PointerToCMSGenericWrapperDa + ;+ *; + ;+}; + ;+NSS_3.13 { # NSS 3.13 release + ;+ global: + NSSSMIME_GetVersion; + ;+ local: + ;+ *; + ;+}; ++;+NSS_3.14.3 { # NSS 3.14.3 release ++;+ global: ++SEC_PKCS7VerifyDetachedSignatureAtTime; ++;+ local: ++;+ *; ++;+}; diff --git a/mozilla-nss.changes b/mozilla-nss.changes index 8b678b5..0c2d960 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Sun Mar 24 20:07:59 UTC 2013 - wr@rosenauer.org + +- disable tests with expired certificates +- add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from + mozilla tree to fulfill Firefox 21 requirements + ------------------------------------------------------------------- Thu Feb 28 21:55:49 UTC 2013 - wr@rosenauer.org diff --git a/mozilla-nss.spec b/mozilla-nss.spec index 0e88a6f..393e063 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -55,6 +55,8 @@ Patch5: renegotiate-transitional.patch Patch6: malloc.patch Patch7: nss-disable-ocsp-test.patch Patch8: nss-sqlitename.patch +Patch9: nss-disable-expired-testcerts.patch +Patch10: bug-834091.patch %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) PreReq: mozilla-nspr >= %nspr_ver PreReq: libfreebl3 >= %{nss_softokn_fips_version} @@ -170,6 +172,8 @@ cd mozilla %endif %patch7 %patch8 +%patch9 +%patch10 # additional CA certificates #cd security/nss/lib/ckfw/builtins #cat %{SOURCE2} >> certdata.txt diff --git a/nss-disable-expired-testcerts.patch b/nss-disable-expired-testcerts.patch new file mode 100644 index 0000000..5191ac3 --- /dev/null +++ b/nss-disable-expired-testcerts.patch @@ -0,0 +1,23 @@ +Index: security/nss/tests/chains/scenarios/realcerts.cfg +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/realcerts.cfg,v +retrieving revision 1.4 +diff -u -r1.4 realcerts.cfg +--- security/nss/tests/chains/scenarios/realcerts.cfg 20 Mar 2012 14:47:29 -0000 1.4 ++++ security/nss/tests/chains/scenarios/realcerts.cfg 22 Mar 2013 06:14:38 -0000 +@@ -14,11 +14,11 @@ + import PayPalEE:x: + import BrAirWaysBadSig:x: + +-verify TestUser50:x +- result pass ++#verify TestUser50:x ++# result pass + +-verify TestUser51:x +- result pass ++#verify TestUser51:x ++# result pass + + verify PayPalEE:x + policy OID.2.16.840.1.113733.1.7.23.6