nagai/fune
3
0
Fork 0
forked from mirrors/gecko-dev
Code Pull requests Activity

Bug 1756061 - PSM changes corresponding to mozilla::pkix signature verification changes in bug 1755092 r=jschanck

Browse source 
Bug 1755092 changed how mozilla::pkix verifies signatures. This patch makes the
corresponding changes in PSM.

Depends on D140597

Differential Revision: https://phabricator.services.mozilla.com/D139202
This commit is contained in:
Dana Keeler 2022-03-10 23:21:00 +00:00
parent 5075ae5d88
commit 3f93068a72
13 changed files with 109 additions and 137 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

20
security/apps/AppTrustDomain.cpp
View file

@ -228,11 +228,13 @@ Result AppTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
return Success;
}
Result AppTrustDomain::VerifyRSAPKCS1SignedDigest(
const SignedDigest& signedDigest, Input subjectPublicKeyInfo) {
Result AppTrustDomain::VerifyRSAPKCS1SignedData(Input data,
DigestAlgorithm digestAlgorithm,
Input signature,
Input subjectPublicKeyInfo) {
// TODO: We should restrict signatures to SHA-256 or better.
return VerifyRSAPKCS1SignedDigestNSS(signedDigest, subjectPublicKeyInfo,
nullptr);
return VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature,
subjectPublicKeyInfo, nullptr);
}
Result AppTrustDomain::CheckECDSACurveIsAcceptable(
@ -247,10 +249,12 @@ Result AppTrustDomain::CheckECDSACurveIsAcceptable(
return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
}
Result AppTrustDomain::VerifyECDSASignedDigest(const SignedDigest& signedDigest,
Input subjectPublicKeyInfo) {
return VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo,
nullptr);
Result AppTrustDomain::VerifyECDSASignedData(Input data,
DigestAlgorithm digestAlgorithm,
Input signature,
Input subjectPublicKeyInfo) {
return VerifyECDSASignedDataNSS(data, digestAlgorithm, signature,
subjectPublicKeyInfo, nullptr);
}
Result AppTrustDomain::CheckValidityIsAcceptable(

10
security/apps/AppTrustDomain.h
View file

@ -51,14 +51,16 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain {
virtual Result CheckRSAPublicKeyModulusSizeInBits(
mozilla::pkix::EndEntityOrCA endEntityOrCA,
unsigned int modulusSizeInBits) override;
virtual Result VerifyRSAPKCS1SignedDigest(
const mozilla::pkix::SignedDigest& signedDigest,
virtual Result VerifyRSAPKCS1SignedData(
mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
mozilla::pkix::Input signature,
mozilla::pkix::Input subjectPublicKeyInfo) override;
virtual Result CheckECDSACurveIsAcceptable(
mozilla::pkix::EndEntityOrCA endEntityOrCA,
mozilla::pkix::NamedCurve curve) override;
virtual Result VerifyECDSASignedDigest(
const mozilla::pkix::SignedDigest& signedDigest,
virtual Result VerifyECDSASignedData(
mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
mozilla::pkix::Input signature,
mozilla::pkix::Input subjectPublicKeyInfo) override;
virtual Result CheckValidityIsAcceptable(
mozilla::pkix::Time notBefore, mozilla::pkix::Time notAfter,

29
security/certverifier/NSSCertDBTrustDomain.cpp
View file

@ -161,15 +161,8 @@ static bool ShouldSkipSelfSignedNonTrustAnchor(TrustDomain& trustDomain,
if (trust != TrustLevel::InheritsTrust) {
return false;
}
uint8_t digestBuf[MAX_DIGEST_SIZE_IN_BYTES];
pkix::der::PublicKeyAlgorithm publicKeyAlg;
SignedDigest signature;
if (DigestSignedData(trustDomain, cert.GetSignedData(), digestBuf,
publicKeyAlg, signature) != Success) {
return false;
}
if (VerifySignedDigest(trustDomain, publicKeyAlg, signature,
cert.GetSubjectPublicKeyInfo()) != Success) {
if (VerifySignedData(trustDomain, cert.GetSignedData(),
cert.GetSubjectPublicKeyInfo()) != Success) {
return false;
}
// This is a self-signed, non-trust-anchor certificate, so we shouldn't use it
@ -1479,10 +1472,11 @@ Result NSSCertDBTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
return Success;
}
Result NSSCertDBTrustDomain::VerifyRSAPKCS1SignedDigest(
const SignedDigest& signedDigest, Input subjectPublicKeyInfo) {
return VerifyRSAPKCS1SignedDigestNSS(signedDigest, subjectPublicKeyInfo,
mPinArg);
Result NSSCertDBTrustDomain::VerifyRSAPKCS1SignedData(
Input data, DigestAlgorithm digestAlgorithm, Input signature,
Input subjectPublicKeyInfo) {
return VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature,
subjectPublicKeyInfo, mPinArg);
}
Result NSSCertDBTrustDomain::CheckECDSACurveIsAcceptable(
@ -1497,10 +1491,11 @@ Result NSSCertDBTrustDomain::CheckECDSACurveIsAcceptable(
return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
}
Result NSSCertDBTrustDomain::VerifyECDSASignedDigest(
const SignedDigest& signedDigest, Input subjectPublicKeyInfo) {
return VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo,
mPinArg);
Result NSSCertDBTrustDomain::VerifyECDSASignedData(
Input data, DigestAlgorithm digestAlgorithm, Input signature,
Input subjectPublicKeyInfo) {
return VerifyECDSASignedDataNSS(data, digestAlgorithm, signature,
subjectPublicKeyInfo, mPinArg);
}
Result NSSCertDBTrustDomain::CheckValidityIsAcceptable(

10
security/certverifier/NSSCertDBTrustDomain.h
View file

@ -171,16 +171,18 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
mozilla::pkix::EndEntityOrCA endEntityOrCA,
unsigned int modulusSizeInBits) override;
virtual Result VerifyRSAPKCS1SignedDigest(
const mozilla::pkix::SignedDigest& signedDigest,
virtual Result VerifyRSAPKCS1SignedData(
mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
mozilla::pkix::Input signature,
mozilla::pkix::Input subjectPublicKeyInfo) override;
virtual Result CheckECDSACurveIsAcceptable(
mozilla::pkix::EndEntityOrCA endEntityOrCA,
mozilla::pkix::NamedCurve curve) override;
virtual Result VerifyECDSASignedDigest(
const mozilla::pkix::SignedDigest& signedDigest,
virtual Result VerifyECDSASignedData(
mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
mozilla::pkix::Input signature,
mozilla::pkix::Input subjectPublicKeyInfo) override;
virtual Result DigestBuf(mozilla::pkix::Input item,

18
security/certverifier/OCSPVerificationTrustDomain.cpp
View file

@ -59,10 +59,11 @@ Result OCSPVerificationTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
aEEOrCA, aModulusSizeInBits);
}
Result OCSPVerificationTrustDomain::VerifyRSAPKCS1SignedDigest(
const SignedDigest& aSignedDigest, Input aSubjectPublicKeyInfo) {
return mCertDBTrustDomain.VerifyRSAPKCS1SignedDigest(aSignedDigest,
aSubjectPublicKeyInfo);
Result OCSPVerificationTrustDomain::VerifyRSAPKCS1SignedData(
Input data, DigestAlgorithm digestAlgorithm, Input signature,
Input subjectPublicKeyInfo) {
return mCertDBTrustDomain.VerifyRSAPKCS1SignedData(
data, digestAlgorithm, signature, subjectPublicKeyInfo);
}
Result OCSPVerificationTrustDomain::CheckECDSACurveIsAcceptable(
@ -70,10 +71,11 @@ Result OCSPVerificationTrustDomain::CheckECDSACurveIsAcceptable(
return mCertDBTrustDomain.CheckECDSACurveIsAcceptable(aEEOrCA, aCurve);
}
Result OCSPVerificationTrustDomain::VerifyECDSASignedDigest(
const SignedDigest& aSignedDigest, Input aSubjectPublicKeyInfo) {
return mCertDBTrustDomain.VerifyECDSASignedDigest(aSignedDigest,
aSubjectPublicKeyInfo);
Result OCSPVerificationTrustDomain::VerifyECDSASignedData(
Input data, DigestAlgorithm digestAlgorithm, Input signature,
Input subjectPublicKeyInfo) {
return mCertDBTrustDomain.VerifyECDSASignedData(
data, digestAlgorithm, signature, subjectPublicKeyInfo);
}
Result OCSPVerificationTrustDomain::CheckValidityIsAcceptable(

10
security/certverifier/OCSPVerificationTrustDomain.h
View file

@ -38,16 +38,18 @@ class OCSPVerificationTrustDomain : public mozilla::pkix::TrustDomain {
mozilla::pkix::EndEntityOrCA endEntityOrCA,
unsigned int modulusSizeInBits) override;
virtual Result VerifyRSAPKCS1SignedDigest(
const mozilla::pkix::SignedDigest& signedDigest,
virtual Result VerifyRSAPKCS1SignedData(
mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
mozilla::pkix::Input signature,
mozilla::pkix::Input subjectPublicKeyInfo) override;
virtual Result CheckECDSACurveIsAcceptable(
mozilla::pkix::EndEntityOrCA endEntityOrCA,
mozilla::pkix::NamedCurve curve) override;
virtual Result VerifyECDSASignedDigest(
const mozilla::pkix::SignedDigest& signedDigest,
virtual Result VerifyECDSASignedData(
mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
mozilla::pkix::Input signature,
mozilla::pkix::Input subjectPublicKeyInfo) override;
virtual Result DigestBuf(mozilla::pkix::Input item,

37
security/ct/BTVerifier.cpp
View file

@ -100,54 +100,23 @@ Result DecodeAndVerifySignedTreeHead(
return rv;
}
SECOidTag unusedDigestAlgorithmId;
size_t digestAlgorithmLength;
rv = GetDigestAlgorithmLengthAndIdentifier(
digestAlgorithm, digestAlgorithmLength, unusedDigestAlgorithmId);
if (rv != Success) {
return rv;
}
uint8_t digestBuf[MAX_DIGEST_SIZE_IN_BYTES];
rv = DigestBufNSS(signedDataInput, digestAlgorithm, digestBuf,
digestAlgorithmLength);
if (rv != Success) {
return rv;
}
Input digestInput;
rv = digestInput.Init(digestBuf, digestAlgorithmLength);
if (rv != Success) {
return rv;
}
Input signatureInput;
rv = ReadVariableBytes<kSTHSignatureLengthBytes>(reader, signatureInput);
if (rv != Success) {
return rv;
}
SignedDigest signedDigest = {digestInput, digestAlgorithm, signatureInput};
switch (publicKeyAlgorithm) {
case der::PublicKeyAlgorithm::ECDSA:
rv = VerifyECDSASignedDigestNSS(signedDigest, signerSubjectPublicKeyInfo,
nullptr);
rv = VerifyECDSASignedDataNSS(signedDataInput, digestAlgorithm,
signatureInput, signerSubjectPublicKeyInfo,
nullptr);
break;
case der::PublicKeyAlgorithm::RSA_PKCS1:
case der::PublicKeyAlgorithm::Uninitialized:
default:
return Result::FATAL_ERROR_INVALID_ARGS;
}
if (rv != Success) {
// VerifyECDSASignedDigestNSS eventually calls VFY_VerifyDigestDirect, which
// can set the PR error code to SEC_ERROR_PKCS7_KEYALG_MISMATCH if the type
// of key decoded from the SPKI does not match the given signature
// algorithm. mozilla::pkix does not have a corresponding Result value and
// turns this error code into Result::ERROR_UNKNOWN_ERROR. Since this is
// uninformative, we'll turn that result into a bad signature error.
if (rv == Result::ERROR_UNKNOWN_ERROR) {
return Result::ERROR_BAD_SIGNATURE;
}
return rv;
}

44
security/ct/CTLogVerifier.cpp
View file

@ -66,7 +66,7 @@ class SignatureParamsTrustDomain final : public TrustDomain {
return Success;
}
Result VerifyECDSASignedDigest(const SignedDigest&, Input) override {
Result VerifyECDSASignedData(Input, DigestAlgorithm, Input, Input) override {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
@ -82,7 +82,8 @@ class SignatureParamsTrustDomain final : public TrustDomain {
return Success;
}
Result VerifyRSAPKCS1SignedDigest(const SignedDigest&, Input) override {
Result VerifyRSAPKCS1SignedData(Input, DigestAlgorithm, Input,
Input) override {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
@ -216,8 +217,8 @@ bool CTLogVerifier::SignatureParametersMatch(const DigitallySigned& signature) {
DigitallySigned::HashAlgorithm::SHA256, mSignatureAlgorithm);
}
static Result FasterVerifyECDSASignedDigestNSS(const SignedDigest& sd,
UniqueSECKEYPublicKey& pubkey) {
static Result FasterVerifyECDSASignedDataNSS(Input data, Input signature,
UniqueSECKEYPublicKey& pubkey) {
assert(pubkey);
if (!pubkey) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
@ -226,7 +227,7 @@ static Result FasterVerifyECDSASignedDigestNSS(const SignedDigest& sd,
// expects the signature as only the two integers r and s (so no encoding -
// just two series of bytes each half as long as SECKEY_SignatureLen(pubkey)).
// DSAU_DecodeDerSigToLen converts from the former format to the latter.
SECItem derSignatureSECItem(UnsafeMapInputToSECItem(sd.signature));
SECItem derSignatureSECItem(UnsafeMapInputToSECItem(signature));
size_t signatureLen = SECKEY_SignatureLen(pubkey.get());
if (signatureLen == 0) {
return MapPRErrorCodeToResult(PR_GetError());
@ -236,47 +237,30 @@ static Result FasterVerifyECDSASignedDigestNSS(const SignedDigest& sd,
if (!signatureSECItem) {
return MapPRErrorCodeToResult(PR_GetError());
}
SECItem digestSECItem(UnsafeMapInputToSECItem(sd.digest));
SECStatus srv = PK11_Verify(pubkey.get(), signatureSECItem.get(),
&digestSECItem, nullptr);
SECItem dataSECItem(UnsafeMapInputToSECItem(data));
SECStatus srv =
PK11_VerifyWithMechanism(pubkey.get(), CKM_ECDSA_SHA256, nullptr,
signatureSECItem.get(), &dataSECItem, nullptr);
if (srv != SECSuccess) {
return MapPRErrorCodeToResult(PR_GetError());
}
return Success;
}
Result CTLogVerifier::VerifySignature(Input data, Input signature) {
uint8_t digest[SHA256_LENGTH];
Result rv = DigestBufNSS(data, DigestAlgorithm::sha256, digest,
MOZILLA_CT_ARRAY_LENGTH(digest));
if (rv != Success) {
return rv;
}
SignedDigest signedDigest;
signedDigest.digestAlgorithm = DigestAlgorithm::sha256;
rv = signedDigest.digest.Init(digest, MOZILLA_CT_ARRAY_LENGTH(digest));
if (rv != Success) {
return rv;
}
rv = signedDigest.signature.Init(signature);
if (rv != Success) {
return rv;
}
Input spki;
rv = BufferToInput(mSubjectPublicKeyInfo, spki);
Result rv = BufferToInput(mSubjectPublicKeyInfo, spki);
if (rv != Success) {
return rv;
}
switch (mSignatureAlgorithm) {
case DigitallySigned::SignatureAlgorithm::RSA:
rv = VerifyRSAPKCS1SignedDigestNSS(signedDigest, spki, nullptr);
rv = VerifyRSAPKCS1SignedDataNSS(data, DigestAlgorithm::sha256, signature,
spki, nullptr);
break;
case DigitallySigned::SignatureAlgorithm::ECDSA:
rv = FasterVerifyECDSASignedDigestNSS(signedDigest, mPublicECKey);
rv = FasterVerifyECDSASignedDataNSS(data, signature, mPublicECKey);
break;
// We do not expect new values added to this enum any time soon,
// so just listing all the available ones seems to be the easiest way

8
security/ct/tests/gtest/BTSignedTreeHeadTest.cpp
View file

@ -125,7 +125,7 @@ static const BTSignedTreeHeadTestParams BT_SIGNED_TREE_HEAD_TEST_PARAMS[] = {
Result::ERROR_BAD_SIGNATURE, 0, 0, nullptr},
{ValidSTH::kSPKIHex, pkix::DigestAlgorithm::sha512,
pkix::der::PublicKeyAlgorithm::ECDSA, ValidSecp521r1SHA512STH::kSTHHex,
Result::ERROR_BAD_DER, 0, 0, nullptr},
Result::ERROR_BAD_SIGNATURE, 0, 0, nullptr},
{SignatureCoversLogIDSTH::kSPKIHex, pkix::DigestAlgorithm::sha256,
pkix::der::PublicKeyAlgorithm::ECDSA, SignatureCoversLogIDSTH::kSTHHex,
Result::ERROR_BAD_SIGNATURE, 0, 0, nullptr},
@ -134,7 +134,7 @@ static const BTSignedTreeHeadTestParams BT_SIGNED_TREE_HEAD_TEST_PARAMS[] = {
Result::ERROR_BAD_SIGNATURE, 0, 0, nullptr},
{WrongSigningKeySTH::kSPKIHex, pkix::DigestAlgorithm::sha256,
pkix::der::PublicKeyAlgorithm::ECDSA, WrongSigningKeySTH::kSTHHex,
Result::ERROR_BAD_DER, 0, 0, nullptr},
Result::ERROR_BAD_SIGNATURE, 0, 0, nullptr},
{MissingLogIDSTH::kSPKIHex, pkix::DigestAlgorithm::sha256,
pkix::der::PublicKeyAlgorithm::ECDSA, MissingLogIDSTH::kSTHHex,
Result::ERROR_BAD_DER, 0, 0, nullptr},
@ -170,10 +170,10 @@ static const BTSignedTreeHeadTestParams BT_SIGNED_TREE_HEAD_TEST_PARAMS[] = {
Result::ERROR_BAD_SIGNATURE, 0, 0, nullptr},
{RSASignerECSPKISTH::kSPKIHex, pkix::DigestAlgorithm::sha256,
pkix::der::PublicKeyAlgorithm::ECDSA, RSASignerECSPKISTH::kSTHHex,
Result::ERROR_BAD_DER, 0, 0, nullptr},
Result::ERROR_BAD_SIGNATURE, 0, 0, nullptr},
{ECSignerRSASPKISTH::kSPKIHex, pkix::DigestAlgorithm::sha256,
pkix::der::PublicKeyAlgorithm::ECDSA, ECSignerRSASPKISTH::kSTHHex,
Result::ERROR_BAD_SIGNATURE, 0, 0, nullptr},
Result::ERROR_INVALID_KEY, 0, 0, nullptr},
};
TEST_P(BTSignedTreeHeadTest, BTSignedTreeHeadSimpleTest) {

20
security/ct/tests/gtest/CTTestUtils.cpp
View file

@ -705,10 +705,12 @@ class OCSPExtensionTrustDomain : public TrustDomain {
return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
}
pkix::Result VerifyECDSASignedDigest(const SignedDigest& signedDigest,
Input subjectPublicKeyInfo) override {
return VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo,
nullptr);
pkix::Result VerifyECDSASignedData(Input data,
DigestAlgorithm digestAlgorithm,
Input signature,
Input subjectPublicKeyInfo) override {
return VerifyECDSASignedDataNSS(data, digestAlgorithm, signature,
subjectPublicKeyInfo, nullptr);
}
pkix::Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA,
@ -717,10 +719,12 @@ class OCSPExtensionTrustDomain : public TrustDomain {
return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
}
pkix::Result VerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
Input subjectPublicKeyInfo) override {
return VerifyRSAPKCS1SignedDigestNSS(signedDigest, subjectPublicKeyInfo,
nullptr);
pkix::Result VerifyRSAPKCS1SignedData(Input data,
DigestAlgorithm digestAlgorithm,
Input signature,
Input subjectPublicKeyInfo) override {
return VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature,
subjectPublicKeyInfo, nullptr);
}
pkix::Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA,

20
security/manager/ssl/CSTrustDomain.cpp
View file

@ -145,10 +145,12 @@ Result CSTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
return Success;
}
Result CSTrustDomain::VerifyRSAPKCS1SignedDigest(
const SignedDigest& signedDigest, Input subjectPublicKeyInfo) {
return VerifyRSAPKCS1SignedDigestNSS(signedDigest, subjectPublicKeyInfo,
nullptr);
Result CSTrustDomain::VerifyRSAPKCS1SignedData(Input data,
DigestAlgorithm digestAlgorithm,
Input signature,
Input subjectPublicKeyInfo) {
return VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature,
subjectPublicKeyInfo, nullptr);
}
Result CSTrustDomain::CheckECDSACurveIsAcceptable(EndEntityOrCA endEntityOrCA,
@ -163,10 +165,12 @@ Result CSTrustDomain::CheckECDSACurveIsAcceptable(EndEntityOrCA endEntityOrCA,
return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
}
Result CSTrustDomain::VerifyECDSASignedDigest(const SignedDigest& signedDigest,
Input subjectPublicKeyInfo) {
return VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo,
nullptr);
Result CSTrustDomain::VerifyECDSASignedData(Input data,
DigestAlgorithm digestAlgorithm,
Input signature,
Input subjectPublicKeyInfo) {
return VerifyECDSASignedDataNSS(data, digestAlgorithm, signature,
subjectPublicKeyInfo, nullptr);
}
Result CSTrustDomain::CheckValidityIsAcceptable(Time notBefore, Time notAfter,

10
security/manager/ssl/CSTrustDomain.h
View file

@ -46,14 +46,16 @@ class CSTrustDomain final : public mozilla::pkix::TrustDomain {
virtual Result CheckRSAPublicKeyModulusSizeInBits(
mozilla::pkix::EndEntityOrCA endEntityOrCA,
unsigned int modulusSizeInBits) override;
virtual Result VerifyRSAPKCS1SignedDigest(
const mozilla::pkix::SignedDigest& signedDigest,
virtual Result VerifyRSAPKCS1SignedData(
mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
mozilla::pkix::Input signature,
mozilla::pkix::Input subjectPublicKeyInfo) override;
virtual Result CheckECDSACurveIsAcceptable(
mozilla::pkix::EndEntityOrCA endEntityOrCA,
mozilla::pkix::NamedCurve curve) override;
virtual Result VerifyECDSASignedDigest(
const mozilla::pkix::SignedDigest& signedDigest,
virtual Result VerifyECDSASignedData(
mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
mozilla::pkix::Input signature,
mozilla::pkix::Input subjectPublicKeyInfo) override;
virtual Result CheckValidityIsAcceptable(
mozilla::pkix::Time notBefore, mozilla::pkix::Time notAfter,

10
security/manager/ssl/nsNSSIOLayer.cpp
View file

@ -2061,16 +2061,18 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain {
EndEntityOrCA endEntityOrCA, unsigned int modulusSizeInBits) override {
return Success;
}
virtual mozilla::pkix::Result VerifyRSAPKCS1SignedDigest(
const SignedDigest& signedDigest, Input subjectPublicKeyInfo) override {
virtual mozilla::pkix::Result VerifyRSAPKCS1SignedData(
Input data, DigestAlgorithm, Input signature,
Input subjectPublicKeyInfo) override {
return Success;
}
virtual mozilla::pkix::Result CheckECDSACurveIsAcceptable(
EndEntityOrCA endEntityOrCA, NamedCurve curve) override {
return Success;
}
virtual mozilla::pkix::Result VerifyECDSASignedDigest(
const SignedDigest& signedDigest, Input subjectPublicKeyInfo) override {
virtual mozilla::pkix::Result VerifyECDSASignedData(
Input data, DigestAlgorithm, Input signature,
Input subjectPublicKeyInfo) override {
return Success;
}
virtual mozilla::pkix::Result CheckValidityIsAcceptable(