diff --git a/security/apps/AppTrustDomain.cpp b/security/apps/AppTrustDomain.cpp index 2f4bd180023b..c2cae0bddcdf 100644 --- a/security/apps/AppTrustDomain.cpp +++ b/security/apps/AppTrustDomain.cpp @@ -228,11 +228,13 @@ Result AppTrustDomain::CheckRSAPublicKeyModulusSizeInBits( return Success; } -Result AppTrustDomain::VerifyRSAPKCS1SignedDigest( - const SignedDigest& signedDigest, Input subjectPublicKeyInfo) { +Result AppTrustDomain::VerifyRSAPKCS1SignedData(Input data, + DigestAlgorithm digestAlgorithm, + Input signature, + Input subjectPublicKeyInfo) { // TODO: We should restrict signatures to SHA-256 or better. - return VerifyRSAPKCS1SignedDigestNSS(signedDigest, subjectPublicKeyInfo, - nullptr); + return VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature, + subjectPublicKeyInfo, nullptr); } Result AppTrustDomain::CheckECDSACurveIsAcceptable( @@ -247,10 +249,12 @@ Result AppTrustDomain::CheckECDSACurveIsAcceptable( return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE; } -Result AppTrustDomain::VerifyECDSASignedDigest(const SignedDigest& signedDigest, - Input subjectPublicKeyInfo) { - return VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo, - nullptr); +Result AppTrustDomain::VerifyECDSASignedData(Input data, + DigestAlgorithm digestAlgorithm, + Input signature, + Input subjectPublicKeyInfo) { + return VerifyECDSASignedDataNSS(data, digestAlgorithm, signature, + subjectPublicKeyInfo, nullptr); } Result AppTrustDomain::CheckValidityIsAcceptable( diff --git a/security/apps/AppTrustDomain.h b/security/apps/AppTrustDomain.h index 41b01e7ee43f..6aa9b084faf4 100644 --- a/security/apps/AppTrustDomain.h +++ b/security/apps/AppTrustDomain.h @@ -51,14 +51,16 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain { virtual Result CheckRSAPublicKeyModulusSizeInBits( mozilla::pkix::EndEntityOrCA endEntityOrCA, unsigned int modulusSizeInBits) override; - virtual Result VerifyRSAPKCS1SignedDigest( - const mozilla::pkix::SignedDigest& signedDigest, + virtual Result VerifyRSAPKCS1SignedData( + mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm, + mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo) override; virtual Result CheckECDSACurveIsAcceptable( mozilla::pkix::EndEntityOrCA endEntityOrCA, mozilla::pkix::NamedCurve curve) override; - virtual Result VerifyECDSASignedDigest( - const mozilla::pkix::SignedDigest& signedDigest, + virtual Result VerifyECDSASignedData( + mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm, + mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo) override; virtual Result CheckValidityIsAcceptable( mozilla::pkix::Time notBefore, mozilla::pkix::Time notAfter, diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp index 69a824c04231..90ce9378d71f 100644 --- a/security/certverifier/NSSCertDBTrustDomain.cpp +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -161,15 +161,8 @@ static bool ShouldSkipSelfSignedNonTrustAnchor(TrustDomain& trustDomain, if (trust != TrustLevel::InheritsTrust) { return false; } - uint8_t digestBuf[MAX_DIGEST_SIZE_IN_BYTES]; - pkix::der::PublicKeyAlgorithm publicKeyAlg; - SignedDigest signature; - if (DigestSignedData(trustDomain, cert.GetSignedData(), digestBuf, - publicKeyAlg, signature) != Success) { - return false; - } - if (VerifySignedDigest(trustDomain, publicKeyAlg, signature, - cert.GetSubjectPublicKeyInfo()) != Success) { + if (VerifySignedData(trustDomain, cert.GetSignedData(), + cert.GetSubjectPublicKeyInfo()) != Success) { return false; } // This is a self-signed, non-trust-anchor certificate, so we shouldn't use it @@ -1479,10 +1472,11 @@ Result NSSCertDBTrustDomain::CheckRSAPublicKeyModulusSizeInBits( return Success; } -Result NSSCertDBTrustDomain::VerifyRSAPKCS1SignedDigest( - const SignedDigest& signedDigest, Input subjectPublicKeyInfo) { - return VerifyRSAPKCS1SignedDigestNSS(signedDigest, subjectPublicKeyInfo, - mPinArg); +Result NSSCertDBTrustDomain::VerifyRSAPKCS1SignedData( + Input data, DigestAlgorithm digestAlgorithm, Input signature, + Input subjectPublicKeyInfo) { + return VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature, + subjectPublicKeyInfo, mPinArg); } Result NSSCertDBTrustDomain::CheckECDSACurveIsAcceptable( @@ -1497,10 +1491,11 @@ Result NSSCertDBTrustDomain::CheckECDSACurveIsAcceptable( return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE; } -Result NSSCertDBTrustDomain::VerifyECDSASignedDigest( - const SignedDigest& signedDigest, Input subjectPublicKeyInfo) { - return VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo, - mPinArg); +Result NSSCertDBTrustDomain::VerifyECDSASignedData( + Input data, DigestAlgorithm digestAlgorithm, Input signature, + Input subjectPublicKeyInfo) { + return VerifyECDSASignedDataNSS(data, digestAlgorithm, signature, + subjectPublicKeyInfo, mPinArg); } Result NSSCertDBTrustDomain::CheckValidityIsAcceptable( diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h index af0230b5d5ff..9d90257c10d0 100644 --- a/security/certverifier/NSSCertDBTrustDomain.h +++ b/security/certverifier/NSSCertDBTrustDomain.h @@ -171,16 +171,18 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain { mozilla::pkix::EndEntityOrCA endEntityOrCA, unsigned int modulusSizeInBits) override; - virtual Result VerifyRSAPKCS1SignedDigest( - const mozilla::pkix::SignedDigest& signedDigest, + virtual Result VerifyRSAPKCS1SignedData( + mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm, + mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo) override; virtual Result CheckECDSACurveIsAcceptable( mozilla::pkix::EndEntityOrCA endEntityOrCA, mozilla::pkix::NamedCurve curve) override; - virtual Result VerifyECDSASignedDigest( - const mozilla::pkix::SignedDigest& signedDigest, + virtual Result VerifyECDSASignedData( + mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm, + mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo) override; virtual Result DigestBuf(mozilla::pkix::Input item, diff --git a/security/certverifier/OCSPVerificationTrustDomain.cpp b/security/certverifier/OCSPVerificationTrustDomain.cpp index 0a23821e4ca3..782627e55d7d 100644 --- a/security/certverifier/OCSPVerificationTrustDomain.cpp +++ b/security/certverifier/OCSPVerificationTrustDomain.cpp @@ -59,10 +59,11 @@ Result OCSPVerificationTrustDomain::CheckRSAPublicKeyModulusSizeInBits( aEEOrCA, aModulusSizeInBits); } -Result OCSPVerificationTrustDomain::VerifyRSAPKCS1SignedDigest( - const SignedDigest& aSignedDigest, Input aSubjectPublicKeyInfo) { - return mCertDBTrustDomain.VerifyRSAPKCS1SignedDigest(aSignedDigest, - aSubjectPublicKeyInfo); +Result OCSPVerificationTrustDomain::VerifyRSAPKCS1SignedData( + Input data, DigestAlgorithm digestAlgorithm, Input signature, + Input subjectPublicKeyInfo) { + return mCertDBTrustDomain.VerifyRSAPKCS1SignedData( + data, digestAlgorithm, signature, subjectPublicKeyInfo); } Result OCSPVerificationTrustDomain::CheckECDSACurveIsAcceptable( @@ -70,10 +71,11 @@ Result OCSPVerificationTrustDomain::CheckECDSACurveIsAcceptable( return mCertDBTrustDomain.CheckECDSACurveIsAcceptable(aEEOrCA, aCurve); } -Result OCSPVerificationTrustDomain::VerifyECDSASignedDigest( - const SignedDigest& aSignedDigest, Input aSubjectPublicKeyInfo) { - return mCertDBTrustDomain.VerifyECDSASignedDigest(aSignedDigest, - aSubjectPublicKeyInfo); +Result OCSPVerificationTrustDomain::VerifyECDSASignedData( + Input data, DigestAlgorithm digestAlgorithm, Input signature, + Input subjectPublicKeyInfo) { + return mCertDBTrustDomain.VerifyECDSASignedData( + data, digestAlgorithm, signature, subjectPublicKeyInfo); } Result OCSPVerificationTrustDomain::CheckValidityIsAcceptable( diff --git a/security/certverifier/OCSPVerificationTrustDomain.h b/security/certverifier/OCSPVerificationTrustDomain.h index be16a581cc28..e4d8a141a514 100644 --- a/security/certverifier/OCSPVerificationTrustDomain.h +++ b/security/certverifier/OCSPVerificationTrustDomain.h @@ -38,16 +38,18 @@ class OCSPVerificationTrustDomain : public mozilla::pkix::TrustDomain { mozilla::pkix::EndEntityOrCA endEntityOrCA, unsigned int modulusSizeInBits) override; - virtual Result VerifyRSAPKCS1SignedDigest( - const mozilla::pkix::SignedDigest& signedDigest, + virtual Result VerifyRSAPKCS1SignedData( + mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm, + mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo) override; virtual Result CheckECDSACurveIsAcceptable( mozilla::pkix::EndEntityOrCA endEntityOrCA, mozilla::pkix::NamedCurve curve) override; - virtual Result VerifyECDSASignedDigest( - const mozilla::pkix::SignedDigest& signedDigest, + virtual Result VerifyECDSASignedData( + mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm, + mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo) override; virtual Result DigestBuf(mozilla::pkix::Input item, diff --git a/security/ct/BTVerifier.cpp b/security/ct/BTVerifier.cpp index 720d41bc7651..02281fcffd4b 100644 --- a/security/ct/BTVerifier.cpp +++ b/security/ct/BTVerifier.cpp @@ -100,54 +100,23 @@ Result DecodeAndVerifySignedTreeHead( return rv; } - SECOidTag unusedDigestAlgorithmId; - size_t digestAlgorithmLength; - rv = GetDigestAlgorithmLengthAndIdentifier( - digestAlgorithm, digestAlgorithmLength, unusedDigestAlgorithmId); - if (rv != Success) { - return rv; - } - - uint8_t digestBuf[MAX_DIGEST_SIZE_IN_BYTES]; - rv = DigestBufNSS(signedDataInput, digestAlgorithm, digestBuf, - digestAlgorithmLength); - if (rv != Success) { - return rv; - } - - Input digestInput; - rv = digestInput.Init(digestBuf, digestAlgorithmLength); - if (rv != Success) { - return rv; - } - Input signatureInput; rv = ReadVariableBytes(reader, signatureInput); if (rv != Success) { return rv; } - SignedDigest signedDigest = {digestInput, digestAlgorithm, signatureInput}; switch (publicKeyAlgorithm) { case der::PublicKeyAlgorithm::ECDSA: - rv = VerifyECDSASignedDigestNSS(signedDigest, signerSubjectPublicKeyInfo, - nullptr); + rv = VerifyECDSASignedDataNSS(signedDataInput, digestAlgorithm, + signatureInput, signerSubjectPublicKeyInfo, + nullptr); break; case der::PublicKeyAlgorithm::RSA_PKCS1: - case der::PublicKeyAlgorithm::Uninitialized: default: return Result::FATAL_ERROR_INVALID_ARGS; } if (rv != Success) { - // VerifyECDSASignedDigestNSS eventually calls VFY_VerifyDigestDirect, which - // can set the PR error code to SEC_ERROR_PKCS7_KEYALG_MISMATCH if the type - // of key decoded from the SPKI does not match the given signature - // algorithm. mozilla::pkix does not have a corresponding Result value and - // turns this error code into Result::ERROR_UNKNOWN_ERROR. Since this is - // uninformative, we'll turn that result into a bad signature error. - if (rv == Result::ERROR_UNKNOWN_ERROR) { - return Result::ERROR_BAD_SIGNATURE; - } return rv; } diff --git a/security/ct/CTLogVerifier.cpp b/security/ct/CTLogVerifier.cpp index d704e876e596..37c84437c679 100644 --- a/security/ct/CTLogVerifier.cpp +++ b/security/ct/CTLogVerifier.cpp @@ -66,7 +66,7 @@ class SignatureParamsTrustDomain final : public TrustDomain { return Success; } - Result VerifyECDSASignedDigest(const SignedDigest&, Input) override { + Result VerifyECDSASignedData(Input, DigestAlgorithm, Input, Input) override { return Result::FATAL_ERROR_LIBRARY_FAILURE; } @@ -82,7 +82,8 @@ class SignatureParamsTrustDomain final : public TrustDomain { return Success; } - Result VerifyRSAPKCS1SignedDigest(const SignedDigest&, Input) override { + Result VerifyRSAPKCS1SignedData(Input, DigestAlgorithm, Input, + Input) override { return Result::FATAL_ERROR_LIBRARY_FAILURE; } @@ -216,8 +217,8 @@ bool CTLogVerifier::SignatureParametersMatch(const DigitallySigned& signature) { DigitallySigned::HashAlgorithm::SHA256, mSignatureAlgorithm); } -static Result FasterVerifyECDSASignedDigestNSS(const SignedDigest& sd, - UniqueSECKEYPublicKey& pubkey) { +static Result FasterVerifyECDSASignedDataNSS(Input data, Input signature, + UniqueSECKEYPublicKey& pubkey) { assert(pubkey); if (!pubkey) { return Result::FATAL_ERROR_LIBRARY_FAILURE; @@ -226,7 +227,7 @@ static Result FasterVerifyECDSASignedDigestNSS(const SignedDigest& sd, // expects the signature as only the two integers r and s (so no encoding - // just two series of bytes each half as long as SECKEY_SignatureLen(pubkey)). // DSAU_DecodeDerSigToLen converts from the former format to the latter. - SECItem derSignatureSECItem(UnsafeMapInputToSECItem(sd.signature)); + SECItem derSignatureSECItem(UnsafeMapInputToSECItem(signature)); size_t signatureLen = SECKEY_SignatureLen(pubkey.get()); if (signatureLen == 0) { return MapPRErrorCodeToResult(PR_GetError()); @@ -236,47 +237,30 @@ static Result FasterVerifyECDSASignedDigestNSS(const SignedDigest& sd, if (!signatureSECItem) { return MapPRErrorCodeToResult(PR_GetError()); } - SECItem digestSECItem(UnsafeMapInputToSECItem(sd.digest)); - SECStatus srv = PK11_Verify(pubkey.get(), signatureSECItem.get(), - &digestSECItem, nullptr); + SECItem dataSECItem(UnsafeMapInputToSECItem(data)); + SECStatus srv = + PK11_VerifyWithMechanism(pubkey.get(), CKM_ECDSA_SHA256, nullptr, + signatureSECItem.get(), &dataSECItem, nullptr); if (srv != SECSuccess) { return MapPRErrorCodeToResult(PR_GetError()); } - return Success; } Result CTLogVerifier::VerifySignature(Input data, Input signature) { - uint8_t digest[SHA256_LENGTH]; - Result rv = DigestBufNSS(data, DigestAlgorithm::sha256, digest, - MOZILLA_CT_ARRAY_LENGTH(digest)); - if (rv != Success) { - return rv; - } - - SignedDigest signedDigest; - signedDigest.digestAlgorithm = DigestAlgorithm::sha256; - rv = signedDigest.digest.Init(digest, MOZILLA_CT_ARRAY_LENGTH(digest)); - if (rv != Success) { - return rv; - } - rv = signedDigest.signature.Init(signature); - if (rv != Success) { - return rv; - } - Input spki; - rv = BufferToInput(mSubjectPublicKeyInfo, spki); + Result rv = BufferToInput(mSubjectPublicKeyInfo, spki); if (rv != Success) { return rv; } switch (mSignatureAlgorithm) { case DigitallySigned::SignatureAlgorithm::RSA: - rv = VerifyRSAPKCS1SignedDigestNSS(signedDigest, spki, nullptr); + rv = VerifyRSAPKCS1SignedDataNSS(data, DigestAlgorithm::sha256, signature, + spki, nullptr); break; case DigitallySigned::SignatureAlgorithm::ECDSA: - rv = FasterVerifyECDSASignedDigestNSS(signedDigest, mPublicECKey); + rv = FasterVerifyECDSASignedDataNSS(data, signature, mPublicECKey); break; // We do not expect new values added to this enum any time soon, // so just listing all the available ones seems to be the easiest way diff --git a/security/ct/tests/gtest/BTSignedTreeHeadTest.cpp b/security/ct/tests/gtest/BTSignedTreeHeadTest.cpp index 289d0beb3348..3f2366bb1f73 100644 --- a/security/ct/tests/gtest/BTSignedTreeHeadTest.cpp +++ b/security/ct/tests/gtest/BTSignedTreeHeadTest.cpp @@ -125,7 +125,7 @@ static const BTSignedTreeHeadTestParams BT_SIGNED_TREE_HEAD_TEST_PARAMS[] = { Result::ERROR_BAD_SIGNATURE, 0, 0, nullptr}, {ValidSTH::kSPKIHex, pkix::DigestAlgorithm::sha512, pkix::der::PublicKeyAlgorithm::ECDSA, ValidSecp521r1SHA512STH::kSTHHex, - Result::ERROR_BAD_DER, 0, 0, nullptr}, + Result::ERROR_BAD_SIGNATURE, 0, 0, nullptr}, {SignatureCoversLogIDSTH::kSPKIHex, pkix::DigestAlgorithm::sha256, pkix::der::PublicKeyAlgorithm::ECDSA, SignatureCoversLogIDSTH::kSTHHex, Result::ERROR_BAD_SIGNATURE, 0, 0, nullptr}, @@ -134,7 +134,7 @@ static const BTSignedTreeHeadTestParams BT_SIGNED_TREE_HEAD_TEST_PARAMS[] = { Result::ERROR_BAD_SIGNATURE, 0, 0, nullptr}, {WrongSigningKeySTH::kSPKIHex, pkix::DigestAlgorithm::sha256, pkix::der::PublicKeyAlgorithm::ECDSA, WrongSigningKeySTH::kSTHHex, - Result::ERROR_BAD_DER, 0, 0, nullptr}, + Result::ERROR_BAD_SIGNATURE, 0, 0, nullptr}, {MissingLogIDSTH::kSPKIHex, pkix::DigestAlgorithm::sha256, pkix::der::PublicKeyAlgorithm::ECDSA, MissingLogIDSTH::kSTHHex, Result::ERROR_BAD_DER, 0, 0, nullptr}, @@ -170,10 +170,10 @@ static const BTSignedTreeHeadTestParams BT_SIGNED_TREE_HEAD_TEST_PARAMS[] = { Result::ERROR_BAD_SIGNATURE, 0, 0, nullptr}, {RSASignerECSPKISTH::kSPKIHex, pkix::DigestAlgorithm::sha256, pkix::der::PublicKeyAlgorithm::ECDSA, RSASignerECSPKISTH::kSTHHex, - Result::ERROR_BAD_DER, 0, 0, nullptr}, + Result::ERROR_BAD_SIGNATURE, 0, 0, nullptr}, {ECSignerRSASPKISTH::kSPKIHex, pkix::DigestAlgorithm::sha256, pkix::der::PublicKeyAlgorithm::ECDSA, ECSignerRSASPKISTH::kSTHHex, - Result::ERROR_BAD_SIGNATURE, 0, 0, nullptr}, + Result::ERROR_INVALID_KEY, 0, 0, nullptr}, }; TEST_P(BTSignedTreeHeadTest, BTSignedTreeHeadSimpleTest) { diff --git a/security/ct/tests/gtest/CTTestUtils.cpp b/security/ct/tests/gtest/CTTestUtils.cpp index 3dc40182e408..47a3322dde28 100644 --- a/security/ct/tests/gtest/CTTestUtils.cpp +++ b/security/ct/tests/gtest/CTTestUtils.cpp @@ -705,10 +705,12 @@ class OCSPExtensionTrustDomain : public TrustDomain { return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; } - pkix::Result VerifyECDSASignedDigest(const SignedDigest& signedDigest, - Input subjectPublicKeyInfo) override { - return VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo, - nullptr); + pkix::Result VerifyECDSASignedData(Input data, + DigestAlgorithm digestAlgorithm, + Input signature, + Input subjectPublicKeyInfo) override { + return VerifyECDSASignedDataNSS(data, digestAlgorithm, signature, + subjectPublicKeyInfo, nullptr); } pkix::Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA, @@ -717,10 +719,12 @@ class OCSPExtensionTrustDomain : public TrustDomain { return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; } - pkix::Result VerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest, - Input subjectPublicKeyInfo) override { - return VerifyRSAPKCS1SignedDigestNSS(signedDigest, subjectPublicKeyInfo, - nullptr); + pkix::Result VerifyRSAPKCS1SignedData(Input data, + DigestAlgorithm digestAlgorithm, + Input signature, + Input subjectPublicKeyInfo) override { + return VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature, + subjectPublicKeyInfo, nullptr); } pkix::Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA, diff --git a/security/manager/ssl/CSTrustDomain.cpp b/security/manager/ssl/CSTrustDomain.cpp index 3f19d080ef89..f5e47c06c686 100644 --- a/security/manager/ssl/CSTrustDomain.cpp +++ b/security/manager/ssl/CSTrustDomain.cpp @@ -145,10 +145,12 @@ Result CSTrustDomain::CheckRSAPublicKeyModulusSizeInBits( return Success; } -Result CSTrustDomain::VerifyRSAPKCS1SignedDigest( - const SignedDigest& signedDigest, Input subjectPublicKeyInfo) { - return VerifyRSAPKCS1SignedDigestNSS(signedDigest, subjectPublicKeyInfo, - nullptr); +Result CSTrustDomain::VerifyRSAPKCS1SignedData(Input data, + DigestAlgorithm digestAlgorithm, + Input signature, + Input subjectPublicKeyInfo) { + return VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature, + subjectPublicKeyInfo, nullptr); } Result CSTrustDomain::CheckECDSACurveIsAcceptable(EndEntityOrCA endEntityOrCA, @@ -163,10 +165,12 @@ Result CSTrustDomain::CheckECDSACurveIsAcceptable(EndEntityOrCA endEntityOrCA, return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE; } -Result CSTrustDomain::VerifyECDSASignedDigest(const SignedDigest& signedDigest, - Input subjectPublicKeyInfo) { - return VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo, - nullptr); +Result CSTrustDomain::VerifyECDSASignedData(Input data, + DigestAlgorithm digestAlgorithm, + Input signature, + Input subjectPublicKeyInfo) { + return VerifyECDSASignedDataNSS(data, digestAlgorithm, signature, + subjectPublicKeyInfo, nullptr); } Result CSTrustDomain::CheckValidityIsAcceptable(Time notBefore, Time notAfter, diff --git a/security/manager/ssl/CSTrustDomain.h b/security/manager/ssl/CSTrustDomain.h index 7bbdbb379219..396a818ba25c 100644 --- a/security/manager/ssl/CSTrustDomain.h +++ b/security/manager/ssl/CSTrustDomain.h @@ -46,14 +46,16 @@ class CSTrustDomain final : public mozilla::pkix::TrustDomain { virtual Result CheckRSAPublicKeyModulusSizeInBits( mozilla::pkix::EndEntityOrCA endEntityOrCA, unsigned int modulusSizeInBits) override; - virtual Result VerifyRSAPKCS1SignedDigest( - const mozilla::pkix::SignedDigest& signedDigest, + virtual Result VerifyRSAPKCS1SignedData( + mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm, + mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo) override; virtual Result CheckECDSACurveIsAcceptable( mozilla::pkix::EndEntityOrCA endEntityOrCA, mozilla::pkix::NamedCurve curve) override; - virtual Result VerifyECDSASignedDigest( - const mozilla::pkix::SignedDigest& signedDigest, + virtual Result VerifyECDSASignedData( + mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm, + mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo) override; virtual Result CheckValidityIsAcceptable( mozilla::pkix::Time notBefore, mozilla::pkix::Time notAfter, diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp index 587f942e1b32..7cd212049842 100644 --- a/security/manager/ssl/nsNSSIOLayer.cpp +++ b/security/manager/ssl/nsNSSIOLayer.cpp @@ -2061,16 +2061,18 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain { EndEntityOrCA endEntityOrCA, unsigned int modulusSizeInBits) override { return Success; } - virtual mozilla::pkix::Result VerifyRSAPKCS1SignedDigest( - const SignedDigest& signedDigest, Input subjectPublicKeyInfo) override { + virtual mozilla::pkix::Result VerifyRSAPKCS1SignedData( + Input data, DigestAlgorithm, Input signature, + Input subjectPublicKeyInfo) override { return Success; } virtual mozilla::pkix::Result CheckECDSACurveIsAcceptable( EndEntityOrCA endEntityOrCA, NamedCurve curve) override { return Success; } - virtual mozilla::pkix::Result VerifyECDSASignedDigest( - const SignedDigest& signedDigest, Input subjectPublicKeyInfo) override { + virtual mozilla::pkix::Result VerifyECDSASignedData( + Input data, DigestAlgorithm, Input signature, + Input subjectPublicKeyInfo) override { return Success; } virtual mozilla::pkix::Result CheckValidityIsAcceptable(