Chromium Code Reviews Chromium Code Reviews
Issue 13898013:
Update NSS to NSS_3_15_BETA2. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/nss/| Index: nss/lib/pkcs7/p7decode.c |
| =================================================================== |
| --- nss/lib/pkcs7/p7decode.c (revision 195639) |
| +++ nss/lib/pkcs7/p7decode.c (working copy) |
| @@ -1246,13 +1246,17 @@ |
| /* |
| - * SEC_PKCS7ContentVerifySignature |
| + * sec_pkcs7_verify_signature |
| + * |
| * Look at a PKCS7 contentInfo and check if the signature is good. |
| * The digest was either calculated earlier (and is stored in the |
| * contentInfo itself) or is passed in via "detached_digest". |
| * |
| * The verification checks that the signing cert is valid and trusted |
| - * for the purpose specified by "certusage". |
| + * for the purpose specified by "certusage" at |
| + * - "*atTime" if "atTime" is not null, or |
| + * - the signing time if the signing time is available in "cinfo", or |
| + * - the current time (as returned by PR_Now). |
| * |
| * In addition, if "keepcerts" is true, add any new certificates found |
| * into our local database. |
| @@ -1281,7 +1285,8 @@ |
| SECCertUsage certusage, |
| const SECItem *detached_digest, |
| HASH_HashType digest_type, |
| - PRBool keepcerts) |
| + PRBool keepcerts, |
| + const PRTime *atTime) |
| { |
| SECAlgorithmID **digestalgs, *bulkid; |
| const SECItem *digest; |
| @@ -1299,7 +1304,8 @@ |
| SECItem *content_type; |
| PK11SymKey *sigkey; |
| SECItem *encoded_stime; |
| - int64 stime; |
| + PRTime stime; |
| + PRTime verificationTime; |
| SECStatus rv; |
| /* |
| @@ -1436,8 +1442,14 @@ |
| * in a time (and for non-S/MIME callers to pass in nothing, or |
| * maybe make them pass in the current time, always?). |
| */ |
| - if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, |
| - encoded_stime != NULL ? stime : PR_Now(), |
| + if (atTime) { |
| + verificationTime = *atTime; |
| + } else if (encoded_stime != NULL) { |
| + verificationTime = stime; |
| + } else { |
| + verificationTime = PR_Now(); |
| + } |
| + if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, verificationTime, |
| cinfo->pwfn_arg, NULL) != SECSuccess) |
| { |
| /* |
| @@ -1518,14 +1530,6 @@ |
| goto done; |
| } |
| -#ifndef NSS_ECC_MORE_THAN_SUITE_B |
| - if (encTag == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { |
| - PORT_SetError(SEC_ERROR_PKCS7_BAD_SIGNATURE); |
| - goto done; |
| - } |
| -#endif |
| - |
| - |
| if (signerinfo->authAttr != NULL) { |
| SEC_PKCS7Attribute *attr; |
| SECItem *value; |
| @@ -1590,7 +1594,6 @@ |
| goto done; |
| } |
| - |
| goodsig = (PRBool)(VFY_VerifyDataDirect(encoded_attrs.data, |
| encoded_attrs.len, |
| publickey, &(signerinfo->encDigest), |
| @@ -1757,7 +1760,7 @@ |
| PRBool keepcerts) |
| { |
| return sec_pkcs7_verify_signature (cinfo, certusage, |
| - NULL, HASH_AlgNULL, keepcerts); |
| + NULL, HASH_AlgNULL, keepcerts, 0); |
|
wtc
2013/04/24 22:49:45
This 0 should be NULL.
|
| } |
| /* |
| @@ -1779,9 +1782,31 @@ |
| { |
| return sec_pkcs7_verify_signature (cinfo, certusage, |
| detached_digest, digest_type, |
| - keepcerts); |
| + keepcerts, NULL); |
| } |
| +/* |
| + * SEC_PKCS7VerifyDetachedSignatureAtTime |
| + * Look at a PKCS7 contentInfo and check if the signature matches |
| + * a passed-in digest (calculated, supposedly, from detached contents). |
| + * The verification checks that the signing cert is valid and trusted |
| + * for the purpose specified by "certusage" at time "atTime". |
| + * |
| + * In addition, if "keepcerts" is true, add any new certificates found |
| + * into our local database. |
| + */ |
| +PRBool |
| +SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo, |
| + SECCertUsage certusage, |
| + const SECItem *detached_digest, |
| + HASH_HashType digest_type, |
| + PRBool keepcerts, |
| + PRTime atTime) |
| +{ |
| + return sec_pkcs7_verify_signature (cinfo, certusage, |
| + detached_digest, digest_type, |
| + keepcerts, &atTime); |
| +} |
| /* |
| * Return the asked-for portion of the name of the signer of a PKCS7 |
| @@ -1844,7 +1869,7 @@ |
| * some valid usage to pass in. |
| */ |
| (void) sec_pkcs7_verify_signature (cinfo, certUsageEmailSigner, |
| - NULL, HASH_AlgNULL, PR_FALSE); |
| + NULL, HASH_AlgNULL, PR_FALSE, 0); |
|
wtc
2013/04/24 22:49:45
This 0 should be NULL.
|
| signercert = signerinfos[0]->cert; |
| if (signercert == NULL) |
| return NULL; |
