Issue #1338 - Part 2: Update NSS to 3.48-RTM

5 files changed, 27 insertions, 18 deletions

diff --git a/security/nss/lib/mozpkix/include/pkix/pkixder.h b/security/nss/lib/mozpkix/include/pkix/pkixder.h
index 3aae0ecf6..379106ef4 100644
--- a/security/nss/lib/mozpkix/include/pkix/pkixder.h
+++ b/security/nss/lib/mozpkix/include/pkix/pkixder.h
@@ -114,6 +114,17 @@ inline Result ExpectTagAndSkipValue(Reader& input, uint8_t tag) {
   return ExpectTagAndGetValue(input, tag, ignoredValue);
 }
 
+// This skips IMPLICIT OPTIONAL tags that are "primitive" (not constructed),
+// given the number in the class of the tag (i.e. the number in the brackets in
+// `issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL`).
+inline Result SkipOptionalImplicitPrimitiveTag(Reader& input,
+                                               uint8_t numberInClass) {
+  if (input.Peek(CONTEXT_SPECIFIC | numberInClass)) {
+    return ExpectTagAndSkipValue(input, CONTEXT_SPECIFIC | numberInClass);
+  }
+  return Success;
+}
+
 // Like ExpectTagAndGetValue, except the output Input will contain the
 // encoded tag and length along with the value.
 inline Result ExpectTagAndGetTLV(Reader& input, uint8_t tag,
diff --git a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
index 6b12edbb1..bfa5c780a 100644
--- a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
+++ b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
@@ -278,6 +278,7 @@ class TrustDomain {
 
   virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA,
                                  const CertID& certID, Time time,
+                                 Time validityBeginning,
                                  Duration validityDuration,
                                  /*optional*/ const Input* stapledOCSPresponse,
                                  /*optional*/ const Input* aiaExtension) = 0;
diff --git a/security/nss/lib/mozpkix/lib/pkixbuild.cpp b/security/nss/lib/mozpkix/lib/pkixbuild.cpp
index 0ac2cb883..b95907a94 100644
--- a/security/nss/lib/mozpkix/lib/pkixbuild.cpp
+++ b/security/nss/lib/mozpkix/lib/pkixbuild.cpp
@@ -252,7 +252,8 @@ PathBuildingStep::Check(Input potentialIssuerDER,
     }
     Duration validityDuration(notAfter, notBefore);
     rv = trustDomain.CheckRevocation(subject.endEntityOrCA, certID, time,
-                                     validityDuration, stapledOCSPResponse,
+                                     notBefore, validityDuration,
+                                     stapledOCSPResponse,
                                      subject.GetAuthorityInfoAccess());
     if (rv != Success) {
       // Since this is actually a problem with the current subject certificate
diff --git a/security/nss/lib/mozpkix/lib/pkixcert.cpp b/security/nss/lib/mozpkix/lib/pkixcert.cpp
index a30483738..7789bd57d 100644
--- a/security/nss/lib/mozpkix/lib/pkixcert.cpp
+++ b/security/nss/lib/mozpkix/lib/pkixcert.cpp
@@ -105,29 +105,24 @@ BackCert::Init()
     return rv;
   }
 
-  static const uint8_t CSC = der::CONTEXT_SPECIFIC | der::CONSTRUCTED;
-
   // According to RFC 5280, all fields below this line are forbidden for
   // certificate versions less than v3.  However, for compatibility reasons,
   // we parse v1/v2 certificates in the same way as v3 certificates.  So if
   // these fields appear in a v1 certificate, they will be used.
 
   // Ignore issuerUniqueID if present.
-  if (tbsCertificate.Peek(CSC | 1)) {
-    rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 1);
-    if (rv != Success) {
-      return rv;
-    }
+  rv = der::SkipOptionalImplicitPrimitiveTag(tbsCertificate, 1);
+  if (rv != Success) {
+    return rv;
   }
 
   // Ignore subjectUniqueID if present.
-  if (tbsCertificate.Peek(CSC | 2)) {
-    rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 2);
-    if (rv != Success) {
-      return rv;
-    }
+  rv = der::SkipOptionalImplicitPrimitiveTag(tbsCertificate, 2);
+  if (rv != Success) {
+    return rv;
   }
 
+  static const uint8_t CSC = der::CONTEXT_SPECIFIC | der::CONSTRUCTED;
   rv = der::OptionalExtensions(
          tbsCertificate, CSC | 3,
          [this](Reader& extnID, const Input& extnValue, bool critical,
diff --git a/security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp b/security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp
index ee59b1d97..1e50f46f4 100644
--- a/security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp
+++ b/security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp
@@ -234,14 +234,14 @@ GenerateKeyPairInner()
   if (!slot) {
     abort();
   }
+  PK11RSAGenParams params;
+  params.keySizeInBits = 2048;
+  params.pe = 65537;
 
   // Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient
   // entropy to generate a random key. Attempting to add some entropy and
   // retrying appears to solve this issue.
   for (uint32_t retries = 0; retries < 10; retries++) {
-    PK11RSAGenParams params;
-    params.keySizeInBits = 2048;
-    params.pe = 3;
     SECKEYPublicKey* publicKeyTemp = nullptr;
     ScopedSECKEYPrivateKey
       privateKey(PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN,
@@ -262,8 +262,9 @@ GenerateKeyPairInner()
     // random keys.
     // https://xkcd.com/221/
     static const uint8_t RANDOM_NUMBER[] = { 4, 4, 4, 4, 4, 4, 4, 4 };
-    if (PK11_RandomUpdate((void*) &RANDOM_NUMBER,
-                          sizeof(RANDOM_NUMBER)) != SECSuccess) {
+    if (PK11_RandomUpdate(
+          const_cast<void*>(reinterpret_cast<const void*>(RANDOM_NUMBER)),
+          sizeof(RANDOM_NUMBER)) != SECSuccess) {
       break;
     }
   }