Closed Bug 1307993 Opened 8 years ago Closed 7 years ago

Expose updated certificate verification function in JSS

Categories

(JSS Graveyard :: Library, defect)

Product:
JSS Graveyard
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: elio.maldonado.batiz, Assigned: cfu)

References

Details

Attachments

(4 files, 4 obsolete files)

Expose updated certificate verification function
15.17 KB, patch
mharmsen
: review+
Details | Diff | Splinter Review
the build log
851.48 KB, text/plain
Details
the test log
40.03 KB, text/plain
Details
jss address a subset of the compiler warnings
13.74 KB, patch
Details | Diff | Splinter Review 
      No description provided.
Blocks: 1307859
Christina's patch updated for current sources, not ready yet for review.
jss-VerifyCertificate.patch will need additional updates.
The one that I tested.
Attachment #8798643 - Attachment is obsolete: true
Assignee: glenbeasley → cfu

        Attachment #8835046 -
        Attachment is obsolete: true

        Attachment #8838784 -
        Flags: review?(jmagne)

    
    

    
  

      
      
      
      

        Attached file
          
        the build log
      

    


  
After I had submitted the patch for review I noticed many warnings. This is the build log which I should discuss with Jack, the reviewer, and if needed also with Christina, the patch original author, as part of the review process.

    
    

    
  

      
      
      
      

        Attached file
          
        the test log
      

    


  

    
    

    
  
Comment on attachment 8838784 [details] [diff] [review]
Expose updated certificate verification function

Review of attachment 8838784 [details] [diff] [review]:
-----------------------------------------------------------------

Some concerns below.

::: lib/jss.def
@@ +125,5 @@
>  Java_org_mozilla_jss_pkcs11_PK11Store_deletePrivateKey;
>  Java_org_mozilla_jss_pkcs11_PK11Store_importPrivateKey;
>  Java_org_mozilla_jss_pkcs11_PK11Store_putCertsInVector;
>  Java_org_mozilla_jss_pkcs11_PK11Store_putKeysInVector;
> +Java_org_mozilla_jss_pkcs11_PK11Store_putSymKeysInVector;

worth examining, will explain later

@@ +215,5 @@
>  Java_org_mozilla_jss_pkcs11_PK11PubKey_fromSPKI;
>  Java_org_mozilla_jss_provider_java_security_JSSKeyStoreSpi_engineGetKey;
>  Java_org_mozilla_jss_provider_java_security_JSSKeyStoreSpi_engineIsCertificateEntry;
>  Java_org_mozilla_jss_provider_java_security_JSSKeyStoreSpi_engineSetKeyEntryNative;
> +Java_org_mozilla_jss_CryptoManager_initializeAllNative2;

worth examining, will explain later

@@ +292,5 @@
>  Java_org_mozilla_jss_pkcs11_PK11Token_needsLogin;
>  ;+    local:
>  ;+       *;
>  ;+};
> +;+JSS_4.2.6 {     # JSS 4.2.6 release

This JSS_4.2.6 release entry appears after the JSS_4.3 one which is odd. I understand that 4.2.6 release was a Red Hat release which Mozilla never made. 
Still we must be careful with things like this. See this guideline
https://wiki.mozilla.org/NSS/Release_Management#Verify_correctness
Following the instruction given there
$ hg diff -r JSS_4_3_2_RTM -r default | lsdiff |grep \.def$
b/lib/jss.def
tells me this file file should be examined. That's why I bring that up.
Should JSS be bound by NSPR and NSS guiedines? I can't answer that with certainty. Let's discuss this either here or off-line.

    
    

    
  
(In reply to Elio Maldonado from comment #7)

> $ hg diff -r JSS_4_3_2_RTM -r default | lsdiff |grep \.def$
> b/lib/jss.def
> tells me this file file should be examined. That's why I bring that up.
> Should JSS be bound by NSPR and NSS guiedines? I can't answer that with
> certainty. Let's discuss this either here or off-line.

I can answer my own question. The rule makes sense for NSS but no so much for JSS. The reason being is that in NSS we declare some functions in public headers that are for the sole use of NSS and not to be used my client code. A functions is not really public unless it is added to nss.def (or ssl.def, until.def, and so on) For JSS the C code is for JNI so the java code can access the new functions and as far as I know no other code except JSS would be having access to what's exported by jas4.so. It's fine to leave the patch as is it. Only jss.def is involved, if this turns out to be incorrect we can always revise our decision at a later time.

    
    

    
  


  
supplementary patch to address some of the compiler warnings, it should be applied after the previous one has been applied. I'm picking only the low hanging fruit and refraining from dealing with other warnings that are more difficult and doing so would be risky. Keeping it separate for now so you can concentrate on each part at a time and I'll a merge them into the main patch if you so request.

        Attachment #8839223 -
        Flags: review?(jmagne)

    
    

    
  
Comment on attachment 8839223 [details] [diff] [review]
Expose updated certificate verification function and address compiler warnings - only a subset

I misspoke earlier, this is actually the the main patch with warning fixes merged into it.

        Attachment #8839223 -
        Attachment description: address compiler warnings - only a subset → Expose updated certificate verification function and address compiler warnings - only a subset

    
  

        Attachment #8838784 -
        Attachment is obsolete: true

        Attachment #8838784 -
        Flags: review?(jmagne)

    
    

    
  


  
the same as before, renamed as it was intended

        Attachment #8839223 -
        Attachment is obsolete: true

        Attachment #8839223 -
        Flags: review?(jmagne)

        Attachment #8839269 -
        Flags: review?(jmagne)

    
    

    
  
Comment on attachment 8835046 [details] [diff] [review]
Expose updated certificate verification function

The original one without any compiler warnings clean-up.

        Attachment #8835046 -
        Attachment is obsolete: false

        Attachment #8835046 -
        Flags: review?(mharmsen)

    
    

    
  
Comment on attachment 8839269 [details] [diff] [review]
Expose updated certificate verification function and address compiler warnings - only a subsetjss-VerifyCertificate.patch

Has to much stuff in it.

        Attachment #8839269 -
        Flags: review?(jmagne)

    
  

        Attachment #8839269 -
        Attachment is obsolete: true

    
    

    
  


  
This is the supplementary patch I originally intended to attach.

        Attachment #8839295 -
        Flags: review?(mharmsen)

    
    

    
  
Comment on attachment 8835046 [details] [diff] [review]
Expose updated certificate verification function

Matches downstream patch very well.

        Attachment #8835046 -
        Flags: review?(mharmsen) → review+

    
  
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED

    
    

    
  
(In reply to Matthew Harmsen from comment #15)
> Comment on attachment 8835046 [details] [diff] [review]
> Expose updated certificate verification function
> 
> Matches downstream patch very well.

jss-VerifyCertificate.patch

NOTE: I have not yet reviewed the second patch in this bug.

    
    

    
  
(In reply to Matthew Harmsen from comment #17)
> (In reply to Matthew Harmsen from comment #15)
> 
> NOTE: I have not yet reviewed the second patch in this bug.

After a discussion with Matt we agreed that it is best to postpone review if this patch until we reach Bug 1308008 where it fits better.

    
  

        Attachment #8839295 -
        Flags: review?(mharmsen)

    
  
No longer blocks: 1307859

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: