Closed Bug 1755092 Opened 4 years ago Closed 4 years ago

rework signature verification in mozilla::pkix and add tests

Categories

(NSS :: Libraries, enhancement)

Product:
NSS
Component:
Libraries
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: keeler, Assigned: keeler)

References

Details

(Whiteboard: [nss-fx])

Attachments

(1 file)

Bug 1755092 - rework signature verification in mozilla::pkix r?jschanck
48 bytes, text/x-phabricator-request
Details

mozilla::pkix separates signature verification into two steps: computing the digest of the signed data, and then verifying the signature against the digest. This adds some complexity that the VFY_* APIs hide, but that implementation is in need of improvement (for one, the digest versions of those APIs doesn't support RSA-PSS, which we will need soon). We can avoid that complexity and the shortcomings in the implementation by using PK11_Verify* directly and not pre-computing digests.

The initial implementation of mozilla::pkix split signature verification into
two steps: digesting the data that had been signed and then verifying that
digest. This separation added complexity when moving from mozilla::pkix to the
concrete signature verification code in NSS. The VFY_* APIs hide this
complexity, but those APIs are in need of improvements. This patch avoids using
the VFY_* APIs as well as the additional complexity by removing the separate
digest step and using the PK11_Verify* APIs directly.

Depends on: 1756061
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.77
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: