Open Bug 966856 Opened 7 years ago Updated 3 years ago

Add SHA-2 support to mozilla::pkix's OCSP implementation

(Core :: Security: PSM, defect, P3)

(Reporter: briansmith, Unassigned)

(Whiteboard: [psm-backlog])

(1 file)

1. Make sure that SHA-2 hashes work in CertID
2. Test that SHA-2 signatures are accepted.
3. Ensure that we send the preferred signature algorithm extension in our OCSP requests (
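The three items above touch the same two RFC 6960 structures: the CertID inside each Request (whose hashAlgorithm is what item 1 is about, and which the verifier must recompute with the named hash when it checks a response) and the requestExtensions holding the preferred-signature-algorithms extension (item 3). The following is an added example, not mozilla::pkix, NSS or any code from this bug: it encodes an unsigned OCSPRequest with a SHA-256 CertID and the extension using only the Python standard library, then performs the verifier-side CertID match that has to succeed for SHA-2 as well as SHA-1. The issuer DN, issuer key bits and serial number are constructed sample data; the helper names (`cert_id`, `ocsp_request`, `match_cert_id`, and so on) are this example's own.

```python
"""Added example (not mozilla::pkix or NSS code): OCSPRequest with a SHA-256
CertID plus the preferred-signature-algorithms request extension, and the
verifier-side CertID check that must accept SHA-2.  Structures follow RFC 6960;
the issuer DN, key bits and serial below are constructed sample data."""
import hashlib

# --- minimal DER encoder/decoder, only what OCSPRequest needs ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                   # base-128, high bit set on all but the last octet
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return tlv(0x06, bytes(body))

def der_int(n):                      # non-negative INTEGER, leading 0x00 added when needed
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def alg_id(oid_str):                 # AlgorithmIdentifier with NULL parameters
    return tlv(0x30, der_oid(oid_str) + b"\x05\x00")

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                    # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

HASHES = {                           # CertID.hashAlgorithm: name -> (OID, constructor)
    "sha1":   ("1.3.14.3.2.26",          hashlib.sha1),
    "sha256": ("2.16.840.1.101.3.4.2.1", hashlib.sha256),
}
OID_TO_HASH = {o: name for name, (o, _) in HASHES.items()}
PREF_SIG_ALGS_OID = "1.3.6.1.5.5.7.48.1.8"   # id-pkix-ocsp-pref-sig-algs (RFC 6960 4.4.7)
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"

# --- requester side ---
def cert_id(hash_name, issuer_dn_der, issuer_key_bits, serial):
    """CertID; issuer_key_bits is the issuer's subjectPublicKey BIT STRING
    payload with the unused-bits octet already removed."""
    oid_str, h = HASHES[hash_name]
    return tlv(0x30, alg_id(oid_str)
               + tlv(0x04, h(issuer_dn_der).digest())
               + tlv(0x04, h(issuer_key_bits).digest())
               + der_int(serial))

def ocsp_request(cert_ids, preferred_sig_algs=()):
    """Unsigned OCSPRequest; version v1 is a DEFAULT and so is omitted in DER."""
    body = tlv(0x30, b"".join(tlv(0x30, c) for c in cert_ids))        # requestList
    if preferred_sig_algs:
        prefs = tlv(0x30, b"".join(tlv(0x30, alg_id(o)) for o in preferred_sig_algs))
        ext = tlv(0x30, der_oid(PREF_SIG_ALGS_OID) + tlv(0x04, prefs))  # non-critical
        body += tlv(0xA2, tlv(0x30, ext))                              # [2] requestExtensions
    return tlv(0x30, tlv(0x30, body))

# --- responder / verifier side ---
def first_cert_id(request_der):
    _, tbs, _ = _read_tlv(_read_tlv(request_der, 0)[1], 0)
    pos = 0
    while True:                      # skip optional [0] version / [1] requestorName
        tag, req_list, pos = _read_tlv(tbs, pos)
        if tag == 0x30:
            break
    _, request, _ = _read_tlv(req_list, 0)
    return request[:_read_tlv(request, 0)[2]]

def parse_cert_id(cert_id_der):
    _, body, _ = _read_tlv(cert_id_der, 0)
    _, alg, pos = _read_tlv(body, 0)
    _, name_hash, pos = _read_tlv(body, pos)
    _, key_hash, pos = _read_tlv(body, pos)
    _, serial, _ = _read_tlv(body, pos)
    return {"hash_oid": _decode_oid(_read_tlv(alg, 0)[1]),
            "issuer_name_hash": name_hash, "issuer_key_hash": key_hash,
            "serial": int.from_bytes(serial, "big")}

def match_cert_id(cert_id_der, issuer_dn_der, issuer_key_bits, serial):
    """Verifier check on a CertID: recompute both hashes with the algorithm the
    CertID names.  A verifier that only knows SHA-1 ends in the None branch
    for every SHA-2 CertID, which is what this bug is about."""
    cid = parse_cert_id(cert_id_der)
    name = OID_TO_HASH.get(cid["hash_oid"])
    if name is None:
        return False
    h = HASHES[name][1]
    return (cid["issuer_name_hash"] == h(issuer_dn_der).digest()
            and cid["issuer_key_hash"] == h(issuer_key_bits).digest()
            and cid["serial"] == serial)

# --- constructed sample issuer data (not a real CA) ---
ISSUER_DN_DER = tlv(0x30, tlv(0x31, tlv(0x30, der_oid("2.5.4.3") + tlv(0x0C, b"Example Issuer CA"))))
ISSUER_KEY_BITS = bytes(range(1, 65))   # stand-in for a real public key payload
SERIAL = 0x0ABCDEF

def build_example(hash_name):
    return ocsp_request([cert_id(hash_name, ISSUER_DN_DER, ISSUER_KEY_BITS, SERIAL)],
                        preferred_sig_algs=[SHA256_WITH_RSA])
```

`build_example("sha256")` yields a request whose CertID carries 32-byte issuerNameHash and issuerKeyHash values under OID 2.16.840.1.101.3.4.2.1, with the preferred-signature-algorithms extension naming sha256WithRSAEncryption; `build_example("sha1")` is the legacy form. `match_cert_id` is deliberately driven by the OID found in the CertID rather than by a fixed hash, which is the change a SHA-1-only verifier needs.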
Assignee: nobody → dkeeler
Depends on: 915931
Priority: -- → P4
Attached patch: patch
I rebased this on top of bug 969048 since it's about to land (once bug 915932 lands and sticks, which it looks like it will), but the only conflict should be with the telemetry tests. One thing to note is that since bug 663315 hasn't been finished, SHA-2 is not supported in NSS/classic verification.
Attachment #8390145 - Flags: review?(brian)
It will be a few days before I get to this. AFAICT, this is new functionality beyond the NSS-based verifier and I also want to write unit tests in bug 966856 for this.
Summary: Add SHA-2 support to insanity::pkix's OCSP implementation → Add SHA-2 support to mozilla::pkix's OCSP implementation
Blocks: 942515
Comment on attachment 8390145:
This has probably bit-rotted quite a bit. Clearing review until we need this.
Attachment #8390145 - Flags: review?(brian)
No longer blocks: 942515
See Also: → 942515
David, is there any chance of this happening soon? I think it would be great if we started moving towards a world where you don't need to implement SHA-1 at all. This is the last place, AFAICT, where SHA-1 is required, after servers upgrade to TLS 1.2 with SHA-2 based certs.
Flags: needinfo?(dkeeler)
I'll see what I can do. I agree this would be a good thing to do.
Flags: needinfo?(dkeeler)
I'm not actively working on this at the moment.
Assignee: dkeeler → nobody
Whiteboard: [psm-backlog]