PK11_FindRawCertsWithSubject - Finds all certificates on the given slot with the given subject distinguished name and returns them as DER bytes. If no such certificates can be found, returns SECSuccess and sets *results to NULL. If a failure is encountered while fetching any of the matching certificates, SECFailure is returned and *results will be NULL.
Notable Changes in NSS 3.45
Bug 1540403 - Implement Delegated Credentials (draft-ietf-tls-subcerts)
This adds a new experimental function: SSL_DelegateCredential
Note: In 3.45, selfserv does not yet support delegated credentials. See Bug 1548360.
Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement. See Bug 1563078.
Bug 1550579 - Replace ARM32 Curve25519 implementation with one from fiat-crypto
Bug 1551129 - Support static linking on Windows
Bug 1552262 - Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot
Bug 1546229 - Add IPSEC IKE support to softoken
Bug 1554616 - Add support for the Elbrus lcc compiler (<=1.23)
Bug 1543874 - Expose an external clock for SSL
This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext.
The experimental function SSL_InitAntiReplay is removed.
Bug 1546477 - Various changes in response to the ongoing FIPS review
Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.
Certificate Authority Changes
The following CA certificates were Removed:
Bug 1552374 - CN = Certinomis - Root CA
SHA-256 Fingerprint: 2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158
Bugs fixed in NSS 3.45
Bug 1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import (CVE-2019-11719)
Bug 1515342 - More thorough input checking (CVE-2019-11729)
Bug 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 (CVE-2019-11727)
Bug 1227090 - Fix a potential divide-by-zero in makePfromQandSeed from lib/freebl/pqg.c (static analysis)
Bug 1227096 - Fix a potential divide-by-zero in PQG_VerifyParams from lib/freebl/pqg.c (static analysis)
Bug 1509432 - De-duplicate code between mp_set_long and mp_set_ulong
Bug 1515011 - Fix a mistake with ChaCha20-Poly1305 test code where tags could be faked. Only relevant for clients that might have copied the unit test code verbatim
Bug 1550022 - Ensure nssutil3 gets built on Android
Bug 1528174 - ChaCha20Poly1305 should no longer modify output length on failure
Bug 1549382 - Don't leak in PKCS#11 modules if C_GetSlotInfo() returns error
Bug 1551041 - Fix builds using GCC < 4.3 on big-endian architectures
Bug 1554659 - Add versioning to OpenBSD builds to fix link time errors using NSS
Bug 1553443 - Send session ticket only after handshake is marked as finished
Bug 1550708 - Fix gyp scripts on Solaris SPARC so that libfreebl_64fpu_3.so builds
Bug 1554336 - Optimize away unneeded loop in mpi.c
Bug 1559906 - fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor specific mechanism
Bug 1558126 - TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible
Bug 1555207 - HelloRetryRequestCallback return code for rejecting 0-RTT
Bug 1556591 - Eliminate races in uses of PK11_SetWrapKey
Bug 1558681 - Stop using a global for anti-replay of TLS 1.3 early data
Bug 1561510 - Fix a bug where removing -arch XXX args from CC didn't work
Bug 1561523 - Add a string for the new-ish error SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION
This Bugzilla query returns all the bugs fixed in NSS 3.45: