Clarification regarding SEC_PKCS7VerifyDetachedSignatureAtTime


Kai Engert-4
I'm sending this explanation because I've seen several people being
confused, and I anticipate the confusion might continue for a while.

Since nobody else has done so yet, I'm writing this clarification in the
hope it is useful to avoid future confusion.

As of today, there are development branches of Firefox that require
a new API, a function named:
  SEC_PKCS7VerifyDetachedSignatureAtTime

Those Firefox development branches contain a modified version of NSS,
which adds that function as a new API.

This means that attempts to build those development branches of Firefox
against a systemwide installed NSS will currently fail, because no
released NSS version contains the required API yet.

Fortunately, by now, agreement has been reached on how to clean up this
situation: The next version of NSS (3.15) will contain the new API that
Mozilla has already added to their copies of earlier versions of NSS.

It will be another couple of weeks until NSS 3.15 gets released; it
might be realistic to expect it around the end of April.

Which Firefox branches are affected?

Firefox 23 = current mozilla-central
- currently still using NSS 3.14.3, but with a local patch applied
- expected to upgrade soon to NSS 3.15 beta (tracked in bug 858231)
- in other words, hopefully it will be cleaned up very soon

Firefox 22 = current mozilla-aurora
- currently still using NSS 3.14.3, but with a local patch applied
- I understand that Mozilla engineers are still undecided
  how to clean up
- options are: either same as Firefox 23 or same as Firefox 21

Firefox 21 = current mozilla-beta
- earlier snapshots of Firefox 21 had used this function
- in the meantime this has been cleaned up in bug 853776
  by removing the Firefox application code that calls the function,
  thereby making the new NSS API unnecessary.

Firefox Boot2Gecko B2G 18 branch
- uses a fork of NSS 3.14.3 with the new API added as a patch

What does this mean for building Firefox?

If you want to build a development snapshot of Firefox against a
systemwide installed NSS, and you want to build Firefox 22 aurora at
this time, you have the following choices:

- don't build Firefox 22 aurora until Mozilla has cleaned up the situation.
  If you are waiting for that to happen, you could remind Mozilla
  to either apply bug 853776 to aurora 22
  or to extend bug 858231 to cover aurora 22, too.

- if you are testing locally and you don't need to package
  the current development snapshot of Firefox/NSS,
  until the situation gets cleaned up by Mozilla,
  you could temporarily build without --with-system-nss

- if you must build Firefox 22 aurora right now, and you must have a
  compatible system NSS right now, then
  - either use the forked version of NSS that Mozilla has used,
    by applying the patch that you can find in the Firefox source
    in directory mozilla/security/patches,
    and install your modified version as system NSS
  - or use NSS 3.15 "beta 1"

Let's hope this kind of situation will remain an exception and can be
avoided in the future.

Regards
Kai


--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
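Before choosing one of the options above, it helps to know whether the NSS already installed on the build machine is new enough. The following script is an added example and is not part of the original post or of NSS/Firefox; it checks the reported NSS version against 3.15 (the version the post says will first ship the API) and, as a second check, looks for the exported symbol directly. It assumes nss.pc is available to pkg-config, that the PKCS#7 functions are exported from libsmime3.so, and that nm is installed; all three are assumptions, not facts stated in the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): decide whether a system NSS
# can be used with --with-system-nss for a Firefox snapshot that calls
# SEC_PKCS7VerifyDetachedSignatureAtTime.

# Compare two dotted version strings field by field (max three fields).
# Returns 0 (true) when $1 >= $2, 1 otherwise. Missing fields count as 0.
nss_version_ge() {
    va="$1.0.0"; vb="$2.0.0"   # pad so that "3.15" becomes "3.15.0"
    a1=$(printf '%s' "$va" | cut -d. -f1); b1=$(printf '%s' "$vb" | cut -d. -f1)
    a2=$(printf '%s' "$va" | cut -d. -f2); b2=$(printf '%s' "$vb" | cut -d. -f2)
    a3=$(printf '%s' "$va" | cut -d. -f3); b3=$(printf '%s' "$vb" | cut -d. -f3)
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ] && return 0
    return 1
}

# Look for the exported symbol in a shared library (assumption: the PKCS#7
# API lives in libsmime3.so). Returns 0 if found, 1 if absent, 2 if the
# library cannot be inspected.
nss_has_api() {
    lib="${1:-}"
    if [ -z "$lib" ]; then
        libdir=$(pkg-config --variable=libdir nss 2>/dev/null) || return 2
        lib="$libdir/libsmime3.so"
    fi
    [ -f "$lib" ] || return 2
    command -v nm >/dev/null 2>&1 || return 2
    nm -D "$lib" 2>/dev/null | grep -q ' T SEC_PKCS7VerifyDetachedSignatureAtTime$'
}

# Combine both checks and print a recommendation matching the post's options.
check_system_nss() {
    ver=$(pkg-config --modversion nss 2>/dev/null) || {
        echo "nss.pc not found: cannot check the system NSS"; return 2; }
    if nss_version_ge "$ver" "3.15"; then
        echo "NSS $ver: version suggests the API is present"
    else
        echo "NSS $ver: older than 3.15, expect the build to fail with --with-system-nss"
    fi
    if nss_has_api; then
        echo "symbol SEC_PKCS7VerifyDetachedSignatureAtTime found in libsmime3.so"
    elif [ $? -eq 1 ]; then
        echo "symbol not exported: build without --with-system-nss or use a patched NSS"
    else
        echo "could not inspect libsmime3.so (nm or library missing)"
    fi
}

# Usage: sh nss-check.sh check
case "${1:-}" in
    check) check_system_nss ;;
esac
```

The version comparison alone is not conclusive for a locally patched 3.14.3 (the situation the post describes for the B2G fork), which is why the symbol check is run as well.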

Re: Clarification regarding SEC_PKCS7VerifyDetachedSignatureAtTime

Brian Smith-31
> What does this mean for building Firefox?
>
> If you want to build a development snapshot of Firefox against a
> systemwide installed NSS, and you want to build Firefox 22 aurora at
> this time, you have the following choices:
>
> - don't build Firefox 22 aurora until Mozilla cleaned up the
>   situation.
>   If you are waiting for that to happen, you could remind Mozilla
>   to either apply bug 853776 to aurora 22
>   or to extend bug 858231 to cover aurora 22, too.

I will apply the patches for bug 853776 to mozilla-aurora. The patch for that is going through try now:
https://tbpl.mozilla.org/?tree=Try&rev=5d0543e962b6

> Let's hope this kind of situation will remain an exception and can be
> avoided in the future.

The expectation should be that there will be local patches in mozilla-central and mozilla-aurora whenever those patches are the fastest way to get work done for Firefox. I will do what I can to get as many patches upstreamed first but in order for Mozilla to be able to experiment and test changes we want to upstream, to minimize disruption to the other users of NSS, we should utilize the ability to have private patches in mozilla-central and mozilla-aurora more.

Cheers,
Brian