Bug 1984544 - upgrade NSS to NSS_3_112_1_RTM. r=keeler a=RyanVM UPGRADE_NSS_RELEASE

Differential Revision: https://phabricator.services.mozilla.com/D262051
2025-08-25 23:38:21 +00:00
parent 7c14b87829
commit d4b467bd4f
6 changed files with 112 additions and 8 deletions
--- a/security/nss/doc/rst/releases/nss_3_112_1.rst
+++ b/security/nss/doc/rst/releases/nss_3_112_1.rst
@@ -0,0 +1,34 @@
+.. _mozilla_projects_nss_nss_3_112_1_release_notes:
+
+NSS 3.112.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+   Network Security Services (NSS) 3.112.1 was released on *21 August 2025**.
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+   The HG tag is NSS_3_112_1_RTM. NSS 3.112.1 requires NSPR 4.36 or newer. The latest version of NSPR is 4.36.
+
+   NSS 3.112.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+   -  Source tarballs:
+      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_112_1_RTM/src/
+
+   Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.112.1:
+
+`Changes in NSS 3.112.1 <#changes_in_nss_3.112.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+   - Bug 1982742 - restore support for finding certificates by decoded serial number.
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -733,6 +733,48 @@ nssToken_FindCertificatesByID(
    return objects;
 }

+/*
+ * decode the serial item and return our result.
+ * NOTE serialDecode's data is really stored in serial. Don't free it.
+ */
+static PRStatus
+nssToken_decodeSerialItem(NSSItem *serial, NSSItem *serialDecode)
+{
+    unsigned char *data = (unsigned char *)serial->data;
+    int data_left, data_len, index;
+
+    if ((serial->size >= 3) && (data[0] == 0x2)) {
+        /* remove the der encoding of the serial number before generating the
+         * key.. */
+        data_left = serial->size - 2;
+        data_len = data[1];
+        index = 2;
+
+        /* extended length ? (not very likely for a serial number) */
+        if (data_len & 0x80) {
+            int len_count = data_len & 0x7f;
+
+            data_len = 0;
+            data_left -= len_count;
+            if (data_left > 0) {
+                while (len_count--) {
+                    data_len = (data_len << 8) | data[index++];
+                }
+            }
+        }
+        /* XXX leaving any leading zeros on the serial number for backwards
+         * compatibility
+         */
+        /* not a valid der, must be just an unlucky serial number value */
+        if (data_len == data_left) {
+            serialDecode->size = data_len;
+            serialDecode->data = &data[index];
+            return PR_SUCCESS;
+        }
+    }
+    return PR_FAILURE;
+}
+
 NSS_IMPLEMENT nssCryptokiObject *
 nssToken_FindCertificateByIssuerAndSerialNumber(
    NSSToken *token,
@@ -743,6 +785,7 @@ nssToken_FindCertificateByIssuerAndSerialNumber(
    PRStatus *statusOpt)
 {
    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE_PTR serialAttr;
    CK_ATTRIBUTE cert_template[4];
    CK_ULONG ctsize;
    nssCryptokiObject **objects;
@@ -765,6 +808,7 @@ nssToken_FindCertificateByIssuerAndSerialNumber(
    /* Set the unique id */
    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER, issuer);
+    serialAttr = attr;
    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER, serial);
    NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
    /* get the object handle */
@@ -782,6 +826,32 @@ nssToken_FindCertificateByIssuerAndSerialNumber(
        nss_ZFreeIf(objects);
    }

+    /*
+     * Some smart cards incorrectly store serial numbers in their decoded form.
+     */
+    if (!objects) {
+        NSSItem serialDecode;
+        PRStatus status;
+
+        status = nssToken_decodeSerialItem(serial, &serialDecode);
+        if (status != PR_SUCCESS) {
+            return NULL;
+        }
+        NSS_CK_SET_ATTRIBUTE_ITEM(serialAttr, CKA_SERIAL_NUMBER, &serialDecode);
+        if (searchType == nssTokenSearchType_TokenForced) {
+            objects = find_objects(token, sessionOpt,
+                                   cert_template, ctsize,
+                                   1, statusOpt);
+        } else {
+            objects = nssToken_FindObjectsByTemplate(token, sessionOpt,
+                                                     cert_template, ctsize,
+                                                     1, statusOpt);
+        }
+        if (objects) {
+            rvObject = objects[0];
+            nss_ZFreeIf(objects);
+        }
+    }
    return rvObject;
 }

--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -22,10 +22,10 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define NSS_VERSION "3.112" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.112.1" _NSS_CUSTOMIZED
 #define NSS_VMAJOR 3
 #define NSS_VMINOR 112
-#define NSS_VPATCH 0
+#define NSS_VPATCH 1
 #define NSS_VBUILD 0
 #define NSS_BETA PR_FALSE

--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -17,10 +17,10 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define SOFTOKEN_VERSION "3.112" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.112.1" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR 3
 #define SOFTOKEN_VMINOR 112
-#define SOFTOKEN_VPATCH 0
+#define SOFTOKEN_VPATCH 1
 #define SOFTOKEN_VBUILD 0
 #define SOFTOKEN_BETA PR_FALSE

--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -19,10 +19,10 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
 */
-#define NSSUTIL_VERSION "3.112"
+#define NSSUTIL_VERSION "3.112.1"
 #define NSSUTIL_VMAJOR 3
 #define NSSUTIL_VMINOR 112
-#define NSSUTIL_VPATCH 0
+#define NSSUTIL_VPATCH 1
 #define NSSUTIL_VBUILD 0
 #define NSSUTIL_BETA PR_FALSE

--- a/security/nss/moz.yaml
+++ b/security/nss/moz.yaml
@@ -9,8 +9,8 @@ origin:
  description: nss
  url: https://hg-edge.mozilla.org/projects/nss

-  release: 1e1bcffeb9e087080bf28f546919f62900e18ef6 (2025-05-23T13:07:49Z).
-  revision: 1e1bcffeb9e087080bf28f546919f62900e18ef6
+  release: 808e051ea9ce632e910c449a5b60d152e3017572 (2025-08-22T02:48:54Z).
+  revision: 808e051ea9ce632e910c449a5b60d152e3017572

  license: MPL-2.0
  license-file: COPYING