diff -up nss/lib/ssl/ssl3con.c.disable_pss nss/lib/ssl/ssl3con.c
--- nss/lib/ssl/ssl3con.c.disable_pss 2017-02-17 11:44:34.969825045 +0100
+++ nss/lib/ssl/ssl3con.c 2017-02-17 11:44:34.973824961 +0100
@@ -177,9 +177,15 @@ static const SSLSignatureScheme defaultS
ssl_sig_ecdsa_secp384r1_sha384,
ssl_sig_ecdsa_secp521r1_sha512,
ssl_sig_ecdsa_sha1,
+#if 0
+ /* Disable, while we are waiting for an upstream fix to
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
+ **/
ssl_sig_rsa_pss_sha256,
ssl_sig_rsa_pss_sha384,
ssl_sig_rsa_pss_sha512,
+#endif
ssl_sig_rsa_pkcs1_sha256,
ssl_sig_rsa_pkcs1_sha384,
ssl_sig_rsa_pkcs1_sha512,
@@ -4622,9 +4628,16 @@ ssl_IsSupportedSignatureScheme(SSLSignat
case ssl_sig_rsa_pkcs1_sha256:
case ssl_sig_rsa_pkcs1_sha384:
case ssl_sig_rsa_pkcs1_sha512:
+ return PR_TRUE;
+ /* Disable, while we are waiting for an upstream fix to
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
+ **/
case ssl_sig_rsa_pss_sha256:
case ssl_sig_rsa_pss_sha384:
case ssl_sig_rsa_pss_sha512:
+ return PR_FALSE;
+
case ssl_sig_ecdsa_secp256r1_sha256:
case ssl_sig_ecdsa_secp384r1_sha384:
case ssl_sig_ecdsa_secp521r1_sha512:
diff -up nss/lib/ssl/sslcert.c.disable_pss nss/lib/ssl/sslcert.c
--- nss/lib/ssl/sslcert.c.disable_pss 2017-01-30 02:06:08.000000000 +0100
+++ nss/lib/ssl/sslcert.c 2017-02-17 11:44:34.973824961 +0100
@@ -399,7 +399,13 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket
PRBool ku_enc = (PRBool)(cert->keyUsage & KU_KEY_ENCIPHERMENT);
if ((data->authType == ssl_auth_rsa_sign && ku_sig) ||
+#if 0
+ /* Disable, while we are waiting for an upstream fix to
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
+ **/
(data->authType == ssl_auth_rsa_pss && ku_sig) ||
+#endif
(data->authType == ssl_auth_rsa_decrypt && ku_enc)) {
return ssl_ConfigCert(ss, cert, keyPair, data);
}
@@ -416,12 +422,18 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket
return rv;
}
+#if 0
+ /* Disable, while we are waiting for an upstream fix to
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
+ **/
/* This certificate is RSA, assume that it's also PSS. */
data->authType = ssl_auth_rsa_pss;
rv = ssl_ConfigCert(ss, cert, keyPair, data);
if (rv != SECSuccess) {
return rv;
}
+#endif
}
if (ku_enc) {