Resolves: RHEL-182530

- drop crmf
 - include missing revert certs
 - remove unused patches
This commit is contained in:
Robert Relyea 2026-06-10 15:49:16 -07:00
parent ed6f9c6a95
commit 32e2ff42ba
5 changed files with 343 additions and 1396 deletions

View File

@ -1,104 +0,0 @@
# HG changeset patch
# User Robert Relyea <rrelyea@redhat.com>
# Date 1780437848 25200
# Tue Jun 02 15:04:08 2026 -0700
# Branch NSS_3_124_BRANCH
# Node ID b32abfeba0dab71016b45b33d32b8bea717da75f
# Parent 19e655733f3af71e3d517ada0d31ad0697d40f3f
nss-3.124-enable-crmf.patch
diff --git a/cmd/manifest.mn b/cmd/manifest.mn
--- a/cmd/manifest.mn
+++ b/cmd/manifest.mn
@@ -4,16 +4,22 @@
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
DEPTH = ..
# MODULE = seccmd
SOFTOKEN_SRCDIRS=
NSS_SRCDIRS=
LIB_SRCDIRS=
+CRMF_SRCDIR=
+
+ifdef NSS_ENABLE_CRMF
+CRMF_SRCDIR=crmftest
+endif
+
ifdef NSS_BUILD_UTIL_ONLY
REQUIRES = nspr
else
REQUIRES = nss nspr libdbm
LIB_SRCDIRS = \
lib \
$(NULL)
@@ -35,16 +41,17 @@ ifndef NSS_BUILD_SOFTOKEN_ONLY
ifndef NSS_BUILD_UTIL_ONLY
NSS_SRCDIRS = \
addbuiltin \
atob \
btoa \
certutil \
chktest \
crlutil \
+ $(CRMF_SRCDIR) \
dbtest \
derdump \
digest \
httpserv \
listsuites \
makepqg \
multinit \
nss-policy-check \
diff --git a/lib/Makefile b/lib/Makefile
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -51,16 +51,20 @@ endif # MOZILLA_CLIENT
ifndef NSS_DISABLE_DBM
DBM_SRCDIR = dbm
endif
ifndef NSS_DISABLE_LIBPKIX
LIBPKIX_SRCDIR = libpkix
endif
+ifdef NSS_ENABLE_CRMF
+CRMF_SRCDIR=crmf
+endif
+
ifeq ($(NSS_BUILD_UTIL_ONLY),1)
UTIL_SRCDIR = util
else
ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
FREEBL_SRCDIR = freebl
SOFTOKEN_SRCDIR = softoken
else
@@ -83,24 +87,24 @@ else
endif
ifneq (,$(SOFTOKEN_SRCDIR))
$(SOFTOKEN_SRCDIR): $(DBM_SRCDIR) $(FREEBL_SRCDIR) $(SQLITE_SRCDIR) $(UTIL_SRCDIR)
endif
ifndef NSS_BUILD_SOFTOKEN_ONLY
NSS_SRCDIRS = \
- base certdb certhigh ckfw cryptohi dev jar $(LIBPKIX_SRCDIR) \
+ base certdb certhigh ckfw $(CRMF_SRCDIR) cryptohi dev jar $(LIBPKIX_SRCDIR) \
nss pk11wrap pkcs12 pkcs7 pki smime ssl $(SYSINIT_SRCDIR) $(ZLIB_SRCDIR)
ifneq (,$(SYSINIT_SRCDIR))
$(SYSINIT_SRCDIR): $(UTIL_SRCDIR)
endif
- nss: base certdb certhigh cryptohi dev $(LIBPKIX_SRCDIR) pk11wrap pki $(UTIL_SRCDIR)
+ nss: base certdb certhigh cryptohi $(CRMF_SRCDIR) dev $(LIBPKIX_SRCDIR) pk11wrap pki $(UTIL_SRCDIR)
smime: nss pkcs7 pkcs12
ssl: nss
ckfw: nss
endif # !NSS_BUILD_SOFTOKEN_ONLY
endif # !NSS_BUILD_UTIL_ONLY
DIRS = \

View File

@ -1,627 +0,0 @@
diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c
--- a/cmd/lib/secutil.c
+++ b/cmd/lib/secutil.c
@@ -1603,10 +1603,18 @@
case ecKey:
secu_PrintECPublicKey(out, pk, "EC Public Key", level + 1);
break;
+ case ecMontKey:
+ secu_PrintECPublicKey(out, pk, "EC Montgomery Public Key", level + 1);
+ break;
+
+ case edKey:
+ secu_PrintECPublicKey(out, pk, "EC Edwards Public Key", level + 1);
+ break;
+
case mldsaKey:
SECU_PrintMLDSAPublicKey(out, pk, "ML-DSA Public Key", level + 1);
break;
case kyberKey:
diff --git a/cmd/pk11importtest/pk11importtest.c b/cmd/pk11importtest/pk11importtest.c
--- a/cmd/pk11importtest/pk11importtest.c
+++ b/cmd/pk11importtest/pk11importtest.c
@@ -191,10 +191,12 @@
" -r skip rsa test",
" -D skip dsa test",
" -h skip dh test",
" -e skip ec test",
" -K skip mk-kem test",
+ " -w skip ed test",
+ " -g skip ec montgomery test",
};
static int nUsageInfo = sizeof(usageInfo) / sizeof(char *);
static void
Usage(char *progName, FILE *outFile)
@@ -216,10 +218,12 @@
opt_NoRSA,
opt_NoDSA,
opt_NoDH,
opt_NoEC,
opt_NoMLKEM,
+ opt_NoED,
+ opt_NoECMont,
};
static secuCommandFlag options[] = {
{ /* opt_CertDir */ 'd', PR_TRUE, 0, PR_FALSE },
{ /* opt_KeySize */ 'k', PR_TRUE, 0, PR_FALSE },
@@ -230,10 +234,12 @@
{ /* opt_NoRSA */ 'r', PR_FALSE, 0, PR_FALSE },
{ /* opt_NoDSA */ 'D', PR_FALSE, 0, PR_FALSE },
{ /* opt_NoDH */ 'h', PR_FALSE, 0, PR_FALSE },
{ /* opt_NoEC */ 'e', PR_FALSE, 0, PR_FALSE },
{ /* opt_NoMLKEM */ 'K', PR_FALSE, 0, PR_FALSE },
+ { /* opt_NoED */ 'w', PR_FALSE, 0, PR_FALSE },
+ { /* opt_NoECMont */ 'g', PR_FALSE, 0, PR_FALSE },
};
int
main(int argc, char **argv)
{
@@ -246,10 +252,12 @@
PRBool doRSA = PR_TRUE;
PRBool doDSA = PR_TRUE;
PRBool doDH = PR_FALSE; /* NSS currently can't export wrapped DH keys */
PRBool doEC = PR_TRUE;
PRBool doMLKEM = PR_TRUE;
+ PRBool doED = PR_TRUE;
+ PRBool doECMont = PR_TRUE;
PRBool noPub = PR_FALSE;
PQGParams *pqgParams = NULL;
int keySize;
args.numCommands = 0;
@@ -410,10 +418,55 @@
fprintf(stderr, "MLKEM Import Failed!\n");
failed = PR_TRUE;
}
}
+ if (doED) {
+ SECKEYECParams ecParams;
+ SECOidData *curve = SECOID_FindOIDByTag(SEC_OID_ED25519);
+ ecParams.data = PORT_Alloc(curve->oid.len + 2);
+ if (ecParams.data == NULL) {
+ rv = SECFailure;
+ goto ed_failed;
+ }
+ ecParams.data[0] = SEC_ASN1_OBJECT_ID;
+ ecParams.data[1] = (unsigned char)curve->oid.len;
+ PORT_Memcpy(&ecParams.data[2], curve->oid.data, curve->oid.len);
+ ecParams.len = curve->oid.len + 2;
+ rv = handleEncryptedPrivateImportTest(progName, slot, "EDDSA",
+ CKM_EC_EDWARDS_KEY_PAIR_GEN,
+ noPub, &ecParams, &pwArgs);
+ PORT_Free(ecParams.data);
+ ed_failed:
+ if (rv != SECSuccess) {
+ fprintf(stderr, "EDDSA Import Failed!\n");
+ failed = PR_TRUE;
+ }
+ }
+ if (doECMont) {
+ SECKEYECParams ecParams;
+ SECOidData *curve = SECOID_FindOIDByTag(SEC_OID_X25519);
+ ecParams.data = PORT_Alloc(curve->oid.len + 2);
+ if (ecParams.data == NULL) {
+ rv = SECFailure;
+ goto ecmont_failed;
+ }
+ ecParams.data[0] = SEC_ASN1_OBJECT_ID;
+ ecParams.data[1] = (unsigned char)curve->oid.len;
+ PORT_Memcpy(&ecParams.data[2], curve->oid.data, curve->oid.len);
+ ecParams.len = curve->oid.len + 2;
+ rv = handleEncryptedPrivateImportTest(progName, slot, "EC Mont",
+ CKM_EC_MONTGOMERY_KEY_PAIR_GEN,
+ noPub, &ecParams, &pwArgs);
+ PORT_Free(ecParams.data);
+ ecmont_failed:
+ if (rv != SECSuccess) {
+ fprintf(stderr, "EC Montgomery Import Failed!\n");
+ failed = PR_TRUE;
+ }
+ }
+
if (pqgParams) {
PK11_PQG_DestroyParams(pqgParams);
}
if (slot) {
diff --git a/lib/softoken/lowkey.c b/lib/softoken/lowkey.c
--- a/lib/softoken/lowkey.c
+++ b/lib/softoken/lowkey.c
@@ -43,10 +43,15 @@
{ SEC_ASN1_OCTET_STRING,
offsetof(NSSLOWKEYPrivateKeyInfo, privateKey) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
offsetof(NSSLOWKEYPrivateKeyInfo, attributes),
nsslowkey_SetOfAttributeTemplate },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+ SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC |
+ SEC_ASN1_XTRN | 1,
+ offsetof(NSSLOWKEYPrivateKeyInfo, publicKey),
+ SEC_ASN1_SUB(SEC_BitStringTemplate) },
{ 0 }
};
const SEC_ASN1Template nsslowkey_SubjectPublicKeyInfoTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYSubjectPublicKeyInfo) },
@@ -399,10 +404,12 @@
if (rv == SECSuccess)
return pubk;
}
break;
case NSSLOWKEYECKey:
+ case NSSLOWKEYECEdwardsKey:
+ case NSSLOWKEYECMontgomeryKey:
pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
sizeof(NSSLOWKEYPublicKey));
if (pubk != NULL) {
SECStatus rv;
@@ -631,10 +638,12 @@
&(privKey->u.dh.base));
if (rv != SECSuccess)
break;
break;
case NSSLOWKEYECKey:
+ case NSSLOWKEYECEdwardsKey:
+ case NSSLOWKEYECMontgomeryKey:
rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.version),
&(privKey->u.ec.version));
if (rv != SECSuccess)
break;
rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.publicValue),
diff --git a/lib/softoken/lowkeyti.h b/lib/softoken/lowkeyti.h
--- a/lib/softoken/lowkeyti.h
+++ b/lib/softoken/lowkeyti.h
@@ -48,10 +48,11 @@
PLArenaPool *arena;
SECItem version;
SECAlgorithmID algorithm;
SECItem privateKey;
NSSLOWKEYAttribute **attributes;
+ SECItem publicKey;
};
typedef struct NSSLOWKEYPrivateKeyInfoStr NSSLOWKEYPrivateKeyInfo;
#define NSSLOWKEY_PRIVATE_KEY_INFO_VERSION 0 /* what we *create* */
struct NSSLOWKEYSubjectPublicKeyInfoStr {
@@ -65,12 +66,14 @@
NSSLOWKEYNullKey = 0,
NSSLOWKEYRSAKey = 1,
NSSLOWKEYDSAKey = 2,
NSSLOWKEYDHKey = 4,
NSSLOWKEYECKey = 5,
- NSSLOWKEYMLDSAKey = 6,
- NSSLOWKEYMLKEMKey = 7,
+ NSSLOWKEYECEdwardsKey = 6,
+ NSSLOWKEYECMontgomeryKey = 7,
+ NSSLOWKEYMLDSAKey = 8,
+ NSSLOWKEYMLKEMKey = 9,
} NSSLOWKEYType;
/* ML KEM low structures packages a key with it's parameters.
* The ML KEM freebl didn't define these because all the functions
* take raw keys and param separately */
diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c
--- a/lib/softoken/pkcs11.c
+++ b/lib/softoken/pkcs11.c
@@ -2223,13 +2223,18 @@
break;
crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.publicValue,
object, CKA_VALUE);
break;
case CKK_EC_EDWARDS:
+ pubKey->keyType = NSSLOWKEYECEdwardsKey;
+ goto ec_continue;
case CKK_EC_MONTGOMERY:
+ pubKey->keyType = NSSLOWKEYECMontgomeryKey;
+ goto ec_continue;
case CKK_EC:
pubKey->keyType = NSSLOWKEYECKey;
+ ec_continue:
crv = sftk_Attribute2SSecItem(arena,
&pubKey->u.ec.ecParams.DEREncoding,
object, CKA_EC_PARAMS);
if (crv != CKR_OK)
break;
@@ -2451,13 +2456,18 @@
itemTemplateCount++;
/* privKey was zero'd so public value is already set to NULL, 0
* if we don't set it explicitly */
break;
case CKK_EC_EDWARDS:
+ privKey->keyType = NSSLOWKEYECEdwardsKey;
+ goto ec_continue;
case CKK_EC_MONTGOMERY:
+ privKey->keyType = NSSLOWKEYECMontgomeryKey;
+ goto ec_continue;
case CKK_EC:
privKey->keyType = NSSLOWKEYECKey;
+ ec_continue:
crv = sftk_Attribute2SSecItem(arena,
&privKey->u.ec.ecParams.DEREncoding,
object, CKA_EC_PARAMS);
if (crv != CKR_OK)
break;
@@ -2514,10 +2524,11 @@
case CKK_NSS_KYBER:
#endif
case CKK_NSS_ML_KEM:
case CKK_ML_KEM:
privKey->keyType = NSSLOWKEYMLKEMKey;
+
crv = sftk_GetULongAttribute(object, CKA_PARAMETER_SET,
&paramSet);
if (crv != CKR_OK) {
crv = sftk_GetULongAttribute(object, CKA_NSS_PARAMETER_SET,
&paramSet);
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -6465,12 +6465,10 @@
* the private key */
seed.data = seedData;
seed.len = sizeof(seedData);
rv = RNG_GenerateGlobalRandomBytes(seed.data, seed.len);
if (rv != SECSuccess) {
- fprintf(stderr, "Generate bytes failed nbytes=%d err=%d\n",
- seed.len, PORT_GetError());
crv = sftk_MapCryptError(PORT_GetError());
goto kyber_done;
}
KyberParams kyberParams = sftk_kyber_PK11ParamToInternal(genParamSet);
@@ -6482,12 +6480,10 @@
crv = CKR_HOST_MEMORY;
goto kyber_done;
}
rv = Kyber_NewKey(kyberParams, &seed, &privKey, &pubKey);
if (rv != SECSuccess) {
- fprintf(stderr, "Generate Kyber_NewKey failed nbytes=%d err=%d\n",
- seed.len, PORT_GetError());
crv = sftk_MapCryptError(PORT_GetError());
goto kyber_done;
}
crv = sftk_AddAttributeType(publicKey, CKA_VALUE, sftk_item_expand(&pubKey));
@@ -6902,10 +6898,11 @@
param = SEC_ASN1EncodeItem(NULL, NULL, &(lk->u.dsa.params),
nsslowkey_PQGParamsTemplate);
algorithm = SEC_OID_ANSIX9_DSA_SIGNATURE;
break;
case NSSLOWKEYECKey:
+ algorithm = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
prepare_low_ec_priv_key_for_asn1(lk);
/* Public value is encoded as a bit string so adjust length
* to be in bits before ASN encoding and readjust
* immediately after.
*
@@ -6926,12 +6923,30 @@
SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKey", lk->keyType,
fordebug);
#endif
param = SECITEM_DupItem(&lk->u.ec.ecParams.DEREncoding);
-
- algorithm = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
+ break;
+ /* X25519, ED25519, X448, and ED448 encode the private key
+ * as just and int. The public key and Curve come from the
+ * generaly key structure */
+ case NSSLOWKEYECEdwardsKey:
+ algorithm = SEC_OID_ED25519;
+ goto ec_continue;
+ case NSSLOWKEYECMontgomeryKey:
+ algorithm = SEC_OID_X25519;
+ ec_continue:
+ prepare_low_ec_priv_key_for_asn1(lk);
+ /* if we have a public key, copy it to pki public key */
+ if (lk->u.ec.publicValue.len) {
+ pki->publicKey = lk->u.ec.publicValue;
+ pki->publicKey.len <<= 3;
+ }
+ dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey,
+ &lk->u.ec.privateValue,
+ SEC_ASN1_GET(SEC_OctetStringTemplate));
+ param = NULL;
break;
case NSSLOWKEYMLKEMKey: {
SECItem seed = { siBuffer, NULL, 0 };
SECItem rawKey = { siBuffer, NULL, 0 };
dummy = NULL;
@@ -7258,10 +7273,12 @@
PLArenaPool *arena;
NSSLOWKEYPrivateKey *lpk = NULL;
NSSLOWKEYPrivateKeyInfo *pki = NULL;
CK_RV crv = CKR_KEY_TYPE_INCONSISTENT;
CK_ULONG paramSet = 0;
+ const SECOidData *oidData = NULL;
+ SECOidTag pkiAlg = SEC_OID_UNKNOWN;
arena = PORT_NewArena(2048);
if (!arena) {
return SECFailure;
}
@@ -7283,11 +7300,12 @@
if (lpk == NULL) {
goto loser;
}
lpk->arena = arena;
- switch (SECOID_GetAlgorithmTag(&pki->algorithm)) {
+ pkiAlg = SECOID_GetAlgorithmTag(&pki->algorithm);
+ switch (pkiAlg) {
case SEC_OID_PKCS1_RSA_ENCRYPTION:
case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
keyTemplate = nsslowkey_RSAPrivateKeyTemplate;
paramTemplate = NULL;
paramDest = NULL;
@@ -7309,10 +7327,46 @@
paramDest = &(lpk->u.ec.ecParams.DEREncoding);
lpk->keyType = NSSLOWKEYECKey;
prepare_low_ec_priv_key_for_asn1(lpk);
prepare_low_ecparams_for_asn1(&lpk->u.ec.ecParams);
break;
+ case SEC_OID_X25519:
+ lpk->keyType = NSSLOWKEYECMontgomeryKey;
+ goto ecx_continue;
+ case SEC_OID_ED25519:
+ lpk->keyType = NSSLOWKEYECEdwardsKey;
+ ecx_continue:
+ /* we decode the whole key here rather than do the normal
+ * later decode step */
+ keyTemplate = NULL;
+ paramTemplate = NULL;
+ paramDest = NULL;
+ oidData = SECOID_FindOIDByTag(pkiAlg);
+ if (oidData == NULL) {
+ goto loser;
+ }
+ /* CURVE is provided by the tag, not encoded in the parameters
+ * for the x25519, x448, ed25519 and ed448 keys */
+ if (SEC_ASN1EncodeItem(arena, &(lpk->u.ec.ecParams.DEREncoding),
+ &oidData->oid,
+ SEC_ASN1_GET(SEC_ObjectIDTemplate)) == NULL) {
+ goto loser;
+ }
+ prepare_low_ec_priv_key_for_asn1(lpk);
+ /* private key is a simple octet string, just decode it now */
+ rv = SEC_QuickDERDecodeItem(arena, &(lpk->u.ec.privateValue),
+ SEC_ASN1_GET(SEC_OctetStringTemplate),
+ &(pki->privateKey));
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ if (pki->publicKey.len) {
+ lpk->u.ec.publicValue = pki->publicKey;
+ /* convert length in bits to length in bytes */
+ lpk->u.ec.publicValue.len >>= 3;
+ }
+ break;
case SEC_OID_ML_KEM_768:
paramSet = CKP_ML_KEM_768;
goto mlkem_next;
case SEC_OID_ML_KEM_1024:
paramSet = CKP_ML_KEM_1024;
@@ -7344,30 +7398,31 @@
case SEC_ASN1_CONSTRUCTED | SEC_ASN1_SEQUENCE:
keyTemplate = nsslowkey_PQBothSeedAndPrivateKeyTemplate;
break;
default:
keyTemplate = NULL;
- break;
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ goto loser;
}
paramTemplate = NULL;
paramDest = NULL;
/* genpq encodes ocect, not integer, so no need to prep it */
break;
default:
keyTemplate = NULL;
paramTemplate = NULL;
paramDest = NULL;
- break;
- }
-
- if (!keyTemplate) {
- goto loser;
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ goto loser;
}
/* decode the private key and any algorithm parameters */
- rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
+ rv = SECSuccess;
+ if (keyTemplate) {
+ rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
+ }
if (lpk->keyType == NSSLOWKEYECKey) {
/* convert length in bits to length in bytes */
lpk->u.ec.publicValue.len >>= 3;
rv = SECITEM_CopyItem(arena,
@@ -7560,13 +7615,19 @@
template = dhTemplate;
templateCount = sizeof(dhTemplate) / sizeof(CK_ATTRIBUTE);
keyType = CKK_DH;
break;
#endif
- /* what about fortezza??? */
+ case NSSLOWKEYECEdwardsKey:
+ keyType = CKK_EC_EDWARDS;
+ goto ec_import_continue;
+ case NSSLOWKEYECMontgomeryKey:
+ keyType = CKK_EC_MONTGOMERY;
+ goto ec_import_continue;
case NSSLOWKEYECKey:
keyType = CKK_EC;
+ ec_import_continue:
/* if we weren't passed the CKA_NSS_DB, get it
* from the public key */
if (!sftk_hasAttribute(key, CKA_NSS_DB)) {
if (lpk->u.ec.publicValue.len == 0) {
crv = CKR_KEY_TYPE_INCONSISTENT;
diff --git a/lib/softoken/pkcs11u.c b/lib/softoken/pkcs11u.c
--- a/lib/softoken/pkcs11u.c
+++ b/lib/softoken/pkcs11u.c
@@ -1642,10 +1642,12 @@
case CKK_DH:
crv = stfk_CopyTokenAttributes(destObject, src_to, dhPrivKeyAttrs,
dhPrivKeyAttrsCount);
break;
case CKK_EC:
+ case CKK_EC_EDWARDS:
+ case CKK_EC_MONTGOMERY:
crv = stfk_CopyTokenAttributes(destObject, src_to, ecPrivKeyAttrs,
ecPrivKeyAttrsCount);
break;
default:
crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
@@ -1706,10 +1708,12 @@
case CKK_DH:
crv = stfk_CopyTokenAttributes(destObject, src_to, dhPubKeyAttrs,
dhPubKeyAttrsCount);
break;
case CKK_EC:
+ case CKK_EC_EDWARDS:
+ case CKK_EC_MONTGOMERY:
crv = stfk_CopyTokenAttributes(destObject, src_to, ecPubKeyAttrs,
ecPubKeyAttrsCount);
break;
default:
crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
diff --git a/lib/util/secoid.c b/lib/util/secoid.c
--- a/lib/util/secoid.c
+++ b/lib/util/secoid.c
@@ -640,14 +640,14 @@
a private key, and a signature (for the two EdDSA related OIDs).
Additional encoding information is provided below for each of these
locations.
*/
-CONST_OID ed25519PublicKey[] = { 0x2B, 0x65, 0x70 };
-CONST_OID ed25519Signature[] = { 0x2B, 0x65, 0x70 };
-
/*https://www.rfc-editor.org/rfc/rfc8410#section-3*/
+/* 1.3.101.112 */
+CONST_OID ed25519[] = { 0x2B, 0x65, 0x70 };
+/* 1.3.101.110 */
CONST_OID x25519PublicKey[] = { 0x2b, 0x65, 0x6e };
/*
* ML-DSA OIDs
* https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration
@@ -1869,15 +1869,18 @@
OD(hmac_sha3_512, SEC_OID_HMAC_SHA3_512, "HMAC SHA3-512", CKM_SHA3_512_HMAC, INVALID_CERT_EXTENSION),
ODE(SEC_OID_XYBER768D00,
"X25519+Kyber768 key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
- OD(ed25519Signature, SEC_OID_ED25519_SIGNATURE, "X9.62 EDDSA signature", CKM_EDDSA,
- INVALID_CERT_EXTENSION),
+ /* SEC_OID_ED25519_PUBLIC_KEY and SEC_OID_ED25519_SIGNATURE have the same
+ * values, so we should only have one entry in the table, We can't
+ * shift the values of the other entries, so just leav a dead spot here */
+ ODE(SEC_OID_RESERVED_OLD_EDSIG, "Reserved", CKM_INVALID_MECHANISM,
+ INVALID_CERT_EXTENSION),
- OD(ed25519PublicKey, SEC_OID_ED25519_PUBLIC_KEY,
- "X9.62 elliptic edwards curve public key", CKM_EC_EDWARDS_KEY_PAIR_GEN, INVALID_CERT_EXTENSION),
+ OD(ed25519, SEC_OID_ED25519,
+ "X9.62 Elliptic Edwards Curve 25519", CKM_EDDSA, INVALID_CERT_EXTENSION),
OD(dhSinglePassstdDHsha1kdfscheme, SEC_OID_DHSINGLEPASS_STDDH_SHA1KDF_SCHEME,
"Eliptic Curve Diffie-Hellman Single Pass Standard with SHA1 KDF", CKM_ECDH1_DERIVE,
INVALID_CERT_EXTENSION),
OD(dhSinglePassstdDHsha224kdfscheme, SEC_OID_DHSINGLEPASS_STDDH_SHA224KDF_SCHEME,
diff --git a/lib/util/secoidt.h b/lib/util/secoidt.h
--- a/lib/util/secoidt.h
+++ b/lib/util/secoidt.h
@@ -512,12 +512,12 @@
SEC_OID_HMAC_SHA3_384 = 370,
SEC_OID_HMAC_SHA3_512 = 371,
SEC_OID_XYBER768D00 = 372,
- SEC_OID_ED25519_SIGNATURE = 373,
- SEC_OID_ED25519_PUBLIC_KEY = 374,
+ SEC_OID_RESERVED_OLD_EDSIG = 373,
+ SEC_OID_ED25519 = 374,
SEC_OID_DHSINGLEPASS_STDDH_SHA1KDF_SCHEME = 375,
SEC_OID_DHSINGLEPASS_STDDH_SHA224KDF_SCHEME = 376,
SEC_OID_DHSINGLEPASS_STDDH_SHA256KDF_SCHEME = 377,
SEC_OID_DHSINGLEPASS_STDDH_SHA384KDF_SCHEME = 378,
@@ -561,10 +561,14 @@
#define SEC_OID_ML_DSA_65_SIGNATURE SEC_OID_ML_DSA_65
#define SEC_OID_ML_DSA_65_PUBLIC_KEY SEC_OID_ML_DSA_65
#define SEC_OID_ML_DSA_87_SIGNATURE SEC_OID_ML_DSA_87
#define SEC_OID_ML_DSA_87_PUBLIC_KEY SEC_OID_ML_DSA_87
+/* EDDSA have the same identifiers for public keys and signatures */
+#define SEC_OID_ED25519_SIGNATURE SEC_OID_ED25519
+#define SEC_OID_ED25519_PUBLIC_KEY SEC_OID_ED25519
+
typedef enum {
INVALID_CERT_EXTENSION = 0,
UNSUPPORTED_CERT_EXTENSION = 1,
SUPPORTED_CERT_EXTENSION = 2
} SECSupportExtenTag;
diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh
--- a/tests/tools/tools.sh
+++ b/tests/tools/tools.sh
@@ -126,10 +126,11 @@
cp ${QADIR}/tools/pbmac1-valid-sha512.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/pbmac1-invalid-bad-iter.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/pbmac1-invalid-bad-salt.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/pbmac1-invalid-no-length.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/corrupted_cert_bag.p12 ${TOOLSDIR}/data
+ cp ${QADIR}/tools/openssl-ed25519.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/openssl-ml-kem-768-seed.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/openssl-ml-kem-768-priv.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/openssl-ml-kem-768-both.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/openssl-ml-kem-1024-seed.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/openssl-ml-kem-1024-priv.p12 ${TOOLSDIR}/data
@@ -534,10 +535,21 @@
check_tmpfile
return $ret
}
+tools_p12_import_ed25519_private_key()
+{
+ echo "$SCRIPTNAME: Importing ED25519 private key from PKCS#12 file --------------"
+ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/openssl-ed25519.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1
+ ret=$?
+ html_msg $ret 0 "Importing ED25519 private key from PKCS#12 file"
+ check_tmpfile
+
+ return $ret
+}
+
tools_p12_ml_kem_import()
{
echo "$SCRIPTNAME: Testing ml-kem compatibility with pkcs12 --------------"
for i in 768 1024
do
@@ -614,10 +626,11 @@
fi
tools_p12_export_with_none_ciphers
tools_p12_export_with_invalid_ciphers
tools_p12_import_old_files
tools_p12_import_pbmac1_samples
+ tools_p12_import_ed25519_private_key
tools_p12_ml_kem_import
if using_sql; then
tools_p12_import_rsa_pss_private_key
tools_p12_policy
fi

View File

@ -1,654 +0,0 @@
# HG changeset patch
# User Robert Relyea <rrelyea@redhat.com>
# Date 1780515403 25200
# Wed Jun 03 12:36:43 2026 -0700
# Branch NSS_3_124_BRANCH
# Node ID eaa726433f362aed5f4cdc40fe0b6aa813d99ed7
# Parent 8136ca511f641717eb0b88becf947767a0335eab
nss-3.124-ml-dsa-test-for-sign-verify-pkcs12.patch
diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c
--- a/cmd/certutil/certutil.c
+++ b/cmd/certutil/certutil.c
@@ -1155,18 +1155,20 @@ PrintSyntax()
FPS "\t%s -F -k key-id [-d certdir] [-P dbprefix]\n",
progName);
FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n"
"\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
FPS "\t%s -G [-h token-name] -k dsa [-q pqgfile -g key-size] [-f pwfile]\n"
"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
FPS "\t%s -G [-h token-name] -k ec -q curve [-f pwfile]\n"
"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
- FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|ec|rsa|all]\n",
- progName);
+ FPS "\t%s -G [-h token-name] -k mldsa -q paramset [-f pwfile]\n"
+ "\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
+ FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|ec|rsa|mldsa|all]\n",
+ progName);
FPS "\t\t [-f pwfile] [-X] [-d certdir] [-P dbprefix]\n");
FPS "\t%s --upgrade-merge --source-dir upgradeDir --upgrade-id uniqueID\n",
progName);
FPS "\t\t [--upgrade-token-name tokenName] [-d targetDBDir]\n");
FPS "\t\t [-P targetDBPrefix] [--source-prefix upgradeDBPrefix]\n");
FPS "\t\t [-f targetPWfile] [-@ upgradePWFile]\n");
FPS "\t%s --merge --source-dir sourceDBDir [-d targetDBdir]\n",
progName);
@@ -1389,16 +1391,19 @@ luG(enum usage_level ul, const char *com
FPS "%-20s prime239v1, prime239v2, prime239v3, c2pnb163v1, \n", "");
FPS "%-20s c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, \n", "");
FPS "%-20s c2tnb191v2, c2tnb191v3, \n", "");
FPS "%-20s c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, \n", "");
FPS "%-20s c2pnb272w1, c2pnb304w1, \n", "");
FPS "%-20s c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, \n", "");
FPS "%-20s secp112r2, secp128r1, secp128r2, sect113r1, sect113r2\n", "");
FPS "%-20s sect131r1, sect131r2\n", "");
+ FPS "%-20s ML-DSA parameter set (mldsa only)\n",
+ " -q paramset");
+ FPS "%-20s valid values are ml-dsa-44, ml-dsa-65, ml-dsa-87:\n", "");
FPS "%-20s Key database directory (default is ~/.netscape)\n",
" -d keydir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
FPS "%-20s\n"
"%-20s PKCS #11 key Attributes.\n",
" --keyAttrFlags attrflags", "");
FPS "%-20s Comma separated list of key attribute attribute flags,\n", "");
@@ -1481,16 +1486,17 @@ luK(enum usage_level ul, const char *com
"-K");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s Name of token to search (\"all\" for all tokens)\n",
" -h token-name ");
FPS "%-20s Key type (\"all\" (default), \"dsa\","
" \"ec\","
+ " \"mldsa\","
" \"rsa\")\n",
" -k key-type");
FPS "%-20s The nickname of the key or associated certificate\n",
" -n name");
FPS "%-20s Specify the password file\n",
" -f password-file");
FPS "%-20s Key database directory (default is ~/.netscape)\n",
" -d keydir");
@@ -1641,16 +1647,20 @@ luR(enum usage_level ul, const char *com
FPS "%-20s Create a certificate request restricted to RSA-PSS (rsa only)\n",
" --pss");
FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
" -q pqgfile");
FPS "%-20s Elliptic curve name (ec only)\n",
" -q curve-name");
FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
"");
+ FPS "%-20s ML-DSA parameter set (mldsa only)\n",
+ " -q paramset");
+ FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
+ "");
FPS "%-20s Specify the password file\n",
" -f pwfile");
FPS "%-20s Key database directory (default is ~/.netscape)\n",
" -d keydir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
" -p phone");
@@ -1821,16 +1831,20 @@ luS(enum usage_level ul, const char *com
FPS "%-20s Create a certificate restricted to RSA-PSS (rsa only)\n",
" --pss");
FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
" -q pqgfile");
FPS "%-20s Elliptic curve name (ec only)\n",
" -q curve-name");
FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
"");
+ FPS "%-20s ML-DSA parameter set (mldsa only)\n",
+ " -q paramset");
+ FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
+ "");
FPS "%-20s Self sign\n",
" -x");
FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n",
" --pss-sign");
FPS "%-20s Cert serial number\n",
" -m serial-number");
FPS "%-20s Time Warp\n",
" -w warp-months");
@@ -2773,19 +2787,44 @@ certutil_main(int argc, char **argv, PRB
sourceDir = certutil.options[opt_SourceDir].arg;
if (certutil.options[opt_UpgradeID].activated)
upgradeID = certutil.options[opt_UpgradeID].arg;
if (certutil.options[opt_UpgradeTokenName].activated)
upgradeTokenName = certutil.options[opt_UpgradeTokenName].arg;
+ /* must be before opt_KeySize! */
+ /* -k key type */
+ if (certutil.options[opt_KeyType].activated) {
+ char *arg = certutil.options[opt_KeyType].arg;
+ if (PL_strcmp(arg, "rsa") == 0) {
+ keytype = rsaKey;
+ } else if (PL_strcmp(arg, "dsa") == 0) {
+ keytype = dsaKey;
+ } else if (PL_strcmp(arg, "ec") == 0) {
+ keytype = ecKey;
+ } else if (PL_strcmp(arg, "mldsa") == 0) {
+ keytype = mldsaKey;
+ } else if (PL_strcmp(arg, "all") == 0) {
+ keytype = nullKey;
+ } else {
+ /* use an existing private/public key pair */
+ keysource = arg;
+ }
+ } else if (certutil.commands[cmd_ListKeys].activated) {
+ keytype = nullKey;
+ }
+
if (certutil.options[opt_KeySize].activated) {
keysize = PORT_Atoi(certutil.options[opt_KeySize].arg);
- if ((keysize < MIN_KEY_BITS) || (keysize > MAX_KEY_BITS)) {
+ /* mldsa limits are much different that rsa and dsa, don't
+ * do the check here */
+ if ((keytype != mldsaKey) &&
+ ((keysize < MIN_KEY_BITS) || (keysize > MAX_KEY_BITS))) {
PR_fprintf(PR_STDERR,
"%s -g: Keysize must be between %d and %d.\n",
progName, MIN_KEY_BITS, MAX_KEY_BITS);
return 255;
}
if (keytype == ecKey) {
PR_fprintf(PR_STDERR, "%s -g: Not for ec keys.\n", progName);
return 255;
@@ -2806,35 +2845,16 @@ certutil_main(int argc, char **argv, PRB
hashAlgTag = SECU_StringToSignatureAlgTag(arg);
if (hashAlgTag == SEC_OID_UNKNOWN) {
PR_fprintf(PR_STDERR, "%s -Z: %s is not a recognized type.\n",
progName, arg);
return 255;
}
}
- /* -k key type */
- if (certutil.options[opt_KeyType].activated) {
- char *arg = certutil.options[opt_KeyType].arg;
- if (PL_strcmp(arg, "rsa") == 0) {
- keytype = rsaKey;
- } else if (PL_strcmp(arg, "dsa") == 0) {
- keytype = dsaKey;
- } else if (PL_strcmp(arg, "ec") == 0) {
- keytype = ecKey;
- } else if (PL_strcmp(arg, "all") == 0) {
- keytype = nullKey;
- } else {
- /* use an existing private/public key pair */
- keysource = arg;
- }
- } else if (certutil.commands[cmd_ListKeys].activated) {
- keytype = nullKey;
- }
-
if (certutil.options[opt_KeyOpFlagsOn].activated) {
keyOpFlagsOn = GetOpFlags(certutil.options[opt_KeyOpFlagsOn].arg);
}
if (certutil.options[opt_KeyOpFlagsOff].activated) {
keyOpFlagsOff = GetOpFlags(certutil.options[opt_KeyOpFlagsOff].arg);
keyOpFlagsOn &= ~keyOpFlagsOff; /* make off override on */
}
if (certutil.options[opt_KeyAttrFlags].activated) {
@@ -2867,19 +2887,22 @@ certutil_main(int argc, char **argv, PRB
srcCertPrefix = certutil.options[opt_SourcePrefix].arg;
} else {
Usage();
}
}
/* -q PQG file or curve name */
if (certutil.options[opt_PQGFile].activated) {
- if ((keytype != dsaKey) && (keytype != ecKey)) {
+ if ((keytype != dsaKey) && (keytype != ecKey) &&
+ (keytype != mldsaKey)) {
PR_fprintf(PR_STDERR, "%s -q: specifies a PQG file for DSA keys"
- " (-k dsa) or a named curve for EC keys (-k ec)\n)",
+ " (-k dsa)\n"
+ " or a named curve for EC keys (-k ec)\n"
+ " or a parameter set for ML-DSA keys (-k mldsa)\n",
progName);
return 255;
}
}
/* -s subject name */
if (certutil.options[opt_Subject].activated) {
subject = CERT_AsciiToName(certutil.options[opt_Subject].arg);
diff --git a/cmd/certutil/keystuff.c b/cmd/certutil/keystuff.c
--- a/cmd/certutil/keystuff.c
+++ b/cmd/certutil/keystuff.c
@@ -512,16 +512,17 @@ CERTUTIL_GeneratePrivateKey(KeyType keyt
int publicExponent, const char *noise,
SECKEYPublicKey **pubkeyp, const char *pqgFile,
PK11AttrFlags attrFlags, CK_FLAGS opFlagsOn,
CK_FLAGS opFlagsOff, secuPWData *pwdata)
{
CK_MECHANISM_TYPE mechanism;
PK11RSAGenParams rsaparams;
SECKEYPQGParams *dsaparams = NULL;
+ CK_ULONG paramSet;
void *params;
SECKEYPrivateKey *privKey = NULL;
if (slot == NULL)
return NULL;
if (PK11_Authenticate(slot, PR_TRUE, pwdata) != SECSuccess)
return NULL;
@@ -564,16 +565,60 @@ CERTUTIL_GeneratePrivateKey(KeyType keyt
}
break;
case ecKey:
mechanism = CKM_EC_KEY_PAIR_GEN;
/* For EC keys, PQGFile determines EC parameters */
if ((params = (void *)getECParams(pqgFile)) == NULL)
return NULL;
break;
+ case mldsaKey:
+ mechanism = CKM_ML_DSA_KEY_PAIR_GEN;
+ /* set paramset */
+ paramSet = 0;
+ if (pqgFile) {
+ if (PORT_Strcasecmp(pqgFile, "ML-DSA-44") == 0) {
+ paramSet = CKP_ML_DSA_44;
+ } else if (PORT_Strcasecmp(pqgFile, "ML-DSA-65") == 0) {
+ paramSet = CKP_ML_DSA_65;
+ } else if (PORT_Strcasecmp(pqgFile, "ML-DSA-87") == 0) {
+ paramSet = CKP_ML_DSA_87;
+ } else {
+ /* if we set pqgfile, it had better be right, don't
+ * fall back to key size */
+ return NULL;
+ }
+ } else
+ switch (size) {
+ /* optionally use the size, either the actual size in bytes
+ * or the short hand ('44', '65', '87') */
+ case 44:
+ case 2560:
+ paramSet = CKP_ML_DSA_44;
+ break;
+ case 65:
+ case 4032:
+ paramSet = CKP_ML_DSA_65;
+ break;
+ case 87:
+ case 4896:
+ paramSet = CKP_ML_DSA_87;
+ break;
+ default:
+ /* force a size to be specified somewhere */
+ return NULL;
+ }
+ /* paranoia, shouldn't be able to happen logically. Code
+ * scanners will scream, but I like belt and suspenders */
+ if (paramSet == 0) {
+ return NULL;
+ }
+ params = &paramSet;
+ break;
+
default:
return NULL;
}
fprintf(stderr, "\n\n");
fprintf(stderr, "Generating key. This may take a few moments...\n\n");
privKey = PK11_GenerateKeyPairWithOpFlags(slot, mechanism, params, pubkeyp,
diff --git a/cmd/pk11importtest/pk11importtest.c b/cmd/pk11importtest/pk11importtest.c
--- a/cmd/pk11importtest/pk11importtest.c
+++ b/cmd/pk11importtest/pk11importtest.c
@@ -214,32 +214,34 @@ enum {
opt_ECCurve,
opt_PWFile,
opt_PWString,
opt_NoPub,
opt_NoRSA,
opt_NoDSA,
opt_NoDH,
opt_NoEC,
+ opt_NoMLDSA,
opt_NoMLKEM,
opt_NoED,
opt_NoECMont,
};
static secuCommandFlag options[] = {
{ /* opt_CertDir */ 'd', PR_TRUE, 0, PR_FALSE },
{ /* opt_KeySize */ 'k', PR_TRUE, 0, PR_FALSE },
{ /* opt_ECCurve */ 'C', PR_TRUE, 0, PR_FALSE },
{ /* opt_PWFile */ 'f', PR_TRUE, 0, PR_FALSE },
{ /* opt_PWString */ 'p', PR_TRUE, 0, PR_FALSE },
{ /* opt_NoPub */ 'n', PR_FALSE, 0, PR_FALSE },
{ /* opt_NoRSA */ 'r', PR_FALSE, 0, PR_FALSE },
{ /* opt_NoDSA */ 'D', PR_FALSE, 0, PR_FALSE },
{ /* opt_NoDH */ 'h', PR_FALSE, 0, PR_FALSE },
{ /* opt_NoEC */ 'e', PR_FALSE, 0, PR_FALSE },
+ { /* opt_NoMLDSA */ 'm', PR_FALSE, 0, PR_FALSE },
{ /* opt_NoMLKEM */ 'K', PR_FALSE, 0, PR_FALSE },
{ /* opt_NoED */ 'w', PR_FALSE, 0, PR_FALSE },
{ /* opt_NoECMont */ 'g', PR_FALSE, 0, PR_FALSE },
};
int
main(int argc, char **argv)
{
@@ -248,16 +250,18 @@ main(int argc, char **argv)
secuCommand args;
PK11SlotInfo *slot = NULL;
PRBool failed = PR_FALSE;
secuPWData pwArgs = { PW_NONE, 0 };
PRBool doRSA = PR_TRUE;
PRBool doDSA = PR_TRUE;
PRBool doDH = PR_FALSE; /* NSS currently can't export wrapped DH keys */
PRBool doEC = PR_TRUE;
+ PRBool doMLDSA = PR_FALSE;
+ CK_ML_DSA_PARAMETER_SET_TYPE mldsaParamSet = CKP_ML_DSA_44;
PRBool doMLKEM = PR_TRUE;
PRBool doED = PR_TRUE;
PRBool doECMont = PR_TRUE;
PRBool noPub = PR_FALSE;
PQGParams *pqgParams = NULL;
int keySize;
args.numCommands = 0;
@@ -308,16 +312,19 @@ main(int argc, char **argv)
doDSA = PR_FALSE;
}
if (args.options[opt_NoDH].activated) {
doDH = PR_FALSE;
}
if (args.options[opt_NoEC].activated) {
doEC = PR_FALSE;
}
+ if (args.options[opt_NoMLDSA].activated) {
+ doMLDSA = PR_FALSE;
+ }
if (args.options[opt_NoMLKEM].activated) {
doMLKEM = PR_FALSE;
}
slot = PK11_GetInternalKeySlot();
if (slot == NULL) {
SECU_PrintError(progName, "Couldn't find the internal key slot\n");
return 255;
@@ -403,16 +410,26 @@ main(int argc, char **argv)
PORT_Free(ecParams.data);
ec_failed:
if (rv != SECSuccess) {
fprintf(stderr, "ECC Import Failed!\n");
failed = PR_TRUE;
}
}
+ if (doMLDSA) {
+ rv = handleEncryptedPrivateImportTest(progName, slot, "MLDSA",
+ CKM_ML_DSA_KEY_PAIR_GEN,
+ noPub, &mldsaParamSet, &pwArgs);
+ if (rv != SECSuccess) {
+ fprintf(stderr, "MLDSA Import Failed!\n");
+ failed = PR_TRUE;
+ }
+ }
+
if (doMLKEM) {
CK_ML_KEM_PARAMETER_SET_TYPE paramSet = CKP_ML_KEM_768;
rv = handleEncryptedPrivateImportTest(progName, slot, "MLKEM",
CKM_ML_KEM_KEY_PAIR_GEN,
noPub, &paramSet, &pwArgs);
if (rv != SECSuccess) {
fprintf(stderr, "MLKEM Import Failed!\n");
diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
--- a/tests/cert/cert.sh
+++ b/tests/cert/cert.sh
@@ -101,16 +101,19 @@ cert_init()
fi
cert_add_algorithm "RSA" "" "" "false" 0
if [ -z ${NSS_DISABLE_DSA} ]; then
cert_add_algorithm "DSA" "-dsa" "-k dsa" "true" 20000
fi
# NOTE: curve is added later, so the full command would be '-k ec -q curve'
cert_add_algorithm "ECC" "-ec" "-k ec -q" "true" 10000
+ cert_add_algorithm "ML-DSA-44" "-ml-dsa-44" "-k mldsa -q ml-dsa-44" "false" 30000
+ cert_add_algorithm "ML-DSA-65" "-ml-dsa-65" "-k mldsa -q ml-dsa-65" "false" 40000
+ cert_add_algorithm "ML-DSA-87" "-ml-dsa-87" "-k mldsa -q ml-dsa-87" "false" 50000
# currently rsa-pss is only enabled for a subset of tests
# this will enable a full suite of RSA-PSS certs, and we would
# then remove the explicit ones
# ulike the other tests, we would need to change ssl tests as this
# will rename some of the RSA-PSS certificates.
#cert_add_algorithm "RSA-PSS" "-rsa-pss" "-k rsa -pss -Z sha256" "true"
#cert_add_algorithm "RSA-PSS-SHA1" "-rsa-pss-sha1" "-k rsa -pss -Z sha1" "true"
@@ -519,16 +522,25 @@ cert_CA()
cert_dsa_CA "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}"
;;
ECC)
cert_ec_CA "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}" "${ALG}"
;;
RSA-PSS)
cert_rsa_pss_CA "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}" "${ALG}"
;;
+ ML-DSA-44)
+ cert_ml_dsa_CA ml-dsa-44 "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}"
+ ;;
+ ML-DSA-65)
+ cert_ml_dsa_CA ml-dsa-65 "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}"
+ ;;
+ ML-DSA-87)
+ cert_ml_dsa_CA ml-dsa-65 "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}"
+ ;;
*)
Exit 9 "Fatal - unknown key type ${KEY_TYPE}, failed to create CA cert"
;;
esac
}
@@ -672,19 +684,78 @@ CERTSCRIPT
CU_ACTION="Exporting DSA Root Cert"
certu -L -n $NICKNAME -r -d ${LPROFILE} -o root-dsa.cert
if [ "$RET" -ne 0 ]; then
Exit 7 "Fatal - failed to export dsa root cert"
fi
cp root-dsa.cert ${NICKNAME}.ca.cert
}
++################################ cert_ml_dsa_CA #############################
+# local shell function to build the Temp. Certificate Authority (CA)
+# used for testing purposes, creating a CA Certificate and a root cert
+# This is the ML-DSA version of cert_CA.
+##########################################################################
+cert_ml_dsa_CA()
+{
+ PARAM_SET=$1
+ CUR_CADIR=$2
+ NICKNAME=$3
+ SIGNER=$4
+ TRUSTARG=$5
+ DOMAIN=$6
+ CERTSERIAL=$7
+ echo "$SCRIPTNAME: Creating a ML-DSA ($PARAM_SET) CA Certificate $NICKNAME =========================="
+
+ if [ ! -d "${CUR_CADIR}" ]; then
+ mkdir -p "${CUR_CADIR}"
+ fi
+ cd ${CUR_CADIR}
+ pwd
+
+ LPROFILE=.
+ if [ -n "${MULTIACCESS_DBM}" ]; then
+ LPROFILE="multiaccess:${DOMAIN}"
+ fi
+ ################# Creating a ML-DSA CA Cert ###############################
+ #
+ CU_ACTION="Creating ML-DSA ($PARAM_SET) CA Cert $NICKNAME "
+ CU_SUBJECT=$ALL_CU_SUBJECT
+ certu -S -n $NICKNAME -k mldsa -q $PARAM_SET -t $TRUSTARG -v 600 $SIGNER \
+ -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \
+ -m $CERTSERIAL 2>&1 <<CERTSCRIPT
+5
+6
+9
+n
+y
+-1
+n
+5
+6
+7
+9
+n
+CERTSCRIPT
+ if [ "$RET" -ne 0 ]; then
+ echo "return value is $RET"
+ Exit 6 "Fatal - failed to create ML-DSA ($PARAM_SET) CA cert"
+ fi
+
+ ################# Exporting ML-DSA Root Cert ###############################
+ #
+ CU_ACTION="Exporting ML-DSA ($PARAM_SET) Root Cert"
+ certu -L -n $NICKNAME -r -d ${LPROFILE} -o ${NICKNAME}.ca.cert
+ if [ "$RET" -ne 0 ]; then
+ Exit 7 "Fatal - failed to export $PARAM_SET root cert"
+ fi
+}
################################ cert_rsa_pss_CA #############################
# local shell function to build the Temp. Certificate Authority (CA)
# used for testing purposes, creating a CA Certificate and a root cert
# This is the RSA-PSS version of cert_CA.
##########################################################################
cert_rsa_pss_CA()
{
@@ -1194,17 +1265,17 @@ cert_stresscerts()
}
############################## cert_fips #####################################
# local shell function to create certificates for FIPS tests
##############################################################################
cert_fips()
{
CERTFAILED=0
- echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
+ echo "$SCRIPTNAME: Creating FIPS 140 Certificates =============="
cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh
--- a/tests/tools/tools.sh
+++ b/tests/tools/tools.sh
@@ -124,24 +124,32 @@ tools_init()
cp ${QADIR}/tools/pbmac1-valid-sha256.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/pbmac1-valid-sha256-sha512.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/pbmac1-valid-sha512.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/pbmac1-invalid-bad-iter.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/pbmac1-invalid-bad-salt.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/pbmac1-invalid-no-length.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/corrupted_cert_bag.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/openssl-ed25519.p12 ${TOOLSDIR}/data
+ cp ${QADIR}/tools/ietf-ml-dsa-44-both.p12 ${TOOLSDIR}/data
+ cp ${QADIR}/tools/ietf-ml-dsa-44-key.p12 ${TOOLSDIR}/data
+ cp ${QADIR}/tools/ietf-ml-dsa-65-both.p12 ${TOOLSDIR}/data
+ cp ${QADIR}/tools/ietf-ml-dsa-65-key.p12 ${TOOLSDIR}/data
+ cp ${QADIR}/tools/ietf-ml-dsa-87-both.p12 ${TOOLSDIR}/data
+ cp ${QADIR}/tools/ietf-ml-dsa-87-key.p12 ${TOOLSDIR}/data
+ cp ${QADIR}/tools/openssl-ml-dsa-44.p12 ${TOOLSDIR}/data
+ cp ${QADIR}/tools/openssl-ml-dsa-65.p12 ${TOOLSDIR}/data
+ cp ${QADIR}/tools/openssl-ml-dsa-87.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/openssl-ml-kem-768-seed.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/openssl-ml-kem-768-priv.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/openssl-ml-kem-768-both.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/openssl-ml-kem-1024-seed.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/openssl-ml-kem-1024-priv.p12 ${TOOLSDIR}/data
cp ${QADIR}/tools/openssl-ml-kem-1024-both.p12 ${TOOLSDIR}/data
-
cd ${TOOLSDIR}
}
########################## list_p12_file ###############################
# List the key and cert in the specified p12 file
########################################################################
list_p12_file()
{
@@ -543,16 +551,43 @@ tools_p12_import_ed25519_private_key()
${BINDIR}/pk12util -i ${TOOLSDIR}/data/openssl-ed25519.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1
ret=$?
html_msg $ret 0 "Importing ED25519 private key from PKCS#12 file"
check_tmpfile
return $ret
}
+tools_p12_ml_dsa_import()
+{
+ echo "$SCRIPTNAME: Testing ml-dsa compatibility with pkcs12 --------------"
+ for i in 44 65 87
+ do
+ echo "${BINDIR}/pk12util -i ${TOOLSDIR}/data/openssl-ml-dsa-$i.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1"
+ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/openssl-ml-dsa-$i.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1
+ ret=$?
+ html_msg $ret 0 "Importing openssl encoded ml-dsa-$i private key from PKCS#12 file"
+ check_tmpfile
+ for j in 'key' 'both'
+ do
+ echo "${BINDIR}/pk12util -i ${TOOLSDIR}/data/ietf-ml-dsa-$i-$j.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1"
+ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/ietf-ml-dsa-$i-$j.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1
+ ret=$?
+ html_msg $ret 0 "Importing openssl encoded ml-dsa-$i private key from PKCS#12 file"
+ check_tmpfile
+ html_msg $ret 0 "Importing ietf sample ml-dsa-$i-$j private key from PKCS#12 file"
+
+ # each cert has the same issuer/sn, so we can't hold more than one in
+ # the data base
+ echo "${BINDIR}/certutil -F -n \"ietf ml-dsa-$i-$j sample\" -d ${P_R_COPYDIR} -f ${R_PWFILE}"
+ ${BINDIR}/certutil -F -n "ietf ml-dsa-$i-$j sample" -d ${P_R_COPYDIR} -f ${R_PWFILE}
+ done
+ done
+}
+
tools_p12_ml_kem_import()
{
echo "$SCRIPTNAME: Testing ml-kem compatibility with pkcs12 --------------"
for i in 768 1024
do
for j in 'seed' 'priv' 'both'
do
echo "${BINDIR}/pk12util -i ${TOOLSDIR}/data/openssl-ml-kem-$i-$j.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1"
@@ -624,16 +659,17 @@ tools_p12()
else
tools_p12_export_list_import_most_ciphers
fi
tools_p12_export_with_none_ciphers
tools_p12_export_with_invalid_ciphers
tools_p12_import_old_files
tools_p12_import_pbmac1_samples
tools_p12_import_ed25519_private_key
+ tools_p12_ml_dsa_import
tools_p12_ml_kem_import
if using_sql; then
tools_p12_import_rsa_pss_private_key
tools_p12_policy
fi
}
############################## tools_sign ##############################

View File

@ -0,0 +1,335 @@
diff -up ./lib/ckfw/builtins/certdata.txt.revert-distrusted ./lib/ckfw/builtins/certdata.txt
--- ./lib/ckfw/builtins/certdata.txt.revert-distrusted 2022-05-26 02:54:33.000000000 -0700
+++ ./lib/ckfw/builtins/certdata.txt 2022-06-24 10:51:32.035207662 -0700
@@ -7668,6 +7668,187 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
+# Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
+#
+# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
+# Serial Number: 268435455 (0xfffffff)
+# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
+# Not Valid Before: Wed May 12 08:51:39 2010
+# Not Valid After : Mon Mar 23 09:50:05 2020
+# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
+# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
+\156\151\163\141\164\151\145\040\055\040\107\062
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
+\156\151\163\141\164\151\145\040\055\040\107\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\017\377\377\377
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\006\225\060\202\004\175\240\003\002\001\002\002\004\017
+\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\013
+\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116
+\114\061\027\060\025\006\003\125\004\012\014\016\104\151\147\151
+\116\157\164\141\162\040\102\056\126\056\061\062\060\060\006\003
+\125\004\003\014\051\104\151\147\151\116\157\164\141\162\040\120
+\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\162
+\147\141\156\151\163\141\164\151\145\040\055\040\107\062\060\036
+\027\015\061\060\060\065\061\062\060\070\065\061\063\071\132\027
+\015\062\060\060\063\062\063\060\071\065\060\060\065\132\060\132
+\061\013\060\011\006\003\125\004\006\023\002\116\114\061\027\060
+\025\006\003\125\004\012\014\016\104\151\147\151\116\157\164\141
+\162\040\102\056\126\056\061\062\060\060\006\003\125\004\003\014
+\051\104\151\147\151\116\157\164\141\162\040\120\113\111\157\166
+\145\162\150\145\151\144\040\103\101\040\117\162\147\141\156\151
+\163\141\164\151\145\040\055\040\107\062\060\202\002\042\060\015
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002
+\017\000\060\202\002\012\002\202\002\001\000\261\023\031\017\047
+\346\154\324\125\206\113\320\354\211\212\105\221\170\254\107\275
+\107\053\344\374\105\353\117\264\046\163\133\067\323\303\177\366
+\343\336\327\243\370\055\150\305\010\076\113\224\326\344\207\045
+\066\153\204\265\030\164\363\050\130\163\057\233\152\317\274\004
+\036\366\336\335\257\374\113\252\365\333\146\142\045\001\045\202
+\336\362\227\132\020\156\335\135\251\042\261\004\251\043\163\072
+\370\161\255\035\317\204\104\353\107\321\257\155\310\174\050\253
+\307\362\067\172\164\137\137\305\002\024\212\243\132\343\033\154
+\001\343\135\216\331\150\326\364\011\033\062\334\221\265\054\365
+\040\353\214\003\155\046\111\270\223\304\205\135\330\322\233\257
+\126\152\314\005\063\314\240\102\236\064\125\104\234\153\240\324
+\022\320\053\124\315\267\211\015\345\366\353\350\373\205\001\063
+\117\172\153\361\235\162\063\226\016\367\262\204\245\245\047\304
+\047\361\121\163\051\167\272\147\156\376\114\334\264\342\241\241
+\201\057\071\111\215\103\070\023\316\320\245\134\302\207\072\000
+\147\145\102\043\361\066\131\012\035\243\121\310\274\243\224\052
+\061\337\343\074\362\235\032\074\004\260\357\261\012\060\023\163
+\266\327\363\243\114\001\165\024\205\170\300\327\212\071\130\205
+\120\372\056\346\305\276\317\213\077\257\217\066\324\045\011\055
+\322\017\254\162\223\362\277\213\324\120\263\371\025\120\233\231
+\365\024\331\373\213\221\243\062\046\046\240\370\337\073\140\201
+\206\203\171\133\053\353\023\075\051\072\301\155\335\275\236\216
+\207\326\112\256\064\227\005\356\024\246\366\334\070\176\112\351
+\044\124\007\075\227\150\067\106\153\015\307\250\041\257\023\124
+\344\011\152\361\115\106\012\311\135\373\233\117\275\336\373\267
+\124\313\270\070\234\247\071\373\152\055\300\173\215\253\245\247
+\127\354\112\222\212\063\305\341\040\134\163\330\220\222\053\200
+\325\017\206\030\151\174\071\117\204\206\274\367\114\133\363\325
+\264\312\240\302\360\067\042\312\171\122\037\123\346\252\363\220
+\260\073\335\362\050\375\254\353\305\006\044\240\311\324\057\017
+\130\375\265\236\354\017\317\262\131\320\242\004\172\070\152\256
+\162\373\275\360\045\142\224\011\247\005\013\002\003\001\000\001
+\243\202\001\141\060\202\001\135\060\110\006\003\125\035\040\004
+\101\060\077\060\075\006\004\125\035\040\000\060\065\060\063\006
+\010\053\006\001\005\005\007\002\001\026\047\150\164\164\160\072
+\057\057\167\167\167\056\144\151\147\151\156\157\164\141\162\056
+\156\154\057\143\160\163\057\160\153\151\157\166\145\162\150\145
+\151\144\060\017\006\003\125\035\023\001\001\377\004\005\060\003
+\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003
+\002\001\006\060\201\205\006\003\125\035\043\004\176\060\174\200
+\024\071\020\213\111\222\134\333\141\022\040\315\111\235\032\216
+\332\234\147\100\271\241\136\244\134\060\132\061\013\060\011\006
+\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004
+\012\014\025\123\164\141\141\164\040\144\145\162\040\116\145\144
+\145\162\154\141\156\144\145\156\061\053\060\051\006\003\125\004
+\003\014\042\123\164\141\141\164\040\144\145\162\040\116\145\144
+\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101
+\040\055\040\107\062\202\004\000\230\226\364\060\111\006\003\125
+\035\037\004\102\060\100\060\076\240\074\240\072\206\070\150\164
+\164\160\072\057\057\143\162\154\056\160\153\151\157\166\145\162
+\150\145\151\144\056\156\154\057\104\157\155\117\162\147\141\156
+\151\163\141\164\151\145\114\141\164\145\163\164\103\122\114\055
+\107\062\056\143\162\154\060\035\006\003\125\035\016\004\026\004
+\024\274\135\224\073\331\253\173\003\045\163\141\302\333\055\356
+\374\253\217\145\241\060\015\006\011\052\206\110\206\367\015\001
+\001\013\005\000\003\202\002\001\000\217\374\055\114\267\331\055
+\325\037\275\357\313\364\267\150\027\165\235\116\325\367\335\234
+\361\052\046\355\237\242\266\034\003\325\123\263\354\010\317\064
+\342\343\303\364\265\026\057\310\303\276\327\323\163\253\000\066
+\371\032\112\176\326\143\351\136\106\272\245\266\216\025\267\243
+\052\330\103\035\357\135\310\037\201\205\263\213\367\377\074\364
+\331\364\106\010\077\234\274\035\240\331\250\114\315\045\122\116
+\012\261\040\367\037\351\103\331\124\106\201\023\232\300\136\164
+\154\052\230\062\352\374\167\273\015\245\242\061\230\042\176\174
+\174\347\332\244\255\354\267\056\032\031\161\370\110\120\332\103
+\217\054\204\335\301\100\047\343\265\360\025\116\226\324\370\134
+\343\206\051\106\053\327\073\007\353\070\177\310\206\127\227\323
+\357\052\063\304\027\120\325\144\151\153\053\153\105\136\135\057
+\027\312\132\116\317\303\327\071\074\365\073\237\106\271\233\347
+\016\111\227\235\326\325\343\033\017\352\217\001\116\232\023\224
+\131\012\002\007\110\113\032\140\253\177\117\355\013\330\125\015
+\150\157\125\234\151\145\025\102\354\300\334\335\154\254\303\026
+\316\013\035\126\233\244\304\304\322\056\340\017\342\104\047\053
+\120\151\244\334\142\350\212\041\051\102\154\314\000\072\226\166
+\233\357\100\300\244\136\167\204\062\154\046\052\071\146\256\135
+\343\271\271\262\054\150\037\036\232\220\003\071\360\252\263\244
+\314\111\213\030\064\351\067\311\173\051\307\204\174\157\104\025
+\057\354\141\131\004\311\105\313\242\326\122\242\174\177\051\222
+\326\112\305\213\102\250\324\376\352\330\307\207\043\030\344\235
+\172\175\163\100\122\230\240\256\156\343\005\077\005\017\340\245
+\306\155\115\355\203\067\210\234\307\363\334\102\232\152\266\327
+\041\111\066\167\362\357\030\117\305\160\331\236\351\336\267\053
+\213\364\274\176\050\337\015\100\311\205\134\256\235\305\061\377
+\320\134\016\265\250\176\360\351\057\272\257\210\256\345\265\321
+\130\245\257\234\161\247\051\001\220\203\151\067\202\005\272\374
+\011\301\010\156\214\170\073\303\063\002\200\077\104\205\010\035
+\337\125\126\010\255\054\205\055\135\261\003\341\256\252\164\305
+\244\363\116\272\067\230\173\202\271
+END
+
+# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
+# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
+# Serial Number: 268435455 (0xfffffff)
+# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
+# Not Valid Before: Wed May 12 08:51:39 2010
+# Not Valid After : Mon Mar 23 09:50:05 2020
+# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
+# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\325\362\127\251\277\055\320\077\213\106\127\371\053\311\244\306
+\222\341\102\102
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\056\141\242\321\170\316\356\277\131\063\260\043\024\017\224\034
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
+\156\151\163\141\164\151\145\040\055\040\107\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\017\377\377\377
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
# Certificate "Security Communication RootCA2"
#
# Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
@@ -8161,6 +8342,68 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+# Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929
+# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
+# Serial Number: 1800000005 (0x6b49d205)
+# Not Before: Apr 7 15:37:15 2011 GMT
+# Not After : Apr 4 15:37:15 2021 GMT
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "MITM subCA 1 issued by Trustwave"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
+\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
+\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
+\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
+\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
+\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
+\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
+\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
+\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
+\100\164\162\165\163\164\167\141\166\145\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\153\111\322\005
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+# Explicitly Distrust "MITM subCA 2 issued by Trustwave", Bug 724929
+# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
+# Serial Number: 1800000006 (0x6b49d206)
+# Not Before: Apr 18 21:09:30 2011 GMT
+# Not After : Apr 15 21:09:30 2021 GMT
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "MITM subCA 2 issued by Trustwave"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
+\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
+\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
+\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
+\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
+\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
+\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
+\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
+\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
+\100\164\162\165\163\164\167\141\166\145\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\153\111\322\006
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
#
# Certificate "Actalis Authentication Root CA"
#
@@ -8804,6 +9047,74 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022
+# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
+# Serial Number: 2087 (0x827)
+# Subject: CN=*.EGO.GOV.TR,OU=EGO BILGI ISLEM,O=EGO,L=ANKARA,ST=ANKARA,C=TR
+# Not Valid Before: Mon Aug 08 07:07:51 2011
+# Not Valid After : Tue Jul 06 07:07:51 2021
+# Fingerprint (MD5): F8:F5:25:FF:0C:31:CF:85:E1:0C:86:17:C1:CE:1F:8E
+# Fingerprint (SHA1): C6:9F:28:C8:25:13:9E:65:A6:46:C4:34:AC:A5:A1:D2:00:29:5D:B1
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 1"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303
+\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
+\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151
+\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145
+\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061
+\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124
+\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164
+\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151
+\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151
+\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050
+\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\002\010\047
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 2", Bug 825022
+# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
+# Serial Number: 2148 (0x864)
+# Subject: E=ileti@kktcmerkezbankasi.org,CN=e-islem.kktcmerkezbankasi.org,O=KKTC Merkez Bankasi,L=Lefkosa,ST=Lefkosa,C=TR
+# Not Valid Before: Mon Aug 08 07:07:51 2011
+# Not Valid After : Thu Aug 05 07:07:51 2021
+# Fingerprint (MD5): BF:C3:EC:AD:0F:42:4F:B4:B5:38:DB:35:BF:AD:84:A2
+# Fingerprint (SHA1): F9:2B:E5:26:6C:C0:5D:B2:DC:0D:C3:F2:DC:74:E0:2D:EF:D9:49:CB
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 2"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303
+\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
+\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151
+\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145
+\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061
+\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124
+\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164
+\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151
+\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151
+\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050
+\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\002\010\144
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
#
# Certificate "D-TRUST Root Class 3 CA 2 2009"
#

View File

@ -3,7 +3,7 @@
# NOTE: To avoid NVR clashes of nspr* packages:
# - reset %%{nspr_release} to 1, when updating %%{nspr_version}
# - increment %%{nspr_version}, when updating the NSS part only
%global baserelease 2
%global baserelease 3
%global nss_release %baserelease
# release number between nss and nspr are different. This typically
# happens with a new version of nss was release, but nspr was not updated
@ -168,9 +168,8 @@ Patch35: nss-3.124-disable-ech.patch
Patch36: nss-3.101-skip-ocsp-if-not-connected.patch
# dont upstream, must be after patch36 (sigh)
Patch37: nss-3.124-revert-libpkix-default.patch
# build crmf for now
Patch38: nss-3.124-enable-crmf.patch
Patch39: nss-3.124-no-p12-smime-policy.patch
Patch38: nss-3.124-no-p12-smime-policy.patch
Patch39: nss-3.79-revert-distrusted-certs.patch
Patch40: nss-3.90-dh-test-update.patch
Patch41: nss-3.124-ppc_no_init.patch
@ -715,7 +714,7 @@ pushd nss/tests
# nss_cycles: standard pkix upgradedb sharedb
# the full list from all.sh is:
# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
%define nss_tests "libpkix cert dbtests tools fips sdr smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
# nss_ssl_run: cov auth stapling stress
#
@ -822,7 +821,7 @@ install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
# Copy the development libraries we want
for file in libcrmf.a libnssb.a libnssckfw.a
for file in libnssb.a libnssckfw.a
do
install -p -m 644 dist/${LOBJDIR}/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done
@ -1005,7 +1004,6 @@ update-crypto-policies &> /dev/null || :
%doc %{_mandir}/man1/vfyserv.1*
%files devel
%{_libdir}/libcrmf.a
%{_libdir}/pkgconfig/nss.pc
%{_bindir}/nss-config
%doc %{_mandir}/man1/nss-config.1*
@ -1014,13 +1012,9 @@ update-crypto-policies &> /dev/null || :
%{_includedir}/nss3/cert.h
%{_includedir}/nss3/certdb.h
%{_includedir}/nss3/certt.h
%{_includedir}/nss3/cmmf.h
%{_includedir}/nss3/cmmft.h
%{_includedir}/nss3/cms.h
%{_includedir}/nss3/cmsreclist.h
%{_includedir}/nss3/cmst.h
%{_includedir}/nss3/crmf.h
%{_includedir}/nss3/crmft.h
%{_includedir}/nss3/cryptohi.h
%{_includedir}/nss3/cryptoht.h
%{_includedir}/nss3/jar-ds.h
@ -1203,6 +1197,9 @@ update-crypto-policies &> /dev/null || :
%changelog
* Tue Jun 9 2026 Bob Relyea <rrelyea@redhat.com> - 3.124.0-3
- drop crmf
* Tue Jun 9 2026 Bob Relyea <rrelyea@redhat.com> - 3.124.0-2
- rebase fixes
- restore rhel-9 dropping of pkcs12 and smime policy