Resolves: RHEL-182530
- drop crmf - include missing revert certs - remove unused patches
This commit is contained in:
parent
ed6f9c6a95
commit
32e2ff42ba
@ -1,104 +0,0 @@
|
||||
# HG changeset patch
|
||||
# User Robert Relyea <rrelyea@redhat.com>
|
||||
# Date 1780437848 25200
|
||||
# Tue Jun 02 15:04:08 2026 -0700
|
||||
# Branch NSS_3_124_BRANCH
|
||||
# Node ID b32abfeba0dab71016b45b33d32b8bea717da75f
|
||||
# Parent 19e655733f3af71e3d517ada0d31ad0697d40f3f
|
||||
nss-3.124-enable-crmf.patch
|
||||
|
||||
diff --git a/cmd/manifest.mn b/cmd/manifest.mn
|
||||
--- a/cmd/manifest.mn
|
||||
+++ b/cmd/manifest.mn
|
||||
@@ -4,16 +4,22 @@
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
DEPTH = ..
|
||||
# MODULE = seccmd
|
||||
|
||||
SOFTOKEN_SRCDIRS=
|
||||
NSS_SRCDIRS=
|
||||
LIB_SRCDIRS=
|
||||
+CRMF_SRCDIR=
|
||||
+
|
||||
+ifdef NSS_ENABLE_CRMF
|
||||
+CRMF_SRCDIR=crmftest
|
||||
+endif
|
||||
+
|
||||
|
||||
ifdef NSS_BUILD_UTIL_ONLY
|
||||
REQUIRES = nspr
|
||||
else
|
||||
REQUIRES = nss nspr libdbm
|
||||
LIB_SRCDIRS = \
|
||||
lib \
|
||||
$(NULL)
|
||||
@@ -35,16 +41,17 @@ ifndef NSS_BUILD_SOFTOKEN_ONLY
|
||||
ifndef NSS_BUILD_UTIL_ONLY
|
||||
NSS_SRCDIRS = \
|
||||
addbuiltin \
|
||||
atob \
|
||||
btoa \
|
||||
certutil \
|
||||
chktest \
|
||||
crlutil \
|
||||
+ $(CRMF_SRCDIR) \
|
||||
dbtest \
|
||||
derdump \
|
||||
digest \
|
||||
httpserv \
|
||||
listsuites \
|
||||
makepqg \
|
||||
multinit \
|
||||
nss-policy-check \
|
||||
diff --git a/lib/Makefile b/lib/Makefile
|
||||
--- a/lib/Makefile
|
||||
+++ b/lib/Makefile
|
||||
@@ -51,16 +51,20 @@ endif # MOZILLA_CLIENT
|
||||
ifndef NSS_DISABLE_DBM
|
||||
DBM_SRCDIR = dbm
|
||||
endif
|
||||
|
||||
ifndef NSS_DISABLE_LIBPKIX
|
||||
LIBPKIX_SRCDIR = libpkix
|
||||
endif
|
||||
|
||||
+ifdef NSS_ENABLE_CRMF
|
||||
+CRMF_SRCDIR=crmf
|
||||
+endif
|
||||
+
|
||||
ifeq ($(NSS_BUILD_UTIL_ONLY),1)
|
||||
UTIL_SRCDIR = util
|
||||
|
||||
else
|
||||
ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
|
||||
FREEBL_SRCDIR = freebl
|
||||
SOFTOKEN_SRCDIR = softoken
|
||||
else
|
||||
@@ -83,24 +87,24 @@ else
|
||||
endif
|
||||
|
||||
ifneq (,$(SOFTOKEN_SRCDIR))
|
||||
$(SOFTOKEN_SRCDIR): $(DBM_SRCDIR) $(FREEBL_SRCDIR) $(SQLITE_SRCDIR) $(UTIL_SRCDIR)
|
||||
endif
|
||||
|
||||
ifndef NSS_BUILD_SOFTOKEN_ONLY
|
||||
NSS_SRCDIRS = \
|
||||
- base certdb certhigh ckfw cryptohi dev jar $(LIBPKIX_SRCDIR) \
|
||||
+ base certdb certhigh ckfw $(CRMF_SRCDIR) cryptohi dev jar $(LIBPKIX_SRCDIR) \
|
||||
nss pk11wrap pkcs12 pkcs7 pki smime ssl $(SYSINIT_SRCDIR) $(ZLIB_SRCDIR)
|
||||
|
||||
ifneq (,$(SYSINIT_SRCDIR))
|
||||
$(SYSINIT_SRCDIR): $(UTIL_SRCDIR)
|
||||
endif
|
||||
|
||||
- nss: base certdb certhigh cryptohi dev $(LIBPKIX_SRCDIR) pk11wrap pki $(UTIL_SRCDIR)
|
||||
+ nss: base certdb certhigh cryptohi $(CRMF_SRCDIR) dev $(LIBPKIX_SRCDIR) pk11wrap pki $(UTIL_SRCDIR)
|
||||
smime: nss pkcs7 pkcs12
|
||||
ssl: nss
|
||||
ckfw: nss
|
||||
|
||||
endif # !NSS_BUILD_SOFTOKEN_ONLY
|
||||
endif # !NSS_BUILD_UTIL_ONLY
|
||||
|
||||
DIRS = \
|
||||
@ -1,627 +0,0 @@
|
||||
diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c
|
||||
--- a/cmd/lib/secutil.c
|
||||
+++ b/cmd/lib/secutil.c
|
||||
@@ -1603,10 +1603,18 @@
|
||||
|
||||
case ecKey:
|
||||
secu_PrintECPublicKey(out, pk, "EC Public Key", level + 1);
|
||||
break;
|
||||
|
||||
+ case ecMontKey:
|
||||
+ secu_PrintECPublicKey(out, pk, "EC Montgomery Public Key", level + 1);
|
||||
+ break;
|
||||
+
|
||||
+ case edKey:
|
||||
+ secu_PrintECPublicKey(out, pk, "EC Edwards Public Key", level + 1);
|
||||
+ break;
|
||||
+
|
||||
case mldsaKey:
|
||||
SECU_PrintMLDSAPublicKey(out, pk, "ML-DSA Public Key", level + 1);
|
||||
break;
|
||||
|
||||
case kyberKey:
|
||||
diff --git a/cmd/pk11importtest/pk11importtest.c b/cmd/pk11importtest/pk11importtest.c
|
||||
--- a/cmd/pk11importtest/pk11importtest.c
|
||||
+++ b/cmd/pk11importtest/pk11importtest.c
|
||||
@@ -191,10 +191,12 @@
|
||||
" -r skip rsa test",
|
||||
" -D skip dsa test",
|
||||
" -h skip dh test",
|
||||
" -e skip ec test",
|
||||
" -K skip mk-kem test",
|
||||
+ " -w skip ed test",
|
||||
+ " -g skip ec montgomery test",
|
||||
};
|
||||
static int nUsageInfo = sizeof(usageInfo) / sizeof(char *);
|
||||
|
||||
static void
|
||||
Usage(char *progName, FILE *outFile)
|
||||
@@ -216,10 +218,12 @@
|
||||
opt_NoRSA,
|
||||
opt_NoDSA,
|
||||
opt_NoDH,
|
||||
opt_NoEC,
|
||||
opt_NoMLKEM,
|
||||
+ opt_NoED,
|
||||
+ opt_NoECMont,
|
||||
};
|
||||
|
||||
static secuCommandFlag options[] = {
|
||||
{ /* opt_CertDir */ 'd', PR_TRUE, 0, PR_FALSE },
|
||||
{ /* opt_KeySize */ 'k', PR_TRUE, 0, PR_FALSE },
|
||||
@@ -230,10 +234,12 @@
|
||||
{ /* opt_NoRSA */ 'r', PR_FALSE, 0, PR_FALSE },
|
||||
{ /* opt_NoDSA */ 'D', PR_FALSE, 0, PR_FALSE },
|
||||
{ /* opt_NoDH */ 'h', PR_FALSE, 0, PR_FALSE },
|
||||
{ /* opt_NoEC */ 'e', PR_FALSE, 0, PR_FALSE },
|
||||
{ /* opt_NoMLKEM */ 'K', PR_FALSE, 0, PR_FALSE },
|
||||
+ { /* opt_NoED */ 'w', PR_FALSE, 0, PR_FALSE },
|
||||
+ { /* opt_NoECMont */ 'g', PR_FALSE, 0, PR_FALSE },
|
||||
};
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
@@ -246,10 +252,12 @@
|
||||
PRBool doRSA = PR_TRUE;
|
||||
PRBool doDSA = PR_TRUE;
|
||||
PRBool doDH = PR_FALSE; /* NSS currently can't export wrapped DH keys */
|
||||
PRBool doEC = PR_TRUE;
|
||||
PRBool doMLKEM = PR_TRUE;
|
||||
+ PRBool doED = PR_TRUE;
|
||||
+ PRBool doECMont = PR_TRUE;
|
||||
PRBool noPub = PR_FALSE;
|
||||
PQGParams *pqgParams = NULL;
|
||||
int keySize;
|
||||
|
||||
args.numCommands = 0;
|
||||
@@ -410,10 +418,55 @@
|
||||
fprintf(stderr, "MLKEM Import Failed!\n");
|
||||
failed = PR_TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
+ if (doED) {
|
||||
+ SECKEYECParams ecParams;
|
||||
+ SECOidData *curve = SECOID_FindOIDByTag(SEC_OID_ED25519);
|
||||
+ ecParams.data = PORT_Alloc(curve->oid.len + 2);
|
||||
+ if (ecParams.data == NULL) {
|
||||
+ rv = SECFailure;
|
||||
+ goto ed_failed;
|
||||
+ }
|
||||
+ ecParams.data[0] = SEC_ASN1_OBJECT_ID;
|
||||
+ ecParams.data[1] = (unsigned char)curve->oid.len;
|
||||
+ PORT_Memcpy(&ecParams.data[2], curve->oid.data, curve->oid.len);
|
||||
+ ecParams.len = curve->oid.len + 2;
|
||||
+ rv = handleEncryptedPrivateImportTest(progName, slot, "EDDSA",
|
||||
+ CKM_EC_EDWARDS_KEY_PAIR_GEN,
|
||||
+ noPub, &ecParams, &pwArgs);
|
||||
+ PORT_Free(ecParams.data);
|
||||
+ ed_failed:
|
||||
+ if (rv != SECSuccess) {
|
||||
+ fprintf(stderr, "EDDSA Import Failed!\n");
|
||||
+ failed = PR_TRUE;
|
||||
+ }
|
||||
+ }
|
||||
+ if (doECMont) {
|
||||
+ SECKEYECParams ecParams;
|
||||
+ SECOidData *curve = SECOID_FindOIDByTag(SEC_OID_X25519);
|
||||
+ ecParams.data = PORT_Alloc(curve->oid.len + 2);
|
||||
+ if (ecParams.data == NULL) {
|
||||
+ rv = SECFailure;
|
||||
+ goto ecmont_failed;
|
||||
+ }
|
||||
+ ecParams.data[0] = SEC_ASN1_OBJECT_ID;
|
||||
+ ecParams.data[1] = (unsigned char)curve->oid.len;
|
||||
+ PORT_Memcpy(&ecParams.data[2], curve->oid.data, curve->oid.len);
|
||||
+ ecParams.len = curve->oid.len + 2;
|
||||
+ rv = handleEncryptedPrivateImportTest(progName, slot, "EC Mont",
|
||||
+ CKM_EC_MONTGOMERY_KEY_PAIR_GEN,
|
||||
+ noPub, &ecParams, &pwArgs);
|
||||
+ PORT_Free(ecParams.data);
|
||||
+ ecmont_failed:
|
||||
+ if (rv != SECSuccess) {
|
||||
+ fprintf(stderr, "EC Montgomery Import Failed!\n");
|
||||
+ failed = PR_TRUE;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (pqgParams) {
|
||||
PK11_PQG_DestroyParams(pqgParams);
|
||||
}
|
||||
|
||||
if (slot) {
|
||||
diff --git a/lib/softoken/lowkey.c b/lib/softoken/lowkey.c
|
||||
--- a/lib/softoken/lowkey.c
|
||||
+++ b/lib/softoken/lowkey.c
|
||||
@@ -43,10 +43,15 @@
|
||||
{ SEC_ASN1_OCTET_STRING,
|
||||
offsetof(NSSLOWKEYPrivateKeyInfo, privateKey) },
|
||||
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
|
||||
offsetof(NSSLOWKEYPrivateKeyInfo, attributes),
|
||||
nsslowkey_SetOfAttributeTemplate },
|
||||
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
|
||||
+ SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC |
|
||||
+ SEC_ASN1_XTRN | 1,
|
||||
+ offsetof(NSSLOWKEYPrivateKeyInfo, publicKey),
|
||||
+ SEC_ASN1_SUB(SEC_BitStringTemplate) },
|
||||
{ 0 }
|
||||
};
|
||||
|
||||
const SEC_ASN1Template nsslowkey_SubjectPublicKeyInfoTemplate[] = {
|
||||
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYSubjectPublicKeyInfo) },
|
||||
@@ -399,10 +404,12 @@
|
||||
if (rv == SECSuccess)
|
||||
return pubk;
|
||||
}
|
||||
break;
|
||||
case NSSLOWKEYECKey:
|
||||
+ case NSSLOWKEYECEdwardsKey:
|
||||
+ case NSSLOWKEYECMontgomeryKey:
|
||||
pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
|
||||
sizeof(NSSLOWKEYPublicKey));
|
||||
if (pubk != NULL) {
|
||||
SECStatus rv;
|
||||
|
||||
@@ -631,10 +638,12 @@
|
||||
&(privKey->u.dh.base));
|
||||
if (rv != SECSuccess)
|
||||
break;
|
||||
break;
|
||||
case NSSLOWKEYECKey:
|
||||
+ case NSSLOWKEYECEdwardsKey:
|
||||
+ case NSSLOWKEYECMontgomeryKey:
|
||||
rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.version),
|
||||
&(privKey->u.ec.version));
|
||||
if (rv != SECSuccess)
|
||||
break;
|
||||
rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.publicValue),
|
||||
diff --git a/lib/softoken/lowkeyti.h b/lib/softoken/lowkeyti.h
|
||||
--- a/lib/softoken/lowkeyti.h
|
||||
+++ b/lib/softoken/lowkeyti.h
|
||||
@@ -48,10 +48,11 @@
|
||||
PLArenaPool *arena;
|
||||
SECItem version;
|
||||
SECAlgorithmID algorithm;
|
||||
SECItem privateKey;
|
||||
NSSLOWKEYAttribute **attributes;
|
||||
+ SECItem publicKey;
|
||||
};
|
||||
typedef struct NSSLOWKEYPrivateKeyInfoStr NSSLOWKEYPrivateKeyInfo;
|
||||
#define NSSLOWKEY_PRIVATE_KEY_INFO_VERSION 0 /* what we *create* */
|
||||
|
||||
struct NSSLOWKEYSubjectPublicKeyInfoStr {
|
||||
@@ -65,12 +66,14 @@
|
||||
NSSLOWKEYNullKey = 0,
|
||||
NSSLOWKEYRSAKey = 1,
|
||||
NSSLOWKEYDSAKey = 2,
|
||||
NSSLOWKEYDHKey = 4,
|
||||
NSSLOWKEYECKey = 5,
|
||||
- NSSLOWKEYMLDSAKey = 6,
|
||||
- NSSLOWKEYMLKEMKey = 7,
|
||||
+ NSSLOWKEYECEdwardsKey = 6,
|
||||
+ NSSLOWKEYECMontgomeryKey = 7,
|
||||
+ NSSLOWKEYMLDSAKey = 8,
|
||||
+ NSSLOWKEYMLKEMKey = 9,
|
||||
} NSSLOWKEYType;
|
||||
|
||||
/* ML KEM low structures packages a key with it's parameters.
|
||||
* The ML KEM freebl didn't define these because all the functions
|
||||
* take raw keys and param separately */
|
||||
diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c
|
||||
--- a/lib/softoken/pkcs11.c
|
||||
+++ b/lib/softoken/pkcs11.c
|
||||
@@ -2223,13 +2223,18 @@
|
||||
break;
|
||||
crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.publicValue,
|
||||
object, CKA_VALUE);
|
||||
break;
|
||||
case CKK_EC_EDWARDS:
|
||||
+ pubKey->keyType = NSSLOWKEYECEdwardsKey;
|
||||
+ goto ec_continue;
|
||||
case CKK_EC_MONTGOMERY:
|
||||
+ pubKey->keyType = NSSLOWKEYECMontgomeryKey;
|
||||
+ goto ec_continue;
|
||||
case CKK_EC:
|
||||
pubKey->keyType = NSSLOWKEYECKey;
|
||||
+ ec_continue:
|
||||
crv = sftk_Attribute2SSecItem(arena,
|
||||
&pubKey->u.ec.ecParams.DEREncoding,
|
||||
object, CKA_EC_PARAMS);
|
||||
if (crv != CKR_OK)
|
||||
break;
|
||||
@@ -2451,13 +2456,18 @@
|
||||
itemTemplateCount++;
|
||||
/* privKey was zero'd so public value is already set to NULL, 0
|
||||
* if we don't set it explicitly */
|
||||
break;
|
||||
case CKK_EC_EDWARDS:
|
||||
+ privKey->keyType = NSSLOWKEYECEdwardsKey;
|
||||
+ goto ec_continue;
|
||||
case CKK_EC_MONTGOMERY:
|
||||
+ privKey->keyType = NSSLOWKEYECMontgomeryKey;
|
||||
+ goto ec_continue;
|
||||
case CKK_EC:
|
||||
privKey->keyType = NSSLOWKEYECKey;
|
||||
+ ec_continue:
|
||||
crv = sftk_Attribute2SSecItem(arena,
|
||||
&privKey->u.ec.ecParams.DEREncoding,
|
||||
object, CKA_EC_PARAMS);
|
||||
if (crv != CKR_OK)
|
||||
break;
|
||||
@@ -2514,10 +2524,11 @@
|
||||
case CKK_NSS_KYBER:
|
||||
#endif
|
||||
case CKK_NSS_ML_KEM:
|
||||
case CKK_ML_KEM:
|
||||
privKey->keyType = NSSLOWKEYMLKEMKey;
|
||||
+
|
||||
crv = sftk_GetULongAttribute(object, CKA_PARAMETER_SET,
|
||||
¶mSet);
|
||||
if (crv != CKR_OK) {
|
||||
crv = sftk_GetULongAttribute(object, CKA_NSS_PARAMETER_SET,
|
||||
¶mSet);
|
||||
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
|
||||
--- a/lib/softoken/pkcs11c.c
|
||||
+++ b/lib/softoken/pkcs11c.c
|
||||
@@ -6465,12 +6465,10 @@
|
||||
* the private key */
|
||||
seed.data = seedData;
|
||||
seed.len = sizeof(seedData);
|
||||
rv = RNG_GenerateGlobalRandomBytes(seed.data, seed.len);
|
||||
if (rv != SECSuccess) {
|
||||
- fprintf(stderr, "Generate bytes failed nbytes=%d err=%d\n",
|
||||
- seed.len, PORT_GetError());
|
||||
crv = sftk_MapCryptError(PORT_GetError());
|
||||
goto kyber_done;
|
||||
}
|
||||
|
||||
KyberParams kyberParams = sftk_kyber_PK11ParamToInternal(genParamSet);
|
||||
@@ -6482,12 +6480,10 @@
|
||||
crv = CKR_HOST_MEMORY;
|
||||
goto kyber_done;
|
||||
}
|
||||
rv = Kyber_NewKey(kyberParams, &seed, &privKey, &pubKey);
|
||||
if (rv != SECSuccess) {
|
||||
- fprintf(stderr, "Generate Kyber_NewKey failed nbytes=%d err=%d\n",
|
||||
- seed.len, PORT_GetError());
|
||||
crv = sftk_MapCryptError(PORT_GetError());
|
||||
goto kyber_done;
|
||||
}
|
||||
|
||||
crv = sftk_AddAttributeType(publicKey, CKA_VALUE, sftk_item_expand(&pubKey));
|
||||
@@ -6902,10 +6898,11 @@
|
||||
param = SEC_ASN1EncodeItem(NULL, NULL, &(lk->u.dsa.params),
|
||||
nsslowkey_PQGParamsTemplate);
|
||||
algorithm = SEC_OID_ANSIX9_DSA_SIGNATURE;
|
||||
break;
|
||||
case NSSLOWKEYECKey:
|
||||
+ algorithm = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
|
||||
prepare_low_ec_priv_key_for_asn1(lk);
|
||||
/* Public value is encoded as a bit string so adjust length
|
||||
* to be in bits before ASN encoding and readjust
|
||||
* immediately after.
|
||||
*
|
||||
@@ -6926,12 +6923,30 @@
|
||||
SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKey", lk->keyType,
|
||||
fordebug);
|
||||
#endif
|
||||
|
||||
param = SECITEM_DupItem(&lk->u.ec.ecParams.DEREncoding);
|
||||
-
|
||||
- algorithm = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
|
||||
+ break;
|
||||
+ /* X25519, ED25519, X448, and ED448 encode the private key
|
||||
+ * as just and int. The public key and Curve come from the
|
||||
+ * generaly key structure */
|
||||
+ case NSSLOWKEYECEdwardsKey:
|
||||
+ algorithm = SEC_OID_ED25519;
|
||||
+ goto ec_continue;
|
||||
+ case NSSLOWKEYECMontgomeryKey:
|
||||
+ algorithm = SEC_OID_X25519;
|
||||
+ ec_continue:
|
||||
+ prepare_low_ec_priv_key_for_asn1(lk);
|
||||
+ /* if we have a public key, copy it to pki public key */
|
||||
+ if (lk->u.ec.publicValue.len) {
|
||||
+ pki->publicKey = lk->u.ec.publicValue;
|
||||
+ pki->publicKey.len <<= 3;
|
||||
+ }
|
||||
+ dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey,
|
||||
+ &lk->u.ec.privateValue,
|
||||
+ SEC_ASN1_GET(SEC_OctetStringTemplate));
|
||||
+ param = NULL;
|
||||
break;
|
||||
case NSSLOWKEYMLKEMKey: {
|
||||
SECItem seed = { siBuffer, NULL, 0 };
|
||||
SECItem rawKey = { siBuffer, NULL, 0 };
|
||||
dummy = NULL;
|
||||
@@ -7258,10 +7273,12 @@
|
||||
PLArenaPool *arena;
|
||||
NSSLOWKEYPrivateKey *lpk = NULL;
|
||||
NSSLOWKEYPrivateKeyInfo *pki = NULL;
|
||||
CK_RV crv = CKR_KEY_TYPE_INCONSISTENT;
|
||||
CK_ULONG paramSet = 0;
|
||||
+ const SECOidData *oidData = NULL;
|
||||
+ SECOidTag pkiAlg = SEC_OID_UNKNOWN;
|
||||
|
||||
arena = PORT_NewArena(2048);
|
||||
if (!arena) {
|
||||
return SECFailure;
|
||||
}
|
||||
@@ -7283,11 +7300,12 @@
|
||||
if (lpk == NULL) {
|
||||
goto loser;
|
||||
}
|
||||
lpk->arena = arena;
|
||||
|
||||
- switch (SECOID_GetAlgorithmTag(&pki->algorithm)) {
|
||||
+ pkiAlg = SECOID_GetAlgorithmTag(&pki->algorithm);
|
||||
+ switch (pkiAlg) {
|
||||
case SEC_OID_PKCS1_RSA_ENCRYPTION:
|
||||
case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
|
||||
keyTemplate = nsslowkey_RSAPrivateKeyTemplate;
|
||||
paramTemplate = NULL;
|
||||
paramDest = NULL;
|
||||
@@ -7309,10 +7327,46 @@
|
||||
paramDest = &(lpk->u.ec.ecParams.DEREncoding);
|
||||
lpk->keyType = NSSLOWKEYECKey;
|
||||
prepare_low_ec_priv_key_for_asn1(lpk);
|
||||
prepare_low_ecparams_for_asn1(&lpk->u.ec.ecParams);
|
||||
break;
|
||||
+ case SEC_OID_X25519:
|
||||
+ lpk->keyType = NSSLOWKEYECMontgomeryKey;
|
||||
+ goto ecx_continue;
|
||||
+ case SEC_OID_ED25519:
|
||||
+ lpk->keyType = NSSLOWKEYECEdwardsKey;
|
||||
+ ecx_continue:
|
||||
+ /* we decode the whole key here rather than do the normal
|
||||
+ * later decode step */
|
||||
+ keyTemplate = NULL;
|
||||
+ paramTemplate = NULL;
|
||||
+ paramDest = NULL;
|
||||
+ oidData = SECOID_FindOIDByTag(pkiAlg);
|
||||
+ if (oidData == NULL) {
|
||||
+ goto loser;
|
||||
+ }
|
||||
+ /* CURVE is provided by the tag, not encoded in the parameters
|
||||
+ * for the x25519, x448, ed25519 and ed448 keys */
|
||||
+ if (SEC_ASN1EncodeItem(arena, &(lpk->u.ec.ecParams.DEREncoding),
|
||||
+ &oidData->oid,
|
||||
+ SEC_ASN1_GET(SEC_ObjectIDTemplate)) == NULL) {
|
||||
+ goto loser;
|
||||
+ }
|
||||
+ prepare_low_ec_priv_key_for_asn1(lpk);
|
||||
+ /* private key is a simple octet string, just decode it now */
|
||||
+ rv = SEC_QuickDERDecodeItem(arena, &(lpk->u.ec.privateValue),
|
||||
+ SEC_ASN1_GET(SEC_OctetStringTemplate),
|
||||
+ &(pki->privateKey));
|
||||
+ if (rv != SECSuccess) {
|
||||
+ goto loser;
|
||||
+ }
|
||||
+ if (pki->publicKey.len) {
|
||||
+ lpk->u.ec.publicValue = pki->publicKey;
|
||||
+ /* convert length in bits to length in bytes */
|
||||
+ lpk->u.ec.publicValue.len >>= 3;
|
||||
+ }
|
||||
+ break;
|
||||
case SEC_OID_ML_KEM_768:
|
||||
paramSet = CKP_ML_KEM_768;
|
||||
goto mlkem_next;
|
||||
case SEC_OID_ML_KEM_1024:
|
||||
paramSet = CKP_ML_KEM_1024;
|
||||
@@ -7344,30 +7398,31 @@
|
||||
case SEC_ASN1_CONSTRUCTED | SEC_ASN1_SEQUENCE:
|
||||
keyTemplate = nsslowkey_PQBothSeedAndPrivateKeyTemplate;
|
||||
break;
|
||||
default:
|
||||
keyTemplate = NULL;
|
||||
- break;
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
+ goto loser;
|
||||
}
|
||||
|
||||
paramTemplate = NULL;
|
||||
paramDest = NULL;
|
||||
/* genpq encodes ocect, not integer, so no need to prep it */
|
||||
break;
|
||||
default:
|
||||
keyTemplate = NULL;
|
||||
paramTemplate = NULL;
|
||||
paramDest = NULL;
|
||||
- break;
|
||||
- }
|
||||
-
|
||||
- if (!keyTemplate) {
|
||||
- goto loser;
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
+ goto loser;
|
||||
}
|
||||
|
||||
/* decode the private key and any algorithm parameters */
|
||||
- rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
|
||||
+ rv = SECSuccess;
|
||||
+ if (keyTemplate) {
|
||||
+ rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
|
||||
+ }
|
||||
|
||||
if (lpk->keyType == NSSLOWKEYECKey) {
|
||||
/* convert length in bits to length in bytes */
|
||||
lpk->u.ec.publicValue.len >>= 3;
|
||||
rv = SECITEM_CopyItem(arena,
|
||||
@@ -7560,13 +7615,19 @@
|
||||
template = dhTemplate;
|
||||
templateCount = sizeof(dhTemplate) / sizeof(CK_ATTRIBUTE);
|
||||
keyType = CKK_DH;
|
||||
break;
|
||||
#endif
|
||||
- /* what about fortezza??? */
|
||||
+ case NSSLOWKEYECEdwardsKey:
|
||||
+ keyType = CKK_EC_EDWARDS;
|
||||
+ goto ec_import_continue;
|
||||
+ case NSSLOWKEYECMontgomeryKey:
|
||||
+ keyType = CKK_EC_MONTGOMERY;
|
||||
+ goto ec_import_continue;
|
||||
case NSSLOWKEYECKey:
|
||||
keyType = CKK_EC;
|
||||
+ ec_import_continue:
|
||||
/* if we weren't passed the CKA_NSS_DB, get it
|
||||
* from the public key */
|
||||
if (!sftk_hasAttribute(key, CKA_NSS_DB)) {
|
||||
if (lpk->u.ec.publicValue.len == 0) {
|
||||
crv = CKR_KEY_TYPE_INCONSISTENT;
|
||||
diff --git a/lib/softoken/pkcs11u.c b/lib/softoken/pkcs11u.c
|
||||
--- a/lib/softoken/pkcs11u.c
|
||||
+++ b/lib/softoken/pkcs11u.c
|
||||
@@ -1642,10 +1642,12 @@
|
||||
case CKK_DH:
|
||||
crv = stfk_CopyTokenAttributes(destObject, src_to, dhPrivKeyAttrs,
|
||||
dhPrivKeyAttrsCount);
|
||||
break;
|
||||
case CKK_EC:
|
||||
+ case CKK_EC_EDWARDS:
|
||||
+ case CKK_EC_MONTGOMERY:
|
||||
crv = stfk_CopyTokenAttributes(destObject, src_to, ecPrivKeyAttrs,
|
||||
ecPrivKeyAttrsCount);
|
||||
break;
|
||||
default:
|
||||
crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
|
||||
@@ -1706,10 +1708,12 @@
|
||||
case CKK_DH:
|
||||
crv = stfk_CopyTokenAttributes(destObject, src_to, dhPubKeyAttrs,
|
||||
dhPubKeyAttrsCount);
|
||||
break;
|
||||
case CKK_EC:
|
||||
+ case CKK_EC_EDWARDS:
|
||||
+ case CKK_EC_MONTGOMERY:
|
||||
crv = stfk_CopyTokenAttributes(destObject, src_to, ecPubKeyAttrs,
|
||||
ecPubKeyAttrsCount);
|
||||
break;
|
||||
default:
|
||||
crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
|
||||
diff --git a/lib/util/secoid.c b/lib/util/secoid.c
|
||||
--- a/lib/util/secoid.c
|
||||
+++ b/lib/util/secoid.c
|
||||
@@ -640,14 +640,14 @@
|
||||
a private key, and a signature (for the two EdDSA related OIDs).
|
||||
Additional encoding information is provided below for each of these
|
||||
locations.
|
||||
*/
|
||||
|
||||
-CONST_OID ed25519PublicKey[] = { 0x2B, 0x65, 0x70 };
|
||||
-CONST_OID ed25519Signature[] = { 0x2B, 0x65, 0x70 };
|
||||
-
|
||||
/*https://www.rfc-editor.org/rfc/rfc8410#section-3*/
|
||||
+/* 1.3.101.112 */
|
||||
+CONST_OID ed25519[] = { 0x2B, 0x65, 0x70 };
|
||||
+/* 1.3.101.110 */
|
||||
CONST_OID x25519PublicKey[] = { 0x2b, 0x65, 0x6e };
|
||||
|
||||
/*
|
||||
* ML-DSA OIDs
|
||||
* https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration
|
||||
@@ -1869,15 +1869,18 @@
|
||||
OD(hmac_sha3_512, SEC_OID_HMAC_SHA3_512, "HMAC SHA3-512", CKM_SHA3_512_HMAC, INVALID_CERT_EXTENSION),
|
||||
|
||||
ODE(SEC_OID_XYBER768D00,
|
||||
"X25519+Kyber768 key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
|
||||
|
||||
- OD(ed25519Signature, SEC_OID_ED25519_SIGNATURE, "X9.62 EDDSA signature", CKM_EDDSA,
|
||||
- INVALID_CERT_EXTENSION),
|
||||
+ /* SEC_OID_ED25519_PUBLIC_KEY and SEC_OID_ED25519_SIGNATURE have the same
|
||||
+ * values, so we should only have one entry in the table, We can't
|
||||
+ * shift the values of the other entries, so just leav a dead spot here */
|
||||
+ ODE(SEC_OID_RESERVED_OLD_EDSIG, "Reserved", CKM_INVALID_MECHANISM,
|
||||
+ INVALID_CERT_EXTENSION),
|
||||
|
||||
- OD(ed25519PublicKey, SEC_OID_ED25519_PUBLIC_KEY,
|
||||
- "X9.62 elliptic edwards curve public key", CKM_EC_EDWARDS_KEY_PAIR_GEN, INVALID_CERT_EXTENSION),
|
||||
+ OD(ed25519, SEC_OID_ED25519,
|
||||
+ "X9.62 Elliptic Edwards Curve 25519", CKM_EDDSA, INVALID_CERT_EXTENSION),
|
||||
|
||||
OD(dhSinglePassstdDHsha1kdfscheme, SEC_OID_DHSINGLEPASS_STDDH_SHA1KDF_SCHEME,
|
||||
"Eliptic Curve Diffie-Hellman Single Pass Standard with SHA1 KDF", CKM_ECDH1_DERIVE,
|
||||
INVALID_CERT_EXTENSION),
|
||||
OD(dhSinglePassstdDHsha224kdfscheme, SEC_OID_DHSINGLEPASS_STDDH_SHA224KDF_SCHEME,
|
||||
diff --git a/lib/util/secoidt.h b/lib/util/secoidt.h
|
||||
--- a/lib/util/secoidt.h
|
||||
+++ b/lib/util/secoidt.h
|
||||
@@ -512,12 +512,12 @@
|
||||
SEC_OID_HMAC_SHA3_384 = 370,
|
||||
SEC_OID_HMAC_SHA3_512 = 371,
|
||||
|
||||
SEC_OID_XYBER768D00 = 372,
|
||||
|
||||
- SEC_OID_ED25519_SIGNATURE = 373,
|
||||
- SEC_OID_ED25519_PUBLIC_KEY = 374,
|
||||
+ SEC_OID_RESERVED_OLD_EDSIG = 373,
|
||||
+ SEC_OID_ED25519 = 374,
|
||||
|
||||
SEC_OID_DHSINGLEPASS_STDDH_SHA1KDF_SCHEME = 375,
|
||||
SEC_OID_DHSINGLEPASS_STDDH_SHA224KDF_SCHEME = 376,
|
||||
SEC_OID_DHSINGLEPASS_STDDH_SHA256KDF_SCHEME = 377,
|
||||
SEC_OID_DHSINGLEPASS_STDDH_SHA384KDF_SCHEME = 378,
|
||||
@@ -561,10 +561,14 @@
|
||||
#define SEC_OID_ML_DSA_65_SIGNATURE SEC_OID_ML_DSA_65
|
||||
#define SEC_OID_ML_DSA_65_PUBLIC_KEY SEC_OID_ML_DSA_65
|
||||
#define SEC_OID_ML_DSA_87_SIGNATURE SEC_OID_ML_DSA_87
|
||||
#define SEC_OID_ML_DSA_87_PUBLIC_KEY SEC_OID_ML_DSA_87
|
||||
|
||||
+/* EDDSA have the same identifiers for public keys and signatures */
|
||||
+#define SEC_OID_ED25519_SIGNATURE SEC_OID_ED25519
|
||||
+#define SEC_OID_ED25519_PUBLIC_KEY SEC_OID_ED25519
|
||||
+
|
||||
typedef enum {
|
||||
INVALID_CERT_EXTENSION = 0,
|
||||
UNSUPPORTED_CERT_EXTENSION = 1,
|
||||
SUPPORTED_CERT_EXTENSION = 2
|
||||
} SECSupportExtenTag;
|
||||
diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh
|
||||
--- a/tests/tools/tools.sh
|
||||
+++ b/tests/tools/tools.sh
|
||||
@@ -126,10 +126,11 @@
|
||||
cp ${QADIR}/tools/pbmac1-valid-sha512.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/pbmac1-invalid-bad-iter.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/pbmac1-invalid-bad-salt.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/pbmac1-invalid-no-length.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/corrupted_cert_bag.p12 ${TOOLSDIR}/data
|
||||
+ cp ${QADIR}/tools/openssl-ed25519.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/openssl-ml-kem-768-seed.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/openssl-ml-kem-768-priv.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/openssl-ml-kem-768-both.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/openssl-ml-kem-1024-seed.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/openssl-ml-kem-1024-priv.p12 ${TOOLSDIR}/data
|
||||
@@ -534,10 +535,21 @@
|
||||
check_tmpfile
|
||||
|
||||
return $ret
|
||||
}
|
||||
|
||||
+tools_p12_import_ed25519_private_key()
|
||||
+{
|
||||
+ echo "$SCRIPTNAME: Importing ED25519 private key from PKCS#12 file --------------"
|
||||
+ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/openssl-ed25519.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1
|
||||
+ ret=$?
|
||||
+ html_msg $ret 0 "Importing ED25519 private key from PKCS#12 file"
|
||||
+ check_tmpfile
|
||||
+
|
||||
+ return $ret
|
||||
+}
|
||||
+
|
||||
tools_p12_ml_kem_import()
|
||||
{
|
||||
echo "$SCRIPTNAME: Testing ml-kem compatibility with pkcs12 --------------"
|
||||
for i in 768 1024
|
||||
do
|
||||
@@ -614,10 +626,11 @@
|
||||
fi
|
||||
tools_p12_export_with_none_ciphers
|
||||
tools_p12_export_with_invalid_ciphers
|
||||
tools_p12_import_old_files
|
||||
tools_p12_import_pbmac1_samples
|
||||
+ tools_p12_import_ed25519_private_key
|
||||
tools_p12_ml_kem_import
|
||||
if using_sql; then
|
||||
tools_p12_import_rsa_pss_private_key
|
||||
tools_p12_policy
|
||||
fi
|
||||
|
||||
@ -1,654 +0,0 @@
|
||||
# HG changeset patch
|
||||
# User Robert Relyea <rrelyea@redhat.com>
|
||||
# Date 1780515403 25200
|
||||
# Wed Jun 03 12:36:43 2026 -0700
|
||||
# Branch NSS_3_124_BRANCH
|
||||
# Node ID eaa726433f362aed5f4cdc40fe0b6aa813d99ed7
|
||||
# Parent 8136ca511f641717eb0b88becf947767a0335eab
|
||||
nss-3.124-ml-dsa-test-for-sign-verify-pkcs12.patch
|
||||
|
||||
diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c
|
||||
--- a/cmd/certutil/certutil.c
|
||||
+++ b/cmd/certutil/certutil.c
|
||||
@@ -1155,18 +1155,20 @@ PrintSyntax()
|
||||
FPS "\t%s -F -k key-id [-d certdir] [-P dbprefix]\n",
|
||||
progName);
|
||||
FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n"
|
||||
"\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
|
||||
FPS "\t%s -G [-h token-name] -k dsa [-q pqgfile -g key-size] [-f pwfile]\n"
|
||||
"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
|
||||
FPS "\t%s -G [-h token-name] -k ec -q curve [-f pwfile]\n"
|
||||
"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
|
||||
- FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|ec|rsa|all]\n",
|
||||
- progName);
|
||||
+ FPS "\t%s -G [-h token-name] -k mldsa -q paramset [-f pwfile]\n"
|
||||
+ "\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
|
||||
+ FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|ec|rsa|mldsa|all]\n",
|
||||
+ progName);
|
||||
FPS "\t\t [-f pwfile] [-X] [-d certdir] [-P dbprefix]\n");
|
||||
FPS "\t%s --upgrade-merge --source-dir upgradeDir --upgrade-id uniqueID\n",
|
||||
progName);
|
||||
FPS "\t\t [--upgrade-token-name tokenName] [-d targetDBDir]\n");
|
||||
FPS "\t\t [-P targetDBPrefix] [--source-prefix upgradeDBPrefix]\n");
|
||||
FPS "\t\t [-f targetPWfile] [-@ upgradePWFile]\n");
|
||||
FPS "\t%s --merge --source-dir sourceDBDir [-d targetDBdir]\n",
|
||||
progName);
|
||||
@@ -1389,16 +1391,19 @@ luG(enum usage_level ul, const char *com
|
||||
FPS "%-20s prime239v1, prime239v2, prime239v3, c2pnb163v1, \n", "");
|
||||
FPS "%-20s c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, \n", "");
|
||||
FPS "%-20s c2tnb191v2, c2tnb191v3, \n", "");
|
||||
FPS "%-20s c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, \n", "");
|
||||
FPS "%-20s c2pnb272w1, c2pnb304w1, \n", "");
|
||||
FPS "%-20s c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, \n", "");
|
||||
FPS "%-20s secp112r2, secp128r1, secp128r2, sect113r1, sect113r2\n", "");
|
||||
FPS "%-20s sect131r1, sect131r2\n", "");
|
||||
+ FPS "%-20s ML-DSA parameter set (mldsa only)\n",
|
||||
+ " -q paramset");
|
||||
+ FPS "%-20s valid values are ml-dsa-44, ml-dsa-65, ml-dsa-87:\n", "");
|
||||
FPS "%-20s Key database directory (default is ~/.netscape)\n",
|
||||
" -d keydir");
|
||||
FPS "%-20s Cert & Key database prefix\n",
|
||||
" -P dbprefix");
|
||||
FPS "%-20s\n"
|
||||
"%-20s PKCS #11 key Attributes.\n",
|
||||
" --keyAttrFlags attrflags", "");
|
||||
FPS "%-20s Comma separated list of key attribute attribute flags,\n", "");
|
||||
@@ -1481,16 +1486,17 @@ luK(enum usage_level ul, const char *com
|
||||
"-K");
|
||||
if (ul == usage_selected && !is_my_command)
|
||||
return;
|
||||
FPS "%-20s Name of token to search (\"all\" for all tokens)\n",
|
||||
" -h token-name ");
|
||||
|
||||
FPS "%-20s Key type (\"all\" (default), \"dsa\","
|
||||
" \"ec\","
|
||||
+ " \"mldsa\","
|
||||
" \"rsa\")\n",
|
||||
" -k key-type");
|
||||
FPS "%-20s The nickname of the key or associated certificate\n",
|
||||
" -n name");
|
||||
FPS "%-20s Specify the password file\n",
|
||||
" -f password-file");
|
||||
FPS "%-20s Key database directory (default is ~/.netscape)\n",
|
||||
" -d keydir");
|
||||
@@ -1641,16 +1647,20 @@ luR(enum usage_level ul, const char *com
|
||||
FPS "%-20s Create a certificate request restricted to RSA-PSS (rsa only)\n",
|
||||
" --pss");
|
||||
FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
|
||||
" -q pqgfile");
|
||||
FPS "%-20s Elliptic curve name (ec only)\n",
|
||||
" -q curve-name");
|
||||
FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
|
||||
"");
|
||||
+ FPS "%-20s ML-DSA parameter set (mldsa only)\n",
|
||||
+ " -q paramset");
|
||||
+ FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
|
||||
+ "");
|
||||
FPS "%-20s Specify the password file\n",
|
||||
" -f pwfile");
|
||||
FPS "%-20s Key database directory (default is ~/.netscape)\n",
|
||||
" -d keydir");
|
||||
FPS "%-20s Cert & Key database prefix\n",
|
||||
" -P dbprefix");
|
||||
FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
|
||||
" -p phone");
|
||||
@@ -1821,16 +1831,20 @@ luS(enum usage_level ul, const char *com
|
||||
FPS "%-20s Create a certificate restricted to RSA-PSS (rsa only)\n",
|
||||
" --pss");
|
||||
FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
|
||||
" -q pqgfile");
|
||||
FPS "%-20s Elliptic curve name (ec only)\n",
|
||||
" -q curve-name");
|
||||
FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
|
||||
"");
|
||||
+ FPS "%-20s ML-DSA parameter set (mldsa only)\n",
|
||||
+ " -q paramset");
|
||||
+ FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
|
||||
+ "");
|
||||
FPS "%-20s Self sign\n",
|
||||
" -x");
|
||||
FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n",
|
||||
" --pss-sign");
|
||||
FPS "%-20s Cert serial number\n",
|
||||
" -m serial-number");
|
||||
FPS "%-20s Time Warp\n",
|
||||
" -w warp-months");
|
||||
@@ -2773,19 +2787,44 @@ certutil_main(int argc, char **argv, PRB
|
||||
sourceDir = certutil.options[opt_SourceDir].arg;
|
||||
|
||||
if (certutil.options[opt_UpgradeID].activated)
|
||||
upgradeID = certutil.options[opt_UpgradeID].arg;
|
||||
|
||||
if (certutil.options[opt_UpgradeTokenName].activated)
|
||||
upgradeTokenName = certutil.options[opt_UpgradeTokenName].arg;
|
||||
|
||||
+ /* must be before opt_KeySize! */
|
||||
+ /* -k key type */
|
||||
+ if (certutil.options[opt_KeyType].activated) {
|
||||
+ char *arg = certutil.options[opt_KeyType].arg;
|
||||
+ if (PL_strcmp(arg, "rsa") == 0) {
|
||||
+ keytype = rsaKey;
|
||||
+ } else if (PL_strcmp(arg, "dsa") == 0) {
|
||||
+ keytype = dsaKey;
|
||||
+ } else if (PL_strcmp(arg, "ec") == 0) {
|
||||
+ keytype = ecKey;
|
||||
+ } else if (PL_strcmp(arg, "mldsa") == 0) {
|
||||
+ keytype = mldsaKey;
|
||||
+ } else if (PL_strcmp(arg, "all") == 0) {
|
||||
+ keytype = nullKey;
|
||||
+ } else {
|
||||
+ /* use an existing private/public key pair */
|
||||
+ keysource = arg;
|
||||
+ }
|
||||
+ } else if (certutil.commands[cmd_ListKeys].activated) {
|
||||
+ keytype = nullKey;
|
||||
+ }
|
||||
+
|
||||
if (certutil.options[opt_KeySize].activated) {
|
||||
keysize = PORT_Atoi(certutil.options[opt_KeySize].arg);
|
||||
- if ((keysize < MIN_KEY_BITS) || (keysize > MAX_KEY_BITS)) {
|
||||
+ /* mldsa limits are much different that rsa and dsa, don't
|
||||
+ * do the check here */
|
||||
+ if ((keytype != mldsaKey) &&
|
||||
+ ((keysize < MIN_KEY_BITS) || (keysize > MAX_KEY_BITS))) {
|
||||
PR_fprintf(PR_STDERR,
|
||||
"%s -g: Keysize must be between %d and %d.\n",
|
||||
progName, MIN_KEY_BITS, MAX_KEY_BITS);
|
||||
return 255;
|
||||
}
|
||||
if (keytype == ecKey) {
|
||||
PR_fprintf(PR_STDERR, "%s -g: Not for ec keys.\n", progName);
|
||||
return 255;
|
||||
@@ -2806,35 +2845,16 @@ certutil_main(int argc, char **argv, PRB
|
||||
hashAlgTag = SECU_StringToSignatureAlgTag(arg);
|
||||
if (hashAlgTag == SEC_OID_UNKNOWN) {
|
||||
PR_fprintf(PR_STDERR, "%s -Z: %s is not a recognized type.\n",
|
||||
progName, arg);
|
||||
return 255;
|
||||
}
|
||||
}
|
||||
|
||||
- /* -k key type */
|
||||
- if (certutil.options[opt_KeyType].activated) {
|
||||
- char *arg = certutil.options[opt_KeyType].arg;
|
||||
- if (PL_strcmp(arg, "rsa") == 0) {
|
||||
- keytype = rsaKey;
|
||||
- } else if (PL_strcmp(arg, "dsa") == 0) {
|
||||
- keytype = dsaKey;
|
||||
- } else if (PL_strcmp(arg, "ec") == 0) {
|
||||
- keytype = ecKey;
|
||||
- } else if (PL_strcmp(arg, "all") == 0) {
|
||||
- keytype = nullKey;
|
||||
- } else {
|
||||
- /* use an existing private/public key pair */
|
||||
- keysource = arg;
|
||||
- }
|
||||
- } else if (certutil.commands[cmd_ListKeys].activated) {
|
||||
- keytype = nullKey;
|
||||
- }
|
||||
-
|
||||
if (certutil.options[opt_KeyOpFlagsOn].activated) {
|
||||
keyOpFlagsOn = GetOpFlags(certutil.options[opt_KeyOpFlagsOn].arg);
|
||||
}
|
||||
if (certutil.options[opt_KeyOpFlagsOff].activated) {
|
||||
keyOpFlagsOff = GetOpFlags(certutil.options[opt_KeyOpFlagsOff].arg);
|
||||
keyOpFlagsOn &= ~keyOpFlagsOff; /* make off override on */
|
||||
}
|
||||
if (certutil.options[opt_KeyAttrFlags].activated) {
|
||||
@@ -2867,19 +2887,22 @@ certutil_main(int argc, char **argv, PRB
|
||||
srcCertPrefix = certutil.options[opt_SourcePrefix].arg;
|
||||
} else {
|
||||
Usage();
|
||||
}
|
||||
}
|
||||
|
||||
/* -q PQG file or curve name */
|
||||
if (certutil.options[opt_PQGFile].activated) {
|
||||
- if ((keytype != dsaKey) && (keytype != ecKey)) {
|
||||
+ if ((keytype != dsaKey) && (keytype != ecKey) &&
|
||||
+ (keytype != mldsaKey)) {
|
||||
PR_fprintf(PR_STDERR, "%s -q: specifies a PQG file for DSA keys"
|
||||
- " (-k dsa) or a named curve for EC keys (-k ec)\n)",
|
||||
+ " (-k dsa)\n"
|
||||
+ " or a named curve for EC keys (-k ec)\n"
|
||||
+ " or a parameter set for ML-DSA keys (-k mldsa)\n",
|
||||
progName);
|
||||
return 255;
|
||||
}
|
||||
}
|
||||
|
||||
/* -s subject name */
|
||||
if (certutil.options[opt_Subject].activated) {
|
||||
subject = CERT_AsciiToName(certutil.options[opt_Subject].arg);
|
||||
diff --git a/cmd/certutil/keystuff.c b/cmd/certutil/keystuff.c
|
||||
--- a/cmd/certutil/keystuff.c
|
||||
+++ b/cmd/certutil/keystuff.c
|
||||
@@ -512,16 +512,17 @@ CERTUTIL_GeneratePrivateKey(KeyType keyt
|
||||
int publicExponent, const char *noise,
|
||||
SECKEYPublicKey **pubkeyp, const char *pqgFile,
|
||||
PK11AttrFlags attrFlags, CK_FLAGS opFlagsOn,
|
||||
CK_FLAGS opFlagsOff, secuPWData *pwdata)
|
||||
{
|
||||
CK_MECHANISM_TYPE mechanism;
|
||||
PK11RSAGenParams rsaparams;
|
||||
SECKEYPQGParams *dsaparams = NULL;
|
||||
+ CK_ULONG paramSet;
|
||||
void *params;
|
||||
SECKEYPrivateKey *privKey = NULL;
|
||||
|
||||
if (slot == NULL)
|
||||
return NULL;
|
||||
|
||||
if (PK11_Authenticate(slot, PR_TRUE, pwdata) != SECSuccess)
|
||||
return NULL;
|
||||
@@ -564,16 +565,60 @@ CERTUTIL_GeneratePrivateKey(KeyType keyt
|
||||
}
|
||||
break;
|
||||
case ecKey:
|
||||
mechanism = CKM_EC_KEY_PAIR_GEN;
|
||||
/* For EC keys, PQGFile determines EC parameters */
|
||||
if ((params = (void *)getECParams(pqgFile)) == NULL)
|
||||
return NULL;
|
||||
break;
|
||||
+ case mldsaKey:
|
||||
+ mechanism = CKM_ML_DSA_KEY_PAIR_GEN;
|
||||
+ /* set paramset */
|
||||
+ paramSet = 0;
|
||||
+ if (pqgFile) {
|
||||
+ if (PORT_Strcasecmp(pqgFile, "ML-DSA-44") == 0) {
|
||||
+ paramSet = CKP_ML_DSA_44;
|
||||
+ } else if (PORT_Strcasecmp(pqgFile, "ML-DSA-65") == 0) {
|
||||
+ paramSet = CKP_ML_DSA_65;
|
||||
+ } else if (PORT_Strcasecmp(pqgFile, "ML-DSA-87") == 0) {
|
||||
+ paramSet = CKP_ML_DSA_87;
|
||||
+ } else {
|
||||
+ /* if we set pqgfile, it had better be right, don't
|
||||
+ * fall back to key size */
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ } else
|
||||
+ switch (size) {
|
||||
+ /* optionally use the size, either the actual size in bytes
|
||||
+ * or the short hand ('44', '65', '87') */
|
||||
+ case 44:
|
||||
+ case 2560:
|
||||
+ paramSet = CKP_ML_DSA_44;
|
||||
+ break;
|
||||
+ case 65:
|
||||
+ case 4032:
|
||||
+ paramSet = CKP_ML_DSA_65;
|
||||
+ break;
|
||||
+ case 87:
|
||||
+ case 4896:
|
||||
+ paramSet = CKP_ML_DSA_87;
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* force a size to be specified somewhere */
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ /* paranoia, shouldn't be able to happen logically. Code
|
||||
+ * scanners will scream, but I like belt and suspenders */
|
||||
+ if (paramSet == 0) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ params = ¶mSet;
|
||||
+ break;
|
||||
+
|
||||
default:
|
||||
return NULL;
|
||||
}
|
||||
|
||||
fprintf(stderr, "\n\n");
|
||||
fprintf(stderr, "Generating key. This may take a few moments...\n\n");
|
||||
|
||||
privKey = PK11_GenerateKeyPairWithOpFlags(slot, mechanism, params, pubkeyp,
|
||||
diff --git a/cmd/pk11importtest/pk11importtest.c b/cmd/pk11importtest/pk11importtest.c
|
||||
--- a/cmd/pk11importtest/pk11importtest.c
|
||||
+++ b/cmd/pk11importtest/pk11importtest.c
|
||||
@@ -214,32 +214,34 @@ enum {
|
||||
opt_ECCurve,
|
||||
opt_PWFile,
|
||||
opt_PWString,
|
||||
opt_NoPub,
|
||||
opt_NoRSA,
|
||||
opt_NoDSA,
|
||||
opt_NoDH,
|
||||
opt_NoEC,
|
||||
+ opt_NoMLDSA,
|
||||
opt_NoMLKEM,
|
||||
opt_NoED,
|
||||
opt_NoECMont,
|
||||
};
|
||||
|
||||
static secuCommandFlag options[] = {
|
||||
{ /* opt_CertDir */ 'd', PR_TRUE, 0, PR_FALSE },
|
||||
{ /* opt_KeySize */ 'k', PR_TRUE, 0, PR_FALSE },
|
||||
{ /* opt_ECCurve */ 'C', PR_TRUE, 0, PR_FALSE },
|
||||
{ /* opt_PWFile */ 'f', PR_TRUE, 0, PR_FALSE },
|
||||
{ /* opt_PWString */ 'p', PR_TRUE, 0, PR_FALSE },
|
||||
{ /* opt_NoPub */ 'n', PR_FALSE, 0, PR_FALSE },
|
||||
{ /* opt_NoRSA */ 'r', PR_FALSE, 0, PR_FALSE },
|
||||
{ /* opt_NoDSA */ 'D', PR_FALSE, 0, PR_FALSE },
|
||||
{ /* opt_NoDH */ 'h', PR_FALSE, 0, PR_FALSE },
|
||||
{ /* opt_NoEC */ 'e', PR_FALSE, 0, PR_FALSE },
|
||||
+ { /* opt_NoMLDSA */ 'm', PR_FALSE, 0, PR_FALSE },
|
||||
{ /* opt_NoMLKEM */ 'K', PR_FALSE, 0, PR_FALSE },
|
||||
{ /* opt_NoED */ 'w', PR_FALSE, 0, PR_FALSE },
|
||||
{ /* opt_NoECMont */ 'g', PR_FALSE, 0, PR_FALSE },
|
||||
};
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
@@ -248,16 +250,18 @@ main(int argc, char **argv)
|
||||
secuCommand args;
|
||||
PK11SlotInfo *slot = NULL;
|
||||
PRBool failed = PR_FALSE;
|
||||
secuPWData pwArgs = { PW_NONE, 0 };
|
||||
PRBool doRSA = PR_TRUE;
|
||||
PRBool doDSA = PR_TRUE;
|
||||
PRBool doDH = PR_FALSE; /* NSS currently can't export wrapped DH keys */
|
||||
PRBool doEC = PR_TRUE;
|
||||
+ PRBool doMLDSA = PR_FALSE;
|
||||
+ CK_ML_DSA_PARAMETER_SET_TYPE mldsaParamSet = CKP_ML_DSA_44;
|
||||
PRBool doMLKEM = PR_TRUE;
|
||||
PRBool doED = PR_TRUE;
|
||||
PRBool doECMont = PR_TRUE;
|
||||
PRBool noPub = PR_FALSE;
|
||||
PQGParams *pqgParams = NULL;
|
||||
int keySize;
|
||||
|
||||
args.numCommands = 0;
|
||||
@@ -308,16 +312,19 @@ main(int argc, char **argv)
|
||||
doDSA = PR_FALSE;
|
||||
}
|
||||
if (args.options[opt_NoDH].activated) {
|
||||
doDH = PR_FALSE;
|
||||
}
|
||||
if (args.options[opt_NoEC].activated) {
|
||||
doEC = PR_FALSE;
|
||||
}
|
||||
+ if (args.options[opt_NoMLDSA].activated) {
|
||||
+ doMLDSA = PR_FALSE;
|
||||
+ }
|
||||
if (args.options[opt_NoMLKEM].activated) {
|
||||
doMLKEM = PR_FALSE;
|
||||
}
|
||||
|
||||
slot = PK11_GetInternalKeySlot();
|
||||
if (slot == NULL) {
|
||||
SECU_PrintError(progName, "Couldn't find the internal key slot\n");
|
||||
return 255;
|
||||
@@ -403,16 +410,26 @@ main(int argc, char **argv)
|
||||
PORT_Free(ecParams.data);
|
||||
ec_failed:
|
||||
if (rv != SECSuccess) {
|
||||
fprintf(stderr, "ECC Import Failed!\n");
|
||||
failed = PR_TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
+ if (doMLDSA) {
|
||||
+ rv = handleEncryptedPrivateImportTest(progName, slot, "MLDSA",
|
||||
+ CKM_ML_DSA_KEY_PAIR_GEN,
|
||||
+ noPub, &mldsaParamSet, &pwArgs);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ fprintf(stderr, "MLDSA Import Failed!\n");
|
||||
+ failed = PR_TRUE;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (doMLKEM) {
|
||||
CK_ML_KEM_PARAMETER_SET_TYPE paramSet = CKP_ML_KEM_768;
|
||||
|
||||
rv = handleEncryptedPrivateImportTest(progName, slot, "MLKEM",
|
||||
CKM_ML_KEM_KEY_PAIR_GEN,
|
||||
noPub, ¶mSet, &pwArgs);
|
||||
if (rv != SECSuccess) {
|
||||
fprintf(stderr, "MLKEM Import Failed!\n");
|
||||
diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
|
||||
--- a/tests/cert/cert.sh
|
||||
+++ b/tests/cert/cert.sh
|
||||
@@ -101,16 +101,19 @@ cert_init()
|
||||
fi
|
||||
|
||||
cert_add_algorithm "RSA" "" "" "false" 0
|
||||
if [ -z ${NSS_DISABLE_DSA} ]; then
|
||||
cert_add_algorithm "DSA" "-dsa" "-k dsa" "true" 20000
|
||||
fi
|
||||
# NOTE: curve is added later, so the full command would be '-k ec -q curve'
|
||||
cert_add_algorithm "ECC" "-ec" "-k ec -q" "true" 10000
|
||||
+ cert_add_algorithm "ML-DSA-44" "-ml-dsa-44" "-k mldsa -q ml-dsa-44" "false" 30000
|
||||
+ cert_add_algorithm "ML-DSA-65" "-ml-dsa-65" "-k mldsa -q ml-dsa-65" "false" 40000
|
||||
+ cert_add_algorithm "ML-DSA-87" "-ml-dsa-87" "-k mldsa -q ml-dsa-87" "false" 50000
|
||||
# currently rsa-pss is only enabled for a subset of tests
|
||||
# this will enable a full suite of RSA-PSS certs, and we would
|
||||
# then remove the explicit ones
|
||||
# ulike the other tests, we would need to change ssl tests as this
|
||||
# will rename some of the RSA-PSS certificates.
|
||||
#cert_add_algorithm "RSA-PSS" "-rsa-pss" "-k rsa -pss -Z sha256" "true"
|
||||
#cert_add_algorithm "RSA-PSS-SHA1" "-rsa-pss-sha1" "-k rsa -pss -Z sha1" "true"
|
||||
|
||||
@@ -519,16 +522,25 @@ cert_CA()
|
||||
cert_dsa_CA "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}"
|
||||
;;
|
||||
ECC)
|
||||
cert_ec_CA "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}" "${ALG}"
|
||||
;;
|
||||
RSA-PSS)
|
||||
cert_rsa_pss_CA "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}" "${ALG}"
|
||||
;;
|
||||
+ ML-DSA-44)
|
||||
+ cert_ml_dsa_CA ml-dsa-44 "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}"
|
||||
+ ;;
|
||||
+ ML-DSA-65)
|
||||
+ cert_ml_dsa_CA ml-dsa-65 "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}"
|
||||
+ ;;
|
||||
+ ML-DSA-87)
|
||||
+ cert_ml_dsa_CA ml-dsa-65 "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}"
|
||||
+ ;;
|
||||
*)
|
||||
Exit 9 "Fatal - unknown key type ${KEY_TYPE}, failed to create CA cert"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
|
||||
|
||||
@@ -672,19 +684,78 @@ CERTSCRIPT
|
||||
CU_ACTION="Exporting DSA Root Cert"
|
||||
certu -L -n $NICKNAME -r -d ${LPROFILE} -o root-dsa.cert
|
||||
if [ "$RET" -ne 0 ]; then
|
||||
Exit 7 "Fatal - failed to export dsa root cert"
|
||||
fi
|
||||
cp root-dsa.cert ${NICKNAME}.ca.cert
|
||||
}
|
||||
|
||||
++################################ cert_ml_dsa_CA #############################
|
||||
+# local shell function to build the Temp. Certificate Authority (CA)
|
||||
+# used for testing purposes, creating a CA Certificate and a root cert
|
||||
+# This is the ML-DSA version of cert_CA.
|
||||
+##########################################################################
|
||||
+cert_ml_dsa_CA()
|
||||
+{
|
||||
+ PARAM_SET=$1
|
||||
+ CUR_CADIR=$2
|
||||
+ NICKNAME=$3
|
||||
+ SIGNER=$4
|
||||
+ TRUSTARG=$5
|
||||
+ DOMAIN=$6
|
||||
+ CERTSERIAL=$7
|
||||
|
||||
+ echo "$SCRIPTNAME: Creating a ML-DSA ($PARAM_SET) CA Certificate $NICKNAME =========================="
|
||||
+
|
||||
+ if [ ! -d "${CUR_CADIR}" ]; then
|
||||
+ mkdir -p "${CUR_CADIR}"
|
||||
+ fi
|
||||
+ cd ${CUR_CADIR}
|
||||
+ pwd
|
||||
+
|
||||
+ LPROFILE=.
|
||||
+ if [ -n "${MULTIACCESS_DBM}" ]; then
|
||||
+ LPROFILE="multiaccess:${DOMAIN}"
|
||||
+ fi
|
||||
|
||||
+ ################# Creating a ML-DSA CA Cert ###############################
|
||||
+ #
|
||||
+ CU_ACTION="Creating ML-DSA ($PARAM_SET) CA Cert $NICKNAME "
|
||||
+ CU_SUBJECT=$ALL_CU_SUBJECT
|
||||
+ certu -S -n $NICKNAME -k mldsa -q $PARAM_SET -t $TRUSTARG -v 600 $SIGNER \
|
||||
+ -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \
|
||||
+ -m $CERTSERIAL 2>&1 <<CERTSCRIPT
|
||||
+5
|
||||
+6
|
||||
+9
|
||||
+n
|
||||
+y
|
||||
+-1
|
||||
+n
|
||||
+5
|
||||
+6
|
||||
+7
|
||||
+9
|
||||
+n
|
||||
+CERTSCRIPT
|
||||
|
||||
+ if [ "$RET" -ne 0 ]; then
|
||||
+ echo "return value is $RET"
|
||||
+ Exit 6 "Fatal - failed to create ML-DSA ($PARAM_SET) CA cert"
|
||||
+ fi
|
||||
+
|
||||
+ ################# Exporting ML-DSA Root Cert ###############################
|
||||
+ #
|
||||
+ CU_ACTION="Exporting ML-DSA ($PARAM_SET) Root Cert"
|
||||
+ certu -L -n $NICKNAME -r -d ${LPROFILE} -o ${NICKNAME}.ca.cert
|
||||
+ if [ "$RET" -ne 0 ]; then
|
||||
+ Exit 7 "Fatal - failed to export $PARAM_SET root cert"
|
||||
+ fi
|
||||
+}
|
||||
|
||||
################################ cert_rsa_pss_CA #############################
|
||||
# local shell function to build the Temp. Certificate Authority (CA)
|
||||
# used for testing purposes, creating a CA Certificate and a root cert
|
||||
# This is the RSA-PSS version of cert_CA.
|
||||
##########################################################################
|
||||
cert_rsa_pss_CA()
|
||||
{
|
||||
@@ -1194,17 +1265,17 @@ cert_stresscerts()
|
||||
}
|
||||
|
||||
############################## cert_fips #####################################
|
||||
# local shell function to create certificates for FIPS tests
|
||||
##############################################################################
|
||||
cert_fips()
|
||||
{
|
||||
CERTFAILED=0
|
||||
- echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
|
||||
+ echo "$SCRIPTNAME: Creating FIPS 140 Certificates =============="
|
||||
cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
|
||||
|
||||
CU_ACTION="Initializing ${CERTNAME}'s Cert DB"
|
||||
certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1
|
||||
|
||||
CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)"
|
||||
modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
|
||||
|
||||
diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh
|
||||
--- a/tests/tools/tools.sh
|
||||
+++ b/tests/tools/tools.sh
|
||||
@@ -124,24 +124,32 @@ tools_init()
|
||||
cp ${QADIR}/tools/pbmac1-valid-sha256.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/pbmac1-valid-sha256-sha512.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/pbmac1-valid-sha512.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/pbmac1-invalid-bad-iter.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/pbmac1-invalid-bad-salt.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/pbmac1-invalid-no-length.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/corrupted_cert_bag.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/openssl-ed25519.p12 ${TOOLSDIR}/data
|
||||
+ cp ${QADIR}/tools/ietf-ml-dsa-44-both.p12 ${TOOLSDIR}/data
|
||||
+ cp ${QADIR}/tools/ietf-ml-dsa-44-key.p12 ${TOOLSDIR}/data
|
||||
+ cp ${QADIR}/tools/ietf-ml-dsa-65-both.p12 ${TOOLSDIR}/data
|
||||
+ cp ${QADIR}/tools/ietf-ml-dsa-65-key.p12 ${TOOLSDIR}/data
|
||||
+ cp ${QADIR}/tools/ietf-ml-dsa-87-both.p12 ${TOOLSDIR}/data
|
||||
+ cp ${QADIR}/tools/ietf-ml-dsa-87-key.p12 ${TOOLSDIR}/data
|
||||
+ cp ${QADIR}/tools/openssl-ml-dsa-44.p12 ${TOOLSDIR}/data
|
||||
+ cp ${QADIR}/tools/openssl-ml-dsa-65.p12 ${TOOLSDIR}/data
|
||||
+ cp ${QADIR}/tools/openssl-ml-dsa-87.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/openssl-ml-kem-768-seed.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/openssl-ml-kem-768-priv.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/openssl-ml-kem-768-both.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/openssl-ml-kem-1024-seed.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/openssl-ml-kem-1024-priv.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/openssl-ml-kem-1024-both.p12 ${TOOLSDIR}/data
|
||||
|
||||
-
|
||||
cd ${TOOLSDIR}
|
||||
}
|
||||
|
||||
########################## list_p12_file ###############################
|
||||
# List the key and cert in the specified p12 file
|
||||
########################################################################
|
||||
list_p12_file()
|
||||
{
|
||||
@@ -543,16 +551,43 @@ tools_p12_import_ed25519_private_key()
|
||||
${BINDIR}/pk12util -i ${TOOLSDIR}/data/openssl-ed25519.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1
|
||||
ret=$?
|
||||
html_msg $ret 0 "Importing ED25519 private key from PKCS#12 file"
|
||||
check_tmpfile
|
||||
|
||||
return $ret
|
||||
}
|
||||
|
||||
+tools_p12_ml_dsa_import()
|
||||
+{
|
||||
+ echo "$SCRIPTNAME: Testing ml-dsa compatibility with pkcs12 --------------"
|
||||
+ for i in 44 65 87
|
||||
+ do
|
||||
+ echo "${BINDIR}/pk12util -i ${TOOLSDIR}/data/openssl-ml-dsa-$i.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1"
|
||||
+ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/openssl-ml-dsa-$i.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1
|
||||
+ ret=$?
|
||||
+ html_msg $ret 0 "Importing openssl encoded ml-dsa-$i private key from PKCS#12 file"
|
||||
+ check_tmpfile
|
||||
+ for j in 'key' 'both'
|
||||
+ do
|
||||
+ echo "${BINDIR}/pk12util -i ${TOOLSDIR}/data/ietf-ml-dsa-$i-$j.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1"
|
||||
+ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/ietf-ml-dsa-$i-$j.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1
|
||||
+ ret=$?
|
||||
+ html_msg $ret 0 "Importing openssl encoded ml-dsa-$i private key from PKCS#12 file"
|
||||
+ check_tmpfile
|
||||
+ html_msg $ret 0 "Importing ietf sample ml-dsa-$i-$j private key from PKCS#12 file"
|
||||
+
|
||||
+ # each cert has the same issuer/sn, so we can't hold more than one in
|
||||
+ # the data base
|
||||
+ echo "${BINDIR}/certutil -F -n \"ietf ml-dsa-$i-$j sample\" -d ${P_R_COPYDIR} -f ${R_PWFILE}"
|
||||
+ ${BINDIR}/certutil -F -n "ietf ml-dsa-$i-$j sample" -d ${P_R_COPYDIR} -f ${R_PWFILE}
|
||||
+ done
|
||||
+ done
|
||||
+}
|
||||
+
|
||||
tools_p12_ml_kem_import()
|
||||
{
|
||||
echo "$SCRIPTNAME: Testing ml-kem compatibility with pkcs12 --------------"
|
||||
for i in 768 1024
|
||||
do
|
||||
for j in 'seed' 'priv' 'both'
|
||||
do
|
||||
echo "${BINDIR}/pk12util -i ${TOOLSDIR}/data/openssl-ml-kem-$i-$j.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1"
|
||||
@@ -624,16 +659,17 @@ tools_p12()
|
||||
else
|
||||
tools_p12_export_list_import_most_ciphers
|
||||
fi
|
||||
tools_p12_export_with_none_ciphers
|
||||
tools_p12_export_with_invalid_ciphers
|
||||
tools_p12_import_old_files
|
||||
tools_p12_import_pbmac1_samples
|
||||
tools_p12_import_ed25519_private_key
|
||||
+ tools_p12_ml_dsa_import
|
||||
tools_p12_ml_kem_import
|
||||
if using_sql; then
|
||||
tools_p12_import_rsa_pss_private_key
|
||||
tools_p12_policy
|
||||
fi
|
||||
}
|
||||
|
||||
############################## tools_sign ##############################
|
||||
335
nss-3.79-revert-distrusted-certs.patch
Normal file
335
nss-3.79-revert-distrusted-certs.patch
Normal file
@ -0,0 +1,335 @@
|
||||
diff -up ./lib/ckfw/builtins/certdata.txt.revert-distrusted ./lib/ckfw/builtins/certdata.txt
|
||||
--- ./lib/ckfw/builtins/certdata.txt.revert-distrusted 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./lib/ckfw/builtins/certdata.txt 2022-06-24 10:51:32.035207662 -0700
|
||||
@@ -7668,6 +7668,187 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
#
|
||||
+# Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
+#
|
||||
+# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||
+# Serial Number: 268435455 (0xfffffff)
|
||||
+# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||
+# Not Valid Before: Wed May 12 08:51:39 2010
|
||||
+# Not Valid After : Mon Mar 23 09:50:05 2020
|
||||
+# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
|
||||
+# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
|
||||
+CKA_SUBJECT MULTILINE_OCTAL
|
||||
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
|
||||
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
|
||||
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
|
||||
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
|
||||
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
|
||||
+\156\151\163\141\164\151\145\040\055\040\107\062
|
||||
+END
|
||||
+CKA_ID UTF8 "0"
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
|
||||
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
|
||||
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
|
||||
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
|
||||
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
|
||||
+\156\151\163\141\164\151\145\040\055\040\107\062
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\004\017\377\377\377
|
||||
+END
|
||||
+CKA_VALUE MULTILINE_OCTAL
|
||||
+\060\202\006\225\060\202\004\175\240\003\002\001\002\002\004\017
|
||||
+\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\013
|
||||
+\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116
|
||||
+\114\061\027\060\025\006\003\125\004\012\014\016\104\151\147\151
|
||||
+\116\157\164\141\162\040\102\056\126\056\061\062\060\060\006\003
|
||||
+\125\004\003\014\051\104\151\147\151\116\157\164\141\162\040\120
|
||||
+\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\162
|
||||
+\147\141\156\151\163\141\164\151\145\040\055\040\107\062\060\036
|
||||
+\027\015\061\060\060\065\061\062\060\070\065\061\063\071\132\027
|
||||
+\015\062\060\060\063\062\063\060\071\065\060\060\065\132\060\132
|
||||
+\061\013\060\011\006\003\125\004\006\023\002\116\114\061\027\060
|
||||
+\025\006\003\125\004\012\014\016\104\151\147\151\116\157\164\141
|
||||
+\162\040\102\056\126\056\061\062\060\060\006\003\125\004\003\014
|
||||
+\051\104\151\147\151\116\157\164\141\162\040\120\113\111\157\166
|
||||
+\145\162\150\145\151\144\040\103\101\040\117\162\147\141\156\151
|
||||
+\163\141\164\151\145\040\055\040\107\062\060\202\002\042\060\015
|
||||
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002
|
||||
+\017\000\060\202\002\012\002\202\002\001\000\261\023\031\017\047
|
||||
+\346\154\324\125\206\113\320\354\211\212\105\221\170\254\107\275
|
||||
+\107\053\344\374\105\353\117\264\046\163\133\067\323\303\177\366
|
||||
+\343\336\327\243\370\055\150\305\010\076\113\224\326\344\207\045
|
||||
+\066\153\204\265\030\164\363\050\130\163\057\233\152\317\274\004
|
||||
+\036\366\336\335\257\374\113\252\365\333\146\142\045\001\045\202
|
||||
+\336\362\227\132\020\156\335\135\251\042\261\004\251\043\163\072
|
||||
+\370\161\255\035\317\204\104\353\107\321\257\155\310\174\050\253
|
||||
+\307\362\067\172\164\137\137\305\002\024\212\243\132\343\033\154
|
||||
+\001\343\135\216\331\150\326\364\011\033\062\334\221\265\054\365
|
||||
+\040\353\214\003\155\046\111\270\223\304\205\135\330\322\233\257
|
||||
+\126\152\314\005\063\314\240\102\236\064\125\104\234\153\240\324
|
||||
+\022\320\053\124\315\267\211\015\345\366\353\350\373\205\001\063
|
||||
+\117\172\153\361\235\162\063\226\016\367\262\204\245\245\047\304
|
||||
+\047\361\121\163\051\167\272\147\156\376\114\334\264\342\241\241
|
||||
+\201\057\071\111\215\103\070\023\316\320\245\134\302\207\072\000
|
||||
+\147\145\102\043\361\066\131\012\035\243\121\310\274\243\224\052
|
||||
+\061\337\343\074\362\235\032\074\004\260\357\261\012\060\023\163
|
||||
+\266\327\363\243\114\001\165\024\205\170\300\327\212\071\130\205
|
||||
+\120\372\056\346\305\276\317\213\077\257\217\066\324\045\011\055
|
||||
+\322\017\254\162\223\362\277\213\324\120\263\371\025\120\233\231
|
||||
+\365\024\331\373\213\221\243\062\046\046\240\370\337\073\140\201
|
||||
+\206\203\171\133\053\353\023\075\051\072\301\155\335\275\236\216
|
||||
+\207\326\112\256\064\227\005\356\024\246\366\334\070\176\112\351
|
||||
+\044\124\007\075\227\150\067\106\153\015\307\250\041\257\023\124
|
||||
+\344\011\152\361\115\106\012\311\135\373\233\117\275\336\373\267
|
||||
+\124\313\270\070\234\247\071\373\152\055\300\173\215\253\245\247
|
||||
+\127\354\112\222\212\063\305\341\040\134\163\330\220\222\053\200
|
||||
+\325\017\206\030\151\174\071\117\204\206\274\367\114\133\363\325
|
||||
+\264\312\240\302\360\067\042\312\171\122\037\123\346\252\363\220
|
||||
+\260\073\335\362\050\375\254\353\305\006\044\240\311\324\057\017
|
||||
+\130\375\265\236\354\017\317\262\131\320\242\004\172\070\152\256
|
||||
+\162\373\275\360\045\142\224\011\247\005\013\002\003\001\000\001
|
||||
+\243\202\001\141\060\202\001\135\060\110\006\003\125\035\040\004
|
||||
+\101\060\077\060\075\006\004\125\035\040\000\060\065\060\063\006
|
||||
+\010\053\006\001\005\005\007\002\001\026\047\150\164\164\160\072
|
||||
+\057\057\167\167\167\056\144\151\147\151\156\157\164\141\162\056
|
||||
+\156\154\057\143\160\163\057\160\153\151\157\166\145\162\150\145
|
||||
+\151\144\060\017\006\003\125\035\023\001\001\377\004\005\060\003
|
||||
+\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003
|
||||
+\002\001\006\060\201\205\006\003\125\035\043\004\176\060\174\200
|
||||
+\024\071\020\213\111\222\134\333\141\022\040\315\111\235\032\216
|
||||
+\332\234\147\100\271\241\136\244\134\060\132\061\013\060\011\006
|
||||
+\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004
|
||||
+\012\014\025\123\164\141\141\164\040\144\145\162\040\116\145\144
|
||||
+\145\162\154\141\156\144\145\156\061\053\060\051\006\003\125\004
|
||||
+\003\014\042\123\164\141\141\164\040\144\145\162\040\116\145\144
|
||||
+\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101
|
||||
+\040\055\040\107\062\202\004\000\230\226\364\060\111\006\003\125
|
||||
+\035\037\004\102\060\100\060\076\240\074\240\072\206\070\150\164
|
||||
+\164\160\072\057\057\143\162\154\056\160\153\151\157\166\145\162
|
||||
+\150\145\151\144\056\156\154\057\104\157\155\117\162\147\141\156
|
||||
+\151\163\141\164\151\145\114\141\164\145\163\164\103\122\114\055
|
||||
+\107\062\056\143\162\154\060\035\006\003\125\035\016\004\026\004
|
||||
+\024\274\135\224\073\331\253\173\003\045\163\141\302\333\055\356
|
||||
+\374\253\217\145\241\060\015\006\011\052\206\110\206\367\015\001
|
||||
+\001\013\005\000\003\202\002\001\000\217\374\055\114\267\331\055
|
||||
+\325\037\275\357\313\364\267\150\027\165\235\116\325\367\335\234
|
||||
+\361\052\046\355\237\242\266\034\003\325\123\263\354\010\317\064
|
||||
+\342\343\303\364\265\026\057\310\303\276\327\323\163\253\000\066
|
||||
+\371\032\112\176\326\143\351\136\106\272\245\266\216\025\267\243
|
||||
+\052\330\103\035\357\135\310\037\201\205\263\213\367\377\074\364
|
||||
+\331\364\106\010\077\234\274\035\240\331\250\114\315\045\122\116
|
||||
+\012\261\040\367\037\351\103\331\124\106\201\023\232\300\136\164
|
||||
+\154\052\230\062\352\374\167\273\015\245\242\061\230\042\176\174
|
||||
+\174\347\332\244\255\354\267\056\032\031\161\370\110\120\332\103
|
||||
+\217\054\204\335\301\100\047\343\265\360\025\116\226\324\370\134
|
||||
+\343\206\051\106\053\327\073\007\353\070\177\310\206\127\227\323
|
||||
+\357\052\063\304\027\120\325\144\151\153\053\153\105\136\135\057
|
||||
+\027\312\132\116\317\303\327\071\074\365\073\237\106\271\233\347
|
||||
+\016\111\227\235\326\325\343\033\017\352\217\001\116\232\023\224
|
||||
+\131\012\002\007\110\113\032\140\253\177\117\355\013\330\125\015
|
||||
+\150\157\125\234\151\145\025\102\354\300\334\335\154\254\303\026
|
||||
+\316\013\035\126\233\244\304\304\322\056\340\017\342\104\047\053
|
||||
+\120\151\244\334\142\350\212\041\051\102\154\314\000\072\226\166
|
||||
+\233\357\100\300\244\136\167\204\062\154\046\052\071\146\256\135
|
||||
+\343\271\271\262\054\150\037\036\232\220\003\071\360\252\263\244
|
||||
+\314\111\213\030\064\351\067\311\173\051\307\204\174\157\104\025
|
||||
+\057\354\141\131\004\311\105\313\242\326\122\242\174\177\051\222
|
||||
+\326\112\305\213\102\250\324\376\352\330\307\207\043\030\344\235
|
||||
+\172\175\163\100\122\230\240\256\156\343\005\077\005\017\340\245
|
||||
+\306\155\115\355\203\067\210\234\307\363\334\102\232\152\266\327
|
||||
+\041\111\066\167\362\357\030\117\305\160\331\236\351\336\267\053
|
||||
+\213\364\274\176\050\337\015\100\311\205\134\256\235\305\061\377
|
||||
+\320\134\016\265\250\176\360\351\057\272\257\210\256\345\265\321
|
||||
+\130\245\257\234\161\247\051\001\220\203\151\067\202\005\272\374
|
||||
+\011\301\010\156\214\170\073\303\063\002\200\077\104\205\010\035
|
||||
+\337\125\126\010\255\054\205\055\135\261\003\341\256\252\164\305
|
||||
+\244\363\116\272\067\230\173\202\271
|
||||
+END
|
||||
+
|
||||
+# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
+# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||
+# Serial Number: 268435455 (0xfffffff)
|
||||
+# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||
+# Not Valid Before: Wed May 12 08:51:39 2010
|
||||
+# Not Valid After : Mon Mar 23 09:50:05 2020
|
||||
+# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
|
||||
+# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
|
||||
+\325\362\127\251\277\055\320\077\213\106\127\371\053\311\244\306
|
||||
+\222\341\102\102
|
||||
+END
|
||||
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
|
||||
+\056\141\242\321\170\316\356\277\131\063\260\043\024\017\224\034
|
||||
+END
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
|
||||
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
|
||||
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
|
||||
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
|
||||
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
|
||||
+\156\151\163\141\164\151\145\040\055\040\107\062
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\004\017\377\377\377
|
||||
+END
|
||||
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
+
|
||||
+#
|
||||
# Certificate "Security Communication RootCA2"
|
||||
#
|
||||
# Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
|
||||
@@ -8161,6 +8342,68 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
+# Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929
|
||||
+# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
|
||||
+# Serial Number: 1800000005 (0x6b49d205)
|
||||
+# Not Before: Apr 7 15:37:15 2011 GMT
|
||||
+# Not After : Apr 4 15:37:15 2021 GMT
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "MITM subCA 1 issued by Trustwave"
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
|
||||
+\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
|
||||
+\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
|
||||
+\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
|
||||
+\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
|
||||
+\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
|
||||
+\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
|
||||
+\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
|
||||
+\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
|
||||
+\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
|
||||
+\100\164\162\165\163\164\167\141\166\145\056\143\157\155
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\004\153\111\322\005
|
||||
+END
|
||||
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
+
|
||||
+# Explicitly Distrust "MITM subCA 2 issued by Trustwave", Bug 724929
|
||||
+# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
|
||||
+# Serial Number: 1800000006 (0x6b49d206)
|
||||
+# Not Before: Apr 18 21:09:30 2011 GMT
|
||||
+# Not After : Apr 15 21:09:30 2021 GMT
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "MITM subCA 2 issued by Trustwave"
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
|
||||
+\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
|
||||
+\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
|
||||
+\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
|
||||
+\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
|
||||
+\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
|
||||
+\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
|
||||
+\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
|
||||
+\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
|
||||
+\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
|
||||
+\100\164\162\165\163\164\167\141\166\145\056\143\157\155
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\004\153\111\322\006
|
||||
+END
|
||||
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
+
|
||||
#
|
||||
# Certificate "Actalis Authentication Root CA"
|
||||
#
|
||||
@@ -8804,6 +9047,74 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
+# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022
|
||||
+# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
|
||||
+# Serial Number: 2087 (0x827)
|
||||
+# Subject: CN=*.EGO.GOV.TR,OU=EGO BILGI ISLEM,O=EGO,L=ANKARA,ST=ANKARA,C=TR
|
||||
+# Not Valid Before: Mon Aug 08 07:07:51 2011
|
||||
+# Not Valid After : Tue Jul 06 07:07:51 2021
|
||||
+# Fingerprint (MD5): F8:F5:25:FF:0C:31:CF:85:E1:0C:86:17:C1:CE:1F:8E
|
||||
+# Fingerprint (SHA1): C6:9F:28:C8:25:13:9E:65:A6:46:C4:34:AC:A5:A1:D2:00:29:5D:B1
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 1"
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303
|
||||
+\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
|
||||
+\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151
|
||||
+\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145
|
||||
+\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061
|
||||
+\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124
|
||||
+\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164
|
||||
+\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151
|
||||
+\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151
|
||||
+\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050
|
||||
+\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\002\010\047
|
||||
+END
|
||||
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
+
|
||||
+# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 2", Bug 825022
|
||||
+# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
|
||||
+# Serial Number: 2148 (0x864)
|
||||
+# Subject: E=ileti@kktcmerkezbankasi.org,CN=e-islem.kktcmerkezbankasi.org,O=KKTC Merkez Bankasi,L=Lefkosa,ST=Lefkosa,C=TR
|
||||
+# Not Valid Before: Mon Aug 08 07:07:51 2011
|
||||
+# Not Valid After : Thu Aug 05 07:07:51 2021
|
||||
+# Fingerprint (MD5): BF:C3:EC:AD:0F:42:4F:B4:B5:38:DB:35:BF:AD:84:A2
|
||||
+# Fingerprint (SHA1): F9:2B:E5:26:6C:C0:5D:B2:DC:0D:C3:F2:DC:74:E0:2D:EF:D9:49:CB
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 2"
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303
|
||||
+\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
|
||||
+\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151
|
||||
+\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145
|
||||
+\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061
|
||||
+\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124
|
||||
+\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164
|
||||
+\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151
|
||||
+\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151
|
||||
+\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050
|
||||
+\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\002\010\144
|
||||
+END
|
||||
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
+
|
||||
#
|
||||
# Certificate "D-TRUST Root Class 3 CA 2 2009"
|
||||
#
|
||||
19
nss.spec
19
nss.spec
@ -3,7 +3,7 @@
|
||||
# NOTE: To avoid NVR clashes of nspr* packages:
|
||||
# - reset %%{nspr_release} to 1, when updating %%{nspr_version}
|
||||
# - increment %%{nspr_version}, when updating the NSS part only
|
||||
%global baserelease 2
|
||||
%global baserelease 3
|
||||
%global nss_release %baserelease
|
||||
# release number between nss and nspr are different. This typically
|
||||
# happens with a new version of nss was release, but nspr was not updated
|
||||
@ -168,9 +168,8 @@ Patch35: nss-3.124-disable-ech.patch
|
||||
Patch36: nss-3.101-skip-ocsp-if-not-connected.patch
|
||||
# dont upstream, must be after patch36 (sigh)
|
||||
Patch37: nss-3.124-revert-libpkix-default.patch
|
||||
# build crmf for now
|
||||
Patch38: nss-3.124-enable-crmf.patch
|
||||
Patch39: nss-3.124-no-p12-smime-policy.patch
|
||||
Patch38: nss-3.124-no-p12-smime-policy.patch
|
||||
Patch39: nss-3.79-revert-distrusted-certs.patch
|
||||
|
||||
Patch40: nss-3.90-dh-test-update.patch
|
||||
Patch41: nss-3.124-ppc_no_init.patch
|
||||
@ -715,7 +714,7 @@ pushd nss/tests
|
||||
# nss_cycles: standard pkix upgradedb sharedb
|
||||
# the full list from all.sh is:
|
||||
# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
||||
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
||||
%define nss_tests "libpkix cert dbtests tools fips sdr smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
||||
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
|
||||
# nss_ssl_run: cov auth stapling stress
|
||||
#
|
||||
@ -822,7 +821,7 @@ install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
|
||||
install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
|
||||
|
||||
# Copy the development libraries we want
|
||||
for file in libcrmf.a libnssb.a libnssckfw.a
|
||||
for file in libnssb.a libnssckfw.a
|
||||
do
|
||||
install -p -m 644 dist/${LOBJDIR}/lib/$file $RPM_BUILD_ROOT/%{_libdir}
|
||||
done
|
||||
@ -1005,7 +1004,6 @@ update-crypto-policies &> /dev/null || :
|
||||
%doc %{_mandir}/man1/vfyserv.1*
|
||||
|
||||
%files devel
|
||||
%{_libdir}/libcrmf.a
|
||||
%{_libdir}/pkgconfig/nss.pc
|
||||
%{_bindir}/nss-config
|
||||
%doc %{_mandir}/man1/nss-config.1*
|
||||
@ -1014,13 +1012,9 @@ update-crypto-policies &> /dev/null || :
|
||||
%{_includedir}/nss3/cert.h
|
||||
%{_includedir}/nss3/certdb.h
|
||||
%{_includedir}/nss3/certt.h
|
||||
%{_includedir}/nss3/cmmf.h
|
||||
%{_includedir}/nss3/cmmft.h
|
||||
%{_includedir}/nss3/cms.h
|
||||
%{_includedir}/nss3/cmsreclist.h
|
||||
%{_includedir}/nss3/cmst.h
|
||||
%{_includedir}/nss3/crmf.h
|
||||
%{_includedir}/nss3/crmft.h
|
||||
%{_includedir}/nss3/cryptohi.h
|
||||
%{_includedir}/nss3/cryptoht.h
|
||||
%{_includedir}/nss3/jar-ds.h
|
||||
@ -1203,6 +1197,9 @@ update-crypto-policies &> /dev/null || :
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Jun 9 2026 Bob Relyea <rrelyea@redhat.com> - 3.124.0-3
|
||||
- drop crmf
|
||||
|
||||
* Tue Jun 9 2026 Bob Relyea <rrelyea@redhat.com> - 3.124.0-2
|
||||
- rebase fixes
|
||||
- restore rhel-9 dropping of pkcs12 and smime policy
|
||||
|
||||
Loading…
Reference in New Issue
Block a user