diff --git a/nss-3.124-enable-crmf.patch b/nss-3.124-enable-crmf.patch deleted file mode 100644 index b19de19..0000000 --- a/nss-3.124-enable-crmf.patch +++ /dev/null @@ -1,104 +0,0 @@ -# HG changeset patch -# User Robert Relyea -# Date 1780437848 25200 -# Tue Jun 02 15:04:08 2026 -0700 -# Branch NSS_3_124_BRANCH -# Node ID b32abfeba0dab71016b45b33d32b8bea717da75f -# Parent 19e655733f3af71e3d517ada0d31ad0697d40f3f -nss-3.124-enable-crmf.patch - -diff --git a/cmd/manifest.mn b/cmd/manifest.mn ---- a/cmd/manifest.mn -+++ b/cmd/manifest.mn -@@ -4,16 +4,22 @@ - # file, You can obtain one at http://mozilla.org/MPL/2.0/. - - DEPTH = .. - # MODULE = seccmd - - SOFTOKEN_SRCDIRS= - NSS_SRCDIRS= - LIB_SRCDIRS= -+CRMF_SRCDIR= -+ -+ifdef NSS_ENABLE_CRMF -+CRMF_SRCDIR=crmftest -+endif -+ - - ifdef NSS_BUILD_UTIL_ONLY - REQUIRES = nspr - else - REQUIRES = nss nspr libdbm - LIB_SRCDIRS = \ - lib \ - $(NULL) -@@ -35,16 +41,17 @@ ifndef NSS_BUILD_SOFTOKEN_ONLY - ifndef NSS_BUILD_UTIL_ONLY - NSS_SRCDIRS = \ - addbuiltin \ - atob \ - btoa \ - certutil \ - chktest \ - crlutil \ -+ $(CRMF_SRCDIR) \ - dbtest \ - derdump \ - digest \ - httpserv \ - listsuites \ - makepqg \ - multinit \ - nss-policy-check \ -diff --git a/lib/Makefile b/lib/Makefile ---- a/lib/Makefile -+++ b/lib/Makefile -@@ -51,16 +51,20 @@ endif # MOZILLA_CLIENT - ifndef NSS_DISABLE_DBM - DBM_SRCDIR = dbm - endif - - ifndef NSS_DISABLE_LIBPKIX - LIBPKIX_SRCDIR = libpkix - endif - -+ifdef NSS_ENABLE_CRMF -+CRMF_SRCDIR=crmf -+endif -+ - ifeq ($(NSS_BUILD_UTIL_ONLY),1) - UTIL_SRCDIR = util - - else - ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1) - FREEBL_SRCDIR = freebl - SOFTOKEN_SRCDIR = softoken - else -@@ -83,24 +87,24 @@ else - endif - - ifneq (,$(SOFTOKEN_SRCDIR)) - $(SOFTOKEN_SRCDIR): $(DBM_SRCDIR) $(FREEBL_SRCDIR) $(SQLITE_SRCDIR) $(UTIL_SRCDIR) - endif - - ifndef NSS_BUILD_SOFTOKEN_ONLY - NSS_SRCDIRS = \ -- base certdb certhigh ckfw cryptohi dev jar $(LIBPKIX_SRCDIR) \ -+ base certdb certhigh ckfw $(CRMF_SRCDIR) cryptohi dev jar $(LIBPKIX_SRCDIR) \ - nss pk11wrap pkcs12 pkcs7 pki smime ssl $(SYSINIT_SRCDIR) $(ZLIB_SRCDIR) - - ifneq (,$(SYSINIT_SRCDIR)) - $(SYSINIT_SRCDIR): $(UTIL_SRCDIR) - endif - -- nss: base certdb certhigh cryptohi dev $(LIBPKIX_SRCDIR) pk11wrap pki $(UTIL_SRCDIR) -+ nss: base certdb certhigh cryptohi $(CRMF_SRCDIR) dev $(LIBPKIX_SRCDIR) pk11wrap pki $(UTIL_SRCDIR) - smime: nss pkcs7 pkcs12 - ssl: nss - ckfw: nss - - endif # !NSS_BUILD_SOFTOKEN_ONLY - endif # !NSS_BUILD_UTIL_ONLY - - DIRS = \ diff --git a/nss-3.124-fix-ed-key-storage.patch b/nss-3.124-fix-ed-key-storage.patch deleted file mode 100644 index f539a92..0000000 --- a/nss-3.124-fix-ed-key-storage.patch +++ /dev/null @@ -1,627 +0,0 @@ -diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c ---- a/cmd/lib/secutil.c -+++ b/cmd/lib/secutil.c -@@ -1603,10 +1603,18 @@ - - case ecKey: - secu_PrintECPublicKey(out, pk, "EC Public Key", level + 1); - break; - -+ case ecMontKey: -+ secu_PrintECPublicKey(out, pk, "EC Montgomery Public Key", level + 1); -+ break; -+ -+ case edKey: -+ secu_PrintECPublicKey(out, pk, "EC Edwards Public Key", level + 1); -+ break; -+ - case mldsaKey: - SECU_PrintMLDSAPublicKey(out, pk, "ML-DSA Public Key", level + 1); - break; - - case kyberKey: -diff --git a/cmd/pk11importtest/pk11importtest.c b/cmd/pk11importtest/pk11importtest.c ---- a/cmd/pk11importtest/pk11importtest.c -+++ b/cmd/pk11importtest/pk11importtest.c -@@ -191,10 +191,12 @@ - " -r skip rsa test", - " -D skip dsa test", - " -h skip dh test", - " -e skip ec test", - " -K skip mk-kem test", -+ " -w skip ed test", -+ " -g skip ec montgomery test", - }; - static int nUsageInfo = sizeof(usageInfo) / sizeof(char *); - - static void - Usage(char *progName, FILE *outFile) -@@ -216,10 +218,12 @@ - opt_NoRSA, - opt_NoDSA, - opt_NoDH, - opt_NoEC, - opt_NoMLKEM, -+ opt_NoED, -+ opt_NoECMont, - }; - - static secuCommandFlag options[] = { - { /* opt_CertDir */ 'd', PR_TRUE, 0, PR_FALSE }, - { /* opt_KeySize */ 'k', PR_TRUE, 0, PR_FALSE }, -@@ -230,10 +234,12 @@ - { /* opt_NoRSA */ 'r', PR_FALSE, 0, PR_FALSE }, - { /* opt_NoDSA */ 'D', PR_FALSE, 0, PR_FALSE }, - { /* opt_NoDH */ 'h', PR_FALSE, 0, PR_FALSE }, - { /* opt_NoEC */ 'e', PR_FALSE, 0, PR_FALSE }, - { /* opt_NoMLKEM */ 'K', PR_FALSE, 0, PR_FALSE }, -+ { /* opt_NoED */ 'w', PR_FALSE, 0, PR_FALSE }, -+ { /* opt_NoECMont */ 'g', PR_FALSE, 0, PR_FALSE }, - }; - - int - main(int argc, char **argv) - { -@@ -246,10 +252,12 @@ - PRBool doRSA = PR_TRUE; - PRBool doDSA = PR_TRUE; - PRBool doDH = PR_FALSE; /* NSS currently can't export wrapped DH keys */ - PRBool doEC = PR_TRUE; - PRBool doMLKEM = PR_TRUE; -+ PRBool doED = PR_TRUE; -+ PRBool doECMont = PR_TRUE; - PRBool noPub = PR_FALSE; - PQGParams *pqgParams = NULL; - int keySize; - - args.numCommands = 0; -@@ -410,10 +418,55 @@ - fprintf(stderr, "MLKEM Import Failed!\n"); - failed = PR_TRUE; - } - } - -+ if (doED) { -+ SECKEYECParams ecParams; -+ SECOidData *curve = SECOID_FindOIDByTag(SEC_OID_ED25519); -+ ecParams.data = PORT_Alloc(curve->oid.len + 2); -+ if (ecParams.data == NULL) { -+ rv = SECFailure; -+ goto ed_failed; -+ } -+ ecParams.data[0] = SEC_ASN1_OBJECT_ID; -+ ecParams.data[1] = (unsigned char)curve->oid.len; -+ PORT_Memcpy(&ecParams.data[2], curve->oid.data, curve->oid.len); -+ ecParams.len = curve->oid.len + 2; -+ rv = handleEncryptedPrivateImportTest(progName, slot, "EDDSA", -+ CKM_EC_EDWARDS_KEY_PAIR_GEN, -+ noPub, &ecParams, &pwArgs); -+ PORT_Free(ecParams.data); -+ ed_failed: -+ if (rv != SECSuccess) { -+ fprintf(stderr, "EDDSA Import Failed!\n"); -+ failed = PR_TRUE; -+ } -+ } -+ if (doECMont) { -+ SECKEYECParams ecParams; -+ SECOidData *curve = SECOID_FindOIDByTag(SEC_OID_X25519); -+ ecParams.data = PORT_Alloc(curve->oid.len + 2); -+ if (ecParams.data == NULL) { -+ rv = SECFailure; -+ goto ecmont_failed; -+ } -+ ecParams.data[0] = SEC_ASN1_OBJECT_ID; -+ ecParams.data[1] = (unsigned char)curve->oid.len; -+ PORT_Memcpy(&ecParams.data[2], curve->oid.data, curve->oid.len); -+ ecParams.len = curve->oid.len + 2; -+ rv = handleEncryptedPrivateImportTest(progName, slot, "EC Mont", -+ CKM_EC_MONTGOMERY_KEY_PAIR_GEN, -+ noPub, &ecParams, &pwArgs); -+ PORT_Free(ecParams.data); -+ ecmont_failed: -+ if (rv != SECSuccess) { -+ fprintf(stderr, "EC Montgomery Import Failed!\n"); -+ failed = PR_TRUE; -+ } -+ } -+ - if (pqgParams) { - PK11_PQG_DestroyParams(pqgParams); - } - - if (slot) { -diff --git a/lib/softoken/lowkey.c b/lib/softoken/lowkey.c ---- a/lib/softoken/lowkey.c -+++ b/lib/softoken/lowkey.c -@@ -43,10 +43,15 @@ - { SEC_ASN1_OCTET_STRING, - offsetof(NSSLOWKEYPrivateKeyInfo, privateKey) }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(NSSLOWKEYPrivateKeyInfo, attributes), - nsslowkey_SetOfAttributeTemplate }, -+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | -+ SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | -+ SEC_ASN1_XTRN | 1, -+ offsetof(NSSLOWKEYPrivateKeyInfo, publicKey), -+ SEC_ASN1_SUB(SEC_BitStringTemplate) }, - { 0 } - }; - - const SEC_ASN1Template nsslowkey_SubjectPublicKeyInfoTemplate[] = { - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYSubjectPublicKeyInfo) }, -@@ -399,10 +404,12 @@ - if (rv == SECSuccess) - return pubk; - } - break; - case NSSLOWKEYECKey: -+ case NSSLOWKEYECEdwardsKey: -+ case NSSLOWKEYECMontgomeryKey: - pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena, - sizeof(NSSLOWKEYPublicKey)); - if (pubk != NULL) { - SECStatus rv; - -@@ -631,10 +638,12 @@ - &(privKey->u.dh.base)); - if (rv != SECSuccess) - break; - break; - case NSSLOWKEYECKey: -+ case NSSLOWKEYECEdwardsKey: -+ case NSSLOWKEYECMontgomeryKey: - rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.version), - &(privKey->u.ec.version)); - if (rv != SECSuccess) - break; - rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.publicValue), -diff --git a/lib/softoken/lowkeyti.h b/lib/softoken/lowkeyti.h ---- a/lib/softoken/lowkeyti.h -+++ b/lib/softoken/lowkeyti.h -@@ -48,10 +48,11 @@ - PLArenaPool *arena; - SECItem version; - SECAlgorithmID algorithm; - SECItem privateKey; - NSSLOWKEYAttribute **attributes; -+ SECItem publicKey; - }; - typedef struct NSSLOWKEYPrivateKeyInfoStr NSSLOWKEYPrivateKeyInfo; - #define NSSLOWKEY_PRIVATE_KEY_INFO_VERSION 0 /* what we *create* */ - - struct NSSLOWKEYSubjectPublicKeyInfoStr { -@@ -65,12 +66,14 @@ - NSSLOWKEYNullKey = 0, - NSSLOWKEYRSAKey = 1, - NSSLOWKEYDSAKey = 2, - NSSLOWKEYDHKey = 4, - NSSLOWKEYECKey = 5, -- NSSLOWKEYMLDSAKey = 6, -- NSSLOWKEYMLKEMKey = 7, -+ NSSLOWKEYECEdwardsKey = 6, -+ NSSLOWKEYECMontgomeryKey = 7, -+ NSSLOWKEYMLDSAKey = 8, -+ NSSLOWKEYMLKEMKey = 9, - } NSSLOWKEYType; - - /* ML KEM low structures packages a key with it's parameters. - * The ML KEM freebl didn't define these because all the functions - * take raw keys and param separately */ -diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c ---- a/lib/softoken/pkcs11.c -+++ b/lib/softoken/pkcs11.c -@@ -2223,13 +2223,18 @@ - break; - crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.publicValue, - object, CKA_VALUE); - break; - case CKK_EC_EDWARDS: -+ pubKey->keyType = NSSLOWKEYECEdwardsKey; -+ goto ec_continue; - case CKK_EC_MONTGOMERY: -+ pubKey->keyType = NSSLOWKEYECMontgomeryKey; -+ goto ec_continue; - case CKK_EC: - pubKey->keyType = NSSLOWKEYECKey; -+ ec_continue: - crv = sftk_Attribute2SSecItem(arena, - &pubKey->u.ec.ecParams.DEREncoding, - object, CKA_EC_PARAMS); - if (crv != CKR_OK) - break; -@@ -2451,13 +2456,18 @@ - itemTemplateCount++; - /* privKey was zero'd so public value is already set to NULL, 0 - * if we don't set it explicitly */ - break; - case CKK_EC_EDWARDS: -+ privKey->keyType = NSSLOWKEYECEdwardsKey; -+ goto ec_continue; - case CKK_EC_MONTGOMERY: -+ privKey->keyType = NSSLOWKEYECMontgomeryKey; -+ goto ec_continue; - case CKK_EC: - privKey->keyType = NSSLOWKEYECKey; -+ ec_continue: - crv = sftk_Attribute2SSecItem(arena, - &privKey->u.ec.ecParams.DEREncoding, - object, CKA_EC_PARAMS); - if (crv != CKR_OK) - break; -@@ -2514,10 +2524,11 @@ - case CKK_NSS_KYBER: - #endif - case CKK_NSS_ML_KEM: - case CKK_ML_KEM: - privKey->keyType = NSSLOWKEYMLKEMKey; -+ - crv = sftk_GetULongAttribute(object, CKA_PARAMETER_SET, - ¶mSet); - if (crv != CKR_OK) { - crv = sftk_GetULongAttribute(object, CKA_NSS_PARAMETER_SET, - ¶mSet); -diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c ---- a/lib/softoken/pkcs11c.c -+++ b/lib/softoken/pkcs11c.c -@@ -6465,12 +6465,10 @@ - * the private key */ - seed.data = seedData; - seed.len = sizeof(seedData); - rv = RNG_GenerateGlobalRandomBytes(seed.data, seed.len); - if (rv != SECSuccess) { -- fprintf(stderr, "Generate bytes failed nbytes=%d err=%d\n", -- seed.len, PORT_GetError()); - crv = sftk_MapCryptError(PORT_GetError()); - goto kyber_done; - } - - KyberParams kyberParams = sftk_kyber_PK11ParamToInternal(genParamSet); -@@ -6482,12 +6480,10 @@ - crv = CKR_HOST_MEMORY; - goto kyber_done; - } - rv = Kyber_NewKey(kyberParams, &seed, &privKey, &pubKey); - if (rv != SECSuccess) { -- fprintf(stderr, "Generate Kyber_NewKey failed nbytes=%d err=%d\n", -- seed.len, PORT_GetError()); - crv = sftk_MapCryptError(PORT_GetError()); - goto kyber_done; - } - - crv = sftk_AddAttributeType(publicKey, CKA_VALUE, sftk_item_expand(&pubKey)); -@@ -6902,10 +6898,11 @@ - param = SEC_ASN1EncodeItem(NULL, NULL, &(lk->u.dsa.params), - nsslowkey_PQGParamsTemplate); - algorithm = SEC_OID_ANSIX9_DSA_SIGNATURE; - break; - case NSSLOWKEYECKey: -+ algorithm = SEC_OID_ANSIX962_EC_PUBLIC_KEY; - prepare_low_ec_priv_key_for_asn1(lk); - /* Public value is encoded as a bit string so adjust length - * to be in bits before ASN encoding and readjust - * immediately after. - * -@@ -6926,12 +6923,30 @@ - SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKey", lk->keyType, - fordebug); - #endif - - param = SECITEM_DupItem(&lk->u.ec.ecParams.DEREncoding); -- -- algorithm = SEC_OID_ANSIX962_EC_PUBLIC_KEY; -+ break; -+ /* X25519, ED25519, X448, and ED448 encode the private key -+ * as just and int. The public key and Curve come from the -+ * generaly key structure */ -+ case NSSLOWKEYECEdwardsKey: -+ algorithm = SEC_OID_ED25519; -+ goto ec_continue; -+ case NSSLOWKEYECMontgomeryKey: -+ algorithm = SEC_OID_X25519; -+ ec_continue: -+ prepare_low_ec_priv_key_for_asn1(lk); -+ /* if we have a public key, copy it to pki public key */ -+ if (lk->u.ec.publicValue.len) { -+ pki->publicKey = lk->u.ec.publicValue; -+ pki->publicKey.len <<= 3; -+ } -+ dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, -+ &lk->u.ec.privateValue, -+ SEC_ASN1_GET(SEC_OctetStringTemplate)); -+ param = NULL; - break; - case NSSLOWKEYMLKEMKey: { - SECItem seed = { siBuffer, NULL, 0 }; - SECItem rawKey = { siBuffer, NULL, 0 }; - dummy = NULL; -@@ -7258,10 +7273,12 @@ - PLArenaPool *arena; - NSSLOWKEYPrivateKey *lpk = NULL; - NSSLOWKEYPrivateKeyInfo *pki = NULL; - CK_RV crv = CKR_KEY_TYPE_INCONSISTENT; - CK_ULONG paramSet = 0; -+ const SECOidData *oidData = NULL; -+ SECOidTag pkiAlg = SEC_OID_UNKNOWN; - - arena = PORT_NewArena(2048); - if (!arena) { - return SECFailure; - } -@@ -7283,11 +7300,12 @@ - if (lpk == NULL) { - goto loser; - } - lpk->arena = arena; - -- switch (SECOID_GetAlgorithmTag(&pki->algorithm)) { -+ pkiAlg = SECOID_GetAlgorithmTag(&pki->algorithm); -+ switch (pkiAlg) { - case SEC_OID_PKCS1_RSA_ENCRYPTION: - case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: - keyTemplate = nsslowkey_RSAPrivateKeyTemplate; - paramTemplate = NULL; - paramDest = NULL; -@@ -7309,10 +7327,46 @@ - paramDest = &(lpk->u.ec.ecParams.DEREncoding); - lpk->keyType = NSSLOWKEYECKey; - prepare_low_ec_priv_key_for_asn1(lpk); - prepare_low_ecparams_for_asn1(&lpk->u.ec.ecParams); - break; -+ case SEC_OID_X25519: -+ lpk->keyType = NSSLOWKEYECMontgomeryKey; -+ goto ecx_continue; -+ case SEC_OID_ED25519: -+ lpk->keyType = NSSLOWKEYECEdwardsKey; -+ ecx_continue: -+ /* we decode the whole key here rather than do the normal -+ * later decode step */ -+ keyTemplate = NULL; -+ paramTemplate = NULL; -+ paramDest = NULL; -+ oidData = SECOID_FindOIDByTag(pkiAlg); -+ if (oidData == NULL) { -+ goto loser; -+ } -+ /* CURVE is provided by the tag, not encoded in the parameters -+ * for the x25519, x448, ed25519 and ed448 keys */ -+ if (SEC_ASN1EncodeItem(arena, &(lpk->u.ec.ecParams.DEREncoding), -+ &oidData->oid, -+ SEC_ASN1_GET(SEC_ObjectIDTemplate)) == NULL) { -+ goto loser; -+ } -+ prepare_low_ec_priv_key_for_asn1(lpk); -+ /* private key is a simple octet string, just decode it now */ -+ rv = SEC_QuickDERDecodeItem(arena, &(lpk->u.ec.privateValue), -+ SEC_ASN1_GET(SEC_OctetStringTemplate), -+ &(pki->privateKey)); -+ if (rv != SECSuccess) { -+ goto loser; -+ } -+ if (pki->publicKey.len) { -+ lpk->u.ec.publicValue = pki->publicKey; -+ /* convert length in bits to length in bytes */ -+ lpk->u.ec.publicValue.len >>= 3; -+ } -+ break; - case SEC_OID_ML_KEM_768: - paramSet = CKP_ML_KEM_768; - goto mlkem_next; - case SEC_OID_ML_KEM_1024: - paramSet = CKP_ML_KEM_1024; -@@ -7344,30 +7398,31 @@ - case SEC_ASN1_CONSTRUCTED | SEC_ASN1_SEQUENCE: - keyTemplate = nsslowkey_PQBothSeedAndPrivateKeyTemplate; - break; - default: - keyTemplate = NULL; -- break; -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ goto loser; - } - - paramTemplate = NULL; - paramDest = NULL; - /* genpq encodes ocect, not integer, so no need to prep it */ - break; - default: - keyTemplate = NULL; - paramTemplate = NULL; - paramDest = NULL; -- break; -- } -- -- if (!keyTemplate) { -- goto loser; -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ goto loser; - } - - /* decode the private key and any algorithm parameters */ -- rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey); -+ rv = SECSuccess; -+ if (keyTemplate) { -+ rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey); -+ } - - if (lpk->keyType == NSSLOWKEYECKey) { - /* convert length in bits to length in bytes */ - lpk->u.ec.publicValue.len >>= 3; - rv = SECITEM_CopyItem(arena, -@@ -7560,13 +7615,19 @@ - template = dhTemplate; - templateCount = sizeof(dhTemplate) / sizeof(CK_ATTRIBUTE); - keyType = CKK_DH; - break; - #endif -- /* what about fortezza??? */ -+ case NSSLOWKEYECEdwardsKey: -+ keyType = CKK_EC_EDWARDS; -+ goto ec_import_continue; -+ case NSSLOWKEYECMontgomeryKey: -+ keyType = CKK_EC_MONTGOMERY; -+ goto ec_import_continue; - case NSSLOWKEYECKey: - keyType = CKK_EC; -+ ec_import_continue: - /* if we weren't passed the CKA_NSS_DB, get it - * from the public key */ - if (!sftk_hasAttribute(key, CKA_NSS_DB)) { - if (lpk->u.ec.publicValue.len == 0) { - crv = CKR_KEY_TYPE_INCONSISTENT; -diff --git a/lib/softoken/pkcs11u.c b/lib/softoken/pkcs11u.c ---- a/lib/softoken/pkcs11u.c -+++ b/lib/softoken/pkcs11u.c -@@ -1642,10 +1642,12 @@ - case CKK_DH: - crv = stfk_CopyTokenAttributes(destObject, src_to, dhPrivKeyAttrs, - dhPrivKeyAttrsCount); - break; - case CKK_EC: -+ case CKK_EC_EDWARDS: -+ case CKK_EC_MONTGOMERY: - crv = stfk_CopyTokenAttributes(destObject, src_to, ecPrivKeyAttrs, - ecPrivKeyAttrsCount); - break; - default: - crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types -@@ -1706,10 +1708,12 @@ - case CKK_DH: - crv = stfk_CopyTokenAttributes(destObject, src_to, dhPubKeyAttrs, - dhPubKeyAttrsCount); - break; - case CKK_EC: -+ case CKK_EC_EDWARDS: -+ case CKK_EC_MONTGOMERY: - crv = stfk_CopyTokenAttributes(destObject, src_to, ecPubKeyAttrs, - ecPubKeyAttrsCount); - break; - default: - crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types -diff --git a/lib/util/secoid.c b/lib/util/secoid.c ---- a/lib/util/secoid.c -+++ b/lib/util/secoid.c -@@ -640,14 +640,14 @@ - a private key, and a signature (for the two EdDSA related OIDs). - Additional encoding information is provided below for each of these - locations. - */ - --CONST_OID ed25519PublicKey[] = { 0x2B, 0x65, 0x70 }; --CONST_OID ed25519Signature[] = { 0x2B, 0x65, 0x70 }; -- - /*https://www.rfc-editor.org/rfc/rfc8410#section-3*/ -+/* 1.3.101.112 */ -+CONST_OID ed25519[] = { 0x2B, 0x65, 0x70 }; -+/* 1.3.101.110 */ - CONST_OID x25519PublicKey[] = { 0x2b, 0x65, 0x6e }; - - /* - * ML-DSA OIDs - * https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration -@@ -1869,15 +1869,18 @@ - OD(hmac_sha3_512, SEC_OID_HMAC_SHA3_512, "HMAC SHA3-512", CKM_SHA3_512_HMAC, INVALID_CERT_EXTENSION), - - ODE(SEC_OID_XYBER768D00, - "X25519+Kyber768 key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), - -- OD(ed25519Signature, SEC_OID_ED25519_SIGNATURE, "X9.62 EDDSA signature", CKM_EDDSA, -- INVALID_CERT_EXTENSION), -+ /* SEC_OID_ED25519_PUBLIC_KEY and SEC_OID_ED25519_SIGNATURE have the same -+ * values, so we should only have one entry in the table, We can't -+ * shift the values of the other entries, so just leav a dead spot here */ -+ ODE(SEC_OID_RESERVED_OLD_EDSIG, "Reserved", CKM_INVALID_MECHANISM, -+ INVALID_CERT_EXTENSION), - -- OD(ed25519PublicKey, SEC_OID_ED25519_PUBLIC_KEY, -- "X9.62 elliptic edwards curve public key", CKM_EC_EDWARDS_KEY_PAIR_GEN, INVALID_CERT_EXTENSION), -+ OD(ed25519, SEC_OID_ED25519, -+ "X9.62 Elliptic Edwards Curve 25519", CKM_EDDSA, INVALID_CERT_EXTENSION), - - OD(dhSinglePassstdDHsha1kdfscheme, SEC_OID_DHSINGLEPASS_STDDH_SHA1KDF_SCHEME, - "Eliptic Curve Diffie-Hellman Single Pass Standard with SHA1 KDF", CKM_ECDH1_DERIVE, - INVALID_CERT_EXTENSION), - OD(dhSinglePassstdDHsha224kdfscheme, SEC_OID_DHSINGLEPASS_STDDH_SHA224KDF_SCHEME, -diff --git a/lib/util/secoidt.h b/lib/util/secoidt.h ---- a/lib/util/secoidt.h -+++ b/lib/util/secoidt.h -@@ -512,12 +512,12 @@ - SEC_OID_HMAC_SHA3_384 = 370, - SEC_OID_HMAC_SHA3_512 = 371, - - SEC_OID_XYBER768D00 = 372, - -- SEC_OID_ED25519_SIGNATURE = 373, -- SEC_OID_ED25519_PUBLIC_KEY = 374, -+ SEC_OID_RESERVED_OLD_EDSIG = 373, -+ SEC_OID_ED25519 = 374, - - SEC_OID_DHSINGLEPASS_STDDH_SHA1KDF_SCHEME = 375, - SEC_OID_DHSINGLEPASS_STDDH_SHA224KDF_SCHEME = 376, - SEC_OID_DHSINGLEPASS_STDDH_SHA256KDF_SCHEME = 377, - SEC_OID_DHSINGLEPASS_STDDH_SHA384KDF_SCHEME = 378, -@@ -561,10 +561,14 @@ - #define SEC_OID_ML_DSA_65_SIGNATURE SEC_OID_ML_DSA_65 - #define SEC_OID_ML_DSA_65_PUBLIC_KEY SEC_OID_ML_DSA_65 - #define SEC_OID_ML_DSA_87_SIGNATURE SEC_OID_ML_DSA_87 - #define SEC_OID_ML_DSA_87_PUBLIC_KEY SEC_OID_ML_DSA_87 - -+/* EDDSA have the same identifiers for public keys and signatures */ -+#define SEC_OID_ED25519_SIGNATURE SEC_OID_ED25519 -+#define SEC_OID_ED25519_PUBLIC_KEY SEC_OID_ED25519 -+ - typedef enum { - INVALID_CERT_EXTENSION = 0, - UNSUPPORTED_CERT_EXTENSION = 1, - SUPPORTED_CERT_EXTENSION = 2 - } SECSupportExtenTag; -diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh ---- a/tests/tools/tools.sh -+++ b/tests/tools/tools.sh -@@ -126,10 +126,11 @@ - cp ${QADIR}/tools/pbmac1-valid-sha512.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/pbmac1-invalid-bad-iter.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/pbmac1-invalid-bad-salt.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/pbmac1-invalid-no-length.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/corrupted_cert_bag.p12 ${TOOLSDIR}/data -+ cp ${QADIR}/tools/openssl-ed25519.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/openssl-ml-kem-768-seed.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/openssl-ml-kem-768-priv.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/openssl-ml-kem-768-both.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/openssl-ml-kem-1024-seed.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/openssl-ml-kem-1024-priv.p12 ${TOOLSDIR}/data -@@ -534,10 +535,21 @@ - check_tmpfile - - return $ret - } - -+tools_p12_import_ed25519_private_key() -+{ -+ echo "$SCRIPTNAME: Importing ED25519 private key from PKCS#12 file --------------" -+ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/openssl-ed25519.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1 -+ ret=$? -+ html_msg $ret 0 "Importing ED25519 private key from PKCS#12 file" -+ check_tmpfile -+ -+ return $ret -+} -+ - tools_p12_ml_kem_import() - { - echo "$SCRIPTNAME: Testing ml-kem compatibility with pkcs12 --------------" - for i in 768 1024 - do -@@ -614,10 +626,11 @@ - fi - tools_p12_export_with_none_ciphers - tools_p12_export_with_invalid_ciphers - tools_p12_import_old_files - tools_p12_import_pbmac1_samples -+ tools_p12_import_ed25519_private_key - tools_p12_ml_kem_import - if using_sql; then - tools_p12_import_rsa_pss_private_key - tools_p12_policy - fi - diff --git a/nss-3.124-ml-dsa-test-for-sign-verify-pkcs12.patch b/nss-3.124-ml-dsa-test-for-sign-verify-pkcs12.patch deleted file mode 100644 index 91ba430..0000000 --- a/nss-3.124-ml-dsa-test-for-sign-verify-pkcs12.patch +++ /dev/null @@ -1,654 +0,0 @@ -# HG changeset patch -# User Robert Relyea -# Date 1780515403 25200 -# Wed Jun 03 12:36:43 2026 -0700 -# Branch NSS_3_124_BRANCH -# Node ID eaa726433f362aed5f4cdc40fe0b6aa813d99ed7 -# Parent 8136ca511f641717eb0b88becf947767a0335eab -nss-3.124-ml-dsa-test-for-sign-verify-pkcs12.patch - -diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c ---- a/cmd/certutil/certutil.c -+++ b/cmd/certutil/certutil.c -@@ -1155,18 +1155,20 @@ PrintSyntax() - FPS "\t%s -F -k key-id [-d certdir] [-P dbprefix]\n", - progName); - FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n" - "\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName); - FPS "\t%s -G [-h token-name] -k dsa [-q pqgfile -g key-size] [-f pwfile]\n" - "\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName); - FPS "\t%s -G [-h token-name] -k ec -q curve [-f pwfile]\n" - "\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName); -- FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|ec|rsa|all]\n", -- progName); -+ FPS "\t%s -G [-h token-name] -k mldsa -q paramset [-f pwfile]\n" -+ "\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName); -+ FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|ec|rsa|mldsa|all]\n", -+ progName); - FPS "\t\t [-f pwfile] [-X] [-d certdir] [-P dbprefix]\n"); - FPS "\t%s --upgrade-merge --source-dir upgradeDir --upgrade-id uniqueID\n", - progName); - FPS "\t\t [--upgrade-token-name tokenName] [-d targetDBDir]\n"); - FPS "\t\t [-P targetDBPrefix] [--source-prefix upgradeDBPrefix]\n"); - FPS "\t\t [-f targetPWfile] [-@ upgradePWFile]\n"); - FPS "\t%s --merge --source-dir sourceDBDir [-d targetDBdir]\n", - progName); -@@ -1389,16 +1391,19 @@ luG(enum usage_level ul, const char *com - FPS "%-20s prime239v1, prime239v2, prime239v3, c2pnb163v1, \n", ""); - FPS "%-20s c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, \n", ""); - FPS "%-20s c2tnb191v2, c2tnb191v3, \n", ""); - FPS "%-20s c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, \n", ""); - FPS "%-20s c2pnb272w1, c2pnb304w1, \n", ""); - FPS "%-20s c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, \n", ""); - FPS "%-20s secp112r2, secp128r1, secp128r2, sect113r1, sect113r2\n", ""); - FPS "%-20s sect131r1, sect131r2\n", ""); -+ FPS "%-20s ML-DSA parameter set (mldsa only)\n", -+ " -q paramset"); -+ FPS "%-20s valid values are ml-dsa-44, ml-dsa-65, ml-dsa-87:\n", ""); - FPS "%-20s Key database directory (default is ~/.netscape)\n", - " -d keydir"); - FPS "%-20s Cert & Key database prefix\n", - " -P dbprefix"); - FPS "%-20s\n" - "%-20s PKCS #11 key Attributes.\n", - " --keyAttrFlags attrflags", ""); - FPS "%-20s Comma separated list of key attribute attribute flags,\n", ""); -@@ -1481,16 +1486,17 @@ luK(enum usage_level ul, const char *com - "-K"); - if (ul == usage_selected && !is_my_command) - return; - FPS "%-20s Name of token to search (\"all\" for all tokens)\n", - " -h token-name "); - - FPS "%-20s Key type (\"all\" (default), \"dsa\"," - " \"ec\"," -+ " \"mldsa\"," - " \"rsa\")\n", - " -k key-type"); - FPS "%-20s The nickname of the key or associated certificate\n", - " -n name"); - FPS "%-20s Specify the password file\n", - " -f password-file"); - FPS "%-20s Key database directory (default is ~/.netscape)\n", - " -d keydir"); -@@ -1641,16 +1647,20 @@ luR(enum usage_level ul, const char *com - FPS "%-20s Create a certificate request restricted to RSA-PSS (rsa only)\n", - " --pss"); - FPS "%-20s Name of file containing PQG parameters (dsa only)\n", - " -q pqgfile"); - FPS "%-20s Elliptic curve name (ec only)\n", - " -q curve-name"); - FPS "%-20s See the \"-G\" option for a full list of supported names.\n", - ""); -+ FPS "%-20s ML-DSA parameter set (mldsa only)\n", -+ " -q paramset"); -+ FPS "%-20s See the \"-G\" option for a full list of supported names.\n", -+ ""); - FPS "%-20s Specify the password file\n", - " -f pwfile"); - FPS "%-20s Key database directory (default is ~/.netscape)\n", - " -d keydir"); - FPS "%-20s Cert & Key database prefix\n", - " -P dbprefix"); - FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n", - " -p phone"); -@@ -1821,16 +1831,20 @@ luS(enum usage_level ul, const char *com - FPS "%-20s Create a certificate restricted to RSA-PSS (rsa only)\n", - " --pss"); - FPS "%-20s Name of file containing PQG parameters (dsa only)\n", - " -q pqgfile"); - FPS "%-20s Elliptic curve name (ec only)\n", - " -q curve-name"); - FPS "%-20s See the \"-G\" option for a full list of supported names.\n", - ""); -+ FPS "%-20s ML-DSA parameter set (mldsa only)\n", -+ " -q paramset"); -+ FPS "%-20s See the \"-G\" option for a full list of supported names.\n", -+ ""); - FPS "%-20s Self sign\n", - " -x"); - FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n", - " --pss-sign"); - FPS "%-20s Cert serial number\n", - " -m serial-number"); - FPS "%-20s Time Warp\n", - " -w warp-months"); -@@ -2773,19 +2787,44 @@ certutil_main(int argc, char **argv, PRB - sourceDir = certutil.options[opt_SourceDir].arg; - - if (certutil.options[opt_UpgradeID].activated) - upgradeID = certutil.options[opt_UpgradeID].arg; - - if (certutil.options[opt_UpgradeTokenName].activated) - upgradeTokenName = certutil.options[opt_UpgradeTokenName].arg; - -+ /* must be before opt_KeySize! */ -+ /* -k key type */ -+ if (certutil.options[opt_KeyType].activated) { -+ char *arg = certutil.options[opt_KeyType].arg; -+ if (PL_strcmp(arg, "rsa") == 0) { -+ keytype = rsaKey; -+ } else if (PL_strcmp(arg, "dsa") == 0) { -+ keytype = dsaKey; -+ } else if (PL_strcmp(arg, "ec") == 0) { -+ keytype = ecKey; -+ } else if (PL_strcmp(arg, "mldsa") == 0) { -+ keytype = mldsaKey; -+ } else if (PL_strcmp(arg, "all") == 0) { -+ keytype = nullKey; -+ } else { -+ /* use an existing private/public key pair */ -+ keysource = arg; -+ } -+ } else if (certutil.commands[cmd_ListKeys].activated) { -+ keytype = nullKey; -+ } -+ - if (certutil.options[opt_KeySize].activated) { - keysize = PORT_Atoi(certutil.options[opt_KeySize].arg); -- if ((keysize < MIN_KEY_BITS) || (keysize > MAX_KEY_BITS)) { -+ /* mldsa limits are much different that rsa and dsa, don't -+ * do the check here */ -+ if ((keytype != mldsaKey) && -+ ((keysize < MIN_KEY_BITS) || (keysize > MAX_KEY_BITS))) { - PR_fprintf(PR_STDERR, - "%s -g: Keysize must be between %d and %d.\n", - progName, MIN_KEY_BITS, MAX_KEY_BITS); - return 255; - } - if (keytype == ecKey) { - PR_fprintf(PR_STDERR, "%s -g: Not for ec keys.\n", progName); - return 255; -@@ -2806,35 +2845,16 @@ certutil_main(int argc, char **argv, PRB - hashAlgTag = SECU_StringToSignatureAlgTag(arg); - if (hashAlgTag == SEC_OID_UNKNOWN) { - PR_fprintf(PR_STDERR, "%s -Z: %s is not a recognized type.\n", - progName, arg); - return 255; - } - } - -- /* -k key type */ -- if (certutil.options[opt_KeyType].activated) { -- char *arg = certutil.options[opt_KeyType].arg; -- if (PL_strcmp(arg, "rsa") == 0) { -- keytype = rsaKey; -- } else if (PL_strcmp(arg, "dsa") == 0) { -- keytype = dsaKey; -- } else if (PL_strcmp(arg, "ec") == 0) { -- keytype = ecKey; -- } else if (PL_strcmp(arg, "all") == 0) { -- keytype = nullKey; -- } else { -- /* use an existing private/public key pair */ -- keysource = arg; -- } -- } else if (certutil.commands[cmd_ListKeys].activated) { -- keytype = nullKey; -- } -- - if (certutil.options[opt_KeyOpFlagsOn].activated) { - keyOpFlagsOn = GetOpFlags(certutil.options[opt_KeyOpFlagsOn].arg); - } - if (certutil.options[opt_KeyOpFlagsOff].activated) { - keyOpFlagsOff = GetOpFlags(certutil.options[opt_KeyOpFlagsOff].arg); - keyOpFlagsOn &= ~keyOpFlagsOff; /* make off override on */ - } - if (certutil.options[opt_KeyAttrFlags].activated) { -@@ -2867,19 +2887,22 @@ certutil_main(int argc, char **argv, PRB - srcCertPrefix = certutil.options[opt_SourcePrefix].arg; - } else { - Usage(); - } - } - - /* -q PQG file or curve name */ - if (certutil.options[opt_PQGFile].activated) { -- if ((keytype != dsaKey) && (keytype != ecKey)) { -+ if ((keytype != dsaKey) && (keytype != ecKey) && -+ (keytype != mldsaKey)) { - PR_fprintf(PR_STDERR, "%s -q: specifies a PQG file for DSA keys" -- " (-k dsa) or a named curve for EC keys (-k ec)\n)", -+ " (-k dsa)\n" -+ " or a named curve for EC keys (-k ec)\n" -+ " or a parameter set for ML-DSA keys (-k mldsa)\n", - progName); - return 255; - } - } - - /* -s subject name */ - if (certutil.options[opt_Subject].activated) { - subject = CERT_AsciiToName(certutil.options[opt_Subject].arg); -diff --git a/cmd/certutil/keystuff.c b/cmd/certutil/keystuff.c ---- a/cmd/certutil/keystuff.c -+++ b/cmd/certutil/keystuff.c -@@ -512,16 +512,17 @@ CERTUTIL_GeneratePrivateKey(KeyType keyt - int publicExponent, const char *noise, - SECKEYPublicKey **pubkeyp, const char *pqgFile, - PK11AttrFlags attrFlags, CK_FLAGS opFlagsOn, - CK_FLAGS opFlagsOff, secuPWData *pwdata) - { - CK_MECHANISM_TYPE mechanism; - PK11RSAGenParams rsaparams; - SECKEYPQGParams *dsaparams = NULL; -+ CK_ULONG paramSet; - void *params; - SECKEYPrivateKey *privKey = NULL; - - if (slot == NULL) - return NULL; - - if (PK11_Authenticate(slot, PR_TRUE, pwdata) != SECSuccess) - return NULL; -@@ -564,16 +565,60 @@ CERTUTIL_GeneratePrivateKey(KeyType keyt - } - break; - case ecKey: - mechanism = CKM_EC_KEY_PAIR_GEN; - /* For EC keys, PQGFile determines EC parameters */ - if ((params = (void *)getECParams(pqgFile)) == NULL) - return NULL; - break; -+ case mldsaKey: -+ mechanism = CKM_ML_DSA_KEY_PAIR_GEN; -+ /* set paramset */ -+ paramSet = 0; -+ if (pqgFile) { -+ if (PORT_Strcasecmp(pqgFile, "ML-DSA-44") == 0) { -+ paramSet = CKP_ML_DSA_44; -+ } else if (PORT_Strcasecmp(pqgFile, "ML-DSA-65") == 0) { -+ paramSet = CKP_ML_DSA_65; -+ } else if (PORT_Strcasecmp(pqgFile, "ML-DSA-87") == 0) { -+ paramSet = CKP_ML_DSA_87; -+ } else { -+ /* if we set pqgfile, it had better be right, don't -+ * fall back to key size */ -+ return NULL; -+ } -+ } else -+ switch (size) { -+ /* optionally use the size, either the actual size in bytes -+ * or the short hand ('44', '65', '87') */ -+ case 44: -+ case 2560: -+ paramSet = CKP_ML_DSA_44; -+ break; -+ case 65: -+ case 4032: -+ paramSet = CKP_ML_DSA_65; -+ break; -+ case 87: -+ case 4896: -+ paramSet = CKP_ML_DSA_87; -+ break; -+ default: -+ /* force a size to be specified somewhere */ -+ return NULL; -+ } -+ /* paranoia, shouldn't be able to happen logically. Code -+ * scanners will scream, but I like belt and suspenders */ -+ if (paramSet == 0) { -+ return NULL; -+ } -+ params = ¶mSet; -+ break; -+ - default: - return NULL; - } - - fprintf(stderr, "\n\n"); - fprintf(stderr, "Generating key. This may take a few moments...\n\n"); - - privKey = PK11_GenerateKeyPairWithOpFlags(slot, mechanism, params, pubkeyp, -diff --git a/cmd/pk11importtest/pk11importtest.c b/cmd/pk11importtest/pk11importtest.c ---- a/cmd/pk11importtest/pk11importtest.c -+++ b/cmd/pk11importtest/pk11importtest.c -@@ -214,32 +214,34 @@ enum { - opt_ECCurve, - opt_PWFile, - opt_PWString, - opt_NoPub, - opt_NoRSA, - opt_NoDSA, - opt_NoDH, - opt_NoEC, -+ opt_NoMLDSA, - opt_NoMLKEM, - opt_NoED, - opt_NoECMont, - }; - - static secuCommandFlag options[] = { - { /* opt_CertDir */ 'd', PR_TRUE, 0, PR_FALSE }, - { /* opt_KeySize */ 'k', PR_TRUE, 0, PR_FALSE }, - { /* opt_ECCurve */ 'C', PR_TRUE, 0, PR_FALSE }, - { /* opt_PWFile */ 'f', PR_TRUE, 0, PR_FALSE }, - { /* opt_PWString */ 'p', PR_TRUE, 0, PR_FALSE }, - { /* opt_NoPub */ 'n', PR_FALSE, 0, PR_FALSE }, - { /* opt_NoRSA */ 'r', PR_FALSE, 0, PR_FALSE }, - { /* opt_NoDSA */ 'D', PR_FALSE, 0, PR_FALSE }, - { /* opt_NoDH */ 'h', PR_FALSE, 0, PR_FALSE }, - { /* opt_NoEC */ 'e', PR_FALSE, 0, PR_FALSE }, -+ { /* opt_NoMLDSA */ 'm', PR_FALSE, 0, PR_FALSE }, - { /* opt_NoMLKEM */ 'K', PR_FALSE, 0, PR_FALSE }, - { /* opt_NoED */ 'w', PR_FALSE, 0, PR_FALSE }, - { /* opt_NoECMont */ 'g', PR_FALSE, 0, PR_FALSE }, - }; - - int - main(int argc, char **argv) - { -@@ -248,16 +250,18 @@ main(int argc, char **argv) - secuCommand args; - PK11SlotInfo *slot = NULL; - PRBool failed = PR_FALSE; - secuPWData pwArgs = { PW_NONE, 0 }; - PRBool doRSA = PR_TRUE; - PRBool doDSA = PR_TRUE; - PRBool doDH = PR_FALSE; /* NSS currently can't export wrapped DH keys */ - PRBool doEC = PR_TRUE; -+ PRBool doMLDSA = PR_FALSE; -+ CK_ML_DSA_PARAMETER_SET_TYPE mldsaParamSet = CKP_ML_DSA_44; - PRBool doMLKEM = PR_TRUE; - PRBool doED = PR_TRUE; - PRBool doECMont = PR_TRUE; - PRBool noPub = PR_FALSE; - PQGParams *pqgParams = NULL; - int keySize; - - args.numCommands = 0; -@@ -308,16 +312,19 @@ main(int argc, char **argv) - doDSA = PR_FALSE; - } - if (args.options[opt_NoDH].activated) { - doDH = PR_FALSE; - } - if (args.options[opt_NoEC].activated) { - doEC = PR_FALSE; - } -+ if (args.options[opt_NoMLDSA].activated) { -+ doMLDSA = PR_FALSE; -+ } - if (args.options[opt_NoMLKEM].activated) { - doMLKEM = PR_FALSE; - } - - slot = PK11_GetInternalKeySlot(); - if (slot == NULL) { - SECU_PrintError(progName, "Couldn't find the internal key slot\n"); - return 255; -@@ -403,16 +410,26 @@ main(int argc, char **argv) - PORT_Free(ecParams.data); - ec_failed: - if (rv != SECSuccess) { - fprintf(stderr, "ECC Import Failed!\n"); - failed = PR_TRUE; - } - } - -+ if (doMLDSA) { -+ rv = handleEncryptedPrivateImportTest(progName, slot, "MLDSA", -+ CKM_ML_DSA_KEY_PAIR_GEN, -+ noPub, &mldsaParamSet, &pwArgs); -+ if (rv != SECSuccess) { -+ fprintf(stderr, "MLDSA Import Failed!\n"); -+ failed = PR_TRUE; -+ } -+ } -+ - if (doMLKEM) { - CK_ML_KEM_PARAMETER_SET_TYPE paramSet = CKP_ML_KEM_768; - - rv = handleEncryptedPrivateImportTest(progName, slot, "MLKEM", - CKM_ML_KEM_KEY_PAIR_GEN, - noPub, ¶mSet, &pwArgs); - if (rv != SECSuccess) { - fprintf(stderr, "MLKEM Import Failed!\n"); -diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh ---- a/tests/cert/cert.sh -+++ b/tests/cert/cert.sh -@@ -101,16 +101,19 @@ cert_init() - fi - - cert_add_algorithm "RSA" "" "" "false" 0 - if [ -z ${NSS_DISABLE_DSA} ]; then - cert_add_algorithm "DSA" "-dsa" "-k dsa" "true" 20000 - fi - # NOTE: curve is added later, so the full command would be '-k ec -q curve' - cert_add_algorithm "ECC" "-ec" "-k ec -q" "true" 10000 -+ cert_add_algorithm "ML-DSA-44" "-ml-dsa-44" "-k mldsa -q ml-dsa-44" "false" 30000 -+ cert_add_algorithm "ML-DSA-65" "-ml-dsa-65" "-k mldsa -q ml-dsa-65" "false" 40000 -+ cert_add_algorithm "ML-DSA-87" "-ml-dsa-87" "-k mldsa -q ml-dsa-87" "false" 50000 - # currently rsa-pss is only enabled for a subset of tests - # this will enable a full suite of RSA-PSS certs, and we would - # then remove the explicit ones - # ulike the other tests, we would need to change ssl tests as this - # will rename some of the RSA-PSS certificates. - #cert_add_algorithm "RSA-PSS" "-rsa-pss" "-k rsa -pss -Z sha256" "true" - #cert_add_algorithm "RSA-PSS-SHA1" "-rsa-pss-sha1" "-k rsa -pss -Z sha1" "true" - -@@ -519,16 +522,25 @@ cert_CA() - cert_dsa_CA "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}" - ;; - ECC) - cert_ec_CA "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}" "${ALG}" - ;; - RSA-PSS) - cert_rsa_pss_CA "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}" "${ALG}" - ;; -+ ML-DSA-44) -+ cert_ml_dsa_CA ml-dsa-44 "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}" -+ ;; -+ ML-DSA-65) -+ cert_ml_dsa_CA ml-dsa-65 "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}" -+ ;; -+ ML-DSA-87) -+ cert_ml_dsa_CA ml-dsa-65 "${CUR_CADIR}" "${NICKNAME}" "${SIGNER}" "${TRUSTARG}" "${DOMAIN}" "${CERTSERIAL}" -+ ;; - *) - Exit 9 "Fatal - unknown key type ${KEY_TYPE}, failed to create CA cert" - ;; - esac - } - - - -@@ -672,19 +684,78 @@ CERTSCRIPT - CU_ACTION="Exporting DSA Root Cert" - certu -L -n $NICKNAME -r -d ${LPROFILE} -o root-dsa.cert - if [ "$RET" -ne 0 ]; then - Exit 7 "Fatal - failed to export dsa root cert" - fi - cp root-dsa.cert ${NICKNAME}.ca.cert - } - -++################################ cert_ml_dsa_CA ############################# -+# local shell function to build the Temp. Certificate Authority (CA) -+# used for testing purposes, creating a CA Certificate and a root cert -+# This is the ML-DSA version of cert_CA. -+########################################################################## -+cert_ml_dsa_CA() -+{ -+ PARAM_SET=$1 -+ CUR_CADIR=$2 -+ NICKNAME=$3 -+ SIGNER=$4 -+ TRUSTARG=$5 -+ DOMAIN=$6 -+ CERTSERIAL=$7 - -+ echo "$SCRIPTNAME: Creating a ML-DSA ($PARAM_SET) CA Certificate $NICKNAME ==========================" -+ -+ if [ ! -d "${CUR_CADIR}" ]; then -+ mkdir -p "${CUR_CADIR}" -+ fi -+ cd ${CUR_CADIR} -+ pwd -+ -+ LPROFILE=. -+ if [ -n "${MULTIACCESS_DBM}" ]; then -+ LPROFILE="multiaccess:${DOMAIN}" -+ fi - -+ ################# Creating a ML-DSA CA Cert ############################### -+ # -+ CU_ACTION="Creating ML-DSA ($PARAM_SET) CA Cert $NICKNAME " -+ CU_SUBJECT=$ALL_CU_SUBJECT -+ certu -S -n $NICKNAME -k mldsa -q $PARAM_SET -t $TRUSTARG -v 600 $SIGNER \ -+ -d ${LPROFILE} -1 -2 -5 -f ${R_PWFILE} -z ${R_NOISE_FILE} \ -+ -m $CERTSERIAL 2>&1 <&1 - - CU_ACTION="Loading root cert module to ${CERTNAME}'s Cert DB (ext.)" - modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 - -diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh ---- a/tests/tools/tools.sh -+++ b/tests/tools/tools.sh -@@ -124,24 +124,32 @@ tools_init() - cp ${QADIR}/tools/pbmac1-valid-sha256.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/pbmac1-valid-sha256-sha512.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/pbmac1-valid-sha512.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/pbmac1-invalid-bad-iter.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/pbmac1-invalid-bad-salt.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/pbmac1-invalid-no-length.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/corrupted_cert_bag.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/openssl-ed25519.p12 ${TOOLSDIR}/data -+ cp ${QADIR}/tools/ietf-ml-dsa-44-both.p12 ${TOOLSDIR}/data -+ cp ${QADIR}/tools/ietf-ml-dsa-44-key.p12 ${TOOLSDIR}/data -+ cp ${QADIR}/tools/ietf-ml-dsa-65-both.p12 ${TOOLSDIR}/data -+ cp ${QADIR}/tools/ietf-ml-dsa-65-key.p12 ${TOOLSDIR}/data -+ cp ${QADIR}/tools/ietf-ml-dsa-87-both.p12 ${TOOLSDIR}/data -+ cp ${QADIR}/tools/ietf-ml-dsa-87-key.p12 ${TOOLSDIR}/data -+ cp ${QADIR}/tools/openssl-ml-dsa-44.p12 ${TOOLSDIR}/data -+ cp ${QADIR}/tools/openssl-ml-dsa-65.p12 ${TOOLSDIR}/data -+ cp ${QADIR}/tools/openssl-ml-dsa-87.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/openssl-ml-kem-768-seed.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/openssl-ml-kem-768-priv.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/openssl-ml-kem-768-both.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/openssl-ml-kem-1024-seed.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/openssl-ml-kem-1024-priv.p12 ${TOOLSDIR}/data - cp ${QADIR}/tools/openssl-ml-kem-1024-both.p12 ${TOOLSDIR}/data - -- - cd ${TOOLSDIR} - } - - ########################## list_p12_file ############################### - # List the key and cert in the specified p12 file - ######################################################################## - list_p12_file() - { -@@ -543,16 +551,43 @@ tools_p12_import_ed25519_private_key() - ${BINDIR}/pk12util -i ${TOOLSDIR}/data/openssl-ed25519.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1 - ret=$? - html_msg $ret 0 "Importing ED25519 private key from PKCS#12 file" - check_tmpfile - - return $ret - } - -+tools_p12_ml_dsa_import() -+{ -+ echo "$SCRIPTNAME: Testing ml-dsa compatibility with pkcs12 --------------" -+ for i in 44 65 87 -+ do -+ echo "${BINDIR}/pk12util -i ${TOOLSDIR}/data/openssl-ml-dsa-$i.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1" -+ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/openssl-ml-dsa-$i.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1 -+ ret=$? -+ html_msg $ret 0 "Importing openssl encoded ml-dsa-$i private key from PKCS#12 file" -+ check_tmpfile -+ for j in 'key' 'both' -+ do -+ echo "${BINDIR}/pk12util -i ${TOOLSDIR}/data/ietf-ml-dsa-$i-$j.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1" -+ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/ietf-ml-dsa-$i-$j.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1 -+ ret=$? -+ html_msg $ret 0 "Importing openssl encoded ml-dsa-$i private key from PKCS#12 file" -+ check_tmpfile -+ html_msg $ret 0 "Importing ietf sample ml-dsa-$i-$j private key from PKCS#12 file" -+ -+ # each cert has the same issuer/sn, so we can't hold more than one in -+ # the data base -+ echo "${BINDIR}/certutil -F -n \"ietf ml-dsa-$i-$j sample\" -d ${P_R_COPYDIR} -f ${R_PWFILE}" -+ ${BINDIR}/certutil -F -n "ietf ml-dsa-$i-$j sample" -d ${P_R_COPYDIR} -f ${R_PWFILE} -+ done -+ done -+} -+ - tools_p12_ml_kem_import() - { - echo "$SCRIPTNAME: Testing ml-kem compatibility with pkcs12 --------------" - for i in 768 1024 - do - for j in 'seed' 'priv' 'both' - do - echo "${BINDIR}/pk12util -i ${TOOLSDIR}/data/openssl-ml-kem-$i-$j.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W 'test' 2>&1" -@@ -624,16 +659,17 @@ tools_p12() - else - tools_p12_export_list_import_most_ciphers - fi - tools_p12_export_with_none_ciphers - tools_p12_export_with_invalid_ciphers - tools_p12_import_old_files - tools_p12_import_pbmac1_samples - tools_p12_import_ed25519_private_key -+ tools_p12_ml_dsa_import - tools_p12_ml_kem_import - if using_sql; then - tools_p12_import_rsa_pss_private_key - tools_p12_policy - fi - } - - ############################## tools_sign ############################## diff --git a/nss-3.79-revert-distrusted-certs.patch b/nss-3.79-revert-distrusted-certs.patch new file mode 100644 index 0000000..8a607a3 --- /dev/null +++ b/nss-3.79-revert-distrusted-certs.patch @@ -0,0 +1,335 @@ +diff -up ./lib/ckfw/builtins/certdata.txt.revert-distrusted ./lib/ckfw/builtins/certdata.txt +--- ./lib/ckfw/builtins/certdata.txt.revert-distrusted 2022-05-26 02:54:33.000000000 -0700 ++++ ./lib/ckfw/builtins/certdata.txt 2022-06-24 10:51:32.035207662 -0700 +@@ -7668,6 +7668,187 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_ + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + # ++# Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2" ++# ++# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL ++# Serial Number: 268435455 (0xfffffff) ++# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL ++# Not Valid Before: Wed May 12 08:51:39 2010 ++# Not Valid After : Mon Mar 23 09:50:05 2020 ++# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C ++# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42 ++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2" ++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 ++CKA_SUBJECT MULTILINE_OCTAL ++\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 ++\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157 ++\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004 ++\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111 ++\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141 ++\156\151\163\141\164\151\145\040\055\040\107\062 ++END ++CKA_ID UTF8 "0" ++CKA_ISSUER MULTILINE_OCTAL ++\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 ++\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157 ++\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004 ++\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111 ++\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141 ++\156\151\163\141\164\151\145\040\055\040\107\062 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\004\017\377\377\377 ++END ++CKA_VALUE MULTILINE_OCTAL ++\060\202\006\225\060\202\004\175\240\003\002\001\002\002\004\017 ++\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\013 ++\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116 ++\114\061\027\060\025\006\003\125\004\012\014\016\104\151\147\151 ++\116\157\164\141\162\040\102\056\126\056\061\062\060\060\006\003 ++\125\004\003\014\051\104\151\147\151\116\157\164\141\162\040\120 ++\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\162 ++\147\141\156\151\163\141\164\151\145\040\055\040\107\062\060\036 ++\027\015\061\060\060\065\061\062\060\070\065\061\063\071\132\027 ++\015\062\060\060\063\062\063\060\071\065\060\060\065\132\060\132 ++\061\013\060\011\006\003\125\004\006\023\002\116\114\061\027\060 ++\025\006\003\125\004\012\014\016\104\151\147\151\116\157\164\141 ++\162\040\102\056\126\056\061\062\060\060\006\003\125\004\003\014 ++\051\104\151\147\151\116\157\164\141\162\040\120\113\111\157\166 ++\145\162\150\145\151\144\040\103\101\040\117\162\147\141\156\151 ++\163\141\164\151\145\040\055\040\107\062\060\202\002\042\060\015 ++\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002 ++\017\000\060\202\002\012\002\202\002\001\000\261\023\031\017\047 ++\346\154\324\125\206\113\320\354\211\212\105\221\170\254\107\275 ++\107\053\344\374\105\353\117\264\046\163\133\067\323\303\177\366 ++\343\336\327\243\370\055\150\305\010\076\113\224\326\344\207\045 ++\066\153\204\265\030\164\363\050\130\163\057\233\152\317\274\004 ++\036\366\336\335\257\374\113\252\365\333\146\142\045\001\045\202 ++\336\362\227\132\020\156\335\135\251\042\261\004\251\043\163\072 ++\370\161\255\035\317\204\104\353\107\321\257\155\310\174\050\253 ++\307\362\067\172\164\137\137\305\002\024\212\243\132\343\033\154 ++\001\343\135\216\331\150\326\364\011\033\062\334\221\265\054\365 ++\040\353\214\003\155\046\111\270\223\304\205\135\330\322\233\257 ++\126\152\314\005\063\314\240\102\236\064\125\104\234\153\240\324 ++\022\320\053\124\315\267\211\015\345\366\353\350\373\205\001\063 ++\117\172\153\361\235\162\063\226\016\367\262\204\245\245\047\304 ++\047\361\121\163\051\167\272\147\156\376\114\334\264\342\241\241 ++\201\057\071\111\215\103\070\023\316\320\245\134\302\207\072\000 ++\147\145\102\043\361\066\131\012\035\243\121\310\274\243\224\052 ++\061\337\343\074\362\235\032\074\004\260\357\261\012\060\023\163 ++\266\327\363\243\114\001\165\024\205\170\300\327\212\071\130\205 ++\120\372\056\346\305\276\317\213\077\257\217\066\324\045\011\055 ++\322\017\254\162\223\362\277\213\324\120\263\371\025\120\233\231 ++\365\024\331\373\213\221\243\062\046\046\240\370\337\073\140\201 ++\206\203\171\133\053\353\023\075\051\072\301\155\335\275\236\216 ++\207\326\112\256\064\227\005\356\024\246\366\334\070\176\112\351 ++\044\124\007\075\227\150\067\106\153\015\307\250\041\257\023\124 ++\344\011\152\361\115\106\012\311\135\373\233\117\275\336\373\267 ++\124\313\270\070\234\247\071\373\152\055\300\173\215\253\245\247 ++\127\354\112\222\212\063\305\341\040\134\163\330\220\222\053\200 ++\325\017\206\030\151\174\071\117\204\206\274\367\114\133\363\325 ++\264\312\240\302\360\067\042\312\171\122\037\123\346\252\363\220 ++\260\073\335\362\050\375\254\353\305\006\044\240\311\324\057\017 ++\130\375\265\236\354\017\317\262\131\320\242\004\172\070\152\256 ++\162\373\275\360\045\142\224\011\247\005\013\002\003\001\000\001 ++\243\202\001\141\060\202\001\135\060\110\006\003\125\035\040\004 ++\101\060\077\060\075\006\004\125\035\040\000\060\065\060\063\006 ++\010\053\006\001\005\005\007\002\001\026\047\150\164\164\160\072 ++\057\057\167\167\167\056\144\151\147\151\156\157\164\141\162\056 ++\156\154\057\143\160\163\057\160\153\151\157\166\145\162\150\145 ++\151\144\060\017\006\003\125\035\023\001\001\377\004\005\060\003 ++\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003 ++\002\001\006\060\201\205\006\003\125\035\043\004\176\060\174\200 ++\024\071\020\213\111\222\134\333\141\022\040\315\111\235\032\216 ++\332\234\147\100\271\241\136\244\134\060\132\061\013\060\011\006 ++\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004 ++\012\014\025\123\164\141\141\164\040\144\145\162\040\116\145\144 ++\145\162\154\141\156\144\145\156\061\053\060\051\006\003\125\004 ++\003\014\042\123\164\141\141\164\040\144\145\162\040\116\145\144 ++\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101 ++\040\055\040\107\062\202\004\000\230\226\364\060\111\006\003\125 ++\035\037\004\102\060\100\060\076\240\074\240\072\206\070\150\164 ++\164\160\072\057\057\143\162\154\056\160\153\151\157\166\145\162 ++\150\145\151\144\056\156\154\057\104\157\155\117\162\147\141\156 ++\151\163\141\164\151\145\114\141\164\145\163\164\103\122\114\055 ++\107\062\056\143\162\154\060\035\006\003\125\035\016\004\026\004 ++\024\274\135\224\073\331\253\173\003\045\163\141\302\333\055\356 ++\374\253\217\145\241\060\015\006\011\052\206\110\206\367\015\001 ++\001\013\005\000\003\202\002\001\000\217\374\055\114\267\331\055 ++\325\037\275\357\313\364\267\150\027\165\235\116\325\367\335\234 ++\361\052\046\355\237\242\266\034\003\325\123\263\354\010\317\064 ++\342\343\303\364\265\026\057\310\303\276\327\323\163\253\000\066 ++\371\032\112\176\326\143\351\136\106\272\245\266\216\025\267\243 ++\052\330\103\035\357\135\310\037\201\205\263\213\367\377\074\364 ++\331\364\106\010\077\234\274\035\240\331\250\114\315\045\122\116 ++\012\261\040\367\037\351\103\331\124\106\201\023\232\300\136\164 ++\154\052\230\062\352\374\167\273\015\245\242\061\230\042\176\174 ++\174\347\332\244\255\354\267\056\032\031\161\370\110\120\332\103 ++\217\054\204\335\301\100\047\343\265\360\025\116\226\324\370\134 ++\343\206\051\106\053\327\073\007\353\070\177\310\206\127\227\323 ++\357\052\063\304\027\120\325\144\151\153\053\153\105\136\135\057 ++\027\312\132\116\317\303\327\071\074\365\073\237\106\271\233\347 ++\016\111\227\235\326\325\343\033\017\352\217\001\116\232\023\224 ++\131\012\002\007\110\113\032\140\253\177\117\355\013\330\125\015 ++\150\157\125\234\151\145\025\102\354\300\334\335\154\254\303\026 ++\316\013\035\126\233\244\304\304\322\056\340\017\342\104\047\053 ++\120\151\244\334\142\350\212\041\051\102\154\314\000\072\226\166 ++\233\357\100\300\244\136\167\204\062\154\046\052\071\146\256\135 ++\343\271\271\262\054\150\037\036\232\220\003\071\360\252\263\244 ++\314\111\213\030\064\351\067\311\173\051\307\204\174\157\104\025 ++\057\354\141\131\004\311\105\313\242\326\122\242\174\177\051\222 ++\326\112\305\213\102\250\324\376\352\330\307\207\043\030\344\235 ++\172\175\163\100\122\230\240\256\156\343\005\077\005\017\340\245 ++\306\155\115\355\203\067\210\234\307\363\334\102\232\152\266\327 ++\041\111\066\167\362\357\030\117\305\160\331\236\351\336\267\053 ++\213\364\274\176\050\337\015\100\311\205\134\256\235\305\061\377 ++\320\134\016\265\250\176\360\351\057\272\257\210\256\345\265\321 ++\130\245\257\234\161\247\051\001\220\203\151\067\202\005\272\374 ++\011\301\010\156\214\170\073\303\063\002\200\077\104\205\010\035 ++\337\125\126\010\255\054\205\055\135\261\003\341\256\252\164\305 ++\244\363\116\272\067\230\173\202\271 ++END ++ ++# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2" ++# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL ++# Serial Number: 268435455 (0xfffffff) ++# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL ++# Not Valid Before: Wed May 12 08:51:39 2010 ++# Not Valid After : Mon Mar 23 09:50:05 2020 ++# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C ++# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42 ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2" ++CKA_CERT_SHA1_HASH MULTILINE_OCTAL ++\325\362\127\251\277\055\320\077\213\106\127\371\053\311\244\306 ++\222\341\102\102 ++END ++CKA_CERT_MD5_HASH MULTILINE_OCTAL ++\056\141\242\321\170\316\356\277\131\063\260\043\024\017\224\034 ++END ++CKA_ISSUER MULTILINE_OCTAL ++\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 ++\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157 ++\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004 ++\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111 ++\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141 ++\156\151\163\141\164\151\145\040\055\040\107\062 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\004\017\377\377\377 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ ++# + # Certificate "Security Communication RootCA2" + # + # Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP +@@ -8161,6 +8342,68 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_ + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + ++# Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929 ++# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US ++# Serial Number: 1800000005 (0x6b49d205) ++# Not Before: Apr 7 15:37:15 2011 GMT ++# Not After : Apr 4 15:37:15 2021 GMT ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "MITM subCA 1 issued by Trustwave" ++CKA_ISSUER MULTILINE_OCTAL ++\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123 ++\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156 ++\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150 ++\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030 ++\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156 ++\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004 ++\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147 ++\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156 ++\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060 ++\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141 ++\100\164\162\165\163\164\167\141\166\145\056\143\157\155 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\004\153\111\322\005 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ ++# Explicitly Distrust "MITM subCA 2 issued by Trustwave", Bug 724929 ++# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US ++# Serial Number: 1800000006 (0x6b49d206) ++# Not Before: Apr 18 21:09:30 2011 GMT ++# Not After : Apr 15 21:09:30 2021 GMT ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "MITM subCA 2 issued by Trustwave" ++CKA_ISSUER MULTILINE_OCTAL ++\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123 ++\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156 ++\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150 ++\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030 ++\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156 ++\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004 ++\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147 ++\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156 ++\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060 ++\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141 ++\100\164\162\165\163\164\167\141\166\145\056\143\157\155 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\004\153\111\322\006 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ + # + # Certificate "Actalis Authentication Root CA" + # +@@ -8804,6 +9047,74 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_ + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + ++# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022 ++# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri ++# Serial Number: 2087 (0x827) ++# Subject: CN=*.EGO.GOV.TR,OU=EGO BILGI ISLEM,O=EGO,L=ANKARA,ST=ANKARA,C=TR ++# Not Valid Before: Mon Aug 08 07:07:51 2011 ++# Not Valid After : Tue Jul 06 07:07:51 2021 ++# Fingerprint (MD5): F8:F5:25:FF:0C:31:CF:85:E1:0C:86:17:C1:CE:1F:8E ++# Fingerprint (SHA1): C6:9F:28:C8:25:13:9E:65:A6:46:C4:34:AC:A5:A1:D2:00:29:5D:B1 ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 1" ++CKA_ISSUER MULTILINE_OCTAL ++\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303 ++\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157 ++\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151 ++\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145 ++\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061 ++\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124 ++\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164 ++\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151 ++\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151 ++\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050 ++\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\002\010\047 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ ++# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 2", Bug 825022 ++# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri ++# Serial Number: 2148 (0x864) ++# Subject: E=ileti@kktcmerkezbankasi.org,CN=e-islem.kktcmerkezbankasi.org,O=KKTC Merkez Bankasi,L=Lefkosa,ST=Lefkosa,C=TR ++# Not Valid Before: Mon Aug 08 07:07:51 2011 ++# Not Valid After : Thu Aug 05 07:07:51 2021 ++# Fingerprint (MD5): BF:C3:EC:AD:0F:42:4F:B4:B5:38:DB:35:BF:AD:84:A2 ++# Fingerprint (SHA1): F9:2B:E5:26:6C:C0:5D:B2:DC:0D:C3:F2:DC:74:E0:2D:EF:D9:49:CB ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 2" ++CKA_ISSUER MULTILINE_OCTAL ++\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303 ++\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157 ++\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151 ++\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145 ++\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061 ++\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124 ++\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164 ++\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151 ++\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151 ++\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050 ++\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\002\010\144 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ + # + # Certificate "D-TRUST Root Class 3 CA 2 2009" + # diff --git a/nss.spec b/nss.spec index 4706d8c..69ed8c3 100644 --- a/nss.spec +++ b/nss.spec @@ -3,7 +3,7 @@ # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only -%global baserelease 2 +%global baserelease 3 %global nss_release %baserelease # release number between nss and nspr are different. This typically # happens with a new version of nss was release, but nspr was not updated @@ -168,9 +168,8 @@ Patch35: nss-3.124-disable-ech.patch Patch36: nss-3.101-skip-ocsp-if-not-connected.patch # dont upstream, must be after patch36 (sigh) Patch37: nss-3.124-revert-libpkix-default.patch -# build crmf for now -Patch38: nss-3.124-enable-crmf.patch -Patch39: nss-3.124-no-p12-smime-policy.patch +Patch38: nss-3.124-no-p12-smime-policy.patch +Patch39: nss-3.79-revert-distrusted-certs.patch Patch40: nss-3.90-dh-test-update.patch Patch41: nss-3.124-ppc_no_init.patch @@ -715,7 +714,7 @@ pushd nss/tests # nss_cycles: standard pkix upgradedb sharedb # the full list from all.sh is: # "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" -%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" +%define nss_tests "libpkix cert dbtests tools fips sdr smime ssl ocsp merge pkits chains ec gtests ssl_gtests" # nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy # nss_ssl_run: cov auth stapling stress # @@ -822,7 +821,7 @@ install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt # Copy the development libraries we want -for file in libcrmf.a libnssb.a libnssckfw.a +for file in libnssb.a libnssckfw.a do install -p -m 644 dist/${LOBJDIR}/lib/$file $RPM_BUILD_ROOT/%{_libdir} done @@ -1005,7 +1004,6 @@ update-crypto-policies &> /dev/null || : %doc %{_mandir}/man1/vfyserv.1* %files devel -%{_libdir}/libcrmf.a %{_libdir}/pkgconfig/nss.pc %{_bindir}/nss-config %doc %{_mandir}/man1/nss-config.1* @@ -1014,13 +1012,9 @@ update-crypto-policies &> /dev/null || : %{_includedir}/nss3/cert.h %{_includedir}/nss3/certdb.h %{_includedir}/nss3/certt.h -%{_includedir}/nss3/cmmf.h -%{_includedir}/nss3/cmmft.h %{_includedir}/nss3/cms.h %{_includedir}/nss3/cmsreclist.h %{_includedir}/nss3/cmst.h -%{_includedir}/nss3/crmf.h -%{_includedir}/nss3/crmft.h %{_includedir}/nss3/cryptohi.h %{_includedir}/nss3/cryptoht.h %{_includedir}/nss3/jar-ds.h @@ -1203,6 +1197,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Tue Jun 9 2026 Bob Relyea - 3.124.0-3 +- drop crmf + * Tue Jun 9 2026 Bob Relyea - 3.124.0-2 - rebase fixes - restore rhel-9 dropping of pkcs12 and smime policy