rpms/nss
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import nss-3.71.0-7.el9

Browse Source
This commit is contained in:
CentOS Sources 2022-05-17 04:44:44 -04:00 committed by Stepan Oksanichenko
commit 55ade7bfbf
34 changed files with 5960 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.gitignore vendored Normal file
View File

@ -0,0 +1,5 @@
SOURCES/PayPalEE.cert
SOURCES/blank-cert9.db
SOURCES/blank-key4.db
SOURCES/nspr-4.32.tar.gz
SOURCES/nss-3.71.tar.gz

5
.nss.metadata Normal file
View File

@ -0,0 +1,5 @@
5c92efcd23ae5dc57c4f0a3903d662365bca008c SOURCES/PayPalEE.cert
b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
28e05ef5cbe6e7cde239d3cdcccabf571ec73f69 SOURCES/nspr-4.32.tar.gz
b60e3e0a2765d4009347e08dc9792a4dc4aded03 SOURCES/nss-3.71.tar.gz

59
SOURCES/cert9.db.xml Normal file
View File

@ -0,0 +1,59 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="cert9.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>cert9.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>cert9.db</refname>
<refpurpose>NSS certificate database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>cert9.db</emphasis> is an NSS certificate database.</para>
<para>This certificate database is the sqlite-based shared database with support for concurrent access.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/cert9.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkcs11.txt(5)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

13
SOURCES/iquote.patch Normal file
View File

@ -0,0 +1,13 @@
diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200
+++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200
@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
SQLITE_LIB_NAME = sqlite3
endif
+# Prefer in-tree headers over system headers
+ifdef IN_TREE_FREEBL_HEADERS_FIRST
+ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
+endif
+
MK_LOCATION = included

59
SOURCES/key4.db.xml Normal file
View File

@ -0,0 +1,59 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="key4.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>key4.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>key4.db</refname>
<refpurpose>NSS certificate database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>key4.db</emphasis> is an NSS key database.</para>
<para>This key database is the sqlite-based shared database format with support for concurrent access.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/key4.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkcs11.txt(5)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

37
SOURCES/nspr-config-pc.patch Normal file
View File

@ -0,0 +1,37 @@
diff -up nspr/config/nspr-config.in.flags nspr/config/nspr-config.in
--- nspr/config/nspr-config.in.flags 2013-05-29 13:46:34.147971410 -0700
+++ nspr/config/nspr-config.in 2013-05-29 14:17:10.990838914 -0700
@@ -102,7 +102,7 @@ if test -z "$includedir"; then
includedir=@includedir@
fi
if test -z "$libdir"; then
- libdir=@libdir@
+ libdir=`pkg-config --variable=libdir nspr`
fi
if test "$echo_prefix" = "yes"; then
@@ -136,12 +136,12 @@ if test "$echo_libs" = "yes"; then
if test -n "$lib_nspr"; then
libdirs="$libdirs -lnspr${major_version}"
fi
- os_ldflags="@LDFLAGS@"
+ os_ldflags=`pkg-config --variable=ldflags nspr`
for i in $os_ldflags ; do
if echo $i | grep \^-L >/dev/null; then
libdirs="$libdirs $i"
fi
done
- echo $libdirs @OS_LIBS@
+ echo $libdirs `pkg-config --variable=os_libs nspr`
fi
diff -up nspr/config/nspr.pc.in.flags nspr/config/nspr.pc.in
--- nspr/config/nspr.pc.in.flags 2013-05-29 13:48:15.026643570 -0700
+++ nspr/config/nspr.pc.in 2013-05-29 13:49:47.795202949 -0700
@@ -6,5 +6,5 @@ includedir=@includedir@
Name: NSPR
Description: The Netscape Portable Runtime
Version: @MOD_MAJOR_VERSION@.@MOD_MINOR_VERSION@.@MOD_PATCH_VERSION@
-Libs: -L@libdir@ -lplds@MOD_MAJOR_VERSION@ -lplc@MOD_MAJOR_VERSION@ -lnspr@MOD_MAJOR_VERSION@
+Libs: -L@libdir@ -lplds@MOD_MAJOR_VERSION@ -lplc@MOD_MAJOR_VERSION@ -lnspr@MOD_MAJOR_VERSION@ @OS_LIBS@
Cflags: -I@includedir@

127
SOURCES/nspr-config.xml Normal file
View File

@ -0,0 +1,127 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="nspr-config">
<refentryinfo>
<date>&date;</date>
<title>Netscape Portable Runtime</title>
<productname>nspr</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>nspr-config</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>nspr-config</refname>
<refpurpose>Return meta information about nspr libraries</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>nspr-config</command>
<arg><option>--prefix</option></arg>
<arg><option>--exec-prefix</option></arg>
<arg><option>--includedir</option></arg>
<arg><option>--libs</option></arg>
<arg><option>--cflags</option></arg>
<arg><option>--libdir</option></arg>
<arg><option>--version</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection id="description">
<title>Description</title>
<para><command>nspr-config</command> is a shell script which can be used to obtain gcc options for building client pacakges of nspr.</para>
</refsection>
<refsection>
<title>Options</title>
<variablelist>
<varlistentry>
<term><option>--prefix</option></term>
<listitem><simpara>Returns the top level system directory under which the nspr libraries are installed.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--exec-prefix</option></term>
<listitem><simpara>Returns the top level system directory under which any nspr binaries would be installed.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--includedir</option> <replaceable>count</replaceable></term>
<listitem><simpara>Returns the path to the directory were the nspr headers are installed.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--version</option></term>
<listitem><simpara>Returns the upstream version of nspr in the form major_version-minor_version-patch_version.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--libs</option></term>
<listitem><simpara>Returns the compiler linking flags.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--cflags</option></term>
<listitem><simpara>Returns the compiler include flags.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--libdir</option></term>
<listitem><simpara>Returns the path to the directory were the nspr libraries are installed.</simpara></listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection>
<title>Examples</title>
<para>The following example will query for both include path and linkage flags:
<programlisting>
/usr/bin/nspr-config --cflags --libs
</programlisting>
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/usr/bin/nspr-config</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkg-config(1)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The NSPR liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>.
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

77
SOURCES/nspr-gcc-atomics.patch Normal file
View File

@ -0,0 +1,77 @@
diff --git a/pr/include/md/_linux.h b/pr/include/md/_linux.h
--- a/pr/include/md/_linux.h
+++ b/pr/include/md/_linux.h
@@ -82,53 +82,73 @@
#define NO_DLOPEN_NULL
#endif
#if defined(__FreeBSD_kernel__) || defined(__GNU__)
#define _PR_HAVE_SOCKADDR_LEN
#endif
#if defined(__i386__)
+#if defined(__GNUC__)
+/* Use GCC built-in functions */
+#define _PR_HAVE_ATOMIC_OPS
+#define _MD_INIT_ATOMIC()
+#define _MD_ATOMIC_INCREMENT(ptr) __sync_add_and_fetch(ptr, 1)
+#define _MD_ATOMIC_DECREMENT(ptr) __sync_sub_and_fetch(ptr, 1)
+#define _MD_ATOMIC_ADD(ptr, i) __sync_add_and_fetch(ptr, i)
+#define _MD_ATOMIC_SET(ptr, nv) __sync_lock_test_and_set(ptr, nv)
+#else
#define _PR_HAVE_ATOMIC_OPS
#define _MD_INIT_ATOMIC()
extern PRInt32 _PR_x86_AtomicIncrement(PRInt32 *val);
#define _MD_ATOMIC_INCREMENT _PR_x86_AtomicIncrement
extern PRInt32 _PR_x86_AtomicDecrement(PRInt32 *val);
#define _MD_ATOMIC_DECREMENT _PR_x86_AtomicDecrement
extern PRInt32 _PR_x86_AtomicAdd(PRInt32 *ptr, PRInt32 val);
#define _MD_ATOMIC_ADD _PR_x86_AtomicAdd
extern PRInt32 _PR_x86_AtomicSet(PRInt32 *val, PRInt32 newval);
#define _MD_ATOMIC_SET _PR_x86_AtomicSet
#endif
+#endif
#if defined(__ia64__)
#define _PR_HAVE_ATOMIC_OPS
#define _MD_INIT_ATOMIC()
extern PRInt32 _PR_ia64_AtomicIncrement(PRInt32 *val);
#define _MD_ATOMIC_INCREMENT _PR_ia64_AtomicIncrement
extern PRInt32 _PR_ia64_AtomicDecrement(PRInt32 *val);
#define _MD_ATOMIC_DECREMENT _PR_ia64_AtomicDecrement
extern PRInt32 _PR_ia64_AtomicAdd(PRInt32 *ptr, PRInt32 val);
#define _MD_ATOMIC_ADD _PR_ia64_AtomicAdd
extern PRInt32 _PR_ia64_AtomicSet(PRInt32 *val, PRInt32 newval);
#define _MD_ATOMIC_SET _PR_ia64_AtomicSet
#endif
#if defined(__x86_64__)
+#if defined(__GNUC__)
+/* Use GCC built-in functions */
+#define _PR_HAVE_ATOMIC_OPS
+#define _MD_INIT_ATOMIC()
+#define _MD_ATOMIC_INCREMENT(ptr) __sync_add_and_fetch(ptr, 1)
+#define _MD_ATOMIC_DECREMENT(ptr) __sync_sub_and_fetch(ptr, 1)
+#define _MD_ATOMIC_ADD(ptr, i) __sync_add_and_fetch(ptr, i)
+#define _MD_ATOMIC_SET(ptr, nv) __sync_lock_test_and_set(ptr, nv)
+#else
#define _PR_HAVE_ATOMIC_OPS
#define _MD_INIT_ATOMIC()
extern PRInt32 _PR_x86_64_AtomicIncrement(PRInt32 *val);
#define _MD_ATOMIC_INCREMENT _PR_x86_64_AtomicIncrement
extern PRInt32 _PR_x86_64_AtomicDecrement(PRInt32 *val);
#define _MD_ATOMIC_DECREMENT _PR_x86_64_AtomicDecrement
extern PRInt32 _PR_x86_64_AtomicAdd(PRInt32 *ptr, PRInt32 val);
#define _MD_ATOMIC_ADD _PR_x86_64_AtomicAdd
extern PRInt32 _PR_x86_64_AtomicSet(PRInt32 *val, PRInt32 newval);
#define _MD_ATOMIC_SET _PR_x86_64_AtomicSet
#endif
+#endif
#if defined(__or1k__)
#if defined(__GNUC__)
/* Use GCC built-in functions */
#define _PR_HAVE_ATOMIC_OPS
#define _MD_INIT_ATOMIC()
#define _MD_ATOMIC_INCREMENT(ptr) __sync_add_and_fetch(ptr, 1)
#define _MD_ATOMIC_DECREMENT(ptr) __sync_sub_and_fetch(ptr, 1)

325
SOURCES/nss-3.67-cve-2021-43527-test.patch Normal file
View File

@ -0,0 +1,325 @@
diff --git a/tests/cert/Leaf-bogus-dsa.crt b/tests/cert/Leaf-bogus-dsa.crt
new file mode 100644
--- /dev/null
+++ b/tests/cert/Leaf-bogus-dsa.crt
@@ -0,0 +1,143 @@
+-----BEGIN CERTIFICATE-----
+MIIaZzCCCkWgAwIBAgIBATALBgcqhkjOOAQDBQAwMTEvMC0GA1UEAxMmZGVjb2Rl
+RUNvckRTQVNpZ25hdHVyZS10ZXN0Q2FzZS90YXZpc28wHhcNMjEwMTAxMDAwMDAw
+WhcNNDEwMTAxMDAwMDAwWjAxMS8wLQYDVQQDEyZkZWNvZGVFQ29yRFNBU2lnbmF0
+dXJlLXRlc3RDYXNlL3RhdmlzbzCCCaYwggkaBgcqhkjOOAQBMIIJDQKBgQCqqqqq
+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqgKCCAEAu7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7sCgYEAzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
+zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
+zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
+zMzMzMwDgYUAAoGB3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d
+3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d
+3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3dMAkG
+ByqGSM44BAMDghAPADCCEAoCgggBAO7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7uAoIIAQD/////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+/////////////////////////////////////////////////////////w==
+-----END CERTIFICATE-----
diff --git a/tests/cert/Leaf-bogus-rsa-pss.crt b/tests/cert/Leaf-bogus-rsa-pss.crt
new file mode 100644
--- /dev/null
+++ b/tests/cert/Leaf-bogus-rsa-pss.crt
@@ -0,0 +1,126 @@
+-----BEGIN CERTIFICATE-----
+MIIXODCCC/WgAwIBAgIBAjApBgkqhkiG9w0BAQowHKACMAChETAPBQAwCwYJYIZI
+AWUDBAIBogMCASAwNzEgMB4GCSqGSIb3DQEJARYRdGF2aXNvQGdvb2dsZS5jb20x
+EzARBgNVBAMTCmJ1ZzE3Mzc0NzAwHhcNMjAwMTAxMDAwMDAwWhcNNDAwMTAxMDAw
+MDAwWjA3MSAwHgYJKoZIhvcNAQkBFhF0YXZpc29AZ29vZ2xlLmNvbTETMBEGA1UE
+AxMKYnVnMTczNzQ3MDCCCywwDQYJKoZIhvcNAQEBBQADggsZADCCCxQCggsLAMRE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERQIDAQABMC4G
+CSqGSIb3DQEBCjAhoRowGAYJKoZIhvcNAQEIMAsGCSqGSIb3DQEBCqIDAgEgA4IL
+CwAAxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVU=
+-----END CERTIFICATE-----
diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
--- a/tests/cert/cert.sh
+++ b/tests/cert/cert.sh
@@ -114,16 +114,28 @@ certu()
cert_log "ERROR: ${CU_ACTION} failed $RET"
else
html_passed "${CU_ACTION}"
fi
return $RET
}
+cert_test_vfy()
+{
+ echo "$SCRIPTNAME: Verify large rsa pss signature --------------"
+ echo " vfychain -a Leaf-bogus-dsa.crt"
+ vfychain -a ${QADIR}/cert/Leaf-bogus-dsa.crt
+ html_msg $? 1 "Verify large dsa signature"
+ echo "$SCRIPTNAME: Verify large rsa pss signature --------------"
+ echo " vfychain -a Leaf-bogus-rsa-pss.crt"
+ vfychain -a ${QADIR}/cert/Leaf-bogus-rsa-pss.crt
+ html_msg $? 1 "Verify large rsa pss signature"
+}
+
################################ crlu #################################
# local shell function to call crlutil, also: writes action and options to
# stdout, sets variable RET and writes results to the html file results
########################################################################
crlu()
{
echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
@@ -2640,11 +2652,13 @@ if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
else
echo "$SCRIPTNAME: Skipping CRL Tests"
fi
if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
cert_stresscerts
fi
+cert_test_vfy
+
cert_iopr_setup
cert_cleanup

279
SOURCES/nss-3.67-cve-2021-43527.patch Normal file
View File

@ -0,0 +1,279 @@
diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
--- a/lib/cryptohi/secvfy.c
+++ b/lib/cryptohi/secvfy.c
@@ -164,6 +164,37 @@
PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
}
+static unsigned int
+checkedSignatureLen(const SECKEYPublicKey *pubk)
+{
+ unsigned int sigLen = SECKEY_SignatureLen(pubk);
+ if (sigLen == 0) {
+ /* Error set by SECKEY_SignatureLen */
+ return sigLen;
+ }
+ unsigned int maxSigLen;
+ switch (pubk->keyType) {
+ case rsaKey:
+ case rsaPssKey:
+ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
+ break;
+ case dsaKey:
+ maxSigLen = DSA_MAX_SIGNATURE_LEN;
+ break;
+ case ecKey:
+ maxSigLen = 2 * MAX_ECKEY_LEN;
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+ return 0;
+ }
+ if (sigLen > maxSigLen) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return 0;
+ }
+ return sigLen;
+}
+
/*
* decode the ECDSA or DSA signature from it's DER wrapping.
* The unwrapped/raw signature is placed in the buffer pointed
@@ -174,38 +205,38 @@
unsigned int len)
{
SECItem *dsasig = NULL; /* also used for ECDSA */
- SECStatus rv = SECSuccess;
- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
- if (sig->len != len) {
- PORT_SetError(SEC_ERROR_BAD_DER);
- return SECFailure;
+ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
+ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
+ if (len > DSA_MAX_SIGNATURE_LEN) {
+ goto loser;
}
-
- PORT_Memcpy(dsig, sig->data, sig->len);
- return SECSuccess;
+ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+ if (len > MAX_ECKEY_LEN * 2) {
+ goto loser;
+ }
+ } else {
+ goto loser;
}
- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
- if (len > MAX_ECKEY_LEN * 2) {
- PORT_SetError(SEC_ERROR_BAD_DER);
- return SECFailure;
- }
+ /* Decode and pad to length */
+ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
+ if (dsasig == NULL) {
+ goto loser;
}
- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
-
- if ((dsasig == NULL) || (dsasig->len != len)) {
- rv = SECFailure;
- } else {
- PORT_Memcpy(dsig, dsasig->data, dsasig->len);
+ if (dsasig->len != len) {
+ SECITEM_FreeItem(dsasig, PR_TRUE);
+ goto loser;
}
- if (dsasig != NULL)
- SECITEM_FreeItem(dsasig, PR_TRUE);
- if (rv == SECFailure)
- PORT_SetError(SEC_ERROR_BAD_DER);
- return rv;
+ PORT_Memcpy(dsig, dsasig->data, len);
+ SECITEM_FreeItem(dsasig, PR_TRUE);
+
+ return SECSuccess;
+
+loser:
+ PORT_SetError(SEC_ERROR_BAD_DER);
+ return SECFailure;
}
const SEC_ASN1Template hashParameterTemplate[] =
@@ -281,7 +312,7 @@
sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
{
- int len;
+ unsigned int len;
PLArenaPool *arena;
SECStatus rv;
SECItem oid;
@@ -466,48 +497,52 @@
cx->pkcs1RSADigestInfo = NULL;
rv = SECSuccess;
if (sig) {
- switch (type) {
- case rsaKey:
- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
- &cx->pkcs1RSADigestInfo,
- &cx->pkcs1RSADigestInfoLen,
- cx->key,
- sig, wincx);
- break;
- case rsaPssKey:
- sigLen = SECKEY_SignatureLen(key);
- if (sigLen == 0) {
- /* error set by SECKEY_SignatureLen */
- rv = SECFailure;
+ rv = SECFailure;
+ if (type == rsaKey) {
+ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
+ &cx->pkcs1RSADigestInfo,
+ &cx->pkcs1RSADigestInfoLen,
+ cx->key,
+ sig, wincx);
+ } else {
+ sigLen = checkedSignatureLen(key);
+ /* Check signature length is within limits */
+ if (sigLen == 0) {
+ /* error set by checkedSignatureLen */
+ rv = SECFailure;
+ goto loser;
+ }
+ if (sigLen > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ rv = SECFailure;
+ goto loser;
+ }
+ switch (type) {
+ case rsaPssKey:
+ if (sig->len != sigLen) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ rv = SECFailure;
+ goto loser;
+ }
+ PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
+ rv = SECSuccess;
break;
- }
- if (sig->len != sigLen) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ case ecKey:
+ case dsaKey:
+ /* decodeECorDSASignature will check sigLen == sig->len after padding */
+ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
+ break;
+ default:
+ /* Unreachable */
rv = SECFailure;
- break;
- }
- PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
- break;
- case dsaKey:
- case ecKey:
- sigLen = SECKEY_SignatureLen(key);
- if (sigLen == 0) {
- /* error set by SECKEY_SignatureLen */
- rv = SECFailure;
- break;
- }
- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
- break;
- default:
- rv = SECFailure;
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
- break;
+ goto loser;
+ }
+ }
+ if (rv != SECSuccess) {
+ goto loser;
}
}
- if (rv)
- goto loser;
-
/* check hash alg again, RSA may have changed it.*/
if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
/* error set by HASH_GetHashTypeByOidTag */
@@ -650,11 +685,16 @@
switch (cx->key->keyType) {
case ecKey:
case dsaKey:
- dsasig.data = cx->u.buffer;
- dsasig.len = SECKEY_SignatureLen(cx->key);
+ dsasig.len = checkedSignatureLen(cx->key);
if (dsasig.len == 0) {
return SECFailure;
}
+ if (dsasig.len > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ dsasig.data = cx->u.buffer;
+
if (sig) {
rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
dsasig.len);
@@ -686,8 +726,13 @@
}
rsasig.data = cx->u.buffer;
- rsasig.len = SECKEY_SignatureLen(cx->key);
+ rsasig.len = checkedSignatureLen(cx->key);
if (rsasig.len == 0) {
+ /* Error set by checkedSignatureLen */
+ return SECFailure;
+ }
+ if (rsasig.len > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
return SECFailure;
}
if (sig) {
@@ -749,7 +794,6 @@
SECStatus rv;
VFYContext *cx;
SECItem dsasig; /* also used for ECDSA */
-
rv = SECFailure;
cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
@@ -757,19 +801,25 @@
switch (key->keyType) {
case rsaKey:
rv = verifyPKCS1DigestInfo(cx, digest);
+ /* Error (if any) set by verifyPKCS1DigestInfo */
break;
- case dsaKey:
case ecKey:
+ case dsaKey:
dsasig.data = cx->u.buffer;
- dsasig.len = SECKEY_SignatureLen(cx->key);
+ dsasig.len = checkedSignatureLen(cx->key);
if (dsasig.len == 0) {
+ /* Error set by checkedSignatureLen */
+ rv = SECFailure;
break;
}
- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
- SECSuccess) {
+ if (dsasig.len > sizeof(cx->u)) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- } else {
- rv = SECSuccess;
+ rv = SECFailure;
+ break;
+ }
+ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
}
break;
default:

20
SOURCES/nss-3.71-camellia-pkcs12-doc.patch Normal file
View File

@ -0,0 +1,20 @@
diff -up ./doc/pk12util.xml.camellia ./doc/pk12util.xml
--- ./doc/pk12util.xml.camellia 2022-01-26 09:46:39.794919455 -0800
+++ ./doc/pk12util.xml 2022-01-26 09:54:58.277019760 -0800
@@ -317,7 +317,7 @@ Certificate Friendly Name: Thawte Fre
<refsection id="encryption">
<title>Password Encryption</title>
- <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
+ <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using AES-256-CBC for private key encryption and AES-128-CBC for certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
<para>The private key is always protected with strong encryption by default.</para>
<para>Several types of ciphers are supported.</para>
<variablelist>
@@ -327,6 +327,7 @@ Certificate Friendly Name: Thawte Fre
<listitem>
<itemizedlist>
<listitem><para>PBES2 with AES-CBC-Pad as underlying encryption scheme (<userinput>"AES-128-CBC"</userinput>, <userinput>"AES-192-CBC"</userinput>, and <userinput>"AES-256-CBC"</userinput>)</para></listitem>
+ <listitem><para>PBES2 with CAMELLIA-CBC-Pad as underlying encryption scheme (<userinput>"CAMELLIA-128-CBC"</userinput>, <userinput>"CAMELLIA-192-CBC"</userinput>, and <userinput>"CAMELLIA-256-CBC"</userinput>)</para></listitem>
</itemizedlist>
</listitem>
</varlistentry>

825
SOURCES/nss-3.71-fips-module-name.patch Normal file
View File

@ -0,0 +1,825 @@
diff --git a/cmd/manifest.mn b/cmd/manifest.mn
--- a/cmd/manifest.mn
+++ b/cmd/manifest.mn
@@ -76,6 +76,7 @@
symkeyutil \
tests \
tstclnt \
+ validation \
vfychain \
vfyserv \
modutil \
diff --git a/cmd/validation/Makefile b/cmd/validation/Makefile
new file mode 100644
--- /dev/null
+++ b/cmd/validation/Makefile
@@ -0,0 +1,48 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY). #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL) #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL). #
+#######################################################################
+
+include ../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL) #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL). #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/cmd/validation/manifest.mn b/cmd/validation/manifest.mn
new file mode 100644
--- /dev/null
+++ b/cmd/validation/manifest.mn
@@ -0,0 +1,23 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+CORE_DEPTH = ../..
+
+DEFINES += -DNSPR20
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = \
+ validation.c \
+ $(NULL)
+
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = dbm seccmd
+
+PROGRAM = validation
+
+# USE_STATIC_LIBS = 1
diff --git a/cmd/validation/validation.c b/cmd/validation/validation.c
new file mode 100644
--- /dev/null
+++ b/cmd/validation/validation.c
@@ -0,0 +1,249 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifdef _CRTDBG_MAP_ALLOC
+#include <stdlib.h>
+#include <crtdbg.h>
+#endif
+
+#include "nspr.h"
+#include "secutil.h"
+#include "pk11func.h"
+#include "nss.h"
+#include "secport.h"
+#include "secpkcs5.h"
+#include "sechash.h"
+#include "certdb.h"
+#include "secmod.h"
+
+#define PKCS12_IN_BUFFER_SIZE 200
+
+static char *progName;
+PRBool debug = PR_FALSE;
+
+#define ERR_USAGE 2
+#define ERR_PK11GETSLOT 13
+
+static void
+Usage()
+{
+#define FPS PR_fprintf(PR_STDERR,
+ FPS "Usage: %s [-d certdir] [-P dbprefix] [-h tokenname]\n",
+ progName);
+ FPS "\t\t [-k slotpwfile | -K slotpw] [-v]\n");
+
+ exit(ERR_USAGE);
+}
+
+typedef enum {
+ tagULong,
+ tagVersion,
+ tagUtf8
+} tagType;
+
+typedef struct {
+ const char *attributeName;
+ tagType attributeStorageType;
+} attributeTag;
+
+enum {
+ opt_CertDir = 0,
+ opt_TokenName,
+ opt_SlotPWFile,
+ opt_SlotPW,
+ opt_DBPrefix,
+ opt_Debug
+};
+
+static secuCommandFlag validation_options[] =
+ {
+ { /* opt_CertDir */ 'd', PR_TRUE, 0, PR_FALSE },
+ { /* opt_TokenName */ 'h', PR_TRUE, 0, PR_FALSE },
+ { /* opt_SlotPWFile */ 'k', PR_TRUE, 0, PR_FALSE },
+ { /* opt_SlotPW */ 'K', PR_TRUE, 0, PR_FALSE },
+ { /* opt_DBPrefix */ 'P', PR_TRUE, 0, PR_FALSE },
+ { /* opt_Debug */ 'v', PR_FALSE, 0, PR_FALSE }
+ };
+
+void
+dump_Raw(char *label, CK_ATTRIBUTE *attr)
+{
+ int i;
+ unsigned char *value = (unsigned char *)attr->pValue;
+ printf("0x");
+ for (i = 0; i < attr->ulValueLen; i++) {
+ printf("%02x", value[i]);
+ }
+ printf("<%s>\n", label);
+}
+
+SECStatus
+dump_validations(CK_OBJECT_CLASS objc, CK_ATTRIBUTE *template, int count,
+ attributeTag *tags, PK11SlotInfo *slot)
+{
+ PK11GenericObject *objs, *obj;
+
+ objs = PK11_FindGenericObjects(slot, objc);
+
+ for (obj = objs; obj != NULL; obj = PK11_GetNextGenericObject(obj)) {
+ int i;
+ printf("Validation Object:\n");
+ PK11_ReadRawAttributes(NULL, PK11_TypeGeneric, obj, template, count);
+ for (i = 0; i < count; i++) {
+ CK_ULONG ulong;
+ CK_VERSION version;
+ int len = template[i].ulValueLen;
+ printf(" %s: ", tags[i].attributeName);
+ if (len < 0) {
+ printf("<failed>\n");
+ } else if (len == 0) {
+ printf("<empty>\n");
+ } else
+ switch (tags[i].attributeStorageType) {
+ case tagULong:
+ if (len != sizeof(CK_ULONG)) {
+ dump_Raw("bad ulong", &template[i]);
+ break;
+ }
+ ulong = *(CK_ULONG *)template[i].pValue;
+ printf("%ld\n", ulong);
+ break;
+ case tagVersion:
+ if (len != sizeof(CK_VERSION)) {
+ dump_Raw("bad version", &template[i]);
+ break;
+ }
+ version = *(CK_VERSION *)template[i].pValue;
+ printf("%d.%d\n", version.major, version.minor);
+ break;
+ case tagUtf8:
+ printf("%.*s\n", len, (char *)template[i].pValue);
+ break;
+ default:
+ dump_Raw("unknown tag", &template[i]);
+ break;
+ }
+ PORT_Free(template[i].pValue);
+ template[i].pValue = NULL;
+ template[i].ulValueLen = 0;
+ }
+ }
+ PK11_DestroyGenericObjects(objs);
+ return SECSuccess;
+}
+
+int
+main(int argc, char **argv)
+{
+ secuPWData slotPw = { PW_NONE, NULL };
+ secuPWData p12FilePw = { PW_NONE, NULL };
+ PK11SlotInfo *slot;
+ char *slotname = NULL;
+ char *dbprefix = "";
+ char *nssdir = NULL;
+ SECStatus rv;
+ secuCommand validation;
+ int local_errno = 0;
+
+ CK_ATTRIBUTE validation_template[] = {
+ { CKA_NSS_VALIDATION_TYPE, NULL, 0 },
+ { CKA_NSS_VALIDATION_VERSION, NULL, 0 },
+ { CKA_NSS_VALIDATION_LEVEL, NULL, 0 },
+ { CKA_NSS_VALIDATION_MODULE_ID, NULL, 0 }
+ };
+ attributeTag validation_tags[] = {
+ { "Validation Type", tagULong },
+ { "Validation Version", tagVersion },
+ { "Validation Level", tagULong },
+ { "Validation Module ID", tagUtf8 },
+ };
+
+#ifdef _CRTDBG_MAP_ALLOC
+ _CrtSetDbgFlag(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF);
+#endif
+
+ validation.numCommands = 0;
+ validation.commands = 0;
+ validation.numOptions = PR_ARRAY_SIZE(validation_options);
+ validation.options = validation_options;
+
+ progName = strrchr(argv[0], '/');
+ progName = progName ? progName + 1 : argv[0];
+
+ rv = SECU_ParseCommandLine(argc, argv, progName, &validation);
+
+ if (rv != SECSuccess)
+ Usage();
+
+ debug = validation.options[opt_Debug].activated;
+
+ slotname = SECU_GetOptionArg(&validation, opt_TokenName);
+
+ if (validation.options[opt_SlotPWFile].activated) {
+ slotPw.source = PW_FROMFILE;
+ slotPw.data = PORT_Strdup(validation.options[opt_SlotPWFile].arg);
+ }
+
+ if (validation.options[opt_SlotPW].activated) {
+ slotPw.source = PW_PLAINTEXT;
+ slotPw.data = PORT_Strdup(validation.options[opt_SlotPW].arg);
+ }
+
+ if (validation.options[opt_CertDir].activated) {
+ nssdir = validation.options[opt_CertDir].arg;
+ }
+ if (validation.options[opt_DBPrefix].activated) {
+ dbprefix = validation.options[opt_DBPrefix].arg;
+ }
+
+ PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+ if (nssdir == NULL && NSS_NoDB_Init("") == SECSuccess) {
+ rv = SECSuccess;
+ /* if the system isn't already in FIPS mode, we need
+ * to switch to FIPS mode */
+ if (!PK11_IsFIPS()) {
+ /* flip to FIPS mode */
+ SECMODModule *module = SECMOD_GetInternalModule();
+ rv = SECMOD_DeleteInternalModule(module->commonName);
+ }
+ } else {
+ rv = NSS_Initialize(nssdir, dbprefix, dbprefix,
+ "secmod.db", 0);
+ }
+ if (rv != SECSuccess) {
+ SECU_PrintPRandOSError(progName);
+ exit(-1);
+ }
+
+ if (!slotname || PL_strcmp(slotname, "internal") == 0)
+ slot = PK11_GetInternalKeySlot();
+ else
+ slot = PK11_FindSlotByName(slotname);
+
+ if (!slot) {
+ SECU_PrintError(progName, "Invalid slot \"%s\"", slotname);
+ local_errno = ERR_PK11GETSLOT;
+ goto done;
+ }
+
+ rv = dump_validations(CKO_NSS_VALIDATION,
+ validation_template,
+ PR_ARRAY_SIZE(validation_template),
+ validation_tags,
+ slot);
+
+done:
+ if (slotPw.data != NULL)
+ PORT_ZFree(slotPw.data, PL_strlen(slotPw.data));
+ if (p12FilePw.data != NULL)
+ PORT_ZFree(p12FilePw.data, PL_strlen(p12FilePw.data));
+ if (slot)
+ PK11_FreeSlot(slot);
+ if (NSS_Shutdown() != SECSuccess) {
+ local_errno = 1;
+ }
+ PL_ArenaFinish();
+ PR_Cleanup();
+ return local_errno;
+}
diff --git a/cmd/validation/validation.gyp b/cmd/validation/validation.gyp
new file mode 100644
--- /dev/null
+++ b/cmd/validation/validation.gyp
@@ -0,0 +1,30 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+ 'includes': [
+ '../../coreconf/config.gypi',
+ '../../cmd/platlibs.gypi'
+ ],
+ 'targets': [
+ {
+ 'target_name': 'validation',
+ 'type': 'executable',
+ 'sources': [
+ 'validation.c'
+ ],
+ 'dependencies': [
+ '<(DEPTH)/exports.gyp:dbm_exports',
+ '<(DEPTH)/exports.gyp:nss_exports'
+ ]
+ }
+ ],
+ 'target_defaults': {
+ 'defines': [
+ 'NSPR20'
+ ]
+ },
+ 'variables': {
+ 'module': 'nss'
+ }
+}
diff --git a/lib/softoken/config.mk b/lib/softoken/config.mk
--- a/lib/softoken/config.mk
+++ b/lib/softoken/config.mk
@@ -59,3 +59,7 @@
DEFINES += -DNSS_ENABLE_FIPS_INDICATORS
endif
+ifdef NSS_FIPS_MODULE_ID
+DEFINES += -DNSS_FIPS_MODULE_ID=\"${NSS_FIPS_MODULE_ID}\"
+endif
+
diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c
--- a/lib/softoken/pkcs11.c
+++ b/lib/softoken/pkcs11.c
@@ -75,7 +75,6 @@
* failure so that there are at most 60 login attempts per minute.
*/
static PRIntervalTime loginWaitTime;
-static PRUint32 minSessionObjectHandle = 1U;
#define __PASTE(x, y) x##y
@@ -1672,8 +1671,6 @@
{
SFTKSlot *slot = session->slot;
SFTKAttribute *attribute;
- SFTKObject *duplicateObject = NULL;
- CK_OBJECT_HANDLE handle;
CK_BBOOL ckfalse = CK_FALSE;
CK_BBOOL cktrue = CK_TRUE;
CK_RV crv;
@@ -1711,30 +1708,13 @@
* token objects and will have a token object handle assigned to
* them by a call to sftk_mkHandle in the handler for each object
* class, invoked below.
- *
+ *
* It may be helpful to note/remember that
* sftk_narrowToXxxObject uses sftk_isToken,
* sftk_isToken examines the sign bit of the object's handle, but
* sftk_isTrue(...,CKA_TOKEN) examines the CKA_TOKEN attribute.
*/
- do {
- PRUint32 wrappedAround;
-
- duplicateObject = NULL;
- PZ_Lock(slot->objectLock);
- wrappedAround = slot->sessionObjectHandleCount & SFTK_TOKEN_MASK;
- handle = slot->sessionObjectHandleCount & ~SFTK_TOKEN_MASK;
- if (!handle) /* don't allow zero handle */
- handle = minSessionObjectHandle;
- slot->sessionObjectHandleCount = (handle + 1U) | wrappedAround;
- /* Is there already a session object with this handle? */
- if (wrappedAround) {
- sftkqueue_find(duplicateObject, handle, slot->sessObjHashTable,
- slot->sessObjHashSize);
- }
- PZ_Unlock(slot->objectLock);
- } while (duplicateObject != NULL);
- object->handle = handle;
+ object->handle = sftk_getNextHandle(slot);
/* get the object class */
attribute = sftk_FindAttribute(object, CKA_CLASS);
@@ -2875,10 +2855,15 @@
goto mem_loser;
slot->sessionIDCount = 0;
- slot->sessionObjectHandleCount = minSessionObjectHandle;
+ slot->sessionObjectHandleCount = NSC_MIN_SESSION_OBJECT_HANDLE;
slot->slotID = slotID;
sftk_setStringName(params->slotdes ? params->slotdes : sftk_getDefSlotName(slotID), slot->slotDescription,
sizeof(slot->slotDescription), PR_TRUE);
+ crv = sftk_InitSession(&slot->moduleObjects, slot, slotID, NULL, NULL,
+ CKF_SERIAL_SESSION);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
/* call the reinit code to set everything that changes between token
* init calls */
@@ -2887,6 +2872,12 @@
if (crv != CKR_OK) {
goto loser;
}
+ if (sftk_isFIPS(slotID)) {
+ crv = sftk_CreateValidationObjects(slot);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ }
crv = sftk_RegisterSlot(slot, moduleIndex);
if (crv != CKR_OK) {
goto loser;
@@ -3032,6 +3023,8 @@
SFTK_ShutdownSlot(slot);
+ sftk_ClearSession(&slot->moduleObjects);
+
if (slot->tokObjHashTable) {
PL_HashTableDestroy(slot->tokObjHashTable);
slot->tokObjHashTable = NULL;
@@ -3262,6 +3255,7 @@
CK_RV crv = CKR_OK;
SECStatus rv;
CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *)pReserved;
+ PRBool destroy_freelist_on_error = PR_TRUE;
int i;
unsigned int moduleIndex = isFIPS ? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE;
@@ -3341,7 +3335,14 @@
"disabled FIPS mode");
}
}
+ /* if we have a peer open, we don't want to destroy the freelist
+ * from under the peer if we fail, the free list will be
+ * destroyed in that case when the C_Finalize is called for
+ * the peer */
+ destroy_freelist_on_error = PR_FALSE;
}
+ /* allow us to create objects in SFTK_SlotInit */
+ sftk_InitFreeLists();
for (i = 0; i < paramStrings.token_count; i++) {
crv = SFTK_SlotInit(paramStrings.configdir,
@@ -3355,8 +3356,9 @@
loser:
sftk_freeParams(&paramStrings);
}
- if (CKR_OK == crv) {
- sftk_InitFreeLists();
+ if (destroy_freelist_on_error && (CKR_OK != crv)) {
+ /* idempotent. If the list are already freed, this is a noop */
+ sftk_CleanupFreeLists();
}
#ifndef NO_FORK_CHECK
diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h
--- a/lib/softoken/pkcs11i.h
+++ b/lib/softoken/pkcs11i.h
@@ -49,6 +49,8 @@
#define NSC_SEARCH_BLOCK_SIZE 5
#define NSC_SLOT_LIST_BLOCK_SIZE 10
+#define NSC_MIN_SESSION_OBJECT_HANDLE 1U
+
#define NSC_FIPS_MODULE 1
#define NSC_NON_FIPS_MODULE 0
@@ -375,6 +377,9 @@
char tokDescription[33]; /* per load */
char updateTokDescription[33]; /* per load */
char slotDescription[65]; /* invariant */
+ SFTKSession moduleObjects; /* global session to hang module specific
+ * objects like profile objects or
+ * validation objects */
};
/*
@@ -766,6 +771,7 @@
extern void sftk_ReferenceObject(SFTKObject *object);
extern SFTKObject *sftk_ObjectFromHandle(CK_OBJECT_HANDLE handle,
SFTKSession *session);
+extern CK_OBJECT_HANDLE sftk_getNextHandle(SFTKSlot *slot);
extern void sftk_AddSlotObject(SFTKSlot *slot, SFTKObject *object);
extern void sftk_AddObject(SFTKSession *session, SFTKObject *object);
/* clear out all the existing object ID to database key mappings.
@@ -787,7 +793,11 @@
extern CK_SLOT_ID sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle);
extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle);
extern void sftk_FreeSession(SFTKSession *session);
+extern void sftk_ClearSession(SFTKSession *session);
extern void sftk_DestroySession(SFTKSession *session);
+extern CK_RV sftk_InitSession(SFTKSession *session, SFTKSlot *slot,
+ CK_SLOT_ID slotID, CK_NOTIFY notify,
+ CK_VOID_PTR pApplication, CK_FLAGS flags);
extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
CK_VOID_PTR pApplication, CK_FLAGS flags);
extern void sftk_update_state(SFTKSlot *slot, SFTKSession *session);
@@ -955,6 +965,9 @@
* FIPS security policy */
PRBool sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech,
CK_ATTRIBUTE_TYPE op, SFTKObject *source);
+/* add validation objects to the slot */
+CK_RV sftk_CreateValidationObjects(SFTKSlot *slot);
+
SEC_END_PROTOS
#endif /* _PKCS11I_H_ */
diff --git a/lib/softoken/pkcs11u.c b/lib/softoken/pkcs11u.c
--- a/lib/softoken/pkcs11u.c
+++ b/lib/softoken/pkcs11u.c
@@ -14,6 +14,7 @@
#include "sftkdb.h"
#include "softoken.h"
#include "secoid.h"
+#include "softkver.h"
#if !defined(NSS_FIPS_DISABLED) && defined(NSS_ENABLE_FIPS_INDICATORS)
/* this file should be supplied by the vendor and include all the
@@ -1243,6 +1244,32 @@
return SFTK_Busy;
}
+/* find the next available object handle that isn't currently in use */
+CK_OBJECT_HANDLE
+sftk_getNextHandle(SFTKSlot *slot)
+{
+ CK_OBJECT_HANDLE handle;
+ SFTKObject *duplicateObject = NULL;
+ do {
+ PRUint32 wrappedAround;
+
+ duplicateObject = NULL;
+ PZ_Lock(slot->objectLock);
+ wrappedAround = slot->sessionObjectHandleCount & SFTK_TOKEN_MASK;
+ handle = slot->sessionObjectHandleCount & ~SFTK_TOKEN_MASK;
+ if (!handle) /* don't allow zero handle */
+ handle = NSC_MIN_SESSION_OBJECT_HANDLE;
+ slot->sessionObjectHandleCount = (handle + 1U) | wrappedAround;
+ /* Is there already a session object with this handle? */
+ if (wrappedAround) {
+ sftkqueue_find(duplicateObject, handle, slot->sessObjHashTable,
+ slot->sessObjHashSize);
+ }
+ PZ_Unlock(slot->objectLock);
+ } while (duplicateObject != NULL);
+ return handle;
+}
+
/*
* add an object to a slot and session queue. These two functions
* adopt the object.
@@ -1848,23 +1875,13 @@
}
/*
- * create a new nession. NOTE: The session handle is not set, and the
+ * Init a new session. NOTE: The session handle is not set, and the
* session is not added to the slot's session queue.
*/
-SFTKSession *
-sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify, CK_VOID_PTR pApplication,
- CK_FLAGS flags)
+CK_RV
+sftk_InitSession(SFTKSession *session, SFTKSlot *slot, CK_SLOT_ID slotID,
+ CK_NOTIFY notify, CK_VOID_PTR pApplication, CK_FLAGS flags)
{
- SFTKSession *session;
- SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE);
-
- if (slot == NULL)
- return NULL;
-
- session = (SFTKSession *)PORT_Alloc(sizeof(SFTKSession));
- if (session == NULL)
- return NULL;
-
session->next = session->prev = NULL;
session->enc_context = NULL;
session->hash_context = NULL;
@@ -1873,8 +1890,7 @@
session->objectIDCount = 1;
session->objectLock = PZ_NewLock(nssILockObject);
if (session->objectLock == NULL) {
- PORT_Free(session);
- return NULL;
+ return CKR_HOST_MEMORY;
}
session->objects[0] = NULL;
@@ -1887,12 +1903,38 @@
sftk_update_state(slot, session);
/* no ops completed yet, so the last one couldn't be a FIPS op */
session->lastOpWasFIPS = PR_FALSE;
+ return CKR_OK;
+}
+
+/*
+ * Create a new session and init it.
+ */
+SFTKSession *
+sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify, CK_VOID_PTR pApplication,
+ CK_FLAGS flags)
+{
+ SFTKSession *session;
+ SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE);
+ CK_RV crv;
+
+ if (slot == NULL)
+ return NULL;
+
+ session = (SFTKSession *)PORT_Alloc(sizeof(SFTKSession));
+ if (session == NULL)
+ return NULL;
+
+ crv = sftk_InitSession(session, slot, slotID, notify, pApplication, flags);
+ if (crv != CKR_OK) {
+ PORT_Free(session);
+ return NULL;
+ }
return session;
}
/* free all the data associated with a session. */
void
-sftk_DestroySession(SFTKSession *session)
+sftk_ClearSession(SFTKSession *session)
{
SFTKObjectList *op, *next;
@@ -1918,6 +1960,13 @@
if (session->search) {
sftk_FreeSearch(session->search);
}
+}
+
+/* free the data associated with the session, and the session */
+void
+sftk_DestroySession(SFTKSession *session)
+{
+ sftk_ClearSession(session);
PORT_Free(session);
}
@@ -2386,3 +2435,70 @@
return PR_FALSE;
#endif
}
+
+/*
+ * create the FIPS Validation objects. If the vendor
+ * doesn't supply an NSS_FIPS_MODULE_ID, at compile time,
+ * then we assumethis is an unvalidated module.
+ */
+CK_RV
+sftk_CreateValidationObjects(SFTKSlot *slot)
+{
+ const char *module_id;
+ int module_id_len;
+ CK_RV crv = CKR_OK;
+ /* we currently use vendor specific values until the validation
+ * objects are approved for PKCS #11 v3.2. */
+ CK_OBJECT_CLASS cko_validation = CKO_NSS_VALIDATION;
+ CK_NSS_VALIDATION_TYPE ckv_fips = CKV_NSS_FIPS_140;
+ CK_VERSION fips_version = { 3, 0 }; /* FIPS-140-3 */
+ CK_ULONG fips_level = 1; /* or 2 if you validated at level 2 */
+
+#ifndef NSS_FIPS_MODULE_ID
+#define NSS_FIPS_MODULE_ID "Generic NSS " SOFTOKEN_VERSION " Unvalidated"
+#endif
+ module_id = NSS_FIPS_MODULE_ID;
+ module_id_len = sizeof(NSS_FIPS_MODULE_ID) - 1;
+ SFTKObject *object;
+
+ object = sftk_NewObject(slot); /* fill in the handle later */
+ if (object == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ object->isFIPS = PR_FALSE;
+
+ crv = sftk_AddAttributeType(object, CKA_CLASS,
+ &cko_validation, sizeof(cko_validation));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_TYPE,
+ &ckv_fips, sizeof(ckv_fips));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_VERSION,
+ &fips_version, sizeof(fips_version));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_LEVEL,
+ &fips_level, sizeof(fips_level));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_MODULE_ID,
+ module_id, module_id_len);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* future, fill in validation certificate information from a supplied
+ * pointer to a config file */
+ object->handle = sftk_getNextHandle(slot);
+ object->slot = slot;
+ sftk_AddObject(&slot->moduleObjects, object);
+loser:
+ sftk_FreeObject(object);
+ return crv;
+}
diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
--- a/lib/util/pkcs11n.h
+++ b/lib/util/pkcs11n.h
@@ -38,6 +38,9 @@
#define CKO_NSS_BUILTIN_ROOT_LIST (CKO_NSS + 4)
#define CKO_NSS_NEWSLOT (CKO_NSS + 5)
#define CKO_NSS_DELSLOT (CKO_NSS + 6)
+#define CKO_NSS_VALIDATION (CKO_NSS + 7)
+
+#define CKV_NSS_FIPS_140 (CKO_NSS + 1)
/*
* NSS-defined key types
@@ -99,6 +102,11 @@
#define CKA_NSS_SERVER_DISTRUST_AFTER (CKA_NSS + 35)
#define CKA_NSS_EMAIL_DISTRUST_AFTER (CKA_NSS + 36)
+#define CKA_NSS_VALIDATION_TYPE (CKA_NSS + 36)
+#define CKA_NSS_VALIDATION_VERSION (CKA_NSS + 37)
+#define CKA_NSS_VALIDATION_LEVEL (CKA_NSS + 38)
+#define CKA_NSS_VALIDATION_MODULE_ID (CKA_NSS + 39)
+
/*
* Trust attributes:
*
@@ -344,6 +352,9 @@
#define CKR_NSS_CERTDB_FAILED (CKR_NSS + 1)
#define CKR_NSS_KEYDB_FAILED (CKR_NSS + 2)
+/* NSS specific types */
+typedef CK_ULONG CK_NSS_VALIDATION_TYPE;
+
/* Mandatory parameter for the CKM_NSS_HKDF_* key deriviation mechanisms.
See RFC 5869.
diff --git a/nss.gyp b/nss.gyp
--- a/nss.gyp
+++ b/nss.gyp
@@ -131,6 +131,7 @@
'cmd/smimetools/smimetools.gyp:cmsutil',
'cmd/ssltap/ssltap.gyp:ssltap',
'cmd/symkeyutil/symkeyutil.gyp:symkeyutil',
+ 'cmd/validation/validation.gyp:validation',
'nss-tool/nss_tool.gyp:nss',
'nss-tool/nss_tool.gyp:hw-support',
],

36
SOURCES/nss-3.71-fix-lto-gtests.patch Normal file
View File

@ -0,0 +1,36 @@
diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
+++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
@@ -8,23 +8,32 @@
#include "prtime.h"
#include "secerr.h"
#include "ssl.h"
#include "gtest_utils.h"
#include "tls_agent.h"
#include "tls_connect.h"
+#define LTO
namespace nss_test {
+#ifndef LTO
+// sigh this construction breaks LTO
const std::string kEcdsaDelegatorId = TlsAgent::kDelegatorEcdsa256;
const std::string kRsaeDelegatorId = TlsAgent::kDelegatorRsae2048;
const std::string kPssDelegatorId = TlsAgent::kDelegatorRsaPss2048;
const std::string kDCId = TlsAgent::kServerEcdsa256;
+#else
+#define kEcdsaDelegatorId TlsAgent::kDelegatorEcdsa256
+#define kRsaeDelegatorId TlsAgent::kDelegatorRsae2048
+#define kPssDelegatorId TlsAgent::kDelegatorRsaPss2048
+#define kDCId TlsAgent::kServerEcdsa256
+#endif
const SSLSignatureScheme kDCScheme = ssl_sig_ecdsa_secp256r1_sha256;
const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;
static void CheckPreliminaryPeerDelegCred(
const std::shared_ptr<TlsAgent>& client, bool expected,
PRUint32 key_bits = 0, SSLSignatureScheme sig_scheme = ssl_sig_none) {
EXPECT_NE(0U, (client->pre_info().valuesSet & ssl_preinfo_peer_auth));
EXPECT_EQ(expected, client->pre_info().peerDelegCred);

36
SOURCES/nss-3.71-ipv6-fix.patch Normal file
View File

@ -0,0 +1,36 @@
diff -up ./cmd/selfserv/selfserv.c.ipv6_fix ./cmd/selfserv/selfserv.c
--- ./cmd/selfserv/selfserv.c.ipv6_fix 2021-09-14 11:40:06.176408531 -0700
+++ ./cmd/selfserv/selfserv.c 2021-09-14 11:49:46.361907308 -0700
@@ -1717,14 +1717,28 @@ getBoundListenSocket(unsigned short port
PRNetAddr addr;
PRSocketOptionData opt;
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
- addr.inet.port = PR_htons(port);
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
+ errExit("PR_SetNetAddr");
+ }
- listen_sock = PR_NewTCPSocket();
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {
errExit("PR_NewTCPSocket");
}
+ /* NSPR has a bug where set inheritable doesn't work unless it's a pure
+ * NSPR socket. If we have an IPV6 emulator on an IPV4 socket, it will fail.
+ * In that case just open an IPV4 socket instead */
+ if (PR_NSPR_IO_LAYER != PR_GetLayersIdentity(listen_sock)) {
+ PR_Close(listen_sock);
+ addr.inet.family = PR_AF_INET;
+ addr.inet.ip = PR_INADDR_ANY;
+ addr.inet.port = PR_htons(port);
+
+ listen_sock = PR_NewTCPSocket();
+ if (listen_sock == NULL) {
+ errExit("PR_NewTCPSocket");
+ }
+ }
opt.option = PR_SockOpt_Nonblocking;
opt.value.non_blocking = PR_FALSE;

257
SOURCES/nss-3.75-fix-pkcs12-passwords.patch Normal file
View File

@ -0,0 +1,257 @@
diff --git a/cmd/pk12util/pk12util.c b/cmd/pk12util/pk12util.c
--- a/cmd/pk12util/pk12util.c
+++ b/cmd/pk12util/pk12util.c
@@ -660,16 +660,27 @@ P12U_ExportPKCS12Object(char *nn, char *
}
/* Password to use for PKCS12 file. */
pwitem = P12U_GetP12FilePassword(PR_TRUE, p12FilePw);
if (!pwitem) {
goto loser;
}
+ /* we are passing UTF8, drop the NULL in the normal password value.
+ * UCS2 conversion will add it back if necessary. This only affects
+ * password > Blocksize of the Hash function and pkcs5v2 pbe (if password
+ * <=Blocksize then the password is zero padded anyway, so an extra NULL
+ * at the end has not effect). This is allows us to work with openssl and
+ * gnutls. Older versions of NSS already fail to decrypt long passwords
+ * in this case, so we aren't breaking anyone with this code */
+ if ((pwitem->len > 1) && (!pwitem->data[pwitem->len-1])) {
+ pwitem->len--;
+ }
+
p12cxt = p12u_InitContext(PR_FALSE, outfile);
if (!p12cxt) {
SECU_PrintError(progName, "Initialization failed: %s", outfile);
pk12uErrno = PK12UERR_INIT_FILE;
goto loser;
}
if (certlist) {
diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c
--- a/lib/pkcs12/p12local.c
+++ b/lib/pkcs12/p12local.c
@@ -903,31 +903,35 @@ sec_pkcs12_find_object(SEC_PKCS12SafeCon
i++;
}
}
PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME);
return NULL;
}
-/* this function converts a password to unicode and encures that the
- * required double 0 byte be placed at the end of the string
+/* this function converts a password to unicode and ensures that the
+ * required double 0 byte be placed at the end of the string (if zeroTerm
+ * is set), or the 0 bytes at the end are dropped (if zeroTerm is not set).
*/
PRBool
sec_pkcs12_convert_item_to_unicode(PLArenaPool *arena, SECItem *dest,
SECItem *src, PRBool zeroTerm,
PRBool asciiConvert, PRBool toUnicode)
{
PRBool success = PR_FALSE;
+ int bufferSize;
+
if (!src || !dest) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return PR_FALSE;
}
- dest->len = src->len * 3 + 2;
+ bufferSize = src->len * 3 + 2;
+ dest->len = bufferSize;
if (arena) {
dest->data = (unsigned char *)PORT_ArenaZAlloc(arena, dest->len);
} else {
dest->data = (unsigned char *)PORT_ZAlloc(dest->len);
}
if (!dest->data) {
dest->len = 0;
@@ -951,34 +955,44 @@ sec_pkcs12_convert_item_to_unicode(PLAre
if (!arena) {
PORT_Free(dest->data);
dest->data = NULL;
dest->len = 0;
}
return PR_FALSE;
}
- if ((dest->len >= 2) &&
- (dest->data[dest->len - 1] || dest->data[dest->len - 2]) && zeroTerm) {
- if (dest->len + 2 > 3 * src->len) {
- if (arena) {
- dest->data = (unsigned char *)PORT_ArenaGrow(arena,
- dest->data, dest->len,
- dest->len + 2);
- } else {
- dest->data = (unsigned char *)PORT_Realloc(dest->data,
- dest->len + 2);
+ /* in some cases we need to add NULL terminations and in others
+ * we need to drop null terminations */
+ if (zeroTerm) {
+ /* unicode adds two nulls a the end */
+ if (toUnicode) {
+ if ((dest->len >= 2) &&
+ (dest->data[dest->len - 1] || dest->data[dest->len - 2])) {
+ /* we've already allocated space for these new NULLs */
+ PORT_Assert(dest->len + 2 <= bufferSize);
+ dest->len += 2;
+ dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0;
}
-
- if (!dest->data) {
- return PR_FALSE;
+ /* ascii/utf-8 adds just 1 */
+ } else if ((dest->len >= 1) && dest->data[dest->len-1]) {
+ PORT_Assert(dest->len + 1 <= bufferSize);
+ dest->len ++;
+ dest->data[dest->len-1] = 0;
+ }
+ } else {
+ /* handle the drop case, no need to do any allocations here. */
+ if (toUnicode) {
+ while ((dest->len >=2) && !dest->data[dest->len - 1] &&
+ !dest->data[dest->len - 2]) {
+ dest->len -= 2;
}
+ } else while (dest->len && !dest->data[dest->len-1]) {
+ dest->len--;
}
- dest->len += 2;
- dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0;
}
return PR_TRUE;
}
PRBool
sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm)
{
@@ -1006,27 +1020,28 @@ sec_pkcs12_is_pkcs12_pbe_algorithm(SECOi
}
}
/* this function decodes a password from Unicode if necessary,
* according to the PBE algorithm.
*
* we assume that the pwitem is already encoded in Unicode by the
* caller. if the encryption scheme is not the one defined in PKCS
- * #12, decode the pwitem back into UTF-8. */
+ * #12, decode the pwitem back into UTF-8. NOTE: UTF-8 strings are
+ * used in the PRF without the trailing NULL */
PRBool
sec_pkcs12_decode_password(PLArenaPool *arena,
SECItem *result,
SECOidTag algorithm,
const SECItem *pwitem)
{
if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm))
return sec_pkcs12_convert_item_to_unicode(arena, result,
(SECItem *)pwitem,
- PR_TRUE, PR_FALSE, PR_FALSE);
+ PR_FALSE, PR_FALSE, PR_FALSE);
return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess;
}
/* this function encodes a password into Unicode if necessary,
* according to the PBE algorithm.
*
* we assume that the pwitem holds a raw password. if the encryption
diff --git a/tests/common/init.sh b/tests/common/init.sh
--- a/tests/common/init.sh
+++ b/tests/common/init.sh
@@ -78,25 +78,27 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions
STAPLINGDIR=${HOSTDIR}/stapling
NOLOGINDIR=${HOSTDIR}/nologin
SSLGTESTDIR=${HOSTDIR}/ssl_gtests
GTESTDIR=${HOSTDIR}/gtests
PWFILE=${HOSTDIR}/tests.pw
+ LONGPWFILE=${HOSTDIR}/tests.longpw
EMPTY_FILE=${HOSTDIR}/tests_empty
NOISE_FILE=${HOSTDIR}/tests_noise
CORELIST_FILE=${HOSTDIR}/clist
FIPSPWFILE=${HOSTDIR}/tests.fipspw
FIPSBADPWFILE=${HOSTDIR}/tests.fipsbadpw
FIPSP12PWFILE=${HOSTDIR}/tests.fipsp12pw
echo nss > ${PWFILE}
+ echo "nss123456789012345678901234567890123456789012345678901234567890_" > ${LONGPWFILE}
echo > ${EMPTY_FILE}
echo "fIps140" > ${FIPSPWFILE}
echo "fips104" > ${FIPSBADPWFILE}
echo "pKcs12fips140" > ${FIPSP12PWFILE}
noise
P_SERVER_CADIR=${SERVER_CADIR}
@@ -656,16 +658,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
P_R_NOLOGINDIR="multiaccess:${D_NOLOGIN}"
P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}"
P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}"
P_R_IMPLICIT_INIT_DIR="multiaccess:${D_IMPLICIT_INIT}"
P_R_RSAPSSDIR="multiaccess:${D_RSAPSS}"
fi
R_PWFILE=../tests.pw
+ R_LONGPWFILE=../tests.longpw
R_EMPTY_FILE=../tests_empty
R_NOISE_FILE=../tests_noise
R_FIPSPWFILE=../tests.fipspw
R_FIPSBADPWFILE=../tests.fipsbadpw
R_FIPSP12PWFILE=../tests.fipsp12pw
trap "Exit $0 Signal_caught" 2 3
diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh
--- a/tests/tools/tools.sh
+++ b/tests/tools/tools.sh
@@ -382,16 +382,40 @@ tools_p12_export_list_import_with_defaul
check_tmpfile
echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
ret=$?
html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
check_tmpfile
+
+ echo "$SCRIPTNAME: Exporting Alice's email EC cert & key with long pw------"
+ echo "pk12util -o Alice-ec-long.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
+ echo " -w ${R_LONGPWFILE}"
+ ${BINDIR}/pk12util -o Alice-ec-long.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
+ -w ${R_LONGPWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting Alice's email EC cert & key with long pw (pk12util -o)"
+ check_tmpfile
+ verify_p12 Alice-ec-long.p12 "default" "default" "default"
+
+ echo "$SCRIPTNAME: Importing Alice's email EC cert & key with long pw-----"
+ echo "pk12util -i Alice-ec-long.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_LONGPWFILE}"
+ ${BINDIR}/pk12util -i Alice-ec-long.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_LONGPWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Importing Alice's email EC cert & key with long pw (pk12util -i)"
+ check_tmpfile
+
+ echo "$SCRIPTNAME: Listing Alice's pk12 EC file with long pw ------------"
+ echo "pk12util -l Alice-ec-long.p12 -w ${R_LONGPWFILE}"
+ ${BINDIR}/pk12util -l Alice-ec-long.p12 -w ${R_LONGPWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Listing Alice's pk12 EC file with long pw (pk12util -l)"
+ check_tmpfile
}
tools_p12_import_old_files()
{
echo "$SCRIPTNAME: Importing PKCS#12 files created with older NSS --------------"
echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
ret=$?

145
SOURCES/nss-config.in Normal file
View File

@ -0,0 +1,145 @@
#!/bin/sh
prefix=@prefix@
major_version=@MOD_MAJOR_VERSION@
minor_version=@MOD_MINOR_VERSION@
patch_version=@MOD_PATCH_VERSION@
usage()
{
cat <<EOF
Usage: nss-config [OPTIONS] [LIBRARIES]
Options:
[--prefix[=DIR]]
[--exec-prefix[=DIR]]
[--includedir[=DIR]]
[--libdir[=DIR]]
[--version]
[--libs]
[--cflags]
Dynamic Libraries:
nss
nssutil
ssl
smime
EOF
exit $1
}
if test $# -eq 0; then
usage 1 1>&2
fi
lib_ssl=yes
lib_smime=yes
lib_nss=yes
lib_nssutil=yes
while test $# -gt 0; do
case "$1" in
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
*) optarg= ;;
esac
case $1 in
--prefix=*)
prefix=$optarg
;;
--prefix)
echo_prefix=yes
;;
--exec-prefix=*)
exec_prefix=$optarg
;;
--exec-prefix)
echo_exec_prefix=yes
;;
--includedir=*)
includedir=$optarg
;;
--includedir)
echo_includedir=yes
;;
--libdir=*)
libdir=$optarg
;;
--libdir)
echo_libdir=yes
;;
--version)
echo ${major_version}.${minor_version}.${patch_version}
;;
--cflags)
echo_cflags=yes
;;
--libs)
echo_libs=yes
;;
ssl)
lib_ssl=yes
;;
smime)
lib_smime=yes
;;
nss)
lib_nss=yes
;;
nssutil)
lib_nssutil=yes
;;
*)
usage 1 1>&2
;;
esac
shift
done
# Set variables that may be dependent upon other variables
if test -z "$exec_prefix"; then
exec_prefix=`pkg-config --variable=exec_prefix nss`
fi
if test -z "$includedir"; then
includedir=`pkg-config --variable=includedir nss`
fi
if test -z "$libdir"; then
libdir=`pkg-config --variable=libdir nss`
fi
if test "$echo_prefix" = "yes"; then
echo $prefix
fi
if test "$echo_exec_prefix" = "yes"; then
echo $exec_prefix
fi
if test "$echo_includedir" = "yes"; then
echo $includedir
fi
if test "$echo_libdir" = "yes"; then
echo $libdir
fi
if test "$echo_cflags" = "yes"; then
echo -I$includedir
fi
if test "$echo_libs" = "yes"; then
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
if test -n "$lib_ssl"; then
libdirs="$libdirs -lssl${major_version}"
fi
if test -n "$lib_smime"; then
libdirs="$libdirs -lsmime${major_version}"
fi
if test -n "$lib_nss"; then
libdirs="$libdirs -lnss${major_version}"
fi
if test -n "$lib_nssutil"; then
libdirs="$libdirs -lnssutil${major_version}"
fi
echo $libdirs
fi

132
SOURCES/nss-config.xml Normal file
View File

@ -0,0 +1,132 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="nss-config">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>nss-config</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>nss-config</refname>
<refpurpose>Return meta information about nss libraries</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>nss-config</command>
<arg><option>--prefix</option></arg>
<arg><option>--exec-prefix</option></arg>
<arg><option>--includedir</option></arg>
<arg><option>--libs</option></arg>
<arg><option>--cflags</option></arg>
<arg><option>--libdir</option></arg>
<arg><option>--version</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection id="description">
<title>Description</title>
<para><command>nss-config</command> is a shell scrip
tool which can be used to obtain gcc options for building client pacakges of nspt. </para>
</refsection>
<refsection>
<title>Options</title>
<variablelist>
<varlistentry>
<term><option>--prefix</option></term>
<listitem><simpara>Returns the top level system directory under which the nss libraries are installed.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--exec-prefix</option></term>
<listitem><simpara>returns the top level system directory under which any nss binaries would be installed.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--includedir</option> <replaceable>count</replaceable></term>
<listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--version</option></term>
<listitem><simpara>returns the upstream version of nss in the form major_version-minor_version-patch_version.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--libs</option></term>
<listitem><simpara>returns the compiler linking flags.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--cflags</option></term>
<listitem><simpara>returns the compiler include flags.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--libdir</option></term>
<listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection>
<title>Examples</title>
<para>The following example will query for both include path and linkage flags:
<programlisting>
/usr/bin/nss-config --cflags --libs
</programlisting>
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/usr/bin/nss-config</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkg-config(1)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>.
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

41
SOURCES/nss-disable-md5.patch Normal file
View File

@ -0,0 +1,41 @@
diff -r 699541a7793b lib/pk11wrap/pk11pars.c
--- a/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:41.668835607 -0700
+++ b/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:50.585888411 -0700
@@ -324,11 +324,11 @@ static const oidValDef curveOptList[] =
static const oidValDef hashOptList[] = {
/* Hashes */
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ 0 },
{ CIPHER_NAME("MD4"), SEC_OID_MD4,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ 0 },
{ CIPHER_NAME("MD5"), SEC_OID_MD5,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ 0 },
{ CIPHER_NAME("SHA1"), SEC_OID_SHA1,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
{ CIPHER_NAME("SHA224"), SEC_OID_SHA224,
diff -r 699541a7793b lib/util/secoid.c
--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
+++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
@@ -2042,6 +2042,19 @@
int i;
for (i = 1; i < SEC_OID_TOTAL; i++) {
+ switch (i) {
+ case SEC_OID_MD2:
+ case SEC_OID_MD4:
+ case SEC_OID_MD5:
+ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
+ continue;
+ default:
+ break;
+ }
if (oids[i].desc && strstr(arg, oids[i].desc)) {
xOids[i].notPolicyFlags = notEnable |
(xOids[i].notPolicyFlags & ~(DEF_FLAGS));

13
SOURCES/nss-dso-ldflags.patch Normal file
View File

@ -0,0 +1,13 @@
Index: nss/coreconf/Linux.mk
===================================================================
--- nss.orig/coreconf/Linux.mk
+++ nss/coreconf/Linux.mk
@@ -144,7 +144,7 @@ ifdef USE_PTHREADS
endif
DSO_CFLAGS = -fPIC
-DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections
+DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections $(DSO_LDFLAGS)
# The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
# incorrectly reports undefined references in the libraries we link with, so
# we don't use -z defs there.

120
SOURCES/nss-no-dbm-man-page.patch Normal file
View File

@ -0,0 +1,120 @@
diff -up ./doc/certutil.xml.no-dbm ./doc/certutil.xml
--- ./doc/certutil.xml.no-dbm 2021-05-29 10:26:21.853386165 -0700
+++ ./doc/certutil.xml 2021-05-29 10:31:15.057058619 -0700
@@ -205,8 +205,7 @@ If this option is not used, the validity
<para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para>
<para>NSS recognizes the following prefixes:</para>
<itemizedlist>
- <listitem><para><command>sql:</command> requests the newer database</para></listitem>
- <listitem><para><command>dbm:</command> requests the legacy database</para></listitem>
+ <listitem><para><command>sql:</command> requests the sql-lite database</para></listitem>
</itemizedlist>
<para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <command>sql:</command> is the default.</para>
</listitem>
@@ -1205,17 +1204,9 @@ BerkeleyDB. These new databases provide
</listitem>
</itemizedlist>
-<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
+<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. </para>
-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.
-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
-
-<programlisting>$ certutil -L -d dbm:/home/my/sharednssdb</programlisting>
-
-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
-
-<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
+<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.</para>
<itemizedlist>
<listitem>
diff -up ./doc/modutil.xml.no-dbm ./doc/modutil.xml
--- ./doc/modutil.xml.no-dbm 2021-05-29 10:26:21.854386171 -0700
+++ ./doc/modutil.xml 2021-05-29 10:28:23.293078869 -0700
@@ -151,7 +151,7 @@
<varlistentry>
<term>-dbdir directory</term>
<listitem><para>Specify the database directory in which to access or create security module database files.</para>
- <para><command>modutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>dbm:</command> is not used, then the tool assumes that the given databases are in SQLite format.</para></listitem>
+ <para><command>modutil</command> supports SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para></listitem>
</varlistentry>
<varlistentry>
@@ -689,15 +689,7 @@ BerkleyDB. These new databases provide m
<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.
-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
-
-<programlisting>modutil -create -dbdir dbm:/home/my/sharednssdb</programlisting>
-
-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
-
-<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>
+<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type. </para>
<itemizedlist>
<listitem>
diff -up ./doc/pk12util.xml.no-dbm ./doc/pk12util.xml
--- ./doc/pk12util.xml.no-dbm 2021-05-29 10:26:21.854386171 -0700
+++ ./doc/pk12util.xml 2021-05-29 10:28:23.293078869 -0700
@@ -90,7 +90,7 @@
<varlistentry>
<term>-d directory</term>
<listitem><para>Specify the database directory into which to import to or export from certificates and keys.</para>
- <para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>dbm:</command> is not used, then the tool assumes that the given databases are in the SQLite format.</para></listitem>
+ <para><command>pk12util</command> supports SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para></listitem>
</varlistentry>
<varlistentry>
@@ -394,15 +394,7 @@ BerkleyDB. These new databases provide m
<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type
-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
-
-<programlisting># pk12util -i /tmp/cert-files/users.p12 -d dbm:/home/my/sharednssdb</programlisting>
-
-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
-
-<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
+<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type. </para>
<itemizedlist>
<listitem>
diff -up ./doc/signver.xml.no-dbm ./doc/signver.xml
--- ./doc/signver.xml.no-dbm 2021-05-29 10:26:21.854386171 -0700
+++ ./doc/signver.xml 2021-05-29 10:28:23.293078869 -0700
@@ -66,7 +66,7 @@
<varlistentry>
<term>-d <emphasis>directory</emphasis></term>
<listitem><para>Specify the database directory which contains the certificates and keys.</para>
- <para><command>signver</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>dbm:</command> is not used, then the tool assumes that the given databases are in the SQLite format.</para></listitem>
+ <para><command>signver</command> supports SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para></listitem>
</varlistentry>
<varlistentry>
<term>-a</term>
@@ -155,15 +155,7 @@ BerkleyDB. These new databases provide m
<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type
-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
-
-<programlisting># signver -A -s <replaceable>signature</replaceable> -d dbm:/home/my/sharednssdb</programlisting>
-
-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
-
-<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>
+<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.</para>
<itemizedlist>
<listitem>

4
SOURCES/nss-p11-kit.config Normal file
View File

@ -0,0 +1,4 @@
name=p11-kit-proxy
library=p11-kit-proxy.so

85
SOURCES/nss-signtool-format.patch Normal file
View File

@ -0,0 +1,85 @@
diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
--- a/cmd/modutil/install.c
+++ b/cmd/modutil/install.c
@@ -825,17 +825,20 @@ rm_dash_r(char *path)
dir = PR_OpenDir(path);
if (!dir) {
return -1;
}
/* Recursively delete all entries in the directory */
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
- sprintf(filename, "%s/%s", path, entry->name);
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
+ PR_CloseDir(dir);
+ return -1;
+ }
if (rm_dash_r(filename)) {
PR_CloseDir(dir);
return -1;
}
}
if (PR_CloseDir(dir) != PR_SUCCESS) {
return -1;
diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
--- a/cmd/signtool/util.c
+++ b/cmd/signtool/util.c
@@ -138,6 +138,12 @@ rm_dash_r(char *path)
/* Recursively delete all entries in the directory */
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
sprintf(filename, "%s/%s", path, entry->name);
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name
+) >= sizeof(filename)) {
+ errorCount++;
+ PR_CloseDir(dir);
+ return -1;
+ }
if (rm_dash_r(filename)) {
PR_CloseDir(dir);
return -1;
diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
--- a/lib/libpkix/pkix/util/pkix_list.c
+++ b/lib/libpkix/pkix/util/pkix_list.c
@@ -1530,17 +1530,17 @@ cleanup:
*/
PKIX_Error *
PKIX_List_SetItem(
PKIX_List *list,
PKIX_UInt32 index,
PKIX_PL_Object *item,
void *plContext)
{
- PKIX_List *element;
+ PKIX_List *element = NULL;
PKIX_ENTER(LIST, "PKIX_List_SetItem");
PKIX_NULLCHECK_ONE(list);
if (list->immutable){
PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
}
diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
@@ -102,17 +102,17 @@ cleanup:
*/
static PKIX_Error *
pkix_pl_OID_Equals(
PKIX_PL_Object *first,
PKIX_PL_Object *second,
PKIX_Boolean *pResult,
void *plContext)
{
- PKIX_Int32 cmpResult;
+ PKIX_Int32 cmpResult = 0;
PKIX_ENTER(OID, "pkix_pl_OID_Equals");
PKIX_NULLCHECK_THREE(first, second, pResult);
PKIX_CHECK(pkix_pl_OID_Comparator
(first, second, &cmpResult, plContext),
PKIX_OIDCOMPARATORFAILED);

116
SOURCES/nss-softokn-config.in Normal file
View File

@ -0,0 +1,116 @@
#!/bin/sh
prefix=@prefix@
major_version=@MOD_MAJOR_VERSION@
minor_version=@MOD_MINOR_VERSION@
patch_version=@MOD_PATCH_VERSION@
usage()
{
cat <<EOF
Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
Options:
[--prefix[=DIR]]
[--exec-prefix[=DIR]]
[--includedir[=DIR]]
[--libdir[=DIR]]
[--version]
[--libs]
[--cflags]
Dynamic Libraries:
softokn3 - Requires full dynamic linking
freebl3 - for internal use only (and glibc for self-integrity check)
nssdbm3 - for internal use only
Dymamically linked
EOF
exit $1
}
if test $# -eq 0; then
usage 1 1>&2
fi
while test $# -gt 0; do
case "$1" in
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
*) optarg= ;;
esac
case $1 in
--prefix=*)
prefix=$optarg
;;
--prefix)
echo_prefix=yes
;;
--exec-prefix=*)
exec_prefix=$optarg
;;
--exec-prefix)
echo_exec_prefix=yes
;;
--includedir=*)
includedir=$optarg
;;
--includedir)
echo_includedir=yes
;;
--libdir=*)
libdir=$optarg
;;
--libdir)
echo_libdir=yes
;;
--version)
echo ${major_version}.${minor_version}.${patch_version}
;;
--cflags)
echo_cflags=yes
;;
--libs)
echo_libs=yes
;;
*)
usage 1 1>&2
;;
esac
shift
done
# Set variables that may be dependent upon other variables
if test -z "$exec_prefix"; then
exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
fi
if test -z "$includedir"; then
includedir=`pkg-config --variable=includedir nss-softokn`
fi
if test -z "$libdir"; then
libdir=`pkg-config --variable=libdir nss-softokn`
fi
if test "$echo_prefix" = "yes"; then
echo $prefix
fi
if test "$echo_exec_prefix" = "yes"; then
echo $exec_prefix
fi
if test "$echo_includedir" = "yes"; then
echo $includedir
fi
if test "$echo_libdir" = "yes"; then
echo $libdir
fi
if test "$echo_cflags" = "yes"; then
echo -I$includedir
fi
if test "$echo_libs" = "yes"; then
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
echo $libdirs
fi

18
SOURCES/nss-softokn-dracut-module-setup.sh Normal file
View File

@ -0,0 +1,18 @@
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
check() {
return 255
}
depends() {
return 0
}
install() {
local _dir
inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
libfreebl3.so
}

3
SOURCES/nss-softokn-dracut.conf Normal file
View File

@ -0,0 +1,3 @@
# turn on nss-softokn module
add_dracutmodules+=" nss-softokn "

11
SOURCES/nss-softokn.pc.in Normal file
View File

@ -0,0 +1,11 @@
prefix=%prefix%
exec_prefix=%exec_prefix%
libdir=%libdir%
includedir=%includedir%
Name: NSS-SOFTOKN
Description: Network Security Services Softoken PKCS #11 Module
Version: %SOFTOKEN_VERSION%
Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
Cflags: -I${includedir}

118
SOURCES/nss-util-config.in Normal file
View File

@ -0,0 +1,118 @@
#!/bin/sh
prefix=@prefix@
major_version=@MOD_MAJOR_VERSION@
minor_version=@MOD_MINOR_VERSION@
patch_version=@MOD_PATCH_VERSION@
usage()
{
cat <<EOF
Usage: nss-util-config [OPTIONS] [LIBRARIES]
Options:
[--prefix[=DIR]]
[--exec-prefix[=DIR]]
[--includedir[=DIR]]
[--libdir[=DIR]]
[--version]
[--libs]
[--cflags]
Dynamic Libraries:
nssutil
EOF
exit $1
}
if test $# -eq 0; then
usage 1 1>&2
fi
lib_nssutil=yes
while test $# -gt 0; do
case "$1" in
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
*) optarg= ;;
esac
case $1 in
--prefix=*)
prefix=$optarg
;;
--prefix)
echo_prefix=yes
;;
--exec-prefix=*)
exec_prefix=$optarg
;;
--exec-prefix)
echo_exec_prefix=yes
;;
--includedir=*)
includedir=$optarg
;;
--includedir)
echo_includedir=yes
;;
--libdir=*)
libdir=$optarg
;;
--libdir)
echo_libdir=yes
;;
--version)
echo ${major_version}.${minor_version}.${patch_version}
;;
--cflags)
echo_cflags=yes
;;
--libs)
echo_libs=yes
;;
*)
usage 1 1>&2
;;
esac
shift
done
# Set variables that may be dependent upon other variables
if test -z "$exec_prefix"; then
exec_prefix=`pkg-config --variable=exec_prefix nss-util`
fi
if test -z "$includedir"; then
includedir=`pkg-config --variable=includedir nss-util`
fi
if test -z "$libdir"; then
libdir=`pkg-config --variable=libdir nss-util`
fi
if test "$echo_prefix" = "yes"; then
echo $prefix
fi
if test "$echo_exec_prefix" = "yes"; then
echo $exec_prefix
fi
if test "$echo_includedir" = "yes"; then
echo $includedir
fi
if test "$echo_libdir" = "yes"; then
echo $libdir
fi
if test "$echo_cflags" = "yes"; then
echo -I$includedir
fi
if test "$echo_libs" = "yes"; then
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
if test -n "$lib_nssutil"; then
libdirs="$libdirs -lnssutil${major_version}"
fi
echo $libdirs
fi

11
SOURCES/nss-util.pc.in Normal file
View File

@ -0,0 +1,11 @@
prefix=%prefix%
exec_prefix=%exec_prefix%
libdir=%libdir%
includedir=%includedir%
Name: NSS-UTIL
Description: Network Security Services Utility Library
Version: %NSSUTIL_VERSION%
Requires: nspr >= %NSPR_VERSION%
Libs: -L${libdir} -lnssutil3
Cflags: -I${includedir}

11
SOURCES/nss.pc.in Normal file
View File

@ -0,0 +1,11 @@
prefix=%prefix%
exec_prefix=%exec_prefix%
libdir=%libdir%
includedir=%includedir%
Name: NSS
Description: Network Security Services
Version: %NSS_VERSION%
Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
Cflags: -I${includedir}

56
SOURCES/pkcs11.txt.xml Normal file
View File

@ -0,0 +1,56 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="pkcs11.txt">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>pkcs11.txt</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>pkcs11.txt</refname>
<refpurpose>NSS PKCS #11 module configuration file</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para>
The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
</para>
<para>
For full documentation visit <ulink url="https://developer.mozilla.org/en-US/docs/PKCS11_Module_Specs">PKCS #11 Module Specs</ulink>.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/pkcs11.txt</filename></para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

68
SOURCES/setup-nsssysinit.sh Executable file
View File

@ -0,0 +1,68 @@
#!/bin/sh
#
# Turns on or off the nss-sysinit module db by editing the
# global PKCS #11 congiguration file. Displays the status.
#
# This script can be invoked by the user as super user.
# It is invoked at nss-sysinit post install time with argument on.
#
usage()
{
cat <<EOF
Usage: setup-nsssysinit [on|off]
on - turns on nsssysinit
off - turns off nsssysinit
status - reports whether nsssysinit is turned on or off
EOF
exit $1
}
# validate
if [ $# -eq 0 ]; then
usage 1 1>&2
fi
# the system-wide configuration file
p11conf="/etc/pki/nssdb/pkcs11.txt"
# must exist, otherwise report it and exit with failure
if [ ! -f $p11conf ]; then
echo "Could not find ${p11conf}"
exit 1
fi
# check if nsssysinit is currently enabled or disabled
sysinit_enabled()
{
grep -q '^library=libnsssysinit' ${p11conf}
}
umask 022
case "$1" in
on | ON )
if sysinit_enabled; then
exit 0
fi
cat ${p11conf} | \
sed -e 's/^library=$/library=libnsssysinit.so/' \
-e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
${p11conf}.on
mv ${p11conf}.on ${p11conf}
;;
off | OFF )
if ! sysinit_enabled; then
exit 0
fi
cat ${p11conf} | \
sed -e 's/^library=libnsssysinit.so/library=/' \
-e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \
${p11conf}.off
mv ${p11conf}.off ${p11conf}
;;
status )
echo -n 'NSS sysinit is '
sysinit_enabled && echo 'enabled' || echo 'disabled'
;;
* )
usage 1 1>&2
;;
esac

106
SOURCES/setup-nsssysinit.xml Normal file
View File

@ -0,0 +1,106 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="setup-nsssysinit">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>setup-nsssysinit</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>setup-nsssysinit</refname>
<refpurpose>Query or enable the nss-sysinit module</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>setup-nsssysinit</command>
<arg><option>on</option></arg>
<arg><option>off</option></arg>
<arg><option>status</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection id="description">
<title>Description</title>
<para><command>setup-nsssysinit</command> is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it. </para>
<para>Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on.
</para>
</refsection>
<refsection>
<title>Options</title>
<variablelist>
<varlistentry>
<term><option>on</option></term>
<listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>off</option></term>
<listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>status</option></term>
<listitem><simpara>returns whether nss-syinit is enabled or not.</simpara></listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection>
<title>Examples</title>
<para>The following example will query for the status of nss-sysinit:
<programlisting>
/usr/bin/setup-nsssysinit status
</programlisting>
</para>
<para>The following example, when run as superuser, will turn on nss-sysinit:
<programlisting>
/usr/bin/setup-nsssysinit on
</programlisting>
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/usr/bin/setup-nsssysinit</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkg-config(1)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

5
SOURCES/system-pkcs11.txt Normal file
View File

@ -0,0 +1,5 @@
library=libnsssysinit.so
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

2737
SPECS/nss.spec Normal file
View File

File diff suppressed because it is too large Load Diff