diff --git a/nss-3.124-add-ml-kem-key-size-mech-info.patch b/nss-3.124-add-ml-kem-key-size-mech-info.patch new file mode 100644 index 0000000..f80b695 --- /dev/null +++ b/nss-3.124-add-ml-kem-key-size-mech-info.patch @@ -0,0 +1,60 @@ +# HG changeset patch +# User Robert Relyea +# Date 1781030209 25200 +# Tue Jun 09 11:36:49 2026 -0700 +# Branch NSS_3_124_BRANCH +# Node ID 9d51dda84f46517faa8b9cf6abe4311e1ae3e2ac +# Parent 2a7bb3310ced138c06a588fc47b9f98e3f9faa68 +nss-3.124-add-ml-kem-key-size-mech-info.patch + +diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c +--- a/lib/softoken/pkcs11.c ++++ b/lib/softoken/pkcs11.c +@@ -35,16 +35,17 @@ + #include "secoid.h" + #include "sftkdb.h" + #include "utilpars.h" + #include "ec.h" + #include "secasn1.h" + #include "secerr.h" + #include "lgglue.h" + #include "kem.h" ++#include "kyber.h" + + PRBool parentForkedAfterC_Initialize; + + #ifndef NO_FORK_CHECK + + PRBool sftkForkCheckDisabled; + + #if defined(CHECK_FORK_PTHREAD) || defined(CHECK_FORK_MIXED) +@@ -676,23 +677,23 @@ static const struct mechanismList mechan + { CKM_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }, + { CKM_IKE1_EXTENDED_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }, + { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }, + { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }, + { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }, + { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }, + /* -------------------- Kyber Operations ----------------------- */ + #ifndef NSS_DISABLE_KYBER +- { CKM_NSS_KYBER_KEY_PAIR_GEN, { 0, 0, CKF_GENERATE_KEY_PAIR }, PR_TRUE }, +- { CKM_NSS_KYBER, { 0, 0, CKF_KEM }, PR_TRUE }, ++ { CKM_NSS_KYBER_KEY_PAIR_GEN, { KYBER768_PUBLIC_KEY_BYTES, KYBER768_PUBLIC_KEY_BYTES, CKF_GENERATE_KEY_PAIR }, PR_TRUE }, ++ { CKM_NSS_KYBER, { KYBER768_PUBLIC_KEY_BYTES, KYBER768_PUBLIC_KEY_BYTES, CKF_KEM }, PR_TRUE }, + #endif +- { CKM_NSS_ML_KEM_KEY_PAIR_GEN, { 0, 0, CKF_GENERATE_KEY_PAIR }, PR_TRUE }, +- { CKM_NSS_ML_KEM, { 0, 0, CKF_KEM }, PR_TRUE }, +- { CKM_ML_KEM_KEY_PAIR_GEN, { 0, 0, CKF_GENERATE_KEY_PAIR }, PR_TRUE }, +- { CKM_ML_KEM, { 0, 0, CKF_KEM }, PR_TRUE }, ++ { CKM_NSS_ML_KEM_KEY_PAIR_GEN, { KYBER768_PUBLIC_KEY_BYTES, MLKEM1024_PUBLIC_KEY_BYTES, CKF_GENERATE_KEY_PAIR }, PR_TRUE }, ++ { CKM_NSS_ML_KEM, { KYBER768_PUBLIC_KEY_BYTES, MLKEM1024_PUBLIC_KEY_BYTES, CKF_KEM }, PR_TRUE }, ++ { CKM_ML_KEM_KEY_PAIR_GEN, { KYBER768_PUBLIC_KEY_BYTES, MLKEM1024_PUBLIC_KEY_BYTES, CKF_GENERATE_KEY_PAIR }, PR_TRUE }, ++ { CKM_ML_KEM, { KYBER768_PUBLIC_KEY_BYTES, MLKEM1024_PUBLIC_KEY_BYTES, CKF_KEM }, PR_TRUE }, + /* don't advertize ML_DSA support until we have it working in freebl */ + { CKM_ML_DSA_KEY_PAIR_GEN, { ML_DSA_44_PUBLICKEY_LEN, ML_DSA_87_PUBLICKEY_LEN, CKF_GENERATE }, PR_TRUE }, + { CKM_ML_DSA, { ML_DSA_44_PUBLICKEY_LEN, ML_DSA_87_PUBLICKEY_LEN, CKF_SN_VR }, PR_TRUE }, + }; + static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]); + + /* sigh global so fipstokn can read it */ + PRBool nsc_init = PR_FALSE; diff --git a/nss-3.124-fix-pub-key-import-encapsulate.patch b/nss-3.124-fix-pub-key-import-encapsulate.patch new file mode 100644 index 0000000..39cccc7 --- /dev/null +++ b/nss-3.124-fix-pub-key-import-encapsulate.patch @@ -0,0 +1,217 @@ +# HG changeset patch +# User Robert Relyea +# Date 1781029720 25200 +# Tue Jun 09 11:28:40 2026 -0700 +# Branch NSS_3_124_BRANCH +# Node ID 1e0565f958c9e9ce4713a19eeee3541286133fb6 +# Parent d9ba1487c7c6821154edd972c88cecba1d458503 +nss-3.124-fix-pub-key-import-encapsulate.patch + +diff --git a/lib/pk11wrap/pk11skey.c b/lib/pk11wrap/pk11skey.c +--- a/lib/pk11wrap/pk11skey.c ++++ b/lib/pk11wrap/pk11skey.c +@@ -3124,33 +3124,54 @@ SECStatus + PK11_Encapsulate(SECKEYPublicKey *pubKey, CK_MECHANISM_TYPE target, + PK11AttrFlags attrFlags, CK_FLAGS opFlags, + PK11SymKey **outKey, SECItem **outCiphertext) + { + PORT_Assert(pubKey); + PORT_Assert(outKey); + PORT_Assert(outCiphertext); + +- PK11SlotInfo *slot = pubKey->pkcs11Slot; + + PK11SymKey *sharedSecret = NULL; + SECItem *ciphertext = NULL; + + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + unsigned int templateCount; + ++ + CK_ATTRIBUTE *attrs; + CK_BBOOL cktrue = CK_TRUE; + CK_BBOOL ckfalse = CK_FALSE; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_MECHANISM_TYPE kemType = pk11_mapKemKeyType(pubKey->keyType); + CK_MECHANISM mech = { kemType, NULL, 0 }; + CK_ULONG ciphertextLen = 0; +- CK_RV crv; ++ CK_RV crv = CKR_OK; ++ ++ PK11SlotInfo *slot = pubKey->pkcs11Slot; ++ ++ if (slot == NULL) { ++ CK_MECHANISM_TYPE mechs[] = { kemType, target}; ++ CK_ULONG mech_count = PR_ARRAY_SIZE(mechs); ++ slot = PK11_GetBestSlotMultiple(mechs, mech_count, NULL /*sigh*/); ++ } else { ++ /* should we check if the slot can do target and kemtype ++ * here and move the public key if it can't? */ ++ slot = PK11_ReferenceSlot(slot); ++ } ++ if (slot == NULL) { ++ goto loser; /* error already set */ ++ } ++ ++ CK_OBJECT_HANDLE id = PK11_ImportPublicKey(slot, pubKey, PR_FALSE); ++ ++ if (id == CK_INVALID_HANDLE) { ++ goto loser; /* error already set */ ++ } + + /* set up the target key template */ + attrs = keyTemplate; + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; +@@ -3162,30 +3183,30 @@ PK11_Encapsulate(SECKEYPublicKey *pubKey + PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); + + *outKey = NULL; + *outCiphertext = NULL; + + /* create a struxture for the target key */ + sharedSecret = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, NULL); + if (sharedSecret == NULL) { +- PORT_SetError(SEC_ERROR_NO_MEMORY); +- return SECFailure; ++ crv = CKR_HOST_MEMORY; ++ goto loser; + } + sharedSecret->origin = PK11_OriginDerive; + + /* this path is KEM mechanism agnostic */ + if (PK11_CheckPKCS11Version(slot, 3, 2, PR_TRUE) >= 0) { + pk11_EnterKeyMonitor(sharedSecret); + /* get the length the normal PKCS #11 way. This works no matter + * what the KEM is and we don't have to try to guess the KEM length + * from the key */ + crv = PK11_GETTAB(slot)->C_EncapsulateKey(sharedSecret->session, + &mech, +- pubKey->pkcs11ID, ++ id, + keyTemplate, + templateCount, + NULL, + &ciphertextLen, + &sharedSecret->objectID); + pk11_ExitKeyMonitor(sharedSecret); + if ((crv != CKR_OK) && (crv != CKR_BUFFER_TOO_SMALL) && + (crv != CKR_KEY_SIZE_RANGE)) { +@@ -3197,17 +3218,17 @@ PK11_Encapsulate(SECKEYPublicKey *pubKey + goto loser; + } + pk11_EnterKeyMonitor(sharedSecret); + /* Now do the encapsulate */ + /* NOTE: the PKCS #11 order of the parameters is different from + * the vendor interface */ + crv = PK11_GETTAB(slot)->C_EncapsulateKey(sharedSecret->session, + &mech, +- pubKey->pkcs11ID, ++ id, + keyTemplate, + templateCount, + ciphertext->data, + &ciphertextLen, + &sharedSecret->objectID); + pk11_ExitKeyMonitor(sharedSecret); + if (crv != CKR_OK) { + goto loser; +@@ -3228,21 +3249,21 @@ PK11_Encapsulate(SECKEYPublicKey *pubKey + if (crv != CKR_OK) { + goto loser; + } + KEMInterfaceFunctions = (CK_NSS_KEM_FUNCTIONS *)(KEMInterface->pFunctionList); + + /* the old API expected the parameter set as a parameter, the + * pkcs11 v3.2 gets it from the key */ + kemParameterSet = PK11_ReadULongAttribute(slot, +- pubKey->pkcs11ID, ++ id, + CKA_NSS_PARAMETER_SET); + if (kemParameterSet == CK_UNAVAILABLE_INFORMATION) { + kemParameterSet = PK11_ReadULongAttribute(slot, +- pubKey->pkcs11ID, ++ id, + CKA_PARAMETER_SET); + if (kemParameterSet == CK_UNAVAILABLE_INFORMATION) { + crv = CKR_PUBLIC_KEY_INVALID; + goto loser; + } + } + /* The old interface only ever supported KYBER768 and MLKEM768 + * SOME versions of RHEL has MLKEM1024 support, if we want to +@@ -3259,39 +3280,48 @@ PK11_Encapsulate(SECKEYPublicKey *pubKey + if (ciphertext == NULL) { + crv = CKR_HOST_MEMORY; + goto loser; + } + + pk11_EnterKeyMonitor(sharedSecret); + crv = KEMInterfaceFunctions->C_Encapsulate(sharedSecret->session, + &mech, +- pubKey->pkcs11ID, ++ id, + keyTemplate, + templateCount, + &sharedSecret->objectID, + ciphertext->data, + &ciphertextLen); + pk11_ExitKeyMonitor(sharedSecret); + if (crv != CKR_OK) { + goto loser; + } + + PORT_Assert(ciphertextLen == ciphertext->len); + } + ++ PK11_FreeSlot(slot); ++ + *outKey = sharedSecret; + *outCiphertext = ciphertext; + + return SECSuccess; + + loser: +- PK11_FreeSymKey(sharedSecret); ++ if (slot) { ++ PK11_FreeSlot(slot); ++ } ++ if (sharedSecret) { ++ PK11_FreeSymKey(sharedSecret); ++ } + SECITEM_FreeItem(ciphertext, PR_TRUE); +- PORT_SetError(PK11_MapError(crv)); ++ if (crv != CKR_OK) { ++ PORT_SetError(PK11_MapError(crv)); ++ } + return SECFailure; + } + + SECStatus + PK11_Decapsulate(SECKEYPrivateKey *privKey, const SECItem *ciphertext, + CK_MECHANISM_TYPE target, PK11AttrFlags attrFlags, + CK_FLAGS opFlags, PK11SymKey **outKey) + { +@@ -3312,17 +3342,17 @@ PK11_Decapsulate(SECKEYPrivateKey *privK + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_MECHANISM_TYPE kemType = pk11_mapKemKeyType(privKey->keyType); + CK_MECHANISM mech = { kemType, NULL, 0 }; + + CK_RV crv; + + *outKey = NULL; +- sharedSecret = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, NULL); ++ sharedSecret = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, privKey->wincx); + if (sharedSecret == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + sharedSecret->origin = PK11_OriginUnwrap; + + attrs = keyTemplate; + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); diff --git a/nss-3.124-ml-kem-alias-fix.patch b/nss-3.124-ml-kem-alias-fix.patch new file mode 100644 index 0000000..3b1e1ca --- /dev/null +++ b/nss-3.124-ml-kem-alias-fix.patch @@ -0,0 +1,80 @@ +# HG changeset patch +# User Robert Relyea +# Date 1780962091 25200 +# Mon Jun 08 16:41:31 2026 -0700 +# Branch NSS_3_124_BRANCH +# Node ID 7748a8ddfa510458e76ff41e840f78f5af55795a +# Parent 5f6c91f6171020eea4ce9eb5bc353370d30c8df0 +nss-3.124-ml-kem-alias-fix.patch + +diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c +--- a/cmd/lib/secutil.c ++++ b/cmd/lib/secutil.c +@@ -4303,16 +4303,18 @@ static const struct SSLNamedGroupString + #ifndef NSS_DISABLE_KYBER + { NAME_AND_LEN("xyber76800"), ssl_grp_kem_xyber768d00 }, + #endif + { NAME_AND_LEN("x25519mlkem768"), ssl_grp_kem_mlkem768x25519 }, + { NAME_AND_LEN("secp256r1mlkem768"), ssl_grp_kem_secp256r1mlkem768 }, + { NAME_AND_LEN("secp384r1mlkem1024"), ssl_grp_kem_secp384r1mlkem1024 }, + // keep for compatibility + { NAME_AND_LEN("mlkem768x25519"), ssl_grp_kem_mlkem768x25519 }, ++ { NAME_AND_LEN("mlkem768secp256r1"), ssl_grp_kem_secp256r1mlkem768 }, ++ { NAME_AND_LEN("mlkem1024secp384r1"), ssl_grp_kem_secp384r1mlkem1024 }, + }; + + static const size_t sslNamedGroupStringLen = PR_ARRAY_SIZE(sslNamedGroupStringArray); + + static SSLNamedGroup + groupNameToNamedGroup(char *name) + { + int len = PL_strlen(name); +diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c +--- a/lib/pk11wrap/pk11pars.c ++++ b/lib/pk11wrap/pk11pars.c +@@ -255,16 +255,20 @@ static const oidValDef curveOptList[] = + { CIPHER_NAME("X25519MLKEM768"), SEC_OID_MLKEM768X25519, + NSS_USE_ALG_IN_SSL_KX }, + { CIPHER_NAME("SECP256R1MLKEM768"), SEC_OID_SECP256R1MLKEM768, + NSS_USE_ALG_IN_SSL_KX }, + { CIPHER_NAME("SECP384R1MLKEM1024"), SEC_OID_SECP384R1MLKEM1024, + NSS_USE_ALG_IN_SSL_KX }, + { CIPHER_NAME("MLKEM768X25519"), SEC_OID_MLKEM768X25519, + NSS_USE_ALG_IN_SSL_KX }, ++ { CIPHER_NAME("MLKEM768SECP256R1"), SEC_OID_SECP256R1MLKEM768, ++ NSS_USE_ALG_IN_SSL_KX }, ++ { CIPHER_NAME("MLKEM1024SECP384R1"), SEC_OID_SECP384R1MLKEM1024, ++ NSS_USE_ALG_IN_SSL_KX }, + /* ANSI X9.62 named elliptic curves (characteristic two field) */ + { CIPHER_NAME("C2PNB163V1"), SEC_OID_ANSIX962_EC_C2PNB163V1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2PNB163V2"), SEC_OID_ANSIX962_EC_C2PNB163V2, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2PNB163V3"), SEC_OID_ANSIX962_EC_C2PNB163V3, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2PNB176V1"), SEC_OID_ANSIX962_EC_C2PNB176V1, +@@ -467,21 +471,21 @@ static const oidValDef signOptList[] = { + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, + { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, + { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, + { CIPHER_NAME("ED25519"), SEC_OID_ED25519_PUBLIC_KEY, + NSS_USE_ALG_IN_SIGNATURE }, + { CIPHER_NAME("ML-DSA-44"), SEC_OID_ML_DSA_44, +- NSS_USE_ALG_IN_SIGNATURE }, ++ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, + { CIPHER_NAME("ML-DSA-65"), SEC_OID_ML_DSA_65, +- NSS_USE_ALG_IN_SIGNATURE }, ++ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, + { CIPHER_NAME("ML-DSA-87"), SEC_OID_ML_DSA_87, +- NSS_USE_ALG_IN_SIGNATURE }, ++ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, + }; + + typedef struct { + const oidValDef *list; + PRUint32 entries; + const char *description; + PRBool allowEmpty; + } algListsDef; diff --git a/nss-3.79-revert-distrusted-certs.patch b/nss-3.79-revert-distrusted-certs.patch new file mode 100644 index 0000000..8a607a3 --- /dev/null +++ b/nss-3.79-revert-distrusted-certs.patch @@ -0,0 +1,335 @@ +diff -up ./lib/ckfw/builtins/certdata.txt.revert-distrusted ./lib/ckfw/builtins/certdata.txt +--- ./lib/ckfw/builtins/certdata.txt.revert-distrusted 2022-05-26 02:54:33.000000000 -0700 ++++ ./lib/ckfw/builtins/certdata.txt 2022-06-24 10:51:32.035207662 -0700 +@@ -7668,6 +7668,187 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_ + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + # ++# Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2" ++# ++# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL ++# Serial Number: 268435455 (0xfffffff) ++# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL ++# Not Valid Before: Wed May 12 08:51:39 2010 ++# Not Valid After : Mon Mar 23 09:50:05 2020 ++# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C ++# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42 ++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2" ++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 ++CKA_SUBJECT MULTILINE_OCTAL ++\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 ++\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157 ++\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004 ++\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111 ++\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141 ++\156\151\163\141\164\151\145\040\055\040\107\062 ++END ++CKA_ID UTF8 "0" ++CKA_ISSUER MULTILINE_OCTAL ++\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 ++\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157 ++\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004 ++\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111 ++\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141 ++\156\151\163\141\164\151\145\040\055\040\107\062 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\004\017\377\377\377 ++END ++CKA_VALUE MULTILINE_OCTAL ++\060\202\006\225\060\202\004\175\240\003\002\001\002\002\004\017 ++\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\013 ++\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116 ++\114\061\027\060\025\006\003\125\004\012\014\016\104\151\147\151 ++\116\157\164\141\162\040\102\056\126\056\061\062\060\060\006\003 ++\125\004\003\014\051\104\151\147\151\116\157\164\141\162\040\120 ++\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\162 ++\147\141\156\151\163\141\164\151\145\040\055\040\107\062\060\036 ++\027\015\061\060\060\065\061\062\060\070\065\061\063\071\132\027 ++\015\062\060\060\063\062\063\060\071\065\060\060\065\132\060\132 ++\061\013\060\011\006\003\125\004\006\023\002\116\114\061\027\060 ++\025\006\003\125\004\012\014\016\104\151\147\151\116\157\164\141 ++\162\040\102\056\126\056\061\062\060\060\006\003\125\004\003\014 ++\051\104\151\147\151\116\157\164\141\162\040\120\113\111\157\166 ++\145\162\150\145\151\144\040\103\101\040\117\162\147\141\156\151 ++\163\141\164\151\145\040\055\040\107\062\060\202\002\042\060\015 ++\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002 ++\017\000\060\202\002\012\002\202\002\001\000\261\023\031\017\047 ++\346\154\324\125\206\113\320\354\211\212\105\221\170\254\107\275 ++\107\053\344\374\105\353\117\264\046\163\133\067\323\303\177\366 ++\343\336\327\243\370\055\150\305\010\076\113\224\326\344\207\045 ++\066\153\204\265\030\164\363\050\130\163\057\233\152\317\274\004 ++\036\366\336\335\257\374\113\252\365\333\146\142\045\001\045\202 ++\336\362\227\132\020\156\335\135\251\042\261\004\251\043\163\072 ++\370\161\255\035\317\204\104\353\107\321\257\155\310\174\050\253 ++\307\362\067\172\164\137\137\305\002\024\212\243\132\343\033\154 ++\001\343\135\216\331\150\326\364\011\033\062\334\221\265\054\365 ++\040\353\214\003\155\046\111\270\223\304\205\135\330\322\233\257 ++\126\152\314\005\063\314\240\102\236\064\125\104\234\153\240\324 ++\022\320\053\124\315\267\211\015\345\366\353\350\373\205\001\063 ++\117\172\153\361\235\162\063\226\016\367\262\204\245\245\047\304 ++\047\361\121\163\051\167\272\147\156\376\114\334\264\342\241\241 ++\201\057\071\111\215\103\070\023\316\320\245\134\302\207\072\000 ++\147\145\102\043\361\066\131\012\035\243\121\310\274\243\224\052 ++\061\337\343\074\362\235\032\074\004\260\357\261\012\060\023\163 ++\266\327\363\243\114\001\165\024\205\170\300\327\212\071\130\205 ++\120\372\056\346\305\276\317\213\077\257\217\066\324\045\011\055 ++\322\017\254\162\223\362\277\213\324\120\263\371\025\120\233\231 ++\365\024\331\373\213\221\243\062\046\046\240\370\337\073\140\201 ++\206\203\171\133\053\353\023\075\051\072\301\155\335\275\236\216 ++\207\326\112\256\064\227\005\356\024\246\366\334\070\176\112\351 ++\044\124\007\075\227\150\067\106\153\015\307\250\041\257\023\124 ++\344\011\152\361\115\106\012\311\135\373\233\117\275\336\373\267 ++\124\313\270\070\234\247\071\373\152\055\300\173\215\253\245\247 ++\127\354\112\222\212\063\305\341\040\134\163\330\220\222\053\200 ++\325\017\206\030\151\174\071\117\204\206\274\367\114\133\363\325 ++\264\312\240\302\360\067\042\312\171\122\037\123\346\252\363\220 ++\260\073\335\362\050\375\254\353\305\006\044\240\311\324\057\017 ++\130\375\265\236\354\017\317\262\131\320\242\004\172\070\152\256 ++\162\373\275\360\045\142\224\011\247\005\013\002\003\001\000\001 ++\243\202\001\141\060\202\001\135\060\110\006\003\125\035\040\004 ++\101\060\077\060\075\006\004\125\035\040\000\060\065\060\063\006 ++\010\053\006\001\005\005\007\002\001\026\047\150\164\164\160\072 ++\057\057\167\167\167\056\144\151\147\151\156\157\164\141\162\056 ++\156\154\057\143\160\163\057\160\153\151\157\166\145\162\150\145 ++\151\144\060\017\006\003\125\035\023\001\001\377\004\005\060\003 ++\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003 ++\002\001\006\060\201\205\006\003\125\035\043\004\176\060\174\200 ++\024\071\020\213\111\222\134\333\141\022\040\315\111\235\032\216 ++\332\234\147\100\271\241\136\244\134\060\132\061\013\060\011\006 ++\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004 ++\012\014\025\123\164\141\141\164\040\144\145\162\040\116\145\144 ++\145\162\154\141\156\144\145\156\061\053\060\051\006\003\125\004 ++\003\014\042\123\164\141\141\164\040\144\145\162\040\116\145\144 ++\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101 ++\040\055\040\107\062\202\004\000\230\226\364\060\111\006\003\125 ++\035\037\004\102\060\100\060\076\240\074\240\072\206\070\150\164 ++\164\160\072\057\057\143\162\154\056\160\153\151\157\166\145\162 ++\150\145\151\144\056\156\154\057\104\157\155\117\162\147\141\156 ++\151\163\141\164\151\145\114\141\164\145\163\164\103\122\114\055 ++\107\062\056\143\162\154\060\035\006\003\125\035\016\004\026\004 ++\024\274\135\224\073\331\253\173\003\045\163\141\302\333\055\356 ++\374\253\217\145\241\060\015\006\011\052\206\110\206\367\015\001 ++\001\013\005\000\003\202\002\001\000\217\374\055\114\267\331\055 ++\325\037\275\357\313\364\267\150\027\165\235\116\325\367\335\234 ++\361\052\046\355\237\242\266\034\003\325\123\263\354\010\317\064 ++\342\343\303\364\265\026\057\310\303\276\327\323\163\253\000\066 ++\371\032\112\176\326\143\351\136\106\272\245\266\216\025\267\243 ++\052\330\103\035\357\135\310\037\201\205\263\213\367\377\074\364 ++\331\364\106\010\077\234\274\035\240\331\250\114\315\045\122\116 ++\012\261\040\367\037\351\103\331\124\106\201\023\232\300\136\164 ++\154\052\230\062\352\374\167\273\015\245\242\061\230\042\176\174 ++\174\347\332\244\255\354\267\056\032\031\161\370\110\120\332\103 ++\217\054\204\335\301\100\047\343\265\360\025\116\226\324\370\134 ++\343\206\051\106\053\327\073\007\353\070\177\310\206\127\227\323 ++\357\052\063\304\027\120\325\144\151\153\053\153\105\136\135\057 ++\027\312\132\116\317\303\327\071\074\365\073\237\106\271\233\347 ++\016\111\227\235\326\325\343\033\017\352\217\001\116\232\023\224 ++\131\012\002\007\110\113\032\140\253\177\117\355\013\330\125\015 ++\150\157\125\234\151\145\025\102\354\300\334\335\154\254\303\026 ++\316\013\035\126\233\244\304\304\322\056\340\017\342\104\047\053 ++\120\151\244\334\142\350\212\041\051\102\154\314\000\072\226\166 ++\233\357\100\300\244\136\167\204\062\154\046\052\071\146\256\135 ++\343\271\271\262\054\150\037\036\232\220\003\071\360\252\263\244 ++\314\111\213\030\064\351\067\311\173\051\307\204\174\157\104\025 ++\057\354\141\131\004\311\105\313\242\326\122\242\174\177\051\222 ++\326\112\305\213\102\250\324\376\352\330\307\207\043\030\344\235 ++\172\175\163\100\122\230\240\256\156\343\005\077\005\017\340\245 ++\306\155\115\355\203\067\210\234\307\363\334\102\232\152\266\327 ++\041\111\066\167\362\357\030\117\305\160\331\236\351\336\267\053 ++\213\364\274\176\050\337\015\100\311\205\134\256\235\305\061\377 ++\320\134\016\265\250\176\360\351\057\272\257\210\256\345\265\321 ++\130\245\257\234\161\247\051\001\220\203\151\067\202\005\272\374 ++\011\301\010\156\214\170\073\303\063\002\200\077\104\205\010\035 ++\337\125\126\010\255\054\205\055\135\261\003\341\256\252\164\305 ++\244\363\116\272\067\230\173\202\271 ++END ++ ++# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2" ++# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL ++# Serial Number: 268435455 (0xfffffff) ++# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL ++# Not Valid Before: Wed May 12 08:51:39 2010 ++# Not Valid After : Mon Mar 23 09:50:05 2020 ++# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C ++# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42 ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2" ++CKA_CERT_SHA1_HASH MULTILINE_OCTAL ++\325\362\127\251\277\055\320\077\213\106\127\371\053\311\244\306 ++\222\341\102\102 ++END ++CKA_CERT_MD5_HASH MULTILINE_OCTAL ++\056\141\242\321\170\316\356\277\131\063\260\043\024\017\224\034 ++END ++CKA_ISSUER MULTILINE_OCTAL ++\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 ++\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157 ++\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004 ++\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111 ++\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141 ++\156\151\163\141\164\151\145\040\055\040\107\062 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\004\017\377\377\377 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ ++# + # Certificate "Security Communication RootCA2" + # + # Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP +@@ -8161,6 +8342,68 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_ + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + ++# Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929 ++# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US ++# Serial Number: 1800000005 (0x6b49d205) ++# Not Before: Apr 7 15:37:15 2011 GMT ++# Not After : Apr 4 15:37:15 2021 GMT ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "MITM subCA 1 issued by Trustwave" ++CKA_ISSUER MULTILINE_OCTAL ++\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123 ++\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156 ++\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150 ++\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030 ++\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156 ++\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004 ++\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147 ++\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156 ++\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060 ++\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141 ++\100\164\162\165\163\164\167\141\166\145\056\143\157\155 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\004\153\111\322\005 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ ++# Explicitly Distrust "MITM subCA 2 issued by Trustwave", Bug 724929 ++# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US ++# Serial Number: 1800000006 (0x6b49d206) ++# Not Before: Apr 18 21:09:30 2011 GMT ++# Not After : Apr 15 21:09:30 2021 GMT ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "MITM subCA 2 issued by Trustwave" ++CKA_ISSUER MULTILINE_OCTAL ++\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123 ++\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156 ++\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150 ++\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030 ++\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156 ++\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004 ++\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147 ++\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156 ++\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060 ++\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141 ++\100\164\162\165\163\164\167\141\166\145\056\143\157\155 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\004\153\111\322\006 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ + # + # Certificate "Actalis Authentication Root CA" + # +@@ -8804,6 +9047,74 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_ + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + ++# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022 ++# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri ++# Serial Number: 2087 (0x827) ++# Subject: CN=*.EGO.GOV.TR,OU=EGO BILGI ISLEM,O=EGO,L=ANKARA,ST=ANKARA,C=TR ++# Not Valid Before: Mon Aug 08 07:07:51 2011 ++# Not Valid After : Tue Jul 06 07:07:51 2021 ++# Fingerprint (MD5): F8:F5:25:FF:0C:31:CF:85:E1:0C:86:17:C1:CE:1F:8E ++# Fingerprint (SHA1): C6:9F:28:C8:25:13:9E:65:A6:46:C4:34:AC:A5:A1:D2:00:29:5D:B1 ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 1" ++CKA_ISSUER MULTILINE_OCTAL ++\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303 ++\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157 ++\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151 ++\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145 ++\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061 ++\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124 ++\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164 ++\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151 ++\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151 ++\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050 ++\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\002\010\047 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ ++# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 2", Bug 825022 ++# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri ++# Serial Number: 2148 (0x864) ++# Subject: E=ileti@kktcmerkezbankasi.org,CN=e-islem.kktcmerkezbankasi.org,O=KKTC Merkez Bankasi,L=Lefkosa,ST=Lefkosa,C=TR ++# Not Valid Before: Mon Aug 08 07:07:51 2011 ++# Not Valid After : Thu Aug 05 07:07:51 2021 ++# Fingerprint (MD5): BF:C3:EC:AD:0F:42:4F:B4:B5:38:DB:35:BF:AD:84:A2 ++# Fingerprint (SHA1): F9:2B:E5:26:6C:C0:5D:B2:DC:0D:C3:F2:DC:74:E0:2D:EF:D9:49:CB ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 2" ++CKA_ISSUER MULTILINE_OCTAL ++\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303 ++\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157 ++\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151 ++\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145 ++\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061 ++\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124 ++\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164 ++\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151 ++\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151 ++\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050 ++\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\002\010\144 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ + # + # Certificate "D-TRUST Root Class 3 CA 2 2009" + # diff --git a/nss.spec b/nss.spec index 5003ad0..f4e782e 100644 --- a/nss.spec +++ b/nss.spec @@ -3,7 +3,7 @@ # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only -%global baserelease 1 +%global baserelease 2 %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. This typically @@ -164,6 +164,7 @@ Patch35: nss-3.124-disable-ech.patch Patch36: nss-3.101-skip-ocsp-if-not-connected.patch # build crmf for now Patch37: nss-3.124-enable-crmf.patch +Patch38: nss-3.79-revert-distrusted-certs.patch # patches that expect to be upstreamed Patch40: nss-3.90-dh-test-update.patch @@ -188,6 +189,10 @@ Patch66: nss-3.124-ml-dsa-tls-test.patch Patch67: nss-3.118-ml-dsa-unittests.patch Patch68: nss-3.123-fix-mldsa-import-regeneration.patch +# rebase fixes +Patch70: nss-3.124-add-ml-kem-key-size-mech-info.patch +Patch71: nss-3.124-fix-pub-key-import-encapsulate.patch +Patch72: nss-3.124-ml-kem-alias-fix.patch # NSS reverse patches # no longer need this patch because all the builtins are @@ -1176,6 +1181,15 @@ fi %changelog +* Tue Jun 9 2026 Bob Relyea - 3.124.0-2 +- rebase fixes +- restore mlkem aliases +- add mlkem key lengths to the mechanism info +- fix crash if you try to encapsulate with an unimported + public key +- restore distrusted certs to certdata.txt even though we + never reference them to make tests happy. + * Tue Jun 2 2026 Bob Relyea - 3.124.0-1 - rebase to upstream NSS 3.124 - backport ml-dsa support that is not upstream yet.