Compare commits
No commits in common. "c8" and "c10s" have entirely different histories.
1
.fmf/version
Normal file
1
.fmf/version
Normal file
@ -0,0 +1 @@
|
||||
1
|
98
.gitignore
vendored
98
.gitignore
vendored
@ -1,6 +1,92 @@
|
||||
SOURCES/blank-cert8.db
|
||||
SOURCES/blank-cert9.db
|
||||
SOURCES/blank-key3.db
|
||||
SOURCES/blank-key4.db
|
||||
SOURCES/blank-secmod.db
|
||||
SOURCES/nss-3.101.tar.gz
|
||||
blank-cert8.db
|
||||
blank-key3.db
|
||||
blank-secmod.db
|
||||
blank-cert9.db
|
||||
blank-key4.db
|
||||
PayPalEE.cert
|
||||
TestCA.ca.cert
|
||||
TestUser50.cert
|
||||
TestUser51.cert
|
||||
/PayPalRootCA.cert
|
||||
/PayPalICA.cert
|
||||
/nss-3.25.0.tar.gz
|
||||
/nss-3.26.0.tar.gz
|
||||
/nss-3.27.0.tar.gz
|
||||
/nss-3.27.2.tar.gz
|
||||
/nss-3.28.1.tar.gz
|
||||
/nss-3.29.0.tar.gz
|
||||
/nss-3.29.1.tar.gz
|
||||
/nss-3.30.0.tar.gz
|
||||
/nss-3.30.2.tar.gz
|
||||
/nss-3.31.0.tar.gz
|
||||
/nss-3.32.0.tar.gz
|
||||
/nss-3.32.1.tar.gz
|
||||
/nss-3.33.0.tar.gz
|
||||
/nss-3.34.0.tar.gz
|
||||
/nss-3.35.0.tar.gz
|
||||
/nss-3.36.0.tar.gz
|
||||
/nss-3.36.1.tar.gz
|
||||
/nss-3.37.1.tar.gz
|
||||
/nss-3.37.3.tar.gz
|
||||
/nss-3.38.0.tar.gz
|
||||
/nss-3.39.tar.gz
|
||||
/nss-3.40.1.tar.gz
|
||||
/nss-3.41.tar.gz
|
||||
/nss-3.42.tar.gz
|
||||
/nss-3.42.1.tar.gz
|
||||
/nss-3.43.tar.gz
|
||||
/nss-3.44.tar.gz
|
||||
/nss-3.44.1.tar.gz
|
||||
/nss-3.45.tar.gz
|
||||
/nss-3.46.tar.gz
|
||||
/nss-3.46.1.tar.gz
|
||||
/nss-3.47.tar.gz
|
||||
/nss-3.47.1.tar.gz
|
||||
/nss-3.48.tar.gz
|
||||
/nss-3.49.tar.gz
|
||||
/nss-3.49.2.tar.gz
|
||||
/nss-3.50.tar.gz
|
||||
/nss-3.51.tar.gz
|
||||
/nss-3.51.1.tar.gz
|
||||
/nss-3.52.tar.gz
|
||||
/nss-3.53.tar.gz
|
||||
/nss-3.54.tar.gz
|
||||
/nss-3.55.tar.gz
|
||||
/nss-3.56.tar.gz
|
||||
/nss-3.57.tar.gz
|
||||
/nss-3.58.tar.gz
|
||||
/nspr-4.29.tar.gz
|
||||
/nss-3.59.tar.gz
|
||||
/nss-3.60.1.tar.gz
|
||||
/nss-3.62.tar.gz
|
||||
/nss-3.63.tar.gz
|
||||
/nspr-4.30.tar.gz
|
||||
/nss-3.65.tar.gz
|
||||
/nss-3.67.tar.gz
|
||||
/nspr-4.31.tar.gz
|
||||
/nss-3.69.tar.gz
|
||||
/nspr-4.32.tar.gz
|
||||
/nss-3.71.tar.gz
|
||||
/nss-3.73.tar.gz
|
||||
/nss-3.75.tar.gz
|
||||
/nss-3.77.tar.gz
|
||||
/nss-3.79.tar.gz
|
||||
/nspr-4.34.tar.gz
|
||||
/nss-3.81.tar.gz
|
||||
/nss-3.83.tar.gz
|
||||
/nspr-4.35.tar.gz
|
||||
/nss-3.85.tar.gz
|
||||
/nss-3.87.tar.gz
|
||||
/nss-3.88.1.tar.gz
|
||||
/nss-3.89.tar.gz
|
||||
/nss-3.89-with-nspr-4.35.tar.gz
|
||||
/nss-3.90-with-nspr-4.35.tar.gz
|
||||
/nss-3.91-with-nspr-4.35.tar.gz
|
||||
/nss-3.92-with-nspr-4.35.tar.gz
|
||||
/nss-3.93-with-nspr-4.35.tar.gz
|
||||
/nss-3.94-with-nspr-4.35.tar.gz
|
||||
/nss-3.95-with-nspr-4.35.tar.gz
|
||||
/nss-3.96-with-nspr-4.35.tar.gz
|
||||
/nss-3.96.1-with-nspr-4.35.tar.gz
|
||||
/nss-3.97-with-nspr-4.35.tar.gz
|
||||
/nss-3.101-with-nspr-4.35.tar.gz
|
||||
|
@ -1,6 +0,0 @@
|
||||
d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
|
||||
b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
|
||||
7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
|
||||
f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
|
||||
bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
|
||||
90f6f1d5440e7cc72cd27f2ecf2e8f3f680a00aa SOURCES/nss-3.101.tar.gz
|
@ -1,59 +0,0 @@
|
||||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="cert8.db">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>cert8.db</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>cert8.db</refname>
|
||||
<refpurpose>Legacy NSS certificate database</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para><emphasis>cert8.db</emphasis> is an NSS certificate database.</para>
|
||||
<para>This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/etc/pki/nssdb/cert8.db</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
|
||||
</refsection>
|
||||
|
||||
|
||||
</refentry>
|
@ -1,59 +0,0 @@
|
||||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="key3.db">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>key3.db</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>key3.db</refname>
|
||||
<refpurpose>Legacy NSS certificate database</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para><emphasis>key3.db</emphasis> is an NSS certificate database.</para>
|
||||
<para>This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which which are the new sqlite-based shared database format with support for concurrent access.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/etc/pki/nssdb/key3.db</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
|
||||
</refsection>
|
||||
|
||||
|
||||
</refentry>
|
@ -1,133 +0,0 @@
|
||||
diff --git a/lib/certhigh/certvfypkix.c b/lib/certhigh/certvfypkix.c
|
||||
--- a/lib/certhigh/certvfypkix.c
|
||||
+++ b/lib/certhigh/certvfypkix.c
|
||||
@@ -37,11 +37,11 @@
|
||||
pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable);
|
||||
|
||||
PRInt32 parallelFnInvocationCount;
|
||||
#endif /* PKIX_OBJECT_LEAK_TEST */
|
||||
|
||||
-static PRBool usePKIXValidationEngine = PR_FALSE;
|
||||
+static PRBool usePKIXValidationEngine = PR_TRUE;
|
||||
#endif /* NSS_DISABLE_LIBPKIX */
|
||||
|
||||
/*
|
||||
* FUNCTION: CERT_SetUsePKIXForValidation
|
||||
* DESCRIPTION:
|
||||
diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
||||
--- a/lib/nss/nssinit.c
|
||||
+++ b/lib/nss/nssinit.c
|
||||
@@ -762,13 +762,13 @@
|
||||
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
|
||||
|
||||
if (pkixError != NULL) {
|
||||
goto loser;
|
||||
} else {
|
||||
- char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
|
||||
+ char *ev = PR_GetEnvSecure("NSS_DISABLE_PKIX_VERIFY");
|
||||
if (ev && ev[0]) {
|
||||
- CERT_SetUsePKIXForValidation(PR_TRUE);
|
||||
+ CERT_SetUsePKIXForValidation(PR_FALSE);
|
||||
}
|
||||
}
|
||||
#endif /* NSS_DISABLE_LIBPKIX */
|
||||
}
|
||||
|
||||
diff --git a/tests/all.sh b/tests/all.sh
|
||||
--- a/tests/all.sh
|
||||
+++ b/tests/all.sh
|
||||
@@ -141,17 +141,22 @@
|
||||
########################################################################
|
||||
run_cycle_standard()
|
||||
{
|
||||
TEST_MODE=STANDARD
|
||||
|
||||
+ NSS_DISABLE_LIBPKIX_VERIFY="1"
|
||||
+ export NSS_DISABLE_LIBPKIX_VERIFY
|
||||
+
|
||||
TESTS="${ALL_TESTS}"
|
||||
TESTS_SKIP="libpkix pkits"
|
||||
|
||||
NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE:-"sql"}
|
||||
export NSS_DEFAULT_DB_TYPE
|
||||
|
||||
run_tests
|
||||
+
|
||||
+ unset NSS_DISABLE_LIBPKIX_VERIFY
|
||||
}
|
||||
|
||||
############################ run_cycle_pkix ############################
|
||||
# run test suites with PKIX enabled
|
||||
########################################################################
|
||||
@@ -165,13 +170,10 @@
|
||||
|
||||
HOSTDIR="${HOSTDIR}/pkix"
|
||||
mkdir -p "${HOSTDIR}"
|
||||
init_directories
|
||||
|
||||
- NSS_ENABLE_PKIX_VERIFY="1"
|
||||
- export NSS_ENABLE_PKIX_VERIFY
|
||||
-
|
||||
TESTS="${ALL_TESTS}"
|
||||
TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit"
|
||||
|
||||
export -n NSS_SSL_RUN
|
||||
|
||||
diff --git a/tests/common/init.sh b/tests/common/init.sh
|
||||
--- a/tests/common/init.sh
|
||||
+++ b/tests/common/init.sh
|
||||
@@ -138,12 +138,12 @@
|
||||
echo "NSS_TEST_DISABLE_CRL=${NSS_TEST_DISABLE_CRL}"
|
||||
echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\""
|
||||
echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
|
||||
echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}"
|
||||
echo "export NSS_DEFAULT_DB_TYPE"
|
||||
- echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}"
|
||||
- echo "export NSS_ENABLE_PKIX_VERIFY"
|
||||
+ echo "NSS_DISABLE_PKIX_VERIFY=${NSS_DISABLE_PKIX_VERIFY}"
|
||||
+ echo "export NSS_DISABLE_PKIX_VERIFY"
|
||||
echo "init_directories"
|
||||
}
|
||||
|
||||
# Exit shellfunction to clean up at exit (error, regular or signal)
|
||||
Exit()
|
||||
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
|
||||
--- a/tests/ssl/ssl.sh
|
||||
+++ b/tests/ssl/ssl.sh
|
||||
@@ -960,13 +960,12 @@
|
||||
ssl_policy_pkix_ocsp()
|
||||
{
|
||||
#verbose="-v"
|
||||
html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
|
||||
|
||||
- PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"}
|
||||
- NSS_ENABLE_PKIX_VERIFY="1"
|
||||
- export NSS_ENABLE_PKIX_VERIFY
|
||||
+ PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"}
|
||||
+ unset NSS_DISABLE_LIBPKIX_VERIFY
|
||||
|
||||
testname=""
|
||||
|
||||
if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then
|
||||
html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized"
|
||||
@@ -987,16 +986,14 @@
|
||||
grep 12276 ${P_R_SERVERDIR}/vfy.out
|
||||
RET=$?
|
||||
html_msg $RET $RET_EXP "${testname}" \
|
||||
"produced a returncode of $RET, expected is $RET_EXP"
|
||||
|
||||
- if [ "${PKIX_SAVE}" = "unset" ]; then
|
||||
- unset NSS_ENABLE_PKIX_VERIFY
|
||||
- else
|
||||
- NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE}
|
||||
- export NSS_ENABLE_PKIX_VERIFY
|
||||
+ if [ "{PKIX_SAVE}" != "unset" ]; then
|
||||
+ export NSS_DISABLE_LIBPKIX_VERIFY=${PKIX_SAVE}
|
||||
fi
|
||||
+
|
||||
cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
|
||||
|
||||
html "</TABLE><BR>"
|
||||
|
||||
}
|
||||
|
@ -1,45 +0,0 @@
|
||||
diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c
|
||||
--- ./lib/pk11wrap/pk11pars.c.no_signature_policy 2023-06-21 08:54:54.802785229 +0200
|
||||
+++ ./lib/pk11wrap/pk11pars.c 2023-06-21 08:58:24.748282499 +0200
|
||||
@@ -395,12 +395,9 @@ static const oidValDef signOptList[] = {
|
||||
/* Signatures */
|
||||
{ CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
- { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
- { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
- { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
+ { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION, 0},
|
||||
+ { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0},
|
||||
+ { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY, 0},
|
||||
{ CIPHER_NAME("ED25519"), SEC_OID_ED25519_PUBLIC_KEY,
|
||||
NSS_USE_ALG_IN_SIGNATURE },
|
||||
};
|
||||
|
||||
typedef struct {
|
||||
@@ -416,7 +413,7 @@ static const algListsDef algOptLists[] =
|
||||
{ macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
|
||||
{ cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
|
||||
{ kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
|
||||
{ smimeKxOptList, PR_ARRAY_SIZE(smimeKxOptList), "SMIME-KX", PR_TRUE },
|
||||
- { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
|
||||
+ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
|
||||
};
|
||||
|
||||
static const optionFreeDef sslOptList[] = {
|
||||
diff -up ./tests/ssl/sslpolicy.txt.no_signature_policy ./tests/ssl/sslpolicy.txt
|
||||
--- ./tests/ssl/sslpolicy.txt.no_signature_policy 2023-06-21 09:00:17.720181306 +0200
|
||||
+++ ./tests/ssl/sslpolicy.txt 2023-06-21 09:00:55.637501208 +0200
|
||||
@@ -193,7 +193,9 @@
|
||||
1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow
|
||||
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
|
||||
0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly
|
||||
- 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
|
||||
+# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
|
||||
+# compatibility reasons
|
||||
+# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
|
||||
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
|
||||
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
||||
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
|
@ -1,24 +0,0 @@
|
||||
diff -up ./tests/ec/ectest.sh.dbm ./tests/ec/ectest.sh
|
||||
--- ./tests/ec/ectest.sh.dbm 2024-06-18 14:53:51.201438651 -0700
|
||||
+++ ./tests/ec/ectest.sh 2024-06-18 14:56:09.993993637 -0700
|
||||
@@ -45,12 +45,20 @@ ectest_genkeydb_test()
|
||||
if [ $? -ne 0 ]; then
|
||||
return $?
|
||||
fi
|
||||
+ if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
curves=( \
|
||||
"curve25519" \
|
||||
"secp256r1" \
|
||||
"secp384r1" \
|
||||
"secp521r1" \
|
||||
)
|
||||
+ else
|
||||
+ curves=( \
|
||||
+ "secp256r1" \
|
||||
+ "secp384r1" \
|
||||
+ "secp521r1" \
|
||||
+ )
|
||||
+ fi
|
||||
for curve in "${curves[@]}"; do
|
||||
echo "Test $curve key generation using certutil ..."
|
||||
certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE}
|
@ -1,89 +0,0 @@
|
||||
diff -up ./lib/pkcs12/p12plcy.c.no_p12_smime_policy ./lib/pkcs12/p12plcy.c
|
||||
--- ./lib/pkcs12/p12plcy.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/pkcs12/p12plcy.c 2024-07-17 11:26:00.334836451 -0700
|
||||
@@ -37,6 +37,7 @@ static pkcs12SuiteMap pkcs12SuiteMaps[]
|
||||
static PRBool
|
||||
sec_PKCS12Allowed(SECOidTag alg, PRUint32 needed)
|
||||
{
|
||||
+#ifdef notdef
|
||||
PRUint32 policy;
|
||||
SECStatus rv;
|
||||
|
||||
@@ -48,6 +49,9 @@ sec_PKCS12Allowed(SECOidTag alg, PRUint3
|
||||
return PR_TRUE;
|
||||
}
|
||||
return PR_FALSE;
|
||||
+#else
|
||||
+ return PR_TRUE;
|
||||
+#endif
|
||||
}
|
||||
|
||||
PRBool
|
||||
diff -up ./lib/smime/smimeutil.c.no_p12_smime_policy ./lib/smime/smimeutil.c
|
||||
--- ./lib/smime/smimeutil.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/smime/smimeutil.c 2024-07-17 11:27:04.716617111 -0700
|
||||
@@ -202,6 +202,7 @@ smime_get_policy_tag_from_key_length(SEC
|
||||
PRBool
|
||||
smime_allowed_by_policy(SECOidTag algtag, PRUint32 neededPolicy)
|
||||
{
|
||||
+#ifdef notdef
|
||||
PRUint32 policyFlags;
|
||||
|
||||
/* some S/MIME algs map to the same underlying KEA mechanism,
|
||||
@@ -221,6 +222,7 @@ smime_allowed_by_policy(SECOidTag algtag
|
||||
PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM);
|
||||
return PR_FALSE;
|
||||
}
|
||||
+#endif
|
||||
return PR_TRUE;
|
||||
}
|
||||
|
||||
@@ -485,6 +487,7 @@ smime_init_once(void *arg)
|
||||
return PR_FAILURE;
|
||||
}
|
||||
|
||||
+#ifdef notdef
|
||||
/* At initialization time, we need to set up the defaults. We first
|
||||
* look to see if the system or application has set up certain algorithms
|
||||
* by policy. If they have set up values by policy we'll only allow those
|
||||
@@ -497,6 +500,11 @@ smime_init_once(void *arg)
|
||||
PORT_Free(tags);
|
||||
tags = NULL;
|
||||
}
|
||||
+#else
|
||||
+ /* just initialize the old maps */
|
||||
+ rv = SECSuccess;
|
||||
+ tagCount = 0;
|
||||
+#endif
|
||||
if ((rv != SECSuccess) || (tagCount == 0)) {
|
||||
/* No algorithms have been enabled by policy (either by the system
|
||||
* or by the application, we then will use the traditional default
|
||||
diff -up ./smime/smime.sh.no_p12_smime_policy ./smime/smime.sh
|
||||
--- ./tests/smime/smime.sh.no_p12_smime_policy 2024-07-17 12:27:36.262106070 -0
|
||||
700
|
||||
+++ ./tests/smime/smime.sh 2024-07-17 12:29:08.251207306 -0700
|
||||
@@ -872,8 +872,8 @@ smime_init
|
||||
smime_main
|
||||
smime_data_tb
|
||||
smime_p7
|
||||
-if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
- smime_policy
|
||||
-fi
|
||||
+#if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
+# smime_policy
|
||||
+#fi
|
||||
smime_cleanup
|
||||
|
||||
diff -up ./tools/tools.sh.no_p12_smime_policy ./tools/tools.sh
|
||||
--- ./tests/tools/tools.sh.no_p12_smime_policy 2024-07-17 12:27:36.262106070 -0
|
||||
700
|
||||
+++ ./tests/tools/tools.sh 2024-07-17 12:28:32.418778346 -0700
|
||||
@@ -586,7 +586,7 @@ tools_p12()
|
||||
tools_p12_import_pbmac1_samples
|
||||
if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
tools_p12_import_rsa_pss_private_key
|
||||
- tools_p12_policy
|
||||
+#tools_p12_policy
|
||||
fi
|
||||
}
|
||||
|
@ -1,58 +0,0 @@
|
||||
diff -up ./cmd/pk12util/pk12util.c.orig ./cmd/pk12util/pk12util.c
|
||||
--- ./cmd/pk12util/pk12util.c.orig 2021-05-28 02:50:43.000000000 -0700
|
||||
+++ ./cmd/pk12util/pk12util.c 2021-06-15 17:05:37.200262345 -0700
|
||||
@@ -1031,9 +1031,11 @@ main(int argc, char **argv)
|
||||
char *export_file = NULL;
|
||||
char *dbprefix = "";
|
||||
SECStatus rv;
|
||||
- SECOidTag cipher = SEC_OID_AES_256_CBC;
|
||||
- SECOidTag hash = SEC_OID_SHA256;
|
||||
- SECOidTag certCipher = SEC_OID_AES_128_CBC;
|
||||
+ SECOidTag cipher =
|
||||
+ SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC;
|
||||
+ SECOidTag hash = SEC_OID_SHA1;
|
||||
+ SECOidTag certCipher =
|
||||
+ SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
|
||||
int keyLen = 0;
|
||||
int certKeyLen = 0;
|
||||
secuCommand pk12util;
|
||||
@@ -1147,6 +1149,9 @@ main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
|
||||
+ if (PK11_IsFIPS()) {
|
||||
+ certCipher = SEC_OID_UNKNOWN;
|
||||
+ }
|
||||
if (pk12util.options[opt_CertCipher].activated) {
|
||||
char *cipherString = pk12util.options[opt_CertCipher].arg;
|
||||
|
||||
--- ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default 2024-07-18 08:26:35.7732
|
||||
48450 -0700
|
||||
+++ ./cmd/pk12util/pk12util.c 2024-07-18 08:27:05.796595554 -0700
|
||||
@@ -1165,10 +1165,6 @@ main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
- /* in FIPS mode default to encoding with pkcs5v2 for the MAC */
|
||||
- if (PK11_IsFIPS()) {
|
||||
- hash = SEC_OID_HMAC_SHA256;
|
||||
- }
|
||||
if (pk12util.options[opt_Mac].activated) {
|
||||
char *hashString = pk12util.options[opt_Mac].arg;
|
||||
|
||||
diff -up ./tests/tools/tools.sh.orig ./tests/tools/tools.sh
|
||||
--- ./tests/tools/tools.sh.orig 2021-06-15 17:06:27.650564449 -0700
|
||||
+++ ./tests/tools/tools.sh 2021-06-15 17:07:59.934117192 -0700
|
||||
@@ -47,9 +47,9 @@
|
||||
"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC"
|
||||
|
||||
# if we change the defaults in pk12util, update these variables
|
||||
- export CERT_ENCRYPTION_DEFAULT="AES-128-CBC"
|
||||
- export KEY_ENCRYPTION_DEFAULT="AES-256-CBC"
|
||||
- export HASH_DEFAULT="SHA-256"
|
||||
+ export CERT_ENCRYPTION_DEFAULT=${pkcs12v2pbeWithSha1And40BitRc2Cbc}
|
||||
+ export KEY_ENCRYPTION_DEFAULT=${pkcs12v2pbeWithSha1AndTripleDESCBC}
|
||||
+ export HASH_DEFAULT="SHA-1"
|
||||
|
||||
export PKCS5v1_PBE_CIPHERS="${pkcs5pbeWithMD2AndDEScbc},\
|
||||
${pkcs5pbeWithMD5AndDEScbc},\
|
@ -1,14 +0,0 @@
|
||||
diff -up ./tests/ssl/ssl.sh.brew ./tests/ssl/ssl.sh
|
||||
--- ./tests/ssl/ssl.sh.brew 2021-06-12 11:37:46.153265942 -0700
|
||||
+++ ./tests/ssl/ssl.sh 2021-06-12 11:39:43.069925034 -0700
|
||||
@@ -1641,7 +1641,9 @@ ssl_run_tests()
|
||||
if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
ssl_policy_listsuites
|
||||
ssl_policy_selfserv
|
||||
- ssl_policy_pkix_ocsp
|
||||
+ # requires access to external servers, which fails
|
||||
+ # when running in brew
|
||||
+ #ssl_policy_pkix_ocsp
|
||||
ssl_policy
|
||||
fi
|
||||
;;
|
@ -1,25 +0,0 @@
|
||||
diff -up ./cmd/pk12util/pk12util.c.pkcs12_fips_defaults ./cmd/pk12util/pk12util.c
|
||||
--- ./cmd/pk12util/pk12util.c.pkcs12_fips_defaults 2022-07-20 13:40:24.152212683 -0700
|
||||
+++ ./cmd/pk12util/pk12util.c 2022-07-20 13:42:40.031094190 -0700
|
||||
@@ -1146,6 +1146,11 @@ main(int argc, char **argv)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ if (PK11_IsFIPS()) {
|
||||
+ cipher = SEC_OID_AES_256_CBC;
|
||||
+ certCipher = SEC_OID_AES_128_CBC;
|
||||
+ }
|
||||
+
|
||||
if (pk12util.options[opt_Cipher].activated) {
|
||||
char *cipherString = pk12util.options[opt_Cipher].arg;
|
||||
|
||||
@@ -1160,9 +1165,6 @@ main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
|
||||
- if (PK11_IsFIPS()) {
|
||||
- certCipher = SEC_OID_UNKNOWN;
|
||||
- }
|
||||
if (pk12util.options[opt_CertCipher].activated) {
|
||||
char *cipherString = pk12util.options[opt_CertCipher].arg;
|
||||
|
@ -1,335 +0,0 @@
|
||||
diff -up ./lib/ckfw/builtins/certdata.txt.revert-distrusted ./lib/ckfw/builtins/certdata.txt
|
||||
--- ./lib/ckfw/builtins/certdata.txt.revert-distrusted 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./lib/ckfw/builtins/certdata.txt 2022-06-24 10:51:32.035207662 -0700
|
||||
@@ -7668,6 +7668,187 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
#
|
||||
+# Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
+#
|
||||
+# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||
+# Serial Number: 268435455 (0xfffffff)
|
||||
+# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||
+# Not Valid Before: Wed May 12 08:51:39 2010
|
||||
+# Not Valid After : Mon Mar 23 09:50:05 2020
|
||||
+# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
|
||||
+# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
|
||||
+CKA_SUBJECT MULTILINE_OCTAL
|
||||
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
|
||||
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
|
||||
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
|
||||
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
|
||||
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
|
||||
+\156\151\163\141\164\151\145\040\055\040\107\062
|
||||
+END
|
||||
+CKA_ID UTF8 "0"
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
|
||||
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
|
||||
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
|
||||
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
|
||||
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
|
||||
+\156\151\163\141\164\151\145\040\055\040\107\062
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\004\017\377\377\377
|
||||
+END
|
||||
+CKA_VALUE MULTILINE_OCTAL
|
||||
+\060\202\006\225\060\202\004\175\240\003\002\001\002\002\004\017
|
||||
+\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\013
|
||||
+\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116
|
||||
+\114\061\027\060\025\006\003\125\004\012\014\016\104\151\147\151
|
||||
+\116\157\164\141\162\040\102\056\126\056\061\062\060\060\006\003
|
||||
+\125\004\003\014\051\104\151\147\151\116\157\164\141\162\040\120
|
||||
+\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\162
|
||||
+\147\141\156\151\163\141\164\151\145\040\055\040\107\062\060\036
|
||||
+\027\015\061\060\060\065\061\062\060\070\065\061\063\071\132\027
|
||||
+\015\062\060\060\063\062\063\060\071\065\060\060\065\132\060\132
|
||||
+\061\013\060\011\006\003\125\004\006\023\002\116\114\061\027\060
|
||||
+\025\006\003\125\004\012\014\016\104\151\147\151\116\157\164\141
|
||||
+\162\040\102\056\126\056\061\062\060\060\006\003\125\004\003\014
|
||||
+\051\104\151\147\151\116\157\164\141\162\040\120\113\111\157\166
|
||||
+\145\162\150\145\151\144\040\103\101\040\117\162\147\141\156\151
|
||||
+\163\141\164\151\145\040\055\040\107\062\060\202\002\042\060\015
|
||||
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002
|
||||
+\017\000\060\202\002\012\002\202\002\001\000\261\023\031\017\047
|
||||
+\346\154\324\125\206\113\320\354\211\212\105\221\170\254\107\275
|
||||
+\107\053\344\374\105\353\117\264\046\163\133\067\323\303\177\366
|
||||
+\343\336\327\243\370\055\150\305\010\076\113\224\326\344\207\045
|
||||
+\066\153\204\265\030\164\363\050\130\163\057\233\152\317\274\004
|
||||
+\036\366\336\335\257\374\113\252\365\333\146\142\045\001\045\202
|
||||
+\336\362\227\132\020\156\335\135\251\042\261\004\251\043\163\072
|
||||
+\370\161\255\035\317\204\104\353\107\321\257\155\310\174\050\253
|
||||
+\307\362\067\172\164\137\137\305\002\024\212\243\132\343\033\154
|
||||
+\001\343\135\216\331\150\326\364\011\033\062\334\221\265\054\365
|
||||
+\040\353\214\003\155\046\111\270\223\304\205\135\330\322\233\257
|
||||
+\126\152\314\005\063\314\240\102\236\064\125\104\234\153\240\324
|
||||
+\022\320\053\124\315\267\211\015\345\366\353\350\373\205\001\063
|
||||
+\117\172\153\361\235\162\063\226\016\367\262\204\245\245\047\304
|
||||
+\047\361\121\163\051\167\272\147\156\376\114\334\264\342\241\241
|
||||
+\201\057\071\111\215\103\070\023\316\320\245\134\302\207\072\000
|
||||
+\147\145\102\043\361\066\131\012\035\243\121\310\274\243\224\052
|
||||
+\061\337\343\074\362\235\032\074\004\260\357\261\012\060\023\163
|
||||
+\266\327\363\243\114\001\165\024\205\170\300\327\212\071\130\205
|
||||
+\120\372\056\346\305\276\317\213\077\257\217\066\324\045\011\055
|
||||
+\322\017\254\162\223\362\277\213\324\120\263\371\025\120\233\231
|
||||
+\365\024\331\373\213\221\243\062\046\046\240\370\337\073\140\201
|
||||
+\206\203\171\133\053\353\023\075\051\072\301\155\335\275\236\216
|
||||
+\207\326\112\256\064\227\005\356\024\246\366\334\070\176\112\351
|
||||
+\044\124\007\075\227\150\067\106\153\015\307\250\041\257\023\124
|
||||
+\344\011\152\361\115\106\012\311\135\373\233\117\275\336\373\267
|
||||
+\124\313\270\070\234\247\071\373\152\055\300\173\215\253\245\247
|
||||
+\127\354\112\222\212\063\305\341\040\134\163\330\220\222\053\200
|
||||
+\325\017\206\030\151\174\071\117\204\206\274\367\114\133\363\325
|
||||
+\264\312\240\302\360\067\042\312\171\122\037\123\346\252\363\220
|
||||
+\260\073\335\362\050\375\254\353\305\006\044\240\311\324\057\017
|
||||
+\130\375\265\236\354\017\317\262\131\320\242\004\172\070\152\256
|
||||
+\162\373\275\360\045\142\224\011\247\005\013\002\003\001\000\001
|
||||
+\243\202\001\141\060\202\001\135\060\110\006\003\125\035\040\004
|
||||
+\101\060\077\060\075\006\004\125\035\040\000\060\065\060\063\006
|
||||
+\010\053\006\001\005\005\007\002\001\026\047\150\164\164\160\072
|
||||
+\057\057\167\167\167\056\144\151\147\151\156\157\164\141\162\056
|
||||
+\156\154\057\143\160\163\057\160\153\151\157\166\145\162\150\145
|
||||
+\151\144\060\017\006\003\125\035\023\001\001\377\004\005\060\003
|
||||
+\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003
|
||||
+\002\001\006\060\201\205\006\003\125\035\043\004\176\060\174\200
|
||||
+\024\071\020\213\111\222\134\333\141\022\040\315\111\235\032\216
|
||||
+\332\234\147\100\271\241\136\244\134\060\132\061\013\060\011\006
|
||||
+\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004
|
||||
+\012\014\025\123\164\141\141\164\040\144\145\162\040\116\145\144
|
||||
+\145\162\154\141\156\144\145\156\061\053\060\051\006\003\125\004
|
||||
+\003\014\042\123\164\141\141\164\040\144\145\162\040\116\145\144
|
||||
+\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101
|
||||
+\040\055\040\107\062\202\004\000\230\226\364\060\111\006\003\125
|
||||
+\035\037\004\102\060\100\060\076\240\074\240\072\206\070\150\164
|
||||
+\164\160\072\057\057\143\162\154\056\160\153\151\157\166\145\162
|
||||
+\150\145\151\144\056\156\154\057\104\157\155\117\162\147\141\156
|
||||
+\151\163\141\164\151\145\114\141\164\145\163\164\103\122\114\055
|
||||
+\107\062\056\143\162\154\060\035\006\003\125\035\016\004\026\004
|
||||
+\024\274\135\224\073\331\253\173\003\045\163\141\302\333\055\356
|
||||
+\374\253\217\145\241\060\015\006\011\052\206\110\206\367\015\001
|
||||
+\001\013\005\000\003\202\002\001\000\217\374\055\114\267\331\055
|
||||
+\325\037\275\357\313\364\267\150\027\165\235\116\325\367\335\234
|
||||
+\361\052\046\355\237\242\266\034\003\325\123\263\354\010\317\064
|
||||
+\342\343\303\364\265\026\057\310\303\276\327\323\163\253\000\066
|
||||
+\371\032\112\176\326\143\351\136\106\272\245\266\216\025\267\243
|
||||
+\052\330\103\035\357\135\310\037\201\205\263\213\367\377\074\364
|
||||
+\331\364\106\010\077\234\274\035\240\331\250\114\315\045\122\116
|
||||
+\012\261\040\367\037\351\103\331\124\106\201\023\232\300\136\164
|
||||
+\154\052\230\062\352\374\167\273\015\245\242\061\230\042\176\174
|
||||
+\174\347\332\244\255\354\267\056\032\031\161\370\110\120\332\103
|
||||
+\217\054\204\335\301\100\047\343\265\360\025\116\226\324\370\134
|
||||
+\343\206\051\106\053\327\073\007\353\070\177\310\206\127\227\323
|
||||
+\357\052\063\304\027\120\325\144\151\153\053\153\105\136\135\057
|
||||
+\027\312\132\116\317\303\327\071\074\365\073\237\106\271\233\347
|
||||
+\016\111\227\235\326\325\343\033\017\352\217\001\116\232\023\224
|
||||
+\131\012\002\007\110\113\032\140\253\177\117\355\013\330\125\015
|
||||
+\150\157\125\234\151\145\025\102\354\300\334\335\154\254\303\026
|
||||
+\316\013\035\126\233\244\304\304\322\056\340\017\342\104\047\053
|
||||
+\120\151\244\334\142\350\212\041\051\102\154\314\000\072\226\166
|
||||
+\233\357\100\300\244\136\167\204\062\154\046\052\071\146\256\135
|
||||
+\343\271\271\262\054\150\037\036\232\220\003\071\360\252\263\244
|
||||
+\314\111\213\030\064\351\067\311\173\051\307\204\174\157\104\025
|
||||
+\057\354\141\131\004\311\105\313\242\326\122\242\174\177\051\222
|
||||
+\326\112\305\213\102\250\324\376\352\330\307\207\043\030\344\235
|
||||
+\172\175\163\100\122\230\240\256\156\343\005\077\005\017\340\245
|
||||
+\306\155\115\355\203\067\210\234\307\363\334\102\232\152\266\327
|
||||
+\041\111\066\167\362\357\030\117\305\160\331\236\351\336\267\053
|
||||
+\213\364\274\176\050\337\015\100\311\205\134\256\235\305\061\377
|
||||
+\320\134\016\265\250\176\360\351\057\272\257\210\256\345\265\321
|
||||
+\130\245\257\234\161\247\051\001\220\203\151\067\202\005\272\374
|
||||
+\011\301\010\156\214\170\073\303\063\002\200\077\104\205\010\035
|
||||
+\337\125\126\010\255\054\205\055\135\261\003\341\256\252\164\305
|
||||
+\244\363\116\272\067\230\173\202\271
|
||||
+END
|
||||
+
|
||||
+# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
+# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||
+# Serial Number: 268435455 (0xfffffff)
|
||||
+# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||
+# Not Valid Before: Wed May 12 08:51:39 2010
|
||||
+# Not Valid After : Mon Mar 23 09:50:05 2020
|
||||
+# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
|
||||
+# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
|
||||
+\325\362\127\251\277\055\320\077\213\106\127\371\053\311\244\306
|
||||
+\222\341\102\102
|
||||
+END
|
||||
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
|
||||
+\056\141\242\321\170\316\356\277\131\063\260\043\024\017\224\034
|
||||
+END
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
|
||||
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
|
||||
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
|
||||
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
|
||||
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
|
||||
+\156\151\163\141\164\151\145\040\055\040\107\062
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\004\017\377\377\377
|
||||
+END
|
||||
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
+
|
||||
+#
|
||||
# Certificate "Security Communication RootCA2"
|
||||
#
|
||||
# Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
|
||||
@@ -8161,6 +8342,68 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
+# Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929
|
||||
+# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
|
||||
+# Serial Number: 1800000005 (0x6b49d205)
|
||||
+# Not Before: Apr 7 15:37:15 2011 GMT
|
||||
+# Not After : Apr 4 15:37:15 2021 GMT
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "MITM subCA 1 issued by Trustwave"
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
|
||||
+\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
|
||||
+\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
|
||||
+\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
|
||||
+\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
|
||||
+\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
|
||||
+\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
|
||||
+\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
|
||||
+\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
|
||||
+\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
|
||||
+\100\164\162\165\163\164\167\141\166\145\056\143\157\155
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\004\153\111\322\005
|
||||
+END
|
||||
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
+
|
||||
+# Explicitly Distrust "MITM subCA 2 issued by Trustwave", Bug 724929
|
||||
+# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
|
||||
+# Serial Number: 1800000006 (0x6b49d206)
|
||||
+# Not Before: Apr 18 21:09:30 2011 GMT
|
||||
+# Not After : Apr 15 21:09:30 2021 GMT
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "MITM subCA 2 issued by Trustwave"
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
|
||||
+\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
|
||||
+\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
|
||||
+\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
|
||||
+\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
|
||||
+\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
|
||||
+\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
|
||||
+\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
|
||||
+\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
|
||||
+\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
|
||||
+\100\164\162\165\163\164\167\141\166\145\056\143\157\155
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\004\153\111\322\006
|
||||
+END
|
||||
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
+
|
||||
#
|
||||
# Certificate "Actalis Authentication Root CA"
|
||||
#
|
||||
@@ -8804,6 +9047,74 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
+# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022
|
||||
+# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
|
||||
+# Serial Number: 2087 (0x827)
|
||||
+# Subject: CN=*.EGO.GOV.TR,OU=EGO BILGI ISLEM,O=EGO,L=ANKARA,ST=ANKARA,C=TR
|
||||
+# Not Valid Before: Mon Aug 08 07:07:51 2011
|
||||
+# Not Valid After : Tue Jul 06 07:07:51 2021
|
||||
+# Fingerprint (MD5): F8:F5:25:FF:0C:31:CF:85:E1:0C:86:17:C1:CE:1F:8E
|
||||
+# Fingerprint (SHA1): C6:9F:28:C8:25:13:9E:65:A6:46:C4:34:AC:A5:A1:D2:00:29:5D:B1
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 1"
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303
|
||||
+\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
|
||||
+\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151
|
||||
+\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145
|
||||
+\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061
|
||||
+\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124
|
||||
+\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164
|
||||
+\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151
|
||||
+\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151
|
||||
+\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050
|
||||
+\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\002\010\047
|
||||
+END
|
||||
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
+
|
||||
+# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 2", Bug 825022
|
||||
+# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
|
||||
+# Serial Number: 2148 (0x864)
|
||||
+# Subject: E=ileti@kktcmerkezbankasi.org,CN=e-islem.kktcmerkezbankasi.org,O=KKTC Merkez Bankasi,L=Lefkosa,ST=Lefkosa,C=TR
|
||||
+# Not Valid Before: Mon Aug 08 07:07:51 2011
|
||||
+# Not Valid After : Thu Aug 05 07:07:51 2021
|
||||
+# Fingerprint (MD5): BF:C3:EC:AD:0F:42:4F:B4:B5:38:DB:35:BF:AD:84:A2
|
||||
+# Fingerprint (SHA1): F9:2B:E5:26:6C:C0:5D:B2:DC:0D:C3:F2:DC:74:E0:2D:EF:D9:49:CB
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 2"
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303
|
||||
+\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
|
||||
+\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151
|
||||
+\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145
|
||||
+\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061
|
||||
+\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124
|
||||
+\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164
|
||||
+\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151
|
||||
+\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151
|
||||
+\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050
|
||||
+\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\002\010\144
|
||||
+END
|
||||
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
+
|
||||
#
|
||||
# Certificate "D-TRUST Root Class 3 CA 2 2009"
|
||||
#
|
@ -1,21 +0,0 @@
|
||||
diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
|
||||
--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 2020-05-13 13:44:11.312405744 -0700
|
||||
+++ ./lib/util/pkcs11n.h 2020-05-13 13:45:23.951723660 -0700
|
||||
@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
|
||||
typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
|
||||
|
||||
/* deprecated #defines. Drop in future NSS releases */
|
||||
-#ifdef NSS_PKCS11_2_0_COMPAT
|
||||
+#ifndef NSS_PKCS11_3_0_STRICT
|
||||
|
||||
/* defines that were changed between NSS's PKCS #11 and the Oasis headers */
|
||||
#define CKF_EC_FP CKF_EC_F_P
|
||||
@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
|
||||
#define CKT_NETSCAPE_VALID CKT_NSS_VALID
|
||||
#define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
|
||||
#else
|
||||
-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
|
||||
+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
|
||||
typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
|
||||
typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
|
||||
#endif
|
@ -1,4 +0,0 @@
|
||||
name=p11-kit-proxy
|
||||
library=p11-kit-proxy.so
|
||||
|
||||
|
@ -1,12 +0,0 @@
|
||||
Index: nss/gtests/manifest.mn
|
||||
===================================================================
|
||||
--- nss.orig/gtests/manifest.mn
|
||||
+++ nss/gtests/manifest.mn
|
||||
@@ -31,7 +31,6 @@ NSS_SRCDIRS = \
|
||||
smime_gtest \
|
||||
softoken_gtest \
|
||||
ssl_gtest \
|
||||
- $(SYSINIT_GTEST) \
|
||||
nss_bogo_shim \
|
||||
pkcs11testmodule \
|
||||
$(NULL)
|
@ -1,106 +0,0 @@
|
||||
Index: nss/lib/sysinit/nsssysinit.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/sysinit/nsssysinit.c
|
||||
+++ nss/lib/sysinit/nsssysinit.c
|
||||
@@ -36,41 +36,9 @@ testdir(char *dir)
|
||||
return S_ISDIR(buf.st_mode);
|
||||
}
|
||||
|
||||
-/**
|
||||
- * Append given @dir to @path and creates the directory with mode @mode.
|
||||
- * Returns 0 if successful, -1 otherwise.
|
||||
- * Assumes that the allocation for @path has sufficient space for @dir
|
||||
- * to be added.
|
||||
- */
|
||||
-static int
|
||||
-appendDirAndCreate(char *path, char *dir, mode_t mode)
|
||||
-{
|
||||
- PORT_Strcat(path, dir);
|
||||
- if (!testdir(path)) {
|
||||
- if (mkdir(path, mode)) {
|
||||
- return -1;
|
||||
- }
|
||||
- }
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
-#define XDG_NSS_USER_PATH1 "/.local"
|
||||
-#define XDG_NSS_USER_PATH2 "/share"
|
||||
-#define XDG_NSS_USER_PATH3 "/pki"
|
||||
-
|
||||
#define NSS_USER_PATH1 "/.pki"
|
||||
#define NSS_USER_PATH2 "/nssdb"
|
||||
-
|
||||
-/**
|
||||
- * Return the path to user's NSS database.
|
||||
- * We search in the following dirs in order:
|
||||
- * (1) $HOME/.pki/nssdb;
|
||||
- * (2) $XDG_DATA_HOME/pki/nssdb if XDG_DATA_HOME is set;
|
||||
- * (3) $HOME/.local/share/pki/nssdb (default XDG_DATA_HOME value).
|
||||
- * If (1) does not exist, then the returned dir will be set to either
|
||||
- * (2) or (3), depending if XDG_DATA_HOME is set.
|
||||
- */
|
||||
-char *
|
||||
+static char *
|
||||
getUserDB(void)
|
||||
{
|
||||
char *userdir = PR_GetEnvSecure("HOME");
|
||||
@@ -81,47 +49,22 @@ getUserDB(void)
|
||||
}
|
||||
|
||||
nssdir = PORT_Alloc(strlen(userdir) + sizeof(NSS_USER_PATH1) + sizeof(NSS_USER_PATH2));
|
||||
+ if (nssdir == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
PORT_Strcpy(nssdir, userdir);
|
||||
- PORT_Strcat(nssdir, NSS_USER_PATH1 NSS_USER_PATH2);
|
||||
- if (testdir(nssdir)) {
|
||||
- /* $HOME/.pki/nssdb exists */
|
||||
- return nssdir;
|
||||
- } else {
|
||||
- /* either $HOME/.pki or $HOME/.pki/nssdb does not exist */
|
||||
+ /* verify it exists */
|
||||
+ if (!testdir(nssdir)) {
|
||||
PORT_Free(nssdir);
|
||||
- }
|
||||
- int size = 0;
|
||||
- char *xdguserdatadir = PR_GetEnvSecure("XDG_DATA_HOME");
|
||||
- if (xdguserdatadir) {
|
||||
- size = strlen(xdguserdatadir);
|
||||
- } else {
|
||||
- size = strlen(userdir) + sizeof(XDG_NSS_USER_PATH1) + sizeof(XDG_NSS_USER_PATH2);
|
||||
- }
|
||||
- size += sizeof(XDG_NSS_USER_PATH3) + sizeof(NSS_USER_PATH2);
|
||||
-
|
||||
- nssdir = PORT_Alloc(size);
|
||||
- if (nssdir == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
-
|
||||
- if (xdguserdatadir) {
|
||||
- PORT_Strcpy(nssdir, xdguserdatadir);
|
||||
- if (!testdir(nssdir)) {
|
||||
- PORT_Free(nssdir);
|
||||
- return NULL;
|
||||
- }
|
||||
-
|
||||
- } else {
|
||||
- PORT_Strcpy(nssdir, userdir);
|
||||
- if (appendDirAndCreate(nssdir, XDG_NSS_USER_PATH1, 0755) ||
|
||||
- appendDirAndCreate(nssdir, XDG_NSS_USER_PATH2, 0755)) {
|
||||
- PORT_Free(nssdir);
|
||||
- return NULL;
|
||||
- }
|
||||
+ PORT_Strcat(nssdir, NSS_USER_PATH1);
|
||||
+ if (!testdir(nssdir) && mkdir(nssdir, 0760)) {
|
||||
+ PORT_Free(nssdir);
|
||||
+ return NULL;
|
||||
}
|
||||
- /* ${XDG_DATA_HOME:-$HOME/.local/share}/pki/nssdb */
|
||||
- if (appendDirAndCreate(nssdir, XDG_NSS_USER_PATH3, 0760) ||
|
||||
- appendDirAndCreate(nssdir, NSS_USER_PATH2, 0760)) {
|
||||
+ PORT_Strcat(nssdir, NSS_USER_PATH2);
|
||||
+ if (!testdir(nssdir) && mkdir(nssdir, 0760)) {
|
||||
PORT_Free(nssdir);
|
||||
return NULL;
|
||||
}
|
@ -1,14 +0,0 @@
|
||||
diff -up nss/lib/ssl/ssl3con.c.1185708_3des nss/lib/ssl/ssl3con.c
|
||||
--- nss/lib/ssl/ssl3con.c.1185708_3des 2018-12-11 18:28:06.736592552 +0100
|
||||
+++ nss/lib/ssl/ssl3con.c 2018-12-11 18:29:06.273314692 +0100
|
||||
@@ -106,8 +106,8 @@ static ssl3CipherSuiteCfg cipherSuites[s
|
||||
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
|
||||
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
|
||||
|
@ -1,63 +0,0 @@
|
||||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="secmod.db">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>secmod.db</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>secmod.db</refname>
|
||||
<refpurpose>Legacy NSS security modules database</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para><emphasis>secmod.db</emphasis> is an NSS security modules database.</para>
|
||||
<para>The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface.
|
||||
</para>
|
||||
<para>The command line utility <emphasis>modutil</emphasis> is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens.
|
||||
</para>
|
||||
<para>For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/etc/pki/nssdb/secmod.db</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5)</para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
|
||||
</refsection>
|
||||
|
||||
|
||||
</refentry>
|
@ -20,6 +20,7 @@ typedef enum {
|
||||
SFTKFIPSChkHash, /* make sure the base hash of KDF functions is FIPS */
|
||||
SFTKFIPSChkHashTls, /* make sure the base hash of TLS KDF functions is FIPS */
|
||||
SFTKFIPSChkHashSp800, /* make sure the base hash of SP-800-108 KDF functions is FIPS */
|
||||
SFTKFIPSRSAOAEP, /* make sure that both hashes use the same FIPS compliant algorithm */
|
||||
} SFTKFIPSSpecialClass;
|
||||
|
||||
/* set according to your security policy */
|
||||
@ -79,6 +80,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
#define AES_FB_KEY 128, 256
|
||||
#define AES_FB_STEP 64
|
||||
{ CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSRSAOAEP },
|
||||
|
||||
/* -------------- RSA Multipart Signing Operations -------------------- */
|
||||
{ CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
@ -184,5 +186,12 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
|
||||
{ CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
|
||||
offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
|
||||
/* concatentate fuctions used in hybrid operations */
|
||||
/* The following functions add data at the end of a base key. If the base
|
||||
* key is FIPS, and the resulting keys are strong enough, then the
|
||||
* resulting key will also be FIPS and the resulting operations will be
|
||||
* FIPS approved. */
|
||||
{ CKM_CONCATENATE_BASE_AND_KEY, { 112, CK_MAX, CKF_DERIVE }, 1, SFTKFIPSNone },
|
||||
{ CKM_CONCATENATE_BASE_AND_DATA, { 112, CK_MAX, CKF_DERIVE }, 1, SFTKFIPSNone },
|
||||
};
|
||||
const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);
|
10
gating.yaml
Normal file
10
gating.yaml
Normal file
@ -0,0 +1,10 @@
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-10
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
|
||||
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}
|
||||
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-enabled.functional}
|
||||
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-disabled.functional}
|
||||
- !PassingTestCaseRule {test_case_name: manual.sst_security_crypto.nss.streamspreadprevent}
|
51
nspr-4.34-fix-coverity-loop-issue.patch
Normal file
51
nspr-4.34-fix-coverity-loop-issue.patch
Normal file
@ -0,0 +1,51 @@
|
||||
diff --git a/pr/src/misc/prnetdb.c b/pr/src/misc/prnetdb.c
|
||||
--- a/pr/src/misc/prnetdb.c
|
||||
+++ b/pr/src/misc/prnetdb.c
|
||||
@@ -2209,28 +2209,38 @@ PR_GetPrefLoopbackAddrInfo(PRNetAddr *re
|
||||
PRBool result_still_empty = PR_TRUE;
|
||||
PRADDRINFO *ai = res;
|
||||
do {
|
||||
PRNetAddr aNetAddr;
|
||||
|
||||
while (ai && ai->ai_addrlen > sizeof(PRNetAddr))
|
||||
ai = ai->ai_next;
|
||||
|
||||
- if (ai) {
|
||||
- /* copy sockaddr to PRNetAddr */
|
||||
- memcpy(&aNetAddr, ai->ai_addr, ai->ai_addrlen);
|
||||
- aNetAddr.raw.family = ai->ai_addr->sa_family;
|
||||
+ if (!ai) {
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ /* copy sockaddr to PRNetAddr */
|
||||
+ memcpy(&aNetAddr, ai->ai_addr, ai->ai_addrlen);
|
||||
+ aNetAddr.raw.family = ai->ai_addr->sa_family;
|
||||
#ifdef _PR_INET6
|
||||
- if (AF_INET6 == aNetAddr.raw.family)
|
||||
- aNetAddr.raw.family = PR_AF_INET6;
|
||||
+ if (AF_INET6 == aNetAddr.raw.family)
|
||||
+ aNetAddr.raw.family = PR_AF_INET6;
|
||||
#endif
|
||||
- if (ai->ai_addrlen < sizeof(PRNetAddr))
|
||||
- memset(((char*)result)+ai->ai_addrlen, 0,
|
||||
- sizeof(PRNetAddr) - ai->ai_addrlen);
|
||||
+ if (ai->ai_addrlen < sizeof(PRNetAddr))
|
||||
+ memset(((char*)&aNetAddr)+ai->ai_addrlen, 0,
|
||||
+ sizeof(PRNetAddr) - ai->ai_addrlen);
|
||||
+
|
||||
+ if (result->raw.family == PR_AF_INET) {
|
||||
+ aNetAddr.inet.port = htons(port);
|
||||
}
|
||||
+ else {
|
||||
+ aNetAddr.ipv6.port = htons(port);
|
||||
+ }
|
||||
+
|
||||
|
||||
/* If we obtain more than one result, prefer IPv6. */
|
||||
if (result_still_empty || aNetAddr.raw.family == PR_AF_INET6) {
|
||||
memcpy(result, &aNetAddr, sizeof(PRNetAddr));
|
||||
}
|
||||
result_still_empty = PR_FALSE;
|
||||
ai = ai->ai_next;
|
||||
}
|
12
nspr-4.34-server-passive.patch
Normal file
12
nspr-4.34-server-passive.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff -r c75b4e36b7e8 pr/src/misc/prnetdb.c
|
||||
--- a/pr/src/misc/prnetdb.c Wed May 25 23:39:48 2022 +0200
|
||||
+++ b/pr/src/misc/prnetdb.c Tue Jun 14 18:48:03 2022 -0400
|
||||
@@ -2204,6 +2204,7 @@
|
||||
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
|
||||
+ hints.ai_flags = AI_PASSIVE;
|
||||
rv = GETADDRINFO(NULL, tmpBuf, &hints, &res);
|
||||
if (rv == 0) {
|
||||
PRBool result_still_empty = PR_TRUE;
|
||||
|
37
nspr-config-pc.patch
Normal file
37
nspr-config-pc.patch
Normal file
@ -0,0 +1,37 @@
|
||||
diff -up nspr/config/nspr-config.in.flags nspr/config/nspr-config.in
|
||||
--- nspr/config/nspr-config.in.flags 2013-05-29 13:46:34.147971410 -0700
|
||||
+++ nspr/config/nspr-config.in 2013-05-29 14:17:10.990838914 -0700
|
||||
@@ -102,7 +102,7 @@ if test -z "$includedir"; then
|
||||
includedir=@includedir@
|
||||
fi
|
||||
if test -z "$libdir"; then
|
||||
- libdir=@libdir@
|
||||
+ libdir=`pkg-config --variable=libdir nspr`
|
||||
fi
|
||||
|
||||
if test "$echo_prefix" = "yes"; then
|
||||
@@ -136,12 +136,12 @@ if test "$echo_libs" = "yes"; then
|
||||
if test -n "$lib_nspr"; then
|
||||
libdirs="$libdirs -lnspr${major_version}"
|
||||
fi
|
||||
- os_ldflags="@LDFLAGS@"
|
||||
+ os_ldflags=`pkg-config --variable=ldflags nspr`
|
||||
for i in $os_ldflags ; do
|
||||
if echo $i | grep \^-L >/dev/null; then
|
||||
libdirs="$libdirs $i"
|
||||
fi
|
||||
done
|
||||
- echo $libdirs @OS_LIBS@
|
||||
+ echo $libdirs `pkg-config --variable=os_libs nspr`
|
||||
fi
|
||||
|
||||
diff -up nspr/config/nspr.pc.in.flags nspr/config/nspr.pc.in
|
||||
--- nspr/config/nspr.pc.in.flags 2013-05-29 13:48:15.026643570 -0700
|
||||
+++ nspr/config/nspr.pc.in 2013-05-29 13:49:47.795202949 -0700
|
||||
@@ -6,5 +6,5 @@ includedir=@includedir@
|
||||
Name: NSPR
|
||||
Description: The Netscape Portable Runtime
|
||||
Version: @MOD_MAJOR_VERSION@.@MOD_MINOR_VERSION@.@MOD_PATCH_VERSION@
|
||||
-Libs: -L@libdir@ -lplds@MOD_MAJOR_VERSION@ -lplc@MOD_MAJOR_VERSION@ -lnspr@MOD_MAJOR_VERSION@
|
||||
+Libs: -L@libdir@ -lplds@MOD_MAJOR_VERSION@ -lplc@MOD_MAJOR_VERSION@ -lnspr@MOD_MAJOR_VERSION@ @OS_LIBS@
|
||||
Cflags: -I@includedir@
|
127
nspr-config.xml
Normal file
127
nspr-config.xml
Normal file
@ -0,0 +1,127 @@
|
||||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="nspr-config">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Netscape Portable Runtime</title>
|
||||
<productname>nspr</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>nspr-config</refentrytitle>
|
||||
<manvolnum>1</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>nspr-config</refname>
|
||||
<refpurpose>Return meta information about nspr libraries</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>nspr-config</command>
|
||||
<arg><option>--prefix</option></arg>
|
||||
<arg><option>--exec-prefix</option></arg>
|
||||
<arg><option>--includedir</option></arg>
|
||||
<arg><option>--libs</option></arg>
|
||||
<arg><option>--cflags</option></arg>
|
||||
<arg><option>--libdir</option></arg>
|
||||
<arg><option>--version</option></arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para><command>nspr-config</command> is a shell script which can be used to obtain gcc options for building client pacakges of nspr.</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Options</title>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--prefix</option></term>
|
||||
<listitem><simpara>Returns the top level system directory under which the nspr libraries are installed.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--exec-prefix</option></term>
|
||||
<listitem><simpara>Returns the top level system directory under which any nspr binaries would be installed.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--includedir</option> <replaceable>count</replaceable></term>
|
||||
<listitem><simpara>Returns the path to the directory were the nspr headers are installed.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--version</option></term>
|
||||
<listitem><simpara>Returns the upstream version of nspr in the form major_version-minor_version-patch_version.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--libs</option></term>
|
||||
<listitem><simpara>Returns the compiler linking flags.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--cflags</option></term>
|
||||
<listitem><simpara>Returns the compiler include flags.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--libdir</option></term>
|
||||
<listitem><simpara>Returns the path to the directory were the nspr libraries are installed.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Examples</title>
|
||||
|
||||
<para>The following example will query for both include path and linkage flags:
|
||||
<programlisting>
|
||||
/usr/bin/nspr-config --cflags --libs
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
|
||||
<para><filename>/usr/bin/nspr-config</filename></para>
|
||||
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>pkg-config(1)</para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The NSPR liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>
|
||||
Authors: Elio Maldonado <emaldona@redhat.com>.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
</refentry>
|
||||
|
51
nspr-gcc-atomics.patch
Normal file
51
nspr-gcc-atomics.patch
Normal file
@ -0,0 +1,51 @@
|
||||
diff -up ./pr/include/md/_linux.h.gcc-atomics ./pr/include/md/_linux.h
|
||||
--- ./pr/include/md/_linux.h.gcc-atomics 2022-09-20 11:23:22.008942926 -0700
|
||||
+++ ./pr/include/md/_linux.h 2022-09-20 11:34:45.536751340 -0700
|
||||
@@ -105,6 +105,15 @@
|
||||
#endif
|
||||
|
||||
#if defined(__i386__)
|
||||
+#if defined(__GNUC__)
|
||||
+/* Use GCC built-in functions */
|
||||
+#define _PR_HAVE_ATOMIC_OPS
|
||||
+#define _MD_INIT_ATOMIC()
|
||||
+#define _MD_ATOMIC_INCREMENT(ptr) __sync_add_and_fetch(ptr, 1)
|
||||
+#define _MD_ATOMIC_DECREMENT(ptr) __sync_sub_and_fetch(ptr, 1)
|
||||
+#define _MD_ATOMIC_ADD(ptr, i) __sync_add_and_fetch(ptr, i)
|
||||
+#define _MD_ATOMIC_SET(ptr, nv) __sync_lock_test_and_set(ptr, nv)
|
||||
+#else
|
||||
#define _PR_HAVE_ATOMIC_OPS
|
||||
#define _MD_INIT_ATOMIC()
|
||||
extern PRInt32 _PR_x86_AtomicIncrement(PRInt32 *val);
|
||||
@@ -116,6 +125,7 @@ extern PRInt32 _PR_x86_AtomicAdd(PRInt32
|
||||
extern PRInt32 _PR_x86_AtomicSet(PRInt32 *val, PRInt32 newval);
|
||||
#define _MD_ATOMIC_SET _PR_x86_AtomicSet
|
||||
#endif
|
||||
+#endif
|
||||
|
||||
#if defined(__ia64__)
|
||||
#define _PR_HAVE_ATOMIC_OPS
|
||||
@@ -131,6 +141,15 @@ extern PRInt32 _PR_ia64_AtomicSet(PRInt3
|
||||
#endif
|
||||
|
||||
#if defined(__x86_64__)
|
||||
+#if defined(__GNUC__)
|
||||
+/* Use GCC built-in functions */
|
||||
+#define _PR_HAVE_ATOMIC_OPS
|
||||
+#define _MD_INIT_ATOMIC()
|
||||
+#define _MD_ATOMIC_INCREMENT(ptr) __sync_add_and_fetch(ptr, 1)
|
||||
+#define _MD_ATOMIC_DECREMENT(ptr) __sync_sub_and_fetch(ptr, 1)
|
||||
+#define _MD_ATOMIC_ADD(ptr, i) __sync_add_and_fetch(ptr, i)
|
||||
+#define _MD_ATOMIC_SET(ptr, nv) __sync_lock_test_and_set(ptr, nv)
|
||||
+#else
|
||||
#define _PR_HAVE_ATOMIC_OPS
|
||||
#define _MD_INIT_ATOMIC()
|
||||
extern PRInt32 _PR_x86_64_AtomicIncrement(PRInt32 *val);
|
||||
@@ -142,6 +161,7 @@ extern PRInt32 _PR_x86_64_AtomicAdd(PRIn
|
||||
extern PRInt32 _PR_x86_64_AtomicSet(PRInt32 *val, PRInt32 newval);
|
||||
#define _MD_ATOMIC_SET _PR_x86_64_AtomicSet
|
||||
#endif
|
||||
+#endif
|
||||
|
||||
#if defined(__loongarch__)
|
||||
#if defined(__GNUC__)
|
20
nss-3.101-allow-fips-rsa-oaep.patch
Normal file
20
nss-3.101-allow-fips-rsa-oaep.patch
Normal file
@ -0,0 +1,20 @@
|
||||
diff -up ./lib/softoken/pkcs11u.c.fipsrsaoaep ./lib/softoken/pkcs11u.c
|
||||
--- ./lib/softoken/pkcs11u.c.fipsrsaoaep 2024-10-24 09:27:17.971673855 +0200
|
||||
+++ ./lib/softoken/pkcs11u.c 2024-10-24 09:23:35.006352872 +0200
|
||||
@@ -2565,6 +2565,16 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
}
|
||||
}
|
||||
return sftk_checkKeyLength(targetKeyLength, 112, 512, 1);
|
||||
+ case SFTKFIPSRSAOAEP:;
|
||||
+ CK_RSA_PKCS_OAEP_PARAMS *rsaoaep = (CK_RSA_PKCS_OAEP_PARAMS *)
|
||||
+ mech->pParameter;
|
||||
+
|
||||
+ HASH_HashType hash_msg = sftk_GetHashTypeFromMechanism(rsaoaep->hashAlg);
|
||||
+ HASH_HashType hash_pad = sftk_GetHashTypeFromMechanism(rsaoaep->mgf);
|
||||
+ /* message hash and mask generation function must be the same */
|
||||
+ if (hash_pad != hash_msg) return PR_FALSE;
|
||||
+
|
||||
+ return sftk_checkFIPSHash(rsaoaep->hashAlg, PR_FALSE, PR_FALSE);
|
||||
default:
|
||||
break;
|
||||
}
|
1347
nss-3.101-disable_dsa.patch
Normal file
1347
nss-3.101-disable_dsa.patch
Normal file
File diff suppressed because it is too large
Load Diff
63
nss-3.101-enable-sdb-tests.patch
Normal file
63
nss-3.101-enable-sdb-tests.patch
Normal file
@ -0,0 +1,63 @@
|
||||
diff -up ./tests/cert/cert.sh.no_dbm_tests ./tests/cert/cert.sh
|
||||
--- ./tests/cert/cert.sh.no_dbm_tests 2024-06-20 17:08:03.146169243 -0700
|
||||
+++ ./tests/cert/cert.sh 2024-06-20 17:08:23.282404259 -0700
|
||||
@@ -2662,9 +2662,7 @@ cert_test_password
|
||||
cert_test_distrust
|
||||
cert_test_ocspresp
|
||||
cert_test_rsapss
|
||||
-if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
- cert_test_rsapss_policy
|
||||
-fi
|
||||
+cert_test_rsapss_policy
|
||||
cert_test_token_uri
|
||||
|
||||
if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
|
||||
diff -up ./tests/smime/smime.sh.no_dbm_tests ./tests/smime/smime.sh
|
||||
--- ./tests/smime/smime.sh.no_dbm_tests 2024-06-20 17:08:45.147659448 -0700
|
||||
+++ ./tests/smime/smime.sh 2024-06-20 17:09:05.313894814 -0700
|
||||
@@ -872,8 +872,6 @@ smime_init
|
||||
smime_main
|
||||
smime_data_tb
|
||||
smime_p7
|
||||
-if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
- smime_policy
|
||||
-fi
|
||||
+smime_policy
|
||||
smime_cleanup
|
||||
|
||||
diff -up ./tests/ssl/ssl.sh.no_dbm_tests ./tests/ssl/ssl.sh
|
||||
--- ./tests/ssl/ssl.sh.no_dbm_tests 2024-06-20 17:09:28.588166454 -0700
|
||||
+++ ./tests/ssl/ssl.sh 2024-06-20 17:09:54.351467232 -0700
|
||||
@@ -1600,12 +1600,10 @@ ssl_run_tests()
|
||||
do
|
||||
case "${SSL_TEST}" in
|
||||
"policy")
|
||||
- if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
- ssl_policy_listsuites
|
||||
- ssl_policy_selfserv
|
||||
- ssl_policy_pkix_ocsp
|
||||
- ssl_policy
|
||||
- fi
|
||||
+ ssl_policy_listsuites
|
||||
+ ssl_policy_selfserv
|
||||
+ ssl_policy_pkix_ocsp
|
||||
+ ssl_policy
|
||||
;;
|
||||
"crl")
|
||||
ssl_crl_ssl
|
||||
diff -up ./tests/tools/tools.sh.no_dbm_tests ./tests/tools/tools.sh
|
||||
--- ./tests/tools/tools.sh.no_dbm_tests 2024-06-20 17:10:13.828694981 -0700
|
||||
+++ ./tests/tools/tools.sh 2024-06-20 17:10:31.051896368 -0700
|
||||
@@ -584,10 +584,8 @@ tools_p12()
|
||||
tools_p12_export_with_invalid_ciphers
|
||||
tools_p12_import_old_files
|
||||
tools_p12_import_pbmac1_samples
|
||||
- if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
- tools_p12_import_rsa_pss_private_key
|
||||
- tools_p12_policy
|
||||
- fi
|
||||
+ tools_p12_import_rsa_pss_private_key
|
||||
+ tools_p12_policy
|
||||
}
|
||||
|
||||
############################## tools_sign ##############################
|
12
nss-3.101-fips-check-ec25519-size.patch
Normal file
12
nss-3.101-fips-check-ec25519-size.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff -up ./lib/softoken/pkcs11u.c.fips_check_curver25519 ./lib/softoken/pkcs11u.c
|
||||
--- ./lib/softoken/pkcs11u.c.fips_check_curver25519 2024-11-11 11:24:25.186654635 +0100
|
||||
+++ ./lib/softoken/pkcs11u.c 2024-11-07 10:26:03.806562274 +0100
|
||||
@@ -2356,7 +2356,7 @@ sftk_getKeyLength(SFTKObject *source)
|
||||
* key length is CKA_VALUE, which is the default */
|
||||
keyType = CKK_INVALID_KEY_TYPE;
|
||||
}
|
||||
- if (keyType == CKK_EC) {
|
||||
+ if (keyType == CKK_EC || keyType == CKK_EC_EDWARDS || keyType == CKK_EC_MONTGOMERY) {
|
||||
SECOidTag curve = sftk_quickGetECCCurveOid(source);
|
||||
switch (curve) {
|
||||
case SEC_OID_CURVE25519:
|
12
nss-3.101-fix-cavs-test.patch
Normal file
12
nss-3.101-fix-cavs-test.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff -up ./tests/fips/cavs_scripts/validate1.sh.fix_cavs ./tests/fips/cavs_scripts/validate1.sh
|
||||
--- ./tests/fips/cavs_scripts/validate1.sh.fix_cavs 2024-09-12 14:39:41.421586862 -0700
|
||||
+++ ./tests/fips/cavs_scripts/validate1.sh 2024-09-12 14:39:55.036747283 -0700
|
||||
@@ -21,7 +21,7 @@ name=`basename $request .req`
|
||||
echo ">>>>> $name"
|
||||
sed -e 's;
;;g' -e 's; ; ;g' -e '/^#/d' $extraneous_response ${TESTDIR}/resp/${name}.rsp > /tmp/y1
|
||||
# if we didn't generate any output, flag that as an error
|
||||
-size=`sum /tmp/y1 | awk '{ print $NF }'`
|
||||
+size=`sum /tmp/y1 | awk '{ print $1 }'`
|
||||
if [ $size -eq 0 ]; then
|
||||
echo "${TESTDIR}/resp/${name}.rsp: empty"
|
||||
exit 1;
|
@ -1,9 +1,9 @@
|
||||
diff -up ./tests/ssl/sslpolicy.txt.rsa_disable_test ./tests/ssl/sslpolicy.txt
|
||||
--- ./tests/ssl/sslpolicy.txt.rsa_disable_test 2024-06-19 11:17:10.261637015 -0700
|
||||
+++ ./tests/ssl/sslpolicy.txt 2024-06-19 11:18:22.797425628 -0700
|
||||
@@ -197,7 +197,7 @@
|
||||
# compatibility reasons
|
||||
# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
|
||||
diff -up ./tests/ssl/sslpolicy.txt.fix_rsa_policy ./tests/ssl/sslpolicy.txt
|
||||
--- ./tests/ssl/sslpolicy.txt.fix_rsa_policy 2024-06-21 11:08:01.765937907 -0700
|
||||
+++ ./tests/ssl/sslpolicy.txt 2024-06-21 11:08:55.598540079 -0700
|
||||
@@ -195,7 +195,7 @@
|
||||
0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly
|
||||
1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
|
||||
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
|
||||
- 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
||||
+ 0 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
12
nss-3.101-fix-shlibsign-fips.patch
Normal file
12
nss-3.101-fix-shlibsign-fips.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff -up ./cmd/shlibsign/shlibsign.c.shlibsign ./cmd/shlibsign/shlibsign.c
|
||||
--- ./cmd/shlibsign/shlibsign.c.shlibsign 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./cmd/shlibsign/shlibsign.c 2024-10-31 10:49:28.637449054 -0700
|
||||
@@ -1426,7 +1426,7 @@ main(int argc, char **argv)
|
||||
} else {
|
||||
/* NON FIPS mode == C_GetFunctionList */
|
||||
pC_GetFunctionList = (CK_C_GetFunctionList)
|
||||
- PR_FindFunctionSymbol(lib, "C_GetFunctionList");
|
||||
+ PR_FindFunctionSymbol(lib, "NSC_GetFunctionList");
|
||||
}
|
||||
assert(pC_GetFunctionList != NULL);
|
||||
if (!pC_GetFunctionList) {
|
21477
nss-3.101-replace-xyber_with-mlkem.patch
Normal file
21477
nss-3.101-replace-xyber_with-mlkem.patch
Normal file
File diff suppressed because it is too large
Load Diff
22
nss-3.101-skip-ocsp-if-not-connected.patch
Normal file
22
nss-3.101-skip-ocsp-if-not-connected.patch
Normal file
@ -0,0 +1,22 @@
|
||||
diff -up ./tests/ssl/ssl.sh.disable_ocsp_policy ./tests/ssl/ssl.sh
|
||||
--- ./tests/ssl/ssl.sh.disable_ocsp_policy 2024-07-05 14:18:03.985453657 -0700
|
||||
+++ ./tests/ssl/ssl.sh 2024-07-05 14:21:59.308250122 -0700
|
||||
@@ -968,6 +968,18 @@ ssl_policy_pkix_ocsp()
|
||||
#verbose="-v"
|
||||
html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
|
||||
|
||||
+ # if we are running on a build machine that can't tolerate external
|
||||
+ # references don't run.
|
||||
+ vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} > ${P_R_SERVERDIR}/vfy2.out 2>&1
|
||||
+ RET=$? ; cat "${P_R_SERVERDIR}/vfy2.out"
|
||||
+ # 5961 reset by peer
|
||||
+ grep 5961 ${P_R_SERVERDIR}/vfy2.out
|
||||
+ GRET=$? ; echo "OCSP: RET=$RET GRET=$GRET"
|
||||
+ if [ $RET -ne 0 -o $GRET -eq 0 ]; then
|
||||
+ echo "$SCRIPTNAME: skipping Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE - can't reach external servers"
|
||||
+ return 0
|
||||
+ fi
|
||||
+
|
||||
PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"}
|
||||
unset NSS_DISABLE_LIBPKIX_VERIFY
|
||||
|
375
nss-3.79-distrusted-certs.patch
Normal file
375
nss-3.79-distrusted-certs.patch
Normal file
@ -0,0 +1,375 @@
|
||||
# HG changeset patch
|
||||
# User John M. Schanck <jschanck@mozilla.com>
|
||||
# Date 1648094761 0
|
||||
# Thu Mar 24 04:06:01 2022 +0000
|
||||
# Node ID b722e523d66297fe4bc1fac0ebb06203138eccbb
|
||||
# Parent 853b64626b19a46f41f4ba9c684490dc15923c94
|
||||
Bug 1751305 - Remove expired explicitly distrusted certificates from certdata.txt. r=KathleenWilson
|
||||
|
||||
Differential Revision: https://phabricator.services.mozilla.com/D141919
|
||||
|
||||
diff --git a/lib/ckfw/builtins/certdata.txt b/lib/ckfw/builtins/certdata.txt
|
||||
--- a/lib/ckfw/builtins/certdata.txt
|
||||
+++ b/lib/ckfw/builtins/certdata.txt
|
||||
@@ -7663,197 +7663,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
\377\377
|
||||
END
|
||||
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
#
|
||||
-# Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
-#
|
||||
-# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||
-# Serial Number: 268435455 (0xfffffff)
|
||||
-# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||
-# Not Valid Before: Wed May 12 08:51:39 2010
|
||||
-# Not Valid After : Mon Mar 23 09:50:05 2020
|
||||
-# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
|
||||
-# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
|
||||
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
|
||||
-CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
-CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
-CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
|
||||
-CKA_SUBJECT MULTILINE_OCTAL
|
||||
-\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
|
||||
-\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
|
||||
-\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
|
||||
-\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
|
||||
-\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
|
||||
-\156\151\163\141\164\151\145\040\055\040\107\062
|
||||
-END
|
||||
-CKA_ID UTF8 "0"
|
||||
-CKA_ISSUER MULTILINE_OCTAL
|
||||
-\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
|
||||
-\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
|
||||
-\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
|
||||
-\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
|
||||
-\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
|
||||
-\156\151\163\141\164\151\145\040\055\040\107\062
|
||||
-END
|
||||
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
-\002\004\017\377\377\377
|
||||
-END
|
||||
-CKA_VALUE MULTILINE_OCTAL
|
||||
-\060\202\006\225\060\202\004\175\240\003\002\001\002\002\004\017
|
||||
-\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\013
|
||||
-\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116
|
||||
-\114\061\027\060\025\006\003\125\004\012\014\016\104\151\147\151
|
||||
-\116\157\164\141\162\040\102\056\126\056\061\062\060\060\006\003
|
||||
-\125\004\003\014\051\104\151\147\151\116\157\164\141\162\040\120
|
||||
-\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\162
|
||||
-\147\141\156\151\163\141\164\151\145\040\055\040\107\062\060\036
|
||||
-\027\015\061\060\060\065\061\062\060\070\065\061\063\071\132\027
|
||||
-\015\062\060\060\063\062\063\060\071\065\060\060\065\132\060\132
|
||||
-\061\013\060\011\006\003\125\004\006\023\002\116\114\061\027\060
|
||||
-\025\006\003\125\004\012\014\016\104\151\147\151\116\157\164\141
|
||||
-\162\040\102\056\126\056\061\062\060\060\006\003\125\004\003\014
|
||||
-\051\104\151\147\151\116\157\164\141\162\040\120\113\111\157\166
|
||||
-\145\162\150\145\151\144\040\103\101\040\117\162\147\141\156\151
|
||||
-\163\141\164\151\145\040\055\040\107\062\060\202\002\042\060\015
|
||||
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002
|
||||
-\017\000\060\202\002\012\002\202\002\001\000\261\023\031\017\047
|
||||
-\346\154\324\125\206\113\320\354\211\212\105\221\170\254\107\275
|
||||
-\107\053\344\374\105\353\117\264\046\163\133\067\323\303\177\366
|
||||
-\343\336\327\243\370\055\150\305\010\076\113\224\326\344\207\045
|
||||
-\066\153\204\265\030\164\363\050\130\163\057\233\152\317\274\004
|
||||
-\036\366\336\335\257\374\113\252\365\333\146\142\045\001\045\202
|
||||
-\336\362\227\132\020\156\335\135\251\042\261\004\251\043\163\072
|
||||
-\370\161\255\035\317\204\104\353\107\321\257\155\310\174\050\253
|
||||
-\307\362\067\172\164\137\137\305\002\024\212\243\132\343\033\154
|
||||
-\001\343\135\216\331\150\326\364\011\033\062\334\221\265\054\365
|
||||
-\040\353\214\003\155\046\111\270\223\304\205\135\330\322\233\257
|
||||
-\126\152\314\005\063\314\240\102\236\064\125\104\234\153\240\324
|
||||
-\022\320\053\124\315\267\211\015\345\366\353\350\373\205\001\063
|
||||
-\117\172\153\361\235\162\063\226\016\367\262\204\245\245\047\304
|
||||
-\047\361\121\163\051\167\272\147\156\376\114\334\264\342\241\241
|
||||
-\201\057\071\111\215\103\070\023\316\320\245\134\302\207\072\000
|
||||
-\147\145\102\043\361\066\131\012\035\243\121\310\274\243\224\052
|
||||
-\061\337\343\074\362\235\032\074\004\260\357\261\012\060\023\163
|
||||
-\266\327\363\243\114\001\165\024\205\170\300\327\212\071\130\205
|
||||
-\120\372\056\346\305\276\317\213\077\257\217\066\324\045\011\055
|
||||
-\322\017\254\162\223\362\277\213\324\120\263\371\025\120\233\231
|
||||
-\365\024\331\373\213\221\243\062\046\046\240\370\337\073\140\201
|
||||
-\206\203\171\133\053\353\023\075\051\072\301\155\335\275\236\216
|
||||
-\207\326\112\256\064\227\005\356\024\246\366\334\070\176\112\351
|
||||
-\044\124\007\075\227\150\067\106\153\015\307\250\041\257\023\124
|
||||
-\344\011\152\361\115\106\012\311\135\373\233\117\275\336\373\267
|
||||
-\124\313\270\070\234\247\071\373\152\055\300\173\215\253\245\247
|
||||
-\127\354\112\222\212\063\305\341\040\134\163\330\220\222\053\200
|
||||
-\325\017\206\030\151\174\071\117\204\206\274\367\114\133\363\325
|
||||
-\264\312\240\302\360\067\042\312\171\122\037\123\346\252\363\220
|
||||
-\260\073\335\362\050\375\254\353\305\006\044\240\311\324\057\017
|
||||
-\130\375\265\236\354\017\317\262\131\320\242\004\172\070\152\256
|
||||
-\162\373\275\360\045\142\224\011\247\005\013\002\003\001\000\001
|
||||
-\243\202\001\141\060\202\001\135\060\110\006\003\125\035\040\004
|
||||
-\101\060\077\060\075\006\004\125\035\040\000\060\065\060\063\006
|
||||
-\010\053\006\001\005\005\007\002\001\026\047\150\164\164\160\072
|
||||
-\057\057\167\167\167\056\144\151\147\151\156\157\164\141\162\056
|
||||
-\156\154\057\143\160\163\057\160\153\151\157\166\145\162\150\145
|
||||
-\151\144\060\017\006\003\125\035\023\001\001\377\004\005\060\003
|
||||
-\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003
|
||||
-\002\001\006\060\201\205\006\003\125\035\043\004\176\060\174\200
|
||||
-\024\071\020\213\111\222\134\333\141\022\040\315\111\235\032\216
|
||||
-\332\234\147\100\271\241\136\244\134\060\132\061\013\060\011\006
|
||||
-\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004
|
||||
-\012\014\025\123\164\141\141\164\040\144\145\162\040\116\145\144
|
||||
-\145\162\154\141\156\144\145\156\061\053\060\051\006\003\125\004
|
||||
-\003\014\042\123\164\141\141\164\040\144\145\162\040\116\145\144
|
||||
-\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101
|
||||
-\040\055\040\107\062\202\004\000\230\226\364\060\111\006\003\125
|
||||
-\035\037\004\102\060\100\060\076\240\074\240\072\206\070\150\164
|
||||
-\164\160\072\057\057\143\162\154\056\160\153\151\157\166\145\162
|
||||
-\150\145\151\144\056\156\154\057\104\157\155\117\162\147\141\156
|
||||
-\151\163\141\164\151\145\114\141\164\145\163\164\103\122\114\055
|
||||
-\107\062\056\143\162\154\060\035\006\003\125\035\016\004\026\004
|
||||
-\024\274\135\224\073\331\253\173\003\045\163\141\302\333\055\356
|
||||
-\374\253\217\145\241\060\015\006\011\052\206\110\206\367\015\001
|
||||
-\001\013\005\000\003\202\002\001\000\217\374\055\114\267\331\055
|
||||
-\325\037\275\357\313\364\267\150\027\165\235\116\325\367\335\234
|
||||
-\361\052\046\355\237\242\266\034\003\325\123\263\354\010\317\064
|
||||
-\342\343\303\364\265\026\057\310\303\276\327\323\163\253\000\066
|
||||
-\371\032\112\176\326\143\351\136\106\272\245\266\216\025\267\243
|
||||
-\052\330\103\035\357\135\310\037\201\205\263\213\367\377\074\364
|
||||
-\331\364\106\010\077\234\274\035\240\331\250\114\315\045\122\116
|
||||
-\012\261\040\367\037\351\103\331\124\106\201\023\232\300\136\164
|
||||
-\154\052\230\062\352\374\167\273\015\245\242\061\230\042\176\174
|
||||
-\174\347\332\244\255\354\267\056\032\031\161\370\110\120\332\103
|
||||
-\217\054\204\335\301\100\047\343\265\360\025\116\226\324\370\134
|
||||
-\343\206\051\106\053\327\073\007\353\070\177\310\206\127\227\323
|
||||
-\357\052\063\304\027\120\325\144\151\153\053\153\105\136\135\057
|
||||
-\027\312\132\116\317\303\327\071\074\365\073\237\106\271\233\347
|
||||
-\016\111\227\235\326\325\343\033\017\352\217\001\116\232\023\224
|
||||
-\131\012\002\007\110\113\032\140\253\177\117\355\013\330\125\015
|
||||
-\150\157\125\234\151\145\025\102\354\300\334\335\154\254\303\026
|
||||
-\316\013\035\126\233\244\304\304\322\056\340\017\342\104\047\053
|
||||
-\120\151\244\334\142\350\212\041\051\102\154\314\000\072\226\166
|
||||
-\233\357\100\300\244\136\167\204\062\154\046\052\071\146\256\135
|
||||
-\343\271\271\262\054\150\037\036\232\220\003\071\360\252\263\244
|
||||
-\314\111\213\030\064\351\067\311\173\051\307\204\174\157\104\025
|
||||
-\057\354\141\131\004\311\105\313\242\326\122\242\174\177\051\222
|
||||
-\326\112\305\213\102\250\324\376\352\330\307\207\043\030\344\235
|
||||
-\172\175\163\100\122\230\240\256\156\343\005\077\005\017\340\245
|
||||
-\306\155\115\355\203\067\210\234\307\363\334\102\232\152\266\327
|
||||
-\041\111\066\167\362\357\030\117\305\160\331\236\351\336\267\053
|
||||
-\213\364\274\176\050\337\015\100\311\205\134\256\235\305\061\377
|
||||
-\320\134\016\265\250\176\360\351\057\272\257\210\256\345\265\321
|
||||
-\130\245\257\234\161\247\051\001\220\203\151\067\202\005\272\374
|
||||
-\011\301\010\156\214\170\073\303\063\002\200\077\104\205\010\035
|
||||
-\337\125\126\010\255\054\205\055\135\261\003\341\256\252\164\305
|
||||
-\244\363\116\272\067\230\173\202\271
|
||||
-END
|
||||
-
|
||||
-# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
-# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||
-# Serial Number: 268435455 (0xfffffff)
|
||||
-# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||
-# Not Valid Before: Wed May 12 08:51:39 2010
|
||||
-# Not Valid After : Mon Mar 23 09:50:05 2020
|
||||
-# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
|
||||
-# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
|
||||
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
-CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
-CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
-CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
|
||||
-\325\362\127\251\277\055\320\077\213\106\127\371\053\311\244\306
|
||||
-\222\341\102\102
|
||||
-END
|
||||
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
|
||||
-\056\141\242\321\170\316\356\277\131\063\260\043\024\017\224\034
|
||||
-END
|
||||
-CKA_ISSUER MULTILINE_OCTAL
|
||||
-\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
|
||||
-\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
|
||||
-\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
|
||||
-\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
|
||||
-\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
|
||||
-\156\151\163\141\164\151\145\040\055\040\107\062
|
||||
-END
|
||||
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
-\002\004\017\377\377\377
|
||||
-END
|
||||
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
-
|
||||
-#
|
||||
# Certificate "Security Communication RootCA2"
|
||||
#
|
||||
# Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
|
||||
# Serial Number: 0 (0x0)
|
||||
# Subject: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
|
||||
# Not Valid Before: Fri May 29 05:00:39 2009
|
||||
# Not Valid After : Tue May 29 05:00:39 2029
|
||||
# Fingerprint (SHA-256): 51:3B:2C:EC:B8:10:D4:CD:E5:DD:85:39:1A:DF:C6:C2:DD:60:D8:7B:B7:36:D2:B5:21:48:4A:A4:7A:0E:BE:F6
|
||||
@@ -8337,78 +8156,16 @@ END
|
||||
CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
\002\001\000
|
||||
END
|
||||
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
-# Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929
|
||||
-# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
|
||||
-# Serial Number: 1800000005 (0x6b49d205)
|
||||
-# Not Before: Apr 7 15:37:15 2011 GMT
|
||||
-# Not After : Apr 4 15:37:15 2021 GMT
|
||||
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
-CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
-CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
-CKA_LABEL UTF8 "MITM subCA 1 issued by Trustwave"
|
||||
-CKA_ISSUER MULTILINE_OCTAL
|
||||
-\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
|
||||
-\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
|
||||
-\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
|
||||
-\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
|
||||
-\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
|
||||
-\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
|
||||
-\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
|
||||
-\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
|
||||
-\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
|
||||
-\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
|
||||
-\100\164\162\165\163\164\167\141\166\145\056\143\157\155
|
||||
-END
|
||||
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
-\002\004\153\111\322\005
|
||||
-END
|
||||
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
-
|
||||
-# Explicitly Distrust "MITM subCA 2 issued by Trustwave", Bug 724929
|
||||
-# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
|
||||
-# Serial Number: 1800000006 (0x6b49d206)
|
||||
-# Not Before: Apr 18 21:09:30 2011 GMT
|
||||
-# Not After : Apr 15 21:09:30 2021 GMT
|
||||
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
-CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
-CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
-CKA_LABEL UTF8 "MITM subCA 2 issued by Trustwave"
|
||||
-CKA_ISSUER MULTILINE_OCTAL
|
||||
-\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
|
||||
-\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
|
||||
-\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
|
||||
-\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
|
||||
-\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
|
||||
-\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
|
||||
-\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
|
||||
-\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
|
||||
-\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
|
||||
-\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
|
||||
-\100\164\162\165\163\164\167\141\166\145\056\143\157\155
|
||||
-END
|
||||
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
-\002\004\153\111\322\006
|
||||
-END
|
||||
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
-
|
||||
#
|
||||
# Certificate "Actalis Authentication Root CA"
|
||||
#
|
||||
# Issuer: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT
|
||||
# Serial Number:57:0a:11:97:42:c4:e3:cc
|
||||
# Subject: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT
|
||||
# Not Valid Before: Thu Sep 22 11:22:02 2011
|
||||
# Not Valid After : Sun Sep 22 11:22:02 2030
|
||||
@@ -9042,84 +8799,16 @@ END
|
||||
CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
\002\001\001
|
||||
END
|
||||
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
-# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022
|
||||
-# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
|
||||
-# Serial Number: 2087 (0x827)
|
||||
-# Subject: CN=*.EGO.GOV.TR,OU=EGO BILGI ISLEM,O=EGO,L=ANKARA,ST=ANKARA,C=TR
|
||||
-# Not Valid Before: Mon Aug 08 07:07:51 2011
|
||||
-# Not Valid After : Tue Jul 06 07:07:51 2021
|
||||
-# Fingerprint (MD5): F8:F5:25:FF:0C:31:CF:85:E1:0C:86:17:C1:CE:1F:8E
|
||||
-# Fingerprint (SHA1): C6:9F:28:C8:25:13:9E:65:A6:46:C4:34:AC:A5:A1:D2:00:29:5D:B1
|
||||
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
-CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
-CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
-CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 1"
|
||||
-CKA_ISSUER MULTILINE_OCTAL
|
||||
-\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303
|
||||
-\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
|
||||
-\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151
|
||||
-\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145
|
||||
-\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061
|
||||
-\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124
|
||||
-\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164
|
||||
-\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151
|
||||
-\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151
|
||||
-\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050
|
||||
-\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065
|
||||
-END
|
||||
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
-\002\002\010\047
|
||||
-END
|
||||
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
-
|
||||
-# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 2", Bug 825022
|
||||
-# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
|
||||
-# Serial Number: 2148 (0x864)
|
||||
-# Subject: E=ileti@kktcmerkezbankasi.org,CN=e-islem.kktcmerkezbankasi.org,O=KKTC Merkez Bankasi,L=Lefkosa,ST=Lefkosa,C=TR
|
||||
-# Not Valid Before: Mon Aug 08 07:07:51 2011
|
||||
-# Not Valid After : Thu Aug 05 07:07:51 2021
|
||||
-# Fingerprint (MD5): BF:C3:EC:AD:0F:42:4F:B4:B5:38:DB:35:BF:AD:84:A2
|
||||
-# Fingerprint (SHA1): F9:2B:E5:26:6C:C0:5D:B2:DC:0D:C3:F2:DC:74:E0:2D:EF:D9:49:CB
|
||||
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
-CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
-CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
-CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 2"
|
||||
-CKA_ISSUER MULTILINE_OCTAL
|
||||
-\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303
|
||||
-\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
|
||||
-\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151
|
||||
-\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145
|
||||
-\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061
|
||||
-\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124
|
||||
-\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164
|
||||
-\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151
|
||||
-\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151
|
||||
-\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050
|
||||
-\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065
|
||||
-END
|
||||
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
-\002\002\010\144
|
||||
-END
|
||||
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
-
|
||||
#
|
||||
# Certificate "D-TRUST Root Class 3 CA 2 2009"
|
||||
#
|
||||
# Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
|
||||
# Serial Number: 623603 (0x983f3)
|
||||
# Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
|
||||
# Not Valid Before: Thu Nov 05 08:35:58 2009
|
||||
# Not Valid After : Mon Nov 05 08:35:58 2029
|
120
nss-no-dbm-man-page.patch
Normal file
120
nss-no-dbm-man-page.patch
Normal file
@ -0,0 +1,120 @@
|
||||
diff -up ./doc/certutil.xml.no-dbm ./doc/certutil.xml
|
||||
--- ./doc/certutil.xml.no-dbm 2021-05-29 10:26:21.853386165 -0700
|
||||
+++ ./doc/certutil.xml 2021-05-29 10:31:15.057058619 -0700
|
||||
@@ -205,8 +205,7 @@ If this option is not used, the validity
|
||||
<para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para>
|
||||
<para>NSS recognizes the following prefixes:</para>
|
||||
<itemizedlist>
|
||||
- <listitem><para><command>sql:</command> requests the newer database</para></listitem>
|
||||
- <listitem><para><command>dbm:</command> requests the legacy database</para></listitem>
|
||||
+ <listitem><para><command>sql:</command> requests the sql-lite database</para></listitem>
|
||||
</itemizedlist>
|
||||
<para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <command>sql:</command> is the default.</para>
|
||||
</listitem>
|
||||
@@ -1205,17 +1204,9 @@ BerkeleyDB. These new databases provide
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
-<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
|
||||
+<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. </para>
|
||||
|
||||
-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.
|
||||
-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
|
||||
-
|
||||
-<programlisting>$ certutil -L -d dbm:/home/my/sharednssdb</programlisting>
|
||||
-
|
||||
-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
|
||||
-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
|
||||
-
|
||||
-<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
|
||||
+<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
diff -up ./doc/modutil.xml.no-dbm ./doc/modutil.xml
|
||||
--- ./doc/modutil.xml.no-dbm 2021-05-29 10:26:21.854386171 -0700
|
||||
+++ ./doc/modutil.xml 2021-05-29 10:28:23.293078869 -0700
|
||||
@@ -151,7 +151,7 @@
|
||||
<varlistentry>
|
||||
<term>-dbdir directory</term>
|
||||
<listitem><para>Specify the database directory in which to access or create security module database files.</para>
|
||||
- <para><command>modutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>dbm:</command> is not used, then the tool assumes that the given databases are in SQLite format.</para></listitem>
|
||||
+ <para><command>modutil</command> supports SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
@@ -689,15 +689,7 @@ BerkleyDB. These new databases provide m
|
||||
|
||||
<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
|
||||
|
||||
-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.
|
||||
-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
|
||||
-
|
||||
-<programlisting>modutil -create -dbdir dbm:/home/my/sharednssdb</programlisting>
|
||||
-
|
||||
-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
|
||||
-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
|
||||
-
|
||||
-<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>
|
||||
+<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type. </para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
diff -up ./doc/pk12util.xml.no-dbm ./doc/pk12util.xml
|
||||
--- ./doc/pk12util.xml.no-dbm 2021-05-29 10:26:21.854386171 -0700
|
||||
+++ ./doc/pk12util.xml 2021-05-29 10:28:23.293078869 -0700
|
||||
@@ -90,7 +90,7 @@
|
||||
<varlistentry>
|
||||
<term>-d directory</term>
|
||||
<listitem><para>Specify the database directory into which to import to or export from certificates and keys.</para>
|
||||
- <para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>dbm:</command> is not used, then the tool assumes that the given databases are in the SQLite format.</para></listitem>
|
||||
+ <para><command>pk12util</command> supports SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
@@ -394,15 +394,7 @@ BerkleyDB. These new databases provide m
|
||||
|
||||
<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
|
||||
|
||||
-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type
|
||||
-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
|
||||
-
|
||||
-<programlisting># pk12util -i /tmp/cert-files/users.p12 -d dbm:/home/my/sharednssdb</programlisting>
|
||||
-
|
||||
-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
|
||||
-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
|
||||
-
|
||||
-<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
|
||||
+<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type. </para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
diff -up ./doc/signver.xml.no-dbm ./doc/signver.xml
|
||||
--- ./doc/signver.xml.no-dbm 2021-05-29 10:26:21.854386171 -0700
|
||||
+++ ./doc/signver.xml 2021-05-29 10:28:23.293078869 -0700
|
||||
@@ -66,7 +66,7 @@
|
||||
<varlistentry>
|
||||
<term>-d <emphasis>directory</emphasis></term>
|
||||
<listitem><para>Specify the database directory which contains the certificates and keys.</para>
|
||||
- <para><command>signver</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>dbm:</command> is not used, then the tool assumes that the given databases are in the SQLite format.</para></listitem>
|
||||
+ <para><command>signver</command> supports SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>-a</term>
|
||||
@@ -155,15 +155,7 @@ BerkleyDB. These new databases provide m
|
||||
|
||||
<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
|
||||
|
||||
-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type
|
||||
-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
|
||||
-
|
||||
-<programlisting># signver -A -s <replaceable>signature</replaceable> -d dbm:/home/my/sharednssdb</programlisting>
|
||||
-
|
||||
-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
|
||||
-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
|
||||
-
|
||||
-<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>
|
||||
+<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
85
nss-signtool-format.patch
Normal file
85
nss-signtool-format.patch
Normal file
@ -0,0 +1,85 @@
|
||||
diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
|
||||
--- a/cmd/modutil/install.c
|
||||
+++ b/cmd/modutil/install.c
|
||||
@@ -825,17 +825,20 @@ rm_dash_r(char *path)
|
||||
|
||||
dir = PR_OpenDir(path);
|
||||
if (!dir) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Recursively delete all entries in the directory */
|
||||
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
|
||||
- snprintf(filename, sizeof(filename), "%s/%s", path, entry->name);
|
||||
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
|
||||
+ PR_CloseDir(dir);
|
||||
+ return -1;
|
||||
+ }
|
||||
if (rm_dash_r(filename)) {
|
||||
PR_CloseDir(dir);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
if (PR_CloseDir(dir) != PR_SUCCESS) {
|
||||
return -1;
|
||||
diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
|
||||
--- a/cmd/signtool/util.c
|
||||
+++ b/cmd/signtool/util.c
|
||||
@@ -138,6 +138,12 @@ rm_dash_r(char *path)
|
||||
/* Recursively delete all entries in the directory */
|
||||
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
|
||||
snprintf(filename, sizeof(filename), "%s/%s", path, entry->name);
|
||||
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name
|
||||
+) >= sizeof(filename)) {
|
||||
+ errorCount++;
|
||||
+ PR_CloseDir(dir);
|
||||
+ return -1;
|
||||
+ }
|
||||
if (rm_dash_r(filename)) {
|
||||
PR_CloseDir(dir);
|
||||
return -1;
|
||||
diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
|
||||
--- a/lib/libpkix/pkix/util/pkix_list.c
|
||||
+++ b/lib/libpkix/pkix/util/pkix_list.c
|
||||
@@ -1530,17 +1530,17 @@ cleanup:
|
||||
*/
|
||||
PKIX_Error *
|
||||
PKIX_List_SetItem(
|
||||
PKIX_List *list,
|
||||
PKIX_UInt32 index,
|
||||
PKIX_PL_Object *item,
|
||||
void *plContext)
|
||||
{
|
||||
- PKIX_List *element;
|
||||
+ PKIX_List *element = NULL;
|
||||
|
||||
PKIX_ENTER(LIST, "PKIX_List_SetItem");
|
||||
PKIX_NULLCHECK_ONE(list);
|
||||
|
||||
if (list->immutable){
|
||||
PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
|
||||
}
|
||||
|
||||
diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
|
||||
--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
|
||||
+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
|
||||
@@ -102,17 +102,17 @@ cleanup:
|
||||
*/
|
||||
static PKIX_Error *
|
||||
pkix_pl_OID_Equals(
|
||||
PKIX_PL_Object *first,
|
||||
PKIX_PL_Object *second,
|
||||
PKIX_Boolean *pResult,
|
||||
void *plContext)
|
||||
{
|
||||
- PKIX_Int32 cmpResult;
|
||||
+ PKIX_Int32 cmpResult = 0;
|
||||
|
||||
PKIX_ENTER(OID, "pkix_pl_OID_Equals");
|
||||
PKIX_NULLCHECK_THREE(first, second, pResult);
|
||||
|
||||
PKIX_CHECK(pkix_pl_OID_Comparator
|
||||
(first, second, &cmpResult, plContext),
|
||||
PKIX_OIDCOMPARATORFAILED);
|
||||
|
@ -21,7 +21,6 @@ Options:
|
||||
Dynamic Libraries:
|
||||
softokn3 - Requires full dynamic linking
|
||||
freebl3 - for internal use only (and glibc for self-integrity check)
|
||||
nssdbm3 - for internal use only
|
||||
Dymamically linked
|
||||
EOF
|
||||
exit $1
|
@ -7,5 +7,5 @@ Name: NSS-SOFTOKN
|
||||
Description: Network Security Services Softoken PKCS #11 Module
|
||||
Version: %SOFTOKEN_VERSION%
|
||||
Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
|
||||
Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
|
||||
Libs: -L${libdir} -lfreebl3 -lsoftokn3
|
||||
Cflags: -I${includedir}
|
File diff suppressed because it is too large
Load Diff
23
plans/ci.fmf
Normal file
23
plans/ci.fmf
Normal file
@ -0,0 +1,23 @@
|
||||
/fips-disabled-buildroot-disabled:
|
||||
plan:
|
||||
import:
|
||||
url: https://pkgs.devel.redhat.com/git/tests/nss
|
||||
name: /plans/ci/fips-disabled-buildroot-disabled
|
||||
|
||||
/fips-disabled-buildroot-enabled:
|
||||
plan:
|
||||
import:
|
||||
url: https://pkgs.devel.redhat.com/git/tests/nss
|
||||
name: /plans/ci/fips-disabled-buildroot-enabled
|
||||
|
||||
/fips-enabled-buildroot-disabled:
|
||||
plan:
|
||||
import:
|
||||
url: https://pkgs.devel.redhat.com/git/tests/nss
|
||||
name: /plans/ci/fips-enabled-buildroot-disabled
|
||||
|
||||
/fips-enabled-buildroot-enabled:
|
||||
plan:
|
||||
import:
|
||||
url: https://pkgs.devel.redhat.com/git/tests/nss
|
||||
name: /plans/ci/fips-enabled-buildroot-enabled
|
10
plans/gnutls-2way.fmf
Normal file
10
plans/gnutls-2way.fmf
Normal file
@ -0,0 +1,10 @@
|
||||
summary: Upstreamed interop-2way tests
|
||||
contact: Stanislav Zidek <szidek@redhat.com>
|
||||
discover:
|
||||
# upstreamed tests (public)
|
||||
- name: interop-gnutls-2way
|
||||
how: fmf
|
||||
url: https://gitlab.com/redhat-crypto/tests/interop.git
|
||||
filter: 'tag: interop-nss & tag: interop-gnutls & tag: interop-2way'
|
||||
execute:
|
||||
how: tmt
|
10
plans/openssl-2way.fmf
Normal file
10
plans/openssl-2way.fmf
Normal file
@ -0,0 +1,10 @@
|
||||
summary: Upstreamed interop-2way tests
|
||||
contact: Stanislav Zidek <szidek@redhat.com>
|
||||
discover:
|
||||
# upstreamed tests (public)
|
||||
- name: interop-openssl-2way
|
||||
how: fmf
|
||||
url: https://gitlab.com/redhat-crypto/tests/interop.git
|
||||
filter: 'tag: interop-nss & tag: interop-openssl & tag: interop-2way'
|
||||
execute:
|
||||
how: tmt
|
10
plans/openssl-reneg.fmf
Normal file
10
plans/openssl-reneg.fmf
Normal file
@ -0,0 +1,10 @@
|
||||
summary: Upstreamed interop-nss-openssl renegotiation test
|
||||
contact: Stanislav Zidek <szidek@redhat.com>
|
||||
discover:
|
||||
# upstreamed tests (public)
|
||||
- name: interop-openssl-reneg
|
||||
how: fmf
|
||||
url: https://gitlab.com/redhat-crypto/tests/interop.git
|
||||
filter: 'tag: interop-nss & tag: interop-openssl & tag: interop-reneg'
|
||||
execute:
|
||||
how: tmt
|
10
plans/short-interop-tests.fmf
Normal file
10
plans/short-interop-tests.fmf
Normal file
@ -0,0 +1,10 @@
|
||||
summary: Upstreamed interop tests - short tests which do not need to run in parallel
|
||||
contact: Stanislav Zidek <szidek@redhat.com>
|
||||
discover:
|
||||
# upstreamed tests (public)
|
||||
- name: interop-other+nss-fast
|
||||
how: fmf
|
||||
url: https://gitlab.com/redhat-crypto/tests/interop.git
|
||||
filter: 'tag: interop-nss & tag: -interop-slow'
|
||||
execute:
|
||||
how: tmt
|
3
sources
Normal file
3
sources
Normal file
@ -0,0 +1,3 @@
|
||||
SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
|
||||
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
|
||||
SHA512 (nss-3.101-with-nspr-4.35.tar.gz) = 95c8ef1c12e1de7da4d918cebd1d5464b0ff4932083f6d395733345bd9f8598069028793fd1c08f974efcb31129cd84718487fd5326e45a878fba0d8c309bd39
|
Loading…
Reference in New Issue
Block a user