diff --git a/0001-nss-anolis-nameconstraints.patch b/0001-nss-anolis-nameconstraints.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a2ae8a2561530dcc984a78b4c76d7d63c11140c0
--- /dev/null
+++ b/0001-nss-anolis-nameconstraints.patch
@@ -0,0 +1,30 @@
+--- a/tests/chains/scenarios/nameconstraints.cfg
++++ b/tests/chains/scenarios/nameconstraints.cfg
+@@ -154,17 +154,25 @@ verify NameConstraints.server17:x
+ # Subject: "C = US, ST=CA, O=Foo CN=foo.example.com"
+ verify NameConstraints.dcissblocked:x
+ result fail
+ 
+ # Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr"
+ verify NameConstraints.dcissallowed:x
+ result pass
+ 
+-# Subject: "O = IPA.LOCAL 201901211552, CN = OCSP Subsystem"
++# Subject: "O = IPA.LOCAL 20200120, CN = OCSP and IPSEC"
++# EKUs: OCSPSigning,ipsecUser
+ #
+ # This tests that a non server certificate (i.e. id-kp-serverAuth
+ # not present in EKU) does *NOT* have CN treated as dnsName for
+-# purposes of Name Constraints validation
++# purposes of Name Constraints validation (certificateUsageStatusResponder)
++# https://hg.mozilla.org/projects/nss/rev/0b30eb1c3650
+ verify NameConstraints.ocsp1:x
+ usage 10
+ result pass
+ 
++# This tests that a non server certificate (i.e. id-kp-serverAuth
++# not present in EKU) does *NOT* have CN treated as dnsName for
++# purposes of Name Constraints validation (certificateUsageIPsec)
++verify NameConstraints.ocsp1:x
++ usage 12
++ result pass
diff --git a/NameConstraints.ipaca.cert b/NameConstraints.ipaca.cert
new file mode 100644
index 0000000000000000000000000000000000000000..4a451f3429d25ab6d3a9cb00b2f005118f7cac08
Binary files /dev/null and b/NameConstraints.ipaca.cert differ
diff --git a/NameConstraints.ocsp1.cert b/NameConstraints.ocsp1.cert
new file mode 100644
index 0000000000000000000000000000000000000000..817faafe3d2b5cd197a5c1dbeaf1db48ff37e689
Binary files /dev/null and b/NameConstraints.ocsp1.cert differ
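Review bot: The updated `NameConstraints.ocsp1` scenario records the new subject and EKUs of the renewed certificate but not its validity window, so the next expiry will again surface as an unexplained chains failure rather than a dated comment; consider extending the subject comment with a line such as `# Valid until: <notAfter of NameConstraints.ocsp1.cert — fill from the certificate>` and doing the same for the issuing `NameConstraints.ipaca.cert`. The patch file also starts directly at the first `---` line with no description header, so a one-line header naming the upstream change (the hg revision already cited inside the cfg comment) would let anyone reading the applied patch trace it without opening nss.spec. The two `.cert` files are binary and their contents cannot be reviewed from this page.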
diff --git a/nss.spec b/nss.spec
index f4b6b5dea302fa442e8dd8642f07ec5c6d27a946..cf75b205cdfba5ddcad45150488c098f1e89bd0d 100644
--- a/nss.spec
+++ b/nss.spec
@@ -6,6 +6,7 @@
 %global dracutlibdir %{_prefix}/lib/dracut
 %global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/
 %global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
+%define anolis_release .0.1
 
 # The timestamp of our downstream manual pages, e.g., nss-config.1
 %global manual_date "Nov 13 2013"
@@ -47,7 +48,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary: Network Security Services
 Name: nss
 Version: %{nss_version}
-Release: 6%{?dist}
+Release: 6%{anolis_release}%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Requires: nspr >= %{nspr_version}
@@ -94,6 +95,8 @@ Source26: key4.db.xml
 Source27: secmod.db.xml
 Source28: nss-p11-kit.config
 Source30: PayPalEE.cert
+Source31: NameConstraints.ipaca.cert
+Source32: NameConstraints.ocsp1.cert
 
 # To inject hardening flags for DSO
 Patch1: nss-dso-ldflags.patch
@@ -158,6 +161,11 @@ Patch234: nss-3.67-fix-sdb-timeout.patch
 # no upstream bug yet
 Patch235: nss-3.67-fix-ssl-alerts.patch
 
+# Add by Anolis
+#https://github.com/nss-dev/nss/commit/e24c7f21749e4d203e0e0f8a3433ca021ae11bda
+Patch1000: 0001-nss-anolis-nameconstraints.patch
+# End
+
 %description
 Network Security Services (NSS) is a set of libraries designed to
 support cross-platform development of security-enabled client and
@@ -286,6 +294,8 @@ Header and library files for doing development with Network Security Services.
 %prep
 %autosetup -N -n %{name}-%{nss_archive_version}
 pushd nss
+cp -a %{SOURCE31} tests/libpkix/certs/
+cp -a %{SOURCE32} tests/libpkix/certs/
 %autopatch -p1
 popd
 
@@ -928,6 +938,10 @@ update-crypto-policies --no-reload &> /dev/null || :
 %changelog
+* Fri Dec 3 2021 zhangbinchen - 3.67.0-6.0.1
+- cherry-pick [85caea6]
+- Renew two chains libpkix test certificates
+
 * Tue Jul 6 2021 Bob Relyea - 3.67.0-6
 - Fix ssl alert issue
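Review bot: The first hunk introduces `%define anolis_release .0.1` in a file whose surrounding macros are all declared with `%global` (the three `dracut*` lines directly above it), so the new macro is scoped differently from every other one and rpmlint will flag the inconsistency; use `%global anolis_release .0.1` instead. In the Source hunk, the two new certificate sources arrive with no note on where they came from or when they expire, although the changelog entry says they replace expired ones; a comment such as `# Renewed chains test certificates, taken from the upstream commit cited at Patch1000; notAfter: <fill from certificate>` above `Source31` would make the next renewal traceable. The Patch1000 comment block would also read better as `# Added by Anolis, backport of:` followed by the URL with a space after `#`.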