From 9be140121789f60348d6cce4335acbbc0c9c6252 Mon Sep 17 00:00:00 2001 
From: yangxianzhao Date: Thu, 12 Oct 2023 14:15:08 +0800 Subject: [PATCH] update to nss-3.90 --- Bug-1001841-disable-sslv2-libssl.patch | 25 - Bug-1001841-disable-sslv2-tests.patch | 57 - add-relro-linker-option.patch | 16 - cert9.db.xml | 4 +- cve-2023-0767.patch | 92 - download | 2 +- fips_algorithms.h | 172 + iquote.patch | 237 +- nss-3.14.0.0-disble-ocsp-test.patch | 11 - nss-3.66-disable-signature-policies.patch | 42 + nss-3.67-revert-sql-manage-change.patch | 2917 -------------- nss-3.71-camellia-pkcs12-doc.patch | 20 + nss-3.79-dbtool.patch | 3411 +++++++++++++++++ nss-3.79-distrusted-certs.patch | 375 -- nss-3.79-fips-review.patches | 497 +++ nss-3.79-fips.patch | 578 +++ nss-3.79-fix-client-cert-crash.patch | 23 - nss-3.79-pkcs12-fips-defaults.patch | 25 + nss-3.79-pkcs12-fix-null-password.patch | 21 - nss-3.79-r7-remove-explicit-ipv4.patch | 258 -- nss-3.79-revert-distrusted-certs.patch | 335 ++ nss-3.79-skip-pwdecrypt-time.patch | 14 - nss-3.79-ssl2-compatible-client-hello.patch | 12 - nss-3.79-version-range.patch | 14 - nss-3.90-DisablingASM.patch | 57 + nss-3.90-add-ems-policy.patch | 104 + nss-3.90-disable-ech.patch | 96 + nss-3.90-no-dbm-25519.patch | 18 + nss-3.90-pbkdf2-indicator.patch | 42 + nss-disable-cipher-suites.patch | 27 - nss-disable-md5.patch | 41 + nss-dso-ldflags.patch | 13 + nss-fix-deadlock-squash.patch | 112 - nss-gcm-param-default-pkcs11v2.patch | 21 + nss-modutil-skip-changepw-fips.patch | 22 - nss-p11-kit.config | 4 + nss-reorder-cipher-suites-gtests.patch | 109 - nss-reorder-cipher-suites.patch | 205 - nss-rhel7.config | 7 - nss-skip-bltest-and-fipstest.patch | 26 - nss-skip-cavs-tests.patch | 11 - nss-skip-sysinit-gtests.patch | 7 +- nss-skip-util-gtest.patch | 21 - nss-sni-c-v-fix.patch | 21 - nss-softokn-config.in | 116 + nss-softokn-dracut-module-setup.sh | 18 + nss-softokn-dracut.conf | 3 + nss-softokn.pc.in | 11 + nss-sql-default-tests.patch | 70 - nss-sql-default.patch | 35 - nss-sysinit-getenv.patch | 32 - 
nss-sysinit-userdb.patch | 202 +- nss-util-config.in | 118 + nss-util.pc.in | 11 + nss-version-range-set.patch | 43 - nss.spec | 2244 ++++++----- p-ignore-setpolicy.patch | 25 - renegotiate-transitional.patch | 12 - ...8-enable-ecc-3des-ciphers-by-default.patch | 14 + utilwrap-include-templates.patch | 14 - 60 files changed, 7068 insertions(+), 6022 deletions(-) delete mode 100644 Bug-1001841-disable-sslv2-libssl.patch delete mode 100644 Bug-1001841-disable-sslv2-tests.patch delete mode 100644 add-relro-linker-option.patch delete mode 100644 cve-2023-0767.patch create mode 100644 fips_algorithms.h delete mode 100644 nss-3.14.0.0-disble-ocsp-test.patch create mode 100644 nss-3.66-disable-signature-policies.patch delete mode 100644 nss-3.67-revert-sql-manage-change.patch create mode 100644 nss-3.71-camellia-pkcs12-doc.patch create mode 100644 nss-3.79-dbtool.patch delete mode 100644 nss-3.79-distrusted-certs.patch create mode 100644 nss-3.79-fips-review.patches create mode 100644 nss-3.79-fips.patch delete mode 100644 nss-3.79-fix-client-cert-crash.patch create mode 100644 nss-3.79-pkcs12-fips-defaults.patch delete mode 100644 nss-3.79-pkcs12-fix-null-password.patch delete mode 100644 nss-3.79-r7-remove-explicit-ipv4.patch create mode 100644 nss-3.79-revert-distrusted-certs.patch delete mode 100644 nss-3.79-skip-pwdecrypt-time.patch delete mode 100644 nss-3.79-ssl2-compatible-client-hello.patch delete mode 100644 nss-3.79-version-range.patch create mode 100644 nss-3.90-DisablingASM.patch create mode 100644 nss-3.90-add-ems-policy.patch create mode 100644 nss-3.90-disable-ech.patch create mode 100644 nss-3.90-no-dbm-25519.patch create mode 100644 nss-3.90-pbkdf2-indicator.patch delete mode 100644 nss-disable-cipher-suites.patch create mode 100644 nss-disable-md5.patch create mode 100644 nss-dso-ldflags.patch delete mode 100644 nss-fix-deadlock-squash.patch create mode 100644 nss-gcm-param-default-pkcs11v2.patch delete mode 100644 nss-modutil-skip-changepw-fips.patch 
create mode 100644 nss-p11-kit.config delete mode 100644 nss-reorder-cipher-suites-gtests.patch delete mode 100644 nss-reorder-cipher-suites.patch delete mode 100644 nss-rhel7.config delete mode 100644 nss-skip-bltest-and-fipstest.patch delete mode 100644 nss-skip-cavs-tests.patch delete mode 100644 nss-skip-util-gtest.patch delete mode 100644 nss-sni-c-v-fix.patch create mode 100644 nss-softokn-config.in create mode 100644 nss-softokn-dracut-module-setup.sh create mode 100644 nss-softokn-dracut.conf create mode 100644 nss-softokn.pc.in delete mode 100644 nss-sql-default-tests.patch delete mode 100644 nss-sql-default.patch delete mode 100644 nss-sysinit-getenv.patch create mode 100644 nss-util-config.in create mode 100644 nss-util.pc.in delete mode 100644 nss-version-range-set.patch delete mode 100644 p-ignore-setpolicy.patch delete mode 100644 renegotiate-transitional.patch create mode 100644 rhbz1185708-enable-ecc-3des-ciphers-by-default.patch delete mode 100644 utilwrap-include-templates.patch diff --git a/Bug-1001841-disable-sslv2-libssl.patch b/Bug-1001841-disable-sslv2-libssl.patch deleted file mode 100644 index 9f8134c..0000000 --- a/Bug-1001841-disable-sslv2-libssl.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -diff -up nss/lib/ssl/config.mk.disableSSL2libssl nss/lib/ssl/config.mk ---- nss/lib/ssl/config.mk.disableSSL2libssl 2020-07-22 17:20:07.325371407 +0200 -+++ nss/lib/ssl/config.mk 2020-07-22 17:21:23.818815809 +0200 -@@ -53,3 +53,7 @@ endif - ifdef NSS_DISABLE_TLS_1_3 - DEFINES += -DNSS_DISABLE_TLS_1_3 - endif -+ -+ifdef NSS_NO_SSL2 -+DEFINES += -DNSS_NO_SSL2 -+endif -diff -up nss/lib/ssl/sslsock.c.disableSSL2libssl nss/lib/ssl/sslsock.c ---- nss/lib/ssl/sslsock.c.disableSSL2libssl 2020-07-22 17:20:07.314371487 +0200 -+++ nss/lib/ssl/sslsock.c 2020-07-22 17:20:07.326371400 +0200 -@@ -1405,6 +1405,10 @@ SSLExp_SetMaxEarlyDataSize(PRFileDesc *f - static PRBool - ssl_IsRemovedCipherSuite(PRInt32 suite) - { -+#ifdef NSS_NO_SSL2 -+ if (SSL_IS_SSL2_CIPHER(suite)) -+ return PR_TRUE; -+#endif /* NSS_NO_SSL2 */ - switch (suite) { - case SSL_FORTEZZA_DMS_WITH_NULL_SHA: - case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: diff --git a/Bug-1001841-disable-sslv2-tests.patch b/Bug-1001841-disable-sslv2-tests.patch deleted file mode 100644 index f943cbb..0000000 --- a/Bug-1001841-disable-sslv2-tests.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -diff -up ./tests/ssl/ssl.sh.disableSSL2tests ./tests/ssl/ssl.sh ---- ./tests/ssl/ssl.sh.disableSSL2tests 2021-05-28 02:50:43.000000000 -0700 -+++ ./tests/ssl/ssl.sh 2021-06-03 15:22:02.725514179 -0700 -@@ -88,9 +88,14 @@ ssl_init() - NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} - - # Test case files -- SSLCOV=${QADIR}/ssl/sslcov.txt -+ if [ "${NSS_NO_SSL2}" = "1" ]; then -+ SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt -+ SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt -+ else -+ SSLCOV=${QADIR}/ssl/sslcov.txt -+ SSLSTRESS=${QADIR}/ssl/sslstress.txt -+ fi - SSLAUTH=${QADIR}/ssl/sslauth.txt -- SSLSTRESS=${QADIR}/ssl/sslstress.txt - SSLPOLICY=${QADIR}/ssl/sslpolicy.txt - REQUEST_FILE=${QADIR}/ssl/sslreq.dat - -@@ -159,7 +164,11 @@ is_selfserv_alive() - fi - - echo "kill -0 ${PID} >/dev/null 2>/dev/null" -+ if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then -+ echo "No server to kill" -+ else - kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" -+ fi - - echo "selfserv with PID ${PID} found at `date`" - } -@@ -183,7 +192,11 @@ wait_for_selfserv() - ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ - -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE} - if [ $? -ne 0 ]; then -+ if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then -+ html_passed "Server never started" -+ else - html_failed "Waiting for Server" -+ fi - fi - fi - is_selfserv_alive -@@ -332,6 +345,12 @@ ssl_cov() - echo "${testname}" | grep "EXPORT" > /dev/null - EXP=$? - -+ # skip export tests -+ if [ ${EXP} -eq 0 ]; then -+ echo "export test skipped" -+ continue -+ fi -+ - # RSA-PSS tests are handled in a separate function - case $testname in - *RSA-PSS) diff --git a/add-relro-linker-option.patch b/add-relro-linker-option.patch deleted file mode 100644 index 7ab9db1..0000000 --- a/add-relro-linker-option.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk ---- nss/coreconf/Linux.mk.relro 2013-04-09 14:29:45.943228682 -0700 -+++ nss/coreconf/Linux.mk 2013-04-09 14:31:26.194953927 -0700 -@@ -174,6 +174,12 @@ endif - endif - endif - -+# harden DSOs/executables a bit against exploits -+ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE)))) -+DSO_LDOPTS+=-Wl,-z,relro -+LDFLAGS += -Wl,-z,relro -+endif -+ - USE_SYSTEM_ZLIB = 1 - ZLIB_LIBS = -lz - diff --git a/cert9.db.xml b/cert9.db.xml index 6cff889..815d3f9 100644 --- a/cert9.db.xml +++ b/cert9.db.xml @@ -21,13 +21,13 @@ cert9.db - Legacy NSS certificate database + NSS certificate database Description cert9.db is an NSS certificate database. - This certificate database is the sqlite-based shared databse with support for concurrent access. + This certificate database is the sqlite-based shared database with support for concurrent access. diff --git a/cve-2023-0767.patch b/cve-2023-0767.patch deleted file mode 100644 index fc5d4fa..0000000 --- a/cve-2023-0767.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c ---- a/lib/pkcs12/p12d.c -+++ b/lib/pkcs12/p12d.c -@@ -335,35 +335,42 @@ - sec_PKCS12SafeContentsContext *safeContentsCtx = - (sec_PKCS12SafeContentsContext *)arg; - SEC_PKCS12DecoderContext *p12dcx; - SECStatus rv; - -- /* make sure that we are not skipping the current safeBag, -- * and that there are no errors. If so, just return rather -- * than continuing to process. -- */ -- if (!safeContentsCtx || !safeContentsCtx->p12dcx || -- safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { -+ if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) { - return; - } - p12dcx = safeContentsCtx->p12dcx; - -+ /* make sure that there are no errors and we are not skipping the current safeBag */ -+ if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { -+ goto loser; -+ } -+ - rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len); - if (rv != SECSuccess) { - p12dcx->errorValue = PORT_GetError(); -+ p12dcx->error = PR_TRUE; -+ goto loser; -+ } -+ -+ /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we -+ * may not get another opportunity to clean up the decoder context. -+ */ -+ if (safeContentsCtx->skipCurrentSafeBag) { - goto loser; - } - - return; - - loser: -- /* set the error, and finish the decoder context. because there -+ /* Finish the decoder context. Because there - * is not a way of returning an error message, it may be worth - * while to do a check higher up and finish any decoding contexts - * that are still open. 
- */ -- p12dcx->error = PR_TRUE; - SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx); - safeContentsCtx->currentSafeBagA1Dcx = NULL; - return; - } - -diff --git a/lib/pkcs12/p12t.h b/lib/pkcs12/p12t.h ---- a/lib/pkcs12/p12t.h -+++ b/lib/pkcs12/p12t.h -@@ -71,10 +71,11 @@ - SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag; - sec_PKCS12CertBag *certBag; - sec_PKCS12CRLBag *crlBag; - sec_PKCS12SecretBag *secretBag; - sec_PKCS12SafeContents *safeContents; -+ SECItem *unknownBag; - } safeBagContent; - - sec_PKCS12Attribute **attribs; - - /* used locally */ -diff --git a/lib/pkcs12/p12tmpl.c b/lib/pkcs12/p12tmpl.c ---- a/lib/pkcs12/p12tmpl.c -+++ b/lib/pkcs12/p12tmpl.c -@@ -28,16 +28,16 @@ - - safeBag = (sec_PKCS12SafeBag *)src_or_dest; - - oiddata = SECOID_FindOID(&safeBag->safeBagType); - if (oiddata == NULL) { -- return SEC_ASN1_GET(SEC_AnyTemplate); -+ return SEC_ASN1_GET(SEC_PointerToAnyTemplate); - } - - switch (oiddata->offset) { - default: -- theTemplate = SEC_ASN1_GET(SEC_AnyTemplate); -+ theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate); - break; - case SEC_OID_PKCS12_V1_KEY_BAG_ID: - theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate); - break; - case SEC_OID_PKCS12_V1_CERT_BAG_ID: - diff --git a/download b/download index aa1c982..cb21d93 100644 --- a/download +++ b/download @@ -1 +1 @@ -6792cd296a6c2a81fde4962718b6d903 nss-3.79.tar.gz +d83c24d03fb4f9a7f688b5d7c6938972 nss-3.90.tar.gz diff --git a/fips_algorithms.h b/fips_algorithms.h new file mode 100644 index 0000000..80d7dcd --- /dev/null +++ b/fips_algorithms.h 
@@ -0,0 +1,172 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * Vendors should replace this header file with the file containing those
+ * algorithms which have NIST algorithm Certificates.
+ */
+
+/* handle special cases. Classes require existing code to already be
+ * in place for that class */
+typedef enum {
+ SFTKFIPSNone = 0,
+ SFTKFIPSDH, /* allow only specific primes */
+ SFTKFIPSECC, /* not just keys but specific curves */
+ SFTKFIPSAEAD, /* single shot AEAD functions not allowed in FIPS mode */
+ SFTKFIPSRSAPSS, /* make sure salt isn't too big */
+ SFTKFIPSPBKDF2 /* handle pbkdf2 FIPS restrictions */
+} SFTKFIPSSpecialClass;
+
+/* set according to your security policy */
+#define SFTKFIPS_PBKDF2_MIN_PW_LEN 7
+
+typedef struct SFTKFIPSAlgorithmListStr SFTKFIPSAlgorithmList;
+struct SFTKFIPSAlgorithmListStr {
+ CK_MECHANISM_TYPE type;
+ CK_MECHANISM_INFO info;
+ CK_ULONG step;
+ SFTKFIPSSpecialClass special;
+};
+
+SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
+/* A sample set of algorithms to allow basic testing in our continous
+ * testing infrastructure. The vendor version should replace this with
+ * a version that matches their algorithm testing and security policy */
+/* NOTE, This looks a lot like the PKCS #11 mechanism list in pkcs11.c, it
+ * differs in the following ways:
+ * 1) the addition of step and class elements to help restrict
+ * the supported key sizes and types.
+ * 2) The mechanism flags are restricted to only those that map to
+ * fips approved operations.
+ * 3) All key sizes are in bits, independent of mechanism.
+ * 4) You can add more then one entry for the same mechanism to handle
+ * multiple descrete keys where the MIN/MAX/STEP semantics doesn't apply
+ * or where different operations have different key requirements.
+ * This table does not encode all the modules legal FIPS semantics, only
+ * those semantics that might possibly change due to algorithms dropping
+ * of the security policy late in the process. */
+/* handy common flag types */
+#define CKF_KPG CKF_GENERATE_KEY_PAIR
+#define CKF_GEN CKF_GENERATE
+#define CKF_SGN (CKF_SIGN | CKF_VERIFY)
+#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP)
+#define CKF_KEK (CKF_WRAP | CKF_UNWRAP)
+#define CKF_KEA CKF_DERIVE
+#define CKF_KDF CKF_DERIVE
+#define CKF_HSH CKF_DIGEST
+#define CK_MAX 0xffffffffUL
+/* mechanisms using the same key types share the same key type
+ * limits */
+#define RSA_FB_KEY 2048, 4096 /* min, max */
+#define RSA_FB_STEP 1
+#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */
+#define RSA_LEGACY_FB_STEP 256
+
+#define DSA_FB_KEY 2048, 4096 /* min, max */
+#define DSA_FB_STEP 1024
+#define DH_FB_KEY 2048, 8192 /* min, max */
+#define DH_FB_STEP 1024
+#define EC_FB_KEY 256, 521 /* min, max */
+#define EC_FB_STEP 1 /* key limits handled by special operation */
+#define AES_FB_KEY 128, 256
+#define AES_FB_STEP 64
+ { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
+
+ /* -------------- RSA Multipart Signing Operations -------------------- */
+ { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA384_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA512_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA224_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+ /* ------------------------- DSA Operations --------------------------- */
+ { CKM_DSA_SHA224, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone },
+ { CKM_DSA_SHA256, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone },
+ { CKM_DSA_SHA384, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone },
+ { CKM_DSA_SHA512, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone },
+ /* -------------------- Diffie Hellman Operations --------------------- */
+ { CKM_DH_PKCS_KEY_PAIR_GEN, { DH_FB_KEY, CKF_KPG }, DH_FB_STEP, SFTKFIPSDH },
+ { CKM_DH_PKCS_DERIVE, { DH_FB_KEY, CKF_KEA }, DH_FB_STEP, SFTKFIPSDH },
+ /* -------------------- Elliptic Curve Operations --------------------- */
+ { CKM_EC_KEY_PAIR_GEN, { EC_FB_KEY, CKF_KPG }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDH1_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDSA_SHA224, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDSA_SHA512, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+ /* ------------------------- RC2 Operations --------------------------- */
+ /* ------------------------- AES Operations --------------------------- */
+ { CKM_AES_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_ECB, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CBC, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CMAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CMAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_GCM, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSAEAD },
+ { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ /* ------------------------- Hashing Operations ----------------------- */
+ { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
+ { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA224_HMAC_GENERAL, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA256, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
+ { CKM_SHA256_HMAC, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA256_HMAC_GENERAL, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA384, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
+ { CKM_SHA384_HMAC, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA384_HMAC_GENERAL, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA512, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
+ { CKM_SHA512_HMAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA512_HMAC_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ /* --------------------- Secret Key Operations ------------------------ */
+ { CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone },
+ /* ---------------------- SSL/TLS operations ------------------------- */
+ { CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },
+ { CKM_TLS_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_TLS_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_TLS_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_TLS_PRF_GENERAL_SHA256, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_TLS_PRF_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone },
+
+ /* ------------------------- HKDF Operations -------------------------- */
+ { CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone },
+ { CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone },
+ /* ------------------ NIST 800-108 Key Derivations ------------------- */
+ { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ /* --------------------IPSEC ----------------------- */
+ { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
+ /* ------------------ PBE Key Derivations ------------------- */
+ { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSPBKDF2 },
+};
+const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);
diff --git a/iquote.patch b/iquote.patch
index 4908c00..6e4adcd 100644
--- a/iquote.patch
+++ b/iquote.patch
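Review bot: The comments inside `sftk_fips_mechs[]` still describe the table as "A sample set of algorithms" and say "The vendor version should replace this", and nothing in this hunk ties the listed mechanisms and key ranges to this distribution's own algorithm certificates or security policy. If the values are intentional, say so in the file header, for example `/* Mechanism table follows security policy <POLICY-REFERENCE-PLACEHOLDER>; review on every rebase. */`, and do the same for `SFTKFIPS_PBKDF2_MIN_PW_LEN 7`, which the file asks to be "set according to your security policy". Separately, the table is defined in a header as writable data; if no code outside this hunk modifies it, `const SFTKFIPSAlgorithmList sftk_fips_mechs[] = {` would keep the approved-mechanism list read-only.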
@@ -1,228 +1,13 @@ -diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile ---- ./nss/cmd/certutil/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/certutil/Makefile 2017-09-21 16:39:08.680260103 +0200 -@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile ---- ./nss/cmd/httpserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/httpserv/Makefile 2017-09-21 16:39:08.680260103 +0200 -@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../private/nss -+INCLUDES += -iquote $(DIST)/../public/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile ---- ./nss/cmd/lib/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/lib/Makefile 2017-09-21 16:39:08.680260103 +0200 -@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../private/nss -+INCLUDES += -iquote $(DIST)/../public/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). 
# -diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile ---- ./nss/cmd/modutil/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/modutil/Makefile 2017-09-21 16:39:08.680260103 +0200 -@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/cmd/pk12util/Makefile.iquote ./nss/cmd/pk12util/Makefile ---- ./nss/cmd/pk12util/Makefile.iquote 2017-09-21 16:41:23.158209761 +0200 -+++ ./nss/cmd/pk12util/Makefile 2017-09-21 16:41:44.298730232 +0200 -@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile ---- ./nss/cmd/selfserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/selfserv/Makefile 2017-09-21 16:39:08.680260103 +0200 -@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). 
# -diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile ---- ./nss/cmd/ssltap/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/ssltap/Makefile 2017-09-21 16:39:08.680260103 +0200 -@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../private/nss -+INCLUDES += -iquote $(DIST)/../public/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile ---- ./nss/cmd/strsclnt/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/strsclnt/Makefile 2017-09-21 16:39:08.681260081 +0200 -@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile ---- ./nss/cmd/tstclnt/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/tstclnt/Makefile 2017-09-21 16:39:08.681260081 +0200 -@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - ####################################################################### - - #include ../platlibs.mk -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). 
# -diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile ---- ./nss/cmd/vfyserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/vfyserv/Makefile 2017-09-21 16:39:08.681260081 +0200 -@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - ####################################################################### - - #include ../platlibs.mk -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk ---- ./nss/coreconf/location.mk.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/coreconf/location.mk 2017-09-21 16:39:08.681260081 +0200 -@@ -45,6 +45,10 @@ endif - - ifdef NSS_INCLUDE_DIR - INCLUDES += -I$(NSS_INCLUDE_DIR) -+ ifdef IN_TREE_FREEBL_HEADERS_FIRST -+ INCLUDES += -iquote $(DIST)/../public/nss -+ INCLUDES += -iquote $(DIST)/../private/nss -+ endif +diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk +--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200 ++++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200 +@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME + SQLITE_LIB_NAME = sqlite3 endif - ifndef NSS_LIB_DIR -diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile ---- ./nss/gtests/ssl_gtest/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/gtests/ssl_gtest/Makefile 2017-09-21 16:39:08.682260058 +0200 -@@ -53,6 +53,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). 
# -diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile ---- ./nss/lib/certhigh/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/lib/certhigh/Makefile 2017-09-21 16:39:08.681260081 +0200 -@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile ---- ./nss/lib/cryptohi/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/lib/cryptohi/Makefile 2017-09-21 16:39:08.681260081 +0200 -@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/lib/libpkix/pkix/checker/Makefile.iquote ./nss/lib/libpkix/pkix/checker/Makefile ---- ./nss/lib/libpkix/pkix/checker/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/lib/libpkix/pkix/checker/Makefile 2017-09-21 16:39:08.681260081 +0200 -@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../private/nss -+INCLUDES += -iquote $(DIST)/../public/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). 
# -diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile ---- ./nss/lib/nss/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/lib/nss/Makefile 2017-09-21 16:39:08.681260081 +0200 -@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/lib/pkcs12/Makefile.iquote ./nss/lib/pkcs12/Makefile ---- ./nss/lib/pkcs12/Makefile.iquote 2017-09-21 16:39:49.616331555 +0200 -+++ ./nss/lib/pkcs12/Makefile 2017-09-21 16:40:16.286726596 +0200 -@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile ---- ./nss/lib/ssl/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/lib/ssl/Makefile 2017-09-21 16:39:08.681260081 +0200 -@@ -56,6 +56,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -+INCLUDES += -iquote $(DIST)/../public/nss - - - ####################################################################### ++# Prefer in-tree headers over system headers ++ifdef IN_TREE_FREEBL_HEADERS_FIRST ++ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss ++endif ++ + MK_LOCATION = included 
diff --git a/nss-3.14.0.0-disble-ocsp-test.patch b/nss-3.14.0.0-disble-ocsp-test.patch
deleted file mode 100644
index 3347ee9..0000000
--- a/nss-3.14.0.0-disble-ocsp-test.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
---- nss/tests/chains/scenarios/scenarios.noocsptest 2013-06-27 10:58:08.000000000 -0700
-+++ nss/tests/chains/scenarios/scenarios 2013-07-02 16:13:27.075038930 -0700
-@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
- realcerts.cfg
- dsa.cfg
- revoc.cfg
--ocsp.cfg
- crldp.cfg
- trustanchors.cfg
- nameconstraints.cfg
diff --git a/nss-3.66-disable-signature-policies.patch b/nss-3.66-disable-signature-policies.patch
new file mode 100644
index 0000000..001983d
--- /dev/null
+++ b/nss-3.66-disable-signature-policies.patch
@@ -0,0 +1,42 @@
+diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c
+--- ./lib/pk11wrap/pk11pars.c.no_signature_policy 2023-06-21 08:54:54.802785229 +0200
++++ ./lib/pk11wrap/pk11pars.c 2023-06-21 08:58:24.748282499 +0200
+@@ -395,12 +395,9 @@ static const oidValDef signOptList[] = {
+ /* Signatures */
+ { CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+- { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+- { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+- { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
++ { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION, 0},
++ { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0},
++ { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY, 0},
+ };
+
+ typedef struct {
+@@ -416,7 +413,7 @@ static const algListsDef algOptLists[] =
+ { macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
+ { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
+ { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
+- { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
++ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
+ };
+
+ static const optionFreeDef sslOptList[] = {
+diff -up ./tests/ssl/sslpolicy.txt.no_signature_policy ./tests/ssl/sslpolicy.txt
+--- ./tests/ssl/sslpolicy.txt.no_signature_policy 2023-06-21 09:00:17.720181306 +0200
++++ ./tests/ssl/sslpolicy.txt 2023-06-21 09:00:55.637501208 +0200
+@@ -193,7 +193,9 @@
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow
+ 1 noECC SSL3 d 
disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
+ 0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly
+- 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
++# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
++# compatibility reasons
++# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
diff --git a/nss-3.67-revert-sql-manage-change.patch b/nss-3.67-revert-sql-manage-change.patch
deleted file mode 100644
index 40abcc6..0000000
--- a/nss-3.67-revert-sql-manage-change.patch
+++ /dev/null
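Review bot: In the `signOptList` hunk for `lib/pk11wrap/pk11pars.c`, the `RSA-PKCS`, `RSA-PSS` and `ECDSA` entries now carry `0` where the `DSA` entry keeps `NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE`, and nothing in the C file says why; the only rationale is the comment added to `tests/ssl/sslpolicy.txt`. If that third field is the mask of policy bits a name may change (the consumer is not shown in the hunk, so this is inferred), a policy string such as `disallow=rsa-pkcs` would still parse but restrict nothing, which an administrator hardening a host would not expect. I would add above the three entries `/* flags deliberately 0: rsa-pkcs, rsa-pss and ecdsa policy checking is reverted for binary compatibility, so allow=/disallow= on these names has no effect */`, and a matching one-line comment on the `"OTHER-SIGN"` row, whose last field flips to `PR_TRUE` while the struct that names that field is cut off by the hunk. In the `sslpolicy.txt` hunk, consider keeping the `disallow=rsa-pkcs` row with its first column (presumably the expected result) adjusted rather than commented out, so the suite pins the unenforced behaviour instead of dropping coverage.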
@@ -1,2917 +0,0 @@ -# HG changeset patch -# User Robert Relyea -# Date 1621548343 25200 -# Thu May 20 15:05:43 2021 -0700 -# Node ID da25615e92c86aa6bd376fd86bf110d15999eb3c -# Parent 2300e178c90fe6d3e170cf7d96556fce6d6b48e7 -Bug 1712184 NSS tools manpages need to be updated to reflect that sqlite is the default database. - -This patch does 2 things: - -1) update certutil.xml pk12util.xml modutil.xml and signver.xml to reflect the fact -the the sql database is default. Many of these also has examples of specifying -sql:dirname which is now the default. I did not replace them with dbm:dirname since -we don't want to encourage regressing back. The one exception is in the paragraph -explaining how to get to the old database format. - -2) I ran make in the diretory to update the .1 and .html files generated from the .xml -files. There are a number of old updates to the .xml files which haven't been picked -up in their corresponding html or man page files. This updates are included in this -patch. - -It is really only necessary to review the changes to the .xml files, the rest were -reviewed when their patches were applied. - -bob - -Differential Revision: https://phabricator.services.mozilla.com/D115658 - -diff --git a/doc/certutil.xml b/doc/certutil.xml ---- a/doc/certutil.xml -+++ b/doc/certutil.xml -@@ -203,17 +203,17 @@ If this option is not used, the validity - - Specify the database directory containing the certificate and key database files. - certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). - NSS recognizes the following prefixes: - - sql: requests the newer database - dbm: requests the legacy database - -- If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default. -+ If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. 
If NSS_DEFAULT_DB_TYPE is not set then sql: is the default. - - - - - --dump-ext-val OID - For single cert, print binary DER encoding of extension OID. - - -@@ -843,23 +843,23 @@ Comma separated list of one or more of t - - secmod.db or pkcs11.txt - - - - - These databases must be created before certificates or keys can be generated. - --certutil -N -d [sql:]directory -+certutil -N -d directory - - Creating a Certificate Request - - A certificate request contains most or all of the information that is used to generate the final certificate. This request is submitted separately to a certificate authority and is then approved by some mechanism (automatically or by human review). Once the request is approved, then the certificate is generated. - --$ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname] -d [sql:]directory [-p phone] [-o output-file] [-a] -+$ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname] -d directory [-p phone] [-o output-file] [-a] - - The command options requires four arguments: - - - - - to specify either the key type to generate or, when renewing a certificate, the existing key pair to use - -@@ -881,27 +881,27 @@ Comma separated list of one or more of t - - - - The new certificate request can be output in ASCII format () or can be written to a specified file (). - - - For example: - --$ certutil -R -k rsa -g 1024 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:$HOME/nssdb -p 650-555-0123 -a -o cert.cer -+$ certutil -R -k rsa -g 1024 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d $HOME/nssdb -p 650-555-0123 -a -o cert.cer - - Generating key. This may take a few moments... - - - - Creating a Certificate - - A valid certificate must be issued by a trusted CA. This can be done by specifying a CA certificate () that is stored in the certificate database. 
If a CA key pair is not available, you can create a self-signed certificate using the argument with the command option. - --$ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID] -+$ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID] - - The series of numbers and options set certificate extensions that can be added to the certificate when it is generated by the CA. Interactive prompts will result. - - - For example, this creates a self-signed certificate: - - $ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650 - -@@ -911,55 +911,55 @@ The interative prompts for key usage and - From there, new certificates can reference the self-signed certificate: - - $ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t ",," -1 -5 -6 -8 -m 730 - - Generating a Certificate from a Certificate Request - - When a certificate request is created, a certificate can be generated by using the request and then referencing a certificate authority signing certificate (the issuer specified in the argument). The issuing certificate must be in the certificate database in the specified directory. 
- --certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] -d [sql:]directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] -+certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] -d directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] - - For example: - --$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d sql:$HOME/nssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com -+$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d $HOME/nssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com - - Listing Certificates - - The command option lists all of the certificates listed in the certificate database. The path to the directory () is required. - --$ certutil -L -d sql:/home/my/sharednssdb -+$ certutil -L -d /home/my/sharednssdb - - Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI - - CA Administrator of Instance pki-ca1's Example Domain ID u,u,u - TPS Administrator's Example Domain ID u,u,u - Google Internet Authority ,, - Certificate Authority - Example Domain CT,C,C - - Using additional arguments with can return and print the information for a single, specific certificate. 
For example, the argument passes the certificate name, while the argument prints the certificate in ASCII format: - - --$ certutil -L -d sql:$HOME/nssdb -a -n my-ca-cert -+$ certutil -L -d $HOME/nssdb -a -n my-ca-cert - -----BEGIN CERTIFICATE----- - MIIB1DCCAT2gAwIBAgICDkIwDQYJKoZIhvcNAQEFBQAwFTETMBEGA1UEAxMKRXhh - bXBsZSBDQTAeFw0xMzAzMTMxOTEwMjlaFw0xMzA2MTMxOTEwMjlaMBUxEzARBgNV - BAMTCkV4YW1wbGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ4Kzqvz - JyBVgFqDXRYSyTBNw1DrxUU/3GvWA/ngjAwHEv0Cul/6sO/gsCvnABHiH6unns6x - XRzPORlC2WY3gkk7vmlsLvYpyecNazAi/NAwVnU/66HOsaoVFWE+gBQo99UrN2yk - 0BiK/GMFlLm5dXQROgA9ZKKyFdI0LIXtf6SbAgMBAAGjMzAxMBEGCWCGSAGG+EIB - AQQEAwIHADAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B - AQUFAAOBgQA6chkzkACN281d1jKMrc+RHG2UMaQyxiteaLVZO+Ro1nnRUvseDf09 - XKYFwPMJjWCihVku6bw/ihZfuMHhxK22Nue6inNQ6eDu7WmrqL8z3iUrQwxs+WiF - ob2rb8XRVVJkzXdXxlk4uo3UtNvw8sAz7sWD71qxKaIHU5q49zijfg== - -----END CERTIFICATE----- - - For a human-readable display --$ certutil -L -d sql:$HOME/nssdb -n my-ca-cert -+$ certutil -L -d $HOME/nssdb -n my-ca-cert - Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3650 (0xe42) - Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption - Issuer: "CN=Example CA" - Validity: - Not Before: Wed Mar 13 19:10:29 2013 -@@ -1022,17 +1022,17 @@ Certificate: - - Listing Keys - - Keys are the original material used to encrypt certificate data. The keys generated for certificates are stored separately, in the key database. - - - To list all keys in the database, use the command option and the (required) argument to give the path to the directory. - --$ certutil -K -d sql:$HOME/nssdb -+$ certutil -K -d $HOME/nssdb - certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services " - < 0> rsa 455a6673bde9375c2887ec8bf8016b3f9f35861d Thawte Freemail Member's Thawte Consulting (Pty) Ltd. 
ID - < 1> rsa 40defeeb522ade11090eacebaaf1196a172127df Example Domain Administrator Cert - < 2> rsa 1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5 John Smith user cert - - There are ways to narrow the keys listed in the search results: - - -@@ -1052,111 +1052,111 @@ certutil: Checking token "NSS Certificat - - - - - Listing Security Modules - - The devices that can be used to store certificates -- both internal databases and external devices like smart cards -- are recognized and used by loading security modules. The command option lists all of the security modules listed in the secmod.db database. The path to the directory () is required. - --$ certutil -U -d sql:/home/my/sharednssdb -+$ certutil -U -d /home/my/sharednssdb - - slot: NSS User Private Key and Certificate Services - token: NSS Certificate DB - uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 - - slot: NSS Internal Cryptographic Services - token: NSS Generic Crypto Services - uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 - - Adding Certificates to the Database - - Existing certificates or certificate requests can be added manually to the certificate database, even if they were generated elsewhere. This uses the command option. - --certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-file] -+certutil -A -n certname -t trustargs -d directory [-a] [-i input-file] - - For example: - --$ certutil -A -n "CN=My SSL Certificate" -t ",," -d sql:/home/my/sharednssdb -i /home/example-certs/cert.cer -+$ certutil -A -n "CN=My SSL Certificate" -t ",," -d /home/my/sharednssdb -i /home/example-certs/cert.cer - - A related command option, , is used specifically to add email certificates to the certificate database. The command has the same arguments as the command. 
The trust arguments for certificates have the format SSL,S/MIME,Code-signing, so the middle trust settings relate most to email certificates (though the others can be set). For example: - --$ certutil -E -n "CN=John Smith Email Cert" -t ",P," -d sql:/home/my/sharednssdb -i /home/example-certs/email.cer -+$ certutil -E -n "CN=John Smith Email Cert" -t ",P," -d /home/my/sharednssdb -i /home/example-certs/email.cer - - Deleting Certificates to the Database - - Certificates can be deleted from a database using the option. The only required options are to give the security database directory and to identify the certificate nickname. - --certutil -D -d [sql:]directory -n "nickname" -+certutil -D -d directory -n "nickname" - - For example: - --$ certutil -D -d sql:/home/my/sharednssdb -n "my-ssl-cert" -+$ certutil -D -d /home/my/sharednssdb -n "my-ssl-cert" - - Validating Certificates - - A certificate contains an expiration date in itself, and expired certificates are easily rejected. However, certificates can also be revoked before they hit their expiration date. Checking whether a certificate has been revoked requires validating the certificate. Validation can also be used to ensure that the certificate is only used for the purposes it was initially issued for. Validation is carried out by the command option. - --certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d [sql:]directory -+certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d directory - - For example, to validate an email certificate: - --$ certutil -V -n "John Smith's Email Cert" -e -u S,R -d sql:/home/my/sharednssdb -+$ certutil -V -n "John Smith's Email Cert" -e -u S,R -d /home/my/sharednssdb - - Modifying Certificate Trust Settings - - The trust settings (which relate to the operations that a certificate is allowed to be used for) can be changed after a certificate is created or added to the database. 
This is especially useful for CA certificates, but it can be performed for any type of certificate. - --certutil -M -n certificate-name -t trust-args -d [sql:]directory -+certutil -M -n certificate-name -t trust-args -d directory - - For example: - --$ certutil -M -n "My CA Certificate" -d sql:/home/my/sharednssdb -t "CT,CT,CT" -+$ certutil -M -n "My CA Certificate" -d /home/my/sharednssdb -t "CT,CT,CT" - - Printing the Certificate Chain - - Certificates can be issued in chains because every certificate authority itself has a certificate; when a CA issues a certificate, it essentially stamps that certificate with its own fingerprint. The prints the full chain of a certificate, going from the initial CA (the root CA) through ever intermediary CA to the actual certificate. For example, for an email certificate with two CAs in the chain: - --$ certutil -d sql:/home/my/sharednssdb -O -n "jsmith@example.com" -+$ certutil -d /home/my/sharednssdb -O -n "jsmith@example.com" - "Builtin Object Token:Thawte Personal Freemail CA" [E=personal-freemail@thawte.com,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA] - - "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA] - - "(null)" [E=jsmith@example.com,CN=Thawte Freemail Member] - - Resetting a Token - - The device which stores certificates -- both external hardware devices and internal software databases -- can be blanked and reused. This operation is performed on the device which stores the data, not directly on the security databases, so the location must be referenced through the token name () as well as any directory path. If there is no external token used, the default value is internal. 
- --certutil -T -d [sql:]directory -h token-name -0 security-officer-password -+certutil -T -d directory -h token-name -0 security-officer-password - - Many networks have dedicated personnel who handle changes to security tokens (the security officer). This person must supply the password to access the specified token. For example: - --$ certutil -T -d sql:/home/my/sharednssdb -h nethsm -0 secret -+$ certutil -T -d /home/my/sharednssdb -h nethsm -0 secret - - Upgrading or Merging the Security Databases - - Many networks or applications may be using older BerkeleyDB versions of the certificate database (cert8.db). Databases can be upgraded to the new SQLite version of the database (cert9.db) using the command option or existing databases can be merged with the new cert9.db databases using the command. - - - The command must give information about the original database and then use the standard arguments (like ) to give the information about the new databases. The command also requires information that the tool uses for the process to upgrade and write over the original database. - --certutil --upgrade-merge -d [sql:]directory [-P dbprefix] --source-dir directory --source-prefix dbprefix --upgrade-id id --upgrade-token-name name [-@ password-file] -+certutil --upgrade-merge -d directory [-P dbprefix] --source-dir directory --source-prefix dbprefix --upgrade-id id --upgrade-token-name name [-@ password-file] - - For example: - --$ certutil --upgrade-merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token-name internal -+$ certutil --upgrade-merge -d /home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token-name internal - - The command only requires information about the location of the original database; since it doesn't change the format of the database, it can write over information without performing interim step. 
- --certutil --merge -d [sql:]directory [-P dbprefix] --source-dir directory --source-prefix dbprefix [-@ password-file] -+certutil --merge -d directory [-P dbprefix] --source-dir directory --source-prefix dbprefix [-@ password-file] - - For example: - --$ certutil --merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- -+$ certutil --merge -d /home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- - - Running certutil Commands from a Batch File - - A series of commands can be run sequentially from a text file with the command option. The only argument for this specifies the input file. - - $ certutil -B -i /path/to/batch-file - - -@@ -1202,27 +1202,26 @@ BerkeleyDB. These new databases provide - - pkcs11.txt, a listing of all of the PKCS #11 modules, contained in a new subdirectory in the security databases directory - - - - - Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility. - --By default, the tools (certutil, pk12util, modutil) assume that the given security databases follow the more common legacy type. --Using the SQLite databases must be manually specified by using the sql: prefix with the given security directory. For example: -+By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type. -+Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. 
For example: - --$ certutil -L -d sql:/home/my/sharednssdb -+$ certutil -L -d dbm:/home/my/sharednssdb - --To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql: --export NSS_DEFAULT_DB_TYPE="sql" -+To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm: -+export NSS_DEFAULT_DB_TYPE="dbm" - - This line can be set added to the ~/.bashrc file to make the change permanent. - --Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases: - - - - https://wiki.mozilla.org/NSS_Shared_DB_Howto - - - For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki: - -diff --git a/doc/html/certutil.html b/doc/html/certutil.html ---- a/doc/html/certutil.html -+++ b/doc/html/certutil.html -@@ -1,21 +1,21 @@ --CERTUTIL

Name

certutil — Manage keys and certificate in both NSS databases and other NSS tokens

Synopsis

certutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -+CERTUTIL

Name

certutil — Manage keys and certificate in both NSS databases and other NSS tokens

Synopsis

certutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -

Description

The Certificate Database Tool, certutil, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.

Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the modutil manpage.

Command Options and Arguments

Running certutil always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option -H will list all the command options and their relevant arguments.

Command Options

-A

Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.

-B

Run a series of commands from the specified batch file. This requires the -i argument.

-C

Create a new binary certificate file from a binary certificate request file. Use the -i argument to specify the certificate request file. If this argument is not used, certutil prompts for a filename.

-D

Delete a certificate from the certificate database.

--rename

Change the database nickname of a certificate.

-E

Add an email certificate to the certificate database.

-F

Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument or the -k argument. Specify the database from which to delete the key with the - -d argument. -

- Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair.

-G

Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.

-H

Display a list of the command options and arguments.

-K

List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).

-L

List all the certificates, or display information about a named certificate, in a certificate database. - Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.

-M

Modify a certificate's trust attributes using the values of the -t argument.

-N

Create new certificate and key databases.

-O

Print the certificate chain.

-R

Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument. - - Use the -a argument to specify ASCII output.

-S

Create an individual certificate and add it to a certificate database.

-T

Reset the key database or token.

-U

List all available modules or print a single named module.

-V

Check the validity of a certificate and its attributes.

-W

Change the password to a key database.

--merge

Merge two databases into one.

--upgrade-merge

Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (cert8.db and key3.db) into the newer SQLite databases (cert9.db and key4.db).

Arguments

Arguments modify a command option and are usually lower case, numbers, or symbols.

-a

Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113. --For certificate requests, ASCII output defaults to standard output unless redirected.

-b validity-time

Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the -V option. The format of the validity-time argument is YYMMDDHHMMSS[+HHMM|-HHMM|Z], which allows offsets to be set relative to the validity end time. Specifying seconds (SS) is optional. When specifying an explicit time, use a Z at the end of the term, YYMMDDHHMMSSZ, to close it. When specifying an offset time, use YYMMDDHHMMSS+HHMM or YYMMDDHHMMSS-HHMM for adding or subtracting time, respectively. -+For certificate requests, ASCII output defaults to standard output unless redirected.

--simple-self-signed

When printing the certificate chain, don't search for a chain if issuer name equals to subject name.

-b validity-time

Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the -V option. The format of the validity-time argument is YYMMDDHHMMSS[+HHMM|-HHMM|Z], which allows offsets to be set relative to the validity end time. Specifying seconds (SS) is optional. When specifying an explicit time, use a Z at the end of the term, YYMMDDHHMMSSZ, to close it. When specifying an offset time, use YYMMDDHHMMSS+HHMM or YYMMDDHHMMSS-HHMM for adding or subtracting time, respectively. -

- If this option is not used, the validity check defaults to the current system time.

-c issuer

Identify the certificate of the CA from which a new certificate will derive its authenticity. - Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string -- with quotation marks if it contains spaces.

-d [prefix]directory

Specify the database directory containing the certificate and key database files.

certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt).

NSS recognizes the following prefixes:

  • sql: requests the newer database

  • dbm: requests the legacy database

If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.

--dump-ext-val OID

For single cert, print binary DER encoding of extension OID.

-e

Check a certificate's signature during the process of validating a certificate.

--email email-address

Specify the email address of a certificate to list. Used with the -L command option.

--extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]...

-+ with quotation marks if it contains spaces.

-d [prefix]directory

Specify the database directory containing the certificate and key database files.

certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt).

NSS recognizes the following prefixes:

  • sql: requests the newer database

  • dbm: requests the legacy database

If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then sql: is the default.

--dump-ext-val OID

For single cert, print binary DER encoding of extension OID.

-e

Check a certificate's signature during the process of validating a certificate.

--email email-address

Specify the email address of a certificate to list. Used with the -L command option.

--extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]...

- Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files. -

  • OID (example): 1.2.3.4

  • critical-flag: critical or not-critical

  • filename: full path to a file containing an encoded extension

-f password-file

Specify a file that will automatically supply the password to include in a certificate - or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent - unauthorized access to this file.

-g keysize

Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 2048 bits. Any size between the minimum and maximum is allowed.

-h tokenname

Specify the name of a token to use or act on. If not specified the default token is the internal database slot.

The name can also be a PKCS #11 URI. For example, the NSS internal certificate store can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB". For details about the format, see RFC 7512.

-i input_file

Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.

-k key-type-or-id

Specify the type or specific ID of a key.

- The valid key type options are rsa, dsa, ec, or all. The default - value is rsa. Specifying the type of key can avoid mistakes caused by - duplicate nicknames. Giving a key type generates a new key pair; - giving the ID of an existing key reuses that key pair (which is -@@ -50,17 +50,17 @@ of the attribute codes: -

  • - C - Trusted CA (implies c) -

  • - T - trusted CA for client authentication (ssl server only) -

  • - The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example: -

    -t "TC,C,T"

    - Use the -L option to see a list of the current certificates and trust attributes in a certificate database.

    -- Note that the output of the -L option may include "u" flag, which means that there is a private key associated with the certificate. It is a dynamic flag and you cannot set it with certutil.

    -u certusage

    Specify a usage context to apply when validating a certificate with the -V option.

    The contexts are the following:

    • C (as an SSL client)

    • V (as an SSL server)

    • L (as an SSL CA)

    • A (as Any CA)

    • Y (Verify CA)

    • S (as an email signer)

    • R (as an email recipient)

    • O (as an OCSP status responder)

    • J (as an object signer)

    -v valid-months

    Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the -w option. If this argument is not used, the default validity period is three months.

    -w offset-months

    Set an offset from the current system time, in months, -+ Note that the output of the -L option may include "u" flag, which means that there is a private key associated with the certificate. It is a dynamic flag and you cannot set it with certutil.

    -u certusage

    Specify a usage context to apply when validating a certificate with the -V option.

    The contexts are the following:

    • C (as an SSL client)

    • V (as an SSL server)

    • L (as an SSL CA)

    • A (as Any CA)

    • Y (Verify CA)

    • S (as an email signer)

    • R (as an email recipient)

    • O (as an OCSP status responder)

    • J (as an object signer)

    • I (as an IPSEC user)

    -v valid-months

    Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the -w option. If this argument is not used, the default validity period is three months.

    -w offset-months

    Set an offset from the current system time, in months, - for the beginning of a certificate's validity period. Use when creating - the certificate or adding it to a database. Express the offset in integers, - using a minus sign (-) to indicate a negative offset. If this argument is - not used, the validity period begins at the current system time. The length - of the validity period is set with the -v argument.

    -X

    Force the key and certificate database to open in read-write mode. This is used with the -U and -L command options.

    -x

    Use certutil to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.

    -y exp

    Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.

    --pss

    Restrict the generated certificate (with the -S option) or certificate request (with the -R option) to be used with the RSA-PSS signature scheme. This only works when the private key of the certificate or certificate request is RSA.

    --pss-sign

    Sign the generated certificate with the RSA-PSS signature scheme (with the -C or -S option). This only works when the private key of the signer's certificate is RSA. If the signer's certificate is restricted to RSA-PSS, it is not necessary to specify this option.

    -z noise-file

    Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.

    -Z hashAlg

    Specify the hash algorithm to use with the -C, -S or -R command options. Possible keywords:

    • MD2

    • MD4

    • MD5

    • SHA1

    • SHA224

    • SHA256

    • SHA384

    • SHA512

    -0 SSO_password

    Set a site security officer password on a token.

    -1 | --keyUsage keyword,keyword

    Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:

    • - digitalSignature -

    • - nonRepudiation -@@ -105,16 +105,30 @@ of the attribute codes: -

    • - ocspResponder -

    • - stepUp -

    • - msTrustListSign -

    • - critical -+

    • -+ x509Any -+

    • -+ ipsecIKE -+

    • -+ ipsecIKEEnd -+

    • -+ ipsecIKEIntermediate -+

    • -+ ipsecEnd -+

    • -+ ipsecTunnel -+

    • -+ ipsecUser -

    X.509 certificate extensions are described in RFC 5280.

    -7 emailAddrs

    Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.

    -8 dns-names

    Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.

    --extAIA

    Add the Authority Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.

    --extSIA

    Add the Subject Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.

    --extCP

    Add the Certificate Policies extension to the certificate. X.509 certificate extensions are described in RFC 5280.

    --extPM

    Add the Policy Mappings extension to the certificate. X.509 certificate extensions are described in RFC 5280.

    --extPC

    Add the Policy Constraints extension to the certificate. X.509 certificate extensions are described in RFC 5280.

    --extIA

    Add the Inhibit Any Policy Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.

    --extSKID

    Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280.

    --extNC

    Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280.

    --extSAN type:name[,type:name]...

    - Create a Subject Alt Name extension with one or multiple names. -

    - -type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, registerid, rfc822, uri, x400, x400addr -

    --empty-password

    Use empty password when creating new certificate database with -N.

    --keyAttrFlags attrflags

    - PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}

    --keyOpFlagsOn opflags, --keyOpFlagsOff opflags

    - PKCS #11 key Operation Flags. - Comma separated list of one or more of the following: -@@ -126,77 +140,77 @@ Comma separated list of one or more of t -

    • - cert8.db or cert9.db -

    • - key3.db or key4.db -

    • - secmod.db or pkcs11.txt -

    - These databases must be created before certificates or keys can be generated. --

    certutil -N -d [sql:]directory

    Creating a Certificate Request

    -+

    certutil -N -d directory

    Creating a Certificate Request

    - A certificate request contains most or all of the information that is used to generate the final certificate. This request is submitted separately to a certificate authority and is then approved by some mechanism (automatically or by human review). Once the request is approved, then the certificate is generated. --

    $ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname] -d [sql:]directory [-p phone] [-o output-file] [-a]

    -+

    $ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname] -d directory [-p phone] [-o output-file] [-a]

    - The -R command options requires four arguments: -

    • - -k to specify either the key type to generate or, when renewing a certificate, the existing key pair to use -

    • - -g to set the keysize of the key to generate -

    • - -s to set the subject name of the certificate -

    • - -d to give the security database directory -

    - The new certificate request can be output in ASCII format (-a) or can be written to a specified file (-o). -

    - For example: --

    $ certutil -R -k rsa -g 1024 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:$HOME/nssdb -p 650-555-0123 -a -o cert.cer
    -+	

    $ certutil -R -k rsa -g 1024 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d $HOME/nssdb -p 650-555-0123 -a -o cert.cer
    - 
    - Generating key.  This may take a few moments...
    - 
    - 

    Creating a Certificate

    - A valid certificate must be issued by a trusted CA. This can be done by specifying a CA certificate (-c) that is stored in the certificate database. If a CA key pair is not available, you can create a self-signed certificate using the -x argument with the -S command option. --

    $ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID]

    -+

    $ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID]

    - The series of numbers and --ext* options set certificate extensions that can be added to the certificate when it is generated by the CA. Interactive prompts will result. -

    - For example, this creates a self-signed certificate: -

    $ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650

    - The interative prompts for key usage and whether any extensions are critical and responses have been ommitted for brevity. -

    - From there, new certificates can reference the self-signed certificate: -

    $ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t ",," -1 -5 -6 -8 -m 730

    Generating a Certificate from a Certificate Request

    - When a certificate request is created, a certificate can be generated by using the request and then referencing a certificate authority signing certificate (the issuer specified in the -c argument). The issuing certificate must be in the certificate database in the specified directory. --

    certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] -d [sql:]directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names]

    -+

    certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] -d directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names]

    - For example: --

    $ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d sql:$HOME/nssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com

    Listing Certificates

    -+

    $ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d $HOME/nssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com

    Listing Certificates

    - The -L command option lists all of the certificates listed in the certificate database. The path to the directory (-d) is required. --

    $ certutil -L -d sql:/home/my/sharednssdb
    -+	

    $ certutil -L -d /home/my/sharednssdb
    - 
    - Certificate Nickname                                         Trust Attributes
    -                                                              SSL,S/MIME,JAR/XPI
    - 
    - CA Administrator of Instance pki-ca1's Example Domain ID     u,u,u
    - TPS Administrator's Example Domain ID                        u,u,u
    - Google Internet Authority                                    ,,   
    - Certificate Authority - Example Domain                       CT,C,C

    - Using additional arguments with -L can return and print the information for a single, specific certificate. For example, the -n argument passes the certificate name, while the -a argument prints the certificate in ASCII format: -

    --$ certutil -L -d sql:$HOME/nssdb -a -n my-ca-cert
    -+$ certutil -L -d $HOME/nssdb -a -n my-ca-cert
    - -----BEGIN CERTIFICATE-----
    - MIIB1DCCAT2gAwIBAgICDkIwDQYJKoZIhvcNAQEFBQAwFTETMBEGA1UEAxMKRXhh
    - bXBsZSBDQTAeFw0xMzAzMTMxOTEwMjlaFw0xMzA2MTMxOTEwMjlaMBUxEzARBgNV
    - BAMTCkV4YW1wbGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ4Kzqvz
    - JyBVgFqDXRYSyTBNw1DrxUU/3GvWA/ngjAwHEv0Cul/6sO/gsCvnABHiH6unns6x
    - XRzPORlC2WY3gkk7vmlsLvYpyecNazAi/NAwVnU/66HOsaoVFWE+gBQo99UrN2yk
    - 0BiK/GMFlLm5dXQROgA9ZKKyFdI0LIXtf6SbAgMBAAGjMzAxMBEGCWCGSAGG+EIB
    - AQQEAwIHADAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B
    - AQUFAAOBgQA6chkzkACN281d1jKMrc+RHG2UMaQyxiteaLVZO+Ro1nnRUvseDf09
    - XKYFwPMJjWCihVku6bw/ihZfuMHhxK22Nue6inNQ6eDu7WmrqL8z3iUrQwxs+WiF
    - ob2rb8XRVVJkzXdXxlk4uo3UtNvw8sAz7sWD71qxKaIHU5q49zijfg==
    - -----END CERTIFICATE-----
    --

    For a human-readable display

    $ certutil -L -d sql:$HOME/nssdb -n my-ca-cert
    -+

    For a human-readable display

    $ certutil -L -d $HOME/nssdb -n my-ca-cert
    - Certificate:
    -     Data:
    -         Version: 3 (0x2)
    -         Serial Number: 3650 (0xe42)
    -         Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    -         Issuer: "CN=Example CA"
    -         Validity:
    -             Not Before: Wed Mar 13 19:10:29 2013
    -@@ -254,78 +268,78 @@ Certificate:
    -             Valid CA
    -             Trusted CA
    -             User
    - 
    - 

    Listing Keys

    - Keys are the original material used to encrypt certificate data. The keys generated for certificates are stored separately, in the key database. -

    - To list all keys in the database, use the -K command option and the (required) -d argument to give the path to the directory. --

    $ certutil -K -d sql:$HOME/nssdb
    -+	

    $ certutil -K -d $HOME/nssdb
    - certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services                  "
    - < 0> rsa      455a6673bde9375c2887ec8bf8016b3f9f35861d   Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
    - < 1> rsa      40defeeb522ade11090eacebaaf1196a172127df   Example Domain Administrator Cert
    - < 2> rsa      1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5   John Smith user cert

    - There are ways to narrow the keys listed in the search results: -

    • - To return a specific key, use the -n name argument with the name of the key. -

    • - If there are multiple security devices loaded, then the -h tokenname argument can search a specific token or all tokens. -

    • - If there are multiple key types available, then the -k key-type argument can search a specific type of key, like RSA, DSA, or ECC. -

    Listing Security Modules

    - The devices that can be used to store certificates -- both internal databases and external devices like smart cards -- are recognized and used by loading security modules. The -U command option lists all of the security modules listed in the secmod.db database. The path to the directory (-d) is required. --

    $ certutil -U -d sql:/home/my/sharednssdb
    -+	

    $ certutil -U -d /home/my/sharednssdb
    - 
    -     slot: NSS User Private Key and Certificate Services                  
    -    token: NSS Certificate DB
    -      uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
    - 
    -     slot: NSS Internal Cryptographic Services                            
    -    token: NSS Generic Crypto Services
    -      uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

    Adding Certificates to the Database

    - Existing certificates or certificate requests can be added manually to the certificate database, even if they were generated elsewhere. This uses the -A command option. --

    certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-file]

    -+

    certutil -A -n certname -t trustargs -d directory [-a] [-i input-file]

    - For example: --

    $ certutil -A -n "CN=My SSL Certificate" -t ",," -d sql:/home/my/sharednssdb -i /home/example-certs/cert.cer

    -+

    $ certutil -A -n "CN=My SSL Certificate" -t ",," -d /home/my/sharednssdb -i /home/example-certs/cert.cer

    - A related command option, -E, is used specifically to add email certificates to the certificate database. The -E command has the same arguments as the -A command. The trust arguments for certificates have the format SSL,S/MIME,Code-signing, so the middle trust settings relate most to email certificates (though the others can be set). For example: --

    $ certutil -E -n "CN=John Smith Email Cert" -t ",P," -d sql:/home/my/sharednssdb -i /home/example-certs/email.cer

    Deleting Certificates to the Database

    -+

    $ certutil -E -n "CN=John Smith Email Cert" -t ",P," -d /home/my/sharednssdb -i /home/example-certs/email.cer

    Deleting Certificates to the Database

    - Certificates can be deleted from a database using the -D option. The only required options are to give the security database directory and to identify the certificate nickname. --

    certutil -D -d [sql:]directory -n "nickname"

    -+

    certutil -D -d directory -n "nickname"

    - For example: --

    $ certutil -D -d sql:/home/my/sharednssdb -n "my-ssl-cert"

    Validating Certificates

    -+

    $ certutil -D -d /home/my/sharednssdb -n "my-ssl-cert"

    Validating Certificates

    - A certificate contains an expiration date in itself, and expired certificates are easily rejected. However, certificates can also be revoked before they hit their expiration date. Checking whether a certificate has been revoked requires validating the certificate. Validation can also be used to ensure that the certificate is only used for the purposes it was initially issued for. Validation is carried out by the -V command option. --

    certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d [sql:]directory

    -+

    certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d directory

    - For example, to validate an email certificate: --

    $ certutil -V -n "John Smith's Email Cert" -e -u S,R -d sql:/home/my/sharednssdb

    Modifying Certificate Trust Settings

    -+

    $ certutil -V -n "John Smith's Email Cert" -e -u S,R -d /home/my/sharednssdb

    Modifying Certificate Trust Settings

    - The trust settings (which relate to the operations that a certificate is allowed to be used for) can be changed after a certificate is created or added to the database. This is especially useful for CA certificates, but it can be performed for any type of certificate. --

    certutil -M -n certificate-name -t trust-args -d [sql:]directory

    -+

    certutil -M -n certificate-name -t trust-args -d directory

    - For example: --

    $ certutil -M -n "My CA Certificate" -d sql:/home/my/sharednssdb -t "CT,CT,CT"

    Printing the Certificate Chain

    -+

    $ certutil -M -n "My CA Certificate" -d /home/my/sharednssdb -t "CT,CT,CT"

    Printing the Certificate Chain

    - Certificates can be issued in chains because every certificate authority itself has a certificate; when a CA issues a certificate, it essentially stamps that certificate with its own fingerprint. The -O prints the full chain of a certificate, going from the initial CA (the root CA) through ever intermediary CA to the actual certificate. For example, for an email certificate with two CAs in the chain: --

    $ certutil -d sql:/home/my/sharednssdb -O -n "jsmith@example.com"
    -+	

    $ certutil -d /home/my/sharednssdb -O -n "jsmith@example.com"
    - "Builtin Object Token:Thawte Personal Freemail CA" [E=personal-freemail@thawte.com,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA]
    - 
    -   "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA]
    - 
    -     "(null)" [E=jsmith@example.com,CN=Thawte Freemail Member]

    Resetting a Token

    - The device which stores certificates -- both external hardware devices and internal software databases -- can be blanked and reused. This operation is performed on the device which stores the data, not directly on the security databases, so the location must be referenced through the token name (-h) as well as any directory path. If there is no external token used, the default value is internal. --

    certutil -T -d [sql:]directory -h token-name -0 security-officer-password

    -+

    certutil -T -d directory -h token-name -0 security-officer-password

    - Many networks have dedicated personnel who handle changes to security tokens (the security officer). This person must supply the password to access the specified token. For example: --

    $ certutil -T -d sql:/home/my/sharednssdb -h nethsm -0 secret

    Upgrading or Merging the Security Databases

    -+

    $ certutil -T -d /home/my/sharednssdb -h nethsm -0 secret

    Upgrading or Merging the Security Databases

    - Many networks or applications may be using older BerkeleyDB versions of the certificate database (cert8.db). Databases can be upgraded to the new SQLite version of the database (cert9.db) using the --upgrade-merge command option or existing databases can be merged with the new cert9.db databases using the ---merge command. -

    - The --upgrade-merge command must give information about the original database and then use the standard arguments (like -d) to give the information about the new databases. The command also requires information that the tool uses for the process to upgrade and write over the original database. --

    certutil --upgrade-merge -d [sql:]directory [-P dbprefix] --source-dir directory --source-prefix dbprefix --upgrade-id id --upgrade-token-name name [-@ password-file]

    -+

    certutil --upgrade-merge -d directory [-P dbprefix] --source-dir directory --source-prefix dbprefix --upgrade-id id --upgrade-token-name name [-@ password-file]

    - For example: --

    $ certutil --upgrade-merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token-name internal

    -+

    $ certutil --upgrade-merge -d /home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token-name internal

    - The --merge command only requires information about the location of the original database; since it doesn't change the format of the database, it can write over information without performing interim step. --

    certutil --merge -d [sql:]directory [-P dbprefix] --source-dir directory --source-prefix dbprefix [-@ password-file]

    -+

    certutil --merge -d directory [-P dbprefix] --source-dir directory --source-prefix dbprefix [-@ password-file]

    - For example: --

    $ certutil --merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp-

    Running certutil Commands from a Batch File

    -+

    $ certutil --merge -d /home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp-

    Running certutil Commands from a Batch File

    - A series of commands can be run sequentially from a text file with the -B command option. The only argument for this specifies the input file. -

    $ certutil -B -i /path/to/batch-file

    NSS Database Types

    NSS originally used BerkeleyDB databases to store security information. - The last versions of these legacy databases are:

    • - cert8.db for certificates -

    • - key3.db for keys -

    • - secmod.db for PKCS #11 module information -@@ -333,18 +347,18 @@ The last versions of these

      • - cert9.db for certificates -

      • - key4.db for keys -

      • - pkcs11.txt, a listing of all of the PKCS #11 modules, contained in a new subdirectory in the security databases directory --

    Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.

    By default, the tools (certutil, pk12util, modutil) assume that the given security databases follow the more common legacy type. --Using the SQLite databases must be manually specified by using the sql: prefix with the given security directory. For example:

    $ certutil -L -d sql:/home/my/sharednssdb

    To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql:

    export NSS_DEFAULT_DB_TYPE="sql"

    This line can be set added to the ~/.bashrc file to make the change permanent.

    Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:

    • -+

    Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.

    By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type. -+Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example:

    $ certutil -L -d dbm:/home/my/sharednssdb

    To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm:

    export NSS_DEFAULT_DB_TYPE="dbm"

    This line can be set added to the ~/.bashrc file to make the change permanent.

    • - https://wiki.mozilla.org/NSS_Shared_DB_Howto

    For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:

    • - https://wiki.mozilla.org/NSS_Shared_DB -

    See Also

    pk12util (1)

    modutil (1)

    certutil has arguments or operations that use features defined in several IETF RFCs.

    • - http://tools.ietf.org/html/rfc5280 -

    • - http://tools.ietf.org/html/rfc1113 -

    • - http://tools.ietf.org/html/rfc1485
-diff --git a/doc/html/derdump.html b/doc/html/derdump.html
---- a/doc/html/derdump.html
-+++ b/doc/html/derdump.html
-@@ -1,7 +1,5 @@
--DERDUMP

      Name

      derdump — Dumps C-sequence strings from a DER encoded certificate file

      Synopsis

      derdump [-r] [-i input-file] [-o output-file]

      STATUS

      This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 --

      Description

      derdump dumps C-sequence strings from a DER encode certificate file

      Options

      -r
      For formatted items, dump raw bytes as well
      -i DER encoded file
      Define an input file to use (default is stdin)
      -o output file
      Define an output file to use (default is stdout).

      Additional Resources

      NSS is maintained in conjunction with PKI and security-related projects through Mozilla dn Fedora. The most closely-related project is Dogtag PKI, with a project wiki at PKI Wiki.

      For information specifically about NSS, the NSS project wiki is located at Mozilla NSS site. The NSS site relates directly to NSS code changes and releases.

      Mailing lists: pki-devel@redhat.com and pki-users@redhat.com

      IRC: Freenode at #dogtag-pki

      Authors

      The NSS tools were written and maintained by developers with Netscape and now with Red Hat.

      -+DERDUMP

      Name

      derdump — Dumps C-sequence strings from a DER encoded certificate file

      Synopsis

      derdump [-r] [-i input-file] [-o output-file]

      STATUS

      This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -+

      Description

      derdump dumps C-sequence strings from a DER encode certificate file

      Options

      -r
      For formatted items, dump raw bytes as well
      -i DER encoded file
      Define an input file to use (default is stdin)
      -o output file
      Define an output file to use (default is stdout).

      Additional Resources

      NSS is maintained in conjunction with PKI and security-related projects through Mozilla dn Fedora. The most closely-related project is Dogtag PKI, with a project wiki at PKI Wiki.

      For information specifically about NSS, the NSS project wiki is located at Mozilla NSS site. The NSS site relates directly to NSS code changes and releases.

      Mailing lists: pki-devel@redhat.com and pki-users@redhat.com

      IRC: Freenode at #dogtag-pki

      Authors

      The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

      - Authors: Gerhardus Geldenhuis <gerhardus.geldenhuis@gmail.com>. Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com> --

      LICENSE

      Licensed under the Mozilla Public License, version 1.1, -- and/or the GNU General Public License, version 2 or later, -- and/or the GNU Lesser General Public License, version 2.1 or later. -+

      LICENSE

      Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. -

      -diff --git a/doc/html/modutil.html b/doc/html/modutil.html
---- a/doc/html/modutil.html
-+++ b/doc/html/modutil.html
-@@ -1,13 +1,13 @@
--MODUTIL

      Name

      modutil — Manage PKCS #11 module information within the security module database.

      Synopsis

      modutil [options] [[arguments]]

      STATUS

      This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -+MODUTIL

      Name

      modutil — Manage PKCS #11 module information within the security module database.

      Synopsis

      modutil [options] [[arguments]]

      STATUS

      This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -

      Description

      The Security Module Database Tool, modutil, is a command-line utility for managing PKCS #11 module information both within secmod.db files and within hardware tokens. modutil can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.

      The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.

      Options

      - Running modutil always requires one (and only one) option to specify the type of module operation. Each option may take arguments, anywhere from none to multiple arguments. --

      Options

      -add modulename

      Add the named PKCS #11 module to the database. Use this option with the -libfile, -ciphers, and -mechanisms arguments.

      -changepw tokenname

      Change the password on the named token. If the token has not been initialized, this option initializes the password. Use this option with the -pwfile and -newpwfile arguments. A password is equivalent to a personal identification number (PIN).

      -chkfips

      Verify whether the module is in the given FIPS mode. true means to verify that the module is in FIPS mode, while false means to verify that the module is not in FIPS mode.

      -create

      Create new certificate, key, and module databases. Use the -dbdir directory argument to specify a directory. If any of these databases already exist in a specified directory, modutil returns an error message.

      -default modulename

      Specify the security mechanisms for which the named module will be a default provider. The security mechanisms are specified with the -mechanisms argument.

      -delete modulename

      Delete the named module. The default NSS PKCS #11 module cannot be deleted.

      -disable modulename

      Disable all slots on the named module. Use the -slot argument to disable a specific slot.

      The internal NSS PKCS #11 module cannot be disabled.

      -enable modulename

      Enable all slots on the named module. Use the -slot argument to enable a specific slot.

      -fips [true | false]

      Enable (true) or disable (false) FIPS 140-2 compliance for the default NSS module.

      -force

      Disable modutil's interactive prompts so it can be run from a script. Use this option only after manually testing each planned operation to check for warnings and to ensure that bypassing the prompts will cause no security lapses or loss of database integrity.

      -jar JAR-file

      Add a new PKCS #11 module to the database using the named JAR file. Use this command with the -installdir and -tempdir arguments. The JAR file uses the NSS PKCS #11 JAR format to identify all the files to be installed, the module's name, the mechanism flags, and the cipher flags, as well as any files to be installed on the target machine, including the PKCS #11 module library file and other files such as documentation. This is covered in the JAR installation file section in the man page, which details the special script needed to perform an installation through a server or with modutil.

      -list [modulename]

      Display basic information about the contents of the secmod.db file. Specifying a modulename displays detailed information about a particular module and its slots and tokens.

      -rawadd

      Add the module spec string to the secmod.db database.

      -rawlist

      Display the module specs for a specified module or for all loadable modules.

      -undefault modulename

      Specify the security mechanisms for which the named module will not be a default provider. The security mechanisms are specified with the -mechanisms argument.

      Arguments

      MODULE

      Give the security module to access.

      MODULESPEC

      Give the security module spec to load into the security database.

      -ciphers cipher-enable-list

      Enable specific ciphers in a module that is being added to the database. The cipher-enable-list is a colon-delimited list of cipher names. Enclose this list in quotation marks if it contains spaces.

      -dbdir [sql:]directory

      Specify the database directory in which to access or create security module database files.

      modutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format.

      --dbprefix prefix

      Specify the prefix used on the database files, such as my_ for my_cert8.db. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.

      -installdir root-installation-directory

      Specify the root installation directory relative to which files will be installed by the -jar option. This directory should be one below which it is appropriate to store dynamic library files, such as a server's root directory.

      -libfile library-file

      Specify a path to a library file containing the implementation of the PKCS #11 interface module that is being added to the database.

      -mechanisms mechanism-list

      Specify the security mechanisms for which a particular module will be flagged as a default provider. The mechanism-list is a colon-delimited list of mechanism names. Enclose this list in quotation marks if it contains spaces.

      The module becomes a default provider for the listed mechanisms when those mechanisms are enabled. If more than one module claims to be a particular mechanism's default provider, that mechanism's default provider is undefined.

      modutil supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES, DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for random number generation), and FRIENDLY (meaning certificates are publicly readable).

      -newpwfile new-password-file

      Specify a text file containing a token's new or replacement password so that a password can be entered automatically with the -changepw option.

      -nocertdb

      Do not open the certificate or key databases. This has several effects:

      • With the -create command, only a module security file is created; certificate and key databases are not created.

      • With the -jar command, signatures on the JAR file are not checked.

      • With the -changepw command, the password on the NSS internal module cannot be set or changed, since this password is stored in the key database.

      -pwfile old-password-file

      Specify a text file containing a token's existing password so that a password can be entered automatically when the -changepw option is used to change passwords.

      -secmod secmodname

      Give the name of the security module database (like secmod.db) to load.

      -slot slotname

      Specify a particular slot to be enabled or disabled with the -enable or -disable options.

      -string CONFIG_STRING

      Pass a configuration string for the module being added to the database.

      -tempdir temporary-directory

      Give a directory location where temporary files are created during the installation by the -jar option. If no temporary directory is specified, the current directory is used.

      Usage and Examples

      Creating Database Files

      Before any operations can be performed, there must be a set of security databases available. modutil can be used to create these files. The only required argument is the database that where the databases will be located.

      modutil -create -dbdir [sql:]directory

      Adding a Cryptographic Module

      Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms. This can be done by supplying all of the information through modutil directly or by running a JAR file and install script. For the most basic case, simply upload the library:

      modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list] 

      For example: --

      modutil -dbdir sql:/home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM 
      -+	

      Options

      -add modulename

      Add the named PKCS #11 module to the database. Use this option with the -libfile, -ciphers, and -mechanisms arguments.

      -changepw tokenname

      Change the password on the named token. If the token has not been initialized, this option initializes the password. Use this option with the -pwfile and -newpwfile arguments. A password is equivalent to a personal identification number (PIN).

      -chkfips

      Verify whether the module is in the given FIPS mode. true means to verify that the module is in FIPS mode, while false means to verify that the module is not in FIPS mode.

      -create

      Create new certificate, key, and module databases. Use the -dbdir directory argument to specify a directory. If any of these databases already exist in a specified directory, modutil returns an error message.

      -default modulename

      Specify the security mechanisms for which the named module will be a default provider. The security mechanisms are specified with the -mechanisms argument.

      -delete modulename

      Delete the named module. The default NSS PKCS #11 module cannot be deleted.

      -disable modulename

      Disable all slots on the named module. Use the -slot argument to disable a specific slot.

      The internal NSS PKCS #11 module cannot be disabled.

      -enable modulename

      Enable all slots on the named module. Use the -slot argument to enable a specific slot.

      -fips [true | false]

      Enable (true) or disable (false) FIPS 140-2 compliance for the default NSS module.

      -force

      Disable modutil's interactive prompts so it can be run from a script. Use this option only after manually testing each planned operation to check for warnings and to ensure that bypassing the prompts will cause no security lapses or loss of database integrity.

      -jar JAR-file

      Add a new PKCS #11 module to the database using the named JAR file. Use this command with the -installdir and -tempdir arguments. The JAR file uses the NSS PKCS #11 JAR format to identify all the files to be installed, the module's name, the mechanism flags, and the cipher flags, as well as any files to be installed on the target machine, including the PKCS #11 module library file and other files such as documentation. This is covered in the JAR installation file section in the man page, which details the special script needed to perform an installation through a server or with modutil.

      -list [modulename]

      Display basic information about the contents of the secmod.db file. Specifying a modulename displays detailed information about a particular module and its slots and tokens.

      -rawadd

      Add the module spec string to the secmod.db database.

      -rawlist

      Display the module specs for a specified module or for all loadable modules.

      -undefault modulename

      Specify the security mechanisms for which the named module will not be a default provider. The security mechanisms are specified with the -mechanisms argument.

      Arguments

      MODULE

      Give the security module to access.

      MODULESPEC

      Give the security module spec to load into the security database.

      -ciphers cipher-enable-list

      Enable specific ciphers in a module that is being added to the database. The cipher-enable-list is a colon-delimited list of cipher names. Enclose this list in quotation marks if it contains spaces.

      -dbdir directory

      Specify the database directory in which to access or create security module database files.

      modutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in SQLite format.

      --dbprefix prefix

      Specify the prefix used on the database files, such as my_ for my_cert9.db. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.

      -installdir root-installation-directory

      Specify the root installation directory relative to which files will be installed by the -jar option. This directory should be one below which it is appropriate to store dynamic library files, such as a server's root directory.

      -libfile library-file

      Specify a path to a library file containing the implementation of the PKCS #11 interface module that is being added to the database.

      -mechanisms mechanism-list

      Specify the security mechanisms for which a particular module will be flagged as a default provider. The mechanism-list is a colon-delimited list of mechanism names. Enclose this list in quotation marks if it contains spaces.

      The module becomes a default provider for the listed mechanisms when those mechanisms are enabled. If more than one module claims to be a particular mechanism's default provider, that mechanism's default provider is undefined.

      modutil supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES, DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for random number generation), and FRIENDLY (meaning certificates are publicly readable).

      -newpwfile new-password-file

      Specify a text file containing a token's new or replacement password so that a password can be entered automatically with the -changepw option.

      -nocertdb

      Do not open the certificate or key databases. This has several effects:

      • With the -create command, only a module security file is created; certificate and key databases are not created.

      • With the -jar command, signatures on the JAR file are not checked.

      • With the -changepw command, the password on the NSS internal module cannot be set or changed, since this password is stored in the key database.

      -pwfile old-password-file

      Specify a text file containing a token's existing password so that a password can be entered automatically when the -changepw option is used to change passwords.

      -secmod secmodname

      Give the name of the security module database (like secmod.db) to load.

      -slot slotname

      Specify a particular slot to be enabled or disabled with the -enable or -disable options.

      -string CONFIG_STRING

      Pass a configuration string for the module being added to the database.

      -tempdir temporary-directory

      Give a directory location where temporary files are created during the installation by the -jar option. If no temporary directory is specified, the current directory is used.

      Usage and Examples

      Creating Database Files

      Before any operations can be performed, there must be a set of security databases available. modutil can be used to create these files. The only required argument is the database that where the databases will be located.

      modutil -create -dbdir directory

      Adding a Cryptographic Module

      Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms. This can be done by supplying all of the information through modutil directly or by running a JAR file and install script. For the most basic case, simply upload the library:

      modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list] 

      For example: -+

      modutil -dbdir /home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM 
      - 
      - Using database directory ... 
      - Module "Example PKCS #11 Module" added to database.

      -

      Installing a Cryptographic Module from a JAR File

      PKCS #11 modules can also be loaded using a JAR file, which contains all of the required libraries and an installation script that describes how to install the module. The JAR install script is described in more detail in the section called “JAR Installation File Format”.

      The JAR installation script defines the setup information for each platform that the module can be installed on. For example:

      Platforms { 
      -    Linux:5.4.08:x86 { 
      -       ModuleName { "Example PKCS #11 Module" } 
      -       ModuleFile { crypto.so } 
      -       DefaultMechanismFlags{0x0000} 
      -@@ -20,17 +20,17 @@ Module "Example PKCS #11 Module" added t
      -             Executable 
      -             Path{ /tmp/setup.sh } 
      -          } 
      -       } 
      -    } 
      -    Linux:6.0.0:x86 { 
      -       EquivalentPlatform { Linux:5.4.08:x86 } 
      -    } 
      --} 

      Both the install script and the required libraries must be bundled in a JAR file, which is specified with the -jar argument.

      modutil -dbdir sql:/home/mt"jar-install-filey/sharednssdb -jar install.jar -installdir sql:/home/my/sharednssdb
      -+} 

      Both the install script and the required libraries must be bundled in a JAR file, which is specified with the -jar argument.

      modutil -dbdir /home/mt"jar-install-filey/sharednssdb -jar install.jar -installdir /home/my/sharednssdb
      - 
      - This installation JAR file was signed by: 
      - ---------------------------------------------- 
      - 
      - **SUBJECT NAME** 
      - 
      - C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID
      - Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS
      -@@ -48,32 +48,32 @@ Successfully parsed installation script
      - Current platform is Linux:5.4.08:x86 
      - Using installation parameters for platform Linux:5.4.08:x86 
      - Installed file crypto.so to /tmp/crypto.so
      - Installed file setup.sh to ./pk11inst.dir/setup.sh 
      - Executing "./pk11inst.dir/setup.sh"... 
      - "./pk11inst.dir/setup.sh" executed successfully 
      - Installed module "Example PKCS #11 Module" into module database 
      - 
      --Installation completed successfully 

      Adding Module Spec

      Each module has information stored in the security database about its configuration and parameters. These can be added or edited using the -rawadd command. For the current settings or to see the format of the module spec in the database, use the -rawlist option.

      modutil -rawadd modulespec

      Deleting a Module

      A specific PKCS #11 module can be deleted from the secmod.db database:

      modutil -delete modulename -dbdir [sql:]directory 

      Displaying Module Information

      The secmod.db database contains information about the PKCS #11 modules that are available to an application or server to use. The list of all modules, information about specific modules, and database configuration specs for modules can all be viewed.

      To simply get a list of modules in the database, use the -list command.

      modutil -list [modulename] -dbdir [sql:]directory 

      Listing the modules shows the module name, their status, and other associated security databases for certificates and keys. For example:

      modutil -list -dbdir sql:/home/my/sharednssdb 
      -+Installation completed successfully 

      Adding Module Spec

      Each module has information stored in the security database about its configuration and parameters. These can be added or edited using the -rawadd command. For the current settings or to see the format of the module spec in the database, use the -rawlist option.

      modutil -rawadd modulespec

      Deleting a Module

      A specific PKCS #11 module can be deleted from the secmod.db database:

      modutil -delete modulename -dbdir directory 

      Displaying Module Information

      The secmod.db database contains information about the PKCS #11 modules that are available to an application or server to use. The list of all modules, information about specific modules, and database configuration specs for modules can all be viewed.

      To simply get a list of modules in the database, use the -list command.

      modutil -list [modulename] -dbdir directory 

      Listing the modules shows the module name, their status, and other associated security databases for certificates and keys. For example:

      modutil -list -dbdir /home/my/sharednssdb 
      - 
      - Listing of PKCS #11 Modules
      - -----------------------------------------------------------
      -   1. NSS Internal PKCS #11 Module
      -          slots: 2 slots attached
      -         status: loaded
      - 
      -          slot: NSS Internal Cryptographic Services                            
      -         token: NSS Generic Crypto Services
      - 	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
      - 
      -          slot: NSS User Private Key and Certificate Services                  
      -         token: NSS Certificate DB
      - 	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
      -------------------------------------------------------------

      Passing a specific module name with the -list returns details information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on. For example:

       modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/home/my/sharednssdb
      -+-----------------------------------------------------------

      Passing a specific module name with the -list returns details information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on. For example:

       modutil -list "NSS Internal PKCS #11 Module" -dbdir /home/my/sharednssdb
      - 
      - -----------------------------------------------------------
      - Name: NSS Internal PKCS #11 Module
      - Library file: **Internal ONLY module**
      - Manufacturer: Mozilla Foundation              
      - Description: NSS Internal Crypto Services    
      - PKCS #11 Version 2.20
      - Library Version: 3.11
      -@@ -107,28 +107,28 @@ Default Mechanism Flags: RSA:RC2:RC4:DES
      -   Token Name: NSS Certificate DB              
      -   Token Manufacturer: Mozilla Foundation              
      -   Token Model: NSS 3           
      -   Token Serial Number: 0000000000000000
      -   Token Version: 8.3
      -   Token Firmware Version: 0.0
      -   Access: NOT Write Protected
      -   Login Type: Login required
      --  User Pin: Initialized

      A related command, -rawlist returns information about the database configuration for the modules. (This information can be edited by loading new specs using the -rawadd command.)

       modutil -rawlist -dbdir sql:/home/my/sharednssdb
      -+  User Pin: Initialized

      A related command, -rawlist returns information about the database configuration for the modules. (This information can be edited by loading new specs using the -rawadd command.)

       modutil -rawlist -dbdir /home/my/sharednssdb
      -  name="NSS Internal PKCS #11 Module" parameters="configdir=. certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical"

      Setting a Default Provider for Security Mechanisms

      Multiple security modules may provide support for the same security mechanisms. It is possible to set a specific security module as the default provider for a specific security mechanism (or, conversely, to prohibit a provider from supplying those mechanisms).

      modutil -default modulename -mechanisms mechanism-list 

      To set a module as the default provider for mechanisms, use the -default command with a colon-separated list of mechanisms. The available mechanisms depend on the module; NSS supplies almost all common mechanisms. For example:

      modutil -default "NSS Internal PKCS #11 Module" -dbdir -mechanisms RSA:DSA:RC2 
      - 
      - Using database directory c:\databases...
      - 
      - Successfully changed defaults.

      Clearing the default provider has the same format:

      modutil -undefault "NSS Internal PKCS #11 Module" -dbdir -mechanisms MD2:MD5

      Enabling and Disabling Modules and Slots

      Modules, and specific slots on modules, can be selectively enabled or disabled using modutil. Both commands have the same format:

      modutil -enable|-disable modulename [-slot slotname] 

      For example:

      modutil -enable "NSS Internal PKCS #11 Module" -slot "NSS Internal Cryptographic Services                            " -dbdir .
      - 
      --Slot "NSS Internal Cryptographic Services                            " enabled.

      Be sure that the appropriate amount of trailing whitespace is after the slot name. Some slot names have a significant amount of whitespace that must be included, or the operation will fail.

      Enabling and Verifying FIPS Compliance

      The NSS modules can have FIPS 140-2 compliance enabled or disabled using modutil with the -fips option. For example:

      modutil -fips true -dbdir sql:/home/my/sharednssdb/
      -+Slot "NSS Internal Cryptographic Services                            " enabled.

      Be sure that the appropriate amount of trailing whitespace is after the slot name. Some slot names have a significant amount of whitespace that must be included, or the operation will fail.

      Enabling and Verifying FIPS Compliance

      The NSS modules can have FIPS 140-2 compliance enabled or disabled using modutil with the -fips option. For example:

      modutil -fips true -dbdir /home/my/sharednssdb/
      - 
      --FIPS mode enabled.

      To verify that status of FIPS mode, run the -chkfips command with either a true or false flag (it doesn't matter which). The tool returns the current FIPS setting.

      modutil -chkfips false -dbdir sql:/home/my/sharednssdb/
      -+FIPS mode enabled.

      To verify that status of FIPS mode, run the -chkfips command with either a true or false flag (it doesn't matter which). The tool returns the current FIPS setting.

      modutil -chkfips false -dbdir /home/my/sharednssdb/
      - 
      --FIPS mode enabled.

      Changing the Password on a Token

      Initializing or changing a token's password:

      modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file] 
      modutil -dbdir sql:/home/my/sharednssdb -changepw "NSS Certificate DB" 
      -+FIPS mode enabled.

      Changing the Password on a Token

      Initializing or changing a token's password:

      modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file] 
      modutil -dbdir /home/my/sharednssdb -changepw "NSS Certificate DB" 
      - 
      - Enter old password: 
      - Incorrect password, try again... 
      - Enter old password: 
      - Enter new password: 
      - Re-enter new password: 
      - Token "Communicator Certificate DB" password changed successfully.

      JAR Installation File Format

      When a JAR file is run by a server, by modutil, or by any program that does not interpret JavaScript, a special information file must be included to install the libraries. There are several things to keep in mind with this file:

      • - It must be declared in the JAR archive's manifest file. -@@ -234,18 +234,18 @@ The last versions of these

        • - cert9.db for certificates -

        • - key4.db for keys -

        • - pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory --

      Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.

      By default, the tools (certutil, pk12util, modutil) assume that the given security databases follow the more common legacy type. --Using the SQLite databases must be manually specified by using the sql: prefix with the given security directory. For example:

      modutil -create -dbdir sql:/home/my/sharednssdb

      To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql:

      export NSS_DEFAULT_DB_TYPE="sql"

      This line can be added to the ~/.bashrc file to make the change permanent for the user.

      Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:

      • -+

      Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.

      By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type. -+Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example:

      modutil -create -dbdir dbm:/home/my/sharednssdb

      To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm:

      export NSS_DEFAULT_DB_TYPE="dbm"

      This line can be added to the ~/.bashrc file to make the change permanent for the user.

      • - https://wiki.mozilla.org/NSS_Shared_DB_Howto

      For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:

      • - https://wiki.mozilla.org/NSS_Shared_DB -

      See Also

      certutil (1)

      pk12util (1)

      signtool (1)

      The NSS wiki has information on the new database design and how to configure applications to use it.

      • - https://wiki.mozilla.org/NSS_Shared_DB_Howto

      • - https://wiki.mozilla.org/NSS_Shared_DB -

      Additional Resources

      For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

      Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

      IRC: Freenode at #dogtag-pki

      Authors

      The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

      - Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. -

      LICENSE

      Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
      -diff --git a/doc/html/pk12util.html b/doc/html/pk12util.html
      ---- a/doc/html/pk12util.html
      -+++ b/doc/html/pk12util.html
      -@@ -1,27 +1,27 @@
      --PK12UTIL

      Name

      pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database

      Synopsis

      pk12util [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]

      STATUS

      This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 --

      Description

      The PKCS #12 utility, pk12util, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.

      Options and Arguments

      Options

      -i p12file

      Import keys and certificates from a PKCS #12 file into a security database.

      -l p12file

      List the keys and certificates in PKCS #12 file.

      -o p12file

      Export keys and certificates from the security database to a PKCS #12 file.

      Arguments

      -c keyCipher

      Specify the key encryption algorithm.

      -C certCipher

      Specify the certiticate encryption algorithm.

      -d [sql:]directory

      Specify the database directory into which to import to or export from certificates and keys.

      pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format.

      -h tokenname

      Specify the name of the token to import into or export from.

      -k slotPasswordFile

      Specify the text file containing the slot's password.

      -K slotPassword

      Specify the slot's password.

      -m | --key-len keyLength

      Specify the desired length of the symmetric key to be used to encrypt the private key.

      -n | --cert-key-len certKeyLength

      Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.

      -n certname

      Specify the nickname of the cert and private key to export.

      The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.

      -P prefix

      Specify the prefix used on the certificate and key databases. This option is provided as a special case. -+PK12UTIL

      Name

      pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database

      Synopsis

      pk12util [-i p12File|-l p12File|-o p12File] [-c keyCipher] [-C certCipher] [-d directory] [-h tokenname] [-m | --key-len keyLength] [-M hashAlg] [-n certname] [-P dbprefix] [-r] [-v] [--cert-key-len certKeyLength] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]

      STATUS

      This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -+

      Description

      The PKCS #12 utility, pk12util, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.

      Options and Arguments

      Options

      -i p12file

      Import keys and certificates from a PKCS #12 file into a security database.

      -l p12file

      List the keys and certificates in PKCS #12 file.

      -o p12file

      Export keys and certificates from the security database to a PKCS #12 file.

      Arguments

      -c keyCipher

      Specify the key encryption algorithm.

      -C certCipher

      Specify the certiticate encryption algorithm.

      -d directory

      Specify the database directory into which to import to or export from certificates and keys.

      pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in the SQLite format.

      -h tokenname

      Specify the name of the token to import into or export from.

      -k slotPasswordFile

      Specify the text file containing the slot's password.

      -K slotPassword

      Specify the slot's password.

      -m | --key-len keyLength

      Specify the desired length of the symmetric key to be used to encrypt the private key.

      -M hashAlg

      Specify the hash algorithm used in the pkcs #12 mac. This algorithm also specifies the HMAC used in the prf when using pkcs #5 v2.

      --cert-key-len certKeyLength

      Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.

      -n certname

      Specify the nickname of the cert and private key to export.

      The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.

      -P prefix

      Specify the prefix used on the certificate and key databases. This option is provided as a special case. - Changing the names of the certificate and key databases is not recommended.

      -r

      Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.

      -v

      Enable debug logging when importing.

      -w p12filePasswordFile

      Specify the text file containing the pkcs #12 file password.

      -W p12filePassword

      Specify the pkcs #12 file password.

      Return Codes

      • 0 - No error

      • 1 - User Cancelled

      • 2 - Usage error

      • 6 - NLS init error

      • 8 - Certificate DB open error

      • 9 - Key DB open error

      • 10 - File initialization error

      • 11 - Unicode conversion error

      • 12 - Temporary file creation error

      • 13 - PKCS11 get slot error

      • 14 - PKCS12 decoder start error

      • 15 - error read from import file

      • 16 - pkcs12 decode error

      • 17 - pkcs12 decoder verify error

      • 18 - pkcs12 decoder validate bags error

      • 19 - pkcs12 decoder import bags error

      • 20 - key db conversion version 3 to version 2 error

      • 21 - cert db conversion version 7 to version 5 error

      • 22 - cert and key dbs patch error

      • 23 - get default cert db error

      • 24 - find cert by nickname error

      • 25 - create export context error

      • 26 - PKCS12 add password itegrity error

      • 27 - cert and key Safes creation error

      • 28 - PKCS12 add cert and key error

      • 29 - PKCS12 encode error

      Examples

      Importing Keys and Certificates

      The most basic usage of pk12util for importing a certificate or key is the PKCS #12 input file (-i) and some way to specify the security database being accessed (either -d for a directory or -h for a token). -

      -- pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] --

      For example:

      # pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
      -+    pk12util -i p12File [-h tokenname] [-v] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
      -+    

      For example:

      # pk12util -i /tmp/cert-files/users.p12 -d /home/my/sharednssdb
      - 
      - Enter a password which will be used to encrypt your keys.
      - The password should be at least 8 characters long,
      - and should contain at least one non-alphabetic character.
      - 
      - Enter new password: 
      - Re-enter password: 
      - Enter password for PKCS12 file: 
      - pk12util: PKCS12 IMPORT SUCCESSFUL

      Exporting Keys and Certificates

      Using the pk12util command to export certificates and keys requires both the name of the certificate to extract from the database (-n) and the PKCS #12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material. --

      pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]

      For example:

      # pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb
      -+    

      pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]

      For example:

      # pk12util -o certs.p12 -n Server-Cert -d /home/my/sharednssdb
      - Enter password for PKCS12 file: 
      - Re-enter password: 

      Listing Keys and Certificates

      The information in a .p12 file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the .p12 file. --

      pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]

      For example, this prints the default ASCII output:

      # pk12util -l certs.p12
      -+    

      pk12util -l p12File [-h tokenname] [-r] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]

      For example, this prints the default ASCII output:

      # pk12util -l certs.p12
      - 
      - Enter password for PKCS12 file: 
      - Key(shrouded):
      -     Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
      - 
      -     Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
      -         Parameters:
      -             Salt:
      -@@ -59,18 +59,18 @@ The last versions of these 
      • - cert9.db for certificates -

      • - key4.db for keys -

      • - pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory --

      Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.

      By default, the tools (certutil, pk12util, modutil) assume that the given security databases follow the more common legacy type. --Using the SQLite databases must be manually specified by using the sql: prefix with the given security directory. For example:

      # pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb

      To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql:

      export NSS_DEFAULT_DB_TYPE="sql"

      This line can be set added to the ~/.bashrc file to make the change permanent.

      Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:

      • -+

      Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.

      By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type -+Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example:

      # pk12util -i /tmp/cert-files/users.p12 -d dbm:/home/my/sharednssdb

      To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm:

      export NSS_DEFAULT_DB_TYPE="dbm"

      This line can be set added to the ~/.bashrc file to make the change permanent.

      • - https://wiki.mozilla.org/NSS_Shared_DB_Howto

      For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:

      • - https://wiki.mozilla.org/NSS_Shared_DB -

      Compatibility Notes

      The exporting behavior of pk12util has changed over time, while importing files exported with older versions of NSS is still supported.

      Until the 3.30 release, pk12util used the UTF-16 encoding for the PKCS #5 password-based encryption schemes, while the recommendation is to encode passwords in UTF-8 if the used encryption scheme is defined outside of the PKCS #12 standard.

      Until the 3.31 release, even when "AES-128-CBC" or "AES-192-CBC" is given from the command line, pk12util always used 256-bit AES as the underlying encryption scheme.

      For historical reasons, pk12util accepts password-based encryption schemes not listed in this document. However, those schemes are not officially supported and may have issues in interoperability with other tools.

      See Also

      certutil (1)

      modutil (1)

      The NSS wiki has information on the new database design and how to configure applications to use it.

      • - https://wiki.mozilla.org/NSS_Shared_DB_Howto

      • - https://wiki.mozilla.org/NSS_Shared_DB -

      Additional Resources

      For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

      Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

      IRC: Freenode at #dogtag-pki

      Authors

      The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

      - Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. -

      LICENSE

      Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. -diff --git a/doc/html/pp.html b/doc/html/pp.html ---- a/doc/html/pp.html -+++ b/doc/html/pp.html -@@ -1,7 +1,7 @@ --PP

      Name

      pp — Prints certificates, keys, crls, and pkcs7 files

      Synopsis

      pp -t type [-a] [-i input] [-o output] [-u] [-w]

      STATUS

      This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 --

      Description

      pp pretty-prints private and public key, certificate, certificate-request, -- pkcs7 or crl files --

      Options

      -t type

      specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}

      -a
      Input is in ascii encoded form (RFC1113)
      -i inputfile
      Define an input file to use (default is stdin)
      -o outputfile
      Define an output file to use (default is stdout)
      -u
      Use UTF-8 (default is to show non-ascii as .)
      -w
      Don't wrap long output lines

      Additional Resources

      NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at PKI Wiki.

      For information specifically about NSS, the NSS project wiki is located at Mozilla NSS site. The NSS site relates directly to NSS code changes and releases.

      Mailing lists: pki-devel@redhat.com and pki-users@redhat.com

      IRC: Freenode at #dogtag-pki

      Authors

      The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

      -+PP

      Name

      pp — Prints certificates, keys, crls, and pkcs7 files

      Synopsis

      pp -t type [-a] [-i input] [-o output] [-u] [-w]

      STATUS

      This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -+

      Description

      pp pretty-prints private and public key, certificate, certificate-request, -+ pkcs7, pkcs12 or crl files -+

      Options

      -t type

      specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | pkcs12 | crl | name}

      -a
      Input is in ascii encoded form (RFC1113)
      -i inputfile
      Define an input file to use (default is stdin)
      -o outputfile
      Define an output file to use (default is stdout)
      -u
      Use UTF-8 (default is to show non-ascii as .)
      -w
      Don't wrap long output lines

      Additional Resources

      NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at PKI Wiki.

      For information specifically about NSS, the NSS project wiki is located at Mozilla NSS site. The NSS site relates directly to NSS code changes and releases.

      Mailing lists: pki-devel@redhat.com and pki-users@redhat.com

      IRC: Freenode at #dogtag-pki

      Authors

      The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

      - Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. -

      LICENSE

      Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. -

      -diff --git a/doc/html/signver.html b/doc/html/signver.html ---- a/doc/html/signver.html -+++ b/doc/html/signver.html -@@ -1,12 +1,12 @@ --SIGNVER

      Name

      signver — Verify a detached PKCS#7 signature for a file.

      Synopsis

      signtool -A | -V -d directory [-a] [-i input_file] [-o output_file] [-s signature_file] [-v]

      STATUS

      This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 --

      Description

      The Signature Verification Tool, signver, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.

      Options

      -A

      Displays all of the information in the PKCS#7 signature.

      -V

      Verifies the digital signature.

      -d [sql:]directory

      Specify the database directory which contains the certificates and keys.

      signver supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format.

      -a

      Sets that the given signature file is in ASCII format.

      -i input_file

      Gives the input file for the object with signed data.

      -o output_file

      Gives the output file to which to write the results.

      -s signature_file

      Gives the input file for the digital signature.

      -v

      Enables verbose output.

      Extended Examples

      Verifying a Signature

      The -V option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).

      signver -V -s signature_file -i signed_file -d sql:/home/my/sharednssdb
      -+SIGNVER

      Name

      signver — Verify a detached PKCS#7 signature for a file.

      Synopsis

      signtool -A | -V -d directory [-a] [-i input_file] [-o output_file] [-s signature_file] [-v]

      STATUS

      This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -+

      Description

      The Signature Verification Tool, signver, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.

      Options

      -A

      Displays all of the information in the PKCS#7 signature.

      -V

      Verifies the digital signature.

      -d directory

      Specify the database directory which contains the certificates and keys.

      signver supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in the SQLite format.

      -a

      Sets that the given signature file is in ASCII format.

      -i input_file

      Gives the input file for the object with signed data.

      -o output_file

      Gives the output file to which to write the results.

      -s signature_file

      Gives the input file for the digital signature.

      -v

      Enables verbose output.

      Extended Examples

      Verifying a Signature

      The -V option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).

      signver -V -s signature_file -i signed_file -d /home/my/sharednssdb
      - 
      --signatureValid=yes

      Printing Signature Data

      -+signatureValid=yes

      Printing Signature Data

      - The -A option prints all of the information contained in a signature file. Using the -o option prints the signature file information to the given output file rather than stdout. -

      signver -A -s signature_file -o output_file

      NSS Database Types

      NSS originally used BerkeleyDB databases to store security information. - The last versions of these legacy databases are:

      • - cert8.db for certificates -

      • - key3.db for keys -

      • - secmod.db for PKCS #11 module information -@@ -14,18 +14,18 @@ The last versions of these

        • - cert9.db for certificates -

        • - key4.db for keys -

        • - pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory --

      Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.

      By default, the tools (certutil, pk12util, modutil) assume that the given security databases follow the more common legacy type. --Using the SQLite databases must be manually specified by using the sql: prefix with the given security directory. For example:

      # signver -A -s signature -d sql:/home/my/sharednssdb

      To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql:

      export NSS_DEFAULT_DB_TYPE="sql"

      This line can be added to the ~/.bashrc file to make the change permanent for the user.

      Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:

      • -+

      Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.

      By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type -+Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example:

      # signver -A -s signature -d dbm:/home/my/sharednssdb

      To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm:

      export NSS_DEFAULT_DB_TYPE="dbm"

      This line can be added to the ~/.bashrc file to make the change permanent for the user.

      • - https://wiki.mozilla.org/NSS_Shared_DB_Howto

      For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:

      • - https://wiki.mozilla.org/NSS_Shared_DB -

      See Also

      signtool (1)

      The NSS wiki has information on the new database design and how to configure applications to use it.

      • Setting up the shared NSS database

        https://wiki.mozilla.org/NSS_Shared_DB_Howto

      • - Engineering and technical information about the shared NSS database -

        - https://wiki.mozilla.org/NSS_Shared_DB -

      Additional Resources

      For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

      Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

      IRC: Freenode at #dogtag-pki

      Authors

      The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

      - Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. -diff --git a/doc/html/ssltap.html b/doc/html/ssltap.html ---- a/doc/html/ssltap.html -+++ b/doc/html/ssltap.html -@@ -1,9 +1,9 @@ --SSLTAP

      Name

      ssltap — Tap into SSL connections and display the data going by

      Synopsis

      ssltap [-fhlsvx] [-p port] [hostname:port]

      STATUS

      This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -+SSLTAP

      Name

      ssltap — Tap into SSL connections and display the data going by

      Synopsis

      ssltap [-fhlsvx] [-p port] [hostname:port]

      STATUS

      This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -

      Description

      The SSL Debugging Tool ssltap is an SSL-aware command-line proxy. It watches TCP connections and displays the data going by. If a connection is SSL, the data display includes interpreted SSL records and handshaking

      Options

      -f

      - Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser. -

      -h

      - Turn on hex/ASCII printing. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters. The two parts are separated by a vertical bar. Nonprinting characters are replaced by dots. -

      -l prefix

      - Turn on looping; that is, continue to accept connections rather than stopping after the first connection is complete. -

      -p port

      Change the default rendezvous port (1924) to another port.

      The following are well-known port numbers:

      - * HTTP 80 -diff --git a/doc/modutil.xml b/doc/modutil.xml ---- a/doc/modutil.xml -+++ b/doc/modutil.xml -@@ -144,24 +144,24 @@ - - - - -ciphers cipher-enable-list - Enable specific ciphers in a module that is being added to the database. The cipher-enable-list is a colon-delimited list of cipher names. Enclose this list in quotation marks if it contains spaces. - - - -- -dbdir [sql:]directory -+ -dbdir directory - Specify the database directory in which to access or create security module database files. -- modutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format. -+ modutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in SQLite format. - - - - --dbprefix prefix -- Specify the prefix used on the database files, such as my_ for my_cert8.db. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended. -+ Specify the prefix used on the database files, such as my_ for my_cert9.db. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended. - - - - -installdir root-installation-directory - Specify the root installation directory relative to which files will be installed by the option. This directory should be one below which it is appropriate to store dynamic library files, such as a server's root directory. - - - -@@ -224,23 +224,23 @@ - - - - - Usage and Examples - - Creating Database Files - Before any operations can be performed, there must be a set of security databases available. modutil can be used to create these files. 
The only required argument is the database that where the databases will be located. --modutil -create -dbdir [sql:]directory -+modutil -create -dbdir directory - - Adding a Cryptographic Module - Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms. This can be done by supplying all of the information through modutil directly or by running a JAR file and install script. For the most basic case, simply upload the library: - modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list] - For example: --modutil -dbdir sql:/home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM -+modutil -dbdir /home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM - - Using database directory ... - Module "Example PKCS #11 Module" added to database. - - - - Installing a Cryptographic Module from a JAR File - PKCS #11 modules can also be loaded using a JAR file, which contains all of the required libraries and an installation script that describes how to install the module. The JAR install script is described in more detail in . -@@ -262,17 +262,17 @@ Module "Example PKCS #11 Module" added t - } - } - Linux:6.0.0:x86 { - EquivalentPlatform { Linux:5.4.08:x86 } - } - } - Both the install script and the required libraries must be bundled in a JAR file, which is specified with the argument. 
- --modutil -dbdir sql:/home/mt"jar-install-filey/sharednssdb -jar install.jar -installdir sql:/home/my/sharednssdb -+modutil -dbdir /home/mt"jar-install-filey/sharednssdb -jar install.jar -installdir /home/my/sharednssdb - - This installation JAR file was signed by: - ---------------------------------------------- - - **SUBJECT NAME** - - C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID - Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS -@@ -299,42 +299,42 @@ Installation completed successfully Adding Module Spec - Each module has information stored in the security database about its configuration and parameters. These can be added or edited using the command. For the current settings or to see the format of the module spec in the database, use the option. - modutil -rawadd modulespec - - - Deleting a Module - A specific PKCS #11 module can be deleted from the secmod.db database: --modutil -delete modulename -dbdir [sql:]directory -+modutil -delete modulename -dbdir directory - - Displaying Module Information - The secmod.db database contains information about the PKCS #11 modules that are available to an application or server to use. The list of all modules, information about specific modules, and database configuration specs for modules can all be viewed. - To simply get a list of modules in the database, use the command. --modutil -list [modulename] -dbdir [sql:]directory -+modutil -list [modulename] -dbdir directory - Listing the modules shows the module name, their status, and other associated security databases for certificates and keys. For example: - --modutil -list -dbdir sql:/home/my/sharednssdb -+modutil -list -dbdir /home/my/sharednssdb - - Listing of PKCS #11 Modules - ----------------------------------------------------------- - 1. 
NSS Internal PKCS #11 Module - slots: 2 slots attached - status: loaded - - slot: NSS Internal Cryptographic Services - token: NSS Generic Crypto Services - uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 - - slot: NSS User Private Key and Certificate Services - token: NSS Certificate DB - uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 - ----------------------------------------------------------- - Passing a specific module name with the returns details information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on. For example: -- modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/home/my/sharednssdb -+ modutil -list "NSS Internal PKCS #11 Module" -dbdir /home/my/sharednssdb - - ----------------------------------------------------------- - Name: NSS Internal PKCS #11 Module - Library file: **Internal ONLY module** - Manufacturer: Mozilla Foundation - Description: NSS Internal Crypto Services - PKCS #11 Version 2.20 - Library Version: 3.11 -@@ -370,17 +370,17 @@ Default Mechanism Flags: RSA:RC2:RC4:DES - Token Model: NSS 3 - Token Serial Number: 0000000000000000 - Token Version: 8.3 - Token Firmware Version: 0.0 - Access: NOT Write Protected - Login Type: Login required - User Pin: Initialized - A related command, returns information about the database configuration for the modules. (This information can be edited by loading new specs using the command.) -- modutil -rawlist -dbdir sql:/home/my/sharednssdb -+ modutil -rawlist -dbdir /home/my/sharednssdb - name="NSS Internal PKCS #11 Module" parameters="configdir=. 
certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical" - - Setting a Default Provider for Security Mechanisms - Multiple security modules may provide support for the same security mechanisms. It is possible to set a specific security module as the default provider for a specific security mechanism (or, conversely, to prohibit a provider from supplying those mechanisms). - modutil -default modulename -mechanisms mechanism-list - To set a module as the default provider for mechanisms, use the command with a colon-separated list of mechanisms. The available mechanisms depend on the module; NSS supplies almost all common mechanisms. For example: - modutil -default "NSS Internal PKCS #11 Module" -dbdir -mechanisms RSA:DSA:RC2 - -@@ -398,29 +398,29 @@ Successfully changed defaults.For example: - modutil -enable "NSS Internal PKCS #11 Module" -slot "NSS Internal Cryptographic Services " -dbdir . - - Slot "NSS Internal Cryptographic Services " enabled. - Be sure that the appropriate amount of trailing whitespace is after the slot name. Some slot names have a significant amount of whitespace that must be included, or the operation will fail. - - Enabling and Verifying FIPS Compliance - The NSS modules can have FIPS 140-2 compliance enabled or disabled using modutil with the option. For example: --modutil -fips true -dbdir sql:/home/my/sharednssdb/ -+modutil -fips true -dbdir /home/my/sharednssdb/ - - FIPS mode enabled. - To verify that status of FIPS mode, run the command with either a true or false flag (it doesn't matter which). The tool returns the current FIPS setting. --modutil -chkfips false -dbdir sql:/home/my/sharednssdb/ -+modutil -chkfips false -dbdir /home/my/sharednssdb/ - - FIPS mode enabled. 
- - Changing the Password on a Token - - Initializing or changing a token's password: - modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file] --modutil -dbdir sql:/home/my/sharednssdb -changepw "NSS Certificate DB" -+modutil -dbdir /home/my/sharednssdb -changepw "NSS Certificate DB" - - Enter old password: - Incorrect password, try again... - Enter old password: - Enter new password: - Re-enter new password: - Token "Communicator Certificate DB" password changed successfully. - -@@ -684,27 +684,26 @@ BerkleyDB. These new databases provide m - - pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory - - - - - Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility. - --By default, the tools (certutil, pk12util, modutil) assume that the given security databases follow the more common legacy type. --Using the SQLite databases must be manually specified by using the sql: prefix with the given security directory. For example: -+By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type. -+Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example: - --modutil -create -dbdir sql:/home/my/sharednssdb -+modutil -create -dbdir dbm:/home/my/sharednssdb - --To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql: --export NSS_DEFAULT_DB_TYPE="sql" -+To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm: -+export NSS_DEFAULT_DB_TYPE="dbm" - - This line can be added to the ~/.bashrc file to make the change permanent for the user. 
- --Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases: - - - - https://wiki.mozilla.org/NSS_Shared_DB_Howto - - - For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki: - -diff --git a/doc/nroff/certutil.1 b/doc/nroff/certutil.1 ---- a/doc/nroff/certutil.1 -+++ b/doc/nroff/certutil.1 -@@ -1,18 +1,18 @@ - '\" t - .\" Title: CERTUTIL - .\" Author: [see the "Authors" section] - .\" Generator: DocBook XSL Stylesheets vsnapshot --.\" Date: 5 October 2017 -+.\" Date: 19 May 2021 - .\" Manual: NSS Security Tools - .\" Source: nss-tools - .\" Language: English - .\" --.TH "CERTUTIL" "1" "5 October 2017" "nss-tools" "NSS Security Tools" -+.TH "CERTUTIL" "1" "19 May 2021" "nss-tools" "NSS Security Tools" - .\" ----------------------------------------------------------------- - .\" * Define some portability stuff - .\" ----------------------------------------------------------------- - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .\" http://bugs.debian.org/507673 - .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .ie \n(.g .ds Aq \(aq -@@ -182,16 +182,21 @@ key4\&.db)\&. - .PP - Arguments modify a command option and are usually lower case, numbers, or symbols\&. - .PP - \-a - .RS 4 - Use ASCII format or allow the use of ASCII format for input or output\&. This formatting follows RFC 1113\&. For certificate requests, ASCII output defaults to standard output unless redirected\&. - .RE - .PP -+\-\-simple\-self\-signed -+.RS 4 -+When printing the certificate chain, don\*(Aqt search for a chain if issuer name equals to subject name\&. -+.RE -+.PP - \-b validity\-time - .RS 4 - Specify a time at which a certificate is required to be valid\&. 
Use when checking certificate validity with the - \fB\-V\fR - option\&. The format of the - \fIvalidity\-time\fR - argument is - \fIYYMMDDHHMMSS[+HHMM|\-HHMM|Z]\fR, which allows offsets to be set relative to the validity end time\&. Specifying seconds (\fISS\fR) is optional\&. When specifying an explicit time, use a Z at the end of the term, -@@ -242,17 +247,17 @@ requests the newer database - .sp -1 - .IP \(bu 2.3 - .\} - \fBdbm:\fR - requests the legacy database - .RE - .sp - If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE\&. If NSS_DEFAULT_DB_TYPE is not set then --\fBdbm:\fR -+\fBsql:\fR - is the default\&. - .RE - .PP - \-\-dump\-ext\-val OID - .RS 4 - For single cert, print binary DER encoding of extension OID\&. - .RE - .PP -@@ -569,16 +574,28 @@ The contexts are the following: - .\} - .el \{\ - .sp -1 - .IP \(bu 2.3 - .\} - \fBJ\fR - (as an object signer) - .RE -+.sp -+.RS 4 -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+\fBI\fR -+(as an IPSEC user) -+.RE - .RE - .PP - \-v valid\-months - .RS 4 - Set the number of months a new certificate will be valid\&. The validity period begins at the current system time unless an offset is added or subtracted with the - \fB\-w\fR - option\&. If this argument is not used, the default validity period is three months\&. 
- .RE -@@ -1041,16 +1058,93 @@ msTrustListSign - .\} - .el \{\ - .sp -1 - .IP \(bu 2.3 - .\} - critical - .RE - .sp -+.RS 4 -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+x509Any -+.RE -+.sp -+.RS 4 -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+ipsecIKE -+.RE -+.sp -+.RS 4 -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+ipsecIKEEnd -+.RE -+.sp -+.RS 4 -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+ipsecIKEIntermediate -+.RE -+.sp -+.RS 4 -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+ipsecEnd -+.RE -+.sp -+.RS 4 -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+ipsecTunnel -+.RE -+.sp -+.RS 4 -+.ie n \{\ -+\h'-04'\(bu\h'+03'\c -+.\} -+.el \{\ -+.sp -1 -+.IP \(bu 2.3 -+.\} -+ipsecUser -+.RE -+.sp - X\&.509 certificate extensions are described in RFC 5280\&. - .RE - .PP - \-7 emailAddrs - .RS 4 - Add a comma\-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database\&. Subject alternative name extensions are described in Section 4\&.2\&.1\&.7 of RFC 3280\&. - .RE - .PP -@@ -1194,31 +1288,31 @@ secmod\&.db or pkcs11\&.txt - .RE - .PP - These databases must be created before certificates or keys can be generated\&. - .sp - .if n \{\ - .RS 4 - .\} - .nf --certutil \-N \-d [sql:]directory -+certutil \-N \-d directory - .fi - .if n \{\ - .RE - .\} - .PP - \fBCreating a Certificate Request\fR - .PP - A certificate request contains most or all of the information that is used to generate the final certificate\&. This request is submitted separately to a certificate authority and is then approved by some mechanism (automatically or by human review)\&. Once the request is approved, then the certificate is generated\&. 
- .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-R \-k key\-type\-or\-id [\-q pqgfile|curve\-name] \-g key\-size \-s subject [\-h tokenname] \-d [sql:]directory [\-p phone] [\-o output\-file] [\-a] -+$ certutil \-R \-k key\-type\-or\-id [\-q pqgfile|curve\-name] \-g key\-size \-s subject [\-h tokenname] \-d directory [\-p phone] [\-o output\-file] [\-a] - .fi - .if n \{\ - .RE - .\} - .PP - The - \fB\-R\fR - command options requires four arguments: -@@ -1274,17 +1368,17 @@ to give the security database directory - The new certificate request can be output in ASCII format (\fB\-a\fR) or can be written to a specified file (\fB\-o\fR)\&. - .PP - For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-R \-k rsa \-g 1024 \-s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" \-d sql:$HOME/nssdb \-p 650\-555\-0123 \-a \-o cert\&.cer -+$ certutil \-R \-k rsa \-g 1024 \-s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" \-d $HOME/nssdb \-p 650\-555\-0123 \-a \-o cert\&.cer - - Generating key\&. This may take a few moments\&.\&.\&. - - .fi - .if n \{\ - .RE - .\} - .PP -@@ -1295,17 +1389,17 @@ A valid certificate must be issued by a - argument with the - \fB\-S\fR - command option\&. 
- .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-S \-k rsa|dsa|ec \-n certname \-s subject [\-c issuer |\-x] \-t trustargs \-d [sql:]directory [\-m serial\-number] [\-v valid\-months] [\-w offset\-months] [\-p phone] [\-1] [\-2] [\-3] [\-4] [\-5 keyword] [\-6 keyword] [\-7 emailAddress] [\-8 dns\-names] [\-\-extAIA] [\-\-extSIA] [\-\-extCP] [\-\-extPM] [\-\-extPC] [\-\-extIA] [\-\-extSKID] -+$ certutil \-S \-k rsa|dsa|ec \-n certname \-s subject [\-c issuer |\-x] \-t trustargs \-d directory [\-m serial\-number] [\-v valid\-months] [\-w offset\-months] [\-p phone] [\-1] [\-2] [\-3] [\-4] [\-5 keyword] [\-6 keyword] [\-7 emailAddress] [\-8 dns\-names] [\-\-extAIA] [\-\-extSIA] [\-\-extCP] [\-\-extPM] [\-\-extPC] [\-\-extIA] [\-\-extSKID] - .fi - .if n \{\ - .RE - .\} - .PP - The series of numbers and - \fB\-\-ext*\fR - options set certificate extensions that can be added to the certificate when it is generated by the CA\&. Interactive prompts will result\&. -@@ -1343,45 +1437,45 @@ When a certificate request is created, a - specified in the - \fB\-c\fR - argument)\&. The issuing certificate must be in the certificate database in the specified directory\&. 
- .sp - .if n \{\ - .RS 4 - .\} - .nf --certutil \-C \-c issuer \-i cert\-request\-file \-o output\-file [\-m serial\-number] [\-v valid\-months] [\-w offset\-months] \-d [sql:]directory [\-1] [\-2] [\-3] [\-4] [\-5 keyword] [\-6 keyword] [\-7 emailAddress] [\-8 dns\-names] -+certutil \-C \-c issuer \-i cert\-request\-file \-o output\-file [\-m serial\-number] [\-v valid\-months] [\-w offset\-months] \-d directory [\-1] [\-2] [\-3] [\-4] [\-5 keyword] [\-6 keyword] [\-7 emailAddress] [\-8 dns\-names] - .fi - .if n \{\ - .RE - .\} - .PP - For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-C \-c "my\-ca\-cert" \-i /home/certs/cert\&.req \-o cert\&.cer \-m 010 \-v 12 \-w 1 \-d sql:$HOME/nssdb \-1 nonRepudiation,dataEncipherment \-5 sslClient \-6 clientAuth \-7 jsmith@example\&.com -+$ certutil \-C \-c "my\-ca\-cert" \-i /home/certs/cert\&.req \-o cert\&.cer \-m 010 \-v 12 \-w 1 \-d $HOME/nssdb \-1 nonRepudiation,dataEncipherment \-5 sslClient \-6 clientAuth \-7 jsmith@example\&.com - .fi - .if n \{\ - .RE - .\} - .PP - \fBListing Certificates\fR - .PP - The - \fB\-L\fR - command option lists all of the certificates listed in the certificate database\&. The path to the directory (\fB\-d\fR) is required\&. 
- .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-L \-d sql:/home/my/sharednssdb -+$ certutil \-L \-d /home/my/sharednssdb - - Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI - - CA Administrator of Instance pki\-ca1\*(Aqs Example Domain ID u,u,u - TPS Administrator\*(Aqs Example Domain ID u,u,u - Google Internet Authority ,, - Certificate Authority \- Example Domain CT,C,C -@@ -1397,17 +1491,17 @@ can return and print the information for - argument passes the certificate name, while the - \fB\-a\fR - argument prints the certificate in ASCII format: - .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-L \-d sql:$HOME/nssdb \-a \-n my\-ca\-cert -+$ certutil \-L \-d $HOME/nssdb \-a \-n my\-ca\-cert - \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- - MIIB1DCCAT2gAwIBAgICDkIwDQYJKoZIhvcNAQEFBQAwFTETMBEGA1UEAxMKRXhh - bXBsZSBDQTAeFw0xMzAzMTMxOTEwMjlaFw0xMzA2MTMxOTEwMjlaMBUxEzARBgNV - BAMTCkV4YW1wbGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ4Kzqvz - JyBVgFqDXRYSyTBNw1DrxUU/3GvWA/ngjAwHEv0Cul/6sO/gsCvnABHiH6unns6x - XRzPORlC2WY3gkk7vmlsLvYpyecNazAi/NAwVnU/66HOsaoVFWE+gBQo99UrN2yk - 0BiK/GMFlLm5dXQROgA9ZKKyFdI0LIXtf6SbAgMBAAGjMzAxMBEGCWCGSAGG+EIB - AQQEAwIHADAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B -@@ -1421,17 +1515,17 @@ ob2rb8XRVVJkzXdXxlk4uo3UtNvw8sAz7sWD71qx - .\} - .PP - For a human\-readable display - .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-L \-d sql:$HOME/nssdb \-n my\-ca\-cert -+$ certutil \-L \-d $HOME/nssdb \-n my\-ca\-cert - Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3650 (0xe42) - Signature Algorithm: PKCS #1 SHA\-1 With RSA Encryption - Issuer: "CN=Example CA" - Validity: - Not Before: Wed Mar 13 19:10:29 2013 -@@ -1504,17 +1598,17 @@ To list all keys in the database, use th - command option and the (required) - \fB\-d\fR - argument to give the path to the directory\&. 
- .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-K \-d sql:$HOME/nssdb -+$ certutil \-K \-d $HOME/nssdb - certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services " - < 0> rsa 455a6673bde9375c2887ec8bf8016b3f9f35861d Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID - < 1> rsa 40defeeb522ade11090eacebaaf1196a172127df Example Domain Administrator Cert - < 2> rsa 1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5 John Smith user cert - .fi - .if n \{\ - .RE - .\} -@@ -1570,17 +1664,17 @@ The devices that can be used to store ce - command option lists all of the security modules listed in the - secmod\&.db - database\&. The path to the directory (\fB\-d\fR) is required\&. - .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-U \-d sql:/home/my/sharednssdb -+$ certutil \-U \-d /home/my/sharednssdb - - slot: NSS User Private Key and Certificate Services - token: NSS Certificate DB - uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 - - slot: NSS Internal Cryptographic Services - token: NSS Generic Crypto Services - uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 -@@ -1594,29 +1688,29 @@ database\&. The path to the directory (\ - Existing certificates or certificate requests can be added manually to the certificate database, even if they were generated elsewhere\&. This uses the - \fB\-A\fR - command option\&. 
- .sp - .if n \{\ - .RS 4 - .\} - .nf --certutil \-A \-n certname \-t trustargs \-d [sql:]directory [\-a] [\-i input\-file] -+certutil \-A \-n certname \-t trustargs \-d directory [\-a] [\-i input\-file] - .fi - .if n \{\ - .RE - .\} - .PP - For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-A \-n "CN=My SSL Certificate" \-t ",," \-d sql:/home/my/sharednssdb \-i /home/example\-certs/cert\&.cer -+$ certutil \-A \-n "CN=My SSL Certificate" \-t ",," \-d /home/my/sharednssdb \-i /home/example\-certs/cert\&.cer - .fi - .if n \{\ - .RE - .\} - .PP - A related command option, - \fB\-E\fR, is used specifically to add email certificates to the certificate database\&. The - \fB\-E\fR -@@ -1624,99 +1718,99 @@ command has the same arguments as the - \fB\-A\fR - command\&. The trust arguments for certificates have the format - \fISSL,S/MIME,Code\-signing\fR, so the middle trust settings relate most to email certificates (though the others can be set)\&. For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-E \-n "CN=John Smith Email Cert" \-t ",P," \-d sql:/home/my/sharednssdb \-i /home/example\-certs/email\&.cer -+$ certutil \-E \-n "CN=John Smith Email Cert" \-t ",P," \-d /home/my/sharednssdb \-i /home/example\-certs/email\&.cer - .fi - .if n \{\ - .RE - .\} - .PP - \fBDeleting Certificates to the Database\fR - .PP - Certificates can be deleted from a database using the - \fB\-D\fR - option\&. The only required options are to give the security database directory and to identify the certificate nickname\&. 
- .sp - .if n \{\ - .RS 4 - .\} - .nf --certutil \-D \-d [sql:]directory \-n "nickname" -+certutil \-D \-d directory \-n "nickname" - .fi - .if n \{\ - .RE - .\} - .PP - For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-D \-d sql:/home/my/sharednssdb \-n "my\-ssl\-cert" -+$ certutil \-D \-d /home/my/sharednssdb \-n "my\-ssl\-cert" - .fi - .if n \{\ - .RE - .\} - .PP - \fBValidating Certificates\fR - .PP - A certificate contains an expiration date in itself, and expired certificates are easily rejected\&. However, certificates can also be revoked before they hit their expiration date\&. Checking whether a certificate has been revoked requires validating the certificate\&. Validation can also be used to ensure that the certificate is only used for the purposes it was initially issued for\&. Validation is carried out by the - \fB\-V\fR - command option\&. - .sp - .if n \{\ - .RS 4 - .\} - .nf --certutil \-V \-n certificate\-name [\-b time] [\-e] [\-u cert\-usage] \-d [sql:]directory -+certutil \-V \-n certificate\-name [\-b time] [\-e] [\-u cert\-usage] \-d directory - .fi - .if n \{\ - .RE - .\} - .PP - For example, to validate an email certificate: - .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-V \-n "John Smith\*(Aqs Email Cert" \-e \-u S,R \-d sql:/home/my/sharednssdb -+$ certutil \-V \-n "John Smith\*(Aqs Email Cert" \-e \-u S,R \-d /home/my/sharednssdb - .fi - .if n \{\ - .RE - .\} - .PP - \fBModifying Certificate Trust Settings\fR - .PP - The trust settings (which relate to the operations that a certificate is allowed to be used for) can be changed after a certificate is created or added to the database\&. This is especially useful for CA certificates, but it can be performed for any type of certificate\&. 
- .sp - .if n \{\ - .RS 4 - .\} - .nf --certutil \-M \-n certificate\-name \-t trust\-args \-d [sql:]directory -+certutil \-M \-n certificate\-name \-t trust\-args \-d directory - .fi - .if n \{\ - .RE - .\} - .PP - For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-M \-n "My CA Certificate" \-d sql:/home/my/sharednssdb \-t "CT,CT,CT" -+$ certutil \-M \-n "My CA Certificate" \-d /home/my/sharednssdb \-t "CT,CT,CT" - .fi - .if n \{\ - .RE - .\} - .PP - \fBPrinting the Certificate Chain\fR - .PP - Certificates can be issued in -@@ -1724,17 +1818,17 @@ Certificates can be issued in - because every certificate authority itself has a certificate; when a CA issues a certificate, it essentially stamps that certificate with its own fingerprint\&. The - \fB\-O\fR - prints the full chain of a certificate, going from the initial CA (the root CA) through ever intermediary CA to the actual certificate\&. For example, for an email certificate with two CAs in the chain: - .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-d sql:/home/my/sharednssdb \-O \-n "jsmith@example\&.com" -+$ certutil \-d /home/my/sharednssdb \-O \-n "jsmith@example\&.com" - "Builtin Object Token:Thawte Personal Freemail CA" [E=personal\-freemail@thawte\&.com,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA] - - "Thawte Personal Freemail Issuing CA \- Thawte Consulting" [CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd\&.,C=ZA] - - "(null)" [E=jsmith@example\&.com,CN=Thawte Freemail Member] - .fi - .if n \{\ - .RE -@@ -1743,29 +1837,29 @@ prints the full chain of a certificate, - \fBResetting a Token\fR - .PP - The device which stores certificates \-\- both external hardware devices and internal software databases \-\- can be blanked and reused\&. 
This operation is performed on the device which stores the data, not directly on the security databases, so the location must be referenced through the token name (\fB\-h\fR) as well as any directory path\&. If there is no external token used, the default value is internal\&. - .sp - .if n \{\ - .RS 4 - .\} - .nf --certutil \-T \-d [sql:]directory \-h token\-name \-0 security\-officer\-password -+certutil \-T \-d directory \-h token\-name \-0 security\-officer\-password - .fi - .if n \{\ - .RE - .\} - .PP - Many networks have dedicated personnel who handle changes to security tokens (the security officer)\&. This person must supply the password to access the specified token\&. For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-T \-d sql:/home/my/sharednssdb \-h nethsm \-0 secret -+$ certutil \-T \-d /home/my/sharednssdb \-h nethsm \-0 secret - .fi - .if n \{\ - .RE - .\} - .PP - \fBUpgrading or Merging the Security Databases\fR - .PP - Many networks or applications may be using older BerkeleyDB versions of the certificate database (cert8\&.db)\&. Databases can be upgraded to the new SQLite version of the database (cert9\&.db) using the -@@ -1780,55 +1874,55 @@ The - \fB\-\-upgrade\-merge\fR - command must give information about the original database and then use the standard arguments (like - \fB\-d\fR) to give the information about the new databases\&. The command also requires information that the tool uses for the process to upgrade and write over the original database\&. 
- .sp - .if n \{\ - .RS 4 - .\} - .nf --certutil \-\-upgrade\-merge \-d [sql:]directory [\-P dbprefix] \-\-source\-dir directory \-\-source\-prefix dbprefix \-\-upgrade\-id id \-\-upgrade\-token\-name name [\-@ password\-file] -+certutil \-\-upgrade\-merge \-d directory [\-P dbprefix] \-\-source\-dir directory \-\-source\-prefix dbprefix \-\-upgrade\-id id \-\-upgrade\-token\-name name [\-@ password\-file] - .fi - .if n \{\ - .RE - .\} - .PP - For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-\-upgrade\-merge \-d sql:/home/my/sharednssdb \-\-source\-dir /opt/my\-app/alias/ \-\-source\-prefix serverapp\- \-\-upgrade\-id 1 \-\-upgrade\-token\-name internal -+$ certutil \-\-upgrade\-merge \-d /home/my/sharednssdb \-\-source\-dir /opt/my\-app/alias/ \-\-source\-prefix serverapp\- \-\-upgrade\-id 1 \-\-upgrade\-token\-name internal - .fi - .if n \{\ - .RE - .\} - .PP - The - \fB\-\-merge\fR - command only requires information about the location of the original database; since it doesn\*(Aqt change the format of the database, it can write over information without performing interim step\&. 
- .sp - .if n \{\ - .RS 4 - .\} - .nf --certutil \-\-merge \-d [sql:]directory [\-P dbprefix] \-\-source\-dir directory \-\-source\-prefix dbprefix [\-@ password\-file] -+certutil \-\-merge \-d directory [\-P dbprefix] \-\-source\-dir directory \-\-source\-prefix dbprefix [\-@ password\-file] - .fi - .if n \{\ - .RE - .\} - .PP - For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-\-merge \-d sql:/home/my/sharednssdb \-\-source\-dir /opt/my\-app/alias/ \-\-source\-prefix serverapp\- -+$ certutil \-\-merge \-d /home/my/sharednssdb \-\-source\-dir /opt/my\-app/alias/ \-\-source\-prefix serverapp\- - .fi - .if n \{\ - .RE - .\} - .PP - \fBRunning certutil Commands from a Batch File\fR - .PP - A series of commands can be run sequentially from a text file with the -@@ -1921,50 +2015,48 @@ pkcs11\&.txt, a listing of all of the PK - .RE - .PP - Because the SQLite databases are designed to be shared, these are the - \fIshared\fR - database type\&. The shared database type is preferred; the legacy format is included for backward compatibility\&. - .PP - By default, the tools (\fBcertutil\fR, - \fBpk12util\fR, --\fBmodutil\fR) assume that the given security databases follow the more common legacy type\&. Using the SQLite databases must be manually specified by using the --\fBsql:\fR -+\fBmodutil\fR) assume that the given security databases use the SQLite type\&. Using the legacy databases must be manually specified by using the -+\fBdbm:\fR - prefix with the given security directory\&. 
For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --$ certutil \-L \-d sql:/home/my/sharednssdb -+$ certutil \-L \-d dbm:/home/my/sharednssdb - .fi - .if n \{\ - .RE - .\} - .PP --To set the shared database type as the default type for the tools, set the -+To set the legacy database type as the default type for the tools, set the - \fBNSS_DEFAULT_DB_TYPE\fR - environment variable to --\fBsql\fR: -+\fBdbm\fR: - .sp - .if n \{\ - .RS 4 - .\} - .nf --export NSS_DEFAULT_DB_TYPE="sql" -+export NSS_DEFAULT_DB_TYPE="dbm" - .fi - .if n \{\ - .RE - .\} - .PP - This line can be set added to the - ~/\&.bashrc - file to make the change permanent\&. --.PP --Most applications do not use the shared database by default, but they can be configured to use them\&. For example, this how\-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases: - .sp - .RS 4 - .ie n \{\ - \h'-04'\(bu\h'+03'\c - .\} - .el \{\ - .sp -1 - .IP \(bu 2.3 -diff --git a/doc/nroff/crlutil.1 b/doc/nroff/crlutil.1 ---- a/doc/nroff/crlutil.1 -+++ b/doc/nroff/crlutil.1 -@@ -1,18 +1,18 @@ - '\" t - .\" Title: CRLUTIL - .\" Author: [see the "Authors" section] --.\" Generator: DocBook XSL Stylesheets v1.78.1 --.\" Date: 5 June 2014 -+.\" Generator: DocBook XSL Stylesheets vsnapshot -+.\" Date: 19 May 2021 - .\" Manual: NSS Security Tools - .\" Source: nss-tools - .\" Language: English - .\" --.TH "CRLUTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools" -+.TH "CRLUTIL" "1" "19 May 2021" "nss-tools" "NSS Security Tools" - .\" ----------------------------------------------------------------- - .\" * Define some portability stuff - .\" ----------------------------------------------------------------- - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .\" http://bugs.debian.org/507673 - .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .ie \n(.g .ds Aq \(aq -diff --git 
a/doc/nroff/derdump.1 b/doc/nroff/derdump.1 ---- a/doc/nroff/derdump.1 -+++ b/doc/nroff/derdump.1 -@@ -1,18 +1,18 @@ - '\" t - .\" Title: DERDUMP - .\" Author: [see the "Authors" section] --.\" Generator: DocBook XSL Stylesheets v1.77.1 --.\" Date: 15 February 2013 -+.\" Generator: DocBook XSL Stylesheets vsnapshot -+.\" Date: 19 May 2021 - .\" Manual: NSS Security Tools - .\" Source: nss-tools - .\" Language: English - .\" --.TH "DERDUMP" "1" "15 February 2013" "nss-tools" "NSS Security Tools" -+.TH "DERDUMP" "1" "19 May 2021" "nss-tools" "NSS Security Tools" - .\" ----------------------------------------------------------------- - .\" * Define some portability stuff - .\" ----------------------------------------------------------------- - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .\" http://bugs.debian.org/507673 - .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .ie \n(.g .ds Aq \(aq -@@ -63,22 +63,22 @@ NSS is maintained in conjunction with PK - For information specifically about NSS, the NSS project wiki is located at - \m[blue]\fBMozilla NSS site\fR\m[]\&\s-2\u[3]\d\s+2\&. The NSS site relates directly to NSS code changes and releases\&. - .PP - Mailing lists: pki\-devel@redhat\&.com and pki\-users@redhat\&.com - .PP - IRC: Freenode at #dogtag\-pki - .SH "AUTHORS" - .PP --The NSS tools were written and maintained by developers with Netscape and now with Red Hat\&. -+The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. - .PP - Authors: Gerhardus Geldenhuis \&. Elio Maldonado , Deon Lackey - .SH "LICENSE" - .PP --Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&. -+Licensed under the Mozilla Public License, v\&. 2\&.0\&. 
If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. - .SH "NOTES" - .IP " 1." 4 - Mozilla NSS bug 836477 - .RS 4 - \%https://bugzilla.mozilla.org/show_bug.cgi?id=836477 - .RE - .IP " 2." 4 - PKI Wiki -diff --git a/doc/nroff/modutil.1 b/doc/nroff/modutil.1 ---- a/doc/nroff/modutil.1 -+++ b/doc/nroff/modutil.1 -@@ -1,18 +1,18 @@ - '\" t - .\" Title: MODUTIL - .\" Author: [see the "Authors" section] - .\" Generator: DocBook XSL Stylesheets vsnapshot --.\" Date: 5 October 2017 -+.\" Date: 19 May 2021 - .\" Manual: NSS Security Tools - .\" Source: nss-tools - .\" Language: English - .\" --.TH "MODUTIL" "1" "5 October 2017" "nss-tools" "NSS Security Tools" -+.TH "MODUTIL" "1" "19 May 2021" "nss-tools" "NSS Security Tools" - .\" ----------------------------------------------------------------- - .\" * Define some portability stuff - .\" ----------------------------------------------------------------- - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .\" http://bugs.debian.org/507673 - .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .ie \n(.g .ds Aq \(aq -@@ -183,36 +183,36 @@ Give the security module spec to load in - .PP - \-ciphers cipher\-enable\-list - .RS 4 - Enable specific ciphers in a module that is being added to the database\&. The - \fIcipher\-enable\-list\fR - is a colon\-delimited list of cipher names\&. Enclose this list in quotation marks if it contains spaces\&. - .RE - .PP --\-dbdir [sql:]directory -+\-dbdir directory - .RS 4 - Specify the database directory in which to access or create security module database files\&. - .sp - \fBmodutil\fR - supports two types of databases: the legacy security databases (cert8\&.db, - key3\&.db, and --secmod\&.db) and new SQLite databases (cert9\&.db, -+secmod\&.db) and SQLite databases (cert9\&.db, - key4\&.db, and - pkcs11\&.txt)\&. 
If the prefix --\fBsql:\fR --is not used, then the tool assumes that the given databases are in the old format\&. -+\fBdbm:\fR -+is not used, then the tool assumes that the given databases are in SQLite format\&. - .RE - .PP - \-\-dbprefix prefix - .RS 4 - Specify the prefix used on the database files, such as - my_ - for --my_cert8\&.db\&. This option is provided as a special case\&. Changing the names of the certificate and key databases is not recommended\&. -+my_cert9\&.db\&. This option is provided as a special case\&. Changing the names of the certificate and key databases is not recommended\&. - .RE - .PP - \-installdir root\-installation\-directory - .RS 4 - Specify the root installation directory relative to which files will be installed by the - \fB\-jar\fR - option\&. This directory should be one below which it is appropriate to store dynamic library files, such as a server\*(Aqs root directory\&. - .RE -@@ -325,17 +325,17 @@ option\&. If no temporary directory is s - Before any operations can be performed, there must be a set of security databases available\&. - \fBmodutil\fR - can be used to create these files\&. The only required argument is the database that where the databases will be located\&. - .sp - .if n \{\ - .RS 4 - .\} - .nf --modutil \-create \-dbdir [sql:]directory -+modutil \-create \-dbdir directory - .fi - .if n \{\ - .RE - .\} - .PP - \fBAdding a Cryptographic Module\fR - .PP - Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms\&. 
This can be done by supplying all of the information through -@@ -353,17 +353,17 @@ modutil \-add modulename \-libfile libra - .\} - .PP - For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --modutil \-dbdir sql:/home/my/sharednssdb \-add "Example PKCS #11 Module" \-libfile "/tmp/crypto\&.so" \-mechanisms RSA:DSA:RC2:RANDOM -+modutil \-dbdir /home/my/sharednssdb \-add "Example PKCS #11 Module" \-libfile "/tmp/crypto\&.so" \-mechanisms RSA:DSA:RC2:RANDOM - - Using database directory \&.\&.\&. - Module "Example PKCS #11 Module" added to database\&. - .fi - .if n \{\ - .RE - .\} - .PP -@@ -406,17 +406,17 @@ Platforms { - Both the install script and the required libraries must be bundled in a JAR file, which is specified with the - \fB\-jar\fR - argument\&. - .sp - .if n \{\ - .RS 4 - .\} - .nf --modutil \-dbdir sql:/home/mt"jar\-install\-filey/sharednssdb \-jar install\&.jar \-installdir sql:/home/my/sharednssdb -+modutil \-dbdir /home/mt"jar\-install\-filey/sharednssdb \-jar install\&.jar \-installdir /home/my/sharednssdb - - This installation JAR file was signed by: - \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- - - **SUBJECT NAME** - - C=US, ST=California, L=Mountain View, CN=Cryptorific Inc\&., OU=Digital ID - Class 3 \- Netscape Object Signing, OU="www\&.verisign\&.com/repository/CPS -@@ -468,17 +468,17 @@ modutil \-rawadd modulespec - A specific PKCS #11 module can be deleted from the - secmod\&.db - database: - .sp - .if n \{\ - .RS 4 - .\} - .nf --modutil \-delete modulename \-dbdir [sql:]directory -+modutil \-delete modulename \-dbdir directory - .fi - .if n \{\ - .RE - .\} - .PP - \fBDisplaying Module Information\fR - .PP - The -@@ -488,29 +488,29 @@ database contains information about the - To simply get a list of modules in the database, use the - \fB\-list\fR - command\&. 
- .sp - .if n \{\ - .RS 4 - .\} - .nf --modutil \-list [modulename] \-dbdir [sql:]directory -+modutil \-list [modulename] \-dbdir directory - .fi - .if n \{\ - .RE - .\} - .PP - Listing the modules shows the module name, their status, and other associated security databases for certificates and keys\&. For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --modutil \-list \-dbdir sql:/home/my/sharednssdb -+modutil \-list \-dbdir /home/my/sharednssdb - - Listing of PKCS #11 Modules - \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- - 1\&. NSS Internal PKCS #11 Module - slots: 2 slots attached - status: loaded - - slot: NSS Internal Cryptographic Services -@@ -529,17 +529,17 @@ Listing of PKCS #11 Modules - Passing a specific module name with the - \fB\-list\fR - returns details information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on\&. For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf -- modutil \-list "NSS Internal PKCS #11 Module" \-dbdir sql:/home/my/sharednssdb -+ modutil \-list "NSS Internal PKCS #11 Module" \-dbdir /home/my/sharednssdb - - \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- - Name: NSS Internal PKCS #11 Module - Library file: **Internal ONLY module** - Manufacturer: Mozilla Foundation - Description: NSS Internal Crypto Services - PKCS #11 Version 2\&.20 - Library Version: 3\&.11 -@@ -589,17 +589,17 @@ A related command, - returns information about the database configuration for the modules\&. (This information can be edited by loading new specs using the - \fB\-rawadd\fR - command\&.) - .sp - .if n \{\ - .RS 4 - .\} - .nf -- modutil \-rawlist \-dbdir sql:/home/my/sharednssdb -+ modutil \-rawlist \-dbdir /home/my/sharednssdb - name="NSS Internal PKCS #11 Module" parameters="configdir=\&. 
certPrefix= keyPrefix= secmod=secmod\&.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical" - .fi - .if n \{\ - .RE - .\} - .PP - \fBSetting a Default Provider for Security Mechanisms\fR - .PP -@@ -683,33 +683,33 @@ The NSS modules can have FIPS 140\-2 com - with the - \fB\-fips\fR - option\&. For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --modutil \-fips true \-dbdir sql:/home/my/sharednssdb/ -+modutil \-fips true \-dbdir /home/my/sharednssdb/ - - FIPS mode enabled\&. - .fi - .if n \{\ - .RE - .\} - .PP - To verify that status of FIPS mode, run the - \fB\-chkfips\fR - command with either a true or false flag (it doesn\*(Aqt matter which)\&. The tool returns the current FIPS setting\&. - .sp - .if n \{\ - .RS 4 - .\} - .nf --modutil \-chkfips false \-dbdir sql:/home/my/sharednssdb/ -+modutil \-chkfips false \-dbdir /home/my/sharednssdb/ - - FIPS mode enabled\&. - .fi - .if n \{\ - .RE - .\} - .PP - \fBChanging the Password on a Token\fR -@@ -725,17 +725,17 @@ modutil \-changepw tokenname [\-pwfile o - .if n \{\ - .RE - .\} - .sp - .if n \{\ - .RS 4 - .\} - .nf --modutil \-dbdir sql:/home/my/sharednssdb \-changepw "NSS Certificate DB" -+modutil \-dbdir /home/my/sharednssdb \-changepw "NSS Certificate DB" - - Enter old password: - Incorrect password, try again\&.\&.\&. - Enter old password: - Enter new password: - Re\-enter new password: - Token "Communicator Certificate DB" password changed successfully\&. - .fi -@@ -1336,50 +1336,48 @@ pkcs11\&.txt, which is listing of all of - .RE - .PP - Because the SQLite databases are designed to be shared, these are the - \fIshared\fR - database type\&. The shared database type is preferred; the legacy format is included for backward compatibility\&. 
- .PP - By default, the tools (\fBcertutil\fR, - \fBpk12util\fR, --\fBmodutil\fR) assume that the given security databases follow the more common legacy type\&. Using the SQLite databases must be manually specified by using the --\fBsql:\fR -+\fBmodutil\fR) assume that the given security databases use the SQLite type\&. Using the legacy databases must be manually specified by using the -+\fBdbm:\fR - prefix with the given security directory\&. For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --modutil \-create \-dbdir sql:/home/my/sharednssdb -+modutil \-create \-dbdir dbm:/home/my/sharednssdb - .fi - .if n \{\ - .RE - .\} - .PP --To set the shared database type as the default type for the tools, set the -+To set the legacy database type as the default type for the tools, set the - \fBNSS_DEFAULT_DB_TYPE\fR - environment variable to --\fBsql\fR: -+\fBdbm\fR: - .sp - .if n \{\ - .RS 4 - .\} - .nf --export NSS_DEFAULT_DB_TYPE="sql" -+export NSS_DEFAULT_DB_TYPE="dbm" - .fi - .if n \{\ - .RE - .\} - .PP - This line can be added to the - ~/\&.bashrc - file to make the change permanent for the user\&. --.PP --Most applications do not use the shared database by default, but they can be configured to use them\&. 
For example, this how\-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases: - .sp - .RS 4 - .ie n \{\ - \h'-04'\(bu\h'+03'\c - .\} - .el \{\ - .sp -1 - .IP \(bu 2.3 -diff --git a/doc/nroff/pk12util.1 b/doc/nroff/pk12util.1 ---- a/doc/nroff/pk12util.1 -+++ b/doc/nroff/pk12util.1 -@@ -1,18 +1,18 @@ - '\" t - .\" Title: PK12UTIL - .\" Author: [see the "Authors" section] - .\" Generator: DocBook XSL Stylesheets vsnapshot --.\" Date: 5 October 2017 -+.\" Date: 19 May 2021 - .\" Manual: NSS Security Tools - .\" Source: nss-tools - .\" Language: English - .\" --.TH "PK12UTIL" "1" "5 October 2017" "nss-tools" "NSS Security Tools" -+.TH "PK12UTIL" "1" "19 May 2021" "nss-tools" "NSS Security Tools" - .\" ----------------------------------------------------------------- - .\" * Define some portability stuff - .\" ----------------------------------------------------------------- - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .\" http://bugs.debian.org/507673 - .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .ie \n(.g .ds Aq \(aq -@@ -26,17 +26,17 @@ - .ad l - .\" ----------------------------------------------------------------- - .\" * MAIN CONTENT STARTS HERE * - .\" ----------------------------------------------------------------- - .SH "NAME" - pk12util \- Export and import keys and certificate to or from a PKCS #12 file and the NSS database - .SH "SYNOPSIS" - .HP \w'\fBpk12util\fR\ 'u --\fBpk12util\fR [\-i\ p12File|\-l\ p12File|\-o\ p12File] [\-d\ [sql:]directory] [\-h\ tokenname] [\-P\ dbprefix] [\-r] [\-v] [\-k\ slotPasswordFile|\-K\ slotPassword] [\-w\ p12filePasswordFile|\-W\ p12filePassword] -+\fBpk12util\fR [\-i\ p12File|\-l\ p12File|\-o\ p12File] [\-c\ keyCipher] [\-C\ certCipher] [\-d\ directory] [\-h\ tokenname] [\-m\ |\ \-\-key\-len\ keyLength] [\-M\ hashAlg] [\-n\ certname] [\-P\ dbprefix] [\-r] [\-v] 
[\-\-cert\-key\-len\ certKeyLength] [\-k\ slotPasswordFile|\-K\ slotPassword] [\-w\ p12filePasswordFile|\-W\ p12filePassword] - .SH "STATUS" - .PP - This documentation is still work in progress\&. Please contribute to the initial review in - \m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2 - .SH "DESCRIPTION" - .PP - The PKCS #12 utility, - \fBpk12util\fR, enables sharing certificates among any server that supports PKCS #12\&. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys\&. -@@ -66,28 +66,28 @@ Export keys and certificates from the se - Specify the key encryption algorithm\&. - .RE - .PP - \-C certCipher - .RS 4 - Specify the certiticate encryption algorithm\&. - .RE - .PP --\-d [sql:]directory -+\-d directory - .RS 4 - Specify the database directory into which to import to or export from certificates and keys\&. - .sp - \fBpk12util\fR - supports two types of databases: the legacy security databases (cert8\&.db, - key3\&.db, and - secmod\&.db) and new SQLite databases (cert9\&.db, - key4\&.db, and - pkcs11\&.txt)\&. If the prefix --\fBsql:\fR --is not used, then the tool assumes that the given databases are in the old format\&. -+\fBdbm:\fR -+is not used, then the tool assumes that the given databases are in the SQLite format\&. - .RE - .PP - \-h tokenname - .RS 4 - Specify the name of the token to import into or export from\&. - .RE - .PP - \-k slotPasswordFile -@@ -100,17 +100,22 @@ Specify the text file containing the slo - Specify the slot\*(Aqs password\&. - .RE - .PP - \-m | \-\-key\-len keyLength - .RS 4 - Specify the desired length of the symmetric key to be used to encrypt the private key\&. - .RE - .PP --\-n | \-\-cert\-key\-len certKeyLength -+\-M hashAlg -+.RS 4 -+Specify the hash algorithm used in the pkcs #12 mac\&. This algorithm also specifies the HMAC used in the prf when using pkcs #5 v2\&. 
-+.RE -+.PP -+\-\-cert\-key\-len certKeyLength - .RS 4 - Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta\-data\&. - .RE - .PP - \-n certname - .RS 4 - Specify the nickname of the cert and private key to export\&. - .sp -@@ -435,27 +440,27 @@ 29 \- PKCS12 encode error - The most basic usage of - \fBpk12util\fR - for importing a certificate or key is the PKCS #12 input file (\fB\-i\fR) and some way to specify the security database being accessed (either - \fB\-d\fR - for a directory or - \fB\-h\fR - for a token)\&. - .PP --pk12util \-i p12File [\-h tokenname] [\-v] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] -+pk12util \-i p12File [\-h tokenname] [\-v] [\-d directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] - .PP - For example: - .PP - - .sp - .if n \{\ - .RS 4 - .\} - .nf --# pk12util \-i /tmp/cert\-files/users\&.p12 \-d sql:/home/my/sharednssdb -+# pk12util \-i /tmp/cert\-files/users\&.p12 \-d /home/my/sharednssdb - - Enter a password which will be used to encrypt your keys\&. - The password should be at least 8 characters long, - and should contain at least one non\-alphabetic character\&. - - Enter new password: - Re\-enter password: - Enter password for PKCS12 file: -@@ -466,41 +471,41 @@ pk12util: PKCS12 IMPORT SUCCESSFUL - .\} - .PP - \fBExporting Keys and Certificates\fR - .PP - Using the - \fBpk12util\fR - command to export certificates and keys requires both the name of the certificate to extract from the database (\fB\-n\fR) and the PKCS #12\-formatted output file to write to\&. There are optional parameters that can be used to encrypt the file to protect the certificate material\&. 
- .PP --pk12util \-o p12File \-n certname [\-c keyCipher] [\-C certCipher] [\-m|\-\-key_len keyLen] [\-n|\-\-cert_key_len certKeyLen] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] -+pk12util \-o p12File \-n certname [\-c keyCipher] [\-C certCipher] [\-m|\-\-key_len keyLen] [\-n|\-\-cert_key_len certKeyLen] [\-d directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] - .PP - For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --# pk12util \-o certs\&.p12 \-n Server\-Cert \-d sql:/home/my/sharednssdb -+# pk12util \-o certs\&.p12 \-n Server\-Cert \-d /home/my/sharednssdb - Enter password for PKCS12 file: - Re\-enter password: - .fi - .if n \{\ - .RE - .\} - .PP - \fBListing Keys and Certificates\fR - .PP - The information in a - \&.p12 - file are not human\-readable\&. The certificates and keys in the file can be printed (listed) in a human\-readable pretty\-print format that shows information for every certificate and any public keys in the - \&.p12 - file\&. - .PP --pk12util \-l p12File [\-h tokenname] [\-r] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] -+pk12util \-l p12File [\-h tokenname] [\-r] [\-d directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] - .PP - For example, this prints the default ASCII output: - .sp - .if n \{\ - .RS 4 - .\} - .nf - # pk12util \-l certs\&.p12 -@@ -732,50 +737,48 @@ pkcs11\&.txt, which is listing of all of - .RE - .PP - Because the SQLite databases are designed to be shared, these are the - \fIshared\fR - database type\&. The shared database type is preferred; the legacy format is included for backward compatibility\&. 
- .PP - By default, the tools (\fBcertutil\fR, - \fBpk12util\fR, --\fBmodutil\fR) assume that the given security databases follow the more common legacy type\&. Using the SQLite databases must be manually specified by using the --\fBsql:\fR -+\fBmodutil\fR) assume that the given security databases use the SQLite type Using the legacy databases must be manually specified by using the -+\fBdbm:\fR - prefix with the given security directory\&. For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --# pk12util \-i /tmp/cert\-files/users\&.p12 \-d sql:/home/my/sharednssdb -+# pk12util \-i /tmp/cert\-files/users\&.p12 \-d dbm:/home/my/sharednssdb - .fi - .if n \{\ - .RE - .\} - .PP --To set the shared database type as the default type for the tools, set the -+To set the legacy database type as the default type for the tools, set the - \fBNSS_DEFAULT_DB_TYPE\fR - environment variable to --\fBsql\fR: -+\fBdbm\fR: - .sp - .if n \{\ - .RS 4 - .\} - .nf --export NSS_DEFAULT_DB_TYPE="sql" -+export NSS_DEFAULT_DB_TYPE="dbm" - .fi - .if n \{\ - .RE - .\} - .PP - This line can be set added to the - ~/\&.bashrc - file to make the change permanent\&. --.PP --Most applications do not use the shared database by default, but they can be configured to use them\&. 
For example, this how\-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases: - .sp - .RS 4 - .ie n \{\ - \h'-04'\(bu\h'+03'\c - .\} - .el \{\ - .sp -1 - .IP \(bu 2.3 -diff --git a/doc/nroff/pp.1 b/doc/nroff/pp.1 ---- a/doc/nroff/pp.1 -+++ b/doc/nroff/pp.1 -@@ -1,18 +1,18 @@ - '\" t - .\" Title: PP - .\" Author: [see the "Authors" section] --.\" Generator: DocBook XSL Stylesheets v1.78.1 --.\" Date: 29 July 2014 -+.\" Generator: DocBook XSL Stylesheets vsnapshot -+.\" Date: 19 May 2021 - .\" Manual: NSS Security Tools - .\" Source: nss-tools - .\" Language: English - .\" --.TH "PP" "1" "29 July 2014" "nss-tools" "NSS Security Tools" -+.TH "PP" "1" "19 May 2021" "nss-tools" "NSS Security Tools" - .\" ----------------------------------------------------------------- - .\" * Define some portability stuff - .\" ----------------------------------------------------------------- - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .\" http://bugs.debian.org/507673 - .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .ie \n(.g .ds Aq \(aq -@@ -33,22 +33,22 @@ pp \- Prints certificates, keys, crls, a - .HP \w'\fBpp\ \-t\ type\ [\-a]\ [\-i\ input]\ [\-o\ output]\ [\-u]\ [\-w]\fR\ 'u - \fBpp \-t type [\-a] [\-i input] [\-o output] [\-u] [\-w]\fR - .SH "STATUS" - .PP - This documentation is still work in progress\&. 
Please contribute to the initial review in - \m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2 - .SH "DESCRIPTION" - .PP --\fBpp \fRpretty\-prints private and public key, certificate, certificate\-request, pkcs7 or crl files -+\fBpp \fRpretty\-prints private and public key, certificate, certificate\-request, pkcs7, pkcs12 or crl files - .SH "OPTIONS" - .PP - \fB\-t \fR \fItype\fR - .RS 4 --specify the input, one of {private\-key | public\-key | certificate | certificate\-request | pkcs7 | crl} -+specify the input, one of {private\-key | public\-key | certificate | certificate\-request | pkcs7 | pkcs12 | crl | name} - .sp - .RE - .PP - \fB\-a \fR - .RS 4 - Input is in ascii encoded form (RFC1113) - .RE - .PP -diff --git a/doc/nroff/signtool.1 b/doc/nroff/signtool.1 ---- a/doc/nroff/signtool.1 -+++ b/doc/nroff/signtool.1 -@@ -1,18 +1,18 @@ - '\" t - .\" Title: signtool - .\" Author: [see the "Authors" section] --.\" Generator: DocBook XSL Stylesheets v1.78.1 --.\" Date: 5 June 2014 -+.\" Generator: DocBook XSL Stylesheets vsnapshot -+.\" Date: 19 May 2021 - .\" Manual: NSS Security Tools - .\" Source: nss-tools - .\" Language: English - .\" --.TH "SIGNTOOL" "1" "5 June 2014" "nss-tools" "NSS Security Tools" -+.TH "SIGNTOOL" "1" "19 May 2021" "nss-tools" "NSS Security Tools" - .\" ----------------------------------------------------------------- - .\" * Define some portability stuff - .\" ----------------------------------------------------------------- - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .\" http://bugs.debian.org/507673 - .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .ie \n(.g .ds Aq \(aq -diff --git a/doc/nroff/signver.1 b/doc/nroff/signver.1 ---- a/doc/nroff/signver.1 -+++ b/doc/nroff/signver.1 -@@ -1,18 +1,18 @@ - '\" t - .\" Title: SIGNVER - .\" Author: [see the "Authors" section] --.\" Generator: DocBook XSL Stylesheets 
v1.78.1 --.\" Date: 5 June 2014 -+.\" Generator: DocBook XSL Stylesheets vsnapshot -+.\" Date: 19 May 2021 - .\" Manual: NSS Security Tools - .\" Source: nss-tools - .\" Language: English - .\" --.TH "SIGNVER" "1" "5 June 2014" "nss-tools" "NSS Security Tools" -+.TH "SIGNVER" "1" "19 May 2021" "nss-tools" "NSS Security Tools" - .\" ----------------------------------------------------------------- - .\" * Define some portability stuff - .\" ----------------------------------------------------------------- - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .\" http://bugs.debian.org/507673 - .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .ie \n(.g .ds Aq \(aq -@@ -47,28 +47,28 @@ The Signature Verification Tool, - Displays all of the information in the PKCS#7 signature\&. - .RE - .PP - \-V - .RS 4 - Verifies the digital signature\&. - .RE - .PP --\-d [sql:]\fIdirectory\fR -+\-d \fIdirectory\fR - .RS 4 - Specify the database directory which contains the certificates and keys\&. - .sp - \fBsignver\fR - supports two types of databases: the legacy security databases (cert8\&.db, - key3\&.db, and - secmod\&.db) and new SQLite databases (cert9\&.db, - key4\&.db, and - pkcs11\&.txt)\&. If the prefix --\fBsql:\fR --is not used, then the tool assumes that the given databases are in the old format\&. -+\fBdbm:\fR -+is not used, then the tool assumes that the given databases are in the SQLite format\&. - .RE - .PP - \-a - .RS 4 - Sets that the given signature file is in ASCII format\&. - .RE - .PP - \-i \fIinput_file\fR -@@ -96,17 +96,17 @@ Enables verbose output\&. - The - \fB\-V\fR - option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file)\&. 
- .sp - .if n \{\ - .RS 4 - .\} - .nf --signver \-V \-s \fIsignature_file\fR \-i \fIsigned_file\fR \-d sql:/home/my/sharednssdb -+signver \-V \-s \fIsignature_file\fR \-i \fIsigned_file\fR \-d /home/my/sharednssdb - - signatureValid=yes - .fi - .if n \{\ - .RE - .\} - .SS "Printing Signature Data" - .PP -@@ -202,50 +202,48 @@ pkcs11\&.txt, which is listing of all of - .RE - .PP - Because the SQLite databases are designed to be shared, these are the - \fIshared\fR - database type\&. The shared database type is preferred; the legacy format is included for backward compatibility\&. - .PP - By default, the tools (\fBcertutil\fR, - \fBpk12util\fR, --\fBmodutil\fR) assume that the given security databases follow the more common legacy type\&. Using the SQLite databases must be manually specified by using the --\fBsql:\fR -+\fBmodutil\fR) assume that the given security databases use the SQLite type Using the legacy databases must be manually specified by using the -+\fBdbm:\fR - prefix with the given security directory\&. For example: - .sp - .if n \{\ - .RS 4 - .\} - .nf --# signver \-A \-s \fIsignature\fR \-d sql:/home/my/sharednssdb -+# signver \-A \-s \fIsignature\fR \-d dbm:/home/my/sharednssdb - .fi - .if n \{\ - .RE - .\} - .PP --To set the shared database type as the default type for the tools, set the -+To set the legacy database type as the default type for the tools, set the - \fBNSS_DEFAULT_DB_TYPE\fR - environment variable to --\fBsql\fR: -+\fBdbm\fR: - .sp - .if n \{\ - .RS 4 - .\} - .nf --export NSS_DEFAULT_DB_TYPE="sql" -+export NSS_DEFAULT_DB_TYPE="dbm" - .fi - .if n \{\ - .RE - .\} - .PP - This line can be added to the - ~/\&.bashrc - file to make the change permanent for the user\&. --.PP --Most applications do not use the shared database by default, but they can be configured to use them\&. 
For example, this how\-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases: - .sp - .RS 4 - .ie n \{\ - \h'-04'\(bu\h'+03'\c - .\} - .el \{\ - .sp -1 - .IP \(bu 2.3 -diff --git a/doc/nroff/ssltap.1 b/doc/nroff/ssltap.1 ---- a/doc/nroff/ssltap.1 -+++ b/doc/nroff/ssltap.1 -@@ -1,18 +1,18 @@ - '\" t - .\" Title: SSLTAP - .\" Author: [see the "Authors" section] --.\" Generator: DocBook XSL Stylesheets v1.78.1 --.\" Date: 5 June 2014 -+.\" Generator: DocBook XSL Stylesheets vsnapshot -+.\" Date: 19 May 2021 - .\" Manual: NSS Security Tools - .\" Source: nss-tools - .\" Language: English - .\" --.TH "SSLTAP" "1" "5 June 2014" "nss-tools" "NSS Security Tools" -+.TH "SSLTAP" "1" "19 May 2021" "nss-tools" "NSS Security Tools" - .\" ----------------------------------------------------------------- - .\" * Define some portability stuff - .\" ----------------------------------------------------------------- - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .\" http://bugs.debian.org/507673 - .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .ie \n(.g .ds Aq \(aq -diff --git a/doc/nroff/vfychain.1 b/doc/nroff/vfychain.1 ---- a/doc/nroff/vfychain.1 -+++ b/doc/nroff/vfychain.1 -@@ -1,18 +1,18 @@ - '\" t - .\" Title: VFYCHAIN - .\" Author: [see the "Authors" section] --.\" Generator: DocBook XSL Stylesheets v1.78.1 --.\" Date: 5 June 2014 -+.\" Generator: DocBook XSL Stylesheets vsnapshot -+.\" Date: 19 May 2021 - .\" Manual: NSS Security Tools - .\" Source: nss-tools - .\" Language: English - .\" --.TH "VFYCHAIN" "1" "5 June 2014" "nss-tools" "NSS Security Tools" -+.TH "VFYCHAIN" "1" "19 May 2021" "nss-tools" "NSS Security Tools" - .\" ----------------------------------------------------------------- - .\" * Define some portability stuff - .\" ----------------------------------------------------------------- - .\" 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .\" http://bugs.debian.org/507673 - .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .ie \n(.g .ds Aq \(aq -diff --git a/doc/nroff/vfyserv.1 b/doc/nroff/vfyserv.1 ---- a/doc/nroff/vfyserv.1 -+++ b/doc/nroff/vfyserv.1 -@@ -1,18 +1,18 @@ - '\" t - .\" Title: VFYSERV - .\" Author: [see the "Authors" section] --.\" Generator: DocBook XSL Stylesheets v1.78.1 --.\" Date: 5 June 2014 -+.\" Generator: DocBook XSL Stylesheets vsnapshot -+.\" Date: 19 May 2021 - .\" Manual: NSS Security Tools - .\" Source: nss-tools - .\" Language: English - .\" --.TH "VFYSERV" "1" "5 June 2014" "nss-tools" "NSS Security Tools" -+.TH "VFYSERV" "1" "19 May 2021" "nss-tools" "NSS Security Tools" - .\" ----------------------------------------------------------------- - .\" * Define some portability stuff - .\" ----------------------------------------------------------------- - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .\" http://bugs.debian.org/507673 - .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html - .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - .ie \n(.g .ds Aq \(aq -diff --git a/doc/pk12util.xml b/doc/pk12util.xml ---- a/doc/pk12util.xml -+++ b/doc/pk12util.xml -@@ -25,17 +25,17 @@ - - - - - pk12util - -i p12File|-l p12File|-o p12File - -c keyCipher - -C certCipher -- -d [sql:]directory -+ -d directory - -h tokenname - -m | --key-len keyLength - -M hashAlg - -n certname - -P dbprefix - -r - -v - --cert-key-len certKeyLength -@@ -83,19 +83,19 @@ - - - - -C certCipher - Specify the certiticate encryption algorithm. - - - -- -d [sql:]directory -+ -d directory - Specify the database directory into which to import to or export from certificates and keys. 
-- pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format. -+ pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in the SQLite format. - - - - -h tokenname - Specify the name of the token to import into or export from. - - - -@@ -244,44 +244,44 @@ - - - - Examples - Importing Keys and Certificates - The most basic usage of pk12util for importing a certificate or key is the PKCS #12 input file () and some way to specify the security database being accessed (either for a directory or for a token). - - -- pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] -+ pk12util -i p12File [-h tokenname] [-v] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] - - For example: - -- # pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb -+ # pk12util -i /tmp/cert-files/users.p12 -d /home/my/sharednssdb - - Enter a password which will be used to encrypt your keys. - The password should be at least 8 characters long, - and should contain at least one non-alphabetic character. - - Enter new password: - Re-enter password: - Enter password for PKCS12 file: - pk12util: PKCS12 IMPORT SUCCESSFUL - - Exporting Keys and Certificates - Using the pk12util command to export certificates and keys requires both the name of the certificate to extract from the database () and the PKCS #12-formatted output file to write to. 
There are optional parameters that can be used to encrypt the file to protect the certificate material. - -- pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] -+ pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] - For example: -- # pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb -+ # pk12util -o certs.p12 -n Server-Cert -d /home/my/sharednssdb - Enter password for PKCS12 file: - Re-enter password: - - Listing Keys and Certificates - The information in a .p12 file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the .p12 file. - -- pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] -+ pk12util -l p12File [-h tokenname] [-r] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] - For example, this prints the default ASCII output: - # pk12util -l certs.p12 - - Enter password for PKCS12 file: - Key(shrouded): - Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID - - Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC -@@ -389,27 +389,26 @@ BerkleyDB. These new databases provide m - - pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory - - - - - Because the SQLite databases are designed to be shared, these are the shared database type. 
The shared database type is preferred; the legacy format is included for backward compatibility. - --By default, the tools (certutil, pk12util, modutil) assume that the given security databases follow the more common legacy type. --Using the SQLite databases must be manually specified by using the sql: prefix with the given security directory. For example: -+By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type -+Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example: - --# pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb -+# pk12util -i /tmp/cert-files/users.p12 -d dbm:/home/my/sharednssdb - --To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql: --export NSS_DEFAULT_DB_TYPE="sql" -+To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm: -+export NSS_DEFAULT_DB_TYPE="dbm" - - This line can be set added to the ~/.bashrc file to make the change permanent. - --Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases: - - - - https://wiki.mozilla.org/NSS_Shared_DB_Howto - - - For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki: - -diff --git a/doc/signver.xml b/doc/signver.xml ---- a/doc/signver.xml -+++ b/doc/signver.xml -@@ -59,19 +59,19 @@ - -A - Displays all of the information in the PKCS#7 signature. - - - -V - Verifies the digital signature. - - -- -d [sql:]directory -+ -d directory - Specify the database directory which contains the certificates and keys. 
-- signver supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format. -+ signver supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in the SQLite format. - - - -a - Sets that the given signature file is in ASCII format. - - - -i input_file - Gives the input file for the object with signed data. -@@ -90,17 +90,17 @@ - - - - - - Extended Examples - Verifying a Signature - The option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file). --signver -V -s signature_file -i signed_file -d sql:/home/my/sharednssdb -+signver -V -s signature_file -i signed_file -d /home/my/sharednssdb - - signatureValid=yes - - - Printing Signature Data - - The option prints all of the information contained in a signature file. Using the option prints the signature file information to the given output file rather than stdout. - -@@ -150,27 +150,26 @@ BerkleyDB. These new databases provide m - - pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory - - - - - Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility. - --By default, the tools (certutil, pk12util, modutil) assume that the given security databases follow the more common legacy type. --Using the SQLite databases must be manually specified by using the sql: prefix with the given security directory. 
For example: -+By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type -+Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example: - --# signver -A -s signature -d sql:/home/my/sharednssdb -+# signver -A -s signature -d dbm:/home/my/sharednssdb - --To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql: --export NSS_DEFAULT_DB_TYPE="sql" -+To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm: -+export NSS_DEFAULT_DB_TYPE="dbm" - - This line can be added to the ~/.bashrc file to make the change permanent for the user. - --Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases: - - - - https://wiki.mozilla.org/NSS_Shared_DB_Howto - - - For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki: - diff --git a/nss-3.71-camellia-pkcs12-doc.patch b/nss-3.71-camellia-pkcs12-doc.patch new file mode 100644 index 0000000..f14b5a9 --- /dev/null +++ b/nss-3.71-camellia-pkcs12-doc.patch 
@@ -0,0 +1,20 @@
+diff -up ./doc/pk12util.xml.camellia ./doc/pk12util.xml
+--- ./doc/pk12util.xml.camellia 2022-01-26 09:46:39.794919455 -0800
++++ ./doc/pk12util.xml 2022-01-26 09:54:58.277019760 -0800
+@@ -317,7 +317,7 @@ Certificate Friendly Name: Thawte Fre
+
+
+ Password Encryption
+- PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the option.
++ PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using AES-256-CBC for private key encryption and AES-128-CBC for certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the option.
+ The private key is always protected with strong encryption by default.
+ Several types of ciphers are supported.
+
+@@ -327,6 +327,7 @@ Certificate Friendly Name: Thawte Fre
+
+
+ PBES2 with AES-CBC-Pad as underlying encryption scheme ("AES-128-CBC", "AES-192-CBC", and "AES-256-CBC")
++ PBES2 with CAMELLIA-CBC-Pad as underlying encryption scheme ("CAMELLIA-128-CBC", "CAMELLIA-192-CBC", and "CAMELLIA-256-CBC")
+
+
+
diff --git a/nss-3.79-dbtool.patch b/nss-3.79-dbtool.patch
new file mode 100644
index 0000000..b61942b
--- /dev/null
+++ b/nss-3.79-dbtool.patch
@@ -0,0 +1,3411 @@ +diff --git a/cmd/dbtool/Makefile b/cmd/dbtool/Makefile +new file mode 100644 +--- /dev/null ++++ b/cmd/dbtool/Makefile +@@ -0,0 +1,46 @@ ++#! gmake ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ ++####################################################################### ++# (1) Include initial platform-independent assignments (MANDATORY). # ++####################################################################### ++ ++include manifest.mn ++ ++####################################################################### ++# (2) Include "global" configuration information. (OPTIONAL) # ++####################################################################### ++ ++include $(CORE_DEPTH)/coreconf/config.mk ++ ++####################################################################### ++# (3) Include "component" configuration information. (OPTIONAL) # ++####################################################################### ++ ++####################################################################### ++# (4) Include "local" platform-dependent assignments (OPTIONAL). # ++####################################################################### ++ ++include ../platlibs.mk ++ ++####################################################################### ++# (5) Execute "global" rules. (OPTIONAL) # ++####################################################################### ++ ++include $(CORE_DEPTH)/coreconf/rules.mk ++ ++####################################################################### ++# (6) Execute "component" rules. (OPTIONAL) # ++####################################################################### ++ ++#include ../platlibs.mk ++ ++####################################################################### ++# (7) Execute "local" rules. (OPTIONAL). 
# ++####################################################################### ++ ++include ../platrules.mk ++ +diff --git a/cmd/dbtool/dbtool.c b/cmd/dbtool/dbtool.c +new file mode 100644 +--- /dev/null ++++ b/cmd/dbtool/dbtool.c +@@ -0,0 +1,806 @@ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ ++/* ++** dbtool.c ++** ++** tool to dump the underlying encoding of a database. This tool duplicates ++** some private functions in softoken. It uses libsec and libutil, but no ++** other portions of NSS. It currently only works on sqlite databases. For ++** an even more primitive dump, use sqlite3 on the individual files. ++** ++** TODO: dump the meta data for the databases. ++** optionally dump more PKCS5 information (KDF/salt/iterations) ++** take a password and decode encrypted attributes/verify signed ++** attributes. ++*/ ++#include ++#include ++ ++#if defined(WIN32) ++#include "fcntl.h" ++#include "io.h" ++#endif ++ ++#include "secutil.h" ++#include "pk11pub.h" ++ ++#if defined(XP_UNIX) ++#include ++#endif ++ ++#include "nspr.h" ++#include "prtypes.h" ++#include "certdb.h" ++#include "nss.h" ++#include "../modutil/modutil.h" ++#include "pk11table.h" ++#include "sftkdbt.h" ++#include "sdb.h" ++#include "secoid.h" ++ ++#include "plgetopt.h" ++ ++static char *progName; ++ ++char *dbDir = NULL; ++ ++static void ++Usage() ++{ ++ printf("Usage: %s [-c certprefix] [-k keyprefix] " ++ "[-V certversion] [-v keyversion]\n" ++ " [-d dbdir]\n", ++ progName); ++ printf("%-20s Directory with cert database (default is .)\n", ++ "-d certdir"); ++ printf("%-20s prefix for the cert database (default is \"\")\n", ++ "-c certprefix"); ++ printf("%-20s prefix for the key database (default is \"\")\n", ++ "-k keyprefix"); ++ printf("%-20s version of the cert database (default is 9)\n", ++ "-V certversion"); ++ printf("%-20s 
version of the key database (default is 4)\n", ++ "-v keyversion"); ++ exit(1); ++} ++#define SFTK_KEYDB_TYPE 0x40000000 ++#define SFTK_TOKEN_TYPE 0x80000000 ++ ++/* ++ * known attributes ++ */ ++static const CK_ATTRIBUTE_TYPE known_attributes[] = { ++ CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL, CKA_APPLICATION, ++ CKA_VALUE, CKA_OBJECT_ID, CKA_CERTIFICATE_TYPE, CKA_ISSUER, ++ CKA_SERIAL_NUMBER, CKA_AC_ISSUER, CKA_OWNER, CKA_ATTR_TYPES, CKA_TRUSTED, ++ CKA_CERTIFICATE_CATEGORY, CKA_JAVA_MIDP_SECURITY_DOMAIN, CKA_URL, ++ CKA_HASH_OF_SUBJECT_PUBLIC_KEY, CKA_HASH_OF_ISSUER_PUBLIC_KEY, ++ CKA_CHECK_VALUE, CKA_KEY_TYPE, CKA_SUBJECT, CKA_ID, CKA_SENSITIVE, ++ CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP, CKA_SIGN, CKA_SIGN_RECOVER, ++ CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_DERIVE, CKA_START_DATE, CKA_END_DATE, ++ CKA_MODULUS, CKA_MODULUS_BITS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT, ++ CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT, ++ CKA_PRIME, CKA_SUBPRIME, CKA_BASE, CKA_PRIME_BITS, ++ CKA_SUB_PRIME_BITS, CKA_VALUE_BITS, CKA_VALUE_LEN, CKA_EXTRACTABLE, ++ CKA_LOCAL, CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE, ++ CKA_KEY_GEN_MECHANISM, CKA_MODIFIABLE, CKA_EC_PARAMS, ++ CKA_EC_POINT, CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS, ++ CKA_ALWAYS_AUTHENTICATE, CKA_WRAP_WITH_TRUSTED, CKA_WRAP_TEMPLATE, ++ CKA_UNWRAP_TEMPLATE, CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, ++ CKA_HAS_RESET, CKA_PIXEL_X, CKA_PIXEL_Y, CKA_RESOLUTION, CKA_CHAR_ROWS, ++ CKA_CHAR_COLUMNS, CKA_COLOR, CKA_BITS_PER_PIXEL, CKA_CHAR_SETS, ++ CKA_ENCODING_METHODS, CKA_MIME_TYPES, CKA_MECHANISM_TYPE, ++ CKA_REQUIRED_CMS_ATTRIBUTES, CKA_DEFAULT_CMS_ATTRIBUTES, ++ CKA_SUPPORTED_CMS_ATTRIBUTES, CKA_NSS_URL, CKA_NSS_EMAIL, ++ CKA_NSS_SMIME_INFO, CKA_NSS_SMIME_TIMESTAMP, ++ CKA_NSS_PKCS8_SALT, CKA_NSS_PASSWORD_CHECK, CKA_NSS_EXPIRES, ++ CKA_NSS_KRL, CKA_NSS_PQG_COUNTER, CKA_NSS_PQG_SEED, ++ CKA_NSS_PQG_H, CKA_NSS_PQG_SEED_BITS, CKA_NSS_MODULE_SPEC, ++ CKA_TRUST_DIGITAL_SIGNATURE, 
CKA_TRUST_NON_REPUDIATION, ++ CKA_TRUST_KEY_ENCIPHERMENT, CKA_TRUST_DATA_ENCIPHERMENT, ++ CKA_TRUST_KEY_AGREEMENT, CKA_TRUST_KEY_CERT_SIGN, CKA_TRUST_CRL_SIGN, ++ CKA_TRUST_SERVER_AUTH, CKA_TRUST_CLIENT_AUTH, CKA_TRUST_CODE_SIGNING, ++ CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_IPSEC_END_SYSTEM, ++ CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER, CKA_TRUST_TIME_STAMPING, ++ CKA_TRUST_STEP_UP_APPROVED, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, ++ CKA_NSS_DB, CKA_NSS_TRUST, CKA_NSS_OVERRIDE_EXTENSIONS, ++ CKA_PUBLIC_KEY_INFO ++}; ++ ++static unsigned int known_attributes_size = sizeof(known_attributes) / ++ sizeof(known_attributes[0]); ++ ++PRBool ++isULONGAttribute(CK_ATTRIBUTE_TYPE type) ++{ ++ switch (type) { ++ case CKA_CERTIFICATE_CATEGORY: ++ case CKA_CERTIFICATE_TYPE: ++ case CKA_CLASS: ++ case CKA_JAVA_MIDP_SECURITY_DOMAIN: ++ case CKA_KEY_GEN_MECHANISM: ++ case CKA_KEY_TYPE: ++ case CKA_MECHANISM_TYPE: ++ case CKA_MODULUS_BITS: ++ case CKA_PRIME_BITS: ++ case CKA_SUBPRIME_BITS: ++ case CKA_VALUE_BITS: ++ case CKA_VALUE_LEN: ++ ++ case CKA_TRUST_DIGITAL_SIGNATURE: ++ case CKA_TRUST_NON_REPUDIATION: ++ case CKA_TRUST_KEY_ENCIPHERMENT: ++ case CKA_TRUST_DATA_ENCIPHERMENT: ++ case CKA_TRUST_KEY_AGREEMENT: ++ case CKA_TRUST_KEY_CERT_SIGN: ++ case CKA_TRUST_CRL_SIGN: ++ ++ case CKA_TRUST_SERVER_AUTH: ++ case CKA_TRUST_CLIENT_AUTH: ++ case CKA_TRUST_CODE_SIGNING: ++ case CKA_TRUST_EMAIL_PROTECTION: ++ case CKA_TRUST_IPSEC_END_SYSTEM: ++ case CKA_TRUST_IPSEC_TUNNEL: ++ case CKA_TRUST_IPSEC_USER: ++ case CKA_TRUST_TIME_STAMPING: ++ case CKA_TRUST_STEP_UP_APPROVED: ++ return PR_TRUE; ++ default: ++ break; ++ } ++ return PR_FALSE; ++} ++ ++/* are the attributes private? 
*/ ++static PRBool ++isPrivateAttribute(CK_ATTRIBUTE_TYPE type) ++{ ++ switch (type) { ++ case CKA_VALUE: ++ case CKA_PRIVATE_EXPONENT: ++ case CKA_PRIME_1: ++ case CKA_PRIME_2: ++ case CKA_EXPONENT_1: ++ case CKA_EXPONENT_2: ++ case CKA_COEFFICIENT: ++ return PR_TRUE; ++ default: ++ break; ++ } ++ return PR_FALSE; ++} ++ ++/* These attributes must be authenticated with an hmac. */ ++static PRBool ++isAuthenticatedAttribute(CK_ATTRIBUTE_TYPE type) ++{ ++ switch (type) { ++ case CKA_MODULUS: ++ case CKA_PUBLIC_EXPONENT: ++ case CKA_CERT_SHA1_HASH: ++ case CKA_CERT_MD5_HASH: ++ case CKA_TRUST_SERVER_AUTH: ++ case CKA_TRUST_CLIENT_AUTH: ++ case CKA_TRUST_EMAIL_PROTECTION: ++ case CKA_TRUST_CODE_SIGNING: ++ case CKA_TRUST_STEP_UP_APPROVED: ++ case CKA_NSS_OVERRIDE_EXTENSIONS: ++ return PR_TRUE; ++ default: ++ break; ++ } ++ return PR_FALSE; ++} ++ ++/* ++ * convert a database ulong back to a native ULONG. (reverse of the above ++ * function. ++ */ ++static CK_ULONG ++sdbULong2ULong(unsigned char *data) ++{ ++ int i; ++ CK_ULONG value = 0; ++ ++ for (i = 0; i < SDB_ULONG_SIZE; i++) { ++ value |= (((CK_ULONG)data[i]) << (SDB_ULONG_SIZE - 1 - i) ++ * PR_BITS_PER_BYTE); ++ } ++ return value; ++} ++ ++/* PBE defines and functions */ ++ ++typedef struct EncryptedDataInfoStr { ++ SECAlgorithmID algorithm; ++ SECItem encryptedData; ++} EncryptedDataInfo; ++ ++static const SEC_ASN1Template encryptedDataInfoTemplate[] = { ++ { SEC_ASN1_SEQUENCE, ++ 0, NULL, sizeof(EncryptedDataInfo) }, ++ { SEC_ASN1_INLINE | SEC_ASN1_XTRN, ++ offsetof(EncryptedDataInfo, algorithm), ++ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, ++ { SEC_ASN1_OCTET_STRING, ++ offsetof(EncryptedDataInfo, encryptedData) }, ++ { 0 } ++}; ++ ++typedef struct PBEParameterStr { ++ SECAlgorithmID prfAlg; ++ SECItem salt; ++ SECItem iteration; ++ SECItem keyLength; ++} PBEParameter; ++ ++static const SEC_ASN1Template pkcs5V1PBEParameterTemplate[] = ++ { ++ { SEC_ASN1_SEQUENCE, ++ 0, NULL, sizeof(PBEParameter) }, ++ { 
SEC_ASN1_OCTET_STRING, ++ offsetof(PBEParameter, salt) }, ++ { SEC_ASN1_INTEGER, ++ offsetof(PBEParameter, iteration) }, ++ { 0 } ++ }; ++ ++static const SEC_ASN1Template pkcs12V2PBEParameterTemplate[] = ++ { ++ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PBEParameter) }, ++ { SEC_ASN1_OCTET_STRING, offsetof(PBEParameter, salt) }, ++ { SEC_ASN1_INTEGER, offsetof(PBEParameter, iteration) }, ++ { 0 } ++ }; ++ ++ ++static const SEC_ASN1Template pkcs5V2PBEParameterTemplate[] = ++ { ++ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PBEParameter) }, ++ /* this is really a choice, but since we don't understand any other ++ * choice, just inline it. */ ++ { SEC_ASN1_OCTET_STRING, offsetof(PBEParameter, salt) }, ++ { SEC_ASN1_INTEGER, offsetof(PBEParameter, iteration) }, ++ { SEC_ASN1_INTEGER, offsetof(PBEParameter, keyLength) }, ++ { SEC_ASN1_INLINE | SEC_ASN1_XTRN, ++ offsetof(PBEParameter, prfAlg), ++ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, ++ { 0 } ++ }; ++ ++typedef struct Pkcs5v2PBEParameterStr { ++ SECAlgorithmID keyParams; /* parameters of the key generation */ ++ SECAlgorithmID algParams; /* parameters for the encryption or mac op */ ++} Pkcs5v2PBEParameter; ++ ++static const SEC_ASN1Template pkcs5v2PBES2ParameterTemplate[] = { ++ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(Pkcs5v2PBEParameter) }, ++ { SEC_ASN1_INLINE | SEC_ASN1_XTRN, ++ offsetof(Pkcs5v2PBEParameter, keyParams), ++ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, ++ { SEC_ASN1_INLINE | SEC_ASN1_XTRN, ++ offsetof(Pkcs5v2PBEParameter, algParams), ++ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, ++ { 0 } ++}; ++ ++static inline PRBool ++isPKCS12PBE(SECOidTag alg) { ++ switch (alg) { ++ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: ++ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: ++ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: ++ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: ++ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: ++ case 
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: ++ return PR_TRUE; ++ default: ++ break; ++ } ++ return PR_FALSE; ++} ++ ++ ++/* helper functions */ ++ ++/* output an NSS specific attribute or name that wasn't found in our ++ * pkcs #11 table */ ++const char * ++makeNSSVendorName(CK_ATTRIBUTE_TYPE attribute, const char *nameType) ++{ ++ static char nss_name[256]; ++ const char *name = NULL; ++ if ((attribute >= CKA_NSS) && (attribute <= 0xffffffff)) { ++ sprintf(nss_name,"%s+%d", nameType, (int)(attribute-CKA_NSS)); ++ name = nss_name; ++ } ++ return name; ++} ++ ++/* turn and attribute into a name */ ++const char * ++AttributeName(CK_ATTRIBUTE_TYPE attribute) ++{ ++ const char *name = getNameFromAttribute(attribute); ++ if (!name) { ++ name = makeNSSVendorName(attribute, "CKA_NSS"); ++ } ++ ++ return name ? name : "UNKNOWN_ATTRIBUTE_TYPE"; ++} ++ ++/* turn and error code into a name */ ++const char * ++ErrorName(CK_RV crv) ++{ ++ const char *error = getName(crv, ConstResult); ++ if (!error) { ++ error = makeNSSVendorName(crv, "CKR_NSS"); ++ } ++ return error ? error : "UNKNOWN_ERROR"; ++} ++ ++/* turn an oud tag into a string */ ++const char * ++oid2string(SECOidTag alg) ++{ ++ const char *oidstring = SECOID_FindOIDTagDescription(alg); ++ const char *def="Invalid oid tag"; /* future build a dotted oid string value here */ ++ return oidstring ? oidstring : def; ++} ++ ++/* dump an arbitary data blob. Dump it has hex with ascii on the side */ ++#define ASCCHAR(val) ((val) >= ' ' && (val) <= 0x7e ? 
(val) : '.') ++#define LINE_LENGTH 16 ++void ++dumpValue(const unsigned char *v, int len) ++{ ++ int i, next = 0; ++ char string[LINE_LENGTH+1]; ++ char space[LINE_LENGTH*2+1]; ++ char *nl = ""; ++ char *sp = ""; ++ PORT_Memset(string, 0, sizeof(string)); ++ ++ for (i=0; i < len; i++) { ++ if ((i % LINE_LENGTH) == 0) { ++ printf("%s%s%s ", sp, string, nl); ++ PORT_Memset(string, 0, sizeof(string)); ++ next = 0; ++ nl = "\n"; ++ sp = " "; ++ } ++ printf("%02x", v[i]); ++ string[next++] = ASCCHAR(v[i]); ++ } ++ PORT_Memset(space, 0, sizeof(space)); ++ i = LINE_LENGTH - (len % LINE_LENGTH); ++ if (i != LINE_LENGTH) { ++ int j; ++ for (j=0 ; j < i; j++) { ++ space[j*2] = ' '; ++ space[j*2+1] = ' '; ++ } ++ } ++ printf("%s%s%s%s", space, sp, string, nl); ++} ++ ++/* dump a PKCS5/12 PBE blob */ ++void ++dumpPKCS(unsigned char *val, CK_ULONG len, PRBool *hasSig) ++{ ++ EncryptedDataInfo edi; ++ SECStatus rv; ++ SECItem data; ++ PLArenaPool *arena; ++ SECOidTag alg, prfAlg; ++ PBEParameter pbeParam; ++ unsigned char zero = 0; ++ const SEC_ASN1Template *template = pkcs5V1PBEParameterTemplate; ++ int iter, keyLen, i; ++ ++ if (hasSig) { *hasSig = PR_FALSE; } ++ ++ ++ data.data = val; ++ data.len = len; ++ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); ++ if (arena == NULL) { ++ printf("Couldn't allocate arena\n"); ++ return; ++ } ++ ++ /* initialize default values */ ++ PORT_Memset(&pbeParam, 0, sizeof(pbeParam)); ++ pbeParam.keyLength.data = &zero; ++ pbeParam.keyLength.len = sizeof(zero); ++ SECOID_SetAlgorithmID(arena, &pbeParam.prfAlg, SEC_OID_SHA1, NULL); ++ ++ /* first crack the encrypted data from the PBE algorithm ID */ ++ rv = SEC_QuickDERDecodeItem(arena, &edi, encryptedDataInfoTemplate, &data); ++ if (rv != SECSuccess) { ++ printf("Encrypted Data, failed to decode\n"); ++ dumpValue(val,len); ++ PORT_FreeArena(arena, PR_FALSE); ++ return; ++ } ++ /* now use the pbe secalg to dump info on the pbe */ ++ alg = SECOID_GetAlgorithmTag(&edi.algorithm); ++ if ((alg == 
SEC_OID_PKCS5_PBES2) || (alg == SEC_OID_PKCS5_PBMAC1)){ ++ Pkcs5v2PBEParameter param; ++ SECOidTag palg; ++ const char *typeName = (alg == SEC_OID_PKCS5_PBES2) ? ++ "Encrypted Data PBES2" : ++ "Mac Data PBMAC1"; ++ ++ rv = SEC_QuickDERDecodeItem(arena, ¶m, ++ pkcs5v2PBES2ParameterTemplate, ++ &edi.algorithm.parameters); ++ if (rv != SECSuccess) { ++ printf("%s, failed to decode\n", typeName); ++ dumpValue(val,len); ++ PORT_FreeArena(arena, PR_FALSE); ++ return; ++ } ++ palg = SECOID_GetAlgorithmTag(¶m.algParams); ++ printf("%s alg=%s ", typeName, oid2string(palg)); ++ if (hasSig && palg == SEC_OID_AES_256_CBC) { ++ *hasSig = PR_TRUE; ++ } ++ template = pkcs5V2PBEParameterTemplate; ++ edi.algorithm.parameters = param.keyParams.parameters; ++ } else { ++ printf("Encrypted Data alg=%s ", oid2string(alg)); ++ if (alg == SEC_OID_PKCS5_PBKDF2) { ++ template = pkcs5V2PBEParameterTemplate; ++ } else if (isPKCS12PBE(alg)) { ++ template = pkcs12V2PBEParameterTemplate; ++ } else { ++ template = pkcs5V1PBEParameterTemplate; ++ } ++ } ++ rv = SEC_QuickDERDecodeItem(arena, &pbeParam, ++ template, ++ &edi.algorithm.parameters); ++ if (rv != SECSuccess) { ++ printf("( failed to decode params)\n"); ++ PORT_FreeArena(arena, PR_FALSE); ++ return; ++ } ++ /* dump the pbe parmeters */ ++ iter = DER_GetInteger(&pbeParam.iteration); ++ keyLen = DER_GetInteger(&pbeParam.keyLength); ++ prfAlg = SECOID_GetAlgorithmTag(&pbeParam.prfAlg); ++ printf("(prf=%s iter=%d keyLen=%d salt=0x", ++ oid2string(prfAlg), iter, keyLen); ++ for(i=0;i < pbeParam.salt.len; i++) printf("%02x",pbeParam.salt.data[i]); ++ printf(")\n"); ++ /* finally dump the raw encrypted data */ ++ dumpValue(edi.encryptedData.data, edi.encryptedData.len); ++ PORT_FreeArena(arena, PR_FALSE); ++} ++ ++/* dump a long attribute, convert to an unsigned long. 
PKCS #11 Longs are ++ * limited to 32 bits by the spec, even if the CK_ULONG is longer */ ++void ++dumpLongAttribute(CK_ATTRIBUTE_TYPE type, CK_ULONG value) ++{ ++ const char *nameType = "CK_NSS"; ++ ConstType constType = ConstNone; ++ const char *valueName = NULL; ++ ++ switch (type) { ++ case CKA_CLASS: ++ nameType = "CKO_NSS"; ++ constType = ConstObject; ++ break; ++ case CKA_CERTIFICATE_TYPE: ++ nameType = "CKC_NSS"; ++ constType = ConstCertType; ++ break; ++ case CKA_KEY_TYPE: ++ nameType = "CKK_NSS"; ++ constType = ConstKeyType; ++ break; ++ case CKA_MECHANISM_TYPE: ++ nameType = "CKM_NSS"; ++ constType = ConstMechanism; ++ break; ++ case CKA_TRUST_SERVER_AUTH: ++ case CKA_TRUST_CLIENT_AUTH: ++ case CKA_TRUST_CODE_SIGNING: ++ case CKA_TRUST_EMAIL_PROTECTION: ++ case CKA_TRUST_IPSEC_END_SYSTEM: ++ case CKA_TRUST_IPSEC_TUNNEL: ++ case CKA_TRUST_IPSEC_USER: ++ case CKA_TRUST_TIME_STAMPING: ++ nameType = "CKT_NSS"; ++ constType = ConstTrust; ++ break; ++ default: ++ break; ++ } ++ /* if value has a symbolic name, use it */ ++ if (constType != ConstNone) { ++ valueName = getName(value, constType); ++ } ++ if (!valueName) { ++ valueName = makeNSSVendorName(value, nameType); ++ } ++ if (!valueName) { ++ printf("%d (0x%08x)\n", (int) value, (int)value); ++ } else { ++ printf("%s (0x%08x)\n", valueName, (int)value); ++ } ++} ++ ++/* dump a signature for an object */ ++static const char META_SIG_TEMPLATE[] = "sig_%s_%08x_%08x"; ++void ++dumpSignature(CK_ATTRIBUTE_TYPE attribute, SDB *keydb, PRBool isKey, ++ CK_OBJECT_HANDLE objectID, PRBool force) ++{ ++ char id[30]; ++ CK_RV crv; ++ SECItem signText; ++ unsigned char signData[SDB_MAX_META_DATA_LEN]; ++ ++ if (!force && !isAuthenticatedAttribute(attribute)) { ++ return; ++ } ++ sprintf(id, META_SIG_TEMPLATE, ++ isKey ? 
"key" : "cert", ++ (unsigned int)objectID, (unsigned int)attribute); ++ printf(" Signature %s:",id); ++ signText.data = signData; ++ signText.len = sizeof(signData); ++ ++ ++ crv = (*keydb->sdb_GetMetaData)(keydb, id, &signText, NULL); ++ if ((crv != CKR_OK) && isKey) { ++ sprintf(id, META_SIG_TEMPLATE, ++ isKey ? "key" : "cert", (unsigned int) ++ (objectID | SFTK_KEYDB_TYPE | SFTK_TOKEN_TYPE), ++ (unsigned int)attribute); ++ crv = (*keydb->sdb_GetMetaData)(keydb, id, &signText, NULL); ++ } ++ if (crv != CKR_OK) { ++ printf(" FAILED %s with %s (0x%08x)\n", id, ErrorName(crv), (int) crv); ++ return; ++ } ++ dumpPKCS(signText.data, signText.len, NULL); ++ return; ++} ++ ++/* dump an attribute. use the helper functions above */ ++void ++dumpAttribute(CK_ATTRIBUTE *template, SDB *keydb, PRBool isKey, ++ CK_OBJECT_HANDLE id) ++{ ++ CK_ATTRIBUTE_TYPE attribute = template->type; ++ printf(" %s(0x%08x): ", AttributeName(attribute), (int)attribute); ++ if (template->pValue == NULL) { ++ printf("NULL (%d)\n", (int)template->ulValueLen); ++ return; ++ } ++ if (template->ulValueLen == SDB_ULONG_SIZE ++ && isULONGAttribute(attribute)) { ++ CK_ULONG value=sdbULong2ULong(template->pValue); ++ dumpLongAttribute(attribute, value); ++ return; ++ } ++ if (template->ulValueLen == 1) { ++ unsigned char val = *(unsigned char *)template->pValue; ++ switch (val) { ++ case 0: ++ printf("CK_FALSE\n"); ++ break; ++ case 1: ++ printf("CK_TRUE\n"); ++ break; ++ default: ++ printf("%d 0x%02x %c\n", val, val, ASCCHAR(val)); ++ break; ++ } ++ return; ++ } ++ if (isKey && isPrivateAttribute(attribute)) { ++ PRBool hasSig = PR_FALSE; ++ dumpPKCS(template->pValue, template->ulValueLen, &hasSig); ++ if (hasSig) { ++ dumpSignature(attribute, keydb, isKey, id, PR_TRUE); ++ } ++ return; ++ } ++ if (template->ulValueLen == 0) { printf("empty"); } ++ printf("\n"); ++ dumpValue(template->pValue, template->ulValueLen); ++} ++ ++/* dump all the attributes in an object */ ++void ++dumpObject(CK_OBJECT_HANDLE 
id, SDB *db, SDB *keydb, PRBool isKey) ++{ ++ CK_RV crv; ++ int i; ++ CK_ATTRIBUTE template; ++ char buffer[2048]; ++ char * alloc = NULL; ++ ++ printf(" Object 0x%08x:\n", (int)id); ++ for (i = 0; i < known_attributes_size; i++) { ++ CK_ATTRIBUTE_TYPE attribute = known_attributes[i]; ++ template.type = attribute; ++ template.pValue = NULL; ++ template.ulValueLen = 0; ++ crv = (*db->sdb_GetAttributeValue)(db, id, &template, 1); ++ ++ if (crv != CKR_OK) { ++ if (crv != CKR_ATTRIBUTE_TYPE_INVALID) { ++ PR_fprintf(PR_STDERR, " " ++ "Get Attribute %s (0x%08x):FAILED\"%s\"(0x%08x)\n", ++ AttributeName(attribute), (int)attribute, ++ ErrorName(crv), (int)crv); ++ } ++ continue; ++ } ++ ++ if (template.ulValueLen < sizeof(buffer)) { ++ template.pValue = buffer; ++ } else { ++ alloc = PORT_Alloc(template.ulValueLen); ++ template.pValue = alloc; ++ } ++ if (template.pValue == NULL) { ++ PR_fprintf(PR_STDERR, " " ++ "Could allocate %d bytes for Attribute %s (0x%08x)\n", ++ (int) template.ulValueLen, ++ AttributeName(attribute), (int)attribute); ++ continue; ++ } ++ crv = (*db->sdb_GetAttributeValue)(db, id, &template, 1); ++ ++ if (crv != CKR_OK) { ++ if (crv != CKR_ATTRIBUTE_TYPE_INVALID) { ++ PR_fprintf(PR_STDERR, " " ++ "Get Attribute %s (0x%08x):FAILED\"%s\"(0x%08x)\n", ++ AttributeName(attribute), (int)attribute, ++ ErrorName(crv), (int)crv); ++ } ++ if (alloc) { ++ PORT_Free(alloc); ++ alloc = NULL; ++ } ++ continue; ++ } ++ ++ dumpAttribute(&template, keydb, isKey, id); ++ dumpSignature(template.type, keydb, isKey, id, PR_FALSE); ++ if (alloc) { ++ PORT_Free(alloc); ++ alloc = NULL; ++ } ++ } ++} ++ ++/* dump all the objects in a database */ ++void ++dumpDB(SDB *db, const char *name, SDB *keydb, PRBool isKey) ++{ ++ SDBFind *findHandle= NULL; ++ CK_BBOOL isTrue = 1; ++ CK_ATTRIBUTE allObjectTemplate = {CKA_TOKEN, NULL, 1 }; ++ CK_ULONG allObjectTemplateCount = 1; ++ PRBool recordFound = PR_FALSE; ++ CK_RV crv = CKR_OK; ++ CK_ULONG objectCount = 0; ++ 
printf("%s:\n",name); ++ ++ allObjectTemplate.pValue = &isTrue; ++ crv = (*db->sdb_FindObjectsInit)(db, &allObjectTemplate, ++ allObjectTemplateCount, &findHandle); ++ do { ++ CK_OBJECT_HANDLE id; ++ recordFound = PR_FALSE; ++ crv =(*db->sdb_FindObjects)(db, findHandle, &id, 1, &objectCount); ++ if ((crv == CKR_OK) && (objectCount == 1)) { ++ recordFound = PR_TRUE; ++ dumpObject(id, db, keydb, isKey); ++ } ++ } while (recordFound); ++ if (crv != CKR_OK) { ++ PR_fprintf(PR_STDERR, ++ "Last record return PKCS #11 error = %s (0x%08x)\n", ++ ErrorName(crv), (int)crv); ++ } ++ (*db->sdb_FindObjectsFinal)(db,findHandle); ++} ++ ++int ++main(int argc, char **argv) ++{ ++ PLOptState *optstate; ++ PLOptStatus optstatus; ++ char *certPrefix="", *keyPrefix=""; ++ int cert_version = 9; ++ int key_version = 4; ++ SDB *certdb = NULL; ++ SDB *keydb = NULL; ++ PRBool isNew = PR_FALSE; ++ ++ CK_RV crv; ++ ++ progName = strrchr(argv[0], '/'); ++ if (!progName) ++ progName = strrchr(argv[0], '\\'); ++ progName = progName ? 
progName + 1 : argv[0]; ++ ++ optstate = PL_CreateOptState(argc, argv, "d:c:k:v:V:h"); ++ ++ while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) { ++ switch (optstate->option) { ++ case 'h': ++ default: ++ Usage(); ++ break; ++ ++ case 'd': ++ dbDir = PORT_Strdup(optstate->value); ++ break; ++ ++ case 'c': ++ certPrefix = PORT_Strdup(optstate->value); ++ break; ++ ++ case 'k': ++ keyPrefix = PORT_Strdup(optstate->value); ++ break; ++ ++ case 'v': ++ key_version = atoi(optstate->value); ++ break; ++ ++ case 'V': ++ cert_version = atoi(optstate->value); ++ break; ++ ++ } ++ } ++ PL_DestroyOptState(optstate); ++ if (optstatus == PL_OPT_BAD) ++ Usage(); ++ ++ if (dbDir) { ++ char *tmp = dbDir; ++ dbDir = SECU_ConfigDirectory(tmp); ++ PORT_Free(tmp); ++ } else { ++ /* Look in $SSL_DIR */ ++ dbDir = SECU_ConfigDirectory(SECU_DefaultSSLDir()); ++ } ++ PR_fprintf(PR_STDERR, "dbdir selected is %s\n\n", dbDir); ++ ++ if (dbDir[0] == '\0') { ++ PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dbDir); ++ return 1; ++ } ++ ++ PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); ++ SECOID_Init(); ++ ++ crv = s_open(dbDir, certPrefix, keyPrefix, cert_version, key_version, ++ SDB_RDONLY, &certdb, &keydb, &isNew); ++ if (crv != CKR_OK) { ++ PR_fprintf(PR_STDERR, ++ "Couldn't open databased in %s, error=%s (0x%08x)\n", ++ dbDir, ErrorName(crv), (int)crv); ++ return 1; ++ } ++ ++ /* now dump the objects in the cert database */ ++ dumpDB(certdb, "CertDB", keydb, PR_FALSE); ++ dumpDB(keydb, "KeyDB", keydb, PR_TRUE); ++ return 0; ++} +diff --git a/cmd/dbtool/dbtool.gyp b/cmd/dbtool/dbtool.gyp +new file mode 100644 +--- /dev/null ++++ b/cmd/dbtool/dbtool.gyp +@@ -0,0 +1,25 @@ ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
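Review bot: In dumpDB (cmd/dbtool/dbtool.c) the result of `sdb_FindObjectsInit` is stored in `crv` and then overwritten by the first `sdb_FindObjects` call without ever being checked. If the init call fails, `findHandle` is still the NULL it was initialised to and is passed to both `sdb_FindObjects` and `sdb_FindObjectsFinal`; whether those tolerate a NULL handle is not visible here, so a damaged or unexpected database could crash the tool instead of producing an error. I would add, right after the init call, `if (crv != CKR_OK) { PR_fprintf(PR_STDERR, "FindObjectsInit failed: %s (0x%08x)\n", ErrorName(crv), (int)crv); return; }`. Separately, `makeNSSVendorName` returns a single static buffer, so the `PR_fprintf` calls in dumpObject that pass both `AttributeName(...)` and `ErrorName(...)` can print the same string twice when both fall back to a vendor name; a caller-supplied buffer would avoid that.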
++{ ++ 'includes': [ ++ '../../coreconf/config.gypi', ++ '../../cmd/platlibs.gypi' ++ ], ++ 'targets': [ ++ { ++ 'target_name': 'dbtest', ++ 'type': 'executable', ++ 'sources': [ ++ 'dbtest.c' ++ ], ++ 'dependencies': [ ++ '<(DEPTH)/exports.gyp:dbm_exports', ++ '<(DEPTH)/exports.gyp:nss_exports' ++ ] ++ } ++ ], ++ 'variables': { ++ 'module': 'nss' ++ } ++} +\ No newline at end of file +diff --git a/cmd/dbtool/manifest.mn b/cmd/dbtool/manifest.mn +new file mode 100644 +--- /dev/null ++++ b/cmd/dbtool/manifest.mn +@@ -0,0 +1,18 @@ ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ ++CORE_DEPTH = ../.. ++ ++# MODULE public and private header directories are implicitly REQUIRED. ++MODULE = nss ++ ++USE_STATIC_LIBS = 1 ++ ++# DIRS = ++ ++CSRCS = dbtool.c sdb.c ++ ++PROGRAM = dbtool ++ +diff --git a/cmd/dbtool/sdb.c b/cmd/dbtool/sdb.c +new file mode 100644 +--- /dev/null ++++ b/cmd/dbtool/sdb.c +@@ -0,0 +1,2469 @@ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++/* ++ * This file implements PKCS 11 on top of our existing security modules ++ * ++ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard. ++ * This implementation has two slots: ++ * slot 1 is our generic crypto support. It does not require login. ++ * It supports Public Key ops, and all they bulk ciphers and hashes. ++ * It can also support Private Key ops for imported Private keys. It does ++ * not have any token storage. ++ * slot 2 is our private key support. It requires a login before use. It ++ * can store Private Keys and Certs as token objects. Currently only private ++ * keys and their associated Certificates are saved on the token. 
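Review bot: The target in cmd/dbtool/dbtool.gyp is named `dbtest` and lists `dbtest.c` as its only source, which looks copied from another tool's gyp file; the manifest.mn added alongside it builds `PROGRAM = dbtool` from `dbtool.c sdb.c`. As written, a gyp build would look for a dbtest.c in this directory, which the visible part of the patch does not add, and the target name would presumably collide with the existing dbtest tool. I would change these to `'target_name': 'dbtool'` and `'sources': ['dbtool.c', 'sdb.c']`. The dependency list may also need whatever sqlite target sdb.c links against, which should be confirmed against the neighbouring cmd gyp files.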
++ * ++ * In this implementation, session objects are only visible to the session ++ * that created or generated them. ++ */ ++ ++#include "sdb.h" ++#include "pkcs11t.h" ++#include "seccomon.h" ++#include ++#include "prthread.h" ++#include "prio.h" ++#include ++#include "secport.h" ++#include "prmon.h" ++#include "prenv.h" ++#include "prprf.h" ++#include "prsystem.h" /* for PR_GetDirectorySeparator() */ ++#include ++#if defined(_WIN32) ++#include ++#include ++#elif defined(XP_UNIX) ++#include ++#endif ++#if defined(LINUX) && !defined(ANDROID) ++#include ++#include ++#endif ++#include "utilpars.h" ++ ++#ifdef SQLITE_UNSAFE_THREADS ++#include "prlock.h" ++/* ++ * SQLite can be compiled to be thread safe or not. ++ * turn on SQLITE_UNSAFE_THREADS if the OS does not support ++ * a thread safe version of sqlite. ++ */ ++static PRLock *sqlite_lock = NULL; ++ ++#define LOCK_SQLITE() PR_Lock(sqlite_lock); ++#define UNLOCK_SQLITE() PR_Unlock(sqlite_lock); ++#else ++#define LOCK_SQLITE() ++#define UNLOCK_SQLITE() ++#endif ++ ++typedef enum { ++ SDB_CERT = 1, ++ SDB_KEY = 2 ++} sdbDataType; ++ ++/* ++ * defines controlling how long we wait to acquire locks. ++ * ++ * SDB_SQLITE_BUSY_TIMEOUT specifies how long (in milliseconds) ++ * sqlite will wait on lock. If that timeout expires, sqlite will ++ * return SQLITE_BUSY. ++ * SDB_BUSY_RETRY_TIME specifies how many seconds the sdb_ code waits ++ * after receiving a busy before retrying. ++ * SDB_MAX_BUSY_RETRIES specifies how many times the sdb_ will retry on ++ * a busy condition. ++ * ++ * SDB_SQLITE_BUSY_TIMEOUT affects all opertions, both manual ++ * (prepare/step/reset/finalize) and automatic (sqlite3_exec()). ++ * SDB_BUSY_RETRY_TIME and SDB_MAX_BUSY_RETRIES only affect manual operations ++ * ++ * total wait time for automatic operations: ++ * 1 second (SDB_SQLITE_BUSY_TIMEOUT/1000). ++ * total wait time for manual operations: ++ * (1 second + SDB_BUSY_RETRY_TIME) * 30 = 30 seconds. 
++ * (SDB_SQLITE_BUSY_TIMEOUT/1000 + SDB_BUSY_RETRY_TIME)*SDB_MAX_BUSY_RETRIES ++ */ ++#define SDB_SQLITE_BUSY_TIMEOUT 1000 /* milliseconds */ ++#define SDB_BUSY_RETRY_TIME 5 /* 'ticks', varies by platforms */ ++#define SDB_MAX_BUSY_RETRIES 30 ++ ++/* ++ * known attributes ++ */ ++static const CK_ATTRIBUTE_TYPE known_attributes[] = { ++ CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL, CKA_APPLICATION, ++ CKA_VALUE, CKA_OBJECT_ID, CKA_CERTIFICATE_TYPE, CKA_ISSUER, ++ CKA_SERIAL_NUMBER, CKA_AC_ISSUER, CKA_OWNER, CKA_ATTR_TYPES, CKA_TRUSTED, ++ CKA_CERTIFICATE_CATEGORY, CKA_JAVA_MIDP_SECURITY_DOMAIN, CKA_URL, ++ CKA_HASH_OF_SUBJECT_PUBLIC_KEY, CKA_HASH_OF_ISSUER_PUBLIC_KEY, ++ CKA_CHECK_VALUE, CKA_KEY_TYPE, CKA_SUBJECT, CKA_ID, CKA_SENSITIVE, ++ CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP, CKA_SIGN, CKA_SIGN_RECOVER, ++ CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_DERIVE, CKA_START_DATE, CKA_END_DATE, ++ CKA_MODULUS, CKA_MODULUS_BITS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT, ++ CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT, ++ CKA_PUBLIC_KEY_INFO, CKA_PRIME, CKA_SUBPRIME, CKA_BASE, CKA_PRIME_BITS, ++ CKA_SUB_PRIME_BITS, CKA_VALUE_BITS, CKA_VALUE_LEN, CKA_EXTRACTABLE, ++ CKA_LOCAL, CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE, ++ CKA_KEY_GEN_MECHANISM, CKA_MODIFIABLE, CKA_EC_PARAMS, ++ CKA_EC_POINT, CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS, ++ CKA_ALWAYS_AUTHENTICATE, CKA_WRAP_WITH_TRUSTED, CKA_HW_FEATURE_TYPE, ++ CKA_RESET_ON_INIT, CKA_HAS_RESET, CKA_PIXEL_X, CKA_PIXEL_Y, ++ CKA_RESOLUTION, CKA_CHAR_ROWS, CKA_CHAR_COLUMNS, CKA_COLOR, ++ CKA_BITS_PER_PIXEL, CKA_CHAR_SETS, CKA_ENCODING_METHODS, CKA_MIME_TYPES, ++ CKA_MECHANISM_TYPE, CKA_REQUIRED_CMS_ATTRIBUTES, ++ CKA_DEFAULT_CMS_ATTRIBUTES, CKA_SUPPORTED_CMS_ATTRIBUTES, ++ CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, CKA_NSS_TRUST, CKA_NSS_URL, ++ CKA_NSS_EMAIL, CKA_NSS_SMIME_INFO, CKA_NSS_SMIME_TIMESTAMP, ++ CKA_NSS_PKCS8_SALT, CKA_NSS_PASSWORD_CHECK, CKA_NSS_EXPIRES, ++ CKA_NSS_KRL, CKA_NSS_PQG_COUNTER, 
CKA_NSS_PQG_SEED, ++ CKA_NSS_PQG_H, CKA_NSS_PQG_SEED_BITS, CKA_NSS_MODULE_SPEC, ++ CKA_NSS_OVERRIDE_EXTENSIONS, CKA_NSS_SERVER_DISTRUST_AFTER, ++ CKA_NSS_EMAIL_DISTRUST_AFTER, CKA_TRUST_DIGITAL_SIGNATURE, ++ CKA_TRUST_NON_REPUDIATION, CKA_TRUST_KEY_ENCIPHERMENT, ++ CKA_TRUST_DATA_ENCIPHERMENT, CKA_TRUST_KEY_AGREEMENT, ++ CKA_TRUST_KEY_CERT_SIGN, CKA_TRUST_CRL_SIGN, CKA_TRUST_SERVER_AUTH, ++ CKA_TRUST_CLIENT_AUTH, CKA_TRUST_CODE_SIGNING, CKA_TRUST_EMAIL_PROTECTION, ++ CKA_TRUST_IPSEC_END_SYSTEM, CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER, ++ CKA_TRUST_TIME_STAMPING, CKA_TRUST_STEP_UP_APPROVED, CKA_CERT_SHA1_HASH, ++ CKA_CERT_MD5_HASH, CKA_NSS_DB ++}; ++ ++static const int known_attributes_size = PR_ARRAY_SIZE(known_attributes); ++ ++/* ++ * Note on use of sqlReadDB: Only one thread at a time may have an actual ++ * operation going on given sqlite3 * database. An operation is defined as ++ * the time from a sqlite3_prepare() until the sqlite3_finalize(). ++ * Multiple sqlite3 * databases can be open and have simultaneous operations ++ * going. We use the sqlXactDB for all write operations. This database ++ * is only opened when we first create a transaction and closed when the ++ * transaction is complete. sqlReadDB is open when we first opened the database ++ * and is used for all read operation. It's use is protected by a monitor. This ++ * is because an operation can span the use of FindObjectsInit() through the ++ * call to FindObjectsFinal(). In the intermediate time it is possible to call ++ * other operations like NSC_GetAttributeValue */ ++ ++struct SDBPrivateStr { ++ char *sqlDBName; /* invariant, path to this database */ ++ sqlite3 *sqlXactDB; /* access protected by dbMon, use protected ++ * by the transaction. 
Current transaction db*/
++ PRThread *sqlXactThread; /* protected by dbMon,
++ * current transaction thread */
++ sqlite3 *sqlReadDB; /* use protected by dbMon, value invariant */
++ PRIntervalTime lastUpdateTime; /* last time the cache was updated */
++ PRIntervalTime updateInterval; /* how long the cache can go before it
++ * must be updated again */
++ sdbDataType type; /* invariant, database type */
++ char *table; /* invariant, SQL table which contains the db */
++ char *cacheTable; /* invariant, SQL table cache of db */
++ PRMonitor *dbMon; /* invariant, monitor to protect
++ * sqlXact* fields, and use of the sqlReadDB */
++ CK_ATTRIBUTE_TYPE *schemaAttrs; /* Attribute columns that exist in the table. */
++ unsigned int numSchemaAttrs;
++};
++
++typedef struct SDBPrivateStr SDBPrivate;
++
++/* Magic for an explicit NULL. NOTE: ideally this should be
++ * out of band data. Since it's not completely out of band, pick
++ * a value that has no meaning to any existing PKCS #11 attributes.
++ * This value is 1) not a valid string (imbedded '\0'). 2) not a U_LONG
++ * or a normal key (too short). 3) not a bool (too long). 4) not an RSA
++ * public exponent (too many bits).
++ */
++const unsigned char SQLITE_EXPLICIT_NULL[] = { 0xa5, 0x0, 0x5a };
++#define SQLITE_EXPLICIT_NULL_LEN 3
++
++/*
++ * determine when we've completed our tasks
++ */
++static int
++sdb_done(int err, int *count)
++{
++ /* allow as many rows as the database wants to give */
++ if (err == SQLITE_ROW) {
++ *count = 0;
++ return 0;
++ }
++ if (err != SQLITE_BUSY) {
++ return 1;
++ }
++ /* err == SQLITE_BUSY, Dont' retry forever in this case */
++ if (++(*count) >= SDB_MAX_BUSY_RETRIES) {
++ return 1;
++ }
++ return 0;
++}
++
++#if defined(_WIN32)
++/*
++ * NSPR functions and narrow CRT functions do not handle UTF-8 file paths that
++ * sqlite3 expects.
++ */
++
++static int
++sdb_chmod(const char *filename, int pmode)
++{
++ int result;
++
++ if (!filename) {
++ return -1;
++ }
++
++ wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
++ if (!filenameWide) {
++ return -1;
++ }
++ result = _wchmod(filenameWide, pmode);
++ PORT_Free(filenameWide);
++
++ return result;
++}
++#else
++#define sdb_chmod(filename, pmode) chmod((filename), (pmode))
++#endif
++
++/*
++ * find out where sqlite stores the temp tables. We do this by replicating
++ * the logic from sqlite.
++ */
++#if defined(_WIN32)
++static char *
++sdb_getFallbackTempDir(void)
++{
++ /* sqlite uses sqlite3_temp_directory if it is not NULL. We don't have
++ * access to sqlite3_temp_directory because it is not exported from
++ * sqlite3.dll. Assume sqlite3_win32_set_directory isn't called and
++ * sqlite3_temp_directory is NULL.
++ */
++ char path[MAX_PATH];
++ DWORD rv;
++ size_t len;
++
++ rv = GetTempPathA(MAX_PATH, path);
++ if (rv > MAX_PATH || rv == 0)
++ return NULL;
++ len = strlen(path);
++ if (len == 0)
++ return NULL;
++ /* The returned string ends with a backslash, for example, "C:\TEMP\".
*/
++ if (path[len - 1] == '\\')
++ path[len - 1] = '\0';
++ return PORT_Strdup(path);
++}
++#elif defined(XP_UNIX)
++static char *
++sdb_getFallbackTempDir(void)
++{
++ const char *azDirs[] = {
++ NULL,
++ NULL,
++ "/var/tmp",
++ "/usr/tmp",
++ "/tmp",
++ NULL /* List terminator */
++ };
++ unsigned int i;
++ struct stat buf;
++ const char *zDir = NULL;
++
++ azDirs[0] = sqlite3_temp_directory;
++ azDirs[1] = PR_GetEnvSecure("TMPDIR");
++
++ for (i = 0; i < PR_ARRAY_SIZE(azDirs); i++) {
++ zDir = azDirs[i];
++ if (zDir == NULL)
++ continue;
++ if (stat(zDir, &buf))
++ continue;
++ if (!S_ISDIR(buf.st_mode))
++ continue;
++ if (access(zDir, 07))
++ continue;
++ break;
++ }
++
++ if (zDir == NULL)
++ return NULL;
++ return PORT_Strdup(zDir);
++}
++#else
++#error "sdb_getFallbackTempDir not implemented"
++#endif
++
++#ifndef SQLITE_FCNTL_TEMPFILENAME
++/* SQLITE_FCNTL_TEMPFILENAME was added in SQLite 3.7.15 */
++#define SQLITE_FCNTL_TEMPFILENAME 16
++#endif
++
++static char *
++sdb_getTempDir(sqlite3 *sqlDB)
++{
++ int sqlrv;
++ char *result = NULL;
++ char *tempName = NULL;
++ char *foundSeparator = NULL;
++
++ /* Obtain temporary filename in sqlite's directory for temporary tables */
++ sqlrv = sqlite3_file_control(sqlDB, 0, SQLITE_FCNTL_TEMPFILENAME,
++ (void *)&tempName);
++ if (sqlrv == SQLITE_NOTFOUND) {
++ /* SQLITE_FCNTL_TEMPFILENAME not implemented because we are using
++ * an older SQLite. */
++ return sdb_getFallbackTempDir();
++ }
++ if (sqlrv != SQLITE_OK) {
++ return NULL;
++ }
++
++ /* We'll extract the temporary directory from tempName */
++ foundSeparator = PORT_Strrchr(tempName, PR_GetDirectorySeparator());
++ if (foundSeparator) {
++ /* We shorten the temp filename string to contain only
++ * the directory name (including the trailing separator).
++ * We know the byte after the foundSeparator position is
++ * safe to use, in the shortest scenario it contains the
++ * end-of-string byte.
++ * By keeping the separator at the found position, it will
++ * even work if tempDir consists of the separator, only.
++ * (In this case the toplevel directory will be used for
++ * access speed testing). */
++ ++foundSeparator;
++ *foundSeparator = 0;
++
++ /* Now we copy the directory name for our caller */
++ result = PORT_Strdup(tempName);
++ }
++
++ sqlite3_free(tempName);
++ return result;
++}
++
++/*
++ * Map SQL_LITE errors to PKCS #11 errors as best we can.
++ */
++static CK_RV
++sdb_mapSQLError(sdbDataType type, int sqlerr)
++{
++ switch (sqlerr) {
++ /* good matches */
++ case SQLITE_OK:
++ case SQLITE_DONE:
++ return CKR_OK;
++ case SQLITE_NOMEM:
++ return CKR_HOST_MEMORY;
++ case SQLITE_READONLY:
++ return CKR_TOKEN_WRITE_PROTECTED;
++ /* close matches */
++ case SQLITE_AUTH:
++ case SQLITE_PERM:
++ /*return CKR_USER_NOT_LOGGED_IN; */
++ case SQLITE_CANTOPEN:
++ case SQLITE_NOTFOUND:
++ /* NSS distiguishes between failure to open the cert and the key db */
++ return type == SDB_CERT ? CKR_NSS_CERTDB_FAILED : CKR_NSS_KEYDB_FAILED;
++ case SQLITE_IOERR:
++ return CKR_DEVICE_ERROR;
++ default:
++ break;
++ }
++ return CKR_GENERAL_ERROR;
++}
++
++/*
++ * build up database name from a directory, prefix, name, version and flags.
++ */
++static char *
++sdb_BuildFileName(const char *directory,
++ const char *prefix, const char *type,
++ int version)
++{
++ char *dbname = NULL;
++ /* build the full dbname */
++ dbname = sqlite3_mprintf("%s%c%s%s%d.db", directory,
++ (int)(unsigned char)PR_GetDirectorySeparator(),
++ prefix, type, version);
++ return dbname;
++}
++
++/*
++ * find out how expensive the access system call is for non-existant files
++ * in the given directory. Return the number of operations done in 33 ms.
++ */
++static PRUint32
++sdb_measureAccess(const char *directory)
++{
++ PRUint32 i;
++ PRIntervalTime time;
++ PRIntervalTime delta;
++ PRIntervalTime duration = PR_MillisecondsToInterval(33);
++ const char *doesntExistName = "_dOeSnotExist_.db";
++ char *temp, *tempStartOfFilename;
++ size_t maxTempLen, maxFileNameLen, directoryLength, tmpdirLength = 0;
++#ifdef SDB_MEASURE_USE_TEMP_DIR
++ /*
++ * on some OS's and Filesystems, creating a bunch of files and deleting
++ * them messes up the systems's caching, but if we create the files in
++ * a temp directory which we later delete, then the cache gets cleared
++ * up. This code uses several OS dependent calls, and it's not clear
++ * that temp directory use won't mess up other filesystems and OS caching,
++ * so if you need this for your OS, you can turn on the
++ * 'SDB_MEASURE_USE_TEMP_DIR' define in coreconf
++ */
++ const char template[] = "dbTemp.XXXXXX";
++ tmpdirLength = sizeof(template);
++#endif
++ /* no directory, just return one */
++ if (directory == NULL) {
++ return 1;
++ }
++
++ /* our calculation assumes time is a 4 bytes == 32 bit integer */
++ PORT_Assert(sizeof(time) == 4);
++
++ directoryLength = strlen(directory);
++
++ maxTempLen = directoryLength + 1 /* dirname + / */
++ + tmpdirLength /* tmpdirname includes / */
++ + strlen(doesntExistName) /* filename base */
++ + 11 /* max chars for 32 bit int plus potential sign */
++ + 1; /* zero terminator */
++
++ temp = PORT_ZAlloc(maxTempLen);
++ if (!temp) {
++ return 1;
++ }
++
++ /* We'll copy directory into temp just once, then ensure it ends
++ * with the directory separator.
*/
++
++ strcpy(temp, directory);
++ if (directory[directoryLength - 1] != PR_GetDirectorySeparator()) {
++ temp[directoryLength++] = PR_GetDirectorySeparator();
++ }
++
++#ifdef SDB_MEASURE_USE_TEMP_DIR
++ /* add the template for a temporary subdir, and create it */
++ strcat(temp, template);
++ if (!mkdtemp(temp)) {
++ PORT_Free(temp);
++ return 1;
++ }
++ /* and terminate that tmp subdir with a / */
++ strcat(temp, "/");
++#endif
++
++ /* Remember the position after the last separator, and calculate the
++ * number of remaining bytes. */
++ tempStartOfFilename = temp + directoryLength + tmpdirLength;
++ maxFileNameLen = maxTempLen - directoryLength;
++
++ /* measure number of Access operations that can be done in 33 milliseconds
++ * (1/30'th of a second), or 10000 operations, which ever comes first.
++ */
++ time = PR_IntervalNow();
++ for (i = 0; i < 10000u; i++) {
++ PRIntervalTime next;
++
++ /* We'll use the variable part first in the filename string, just in
++ * case it's longer than assumed, so if anything gets cut off, it
++ * will be cut off from the constant part.
++ * This code assumes the directory name at the beginning of
++ * temp remains unchanged during our loop. */
++ PR_snprintf(tempStartOfFilename, maxFileNameLen,
++ ".%lu%s", (PRUint32)(time + i), doesntExistName);
++ PR_Access(temp, PR_ACCESS_EXISTS);
++ next = PR_IntervalNow();
++ delta = next - time;
++ if (delta >= duration)
++ break;
++ }
++
++#ifdef SDB_MEASURE_USE_TEMP_DIR
++ /* turn temp back into our tmpdir path by removing doesntExistName, and
++ * remove the tmp dir */
++ *tempStartOfFilename = '\0';
++ (void)rmdir(temp);
++#endif
++ PORT_Free(temp);
++
++ /* always return 1 or greater */
++ return i ? i : 1u;
++}
++
++/*
++ * some file sytems are very slow to run sqlite3 on, particularly if the
++ * access count is pretty high. On these filesystems is faster to create
++ * a temporary database on the local filesystem and access that.
This
++ * code uses a temporary table to create that cache. Temp tables are
++ * automatically cleared when the database handle it was created on
++ * Is freed.
++ */
++static const char DROP_CACHE_CMD[] = "DROP TABLE %s";
++static const char CREATE_CACHE_CMD[] =
++ "CREATE TEMPORARY TABLE %s AS SELECT * FROM %s";
++static const char CREATE_ISSUER_INDEX_CMD[] =
++ "CREATE INDEX issuer ON %s (a81)";
++static const char CREATE_SUBJECT_INDEX_CMD[] =
++ "CREATE INDEX subject ON %s (a101)";
++static const char CREATE_LABEL_INDEX_CMD[] = "CREATE INDEX label ON %s (a3)";
++static const char CREATE_ID_INDEX_CMD[] = "CREATE INDEX ckaid ON %s (a102)";
++
++static CK_RV
++sdb_buildCache(sqlite3 *sqlDB, sdbDataType type,
++ const char *cacheTable, const char *table)
++{
++ char *newStr;
++ int sqlerr = SQLITE_OK;
++
++ newStr = sqlite3_mprintf(CREATE_CACHE_CMD, cacheTable, table);
++ if (newStr == NULL) {
++ return CKR_HOST_MEMORY;
++ }
++ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
++ sqlite3_free(newStr);
++ if (sqlerr != SQLITE_OK) {
++ return sdb_mapSQLError(type, sqlerr);
++ }
++ /* failure to create the indexes is not an issue */
++ newStr = sqlite3_mprintf(CREATE_ISSUER_INDEX_CMD, cacheTable);
++ if (newStr == NULL) {
++ return CKR_OK;
++ }
++ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
++ sqlite3_free(newStr);
++ newStr = sqlite3_mprintf(CREATE_SUBJECT_INDEX_CMD, cacheTable);
++ if (newStr == NULL) {
++ return CKR_OK;
++ }
++ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
++ sqlite3_free(newStr);
++ newStr = sqlite3_mprintf(CREATE_LABEL_INDEX_CMD, cacheTable);
++ if (newStr == NULL) {
++ return CKR_OK;
++ }
++ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
++ sqlite3_free(newStr);
++ newStr = sqlite3_mprintf(CREATE_ID_INDEX_CMD, cacheTable);
++ if (newStr == NULL) {
++ return CKR_OK;
++ }
++ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
++ sqlite3_free(newStr);
++ return CKR_OK;
++}
++
++/*
++ * update the cache and the data records
describing it.
++ * The cache is updated by dropping the temp database and recreating it.
++ */
++static CK_RV
++sdb_updateCache(SDBPrivate *sdb_p)
++{
++ int sqlerr = SQLITE_OK;
++ CK_RV error = CKR_OK;
++ char *newStr;
++
++ /* drop the old table */
++ newStr = sqlite3_mprintf(DROP_CACHE_CMD, sdb_p->cacheTable);
++ if (newStr == NULL) {
++ return CKR_HOST_MEMORY;
++ }
++ sqlerr = sqlite3_exec(sdb_p->sqlReadDB, newStr, NULL, 0, NULL);
++ sqlite3_free(newStr);
++ if ((sqlerr != SQLITE_OK) && (sqlerr != SQLITE_ERROR)) {
++ /* something went wrong with the drop, don't try to refresh...
++ * NOTE: SQLITE_ERROR is returned if the table doesn't exist. In
++ * that case, we just continue on and try to reload it */
++ return sdb_mapSQLError(sdb_p->type, sqlerr);
++ }
++
++ /* set up the new table */
++ error = sdb_buildCache(sdb_p->sqlReadDB, sdb_p->type,
++ sdb_p->cacheTable, sdb_p->table);
++ if (error == CKR_OK) {
++ /* we have a new cache! */
++ sdb_p->lastUpdateTime = PR_IntervalNow();
++ }
++ return error;
++}
++
++/*
++ * The sharing of sqlite3 handles across threads is tricky. Older versions
++ * couldn't at all, but newer ones can under strict conditions. Basically
++ * no 2 threads can use the same handle while another thread has an open
++ * stmt running. Once the sqlite3_stmt is finalized, another thread can then
++ * use the database handle.
++ *
++ * We use monitors to protect against trying to use a database before
++ * it's sqlite3_stmt is finalized. This is preferable to the opening and
++ * closing the database each operation because there is significant overhead
++ * in the open and close. Also continually opening and closing the database
++ * defeats the cache code as the cache table is lost on close (thus
++ * requiring us to have to reinitialize the cache every operation).
++ *
++ * An execption to the shared handle is transations. All writes happen
++ * through a transaction.
When we are in a transaction, we must use the
++ * same database pointer for that entire transation. In this case we save
++ * the transaction database and use it for all accesses on the transaction
++ * thread. Other threads use the common database.
++ *
++ * There can only be once active transaction on the database at a time.
++ *
++ * sdb_openDBLocal() provides us with a valid database handle for whatever
++ * state we are in (reading or in a transaction), and acquires any locks
++ * appropriate to that state. It also decides when it's time to refresh
++ * the cache before we start an operation. Any database handle returned
++ * just eventually be closed with sdb_closeDBLocal().
++ *
++ * The table returned either points to the database's physical table, or
++ * to the cached shadow. Tranactions always return the physical table
++ * and read operations return either the physical table or the cache
++ * depending on whether or not the cache exists.
++ */
++static CK_RV
++sdb_openDBLocal(SDBPrivate *sdb_p, sqlite3 **sqlDB, const char **table)
++{
++ *sqlDB = NULL;
++
++ PR_EnterMonitor(sdb_p->dbMon);
++
++ if (table) {
++ *table = sdb_p->table;
++ }
++
++ /* We're in a transaction, use the transaction DB */
++ if ((sdb_p->sqlXactDB) && (sdb_p->sqlXactThread == PR_GetCurrentThread())) {
++ *sqlDB = sdb_p->sqlXactDB;
++ /* only one thread can get here, safe to unlock */
++ PR_ExitMonitor(sdb_p->dbMon);
++ return CKR_OK;
++ }
++
++ /*
++ * if we are just reading from the table, we may have the table
++ * cached in a temporary table (especially if it's on a shared FS).
++ * In that case we want to see updates to the table, the the granularity
++ * is on order of human scale, not computer scale.
++ */
++ if (table && sdb_p->cacheTable) {
++ PRIntervalTime now = PR_IntervalNow();
++ if ((now - sdb_p->lastUpdateTime) > sdb_p->updateInterval) {
++ sdb_updateCache(sdb_p);
++ }
++ *table = sdb_p->cacheTable;
++ }
++
++ *sqlDB = sdb_p->sqlReadDB;
++
++ /* leave holding the lock. only one thread can actually use a given
++ * database connection at once */
++
++ return CKR_OK;
++}
++
++/* closing the local database currenly means unlocking the monitor */
++static CK_RV
++sdb_closeDBLocal(SDBPrivate *sdb_p, sqlite3 *sqlDB)
++{
++ if (sdb_p->sqlXactDB != sqlDB) {
++ /* if we weren't in a transaction, we got a lock */
++ PR_ExitMonitor(sdb_p->dbMon);
++ }
++ return CKR_OK;
++}
++
++/*
++ * wrapper to sqlite3_open which also sets the busy_timeout
++ */
++static int
++sdb_openDB(const char *name, sqlite3 **sqlDB, int flags)
++{
++ int sqlerr;
++ int openFlags;
++
++ *sqlDB = NULL;
++
++ if (flags & SDB_RDONLY) {
++ openFlags = SQLITE_OPEN_READONLY;
++ } else {
++ openFlags = SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE;
++ /* sqlite 3.34 seem to incorrectly open readwrite.
++ * when the file is readonly. Explicitly reject that issue here */
++ if ((_NSSUTIL_Access(name, PR_ACCESS_EXISTS) == PR_SUCCESS) && (_NSSUTIL_Access(name, PR_ACCESS_WRITE_OK) != PR_SUCCESS)) {
++ return SQLITE_READONLY;
++ }
++ }
++
++ /* Requires SQLite 3.5.0 or newer. */
++ sqlerr = sqlite3_open_v2(name, sqlDB, openFlags, NULL);
++ if (sqlerr != SQLITE_OK) {
++ return sqlerr;
++ }
++
++ sqlerr = sqlite3_busy_timeout(*sqlDB, SDB_SQLITE_BUSY_TIMEOUT);
++ if (sqlerr != SQLITE_OK) {
++ sqlite3_close(*sqlDB);
++ *sqlDB = NULL;
++ return sqlerr;
++ }
++ return SQLITE_OK;
++}
++
++/* Sigh, if we created a new table since we opened the database,
++ * the database handle will not see the new table, we need to close this
++ * database and reopen it. Caller must be in a transaction or holding
++ * the dbMon. sqlDB is changed on success.
*/
++static int
++sdb_reopenDBLocal(SDBPrivate *sdb_p, sqlite3 **sqlDB)
++{
++ sqlite3 *newDB;
++ int sqlerr;
++
++ /* open a new database */
++ sqlerr = sdb_openDB(sdb_p->sqlDBName, &newDB, SDB_RDONLY);
++ if (sqlerr != SQLITE_OK) {
++ return sqlerr;
++ }
++
++ /* if we are in a transaction, we may not be holding the monitor.
++ * grab it before we update the transaction database. This is
++ * safe since are using monitors. */
++ PR_EnterMonitor(sdb_p->dbMon);
++ /* update our view of the database */
++ if (sdb_p->sqlReadDB == *sqlDB) {
++ sdb_p->sqlReadDB = newDB;
++ } else if (sdb_p->sqlXactDB == *sqlDB) {
++ sdb_p->sqlXactDB = newDB;
++ }
++ PR_ExitMonitor(sdb_p->dbMon);
++
++ /* close the old one */
++ sqlite3_close(*sqlDB);
++
++ *sqlDB = newDB;
++ return SQLITE_OK;
++}
++
++struct SDBFindStr {
++ sqlite3 *sqlDB;
++ sqlite3_stmt *findstmt;
++};
++
++static const char FIND_OBJECTS_CMD[] = "SELECT ALL id FROM %s WHERE %s;";
++static const char FIND_OBJECTS_ALL_CMD[] = "SELECT ALL id FROM %s;";
++CK_RV
++sdb_FindObjectsInit(SDB *sdb, const CK_ATTRIBUTE *template, CK_ULONG count,
++ SDBFind **find)
++{
++ SDBPrivate *sdb_p = sdb->private;
++ sqlite3 *sqlDB = NULL;
++ const char *table;
++ char *newStr, *findStr = NULL;
++ sqlite3_stmt *findstmt = NULL;
++ char *join = "";
++ int sqlerr = SQLITE_OK;
++ CK_RV error = CKR_OK;
++ unsigned int i;
++
++ LOCK_SQLITE()
++ *find = NULL;
++ error = sdb_openDBLocal(sdb_p, &sqlDB, &table);
++ if (error != CKR_OK) {
++ goto loser;
++ }
++
++ findStr = sqlite3_mprintf("");
++ for (i = 0; findStr && i < count; i++) {
++ newStr = sqlite3_mprintf("%s%sa%x=$DATA%d", findStr, join,
++ template[i].type, i);
++ join = " AND ";
++ sqlite3_free(findStr);
++ findStr = newStr;
++ }
++
++ if (findStr == NULL) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++
++ if (count == 0) {
++ newStr = sqlite3_mprintf(FIND_OBJECTS_ALL_CMD, table);
++ } else {
++ newStr = sqlite3_mprintf(FIND_OBJECTS_CMD, table, findStr);
++ }
++
sqlite3_free(findStr);
++ if (newStr == NULL) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++ sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &findstmt, NULL);
++ sqlite3_free(newStr);
++ for (i = 0; sqlerr == SQLITE_OK && i < count; i++) {
++ const void *blobData = template[i].pValue;
++ unsigned int blobSize = template[i].ulValueLen;
++ if (blobSize == 0) {
++ blobSize = SQLITE_EXPLICIT_NULL_LEN;
++ blobData = SQLITE_EXPLICIT_NULL;
++ }
++ sqlerr = sqlite3_bind_blob(findstmt, i + 1, blobData, blobSize,
++ SQLITE_TRANSIENT);
++ }
++ if (sqlerr == SQLITE_OK) {
++ *find = PORT_New(SDBFind);
++ if (*find == NULL) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++ (*find)->findstmt = findstmt;
++ (*find)->sqlDB = sqlDB;
++ UNLOCK_SQLITE()
++ return CKR_OK;
++ }
++ error = sdb_mapSQLError(sdb_p->type, sqlerr);
++
++loser:
++ if (findstmt) {
++ sqlite3_reset(findstmt);
++ sqlite3_finalize(findstmt);
++ }
++ if (sqlDB) {
++ sdb_closeDBLocal(sdb_p, sqlDB);
++ }
++ UNLOCK_SQLITE()
++ return error;
++}
++
++CK_RV
++sdb_FindObjects(SDB *sdb, SDBFind *sdbFind, CK_OBJECT_HANDLE *object,
++ CK_ULONG arraySize, CK_ULONG *count)
++{
++ SDBPrivate *sdb_p = sdb->private;
++ sqlite3_stmt *stmt = sdbFind->findstmt;
++ int sqlerr = SQLITE_OK;
++ int retry = 0;
++
++ *count = 0;
++
++ if (arraySize == 0) {
++ return CKR_OK;
++ }
++ LOCK_SQLITE()
++
++ do {
++ sqlerr = sqlite3_step(stmt);
++ if (sqlerr == SQLITE_BUSY) {
++ PR_Sleep(SDB_BUSY_RETRY_TIME);
++ }
++ if (sqlerr == SQLITE_ROW) {
++ /* only care about the id */
++ *object++ = sqlite3_column_int(stmt, 0);
++ arraySize--;
++ (*count)++;
++ }
++ } while (!sdb_done(sqlerr, &retry) && (arraySize > 0));
++
++ /* we only have some of the objects, there is probably more,
++ * set the sqlerr to an OK value so we return CKR_OK */
++ if (sqlerr == SQLITE_ROW && arraySize == 0) {
++ sqlerr = SQLITE_DONE;
++ }
++ UNLOCK_SQLITE()
++
++ return sdb_mapSQLError(sdb_p->type, sqlerr);
++}
++
++CK_RV
++sdb_FindObjectsFinal(SDB *sdb, SDBFind
*sdbFind)
++{
++ SDBPrivate *sdb_p = sdb->private;
++ sqlite3_stmt *stmt = sdbFind->findstmt;
++ sqlite3 *sqlDB = sdbFind->sqlDB;
++ int sqlerr = SQLITE_OK;
++
++ LOCK_SQLITE()
++ if (stmt) {
++ sqlite3_reset(stmt);
++ sqlerr = sqlite3_finalize(stmt);
++ }
++ if (sqlDB) {
++ sdb_closeDBLocal(sdb_p, sqlDB);
++ }
++ PORT_Free(sdbFind);
++
++ UNLOCK_SQLITE()
++ return sdb_mapSQLError(sdb_p->type, sqlerr);
++}
++
++static CK_RV
++sdb_GetValidAttributeValueNoLock(SDB *sdb, CK_OBJECT_HANDLE object_id,
++ CK_ATTRIBUTE *template, CK_ULONG count)
++{
++ SDBPrivate *sdb_p = sdb->private;
++ sqlite3 *sqlDB = NULL;
++ sqlite3_stmt *stmt = NULL;
++ const char *table = NULL;
++ int sqlerr = SQLITE_OK;
++ CK_RV error = CKR_OK;
++ int found = 0;
++ int retry = 0;
++ unsigned int i;
++
++ if (count == 0) {
++ error = CKR_OBJECT_HANDLE_INVALID;
++ goto loser;
++ }
++
++ /* open a new db if necessary */
++ error = sdb_openDBLocal(sdb_p, &sqlDB, &table);
++ if (error != CKR_OK) {
++ goto loser;
++ }
++
++ char *columns = NULL;
++ for (i = 0; i < count; i++) {
++ char *newColumns;
++ if (columns) {
++ newColumns = sqlite3_mprintf("%s, a%x", columns, template[i].type);
++ sqlite3_free(columns);
++ columns = NULL;
++ } else {
++ newColumns = sqlite3_mprintf("a%x", template[i].type);
++ }
++ if (!newColumns) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++ columns = newColumns;
++ }
++
++ PORT_Assert(columns);
++
++ char *statement = sqlite3_mprintf("SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;",
++ columns, table);
++ sqlite3_free(columns);
++ columns = NULL;
++ if (!statement) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++
++ sqlerr = sqlite3_prepare_v2(sqlDB, statement, -1, &stmt, NULL);
++ sqlite3_free(statement);
++ statement = NULL;
++ if (sqlerr != SQLITE_OK) {
++ goto loser;
++ }
++
++ // NB: indices in sqlite3_bind_int are 1-indexed
++ sqlerr = sqlite3_bind_int(stmt, 1, object_id);
++ if (sqlerr != SQLITE_OK) {
++ goto loser;
++ }
++
++ do {
++ sqlerr =
sqlite3_step(stmt);
++ if (sqlerr == SQLITE_BUSY) {
++ PR_Sleep(SDB_BUSY_RETRY_TIME);
++ }
++ if (sqlerr == SQLITE_ROW) {
++ PORT_Assert(!found);
++ for (i = 0; i < count; i++) {
++ unsigned int blobSize;
++ const char *blobData;
++
++ // NB: indices in sqlite_column_{bytes,blob} are 0-indexed
++ blobSize = sqlite3_column_bytes(stmt, i);
++ blobData = sqlite3_column_blob(stmt, i);
++ if (blobData == NULL) {
++ /* PKCS 11 requires that get attributes process all the
++ * attributes in the template, marking the attributes with
++ * issues with -1. Mark the error but continue */
++ template[i].ulValueLen = -1;
++ error = CKR_ATTRIBUTE_TYPE_INVALID;
++ continue;
++ }
++ /* If the blob equals our explicit NULL value, then the
++ * attribute is a NULL. */
++ if ((blobSize == SQLITE_EXPLICIT_NULL_LEN) &&
++ (PORT_Memcmp(blobData, SQLITE_EXPLICIT_NULL,
++ SQLITE_EXPLICIT_NULL_LEN) == 0)) {
++ blobSize = 0;
++ }
++ if (template[i].pValue) {
++ if (template[i].ulValueLen < blobSize) {
++ /* like CKR_ATTRIBUTE_TYPE_INVALID, continue processing */
++ template[i].ulValueLen = -1;
++ error = CKR_BUFFER_TOO_SMALL;
++ continue;
++ }
++ PORT_Memcpy(template[i].pValue, blobData, blobSize);
++ }
++ template[i].ulValueLen = blobSize;
++ }
++ found = 1;
++ }
++ } while (!sdb_done(sqlerr, &retry));
++
++ sqlite3_reset(stmt);
++ sqlite3_finalize(stmt);
++ stmt = NULL;
++
++loser:
++ /* fix up the error if necessary */
++ if (error == CKR_OK) {
++ error = sdb_mapSQLError(sdb_p->type, sqlerr);
++ if (!found && error == CKR_OK) {
++ error = CKR_OBJECT_HANDLE_INVALID;
++ }
++ }
++
++ if (stmt) {
++ sqlite3_reset(stmt);
++ sqlite3_finalize(stmt);
++ }
++
++ /* if we had to open a new database, free it now */
++ if (sqlDB) {
++ sdb_closeDBLocal(sdb_p, sqlDB);
++ }
++ return error;
++}
++
++/* NOTE: requires sdb_p->schemaAttrs to be sorted asc.
*/
++inline static PRBool
++sdb_attributeExists(SDB *sdb, CK_ATTRIBUTE_TYPE attr)
++{
++ SDBPrivate *sdb_p = sdb->private;
++ int first = 0;
++ int last = (int)sdb_p->numSchemaAttrs - 1;
++ while (last >= first) {
++ int mid = first + (last - first) / 2;
++ if (sdb_p->schemaAttrs[mid] == attr) {
++ return PR_TRUE;
++ }
++ if (attr > sdb_p->schemaAttrs[mid]) {
++ first = mid + 1;
++ } else {
++ last = mid - 1;
++ }
++ }
++
++ return PR_FALSE;
++}
++
++CK_RV
++sdb_GetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id,
++ CK_ATTRIBUTE *template, CK_ULONG count)
++{
++ CK_RV crv = CKR_OK;
++ unsigned int tmplIdx;
++ unsigned int resIdx = 0;
++ unsigned int validCount = 0;
++ unsigned int i;
++
++ if (count == 0) {
++ return crv;
++ }
++
++ CK_ATTRIBUTE *validTemplate;
++ PRBool invalidExists = PR_FALSE;
++ for (tmplIdx = 0; tmplIdx < count; tmplIdx++) {
++ if (!sdb_attributeExists(sdb, template[tmplIdx].type)) {
++ template[tmplIdx].ulValueLen = -1;
++ crv = CKR_ATTRIBUTE_TYPE_INVALID;
++ invalidExists = PR_TRUE;
++ break;
++ }
++ }
++
++ if (!invalidExists) {
++ validTemplate = template;
++ validCount = count;
++ } else {
++ /* Create a new template containing only the valid subset of
++ * input |template|, and query with that. */
++ validCount = tmplIdx;
++ validTemplate = malloc(sizeof(CK_ATTRIBUTE) * count);
++ if (!validTemplate) {
++ return CKR_HOST_MEMORY;
++ }
++ /* Copy in what we already know is valid. */
++ for (i = 0; i < validCount; i++) {
++ validTemplate[i] = template[i];
++ }
++
++ /* tmplIdx was left at the index of the first invalid
++ * attribute, which has been handled. We only need to
++ * deal with the remainder.
*/
++ tmplIdx++;
++ for (; tmplIdx < count; tmplIdx++) {
++ if (sdb_attributeExists(sdb, template[tmplIdx].type)) {
++ validTemplate[validCount++] = template[tmplIdx];
++ } else {
++ template[tmplIdx].ulValueLen = -1;
++ }
++ }
++ }
++
++ if (validCount) {
++ LOCK_SQLITE()
++ CK_RV crv2 = sdb_GetValidAttributeValueNoLock(sdb, object_id, validTemplate, validCount);
++ UNLOCK_SQLITE()
++
++ /* If an invalid attribute was removed above, let
++ * the caller know. Any other error from the actual
++ * query should propogate. */
++ crv = (crv2 == CKR_OK) ? crv : crv2;
++ }
++
++ if (invalidExists) {
++ /* Copy out valid lengths. */
++ tmplIdx = 0;
++ for (resIdx = 0; resIdx < validCount; resIdx++) {
++ for (; tmplIdx < count; tmplIdx++) {
++ if (template[tmplIdx].type != validTemplate[resIdx].type) {
++ continue;
++ }
++ template[tmplIdx].ulValueLen = validTemplate[resIdx].ulValueLen;
++ tmplIdx++;
++ break;
++ }
++ }
++ free(validTemplate);
++ }
++
++ return crv;
++}
++
++static const char SET_ATTRIBUTE_CMD[] = "UPDATE %s SET %s WHERE id=$ID;";
++CK_RV
++sdb_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id,
++ const CK_ATTRIBUTE *template, CK_ULONG count)
++{
++ SDBPrivate *sdb_p = sdb->private;
++ sqlite3 *sqlDB = NULL;
++ sqlite3_stmt *stmt = NULL;
++ char *setStr = NULL;
++ char *newStr = NULL;
++ int sqlerr = SQLITE_OK;
++ int retry = 0;
++ CK_RV error = CKR_OK;
++ unsigned int i;
++
++ if ((sdb->sdb_flags & SDB_RDONLY) != 0) {
++ return CKR_TOKEN_WRITE_PROTECTED;
++ }
++
++ if (count == 0) {
++ return CKR_OK;
++ }
++
++ LOCK_SQLITE()
++ setStr = sqlite3_mprintf("");
++ for (i = 0; setStr && i < count; i++) {
++ if (i == 0) {
++ sqlite3_free(setStr);
++ setStr = sqlite3_mprintf("a%x=$VALUE%d",
++ template[i].type, i);
++ continue;
++ }
++ newStr = sqlite3_mprintf("%s,a%x=$VALUE%d", setStr,
++ template[i].type, i);
++ sqlite3_free(setStr);
++ setStr = newStr;
++ }
++ newStr = NULL;
++
++ if (setStr == NULL) {
++ return CKR_HOST_MEMORY;
++ }
++ newStr =
sqlite3_mprintf(SET_ATTRIBUTE_CMD, sdb_p->table, setStr);
++ sqlite3_free(setStr);
++ if (newStr == NULL) {
++ UNLOCK_SQLITE()
++ return CKR_HOST_MEMORY;
++ }
++ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
++ if (error != CKR_OK) {
++ goto loser;
++ }
++ sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL);
++ if (sqlerr != SQLITE_OK)
++ goto loser;
++ for (i = 0; i < count; i++) {
++ if (template[i].ulValueLen != 0) {
++ sqlerr = sqlite3_bind_blob(stmt, i + 1, template[i].pValue,
++ template[i].ulValueLen, SQLITE_STATIC);
++ } else {
++ sqlerr = sqlite3_bind_blob(stmt, i + 1, SQLITE_EXPLICIT_NULL,
++ SQLITE_EXPLICIT_NULL_LEN, SQLITE_STATIC);
++ }
++ if (sqlerr != SQLITE_OK)
++ goto loser;
++ }
++ sqlerr = sqlite3_bind_int(stmt, i + 1, object_id);
++ if (sqlerr != SQLITE_OK)
++ goto loser;
++
++ do {
++ sqlerr = sqlite3_step(stmt);
++ if (sqlerr == SQLITE_BUSY) {
++ PR_Sleep(SDB_BUSY_RETRY_TIME);
++ }
++ } while (!sdb_done(sqlerr, &retry));
++
++loser:
++ if (newStr) {
++ sqlite3_free(newStr);
++ }
++ if (error == CKR_OK) {
++ error = sdb_mapSQLError(sdb_p->type, sqlerr);
++ }
++
++ if (stmt) {
++ sqlite3_reset(stmt);
++ sqlite3_finalize(stmt);
++ }
++
++ if (sqlDB) {
++ sdb_closeDBLocal(sdb_p, sqlDB);
++ }
++
++ UNLOCK_SQLITE()
++ return error;
++}
++
++/*
++ * check to see if a candidate object handle already exists.
++ */
++static PRBool
++sdb_objectExists(SDB *sdb, CK_OBJECT_HANDLE candidate)
++{
++ CK_RV crv;
++ CK_ATTRIBUTE template = { CKA_LABEL, NULL, 0 };
++
++ crv = sdb_GetValidAttributeValueNoLock(sdb, candidate, &template, 1);
++ if (crv == CKR_OBJECT_HANDLE_INVALID) {
++ return PR_FALSE;
++ }
++ return PR_TRUE;
++}
++
++/*
++ * if we're here, we are in a transaction, so it's safe
++ * to examine the current state of the database
++ */
++static CK_OBJECT_HANDLE
++sdb_getObjectId(SDB *sdb)
++{
++ CK_OBJECT_HANDLE candidate;
++ static CK_OBJECT_HANDLE next_obj = CK_INVALID_HANDLE;
++ int count;
++ /*
++ * get an initial object handle to use
++ */
++ if (next_obj == CK_INVALID_HANDLE) {
++ PRTime time;
++ time = PR_Now();
++
++ next_obj = (CK_OBJECT_HANDLE)(time & 0x3fffffffL);
++ }
++ candidate = next_obj++;
++ /* detect that we've looped through all the handles... */
++ for (count = 0; count < 0x40000000; count++, candidate = next_obj++) {
++ /* mask off excess bits */
++ candidate &= 0x3fffffff;
++ /* if we hit zero, go to the next entry */
++ if (candidate == CK_INVALID_HANDLE) {
++ continue;
++ }
++ /* make sure we aren't already using */
++ if (!sdb_objectExists(sdb, candidate)) {
++ /* this one is free */
++ return candidate;
++ }
++ }
++
++ /* no handle is free, fail */
++ return CK_INVALID_HANDLE;
++}
++
++CK_RV
++sdb_GetNewObjectID(SDB *sdb, CK_OBJECT_HANDLE *object)
++{
++ CK_OBJECT_HANDLE id;
++
++ id = sdb_getObjectId(sdb);
++ if (id == CK_INVALID_HANDLE) {
++ return CKR_DEVICE_MEMORY; /* basically we ran out of resources */
++ }
++ *object = id;
++ return CKR_OK;
++}
++
++static const char CREATE_CMD[] = "INSERT INTO %s (id%s) VALUES($ID%s);";
++CK_RV
++sdb_CreateObject(SDB *sdb, CK_OBJECT_HANDLE *object_id,
++ const CK_ATTRIBUTE *template, CK_ULONG count)
++{
++ SDBPrivate *sdb_p = sdb->private;
++ sqlite3 *sqlDB = NULL;
++ sqlite3_stmt *stmt = NULL;
++ char *columnStr = NULL;
++ char *valueStr = NULL;
++ char *newStr = NULL;
++ int sqlerr = SQLITE_OK;
++
CK_RV error = CKR_OK; ++ CK_OBJECT_HANDLE this_object = CK_INVALID_HANDLE; ++ int retry = 0; ++ unsigned int i; ++ ++ if ((sdb->sdb_flags & SDB_RDONLY) != 0) { ++ return CKR_TOKEN_WRITE_PROTECTED; ++ } ++ ++ LOCK_SQLITE() ++ if ((*object_id != CK_INVALID_HANDLE) && ++ !sdb_objectExists(sdb, *object_id)) { ++ this_object = *object_id; ++ } else { ++ this_object = sdb_getObjectId(sdb); ++ } ++ if (this_object == CK_INVALID_HANDLE) { ++ UNLOCK_SQLITE(); ++ return CKR_HOST_MEMORY; ++ } ++ columnStr = sqlite3_mprintf(""); ++ valueStr = sqlite3_mprintf(""); ++ *object_id = this_object; ++ for (i = 0; columnStr && valueStr && i < count; i++) { ++ newStr = sqlite3_mprintf("%s,a%x", columnStr, template[i].type); ++ sqlite3_free(columnStr); ++ columnStr = newStr; ++ newStr = sqlite3_mprintf("%s,$VALUE%d", valueStr, i); ++ sqlite3_free(valueStr); ++ valueStr = newStr; ++ } ++ newStr = NULL; ++ if ((columnStr == NULL) || (valueStr == NULL)) { ++ if (columnStr) { ++ sqlite3_free(columnStr); ++ } ++ if (valueStr) { ++ sqlite3_free(valueStr); ++ } ++ UNLOCK_SQLITE() ++ return CKR_HOST_MEMORY; ++ } ++ newStr = sqlite3_mprintf(CREATE_CMD, sdb_p->table, columnStr, valueStr); ++ sqlite3_free(columnStr); ++ sqlite3_free(valueStr); ++ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL); ++ if (error != CKR_OK) { ++ goto loser; ++ } ++ sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL); ++ if (sqlerr != SQLITE_OK) ++ goto loser; ++ sqlerr = sqlite3_bind_int(stmt, 1, *object_id); ++ if (sqlerr != SQLITE_OK) ++ goto loser; ++ for (i = 0; i < count; i++) { ++ if (template[i].ulValueLen) { ++ sqlerr = sqlite3_bind_blob(stmt, i + 2, template[i].pValue, ++ template[i].ulValueLen, SQLITE_STATIC); ++ } else { ++ sqlerr = sqlite3_bind_blob(stmt, i + 2, SQLITE_EXPLICIT_NULL, ++ SQLITE_EXPLICIT_NULL_LEN, SQLITE_STATIC); ++ } ++ if (sqlerr != SQLITE_OK) ++ goto loser; ++ } ++ ++ do { ++ sqlerr = sqlite3_step(stmt); ++ if (sqlerr == SQLITE_BUSY) { ++ PR_Sleep(SDB_BUSY_RETRY_TIME); ++ } ++ } while 
(!sdb_done(sqlerr, &retry)); ++ ++loser: ++ if (newStr) { ++ sqlite3_free(newStr); ++ } ++ if (error == CKR_OK) { ++ error = sdb_mapSQLError(sdb_p->type, sqlerr); ++ } ++ ++ if (stmt) { ++ sqlite3_reset(stmt); ++ sqlite3_finalize(stmt); ++ } ++ ++ if (sqlDB) { ++ sdb_closeDBLocal(sdb_p, sqlDB); ++ } ++ UNLOCK_SQLITE() ++ ++ return error; ++} ++ ++/* ++ * Generic destroy that can destroy metadata or objects ++ */ ++static const char DESTROY_CMD[] = "DELETE FROM %s WHERE (id=$ID);"; ++CK_RV ++sdb_destroyAnyObject(SDB *sdb, const char *table, ++ CK_OBJECT_HANDLE object_id, const char *string_id) ++{ ++ SDBPrivate *sdb_p = sdb->private; ++ sqlite3 *sqlDB = NULL; ++ sqlite3_stmt *stmt = NULL; ++ char *newStr = NULL; ++ int sqlerr = SQLITE_OK; ++ CK_RV error = CKR_OK; ++ int retry = 0; ++ ++ if ((sdb->sdb_flags & SDB_RDONLY) != 0) { ++ return CKR_TOKEN_WRITE_PROTECTED; ++ } ++ ++ LOCK_SQLITE() ++ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL); ++ if (error != CKR_OK) { ++ goto loser; ++ } ++ newStr = sqlite3_mprintf(DESTROY_CMD, table); ++ if (newStr == NULL) { ++ error = CKR_HOST_MEMORY; ++ goto loser; ++ } ++ sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL); ++ sqlite3_free(newStr); ++ if (sqlerr != SQLITE_OK) ++ goto loser; ++ if (string_id == NULL) { ++ sqlerr = sqlite3_bind_int(stmt, 1, object_id); ++ } else { ++ sqlerr = sqlite3_bind_text(stmt, 1, string_id, ++ PORT_Strlen(string_id), SQLITE_STATIC); ++ } ++ if (sqlerr != SQLITE_OK) ++ goto loser; ++ ++ do { ++ sqlerr = sqlite3_step(stmt); ++ if (sqlerr == SQLITE_BUSY) { ++ PR_Sleep(SDB_BUSY_RETRY_TIME); ++ } ++ } while (!sdb_done(sqlerr, &retry)); ++ ++loser: ++ if (error == CKR_OK) { ++ error = sdb_mapSQLError(sdb_p->type, sqlerr); ++ } ++ ++ if (stmt) { ++ sqlite3_reset(stmt); ++ sqlite3_finalize(stmt); ++ } ++ ++ if (sqlDB) { ++ sdb_closeDBLocal(sdb_p, sqlDB); ++ } ++ ++ UNLOCK_SQLITE() ++ return error; ++} ++ ++CK_RV ++sdb_DestroyObject(SDB *sdb, CK_OBJECT_HANDLE object_id) ++{ ++ SDBPrivate *sdb_p = 
sdb->private; ++ return sdb_destroyAnyObject(sdb, sdb_p->table, object_id, NULL); ++} ++ ++CK_RV ++sdb_DestroyMetaData(SDB *sdb, const char *id) ++{ ++ return sdb_destroyAnyObject(sdb, "metaData", 0, id); ++} ++ ++static const char BEGIN_CMD[] = "BEGIN IMMEDIATE TRANSACTION;"; ++ ++/* ++ * start a transaction. ++ * ++ * We need to open a new database, then store that new database into ++ * the private data structure. We open the database first, then use locks ++ * to protect storing the data to prevent deadlocks. ++ */ ++CK_RV ++sdb_Begin(SDB *sdb) ++{ ++ SDBPrivate *sdb_p = sdb->private; ++ sqlite3 *sqlDB = NULL; ++ sqlite3_stmt *stmt = NULL; ++ int sqlerr = SQLITE_OK; ++ CK_RV error = CKR_OK; ++ int retry = 0; ++ ++ if ((sdb->sdb_flags & SDB_RDONLY) != 0) { ++ return CKR_TOKEN_WRITE_PROTECTED; ++ } ++ ++ LOCK_SQLITE() ++ ++ /* get a new version that we will use for the entire transaction */ ++ sqlerr = sdb_openDB(sdb_p->sqlDBName, &sqlDB, SDB_RDWR); ++ if (sqlerr != SQLITE_OK) { ++ goto loser; ++ } ++ ++ sqlerr = sqlite3_prepare_v2(sqlDB, BEGIN_CMD, -1, &stmt, NULL); ++ ++ do { ++ sqlerr = sqlite3_step(stmt); ++ if (sqlerr == SQLITE_BUSY) { ++ PR_Sleep(SDB_BUSY_RETRY_TIME); ++ } ++ /* don't retry BEGIN transaction*/ ++ retry = 0; ++ } while (!sdb_done(sqlerr, &retry)); ++ ++ if (stmt) { ++ sqlite3_reset(stmt); ++ sqlite3_finalize(stmt); ++ } ++ ++loser: ++ error = sdb_mapSQLError(sdb_p->type, sqlerr); ++ ++ /* we are starting a new transaction, ++ * and if we succeeded, then save this database for the rest of ++ * our transaction */ ++ if (error == CKR_OK) { ++ /* we hold a 'BEGIN TRANSACTION' and a sdb_p->lock. At this point ++ * sdb_p->sqlXactDB MUST be null */ ++ PR_EnterMonitor(sdb_p->dbMon); ++ PORT_Assert(sdb_p->sqlXactDB == NULL); ++ sdb_p->sqlXactDB = sqlDB; ++ sdb_p->sqlXactThread = PR_GetCurrentThread(); ++ PR_ExitMonitor(sdb_p->dbMon); ++ } else { ++ /* we failed to start our transaction, ++ * free any databases we opened. 
*/ ++ if (sqlDB) { ++ sqlite3_close(sqlDB); ++ } ++ } ++ ++ UNLOCK_SQLITE() ++ return error; ++} ++ ++/* ++ * Complete a transaction. Basically undo everything we did in begin. ++ * There are 2 flavors Abort and Commit. Basically the only differerence between ++ * these 2 are what the database will show. (no change in to former, change in ++ * the latter). ++ */ ++static CK_RV ++sdb_complete(SDB *sdb, const char *cmd) ++{ ++ SDBPrivate *sdb_p = sdb->private; ++ sqlite3 *sqlDB = NULL; ++ sqlite3_stmt *stmt = NULL; ++ int sqlerr = SQLITE_OK; ++ CK_RV error = CKR_OK; ++ int retry = 0; ++ ++ if ((sdb->sdb_flags & SDB_RDONLY) != 0) { ++ return CKR_TOKEN_WRITE_PROTECTED; ++ } ++ ++ /* We must have a transation database, or we shouldn't have arrived here */ ++ PR_EnterMonitor(sdb_p->dbMon); ++ PORT_Assert(sdb_p->sqlXactDB); ++ if (sdb_p->sqlXactDB == NULL) { ++ PR_ExitMonitor(sdb_p->dbMon); ++ return CKR_GENERAL_ERROR; /* shouldn't happen */ ++ } ++ PORT_Assert(sdb_p->sqlXactThread == PR_GetCurrentThread()); ++ if (sdb_p->sqlXactThread != PR_GetCurrentThread()) { ++ PR_ExitMonitor(sdb_p->dbMon); ++ return CKR_GENERAL_ERROR; /* shouldn't happen */ ++ } ++ sqlDB = sdb_p->sqlXactDB; ++ sdb_p->sqlXactDB = NULL; /* no one else can get to this DB, ++ * safe to unlock */ ++ sdb_p->sqlXactThread = NULL; ++ PR_ExitMonitor(sdb_p->dbMon); ++ ++ sqlerr = sqlite3_prepare_v2(sqlDB, cmd, -1, &stmt, NULL); ++ ++ do { ++ sqlerr = sqlite3_step(stmt); ++ if (sqlerr == SQLITE_BUSY) { ++ PR_Sleep(SDB_BUSY_RETRY_TIME); ++ } ++ } while (!sdb_done(sqlerr, &retry)); ++ ++ /* Pending BEGIN TRANSACTIONS Can move forward at this point. */ ++ ++ if (stmt) { ++ sqlite3_reset(stmt); ++ sqlite3_finalize(stmt); ++ } ++ ++ /* we we have a cached DB image, update it as well */ ++ if (sdb_p->cacheTable) { ++ PR_EnterMonitor(sdb_p->dbMon); ++ sdb_updateCache(sdb_p); ++ PR_ExitMonitor(sdb_p->dbMon); ++ } ++ ++ error = sdb_mapSQLError(sdb_p->type, sqlerr); ++ ++ /* We just finished a transaction. 
++ * Free the database, and remove it from the list */
++ sqlite3_close(sqlDB);
++
++ return error;
++}
++
++static const char COMMIT_CMD[] = "COMMIT TRANSACTION;";
++CK_RV
++sdb_Commit(SDB *sdb)
++{
++ CK_RV crv;
++ LOCK_SQLITE()
++ crv = sdb_complete(sdb, COMMIT_CMD);
++ UNLOCK_SQLITE()
++ return crv;
++}
++
++static const char ROLLBACK_CMD[] = "ROLLBACK TRANSACTION;";
++CK_RV
++sdb_Abort(SDB *sdb)
++{
++ CK_RV crv;
++ LOCK_SQLITE()
++ crv = sdb_complete(sdb, ROLLBACK_CMD);
++ UNLOCK_SQLITE()
++ return crv;
++}
++
++static int tableExists(sqlite3 *sqlDB, const char *tableName);
++
++static const char GET_PW_CMD[] = "SELECT ALL * FROM metaData WHERE id=$ID;";
++CK_RV
++sdb_GetMetaData(SDB *sdb, const char *id, SECItem *item1, SECItem *item2)
++{
++ SDBPrivate *sdb_p = sdb->private;
++ sqlite3 *sqlDB = sdb_p->sqlXactDB;
++ sqlite3_stmt *stmt = NULL;
++ int sqlerr = SQLITE_OK;
++ CK_RV error = CKR_OK;
++ int found = 0;
++ int retry = 0;
++
++ LOCK_SQLITE()
++ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
++ if (error != CKR_OK) {
++ goto loser;
++ }
++
++ /* handle 'test' versions of the sqlite db */
++ sqlerr = sqlite3_prepare_v2(sqlDB, GET_PW_CMD, -1, &stmt, NULL);
++ /* Sigh, if we created a new table since we opened the database,
++ * the database handle will not see the new table, we need to close this
++ * database and reopen it. This is safe because we are holding the lock
++ * still. */
++ if (sqlerr == SQLITE_SCHEMA) {
++ sqlerr = sdb_reopenDBLocal(sdb_p, &sqlDB);
++ if (sqlerr != SQLITE_OK) {
++ goto loser;
++ }
++ sqlerr = sqlite3_prepare_v2(sqlDB, GET_PW_CMD, -1, &stmt, NULL);
++ }
++ if (sqlerr != SQLITE_OK)
++ goto loser;
++ sqlerr = sqlite3_bind_text(stmt, 1, id, PORT_Strlen(id), SQLITE_STATIC);
++ do {
++ sqlerr = sqlite3_step(stmt);
++ if (sqlerr == SQLITE_BUSY) {
++ PR_Sleep(SDB_BUSY_RETRY_TIME);
++ }
++ if (sqlerr == SQLITE_ROW) {
++ const char *blobData;
++ unsigned int len = item1->len;
++ item1->len = sqlite3_column_bytes(stmt, 1);
++ if (item1->len > len) {
++ error = CKR_BUFFER_TOO_SMALL;
++ continue;
++ }
++ blobData = sqlite3_column_blob(stmt, 1);
++ PORT_Memcpy(item1->data, blobData, item1->len);
++ if (item2) {
++ len = item2->len;
++ item2->len = sqlite3_column_bytes(stmt, 2);
++ if (item2->len > len) {
++ error = CKR_BUFFER_TOO_SMALL;
++ continue;
++ }
++ blobData = sqlite3_column_blob(stmt, 2);
++ PORT_Memcpy(item2->data, blobData, item2->len);
++ }
++ found = 1;
++ }
++ } while (!sdb_done(sqlerr, &retry));
++
++loser:
++ /* fix up the error if necessary */
++ if (error == CKR_OK) {
++ error = sdb_mapSQLError(sdb_p->type, sqlerr);
++ if (!found && error == CKR_OK) {
++ error = CKR_OBJECT_HANDLE_INVALID;
++ }
++ }
++
++ if (stmt) {
++ sqlite3_reset(stmt);
++ sqlite3_finalize(stmt);
++ }
++
++ if (sqlDB) {
++ sdb_closeDBLocal(sdb_p, sqlDB);
++ }
++ UNLOCK_SQLITE()
++
++ return error;
++}
++
++static const char PW_CREATE_TABLE_CMD[] =
++ "CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);";
++static const char PW_CREATE_CMD[] =
++ "INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);";
++static const char MD_CREATE_CMD[] =
++ "INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);";
++
++CK_RV
++sdb_PutMetaData(SDB *sdb, const char *id, const SECItem *item1,
++ const SECItem *item2)
++{
++ SDBPrivate *sdb_p = sdb->private;
++ sqlite3 *sqlDB = sdb_p->sqlXactDB;
++ sqlite3_stmt *stmt = NULL;
++ int sqlerr = SQLITE_OK;
++ CK_RV error = CKR_OK;
++ int retry = 0;
++ const char *cmd = PW_CREATE_CMD;
++
++ if ((sdb->sdb_flags & SDB_RDONLY) != 0) {
++ return CKR_TOKEN_WRITE_PROTECTED;
++ }
++
++ LOCK_SQLITE()
++ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
++ if (error != CKR_OK) {
++ goto loser;
++ }
++
++ if (!tableExists(sqlDB, "metaData")) {
++ sqlerr = sqlite3_exec(sqlDB, PW_CREATE_TABLE_CMD, NULL, 0, NULL);
++ if (sqlerr != SQLITE_OK)
++ goto loser;
++ }
++ if (item2 == NULL) {
++ cmd = MD_CREATE_CMD;
++ }
++ sqlerr = sqlite3_prepare_v2(sqlDB, cmd, -1, &stmt, NULL);
++ if (sqlerr != SQLITE_OK)
++ goto loser;
++ sqlerr = sqlite3_bind_text(stmt, 1, id, PORT_Strlen(id), SQLITE_STATIC);
++ if (sqlerr != SQLITE_OK)
++ goto loser;
++ sqlerr = sqlite3_bind_blob(stmt, 2, item1->data, item1->len, SQLITE_STATIC);
++ if (sqlerr != SQLITE_OK)
++ goto loser;
++ if (item2) {
++ sqlerr = sqlite3_bind_blob(stmt, 3, item2->data,
++ item2->len, SQLITE_STATIC);
++ if (sqlerr != SQLITE_OK)
++ goto loser;
++ }
++
++ do {
++ sqlerr = sqlite3_step(stmt);
++ if (sqlerr == SQLITE_BUSY) {
++ PR_Sleep(SDB_BUSY_RETRY_TIME);
++ }
++ } while (!sdb_done(sqlerr, &retry));
++
++loser:
++ /* fix up the error if necessary */
++ if (error == CKR_OK) {
++ error = sdb_mapSQLError(sdb_p->type, sqlerr);
++ }
++
++ if (stmt) {
++ sqlite3_reset(stmt);
++ sqlite3_finalize(stmt);
++ }
++
++ if (sqlDB) {
++ sdb_closeDBLocal(sdb_p, sqlDB);
++ }
++ UNLOCK_SQLITE()
++
++ return error;
++}
++
++static const char RESET_CMD[] = "DELETE FROM %s;";
++CK_RV
++sdb_Reset(SDB *sdb)
++{
++ SDBPrivate *sdb_p = sdb->private;
++ sqlite3 *sqlDB = NULL;
++ char *newStr;
++ int sqlerr = SQLITE_OK;
++ CK_RV error = CKR_OK;
++
++ /* only Key databases can be reset */
++ if (sdb_p->type != SDB_KEY) {
++ return CKR_OBJECT_HANDLE_INVALID;
++ }
++
++ LOCK_SQLITE()
++ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
++ if (error != CKR_OK) {
++ goto loser;
++ }
++
++ if (tableExists(sqlDB, sdb_p->table)) {
++ /* delete the contents of the key table */
++ newStr = sqlite3_mprintf(RESET_CMD, sdb_p->table);
++ if (newStr == NULL) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
++ sqlite3_free(newStr);
++
++ if (sqlerr != SQLITE_OK)
++ goto loser;
++ }
++
++ /* delete the password entry table */
++ sqlerr = sqlite3_exec(sqlDB, "DROP TABLE IF EXISTS metaData;",
++ NULL, 0, NULL);
++
++loser:
++ /* fix up the error if necessary */
++ if (error == CKR_OK) {
++ error = sdb_mapSQLError(sdb_p->type, sqlerr);
++ }
++
++ if (sqlDB) {
++ sdb_closeDBLocal(sdb_p, sqlDB);
++ }
++
++ UNLOCK_SQLITE()
++ return error;
++}
++
++CK_RV
++sdb_Close(SDB *sdb)
++{
++ SDBPrivate *sdb_p = sdb->private;
++ int sqlerr = SQLITE_OK;
++ sdbDataType type = sdb_p->type;
++
++ sqlerr = sqlite3_close(sdb_p->sqlReadDB);
++ PORT_Free(sdb_p->sqlDBName);
++ if (sdb_p->cacheTable) {
++ sqlite3_free(sdb_p->cacheTable);
++ }
++ if (sdb_p->dbMon) {
++ PR_DestroyMonitor(sdb_p->dbMon);
++ }
++ free(sdb_p->schemaAttrs);
++ free(sdb_p);
++ free(sdb);
++ return sdb_mapSQLError(type, sqlerr);
++}
++
++/*
++ * functions to support open
++ */
++
++static const char CHECK_TABLE_CMD[] = "SELECT ALL * FROM %s LIMIT 0;";
++
++/* return 1 if sqlDB contains table 'tableName */
++static int
++tableExists(sqlite3 *sqlDB, const char *tableName)
++{
++ char *cmd = sqlite3_mprintf(CHECK_TABLE_CMD, tableName);
++ int sqlerr = SQLITE_OK;
++
++ if (cmd == NULL) {
++ return 0;
++ }
++
++ sqlerr = sqlite3_exec(sqlDB, cmd, NULL, 0, 0);
++ sqlite3_free(cmd);
++
++ return (sqlerr == SQLITE_OK) ? 1 : 0;
++}
++
++void
++sdb_SetForkState(PRBool forked)
++{
++ /* XXXright now this is a no-op. The global fork state in the softokn3
++ * shared library is already taken care of at the PKCS#11 level.
++ * If and when we add fork state to the sqlite shared library and extern
++ * interface, we will need to set it and reset it from here */
++}
++
++static int
++sdb_attributeComparator(const void *a, const void *b)
++{
++ if (*(CK_ATTRIBUTE_TYPE *)a < *(CK_ATTRIBUTE_TYPE *)b) {
++ return -1;
++ }
++ if (*(CK_ATTRIBUTE_TYPE *)a > *(CK_ATTRIBUTE_TYPE *)b) {
++ return 1;
++ }
++ return 0;
++}
++
++/*
++ * initialize a single database
++ */
++static const char INIT_CMD[] =
++ "CREATE TABLE %s (id PRIMARY KEY UNIQUE ON CONFLICT ABORT%s)";
++
++CK_RV
++sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate,
++ int *newInit, int inFlags, PRUint32 accessOps, SDB **pSdb)
++{
++ int i;
++ char *initStr = NULL;
++ char *newStr;
++ char *queryStr = NULL;
++ int inTransaction = 0;
++ SDB *sdb = NULL;
++ SDBPrivate *sdb_p = NULL;
++ sqlite3 *sqlDB = NULL;
++ int sqlerr = SQLITE_OK;
++ CK_RV error = CKR_OK;
++ char *cacheTable = NULL;
++ PRIntervalTime now = 0;
++ char *env;
++ PRBool enableCache = PR_FALSE;
++ PRBool checkFSType = PR_FALSE;
++ PRBool measureSpeed = PR_FALSE;
++ PRBool create;
++ int flags = inFlags & 0x7;
++
++ *pSdb = NULL;
++ *inUpdate = 0;
++
++ /* sqlite3 doesn't have a flag to specify that we want to
++ * open the database read only. If the db doesn't exist,
++ * sqlite3 will always create it.
++ */
++ LOCK_SQLITE();
++ create = (_NSSUTIL_Access(dbname, PR_ACCESS_EXISTS) != PR_SUCCESS);
++ if ((flags == SDB_RDONLY) && create) {
++ error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
++ goto loser;
++ }
++ sqlerr = sdb_openDB(dbname, &sqlDB, flags);
++ if (sqlerr != SQLITE_OK) {
++ error = sdb_mapSQLError(type, sqlerr);
++ goto loser;
++ }
++
++ /*
++ * SQL created the file, but it doesn't set appropriate modes for
++ * a database.
++ *
++ * NO NSPR call for chmod? :(
++ */
++ if (create && sdb_chmod(dbname, 0600) != 0) {
++ error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
++ goto loser;
++ }
++
++ if (flags != SDB_RDONLY) {
++ sqlerr = sqlite3_exec(sqlDB, BEGIN_CMD, NULL, 0, NULL);
++ if (sqlerr != SQLITE_OK) {
++ error = sdb_mapSQLError(type, sqlerr);
++ goto loser;
++ }
++ inTransaction = 1;
++ }
++ if (!tableExists(sqlDB, table)) {
++ *newInit = 1;
++ if (flags != SDB_CREATE) {
++ error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
++ goto loser;
++ }
++ initStr = sqlite3_mprintf("");
++ for (i = 0; initStr && i < known_attributes_size; i++) {
++ newStr = sqlite3_mprintf("%s, a%x", initStr, known_attributes[i]);
++ sqlite3_free(initStr);
++ initStr = newStr;
++ }
++ if (initStr == NULL) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++
++ newStr = sqlite3_mprintf(INIT_CMD, table, initStr);
++ sqlite3_free(initStr);
++ if (newStr == NULL) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
++ sqlite3_free(newStr);
++ if (sqlerr != SQLITE_OK) {
++ error = sdb_mapSQLError(type, sqlerr);
++ goto loser;
++ }
++
++ newStr = sqlite3_mprintf(CREATE_ISSUER_INDEX_CMD, table);
++ if (newStr == NULL) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
++ sqlite3_free(newStr);
++ if (sqlerr != SQLITE_OK) {
++ error = sdb_mapSQLError(type, sqlerr);
++ goto loser;
++ }
++
++ newStr = sqlite3_mprintf(CREATE_SUBJECT_INDEX_CMD, table);
++ if (newStr == NULL) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
++ sqlite3_free(newStr);
++ if (sqlerr != SQLITE_OK) {
++ error = sdb_mapSQLError(type, sqlerr);
++ goto loser;
++ }
++
++ newStr = sqlite3_mprintf(CREATE_LABEL_INDEX_CMD, table);
++ if (newStr == NULL) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
++ sqlite3_free(newStr);
++ if (sqlerr != SQLITE_OK) {
++ error = sdb_mapSQLError(type, sqlerr);
++ goto loser;
++ }
++
++ newStr = sqlite3_mprintf(CREATE_ID_INDEX_CMD, table);
++ if (newStr == NULL) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
++ sqlite3_free(newStr);
++ if (sqlerr != SQLITE_OK) {
++ error = sdb_mapSQLError(type, sqlerr);
++ goto loser;
++ }
++ }
++ /*
++ * detect the case where we have created the database, but have
++ * not yet updated it.
++ *
++ * We only check the Key database because only the key database has
++ * a metaData table. The metaData table is created when a password
++ * is set, or in the case of update, when a password is supplied.
++ * If no key database exists, then the update would have happened immediately
++ * on noticing that the cert database didn't exist (see newInit set above).
++ */
++ if (type == SDB_KEY && !tableExists(sqlDB, "metaData")) {
++ *newInit = 1;
++ }
++
++ /* access to network filesystems are significantly slower than local ones
++ * for database operations. In those cases we need to create a cached copy
++ * of the database in a temporary location on the local disk. SQLITE
++ * already provides a way to create a temporary table and initialize it,
++ * so we use it for the cache (see sdb_buildCache for how it's done).*/
++
++ /*
++ * we decide whether or not to use the cache based on the following input.
++ *
++ * NSS_SDB_USE_CACHE environment variable is set to anything other than
++ * "yes" or "no" (for instance, "auto"): NSS will measure the performance
++ * of access to the temp database versus the access to the user's
++ * passed-in database location. If the temp database location is
++ * "significantly" faster we will use the cache.
++ *
++ * NSS_SDB_USE_CACHE environment variable is nonexistent or set to "no":
++ * cache will not be used.
++ *
++ * NSS_SDB_USE_CACHE environment variable is set to "yes": cache will
++ * always be used.
++ *
++ * It is expected that most applications will not need this feature, and
++ * thus it is disabled by default.
++ */
++
++ env = PR_GetEnvSecure("NSS_SDB_USE_CACHE");
++
++ /* Variables enableCache, checkFSType, measureSpeed are PR_FALSE by default,
++ * which is the expected behavior for NSS_SDB_USE_CACHE="no".
++ * We don't need to check for "no" here. */
++ if (!env) {
++ /* By default, with no variable set, we avoid expensive measuring for
++ * most FS types. We start with inexpensive FS type checking, and
++ * might perform measuring for some types. */
++ checkFSType = PR_TRUE;
++ } else if (PORT_Strcasecmp(env, "yes") == 0) {
++ enableCache = PR_TRUE;
++ } else if (PORT_Strcasecmp(env, "no") != 0) { /* not "no" => "auto" */
++ measureSpeed = PR_TRUE;
++ }
++
++ if (checkFSType) {
++#if defined(LINUX) && !defined(ANDROID)
++ struct statfs statfs_s;
++ if (statfs(dbname, &statfs_s) == 0) {
++ switch (statfs_s.f_type) {
++ case SMB_SUPER_MAGIC:
++ case 0xff534d42: /* CIFS_MAGIC_NUMBER */
++ case NFS_SUPER_MAGIC:
++ /* We assume these are slow. */
++ enableCache = PR_TRUE;
++ break;
++ case CODA_SUPER_MAGIC:
++ case 0x65735546: /* FUSE_SUPER_MAGIC */
++ case NCP_SUPER_MAGIC:
++ /* It's uncertain if this FS is fast or slow.
++ * It seems reasonable to perform slow measuring for users
++ * with questionable FS speed. */
++ measureSpeed = PR_TRUE;
++ break;
++ case AFS_SUPER_MAGIC: /* Already implements caching. */
++ default:
++ break;
++ }
++ }
++#endif
++ }
++
++ if (measureSpeed) {
++ char *tempDir = NULL;
++ PRUint32 tempOps = 0;
++ /*
++ * Use PR_Access to determine how expensive it
++ * is to check for the existance of a local file compared to the same
++ * check in the temp directory. If the temp directory is faster, cache
++ * the database there. */
++ tempDir = sdb_getTempDir(sqlDB);
++ if (tempDir) {
++ tempOps = sdb_measureAccess(tempDir);
++ PORT_Free(tempDir);
++
++ /* There is a cost to continually copying the database.
++ * Account for that cost with the arbitrary factor of 10 */
++ enableCache = (PRBool)(tempOps > accessOps * 10);
++ }
++ }
++
++ if (enableCache) {
++ /* try to set the temp store to memory.*/
++ sqlite3_exec(sqlDB, "PRAGMA temp_store=MEMORY", NULL, 0, NULL);
++ /* Failure to set the temp store to memory is not fatal,
++ * ignore the error */
++
++ cacheTable = sqlite3_mprintf("%sCache", table);
++ if (cacheTable == NULL) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++ /* build the cache table */
++ error = sdb_buildCache(sqlDB, type, cacheTable, table);
++ if (error != CKR_OK) {
++ goto loser;
++ }
++ /* initialize the last cache build time */
++ now = PR_IntervalNow();
++ }
++
++ sdb = (SDB *)malloc(sizeof(SDB));
++ if (!sdb) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++ sdb_p = (SDBPrivate *)malloc(sizeof(SDBPrivate));
++ if (!sdb_p) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++
++ /* Cache the attributes that are held in the table, so we can later check
++ * that queried attributes actually exist. We don't assume the schema
++ * to be exactly |known_attributes|, as it may change over time. */
++ sdb_p->schemaAttrs = NULL;
++ if (!PORT_Strcmp("nssPublic", table) ||
++ !PORT_Strcmp("nssPrivate", table)) {
++ sqlite3_stmt *stmt = NULL;
++ int retry = 0;
++ unsigned int backedAttrs = 0;
++
++ /* Can't bind parameters to a PRAGMA. */
++ queryStr = sqlite3_mprintf("PRAGMA table_info(%s);", table);
++ if (queryStr == NULL) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++ sqlerr = sqlite3_prepare_v2(sqlDB, queryStr, -1, &stmt, NULL);
++ sqlite3_free(queryStr);
++ queryStr = NULL;
++ if (sqlerr != SQLITE_OK) {
++ goto loser;
++ }
++ unsigned int schemaAttrsCapacity = known_attributes_size;
++ sdb_p->schemaAttrs = malloc(schemaAttrsCapacity * sizeof(CK_ATTRIBUTE_TYPE));
++ if (!sdb_p->schemaAttrs) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++ do {
++ sqlerr = sqlite3_step(stmt);
++ if (sqlerr == SQLITE_BUSY) {
++ PR_Sleep(SDB_BUSY_RETRY_TIME);
++ }
++ if (sqlerr == SQLITE_ROW) {
++ if (backedAttrs == schemaAttrsCapacity) {
++ schemaAttrsCapacity += known_attributes_size;
++ sdb_p->schemaAttrs = realloc(sdb_p->schemaAttrs,
++ schemaAttrsCapacity * sizeof(CK_ATTRIBUTE_TYPE));
++ if (!sdb_p->schemaAttrs) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++ }
++ /* Record the ULONG attribute value. */
++ char *val = (char *)sqlite3_column_text(stmt, 1);
++ if (val && val[0] == 'a') {
++ CK_ATTRIBUTE_TYPE attr = strtoul(&val[1], NULL, 16);
++ sdb_p->schemaAttrs[backedAttrs++] = attr;
++ }
++ }
++ } while (!sdb_done(sqlerr, &retry));
++
++ if (sqlerr != SQLITE_DONE) {
++ goto loser;
++ }
++ sqlerr = sqlite3_reset(stmt);
++ if (sqlerr != SQLITE_OK) {
++ goto loser;
++ }
++ sqlerr = sqlite3_finalize(stmt);
++ if (sqlerr != SQLITE_OK) {
++ goto loser;
++ }
++
++ sdb_p->numSchemaAttrs = backedAttrs;
++
++ /* Sort these once so we can shortcut invalid attribute searches. */
++ qsort(sdb_p->schemaAttrs, sdb_p->numSchemaAttrs,
++ sizeof(CK_ATTRIBUTE_TYPE), sdb_attributeComparator);
++ }
++
++ /* invariant fields */
++ sdb_p->sqlDBName = PORT_Strdup(dbname);
++ sdb_p->type = type;
++ sdb_p->table = table;
++ sdb_p->cacheTable = cacheTable;
++ sdb_p->lastUpdateTime = now;
++ /* set the cache delay time. This is how long we will wait before we
++ * decide the existing cache is stale. Currently set to 10 sec */
++ sdb_p->updateInterval = PR_SecondsToInterval(10);
++ sdb_p->dbMon = PR_NewMonitor();
++ /* these fields are protected by the lock */
++ sdb_p->sqlXactDB = NULL;
++ sdb_p->sqlXactThread = NULL;
++ sdb->private = sdb_p;
++ sdb->version = 1;
++ sdb->sdb_flags = inFlags | SDB_HAS_META;
++ sdb->app_private = NULL;
++ sdb->sdb_FindObjectsInit = sdb_FindObjectsInit;
++ sdb->sdb_FindObjects = sdb_FindObjects;
++ sdb->sdb_FindObjectsFinal = sdb_FindObjectsFinal;
++ sdb->sdb_GetAttributeValue = sdb_GetAttributeValue;
++ sdb->sdb_SetAttributeValue = sdb_SetAttributeValue;
++ sdb->sdb_CreateObject = sdb_CreateObject;
++ sdb->sdb_DestroyObject = sdb_DestroyObject;
++ sdb->sdb_GetMetaData = sdb_GetMetaData;
++ sdb->sdb_PutMetaData = sdb_PutMetaData;
++ sdb->sdb_DestroyMetaData = sdb_DestroyMetaData;
++ sdb->sdb_Begin = sdb_Begin;
++ sdb->sdb_Commit = sdb_Commit;
++ sdb->sdb_Abort = sdb_Abort;
++ sdb->sdb_Reset = sdb_Reset;
++ sdb->sdb_Close = sdb_Close;
++ sdb->sdb_SetForkState = sdb_SetForkState;
++ sdb->sdb_GetNewObjectID = sdb_GetNewObjectID;
++
++ if (inTransaction) {
++ sqlerr = sqlite3_exec(sqlDB, COMMIT_CMD, NULL, 0, NULL);
++ if (sqlerr != SQLITE_OK) {
++ error = sdb_mapSQLError(sdb_p->type, sqlerr);
++ goto loser;
++ }
++ inTransaction = 0;
++ }
++
++ sdb_p->sqlReadDB = sqlDB;
++
++ *pSdb = sdb;
++ UNLOCK_SQLITE();
++ return CKR_OK;
++
++loser:
++ /* lots of stuff to do */
++ if (inTransaction) {
++ sqlite3_exec(sqlDB, ROLLBACK_CMD, NULL, 0, NULL);
++ }
++ if (sdb) {
++ free(sdb);
++ }
++ if (sdb_p) {
++ if (sdb_p->schemaAttrs) {
++ free(sdb_p->schemaAttrs);
++ }
++ free(sdb_p);
++ }
++ if (sqlDB) {
++ sqlite3_close(sqlDB);
++ }
++ UNLOCK_SQLITE();
++ return error;
++}
++
++/* sdbopen */
++CK_RV
++s_open(const char *directory, const char *certPrefix, const char *keyPrefix,
++ int cert_version, int key_version, int flags,
++ SDB **certdb, SDB **keydb, int *newInit)
++{
++ char *cert = sdb_BuildFileName(directory, certPrefix,
++ "cert", cert_version);
++ char *key = sdb_BuildFileName(directory, keyPrefix,
++ "key", key_version);
++ CK_RV error = CKR_OK;
++ int inUpdate;
++ PRUint32 accessOps;
++
++ if (certdb)
++ *certdb = NULL;
++ if (keydb)
++ *keydb = NULL;
++ *newInit = 0;
++
++#ifdef SQLITE_UNSAFE_THREADS
++ if (sqlite_lock == NULL) {
++ sqlite_lock = PR_NewLock();
++ if (sqlite_lock == NULL) {
++ error = CKR_HOST_MEMORY;
++ goto loser;
++ }
++ }
++#endif
++
++ /* how long does it take to test for a non-existant file in our working
++ * directory? Allows us to test if we may be on a network file system */
++ accessOps = 1;
++ {
++ char *env;
++ env = PR_GetEnvSecure("NSS_SDB_USE_CACHE");
++ /* If the environment variable is undefined or set to yes or no,
++ * sdb_init() will ignore the value of accessOps, and we can skip the
++ * measuring.*/
++ if (env && PORT_Strcasecmp(env, "no") != 0 &&
++ PORT_Strcasecmp(env, "yes") != 0) {
++ accessOps = sdb_measureAccess(directory);
++ }
++ }
++
++ /*
++ * open the cert data base
++ */
++ if (certdb) {
++ /* initialize Certificate database */
++ error = sdb_init(cert, "nssPublic", SDB_CERT, &inUpdate,
++ newInit, flags, accessOps, certdb);
++ if (error != CKR_OK) {
++ goto loser;
++ }
++ }
++
++ /*
++ * open the key data base:
++ * NOTE:if we want to implement a single database, we open
++ * the same database file as the certificate here.
++ *
++ * cert an key db's have different tables, so they will not
++ * conflict.
++ */
++ if (keydb) {
++ /* initialize the Key database */
++ error = sdb_init(key, "nssPrivate", SDB_KEY, &inUpdate,
++ newInit, flags, accessOps, keydb);
++ if (error != CKR_OK) {
++ goto loser;
++ }
++ }
++
++loser:
++ if (cert) {
++ sqlite3_free(cert);
++ }
++ if (key) {
++ sqlite3_free(key);
++ }
++
++ if (error != CKR_OK) {
++ /* currently redundant, but could be necessary if more code is added
++ * just before loser */
++ if (keydb && *keydb) {
++ sdb_Close(*keydb);
++ }
++ if (certdb && *certdb) {
++ sdb_Close(*certdb);
++ }
++ }
++
++ return error;
++}
++
++CK_RV
++s_shutdown()
++{
++#ifdef SQLITE_UNSAFE_THREADS
++ if (sqlite_lock) {
++ PR_DestroyLock(sqlite_lock);
++ sqlite_lock = NULL;
++ }
++#endif
++ return CKR_OK;
++}
+diff --git a/cmd/manifest.mn b/cmd/manifest.mn
+--- a/cmd/manifest.mn
++++ b/cmd/manifest.mn
+@@ -36,16 +36,17 @@ NSS_SRCDIRS = \
+ addbuiltin \
+ atob \
+ btoa \
+ certutil \
+ chktest \
+ crlutil \
+ crmftest \
+ dbtest \
++ dbtool \
+ derdump \
+ digest \
+ httpserv \
+ listsuites \
+ makepqg \
+ multinit \
+ nss-policy-check \
+ ocspclnt \
diff --git a/nss-3.79-distrusted-certs.patch b/nss-3.79-distrusted-certs.patch
deleted file mode 100644
index 14a5b0c..0000000
--- a/nss-3.79-distrusted-certs.patch
+++ /dev/null
@@ -1,375 +0,0 @@ -# HG changeset patch -# User John M. Schanck -# Date 1648094761 0 -# Thu Mar 24 04:06:01 2022 +0000 -# Node ID b722e523d66297fe4bc1fac0ebb06203138eccbb -# Parent 853b64626b19a46f41f4ba9c684490dc15923c94 -Bug 1751305 - Remove expired explicitly distrusted certificates from certdata.txt. r=KathleenWilson - -Differential Revision: https://phabricator.services.mozilla.com/D141919 - -diff --git a/lib/ckfw/builtins/certdata.txt b/lib/ckfw/builtins/certdata.txt ---- a/lib/ckfw/builtins/certdata.txt -+++ b/lib/ckfw/builtins/certdata.txt -@@ -7663,197 +7663,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL - \377\377 - END - CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED - CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED - CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED - CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - - # --# Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2" --# --# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL --# Serial Number: 268435455 (0xfffffff) --# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL --# Not Valid Before: Wed May 12 08:51:39 2010 --# Not Valid After : Mon Mar 23 09:50:05 2020 --# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C --# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42 --CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2" --CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 --CKA_SUBJECT MULTILINE_OCTAL --\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 --\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157 --\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004 --\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111 --\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141 
--\156\151\163\141\164\151\145\040\055\040\107\062 --END --CKA_ID UTF8 "0" --CKA_ISSUER MULTILINE_OCTAL --\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 --\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157 --\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004 --\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111 --\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141 --\156\151\163\141\164\151\145\040\055\040\107\062 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\004\017\377\377\377 --END --CKA_VALUE MULTILINE_OCTAL --\060\202\006\225\060\202\004\175\240\003\002\001\002\002\004\017 --\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\013 --\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116 --\114\061\027\060\025\006\003\125\004\012\014\016\104\151\147\151 --\116\157\164\141\162\040\102\056\126\056\061\062\060\060\006\003 --\125\004\003\014\051\104\151\147\151\116\157\164\141\162\040\120 --\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\162 --\147\141\156\151\163\141\164\151\145\040\055\040\107\062\060\036 --\027\015\061\060\060\065\061\062\060\070\065\061\063\071\132\027 --\015\062\060\060\063\062\063\060\071\065\060\060\065\132\060\132 --\061\013\060\011\006\003\125\004\006\023\002\116\114\061\027\060 --\025\006\003\125\004\012\014\016\104\151\147\151\116\157\164\141 --\162\040\102\056\126\056\061\062\060\060\006\003\125\004\003\014 --\051\104\151\147\151\116\157\164\141\162\040\120\113\111\157\166 --\145\162\150\145\151\144\040\103\101\040\117\162\147\141\156\151 --\163\141\164\151\145\040\055\040\107\062\060\202\002\042\060\015 --\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002 --\017\000\060\202\002\012\002\202\002\001\000\261\023\031\017\047 --\346\154\324\125\206\113\320\354\211\212\105\221\170\254\107\275 --\107\053\344\374\105\353\117\264\046\163\133\067\323\303\177\366 --\343\336\327\243\370\055\150\305\010\076\113\224\326\344\207\045 
--\066\153\204\265\030\164\363\050\130\163\057\233\152\317\274\004 --\036\366\336\335\257\374\113\252\365\333\146\142\045\001\045\202 --\336\362\227\132\020\156\335\135\251\042\261\004\251\043\163\072 --\370\161\255\035\317\204\104\353\107\321\257\155\310\174\050\253 --\307\362\067\172\164\137\137\305\002\024\212\243\132\343\033\154 --\001\343\135\216\331\150\326\364\011\033\062\334\221\265\054\365 --\040\353\214\003\155\046\111\270\223\304\205\135\330\322\233\257 --\126\152\314\005\063\314\240\102\236\064\125\104\234\153\240\324 --\022\320\053\124\315\267\211\015\345\366\353\350\373\205\001\063 --\117\172\153\361\235\162\063\226\016\367\262\204\245\245\047\304 --\047\361\121\163\051\167\272\147\156\376\114\334\264\342\241\241 --\201\057\071\111\215\103\070\023\316\320\245\134\302\207\072\000 --\147\145\102\043\361\066\131\012\035\243\121\310\274\243\224\052 --\061\337\343\074\362\235\032\074\004\260\357\261\012\060\023\163 --\266\327\363\243\114\001\165\024\205\170\300\327\212\071\130\205 --\120\372\056\346\305\276\317\213\077\257\217\066\324\045\011\055 --\322\017\254\162\223\362\277\213\324\120\263\371\025\120\233\231 --\365\024\331\373\213\221\243\062\046\046\240\370\337\073\140\201 --\206\203\171\133\053\353\023\075\051\072\301\155\335\275\236\216 --\207\326\112\256\064\227\005\356\024\246\366\334\070\176\112\351 --\044\124\007\075\227\150\067\106\153\015\307\250\041\257\023\124 --\344\011\152\361\115\106\012\311\135\373\233\117\275\336\373\267 --\124\313\270\070\234\247\071\373\152\055\300\173\215\253\245\247 --\127\354\112\222\212\063\305\341\040\134\163\330\220\222\053\200 --\325\017\206\030\151\174\071\117\204\206\274\367\114\133\363\325 --\264\312\240\302\360\067\042\312\171\122\037\123\346\252\363\220 --\260\073\335\362\050\375\254\353\305\006\044\240\311\324\057\017 --\130\375\265\236\354\017\317\262\131\320\242\004\172\070\152\256 --\162\373\275\360\045\142\224\011\247\005\013\002\003\001\000\001 
--\243\202\001\141\060\202\001\135\060\110\006\003\125\035\040\004 --\101\060\077\060\075\006\004\125\035\040\000\060\065\060\063\006 --\010\053\006\001\005\005\007\002\001\026\047\150\164\164\160\072 --\057\057\167\167\167\056\144\151\147\151\156\157\164\141\162\056 --\156\154\057\143\160\163\057\160\153\151\157\166\145\162\150\145 --\151\144\060\017\006\003\125\035\023\001\001\377\004\005\060\003 --\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003 --\002\001\006\060\201\205\006\003\125\035\043\004\176\060\174\200 --\024\071\020\213\111\222\134\333\141\022\040\315\111\235\032\216 --\332\234\147\100\271\241\136\244\134\060\132\061\013\060\011\006 --\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004 --\012\014\025\123\164\141\141\164\040\144\145\162\040\116\145\144 --\145\162\154\141\156\144\145\156\061\053\060\051\006\003\125\004 --\003\014\042\123\164\141\141\164\040\144\145\162\040\116\145\144 --\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101 --\040\055\040\107\062\202\004\000\230\226\364\060\111\006\003\125 --\035\037\004\102\060\100\060\076\240\074\240\072\206\070\150\164 --\164\160\072\057\057\143\162\154\056\160\153\151\157\166\145\162 --\150\145\151\144\056\156\154\057\104\157\155\117\162\147\141\156 --\151\163\141\164\151\145\114\141\164\145\163\164\103\122\114\055 --\107\062\056\143\162\154\060\035\006\003\125\035\016\004\026\004 --\024\274\135\224\073\331\253\173\003\045\163\141\302\333\055\356 --\374\253\217\145\241\060\015\006\011\052\206\110\206\367\015\001 --\001\013\005\000\003\202\002\001\000\217\374\055\114\267\331\055 --\325\037\275\357\313\364\267\150\027\165\235\116\325\367\335\234 --\361\052\046\355\237\242\266\034\003\325\123\263\354\010\317\064 --\342\343\303\364\265\026\057\310\303\276\327\323\163\253\000\066 --\371\032\112\176\326\143\351\136\106\272\245\266\216\025\267\243 --\052\330\103\035\357\135\310\037\201\205\263\213\367\377\074\364 
--\331\364\106\010\077\234\274\035\240\331\250\114\315\045\122\116 --\012\261\040\367\037\351\103\331\124\106\201\023\232\300\136\164 --\154\052\230\062\352\374\167\273\015\245\242\061\230\042\176\174 --\174\347\332\244\255\354\267\056\032\031\161\370\110\120\332\103 --\217\054\204\335\301\100\047\343\265\360\025\116\226\324\370\134 --\343\206\051\106\053\327\073\007\353\070\177\310\206\127\227\323 --\357\052\063\304\027\120\325\144\151\153\053\153\105\136\135\057 --\027\312\132\116\317\303\327\071\074\365\073\237\106\271\233\347 --\016\111\227\235\326\325\343\033\017\352\217\001\116\232\023\224 --\131\012\002\007\110\113\032\140\253\177\117\355\013\330\125\015 --\150\157\125\234\151\145\025\102\354\300\334\335\154\254\303\026 --\316\013\035\126\233\244\304\304\322\056\340\017\342\104\047\053 --\120\151\244\334\142\350\212\041\051\102\154\314\000\072\226\166 --\233\357\100\300\244\136\167\204\062\154\046\052\071\146\256\135 --\343\271\271\262\054\150\037\036\232\220\003\071\360\252\263\244 --\314\111\213\030\064\351\067\311\173\051\307\204\174\157\104\025 --\057\354\141\131\004\311\105\313\242\326\122\242\174\177\051\222 --\326\112\305\213\102\250\324\376\352\330\307\207\043\030\344\235 --\172\175\163\100\122\230\240\256\156\343\005\077\005\017\340\245 --\306\155\115\355\203\067\210\234\307\363\334\102\232\152\266\327 --\041\111\066\167\362\357\030\117\305\160\331\236\351\336\267\053 --\213\364\274\176\050\337\015\100\311\205\134\256\235\305\061\377 --\320\134\016\265\250\176\360\351\057\272\257\210\256\345\265\321 --\130\245\257\234\161\247\051\001\220\203\151\067\202\005\272\374 --\011\301\010\156\214\170\073\303\063\002\200\077\104\205\010\035 --\337\125\126\010\255\054\205\055\135\261\003\341\256\252\164\305 --\244\363\116\272\067\230\173\202\271 --END -- --# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2" --# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL --# Serial Number: 268435455 (0xfffffff) --# Subject: 
CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL --# Not Valid Before: Wed May 12 08:51:39 2010 --# Not Valid After : Mon Mar 23 09:50:05 2020 --# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C --# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42 --CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2" --CKA_CERT_SHA1_HASH MULTILINE_OCTAL --\325\362\127\251\277\055\320\077\213\106\127\371\053\311\244\306 --\222\341\102\102 --END --CKA_CERT_MD5_HASH MULTILINE_OCTAL --\056\141\242\321\170\316\356\277\131\063\260\043\024\017\224\034 --END --CKA_ISSUER MULTILINE_OCTAL --\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 --\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157 --\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004 --\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111 --\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141 --\156\151\163\141\164\151\145\040\055\040\107\062 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\004\017\377\377\377 --END --CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED --CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED --CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED --CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -- --# - # Certificate "Security Communication RootCA2" - # - # Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP - # Serial Number: 0 (0x0) - # Subject: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP - # Not Valid Before: Fri May 29 05:00:39 2009 - # Not Valid After : Tue May 29 05:00:39 2029 - # Fingerprint (SHA-256): 51:3B:2C:EC:B8:10:D4:CD:E5:DD:85:39:1A:DF:C6:C2:DD:60:D8:7B:B7:36:D2:B5:21:48:4A:A4:7A:0E:BE:F6 -@@ -8337,78 +8156,16 @@ END - CKA_SERIAL_NUMBER MULTILINE_OCTAL - 
\002\001\000 - END - CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - --# Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929 --# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US --# Serial Number: 1800000005 (0x6b49d205) --# Not Before: Apr 7 15:37:15 2011 GMT --# Not After : Apr 4 15:37:15 2021 GMT --CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "MITM subCA 1 issued by Trustwave" --CKA_ISSUER MULTILINE_OCTAL --\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123 --\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156 --\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150 --\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030 --\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156 --\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004 --\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147 --\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156 --\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060 --\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141 --\100\164\162\165\163\164\167\141\166\145\056\143\157\155 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\004\153\111\322\005 --END --CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED --CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED --CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED --CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -- --# Explicitly Distrust "MITM subCA 2 issued by Trustwave", Bug 724929 --# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, 
Inc.",L=Chicago,ST=Illinois,C=US --# Serial Number: 1800000006 (0x6b49d206) --# Not Before: Apr 18 21:09:30 2011 GMT --# Not After : Apr 15 21:09:30 2021 GMT --CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "MITM subCA 2 issued by Trustwave" --CKA_ISSUER MULTILINE_OCTAL --\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123 --\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156 --\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150 --\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030 --\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156 --\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004 --\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147 --\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156 --\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060 --\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141 --\100\164\162\165\163\164\167\141\166\145\056\143\157\155 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\004\153\111\322\006 --END --CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED --CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED --CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED --CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -- - # - # Certificate "Actalis Authentication Root CA" - # - # Issuer: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT - # Serial Number:57:0a:11:97:42:c4:e3:cc - # Subject: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT - # Not Valid Before: Thu Sep 22 11:22:02 2011 - # Not Valid After : Sun Sep 22 11:22:02 2030 -@@ -9042,84 +8799,16 @@ END - CKA_SERIAL_NUMBER MULTILINE_OCTAL - \002\001\001 - END - CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR - CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_CODE_SIGNING 
CK_TRUST CKT_NSS_MUST_VERIFY_TRUST - CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - --# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022 --# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri --# Serial Number: 2087 (0x827) --# Subject: CN=*.EGO.GOV.TR,OU=EGO BILGI ISLEM,O=EGO,L=ANKARA,ST=ANKARA,C=TR --# Not Valid Before: Mon Aug 08 07:07:51 2011 --# Not Valid After : Tue Jul 06 07:07:51 2021 --# Fingerprint (MD5): F8:F5:25:FF:0C:31:CF:85:E1:0C:86:17:C1:CE:1F:8E --# Fingerprint (SHA1): C6:9F:28:C8:25:13:9E:65:A6:46:C4:34:AC:A5:A1:D2:00:29:5D:B1 --CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 1" --CKA_ISSUER MULTILINE_OCTAL --\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303 --\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157 --\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151 --\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145 --\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061 --\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124 --\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164 --\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151 --\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151 --\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050 --\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\002\010\047 --END --CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED --CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED --CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED --CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -- --# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 2", Bug 825022 --# Issuer: 
O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri --# Serial Number: 2148 (0x864) --# Subject: E=ileti@kktcmerkezbankasi.org,CN=e-islem.kktcmerkezbankasi.org,O=KKTC Merkez Bankasi,L=Lefkosa,ST=Lefkosa,C=TR --# Not Valid Before: Mon Aug 08 07:07:51 2011 --# Not Valid After : Thu Aug 05 07:07:51 2021 --# Fingerprint (MD5): BF:C3:EC:AD:0F:42:4F:B4:B5:38:DB:35:BF:AD:84:A2 --# Fingerprint (SHA1): F9:2B:E5:26:6C:C0:5D:B2:DC:0D:C3:F2:DC:74:E0:2D:EF:D9:49:CB --CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST --CKA_TOKEN CK_BBOOL CK_TRUE --CKA_PRIVATE CK_BBOOL CK_FALSE --CKA_MODIFIABLE CK_BBOOL CK_FALSE --CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 2" --CKA_ISSUER MULTILINE_OCTAL --\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303 --\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157 --\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151 --\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145 --\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061 --\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124 --\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164 --\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151 --\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151 --\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050 --\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065 --END --CKA_SERIAL_NUMBER MULTILINE_OCTAL --\002\002\010\144 --END --CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED --CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED --CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED --CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -- - # - # Certificate "D-TRUST Root Class 3 CA 2 2009" - # - # Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE - # Serial Number: 623603 (0x983f3) - # Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust 
GmbH,C=DE - # Not Valid Before: Thu Nov 05 08:35:58 2009 - # Not Valid After : Mon Nov 05 08:35:58 2029 diff --git a/nss-3.79-fips-review.patches b/nss-3.79-fips-review.patches new file mode 100644 index 0000000..14c904a --- /dev/null +++ b/nss-3.79-fips-review.patches 
@@ -0,0 +1,497 @@
+diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c
+--- ./lib/freebl/dh.c.fips-review 2023-06-04 01:42:53.000000000 -0700
++++ ./lib/freebl/dh.c 2023-06-12 15:30:23.453233170 -0700
+@@ -445,7 +445,7 @@ cleanup:
+ PRBool
+ KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
+ {
+- mp_int p, q, y, r;
++ mp_int p, q, y, r, psub1;
+ mp_err err;
+ int cmp = 1; /* default is false */
+ if (!Y || !prime || !subPrime) {
+@@ -456,13 +456,30 @@ KEA_Verify(SECItem *Y, SECItem *prime, S
+ MP_DIGITS(&q) = 0;
+ MP_DIGITS(&y) = 0;
+ MP_DIGITS(&r) = 0;
++ MP_DIGITS(&psub1) = 0;
+ CHECK_MPI_OK(mp_init(&p));
+ CHECK_MPI_OK(mp_init(&q));
+ CHECK_MPI_OK(mp_init(&y));
+ CHECK_MPI_OK(mp_init(&r));
++ CHECK_MPI_OK(mp_init(&psub1));
+ SECITEM_TO_MPINT(*prime, &p);
+ SECITEM_TO_MPINT(*subPrime, &q);
+ SECITEM_TO_MPINT(*Y, &y);
++ CHECK_MPI_OK(mp_sub_d(&p, 1, &psub1));
++ /*
++ * We check that the public value isn't zero (which isn't in the
++ * group), one (subgroup of order one) or p-1 (subgroup of order 2). We
++ * also check that the public value is less than p, to avoid being fooled
++ * by values like p+1 or 2*p-1.
++ * This check is required by SP-800-56Ar3. It's also done in derive,
++ * but this is only called in various FIPS cases, so put it here to help
++ * reviewers find it.
++ */
++ if (mp_cmp_d(&y, 1) <= 0 ||
++ mp_cmp(&y, &psub1) >= 0) {
++ err = MP_BADARG;
++ goto cleanup;
++ }
+ /* compute r = y**q mod p */
+ CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r));
+ /* compare to 1 */
+@@ -472,6 +489,7 @@ cleanup:
+ mp_clear(&q);
+ mp_clear(&y);
+ mp_clear(&r);
++ mp_clear(&psub1);
+ if (err) {
+ MP_TO_SEC_ERROR(err);
+ return PR_FALSE;
+diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
+--- ./lib/softoken/pkcs11c.c.fips-review 2023-06-12 15:29:04.096403884 -0700
++++ ./lib/softoken/pkcs11c.c 2023-06-12 15:30:23.454233181 -0700
+@@ -4785,6 +4785,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
+ * handle the base object stuff
+ */
+ crv = sftk_handleObject(key, session);
++ /* we need to do this check at the end, so we can check the generated
++ * key length against fips requirements */
++ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
++ session->lastOpWasFIPS = key->isFIPS;
+ sftk_FreeSession(session);
+ if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
+ crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
+@@ -4792,9 +4796,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
+ if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {
+ crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
+ }
+- /* we need to do this check at the end, so we can check the generated key length against
+- * fips requirements */
+- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
+ if (crv == CKR_OK) {
+ *phKey = key->handle;
+ }
+@@ -5098,60 +5099,67 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+
+ if (isDerivable) {
+ SFTKAttribute *pubAttribute = NULL;
+- CK_OBJECT_HANDLE newKey;
+ PRBool isFIPS = sftk_isFIPS(slot->slotID);
+- CK_RV crv2;
+- CK_OBJECT_CLASS secret = CKO_SECRET_KEY;
+- CK_KEY_TYPE generic = CKK_GENERIC_SECRET;
+- CK_ULONG keyLen = 128;
+- CK_BBOOL ckTrue = CK_TRUE;
+- CK_ATTRIBUTE template[] = {
+- { CKA_CLASS,
&secret, sizeof(secret) },
+- { CKA_KEY_TYPE, &generic, sizeof(generic) },
+- { CKA_VALUE_LEN, &keyLen, sizeof(keyLen) },
+- { CKA_DERIVE, &ckTrue, sizeof(ckTrue) }
+- };
+- CK_ULONG templateCount = PR_ARRAY_SIZE(template);
+- CK_ECDH1_DERIVE_PARAMS ecParams;
++ NSSLOWKEYPrivateKey *lowPrivKey = NULL;
++ ECPrivateKey *ecPriv;
++ SECItem *lowPubValue = NULL;
++ SECItem item;
++ SECStatus rv;
+
+ crv = CKR_OK; /*paranoia, already get's set before we drop to the end */
+- /* FIPS 140-2 requires we verify that the resulting key is a valid key.
+- * The easiest way to do this is to do a derive operation, which checks
+- * the validity of the key */
+-
++ /* FIPS 140-3 requires we verify that the resulting key is a valid key
++ * by recalculating the public can an compare it to our own public
++ * key. */
++ lowPrivKey = sftk_GetPrivKey(privateKey, keyType, &crv);
++ if (lowPrivKey == NULL) {
++ return sftk_MapCryptError(PORT_GetError());
++ }
++ /* recalculate the public key from the private key */
+ switch (keyType) {
+- case CKK_DH:
+- mech.mechanism = CKM_DH_PKCS_DERIVE;
+- pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE);
+- if (pubAttribute == NULL) {
+- return CKR_DEVICE_ERROR;
+- }
+- mech.pParameter = pubAttribute->attrib.pValue;
+- mech.ulParameterLen = pubAttribute->attrib.ulValueLen;
+- break;
+- case CKK_EC:
+- mech.mechanism = CKM_ECDH1_DERIVE;
+- pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT);
+- if (pubAttribute == NULL) {
+- return CKR_DEVICE_ERROR;
+- }
+- ecParams.kdf = CKD_NULL;
+- ecParams.ulSharedDataLen = 0;
+- ecParams.pSharedData = NULL;
+- ecParams.ulPublicDataLen = pubAttribute->attrib.ulValueLen;
+- ecParams.pPublicData = pubAttribute->attrib.pValue;
+- mech.pParameter = &ecParams;
+- mech.ulParameterLen = sizeof(ecParams);
+- break;
+- default:
+- return CKR_DEVICE_ERROR;
++ case CKK_DH:
++ rv = DH_Derive(&lowPrivKey->u.dh.base, &lowPrivKey->u.dh.prime,
++ &lowPrivKey->u.dh.privateValue, &item, 0);
++ if (rv != SECSuccess)
{
++ return CKR_GENERAL_ERROR;
++ }
++ lowPubValue = SECITEM_DupItem(&item);
++ SECITEM_ZfreeItem(&item, PR_FALSE);
++ pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE);
++ break;
++ case CKK_EC:
++ rv = EC_NewKeyFromSeed(&lowPrivKey->u.ec.ecParams, &ecPriv,
++ lowPrivKey->u.ec.privateValue.data,
++ lowPrivKey->u.ec.privateValue.len);
++ if (rv != SECSuccess) {
++ return CKR_GENERAL_ERROR;
++ }
++ /* make sure it has the same encoding */
++ if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
++ lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) {
++ lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
++ } else {
++ lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
++ SEC_ASN1_GET(SEC_OctetStringTemplate));;
++ }
++ pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT);
++ /* clear out our generated private key */
++ PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE);
++ break;
++ default:
++ return CKR_DEVICE_ERROR;
+ }
+-
+- crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey);
+- if (crv != CKR_OK) {
+- sftk_FreeAttribute(pubAttribute);
+- return crv;
++ /* now compare new public key with our already generated key */
++ if ((pubAttribute == NULL) || (lowPubValue == NULL) ||
++ (pubAttribute->attrib.ulValueLen != lowPubValue->len) ||
++ (PORT_Memcmp(pubAttribute->attrib.pValue, lowPubValue->data,
++ lowPubValue->len) != 0)) {
++ if (pubAttribute) sftk_FreeAttribute(pubAttribute);
++ if (lowPubValue) SECITEM_ZfreeItem(lowPubValue, PR_TRUE);
++ PORT_SetError(SEC_ERROR_BAD_KEY);
++ return CKR_GENERAL_ERROR;
+ }
++ SECITEM_ZfreeItem(lowPubValue, PR_TRUE);
++
+ /* FIPS requires full validation, but in fipx mode NSC_Derive
+ * only does partial validation with approved primes, now handle
+ * full validation */
+@@ -5159,44 +5167,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+ SECItem pubKey;
+ SECItem prime;
+ SECItem subPrime;
++ SECItem base;
++ SECItem generator;
+ const SECItem *subPrimePtr =
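Review bot: `SECItem item;` is handed to `DH_Derive` as its output in the new `CKK_DH` case without being initialised, and whether `DH_Derive` tolerates stale `data`/`len` in that argument is not visible in this hunk; declaring it as `SECItem item = { siBuffer, NULL, 0 };` removes the doubt. In the same hunk the `lowPrivKey == NULL` path returns `sftk_MapCryptError(PORT_GetError())` and drops the `crv` that `sftk_GetPrivKey` was given, so the caller may see a stale error if that helper reports only through `crv`. The new comment reads "recalculating the public can an compare it"; `by recalculating the public key and comparing it to our own public key` says what is meant. sftk_PairwiseConsistencyCheck begins and ends outside this hunk.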
&subPrime;
+
+ pubKey.data = pubAttribute->attrib.pValue;
+ pubKey.len = pubAttribute->attrib.ulValueLen;
+- prime.data = subPrime.data = NULL;
+- prime.len = subPrime.len = 0;
++ base.data = prime.data = subPrime.data = NULL;
++ base.len = prime.len = subPrime.len = 0;
+ crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME);
+ if (crv != CKR_OK) {
+ goto done;
+ }
+- crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME);
++ crv = sftk_Attribute2SecItem(NULL, &base, privateKey, CKA_BASE);
++ if (crv != CKR_OK) {
++ goto done;
++ }
+ /* we ignore the return code an only look at the length */
+- if (subPrime.len == 0) {
+- /* subprime not supplied, In this case look it up.
+- * This only works with approved primes, but in FIPS mode
+- * that's the only kine of prime that will get here */
+- subPrimePtr = sftk_VerifyDH_Prime(&prime, isFIPS);
+- if (subPrimePtr == NULL) {
+- crv = CKR_GENERAL_ERROR;
++ /* do we have a known prime ? */
++ subPrimePtr = sftk_VerifyDH_Prime(&prime, &generator, isFIPS);
++ if (subPrimePtr == NULL) {
++ if (subPrime.len == 0) {
++ /* if not a known prime, subprime must be supplied */
++ crv = CKR_ATTRIBUTE_VALUE_INVALID;
++ goto done;
++ } else {
++ /* not a known prime, check for primality of prime
++ * and subPrime */
++ if (!KEA_PrimeCheck(&prime)) {
++ crv = CKR_ATTRIBUTE_VALUE_INVALID;
++ goto done;
++ }
++ if (!KEA_PrimeCheck(&subPrime)) {
++ crv = CKR_ATTRIBUTE_VALUE_INVALID;
++ goto done;
++ }
++ /* if we aren't using a defined group, make sure base is in the
++ * subgroup. If it's not, then our key could fail or succeed sometimes.
++ * This makes the failure reliable */
++ if (!KEA_Verify(&base, &prime, (SECItem *)subPrimePtr)) {
++ crv = CKR_ATTRIBUTE_VALUE_INVALID;
++ }
++ }
++ subPrimePtr = &subPrime;
++ } else {
++ /* we're using a known group, make sure we are using the known generator for that group */
++ if (SECITEM_CompareItem(&generator, &base) != 0) {
++ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto done;
+ }
++ if (subPrime.len != 0) {
++ /* we have a known prime and a supplied subPrime,
++ * make sure the subPrime matches the subPrime for
++ * the known Prime */
++ if (SECITEM_CompareItem(subPrimePtr, &subPrime) != 0) {
++ crv = CKR_ATTRIBUTE_VALUE_INVALID;
++ goto done;
++ }
++ }
+ }
+ if (!KEA_Verify(&pubKey, &prime, (SECItem *)subPrimePtr)) {
+- crv = CKR_GENERAL_ERROR;
++ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ done:
++ SECITEM_ZfreeItem(&base, PR_FALSE);
+ SECITEM_ZfreeItem(&subPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&prime, PR_FALSE);
+ }
+ /* clean up before we return */
+ sftk_FreeAttribute(pubAttribute);
+- crv2 = NSC_DestroyObject(hSession, newKey);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+- if (crv2 != CKR_OK) {
+- return crv2;
+- }
+ }
+
+ return CKR_OK;
+@@ -5714,8 +5756,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
+ * created and linked.
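Review bot: `subPrime` is zeroed at the top of this block and then never filled, because the removed duplicate `CKA_PRIME` read was replaced by the `CKA_BASE` read rather than by a sub-prime read. As far as this hunk shows, `subPrime.len == 0` is therefore always true, so every key on a prime that `sftk_VerifyDH_Prime` does not recognise is rejected and the supplied-versus-known sub-prime comparison in the `else` branch never runs. The surviving comment `we ignore the return code an only look at the length` suggests the intended line above it is `(void)sftk_Attribute2SecItem(NULL, &subPrime, privateKey, CKA_SUBPRIME);`, written so that a missing attribute does not leave an error in `crv`. With that restored, `KEA_Verify(&base, &prime, (SECItem *)subPrimePtr)` is reached while `subPrimePtr` is still NULL on that branch; it should pass `&subPrime` and `goto done` on failure. The enclosing function starts outside the hunk.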
+ */
+ crv = sftk_handleObject(publicKey, session);
+- sftk_FreeSession(session);
+ if (crv != CKR_OK) {
++ sftk_FreeSession(session);
+ sftk_FreeObject(publicKey);
+ NSC_DestroyObject(hSession, privateKey->handle);
+ sftk_FreeObject(privateKey);
+@@ -5757,6 +5799,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
+ }
+
+ if (crv != CKR_OK) {
++ sftk_FreeSession(session);
+ NSC_DestroyObject(hSession, publicKey->handle);
+ sftk_FreeObject(publicKey);
+ NSC_DestroyObject(hSession, privateKey->handle);
+@@ -5766,6 +5809,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
+ /* we need to do this check at the end to make sure the generated key meets the key length requirements */
+ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
+ publicKey->isFIPS = privateKey->isFIPS;
++ session->lastOpWasFIPS = privateKey->isFIPS;
++ sftk_FreeSession(session);
+
+ *phPrivateKey = privateKey->handle;
+ *phPublicKey = publicKey->handle;
+@@ -8386,7 +8431,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+
+ /* if the prime is an approved prime, we can skip all the other
+ * checks.
*/
+- subPrime = sftk_VerifyDH_Prime(&dhPrime, isFIPS);
++ subPrime = sftk_VerifyDH_Prime(&dhPrime, NULL, isFIPS);
+ if (subPrime == NULL) {
+ SECItem dhSubPrime;
+ /* If the caller set the subprime value, it means that
+@@ -8568,6 +8613,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+ secretlen = tmp.len;
+ } else {
+ secretlen = keySize;
++ key->isFIPS = PR_FALSE;
+ crv = sftk_ANSI_X9_63_kdf(&secret, keySize,
+ &tmp, mechParams->pSharedData,
+ mechParams->ulSharedDataLen, mechParams->kdf);
+diff -up ./lib/softoken/pkcs11.c.fips-review ./lib/softoken/pkcs11.c
+--- ./lib/softoken/pkcs11.c.fips-review 2023-06-04 01:42:53.000000000 -0700
++++ ./lib/softoken/pkcs11.c 2023-06-12 15:30:23.454233181 -0700
+@@ -4625,7 +4625,10 @@ NSC_CreateObject(CK_SESSION_HANDLE hSess
+ if (object == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+- object->isFIPS = PR_FALSE; /* if we created the object on the fly,
++ /* object types that we aren't allowed to create in FIPS mode are
++ * already rejected explicitly. If we get here, then the object is
++ * FIPS OK (most notably public key objects )*/
++ /* object->isFIPS = PR_FALSE; if we created the object on the fly,
+ * it's not a FIPS object */
+
+ /*
+diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h
+--- ./lib/softoken/pkcs11i.h.fips-review 2023-06-12 15:29:04.097403894 -0700
++++ ./lib/softoken/pkcs11i.h 2023-06-12 15:30:23.454233181 -0700
+@@ -971,7 +971,7 @@ char **NSC_ModuleDBFunc(unsigned long fu
+ /* dh verify functions */
+ /* verify that dhPrime matches one of our known primes, and if so return
+ * it's subprime value */
+-const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS);
++const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, SECItem *generator, PRBool isFIPS);
+ /* check if dhSubPrime claims dhPrime is a safe prime.
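Review bot: The `NSC_CreateObject` hunk in pkcs11.c turns `object->isFIPS = PR_FALSE;` into a comment, so the FIPS indicator of every object created through this path now depends on whatever the object allocator left in the field, which this hunk does not show. Because the same patch copies `isFIPS` into `session->lastOpWasFIPS` elsewhere, the value is worth assigning explicitly here (for example `object->isFIPS = PR_TRUE;`, if approved-by-default is the intent) rather than inheriting a default. The commented-out statement and its old rationale `it's not a FIPS object` now contradict the new comment above them and should be deleted. The claim that disallowed object types are "already rejected explicitly" refers to code outside the hunk; naming the function that does the rejecting would let a reader verify it.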
*/ + SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe); + /* map an operation Attribute to a Mechanism flag */ +diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c +--- ./lib/softoken/pkcs11u.c.fips-review 2023-06-12 15:29:04.097403894 -0700 ++++ ./lib/softoken/pkcs11u.c 2023-06-12 15:30:23.454233181 -0700 +@@ -2403,15 +2403,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME + switch (mechInfo->special) { + case SFTKFIPSDH: { + SECItem dhPrime; ++ SECItem dhBase; ++ SECItem dhGenerator; ++ PRBool val = PR_FALSE; + const SECItem *dhSubPrime; + CK_RV crv = sftk_Attribute2SecItem(NULL, &dhPrime, + source, CKA_PRIME); + if (crv != CKR_OK) { + return PR_FALSE; + } +- dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, PR_TRUE); ++ crv = sftk_Attribute2SecItem(NULL, &dhBase, source, CKA_BASE); ++ if (crv != CKR_OK) { ++ return PR_FALSE; ++ } ++ dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, &dhGenerator, PR_TRUE); ++ val = (dhSubPrime) ? PR_TRUE : PR_FALSE; ++ if (val && (SECITEM_CompareItem(&dhBase, &dhGenerator) != 0)) { ++ val = PR_FALSE; ++ } + SECITEM_ZfreeItem(&dhPrime, PR_FALSE); +- return (dhSubPrime) ? 
PR_TRUE : PR_FALSE; ++ SECITEM_ZfreeItem(&dhBase, PR_FALSE); ++ return val; + } + case SFTKFIPSNone: + return PR_FALSE; +diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c +--- ./lib/softoken/sftkdhverify.c.fips-review 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/softoken/sftkdhverify.c 2023-06-12 15:30:23.455233191 -0700 +@@ -6726,11 +6726,20 @@ static const SECItem subprime_tls_8192 = + (unsigned char *)subprime_tls_8192_data, + sizeof(subprime_tls_8192_data) }; + ++/* generator for all the groups is 2 */ ++static const unsigned char generator_2_data[] = { 2 }; ++ ++ ++static const SECItem generator_2 = ++ { siBuffer, ++ (unsigned char *)generator_2_data, ++ sizeof(generator_2_data) }; ++ + /* + * verify that dhPrime matches one of our known primes + */ + const SECItem * +-sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS) ++sftk_VerifyDH_Prime(SECItem *dhPrime, SECItem *g, PRBool isFIPS) + { + /* use the length to decide which primes to check */ + switch (dhPrime->len) { +@@ -6741,56 +6750,67 @@ sftk_VerifyDH_Prime(SECItem *dhPrime, PR + } + if (PORT_Memcmp(dhPrime->data, prime_ike_1536, + sizeof(prime_ike_1536)) == 0) { ++ if (g) *g = generator_2; + return &subprime_ike_1536; + } + break; + case 2048 / PR_BITS_PER_BYTE: + if (PORT_Memcmp(dhPrime->data, prime_tls_2048, + sizeof(prime_tls_2048)) == 0) { ++ if (g) *g = generator_2; + return &subprime_tls_2048; + } + if (PORT_Memcmp(dhPrime->data, prime_ike_2048, + sizeof(prime_ike_2048)) == 0) { ++ if (g) *g = generator_2; + return &subprime_ike_2048; + } + break; + case 3072 / PR_BITS_PER_BYTE: + if (PORT_Memcmp(dhPrime->data, prime_tls_3072, + sizeof(prime_tls_3072)) == 0) { ++ if (g) *g = generator_2; + return &subprime_tls_3072; + } + if (PORT_Memcmp(dhPrime->data, prime_ike_3072, + sizeof(prime_ike_3072)) == 0) { ++ if (g) *g = generator_2; + return &subprime_ike_3072; + } + break; + case 4096 / PR_BITS_PER_BYTE: + if (PORT_Memcmp(dhPrime->data, prime_tls_4096, + 
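Review bot: In the SFTKFIPSDH case of sftk_handleSpecial, the early `return PR_FALSE;` added after the CKA_BASE lookup leaks `dhPrime`, which the preceding sftk_Attribute2SecItem call has already filled and which is released only on the success path. Free it before returning: `if (crv != CKR_OK) { SECITEM_ZfreeItem(&dhPrime, PR_FALSE); return PR_FALSE; }`. `dhGenerator` is read only when `val` is true, so it is not used uninitialised today, but `SECItem dhGenerator = { siBuffer, NULL, 0 };` would make that independent of the short-circuit order. The function starts outside the hunk.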
sizeof(prime_tls_4096)) == 0) { ++ if (g) *g = generator_2; + return &subprime_tls_4096; + } + if (PORT_Memcmp(dhPrime->data, prime_ike_4096, + sizeof(prime_ike_4096)) == 0) { ++ if (g) *g = generator_2; + return &subprime_ike_4096; + } + break; + case 6144 / PR_BITS_PER_BYTE: + if (PORT_Memcmp(dhPrime->data, prime_tls_6144, + sizeof(prime_tls_6144)) == 0) { ++ if (g) *g = generator_2; + return &subprime_tls_6144; + } + if (PORT_Memcmp(dhPrime->data, prime_ike_6144, + sizeof(prime_ike_6144)) == 0) { ++ if (g) *g = generator_2; + return &subprime_ike_6144; + } + break; + case 8192 / PR_BITS_PER_BYTE: + if (PORT_Memcmp(dhPrime->data, prime_tls_8192, + sizeof(prime_tls_8192)) == 0) { ++ if (g) *g = generator_2; + return &subprime_tls_8192; + } + if (PORT_Memcmp(dhPrime->data, prime_ike_8192, + sizeof(prime_ike_8192)) == 0) { ++ if (g) *g = generator_2; + return &subprime_ike_8192; + } + break; +diff -up ./lib/softoken/sftkike.c.fips-review ./lib/softoken/sftkike.c +--- ./lib/softoken/sftkike.c.fips-review 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/softoken/sftkike.c 2023-06-12 15:30:23.455233191 -0700 +@@ -516,6 +516,11 @@ sftk_ike_prf(CK_SESSION_HANDLE hSession, + goto fail; + } + } else { ++ /* ikev1 isn't validated, if we use this function in ikev1 mode, ++ * mark the resulting key as not FIPS */ ++ if (!params->bRekey) { ++ outKey->isFIPS = PR_FALSE; ++ } + crv = prf_init(&context, inKey->attrib.pValue, + inKey->attrib.ulValueLen); + if (crv != CKR_OK) { diff --git a/nss-3.79-fips.patch b/nss-3.79-fips.patch new file mode 100644 index 0000000..07c500f --- /dev/null +++ b/nss-3.79-fips.patch 
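Review bot: The new `g` out-parameter of sftk_VerifyDH_Prime is undocumented, and its ownership rule matters: `*g = generator_2` is a shallow copy whose `data` points at the static `generator_2_data`, so a caller that later hands the item to SECITEM_FreeItem or SECITEM_ZfreeItem would free static storage. I would extend the header comment to something like `/* if g is non-NULL and the prime is known, *g is set to a static generator item: do not free or modify it; *g is untouched when NULL is returned */`. The repeated `if (g) *g = generator_2;` lines are also unbraced one-liners, unlike the surrounding code; braces or a small static helper would match the file's style. The switch continues outside the hunk, so the "untouched on NULL" wording should be checked against the remaining cases.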
@@ -0,0 +1,578 @@ +diff --git a/lib/freebl/config.mk b/lib/freebl/config.mk +--- a/lib/freebl/config.mk ++++ b/lib/freebl/config.mk +@@ -85,9 +85,13 @@ EXTRA_SHARED_LIBS += \ + $(NULL) + endif + endif + + ifeq ($(OS_ARCH), Darwin) + EXTRA_SHARED_LIBS += -dylib_file @executable_path/libplc4.dylib:$(DIST)/lib/libplc4.dylib -dylib_file @executable_path/libplds4.dylib:$(DIST)/lib/libplds4.dylib + endif + ++ifdef NSS_FIPS_140_3 ++DEFINES += -DNSS_FIPS_140_3 + endif ++ ++endif +diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c +--- a/lib/freebl/unix_urandom.c ++++ b/lib/freebl/unix_urandom.c +@@ -20,53 +20,110 @@ RNG_SystemInfoForRNG(void) + if (!numBytes) { + /* error is set */ + return; + } + RNG_RandomUpdate(bytes, numBytes); + PORT_Memset(bytes, 0, sizeof bytes); + } + ++#ifdef NSS_FIPS_140_3 ++#include ++#include "prinit.h" ++ ++static int rng_grndFlags= 0; ++static PRCallOnceType rng_KernelFips; ++ ++static PRStatus ++rng_getKernelFips() ++{ ++#ifdef LINUX ++ FILE *f; ++ char d; ++ size_t size; ++ ++ f = fopen("/proc/sys/crypto/fips_enabled", "r"); ++ if (!f) ++ return PR_FAILURE; ++ ++ size = fread(&d, 1, 1, f); ++ fclose(f); ++ if (size != 1) ++ return PR_SUCCESS; ++ if (d != '1') ++ return PR_SUCCESS; ++ /* if the kernel is in FIPS mode, set the GRND_RANDOM flag */ ++ rng_grndFlags = GRND_RANDOM; ++#endif /* LINUX */ ++ return PR_SUCCESS; ++} ++#endif ++ + size_t + RNG_SystemRNG(void *dest, size_t maxLen) + { ++ size_t fileBytes = 0; ++ unsigned char *buffer = dest; ++#ifndef NSS_FIPS_140_3 + int fd; + int bytes; +- size_t fileBytes = 0; +- unsigned char *buffer = dest; ++#else ++ PR_CallOnce(&rng_KernelFips, rng_getKernelFips); ++#endif + + #if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD_version >= 1200000) || (defined(LINUX) && defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25)))) + int result; +- + while (fileBytes < maxLen) { + size_t getBytes = maxLen - fileBytes; + if (getBytes > 
GETENTROPY_MAX_BYTES) { + getBytes = GETENTROPY_MAX_BYTES; + } ++#ifdef NSS_FIPS_140_3 ++ /* FIP 140-3 requires full kernel reseeding for chained entropy sources ++ * so we need to use getrandom with GRND_RANDOM. ++ * getrandom returns -1 on failure, otherwise returns ++ * the number of bytes, which can be less than getBytes */ ++ result = getrandom(buffer, getBytes, rng_grndFlags); ++ if (result < 0) { ++ break; ++ } ++ fileBytes += result; ++ buffer += result; ++#else ++ /* get entropy returns 0 on success and always return ++ * getBytes on success */ + result = getentropy(buffer, getBytes); + if (result == 0) { /* success */ + fileBytes += getBytes; + buffer += getBytes; + } else { + break; + } ++#endif + } + if (fileBytes == maxLen) { /* success */ + return maxLen; + } ++#ifdef NSS_FIPS_140_3 ++ /* in FIPS 104-3 we don't fallback, just fail */ ++ PORT_SetError(SEC_ERROR_NEED_RANDOM); ++ return 0; ++#else + /* If we failed with an error other than ENOSYS, it means the destination + * buffer is not writeable. We don't need to try writing to it again. */ + if (errno != ENOSYS) { + PORT_SetError(SEC_ERROR_NEED_RANDOM); + return 0; + } ++#endif /*!NSS_FIPS_140_3 */ ++#endif /* platorm has getentropy */ ++#ifndef NSS_FIPS_140_3 + /* ENOSYS means the kernel doesn't support getentropy()/getrandom(). + * Reset the number of bytes to get and fall back to /dev/urandom. 
*/ + fileBytes = 0; +-#endif + fd = open("/dev/urandom", O_RDONLY); + if (fd < 0) { + PORT_SetError(SEC_ERROR_NEED_RANDOM); + return 0; + } + while (fileBytes < maxLen) { + bytes = read(fd, buffer, maxLen - fileBytes); + if (bytes <= 0) { +@@ -76,9 +133,10 @@ RNG_SystemRNG(void *dest, size_t maxLen) + buffer += bytes; + } + (void)close(fd); + if (fileBytes != maxLen) { + PORT_SetError(SEC_ERROR_NEED_RANDOM); + return 0; + } + return fileBytes; ++#endif + } +diff --git a/lib/softoken/config.mk b/lib/softoken/config.mk +--- a/lib/softoken/config.mk ++++ b/lib/softoken/config.mk +@@ -58,8 +58,12 @@ endif + ifdef NSS_ENABLE_FIPS_INDICATORS + DEFINES += -DNSS_ENABLE_FIPS_INDICATORS + endif + + ifdef NSS_FIPS_MODULE_ID + DEFINES += -DNSS_FIPS_MODULE_ID=\"${NSS_FIPS_MODULE_ID}\" + endif + ++ifdef NSS_FIPS_140_3 ++DEFINES += -DNSS_FIPS_140_3 ++endif ++ +diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c +--- a/lib/softoken/lowpbe.c ++++ b/lib/softoken/lowpbe.c +@@ -1766,16 +1766,20 @@ sftk_fips_pbkdf_PowerUpSelfTests(void) + unsigned char iteration_count = 5; + unsigned char keyLen = 64; + char *inKeyData = TEST_KEY; +- static const unsigned char saltData[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; ++ static const unsigned char saltData[] = { ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f ++ }; ++ + static const unsigned char pbkdf_known_answer[] = { +- 0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29, +- 0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c, +- 0x28, 0x59, 0x8b, 0x5c, 0xd8, 0xd4, 0x02, 0x37, +- 0x18, 0x22, 0xc1, 0x92, 0xd0, 0xfa, 0x72, 0x90, +- 0x2c, 0x8d, 0x19, 0xd4, 0x56, 0xfb, 0x16, 0xfa, +- 0x8d, 0x5c, 0x06, 0x33, 0xd1, 0x5f, 0x17, 0xb1, +- 0x22, 0xd9, 0x9c, 0xaf, 0x5e, 0x3f, 0xf3, 0x66, +- 0xc6, 0x14, 0xfe, 0x83, 0xfa, 0x1a, 0x2a, 0xc5 ++ 0x73, 0x8c, 0xfa, 0x02, 0xe8, 0xdb, 0x43, 0xe4, ++ 0x99, 0xc5, 0xfd, 0xd9, 0x4d, 0x8e, 0x3e, 0x7b, ++ 0xc4, 0xda, 0x22, 0x1b, 0xe1, 0xae, 0x23, 0x7a, 
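Review bot: In the NSS_FIPS_140_3 branch of RNG_SystemRNG, `if (result < 0) { break; }` treats every getrandom() failure as fatal, including EINTR, so a signal delivered while the call blocks makes the function return 0 with SEC_ERROR_NEED_RANDOM although a retry would succeed. I would retry on interruption, `if (result < 0) { if (errno == EINTR) continue; break; }`, and declare `result` as `ssize_t` to match getrandom()'s return type. Separately, when NSS_FIPS_140_3 is defined on a platform that does not satisfy the getentropy `#if`, the preprocessed body ends without a `return`, because the final `#endif` added by the following hunk removes the /dev/urandom fallback; an `#error`, or an explicit `PORT_SetError(SEC_ERROR_NEED_RANDOM); return 0;`, would make that configuration fail visibly. The PR_CallOnce() result is also ignored, so a failed open of the fips_enabled file leaves `rng_grndFlags` at 0, which is probably intended but deserves a comment.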
++ 0x21, 0x27, 0xbd, 0xcc, 0x78, 0xc4, 0xe6, 0xc5, ++ 0x33, 0x38, 0x35, 0xe0, 0x68, 0x1a, 0x1e, 0x06, ++ 0xad, 0xaf, 0x7f, 0xd7, 0x3f, 0x0e, 0xc0, 0x90, ++ 0x17, 0x97, 0x73, 0x75, 0x7b, 0x88, 0x49, 0xd8, ++ 0x6f, 0x78, 0x5a, 0xde, 0x50, 0x20, 0x55, 0x33 + }; + + sftk_PBELockInit(); +diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c +--- a/lib/softoken/pkcs11c.c ++++ b/lib/softoken/pkcs11c.c +@@ -4609,16 +4609,17 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi + goto loser; + } + + /* make sure we don't have any class, key_type, or value fields */ + sftk_DeleteAttributeType(key, CKA_CLASS); + sftk_DeleteAttributeType(key, CKA_KEY_TYPE); + sftk_DeleteAttributeType(key, CKA_VALUE); + ++ + /* Now Set up the parameters to generate the key (based on mechanism) */ + key_gen_type = nsc_bulk; /* bulk key by default */ + switch (pMechanism->mechanism) { + case CKM_CDMF_KEY_GEN: + case CKM_DES_KEY_GEN: + case CKM_DES2_KEY_GEN: + case CKM_DES3_KEY_GEN: + checkWeak = PR_TRUE; +@@ -4812,16 +4813,19 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi + crv = sftk_handleObject(key, session); + sftk_FreeSession(session); + if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) { + crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL)); + } + if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) { + crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL)); + } ++ /* we need to do this check at the end, so we can check the generated key length against ++ * fips requirements */ ++ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key); + if (crv == CKR_OK) { + *phKey = key->handle; + } + loser: + PORT_Memset(buf, 0, sizeof buf); + sftk_FreeObject(key); + return crv; + } +@@ -5780,16 +5784,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + + if (crv != CKR_OK) { + NSC_DestroyObject(hSession, publicKey->handle); + sftk_FreeObject(publicKey); + NSC_DestroyObject(hSession, privateKey->handle); + 
sftk_FreeObject(privateKey); + return crv; + } ++ /* we need to do this check at the end to make sure the generated key meets the key length requirements */ ++ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey); ++ publicKey->isFIPS = privateKey->isFIPS; + + *phPrivateKey = privateKey->handle; + *phPublicKey = publicKey->handle; + sftk_FreeObject(publicKey); + sftk_FreeObject(privateKey); + + return CKR_OK; + } +@@ -6990,16 +6997,17 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ + } + + /* HKDF-Extract(salt, base key value) */ + if (params->bExtract) { + CK_BYTE *salt; + CK_ULONG saltLen; + HMACContext *hmac; + unsigned int bufLen; ++ SFTKSource saltKeySource = SFTK_SOURCE_DEFAULT; + + switch (params->ulSaltType) { + case CKF_HKDF_SALT_NULL: + saltLen = hashLen; + salt = hashbuf; + memset(salt, 0, saltLen); + break; + case CKF_HKDF_SALT_DATA: +@@ -7026,29 +7034,54 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ + if (isFIPS && (key->isFIPS == 0) && (saltKey->isFIPS == 1)) { + CK_MECHANISM mech; + mech.mechanism = CKM_HKDF_DERIVE; + mech.pParameter = params; + mech.ulParameterLen = sizeof(*params); + key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech, + CKA_DERIVE, saltKey); + } ++ saltKeySource = saltKey->source; + saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE); + if (saltKey_att == NULL) { + sftk_FreeObject(saltKey); + return CKR_KEY_HANDLE_INVALID; + } + /* save the resulting salt */ + salt = saltKey_att->attrib.pValue; + saltLen = saltKey_att->attrib.ulValueLen; + break; + default: + return CKR_MECHANISM_PARAM_INVALID; + break; + } ++ /* only TLS style usage is FIPS approved, ++ * turn off the FIPS indicator for other usages */ ++ if (isFIPS && key && sourceKey) { ++ PRBool fipsOK = PR_FALSE; ++ /* case one: mix the kea with a previous or default ++ * salt */ ++ if ((sourceKey->source == SFTK_SOURCE_KEA) && ++ (saltKeySource == SFTK_SOURCE_HKDF_EXPAND) && ++ (saltLen == rawHash->length)) { ++ fipsOK = PR_TRUE; 
++ } ++ /* case two: restart, remix the previous secret as a salt */ ++ if ((sourceKey->objclass == CKO_DATA) && ++ (NSS_SecureMemcmpZero(sourceKeyBytes, sourceKeyLen) == 0) && ++ (sourceKeyLen == rawHash->length) && ++ (saltKeySource == SFTK_SOURCE_HKDF_EXPAND) && ++ (saltLen == rawHash->length)) { ++ fipsOK = PR_TRUE; ++ } ++ if (!fipsOK) { ++ key->isFIPS = PR_FALSE; ++ } ++ } ++ if (key) key->source = SFTK_SOURCE_HKDF_EXTRACT; + + hmac = HMAC_Create(rawHash, salt, saltLen, isFIPS); + if (saltKey_att) { + sftk_FreeAttribute(saltKey_att); + } + if (saltKey) { + sftk_FreeObject(saltKey); + } +@@ -7076,16 +7109,40 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ + /* T(1) = HMAC-Hash(prk, "" | info | 0x01) + * T(n) = HMAC-Hash(prk, T(n-1) | info | n + * key material = T(1) | ... | T(n) + */ + HMACContext *hmac; + CK_BYTE bi; + unsigned iterations; + ++ /* only TLS style usage is FIPS approved, ++ * turn off the FIPS indicator for other usages */ ++ if (isFIPS && key && key->isFIPS && sourceKey) { ++ unsigned char *info=¶ms->pInfo[3]; ++ /* only one case, ++ * 1) Expand only ++ * 2) with a key whose source was ++ * SFTK_SOURCE_HKDF_EXPAND or SFTK_SOURCE_HKDF_EXTRACT ++ * 3) source key length == rawHash->length ++ * 4) Info has tls or dtls ++ * If any of those conditions aren't met, then we turn ++ * off the fips indicator */ ++ if (params->bExtract || ++ ((sourceKey->source != SFTK_SOURCE_HKDF_EXTRACT) && ++ (sourceKey->source != SFTK_SOURCE_HKDF_EXPAND)) || ++ (sourceKeyLen != rawHash->length) || ++ (params->ulInfoLen < 7) || ++ ((PORT_Memcmp(info,"tls",3) != 0) && ++ (PORT_Memcmp(info,"dtls",4) != 0))) { ++ key->isFIPS = PR_FALSE; ++ } ++ } ++ if (key) key->source = SFTK_SOURCE_HKDF_EXPAND; ++ + genLen = PR_ROUNDUP(keySize, hashLen); + iterations = genLen / hashLen; + + if (genLen > sizeof(keyBlock)) { + keyBlockAlloc = PORT_Alloc(genLen); + if (keyBlockAlloc == NULL) { + return CKR_HOST_MEMORY; + } +@@ -8434,16 +8491,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + + 
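Review bot: In the HKDF expand check, the `info` pointer is formed from `params->pInfo` at offset 3 before `ulInfoLen` is tested, and nothing in the hunk rejects a NULL `pInfo`, so caller-supplied CK_HKDF_PARAMS with `ulInfoLen >= 7` and a NULL `pInfo` would reach PORT_Memcmp with an invalid pointer; whether sftk_HKDF validates `pInfo` earlier is not visible here. Adding `(params->pInfo == NULL) ||` ahead of the length test, and taking the address only after it, would close that. The constants 3 and 7 and the `"tls"`/`"dtls"` prefixes also need a comment naming the label layout they assume (presumably the TLS 1.3 HkdfLabel: two length bytes, one label-length byte, then the label), since this comparison alone decides whether the derived key keeps its FIPS-approved indicator. sftk_HKDF starts and ends outside the hunk.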
/* calculate private value - oct */ + rv = DH_Derive(&dhPublic, &dhPrime, &dhValue, &derived, keySize); + + SECITEM_ZfreeItem(&dhPrime, PR_FALSE); + SECITEM_ZfreeItem(&dhValue, PR_FALSE); + + if (rv == SECSuccess) { ++ key->source = SFTK_SOURCE_KEA; + sftk_forceAttribute(key, CKA_VALUE, derived.data, derived.len); + SECITEM_ZfreeItem(&derived, PR_FALSE); + crv = CKR_OK; + } else + crv = CKR_HOST_MEMORY; + + break; + } +@@ -8564,16 +8622,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + } + PORT_Memcpy(&keyData[keySize - secretlen], secret, secretlen); + secret = keyData; + } else { + secret += (secretlen - keySize); + } + secretlen = keySize; + } ++ key->source = SFTK_SOURCE_KEA; + + sftk_forceAttribute(key, CKA_VALUE, secret, secretlen); + PORT_ZFree(tmp.data, tmp.len); + if (keyData) { + PORT_ZFree(keyData, keySize); + } + break; + +diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h +--- a/lib/softoken/pkcs11i.h ++++ b/lib/softoken/pkcs11i.h +@@ -147,16 +147,26 @@ typedef enum { + */ + typedef enum { + SFTK_DestroyFailure, + SFTK_Destroyed, + SFTK_Busy + } SFTKFreeStatus; + + /* ++ * Source of various objects ++ */ ++typedef enum { ++ SFTK_SOURCE_DEFAULT=0, ++ SFTK_SOURCE_KEA, ++ SFTK_SOURCE_HKDF_EXPAND, ++ SFTK_SOURCE_HKDF_EXTRACT ++} SFTKSource; ++ ++/* + * attribute values of an object. 
+ */ + struct SFTKAttributeStr { + SFTKAttribute *next; + SFTKAttribute *prev; + PRBool freeAttr; + PRBool freeData; + /*must be called handle to make sftkqueue_find work */ +@@ -189,16 +199,17 @@ struct SFTKObjectStr { + CK_OBJECT_CLASS objclass; + CK_OBJECT_HANDLE handle; + int refCount; + PZLock *refLock; + SFTKSlot *slot; + void *objectInfo; + SFTKFree infoFree; + PRBool isFIPS; ++ SFTKSource source; + }; + + struct SFTKTokenObjectStr { + SFTKObject obj; + SECItem dbKey; + }; + + struct SFTKSessionObjectStr { +diff --git a/lib/softoken/pkcs11u.c b/lib/softoken/pkcs11u.c +--- a/lib/softoken/pkcs11u.c ++++ b/lib/softoken/pkcs11u.c +@@ -1090,16 +1090,17 @@ sftk_NewObject(SFTKSlot *slot) + sessObject->attrList[i].freeData = PR_FALSE; + } + sessObject->optimizeSpace = slot->optimizeSpace; + + object->handle = 0; + object->next = object->prev = NULL; + object->slot = slot; + object->isFIPS = sftk_isFIPS(slot->slotID); ++ object->source = SFTK_SOURCE_DEFAULT; + + object->refCount = 1; + sessObject->sessionList.next = NULL; + sessObject->sessionList.prev = NULL; + sessObject->sessionList.parent = object; + sessObject->session = NULL; + sessObject->wasDerived = PR_FALSE; + if (!hasLocks) +@@ -1674,16 +1675,17 @@ fail: + CK_RV + sftk_CopyObject(SFTKObject *destObject, SFTKObject *srcObject) + { + SFTKAttribute *attribute; + SFTKSessionObject *src_so = sftk_narrowToSessionObject(srcObject); + unsigned int i; + + destObject->isFIPS = srcObject->isFIPS; ++ destObject->source = srcObject->source; + if (src_so == NULL) { + return sftk_CopyTokenObject(destObject, srcObject); + } + + PZ_Lock(src_so->attributeLock); + for (i = 0; i < src_so->hashSize; i++) { + attribute = src_so->head[i]; + do { +@@ -2059,16 +2061,17 @@ sftk_NewTokenObject(SFTKSlot *slot, SECI + /* every object must have a class, if we can't get it, the object + * doesn't exist */ + crv = handleToClass(slot, handle, &object->objclass); + if (crv != CKR_OK) { + goto loser; + } + object->slot = slot; + 
object->isFIPS = sftk_isFIPS(slot->slotID); ++ object->source = SFTK_SOURCE_DEFAULT; + object->objectInfo = NULL; + object->infoFree = NULL; + if (!hasLocks) { + object->refLock = PZ_NewLock(nssILockRefLock); + } + if (object->refLock == NULL) { + goto loser; + } +@@ -2225,16 +2228,25 @@ sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE + break; + case CKA_DERIVE: + flags = CKF_DERIVE; + break; + /* fake attribute to select digesting */ + case CKA_DIGEST: + flags = CKF_DIGEST; + break; ++ /* fake attribute to select key gen */ ++ case CKA_NSS_GENERATE: ++ flags = CKF_GENERATE; ++ break; ++ /* fake attribute to select key pair gen */ ++ case CKA_NSS_GENERATE_KEY_PAIR: ++ flags = CKF_GENERATE_KEY_PAIR; ++ break; ++ /* fake attributes to to handle MESSAGE* flags */ + case CKA_NSS_MESSAGE | CKA_ENCRYPT: + flags = CKF_MESSAGE_ENCRYPT; + break; + case CKA_NSS_MESSAGE | CKA_DECRYPT: + flags = CKF_MESSAGE_DECRYPT; + break; + case CKA_NSS_MESSAGE | CKA_SIGN: + flags = CKF_MESSAGE_SIGN; +@@ -2278,17 +2290,17 @@ sftk_quickGetECCCurveOid(SFTKObject *sou + } + + /* This function currently only returns valid lengths for + * FIPS approved ECC curves. If we want to make this generic + * in the future, that Curve determination can be done in + * the sftk_handleSpecial. 
Since it's currently only used + * in FIPS indicators, it's currently only compiled with + * the FIPS indicator code */ +-static int ++static CK_ULONG + sftk_getKeyLength(SFTKObject *source) + { + CK_KEY_TYPE keyType = CK_INVALID_HANDLE; + CK_ATTRIBUTE_TYPE keyAttribute; + CK_ULONG keyLength = 0; + SFTKAttribute *attribute; + CK_RV crv; + +diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h +--- a/lib/util/pkcs11n.h ++++ b/lib/util/pkcs11n.h +@@ -58,16 +58,18 @@ + /* + * NSS-defined certificate types + * + */ + #define CKC_NSS (CKC_VENDOR_DEFINED | NSSCK_VENDOR_NSS) + + /* FAKE PKCS #11 defines */ + #define CKA_DIGEST 0x81000000L ++#define CKA_NSS_GENERATE 0x81000001L ++#define CKA_NSS_GENERATE_KEY_PAIR 0x81000002L + #define CKA_NSS_MESSAGE 0x82000000L + #define CKA_NSS_MESSAGE_MASK 0xff000000L + #define CKA_FLAGS_ONLY 0 /* CKA_CLASS */ + + /* + * NSS-defined object attributes + * + */ diff --git a/nss-3.79-fix-client-cert-crash.patch b/nss-3.79-fix-client-cert-crash.patch deleted file mode 100644 index 2d752e4..0000000 --- a/nss-3.79-fix-client-cert-crash.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c ---- a/lib/ssl/authcert.c -+++ b/lib/ssl/authcert.c -@@ -201,16 +201,19 @@ NSS_GetClientAuthData(void *arg, - - /* otherwise look through the cache based on usage - * if chosenNickname is set, we ignore the expiration date */ - if (certList == NULL) { - certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), - certUsageSSLClient, - PR_FALSE, chosenNickName == NULL, - pw_arg); -+ if (certList == NULL) { -+ return SECFailure; -+ } - /* filter only the certs that meet the nickname requirements */ - if (chosenNickName) { - rv = CERT_FilterCertListByNickname(certList, chosenNickName, - pw_arg); - } else { - int nnames = 0; - char **names = ssl_DistNamesToStrings(caNames, &nnames); - rv = CERT_FilterCertListByCANames(certList, nnames, names, 
diff --git a/nss-3.79-pkcs12-fips-defaults.patch b/nss-3.79-pkcs12-fips-defaults.patch
new file mode 100644
index 0000000..fd8cb4d
--- /dev/null
+++ b/nss-3.79-pkcs12-fips-defaults.patch
@@ -0,0 +1,25 @@
+diff -up ./cmd/pk12util/pk12util.c.pkcs12_fips_defaults ./cmd/pk12util/pk12util.c
+--- ./cmd/pk12util/pk12util.c.pkcs12_fips_defaults 2022-07-20 13:40:24.152212683 -0700
++++ ./cmd/pk12util/pk12util.c 2022-07-20 13:42:40.031094190 -0700
+@@ -1146,6 +1146,11 @@ main(int argc, char **argv)
+ goto done;
+ }
+
++ if (PK11_IsFIPS()) {
++ cipher = SEC_OID_AES_256_CBC;
++ certCipher = SEC_OID_AES_128_CBC;
++ }
++
+ if (pk12util.options[opt_Cipher].activated) {
+ char *cipherString = pk12util.options[opt_Cipher].arg;
+
+@@ -1160,9 +1165,6 @@ main(int argc, char **argv)
+ }
+ }
+
+- if (PK11_IsFIPS()) {
+- certCipher = SEC_OID_UNKNOWN;
+- }
+ if (pk12util.options[opt_CertCipher].activated) {
+ char *cipherString = pk12util.options[opt_CertCipher].arg;
+
diff --git a/nss-3.79-pkcs12-fix-null-password.patch b/nss-3.79-pkcs12-fix-null-password.patch
deleted file mode 100644
index 1195e5c..0000000
--- a/nss-3.79-pkcs12-fix-null-password.patch
+++ /dev/null
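Review bot: The FIPS defaults added to pk12util's main() are applied before the `opt_Cipher` and `opt_CertCipher` option blocks, so an explicit option value still replaces them, and nothing visible in these two hunks checks that the replacement is an approved algorithm; if that is enforced elsewhere, a comment should say where. The new block also lacks a rationale, e.g. `/* FIPS mode: use AES-CBC defaults for the key and cert bags; explicit options below still override */`, and it would help to state why the cert bag defaults to AES-128 while the key bag defaults to AES-256. main() starts and ends outside the hunks.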
@@ -1,21 +0,0 @@ -diff -up ./lib/pkcs12/p12local.c.fix_null_password ./lib/pkcs12/p12local.c ---- ./lib/pkcs12/p12local.c.fix_null_password 2022-07-20 14:15:45.081009438 -0700 -+++ ./lib/pkcs12/p12local.c 2022-07-20 14:19:40.856546963 -0700 -@@ -968,15 +968,14 @@ sec_pkcs12_convert_item_to_unicode(PLAre - if (zeroTerm) { - /* unicode adds two nulls at the end */ - if (toUnicode) { -- if ((dest->len >= 2) && -- (dest->data[dest->len - 1] || dest->data[dest->len - 2])) { -+ if ((dest->len < 2) || dest->data[dest->len - 1] || dest->data[dest->len - 2]) { - /* we've already allocated space for these new NULLs */ - PORT_Assert(dest->len + 2 <= bufferSize); - dest->len += 2; - dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0; - } - /* ascii/utf-8 adds just 1 */ -- } else if ((dest->len >= 1) && dest->data[dest->len - 1]) { -+ } else if (!dest->len || dest->data[dest->len - 1]) { - PORT_Assert(dest->len + 1 <= bufferSize); - dest->len++; - dest->data[dest->len - 1] = 0; diff --git a/nss-3.79-r7-remove-explicit-ipv4.patch b/nss-3.79-r7-remove-explicit-ipv4.patch deleted file mode 100644 index 845dc6e..0000000 --- a/nss-3.79-r7-remove-explicit-ipv4.patch +++ /dev/null 
@@ -1,258 +0,0 @@ -diff -up ./tests/ssl/ssl.sh.remove-explicit-ipv4 ./tests/ssl/ssl.sh ---- ./tests/ssl/ssl.sh.remove-explicit-ipv4 2022-06-08 19:00:03.508875175 -0700 -+++ ./tests/ssl/ssl.sh 2022-06-08 19:02:17.230744026 -0700 -@@ -86,6 +86,8 @@ ssl_init() - NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal} - nss_ssl_run="stapling signed_cert_timestamps cov auth dtls scheme exporter" - NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} -+ IPVER=${NSS_CLIENT_IPVER} -+ - - # Test case files - if [ "${NSS_NO_SSL2}" = "1" ]; then -@@ -180,16 +182,16 @@ wait_for_selfserv() - { - #verbose="-v" - echo "trying to connect to selfserv at `date`" -- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" -+ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" - echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}" -- ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ -+ ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ - -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE} - if [ $? -ne 0 ]; then - sleep 5 - echo "retrying to connect to selfserv at `date`" - echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" - echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}" -- ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ -+ ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ - -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE} - if [ $? 
-ne 0 ]; then - if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then -@@ -395,11 +397,11 @@ ssl_cov() - - - -- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" -+ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" - echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" - - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null -- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ -+ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ - -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? -@@ -451,11 +453,11 @@ ssl_cov_rsa_pss() - - echo "$SCRIPTNAME: running $testname (RSA-PSS) ----------------------------" - -- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" -+ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" - echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" - - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null -- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ -+ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ - -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? 
-@@ -504,10 +506,10 @@ ssl_auth() - fi - start_selfserv `echo "$sparam" | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g'` - -- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" -+ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" - echo " ${cparam} < ${REQUEST_FILE}" - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null -- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \ -+ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \ - -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? -@@ -552,10 +554,10 @@ ssl_stapling_sub() - - start_selfserv - -- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" -+ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" - echo " -c v -T -O -F -M 1 -V ssl3:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE}" - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null -- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ -+ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ - -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? 
-@@ -596,10 +598,10 @@ ssl_stapling_stress() - echo "${testname}" - start_selfserv - -- echo "strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\" -+ echo "strsclnt ${IPVER} -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\" - echo " -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}" - echo "strsclnt started at `date`" -- ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \ -+ ${PROFTOOL} ${BINDIR}/strsclnt ${IPVER} -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \ - -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR} - ret=$? - -@@ -662,10 +664,10 @@ ssl_signed_cert_timestamps() - - # Since we don't have server-side support, this test only covers advertising the - # extension in the client hello. -- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" -+ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" - echo " -U -V tls1.0:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE}" - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null -- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ -+ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ - -d ${P_R_CLIENTDIR} $verbose -U -V tls1.0:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? -@@ -721,10 +723,10 @@ ssl_stress() - dbdir=${P_R_CLIENTDIR} - fi - -- echo "strsclnt -4 -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \\" -+ echo "strsclnt ${IPVER} -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \\" - echo " -V ssl3:tls1.2 $verbose ${HOSTADDR}" - echo "strsclnt started at `date`" -- ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \ -+ ${PROFTOOL} ${BINDIR}/strsclnt ${IPVER} -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \ - -V ssl3:tls1.2 $verbose ${HOSTADDR} - ret=$? 
- echo "strsclnt completed at `date`" -@@ -813,10 +815,10 @@ ssl_crl_ssl() - cparam=`echo $_cparam | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g' -e "s/TestUser/$USER_NICKNAME/g" ` - start_selfserv `echo "$sparam" | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g'` - -- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" -+ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" - echo " ${cparam} < ${REQUEST_FILE}" - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null -- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ -+ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ - -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? -@@ -908,11 +910,11 @@ ssl_policy() - policy=`echo ${policy} | sed -e 's;_; ;g'` - setup_policy "$policy" ${P_R_CLIENTDIR} - -- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" -+ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" - echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" - - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null -- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ -+ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ - -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? 
-@@ -1090,12 +1092,12 @@ ssl_policy_selfserv() - VMAX="tls1.2" - - # Try to connect to the server with a ciphersuite using RSA in key exchange -- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" -+ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" - echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" - - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - RET_EXP=254 -- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ -+ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ - -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - RET=$? -@@ -1180,7 +1182,7 @@ load_group_crl() { - fi - echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd =============" - -- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" -+ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" - echo " -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}" - echo "Request:" - echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}" -@@ -1193,7 +1195,7 @@ GET crl://${SERVERDIR}/root.crl_${grpBeg - - _EOF_REQUEST_ - -- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f \ -+ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f \ - -d ${R_CLIENTDIR} $verbose -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \ - >${OUTFILE_TMP} 2>&1 < ${REQF} - -@@ -1281,10 +1283,10 @@ ssl_crl_cache() - cparam=`echo $_cparam | sed -e 's;\([^\]\)_;\1 ;g' -e 's;\\_;_;g' -e "s/TestUser/$USER_NICKNAME/g" ` - - echo "Server Args: $SERV_ARG" -- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" -+ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" - echo " ${cparam} < ${REQUEST_FILE}" - rm 
${TMP}/$HOST.tmp.$$ 2>/dev/null -- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ -+ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ - -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? -@@ -1349,19 +1351,19 @@ ssl_dtls() - - echo "${testname}" - -- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \\" -+ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \\" - echo " -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss < ${REQUEST_FILE} &" - -- (sleep 2; cat ${REQUEST_FILE}) | ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \ -+ (sleep 2; cat ${REQUEST_FILE}) | ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \ - -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss 2>&1 & - - PID=$! - - sleep 1 - -- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \\" -+ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \\" - echo " -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q ${CLIENT_PW} < ${REQUEST_FILE}" -- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ -+ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ - -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 - ret=$? 
- html_msg $ret $value "${testname}" \ -@@ -1388,9 +1390,9 @@ ssl_scheme() - - start_selfserv -V tls1.2:tls1.2 -J "$sscheme" - -- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" -+ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" - echo " -V tls1.2:tls1.2 -J "$cscheme" ${CLIENT_PW} < ${REQUEST_FILE}" -- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ -+ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ - -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 - ret=$? - # If both schemes include just one option and those options don't -@@ -1428,9 +1430,9 @@ ssl_scheme_stress() - - start_selfserv -V tls1.2:tls1.2 -J "$sscheme" - -- echo "strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" -+ echo "strsclnt ${IPVER} -q -p ${PORT} -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" - echo " -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} ${CLIENT_PW} < ${REQUEST_FILE}" -- ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} ${CLIENT_OPTIONS} \ -+ ${PROFTOOL} ${BINDIR}/strsclnt ${IPVER} -q -p ${PORT} ${CLIENT_OPTIONS} \ - -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 - ret=$? 
- # If both schemes include just one option and those options don't -@@ -1467,9 +1469,9 @@ ssl_exporter() - for exporter in "${exporters[@]}"; do - start_selfserv -V tls1.2:tls1.2 -x "$exporter" - -- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" -+ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" - echo " -V tls1.2:tls1.2 -x $exporter ${CLIENT_PW} < ${REQUEST_FILE}" -- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ -+ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ - -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -x "$exporter" ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 > client.out - kill_selfserv - diff <(LC_ALL=C grep -A1 "^ *Keying Material:" server.out) \ diff --git a/nss-3.79-revert-distrusted-certs.patch b/nss-3.79-revert-distrusted-certs.patch new file mode 100644 index 0000000..8a607a3 --- /dev/null +++ b/nss-3.79-revert-distrusted-certs.patch 
@@ -0,0 +1,335 @@ +diff -up ./lib/ckfw/builtins/certdata.txt.revert-distrusted ./lib/ckfw/builtins/certdata.txt +--- ./lib/ckfw/builtins/certdata.txt.revert-distrusted 2022-05-26 02:54:33.000000000 -0700 ++++ ./lib/ckfw/builtins/certdata.txt 2022-06-24 10:51:32.035207662 -0700 +@@ -7668,6 +7668,187 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_ + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + # ++# Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2" ++# ++# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL ++# Serial Number: 268435455 (0xfffffff) ++# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL ++# Not Valid Before: Wed May 12 08:51:39 2010 ++# Not Valid After : Mon Mar 23 09:50:05 2020 ++# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C ++# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42 ++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2" ++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 ++CKA_SUBJECT MULTILINE_OCTAL ++\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 ++\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157 ++\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004 ++\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111 ++\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141 ++\156\151\163\141\164\151\145\040\055\040\107\062 ++END ++CKA_ID UTF8 "0" ++CKA_ISSUER MULTILINE_OCTAL ++\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 ++\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157 ++\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004 ++\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111 ++\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141 
++\156\151\163\141\164\151\145\040\055\040\107\062 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\004\017\377\377\377 ++END ++CKA_VALUE MULTILINE_OCTAL ++\060\202\006\225\060\202\004\175\240\003\002\001\002\002\004\017 ++\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\013 ++\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116 ++\114\061\027\060\025\006\003\125\004\012\014\016\104\151\147\151 ++\116\157\164\141\162\040\102\056\126\056\061\062\060\060\006\003 ++\125\004\003\014\051\104\151\147\151\116\157\164\141\162\040\120 ++\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\162 ++\147\141\156\151\163\141\164\151\145\040\055\040\107\062\060\036 ++\027\015\061\060\060\065\061\062\060\070\065\061\063\071\132\027 ++\015\062\060\060\063\062\063\060\071\065\060\060\065\132\060\132 ++\061\013\060\011\006\003\125\004\006\023\002\116\114\061\027\060 ++\025\006\003\125\004\012\014\016\104\151\147\151\116\157\164\141 ++\162\040\102\056\126\056\061\062\060\060\006\003\125\004\003\014 ++\051\104\151\147\151\116\157\164\141\162\040\120\113\111\157\166 ++\145\162\150\145\151\144\040\103\101\040\117\162\147\141\156\151 ++\163\141\164\151\145\040\055\040\107\062\060\202\002\042\060\015 ++\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002 ++\017\000\060\202\002\012\002\202\002\001\000\261\023\031\017\047 ++\346\154\324\125\206\113\320\354\211\212\105\221\170\254\107\275 ++\107\053\344\374\105\353\117\264\046\163\133\067\323\303\177\366 ++\343\336\327\243\370\055\150\305\010\076\113\224\326\344\207\045 ++\066\153\204\265\030\164\363\050\130\163\057\233\152\317\274\004 ++\036\366\336\335\257\374\113\252\365\333\146\142\045\001\045\202 ++\336\362\227\132\020\156\335\135\251\042\261\004\251\043\163\072 ++\370\161\255\035\317\204\104\353\107\321\257\155\310\174\050\253 ++\307\362\067\172\164\137\137\305\002\024\212\243\132\343\033\154 ++\001\343\135\216\331\150\326\364\011\033\062\334\221\265\054\365 
++\040\353\214\003\155\046\111\270\223\304\205\135\330\322\233\257 ++\126\152\314\005\063\314\240\102\236\064\125\104\234\153\240\324 ++\022\320\053\124\315\267\211\015\345\366\353\350\373\205\001\063 ++\117\172\153\361\235\162\063\226\016\367\262\204\245\245\047\304 ++\047\361\121\163\051\167\272\147\156\376\114\334\264\342\241\241 ++\201\057\071\111\215\103\070\023\316\320\245\134\302\207\072\000 ++\147\145\102\043\361\066\131\012\035\243\121\310\274\243\224\052 ++\061\337\343\074\362\235\032\074\004\260\357\261\012\060\023\163 ++\266\327\363\243\114\001\165\024\205\170\300\327\212\071\130\205 ++\120\372\056\346\305\276\317\213\077\257\217\066\324\045\011\055 ++\322\017\254\162\223\362\277\213\324\120\263\371\025\120\233\231 ++\365\024\331\373\213\221\243\062\046\046\240\370\337\073\140\201 ++\206\203\171\133\053\353\023\075\051\072\301\155\335\275\236\216 ++\207\326\112\256\064\227\005\356\024\246\366\334\070\176\112\351 ++\044\124\007\075\227\150\067\106\153\015\307\250\041\257\023\124 ++\344\011\152\361\115\106\012\311\135\373\233\117\275\336\373\267 ++\124\313\270\070\234\247\071\373\152\055\300\173\215\253\245\247 ++\127\354\112\222\212\063\305\341\040\134\163\330\220\222\053\200 ++\325\017\206\030\151\174\071\117\204\206\274\367\114\133\363\325 ++\264\312\240\302\360\067\042\312\171\122\037\123\346\252\363\220 ++\260\073\335\362\050\375\254\353\305\006\044\240\311\324\057\017 ++\130\375\265\236\354\017\317\262\131\320\242\004\172\070\152\256 ++\162\373\275\360\045\142\224\011\247\005\013\002\003\001\000\001 ++\243\202\001\141\060\202\001\135\060\110\006\003\125\035\040\004 ++\101\060\077\060\075\006\004\125\035\040\000\060\065\060\063\006 ++\010\053\006\001\005\005\007\002\001\026\047\150\164\164\160\072 ++\057\057\167\167\167\056\144\151\147\151\156\157\164\141\162\056 ++\156\154\057\143\160\163\057\160\153\151\157\166\145\162\150\145 ++\151\144\060\017\006\003\125\035\023\001\001\377\004\005\060\003 
++\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003 ++\002\001\006\060\201\205\006\003\125\035\043\004\176\060\174\200 ++\024\071\020\213\111\222\134\333\141\022\040\315\111\235\032\216 ++\332\234\147\100\271\241\136\244\134\060\132\061\013\060\011\006 ++\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004 ++\012\014\025\123\164\141\141\164\040\144\145\162\040\116\145\144 ++\145\162\154\141\156\144\145\156\061\053\060\051\006\003\125\004 ++\003\014\042\123\164\141\141\164\040\144\145\162\040\116\145\144 ++\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101 ++\040\055\040\107\062\202\004\000\230\226\364\060\111\006\003\125 ++\035\037\004\102\060\100\060\076\240\074\240\072\206\070\150\164 ++\164\160\072\057\057\143\162\154\056\160\153\151\157\166\145\162 ++\150\145\151\144\056\156\154\057\104\157\155\117\162\147\141\156 ++\151\163\141\164\151\145\114\141\164\145\163\164\103\122\114\055 ++\107\062\056\143\162\154\060\035\006\003\125\035\016\004\026\004 ++\024\274\135\224\073\331\253\173\003\045\163\141\302\333\055\356 ++\374\253\217\145\241\060\015\006\011\052\206\110\206\367\015\001 ++\001\013\005\000\003\202\002\001\000\217\374\055\114\267\331\055 ++\325\037\275\357\313\364\267\150\027\165\235\116\325\367\335\234 ++\361\052\046\355\237\242\266\034\003\325\123\263\354\010\317\064 ++\342\343\303\364\265\026\057\310\303\276\327\323\163\253\000\066 ++\371\032\112\176\326\143\351\136\106\272\245\266\216\025\267\243 ++\052\330\103\035\357\135\310\037\201\205\263\213\367\377\074\364 ++\331\364\106\010\077\234\274\035\240\331\250\114\315\045\122\116 ++\012\261\040\367\037\351\103\331\124\106\201\023\232\300\136\164 ++\154\052\230\062\352\374\167\273\015\245\242\061\230\042\176\174 ++\174\347\332\244\255\354\267\056\032\031\161\370\110\120\332\103 ++\217\054\204\335\301\100\047\343\265\360\025\116\226\324\370\134 ++\343\206\051\106\053\327\073\007\353\070\177\310\206\127\227\323 
++\357\052\063\304\027\120\325\144\151\153\053\153\105\136\135\057 ++\027\312\132\116\317\303\327\071\074\365\073\237\106\271\233\347 ++\016\111\227\235\326\325\343\033\017\352\217\001\116\232\023\224 ++\131\012\002\007\110\113\032\140\253\177\117\355\013\330\125\015 ++\150\157\125\234\151\145\025\102\354\300\334\335\154\254\303\026 ++\316\013\035\126\233\244\304\304\322\056\340\017\342\104\047\053 ++\120\151\244\334\142\350\212\041\051\102\154\314\000\072\226\166 ++\233\357\100\300\244\136\167\204\062\154\046\052\071\146\256\135 ++\343\271\271\262\054\150\037\036\232\220\003\071\360\252\263\244 ++\314\111\213\030\064\351\067\311\173\051\307\204\174\157\104\025 ++\057\354\141\131\004\311\105\313\242\326\122\242\174\177\051\222 ++\326\112\305\213\102\250\324\376\352\330\307\207\043\030\344\235 ++\172\175\163\100\122\230\240\256\156\343\005\077\005\017\340\245 ++\306\155\115\355\203\067\210\234\307\363\334\102\232\152\266\327 ++\041\111\066\167\362\357\030\117\305\160\331\236\351\336\267\053 ++\213\364\274\176\050\337\015\100\311\205\134\256\235\305\061\377 ++\320\134\016\265\250\176\360\351\057\272\257\210\256\345\265\321 ++\130\245\257\234\161\247\051\001\220\203\151\067\202\005\272\374 ++\011\301\010\156\214\170\073\303\063\002\200\077\104\205\010\035 ++\337\125\126\010\255\054\205\055\135\261\003\341\256\252\164\305 ++\244\363\116\272\067\230\173\202\271 ++END ++ ++# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2" ++# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL ++# Serial Number: 268435455 (0xfffffff) ++# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL ++# Not Valid Before: Wed May 12 08:51:39 2010 ++# Not Valid After : Mon Mar 23 09:50:05 2020 ++# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C ++# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42 ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE 
CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2" ++CKA_CERT_SHA1_HASH MULTILINE_OCTAL ++\325\362\127\251\277\055\320\077\213\106\127\371\053\311\244\306 ++\222\341\102\102 ++END ++CKA_CERT_MD5_HASH MULTILINE_OCTAL ++\056\141\242\321\170\316\356\277\131\063\260\043\024\017\224\034 ++END ++CKA_ISSUER MULTILINE_OCTAL ++\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 ++\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157 ++\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004 ++\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111 ++\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141 ++\156\151\163\141\164\151\145\040\055\040\107\062 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\004\017\377\377\377 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ ++# + # Certificate "Security Communication RootCA2" + # + # Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP +@@ -8161,6 +8342,68 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_ + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + ++# Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929 ++# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US ++# Serial Number: 1800000005 (0x6b49d205) ++# Not Before: Apr 7 15:37:15 2011 GMT ++# Not After : Apr 4 15:37:15 2021 GMT ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "MITM subCA 1 issued by Trustwave" ++CKA_ISSUER MULTILINE_OCTAL ++\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123 
++\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156 ++\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150 ++\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030 ++\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156 ++\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004 ++\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147 ++\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156 ++\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060 ++\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141 ++\100\164\162\165\163\164\167\141\166\145\056\143\157\155 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\004\153\111\322\005 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ ++# Explicitly Distrust "MITM subCA 2 issued by Trustwave", Bug 724929 ++# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US ++# Serial Number: 1800000006 (0x6b49d206) ++# Not Before: Apr 18 21:09:30 2011 GMT ++# Not After : Apr 15 21:09:30 2021 GMT ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "MITM subCA 2 issued by Trustwave" ++CKA_ISSUER MULTILINE_OCTAL ++\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123 ++\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156 ++\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150 ++\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030 ++\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156 ++\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004 ++\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147 
++\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156 ++\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060 ++\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141 ++\100\164\162\165\163\164\167\141\166\145\056\143\157\155 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\004\153\111\322\006 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ + # + # Certificate "Actalis Authentication Root CA" + # +@@ -8804,6 +9047,74 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_ + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + ++# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022 ++# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri ++# Serial Number: 2087 (0x827) ++# Subject: CN=*.EGO.GOV.TR,OU=EGO BILGI ISLEM,O=EGO,L=ANKARA,ST=ANKARA,C=TR ++# Not Valid Before: Mon Aug 08 07:07:51 2011 ++# Not Valid After : Tue Jul 06 07:07:51 2021 ++# Fingerprint (MD5): F8:F5:25:FF:0C:31:CF:85:E1:0C:86:17:C1:CE:1F:8E ++# Fingerprint (SHA1): C6:9F:28:C8:25:13:9E:65:A6:46:C4:34:AC:A5:A1:D2:00:29:5D:B1 ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 1" ++CKA_ISSUER MULTILINE_OCTAL ++\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303 ++\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157 ++\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151 ++\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145 ++\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061 ++\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124 
++\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164 ++\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151 ++\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151 ++\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050 ++\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\002\010\047 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ ++# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 2", Bug 825022 ++# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri ++# Serial Number: 2148 (0x864) ++# Subject: E=ileti@kktcmerkezbankasi.org,CN=e-islem.kktcmerkezbankasi.org,O=KKTC Merkez Bankasi,L=Lefkosa,ST=Lefkosa,C=TR ++# Not Valid Before: Mon Aug 08 07:07:51 2011 ++# Not Valid After : Thu Aug 05 07:07:51 2021 ++# Fingerprint (MD5): BF:C3:EC:AD:0F:42:4F:B4:B5:38:DB:35:BF:AD:84:A2 ++# Fingerprint (SHA1): F9:2B:E5:26:6C:C0:5D:B2:DC:0D:C3:F2:DC:74:E0:2D:EF:D9:49:CB ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 2" ++CKA_ISSUER MULTILINE_OCTAL ++\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303 ++\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157 ++\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151 ++\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145 ++\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061 ++\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124 ++\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164 ++\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151 
++\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151 ++\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050 ++\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\002\010\144 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ + # + # Certificate "D-TRUST Root Class 3 CA 2 2009" + # diff --git a/nss-3.79-skip-pwdecrypt-time.patch b/nss-3.79-skip-pwdecrypt-time.patch deleted file mode 100644 index 004ea51..0000000 --- a/nss-3.79-skip-pwdecrypt-time.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff -up ./tests/sdr/sdr.sh.skip ./tests/sdr/sdr.sh ---- ./tests/sdr/sdr.sh.skip 2022-06-11 09:52:05.037086587 -0700 -+++ ./tests/sdr/sdr.sh 2022-06-11 09:52:16.825162027 -0700 -@@ -146,7 +146,10 @@ sdr_main() - RARRAY=($dtime) - TIMEARRAY=(${RARRAY[1]//./ }) - echo "${TIMEARRAY[0]} seconds" -+ # allow an environment variable to skip the test -+ if [ "${NSS_SKIP_PWDECRYPT_TIME}" != "true" ]; then - html_msg ${TIMEARRAY[0]} 0 "pwdecrypt no time regression" -+ fi - export NSS_MAX_MP_PBE_ITERATION_COUNT=$OLD_MAX_PBE_ITERATIONS - } - diff --git a/nss-3.79-ssl2-compatible-client-hello.patch b/nss-3.79-ssl2-compatible-client-hello.patch deleted file mode 100644 index 4451ea3..0000000 --- a/nss-3.79-ssl2-compatible-client-hello.patch +++ /dev/null 
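Review bot: The new patch file starts directly at `diff -up` with no header saying why these five distrust records are put back into certdata.txt, and every certificate they name has a Not Valid After date in 2020 or 2021. A short preamble above the first `diff -up` line would let the next rebase decide whether the patch is still needed, for example `Re-add the explicit distrust records for DigiNotar, Trustwave and TURKTRUST; drop once no consumer relies on them.` The file name still says 3.79 while the package moves to 3.90, so it is worth confirming that the three hunks apply without fuzz, since a misplaced record in the trust list is easy to miss.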
@@ -1,12 +0,0 @@
-diff -up ./lib/ssl/sslsock.c.ssl2hello ./lib/ssl/sslsock.c
---- ./lib/ssl/sslsock.c.ssl2hello 2022-06-08 18:56:58.420672624 -0700
-+++ ./lib/ssl/sslsock.c 2022-06-08 18:58:37.801318314 -0700
-@@ -90,7 +90,7 @@ static sslOptions ssl_defaults = {
- .enableDtls13VersionCompat = PR_FALSE,
- .enableDtlsShortHeader = PR_FALSE,
- .enableHelloDowngradeCheck = PR_TRUE,
-- .enableV2CompatibleHello = PR_FALSE,
-+ .enableV2CompatibleHello = PR_TRUE,
- .enablePostHandshakeAuth = PR_FALSE,
- .suppressEndOfEarlyData = PR_FALSE,
- .enableTls13GreaseEch = PR_FALSE,
diff --git a/nss-3.79-version-range.patch b/nss-3.79-version-range.patch
deleted file mode 100644
index f131883..0000000
--- a/nss-3.79-version-range.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -up ./lib/ssl/sslsock.c.version-range ./lib/ssl/sslsock.c
---- ./lib/ssl/sslsock.c.version-range 2022-06-08 18:47:18.882918821 -0700
-+++ ./lib/ssl/sslsock.c 2022-06-08 18:55:05.555939293 -0700
-@@ -102,8 +102,8 @@ static sslOptions ssl_defaults = {
- * default range of enabled SSL/TLS protocols
- */
- static SSLVersionRange versions_defaults_stream = {
-- SSL_LIBRARY_VERSION_TLS_1_2,
-- SSL_LIBRARY_VERSION_TLS_1_3
-+ SSL_LIBRARY_VERSION_3_0,
-+ SSL_LIBRARY_VERSION_TLS_1_2
- };
-
- static SSLVersionRange versions_defaults_datagram = {
diff --git a/nss-3.90-DisablingASM.patch b/nss-3.90-DisablingASM.patch
new file mode 100644
index 0000000..7d1a17f
--- /dev/null
+++ b/nss-3.90-DisablingASM.patch
@@ -0,0 +1,57 @@ +diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile +index 74e8e65..8995752 100644 +--- a/lib/freebl/Makefile ++++ b/lib/freebl/Makefile +@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null + +@@ -3480,6 +3481,29 @@ ssl3_ComputeMasterSecretInt(sslSocket *s + CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params; + unsigned int master_params_len; + ++ /* if we are using TLS and we aren't using the extended master secret, ++ * and SEC_OID_TLS_REQUIRE_EMS policy is true, fail. The caller will ++ * send and alert (eventually). In the RSA Server case, the alert ++ * won't happen until Finish time because the upper level code ++ * can't tell a difference between this failure and an RSA decrypt ++ * failure, so it will proceed with a faux key */ ++ if (isTLS) { ++ PRUint32 policy; ++ SECStatus rv; ++ ++ /* first fetch the policy for this algorithm */ ++ rv = NSS_GetAlgorithmPolicy(SEC_OID_TLS_REQUIRE_EMS, &policy); ++ /* we only look at the policy if we can fetch it. */ ++ if (rv == SECSuccess) { ++ if (policy & NSS_USE_ALG_IN_SSL_KX) { ++ /* just set the error, we don't want to map any errors ++ * set by NSS_GetAlgorithmPolicy here */ ++ PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION); ++ return SECFailure; ++ } ++ } ++ } ++ + if (isTLS12) { + if (isDH) + master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH; +diff -up ./lib/util/secoid.c.add_ems_policy ./lib/util/secoid.c +--- ./lib/util/secoid.c.add_ems_policy 2023-06-12 15:37:49.293905422 -0700 ++++ ./lib/util/secoid.c 2023-06-12 17:20:29.498142775 -0700 +@@ -1795,6 +1795,11 @@ const static SECOidData oids[SEC_OID_TOT + SEC_OID_EXT_KEY_USAGE_IPSEC_USER, + "IPsec User", + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), ++ ++ /* this will change upstream. for now apps shouldn't use it */ ++ /* we need it for the policy code. 
*/ ++ ODE(SEC_OID_PRIVATE_1, ++ "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), + }; + + /* PRIVATE EXTENDED SECOID Table +@@ -2095,6 +2100,8 @@ SECOID_Init(void) + + /* turn off NSS_USE_POLICY_IN_SSL by default */ + xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL; ++ /* turn off TLS REQUIRE EMS by default */ ++ xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0; + + envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT"); + if (envVal) +diff -up ./lib/util/secoidt.h.add_ems_policy ./lib/util/secoidt.h +--- ./lib/util/secoidt.h.add_ems_policy 2023-06-12 17:18:35.131938535 -0700 ++++ ./lib/util/secoidt.h 2023-06-12 17:21:49.675987022 -0700 +@@ -501,6 +501,9 @@ typedef enum { + SEC_OID_EXT_KEY_USAGE_IPSEC_END = 361, + SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362, + SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363, ++ /* this will change upstream. for now apps shouldn't use it */ ++ /* give it an obscure name here */ ++ SEC_OID_PRIVATE_1 = 372, + + SEC_OID_TOTAL + } SECOidTag; diff --git a/nss-3.90-disable-ech.patch b/nss-3.90-disable-ech.patch new file mode 100644 index 0000000..eee8c39 --- /dev/null +++ b/nss-3.90-disable-ech.patch 
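Review bot: In the `ssl3_ComputeMasterSecretInt` hunk the new EMS requirement fails open: when `NSS_GetAlgorithmPolicy(SEC_OID_TLS_REQUIRE_EMS, &policy)` does not return `SECSuccess`, the check is skipped and the non-EMS derivation proceeds. If the policy is meant as a hard requirement, treat a failed lookup as a failure as well, `if (rv != SECSuccess || (policy & NSS_USE_ALG_IN_SSL_KX))`, or extend the comment to say why failing open is acceptable here. `SSL_ERROR_UNSUPPORTED_VERSION` also names a different condition than a missing extended master secret, which will make these handshake failures hard to diagnose. In the `secoidt.h` hunk `SEC_OID_PRIVATE_1 = 372` follows 363 directly while the `oids[]` entry is appended right after the 363 entry; if that table is indexed by tag, as `xOids[SEC_OID_PRIVATE_1]` suggests, the gap should be checked. The function body starts and ends outside the hunk.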
@@ -0,0 +1,96 @@ +diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c +--- a/lib/ssl/sslsock.c ++++ b/lib/ssl/sslsock.c +@@ -4394,62 +4394,82 @@ ssl_ClearPRCList(PRCList *list, void (*f + } + PORT_Free(cursor); + } + } + + SECStatus + SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled) + { ++#ifdef notdef + sslSocket *ss = ssl_FindSocket(fd); + if (!ss) { + return SECFailure; + } + ss->opt.enableTls13GreaseEch = enabled; + return SECSuccess; ++#else ++ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API); ++ return SECFailure; ++#endif + } + + SECStatus + SSLExp_SetTls13GreaseEchSize(PRFileDesc *fd, PRUint8 size) + { ++#ifdef notdef + sslSocket *ss = ssl_FindSocket(fd); + if (!ss || size == 0) { + return SECFailure; + } + ssl_Get1stHandshakeLock(ss); + ssl_GetSSL3HandshakeLock(ss); + + ss->ssl3.hs.greaseEchSize = size; + + ssl_ReleaseSSL3HandshakeLock(ss); + ssl_Release1stHandshakeLock(ss); + + return SECSuccess; ++#else ++ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API); ++ return SECFailure; ++#endif + } + + SECStatus + SSLExp_EnableTls13BackendEch(PRFileDesc *fd, PRBool enabled) + { ++#ifdef notdef + sslSocket *ss = ssl_FindSocket(fd); + if (!ss) { + return SECFailure; + } + ss->opt.enableTls13BackendEch = enabled; + return SECSuccess; ++#else ++ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API); ++ return SECFailure; ++#endif + } + + SECStatus + SSLExp_CallExtensionWriterOnEchInner(PRFileDesc *fd, PRBool enabled) + { ++#ifdef notdef + sslSocket *ss = ssl_FindSocket(fd); + if (!ss) { + return SECFailure; + } + ss->opt.callExtensionWriterOnEchInner = enabled; + return SECSuccess; ++#else ++ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API); ++ return SECFailure; ++#endif + } + + SECStatus + SSLExp_SetDtls13VersionWorkaround(PRFileDesc *fd, PRBool enabled) + { + sslSocket *ss = ssl_FindSocket(fd); + if (!ss) { + return SECFailure; +diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn +--- 
./gtests/ssl_gtest/manifest.mn.disable_ech 2023-06-21 19:02:02.160400997 +0200 ++++ ./gtests/ssl_gtest/manifest.mn 2023-06-21 19:02:18.226618324 +0200 +@@ -57,7 +57,6 @@ CPPSRCS = \ + tls_filter.cc \ + tls_protect.cc \ + tls_psk_unittest.cc \ +- tls_ech_unittest.cc \ + $(SSLKEYLOGFILE_FILES) \ + $(NULL) diff --git a/nss-3.90-no-dbm-25519.patch b/nss-3.90-no-dbm-25519.patch new file mode 100644 index 0000000..3c7c614 --- /dev/null +++ b/nss-3.90-no-dbm-25519.patch @@ -0,0 +1,18 @@ +diff -up ./tests/ec/ectest.sh.no_dbm_25519 ./tests/ec/ectest.sh +--- ./tests/ec/ectest.sh.no_dbm_25519 2023-07-26 10:12:29.531147406 -0700 ++++ ./tests/ec/ectest.sh 2023-07-26 10:12:39.547245445 -0700 +@@ -46,11 +46,13 @@ ectest_genkeydb_test() + return $? + fi + curves=( \ +- "curve25519" \ + "secp256r1" \ + "secp384r1" \ + "secp521r1" \ + ) ++ if [ "${NSS_DEFAULT_DB_TYPE}" = "sql" ] ; then ++ curves=( "curve25519" "${curves[@]}" ) ++ fi + for curve in "${curves[@]}"; do + echo "Test $curve key generation using certutil ..." + certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE} diff --git a/nss-3.90-pbkdf2-indicator.patch b/nss-3.90-pbkdf2-indicator.patch new file mode 100644 index 0000000..dbb7765 --- /dev/null +++ b/nss-3.90-pbkdf2-indicator.patch 
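Review bot: The four ECH setters in sslsock.c are stubbed out with `#ifdef notdef`, which keeps the dead body in place with no comment on why and depends on nobody ever defining `notdef`. A one-line comment above each guard, e.g. `/* ECH is disabled in this build; the experimental API reports SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API */`, would record the intent, and `#if 0` would remove the dependence on a macro name. The hunk covers only `SSLExp_EnableTls13GreaseEch`, `SSLExp_SetTls13GreaseEchSize`, `SSLExp_EnableTls13BackendEch` and `SSLExp_CallExtensionWriterOnEchInner`; if the goal is to switch ECH off entirely, confirm that the entry points that install ECH configurations are handled too, since they are not visible here. Dropping `tls_ech_unittest.cc` from the manifest also leaves the new failure path without a test.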
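Review bot: The new guard `[ "${NSS_DEFAULT_DB_TYPE}" = "sql" ]` in `ectest_genkeydb_test` skips the curve25519 key-generation test whenever the variable is unset or empty, not only when the database type is dbm. Unless the test harness always exports the variable (not visible in this hunk), testing for the excluded case keeps the coverage: `if [ "${NSS_DEFAULT_DB_TYPE}" != "dbm" ] ; then`. The function continues outside the hunk.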
@@ -0,0 +1,42 @@
+diff -up ./lib/softoken/pkcs11u.c.pkcs12_indicator ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.pkcs12_indicator 2023-08-03 10:50:37.067109367 -0700
++++ ./lib/softoken/pkcs11u.c 2023-08-03 11:41:55.641541953 -0700
+@@ -2429,7 +2429,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+ return PR_FALSE;
+ case SFTKFIPSECC:
+ /* we've already handled the curve selection in the 'getlength'
+- * function */
++ * function */
+ return PR_TRUE;
+ case SFTKFIPSAEAD: {
+ if (mech->ulParameterLen == 0) {
+@@ -2463,6 +2463,29 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+ }
+ return PR_TRUE;
+ }
++ case SFTKFIPSPBKDF2: {
++ /* PBKDF2 must have the following addition restrictions
++ * (independent of keysize).
++ * 1. iteration count must be at least 1000.
++ * 2. salt must be at least 128 bits (16 bytes).
++ * 3. password must match the length specified in the SP
++ */
++ CK_PKCS5_PBKD2_PARAMS *pbkdf2 = (CK_PKCS5_PBKD2_PARAMS *)
++ mech->pParameter;
++ if (mech->ulParameterLen != sizeof(*pbkdf2)) {
++ return PR_FALSE;
++ }
++ if (pbkdf2->iterations < 1000) {
++ return PR_FALSE;
++ }
++ if (pbkdf2->ulSaltSourceDataLen < 16) {
++ return PR_FALSE;
++ }
++ if (*(pbkdf2->ulPasswordLen) < SFTKFIPS_PBKDF2_MIN_PW_LEN) {
++ return PR_FALSE;
++ }
++ return PR_TRUE;
++ }
+ default:
+ break;
+ }
diff --git a/nss-disable-cipher-suites.patch b/nss-disable-cipher-suites.patch
deleted file mode 100644
index 92a7472..0000000
--- a/nss-disable-cipher-suites.patch
+++ /dev/null
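Review bot: In the new `SFTKFIPSPBKDF2` case, `mech->pParameter` and `pbkdf2->ulPasswordLen` are dereferenced without a NULL check; the only guard compares `mech->ulParameterLen` with `sizeof(*pbkdf2)`, which says nothing about either pointer. The mechanism parameters come from the PKCS #11 caller, so add `if (pbkdf2 == NULL || pbkdf2->ulPasswordLen == NULL) { return PR_FALSE; }` right after the length check and before the first field access; whether an earlier layer already rejects such input is not visible here. In the comment, "addition restrictions" should read "additional restrictions", and item 3 would be clearer as "password length must be at least SFTKFIPS_PBKDF2_MIN_PW_LEN". sftk_handleSpecial starts and ends outside the hunk.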
@@ -1,27 +0,0 @@ -diff -up nss/lib/ssl/ssl3con.c.disable-cipher-suites nss/lib/ssl/ssl3con.c ---- nss/lib/ssl/ssl3con.c.disable-cipher-suites 2019-03-21 14:24:14.660150519 +0100 -+++ nss/lib/ssl/ssl3con.c 2019-03-21 14:25:12.997929443 +0100 -@@ -96,7 +96,10 @@ static ssl3CipherSuiteCfg cipherSuites[s - { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 is disabled by default. -+ * The GCM variant is preferred for new applications. -+ */ -+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -@@ -105,7 +108,10 @@ static ssl3CipherSuiteCfg cipherSuites[s - { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is disabled by default. -+ * The GCM variant is preferred for new applications. -+ */ -+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, diff --git a/nss-disable-md5.patch b/nss-disable-md5.patch new file mode 100644 index 0000000..827928f --- /dev/null +++ b/nss-disable-md5.patch 
@@ -0,0 +1,41 @@
+diff -r 699541a7793b lib/pk11wrap/pk11pars.c
+--- a/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:41.668835607 -0700
++++ b/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:50.585888411 -0700
+@@ -324,11 +324,11 @@ static const oidValDef curveOptList[] =
+ static const oidValDef hashOptList[] = {
+ /* Hashes */
+ { CIPHER_NAME("MD2"), SEC_OID_MD2,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
++ 0 },
+ { CIPHER_NAME("MD4"), SEC_OID_MD4,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
++ 0 },
+ { CIPHER_NAME("MD5"), SEC_OID_MD5,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
++ 0 },
+ { CIPHER_NAME("SHA1"), SEC_OID_SHA1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ { CIPHER_NAME("SHA224"), SEC_OID_SHA224,
+diff -r 699541a7793b lib/util/secoid.c
+--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
++++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
+@@ -2042,6 +2042,19 @@
+ int i;
+
+ for (i = 1; i < SEC_OID_TOTAL; i++) {
++ switch (i) {
++ case SEC_OID_MD2:
++ case SEC_OID_MD4:
++ case SEC_OID_MD5:
++ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
++ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
++ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
++ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
++ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
++ continue;
++ default:
++ break;
++ }
+ if (oids[i].desc && strstr(arg, oids[i].desc)) {
+ xOids[i].notPolicyFlags = notEnable |
+ (xOids[i].notPolicyFlags & ~(DEF_FLAGS));
diff --git a/nss-dso-ldflags.patch b/nss-dso-ldflags.patch
new file mode 100644
index 0000000..d5485ae
--- /dev/null
+++ b/nss-dso-ldflags.patch
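Review bot: The new `switch (i)` in the lib/util/secoid.c loop skips the MD2/MD4/MD5 OIDs with a bare `continue` and no comment, so a reader cannot tell that `arg` is deliberately kept from changing their policy flags. A line such as `/* never let arg change the policy flags of the legacy MD2/MD4/MD5 OIDs */` above the switch would record the intent and make the list easier to audit when new OIDs are added. The same applies to the three `0 },` entries in hashOptList in lib/pk11wrap/pk11pars.c, where a literal `0` replaces the named flags without saying that these hashes are meant to carry no usage flags. The enclosing function in secoid.c starts and ends outside the hunk.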
@@ -0,0 +1,13 @@
+Index: nss/coreconf/Linux.mk
+===================================================================
+--- nss.orig/coreconf/Linux.mk
++++ nss/coreconf/Linux.mk
+@@ -144,7 +144,7 @@ ifdef USE_PTHREADS
+ endif
+
+ DSO_CFLAGS = -fPIC
+-DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections
++DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections $(DSO_LDFLAGS)
+ # The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
+ # incorrectly reports undefined references in the libraries we link with, so
+ # we don't use -z defs there.
diff --git a/nss-fix-deadlock-squash.patch b/nss-fix-deadlock-squash.patch
deleted file mode 100644
index c8222c7..0000000
--- a/nss-fix-deadlock-squash.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -diff -up nss/lib/pki/tdcache.c.fix_deadlock nss/lib/pki/tdcache.c ---- nss/lib/pki/tdcache.c.fix_deadlock 2017-01-13 17:10:36.055530248 +0100 -+++ nss/lib/pki/tdcache.c 2017-01-13 17:14:04.015338438 +0100 -@@ -374,13 +374,19 @@ struct token_cert_dtor { - PRUint32 numCerts, arrSize; - }; - --static void --remove_token_certs(const void *k, void *v, void *a) -+static void cert_iter(const void *k, void *v, void *a) - { -+ nssList *certList = (nssList *)a; - NSSCertificate *c = (NSSCertificate *)k; -+ nssList_Add(certList, nssCertificate_AddRef(c)); -+} -+ -+static void -+remove_token_certs(NSSCertificate *c, struct token_cert_dtor *dtor) -+{ - nssPKIObject *object = &c->object; -- struct token_cert_dtor *dtor = a; - PRUint32 i; -+ - nssPKIObject_AddRef(object); - nssPKIObject_Lock(object); - for (i = 0; i < object->numInstances; i++) { -@@ -416,6 +422,11 @@ nssTrustDomain_RemoveTokenCertsFromCache - NSSCertificate **certs; - PRUint32 i, arrSize = 10; - struct token_cert_dtor dtor; -+ nssList *certList; -+ PRStatus nspr_rv = PR_FAILURE; -+ nssListIterator *iter; -+ NSSCertificate *c; -+ - certs = nss_ZNEWARRAY(NULL, NSSCertificate *, arrSize); - if (!certs) { - return PR_FAILURE; -@@ -425,8 +436,33 @@ nssTrustDomain_RemoveTokenCertsFromCache - dtor.certs = certs; - dtor.numCerts = 0; - dtor.arrSize = arrSize; -+ -+ certList = nssList_Create(NULL, PR_FALSE); -+ if (!certList) { -+ goto loser; -+ } -+ /* fetch the list of certs in the cache */ -+ PZ_Lock(td->cache->lock); -+ nssHash_Iterate(td->cache->issuerAndSN, cert_iter, (void *)certList); -+ PZ_Unlock(td->cache->lock); -+ -+ /* find the certs that match this token without olding the td cache lock */ -+ iter=nssList_CreateIterator(certList); -+ if (!iter) { -+ goto loser; -+ } -+ for (c = (NSSCertificate *)nssListIterator_Start(iter); -+ c != (NSSCertificate *)NULL; -+ c = (NSSCertificate *)nssListIterator_Next(iter)) { -+ remove_token_certs( c, &dtor); -+ } -+ nssListIterator_Finish(iter); -+ 
nssListIterator_Destroy(iter); -+ nssList_Destroy(certList); -+ certList = NULL; -+ -+ /* now remove theose certs attached to this token */ - PZ_Lock(td->cache->lock); -- nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, &dtor); - for (i = 0; i < dtor.numCerts; i++) { - if (dtor.certs[i]->object.numInstances == 0) { - nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]); -@@ -437,14 +473,22 @@ nssTrustDomain_RemoveTokenCertsFromCache - } - } - PZ_Unlock(td->cache->lock); -+ -+ /* clean up */ - for (i = 0; i < dtor.numCerts; i++) { - if (dtor.certs[i]) { - STAN_ForceCERTCertificateUpdate(dtor.certs[i]); - nssCertificate_Destroy(dtor.certs[i]); - } - } -+ -+ nspr_rv = PR_SUCCESS; -+loser: -+ if (certList) { -+ nssList_Destroy(certList); -+ } - nss_ZFreeIf(dtor.certs); -- return PR_SUCCESS; -+ return nspr_rv; - } - - NSS_IMPLEMENT PRStatus -@@ -1058,14 +1102,6 @@ nssTrustDomain_GetCertByDERFromCache( - return rvCert; - } - --static void --cert_iter(const void *k, void *v, void *a) --{ -- nssList *certList = (nssList *)a; -- NSSCertificate *c = (NSSCertificate *)k; -- nssList_Add(certList, nssCertificate_AddRef(c)); --} -- - NSS_EXTERN NSSCertificate ** - nssTrustDomain_GetCertsFromCache( - NSSTrustDomain *td, diff --git a/nss-gcm-param-default-pkcs11v2.patch b/nss-gcm-param-default-pkcs11v2.patch new file mode 100644 index 0000000..2d6cba8 --- /dev/null +++ b/nss-gcm-param-default-pkcs11v2.patch 
@@ -0,0 +1,21 @@
+diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
+--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 2020-05-13 13:44:11.312405744 -0700
++++ ./lib/util/pkcs11n.h 2020-05-13 13:45:23.951723660 -0700
+@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
+ typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
+
+ /* deprecated #defines. Drop in future NSS releases */
+-#ifdef NSS_PKCS11_2_0_COMPAT
++#ifndef NSS_PKCS11_3_0_STRICT
+
+ /* defines that were changed between NSS's PKCS #11 and the Oasis headers */
+ #define CKF_EC_FP CKF_EC_F_P
+@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
+ #define CKT_NETSCAPE_VALID CKT_NSS_VALID
+ #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
+ #else
+-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
++/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
+ typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
+ typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
+ #endif
diff --git a/nss-gcm-param-default-pkcs11v2.patch b/nss-gcm-param-default-pkcs11v2.patch
new file mode 100644
index 0000000..2d6cba8
--- /dev/null
+++ b/nss-gcm-param-default-pkcs11v2.patch
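Review bot: The guard flip from `#ifdef NSS_PKCS11_2_0_COMPAT` to `#ifndef NSS_PKCS11_3_0_STRICT` in lib/util/pkcs11n.h is not documented at the guard itself, and the unchanged comment above it still reads only "deprecated #defines. Drop in future NSS releases". After this change the legacy names and the older `CK_GCM_PARAMS` typedef are what every consumer of the header gets unless it defines `NSS_PKCS11_3_0_STRICT`, and defining `NSS_PKCS11_2_0_COMPAT` appears to have no effect in the visible lines. I would extend the comment to `/* deprecated #defines, on by default in this build; define NSS_PKCS11_3_0_STRICT to drop them */`, since a caller and a module that disagree about the GCM parameter struct layout will misread the parameters. The block between the two hunks is not visible here.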
@@ -1,22 +0,0 @@ -# HG changeset patch -# User Daiki Ueno -# Date 1523546409 -7200 -# Thu Apr 12 17:20:09 2018 +0200 -# Node ID 919e116728f29263c17ec31716ac2bd04c10e9ca -# Parent 2eefd697d661efb82a77c84d893e6fbceefdf458 -Bug 1453408, modutil -changepw fails in FIPS mode if password is an empty string - -diff --git a/cmd/modutil/pk11.c b/cmd/modutil/pk11.c ---- a/cmd/modutil/pk11.c -+++ b/cmd/modutil/pk11.c -@@ -764,6 +764,10 @@ ChangePW(char *tokenName, char *pwFile, - ret = CHANGEPW_FAILED_ERR; - goto loser; - } -+ } else if (PK11_IsFIPS() && *newpw == '\0' && PK11_CheckUserPassword(slot, newpw) == SECSuccess) { -+ /* Workaround to suppress harmless error in FIPS mode: -+ * When explicitly setting empty password while the old -+ * password is also empty, skip */ - } else { - if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) { - PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName); diff --git a/nss-p11-kit.config b/nss-p11-kit.config new file mode 100644 index 0000000..0ebf073 --- /dev/null +++ b/nss-p11-kit.config @@ -0,0 +1,4 @@ +name=p11-kit-proxy +library=p11-kit-proxy.so + + diff --git a/nss-reorder-cipher-suites-gtests.patch b/nss-reorder-cipher-suites-gtests.patch deleted file mode 100644 index fbedd09..0000000 --- a/nss-reorder-cipher-suites-gtests.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -diff -up ./gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests ./gtests/ssl_gtest/ssl_auth_unittest.cc ---- ./gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests 2021-05-28 02:50:43.000000000 -0700 -+++ ./gtests/ssl_gtest/ssl_auth_unittest.cc 2021-06-03 17:01:27.530383629 -0700 -@@ -1036,7 +1036,9 @@ static SSLNamedGroup NamedGroupForEcdsa3 - // NSS tries to match the group size to the symmetric cipher. In TLS 1.1 and - // 1.0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is the highest priority suite, so - // we use P-384. With TLS 1.2 on we pick AES-128 GCM so use x25519. -- if (version <= SSL_LIBRARY_VERSION_TLS_1_1) { -+ // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 -+ // a higher priority than AES-128 GCM. -+ if (version <= SSL_LIBRARY_VERSION_TLS_1_2) { - return ssl_grp_ec_secp384r1; - } - return ssl_grp_ec_curve25519; -@@ -1831,27 +1833,31 @@ INSTANTIATE_TEST_SUITE_P( - ::testing::Values(TlsAgent::kServerRsa), - ::testing::Values(ssl_auth_rsa_sign), - ::testing::Values(ssl_sig_rsa_pkcs1_sha1))); -+// FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 -+// a higher priority than AES-128 GCM, and that causes the following -+// 4 TLS 1.2 tests to fail. 
- INSTANTIATE_TEST_SUITE_P( - SignatureSchemeEcdsaP256, TlsSignatureSchemeConfiguration, - ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, -- TlsConnectTestBase::kTlsV12Plus, -+ TlsConnectTestBase::kTlsV13, - ::testing::Values(TlsAgent::kServerEcdsa256), - ::testing::Values(ssl_auth_ecdsa), - ::testing::Values(ssl_sig_ecdsa_secp256r1_sha256))); - INSTANTIATE_TEST_SUITE_P( - SignatureSchemeEcdsaP384, TlsSignatureSchemeConfiguration, - ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, -- TlsConnectTestBase::kTlsV12Plus, -+ TlsConnectTestBase::kTlsV13, - ::testing::Values(TlsAgent::kServerEcdsa384), - ::testing::Values(ssl_auth_ecdsa), - ::testing::Values(ssl_sig_ecdsa_secp384r1_sha384))); - INSTANTIATE_TEST_SUITE_P( - SignatureSchemeEcdsaP521, TlsSignatureSchemeConfiguration, - ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, -- TlsConnectTestBase::kTlsV12Plus, -+ TlsConnectTestBase::kTlsV13, - ::testing::Values(TlsAgent::kServerEcdsa521), - ::testing::Values(ssl_auth_ecdsa), - ::testing::Values(ssl_sig_ecdsa_secp521r1_sha512))); -+#if 0 - INSTANTIATE_TEST_SUITE_P( - SignatureSchemeEcdsaSha1, TlsSignatureSchemeConfiguration, - ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, -@@ -1860,4 +1866,5 @@ INSTANTIATE_TEST_SUITE_P( - TlsAgent::kServerEcdsa384), - ::testing::Values(ssl_auth_ecdsa), - ::testing::Values(ssl_sig_ecdsa_sha1))); -+#endif - } // namespace nss_test -diff -up ./gtests/ssl_gtest/ssl_recordsize_unittest.cc.reorder-cipher-suites-gtests ./gtests/ssl_gtest/ssl_recordsize_unittest.cc ---- ./gtests/ssl_gtest/ssl_recordsize_unittest.cc.reorder-cipher-suites-gtests 2021-05-28 02:50:43.000000000 -0700 -+++ ./gtests/ssl_gtest/ssl_recordsize_unittest.cc 2021-06-03 16:47:23.130301387 -0700 -@@ -72,11 +72,13 @@ void CheckRecordSizes(const std::shared_ - break; - - case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: -+ case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: - expansion = 16; - iv = 8; - break; - - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: -+ 
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: - // Expansion is 20 for the MAC. Maximum block padding is 16. Maximum - // padding is added when the input plus the MAC is an exact multiple of - // the block size. -diff -up ./gtests/ssl_gtest/ssl_staticrsa_unittest.cc.reorder-cipher-suites-gtests ./gtests/ssl_gtest/ssl_staticrsa_unittest.cc ---- ./gtests/ssl_gtest/ssl_staticrsa_unittest.cc.reorder-cipher-suites-gtests 2021-05-28 02:50:43.000000000 -0700 -+++ ./gtests/ssl_gtest/ssl_staticrsa_unittest.cc 2021-06-03 16:47:23.130301387 -0700 -@@ -133,7 +133,19 @@ TEST_P(TlsConnectGenericPre13, TooLargeR - TEST_P(TlsConnectGeneric, ServerAuthBiggestRsa) { - Reset(TlsAgent::kRsa8192); - Connect(); -- CheckKeys(); -+ if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { -+ CheckKeys(); -+ } else { -+ // in TLS 1.2 or TLS 1.1, AES-256 is selected by default, which -+ // needs a different kea setup -+ SSLSignatureScheme scheme; -+ if (version_ >= SSL_LIBRARY_VERSION_TLS_1_2) { -+ scheme = ssl_sig_rsa_pss_rsae_sha256; -+ } else { -+ scheme = ssl_sig_rsa_pkcs1_sha256; -+ } -+ CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp521r1, ssl_auth_rsa_sign, scheme); -+ } - } - - } // namespace nss_test -diff -up ./gtests/ssl_gtest/tls_agent.cc.reorder-cipher-suites-gtests ./gtests/ssl_gtest/tls_agent.cc ---- ./gtests/ssl_gtest/tls_agent.cc.reorder-cipher-suites-gtests 2021-05-28 02:50:43.000000000 -0700 -+++ ./gtests/ssl_gtest/tls_agent.cc 2021-06-03 16:47:23.130301387 -0700 -@@ -603,6 +603,9 @@ void TlsAgent::CheckKEA(SSLKEAType kea, - case ssl_grp_ec_secp384r1: - kea_size = 384; - break; -+ case ssl_grp_ec_secp521r1: -+ kea_size = 521; -+ break; - case ssl_grp_ffdhe_2048: - kea_size = 2048; - break; diff --git a/nss-reorder-cipher-suites.patch b/nss-reorder-cipher-suites.patch deleted file mode 100644 index c295c1d..0000000 --- a/nss-reorder-cipher-suites.patch +++ /dev/null 
@@ -1,205 +0,0 @@ -diff -up nss/lib/ssl/ssl3con.c.reorder-cipher-suites nss/lib/ssl/ssl3con.c ---- nss/lib/ssl/ssl3con.c.reorder-cipher-suites 2019-03-16 01:25:08.000000000 +0100 -+++ nss/lib/ssl/ssl3con.c 2019-03-21 14:22:01.578936057 +0100 -@@ -90,49 +90,44 @@ static ssl3CipherSuiteCfg cipherSuites[s - { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE }, - { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE }, - -- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around -- * bug 946147. 
-- */ - { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- -+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE}, - { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- - { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, 
PR_FALSE, PR_FALSE}, -@@ -141,27 +136,21 @@ static ssl3CipherSuiteCfg cipherSuites[s - { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- -- /* RSA */ -- { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -- -- /* 56-bit DES "domestic" cipher suites */ - { TLS_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- -- /* ciphersuites with no encryption */ - { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -diff -up nss/lib/ssl/sslenum.c.reorder-cipher-suites nss/lib/ssl/sslenum.c ---- 
nss/lib/ssl/sslenum.c.reorder-cipher-suites 2019-03-16 01:25:08.000000000 +0100 -+++ nss/lib/ssl/sslenum.c 2019-03-21 14:22:16.479624167 +0100 -@@ -59,49 +59,44 @@ const PRUint16 SSL_ImplementedCiphers[] - TLS_CHACHA20_POLY1305_SHA256, - TLS_AES_256_GCM_SHA384, - -- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, -- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, -- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, -- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, -- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, -- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before -- * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147. -- */ - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, -+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, -+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, -+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, -- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, -- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, -+ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, -+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, -+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, -- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, -- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, -+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, -+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, -+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, -+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, -- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, - TLS_ECDHE_RSA_WITH_RC4_128_SHA, -- -+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, -+ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, -+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, -+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, -+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, -+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, -+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, -+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, - TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, - 
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, -- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, -- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, - TLS_DHE_RSA_WITH_AES_128_CBC_SHA, - TLS_DHE_DSS_WITH_AES_128_CBC_SHA, - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, - TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, - TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, -- TLS_DHE_RSA_WITH_AES_256_CBC_SHA, -- TLS_DHE_DSS_WITH_AES_256_CBC_SHA, -- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, -- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, -- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, -- TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, - TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, - TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, - TLS_DHE_DSS_WITH_RC4_128_SHA, -- - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, - TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, -@@ -110,26 +105,21 @@ const PRUint16 SSL_ImplementedCiphers[] - TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, - TLS_ECDH_ECDSA_WITH_RC4_128_SHA, - TLS_ECDH_RSA_WITH_RC4_128_SHA, -- -- TLS_RSA_WITH_AES_128_GCM_SHA256, - TLS_RSA_WITH_AES_256_GCM_SHA384, -- TLS_RSA_WITH_AES_128_CBC_SHA, -- TLS_RSA_WITH_AES_128_CBC_SHA256, -- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, - TLS_RSA_WITH_AES_256_CBC_SHA, - TLS_RSA_WITH_AES_256_CBC_SHA256, - TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, -+ TLS_RSA_WITH_AES_128_GCM_SHA256, -+ TLS_RSA_WITH_AES_128_CBC_SHA, -+ TLS_RSA_WITH_AES_128_CBC_SHA256, -+ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, - TLS_RSA_WITH_SEED_CBC_SHA, - TLS_RSA_WITH_3DES_EDE_CBC_SHA, - TLS_RSA_WITH_RC4_128_SHA, - TLS_RSA_WITH_RC4_128_MD5, -- -- /* 56-bit DES "domestic" cipher suites */ - TLS_DHE_RSA_WITH_DES_CBC_SHA, - TLS_DHE_DSS_WITH_DES_CBC_SHA, - TLS_RSA_WITH_DES_CBC_SHA, -- -- /* ciphersuites with no encryption */ - TLS_ECDHE_ECDSA_WITH_NULL_SHA, - TLS_ECDHE_RSA_WITH_NULL_SHA, - TLS_ECDH_RSA_WITH_NULL_SHA, diff --git a/nss-rhel7.config b/nss-rhel7.config deleted file mode 100644 index 84e18ce..0000000 --- a/nss-rhel7.config +++ /dev/null 
@@ -1,7 +0,0 @@ -# To re-enable legacy algorithms, edit this file -# Note that the last empty line in this file must be preserved -library= -name=Policy -NSS=flags=policyOnly,moduleDB -config="disallow=MD5:RC4 allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023:TLS-VERSION-MIN=tls1.0" - diff --git a/nss-skip-bltest-and-fipstest.patch b/nss-skip-bltest-and-fipstest.patch deleted file mode 100644 index 1045573..0000000 --- a/nss-skip-bltest-and-fipstest.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff -up ./cmd/Makefile.skipthem ./cmd/Makefile ---- ./cmd/Makefile.skipthem 2021-05-28 02:50:43.000000000 -0700 -+++ ./cmd/Makefile 2021-06-03 15:16:36.015186252 -0700 -@@ -19,7 +19,11 @@ BLTEST_SRCDIR = - ECPERF_SRCDIR = - FREEBL_ECTEST_SRCDIR = - FIPSTEST_SRCDIR = -+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1) -+SHLIBSIGN_SRCDIR = shlibsign -+else - SHLIBSIGN_SRCDIR = -+endif - else - BLTEST_SRCDIR = bltest - ECPERF_SRCDIR = ecperf -diff -up ./cmd/shlibsign/Makefile.skipthem ./cmd/shlibsign/Makefile ---- ./cmd/shlibsign/Makefile.skipthem 2021-06-03 15:16:36.015186252 -0700 -+++ ./cmd/shlibsign/Makefile 2021-06-03 15:18:49.494720335 -0700 -@@ -95,7 +95,3 @@ else - endif - endif - --libs: install --ifdef CHECKLOC -- $(MAKE) $(CHECKLOC) --endif diff --git a/nss-skip-cavs-tests.patch b/nss-skip-cavs-tests.patch deleted file mode 100644 index 2ce3622..0000000 --- a/nss-skip-cavs-tests.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up nss/tests/fips/fips.sh.skip-cavs nss/tests/fips/fips.sh ---- nss/tests/fips/fips.sh.skip-cavs 2020-07-29 08:38:23.930846917 +0200 -+++ nss/tests/fips/fips.sh 2020-07-29 08:38:30.001805500 +0200 -@@ -318,6 +318,6 @@ fips_cleanup() - - fips_init - fips_140 --fips_cavs -+#fips_cavs - fips_cleanup - echo "fips.sh done" diff --git a/nss-skip-sysinit-gtests.patch b/nss-skip-sysinit-gtests.patch index ca0e3d6..0a80e48 100644 --- a/nss-skip-sysinit-gtests.patch +++ b/nss-skip-sysinit-gtests.patch 
@@ -1,6 +1,7 @@ -diff -up nss/gtests/manifest.mn.skip-sysinit-gtests nss/gtests/manifest.mn ---- nss/gtests/manifest.mn.skip-sysinit-gtests 2020-07-22 17:52:34.117219907 +0200 -+++ nss/gtests/manifest.mn 2020-07-22 17:53:10.196957474 +0200 +Index: nss/gtests/manifest.mn +=================================================================== +--- nss.orig/gtests/manifest.mn ++++ nss/gtests/manifest.mn @@ -31,7 +31,6 @@ NSS_SRCDIRS = \ smime_gtest \ softoken_gtest \ diff --git a/nss-skip-util-gtest.patch b/nss-skip-util-gtest.patch deleted file mode 100644 index 2a914d3..0000000 --- a/nss-skip-util-gtest.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -up nss/gtests/manifest.mn.skip-util-gtests nss/gtests/manifest.mn ---- nss/gtests/manifest.mn.skip-util-gtests 2019-03-16 01:25:08.000000000 +0100 -+++ nss/gtests/manifest.mn 2019-03-21 12:41:02.264072681 +0100 -@@ -35,6 +35,5 @@ endif - - DIRS = \ - $(LIB_SRCDIRS) \ -- $(UTIL_SRCDIRS) \ - $(NSS_SRCDIRS) \ - $(NULL) -diff -up nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests nss/gtests/ssl_gtest/manifest.mn ---- nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests 2019-03-16 01:25:08.000000000 +0100 -+++ nss/gtests/ssl_gtest/manifest.mn 2019-03-21 12:41:02.265072660 +0100 -@@ -67,6 +67,7 @@ PROGRAM = ssl_gtest - EXTRA_LIBS += \ - $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \ - $(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \ -+ -lsoftokn3 - $(NULL) - - USE_STATIC_LIBS = 1 diff --git a/nss-sni-c-v-fix.patch b/nss-sni-c-v-fix.patch deleted file mode 100644 index cc52515..0000000 --- a/nss-sni-c-v-fix.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -diff -up nss/tests/ssl/sslauth.txt.sni_c_v_fix nss/tests/ssl/sslauth.txt ---- nss/tests/ssl/sslauth.txt.sni_c_v_fix 2017-04-05 14:23:56.000000000 +0200 -+++ nss/tests/ssl/sslauth.txt 2017-06-02 10:22:27.457072785 +0200 -@@ -64,13 +64,13 @@ - # - # SNI Tests - # -- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI -+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser TLS Server hello response without SNI - SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI - SNI 1 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert -- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI -+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser SSL3 Server hello response without SNI - SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions -- SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI -+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser TLS Server hello response without SNI - SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI -- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS -+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS - SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS - SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with 
alert diff --git a/nss-softokn-config.in b/nss-softokn-config.in new file mode 100644 index 0000000..c7abe29 --- /dev/null +++ b/nss-softokn-config.in @@ -0,0 +1,116 @@ +#!/bin/sh + +prefix=@prefix@ + +major_version=@MOD_MAJOR_VERSION@ +minor_version=@MOD_MINOR_VERSION@ +patch_version=@MOD_PATCH_VERSION@ + +usage() +{ + cat <&2 +fi + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --includedir=*) + includedir=$optarg + ;; + --includedir) + echo_includedir=yes + ;; + --libdir=*) + libdir=$optarg + ;; + --libdir) + echo_libdir=yes + ;; + --version) + echo ${major_version}.${minor_version}.${patch_version} + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +# Set variables that may be dependent upon other variables +if test -z "$exec_prefix"; then + exec_prefix=`pkg-config --variable=exec_prefix nss-softokn` +fi +if test -z "$includedir"; then + includedir=`pkg-config --variable=includedir nss-softokn` +fi +if test -z "$libdir"; then + libdir=`pkg-config --variable=libdir nss-softokn` +fi + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_includedir" = "yes"; then + echo $includedir +fi + +if test "$echo_libdir" = "yes"; then + echo $libdir +fi + +if test "$echo_cflags" = "yes"; then + echo -I$includedir +fi + +if test "$echo_libs" = "yes"; then + libdirs="-Wl,-rpath-link,$libdir -L$libdir" + echo $libdirs +fi + diff --git a/nss-softokn-dracut-module-setup.sh b/nss-softokn-dracut-module-setup.sh new file mode 100644 index 0000000..010ec18 --- /dev/null +++ b/nss-softokn-dracut-module-setup.sh 
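Review bot: The three `pkg-config --variable=... nss-softokn` fallbacks never check for failure, so when the .pc file cannot be found `includedir` and `libdir` stay empty and `--cflags` prints a bare `-I` (and `--libs` a bare `-L`), which then consumes the next argument on the caller's compiler command line. Exiting on failure, e.g. `includedir=$(pkg-config --variable=includedir nss-softokn) || exit 1`, and quoting the expansions (`echo "-I$includedir"`) would make the failure visible instead of silently changing the build flags. nss-util-config.in later in this commit follows the same pattern. The body of usage() is not readable in this view, so it is not covered here.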
@@ -0,0 +1,18 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+ return 255
+}
+
+depends() {
+ return 0
+}
+
+install() {
+ local _dir
+
+ inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
+ libfreebl3.so
+}
diff --git a/nss-softokn-dracut.conf b/nss-softokn-dracut.conf
new file mode 100644
index 0000000..2d9232e
--- /dev/null
+++ b/nss-softokn-dracut.conf
@@ -0,0 +1,3 @@
+# turn on nss-softokn module
+
+add_dracutmodules+=" nss-softokn "
diff --git a/nss-softokn.pc.in b/nss-softokn.pc.in
new file mode 100644
index 0000000..022ebbf
--- /dev/null
+++ b/nss-softokn.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-SOFTOKN
+Description: Network Security Services Softoken PKCS #11 Module
+Version: %SOFTOKEN_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
+Cflags: -I${includedir}
diff --git a/nss-sql-default-tests.patch b/nss-sql-default-tests.patch
deleted file mode 100644
index 6aabecd..0000000
--- a/nss-sql-default-tests.patch
+++ /dev/null
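Review bot: install() in nss-softokn-dracut-module-setup.sh copies `libfreebl3.so` into the initramfs without a matching `libfreebl3.chk`, while `libfreeblpriv3.so` gets its `.chk` and the `__spec_install_post` macro added to nss.spec in this commit runs `shlibsign -i` on both libraries. If the integrity check at early boot also verifies `libfreebl3.so` (not visible here, please confirm), the `inst_libdir_file` list should include `libfreebl3.chk`. Separately, `local _dir` is declared and never used and can be dropped.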
@@ -1,70 +0,0 @@ -diff -up ./tests/all.sh.sql-default-tests ./tests/all.sh ---- ./tests/all.sh.sql-default-tests 2021-06-03 15:44:45.759708770 -0700 -+++ ./tests/all.sh 2021-06-03 15:50:12.649678081 -0700 -@@ -51,10 +51,10 @@ - # pkix - run test suites with PKIX enabled - # upgradedb - upgrade existing certificate databases to shareable - # format (creates them if doesn't exist yet) and run --# test suites with those databases. Requires to enable libdm. -+# test suites with those databases. - # sharedb - run test suites with shareable database format - # enabled (databases are created directly to this --# format). This is the default and doesn't need to be run separately. -+# format). - # threadunsafe - run test suites with thread unsafe environment variable - # so simulate running NSS locking for PKCS #11 modules which - # are not thread safe. -@@ -137,7 +137,7 @@ run_tests() - } - - ########################## run_cycle_standard ########################## --# run test suites with sql database (no PKIX) -+# run test suites with dbm database (no PKIX, no sharedb) - ######################################################################## - run_cycle_standard() - { -@@ -146,7 +146,7 @@ run_cycle_standard() - TESTS="${ALL_TESTS}" - TESTS_SKIP="libpkix pkits" - -- NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE:-"sql"} -+ NSS_DEFAULT_DB_TYPE=dbm - export NSS_DEFAULT_DB_TYPE - - run_tests -@@ -323,7 +323,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU - . 
./init.sh - fi - --cycles="standard pkix threadunsafe" -+cycles="standard pkix upgradedb sharedb threadunsafe" - CYCLES=${NSS_CYCLES:-$cycles} - - NO_INIT_SUPPORT=`certutil --build-flags |grep -cw NSS_NO_INIT_SUPPORT` -diff -up ./tests/common/init.sh.sql-default-tests ./tests/common/init.sh ---- ./tests/common/init.sh.sql-default-tests 2021-05-28 02:50:43.000000000 -0700 -+++ ./tests/common/init.sh 2021-06-03 15:44:45.771708842 -0700 -@@ -651,9 +651,9 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU - - RELOAD_CRL=1 - -- # if test mode isn't set, test scripts default to expecting sql -+ # if test mode isn't set, test scripts default to expecting dbm - if [ "${TEST_MODE}" = "" ]; then -- NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE:-"sql"} -+ NSS_DEFAULT_DB_TYPE="dbm" - export NSS_DEFAULT_DB_TYPE - fi - -diff -up ./tests/remote/Makefile.sql-default-tests ./tests/remote/Makefile ---- ./tests/remote/Makefile.sql-default-tests 2021-05-28 02:50:43.000000000 -0700 -+++ ./tests/remote/Makefile 2021-06-03 15:44:45.771708842 -0700 -@@ -56,7 +56,7 @@ ifeq ($(OS_TARGET),Android) - TEST_SHELL?=$$HOME/bin/sh - ANDROID_PORT?="2222" - #Define the subset of tests that is known to work on Android --NSS_CYCLES?="standard pkix sharedb" -+NSS_CYCLES?="standard pkix upgradedb sharedb" - NSS_TESTS?="cipher lowhash libpkix cert dbtests tools sdr crmf smime ssl ocsp merge pkits chains" - NSS_SSL_TESTS?="crl normal_normal iopr" - NSS_SSL_RUN?="cov auth stress" diff --git a/nss-sql-default.patch b/nss-sql-default.patch deleted file mode 100644 index d2dbcc4..0000000 --- a/nss-sql-default.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-diff -up nss/tests/all.sh.sql-default nss/tests/all.sh
---- nss/tests/all.sh.sql-default 2020-06-17 00:50:59.000000000 +0200
-+++ nss/tests/all.sh 2020-07-22 17:41:08.591206201 +0200
-@@ -114,8 +114,6 @@ RUN_FIPS=""
- ########################################################################
- run_tests()
- {
-- echo "Running test cycle: ${TEST_MODE} ----------------------"
-- echo "List of tests that will be executed: ${TESTS}"
- for TEST in ${TESTS}
- do
- # NOTE: the spaces are important. If you don't include
-@@ -173,9 +171,8 @@ run_cycle_pkix()
-
- export -n NSS_SSL_RUN
-
-- # use the default format. (unset for the shell, export -n for binaries)
-+ # use the default format
- export -n NSS_DEFAULT_DB_TYPE
-- unset NSS_DEFAULT_DB_TYPE
-
- run_tests
- }
-diff -up nss/tests/merge/merge.sh.sql-default nss/tests/merge/merge.sh
---- nss/tests/merge/merge.sh.sql-default 2020-06-17 00:50:59.000000000 +0200
-+++ nss/tests/merge/merge.sh 2020-07-22 17:24:45.819348633 +0200
-@@ -98,7 +98,7 @@ merge_init()
- # are dbm databases.
- if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
- save=${NSS_DEFAULT_DB_TYPE}
-- NSS_DEFAULT_DB_TYPE=dbm ; export NSS_DEFAULT_DB_TYPE
-+ NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE
- fi
-
- certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE}
diff --git a/nss-sysinit-getenv.patch b/nss-sysinit-getenv.patch
deleted file mode 100644
index 9352e33..0000000
--- a/nss-sysinit-getenv.patch
+++ /dev/null
@@ -1,32 +0,0 @@ -diff -up nss/lib/sysinit/nsssysinit.c.sysinit-getenv nss/lib/sysinit/nsssysinit.c ---- nss/lib/sysinit/nsssysinit.c.sysinit-getenv 2019-04-26 12:08:48.155862312 +0200 -+++ nss/lib/sysinit/nsssysinit.c 2019-04-26 12:09:13.228344780 +0200 -@@ -1,6 +1,10 @@ - /* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -+ -+#define _GNU_SOURCE 1 -+#include -+ - #include "seccomon.h" - #include "prio.h" - #include "prprf.h" -@@ -41,7 +45,7 @@ testdir(char *dir) - static char * - getUserDB(void) - { -- char *userdir = PR_GetEnvSecure("HOME"); -+ char *userdir = secure_getenv("HOME"); - char *nssdir = NULL; - - if (userdir == NULL) { -@@ -95,7 +99,7 @@ userCanModifySystemDB() - static PRBool - getFIPSEnv(void) - { -- char *fipsEnv = PR_GetEnvSecure("NSS_FIPS"); -+ char *fipsEnv = secure_getenv("NSS_FIPS"); - if (!fipsEnv) { - return PR_FALSE; - } diff --git a/nss-sysinit-userdb.patch b/nss-sysinit-userdb.patch index a88132a..7347260 100644 --- a/nss-sysinit-userdb.patch +++ b/nss-sysinit-userdb.patch 
@@ -1,132 +1,106 @@ -# HG changeset patch -# User Edênis Freindorfer Azevedo -# Date 1547073505 -39600 -# Thu Jan 10 09:38:25 2019 +1100 -# Node ID da45424cb9a0b4d8e45e5040e2e3b574d994e254 -# Parent f7187a33fad7b9cafe0c2947c6d48618fdda57e4 -Bug 818686 - XDG Base Directory Specification support with fallback, r=mt - -Summary: -We check if $HOME/.pki and $HOME/.pki/nssdb exist; if they do, then we use -this path. Otherwise, use ${XDG_DATA_HOME:-$HOME/.local/share}/pki/nssdb - -Test Plan: -Create dummy empty dir and set HOME to it. Then, check if getUserDb returns: -1. $HOME/.pki/nssdb when this path exists; -2. $HOME/.local/share/pki/nssdb when $HOME/.pki/nssdb does not and XDG_DATA_HOME is not defined; -3. $XDG_DATA_HOME/pki/nssdb when $HOME/.pki/nssdb does not exist and XDG_DATA_HOME is defined. - -Reviewers: mt - -Reviewed By: mt - -Bug #: 818686 - -Differential Revision: https://phabricator.services.mozilla.com/D14007 - -diff --git a/lib/sysinit/nsssysinit.c b/lib/sysinit/nsssysinit.c ---- a/lib/sysinit/nsssysinit.c -+++ b/lib/sysinit/nsssysinit.c -@@ -37,9 +37,41 @@ testdir(char *dir) +Index: nss/lib/sysinit/nsssysinit.c +=================================================================== +--- nss.orig/lib/sysinit/nsssysinit.c ++++ nss/lib/sysinit/nsssysinit.c +@@ -36,41 +36,9 @@ testdir(char *dir) return S_ISDIR(buf.st_mode); } -+/** -+ * Append given @dir to @path and creates the directory with mode @mode. -+ * Returns 0 if successful, -1 otherwise. -+ * Assumes that the allocation for @path has sufficient space for @dir -+ * to be added. -+ */ -+static int -+appendDirAndCreate(char *path, char *dir, mode_t mode) -+{ -+ PORT_Strcat(path, dir); -+ if (!testdir(path)) { -+ if (mkdir(path, mode)) { -+ return -1; -+ } -+ } -+ return 0; -+} -+ -+#define XDG_NSS_USER_PATH1 "/.local" -+#define XDG_NSS_USER_PATH2 "/share" -+#define XDG_NSS_USER_PATH3 "/pki" -+ +-/** +- * Append given @dir to @path and creates the directory with mode @mode. 
+- * Returns 0 if successful, -1 otherwise. +- * Assumes that the allocation for @path has sufficient space for @dir +- * to be added. +- */ +-static int +-appendDirAndCreate(char *path, char *dir, mode_t mode) +-{ +- PORT_Strcat(path, dir); +- if (!testdir(path)) { +- if (mkdir(path, mode)) { +- return -1; +- } +- } +- return 0; +-} +- +-#define XDG_NSS_USER_PATH1 "/.local" +-#define XDG_NSS_USER_PATH2 "/share" +-#define XDG_NSS_USER_PATH3 "/pki" +- #define NSS_USER_PATH1 "/.pki" #define NSS_USER_PATH2 "/nssdb" --static char * -+ -+/** -+ * Return the path to user's NSS database. -+ * We search in the following dirs in order: -+ * (1) $HOME/.pki/nssdb; -+ * (2) $XDG_DATA_HOME/pki/nssdb if XDG_DATA_HOME is set; -+ * (3) $HOME/.local/share/pki/nssdb (default XDG_DATA_HOME value). -+ * If (1) does not exist, then the returned dir will be set to either -+ * (2) or (3), depending if XDG_DATA_HOME is set. -+ */ -+char * +- +-/** +- * Return the path to user's NSS database. +- * We search in the following dirs in order: +- * (1) $HOME/.pki/nssdb; +- * (2) $XDG_DATA_HOME/pki/nssdb if XDG_DATA_HOME is set; +- * (3) $HOME/.local/share/pki/nssdb (default XDG_DATA_HOME value). +- * If (1) does not exist, then the returned dir will be set to either +- * (2) or (3), depending if XDG_DATA_HOME is set. 
+- */ +-char * ++static char * getUserDB(void) { char *userdir = PR_GetEnvSecure("HOME"); -@@ -50,22 +82,47 @@ getUserDB(void) +@@ -81,47 +49,22 @@ getUserDB(void) } nssdir = PORT_Alloc(strlen(userdir) + sizeof(NSS_USER_PATH1) + sizeof(NSS_USER_PATH2)); -+ PORT_Strcpy(nssdir, userdir); -+ PORT_Strcat(nssdir, NSS_USER_PATH1 NSS_USER_PATH2); -+ if (testdir(nssdir)) { -+ /* $HOME/.pki/nssdb exists */ -+ return nssdir; -+ } else { -+ /* either $HOME/.pki or $HOME/.pki/nssdb does not exist */ -+ PORT_Free(nssdir); ++ if (nssdir == NULL) { ++ return NULL; + } -+ int size = 0; -+ char *xdguserdatadir = PR_GetEnvSecure("XDG_DATA_HOME"); -+ if (xdguserdatadir) { -+ size = strlen(xdguserdatadir); -+ } else { -+ size = strlen(userdir) + sizeof(XDG_NSS_USER_PATH1) + sizeof(XDG_NSS_USER_PATH2); -+ } -+ size += sizeof(XDG_NSS_USER_PATH3) + sizeof(NSS_USER_PATH2); -+ -+ nssdir = PORT_Alloc(size); - if (nssdir == NULL) { + PORT_Strcpy(nssdir, userdir); +- PORT_Strcat(nssdir, NSS_USER_PATH1 NSS_USER_PATH2); +- if (testdir(nssdir)) { +- /* $HOME/.pki/nssdb exists */ +- return nssdir; +- } else { +- /* either $HOME/.pki or $HOME/.pki/nssdb does not exist */ ++ /* verify it exists */ ++ if (!testdir(nssdir)) { + PORT_Free(nssdir); +- } +- int size = 0; +- char *xdguserdatadir = PR_GetEnvSecure("XDG_DATA_HOME"); +- if (xdguserdatadir) { +- size = strlen(xdguserdatadir); +- } else { +- size = strlen(userdir) + sizeof(XDG_NSS_USER_PATH1) + sizeof(XDG_NSS_USER_PATH2); +- } +- size += sizeof(XDG_NSS_USER_PATH3) + sizeof(NSS_USER_PATH2); +- +- nssdir = PORT_Alloc(size); +- if (nssdir == NULL) { return NULL; } -- PORT_Strcpy(nssdir, userdir); -- /* verify it exists */ -- if (!testdir(nssdir)) { -- PORT_Free(nssdir); -- return NULL; -+ -+ if (xdguserdatadir) { -+ PORT_Strcpy(nssdir, xdguserdatadir); -+ if (!testdir(nssdir)) { -+ PORT_Free(nssdir); -+ return NULL; -+ } -+ -+ } else { -+ PORT_Strcpy(nssdir, userdir); -+ if (appendDirAndCreate(nssdir, XDG_NSS_USER_PATH1, 0755) || -+ 
appendDirAndCreate(nssdir, XDG_NSS_USER_PATH2, 0755)) { -+ PORT_Free(nssdir); -+ return NULL; -+ } +- +- if (xdguserdatadir) { +- PORT_Strcpy(nssdir, xdguserdatadir); +- if (!testdir(nssdir)) { +- PORT_Free(nssdir); +- return NULL; +- } +- +- } else { +- PORT_Strcpy(nssdir, userdir); +- if (appendDirAndCreate(nssdir, XDG_NSS_USER_PATH1, 0755) || +- appendDirAndCreate(nssdir, XDG_NSS_USER_PATH2, 0755)) { +- PORT_Free(nssdir); +- return NULL; +- } ++ PORT_Strcat(nssdir, NSS_USER_PATH1); ++ if (!testdir(nssdir) && mkdir(nssdir, 0760)) { ++ PORT_Free(nssdir); ++ return NULL; } -- PORT_Strcat(nssdir, NSS_USER_PATH1); -- if (!testdir(nssdir) && mkdir(nssdir, 0760)) { -- PORT_Free(nssdir); -- return NULL; -- } -- PORT_Strcat(nssdir, NSS_USER_PATH2); -- if (!testdir(nssdir) && mkdir(nssdir, 0760)) { -+ /* ${XDG_DATA_HOME:-$HOME/.local/share}/pki/nssdb */ -+ if (appendDirAndCreate(nssdir, XDG_NSS_USER_PATH3, 0760) || -+ appendDirAndCreate(nssdir, NSS_USER_PATH2, 0760)) { +- /* ${XDG_DATA_HOME:-$HOME/.local/share}/pki/nssdb */ +- if (appendDirAndCreate(nssdir, XDG_NSS_USER_PATH3, 0760) || +- appendDirAndCreate(nssdir, NSS_USER_PATH2, 0760)) { ++ PORT_Strcat(nssdir, NSS_USER_PATH2); ++ if (!testdir(nssdir) && mkdir(nssdir, 0760)) { PORT_Free(nssdir); return NULL; } diff --git a/nss-util-config.in b/nss-util-config.in new file mode 100644 index 0000000..532abbe --- /dev/null +++ b/nss-util-config.in 
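Review bot: In the restored getUserDB() body, `mkdir(nssdir, 0760)` creates `$HOME/.pki` and `$HOME/.pki/nssdb` with group read and write bits requested, so the permissions on the user's NSS database directory end up depending on the caller's umask; `mkdir(nssdir, 0700)` on both calls would keep the directory private regardless. Each `!testdir(nssdir) && mkdir(...)` pair is also a check-then-create sequence: if another process creates the directory between the two calls, mkdir fails and getUserDB() returns NULL, so treating `errno == EEXIST` as success would be more robust. The mode appears to be carried over from the pre-XDG code this patch restores, so if it is kept for fidelity a one-line comment saying so would help the next rebase. The inner hunk ends before the end of getUserDB().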
@@ -0,0 +1,118 @@ +#!/bin/sh + +prefix=@prefix@ + +major_version=@MOD_MAJOR_VERSION@ +minor_version=@MOD_MINOR_VERSION@ +patch_version=@MOD_PATCH_VERSION@ + +usage() +{ + cat <&2 +fi + +lib_nssutil=yes + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --includedir=*) + includedir=$optarg + ;; + --includedir) + echo_includedir=yes + ;; + --libdir=*) + libdir=$optarg + ;; + --libdir) + echo_libdir=yes + ;; + --version) + echo ${major_version}.${minor_version}.${patch_version} + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +# Set variables that may be dependent upon other variables +if test -z "$exec_prefix"; then + exec_prefix=`pkg-config --variable=exec_prefix nss-util` +fi +if test -z "$includedir"; then + includedir=`pkg-config --variable=includedir nss-util` +fi +if test -z "$libdir"; then + libdir=`pkg-config --variable=libdir nss-util` +fi + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_includedir" = "yes"; then + echo $includedir +fi + +if test "$echo_libdir" = "yes"; then + echo $libdir +fi + +if test "$echo_cflags" = "yes"; then + echo -I$includedir +fi + +if test "$echo_libs" = "yes"; then + libdirs="-Wl,-rpath-link,$libdir -L$libdir" + if test -n "$lib_nssutil"; then + libdirs="$libdirs -lnssutil${major_version}" + fi + echo $libdirs +fi + diff --git a/nss-util.pc.in b/nss-util.pc.in new file mode 100644 index 0000000..1310248 --- /dev/null +++ b/nss-util.pc.in 
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-UTIL
+Description: Network Security Services Utility Library
+Version: %NSSUTIL_VERSION%
+Requires: nspr >= %NSPR_VERSION%
+Libs: -L${libdir} -lnssutil3
+Cflags: -I${includedir}
diff --git a/nss-version-range-set.patch b/nss-version-range-set.patch
deleted file mode 100644
index 8b3b25a..0000000
--- a/nss-version-range-set.patch
+++ /dev/null
@@ -1,43 +0,0 @@ -diff -up nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc.version-range-set nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc ---- nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc.version-range-set 2019-04-26 16:56:32.753283497 +0200 -+++ nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc 2019-04-26 16:56:51.096889439 +0200 -@@ -151,12 +151,6 @@ class TestPolicyVersionRange - } - - bool IsValidInputForVersionRangeSet(SSLVersionRange* expectedEffectiveRange) { -- if (input_.min() <= SSL_LIBRARY_VERSION_3_0 && -- input_.max() >= SSL_LIBRARY_VERSION_TLS_1_3) { -- // This is always invalid input, independent of policy -- return false; -- } -- - if (input_.min() < library_.min() || input_.max() > library_.max() || - input_.min() > input_.max()) { - // Asking for unsupported ranges is invalid input for VersionRangeSet -diff -up nss/lib/ssl/sslsock.c.version-range-set nss/lib/ssl/sslsock.c ---- nss/lib/ssl/sslsock.c.version-range-set 2019-04-26 16:56:11.810733383 +0200 -+++ nss/lib/ssl/sslsock.c 2019-04-26 16:56:11.813733319 +0200 -@@ -2542,13 +2542,6 @@ SSL_VersionRangeGetDefault(SSLProtocolVa - return ssl3_CreateOverlapWithPolicy(protocolVariant, vrange, vrange); - } - --static PRBool --ssl3_HasConflictingSSLVersions(const SSLVersionRange *vrange) --{ -- return (vrange->min <= SSL_LIBRARY_VERSION_3_0 && -- vrange->max >= SSL_LIBRARY_VERSION_TLS_1_3); --} -- - static SECStatus - ssl3_CheckRangeValidAndConstrainByPolicy(SSLProtocolVariant protocolVariant, - SSLVersionRange *vrange) -@@ -2557,8 +2550,7 @@ ssl3_CheckRangeValidAndConstrainByPolicy - - if (vrange->min > vrange->max || - !ssl3_VersionIsSupportedByCode(protocolVariant, vrange->min) || -- !ssl3_VersionIsSupportedByCode(protocolVariant, vrange->max) || -- ssl3_HasConflictingSSLVersions(vrange)) { -+ !ssl3_VersionIsSupportedByCode(protocolVariant, vrange->max)) { - PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); - return SECFailure; - } 
diff --git a/nss.spec b/nss.spec
index 2ed4f53..1f73285 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,21 +1,37 @@ -%global nspr_version 4.34.0 -%global nss_util_version 3.79.0 -%global nss_util_build -1 -# adjust to the version that gets submitted for FIPS validation -# Attention: Separate softokn versions for build and runtime. -%global nss_softokn_version 3.79.0 -%global runtime_required_softokn_build_version -1 -# Building NSS doesn't require the same version of softokn built for runtime. -%global nss_softokn_build_version 3.67.0 -%global build_required_softokn_build_version -1 -%global nss_version 3.79.0 - +%global nspr_build_version 4.35.0-1 +%global nspr_release -1 +%global nspr_version 4.35.0 +%global nss_version 3.90.0 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools -%global allTools "certutil cmsutil crlutil derdump modutil nss-policy-check pk12util pp signtool signver ssltap vfychain vfyserv" +%global saved_files_dir %{_libdir}/nss/saved +%global dracutlibdir %{_prefix}/lib/dracut +%global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/ +%global dracut_conf_dir %{dracutlibdir}/dracut.conf.d # The timestamp of our downstream manual pages, e.g., nss-config.1 %global manual_date "Nov 13 2013" +%bcond_without tests + +# Produce .chk files for the final stripped binaries +# +# NOTE: The LD_LIBRARY_PATH line guarantees shlibsign links +# against the freebl that we just built. This is necessary +# because the signing algorithm changed on 3.14 to DSA2 with SHA256 +# whereas we previously signed with DSA and SHA1. We must Keep this line +# until all mock platforms have been updated. 
+# After %%{__os_install_post} we would add +# export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%%{_libdir} +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so \ +%{nil} + # The upstream omits the trailing ".0", while we need it for # consistency with the pkg-config version: # https://bugzilla.redhat.com/show_bug.cgi?id=1578106 
@@ -24,70 +40,66 @@ rpm.define(string.format("nss_archive_version %s", string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1"))) } -# solution taken from icedtea-web.spec -%define multilib_arches ppc64 s390x sparc64 x86_64 -%ifarch %{multilib_arches} -%define alt_ckbi libnssckbi.so.%{_arch} -%else -%define alt_ckbi libnssckbi.so -%endif - -# Define if using a source archive like "nss-version.with.ckbi.version". -# To "disable", add "#" to start of line, AND a space after "%". -#% define nss_ckbi_suffix .with.ckbi.1.93 +%{lua: +rpm.define(string.format("nss_release_tag NSS_%s_RTM", + string.gsub(rpm.expand("%nss_archive_version"), "%.", "_"))) +} -%bcond_without tests -%bcond_with gtests +# This is taken from gnutls.spec +%define srpmhash() %{lua: +local files = rpm.expand("%_specdir/nss.spec") +for i, p in ipairs(patches) do + files = files.." "..p +end +for i, p in ipairs(sources) do + files = files.." "..p +end +local sha256sum = assert(io.popen("cat "..files.."| sha256sum")) +local hash = sha256sum:read("*a") +sha256sum:close() +print(string.sub(hash, 0, 16)) +} Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 5%{?dist} +Release: 3%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ -Group: System Environment/Libraries -Requires: nspr >= %{nspr_version} -Requires: nss-util >= %{nss_util_version}%{nss_util_build} +Requires: nspr >= %{nspr_version}%{nspr_release} +Requires: nss-util >= %{nss_version} # TODO: revert to same version as nss once we are done with the merge -Requires: nss-softokn%{_isa} >= %{nss_softokn_version}%{runtime_required_softokn_build_version} +Requires: nss-softokn%{_isa} >= %{nss_version} Requires: nss-system-init -Requires(post): %{_sbindir}/update-alternatives -Requires(postun): %{_sbindir}/update-alternatives -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -BuildRequires: nspr-devel >= %{nspr_version} -# TODO: revert to same version as nss once we are 
done with the merge -# Using '>=' but on RHEL the requires should be '=' -BuildRequires: nss-softokn-devel >= %{nss_softokn_build_version}%{build_required_softokn_build_version} -BuildRequires: nss-util-devel >= %{nss_util_version}%{nss_util_build} +Requires: p11-kit-trust +Requires: /usr/bin/update-crypto-policies +BuildRequires: nspr-devel >= %{nspr_build_version} +# for shlibsign +BuildRequires: nss-softokn BuildRequires: sqlite-devel BuildRequires: zlib-devel BuildRequires: pkgconfig BuildRequires: gawk BuildRequires: psmisc -BuildRequires: perl - -# nss-pem used to be bundled with the nss package on Fedora -- make sure that -# programs relying on that continue to work until they are fixed to require -# nss-pem instead. Once all of them are fixed, the following line can be -# removed. See https://bugzilla.redhat.com/1346806 for details. -Requires: nss-pem%{?_isa} - -%if %{defined nss_ckbi_suffix} -%define full_nss_version %{version}%{nss_ckbi_suffix} -%else -%define full_nss_version %{version} -%endif - -Source0: %{name}-%{nss_archive_version}.tar.gz -Source1: nss.pc.in -Source2: nss-config.in -Source3: blank-cert8.db -Source4: blank-key3.db -Source5: blank-secmod.db -Source6: blank-cert9.db -Source7: blank-key4.db -Source8: system-pkcs11.txt -Source9: setup-nsssysinit.sh +BuildRequires: perl-interpreter +BuildRequires: gcc-c++ + +Source0: https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{name}-%{nss_archive_version}.tar.gz +Source1: nss-util.pc.in +Source2: nss-util-config.in +Source3: nss-softokn.pc.in +Source4: nss-softokn-config.in +Source6: nss-softokn-dracut-module-setup.sh +Source7: nss-softokn-dracut.conf +Source8: nss.pc.in +Source9: nss-config.in +Source10: blank-cert8.db +Source11: blank-key3.db +Source12: blank-secmod.db +Source13: blank-cert9.db +Source14: blank-key4.db +Source15: system-pkcs11.txt +Source16: setup-nsssysinit.sh Source20: nss-config.xml Source21: setup-nsssysinit.xml Source22: pkcs11.txt.xml 
@@ -96,87 +108,71 @@ Source24: cert9.db.xml Source25: key3.db.xml Source26: key4.db.xml Source27: secmod.db.xml -Source32: nss-rhel7.config - -Patch2: add-relro-linker-option.patch -Patch3: renegotiate-transitional.patch -#Patch16: nss-539183.patch -# TODO: Remove this patch when the ocsp test are fixed -Patch40: nss-3.14.0.0-disble-ocsp-test.patch -# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator -Patch47: utilwrap-include-templates.patch -# TODO remove when we switch to building nss without softoken -Patch49: nss-skip-bltest-and-fipstest.patch -# This patch uses the gcc-iquote dir option documented at +Source28: nss-p11-kit.config +# fips algorithms are tied to the red hat validation, others +# will have their own validation +Source30: fips_algorithms.h + +# To inject hardening flags for DSO +Patch1: nss-dso-ldflags.patch +# This patch uses the GCC -iquote option documented at # http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options -# to place the in-tree directories at the head of the list of list of directories -# to be searched for for header files. This ensures a build even when system -# headers are older. Such is the case when starting an update with API changes or even private export changes. -# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it. 
-Patch50: iquote.patch -Patch52: Bug-1001841-disable-sslv2-libssl.patch -Patch53: Bug-1001841-disable-sslv2-tests.patch -# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677 -Patch56: p-ignore-setpolicy.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=943144 -Patch62: nss-fix-deadlock-squash.patch -# In RHEL-7, we still disable TLS 1.3 by default, and set SSL 3.0 as -# the hard minimum -Patch100: nss-3.79-version-range.patch -Patch108: nss-sni-c-v-fix.patch -Patch123: nss-skip-util-gtest.patch -Patch126: nss-reorder-cipher-suites.patch -Patch127: nss-disable-cipher-suites.patch -# revert sql man page changes -Patch128: nss-3.67-revert-sql-manage-change.patch -Patch130: nss-reorder-cipher-suites-gtests.patch -# To revert the change in: -# https://bugzilla.mozilla.org/show_bug.cgi?id=1377940 -Patch136: nss-sql-default.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1453408 -Patch139: nss-modutil-skip-changepw-fips.patch -# Work around for yum -# https://bugzilla.redhat.com/show_bug.cgi?id=1469526 -Patch141: nss-sysinit-getenv.patch +# to give the in-tree headers a higher priority over the system headers, +# when they are included through the quote form (#include "file.h"). +# +# This ensures a build even when system headers are older. Such is the +# case when starting an update with API changes or even private export +# changes. +# +# Once the buildroot aha been bootstrapped the patch may be removed +# but it doesn't hurt to keep it. 
+Patch4: iquote.patch # To revert the change in: # https://bugzilla.mozilla.org/show_bug.cgi?id=818686 -Patch148: nss-sysinit-userdb.patch +Patch9: nss-sysinit-userdb.patch # Disable nss-sysinit test which is solely to test the above change -Patch149: nss-skip-sysinit-gtests.patch -# Enable SSLv2 compatible ClientHello, disabled in the change: -# https://bugzilla.mozilla.org/show_bug.cgi?id=1483128 -Patch150: nss-3.79-ssl2-compatible-client-hello.patch -# For backward compatibility: make -V "ssl3:" continue working, while -# the minimum version is clamped to tls1.0 -Patch152: nss-version-range-set.patch -# CAVS testing should be done in nss-softkn package -Patch156: nss-skip-cavs-tests.patch -# To revert the testing portion of the change: -# https://bugzilla.mozilla.org/show_bug.cgi?id=1594933 -Patch158: nss-sql-default-tests.patch -# Local patch: disable Delegated Credentials -Patch159: nss-disable-dc.patch -# restore defaults when creating pkcs12 files -Patch160:nss-3.66-restore-old-pkcs12-default.patch -# disable tests that don't work in the brew environment -# because we can't reference external servers. 
-Patch161: nss-3.66-disable-external-host-test.patch -# keep expired distrusted certs -Patch162: nss-3.79-distrusted-certs.patch -#----------------------------------- -# cve 2023-0767, remove on rebase to nss 3.88.1 or later -# https://bugzilla.mozilla.org/show_bug.cgi?id=1804640 -Patch170: cve-2023-0767.patch - -# remove when nss-softokn is 3.79 during builds -Patch200: nss-3.79-skip-pwdecrypt-time.patch - -# patches that just need to be upstreamed -Patch300: nss-3.79-r7-remove-explicit-ipv4.patch -Patch301: nss-3.79-fix-client-cert-crash.patch -Patch302: nss-3.79-pkcs12-fix-null-password.patch - +Patch10: nss-skip-sysinit-gtests.patch +# For compatibility reasons, we stick with the old PKCS #11 2.40 +# definition of CK_GCM_PARAMS: +%if 0%{?fedora} < 34 +%if 0%{?rhel} < 9 +Patch20: nss-gcm-param-default-pkcs11v2.patch +%endif +%endif +# Local patch: disable MD5 (also MD2 and MD4) completely +# https://bugzilla.redhat.com/show_bug.cgi?id=1849938 +Patch25: nss-disable-md5.patch +# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers +Patch30: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch +# Local patch: disable Delegated Credentials +Patch35: nss-disable-dc.patch +# Local patch: ignore rsa, rsa-pss, ecdsa policies until crypto-policies +# is updated. 
+Patch40: nss-3.66-disable-signature-policies.patch +# Local patch: disable tests that require external reference so brew completes +Patch45: nss-3.66-disable-external-host-test.patch +# Local patch: restore old pkcs 12 defaults on old version of rhel +Patch50: nss-3.66-restore-old-pkcs12-default.patch +# Local Patch: restore expired distrusted certs for now +Patch51: nss-3.79-revert-distrusted-certs.patch +# Local Patch: update fipsdefaults to AES +Patch52: nss-3.79-pkcs12-fips-defaults.patch +Patch53: nss-3.71-camellia-pkcs12-doc.patch +Patch54: nss-3.90-disable-ech.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1774659 +Patch57: nss-3.79-dbtool.patch +Patch58: nss-3.79-fips.patch +Patch61: nss-3.79-fips-review.patches +# https://bugzilla.mozilla.org/show_bug.cgi?id=1836781 +# https://bugzilla.mozilla.org/show_bug.cgi?id=1836925 +Patch62: nss-3.90-DisablingASM.patch +Patch63: nss-3.90-no-dbm-25519.patch +Patch64: nss-3.90-pbkdf2-indicator.patch + +#ems policy. needs to upstream +Patch70: nss-3.90-add-ems-policy.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -187,7 +183,6 @@ v3 certificates, and other security standards. %package tools Summary: Tools for the Network Security Services -Group: System Environment/Base Requires: %{name}%{?_isa} = %{version}-%{release} %description tools @@ -202,11 +197,10 @@ manipulate the NSS certificate and key database. %package sysinit Summary: System NSS Initialization -Group: System Environment/Base # providing nss-system-init without version so that it can # be replaced by a better one, e.g. supplied by the os vendor Provides: nss-system-init -Requires: nss = %{version}-%{release} +Requires: nss%{?_isa} = %{version}-%{release} Requires(post): coreutils, sed %description sysinit 
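Review bot: `Patch30: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch` turns the `TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA` suites on by default, but its comment gives neither the reason nor a removal condition; 3DES is a 64-bit block cipher, so a default-on choice deserves a line such as `# Kept for legacy peers; drop once <condition>` next to the bug reference. The comment on `Patch40` says "until crypto-policies is updated" without a tracking bug, so nothing tells a later rebase when the signature-policy bypass can go. `Patch53` and `Patch54` carry no comment of their own, unlike the entries around them; one line each stating what is disabled or documented and why would keep the list auditable.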
@@ -217,12 +211,11 @@ any system or user configured modules. %package devel Summary: Development libraries for Network Security Services -Group: Development/Libraries Provides: nss-static = %{version}-%{release} -Requires: nss = %{version}-%{release} +Requires: nss%{?_isa} = %{version}-%{release} Requires: nss-util-devel Requires: nss-softokn-devel -Requires: nspr-devel >= %{nspr_version} +Requires: nspr-devel >= %{nspr_version}%{nspr_release} Requires: pkgconfig BuildRequires: xmlto 
@@ -232,227 +225,235 @@ Header and Library files for doing development with Network Security Services. %package pkcs11-devel Summary: Development libraries for PKCS #11 (Cryptoki) using NSS -Group: Development/Libraries Provides: nss-pkcs11-devel-static = %{version}-%{release} Requires: nss-devel = %{version}-%{release} -# TODO: revert to using nss_softokn_version once we are done with -# the merge into to new rhel git repo -# For RHEL we should have '=' instead of '>=' -Requires: nss-softokn-freebl-devel >= %{nss_softokn_build_version} +Requires: nss-softokn-freebl-devel = %{version}-%{release} %description pkcs11-devel -Library files for developing PKCS #11 modules using basic NSS +Library files for developing PKCS #11 modules using basic NSS low level services. +%package util +Summary: Network Security Services Utilities Library +Requires: nspr >= %{nspr_version}%{nspr_release} + +%description util +Utilities for Network Security Services and the Softoken module + +%package util-devel +Summary: Development libraries for Network Security Services Utilities +Requires: nss-util%{?_isa} = %{version}-%{release} +Requires: nspr-devel >= %{nspr_version}%{nspr_release} +Requires: pkgconfig + +%description util-devel +Header and library files for doing development with Network Security Services. 
+ + +%package softokn +Summary: Network Security Services Softoken Module +Requires: nspr >= %{nspr_version}%{nspr_release} +Requires: nss-util >= %{version}-%{release} +Requires: nss-softokn-freebl%{_isa} >= %{version}-%{release} + +%description softokn +Network Security Services Softoken Cryptographic Module + +%package softokn-freebl +Summary: Freebl library for the Network Security Services +# For PR_GetEnvSecure() from nspr >= 4.12 +Requires: nspr >= 4.12 +# For NSS_SecureMemcmpZero() from nss-util >= 3.33 +Requires: nss-util >= 3.33 +Conflicts: nss < 3.12.2.99.3-5 +Conflicts: filesystem < 3 + +%description softokn-freebl +NSS Softoken Cryptographic Module Freebl Library + +Install the nss-softokn-freebl package if you need the freebl library. + +%package softokn-freebl-devel +Summary: Header and Library files for doing development with the Freebl library for NSS +Provides: nss-softokn-freebl-static = %{version}-%{release} +Requires: nss-softokn-freebl%{?_isa} = %{version}-%{release} + +%description softokn-freebl-devel +NSS Softoken Cryptographic Module Freebl Library Development Tools +This package supports special needs of some PKCS #11 module developers and +is otherwise considered private to NSS. As such, the programming interfaces +may change and the usual NSS binary compatibility commitments do not apply. +Developers should rely only on the officially supported NSS public API. + +%package softokn-devel +Summary: Development libraries for Network Security Services +Requires: nss-softokn%{?_isa} = %{version}-%{release} +Requires: nss-softokn-freebl-devel%{?_isa} = %{version}-%{release} +Requires: nspr-devel >= %{nspr_version}%{nspr_release} +Requires: nss-util-devel >= %{version}-%{release} +Requires: pkgconfig +BuildRequires: nspr-devel >= %{nspr_build_version} + +%description softokn-devel +Header and library files for doing development with Network Security Services. 
+ + %prep -%setup -q -n %{name}-%{nss_archive_version} - -%patch2 -p0 -b .relro -%patch3 -p0 -b .transitional -#%patch16 -p0 -b .539183 -%patch40 -p0 -b .noocsptest -%patch47 -p0 -b .templates -%patch50 -p0 -b .iquote -pushd nss -%patch49 -p0 -b .skipthem -%patch52 -p1 -b .disableSSL2libssl -%patch53 -p1 -b .disableSSL2tests -%patch56 -p1 -b .1026677_ignore_set_policy -%patch62 -p1 -b .fix_deadlock -%patch100 -p1 -b .version-range -popd -%patch108 -p0 -b .sni_c_v_fix +%autosetup -N -n %{name}-%{nss_archive_version} pushd nss -%patch123 -p1 -b .skip-util-gtests -%patch126 -p1 -b .reorder-cipher-suites -%patch127 -p1 -b .disable-cipher-suites -%patch130 -p1 -b .reorder-cipher-suites-gtests -%patch136 -p1 -b .sql-default -%patch139 -p1 -b .modutil-skip-changepw-fips -%patch148 -R -p1 -b .sysinit-userdb -%patch141 -p1 -b .sysinit-getenv -%patch149 -p1 -b .skip-sysinit-gtests -%patch150 -p1 -b .ssl2hello -%patch152 -p1 -b .version-range-set -%patch156 -p1 -b .skip-cavs -%patch128 -R -p1 -b .sql-man-page -%patch158 -p1 -b .sql-default-tests -%patch159 -p1 -b .dc -%patch160 -p1 -b .restore-pkcs12-defaults -%patch161 -p1 -b .brew -%patch162 -R -p1 -b .distrusted-certs -%patch170 -p1 -b .cve-2023-0767 - -%patch200 -p1 -b .skip-pwdecrypt-time -%patch300 -p1 -b .remove-explicit-ipv4 -%patch301 -p1 -b .client-cert-crash -%patch302 -p1 -b .fix-pkcs12-null +%autopatch -p1 popd -######################################################### -# Higher-level libraries and test tools need access to -# module-private headers from util, freebl, and softoken -# until fixed upstream we must copy some headers locally -######################################################### - -# Copying these header until the upstream bug is accepted -# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207 -%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf -%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf - -# Before removing util directory we must save verref.h -# as it will be needed 
later during the build phase. -%{__mv} ./nss/lib/util/verref.h ./nss/verref.h - -##### Remove util/freebl/softoken and low level tools -######## Remove freebl, softoken and util -%{__rm} -rf ./nss/lib/freebl -%{__rm} -rf ./nss/lib/softoken -%{__rm} -rf ./nss/lib/util -######## Remove nss-softokn test tools as we already ran -# the cipher test suite as part of the nss-softokn build -%{__rm} -rf ./nss/cmd/bltest -%{__rm} -rf ./nss/cmd/fipstest -%{__rm} -rf ./nss/cmd/rsaperf_low - -pushd nss/tests/ssl -# Create versions of sslcov.txt and sslstress.txt that disable tests -# for SSL2 and EXPORT ciphers. -cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslcov.noSSL2orExport.txt -cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslstress.noSSL2orExport.txt -popd +# copy the fips_algorithms.h for this release +# this file is release specific and matches what +# each vendors claim in their own FIPS certification +cp %{SOURCE30} nss/lib/softoken/ + +# https://bugzilla.redhat.com/show_bug.cgi?id=1247353 +find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \; %build -export NSS_NO_SSL2=1 +export FREEBL_NO_DEPEND=1 -FREEBL_NO_DEPEND=1 -export FREEBL_NO_DEPEND +# Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets +# copied to dist and the rpm install phase can find it +# This due of the upstream changes to fix +# https://bugzilla.mozilla.org/show_bug.cgi?id=717906 +export FREEBL_LOWHASH=1 + +# uncomment if the iquote patch is activated +export IN_TREE_FREEBL_HEADERS_FIRST=1 + +# FIPS related defines +export NSS_FORCE_FIPS=1 +export NSS_FIPS_VERSION="%{name}\ %{version}-%{srpmhash}" +eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release | sed -e 's/ /\\ /g') +export FIPS_MODULE_OS="$OS_NAME\ ${OS_VERSION_ID%%.*}" +export NSS_FIPS_MODULE_ID="${FIPS_MODULE_OS}\ ${NSS_FIPS_VERSION}" +export NSS_FIPS_140_3=1 +export NSS_ENABLE_FIPS_INDICATORS=1 # Enable compiler optimizations and disable debugging code 
export BUILD_OPT=1 # Uncomment to disable optimizations -# RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g' -e 's/ -Wp,-D_FORTIFY_SOURCE=2//g'` -# export RPM_OPT_FLAGS +#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'` +#export RPM_OPT_FLAGS # Generate symbolic info for debuggers -XCFLAGS=$RPM_OPT_FLAGS +export XCFLAGS=$RPM_OPT_FLAGS -export XCFLAGS +export LDFLAGS=$RPM_LD_FLAGS -PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 -PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 +export DSO_LDFLAGS=$RPM_LD_FLAGS -export PKG_CONFIG_ALLOW_SYSTEM_LIBS -export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS +export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 +export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 -NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` -NSPR_LIB_DIR=%{_libdir} +export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` +export NSPR_LIB_DIR=%{_libdir} -export NSPR_INCLUDE_DIR -export NSPR_LIB_DIR - -export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'` -export NSSUTIL_LIB_DIR=%{_libdir} - -export FREEBL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-softokn | sed 's/-I//'` -export FREEBL_LIB_DIR=%{_libdir} -export USE_SYSTEM_FREEBL=1 -# FIXME choose one or the other style and submit a patch upstream -# wtc has suggested using NSS_USE_SYSTEM_FREEBL -export NSS_USE_SYSTEM_FREEBL=1 - -export FREEBL_LIBS=`/usr/bin/pkg-config --libs nss-softokn` - -export SOFTOKEN_LIB_DIR=%{_libdir} -# use the system ones -export USE_SYSTEM_NSSUTIL=1 -export USE_SYSTEM_SOFTOKEN=1 - -# tell the upstream build system what we are doing -export NSS_BUILD_WITHOUT_SOFTOKEN=1 - -NSS_USE_SYSTEM_SQLITE=1 -export NSS_USE_SYSTEM_SQLITE +export NSS_USE_SYSTEM_SQLITE=1 export NSS_ALLOW_SSLKEYLOGFILE=1 +export NSS_SEED_ONLY_DEV_URANDOM=1 + %ifnarch noarch %if 0%{__isa_bits} == 64 -USE_64=1 -export USE_64 +export USE_64=1 %endif %endif -# uncomment if the iquote patch is activated -export IN_TREE_FREEBL_HEADERS_FIRST=1 - -##### phase 2: build the rest 
of nss -export NSS_BLTEST_NOT_AVAILABLE=1 - -export NSS_FORCE_FIPS=1 - # Set the policy file location # if set NSS will always check for the policy file and load if it exists -export POLICY_FILE="nss-rhel7.config" +export POLICY_FILE="nss.config" # location of the policy file -export POLICY_PATH="/etc/pki/nss-legacy" - -# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c -# need nss/lib/util/verref.h which is exported privately, -# copy the one we saved during prep so it they can find it. -%{__mkdir_p} ./dist/private/nss -%{__mv} ./nss/verref.h ./dist/private/nss/verref.h - -# gtests require a newer version of g++ than we have natively on rhel 7.9 -# first build nss proper with our native tools -%if %{without gtests} -export NSS_DISABLE_GTESTS=1 -%endif +export POLICY_PATH="/etc/crypto-policies/back-ends" + %{__make} -C ./nss all %{__make} -C ./nss latest -unset NSS_BLTEST_NOT_AVAILABLE - # build the man pages clean pushd ./nss/doc rm -rf ./nroff -%{__make} clean +make clean echo -n %{manual_date} > date.xml echo -n %{version} > version.xml -%{__make} +make popd # and copy them to the dist directory for %%install to find them -%{__mkdir_p} ./dist/doc/nroff -%{__cp} ./nss/doc/nroff/* ./dist/doc/nroff - -# Set up our package file -# The nspr_version and nss_{util|softokn}_version globals used -# here match the ones nss has for its Requires. 
-# Using the current %%{nss_softokn_version} for fedora again -%{__mkdir_p} ./dist/pkgconfig -%{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \ +mkdir -p ./dist/docs/nroff +cp ./nss/doc/nroff/* ./dist/docs/nroff + +# Set up our package files +mkdir -p ./dist/pkgconfig + +cat %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \ + -e "s,%%prefix%%,%{_prefix},g" \ + -e "s,%%exec_prefix%%,%{_prefix},g" \ + -e "s,%%includedir%%,%{_includedir}/nss3,g" \ + -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ + -e "s,%%NSSUTIL_VERSION%%,%{version},g" > \ + ./dist/pkgconfig/nss-util.pc + +NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | awk '{print $3}'` +NSSUTIL_VMINOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMINOR" | awk '{print $3}'` +NSSUTIL_VPATCH=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VPATCH" | awk '{print $3}'` + +cat %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \ + -e "s,@prefix@,%{_prefix},g" \ + -e "s,@exec_prefix@,%{_prefix},g" \ + -e "s,@includedir@,%{_includedir}/nss3,g" \ + -e "s,@MOD_MAJOR_VERSION@,$NSSUTIL_VMAJOR,g" \ + -e "s,@MOD_MINOR_VERSION@,$NSSUTIL_VMINOR,g" \ + -e "s,@MOD_PATCH_VERSION@,$NSSUTIL_VPATCH,g" \ + > ./dist/pkgconfig/nss-util-config + +chmod 755 ./dist/pkgconfig/nss-util-config + +cat %{SOURCE3} | sed -e "s,%%libdir%%,%{_libdir},g" \ + -e "s,%%prefix%%,%{_prefix},g" \ + -e "s,%%exec_prefix%%,%{_prefix},g" \ + -e "s,%%includedir%%,%{_includedir}/nss3,g" \ + -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ + -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \ + -e "s,%%SOFTOKEN_VERSION%%,%{version},g" > \ + ./dist/pkgconfig/nss-softokn.pc + +SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'` +SOFTOKEN_VMINOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'` +SOFTOKEN_VPATCH=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'` + +cat %{SOURCE4} | sed -e "s,@libdir@,%{_libdir},g" \ 
+ -e "s,@prefix@,%{_prefix},g" \ + -e "s,@exec_prefix@,%{_prefix},g" \ + -e "s,@includedir@,%{_includedir}/nss3,g" \ + -e "s,@MOD_MAJOR_VERSION@,$SOFTOKEN_VMAJOR,g" \ + -e "s,@MOD_MINOR_VERSION@,$SOFTOKEN_VMINOR,g" \ + -e "s,@MOD_PATCH_VERSION@,$SOFTOKEN_VPATCH,g" \ + > ./dist/pkgconfig/nss-softokn-config + +chmod 755 ./dist/pkgconfig/nss-softokn-config + +cat %{SOURCE8} | sed -e "s,%%libdir%%,%{_libdir},g" \ -e "s,%%prefix%%,%{_prefix},g" \ -e "s,%%exec_prefix%%,%{_prefix},g" \ -e "s,%%includedir%%,%{_includedir}/nss3,g" \ -e "s,%%NSS_VERSION%%,%{version},g" \ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ - -e "s,%%NSSUTIL_VERSION%%,%{nss_util_version},g" \ - -e "s,%%SOFTOKEN_VERSION%%,%{nss_softokn_version},g" > \ + -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \ + -e "s,%%SOFTOKEN_VERSION%%,%{nss_version},g" > \ ./dist/pkgconfig/nss.pc NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'` NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'` NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'` -export NSS_VMAJOR -export NSS_VMINOR -export NSS_VPATCH - -%{__cat} %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \ +cat %{SOURCE9} | sed -e "s,@libdir@,%{_libdir},g" \ -e "s,@prefix@,%{_prefix},g" \ -e "s,@exec_prefix@,%{_prefix},g" \ -e "s,@includedir@,%{_includedir}/nss3,g" \ @@ -463,12 +464,12 @@ export NSS_VPATCH chmod 755 ./dist/pkgconfig/nss-config -%{__cat} %{SOURCE9} > ./dist/pkgconfig/setup-nsssysinit.sh +cat %{SOURCE16} > ./dist/pkgconfig/setup-nsssysinit.sh chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh -%{__cp} ./nss/lib/ckfw/nssck.api ./dist/private/nss/ +cp ./nss/lib/ckfw/nssck.api ./dist/private/nss/ -echo -n %{manual_date} > date.xml +date +"%e %B %Y" | tr -d '\n' > date.xml echo -n %{version} > version.xml # configuration files and setup script 
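Review bot: The `cp %{SOURCE30} nss/lib/softoken/` step in %prep copies a header that its own comment calls release specific and tied to a vendor's FIPS certification, yet the spec does not record which vendor or certificate this copy belongs to. Meanwhile %build sets `NSS_FORCE_FIPS`, `NSS_FIPS_140_3` and `NSS_ENABLE_FIPS_INDICATORS` and builds `NSS_FIPS_MODULE_ID` from the build host's /etc/os-release. If the header was taken over from another distribution (an inference, its origin is not visible here), the indicators could report algorithms as approved that no certification of this build covers. I would record the provenance next to the copy, for example `# fips_algorithms.h: origin PLACEHOLDER, certificate PLACEHOLDER; re-review on every rebase`. Separately, `Requires: nss-softokn-freebl%{_isa}` in the softokn subpackage lacks the `?` that every other `%{?_isa}` in this hunk has; %build continues past the end of the hunk.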
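Review bot: The added `date +"%e %B %Y" | tr -d '\n' > date.xml` stamps the generated man pages with the build host's clock and locale, so two builds of the same source no longer produce identical packages. The man-page step earlier in %build still writes `echo -n %{manual_date} > date.xml`, so the two places now disagree. For a crypto library it is worth keeping the build reproducible, so that a rebuilt RPM can be compared with the published one. I would keep the pinned value here too, `echo -n %{manual_date} > date.xml`, or derive the date from SOURCE_DATE_EPOCH under `LC_ALL=C` if the macro is being retired. The %build section starts before this hunk and continues after it.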
@@ -486,52 +487,27 @@ done for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do xmlto man ${m} done - + %check %if %{with tests} -if [ ${DISABLETEST:-0} -eq 1 ]; then - echo "testing disabled" - exit 0 -fi - # Begin -- copied from the build section -# inform the ssl test scripts that SSL2 is disabled -export NSS_NO_SSL2=1 - -FREEBL_NO_DEPEND=1 -export FREEBL_NO_DEPEND +export FREEBL_NO_DEPEND=1 export BUILD_OPT=1 %ifnarch noarch %if 0%{__isa_bits} == 64 -USE_64=1 -export USE_64 +export USE_64=1 %endif %endif -export NSS_BLTEST_NOT_AVAILABLE=1 - -export NSS_FORCE_FIPS=1 -export NSS_FIPS_VERSION="%{name}\ %{version}-%{srpmhash}" -eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release | sed -e 's/ /\\ /g') -export FIPS_MODULE_OS="$OS_NAME\ ${OS_VERSION_ID%%.*}" -export NSS_FIPS_MODULE_ID="${FIPS_MODULE_OS}\ ${NSS_FIPS_VERSION}" - -# needed for the fips mangling test -export SOFTOKEN_LIB_DIR=%{_libdir} - # End -- copied from the build section -export GTESTS="certhigh_gtest certdb_gtest der_gtest pk11_gtest softoken_gtest smime_gtest" -export GTESTFILTER='-TlsConnectTest.DisallowSSLv3HelloWithTLSv13Enabled' - # This is necessary because the test suite tests algorithms that are # disabled by the system policy. export NSS_IGNORE_SYSTEM_POLICY=1 -export NSS_SKIP_PWDECRYPT_TIME="true" # enable the following line to force a test failure # find ./nss -name \*.chk | xargs rm -f @@ -555,8 +531,7 @@ fi MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||: RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||: DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||: -pushd `pwd` -cd $DISTBINDIR +pushd "$DISTBINDIR" ln -s selfserv $RANDSERV popd # man perlrun, man perlrequick 
@@ -569,242 +544,169 @@ find ./nss/tests -type f |\ killall $RANDSERV || : rm -rf ./tests_results -pushd ./nss/tests/ +pushd nss/tests # all.sh is the test suite script # don't need to run all the tests when testing packaging -export NSS_DEFAULT_DB_TYPE=dbm #in RHEL 7, the default db is sql, but we want +export NSS_DEFAULT_DB_TYPE=dbm #in RHEL 8, the default db is sql, but we want # standard to test dbm, or upgradedb will fail -%global nss_full_cycles "standard pkix upgradedb sharedb threadunsafe" -%global nss_cycles "standard pkix upgradedb sharedb" -%global nss_full_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec" -%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec" -%ifarch x86_64 -%global nss_cycles "standard pkix upgradedb sharedb threadunsafe" -%endif -%if %{with gtests} -%global nss_full_tests "%{nss_full_tests} gtests ssl_gtests" -%global nss_tests "%{nss_tests} ssl_gtests" -%endif -# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr -# nss_ssl_run: cov auth stress +%define nss_cycles "standard pkix upgradedb sharedb threadunsafe" +# the full list from all.sh is: +# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" +%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" +# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy +# nss_ssl_run: cov auth stapling stress # # Uncomment these lines if you need to temporarily # disable some test suites for faster test builds -# global nss_ssl_tests "normal_fips" -# global nss_ssl_run "cov auth" - -# Temporarily disabling tests for s390 -%ifarch s390 -%global nss_ssl_run "cov auth" -%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec" -%endif -%ifarch s390x -%global nss_ssl_run "cov auth" -%global nss_tests "libpkix cert dbtests 
tools sdr crmf smime ocsp merge pkits ec" -%endif -%if %{with gtests} -%global nss_tests "%{nss_tests} gtests" -%endif -# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr -soft=$(rpm -q nss-softokn) -soft_minor=${soft:14:2} -nss_soft=%{nss_softokn_version} -nss_soft_minor=${nss_soft:2:2} -export NSS_CYCLES=%{?nss_full_cycles} -export NSS_TESTS=%{?nss_full_tests} -export NSS_SSL_RUN=%{?nss_full_ssl_run} -export NSS_SSL_TESTS=%{?nss_full_ssl_tests} -if [ ${soft_minor} -lt ${nss_soft_minor} ]; then - export NSS_OLD_SOFTOKEN=1 - export NSS_DISABLE_PPC_GHASH=1 - export NSS_CYCLES=%{?nss_cycles} - export NSS_TESTS=%{?nss_tests} - export NSS_SSL_RUN=%{?nss_ssl_run} - export NSS_SSL_TESTS=%{?nss_ssl_tests} -fi - -HOST=localhost DOMSUF=localdomain PORT=$MYRAND ./all.sh +# % define nss_ssl_tests "normal_fips" +# % define nss_ssl_run "cov" +HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh popd -# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise, -# Grep exits with status greater than 1 if an error ocurred. -# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0, -# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas -# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file. -killall $RANDSERV || : - -TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$? 
-if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then - echo "okay: test suite detected no failures" -else - %ifarch %{arm} - : - # do nothing on arm where the test suite is failing and has been - # for while, do run the test suite but make it non fatal on arm - %else - if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then - # while a situation in which grep return status is 0 and it doesn't output - # anything shouldn't happen, set the default to something that is - # obviously wrong (-1) - echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)" - exit 1 - else - if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then - echo "error: grep has not found log file" - exit 1 - else - echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}" - exit 1 - fi - fi -%endif -fi -echo "test suite completed" %endif %install -%{__rm} -rf $RPM_BUILD_ROOT - # There is no make install target so we'll do it ourselves. -%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3 -%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3/templates -%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir} -%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir} -%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory} -%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig +mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3 +mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3/templates +mkdir -p $RPM_BUILD_ROOT/%{_bindir} +mkdir -p $RPM_BUILD_ROOT/%{_libdir} +mkdir -p $RPM_BUILD_ROOT/%{unsupported_tools_directory} +mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig +mkdir -p $RPM_BUILD_ROOT/%{saved_files_dir} +mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir} +mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir} +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d +%if %{defined rhel} +# not needed for rhel and its derivatives only fedora +%else +# because of the pp.1 conflict with perl-PAR-Packer +mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools +%endif + +install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh +install -m 644 %{SOURCE7} 
$RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5 -touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so -%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so - # Copy the binary libraries we want -for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so +for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so do - %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} + install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} done # Install the empty NSS db files # Legacy db -%{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb -%{__install} -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db -%{__install} -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db -%{__install} -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb +install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db +install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db +install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db # Shared db -%{__install} -p -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db -%{__install} -p -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db -%{__install} -p -m 644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt +install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db +install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db +install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt # Copy the development libraries we want for file in libcrmf.a libnssb.a libnssckfw.a do - %{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} + 
install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} done # Copy the binaries we want for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap do - %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir} + install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir} done # Copy the binaries we ship as unsupported -for file in atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain validation +for file in bltest dbtool ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt validation vfyserv vfychain do - %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory} + install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory} done # Copy the include files we want for file in dist/public/nss/*.h do - %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3 + install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3 +done + +# Copy some freebl include files we also want +for file in blapi.h alghmac.h cmac.h +do + install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3 +done + +# Copy the static freebl library +for file in libfreebl.a +do +install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} done # Copy the template files we want -for file in dist/private/nss/nssck.api +for file in dist/private/nss/templates.c dist/private/nss/nssck.api do - %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates + install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates done # Copy the package configuration files -%{__install} -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc -%{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config +install -p -m 644 ./dist/pkgconfig/nss-util.pc 
$RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc +install -p -m 755 ./dist/pkgconfig/nss-util-config $RPM_BUILD_ROOT/%{_bindir}/nss-util-config +install -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc +install -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config +install -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc +install -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config # Copy the pkcs #11 configuration script -%{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh +install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh # install a symbolic link to it, without the ".sh" suffix, # that matches the man page documentation ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit # Copy the man pages for scripts -for f in nss-config setup-nsssysinit; do +for f in nss-config setup-nsssysinit; do install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1 done # Copy the man pages for the nss tools -for f in "%{allTools}"; do - install -c -m 644 ./dist/doc/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1 +for f in certutil cmsutil crlutil derdump modutil nss-policy-check pk12util signtool signver ssltap vfychain vfyserv; do + install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1 done +%if %{defined rhel} +install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1 +%else +install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1 +%endif + # Copy the man pages for the configuration files -for f in pkcs11.txt; do +for f in pkcs11.txt; do install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5 done # Copy the man pages for the nss databases -for f in cert8.db cert9.db key3.db key4.db secmod.db; do +for f 
in cert8.db cert9.db key3.db key4.db secmod.db; do install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5 done -%{__mkdir_p} $RPM_BUILD_ROOT%{_sysconfdir}/pki/nss-legacy -%{__install} -p -m 644 %{SOURCE32} $RPM_BUILD_ROOT%{_sysconfdir}/pki/nss-legacy/nss-rhel7.config - -%clean -%{__rm} -rf $RPM_BUILD_ROOT +# Copy the crypto-policies configuration file +install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d %triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3 # Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet # from previous versions of nss.spec /usr/bin/setup-nsssysinit.sh on -%post -# If we upgrade, and the shared filename is a regular file, then we must -# remove it, before we can install the alternatives symbolic link. -if [ $1 -gt 1 ] ; then - # when upgrading or downgrading - if ! test -L %{_libdir}/libnssckbi.so; then - rm -f %{_libdir}/libnssckbi.so - fi -fi -# Install the symbolic link -# FYI: Certain other packages use alternatives --set to enforce that the first -# installed package is preferred. We don't do that. Highest priority wins. -%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \ - %{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10 -/sbin/ldconfig - -%postun -if [ $1 -eq 0 ] ; then - # package removal - %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so -else - # upgrade or downgrade - # If the new installed package uses a regular file (not a symblic link), - # then cleanup the alternatives link. - if ! 
test -L %{_libdir}/libnssckbi.so; then - %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so - fi -fi -/sbin/ldconfig +%posttrans +update-crypto-policies --no-reload &> /dev/null || : %files -%defattr(-,root,root) +%{!?_licensedir:%global license %%doc} +%license nss/COPYING %{_libdir}/libnss3.so %{_libdir}/libssl3.so %{_libdir}/libsmime3.so -%ghost %{_libdir}/libnssckbi.so -%{_libdir}/nss/libnssckbi.so %dir %{_sysconfdir}/pki/nssdb %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db 
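Review bot: After `./all.sh` and `popd`, %check now runs straight into `%endif`, so nothing in the spec fails the build on a failed test. The block that grepped `./tests_results/security/localhost.1/output.log` for `- FAILED$` and exited 1 is removed, along with the trailing `killall $RANDSERV || :`. Unless all.sh itself returns non-zero when a suite fails (not visible in this hunk), a build whose cert, ssl or fips suites fail would still produce packages, and the renamed selfserv helper may be left running on the builder. I would keep an explicit check after `popd` that fails on a logged failure and also on a missing log, as sketched below. %check begins before this hunk.

```spec
# … unchanged: cycle/suite selection and the all.sh invocation …
popd

killall $RANDSERV || :

# grep -c exits 1 when nothing matched, 0 on a match, >1 on error (e.g. no log)
GREP_EXIT_STATUS=0
TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
case $GREP_EXIT_STATUS in
  1) echo "okay: test suite detected no failures" ;;
  0) echo "error: test suite had ${TEST_FAILURES} test failure(s)"; exit 1 ;;
  *) echo "error: could not read the test log (grep exit ${GREP_EXIT_STATUS})"; exit 1 ;;
esac
```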
@@ -812,25 +714,22 @@ fi %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt -%attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz -%attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz -%attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz -%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz -%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz -%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz -%dir %{_sysconfdir}/pki/nss-legacy -%config(noreplace) %{_sysconfdir}/pki/nss-legacy/nss-rhel7.config +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config +%doc %{_mandir}/man5/cert8.db.5* +%doc %{_mandir}/man5/key3.db.5* +%doc %{_mandir}/man5/secmod.db.5* +%doc %{_mandir}/man5/cert9.db.5* +%doc %{_mandir}/man5/key4.db.5* +%doc %{_mandir}/man5/pkcs11.txt.5* %files sysinit -%defattr(-,root,root) %{_libdir}/libnsssysinit.so %{_bindir}/setup-nsssysinit.sh # symbolic link to setup-nsssysinit.sh %{_bindir}/setup-nsssysinit -%attr(0644,root,root) %doc /usr/share/man/man1/setup-nsssysinit.1.gz +%doc %{_mandir}/man1/setup-nsssysinit.1* %files tools -%defattr(-,root,root) %{_bindir}/certutil %{_bindir}/cmsutil %{_bindir}/crlutil 
@@ -853,29 +752,33 @@ fi %{unsupported_tools_directory}/validation %{unsupported_tools_directory}/vfyserv %{unsupported_tools_directory}/vfychain -# instead of %%{_mandir}/man*/* let's list them explicitely +# instead of %%{_mandir}/man*/* let's list them explicitly # supported tools -%attr(0644,root,root) %doc /usr/share/man/man1/certutil.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/cmsutil.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/crlutil.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/modutil.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/nss-policy-check.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/pk12util.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/signver.1.gz +%doc %{_mandir}/man1/certutil.1* +%doc %{_mandir}/man1/cmsutil.1* +%doc %{_mandir}/man1/crlutil.1* +%doc %{_mandir}/man1/modutil.1* +%doc %{_mandir}/man1/nss-policy-check.1* +%doc %{_mandir}/man1/pk12util.1* +%doc %{_mandir}/man1/signver.1* # unsupported tools -%attr(0644,root,root) %doc /usr/share/man/man1/derdump.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/pp.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/signtool.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/ssltap.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/vfychain.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/vfyserv.1.gz +%doc %{_mandir}/man1/derdump.1* +%doc %{_mandir}/man1/signtool.1* +%if %{defined rhel} +%doc %{_mandir}/man1/pp.1* +%else +%dir %{_datadir}/doc/nss-tools +%doc %{_datadir}/doc/nss-tools/pp.1 +%endif +%doc %{_mandir}/man1/ssltap.1* +%doc %{_mandir}/man1/vfychain.1* +%doc %{_mandir}/man1/vfyserv.1* %files devel -%defattr(-,root,root) %{_libdir}/libcrmf.a %{_libdir}/pkgconfig/nss.pc %{_bindir}/nss-config -%attr(0644,root,root) %doc /usr/share/man/man1/nss-config.1.gz +%doc %{_mandir}/man1/nss-config.1* %dir %{_includedir}/nss3 %{_includedir}/nss3/cert.h 
@@ -927,9 +830,7 @@ fi %{_includedir}/nss3/sslproto.h %{_includedir}/nss3/sslt.h - %files pkcs11-devel -%defattr(-, root, root) %{_includedir}/nss3/nssbase.h %{_includedir}/nss3/nssbaset.h %{_includedir}/nss3/nssckepv.h 
@@ -944,84 +845,315 @@ fi %{_libdir}/libnssb.a %{_libdir}/libnssckfw.a +%files util +%{!?_licensedir:%global license %%doc} +%license nss/COPYING +%{_libdir}/libnssutil3.so + +%files util-devel +# package configuration files +%{_libdir}/pkgconfig/nss-util.pc +%{_bindir}/nss-util-config + +# co-owned with nss +%dir %{_includedir}/nss3 +# these are marked as public export in nss/lib/util/manifest.mk +%{_includedir}/nss3/base64.h +%{_includedir}/nss3/ciferfam.h +%{_includedir}/nss3/eccutil.h +%{_includedir}/nss3/hasht.h +%{_includedir}/nss3/nssb64.h +%{_includedir}/nss3/nssb64t.h +%{_includedir}/nss3/nsslocks.h +%{_includedir}/nss3/nssilock.h +%{_includedir}/nss3/nssilckt.h +%{_includedir}/nss3/nssrwlk.h +%{_includedir}/nss3/nssrwlkt.h +%{_includedir}/nss3/nssutil.h +%{_includedir}/nss3/pkcs1sig.h +%{_includedir}/nss3/pkcs11.h +%{_includedir}/nss3/pkcs11f.h +%{_includedir}/nss3/pkcs11n.h +%{_includedir}/nss3/pkcs11p.h +%{_includedir}/nss3/pkcs11t.h +%{_includedir}/nss3/pkcs11u.h +%{_includedir}/nss3/pkcs11uri.h +%{_includedir}/nss3/portreg.h +%{_includedir}/nss3/secasn1.h +%{_includedir}/nss3/secasn1t.h +%{_includedir}/nss3/seccomon.h +%{_includedir}/nss3/secder.h +%{_includedir}/nss3/secdert.h +%{_includedir}/nss3/secdig.h +%{_includedir}/nss3/secdigt.h +%{_includedir}/nss3/secerr.h +%{_includedir}/nss3/secitem.h +%{_includedir}/nss3/secoid.h +%{_includedir}/nss3/secoidt.h +%{_includedir}/nss3/secport.h +%{_includedir}/nss3/utilmodt.h +%{_includedir}/nss3/utilpars.h +%{_includedir}/nss3/utilparst.h +%{_includedir}/nss3/utilrename.h +%{_includedir}/nss3/templates/templates.c + +%files softokn +%{_libdir}/libnssdbm3.so +%{_libdir}/libnssdbm3.chk +%{_libdir}/libsoftokn3.so +%{_libdir}/libsoftokn3.chk +# shared with nss-tools +%dir %{_libdir}/nss +%dir %{saved_files_dir} +%dir %{unsupported_tools_directory} +%{unsupported_tools_directory}/bltest +%{unsupported_tools_directory}/dbtool +%{unsupported_tools_directory}/ecperf +%{unsupported_tools_directory}/fbectest 
+%{unsupported_tools_directory}/fipstest +%{unsupported_tools_directory}/shlibsign + +%files softokn-freebl +%{!?_licensedir:%global license %%doc} +%license nss/COPYING +%{_libdir}/libfreebl3.so +%{_libdir}/libfreebl3.chk +%{_libdir}/libfreeblpriv3.so +%{_libdir}/libfreeblpriv3.chk +#shared +%dir %{dracut_modules_dir} +%{dracut_modules_dir}/module-setup.sh +%{dracut_conf_dir}/50-nss-softokn.conf + +%files softokn-freebl-devel +%{_libdir}/libfreebl.a +%{_includedir}/nss3/blapi.h +%{_includedir}/nss3/blapit.h +%{_includedir}/nss3/alghmac.h +%{_includedir}/nss3/cmac.h +%{_includedir}/nss3/lowkeyi.h +%{_includedir}/nss3/lowkeyti.h + +%files softokn-devel +%{_libdir}/pkgconfig/nss-softokn.pc +%{_bindir}/nss-softokn-config + +# co-owned with nss +%dir %{_includedir}/nss3 +# +# The following headers are those exported public in +# nss/lib/freebl/manifest.mn and +# nss/lib/softoken/manifest.mn +# +# The following list is short because many headers, such as +# the pkcs #11 ones, have been provided by nss-util-devel +# which installed them before us. +# +%{_includedir}/nss3/ecl-exp.h +%{_includedir}/nss3/nsslowhash.h +%{_includedir}/nss3/shsign.h + %changelog -* Wed Mar 8 2023 Bob Relyea - 3.79.0-5 -- fix CVE-2023-0767 +* Thu Aug 3 2023 Bob Relyea - 3.90.0-3 +- add indicators for pbkdf2 +- add camellia to pkcs12 doc files +- fix ems policy bug +- disable ech + +* Thu Jul 27 2023 Bob Relyea - 3.90.0-2 +- fix the change log + +* Thu Jul 27 2023 Bob Relyea - 3.90.0-1 +- rebase to NSS 3.90 + +* Wed Mar 8 2023 Bob Relyea - 3.79.0-11 +- Fix CVE-2023-0767 + +* Thu Aug 11 2022 Bob Relyea - 3.79.0-10 +- Fix QA found failures: +- remove extra '+' from sslpolicy.txt file causing test error values +- only use GRND_RANDOM if the kernel is in FIPS mode. + +* Fri Aug 5 2022 Bob Relyea - 3.79.0-9 +- FIPS 140-3 changes -* Thu Jul 21 2022 Bob Relyea - 3.79.0-4 -- fix regression for pkcs12. 
+* Wed Jul 13 2022 Bob Relyea - 3.79.0-8 +- Update fips default for pk12util to AES rather than TDES +- Fix bug in pkcs12 files with null passwords -* Wed Jul 6 2022 Bob Relyea - 3.79.0-3 -- fix crash in curl. better fix for the regression below +* Wed Jul 6 2022 Bob Relyea - 3.79.0-7 +- Better fix for test regressions + +* Mon Jun 27 2022 Bob Relyea - 3.79.0-6 +- fix nss.spec so it works in a rhel-8.1.0 buildroot + +* Mon Jun 20 2022 Bob Relyea - 3.79.0-5 +- FIPS 140-3 changes +- Reject Small RSA keys, 1024 bit keys are marked as FIP OK when verifying, reject + signature keys by policy +- Allow applications to retrigger selftests on demand. + +* Fri Jun 17 2022 Bob Relyea - 3.79.0-4 +- Fix pkgconfig output + +* Wed Jun 15 2022 Bob Relyea - 3.79.0-3 +- NSR Coverity fix changed selfserv from passive to active, change it back * Sat Jun 11 2022 Bob Relyea - 3.79.0-2 -- fix regressions found in test suite +- Fix regressions found in test suites. -* Wed Jun 8 2022 Bob Relyea - 3.79.0-1 +* Thu Jun 2 2022 Bob Relyea - 3.79.0-1 - Rebase to NSS 3.79 - Set FIPS Module ID +- skip attribute verification on attributes with default values +- don't export trust objects if they are default trust objects from dbm +- add dbtool to nss-tools -* Thu Nov 18 2021 Bob Relyea - 3.67.0-4 -- fix CVE-2021-43527 +* Thu Nov 18 2021 Bob Relyea - 3.67.0-7 +- Fix CVE 2021 43527 -* Tue Sep 14 2021 Bob Relyea - 3.67.0-3 -- revert sql default language in man pages -- fix SEC_PKCS12EnableCipher so python-nss tests will still work. +* Tue Jul 6 2021 Bob Relyea - 3.67.0-6 +- Fix ssl alert issue -* Wed Jul 7 2021 Bob Relyea - 3.67.0-2 -- fix sdb timeout issue -- fix incorrect ssl alerts in Signature scheme processing +* Thu Jul 1 2021 Bob Relyea - 3.67.0-5 +- Fix issue with reading databases that were updated using + unpatched versions of nss -* Tue Jun 22 2021 Bob Relyea - 3.67.0-1 +* Tue Jun 29 2021 Bob Relyea - 3.67.0-4 +- Better fix for the sdb timeout. 
The issue wasn't a race, it was + the sqlite timeout waiting to begin a transaction under heavy + thread usage. + +* Mon Jun 28 2021 Bob Relyea - 3.67.0-3 +- Fix sdb race condition + +* Fri Jun 18 2021 Bob Relyea - 3.67.0-2 +- Fix coverity issues + +* Thu Jun 17 2021 Bob Relyea - 3.67.0-1 - Rebase to NSS 3.67 * Tue Jun 15 2021 Bob Relyea - 3.66.0-2 -- restore pkcs12 defaults +- Restore old pkcs12 defaults. + +* Mon Jun 14 2021 Bob Relyea - 3.66.0-1.1 +- build nss for older nspr so we can pass gating with + the new nspr in the build root -* Thu Jun 03 2021 Bob Relyea - 3.66.0-1 +* Wed Jun 2 2021 Bob Relyea - 3.66.0-1 - Rebase to NSS 3.66 -* Wed Mar 03 2021 Bob Relyea - 3.53.1-7 -- Fix HSM load failure because of CKO_Profile -- Allow builds with strict-proto +* Thu Dec 3 2020 Bob Relyea - 3.53.1-17 +- Fix various corner cases with ike v1 app b support. -* Mon Feb 22 2021 Bob Relyea - 3.53.1-6 -- Update to CVE 2020-256423 TLS flood DOS attack patch. +* Thu Nov 19 2020 Bob Relyea - 3.53.1-16 +- Fix the following CVE +- CVE-2020-12403 chacha-poly issues +- CVE-2020-12400 constant time ECC. +- CVE-2020-6829 constant time ECC. -* Thu Feb 18 2021 Bob Relyea - 3.53.1-5 -- Fix CVE 2020-256423 TLS flood DOS Attack. +* Wed Nov 4 2020 Bob Relyea - 3.53.1-15 +- Revert some policy changes the generate ABI runtime issues. -* Mon Feb 1 2021 Bob Relyea - 3.53.1-4 -- Fix deadlock issue -- Fix 3 FTBS issues, 2 expired certs, one semantic change in nss-softokn. +* Thu Oct 29 2020 Bob Relyea - 3.53.1-14 +- Add support for enable/disable in policy. Now if your policy + file has disallow=x enable=y it will act just like our other + libraries. -* Sat Aug 1 2020 Daiki Ueno - 3.53.1-3 -- Disable dh timing test because it's unreliable on s390 (from Bob Relyea) +* Mon Oct 26 2020 Bob Relyea - 3.53.1-13 +- Add OAEP interface so applications can wrap keys with RSA-OAEP + rather than RSA-PKCS-1. 
+ +* Mon Oct 19 2020 Bob Relyea - 3.53.1-12 +- fips need to reject small primes even if they are approved +- code to autodetect whether or not to use the cache needs to do so + in a way that doesn't mess with filesystem negative file caching. +- add kdf selftests + +* Thu Jul 30 2020 Bob Relyea - 3.53.1-11 +- Fix issue with upgradedb where upgradedb expects standard to + generate dbm databases, not sql databases (default in RHEL8) + +* Thu Jul 30 2020 Bob Relyea - 3.53.1-10 +- Disable dh timing test because it's unreliable on s390 + +* Thu Jul 30 2020 Daiki Ueno - 3.53.1-9 - Explicitly enable upgradedb/sharedb test cycles -* Thu Jul 30 2020 Daiki Ueno - 3.53.1-2 -- Disable TLS 1.3 by default +* Wed Jul 29 2020 Daiki Ueno - 3.53.1-8 +- Disable Delegated Credentials for TLS + +* Fri Jul 24 2020 Bob Relyea - 3.53.1-7 +- Fix attribute decryption issue where the private key components + integrity check on private attributes where not being checked. + +* Mon Jul 13 2020 Daiki Ueno - 3.53.1-6 +- Update nss-rsa-pkcs1-sigalgs.patch to the upstream version + +* Sat Jul 11 2020 Bob Relyea - 3.53.1-5 +- Include required checks for dh and ecdh key generation in FIPS mode. + +* Wed Jul 8 2020 Bob Relyea - 3.53.1-4 +- Add better checks for dh derive operations in FIPS mode. + +* Thu Jun 25 2020 Daiki Ueno - 3.53.1-3 +- Disable NSS_HASH_ALG_SUPPORT as well for MD5 (#1849938) +- Adjust for update-crypto-policies packaging change (#1848649) +- Fix compilation with -Werror=strict-prototypes (#1843417) + +* Wed Jun 24 2020 Daiki Ueno - 3.53.1-2 +- Fix regression in MD5 disablement (#1849938) +- Include rsa_pkcs1_* in signature_algorithms extension (#1847945) + +* Mon Jun 22 2020 Daiki Ueno - 3.53.1-1 +- Update to NSS 3.53.1 + +* Sat Jun 6 2020 Daiki Ueno - 3.53.0-1 +- Update to NSS 3.53 + +* Fri Jan 31 2020 Bob Relyea - 3.44.0-15 +- Fix swapped CMAC PKCS #11 values. +- Fix data alignment crash in CMAC. 
+ +* Tue Dec 3 2019 Bob Relyea - 3.44.0-14 +- Fix coverify scan issue + +* Mon Dec 2 2019 Bob Relyea - 3.44.0-13 +- Fix endian problem in SP-800 108 code. + +* Thu Nov 28 2019 Daiki Ueno - 3.44.0-12 +- Install cmac.h required by blapi.h (#1764513) +- Fix out-of-bounds write in NSC_EncryptUpdate (#1775913) + +* Wed Nov 27 2019 Bob Relyea - 3.44.0-11 +- Add SP-800 108 Generalized kdf -* Wed Jul 22 2020 Daiki Ueno - 3.53.1-1 -- Rebase to NSS 3.53.1 +* Mon Nov 11 2019 Daiki Ueno - 3.44.0-10 +- Check policy against hash algorithms used for ServerKeyExchange (#1730039) -* Fri Dec 6 2019 Bob Relyea - 3.44.0-8 -- Increase timeout on ssl_gtest so that slow platforms can complete when - running on a busy system. +* Wed Nov 6 2019 Bob Relyea - 3.44.0-9 +- Add CMAC -* Thu Dec 5 2019 Bob Relyea - 3.44.0-7 -- back out out-of-bounds patch (patch for nss-softokn). -- Fix segfault on empty or malformed ecdh keys (#1777712) +* Thu Aug 8 2019 Bob Relyea - 3.44.0-8 +- CKM_NSS_IKE1_APP_B_PRF_DERIVE was missing from the mechanism list, preventing + PK11_Derive*() from using it. Add gtests for the PK11_Derive interface for + all the CKM_NSS_IKE*_DERIVE mechanism. -* Wed Dec 4 2019 Bob Relyea - 3.44.0-6 -- Fix out-of-bounds write in NSC_EncryptUpdate (#1775911,#1775910) +* Wed Jul 3 2019 Daiki Ueno - 3.44.0-7 +- Backport fixes from 3.44.1 -* Wed Aug 14 2019 Bob Relyea - 3.44.0-5 -- Fix pkix name constraints processing to only process the common name if the - certusage you are checking is IPSEC or SSL Server. 
+* Wed Jun 26 2019 Daiki Ueno - 3.44.0-6 +- Add continuous RNG test required by FIPS +- fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor specific mechanism -* Wed Jun 5 2019 Bob Relyea - 3.44.0-4 +* Mon Jun 10 2019 Daiki Ueno - 3.44.0-5 +- Rebuild with the correct build target + +*Fri Jun 7 2019 Bob Relyea - 3.44.0-4.1 +- rebuild to try to retrigger CI tests + +*Wed Jun 5 2019 Bob Relyea - 3.44.0-4 - Fix certutil man page - Fix extracting a public key from a private key for dh, ec, and dsa 
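Review bot: The new changelog entry `- Fix CVE 2021 43527` (3.67.0-7) drops the hyphens from the identifier that the removed entry spelled `CVE-2021-43527`, so searching `rpm -q --changelog` output for the canonical id no longer finds the fix. Auditors and scanners that confirm backported fixes usually match the `CVE-YYYY-NNNN` form; I would write `- Fix CVE-2021-43527`, matching how the 3.79.0-11 entry spells CVE-2023-0767. The hunk also removes the 3.53.1-5 and 3.53.1-6 entries for the TLS flood DoS fix without an equivalent line in the new history. If that fix is still carried, presumably through the rebase, a one-line entry would keep the record. The changelog continues past the end of this hunk.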
@@ -1030,554 +1162,564 @@ fi - Disable RSASSA-PKCS1-v1_5 in TLS 1.3 - Fix post-handshake auth transcript calculation if SSL_ENABLE_SESSION_TICKETS is set +- Revert the change to use XDG basedirs (mozilla#818686) -* Thu May 16 2019 Daiki Ueno - 3.44.0-2 -- Skip sysinit gtests properly -- Fix shell syntax error in tests/ssl/ssl.sh -- Regenerate manual pages +* Fri May 24 2019 Bob Relyea - 3.44.0-2 +- Add ike mechanisms in softokn +- Add FIPS checks in softoken -* Wed May 15 2019 Daiki Ueno - 3.44.0-1 -- Rebase to NSS 3.44 -- Restore fix-min-library-version-in-SSLVersionRange.patch to keep - SSL3 supported in the code level while it is disabled by policy -- Skip TLS 1.3 tests under FIPS mode +* Fri May 24 2019 Daiki Ueno - 3.44.0-1 +- Update to NSS 3.44 +- Define NSS_SEED_ONLY_DEV_URANDOM=1 to exclusively use getentropy +- Use %%autosetup +- Clean up manual pages generation +- Clean up %%check +- Remove prelink dependency, which is not available in RHEL-8 +- Remove upstreamed patches -* Fri May 10 2019 Daiki Ueno - 3.43.0-9 -- Ignore system policy when running %%check +* Mon Dec 17 2018 Daiki Ueno - 3.41.0-5 +- Update manual pages to reflect recent changes in commands -* Fri May 3 2019 Daiki Ueno - 3.43.0-8 -- Fix policy string +* Fri Dec 14 2018 Bob Relyea - 3.41.0-4 +- Make sure corresponding public keys are created when importing private keys. 
-* Fri Apr 26 2019 Daiki Ueno - 3.43.0-7 -- Don't override date in man-pages -- Revert the change to use XDG basedirs (mozilla#818686) -- Enable SSL2 compatible ClientHello by default -- Disable SSL3 and RC4 by default +* Thu Dec 13 2018 Daiki Ueno - 3.41.0-3 +- Fix the last change +- Add --no-reload option to update-crypto-policies to avoid + unnecessary restart of daemons -* Mon Apr 8 2019 Daiki Ueno - 3.43.0-6 -- Make "-V ssl3:" option work with tools +* Thu Dec 13 2018 Daiki Ueno - 3.41.0-2 +- Restore LDFLAGS injection when linking DSO -* Fri Apr 5 2019 Daiki Ueno - 3.43.0-5 -- Fix regression in MD5 disablement +* Mon Dec 10 2018 Daiki Ueno - 3.41.0-1 +- Update to NSS 3.41 +- Consolidate nss-util, nss-softokn, and nss into a single source package -* Mon Apr 1 2019 Bob Relyea - 3.43.0-4 -- add certutil documentation +* Fri Dec 7 2018 Daiki Ueno - 3.39.0-1.5 +- Fix the last commit -* Thu Mar 28 2019 Daiki Ueno - 3.43.0-3 -- Restore complete removal of SSLv2 -- Disable SSLv3 -- Move signtool to unsupported directory +* Tue Dec 4 2018 Bob Relyea - 3.39.0-1.4 +- Support for IKE/IPsec typical PKIX usage so libreswan can use nss + without rejecting certs based on EKU -* Mon Mar 25 2019 Bob Relyea - 3.43.0-2 -- Expand IPSEC usage to include ssl and email certs. Remove special - processing of the usage based on the critical flag +* Thu Nov 29 2018 Daiki Ueno - 3.39.0-1.3 +- Backport upstream fixes for rhbz#1649026, rhbz#1608895, rhbz#1644854 +- Document PKCS #11 URI +- Add warning when adding module with modutil while p11-kit is enabled -* Thu Mar 21 2019 Daiki Ueno - 3.43.0-1 -- Rebase to NSS 3.43 +* Tue Nov 13 2018 Daiki Ueno - 3.39.0-1.2 +- Update nss-dsa.patch to not advertise DSA signature algorithm +- Update PayPal test certs for testing -* Mon Feb 25 2019 Bob Relyea - 3.36.0-8.1 -- move key on unwrap failure and retry. 
+* Thu Oct 18 2018 Daiki Ueno - 3.39.0-1.1 +- Backport "DSA" keyword in crypto-policies -* Mon Nov 12 2018 Bob Relyea - 3.36.0-8 -- Update the cert verify code to allow a new ipsec usage and follow RFC 4945 +* Tue Sep 25 2018 Daiki Ueno - 3.39.0-1.0 +- Update to NSS 3.39 -* Wed Aug 29 2018 Daiki Ueno - 3.36.0-7 -- Backport upstream fix for CVE-2018-12384 -- Remove nss-lockcert-api-change.patch, which turned out to be a - mistake (the symbol was not exported from libnss) +* Fri Sep 14 2018 Daiki Ueno - 3.38.0-1.2 +- Fix LDFLAGS injection when linking DSO -* Thu Apr 19 2018 Daiki Ueno - 3.36.0-6 -- Exercise SSL tests which only run under non-FIPS setting +* Tue Jul 24 2018 Daiki Ueno - 3.38.0-1.1 +- Install crypto-policies configuration file for + https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules +- Port enable-fips-when-system-is-in-fips-mode.patch from RHEL-7 +- Use %%ldconfig_scriptlets +- Remove needless use of %defattr, by Jason Tibbitts -* Wed Apr 18 2018 Daiki Ueno - 3.36.0-5 -- Restore CERT_LockCertTrust and CERT_UnlockCertTrust back in cert.h +* Wed Jul 18 2018 Daiki Ueno - 3.38.0-1.0 +- Update to NSS 3.38 -* Fri Apr 13 2018 Daiki Ueno - 3.36.0-4 -- Work around modutil -changepw error if the old and new passwords are - both empty in FIPS mode +* Tue Jul 17 2018 Kai Engert - 3.36.1-1.2 +- Backport upstream addition of nss-policy-check utility, rhbz#1428746, + includes required fixes for mozbz#1296263 and mozbz#1474875 -* Tue Mar 27 2018 Daiki Ueno - 3.36.0-3 -- Decrease the iteration count of PKCS#12 for compatibility with Windows -- Fix deadlock when a token is re-inserted while a client process is running +* Fri May 25 2018 Daiki Ueno - 3.36.1-1.1 +- Switch the default DB type to SQL +- Enable SSLKEYLOGFILE -* Mon Mar 12 2018 Daiki Ueno - 3.36.0-2 -- Set NSS_FORCE_FIPS=1 in %%build -- Revert the changes to tests assuming the default DB type +* Wed Apr 11 2018 Daiki Ueno - 3.36.1-1.0 +- Update to NSS 3.36.1 +- Remove 
nss-3.14.0.0-disble-ocsp-test.patch +- Fix partial injection of LDFLAGS +- Remove NSS_NO_PKCS11_BYPASS, which is no-op in upstream -* Fri Mar 9 2018 Daiki Ueno - 3.36.0-1 -- Rebase to NSS 3.36 +* Fri Mar 9 2018 Daiki Ueno - 3.36.0-1.0 +- Update to NSS 3.36.0 +- Add gcc-c++ to BuildRequires (C++ is needed for gtests) +- Make test failure detection robuster -* Mon Jan 15 2018 Daiki Ueno - 3.34.0-4 -- Re-enable nss-is-token-present-race.patch +* Thu Feb 08 2018 Fedora Release Engineering - 3.35.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild -* Fri Jan 5 2018 Daiki Ueno - 3.34.0-3 -- Temporarily disable nss-is-token-present-race.patch +* Mon Jan 29 2018 Kai Engert - 3.35.0-4 +- Fix a compiler error with gcc 8, mozbz#1434070 +- Set NSS_FORCE_FIPS=1 at %%build time, and remove from %%check. -* Thu Jan 4 2018 Daiki Ueno - 3.34.0-2 -- Backport necessary changes from 3.35 +* Mon Jan 29 2018 Kai Engert - 3.35.0-3 +- Stop pulling in nss-pem automatically, packages that need it should + depend on it, rhbz#1539401 -* Fri Nov 24 2017 Daiki Ueno - 3.34.0-1 -- Rebase to NSS 3.34 +* Tue Jan 23 2018 Daiki Ueno - 3.35.0-2 +- Update to NSS 3.35.0 -* Mon Oct 30 2017 Daiki Ueno - 3.34.0-0.1.beta1 -- Rebase to NSS 3.34.BETA1 +* Tue Nov 14 2017 Daiki Ueno - 3.34.0-2 +- Update to NSS 3.34.0 -* Wed Oct 25 2017 Daiki Ueno - 3.33.0-3 -- Disable TLS 1.3 +* Fri Nov 10 2017 Daiki Ueno - 3.33.0-6 +- Make sure 32bit nss-pem always be installed with 32bit nss in + multlib environment, patch by Kamil Dudka + +* Wed Nov 8 2017 Kai Engert - 3.33.0-5 +- Fix test script + +* Tue Nov 7 2017 Kai Engert - 3.33.0-4 +- Update tests to be compatible with default NSS DB changed to sql + (the default was changed in the nss-util package). 
+ +* Tue Oct 24 2017 Kai Engert - 3.33.0-3 +- rhbz#1505487, backport upstream fixes required for rhbz#1496560 + +* Tue Oct 3 2017 Daiki Ueno - 3.33.0-2 +- Update to NSS 3.33.0 + +* Fri Sep 15 2017 Daiki Ueno - 3.32.1-2 +- Update to NSS 3.32.1 + +* Wed Sep 6 2017 Daiki Ueno - 3.32.0-4 +- Update iquote.patch to really prefer in-tree headers over system headers + +* Wed Aug 23 2017 Kai Engert - 3.32.0-3 +- NSS libnssckbi.so has already been obsoleted by p11-kit-trust, rhbz#1484449 + +* Mon Aug 7 2017 Daiki Ueno - 3.32.0-2 +- Update to NSS 3.32.0 + +* Thu Aug 03 2017 Fedora Release Engineering - 3.31.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild -* Wed Oct 18 2017 Daiki Ueno - 3.33.0-2 +* Thu Jul 27 2017 Fedora Release Engineering - 3.31.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Jul 18 2017 Daiki Ueno - 3.31.0-4 +- Backport mozbz#1381784 to avoid deadlock in dnf + +* Thu Jul 13 2017 Daiki Ueno - 3.31.0-3 +- Move signtool to %%_libdir/nss/unsupported-tools, for: + https://fedoraproject.org/wiki/Changes/NSSSigntoolDeprecation + +* Wed Jun 21 2017 Daiki Ueno - 3.31.0-2 +- Rebase to NSS 3.31.0 + +* Fri Jun 2 2017 Daiki Ueno - 3.30.2-3 +- Enable gtests + +* Mon Apr 24 2017 Daiki Ueno - 3.30.2-2 +- Rebase to NSS 3.30.2 - Enable TLS 1.3 -* Mon Oct 16 2017 Daiki Ueno - 3.33.0-1 -- Rebase to NSS 3.33 -- Disable TLS 1.3, temporarily disable failing gtests (Skip13Variants) -- Temporarily disable race.patch and nss-3.16-token-init-race.patch, - which causes a deadlock in newly added test cases -- Remove upstreamed patches: moz-1320932.patch, - nss-tstclnt-optspec.patch, - nss-1334976-1336487-1345083-ca-2.14.patch, nss-alert-handler.patch, - nss-tools-sha256-default.patch, nss-is-token-present-race.patch, - nss-pk12util.patch, nss-ssl3gthr.patch, and nss-transcript.patch +* Thu Mar 30 2017 Kai Engert - 3.30.0-3 +- Backport upstream mozbz#1328318 to support crypto policy FUTURE. 
-* Mon Oct 16 2017 Daiki Ueno - 3.28.4-14 -- Add backward compatibility to pk12util regarding faulty PBES2 AES encryption +* Tue Mar 21 2017 Daiki Ueno - 3.30.0-2 +- Rebase to NSS 3.30.0 +- Remove upstreamed patches -* Mon Oct 16 2017 Daiki Ueno - 3.28.4-13 -- Update iquote.patch to prefer nss.h from the source +* Thu Mar 02 2017 Kai Engert - 3.29.1-3 +- Backport mozbz#1334976 and mozbz#1336487. -* Mon Oct 16 2017 Daiki Ueno - 3.28.4-12 -- Add backward compatibility to pk12util regarding password encoding +* Fri Feb 17 2017 Daiki Ueno - 3.29.1-2 +- Rebase to NSS 3.29.1 -* Thu Aug 10 2017 Daiki Ueno - 3.28.4-11 -- Backport patch to simplify transcript calculation for CertificateVerify -- Enable TLS 1.3 and RSA-PSS -- Disable some upstream tests failing due to downstream ciphersuites changes +* Thu Feb 9 2017 Daiki Ueno - 3.29.0-3 +- Disable TLS 1.3, following the upstream change -* Thu Jul 13 2017 Daiki Ueno - 3.28.4-10 -- Work around yum crash due to new NSPR symbol being used in nss-sysinit, - patch by Kai Engert +* Wed Feb 8 2017 Daiki Ueno - 3.29.0-2 +- Rebase to NSS 3.29.0 +- Suppress -Werror=int-in-bool-context warnings with GCC7 -* Fri Jun 2 2017 Daiki Ueno - 3.28.4-9 -- Fix typo in nss-sni-c-v-fix.patch +* Mon Jan 23 2017 Daiki Ueno - 3.28.1-6 +- Work around pkgconfig -> pkgconf transition issue (releng#6597) -* Fri May 5 2017 Kai Engert - 3.28.4-8 -- Include CKBI 2.14 and updated CA constraints from NSS 3.28.5 +* Fri Jan 20 2017 Daiki Ueno - 3.28.1-5 +- Disable TLS 1.3 +- Add "Conflicts" with packages using older Mozilla codebase, which is + not compatible with NSS 3.28.1 +- Remove NSS_ECC_MORE_THAN_SUITE_B setting, as it was removed in upstream -* Fri May 5 2017 Daiki Ueno - 3.28.4-7 -- Update nss-pk12util.patch to include fix from mozbz#1353724. 
+* Tue Jan 17 2017 Daiki Ueno - 3.28.1-4 +- Add "Conflicts" with older firefox packages which don't have support + for smaller curves added in NSS 3.28.1 -* Wed May 3 2017 Daiki Ueno - 3.28.4-6 -- Update nss-alert-handler.patch with the upstream fix from mozbz#1360207. +* Fri Jan 13 2017 Daiki Ueno - 3.28.1-3 +- Fix incorrect version specification in %%nss_{util,softokn}_version, + pointed by Elio Maldonado -* Fri Apr 28 2017 Daiki Ueno - 3.28.4-5 -- Fix zero-length record treatment for stream ciphers and SSLv2 +* Fri Jan 6 2017 Daiki Ueno - 3.28.1-2 +- Rebase to NSS 3.28.1 +- Remove upstreamed patch for disabling RSA-PSS +- Re-enable TLS 1.3 -* Thu Apr 27 2017 Daiki Ueno - 3.28.4-4 -- Correctly set policy file location when building +* Wed Nov 30 2016 Daiki Ueno - 3.27.2-2 +- Rebase to NSS 3.27.2 -* Wed Apr 26 2017 Daiki Ueno - 3.28.4-3 -- Reorder ChaCha20-Poly1305 cipher suites, as suggested in: - https://bugzilla.redhat.com/show_bug.cgi?id=1373158#c9 +* Tue Nov 15 2016 Daiki Ueno - 3.27.0-5 +- Revert the previous fix for RSA-PSS and use the upstream fix instead -* Thu Apr 20 2017 Daiki Ueno - 3.28.4-2 -- Rebase to NSS 3.28.4 -- Update nss-pk12util.patch with backport of mozbz#1353325 +* Wed Nov 02 2016 Kai Engert - 3.27.0-4 +- Disable the use of RSA-PSS with SSL/TLS. 
#1383809 -* Thu Mar 16 2017 Daiki Ueno - 3.28.3-5 -- Switch default hash algorithm used by tools from SHA-1 to SHA-256 -- Avoid race condition in nssSlot_IsTokenPresent() -- Enable SHA-2 and AES in pk12util -- Disable RSA-PSS for now +* Sun Oct 2 2016 Daiki Ueno - 3.27.0-3 +- Disable TLS 1.3 for now, to avoid reported regression with TLS to + version intolerant servers -* Fri Mar 10 2017 Daiki Ueno - 3.28.3-4 -- Utilize CKA_NSS_MOZILLA_CA_POLICY attribute, patch by Kai Engert -- Backport changes adding SSL alert callbacks from upstream -- Add nss-check-policy-file.patch from Fedora -- Install policy config in /etc/pki/nss-legacy/nss-rhel7.config +* Thu Sep 29 2016 Daiki Ueno - 3.27.0-2 +- Rebase to NSS 3.27.0 +- Remove upstreamed ectest patch -* Mon Mar 6 2017 Daiki Ueno - 3.28.3-3 -- Make sure 32bit nss-pem always be installed with 32bit nss in - multlib environment, patch by Kamil Dudka -- Enable new algorithms supported by the new nss-softokn - -* Mon Mar 6 2017 Daiki Ueno - 3.28.3-2 -- Rebase to NSS 3.28.3 -- Bump required version of nss-softokn - -* Wed Feb 15 2017 Daiki Ueno - 3.28.2-3 -- Remove %%nss_cycles setting, which was also mistakenly added -- Re-enable BUILD_OPT, mistakenly disabled in the previous build -- Prevent ABI incompatibilty of SECKEYECPublicKey -- Disable TLS_ECDHE_{RSA,ECDSA}_WITH_AES_128_CBC_SHA256 by default -- Enable 4 AES_256_GCM_SHA384 ciphersuites, enabled by the downstream - patch in the previous release -- Fix crash with tstclnt -W -- Always enable gtests for supported features -- Add patch to fix bash syntax error in tests/ssl.sh -- Build with support for SSLKEYLOGFILE -- Disable the use of RSA-PSS with SSL/TLS - -* Tue Feb 14 2017 Daiki Ueno - 3.28.2-2 -- Decouple nss-pem from the nss package -- Resolves: #1316546 - -* Mon Feb 13 2017 Daiki Ueno - 3.28.2-1.1 -- Remove mistakenly added R: nss-pem - -* Fri Feb 10 2017 Daiki Ueno - 3.28.2-1.0 -- Rebase to NSS 3.28.2 -- Remove NSS_ENABLE_ECC and NSS_ECC_MORE_THAN_SUITE_B setting, 
which - is no-op now -- Enable gtests when requested -- Remove nss-646045.patch and fix-nss-test-filtering.patch, which are - not necessary -- Remove sslauth-no-v2.patch and - nss-sslstress-txt-ssl3-lower-value-in-range.patch, as SSLv2 is - already disabled in upstream -- Remove ssl-server-min-key-sizes.patch, as we decided to support DH - key size greater than 1023 bits -- Remove local patches for SHA384 cipher suites (now supported in - upstream): dhe-sha384-dss-support.patch, - client_auth_for_sha384_prf_support.patch, - nss-fix-client-auth-init-hashes.patch, nss-map-oid-to-hashalg.patch, - nss-enable-384-cipher-tests.patch, nss-fix-signature-and-hash.patch, - fix-allowed-sig-alg.patch, tests-extra.patch -- Remove upstreamed patches: rh1238290.patch, - fix-reuse-of-session-cache-entry.patch, flexible-certverify.patch, - call-restartmodules-in-nssinit.patch - -* Wed Oct 26 2016 Daiki Ueno - 3.21.3-1 -- Rebase to NSS 3.21.3 -- Resolves: #1383887 - -* Thu Jun 30 2016 Kai Engert - 3.21.0-17 -- remove additional false duplicates from sha384 downstream patches - -* Tue Jun 28 2016 Kai Engert - 3.21.0-16 -- enable ssl_gtests (without extended master secret tests), Bug 1298692 -- call SECMOD_RestartModules in nss_Init, Bug 1317691 - -* Fri Jun 17 2016 Kai Engert - 3.21.0-15 -- escape all percent characters in all changelog comments - -* Fri Jun 17 2016 Kai Engert - 3.21.0-14 -- Support TLS 1.2 certificate_verify hashes other than PRF, - backported fix from NSS 3.25 (upstream bug 1179338). 
- -* Mon May 23 2016 Elio Maldonado - 3.21.0-13 -- Fix reuse of session cache entry -- Resolves: Bug 1241172 - Certificate verification fails with multiple https urls - -* Wed Apr 20 2016 Elio Maldonado - 3.21.0-12 -- Fix a flaw in %%check for nss not building on arm -- Resolves: Bug 1200856 - -* Wed Apr 20 2016 Elio Maldonado - 3.21.0-11 -- Cleanup: Remove unnecessary %%posttrans script from nss.spec -- Resolves: Bug 1174201 - -* Wed Apr 20 2016 Elio Maldonado - 3.21.0-10 -- Merge fixes from the rhel-7.2 branch -- Fix a bogus %%changelog entry -- Resolves: Bug 1297941 - -* Fri Apr 15 2016 Kai Engert - 3.21.0-9 -- Rebuild to require the latest nss-util build and nss-softokn build. - -* Mon Apr 11 2016 Kai Engert - 3.21.0-8 -- Update the minimum nss-softokn build required at runtime. - -* Mon Apr 04 2016 Elio Maldonado - 3.21.0-7 -- Delete duplicates from one table - -* Tue Mar 29 2016 Kai Engert - 3.21.0-6 -- Fix missing support for sha384/dsa in certificate_request - -* Wed Mar 23 2016 Kai Engert - 3.21.0-5 -- Merge fixes from the rhel-7.2 branch -- Fix the SigAlgs sent in certificate_request -- Ensure all ssl.sh tests are executed -- Update sslauth test patch to run additional tests - -* Fri Feb 26 2016 Elio Maldonado - 3.21.0-2 -- Fix sha384 support and testing patches - -* Wed Feb 17 2016 Elio Maldonado - 3.21.0-1 -- Rebase to NSS-3.21 - -* Tue Dec 15 2015 Elio Maldonado - 3.19.1-19 -- Prevent TLS 1.2 Transcript Collision attacks against MD5 in key exchange protocol -- Fix a mockbuild reported bad %%if condition when using the __isa_bits macro instead of list of 64-bit architectures -- Change the test to %%if 0%%{__isa_bits} == 64 as required for building the srpm which is noarch -- Resolves: Bug 1289884 - -* Wed Oct 21 2015 Kai Engert - 3.19.1-18 -- Rebuild against updated NSPR - -* Thu Sep 03 2015 Elio Maldonado - 3.19.1-17 -- Change the required_softokn_build_version back to -13 -- Ensure we use nss-softokn-3.16.2.3-13.el7_1 - -* Thu Sep 03 2015 Elio 
Maldonado - 3.19.1-16 -- Fix check for public key size of DSA certificates -- Use size of prime P not the size of dsa.publicValue - -* Mon Aug 31 2015 Elio Maldonado - 3.19.1-15 -- Reorder the cipher suites and enable two more by default - -* Sun Aug 30 2015 Elio Maldonado - 3.19.1-14 -- Update the required_softokn_build_version to -14 -- Add references to bugs filed upstream for new patches -- Merge ocsp stapling and sslauth sni tests patches into one - -* Sat Aug 29 2015 Elio Maldonado - 3.19.1-13 -- Reorder the cipher suites and enable two more by default -- Fix some of the ssauth sni and ocsp stapling tests +* Mon Aug 8 2016 Daiki Ueno - 3.26.0-2 +- Rebase to NSS 3.26.0 +- Update check policy file patch to better match what was upstreamed +- Remove conditionally ignore system policy patch as it has been upstreamed +- Skip ectest as well as ecperf, which are built as part of nss-softokn +- Fix rpmlint error regarding %%define usage -* Thu Aug 27 2015 Elio Maldonado - 3.19.1-12 -- Support TLS > 1.0 by support while still allowing to connect to SSL3 only servers -- Enable ECDSA cipher suites by default, a subset of the ones requested +* Thu Jul 14 2016 Elio Maldonado - 3.25.0-6 +- Incorporate some changes requested in upstream review and commited upstream (#1157720) -* Wed Aug 26 2015 Elio Maldonado - 3.19.1-11 -- Support TLS > 1.0 by support while still allowing to connect to SSL3 only servers +* Fri Jul 01 2016 Elio Maldonado - 3.25.0-5 +- Add support for conditionally ignoring the system policy (#1157720) +- Remove unneeded test scripts patches in order to run more tests +- Remove unneeded test data modifications from the spec file -* Mon Aug 17 2015 Elio Maldonado - 3.19.1-10 -- Fix to correctly report integrity mechanism for TLS_RSA_WITH_AES_256_GCM_SHA384 +* Tue Jun 28 2016 Elio Maldonado - 3.25.0-4 +- Remove obsolete patch and spurious lines from the spec file (#1347336) -* Mon Aug 10 2015 Elio Maldonado - 3.19.1-9 -- Fix checks to skip ssl2/export cipher 
suites tests to not skip needed tests -- Fix libssl ssl2/export disabling patch to handle NULL cipher cases -- Enable additional cipher suites by default +* Sun Jun 26 2016 Elio Maldonado - 3.25.0-3 +- Cleanup spec file and patches and add references to bugs filed upstream -* Thu Jul 16 2015 Elio Maldonado - 3.19.1-8 -- Add links to filed upstream bugs to better track patches in spec file +* Fri Jun 24 2016 Elio Maldonado - 3.25.0-2 +- Rebase to nss 3.25 -* Tue Jul 07 2015 Elio Maldonado - 3.19.1-7 -- Package listsuites as part of the unsupported tools +* Thu Jun 16 2016 Kamil Dudka - 3.24.0-3 +- decouple nss-pem from the nss package (#1347336) -* Thu Jul 02 2015 Elio Maldonado - 3.19.1-6 -- Bump the release tag +* Fri Jun 03 2016 Elio Maldonado - 3.24.0-2.3 +- Apply the patch that was last introduced +- Renumber and reorder some of the patches +- Resolves: Bug 1342158 -* Mon Jun 29 2015 Kai Engert - 3.19.1-5 -- Incremental patches to fix SSL/TLS test suite execution, - fix the earlier SHA384 patch, and inform clients to use SHA384 with - certificate_verify if required by NSS. 
- -* Thu Jun 18 2015 Elio Maldonado - 3.19.1-4 -- Add support for sha384 tls cipher suites -- Add support for server-side hde key exchange -- Add support for DSS+SHA256 ciphersuites - -* Wed Jun 10 2015 Elio Maldonado - 3.19.1-3 -- Reenable a patch that had been mistakenly disabled - -* Wed Jun 10 2015 Elio Maldonado - 3.19.1-2 -- Build against nss-softokn-3.16.2.3-9 - -* Fri Jun 05 2015 Elio Maldonado - 3.19.1-1 -- Rebase to nss-3.19.1 -- Resolves: Bug 1228913 - Rebase to nss-3.19.1 for CVE-2015-4000 [RHEL-7.1] - -* Tue Apr 28 2015 Kai Engert - 3.18.0-6 -- Backport mozbz#1155922 to support SHA512 signatures with TLS 1.2 - -* Thu Apr 23 2015 Kai Engert - 3.18.0-5 -- Update to CKBI 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1) - -* Fri Apr 17 2015 Elio Maldonado - 3.18.0-4 -- Update and reeneable nss-646045.patch on account of the rebase -- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1] - -* Tue Apr 14 2015 Elio Maldonado - 3.18.0-3 -- Fix shell syntax error on nss/tests/all.sh -- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1] - -* Fri Apr 10 2015 Elio Maldonado - 3.18.0-2 -- Replace expired PayPal test certificate that breaks the build -- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1] - -* Mon Mar 30 2015 Elio Maldonado - 3.18.0-1 -- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1] - -* Mon Jan 19 2015 Elio Maldonado - 3.16.2.3-5 -- Reverse the sense of a test in patch to fix pk12util segfault -- Resolves: Bug 1174527 - Segfault in pk12util when using -l option with certain .p12 files - -* Thu Jan 08 2015 Elio Maldonado - 3.16.2.3-4 -- Fix race condition -- Resolves: Bug 1094468 - 389-ds-base server reported crash in stan_GetCERTCertificate -- under the replication replay failure condition - -* Wed Jan 07 2015 Elio Maldonado - 3.16.2.3-3 -- Resolves: Bug 1174527 - Segfault in pk12util when using -l option with certain .p12 files - -* Tue Nov 25 2014 Elio 
Maldonado - 3.16.2.3-2 -- Restore patch for certutil man page -- supply missing options descriptions -- Resolves: Bug 1158161 - Upgrade to NSS 3.16.2.3 for Firefox 31.3 - -* Thu Nov 13 2014 Elio Maldonado - 3.16.2-10 -- Resolves: Bug 1158161 - Upgrade to NSS 3.16.2.3 for Firefox 31.3 -- Support TLS_FALLBACK_SCSV in tstclnt and ssltap - -* Mon Sep 29 2014 Elio Maldonado - 3.16.2-9 -- Resolves: Bug 1145434 - CVE-2014-1568 -- Using a release number higher than on rhel-7.0 branch - -* Mon Aug 11 2014 Elio Maldonado - 3.16.2-4 -- Fix crash in stan_GetCERTCertificate -- Resolves: Bug 1094468 - -* Tue Aug 05 2014 Elio Maldonado 3.16.2-3 -- Generic 32/64 bit platform detection (fix ppc64le build) -- Resolves: Bug 1125619 - nss fails to build on arch: ppc64le (missing dependencies) -- Fix contributed by Peter Robinson - -* Fri Aug 01 2014 Elio Maldonado - 3.16.2-2 -- Fix libssl and test patches that disable ssl2 support -- Resolves: Bug 1123435 -- Replace expired PayPal test certificate with current one - -* Tue Jul 08 2014 Elio Maldonado - 3.16.2-1 -- Rebase to nss-3.16.2 -- Resolves: Bug 1103252 - Rebase RHEL 7.1 to at least NSS 3.16.1 (FF 31) -- Fix test failure detection in the %%check section -- Move removal of unwanted source directories to the end of the %%prep section -- Update various patches on account of the rebase -- Remove unused patches rendered obsolete by the rebase - -* Mon Mar 03 2014 Elio Maldonado - 3.15.4-6 -- Disallow disabling the internal module -- Resolves: Bug 1056036 - nss segfaults with opencryptoki module - -* Thu Feb 20 2014 Elio Maldonado - 3.15.4-5 -- Pick up a fix from rhel-6 and fix an rpm conflict -- Don't hold issuer cert handles in crl cache -- Resolves: Bug 1034409 - deadlock in trust domain and object lock -- Move nss shared db files to the main package -- Resolves: Bug 1050163 - Same files in two packages create rpm conflict +* Thu Jun 02 2016 Elio Maldonado - 3.24.0-2.2 +- Allow application requests to disable SSL v2 to succeed +- 
Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails -* Mon Jan 27 2014 Elio Maldonado - 3.15.4-4 +* Sun May 29 2016 Elio Maldonado - 3.24.0-2.1 +- Rebase to NSS 3.24.0 +- Restore setting the policy file location +- Make ssl tests scripts aware of policy +- Ajust tests data expected result for policy + +* Tue May 24 2016 Elio Maldonado - 3.24.0-2.0 +- Bootstrap build to rebase to NSS 3.24.0 +- Temporarily not setting the policy file location + +* Thu May 12 2016 Elio Maldonado - 3.23.0-9 +- Change POLICY_FILE to "nss.config" + +* Fri Apr 22 2016 Elio Maldonado - 3.23.0-8 +- Change POLICY_FILE to "nss.cfg" + +* Wed Apr 20 2016 Elio Maldonado - 3.23.0-7 +- Change the POLICY_PATH to "/etc/crypto-policies/back-ends" +- Regenerate the check policy patch with hg to provide more context + +* Thu Apr 14 2016 Elio Maldonado - 3.23.0-6 +- Fix typo in the last %%changelog entry + +* Thu Mar 24 2016 Elio Maldonado - 3.23.0-5 +- Load policy file if /etc/pki/nssdb/policy.cfg exists +- Resolves: Bug 1157720 - NSS should enforce the system-wide crypto policy + +* Tue Mar 08 2016 Elio Maldonado - 3.23.0-4 +- Remove unused patch rendered obsolete by pem update + +* Tue Mar 08 2016 Elio Maldonado - 3.23.0-3 - Update pem sources to latest from nss-pem upstream -- Pick up pem module fixes verified on RHEL and applied upstream -- Remove no loger needed pem patches on acccount on this update -- Add comments documenting the iquote.patch -- Resolves: Bug 1054457 - CVE-2013-1740 - -* Sun Jan 26 2014 Elio Maldonado - 3.15.4-3 -- Remove spurious man5 wildcard entry as all manpages are listed by name -- Resolves: Bug 1050163 - Same files in two packages create rpm conflict - -* Fri Jan 24 2014 Daniel Mach - 3.15.4-2 -- Mass rebuild 2014-01-24 - -* Sun Jan 19 2014 Elio Maldonado - 3.15.3-9 -- Rebase to nss-3.15.4 -- Resolves: Bug 1054457 - CVE-2013-1740 nss: false start PR_Recv information disclosure security issue -- Remove no longer 
needed patches for manpages that were applied upstream -- Remove no longer needed patch to disable ocsp stapling tests -- Update iquote.patch on account of upstream changes -- Update and rename patch to pem/rsawrapr.c on account of upstream changes -- Use the pristine upstream sources for nss without repackaging -- Avoid unneeded manual step which may introduce errors +- Resolves: Bug 1300652 - [PEM] insufficient input validity checking while loading a private key -* Sun Jan 19 2014 Elio Maldonado - 3.15.3-8 -- Fix the spec file to apply the nss ecc list patch for bug 752980 -- Resolves: Bug 752980 - Support ECDSA algorithm in the nss package via puggable ecc +* Sat Mar 05 2016 Elio Maldonado - 3.23.0-2 +- Rebase to NSS 3.23 -* Fri Jan 17 2014 Elio Maldonado - 3.15.3-7 -- Move several nss-sysinit manpages tar archives to the %%files -- Resolves: Bug 1050163 - Same files in two packages create rpm conflict +* Sat Feb 27 2016 Elio Maldonado - 3.22.2-2 +- Rebase to NSS 3.22.2 -* Fri Jan 17 2014 Elio Maldonado - 3.15.3-6 -- Fix a coverity scan compile time warning for the pem module -- Resolves: Bug 1002271 - NSS pem module should not require unique base file names +* Tue Feb 23 2016 Elio Maldonado - 3.22.1-3 +- Fix ssl2/exp test disabling to run all the required tests -* Wed Jan 15 2014 Elio Maldonado - 3.15.3-5 -- Resolves: Bug 1002271 - NSS pem module should not require unique base file names +* Sun Feb 21 2016 Elio Maldonado - 3.22.1-1 +- Rebase to NSS 3.22.1 -* Thu Jan 09 2014 Elio Maldonado - 3.15.3-4 -- Improve pluggable ECC support for ECDSA -- Resolves: Bug 752980 - [7.0 FEAT] Support ECDSA algorithm in the nss package +* Mon Feb 08 2016 Elio Maldonado - 3.22.0-3 +- Update .gitignore as part of updating to nss 3.22 -* Fri Dec 27 2013 Daniel Mach - 3.15.3-3 -- Mass rebuild 2013-12-27 +* Mon Feb 08 2016 Elio Maldonado - 3.22.0-2 +- Update to NSS 3.22 -* Thu Dec 12 2013 Elio Maldonado - 3.15.3-2 -- Revoke trust in one mis-issued anssi certificate -- Resolves: Bug 
1040284 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117) [rhel-7.0] +* Thu Feb 04 2016 Fedora Release Engineering - 3.21.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild -* Mon Nov 25 2013 Elio Maldonado - 3.15.3-1 -- Update to NSS_3_15_3_RTM -- Resolves: Bug 1031463 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 +* Fri Jan 15 2016 Elio Maldonado - 3.21.0-6 +- Resolves: Bug 1299040 - Enable ssl_gtests upstream test suite +- Remove 'export NSS_DISABLE_GTESTS=1' go ssl_gtests are built +- Use %%define when specifying the nss_tests to run -* Wed Nov 13 2013 Elio Maldonado - 3.15.2-10 -- Fix path to script and remove -- from some options in nss-sysinit man page -- Resolves: rhbz#982723 - man page of nss-sysinit worong path and other flaws +* Wed Dec 30 2015 Michal Toman - 3.21.0-5 +- Add 64-bit MIPS to multilib arches -* Tue Nov 12 2013 Elio Maldonado - 3.15.2-9 -- Fix certutil man page options names to be consistent with help -- Resolves: rhbz#948495 - man page scan results for nss -- Remove incorrect count argument in status description in nss-sysinit man page -- Resolves: rhbz#982723 - man page of nss-sysinit incorrect option descriptions +* Fri Nov 20 2015 Elio Maldonado - 3.21.0-4 +- Update %%{nss_util_version} and %%{nss_softokn_version} to 3.21.0 +- Resolves: Bug 1284095 - all https fails with sec_error_no_token -* Wed Nov 06 2013 Elio Maldonado - 3.15.2-8 -- Fix patch for disabling ssl2 in ssl to correctly set error code -- Fix syntax error reported in the build.log even tough it succeeds -- Add patch top ignore setpolicy result -- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites -- Resolves: rhbz#1026677 - Attempt to run ipa-client-install fails +* Sun Nov 15 2015 Elio Maldonado - 3.21.0-3 +- Add references to bugs filed upstream -* Sun Nov 03 2013 Elio Maldonado - 3.15.2-7 -- Fix bash syntax error in patch for disabling ssl2 tests -- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites +* Fri Nov 
13 2015 Elio Maldonado Batiz - 3.21.1-2 +- Update to NSS 3.21 +- Package listsuites as part of the unsupported tools set +- Resolves: Bug 1279912 - nss-3.21 is available +- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit +- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set -* Sat Nov 02 2013 Elio Maldonado - 3.15.2-6 -- Fix errors in ssl disabling patches for both library and tests -- Add s390x to the multilib_arches definition used for alt_ckbi -- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites +* Fri Oct 30 2015 Elio Maldonado - 3.20.1-2 +- Update to NSS 3.20.1 -* Thu Oct 31 2013 Elio Maldonado - 3.15.2-5 -- Fix errors in nss-sysinit manpage options descriptions -- Resolves: rhbz#982723 +* Wed Sep 30 2015 Elio Maldonado - 3.20.0-6 +- Enable ECC cipher-suites by default [hrbz#1185708] +- Split the enabling patch in two for easier maintenance +- Remove unused patches rendered obsolete by prior rebase -* Tue Oct 29 2013 Elio Maldonado - 3.15.2-4 -- Enable fips when system is in fips mode -- Resolves: rhbz#852023 - FIPS mode detection does not work +* Wed Sep 16 2015 Elio Maldonado - 3.20.0-5 +- Enable ECC cipher-suites by default [hrbz#1185708] +- Implement corrections requested in code review -* Tue Oct 29 2013 Elio Maldonado - 3.15.2-3 -- Remove unused and obsoleted patches -- Related: rhbz#1012656 +* Tue Sep 15 2015 Elio Maldonado - 3.20.0-4 +- Enable ECC cipher-suites by default [hrbz#1185708] -* Mon Oct 28 2013 Elio Maldonado - 3.15.2-2 -- Add description of the certutil's --email option to it's manpage -- Resolves: rhbz#Bug 948495 - Man page scan results for nss +* Mon Sep 14 2015 Elio Maldonado - 3.20.0-3 +- Fix patches that disable ssl2 and export cipher suites support +- Fix libssl patch that disable ssl2 & export cipher suites to not disable RSA_WITH_NULL ciphers +- Fix syntax errors in patch to skip ssl2 and export cipher suite tests +- Turn ssl2 off by default in the tstclnt tool 
+- Disable ssl stress tests containing TLS RC4 128 with MD5 -* Mon Oct 21 2013 Elio Maldonado - 3.15.2-1 -- Rebase to nss-3.15.2 -- Resolves: rhbz#1012656 - pick up NSS 3.15.2 to fix CVE-2013-1739 and disable MD5 in OCSP/CRL +* Thu Aug 20 2015 Elio Maldonado - 3.20.0-2 +- Update to NSS 3.20 -* Fri Oct 11 2013 Elio Maldonado - 3.15.1-4 -- Install symlink to nss-sysinit.sh without the .sh suffix -- Resolves: rhbz#982723 - nss-sysinit man page has wrong path for the script +* Sat Aug 08 2015 Elio Maldonado - 3.19.3-2 +- Update to NSS 3.19.3 -* Tue Oct 08 2013 Elio Maldonado - 3.15.1-3 -- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites +* Fri Jun 26 2015 Elio Maldonado - 3.19.2-3 +- Create on the fly versions of sslcov.txt and sslstress.txt that disable tests for SSL2 and EXPORT ciphers -* Tue Aug 06 2013 Elio Maldonado - 3.15.1-2 -- Add upstream bug URL for a patch subitted upstream and remove obsolete script +* Wed Jun 17 2015 Kai Engert - 3.19.2-2 +- Update to NSS 3.19.2 -* Wed Jul 24 2013 Elio Maldonado - 3.15.1-2 -- Update to NSS_3_15_1_RTM -- Apply various fixes to the man pages and add new ones -- Enable the iquote.patch to access newly introduced types +* Thu May 28 2015 Kai Engert - 3.19.1-2 +- Update to NSS 3.19.1 + +* Tue May 19 2015 Kai Engert - 3.19.0-2 +- Update to NSS 3.19 + +* Fri May 15 2015 Kai Engert - 3.18.0-2 +- Replace expired test certificates, upstream bug 1151037 + +* Thu Mar 19 2015 Elio Maldonado - 3.18.0-1 +- Update to nss-3.18.0 +- Resolves: Bug 1203689 - nss-3.18 is available + +* Tue Mar 03 2015 Elio Maldonado - 3.17.4-5 +- Disable export suites and SSL2 support at build time +- Fix syntax errors in various shell scripts +- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites + +* Sat Feb 21 2015 Till Maas - 3.17.4-4 +- Rebuilt for Fedora 23 Change + https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code + +* Tue Feb 10 2015 Elio Maldonado - 3.17.4-3 +- Commented out the 
export NSS_NO_SSL2=1 line to not disable ssl2 +- Backing out from disabling ssl2 until the patches are fixed + +* Mon Feb 09 2015 Elio Maldonado - 3.17.4-2 +- Disable SSL2 support at build time +- Fix syntax errors in various shell scripts +- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites + +* Wed Jan 28 2015 Elio Maldonado - 3.17.4-1 +- Update to nss-3.17.4 + +* Sat Jan 24 2015 Ville Skyttä - 3.17.3-4 +- Own the %%{_datadir}/doc/nss-tools dir + +* Tue Dec 16 2014 Elio Maldonado - 3.17.3-3 +- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer +- Install pp man page in %%{_datadir}/doc/nss-tools/pp.1 +- Use %%{_mandir} instead of /usr/share/man as more generic + +* Mon Dec 15 2014 Elio Maldonado - 3.17.3-2 +- Install pp man page in alternative location +- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer + +* Fri Dec 05 2014 Elio Maldonado - 3.17.3-1 +- Update to nss-3.17.3 +- Resolves: Bug 1171012 - nss-3.17.3 is available + +* Thu Oct 16 2014 Elio Maldonado - 3.17.2-2 +- Resolves: Bug 994599 - Enable TLS 1.2 by default + +* Sun Oct 12 2014 Elio Maldonado - 3.17.2-1 +- Update to nss-3.17.2 + +* Wed Sep 24 2014 Kai Engert - 3.17.1-1 +- Update to nss-3.17.1 +- Add a mechanism to skip test suite execution during development work + +* Thu Aug 21 2014 Kevin Fenzi - 3.17.0-2 +- Rebuild for rpm bug 1131960 + +* Tue Aug 19 2014 Elio Maldonado - 3.17.0-1 +- Update to nss-3.17.0 + +* Sun Aug 17 2014 Fedora Release Engineering - 3.16.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Jul 30 2014 Elio Maldonado - 3.16.2-3 +- Replace expired PayPal test cert with current one to prevent build failure + +* Fri Jul 18 2014 Tom Callaway - 3.16.2-2 +- fix license handling + +* Sun Jun 29 2014 Elio Maldonado - 3.16.2-1 +- Update to nss-3.16.2 + +* Sun Jun 15 2014 Elio Maldonado - 3.16.1-4 +- Remove unwanted source directories at end of %%prep so it truly does it +- Skip the cipher suite already 
run as part of the nss-softokn build + +* Sat Jun 07 2014 Fedora Release Engineering - 3.16.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Mon May 12 2014 Jaromir Capik - 3.16.1-2 +- Replacing ppc64 and ppc64le with the power64 macro +- Related: Bug 1052545 - Trivial change for ppc64le in nss spec + +* Tue May 06 2014 Elio Maldonado - 3.16.1-1 +- Update to nss-3.16.1 +- Update the iquote patch on account of the rebase +- Improve error detection in the %%section +- Resolves: Bug 1094702 - nss-3.16.1 is available + +* Tue Mar 18 2014 Elio Maldonado - 3.16.0-1 +- Update to nss-3.16.0 +- Cleanup the copying of the tools man pages +- Update the iquote.patch on account of the rebase + +* Tue Mar 04 2014 Elio Maldonado - 3.15.5-2 +- Restore requiring nss_softokn_version >= 3.15.5 + +* Wed Feb 19 2014 Elio Maldonado - 3.15.5-1 +- Update to nss-3.15.5 +- Temporarily requiring only nss_softokn_version >= 3.15.4 +- Fix location of sharedb files and their manpages +- Move cert9.db, key4.db, and pkcs11.txt to the main package +- Move nss-sysinit manpages tar archives to the main package +- Resolves: Bug 1066877 - nss-3.15.5 is available +- Resolves: Bug 1067091 - Move sharedb files to the %%files section + +* Thu Feb 06 2014 Elio Maldonado - 3.15.4-5 +- Revert previous change that moved some sysinit manpages +- Restore nss-sysinit manpages tar archives to %%files sysinit +- Removing spurious wildcard entry was the only change needed + +* Mon Jan 27 2014 Elio Maldonado - 3.15.4-4 +- Add explanatory comments for iquote.patch as was done on f20 + +* Sat Jan 25 2014 Elio Maldonado - 3.15.4-3 +- Update pem sources to latest from nss-pem upstream +- Pick up pem fixes verified on RHEL and applied upstream +- Fix a problem where same files in two rpms created rpm conflict +- Move some nss-sysinit manpages tar archives to the %%files the +- All man pages are listed by name so there shouldn't be wildcard inclusion +- Add support for ppc64le, Resolves: Bug 
1052545 + +* Mon Jan 20 2014 Peter Robinson 3.15.4-2 +- ARM tests pass so remove ARM conditional + +* Tue Jan 07 2014 Elio Maldonado - 3.15.4-1 +- Update to nss-3.15.4 (hg tag NSS_3_15_4_RTM) +- Resolves: Bug 1049229 - nss-3.15.4 is available +- Update pem sources to latest from the interim upstream for pem +- Remove no longer needed patches +- Update pem/rsawrapr.c patch on account of upstream changes to freebl/softoken +- Update iquote.patch on account of upstream changes + +* Wed Dec 11 2013 Elio Maldonado - 3.15.3.1-1 +- Update to nss-3.15.3.1 (hg tag NSS_3_15_3_1_RTM) +- Resolves: Bug 1040282 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117) +- Resolves: Bug 1040192 - nss-3.15.3.1 is available + +* Tue Dec 03 2013 Elio Maldonado - 3.15.3-2 +- Bump the release tag + +* Sun Nov 24 2013 Elio Maldonado - 3.15.3-1 +- Update to NSS_3_15_3_RTM +- Resolves: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws +- Fix option descriptions for setup-nsssysinit manpage +- Fix man page of nss-sysinit wrong path and other flaws +- Document email option for certutil manpage +- Remove unused patches + +* Sun Oct 27 2013 Elio Maldonado - 3.15.2-3 +- Revert one change from last commit to preserve full nss pluggable ecc supprt [1019245] + +* Wed Oct 23 2013 Elio Maldonado - 3.15.2-2 +- Use the full sources from upstream +- Bug 1019245 - ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird + +* Thu Sep 26 2013 Elio Maldonado - 3.15.2-1 +- Update to NSS_3_15_2_RTM +- Update iquote.patch on account of modified prototype on cert.h installed by nss-devel + +* Wed Aug 28 2013 Elio Maldonado - 3.15.1-7 +- Update pem sources to pick up a patch applied upstream which a faulty merge had missed +- The pem module should not require unique file basenames + +* Tue Aug 27 2013 Elio Maldonado - 3.15.1-6 +- Update pem sources to the latest from interim upstream + +* Mon Aug 19 2013 Elio Maldonado - 3.15.1-5 +- Resolves: rhbz#996639 - Minor bugs in nss 
man pages +- Fix some typos and improve description and see also sections + +* Sun Aug 11 2013 Elio Maldonado - 3.15.1-4 +- Cleanup spec file to address most rpmlint errors and warnings +- Using double percent symbols to fix macro-in-comment warnings +- Ignore unversioned-explicit-provides nss-system-init per spec comments +- Ignore invalid-url Source0 as it comes from the git lookaside cache +- Ignore invalid-url Source12 as it comes from the git lookaside cache + +* Thu Jul 25 2013 Elio Maldonado - 3.15.1-3 - Add man page for pkcs11.txt configuration file and cert and key databases -- Add missing option descriptions for {cert|cms|crl}util -- Resolves: rhbz#948495 - Man page scan results for nss -- Resolves: rhbz#982723 - Fix path to script in man page for nss-sysinit +- Resolves: rhbz#985114 - Provide man pages for the nss configuration files -* Tue Jul 02 2013 Elio Maldonado - 3.15-6 -- Use the unstripped source tar ball +* Fri Jul 19 2013 Elio Maldonado - 3.15.1-2 +- Fix errors in the man pages +- Resolves: rhbz#984106 - Add missing option descriptions to man pages for {cert|cms|crl}util +- Resolves: rhbz#982856 - Fix path to script in man page for nss-sysinit + +* Tue Jul 02 2013 Elio Maldonado - 3.15.1-1 +- Update to NSS_3_15_1_RTM +- Enable the iquote.patch to access newly introduced types * Wed Jun 19 2013 Elio Maldonado - 3.15-5 - Install man pages for nss-tools and the nss-config and setup-nsssysinit scripts 
@@ -1596,13 +1738,17 @@ fi * Sat Jun 15 2013 Elio Maldonado - 3.15-1 - Update to NSS_3_15_RTM -* Tue May 14 2013 Elio Maldonado - 3.14.3-13.0 -- Reactivate nss-ssl-cbc-random-iv-off-by-default.patch +* Wed Apr 24 2013 Elio Maldonado - 3.15-0.1.beta1.2 +- Fix incorrect path that hid failed test from view +- Add ocsp to the test suites to run but ... +- Temporarily disable the ocsp stapling tests +- Do not treat failed attempts at ssl pkcs11 bypass as fatal errors -* Fri Apr 19 2013 Kai Engert - 3.14.3-12.0 -- Add upstream patch to fix rhbz#872761 +* Thu Apr 04 2013 Elio Maldonado - 3.15-0.1.beta1.1 +- Update to NSS_3_15_BETA1 +- Update spec file, patches, and helper scripts on account of a shallower source tree -* Sun Mar 24 2013 Kai Engert - 3.14.3-11 +* Sun Mar 24 2013 Kai Engert - 3.14.3-12 - Update expired test certificates (fixed in upstream bug 852781) * Fri Mar 08 2013 Kai Engert - 3.14.3-10 @@ -1655,7 +1801,7 @@ fi - Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs - Bug 872124 - nss-3.14 breaks fedpkg new-sources - Fix should be considered preliminary since the patch may change upon upstream approval - + * Thu Nov 01 2012 Elio Maldonado - 3.14-7 - Add a dummy source file for testing /preventing fedpkg breakage - Helps test the fedpkg new-sources and upload commands for breakage by nss updates @@ -1698,7 +1844,7 @@ fi * Mon Aug 27 2012 Elio Maldonado - 3.13.5-8 - Rebase pem sources to fedora-hosted upstream to pick up two fixes from rhel-6.3 - Resolves: rhbz#847460 - Fix invalid read and free on invalid cert load -- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer +- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer - Remove unneeded fix gcc 4.7 c++ issue in secmodt.h that actually undoes the upstream fix * Mon Aug 13 2012 Elio Maldonado - 3.13.5-7 
@@ -1939,7 +2085,7 @@ fi * Thu Sep 23 2010 Elio Maldonado - 3.12.8-1 - Update to 3.12.8 - Prevent disabling of nss-sysinit on package upgrade (#636787) -- Create pkcs11.txt with correct permissions regardless of umask (#636792) +- Create pkcs11.txt with correct permissions regardless of umask (#636792) - Setup-nsssysinit.sh reports whether nss-sysinit is turned on or off (#636801) - Added provides pkcs11-devel-static to comply with packaging guidelines (#609612) @@ -2199,7 +2345,7 @@ fi - fix to not clone internal objects in collect_objects(). (501118) - fix to not bypass initialization if module arguments are omitted. (501058) - fix numerous gcc warnings. (500815) -- fix to support arbitrarily long password while loading a private key. (500180) +- fix to support arbitrarily long password while loading a private key. (500180) - fix memory leak in make_key and memory leaks and return values in pem_mdSession_Login (501191) * Mon Jun 08 2009 Elio Maldonado - 3.12.3.99.3-4 - add patch for bug 502133 upstream bug 496997 @@ -2327,7 +2473,7 @@ fi * Fri Mar 02 2007 Kai Engert - 3.11.5-2 - Fix rhbz#230545, failure to enable FIPS mode -- Fix rhbz#220542, make NSS more tolerant of resets when in the +- Fix rhbz#220542, make NSS more tolerant of resets when in the middle of prompting for a user password. * Sat Feb 24 2007 Kai Engert - 3.11.5-1 diff --git a/p-ignore-setpolicy.patch b/p-ignore-setpolicy.patch deleted file mode 100644 index 7334c80..0000000 --- a/p-ignore-setpolicy.patch +++ /dev/null 
@@ -1,25 +0,0 @@
-diff -up nss/lib/ssl/sslsock.c.1026677_ignore_set_policy nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.1026677_ignore_set_policy 2017-01-13 17:10:36.049530395 +0100
-+++ nss/lib/ssl/sslsock.c 2017-01-13 17:10:36.053530297 +0100
-@@ -1391,7 +1391,6 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3
- SECStatus
- NSS_SetDomesticPolicy(void)
- {
-- SECStatus status = SECSuccess;
- const PRUint16 *cipher;
- SECStatus rv;
- PRUint32 policy;
-@@ -1403,11 +1402,9 @@ NSS_SetDomesticPolicy(void)
- }
-
- for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) {
-- status = SSL_SetPolicy(*cipher, SSL_ALLOWED);
-- if (status != SECSuccess)
-- break;
-+ (void) SSL_SetPolicy(*cipher, SSL_ALLOWED);
- }
-- return status;
-+ return SECSuccess;
- }
-
- SECStatus
diff --git a/renegotiate-transitional.patch b/renegotiate-transitional.patch
deleted file mode 100644
index 5e3dbc7..0000000
--- a/renegotiate-transitional.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.transitional 2018-03-09 17:21:52.593560971 +0100
-+++ nss/lib/ssl/sslsock.c 2018-03-09 17:22:21.096926523 +0100
-@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
- .noLocks = PR_FALSE,
- .enableSessionTickets = PR_FALSE,
- .enableDeflate = PR_FALSE,
-- .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
-+ .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
- .requireSafeNegotiation = PR_FALSE,
- .enableFalseStart = PR_FALSE,
- .cbcRandomIV = PR_TRUE,
diff --git a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
new file mode 100644
index 0000000..970c84e
--- /dev/null
+++ b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
@@ -0,0 +1,14 @@
+diff -up nss/lib/ssl/ssl3con.c.1185708_3des nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.1185708_3des 2018-12-11 18:28:06.736592552 +0100
++++ nss/lib/ssl/ssl3con.c 2018-12-11 18:29:06.273314692 +0100
+@@ -106,8 +106,8 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+
diff --git a/utilwrap-include-templates.patch b/utilwrap-include-templates.patch
deleted file mode 100644
index 649b548..0000000
--- a/utilwrap-include-templates.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
---- nss/lib/nss/config.mk.templates 2013-06-18 11:32:07.590089155 -0700
-+++ nss/lib/nss/config.mk 2013-06-18 11:33:28.732763345 -0700
-@@ -3,6 +3,10 @@
- # License, v. 2.0. If a copy of the MPL was not distributed with this
- # file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-+#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
-+INCLUDES += -I/usr/include/nss3/templates
-+#endif
-+
- # can't do this in manifest.mn because OS_TARGET isn't defined there.
- ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-
-- Gitee
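Review bot: The two `+` lines in the embedded ssl3con.c hunk of rhbz1185708-enable-ecc-3des-ciphers-by-default.patch set the third field of the `TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA` and `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA` entries to `PR_TRUE`, which (going by the patch's file name, and assuming that field is the enabled-by-default flag) makes both 3DES suites negotiable by default, and nothing in the patch or the commit message records why the 3.90 rebase still needs that. 3DES has a 64-bit block, so long-lived CBC sessions are exposed to birthday-bound (Sweet32-style) collisions, and a default-on entry means every consumer of the library inherits that unless it overrides the cipher list. I would drop this patch and keep the original lines, `{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},` and its RSA counterpart, or, if a legacy peer still requires them, add a header comment to the patch naming that requirement and the condition for removing it. The `cipherSuites[]` initializer begins and ends outside the hunk, so the position of these entries in the preference order cannot be checked from here.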