Bug 1523175 - land NSS a306d84e4c70 UPGRADE_NSS_RELEASE, r=me

--HG--
extra : rebase_source : bef6e6945c8f62707a5daa51bd1a1092769c9c20
J.C. Jones 2019-03-06 21:10:05 +00:00
Родитель 24aacfe9a4
Коммит 129044424e
25 изменённых файлов: 1248 добавлений и 58 удалений


@ -99,6 +99,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
0x1B, 0xB4, 0xAF, 0xAC, 0xF0, 0xAA, 0x9A, 0x58, 0xB5, 0xD5, 0x7A, 0x33, 0x8A, 0x3A, 0xFB, 0xCB },
51 /* Bin Number */
},
{
/* emSign_Root_CA___C1 */
{ 0x12, 0x56, 0x09, 0xAA, 0x30, 0x1D, 0xA0, 0xA2, 0x49, 0xB9, 0x7A, 0x82, 0x39, 0xCB, 0x6A, 0x34,
0x21, 0x6F, 0x44, 0xDC, 0xAC, 0x9F, 0x39, 0x54, 0xB1, 0x42, 0x92, 0xF2, 0xE8, 0xC8, 0x60, 0x8F },
208 /* Bin Number */
},
{
/* Global_Chambersign_Root___2008 */
{ 0x13, 0x63, 0x35, 0x43, 0x93, 0x34, 0xA7, 0x69, 0x80, 0x16, 0xA0, 0xD3, 0x24, 0xDE, 0x72, 0x28,
@ -309,6 +315,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
0x8F, 0xF6, 0x1E, 0x17, 0x08, 0xDF, 0x68, 0x81, 0x72, 0x48, 0x49, 0xCD, 0x5D, 0x27, 0xCB, 0x69 },
30 /* Bin Number */
},
{
/* emSign_Root_CA___G1 */
{ 0x40, 0xF6, 0xAF, 0x03, 0x46, 0xA9, 0x9A, 0xA1, 0xCD, 0x1D, 0x55, 0x5A, 0x4E, 0x9C, 0xCE, 0x62,
0xC7, 0xF9, 0x63, 0x46, 0x03, 0xEE, 0x40, 0x66, 0x15, 0x83, 0x3D, 0xC8, 0xC8, 0xD0, 0x03, 0x67 },
206 /* Bin Number */
},
{
/* OISTE_WISeKey_Global_Root_GA_CA */
{ 0x41, 0xC9, 0x23, 0x86, 0x6A, 0xB4, 0xCA, 0xD6, 0xB7, 0xAD, 0x57, 0x80, 0x81, 0x58, 0x2E, 0x02,
@ -447,6 +459,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
0x5A, 0x5B, 0x2B, 0x45, 0x7D, 0x81, 0xF3, 0x69, 0x2B, 0x61, 0x0A, 0x98, 0x67, 0x2F, 0x0E, 0x1B },
139 /* Bin Number */
},
{
/* Hongkong_Post_Root_CA_3 */
{ 0x5A, 0x2F, 0xC0, 0x3F, 0x0C, 0x83, 0xB0, 0x90, 0xBB, 0xFA, 0x40, 0x60, 0x4B, 0x09, 0x88, 0x44,
0x6C, 0x76, 0x36, 0x18, 0x3D, 0xF9, 0x84, 0x6E, 0x17, 0x10, 0x1A, 0x44, 0x7F, 0xB8, 0xEF, 0xD6 },
210 /* Bin Number */
},
{
/* TrustCor_ECA_1 */
{ 0x5A, 0x88, 0x5D, 0xB1, 0x9C, 0x01, 0xD9, 0x12, 0xC5, 0x75, 0x93, 0x88, 0x93, 0x8C, 0xAF, 0xBB,
@ -657,6 +675,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
0x4A, 0xD6, 0x8B, 0x69, 0xB8, 0xEE, 0x88, 0x68, 0x4F, 0xF7, 0x11, 0x37, 0x58, 0x05, 0xB3, 0x48 },
37 /* Bin Number */
},
{
/* emSign_ECC_Root_CA___G3 */
{ 0x86, 0xA1, 0xEC, 0xBA, 0x08, 0x9C, 0x4A, 0x8D, 0x3B, 0xBE, 0x27, 0x34, 0xC6, 0x12, 0xBA, 0x34,
0x1D, 0x81, 0x3E, 0x04, 0x3C, 0xF9, 0xE8, 0xA8, 0x62, 0xCD, 0x5C, 0x57, 0xA3, 0x6B, 0xBE, 0x6B },
207 /* Bin Number */
},
{
/* EC_ACC */
{ 0x88, 0x49, 0x7F, 0x01, 0x60, 0x2F, 0x31, 0x54, 0x24, 0x6A, 0xE2, 0x8C, 0x4D, 0x5A, 0xEF, 0x10,
@ -897,6 +921,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
0x6F, 0x05, 0x45, 0x27, 0xE8, 0x02, 0xEA, 0xA9, 0x2D, 0x59, 0x54, 0x44, 0x25, 0x8A, 0xFE, 0x71 },
120 /* Bin Number */
},
{
/* emSign_ECC_Root_CA___C3 */
{ 0xBC, 0x4D, 0x80, 0x9B, 0x15, 0x18, 0x9D, 0x78, 0xDB, 0x3E, 0x1D, 0x8C, 0xF4, 0xF9, 0x72, 0x6A,
0x79, 0x5D, 0xA1, 0x64, 0x3C, 0xA5, 0xF1, 0x35, 0x8E, 0x1D, 0xDB, 0x0E, 0xDC, 0x0D, 0x7E, 0xB3 },
209 /* Bin Number */
},
{
/* AffirmTrust_Premium_ECC */
{ 0xBD, 0x71, 0xFD, 0xF6, 0xDA, 0x97, 0xE4, 0xCF, 0x62, 0xD1, 0x64, 0x7A, 0xDD, 0x25, 0x81, 0xB0,


@ -1033,7 +1033,32 @@
"label": "Certigna_Root_CA",
"binNumber": 205,
"sha256Fingerprint": "1I09I+7bUKRZ5VGXYBwnd0udexjJTVoFlRGhAlC5MWg="
},
{
"label": "emSign_Root_CA___G1",
"binNumber": 206,
"sha256Fingerprint": "QPavA0apmqHNHVVaTpzOYsf5Y0YD7kBmFYM9yMjQA2c="
},
{
"label": "emSign_ECC_Root_CA___G3",
"binNumber": 207,
"sha256Fingerprint": "hqHsugicSo07vic0xhK6NB2BPgQ8+eioYs1cV6Nrvms="
},
{
"label": "emSign_Root_CA___C1",
"binNumber": 208,
"sha256Fingerprint": "ElYJqjAdoKJJuXqCOctqNCFvRNysnzlUsUKS8ujIYI8="
},
{
"label": "emSign_ECC_Root_CA___C3",
"binNumber": 209,
"sha256Fingerprint": "vE2AmxUYnXjbPh2M9PlyanldoWQ8pfE1jh3bDtwNfrM="
},
{
"label": "Hongkong_Post_Root_CA_3",
"binNumber": 210,
"sha256Fingerprint": "Wi/APwyDsJC7+kBgSwmIRGx2Nhg9+YRuFxAaRH+479Y="
}
],
"maxBin": 205
"maxBin": 210
}


@ -1 +1 @@
536fd7c9db5a
a306d84e4c70


@ -121,6 +121,9 @@ static PRBool enableCertStatus = PR_FALSE;
PRIntervalTime maxInterval = PR_INTERVAL_NO_TIMEOUT;
static const SSLSignatureScheme *enabledSigSchemes = NULL;
static unsigned int enabledSigSchemeCount = 0;
char *progName;
secuPWData pwdata = { PW_NONE, 0 };
@ -143,7 +146,8 @@ Usage(void)
"Usage: %s [-n nickname] [-p port] [-d dbdir] [-c connections]\n"
" [-BDNovqs] [-f filename] [-N | -P percentage]\n"
" [-w dbpasswd] [-C cipher(s)] [-t threads] [-W pwfile]\n"
" [-V [min-version]:[max-version]] [-a sniHostName] hostname\n"
" [-V [min-version]:[max-version]] [-a sniHostName]\n"
" [-J signatureschemes] hostname\n"
" where -v means verbose\n"
" -o flag is interpreted as follows:\n"
" 1 -o means override the result of server certificate validation.\n"
@ -161,7 +165,17 @@ Usage(void)
" -T enable the cert_status extension (OCSP stapling)\n"
" -u enable TLS Session Ticket extension\n"
" -z enable compression\n"
" -g enable false start\n",
" -g enable false start\n"
" -J enable signature schemes\n"
" This takes a comma separated list of signature schemes in preference\n"
" order.\n"
" Possible values are:\n"
" rsa_pkcs1_sha1, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,\n"
" ecdsa_sha1, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,\n"
" ecdsa_secp521r1_sha512,\n"
" rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,\n"
" rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,\n"
" dsa_sha1, dsa_sha256, dsa_sha384, dsa_sha512\n",
progName);
exit(1);
}
@ -1158,6 +1172,14 @@ client_main(
errExit("error setting SSL/TLS version range ");
}
if (enabledSigSchemes) {
rv = SSL_SignatureSchemePrefSet(model_sock, enabledSigSchemes,
enabledSigSchemeCount);
if (rv < 0) {
errExit("SSL_SignatureSchemePrefSet");
}
}
if (bigBuf.data) { /* doing FDX */
rv = SSL_OptionSet(model_sock, SSL_ENABLE_FDX, 1);
if (rv < 0) {
@ -1316,7 +1338,7 @@ main(int argc, char **argv)
/* XXX: 'B' was used in the past but removed in 3.28,
* please leave some time before resuing it. */
optstate = PL_CreateOptState(argc, argv,
"C:DNP:TUV:W:a:c:d:f:gin:op:qst:uvw:z");
"C:DJ:NP:TUV:W:a:c:d:f:gin:op:qst:uvw:z");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case 'C':
@ -1330,6 +1352,15 @@ main(int argc, char **argv)
case 'I': /* reserved for OCSP multi-stapling */
break;
case 'J':
rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount);
if (rv != SECSuccess) {
PL_DestroyOptState(optstate);
fprintf(stderr, "Bad signature scheme specified.\n");
Usage();
}
break;
case 'N':
NoReuse = 1;
break;
@ -1516,6 +1547,8 @@ main(int argc, char **argv)
PL_strfree(hostName);
PORT_Free((SSLSignatureScheme *)enabledSigSchemes);
/* some final stats. */
printf(
"strsclnt: %ld cache hits; %ld cache misses, %ld cache not reusable\n"
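Review bot: Ownership of `enabledSigSchemes` is undocumented in the new declaration: the pointer is declared `static const SSLSignatureScheme *`, filled by `parseSigSchemeList()` in the `-J` case, and released at the end of `main()` through a cast that drops the `const`. A comment on the declaration, for example `/* heap array built from -J by parseSigSchemeList(); freed once at the end of main() */`, would record that. Whether a repeated `-J` releases the earlier list depends on `parseSigSchemeList()`, which is not shown on this page. The usage text also lists the SHA-1 schemes (`rsa_pkcs1_sha1`, `ecdsa_sha1`, `dsa_sha1`) without marking them as legacy, which is worth a word for anyone copying the list into a test configuration. `main()` and `client_main()` continue outside these hunks.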


@ -10,3 +10,4 @@
*/
#error "Do not include this header file."


@ -0,0 +1,34 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef scoped_ptrs_smime_h__
#define scoped_ptrs_smime_h__
#include <memory>
#include "smime.h"
struct ScopedDeleteSmime {
void operator()(NSSCMSMessage* id) { NSS_CMSMessage_Destroy(id); }
};
template <class T>
struct ScopedMaybeDeleteSmime {
void operator()(T* ptr) {
if (ptr) {
ScopedDeleteSmime del;
del(ptr);
}
}
};
#define SCOPED(x) \
typedef std::unique_ptr<x, ScopedMaybeDeleteSmime<x> > Scoped##x
SCOPED(NSSCMSMessage);
#undef SCOPED
#endif // scoped_ptrs_smime_h__
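Review bot: The null check in `ScopedMaybeDeleteSmime::operator()` is redundant, because `std::unique_ptr` only invokes its deleter when the held pointer is non-null. If it is kept for symmetry with the other scoped-pointer headers (not shown here), a one-line comment saying so would help, e.g. `// unique_ptr never passes nullptr; check kept to match the other scoped_ptrs headers`. The header would also benefit from a short comment stating that `ScopedNSSCMSMessage` owns the message and releases it with `NSS_CMSMessage_Destroy`.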


@ -21,7 +21,7 @@ all: prepare all-man all-html
prepare: date-and-version
mkdir -p html
mkdir -p nroff
clean:
rm -f date.xml version.xml *.tar.bz2
rm -f html/*.proc
@ -45,11 +45,11 @@ version.xml:
nroff/%.1 : %.xml
$(COMPILE.1) $<
MANPAGES = \
nroff/certutil.1 nroff/cmsutil.1 nroff/crlutil.1 nroff/pk12util.1 \
nroff/modutil.1 nroff/ssltap.1 nroff/derdump.1 nroff/signtool.1 nroff/signver.1 \
nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1
nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1 nroff/nss-policy-check.1
all-man: prepare $(MANPAGES)
@ -64,6 +64,6 @@ html/%.html : %.xml
HTMLPAGES = \
html/certutil.html html/cmsutil.html html/crlutil.html html/pk12util.html html/modutil.html \
html/ssltap.html html/derdump.html html/signtool.html html/signver.html html/pp.html \
html/vfychain.html html/vfyserv.html
html/vfychain.html html/vfyserv.html html/nss-policy-check.html
all-html: prepare $(HTMLPAGES)


@ -179,6 +179,10 @@ Use the -a argument to specify ASCII output.</para></listitem>
For certificate requests, ASCII output defaults to standard output unless redirected.</para></listitem>
</varlistentry>
<varlistentry>
<term>--simple-self-signed</term>
<listitem><para>When printing the certificate chain, don't search for a chain if issuer name equals to subject name.</para></listitem>
</varlistentry>
<varlistentry>
<term>-b validity-time</term>
<listitem><para>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <option>-V</option> option. The format of the <emphasis>validity-time</emphasis> argument is <emphasis>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</emphasis>, which allows offsets to be set relative to the validity end time. Specifying seconds (<emphasis>SS</emphasis>) is optional. When specifying an explicit time, use a Z at the end of the term, <emphasis>YYMMDDHHMMSSZ</emphasis>, to close it. When specifying an offset time, use <emphasis>YYMMDDHHMMSS+HHMM</emphasis> or <emphasis>YYMMDDHHMMSS-HHMM</emphasis> for adding or subtracting time, respectively.


@ -0,0 +1,97 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="nss-policy-check">
<refentryinfo>
<date>&date;</date>
<title>NSS Security Tools</title>
<productname>nss-tools</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>NSS-POLICY-CHECK</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>nss-policy-check</refname>
<refpurpose>nss-policy-check policy-file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>nss-policy-check</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsection id="description">
<title>Description</title>
<para><command>nss-policy-check</command> verifies crypto-policy configuration that controls certain crypto algorithms are allowed/disallowed to use in the NSS library.</para>
<para>The crypto-policy configuration can be stored in either a system-wide configuration file, specified with the POLICY_PATH and POLICY_FILE build options, or in the pkcs11.txt in NSS database.</para>
</refsection>
<refsection id="basic-usage">
<title>Usage and Examples</title>
<para>To check the global crypto-policy configuration in <filename>/etc/crypto-policies/back-ends/nss.config</filename>:
</para>
<programlisting>$ nss-policy-check /etc/crypto-policies/back-ends/nss.config
NSS-POLICY-INFO: LOADED-SUCCESSFULLY
NSS-POLICY-INFO: PRIME256V1 is enabled for KX
NSS-POLICY-INFO: PRIME256V1 is enabled for CERT-SIGNATURE
NSS-POLICY-INFO: SECP256R1 is enabled for KX
NSS-POLICY-INFO: SECP256R1 is enabled for CERT-SIGNATURE
NSS-POLICY-INFO: SECP384R1 is enabled for KX
NSS-POLICY-INFO: SECP384R1 is enabled for CERT-SIGNATURE
...
NSS-POLICY-INFO: NUMBER-OF-SSL-ALG-KX: 13
NSS-POLICY-INFO: NUMBER-OF-SSL-ALG: 9
NSS-POLICY-INFO: NUMBER-OF-CERT-SIG: 9
...
NSS-POLICY-INFO: ciphersuite TLS_AES_128_GCM_SHA256 is enabled
NSS-POLICY-INFO: ciphersuite TLS_CHACHA20_POLY1305_SHA256 is enabled
NSS-POLICY-INFO: ciphersuite TLS_AES_256_GCM_SHA384 is enabled
...
NSS-POLICY-INFO: NUMBER-OF-CIPHERSUITES: 24
NSS-POLICY-INFO: NUMBER-OF-TLS-VERSIONS: 3
NSS-POLICY-INFO: NUMBER-OF-DTLS-VERSIONS: 2
</programlisting>
<para>If there is a failure or warning, it will be prefixed with
NSS-POLICY-FAIL or NSS-POLICY_WARN.
</para>
<para><command>nss-policy-check</command> exits with 2 if any
failure is found, 1 if any warning is found, or 0 if no errors are
found.</para>
</refsection>
<!-- don't change -->
<refsection id="resources">
<title>Additional Resources</title>
<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
<para>IRC: Freenode at #dogtag-pki</para>
</refsection>
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>


@ -108,7 +108,7 @@
</varlistentry>
<varlistentry>
<term>-n | --cert-key-len certKeyLength</term>
<term>--cert-key-len certKeyLength</term>
<listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem>
</varlistentry>


@ -24,6 +24,7 @@ NSS_SRCDIRS = \
cryptohi_gtest \
der_gtest \
pk11_gtest \
smime_gtest \
softoken_gtest \
ssl_gtest \
$(SYSINIT_GTEST) \


@ -0,0 +1,43 @@
#! gmake
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#######################################################################
# (1) Include initial platform-independent assignments (MANDATORY). #
#######################################################################
include manifest.mn
#######################################################################
# (2) Include "global" configuration information. (OPTIONAL) #
#######################################################################
include $(CORE_DEPTH)/coreconf/config.mk
#######################################################################
# (3) Include "component" configuration information. (OPTIONAL) #
#######################################################################
#######################################################################
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
#######################################################################
include ../common/gtest.mk
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #
#######################################################################
include $(CORE_DEPTH)/coreconf/rules.mk
#######################################################################
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
#######################################################################


@ -0,0 +1,22 @@
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
CORE_DEPTH = ../..
DEPTH = ../..
MODULE = nss
CPPSRCS = \
smime_unittest.cc \
$(NULL)
INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
-I$(CORE_DEPTH)/gtests/common \
-I$(CORE_DEPTH)/cpputil
REQUIRES = nspr gtest
PROGRAM = smime_gtest
EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) $(EXTRA_OBJS) \
$(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX)


@ -0,0 +1,30 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
{
'includes': [
'../../coreconf/config.gypi',
'../common/gtest.gypi',
],
'targets': [
{
'target_name': 'smime_gtest',
'type': 'executable',
'sources': [
'smime_unittest.cc',
'<(DEPTH)/gtests/common/gtests.cc'
],
'dependencies': [
'<(DEPTH)/exports.gyp:nss_exports',
'<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
'<(DEPTH)/lib/util/util.gyp:nssutil3',
'<(DEPTH)/lib/nss/nss.gyp:nss3',
'<(DEPTH)/lib/smime/smime.gyp:smime',
'<(DEPTH)/lib/ssl/ssl.gyp:ssl3',
]
}
],
'variables': {
'module': 'nss'
}
}


@ -0,0 +1,137 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License v. 2.0. If a copy of the MPL was not distributed with this file
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include <string>
#include "gtest/gtest.h"
#include "scoped_ptrs_smime.h"
#include "smime.h"
namespace nss_test {
// See bug 1507174; this is a CMS serialization (RFC 5652) that claims to be
// 12336 bytes long, which ensures CMS validates the streaming decoder's
// incorrect length.
static const unsigned char kHugeLenAsn1[] = {
0x30, 0x82, 0x30, 0x30, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
0x0D, 0x01, 0x07, 0x02, 0xA0, 0x82, 0x02, 0x30, 0x30, 0x30, 0x02,
0x01, 0x30, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x09, 0x30, 0x30, 0x30,
0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x00, 0x30, 0x0B, 0x06,
0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x05};
// secp256r1 signature with no certs and no attrs
static unsigned char kValidSignature[] = {
0x30, 0x81, 0xFE, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
0x07, 0x02, 0xA0, 0x81, 0xF0, 0x30, 0x81, 0xED, 0x02, 0x01, 0x01, 0x31,
0x0F, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
0xF7, 0x0D, 0x01, 0x07, 0x01, 0x31, 0x81, 0xC9, 0x30, 0x81, 0xC6, 0x02,
0x01, 0x01, 0x30, 0x5D, 0x30, 0x45, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03,
0x55, 0x04, 0x06, 0x13, 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06,
0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x53, 0x6F, 0x6D, 0x65, 0x2D, 0x53,
0x74, 0x61, 0x74, 0x65, 0x31, 0x21, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x04,
0x0A, 0x0C, 0x18, 0x49, 0x6E, 0x74, 0x65, 0x72, 0x6E, 0x65, 0x74, 0x20,
0x57, 0x69, 0x64, 0x67, 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20,
0x4C, 0x74, 0x64, 0x02, 0x14, 0x6B, 0x22, 0xCA, 0x91, 0xE0, 0x71, 0x97,
0xEB, 0x45, 0x0D, 0x68, 0xC0, 0xD4, 0xB6, 0xE9, 0x45, 0x38, 0x4C, 0xDD,
0xA3, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
0x02, 0x01, 0x05, 0x00, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE,
0x3D, 0x04, 0x03, 0x02, 0x04, 0x47, 0x30, 0x45, 0x02, 0x20, 0x48, 0xEB,
0xE6, 0xBA, 0xFC, 0xFD, 0x83, 0xB3, 0xA2, 0xB5, 0x59, 0x35, 0x0C, 0xA1,
0x31, 0x0E, 0x2F, 0xE3, 0x8D, 0x81, 0xD8, 0xF5, 0x33, 0xE4, 0x83, 0x87,
0xB1, 0xFD, 0x43, 0x9D, 0x95, 0x7D, 0x02, 0x21, 0x00, 0xD0, 0x05, 0x0E,
0x05, 0xA6, 0x80, 0x3C, 0x1A, 0xFE, 0x51, 0xFC, 0x4D, 0x1A, 0x25, 0x05,
0x78, 0xB5, 0x42, 0xF5, 0xDE, 0x4E, 0x8A, 0xF8, 0xE3, 0xD8, 0x52, 0xDC,
0x2B, 0x73, 0x80, 0x4A, 0x1A};
// See bug 1507135; this is a CMS signature that contains only the OID
static unsigned char kTruncatedSignature[] = {0x30, 0x0B, 0x06, 0x09, 0x2A,
0x86, 0x48, 0x86, 0xF7, 0x0D,
0x01, 0x07, 0x02};
// secp256r1 signature that's truncated by one byte.
static unsigned char kSlightlyTruncatedSignature[] = {
0x30, 0x81, 0xFE, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
0x07, 0x02, 0xA0, 0x81, 0xF0, 0x30, 0x81, 0xED, 0x02, 0x01, 0x01, 0x31,
0x0F, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
0x02, 0x01, 0x05, 0x00, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
0xF7, 0x0D, 0x01, 0x07, 0x01, 0x31, 0x81, 0xC9, 0x30, 0x81, 0xC6, 0x02,
0x01, 0x01, 0x30, 0x5D, 0x30, 0x45, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03,
0x55, 0x04, 0x06, 0x13, 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06,
0x03, 0x55, 0x04, 0x08, 0x0C, 0x0A, 0x53, 0x6F, 0x6D, 0x65, 0x2D, 0x53,
0x74, 0x61, 0x74, 0x65, 0x31, 0x21, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x04,
0x0A, 0x0C, 0x18, 0x49, 0x6E, 0x74, 0x65, 0x72, 0x6E, 0x65, 0x74, 0x20,
0x57, 0x69, 0x64, 0x67, 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20,
0x4C, 0x74, 0x64, 0x02, 0x14, 0x6B, 0x22, 0xCA, 0x91, 0xE0, 0x71, 0x97,
0xEB, 0x45, 0x0D, 0x68, 0xC0, 0xD4, 0xB6, 0xE9, 0x45, 0x38, 0x4C, 0xDD,
0xA3, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
0x02, 0x01, 0x05, 0x00, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE,
0x3D, 0x04, 0x03, 0x02, 0x04, 0x47, 0x30, 0x45, 0x02, 0x20, 0x48, 0xEB,
0xE6, 0xBA, 0xFC, 0xFD, 0x83, 0xB3, 0xA2, 0xB5, 0x59, 0x35, 0x0C, 0xA1,
0x31, 0x0E, 0x2F, 0xE3, 0x8D, 0x81, 0xD8, 0xF5, 0x33, 0xE4, 0x83, 0x87,
0xB1, 0xFD, 0x43, 0x9D, 0x95, 0x7D, 0x02, 0x21, 0x00, 0xD0, 0x05, 0x0E,
0x05, 0xA6, 0x80, 0x3C, 0x1A, 0xFE, 0x51, 0xFC, 0x4D, 0x1A, 0x25, 0x05,
0x78, 0xB5, 0x42, 0xF5, 0xDE, 0x4E, 0x8A, 0xF8, 0xE3, 0xD8, 0x52, 0xDC,
0x2B, 0x73, 0x80, 0x4A};
class SMimeTest : public ::testing::Test {};
TEST_F(SMimeTest, InvalidDER) {
PK11SymKey* bulk_key = nullptr;
NSSCMSDecoderContext* dcx =
NSS_CMSDecoder_Start(nullptr, nullptr, nullptr, /* content callback */
nullptr, nullptr, /* password callback */
nullptr, /* key callback */
bulk_key);
ASSERT_NE(nullptr, dcx);
EXPECT_EQ(SECSuccess, NSS_CMSDecoder_Update(
dcx, reinterpret_cast<const char*>(kHugeLenAsn1),
sizeof(kHugeLenAsn1)));
EXPECT_EQ(nullptr, bulk_key);
ASSERT_FALSE(NSS_CMSDecoder_Finish(dcx));
}
TEST_F(SMimeTest, IsSignedValid) {
SECItem sig_der_item = {siBuffer, kValidSignature, sizeof(kValidSignature)};
ScopedNSSCMSMessage cms_msg(NSS_CMSMessage_CreateFromDER(
&sig_der_item, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr));
ASSERT_TRUE(cms_msg);
ASSERT_TRUE(NSS_CMSMessage_IsSigned(cms_msg.get()));
}
TEST_F(SMimeTest, TruncatedCmsSignature) {
SECItem sig_der_item = {siBuffer, kTruncatedSignature,
sizeof(kTruncatedSignature)};
ScopedNSSCMSMessage cms_msg(NSS_CMSMessage_CreateFromDER(
&sig_der_item, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr));
ASSERT_TRUE(cms_msg);
ASSERT_FALSE(NSS_CMSMessage_IsSigned(cms_msg.get()));
}
TEST_F(SMimeTest, SlightlyTruncatedCmsSignature) {
SECItem sig_der_item = {siBuffer, kSlightlyTruncatedSignature,
sizeof(kSlightlyTruncatedSignature)};
ScopedNSSCMSMessage cms_msg(NSS_CMSMessage_CreateFromDER(
&sig_der_item, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr));
ASSERT_FALSE(cms_msg);
ASSERT_FALSE(NSS_CMSMessage_IsSigned(cms_msg.get()));
}
TEST_F(SMimeTest, IsSignedNull) {
ASSERT_FALSE(NSS_CMSMessage_IsSigned(nullptr));
}
} // namespace nss_test
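Review bot: In `InvalidDER`, `EXPECT_EQ(nullptr, bulk_key)` cannot fail: `bulk_key` is passed to `NSS_CMSDecoder_Start` by value, so the decoder has no way to change the local and it is still `nullptr` when the assertion runs. Either drop the assertion or add a comment saying it only records that no key was supplied, e.g. `// no bulk key is supplied; the decoder must cope without one`. In `SlightlyTruncatedCmsSignature` the second assertion repeats what `IsSignedNull` already covers, since `cms_msg.get()` is null once `ASSERT_FALSE(cms_msg)` has passed; that is harmless but deserves a comment.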


@ -183,15 +183,12 @@ class TlsHkdfTest : public ::testing::Test,
DumpData("Output", &output[0], output.size());
EXPECT_EQ(0, memcmp(expected.data(), &output[0], expected.len()));
if (session_hash_len > 0) {
return;
}
// Verify that the public API produces the same result.
PRUint16 cs = GetSomeCipherSuiteForHash(base_hash);
PK11SymKey* secret;
rv = SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3, cs, prk->get(),
label, label_len, &secret);
rv = SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3, cs, prk->get(),
session_hash, session_hash_len, label, label_len,
&secret);
EXPECT_EQ(SECSuccess, rv);
ASSERT_NE(nullptr, prk);
VerifyKey(ScopedPK11SymKey(secret), expected);
@ -347,51 +344,62 @@ TEST_P(TlsHkdfTest, BadExtractWrapperInput) {
EXPECT_EQ(nullptr, key);
}
TEST_P(TlsHkdfTest, BadDeriveSecretWrapperInput) {
TEST_P(TlsHkdfTest, BadExpandLabelWrapperInput) {
PK11SymKey* key = nullptr;
static const char* kLabel = "label";
// Bad version.
EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_2,
TLS_AES_128_GCM_SHA256, k1_.get(),
kLabel, strlen(kLabel), &key));
EXPECT_EQ(
SECFailure,
SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_2, TLS_AES_128_GCM_SHA256,
k1_.get(), nullptr, 0, kLabel, strlen(kLabel), &key));
EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
// Bad ciphersuite.
EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3,
TLS_RSA_WITH_NULL_MD5, k1_.get(),
kLabel, strlen(kLabel), &key));
EXPECT_EQ(
SECFailure,
SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3, TLS_RSA_WITH_NULL_MD5,
k1_.get(), nullptr, 0, kLabel, strlen(kLabel), &key));
EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
// Old ciphersuite.
EXPECT_EQ(SECFailure,
SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3,
TLS_RSA_WITH_AES_128_CBC_SHA, k1_.get(),
kLabel, strlen(kLabel), &key));
SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3,
TLS_RSA_WITH_AES_128_CBC_SHA, k1_.get(),
nullptr, 0, kLabel, strlen(kLabel), &key));
EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
// Null PRK.
EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_2,
TLS_AES_128_GCM_SHA256, nullptr,
kLabel, strlen(kLabel), &key));
EXPECT_EQ(SECFailure, SSL_HkdfExpandLabel(
SSL_LIBRARY_VERSION_TLS_1_2, TLS_AES_128_GCM_SHA256,
nullptr, nullptr, 0, kLabel, strlen(kLabel), &key));
EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
// Null, non-zero-length handshake hash.
EXPECT_EQ(
SECFailure,
SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_2, TLS_AES_128_GCM_SHA256,
k1_.get(), nullptr, 2, kLabel, strlen(kLabel), &key));
EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
// Null, non-zero-length label.
EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3,
TLS_AES_128_GCM_SHA256, k1_.get(),
nullptr, strlen(kLabel), &key));
EXPECT_EQ(SECFailure,
SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3,
TLS_AES_128_GCM_SHA256, k1_.get(), nullptr, 0,
nullptr, strlen(kLabel), &key));
EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
// Null, empty label.
EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3,
TLS_AES_128_GCM_SHA256, k1_.get(),
nullptr, 0, &key));
EXPECT_EQ(SECFailure, SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3,
TLS_AES_128_GCM_SHA256, k1_.get(),
nullptr, 0, nullptr, 0, &key));
EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
// Null key pointer..
EXPECT_EQ(SECFailure, SSL_HkdfDeriveSecret(SSL_LIBRARY_VERSION_TLS_1_3,
TLS_AES_128_GCM_SHA256, k1_.get(),
kLabel, strlen(kLabel), nullptr));
EXPECT_EQ(SECFailure,
SSL_HkdfExpandLabel(SSL_LIBRARY_VERSION_TLS_1_3,
TLS_AES_128_GCM_SHA256, k1_.get(), nullptr, 0,
kLabel, strlen(kLabel), nullptr));
EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
EXPECT_EQ(nullptr, key);
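Review bot: Two of the negative cases in `BadExpandLabelWrapperInput` do not isolate the argument they are named for: the "Null PRK" call and the new "Null, non-zero-length handshake hash" call both pass `SSL_LIBRARY_VERSION_TLS_1_2`, which the first case in this test already expects to fail with `SEC_ERROR_INVALID_ARGS`. Both calls would therefore still return `SECFailure` if the PRK or hash check were missing. Passing `SSL_LIBRARY_VERSION_TLS_1_3` in both, as the label and key-pointer cases do, would make each case exercise its own check. The end of the test function is outside the hunk.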


@ -23153,3 +23153,678 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "emSign Root CA - G1"
#
# Issuer: CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
# Serial Number:31:f5:e4:62:0c:6c:58:ed:d6:d8
# Subject: CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
# Not Valid Before: Sun Feb 18 18:30:00 2018
# Not Valid After : Wed Feb 18 18:30:00 2043
# Fingerprint (SHA-256): 40:F6:AF:03:46:A9:9A:A1:CD:1D:55:5A:4E:9C:CE:62:C7:F9:63:46:03:EE:40:66:15:83:3D:C8:C8:D0:03:67
# Fingerprint (SHA1): 8A:C7:AD:8F:73:AC:4E:C1:B5:75:4D:A5:40:F4:FC:CF:7C:B5:8E:8C
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "emSign Root CA - G1"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\147\061\013\060\011\006\003\125\004\006\023\002\111\116\061
\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
\151\145\163\040\114\151\155\151\164\145\144\061\034\060\032\006
\003\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157
\164\040\103\101\040\055\040\107\061
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\147\061\013\060\011\006\003\125\004\006\023\002\111\116\061
\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
\151\145\163\040\114\151\155\151\164\145\144\061\034\060\032\006
\003\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157
\164\040\103\101\040\055\040\107\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\012\061\365\344\142\014\154\130\355\326\330
END
CKA_VALUE MULTILINE_OCTAL
\060\202\003\224\060\202\002\174\240\003\002\001\002\002\012\061
\365\344\142\014\154\130\355\326\330\060\015\006\011\052\206\110
\206\367\015\001\001\013\005\000\060\147\061\013\060\011\006\003
\125\004\006\023\002\111\116\061\023\060\021\006\003\125\004\013
\023\012\145\155\123\151\147\156\040\120\113\111\061\045\060\043
\006\003\125\004\012\023\034\145\115\165\144\150\162\141\040\124
\145\143\150\156\157\154\157\147\151\145\163\040\114\151\155\151
\164\145\144\061\034\060\032\006\003\125\004\003\023\023\145\155
\123\151\147\156\040\122\157\157\164\040\103\101\040\055\040\107
\061\060\036\027\015\061\070\060\062\061\070\061\070\063\060\060
\060\132\027\015\064\063\060\062\061\070\061\070\063\060\060\060
\132\060\147\061\013\060\011\006\003\125\004\006\023\002\111\116
\061\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147
\156\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034
\145\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157
\147\151\145\163\040\114\151\155\151\164\145\144\061\034\060\032
\006\003\125\004\003\023\023\145\155\123\151\147\156\040\122\157
\157\164\040\103\101\040\055\040\107\061\060\202\001\042\060\015
\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001
\017\000\060\202\001\012\002\202\001\001\000\223\113\273\351\146
\212\356\235\133\325\064\223\320\033\036\303\347\236\270\144\063
\177\143\170\150\264\315\056\161\165\327\233\040\306\115\051\274
\266\150\140\212\367\041\232\126\065\132\363\166\275\330\315\232
\377\223\126\113\245\131\006\241\223\064\051\335\026\064\165\116
\362\201\264\307\226\116\255\031\025\122\112\376\074\160\165\160
\315\257\053\253\025\232\063\074\252\263\213\252\315\103\375\365
\352\160\377\355\317\021\073\224\316\116\062\026\323\043\100\052
\167\263\257\074\001\054\154\355\231\054\213\331\116\151\230\262
\367\217\101\260\062\170\141\326\015\137\303\372\242\100\222\035
\134\027\346\160\076\065\347\242\267\302\142\342\253\244\070\114
\265\071\065\157\352\003\151\372\072\124\150\205\155\326\362\057
\103\125\036\221\015\016\330\325\152\244\226\321\023\074\054\170
\120\350\072\222\322\027\126\345\065\032\100\034\076\215\054\355
\071\337\102\340\203\101\164\337\243\315\302\206\140\110\150\343
\151\013\124\000\213\344\166\151\041\015\171\116\064\010\136\024
\302\314\261\267\255\327\174\160\212\307\205\002\003\001\000\001
\243\102\060\100\060\035\006\003\125\035\016\004\026\004\024\373
\357\015\206\236\260\343\335\251\271\361\041\027\177\076\374\360
\167\053\032\060\016\006\003\125\035\017\001\001\377\004\004\003
\002\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060
\003\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001
\013\005\000\003\202\001\001\000\131\377\362\214\365\207\175\161
\075\243\237\033\133\321\332\370\323\234\153\066\275\233\251\141
\353\336\026\054\164\075\236\346\165\332\327\272\247\274\102\027
\347\075\221\353\345\175\335\076\234\361\317\222\254\154\110\314
\302\042\077\151\073\305\266\025\057\243\065\306\150\052\034\127
\257\071\357\215\320\065\303\030\014\173\000\126\034\315\213\031
\164\336\276\017\022\340\320\252\241\077\002\064\261\160\316\235
\030\326\010\003\011\106\356\140\340\176\266\304\111\004\121\175
\160\140\274\252\262\377\171\162\172\246\035\075\137\052\370\312
\342\375\071\267\107\271\353\176\337\004\043\257\372\234\006\007
\351\373\143\223\200\100\265\306\154\012\061\050\316\014\237\317
\263\043\065\200\101\215\154\304\067\173\201\057\200\241\100\102
\205\351\331\070\215\350\241\123\315\001\277\151\350\132\006\362
\105\013\220\372\256\341\277\235\362\256\127\074\245\256\262\126
\364\213\145\100\351\375\061\201\054\364\071\011\330\356\153\247
\264\246\035\025\245\230\367\001\201\330\205\175\363\121\134\161
\210\336\272\314\037\200\176\112
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# Trust for "emSign Root CA - G1"
# Issuer: CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
# Serial Number:31:f5:e4:62:0c:6c:58:ed:d6:d8
# Subject: CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
# Not Valid Before: Sun Feb 18 18:30:00 2018
# Not Valid After : Wed Feb 18 18:30:00 2043
# Fingerprint (SHA-256): 40:F6:AF:03:46:A9:9A:A1:CD:1D:55:5A:4E:9C:CE:62:C7:F9:63:46:03:EE:40:66:15:83:3D:C8:C8:D0:03:67
# Fingerprint (SHA1): 8A:C7:AD:8F:73:AC:4E:C1:B5:75:4D:A5:40:F4:FC:CF:7C:B5:8E:8C
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "emSign Root CA - G1"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\212\307\255\217\163\254\116\301\265\165\115\245\100\364\374\317
\174\265\216\214
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\234\102\204\127\335\313\013\247\056\225\255\266\363\332\274\254
END
CKA_ISSUER MULTILINE_OCTAL
\060\147\061\013\060\011\006\003\125\004\006\023\002\111\116\061
\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
\151\145\163\040\114\151\155\151\164\145\144\061\034\060\032\006
\003\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157
\164\040\103\101\040\055\040\107\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\012\061\365\344\142\014\154\130\355\326\330
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "emSign ECC Root CA - G3"
#
# Issuer: CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
# Serial Number:3c:f6:07:a9:68:70:0e:da:8b:84
# Subject: CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
# Not Valid Before: Sun Feb 18 18:30:00 2018
# Not Valid After : Wed Feb 18 18:30:00 2043
# Fingerprint (SHA-256): 86:A1:EC:BA:08:9C:4A:8D:3B:BE:27:34:C6:12:BA:34:1D:81:3E:04:3C:F9:E8:A8:62:CD:5C:57:A3:6B:BE:6B
# Fingerprint (SHA1): 30:43:FA:4F:F2:57:DC:A0:C3:80:EE:2E:58:EA:78:B2:3F:E6:BB:C1
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "emSign ECC Root CA - G3"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\153\061\013\060\011\006\003\125\004\006\023\002\111\116\061
\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
\151\145\163\040\114\151\155\151\164\145\144\061\040\060\036\006
\003\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103
\040\122\157\157\164\040\103\101\040\055\040\107\063
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\153\061\013\060\011\006\003\125\004\006\023\002\111\116\061
\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
\151\145\163\040\114\151\155\151\164\145\144\061\040\060\036\006
\003\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103
\040\122\157\157\164\040\103\101\040\055\040\107\063
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\012\074\366\007\251\150\160\016\332\213\204
END
CKA_VALUE MULTILINE_OCTAL
\060\202\002\116\060\202\001\323\240\003\002\001\002\002\012\074
\366\007\251\150\160\016\332\213\204\060\012\006\010\052\206\110
\316\075\004\003\003\060\153\061\013\060\011\006\003\125\004\006
\023\002\111\116\061\023\060\021\006\003\125\004\013\023\012\145
\155\123\151\147\156\040\120\113\111\061\045\060\043\006\003\125
\004\012\023\034\145\115\165\144\150\162\141\040\124\145\143\150
\156\157\154\157\147\151\145\163\040\114\151\155\151\164\145\144
\061\040\060\036\006\003\125\004\003\023\027\145\155\123\151\147
\156\040\105\103\103\040\122\157\157\164\040\103\101\040\055\040
\107\063\060\036\027\015\061\070\060\062\061\070\061\070\063\060
\060\060\132\027\015\064\063\060\062\061\070\061\070\063\060\060
\060\132\060\153\061\013\060\011\006\003\125\004\006\023\002\111
\116\061\023\060\021\006\003\125\004\013\023\012\145\155\123\151
\147\156\040\120\113\111\061\045\060\043\006\003\125\004\012\023
\034\145\115\165\144\150\162\141\040\124\145\143\150\156\157\154
\157\147\151\145\163\040\114\151\155\151\164\145\144\061\040\060
\036\006\003\125\004\003\023\027\145\155\123\151\147\156\040\105
\103\103\040\122\157\157\164\040\103\101\040\055\040\107\063\060
\166\060\020\006\007\052\206\110\316\075\002\001\006\005\053\201
\004\000\042\003\142\000\004\043\245\014\270\055\022\365\050\363
\261\262\335\342\002\022\200\236\071\137\111\115\237\311\045\064
\131\164\354\273\006\034\347\300\162\257\350\256\057\341\101\124
\207\024\250\112\262\350\174\202\346\133\152\265\334\263\165\316
\213\006\320\206\043\277\106\325\216\017\077\004\364\327\034\222
\176\366\245\143\302\365\137\216\056\117\241\030\031\002\053\062
\012\202\144\175\026\223\321\243\102\060\100\060\035\006\003\125
\035\016\004\026\004\024\174\135\002\204\023\324\314\212\233\201
\316\027\034\056\051\036\234\110\143\102\060\016\006\003\125\035
\017\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035
\023\001\001\377\004\005\060\003\001\001\377\060\012\006\010\052
\206\110\316\075\004\003\003\003\151\000\060\146\002\061\000\276
\363\141\317\002\020\035\144\225\007\270\030\156\210\205\005\057
\203\010\027\220\312\037\212\114\350\015\033\172\261\255\325\201
\011\107\357\073\254\010\004\174\134\231\261\355\107\007\322\002
\061\000\235\272\125\374\251\112\350\355\355\346\166\001\102\173
\310\370\140\331\215\121\213\125\073\373\214\173\353\145\011\303
\370\226\315\107\250\202\362\026\125\167\044\176\022\020\225\004
\054\243
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# Trust for "emSign ECC Root CA - G3"
# Issuer: CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
# Serial Number:3c:f6:07:a9:68:70:0e:da:8b:84
# Subject: CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN
# Not Valid Before: Sun Feb 18 18:30:00 2018
# Not Valid After : Wed Feb 18 18:30:00 2043
# Fingerprint (SHA-256): 86:A1:EC:BA:08:9C:4A:8D:3B:BE:27:34:C6:12:BA:34:1D:81:3E:04:3C:F9:E8:A8:62:CD:5C:57:A3:6B:BE:6B
# Fingerprint (SHA1): 30:43:FA:4F:F2:57:DC:A0:C3:80:EE:2E:58:EA:78:B2:3F:E6:BB:C1
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "emSign ECC Root CA - G3"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\060\103\372\117\362\127\334\240\303\200\356\056\130\352\170\262
\077\346\273\301
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\316\013\162\321\237\210\216\320\120\003\350\343\270\213\147\100
END
CKA_ISSUER MULTILINE_OCTAL
\060\153\061\013\060\011\006\003\125\004\006\023\002\111\116\061
\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
\040\120\113\111\061\045\060\043\006\003\125\004\012\023\034\145
\115\165\144\150\162\141\040\124\145\143\150\156\157\154\157\147
\151\145\163\040\114\151\155\151\164\145\144\061\040\060\036\006
\003\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103
\040\122\157\157\164\040\103\101\040\055\040\107\063
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\012\074\366\007\251\150\160\016\332\213\204
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "emSign Root CA - C1"
#
# Issuer: CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US
# Serial Number:00:ae:cf:00:ba:c4:cf:32:f8:43:b2
# Subject: CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US
# Not Valid Before: Sun Feb 18 18:30:00 2018
# Not Valid After : Wed Feb 18 18:30:00 2043
# Fingerprint (SHA-256): 12:56:09:AA:30:1D:A0:A2:49:B9:7A:82:39:CB:6A:34:21:6F:44:DC:AC:9F:39:54:B1:42:92:F2:E8:C8:60:8F
# Fingerprint (SHA1): E7:2E:F1:DF:FC:B2:09:28:CF:5D:D4:D5:67:37:B1:51:CB:86:4F:01
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "emSign Root CA - C1"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\126\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
\115\165\144\150\162\141\040\111\156\143\061\034\060\032\006\003
\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157\164
\040\103\101\040\055\040\103\061
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\126\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
\115\165\144\150\162\141\040\111\156\143\061\034\060\032\006\003
\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157\164
\040\103\101\040\055\040\103\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\013\000\256\317\000\272\304\317\062\370\103\262
END
CKA_VALUE MULTILINE_OCTAL
\060\202\003\163\060\202\002\133\240\003\002\001\002\002\013\000
\256\317\000\272\304\317\062\370\103\262\060\015\006\011\052\206
\110\206\367\015\001\001\013\005\000\060\126\061\013\060\011\006
\003\125\004\006\023\002\125\123\061\023\060\021\006\003\125\004
\013\023\012\145\155\123\151\147\156\040\120\113\111\061\024\060
\022\006\003\125\004\012\023\013\145\115\165\144\150\162\141\040
\111\156\143\061\034\060\032\006\003\125\004\003\023\023\145\155
\123\151\147\156\040\122\157\157\164\040\103\101\040\055\040\103
\061\060\036\027\015\061\070\060\062\061\070\061\070\063\060\060
\060\132\027\015\064\063\060\062\061\070\061\070\063\060\060\060
\132\060\126\061\013\060\011\006\003\125\004\006\023\002\125\123
\061\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147
\156\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013
\145\115\165\144\150\162\141\040\111\156\143\061\034\060\032\006
\003\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157
\164\040\103\101\040\055\040\103\061\060\202\001\042\060\015\006
\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
\000\060\202\001\012\002\202\001\001\000\317\353\251\271\361\231
\005\314\330\050\041\112\363\163\064\121\204\126\020\365\240\117
\054\022\343\372\023\232\047\320\317\371\171\032\164\137\035\171
\071\374\133\370\160\216\340\222\122\367\344\045\371\124\203\331
\035\323\310\132\205\077\136\307\266\007\356\076\300\316\232\257
\254\126\102\052\071\045\160\326\277\265\173\066\255\254\366\163
\334\315\327\035\212\203\245\373\053\220\025\067\153\034\046\107
\334\073\051\126\223\152\263\301\152\072\235\075\365\301\227\070
\130\005\213\034\021\343\344\264\270\135\205\035\203\376\170\137
\013\105\150\030\110\245\106\163\064\073\376\017\310\166\273\307
\030\363\005\321\206\363\205\355\347\271\331\062\255\125\210\316
\246\266\221\260\117\254\176\025\043\226\366\077\360\040\064\026
\336\012\306\304\004\105\171\177\247\375\276\322\251\245\257\234
\305\043\052\367\074\041\154\275\257\217\116\305\072\262\363\064
\022\374\337\200\032\111\244\324\251\225\367\236\211\136\242\211
\254\224\313\250\150\233\257\212\145\047\315\211\356\335\214\265
\153\051\160\103\240\151\013\344\271\017\002\003\001\000\001\243
\102\060\100\060\035\006\003\125\035\016\004\026\004\024\376\241
\340\160\036\052\003\071\122\132\102\276\134\221\205\172\030\252
\115\265\060\016\006\003\125\035\017\001\001\377\004\004\003\002
\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003
\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001\013
\005\000\003\202\001\001\000\302\112\126\372\025\041\173\050\242
\351\345\035\373\370\055\304\071\226\101\114\073\047\054\304\154
\030\025\200\306\254\257\107\131\057\046\013\343\066\260\357\073
\376\103\227\111\062\231\022\025\133\337\021\051\377\253\123\370
\273\301\170\017\254\234\123\257\127\275\150\214\075\151\063\360
\243\240\043\143\073\144\147\042\104\255\325\161\313\126\052\170
\222\243\117\022\061\066\066\342\336\376\000\304\243\140\017\047
\255\240\260\212\265\066\172\122\241\275\047\364\040\047\142\350
\115\224\044\023\344\012\004\351\074\253\056\310\103\011\112\306
\141\004\345\111\064\176\323\304\310\365\017\300\252\351\272\124
\136\363\143\053\117\117\120\324\376\271\173\231\214\075\300\056
\274\002\053\323\304\100\344\212\007\061\036\233\316\046\231\023
\373\021\352\232\042\014\021\031\307\136\033\201\120\060\310\226
\022\156\347\313\101\177\221\073\242\107\267\124\200\033\334\000
\314\232\220\352\303\303\120\006\142\014\060\300\025\110\247\250
\131\174\341\256\042\242\342\012\172\017\372\142\253\122\114\341
\361\337\312\276\203\015\102
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# Trust for "emSign Root CA - C1"
# Issuer: CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US
# Serial Number:00:ae:cf:00:ba:c4:cf:32:f8:43:b2
# Subject: CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US
# Not Valid Before: Sun Feb 18 18:30:00 2018
# Not Valid After : Wed Feb 18 18:30:00 2043
# Fingerprint (SHA-256): 12:56:09:AA:30:1D:A0:A2:49:B9:7A:82:39:CB:6A:34:21:6F:44:DC:AC:9F:39:54:B1:42:92:F2:E8:C8:60:8F
# Fingerprint (SHA1): E7:2E:F1:DF:FC:B2:09:28:CF:5D:D4:D5:67:37:B1:51:CB:86:4F:01
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "emSign Root CA - C1"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\347\056\361\337\374\262\011\050\317\135\324\325\147\067\261\121
\313\206\117\001
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\330\343\135\001\041\372\170\132\260\337\272\322\356\052\137\150
END
CKA_ISSUER MULTILINE_OCTAL
\060\126\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
\115\165\144\150\162\141\040\111\156\143\061\034\060\032\006\003
\125\004\003\023\023\145\155\123\151\147\156\040\122\157\157\164
\040\103\101\040\055\040\103\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\013\000\256\317\000\272\304\317\062\370\103\262
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "emSign ECC Root CA - C3"
#
# Issuer: CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US
# Serial Number:7b:71:b6:82:56:b8:12:7c:9c:a8
# Subject: CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US
# Not Valid Before: Sun Feb 18 18:30:00 2018
# Not Valid After : Wed Feb 18 18:30:00 2043
# Fingerprint (SHA-256): BC:4D:80:9B:15:18:9D:78:DB:3E:1D:8C:F4:F9:72:6A:79:5D:A1:64:3C:A5:F1:35:8E:1D:DB:0E:DC:0D:7E:B3
# Fingerprint (SHA1): B6:AF:43:C2:9B:81:53:7D:F6:EF:6B:C3:1F:1F:60:15:0C:EE:48:66
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "emSign ECC Root CA - C3"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
\115\165\144\150\162\141\040\111\156\143\061\040\060\036\006\003
\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103\040
\122\157\157\164\040\103\101\040\055\040\103\063
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
\115\165\144\150\162\141\040\111\156\143\061\040\060\036\006\003
\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103\040
\122\157\157\164\040\103\101\040\055\040\103\063
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\012\173\161\266\202\126\270\022\174\234\250
END
CKA_VALUE MULTILINE_OCTAL
\060\202\002\053\060\202\001\261\240\003\002\001\002\002\012\173
\161\266\202\126\270\022\174\234\250\060\012\006\010\052\206\110
\316\075\004\003\003\060\132\061\013\060\011\006\003\125\004\006
\023\002\125\123\061\023\060\021\006\003\125\004\013\023\012\145
\155\123\151\147\156\040\120\113\111\061\024\060\022\006\003\125
\004\012\023\013\145\115\165\144\150\162\141\040\111\156\143\061
\040\060\036\006\003\125\004\003\023\027\145\155\123\151\147\156
\040\105\103\103\040\122\157\157\164\040\103\101\040\055\040\103
\063\060\036\027\015\061\070\060\062\061\070\061\070\063\060\060
\060\132\027\015\064\063\060\062\061\070\061\070\063\060\060\060
\132\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123
\061\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147
\156\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013
\145\115\165\144\150\162\141\040\111\156\143\061\040\060\036\006
\003\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103
\040\122\157\157\164\040\103\101\040\055\040\103\063\060\166\060
\020\006\007\052\206\110\316\075\002\001\006\005\053\201\004\000
\042\003\142\000\004\375\245\141\256\173\046\020\035\351\267\042
\060\256\006\364\201\263\261\102\161\225\071\274\323\122\343\257
\257\371\362\227\065\222\066\106\016\207\225\215\271\071\132\351
\273\337\320\376\310\007\101\074\273\125\157\203\243\152\373\142
\260\201\211\002\160\175\110\305\112\343\351\042\124\042\115\223
\273\102\014\257\167\234\043\246\175\327\141\021\316\145\307\370
\177\376\365\362\251\243\102\060\100\060\035\006\003\125\035\016
\004\026\004\024\373\132\110\320\200\040\100\362\250\351\000\007
\151\031\167\247\346\303\364\317\060\016\006\003\125\035\017\001
\001\377\004\004\003\002\001\006\060\017\006\003\125\035\023\001
\001\377\004\005\060\003\001\001\377\060\012\006\010\052\206\110
\316\075\004\003\003\003\150\000\060\145\002\061\000\264\330\057
\002\211\375\266\114\142\272\103\116\023\204\162\265\256\335\034
\336\326\265\334\126\217\130\100\132\055\336\040\114\042\203\312
\223\250\176\356\022\100\307\326\207\117\370\337\205\002\060\034
\024\144\344\174\226\203\021\234\260\321\132\141\113\246\017\111
\323\000\374\241\374\344\245\377\177\255\327\060\320\307\167\177
\276\201\007\125\060\120\040\024\365\127\070\012\250\061\121
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# Trust for "emSign ECC Root CA - C3"
# Issuer: CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US
# Serial Number:7b:71:b6:82:56:b8:12:7c:9c:a8
# Subject: CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US
# Not Valid Before: Sun Feb 18 18:30:00 2018
# Not Valid After : Wed Feb 18 18:30:00 2043
# Fingerprint (SHA-256): BC:4D:80:9B:15:18:9D:78:DB:3E:1D:8C:F4:F9:72:6A:79:5D:A1:64:3C:A5:F1:35:8E:1D:DB:0E:DC:0D:7E:B3
# Fingerprint (SHA1): B6:AF:43:C2:9B:81:53:7D:F6:EF:6B:C3:1F:1F:60:15:0C:EE:48:66
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "emSign ECC Root CA - C3"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\266\257\103\302\233\201\123\175\366\357\153\303\037\037\140\025
\014\356\110\146
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\076\123\263\243\201\356\327\020\370\323\260\035\027\222\365\325
END
CKA_ISSUER MULTILINE_OCTAL
\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\023\060\021\006\003\125\004\013\023\012\145\155\123\151\147\156
\040\120\113\111\061\024\060\022\006\003\125\004\012\023\013\145
\115\165\144\150\162\141\040\111\156\143\061\040\060\036\006\003
\125\004\003\023\027\145\155\123\151\147\156\040\105\103\103\040
\122\157\157\164\040\103\101\040\055\040\103\063
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\012\173\161\266\202\126\270\022\174\234\250
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Hongkong Post Root CA 3"
#
# Issuer: CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK
# Serial Number:08:16:5f:8a:4c:a5:ec:00:c9:93:40:df:c4:c6:ae:23:b8:1c:5a:a4
# Subject: CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK
# Not Valid Before: Sat Jun 03 02:29:46 2017
# Not Valid After : Tue Jun 03 02:29:46 2042
# Fingerprint (SHA-256): 5A:2F:C0:3F:0C:83:B0:90:BB:FA:40:60:4B:09:88:44:6C:76:36:18:3D:F9:84:6E:17:10:1A:44:7F:B8:EF:D6
# Fingerprint (SHA1): 58:A2:D0:EC:20:52:81:5B:C1:F3:F8:64:02:24:4E:C2:8E:02:4B:02
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Hongkong Post Root CA 3"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\157\061\013\060\011\006\003\125\004\006\023\002\110\113\061
\022\060\020\006\003\125\004\010\023\011\110\157\156\147\040\113
\157\156\147\061\022\060\020\006\003\125\004\007\023\011\110\157
\156\147\040\113\157\156\147\061\026\060\024\006\003\125\004\012
\023\015\110\157\156\147\153\157\156\147\040\120\157\163\164\061
\040\060\036\006\003\125\004\003\023\027\110\157\156\147\153\157
\156\147\040\120\157\163\164\040\122\157\157\164\040\103\101\040
\063
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\157\061\013\060\011\006\003\125\004\006\023\002\110\113\061
\022\060\020\006\003\125\004\010\023\011\110\157\156\147\040\113
\157\156\147\061\022\060\020\006\003\125\004\007\023\011\110\157
\156\147\040\113\157\156\147\061\026\060\024\006\003\125\004\012
\023\015\110\157\156\147\153\157\156\147\040\120\157\163\164\061
\040\060\036\006\003\125\004\003\023\027\110\157\156\147\153\157
\156\147\040\120\157\163\164\040\122\157\157\164\040\103\101\040
\063
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\024\010\026\137\212\114\245\354\000\311\223\100\337\304\306
\256\043\270\034\132\244
END
CKA_VALUE MULTILINE_OCTAL
\060\202\005\317\060\202\003\267\240\003\002\001\002\002\024\010
\026\137\212\114\245\354\000\311\223\100\337\304\306\256\043\270
\034\132\244\060\015\006\011\052\206\110\206\367\015\001\001\013
\005\000\060\157\061\013\060\011\006\003\125\004\006\023\002\110
\113\061\022\060\020\006\003\125\004\010\023\011\110\157\156\147
\040\113\157\156\147\061\022\060\020\006\003\125\004\007\023\011
\110\157\156\147\040\113\157\156\147\061\026\060\024\006\003\125
\004\012\023\015\110\157\156\147\153\157\156\147\040\120\157\163
\164\061\040\060\036\006\003\125\004\003\023\027\110\157\156\147
\153\157\156\147\040\120\157\163\164\040\122\157\157\164\040\103
\101\040\063\060\036\027\015\061\067\060\066\060\063\060\062\062
\071\064\066\132\027\015\064\062\060\066\060\063\060\062\062\071
\064\066\132\060\157\061\013\060\011\006\003\125\004\006\023\002
\110\113\061\022\060\020\006\003\125\004\010\023\011\110\157\156
\147\040\113\157\156\147\061\022\060\020\006\003\125\004\007\023
\011\110\157\156\147\040\113\157\156\147\061\026\060\024\006\003
\125\004\012\023\015\110\157\156\147\153\157\156\147\040\120\157
\163\164\061\040\060\036\006\003\125\004\003\023\027\110\157\156
\147\153\157\156\147\040\120\157\163\164\040\122\157\157\164\040
\103\101\040\063\060\202\002\042\060\015\006\011\052\206\110\206
\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012
\002\202\002\001\000\263\210\327\352\316\017\040\116\276\346\326
\003\155\356\131\374\302\127\337\051\150\241\203\016\076\150\307
\150\130\234\034\140\113\211\103\014\271\324\025\262\356\301\116
\165\351\265\247\357\345\351\065\231\344\314\034\347\113\137\215
\063\060\040\063\123\331\246\273\325\076\023\216\351\037\207\111
\255\120\055\120\312\030\276\001\130\242\023\160\226\273\211\210
\126\200\134\370\275\054\074\341\114\127\210\273\323\271\225\357
\313\307\366\332\061\164\050\246\346\124\211\365\101\061\312\345
\046\032\315\202\340\160\332\073\051\273\325\003\365\231\272\125
\365\144\321\140\016\263\211\111\270\212\057\005\322\204\105\050
\174\217\150\120\022\170\374\013\265\123\313\302\230\034\204\243
\236\260\276\043\244\332\334\310\053\036\332\156\105\036\211\230
\332\371\000\056\006\351\014\073\160\325\120\045\210\231\313\315
\163\140\367\325\377\065\147\305\241\274\136\253\315\112\270\105
\353\310\150\036\015\015\024\106\022\343\322\144\142\212\102\230
\274\264\306\010\010\370\375\250\114\144\234\166\001\275\057\251
\154\063\017\330\077\050\270\074\151\001\102\206\176\151\301\311
\006\312\345\172\106\145\351\302\326\120\101\056\077\267\344\355
\154\327\277\046\001\021\242\026\051\112\153\064\006\220\354\023
\322\266\373\152\166\322\074\355\360\326\055\335\341\025\354\243
\233\057\054\311\076\053\344\151\073\377\162\045\261\066\206\133
\307\177\153\213\125\033\112\305\040\141\075\256\313\120\341\010
\072\276\260\217\143\101\123\060\010\131\074\230\035\167\272\143
\221\172\312\020\120\140\277\360\327\274\225\207\217\227\305\376
\227\152\001\224\243\174\133\205\035\052\071\072\320\124\241\321
\071\161\235\375\041\371\265\173\360\342\340\002\217\156\226\044
\045\054\240\036\054\250\304\211\247\357\355\231\006\057\266\012
\114\117\333\242\314\067\032\257\107\205\055\212\137\304\064\064
\114\000\375\030\223\147\023\321\067\346\110\264\213\006\305\127
\173\031\206\012\171\313\000\311\122\257\102\377\067\217\341\243
\036\172\075\120\253\143\006\347\025\265\077\266\105\067\224\067
\261\176\362\110\303\177\305\165\376\227\215\105\217\032\247\032
\162\050\032\100\017\002\003\001\000\001\243\143\060\141\060\017
\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060
\037\006\003\125\035\043\004\030\060\026\200\024\027\235\315\036
\213\326\071\053\160\323\134\324\240\270\037\260\000\374\305\141
\060\035\006\003\125\035\016\004\026\004\024\027\235\315\036\213
\326\071\053\160\323\134\324\240\270\037\260\000\374\305\141\060
\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202
\002\001\000\126\325\173\156\346\042\001\322\102\233\030\325\016
\327\146\043\134\343\376\240\307\222\322\351\224\255\113\242\306
\354\022\174\164\325\110\322\131\024\231\300\353\271\321\353\364
\110\060\133\255\247\127\163\231\251\323\345\267\321\056\131\044
\130\334\150\056\056\142\330\152\344\160\013\055\040\120\040\244
\062\225\321\000\230\273\323\375\367\062\362\111\256\306\172\340
\107\276\156\316\313\243\162\072\055\151\135\313\310\350\105\071
\324\372\102\301\021\114\167\135\222\373\152\377\130\104\345\353
\201\236\257\240\231\255\276\251\001\146\313\070\035\074\337\103
\037\364\115\156\264\272\027\106\374\175\375\207\201\171\152\015
\063\017\372\057\370\024\271\200\263\135\115\252\227\341\371\344
\030\305\370\325\070\214\046\074\375\362\050\342\356\132\111\210
\054\337\171\075\216\236\220\074\275\101\112\072\335\133\366\232
\264\316\077\045\060\177\062\175\242\003\224\320\334\172\241\122
\336\156\223\215\030\046\375\125\254\275\217\233\322\317\257\347
\206\054\313\037\011\157\243\157\251\204\324\163\277\115\241\164
\033\116\043\140\362\314\016\252\177\244\234\114\045\250\262\146
\073\070\377\331\224\060\366\162\204\276\150\125\020\017\306\163
\054\026\151\223\007\376\261\105\355\273\242\125\152\260\332\265
\112\002\045\047\205\327\267\267\206\104\026\211\154\200\053\076
\227\251\234\325\176\125\114\306\336\105\020\034\352\351\073\237
\003\123\356\356\172\001\002\026\170\324\350\302\276\106\166\210
\023\077\042\273\110\022\035\122\000\264\002\176\041\032\036\234
\045\364\363\075\136\036\322\034\371\263\055\266\367\067\134\306
\313\041\116\260\367\231\107\030\205\301\053\272\125\256\006\352
\320\007\262\334\253\320\202\226\165\316\322\120\376\231\347\317
\057\237\347\166\321\141\052\373\041\273\061\320\252\237\107\244
\262\042\312\026\072\120\127\304\133\103\147\305\145\142\003\111
\001\353\103\331\330\370\236\255\317\261\143\016\105\364\240\132
\054\233\055\305\246\300\255\250\107\364\047\114\070\015\056\033
\111\073\122\364\350\210\203\053\124\050\324\362\065\122\264\062
\203\142\151\144\014\221\234\237\227\352\164\026\375\037\021\006
\232\233\364
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# Trust for "Hongkong Post Root CA 3"
# Issuer: CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK
# Serial Number:08:16:5f:8a:4c:a5:ec:00:c9:93:40:df:c4:c6:ae:23:b8:1c:5a:a4
# Subject: CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK
# Not Valid Before: Sat Jun 03 02:29:46 2017
# Not Valid After : Tue Jun 03 02:29:46 2042
# Fingerprint (SHA-256): 5A:2F:C0:3F:0C:83:B0:90:BB:FA:40:60:4B:09:88:44:6C:76:36:18:3D:F9:84:6E:17:10:1A:44:7F:B8:EF:D6
# Fingerprint (SHA1): 58:A2:D0:EC:20:52:81:5B:C1:F3:F8:64:02:24:4E:C2:8E:02:4B:02
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Hongkong Post Root CA 3"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\130\242\320\354\040\122\201\133\301\363\370\144\002\044\116\302
\216\002\113\002
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\021\374\237\275\163\060\002\212\375\077\363\130\271\313\040\360
END
CKA_ISSUER MULTILINE_OCTAL
\060\157\061\013\060\011\006\003\125\004\006\023\002\110\113\061
\022\060\020\006\003\125\004\010\023\011\110\157\156\147\040\113
\157\156\147\061\022\060\020\006\003\125\004\007\023\011\110\157
\156\147\040\113\157\156\147\061\026\060\024\006\003\125\004\012
\023\015\110\157\156\147\153\157\156\147\040\120\157\163\164\061
\040\060\036\006\003\125\004\003\023\027\110\157\156\147\153\157
\156\147\040\120\157\163\164\040\122\157\157\164\040\103\101\040
\063
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\024\010\026\137\212\114\245\354\000\311\223\100\337\304\306
\256\043\270\034\132\244
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE


@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 30
#define NSS_BUILTINS_LIBRARY_VERSION "2.30"
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 32
#define NSS_BUILTINS_LIBRARY_VERSION "2.32"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1


@ -690,15 +690,16 @@ typedef struct SSLAeadContextStr SSLAeadContext;
PK11SymKey * *_keyp), \
(version, cipherSuite, salt, ikm, keyp))
#define SSL_HkdfDeriveSecret(version, cipherSuite, prk, \
label, labelLen, keyp) \
SSL_EXPERIMENTAL_API("SSL_HkdfDeriveSecret", \
(PRUint16 _version, PRUint16 _cipherSuite, \
PK11SymKey * _prk, \
const char *_label, unsigned int _labelLen, \
PK11SymKey **_keyp), \
(version, cipherSuite, prk, \
label, labelLen, keyp))
#define SSL_HkdfExpandLabel(version, cipherSuite, prk, \
hsHash, hsHashLen, label, labelLen, keyp) \
SSL_EXPERIMENTAL_API("SSL_HkdfExpandLabel", \
(PRUint16 _version, PRUint16 _cipherSuite, \
PK11SymKey * _prk, \
const PRUint8 *_hsHash, unsigned int _hsHashLen, \
const char *_label, unsigned int _labelLen, \
PK11SymKey **_keyp), \
(version, cipherSuite, prk, \
hsHash, hsHashLen, label, labelLen, keyp))
/* Deprecated experimental APIs */
#define SSL_UseAltServerHelloType(fd, enable) SSL_DEPRECATED_EXPERIMENTAL_API
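Review bot: The new `hsHash` and `hsHashLen` arguments of `SSL_HkdfExpandLabel` are not described anywhere in this hunk, and the macro's explanatory comment starts above it and is not visible here. If that comment still describes the old `SSL_HkdfDeriveSecret`, it should gain a sentence such as `/* hsHash/hsHashLen give the optional handshake-hash context; pass NULL and 0 for an empty context, as SSL_HkdfDeriveSecret did. */`. Spelling out the NULL/0 case matters because the context is an input to key derivation, and a caller that guesses wrong gets a different key rather than an error.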


@ -1775,9 +1775,10 @@ SECStatus SSLExp_AeadDecrypt(const SSLAeadContext *ctx, PRUint64 counter,
SECStatus SSLExp_HkdfExtract(PRUint16 version, PRUint16 cipherSuite,
PK11SymKey *salt, PK11SymKey *ikm, PK11SymKey **keyp);
SECStatus SSLExp_HkdfDeriveSecret(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
const char *label, unsigned int labelLen,
PK11SymKey **key);
SECStatus SSLExp_HkdfExpandLabel(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
const PRUint8 *hsHash, unsigned int hsHashLen,
const char *label, unsigned int labelLen,
PK11SymKey **key);
SEC_END_PROTOS


@ -226,9 +226,10 @@ SSLExp_HkdfExtract(PRUint16 version, PRUint16 cipherSuite,
}
SECStatus
SSLExp_HkdfDeriveSecret(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
const char *label, unsigned int labelLen,
PK11SymKey **keyp)
SSLExp_HkdfExpandLabel(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
const PRUint8 *hsHash, unsigned int hsHashLen,
const char *label, unsigned int labelLen,
PK11SymKey **keyp)
{
if (prk == NULL || keyp == NULL ||
label == NULL || labelLen == 0) {
@ -243,7 +244,7 @@ SSLExp_HkdfDeriveSecret(PRUint16 version, PRUint16 cipherSuite, PK11SymKey *prk,
if (rv != SECSuccess) {
return SECFailure; /* Code already set. */
}
return tls13_HkdfExpandLabel(prk, hash, NULL, 0, label, labelLen,
return tls13_HkdfExpandLabel(prk, hash, hsHash, hsHashLen, label, labelLen,
tls13_GetHkdfMechanismForHash(hash),
tls13_GetHashSizeForHash(hash), keyp);
}
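Review bot: The argument check at the top of `SSLExp_HkdfExpandLabel` still covers only `prk`, `keyp`, `label` and `labelLen`, so a NULL `hsHash` paired with a non-zero `hsHashLen` is passed straight to `tls13_HkdfExpandLabel` in the second hunk. That helper is not shown on this page, so whether it tolerates the mismatch cannot be confirmed from here. Rejecting it at the API boundary is cheap: add `(hsHash == NULL && hsHashLen != 0) ||` to the existing condition. The middle of the function body lies between the two hunks and is not visible.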


@ -4053,7 +4053,7 @@ struct {
EXP(HelloRetryRequestCallback),
EXP(InstallExtensionHooks),
EXP(HkdfExtract),
EXP(HkdfDeriveSecret),
EXP(HkdfExpandLabel),
EXP(KeyUpdate),
EXP(MakeAead),
EXP(RecordLayerData),


@ -203,6 +203,7 @@
'gtests/mozpkix_gtest/mozpkix_gtest.gyp:mozpkix_gtest',
'gtests/nss_bogo_shim/nss_bogo_shim.gyp:nss_bogo_shim',
'gtests/pk11_gtest/pk11_gtest.gyp:pk11_gtest',
'gtests/smime_gtest/smime_gtest.gyp:smime_gtest',
'gtests/softoken_gtest/softoken_gtest.gyp:softoken_gtest',
'gtests/ssl_gtest/ssl_gtest.gyp:ssl_gtest',
'gtests/util_gtest/util_gtest.gyp:util_gtest',


@ -87,7 +87,7 @@ gtest_cleanup()
}
################## main #################################################
GTESTS="${GTESTS:-prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest sysinit_gtest blake2b_gtest}"
GTESTS="${GTESTS:-prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest sysinit_gtest blake2b_gtest smime_gtest}"
gtest_init "$0"
gtest_start
gtest_cleanup


@ -1225,6 +1225,51 @@ ssl_scheme()
html "</TABLE><BR>"
}
############################ ssl_scheme_stress ##########################
# local shell function to test strsclnt and selfserv handling of signature schemes
#########################################################################
ssl_scheme_stress()
{
if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
return 0
fi
html_head "SSL SCHEME $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
NO_ECC_CERTS=1
schemes=("rsa_pkcs1_sha256" "rsa_pss_rsae_sha256" "rsa_pkcs1_sha256,rsa_pss_rsae_sha256")
for sscheme in "${schemes[@]}"; do
for cscheme in "${schemes[@]}"; do
testname="ssl_scheme server='$sscheme' client='$cscheme'"
echo "${testname}"
start_selfserv -V tls1.2:tls1.2 -J "$sscheme"
echo "strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
echo " -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} < ${REQUEST_FILE}"
${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} ${CLIENT_OPTIONS} \
-d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} < ${REQUEST_FILE} 2>&1
ret=$?
# If both schemes include just one option and those options don't
# match, then the test should fail; otherwise, assume that it works.
if [ "${cscheme#*,}" = "$cscheme" -a \
"${sscheme#*,}" = "$sscheme" -a \
"$cscheme" != "$sscheme" ]; then
expected=1
else
expected=0
fi
html_msg $ret $expected "${testname}" \
"produced a returncode of $ret, expected is $expected"
kill_selfserv
done
done
NO_ECC_CERTS=0
html "</TABLE><BR>"
}
############################## ssl_cleanup #############################
# local shell function to finish this script (no exit since it might be
# sourced)
@ -1267,6 +1312,7 @@ ssl_run()
;;
"scheme")
ssl_scheme
ssl_scheme_stress
;;
esac
done
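Review bot: The FIPS early-return in `ssl_scheme_stress` prints `$testname` before this function has assigned it, so the skip message carries whatever an earlier test left behind, or nothing; a fixed label such as `echo "$SCRIPTNAME: skipping ssl_scheme_stress (non-FIPS only)"` would be accurate. The loop also labels its results `ssl_scheme server=... client=...`, which looks like it reuses the naming of `ssl_scheme` (only that function's tail is visible here), so `testname="ssl_scheme_stress server='$sscheme' client='$cscheme'"` would keep strsclnt results distinguishable in the report. `NO_ECC_CERTS` is set back to 0 at the end rather than restored to its previous value, which matters if the caller had already set it.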