Bug 1577822 - land NSS NSS_3_47_BETA2 UPGRADE_NSS_RELEASE, r=kjacobs

2019-10-15  J.C. Jones  <jjones@mozilla.com>

	* cmd/addbuiltin/addbuiltin.c:
	Bug 1465613 - Fixup clang format a=bustage
	[f657d65428c6] [NSS_3_47_BETA2]

2019-10-11  Marcus Burghardt  <mburghardt@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
	check/expected-report-libsmime3.so.txt, automation/abi-check
	/expected-report-libssl3.so.txt, cmd/addbuiltin/addbuiltin.c,
	cmd/lib/secutil.c, gtests/softoken_gtest/manifest.mn,
	gtests/softoken_gtest/softoken_gtest.gyp,
	gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc,
	lib/certdb/certdb.c, lib/certdb/certt.h, lib/ckfw/builtins/README,
	lib/ckfw/builtins/certdata.txt, lib/ckfw/builtins/manifest.mn,
	lib/ckfw/builtins/nssckbi.h, lib/ckfw/builtins/testlib/Makefile,
	lib/ckfw/builtins/testlib/builtins-testlib.gyp,
	lib/ckfw/builtins/testlib/certdata-testlib.txt,
	lib/ckfw/builtins/testlib/config.mk,
	lib/ckfw/builtins/testlib/manifest.mn, lib/ckfw/builtins/testlib
	/nssckbi-testlib.rc,
	lib/ckfw/builtins/testlib/testcert_err_distrust.txt,
	lib/ckfw/builtins/testlib/testcert_no_distrust.txt,
	lib/ckfw/builtins/testlib/testcert_ok_distrust.txt,
	lib/ckfw/manifest.mn, lib/nss/nss.def, lib/pki/pki3hack.c,
	lib/softoken/sdb.c, lib/util/pkcs11n.h, nss.gyp, tests/cert/cert.sh:
	Bug 1465613 - Created two new fields for scheduled distrust from
	builtins and updated support commands. r=jcj,kjacobs,mt

	Added two new fields do scheduled distrust of CAs in
	nssckbi/builtins. Also, created a testlib to validate these fields
	with gtests.

	[52024949df95]

2019-10-14  Martin Thomson  <martin.thomson@gmail.com>

	* lib/ssl/tls13con.c:
	Bug 1588557 - Fix debug statement, r=jcj

	[0f563a2571c3]

2019-10-15  Dana Keeler  <dkeeler@mozilla.com>

	* gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp,
	lib/mozpkix/include/pkix/pkixder.h, lib/mozpkix/lib/pkixcert.cpp:
	bug 1579060 - fix handling of issuerUniqueID and subjectUniqueID in
	mozilla::pkix::BackCert r=jcj

	According to RFC 5280, the definitions of issuerUniqueID and
	subjectUniqueID in TBSCertificate are as follows:

	 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
	subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,

	where UniqueIdentifier is a BIT STRING.

	IMPLICIT tags replace the tag of the underlying type. For these
	fields, there is no specified class (just a tag number within the
	class), and the underlying type of BIT STRING is "primitive" (i.e.
	not constructed). Thus, the tags should be of the form CONTEXT
	SPECIFIC | [number in class], which comes out to 0x81 and 0x82,
	respectively.

	When originally implemented, mozilla::pkix incorrectly required that
	the CONSTRUCTED bit also be set for these fields. Consequently, the
	library would reject any certificate that actually contained these
	fields. Evidently such certificates are rare.

	[c50f933d37a5]

2019-10-14  Deian Stefan  <deian@cs.ucsd.edu>

	* lib/softoken/pkcs11c.c:
	Bug 1459141 - Rewrite softoken CBC pad check to be constant time.
	r=kjacobs,jcj
	[474d62c9d0db]

2019-10-11  J.C. Jones  <jjones@mozilla.com>

	* .hgtags:
	Added tag NSS_3_47_BETA1 for changeset 93245f5733b3
	[f60dbafbc182]

Differential Revision: https://phabricator.services.mozilla.com/D49365

--HG--
extra : moz-landing-system : lando

security/nss/TAG-INFO

@@ -1 +1 @@
-NSS_3_47_BETA1
+NSS_3_47_BETA2

security/nss/automation/abi-check/expected-report-libnss3.so.txt

@@ -2,3 +2,32 @@
 
   'function CERTCertList* PK11_GetCertsMatchingPrivateKey(SECKEYPrivateKey*)'    {PK11_GetCertsMatchingPrivateKey@@NSS_3.47}
 
+3 functions with some indirect sub-type change:
+
+  [C]'function SECStatus CERT_AddCertToListHead(CERTCertList*, CERTCertificate*)' at certdb.c:2631:1 has some indirect sub-type changes:
+    parameter 2 of type 'CERTCertificate*' has sub-type changes:
+      in pointed to type 'typedef CERTCertificate' at certt.h:39:1:
+        underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed:
+          type size changed from 6016 to 6080 (in bits)
+          1 data member insertion:
+            'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1
+          no data member changes (2 filtered);
+
+  [C]'function SECStatus CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle*, CERTCertificate*, PRTime, const SECItem*, void*)' at ocsp.c:5102:1 has some indirect sub-type changes:
+    parameter 2 of type 'CERTCertificate*' has sub-type changes:
+      in pointed to type 'typedef CERTCertificate' at certt.h:39:1:
+        underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed:
+          type size changed from 6016 to 6080 (in bits)
+          1 data member insertion:
+            'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1
+          no data member change (1 filtered);
+
+  [C]'function CERTCertificateList* CERT_CertChainFromCert(CERTCertificate*, SECCertUsage, PRBool)' at certhigh.c:1030:1 has some indirect sub-type changes:
+    parameter 1 of type 'CERTCertificate*' has sub-type changes:
+      in pointed to type 'typedef CERTCertificate' at certt.h:39:1:
+        underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed:
+          type size changed from 6016 to 6080 (in bits)
+          1 data member insertion:
+            'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1
+          no data member changes (2 filtered);
+

security/nss/automation/abi-check/expected-report-libsmime3.so.txt

@@ -0,0 +1,11 @@
+1 function with some indirect sub-type change:
+
+  [C]'function CERTCertificate* CERT_ConvertAndDecodeCertificate(char*)' at certread.c:219:1 has some indirect sub-type changes:
+    return type changed:
+      in pointed to type 'typedef CERTCertificate' at certt.h:39:1:
+        underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed:
+          type size changed from 6016 to 6080 (in bits)
+          1 data member insertion:
+            'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1
+
+

security/nss/automation/abi-check/expected-report-libssl3.so.txt

@@ -0,0 +1,10 @@
+1 function with some indirect sub-type change:
+
+  [C]'function SECStatus NSS_CmpCertChainWCANames(CERTCertificate*, CERTDistNames*)' at cmpcert.c:25:1 has some indirect sub-type changes:
+    parameter 1 of type 'CERTCertificate*' has sub-type changes:
+      in pointed to type 'typedef CERTCertificate' at certt.h:39:1:
+        underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed:
+          type size changed from 6016 to 6080 (in bits)
+          1 data member insertion:
+            'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1
+

security/nss/cmd/addbuiltin/addbuiltin.c

@@ -230,6 +230,8 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust,
             hasPositiveTrust(trust->objectSigningFlags)) {
             printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n");
         }
+        printf("CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE\n");
+        printf("CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE\n");
     }
 
     if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) ==
@@ -306,19 +308,21 @@ printheader()
            "#\n"
            "#    Certificates\n"
            "#\n"
-           "#  -- Attribute --          -- type --              -- value --\n"
-           "#  CKA_CLASS                CK_OBJECT_CLASS         CKO_CERTIFICATE\n"
-           "#  CKA_TOKEN                CK_BBOOL                CK_TRUE\n"
-           "#  CKA_PRIVATE              CK_BBOOL                CK_FALSE\n"
-           "#  CKA_MODIFIABLE           CK_BBOOL                CK_FALSE\n"
-           "#  CKA_LABEL                UTF8                    (varies)\n"
-           "#  CKA_CERTIFICATE_TYPE     CK_CERTIFICATE_TYPE     CKC_X_509\n"
-           "#  CKA_SUBJECT              DER+base64              (varies)\n"
-           "#  CKA_ID                   byte array              (varies)\n"
-           "#  CKA_ISSUER               DER+base64              (varies)\n"
-           "#  CKA_SERIAL_NUMBER        DER+base64              (varies)\n"
-           "#  CKA_VALUE                DER+base64              (varies)\n"
-           "#  CKA_NSS_EMAIL            ASCII7                  (unused here)\n"
+           "#  -- Attribute --               -- type --          -- value --\n"
+           "#  CKA_CLASS                     CK_OBJECT_CLASS     CKO_CERTIFICATE\n"
+           "#  CKA_TOKEN                     CK_BBOOL            CK_TRUE\n"
+           "#  CKA_PRIVATE                   CK_BBOOL            CK_FALSE\n"
+           "#  CKA_MODIFIABLE                CK_BBOOL            CK_FALSE\n"
+           "#  CKA_LABEL                     UTF8                (varies)\n"
+           "#  CKA_CERTIFICATE_TYPE          CK_CERTIFICATE_TYPE CKC_X_509\n"
+           "#  CKA_SUBJECT                   DER+base64          (varies)\n"
+           "#  CKA_ID                        byte array          (varies)\n"
+           "#  CKA_ISSUER                    DER+base64          (varies)\n"
+           "#  CKA_SERIAL_NUMBER             DER+base64          (varies)\n"
+           "#  CKA_VALUE                     DER+base64          (varies)\n"
+           "#  CKA_NSS_EMAIL                 ASCII7              (unused here)\n"
+           "#  CKA_NSS_SERVER_DISTRUST_AFTER DER+base64          (varies)\n"
+           "#  CKA_NSS_EMAIL_DISTRUST_AFTER  DER+base64          (varies)\n"
            "#\n"
            "#    Trust\n"
            "#\n"
@@ -392,6 +396,12 @@ Usage(char *progName)
     fprintf(stderr, "%-15s a CRL entry number, as shown by \"crlutil -S\"\n", "-e");
     fprintf(stderr, "%-15s input file to read (default stdin)\n", "-i file");
     fprintf(stderr, "%-15s     (pipe through atob if the cert is b64-encoded)\n", "");
+    fprintf(stderr, "%-15s convert a timestamp to DER, and output.\n", "-d timestamp");
+    fprintf(stderr, "%-15s useful to fill server and email distrust fields\n", "");
+    fprintf(stderr, "%-15s Example: %s -d 1561939200\n", "", progName);
+    fprintf(stderr, "%-15s NOTE: The informed timestamp are interpreted as seconds\n", "");
+    fprintf(stderr, "%-15s since unix epoch.\n", "");
+    fprintf(stderr, "%-15s TIP: date -d \"2019-07-01 00:00:00 UTC\" +%%s\n", "");
     exit(-1);
 }
 
@@ -403,20 +413,21 @@ enum {
     opt_ExcludeCert,
     opt_ExcludeHash,
     opt_DistrustCRL,
-    opt_CRLEnry
+    opt_CRLEntry,
+    opt_ConvertDate
 };
 
-static secuCommandFlag addbuiltin_options[] =
-    {
-      { /* opt_Input         */ 'i', PR_TRUE, 0, PR_FALSE },
-      { /* opt_Nickname      */ 'n', PR_TRUE, 0, PR_FALSE },
-      { /* opt_Trust         */ 't', PR_TRUE, 0, PR_FALSE },
-      { /* opt_Distrust      */ 'D', PR_FALSE, 0, PR_FALSE },
-      { /* opt_ExcludeCert   */ 'c', PR_FALSE, 0, PR_FALSE },
-      { /* opt_ExcludeHash   */ 'h', PR_FALSE, 0, PR_FALSE },
-      { /* opt_DistrustCRL   */ 'C', PR_FALSE, 0, PR_FALSE },
-      { /* opt_CRLEnry       */ 'e', PR_TRUE, 0, PR_FALSE },
-    };
+static secuCommandFlag addbuiltin_options[] = {
+    { /* opt_Input         */ 'i', PR_TRUE, 0, PR_FALSE },
+    { /* opt_Nickname      */ 'n', PR_TRUE, 0, PR_FALSE },
+    { /* opt_Trust         */ 't', PR_TRUE, 0, PR_FALSE },
+    { /* opt_Distrust      */ 'D', PR_FALSE, 0, PR_FALSE },
+    { /* opt_ExcludeCert   */ 'c', PR_FALSE, 0, PR_FALSE },
+    { /* opt_ExcludeHash   */ 'h', PR_FALSE, 0, PR_FALSE },
+    { /* opt_DistrustCRL   */ 'C', PR_FALSE, 0, PR_FALSE },
+    { /* opt_CRLEntry      */ 'e', PR_TRUE, 0, PR_FALSE },
+    { /* opt_ConvertDate   */ 'd', PR_TRUE, 0, PR_FALSE },
+};
 
 int
 main(int argc, char **argv)
@@ -444,6 +455,30 @@ main(int argc, char **argv)
     if (rv != SECSuccess)
         Usage(progName);
 
+    if (addbuiltin.options[opt_ConvertDate].activated) {
+        char *endPtr;
+        PRTime distrustTimestamp = strtol(addbuiltin.options[opt_ConvertDate].arg, &endPtr, 0) * PR_USEC_PER_SEC;
+        if (*endPtr != '\0' && distrustTimestamp > 0) {
+            Usage(progName);
+            exit(1);
+        }
+        SECItem encTime;
+        DER_EncodeTimeChoice(NULL, &encTime, distrustTimestamp);
+        SECU_PrintTimeChoice(stdout, &encTime, "The timestamp represents this date", 0);
+        printf("Locate the entry of the desired certificate in certdata.txt\n"
+               "Erase the CKA_NSS_[SERVER|EMAIL]_DISTRUST_AFTER CK_BBOOL CK_FALSE\n"
+               "And override with the following respective entry:\n\n");
+        SECU_PrintTimeChoice(stdout, &encTime, "# For Server Distrust After", 0);
+        printf("CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL\n");
+        dumpbytes(encTime.data, encTime.len);
+        printf("END\n");
+        SECU_PrintTimeChoice(stdout, &encTime, "# For Email Distrust After", 0);
+        printf("CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL\n");
+        dumpbytes(encTime.data, encTime.len);
+        printf("END\n");
+        exit(0);
+    }
+
     if (addbuiltin.options[opt_Trust].activated)
         ++mutuallyExclusiveOpts;
     if (addbuiltin.options[opt_Distrust].activated)
@@ -458,12 +493,12 @@ main(int argc, char **argv)
     }
 
     if (addbuiltin.options[opt_DistrustCRL].activated) {
-        if (!addbuiltin.options[opt_CRLEnry].activated) {
+        if (!addbuiltin.options[opt_CRLEntry].activated) {
             fprintf(stderr, "%s: you must specify the CRL entry number.\n",
                     progName);
             Usage(progName);
         } else {
-            crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg);
+            crlentry = atoi(addbuiltin.options[opt_CRLEntry].arg);
             if (crlentry < 1) {
                 fprintf(stderr, "%s: The CRL entry number must be > 0.\n",
                         progName);

security/nss/cmd/lib/secutil.c

@@ -1108,36 +1108,33 @@ typedef struct secuPBEParamsStr {
 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
 
 /* SECOID_PKCS5_PBKDF2 */
-const SEC_ASN1Template secuKDF2Params[] =
-    {
-      { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
-      { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
-      { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
-      { SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) },
-      { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
-        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-      { 0 }
-    };
+const SEC_ASN1Template secuKDF2Params[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
+    { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
+    { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
+    { SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { 0 }
+};
 
 /* PKCS5v1 & PKCS12 */
-const SEC_ASN1Template secuPBEParamsTemp[] =
-    {
-      { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
-      { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
-      { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
-      { 0 }
-    };
+const SEC_ASN1Template secuPBEParamsTemp[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
+    { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
+    { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
+    { 0 }
+};
 
 /* SEC_OID_PKCS5_PBES2, SEC_OID_PKCS5_PBMAC1 */
-const SEC_ASN1Template secuPBEV2Params[] =
-    {
-      { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
-      { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
-        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-      { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
-        SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-      { 0 }
-    };
+const SEC_ASN1Template secuPBEV2Params[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { 0 }
+};
 
 void
 secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
@@ -2300,8 +2297,9 @@ SECU_PrintCertAttributes(FILE *out, CERTAttribute **attrs, char *m, int level)
     return rv;
 }
 
-int /* sometimes a PRErrorCode, other times a SECStatus.  Sigh. */
-    SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level)
+/* sometimes a PRErrorCode, other times a SECStatus.  Sigh. */
+int
+SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level)
 {
     PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     CERTCertificateRequest *cr;
@@ -3251,6 +3249,26 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
                              "Certificate Trust Flags", 1);
     }
 
+    /* The distrust fields are hard-coded in nssckbi and read-only.
+     * If verifying some cert, with vfychain, for instance, the certificate may
+     * not have a defined slot if not imported. */
+    if (cert->slot != NULL && cert->distrust != NULL) {
+        const unsigned int kDistrustFieldSize = 13;
+        fprintf(stdout, "\n");
+        SECU_Indent(stdout, 1);
+        fprintf(stdout, "%s:\n", "Certificate Distrust Dates");
+        if (cert->distrust->serverDistrustAfter.len == kDistrustFieldSize) {
+            SECU_PrintTimeChoice(stdout,
+                                 &cert->distrust->serverDistrustAfter,
+                                 "Server Distrust After", 2);
+        }
+        if (cert->distrust->emailDistrustAfter.len == kDistrustFieldSize) {
+            SECU_PrintTimeChoice(stdout,
+                                 &cert->distrust->emailDistrustAfter,
+                                 "E-mail Distrust After", 2);
+        }
+    }
+
     printf("\n");
 
     return (SECSuccess);

security/nss/coreconf/coreconf.dep

@@ -10,3 +10,4 @@
  */
 
 #error "Do not include this header file."
+

security/nss/gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp

@@ -1224,3 +1224,53 @@ TEST_F(pkixder_universal_types_tests, OID)
 
   ASSERT_EQ(Success, OID(reader, expectedOID));
 }
+
+TEST_F(pkixder_universal_types_tests, SkipOptionalImplicitPrimitiveTag)
+{
+  const uint8_t DER_IMPLICIT_BIT_STRING_WITH_CLASS_NUMBER_1[] = {
+    0x81,
+    0x04,
+      0x00,
+      0x0A,
+      0x0B,
+      0x0C,
+  };
+  Input input(DER_IMPLICIT_BIT_STRING_WITH_CLASS_NUMBER_1);
+  Reader reader(input);
+
+  ASSERT_EQ(Success, SkipOptionalImplicitPrimitiveTag(reader, 1));
+  ASSERT_TRUE(reader.AtEnd());
+}
+
+TEST_F(pkixder_universal_types_tests, SkipOptionalImplicitPrimitiveTagMismatch)
+{
+  const uint8_t DER_IMPLICIT_BIT_STRING_WITH_CLASS_NUMBER_1[] = {
+    0x81,
+    0x04,
+      0x00,
+      0x0A,
+      0x0B,
+      0x0C,
+  };
+  Input input(DER_IMPLICIT_BIT_STRING_WITH_CLASS_NUMBER_1);
+  Reader reader(input);
+
+  ASSERT_EQ(Success, SkipOptionalImplicitPrimitiveTag(reader, 2));
+  ASSERT_FALSE(reader.AtEnd());
+}
+
+TEST_F(pkixder_universal_types_tests, NoSkipOptionalImplicitConstructedTag)
+{
+  const uint8_t DER_IMPLICIT_SEQUENCE_WITH_CLASS_NUMBER_1[] = {
+    0xA1,
+    0x03,
+      0x05,
+      0x01,
+      0x00,
+  };
+  Input input(DER_IMPLICIT_SEQUENCE_WITH_CLASS_NUMBER_1);
+  Reader reader(input);
+
+  ASSERT_EQ(Success, SkipOptionalImplicitPrimitiveTag(reader, 1));
+  ASSERT_FALSE(reader.AtEnd());
+}

security/nss/gtests/softoken_gtest/manifest.mn

@@ -6,13 +6,22 @@ CORE_DEPTH = ../..
 DEPTH      = ../..
 MODULE = nss
 
+DEFINES += -DDLL_SUFFIX=\"$(DLL_SUFFIX)\" -DDLL_PREFIX=\"$(DLL_PREFIX)\"
+
+include $(CORE_DEPTH)/coreconf/arch.mk
+ifneq ($(OS_ARCH),WINNT)
+DB_TESTS = \
+	softoken_nssckbi_testlib_gtest.cc
+endif
+
 CPPSRCS = \
 	softoken_gtest.cc \
+	$(DB_TESTS) \
 	$(NULL)
 
 INCLUDES += \
 	-I$(CORE_DEPTH)/gtests/google_test/gtest/include \
-  -I$(CORE_DEPTH)/gtests/common \
+	-I$(CORE_DEPTH)/gtests/common \
 	-I$(CORE_DEPTH)/cpputil \
 	$(NULL)
 

security/nss/gtests/softoken_gtest/softoken_gtest.gyp

@@ -12,6 +12,7 @@
       'type': 'executable',
       'sources': [
         'softoken_gtest.cc',
+        'softoken_nssckbi_testlib_gtest.cc',
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
@@ -44,6 +45,10 @@
   'target_defaults': {
     'include_dirs': [
       '../../lib/util'
+    ],
+    'defines': [
+      'DLL_PREFIX=\"<(dll_prefix)\"',
+      'DLL_SUFFIX=\"<(dll_suffix)\"'
     ]
   },
   'variables': {

security/nss/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc

@@ -0,0 +1,124 @@
+#include "cert.h"
+#include "certdb.h"
+#include "nspr.h"
+#include "nss.h"
+#include "pk11pub.h"
+#include "secerr.h"
+
+#include "nss_scoped_ptrs.h"
+#include "util.h"
+
+#define GTEST_HAS_RTTI 0
+#include "gtest/gtest.h"
+
+namespace nss_test {
+
+class SoftokenBuiltinsTest : public ::testing::Test {
+ protected:
+  SoftokenBuiltinsTest() : nss_db_dir_("SoftokenBuiltinsTest.d-") {}
+  SoftokenBuiltinsTest(const std::string &prefix) : nss_db_dir_(prefix) {}
+
+  virtual void SetUp() {
+    std::string nss_init_arg("sql:");
+    nss_init_arg.append(nss_db_dir_.GetUTF8Path());
+    ASSERT_EQ(SECSuccess, NSS_Initialize(nss_init_arg.c_str(), "", "",
+                                         SECMOD_DB, NSS_INIT_NOROOTINIT));
+  }
+
+  virtual void TearDown() {
+    ASSERT_EQ(SECSuccess, NSS_Shutdown());
+    const std::string &nss_db_dir_path = nss_db_dir_.GetPath();
+    ASSERT_EQ(0, unlink((nss_db_dir_path + "/cert9.db").c_str()));
+    ASSERT_EQ(0, unlink((nss_db_dir_path + "/key4.db").c_str()));
+    ASSERT_EQ(0, unlink((nss_db_dir_path + "/pkcs11.txt").c_str()));
+  }
+
+  virtual void LoadModule() {
+    ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+    ASSERT_TRUE(slot);
+    EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
+    SECStatus result = SECMOD_AddNewModule(
+        "Builtins-testlib", DLL_PREFIX "nssckbi-testlib." DLL_SUFFIX, 0, 0);
+    ASSERT_EQ(result, SECSuccess);
+  }
+
+  ScopedUniqueDirectory nss_db_dir_;
+};
+
+// The next tests in this class are used to test the Distrust Fields.
+// More details about these fields in lib/ckfw/builtins/README.
+TEST_F(SoftokenBuiltinsTest, CheckNoDistrustFields) {
+  const char *kCertNickname =
+      "Builtin Object Token:Distrust Fields Test - no_distrust";
+  LoadModule();
+
+  CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
+  ASSERT_TRUE(cert_handle);
+  ScopedCERTCertificate cert(
+      CERT_FindCertByNickname(cert_handle, kCertNickname));
+  ASSERT_TRUE(cert);
+
+  EXPECT_EQ(PR_FALSE,
+            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
+                                 CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE));
+  EXPECT_EQ(PR_FALSE,
+            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
+                                 CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE));
+  ASSERT_FALSE(cert->distrust);
+}
+
+TEST_F(SoftokenBuiltinsTest, CheckOkDistrustFields) {
+  const char *kCertNickname =
+      "Builtin Object Token:Distrust Fields Test - ok_distrust";
+  LoadModule();
+
+  CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
+  ASSERT_TRUE(cert_handle);
+  ScopedCERTCertificate cert(
+      CERT_FindCertByNickname(cert_handle, kCertNickname));
+  ASSERT_TRUE(cert);
+
+  const char *kExpectedDERValueServer = "200617000000Z";
+  const char *kExpectedDERValueEmail = "071014085320Z";
+  // When a valid timestamp is encoded, the result length is exactly 13.
+  const unsigned int kDistrustFieldSize = 13;
+
+  ASSERT_TRUE(cert->distrust);
+  ASSERT_EQ(kDistrustFieldSize, cert->distrust->serverDistrustAfter.len);
+  ASSERT_NE(nullptr, cert->distrust->serverDistrustAfter.data);
+  EXPECT_TRUE(!memcmp(kExpectedDERValueServer,
+                      cert->distrust->serverDistrustAfter.data,
+                      kDistrustFieldSize));
+
+  ASSERT_EQ(kDistrustFieldSize, cert->distrust->emailDistrustAfter.len);
+  ASSERT_NE(nullptr, cert->distrust->emailDistrustAfter.data);
+  EXPECT_TRUE(!memcmp(kExpectedDERValueEmail,
+                      cert->distrust->emailDistrustAfter.data,
+                      kDistrustFieldSize));
+}
+
+TEST_F(SoftokenBuiltinsTest, CheckInvalidDistrustFields) {
+  const char *kCertNickname =
+      "Builtin Object Token:Distrust Fields Test - err_distrust";
+  LoadModule();
+
+  CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
+  ASSERT_TRUE(cert_handle);
+  ScopedCERTCertificate cert(
+      CERT_FindCertByNickname(cert_handle, kCertNickname));
+  ASSERT_TRUE(cert);
+
+  // The field should never be set to TRUE in production, we are just
+  // testing if this field is readable, even if set to TRUE.
+  EXPECT_EQ(PR_TRUE,
+            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
+                                 CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE));
+  // If something other than CK_BBOOL CK_TRUE, it will be considered FALSE
+  // Here, there is an OCTAL value, but with unexpected content (1 digit less).
+  EXPECT_EQ(PR_FALSE,
+            PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
+                                 CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE));
+  ASSERT_FALSE(cert->distrust);
+}
+
+}  // namespace nss_test

security/nss/lib/certdb/certdb.c

@@ -2889,15 +2889,10 @@ void
 CERT_UnlockCertRefCount(CERTCertificate *cert)
 {
     PORT_Assert(certRefCountLock != NULL);
-
-#ifdef DEBUG
-    {
-        PRStatus prstat = PZ_Unlock(certRefCountLock);
+    PRStatus prstat = PZ_Unlock(certRefCountLock);
+    if (prstat != PR_SUCCESS) {
         PORT_Assert(prstat == PR_SUCCESS);
     }
-#else
-    PZ_Unlock(certRefCountLock);
-#endif
 }
 
 static PZLock *certTrustLock = NULL;
@@ -3001,15 +2996,10 @@ void
 CERT_UnlockCertTrust(const CERTCertificate *cert)
 {
     PORT_Assert(certTrustLock != NULL);
-
-#ifdef DEBUG
-    {
-        PRStatus prstat = PZ_Unlock(certTrustLock);
+    PRStatus prstat = PZ_Unlock(certTrustLock);
+    if (prstat != PR_SUCCESS) {
         PORT_Assert(prstat == PR_SUCCESS);
     }
-#else
-    PZ_Unlock(certTrustLock);
-#endif
 }
 
 /*
@@ -3019,14 +3009,10 @@ void
 CERT_UnlockCertTempPerm(const CERTCertificate *cert)
 {
     PORT_Assert(certTempPermLock != NULL);
-#ifdef DEBUG
-    {
-        PRStatus prstat = PZ_Unlock(certTempPermLock);
+    PRStatus prstat = PZ_Unlock(certTempPermLock);
+    if (prstat != PR_SUCCESS) {
         PORT_Assert(prstat == PR_SUCCESS);
     }
-#else
-    (void)PZ_Unlock(certTempPermLock);
-#endif
 }
 
 /*

security/nss/lib/certdb/certt.h

@@ -35,6 +35,7 @@ typedef struct CERTCertListStr CERTCertList;
 typedef struct CERTCertListNodeStr CERTCertListNode;
 typedef struct CERTCertNicknamesStr CERTCertNicknames;
 typedef struct CERTCertTrustStr CERTCertTrust;
+typedef struct CERTCertDistrustStr CERTCertDistrust;
 typedef struct CERTCertificateStr CERTCertificate;
 typedef struct CERTCertificateListStr CERTCertificateList;
 typedef struct CERTCertificateRequestStr CERTCertificateRequest;
@@ -140,6 +141,18 @@ struct CERTCertTrustStr {
     unsigned int objectSigningFlags;
 };
 
+/*
+ * Distrust dates for specific certificate usages.
+ * These dates are hardcoded in nssckbi/builtins. They are DER encoded to be
+ * compatible with the format of certdata.txt, other date fields in certs and
+ * existing functions to read these dates. Clients should check the distrust
+ * date in certificates to avoid trusting a CA for service they have ceased to
+ * support */
+struct CERTCertDistrustStr {
+    SECItem serverDistrustAfter;
+    SECItem emailDistrustAfter;
+};
+
 /*
  * defined the types of trust that exist
  */
@@ -279,6 +292,8 @@ struct CERTCertificateStr {
     PK11SlotInfo *slot;        /*if this cert came of a token, which is it*/
     CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */
     PRBool ownSlot;            /*true if the cert owns the slot reference */
+    /* These fields are used in nssckbi/builtins CAs. */
+    CERTCertDistrust *distrust;
 };
 #define SEC_CERTIFICATE_VERSION_1 0 /* default created */
 #define SEC_CERTIFICATE_VERSION_2 1 /* v2 */

security/nss/lib/ckfw/builtins/README

@@ -22,7 +22,8 @@ variants), SHLIB_PATH (32-bit HP-UX), LIBPATH (AIX), or PATH (Windows).
 argument to the -n option should be replaced by the nickname of the root
 certificate.
 
-    % addbuiltin -n "Nickname of the Root Certificate" -t C,C,C < newroot.der >> certdata.txt
+    % addbuiltin -n "Nickname of the Root Certificate" -t C,C,C < newroot.der \
+    >> certdata.txt
 
 4. Edit nssckbi.h to bump the version of the module.
 
@@ -43,3 +44,63 @@ II. Removing a Builtin Root CA Certificate
 
 5. After you verify that the new nssckbi module is correct, check in
 certdata.txt and nssckbi.h.
+
+III. Scheduling a Distrust date for Server/TLS or Email certificates issued
+by a CA
+
+For each Builtin Root CA Certificate we have the Trust Bits to know what kind
+of certificates issued by this CA are trusted: Server/TLS, E-mail or S/MIME.
+Sometimes a CA discontinues support for a particular kind of certificate,
+but will still issue other kinds. For instance, they might cease support for
+email certificates but continue to provide server certificates. In this
+scenario, we have to disable the Trust Bit for this kind of certificate when
+the last issued certificate expires.
+Between the last expired certificate date and the change and propagation of
+this respective Trust Bit, could have a undesired gap.
+
+So, in these situations we can set a Distrust Date for this Builtin Root CA
+Certificate. Clients should check the distrust date in certificates to avoid
+trusting a CA for service they have ceased to support.
+
+A distrust date is a timestamp in unix epoch, encoded in DER format and saved
+in certdata.txt. These fields are defined at the "Certificate" entries of
+certdata.txt, in a MULTILINE_OCTAL format. By default, for readability purpose,
+these fields are set as a boolean CK_FALSE and will be ignored when read.
+
+1. Create the timestamp for the desired distrust date. An easy and practical way
+to do this is using the date command.
+    % date -d "2019-07-01 00:00:00 UTC" +%s
+    The result should be something like: 1561939200
+
+2. Then, run the addbuiltin -d to verify the timestamp and do the right
+conversions.
+   The -d option takes the timestamp as an argument, which is interpreted as
+   seconds since unix epoch. The addbuiltin command will show the result in the
+   stdout, as it should be inserted in certdata.txt.
+   % addbuiltin -d 1561939200
+   The result should be something like this:
+
+   The timestamp represents this date: Mon Jul 01 00:00:00 2019
+   Locate the entry of the desired certificate in certdata.txt
+   Erase the CKA_NSS_[SERVER|EMAIL]_DISTRUST_AFTER CK_BBOOL CK_FALSE
+   And override with the following respective entry:
+
+   # For Server Distrust After: Mon Jul 01 00:00:00 2019
+   CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+   \061\071\060\067\060\061\060\060\060\060\060\060\132
+   END
+   # For Email Distrust After: Mon Jul 01 00:00:00 2019
+   CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
+   \061\071\060\067\060\061\060\060\060\060\060\060\132
+   END
+
+3. Edit the certdata.txt, overriding the desired entry for the desired CA, as
+the instructions generated by the previous command.
+
+4. If necessary, increment the version counter
+NSS_BUILTINS_LIBRARY_VERSION_MINOR in nssckbi.h.
+
+5. Build the nssckbi module.
+
+6. A good way to test is with certutil:
+    % certutil -L -d $DBDIR -n "Builtin Object Token:<nickname>"

security/nss/lib/ckfw/builtins/manifest.mn

@@ -5,6 +5,8 @@
 
 CORE_DEPTH = ../../..
 
+DIRS = testlib
+
 MODULE = nss
 MAPFILE = $(OBJDIR)/nssckbi.def
 

security/nss/lib/ckfw/builtins/nssckbi.h

@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 36
-#define NSS_BUILTINS_LIBRARY_VERSION "2.36"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 38
+#define NSS_BUILTINS_LIBRARY_VERSION "2.38"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

security/nss/lib/ckfw/builtins/testlib/Makefile

@@ -0,0 +1,52 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+
+EXTRA_LIBS =                                       \
+	$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX)    \
+	$(NULL)
+
+# If the OS_TARGET is WIN%, the path of shared libs could be different.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+# If using GCC, just inform the name of the libs.
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS +=  \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4            \
+	-lplds4           \
+	-lnspr4           \
+	$(NULL)
+else # NS_USE_GCC - If not using GCC, inform the absolute path.
+EXTRA_SHARED_LIBS += 				\
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib  \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(NULL)
+endif # NS_USE_GCC
+else # OS_TARGET != WIN
+EXTRA_SHARED_LIBS +=  \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4            \
+	-lplds4           \
+	-lnspr4           \
+	$(NULL)
+endif # OS_TARGET
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+CFLAGS += -I$(CORE_DEPTH)/lib/ckfw/builtins
+
+# Generate certdata-testlib.c.
+ifndef NSS_CERTDATA-TESTLIB_TXT
+NSS_CERTDATA-TESTLIB_TXT = certdata-testlib.txt
+endif
+
+$(OBJDIR)/certdata-testlib.c: $(NSS_CERTDATA-TESTLIB_TXT)
+	@$(MAKE_OBJDIR)
+	$(PERL) ../certdata.perl $(NSS_CERTDATA-TESTLIB_TXT) $@

security/nss/lib/ckfw/builtins/testlib/builtins-testlib.gyp

@@ -0,0 +1,64 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../../../coreconf/config.gypi'
+  ],
+  'targets': [
+    {
+      'target_name': 'nssckbi-testlib',
+      'type': 'shared_library',
+      'sources': [
+        '../anchor.c',
+        '../bfind.c',
+        '../binst.c',
+        '../bobject.c',
+        '../bsession.c',
+        '../bslot.c',
+        '../btoken.c',
+        '../ckbiver.c',
+        '../constants.c',
+        '<(certdata-testlib_c)',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        '<(DEPTH)/lib/ckfw/ckfw.gyp:nssckfw',
+        '<(DEPTH)/lib/base/base.gyp:nssb'
+      ],
+      'actions': [
+        {
+          'msvs_cygwin_shell': 0,
+          'action': [
+            'python',
+            '../certdata.py',
+            'certdata-testlib.txt',
+            '<@(_outputs)',
+          ],
+          'inputs': [
+            '../certdata.py',
+            '../certdata.perl',
+            'certdata-testlib.txt'
+          ],
+          'outputs': [
+            '<(certdata-testlib_c)'
+          ],
+          'action_name': 'generate_certdata-testlib_c'
+        }
+      ],
+      'variables': {
+        'mapfile': '../nssckbi.def',
+        'certdata-testlib_c': '<(INTERMEDIATE_DIR)/certdata-testlib.c',
+      }
+    }
+  ],
+  'target_defaults': {
+    'include_dirs': [
+      '.',
+      '..'
+    ]
+  },
+  'variables': {
+    'module': 'nss',
+  }
+}

security/nss/lib/ckfw/builtins/testlib/certdata-testlib.txt

@@ -0,0 +1,479 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# certdata-testlib.txt
+#
+# To safely test the Distrust Fields it was generated a testlib called:
+# DLL_PREFIX+nssckbi-testlib+DLL_SUFFIX
+# Example: libnssckbi-testlib.so, for Linux.
+#
+# This testlib is populated with three expired and self-signed certificates, as
+# defined in this file. The only purpose of this testlib is to provide content
+# to gtests defined in softoken_nssckbi_testlib_gtest.cc.
+#
+# The certificate and private key used here are stored in this same folder,
+# in txt files named like: "testcert_<name>.txt".
+#
+# We have three certificates here:
+# 1 - no_distrust:
+#   - Both distrust fields are set with CK_FALSE, the default.
+#
+# 2 - ok_distrust:
+#   - Each distrust field is set with a different and valid date.
+#
+# 3 - err_distrust:
+#   - The server/tls distrust field is set with CK_TRUE. These fields must be
+#     CK_FALSE when no schedule is set. Otherwise, must hold a valid encoded
+      timestamp.
+#   - The email distrust field is set with an incomplete and invalid encoded
+#     timestamp.
+#
+# These fields are filled when the cert is loaded and cannot be changed.
+#
+BEGINDATA
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Test with Invalid NSS Builtin Trusted Roots"
+
+#
+# Certificate "Distrust Fields Test - no_distrust"
+#
+# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST no_distrust
+# Serial Number:73:f8:bc:37:a3:4a:5f:26:13:64:dc:4e:c6:58:4e:94:2a:24:22:b1
+# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST no_distrust
+# Not Valid Before: Tue Jul 16 06:32:42 2019
+# Not Valid After : Fri Jul 26 06:32:42 2019
+# Fingerprint (SHA-256): 53:AD:AE:B1:D4:D8:B6:34:59:60:26:FA:0D:56:B0:98:0A:E0:8D:E3:90:E5:13:FA:E9:BE:EA:5D:D5:E6:79:02
+# Fingerprint (SHA1): 11:80:28:5A:A4:79:45:A2:AB:2F:A3:27:28:6A:CA:DB:0F:D7:30:FC
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Distrust Fields Test - no_distrust"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123
+\124\040\156\157\137\144\151\163\164\162\165\163\164\061\014\060
+\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006
+\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060
+\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013
+\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006
+\003\125\004\006\023\002\104\105
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123
+\124\040\156\157\137\144\151\163\164\162\165\163\164\061\014\060
+\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006
+\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060
+\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013
+\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006
+\003\125\004\006\023\002\104\105
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\024\163\370\274\067\243\112\137\046\023\144\334\116\306\130
+\116\224\052\044\042\261
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\255\060\202\002\225\240\003\002\001\002\002\024\163
+\370\274\067\243\112\137\046\023\144\334\116\306\130\116\224\052
+\044\042\261\060\015\006\011\052\206\110\206\367\015\001\001\013
+\005\000\060\146\061\031\060\027\006\003\125\004\003\014\020\124
+\105\123\124\040\156\157\137\144\151\163\164\162\165\163\164\061
+\014\060\012\006\003\125\004\013\014\003\116\123\123\061\020\060
+\016\006\003\125\004\013\014\007\115\157\172\151\154\154\141\061
+\015\060\013\006\003\125\004\007\014\004\124\105\123\124\061\015
+\060\013\006\003\125\004\010\014\004\124\105\123\124\061\013\060
+\011\006\003\125\004\006\023\002\104\105\060\036\027\015\061\071
+\060\067\061\066\060\066\063\062\064\062\132\027\015\061\071\060
+\067\062\066\060\066\063\062\064\062\132\060\146\061\031\060\027
+\006\003\125\004\003\014\020\124\105\123\124\040\156\157\137\144
+\151\163\164\162\165\163\164\061\014\060\012\006\003\125\004\013
+\014\003\116\123\123\061\020\060\016\006\003\125\004\013\014\007
+\115\157\172\151\154\154\141\061\015\060\013\006\003\125\004\007
+\014\004\124\105\123\124\061\015\060\013\006\003\125\004\010\014
+\004\124\105\123\124\061\013\060\011\006\003\125\004\006\023\002
+\104\105\060\202\001\042\060\015\006\011\052\206\110\206\367\015
+\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
+\001\001\000\307\367\273\061\133\151\242\334\233\052\044\123\006
+\275\040\214\266\303\135\365\220\104\106\076\100\144\062\366\325
+\270\307\223\230\002\227\150\304\102\146\246\167\113\324\031\136
+\132\140\006\247\062\145\074\257\115\330\256\244\325\003\176\203
+\375\332\345\365\140\163\173\230\224\122\135\144\176\075\151\012
+\275\044\307\317\343\126\332\221\240\171\141\372\107\137\210\362
+\020\231\212\120\103\051\010\233\357\005\201\350\375\202\104\106
+\072\270\323\151\164\013\201\355\004\304\002\017\042\071\022\072
+\223\061\266\353\220\057\130\221\255\024\166\125\241\212\054\132
+\056\120\222\072\332\275\356\037\232\026\344\336\043\052\074\112
+\006\246\100\266\254\065\301\167\276\170\027\127\054\302\254\146
+\171\327\314\305\264\077\044\101\347\105\337\267\051\110\041\113
+\302\043\214\036\015\357\330\167\037\204\353\362\021\232\254\220
+\271\171\170\306\077\016\353\045\376\171\154\125\323\326\363\136
+\230\333\160\242\231\016\300\041\221\045\262\053\035\243\351\363
+\233\013\073\002\233\030\152\324\132\270\203\240\163\167\272\142
+\052\326\053\002\003\001\000\001\243\123\060\121\060\035\006\003
+\125\035\016\004\026\004\024\272\015\343\222\236\200\244\163\217
+\005\277\352\147\036\243\071\077\241\274\346\060\037\006\003\125
+\035\043\004\030\060\026\200\024\272\015\343\222\236\200\244\163
+\217\005\277\352\147\036\243\071\077\241\274\346\060\017\006\003
+\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006
+\011\052\206\110\206\367\015\001\001\013\005\000\003\202\001\001
+\000\251\350\344\354\346\066\155\375\144\242\257\175\265\332\166
+\233\334\141\326\230\160\122\303\221\002\257\313\252\330\003\330
+\012\133\050\343\171\110\243\115\314\026\275\006\005\200\222\147
+\166\250\275\323\024\367\317\255\034\264\240\003\114\023\044\171
+\126\011\012\104\256\306\327\034\376\136\323\056\035\222\041\031
+\350\372\052\242\025\362\236\176\232\002\300\010\013\127\256\314
+\315\042\132\030\333\064\245\203\174\212\065\250\364\025\070\167
+\177\312\033\301\377\273\046\215\340\007\204\260\210\056\275\351
+\353\127\053\050\165\322\146\223\064\324\233\152\112\152\000\314
+\360\205\057\172\037\061\066\104\312\324\362\156\265\114\130\241
+\262\333\056\212\044\264\023\314\144\062\172\151\167\007\273\104
+\253\173\054\025\073\174\027\167\176\362\037\232\067\073\220\257
+\257\001\013\125\156\350\234\207\261\370\301\143\106\131\062\146
+\041\227\107\340\262\042\034\030\043\336\257\115\027\250\024\171
+\121\210\336\232\174\052\134\002\100\014\225\336\224\017\177\015
+\354\253\245\347\057\340\214\070\003\375\266\023\017\001\373\236
+\030
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
+
+# Trust for "Distrust Fields Test - no_distrust"
+# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST no_distrust
+# Serial Number:73:f8:bc:37:a3:4a:5f:26:13:64:dc:4e:c6:58:4e:94:2a:24:22:b1
+# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST no_distrust
+# Not Valid Before: Tue Jul 16 06:32:42 2019
+# Not Valid After : Fri Jul 26 06:32:42 2019
+# Fingerprint (SHA-256): 53:AD:AE:B1:D4:D8:B6:34:59:60:26:FA:0D:56:B0:98:0A:E0:8D:E3:90:E5:13:FA:E9:BE:EA:5D:D5:E6:79:02
+# Fingerprint (SHA1): 11:80:28:5A:A4:79:45:A2:AB:2F:A3:27:28:6A:CA:DB:0F:D7:30:FC
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Distrust Fields Test - no_distrust"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\021\200\050\132\244\171\105\242\253\057\243\047\050\152\312\333
+\017\327\060\374
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\130\367\262\151\111\255\236\234\203\221\335\036\366\326\325\026
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123
+\124\040\156\157\137\144\151\163\164\162\165\163\164\061\014\060
+\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006
+\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060
+\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013
+\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006
+\003\125\004\006\023\002\104\105
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\024\163\370\274\067\243\112\137\046\023\144\334\116\306\130
+\116\224\052\044\042\261
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Distrust Fields Test - ok_distrust"
+#
+# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST ok_distrust
+# Serial Number:3a:44:dc:9d:54:3f:5f:aa:b8:26:4f:1d:f8:5a:47:36:29:3a:1b:bc
+# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST ok_distrust
+# Not Valid Before: Tue Jul 16 06:32:42 2019
+# Not Valid After : Fri Jul 26 06:32:42 2019
+# Fingerprint (SHA-256): BA:43:4C:9D:21:8E:E7:15:8E:4D:11:7E:5B:4B:EF:57:D3:01:6C:D7:E5:6B:7B:6C:85:62:35:44:44:59:FE:5B
+# Fingerprint (SHA1): F6:4F:33:50:3D:DB:1C:3D:BE:BE:79:9F:D6:B6:21:3A:AA:D1:55:4F
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Distrust Fields Test - ok_distrust"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123
+\124\040\157\153\137\144\151\163\164\162\165\163\164\061\014\060
+\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006
+\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060
+\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013
+\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006
+\003\125\004\006\023\002\104\105
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123
+\124\040\157\153\137\144\151\163\164\162\165\163\164\061\014\060
+\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006
+\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060
+\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013
+\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006
+\003\125\004\006\023\002\104\105
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\024\072\104\334\235\124\077\137\252\270\046\117\035\370\132
+\107\066\051\072\033\274
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\255\060\202\002\225\240\003\002\001\002\002\024\072
+\104\334\235\124\077\137\252\270\046\117\035\370\132\107\066\051
+\072\033\274\060\015\006\011\052\206\110\206\367\015\001\001\013
+\005\000\060\146\061\031\060\027\006\003\125\004\003\014\020\124
+\105\123\124\040\157\153\137\144\151\163\164\162\165\163\164\061
+\014\060\012\006\003\125\004\013\014\003\116\123\123\061\020\060
+\016\006\003\125\004\013\014\007\115\157\172\151\154\154\141\061
+\015\060\013\006\003\125\004\007\014\004\124\105\123\124\061\015
+\060\013\006\003\125\004\010\014\004\124\105\123\124\061\013\060
+\011\006\003\125\004\006\023\002\104\105\060\036\027\015\061\071
+\060\067\061\066\060\066\063\062\064\062\132\027\015\061\071\060
+\067\062\066\060\066\063\062\064\062\132\060\146\061\031\060\027
+\006\003\125\004\003\014\020\124\105\123\124\040\157\153\137\144
+\151\163\164\162\165\163\164\061\014\060\012\006\003\125\004\013
+\014\003\116\123\123\061\020\060\016\006\003\125\004\013\014\007
+\115\157\172\151\154\154\141\061\015\060\013\006\003\125\004\007
+\014\004\124\105\123\124\061\015\060\013\006\003\125\004\010\014
+\004\124\105\123\124\061\013\060\011\006\003\125\004\006\023\002
+\104\105\060\202\001\042\060\015\006\011\052\206\110\206\367\015
+\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
+\001\001\000\272\036\174\330\225\102\315\034\063\337\145\114\060
+\061\036\024\065\051\216\357\013\150\107\361\256\217\363\066\326
+\124\247\034\227\202\315\151\263\237\125\340\377\047\125\050\016
+\152\210\355\141\202\062\263\233\300\152\220\356\200\026\124\001
+\163\305\024\357\315\374\220\267\370\170\316\022\056\216\161\145
+\341\324\121\271\026\306\026\250\121\201\107\254\231\142\046\012
+\043\260\242\356\051\303\206\277\341\377\304\117\066\373\340\073
+\143\076\347\363\157\130\317\271\165\333\127\015\316\267\117\055
+\232\240\271\116\250\160\364\271\224\203\215\137\267\066\271\377
+\177\014\337\033\326\312\374\320\247\053\107\345\355\127\067\007
+\322\220\200\376\053\266\132\044\160\266\154\062\265\375\262\176
+\362\362\257\031\364\147\251\071\337\331\146\057\005\222\377\360
+\001\247\252\155\106\035\235\065\222\346\351\301\204\335\344\012
+\361\366\061\044\030\103\331\116\113\137\121\036\253\042\314\260
+\005\231\251\002\102\002\161\071\337\330\304\150\215\220\164\346
+\170\245\366\360\237\353\362\113\203\362\277\320\074\064\364\022
+\031\105\025\002\003\001\000\001\243\123\060\121\060\035\006\003
+\125\035\016\004\026\004\024\034\100\252\220\333\317\113\002\023
+\153\030\071\246\014\327\332\262\164\374\075\060\037\006\003\125
+\035\043\004\030\060\026\200\024\034\100\252\220\333\317\113\002
+\023\153\030\071\246\014\327\332\262\164\374\075\060\017\006\003
+\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006
+\011\052\206\110\206\367\015\001\001\013\005\000\003\202\001\001
+\000\042\041\036\227\272\132\106\356\112\272\302\204\014\360\134
+\331\034\364\137\063\334\045\076\321\034\117\361\311\254\177\017
+\236\076\121\327\155\046\347\241\205\367\254\061\211\276\011\117
+\057\364\175\370\016\226\062\004\211\153\047\356\343\064\350\250
+\231\007\041\164\014\374\216\235\206\203\156\310\013\360\342\237
+\103\025\274\237\325\106\321\163\123\036\363\051\136\074\205\102
+\270\127\146\303\060\022\057\104\073\102\030\325\123\376\037\106
+\143\113\011\164\167\374\075\327\362\002\265\127\234\367\302\114
+\371\374\251\106\221\343\004\047\227\125\316\024\046\366\370\207
+\077\025\236\122\116\020\241\072\211\140\100\043\010\105\105\351
+\304\130\373\313\345\272\232\334\230\011\013\335\261\230\202\353
+\155\003\353\233\152\241\212\064\246\152\300\246\356\357\106\071
+\347\211\144\275\212\014\035\247\112\221\131\070\230\122\367\317
+\134\060\254\155\061\234\364\077\161\256\236\175\077\242\240\353
+\161\360\355\362\337\215\172\055\123\332\352\264\026\124\012\363
+\040\124\052\027\300\076\174\012\272\370\377\264\170\150\343\226
+\105
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+# For Server Distrust After: Wed Jun 17 00:00:00 2020
+CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+\062\060\060\066\061\067\060\060\060\060\060\060\132
+END
+# For Email Distrust After: Sun Oct 14 08:53:20 2007
+CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
+\060\067\061\060\061\064\060\070\065\063\062\060\132
+END
+
+# Trust for "Distrust Fields Test - ok_distrust"
+# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST ok_distrust
+# Serial Number:3a:44:dc:9d:54:3f:5f:aa:b8:26:4f:1d:f8:5a:47:36:29:3a:1b:bc
+# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST ok_distrust
+# Not Valid Before: Tue Jul 16 06:32:42 2019
+# Not Valid After : Fri Jul 26 06:32:42 2019
+# Fingerprint (SHA-256): BA:43:4C:9D:21:8E:E7:15:8E:4D:11:7E:5B:4B:EF:57:D3:01:6C:D7:E5:6B:7B:6C:85:62:35:44:44:59:FE:5B
+# Fingerprint (SHA1): F6:4F:33:50:3D:DB:1C:3D:BE:BE:79:9F:D6:B6:21:3A:AA:D1:55:4F
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Distrust Fields Test - ok_distrust"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\366\117\063\120\075\333\034\075\276\276\171\237\326\266\041\072
+\252\321\125\117
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\045\304\210\204\375\245\150\220\305\310\325\205\077\365\302\146
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123
+\124\040\157\153\137\144\151\163\164\162\165\163\164\061\014\060
+\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006
+\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060
+\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013
+\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006
+\003\125\004\006\023\002\104\105
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\024\072\104\334\235\124\077\137\252\270\046\117\035\370\132
+\107\066\051\072\033\274
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Distrust Fields Test - err_distrust"
+#
+# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST err_distrust
+# Serial Number:60:fe:b3:a1:c8:c1:30:fc:02:f0:90:9b:6b:b7:08:5e:78:e5:fb:dc
+# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST err_distrust
+# Not Valid Before: Tue Jul 16 06:32:42 2019
+# Not Valid After : Fri Jul 26 06:32:42 2019
+# Fingerprint (SHA-256): E0:80:A0:7E:D7:53:52:FB:71:B5:05:03:80:C3:DB:92:C7:90:3D:26:3F:26:D5:BF:E5:87:FC:7C:46:EC:F6:35
+# Fingerprint (SHA1): D4:54:DB:63:51:FB:68:61:DA:CD:61:D9:1B:F8:51:EB:CE:34:41:3D
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Distrust Fields Test - err_distrust"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\147\061\032\060\030\006\003\125\004\003\014\021\124\105\123
+\124\040\145\162\162\137\144\151\163\164\162\165\163\164\061\014
+\060\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016
+\006\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015
+\060\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060
+\013\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011
+\006\003\125\004\006\023\002\104\105
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\147\061\032\060\030\006\003\125\004\003\014\021\124\105\123
+\124\040\145\162\162\137\144\151\163\164\162\165\163\164\061\014
+\060\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016
+\006\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015
+\060\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060
+\013\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011
+\006\003\125\004\006\023\002\104\105
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\024\140\376\263\241\310\301\060\374\002\360\220\233\153\267
+\010\136\170\345\373\334
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\257\060\202\002\227\240\003\002\001\002\002\024\140
+\376\263\241\310\301\060\374\002\360\220\233\153\267\010\136\170
+\345\373\334\060\015\006\011\052\206\110\206\367\015\001\001\013
+\005\000\060\147\061\032\060\030\006\003\125\004\003\014\021\124
+\105\123\124\040\145\162\162\137\144\151\163\164\162\165\163\164
+\061\014\060\012\006\003\125\004\013\014\003\116\123\123\061\020
+\060\016\006\003\125\004\013\014\007\115\157\172\151\154\154\141
+\061\015\060\013\006\003\125\004\007\014\004\124\105\123\124\061
+\015\060\013\006\003\125\004\010\014\004\124\105\123\124\061\013
+\060\011\006\003\125\004\006\023\002\104\105\060\036\027\015\061
+\071\060\067\061\066\060\066\063\062\064\062\132\027\015\061\071
+\060\067\062\066\060\066\063\062\064\062\132\060\147\061\032\060
+\030\006\003\125\004\003\014\021\124\105\123\124\040\145\162\162
+\137\144\151\163\164\162\165\163\164\061\014\060\012\006\003\125
+\004\013\014\003\116\123\123\061\020\060\016\006\003\125\004\013
+\014\007\115\157\172\151\154\154\141\061\015\060\013\006\003\125
+\004\007\014\004\124\105\123\124\061\015\060\013\006\003\125\004
+\010\014\004\124\105\123\124\061\013\060\011\006\003\125\004\006
+\023\002\104\105\060\202\001\042\060\015\006\011\052\206\110\206
+\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
+\002\202\001\001\000\321\114\327\160\070\075\364\033\323\322\310
+\337\270\071\333\312\356\066\304\105\170\071\227\203\335\012\013
+\107\004\165\264\325\014\054\103\051\007\017\224\166\330\057\051
+\342\232\254\326\232\070\331\265\140\205\234\202\074\320\375\103
+\303\343\216\056\215\317\155\142\311\354\245\047\050\257\046\365
+\156\124\272\245\172\016\122\145\054\326\357\136\112\364\352\012
+\360\112\207\363\316\036\254\155\214\216\362\261\021\270\016\171
+\011\323\105\072\206\344\141\267\256\065\367\315\022\225\133\165
+\351\066\167\326\262\122\370\233\222\107\067\307\272\145\242\157
+\377\054\262\175\172\161\140\032\335\161\323\037\307\261\315\245
+\377\044\110\201\124\142\337\146\162\032\344\366\101\235\252\263
+\226\153\343\046\300\231\240\025\241\031\202\232\374\221\176\240
+\061\234\071\330\116\171\150\046\307\102\160\104\377\320\147\263
+\165\312\377\246\235\175\001\063\246\003\273\247\254\123\321\063
+\373\316\220\012\056\200\314\354\341\037\065\370\112\322\065\346
+\363\067\023\034\365\011\267\320\247\227\332\276\175\246\060\010
+\117\253\217\234\337\002\003\001\000\001\243\123\060\121\060\035
+\006\003\125\035\016\004\026\004\024\121\202\330\003\344\310\170
+\002\314\331\364\031\015\224\214\027\241\373\266\000\060\037\006
+\003\125\035\043\004\030\060\026\200\024\121\202\330\003\344\310
+\170\002\314\331\364\031\015\224\214\027\241\373\266\000\060\017
+\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
+\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202
+\001\001\000\162\225\235\140\215\374\232\051\167\366\325\002\006
+\370\057\245\115\123\201\060\371\363\301\340\132\123\100\026\372
+\012\277\245\017\030\047\005\244\057\243\057\374\331\317\063\177
+\117\204\065\314\313\046\140\345\151\256\107\160\253\027\022\137
+\271\022\310\365\273\273\171\346\123\224\215\004\035\032\365\243
+\047\030\246\342\022\121\155\315\117\320\244\313\240\061\136\030
+\310\005\112\006\244\176\042\054\235\221\145\123\156\276\001\163
+\043\233\071\147\143\031\377\035\031\223\224\176\025\065\225\052
+\015\357\036\360\306\152\056\171\341\071\151\330\064\110\100\172
+\126\160\243\166\277\133\102\210\341\032\203\002\003\042\073\252
+\116\376\043\112\377\337\231\301\314\227\016\111\106\131\260\045
+\315\266\000\015\337\301\213\276\141\250\344\261\152\024\350\361
+\246\301\242\066\335\330\263\373\230\211\320\047\235\266\254\347
+\371\101\126\046\111\001\250\373\233\031\371\304\374\167\271\144
+\025\277\276\355\216\067\024\012\121\231\256\205\335\264\207\047
+\231\317\306\103\273\262\234\240\153\152\063\071\151\254\113\314
+\336\067\230
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_TRUE
+# For Email Distrust After: Sun Oct 14 08:53:20 2007 # Missing \132 at end
+CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
+\060\067\061\060\061\064\060\070\065\063\062\060
+END
+
+# Trust for "Distrust Fields Test - err_distrust"
+# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST err_distrust
+# Serial Number:60:fe:b3:a1:c8:c1:30:fc:02:f0:90:9b:6b:b7:08:5e:78:e5:fb:dc
+# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST err_distrust
+# Not Valid Before: Tue Jul 16 06:32:42 2019
+# Not Valid After : Fri Jul 26 06:32:42 2019
+# Fingerprint (SHA-256): E0:80:A0:7E:D7:53:52:FB:71:B5:05:03:80:C3:DB:92:C7:90:3D:26:3F:26:D5:BF:E5:87:FC:7C:46:EC:F6:35
+# Fingerprint (SHA1): D4:54:DB:63:51:FB:68:61:DA:CD:61:D9:1B:F8:51:EB:CE:34:41:3D
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Distrust Fields Test - err_distrust"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\324\124\333\143\121\373\150\141\332\315\141\331\033\370\121\353
+\316\064\101\075
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\105\150\314\050\103\366\315\141\322\277\363\133\217\305\124\273
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\147\061\032\060\030\006\003\125\004\003\014\021\124\105\123
+\124\040\145\162\162\137\144\151\163\164\162\165\163\164\061\014
+\060\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016
+\006\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015
+\060\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060
+\013\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011
+\006\003\125\004\006\023\002\104\105
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\024\140\376\263\241\310\301\060\374\002\360\220\233\153\267
+\010\136\170\345\373\334
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

security/nss/lib/ckfw/builtins/testlib/config.mk

@@ -0,0 +1,38 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+#  Override TARGETS variable so that only shared libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(SHARED_LIBRARY)
+LIBRARY        =
+IMPORT_LIBRARY =
+PROGRAM        =
+
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+	SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+	RES = $(OBJDIR)/$(LIBRARY_NAME).res
+	RESNAME = $(LIBRARY_NAME).rc
+endif
+
+ifdef BUILD_IDG
+	DEFINES += -DNSSDEBUG
+endif
+
+# Needed for compilation of $(OBJDIR)/certdata.c
+INCLUDES += -I.
+
+#
+# To create a loadable module on Darwin, we must use -bundle.
+#
+ifeq ($(OS_TARGET),Darwin)
+DSO_LDOPTS = -bundle
+endif
+
+ifdef USE_GCOV
+DSO_LDOPTS += --coverage
+endif

security/nss/lib/ckfw/builtins/testlib/manifest.mn

@@ -0,0 +1,25 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+CORE_DEPTH = ../../../..
+
+MODULE = nss
+
+CSRCS =			\
+	../anchor.c		\
+	../bfind.c		\
+	../binst.c		\
+	../bobject.c		\
+	../bsession.c		\
+	../bslot.c		\
+	../btoken.c		\
+	../ckbiver.c		\
+	../constants.c		\
+	certdata-testlib.c	\
+	$(NULL)
+
+REQUIRES = nspr
+
+LIBRARY_NAME = nssckbi-testlib

security/nss/lib/ckfw/builtins/testlib/nssckbi-testlib.rc

@@ -0,0 +1,52 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "../nssckbi.h"
+#include <winver.h>
+
+#define MY_LIBNAME "nssckbi-testlib"
+#define MY_FILEDESCRIPTION "A Test of NSS Builtin Trusted Roots (testlib)"
+#define MY_FILEFLAGS_1 0x0L
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION NSS_BUILTINS_LIBRARY_VERSION_MAJOR,NSS_BUILTINS_LIBRARY_VERSION_MINOR,0,0
+ PRODUCTVERSION NSS_BUILTINS_LIBRARY_VERSION_MAJOR,NSS_BUILTINS_LIBRARY_VERSION_MINOR,0,0
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_1
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+        BEGIN
+            VALUE "CompanyName", "Mozilla Foundation\0"
+            VALUE "FileDescription", MY_FILEDESCRIPTION "\0"
+            VALUE "FileVersion", NSS_BUILTINS_LIBRARY_VERSION "\0"
+            VALUE "InternalName", MY_INTERNAL_NAME "\0"
+            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+            VALUE "ProductName", "Network Security Services\0"
+            VALUE "ProductVersion", NSS_BUILTINS_LIBRARY_VERSION "\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END

security/nss/lib/ckfw/builtins/testlib/testcert_err_distrust.txt

@@ -0,0 +1,50 @@
+-----BEGIN CERTIFICATE-----
+MIIDrzCCApegAwIBAgIUYP6zocjBMPwC8JCba7cIXnjl+9wwDQYJKoZIhvcNAQEL
+BQAwZzEaMBgGA1UEAwwRVEVTVCBlcnJfZGlzdHJ1c3QxDDAKBgNVBAsMA05TUzEQ
+MA4GA1UECwwHTW96aWxsYTENMAsGA1UEBwwEVEVTVDENMAsGA1UECAwEVEVTVDEL
+MAkGA1UEBhMCREUwHhcNMTkwNzE2MDYzMjQyWhcNMTkwNzI2MDYzMjQyWjBnMRow
+GAYDVQQDDBFURVNUIGVycl9kaXN0cnVzdDEMMAoGA1UECwwDTlNTMRAwDgYDVQQL
+DAdNb3ppbGxhMQ0wCwYDVQQHDARURVNUMQ0wCwYDVQQIDARURVNUMQswCQYDVQQG
+EwJERTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANFM13A4PfQb09LI
+37g528ruNsRFeDmXg90KC0cEdbTVDCxDKQcPlHbYLynimqzWmjjZtWCFnII80P1D
+w+OOLo3PbWLJ7KUnKK8m9W5UuqV6DlJlLNbvXkr06grwSofzzh6sbYyO8rERuA55
+CdNFOobkYbeuNffNEpVbdek2d9ayUvibkkc3x7plom//LLJ9enFgGt1x0x/Hsc2l
+/yRIgVRi32ZyGuT2QZ2qs5Zr4ybAmaAVoRmCmvyRfqAxnDnYTnloJsdCcET/0Gez
+dcr/pp19ATOmA7unrFPRM/vOkAougMzs4R81+ErSNebzNxMc9Qm30KeX2r59pjAI
+T6uPnN8CAwEAAaNTMFEwHQYDVR0OBBYEFFGC2APkyHgCzNn0GQ2UjBeh+7YAMB8G
+A1UdIwQYMBaAFFGC2APkyHgCzNn0GQ2UjBeh+7YAMA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggEBAHKVnWCN/Jopd/bVAgb4L6VNU4Ew+fPB4FpTQBb6
+Cr+lDxgnBaQvoy/82c8zf0+ENczLJmDlaa5HcKsXEl+5Esj1u7t55lOUjQQdGvWj
+Jxim4hJRbc1P0KTLoDFeGMgFSgakfiIsnZFlU26+AXMjmzlnYxn/HRmTlH4VNZUq
+De8e8MZqLnnhOWnYNEhAelZwo3a/W0KI4RqDAgMiO6pO/iNK/9+ZwcyXDklGWbAl
+zbYADd/Bi75hqOSxahTo8abBojbd2LP7mInQJ522rOf5QVYmSQGo+5sZ+cT8d7lk
+Fb++7Y43FApRma6F3bSHJ5nPxkO7spyga2ozOWmsS8zeN5g=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDRTNdwOD30G9PS
+yN+4OdvK7jbERXg5l4PdCgtHBHW01QwsQykHD5R22C8p4pqs1po42bVghZyCPND9
+Q8Pjji6Nz21iyeylJyivJvVuVLqleg5SZSzW715K9OoK8EqH884erG2MjvKxEbgO
+eQnTRTqG5GG3rjX3zRKVW3XpNnfWslL4m5JHN8e6ZaJv/yyyfXpxYBrdcdMfx7HN
+pf8kSIFUYt9mchrk9kGdqrOWa+MmwJmgFaEZgpr8kX6gMZw52E55aCbHQnBE/9Bn
+s3XK/6adfQEzpgO7p6xT0TP7zpAKLoDM7OEfNfhK0jXm8zcTHPUJt9Cnl9q+faYw
+CE+rj5zfAgMBAAECggEAfgyGDtqATTxZFK/PNFb8DLnsF8YywpSCYKOE6S9BaDeK
+jjmgQtVaNzy5IsOLHZ5c4PIUbt3oxPK1dmHSXoApf1Q173HmaAwuT1XqJ5k1kyTv
+7SVrnMIqCoB3V0Eh0cC+GPEFRMpuVL90FptElI0z0ztFsmZjsCo8D+E2IM6h25UQ
+MiZmJNb2qk+64Ef9yiKyUBA15y7zBUOIsRMDQlREpHA0T6N2YC1b98r73RHYHc8O
++rQixX4ZtB0gl97nKdOjEX9ECfwd5nUXVUFNMthozYMy2VmpU9eH3zP33vcZNvaD
+5GX2lvSkWLXEb6Zc/yWdBPrijSVeD+qwZ6tDBPgskQKBgQD4EbzuiFLEoFE/IdCD
+zP1cj28kmUU6oQJDk2TNlsQ3q6jbSoMCXqEfVF9RFcTkvCnV1GkrwjoM8vhYaL+x
+OCGRIvOqzsDwvyd3lbsDM3pVw6j64zRjR1JkdOK23sCj10cVEYYqDozVHILPYmEL
+hEEYk7FqfPY1uqKL6zGnWhX81wKBgQDX/c6i8kOJjO7YWoG4Z2hPUJJCM/q3Ws1b
+XK2m6qddYPV5zOv2geknAC71WqOgVnLM/pNrPpd2p1kMjRPqKKUL0z7XONp8+6ii
+9EB+CEwUB/1kA/GFl5sAcOv9uGqMrXeWoAzeoyeBE/MscfANY0tROfvXvpYhYl3S
+SlCfy0UXOQKBgFfKJzufQPNW7QnTlLBgJjXQiPvBxi82dc+mZOEg/vXYqRxaJTz8
+cjbdLBJNCu4L7R5AWqviw5p7jgnzoAs+mxp67RLAsqVAcN4wPgum9x9M7AtFxu9v
+eSgV+XnQIQqakAxTtFBD7/Enct+jqEZkGolxEzNlX9ip4QZ1SJA6IFfnAoGBAJLN
+F6faXxrbJe74vNgXuGbIDVBfwdTjK1YgTIp5TF2EK/On2uzFaTEvx7rM6w9sEkTP
+9mRau1lS7oxASrvI+jxqTHi9VIrEBN8UgcznWMX4lDlpELvKyffnyA2/TPPmZrSC
+fZzIaW4qoAmiOxTuWt+POGNvTtzL3ZazGc8xufjJAoGAbDCQGFIEo4DVOVEgI1sM
+rmK9sOBjHO1306HL/gKqJo/CVSwLpwjErCLr1w0LUGG8SRup3VyZSTJTh15F3Pfk
++N6nVrhCTag6vF/E3/VTZ3BwgvOLT3XqUTprntQUPXA+Dk+Fdem4dgHvknRDwz99
+APZYdtb09hSETdUJmgd376g=
+-----END PRIVATE KEY-----

security/nss/lib/ckfw/builtins/testlib/testcert_no_distrust.txt

@@ -0,0 +1,50 @@
+-----BEGIN CERTIFICATE-----
+MIIDrTCCApWgAwIBAgIUc/i8N6NKXyYTZNxOxlhOlCokIrEwDQYJKoZIhvcNAQEL
+BQAwZjEZMBcGA1UEAwwQVEVTVCBub19kaXN0cnVzdDEMMAoGA1UECwwDTlNTMRAw
+DgYDVQQLDAdNb3ppbGxhMQ0wCwYDVQQHDARURVNUMQ0wCwYDVQQIDARURVNUMQsw
+CQYDVQQGEwJERTAeFw0xOTA3MTYwNjMyNDJaFw0xOTA3MjYwNjMyNDJaMGYxGTAX
+BgNVBAMMEFRFU1Qgbm9fZGlzdHJ1c3QxDDAKBgNVBAsMA05TUzEQMA4GA1UECwwH
+TW96aWxsYTENMAsGA1UEBwwEVEVTVDENMAsGA1UECAwEVEVTVDELMAkGA1UEBhMC
+REUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDH97sxW2mi3JsqJFMG
+vSCMtsNd9ZBERj5AZDL21bjHk5gCl2jEQmamd0vUGV5aYAanMmU8r03YrqTVA36D
+/drl9WBze5iUUl1kfj1pCr0kx8/jVtqRoHlh+kdfiPIQmYpQQykIm+8Fgej9gkRG
+OrjTaXQLge0ExAIPIjkSOpMxtuuQL1iRrRR2VaGKLFouUJI62r3uH5oW5N4jKjxK
+BqZAtqw1wXe+eBdXLMKsZnnXzMW0PyRB50XftylIIUvCI4weDe/Ydx+E6/IRmqyQ
+uXl4xj8O6yX+eWxV09bzXpjbcKKZDsAhkSWyKx2j6fObCzsCmxhq1Fq4g6Bzd7pi
+KtYrAgMBAAGjUzBRMB0GA1UdDgQWBBS6DeOSnoCkc48Fv+pnHqM5P6G85jAfBgNV
+HSMEGDAWgBS6DeOSnoCkc48Fv+pnHqM5P6G85jAPBgNVHRMBAf8EBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4IBAQCp6OTs5jZt/WSir3212nab3GHWmHBSw5ECr8uq2APY
+Clso43lIo03MFr0GBYCSZ3aovdMU98+tHLSgA0wTJHlWCQpErsbXHP5e0y4dkiEZ
+6PoqohXynn6aAsAIC1euzM0iWhjbNKWDfIo1qPQVOHd/yhvB/7smjeAHhLCILr3p
+61crKHXSZpM01JtqSmoAzPCFL3ofMTZEytTybrVMWKGy2y6KJLQTzGQyeml3B7tE
+q3ssFTt8F3d+8h+aNzuQr68BC1Vu6JyHsfjBY0ZZMmYhl0fgsiIcGCPer00XqBR5
+UYjemnwqXAJADJXelA9/Deyrpecv4Iw4A/22Ew8B+54Y
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDH97sxW2mi3Jsq
+JFMGvSCMtsNd9ZBERj5AZDL21bjHk5gCl2jEQmamd0vUGV5aYAanMmU8r03YrqTV
+A36D/drl9WBze5iUUl1kfj1pCr0kx8/jVtqRoHlh+kdfiPIQmYpQQykIm+8Fgej9
+gkRGOrjTaXQLge0ExAIPIjkSOpMxtuuQL1iRrRR2VaGKLFouUJI62r3uH5oW5N4j
+KjxKBqZAtqw1wXe+eBdXLMKsZnnXzMW0PyRB50XftylIIUvCI4weDe/Ydx+E6/IR
+mqyQuXl4xj8O6yX+eWxV09bzXpjbcKKZDsAhkSWyKx2j6fObCzsCmxhq1Fq4g6Bz
+d7piKtYrAgMBAAECggEALCE4t3DEBEQJHii8Be2xBDzFKrQprVePH2i9conB6JFi
+55eAcGdy/eOv4VPj5a/xZ+6QNu89D8ei6ruFrR1VtJANRA8PohP3NllBti+/hCFw
+eGxPefnfL8cq/yNawF0SEBpyMMsw2ZdM0r1v0cvdxBIuoOeAZh/XkH1t+N7iYwLm
+Kbkfzp7qVPDxghavODEX2GnWptNONomglHj/DcQtpCJfff9SgqtG8j9M+YX2mzfb
+yoPy3scOvknfGqMlCtz5ilGHMXACq1JqzPfAz2FPVSB5ROHLQyt8PQQVfp8QSrkk
+4LTqR7Z0H5NRxj35sfJn1C1J/wFw3bkmy5CxgyCtwQKBgQDyYl3yIlm6U9i4c7b8
+3aNzsdDcbRYi+Dvvi59QVNqf03Fct+PP2ThBTbpw0TTsWh947PJli1JUnLamGpeO
+3ZUnpEFctXFWInX0ghsATc0zdxjWeX6VoIf+9tSqO5yCmqtZxslZUXTcvDi1XAK7
+1FPsrHvsiFzD2b3b930MpT7qoQKBgQDTM2N0NdJ1hQneOBp3wvrAlzRXxBYsaM83
+O32ek3ZFVAwpqNPt6w8PjcCRq0ej8w6v4EeR1Hqc4Mol0TnzTbIoYMB+eyqsGjTi
+7rL0Z9f+dDzGNlGssCplu72oHLF8TJq9aoh36wUMH8hc473M2ZCrjcUAudrWYEkc
+0GIr0hZ5SwKBgHi6XDbVu0Ger8y3/kYXE2n2AKU6RJNod1oKfnDhwv9mrwlSossN
+VALa92loGuc6wIBX7Sh866YvZJ55klHbtoZHPzMxQOF5Sq1d/Jr7JaFjyeBSJaXb
+jsGFKkocZQl8hqqx4+p0MzQbIFfdG5N439B73UHkbegzVWjx7bxVtm/hAoGBAMl5
+kVuP6JhRdKt3i9BJwZmt5LIBDkIJLfv7lYeMFtxmJEAtnRavESv+RwDviyUcvhsL
+clrsfpdfXZgb8xNmQBmCyr8d0gRh76e4nCDJW2STEFLqCJobaCaqpW9VB/+SuF8P
+3OXA3ozFWQc7/pkHx5nQYWmi4t909Oo25B/3h5bnAoGBAIzm30BPZpMLyGvPCFIJ
+O2Rycvb4bDUU0J8cAVnvsAP6POWBYD0H6rHioZnRz6V3ZBibg+jvzXBiRAqm4n2e
+yRduP/3m6a3BKhYyplZEV1cUCnnUvQtusWiv61E/mDnPGco3sljUfCbvo1h1Juuq
+io2guvIg0tE5WSQr9spqy+o8
+-----END PRIVATE KEY-----

security/nss/lib/ckfw/builtins/testlib/testcert_ok_distrust.txt

@@ -0,0 +1,50 @@
+-----BEGIN CERTIFICATE-----
+MIIDrTCCApWgAwIBAgIUOkTcnVQ/X6q4Jk8d+FpHNik6G7wwDQYJKoZIhvcNAQEL
+BQAwZjEZMBcGA1UEAwwQVEVTVCBva19kaXN0cnVzdDEMMAoGA1UECwwDTlNTMRAw
+DgYDVQQLDAdNb3ppbGxhMQ0wCwYDVQQHDARURVNUMQ0wCwYDVQQIDARURVNUMQsw
+CQYDVQQGEwJERTAeFw0xOTA3MTYwNjMyNDJaFw0xOTA3MjYwNjMyNDJaMGYxGTAX
+BgNVBAMMEFRFU1Qgb2tfZGlzdHJ1c3QxDDAKBgNVBAsMA05TUzEQMA4GA1UECwwH
+TW96aWxsYTENMAsGA1UEBwwEVEVTVDENMAsGA1UECAwEVEVTVDELMAkGA1UEBhMC
+REUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6HnzYlULNHDPfZUww
+MR4UNSmO7wtoR/Guj/M21lSnHJeCzWmzn1Xg/ydVKA5qiO1hgjKzm8BqkO6AFlQB
+c8UU7838kLf4eM4SLo5xZeHUUbkWxhaoUYFHrJliJgojsKLuKcOGv+H/xE82++A7
+Yz7n829Yz7l121cNzrdPLZqguU6ocPS5lIONX7c2uf9/DN8b1sr80KcrR+XtVzcH
+0pCA/iu2WiRwtmwytf2yfvLyrxn0Z6k539lmLwWS//ABp6ptRh2dNZLm6cGE3eQK
+8fYxJBhD2U5LX1EeqyLMsAWZqQJCAnE539jEaI2QdOZ4pfbwn+vyS4Pyv9A8NPQS
+GUUVAgMBAAGjUzBRMB0GA1UdDgQWBBQcQKqQ289LAhNrGDmmDNfasnT8PTAfBgNV
+HSMEGDAWgBQcQKqQ289LAhNrGDmmDNfasnT8PTAPBgNVHRMBAf8EBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4IBAQAiIR6XulpG7kq6woQM8FzZHPRfM9wlPtEcT/HJrH8P
+nj5R120m56GF96wxib4JTy/0ffgOljIEiWsn7uM06KiZByF0DPyOnYaDbsgL8OKf
+QxW8n9VG0XNTHvMpXjyFQrhXZsMwEi9EO0IY1VP+H0ZjSwl0d/w91/ICtVec98JM
++fypRpHjBCeXVc4UJvb4hz8VnlJOEKE6iWBAIwhFRenEWPvL5bqa3JgJC92xmILr
+bQPrm2qhijSmasCm7u9GOeeJZL2KDB2nSpFZOJhS989cMKxtMZz0P3Gunn0/oqDr
+cfDt8t+Nei1T2uq0FlQK8yBUKhfAPnwKuvj/tHho45ZF
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC6HnzYlULNHDPf
+ZUwwMR4UNSmO7wtoR/Guj/M21lSnHJeCzWmzn1Xg/ydVKA5qiO1hgjKzm8BqkO6A
+FlQBc8UU7838kLf4eM4SLo5xZeHUUbkWxhaoUYFHrJliJgojsKLuKcOGv+H/xE82
+++A7Yz7n829Yz7l121cNzrdPLZqguU6ocPS5lIONX7c2uf9/DN8b1sr80KcrR+Xt
+VzcH0pCA/iu2WiRwtmwytf2yfvLyrxn0Z6k539lmLwWS//ABp6ptRh2dNZLm6cGE
+3eQK8fYxJBhD2U5LX1EeqyLMsAWZqQJCAnE539jEaI2QdOZ4pfbwn+vyS4Pyv9A8
+NPQSGUUVAgMBAAECggEATZbSIxQucgV01oeLOHfxeykidxTOY53CcixOjyjQx43S
+19O8YgZlrdOQ2R5GzEDi/QhjDJ88mvBqjPlB8g0KNw01iTnnh+0Ms2W3Oizn9TRQ
+fd78qRS5WWDp3JHRHknP0ouUmIM7uv1irKBaPUfFfLruS07lmO1koDvyDU8MrD1+
+Lr9i/7DOxpMFRTP4OBs4J22M1jdaVV7RM5/ZxHezSEJx8lpYvsBSHYYrViWx+TvL
+BQabnfntg4YbVoB+5f7kOA0f0a/WdF1q4yursLvPFb3F+w271s11PYnXp8G7Axe7
+ylcojRhvb1bque2WP7Wz3L0kCosxPkaH7W2RfHZX7QKBgQDgI7Xuo+2hnOkPZxNd
+EuA2+1gKmRnd9Gx+gBvSOxgy+bIirddWpUoSQE1cZiJu0ylERVBMXJzMi5uT1/nR
+OP9HVUY/pYDEtuHRHyF60sp8+qTiV0PxACuaYGmUSO22+p9yp0mfVNl+AkQlLbam
+pmQG3OWb7Zqpef7+v7fnccPwFwKBgQDUkz1OyUwB1Nx0GtzAiYuoVh0Oe2GM8tHI
+8kSXbFyXh5ly75Cm5gPR6dxLsLSOZxzGZMfXm13MFWVARQJgudFJFTtqRufJZcnS
+ie/OpY35eYqKqzYIwt+4U6biCLK3q77dH1Psgz0ghoH6DfDkl2eQDF9LLUxvrS5Q
+r36bBezjswKBgEAMFEWv1Ax1UOeU1aSn6yfq5HqKyyhwWrw/ETQerMiML0nXkQvy
+SVszwqdfjAFNF6Kph8t6P1f3oKo7cehGODQC+wLe4Q/VDmv6UE/Pggr6eDkxJHnu
+SYdge2ri+AJsVTmm8dO0pD1smlphWKsAKt8HKhlHaQV6ldHnqL5a9NlbAoGAK6zI
+xtwy4plyZeRzAJgB+qcetzAAXe4xzgCAuT/JUlTI4UV5SeEuXb2XxnFa13s1/UkN
+ii3guqKWt/q1v1vONR7Io1BIJSflrH0sqR94qQ4gudbtdiVbw8pkGkLBPV1rDJF4
+M7rPH1SjddXRbZXx8DWqio6XCsbhIjC8aWtxPWMCgYAClC2GhicT+Jiv5Y8gT/hc
+/DJjhQTtV1mMqek69XJ6Xsc6wEkFSXpUr8/3XoP8Sj/xrEluTJYgt/DTVbXAvLcv
+XCaERRdrpBHspFrD9lcOZRjS17QTVAzH8bt3+YidqvDnn/2Xch49hcUJTFEx7Km+
+r4Tw2QmALNeNDgRlkMJYCQ==
+-----END PRIVATE KEY-----

security/nss/lib/ckfw/manifest.mn

@@ -5,7 +5,7 @@
 
 CORE_DEPTH = ../..
 
-DIRS = builtins 
+DIRS = builtins
 
 PRIVATE_EXPORTS = \
 	ck.h		  \

security/nss/lib/mozpkix/include/pkix/pkixder.h

@@ -114,6 +114,17 @@ inline Result ExpectTagAndSkipValue(Reader& input, uint8_t tag) {
   return ExpectTagAndGetValue(input, tag, ignoredValue);
 }
 
+// This skips IMPLICIT OPTIONAL tags that are "primitive" (not constructed),
+// given the number in the class of the tag (i.e. the number in the brackets in
+// `issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL`).
+inline Result SkipOptionalImplicitPrimitiveTag(Reader& input,
+                                               uint8_t numberInClass) {
+  if (input.Peek(CONTEXT_SPECIFIC | numberInClass)) {
+    return ExpectTagAndSkipValue(input, CONTEXT_SPECIFIC | numberInClass);
+  }
+  return Success;
+}
+
 // Like ExpectTagAndGetValue, except the output Input will contain the
 // encoded tag and length along with the value.
 inline Result ExpectTagAndGetTLV(Reader& input, uint8_t tag,

security/nss/lib/mozpkix/lib/pkixcert.cpp

@@ -105,29 +105,24 @@ BackCert::Init()
     return rv;
   }
 
-  static const uint8_t CSC = der::CONTEXT_SPECIFIC | der::CONSTRUCTED;
-
   // According to RFC 5280, all fields below this line are forbidden for
   // certificate versions less than v3.  However, for compatibility reasons,
   // we parse v1/v2 certificates in the same way as v3 certificates.  So if
   // these fields appear in a v1 certificate, they will be used.
 
   // Ignore issuerUniqueID if present.
-  if (tbsCertificate.Peek(CSC | 1)) {
-    rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 1);
-    if (rv != Success) {
-      return rv;
-    }
+  rv = der::SkipOptionalImplicitPrimitiveTag(tbsCertificate, 1);
+  if (rv != Success) {
+    return rv;
   }
 
   // Ignore subjectUniqueID if present.
-  if (tbsCertificate.Peek(CSC | 2)) {
-    rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 2);
-    if (rv != Success) {
-      return rv;
-    }
+  rv = der::SkipOptionalImplicitPrimitiveTag(tbsCertificate, 2);
+  if (rv != Success) {
+    return rv;
   }
 
+  static const uint8_t CSC = der::CONTEXT_SPECIFIC | der::CONSTRUCTED;
   rv = der::OptionalExtensions(
          tbsCertificate, CSC | 3,
          [this](Reader& extnID, const Input& extnValue, bool critical,

security/nss/lib/nss/nss.def

@@ -39,8 +39,8 @@ CERT_FreeDistNames;
 CERT_FreeNicknames;
 CERT_GetAVATag;
 CERT_GetCertEmailAddress;
-CERT_GetCertNicknames;
 CERT_GetCertIssuerAndSN;
+CERT_GetCertNicknames;
 CERT_GetCertTrust;
 CERT_GetCertUid;
 CERT_GetCommonName;

security/nss/lib/pki/pki3hack.c

@@ -825,6 +825,36 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced
             cc->trust = trust;
             CERT_UnlockCertTrust(cc);
         }
+        /* Read the distrust fields from a nssckbi/builtins certificate and
+         * fill the fields in CERTCertificate structure when any valid date
+         * is found. */
+        if (PK11_IsReadOnly(cc->slot) && PK11_HasRootCerts(cc->slot)) {
+            /* The values are hard-coded and readonly. Read just once. */
+            if (cc->distrust == NULL) {
+                CERTCertDistrust distrustModel;
+                SECItem model = { siUTCTime, NULL, 0 };
+                distrustModel.serverDistrustAfter = model;
+                distrustModel.emailDistrustAfter = model;
+                SECStatus rServer = PK11_ReadAttribute(
+                    cc->slot, cc->pkcs11ID, CKA_NSS_SERVER_DISTRUST_AFTER,
+                    cc->arena, &distrustModel.serverDistrustAfter);
+                SECStatus rEmail = PK11_ReadAttribute(
+                    cc->slot, cc->pkcs11ID, CKA_NSS_EMAIL_DISTRUST_AFTER,
+                    cc->arena, &distrustModel.emailDistrustAfter);
+                /* Only allocate the Distrust structure if a valid date is found.
+                 * The result length of a encoded valid timestamp is exactly 13 */
+                const unsigned int kDistrustFieldSize = 13;
+                if ((rServer == SECSuccess && rEmail == SECSuccess) &&
+                    (distrustModel.serverDistrustAfter.len == kDistrustFieldSize ||
+                     distrustModel.emailDistrustAfter.len == kDistrustFieldSize)) {
+                    CERTCertDistrust *tmpPtr = PORT_ArenaAlloc(
+                        cc->arena, sizeof(CERTCertDistrust));
+                    PORT_Memcpy(tmpPtr, &distrustModel,
+                                sizeof(CERTCertDistrust));
+                    cc->distrust = tmpPtr;
+                }
+            }
+        }
     }
     if (instance) {
         nssCryptokiObject_Destroy(instance);

security/nss/lib/softoken/pkcs11c.c

@@ -1605,6 +1605,67 @@ NSC_DecryptUpdate(CK_SESSION_HANDLE hSession,
     return CKR_OK;
 }
 
+/* Fromssl3con.c: Constant-time helper macro that copies the MSB of x to all
+ * other bits. */
+#define DUPLICATE_MSB_TO_ALL(x) ((unsigned int)((int)(x) >> (sizeof(int) * 8 - 1)))
+/* From ssl3con.c: SECStatusToMask returns, in constant time, a mask value of
+ * all ones if rv == SECSuccess.  Otherwise it returns zero. */
+static unsigned int
+SECStatusToMask(SECStatus rv)
+{
+    unsigned int good;
+    /* rv ^ SECSuccess is zero iff rv == SECSuccess. Subtracting one results
+     * in the MSB being set to one iff it was zero before. */
+    good = rv ^ SECSuccess;
+    good--;
+    return DUPLICATE_MSB_TO_ALL(good);
+}
+/* Constant-time helper macro that selects l or r depending on all-1 or all-0
+ * mask m */
+#define CT_SEL(m, l, r) (((m) & (l)) | (~(m) & (r)))
+/* Constant-time helper macro that returns all-1s if x is not 0; and all-0s
+ * otherwise. */
+#define CT_NOT_ZERO(x) (DUPLICATE_MSB_TO_ALL(((x) | (0 - x))))
+
+/* sftk_CheckCBCPadding checks that the padding validity and return the pad length. */
+static CK_RV
+sftk_CheckCBCPadding(CK_BYTE_PTR pLastPart,
+                     unsigned int blockSize, unsigned int *outPadSize)
+{
+    PORT_Assert(outPadSize);
+
+    unsigned int padSize = (unsigned int)pLastPart[blockSize - 1];
+
+    /* If padSize <= blockSize, set goodPad to all-1s and all-0s otherwise.*/
+    unsigned int goodPad = DUPLICATE_MSB_TO_ALL(~(blockSize - padSize));
+    /* padSize should not be 0 */
+    goodPad &= CT_NOT_ZERO(padSize);
+
+    unsigned int i;
+    for (i = 0; i < blockSize; i++) {
+        /* If i < padSize, set loopMask to all-1s and all-0s otherwise.*/
+        unsigned int loopMask = DUPLICATE_MSB_TO_ALL(~(padSize - 1 - i));
+        /* Get the padding value (should be padSize) from buffer */
+        unsigned int padVal = pLastPart[blockSize - 1 - i];
+        /* Update goodPad only if i < padSize */
+        goodPad &= CT_SEL(loopMask, ~(padVal ^ padSize), goodPad);
+    }
+
+    /* If any of the final padding bytes had the wrong value, one or more
+     * of the lower eight bits of |goodPad| will be cleared. We AND the
+     * bottom 8 bits together and duplicate the result to all the bits. */
+    goodPad &= goodPad >> 4;
+    goodPad &= goodPad >> 2;
+    goodPad &= goodPad >> 1;
+    goodPad <<= sizeof(goodPad) * 8 - 1;
+    goodPad = DUPLICATE_MSB_TO_ALL(goodPad);
+
+    /* Set outPadSize to padSize or 0 */
+    *outPadSize = CT_SEL(goodPad, padSize, 0);
+    /* Return OK if the pad is valid */
+    return CT_SEL(goodPad, CKR_OK, CKR_ENCRYPTED_DATA_INVALID);
+}
+
 /* NSC_DecryptFinal finishes a multiple-part decryption operation. */
 CK_RV
 NSC_DecryptFinal(CK_SESSION_HANDLE hSession,
@@ -1643,24 +1704,10 @@ NSC_DecryptFinal(CK_SESSION_HANDLE hSession,
             if (rv != SECSuccess) {
                 crv = sftk_MapDecryptError(PORT_GetError());
             } else {
-                unsigned int padSize =
-                    (unsigned int)pLastPart[context->blockSize - 1];
-                if ((padSize > context->blockSize) || (padSize == 0)) {
-                    crv = CKR_ENCRYPTED_DATA_INVALID;
-                } else {
-                    unsigned int i;
-                    unsigned int badPadding = 0; /* used as a boolean */
-                    for (i = 0; i < padSize; i++) {
-                        badPadding |=
-                            (unsigned int)pLastPart[context->blockSize - 1 - i] ^
-                            padSize;
-                    }
-                    if (badPadding) {
-                        crv = CKR_ENCRYPTED_DATA_INVALID;
-                    } else {
-                        *pulLastPartLen = outlen - padSize;
-                    }
-                }
+                unsigned int padSize = 0;
+                crv = sftk_CheckCBCPadding(pLastPart, context->blockSize, &padSize);
+                /* Update pulLastPartLen, in constant time, if crv is success */
+                *pulLastPartLen = CT_SEL(SECStatusToMask(crv), outlen - padSize, *pulLastPartLen);
             }
         }
     }
@@ -1722,21 +1769,9 @@ NSC_Decrypt(CK_SESSION_HANDLE hSession,
     /* XXX need to do MUCH better error mapping than this. */
     crv = (rv == SECSuccess) ? CKR_OK : sftk_MapDecryptError(PORT_GetError());
     if (rv == SECSuccess && context->doPad) {
-        unsigned int padding = pData[outlen - 1];
-        if (padding > context->blockSize || !padding) {
-            crv = CKR_ENCRYPTED_DATA_INVALID;
-        } else {
-            unsigned int i;
-            unsigned int badPadding = 0; /* used as a boolean */
-            for (i = 0; i < padding; i++) {
-                badPadding |= (unsigned int)pData[outlen - 1 - i] ^ padding;
-            }
-            if (badPadding) {
-                crv = CKR_ENCRYPTED_DATA_INVALID;
-            } else {
-                outlen -= padding;
-            }
-        }
+        unsigned int padSize = 0;
+        crv = sftk_CheckCBCPadding(pData, context->blockSize, &padSize);
+        outlen -= padSize;
     }
     sftk_TerminateOp(session, SFTK_DECRYPT, context);
 done:

security/nss/lib/softoken/sdb.c

@@ -159,7 +159,7 @@ static const CK_ATTRIBUTE_TYPE known_attributes[] = {
     CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER, CKA_TRUST_TIME_STAMPING,
     CKA_TRUST_STEP_UP_APPROVED, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH,
     CKA_NETSCAPE_DB, CKA_NETSCAPE_TRUST, CKA_NSS_OVERRIDE_EXTENSIONS,
-    CKA_PUBLIC_KEY_INFO
+    CKA_PUBLIC_KEY_INFO, CKA_NSS_SERVER_DISTRUST_AFTER, CKA_NSS_EMAIL_DISTRUST_AFTER
 };
 
 static int known_attributes_size = sizeof(known_attributes) /

security/nss/lib/ssl/tls13con.c

@@ -914,7 +914,7 @@ SECStatus
 tls13_HandlePostHelloHandshakeMessage(sslSocket *ss, PRUint8 *b, PRUint32 length)
 {
     if (ss->sec.isServer && ss->ssl3.hs.zeroRttIgnore != ssl_0rtt_ignore_none) {
-        SSL_TRC(3, ("%d: TLS13[%d]: %s successfully decrypted handshake after"
+        SSL_TRC(3, ("%d: TLS13[%d]: successfully decrypted handshake after "
                     "failed 0-RTT",
                     SSL_GETPID(), ss->fd));
         ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_none;

security/nss/lib/util/pkcs11n.h

@@ -94,6 +94,8 @@
 #define CKA_NSS_JPAKE_X2S (CKA_NSS + 33)
 
 #define CKA_NSS_MOZILLA_CA_POLICY (CKA_NSS + 34)
+#define CKA_NSS_SERVER_DISTRUST_AFTER (CKA_NSS + 35)
+#define CKA_NSS_EMAIL_DISTRUST_AFTER (CKA_NSS + 36)
 
 /*
  * Trust attributes:

security/nss/nss.gyp

@@ -218,6 +218,7 @@
             'gtests/softoken_gtest/softoken_gtest.gyp:softoken_gtest',
             'gtests/ssl_gtest/ssl_gtest.gyp:ssl_gtest',
             'gtests/util_gtest/util_gtest.gyp:util_gtest',
+            'lib/ckfw/builtins/testlib/builtins-testlib.gyp:nssckbi-testlib',
           ],
           'conditions': [
             [ 'OS=="linux"', {

security/nss/tests/cert/cert.sh

@@ -50,7 +50,7 @@ cert_init()
 
   LIBDIR="${DIST}/${OBJDIR}/lib"
 
-  ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi* | head -1`
+  ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi.* | head -1`
   if [ ! "${ROOTCERTSFILE}" ] ; then
       html_failed "Looking for root certs module." 
       cert_log "ERROR: Root certs module not found."