diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO
index fe3a2a4c11c3..def356f82fad 100644
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1 +1 @@
-NSS_3_47_BETA1
\ No newline at end of file
+NSS_3_47_BETA2
\ No newline at end of file
diff --git a/security/nss/automation/abi-check/expected-report-libnss3.so.txt b/security/nss/automation/abi-check/expected-report-libnss3.so.txt
index c384ba3d93b5..ee06510f1bb9 100644
--- a/security/nss/automation/abi-check/expected-report-libnss3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libnss3.so.txt
@@ -2,3 +2,32 @@ 'function CERTCertList* PK11_GetCertsMatchingPrivateKey(SECKEYPrivateKey*)' {PK11_GetCertsMatchingPrivateKey@@NSS_3.47} +3 functions with some indirect sub-type change: + + [C]'function SECStatus CERT_AddCertToListHead(CERTCertList*, CERTCertificate*)' at certdb.c:2631:1 has some indirect sub-type changes: + parameter 2 of type 'CERTCertificate*' has sub-type changes: + in pointed to type 'typedef CERTCertificate' at certt.h:39:1: + underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed: + type size changed from 6016 to 6080 (in bits) + 1 data member insertion: + 'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1 + no data member changes (2 filtered); + + [C]'function SECStatus CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle*, CERTCertificate*, PRTime, const SECItem*, void*)' at ocsp.c:5102:1 has some indirect sub-type changes: + parameter 2 of type 'CERTCertificate*' has sub-type changes: + in pointed to type 'typedef CERTCertificate' at certt.h:39:1: + underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed: + type size changed from 6016 to 6080 (in bits) + 1 data member insertion: + 'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1 + no data member change (1 filtered); + + [C]'function CERTCertificateList* CERT_CertChainFromCert(CERTCertificate*, SECCertUsage, PRBool)' at certhigh.c:1030:1 has some indirect sub-type changes: + parameter 1 of type 'CERTCertificate*' has sub-type changes: + in pointed to type 'typedef CERTCertificate' at certt.h:39:1: + underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed: + type size changed from 6016 to 6080 (in bits) + 1 data member insertion: + 'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1 + no data member changes (2 filtered); + 
diff --git a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt index e69de29bb2d1..b57a98a6dbb5 100644 --- a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt @@ -0,0 +1,11 @@ +1 function with some indirect sub-type change: + + [C]'function CERTCertificate* CERT_ConvertAndDecodeCertificate(char*)' at certread.c:219:1 has some indirect sub-type changes: + return type changed: + in pointed to type 'typedef CERTCertificate' at certt.h:39:1: + underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed: + type size changed from 6016 to 6080 (in bits) + 1 data member insertion: + 'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1 + + diff --git a/security/nss/automation/abi-check/expected-report-libssl3.so.txt b/security/nss/automation/abi-check/expected-report-libssl3.so.txt index e69de29bb2d1..2c3aff4eb1c0 100644 --- a/security/nss/automation/abi-check/expected-report-libssl3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libssl3.so.txt @@ -0,0 +1,10 @@ +1 function with some indirect sub-type change: + + [C]'function SECStatus NSS_CmpCertChainWCANames(CERTCertificate*, CERTDistNames*)' at cmpcert.c:25:1 has some indirect sub-type changes: + parameter 1 of type 'CERTCertificate*' has sub-type changes: + in pointed to type 'typedef CERTCertificate' at certt.h:39:1: + underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed: + type size changed from 6016 to 6080 (in bits) + 1 data member insertion: + 'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1 + diff --git a/security/nss/cmd/addbuiltin/addbuiltin.c b/security/nss/cmd/addbuiltin/addbuiltin.c index 8316720391e6..5655888726dd 100644 --- a/security/nss/cmd/addbuiltin/addbuiltin.c +++ b/security/nss/cmd/addbuiltin/addbuiltin.c 
@@ -230,6 +230,8 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust, hasPositiveTrust(trust->objectSigningFlags)) { printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n"); } + printf("CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE\n"); + printf("CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE\n"); } if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) == @@ -306,19 +308,21 @@ printheader() "#\n" "# Certificates\n" "#\n" - "# -- Attribute -- -- type -- -- value --\n" - "# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n" - "# CKA_TOKEN CK_BBOOL CK_TRUE\n" - "# CKA_PRIVATE CK_BBOOL CK_FALSE\n" - "# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n" - "# CKA_LABEL UTF8 (varies)\n" - "# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n" - "# CKA_SUBJECT DER+base64 (varies)\n" - "# CKA_ID byte array (varies)\n" - "# CKA_ISSUER DER+base64 (varies)\n" - "# CKA_SERIAL_NUMBER DER+base64 (varies)\n" - "# CKA_VALUE DER+base64 (varies)\n" - "# CKA_NSS_EMAIL ASCII7 (unused here)\n" + "# -- Attribute -- -- type -- -- value --\n" + "# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n" + "# CKA_TOKEN CK_BBOOL CK_TRUE\n" + "# CKA_PRIVATE CK_BBOOL CK_FALSE\n" + "# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n" + "# CKA_LABEL UTF8 (varies)\n" + "# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n" + "# CKA_SUBJECT DER+base64 (varies)\n" + "# CKA_ID byte array (varies)\n" + "# CKA_ISSUER DER+base64 (varies)\n" + "# CKA_SERIAL_NUMBER DER+base64 (varies)\n" + "# CKA_VALUE DER+base64 (varies)\n" + "# CKA_NSS_EMAIL ASCII7 (unused here)\n" + "# CKA_NSS_SERVER_DISTRUST_AFTER DER+base64 (varies)\n" + "# CKA_NSS_EMAIL_DISTRUST_AFTER DER+base64 (varies)\n" "#\n" "# Trust\n" "#\n" 
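Review bot: The attribute table printed by `printheader()` lists the two new attributes with type `DER+base64 (varies)`, but the first hunk makes `ConvertCertificate` emit them as `CK_BBOOL CK_FALSE`, so the generated file shows a boolean where its own header promises a date. I would add one line to the printed header that explains the placeholder, for example `"# (CK_BBOOL CK_FALSE in a DISTRUST_AFTER field means no distrust date is set)\n"`. The same table is edited by hand in the certdata.txt hunk of this commit and would need the same line. Both functions start outside their hunks.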
@@ -392,6 +396,12 @@ Usage(char *progName) fprintf(stderr, "%-15s a CRL entry number, as shown by \"crlutil -S\"\n", "-e"); fprintf(stderr, "%-15s input file to read (default stdin)\n", "-i file"); fprintf(stderr, "%-15s (pipe through atob if the cert is b64-encoded)\n", ""); + fprintf(stderr, "%-15s convert a timestamp to DER, and output.\n", "-d timestamp"); + fprintf(stderr, "%-15s useful to fill server and email distrust fields\n", ""); + fprintf(stderr, "%-15s Example: %s -d 1561939200\n", "", progName); + fprintf(stderr, "%-15s NOTE: The informed timestamp are interpreted as seconds\n", ""); + fprintf(stderr, "%-15s since unix epoch.\n", ""); + fprintf(stderr, "%-15s TIP: date -d \"2019-07-01 00:00:00 UTC\" +%%s\n", ""); exit(-1); } @@ -403,20 +413,21 @@ enum { opt_ExcludeCert, opt_ExcludeHash, opt_DistrustCRL, - opt_CRLEnry + opt_CRLEntry, + opt_ConvertDate }; -static secuCommandFlag addbuiltin_options[] = - { - { /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE }, - { /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE }, - { /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE }, - { /* opt_Distrust */ 'D', PR_FALSE, 0, PR_FALSE }, - { /* opt_ExcludeCert */ 'c', PR_FALSE, 0, PR_FALSE }, - { /* opt_ExcludeHash */ 'h', PR_FALSE, 0, PR_FALSE }, - { /* opt_DistrustCRL */ 'C', PR_FALSE, 0, PR_FALSE }, - { /* opt_CRLEnry */ 'e', PR_TRUE, 0, PR_FALSE }, - }; +static secuCommandFlag addbuiltin_options[] = { + { /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE }, + { /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE }, + { /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE }, + { /* opt_Distrust */ 'D', PR_FALSE, 0, PR_FALSE }, + { /* opt_ExcludeCert */ 'c', PR_FALSE, 0, PR_FALSE }, + { /* opt_ExcludeHash */ 'h', PR_FALSE, 0, PR_FALSE }, + { /* opt_DistrustCRL */ 'C', PR_FALSE, 0, PR_FALSE }, + { /* opt_CRLEntry */ 'e', PR_TRUE, 0, PR_FALSE }, + { /* opt_ConvertDate */ 'd', PR_TRUE, 0, PR_FALSE }, +}; int main(int argc, char **argv) 
@@ -444,6 +455,30 @@ main(int argc, char **argv) if (rv != SECSuccess) Usage(progName); + if (addbuiltin.options[opt_ConvertDate].activated) { + char *endPtr; + PRTime distrustTimestamp = strtol(addbuiltin.options[opt_ConvertDate].arg, &endPtr, 0) * PR_USEC_PER_SEC; + if (*endPtr != '\0' && distrustTimestamp > 0) { + Usage(progName); + exit(1); + } + SECItem encTime; + DER_EncodeTimeChoice(NULL, &encTime, distrustTimestamp); + SECU_PrintTimeChoice(stdout, &encTime, "The timestamp represents this date", 0); + printf("Locate the entry of the desired certificate in certdata.txt\n" + "Erase the CKA_NSS_[SERVER|EMAIL]_DISTRUST_AFTER CK_BBOOL CK_FALSE\n" + "And override with the following respective entry:\n\n"); + SECU_PrintTimeChoice(stdout, &encTime, "# For Server Distrust After", 0); + printf("CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL\n"); + dumpbytes(encTime.data, encTime.len); + printf("END\n"); + SECU_PrintTimeChoice(stdout, &encTime, "# For Email Distrust After", 0); + printf("CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL\n"); + dumpbytes(encTime.data, encTime.len); + printf("END\n"); + exit(0); + } + if (addbuiltin.options[opt_Trust].activated) ++mutuallyExclusiveOpts; if (addbuiltin.options[opt_Distrust].activated) @@ -458,12 +493,12 @@ main(int argc, char **argv) } if (addbuiltin.options[opt_DistrustCRL].activated) { - if (!addbuiltin.options[opt_CRLEnry].activated) { + if (!addbuiltin.options[opt_CRLEntry].activated) { fprintf(stderr, "%s: you must specify the CRL entry number.\n", progName); Usage(progName); } else { - crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg); + crlentry = atoi(addbuiltin.options[opt_CRLEntry].arg); if (crlentry < 1) { fprintf(stderr, "%s: The CRL entry number must be > 0.\n", progName); diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c index aafde9b5fc15..703845e98476 100644 --- a/security/nss/cmd/lib/secutil.c +++ b/security/nss/cmd/lib/secutil.c 
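Review bot: The check `if (*endPtr != '\0' && distrustTimestamp > 0)` in the new `-d` branch rejects an argument only when it has trailing characters and a positive value, so an empty or non-numeric argument (parsed as 0) and any negative number fall through and are printed as a distrust date that an operator may paste into certdata.txt. The `strtol` result is also multiplied before any range check, `errno` is never examined, base 0 accepts octal and hex spellings, and the return value of `DER_EncodeTimeChoice` is ignored, which leaves `encTime` uninitialised if encoding fails. I would parse in base 10, reject empty, trailing, out-of-range and non-positive input before multiplying, and check the encoder result, as in the excerpt below; the `exit(1)` after `Usage(progName)` is unreachable because `Usage()` already exits. `main` starts and ends outside this hunk.

```c
    if (addbuiltin.options[opt_ConvertDate].activated) {
        const char *arg = addbuiltin.options[opt_ConvertDate].arg;
        char *endPtr = NULL;
        long long seconds;
        PRTime distrustTimestamp;
        SECItem encTime = { siBuffer, NULL, 0 };

        errno = 0;
        seconds = strtoll(arg, &endPtr, 10);
        /* Reject empty input, trailing characters, overflow and
         * non-positive values before converting to microseconds. */
        if (endPtr == arg || *endPtr != '\0' || errno == ERANGE ||
            seconds <= 0 || seconds > LLONG_MAX / (long long)PR_USEC_PER_SEC) {
            Usage(progName);
        }
        distrustTimestamp = (PRTime)seconds * PR_USEC_PER_SEC;
        if (DER_EncodeTimeChoice(NULL, &encTime, distrustTimestamp) != SECSuccess) {
            fprintf(stderr, "%s: unable to encode timestamp \"%s\"\n", progName, arg);
            exit(1);
        }
        /* … unchanged: SECU_PrintTimeChoice / dumpbytes output and exit(0) … */
    }
```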
@@ -1108,36 +1108,33 @@ typedef struct secuPBEParamsStr { SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) /* SECOID_PKCS5_PBKDF2 */ -const SEC_ASN1Template secuKDF2Params[] = - { - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) }, - { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) }, - { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) }, - { SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) }, - { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, - { 0 } - }; +const SEC_ASN1Template secuKDF2Params[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) }, + { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) }, + { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) }, + { SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { 0 } +}; /* PKCS5v1 & PKCS12 */ -const SEC_ASN1Template secuPBEParamsTemp[] = - { - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) }, - { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) }, - { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) }, - { 0 } - }; +const SEC_ASN1Template secuPBEParamsTemp[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) }, + { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) }, + { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) }, + { 0 } +}; /* SEC_OID_PKCS5_PBES2, SEC_OID_PKCS5_PBMAC1 */ -const SEC_ASN1Template secuPBEV2Params[] = - { - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) }, - { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, - { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, - { 0 } - }; +const SEC_ASN1Template secuPBEV2Params[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) }, + { SEC_ASN1_INLINE | 
SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { 0 } +}; void secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level) @@ -2300,8 +2297,9 @@ SECU_PrintCertAttributes(FILE *out, CERTAttribute **attrs, char *m, int level) return rv; } -int /* sometimes a PRErrorCode, other times a SECStatus. Sigh. */ - SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level) +/* sometimes a PRErrorCode, other times a SECStatus. Sigh. */ +int +SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level) { PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); CERTCertificateRequest *cr; @@ -3251,6 +3249,26 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert, "Certificate Trust Flags", 1); } + /* The distrust fields are hard-coded in nssckbi and read-only. + * If verifying some cert, with vfychain, for instance, the certificate may + * not have a defined slot if not imported. */ + if (cert->slot != NULL && cert->distrust != NULL) { + const unsigned int kDistrustFieldSize = 13; + fprintf(stdout, "\n"); + SECU_Indent(stdout, 1); + fprintf(stdout, "%s:\n", "Certificate Distrust Dates"); + if (cert->distrust->serverDistrustAfter.len == kDistrustFieldSize) { + SECU_PrintTimeChoice(stdout, + &cert->distrust->serverDistrustAfter, + "Server Distrust After", 2); + } + if (cert->distrust->emailDistrustAfter.len == kDistrustFieldSize) { + SECU_PrintTimeChoice(stdout, + &cert->distrust->emailDistrustAfter, + "E-mail Distrust After", 2); + } + } + printf("\n"); return (SECSuccess); diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep index 5182f75552c8..590d1bfaeee3 100644 --- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -10,3 +10,4 @@ */ #error "Do not include this header file." + 
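Review bot: In the block added to `SEC_PrintCertificateAndTrust`, a distrust field whose length is not 13 is skipped with no output at all, so a malformed or differently encoded date looks exactly like "no distrust date" to someone auditing a root with this tool. Thirteen bytes matches the UTCTime string shown in the README example; a value that `DER_EncodeTimeChoice` encoded in a longer form would presumably be dropped here as well, which is worth confirming against `addbuiltin -d`. I would report the unexpected case instead of hiding it, e.g. `else if (cert->distrust->serverDistrustAfter.len != 0) { SECU_Indent(stdout, 2); fprintf(stdout, "Server Distrust After: <unexpected length %u>\n", cert->distrust->serverDistrustAfter.len); }`, and the same for the e-mail field. A short comment on `kDistrustFieldSize` saying what encoding the 13 stands for would also help, since the same constant is repeated in the new gtest. The function starts outside the hunk.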
diff --git a/security/nss/gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp index 260c735ece92..0dc8555d991d 100644 --- a/security/nss/gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp +++ b/security/nss/gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp @@ -1224,3 +1224,53 @@ TEST_F(pkixder_universal_types_tests, OID) ASSERT_EQ(Success, OID(reader, expectedOID)); } + +TEST_F(pkixder_universal_types_tests, SkipOptionalImplicitPrimitiveTag) +{ + const uint8_t DER_IMPLICIT_BIT_STRING_WITH_CLASS_NUMBER_1[] = { + 0x81, + 0x04, + 0x00, + 0x0A, + 0x0B, + 0x0C, + }; + Input input(DER_IMPLICIT_BIT_STRING_WITH_CLASS_NUMBER_1); + Reader reader(input); + + ASSERT_EQ(Success, SkipOptionalImplicitPrimitiveTag(reader, 1)); + ASSERT_TRUE(reader.AtEnd()); +} + +TEST_F(pkixder_universal_types_tests, SkipOptionalImplicitPrimitiveTagMismatch) +{ + const uint8_t DER_IMPLICIT_BIT_STRING_WITH_CLASS_NUMBER_1[] = { + 0x81, + 0x04, + 0x00, + 0x0A, + 0x0B, + 0x0C, + }; + Input input(DER_IMPLICIT_BIT_STRING_WITH_CLASS_NUMBER_1); + Reader reader(input); + + ASSERT_EQ(Success, SkipOptionalImplicitPrimitiveTag(reader, 2)); + ASSERT_FALSE(reader.AtEnd()); +} + +TEST_F(pkixder_universal_types_tests, NoSkipOptionalImplicitConstructedTag) +{ + const uint8_t DER_IMPLICIT_SEQUENCE_WITH_CLASS_NUMBER_1[] = { + 0xA1, + 0x03, + 0x05, + 0x01, + 0x00, + }; + Input input(DER_IMPLICIT_SEQUENCE_WITH_CLASS_NUMBER_1); + Reader reader(input); + + ASSERT_EQ(Success, SkipOptionalImplicitPrimitiveTag(reader, 1)); + ASSERT_FALSE(reader.AtEnd()); +} diff --git a/security/nss/gtests/softoken_gtest/manifest.mn b/security/nss/gtests/softoken_gtest/manifest.mn index 0e998adf4c15..8a533c56b35a 100644 --- a/security/nss/gtests/softoken_gtest/manifest.mn +++ b/security/nss/gtests/softoken_gtest/manifest.mn 
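Review bot: All three new tests expect `Success` from `SkipOptionalImplicitPrimitiveTag`, so no failure path of the helper is exercised; in particular there is no case where the tag matches but the length byte claims more data than the input holds. For a DER skipping routine that is the input most likely to expose a bounds problem, so I would add a fourth test with a truncated buffer such as `{ 0x81, 0x04, 0x00 }` and assert that the call does not return `Success` (the exact error code is not visible in this diff). In `SkipOptionalImplicitPrimitiveTagMismatch` a one-line comment such as `// tag number in the data is 1, the caller asks for 2: nothing may be consumed` would make the intent of the reused array clear.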
@@ -6,13 +6,22 @@ CORE_DEPTH = ../.. DEPTH = ../.. MODULE = nss +DEFINES += -DDLL_SUFFIX=\"$(DLL_SUFFIX)\" -DDLL_PREFIX=\"$(DLL_PREFIX)\" + +include $(CORE_DEPTH)/coreconf/arch.mk +ifneq ($(OS_ARCH),WINNT) +DB_TESTS = \ + softoken_nssckbi_testlib_gtest.cc +endif + CPPSRCS = \ softoken_gtest.cc \ + $(DB_TESTS) \ $(NULL) INCLUDES += \ -I$(CORE_DEPTH)/gtests/google_test/gtest/include \ - -I$(CORE_DEPTH)/gtests/common \ + -I$(CORE_DEPTH)/gtests/common \ -I$(CORE_DEPTH)/cpputil \ $(NULL) diff --git a/security/nss/gtests/softoken_gtest/softoken_gtest.gyp b/security/nss/gtests/softoken_gtest/softoken_gtest.gyp index 8deb2006ba7f..3d9b8dba939c 100644 --- a/security/nss/gtests/softoken_gtest/softoken_gtest.gyp +++ b/security/nss/gtests/softoken_gtest/softoken_gtest.gyp @@ -12,6 +12,7 @@ 'type': 'executable', 'sources': [ 'softoken_gtest.cc', + 'softoken_nssckbi_testlib_gtest.cc', ], 'dependencies': [ '<(DEPTH)/exports.gyp:nss_exports', @@ -44,6 +45,10 @@ 'target_defaults': { 'include_dirs': [ '../../lib/util' + ], + 'defines': [ + 'DLL_PREFIX=\"<(dll_prefix)\"', + 'DLL_SUFFIX=\"<(dll_suffix)\"' ] }, 'variables': { diff --git a/security/nss/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc b/security/nss/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc new file mode 100644 index 000000000000..e7d6bc28b510 --- /dev/null +++ b/security/nss/gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc 
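Review bot: `softoken_nssckbi_testlib_gtest.cc` is added to `sources` in softoken_gtest.gyp unconditionally, while the manifest.mn hunk in the same commit compiles it only when `OS_ARCH` is not `WINNT`. The new test file calls `unlink()` and loads `DLL_PREFIX "nssckbi-testlib." DLL_SUFFIX`, so a gyp build on Windows will probably either fail to compile or run a test that the make build deliberately leaves out. I would put the entry under a condition in the target, e.g. `'conditions': [[ 'OS!="win"', { 'sources': [ 'softoken_nssckbi_testlib_gtest.cc' ] }]]`, or add a comment explaining why the two build systems are meant to differ.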
@@ -0,0 +1,124 @@ +#include "cert.h" +#include "certdb.h" +#include "nspr.h" +#include "nss.h" +#include "pk11pub.h" +#include "secerr.h" + +#include "nss_scoped_ptrs.h" +#include "util.h" + +#define GTEST_HAS_RTTI 0 +#include "gtest/gtest.h" + +namespace nss_test { + +class SoftokenBuiltinsTest : public ::testing::Test { + protected: + SoftokenBuiltinsTest() : nss_db_dir_("SoftokenBuiltinsTest.d-") {} + SoftokenBuiltinsTest(const std::string &prefix) : nss_db_dir_(prefix) {} + + virtual void SetUp() { + std::string nss_init_arg("sql:"); + nss_init_arg.append(nss_db_dir_.GetUTF8Path()); + ASSERT_EQ(SECSuccess, NSS_Initialize(nss_init_arg.c_str(), "", "", + SECMOD_DB, NSS_INIT_NOROOTINIT)); + } + + virtual void TearDown() { + ASSERT_EQ(SECSuccess, NSS_Shutdown()); + const std::string &nss_db_dir_path = nss_db_dir_.GetPath(); + ASSERT_EQ(0, unlink((nss_db_dir_path + "/cert9.db").c_str())); + ASSERT_EQ(0, unlink((nss_db_dir_path + "/key4.db").c_str())); + ASSERT_EQ(0, unlink((nss_db_dir_path + "/pkcs11.txt").c_str())); + } + + virtual void LoadModule() { + ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); + ASSERT_TRUE(slot); + EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr)); + SECStatus result = SECMOD_AddNewModule( + "Builtins-testlib", DLL_PREFIX "nssckbi-testlib." DLL_SUFFIX, 0, 0); + ASSERT_EQ(result, SECSuccess); + } + + ScopedUniqueDirectory nss_db_dir_; +}; + +// The next tests in this class are used to test the Distrust Fields. +// More details about these fields in lib/ckfw/builtins/README. 
+TEST_F(SoftokenBuiltinsTest, CheckNoDistrustFields) { + const char *kCertNickname = + "Builtin Object Token:Distrust Fields Test - no_distrust"; + LoadModule(); + + CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB(); + ASSERT_TRUE(cert_handle); + ScopedCERTCertificate cert( + CERT_FindCertByNickname(cert_handle, kCertNickname)); + ASSERT_TRUE(cert); + + EXPECT_EQ(PR_FALSE, + PK11_HasAttributeSet(cert->slot, cert->pkcs11ID, + CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE)); + EXPECT_EQ(PR_FALSE, + PK11_HasAttributeSet(cert->slot, cert->pkcs11ID, + CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE)); + ASSERT_FALSE(cert->distrust); +} + +TEST_F(SoftokenBuiltinsTest, CheckOkDistrustFields) { + const char *kCertNickname = + "Builtin Object Token:Distrust Fields Test - ok_distrust"; + LoadModule(); + + CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB(); + ASSERT_TRUE(cert_handle); + ScopedCERTCertificate cert( + CERT_FindCertByNickname(cert_handle, kCertNickname)); + ASSERT_TRUE(cert); + + const char *kExpectedDERValueServer = "200617000000Z"; + const char *kExpectedDERValueEmail = "071014085320Z"; + // When a valid timestamp is encoded, the result length is exactly 13. 
+ const unsigned int kDistrustFieldSize = 13; + + ASSERT_TRUE(cert->distrust); + ASSERT_EQ(kDistrustFieldSize, cert->distrust->serverDistrustAfter.len); + ASSERT_NE(nullptr, cert->distrust->serverDistrustAfter.data); + EXPECT_TRUE(!memcmp(kExpectedDERValueServer, + cert->distrust->serverDistrustAfter.data, + kDistrustFieldSize)); + + ASSERT_EQ(kDistrustFieldSize, cert->distrust->emailDistrustAfter.len); + ASSERT_NE(nullptr, cert->distrust->emailDistrustAfter.data); + EXPECT_TRUE(!memcmp(kExpectedDERValueEmail, + cert->distrust->emailDistrustAfter.data, + kDistrustFieldSize)); +} + +TEST_F(SoftokenBuiltinsTest, CheckInvalidDistrustFields) { + const char *kCertNickname = + "Builtin Object Token:Distrust Fields Test - err_distrust"; + LoadModule(); + + CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB(); + ASSERT_TRUE(cert_handle); + ScopedCERTCertificate cert( + CERT_FindCertByNickname(cert_handle, kCertNickname)); + ASSERT_TRUE(cert); + + // The field should never be set to TRUE in production, we are just + // testing if this field is readable, even if set to TRUE. + EXPECT_EQ(PR_TRUE, + PK11_HasAttributeSet(cert->slot, cert->pkcs11ID, + CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE)); + // If something other than CK_BBOOL CK_TRUE, it will be considered FALSE + // Here, there is an OCTAL value, but with unexpected content (1 digit less). + EXPECT_EQ(PR_FALSE, + PK11_HasAttributeSet(cert->slot, cert->pkcs11ID, + CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE)); + ASSERT_FALSE(cert->distrust); +} + +} // namespace nss_test diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c index d5ce411568ce..4eb6e89ec49e 100644 --- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c 
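Review bot: `TearDown()` uses `ASSERT_EQ` for `NSS_Shutdown()` and for each `unlink()`, so the first failing step returns from the function and the remaining database files are left behind in the test directory, which can then affect later runs. Cleanup should continue after a failure: `EXPECT_EQ(SECSuccess, NSS_Shutdown());` and `EXPECT_EQ(0, unlink((nss_db_dir_path + "/cert9.db").c_str()));` (likewise for key4.db and pkcs11.txt). `CheckInvalidDistrustFields` covers only a value that is one digit short; a value that is too long, or 13 bytes that are not a valid time, is not tested, and those are the cases a consumer of `cert->distrust` has to be protected from. The file also relies on other headers to provide `std::string`, `memcmp` and `unlink`; including `<string>`, `<cstring>` and `<unistd.h>` directly would make that explicit.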
@@ -2889,15 +2889,10 @@ void CERT_UnlockCertRefCount(CERTCertificate *cert) { PORT_Assert(certRefCountLock != NULL); - -#ifdef DEBUG - { - PRStatus prstat = PZ_Unlock(certRefCountLock); + PRStatus prstat = PZ_Unlock(certRefCountLock); + if (prstat != PR_SUCCESS) { PORT_Assert(prstat == PR_SUCCESS); } -#else - PZ_Unlock(certRefCountLock); -#endif } static PZLock *certTrustLock = NULL; @@ -3001,15 +2996,10 @@ void CERT_UnlockCertTrust(const CERTCertificate *cert) { PORT_Assert(certTrustLock != NULL); - -#ifdef DEBUG - { - PRStatus prstat = PZ_Unlock(certTrustLock); + PRStatus prstat = PZ_Unlock(certTrustLock); + if (prstat != PR_SUCCESS) { PORT_Assert(prstat == PR_SUCCESS); } -#else - PZ_Unlock(certTrustLock); -#endif } /* @@ -3019,14 +3009,10 @@ void CERT_UnlockCertTempPerm(const CERTCertificate *cert) { PORT_Assert(certTempPermLock != NULL); -#ifdef DEBUG - { - PRStatus prstat = PZ_Unlock(certTempPermLock); + PRStatus prstat = PZ_Unlock(certTempPermLock); + if (prstat != PR_SUCCESS) { PORT_Assert(prstat == PR_SUCCESS); } -#else - (void)PZ_Unlock(certTempPermLock); -#endif } /* diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h index 32f6377efbbd..aae1184a84d9 100644 --- a/security/nss/lib/certdb/certt.h +++ b/security/nss/lib/certdb/certt.h @@ -35,6 +35,7 @@ typedef struct CERTCertListStr CERTCertList; typedef struct CERTCertListNodeStr CERTCertListNode; typedef struct CERTCertNicknamesStr CERTCertNicknames; typedef struct CERTCertTrustStr CERTCertTrust; +typedef struct CERTCertDistrustStr CERTCertDistrust; typedef struct CERTCertificateStr CERTCertificate; typedef struct CERTCertificateListStr CERTCertificateList; typedef struct CERTCertificateRequestStr CERTCertificateRequest; 
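Review bot: The new `if (prstat != PR_SUCCESS)` in `CERT_UnlockCertRefCount` contains nothing but `PORT_Assert(prstat == PR_SUCCESS)`, which, as the removed `#ifdef DEBUG` suggests, presumably does nothing outside debug builds, so a failed unlock is still ignored in optimized builds and the purpose of the `if` is not obvious. If it exists only so that `prstat` counts as used when the assert compiles away, say so in a comment such as `/* prstat is tested so it is not an unused variable in non-debug builds */`, or replace the wrapper with the assert followed by `(void)prstat;`. The declaration now follows the `PORT_Assert(certRefCountLock != NULL);` statement, which requires mixed declarations and code; that is fine only if every supported compiler for this file accepts it. The same pattern is repeated in the `CERT_UnlockCertTrust` and `CERT_UnlockCertTempPerm` hunks.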
@@ -140,6 +141,18 @@ struct CERTCertTrustStr { unsigned int objectSigningFlags; }; +/* + * Distrust dates for specific certificate usages. + * These dates are hardcoded in nssckbi/builtins. They are DER encoded to be + * compatible with the format of certdata.txt, other date fields in certs and + * existing functions to read these dates. Clients should check the distrust + * date in certificates to avoid trusting a CA for service they have ceased to + * support */ +struct CERTCertDistrustStr { + SECItem serverDistrustAfter; + SECItem emailDistrustAfter; +}; + /* * defined the types of trust that exist */ @@ -279,6 +292,8 @@ struct CERTCertificateStr { PK11SlotInfo *slot; /*if this cert came of a token, which is it*/ CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */ PRBool ownSlot; /*true if the cert owns the slot reference */ + /* These fields are used in nssckbi/builtins CAs. */ + CERTCertDistrust *distrust; }; #define SEC_CERTIFICATE_VERSION_1 0 /* default created */ #define SEC_CERTIFICATE_VERSION_2 1 /* v2 */ diff --git a/security/nss/lib/ckfw/builtins/README b/security/nss/lib/ckfw/builtins/README index fc0393c38329..11f5c2c9a788 100644 --- a/security/nss/lib/ckfw/builtins/README +++ b/security/nss/lib/ckfw/builtins/README @@ -22,7 +22,8 @@ variants), SHLIB_PATH (32-bit HP-UX), LIBPATH (AIX), or PATH (Windows). argument to the -n option should be replaced by the nickname of the root certificate. - % addbuiltin -n "Nickname of the Root Certificate" -t C,C,C < newroot.der >> certdata.txt + % addbuiltin -n "Nickname of the Root Certificate" -t C,C,C < newroot.der \ + >> certdata.txt 4. Edit nssckbi.h to bump the version of the module. 
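Review bot: The comment on `CERTCertDistrustStr` tells clients they "should check" the dates but does not give the contract a client needs to do that safely. I would extend it to state which time encoding and length the two `SECItem`s hold (the tool and the gtest in this commit treat exactly 13 bytes as valid), what an empty item means, and who owns the memory. For the field added to `CERTCertificateStr` in the second hunk, a comment such as `/* NULL unless this is a builtin root with valid distrust-after attributes */` would match what the new tests assert. No enforcement of these dates is visible in this diff, so if NSS itself does not apply them during verification the comment should say that the check is left entirely to the caller.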
@@ -43,3 +44,63 @@ II. Removing a Builtin Root CA Certificate 5. After you verify that the new nssckbi module is correct, check in certdata.txt and nssckbi.h. + +III. Scheduling a Distrust date for Server/TLS or Email certificates issued +by a CA + +For each Builtin Root CA Certificate we have the Trust Bits to know what kind +of certificates issued by this CA are trusted: Server/TLS, E-mail or S/MIME. +Sometimes a CA discontinues support for a particular kind of certificate, +but will still issue other kinds. For instance, they might cease support for +email certificates but continue to provide server certificates. In this +scenario, we have to disable the Trust Bit for this kind of certificate when +the last issued certificate expires. +Between the last expired certificate date and the change and propagation of +this respective Trust Bit, could have a undesired gap. + +So, in these situations we can set a Distrust Date for this Builtin Root CA +Certificate. Clients should check the distrust date in certificates to avoid +trusting a CA for service they have ceased to support. + +A distrust date is a timestamp in unix epoch, encoded in DER format and saved +in certdata.txt. These fields are defined at the "Certificate" entries of +certdata.txt, in a MULTILINE_OCTAL format. By default, for readability purpose, +these fields are set as a boolean CK_FALSE and will be ignored when read. + +1. Create the timestamp for the desired distrust date. An easy and practical way +to do this is using the date command. + % date -d "2019-07-01 00:00:00 UTC" +%s + The result should be something like: 1561939200 + +2. Then, run the addbuiltin -d to verify the timestamp and do the right +conversions. + The -d option takes the timestamp as an argument, which is interpreted as + seconds since unix epoch. The addbuiltin command will show the result in the + stdout, as it should be inserted in certdata.txt. 
+ % addbuiltin -d 1561939200 + The result should be something like this: + + The timestamp represents this date: Mon Jul 01 00:00:00 2019 + Locate the entry of the desired certificate in certdata.txt + Erase the CKA_NSS_[SERVER|EMAIL]_DISTRUST_AFTER CK_BBOOL CK_FALSE + And override with the following respective entry: + + # For Server Distrust After: Mon Jul 01 00:00:00 2019 + CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL + \061\071\060\067\060\061\060\060\060\060\060\060\132 + END + # For Email Distrust After: Mon Jul 01 00:00:00 2019 + CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL + \061\071\060\067\060\061\060\060\060\060\060\060\132 + END + +3. Edit the certdata.txt, overriding the desired entry for the desired CA, as +the instructions generated by the previous command. + +4. If necessary, increment the version counter +NSS_BUILTINS_LIBRARY_VERSION_MINOR in nssckbi.h. + +5. Build the nssckbi module. + +6. A good way to test is with certutil: + % certutil -L -d $DBDIR -n "Builtin Object Token:" diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt index c49052c710d2..3a44db293df2 100644 --- a/security/nss/lib/ckfw/builtins/certdata.txt +++ b/security/nss/lib/ckfw/builtins/certdata.txt 
@@ -13,19 +13,21 @@ # # Certificates # -# -- Attribute -- -- type -- -- value -- -# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -# CKA_TOKEN CK_BBOOL CK_TRUE -# CKA_PRIVATE CK_BBOOL CK_FALSE -# CKA_MODIFIABLE CK_BBOOL CK_FALSE -# CKA_LABEL UTF8 (varies) -# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -# CKA_SUBJECT DER+base64 (varies) -# CKA_ID byte array (varies) -# CKA_ISSUER DER+base64 (varies) -# CKA_SERIAL_NUMBER DER+base64 (varies) -# CKA_VALUE DER+base64 (varies) -# CKA_NSS_EMAIL ASCII7 (unused here) +# -- Attribute -- -- type -- -- value -- +# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +# CKA_TOKEN CK_BBOOL CK_TRUE +# CKA_PRIVATE CK_BBOOL CK_FALSE +# CKA_MODIFIABLE CK_BBOOL CK_FALSE +# CKA_LABEL UTF8 (varies) +# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +# CKA_SUBJECT DER+base64 (varies) +# CKA_ID byte array (varies) +# CKA_ISSUER DER+base64 (varies) +# CKA_SERIAL_NUMBER DER+base64 (varies) +# CKA_VALUE DER+base64 (varies) +# CKA_NSS_EMAIL ASCII7 (unused here) +# CKA_NSS_SERVER_DISTRUST_AFTER DER+base64 (varies) +# CKA_NSS_EMAIL_DISTRUST_AFTER DER+base64 (varies) # # Trust # @@ -164,6 +166,8 @@ CKA_VALUE MULTILINE_OCTAL \125\342\374\110\311\051\046\151\340 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "GlobalSign Root CA" # Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE @@ -298,6 +302,8 @@ CKA_VALUE MULTILINE_OCTAL \152\374\176\102\070\100\144\022\367\236\201\341\223\056 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "GlobalSign Root CA - R2" # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 
@@ -454,6 +460,8 @@ CKA_VALUE MULTILINE_OCTAL \113\336\006\226\161\054\362\333\266\037\244\357\077\356 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G3" # Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US @@ -619,6 +627,8 @@ CKA_VALUE MULTILINE_OCTAL \311\130\020\371\252\357\132\266\317\113\113\337\052 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G3" # Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US @@ -784,6 +794,8 @@ CKA_VALUE MULTILINE_OCTAL \153\271\012\172\116\117\113\204\356\113\361\175\335\021 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US 
@@ -1059,6 +1071,8 @@ CKA_VALUE MULTILINE_OCTAL \174\136\232\166\351\131\220\305\174\203\065\021\145\121 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Entrust.net Premium 2048 Secure Server CA" # Issuer: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net @@ -1197,6 +1211,8 @@ CKA_VALUE MULTILINE_OCTAL \347\201\035\031\303\044\102\352\143\071\251 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Baltimore CyberTrust Root" # Issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE @@ -1341,6 +1357,8 @@ CKA_VALUE MULTILINE_OCTAL \065\341\035\026\034\320\274\053\216\326\161\331 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "AddTrust Low-Value Services Root" # Issuer: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE @@ -1490,6 +1508,8 @@ CKA_VALUE MULTILINE_OCTAL \027\132\173\320\274\307\217\116\206\004 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "AddTrust External Root" # Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE 
@@ -1654,6 +1674,8 @@ CKA_VALUE MULTILINE_OCTAL \036\177\132\264\074 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Entrust Root Certification Authority" # Issuer: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US @@ -1788,6 +1810,8 @@ CKA_VALUE MULTILINE_OCTAL \302\005\146\200\241\313\346\063 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "GeoTrust Global CA" # Issuer: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US @@ -1948,6 +1972,8 @@ CKA_VALUE MULTILINE_OCTAL \244\346\216\330\371\051\110\212\316\163\376\054 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "GeoTrust Universal CA" # Issuer: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US @@ -2108,6 +2134,8 @@ CKA_VALUE MULTILINE_OCTAL \362\034\054\176\256\002\026\322\126\320\057\127\123\107\350\222 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "GeoTrust Universal CA 2" # Issuer: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US @@ -2228,6 +2256,8 @@ CKA_VALUE MULTILINE_OCTAL \350\140\052\233\205\112\100\363\153\212\044\354\006\026\054\163 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Certum Root CA" # Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL 
@@ -2374,6 +2404,8 @@ CKA_VALUE MULTILINE_OCTAL \225\351\066\226\230\156 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Comodo AAA Services root" # Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB @@ -2552,6 +2584,8 @@ CKA_VALUE MULTILINE_OCTAL \112\164\066\371 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "QuoVadis Root CA" # Issuer: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM @@ -2721,6 +2755,8 @@ CKA_VALUE MULTILINE_OCTAL \020\005\145\325\202\020\352\302\061\315\056 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "QuoVadis Root CA 2" # Issuer: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM @@ -2901,6 +2937,8 @@ CKA_VALUE MULTILINE_OCTAL \332 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "QuoVadis Root CA 3" # Issuer: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM @@ -3030,6 +3068,8 @@ CKA_VALUE MULTILINE_OCTAL \057\317\246\356\311\160\042\024\275\375\276\154\013\003 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Security Communication Root CA" # Issuer: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP 
@@ -3153,6 +3193,8 @@ CKA_VALUE MULTILINE_OCTAL \160\254\337\114 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Sonera Class 2 Root CA" # Issuer: CN=Sonera Class2 CA,O=Sonera,C=FI @@ -3310,6 +3352,8 @@ CKA_VALUE MULTILINE_OCTAL \334 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Camerfirma Chambers of Commerce Root" # Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU @@ -3470,6 +3514,8 @@ CKA_VALUE MULTILINE_OCTAL \166\135\165\220\032\365\046\217\360 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Camerfirma Global Chambersign Root" # Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU @@ -3623,6 +3669,8 @@ CKA_VALUE MULTILINE_OCTAL \264\003\045\274 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "XRamp Global CA Root" # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US @@ -3770,6 +3818,8 @@ CKA_VALUE MULTILINE_OCTAL \177\333\275\237 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Go Daddy Class 2 CA" # Issuer: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US 
@@ -3915,6 +3965,8 @@ CKA_VALUE MULTILINE_OCTAL \037\027\224 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Starfield Class 2 CA" # Issuer: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US @@ -4079,6 +4131,8 @@ CKA_VALUE MULTILINE_OCTAL \245\206\054\174\364\022 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Taiwan GRCA" # Issuer: O=Government Root Certification Authority,C=TW @@ -4218,6 +4272,8 @@ CKA_VALUE MULTILINE_OCTAL \346\120\262\247\372\012\105\057\242\360\362 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "DigiCert Assured ID Root CA" # Issuer: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US @@ -4359,6 +4415,8 @@ CKA_VALUE MULTILINE_OCTAL \225\155\336 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "DigiCert Global Root CA" # Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US @@ -4501,6 +4559,8 @@ CKA_VALUE MULTILINE_OCTAL \370\351\056\023\243\167\350\037\112 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "DigiCert High Assurance EV Root CA" # Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US 
@@ -4631,6 +4691,8 @@ CKA_VALUE MULTILINE_OCTAL \013\004\216\007\333\051\266\012\356\235\202\065\065\020 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "DST Root CA X3" # Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. @@ -4798,6 +4860,8 @@ CKA_VALUE MULTILINE_OCTAL \205\206\171\145\322 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "SwissSign Platinum CA - G2" # Issuer: CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CH @@ -4963,6 +5027,8 @@ CKA_VALUE MULTILINE_OCTAL \111\044\133\311\260\320\127\301\372\076\172\341\227\311 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "SwissSign Gold CA - G2" # Issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH @@ -5129,6 +5195,8 @@ CKA_VALUE MULTILINE_OCTAL \156 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "SwissSign Silver CA - G2" # Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH @@ -5261,6 +5329,8 @@ CKA_VALUE MULTILINE_OCTAL \253\022\350\263\336\132\345\240\174\350\017\042\035\132\351\131 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "GeoTrust Primary Certification Authority" # Issuer: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US 
@@ -5416,6 +5486,8 @@ CKA_VALUE MULTILINE_OCTAL \215\126\214\150 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "thawte Primary Root CA" # Issuer: CN=thawte Primary Root CA,OU="(c) 2006 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US @@ -5591,6 +5663,8 @@ CKA_VALUE MULTILINE_OCTAL \254\021\326\250\355\143\152 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G5" # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US @@ -5734,6 +5808,8 @@ CKA_VALUE MULTILINE_OCTAL \113\035\236\054\302\270\150\274\355\002\356\061 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "SecureTrust CA" # Issuer: CN=SecureTrust CA,O=SecureTrust Corporation,C=US @@ -5869,6 +5945,8 @@ CKA_VALUE MULTILINE_OCTAL \117\043\037\332\154\254\037\104\341\335\043\170\121\133\307\026 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Secure Global CA" # Issuer: CN=Secure Global CA,O=SecureTrust Corporation,C=US @@ -6019,6 +6097,8 @@ CKA_VALUE MULTILINE_OCTAL \145 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "COMODO Certification Authority" # Issuer: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 
@@ -6165,6 +6245,8 @@ CKA_VALUE MULTILINE_OCTAL \244\140\114\260\125\240\240\173\127\262 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Network Solutions Certificate Authority" # Issuer: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US @@ -6291,6 +6373,8 @@ CKA_VALUE MULTILINE_OCTAL \334\335\363\377\035\054\072\026\127\331\222\071\326 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "COMODO ECC Certification Authority" # Issuer: CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB @@ -6442,6 +6526,8 @@ CKA_VALUE MULTILINE_OCTAL \374\276\337\012\015 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "OISTE WISeKey Global Root GA CA" # Issuer: CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH @@ -6577,6 +6663,8 @@ CKA_VALUE MULTILINE_OCTAL \300\226\130\057\352\273\106\327\273\344\331\056 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Certigna" # Issuer: CN=Certigna,O=Dhimyotis,C=FR @@ -6706,6 +6794,8 @@ CKA_VALUE MULTILINE_OCTAL \246\210\070\316\125 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Cybertrust Global Root" # Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc" 
@@ -6873,6 +6963,8 @@ CKA_VALUE MULTILINE_OCTAL \201\370\021\234 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "ePKI Root Certification Authority" # Issuer: OU=ePKI Root Certification Authority,O="Chunghwa Telecom Co., Ltd.",C=TW @@ -6998,6 +7090,8 @@ CKA_VALUE MULTILINE_OCTAL \366\356\260\132\116\111\104\124\130\137\102\203 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "certSIGN ROOT CA" # Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO @@ -7146,6 +7240,8 @@ CKA_VALUE MULTILINE_OCTAL \021\055 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "GeoTrust Primary Certification Authority - G3" # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US @@ -7275,6 +7371,8 @@ CKA_VALUE MULTILINE_OCTAL \367\130\077\056\162\002\127\243\217\241\024\056 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "thawte Primary Root CA - G2" # Issuer: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US @@ -7435,6 +7533,8 @@ CKA_VALUE MULTILINE_OCTAL \061\324\100\032\142\064\066\077\065\001\256\254\143\240 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "thawte Primary Root CA - G3" # Issuer: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US 
@@ -7571,6 +7671,8 @@ CKA_VALUE MULTILINE_OCTAL \017\212 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "GeoTrust Primary Certification Authority - G2" # Issuer: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US @@ -7741,6 +7843,8 @@ CKA_VALUE MULTILINE_OCTAL \354\315\202\141\361\070\346\117\227\230\052\132\215 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "VeriSign Universal Root Certification Authority" # Issuer: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US @@ -7896,6 +8000,8 @@ CKA_VALUE MULTILINE_OCTAL \055\247\330\206\052\335\056\020 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US @@ -8056,6 +8162,8 @@ CKA_VALUE MULTILINE_OCTAL \330\316\304\143\165\077\131\107\261 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "NetLock Arany (Class Gold) Főtanúsítvány" # Issuer: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU 
@@ -8230,6 +8338,8 @@ CKA_VALUE MULTILINE_OCTAL \370\161\012\334\271\374\175\062\140\346\353\257\212\001 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Staat der Nederlanden Root CA - G2" # Issuer: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL @@ -8356,6 +8466,8 @@ CKA_VALUE MULTILINE_OCTAL \002\153\331\132 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Hongkong Post Root CA 1" # Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK @@ -8487,6 +8599,8 @@ CKA_VALUE MULTILINE_OCTAL \362 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "SecureSign RootCA11" # Issuer: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP @@ -8634,6 +8748,8 @@ CKA_VALUE MULTILINE_OCTAL \202\042\055\172\124\253\160\303\175\042\145\202\160\226 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Microsec e-Szigno Root CA 2009" # Issuer: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU @@ -8766,6 +8882,8 @@ CKA_VALUE MULTILINE_OCTAL \130\077\137 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "GlobalSign Root CA - R3" # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3 
@@ -8939,6 +9057,8 @@ CKA_VALUE MULTILINE_OCTAL \156\117\022\176\012\074\235\225 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068" # Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES @@ -9108,6 +9228,8 @@ CKA_VALUE MULTILINE_OCTAL \333\374\046\210\307 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Izenpe.com" # Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES @@ -9313,6 +9435,8 @@ CKA_VALUE MULTILINE_OCTAL \167\110\320 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Chambers of Commerce Root - 2008" # Issuer: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU @@ -9522,6 +9646,8 @@ CKA_VALUE MULTILINE_OCTAL \351\233\256\325\124\300\164\200\321\013\102\237\301 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Global Chambersign Root - 2008" # Issuer: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU @@ -9670,6 +9796,8 @@ CKA_VALUE MULTILINE_OCTAL \342\342\104\276\134\367\352\034\365 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Go Daddy Root Certificate Authority - G2" # Issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US 
@@ -9820,6 +9948,8 @@ CKA_VALUE MULTILINE_OCTAL \364 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Starfield Root Certificate Authority - G2" # Issuer: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US @@ -9972,6 +10102,8 @@ CKA_VALUE MULTILINE_OCTAL \261\050\272 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Starfield Services Root Certificate Authority - G2" # Issuer: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US @@ -10103,6 +10235,8 @@ CKA_VALUE MULTILINE_OCTAL \007\072\027\144\265\004\265\043\041\231\012\225\073\227\174\357 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "AffirmTrust Commercial" # Issuer: CN=AffirmTrust Commercial,O=AffirmTrust,C=US @@ -10229,6 +10363,8 @@ CKA_VALUE MULTILINE_OCTAL \355\132\000\124\205\034\026\066\222\014\134\372\246\255\277\333 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "AffirmTrust Networking" # Issuer: CN=AffirmTrust Networking,O=AffirmTrust,C=US @@ -10387,6 +10523,8 @@ CKA_VALUE MULTILINE_OCTAL \051\340\266\270\011\150\031\034\030\103 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "AffirmTrust Premium" # Issuer: CN=AffirmTrust Premium,O=AffirmTrust,C=US 
@@ -10493,6 +10631,8 @@ CKA_VALUE MULTILINE_OCTAL \214\171 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "AffirmTrust Premium ECC" # Issuer: CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US @@ -10632,6 +10772,8 @@ CKA_VALUE MULTILINE_OCTAL \326\267\064\365\176\316\071\232\331\070\361\121\367\117\054 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Certum Trusted Network CA" # Issuer: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL @@ -10768,6 +10910,8 @@ CKA_VALUE MULTILINE_OCTAL \274\060\376\173\016\063\220\373\355\322\024\221\037\007\257 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "TWCA Root Certification Authority" # Issuer: CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW @@ -11251,6 +11395,8 @@ CKA_VALUE MULTILINE_OCTAL \201\050\174\247\175\047\353\000\256\215\067 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Security Communication RootCA2" # Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP @@ -11434,6 +11580,8 @@ CKA_VALUE MULTILINE_OCTAL \371\210\075\176\270\157\156\003\344\102 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "EC-ACC" # Issuer: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES 
@@ -11597,6 +11745,8 @@ CKA_VALUE MULTILINE_OCTAL \113\321\047\327\270 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for Certificate "Hellenic Academic and Research Institutions RootCA 2011" # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR @@ -11833,6 +11983,8 @@ CKA_VALUE MULTILINE_OCTAL \216\362\024\212\314\351\265\174\373\154\235\014\245\341\226 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Actalis Authentication Root CA" # Issuer: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT @@ -11964,6 +12116,8 @@ CKA_VALUE MULTILINE_OCTAL \145\353\127\331\363\127\226\273\110\315\201 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Trustis FPS Root CA" # Issuer: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB @@ -12124,6 +12278,8 @@ CKA_VALUE MULTILINE_OCTAL \327\201\011\361\311\307\046\015\254\230\026\126\240 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Buypass Class 2 Root CA" # Issuer: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO @@ -12283,6 +12439,8 @@ CKA_VALUE MULTILINE_OCTAL \061\356\006\274\163\277\023\142\012\237\307\271\227 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Buypass Class 3 Root CA" # Issuer: CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO 
@@ -12425,6 +12583,8 @@ CKA_VALUE MULTILINE_OCTAL \116\223\303\244\124\024\133 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "T-TeleSec GlobalRoot Class 3" # Issuer: CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE @@ -12574,6 +12734,8 @@ CKA_VALUE MULTILINE_OCTAL \307\314\165\301\226\305\235 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "EE Certification Centre Root CA" # Issuer: E=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE @@ -12787,6 +12949,8 @@ CKA_VALUE MULTILINE_OCTAL \164\145\327\134\376\243\342 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "D-TRUST Root Class 3 CA 2 2009" # Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE @@ -12931,6 +13095,8 @@ CKA_VALUE MULTILINE_OCTAL \352\237\026\361\054\124\265 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "D-TRUST Root Class 3 CA 2 EV 2009" # Issuer: CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE @@ -13094,6 +13260,8 @@ CKA_VALUE MULTILINE_OCTAL \363\154\033\165\106\243\345\112\027\351\244\327\013 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "CA Disig Root R2" # Issuer: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK 
@@ -13294,6 +13462,8 @@ CKA_VALUE MULTILINE_OCTAL \125\064\106\052\213\206\073 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "ACCVRAIZ1" # Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1 @@ -13454,6 +13624,8 @@ CKA_VALUE MULTILINE_OCTAL \053\006\320\004\315 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "TWCA Global Root CA" # Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW @@ -13611,6 +13783,8 @@ CKA_VALUE MULTILINE_OCTAL \245\240\314\277\323\366\165\244\165\226\155\126 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "TeliaSonera Root CA v1" # Issuer: CN=TeliaSonera Root CA v1,O=TeliaSonera @@ -13799,6 +13973,8 @@ CKA_VALUE MULTILINE_OCTAL \243\253\157\134\035\266\176\350\263\202\064\355\006\134\044 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "E-Tugra Certification Authority" # Issuer: CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu..ra EBG Bili..im Teknolojileri ve Hizmetleri A....,L=Ankara,C=TR @@ -13948,6 +14124,8 @@ CKA_VALUE MULTILINE_OCTAL \005\047\216\023\241\156\302 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "T-TeleSec GlobalRoot Class 2" # Issuer: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE 
@@ -14079,6 +14257,8 @@ CKA_VALUE MULTILINE_OCTAL \035\362\376\011\021\260\360\207\173\247\235 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Atos TrustedRoot 2011" # Issuer: C=DE,O=Atos,CN=Atos TrustedRoot 2011 @@ -14239,6 +14419,8 @@ CKA_VALUE MULTILINE_OCTAL \063\140\345\303 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "QuoVadis Root CA 1 G3" # Issuer: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM @@ -14401,6 +14583,8 @@ CKA_VALUE MULTILINE_OCTAL \203\336\177\214 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "QuoVadis Root CA 2 G3" # Issuer: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM @@ -14563,6 +14747,8 @@ CKA_VALUE MULTILINE_OCTAL \130\371\230\364 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "QuoVadis Root CA 3 G3" # Issuer: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM @@ -14700,6 +14886,8 @@ CKA_VALUE MULTILINE_OCTAL \042\023\163\154\317\046\365\212\051\347 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "DigiCert Assured ID Root G2" # Issuer: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US @@ -14818,6 +15006,8 @@ CKA_VALUE MULTILINE_OCTAL \352\226\143\152\145\105\222\225\001\264 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "DigiCert Assured ID Root G3" # Issuer: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US 
@@ -14957,6 +15147,8 @@ CKA_VALUE MULTILINE_OCTAL \062\266 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "DigiCert Global Root G2" # Issuer: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US @@ -15075,6 +15267,8 @@ CKA_VALUE MULTILINE_OCTAL \263\047\027 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "DigiCert Global Root G3" # Issuer: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US @@ -15246,6 +15440,8 @@ CKA_VALUE MULTILINE_OCTAL \317\363\146\176 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "DigiCert Trusted Root G4" # Issuer: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US @@ -15425,6 +15621,8 @@ CKA_VALUE MULTILINE_OCTAL \065\123\205\006\112\135\237\255\273\033\137\164 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "COMODO RSA Certification Authority" # Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB @@ -15607,6 +15805,8 @@ CKA_VALUE MULTILINE_OCTAL \250\375 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "USERTrust RSA Certification Authority" # Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US 
@@ -15736,6 +15936,8 @@ CKA_VALUE MULTILINE_OCTAL \127\152\030 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "USERTrust ECC Certification Authority" # Issuer: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US @@ -15848,6 +16050,8 @@ CKA_VALUE MULTILINE_OCTAL \173\013\370\237\204 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "GlobalSign ECC Root CA - R4" # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4 @@ -15961,6 +16165,8 @@ CKA_VALUE MULTILINE_OCTAL \220\067 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "GlobalSign ECC Root CA - R5" # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5 @@ -16126,6 +16332,8 @@ CKA_VALUE MULTILINE_OCTAL \367\200\173\041\147\047\060\131 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Staat der Nederlanden Root CA - G3" # Issuer: CN=Staat der Nederlanden Root CA - G3,O=Staat der Nederlanden,C=NL @@ -16290,6 +16498,8 @@ CKA_VALUE MULTILINE_OCTAL \356\354\327\056 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Staat der Nederlanden EV Root CA" # Issuer: CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL 
@@ -16452,6 +16662,8 @@ CKA_VALUE MULTILINE_OCTAL \272\204\156\207 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "IdenTrust Commercial Root CA 1" # Issuer: CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US @@ -16614,6 +16826,8 @@ CKA_VALUE MULTILINE_OCTAL \267\254\266\255\267\312\076\001\357\234 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "IdenTrust Public Sector Root CA 1" # Issuer: CN=IdenTrust Public Sector Root CA 1,O=IdenTrust,C=US @@ -16773,6 +16987,8 @@ CKA_VALUE MULTILINE_OCTAL \105\366 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Entrust Root Certification Authority - G2" # Issuer: CN=Entrust Root Certification Authority - G2,OU="(c) 2009 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US @@ -16918,6 +17134,8 @@ CKA_VALUE MULTILINE_OCTAL \231\267\046\101\133\045\140\256\320\110\032\356\006 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Entrust Root Certification Authority - EC1" # Issuer: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US @@ -17091,6 +17309,8 @@ CKA_VALUE MULTILINE_OCTAL \056 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "CFCA EV ROOT" # Issuer: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN 
@@ -17230,6 +17450,8 @@ CKA_VALUE MULTILINE_OCTAL \065\255\201\307\116\161\272\210\023 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "OISTE WISeKey Global Root GB CA" # Issuer: CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH @@ -17365,6 +17587,8 @@ CKA_VALUE MULTILINE_OCTAL \326\040\036\343\163\267 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "SZAFIR ROOT CA2" # Issuer: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL @@ -17543,6 +17767,8 @@ CKA_VALUE MULTILINE_OCTAL \016\265\271\276\044\217 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Certum Trusted Network CA 2" # Issuer: CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL @@ -17730,6 +17956,8 @@ CKA_VALUE MULTILINE_OCTAL \276\157\152\247\365\054\102\355\062\255\266\041\236\276\274 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Hellenic Academic and Research Institutions RootCA 2015" # Issuer: CN=Hellenic Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR @@ -17866,6 +18094,8 @@ CKA_VALUE MULTILINE_OCTAL \342\174\352\002\130\042\221 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Hellenic Academic and Research Institutions ECC RootCA 2015" # Issuer: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR 
@@ -18035,6 +18265,8 @@ CKA_VALUE MULTILINE_OCTAL \376\216\036\127\242\315\100\235\176\142\042\332\336\030\047 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "ISRG Root X1" # Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US @@ -18198,6 +18430,8 @@ CKA_VALUE MULTILINE_OCTAL \072\117\110\366\213\266\263 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "AC RAIZ FNMT-RCM" # Issuer: OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES @@ -18323,6 +18557,8 @@ CKA_VALUE MULTILINE_OCTAL \304\220\276\361\271 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Amazon Root CA 1" # Issuer: CN=Amazon Root CA 1,O=Amazon,C=US @@ -18480,6 +18716,8 @@ CKA_VALUE MULTILINE_OCTAL \340\373\011\140\154 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Amazon Root CA 2" # Issuer: CN=Amazon Root CA 2,O=Amazon,C=US @@ -18580,6 +18818,8 @@ CKA_VALUE MULTILINE_OCTAL \143\044\110\034\337\060\175\325\150\073 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Amazon Root CA 3" # Issuer: CN=Amazon Root CA 3,O=Amazon,C=US @@ -18684,6 +18924,8 @@ CKA_VALUE MULTILINE_OCTAL \012\166\324\245\274\020 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Amazon Root CA 4" # Issuer: CN=Amazon Root CA 4,O=Amazon,C=US 
@@ -18851,6 +19093,8 @@ CKA_VALUE MULTILINE_OCTAL \045\307\043\200\203\012\353 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "LuxTrust Global Root 2" # Issuer: CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU @@ -19000,6 +19244,8 @@ CKA_VALUE MULTILINE_OCTAL \322\063\340\377\275\321\124\071\051\017 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Symantec Class 1 Public Primary Certification Authority - G6" # Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US @@ -19154,6 +19400,8 @@ CKA_VALUE MULTILINE_OCTAL \157\374\132\344\202\125\131\257\061\251 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Symantec Class 2 Public Primary Certification Authority - G6" # Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G6,OU=Symantec Trust Network,O=Symantec Corporation,C=US @@ -19287,6 +19535,8 @@ CKA_VALUE MULTILINE_OCTAL \362\014\105\111\071\277\231\004\034\323\020\240 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Symantec Class 1 Public Primary Certification Authority - G4" # Issuer: CN=Symantec Class 1 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US 
@@ -19420,6 +19670,8 @@ CKA_VALUE MULTILINE_OCTAL \051\246\330\107\331\240\226\030\333\362\105\263 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Symantec Class 2 Public Primary Certification Authority - G4" # Issuer: CN=Symantec Class 2 Public Primary Certification Authority - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US @@ -19565,6 +19817,8 @@ CKA_VALUE MULTILINE_OCTAL \137\134 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "D-TRUST Root CA 3 2013" # Issuer: CN=D-TRUST Root CA 3 2013,O=D-Trust GmbH,C=DE @@ -19727,6 +19981,8 @@ CKA_VALUE MULTILINE_OCTAL \237\042\136\242\017\241\343 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" # Issuer: CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR @@ -19902,6 +20158,8 @@ CKA_VALUE MULTILINE_OCTAL \250\267\101\154\007\335\275\074\206\227\057\322 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "GDCA TrustAUTH R5 ROOT" # Issuer: CN=GDCA TrustAUTH R5 ROOT,O="GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.",C=CN @@ -20057,6 +20315,8 @@ CKA_VALUE MULTILINE_OCTAL \132\171\054\031 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "TrustCor RootCert CA-1" # Issuer: CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA 
@@ -20248,6 +20508,8 @@ CKA_VALUE MULTILINE_OCTAL \326\354\011 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "TrustCor RootCert CA-2" # Issuer: CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA @@ -20404,6 +20666,8 @@ CKA_VALUE MULTILINE_OCTAL \264\237\327\346 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "TrustCor ECA-1" # Issuer: CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA @@ -20583,6 +20847,8 @@ CKA_VALUE MULTILINE_OCTAL \271 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "SSL.com Root Certification Authority RSA" # Issuer: CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US @@ -20707,6 +20973,8 @@ CKA_VALUE MULTILINE_OCTAL \145 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "SSL.com Root Certification Authority ECC" # Issuer: CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US @@ -20886,6 +21154,8 @@ CKA_VALUE MULTILINE_OCTAL \040\022\215\264\254\127\261\105\143\241\254\166\251\302\373 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "SSL.com EV Root Certification Authority RSA R2" # Issuer: CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US 
@@ -21013,6 +21283,8 @@ CKA_VALUE MULTILINE_OCTAL \371\007\340\142\232\214\134\112 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "SSL.com EV Root Certification Authority ECC" # Issuer: CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US @@ -21179,6 +21451,8 @@ CKA_VALUE MULTILINE_OCTAL \147\203\005\132\311\244\020 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "GlobalSign Root CA - R6" # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6 @@ -21296,6 +21570,8 @@ CKA_VALUE MULTILINE_OCTAL \242\355\357\173\260\200\117\130\017\113\123\071\275 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "OISTE WISeKey Global Root GC CA" # Issuer: CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH @@ -21459,6 +21735,8 @@ CKA_VALUE MULTILINE_OCTAL \361\306\143\107\125\034\272\245\010\121\165\246\110\045 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "GTS Root R1" # Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US @@ -21620,6 +21898,8 @@ CKA_VALUE MULTILINE_OCTAL \267\375\054\010\122\117\202\335\243\360\324\206\011\002 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "GTS Root R2" # Issuer: CN=GTS Root R2,O=Google Trust Services LLC,C=US 
@@ -21728,6 +22008,8 @@ CKA_VALUE MULTILINE_OCTAL \232\051\252\226\323\203\043\311\244\173\141\263\314\002\350\135 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "GTS Root R3" # Issuer: CN=GTS Root R3,O=Google Trust Services LLC,C=US @@ -21836,6 +22118,8 @@ CKA_VALUE MULTILINE_OCTAL \161\314\362\260\115\326\376\231\310\224\251\165\242\343 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "GTS Root R4" # Issuer: CN=GTS Root R4,O=Google Trust Services LLC,C=US @@ -21994,6 +22278,8 @@ CKA_VALUE MULTILINE_OCTAL \120\037\212\373\006\365\302\031\360\320 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "UCA Global G2 Root" # Issuer: CN=UCA Global G2 Root,O=UniTrust,C=CN @@ -22154,6 +22440,8 @@ CKA_VALUE MULTILINE_OCTAL \177\275\145\040\262\311\301\053\166\030\166\237\126\261 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "UCA Extended Validation Root" # Issuer: CN=UCA Extended Validation Root,O=UniTrust,C=CN @@ -22333,6 +22621,8 @@ CKA_VALUE MULTILINE_OCTAL \045\124\377\242\332\117\212\141\071\136\256\075\112\214\275 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Certigna Root CA" # Issuer: CN=Certigna Root CA,OU=0002 48146308100036,O=Dhimyotis,C=FR 
@@ -22470,6 +22760,8 @@ CKA_VALUE MULTILINE_OCTAL \210\336\272\314\037\200\176\112 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "emSign Root CA - G1" # Issuer: CN=emSign Root CA - G1,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN @@ -22587,6 +22879,8 @@ CKA_VALUE MULTILINE_OCTAL \054\243 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "emSign ECC Root CA - G3" # Issuer: CN=emSign ECC Root CA - G3,O=eMudhra Technologies Limited,OU=emSign PKI,C=IN @@ -22720,6 +23014,8 @@ CKA_VALUE MULTILINE_OCTAL \361\337\312\276\203\015\102 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "emSign Root CA - C1" # Issuer: CN=emSign Root CA - C1,O=eMudhra Inc,OU=emSign PKI,C=US @@ -22831,6 +23127,8 @@ CKA_VALUE MULTILINE_OCTAL \276\201\007\125\060\120\040\024\365\127\070\012\250\061\121 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "emSign ECC Root CA - C3" # Issuer: CN=emSign ECC Root CA - C3,O=eMudhra Inc,OU=emSign PKI,C=US @@ -23006,6 +23304,8 @@ CKA_VALUE MULTILINE_OCTAL \232\233\364 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Hongkong Post Root CA 3" # Issuer: CN=Hongkong Post Root CA 3,O=Hongkong Post,L=Hong Kong,ST=Hong Kong,C=HK diff --git a/security/nss/lib/ckfw/builtins/manifest.mn b/security/nss/lib/ckfw/builtins/manifest.mn index 7ac64bf0d2ac..5e6740f8937d 100644 --- a/security/nss/lib/ckfw/builtins/manifest.mn +++ b/security/nss/lib/ckfw/builtins/manifest.mn 
@@ -5,6 +5,8 @@ CORE_DEPTH = ../../.. +DIRS = testlib + MODULE = nss MAPFILE = $(OBJDIR)/nssckbi.def diff --git a/security/nss/lib/ckfw/builtins/nssckbi.h b/security/nss/lib/ckfw/builtins/nssckbi.h index 80ee118fb64d..d16d94b6be41 100644 --- a/security/nss/lib/ckfw/builtins/nssckbi.h +++ b/security/nss/lib/ckfw/builtins/nssckbi.h @@ -46,8 +46,8 @@ * It's recommend to switch back to 0 after having reached version 98/99. */ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 -#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 36 -#define NSS_BUILTINS_LIBRARY_VERSION "2.36" +#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 38 +#define NSS_BUILTINS_LIBRARY_VERSION "2.38" /* These version numbers detail the semantic changes to the ckfw engine. */ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 diff --git a/security/nss/lib/ckfw/builtins/testlib/Makefile b/security/nss/lib/ckfw/builtins/testlib/Makefile new file mode 100644 index 000000000000..0d85e2fdc49e --- /dev/null +++ b/security/nss/lib/ckfw/builtins/testlib/Makefile 
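Review bot: `DIRS = testlib` is added unconditionally, so every make build of the builtins module also builds the test trust module. certdata-testlib.txt in this same commit marks its test roots `CKT_NSS_TRUSTED_DELEGATOR` and says their private keys are kept in the same source folder; the certificates are expired, but a module like that is better left out of builds that do not run the gtests. If coreconf honours conditionals at this point in manifest.mn, guard the line: `ifndef NSS_DISABLE_GTESTS` / `DIRS = testlib` / `endif`. Whether packaging ever picks the library up is not visible in this hunk.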
@@ -0,0 +1,52 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+
+EXTRA_LIBS = \
+ $(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
+ $(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+ $(NULL)
+
+# If the OS_TARGET is WIN%, the path of shared libs could be different.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+# If using GCC, just inform the name of the libs.
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+ -L$(NSPR_LIB_DIR) \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
+ $(NULL)
+else # NS_USE_GCC - If not using GCC, inform the absolute path.
+EXTRA_SHARED_LIBS += \
+ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
+ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+ $(NULL)
+endif # NS_USE_GCC
+else # OS_TARGET != WIN
+EXTRA_SHARED_LIBS += \
+ -L$(NSPR_LIB_DIR) \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
+ $(NULL)
+endif # OS_TARGET
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+CFLAGS += -I$(CORE_DEPTH)/lib/ckfw/builtins
+
+# Generate certdata-testlib.c.
+ifndef NSS_CERTDATA-TESTLIB_TXT
+NSS_CERTDATA-TESTLIB_TXT = certdata-testlib.txt
+endif
+
+$(OBJDIR)/certdata-testlib.c: $(NSS_CERTDATA-TESTLIB_TXT)
+ @$(MAKE_OBJDIR)
+ $(PERL) ../certdata.perl $(NSS_CERTDATA-TESTLIB_TXT) $@
diff --git a/security/nss/lib/ckfw/builtins/testlib/builtins-testlib.gyp b/security/nss/lib/ckfw/builtins/testlib/builtins-testlib.gyp
new file mode 100644
index 000000000000..5437063241ac
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/testlib/builtins-testlib.gyp
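Review bot: The rule for `$(OBJDIR)/certdata-testlib.c` lists only the .txt input as a prerequisite, so a change to `../certdata.perl` will not regenerate the file and the test module can be built from stale generated data. The gyp action added in this commit names the generator scripts under `inputs`; the make rule should match it: `$(OBJDIR)/certdata-testlib.c: $(NSS_CERTDATA-TESTLIB_TXT) ../certdata.perl`. Separately, the hyphen in `NSS_CERTDATA-TESTLIB_TXT` means the `ifndef` override can be given on the make command line but not exported from a POSIX shell; `NSS_CERTDATA_TESTLIB_TXT` would avoid that.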
@@ -0,0 +1,64 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+ 'includes': [
+ '../../../../coreconf/config.gypi'
+ ],
+ 'targets': [
+ {
+ 'target_name': 'nssckbi-testlib',
+ 'type': 'shared_library',
+ 'sources': [
+ '../anchor.c',
+ '../bfind.c',
+ '../binst.c',
+ '../bobject.c',
+ '../bsession.c',
+ '../bslot.c',
+ '../btoken.c',
+ '../ckbiver.c',
+ '../constants.c',
+ '<(certdata-testlib_c)',
+ ],
+ 'dependencies': [
+ '<(DEPTH)/exports.gyp:nss_exports',
+ '<(DEPTH)/lib/ckfw/ckfw.gyp:nssckfw',
+ '<(DEPTH)/lib/base/base.gyp:nssb'
+ ],
+ 'actions': [
+ {
+ 'msvs_cygwin_shell': 0,
+ 'action': [
+ 'python',
+ '../certdata.py',
+ 'certdata-testlib.txt',
+ '<@(_outputs)',
+ ],
+ 'inputs': [
+ '../certdata.py',
+ '../certdata.perl',
+ 'certdata-testlib.txt'
+ ],
+ 'outputs': [
+ '<(certdata-testlib_c)'
+ ],
+ 'action_name': 'generate_certdata-testlib_c'
+ }
+ ],
+ 'variables': {
+ 'mapfile': '../nssckbi.def',
+ 'certdata-testlib_c': '<(INTERMEDIATE_DIR)/certdata-testlib.c',
+ }
+ }
+ ],
+ 'target_defaults': {
+ 'include_dirs': [
+ '.',
+ '..'
+ ]
+ },
+ 'variables': {
+ 'module': 'nss',
+ }
+}
diff --git a/security/nss/lib/ckfw/builtins/testlib/certdata-testlib.txt b/security/nss/lib/ckfw/builtins/testlib/certdata-testlib.txt
new file mode 100644
index 000000000000..f4e61961f70a
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/testlib/certdata-testlib.txt
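Review bot: Nothing in the `nssckbi-testlib` target says it is test-only, although it compiles the production builtins sources (`'../anchor.c'` through `'../constants.c'`) with the production `'mapfile': '../nssckbi.def'` and differs only in its certdata input. A comment above `'target_name'` would make that explicit, for example `# Test-only module for the distrust-field gtests: production builtins sources + certdata-testlib.txt.`, together with a reminder that the `sources` list has to track the list in the production builtins target. That the two lists must stay in sync is inferred from the relative paths; the production gyp file is not part of this hunk.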
@@ -0,0 +1,479 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# +# certdata-testlib.txt +# +# To safely test the Distrust Fields it was generated a testlib called: +# DLL_PREFIX+nssckbi-testlib+DLL_SUFFIX +# Example: libnssckbi-testlib.so, for Linux. +# +# This testlib is populated with three expired and self-signed certificates, as +# defined in this file. The only purpose of this testlib is to provide content +# to gtests defined in softoken_nssckbi_testlib_gtest.cc. +# +# The certificate and private key used here are stored in this same folder, +# in txt files named like: "testcert_.txt". +# +# We have three certificates here: +# 1 - no_distrust: +# - Both distrust fields are set with CK_FALSE, the default. +# +# 2 - ok_distrust: +# - Each distrust field is set with a different and valid date. +# +# 3 - err_distrust: +# - The server/tls distrust field is set with CK_TRUE. These fields must be +# CK_FALSE when no schedule is set. Otherwise, must hold a valid encoded + timestamp. +# - The email distrust field is set with an incomplete and invalid encoded +# timestamp. +# +# These fields are filled when the cert is loaded and cannot be changed. 
+# +BEGINDATA +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Test with Invalid NSS Builtin Trusted Roots" + +# +# Certificate "Distrust Fields Test - no_distrust" +# +# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST no_distrust +# Serial Number:73:f8:bc:37:a3:4a:5f:26:13:64:dc:4e:c6:58:4e:94:2a:24:22:b1 +# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST no_distrust +# Not Valid Before: Tue Jul 16 06:32:42 2019 +# Not Valid After : Fri Jul 26 06:32:42 2019 +# Fingerprint (SHA-256): 53:AD:AE:B1:D4:D8:B6:34:59:60:26:FA:0D:56:B0:98:0A:E0:8D:E3:90:E5:13:FA:E9:BE:EA:5D:D5:E6:79:02 +# Fingerprint (SHA1): 11:80:28:5A:A4:79:45:A2:AB:2F:A3:27:28:6A:CA:DB:0F:D7:30:FC +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Distrust Fields Test - no_distrust" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123 +\124\040\156\157\137\144\151\163\164\162\165\163\164\061\014\060 +\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006 +\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060 +\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013 +\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006 +\003\125\004\006\023\002\104\105 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123 +\124\040\156\157\137\144\151\163\164\162\165\163\164\061\014\060 +\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006 +\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060 +\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013 +\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006 +\003\125\004\006\023\002\104\105 +END +CKA_SERIAL_NUMBER 
MULTILINE_OCTAL +\002\024\163\370\274\067\243\112\137\046\023\144\334\116\306\130 +\116\224\052\044\042\261 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\003\255\060\202\002\225\240\003\002\001\002\002\024\163 +\370\274\067\243\112\137\046\023\144\334\116\306\130\116\224\052 +\044\042\261\060\015\006\011\052\206\110\206\367\015\001\001\013 +\005\000\060\146\061\031\060\027\006\003\125\004\003\014\020\124 +\105\123\124\040\156\157\137\144\151\163\164\162\165\163\164\061 +\014\060\012\006\003\125\004\013\014\003\116\123\123\061\020\060 +\016\006\003\125\004\013\014\007\115\157\172\151\154\154\141\061 +\015\060\013\006\003\125\004\007\014\004\124\105\123\124\061\015 +\060\013\006\003\125\004\010\014\004\124\105\123\124\061\013\060 +\011\006\003\125\004\006\023\002\104\105\060\036\027\015\061\071 +\060\067\061\066\060\066\063\062\064\062\132\027\015\061\071\060 +\067\062\066\060\066\063\062\064\062\132\060\146\061\031\060\027 +\006\003\125\004\003\014\020\124\105\123\124\040\156\157\137\144 +\151\163\164\162\165\163\164\061\014\060\012\006\003\125\004\013 +\014\003\116\123\123\061\020\060\016\006\003\125\004\013\014\007 +\115\157\172\151\154\154\141\061\015\060\013\006\003\125\004\007 +\014\004\124\105\123\124\061\015\060\013\006\003\125\004\010\014 +\004\124\105\123\124\061\013\060\011\006\003\125\004\006\023\002 +\104\105\060\202\001\042\060\015\006\011\052\206\110\206\367\015 +\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202 +\001\001\000\307\367\273\061\133\151\242\334\233\052\044\123\006 +\275\040\214\266\303\135\365\220\104\106\076\100\144\062\366\325 +\270\307\223\230\002\227\150\304\102\146\246\167\113\324\031\136 +\132\140\006\247\062\145\074\257\115\330\256\244\325\003\176\203 +\375\332\345\365\140\163\173\230\224\122\135\144\176\075\151\012 +\275\044\307\317\343\126\332\221\240\171\141\372\107\137\210\362 +\020\231\212\120\103\051\010\233\357\005\201\350\375\202\104\106 +\072\270\323\151\164\013\201\355\004\304\002\017\042\071\022\072 
+\223\061\266\353\220\057\130\221\255\024\166\125\241\212\054\132 +\056\120\222\072\332\275\356\037\232\026\344\336\043\052\074\112 +\006\246\100\266\254\065\301\167\276\170\027\127\054\302\254\146 +\171\327\314\305\264\077\044\101\347\105\337\267\051\110\041\113 +\302\043\214\036\015\357\330\167\037\204\353\362\021\232\254\220 +\271\171\170\306\077\016\353\045\376\171\154\125\323\326\363\136 +\230\333\160\242\231\016\300\041\221\045\262\053\035\243\351\363 +\233\013\073\002\233\030\152\324\132\270\203\240\163\167\272\142 +\052\326\053\002\003\001\000\001\243\123\060\121\060\035\006\003 +\125\035\016\004\026\004\024\272\015\343\222\236\200\244\163\217 +\005\277\352\147\036\243\071\077\241\274\346\060\037\006\003\125 +\035\043\004\030\060\026\200\024\272\015\343\222\236\200\244\163 +\217\005\277\352\147\036\243\071\077\241\274\346\060\017\006\003 +\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006 +\011\052\206\110\206\367\015\001\001\013\005\000\003\202\001\001 +\000\251\350\344\354\346\066\155\375\144\242\257\175\265\332\166 +\233\334\141\326\230\160\122\303\221\002\257\313\252\330\003\330 +\012\133\050\343\171\110\243\115\314\026\275\006\005\200\222\147 +\166\250\275\323\024\367\317\255\034\264\240\003\114\023\044\171 +\126\011\012\104\256\306\327\034\376\136\323\056\035\222\041\031 +\350\372\052\242\025\362\236\176\232\002\300\010\013\127\256\314 +\315\042\132\030\333\064\245\203\174\212\065\250\364\025\070\167 +\177\312\033\301\377\273\046\215\340\007\204\260\210\056\275\351 +\353\127\053\050\165\322\146\223\064\324\233\152\112\152\000\314 +\360\205\057\172\037\061\066\104\312\324\362\156\265\114\130\241 +\262\333\056\212\044\264\023\314\144\062\172\151\167\007\273\104 +\253\173\054\025\073\174\027\167\176\362\037\232\067\073\220\257 +\257\001\013\125\156\350\234\207\261\370\301\143\106\131\062\146 +\041\227\107\340\262\042\034\030\043\336\257\115\027\250\024\171 +\121\210\336\232\174\052\134\002\100\014\225\336\224\017\177\015 
+\354\253\245\347\057\340\214\070\003\375\266\023\017\001\373\236 +\030 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "Distrust Fields Test - no_distrust" +# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST no_distrust +# Serial Number:73:f8:bc:37:a3:4a:5f:26:13:64:dc:4e:c6:58:4e:94:2a:24:22:b1 +# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST no_distrust +# Not Valid Before: Tue Jul 16 06:32:42 2019 +# Not Valid After : Fri Jul 26 06:32:42 2019 +# Fingerprint (SHA-256): 53:AD:AE:B1:D4:D8:B6:34:59:60:26:FA:0D:56:B0:98:0A:E0:8D:E3:90:E5:13:FA:E9:BE:EA:5D:D5:E6:79:02 +# Fingerprint (SHA1): 11:80:28:5A:A4:79:45:A2:AB:2F:A3:27:28:6A:CA:DB:0F:D7:30:FC +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Distrust Fields Test - no_distrust" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\021\200\050\132\244\171\105\242\253\057\243\047\050\152\312\333 +\017\327\060\374 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\130\367\262\151\111\255\236\234\203\221\335\036\366\326\325\026 +END +CKA_ISSUER MULTILINE_OCTAL +\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123 +\124\040\156\157\137\144\151\163\164\162\165\163\164\061\014\060 +\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006 +\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060 +\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013 +\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006 +\003\125\004\006\023\002\104\105 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\163\370\274\067\243\112\137\046\023\144\334\116\306\130 +\116\224\052\044\042\261 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR 
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "Distrust Fields Test - ok_distrust" +# +# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST ok_distrust +# Serial Number:3a:44:dc:9d:54:3f:5f:aa:b8:26:4f:1d:f8:5a:47:36:29:3a:1b:bc +# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST ok_distrust +# Not Valid Before: Tue Jul 16 06:32:42 2019 +# Not Valid After : Fri Jul 26 06:32:42 2019 +# Fingerprint (SHA-256): BA:43:4C:9D:21:8E:E7:15:8E:4D:11:7E:5B:4B:EF:57:D3:01:6C:D7:E5:6B:7B:6C:85:62:35:44:44:59:FE:5B +# Fingerprint (SHA1): F6:4F:33:50:3D:DB:1C:3D:BE:BE:79:9F:D6:B6:21:3A:AA:D1:55:4F +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Distrust Fields Test - ok_distrust" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123 +\124\040\157\153\137\144\151\163\164\162\165\163\164\061\014\060 +\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006 +\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060 +\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013 +\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006 +\003\125\004\006\023\002\104\105 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123 +\124\040\157\153\137\144\151\163\164\162\165\163\164\061\014\060 +\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006 +\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060 +\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013 +\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006 +\003\125\004\006\023\002\104\105 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\072\104\334\235\124\077\137\252\270\046\117\035\370\132 +\107\066\051\072\033\274 +END +CKA_VALUE MULTILINE_OCTAL 
+\060\202\003\255\060\202\002\225\240\003\002\001\002\002\024\072 +\104\334\235\124\077\137\252\270\046\117\035\370\132\107\066\051 +\072\033\274\060\015\006\011\052\206\110\206\367\015\001\001\013 +\005\000\060\146\061\031\060\027\006\003\125\004\003\014\020\124 +\105\123\124\040\157\153\137\144\151\163\164\162\165\163\164\061 +\014\060\012\006\003\125\004\013\014\003\116\123\123\061\020\060 +\016\006\003\125\004\013\014\007\115\157\172\151\154\154\141\061 +\015\060\013\006\003\125\004\007\014\004\124\105\123\124\061\015 +\060\013\006\003\125\004\010\014\004\124\105\123\124\061\013\060 +\011\006\003\125\004\006\023\002\104\105\060\036\027\015\061\071 +\060\067\061\066\060\066\063\062\064\062\132\027\015\061\071\060 +\067\062\066\060\066\063\062\064\062\132\060\146\061\031\060\027 +\006\003\125\004\003\014\020\124\105\123\124\040\157\153\137\144 +\151\163\164\162\165\163\164\061\014\060\012\006\003\125\004\013 +\014\003\116\123\123\061\020\060\016\006\003\125\004\013\014\007 +\115\157\172\151\154\154\141\061\015\060\013\006\003\125\004\007 +\014\004\124\105\123\124\061\015\060\013\006\003\125\004\010\014 +\004\124\105\123\124\061\013\060\011\006\003\125\004\006\023\002 +\104\105\060\202\001\042\060\015\006\011\052\206\110\206\367\015 +\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202 +\001\001\000\272\036\174\330\225\102\315\034\063\337\145\114\060 +\061\036\024\065\051\216\357\013\150\107\361\256\217\363\066\326 +\124\247\034\227\202\315\151\263\237\125\340\377\047\125\050\016 +\152\210\355\141\202\062\263\233\300\152\220\356\200\026\124\001 +\163\305\024\357\315\374\220\267\370\170\316\022\056\216\161\145 +\341\324\121\271\026\306\026\250\121\201\107\254\231\142\046\012 +\043\260\242\356\051\303\206\277\341\377\304\117\066\373\340\073 +\143\076\347\363\157\130\317\271\165\333\127\015\316\267\117\055 +\232\240\271\116\250\160\364\271\224\203\215\137\267\066\271\377 +\177\014\337\033\326\312\374\320\247\053\107\345\355\127\067\007 
+\322\220\200\376\053\266\132\044\160\266\154\062\265\375\262\176 +\362\362\257\031\364\147\251\071\337\331\146\057\005\222\377\360 +\001\247\252\155\106\035\235\065\222\346\351\301\204\335\344\012 +\361\366\061\044\030\103\331\116\113\137\121\036\253\042\314\260 +\005\231\251\002\102\002\161\071\337\330\304\150\215\220\164\346 +\170\245\366\360\237\353\362\113\203\362\277\320\074\064\364\022 +\031\105\025\002\003\001\000\001\243\123\060\121\060\035\006\003 +\125\035\016\004\026\004\024\034\100\252\220\333\317\113\002\023 +\153\030\071\246\014\327\332\262\164\374\075\060\037\006\003\125 +\035\043\004\030\060\026\200\024\034\100\252\220\333\317\113\002 +\023\153\030\071\246\014\327\332\262\164\374\075\060\017\006\003 +\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006 +\011\052\206\110\206\367\015\001\001\013\005\000\003\202\001\001 +\000\042\041\036\227\272\132\106\356\112\272\302\204\014\360\134 +\331\034\364\137\063\334\045\076\321\034\117\361\311\254\177\017 +\236\076\121\327\155\046\347\241\205\367\254\061\211\276\011\117 +\057\364\175\370\016\226\062\004\211\153\047\356\343\064\350\250 +\231\007\041\164\014\374\216\235\206\203\156\310\013\360\342\237 +\103\025\274\237\325\106\321\163\123\036\363\051\136\074\205\102 +\270\127\146\303\060\022\057\104\073\102\030\325\123\376\037\106 +\143\113\011\164\167\374\075\327\362\002\265\127\234\367\302\114 +\371\374\251\106\221\343\004\047\227\125\316\024\046\366\370\207 +\077\025\236\122\116\020\241\072\211\140\100\043\010\105\105\351 +\304\130\373\313\345\272\232\334\230\011\013\335\261\230\202\353 +\155\003\353\233\152\241\212\064\246\152\300\246\356\357\106\071 +\347\211\144\275\212\014\035\247\112\221\131\070\230\122\367\317 +\134\060\254\155\061\234\364\077\161\256\236\175\077\242\240\353 +\161\360\355\362\337\215\172\055\123\332\352\264\026\124\012\363 +\040\124\052\027\300\076\174\012\272\370\377\264\170\150\343\226 +\105 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +# For Server Distrust After: 
Wed Jun 17 00:00:00 2020 +CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL +\062\060\060\066\061\067\060\060\060\060\060\060\132 +END +# For Email Distrust After: Sun Oct 14 08:53:20 2007 +CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL +\060\067\061\060\061\064\060\070\065\063\062\060\132 +END + +# Trust for "Distrust Fields Test - ok_distrust" +# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST ok_distrust +# Serial Number:3a:44:dc:9d:54:3f:5f:aa:b8:26:4f:1d:f8:5a:47:36:29:3a:1b:bc +# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST ok_distrust +# Not Valid Before: Tue Jul 16 06:32:42 2019 +# Not Valid After : Fri Jul 26 06:32:42 2019 +# Fingerprint (SHA-256): BA:43:4C:9D:21:8E:E7:15:8E:4D:11:7E:5B:4B:EF:57:D3:01:6C:D7:E5:6B:7B:6C:85:62:35:44:44:59:FE:5B +# Fingerprint (SHA1): F6:4F:33:50:3D:DB:1C:3D:BE:BE:79:9F:D6:B6:21:3A:AA:D1:55:4F +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Distrust Fields Test - ok_distrust" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\366\117\063\120\075\333\034\075\276\276\171\237\326\266\041\072 +\252\321\125\117 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\045\304\210\204\375\245\150\220\305\310\325\205\077\365\302\146 +END +CKA_ISSUER MULTILINE_OCTAL +\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123 +\124\040\157\153\137\144\151\163\164\162\165\163\164\061\014\060 +\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006 +\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060 +\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013 +\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006 +\003\125\004\006\023\002\104\105 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\072\104\334\235\124\077\137\252\270\046\117\035\370\132 +\107\066\051\072\033\274 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR 
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "Distrust Fields Test - err_distrust" +# +# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST err_distrust +# Serial Number:60:fe:b3:a1:c8:c1:30:fc:02:f0:90:9b:6b:b7:08:5e:78:e5:fb:dc +# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST err_distrust +# Not Valid Before: Tue Jul 16 06:32:42 2019 +# Not Valid After : Fri Jul 26 06:32:42 2019 +# Fingerprint (SHA-256): E0:80:A0:7E:D7:53:52:FB:71:B5:05:03:80:C3:DB:92:C7:90:3D:26:3F:26:D5:BF:E5:87:FC:7C:46:EC:F6:35 +# Fingerprint (SHA1): D4:54:DB:63:51:FB:68:61:DA:CD:61:D9:1B:F8:51:EB:CE:34:41:3D +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Distrust Fields Test - err_distrust" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\147\061\032\060\030\006\003\125\004\003\014\021\124\105\123 +\124\040\145\162\162\137\144\151\163\164\162\165\163\164\061\014 +\060\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016 +\006\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015 +\060\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060 +\013\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011 +\006\003\125\004\006\023\002\104\105 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\147\061\032\060\030\006\003\125\004\003\014\021\124\105\123 +\124\040\145\162\162\137\144\151\163\164\162\165\163\164\061\014 +\060\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016 +\006\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015 +\060\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060 +\013\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011 +\006\003\125\004\006\023\002\104\105 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\140\376\263\241\310\301\060\374\002\360\220\233\153\267 
+\010\136\170\345\373\334 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\003\257\060\202\002\227\240\003\002\001\002\002\024\140 +\376\263\241\310\301\060\374\002\360\220\233\153\267\010\136\170 +\345\373\334\060\015\006\011\052\206\110\206\367\015\001\001\013 +\005\000\060\147\061\032\060\030\006\003\125\004\003\014\021\124 +\105\123\124\040\145\162\162\137\144\151\163\164\162\165\163\164 +\061\014\060\012\006\003\125\004\013\014\003\116\123\123\061\020 +\060\016\006\003\125\004\013\014\007\115\157\172\151\154\154\141 +\061\015\060\013\006\003\125\004\007\014\004\124\105\123\124\061 +\015\060\013\006\003\125\004\010\014\004\124\105\123\124\061\013 +\060\011\006\003\125\004\006\023\002\104\105\060\036\027\015\061 +\071\060\067\061\066\060\066\063\062\064\062\132\027\015\061\071 +\060\067\062\066\060\066\063\062\064\062\132\060\147\061\032\060 +\030\006\003\125\004\003\014\021\124\105\123\124\040\145\162\162 +\137\144\151\163\164\162\165\163\164\061\014\060\012\006\003\125 +\004\013\014\003\116\123\123\061\020\060\016\006\003\125\004\013 +\014\007\115\157\172\151\154\154\141\061\015\060\013\006\003\125 +\004\007\014\004\124\105\123\124\061\015\060\013\006\003\125\004 +\010\014\004\124\105\123\124\061\013\060\011\006\003\125\004\006 +\023\002\104\105\060\202\001\042\060\015\006\011\052\206\110\206 +\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012 +\002\202\001\001\000\321\114\327\160\070\075\364\033\323\322\310 +\337\270\071\333\312\356\066\304\105\170\071\227\203\335\012\013 +\107\004\165\264\325\014\054\103\051\007\017\224\166\330\057\051 +\342\232\254\326\232\070\331\265\140\205\234\202\074\320\375\103 +\303\343\216\056\215\317\155\142\311\354\245\047\050\257\046\365 +\156\124\272\245\172\016\122\145\054\326\357\136\112\364\352\012 +\360\112\207\363\316\036\254\155\214\216\362\261\021\270\016\171 +\011\323\105\072\206\344\141\267\256\065\367\315\022\225\133\165 +\351\066\167\326\262\122\370\233\222\107\067\307\272\145\242\157 
+\377\054\262\175\172\161\140\032\335\161\323\037\307\261\315\245 +\377\044\110\201\124\142\337\146\162\032\344\366\101\235\252\263 +\226\153\343\046\300\231\240\025\241\031\202\232\374\221\176\240 +\061\234\071\330\116\171\150\046\307\102\160\104\377\320\147\263 +\165\312\377\246\235\175\001\063\246\003\273\247\254\123\321\063 +\373\316\220\012\056\200\314\354\341\037\065\370\112\322\065\346 +\363\067\023\034\365\011\267\320\247\227\332\276\175\246\060\010 +\117\253\217\234\337\002\003\001\000\001\243\123\060\121\060\035 +\006\003\125\035\016\004\026\004\024\121\202\330\003\344\310\170 +\002\314\331\364\031\015\224\214\027\241\373\266\000\060\037\006 +\003\125\035\043\004\030\060\026\200\024\121\202\330\003\344\310 +\170\002\314\331\364\031\015\224\214\027\241\373\266\000\060\017 +\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060 +\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202 +\001\001\000\162\225\235\140\215\374\232\051\167\366\325\002\006 +\370\057\245\115\123\201\060\371\363\301\340\132\123\100\026\372 +\012\277\245\017\030\047\005\244\057\243\057\374\331\317\063\177 +\117\204\065\314\313\046\140\345\151\256\107\160\253\027\022\137 +\271\022\310\365\273\273\171\346\123\224\215\004\035\032\365\243 +\047\030\246\342\022\121\155\315\117\320\244\313\240\061\136\030 +\310\005\112\006\244\176\042\054\235\221\145\123\156\276\001\163 +\043\233\071\147\143\031\377\035\031\223\224\176\025\065\225\052 +\015\357\036\360\306\152\056\171\341\071\151\330\064\110\100\172 +\126\160\243\166\277\133\102\210\341\032\203\002\003\042\073\252 +\116\376\043\112\377\337\231\301\314\227\016\111\106\131\260\045 +\315\266\000\015\337\301\213\276\141\250\344\261\152\024\350\361 +\246\301\242\066\335\330\263\373\230\211\320\047\235\266\254\347 +\371\101\126\046\111\001\250\373\233\031\371\304\374\167\271\144 +\025\277\276\355\216\067\024\012\121\231\256\205\335\264\207\047 +\231\317\306\103\273\262\234\240\153\152\063\071\151\254\113\314 +\336\067\230 +END 
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_TRUE +# For Email Distrust After: Sun Oct 14 08:53:20 2007 # Missing \132 at end +CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL +\060\067\061\060\061\064\060\070\065\063\062\060 +END + +# Trust for "Distrust Fields Test - err_distrust" +# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST err_distrust +# Serial Number:60:fe:b3:a1:c8:c1:30:fc:02:f0:90:9b:6b:b7:08:5e:78:e5:fb:dc +# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST err_distrust +# Not Valid Before: Tue Jul 16 06:32:42 2019 +# Not Valid After : Fri Jul 26 06:32:42 2019 +# Fingerprint (SHA-256): E0:80:A0:7E:D7:53:52:FB:71:B5:05:03:80:C3:DB:92:C7:90:3D:26:3F:26:D5:BF:E5:87:FC:7C:46:EC:F6:35 +# Fingerprint (SHA1): D4:54:DB:63:51:FB:68:61:DA:CD:61:D9:1B:F8:51:EB:CE:34:41:3D +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Distrust Fields Test - err_distrust" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\324\124\333\143\121\373\150\141\332\315\141\331\033\370\121\353 +\316\064\101\075 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\105\150\314\050\103\366\315\141\322\277\363\133\217\305\124\273 +END +CKA_ISSUER MULTILINE_OCTAL +\060\147\061\032\060\030\006\003\125\004\003\014\021\124\105\123 +\124\040\145\162\162\137\144\151\163\164\162\165\163\164\061\014 +\060\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016 +\006\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015 +\060\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060 +\013\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011 +\006\003\125\004\006\023\002\104\105 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\024\140\376\263\241\310\301\060\374\002\360\220\233\153\267 +\010\136\170\345\373\334 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING 
CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE diff --git a/security/nss/lib/ckfw/builtins/testlib/config.mk b/security/nss/lib/ckfw/builtins/testlib/config.mk new file mode 100644 index 000000000000..39a39dae9bfc --- /dev/null +++ b/security/nss/lib/ckfw/builtins/testlib/config.mk @@ -0,0 +1,38 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# +# Override TARGETS variable so that only shared libraries +# are specifed as dependencies within rules.mk. +# + +TARGETS = $(SHARED_LIBRARY) +LIBRARY = +IMPORT_LIBRARY = +PROGRAM = + +ifeq (,$(filter-out WIN%,$(OS_TARGET))) + SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX) + RES = $(OBJDIR)/$(LIBRARY_NAME).res + RESNAME = $(LIBRARY_NAME).rc +endif + +ifdef BUILD_IDG + DEFINES += -DNSSDEBUG +endif + +# Needed for compilation of $(OBJDIR)/certdata.c +INCLUDES += -I. + +# +# To create a loadable module on Darwin, we must use -bundle. +# +ifeq ($(OS_TARGET),Darwin) +DSO_LDOPTS = -bundle +endif + +ifdef USE_GCOV +DSO_LDOPTS += --coverage +endif diff --git a/security/nss/lib/ckfw/builtins/testlib/manifest.mn b/security/nss/lib/ckfw/builtins/testlib/manifest.mn new file mode 100644 index 000000000000..4500a903eb63 --- /dev/null +++ b/security/nss/lib/ckfw/builtins/testlib/manifest.mn @@ -0,0 +1,25 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +CORE_DEPTH = ../../../.. + +MODULE = nss + +CSRCS = \ + ../anchor.c \ + ../bfind.c \ + ../binst.c \ + ../bobject.c \ + ../bsession.c \ + ../bslot.c \ + ../btoken.c \ + ../ckbiver.c \ + ../constants.c \ + certdata-testlib.c \ + $(NULL) + +REQUIRES = nspr + +LIBRARY_NAME = nssckbi-testlib 
diff --git a/security/nss/lib/ckfw/builtins/testlib/nssckbi-testlib.rc b/security/nss/lib/ckfw/builtins/testlib/nssckbi-testlib.rc new file mode 100644 index 000000000000..260cc5ae0c5e --- /dev/null +++ b/security/nss/lib/ckfw/builtins/testlib/nssckbi-testlib.rc @@ -0,0 +1,52 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "../nssckbi.h" +#include + +#define MY_LIBNAME "nssckbi-testlib" +#define MY_FILEDESCRIPTION "A Test of NSS Builtin Trusted Roots (testlib)" +#define MY_FILEFLAGS_1 0x0L + +#ifdef WINNT +#define MY_FILEOS VOS_NT_WINDOWS32 +#else +#define MY_FILEOS VOS__WINDOWS32 +#endif + +#define MY_INTERNAL_NAME MY_LIBNAME + +///////////////////////////////////////////////////////////////////////////// +// +// Version-information resource +// + +VS_VERSION_INFO VERSIONINFO + FILEVERSION NSS_BUILTINS_LIBRARY_VERSION_MAJOR,NSS_BUILTINS_LIBRARY_VERSION_MINOR,0,0 + PRODUCTVERSION NSS_BUILTINS_LIBRARY_VERSION_MAJOR,NSS_BUILTINS_LIBRARY_VERSION_MINOR,0,0 + FILEFLAGSMASK VS_FFI_FILEFLAGSMASK + FILEFLAGS MY_FILEFLAGS_1 + FILEOS MY_FILEOS + FILETYPE VFT_DLL + FILESUBTYPE 0x0L // not used + +BEGIN + BLOCK "StringFileInfo" + BEGIN + BLOCK "040904B0" // Lang=US English, CharSet=Unicode + BEGIN + VALUE "CompanyName", "Mozilla Foundation\0" + VALUE "FileDescription", MY_FILEDESCRIPTION "\0" + VALUE "FileVersion", NSS_BUILTINS_LIBRARY_VERSION "\0" + VALUE "InternalName", MY_INTERNAL_NAME "\0" + VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0" + VALUE "ProductName", "Network Security Services\0" + VALUE "ProductVersion", NSS_BUILTINS_LIBRARY_VERSION "\0" + END + END + BLOCK "VarFileInfo" + BEGIN + VALUE "Translation", 0x409, 1200 + END +END 
diff --git a/security/nss/lib/ckfw/builtins/testlib/testcert_err_distrust.txt b/security/nss/lib/ckfw/builtins/testlib/testcert_err_distrust.txt new file mode 100644 index 000000000000..3f0e1983f101 --- /dev/null +++ b/security/nss/lib/ckfw/builtins/testlib/testcert_err_distrust.txt 
@@ -0,0 +1,50 @@ +-----BEGIN CERTIFICATE----- +MIIDrzCCApegAwIBAgIUYP6zocjBMPwC8JCba7cIXnjl+9wwDQYJKoZIhvcNAQEL +BQAwZzEaMBgGA1UEAwwRVEVTVCBlcnJfZGlzdHJ1c3QxDDAKBgNVBAsMA05TUzEQ +MA4GA1UECwwHTW96aWxsYTENMAsGA1UEBwwEVEVTVDENMAsGA1UECAwEVEVTVDEL +MAkGA1UEBhMCREUwHhcNMTkwNzE2MDYzMjQyWhcNMTkwNzI2MDYzMjQyWjBnMRow +GAYDVQQDDBFURVNUIGVycl9kaXN0cnVzdDEMMAoGA1UECwwDTlNTMRAwDgYDVQQL +DAdNb3ppbGxhMQ0wCwYDVQQHDARURVNUMQ0wCwYDVQQIDARURVNUMQswCQYDVQQG +EwJERTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANFM13A4PfQb09LI +37g528ruNsRFeDmXg90KC0cEdbTVDCxDKQcPlHbYLynimqzWmjjZtWCFnII80P1D +w+OOLo3PbWLJ7KUnKK8m9W5UuqV6DlJlLNbvXkr06grwSofzzh6sbYyO8rERuA55 +CdNFOobkYbeuNffNEpVbdek2d9ayUvibkkc3x7plom//LLJ9enFgGt1x0x/Hsc2l +/yRIgVRi32ZyGuT2QZ2qs5Zr4ybAmaAVoRmCmvyRfqAxnDnYTnloJsdCcET/0Gez +dcr/pp19ATOmA7unrFPRM/vOkAougMzs4R81+ErSNebzNxMc9Qm30KeX2r59pjAI +T6uPnN8CAwEAAaNTMFEwHQYDVR0OBBYEFFGC2APkyHgCzNn0GQ2UjBeh+7YAMB8G +A1UdIwQYMBaAFFGC2APkyHgCzNn0GQ2UjBeh+7YAMA8GA1UdEwEB/wQFMAMBAf8w +DQYJKoZIhvcNAQELBQADggEBAHKVnWCN/Jopd/bVAgb4L6VNU4Ew+fPB4FpTQBb6 +Cr+lDxgnBaQvoy/82c8zf0+ENczLJmDlaa5HcKsXEl+5Esj1u7t55lOUjQQdGvWj +Jxim4hJRbc1P0KTLoDFeGMgFSgakfiIsnZFlU26+AXMjmzlnYxn/HRmTlH4VNZUq +De8e8MZqLnnhOWnYNEhAelZwo3a/W0KI4RqDAgMiO6pO/iNK/9+ZwcyXDklGWbAl +zbYADd/Bi75hqOSxahTo8abBojbd2LP7mInQJ522rOf5QVYmSQGo+5sZ+cT8d7lk +Fb++7Y43FApRma6F3bSHJ5nPxkO7spyga2ozOWmsS8zeN5g= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDRTNdwOD30G9PS +yN+4OdvK7jbERXg5l4PdCgtHBHW01QwsQykHD5R22C8p4pqs1po42bVghZyCPND9 +Q8Pjji6Nz21iyeylJyivJvVuVLqleg5SZSzW715K9OoK8EqH884erG2MjvKxEbgO +eQnTRTqG5GG3rjX3zRKVW3XpNnfWslL4m5JHN8e6ZaJv/yyyfXpxYBrdcdMfx7HN +pf8kSIFUYt9mchrk9kGdqrOWa+MmwJmgFaEZgpr8kX6gMZw52E55aCbHQnBE/9Bn +s3XK/6adfQEzpgO7p6xT0TP7zpAKLoDM7OEfNfhK0jXm8zcTHPUJt9Cnl9q+faYw +CE+rj5zfAgMBAAECggEAfgyGDtqATTxZFK/PNFb8DLnsF8YywpSCYKOE6S9BaDeK +jjmgQtVaNzy5IsOLHZ5c4PIUbt3oxPK1dmHSXoApf1Q173HmaAwuT1XqJ5k1kyTv +7SVrnMIqCoB3V0Eh0cC+GPEFRMpuVL90FptElI0z0ztFsmZjsCo8D+E2IM6h25UQ 
+MiZmJNb2qk+64Ef9yiKyUBA15y7zBUOIsRMDQlREpHA0T6N2YC1b98r73RHYHc8O ++rQixX4ZtB0gl97nKdOjEX9ECfwd5nUXVUFNMthozYMy2VmpU9eH3zP33vcZNvaD +5GX2lvSkWLXEb6Zc/yWdBPrijSVeD+qwZ6tDBPgskQKBgQD4EbzuiFLEoFE/IdCD +zP1cj28kmUU6oQJDk2TNlsQ3q6jbSoMCXqEfVF9RFcTkvCnV1GkrwjoM8vhYaL+x +OCGRIvOqzsDwvyd3lbsDM3pVw6j64zRjR1JkdOK23sCj10cVEYYqDozVHILPYmEL +hEEYk7FqfPY1uqKL6zGnWhX81wKBgQDX/c6i8kOJjO7YWoG4Z2hPUJJCM/q3Ws1b +XK2m6qddYPV5zOv2geknAC71WqOgVnLM/pNrPpd2p1kMjRPqKKUL0z7XONp8+6ii +9EB+CEwUB/1kA/GFl5sAcOv9uGqMrXeWoAzeoyeBE/MscfANY0tROfvXvpYhYl3S +SlCfy0UXOQKBgFfKJzufQPNW7QnTlLBgJjXQiPvBxi82dc+mZOEg/vXYqRxaJTz8 +cjbdLBJNCu4L7R5AWqviw5p7jgnzoAs+mxp67RLAsqVAcN4wPgum9x9M7AtFxu9v +eSgV+XnQIQqakAxTtFBD7/Enct+jqEZkGolxEzNlX9ip4QZ1SJA6IFfnAoGBAJLN +F6faXxrbJe74vNgXuGbIDVBfwdTjK1YgTIp5TF2EK/On2uzFaTEvx7rM6w9sEkTP +9mRau1lS7oxASrvI+jxqTHi9VIrEBN8UgcznWMX4lDlpELvKyffnyA2/TPPmZrSC +fZzIaW4qoAmiOxTuWt+POGNvTtzL3ZazGc8xufjJAoGAbDCQGFIEo4DVOVEgI1sM +rmK9sOBjHO1306HL/gKqJo/CVSwLpwjErCLr1w0LUGG8SRup3VyZSTJTh15F3Pfk ++N6nVrhCTag6vF/E3/VTZ3BwgvOLT3XqUTprntQUPXA+Dk+Fdem4dgHvknRDwz99 +APZYdtb09hSETdUJmgd376g= +-----END PRIVATE KEY----- diff --git a/security/nss/lib/ckfw/builtins/testlib/testcert_no_distrust.txt b/security/nss/lib/ckfw/builtins/testlib/testcert_no_distrust.txt new file mode 100644 index 000000000000..78a57c114bf8 --- /dev/null +++ b/security/nss/lib/ckfw/builtins/testlib/testcert_no_distrust.txt 
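Review bot: The testcert_*.txt files check in the RSA private keys for roots that the certdata entries earlier in this commit mark `CKT_NSS_TRUSTED_DELEGATOR` with `CKA_NSS_MOZILLA_CA_POLICY` set, so these roots offer no assurance anywhere the nssckbi-testlib module is loaded. The certificates expired on 26 Jul 2019, which limits the exposure only where validity dates are enforced. Nothing visible in config.mk or manifest.mn marks the library as test-only or keeps it out of packaged builds, so a header comment there would help, for example `# Test-only module: the private keys for these roots are public; never ship or load it outside the test suite.` The same applies to testcert_no_distrust.txt and testcert_ok_distrust.txt.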
@@ -0,0 +1,50 @@ +-----BEGIN CERTIFICATE----- +MIIDrTCCApWgAwIBAgIUc/i8N6NKXyYTZNxOxlhOlCokIrEwDQYJKoZIhvcNAQEL +BQAwZjEZMBcGA1UEAwwQVEVTVCBub19kaXN0cnVzdDEMMAoGA1UECwwDTlNTMRAw +DgYDVQQLDAdNb3ppbGxhMQ0wCwYDVQQHDARURVNUMQ0wCwYDVQQIDARURVNUMQsw +CQYDVQQGEwJERTAeFw0xOTA3MTYwNjMyNDJaFw0xOTA3MjYwNjMyNDJaMGYxGTAX +BgNVBAMMEFRFU1Qgbm9fZGlzdHJ1c3QxDDAKBgNVBAsMA05TUzEQMA4GA1UECwwH +TW96aWxsYTENMAsGA1UEBwwEVEVTVDENMAsGA1UECAwEVEVTVDELMAkGA1UEBhMC +REUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDH97sxW2mi3JsqJFMG +vSCMtsNd9ZBERj5AZDL21bjHk5gCl2jEQmamd0vUGV5aYAanMmU8r03YrqTVA36D +/drl9WBze5iUUl1kfj1pCr0kx8/jVtqRoHlh+kdfiPIQmYpQQykIm+8Fgej9gkRG +OrjTaXQLge0ExAIPIjkSOpMxtuuQL1iRrRR2VaGKLFouUJI62r3uH5oW5N4jKjxK +BqZAtqw1wXe+eBdXLMKsZnnXzMW0PyRB50XftylIIUvCI4weDe/Ydx+E6/IRmqyQ +uXl4xj8O6yX+eWxV09bzXpjbcKKZDsAhkSWyKx2j6fObCzsCmxhq1Fq4g6Bzd7pi +KtYrAgMBAAGjUzBRMB0GA1UdDgQWBBS6DeOSnoCkc48Fv+pnHqM5P6G85jAfBgNV +HSMEGDAWgBS6DeOSnoCkc48Fv+pnHqM5P6G85jAPBgNVHRMBAf8EBTADAQH/MA0G +CSqGSIb3DQEBCwUAA4IBAQCp6OTs5jZt/WSir3212nab3GHWmHBSw5ECr8uq2APY +Clso43lIo03MFr0GBYCSZ3aovdMU98+tHLSgA0wTJHlWCQpErsbXHP5e0y4dkiEZ +6PoqohXynn6aAsAIC1euzM0iWhjbNKWDfIo1qPQVOHd/yhvB/7smjeAHhLCILr3p +61crKHXSZpM01JtqSmoAzPCFL3ofMTZEytTybrVMWKGy2y6KJLQTzGQyeml3B7tE +q3ssFTt8F3d+8h+aNzuQr68BC1Vu6JyHsfjBY0ZZMmYhl0fgsiIcGCPer00XqBR5 +UYjemnwqXAJADJXelA9/Deyrpecv4Iw4A/22Ew8B+54Y +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDH97sxW2mi3Jsq +JFMGvSCMtsNd9ZBERj5AZDL21bjHk5gCl2jEQmamd0vUGV5aYAanMmU8r03YrqTV +A36D/drl9WBze5iUUl1kfj1pCr0kx8/jVtqRoHlh+kdfiPIQmYpQQykIm+8Fgej9 +gkRGOrjTaXQLge0ExAIPIjkSOpMxtuuQL1iRrRR2VaGKLFouUJI62r3uH5oW5N4j +KjxKBqZAtqw1wXe+eBdXLMKsZnnXzMW0PyRB50XftylIIUvCI4weDe/Ydx+E6/IR +mqyQuXl4xj8O6yX+eWxV09bzXpjbcKKZDsAhkSWyKx2j6fObCzsCmxhq1Fq4g6Bz +d7piKtYrAgMBAAECggEALCE4t3DEBEQJHii8Be2xBDzFKrQprVePH2i9conB6JFi +55eAcGdy/eOv4VPj5a/xZ+6QNu89D8ei6ruFrR1VtJANRA8PohP3NllBti+/hCFw +eGxPefnfL8cq/yNawF0SEBpyMMsw2ZdM0r1v0cvdxBIuoOeAZh/XkH1t+N7iYwLm 
+Kbkfzp7qVPDxghavODEX2GnWptNONomglHj/DcQtpCJfff9SgqtG8j9M+YX2mzfb +yoPy3scOvknfGqMlCtz5ilGHMXACq1JqzPfAz2FPVSB5ROHLQyt8PQQVfp8QSrkk +4LTqR7Z0H5NRxj35sfJn1C1J/wFw3bkmy5CxgyCtwQKBgQDyYl3yIlm6U9i4c7b8 +3aNzsdDcbRYi+Dvvi59QVNqf03Fct+PP2ThBTbpw0TTsWh947PJli1JUnLamGpeO +3ZUnpEFctXFWInX0ghsATc0zdxjWeX6VoIf+9tSqO5yCmqtZxslZUXTcvDi1XAK7 +1FPsrHvsiFzD2b3b930MpT7qoQKBgQDTM2N0NdJ1hQneOBp3wvrAlzRXxBYsaM83 +O32ek3ZFVAwpqNPt6w8PjcCRq0ej8w6v4EeR1Hqc4Mol0TnzTbIoYMB+eyqsGjTi +7rL0Z9f+dDzGNlGssCplu72oHLF8TJq9aoh36wUMH8hc473M2ZCrjcUAudrWYEkc +0GIr0hZ5SwKBgHi6XDbVu0Ger8y3/kYXE2n2AKU6RJNod1oKfnDhwv9mrwlSossN +VALa92loGuc6wIBX7Sh866YvZJ55klHbtoZHPzMxQOF5Sq1d/Jr7JaFjyeBSJaXb +jsGFKkocZQl8hqqx4+p0MzQbIFfdG5N439B73UHkbegzVWjx7bxVtm/hAoGBAMl5 +kVuP6JhRdKt3i9BJwZmt5LIBDkIJLfv7lYeMFtxmJEAtnRavESv+RwDviyUcvhsL +clrsfpdfXZgb8xNmQBmCyr8d0gRh76e4nCDJW2STEFLqCJobaCaqpW9VB/+SuF8P +3OXA3ozFWQc7/pkHx5nQYWmi4t909Oo25B/3h5bnAoGBAIzm30BPZpMLyGvPCFIJ +O2Rycvb4bDUU0J8cAVnvsAP6POWBYD0H6rHioZnRz6V3ZBibg+jvzXBiRAqm4n2e +yRduP/3m6a3BKhYyplZEV1cUCnnUvQtusWiv61E/mDnPGco3sljUfCbvo1h1Juuq +io2guvIg0tE5WSQr9spqy+o8 +-----END PRIVATE KEY----- diff --git a/security/nss/lib/ckfw/builtins/testlib/testcert_ok_distrust.txt b/security/nss/lib/ckfw/builtins/testlib/testcert_ok_distrust.txt new file mode 100644 index 000000000000..3aacc173d93b --- /dev/null +++ b/security/nss/lib/ckfw/builtins/testlib/testcert_ok_distrust.txt 
@@ -0,0 +1,50 @@ +-----BEGIN CERTIFICATE----- +MIIDrTCCApWgAwIBAgIUOkTcnVQ/X6q4Jk8d+FpHNik6G7wwDQYJKoZIhvcNAQEL +BQAwZjEZMBcGA1UEAwwQVEVTVCBva19kaXN0cnVzdDEMMAoGA1UECwwDTlNTMRAw +DgYDVQQLDAdNb3ppbGxhMQ0wCwYDVQQHDARURVNUMQ0wCwYDVQQIDARURVNUMQsw +CQYDVQQGEwJERTAeFw0xOTA3MTYwNjMyNDJaFw0xOTA3MjYwNjMyNDJaMGYxGTAX +BgNVBAMMEFRFU1Qgb2tfZGlzdHJ1c3QxDDAKBgNVBAsMA05TUzEQMA4GA1UECwwH +TW96aWxsYTENMAsGA1UEBwwEVEVTVDENMAsGA1UECAwEVEVTVDELMAkGA1UEBhMC +REUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6HnzYlULNHDPfZUww +MR4UNSmO7wtoR/Guj/M21lSnHJeCzWmzn1Xg/ydVKA5qiO1hgjKzm8BqkO6AFlQB +c8UU7838kLf4eM4SLo5xZeHUUbkWxhaoUYFHrJliJgojsKLuKcOGv+H/xE82++A7 +Yz7n829Yz7l121cNzrdPLZqguU6ocPS5lIONX7c2uf9/DN8b1sr80KcrR+XtVzcH +0pCA/iu2WiRwtmwytf2yfvLyrxn0Z6k539lmLwWS//ABp6ptRh2dNZLm6cGE3eQK +8fYxJBhD2U5LX1EeqyLMsAWZqQJCAnE539jEaI2QdOZ4pfbwn+vyS4Pyv9A8NPQS +GUUVAgMBAAGjUzBRMB0GA1UdDgQWBBQcQKqQ289LAhNrGDmmDNfasnT8PTAfBgNV +HSMEGDAWgBQcQKqQ289LAhNrGDmmDNfasnT8PTAPBgNVHRMBAf8EBTADAQH/MA0G +CSqGSIb3DQEBCwUAA4IBAQAiIR6XulpG7kq6woQM8FzZHPRfM9wlPtEcT/HJrH8P +nj5R120m56GF96wxib4JTy/0ffgOljIEiWsn7uM06KiZByF0DPyOnYaDbsgL8OKf +QxW8n9VG0XNTHvMpXjyFQrhXZsMwEi9EO0IY1VP+H0ZjSwl0d/w91/ICtVec98JM ++fypRpHjBCeXVc4UJvb4hz8VnlJOEKE6iWBAIwhFRenEWPvL5bqa3JgJC92xmILr +bQPrm2qhijSmasCm7u9GOeeJZL2KDB2nSpFZOJhS989cMKxtMZz0P3Gunn0/oqDr +cfDt8t+Nei1T2uq0FlQK8yBUKhfAPnwKuvj/tHho45ZF +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC6HnzYlULNHDPf +ZUwwMR4UNSmO7wtoR/Guj/M21lSnHJeCzWmzn1Xg/ydVKA5qiO1hgjKzm8BqkO6A +FlQBc8UU7838kLf4eM4SLo5xZeHUUbkWxhaoUYFHrJliJgojsKLuKcOGv+H/xE82 +++A7Yz7n829Yz7l121cNzrdPLZqguU6ocPS5lIONX7c2uf9/DN8b1sr80KcrR+Xt +VzcH0pCA/iu2WiRwtmwytf2yfvLyrxn0Z6k539lmLwWS//ABp6ptRh2dNZLm6cGE +3eQK8fYxJBhD2U5LX1EeqyLMsAWZqQJCAnE539jEaI2QdOZ4pfbwn+vyS4Pyv9A8 +NPQSGUUVAgMBAAECggEATZbSIxQucgV01oeLOHfxeykidxTOY53CcixOjyjQx43S +19O8YgZlrdOQ2R5GzEDi/QhjDJ88mvBqjPlB8g0KNw01iTnnh+0Ms2W3Oizn9TRQ +fd78qRS5WWDp3JHRHknP0ouUmIM7uv1irKBaPUfFfLruS07lmO1koDvyDU8MrD1+ 
+Lr9i/7DOxpMFRTP4OBs4J22M1jdaVV7RM5/ZxHezSEJx8lpYvsBSHYYrViWx+TvL +BQabnfntg4YbVoB+5f7kOA0f0a/WdF1q4yursLvPFb3F+w271s11PYnXp8G7Axe7 +ylcojRhvb1bque2WP7Wz3L0kCosxPkaH7W2RfHZX7QKBgQDgI7Xuo+2hnOkPZxNd +EuA2+1gKmRnd9Gx+gBvSOxgy+bIirddWpUoSQE1cZiJu0ylERVBMXJzMi5uT1/nR +OP9HVUY/pYDEtuHRHyF60sp8+qTiV0PxACuaYGmUSO22+p9yp0mfVNl+AkQlLbam +pmQG3OWb7Zqpef7+v7fnccPwFwKBgQDUkz1OyUwB1Nx0GtzAiYuoVh0Oe2GM8tHI +8kSXbFyXh5ly75Cm5gPR6dxLsLSOZxzGZMfXm13MFWVARQJgudFJFTtqRufJZcnS +ie/OpY35eYqKqzYIwt+4U6biCLK3q77dH1Psgz0ghoH6DfDkl2eQDF9LLUxvrS5Q +r36bBezjswKBgEAMFEWv1Ax1UOeU1aSn6yfq5HqKyyhwWrw/ETQerMiML0nXkQvy +SVszwqdfjAFNF6Kph8t6P1f3oKo7cehGODQC+wLe4Q/VDmv6UE/Pggr6eDkxJHnu +SYdge2ri+AJsVTmm8dO0pD1smlphWKsAKt8HKhlHaQV6ldHnqL5a9NlbAoGAK6zI +xtwy4plyZeRzAJgB+qcetzAAXe4xzgCAuT/JUlTI4UV5SeEuXb2XxnFa13s1/UkN +ii3guqKWt/q1v1vONR7Io1BIJSflrH0sqR94qQ4gudbtdiVbw8pkGkLBPV1rDJF4 +M7rPH1SjddXRbZXx8DWqio6XCsbhIjC8aWtxPWMCgYAClC2GhicT+Jiv5Y8gT/hc +/DJjhQTtV1mMqek69XJ6Xsc6wEkFSXpUr8/3XoP8Sj/xrEluTJYgt/DTVbXAvLcv +XCaERRdrpBHspFrD9lcOZRjS17QTVAzH8bt3+YidqvDnn/2Xch49hcUJTFEx7Km+ +r4Tw2QmALNeNDgRlkMJYCQ== +-----END PRIVATE KEY----- diff --git a/security/nss/lib/ckfw/manifest.mn b/security/nss/lib/ckfw/manifest.mn index 20bebeb31757..4f798ad61b19 100644 --- a/security/nss/lib/ckfw/manifest.mn +++ b/security/nss/lib/ckfw/manifest.mn @@ -5,7 +5,7 @@ CORE_DEPTH = ../.. -DIRS = builtins +DIRS = builtins PRIVATE_EXPORTS = \ ck.h \ diff --git a/security/nss/lib/mozpkix/include/pkix/pkixder.h b/security/nss/lib/mozpkix/include/pkix/pkixder.h index 3aae0ecf6960..379106ef4d09 100644 --- a/security/nss/lib/mozpkix/include/pkix/pkixder.h +++ b/security/nss/lib/mozpkix/include/pkix/pkixder.h 
@@ -114,6 +114,17 @@ inline Result ExpectTagAndSkipValue(Reader& input, uint8_t tag) {
 return ExpectTagAndGetValue(input, tag, ignoredValue);
 }
 
+// This skips IMPLICIT OPTIONAL tags that are "primitive" (not constructed),
+// given the number in the class of the tag (i.e. the number in the brackets in
+// `issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL`).
+inline Result SkipOptionalImplicitPrimitiveTag(Reader& input,
+ uint8_t numberInClass) {
+ if (input.Peek(CONTEXT_SPECIFIC | numberInClass)) {
+ return ExpectTagAndSkipValue(input, CONTEXT_SPECIFIC | numberInClass);
+ }
+ return Success;
+}
+
 // Like ExpectTagAndGetValue, except the output Input will contain the
 // encoded tag and length along with the value.
 inline Result ExpectTagAndGetTLV(Reader& input, uint8_t tag,
diff --git a/security/nss/lib/mozpkix/lib/pkixcert.cpp b/security/nss/lib/mozpkix/lib/pkixcert.cpp
index a304837382ab..7789bd57d0de 100644
--- a/security/nss/lib/mozpkix/lib/pkixcert.cpp
+++ b/security/nss/lib/mozpkix/lib/pkixcert.cpp
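Review bot: `SkipOptionalImplicitPrimitiveTag` ORs the caller-supplied `numberInClass` straight into the tag byte, so a value of 31 or more, or one with the class or constructed bits set, silently matches a different tag than the comment promises. The two callers in this commit pass 1 and 2, so nothing breaks today, but the helper is an inline in a shared header and the contract is not written down. I would add a line to its comment, `// numberInClass must be a low tag number (0..30) with the class and constructed bits clear.`, or assert that at the top of the function.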
@@ -105,29 +105,24 @@ BackCert::Init()
 return rv;
 }
 
- static const uint8_t CSC = der::CONTEXT_SPECIFIC | der::CONSTRUCTED;
-
 // According to RFC 5280, all fields below this line are forbidden for
 // certificate versions less than v3. However, for compatibility reasons,
 // we parse v1/v2 certificates in the same way as v3 certificates. So if
 // these fields appear in a v1 certificate, they will be used.
 
 // Ignore issuerUniqueID if present.
- if (tbsCertificate.Peek(CSC | 1)) {
- rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 1);
- if (rv != Success) {
- return rv;
- }
+ rv = der::SkipOptionalImplicitPrimitiveTag(tbsCertificate, 1);
+ if (rv != Success) {
+ return rv;
 }
 
 // Ignore subjectUniqueID if present.
- if (tbsCertificate.Peek(CSC | 2)) {
- rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 2);
- if (rv != Success) {
- return rv;
- }
+ rv = der::SkipOptionalImplicitPrimitiveTag(tbsCertificate, 2);
+ if (rv != Success) {
+ return rv;
 }
 
+ static const uint8_t CSC = der::CONTEXT_SPECIFIC | der::CONSTRUCTED;
 rv = der::OptionalExtensions(
 tbsCertificate, CSC | 3,
 [this](Reader& extnID, const Input& extnValue, bool critical,
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index d3f7287ad5a2..41cce1cbe733 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -39,8 +39,8 @@ CERT_FreeDistNames;
 CERT_FreeNicknames;
 CERT_GetAVATag;
 CERT_GetCertEmailAddress;
-CERT_GetCertNicknames;
 CERT_GetCertIssuerAndSN;
+CERT_GetCertNicknames;
 CERT_GetCertTrust;
 CERT_GetCertUid;
 CERT_GetCommonName;
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
index d718317463b0..29d2fb5a4022 100644
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
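Review bot: The two "Ignore ...UniqueID if present" comments in the pkixcert.cpp hunk do not say why these fields are matched as primitive tags while the extensions just below still use `CSC | 3`, and that distinction appears to be the whole point of the change. A why-comment above the first call would stop a later edit from restoring the constructed bit: `// UniqueIdentifier is a BIT STRING; under IMPLICIT tagging DER encodes it as primitive, so no CONSTRUCTED bit here.` BackCert::Init starts and ends outside the hunk.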
@@ -825,6 +825,36 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced
 cc->trust = trust;
 CERT_UnlockCertTrust(cc);
 }
+ /* Read the distrust fields from a nssckbi/builtins certificate and
+ * fill the fields in CERTCertificate structure when any valid date
+ * is found. */
+ if (PK11_IsReadOnly(cc->slot) && PK11_HasRootCerts(cc->slot)) {
+ /* The values are hard-coded and readonly. Read just once. */
+ if (cc->distrust == NULL) {
+ CERTCertDistrust distrustModel;
+ SECItem model = { siUTCTime, NULL, 0 };
+ distrustModel.serverDistrustAfter = model;
+ distrustModel.emailDistrustAfter = model;
+ SECStatus rServer = PK11_ReadAttribute(
+ cc->slot, cc->pkcs11ID, CKA_NSS_SERVER_DISTRUST_AFTER,
+ cc->arena, &distrustModel.serverDistrustAfter);
+ SECStatus rEmail = PK11_ReadAttribute(
+ cc->slot, cc->pkcs11ID, CKA_NSS_EMAIL_DISTRUST_AFTER,
+ cc->arena, &distrustModel.emailDistrustAfter);
+ /* Only allocate the Distrust structure if a valid date is found.
+ * The result length of a encoded valid timestamp is exactly 13 */
+ const unsigned int kDistrustFieldSize = 13;
+ if ((rServer == SECSuccess && rEmail == SECSuccess) &&
+ (distrustModel.serverDistrustAfter.len == kDistrustFieldSize ||
+ distrustModel.emailDistrustAfter.len == kDistrustFieldSize)) {
+ CERTCertDistrust *tmpPtr = PORT_ArenaAlloc(
+ cc->arena, sizeof(CERTCertDistrust));
+ PORT_Memcpy(tmpPtr, &distrustModel,
+ sizeof(CERTCertDistrust));
+ cc->distrust = tmpPtr;
+ }
+ }
+ }
 }
 if (instance) {
 nssCryptokiObject_Destroy(instance);
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
index 3686b7f2ba88..5647a53b1b7b 100644
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
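Review bot: The result of `PORT_ArenaAlloc` goes straight into `PORT_Memcpy` with no NULL check, so an allocation failure in this block becomes a NULL write on the certificate-loading path. Guard the copy and the assignment together: `if (tmpPtr != NULL) { PORT_Memcpy(tmpPtr, &distrustModel, sizeof(CERTCertDistrust)); cc->distrust = tmpPtr; }`. Separately, the length test joins the two fields with `||`, so a certificate with one 13-byte value and one malformed value still publishes both items. Code that consumes `cc->distrust` therefore has to re-check each `len`, which the comment above the test should say. fill_CERTCertificateFields starts and ends outside the hunk.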
@@ -1605,6 +1605,67 @@ NSC_DecryptUpdate(CK_SESSION_HANDLE hSession, return CKR_OK; } +/* Fromssl3con.c: Constant-time helper macro that copies the MSB of x to all + * other bits. */ +#define DUPLICATE_MSB_TO_ALL(x) ((unsigned int)((int)(x) >> (sizeof(int) * 8 - 1))) +/* From ssl3con.c: SECStatusToMask returns, in constant time, a mask value of + * all ones if rv == SECSuccess. Otherwise it returns zero. */ +static unsigned int +SECStatusToMask(SECStatus rv) +{ + unsigned int good; + /* rv ^ SECSuccess is zero iff rv == SECSuccess. Subtracting one results + * in the MSB being set to one iff it was zero before. */ + good = rv ^ SECSuccess; + good--; + return DUPLICATE_MSB_TO_ALL(good); +} +/* Constant-time helper macro that selects l or r depending on all-1 or all-0 + * mask m */ +#define CT_SEL(m, l, r) (((m) & (l)) | (~(m) & (r))) +/* Constant-time helper macro that returns all-1s if x is not 0; and all-0s + * otherwise. */ +#define CT_NOT_ZERO(x) (DUPLICATE_MSB_TO_ALL(((x) | (0 - x)))) + +/* sftk_CheckCBCPadding checks that the padding validity and return the pad length. 
*/ +static CK_RV +sftk_CheckCBCPadding(CK_BYTE_PTR pLastPart, + unsigned int blockSize, unsigned int *outPadSize) +{ + PORT_Assert(outPadSize); + + unsigned int padSize = (unsigned int)pLastPart[blockSize - 1]; + + /* If padSize <= blockSize, set goodPad to all-1s and all-0s otherwise.*/ + unsigned int goodPad = DUPLICATE_MSB_TO_ALL(~(blockSize - padSize)); + /* padSize should not be 0 */ + goodPad &= CT_NOT_ZERO(padSize); + + unsigned int i; + for (i = 0; i < blockSize; i++) { + /* If i < padSize, set loopMask to all-1s and all-0s otherwise.*/ + unsigned int loopMask = DUPLICATE_MSB_TO_ALL(~(padSize - 1 - i)); + /* Get the padding value (should be padSize) from buffer */ + unsigned int padVal = pLastPart[blockSize - 1 - i]; + /* Update goodPad only if i < padSize */ + goodPad &= CT_SEL(loopMask, ~(padVal ^ padSize), goodPad); + } + + /* If any of the final padding bytes had the wrong value, one or more + * of the lower eight bits of |goodPad| will be cleared. We AND the + * bottom 8 bits together and duplicate the result to all the bits. */ + goodPad &= goodPad >> 4; + goodPad &= goodPad >> 2; + goodPad &= goodPad >> 1; + goodPad <<= sizeof(goodPad) * 8 - 1; + goodPad = DUPLICATE_MSB_TO_ALL(goodPad); + + /* Set outPadSize to padSize or 0 */ + *outPadSize = CT_SEL(goodPad, padSize, 0); + /* Return OK if the pad is valid */ + return CT_SEL(goodPad, CKR_OK, CKR_ENCRYPTED_DATA_INVALID); +} + /* NSC_DecryptFinal finishes a multiple-part decryption operation. */ CK_RV NSC_DecryptFinal(CK_SESSION_HANDLE hSession, 
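Review bot: sftk_CheckCBCPadding takes no buffer length and always reads `pLastPart[blockSize - 1]`, so it is only correct when pLastPart points at exactly the final block, and its header comment should state that precondition, e.g. `/* pLastPart must point to the last blockSize bytes of the plaintext; blockSize must be non-zero. */` (the NSC_Decrypt call later in this file passes the start of the whole output buffer). `CT_NOT_ZERO` expands its argument unparenthesised in `(0 - x)`; write `(0 - (x))`. `DUPLICATE_MSB_TO_ALL` relies on right-shifting a negative int being an arithmetic shift, which C leaves implementation-defined, and that assumption deserves a comment next to the macro. `PORT_Assert(outPadSize)` is presumably compiled out of release builds, so it documents rather than enforces the non-NULL requirement.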
@@ -1643,24 +1704,10 @@ NSC_DecryptFinal(CK_SESSION_HANDLE hSession, if (rv != SECSuccess) { crv = sftk_MapDecryptError(PORT_GetError()); } else { - unsigned int padSize = - (unsigned int)pLastPart[context->blockSize - 1]; - if ((padSize > context->blockSize) || (padSize == 0)) { - crv = CKR_ENCRYPTED_DATA_INVALID; - } else { - unsigned int i; - unsigned int badPadding = 0; /* used as a boolean */ - for (i = 0; i < padSize; i++) { - badPadding |= - (unsigned int)pLastPart[context->blockSize - 1 - i] ^ - padSize; - } - if (badPadding) { - crv = CKR_ENCRYPTED_DATA_INVALID; - } else { - *pulLastPartLen = outlen - padSize; - } - } + unsigned int padSize = 0; + crv = sftk_CheckCBCPadding(pLastPart, context->blockSize, &padSize); + /* Update pulLastPartLen, in constant time, if crv is success */ + *pulLastPartLen = CT_SEL(SECStatusToMask(crv), outlen - padSize, *pulLastPartLen); } } } @@ -1722,21 +1769,9 @@ NSC_Decrypt(CK_SESSION_HANDLE hSession, /* XXX need to do MUCH better error mapping than this. */ crv = (rv == SECSuccess) ? CKR_OK : sftk_MapDecryptError(PORT_GetError()); if (rv == SECSuccess && context->doPad) { - unsigned int padding = pData[outlen - 1]; - if (padding > context->blockSize || !padding) { - crv = CKR_ENCRYPTED_DATA_INVALID; - } else { - unsigned int i; - unsigned int badPadding = 0; /* used as a boolean */ - for (i = 0; i < padding; i++) { - badPadding |= (unsigned int)pData[outlen - 1 - i] ^ padding; - } - if (badPadding) { - crv = CKR_ENCRYPTED_DATA_INVALID; - } else { - outlen -= padding; - } - } + unsigned int padSize = 0; + crv = sftk_CheckCBCPadding(pData, context->blockSize, &padSize); + outlen -= padSize; } sftk_TerminateOp(session, SFTK_DECRYPT, context); done: diff --git a/security/nss/lib/softoken/sdb.c b/security/nss/lib/softoken/sdb.c index b7d4edc05ebb..c844761001d9 100644 --- a/security/nss/lib/softoken/sdb.c +++ b/security/nss/lib/softoken/sdb.c 
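Review bot: In the NSC_DecryptFinal hunk, `SECStatusToMask(crv)` is handed a CK_RV rather than a SECStatus; the mask comes out right only because CKR_OK and SECSuccess are both zero, which should be stated in a comment at the call or handled by a CK_RV-typed twin of the helper. The mask is an `unsigned int` while `*pulLastPartLen` is a CK_ULONG, so on targets where CK_ULONG is wider the `~(m) & (r)` half of CT_SEL zero-extends the mask and the failure branch keeps only the low bits of the previous value. Widening the mask to the operand type before selecting avoids that. NSC_DecryptFinal's body starts and ends outside the hunk.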
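Review bot: In the NSC_Decrypt hunk the padding byte is no longer taken from the end of the output: the removed code read `pData[outlen - 1]`, while `sftk_CheckCBCPadding(pData, context->blockSize, &padSize)` reads `pData[context->blockSize - 1]`, the end of the first block. For any plaintext longer than one block this validates and strips padding using bytes from the message body, so valid data can be rejected, or `outlen` reduced by a value that is not the real pad length. Pass the final block instead, `crv = sftk_CheckCBCPadding(pData + outlen - context->blockSize, context->blockSize, &padSize);`, after confirming that outlen is at least one block (the hunk does not show what guarantees that). A single-call decrypt test with padded input spanning several blocks would catch this. NSC_Decrypt's body starts and ends outside the hunk.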
@@ -159,7 +159,7 @@ static const CK_ATTRIBUTE_TYPE known_attributes[] = { CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER, CKA_TRUST_TIME_STAMPING, CKA_TRUST_STEP_UP_APPROVED, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, CKA_NETSCAPE_DB, CKA_NETSCAPE_TRUST, CKA_NSS_OVERRIDE_EXTENSIONS, - CKA_PUBLIC_KEY_INFO + CKA_PUBLIC_KEY_INFO, CKA_NSS_SERVER_DISTRUST_AFTER, CKA_NSS_EMAIL_DISTRUST_AFTER }; static int known_attributes_size = sizeof(known_attributes) / diff --git a/security/nss/lib/ssl/tls13con.c b/security/nss/lib/ssl/tls13con.c index a587e38905fb..c24684150622 100644 --- a/security/nss/lib/ssl/tls13con.c +++ b/security/nss/lib/ssl/tls13con.c @@ -914,7 +914,7 @@ SECStatus tls13_HandlePostHelloHandshakeMessage(sslSocket *ss, PRUint8 *b, PRUint32 length) { if (ss->sec.isServer && ss->ssl3.hs.zeroRttIgnore != ssl_0rtt_ignore_none) { - SSL_TRC(3, ("%d: TLS13[%d]: %s successfully decrypted handshake after" + SSL_TRC(3, ("%d: TLS13[%d]: successfully decrypted handshake after " "failed 0-RTT", SSL_GETPID(), ss->fd)); ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_none; diff --git a/security/nss/lib/util/pkcs11n.h b/security/nss/lib/util/pkcs11n.h index 1d31123183e9..7fbfb780c292 100644 --- a/security/nss/lib/util/pkcs11n.h +++ b/security/nss/lib/util/pkcs11n.h @@ -94,6 +94,8 @@ #define CKA_NSS_JPAKE_X2S (CKA_NSS + 33) #define CKA_NSS_MOZILLA_CA_POLICY (CKA_NSS + 34) +#define CKA_NSS_SERVER_DISTRUST_AFTER (CKA_NSS + 35) +#define CKA_NSS_EMAIL_DISTRUST_AFTER (CKA_NSS + 36) /* * Trust attributes: diff --git a/security/nss/nss.gyp b/security/nss/nss.gyp index da7fa301babc..3a92df12d38a 100644 --- a/security/nss/nss.gyp +++ b/security/nss/nss.gyp @@ -218,6 +218,7 @@ 'gtests/softoken_gtest/softoken_gtest.gyp:softoken_gtest', 'gtests/ssl_gtest/ssl_gtest.gyp:ssl_gtest', 'gtests/util_gtest/util_gtest.gyp:util_gtest', + 'lib/ckfw/builtins/testlib/builtins-testlib.gyp:nssckbi-testlib', ], 'conditions': [ [ 'OS=="linux"', { 
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh index 616043cff16b..84edb59f11b0 100755 --- a/security/nss/tests/cert/cert.sh +++ b/security/nss/tests/cert/cert.sh @@ -50,7 +50,7 @@ cert_init() LIBDIR="${DIST}/${OBJDIR}/lib" - ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi* | head -1` + ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi.* | head -1` if [ ! "${ROOTCERTSFILE}" ] ; then html_failed "Looking for root certs module." cert_log "ERROR: Root certs module not found."