зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1460617 - land NSS 3d3e34bb7517 UPGRADE_NSS_RELEASE, r=me
--HG-- extra : rebase_source : 45b9c45b31b55dc1f5fcc043336b2ddc386f740c extra : histedit_source : 221357b0e59b2a82786cc83d6b980062ec2b7ce9
This commit is contained in:
Родитель
54c29475e9
Коммит
7eaf562442
|
@ -1 +1 @@
|
|||
328d235fc7ee
|
||||
3d3e34bb7517
|
||||
|
|
|
@ -36,6 +36,8 @@
|
|||
#include "certdb.h"
|
||||
#include "nss.h"
|
||||
#include "certutil.h"
|
||||
#include "basicutil.h"
|
||||
#include "ssl.h"
|
||||
|
||||
#define MIN_KEY_BITS 512
|
||||
/* MAX_KEY_BITS should agree with RSA_MAX_MODULUS_BITS in freebl */
|
||||
|
@ -447,7 +449,8 @@ ChangeTrustAttributes(CERTCertDBHandle *handle, PK11SlotInfo *slot,
|
|||
}
|
||||
|
||||
static SECStatus
|
||||
DumpChain(CERTCertDBHandle *handle, char *name, PRBool ascii)
|
||||
DumpChain(CERTCertDBHandle *handle, char *name, PRBool ascii,
|
||||
PRBool simpleSelfSigned)
|
||||
{
|
||||
CERTCertificate *the_cert;
|
||||
CERTCertificateList *chain;
|
||||
|
@ -458,6 +461,14 @@ DumpChain(CERTCertDBHandle *handle, char *name, PRBool ascii)
|
|||
SECU_PrintError(progName, "Could not find: %s\n", name);
|
||||
return SECFailure;
|
||||
}
|
||||
if (simpleSelfSigned &&
|
||||
SECEqual == SECITEM_CompareItem(&the_cert->derIssuer,
|
||||
&the_cert->derSubject)) {
|
||||
printf("\"%s\" [%s]\n\n", the_cert->nickname, the_cert->subjectName);
|
||||
CERT_DestroyCertificate(the_cert);
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
chain = CERT_CertChainFromCert(the_cert, 0, PR_TRUE);
|
||||
CERT_DestroyCertificate(the_cert);
|
||||
if (!chain) {
|
||||
|
@ -1115,7 +1126,9 @@ PrintSyntax()
|
|||
FPS "\t%s --build-flags\n", progName);
|
||||
FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n",
|
||||
progName);
|
||||
FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n", progName);
|
||||
FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n"
|
||||
"\t\t [--simple-self-signed]\n",
|
||||
progName);
|
||||
FPS "\t%s -R -s subj -o cert-request-file [-d certdir] [-P dbprefix] [-p phone] [-a]\n"
|
||||
"\t\t [-7 emailAddrs] [-k key-type-or-id] [-h token-name] [-f pwfile]\n"
|
||||
"\t\t [-g key-size] [-Z hashAlg]\n",
|
||||
|
@ -1542,6 +1555,8 @@ luO(enum usage_level ul, const char *command)
|
|||
" -P dbprefix");
|
||||
FPS "%-20s force the database to open R/W\n",
|
||||
" -X");
|
||||
FPS "%-20s don't search for a chain if issuer name equals subject name\n",
|
||||
" --simple-self-signed");
|
||||
FPS "\n");
|
||||
}
|
||||
|
||||
|
@ -1560,7 +1575,7 @@ luR(enum usage_level ul, const char *command)
|
|||
" -o output-req");
|
||||
FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
|
||||
" -k key-type-or-id");
|
||||
FPS "%-20s or nickname of the cert key to use \n",
|
||||
FPS "%-20s or nickname of the cert key to use, or key id obtained using -K\n",
|
||||
"");
|
||||
FPS "%-20s Name of token in which to generate key (default is internal)\n",
|
||||
" -h token-name");
|
||||
|
@ -2498,6 +2513,7 @@ enum certutilOpts {
|
|||
opt_NewNickname,
|
||||
opt_Pss,
|
||||
opt_PssSign,
|
||||
opt_SimpleSelfSigned,
|
||||
opt_Help
|
||||
};
|
||||
|
||||
|
@ -2622,6 +2638,8 @@ static const secuCommandFlag options_init[] =
|
|||
"pss" },
|
||||
{ /* opt_PssSign */ 0, PR_FALSE, 0, PR_FALSE,
|
||||
"pss-sign" },
|
||||
{ /* opt_SimpleSelfSigned */ 0, PR_FALSE, 0, PR_FALSE,
|
||||
"simple-self-signed" },
|
||||
};
|
||||
#define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0]))
|
||||
|
||||
|
@ -3122,6 +3140,8 @@ certutil_main(int argc, char **argv, PRBool initialize)
|
|||
}
|
||||
initialized = PR_TRUE;
|
||||
SECU_RegisterDynamicOids();
|
||||
/* Ensure the SSL error code table has been registered. Bug 1460284. */
|
||||
SSL_OptionSetDefault(-1, 0);
|
||||
}
|
||||
certHandle = CERT_GetDefaultCertDB();
|
||||
|
||||
|
@ -3348,7 +3368,8 @@ certutil_main(int argc, char **argv, PRBool initialize)
|
|||
}
|
||||
if (certutil.commands[cmd_DumpChain].activated) {
|
||||
rv = DumpChain(certHandle, name,
|
||||
certutil.options[opt_ASCIIForIO].activated);
|
||||
certutil.options[opt_ASCIIForIO].activated,
|
||||
certutil.options[opt_SimpleSelfSigned].activated);
|
||||
goto shutdown;
|
||||
}
|
||||
/* XXX needs work */
|
||||
|
@ -3442,37 +3463,80 @@ certutil_main(int argc, char **argv, PRBool initialize)
|
|||
keycert = CERT_FindCertByNicknameOrEmailAddr(certHandle, keysource);
|
||||
if (!keycert) {
|
||||
keycert = PK11_FindCertFromNickname(keysource, NULL);
|
||||
if (!keycert) {
|
||||
SECU_PrintError(progName,
|
||||
"%s is neither a key-type nor a nickname", keysource);
|
||||
}
|
||||
|
||||
if (keycert) {
|
||||
privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
|
||||
} else {
|
||||
PLArenaPool *arena = NULL;
|
||||
SECItem keyidItem = { 0 };
|
||||
char *keysourcePtr = keysource;
|
||||
/* Interpret keysource as CKA_ID */
|
||||
if (PK11_NeedLogin(slot)) {
|
||||
rv = PK11_Authenticate(slot, PR_TRUE, &pwdata);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "could not authenticate to token %s.",
|
||||
PK11_GetTokenName(slot));
|
||||
return SECFailure;
|
||||
}
|
||||
}
|
||||
if (0 == PL_strncasecmp("0x", keysource, 2)) {
|
||||
keysourcePtr = keysource + 2; // skip leading "0x"
|
||||
}
|
||||
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
||||
if (!arena) {
|
||||
SECU_PrintError(progName, "unable to allocate arena");
|
||||
return SECFailure;
|
||||
}
|
||||
if (SECU_HexString2SECItem(arena, &keyidItem, keysourcePtr)) {
|
||||
privkey = PK11_FindKeyByKeyID(slot, &keyidItem, &pwdata);
|
||||
}
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
}
|
||||
privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
|
||||
if (privkey)
|
||||
pubkey = CERT_ExtractPublicKey(keycert);
|
||||
|
||||
if (!privkey) {
|
||||
SECU_PrintError(
|
||||
progName,
|
||||
"%s is neither a key-type nor a nickname nor a key-id", keysource);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
pubkey = SECKEY_ConvertToPublicKey(privkey);
|
||||
if (!pubkey) {
|
||||
SECU_PrintError(progName,
|
||||
"Could not get keys from cert %s", keysource);
|
||||
if (keycert) {
|
||||
CERT_DestroyCertificate(keycert);
|
||||
}
|
||||
rv = SECFailure;
|
||||
CERT_DestroyCertificate(keycert);
|
||||
goto shutdown;
|
||||
}
|
||||
keytype = privkey->keyType;
|
||||
|
||||
/* On CertReq for renewal if no subject has been
|
||||
* specified obtain it from the certificate.
|
||||
*/
|
||||
if (certutil.commands[cmd_CertReq].activated && !subject) {
|
||||
subject = CERT_AsciiToName(keycert->subjectName);
|
||||
if (!subject) {
|
||||
SECU_PrintError(progName,
|
||||
"Could not get subject from certificate %s", keysource);
|
||||
CERT_DestroyCertificate(keycert);
|
||||
if (keycert) {
|
||||
subject = CERT_AsciiToName(keycert->subjectName);
|
||||
if (!subject) {
|
||||
SECU_PrintError(
|
||||
progName,
|
||||
"Could not get subject from certificate %s",
|
||||
keysource);
|
||||
CERT_DestroyCertificate(keycert);
|
||||
rv = SECFailure;
|
||||
goto shutdown;
|
||||
}
|
||||
} else {
|
||||
SECU_PrintError(progName, "Subject name not provided");
|
||||
rv = SECFailure;
|
||||
goto shutdown;
|
||||
}
|
||||
}
|
||||
CERT_DestroyCertificate(keycert);
|
||||
if (keycert) {
|
||||
CERT_DestroyCertificate(keycert);
|
||||
}
|
||||
} else {
|
||||
privkey =
|
||||
CERTUTIL_GeneratePrivateKey(keytype, slot, keysize,
|
||||
|
@ -3535,6 +3599,14 @@ certutil_main(int argc, char **argv, PRBool initialize)
|
|||
}
|
||||
}
|
||||
|
||||
if (certutil.options[opt_SimpleSelfSigned].activated &&
|
||||
!certutil.commands[cmd_DumpChain].activated) {
|
||||
PR_fprintf(PR_STDERR,
|
||||
"%s -%c: --simple-self-signed only works with -O.\n",
|
||||
progName, commandToRun);
|
||||
return 255;
|
||||
}
|
||||
|
||||
/* If we need a list of extensions convert the flags into list format */
|
||||
if (certutil.commands[cmd_CertReq].activated ||
|
||||
certutil.commands[cmd_CreateAndAddCert].activated ||
|
||||
|
|
|
@ -10,4 +10,3 @@
|
|||
*/
|
||||
|
||||
#error "Do not include this header file."
|
||||
|
||||
|
|
|
@ -535,12 +535,16 @@ ifeq (,$(filter-out i386 x386 x86 x86_64 aarch64,$(CPU_ARCH)))
|
|||
# All intel architectures get the 64 bit version
|
||||
# With custom uint128 if necessary (faster than generic 32 bit version).
|
||||
ECL_SRCS += curve25519_64.c
|
||||
VERIFIED_SRCS += Hacl_Curve25519.c FStar.c
|
||||
VERIFIED_SRCS += Hacl_Curve25519.c
|
||||
else
|
||||
# All non intel architectures get the generic 32 bit implementation (slow!)
|
||||
ECL_SRCS += curve25519_32.c
|
||||
endif
|
||||
|
||||
ifndef HAVE_INT128_SUPPORT
|
||||
VERIFIED_SRCS += FStar.c
|
||||
endif
|
||||
|
||||
#######################################################################
|
||||
# (5) Execute "global" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
|
|
@ -277,18 +277,10 @@
|
|||
'MP_IS_LITTLE_ENDIAN',
|
||||
],
|
||||
}],
|
||||
[ 'OS!="win"', {
|
||||
'conditions': [
|
||||
[ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
|
||||
'defines': [
|
||||
# The Makefile does version-tests on GCC, but we're not doing that here.
|
||||
'HAVE_INT128_SUPPORT',
|
||||
],
|
||||
}, {
|
||||
'defines': [
|
||||
'KRML_NOUINT128',
|
||||
],
|
||||
}],
|
||||
[ 'have_int128_support==1', {
|
||||
'defines': [
|
||||
# The Makefile does version-tests on GCC, but we're not doing that here.
|
||||
'HAVE_INT128_SUPPORT',
|
||||
],
|
||||
}, {
|
||||
'defines': [
|
||||
|
@ -350,5 +342,18 @@
|
|||
},
|
||||
'variables': {
|
||||
'module': 'nss',
|
||||
'conditions': [
|
||||
[ 'OS!="win"', {
|
||||
'conditions': [
|
||||
[ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
|
||||
'have_int128_support%': 1,
|
||||
}, {
|
||||
'have_int128_support%': 0,
|
||||
}],
|
||||
],
|
||||
}, {
|
||||
'have_int128_support%': 0,
|
||||
}],
|
||||
],
|
||||
}
|
||||
}
|
||||
|
|
|
@ -60,7 +60,6 @@
|
|||
'shvfy.c',
|
||||
'sysrand.c',
|
||||
'tlsprfalg.c',
|
||||
'verified/FStar.c',
|
||||
],
|
||||
'conditions': [
|
||||
[ 'OS=="linux" or OS=="android"', {
|
||||
|
@ -220,6 +219,9 @@
|
|||
}],
|
||||
],
|
||||
}],
|
||||
[ 'have_int128_support==0', {
|
||||
'sources': [ 'verified/FStar.c' ],
|
||||
}],
|
||||
],
|
||||
'ldflags': [
|
||||
'-Wl,-Bsymbolic'
|
||||
|
|
|
@ -32,7 +32,7 @@ RNG_SystemRNG(void *dest, size_t maxLen)
|
|||
size_t fileBytes = 0;
|
||||
unsigned char *buffer = dest;
|
||||
|
||||
#if defined(LINUX) && defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25)))
|
||||
#if defined(__OpenBSD__) || (defined(LINUX) && defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25))))
|
||||
int result;
|
||||
|
||||
while (fileBytes < maxLen) {
|
||||
|
|
|
@ -2475,6 +2475,31 @@ EOF
|
|||
RETEXPECTED=0
|
||||
}
|
||||
|
||||
cert_test_orphan_key_reuse()
|
||||
{
|
||||
CU_ACTION="Create orphan key in serverdir"
|
||||
certu -G -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR}
|
||||
# Let's get the key ID of the first orphan key.
|
||||
# The output of certutil -K (list keys) isn't well formatted.
|
||||
# The initial <key-number> part may or may not contain white space, which
|
||||
# makes the use of awk to filter the column unreliable.
|
||||
# To fix that, we remove the initial <number> field using sed, then select the
|
||||
# column that contains the key ID.
|
||||
ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
|
||||
sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'`
|
||||
CU_ACTION="Create cert request for orphan key"
|
||||
certu -R -f "${R_PWFILE}" -k ${ORPHAN} -s "CN=orphan" -d ${PROFILEDIR} \
|
||||
-o ${SERVERDIR}/orphan.req
|
||||
# Ensure that creating the request really works by listing it, and check
|
||||
# if listing was successful.
|
||||
${BINDIR}/pp -t certificate-request -i ${SERVERDIR}/orphan.req
|
||||
RET=$?
|
||||
if [ "$RET" -ne 0 ]; then
|
||||
html_failed "Listing cert request for orphan key ($RET)"
|
||||
cert_log "ERROR: Listing cert request for orphan key failed $RET"
|
||||
fi
|
||||
}
|
||||
|
||||
############################## cert_cleanup ############################
|
||||
# local shell function to finish this script (no exit since it might be
|
||||
# sourced)
|
||||
|
@ -2494,6 +2519,7 @@ cert_all_CA
|
|||
cert_test_implicit_db_init
|
||||
cert_extended_ssl
|
||||
cert_ssl
|
||||
cert_test_orphan_key_reuse
|
||||
cert_smime_client
|
||||
IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
|
||||
if [ $IS_FIPS_DISABLED -ne 0 ]; then
|
||||
|
|
Загрузка…
Ссылка в новой задаче