Backed out changeset 3eb63c112f5a (Bug 1577822) for breaking WebAuthn mochitests UPGRADE_NSS_RELEASE

Differential Revision: https://phabricator.services.mozilla.com/D49374

--HG--
extra : moz-landing-system : lando
This commit is contained in:
J.C. Jones 2019-10-16 04:36:58 +00:00
Родитель e3328f020c
Коммит 962e9e53a9
37 изменённых файлов: 143 добавлений и 1733 удалений

Просмотреть файл

@ -1 +1 @@
NSS_3_47_BETA2
NSS_3_47_BETA1

Просмотреть файл

@ -2,32 +2,3 @@
'function CERTCertList* PK11_GetCertsMatchingPrivateKey(SECKEYPrivateKey*)' {PK11_GetCertsMatchingPrivateKey@@NSS_3.47}
3 functions with some indirect sub-type change:
[C]'function SECStatus CERT_AddCertToListHead(CERTCertList*, CERTCertificate*)' at certdb.c:2631:1 has some indirect sub-type changes:
parameter 2 of type 'CERTCertificate*' has sub-type changes:
in pointed to type 'typedef CERTCertificate' at certt.h:39:1:
underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed:
type size changed from 6016 to 6080 (in bits)
1 data member insertion:
'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1
no data member changes (2 filtered);
[C]'function SECStatus CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle*, CERTCertificate*, PRTime, const SECItem*, void*)' at ocsp.c:5102:1 has some indirect sub-type changes:
parameter 2 of type 'CERTCertificate*' has sub-type changes:
in pointed to type 'typedef CERTCertificate' at certt.h:39:1:
underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed:
type size changed from 6016 to 6080 (in bits)
1 data member insertion:
'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1
no data member change (1 filtered);
[C]'function CERTCertificateList* CERT_CertChainFromCert(CERTCertificate*, SECCertUsage, PRBool)' at certhigh.c:1030:1 has some indirect sub-type changes:
parameter 1 of type 'CERTCertificate*' has sub-type changes:
in pointed to type 'typedef CERTCertificate' at certt.h:39:1:
underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed:
type size changed from 6016 to 6080 (in bits)
1 data member insertion:
'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1
no data member changes (2 filtered);

Просмотреть файл

@ -1,11 +0,0 @@
1 function with some indirect sub-type change:
[C]'function CERTCertificate* CERT_ConvertAndDecodeCertificate(char*)' at certread.c:219:1 has some indirect sub-type changes:
return type changed:
in pointed to type 'typedef CERTCertificate' at certt.h:39:1:
underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed:
type size changed from 6016 to 6080 (in bits)
1 data member insertion:
'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1

Просмотреть файл

@ -1,10 +0,0 @@
1 function with some indirect sub-type change:
[C]'function SECStatus NSS_CmpCertChainWCANames(CERTCertificate*, CERTDistNames*)' at cmpcert.c:25:1 has some indirect sub-type changes:
parameter 1 of type 'CERTCertificate*' has sub-type changes:
in pointed to type 'typedef CERTCertificate' at certt.h:39:1:
underlying type 'struct CERTCertificateStr' at certt.h:189:1 changed:
type size changed from 6016 to 6080 (in bits)
1 data member insertion:
'CERTCertDistrust* CERTCertificateStr::distrust', at offset 6016 (in bits) at certt.h:296:1

Просмотреть файл

@ -230,8 +230,6 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust,
hasPositiveTrust(trust->objectSigningFlags)) {
printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n");
}
printf("CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE\n");
printf("CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE\n");
}
if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) ==
@ -308,21 +306,19 @@ printheader()
"#\n"
"# Certificates\n"
"#\n"
"# -- Attribute -- -- type -- -- value --\n"
"# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n"
"# CKA_TOKEN CK_BBOOL CK_TRUE\n"
"# CKA_PRIVATE CK_BBOOL CK_FALSE\n"
"# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
"# CKA_LABEL UTF8 (varies)\n"
"# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n"
"# CKA_SUBJECT DER+base64 (varies)\n"
"# CKA_ID byte array (varies)\n"
"# CKA_ISSUER DER+base64 (varies)\n"
"# CKA_SERIAL_NUMBER DER+base64 (varies)\n"
"# CKA_VALUE DER+base64 (varies)\n"
"# CKA_NSS_EMAIL ASCII7 (unused here)\n"
"# CKA_NSS_SERVER_DISTRUST_AFTER DER+base64 (varies)\n"
"# CKA_NSS_EMAIL_DISTRUST_AFTER DER+base64 (varies)\n"
"# -- Attribute -- -- type -- -- value --\n"
"# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n"
"# CKA_TOKEN CK_BBOOL CK_TRUE\n"
"# CKA_PRIVATE CK_BBOOL CK_FALSE\n"
"# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
"# CKA_LABEL UTF8 (varies)\n"
"# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n"
"# CKA_SUBJECT DER+base64 (varies)\n"
"# CKA_ID byte array (varies)\n"
"# CKA_ISSUER DER+base64 (varies)\n"
"# CKA_SERIAL_NUMBER DER+base64 (varies)\n"
"# CKA_VALUE DER+base64 (varies)\n"
"# CKA_NSS_EMAIL ASCII7 (unused here)\n"
"#\n"
"# Trust\n"
"#\n"
@ -396,12 +392,6 @@ Usage(char *progName)
fprintf(stderr, "%-15s a CRL entry number, as shown by \"crlutil -S\"\n", "-e");
fprintf(stderr, "%-15s input file to read (default stdin)\n", "-i file");
fprintf(stderr, "%-15s (pipe through atob if the cert is b64-encoded)\n", "");
fprintf(stderr, "%-15s convert a timestamp to DER, and output.\n", "-d timestamp");
fprintf(stderr, "%-15s useful to fill server and email distrust fields\n", "");
fprintf(stderr, "%-15s Example: %s -d 1561939200\n", "", progName);
fprintf(stderr, "%-15s NOTE: The informed timestamp are interpreted as seconds\n", "");
fprintf(stderr, "%-15s since unix epoch.\n", "");
fprintf(stderr, "%-15s TIP: date -d \"2019-07-01 00:00:00 UTC\" +%%s\n", "");
exit(-1);
}
@ -413,21 +403,20 @@ enum {
opt_ExcludeCert,
opt_ExcludeHash,
opt_DistrustCRL,
opt_CRLEntry,
opt_ConvertDate
opt_CRLEnry
};
static secuCommandFlag addbuiltin_options[] = {
{ /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE },
{ /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE },
{ /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE },
{ /* opt_Distrust */ 'D', PR_FALSE, 0, PR_FALSE },
{ /* opt_ExcludeCert */ 'c', PR_FALSE, 0, PR_FALSE },
{ /* opt_ExcludeHash */ 'h', PR_FALSE, 0, PR_FALSE },
{ /* opt_DistrustCRL */ 'C', PR_FALSE, 0, PR_FALSE },
{ /* opt_CRLEntry */ 'e', PR_TRUE, 0, PR_FALSE },
{ /* opt_ConvertDate */ 'd', PR_TRUE, 0, PR_FALSE },
};
static secuCommandFlag addbuiltin_options[] =
{
{ /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE },
{ /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE },
{ /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE },
{ /* opt_Distrust */ 'D', PR_FALSE, 0, PR_FALSE },
{ /* opt_ExcludeCert */ 'c', PR_FALSE, 0, PR_FALSE },
{ /* opt_ExcludeHash */ 'h', PR_FALSE, 0, PR_FALSE },
{ /* opt_DistrustCRL */ 'C', PR_FALSE, 0, PR_FALSE },
{ /* opt_CRLEnry */ 'e', PR_TRUE, 0, PR_FALSE },
};
int
main(int argc, char **argv)
@ -455,30 +444,6 @@ main(int argc, char **argv)
if (rv != SECSuccess)
Usage(progName);
if (addbuiltin.options[opt_ConvertDate].activated) {
char *endPtr;
PRTime distrustTimestamp = strtol(addbuiltin.options[opt_ConvertDate].arg, &endPtr, 0) * PR_USEC_PER_SEC;
if (*endPtr != '\0' && distrustTimestamp > 0) {
Usage(progName);
exit(1);
}
SECItem encTime;
DER_EncodeTimeChoice(NULL, &encTime, distrustTimestamp);
SECU_PrintTimeChoice(stdout, &encTime, "The timestamp represents this date", 0);
printf("Locate the entry of the desired certificate in certdata.txt\n"
"Erase the CKA_NSS_[SERVER|EMAIL]_DISTRUST_AFTER CK_BBOOL CK_FALSE\n"
"And override with the following respective entry:\n\n");
SECU_PrintTimeChoice(stdout, &encTime, "# For Server Distrust After", 0);
printf("CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL\n");
dumpbytes(encTime.data, encTime.len);
printf("END\n");
SECU_PrintTimeChoice(stdout, &encTime, "# For Email Distrust After", 0);
printf("CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL\n");
dumpbytes(encTime.data, encTime.len);
printf("END\n");
exit(0);
}
if (addbuiltin.options[opt_Trust].activated)
++mutuallyExclusiveOpts;
if (addbuiltin.options[opt_Distrust].activated)
@ -493,12 +458,12 @@ main(int argc, char **argv)
}
if (addbuiltin.options[opt_DistrustCRL].activated) {
if (!addbuiltin.options[opt_CRLEntry].activated) {
if (!addbuiltin.options[opt_CRLEnry].activated) {
fprintf(stderr, "%s: you must specify the CRL entry number.\n",
progName);
Usage(progName);
} else {
crlentry = atoi(addbuiltin.options[opt_CRLEntry].arg);
crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg);
if (crlentry < 1) {
fprintf(stderr, "%s: The CRL entry number must be > 0.\n",
progName);

Просмотреть файл

@ -1108,33 +1108,36 @@ typedef struct secuPBEParamsStr {
SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
/* SECOID_PKCS5_PBKDF2 */
const SEC_ASN1Template secuKDF2Params[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
{ SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
{ SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
{ SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ 0 }
};
const SEC_ASN1Template secuKDF2Params[] =
{
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
{ SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
{ SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
{ SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ 0 }
};
/* PKCS5v1 & PKCS12 */
const SEC_ASN1Template secuPBEParamsTemp[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
{ SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
{ SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
{ 0 }
};
const SEC_ASN1Template secuPBEParamsTemp[] =
{
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
{ SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
{ SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
{ 0 }
};
/* SEC_OID_PKCS5_PBES2, SEC_OID_PKCS5_PBMAC1 */
const SEC_ASN1Template secuPBEV2Params[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ 0 }
};
const SEC_ASN1Template secuPBEV2Params[] =
{
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ 0 }
};
void
secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
@ -2297,9 +2300,8 @@ SECU_PrintCertAttributes(FILE *out, CERTAttribute **attrs, char *m, int level)
return rv;
}
/* sometimes a PRErrorCode, other times a SECStatus. Sigh. */
int
SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level)
int /* sometimes a PRErrorCode, other times a SECStatus. Sigh. */
SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level)
{
PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
CERTCertificateRequest *cr;
@ -3249,26 +3251,6 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
"Certificate Trust Flags", 1);
}
/* The distrust fields are hard-coded in nssckbi and read-only.
* If verifying some cert, with vfychain, for instance, the certificate may
* not have a defined slot if not imported. */
if (cert->slot != NULL && cert->distrust != NULL) {
const unsigned int kDistrustFieldSize = 13;
fprintf(stdout, "\n");
SECU_Indent(stdout, 1);
fprintf(stdout, "%s:\n", "Certificate Distrust Dates");
if (cert->distrust->serverDistrustAfter.len == kDistrustFieldSize) {
SECU_PrintTimeChoice(stdout,
&cert->distrust->serverDistrustAfter,
"Server Distrust After", 2);
}
if (cert->distrust->emailDistrustAfter.len == kDistrustFieldSize) {
SECU_PrintTimeChoice(stdout,
&cert->distrust->emailDistrustAfter,
"E-mail Distrust After", 2);
}
}
printf("\n");
return (SECSuccess);

Просмотреть файл

@ -10,4 +10,3 @@
*/
#error "Do not include this header file."

Просмотреть файл

@ -1224,53 +1224,3 @@ TEST_F(pkixder_universal_types_tests, OID)
ASSERT_EQ(Success, OID(reader, expectedOID));
}
TEST_F(pkixder_universal_types_tests, SkipOptionalImplicitPrimitiveTag)
{
const uint8_t DER_IMPLICIT_BIT_STRING_WITH_CLASS_NUMBER_1[] = {
0x81,
0x04,
0x00,
0x0A,
0x0B,
0x0C,
};
Input input(DER_IMPLICIT_BIT_STRING_WITH_CLASS_NUMBER_1);
Reader reader(input);
ASSERT_EQ(Success, SkipOptionalImplicitPrimitiveTag(reader, 1));
ASSERT_TRUE(reader.AtEnd());
}
TEST_F(pkixder_universal_types_tests, SkipOptionalImplicitPrimitiveTagMismatch)
{
const uint8_t DER_IMPLICIT_BIT_STRING_WITH_CLASS_NUMBER_1[] = {
0x81,
0x04,
0x00,
0x0A,
0x0B,
0x0C,
};
Input input(DER_IMPLICIT_BIT_STRING_WITH_CLASS_NUMBER_1);
Reader reader(input);
ASSERT_EQ(Success, SkipOptionalImplicitPrimitiveTag(reader, 2));
ASSERT_FALSE(reader.AtEnd());
}
TEST_F(pkixder_universal_types_tests, NoSkipOptionalImplicitConstructedTag)
{
const uint8_t DER_IMPLICIT_SEQUENCE_WITH_CLASS_NUMBER_1[] = {
0xA1,
0x03,
0x05,
0x01,
0x00,
};
Input input(DER_IMPLICIT_SEQUENCE_WITH_CLASS_NUMBER_1);
Reader reader(input);
ASSERT_EQ(Success, SkipOptionalImplicitPrimitiveTag(reader, 1));
ASSERT_FALSE(reader.AtEnd());
}

Просмотреть файл

@ -6,22 +6,13 @@ CORE_DEPTH = ../..
DEPTH = ../..
MODULE = nss
DEFINES += -DDLL_SUFFIX=\"$(DLL_SUFFIX)\" -DDLL_PREFIX=\"$(DLL_PREFIX)\"
include $(CORE_DEPTH)/coreconf/arch.mk
ifneq ($(OS_ARCH),WINNT)
DB_TESTS = \
softoken_nssckbi_testlib_gtest.cc
endif
CPPSRCS = \
softoken_gtest.cc \
$(DB_TESTS) \
$(NULL)
INCLUDES += \
-I$(CORE_DEPTH)/gtests/google_test/gtest/include \
-I$(CORE_DEPTH)/gtests/common \
-I$(CORE_DEPTH)/gtests/common \
-I$(CORE_DEPTH)/cpputil \
$(NULL)

Просмотреть файл

@ -12,7 +12,6 @@
'type': 'executable',
'sources': [
'softoken_gtest.cc',
'softoken_nssckbi_testlib_gtest.cc',
],
'dependencies': [
'<(DEPTH)/exports.gyp:nss_exports',
@ -45,10 +44,6 @@
'target_defaults': {
'include_dirs': [
'../../lib/util'
],
'defines': [
'DLL_PREFIX=\"<(dll_prefix)\"',
'DLL_SUFFIX=\"<(dll_suffix)\"'
]
},
'variables': {

Просмотреть файл

@ -1,124 +0,0 @@
#include "cert.h"
#include "certdb.h"
#include "nspr.h"
#include "nss.h"
#include "pk11pub.h"
#include "secerr.h"
#include "nss_scoped_ptrs.h"
#include "util.h"
#define GTEST_HAS_RTTI 0
#include "gtest/gtest.h"
namespace nss_test {
class SoftokenBuiltinsTest : public ::testing::Test {
protected:
SoftokenBuiltinsTest() : nss_db_dir_("SoftokenBuiltinsTest.d-") {}
SoftokenBuiltinsTest(const std::string &prefix) : nss_db_dir_(prefix) {}
virtual void SetUp() {
std::string nss_init_arg("sql:");
nss_init_arg.append(nss_db_dir_.GetUTF8Path());
ASSERT_EQ(SECSuccess, NSS_Initialize(nss_init_arg.c_str(), "", "",
SECMOD_DB, NSS_INIT_NOROOTINIT));
}
virtual void TearDown() {
ASSERT_EQ(SECSuccess, NSS_Shutdown());
const std::string &nss_db_dir_path = nss_db_dir_.GetPath();
ASSERT_EQ(0, unlink((nss_db_dir_path + "/cert9.db").c_str()));
ASSERT_EQ(0, unlink((nss_db_dir_path + "/key4.db").c_str()));
ASSERT_EQ(0, unlink((nss_db_dir_path + "/pkcs11.txt").c_str()));
}
virtual void LoadModule() {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
SECStatus result = SECMOD_AddNewModule(
"Builtins-testlib", DLL_PREFIX "nssckbi-testlib." DLL_SUFFIX, 0, 0);
ASSERT_EQ(result, SECSuccess);
}
ScopedUniqueDirectory nss_db_dir_;
};
// The next tests in this class are used to test the Distrust Fields.
// More details about these fields in lib/ckfw/builtins/README.
TEST_F(SoftokenBuiltinsTest, CheckNoDistrustFields) {
const char *kCertNickname =
"Builtin Object Token:Distrust Fields Test - no_distrust";
LoadModule();
CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
ASSERT_TRUE(cert_handle);
ScopedCERTCertificate cert(
CERT_FindCertByNickname(cert_handle, kCertNickname));
ASSERT_TRUE(cert);
EXPECT_EQ(PR_FALSE,
PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE));
EXPECT_EQ(PR_FALSE,
PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE));
ASSERT_FALSE(cert->distrust);
}
TEST_F(SoftokenBuiltinsTest, CheckOkDistrustFields) {
const char *kCertNickname =
"Builtin Object Token:Distrust Fields Test - ok_distrust";
LoadModule();
CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
ASSERT_TRUE(cert_handle);
ScopedCERTCertificate cert(
CERT_FindCertByNickname(cert_handle, kCertNickname));
ASSERT_TRUE(cert);
const char *kExpectedDERValueServer = "200617000000Z";
const char *kExpectedDERValueEmail = "071014085320Z";
// When a valid timestamp is encoded, the result length is exactly 13.
const unsigned int kDistrustFieldSize = 13;
ASSERT_TRUE(cert->distrust);
ASSERT_EQ(kDistrustFieldSize, cert->distrust->serverDistrustAfter.len);
ASSERT_NE(nullptr, cert->distrust->serverDistrustAfter.data);
EXPECT_TRUE(!memcmp(kExpectedDERValueServer,
cert->distrust->serverDistrustAfter.data,
kDistrustFieldSize));
ASSERT_EQ(kDistrustFieldSize, cert->distrust->emailDistrustAfter.len);
ASSERT_NE(nullptr, cert->distrust->emailDistrustAfter.data);
EXPECT_TRUE(!memcmp(kExpectedDERValueEmail,
cert->distrust->emailDistrustAfter.data,
kDistrustFieldSize));
}
TEST_F(SoftokenBuiltinsTest, CheckInvalidDistrustFields) {
const char *kCertNickname =
"Builtin Object Token:Distrust Fields Test - err_distrust";
LoadModule();
CERTCertDBHandle *cert_handle = CERT_GetDefaultCertDB();
ASSERT_TRUE(cert_handle);
ScopedCERTCertificate cert(
CERT_FindCertByNickname(cert_handle, kCertNickname));
ASSERT_TRUE(cert);
// The field should never be set to TRUE in production, we are just
// testing if this field is readable, even if set to TRUE.
EXPECT_EQ(PR_TRUE,
PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
CKA_NSS_SERVER_DISTRUST_AFTER, PR_FALSE));
// If something other than CK_BBOOL CK_TRUE, it will be considered FALSE
// Here, there is an OCTAL value, but with unexpected content (1 digit less).
EXPECT_EQ(PR_FALSE,
PK11_HasAttributeSet(cert->slot, cert->pkcs11ID,
CKA_NSS_EMAIL_DISTRUST_AFTER, PR_FALSE));
ASSERT_FALSE(cert->distrust);
}
} // namespace nss_test

Просмотреть файл

@ -2889,10 +2889,15 @@ void
CERT_UnlockCertRefCount(CERTCertificate *cert)
{
PORT_Assert(certRefCountLock != NULL);
PRStatus prstat = PZ_Unlock(certRefCountLock);
if (prstat != PR_SUCCESS) {
#ifdef DEBUG
{
PRStatus prstat = PZ_Unlock(certRefCountLock);
PORT_Assert(prstat == PR_SUCCESS);
}
#else
PZ_Unlock(certRefCountLock);
#endif
}
static PZLock *certTrustLock = NULL;
@ -2996,10 +3001,15 @@ void
CERT_UnlockCertTrust(const CERTCertificate *cert)
{
PORT_Assert(certTrustLock != NULL);
PRStatus prstat = PZ_Unlock(certTrustLock);
if (prstat != PR_SUCCESS) {
#ifdef DEBUG
{
PRStatus prstat = PZ_Unlock(certTrustLock);
PORT_Assert(prstat == PR_SUCCESS);
}
#else
PZ_Unlock(certTrustLock);
#endif
}
/*
@ -3009,10 +3019,14 @@ void
CERT_UnlockCertTempPerm(const CERTCertificate *cert)
{
PORT_Assert(certTempPermLock != NULL);
PRStatus prstat = PZ_Unlock(certTempPermLock);
if (prstat != PR_SUCCESS) {
#ifdef DEBUG
{
PRStatus prstat = PZ_Unlock(certTempPermLock);
PORT_Assert(prstat == PR_SUCCESS);
}
#else
(void)PZ_Unlock(certTempPermLock);
#endif
}
/*

Просмотреть файл

@ -35,7 +35,6 @@ typedef struct CERTCertListStr CERTCertList;
typedef struct CERTCertListNodeStr CERTCertListNode;
typedef struct CERTCertNicknamesStr CERTCertNicknames;
typedef struct CERTCertTrustStr CERTCertTrust;
typedef struct CERTCertDistrustStr CERTCertDistrust;
typedef struct CERTCertificateStr CERTCertificate;
typedef struct CERTCertificateListStr CERTCertificateList;
typedef struct CERTCertificateRequestStr CERTCertificateRequest;
@ -141,18 +140,6 @@ struct CERTCertTrustStr {
unsigned int objectSigningFlags;
};
/*
* Distrust dates for specific certificate usages.
* These dates are hardcoded in nssckbi/builtins. They are DER encoded to be
* compatible with the format of certdata.txt, other date fields in certs and
* existing functions to read these dates. Clients should check the distrust
* date in certificates to avoid trusting a CA for service they have ceased to
* support */
struct CERTCertDistrustStr {
SECItem serverDistrustAfter;
SECItem emailDistrustAfter;
};
/*
* defined the types of trust that exist
*/
@ -292,8 +279,6 @@ struct CERTCertificateStr {
PK11SlotInfo *slot; /*if this cert came of a token, which is it*/
CK_OBJECT_HANDLE pkcs11ID; /*and which object on that token is it */
PRBool ownSlot; /*true if the cert owns the slot reference */
/* These fields are used in nssckbi/builtins CAs. */
CERTCertDistrust *distrust;
};
#define SEC_CERTIFICATE_VERSION_1 0 /* default created */
#define SEC_CERTIFICATE_VERSION_2 1 /* v2 */

Просмотреть файл

@ -22,8 +22,7 @@ variants), SHLIB_PATH (32-bit HP-UX), LIBPATH (AIX), or PATH (Windows).
argument to the -n option should be replaced by the nickname of the root
certificate.
% addbuiltin -n "Nickname of the Root Certificate" -t C,C,C < newroot.der \
>> certdata.txt
% addbuiltin -n "Nickname of the Root Certificate" -t C,C,C < newroot.der >> certdata.txt
4. Edit nssckbi.h to bump the version of the module.
@ -44,63 +43,3 @@ II. Removing a Builtin Root CA Certificate
5. After you verify that the new nssckbi module is correct, check in
certdata.txt and nssckbi.h.
III. Scheduling a Distrust date for Server/TLS or Email certificates issued
by a CA
For each Builtin Root CA Certificate we have the Trust Bits to know what kind
of certificates issued by this CA are trusted: Server/TLS, E-mail or S/MIME.
Sometimes a CA discontinues support for a particular kind of certificate,
but will still issue other kinds. For instance, they might cease support for
email certificates but continue to provide server certificates. In this
scenario, we have to disable the Trust Bit for this kind of certificate when
the last issued certificate expires.
Between the last expired certificate date and the change and propagation of
this respective Trust Bit, could have a undesired gap.
So, in these situations we can set a Distrust Date for this Builtin Root CA
Certificate. Clients should check the distrust date in certificates to avoid
trusting a CA for service they have ceased to support.
A distrust date is a timestamp in unix epoch, encoded in DER format and saved
in certdata.txt. These fields are defined at the "Certificate" entries of
certdata.txt, in a MULTILINE_OCTAL format. By default, for readability purpose,
these fields are set as a boolean CK_FALSE and will be ignored when read.
1. Create the timestamp for the desired distrust date. An easy and practical way
to do this is using the date command.
% date -d "2019-07-01 00:00:00 UTC" +%s
The result should be something like: 1561939200
2. Then, run the addbuiltin -d to verify the timestamp and do the right
conversions.
The -d option takes the timestamp as an argument, which is interpreted as
seconds since unix epoch. The addbuiltin command will show the result in the
stdout, as it should be inserted in certdata.txt.
% addbuiltin -d 1561939200
The result should be something like this:
The timestamp represents this date: Mon Jul 01 00:00:00 2019
Locate the entry of the desired certificate in certdata.txt
Erase the CKA_NSS_[SERVER|EMAIL]_DISTRUST_AFTER CK_BBOOL CK_FALSE
And override with the following respective entry:
# For Server Distrust After: Mon Jul 01 00:00:00 2019
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\061\071\060\067\060\061\060\060\060\060\060\060\132
END
# For Email Distrust After: Mon Jul 01 00:00:00 2019
CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
\061\071\060\067\060\061\060\060\060\060\060\060\132
END
3. Edit the certdata.txt, overriding the desired entry for the desired CA, as
the instructions generated by the previous command.
4. If necessary, increment the version counter
NSS_BUILTINS_LIBRARY_VERSION_MINOR in nssckbi.h.
5. Build the nssckbi module.
6. A good way to test is with certutil:
% certutil -L -d $DBDIR -n "Builtin Object Token:<nickname>"

Разница между файлами не показана из-за своего большого размера Загрузить разницу

Просмотреть файл

@ -5,8 +5,6 @@
CORE_DEPTH = ../../..
DIRS = testlib
MODULE = nss
MAPFILE = $(OBJDIR)/nssckbi.def

Просмотреть файл

@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 38
#define NSS_BUILTINS_LIBRARY_VERSION "2.38"
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 36
#define NSS_BUILTINS_LIBRARY_VERSION "2.36"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

Просмотреть файл

@ -1,52 +0,0 @@
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
include manifest.mn
include $(CORE_DEPTH)/coreconf/config.mk
include config.mk
EXTRA_LIBS = \
$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
$(NULL)
# If the OS_TARGET is WIN%, the path of shared libs could be different.
ifeq (,$(filter-out WIN%,$(OS_TARGET)))
# If using GCC, just inform the name of the libs.
ifdef NS_USE_GCC
EXTRA_SHARED_LIBS += \
-L$(NSPR_LIB_DIR) \
-lplc4 \
-lplds4 \
-lnspr4 \
$(NULL)
else # NS_USE_GCC - If not using GCC, inform the absolute path.
EXTRA_SHARED_LIBS += \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
$(NULL)
endif # NS_USE_GCC
else # OS_TARGET != WIN
EXTRA_SHARED_LIBS += \
-L$(NSPR_LIB_DIR) \
-lplc4 \
-lplds4 \
-lnspr4 \
$(NULL)
endif # OS_TARGET
include $(CORE_DEPTH)/coreconf/rules.mk
CFLAGS += -I$(CORE_DEPTH)/lib/ckfw/builtins
# Generate certdata-testlib.c.
ifndef NSS_CERTDATA-TESTLIB_TXT
NSS_CERTDATA-TESTLIB_TXT = certdata-testlib.txt
endif
$(OBJDIR)/certdata-testlib.c: $(NSS_CERTDATA-TESTLIB_TXT)
@$(MAKE_OBJDIR)
$(PERL) ../certdata.perl $(NSS_CERTDATA-TESTLIB_TXT) $@

Просмотреть файл

@ -1,64 +0,0 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
{
'includes': [
'../../../../coreconf/config.gypi'
],
'targets': [
{
'target_name': 'nssckbi-testlib',
'type': 'shared_library',
'sources': [
'../anchor.c',
'../bfind.c',
'../binst.c',
'../bobject.c',
'../bsession.c',
'../bslot.c',
'../btoken.c',
'../ckbiver.c',
'../constants.c',
'<(certdata-testlib_c)',
],
'dependencies': [
'<(DEPTH)/exports.gyp:nss_exports',
'<(DEPTH)/lib/ckfw/ckfw.gyp:nssckfw',
'<(DEPTH)/lib/base/base.gyp:nssb'
],
'actions': [
{
'msvs_cygwin_shell': 0,
'action': [
'python',
'../certdata.py',
'certdata-testlib.txt',
'<@(_outputs)',
],
'inputs': [
'../certdata.py',
'../certdata.perl',
'certdata-testlib.txt'
],
'outputs': [
'<(certdata-testlib_c)'
],
'action_name': 'generate_certdata-testlib_c'
}
],
'variables': {
'mapfile': '../nssckbi.def',
'certdata-testlib_c': '<(INTERMEDIATE_DIR)/certdata-testlib.c',
}
}
],
'target_defaults': {
'include_dirs': [
'.',
'..'
]
},
'variables': {
'module': 'nss',
}
}

Просмотреть файл

@ -1,479 +0,0 @@
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# certdata-testlib.txt
#
# To safely test the Distrust Fields it was generated a testlib called:
# DLL_PREFIX+nssckbi-testlib+DLL_SUFFIX
# Example: libnssckbi-testlib.so, for Linux.
#
# This testlib is populated with three expired and self-signed certificates, as
# defined in this file. The only purpose of this testlib is to provide content
# to gtests defined in softoken_nssckbi_testlib_gtest.cc.
#
# The certificate and private key used here are stored in this same folder,
# in txt files named like: "testcert_<name>.txt".
#
# We have three certificates here:
# 1 - no_distrust:
# - Both distrust fields are set with CK_FALSE, the default.
#
# 2 - ok_distrust:
# - Each distrust field is set with a different and valid date.
#
# 3 - err_distrust:
# - The server/tls distrust field is set with CK_TRUE. These fields must be
# CK_FALSE when no schedule is set. Otherwise, must hold a valid encoded
timestamp.
# - The email distrust field is set with an incomplete and invalid encoded
# timestamp.
#
# These fields are filled when the cert is loaded and cannot be changed.
#
BEGINDATA
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Test with Invalid NSS Builtin Trusted Roots"
#
# Certificate "Distrust Fields Test - no_distrust"
#
# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST no_distrust
# Serial Number:73:f8:bc:37:a3:4a:5f:26:13:64:dc:4e:c6:58:4e:94:2a:24:22:b1
# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST no_distrust
# Not Valid Before: Tue Jul 16 06:32:42 2019
# Not Valid After : Fri Jul 26 06:32:42 2019
# Fingerprint (SHA-256): 53:AD:AE:B1:D4:D8:B6:34:59:60:26:FA:0D:56:B0:98:0A:E0:8D:E3:90:E5:13:FA:E9:BE:EA:5D:D5:E6:79:02
# Fingerprint (SHA1): 11:80:28:5A:A4:79:45:A2:AB:2F:A3:27:28:6A:CA:DB:0F:D7:30:FC
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Distrust Fields Test - no_distrust"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123
\124\040\156\157\137\144\151\163\164\162\165\163\164\061\014\060
\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006
\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060
\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013
\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006
\003\125\004\006\023\002\104\105
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123
\124\040\156\157\137\144\151\163\164\162\165\163\164\061\014\060
\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006
\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060
\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013
\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006
\003\125\004\006\023\002\104\105
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\024\163\370\274\067\243\112\137\046\023\144\334\116\306\130
\116\224\052\044\042\261
END
CKA_VALUE MULTILINE_OCTAL
\060\202\003\255\060\202\002\225\240\003\002\001\002\002\024\163
\370\274\067\243\112\137\046\023\144\334\116\306\130\116\224\052
\044\042\261\060\015\006\011\052\206\110\206\367\015\001\001\013
\005\000\060\146\061\031\060\027\006\003\125\004\003\014\020\124
\105\123\124\040\156\157\137\144\151\163\164\162\165\163\164\061
\014\060\012\006\003\125\004\013\014\003\116\123\123\061\020\060
\016\006\003\125\004\013\014\007\115\157\172\151\154\154\141\061
\015\060\013\006\003\125\004\007\014\004\124\105\123\124\061\015
\060\013\006\003\125\004\010\014\004\124\105\123\124\061\013\060
\011\006\003\125\004\006\023\002\104\105\060\036\027\015\061\071
\060\067\061\066\060\066\063\062\064\062\132\027\015\061\071\060
\067\062\066\060\066\063\062\064\062\132\060\146\061\031\060\027
\006\003\125\004\003\014\020\124\105\123\124\040\156\157\137\144
\151\163\164\162\165\163\164\061\014\060\012\006\003\125\004\013
\014\003\116\123\123\061\020\060\016\006\003\125\004\013\014\007
\115\157\172\151\154\154\141\061\015\060\013\006\003\125\004\007
\014\004\124\105\123\124\061\015\060\013\006\003\125\004\010\014
\004\124\105\123\124\061\013\060\011\006\003\125\004\006\023\002
\104\105\060\202\001\042\060\015\006\011\052\206\110\206\367\015
\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
\001\001\000\307\367\273\061\133\151\242\334\233\052\044\123\006
\275\040\214\266\303\135\365\220\104\106\076\100\144\062\366\325
\270\307\223\230\002\227\150\304\102\146\246\167\113\324\031\136
\132\140\006\247\062\145\074\257\115\330\256\244\325\003\176\203
\375\332\345\365\140\163\173\230\224\122\135\144\176\075\151\012
\275\044\307\317\343\126\332\221\240\171\141\372\107\137\210\362
\020\231\212\120\103\051\010\233\357\005\201\350\375\202\104\106
\072\270\323\151\164\013\201\355\004\304\002\017\042\071\022\072
\223\061\266\353\220\057\130\221\255\024\166\125\241\212\054\132
\056\120\222\072\332\275\356\037\232\026\344\336\043\052\074\112
\006\246\100\266\254\065\301\167\276\170\027\127\054\302\254\146
\171\327\314\305\264\077\044\101\347\105\337\267\051\110\041\113
\302\043\214\036\015\357\330\167\037\204\353\362\021\232\254\220
\271\171\170\306\077\016\353\045\376\171\154\125\323\326\363\136
\230\333\160\242\231\016\300\041\221\045\262\053\035\243\351\363
\233\013\073\002\233\030\152\324\132\270\203\240\163\167\272\142
\052\326\053\002\003\001\000\001\243\123\060\121\060\035\006\003
\125\035\016\004\026\004\024\272\015\343\222\236\200\244\163\217
\005\277\352\147\036\243\071\077\241\274\346\060\037\006\003\125
\035\043\004\030\060\026\200\024\272\015\343\222\236\200\244\163
\217\005\277\352\147\036\243\071\077\241\274\346\060\017\006\003
\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006
\011\052\206\110\206\367\015\001\001\013\005\000\003\202\001\001
\000\251\350\344\354\346\066\155\375\144\242\257\175\265\332\166
\233\334\141\326\230\160\122\303\221\002\257\313\252\330\003\330
\012\133\050\343\171\110\243\115\314\026\275\006\005\200\222\147
\166\250\275\323\024\367\317\255\034\264\240\003\114\023\044\171
\126\011\012\104\256\306\327\034\376\136\323\056\035\222\041\031
\350\372\052\242\025\362\236\176\232\002\300\010\013\127\256\314
\315\042\132\030\333\064\245\203\174\212\065\250\364\025\070\167
\177\312\033\301\377\273\046\215\340\007\204\260\210\056\275\351
\353\127\053\050\165\322\146\223\064\324\233\152\112\152\000\314
\360\205\057\172\037\061\066\104\312\324\362\156\265\114\130\241
\262\333\056\212\044\264\023\314\144\062\172\151\167\007\273\104
\253\173\054\025\073\174\027\167\176\362\037\232\067\073\220\257
\257\001\013\125\156\350\234\207\261\370\301\143\106\131\062\146
\041\227\107\340\262\042\034\030\043\336\257\115\027\250\024\171
\121\210\336\232\174\052\134\002\100\014\225\336\224\017\177\015
\354\253\245\347\057\340\214\070\003\375\266\023\017\001\373\236
\030
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "Distrust Fields Test - no_distrust"
# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST no_distrust
# Serial Number:73:f8:bc:37:a3:4a:5f:26:13:64:dc:4e:c6:58:4e:94:2a:24:22:b1
# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST no_distrust
# Not Valid Before: Tue Jul 16 06:32:42 2019
# Not Valid After : Fri Jul 26 06:32:42 2019
# Fingerprint (SHA-256): 53:AD:AE:B1:D4:D8:B6:34:59:60:26:FA:0D:56:B0:98:0A:E0:8D:E3:90:E5:13:FA:E9:BE:EA:5D:D5:E6:79:02
# Fingerprint (SHA1): 11:80:28:5A:A4:79:45:A2:AB:2F:A3:27:28:6A:CA:DB:0F:D7:30:FC
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Distrust Fields Test - no_distrust"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\021\200\050\132\244\171\105\242\253\057\243\047\050\152\312\333
\017\327\060\374
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\130\367\262\151\111\255\236\234\203\221\335\036\366\326\325\026
END
CKA_ISSUER MULTILINE_OCTAL
\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123
\124\040\156\157\137\144\151\163\164\162\165\163\164\061\014\060
\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006
\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060
\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013
\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006
\003\125\004\006\023\002\104\105
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\024\163\370\274\067\243\112\137\046\023\144\334\116\306\130
\116\224\052\044\042\261
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Distrust Fields Test - ok_distrust"
#
# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST ok_distrust
# Serial Number:3a:44:dc:9d:54:3f:5f:aa:b8:26:4f:1d:f8:5a:47:36:29:3a:1b:bc
# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST ok_distrust
# Not Valid Before: Tue Jul 16 06:32:42 2019
# Not Valid After : Fri Jul 26 06:32:42 2019
# Fingerprint (SHA-256): BA:43:4C:9D:21:8E:E7:15:8E:4D:11:7E:5B:4B:EF:57:D3:01:6C:D7:E5:6B:7B:6C:85:62:35:44:44:59:FE:5B
# Fingerprint (SHA1): F6:4F:33:50:3D:DB:1C:3D:BE:BE:79:9F:D6:B6:21:3A:AA:D1:55:4F
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Distrust Fields Test - ok_distrust"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123
\124\040\157\153\137\144\151\163\164\162\165\163\164\061\014\060
\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006
\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060
\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013
\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006
\003\125\004\006\023\002\104\105
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123
\124\040\157\153\137\144\151\163\164\162\165\163\164\061\014\060
\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006
\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060
\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013
\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006
\003\125\004\006\023\002\104\105
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\024\072\104\334\235\124\077\137\252\270\046\117\035\370\132
\107\066\051\072\033\274
END
CKA_VALUE MULTILINE_OCTAL
\060\202\003\255\060\202\002\225\240\003\002\001\002\002\024\072
\104\334\235\124\077\137\252\270\046\117\035\370\132\107\066\051
\072\033\274\060\015\006\011\052\206\110\206\367\015\001\001\013
\005\000\060\146\061\031\060\027\006\003\125\004\003\014\020\124
\105\123\124\040\157\153\137\144\151\163\164\162\165\163\164\061
\014\060\012\006\003\125\004\013\014\003\116\123\123\061\020\060
\016\006\003\125\004\013\014\007\115\157\172\151\154\154\141\061
\015\060\013\006\003\125\004\007\014\004\124\105\123\124\061\015
\060\013\006\003\125\004\010\014\004\124\105\123\124\061\013\060
\011\006\003\125\004\006\023\002\104\105\060\036\027\015\061\071
\060\067\061\066\060\066\063\062\064\062\132\027\015\061\071\060
\067\062\066\060\066\063\062\064\062\132\060\146\061\031\060\027
\006\003\125\004\003\014\020\124\105\123\124\040\157\153\137\144
\151\163\164\162\165\163\164\061\014\060\012\006\003\125\004\013
\014\003\116\123\123\061\020\060\016\006\003\125\004\013\014\007
\115\157\172\151\154\154\141\061\015\060\013\006\003\125\004\007
\014\004\124\105\123\124\061\015\060\013\006\003\125\004\010\014
\004\124\105\123\124\061\013\060\011\006\003\125\004\006\023\002
\104\105\060\202\001\042\060\015\006\011\052\206\110\206\367\015
\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
\001\001\000\272\036\174\330\225\102\315\034\063\337\145\114\060
\061\036\024\065\051\216\357\013\150\107\361\256\217\363\066\326
\124\247\034\227\202\315\151\263\237\125\340\377\047\125\050\016
\152\210\355\141\202\062\263\233\300\152\220\356\200\026\124\001
\163\305\024\357\315\374\220\267\370\170\316\022\056\216\161\145
\341\324\121\271\026\306\026\250\121\201\107\254\231\142\046\012
\043\260\242\356\051\303\206\277\341\377\304\117\066\373\340\073
\143\076\347\363\157\130\317\271\165\333\127\015\316\267\117\055
\232\240\271\116\250\160\364\271\224\203\215\137\267\066\271\377
\177\014\337\033\326\312\374\320\247\053\107\345\355\127\067\007
\322\220\200\376\053\266\132\044\160\266\154\062\265\375\262\176
\362\362\257\031\364\147\251\071\337\331\146\057\005\222\377\360
\001\247\252\155\106\035\235\065\222\346\351\301\204\335\344\012
\361\366\061\044\030\103\331\116\113\137\121\036\253\042\314\260
\005\231\251\002\102\002\161\071\337\330\304\150\215\220\164\346
\170\245\366\360\237\353\362\113\203\362\277\320\074\064\364\022
\031\105\025\002\003\001\000\001\243\123\060\121\060\035\006\003
\125\035\016\004\026\004\024\034\100\252\220\333\317\113\002\023
\153\030\071\246\014\327\332\262\164\374\075\060\037\006\003\125
\035\043\004\030\060\026\200\024\034\100\252\220\333\317\113\002
\023\153\030\071\246\014\327\332\262\164\374\075\060\017\006\003
\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006
\011\052\206\110\206\367\015\001\001\013\005\000\003\202\001\001
\000\042\041\036\227\272\132\106\356\112\272\302\204\014\360\134
\331\034\364\137\063\334\045\076\321\034\117\361\311\254\177\017
\236\076\121\327\155\046\347\241\205\367\254\061\211\276\011\117
\057\364\175\370\016\226\062\004\211\153\047\356\343\064\350\250
\231\007\041\164\014\374\216\235\206\203\156\310\013\360\342\237
\103\025\274\237\325\106\321\163\123\036\363\051\136\074\205\102
\270\127\146\303\060\022\057\104\073\102\030\325\123\376\037\106
\143\113\011\164\167\374\075\327\362\002\265\127\234\367\302\114
\371\374\251\106\221\343\004\047\227\125\316\024\046\366\370\207
\077\025\236\122\116\020\241\072\211\140\100\043\010\105\105\351
\304\130\373\313\345\272\232\334\230\011\013\335\261\230\202\353
\155\003\353\233\152\241\212\064\246\152\300\246\356\357\106\071
\347\211\144\275\212\014\035\247\112\221\131\070\230\122\367\317
\134\060\254\155\061\234\364\077\161\256\236\175\077\242\240\353
\161\360\355\362\337\215\172\055\123\332\352\264\026\124\012\363
\040\124\052\027\300\076\174\012\272\370\377\264\170\150\343\226
\105
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# For Server Distrust After: Wed Jun 17 00:00:00 2020
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\060\060\066\061\067\060\060\060\060\060\060\132
END
# For Email Distrust After: Sun Oct 14 08:53:20 2007
CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
\060\067\061\060\061\064\060\070\065\063\062\060\132
END
# Trust for "Distrust Fields Test - ok_distrust"
# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST ok_distrust
# Serial Number:3a:44:dc:9d:54:3f:5f:aa:b8:26:4f:1d:f8:5a:47:36:29:3a:1b:bc
# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST ok_distrust
# Not Valid Before: Tue Jul 16 06:32:42 2019
# Not Valid After : Fri Jul 26 06:32:42 2019
# Fingerprint (SHA-256): BA:43:4C:9D:21:8E:E7:15:8E:4D:11:7E:5B:4B:EF:57:D3:01:6C:D7:E5:6B:7B:6C:85:62:35:44:44:59:FE:5B
# Fingerprint (SHA1): F6:4F:33:50:3D:DB:1C:3D:BE:BE:79:9F:D6:B6:21:3A:AA:D1:55:4F
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Distrust Fields Test - ok_distrust"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\366\117\063\120\075\333\034\075\276\276\171\237\326\266\041\072
\252\321\125\117
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\045\304\210\204\375\245\150\220\305\310\325\205\077\365\302\146
END
CKA_ISSUER MULTILINE_OCTAL
\060\146\061\031\060\027\006\003\125\004\003\014\020\124\105\123
\124\040\157\153\137\144\151\163\164\162\165\163\164\061\014\060
\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016\006
\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015\060
\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060\013
\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011\006
\003\125\004\006\023\002\104\105
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\024\072\104\334\235\124\077\137\252\270\046\117\035\370\132
\107\066\051\072\033\274
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Distrust Fields Test - err_distrust"
#
# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST err_distrust
# Serial Number:60:fe:b3:a1:c8:c1:30:fc:02:f0:90:9b:6b:b7:08:5e:78:e5:fb:dc
# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST err_distrust
# Not Valid Before: Tue Jul 16 06:32:42 2019
# Not Valid After : Fri Jul 26 06:32:42 2019
# Fingerprint (SHA-256): E0:80:A0:7E:D7:53:52:FB:71:B5:05:03:80:C3:DB:92:C7:90:3D:26:3F:26:D5:BF:E5:87:FC:7C:46:EC:F6:35
# Fingerprint (SHA1): D4:54:DB:63:51:FB:68:61:DA:CD:61:D9:1B:F8:51:EB:CE:34:41:3D
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Distrust Fields Test - err_distrust"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\147\061\032\060\030\006\003\125\004\003\014\021\124\105\123
\124\040\145\162\162\137\144\151\163\164\162\165\163\164\061\014
\060\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016
\006\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015
\060\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060
\013\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011
\006\003\125\004\006\023\002\104\105
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\147\061\032\060\030\006\003\125\004\003\014\021\124\105\123
\124\040\145\162\162\137\144\151\163\164\162\165\163\164\061\014
\060\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016
\006\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015
\060\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060
\013\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011
\006\003\125\004\006\023\002\104\105
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\024\140\376\263\241\310\301\060\374\002\360\220\233\153\267
\010\136\170\345\373\334
END
CKA_VALUE MULTILINE_OCTAL
\060\202\003\257\060\202\002\227\240\003\002\001\002\002\024\140
\376\263\241\310\301\060\374\002\360\220\233\153\267\010\136\170
\345\373\334\060\015\006\011\052\206\110\206\367\015\001\001\013
\005\000\060\147\061\032\060\030\006\003\125\004\003\014\021\124
\105\123\124\040\145\162\162\137\144\151\163\164\162\165\163\164
\061\014\060\012\006\003\125\004\013\014\003\116\123\123\061\020
\060\016\006\003\125\004\013\014\007\115\157\172\151\154\154\141
\061\015\060\013\006\003\125\004\007\014\004\124\105\123\124\061
\015\060\013\006\003\125\004\010\014\004\124\105\123\124\061\013
\060\011\006\003\125\004\006\023\002\104\105\060\036\027\015\061
\071\060\067\061\066\060\066\063\062\064\062\132\027\015\061\071
\060\067\062\066\060\066\063\062\064\062\132\060\147\061\032\060
\030\006\003\125\004\003\014\021\124\105\123\124\040\145\162\162
\137\144\151\163\164\162\165\163\164\061\014\060\012\006\003\125
\004\013\014\003\116\123\123\061\020\060\016\006\003\125\004\013
\014\007\115\157\172\151\154\154\141\061\015\060\013\006\003\125
\004\007\014\004\124\105\123\124\061\015\060\013\006\003\125\004
\010\014\004\124\105\123\124\061\013\060\011\006\003\125\004\006
\023\002\104\105\060\202\001\042\060\015\006\011\052\206\110\206
\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
\002\202\001\001\000\321\114\327\160\070\075\364\033\323\322\310
\337\270\071\333\312\356\066\304\105\170\071\227\203\335\012\013
\107\004\165\264\325\014\054\103\051\007\017\224\166\330\057\051
\342\232\254\326\232\070\331\265\140\205\234\202\074\320\375\103
\303\343\216\056\215\317\155\142\311\354\245\047\050\257\046\365
\156\124\272\245\172\016\122\145\054\326\357\136\112\364\352\012
\360\112\207\363\316\036\254\155\214\216\362\261\021\270\016\171
\011\323\105\072\206\344\141\267\256\065\367\315\022\225\133\165
\351\066\167\326\262\122\370\233\222\107\067\307\272\145\242\157
\377\054\262\175\172\161\140\032\335\161\323\037\307\261\315\245
\377\044\110\201\124\142\337\146\162\032\344\366\101\235\252\263
\226\153\343\046\300\231\240\025\241\031\202\232\374\221\176\240
\061\234\071\330\116\171\150\046\307\102\160\104\377\320\147\263
\165\312\377\246\235\175\001\063\246\003\273\247\254\123\321\063
\373\316\220\012\056\200\314\354\341\037\065\370\112\322\065\346
\363\067\023\034\365\011\267\320\247\227\332\276\175\246\060\010
\117\253\217\234\337\002\003\001\000\001\243\123\060\121\060\035
\006\003\125\035\016\004\026\004\024\121\202\330\003\344\310\170
\002\314\331\364\031\015\224\214\027\241\373\266\000\060\037\006
\003\125\035\043\004\030\060\026\200\024\121\202\330\003\344\310
\170\002\314\331\364\031\015\224\214\027\241\373\266\000\060\017
\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202
\001\001\000\162\225\235\140\215\374\232\051\167\366\325\002\006
\370\057\245\115\123\201\060\371\363\301\340\132\123\100\026\372
\012\277\245\017\030\047\005\244\057\243\057\374\331\317\063\177
\117\204\065\314\313\046\140\345\151\256\107\160\253\027\022\137
\271\022\310\365\273\273\171\346\123\224\215\004\035\032\365\243
\047\030\246\342\022\121\155\315\117\320\244\313\240\061\136\030
\310\005\112\006\244\176\042\054\235\221\145\123\156\276\001\163
\043\233\071\147\143\031\377\035\031\223\224\176\025\065\225\052
\015\357\036\360\306\152\056\171\341\071\151\330\064\110\100\172
\126\160\243\166\277\133\102\210\341\032\203\002\003\042\073\252
\116\376\043\112\377\337\231\301\314\227\016\111\106\131\260\045
\315\266\000\015\337\301\213\276\141\250\344\261\152\024\350\361
\246\301\242\066\335\330\263\373\230\211\320\047\235\266\254\347
\371\101\126\046\111\001\250\373\233\031\371\304\374\167\271\144
\025\277\276\355\216\067\024\012\121\231\256\205\335\264\207\047
\231\317\306\103\273\262\234\240\153\152\063\071\151\254\113\314
\336\067\230
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_TRUE
# For Email Distrust After: Sun Oct 14 08:53:20 2007 # Missing \132 at end
CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
\060\067\061\060\061\064\060\070\065\063\062\060
END
# Trust for "Distrust Fields Test - err_distrust"
# Issuer: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST err_distrust
# Serial Number:60:fe:b3:a1:c8:c1:30:fc:02:f0:90:9b:6b:b7:08:5e:78:e5:fb:dc
# Subject: C=DE,ST=TEST,L=TEST,OU=Mozilla,OU=NSS,CN=TEST err_distrust
# Not Valid Before: Tue Jul 16 06:32:42 2019
# Not Valid After : Fri Jul 26 06:32:42 2019
# Fingerprint (SHA-256): E0:80:A0:7E:D7:53:52:FB:71:B5:05:03:80:C3:DB:92:C7:90:3D:26:3F:26:D5:BF:E5:87:FC:7C:46:EC:F6:35
# Fingerprint (SHA1): D4:54:DB:63:51:FB:68:61:DA:CD:61:D9:1B:F8:51:EB:CE:34:41:3D
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Distrust Fields Test - err_distrust"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\324\124\333\143\121\373\150\141\332\315\141\331\033\370\121\353
\316\064\101\075
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\105\150\314\050\103\366\315\141\322\277\363\133\217\305\124\273
END
CKA_ISSUER MULTILINE_OCTAL
\060\147\061\032\060\030\006\003\125\004\003\014\021\124\105\123
\124\040\145\162\162\137\144\151\163\164\162\165\163\164\061\014
\060\012\006\003\125\004\013\014\003\116\123\123\061\020\060\016
\006\003\125\004\013\014\007\115\157\172\151\154\154\141\061\015
\060\013\006\003\125\004\007\014\004\124\105\123\124\061\015\060
\013\006\003\125\004\010\014\004\124\105\123\124\061\013\060\011
\006\003\125\004\006\023\002\104\105
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\024\140\376\263\241\310\301\060\374\002\360\220\233\153\267
\010\136\170\345\373\334
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

Просмотреть файл

@ -1,38 +0,0 @@
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Override TARGETS variable so that only shared libraries
# are specifed as dependencies within rules.mk.
#
TARGETS = $(SHARED_LIBRARY)
LIBRARY =
IMPORT_LIBRARY =
PROGRAM =
ifeq (,$(filter-out WIN%,$(OS_TARGET)))
SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
RES = $(OBJDIR)/$(LIBRARY_NAME).res
RESNAME = $(LIBRARY_NAME).rc
endif
ifdef BUILD_IDG
DEFINES += -DNSSDEBUG
endif
# Needed for compilation of $(OBJDIR)/certdata.c
INCLUDES += -I.
#
# To create a loadable module on Darwin, we must use -bundle.
#
ifeq ($(OS_TARGET),Darwin)
DSO_LDOPTS = -bundle
endif
ifdef USE_GCOV
DSO_LDOPTS += --coverage
endif

Просмотреть файл

@ -1,25 +0,0 @@
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
CORE_DEPTH = ../../../..
MODULE = nss
CSRCS = \
../anchor.c \
../bfind.c \
../binst.c \
../bobject.c \
../bsession.c \
../bslot.c \
../btoken.c \
../ckbiver.c \
../constants.c \
certdata-testlib.c \
$(NULL)
REQUIRES = nspr
LIBRARY_NAME = nssckbi-testlib

Просмотреть файл

@ -1,52 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "../nssckbi.h"
#include <winver.h>
#define MY_LIBNAME "nssckbi-testlib"
#define MY_FILEDESCRIPTION "A Test of NSS Builtin Trusted Roots (testlib)"
#define MY_FILEFLAGS_1 0x0L
#ifdef WINNT
#define MY_FILEOS VOS_NT_WINDOWS32
#else
#define MY_FILEOS VOS__WINDOWS32
#endif
#define MY_INTERNAL_NAME MY_LIBNAME
/////////////////////////////////////////////////////////////////////////////
//
// Version-information resource
//
VS_VERSION_INFO VERSIONINFO
FILEVERSION NSS_BUILTINS_LIBRARY_VERSION_MAJOR,NSS_BUILTINS_LIBRARY_VERSION_MINOR,0,0
PRODUCTVERSION NSS_BUILTINS_LIBRARY_VERSION_MAJOR,NSS_BUILTINS_LIBRARY_VERSION_MINOR,0,0
FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
FILEFLAGS MY_FILEFLAGS_1
FILEOS MY_FILEOS
FILETYPE VFT_DLL
FILESUBTYPE 0x0L // not used
BEGIN
BLOCK "StringFileInfo"
BEGIN
BLOCK "040904B0" // Lang=US English, CharSet=Unicode
BEGIN
VALUE "CompanyName", "Mozilla Foundation\0"
VALUE "FileDescription", MY_FILEDESCRIPTION "\0"
VALUE "FileVersion", NSS_BUILTINS_LIBRARY_VERSION "\0"
VALUE "InternalName", MY_INTERNAL_NAME "\0"
VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
VALUE "ProductName", "Network Security Services\0"
VALUE "ProductVersion", NSS_BUILTINS_LIBRARY_VERSION "\0"
END
END
BLOCK "VarFileInfo"
BEGIN
VALUE "Translation", 0x409, 1200
END
END

Просмотреть файл

@ -1,50 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIUYP6zocjBMPwC8JCba7cIXnjl+9wwDQYJKoZIhvcNAQEL
BQAwZzEaMBgGA1UEAwwRVEVTVCBlcnJfZGlzdHJ1c3QxDDAKBgNVBAsMA05TUzEQ
MA4GA1UECwwHTW96aWxsYTENMAsGA1UEBwwEVEVTVDENMAsGA1UECAwEVEVTVDEL
MAkGA1UEBhMCREUwHhcNMTkwNzE2MDYzMjQyWhcNMTkwNzI2MDYzMjQyWjBnMRow
GAYDVQQDDBFURVNUIGVycl9kaXN0cnVzdDEMMAoGA1UECwwDTlNTMRAwDgYDVQQL
DAdNb3ppbGxhMQ0wCwYDVQQHDARURVNUMQ0wCwYDVQQIDARURVNUMQswCQYDVQQG
EwJERTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANFM13A4PfQb09LI
37g528ruNsRFeDmXg90KC0cEdbTVDCxDKQcPlHbYLynimqzWmjjZtWCFnII80P1D
w+OOLo3PbWLJ7KUnKK8m9W5UuqV6DlJlLNbvXkr06grwSofzzh6sbYyO8rERuA55
CdNFOobkYbeuNffNEpVbdek2d9ayUvibkkc3x7plom//LLJ9enFgGt1x0x/Hsc2l
/yRIgVRi32ZyGuT2QZ2qs5Zr4ybAmaAVoRmCmvyRfqAxnDnYTnloJsdCcET/0Gez
dcr/pp19ATOmA7unrFPRM/vOkAougMzs4R81+ErSNebzNxMc9Qm30KeX2r59pjAI
T6uPnN8CAwEAAaNTMFEwHQYDVR0OBBYEFFGC2APkyHgCzNn0GQ2UjBeh+7YAMB8G
A1UdIwQYMBaAFFGC2APkyHgCzNn0GQ2UjBeh+7YAMA8GA1UdEwEB/wQFMAMBAf8w
DQYJKoZIhvcNAQELBQADggEBAHKVnWCN/Jopd/bVAgb4L6VNU4Ew+fPB4FpTQBb6
Cr+lDxgnBaQvoy/82c8zf0+ENczLJmDlaa5HcKsXEl+5Esj1u7t55lOUjQQdGvWj
Jxim4hJRbc1P0KTLoDFeGMgFSgakfiIsnZFlU26+AXMjmzlnYxn/HRmTlH4VNZUq
De8e8MZqLnnhOWnYNEhAelZwo3a/W0KI4RqDAgMiO6pO/iNK/9+ZwcyXDklGWbAl
zbYADd/Bi75hqOSxahTo8abBojbd2LP7mInQJ522rOf5QVYmSQGo+5sZ+cT8d7lk
Fb++7Y43FApRma6F3bSHJ5nPxkO7spyga2ozOWmsS8zeN5g=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDRTNdwOD30G9PS
yN+4OdvK7jbERXg5l4PdCgtHBHW01QwsQykHD5R22C8p4pqs1po42bVghZyCPND9
Q8Pjji6Nz21iyeylJyivJvVuVLqleg5SZSzW715K9OoK8EqH884erG2MjvKxEbgO
eQnTRTqG5GG3rjX3zRKVW3XpNnfWslL4m5JHN8e6ZaJv/yyyfXpxYBrdcdMfx7HN
pf8kSIFUYt9mchrk9kGdqrOWa+MmwJmgFaEZgpr8kX6gMZw52E55aCbHQnBE/9Bn
s3XK/6adfQEzpgO7p6xT0TP7zpAKLoDM7OEfNfhK0jXm8zcTHPUJt9Cnl9q+faYw
CE+rj5zfAgMBAAECggEAfgyGDtqATTxZFK/PNFb8DLnsF8YywpSCYKOE6S9BaDeK
jjmgQtVaNzy5IsOLHZ5c4PIUbt3oxPK1dmHSXoApf1Q173HmaAwuT1XqJ5k1kyTv
7SVrnMIqCoB3V0Eh0cC+GPEFRMpuVL90FptElI0z0ztFsmZjsCo8D+E2IM6h25UQ
MiZmJNb2qk+64Ef9yiKyUBA15y7zBUOIsRMDQlREpHA0T6N2YC1b98r73RHYHc8O
+rQixX4ZtB0gl97nKdOjEX9ECfwd5nUXVUFNMthozYMy2VmpU9eH3zP33vcZNvaD
5GX2lvSkWLXEb6Zc/yWdBPrijSVeD+qwZ6tDBPgskQKBgQD4EbzuiFLEoFE/IdCD
zP1cj28kmUU6oQJDk2TNlsQ3q6jbSoMCXqEfVF9RFcTkvCnV1GkrwjoM8vhYaL+x
OCGRIvOqzsDwvyd3lbsDM3pVw6j64zRjR1JkdOK23sCj10cVEYYqDozVHILPYmEL
hEEYk7FqfPY1uqKL6zGnWhX81wKBgQDX/c6i8kOJjO7YWoG4Z2hPUJJCM/q3Ws1b
XK2m6qddYPV5zOv2geknAC71WqOgVnLM/pNrPpd2p1kMjRPqKKUL0z7XONp8+6ii
9EB+CEwUB/1kA/GFl5sAcOv9uGqMrXeWoAzeoyeBE/MscfANY0tROfvXvpYhYl3S
SlCfy0UXOQKBgFfKJzufQPNW7QnTlLBgJjXQiPvBxi82dc+mZOEg/vXYqRxaJTz8
cjbdLBJNCu4L7R5AWqviw5p7jgnzoAs+mxp67RLAsqVAcN4wPgum9x9M7AtFxu9v
eSgV+XnQIQqakAxTtFBD7/Enct+jqEZkGolxEzNlX9ip4QZ1SJA6IFfnAoGBAJLN
F6faXxrbJe74vNgXuGbIDVBfwdTjK1YgTIp5TF2EK/On2uzFaTEvx7rM6w9sEkTP
9mRau1lS7oxASrvI+jxqTHi9VIrEBN8UgcznWMX4lDlpELvKyffnyA2/TPPmZrSC
fZzIaW4qoAmiOxTuWt+POGNvTtzL3ZazGc8xufjJAoGAbDCQGFIEo4DVOVEgI1sM
rmK9sOBjHO1306HL/gKqJo/CVSwLpwjErCLr1w0LUGG8SRup3VyZSTJTh15F3Pfk
+N6nVrhCTag6vF/E3/VTZ3BwgvOLT3XqUTprntQUPXA+Dk+Fdem4dgHvknRDwz99
APZYdtb09hSETdUJmgd376g=
-----END PRIVATE KEY-----

Просмотреть файл

@ -1,50 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDrTCCApWgAwIBAgIUc/i8N6NKXyYTZNxOxlhOlCokIrEwDQYJKoZIhvcNAQEL
BQAwZjEZMBcGA1UEAwwQVEVTVCBub19kaXN0cnVzdDEMMAoGA1UECwwDTlNTMRAw
DgYDVQQLDAdNb3ppbGxhMQ0wCwYDVQQHDARURVNUMQ0wCwYDVQQIDARURVNUMQsw
CQYDVQQGEwJERTAeFw0xOTA3MTYwNjMyNDJaFw0xOTA3MjYwNjMyNDJaMGYxGTAX
BgNVBAMMEFRFU1Qgbm9fZGlzdHJ1c3QxDDAKBgNVBAsMA05TUzEQMA4GA1UECwwH
TW96aWxsYTENMAsGA1UEBwwEVEVTVDENMAsGA1UECAwEVEVTVDELMAkGA1UEBhMC
REUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDH97sxW2mi3JsqJFMG
vSCMtsNd9ZBERj5AZDL21bjHk5gCl2jEQmamd0vUGV5aYAanMmU8r03YrqTVA36D
/drl9WBze5iUUl1kfj1pCr0kx8/jVtqRoHlh+kdfiPIQmYpQQykIm+8Fgej9gkRG
OrjTaXQLge0ExAIPIjkSOpMxtuuQL1iRrRR2VaGKLFouUJI62r3uH5oW5N4jKjxK
BqZAtqw1wXe+eBdXLMKsZnnXzMW0PyRB50XftylIIUvCI4weDe/Ydx+E6/IRmqyQ
uXl4xj8O6yX+eWxV09bzXpjbcKKZDsAhkSWyKx2j6fObCzsCmxhq1Fq4g6Bzd7pi
KtYrAgMBAAGjUzBRMB0GA1UdDgQWBBS6DeOSnoCkc48Fv+pnHqM5P6G85jAfBgNV
HSMEGDAWgBS6DeOSnoCkc48Fv+pnHqM5P6G85jAPBgNVHRMBAf8EBTADAQH/MA0G
CSqGSIb3DQEBCwUAA4IBAQCp6OTs5jZt/WSir3212nab3GHWmHBSw5ECr8uq2APY
Clso43lIo03MFr0GBYCSZ3aovdMU98+tHLSgA0wTJHlWCQpErsbXHP5e0y4dkiEZ
6PoqohXynn6aAsAIC1euzM0iWhjbNKWDfIo1qPQVOHd/yhvB/7smjeAHhLCILr3p
61crKHXSZpM01JtqSmoAzPCFL3ofMTZEytTybrVMWKGy2y6KJLQTzGQyeml3B7tE
q3ssFTt8F3d+8h+aNzuQr68BC1Vu6JyHsfjBY0ZZMmYhl0fgsiIcGCPer00XqBR5
UYjemnwqXAJADJXelA9/Deyrpecv4Iw4A/22Ew8B+54Y
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDH97sxW2mi3Jsq
JFMGvSCMtsNd9ZBERj5AZDL21bjHk5gCl2jEQmamd0vUGV5aYAanMmU8r03YrqTV
A36D/drl9WBze5iUUl1kfj1pCr0kx8/jVtqRoHlh+kdfiPIQmYpQQykIm+8Fgej9
gkRGOrjTaXQLge0ExAIPIjkSOpMxtuuQL1iRrRR2VaGKLFouUJI62r3uH5oW5N4j
KjxKBqZAtqw1wXe+eBdXLMKsZnnXzMW0PyRB50XftylIIUvCI4weDe/Ydx+E6/IR
mqyQuXl4xj8O6yX+eWxV09bzXpjbcKKZDsAhkSWyKx2j6fObCzsCmxhq1Fq4g6Bz
d7piKtYrAgMBAAECggEALCE4t3DEBEQJHii8Be2xBDzFKrQprVePH2i9conB6JFi
55eAcGdy/eOv4VPj5a/xZ+6QNu89D8ei6ruFrR1VtJANRA8PohP3NllBti+/hCFw
eGxPefnfL8cq/yNawF0SEBpyMMsw2ZdM0r1v0cvdxBIuoOeAZh/XkH1t+N7iYwLm
Kbkfzp7qVPDxghavODEX2GnWptNONomglHj/DcQtpCJfff9SgqtG8j9M+YX2mzfb
yoPy3scOvknfGqMlCtz5ilGHMXACq1JqzPfAz2FPVSB5ROHLQyt8PQQVfp8QSrkk
4LTqR7Z0H5NRxj35sfJn1C1J/wFw3bkmy5CxgyCtwQKBgQDyYl3yIlm6U9i4c7b8
3aNzsdDcbRYi+Dvvi59QVNqf03Fct+PP2ThBTbpw0TTsWh947PJli1JUnLamGpeO
3ZUnpEFctXFWInX0ghsATc0zdxjWeX6VoIf+9tSqO5yCmqtZxslZUXTcvDi1XAK7
1FPsrHvsiFzD2b3b930MpT7qoQKBgQDTM2N0NdJ1hQneOBp3wvrAlzRXxBYsaM83
O32ek3ZFVAwpqNPt6w8PjcCRq0ej8w6v4EeR1Hqc4Mol0TnzTbIoYMB+eyqsGjTi
7rL0Z9f+dDzGNlGssCplu72oHLF8TJq9aoh36wUMH8hc473M2ZCrjcUAudrWYEkc
0GIr0hZ5SwKBgHi6XDbVu0Ger8y3/kYXE2n2AKU6RJNod1oKfnDhwv9mrwlSossN
VALa92loGuc6wIBX7Sh866YvZJ55klHbtoZHPzMxQOF5Sq1d/Jr7JaFjyeBSJaXb
jsGFKkocZQl8hqqx4+p0MzQbIFfdG5N439B73UHkbegzVWjx7bxVtm/hAoGBAMl5
kVuP6JhRdKt3i9BJwZmt5LIBDkIJLfv7lYeMFtxmJEAtnRavESv+RwDviyUcvhsL
clrsfpdfXZgb8xNmQBmCyr8d0gRh76e4nCDJW2STEFLqCJobaCaqpW9VB/+SuF8P
3OXA3ozFWQc7/pkHx5nQYWmi4t909Oo25B/3h5bnAoGBAIzm30BPZpMLyGvPCFIJ
O2Rycvb4bDUU0J8cAVnvsAP6POWBYD0H6rHioZnRz6V3ZBibg+jvzXBiRAqm4n2e
yRduP/3m6a3BKhYyplZEV1cUCnnUvQtusWiv61E/mDnPGco3sljUfCbvo1h1Juuq
io2guvIg0tE5WSQr9spqy+o8
-----END PRIVATE KEY-----

Просмотреть файл

@ -1,50 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDrTCCApWgAwIBAgIUOkTcnVQ/X6q4Jk8d+FpHNik6G7wwDQYJKoZIhvcNAQEL
BQAwZjEZMBcGA1UEAwwQVEVTVCBva19kaXN0cnVzdDEMMAoGA1UECwwDTlNTMRAw
DgYDVQQLDAdNb3ppbGxhMQ0wCwYDVQQHDARURVNUMQ0wCwYDVQQIDARURVNUMQsw
CQYDVQQGEwJERTAeFw0xOTA3MTYwNjMyNDJaFw0xOTA3MjYwNjMyNDJaMGYxGTAX
BgNVBAMMEFRFU1Qgb2tfZGlzdHJ1c3QxDDAKBgNVBAsMA05TUzEQMA4GA1UECwwH
TW96aWxsYTENMAsGA1UEBwwEVEVTVDENMAsGA1UECAwEVEVTVDELMAkGA1UEBhMC
REUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6HnzYlULNHDPfZUww
MR4UNSmO7wtoR/Guj/M21lSnHJeCzWmzn1Xg/ydVKA5qiO1hgjKzm8BqkO6AFlQB
c8UU7838kLf4eM4SLo5xZeHUUbkWxhaoUYFHrJliJgojsKLuKcOGv+H/xE82++A7
Yz7n829Yz7l121cNzrdPLZqguU6ocPS5lIONX7c2uf9/DN8b1sr80KcrR+XtVzcH
0pCA/iu2WiRwtmwytf2yfvLyrxn0Z6k539lmLwWS//ABp6ptRh2dNZLm6cGE3eQK
8fYxJBhD2U5LX1EeqyLMsAWZqQJCAnE539jEaI2QdOZ4pfbwn+vyS4Pyv9A8NPQS
GUUVAgMBAAGjUzBRMB0GA1UdDgQWBBQcQKqQ289LAhNrGDmmDNfasnT8PTAfBgNV
HSMEGDAWgBQcQKqQ289LAhNrGDmmDNfasnT8PTAPBgNVHRMBAf8EBTADAQH/MA0G
CSqGSIb3DQEBCwUAA4IBAQAiIR6XulpG7kq6woQM8FzZHPRfM9wlPtEcT/HJrH8P
nj5R120m56GF96wxib4JTy/0ffgOljIEiWsn7uM06KiZByF0DPyOnYaDbsgL8OKf
QxW8n9VG0XNTHvMpXjyFQrhXZsMwEi9EO0IY1VP+H0ZjSwl0d/w91/ICtVec98JM
+fypRpHjBCeXVc4UJvb4hz8VnlJOEKE6iWBAIwhFRenEWPvL5bqa3JgJC92xmILr
bQPrm2qhijSmasCm7u9GOeeJZL2KDB2nSpFZOJhS989cMKxtMZz0P3Gunn0/oqDr
cfDt8t+Nei1T2uq0FlQK8yBUKhfAPnwKuvj/tHho45ZF
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC6HnzYlULNHDPf
ZUwwMR4UNSmO7wtoR/Guj/M21lSnHJeCzWmzn1Xg/ydVKA5qiO1hgjKzm8BqkO6A
FlQBc8UU7838kLf4eM4SLo5xZeHUUbkWxhaoUYFHrJliJgojsKLuKcOGv+H/xE82
++A7Yz7n829Yz7l121cNzrdPLZqguU6ocPS5lIONX7c2uf9/DN8b1sr80KcrR+Xt
VzcH0pCA/iu2WiRwtmwytf2yfvLyrxn0Z6k539lmLwWS//ABp6ptRh2dNZLm6cGE
3eQK8fYxJBhD2U5LX1EeqyLMsAWZqQJCAnE539jEaI2QdOZ4pfbwn+vyS4Pyv9A8
NPQSGUUVAgMBAAECggEATZbSIxQucgV01oeLOHfxeykidxTOY53CcixOjyjQx43S
19O8YgZlrdOQ2R5GzEDi/QhjDJ88mvBqjPlB8g0KNw01iTnnh+0Ms2W3Oizn9TRQ
fd78qRS5WWDp3JHRHknP0ouUmIM7uv1irKBaPUfFfLruS07lmO1koDvyDU8MrD1+
Lr9i/7DOxpMFRTP4OBs4J22M1jdaVV7RM5/ZxHezSEJx8lpYvsBSHYYrViWx+TvL
BQabnfntg4YbVoB+5f7kOA0f0a/WdF1q4yursLvPFb3F+w271s11PYnXp8G7Axe7
ylcojRhvb1bque2WP7Wz3L0kCosxPkaH7W2RfHZX7QKBgQDgI7Xuo+2hnOkPZxNd
EuA2+1gKmRnd9Gx+gBvSOxgy+bIirddWpUoSQE1cZiJu0ylERVBMXJzMi5uT1/nR
OP9HVUY/pYDEtuHRHyF60sp8+qTiV0PxACuaYGmUSO22+p9yp0mfVNl+AkQlLbam
pmQG3OWb7Zqpef7+v7fnccPwFwKBgQDUkz1OyUwB1Nx0GtzAiYuoVh0Oe2GM8tHI
8kSXbFyXh5ly75Cm5gPR6dxLsLSOZxzGZMfXm13MFWVARQJgudFJFTtqRufJZcnS
ie/OpY35eYqKqzYIwt+4U6biCLK3q77dH1Psgz0ghoH6DfDkl2eQDF9LLUxvrS5Q
r36bBezjswKBgEAMFEWv1Ax1UOeU1aSn6yfq5HqKyyhwWrw/ETQerMiML0nXkQvy
SVszwqdfjAFNF6Kph8t6P1f3oKo7cehGODQC+wLe4Q/VDmv6UE/Pggr6eDkxJHnu
SYdge2ri+AJsVTmm8dO0pD1smlphWKsAKt8HKhlHaQV6ldHnqL5a9NlbAoGAK6zI
xtwy4plyZeRzAJgB+qcetzAAXe4xzgCAuT/JUlTI4UV5SeEuXb2XxnFa13s1/UkN
ii3guqKWt/q1v1vONR7Io1BIJSflrH0sqR94qQ4gudbtdiVbw8pkGkLBPV1rDJF4
M7rPH1SjddXRbZXx8DWqio6XCsbhIjC8aWtxPWMCgYAClC2GhicT+Jiv5Y8gT/hc
/DJjhQTtV1mMqek69XJ6Xsc6wEkFSXpUr8/3XoP8Sj/xrEluTJYgt/DTVbXAvLcv
XCaERRdrpBHspFrD9lcOZRjS17QTVAzH8bt3+YidqvDnn/2Xch49hcUJTFEx7Km+
r4Tw2QmALNeNDgRlkMJYCQ==
-----END PRIVATE KEY-----

Просмотреть файл

@ -5,7 +5,7 @@
CORE_DEPTH = ../..
DIRS = builtins
DIRS = builtins
PRIVATE_EXPORTS = \
ck.h \

Просмотреть файл

@ -114,17 +114,6 @@ inline Result ExpectTagAndSkipValue(Reader& input, uint8_t tag) {
return ExpectTagAndGetValue(input, tag, ignoredValue);
}
// This skips IMPLICIT OPTIONAL tags that are "primitive" (not constructed),
// given the number in the class of the tag (i.e. the number in the brackets in
// `issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL`).
inline Result SkipOptionalImplicitPrimitiveTag(Reader& input,
uint8_t numberInClass) {
if (input.Peek(CONTEXT_SPECIFIC | numberInClass)) {
return ExpectTagAndSkipValue(input, CONTEXT_SPECIFIC | numberInClass);
}
return Success;
}
// Like ExpectTagAndGetValue, except the output Input will contain the
// encoded tag and length along with the value.
inline Result ExpectTagAndGetTLV(Reader& input, uint8_t tag,

Просмотреть файл

@ -105,24 +105,29 @@ BackCert::Init()
return rv;
}
static const uint8_t CSC = der::CONTEXT_SPECIFIC | der::CONSTRUCTED;
// According to RFC 5280, all fields below this line are forbidden for
// certificate versions less than v3. However, for compatibility reasons,
// we parse v1/v2 certificates in the same way as v3 certificates. So if
// these fields appear in a v1 certificate, they will be used.
// Ignore issuerUniqueID if present.
rv = der::SkipOptionalImplicitPrimitiveTag(tbsCertificate, 1);
if (rv != Success) {
return rv;
if (tbsCertificate.Peek(CSC | 1)) {
rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 1);
if (rv != Success) {
return rv;
}
}
// Ignore subjectUniqueID if present.
rv = der::SkipOptionalImplicitPrimitiveTag(tbsCertificate, 2);
if (rv != Success) {
return rv;
if (tbsCertificate.Peek(CSC | 2)) {
rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 2);
if (rv != Success) {
return rv;
}
}
static const uint8_t CSC = der::CONTEXT_SPECIFIC | der::CONSTRUCTED;
rv = der::OptionalExtensions(
tbsCertificate, CSC | 3,
[this](Reader& extnID, const Input& extnValue, bool critical,

Просмотреть файл

@ -39,8 +39,8 @@ CERT_FreeDistNames;
CERT_FreeNicknames;
CERT_GetAVATag;
CERT_GetCertEmailAddress;
CERT_GetCertIssuerAndSN;
CERT_GetCertNicknames;
CERT_GetCertIssuerAndSN;
CERT_GetCertTrust;
CERT_GetCertUid;
CERT_GetCommonName;

Просмотреть файл

@ -825,36 +825,6 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced
cc->trust = trust;
CERT_UnlockCertTrust(cc);
}
/* Read the distrust fields from a nssckbi/builtins certificate and
* fill the fields in CERTCertificate structure when any valid date
* is found. */
if (PK11_IsReadOnly(cc->slot) && PK11_HasRootCerts(cc->slot)) {
/* The values are hard-coded and readonly. Read just once. */
if (cc->distrust == NULL) {
CERTCertDistrust distrustModel;
SECItem model = { siUTCTime, NULL, 0 };
distrustModel.serverDistrustAfter = model;
distrustModel.emailDistrustAfter = model;
SECStatus rServer = PK11_ReadAttribute(
cc->slot, cc->pkcs11ID, CKA_NSS_SERVER_DISTRUST_AFTER,
cc->arena, &distrustModel.serverDistrustAfter);
SECStatus rEmail = PK11_ReadAttribute(
cc->slot, cc->pkcs11ID, CKA_NSS_EMAIL_DISTRUST_AFTER,
cc->arena, &distrustModel.emailDistrustAfter);
/* Only allocate the Distrust structure if a valid date is found.
* The result length of a encoded valid timestamp is exactly 13 */
const unsigned int kDistrustFieldSize = 13;
if ((rServer == SECSuccess && rEmail == SECSuccess) &&
(distrustModel.serverDistrustAfter.len == kDistrustFieldSize ||
distrustModel.emailDistrustAfter.len == kDistrustFieldSize)) {
CERTCertDistrust *tmpPtr = PORT_ArenaAlloc(
cc->arena, sizeof(CERTCertDistrust));
PORT_Memcpy(tmpPtr, &distrustModel,
sizeof(CERTCertDistrust));
cc->distrust = tmpPtr;
}
}
}
}
if (instance) {
nssCryptokiObject_Destroy(instance);

Просмотреть файл

@ -1605,67 +1605,6 @@ NSC_DecryptUpdate(CK_SESSION_HANDLE hSession,
return CKR_OK;
}
/* Fromssl3con.c: Constant-time helper macro that copies the MSB of x to all
* other bits. */
#define DUPLICATE_MSB_TO_ALL(x) ((unsigned int)((int)(x) >> (sizeof(int) * 8 - 1)))
/* From ssl3con.c: SECStatusToMask returns, in constant time, a mask value of
* all ones if rv == SECSuccess. Otherwise it returns zero. */
static unsigned int
SECStatusToMask(SECStatus rv)
{
unsigned int good;
/* rv ^ SECSuccess is zero iff rv == SECSuccess. Subtracting one results
* in the MSB being set to one iff it was zero before. */
good = rv ^ SECSuccess;
good--;
return DUPLICATE_MSB_TO_ALL(good);
}
/* Constant-time helper macro that selects l or r depending on all-1 or all-0
* mask m */
#define CT_SEL(m, l, r) (((m) & (l)) | (~(m) & (r)))
/* Constant-time helper macro that returns all-1s if x is not 0; and all-0s
* otherwise. */
#define CT_NOT_ZERO(x) (DUPLICATE_MSB_TO_ALL(((x) | (0 - x))))
/* sftk_CheckCBCPadding checks that the padding validity and return the pad length. */
static CK_RV
sftk_CheckCBCPadding(CK_BYTE_PTR pLastPart,
unsigned int blockSize, unsigned int *outPadSize)
{
PORT_Assert(outPadSize);
unsigned int padSize = (unsigned int)pLastPart[blockSize - 1];
/* If padSize <= blockSize, set goodPad to all-1s and all-0s otherwise.*/
unsigned int goodPad = DUPLICATE_MSB_TO_ALL(~(blockSize - padSize));
/* padSize should not be 0 */
goodPad &= CT_NOT_ZERO(padSize);
unsigned int i;
for (i = 0; i < blockSize; i++) {
/* If i < padSize, set loopMask to all-1s and all-0s otherwise.*/
unsigned int loopMask = DUPLICATE_MSB_TO_ALL(~(padSize - 1 - i));
/* Get the padding value (should be padSize) from buffer */
unsigned int padVal = pLastPart[blockSize - 1 - i];
/* Update goodPad only if i < padSize */
goodPad &= CT_SEL(loopMask, ~(padVal ^ padSize), goodPad);
}
/* If any of the final padding bytes had the wrong value, one or more
* of the lower eight bits of |goodPad| will be cleared. We AND the
* bottom 8 bits together and duplicate the result to all the bits. */
goodPad &= goodPad >> 4;
goodPad &= goodPad >> 2;
goodPad &= goodPad >> 1;
goodPad <<= sizeof(goodPad) * 8 - 1;
goodPad = DUPLICATE_MSB_TO_ALL(goodPad);
/* Set outPadSize to padSize or 0 */
*outPadSize = CT_SEL(goodPad, padSize, 0);
/* Return OK if the pad is valid */
return CT_SEL(goodPad, CKR_OK, CKR_ENCRYPTED_DATA_INVALID);
}
/* NSC_DecryptFinal finishes a multiple-part decryption operation. */
CK_RV
NSC_DecryptFinal(CK_SESSION_HANDLE hSession,
@ -1704,10 +1643,24 @@ NSC_DecryptFinal(CK_SESSION_HANDLE hSession,
if (rv != SECSuccess) {
crv = sftk_MapDecryptError(PORT_GetError());
} else {
unsigned int padSize = 0;
crv = sftk_CheckCBCPadding(pLastPart, context->blockSize, &padSize);
/* Update pulLastPartLen, in constant time, if crv is success */
*pulLastPartLen = CT_SEL(SECStatusToMask(crv), outlen - padSize, *pulLastPartLen);
unsigned int padSize =
(unsigned int)pLastPart[context->blockSize - 1];
if ((padSize > context->blockSize) || (padSize == 0)) {
crv = CKR_ENCRYPTED_DATA_INVALID;
} else {
unsigned int i;
unsigned int badPadding = 0; /* used as a boolean */
for (i = 0; i < padSize; i++) {
badPadding |=
(unsigned int)pLastPart[context->blockSize - 1 - i] ^
padSize;
}
if (badPadding) {
crv = CKR_ENCRYPTED_DATA_INVALID;
} else {
*pulLastPartLen = outlen - padSize;
}
}
}
}
}
@ -1769,9 +1722,21 @@ NSC_Decrypt(CK_SESSION_HANDLE hSession,
/* XXX need to do MUCH better error mapping than this. */
crv = (rv == SECSuccess) ? CKR_OK : sftk_MapDecryptError(PORT_GetError());
if (rv == SECSuccess && context->doPad) {
unsigned int padSize = 0;
crv = sftk_CheckCBCPadding(pData, context->blockSize, &padSize);
outlen -= padSize;
unsigned int padding = pData[outlen - 1];
if (padding > context->blockSize || !padding) {
crv = CKR_ENCRYPTED_DATA_INVALID;
} else {
unsigned int i;
unsigned int badPadding = 0; /* used as a boolean */
for (i = 0; i < padding; i++) {
badPadding |= (unsigned int)pData[outlen - 1 - i] ^ padding;
}
if (badPadding) {
crv = CKR_ENCRYPTED_DATA_INVALID;
} else {
outlen -= padding;
}
}
}
sftk_TerminateOp(session, SFTK_DECRYPT, context);
done:

Просмотреть файл

@ -159,7 +159,7 @@ static const CK_ATTRIBUTE_TYPE known_attributes[] = {
CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER, CKA_TRUST_TIME_STAMPING,
CKA_TRUST_STEP_UP_APPROVED, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH,
CKA_NETSCAPE_DB, CKA_NETSCAPE_TRUST, CKA_NSS_OVERRIDE_EXTENSIONS,
CKA_PUBLIC_KEY_INFO, CKA_NSS_SERVER_DISTRUST_AFTER, CKA_NSS_EMAIL_DISTRUST_AFTER
CKA_PUBLIC_KEY_INFO
};
static int known_attributes_size = sizeof(known_attributes) /

Просмотреть файл

@ -914,7 +914,7 @@ SECStatus
tls13_HandlePostHelloHandshakeMessage(sslSocket *ss, PRUint8 *b, PRUint32 length)
{
if (ss->sec.isServer && ss->ssl3.hs.zeroRttIgnore != ssl_0rtt_ignore_none) {
SSL_TRC(3, ("%d: TLS13[%d]: successfully decrypted handshake after "
SSL_TRC(3, ("%d: TLS13[%d]: %s successfully decrypted handshake after"
"failed 0-RTT",
SSL_GETPID(), ss->fd));
ss->ssl3.hs.zeroRttIgnore = ssl_0rtt_ignore_none;

Просмотреть файл

@ -94,8 +94,6 @@
#define CKA_NSS_JPAKE_X2S (CKA_NSS + 33)
#define CKA_NSS_MOZILLA_CA_POLICY (CKA_NSS + 34)
#define CKA_NSS_SERVER_DISTRUST_AFTER (CKA_NSS + 35)
#define CKA_NSS_EMAIL_DISTRUST_AFTER (CKA_NSS + 36)
/*
* Trust attributes:

Просмотреть файл

@ -218,7 +218,6 @@
'gtests/softoken_gtest/softoken_gtest.gyp:softoken_gtest',
'gtests/ssl_gtest/ssl_gtest.gyp:ssl_gtest',
'gtests/util_gtest/util_gtest.gyp:util_gtest',
'lib/ckfw/builtins/testlib/builtins-testlib.gyp:nssckbi-testlib',
],
'conditions': [
[ 'OS=="linux"', {

Просмотреть файл

@ -50,7 +50,7 @@ cert_init()
LIBDIR="${DIST}/${OBJDIR}/lib"
ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi.* | head -1`
ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi* | head -1`
if [ ! "${ROOTCERTSFILE}" ] ; then
html_failed "Looking for root certs module."
cert_log "ERROR: Root certs module not found."