Bug 1470914, NSS 3.39 beta revision 4a086733554e UPGRADE_NSS_RELEASE r=me

Kai Engert 2018-07-25 15:17:58 +02:00
Родитель 69211f9f5e
Коммит b8bea43ef3
40 изменённых файлов: 1062 добавлений и 197 удалений


@ -110,6 +110,7 @@ CERT_GenTime2FormattedAscii_Util
CERT_GetCertChainFromCert
CERT_GetCertEmailAddress
CERT_GetCertificateRequestExtensions
CERT_GetCertKeyType
CERT_GetCertTimes
CERT_GetCertTrust
CERT_GetCommonName
@ -277,6 +278,7 @@ NSSSSL_GetVersion
#ifdef XP_WIN
_NSSUTIL_Access
#endif
NSSUTIL_AddNSSFlagToModuleSpec
NSSUTIL_ArgDecodeNumber
NSSUTIL_ArgFetchValue
NSSUTIL_ArgGetLabel
@ -374,6 +376,7 @@ PK11_GetNextSymKey
PK11_GetPadMechanism
PK11_GetPrivateKeyNickname
PK11_GetPrivateModulusLen
PK11_GetSlotFromPrivateKey
PK11_GetSlotID
PK11_GetSlotInfo
PK11_GetSlotName


@ -1 +1 @@
53c2ee896c57
4a086733554e


@ -0,0 +1,5 @@
1 Added function:
'function KeyType CERT_GetCertKeyType(const CERTSubjectPublicKeyInfo*)' {CERT_GetCertKeyType@@NSS_3.39}


@ -0,0 +1,5 @@
1 Added function:
'function char* NSSUTIL_AddNSSFlagToModuleSpec(char*, char*)' {NSSUTIL_AddNSSFlagToModuleSpec@@NSSUTIL_3.39}


@ -1,4 +1,4 @@
4.19
4.20
# The first line of this file must contain the human readable NSPR
# version number, which is the minimum required version of NSPR


@ -928,6 +928,9 @@ function scheduleTests(task_build, task_cert, test_base) {
queue.scheduleTask(merge(no_cert_base, {
name: "SDR tests", symbol: "SDR", tests: "sdr"
}));
queue.scheduleTask(merge(no_cert_base, {
name: "Policy tests", symbol: "Policy", tests: "policy"
}));
// Schedule tests that need certificates.
let cert_base = merge(test_base, {parent: task_cert});


@ -37,7 +37,7 @@ function parseOptions(opts) {
let aliases = {"gtests": "gtest"};
let allUnitTests = ["bogo", "crmf", "chains", "cipher", "db", "ec", "fips",
"gtest", "interop", "lowhash", "merge", "sdr", "smime", "tools",
"ssl", "mpi", "scert", "spki"];
"ssl", "mpi", "scert", "spki", "policy"];
let unittests = intersect(opts.unittests.split(/\s*,\s*/).map(t => {
return aliases[t] || t;
}), allUnitTests);


@ -856,41 +856,59 @@ SECItemToHex(const SECItem *item, char *dst)
}
static const char *const keyTypeName[] = {
"null", "rsa", "dsa", "fortezza", "dh", "kea", "ec", "rsaPss"
"null", "rsa", "dsa", "fortezza", "dh", "kea", "ec", "rsaPss", "rsaOaep"
};
#define MAX_CKA_ID_BIN_LEN 20
#define MAX_CKA_ID_STR_LEN 40
/* output human readable key ID in buffer, which should have at least
* MAX_CKA_ID_STR_LEN + 3 octets (quotations and a null terminator) */
static void
formatPrivateKeyID(SECKEYPrivateKey *privkey, char *buffer)
{
SECItem *ckaID;
ckaID = PK11_GetLowLevelKeyIDForPrivateKey(privkey);
if (!ckaID) {
strcpy(buffer, "(no CKA_ID)");
} else if (ItemIsPrintableASCII(ckaID)) {
int len = PR_MIN(MAX_CKA_ID_STR_LEN, ckaID->len);
buffer[0] = '"';
memcpy(buffer + 1, ckaID->data, len);
buffer[1 + len] = '"';
buffer[2 + len] = '\0';
} else {
/* print ckaid in hex */
SECItem idItem = *ckaID;
if (idItem.len > MAX_CKA_ID_BIN_LEN)
idItem.len = MAX_CKA_ID_BIN_LEN;
SECItemToHex(&idItem, buffer);
}
SECITEM_ZfreeItem(ckaID, PR_TRUE);
}
/* print key number, key ID (in hex or ASCII), key label (nickname) */
static SECStatus
PrintKey(PRFileDesc *out, const char *nickName, int count,
SECKEYPrivateKey *key, void *pwarg)
{
SECItem *ckaID;
char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4];
CERTCertificate *cert;
KeyType keyType;
pwarg = NULL;
ckaID = PK11_GetLowLevelKeyIDForPrivateKey(key);
if (!ckaID) {
strcpy(ckaIDbuf, "(no CKA_ID)");
} else if (ItemIsPrintableASCII(ckaID)) {
int len = PR_MIN(MAX_CKA_ID_STR_LEN, ckaID->len);
ckaIDbuf[0] = '"';
memcpy(ckaIDbuf + 1, ckaID->data, len);
ckaIDbuf[1 + len] = '"';
ckaIDbuf[2 + len] = '\0';
} else {
/* print ckaid in hex */
SECItem idItem = *ckaID;
if (idItem.len > MAX_CKA_ID_BIN_LEN)
idItem.len = MAX_CKA_ID_BIN_LEN;
SECItemToHex(&idItem, ckaIDbuf);
}
formatPrivateKeyID(key, ckaIDbuf);
cert = PK11_GetCertFromPrivateKey(key);
if (cert) {
keyType = CERT_GetCertKeyType(&cert->subjectPublicKeyInfo);
CERT_DestroyCertificate(cert);
} else {
keyType = key->keyType;
}
PR_fprintf(out, "<%2d> %-8.8s %-42.42s %s\n", count,
keyTypeName[key->keyType], ckaIDbuf, nickName);
SECITEM_ZfreeItem(ckaID, PR_TRUE);
keyTypeName[keyType], ckaIDbuf, nickName);
return SECSuccess;
}
@ -1002,7 +1020,7 @@ ListKeys(PK11SlotInfo *slot, const char *nickName, int index,
}
static SECStatus
DeleteKey(char *nickname, secuPWData *pwdata)
DeleteCertAndKey(char *nickname, secuPWData *pwdata)
{
SECStatus rv;
CERTCertificate *cert;
@ -1031,6 +1049,61 @@ DeleteKey(char *nickname, secuPWData *pwdata)
return rv;
}
static SECKEYPrivateKey *
findPrivateKeyByID(PK11SlotInfo *slot, const char *ckaID, secuPWData *pwarg)
{
PORTCheapArenaPool arena;
SECItem ckaIDItem = { 0 };
SECKEYPrivateKey *privkey = NULL;
SECStatus rv;
if (PK11_NeedLogin(slot)) {
rv = PK11_Authenticate(slot, PR_TRUE, pwarg);
if (rv != SECSuccess) {
SECU_PrintError(progName, "could not authenticate to token %s.",
PK11_GetTokenName(slot));
return NULL;
}
}
if (0 == PL_strncasecmp("0x", ckaID, 2)) {
ckaID += 2; /* skip leading "0x" */
}
PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE);
if (SECU_HexString2SECItem(&arena.arena, &ckaIDItem, ckaID)) {
privkey = PK11_FindKeyByKeyID(slot, &ckaIDItem, pwarg);
}
PORT_DestroyCheapArena(&arena);
return privkey;
}
static SECStatus
DeleteKey(SECKEYPrivateKey *privkey, secuPWData *pwarg)
{
SECStatus rv;
PK11SlotInfo *slot;
slot = PK11_GetSlotFromPrivateKey(privkey);
if (PK11_NeedLogin(slot)) {
rv = PK11_Authenticate(slot, PR_TRUE, pwarg);
if (rv != SECSuccess) {
SECU_PrintError(progName, "could not authenticate to token %s.",
PK11_GetTokenName(slot));
return SECFailure;
}
}
rv = PK11_DeleteTokenPrivateKey(privkey, PR_TRUE);
if (rv != SECSuccess) {
char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4];
formatPrivateKeyID(privkey, ckaIDbuf);
SECU_PrintError("problem deleting private key \"%s\"\n", ckaIDbuf);
}
PK11_FreeSlot(slot);
return rv;
}
/*
* L i s t M o d u l e s
*
@ -1100,7 +1173,9 @@ PrintSyntax()
"\t\t [-d certdir] [-P dbprefix]\n", progName);
FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
progName);
FPS "\t%s -F -n nickname [-d certdir] [-P dbprefix]\n",
FPS "\t%s -F -n cert-name [-d certdir] [-P dbprefix]\n",
progName);
FPS "\t%s -F -k key-id [-d certdir] [-P dbprefix]\n",
progName);
FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n"
"\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
@ -1390,6 +1465,8 @@ luF(enum usage_level ul, const char *command)
return;
FPS "%-20s The nickname of the key to delete\n",
" -n cert-name");
FPS "%-20s The key id of the key to delete, obtained using -K\n",
" -k key-id");
FPS "%-20s Cert database directory (default is ~/.netscape)\n",
" -d certdir");
FPS "%-20s Cert & Key database prefix\n",
@ -2944,10 +3021,9 @@ certutil_main(int argc, char **argv, PRBool initialize)
readOnly = !certutil.options[opt_RW].activated;
}
/* -A, -D, -F, -M, -S, -V, and all require -n */
/* -A, -D, -M, -S, -V, and all require -n */
if ((certutil.commands[cmd_AddCert].activated ||
certutil.commands[cmd_DeleteCert].activated ||
certutil.commands[cmd_DeleteKey].activated ||
certutil.commands[cmd_DumpChain].activated ||
certutil.commands[cmd_ModifyCertTrust].activated ||
certutil.commands[cmd_CreateAndAddCert].activated ||
@ -3034,6 +3110,16 @@ certutil_main(int argc, char **argv, PRBool initialize)
return 255;
}
/* Delete needs a nickname or a key ID */
if (certutil.commands[cmd_DeleteKey].activated &&
!(certutil.options[opt_Nickname].activated || keysource)) {
PR_fprintf(PR_STDERR,
"%s -%c: specify a nickname (-n) or\n"
" a key ID (-k).\n",
commandToRun, progName);
return 255;
}
/* Upgrade/Merge needs a source database and a upgrade id. */
if (certutil.commands[cmd_UpgradeMerge].activated &&
!(certutil.options[opt_SourceDir].activated &&
@ -3396,7 +3482,19 @@ certutil_main(int argc, char **argv, PRBool initialize)
}
/* Delete key (-F) */
if (certutil.commands[cmd_DeleteKey].activated) {
rv = DeleteKey(name, &pwdata);
if (certutil.options[opt_Nickname].activated) {
rv = DeleteCertAndKey(name, &pwdata);
} else {
privkey = findPrivateKeyByID(slot, keysource, &pwdata);
if (!privkey) {
SECU_PrintError(progName, "%s is not a key-id", keysource);
rv = SECFailure;
} else {
rv = DeleteKey(privkey, &pwdata);
/* already destroyed by PK11_DeleteTokenPrivateKey */
privkey = NULL;
}
}
goto shutdown;
}
/* Modify trust attribute for cert (-M) */
@ -3468,30 +3566,8 @@ certutil_main(int argc, char **argv, PRBool initialize)
if (keycert) {
privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
} else {
PLArenaPool *arena = NULL;
SECItem keyidItem = { 0 };
char *keysourcePtr = keysource;
/* Interpret keysource as CKA_ID */
if (PK11_NeedLogin(slot)) {
rv = PK11_Authenticate(slot, PR_TRUE, &pwdata);
if (rv != SECSuccess) {
SECU_PrintError(progName, "could not authenticate to token %s.",
PK11_GetTokenName(slot));
return SECFailure;
}
}
if (0 == PL_strncasecmp("0x", keysource, 2)) {
keysourcePtr = keysource + 2; // skip leading "0x"
}
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
SECU_PrintError(progName, "unable to allocate arena");
return SECFailure;
}
if (SECU_HexString2SECItem(arena, &keyidItem, keysourcePtr)) {
privkey = PK11_FindKeyByKeyID(slot, &keyidItem, &pwdata);
}
PORT_FreeArena(arena, PR_FALSE);
privkey = findPrivateKeyByID(slot, keysource, &pwdata);
}
if (!privkey) {
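Review bot: The new `DeleteKey` calls `SECU_PrintError("problem deleting private key \"%s\"\n", ckaIDbuf);` without the leading `progName` that the other `SECU_PrintError` calls in this file section pass, so, judging by those calls, the message text lands in the program-name slot and `ckaIDbuf` is used as the format string. `ckaIDbuf` is built from the token's CKA_ID, which `formatPrivateKeyID` copies verbatim when it is printable ASCII and may therefore contain `%`; the call should read `SECU_PrintError(progName, "problem deleting private key \"%s\"\n", ckaIDbuf);`. The same function returns `SECFailure` after a failed `PK11_Authenticate` without reaching `PK11_FreeSlot(slot)`, which looks like a leaked slot reference. In the new "Delete needs a nickname or a key ID" check, the arguments to `"%s -%c: ..."` appear swapped (`commandToRun, progName`); the format suggests `progName, commandToRun`. `certutil_main` begins and ends outside the hunks shown.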


@ -47,6 +47,7 @@ NSS_SRCDIRS = \
listsuites \
makepqg \
multinit \
nss-policy-check \
ocspclnt \
ocspresp \
oidcalc \


@ -0,0 +1,47 @@
#! gmake
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#######################################################################
# (1) Include initial platform-independent assignments (MANDATORY). #
#######################################################################
include manifest.mn
#######################################################################
# (2) Include "global" configuration information. (OPTIONAL) #
#######################################################################
include $(CORE_DEPTH)/coreconf/config.mk
#######################################################################
# (3) Include "component" configuration information. (OPTIONAL) #
#######################################################################
#######################################################################
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
#######################################################################
include ../platlibs.mk
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #
#######################################################################
include $(CORE_DEPTH)/coreconf/rules.mk
#######################################################################
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
#######################################################################
include ../platrules.mk


@ -0,0 +1,15 @@
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
CORE_DEPTH = ../..
MODULE = nss
CSRCS = nss-policy-check.c
REQUIRES = seccmd
PROGRAM = nss-policy-check


@ -0,0 +1,206 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* This program can be used to check the validity of a NSS crypto policy
* configuration file, specified using a config= line.
*
* Exit codes:
* failure: 2
* warning: 1
* success: 0
*/
#include <limits.h>
#include <errno.h>
#include <stdio.h>
#include "utilparst.h"
#include "nss.h"
#include "secport.h"
#include "secutil.h"
#include "secmod.h"
#include "ssl.h"
#include "prenv.h"
const char *sWarn = "WARN";
const char *sInfo = "INFO";
void
get_tls_info(SSLProtocolVariant protocolVariant, const char *display)
{
SSLVersionRange vrange_supported, vrange_enabled;
unsigned num_enabled = 0;
PRBool failed = PR_FALSE;
/* We assume SSL v2 is inactive, and therefore SSL_VersionRangeGetDefault
* gives complete information. */
if ((SSL_VersionRangeGetSupported(protocolVariant, &vrange_supported) != SECSuccess) ||
(SSL_VersionRangeGetDefault(protocolVariant, &vrange_enabled) != SECSuccess) ||
!vrange_enabled.min ||
!vrange_enabled.max ||
vrange_enabled.max < vrange_supported.min ||
vrange_enabled.min > vrange_supported.max) {
failed = PR_TRUE;
} else {
if (vrange_enabled.min < vrange_supported.min) {
vrange_enabled.min = vrange_supported.min;
}
if (vrange_enabled.max > vrange_supported.max) {
vrange_enabled.max = vrange_supported.max;
}
if (vrange_enabled.min > vrange_enabled.max) {
failed = PR_TRUE;
}
}
if (failed) {
num_enabled = 0;
} else {
num_enabled = vrange_enabled.max - vrange_enabled.min + 1;
}
fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-%s-VERSIONS: %u\n",
num_enabled ? sInfo : sWarn, display, num_enabled);
if (!num_enabled) {
PR_SetEnv("NSS_POLICY_WARN=1");
}
}
#ifndef PATH_MAX
#define PATH_MAX 1024
#endif
int
main(int argc, char **argv)
{
const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
int i;
SECStatus rv;
SECMODModule *module = NULL;
char path[PATH_MAX];
const char *filename;
char moduleSpec[1024 + PATH_MAX];
unsigned num_enabled = 0;
int result = 0;
int fullPathLen;
if (argc != 2) {
fprintf(stderr, "Syntax: nss-policy-check <path-to-policy-file>\n");
result = 2;
goto loser_no_shutdown;
}
fullPathLen = strlen(argv[1]);
if (!fullPathLen || PR_Access(argv[1], PR_ACCESS_READ_OK) != PR_SUCCESS) {
fprintf(stderr, "Error: cannot read file %s\n", argv[1]);
result = 2;
goto loser_no_shutdown;
}
if (fullPathLen >= PATH_MAX) {
fprintf(stderr, "Error: filename parameter is too long\n");
result = 2;
goto loser_no_shutdown;
}
path[0] = 0;
filename = argv[1] + fullPathLen - 1;
while ((filename > argv[1]) && (*filename != NSSUTIL_PATH_SEPARATOR[0])) {
filename--;
}
if (filename == argv[1]) {
PORT_Strcpy(path, ".");
} else {
filename++; /* Go past the path separator. */
PORT_Strncat(path, argv[1], (filename - argv[1]));
}
PR_SetEnv("NSS_IGNORE_SYSTEM_POLICY=1");
rv = NSS_NoDB_Init(NULL);
if (rv != SECSuccess) {
fprintf(stderr, "NSS_Init failed: %s\n", PORT_ErrorToString(PR_GetError()));
result = 2;
goto loser_no_shutdown;
}
PR_SetEnv("NSS_POLICY_LOADED=0");
PR_SetEnv("NSS_POLICY_FAIL=0");
PR_SetEnv("NSS_POLICY_WARN=0");
sprintf(moduleSpec,
"name=\"Policy File\" "
"parameters=\"configdir='sql:%s' "
"secmod='%s' "
"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical,printPolicyFeedback\"",
path, filename);
module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
if (!module || !module->loaded || atoi(PR_GetEnvSecure("NSS_POLICY_LOADED")) != 1) {
fprintf(stderr, "Error: failed to load policy file\n");
result = 2;
goto loser;
}
rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
if (rv != SECSuccess) {
fprintf(stderr, "enable SSL_SECURITY failed: %s\n", PORT_ErrorToString(PR_GetError()));
result = 2;
goto loser;
}
for (i = 0; i < SSL_NumImplementedCiphers; i++) {
PRUint16 suite = cipherSuites[i];
PRBool enabled;
SSLCipherSuiteInfo info;
rv = SSL_CipherPrefGetDefault(suite, &enabled);
if (rv != SECSuccess) {
fprintf(stderr,
"SSL_CipherPrefGetDefault didn't like value 0x%04x (i = %d): %s\n",
suite, i, PORT_ErrorToString(PR_GetError()));
continue;
}
rv = SSL_GetCipherSuiteInfo(suite, &info, (int)(sizeof info));
if (rv != SECSuccess) {
fprintf(stderr,
"SSL_GetCipherSuiteInfo didn't like value 0x%04x (i = %d): %s\n",
suite, i, PORT_ErrorToString(PR_GetError()));
continue;
}
if (enabled) {
++num_enabled;
fprintf(stderr, "NSS-POLICY-INFO: ciphersuite %s is enabled\n", info.cipherSuiteName);
}
}
fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-CIPHERSUITES: %u\n", num_enabled ? sInfo : sWarn, num_enabled);
if (!num_enabled) {
PR_SetEnv("NSS_POLICY_WARN=1");
}
get_tls_info(ssl_variant_stream, "TLS");
get_tls_info(ssl_variant_datagram, "DTLS");
if (atoi(PR_GetEnvSecure("NSS_POLICY_FAIL")) != 0) {
result = 2;
} else if (atoi(PR_GetEnvSecure("NSS_POLICY_WARN")) != 0) {
result = 1;
}
loser:
if (module) {
SECMOD_DestroyModule(module);
}
rv = NSS_Shutdown();
if (rv != SECSuccess) {
fprintf(stderr, "NSS_Shutdown failed: %s\n", PORT_ErrorToString(PR_GetError()));
result = 2;
}
loser_no_shutdown:
if (result == 2) {
fprintf(stderr, "NSS-POLICY-FAIL\n");
} else if (result == 1) {
fprintf(stderr, "NSS-POLICY-WARN\n");
}
return result;
}
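Review bot: `main` pastes `path` and `filename`, both taken from `argv[1]`, straight into the quoted `configdir='sql:%s'` and `secmod='%s'` fields of `moduleSpec`, so a policy file path containing `'` or `"` ends the quoting early and the remainder of the name is parsed as module-spec text; the tool may then report on something other than the file it was given. Escape those characters (or reject such paths with exit code 2) before the `sprintf`, and prefer `snprintf(moduleSpec, sizeof(moduleSpec), ...)` so the bound is stated at the call. Separately, the three `atoi(PR_GetEnvSecure(...))` calls use the result unchecked, and `PR_GetEnvSecure` returns NULL when the process runs with elevated privileges, which would hand `atoi` a NULL pointer; a small static helper that treats NULL as 0 would cover all three. The path split also treats a separator at index 0 (a constructed example: `/policy`) as "no directory" and sets `path` to `.`, which looks unintended.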


@ -0,0 +1,24 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
{
'includes': [
'../../coreconf/config.gypi',
'../../cmd/platlibs.gypi'
],
'targets': [
{
'target_name': 'nss-policy-check',
'type': 'executable',
'sources': [
'nss-policy-check.c'
],
'dependencies': [
'<(DEPTH)/exports.gyp:nss_exports'
]
}
],
'variables': {
'module': 'nss'
}
}


@ -10,3 +10,4 @@
*/
#error "Do not include this header file."


@ -84,7 +84,7 @@
<varlistentry>
<term>-F</term>
<listitem><para>Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
<listitem><para>Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument or the -k argument. Specify the database from which to delete the key with the
<option>-d</option> argument.
</para>
<para>


@ -1,8 +1,8 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm140440587239488"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. 
If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">--rename </span></dt><dd><p>Change the database nickname of a certificate.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
<code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname.
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm45522631704896"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. 
If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">--rename </span></dt><dd><p>Change the database nickname of a certificate.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument or the -k argument. Specify the database from which to delete the key with the
<code class="option">-d</code> argument.
</p><p>
When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair.</p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.</p></dd><dt><span class="term">-M </span></dt><dd><p>Modify a certificate's trust attributes using the values of the -t argument.</p></dd><dt><span class="term">-N</span></dt><dd><p>Create new certificate and key databases.</p></dd><dt><span class="term">-O </span></dt><dd><p>Print the certificate chain.</p></dd><dt><span class="term">-R</span></dt><dd><p>Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.
Use the -a argument to specify ASCII output.</p></dd><dt><span class="term">-S </span></dt><dd><p>Create an individual certificate and add it to a certificate database.</p></dd><dt><span class="term">-T </span></dt><dd><p>Reset the key database or token.</p></dd><dt><span class="term">-U </span></dt><dd><p>List all available modules or print a single named module.</p></dd><dt><span class="term">-V </span></dt><dd><p>Check the validity of a certificate and its attributes.</p></dd><dt><span class="term">-W </span></dt><dd><p>Change the password to a key database.</p></dd><dt><span class="term">--merge</span></dt><dd><p>Merge two databases into one.</p></dd><dt><span class="term">--upgrade-merge</span></dt><dd><p>Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (<code class="filename">cert8.db</code> and <code class="filename">key3.db</code>) into the newer SQLite databases (<code class="filename">cert9.db</code> and <code class="filename">key4.db</code>).</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Arguments modify a command option and are usually lower case, numbers, or symbols.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-a</span></dt><dd><p>Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113.


@ -2,12 +2,12 @@
.\" Title: CERTUTIL
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\" Date: 27 October 2017
.\" Date: 5 October 2017
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
.TH "CERTUTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools"
.TH "CERTUTIL" "1" "5 October 2017" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -92,15 +92,11 @@ Add an email certificate to the certificate database\&.
.PP
\-F
.RS 4
Delete a private key from a key database\&. Specify the key to delete with the \-n argument\&. Specify the database from which to delete the key with the
Delete a private key and the associated certificate from a database\&. Specify the key to delete with the \-n argument or the \-k argument\&. Specify the database from which to delete the key with the
\fB\-d\fR
argument\&. Use the
\fB\-k\fR
argument to specify explicitly whether to delete a DSA, RSA, or ECC key\&. If you don\*(Aqt use the
\fB\-k\fR
argument, the option looks for an RSA key matching the specified nickname\&.
argument\&.
.sp
When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using \-D\&. Some smart cards do not let you remove a public key you have generated\&. In such a case, only the private key is deleted from the key pair\&. You can display the public key with the command certutil \-K \-h tokenname\&.
Some smart cards do not let you remove a public key you have generated\&. In such a case, only the private key is deleted from the key pair\&.
.RE
.PP
\-G


@ -160,6 +160,7 @@ TEST_F(PK11URITest, ParseRetrieveTest) {
TEST_F(PK11URITest, ParseFormatTest) {
TestParseFormat("pkcs11:", "pkcs11:");
TestParseFormat("PKCS11:", "pkcs11:");
TestParseFormat("pkcs11:token=aaa", "pkcs11:token=aaa");
TestParseFormat("pkcs11:token=aaa;manufacturer=bbb",
"pkcs11:token=aaa;manufacturer=bbb");


@ -15,6 +15,10 @@
#include <limits.h> /* for UINT_MAX */
#include <string.h> /* for memmove */
#if defined(__MINGW32__)
#include <windows.h>
#endif
#define NSS_MAX_ERROR_STACK_COUNT 16 /* error codes */
/*
@ -65,7 +69,32 @@ static const PRCallOnceType error_call_again;
static PRStatus
error_once_function(void)
{
/*
* This #ifdef function is redundant. It performs the same thing as the
* else case.
*
* However, the MinGW version looks up the function from nss3's export
* table, and on MinGW _that_ behaves differently than passing a
* function pointer in a different module because MinGW has
* -mnop-fun-dllimport specified, which generates function thunks for
* cross-module calls. And when a module (like nssckbi) gets unloaded,
* and you try to call into that thunk (which is now missing) you'll
* crash. So we do this bit of ugly to avoid that crash. Fortunately
* this is the only place we've had to do this.
*/
#if defined(__MINGW32__)
HMODULE nss3 = GetModuleHandleW(L"nss3");
if (nss3) {
FARPROC freePtr = GetProcAddress(nss3, "PR_Free");
if (freePtr) {
return PR_NewThreadPrivateIndex(&error_stack_index, freePtr);
}
}
return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free);
#else
return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free);
#endif
}
/*
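Review bot: In the MinGW branch of error_once_function, `freePtr` is a FARPROC and is handed to PR_NewThreadPrivateIndex without a cast, so the call relies on an implicit conversion between incompatible function pointer types. An explicit cast states the intent and keeps the build clean under stricter warnings: `return PR_NewThreadPrivateIndex(&error_stack_index, (PRThreadPrivateDTOR)freePtr);`. The fallback taken when GetModuleHandleW or GetProcAddress fails registers PR_Free directly, which is the cross-module thunk the comment says can crash after an unload; a one-line comment on that fallback saying it is knowingly the unsafe path would help the next reader.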


@ -39,7 +39,7 @@ s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
"2:\n"
"str r5, [%3]\n"
:
: "r"(a), "r"(a_len), "r"(b), "r"(c)
: "r"(a), "l"(a_len), "r"(b), "r"(c)
: "memory", "cc", "%r4", "%r5", "%r6");
}
@ -72,7 +72,7 @@ s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
"2:\n"
"str r5, [%3]\n"
:
: "r"(a), "r"(a_len), "r"(b), "r"(c)
: "r"(a), "l"(a_len), "r"(b), "r"(c)
: "memory", "cc", "%r4", "%r5", "%r6");
}


@ -1133,3 +1133,9 @@ SEC_CreateSignatureAlgorithmParameters;
;+ local:
;+ *;
;+};
;+NSS_3.39 { # NSS 3.39 release
;+ global:
CERT_GetCertKeyType;
;+ local:
;+ *;
;+};


@ -54,7 +54,7 @@ nss_mktemp(char *path)
#define NSS_MAX_FLAG_SIZE sizeof("readOnly") + sizeof("noCertDB") + \
sizeof("noModDB") + sizeof("forceOpen") + sizeof("passwordRequired") + \
sizeof("optimizeSpace")
sizeof("optimizeSpace") + sizeof("printPolicyFeedback")
#define NSS_DEFAULT_MOD_NAME "NSS Internal Module"
static char *
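Review bot: NSS_MAX_FLAG_SIZE expands to a bare sum of sizeof terms, so any use inside a larger expression (a multiplication or subtraction) would bind to only part of it. Wrapping the body in parentheses removes that trap: `#define NSS_MAX_FLAG_SIZE (sizeof("readOnly") + ... + sizeof("printPolicyFeedback"))`. The code that fills the buffer sized by this macro is outside the hunk, so it is worth confirming there that the new flag is appended with the same separator accounting as the existing ones.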


@ -804,30 +804,12 @@ PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType,
/* don't know? look it up */
if (keyType == nullKey) {
CK_KEY_TYPE pk11Type = CKK_RSA;
SECItem info;
pk11Type = PK11_ReadULongAttribute(slot, privID, CKA_KEY_TYPE);
isTemp = (PRBool)!PK11_HasAttributeSet(slot, privID, CKA_TOKEN, PR_FALSE);
switch (pk11Type) {
case CKK_RSA:
keyType = rsaKey;
/* determine RSA key type from the CKA_PUBLIC_KEY_INFO if present */
rv = PK11_ReadAttribute(slot, privID, CKA_PUBLIC_KEY_INFO, NULL, &info);
if (rv == SECSuccess) {
CERTSubjectPublicKeyInfo *spki;
spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&info);
if (spki) {
SECOidTag tag;
tag = SECOID_GetAlgorithmTag(&spki->algorithm);
if (tag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE)
keyType = rsaPssKey;
SECKEY_DestroySubjectPublicKeyInfo(spki);
}
SECITEM_FreeItem(&info, PR_FALSE);
}
break;
case CKK_DSA:
keyType = dsaKey;


@ -741,7 +741,7 @@ find_certs_from_nickname(const char *nickname, void *wincx)
char *delimit = NULL;
char *tokenName;
if (!strncmp(nickname, "pkcs11:", strlen("pkcs11:"))) {
if (!PORT_Strncasecmp(nickname, "pkcs11:", strlen("pkcs11:"))) {
certs = find_certs_from_uri(nickname, wincx);
if (certs)
return certs;
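Review bot: The case-insensitive `pkcs11:` scheme test added in find_certs_from_nickname is written out again in PK11_FindSlotByName and, with a literal length of 7, in PK11URI_ParseURI. Three hand-copied prefix checks can drift apart, and then a string routed to the URI path by a caller could be rejected by the parser, or the reverse. A single shared definition, for example a macro such as `#define PK11URI_SCHEME "pkcs11:"` with the length derived from it, would keep them aligned. find_certs_from_nickname continues outside this hunk.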


@ -194,7 +194,7 @@ typedef struct {
* This table should be merged with the SECOID table.
*/
#define CIPHER_NAME(x) x, (sizeof(x) - 1)
static const oidValDef algOptList[] = {
static const oidValDef curveOptList[] = {
/* Curves */
{ CIPHER_NAME("PRIME192V1"), SEC_OID_ANSIX962_EC_PRIME192V1,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
@ -316,7 +316,9 @@ static const oidValDef algOptList[] = {
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
{ CIPHER_NAME("SECT571R1"), SEC_OID_SECG_EC_SECT571R1,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
};
static const oidValDef hashOptList[] = {
/* Hashes */
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
@ -334,7 +336,9 @@ static const oidValDef algOptList[] = {
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
{ CIPHER_NAME("SHA512"), SEC_OID_SHA512,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
};
static const oidValDef macOptList[] = {
/* MACs */
{ CIPHER_NAME("HMAC-SHA1"), SEC_OID_HMAC_SHA1, NSS_USE_ALG_IN_SSL },
{ CIPHER_NAME("HMAC-SHA224"), SEC_OID_HMAC_SHA224, NSS_USE_ALG_IN_SSL },
@ -342,7 +346,9 @@ static const oidValDef algOptList[] = {
{ CIPHER_NAME("HMAC-SHA384"), SEC_OID_HMAC_SHA384, NSS_USE_ALG_IN_SSL },
{ CIPHER_NAME("HMAC-SHA512"), SEC_OID_HMAC_SHA512, NSS_USE_ALG_IN_SSL },
{ CIPHER_NAME("HMAC-MD5"), SEC_OID_HMAC_MD5, NSS_USE_ALG_IN_SSL },
};
static const oidValDef cipherOptList[] = {
/* Ciphers */
{ CIPHER_NAME("AES128-CBC"), SEC_OID_AES_128_CBC, NSS_USE_ALG_IN_SSL },
{ CIPHER_NAME("AES192-CBC"), SEC_OID_AES_192_CBC, NSS_USE_ALG_IN_SSL },
@ -362,7 +368,9 @@ static const oidValDef algOptList[] = {
{ CIPHER_NAME("RC2"), SEC_OID_RC2_CBC, NSS_USE_ALG_IN_SSL },
{ CIPHER_NAME("RC4"), SEC_OID_RC4, NSS_USE_ALG_IN_SSL },
{ CIPHER_NAME("IDEA"), SEC_OID_IDEA_CBC, NSS_USE_ALG_IN_SSL },
};
static const oidValDef kxOptList[] = {
/* Key exchange */
{ CIPHER_NAME("RSA"), SEC_OID_TLS_RSA, NSS_USE_ALG_IN_SSL_KX },
{ CIPHER_NAME("RSA-EXPORT"), SEC_OID_TLS_RSA_EXPORT, NSS_USE_ALG_IN_SSL_KX },
@ -376,6 +384,20 @@ static const oidValDef algOptList[] = {
{ CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
};
typedef struct {
const oidValDef *list;
PRUint32 entries;
const char *description;
} algListsDef;
static const algListsDef algOptLists[] = {
{ curveOptList, PR_ARRAY_SIZE(curveOptList), "ECC" },
{ hashOptList, PR_ARRAY_SIZE(hashOptList), "HASH" },
{ macOptList, PR_ARRAY_SIZE(macOptList), "MAC" },
{ cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER" },
{ kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX" },
};
static const optionFreeDef sslOptList[] = {
/* Versions */
{ CIPHER_NAME("SSL2.0"), 0x002 },
@ -447,7 +469,8 @@ secmod_ArgGetSubValue(const char *cipher, char sep1, char sep2,
}
static PRUint32
secmod_parsePolicyValue(const char *policyFlags, int policyLength)
secmod_parsePolicyValue(const char *policyFlags, int policyLength,
PRBool printPolicyFeedback)
{
const char *flag, *currentString;
PRUint32 flags = 0;
@ -456,6 +479,7 @@ secmod_parsePolicyValue(const char *policyFlags, int policyLength)
for (currentString = policyFlags; currentString &&
currentString < policyFlags + policyLength;) {
int length;
PRBool unknown = PR_TRUE;
flag = secmod_ArgGetSubValue(currentString, ',', ':', &length,
&currentString);
if (length == 0) {
@ -467,41 +491,49 @@ secmod_parsePolicyValue(const char *policyFlags, int policyLength)
if ((policy->name_size == length) &&
PORT_Strncasecmp(policy->name, flag, name_size) == 0) {
flags |= policy->flag;
unknown = PR_FALSE;
break;
}
}
if (unknown && printPolicyFeedback) {
PR_SetEnv("NSS_POLICY_FAIL=1");
fprintf(stderr, "NSS-POLICY-FAIL %.*s: unknown value: %.*s\n",
policyLength, policyFlags, length, flag);
}
}
return flags;
}
/* allow symbolic names for values. The only ones currently defines or
* SSL protocol versions. */
static PRInt32
secmod_getPolicyOptValue(const char *policyValue, int policyValueLength)
static SECStatus
secmod_getPolicyOptValue(const char *policyValue, int policyValueLength,
PRInt32 *result)
{
PRInt32 val = atoi(policyValue);
int i;
if ((val != 0) || (*policyValue == '0')) {
return val;
*result = val;
return SECSuccess;
}
for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) {
if (policyValueLength == sslOptList[i].name_size &&
PORT_Strncasecmp(sslOptList[i].name, policyValue,
sslOptList[i].name_size) == 0) {
val = sslOptList[i].option;
break;
*result = sslOptList[i].option;
return SECSuccess;
}
}
return val;
return SECFailure;
}
static SECStatus
secmod_applyCryptoPolicy(const char *policyString,
PRBool allow)
secmod_applyCryptoPolicy(const char *policyString, PRBool allow,
PRBool printPolicyFeedback)
{
const char *cipher, *currentString;
unsigned i;
unsigned i, j;
SECStatus rv = SECSuccess;
PRBool unknown;
@ -526,56 +558,63 @@ secmod_applyCryptoPolicy(const char *policyString,
/* disable or enable all options by default */
PRUint32 value = 0;
if (newValue) {
value = secmod_parsePolicyValue(&cipher[3] + 1, length - 3 - 1);
value = secmod_parsePolicyValue(&cipher[3] + 1, length - 3 - 1, printPolicyFeedback);
}
for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
PRUint32 enable, disable;
if (!newValue) {
value = algOptList[i].val;
for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
const algListsDef *algOptList = &algOptLists[i];
for (j = 0; j < algOptList->entries; j++) {
PRUint32 enable, disable;
if (!newValue) {
value = algOptList->list[j].val;
}
if (allow) {
enable = value;
disable = 0;
} else {
enable = 0;
disable = value;
}
NSS_SetAlgorithmPolicy(algOptList->list[j].oid, enable, disable);
}
if (allow) {
enable = value;
disable = 0;
} else {
enable = 0;
disable = value;
}
NSS_SetAlgorithmPolicy(algOptList[i].oid, enable, disable);
}
continue;
}
for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
const oidValDef *algOpt = &algOptList[i];
unsigned name_size = algOpt->name_size;
PRBool newOption = PR_FALSE;
for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
const algListsDef *algOptList = &algOptLists[i];
for (j = 0; j < algOptList->entries; j++) {
const oidValDef *algOpt = &algOptList->list[j];
unsigned name_size = algOpt->name_size;
PRBool newOption = PR_FALSE;
if ((length >= name_size) && (cipher[name_size] == '/')) {
newOption = PR_TRUE;
}
if ((newOption || algOpt->name_size == length) &&
PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
PRUint32 value = algOpt->val;
PRUint32 enable, disable;
if (newOption) {
value = secmod_parsePolicyValue(&cipher[name_size] + 1,
length - name_size - 1);
if ((length >= name_size) && (cipher[name_size] == '/')) {
newOption = PR_TRUE;
}
if (allow) {
enable = value;
disable = 0;
} else {
enable = 0;
disable = value;
if ((newOption || algOpt->name_size == length) &&
PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
PRUint32 value = algOpt->val;
PRUint32 enable, disable;
if (newOption) {
value = secmod_parsePolicyValue(&cipher[name_size] + 1,
length - name_size - 1,
printPolicyFeedback);
}
if (allow) {
enable = value;
disable = 0;
} else {
enable = 0;
disable = value;
}
rv = NSS_SetAlgorithmPolicy(algOpt->oid, enable, disable);
if (rv != SECSuccess) {
/* could not enable option */
/* NSS_SetAlgorithPolicy should have set the error code */
return SECFailure;
}
unknown = PR_FALSE;
break;
}
rv = NSS_SetAlgorithmPolicy(algOpt->oid, enable, disable);
if (rv != SECSuccess) {
/* could not enable option */
/* NSS_SetAlgorithPolicy should have set the error code */
return SECFailure;
}
unknown = PR_FALSE;
break;
}
}
if (!unknown) {
@ -588,9 +627,19 @@ secmod_applyCryptoPolicy(const char *policyString,
if ((length > name_size) && cipher[name_size] == '=' &&
PORT_Strncasecmp(freeOpt->name, cipher, name_size) == 0) {
PRInt32 val = secmod_getPolicyOptValue(&cipher[name_size + 1],
length - name_size - 1);
PRInt32 val;
const char *policyValue = &cipher[name_size + 1];
int policyValueLength = length - name_size - 1;
rv = secmod_getPolicyOptValue(policyValue, policyValueLength,
&val);
if (rv != SECSuccess) {
if (printPolicyFeedback) {
PR_SetEnv("NSS_POLICY_FAIL=1");
fprintf(stderr, "NSS-POLICY-FAIL %.*s: unknown value: %.*s\n",
length, cipher, policyValueLength, policyValue);
}
return SECFailure;
}
rv = NSS_OptionSet(freeOpt->option, val);
if (rv != SECSuccess) {
/* could not enable option */
@ -603,12 +652,83 @@ secmod_applyCryptoPolicy(const char *policyString,
break;
}
}
if (unknown && printPolicyFeedback) {
PR_SetEnv("NSS_POLICY_FAIL=1");
fprintf(stderr, "NSS-POLICY-FAIL %s: unknown identifier: %.*s\n",
allow ? "allow" : "disallow", length, cipher);
}
}
return rv;
}
static void
secmod_sanityCheckCryptoPolicy(void)
{
unsigned i, j;
SECStatus rv = SECSuccess;
unsigned num_kx_enabled = 0;
unsigned num_ssl_enabled = 0;
unsigned num_sig_enabled = 0;
unsigned enabledCount[PR_ARRAY_SIZE(algOptLists)];
const char *sWarn = "WARN";
const char *sInfo = "INFO";
PRBool haveWarning = PR_FALSE;
for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
const algListsDef *algOptList = &algOptLists[i];
enabledCount[i] = 0;
for (j = 0; j < algOptList->entries; j++) {
const oidValDef *algOpt = &algOptList->list[j];
PRUint32 value;
PRBool anyEnabled = PR_FALSE;
rv = NSS_GetAlgorithmPolicy(algOpt->oid, &value);
if (rv != SECSuccess) {
PR_SetEnv("NSS_POLICY_FAIL=1");
fprintf(stderr, "NSS-POLICY-FAIL: internal failure with NSS_GetAlgorithmPolicy at %u\n", i);
return;
}
if ((algOpt->val & NSS_USE_ALG_IN_SSL_KX) && (value & NSS_USE_ALG_IN_SSL_KX)) {
++num_kx_enabled;
anyEnabled = PR_TRUE;
fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for KX\n", algOpt->name);
}
if ((algOpt->val & NSS_USE_ALG_IN_SSL) && (value & NSS_USE_ALG_IN_SSL)) {
++num_ssl_enabled;
anyEnabled = PR_TRUE;
fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for SSL\n", algOpt->name);
}
if ((algOpt->val & NSS_USE_ALG_IN_CERT_SIGNATURE) && (value & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
++num_sig_enabled;
anyEnabled = PR_TRUE;
fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for CERT-SIGNATURE\n", algOpt->name);
}
if (anyEnabled) {
++enabledCount[i];
}
}
}
fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-SSL-ALG-KX: %u\n", num_kx_enabled ? sInfo : sWarn, num_kx_enabled);
fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-SSL-ALG: %u\n", num_ssl_enabled ? sInfo : sWarn, num_ssl_enabled);
fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-CERT-SIG: %u\n", num_sig_enabled ? sInfo : sWarn, num_sig_enabled);
if (!num_kx_enabled || !num_ssl_enabled || !num_sig_enabled) {
haveWarning = PR_TRUE;
}
for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
const algListsDef *algOptList = &algOptLists[i];
fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-%s: %u\n", enabledCount[i] ? sInfo : sWarn, algOptList->description, enabledCount[i]);
if (!enabledCount[i]) {
haveWarning = PR_TRUE;
}
}
if (haveWarning) {
PR_SetEnv("NSS_POLICY_WARN=1");
}
}
static SECStatus
secmod_parseCryptoPolicy(const char *policyConfig)
secmod_parseCryptoPolicy(const char *policyConfig, PRBool printPolicyFeedback)
{
char *disallow, *allow;
SECStatus rv;
@ -623,16 +743,26 @@ secmod_parseCryptoPolicy(const char *policyConfig)
return rv;
}
disallow = NSSUTIL_ArgGetParamValue("disallow", policyConfig);
rv = secmod_applyCryptoPolicy(disallow, PR_FALSE);
rv = secmod_applyCryptoPolicy(disallow, PR_FALSE, printPolicyFeedback);
if (disallow)
PORT_Free(disallow);
if (rv != SECSuccess) {
return rv;
}
allow = NSSUTIL_ArgGetParamValue("allow", policyConfig);
rv = secmod_applyCryptoPolicy(allow, PR_TRUE);
rv = secmod_applyCryptoPolicy(allow, PR_TRUE, printPolicyFeedback);
if (allow)
PORT_Free(allow);
if (rv != SECSuccess) {
return rv;
}
if (printPolicyFeedback) {
/* This helps to distinguish configurations that don't contain any
* policy config= statement. */
PR_SetEnv("NSS_POLICY_LOADED=1");
fprintf(stderr, "NSS-POLICY-INFO: LOADED-SUCCESSFULLY\n");
secmod_sanityCheckCryptoPolicy();
}
return rv;
}
@ -649,11 +779,16 @@ SECMOD_CreateModuleEx(const char *library, const char *moduleName,
char *slotParams, *ciphers;
/* pk11pars.h still does not have const char * interfaces */
char *nssc = (char *)nss;
PRBool printPolicyFeedback = NSSUTIL_ArgHasFlag("flags", "printPolicyFeedback", nssc);
rv = secmod_parseCryptoPolicy(config);
rv = secmod_parseCryptoPolicy(config, printPolicyFeedback);
/* do not load the module if policy parsing fails */
if (rv != SECSuccess) {
if (printPolicyFeedback) {
PR_SetEnv("NSS_POLICY_FAIL=1");
fprintf(stderr, "NSS-POLICY-FAIL: policy config parsing failed, not loading module %s\n", moduleName);
}
return NULL;
}
@ -1647,6 +1782,7 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse)
SECMODModule *module = NULL;
SECMODModule *oldModule = NULL;
SECStatus rv;
PRBool forwardPolicyFeedback = PR_FALSE;
/* initialize the underlying module structures */
SECMOD_Init();
@ -1659,6 +1795,7 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse)
}
module = SECMOD_CreateModuleEx(library, moduleName, parameters, nss, config);
forwardPolicyFeedback = NSSUTIL_ArgHasFlag("flags", "printPolicyFeedback", nss);
if (library)
PORT_Free(library);
if (moduleName)
@ -1721,7 +1858,15 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse)
rv = SECFailure;
break;
}
child = SECMOD_LoadModule(*index, module, PR_TRUE);
if (!forwardPolicyFeedback) {
child = SECMOD_LoadModule(*index, module, PR_TRUE);
} else {
/* Add printPolicyFeedback to the nss flags */
char *specWithForwards =
NSSUTIL_AddNSSFlagToModuleSpec(*index, "printPolicyFeedback");
child = SECMOD_LoadModule(specWithForwards, module, PR_TRUE);
PORT_Free(specWithForwards);
}
if (!child)
break;
if (child->isCritical && !child->loaded) {
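Review bot: secmod_getPolicyOptValue still takes the number from `atoi(policyValue)`, which stops at the first non-digit and ignores policyValueLength, so the new SECFailure path misses values with trailing junk: `RSA-MIN=2048x` is accepted as 2048 and `tls-version-min=1.2` as 1. For a policy parser that is a silent misconfiguration, which is the kind of mistake printPolicyFeedback is meant to surface. Parsing with strtol and requiring the end pointer to land exactly on policyValue + policyValueLength closes the gap; the symbolic-name lookup stays as it is.

```c
static SECStatus
secmod_getPolicyOptValue(const char *policyValue, int policyValueLength,
                         PRInt32 *result)
{
    char *end = NULL;
    long val = strtol(policyValue, &end, 10);
    int i;

    /* Accept a number only when it spans the whole value and fits in
     * PRInt32. Where long is 32 bits, also reject errno == ERANGE. */
    if (end != policyValue && end == policyValue + policyValueLength &&
        val >= PR_INT32_MIN && val <= PR_INT32_MAX) {
        *result = (PRInt32)val;
        return SECSuccess;
    }
    /* ... unchanged: sslOptList symbolic-name lookup, SECFailure otherwise ... */
```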


@ -607,12 +607,32 @@ PK11_FindSlotsByNames(const char *dllName, const char *slotName,
return slotList;
}
PK11SlotInfo *
PK11_FindSlotByName(const char *name)
typedef PRBool (*PK11SlotMatchFunc)(PK11SlotInfo *slot, const void *arg);
static PRBool
pk11_MatchSlotByTokenName(PK11SlotInfo *slot, const void *arg)
{
return PORT_Strcmp(slot->token_name, arg) == 0;
}
static PRBool
pk11_MatchSlotBySerial(PK11SlotInfo *slot, const void *arg)
{
return PORT_Memcmp(slot->serial, arg, sizeof(slot->serial)) == 0;
}
static PRBool
pk11_MatchSlotByTokenURI(PK11SlotInfo *slot, const void *arg)
{
return pk11_MatchUriTokenInfo(slot, (PK11URI *)arg);
}
static PK11SlotInfo *
pk11_FindSlot(const void *arg, PK11SlotMatchFunc func)
{
SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
SECMODModuleList *mlp;
SECMODModuleList *modules;
SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
int i;
PK11SlotInfo *slot = NULL;
@ -620,10 +640,6 @@ PK11_FindSlotByName(const char *name)
PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
return slot;
}
if ((name == NULL) || (*name == 0)) {
return PK11_GetInternalKeySlot();
}
/* work through all the slots */
SECMOD_GetReadLock(moduleLock);
modules = SECMOD_GetDefaultModuleList();
@ -631,7 +647,7 @@ PK11_FindSlotByName(const char *name)
for (i = 0; i < mlp->module->slotCount; i++) {
PK11SlotInfo *tmpSlot = mlp->module->slots[i];
if (PK11_IsPresent(tmpSlot)) {
if (PORT_Strcmp(tmpSlot->token_name, name) == 0) {
if (func(tmpSlot, arg)) {
slot = PK11_ReferenceSlot(tmpSlot);
break;
}
@ -649,43 +665,41 @@ PK11_FindSlotByName(const char *name)
return slot;
}
static PK11SlotInfo *
pk11_FindSlotByTokenURI(const char *uriString)
{
PK11SlotInfo *slot = NULL;
PK11URI *uri;
uri = PK11URI_ParseURI(uriString);
if (!uri) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return slot;
}
slot = pk11_FindSlot(uri, pk11_MatchSlotByTokenURI);
PK11URI_DestroyURI(uri);
return slot;
}
PK11SlotInfo *
PK11_FindSlotByName(const char *name)
{
if ((name == NULL) || (*name == 0)) {
return PK11_GetInternalKeySlot();
}
if (!PORT_Strncasecmp(name, "pkcs11:", strlen("pkcs11:"))) {
return pk11_FindSlotByTokenURI(name);
}
return pk11_FindSlot(name, pk11_MatchSlotByTokenName);
}
PK11SlotInfo *
PK11_FindSlotBySerial(char *serial)
{
SECMODModuleList *mlp;
SECMODModuleList *modules;
SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
int i;
PK11SlotInfo *slot = NULL;
if (!moduleLock) {
PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
return slot;
}
/* work through all the slots */
SECMOD_GetReadLock(moduleLock);
modules = SECMOD_GetDefaultModuleList();
for (mlp = modules; mlp != NULL; mlp = mlp->next) {
for (i = 0; i < mlp->module->slotCount; i++) {
PK11SlotInfo *tmpSlot = mlp->module->slots[i];
if (PK11_IsPresent(tmpSlot)) {
if (PORT_Memcmp(tmpSlot->serial, serial,
sizeof(tmpSlot->serial)) == 0) {
slot = PK11_ReferenceSlot(tmpSlot);
break;
}
}
}
if (slot != NULL)
break;
}
SECMOD_ReleaseReadLock(moduleLock);
if (slot == NULL) {
PORT_SetError(SEC_ERROR_NO_TOKEN);
}
return slot;
return pk11_FindSlot(serial, pk11_MatchSlotBySerial);
}
/*
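Review bot: pk11_FindSlot invokes `func` while the default module list read lock is held (the call sits after SECMOD_GetReadLock), but neither the PK11SlotMatchFunc typedef nor the helper records that contract. A comment on the typedef would do it: `/* Called for each present slot with the module list read lock held; returns PR_TRUE on a match and should not block or modify the module list. */`. It would also help to note on pk11_MatchSlotBySerial that `arg` must point to at least sizeof(slot->serial) bytes, since PORT_Memcmp reads that many regardless of how large the caller's buffer is. Part of pk11_FindSlot lies between hunks and is not shown.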


@ -328,3 +328,9 @@ SECITEM_MakeItem;
;+ local:
;+ *;
;+};
;+NSSUTIL_3.39 { # NSS Utilities 3.39 release
;+ global:
NSSUTIL_AddNSSFlagToModuleSpec;
;+ local:
;+ *;
;+};


@ -674,7 +674,7 @@ PK11URI_ParseURI(const char *string)
const char *p = string;
SECStatus ret;
if (strncmp("pkcs11:", p, 7) != 0) {
if (PORT_Strncasecmp("pkcs11:", p, 7) != 0) {
return NULL;
}
p += 7;


@ -913,6 +913,92 @@ NSSUTIL_MkModuleSpec(char *dllName, char *commonName, char *parameters,
return NSSUTIL_MkModuleSpecEx(dllName, commonName, parameters, NSS, NULL);
}
/************************************************************************
* add a single flag to the Flags= section inside the spec's NSS= section */
char *
NSSUTIL_AddNSSFlagToModuleSpec(char *spec, char *addFlag)
{
const char *prefix = "flags=";
const size_t prefixLen = strlen(prefix);
char *lib = NULL, *name = NULL, *param = NULL, *nss = NULL, *conf = NULL;
char *nss2 = NULL, *result = NULL;
SECStatus rv;
rv = NSSUTIL_ArgParseModuleSpecEx(spec, &lib, &name, &param, &nss, &conf);
if (rv != SECSuccess) {
return NULL;
}
if (nss && NSSUTIL_ArgHasFlag("flags", addFlag, nss)) {
/* It's already there, nothing to do! */
PORT_Free(lib);
PORT_Free(name);
PORT_Free(param);
PORT_Free(nss);
PORT_Free(conf);
return PORT_Strdup(spec);
}
if (!nss || !strlen(nss)) {
nss2 = PORT_Alloc(prefixLen + strlen(addFlag) + 1);
PORT_Strcpy(nss2, prefix);
PORT_Strcat(nss2, addFlag);
} else {
const char *iNss = nss;
PRBool alreadyAdded = PR_FALSE;
size_t maxSize = strlen(nss) + strlen(addFlag) + prefixLen + 2; /* space and null terminator */
nss2 = PORT_Alloc(maxSize);
*nss2 = 0;
while (*iNss) {
iNss = NSSUTIL_ArgStrip(iNss);
if (PORT_Strncasecmp(iNss, prefix, prefixLen) == 0) {
/* We found an existing Flags= section. */
char *oldFlags;
const char *valPtr;
int valSize;
valPtr = iNss + prefixLen;
oldFlags = NSSUTIL_ArgFetchValue(valPtr, &valSize);
iNss = valPtr + valSize;
PORT_Strcat(nss2, prefix);
PORT_Strcat(nss2, oldFlags);
PORT_Strcat(nss2, ",");
PORT_Strcat(nss2, addFlag);
PORT_Strcat(nss2, " ");
PORT_Free(oldFlags);
alreadyAdded = PR_TRUE;
iNss = NSSUTIL_ArgStrip(iNss);
PORT_Strcat(nss2, iNss); /* remainder of input */
break;
} else {
/* Append this other name=value pair and continue. */
const char *startOfNext = NSSUTIL_ArgSkipParameter(iNss);
PORT_Strncat(nss2, iNss, (startOfNext - iNss));
if (nss2[strlen(nss2) - 1] != ' ') {
PORT_Strcat(nss2, " ");
}
iNss = startOfNext;
}
iNss = NSSUTIL_ArgStrip(iNss);
}
if (!alreadyAdded) {
/* nss wasn't empty, and it didn't contain a Flags section. We can
* assume that other content from nss has already been added to
* nss2, which means we already have a trailing space separator. */
PORT_Strcat(nss2, prefix);
PORT_Strcat(nss2, addFlag);
}
}
result = NSSUTIL_MkModuleSpecEx(lib, name, param, nss2, conf);
PORT_Free(lib);
PORT_Free(name);
PORT_Free(param);
PORT_Free(nss);
PORT_Free(nss2);
PORT_Free(conf);
return result;
}
#define NSSUTIL_ARG_FORTEZZA_FLAG "FORTEZZA"
/******************************************************************************
* Parse the cipher flags from the NSS parameter
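Review bot: NSSUTIL_AddNSSFlagToModuleSpec writes into `nss2` without checking either PORT_Alloc result, and passes `oldFlags` from NSSUTIL_ArgFetchValue to PORT_Strcat without a NULL check; an allocation failure, or presumably an empty `flags=` value, then becomes a NULL dereference while a module spec is being processed. Each case needs a guard that frees lib, name, param, nss and conf and returns NULL, for example `if (!nss2) goto loser;` after both allocations with the frees moved under that label. The buffer is also sized by hand (`maxSize`) and filled with unbounded PORT_Strcat and PORT_Strncat calls, so a comment stating why the size covers the spaces inserted between parameters would make it easier to audit. The new caller in SECMOD_LoadModule passes the returned pointer on without checking it for NULL, which the documentation of this function should call out.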


@ -46,6 +46,7 @@ char *NSSUTIL_MkModuleSpec(char *dllName, char *commonName,
char *parameters, char *NSS);
char *NSSUTIL_MkModuleSpecEx(char *dllName, char *commonName,
char *parameters, char *NSS, char *config);
char *NSSUTIL_AddNSSFlagToModuleSpec(char *spec, char *addFlag);
void NSSUTIL_ArgParseCipherFlags(unsigned long *newCiphers,
const char *cipherList);
char *NSSUTIL_MkNSSString(char **slotStrings, int slotCount, PRBool internal,


@ -247,7 +247,7 @@ def parse_arguments():
tests = [
"cipher", "lowhash", "chains", "cert", "dbtests", "tools", "fips",
"sdr", "crmf", "smime", "ssl", "ocsp", "merge", "pkits", "ec",
"gtests", "ssl_gtests", "bogo", "interop"
"gtests", "ssl_gtests", "bogo", "interop", "policy"
]
parser_test.add_argument(
'test', choices=tests, help="Available tests", action=testAction)


@ -135,6 +135,7 @@
'cmd/listsuites/listsuites.gyp:listsuites',
'cmd/makepqg/makepqg.gyp:makepqg',
'cmd/multinit/multinit.gyp:multinit',
'cmd/nss-policy-check/nss-policy-check.gyp:nss-policy-check',
'cmd/ocspclnt/ocspclnt.gyp:ocspclnt',
'cmd/ocspresp/ocspresp.gyp:ocspresp',
'cmd/oidcalc/oidcalc.gyp:oidcalc',


@ -97,7 +97,7 @@ e.g. `NSS_TESTS=ssl_gtests ./all.sh` or by changing into the according directory
and running the bash script there `cd ssl_gtests && ./ssl_gtests.sh`. The
following tests are available:
cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests bogo
cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests bogo policy
To make tests run faster it's recommended to set `NSS_CYCLES=standard` to run
only the standard cycle.


@ -37,6 +37,7 @@
# memleak.sh - memory leak testing (optional)
# ssl_gtests.sh- Gtest based unit tests for ssl
# gtests.sh - Gtest based unit tests for everything else
# policy.sh - Crypto Policy tests
# bogo.sh - Bogo interop tests (disabled by default)
# https://boringssl.googlesource.com/boringssl/+/master/ssl/test/PORTING.md
# interop.sh - Interoperability tests (disabled by default)
@ -300,7 +301,7 @@ if [ $NO_INIT_SUPPORT -eq 0 ]; then
RUN_FIPS="fips"
fi
tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests"
tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy"
# Don't run chains tests when we have a gyp build.
if [ "$OBJDIR" != "Debug" -a "$OBJDIR" != "Release" ]; then
tests="$tests chains"

Двоичные данные
security/nss/tests/cert/TestUser-rsa-pss-interop.p12 Normal file

Двоичный файл не отображается.


@ -448,6 +448,27 @@ cert_add_cert()
fi
cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
echo "Importing RSA-PSS server certificate"
pk12u -i ${QADIR}/cert/TestUser-rsa-pss-interop.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${PROFILEDIR}
# Let's get the key ID of the imported private key.
KEYID=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
grep 'TestUser-rsa-pss-interop$' | sed -n 's/^<.*> [^ ]\{1,\} *\([^ ]\{1,\}\).*/\1/p'`
CU_ACTION="Generate RSA-PSS Cert Request for $CERTNAME"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -d "${PROFILEDIR}" -k ${KEYID} -f "${R_PWFILE}" \
-z "${R_NOISE_FILE}" -o req 2>&1
CU_ACTION="Sign ${CERTNAME}'s RSA-PSS Request"
NEWSERIAL=`expr ${CERTSERIAL} + 30000`
certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
-i req -o "${CERTNAME}-rsa-pss.cert" -f "${R_PWFILE}" "$1" 2>&1
CU_ACTION="Import $CERTNAME's RSA-PSS Cert -t u,u,u"
certu -A -n "$CERTNAME-rsa-pss" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
-i "${CERTNAME}-rsa-pss.cert" 2>&1
cert_log "SUCCESS: $CERTNAME's RSA-PSS Cert Created"
return 0
}
@ -2103,6 +2124,23 @@ cert_test_implicit_db_init()
certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert"
}
cert_test_token_uri()
{
echo "$SCRIPTNAME: specify token with PKCS#11 URI"
CERTIFICATE_DB_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*NSS%20Certificate%20DB.*\)/\1/p'`
BUILTIN_OBJECTS_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*Builtin%20Object%20Token.*\)/\1/p'`
CU_ACTION="List keys in NSS Certificate DB"
certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${CERTIFICATE_DB_URI}
# This token shouldn't have any keys
CU_ACTION="List keys in NSS Builtin Objects"
RETEXPECTED=255
certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${BUILTIN_OBJECTS_URI}
RETEXPECTED=0
}
check_sign_algo()
{
certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \
@ -2475,6 +2513,29 @@ EOF
RETEXPECTED=0
}
cert_test_orphan_key_delete()
{
CU_ACTION="Create orphan key in serverdir"
certu -G -k ec -q nistp256 -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR}
# Let's get the key ID of the first orphan key.
# The output of certutil -K (list keys) isn't well formatted.
# The initial <key-number> part may or may not contain white space, which
# makes the use of awk to filter the column unreliable.
# To fix that, we remove the initial <number> field using sed, then select the
# column that contains the key ID.
ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'`
CU_ACTION="Delete orphan key"
certu -F -f "${R_PWFILE}" -k ${ORPHAN} -d ${PROFILEDIR}
# Ensure that the key is removed
certu -K -f "${R_PWFILE}" -d ${PROFILEDIR} | grep ${ORPHAN}
RET=$?
if [ "$RET" -eq 0 ]; then
html_failed "Deleting orphan key ($RET)"
cert_log "ERROR: Deleting orphan key failed $RET"
fi
}
cert_test_orphan_key_reuse()
{
CU_ACTION="Create orphan key in serverdir"
@ -2519,6 +2580,7 @@ cert_all_CA
cert_test_implicit_db_init
cert_extended_ssl
cert_ssl
cert_test_orphan_key_delete
cert_test_orphan_key_reuse
cert_smime_client
IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
@ -2534,6 +2596,7 @@ cert_test_password
cert_test_distrust
cert_test_ocspresp
cert_test_rsapss
cert_test_token_uri
if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
cert_crl_ssl
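Review bot: cert_test_orphan_key_delete never checks that `ORPHAN` is non-empty, and the variable is expanded unquoted. If the key-listing pipeline yields nothing, `certu -F ... -k ${ORPHAN} -d ...` loses its key argument and the final `grep ${ORPHAN}` runs without a pattern, exits non-zero, and the test is counted as a pass. Failing early and quoting fixes both: `[ -n "${ORPHAN}" ] || html_failed "No orphan key found"` before the delete, and `grep "${ORPHAN}"` in the check. The same applies to `KEYID` in cert_add_cert and to the two URI variables passed to `-h` in cert_test_token_uri.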


@ -0,0 +1,19 @@
# col 1: expected return value of nss-policy-check
# col 2: policy config statement, using _ instead of space
# col 3: an extended regular expression, expected to match the output
# col 4: description of the test
#
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy
0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy
2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value
2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value
2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier
1 disallow=all NSS-POLICY-WARN.*NUMBER-OF-CERT-SIG disallow all
1 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-WARN.*NUMBER-OF-HASH No Hashes
1 disallow=ALL_allow=tls-version-min=0:tls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS All TLS versions disabled
1 disallow=ALL_allow=dtls-version-min=0:dtls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS All DTLS versions disabled
1 disallow=ALL_allow=tls-version-min=tls1.2:tls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS Invalid range of TLS versions
1 disallow=ALL_allow=dtls-version-min=tls1.2:dtls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS Invalid range of DTLS versions
1 disallow=ALL_allow=tls-version-min=tls1.1:tls-version-max=tls1.2 NSS-POLICY-INFO.*NUMBER-OF-TLS-VERSIONS Valid range of TLS versions
1 disallow=ALL_allow=dtls-version-min=tls1.1:dtls-version-max=tls1.2 NSS-POLICY-INFO.*NUMBER-OF-DTLS-VERSIONS Valid range of DTLS versions


@ -0,0 +1,58 @@
#! /bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
########################################################################
#
# mozilla/security/nss/tests/policy/policy.sh
#
# Script to test NSS crypto policy code
#
########################################################################
ignore_blank_lines()
{
LC_ALL=C grep -v '^[[:space:]]*\(#\|$\)' "$1"
}
policy_run_tests()
{
html_head "CRYPTO-POLICY"
POLICY_INPUT=${QADIR}/policy/crypto-policy.txt
ignore_blank_lines ${POLICY_INPUT} | \
while read value policy match testname
do
echo "$SCRIPTNAME: running \"$testname\" ----------------------------"
policy=`echo ${policy} | sed -e 's;_; ;g'`
match=`echo ${match} | sed -e 's;_; ;g'`
POLICY_FILE="${TMP}/nss-policy"
echo "$SCRIPTNAME: policy: \"$policy\""
cat > "$POLICY_FILE" << ++EOF++
library=
name=Policy
NSS=flags=policyOnly,moduleDB
++EOF++
echo "config=\"${policy}\"" >> "$POLICY_FILE"
echo "" >> "$POLICY_FILE"
nss-policy-check "$POLICY_FILE" >${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
cat ${TMP}/$HOST.tmp.$$
html_msg $ret $value "\"${testname}\"" \
"produced a returncode of $ret, expected is $value"
egrep "${match}" ${TMP}/$HOST.tmp.$$
ret=$?
html_msg $ret 0 "\"${testname}\" output is expected to match \"${match}\""
done
}
policy_run_tests
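Review bot: In `policy_run_tests`, `echo ${match} | sed` expands `${match}` unquoted, and the match column of crypto-policy.txt holds regular expressions containing `*` (for example `NSS-POLICY-INFO.*LOADED-SUCCESSFULLY`), so the shell applies pathname expansion to the pattern before `egrep` sees it. A matching file name in the working directory would silently change the expected pattern, and the pass/fail result would no longer reflect what nss-policy-check printed. Quoting fixes it: `match=$(echo "${match}" | sed -e 's;_; ;g')`, with the same quoting for `${policy}` and `read -r` on the loop so backslashes in future patterns survive. The output file `${TMP}/$HOST.tmp.$$` is also left in place after the loop; an `rm -f` at the end of each iteration would match what the RSA-PSS coverage loop in this commit does.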


@ -211,22 +211,27 @@ start_selfserv()
echo "$SCRIPTNAME: $testname ----"
fi
sparam=`echo $sparam | sed -e 's;_; ;g'`
if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec"
else
ECC_OPTIONS=""
fi
if [ -z "$RSA_PSS_CERT" -o "$RSA_PSS_CERT" != "1" ] ; then
RSA_OPTIONS="-n ${HOSTADDR}"
else
RSA_OPTIONS="-n ${HOSTADDR}-rsa-pss"
fi
echo "selfserv starting at `date`"
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \\"
echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
echo " -V ssl3:tls1.2 $verbose -H 1 &"
if [ ${fileout} -eq 1 ]; then
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \
> ${SERVEROUTFILE} 2>&1 &
RET=$?
else
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 &
RET=$?
fi
@ -283,6 +288,13 @@ ssl_cov()
echo "${testname}" | grep "EXPORT" > /dev/null
EXP=$?
# RSA-PSS tests are handled in a separate function
case $testname in
*RSA-PSS)
continue
;;
esac
echo "$SCRIPTNAME: running $testname ----------------------------"
VMAX="ssl3"
if [ "$testmax" = "TLS10" ]; then
@ -313,6 +325,59 @@ ssl_cov()
html "</TABLE><BR>"
}
ssl_cov_rsa_pss()
{
#verbose="-v"
html_head "SSL Cipher Coverage (RSA-PSS) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
testname=""
sparam="$CIPHER_SUITES"
if [ "$NORM_EXT" = "Extended Test" ] ; then
echo "$SCRIPTNAME: skipping SSL Cipher Coverage (RSA-PSS) for $NORM_EXT"
return 0
fi
RSA_PSS_CERT=1
NO_ECC_CERTS=1
start_selfserv # Launch the server
RSA_PSS_CERT=0
NO_ECC_CERTS=0
VMIN="tls1.2"
VMAX="tls1.2"
ignore_blank_lines ${SSLCOV} | \
while read ectype testmax param testname
do
case $testname in
*RSA-PSS)
;;
*)
continue
;;
esac
echo "$SCRIPTNAME: running $testname (RSA-PSS) ----------------------------"
echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
-d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
cat ${TMP}/$HOST.tmp.$$
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
html_msg $ret 0 "${testname}" \
"produced a returncode of $ret, expected is 0"
done
kill_selfserv
html "</TABLE><BR>"
}
############################## ssl_auth ################################
# local shell function to perform SSL Client Authentication tests
########################################################################
@ -1152,6 +1217,7 @@ ssl_run()
;;
"cov")
ssl_cov
ssl_cov_rsa_pss
;;
"auth")
ssl_auth
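Review bot: In `ssl_cov_rsa_pss`, the `Extended Test` early `return 0` comes after `html_head`, so the report section is opened but the closing `html "</TABLE><BR>"` at the end of the function is never written on that path; moving the skip check above `html_head` would avoid the dangling table (assuming `html_head` opens one, which is not visible here). The function also sets `RSA_PSS_CERT=0` and `NO_ECC_CERTS=0` after `start_selfserv` instead of restoring the values it found, which would override a `NO_ECC_CERTS=1` set elsewhere in the run. Each case passes on a zero exit code from tstclnt alone, and nothing in the loop confirms that the handshake was authenticated with the `-rsa-pss` certificate. A check on the client output for the negotiated certificate or signature scheme would make the coverage claim stronger.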


@ -141,3 +141,8 @@
ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECC TLS12 :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
ECC TLS12 :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
#
# Test against server with RSA-PSS server certificate
#
ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - RSA-PSS
ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - RSA-PSS