From b8bea43ef3d7f13b28d8899b0174e3fbcb050c31 Mon Sep 17 00:00:00 2001 From: Kai Engert Date: Wed, 25 Jul 2018 15:17:58 +0200 Subject: [PATCH] Bug 1470914, NSS 3.39 beta revision 4a086733554e UPGRADE_NSS_RELEASE r=me --- security/nss.symbols | 3 + security/nss/TAG-INFO | 2 +- .../abi-check/expected-report-libnss3.so.txt | 5 + .../expected-report-libnssutil3.so.txt | 5 + .../nss/automation/release/nspr-version.txt | 2 +- .../taskcluster/graph/src/extend.js | 3 + .../taskcluster/graph/src/try_syntax.js | 2 +- security/nss/cmd/certutil/certutil.c | 172 ++++++++---- security/nss/cmd/manifest.mn | 1 + security/nss/cmd/nss-policy-check/Makefile | 47 ++++ security/nss/cmd/nss-policy-check/manifest.mn | 15 + .../cmd/nss-policy-check/nss-policy-check.c | 206 ++++++++++++++ .../cmd/nss-policy-check/nss-policy-check.gyp | 24 ++ security/nss/coreconf/coreconf.dep | 1 + security/nss/doc/certutil.xml | 2 +- security/nss/doc/html/certutil.html | 8 +- security/nss/doc/nroff/certutil.1 | 14 +- .../util_gtest/util_pkcs11uri_unittest.cc | 1 + security/nss/lib/base/error.c | 29 ++ security/nss/lib/freebl/mpi/mpi_arm.c | 4 +- security/nss/lib/nss/nss.def | 6 + security/nss/lib/nss/nssinit.c | 2 +- security/nss/lib/pk11wrap/pk11akey.c | 18 -- security/nss/lib/pk11wrap/pk11cert.c | 2 +- security/nss/lib/pk11wrap/pk11pars.c | 265 ++++++++++++++---- security/nss/lib/pk11wrap/pk11slot.c | 98 ++++--- security/nss/lib/util/nssutil.def | 6 + security/nss/lib/util/pkcs11uri.c | 2 +- security/nss/lib/util/utilpars.c | 86 ++++++ security/nss/lib/util/utilpars.h | 1 + security/nss/mach | 2 +- security/nss/nss.gyp | 1 + security/nss/readme.md | 2 +- security/nss/tests/all.sh | 3 +- .../tests/cert/TestUser-rsa-pss-interop.p12 | Bin 0 -> 2598 bytes security/nss/tests/cert/cert.sh | 63 +++++ security/nss/tests/policy/crypto-policy.txt | 19 ++ security/nss/tests/policy/policy.sh | 58 ++++ security/nss/tests/ssl/ssl.sh | 74 ++++- security/nss/tests/ssl/sslcov.txt | 5 + 40 files changed, 1062 insertions(+), 197 deletions(-) create mode 100644 security/nss/cmd/nss-policy-check/Makefile create mode 100644 security/nss/cmd/nss-policy-check/manifest.mn create mode 100644 security/nss/cmd/nss-policy-check/nss-policy-check.c create mode 100644 security/nss/cmd/nss-policy-check/nss-policy-check.gyp create mode 100644 security/nss/tests/cert/TestUser-rsa-pss-interop.p12 create mode 100644 security/nss/tests/policy/crypto-policy.txt create mode 100644 security/nss/tests/policy/policy.sh diff --git a/security/nss.symbols b/security/nss.symbols index 2c83f9703a30..cd181bef75f8 100644 --- a/security/nss.symbols +++ b/security/nss.symbols @@ -110,6 +110,7 @@ CERT_GenTime2FormattedAscii_Util CERT_GetCertChainFromCert CERT_GetCertEmailAddress CERT_GetCertificateRequestExtensions +CERT_GetCertKeyType CERT_GetCertTimes CERT_GetCertTrust CERT_GetCommonName @@ -277,6 +278,7 @@ NSSSSL_GetVersion #ifdef XP_WIN _NSSUTIL_Access #endif +NSSUTIL_AddNSSFlagToModuleSpec NSSUTIL_ArgDecodeNumber NSSUTIL_ArgFetchValue NSSUTIL_ArgGetLabel @@ -374,6 +376,7 @@ PK11_GetNextSymKey PK11_GetPadMechanism PK11_GetPrivateKeyNickname PK11_GetPrivateModulusLen +PK11_GetSlotFromPrivateKey PK11_GetSlotID PK11_GetSlotInfo PK11_GetSlotName diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO index 249533380fbb..b13863db9813 100644 --- a/security/nss/TAG-INFO +++ b/security/nss/TAG-INFO @@ -1 +1 @@ -53c2ee896c57 +4a086733554e diff --git a/security/nss/automation/abi-check/expected-report-libnss3.so.txt b/security/nss/automation/abi-check/expected-report-libnss3.so.txt index e69de29bb2d1..16b496424997 100644 --- a/security/nss/automation/abi-check/expected-report-libnss3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libnss3.so.txt @@ -0,0 +1,5 @@ + +1 Added function: + + 'function KeyType CERT_GetCertKeyType(const CERTSubjectPublicKeyInfo*)' {CERT_GetCertKeyType@@NSS_3.39} + diff --git a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt index e69de29bb2d1..06d2389db498 100644 --- a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt @@ -0,0 +1,5 @@ + +1 Added function: + + 'function char* NSSUTIL_AddNSSFlagToModuleSpec(char*, char*)' {NSSUTIL_AddNSSFlagToModuleSpec@@NSSUTIL_3.39} + diff --git a/security/nss/automation/release/nspr-version.txt b/security/nss/automation/release/nspr-version.txt index 701680d2c83b..102def16d97e 100644 --- a/security/nss/automation/release/nspr-version.txt +++ b/security/nss/automation/release/nspr-version.txt @@ -1,4 +1,4 @@ -4.19 +4.20 # The first line of this file must contain the human readable NSPR # version number, which is the minimum required version of NSPR diff --git a/security/nss/automation/taskcluster/graph/src/extend.js b/security/nss/automation/taskcluster/graph/src/extend.js index 5305325c52fd..37e716d9b381 100644 --- a/security/nss/automation/taskcluster/graph/src/extend.js +++ b/security/nss/automation/taskcluster/graph/src/extend.js @@ -928,6 +928,9 @@ function scheduleTests(task_build, task_cert, test_base) { queue.scheduleTask(merge(no_cert_base, { name: "SDR tests", symbol: "SDR", tests: "sdr" })); + queue.scheduleTask(merge(no_cert_base, { + name: "Policy tests", symbol: "Policy", tests: "policy" + })); // Schedule tests that need certificates. let cert_base = merge(test_base, {parent: task_cert}); diff --git a/security/nss/automation/taskcluster/graph/src/try_syntax.js b/security/nss/automation/taskcluster/graph/src/try_syntax.js index 214793bd5dd0..92cf9bb00bda 100644 --- a/security/nss/automation/taskcluster/graph/src/try_syntax.js +++ b/security/nss/automation/taskcluster/graph/src/try_syntax.js @@ -37,7 +37,7 @@ function parseOptions(opts) { let aliases = {"gtests": "gtest"}; let allUnitTests = ["bogo", "crmf", "chains", "cipher", "db", "ec", "fips", "gtest", "interop", "lowhash", "merge", "sdr", "smime", "tools", - "ssl", "mpi", "scert", "spki"]; + "ssl", "mpi", "scert", "spki", "policy"]; let unittests = intersect(opts.unittests.split(/\s*,\s*/).map(t => { return aliases[t] || t; }), allUnitTests); diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c index dbb93c92200d..5ecf1e71a7bd 100644 --- a/security/nss/cmd/certutil/certutil.c +++ b/security/nss/cmd/certutil/certutil.c @@ -856,41 +856,59 @@ SECItemToHex(const SECItem *item, char *dst) } static const char *const keyTypeName[] = { - "null", "rsa", "dsa", "fortezza", "dh", "kea", "ec", "rsaPss" + "null", "rsa", "dsa", "fortezza", "dh", "kea", "ec", "rsaPss", "rsaOaep" }; #define MAX_CKA_ID_BIN_LEN 20 #define MAX_CKA_ID_STR_LEN 40 +/* output human readable key ID in buffer, which should have at least + * MAX_CKA_ID_STR_LEN + 3 octets (quotations and a null terminator) */ +static void +formatPrivateKeyID(SECKEYPrivateKey *privkey, char *buffer) +{ + SECItem *ckaID; + + ckaID = PK11_GetLowLevelKeyIDForPrivateKey(privkey); + if (!ckaID) { + strcpy(buffer, "(no CKA_ID)"); + } else if (ItemIsPrintableASCII(ckaID)) { + int len = PR_MIN(MAX_CKA_ID_STR_LEN, ckaID->len); + buffer[0] = '"'; + memcpy(buffer + 1, ckaID->data, len); + buffer[1 + len] = '"'; + buffer[2 + len] = '\0'; + } else { + /* print ckaid in hex */ + SECItem idItem = *ckaID; + if (idItem.len > MAX_CKA_ID_BIN_LEN) + idItem.len = MAX_CKA_ID_BIN_LEN; + SECItemToHex(&idItem, buffer); + } + SECITEM_ZfreeItem(ckaID, PR_TRUE); +} + /* print key number, key ID (in hex or ASCII), key label (nickname) */ static SECStatus PrintKey(PRFileDesc *out, const char *nickName, int count, SECKEYPrivateKey *key, void *pwarg) { - SECItem *ckaID; char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4]; + CERTCertificate *cert; + KeyType keyType; pwarg = NULL; - ckaID = PK11_GetLowLevelKeyIDForPrivateKey(key); - if (!ckaID) { - strcpy(ckaIDbuf, "(no CKA_ID)"); - } else if (ItemIsPrintableASCII(ckaID)) { - int len = PR_MIN(MAX_CKA_ID_STR_LEN, ckaID->len); - ckaIDbuf[0] = '"'; - memcpy(ckaIDbuf + 1, ckaID->data, len); - ckaIDbuf[1 + len] = '"'; - ckaIDbuf[2 + len] = '\0'; - } else { - /* print ckaid in hex */ - SECItem idItem = *ckaID; - if (idItem.len > MAX_CKA_ID_BIN_LEN) - idItem.len = MAX_CKA_ID_BIN_LEN; - SECItemToHex(&idItem, ckaIDbuf); - } + formatPrivateKeyID(key, ckaIDbuf); + cert = PK11_GetCertFromPrivateKey(key); + if (cert) { + keyType = CERT_GetCertKeyType(&cert->subjectPublicKeyInfo); + CERT_DestroyCertificate(cert); + } else { + keyType = key->keyType; + } PR_fprintf(out, "<%2d> %-8.8s %-42.42s %s\n", count, - keyTypeName[key->keyType], ckaIDbuf, nickName); - SECITEM_ZfreeItem(ckaID, PR_TRUE); + keyTypeName[keyType], ckaIDbuf, nickName); return SECSuccess; } @@ -1002,7 +1020,7 @@ ListKeys(PK11SlotInfo *slot, const char *nickName, int index, } static SECStatus -DeleteKey(char *nickname, secuPWData *pwdata) +DeleteCertAndKey(char *nickname, secuPWData *pwdata) { SECStatus rv; CERTCertificate *cert; @@ -1031,6 +1049,61 @@ DeleteKey(char *nickname, secuPWData *pwdata) return rv; } +static SECKEYPrivateKey * +findPrivateKeyByID(PK11SlotInfo *slot, const char *ckaID, secuPWData *pwarg) +{ + PORTCheapArenaPool arena; + SECItem ckaIDItem = { 0 }; + SECKEYPrivateKey *privkey = NULL; + SECStatus rv; + + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, pwarg); + if (rv != SECSuccess) { + SECU_PrintError(progName, "could not authenticate to token %s.", + PK11_GetTokenName(slot)); + return NULL; + } + } + + if (0 == PL_strncasecmp("0x", ckaID, 2)) { + ckaID += 2; /* skip leading "0x" */ + } + PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE); + if (SECU_HexString2SECItem(&arena.arena, &ckaIDItem, ckaID)) { + privkey = PK11_FindKeyByKeyID(slot, &ckaIDItem, pwarg); + } + PORT_DestroyCheapArena(&arena); + return privkey; +} + +static SECStatus +DeleteKey(SECKEYPrivateKey *privkey, secuPWData *pwarg) +{ + SECStatus rv; + PK11SlotInfo *slot; + + slot = PK11_GetSlotFromPrivateKey(privkey); + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, pwarg); + if (rv != SECSuccess) { + SECU_PrintError(progName, "could not authenticate to token %s.", + PK11_GetTokenName(slot)); + return SECFailure; + } + } + + rv = PK11_DeleteTokenPrivateKey(privkey, PR_TRUE); + if (rv != SECSuccess) { + char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4]; + formatPrivateKeyID(privkey, ckaIDbuf); + SECU_PrintError("problem deleting private key \"%s\"\n", ckaIDbuf); + } + + PK11_FreeSlot(slot); + return rv; +} + /* * L i s t M o d u l e s * @@ -1100,7 +1173,9 @@ PrintSyntax() "\t\t [-d certdir] [-P dbprefix]\n", progName); FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", progName); - FPS "\t%s -F -n nickname [-d certdir] [-P dbprefix]\n", + FPS "\t%s -F -n cert-name [-d certdir] [-P dbprefix]\n", + progName); + FPS "\t%s -F -k key-id [-d certdir] [-P dbprefix]\n", progName); FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n" "\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName); @@ -1390,6 +1465,8 @@ luF(enum usage_level ul, const char *command) return; FPS "%-20s The nickname of the key to delete\n", " -n cert-name"); + FPS "%-20s The key id of the key to delete, obtained using -K\n", + " -k key-id"); FPS "%-20s Cert database directory (default is ~/.netscape)\n", " -d certdir"); FPS "%-20s Cert & Key database prefix\n", @@ -2944,10 +3021,9 @@ certutil_main(int argc, char **argv, PRBool initialize) readOnly = !certutil.options[opt_RW].activated; } - /* -A, -D, -F, -M, -S, -V, and all require -n */ + /* -A, -D, -M, -S, -V, and all require -n */ if ((certutil.commands[cmd_AddCert].activated || certutil.commands[cmd_DeleteCert].activated || - certutil.commands[cmd_DeleteKey].activated || certutil.commands[cmd_DumpChain].activated || certutil.commands[cmd_ModifyCertTrust].activated || certutil.commands[cmd_CreateAndAddCert].activated || @@ -3034,6 +3110,16 @@ certutil_main(int argc, char **argv, PRBool initialize) return 255; } + /* Delete needs a nickname or a key ID */ + if (certutil.commands[cmd_DeleteKey].activated && + !(certutil.options[opt_Nickname].activated || keysource)) { + PR_fprintf(PR_STDERR, + "%s -%c: specify a nickname (-n) or\n" + " a key ID (-k).\n", + commandToRun, progName); + return 255; + } + /* Upgrade/Merge needs a source database and a upgrade id. */ if (certutil.commands[cmd_UpgradeMerge].activated && !(certutil.options[opt_SourceDir].activated && @@ -3396,7 +3482,19 @@ certutil_main(int argc, char **argv, PRBool initialize) } /* Delete key (-F) */ if (certutil.commands[cmd_DeleteKey].activated) { - rv = DeleteKey(name, &pwdata); + if (certutil.options[opt_Nickname].activated) { + rv = DeleteCertAndKey(name, &pwdata); + } else { + privkey = findPrivateKeyByID(slot, keysource, &pwdata); + if (!privkey) { + SECU_PrintError(progName, "%s is not a key-id", keysource); + rv = SECFailure; + } else { + rv = DeleteKey(privkey, &pwdata); + /* already destroyed by PK11_DeleteTokenPrivateKey */ + privkey = NULL; + } + } goto shutdown; } /* Modify trust attribute for cert (-M) */ @@ -3468,30 +3566,8 @@ certutil_main(int argc, char **argv, PRBool initialize) if (keycert) { privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata); } else { - PLArenaPool *arena = NULL; - SECItem keyidItem = { 0 }; - char *keysourcePtr = keysource; /* Interpret keysource as CKA_ID */ - if (PK11_NeedLogin(slot)) { - rv = PK11_Authenticate(slot, PR_TRUE, &pwdata); - if (rv != SECSuccess) { - SECU_PrintError(progName, "could not authenticate to token %s.", - PK11_GetTokenName(slot)); - return SECFailure; - } - } - if (0 == PL_strncasecmp("0x", keysource, 2)) { - keysourcePtr = keysource + 2; // skip leading "0x" - } - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (!arena) { - SECU_PrintError(progName, "unable to allocate arena"); - return SECFailure; - } - if (SECU_HexString2SECItem(arena, &keyidItem, keysourcePtr)) { - privkey = PK11_FindKeyByKeyID(slot, &keyidItem, &pwdata); - } - PORT_FreeArena(arena, PR_FALSE); + privkey = findPrivateKeyByID(slot, keysource, &pwdata); } if (!privkey) { diff --git a/security/nss/cmd/manifest.mn b/security/nss/cmd/manifest.mn index 567c6bb9d953..be53d3c4eb63 100644 --- a/security/nss/cmd/manifest.mn +++ b/security/nss/cmd/manifest.mn @@ -47,6 +47,7 @@ NSS_SRCDIRS = \ listsuites \ makepqg \ multinit \ + nss-policy-check \ ocspclnt \ ocspresp \ oidcalc \ diff --git a/security/nss/cmd/nss-policy-check/Makefile b/security/nss/cmd/nss-policy-check/Makefile new file mode 100644 index 000000000000..6e1d4ecdfcf2 --- /dev/null +++ b/security/nss/cmd/nss-policy-check/Makefile @@ -0,0 +1,47 @@ +#! gmake +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include ../platlibs.mk + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + + +include ../platrules.mk + diff --git a/security/nss/cmd/nss-policy-check/manifest.mn b/security/nss/cmd/nss-policy-check/manifest.mn new file mode 100644 index 000000000000..8fb9abf00016 --- /dev/null +++ b/security/nss/cmd/nss-policy-check/manifest.mn @@ -0,0 +1,15 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +CORE_DEPTH = ../.. + +MODULE = nss + +CSRCS = nss-policy-check.c + +REQUIRES = seccmd + +PROGRAM = nss-policy-check + diff --git a/security/nss/cmd/nss-policy-check/nss-policy-check.c b/security/nss/cmd/nss-policy-check/nss-policy-check.c new file mode 100644 index 000000000000..b83003874fb1 --- /dev/null +++ b/security/nss/cmd/nss-policy-check/nss-policy-check.c @@ -0,0 +1,206 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* This program can be used to check the validity of a NSS crypto policy + * configuration file, specified using a config= line. + * + * Exit codes: + * failure: 2 + * warning: 1 + * success: 0 + */ + +#include +#include +#include +#include "utilparst.h" +#include "nss.h" +#include "secport.h" +#include "secutil.h" +#include "secmod.h" +#include "ssl.h" +#include "prenv.h" + +const char *sWarn = "WARN"; +const char *sInfo = "INFO"; + +void +get_tls_info(SSLProtocolVariant protocolVariant, const char *display) +{ + SSLVersionRange vrange_supported, vrange_enabled; + unsigned num_enabled = 0; + PRBool failed = PR_FALSE; + + /* We assume SSL v2 is inactive, and therefore SSL_VersionRangeGetDefault + * gives complete information. */ + if ((SSL_VersionRangeGetSupported(protocolVariant, &vrange_supported) != SECSuccess) || + (SSL_VersionRangeGetDefault(protocolVariant, &vrange_enabled) != SECSuccess) || + !vrange_enabled.min || + !vrange_enabled.max || + vrange_enabled.max < vrange_supported.min || + vrange_enabled.min > vrange_supported.max) { + failed = PR_TRUE; + } else { + if (vrange_enabled.min < vrange_supported.min) { + vrange_enabled.min = vrange_supported.min; + } + if (vrange_enabled.max > vrange_supported.max) { + vrange_enabled.max = vrange_supported.max; + } + if (vrange_enabled.min > vrange_enabled.max) { + failed = PR_TRUE; + } + } + if (failed) { + num_enabled = 0; + } else { + num_enabled = vrange_enabled.max - vrange_enabled.min + 1; + } + fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-%s-VERSIONS: %u\n", + num_enabled ? sInfo : sWarn, display, num_enabled); + if (!num_enabled) { + PR_SetEnv("NSS_POLICY_WARN=1"); + } +} + +#ifndef PATH_MAX +#define PATH_MAX 1024 +#endif + +int +main(int argc, char **argv) +{ + const PRUint16 *cipherSuites = SSL_ImplementedCiphers; + int i; + SECStatus rv; + SECMODModule *module = NULL; + char path[PATH_MAX]; + const char *filename; + char moduleSpec[1024 + PATH_MAX]; + unsigned num_enabled = 0; + int result = 0; + int fullPathLen; + + if (argc != 2) { + fprintf(stderr, "Syntax: nss-policy-check \n"); + result = 2; + goto loser_no_shutdown; + } + + fullPathLen = strlen(argv[1]); + + if (!fullPathLen || PR_Access(argv[1], PR_ACCESS_READ_OK) != PR_SUCCESS) { + fprintf(stderr, "Error: cannot read file %s\n", argv[1]); + result = 2; + goto loser_no_shutdown; + } + + if (fullPathLen >= PATH_MAX) { + fprintf(stderr, "Error: filename parameter is too long\n"); + result = 2; + goto loser_no_shutdown; + } + + path[0] = 0; + filename = argv[1] + fullPathLen - 1; + while ((filename > argv[1]) && (*filename != NSSUTIL_PATH_SEPARATOR[0])) { + filename--; + } + + if (filename == argv[1]) { + PORT_Strcpy(path, "."); + } else { + filename++; /* Go past the path separator. */ + PORT_Strncat(path, argv[1], (filename - argv[1])); + } + + PR_SetEnv("NSS_IGNORE_SYSTEM_POLICY=1"); + rv = NSS_NoDB_Init(NULL); + if (rv != SECSuccess) { + fprintf(stderr, "NSS_Init failed: %s\n", PORT_ErrorToString(PR_GetError())); + result = 2; + goto loser_no_shutdown; + } + + PR_SetEnv("NSS_POLICY_LOADED=0"); + PR_SetEnv("NSS_POLICY_FAIL=0"); + PR_SetEnv("NSS_POLICY_WARN=0"); + + sprintf(moduleSpec, + "name=\"Policy File\" " + "parameters=\"configdir='sql:%s' " + "secmod='%s' " + "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" " + "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical,printPolicyFeedback\"", + path, filename); + + module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE); + if (!module || !module->loaded || atoi(PR_GetEnvSecure("NSS_POLICY_LOADED")) != 1) { + fprintf(stderr, "Error: failed to load policy file\n"); + result = 2; + goto loser; + } + + rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); + if (rv != SECSuccess) { + fprintf(stderr, "enable SSL_SECURITY failed: %s\n", PORT_ErrorToString(PR_GetError())); + result = 2; + goto loser; + } + + for (i = 0; i < SSL_NumImplementedCiphers; i++) { + PRUint16 suite = cipherSuites[i]; + PRBool enabled; + SSLCipherSuiteInfo info; + + rv = SSL_CipherPrefGetDefault(suite, &enabled); + if (rv != SECSuccess) { + fprintf(stderr, + "SSL_CipherPrefGetDefault didn't like value 0x%04x (i = %d): %s\n", + suite, i, PORT_ErrorToString(PR_GetError())); + continue; + } + rv = SSL_GetCipherSuiteInfo(suite, &info, (int)(sizeof info)); + if (rv != SECSuccess) { + fprintf(stderr, + "SSL_GetCipherSuiteInfo didn't like value 0x%04x (i = %d): %s\n", + suite, i, PORT_ErrorToString(PR_GetError())); + continue; + } + if (enabled) { + ++num_enabled; + fprintf(stderr, "NSS-POLICY-INFO: ciphersuite %s is enabled\n", info.cipherSuiteName); + } + } + fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-CIPHERSUITES: %u\n", num_enabled ? sInfo : sWarn, num_enabled); + if (!num_enabled) { + PR_SetEnv("NSS_POLICY_WARN=1"); + } + + get_tls_info(ssl_variant_stream, "TLS"); + get_tls_info(ssl_variant_datagram, "DTLS"); + + if (atoi(PR_GetEnvSecure("NSS_POLICY_FAIL")) != 0) { + result = 2; + } else if (atoi(PR_GetEnvSecure("NSS_POLICY_WARN")) != 0) { + result = 1; + } + +loser: + if (module) { + SECMOD_DestroyModule(module); + } + rv = NSS_Shutdown(); + if (rv != SECSuccess) { + fprintf(stderr, "NSS_Shutdown failed: %s\n", PORT_ErrorToString(PR_GetError())); + result = 2; + } +loser_no_shutdown: + if (result == 2) { + fprintf(stderr, "NSS-POLICY-FAIL\n"); + } else if (result == 1) { + fprintf(stderr, "NSS-POLICY-WARN\n"); + } + return result; +} diff --git a/security/nss/cmd/nss-policy-check/nss-policy-check.gyp b/security/nss/cmd/nss-policy-check/nss-policy-check.gyp new file mode 100644 index 000000000000..877a5bc06e1c --- /dev/null +++ b/security/nss/cmd/nss-policy-check/nss-policy-check.gyp @@ -0,0 +1,24 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../coreconf/config.gypi', + '../../cmd/platlibs.gypi' + ], + 'targets': [ + { + 'target_name': 'nss-policy-check', + 'type': 'executable', + 'sources': [ + 'nss-policy-check.c' + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:nss_exports' + ] + } + ], + 'variables': { + 'module': 'nss' + } +} \ No newline at end of file diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep index 5182f75552c8..590d1bfaeee3 100644 --- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -10,3 +10,4 @@ */ #error "Do not include this header file." + diff --git a/security/nss/doc/certutil.xml b/security/nss/doc/certutil.xml index 4622c75e41d5..01dfd013bdb5 100644 --- a/security/nss/doc/certutil.xml +++ b/security/nss/doc/certutil.xml @@ -84,7 +84,7 @@ -F - Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the + Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument or the -k argument. Specify the database from which to delete the key with the argument. diff --git a/security/nss/doc/html/certutil.html b/security/nss/doc/html/certutil.html index 902d1309a4ee..a4257b513be7 100644 --- a/security/nss/doc/html/certutil.html +++ b/security/nss/doc/html/certutil.html @@ -1,8 +1,8 @@ -CERTUTIL
CERTUTIL

Name

certutil — Manage keys and certificate in both NSS databases and other NSS tokens

Synopsis

certutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 -

Description

The Certificate Database Tool, certutil, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.

Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the modutil manpage.

Command Options and Arguments

Running certutil always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option -H will list all the command options and their relevant arguments.

Command Options

-A

Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.

-B

Run a series of commands from the specified batch file. This requires the -i argument.

-C

Create a new binary certificate file from a binary certificate request file. Use the -i argument to specify the certificate request file. If this argument is not used, certutil prompts for a filename.

-D

Delete a certificate from the certificate database.

--rename

Change the database nickname of a certificate.

-E

Add an email certificate to the certificate database.

-F

Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the --d argument. Use the -k argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the -k argument, the option looks for an RSA key matching the specified nickname. +CERTUTIL

CERTUTIL

Name

certutil — Manage keys and certificate in both NSS databases and other NSS tokens

Synopsis

certutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

The Certificate Database Tool, certutil, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.

Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the modutil manpage.

Command Options and Arguments

Running certutil always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option -H will list all the command options and their relevant arguments.

Command Options

-A

Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.

-B

Run a series of commands from the specified batch file. This requires the -i argument.

-C

Create a new binary certificate file from a binary certificate request file. Use the -i argument to specify the certificate request file. If this argument is not used, certutil prompts for a filename.

-D

Delete a certificate from the certificate database.

--rename

Change the database nickname of a certificate.

-E

Add an email certificate to the certificate database.

-F

Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument or the -k argument. Specify the database from which to delete the key with the +-d argument.

-When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname.

-G

Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.

-H

Display a list of the command options and arguments.

-K

List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).

-L

List all the certificates, or display information about a named certificate, in a certificate database. +Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair.

-G

Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.

-H

Display a list of the command options and arguments.

-K

List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).

-L

List all the certificates, or display information about a named certificate, in a certificate database. Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.

-M

Modify a certificate's trust attributes using the values of the -t argument.

-N

Create new certificate and key databases.

-O

Print the certificate chain.

-R

Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument. Use the -a argument to specify ASCII output.

-S

Create an individual certificate and add it to a certificate database.

-T

Reset the key database or token.

-U

List all available modules or print a single named module.

-V

Check the validity of a certificate and its attributes.

-W

Change the password to a key database.

--merge

Merge two databases into one.

--upgrade-merge

Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (cert8.db and key3.db) into the newer SQLite databases (cert9.db and key4.db).

Arguments

Arguments modify a command option and are usually lower case, numbers, or symbols.

-a

Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113. diff --git a/security/nss/doc/nroff/certutil.1 b/security/nss/doc/nroff/certutil.1 index 80a02fc2765b..4918329cda89 100644 --- a/security/nss/doc/nroff/certutil.1 +++ b/security/nss/doc/nroff/certutil.1 @@ -2,12 +2,12 @@ .\" Title: CERTUTIL .\" Author: [see the "Authors" section] .\" Generator: DocBook XSL Stylesheets vsnapshot -.\" Date: 27 October 2017 +.\" Date: 5 October 2017 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "CERTUTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools" +.TH "CERTUTIL" "1" "5 October 2017" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -92,15 +92,11 @@ Add an email certificate to the certificate database\&. .PP \-F .RS 4 -Delete a private key from a key database\&. Specify the key to delete with the \-n argument\&. Specify the database from which to delete the key with the +Delete a private key and the associated certificate from a database\&. Specify the key to delete with the \-n argument or the \-k argument\&. Specify the database from which to delete the key with the \fB\-d\fR -argument\&. Use the -\fB\-k\fR -argument to specify explicitly whether to delete a DSA, RSA, or ECC key\&. If you don\*(Aqt use the -\fB\-k\fR -argument, the option looks for an RSA key matching the specified nickname\&. +argument\&. .sp -When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using \-D\&. Some smart cards do not let you remove a public key you have generated\&. In such a case, only the private key is deleted from the key pair\&. You can display the public key with the command certutil \-K \-h tokenname\&. +Some smart cards do not let you remove a public key you have generated\&. In such a case, only the private key is deleted from the key pair\&. .RE .PP \-G diff --git a/security/nss/gtests/util_gtest/util_pkcs11uri_unittest.cc b/security/nss/gtests/util_gtest/util_pkcs11uri_unittest.cc index 5f1d94acf232..680e2f4a2b00 100644 --- a/security/nss/gtests/util_gtest/util_pkcs11uri_unittest.cc +++ b/security/nss/gtests/util_gtest/util_pkcs11uri_unittest.cc @@ -160,6 +160,7 @@ TEST_F(PK11URITest, ParseRetrieveTest) { TEST_F(PK11URITest, ParseFormatTest) { TestParseFormat("pkcs11:", "pkcs11:"); + TestParseFormat("PKCS11:", "pkcs11:"); TestParseFormat("pkcs11:token=aaa", "pkcs11:token=aaa"); TestParseFormat("pkcs11:token=aaa;manufacturer=bbb", "pkcs11:token=aaa;manufacturer=bbb"); diff --git a/security/nss/lib/base/error.c b/security/nss/lib/base/error.c index 95a76cf79968..2ef032933420 100644 --- a/security/nss/lib/base/error.c +++ b/security/nss/lib/base/error.c @@ -15,6 +15,10 @@ #include /* for UINT_MAX */ #include /* for memmove */ +#if defined(__MINGW32__) +#include +#endif + #define NSS_MAX_ERROR_STACK_COUNT 16 /* error codes */ /* @@ -65,7 +69,32 @@ static const PRCallOnceType error_call_again; static PRStatus error_once_function(void) { + +/* + * This #ifdef function is redundant. It performs the same thing as the + * else case. + * + * However, the MinGW version looks up the function from nss3's export + * table, and on MinGW _that_ behaves differently than passing a + * function pointer in a different module because MinGW has + * -mnop-fun-dllimport specified, which generates function thunks for + * cross-module calls. And when a module (like nssckbi) gets unloaded, + * and you try to call into that thunk (which is now missing) you'll + * crash. So we do this bit of ugly to avoid that crash. Fortunately + * this is the only place we've had to do this. + */ +#if defined(__MINGW32__) + HMODULE nss3 = GetModuleHandleW(L"nss3"); + if (nss3) { + FARPROC freePtr = GetProcAddress(nss3, "PR_Free"); + if (freePtr) { + return PR_NewThreadPrivateIndex(&error_stack_index, freePtr); + } + } return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free); +#else + return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free); +#endif } /* diff --git a/security/nss/lib/freebl/mpi/mpi_arm.c b/security/nss/lib/freebl/mpi/mpi_arm.c index b5139f28debe..521bb462a9a8 100644 --- a/security/nss/lib/freebl/mpi/mpi_arm.c +++ b/security/nss/lib/freebl/mpi/mpi_arm.c @@ -39,7 +39,7 @@ s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c) "2:\n" "str r5, [%3]\n" : - : "r"(a), "r"(a_len), "r"(b), "r"(c) + : "r"(a), "l"(a_len), "r"(b), "r"(c) : "memory", "cc", "%r4", "%r5", "%r6"); } @@ -72,7 +72,7 @@ s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c) "2:\n" "str r5, [%3]\n" : - : "r"(a), "r"(a_len), "r"(b), "r"(c) + : "r"(a), "l"(a_len), "r"(b), "r"(c) : "memory", "cc", "%r4", "%r5", "%r6"); } diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def index 4f0ade4d0bed..8a9b3b030cf8 100644 --- a/security/nss/lib/nss/nss.def +++ b/security/nss/lib/nss/nss.def @@ -1133,3 +1133,9 @@ SEC_CreateSignatureAlgorithmParameters; ;+ local: ;+ *; ;+}; +;+NSS_3.39 { # NSS 3.39 release +;+ global: +CERT_GetCertKeyType; +;+ local: +;+ *; +;+}; diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c index dd7806dec264..989572948c91 100644 --- a/security/nss/lib/nss/nssinit.c +++ b/security/nss/lib/nss/nssinit.c @@ -54,7 +54,7 @@ nss_mktemp(char *path) #define NSS_MAX_FLAG_SIZE sizeof("readOnly") + sizeof("noCertDB") + \ sizeof("noModDB") + sizeof("forceOpen") + sizeof("passwordRequired") + \ - sizeof("optimizeSpace") + sizeof("optimizeSpace") + sizeof("printPolicyFeedback") #define NSS_DEFAULT_MOD_NAME "NSS Internal Module" static char * diff --git a/security/nss/lib/pk11wrap/pk11akey.c b/security/nss/lib/pk11wrap/pk11akey.c index 346e473a96f1..c45901ec3961 100644 --- a/security/nss/lib/pk11wrap/pk11akey.c +++ b/security/nss/lib/pk11wrap/pk11akey.c @@ -804,30 +804,12 @@ PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, /* don't know? look it up */ if (keyType == nullKey) { CK_KEY_TYPE pk11Type = CKK_RSA; - SECItem info; pk11Type = PK11_ReadULongAttribute(slot, privID, CKA_KEY_TYPE); isTemp = (PRBool)!PK11_HasAttributeSet(slot, privID, CKA_TOKEN, PR_FALSE); switch (pk11Type) { case CKK_RSA: keyType = rsaKey; - /* determine RSA key type from the CKA_PUBLIC_KEY_INFO if present */ - rv = PK11_ReadAttribute(slot, privID, CKA_PUBLIC_KEY_INFO, NULL, &info); - if (rv == SECSuccess) { - CERTSubjectPublicKeyInfo *spki; - - spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&info); - if (spki) { - SECOidTag tag; - - tag = SECOID_GetAlgorithmTag(&spki->algorithm); - if (tag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) - keyType = rsaPssKey; - SECKEY_DestroySubjectPublicKeyInfo(spki); - } - SECITEM_FreeItem(&info, PR_FALSE); - } - break; case CKK_DSA: keyType = dsaKey; diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c index c1caf5e60ba7..66d6c40df693 100644 --- a/security/nss/lib/pk11wrap/pk11cert.c +++ b/security/nss/lib/pk11wrap/pk11cert.c @@ -741,7 +741,7 @@ find_certs_from_nickname(const char *nickname, void *wincx) char *delimit = NULL; char *tokenName; - if (!strncmp(nickname, "pkcs11:", strlen("pkcs11:"))) { + if (!PORT_Strncasecmp(nickname, "pkcs11:", strlen("pkcs11:"))) { certs = find_certs_from_uri(nickname, wincx); if (certs) return certs; diff --git a/security/nss/lib/pk11wrap/pk11pars.c b/security/nss/lib/pk11wrap/pk11pars.c index 899a0809c3a2..db60f7c9dd7d 100644 --- a/security/nss/lib/pk11wrap/pk11pars.c +++ b/security/nss/lib/pk11wrap/pk11pars.c @@ -194,7 +194,7 @@ typedef struct { * This table should be merged with the SECOID table. */ #define CIPHER_NAME(x) x, (sizeof(x) - 1) -static const oidValDef algOptList[] = { +static const oidValDef curveOptList[] = { /* Curves */ { CIPHER_NAME("PRIME192V1"), SEC_OID_ANSIX962_EC_PRIME192V1, NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, @@ -316,7 +316,9 @@ static const oidValDef algOptList[] = { NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, { CIPHER_NAME("SECT571R1"), SEC_OID_SECG_EC_SECT571R1, NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, +}; +static const oidValDef hashOptList[] = { /* Hashes */ { CIPHER_NAME("MD2"), SEC_OID_MD2, NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, @@ -334,7 +336,9 @@ static const oidValDef algOptList[] = { NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, { CIPHER_NAME("SHA512"), SEC_OID_SHA512, NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, +}; +static const oidValDef macOptList[] = { /* MACs */ { CIPHER_NAME("HMAC-SHA1"), SEC_OID_HMAC_SHA1, NSS_USE_ALG_IN_SSL }, { CIPHER_NAME("HMAC-SHA224"), SEC_OID_HMAC_SHA224, NSS_USE_ALG_IN_SSL }, @@ -342,7 +346,9 @@ static const oidValDef algOptList[] = { { CIPHER_NAME("HMAC-SHA384"), SEC_OID_HMAC_SHA384, NSS_USE_ALG_IN_SSL }, { CIPHER_NAME("HMAC-SHA512"), SEC_OID_HMAC_SHA512, NSS_USE_ALG_IN_SSL }, { CIPHER_NAME("HMAC-MD5"), SEC_OID_HMAC_MD5, NSS_USE_ALG_IN_SSL }, +}; +static const oidValDef cipherOptList[] = { /* Ciphers */ { CIPHER_NAME("AES128-CBC"), SEC_OID_AES_128_CBC, NSS_USE_ALG_IN_SSL }, { CIPHER_NAME("AES192-CBC"), SEC_OID_AES_192_CBC, NSS_USE_ALG_IN_SSL }, @@ -362,7 +368,9 @@ static const oidValDef algOptList[] = { { CIPHER_NAME("RC2"), SEC_OID_RC2_CBC, NSS_USE_ALG_IN_SSL }, { CIPHER_NAME("RC4"), SEC_OID_RC4, NSS_USE_ALG_IN_SSL }, { CIPHER_NAME("IDEA"), SEC_OID_IDEA_CBC, NSS_USE_ALG_IN_SSL }, +}; +static const oidValDef kxOptList[] = { /* Key exchange */ { CIPHER_NAME("RSA"), SEC_OID_TLS_RSA, NSS_USE_ALG_IN_SSL_KX }, { CIPHER_NAME("RSA-EXPORT"), SEC_OID_TLS_RSA_EXPORT, NSS_USE_ALG_IN_SSL_KX }, @@ -376,6 +384,20 @@ static const oidValDef algOptList[] = { { CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX }, }; +typedef struct { + const oidValDef *list; + PRUint32 entries; + const char *description; +} algListsDef; + +static const algListsDef algOptLists[] = { + { curveOptList, PR_ARRAY_SIZE(curveOptList), "ECC" }, + { hashOptList, PR_ARRAY_SIZE(hashOptList), "HASH" }, + { macOptList, PR_ARRAY_SIZE(macOptList), "MAC" }, + { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER" }, + { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX" }, +}; + static const optionFreeDef sslOptList[] = { /* Versions */ { CIPHER_NAME("SSL2.0"), 0x002 }, @@ -447,7 +469,8 @@ secmod_ArgGetSubValue(const char *cipher, char sep1, char sep2, } static PRUint32 -secmod_parsePolicyValue(const char *policyFlags, int policyLength) +secmod_parsePolicyValue(const char *policyFlags, int policyLength, + PRBool printPolicyFeedback) { const char *flag, *currentString; PRUint32 flags = 0; @@ -456,6 +479,7 @@ secmod_parsePolicyValue(const char *policyFlags, int policyLength) for (currentString = policyFlags; currentString && currentString < policyFlags + policyLength;) { int length; + PRBool unknown = PR_TRUE; flag = secmod_ArgGetSubValue(currentString, ',', ':', &length, ¤tString); if (length == 0) { @@ -467,41 +491,49 @@ secmod_parsePolicyValue(const char *policyFlags, int policyLength) if ((policy->name_size == length) && PORT_Strncasecmp(policy->name, flag, name_size) == 0) { flags |= policy->flag; + unknown = PR_FALSE; break; } } + if (unknown && printPolicyFeedback) { + PR_SetEnv("NSS_POLICY_FAIL=1"); + fprintf(stderr, "NSS-POLICY-FAIL %.*s: unknown value: %.*s\n", + policyLength, policyFlags, length, flag); + } } return flags; } /* allow symbolic names for values. The only ones currently defines or * SSL protocol versions. */ -static PRInt32 -secmod_getPolicyOptValue(const char *policyValue, int policyValueLength) +static SECStatus +secmod_getPolicyOptValue(const char *policyValue, int policyValueLength, + PRInt32 *result) { PRInt32 val = atoi(policyValue); int i; if ((val != 0) || (*policyValue == '0')) { - return val; + *result = val; + return SECSuccess; } for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) { if (policyValueLength == sslOptList[i].name_size && PORT_Strncasecmp(sslOptList[i].name, policyValue, sslOptList[i].name_size) == 0) { - val = sslOptList[i].option; - break; + *result = sslOptList[i].option; + return SECSuccess; } } - return val; + return SECFailure; } static SECStatus -secmod_applyCryptoPolicy(const char *policyString, - PRBool allow) +secmod_applyCryptoPolicy(const char *policyString, PRBool allow, + PRBool printPolicyFeedback) { const char *cipher, *currentString; - unsigned i; + unsigned i, j; SECStatus rv = SECSuccess; PRBool unknown; @@ -526,56 +558,63 @@ secmod_applyCryptoPolicy(const char *policyString, /* disable or enable all options by default */ PRUint32 value = 0; if (newValue) { - value = secmod_parsePolicyValue(&cipher[3] + 1, length - 3 - 1); + value = secmod_parsePolicyValue(&cipher[3] + 1, length - 3 - 1, printPolicyFeedback); } - for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) { - PRUint32 enable, disable; - if (!newValue) { - value = algOptList[i].val; + for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) { + const algListsDef *algOptList = &algOptLists[i]; + for (j = 0; j < algOptList->entries; j++) { + PRUint32 enable, disable; + if (!newValue) { + value = algOptList->list[j].val; + } + if (allow) { + enable = value; + disable = 0; + } else { + enable = 0; + disable = value; + } + NSS_SetAlgorithmPolicy(algOptList->list[j].oid, enable, disable); } - if (allow) { - enable = value; - disable = 0; - } else { - enable = 0; - disable = value; - } - NSS_SetAlgorithmPolicy(algOptList[i].oid, enable, disable); } continue; } - for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) { - const oidValDef *algOpt = &algOptList[i]; - unsigned name_size = algOpt->name_size; - PRBool newOption = PR_FALSE; + for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) { + const algListsDef *algOptList = &algOptLists[i]; + for (j = 0; j < algOptList->entries; j++) { + const oidValDef *algOpt = &algOptList->list[j]; + unsigned name_size = algOpt->name_size; + PRBool newOption = PR_FALSE; - if ((length >= name_size) && (cipher[name_size] == '/')) { - newOption = PR_TRUE; - } - if ((newOption || algOpt->name_size == length) && - PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) { - PRUint32 value = algOpt->val; - PRUint32 enable, disable; - if (newOption) { - value = secmod_parsePolicyValue(&cipher[name_size] + 1, - length - name_size - 1); + if ((length >= name_size) && (cipher[name_size] == '/')) { + newOption = PR_TRUE; } - if (allow) { - enable = value; - disable = 0; - } else { - enable = 0; - disable = value; + if ((newOption || algOpt->name_size == length) && + PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) { + PRUint32 value = algOpt->val; + PRUint32 enable, disable; + if (newOption) { + value = secmod_parsePolicyValue(&cipher[name_size] + 1, + length - name_size - 1, + printPolicyFeedback); + } + if (allow) { + enable = value; + disable = 0; + } else { + enable = 0; + disable = value; + } + rv = NSS_SetAlgorithmPolicy(algOpt->oid, enable, disable); + if (rv != SECSuccess) { + /* could not enable option */ + /* NSS_SetAlgorithPolicy should have set the error code */ + return SECFailure; + } + unknown = PR_FALSE; + break; } - rv = NSS_SetAlgorithmPolicy(algOpt->oid, enable, disable); - if (rv != SECSuccess) { - /* could not enable option */ - /* NSS_SetAlgorithPolicy should have set the error code */ - return SECFailure; - } - unknown = PR_FALSE; - break; } } if (!unknown) { @@ -588,9 +627,19 @@ secmod_applyCryptoPolicy(const char *policyString, if ((length > name_size) && cipher[name_size] == '=' && PORT_Strncasecmp(freeOpt->name, cipher, name_size) == 0) { - PRInt32 val = secmod_getPolicyOptValue(&cipher[name_size + 1], - length - name_size - 1); - + PRInt32 val; + const char *policyValue = &cipher[name_size + 1]; + int policyValueLength = length - name_size - 1; + rv = secmod_getPolicyOptValue(policyValue, policyValueLength, + &val); + if (rv != SECSuccess) { + if (printPolicyFeedback) { + PR_SetEnv("NSS_POLICY_FAIL=1"); + fprintf(stderr, "NSS-POLICY-FAIL %.*s: unknown value: %.*s\n", + length, cipher, policyValueLength, policyValue); + } + return SECFailure; + } rv = NSS_OptionSet(freeOpt->option, val); if (rv != SECSuccess) { /* could not enable option */ @@ -603,12 +652,83 @@ secmod_applyCryptoPolicy(const char *policyString, break; } } + + if (unknown && printPolicyFeedback) { + PR_SetEnv("NSS_POLICY_FAIL=1"); + fprintf(stderr, "NSS-POLICY-FAIL %s: unknown identifier: %.*s\n", + allow ? "allow" : "disallow", length, cipher); + } } return rv; } +static void +secmod_sanityCheckCryptoPolicy(void) +{ + unsigned i, j; + SECStatus rv = SECSuccess; + unsigned num_kx_enabled = 0; + unsigned num_ssl_enabled = 0; + unsigned num_sig_enabled = 0; + unsigned enabledCount[PR_ARRAY_SIZE(algOptLists)]; + const char *sWarn = "WARN"; + const char *sInfo = "INFO"; + PRBool haveWarning = PR_FALSE; + + for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) { + const algListsDef *algOptList = &algOptLists[i]; + enabledCount[i] = 0; + for (j = 0; j < algOptList->entries; j++) { + const oidValDef *algOpt = &algOptList->list[j]; + PRUint32 value; + PRBool anyEnabled = PR_FALSE; + rv = NSS_GetAlgorithmPolicy(algOpt->oid, &value); + if (rv != SECSuccess) { + PR_SetEnv("NSS_POLICY_FAIL=1"); + fprintf(stderr, "NSS-POLICY-FAIL: internal failure with NSS_GetAlgorithmPolicy at %u\n", i); + return; + } + + if ((algOpt->val & NSS_USE_ALG_IN_SSL_KX) && (value & NSS_USE_ALG_IN_SSL_KX)) { + ++num_kx_enabled; + anyEnabled = PR_TRUE; + fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for KX\n", algOpt->name); + } + if ((algOpt->val & NSS_USE_ALG_IN_SSL) && (value & NSS_USE_ALG_IN_SSL)) { + ++num_ssl_enabled; + anyEnabled = PR_TRUE; + fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for SSL\n", algOpt->name); + } + if ((algOpt->val & NSS_USE_ALG_IN_CERT_SIGNATURE) && (value & NSS_USE_ALG_IN_CERT_SIGNATURE)) { + ++num_sig_enabled; + anyEnabled = PR_TRUE; + fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for CERT-SIGNATURE\n", algOpt->name); + } + if (anyEnabled) { + ++enabledCount[i]; + } + } + } + fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-SSL-ALG-KX: %u\n", num_kx_enabled ? sInfo : sWarn, num_kx_enabled); + fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-SSL-ALG: %u\n", num_ssl_enabled ? sInfo : sWarn, num_ssl_enabled); + fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-CERT-SIG: %u\n", num_sig_enabled ? sInfo : sWarn, num_sig_enabled); + if (!num_kx_enabled || !num_ssl_enabled || !num_sig_enabled) { + haveWarning = PR_TRUE; + } + for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) { + const algListsDef *algOptList = &algOptLists[i]; + fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-%s: %u\n", enabledCount[i] ? sInfo : sWarn, algOptList->description, enabledCount[i]); + if (!enabledCount[i]) { + haveWarning = PR_TRUE; + } + } + if (haveWarning) { + PR_SetEnv("NSS_POLICY_WARN=1"); + } +} + static SECStatus -secmod_parseCryptoPolicy(const char *policyConfig) +secmod_parseCryptoPolicy(const char *policyConfig, PRBool printPolicyFeedback) { char *disallow, *allow; SECStatus rv; @@ -623,16 +743,26 @@ secmod_parseCryptoPolicy(const char *policyConfig) return rv; } disallow = NSSUTIL_ArgGetParamValue("disallow", policyConfig); - rv = secmod_applyCryptoPolicy(disallow, PR_FALSE); + rv = secmod_applyCryptoPolicy(disallow, PR_FALSE, printPolicyFeedback); if (disallow) PORT_Free(disallow); if (rv != SECSuccess) { return rv; } allow = NSSUTIL_ArgGetParamValue("allow", policyConfig); - rv = secmod_applyCryptoPolicy(allow, PR_TRUE); + rv = secmod_applyCryptoPolicy(allow, PR_TRUE, printPolicyFeedback); if (allow) PORT_Free(allow); + if (rv != SECSuccess) { + return rv; + } + if (printPolicyFeedback) { + /* This helps to distinguish configurations that don't contain any + * policy config= statement. */ + PR_SetEnv("NSS_POLICY_LOADED=1"); + fprintf(stderr, "NSS-POLICY-INFO: LOADED-SUCCESSFULLY\n"); + secmod_sanityCheckCryptoPolicy(); + } return rv; } @@ -649,11 +779,16 @@ SECMOD_CreateModuleEx(const char *library, const char *moduleName, char *slotParams, *ciphers; /* pk11pars.h still does not have const char * interfaces */ char *nssc = (char *)nss; + PRBool printPolicyFeedback = NSSUTIL_ArgHasFlag("flags", "printPolicyFeedback", nssc); - rv = secmod_parseCryptoPolicy(config); + rv = secmod_parseCryptoPolicy(config, printPolicyFeedback); /* do not load the module if policy parsing fails */ if (rv != SECSuccess) { + if (printPolicyFeedback) { + PR_SetEnv("NSS_POLICY_FAIL=1"); + fprintf(stderr, "NSS-POLICY-FAIL: policy config parsing failed, not loading module %s\n", moduleName); + } return NULL; } @@ -1647,6 +1782,7 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse) SECMODModule *module = NULL; SECMODModule *oldModule = NULL; SECStatus rv; + PRBool forwardPolicyFeedback = PR_FALSE; /* initialize the underlying module structures */ SECMOD_Init(); @@ -1659,6 +1795,7 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse) } module = SECMOD_CreateModuleEx(library, moduleName, parameters, nss, config); + forwardPolicyFeedback = NSSUTIL_ArgHasFlag("flags", "printPolicyFeedback", nss); if (library) PORT_Free(library); if (moduleName) @@ -1721,7 +1858,15 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse) rv = SECFailure; break; } - child = SECMOD_LoadModule(*index, module, PR_TRUE); + if (!forwardPolicyFeedback) { + child = SECMOD_LoadModule(*index, module, PR_TRUE); + } else { + /* Add printPolicyFeedback to the nss flags */ + char *specWithForwards = + NSSUTIL_AddNSSFlagToModuleSpec(*index, "printPolicyFeedback"); + child = SECMOD_LoadModule(specWithForwards, module, PR_TRUE); + PORT_Free(specWithForwards); + } if (!child) break; if (child->isCritical && !child->loaded) { diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c index c39abe17e626..ebe54d495642 100644 --- a/security/nss/lib/pk11wrap/pk11slot.c +++ b/security/nss/lib/pk11wrap/pk11slot.c @@ -607,12 +607,32 @@ PK11_FindSlotsByNames(const char *dllName, const char *slotName, return slotList; } -PK11SlotInfo * -PK11_FindSlotByName(const char *name) +typedef PRBool (*PK11SlotMatchFunc)(PK11SlotInfo *slot, const void *arg); + +static PRBool +pk11_MatchSlotByTokenName(PK11SlotInfo *slot, const void *arg) { + return PORT_Strcmp(slot->token_name, arg) == 0; +} + +static PRBool +pk11_MatchSlotBySerial(PK11SlotInfo *slot, const void *arg) +{ + return PORT_Memcmp(slot->serial, arg, sizeof(slot->serial)) == 0; +} + +static PRBool +pk11_MatchSlotByTokenURI(PK11SlotInfo *slot, const void *arg) +{ + return pk11_MatchUriTokenInfo(slot, (PK11URI *)arg); +} + +static PK11SlotInfo * +pk11_FindSlot(const void *arg, PK11SlotMatchFunc func) +{ + SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); SECMODModuleList *mlp; SECMODModuleList *modules; - SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); int i; PK11SlotInfo *slot = NULL; @@ -620,10 +640,6 @@ PK11_FindSlotByName(const char *name) PORT_SetError(SEC_ERROR_NOT_INITIALIZED); return slot; } - if ((name == NULL) || (*name == 0)) { - return PK11_GetInternalKeySlot(); - } - /* work through all the slots */ SECMOD_GetReadLock(moduleLock); modules = SECMOD_GetDefaultModuleList(); @@ -631,7 +647,7 @@ PK11_FindSlotByName(const char *name) for (i = 0; i < mlp->module->slotCount; i++) { PK11SlotInfo *tmpSlot = mlp->module->slots[i]; if (PK11_IsPresent(tmpSlot)) { - if (PORT_Strcmp(tmpSlot->token_name, name) == 0) { + if (func(tmpSlot, arg)) { slot = PK11_ReferenceSlot(tmpSlot); break; } @@ -649,43 +665,41 @@ PK11_FindSlotByName(const char *name) return slot; } +static PK11SlotInfo * +pk11_FindSlotByTokenURI(const char *uriString) +{ + PK11SlotInfo *slot = NULL; + PK11URI *uri; + + uri = PK11URI_ParseURI(uriString); + if (!uri) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return slot; + } + + slot = pk11_FindSlot(uri, pk11_MatchSlotByTokenURI); + PK11URI_DestroyURI(uri); + return slot; +} + +PK11SlotInfo * +PK11_FindSlotByName(const char *name) +{ + if ((name == NULL) || (*name == 0)) { + return PK11_GetInternalKeySlot(); + } + + if (!PORT_Strncasecmp(name, "pkcs11:", strlen("pkcs11:"))) { + return pk11_FindSlotByTokenURI(name); + } + + return pk11_FindSlot(name, pk11_MatchSlotByTokenName); +} + PK11SlotInfo * PK11_FindSlotBySerial(char *serial) { - SECMODModuleList *mlp; - SECMODModuleList *modules; - SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); - int i; - PK11SlotInfo *slot = NULL; - - if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return slot; - } - /* work through all the slots */ - SECMOD_GetReadLock(moduleLock); - modules = SECMOD_GetDefaultModuleList(); - for (mlp = modules; mlp != NULL; mlp = mlp->next) { - for (i = 0; i < mlp->module->slotCount; i++) { - PK11SlotInfo *tmpSlot = mlp->module->slots[i]; - if (PK11_IsPresent(tmpSlot)) { - if (PORT_Memcmp(tmpSlot->serial, serial, - sizeof(tmpSlot->serial)) == 0) { - slot = PK11_ReferenceSlot(tmpSlot); - break; - } - } - } - if (slot != NULL) - break; - } - SECMOD_ReleaseReadLock(moduleLock); - - if (slot == NULL) { - PORT_SetError(SEC_ERROR_NO_TOKEN); - } - - return slot; + return pk11_FindSlot(serial, pk11_MatchSlotBySerial); } /* diff --git a/security/nss/lib/util/nssutil.def b/security/nss/lib/util/nssutil.def index 26e438ba6af2..8c233f7d361c 100644 --- a/security/nss/lib/util/nssutil.def +++ b/security/nss/lib/util/nssutil.def @@ -328,3 +328,9 @@ SECITEM_MakeItem; ;+ local: ;+ *; ;+}; +;+NSSUTIL_3.39 { # NSS Utilities 3.39 release +;+ global: +NSSUTIL_AddNSSFlagToModuleSpec; +;+ local: +;+ *; +;+}; diff --git a/security/nss/lib/util/pkcs11uri.c b/security/nss/lib/util/pkcs11uri.c index 94b00171e9c4..c29521080b83 100644 --- a/security/nss/lib/util/pkcs11uri.c +++ b/security/nss/lib/util/pkcs11uri.c @@ -674,7 +674,7 @@ PK11URI_ParseURI(const char *string) const char *p = string; SECStatus ret; - if (strncmp("pkcs11:", p, 7) != 0) { + if (PORT_Strncasecmp("pkcs11:", p, 7) != 0) { return NULL; } p += 7; diff --git a/security/nss/lib/util/utilpars.c b/security/nss/lib/util/utilpars.c index e7435bfcc393..f9b807f7ed67 100644 --- a/security/nss/lib/util/utilpars.c +++ b/security/nss/lib/util/utilpars.c @@ -913,6 +913,92 @@ NSSUTIL_MkModuleSpec(char *dllName, char *commonName, char *parameters, return NSSUTIL_MkModuleSpecEx(dllName, commonName, parameters, NSS, NULL); } +/************************************************************************ + * add a single flag to the Flags= section inside the spec's NSS= section */ +char * +NSSUTIL_AddNSSFlagToModuleSpec(char *spec, char *addFlag) +{ + const char *prefix = "flags="; + const size_t prefixLen = strlen(prefix); + char *lib = NULL, *name = NULL, *param = NULL, *nss = NULL, *conf = NULL; + char *nss2 = NULL, *result = NULL; + SECStatus rv; + + rv = NSSUTIL_ArgParseModuleSpecEx(spec, &lib, &name, ¶m, &nss, &conf); + if (rv != SECSuccess) { + return NULL; + } + + if (nss && NSSUTIL_ArgHasFlag("flags", addFlag, nss)) { + /* It's already there, nothing to do! */ + PORT_Free(lib); + PORT_Free(name); + PORT_Free(param); + PORT_Free(nss); + PORT_Free(conf); + return PORT_Strdup(spec); + } + + if (!nss || !strlen(nss)) { + nss2 = PORT_Alloc(prefixLen + strlen(addFlag) + 1); + PORT_Strcpy(nss2, prefix); + PORT_Strcat(nss2, addFlag); + } else { + const char *iNss = nss; + PRBool alreadyAdded = PR_FALSE; + size_t maxSize = strlen(nss) + strlen(addFlag) + prefixLen + 2; /* space and null terminator */ + nss2 = PORT_Alloc(maxSize); + *nss2 = 0; + while (*iNss) { + iNss = NSSUTIL_ArgStrip(iNss); + if (PORT_Strncasecmp(iNss, prefix, prefixLen) == 0) { + /* We found an existing Flags= section. */ + char *oldFlags; + const char *valPtr; + int valSize; + valPtr = iNss + prefixLen; + oldFlags = NSSUTIL_ArgFetchValue(valPtr, &valSize); + iNss = valPtr + valSize; + PORT_Strcat(nss2, prefix); + PORT_Strcat(nss2, oldFlags); + PORT_Strcat(nss2, ","); + PORT_Strcat(nss2, addFlag); + PORT_Strcat(nss2, " "); + PORT_Free(oldFlags); + alreadyAdded = PR_TRUE; + iNss = NSSUTIL_ArgStrip(iNss); + PORT_Strcat(nss2, iNss); /* remainder of input */ + break; + } else { + /* Append this other name=value pair and continue. */ + const char *startOfNext = NSSUTIL_ArgSkipParameter(iNss); + PORT_Strncat(nss2, iNss, (startOfNext - iNss)); + if (nss2[strlen(nss2) - 1] != ' ') { + PORT_Strcat(nss2, " "); + } + iNss = startOfNext; + } + iNss = NSSUTIL_ArgStrip(iNss); + } + if (!alreadyAdded) { + /* nss wasn't empty, and it didn't contain a Flags section. We can + * assume that other content from nss has already been added to + * nss2, which means we already have a trailing space separator. */ + PORT_Strcat(nss2, prefix); + PORT_Strcat(nss2, addFlag); + } + } + + result = NSSUTIL_MkModuleSpecEx(lib, name, param, nss2, conf); + PORT_Free(lib); + PORT_Free(name); + PORT_Free(param); + PORT_Free(nss); + PORT_Free(nss2); + PORT_Free(conf); + return result; +} + #define NSSUTIL_ARG_FORTEZZA_FLAG "FORTEZZA" /****************************************************************************** * Parse the cipher flags from the NSS parameter diff --git a/security/nss/lib/util/utilpars.h b/security/nss/lib/util/utilpars.h index 1b0b1ff1ceb6..289fdca97559 100644 --- a/security/nss/lib/util/utilpars.h +++ b/security/nss/lib/util/utilpars.h @@ -46,6 +46,7 @@ char *NSSUTIL_MkModuleSpec(char *dllName, char *commonName, char *parameters, char *NSS); char *NSSUTIL_MkModuleSpecEx(char *dllName, char *commonName, char *parameters, char *NSS, char *config); +char *NSSUTIL_AddNSSFlagToModuleSpec(char *spec, char *addFlag); void NSSUTIL_ArgParseCipherFlags(unsigned long *newCiphers, const char *cipherList); char *NSSUTIL_MkNSSString(char **slotStrings, int slotCount, PRBool internal, diff --git a/security/nss/mach b/security/nss/mach index f9fbccd2346f..178cfeb741a3 100755 --- a/security/nss/mach +++ b/security/nss/mach @@ -247,7 +247,7 @@ def parse_arguments(): tests = [ "cipher", "lowhash", "chains", "cert", "dbtests", "tools", "fips", "sdr", "crmf", "smime", "ssl", "ocsp", "merge", "pkits", "ec", - "gtests", "ssl_gtests", "bogo", "interop" + "gtests", "ssl_gtests", "bogo", "interop", "policy" ] parser_test.add_argument( 'test', choices=tests, help="Available tests", action=testAction) diff --git a/security/nss/nss.gyp b/security/nss/nss.gyp index 36b0dd97447d..3ec33fd5c0ed 100644 --- a/security/nss/nss.gyp +++ b/security/nss/nss.gyp @@ -135,6 +135,7 @@ 'cmd/listsuites/listsuites.gyp:listsuites', 'cmd/makepqg/makepqg.gyp:makepqg', 'cmd/multinit/multinit.gyp:multinit', + 'cmd/nss-policy-check/nss-policy-check.gyp:nss-policy-check', 'cmd/ocspclnt/ocspclnt.gyp:ocspclnt', 'cmd/ocspresp/ocspresp.gyp:ocspresp', 'cmd/oidcalc/oidcalc.gyp:oidcalc', diff --git a/security/nss/readme.md b/security/nss/readme.md index 17b99e805cea..67eca19fb2e2 100644 --- a/security/nss/readme.md +++ b/security/nss/readme.md @@ -97,7 +97,7 @@ e.g. `NSS_TESTS=ssl_gtests ./all.sh` or by changing into the according directory and running the bash script there `cd ssl_gtests && ./ssl_gtests.sh`. The following tests are available: - cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests bogo + cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests bogo policy To make tests run faster it's recommended to set `NSS_CYCLES=standard` to run only the standard cycle. diff --git a/security/nss/tests/all.sh b/security/nss/tests/all.sh index f8a777fb3b6a..bc2e1480363d 100755 --- a/security/nss/tests/all.sh +++ b/security/nss/tests/all.sh @@ -37,6 +37,7 @@ # memleak.sh - memory leak testing (optional) # ssl_gtests.sh- Gtest based unit tests for ssl # gtests.sh - Gtest based unit tests for everything else +# policy.sh - Crypto Policy tests # bogo.sh - Bogo interop tests (disabled by default) # https://boringssl.googlesource.com/boringssl/+/master/ssl/test/PORTING.md # interop.sh - Interoperability tests (disabled by default) @@ -300,7 +301,7 @@ if [ $NO_INIT_SUPPORT -eq 0 ]; then RUN_FIPS="fips" fi -tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests" +tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy" # Don't run chains tests when we have a gyp build. if [ "$OBJDIR" != "Debug" -a "$OBJDIR" != "Release" ]; then tests="$tests chains" diff --git a/security/nss/tests/cert/TestUser-rsa-pss-interop.p12 b/security/nss/tests/cert/TestUser-rsa-pss-interop.p12 new file mode 100644 index 0000000000000000000000000000000000000000..f0e8d24d628769fcb94fce940d5822db2f9fd772 GIT binary patch literal 2598 zcmY+EXE+;*8pjhNM6KE*_Kp>^IH($Jt=5QD>lm?)8H!jTlxk_w)1XGEt+l1pu34w0 zs3>}ZV>GBOsT$?#^W1xT?}zvOKhOX7KJUjL9Lp$11EhsxA!}d=Eahg(Av2I3Sd4|t zg0K+cMLhw>f^Ppp;9@LD|Dw{N0Rk>U{TBhkp;e_#TF;Vd8q7<#(n;C!W)hK2!< zfCVu;Z+Yi1>TcMnVw-N;v11%Rs>rw1MG6+_jL4_Hw2aZ@DH%~o0gCE86 ze9GA(wv4);7@Ldt=A-}`-VMR}1OcxMe6&j=^*ef2Y6vJay?kKMOUv+_wZS{G-}Pfe z4Sf&EEfK0GEoRK0?uW!%a1BEoGz zkO=r9z+-2peKM%e2lW;cJ^S(Y{gW##d4dumdL#@@s%D#=F$*HA1#+0LnGS|g<@oPa zbUw$sXms@BZ4DY*X8c!DzedMb=!14ea2we@{|xyz>U|wZRS3|UoDT`G?Hy!GwjwXj zwth5BhGxnkB!(Z#$Gz;E7Ns@m*yratrKmO>ldn`ICl!#tr6 z3>aVJPmV8?bu_3vfF2Jk-$s1sv)s=F!Qzonn>{0i*+hDGPnSRb|@AvlusdNYE<@ab=!=e0Z z&;`}t-yN36Z?ZJ3Yy%^nh@;+S>K%s2_-Curv>p+y%Yu!*XdS<@BdkWEA55jG9SK&G zTkPGqxA--?smAl7)Xenq)~`Qy23?b+=$G=QIDkER0-?qE6#sy1T`He9JmyMFRZ{c^ z3D@6a9!&(S&uC@Vol+Oqit?`g#c9*H=*Q85SNsyBI+;b9U7t0W_nI@*C}(rK5oVhk z@v^j4%loV&kX74pH&5qvm+fnzx;Y$L5)(RiETDX=YqZqRzcM>QG|}F@HS4^lZ9ft+ zG#)9Ggbxu>3*!1aHmgk)uFlCvO--}TmwA>IRkK>|P&exBFhxB6P;yjDFV(l^u#jlPolQ2Cr@iitv_+-WEyP?VOxEiiWrz>%an z1MADrRX7yCXRV$&J-?p5QZ=z9>4KR}~GPY~y1-7PWRZ6|ABaA?r3*UUX5Y5v6*@gC}UF@;SLOz5g{-1UMVL`nm z7B>ad8So-J?@apNLYc=F-^klW$xT&f?f>Pl%!hWOxEi-{iw{f7)m{hA=JAuf?Cxf) z@ToiG-?2|>%vI`rTbPvEPB=@ngGpipxQSEgR|L3rz%kGce}sT?`yeDC)_YfFnR(iG zr8sVr-)Pt+=%{ZdwX&Xw?;Ez;S@dg5te>l$Er3pAUJ^GDW{wywrwMruzjBM82mxVTD025#{x ziEL72ghV@Z;<5>E>SCVtN%>pOajTY8RXOfcaC%gC{7jSUO*<2E<~^q87{^K}2Q$A1 zN-3Qm`3C>ucv_H40kBFuL_00mc7)#WwX1BGh_{t2c&O+Qcukvh1)2Jo(`Mriap`w@ z`$8uriT@NYh~DebgKp*{0l*bZ_@p9RO(PEZR9 z3V0sa?`L#u!TdNganySW^e9rYNi7-8@of3lP#+=lq-yPaS3(l?BK*%6T)w;HW&D6< z-8#F5e*&s-&`&Vw?9EjqaXGv%cf^x#Re?gDFF>d))_b+vsgb4(Yrvlp8HMSjs@)3B z2gs@{Tqd`bmICO%TJ3_01ihxR&|AoD_Cb*P%J}4bk*LSlNCN+X4yH_t+c__AYXrhV zPZ~EPUqv==mC|J%vR1K(Acc|@(oWZh5#0$(Cn>pEBd}>s=$=+B>NX|9?>f{?0XwS^ zf$Mgh_VFNyyZUZ9okq1*Skz$lJ~x5Cg)&IN{3V#;iN@9=;-q@ss*D|XFS-r?M9WxH z-3}%`UayStRY(UywEQdp#j?)4Ogao2<`%&u4Ze0s!DeZ{)PFBosNe_z19(s_VCVf3?KoSdIHy+FKqAZ8n_iU zHe@0Hv@moAZS7v%eDHo4-)S7->d69zw%pc7B(iV5tF|dI=zT5!$&*zmN)Ad6e#Ern zOz~v5!6=Td&I?NG3l$~9`-vGOp_LE?U_Tu*MtEApEqggaQDkCArT%P*t%%m3o$L7I z&uZq?%^lNFyx!3bd@84U<>i%id_fH>M!=0mX+$d8T%`Xf4W?%+#&qzgtG~jV9Qi;| zI6-kc1Q}QKG}sI=b4l47F8*IDLb#NH{yO4R zRuO^&5C9|~3=j^mz1TU^+P#S{i;j n0EiR!8AekSw<%IMcutvBz_ [^ ]\{1,\} *\([^ ]\{1,\}\).*/\1/p'` + + CU_ACTION="Generate RSA-PSS Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -k ${KEYID} -f "${R_PWFILE}" \ + -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s RSA-PSS Request" + NEWSERIAL=`expr ${CERTSERIAL} + 30000` + certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}-rsa-pss.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's RSA-PSS Cert -t u,u,u" + certu -A -n "$CERTNAME-rsa-pss" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${CERTNAME}-rsa-pss.cert" 2>&1 + cert_log "SUCCESS: $CERTNAME's RSA-PSS Cert Created" + return 0 } @@ -2103,6 +2124,23 @@ cert_test_implicit_db_init() certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert" } +cert_test_token_uri() +{ + echo "$SCRIPTNAME: specify token with PKCS#11 URI" + + CERTIFICATE_DB_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*NSS%20Certificate%20DB.*\)/\1/p'` + BUILTIN_OBJECTS_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*Builtin%20Object%20Token.*\)/\1/p'` + + CU_ACTION="List keys in NSS Certificate DB" + certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${CERTIFICATE_DB_URI} + + # This token shouldn't have any keys + CU_ACTION="List keys in NSS Builtin Objects" + RETEXPECTED=255 + certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${BUILTIN_OBJECTS_URI} + RETEXPECTED=0 +} + check_sign_algo() { certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \ @@ -2475,6 +2513,29 @@ EOF RETEXPECTED=0 } +cert_test_orphan_key_delete() +{ + CU_ACTION="Create orphan key in serverdir" + certu -G -k ec -q nistp256 -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR} + # Let's get the key ID of the first orphan key. + # The output of certutil -K (list keys) isn't well formatted. + # The initial part may or may not contain white space, which + # makes the use of awk to filter the column unreliable. + # To fix that, we remove the initial field using sed, then select the + # column that contains the key ID. + ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \ + sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'` + CU_ACTION="Delete orphan key" + certu -F -f "${R_PWFILE}" -k ${ORPHAN} -d ${PROFILEDIR} + # Ensure that the key is removed + certu -K -f "${R_PWFILE}" -d ${PROFILEDIR} | grep ${ORPHAN} + RET=$? + if [ "$RET" -eq 0 ]; then + html_failed "Deleting orphan key ($RET)" + cert_log "ERROR: Deleting orphan key failed $RET" + fi +} + cert_test_orphan_key_reuse() { CU_ACTION="Create orphan key in serverdir" @@ -2519,6 +2580,7 @@ cert_all_CA cert_test_implicit_db_init cert_extended_ssl cert_ssl +cert_test_orphan_key_delete cert_test_orphan_key_reuse cert_smime_client IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED` @@ -2534,6 +2596,7 @@ cert_test_password cert_test_distrust cert_test_ocspresp cert_test_rsapss +cert_test_token_uri if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then cert_crl_ssl diff --git a/security/nss/tests/policy/crypto-policy.txt b/security/nss/tests/policy/crypto-policy.txt new file mode 100644 index 000000000000..9a8c0cd1b51f --- /dev/null +++ b/security/nss/tests/policy/crypto-policy.txt @@ -0,0 +1,19 @@ +# col 1: expected return value of nss-policy-check +# col 2: policy config statement, using _ instead of space +# col 3: an extended regular expression, expected to match the output +# col 4: description of the test +# +0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy +0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy +0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy +2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value +2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value +2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier +1 disallow=all NSS-POLICY-WARN.*NUMBER-OF-CERT-SIG disallow all +1 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-WARN.*NUMBER-OF-HASH No Hashes +1 disallow=ALL_allow=tls-version-min=0:tls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS All TLS versions disabled +1 disallow=ALL_allow=dtls-version-min=0:dtls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS All DTLS versions disabled +1 disallow=ALL_allow=tls-version-min=tls1.2:tls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS Invalid range of TLS versions +1 disallow=ALL_allow=dtls-version-min=tls1.2:dtls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS Invalid range of DTLS versions +1 disallow=ALL_allow=tls-version-min=tls1.1:tls-version-max=tls1.2 NSS-POLICY-INFO.*NUMBER-OF-TLS-VERSIONS Valid range of TLS versions +1 disallow=ALL_allow=dtls-version-min=tls1.1:dtls-version-max=tls1.2 NSS-POLICY-INFO.*NUMBER-OF-DTLS-VERSIONS Valid range of DTLS versions diff --git a/security/nss/tests/policy/policy.sh b/security/nss/tests/policy/policy.sh new file mode 100644 index 000000000000..228c982a5af4 --- /dev/null +++ b/security/nss/tests/policy/policy.sh @@ -0,0 +1,58 @@ +#! /bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +######################################################################## +# +# mozilla/security/nss/tests/policy/policy.sh +# +# Script to test NSS crypto policy code +# +######################################################################## + +ignore_blank_lines() +{ + LC_ALL=C grep -v '^[[:space:]]*\(#\|$\)' "$1" +} + +policy_run_tests() +{ + html_head "CRYPTO-POLICY" + + POLICY_INPUT=${QADIR}/policy/crypto-policy.txt + + ignore_blank_lines ${POLICY_INPUT} | \ + while read value policy match testname + do + echo "$SCRIPTNAME: running \"$testname\" ----------------------------" + policy=`echo ${policy} | sed -e 's;_; ;g'` + match=`echo ${match} | sed -e 's;_; ;g'` + POLICY_FILE="${TMP}/nss-policy" + + echo "$SCRIPTNAME: policy: \"$policy\"" + + cat > "$POLICY_FILE" << ++EOF++ +library= +name=Policy +NSS=flags=policyOnly,moduleDB +++EOF++ + echo "config=\"${policy}\"" >> "$POLICY_FILE" + echo "" >> "$POLICY_FILE" + + nss-policy-check "$POLICY_FILE" >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + + html_msg $ret $value "\"${testname}\"" \ + "produced a returncode of $ret, expected is $value" + + egrep "${match}" ${TMP}/$HOST.tmp.$$ + ret=$? + html_msg $ret 0 "\"${testname}\" output is expected to match \"${match}\"" + + done +} + +policy_run_tests diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh index 9a63bd9971ab..13e7b80b5db4 100755 --- a/security/nss/tests/ssl/ssl.sh +++ b/security/nss/tests/ssl/ssl.sh @@ -211,22 +211,27 @@ start_selfserv() echo "$SCRIPTNAME: $testname ----" fi sparam=`echo $sparam | sed -e 's;_; ;g'` - if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then + if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec" else ECC_OPTIONS="" fi + if [ -z "$RSA_PSS_CERT" -o "$RSA_PSS_CERT" != "1" ] ; then + RSA_OPTIONS="-n ${HOSTADDR}" + else + RSA_OPTIONS="-n ${HOSTADDR}-rsa-pss" + fi echo "selfserv starting at `date`" - echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\" + echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \\" echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\" echo " -V ssl3:tls1.2 $verbose -H 1 &" if [ ${fileout} -eq 1 ]; then - ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \ > ${SERVEROUTFILE} 2>&1 & RET=$? else - ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \ + ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 & RET=$? fi @@ -283,6 +288,13 @@ ssl_cov() echo "${testname}" | grep "EXPORT" > /dev/null EXP=$? + # RSA-PSS tests are handled in a separate function + case $testname in + *RSA-PSS) + continue + ;; + esac + echo "$SCRIPTNAME: running $testname ----------------------------" VMAX="ssl3" if [ "$testmax" = "TLS10" ]; then @@ -313,6 +325,59 @@ ssl_cov() html "
" } +ssl_cov_rsa_pss() +{ + #verbose="-v" + html_head "SSL Cipher Coverage (RSA-PSS) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + + testname="" + sparam="$CIPHER_SUITES" + + if [ "$NORM_EXT" = "Extended Test" ] ; then + echo "$SCRIPTNAME: skipping SSL Cipher Coverage (RSA-PSS) for $NORM_EXT" + return 0 + fi + + RSA_PSS_CERT=1 + NO_ECC_CERTS=1 + start_selfserv # Launch the server + RSA_PSS_CERT=0 + NO_ECC_CERTS=0 + + VMIN="tls1.2" + VMAX="tls1.2" + + ignore_blank_lines ${SSLCOV} | \ + while read ectype testmax param testname + do + case $testname in + *RSA-PSS) + ;; + *) + continue + ;; + esac + + echo "$SCRIPTNAME: running $testname (RSA-PSS) ----------------------------" + + echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" + echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" + + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ + -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? + cat ${TMP}/$HOST.tmp.$$ + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + html_msg $ret 0 "${testname}" \ + "produced a returncode of $ret, expected is 0" + done + + kill_selfserv + html "
" +} + ############################## ssl_auth ################################ # local shell function to perform SSL Client Authentication tests ######################################################################## @@ -1152,6 +1217,7 @@ ssl_run() ;; "cov") ssl_cov + ssl_cov_rsa_pss ;; "auth") ssl_auth diff --git a/security/nss/tests/ssl/sslcov.txt b/security/nss/tests/ssl/sslcov.txt index 1eb7f47def8e..93f247b9647e 100644 --- a/security/nss/tests/ssl/sslcov.txt +++ b/security/nss/tests/ssl/sslcov.txt @@ -141,3 +141,8 @@ ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECC TLS12 :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ECC TLS12 :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 +# +# Test against server with RSA-PSS server certificate +# + ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - RSA-PSS + ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - RSA-PSS