зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1470914, NSS 3.39 beta revision 4a086733554e UPGRADE_NSS_RELEASE r=me
This commit is contained in:
Родитель
69211f9f5e
Коммит
b8bea43ef3
|
@ -110,6 +110,7 @@ CERT_GenTime2FormattedAscii_Util
|
|||
CERT_GetCertChainFromCert
|
||||
CERT_GetCertEmailAddress
|
||||
CERT_GetCertificateRequestExtensions
|
||||
CERT_GetCertKeyType
|
||||
CERT_GetCertTimes
|
||||
CERT_GetCertTrust
|
||||
CERT_GetCommonName
|
||||
|
@ -277,6 +278,7 @@ NSSSSL_GetVersion
|
|||
#ifdef XP_WIN
|
||||
_NSSUTIL_Access
|
||||
#endif
|
||||
NSSUTIL_AddNSSFlagToModuleSpec
|
||||
NSSUTIL_ArgDecodeNumber
|
||||
NSSUTIL_ArgFetchValue
|
||||
NSSUTIL_ArgGetLabel
|
||||
|
@ -374,6 +376,7 @@ PK11_GetNextSymKey
|
|||
PK11_GetPadMechanism
|
||||
PK11_GetPrivateKeyNickname
|
||||
PK11_GetPrivateModulusLen
|
||||
PK11_GetSlotFromPrivateKey
|
||||
PK11_GetSlotID
|
||||
PK11_GetSlotInfo
|
||||
PK11_GetSlotName
|
||||
|
|
|
@ -1 +1 @@
|
|||
53c2ee896c57
|
||||
4a086733554e
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
|
||||
1 Added function:
|
||||
|
||||
'function KeyType CERT_GetCertKeyType(const CERTSubjectPublicKeyInfo*)' {CERT_GetCertKeyType@@NSS_3.39}
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
|
||||
1 Added function:
|
||||
|
||||
'function char* NSSUTIL_AddNSSFlagToModuleSpec(char*, char*)' {NSSUTIL_AddNSSFlagToModuleSpec@@NSSUTIL_3.39}
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
4.19
|
||||
4.20
|
||||
|
||||
# The first line of this file must contain the human readable NSPR
|
||||
# version number, which is the minimum required version of NSPR
|
||||
|
|
|
@ -928,6 +928,9 @@ function scheduleTests(task_build, task_cert, test_base) {
|
|||
queue.scheduleTask(merge(no_cert_base, {
|
||||
name: "SDR tests", symbol: "SDR", tests: "sdr"
|
||||
}));
|
||||
queue.scheduleTask(merge(no_cert_base, {
|
||||
name: "Policy tests", symbol: "Policy", tests: "policy"
|
||||
}));
|
||||
|
||||
// Schedule tests that need certificates.
|
||||
let cert_base = merge(test_base, {parent: task_cert});
|
||||
|
|
|
@ -37,7 +37,7 @@ function parseOptions(opts) {
|
|||
let aliases = {"gtests": "gtest"};
|
||||
let allUnitTests = ["bogo", "crmf", "chains", "cipher", "db", "ec", "fips",
|
||||
"gtest", "interop", "lowhash", "merge", "sdr", "smime", "tools",
|
||||
"ssl", "mpi", "scert", "spki"];
|
||||
"ssl", "mpi", "scert", "spki", "policy"];
|
||||
let unittests = intersect(opts.unittests.split(/\s*,\s*/).map(t => {
|
||||
return aliases[t] || t;
|
||||
}), allUnitTests);
|
||||
|
|
|
@ -856,41 +856,59 @@ SECItemToHex(const SECItem *item, char *dst)
|
|||
}
|
||||
|
||||
static const char *const keyTypeName[] = {
|
||||
"null", "rsa", "dsa", "fortezza", "dh", "kea", "ec", "rsaPss"
|
||||
"null", "rsa", "dsa", "fortezza", "dh", "kea", "ec", "rsaPss", "rsaOaep"
|
||||
};
|
||||
|
||||
#define MAX_CKA_ID_BIN_LEN 20
|
||||
#define MAX_CKA_ID_STR_LEN 40
|
||||
|
||||
/* output human readable key ID in buffer, which should have at least
|
||||
* MAX_CKA_ID_STR_LEN + 3 octets (quotations and a null terminator) */
|
||||
static void
|
||||
formatPrivateKeyID(SECKEYPrivateKey *privkey, char *buffer)
|
||||
{
|
||||
SECItem *ckaID;
|
||||
|
||||
ckaID = PK11_GetLowLevelKeyIDForPrivateKey(privkey);
|
||||
if (!ckaID) {
|
||||
strcpy(buffer, "(no CKA_ID)");
|
||||
} else if (ItemIsPrintableASCII(ckaID)) {
|
||||
int len = PR_MIN(MAX_CKA_ID_STR_LEN, ckaID->len);
|
||||
buffer[0] = '"';
|
||||
memcpy(buffer + 1, ckaID->data, len);
|
||||
buffer[1 + len] = '"';
|
||||
buffer[2 + len] = '\0';
|
||||
} else {
|
||||
/* print ckaid in hex */
|
||||
SECItem idItem = *ckaID;
|
||||
if (idItem.len > MAX_CKA_ID_BIN_LEN)
|
||||
idItem.len = MAX_CKA_ID_BIN_LEN;
|
||||
SECItemToHex(&idItem, buffer);
|
||||
}
|
||||
SECITEM_ZfreeItem(ckaID, PR_TRUE);
|
||||
}
|
||||
|
||||
/* print key number, key ID (in hex or ASCII), key label (nickname) */
|
||||
static SECStatus
|
||||
PrintKey(PRFileDesc *out, const char *nickName, int count,
|
||||
SECKEYPrivateKey *key, void *pwarg)
|
||||
{
|
||||
SECItem *ckaID;
|
||||
char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4];
|
||||
CERTCertificate *cert;
|
||||
KeyType keyType;
|
||||
|
||||
pwarg = NULL;
|
||||
ckaID = PK11_GetLowLevelKeyIDForPrivateKey(key);
|
||||
if (!ckaID) {
|
||||
strcpy(ckaIDbuf, "(no CKA_ID)");
|
||||
} else if (ItemIsPrintableASCII(ckaID)) {
|
||||
int len = PR_MIN(MAX_CKA_ID_STR_LEN, ckaID->len);
|
||||
ckaIDbuf[0] = '"';
|
||||
memcpy(ckaIDbuf + 1, ckaID->data, len);
|
||||
ckaIDbuf[1 + len] = '"';
|
||||
ckaIDbuf[2 + len] = '\0';
|
||||
} else {
|
||||
/* print ckaid in hex */
|
||||
SECItem idItem = *ckaID;
|
||||
if (idItem.len > MAX_CKA_ID_BIN_LEN)
|
||||
idItem.len = MAX_CKA_ID_BIN_LEN;
|
||||
SECItemToHex(&idItem, ckaIDbuf);
|
||||
}
|
||||
|
||||
formatPrivateKeyID(key, ckaIDbuf);
|
||||
cert = PK11_GetCertFromPrivateKey(key);
|
||||
if (cert) {
|
||||
keyType = CERT_GetCertKeyType(&cert->subjectPublicKeyInfo);
|
||||
CERT_DestroyCertificate(cert);
|
||||
} else {
|
||||
keyType = key->keyType;
|
||||
}
|
||||
PR_fprintf(out, "<%2d> %-8.8s %-42.42s %s\n", count,
|
||||
keyTypeName[key->keyType], ckaIDbuf, nickName);
|
||||
SECITEM_ZfreeItem(ckaID, PR_TRUE);
|
||||
keyTypeName[keyType], ckaIDbuf, nickName);
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
|
@ -1002,7 +1020,7 @@ ListKeys(PK11SlotInfo *slot, const char *nickName, int index,
|
|||
}
|
||||
|
||||
static SECStatus
|
||||
DeleteKey(char *nickname, secuPWData *pwdata)
|
||||
DeleteCertAndKey(char *nickname, secuPWData *pwdata)
|
||||
{
|
||||
SECStatus rv;
|
||||
CERTCertificate *cert;
|
||||
|
@ -1031,6 +1049,61 @@ DeleteKey(char *nickname, secuPWData *pwdata)
|
|||
return rv;
|
||||
}
|
||||
|
||||
static SECKEYPrivateKey *
|
||||
findPrivateKeyByID(PK11SlotInfo *slot, const char *ckaID, secuPWData *pwarg)
|
||||
{
|
||||
PORTCheapArenaPool arena;
|
||||
SECItem ckaIDItem = { 0 };
|
||||
SECKEYPrivateKey *privkey = NULL;
|
||||
SECStatus rv;
|
||||
|
||||
if (PK11_NeedLogin(slot)) {
|
||||
rv = PK11_Authenticate(slot, PR_TRUE, pwarg);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "could not authenticate to token %s.",
|
||||
PK11_GetTokenName(slot));
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
if (0 == PL_strncasecmp("0x", ckaID, 2)) {
|
||||
ckaID += 2; /* skip leading "0x" */
|
||||
}
|
||||
PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE);
|
||||
if (SECU_HexString2SECItem(&arena.arena, &ckaIDItem, ckaID)) {
|
||||
privkey = PK11_FindKeyByKeyID(slot, &ckaIDItem, pwarg);
|
||||
}
|
||||
PORT_DestroyCheapArena(&arena);
|
||||
return privkey;
|
||||
}
|
||||
|
||||
static SECStatus
|
||||
DeleteKey(SECKEYPrivateKey *privkey, secuPWData *pwarg)
|
||||
{
|
||||
SECStatus rv;
|
||||
PK11SlotInfo *slot;
|
||||
|
||||
slot = PK11_GetSlotFromPrivateKey(privkey);
|
||||
if (PK11_NeedLogin(slot)) {
|
||||
rv = PK11_Authenticate(slot, PR_TRUE, pwarg);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "could not authenticate to token %s.",
|
||||
PK11_GetTokenName(slot));
|
||||
return SECFailure;
|
||||
}
|
||||
}
|
||||
|
||||
rv = PK11_DeleteTokenPrivateKey(privkey, PR_TRUE);
|
||||
if (rv != SECSuccess) {
|
||||
char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4];
|
||||
formatPrivateKeyID(privkey, ckaIDbuf);
|
||||
SECU_PrintError("problem deleting private key \"%s\"\n", ckaIDbuf);
|
||||
}
|
||||
|
||||
PK11_FreeSlot(slot);
|
||||
return rv;
|
||||
}
|
||||
|
||||
/*
|
||||
* L i s t M o d u l e s
|
||||
*
|
||||
|
@ -1100,7 +1173,9 @@ PrintSyntax()
|
|||
"\t\t [-d certdir] [-P dbprefix]\n", progName);
|
||||
FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
|
||||
progName);
|
||||
FPS "\t%s -F -n nickname [-d certdir] [-P dbprefix]\n",
|
||||
FPS "\t%s -F -n cert-name [-d certdir] [-P dbprefix]\n",
|
||||
progName);
|
||||
FPS "\t%s -F -k key-id [-d certdir] [-P dbprefix]\n",
|
||||
progName);
|
||||
FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n"
|
||||
"\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
|
||||
|
@ -1390,6 +1465,8 @@ luF(enum usage_level ul, const char *command)
|
|||
return;
|
||||
FPS "%-20s The nickname of the key to delete\n",
|
||||
" -n cert-name");
|
||||
FPS "%-20s The key id of the key to delete, obtained using -K\n",
|
||||
" -k key-id");
|
||||
FPS "%-20s Cert database directory (default is ~/.netscape)\n",
|
||||
" -d certdir");
|
||||
FPS "%-20s Cert & Key database prefix\n",
|
||||
|
@ -2944,10 +3021,9 @@ certutil_main(int argc, char **argv, PRBool initialize)
|
|||
readOnly = !certutil.options[opt_RW].activated;
|
||||
}
|
||||
|
||||
/* -A, -D, -F, -M, -S, -V, and all require -n */
|
||||
/* -A, -D, -M, -S, -V, and all require -n */
|
||||
if ((certutil.commands[cmd_AddCert].activated ||
|
||||
certutil.commands[cmd_DeleteCert].activated ||
|
||||
certutil.commands[cmd_DeleteKey].activated ||
|
||||
certutil.commands[cmd_DumpChain].activated ||
|
||||
certutil.commands[cmd_ModifyCertTrust].activated ||
|
||||
certutil.commands[cmd_CreateAndAddCert].activated ||
|
||||
|
@ -3034,6 +3110,16 @@ certutil_main(int argc, char **argv, PRBool initialize)
|
|||
return 255;
|
||||
}
|
||||
|
||||
/* Delete needs a nickname or a key ID */
|
||||
if (certutil.commands[cmd_DeleteKey].activated &&
|
||||
!(certutil.options[opt_Nickname].activated || keysource)) {
|
||||
PR_fprintf(PR_STDERR,
|
||||
"%s -%c: specify a nickname (-n) or\n"
|
||||
" a key ID (-k).\n",
|
||||
commandToRun, progName);
|
||||
return 255;
|
||||
}
|
||||
|
||||
/* Upgrade/Merge needs a source database and a upgrade id. */
|
||||
if (certutil.commands[cmd_UpgradeMerge].activated &&
|
||||
!(certutil.options[opt_SourceDir].activated &&
|
||||
|
@ -3396,7 +3482,19 @@ certutil_main(int argc, char **argv, PRBool initialize)
|
|||
}
|
||||
/* Delete key (-F) */
|
||||
if (certutil.commands[cmd_DeleteKey].activated) {
|
||||
rv = DeleteKey(name, &pwdata);
|
||||
if (certutil.options[opt_Nickname].activated) {
|
||||
rv = DeleteCertAndKey(name, &pwdata);
|
||||
} else {
|
||||
privkey = findPrivateKeyByID(slot, keysource, &pwdata);
|
||||
if (!privkey) {
|
||||
SECU_PrintError(progName, "%s is not a key-id", keysource);
|
||||
rv = SECFailure;
|
||||
} else {
|
||||
rv = DeleteKey(privkey, &pwdata);
|
||||
/* already destroyed by PK11_DeleteTokenPrivateKey */
|
||||
privkey = NULL;
|
||||
}
|
||||
}
|
||||
goto shutdown;
|
||||
}
|
||||
/* Modify trust attribute for cert (-M) */
|
||||
|
@ -3468,30 +3566,8 @@ certutil_main(int argc, char **argv, PRBool initialize)
|
|||
if (keycert) {
|
||||
privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
|
||||
} else {
|
||||
PLArenaPool *arena = NULL;
|
||||
SECItem keyidItem = { 0 };
|
||||
char *keysourcePtr = keysource;
|
||||
/* Interpret keysource as CKA_ID */
|
||||
if (PK11_NeedLogin(slot)) {
|
||||
rv = PK11_Authenticate(slot, PR_TRUE, &pwdata);
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintError(progName, "could not authenticate to token %s.",
|
||||
PK11_GetTokenName(slot));
|
||||
return SECFailure;
|
||||
}
|
||||
}
|
||||
if (0 == PL_strncasecmp("0x", keysource, 2)) {
|
||||
keysourcePtr = keysource + 2; // skip leading "0x"
|
||||
}
|
||||
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
||||
if (!arena) {
|
||||
SECU_PrintError(progName, "unable to allocate arena");
|
||||
return SECFailure;
|
||||
}
|
||||
if (SECU_HexString2SECItem(arena, &keyidItem, keysourcePtr)) {
|
||||
privkey = PK11_FindKeyByKeyID(slot, &keyidItem, &pwdata);
|
||||
}
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
privkey = findPrivateKeyByID(slot, keysource, &pwdata);
|
||||
}
|
||||
|
||||
if (!privkey) {
|
||||
|
|
|
@ -47,6 +47,7 @@ NSS_SRCDIRS = \
|
|||
listsuites \
|
||||
makepqg \
|
||||
multinit \
|
||||
nss-policy-check \
|
||||
ocspclnt \
|
||||
ocspresp \
|
||||
oidcalc \
|
||||
|
|
|
@ -0,0 +1,47 @@
|
|||
#! gmake
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
#######################################################################
|
||||
# (1) Include initial platform-independent assignments (MANDATORY). #
|
||||
#######################################################################
|
||||
|
||||
include manifest.mn
|
||||
|
||||
#######################################################################
|
||||
# (2) Include "global" configuration information. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
include $(CORE_DEPTH)/coreconf/config.mk
|
||||
|
||||
#######################################################################
|
||||
# (3) Include "component" configuration information. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
#######################################################################
|
||||
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
|
||||
#######################################################################
|
||||
|
||||
include ../platlibs.mk
|
||||
|
||||
#######################################################################
|
||||
# (5) Execute "global" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
|
||||
#######################################################################
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
#######################################################################
|
||||
|
||||
|
||||
include ../platrules.mk
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
CORE_DEPTH = ../..
|
||||
|
||||
MODULE = nss
|
||||
|
||||
CSRCS = nss-policy-check.c
|
||||
|
||||
REQUIRES = seccmd
|
||||
|
||||
PROGRAM = nss-policy-check
|
||||
|
|
@ -0,0 +1,206 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
/* This program can be used to check the validity of a NSS crypto policy
|
||||
* configuration file, specified using a config= line.
|
||||
*
|
||||
* Exit codes:
|
||||
* failure: 2
|
||||
* warning: 1
|
||||
* success: 0
|
||||
*/
|
||||
|
||||
#include <limits.h>
|
||||
#include <errno.h>
|
||||
#include <stdio.h>
|
||||
#include "utilparst.h"
|
||||
#include "nss.h"
|
||||
#include "secport.h"
|
||||
#include "secutil.h"
|
||||
#include "secmod.h"
|
||||
#include "ssl.h"
|
||||
#include "prenv.h"
|
||||
|
||||
const char *sWarn = "WARN";
|
||||
const char *sInfo = "INFO";
|
||||
|
||||
void
|
||||
get_tls_info(SSLProtocolVariant protocolVariant, const char *display)
|
||||
{
|
||||
SSLVersionRange vrange_supported, vrange_enabled;
|
||||
unsigned num_enabled = 0;
|
||||
PRBool failed = PR_FALSE;
|
||||
|
||||
/* We assume SSL v2 is inactive, and therefore SSL_VersionRangeGetDefault
|
||||
* gives complete information. */
|
||||
if ((SSL_VersionRangeGetSupported(protocolVariant, &vrange_supported) != SECSuccess) ||
|
||||
(SSL_VersionRangeGetDefault(protocolVariant, &vrange_enabled) != SECSuccess) ||
|
||||
!vrange_enabled.min ||
|
||||
!vrange_enabled.max ||
|
||||
vrange_enabled.max < vrange_supported.min ||
|
||||
vrange_enabled.min > vrange_supported.max) {
|
||||
failed = PR_TRUE;
|
||||
} else {
|
||||
if (vrange_enabled.min < vrange_supported.min) {
|
||||
vrange_enabled.min = vrange_supported.min;
|
||||
}
|
||||
if (vrange_enabled.max > vrange_supported.max) {
|
||||
vrange_enabled.max = vrange_supported.max;
|
||||
}
|
||||
if (vrange_enabled.min > vrange_enabled.max) {
|
||||
failed = PR_TRUE;
|
||||
}
|
||||
}
|
||||
if (failed) {
|
||||
num_enabled = 0;
|
||||
} else {
|
||||
num_enabled = vrange_enabled.max - vrange_enabled.min + 1;
|
||||
}
|
||||
fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-%s-VERSIONS: %u\n",
|
||||
num_enabled ? sInfo : sWarn, display, num_enabled);
|
||||
if (!num_enabled) {
|
||||
PR_SetEnv("NSS_POLICY_WARN=1");
|
||||
}
|
||||
}
|
||||
|
||||
#ifndef PATH_MAX
|
||||
#define PATH_MAX 1024
|
||||
#endif
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
|
||||
int i;
|
||||
SECStatus rv;
|
||||
SECMODModule *module = NULL;
|
||||
char path[PATH_MAX];
|
||||
const char *filename;
|
||||
char moduleSpec[1024 + PATH_MAX];
|
||||
unsigned num_enabled = 0;
|
||||
int result = 0;
|
||||
int fullPathLen;
|
||||
|
||||
if (argc != 2) {
|
||||
fprintf(stderr, "Syntax: nss-policy-check <path-to-policy-file>\n");
|
||||
result = 2;
|
||||
goto loser_no_shutdown;
|
||||
}
|
||||
|
||||
fullPathLen = strlen(argv[1]);
|
||||
|
||||
if (!fullPathLen || PR_Access(argv[1], PR_ACCESS_READ_OK) != PR_SUCCESS) {
|
||||
fprintf(stderr, "Error: cannot read file %s\n", argv[1]);
|
||||
result = 2;
|
||||
goto loser_no_shutdown;
|
||||
}
|
||||
|
||||
if (fullPathLen >= PATH_MAX) {
|
||||
fprintf(stderr, "Error: filename parameter is too long\n");
|
||||
result = 2;
|
||||
goto loser_no_shutdown;
|
||||
}
|
||||
|
||||
path[0] = 0;
|
||||
filename = argv[1] + fullPathLen - 1;
|
||||
while ((filename > argv[1]) && (*filename != NSSUTIL_PATH_SEPARATOR[0])) {
|
||||
filename--;
|
||||
}
|
||||
|
||||
if (filename == argv[1]) {
|
||||
PORT_Strcpy(path, ".");
|
||||
} else {
|
||||
filename++; /* Go past the path separator. */
|
||||
PORT_Strncat(path, argv[1], (filename - argv[1]));
|
||||
}
|
||||
|
||||
PR_SetEnv("NSS_IGNORE_SYSTEM_POLICY=1");
|
||||
rv = NSS_NoDB_Init(NULL);
|
||||
if (rv != SECSuccess) {
|
||||
fprintf(stderr, "NSS_Init failed: %s\n", PORT_ErrorToString(PR_GetError()));
|
||||
result = 2;
|
||||
goto loser_no_shutdown;
|
||||
}
|
||||
|
||||
PR_SetEnv("NSS_POLICY_LOADED=0");
|
||||
PR_SetEnv("NSS_POLICY_FAIL=0");
|
||||
PR_SetEnv("NSS_POLICY_WARN=0");
|
||||
|
||||
sprintf(moduleSpec,
|
||||
"name=\"Policy File\" "
|
||||
"parameters=\"configdir='sql:%s' "
|
||||
"secmod='%s' "
|
||||
"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
|
||||
"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical,printPolicyFeedback\"",
|
||||
path, filename);
|
||||
|
||||
module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
|
||||
if (!module || !module->loaded || atoi(PR_GetEnvSecure("NSS_POLICY_LOADED")) != 1) {
|
||||
fprintf(stderr, "Error: failed to load policy file\n");
|
||||
result = 2;
|
||||
goto loser;
|
||||
}
|
||||
|
||||
rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
|
||||
if (rv != SECSuccess) {
|
||||
fprintf(stderr, "enable SSL_SECURITY failed: %s\n", PORT_ErrorToString(PR_GetError()));
|
||||
result = 2;
|
||||
goto loser;
|
||||
}
|
||||
|
||||
for (i = 0; i < SSL_NumImplementedCiphers; i++) {
|
||||
PRUint16 suite = cipherSuites[i];
|
||||
PRBool enabled;
|
||||
SSLCipherSuiteInfo info;
|
||||
|
||||
rv = SSL_CipherPrefGetDefault(suite, &enabled);
|
||||
if (rv != SECSuccess) {
|
||||
fprintf(stderr,
|
||||
"SSL_CipherPrefGetDefault didn't like value 0x%04x (i = %d): %s\n",
|
||||
suite, i, PORT_ErrorToString(PR_GetError()));
|
||||
continue;
|
||||
}
|
||||
rv = SSL_GetCipherSuiteInfo(suite, &info, (int)(sizeof info));
|
||||
if (rv != SECSuccess) {
|
||||
fprintf(stderr,
|
||||
"SSL_GetCipherSuiteInfo didn't like value 0x%04x (i = %d): %s\n",
|
||||
suite, i, PORT_ErrorToString(PR_GetError()));
|
||||
continue;
|
||||
}
|
||||
if (enabled) {
|
||||
++num_enabled;
|
||||
fprintf(stderr, "NSS-POLICY-INFO: ciphersuite %s is enabled\n", info.cipherSuiteName);
|
||||
}
|
||||
}
|
||||
fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-CIPHERSUITES: %u\n", num_enabled ? sInfo : sWarn, num_enabled);
|
||||
if (!num_enabled) {
|
||||
PR_SetEnv("NSS_POLICY_WARN=1");
|
||||
}
|
||||
|
||||
get_tls_info(ssl_variant_stream, "TLS");
|
||||
get_tls_info(ssl_variant_datagram, "DTLS");
|
||||
|
||||
if (atoi(PR_GetEnvSecure("NSS_POLICY_FAIL")) != 0) {
|
||||
result = 2;
|
||||
} else if (atoi(PR_GetEnvSecure("NSS_POLICY_WARN")) != 0) {
|
||||
result = 1;
|
||||
}
|
||||
|
||||
loser:
|
||||
if (module) {
|
||||
SECMOD_DestroyModule(module);
|
||||
}
|
||||
rv = NSS_Shutdown();
|
||||
if (rv != SECSuccess) {
|
||||
fprintf(stderr, "NSS_Shutdown failed: %s\n", PORT_ErrorToString(PR_GetError()));
|
||||
result = 2;
|
||||
}
|
||||
loser_no_shutdown:
|
||||
if (result == 2) {
|
||||
fprintf(stderr, "NSS-POLICY-FAIL\n");
|
||||
} else if (result == 1) {
|
||||
fprintf(stderr, "NSS-POLICY-WARN\n");
|
||||
}
|
||||
return result;
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
{
|
||||
'includes': [
|
||||
'../../coreconf/config.gypi',
|
||||
'../../cmd/platlibs.gypi'
|
||||
],
|
||||
'targets': [
|
||||
{
|
||||
'target_name': 'nss-policy-check',
|
||||
'type': 'executable',
|
||||
'sources': [
|
||||
'nss-policy-check.c'
|
||||
],
|
||||
'dependencies': [
|
||||
'<(DEPTH)/exports.gyp:nss_exports'
|
||||
]
|
||||
}
|
||||
],
|
||||
'variables': {
|
||||
'module': 'nss'
|
||||
}
|
||||
}
|
|
@ -10,3 +10,4 @@
|
|||
*/
|
||||
|
||||
#error "Do not include this header file."
|
||||
|
||||
|
|
|
@ -84,7 +84,7 @@
|
|||
|
||||
<varlistentry>
|
||||
<term>-F</term>
|
||||
<listitem><para>Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
|
||||
<listitem><para>Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument or the -k argument. Specify the database from which to delete the key with the
|
||||
<option>-d</option> argument.
|
||||
</para>
|
||||
<para>
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm140440587239488"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
|
||||
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">--rename </span></dt><dd><p>Change the database nickname of a certificate.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
|
||||
<code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname.
|
||||
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm45522631704896"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
|
||||
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">--rename </span></dt><dd><p>Change the database nickname of a certificate.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument or the -k argument. Specify the database from which to delete the key with the
|
||||
<code class="option">-d</code> argument.
|
||||
</p><p>
|
||||
When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
|
||||
Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair.</p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
|
||||
Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.</p></dd><dt><span class="term">-M </span></dt><dd><p>Modify a certificate's trust attributes using the values of the -t argument.</p></dd><dt><span class="term">-N</span></dt><dd><p>Create new certificate and key databases.</p></dd><dt><span class="term">-O </span></dt><dd><p>Print the certificate chain.</p></dd><dt><span class="term">-R</span></dt><dd><p>Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.
|
||||
|
||||
Use the -a argument to specify ASCII output.</p></dd><dt><span class="term">-S </span></dt><dd><p>Create an individual certificate and add it to a certificate database.</p></dd><dt><span class="term">-T </span></dt><dd><p>Reset the key database or token.</p></dd><dt><span class="term">-U </span></dt><dd><p>List all available modules or print a single named module.</p></dd><dt><span class="term">-V </span></dt><dd><p>Check the validity of a certificate and its attributes.</p></dd><dt><span class="term">-W </span></dt><dd><p>Change the password to a key database.</p></dd><dt><span class="term">--merge</span></dt><dd><p>Merge two databases into one.</p></dd><dt><span class="term">--upgrade-merge</span></dt><dd><p>Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (<code class="filename">cert8.db</code> and <code class="filename">key3.db</code>) into the newer SQLite databases (<code class="filename">cert9.db</code> and <code class="filename">key4.db</code>).</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Arguments modify a command option and are usually lower case, numbers, or symbols.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-a</span></dt><dd><p>Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113.
|
||||
|
|
|
@ -2,12 +2,12 @@
|
|||
.\" Title: CERTUTIL
|
||||
.\" Author: [see the "Authors" section]
|
||||
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
|
||||
.\" Date: 27 October 2017
|
||||
.\" Date: 5 October 2017
|
||||
.\" Manual: NSS Security Tools
|
||||
.\" Source: nss-tools
|
||||
.\" Language: English
|
||||
.\"
|
||||
.TH "CERTUTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools"
|
||||
.TH "CERTUTIL" "1" "5 October 2017" "nss-tools" "NSS Security Tools"
|
||||
.\" -----------------------------------------------------------------
|
||||
.\" * Define some portability stuff
|
||||
.\" -----------------------------------------------------------------
|
||||
|
@ -92,15 +92,11 @@ Add an email certificate to the certificate database\&.
|
|||
.PP
|
||||
\-F
|
||||
.RS 4
|
||||
Delete a private key from a key database\&. Specify the key to delete with the \-n argument\&. Specify the database from which to delete the key with the
|
||||
Delete a private key and the associated certificate from a database\&. Specify the key to delete with the \-n argument or the \-k argument\&. Specify the database from which to delete the key with the
|
||||
\fB\-d\fR
|
||||
argument\&. Use the
|
||||
\fB\-k\fR
|
||||
argument to specify explicitly whether to delete a DSA, RSA, or ECC key\&. If you don\*(Aqt use the
|
||||
\fB\-k\fR
|
||||
argument, the option looks for an RSA key matching the specified nickname\&.
|
||||
argument\&.
|
||||
.sp
|
||||
When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using \-D\&. Some smart cards do not let you remove a public key you have generated\&. In such a case, only the private key is deleted from the key pair\&. You can display the public key with the command certutil \-K \-h tokenname\&.
|
||||
Some smart cards do not let you remove a public key you have generated\&. In such a case, only the private key is deleted from the key pair\&.
|
||||
.RE
|
||||
.PP
|
||||
\-G
|
||||
|
|
|
@ -160,6 +160,7 @@ TEST_F(PK11URITest, ParseRetrieveTest) {
|
|||
|
||||
TEST_F(PK11URITest, ParseFormatTest) {
|
||||
TestParseFormat("pkcs11:", "pkcs11:");
|
||||
TestParseFormat("PKCS11:", "pkcs11:");
|
||||
TestParseFormat("pkcs11:token=aaa", "pkcs11:token=aaa");
|
||||
TestParseFormat("pkcs11:token=aaa;manufacturer=bbb",
|
||||
"pkcs11:token=aaa;manufacturer=bbb");
|
||||
|
|
|
@ -15,6 +15,10 @@
|
|||
#include <limits.h> /* for UINT_MAX */
|
||||
#include <string.h> /* for memmove */
|
||||
|
||||
#if defined(__MINGW32__)
|
||||
#include <windows.h>
|
||||
#endif
|
||||
|
||||
#define NSS_MAX_ERROR_STACK_COUNT 16 /* error codes */
|
||||
|
||||
/*
|
||||
|
@ -65,7 +69,32 @@ static const PRCallOnceType error_call_again;
|
|||
static PRStatus
|
||||
error_once_function(void)
|
||||
{
|
||||
|
||||
/*
|
||||
* This #ifdef function is redundant. It performs the same thing as the
|
||||
* else case.
|
||||
*
|
||||
* However, the MinGW version looks up the function from nss3's export
|
||||
* table, and on MinGW _that_ behaves differently than passing a
|
||||
* function pointer in a different module because MinGW has
|
||||
* -mnop-fun-dllimport specified, which generates function thunks for
|
||||
* cross-module calls. And when a module (like nssckbi) gets unloaded,
|
||||
* and you try to call into that thunk (which is now missing) you'll
|
||||
* crash. So we do this bit of ugly to avoid that crash. Fortunately
|
||||
* this is the only place we've had to do this.
|
||||
*/
|
||||
#if defined(__MINGW32__)
|
||||
HMODULE nss3 = GetModuleHandleW(L"nss3");
|
||||
if (nss3) {
|
||||
FARPROC freePtr = GetProcAddress(nss3, "PR_Free");
|
||||
if (freePtr) {
|
||||
return PR_NewThreadPrivateIndex(&error_stack_index, freePtr);
|
||||
}
|
||||
}
|
||||
return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free);
|
||||
#else
|
||||
return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free);
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
@ -39,7 +39,7 @@ s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
|
|||
"2:\n"
|
||||
"str r5, [%3]\n"
|
||||
:
|
||||
: "r"(a), "r"(a_len), "r"(b), "r"(c)
|
||||
: "r"(a), "l"(a_len), "r"(b), "r"(c)
|
||||
: "memory", "cc", "%r4", "%r5", "%r6");
|
||||
}
|
||||
|
||||
|
@ -72,7 +72,7 @@ s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
|
|||
"2:\n"
|
||||
"str r5, [%3]\n"
|
||||
:
|
||||
: "r"(a), "r"(a_len), "r"(b), "r"(c)
|
||||
: "r"(a), "l"(a_len), "r"(b), "r"(c)
|
||||
: "memory", "cc", "%r4", "%r5", "%r6");
|
||||
}
|
||||
|
||||
|
|
|
@ -1133,3 +1133,9 @@ SEC_CreateSignatureAlgorithmParameters;
|
|||
;+ local:
|
||||
;+ *;
|
||||
;+};
|
||||
;+NSS_3.39 { # NSS 3.39 release
|
||||
;+ global:
|
||||
CERT_GetCertKeyType;
|
||||
;+ local:
|
||||
;+ *;
|
||||
;+};
|
||||
|
|
|
@ -54,7 +54,7 @@ nss_mktemp(char *path)
|
|||
|
||||
#define NSS_MAX_FLAG_SIZE sizeof("readOnly") + sizeof("noCertDB") + \
|
||||
sizeof("noModDB") + sizeof("forceOpen") + sizeof("passwordRequired") + \
|
||||
sizeof("optimizeSpace")
|
||||
sizeof("optimizeSpace") + sizeof("printPolicyFeedback")
|
||||
#define NSS_DEFAULT_MOD_NAME "NSS Internal Module"
|
||||
|
||||
static char *
|
||||
|
|
|
@ -804,30 +804,12 @@ PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType,
|
|||
/* don't know? look it up */
|
||||
if (keyType == nullKey) {
|
||||
CK_KEY_TYPE pk11Type = CKK_RSA;
|
||||
SECItem info;
|
||||
|
||||
pk11Type = PK11_ReadULongAttribute(slot, privID, CKA_KEY_TYPE);
|
||||
isTemp = (PRBool)!PK11_HasAttributeSet(slot, privID, CKA_TOKEN, PR_FALSE);
|
||||
switch (pk11Type) {
|
||||
case CKK_RSA:
|
||||
keyType = rsaKey;
|
||||
/* determine RSA key type from the CKA_PUBLIC_KEY_INFO if present */
|
||||
rv = PK11_ReadAttribute(slot, privID, CKA_PUBLIC_KEY_INFO, NULL, &info);
|
||||
if (rv == SECSuccess) {
|
||||
CERTSubjectPublicKeyInfo *spki;
|
||||
|
||||
spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&info);
|
||||
if (spki) {
|
||||
SECOidTag tag;
|
||||
|
||||
tag = SECOID_GetAlgorithmTag(&spki->algorithm);
|
||||
if (tag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE)
|
||||
keyType = rsaPssKey;
|
||||
SECKEY_DestroySubjectPublicKeyInfo(spki);
|
||||
}
|
||||
SECITEM_FreeItem(&info, PR_FALSE);
|
||||
}
|
||||
|
||||
break;
|
||||
case CKK_DSA:
|
||||
keyType = dsaKey;
|
||||
|
|
|
@ -741,7 +741,7 @@ find_certs_from_nickname(const char *nickname, void *wincx)
|
|||
char *delimit = NULL;
|
||||
char *tokenName;
|
||||
|
||||
if (!strncmp(nickname, "pkcs11:", strlen("pkcs11:"))) {
|
||||
if (!PORT_Strncasecmp(nickname, "pkcs11:", strlen("pkcs11:"))) {
|
||||
certs = find_certs_from_uri(nickname, wincx);
|
||||
if (certs)
|
||||
return certs;
|
||||
|
|
|
@ -194,7 +194,7 @@ typedef struct {
|
|||
* This table should be merged with the SECOID table.
|
||||
*/
|
||||
#define CIPHER_NAME(x) x, (sizeof(x) - 1)
|
||||
static const oidValDef algOptList[] = {
|
||||
static const oidValDef curveOptList[] = {
|
||||
/* Curves */
|
||||
{ CIPHER_NAME("PRIME192V1"), SEC_OID_ANSIX962_EC_PRIME192V1,
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
|
||||
|
@ -316,7 +316,9 @@ static const oidValDef algOptList[] = {
|
|||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
|
||||
{ CIPHER_NAME("SECT571R1"), SEC_OID_SECG_EC_SECT571R1,
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
|
||||
};
|
||||
|
||||
static const oidValDef hashOptList[] = {
|
||||
/* Hashes */
|
||||
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
|
||||
|
@ -334,7 +336,9 @@ static const oidValDef algOptList[] = {
|
|||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
|
||||
{ CIPHER_NAME("SHA512"), SEC_OID_SHA512,
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
|
||||
};
|
||||
|
||||
static const oidValDef macOptList[] = {
|
||||
/* MACs */
|
||||
{ CIPHER_NAME("HMAC-SHA1"), SEC_OID_HMAC_SHA1, NSS_USE_ALG_IN_SSL },
|
||||
{ CIPHER_NAME("HMAC-SHA224"), SEC_OID_HMAC_SHA224, NSS_USE_ALG_IN_SSL },
|
||||
|
@ -342,7 +346,9 @@ static const oidValDef algOptList[] = {
|
|||
{ CIPHER_NAME("HMAC-SHA384"), SEC_OID_HMAC_SHA384, NSS_USE_ALG_IN_SSL },
|
||||
{ CIPHER_NAME("HMAC-SHA512"), SEC_OID_HMAC_SHA512, NSS_USE_ALG_IN_SSL },
|
||||
{ CIPHER_NAME("HMAC-MD5"), SEC_OID_HMAC_MD5, NSS_USE_ALG_IN_SSL },
|
||||
};
|
||||
|
||||
static const oidValDef cipherOptList[] = {
|
||||
/* Ciphers */
|
||||
{ CIPHER_NAME("AES128-CBC"), SEC_OID_AES_128_CBC, NSS_USE_ALG_IN_SSL },
|
||||
{ CIPHER_NAME("AES192-CBC"), SEC_OID_AES_192_CBC, NSS_USE_ALG_IN_SSL },
|
||||
|
@ -362,7 +368,9 @@ static const oidValDef algOptList[] = {
|
|||
{ CIPHER_NAME("RC2"), SEC_OID_RC2_CBC, NSS_USE_ALG_IN_SSL },
|
||||
{ CIPHER_NAME("RC4"), SEC_OID_RC4, NSS_USE_ALG_IN_SSL },
|
||||
{ CIPHER_NAME("IDEA"), SEC_OID_IDEA_CBC, NSS_USE_ALG_IN_SSL },
|
||||
};
|
||||
|
||||
static const oidValDef kxOptList[] = {
|
||||
/* Key exchange */
|
||||
{ CIPHER_NAME("RSA"), SEC_OID_TLS_RSA, NSS_USE_ALG_IN_SSL_KX },
|
||||
{ CIPHER_NAME("RSA-EXPORT"), SEC_OID_TLS_RSA_EXPORT, NSS_USE_ALG_IN_SSL_KX },
|
||||
|
@ -376,6 +384,20 @@ static const oidValDef algOptList[] = {
|
|||
{ CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
|
||||
};
|
||||
|
||||
typedef struct {
|
||||
const oidValDef *list;
|
||||
PRUint32 entries;
|
||||
const char *description;
|
||||
} algListsDef;
|
||||
|
||||
static const algListsDef algOptLists[] = {
|
||||
{ curveOptList, PR_ARRAY_SIZE(curveOptList), "ECC" },
|
||||
{ hashOptList, PR_ARRAY_SIZE(hashOptList), "HASH" },
|
||||
{ macOptList, PR_ARRAY_SIZE(macOptList), "MAC" },
|
||||
{ cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER" },
|
||||
{ kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX" },
|
||||
};
|
||||
|
||||
static const optionFreeDef sslOptList[] = {
|
||||
/* Versions */
|
||||
{ CIPHER_NAME("SSL2.0"), 0x002 },
|
||||
|
@ -447,7 +469,8 @@ secmod_ArgGetSubValue(const char *cipher, char sep1, char sep2,
|
|||
}
|
||||
|
||||
static PRUint32
|
||||
secmod_parsePolicyValue(const char *policyFlags, int policyLength)
|
||||
secmod_parsePolicyValue(const char *policyFlags, int policyLength,
|
||||
PRBool printPolicyFeedback)
|
||||
{
|
||||
const char *flag, *currentString;
|
||||
PRUint32 flags = 0;
|
||||
|
@ -456,6 +479,7 @@ secmod_parsePolicyValue(const char *policyFlags, int policyLength)
|
|||
for (currentString = policyFlags; currentString &&
|
||||
currentString < policyFlags + policyLength;) {
|
||||
int length;
|
||||
PRBool unknown = PR_TRUE;
|
||||
flag = secmod_ArgGetSubValue(currentString, ',', ':', &length,
|
||||
¤tString);
|
||||
if (length == 0) {
|
||||
|
@ -467,41 +491,49 @@ secmod_parsePolicyValue(const char *policyFlags, int policyLength)
|
|||
if ((policy->name_size == length) &&
|
||||
PORT_Strncasecmp(policy->name, flag, name_size) == 0) {
|
||||
flags |= policy->flag;
|
||||
unknown = PR_FALSE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (unknown && printPolicyFeedback) {
|
||||
PR_SetEnv("NSS_POLICY_FAIL=1");
|
||||
fprintf(stderr, "NSS-POLICY-FAIL %.*s: unknown value: %.*s\n",
|
||||
policyLength, policyFlags, length, flag);
|
||||
}
|
||||
}
|
||||
return flags;
|
||||
}
|
||||
|
||||
/* allow symbolic names for values. The only ones currently defines or
|
||||
* SSL protocol versions. */
|
||||
static PRInt32
|
||||
secmod_getPolicyOptValue(const char *policyValue, int policyValueLength)
|
||||
static SECStatus
|
||||
secmod_getPolicyOptValue(const char *policyValue, int policyValueLength,
|
||||
PRInt32 *result)
|
||||
{
|
||||
PRInt32 val = atoi(policyValue);
|
||||
int i;
|
||||
|
||||
if ((val != 0) || (*policyValue == '0')) {
|
||||
return val;
|
||||
*result = val;
|
||||
return SECSuccess;
|
||||
}
|
||||
for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) {
|
||||
if (policyValueLength == sslOptList[i].name_size &&
|
||||
PORT_Strncasecmp(sslOptList[i].name, policyValue,
|
||||
sslOptList[i].name_size) == 0) {
|
||||
val = sslOptList[i].option;
|
||||
break;
|
||||
*result = sslOptList[i].option;
|
||||
return SECSuccess;
|
||||
}
|
||||
}
|
||||
return val;
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
static SECStatus
|
||||
secmod_applyCryptoPolicy(const char *policyString,
|
||||
PRBool allow)
|
||||
secmod_applyCryptoPolicy(const char *policyString, PRBool allow,
|
||||
PRBool printPolicyFeedback)
|
||||
{
|
||||
const char *cipher, *currentString;
|
||||
unsigned i;
|
||||
unsigned i, j;
|
||||
SECStatus rv = SECSuccess;
|
||||
PRBool unknown;
|
||||
|
||||
|
@ -526,56 +558,63 @@ secmod_applyCryptoPolicy(const char *policyString,
|
|||
/* disable or enable all options by default */
|
||||
PRUint32 value = 0;
|
||||
if (newValue) {
|
||||
value = secmod_parsePolicyValue(&cipher[3] + 1, length - 3 - 1);
|
||||
value = secmod_parsePolicyValue(&cipher[3] + 1, length - 3 - 1, printPolicyFeedback);
|
||||
}
|
||||
for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
|
||||
PRUint32 enable, disable;
|
||||
if (!newValue) {
|
||||
value = algOptList[i].val;
|
||||
for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
|
||||
const algListsDef *algOptList = &algOptLists[i];
|
||||
for (j = 0; j < algOptList->entries; j++) {
|
||||
PRUint32 enable, disable;
|
||||
if (!newValue) {
|
||||
value = algOptList->list[j].val;
|
||||
}
|
||||
if (allow) {
|
||||
enable = value;
|
||||
disable = 0;
|
||||
} else {
|
||||
enable = 0;
|
||||
disable = value;
|
||||
}
|
||||
NSS_SetAlgorithmPolicy(algOptList->list[j].oid, enable, disable);
|
||||
}
|
||||
if (allow) {
|
||||
enable = value;
|
||||
disable = 0;
|
||||
} else {
|
||||
enable = 0;
|
||||
disable = value;
|
||||
}
|
||||
NSS_SetAlgorithmPolicy(algOptList[i].oid, enable, disable);
|
||||
}
|
||||
continue;
|
||||
}
|
||||
|
||||
for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
|
||||
const oidValDef *algOpt = &algOptList[i];
|
||||
unsigned name_size = algOpt->name_size;
|
||||
PRBool newOption = PR_FALSE;
|
||||
for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
|
||||
const algListsDef *algOptList = &algOptLists[i];
|
||||
for (j = 0; j < algOptList->entries; j++) {
|
||||
const oidValDef *algOpt = &algOptList->list[j];
|
||||
unsigned name_size = algOpt->name_size;
|
||||
PRBool newOption = PR_FALSE;
|
||||
|
||||
if ((length >= name_size) && (cipher[name_size] == '/')) {
|
||||
newOption = PR_TRUE;
|
||||
}
|
||||
if ((newOption || algOpt->name_size == length) &&
|
||||
PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
|
||||
PRUint32 value = algOpt->val;
|
||||
PRUint32 enable, disable;
|
||||
if (newOption) {
|
||||
value = secmod_parsePolicyValue(&cipher[name_size] + 1,
|
||||
length - name_size - 1);
|
||||
if ((length >= name_size) && (cipher[name_size] == '/')) {
|
||||
newOption = PR_TRUE;
|
||||
}
|
||||
if (allow) {
|
||||
enable = value;
|
||||
disable = 0;
|
||||
} else {
|
||||
enable = 0;
|
||||
disable = value;
|
||||
if ((newOption || algOpt->name_size == length) &&
|
||||
PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
|
||||
PRUint32 value = algOpt->val;
|
||||
PRUint32 enable, disable;
|
||||
if (newOption) {
|
||||
value = secmod_parsePolicyValue(&cipher[name_size] + 1,
|
||||
length - name_size - 1,
|
||||
printPolicyFeedback);
|
||||
}
|
||||
if (allow) {
|
||||
enable = value;
|
||||
disable = 0;
|
||||
} else {
|
||||
enable = 0;
|
||||
disable = value;
|
||||
}
|
||||
rv = NSS_SetAlgorithmPolicy(algOpt->oid, enable, disable);
|
||||
if (rv != SECSuccess) {
|
||||
/* could not enable option */
|
||||
/* NSS_SetAlgorithPolicy should have set the error code */
|
||||
return SECFailure;
|
||||
}
|
||||
unknown = PR_FALSE;
|
||||
break;
|
||||
}
|
||||
rv = NSS_SetAlgorithmPolicy(algOpt->oid, enable, disable);
|
||||
if (rv != SECSuccess) {
|
||||
/* could not enable option */
|
||||
/* NSS_SetAlgorithPolicy should have set the error code */
|
||||
return SECFailure;
|
||||
}
|
||||
unknown = PR_FALSE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!unknown) {
|
||||
|
@ -588,9 +627,19 @@ secmod_applyCryptoPolicy(const char *policyString,
|
|||
|
||||
if ((length > name_size) && cipher[name_size] == '=' &&
|
||||
PORT_Strncasecmp(freeOpt->name, cipher, name_size) == 0) {
|
||||
PRInt32 val = secmod_getPolicyOptValue(&cipher[name_size + 1],
|
||||
length - name_size - 1);
|
||||
|
||||
PRInt32 val;
|
||||
const char *policyValue = &cipher[name_size + 1];
|
||||
int policyValueLength = length - name_size - 1;
|
||||
rv = secmod_getPolicyOptValue(policyValue, policyValueLength,
|
||||
&val);
|
||||
if (rv != SECSuccess) {
|
||||
if (printPolicyFeedback) {
|
||||
PR_SetEnv("NSS_POLICY_FAIL=1");
|
||||
fprintf(stderr, "NSS-POLICY-FAIL %.*s: unknown value: %.*s\n",
|
||||
length, cipher, policyValueLength, policyValue);
|
||||
}
|
||||
return SECFailure;
|
||||
}
|
||||
rv = NSS_OptionSet(freeOpt->option, val);
|
||||
if (rv != SECSuccess) {
|
||||
/* could not enable option */
|
||||
|
@ -603,12 +652,83 @@ secmod_applyCryptoPolicy(const char *policyString,
|
|||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (unknown && printPolicyFeedback) {
|
||||
PR_SetEnv("NSS_POLICY_FAIL=1");
|
||||
fprintf(stderr, "NSS-POLICY-FAIL %s: unknown identifier: %.*s\n",
|
||||
allow ? "allow" : "disallow", length, cipher);
|
||||
}
|
||||
}
|
||||
return rv;
|
||||
}
|
||||
|
||||
static void
|
||||
secmod_sanityCheckCryptoPolicy(void)
|
||||
{
|
||||
unsigned i, j;
|
||||
SECStatus rv = SECSuccess;
|
||||
unsigned num_kx_enabled = 0;
|
||||
unsigned num_ssl_enabled = 0;
|
||||
unsigned num_sig_enabled = 0;
|
||||
unsigned enabledCount[PR_ARRAY_SIZE(algOptLists)];
|
||||
const char *sWarn = "WARN";
|
||||
const char *sInfo = "INFO";
|
||||
PRBool haveWarning = PR_FALSE;
|
||||
|
||||
for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
|
||||
const algListsDef *algOptList = &algOptLists[i];
|
||||
enabledCount[i] = 0;
|
||||
for (j = 0; j < algOptList->entries; j++) {
|
||||
const oidValDef *algOpt = &algOptList->list[j];
|
||||
PRUint32 value;
|
||||
PRBool anyEnabled = PR_FALSE;
|
||||
rv = NSS_GetAlgorithmPolicy(algOpt->oid, &value);
|
||||
if (rv != SECSuccess) {
|
||||
PR_SetEnv("NSS_POLICY_FAIL=1");
|
||||
fprintf(stderr, "NSS-POLICY-FAIL: internal failure with NSS_GetAlgorithmPolicy at %u\n", i);
|
||||
return;
|
||||
}
|
||||
|
||||
if ((algOpt->val & NSS_USE_ALG_IN_SSL_KX) && (value & NSS_USE_ALG_IN_SSL_KX)) {
|
||||
++num_kx_enabled;
|
||||
anyEnabled = PR_TRUE;
|
||||
fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for KX\n", algOpt->name);
|
||||
}
|
||||
if ((algOpt->val & NSS_USE_ALG_IN_SSL) && (value & NSS_USE_ALG_IN_SSL)) {
|
||||
++num_ssl_enabled;
|
||||
anyEnabled = PR_TRUE;
|
||||
fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for SSL\n", algOpt->name);
|
||||
}
|
||||
if ((algOpt->val & NSS_USE_ALG_IN_CERT_SIGNATURE) && (value & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
|
||||
++num_sig_enabled;
|
||||
anyEnabled = PR_TRUE;
|
||||
fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for CERT-SIGNATURE\n", algOpt->name);
|
||||
}
|
||||
if (anyEnabled) {
|
||||
++enabledCount[i];
|
||||
}
|
||||
}
|
||||
}
|
||||
fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-SSL-ALG-KX: %u\n", num_kx_enabled ? sInfo : sWarn, num_kx_enabled);
|
||||
fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-SSL-ALG: %u\n", num_ssl_enabled ? sInfo : sWarn, num_ssl_enabled);
|
||||
fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-CERT-SIG: %u\n", num_sig_enabled ? sInfo : sWarn, num_sig_enabled);
|
||||
if (!num_kx_enabled || !num_ssl_enabled || !num_sig_enabled) {
|
||||
haveWarning = PR_TRUE;
|
||||
}
|
||||
for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
|
||||
const algListsDef *algOptList = &algOptLists[i];
|
||||
fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-%s: %u\n", enabledCount[i] ? sInfo : sWarn, algOptList->description, enabledCount[i]);
|
||||
if (!enabledCount[i]) {
|
||||
haveWarning = PR_TRUE;
|
||||
}
|
||||
}
|
||||
if (haveWarning) {
|
||||
PR_SetEnv("NSS_POLICY_WARN=1");
|
||||
}
|
||||
}
|
||||
|
||||
static SECStatus
|
||||
secmod_parseCryptoPolicy(const char *policyConfig)
|
||||
secmod_parseCryptoPolicy(const char *policyConfig, PRBool printPolicyFeedback)
|
||||
{
|
||||
char *disallow, *allow;
|
||||
SECStatus rv;
|
||||
|
@ -623,16 +743,26 @@ secmod_parseCryptoPolicy(const char *policyConfig)
|
|||
return rv;
|
||||
}
|
||||
disallow = NSSUTIL_ArgGetParamValue("disallow", policyConfig);
|
||||
rv = secmod_applyCryptoPolicy(disallow, PR_FALSE);
|
||||
rv = secmod_applyCryptoPolicy(disallow, PR_FALSE, printPolicyFeedback);
|
||||
if (disallow)
|
||||
PORT_Free(disallow);
|
||||
if (rv != SECSuccess) {
|
||||
return rv;
|
||||
}
|
||||
allow = NSSUTIL_ArgGetParamValue("allow", policyConfig);
|
||||
rv = secmod_applyCryptoPolicy(allow, PR_TRUE);
|
||||
rv = secmod_applyCryptoPolicy(allow, PR_TRUE, printPolicyFeedback);
|
||||
if (allow)
|
||||
PORT_Free(allow);
|
||||
if (rv != SECSuccess) {
|
||||
return rv;
|
||||
}
|
||||
if (printPolicyFeedback) {
|
||||
/* This helps to distinguish configurations that don't contain any
|
||||
* policy config= statement. */
|
||||
PR_SetEnv("NSS_POLICY_LOADED=1");
|
||||
fprintf(stderr, "NSS-POLICY-INFO: LOADED-SUCCESSFULLY\n");
|
||||
secmod_sanityCheckCryptoPolicy();
|
||||
}
|
||||
return rv;
|
||||
}
|
||||
|
||||
|
@ -649,11 +779,16 @@ SECMOD_CreateModuleEx(const char *library, const char *moduleName,
|
|||
char *slotParams, *ciphers;
|
||||
/* pk11pars.h still does not have const char * interfaces */
|
||||
char *nssc = (char *)nss;
|
||||
PRBool printPolicyFeedback = NSSUTIL_ArgHasFlag("flags", "printPolicyFeedback", nssc);
|
||||
|
||||
rv = secmod_parseCryptoPolicy(config);
|
||||
rv = secmod_parseCryptoPolicy(config, printPolicyFeedback);
|
||||
|
||||
/* do not load the module if policy parsing fails */
|
||||
if (rv != SECSuccess) {
|
||||
if (printPolicyFeedback) {
|
||||
PR_SetEnv("NSS_POLICY_FAIL=1");
|
||||
fprintf(stderr, "NSS-POLICY-FAIL: policy config parsing failed, not loading module %s\n", moduleName);
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
@ -1647,6 +1782,7 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse)
|
|||
SECMODModule *module = NULL;
|
||||
SECMODModule *oldModule = NULL;
|
||||
SECStatus rv;
|
||||
PRBool forwardPolicyFeedback = PR_FALSE;
|
||||
|
||||
/* initialize the underlying module structures */
|
||||
SECMOD_Init();
|
||||
|
@ -1659,6 +1795,7 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse)
|
|||
}
|
||||
|
||||
module = SECMOD_CreateModuleEx(library, moduleName, parameters, nss, config);
|
||||
forwardPolicyFeedback = NSSUTIL_ArgHasFlag("flags", "printPolicyFeedback", nss);
|
||||
if (library)
|
||||
PORT_Free(library);
|
||||
if (moduleName)
|
||||
|
@ -1721,7 +1858,15 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse)
|
|||
rv = SECFailure;
|
||||
break;
|
||||
}
|
||||
child = SECMOD_LoadModule(*index, module, PR_TRUE);
|
||||
if (!forwardPolicyFeedback) {
|
||||
child = SECMOD_LoadModule(*index, module, PR_TRUE);
|
||||
} else {
|
||||
/* Add printPolicyFeedback to the nss flags */
|
||||
char *specWithForwards =
|
||||
NSSUTIL_AddNSSFlagToModuleSpec(*index, "printPolicyFeedback");
|
||||
child = SECMOD_LoadModule(specWithForwards, module, PR_TRUE);
|
||||
PORT_Free(specWithForwards);
|
||||
}
|
||||
if (!child)
|
||||
break;
|
||||
if (child->isCritical && !child->loaded) {
|
||||
|
|
|
@ -607,12 +607,32 @@ PK11_FindSlotsByNames(const char *dllName, const char *slotName,
|
|||
return slotList;
|
||||
}
|
||||
|
||||
PK11SlotInfo *
|
||||
PK11_FindSlotByName(const char *name)
|
||||
typedef PRBool (*PK11SlotMatchFunc)(PK11SlotInfo *slot, const void *arg);
|
||||
|
||||
static PRBool
|
||||
pk11_MatchSlotByTokenName(PK11SlotInfo *slot, const void *arg)
|
||||
{
|
||||
return PORT_Strcmp(slot->token_name, arg) == 0;
|
||||
}
|
||||
|
||||
static PRBool
|
||||
pk11_MatchSlotBySerial(PK11SlotInfo *slot, const void *arg)
|
||||
{
|
||||
return PORT_Memcmp(slot->serial, arg, sizeof(slot->serial)) == 0;
|
||||
}
|
||||
|
||||
static PRBool
|
||||
pk11_MatchSlotByTokenURI(PK11SlotInfo *slot, const void *arg)
|
||||
{
|
||||
return pk11_MatchUriTokenInfo(slot, (PK11URI *)arg);
|
||||
}
|
||||
|
||||
static PK11SlotInfo *
|
||||
pk11_FindSlot(const void *arg, PK11SlotMatchFunc func)
|
||||
{
|
||||
SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
|
||||
SECMODModuleList *mlp;
|
||||
SECMODModuleList *modules;
|
||||
SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
|
||||
int i;
|
||||
PK11SlotInfo *slot = NULL;
|
||||
|
||||
|
@ -620,10 +640,6 @@ PK11_FindSlotByName(const char *name)
|
|||
PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
|
||||
return slot;
|
||||
}
|
||||
if ((name == NULL) || (*name == 0)) {
|
||||
return PK11_GetInternalKeySlot();
|
||||
}
|
||||
|
||||
/* work through all the slots */
|
||||
SECMOD_GetReadLock(moduleLock);
|
||||
modules = SECMOD_GetDefaultModuleList();
|
||||
|
@ -631,7 +647,7 @@ PK11_FindSlotByName(const char *name)
|
|||
for (i = 0; i < mlp->module->slotCount; i++) {
|
||||
PK11SlotInfo *tmpSlot = mlp->module->slots[i];
|
||||
if (PK11_IsPresent(tmpSlot)) {
|
||||
if (PORT_Strcmp(tmpSlot->token_name, name) == 0) {
|
||||
if (func(tmpSlot, arg)) {
|
||||
slot = PK11_ReferenceSlot(tmpSlot);
|
||||
break;
|
||||
}
|
||||
|
@ -649,43 +665,41 @@ PK11_FindSlotByName(const char *name)
|
|||
return slot;
|
||||
}
|
||||
|
||||
static PK11SlotInfo *
|
||||
pk11_FindSlotByTokenURI(const char *uriString)
|
||||
{
|
||||
PK11SlotInfo *slot = NULL;
|
||||
PK11URI *uri;
|
||||
|
||||
uri = PK11URI_ParseURI(uriString);
|
||||
if (!uri) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return slot;
|
||||
}
|
||||
|
||||
slot = pk11_FindSlot(uri, pk11_MatchSlotByTokenURI);
|
||||
PK11URI_DestroyURI(uri);
|
||||
return slot;
|
||||
}
|
||||
|
||||
PK11SlotInfo *
|
||||
PK11_FindSlotByName(const char *name)
|
||||
{
|
||||
if ((name == NULL) || (*name == 0)) {
|
||||
return PK11_GetInternalKeySlot();
|
||||
}
|
||||
|
||||
if (!PORT_Strncasecmp(name, "pkcs11:", strlen("pkcs11:"))) {
|
||||
return pk11_FindSlotByTokenURI(name);
|
||||
}
|
||||
|
||||
return pk11_FindSlot(name, pk11_MatchSlotByTokenName);
|
||||
}
|
||||
|
||||
PK11SlotInfo *
|
||||
PK11_FindSlotBySerial(char *serial)
|
||||
{
|
||||
SECMODModuleList *mlp;
|
||||
SECMODModuleList *modules;
|
||||
SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
|
||||
int i;
|
||||
PK11SlotInfo *slot = NULL;
|
||||
|
||||
if (!moduleLock) {
|
||||
PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
|
||||
return slot;
|
||||
}
|
||||
/* work through all the slots */
|
||||
SECMOD_GetReadLock(moduleLock);
|
||||
modules = SECMOD_GetDefaultModuleList();
|
||||
for (mlp = modules; mlp != NULL; mlp = mlp->next) {
|
||||
for (i = 0; i < mlp->module->slotCount; i++) {
|
||||
PK11SlotInfo *tmpSlot = mlp->module->slots[i];
|
||||
if (PK11_IsPresent(tmpSlot)) {
|
||||
if (PORT_Memcmp(tmpSlot->serial, serial,
|
||||
sizeof(tmpSlot->serial)) == 0) {
|
||||
slot = PK11_ReferenceSlot(tmpSlot);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (slot != NULL)
|
||||
break;
|
||||
}
|
||||
SECMOD_ReleaseReadLock(moduleLock);
|
||||
|
||||
if (slot == NULL) {
|
||||
PORT_SetError(SEC_ERROR_NO_TOKEN);
|
||||
}
|
||||
|
||||
return slot;
|
||||
return pk11_FindSlot(serial, pk11_MatchSlotBySerial);
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
@ -328,3 +328,9 @@ SECITEM_MakeItem;
|
|||
;+ local:
|
||||
;+ *;
|
||||
;+};
|
||||
;+NSSUTIL_3.39 { # NSS Utilities 3.39 release
|
||||
;+ global:
|
||||
NSSUTIL_AddNSSFlagToModuleSpec;
|
||||
;+ local:
|
||||
;+ *;
|
||||
;+};
|
||||
|
|
|
@ -674,7 +674,7 @@ PK11URI_ParseURI(const char *string)
|
|||
const char *p = string;
|
||||
SECStatus ret;
|
||||
|
||||
if (strncmp("pkcs11:", p, 7) != 0) {
|
||||
if (PORT_Strncasecmp("pkcs11:", p, 7) != 0) {
|
||||
return NULL;
|
||||
}
|
||||
p += 7;
|
||||
|
|
|
@ -913,6 +913,92 @@ NSSUTIL_MkModuleSpec(char *dllName, char *commonName, char *parameters,
|
|||
return NSSUTIL_MkModuleSpecEx(dllName, commonName, parameters, NSS, NULL);
|
||||
}
|
||||
|
||||
/************************************************************************
|
||||
* add a single flag to the Flags= section inside the spec's NSS= section */
|
||||
char *
|
||||
NSSUTIL_AddNSSFlagToModuleSpec(char *spec, char *addFlag)
|
||||
{
|
||||
const char *prefix = "flags=";
|
||||
const size_t prefixLen = strlen(prefix);
|
||||
char *lib = NULL, *name = NULL, *param = NULL, *nss = NULL, *conf = NULL;
|
||||
char *nss2 = NULL, *result = NULL;
|
||||
SECStatus rv;
|
||||
|
||||
rv = NSSUTIL_ArgParseModuleSpecEx(spec, &lib, &name, ¶m, &nss, &conf);
|
||||
if (rv != SECSuccess) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (nss && NSSUTIL_ArgHasFlag("flags", addFlag, nss)) {
|
||||
/* It's already there, nothing to do! */
|
||||
PORT_Free(lib);
|
||||
PORT_Free(name);
|
||||
PORT_Free(param);
|
||||
PORT_Free(nss);
|
||||
PORT_Free(conf);
|
||||
return PORT_Strdup(spec);
|
||||
}
|
||||
|
||||
if (!nss || !strlen(nss)) {
|
||||
nss2 = PORT_Alloc(prefixLen + strlen(addFlag) + 1);
|
||||
PORT_Strcpy(nss2, prefix);
|
||||
PORT_Strcat(nss2, addFlag);
|
||||
} else {
|
||||
const char *iNss = nss;
|
||||
PRBool alreadyAdded = PR_FALSE;
|
||||
size_t maxSize = strlen(nss) + strlen(addFlag) + prefixLen + 2; /* space and null terminator */
|
||||
nss2 = PORT_Alloc(maxSize);
|
||||
*nss2 = 0;
|
||||
while (*iNss) {
|
||||
iNss = NSSUTIL_ArgStrip(iNss);
|
||||
if (PORT_Strncasecmp(iNss, prefix, prefixLen) == 0) {
|
||||
/* We found an existing Flags= section. */
|
||||
char *oldFlags;
|
||||
const char *valPtr;
|
||||
int valSize;
|
||||
valPtr = iNss + prefixLen;
|
||||
oldFlags = NSSUTIL_ArgFetchValue(valPtr, &valSize);
|
||||
iNss = valPtr + valSize;
|
||||
PORT_Strcat(nss2, prefix);
|
||||
PORT_Strcat(nss2, oldFlags);
|
||||
PORT_Strcat(nss2, ",");
|
||||
PORT_Strcat(nss2, addFlag);
|
||||
PORT_Strcat(nss2, " ");
|
||||
PORT_Free(oldFlags);
|
||||
alreadyAdded = PR_TRUE;
|
||||
iNss = NSSUTIL_ArgStrip(iNss);
|
||||
PORT_Strcat(nss2, iNss); /* remainder of input */
|
||||
break;
|
||||
} else {
|
||||
/* Append this other name=value pair and continue. */
|
||||
const char *startOfNext = NSSUTIL_ArgSkipParameter(iNss);
|
||||
PORT_Strncat(nss2, iNss, (startOfNext - iNss));
|
||||
if (nss2[strlen(nss2) - 1] != ' ') {
|
||||
PORT_Strcat(nss2, " ");
|
||||
}
|
||||
iNss = startOfNext;
|
||||
}
|
||||
iNss = NSSUTIL_ArgStrip(iNss);
|
||||
}
|
||||
if (!alreadyAdded) {
|
||||
/* nss wasn't empty, and it didn't contain a Flags section. We can
|
||||
* assume that other content from nss has already been added to
|
||||
* nss2, which means we already have a trailing space separator. */
|
||||
PORT_Strcat(nss2, prefix);
|
||||
PORT_Strcat(nss2, addFlag);
|
||||
}
|
||||
}
|
||||
|
||||
result = NSSUTIL_MkModuleSpecEx(lib, name, param, nss2, conf);
|
||||
PORT_Free(lib);
|
||||
PORT_Free(name);
|
||||
PORT_Free(param);
|
||||
PORT_Free(nss);
|
||||
PORT_Free(nss2);
|
||||
PORT_Free(conf);
|
||||
return result;
|
||||
}
|
||||
|
||||
#define NSSUTIL_ARG_FORTEZZA_FLAG "FORTEZZA"
|
||||
/******************************************************************************
|
||||
* Parse the cipher flags from the NSS parameter
|
||||
|
|
|
@ -46,6 +46,7 @@ char *NSSUTIL_MkModuleSpec(char *dllName, char *commonName,
|
|||
char *parameters, char *NSS);
|
||||
char *NSSUTIL_MkModuleSpecEx(char *dllName, char *commonName,
|
||||
char *parameters, char *NSS, char *config);
|
||||
char *NSSUTIL_AddNSSFlagToModuleSpec(char *spec, char *addFlag);
|
||||
void NSSUTIL_ArgParseCipherFlags(unsigned long *newCiphers,
|
||||
const char *cipherList);
|
||||
char *NSSUTIL_MkNSSString(char **slotStrings, int slotCount, PRBool internal,
|
||||
|
|
|
@ -247,7 +247,7 @@ def parse_arguments():
|
|||
tests = [
|
||||
"cipher", "lowhash", "chains", "cert", "dbtests", "tools", "fips",
|
||||
"sdr", "crmf", "smime", "ssl", "ocsp", "merge", "pkits", "ec",
|
||||
"gtests", "ssl_gtests", "bogo", "interop"
|
||||
"gtests", "ssl_gtests", "bogo", "interop", "policy"
|
||||
]
|
||||
parser_test.add_argument(
|
||||
'test', choices=tests, help="Available tests", action=testAction)
|
||||
|
|
|
@ -135,6 +135,7 @@
|
|||
'cmd/listsuites/listsuites.gyp:listsuites',
|
||||
'cmd/makepqg/makepqg.gyp:makepqg',
|
||||
'cmd/multinit/multinit.gyp:multinit',
|
||||
'cmd/nss-policy-check/nss-policy-check.gyp:nss-policy-check',
|
||||
'cmd/ocspclnt/ocspclnt.gyp:ocspclnt',
|
||||
'cmd/ocspresp/ocspresp.gyp:ocspresp',
|
||||
'cmd/oidcalc/oidcalc.gyp:oidcalc',
|
||||
|
|
|
@ -97,7 +97,7 @@ e.g. `NSS_TESTS=ssl_gtests ./all.sh` or by changing into the according directory
|
|||
and running the bash script there `cd ssl_gtests && ./ssl_gtests.sh`. The
|
||||
following tests are available:
|
||||
|
||||
cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests bogo
|
||||
cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests bogo policy
|
||||
|
||||
To make tests run faster it's recommended to set `NSS_CYCLES=standard` to run
|
||||
only the standard cycle.
|
||||
|
|
|
@ -37,6 +37,7 @@
|
|||
# memleak.sh - memory leak testing (optional)
|
||||
# ssl_gtests.sh- Gtest based unit tests for ssl
|
||||
# gtests.sh - Gtest based unit tests for everything else
|
||||
# policy.sh - Crypto Policy tests
|
||||
# bogo.sh - Bogo interop tests (disabled by default)
|
||||
# https://boringssl.googlesource.com/boringssl/+/master/ssl/test/PORTING.md
|
||||
# interop.sh - Interoperability tests (disabled by default)
|
||||
|
@ -300,7 +301,7 @@ if [ $NO_INIT_SUPPORT -eq 0 ]; then
|
|||
RUN_FIPS="fips"
|
||||
fi
|
||||
|
||||
tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests"
|
||||
tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy"
|
||||
# Don't run chains tests when we have a gyp build.
|
||||
if [ "$OBJDIR" != "Debug" -a "$OBJDIR" != "Release" ]; then
|
||||
tests="$tests chains"
|
||||
|
|
Двоичный файл не отображается.
|
@ -448,6 +448,27 @@ cert_add_cert()
|
|||
fi
|
||||
cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
|
||||
|
||||
echo "Importing RSA-PSS server certificate"
|
||||
pk12u -i ${QADIR}/cert/TestUser-rsa-pss-interop.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${PROFILEDIR}
|
||||
# Let's get the key ID of the imported private key.
|
||||
KEYID=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
|
||||
grep 'TestUser-rsa-pss-interop$' | sed -n 's/^<.*> [^ ]\{1,\} *\([^ ]\{1,\}\).*/\1/p'`
|
||||
|
||||
CU_ACTION="Generate RSA-PSS Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -k ${KEYID} -f "${R_PWFILE}" \
|
||||
-z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s RSA-PSS Request"
|
||||
NEWSERIAL=`expr ${CERTSERIAL} + 30000`
|
||||
certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
|
||||
-i req -o "${CERTNAME}-rsa-pss.cert" -f "${R_PWFILE}" "$1" 2>&1
|
||||
|
||||
CU_ACTION="Import $CERTNAME's RSA-PSS Cert -t u,u,u"
|
||||
certu -A -n "$CERTNAME-rsa-pss" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
|
||||
-i "${CERTNAME}-rsa-pss.cert" 2>&1
|
||||
cert_log "SUCCESS: $CERTNAME's RSA-PSS Cert Created"
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
|
@ -2103,6 +2124,23 @@ cert_test_implicit_db_init()
|
|||
certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert"
|
||||
}
|
||||
|
||||
cert_test_token_uri()
|
||||
{
|
||||
echo "$SCRIPTNAME: specify token with PKCS#11 URI"
|
||||
|
||||
CERTIFICATE_DB_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*NSS%20Certificate%20DB.*\)/\1/p'`
|
||||
BUILTIN_OBJECTS_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*Builtin%20Object%20Token.*\)/\1/p'`
|
||||
|
||||
CU_ACTION="List keys in NSS Certificate DB"
|
||||
certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${CERTIFICATE_DB_URI}
|
||||
|
||||
# This token shouldn't have any keys
|
||||
CU_ACTION="List keys in NSS Builtin Objects"
|
||||
RETEXPECTED=255
|
||||
certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${BUILTIN_OBJECTS_URI}
|
||||
RETEXPECTED=0
|
||||
}
|
||||
|
||||
check_sign_algo()
|
||||
{
|
||||
certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \
|
||||
|
@ -2475,6 +2513,29 @@ EOF
|
|||
RETEXPECTED=0
|
||||
}
|
||||
|
||||
cert_test_orphan_key_delete()
|
||||
{
|
||||
CU_ACTION="Create orphan key in serverdir"
|
||||
certu -G -k ec -q nistp256 -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR}
|
||||
# Let's get the key ID of the first orphan key.
|
||||
# The output of certutil -K (list keys) isn't well formatted.
|
||||
# The initial <key-number> part may or may not contain white space, which
|
||||
# makes the use of awk to filter the column unreliable.
|
||||
# To fix that, we remove the initial <number> field using sed, then select the
|
||||
# column that contains the key ID.
|
||||
ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
|
||||
sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'`
|
||||
CU_ACTION="Delete orphan key"
|
||||
certu -F -f "${R_PWFILE}" -k ${ORPHAN} -d ${PROFILEDIR}
|
||||
# Ensure that the key is removed
|
||||
certu -K -f "${R_PWFILE}" -d ${PROFILEDIR} | grep ${ORPHAN}
|
||||
RET=$?
|
||||
if [ "$RET" -eq 0 ]; then
|
||||
html_failed "Deleting orphan key ($RET)"
|
||||
cert_log "ERROR: Deleting orphan key failed $RET"
|
||||
fi
|
||||
}
|
||||
|
||||
cert_test_orphan_key_reuse()
|
||||
{
|
||||
CU_ACTION="Create orphan key in serverdir"
|
||||
|
@ -2519,6 +2580,7 @@ cert_all_CA
|
|||
cert_test_implicit_db_init
|
||||
cert_extended_ssl
|
||||
cert_ssl
|
||||
cert_test_orphan_key_delete
|
||||
cert_test_orphan_key_reuse
|
||||
cert_smime_client
|
||||
IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
|
||||
|
@ -2534,6 +2596,7 @@ cert_test_password
|
|||
cert_test_distrust
|
||||
cert_test_ocspresp
|
||||
cert_test_rsapss
|
||||
cert_test_token_uri
|
||||
|
||||
if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
|
||||
cert_crl_ssl
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
# col 1: expected return value of nss-policy-check
|
||||
# col 2: policy config statement, using _ instead of space
|
||||
# col 3: an extended regular expression, expected to match the output
|
||||
# col 4: description of the test
|
||||
#
|
||||
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy
|
||||
0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy
|
||||
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy
|
||||
2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value
|
||||
2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value
|
||||
2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier
|
||||
1 disallow=all NSS-POLICY-WARN.*NUMBER-OF-CERT-SIG disallow all
|
||||
1 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-WARN.*NUMBER-OF-HASH No Hashes
|
||||
1 disallow=ALL_allow=tls-version-min=0:tls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS All TLS versions disabled
|
||||
1 disallow=ALL_allow=dtls-version-min=0:dtls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS All DTLS versions disabled
|
||||
1 disallow=ALL_allow=tls-version-min=tls1.2:tls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS Invalid range of TLS versions
|
||||
1 disallow=ALL_allow=dtls-version-min=tls1.2:dtls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS Invalid range of DTLS versions
|
||||
1 disallow=ALL_allow=tls-version-min=tls1.1:tls-version-max=tls1.2 NSS-POLICY-INFO.*NUMBER-OF-TLS-VERSIONS Valid range of TLS versions
|
||||
1 disallow=ALL_allow=dtls-version-min=tls1.1:dtls-version-max=tls1.2 NSS-POLICY-INFO.*NUMBER-OF-DTLS-VERSIONS Valid range of DTLS versions
|
|
@ -0,0 +1,58 @@
|
|||
#! /bin/bash
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
########################################################################
|
||||
#
|
||||
# mozilla/security/nss/tests/policy/policy.sh
|
||||
#
|
||||
# Script to test NSS crypto policy code
|
||||
#
|
||||
########################################################################
|
||||
|
||||
ignore_blank_lines()
|
||||
{
|
||||
LC_ALL=C grep -v '^[[:space:]]*\(#\|$\)' "$1"
|
||||
}
|
||||
|
||||
policy_run_tests()
|
||||
{
|
||||
html_head "CRYPTO-POLICY"
|
||||
|
||||
POLICY_INPUT=${QADIR}/policy/crypto-policy.txt
|
||||
|
||||
ignore_blank_lines ${POLICY_INPUT} | \
|
||||
while read value policy match testname
|
||||
do
|
||||
echo "$SCRIPTNAME: running \"$testname\" ----------------------------"
|
||||
policy=`echo ${policy} | sed -e 's;_; ;g'`
|
||||
match=`echo ${match} | sed -e 's;_; ;g'`
|
||||
POLICY_FILE="${TMP}/nss-policy"
|
||||
|
||||
echo "$SCRIPTNAME: policy: \"$policy\""
|
||||
|
||||
cat > "$POLICY_FILE" << ++EOF++
|
||||
library=
|
||||
name=Policy
|
||||
NSS=flags=policyOnly,moduleDB
|
||||
++EOF++
|
||||
echo "config=\"${policy}\"" >> "$POLICY_FILE"
|
||||
echo "" >> "$POLICY_FILE"
|
||||
|
||||
nss-policy-check "$POLICY_FILE" >${TMP}/$HOST.tmp.$$ 2>&1
|
||||
ret=$?
|
||||
cat ${TMP}/$HOST.tmp.$$
|
||||
|
||||
html_msg $ret $value "\"${testname}\"" \
|
||||
"produced a returncode of $ret, expected is $value"
|
||||
|
||||
egrep "${match}" ${TMP}/$HOST.tmp.$$
|
||||
ret=$?
|
||||
html_msg $ret 0 "\"${testname}\" output is expected to match \"${match}\""
|
||||
|
||||
done
|
||||
}
|
||||
|
||||
policy_run_tests
|
|
@ -211,22 +211,27 @@ start_selfserv()
|
|||
echo "$SCRIPTNAME: $testname ----"
|
||||
fi
|
||||
sparam=`echo $sparam | sed -e 's;_; ;g'`
|
||||
if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
|
||||
if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
|
||||
ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec"
|
||||
else
|
||||
ECC_OPTIONS=""
|
||||
fi
|
||||
if [ -z "$RSA_PSS_CERT" -o "$RSA_PSS_CERT" != "1" ] ; then
|
||||
RSA_OPTIONS="-n ${HOSTADDR}"
|
||||
else
|
||||
RSA_OPTIONS="-n ${HOSTADDR}-rsa-pss"
|
||||
fi
|
||||
echo "selfserv starting at `date`"
|
||||
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
|
||||
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \\"
|
||||
echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
|
||||
echo " -V ssl3:tls1.2 $verbose -H 1 &"
|
||||
if [ ${fileout} -eq 1 ]; then
|
||||
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
||||
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
|
||||
${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \
|
||||
> ${SERVEROUTFILE} 2>&1 &
|
||||
RET=$?
|
||||
else
|
||||
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
|
||||
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
|
||||
${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 &
|
||||
RET=$?
|
||||
fi
|
||||
|
@ -283,6 +288,13 @@ ssl_cov()
|
|||
echo "${testname}" | grep "EXPORT" > /dev/null
|
||||
EXP=$?
|
||||
|
||||
# RSA-PSS tests are handled in a separate function
|
||||
case $testname in
|
||||
*RSA-PSS)
|
||||
continue
|
||||
;;
|
||||
esac
|
||||
|
||||
echo "$SCRIPTNAME: running $testname ----------------------------"
|
||||
VMAX="ssl3"
|
||||
if [ "$testmax" = "TLS10" ]; then
|
||||
|
@ -313,6 +325,59 @@ ssl_cov()
|
|||
html "</TABLE><BR>"
|
||||
}
|
||||
|
||||
ssl_cov_rsa_pss()
|
||||
{
|
||||
#verbose="-v"
|
||||
html_head "SSL Cipher Coverage (RSA-PSS) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
|
||||
|
||||
testname=""
|
||||
sparam="$CIPHER_SUITES"
|
||||
|
||||
if [ "$NORM_EXT" = "Extended Test" ] ; then
|
||||
echo "$SCRIPTNAME: skipping SSL Cipher Coverage (RSA-PSS) for $NORM_EXT"
|
||||
return 0
|
||||
fi
|
||||
|
||||
RSA_PSS_CERT=1
|
||||
NO_ECC_CERTS=1
|
||||
start_selfserv # Launch the server
|
||||
RSA_PSS_CERT=0
|
||||
NO_ECC_CERTS=0
|
||||
|
||||
VMIN="tls1.2"
|
||||
VMAX="tls1.2"
|
||||
|
||||
ignore_blank_lines ${SSLCOV} | \
|
||||
while read ectype testmax param testname
|
||||
do
|
||||
case $testname in
|
||||
*RSA-PSS)
|
||||
;;
|
||||
*)
|
||||
continue
|
||||
;;
|
||||
esac
|
||||
|
||||
echo "$SCRIPTNAME: running $testname (RSA-PSS) ----------------------------"
|
||||
|
||||
echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
|
||||
echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
|
||||
|
||||
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
|
||||
${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
|
||||
-d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
|
||||
>${TMP}/$HOST.tmp.$$ 2>&1
|
||||
ret=$?
|
||||
cat ${TMP}/$HOST.tmp.$$
|
||||
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
|
||||
html_msg $ret 0 "${testname}" \
|
||||
"produced a returncode of $ret, expected is 0"
|
||||
done
|
||||
|
||||
kill_selfserv
|
||||
html "</TABLE><BR>"
|
||||
}
|
||||
|
||||
############################## ssl_auth ################################
|
||||
# local shell function to perform SSL Client Authentication tests
|
||||
########################################################################
|
||||
|
@ -1152,6 +1217,7 @@ ssl_run()
|
|||
;;
|
||||
"cov")
|
||||
ssl_cov
|
||||
ssl_cov_rsa_pss
|
||||
;;
|
||||
"auth")
|
||||
ssl_auth
|
||||
|
|
|
@ -141,3 +141,8 @@
|
|||
ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
ECC TLS12 :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
ECC TLS12 :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
#
|
||||
# Test against server with RSA-PSS server certificate
|
||||
#
|
||||
ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - RSA-PSS
|
||||
ECC TLS12 :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - RSA-PSS
|
||||
|
|
Загрузка…
Ссылка в новой задаче