Bug 1420060, NSS_3_35_BETA1, r=franziskus

UPGRADE_NSS_RELEASE
This commit is contained in:
Kai Engert 2018-01-11 14:09:34 +01:00
Родитель d37fa86e02
Коммит d0abca54ea
37 изменённых файлов: 589 добавлений и 702 удалений

Просмотреть файл

@ -1 +1 @@
04fc9a90997b
NSS_3_35_BETA1

Просмотреть файл

@ -17,8 +17,8 @@ apt_packages+=('locales')
apt-get install -y --no-install-recommends ${apt_packages[@]}
# Download clang.
curl -L http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz -o clang.tar.xz
curl -L http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig -o clang.tar.xz.sig
curl -L https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz -o clang.tar.xz
curl -L https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig -o clang.tar.xz.sig
# Verify the signature.
gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
gpg --verify clang.tar.xz.sig

Просмотреть файл

@ -25,8 +25,8 @@ apt-get -y update
apt-get install -y --no-install-recommends ${apt_packages[@]}
# Download clang.
curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
# Verify the signature.
gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
gpg --verify *.tar.xz.sig

Просмотреть файл

@ -10,8 +10,8 @@ update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 200
update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 200
# Get clang-format-3.9
curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
# Verify the signature.
gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
gpg --verify *.tar.xz.sig

Просмотреть файл

@ -48,8 +48,8 @@ apt-get -y update
apt-get install -y --no-install-recommends ${apt_packages[@]}
# Download clang.
curl -LO http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz
curl -LO http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
curl -LO https://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz
curl -LO https://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
# Verify the signature.
gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
gpg --verify *.tar.xz.sig

Просмотреть файл

@ -82,8 +82,8 @@ queue.filter(task => {
}
if (task.group == "Test") {
// Don't run test builds on old make platforms
if (task.collection == "make") {
// Don't run test builds on old make platforms, and not for fips gyp.
if (task.collection == "make" || task.collection == "fips") {
return false;
}
}
@ -196,6 +196,12 @@ export default async function main() {
features: ["allowPtrace"],
}, "--ubsan --asan");
await scheduleLinux("Linux 64 (FIPS opt)", {
platform: "linux64",
collection: "fips",
image: LINUX_IMAGE,
}, "--enable-fips --opt");
await scheduleWindows("Windows 2012 64 (debug, make)", {
platform: "windows2012-64",
collection: "make",
@ -368,7 +374,6 @@ async function scheduleLinux(name, base, args = "") {
parent: extra_build,
symbol: "Certs-F",
group: "FIPS",
env: { NSS_TEST_ENABLE_FIPS: "1" }
}));
// Schedule FIPS tests.
@ -811,7 +816,6 @@ async function scheduleWindows(name, base, build_script) {
parent: extra_build,
symbol: "Certs-F",
group: "FIPS",
env: { NSS_TEST_ENABLE_FIPS: "1" }
}));
// Schedule FIPS tests.

Просмотреть файл

@ -22,7 +22,7 @@ function parseOptions(opts) {
}
// Parse platforms.
let allPlatforms = ["linux", "linux64", "linux64-asan",
let allPlatforms = ["linux", "linux64", "linux64-asan", "linux64-fips",
"win", "win64", "win-make", "win64-make",
"linux64-make", "linux-make", "linux-fuzz",
"linux64-fuzz", "aarch64", "mac"];
@ -111,6 +111,7 @@ function filter(opts) {
"linux": "linux32",
"linux-fuzz": "linux32",
"linux64-asan": "linux64",
"linux64-fips": "linux64",
"linux64-fuzz": "linux64",
"linux64-make": "linux64",
"linux-make": "linux32",
@ -126,6 +127,8 @@ function filter(opts) {
// Additional checks.
if (platform == "linux64-asan") {
keep &= coll("asan");
} else if (platform == "linux64-fips") {
keep &= coll("fips");
} else if (platform == "linux64-make" || platform == "linux-make" ||
platform == "win64-make" || platform == "win-make") {
keep &= coll("make");

Просмотреть файл

@ -1053,6 +1053,18 @@ ListModules(void)
return SECSuccess;
}
static void
PrintBuildFlags()
{
#ifdef NSS_FIPS_DISABLED
PR_fprintf(PR_STDOUT, "NSS_FIPS_DISABLED\n");
#endif
#ifdef NSS_NO_INIT_SUPPORT
PR_fprintf(PR_STDOUT, "NSS_NO_INIT_SUPPORT\n");
#endif
exit(0);
}
static void
PrintSyntax(char *progName)
{
@ -1100,6 +1112,7 @@ PrintSyntax(char *progName)
FPS "\t%s -L [-n cert-name] [-h token-name] [--email email-address]\n",
progName);
FPS "\t\t [-X] [-r] [-a] [--dump-ext-val OID] [-d certdir] [-P dbprefix]\n");
FPS "\t%s --build-flags\n", progName);
FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n",
progName);
FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n", progName);
@ -1812,6 +1825,18 @@ luS(enum usage_level ul, const char *command)
FPS "\n");
}
static void
luBuildFlags(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "build-flags"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Print enabled build flags relevant for NSS test execution\n",
"--build-flags");
if (ul == usage_selected && !is_my_command)
return;
FPS "\n");
}
static void
LongUsage(char *progName, enum usage_level ul, const char *command)
{
@ -1826,6 +1851,7 @@ LongUsage(char *progName, enum usage_level ul, const char *command)
luU(ul, command);
luK(ul, command);
luL(ul, command);
luBuildFlags(ul, command);
luM(ul, command);
luN(ul, command);
luT(ul, command);
@ -2401,6 +2427,7 @@ enum {
cmd_Merge,
cmd_UpgradeMerge, /* test only */
cmd_Rename,
cmd_BuildFlags,
max_cmd
};
@ -2503,7 +2530,9 @@ static const secuCommandFlag commands_init[] =
{ /* cmd_UpgradeMerge */ 0, PR_FALSE, 0, PR_FALSE,
"upgrade-merge" },
{ /* cmd_Rename */ 0, PR_FALSE, 0, PR_FALSE,
"rename" }
"rename" },
{ /* cmd_BuildFlags */ 0, PR_FALSE, 0, PR_FALSE,
"build-flags" }
};
#define NUM_COMMANDS ((sizeof commands_init) / (sizeof commands_init[0]))
@ -2690,6 +2719,10 @@ certutil_main(int argc, char **argv, PRBool initialize)
exit(1);
}
if (certutil.commands[cmd_BuildFlags].activated) {
PrintBuildFlags();
}
if (certutil.options[opt_PasswordFile].arg) {
pwdata.source = PW_FROMFILE;
pwdata.data = certutil.options[opt_PasswordFile].arg;
@ -3138,7 +3171,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
certutil.commands[cmd_CreateAndAddCert].activated ||
certutil.commands[cmd_AddCert].activated ||
certutil.commands[cmd_AddEmailCert].activated) {
if (PK11_NeedUserInit(slot)) {
if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
char *password = NULL;
/* fetch the password from the command line or the file
* if no password is supplied, initialize the password to NULL */

Просмотреть файл

@ -128,6 +128,7 @@
[ 'disable_fips==1', {
'defines': [
'NSS_FIPS_DISABLED',
'NSS_NO_INIT_SUPPORT',
],
}],
[ 'OS!="android" and OS!="mac" and OS!="win"', {
@ -299,7 +300,6 @@
'Common': {
'abstract': 1,
'defines': [
'NSS_NO_INIT_SUPPORT',
'USE_UTIL_DIRECTLY',
'NO_NSPR_10_SUPPORT',
'SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES',

Просмотреть файл

@ -10,4 +10,3 @@
*/
#error "Do not include this header file."

Просмотреть файл

@ -53,5 +53,9 @@ TEST_F(RSANewKeyTest, WrongKeysizeTest) {
TEST_F(RSANewKeyTest, expThreeTest) {
ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x03));
#ifdef NSS_FIPS_DISABLED
ASSERT_TRUE(key != nullptr);
#else
ASSERT_TRUE(key == nullptr);
#endif
}

Просмотреть файл

@ -1,4 +1,8 @@
#include <cstdlib>
#if defined(_WIN32)
#include <windows.h>
#include <codecvt>
#endif
#include "cert.h"
#include "certdb.h"
@ -34,6 +38,7 @@ class ScopedUniqueDirectory {
~ScopedUniqueDirectory() { assert(rmdir(mPath.c_str()) == 0); }
const std::string &GetPath() { return mPath; }
const std::string &GetUTF8Path() { return mUTF8Path; }
private:
static const int RETRY_LIMIT = 5;
@ -41,6 +46,7 @@ class ScopedUniqueDirectory {
static bool TryMakingDirectory(/*in/out*/ std::string &prefix);
std::string mPath;
std::string mUTF8Path;
};
ScopedUniqueDirectory::ScopedUniqueDirectory(const std::string &prefix) {
@ -60,6 +66,18 @@ ScopedUniqueDirectory::ScopedUniqueDirectory(const std::string &prefix) {
}
}
assert(mPath.length() > 0);
#if defined(_WIN32)
// sqldb always uses UTF-8 regardless of the current system locale.
DWORD len =
MultiByteToWideChar(CP_ACP, 0, mPath.data(), mPath.size(), nullptr, 0);
std::vector<wchar_t> buf(len, L'\0');
MultiByteToWideChar(CP_ACP, 0, mPath.data(), mPath.size(), buf.data(),
buf.size());
std::wstring_convert<std::codecvt_utf8_utf16<wchar_t>> converter;
mUTF8Path = converter.to_bytes(std::wstring(buf.begin(), buf.end()));
#else
mUTF8Path = mPath;
#endif
}
void ScopedUniqueDirectory::GenerateRandomName(std::string &prefix) {
@ -84,10 +102,11 @@ bool ScopedUniqueDirectory::TryMakingDirectory(std::string &prefix) {
class SoftokenTest : public ::testing::Test {
protected:
SoftokenTest() : mNSSDBDir("SoftokenTest.d-") {}
SoftokenTest(const std::string &prefix) : mNSSDBDir(prefix) {}
virtual void SetUp() {
std::string nssInitArg("sql:");
nssInitArg.append(mNSSDBDir.GetPath());
nssInitArg.append(mNSSDBDir.GetUTF8Path());
ASSERT_EQ(SECSuccess, NSS_Initialize(nssInitArg.c_str(), "", "", SECMOD_DB,
NSS_INIT_NOROOTINIT));
}
@ -202,6 +221,19 @@ TEST_F(SoftokenTest, CreateObjectChangeToEmptyPassword) {
EXPECT_NE(nullptr, obj);
}
class SoftokenNonAsciiTest : public SoftokenTest {
protected:
SoftokenNonAsciiTest() : SoftokenTest("SoftokenTest.\xF7-") {}
};
TEST_F(SoftokenNonAsciiTest, NonAsciiPathWorking) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
EXPECT_EQ(SECSuccess, PK11_ResetToken(slot.get(), nullptr));
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
}
// This is just any X509 certificate. Its contents don't matter.
static unsigned char certDER[] = {
0x30, 0x82, 0x01, 0xEF, 0x30, 0x82, 0x01, 0x94, 0xA0, 0x03, 0x02, 0x01,

Просмотреть файл

@ -31,7 +31,7 @@ const static uint8_t kCannedTls13ClientHello[] = {
0x00, 0x00, 0xa0, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x09, 0x00, 0x00, 0x06,
0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
0x0a, 0x00, 0x12, 0x00, 0x10, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x01,
0x00, 0x01, 0x01, 0x01, 0x02, 0x01, 0x03, 0x01, 0x04, 0x00, 0x28, 0x00,
0x00, 0x01, 0x01, 0x01, 0x02, 0x01, 0x03, 0x01, 0x04, 0x00, 0x33, 0x00,
0x47, 0x00, 0x45, 0x00, 0x17, 0x00, 0x41, 0x04, 0x86, 0x4a, 0xb9, 0xdc,
0x6a, 0x38, 0xa7, 0xce, 0xe7, 0xc2, 0x4f, 0xa6, 0x28, 0xb9, 0xdc, 0x65,
0xbf, 0x73, 0x47, 0x3c, 0x9c, 0x65, 0x8c, 0x47, 0x6d, 0x57, 0x22, 0x8a,
@ -47,7 +47,7 @@ const static uint8_t kCannedTls13ServerHello[] = {
0x03, 0x03, 0x9c, 0xbc, 0x14, 0x9b, 0x0e, 0x2e, 0xfa, 0x0d, 0xf3,
0xf0, 0x5c, 0x70, 0x7a, 0xe0, 0xd1, 0x9b, 0x3e, 0x5a, 0x44, 0x6b,
0xdf, 0xe5, 0xc2, 0x28, 0x64, 0xf7, 0x00, 0xc1, 0x9c, 0x08, 0x76,
0x08, 0x00, 0x13, 0x01, 0x00, 0x00, 0x2e, 0x00, 0x28, 0x00, 0x24,
0x08, 0x00, 0x13, 0x01, 0x00, 0x00, 0x2e, 0x00, 0x33, 0x00, 0x24,
0x00, 0x1d, 0x00, 0x20, 0xc2, 0xcf, 0x23, 0x17, 0x64, 0x23, 0x03,
0xf0, 0xfb, 0x45, 0x98, 0x26, 0xd1, 0x65, 0x24, 0xa1, 0x6c, 0xa9,
0x80, 0x8f, 0x2c, 0xac, 0x0a, 0xea, 0x53, 0x3a, 0xcb, 0xe3, 0x08,

Просмотреть файл

@ -50,6 +50,7 @@ static const uint16_t kManyExtensions[] = {
ssl_supported_groups_xtn,
ssl_ec_point_formats_xtn,
ssl_signature_algorithms_xtn,
ssl_signature_algorithms_cert_xtn,
ssl_use_srtp_xtn,
ssl_app_layer_protocol_xtn,
ssl_signed_cert_timestamp_xtn,

Просмотреть файл

@ -3656,7 +3656,7 @@ END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\000
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@ -3815,7 +3815,7 @@ END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\000
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@ -5109,149 +5109,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "DST ACES CA X6"
#
# Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
# Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9
# Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
# Not Valid Before: Thu Nov 20 21:19:58 2003
# Not Valid After : Mon Nov 20 21:19:58 2017
# Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8
# Fingerprint (SHA1): 40:54:DA:6F:1C:3F:40:74:AC:ED:0F:EC:CD:DB:79:D1:53:FB:90:1D
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "DST ACES CA X6"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\133\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\040\060\036\006\003\125\004\012\023\027\104\151\147\151\164\141
\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
\164\061\021\060\017\006\003\125\004\013\023\010\104\123\124\040
\101\103\105\123\061\027\060\025\006\003\125\004\003\023\016\104
\123\124\040\101\103\105\123\040\103\101\040\130\066
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\133\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\040\060\036\006\003\125\004\012\023\027\104\151\147\151\164\141
\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
\164\061\021\060\017\006\003\125\004\013\023\010\104\123\124\040
\101\103\105\123\061\027\060\025\006\003\125\004\003\023\016\104
\123\124\040\101\103\105\123\040\103\101\040\130\066
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\020\015\136\231\012\326\235\267\170\354\330\007\126\073\206
\025\331
END
CKA_VALUE MULTILINE_OCTAL
\060\202\004\011\060\202\002\361\240\003\002\001\002\002\020\015
\136\231\012\326\235\267\170\354\330\007\126\073\206\025\331\060
\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\133
\061\013\060\011\006\003\125\004\006\023\002\125\123\061\040\060
\036\006\003\125\004\012\023\027\104\151\147\151\164\141\154\040
\123\151\147\156\141\164\165\162\145\040\124\162\165\163\164\061
\021\060\017\006\003\125\004\013\023\010\104\123\124\040\101\103
\105\123\061\027\060\025\006\003\125\004\003\023\016\104\123\124
\040\101\103\105\123\040\103\101\040\130\066\060\036\027\015\060
\063\061\061\062\060\062\061\061\071\065\070\132\027\015\061\067
\061\061\062\060\062\061\061\071\065\070\132\060\133\061\013\060
\011\006\003\125\004\006\023\002\125\123\061\040\060\036\006\003
\125\004\012\023\027\104\151\147\151\164\141\154\040\123\151\147
\156\141\164\165\162\145\040\124\162\165\163\164\061\021\060\017
\006\003\125\004\013\023\010\104\123\124\040\101\103\105\123\061
\027\060\025\006\003\125\004\003\023\016\104\123\124\040\101\103
\105\123\040\103\101\040\130\066\060\202\001\042\060\015\006\011
\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000
\060\202\001\012\002\202\001\001\000\271\075\365\054\311\224\334
\165\212\225\135\143\350\204\167\166\146\271\131\221\134\106\335
\222\076\237\371\016\003\264\075\141\222\275\043\046\265\143\356
\222\322\236\326\074\310\015\220\137\144\201\261\250\010\015\114
\330\371\323\005\050\122\264\001\045\305\225\034\014\176\076\020
\204\165\317\301\031\221\143\317\350\250\221\210\271\103\122\273
\200\261\125\211\213\061\372\320\267\166\276\101\075\060\232\244
\042\045\027\163\350\036\342\323\254\052\275\133\070\041\325\052
\113\327\125\175\343\072\125\275\327\155\153\002\127\153\346\107
\174\010\310\202\272\336\247\207\075\241\155\270\060\126\302\263
\002\201\137\055\365\342\232\060\030\050\270\146\323\313\001\226
\157\352\212\105\125\326\340\235\377\147\053\027\002\246\116\032
\152\021\013\176\267\173\347\230\326\214\166\157\301\073\333\120
\223\176\345\320\216\037\067\270\275\272\306\237\154\351\174\063
\362\062\074\046\107\372\047\044\002\311\176\035\133\210\102\023
\152\065\174\175\065\351\056\146\221\162\223\325\062\046\304\164
\365\123\243\263\135\232\366\011\313\002\003\001\000\001\243\201
\310\060\201\305\060\017\006\003\125\035\023\001\001\377\004\005
\060\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004
\004\003\002\001\306\060\037\006\003\125\035\021\004\030\060\026
\201\024\160\153\151\055\157\160\163\100\164\162\165\163\164\144
\163\164\056\143\157\155\060\142\006\003\125\035\040\004\133\060
\131\060\127\006\012\140\206\110\001\145\003\002\001\001\001\060
\111\060\107\006\010\053\006\001\005\005\007\002\001\026\073\150
\164\164\160\072\057\057\167\167\167\056\164\162\165\163\164\144
\163\164\056\143\157\155\057\143\145\162\164\151\146\151\143\141
\164\145\163\057\160\157\154\151\143\171\057\101\103\105\123\055
\151\156\144\145\170\056\150\164\155\154\060\035\006\003\125\035
\016\004\026\004\024\011\162\006\116\030\103\017\345\326\314\303
\152\213\061\173\170\217\250\203\270\060\015\006\011\052\206\110
\206\367\015\001\001\005\005\000\003\202\001\001\000\243\330\216
\326\262\333\316\005\347\062\315\001\323\004\003\345\166\344\126
\053\234\231\220\350\010\060\154\337\175\075\356\345\277\265\044
\100\204\111\341\321\050\256\304\302\072\123\060\210\361\365\167
\156\121\312\372\377\231\257\044\137\033\240\375\362\254\204\312
\337\251\360\137\004\056\255\026\277\041\227\020\201\075\343\377
\207\215\062\334\224\345\107\212\136\152\023\311\224\225\075\322
\356\310\064\225\320\200\324\255\062\010\200\124\074\340\275\122
\123\327\122\174\262\151\077\177\172\317\152\164\312\372\004\052
\234\114\132\006\245\351\040\255\105\146\017\151\361\335\277\351
\343\062\213\372\340\301\206\115\162\074\056\330\223\170\012\052
\370\330\322\047\075\031\211\137\132\173\212\073\314\014\332\121
\256\307\013\367\053\260\067\005\354\274\127\043\342\070\322\233
\150\363\126\022\210\117\102\174\270\061\304\265\333\344\310\041
\064\351\110\021\065\356\372\307\222\127\305\237\064\344\307\366
\367\016\013\114\234\150\170\173\161\061\307\353\036\340\147\101
\363\267\240\247\315\345\172\063\066\152\372\232\053
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# Trust for Certificate "DST ACES CA X6"
# Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
# Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9
# Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US
# Not Valid Before: Thu Nov 20 21:19:58 2003
# Not Valid After : Mon Nov 20 21:19:58 2017
# Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8
# Fingerprint (SHA1): 40:54:DA:6F:1C:3F:40:74:AC:ED:0F:EC:CD:DB:79:D1:53:FB:90:1D
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "DST ACES CA X6"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\100\124\332\157\034\077\100\164\254\355\017\354\315\333\171\321
\123\373\220\035
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\041\330\114\202\053\231\011\063\242\353\024\044\215\216\137\350
END
CKA_ISSUER MULTILINE_OCTAL
\060\133\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\040\060\036\006\003\125\004\012\023\027\104\151\147\151\164\141
\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
\164\061\021\060\017\006\003\125\004\013\023\010\104\123\124\040
\101\103\105\123\061\027\060\025\006\003\125\004\003\023\016\104
\123\124\040\101\103\105\123\040\103\101\040\130\066
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\020\015\136\231\012\326\235\267\170\354\330\007\126\073\206
\025\331
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "SwissSign Platinum CA - G2"
#
@ -6916,142 +6773,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Security Communication EV RootCA1"
#
# Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
# Serial Number: 0 (0x0)
# Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
# Not Valid Before: Wed Jun 06 02:12:32 2007
# Not Valid After : Sat Jun 06 02:12:32 2037
# Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3
# Fingerprint (SHA1): FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Security Communication EV RootCA1"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061
\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023
\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103
\101\061
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061
\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023
\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103
\101\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\000
END
CKA_VALUE MULTILINE_OCTAL
\060\202\003\175\060\202\002\145\240\003\002\001\002\002\001\000
\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061\045
\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040\124
\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117\056
\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023\041
\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156\151
\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103\101
\061\060\036\027\015\060\067\060\066\060\066\060\062\061\062\063
\062\132\027\015\063\067\060\066\060\066\060\062\061\062\063\062
\132\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120
\061\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115
\040\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103
\117\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013
\023\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165
\156\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164
\103\101\061\060\202\001\042\060\015\006\011\052\206\110\206\367
\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
\202\001\001\000\274\177\354\127\233\044\340\376\234\272\102\171
\251\210\212\372\200\340\365\007\051\103\352\216\012\064\066\215
\034\372\247\265\071\170\377\227\165\367\057\344\252\153\004\204
\104\312\246\342\150\216\375\125\120\142\017\244\161\016\316\007
\070\055\102\205\120\255\074\226\157\213\325\242\016\317\336\111
\211\075\326\144\056\070\345\036\154\265\127\212\236\357\110\016
\315\172\151\026\207\104\265\220\344\006\235\256\241\004\227\130
\171\357\040\112\202\153\214\042\277\354\037\017\351\204\161\355
\361\016\344\270\030\023\314\126\066\135\321\232\036\121\153\071
\156\140\166\210\064\013\363\263\321\260\235\312\141\342\144\035
\301\106\007\270\143\335\036\063\145\263\216\011\125\122\075\265
\275\377\007\353\255\141\125\030\054\251\151\230\112\252\100\305
\063\024\145\164\000\371\221\336\257\003\110\305\100\124\334\017
\204\220\150\040\305\222\226\334\056\345\002\105\252\300\137\124
\370\155\352\111\317\135\154\113\257\357\232\302\126\134\306\065
\126\102\152\060\137\302\253\366\342\075\077\263\311\021\217\061
\114\327\237\111\002\003\001\000\001\243\102\060\100\060\035\006
\003\125\035\016\004\026\004\024\065\112\365\115\257\077\327\202
\070\254\253\161\145\027\165\214\235\125\223\346\060\016\006\003
\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006
\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
\000\250\207\351\354\370\100\147\135\303\301\146\307\100\113\227
\374\207\023\220\132\304\357\240\312\137\213\267\247\267\361\326
\265\144\267\212\263\270\033\314\332\373\254\146\210\101\316\350
\374\344\333\036\210\246\355\047\120\033\002\060\044\106\171\376
\004\207\160\227\100\163\321\300\301\127\031\232\151\245\047\231
\253\235\142\204\366\121\301\054\311\043\025\330\050\267\253\045
\023\265\106\341\206\002\377\046\214\304\210\222\035\126\376\031
\147\362\125\344\200\243\153\234\253\167\341\121\161\015\040\333
\020\232\333\275\166\171\007\167\231\050\255\232\136\332\261\117
\104\054\065\216\245\226\307\375\203\360\130\306\171\326\230\174
\250\215\376\206\076\007\026\222\341\173\347\035\354\063\166\176
\102\056\112\205\371\221\211\150\204\003\201\245\233\232\276\343
\067\305\124\253\126\073\030\055\101\244\014\370\102\333\231\240
\340\162\157\273\135\341\026\117\123\012\144\371\116\364\277\116
\124\275\170\154\210\352\277\234\023\044\302\160\151\242\177\017
\310\074\255\010\311\260\230\100\243\052\347\210\203\355\167\217
\164
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# Trust for Certificate "Security Communication EV RootCA1"
# Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
# Serial Number: 0 (0x0)
# Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
# Not Valid Before: Wed Jun 06 02:12:32 2007
# Not Valid After : Sat Jun 06 02:12:32 2037
# Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3
# Fingerprint (SHA1): FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Security Communication EV RootCA1"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\376\270\304\062\334\371\166\232\316\256\075\330\220\217\375\050
\206\145\144\175
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\042\055\246\001\352\174\012\367\360\154\126\103\077\167\166\323
END
CKA_ISSUER MULTILINE_OCTAL
\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061
\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023
\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103
\101\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\000
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "OISTE WISeKey Global Root GA CA"
#
@ -14478,169 +14199,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "CA Disig Root R1"
#
# Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
# Serial Number:00:c3:03:9a:ee:50:90:6e:28
# Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
# Not Valid Before: Thu Jul 19 09:06:56 2012
# Not Valid After : Sat Jul 19 09:06:56 2042
# Fingerprint (MD5): BE:EC:11:93:9A:F5:69:21:BC:D7:C1:C0:67:89:CC:2A
# Fingerprint (SHA1): 8E:1C:74:F8:A6:20:B9:E5:8A:F4:61:FA:EC:2B:47:56:51:1A:52:C6
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "CA Disig Root R1"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061
\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163
\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104
\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125
\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
\164\040\122\061
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061
\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163
\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104
\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125
\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
\164\040\122\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\011\000\303\003\232\356\120\220\156\050
END
CKA_VALUE MULTILINE_OCTAL
\060\202\005\151\060\202\003\121\240\003\002\001\002\002\011\000
\303\003\232\356\120\220\156\050\060\015\006\011\052\206\110\206
\367\015\001\001\005\005\000\060\122\061\013\060\011\006\003\125
\004\006\023\002\123\113\061\023\060\021\006\003\125\004\007\023
\012\102\162\141\164\151\163\154\141\166\141\061\023\060\021\006
\003\125\004\012\023\012\104\151\163\151\147\040\141\056\163\056
\061\031\060\027\006\003\125\004\003\023\020\103\101\040\104\151
\163\151\147\040\122\157\157\164\040\122\061\060\036\027\015\061
\062\060\067\061\071\060\071\060\066\065\066\132\027\015\064\062
\060\067\061\071\060\071\060\066\065\066\132\060\122\061\013\060
\011\006\003\125\004\006\023\002\123\113\061\023\060\021\006\003
\125\004\007\023\012\102\162\141\164\151\163\154\141\166\141\061
\023\060\021\006\003\125\004\012\023\012\104\151\163\151\147\040
\141\056\163\056\061\031\060\027\006\003\125\004\003\023\020\103
\101\040\104\151\163\151\147\040\122\157\157\164\040\122\061\060
\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001
\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000
\252\303\170\367\334\230\243\247\132\136\167\030\262\335\004\144
\017\143\375\233\226\011\200\325\350\252\245\342\234\046\224\072
\350\231\163\214\235\337\327\337\203\363\170\117\100\341\177\322
\247\322\345\312\023\223\347\355\306\167\137\066\265\224\257\350
\070\216\333\233\345\174\273\314\215\353\165\163\341\044\315\346
\247\055\031\056\330\326\212\153\024\353\010\142\012\330\334\263
\000\115\303\043\174\137\103\010\043\062\022\334\355\014\255\300
\175\017\245\172\102\331\132\160\331\277\247\327\001\034\366\233
\253\216\267\112\206\170\240\036\126\061\256\357\202\012\200\101
\367\033\311\256\253\062\046\324\054\153\355\175\153\344\342\136
\042\012\105\313\204\061\115\254\376\333\321\107\272\371\140\227
\071\261\145\307\336\373\231\344\012\042\261\055\115\345\110\046
\151\253\342\252\363\373\374\222\051\062\351\263\076\115\037\047
\241\315\216\271\027\373\045\076\311\156\363\167\332\015\022\366
\135\307\273\066\020\325\124\326\363\340\342\107\110\346\336\024
\332\141\122\257\046\264\365\161\117\311\327\322\006\337\143\312
\377\041\350\131\006\340\010\325\204\025\123\367\103\345\174\305
\240\211\230\153\163\306\150\316\145\336\275\177\005\367\261\356
\366\127\241\140\225\305\314\352\223\072\276\231\256\233\002\243
\255\311\026\265\316\335\136\231\170\176\032\071\176\262\300\005
\244\300\202\245\243\107\236\214\352\134\266\274\147\333\346\052
\115\322\004\334\243\256\105\367\274\213\234\034\247\326\325\003
\334\010\313\056\026\312\134\100\063\350\147\303\056\347\246\104
\352\021\105\034\065\145\055\036\105\141\044\033\202\056\245\235
\063\135\145\370\101\371\056\313\224\077\037\243\014\061\044\104
\355\307\136\255\120\272\306\101\233\254\360\027\145\300\370\135
\157\133\240\012\064\074\356\327\352\210\237\230\371\257\116\044
\372\227\262\144\166\332\253\364\355\343\303\140\357\325\371\002
\310\055\237\203\257\147\151\006\247\061\125\325\317\113\157\377
\004\005\307\130\254\137\026\033\345\322\243\353\061\333\037\063
\025\115\320\362\245\123\365\313\341\075\116\150\055\330\022\335
\252\362\346\115\233\111\345\305\050\241\272\260\132\306\240\265
\002\003\001\000\001\243\102\060\100\060\017\006\003\125\035\023
\001\001\377\004\005\060\003\001\001\377\060\016\006\003\125\035
\017\001\001\377\004\004\003\002\001\006\060\035\006\003\125\035
\016\004\026\004\024\211\012\264\070\223\032\346\253\356\233\221
\030\371\365\074\076\065\320\323\202\060\015\006\011\052\206\110
\206\367\015\001\001\005\005\000\003\202\002\001\000\062\213\366
\235\112\311\276\024\345\214\254\070\312\072\011\324\033\316\206
\263\335\353\324\272\050\276\022\256\105\054\004\164\254\023\121
\305\130\030\146\115\202\332\325\334\223\300\047\341\276\174\237
\122\236\022\126\366\325\234\251\364\165\234\372\067\022\217\034
\223\354\127\376\007\017\253\325\022\367\017\256\141\136\126\200
\111\365\374\060\365\233\117\037\101\057\034\204\323\211\307\342
\332\002\166\355\011\317\154\301\270\034\203\034\026\372\224\315
\175\240\310\030\322\310\235\156\365\275\151\324\155\075\065\350
\036\242\117\140\327\007\051\374\262\243\244\235\156\025\222\126
\031\114\012\260\351\174\322\031\115\102\106\354\275\375\366\127
\133\335\230\176\244\115\314\162\003\203\130\135\357\223\072\101
\172\143\252\174\072\250\365\254\244\321\335\242\055\266\052\374
\237\001\216\342\020\261\304\312\344\147\333\125\045\031\077\375
\350\066\176\263\341\341\201\257\021\026\213\120\227\140\031\202
\000\300\153\115\163\270\321\023\007\076\352\266\061\117\360\102
\232\155\342\021\164\345\224\254\215\204\225\074\041\257\305\332
\107\310\337\071\142\142\313\133\120\013\327\201\100\005\234\233
\355\272\266\213\036\004\157\226\040\071\355\244\175\051\333\110
\316\202\334\324\002\215\035\004\061\132\307\113\360\154\141\122
\327\264\121\302\201\154\315\341\373\247\241\322\222\166\317\261
\017\067\130\244\362\122\161\147\077\014\210\170\200\211\301\310
\265\037\222\143\276\247\172\212\126\054\032\250\246\234\265\135
\263\143\320\023\040\241\353\221\154\320\215\175\257\337\013\344
\027\271\206\236\070\261\224\014\130\214\340\125\252\073\143\155
\232\211\140\270\144\052\222\306\067\364\176\103\103\267\163\350
\001\347\177\227\017\327\362\173\031\375\032\327\217\311\372\205
\153\172\235\236\211\266\246\050\231\223\210\100\367\076\315\121
\243\312\352\357\171\107\041\265\376\062\342\307\303\121\157\276
\200\164\360\244\303\072\362\117\351\137\337\031\012\362\073\023
\103\254\061\244\263\347\353\374\030\326\001\251\363\052\217\066
\016\353\264\261\274\267\114\311\153\277\241\363\331\364\355\342
\360\343\355\144\236\075\057\226\122\117\200\123\213
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# Trust for "CA Disig Root R1"
# Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
# Serial Number:00:c3:03:9a:ee:50:90:6e:28
# Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
# Not Valid Before: Thu Jul 19 09:06:56 2012
# Not Valid After : Sat Jul 19 09:06:56 2042
# Fingerprint (MD5): BE:EC:11:93:9A:F5:69:21:BC:D7:C1:C0:67:89:CC:2A
# Fingerprint (SHA1): 8E:1C:74:F8:A6:20:B9:E5:8A:F4:61:FA:EC:2B:47:56:51:1A:52:C6
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "CA Disig Root R1"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\216\034\164\370\246\040\271\345\212\364\141\372\354\053\107\126
\121\032\122\306
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\276\354\021\223\232\365\151\041\274\327\301\300\147\211\314\052
END
CKA_ISSUER MULTILINE_OCTAL
\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061
\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163
\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104
\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125
\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
\164\040\122\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\011\000\303\003\232\356\120\220\156\050
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "CA Disig Root R2"
#
@ -17672,188 +17230,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
#
# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
# Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae
# Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
# Not Valid Before: Thu Mar 26 00:00:00 2009
# Not Valid After : Sun Mar 24 23:59:59 2019
# Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14
# Fingerprint (SHA1): 76:44:59:78:1B:AC:B0:47:63:A5:D0:A1:58:91:65:26:1F:29:8E:3B
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\201\265\061\013\060\011\006\003\125\004\006\023\002\125\123
\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
\163\164\040\116\145\164\167\157\162\153\061\073\060\071\006\003
\125\004\013\023\062\124\145\162\155\163\040\157\146\040\165\163
\145\040\141\164\040\150\164\164\160\163\072\057\057\167\167\167
\056\166\145\162\151\163\151\147\156\056\143\157\155\057\162\160
\141\040\050\143\051\060\071\061\057\060\055\006\003\125\004\003
\023\046\126\145\162\151\123\151\147\156\040\103\154\141\163\163
\040\063\040\123\145\143\165\162\145\040\123\145\162\166\145\162
\040\103\101\040\055\040\107\062
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
\125\004\013\023\061\050\143\051\040\062\060\060\066\040\126\145
\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
\165\164\150\157\162\151\164\171\040\055\040\107\065
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\020\057\000\156\315\027\160\146\347\137\243\202\012\171\037
\005\256
END
CKA_VALUE MULTILINE_OCTAL
\060\202\005\071\060\202\004\041\240\003\002\001\002\002\020\057
\000\156\315\027\160\146\347\137\243\202\012\171\037\005\256\060
\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
\312\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027
\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147
\156\054\040\111\156\143\056\061\037\060\035\006\003\125\004\013
\023\026\126\145\162\151\123\151\147\156\040\124\162\165\163\164
\040\116\145\164\167\157\162\153\061\072\060\070\006\003\125\004
\013\023\061\050\143\051\040\062\060\060\066\040\126\145\162\151
\123\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162
\040\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040
\157\156\154\171\061\105\060\103\006\003\125\004\003\023\074\126
\145\162\151\123\151\147\156\040\103\154\141\163\163\040\063\040
\120\165\142\154\151\143\040\120\162\151\155\141\162\171\040\103
\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
\150\157\162\151\164\171\040\055\040\107\065\060\036\027\015\060
\071\060\063\062\066\060\060\060\060\060\060\132\027\015\061\071
\060\063\062\064\062\063\065\071\065\071\132\060\201\265\061\013
\060\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006
\003\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040
\111\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126
\145\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145
\164\167\157\162\153\061\073\060\071\006\003\125\004\013\023\062
\124\145\162\155\163\040\157\146\040\165\163\145\040\141\164\040
\150\164\164\160\163\072\057\057\167\167\167\056\166\145\162\151
\163\151\147\156\056\143\157\155\057\162\160\141\040\050\143\051
\060\071\061\057\060\055\006\003\125\004\003\023\046\126\145\162
\151\123\151\147\156\040\103\154\141\163\163\040\063\040\123\145
\143\165\162\145\040\123\145\162\166\145\162\040\103\101\040\055
\040\107\062\060\202\001\042\060\015\006\011\052\206\110\206\367
\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
\202\001\001\000\324\126\217\127\073\067\050\246\100\143\322\225
\325\005\164\332\265\031\152\226\326\161\127\057\342\300\064\214
\240\225\263\214\341\067\044\363\056\355\103\105\005\216\211\327
\372\332\112\265\370\076\215\116\307\371\111\120\105\067\100\237
\164\252\240\121\125\141\361\140\204\211\245\236\200\215\057\260
\041\252\105\202\304\317\264\024\177\107\025\040\050\202\260\150
\022\300\256\134\007\327\366\131\314\313\142\126\134\115\111\377
\046\210\253\124\121\072\057\112\332\016\230\342\211\162\271\374
\367\150\074\304\037\071\172\313\027\201\363\014\255\017\334\141
\142\033\020\013\004\036\051\030\161\136\142\313\103\336\276\061
\272\161\002\031\116\046\251\121\332\214\144\151\003\336\234\375
\175\375\173\141\274\374\204\174\210\134\264\303\173\355\137\053
\106\022\361\375\000\001\232\213\133\351\243\005\056\217\056\133
\336\363\033\170\370\146\221\010\300\136\316\325\260\066\312\324
\250\173\240\175\371\060\172\277\370\335\031\121\053\040\272\376
\247\317\241\116\260\147\365\200\252\053\203\056\322\216\124\211
\216\036\051\013\002\003\001\000\001\243\202\001\054\060\202\001
\050\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001
\001\377\002\001\000\060\016\006\003\125\035\017\001\001\377\004
\004\003\002\001\006\060\051\006\003\125\035\021\004\042\060\040
\244\036\060\034\061\032\060\030\006\003\125\004\003\023\021\103
\154\141\163\163\063\103\101\062\060\064\070\055\061\055\065\062
\060\035\006\003\125\035\016\004\026\004\024\245\357\013\021\316
\300\101\003\243\112\145\220\110\262\034\340\127\055\175\107\060
\146\006\003\125\035\040\004\137\060\135\060\133\006\013\140\206
\110\001\206\370\105\001\007\027\003\060\114\060\043\006\010\053
\006\001\005\005\007\002\001\026\027\150\164\164\160\163\072\057
\057\144\056\163\171\155\143\142\056\143\157\155\057\143\160\163
\060\045\006\010\053\006\001\005\005\007\002\002\060\031\032\027
\150\164\164\160\163\072\057\057\144\056\163\171\155\143\142\056
\143\157\155\057\162\160\141\060\057\006\003\125\035\037\004\050
\060\046\060\044\240\042\240\040\206\036\150\164\164\160\072\057
\057\163\056\163\171\155\143\142\056\143\157\155\057\160\143\141
\063\055\147\065\056\143\162\154\060\037\006\003\125\035\043\004
\030\060\026\200\024\177\323\145\247\302\335\354\273\360\060\011
\363\103\071\372\002\257\063\061\063\060\015\006\011\052\206\110
\206\367\015\001\001\005\005\000\003\202\001\001\000\053\216\024
\314\354\206\010\140\067\213\154\145\211\045\041\336\057\122\242
\007\236\130\323\263\026\170\001\231\121\225\264\023\167\314\167
\335\013\134\201\067\326\276\366\142\326\004\067\013\030\163\232
\323\366\301\242\036\155\234\273\214\021\346\076\022\136\007\137
\013\203\134\164\002\340\120\364\261\046\033\155\306\350\351\277
\115\271\001\025\031\354\120\232\371\021\360\201\130\103\054\115
\021\100\263\132\106\010\246\136\163\241\210\022\065\214\377\003
\072\275\326\235\372\347\334\226\271\032\144\076\304\375\331\012
\266\145\236\272\245\250\130\374\073\042\360\242\127\356\212\127
\107\234\167\307\045\341\254\064\005\115\363\202\176\101\043\272
\264\127\363\347\306\001\145\327\115\211\231\034\151\115\136\170
\366\353\162\161\075\262\304\225\001\237\135\014\267\057\045\246
\134\171\101\357\236\304\147\074\241\235\177\161\072\320\225\227
\354\170\102\164\230\156\276\076\150\114\127\074\250\223\101\207
\013\344\271\257\221\373\120\114\014\272\300\044\047\321\025\333
\145\110\041\012\057\327\334\176\240\314\145\176\171
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# Trust for "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
# Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae
# Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
# Not Valid Before: Thu Mar 26 00:00:00 2009
# Not Valid After : Sun Mar 24 23:59:59 2019
# Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14
# Fingerprint (SHA1): 76:44:59:78:1B:AC:B0:47:63:A5:D0:A1:58:91:65:26:1F:29:8E:3B
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\166\104\131\170\033\254\260\107\143\245\320\241\130\221\145\046
\037\051\216\073
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\277\022\155\372\174\325\133\046\171\072\215\252\021\357\057\134
END
CKA_ISSUER MULTILINE_OCTAL
\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
\125\004\013\023\061\050\143\051\040\062\060\060\066\040\126\145
\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
\165\164\150\157\162\151\164\171\040\055\040\107\065
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\020\057\000\156\315\027\160\146\347\137\243\202\012\171\037
\005\256
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Staat der Nederlanden Root CA - G3"
#

Просмотреть файл

@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 20
#define NSS_BUILTINS_LIBRARY_VERSION "2.20"
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 22
#define NSS_BUILTINS_LIBRARY_VERSION "2.22"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

Просмотреть файл

@ -1984,13 +1984,14 @@ sec_GetHashMechanismByOidTag(SECOidTag tag)
return CKM_SHA384;
case SEC_OID_SHA256:
return CKM_SHA256;
case SEC_OID_SHA224:
return CKM_SHA224;
case SEC_OID_SHA1:
return CKM_SHA_1;
default:
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
/* fallthrough */
case SEC_OID_SHA1:
break;
return CKM_INVALID_MECHANISM;
}
return CKM_SHA_1;
}
static CK_RSA_PKCS_MGF_TYPE
@ -2003,13 +2004,14 @@ sec_GetMgfTypeByOidTag(SECOidTag tag)
return CKG_MGF1_SHA384;
case SEC_OID_SHA256:
return CKG_MGF1_SHA256;
case SEC_OID_SHA224:
return CKG_MGF1_SHA224;
case SEC_OID_SHA1:
return CKG_MGF1_SHA1;
default:
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
/* fallthrough */
case SEC_OID_SHA1:
break;
return 0;
}
return CKG_MGF1_SHA1;
}
SECStatus
@ -2019,6 +2021,7 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
SECStatus rv = SECSuccess;
SECOidTag hashAlgTag;
unsigned long saltLength;
unsigned long trailerField;
PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS));
@ -2028,6 +2031,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
hashAlgTag = SEC_OID_SHA1; /* default, SHA-1 */
}
mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag);
if (mech->hashAlg == CKM_INVALID_MECHANISM) {
return SECFailure;
}
if (params->maskAlg) {
SECAlgorithmID maskHashAlg;
@ -2050,6 +2056,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
}
maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg);
mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag);
if (mech->mgf == 0) {
return SECFailure;
}
} else {
mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */
}
@ -2064,5 +2073,18 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
}
mech->sLen = saltLength;
if (params->trailerField.data) {
rv = SEC_ASN1DecodeInteger((SECItem *)&params->trailerField, &trailerField);
if (rv != SECSuccess) {
return rv;
}
if (trailerField != 1) {
/* the value must be 1, which represents the trailer field
* with hexadecimal value 0xBC */
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
}
return rv;
}

Просмотреть файл

@ -540,7 +540,10 @@ FC_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
crv = NSC_GetTokenInfo(slotID, pInfo);
if (crv == CKR_OK) {
if ((pInfo->flags & CKF_LOGIN_REQUIRED) == 0) {
/* use the global database to figure out if we are running in
* FIPS 140 Level 1 or Level 2 */
if (slotID == FIPS_SLOT_ID &&
(pInfo->flags & CKF_LOGIN_REQUIRED) == 0) {
isLevel2 = PR_FALSE;
}
}
@ -616,7 +619,8 @@ FC_InitPIN(CK_SESSION_HANDLE hSession,
* we need to make sure the pin meets FIPS requirements */
if ((ulPinLen == 0) || ((rv = sftk_newPinCheck(pPin, ulPinLen)) == CKR_OK)) {
rv = NSC_InitPIN(hSession, pPin, ulPinLen);
if (rv == CKR_OK) {
if ((rv == CKR_OK) &&
(sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
isLevel2 = (ulPinLen > 0) ? PR_TRUE : PR_FALSE;
}
}
@ -644,7 +648,8 @@ FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
if ((rv = sftk_fipsCheck()) == CKR_OK &&
(rv = sftk_newPinCheck(pNewPin, usNewLen)) == CKR_OK) {
rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
if (rv == CKR_OK) {
if ((rv == CKR_OK) &&
(sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
/* if we set the password in level1 we now go
* to level2. NOTE: we don't allow the user to
* go from level2 to level1 */
@ -705,11 +710,23 @@ FC_GetSessionInfo(CK_SESSION_HANDLE hSession,
rv = NSC_GetSessionInfo(hSession, pInfo);
if (rv == CKR_OK) {
if ((isLoggedIn) && (pInfo->state == CKS_RO_PUBLIC_SESSION)) {
pInfo->state = CKS_RO_USER_FUNCTIONS;
}
if ((isLoggedIn) && (pInfo->state == CKS_RW_PUBLIC_SESSION)) {
pInfo->state = CKS_RW_USER_FUNCTIONS;
/* handle the case where the auxilary slot doesn't require login.
* piggy back on the main token's login state */
if (isLoggedIn &&
((pInfo->state == CKS_RO_PUBLIC_SESSION) ||
(pInfo->state == CKS_RW_PUBLIC_SESSION))) {
CK_RV crv;
CK_TOKEN_INFO tInfo;
crv = NSC_GetTokenInfo(sftk_SlotIDFromSessionHandle(hSession),
&tInfo);
/* if the token doesn't login, use our global login state */
if ((crv == CKR_OK) && ((tInfo.flags & CKF_LOGIN_REQUIRED) == 0)) {
if (pInfo->state == CKS_RO_PUBLIC_SESSION) {
pInfo->state = CKS_RO_USER_FUNCTIONS;
} else {
pInfo->state = CKS_RW_USER_FUNCTIONS;
}
}
}
}
return rv;

Просмотреть файл

@ -2364,17 +2364,22 @@ sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all)
return slot;
}
SFTKSlot *
sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
CK_SLOT_ID
sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle)
{
CK_ULONG slotIDIndex = (handle >> 24) & 0x7f;
CK_ULONG moduleIndex = (handle >> 31) & 1;
if (slotIDIndex >= nscSlotCount[moduleIndex]) {
return NULL;
return (CK_SLOT_ID)-1;
}
return nscSlotList[moduleIndex][slotIDIndex];
}
return sftk_SlotFromID(nscSlotList[moduleIndex][slotIDIndex], PR_FALSE);
SFTKSlot *
sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
{
return sftk_SlotFromID(sftk_SlotIDFromSessionHandle(handle), PR_FALSE);
}
static CK_RV

Просмотреть файл

@ -667,6 +667,7 @@ extern CK_RV sftk_handleObject(SFTKObject *object, SFTKSession *session);
extern SFTKSlot *sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all);
extern SFTKSlot *sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle);
extern CK_SLOT_ID sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle);
extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle);
extern void sftk_FreeSession(SFTKSession *session);
extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,

Просмотреть файл

@ -37,6 +37,7 @@
#elif defined(XP_UNIX)
#include <unistd.h>
#endif
#include "utilpars.h"
#ifdef SQLITE_UNSAFE_THREADS
#include "prlock.h"
@ -190,6 +191,34 @@ sdb_done(int err, int *count)
return 0;
}
#if defined(_WIN32)
/*
* NSPR functions and narrow CRT functions do not handle UTF-8 file paths that
* sqlite3 expects.
*/
static int
sdb_chmod(const char *filename, int pmode)
{
int result;
if (!filename) {
return -1;
}
wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
if (!filenameWide) {
return -1;
}
result = _wchmod(filenameWide, pmode);
PORT_Free(filenameWide);
return result;
}
#else
#define sdb_chmod(filename, pmode) chmod((filename), (pmode))
#endif
/*
* find out where sqlite stores the temp tables. We do this by replicating
* the logic from sqlite.
@ -1739,7 +1768,7 @@ sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate,
* sqlite3 will always create it.
*/
LOCK_SQLITE();
create = (PR_Access(dbname, PR_ACCESS_EXISTS) != PR_SUCCESS);
create = (_NSSUTIL_Access(dbname, PR_ACCESS_EXISTS) != PR_SUCCESS);
if ((flags == SDB_RDONLY) && create) {
error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
goto loser;
@ -1756,7 +1785,7 @@ sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate,
*
* NO NSPR call for chmod? :(
*/
if (create && chmod(dbname, 0600) != 0) {
if (create && sdb_chmod(dbname, 0600) != 0) {
error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
goto loser;
}

Просмотреть файл

@ -83,6 +83,10 @@ CK_RV s_open(const char *directory, const char *certPrefix,
int flags, SDB **certdb, SDB **keydb, int *newInit);
CK_RV s_shutdown();
#if defined(_WIN32)
wchar_t *sdb_UTF8ToWide(const char *buf);
#endif
/* flags */
#define SDB_RDONLY 1
#define SDB_RDWR 2

Просмотреть файл

@ -28,6 +28,9 @@
#include "utilpars.h"
#include "secerr.h"
#include "softoken.h"
#if defined(_WIN32)
#include <windows.h>
#endif
/*
* We want all databases to have the same binary representation independent of
@ -2509,6 +2512,53 @@ sftk_oldVersionExists(const char *dir, int version)
return PR_FALSE;
}
#if defined(_WIN32)
/*
* Convert an sdb path (encoded in UTF-8) to a legacy path (encoded in the
* current system codepage). Fails if the path contains a character outside
* the current system codepage.
*/
static char *
sftk_legacyPathFromSDBPath(const char *confdir)
{
wchar_t *confdirWide;
DWORD size;
char *nconfdir;
BOOL unmappable;
if (!confdir) {
return NULL;
}
confdirWide = _NSSUTIL_UTF8ToWide(confdir);
if (!confdirWide) {
return NULL;
}
size = WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS, confdirWide, -1,
NULL, 0, NULL, &unmappable);
if (size == 0 || unmappable) {
PORT_Free(confdirWide);
return NULL;
}
nconfdir = PORT_Alloc(sizeof(char) * size);
if (!nconfdir) {
PORT_Free(confdirWide);
return NULL;
}
size = WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS, confdirWide, -1,
nconfdir, size, NULL, &unmappable);
PORT_Free(confdirWide);
if (size == 0 || unmappable) {
PORT_Free(nconfdir);
return NULL;
}
return nconfdir;
}
#else
#define sftk_legacyPathFromSDBPath(confdir) PORT_Strdup((confdir))
#endif
static PRBool
sftk_hasLegacyDB(const char *confdir, const char *certPrefix,
const char *keyPrefix, int certVersion, int keyVersion)
@ -2568,6 +2618,7 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
int flags = SDB_RDONLY;
PRBool newInit = PR_FALSE;
PRBool needUpdate = PR_FALSE;
char *nconfdir = NULL;
if (!readOnly) {
flags = SDB_CREATE;
@ -2606,11 +2657,14 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
* the exists.
*/
if (crv != CKR_OK) {
if (((flags & SDB_RDONLY) == SDB_RDONLY) &&
sftk_hasLegacyDB(confdir, certPrefix, keyPrefix, 8, 3)) {
if ((flags & SDB_RDONLY) == SDB_RDONLY) {
nconfdir = sftk_legacyPathFromSDBPath(confdir);
}
if (nconfdir &&
sftk_hasLegacyDB(nconfdir, certPrefix, keyPrefix, 8, 3)) {
/* we have legacy databases, if we failed to open the new format
* DB's read only, just use the legacy ones */
crv = sftkdbCall_open(confdir, certPrefix,
crv = sftkdbCall_open(nconfdir, certPrefix,
keyPrefix, 8, 3, flags,
noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB);
}
@ -2639,7 +2693,10 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
/* if the new format DB was also a newly created DB, and we
* succeeded, then need to update that new database with data
* from the existing legacy DB */
if (sftk_hasLegacyDB(confdir, certPrefix, keyPrefix, 8, 3)) {
nconfdir = sftk_legacyPathFromSDBPath(confdir);
if (nconfdir &&
sftk_hasLegacyDB(nconfdir, certPrefix, keyPrefix, 8, 3)) {
confdir = nconfdir;
needUpdate = PR_TRUE;
}
}
@ -2712,6 +2769,9 @@ done:
if (appName) {
PORT_Free(appName);
}
if (nconfdir) {
PORT_Free(nconfdir);
}
return forceOpen ? CKR_OK : crv;
}

Просмотреть файл

@ -16,7 +16,7 @@ typedef PRUint16 SSL3ProtocolVersion;
/* The TLS 1.3 draft version. Used to avoid negotiating
* between incompatible pre-standard TLS 1.3 drafts.
* TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */
#define TLS_1_3_DRAFT_VERSION 22
#define TLS_1_3_DRAFT_VERSION 23
typedef PRUint16 ssl3CipherSuite;
/* The cipher suites are defined in sslproto.h */

Просмотреть файл

@ -425,7 +425,7 @@ typedef enum {
ssl_padding_xtn = 21,
ssl_extended_master_secret_xtn = 23,
ssl_session_ticket_xtn = 35,
ssl_tls13_key_share_xtn = 40,
/* 40 was used in draft versions of TLS 1.3; it is now reserved. */
ssl_tls13_pre_shared_key_xtn = 41,
ssl_tls13_early_data_xtn = 42,
ssl_tls13_supported_versions_xtn = 43,
@ -433,6 +433,8 @@ typedef enum {
ssl_tls13_psk_key_exchange_modes_xtn = 45,
ssl_tls13_ticket_early_data_info_xtn = 46, /* Deprecated. */
ssl_tls13_certificate_authorities_xtn = 47,
ssl_signature_algorithms_cert_xtn = 50,
ssl_tls13_key_share_xtn = 51,
ssl_next_proto_nego_xtn = 13172, /* Deprecated. */
ssl_renegotiation_info_xtn = 0xff01,
ssl_tls13_short_header_xtn = 0xff03 /* Deprecated. */
@ -444,7 +446,7 @@ typedef enum {
/* SSL_MAX_EXTENSIONS includes the maximum number of extensions that are
* supported for any single message type. That is, a ClientHello; ServerHello
* and TLS 1.3 NewSessionTicket and HelloRetryRequest extensions have fewer. */
#define SSL_MAX_EXTENSIONS 19
#define SSL_MAX_EXTENSIONS 20
/* Deprecated */
typedef enum {

Просмотреть файл

@ -4725,6 +4725,8 @@ static const struct {
{ ssl_server_name_xtn, _M2(client_hello, encrypted_extensions) },
{ ssl_supported_groups_xtn, _M2(client_hello, encrypted_extensions) },
{ ssl_signature_algorithms_xtn, _M2(client_hello, certificate_request) },
{ ssl_signature_algorithms_cert_xtn, _M2(client_hello,
certificate_request) },
{ ssl_use_srtp_xtn, _M2(client_hello, encrypted_extensions) },
{ ssl_app_layer_protocol_xtn, _M2(client_hello, encrypted_extensions) },
{ ssl_padding_xtn, _M1(client_hello) },

Просмотреть файл

@ -315,3 +315,11 @@ NSS_SecureMemcmpZero;
;+ local:
;+ *;
;+};
;-NSSUTIL_3.35 { # NSS Utilities 3.35 release
;- global:
;-# private exports for softoken
_NSSUTIL_UTF8ToWide;-
_NSSUTIL_Access;-
;- local:
;- *;
;-};

Просмотреть файл

@ -24,6 +24,7 @@
#if defined(_WIN32)
#include <io.h>
#include <windows.h>
#endif
#ifdef XP_UNIX
#include <unistd.h>
@ -34,15 +35,184 @@
#include <fcntl.h>
#if defined(_WIN32)
#define os_open _open
#define os_fdopen _fdopen
#define os_stat _stat
#define os_truncate_open_flags _O_CREAT | _O_RDWR | _O_TRUNC
#define os_append_open_flags _O_CREAT | _O_RDWR | _O_APPEND
#define os_open_permissions_type int
#define os_open_permissions_default _S_IREAD | _S_IWRITE
#define os_stat_type struct _stat
/*
* Convert a UTF8 string to Unicode wide character
*/
LPWSTR
_NSSUTIL_UTF8ToWide(const char *buf)
{
DWORD size;
LPWSTR wide;
if (!buf) {
return NULL;
}
size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, NULL, 0);
if (size == 0) {
return NULL;
}
wide = PORT_Alloc(sizeof(WCHAR) * size);
if (!wide) {
return NULL;
}
size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, wide, size);
if (size == 0) {
PORT_Free(wide);
return NULL;
}
return wide;
}
static int
os_open(const char *filename, int oflag, int pmode)
{
int fd;
if (!filename) {
return -1;
}
wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
if (!filenameWide) {
return -1;
}
fd = _wopen(filenameWide, oflag, pmode);
PORT_Free(filenameWide);
return fd;
}
static int
os_stat(const char *path, os_stat_type *buffer)
{
int result;
if (!path) {
return -1;
}
wchar_t *pathWide = _NSSUTIL_UTF8ToWide(path);
if (!pathWide) {
return -1;
}
result = _wstat(pathWide, buffer);
PORT_Free(pathWide);
return result;
}
static FILE *
os_fopen(const char *filename, const char *mode)
{
FILE *fp;
if (!filename || !mode) {
return NULL;
}
wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
if (!filenameWide) {
return NULL;
}
wchar_t *modeWide = _NSSUTIL_UTF8ToWide(mode);
if (!modeWide) {
PORT_Free(filenameWide);
return NULL;
}
fp = _wfopen(filenameWide, modeWide);
PORT_Free(filenameWide);
PORT_Free(modeWide);
return fp;
}
PRStatus
_NSSUTIL_Access(const char *path, PRAccessHow how)
{
int result;
if (!path) {
return PR_FAILURE;
}
int mode;
switch (how) {
case PR_ACCESS_WRITE_OK:
mode = 2;
break;
case PR_ACCESS_READ_OK:
mode = 4;
break;
case PR_ACCESS_EXISTS:
mode = 0;
break;
default:
return PR_FAILURE;
}
wchar_t *pathWide = _NSSUTIL_UTF8ToWide(path);
if (!pathWide) {
return PR_FAILURE;
}
result = _waccess(pathWide, mode);
PORT_Free(pathWide);
return result < 0 ? PR_FAILURE : PR_SUCCESS;
}
static PRStatus
nssutil_Delete(const char *name)
{
BOOL result;
if (!name) {
return PR_FAILURE;
}
wchar_t *nameWide = _NSSUTIL_UTF8ToWide(name);
if (!nameWide) {
return PR_FAILURE;
}
result = DeleteFileW(nameWide);
PORT_Free(nameWide);
return result ? PR_SUCCESS : PR_FAILURE;
}
static PRStatus
nssutil_Rename(const char *from, const char *to)
{
BOOL result;
if (!from || !to) {
return PR_FAILURE;
}
wchar_t *fromWide = _NSSUTIL_UTF8ToWide(from);
if (!fromWide) {
return PR_FAILURE;
}
wchar_t *toWide = _NSSUTIL_UTF8ToWide(to);
if (!toWide) {
PORT_Free(fromWide);
return PR_FAILURE;
}
result = MoveFileW(fromWide, toWide);
PORT_Free(fromWide);
PORT_Free(toWide);
return result ? PR_SUCCESS : PR_FAILURE;
}
#else
#define os_fopen fopen
#define os_open open
#define os_fdopen fdopen
#define os_stat stat
@ -51,6 +221,8 @@
#define os_open_permissions_type mode_t
#define os_open_permissions_default 0600
#define os_stat_type struct stat
#define nssutil_Delete PR_Delete
#define nssutil_Rename PR_Rename
#endif
/****************************************************************
@ -219,7 +391,7 @@ nssutil_ReadSecmodDB(const char *appName,
}
/* do we really want to use streams here */
fd = fopen(dbname, "r");
fd = os_fopen(dbname, "r");
if (fd == NULL)
goto done;
@ -403,7 +575,7 @@ done:
}
/* old one exists */
status = PR_Access(olddbname, PR_ACCESS_EXISTS);
status = _NSSUTIL_Access(olddbname, PR_ACCESS_EXISTS);
if (status == PR_SUCCESS) {
PR_smprintf_free(olddbname);
PORT_ZFree(moduleList, useCount * sizeof(char *));
@ -532,7 +704,7 @@ nssutil_DeleteSecmodDBEntry(const char *appName,
}
/* do we really want to use streams here */
fd = fopen(dbname, "r");
fd = os_fopen(dbname, "r");
if (fd == NULL)
goto loser;
@ -602,10 +774,10 @@ nssutil_DeleteSecmodDBEntry(const char *appName,
fclose(fd2);
if (found) {
/* rename dbname2 to dbname */
PR_Delete(dbname);
PR_Rename(dbname2, dbname);
nssutil_Delete(dbname);
nssutil_Rename(dbname2, dbname);
} else {
PR_Delete(dbname2);
nssutil_Delete(dbname2);
}
PORT_Free(dbname2);
PORT_Free(lib);
@ -621,7 +793,7 @@ loser:
fclose(fd2);
}
if (dbname2) {
PR_Delete(dbname2);
nssutil_Delete(dbname2);
PORT_Free(dbname2);
}
PORT_Free(lib);

Просмотреть файл

@ -589,6 +589,7 @@ struct nssutilArgSlotFlagTable {
}
static struct nssutilArgSlotFlagTable nssutil_argSlotFlagTable[] = {
NSSUTIL_ARG_ENTRY(RSA, SECMOD_RSA_FLAG),
NSSUTIL_ARG_ENTRY(ECC, SECMOD_ECC_FLAG),
NSSUTIL_ARG_ENTRY(DSA, SECMOD_RSA_FLAG),
NSSUTIL_ARG_ENTRY(RC2, SECMOD_RC4_FLAG),
NSSUTIL_ARG_ENTRY(RC4, SECMOD_RC2_FLAG),

Просмотреть файл

@ -59,5 +59,11 @@ char *NSSUTIL_MkNSSString(char **slotStrings, int slotCount, PRBool internal,
char *_NSSUTIL_GetSecmodName(const char *param, NSSDBType *dbType,
char **appName, char **filename, PRBool *rw);
const char *_NSSUTIL_EvaluateConfigDir(const char *configdir, NSSDBType *dbType, char **app);
#if defined(_WIN32)
wchar_t *_NSSUTIL_UTF8ToWide(const char *buf);
PRStatus _NSSUTIL_Access(const char *path, PRAccessHow how);
#else
#define _NSSUTIL_Access(path, how) PR_Access((path), (how))
#endif
#endif /* _UTILPARS_H_ */

Просмотреть файл

@ -43,7 +43,7 @@
#define NSSUTIL_DEFAULT_INTERNAL_INIT3 \
" askpw=any timeout=30})\""
#define NSSUTIL_DEFAULT_SFTKN_FLAGS \
"slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
"slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]"
#define NSSUTIL_DEFAULT_CIPHER_ORDER 0
#define NSSUTIL_DEFAULT_TRUST_ORDER 50

Просмотреть файл

@ -137,3 +137,50 @@ The nss directory contains the following important subdirectories:
A more comprehensible overview of the NSS folder structure and API guidelines
can be found
[here](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_API_Guidelines).
## Build mechanisms related to FIPS compliance
NSS supports build configurations for FIPS-140 compliance, and alternative build
configurations that disable functionality specific to FIPS-140 compliance.
This section documents the environment variables and build parameters that
control these configurations.
### Build FIPS startup tests
The C macro NSS_NO_INIT_SUPPORT controls the FIPS startup self tests.
If NSS_NO_INIT_SUPPORT is defined, the startup tests are disabled.
The legacy build system (make) by default disables these tests.
To enable these tests, set environment variable NSS_FORCE_FIPS=1 at build time.
The gyp build system by default disables these tests.
To enable these tests, pass parameter --enable-fips to build.sh.
### Building either FIPS compliant or alternative compliant code
The C macro NSS_FIPS_DISABLED can be used to disable some FIPS compliant code
and enable alternative implementations.
The legacy build system (make) never defines NSS_FIPS_DISABLED and always uses
the FIPS compliant code.
The gyp build system by default defines NSS_FIPS_DISABLED.
To use the FIPS compliant code, pass parameter --enable-fips to build.sh.
### Test execution
The NSS test suite may contain tests that are included, excluded, or are
different based on the FIPS build configuration. To execute the correct tests,
it's necessary to determine which build configuration was used.
The legacy build system (make) uses environment variables to control all
aspects of the build configuration, including FIPS build configuration.
Because the gyp build system doesn't use environment variables to control the
build configuration, the NSS tests cannot rely on environment variables to
determine the build configuration.
A helper binary named nss-build-flags is produced as part of the NSS build,
which prints the C macro symbols that were defined at build time, and which are
relevant to test execution.

Просмотреть файл

@ -295,9 +295,9 @@ fi
cycles="standard pkix upgradedb sharedb"
CYCLES=${NSS_CYCLES:-$cycles}
if [ -n "$NSS_FORCE_FIPS" ]; then
NO_INIT_SUPPORT=`certutil --build-flags |grep -cw NSS_NO_INIT_SUPPORT`
if [ $NO_INIT_SUPPORT -eq 0 ]; then
RUN_FIPS="fips"
export NSS_TEST_ENABLE_FIPS=1
fi
tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests"
@ -310,7 +310,7 @@ TESTS=${NSS_TESTS:-$tests}
ALL_TESTS=${TESTS}
nss_ssl_tests="crl iopr policy"
if [ -n "$NSS_FORCE_FIPS" ]; then
if [ $NO_INIT_SUPPORT -eq 0 ]; then
nss_ssl_tests="$nss_ssl_tests fips_normal normal_fips"
fi
NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}"

Просмотреть файл

@ -0,0 +1,26 @@
-----BEGIN CERTIFICATE-----
MIIEbDCCAxqgAwIBAgIBATBHBgkqhkiG9w0BAQowOqAPMA0GCWCGSAFlAwQCAQUA
oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASCjBAICEmcwgYMxCzAJ
BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFp
biBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxMzAxBgNVBAMTKk5TUyBUZXN0IENB
IChSU0EtUFNTIGludmFsaWQgdHJhaWxlckZpZWxkKTAgFw0xNzEyMDcxMjU3NDBa
GA8yMDY3MTIwNzEyNTc0MFowgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp
Zm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBO
U1MxMzAxBgNVBAMTKk5TUyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgdHJhaWxl
ckZpZWxkKTCCAVwwRwYJKoZIhvcNAQEKMDqgDzANBglghkgBZQMEAgEFAKEcMBoG
CSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgowQCAhJnA4IBDwAwggEKAoIB
AQDgkKJk+PoFpESak7kMQ0w147/xilUZCG7hDGG2uuGTbX8jqy9N9pxzB9sJjgJX
yYND0XEmrUQ2Memmy8jufhXML5DekW1tr3Gi2L3VivbIReJZfXk1xDMvNbB/Gjjo
SoPyu8C4hnevjgMlmqG3KdMkB+eN6PnBG64YFyki3vnLO5iTNHEBTgFYo0gTX4uK
xl0hLtiDL+4K5l7BwVgxZwQF6uHoHjrjjlhkzR0FwjjqR8U0pH20Pb6IlRsFMv07
/1GHf+jm34pKb/1ZNzAbiKxYv7YAQUWEZ7e/GSXgA6gbTpV9ueiLkVucUeXN/mXK
Tqb4zivi5FaSGVl8SJnqsJXJAgMBAAGjOTA3MBQGCWCGSAGG+EIBAQEB/wQEAwIC
BDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwICBDBHBgkqhkiG9w0BAQow
OqAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUA
ogMCASCjBAICEmcDggEBAJht9t9p/dlhJtx7ShDvUXyq8N4tCoGKdREM83K/jlW8
HxdHOz5PuvZx+UMlaUtqZVIriSCnRtEWkoSo0hWmcv1rp80it2G1zLfLPYdyrPba
nQmE1iFb69Wr9dwrX7o/CII+WHQgoIGeFGntZ8YRZTe5+JeiGAlAyZCqUKbl9lhh
pCpf1YYxb3VI8mAGVi0jwabWBEbInGBZYH9HP0nK7/Tflk6UY3f4h4Fbkk5D4WZA
hFfkebx6Wh90QGiKQhp4/N+dYira8bKvWqqn0VqwzBoJBU/RmMaJVpwqFFvcaUJh
uEKUPeQbqkYvj1WJYmy4ettVwi4OZU50+kCaRQhMsFA=
-----END CERTIFICATE-----

Просмотреть файл

@ -0,0 +1,24 @@
-----BEGIN CERTIFICATE-----
MIIEFzCCAs2gAwIBAgIBATA/BgkqhkiG9w0BAQowMqAOMAwGCCqGSIb3DQIFBQCh
GzAZBgkqhkiG9w0BAQgwDAYIKoZIhvcNAgUFAKIDAgEgMH4xCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIw
EAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5TUyBUZXN0IENBIChSU0EtUFNT
IGludmFsaWQgaGFzaEFsZykwIBcNMTcxMjA3MTQwNjQ0WhgPMjA2ODAxMDcxNDA2
NDRaMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
Ew1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5T
UyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgaGFzaEFsZykwggEgMAsGCSqGSIb3
DQEBCgOCAQ8AMIIBCgKCAQEAtDXA73yTOgs8zVYNMCtuQ9a07UgbfeQbjHp3pkF6
7rsC/Q28mrLh+zLkht5e7qU/Qf/8a2ZkcYhPOBAjCzjgIXOdE2lsWvdVujOJLR0x
Fesd3hDLRmL6f6momc+j1/Tw3bKyZinaeJ9BFRv9c94SayB3QUe+6+TNJKASwlhj
sx6mUsND+h3DkuL77gi7hIUpUXfFSwa+zM69VLhIu+/WRZfG8gfKkCAIGUC3WYJa
eU1HgQKfVSXW0ok4ototXWEe9ohU+Z1tO9LJStcY8mMpig7EU9zbpObhG46Sykfu
aKsubB9J+gFgwP5Tb85tRYT6SbHeHR6U/N8GBrKdRcomWwIDAQABozwwOjAUBglg
hkgBhvhCAQEBAf8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
BAMCAgQwPwYJKoZIhvcNAQEKMDKgDjAMBggqhkiG9w0CBQUAoRswGQYJKoZIhvcN
AQEIMAwGCCqGSIb3DQIFBQCiAwIBIAOCAQEAjeemeTxh2xrMUJ6Z5Yn2nH2FbcPY
fTHJcdfXjfNBkrMl5pe2/lk0JyNuACTuTYFCxdWNRL1coN//h9DSUbF3dpF1ex6D
difo+6PwxkO2aPVGPYw4DSivt4SFbn5dKGgVqBQfnmNK7p/iT91AcErg/grRrNL+
4jeT0UiRjQYeX9xKJArv+ocIidNpQL3QYxXuBLZxVC92Af69ol7WG8QBRLnFi1p2
g6q8hOHqOfB29qnsSo3PkI1yuShOl50tRLbNgyotEfZdk1N3oXvapoBsm/jlcdCT
0aKelCSQYYAfyl5PKCpa1lgBm7zfcHSDStMhEEFu/fbnJhqO9g9znj3STQ==
-----END CERTIFICATE-----

Просмотреть файл

@ -1359,7 +1359,7 @@ MODSCRIPT
# local shell function to verify small rsa exponent can be used (only
# run if FIPS has not been turned on in the build).
##############################################################################
cert_rsa_exponent()
cert_rsa_exponent_nonfips()
{
echo "$SCRIPTNAME: Verify that small RSA exponents still work =============="
CU_ACTION="Attempt to generate a key with exponent of 3"
@ -2095,6 +2095,20 @@ cert_test_rsapss()
certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
-i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1
CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)"
certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
-i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1
RETEXPECTED=255
certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
RETEXPECTED=0
CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)"
certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
-i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1
RETEXPECTED=255
certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
RETEXPECTED=0
CERTSERIAL=200
# Subject certificate: RSA
@ -2431,16 +2445,12 @@ cert_test_implicit_db_init
cert_extended_ssl
cert_ssl
cert_smime_client
if [[ -n "$NSS_TEST_ENABLE_FIPS" ]]; then
cert_fips
IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
if [ $IS_FIPS_DISABLED -ne 0 ]; then
cert_rsa_exponent_nonfips
else
cert_fips
fi
# We currently have difficulties to know if the build is a non-FIPS build,
# because of differences between the "make" and "gyp" build systems.
# As soon as we have a reliable way to detect that based on a variable,
# we should enable the following test call. See bug 1409516.
# if SYMBOL_THAT_TELLS_US_FIPS_IS_DISABLED
# cert_rsa_exponent
# fi
cert_eccurves
cert_extensions
cert_san_and_generic_extensions

Просмотреть файл

@ -23,7 +23,6 @@
########################################################################
fips_init()
{
export NSS_TEST_ENABLE_FIPS=1
SCRIPTNAME=fips.sh # sourced - $0 would point to all.sh
if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for