mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 504080: Update NSS to the NSS_3_12_4_RTM CVS tag. r=kaie.

This commit is contained in:
Wan-Teh Chang 2009-08-19 06:59:06 -07:00
Родитель 5c032e5046
Коммит d981c68cc2
41 изменённых файлов: 853 добавлений и 494 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

3
security/coreconf/Darwin.mk
Просмотреть файл

@ -113,6 +113,9 @@ ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
else
OPTIMIZER = -O2
endif
ifdef MOZ_DEBUG_SYMBOLS
OPTIMIZER += -gdwarf-2 -gfull
endif
endif
ARCH = darwin

8
security/coreconf/HP-UX.mk
Просмотреть файл

@ -84,8 +84,12 @@ PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \
sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,+e ,' > $@
DSO_LDOPTS = -b +h $(notdir $@)
ifeq ($(USE_64), 1)
RPATH = +b '$$ORIGIN'
RPATH = +b '$$ORIGIN'
ifneq ($(OS_TEST),ia64)
# pa-risc
ifndef USE_64
RPATH =
endif
endif
DSO_LDFLAGS =

11
security/coreconf/Linux.mk
Просмотреть файл

@ -124,7 +124,11 @@ ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
else
OPTIMIZER = -O2
endif
ifdef MOZ_DEBUG_SYMBOLS
OPTIMIZER += -gstabs+
endif
endif
ifeq ($(USE_PTHREADS),1)
OS_PTHREAD = -lpthread
@ -140,7 +144,12 @@ endif
ARCH = linux
DSO_CFLAGS = -fPIC
DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,-z,defs
DSO_LDOPTS = -shared $(ARCHFLAG)
# The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
# incorrectly reports undefined references in the libraries we link with, so
# we don't use -z defs there.
ZDEFS_FLAG = -Wl,-z,defs
DSO_LDOPTS += $(if $(findstring 2.11.90.0.8,$(shell ld -v)),,$(ZDEFS_FLAG))
DSO_LDFLAGS =
LDFLAGS += $(ARCHFLAG)

2
security/coreconf/Linux2.4.mk
Просмотреть файл

@ -45,4 +45,6 @@ ifdef MAPFILE
endif
PROCESS_MAP_FILE = grep -v ';-' $< | \
sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
NSS_NO_FORK_CHECK=1

14
security/coreconf/RISCOS.mk
Просмотреть файл

@ -20,6 +20,7 @@
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
# Peter Naulls
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
@ -37,12 +38,19 @@
include $(CORE_DEPTH)/coreconf/UNIX.mk
DLL_SUFFIX = a
MKSHLIB = $(GCCSDK_INSTALL_CROSSBIN)/arm-unknown-riscos-ar cr
LIB_SUFFIX = a
DLL_SUFFIX = so
AR = ar cr $@
LDOPTS += -L$(SOURCE_LIB_DIR)
MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so)
OS_RELEASE =
OS_TARGET = RISCOS
DSO_CFLAGS = -fPIC
DSO_LDOPTS = -shared
DSO_LDFLAGS =
ifdef BUILD_OPT
OPTIMIZER = -O2 -mpoke-function-name
OPTIMIZER = -O3
endif

2
security/coreconf/WIN32.mk
Просмотреть файл

@ -63,7 +63,7 @@ else
RC = rc.exe
MT = mt.exe
# Determine compiler version
_MSC_VER_6 = 1200 # MSVC 6
_MSC_VER_6 = 1200
_MSC_VER := $(shell $(CC) 2>&1 | sed -ne \
's/.*[^0-9.]\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*/\1\2/p' )
endif

5
security/coreconf/config.mk
Просмотреть файл

@ -194,6 +194,11 @@ ifdef NSS_DISABLE_DBM
DEFINES += -DNSS_DISABLE_DBM
endif
ifdef NSS_NO_FORK_CHECK
DEFINES += -DNO_FORK_CHECK
DEFINES += -DNO_CHECK_FORK
endif
# Avoid building object leak test code for optimized library
ifndef BUILD_OPT
ifdef PKIX_OBJECT_LEAK_TEST

2
security/coreconf/coreconf.dep
Просмотреть файл

@ -43,5 +43,3 @@
#error "Do not include this header file."
/* NSS 3.12.4 Beta */

4
security/coreconf/rules.mk
Просмотреть файл

@ -337,12 +337,8 @@ ifdef MT
fi
endif # MSVC with manifest tool
endif
else
ifeq ($(OS_TARGET),RISCOS)
$(MKSHLIB) $@ $(OBJS) $(SUB_SHLOBJS)
else
$(MKSHLIB) -o $@ $(OBJS) $(SUB_SHLOBJS) $(LD_LIBS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS)
endif
chmod +x $@
ifeq ($(OS_TARGET),Darwin)
ifdef MAPFILE

4
security/nss/cmd/lib/pk11table.h
Просмотреть файл

@ -74,7 +74,7 @@ typedef enum {
F_Help,
F_Quit,
F_QuitIf,
F_QuitIfString,
F_QuitIfString
} FunctionType;
/*
@ -103,7 +103,7 @@ typedef enum {
ArgFile = 0x800,
ArgStatic = 0x1000,
ArgOpt = 0x2000,
ArgFull = 0x4000,
ArgFull = 0x4000
} ArgType;
typedef enum _constType

5
security/nss/cmd/pk11mode/pk11mode.c
Просмотреть файл

@ -5275,13 +5275,14 @@ CK_RV PKM_ForkCheck(int expected, CK_FUNCTION_LIST_PTR fList,
CK_RV crv = CKR_OK;
#ifndef NO_FORK_CHECK
int rc = -1;
pid_t child, ret;
NUMTESTS++; /* increment NUMTESTS */
if (forkAssert) {
putenv("NSS_STRICT_NOFORK=1");
} else {
putenv("NSS_STRICT_NOFORK=0");
}
pid_t child = fork();
child = fork();
switch (child) {
case -1:
PKM_Error("Fork failed.\n");
@ -5316,7 +5317,7 @@ CK_RV PKM_ForkCheck(int expected, CK_FUNCTION_LIST_PTR fList,
exit(expected & 255);
default:
PKM_LogIt("Fork succeeded.\n");
pid_t ret = wait(&rc);
ret = wait(&rc);
if (ret != child || (!WIFEXITED(rc)) ||
( (expected & 255) != (WEXITSTATUS(rc) & 255)) ) {
int retStatus = -1;

268
security/nss/cmd/pwdecrypt/pwdecrypt.c
Просмотреть файл

@ -37,7 +37,7 @@
/*
* Test program for SDR (Secret Decoder Ring) functions.
*
* $Id: pwdecrypt.c,v 1.5 2008/08/08 23:47:58 julien.pierre.boogz%sun.com Exp $
* $Id: pwdecrypt.c,v 1.7 2009/08/03 07:07:13 nelson%bolyard.com Exp $
*/
#include "nspr.h"
@ -116,23 +116,22 @@ long_usage (char *program_name)
* base64 table only used to identify the end of a base64 string
*/
static unsigned char b64[256] = {
/* 0: */ 0, 0, 0, 0, 0, 0, 0, 0,
/* 8: */ 0, 0, 0, 0, 0, 0, 0, 0,
/* 16: */ 0, 0, 0, 0, 0, 0, 0, 0,
/* 24: */ 0, 0, 0, 0, 0, 0, 0, 0,
/* 32: */ 0, 0, 0, 0, 0, 0, 0, 0,
/* 40: */ 0, 0, 0, 1, 0, 0, 0, 1,
/* 48: */ 1, 1, 1, 1, 1, 1, 1, 1,
/* 56: */ 1, 1, 0, 0, 0, 0, 0, 0,
/* 64: */ 0, 1, 1, 1, 1, 1, 1, 1,
/* 72: */ 1, 1, 1, 1, 1, 1, 1, 1,
/* 80: */ 1, 1, 1, 1, 1, 1, 1, 1,
/* 88: */ 1, 1, 1, 0, 0, 0, 0, 0,
/* 96: */ 0, 1, 1, 1, 1, 1, 1, 1,
/* 104: */ 1, 1, 1, 1, 1, 1, 1, 1,
/* 112: */ 1, 1, 1, 1, 1, 1, 1, 1,
/* 120: */ 1, 1, 1, 0, 0, 0, 0, 0,
/* 128: */ 0, 0, 0, 0, 0, 0, 0, 0
/* 00: */ 0, 0, 0, 0, 0, 0, 0, 0,
/* 08: */ 0, 0, 0, 0, 0, 0, 0, 0,
/* 10: */ 0, 0, 0, 0, 0, 0, 0, 0,
/* 18: */ 0, 0, 0, 0, 0, 0, 0, 0,
/* 20: */ 0, 0, 0, 0, 0, 0, 0, 0,
/* 28: */ 0, 0, 0, 1, 0, 0, 0, 1,
/* 30: */ 1, 1, 1, 1, 1, 1, 1, 1,
/* 38: */ 1, 1, 0, 0, 0, 0, 0, 0,
/* 40: */ 0, 1, 1, 1, 1, 1, 1, 1,
/* 48: */ 1, 1, 1, 1, 1, 1, 1, 1,
/* 50: */ 1, 1, 1, 1, 1, 1, 1, 1,
/* 58: */ 1, 1, 1, 0, 0, 0, 0, 0,
/* 60: */ 0, 1, 1, 1, 1, 1, 1, 1,
/* 68: */ 1, 1, 1, 1, 1, 1, 1, 1,
/* 70: */ 1, 1, 1, 1, 1, 1, 1, 1,
/* 78: */ 1, 1, 1, 0, 0, 0, 0, 0,
};
enum {
@ -140,62 +139,92 @@ enum {
true = 1
} bool;
#define isatobchar(c) (b64[c])
#define MAX_STRING 8192
int
isatobchar(int c) { return b64[c] != 0; }
isBase64(char *inString)
{
unsigned int i;
unsigned char c;
#define MAX_STRING 256
int
getData(FILE *inFile,char **inString) {
int len = 0;
int space = MAX_STRING;
int oneequal = false;
int c;
char *string = (char *) malloc(space);
string[len++]='M';
while ((c = getc(inFile)) != EOF) {
if (len >= space) {
char *newString;
space *= 2;
newString = (char *)realloc(string,space);
if (newString == NULL) {
ungetc(c,inFile);
break;
}
string = newString;
}
string[len++] = c;
if (!isatobchar(c)) {
if (c == '=') {
if (oneequal) {
break;
}
oneequal = true;
continue;
} else {
ungetc(c,inFile);
len--;
break;
}
}
if (oneequal) {
ungetc(c,inFile);
len--;
break;
}
for (i = 0; (c = inString[i]) != 0 && isatobchar(c); ++i)
;
if (c == '=') {
while ((c = inString[++i]) == '=')
; /* skip trailing '=' characters */
}
if (len >= space) {
space += 2;
string = (char *)realloc(string,space);
}
string[len++] = 0;
*inString = string;
if (c && c != '\n' && c != '\r')
return false;
if (i == 0 || i % 4)
return false;
return true;
}
void
doDecrypt(char * dataString, FILE *outFile, FILE *logFile, secuPWData *pwdata)
{
int strLen = strlen(dataString);
SECItem *decoded = NSSBase64_DecodeBuffer(NULL, NULL, dataString, strLen);
SECStatus rv;
int err;
unsigned int i;
SECItem result = { siBuffer, NULL, 0 };
if ((decoded == NULL) || (decoded->len == 0)) {
if (logFile) {
err = PORT_GetError();
fprintf(logFile,"Base 64 decode failed on <%s>\n", dataString);
fprintf(logFile," Error %d: %s\n", err, SECU_Strerror(err));
}
fputs(dataString, outFile);
if (decoded)
SECITEM_FreeItem(decoded, PR_TRUE);
return;
}
rv = PK11SDR_Decrypt(decoded, &result, pwdata);
SECITEM_ZfreeItem(decoded, PR_TRUE);
if (rv == SECSuccess) {
/* result buffer has no extra space for a NULL */
fprintf(outFile, "Decrypted: \"%.*s\"\n", result.len, result.data);
SECITEM_ZfreeItem(&result, PR_FALSE);
return;
}
/* Encryption failed. output raw input. */
if (logFile) {
err = PORT_GetError();
fprintf(logFile,"SDR decrypt failed on <%s>\n", dataString);
fprintf(logFile," Error %d: %s\n", err, SECU_Strerror(err));
}
fputs(dataString,outFile);
}
void
doDecode(char * dataString, FILE *outFile, FILE *logFile)
{
int strLen = strlen(dataString + 1);
SECItem *decoded;
decoded = NSSBase64_DecodeBuffer(NULL, NULL, dataString + 1, strLen);
if ((decoded == NULL) || (decoded->len == 0)) {
if (logFile) {
int err = PORT_GetError();
fprintf(logFile,"Base 64 decode failed on <%s>\n", dataString + 1);
fprintf(logFile," Error %d: %s\n", err, SECU_Strerror(err));
}
fputs(dataString, outFile);
if (decoded)
SECITEM_FreeItem(decoded, PR_TRUE);
return;
}
fprintf(outFile, "Decoded: \"%.*s\"\n", decoded->len, decoded->data);
SECITEM_ZfreeItem(decoded, PR_TRUE);
}
char dataString[MAX_STRING + 1];
int
main (int argc, char **argv)
{
@ -210,11 +239,8 @@ main (int argc, char **argv)
FILE *outFile = stdout;
FILE *logFile = NULL;
PLOptStatus optstatus;
SECItem result;
int c;
secuPWData pwdata = { PW_NONE, NULL };
result.data = 0;
program_name = PL_strrchr(argv[0], '/');
program_name = program_name ? (program_name + 1) : argv[0];
@ -270,28 +296,31 @@ main (int argc, char **argv)
}
if (input_file) {
inFile = fopen(input_file,"r");
if (inFile == NULL) {
perror(input_file);
return 1;
}
PR_Free(input_file);
inFile = fopen(input_file,"r");
if (inFile == NULL) {
perror(input_file);
return 1;
}
PR_Free(input_file);
}
if (output_file) {
outFile = fopen(output_file,"w+");
if (outFile == NULL) {
perror(output_file);
return 1;
}
PR_Free(output_file);
outFile = fopen(output_file,"w+");
if (outFile == NULL) {
perror(output_file);
return 1;
}
PR_Free(output_file);
}
if (log_file) {
logFile = fopen(log_file,"w+");
if (logFile == NULL) {
perror(log_file);
return 1;
}
PR_Free(log_file);
if (log_file[0] == '-')
logFile = stderr;
else
logFile = fopen(log_file,"w+");
if (logFile == NULL) {
perror(log_file);
return 1;
}
PR_Free(log_file);
}
/*
@ -308,64 +337,29 @@ main (int argc, char **argv)
/* Get the encrypted result, either from the input file
* or from encrypting the plaintext value
*/
while (fgets(dataString, sizeof dataString, inFile)) {
unsigned char c = dataString[0];
while ((c = getc(inFile)) != EOF) {
if (c == 'M') {
char *dataString = NULL;
SECItem *inText;
rv = getData(inFile, &dataString);
if (!rv) {
fputs(dataString,outFile);
free(dataString);
continue;
}
inText = NSSBase64_DecodeBuffer(NULL, NULL, dataString,
strlen(dataString));
if ((inText == NULL) || (inText->len == 0)) {
if (logFile) {
fprintf(logFile,"Base 64 decode failed on <%s>\n",
dataString);
fprintf(logFile," Error %x: %s\n",PORT_GetError(),
SECU_Strerror(PORT_GetError()));
}
fputs(dataString,outFile);
free(dataString);
continue;
}
result.data = NULL;
result.len = 0;
rv = PK11SDR_Decrypt(inText, &result, &pwdata);
SECITEM_FreeItem(inText, PR_TRUE);
if (rv != SECSuccess) {
if (logFile) {
fprintf(logFile,"SDR decrypt failed on <%s>\n",
dataString);
fprintf(logFile," Error %x: %s\n",PORT_GetError(),
SECU_Strerror(PORT_GetError()));
}
fputs(dataString,outFile);
free(dataString);
SECITEM_ZfreeItem(&result, PR_FALSE);
continue;
}
/* result buffer has no extra space for a NULL */
fprintf(outFile, "%.*s", result.len, result.data);
SECITEM_ZfreeItem(&result, PR_FALSE);
} else {
putc(c,outFile);
}
if (c == 'M' && isBase64(dataString)) {
doDecrypt(dataString, outFile, logFile, &pwdata);
} else if (c == '~' && isBase64(dataString + 1)) {
doDecode(dataString, outFile, logFile);
} else {
fputs(dataString, outFile);
}
}
if (pwdata.data)
PR_Free(pwdata.data);
fclose(outFile);
fclose(inFile);
if (logFile) {
if (logFile && logFile != stderr) {
fclose(logFile);
}
if (NSS_Shutdown() != SECSuccess) {
SECU_PrintError (program_name, "NSS_Shutdown failed");
exit(1);
exit(1);
}
prdone:

2
security/nss/cmd/shlibsign/Makefile
Просмотреть файл

@ -80,7 +80,9 @@ endif
CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX)
CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX))
ifndef NSS_DISABLE_DBM
CHECKLIBS += $(DIST)/lib/$(DLL_PREFIX)nssdbm3.$(DLL_SUFFIX)
endif
CHECKLOC = $(CHECKLIBS:.$(DLL_SUFFIX)=.chk)
MD_LIB_RELEASE_FILES = $(CHECKLOC)

31
security/nss/lib/certdb/alg1485.c
Просмотреть файл

@ -1358,18 +1358,35 @@ appendStringToBuf(char *dest, char *src, PRUint32 *pRemaining)
return dest;
}
#undef NEEDS_HEX_ESCAPE
#define NEEDS_HEX_ESCAPE(c) (c < 0x20)
static char *
appendItemToBuf(char *dest, SECItem *src, PRUint32 *pRemaining)
{
if (dest && src && src->data && src->len && src->data[0] &&
*pRemaining > src->len + 1 ) {
if (dest && src && src->data && src->len && src->data[0]) {
PRUint32 len = src->len;
PRUint32 i;
for (i = 0; i < len && src->data[i] ; ++i)
dest[i] = tolower(src->data[i]);
dest[len] = 0;
dest += len + 1;
*pRemaining -= len + 1;
PRUint32 reqLen = len + 1;
/* are there any embedded control characters ? */
for (i = 0; i < len; i++) {
if (NEEDS_HEX_ESCAPE(src->data[i]))
reqLen += 2;
}
if (*pRemaining > reqLen) {
for (i = 0; i < len; ++i) {
PRUint8 c = src->data[i];
if (NEEDS_HEX_ESCAPE(c)) {
*dest++ = C_BACKSLASH;
*dest++ = hexChars[ (c >> 4) & 0x0f ];
*dest++ = hexChars[ c & 0x0f ];
} else {
*dest++ = tolower(c);
}
}
*dest++ = '\0';
*pRemaining -= reqLen;
}
}
return dest;
}

4
security/nss/lib/certdb/certi.h
Просмотреть файл

@ -36,7 +36,7 @@
/*
* certi.h - private data structures for the certificate library
*
* $Id: certi.h,v 1.30 2009/04/18 05:15:45 alexei.volkov.bugs%sun.com Exp $
* $Id: certi.h,v 1.31 2009/07/31 18:35:30 christophe.ravel.bugs%sun.com Exp $
*/
#ifndef _CERTI_H_
#define _CERTI_H_
@ -368,7 +368,7 @@ struct NamedCRLCacheEntryStr {
typedef enum {
certRevocationStatusRevoked = 0,
certRevocationStatusValid = 1,
certRevocationStatusUnknown = 2,
certRevocationStatusUnknown = 2
} CERTRevocationStatus;
/* Returns detailed status of the cert(revStatus variable). Tells if

50
security/nss/lib/certdb/crl.c
Просмотреть файл

@ -37,7 +37,7 @@
/*
* Moved from secpkcs7.c
*
* $Id: crl.c,v 1.67 2009/05/13 22:47:28 julien.pierre.boogz%sun.com Exp $
* $Id: crl.c,v 1.68 2009/08/10 22:25:44 julien.pierre.boogz%sun.com Exp $
*/
#include "cert.h"
@ -1047,48 +1047,38 @@ void PreAllocator_Destroy(PreAllocator* PreAllocator)
{
PORT_FreeArena(PreAllocator->arena, PR_TRUE);
}
if (PreAllocator->data)
{
PORT_Free(PreAllocator->data);
}
PORT_Free(PreAllocator);
}
/* constructor for PreAllocator object */
PreAllocator* PreAllocator_Create(PRSize size)
{
PreAllocator prebuffer;
PreAllocator* prepointer = NULL;
memset(&prebuffer, 0, sizeof(PreAllocator));
prebuffer.len = size;
prebuffer.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
PORT_Assert(prebuffer.arena);
if (!prebuffer.arena)
PRArenaPool* arena = NULL;
PreAllocator* prebuffer = NULL;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena)
{
PreAllocator_Destroy(&prebuffer);
return NULL;
}
if (prebuffer.len)
prebuffer = (PreAllocator*)PORT_ArenaZAlloc(arena,
sizeof(PreAllocator));
if (!prebuffer)
{
prebuffer.data = PORT_Alloc(prebuffer.len);
if (!prebuffer.data)
PORT_FreeArena(arena, PR_TRUE);
return NULL;
}
prebuffer->arena = arena;
if (size)
{
prebuffer->len = size;
prebuffer->data = PORT_ArenaAlloc(arena, size);
if (!prebuffer->data)
{
PreAllocator_Destroy(&prebuffer);
PORT_FreeArena(arena, PR_TRUE);
return NULL;
}
}
else
{
prebuffer.data = NULL;
}
prepointer = (PreAllocator*)PORT_Alloc(sizeof(PreAllocator));
if (!prepointer)
{
PreAllocator_Destroy(&prebuffer);
return NULL;
}
*prepointer = prebuffer;
return prepointer;
return prebuffer;
}
/* global Named CRL cache object */

8
security/nss/lib/ckfw/builtins/certdata.c
Просмотреть файл

@ -35,7 +35,7 @@
*
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.54 $ $Date: 2009/05/21 19:50:27 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.54 $ $Date: 2009/05/21 19:50:27 $";
static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.55 $ $Date: 2009/08/13 23:40:29 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.55 $ $Date: 2009/08/13 23:40:29 $";
#endif /* DEBUG */
#ifndef BUILTINS_H
@ -908,7 +908,7 @@ static const NSSItem nss_builtins_items_0 [] = {
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"CVS ID", (PRUint32)7 },
{ (void *)"NSS", (PRUint32)4 },
{ (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.54 $ $Date: 2009/05/21 19:50:27 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.54 $ $Date: 2009/05/21 19:50:27 $", (PRUint32)160 }
{ (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.55 $ $Date: 2009/08/13 23:40:29 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.55 $ $Date: 2009/08/13 23:40:29 $", (PRUint32)160 }
};
#endif /* DEBUG */
static const NSSItem nss_builtins_items_1 [] = {
@ -17981,7 +17981,7 @@ static const NSSItem nss_builtins_items_266 [] = {
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"AC Ra+¡z Certic+ímara S.A.", (PRUint32)27 },
{ (void *)"AC Ra\xC3\xADz Certic\xC3\xA1mara S.A.", (PRUint32)39 },
{ (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
{ (void *)"\060\173\061\013\060\011\006\003\125\004\006\023\002\103\117\061"
"\107\060\105\006\003\125\004\012\014\076\123\157\143\151\145\144"
@ -18115,7 +18115,7 @@ static const NSSItem nss_builtins_items_267 [] = {
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"AC Ra+¡z Certic+ímara S.A.", (PRUint32)27 },
{ (void *)"AC Ra\xC3\xADz Certic\xC3\xA1mara S.A.", (PRUint32)39 },
{ (void *)"\313\241\305\370\260\343\136\270\271\105\022\323\371\064\242\351"
"\006\020\323\066"
, (PRUint32)20 },

10
security/nss/lib/ckfw/builtins/certdata.txt
Просмотреть файл

@ -34,7 +34,7 @@
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.53 $ $Date: 2009/05/21 19:50:28 $"
CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.54 $ $Date: 2009/08/13 23:40:29 $"
#
# certdata.txt
@ -18481,13 +18481,13 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "AC Ra+¡z Certic+ímara S.A."
# Certificate "AC Ra\xC3\xADz Certic\xC3\xA1mara S.A."
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "AC Ra+¡z Certic+ímara S.A."
CKA_LABEL UTF8 "AC Ra\xC3\xADz Certic\xC3\xA1mara S.A."
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\173\061\013\060\011\006\003\125\004\006\023\002\103\117\061
@ -18620,12 +18620,12 @@ CKA_VALUE MULTILINE_OCTAL
\005\211\374\170\326\134\054\046\103\251
END
# Trust for Certificate "AC Ra+¡z Certic+ímara S.A."
# Trust for Certificate "AC Ra\xC3\xADz Certic\xC3\xA1mara S.A."
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "AC Ra+¡z Certic+ímara S.A."
CKA_LABEL UTF8 "AC Ra\xC3\xADz Certic\xC3\xA1mara S.A."
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\313\241\305\370\260\343\136\270\271\105\022\323\371\064\242\351
\006\020\323\066

5
security/nss/lib/ckfw/capi/Makefile
Просмотреть файл

@ -34,7 +34,7 @@
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.5 $ $Date: 2007/05/09 00:09:37 $"
MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.6 $ $Date: 2009/07/29 20:15:19 $"
include manifest.mn
include $(CORE_DEPTH)/coreconf/config.mk
@ -54,6 +54,9 @@ EXTRA_LIBS += \
-lplc4 \
-lplds4 \
-lnspr4 \
-lcrypt32 \
-ladvapi32 \
-lrpcrt4 \
$(NULL)
else
EXTRA_SHARED_LIBS += \

4
security/nss/lib/ckfw/capi/cobject.c
Просмотреть файл

@ -36,7 +36,7 @@
*
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: cobject.c,v $ $Revision: 1.5 $ $Date: 2009/02/25 18:37:49 $";
static const char CVS_ID[] = "@(#) $RCSfile: cobject.c,v $ $Revision: 1.6 $ $Date: 2009/07/29 20:15:19 $";
#endif /* DEBUG */
#include "ckcapi.h"
@ -172,7 +172,7 @@ nss_ckcapi_DERUnwrap
len = (len << 8) | (unsigned) *src++;
}
}
if (len + (src-start) > (unsigned int)size) {
if (len + ((unsigned char *)src-start) > (unsigned int)size) {
return start;
}
if (next) {

4
security/nss/lib/libpkix/include/pkixt.h
Просмотреть файл

@ -500,14 +500,14 @@ PKIX_Error* PKIX_ALLOC_ERROR(void);
typedef enum PKIX_RevocationMethodTypeEnum {
PKIX_RevocationMethod_CRL = 0,
PKIX_RevocationMethod_OCSP,
PKIX_RevocationMethod_MAX,
PKIX_RevocationMethod_MAX
} PKIX_RevocationMethodType;
/* A set of statuses revocation checker operates on */
typedef enum PKIX_RevocationStatusEnum {
PKIX_RevStatus_NoInfo = 0,
PKIX_RevStatus_Revoked,
PKIX_RevStatus_Success,
PKIX_RevStatus_Success
} PKIX_RevocationStatus;

4
security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
Просмотреть файл

@ -187,7 +187,7 @@ pkix_OcspChecker_CheckLocal(
}
PKIX_CHECK(
PKIX_PL_OcspCertID_GetFreshCacheStatus(cid, NULL,
PKIX_PL_OcspCertID_GetFreshCacheStatus(cid, date,
&hasFreshStatus,
&statusIsGood,
&resultCode,
@ -321,7 +321,7 @@ pkix_OcspChecker_CheckExternal(
}
PKIX_CHECK(
pkix_pl_OcspResponse_GetStatusForCert(cid, response,
pkix_pl_OcspResponse_GetStatusForCert(cid, response, date,
&passed, &resultCode,
plContext),
PKIX_OCSPRESPONSEGETSTATUSFORCERTFAILED);

12
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
Просмотреть файл

@ -970,10 +970,12 @@ PKIX_Error *
pkix_pl_OcspResponse_GetStatusForCert(
PKIX_PL_OcspCertID *cid,
PKIX_PL_OcspResponse *response,
PKIX_PL_Date *validity,
PKIX_Boolean *pPassed,
SECErrorCodes *pReturnCode,
void *plContext)
{
PRTime time = 0;
SECStatus rv = SECFailure;
SECStatus rvCache;
PRBool certIDWasConsumed = PR_FALSE;
@ -989,11 +991,19 @@ pkix_pl_OcspResponse_GetStatusForCert(
PKIX_NULLCHECK_TWO(response->signerCert, response->request);
PKIX_NULLCHECK_TWO(cid, cid->certID);
if (validity != NULL) {
PKIX_Error *er = pkix_pl_Date_GetPRTime(validity, &time, plContext);
PKIX_DECREF(er);
}
if (!time) {
time = PR_Now();
}
rv = cert_ProcessOCSPResponse(response->handle,
response->nssOCSPResponse,
cid->certID,
response->signerCert,
PR_Now(),
time,
&certIDWasConsumed,
&rvCache);
if (certIDWasConsumed) {

1
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.h
Просмотреть файл

@ -113,6 +113,7 @@ PKIX_Error *
pkix_pl_OcspResponse_GetStatusForCert(
PKIX_PL_OcspCertID *cid,
PKIX_PL_OcspResponse *response,
PKIX_PL_Date *validity,
PKIX_Boolean *pPassed,
SECErrorCodes *pReturnCode,
void *plContext);

7
security/nss/lib/nss/nss.def
Просмотреть файл

@ -972,3 +972,10 @@ PK11_GetSymKeyHandle;
;+ local:
;+ *;
;+};
;+NSS_3.12.4 { # NSS 3.12.4 release
;+ global:
PK11_IsInternalKeySlot;
SECMOD_OpenNewSlot;
;+ local:
;+ *;
;+};

6
security/nss/lib/nss/nss.h
Просмотреть файл

@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: nss.h,v 1.67 2009/07/20 20:06:57 nelson%bolyard.com Exp $ */
/* $Id: nss.h,v 1.69 2009/08/13 18:11:22 christophe.ravel.bugs%sun.com Exp $ */
#ifndef __nss_h_
#define __nss_h_
@ -66,11 +66,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.12.4.4" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
#define NSS_VERSION "3.12.4.5" _NSS_ECC_STRING _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 12
#define NSS_VPATCH 4
#define NSS_BETA PR_TRUE
#define NSS_BETA PR_FALSE
#ifndef RC_INVOKED

3
security/nss/lib/nss/nssinit.c
Просмотреть файл

@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: nssinit.c,v 1.98 2009/05/29 19:23:30 wtc%google.com Exp $ */
/* $Id: nssinit.c,v 1.99 2009/07/23 01:56:40 nelson%bolyard.com Exp $ */
#include <ctype.h>
#include <string.h>
@ -774,6 +774,7 @@ NSS_RegisterShutdown(NSS_ShutdownFunc sFunc, void *appData)
(nssShutdownList.allocatedFuncs + NSS_SHUTDOWN_STEP)
*sizeof(struct NSSShutdownFuncPair));
if (!funcs) {
PZ_Unlock(nssShutdownList.lock);
return SECFailure;
}
nssShutdownList.funcs = funcs;

15
security/nss/lib/pk11wrap/pk11auth.c
Просмотреть файл

@ -483,10 +483,17 @@ PK11_ChangePW(PK11SlotInfo *slot, const char *oldpw, const char *newpw)
int oldLen;
CK_SESSION_HANDLE rwsession;
if (newpw == NULL) newpw = "";
if (oldpw == NULL) oldpw = "";
newLen = PORT_Strlen(newpw);
oldLen = PORT_Strlen(oldpw);
/* use NULL values to trigger the protected authentication path */
if (slot->protectedAuthPath) {
if (newpw == NULL) newLen = 0;
if (oldpw == NULL) oldLen = 0;
} else {
if (newpw == NULL) newpw = "";
if (oldpw == NULL) oldpw = "";
newLen = PORT_Strlen(newpw);
oldLen = PORT_Strlen(oldpw);
}
/* get a rwsession */
rwsession = PK11_GetRWSession(slot);

10
security/nss/lib/pk11wrap/pk11pub.h
Просмотреть файл

@ -109,6 +109,7 @@ PK11SlotList *PK11_FindSlotsByNames(const char *dllName,
const char* slotName, const char* tokenName, PRBool presentOnly);
PRBool PK11_IsReadOnly(PK11SlotInfo *slot);
PRBool PK11_IsInternal(PK11SlotInfo *slot);
PRBool PK11_IsInternalKeySlot(PK11SlotInfo *slot);
char * PK11_GetTokenName(PK11SlotInfo *slot);
char * PK11_GetSlotName(PK11SlotInfo *slot);
PRBool PK11_NeedLogin(PK11SlotInfo *slot);
@ -237,6 +238,15 @@ int PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
PK11SlotInfo *SECMOD_OpenUserDB(const char *moduleSpec);
SECStatus SECMOD_CloseUserDB(PK11SlotInfo *slot);
/*
* This is exactly the same as OpenUserDB except it can be called on any
* module that understands softoken style new slot entries. The resulting
* slot can be closed using SECMOD_CloseUserDB above. Value of moduleSpec
* is token specific.
*/
PK11SlotInfo *SECMOD_OpenNewSlot(SECMODModule *mod, const char *moduleSpec);
/*
* merge the permanent objects from on token to another
*/

16
security/nss/lib/pk11wrap/pk11slot.c
Просмотреть файл

@ -1538,6 +1538,22 @@ PK11_IsInternal(PK11SlotInfo *slot)
return slot->isInternal;
}
PRBool
PK11_IsInternalKeySlot(PK11SlotInfo *slot)
{
PK11SlotInfo *int_slot;
PRBool result;
if (!slot->isInternal) {
return PR_FALSE;
}
int_slot = PK11_GetInternalKeySlot();
result = (int_slot == slot) ? PR_TRUE : PR_FALSE;
PK11_FreeSlot(int_slot);
return result;
}
PRBool
PK11_NeedLogin(PK11SlotInfo *slot)
{

185
security/nss/lib/pk11wrap/pk11util.c
Просмотреть файл

@ -1248,13 +1248,12 @@ SECMOD_HasRemovableSlots(SECMODModule *mod)
* helper function to actually create and destroy user defined slots
*/
static SECStatus
secmod_UserDBOp(CK_OBJECT_CLASS objClass, const char *sendSpec)
secmod_UserDBOp(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass,
const char *sendSpec)
{
PK11SlotInfo *slot = PK11_GetInternalSlot();
CK_OBJECT_HANDLE dummy;
CK_ATTRIBUTE template[2] ;
CK_ATTRIBUTE *attrs = template;
SECStatus rv;
CK_RV crv;
PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass)); attrs++;
@ -1270,13 +1269,10 @@ secmod_UserDBOp(CK_OBJECT_CLASS objClass, const char *sendSpec)
PK11_ExitSlotMonitor(slot);
if (crv != CKR_OK) {
PK11_FreeSlot(slot);
PORT_SetError(PK11_MapError(crv));
return SECFailure;
}
rv = SECMOD_UpdateSlotList(slot->module);
PK11_FreeSlot(slot);
return rv;
return SECMOD_UpdateSlotList(slot->module);
}
/*
@ -1331,6 +1327,112 @@ done:
return retValue;
}
/*
* return true if the selected slot ID is not present or doesn't exist
*/
static PRBool
secmod_SlotIsEmpty(SECMODModule *mod, CK_SLOT_ID slotID)
{
PK11SlotInfo *slot = SECMOD_LookupSlot(mod->moduleID, slotID);
if (slot) {
PRBool present = PK11_IsPresent(slot);
PK11_FreeSlot(slot);
if (present) {
return PR_FALSE;
}
}
/* it doesn't exist or isn't present, it's available */
return PR_TRUE;
}
/*
* Find an unused slot id in module.
*/
static CK_SLOT_ID
secmod_FindFreeSlot(SECMODModule *mod)
{
CK_SLOT_ID i, minSlotID, maxSlotID;
/* look for a free slot id on the internal module */
if (mod->internal && mod->isFIPS) {
minSlotID = SFTK_MIN_FIPS_USER_SLOT_ID;
maxSlotID = SFTK_MAX_FIPS_USER_SLOT_ID;
} else {
minSlotID = SFTK_MIN_USER_SLOT_ID;
maxSlotID = SFTK_MAX_USER_SLOT_ID;
}
for (i=minSlotID; i < maxSlotID; i++) {
if (secmod_SlotIsEmpty(mod,i)) {
return i;
}
}
PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED);
return (CK_SLOT_ID) -1;
}
/*
* Attempt to open a new slot.
*
* This works the same os OpenUserDB except it can be called against
* any module that understands the softoken protocol for opening new
* slots, not just the softoken itself. If the selected module does not
* understand the protocol, C_CreateObject will fail with
* CKR_INVALID_ATTRIBUTE, and SECMOD_OpenNewSlot will return NULL and set
* SEC_ERROR_BAD_DATA.
*
* NewSlots can be closed with SECMOD_CloseUserDB();
*
* Modulespec is module dependent.
*/
PK11SlotInfo *
SECMOD_OpenNewSlot(SECMODModule *mod, const char *moduleSpec)
{
CK_SLOT_ID slotID = 0;
PK11SlotInfo *slot;
char *escSpec;
char *sendSpec;
SECStatus rv;
slotID = secmod_FindFreeSlot(mod);
if (slotID == (CK_SLOT_ID) -1) {
return NULL;
}
if (mod->slotCount == 0) {
return NULL;
}
/* just grab the first slot in the module, any present slot should work */
slot = PK11_ReferenceSlot(mod->slots[0]);
if (slot == NULL) {
return NULL;
}
/* we've found the slot, now build the moduleSpec */
escSpec = nss_doubleEscape(moduleSpec);
if (escSpec == NULL) {
PK11_FreeSlot(slot);
return NULL;
}
sendSpec = PR_smprintf("tokens=[0x%x=<%s>]", slotID, escSpec);
PORT_Free(escSpec);
if (sendSpec == NULL) {
/* PR_smprintf does not set SEC_ERROR_NO_MEMORY on failure. */
PK11_FreeSlot(slot);
PORT_SetError(SEC_ERROR_NO_MEMORY);
return NULL;
}
rv = secmod_UserDBOp(slot, CKO_NETSCAPE_NEWSLOT, sendSpec);
PR_smprintf_free(sendSpec);
PK11_FreeSlot(slot);
if (rv != SECSuccess) {
return NULL;
}
return SECMOD_FindSlotByID(mod, slotID);
}
/*
* Open a new database using the softoken. The caller is responsible for making
* sure the module spec is correct and usable. The caller should ask for one
@ -1383,13 +1485,7 @@ done:
PK11SlotInfo *
SECMOD_OpenUserDB(const char *moduleSpec)
{
CK_SLOT_ID slotID = 0;
char *escSpec;
char *sendSpec;
SECStatus rv;
SECMODModule *mod;
CK_SLOT_ID i, minSlotID, maxSlotID;
PRBool found = PR_FALSE;
if (moduleSpec == NULL) {
return NULL;
@ -1403,76 +1499,21 @@ SECMOD_OpenUserDB(const char *moduleSpec)
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return NULL;
}
/* look for a free slot id on the internal module */
if (mod->isFIPS) {
minSlotID = SFTK_MIN_FIPS_USER_SLOT_ID;
maxSlotID = SFTK_MAX_FIPS_USER_SLOT_ID;
} else {
minSlotID = SFTK_MIN_USER_SLOT_ID;
maxSlotID = SFTK_MAX_USER_SLOT_ID;
}
for (i=minSlotID; i < maxSlotID; i++) {
PK11SlotInfo *slot = SECMOD_LookupSlot(mod->moduleID, i);
if (slot) {
PRBool present = PK11_IsPresent(slot);
PK11_FreeSlot(slot);
if (present) {
continue;
}
/* not present means it's available */
}
/* it doesn't exist or isn't present, it's available */
slotID = i;
found = PR_TRUE;
break;
}
if (!found) {
/* this could happen if we try to open too many slots */
PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED);
return NULL;
}
/* we've found the slot, now build the moduleSpec */
escSpec = nss_doubleEscape(moduleSpec);
if (escSpec == NULL) {
return NULL;
}
sendSpec = PR_smprintf("tokens=[0x%x=<%s>]", slotID, escSpec);
PORT_Free(escSpec);
if (sendSpec == NULL) {
/* PR_smprintf does not set no memory error */
PORT_SetError(SEC_ERROR_NO_MEMORY);
return NULL;
}
rv = secmod_UserDBOp(CKO_NETSCAPE_NEWSLOT, sendSpec);
PR_smprintf_free(sendSpec);
if (rv != SECSuccess) {
return NULL;
}
return SECMOD_FindSlotByID(mod, slotID);
return SECMOD_OpenNewSlot(mod, moduleSpec);
}
/*
* close an already opened user database. NOTE: the database must be
* in the internal token, and must be one created with SECMOD_OpenUserDB().
* Once the database is closed, the slot will remain as an empty slot
* until it's used again with SECMOD_OpenUserDB().
* until it's used again with SECMOD_OpenUserDB() or SECMOD_OpenNewSlot().
*/
SECStatus
SECMOD_CloseUserDB(PK11SlotInfo *slot)
{
SECStatus rv;
char *sendSpec;
if (!slot->isInternal) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
sendSpec = PR_smprintf("tokens=[0x%x=<>]", slot->slotID);
if (sendSpec == NULL) {
@ -1480,7 +1521,7 @@ SECMOD_CloseUserDB(PK11SlotInfo *slot)
PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure;
}
rv = secmod_UserDBOp(CKO_NETSCAPE_DELSLOT, sendSpec);
rv = secmod_UserDBOp(slot, CKO_NETSCAPE_DELSLOT, sendSpec);
PR_smprintf_free(sendSpec);
return rv;
}

8
security/nss/lib/pki/pki3hack.c
Просмотреть файл

@ -35,7 +35,7 @@
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.96 $ $Date: 2008/08/09 01:26:05 $";
static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.97 $ $Date: 2009/07/30 22:43:32 $";
#endif /* DEBUG */
/*
@ -668,7 +668,7 @@ STAN_GetCERTCertificateNameForInstance (
}
if (stanNick) {
/* fill other fields needed by NSS3 functions using CERTCertificate */
if (instance && (!PK11_IsInternal(instance->token->pk11slot) ||
if (instance && (!PK11_IsInternalKeySlot(instance->token->pk11slot) ||
PORT_Strchr(stanNick, ':') != NULL) ) {
tokenName = nssToken_GetName(instance->token);
tokenlen = nssUTF8_Size(tokenName, &nssrv);
@ -734,7 +734,7 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced
NSSUTF8 *tokenName = NULL;
char *nick;
if (instance &&
(!PK11_IsInternal(instance->token->pk11slot) ||
(!PK11_IsInternalKeySlot(instance->token->pk11slot) ||
(stanNick && PORT_Strchr(stanNick, ':') != NULL))) {
tokenName = nssToken_GetName(instance->token);
tokenlen = nssUTF8_Size(tokenName, &nssrv);
@ -1161,7 +1161,7 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
nssTrust->stepUpApproved, PR_TRUE);
/* If the selected token can't handle trust, dump the trust on
* the internal token */
if (!newInstance && !PK11_IsInternal(tok->pk11slot)) {
if (!newInstance && !PK11_IsInternalKeySlot(tok->pk11slot)) {
PK11SlotInfo *slot = PK11_GetInternalKeySlot();
NSSUTF8 *nickname = nssCertificate_GetNickname(c, NULL);
NSSASCII7 *email = c->email;

2
security/nss/lib/softoken/softkver.h
Просмотреть файл

@ -57,7 +57,7 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]"
*/
#define SOFTOKEN_VERSION "3.12.4.4" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VERSION "3.12.4.5" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 12
#define SOFTOKEN_VPATCH 4

4
security/nss/lib/softoken/softoknt.h
Просмотреть файл

@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: softoknt.h,v 1.5 2009/01/27 23:13:21 rrelyea%redhat.com Exp $ */
/* $Id: softoknt.h,v 1.6 2009/08/03 16:58:28 christophe.ravel.bugs%sun.com Exp $ */
#ifndef _SOFTOKNT_H_
#define _SOFTOKNT_H_
@ -88,7 +88,7 @@ typedef enum {
NSS_AUDIT_SELF_TEST,
NSS_AUDIT_SET_PIN,
NSS_AUDIT_UNWRAP_KEY,
NSS_AUDIT_WRAP_KEY,
NSS_AUDIT_WRAP_KEY
} NSSAuditType;
#endif /* _SOFTOKNT_H_ */

4
security/nss/lib/util/nssutil.h
Просмотреть файл

@ -51,10 +51,10 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.12.4.4 Beta"
#define NSSUTIL_VERSION "3.12.4.5"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 12
#define NSSUTIL_VPATCH 4
#define NSSUTIL_BETA PR_TRUE
#define NSSUTIL_BETA PR_FALSE
#endif /* __nssutil_h_ */

443
security/nss/lib/util/portreg.c
Просмотреть файл

@ -19,7 +19,9 @@
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Rob McCool (original author)
* Ken Key <key+mozilla@ksquared.net>
* Nelson Bolyard <nelson@bolyard.me>
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
@ -38,9 +40,7 @@
/*
* shexp.c: shell-like wildcard match routines
*
*
* See shexp.h for public documentation.
*
*/
#include "seccomon.h"
@ -50,73 +50,75 @@
static int
_valid_subexp(const char *exp, char stop)
_valid_subexp(const char *exp, char stop1, char stop2)
{
register int x,y,t;
int nsc,np,tld;
register int x;
int nsc = 0; /* Number of special characters */
int np; /* Number of pipe characters in union */
int tld = 0; /* Number of tilde characters */
x=0;nsc=0;tld=0;
while(exp[x] && (exp[x] != stop)) {
for (x = 0; exp[x] && (exp[x] != stop1) && (exp[x] != stop2); ++x) {
switch(exp[x]) {
case '~':
if(tld) return INVALID_SXP;
else ++tld;
case '*':
case '?':
case '^':
case '$':
case '~':
if(tld) /* at most one exclusion */
return INVALID_SXP;
if (stop1) /* no exclusions within unions */
return INVALID_SXP;
if (!exp[x+1]) /* exclusion cannot be last character */
return INVALID_SXP;
if (!x) /* exclusion cannot be first character */
return INVALID_SXP;
++tld;
/* fall through */
case '*':
case '?':
case '$':
++nsc;
break;
case '[':
case '[':
++nsc;
if((!exp[++x]) || (exp[x] == ']'))
return INVALID_SXP;
for(++x;exp[x] && (exp[x] != ']');++x)
if(exp[x] == '\\')
if(!exp[++x])
return INVALID_SXP;
for(; exp[x] && (exp[x] != ']'); ++x) {
if(exp[x] == '\\' && !exp[++x])
return INVALID_SXP;
}
if(!exp[x])
return INVALID_SXP;
break;
case '(':
++nsc;np = 0;
while(1) {
if(exp[++x] == ')')
return INVALID_SXP;
for(y=x;(exp[y]) && (exp[y] != '|') && (exp[y] != ')');++y)
if(exp[y] == '\\')
if(!exp[++y])
return INVALID_SXP;
if(!exp[y])
return INVALID_SXP;
if(exp[y] == '|')
++np;
t = _valid_subexp(&exp[x],exp[y]);
if(t == INVALID_SXP)
case '(':
++nsc;
if (stop1) /* no nested unions */
return INVALID_SXP;
np = -1;
do {
int t = _valid_subexp(&exp[++x], ')', '|');
if(t == 0 || t == INVALID_SXP)
return INVALID_SXP;
x+=t;
if(exp[x] == ')') {
if(!np)
return INVALID_SXP;
break;
}
}
if(!exp[x])
return INVALID_SXP;
++np;
} while (exp[x] == '|' );
if(np < 1) /* must be at least one pipe */
return INVALID_SXP;
break;
case ')':
case ']':
case ')':
case '|':
case ']':
return INVALID_SXP;
case '\\':
case '\\':
++nsc;
if(!exp[++x])
return INVALID_SXP;
default:
break;
default:
break;
}
++x;
}
if((!stop) && (!nsc))
if((!stop1) && (!nsc)) /* must be at least one special character */
return NON_SXP;
return ((exp[x] == stop) ? x : INVALID_SXP);
return ((exp[x] == stop1 || exp[x] == stop2) ? x : INVALID_SXP);
}
int
@ -124,7 +126,7 @@ PORT_RegExpValid(const char *exp)
{
int x;
x = _valid_subexp(exp, '\0');
x = _valid_subexp(exp, '\0', '\0');
return (x < 0 ? x : VALID_SXP);
}
@ -136,156 +138,245 @@ PORT_RegExpValid(const char *exp)
#define NOMATCH 1
#define ABORTED -1
static int _shexp_match(const char *str, const char *exp, PRBool case_insensitive);
static int
_handle_union(const char *str, const char *exp, PRBool case_insensitive)
{
char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));
register int t,p2,p1 = 1;
int cp;
_shexp_match(const char *str, const char *exp, PRBool case_insensitive,
unsigned int level);
while(1) {
for(cp=1;exp[cp] != ')';cp++)
if(exp[cp] == '\\')
++cp;
for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {
if(exp[p1] == '\\')
e2[p2++] = exp[p1++];
e2[p2] = exp[p1];
}
for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}
if(_shexp_match(str,e2, case_insensitive) == MATCH) {
PORT_Free(e2);
return MATCH;
}
if(p1 == cp) {
PORT_Free(e2);
return NOMATCH;
}
else ++p1;
/* Count characters until we reach a NUL character or either of the
* two delimiter characters, stop1 or stop2. If we encounter a bracketed
* expression, look only for NUL or ']' inside it. Do not look for stop1
* or stop2 inside it. Return ABORTED if bracketed expression is unterminated.
* Handle all escaping.
* Return index in input string of first stop found, or ABORTED if not found.
* If "dest" is non-NULL, copy counted characters to it and NUL terminate.
*/
static int
_scan_and_copy(const char *exp, char stop1, char stop2, char *dest)
{
register int sx; /* source index */
register char cc;
for (sx = 0; (cc = exp[sx]) && cc != stop1 && cc != stop2; sx++) {
if (cc == '\\') {
if (!exp[++sx])
return ABORTED; /* should be impossible */
} else if (cc == '[') {
while ((cc = exp[++sx]) && cc != ']') {
if(cc == '\\' && !exp[++sx])
return ABORTED;
}
if (!cc)
return ABORTED; /* should be impossible */
}
}
if (dest && sx) {
/* Copy all but the closing delimiter. */
memcpy(dest, exp, sx);
dest[sx] = 0;
}
return cc ? sx : ABORTED; /* index of closing delimiter */
}
/* On input, exp[0] is the opening parenthesis of a union.
* See if any of the alternatives in the union matches as a pattern.
* The strategy is to take each of the alternatives, in turn, and append
* the rest of the expression (after the closing ')' that marks the end of
* this union) to that alternative, and then see if the resultant expression
* matches the input string. Repeat this until some alternative matches,
* or we have an abort.
*/
static int
_handle_union(const char *str, const char *exp, PRBool case_insensitive,
unsigned int level)
{
register int sx; /* source index */
int cp; /* source index of closing parenthesis */
int count;
int ret = NOMATCH;
char *e2;
/* Find the closing parenthesis that ends this union in the expression */
cp = _scan_and_copy(exp, ')', '\0', NULL);
if (cp == ABORTED || cp < 4) /* must be at least "(a|b" before ')' */
return ABORTED;
++cp; /* now index of char after closing parenthesis */
e2 = (char *) PORT_Alloc(1 + strlen(exp));
if (!e2)
return ABORTED;
for (sx = 1; ; ++sx) {
/* Here, exp[sx] is one character past the preceeding '(' or '|'. */
/* Copy everything up to the next delimiter to e2 */
count = _scan_and_copy(exp + sx, ')', '|', e2);
if (count == ABORTED || !count) {
ret = ABORTED;
break;
}
sx += count;
/* Append everything after closing parenthesis to e2. This is safe. */
strcpy(e2+count, exp+cp);
ret = _shexp_match(str, e2, case_insensitive, level + 1);
if (ret != NOMATCH || !exp[sx] || exp[sx] == ')')
break;
}
PORT_Free(e2);
if (sx < 2)
ret = ABORTED;
return ret;
}
/* returns 1 if val is in range from start..end, case insensitive. */
static int
_is_char_in_range(int start, int end, int val)
{
char map[256];
memset(map, 0, sizeof map);
while (start <= end)
map[tolower(start++)] = 1;
return map[tolower(val)];
}
static int
_shexp_match(const char *str, const char *exp, PRBool case_insensitive)
_shexp_match(const char *str, const char *exp, PRBool case_insensitive,
unsigned int level)
{
register int x,y;
register int x; /* input string index */
register int y; /* expression index */
int ret,neg;
ret = 0;
for(x=0,y=0;exp[y];++y,++x) {
if((!str[x]) && (exp[y] != '(') && (exp[y] != '$') && (exp[y] != '*'))
ret = ABORTED;
else {
switch(exp[y]) {
case '$':
if( (str[x]) )
ret = NOMATCH;
else
--x; /* we don't want loop to increment x */
break;
case '*':
while(exp[++y] == '*'){}
if(!exp[y])
return MATCH;
while(str[x]) {
switch(_shexp_match(&str[x++],&exp[y], case_insensitive)) {
case NOMATCH:
continue;
case ABORTED:
ret = ABORTED;
break;
default:
return MATCH;
}
break;
}
if((exp[y] == '$') && (exp[y+1] == '\0') && (!str[x]))
return MATCH;
else
ret = ABORTED;
break;
case '[':
neg = ((exp[++y] == '^') && (exp[y+1] != ']'));
if (neg)
++y;
if ((isalnum(exp[y])) && (exp[y+1] == '-') &&
(isalnum(exp[y+2])) && (exp[y+3] == ']'))
{
int start = exp[y], end = exp[y+2];
/* no safeguards here */
if(neg ^ ((str[x] < start) || (str[x] > end))) {
ret = NOMATCH;
break;
}
y+=3;
}
else {
int matched;
for (matched=0;exp[y] != ']';y++)
matched |= (str[x] == exp[y]);
if (neg ^ (!matched))
ret = NOMATCH;
}
break;
case '(':
return _handle_union(&str[x],&exp[y], case_insensitive);
break;
case '?':
break;
case '\\':
++y;
default:
if(case_insensitive)
{
if(toupper(str[x]) != toupper(exp[y]))
ret = NOMATCH;
}
else
{
if(str[x] != exp[y])
ret = NOMATCH;
}
break;
}
}
if(ret)
break;
if (level > 20) /* Don't let the stack get too deep. */
return ABORTED;
for(x = 0, y = 0; exp[y]; ++y, ++x) {
if((!str[x]) && (exp[y] != '$') && (exp[y] != '*')) {
return NOMATCH;
}
switch(exp[y]) {
case '$':
if(str[x])
return NOMATCH;
--x; /* we don't want loop to increment x */
break;
case '*':
while(exp[++y] == '*'){}
if(!exp[y])
return MATCH;
while(str[x]) {
ret = _shexp_match(&str[x++], &exp[y], case_insensitive,
level + 1);
switch(ret) {
case NOMATCH:
continue;
case ABORTED:
return ABORTED;
default:
return MATCH;
}
}
if((exp[y] == '$') && (exp[y+1] == '\0') && (!str[x]))
return MATCH;
else
return NOMATCH;
case '[': {
int start, end = 0, i;
neg = ((exp[++y] == '^') && (exp[y+1] != ']'));
if (neg)
++y;
i = y;
start = (unsigned char)(exp[i++]);
if (start == '\\')
start = (unsigned char)(exp[i++]);
if (isalnum(start) && exp[i++] == '-') {
end = (unsigned char)(exp[i++]);
if (end == '\\')
end = (unsigned char)(exp[i++]);
}
if (isalnum(end) && exp[i] == ']') {
/* This is a range form: a-b */
int val = (unsigned char)(str[x]);
if (end < start) { /* swap them */
start ^= end;
end ^= start;
start ^= end;
}
if (case_insensitive && isalpha(val)) {
val = _is_char_in_range(start, end, val);
if (neg == val)
return NOMATCH;
} else if (neg != ((val < start) || (val > end))) {
return NOMATCH;
}
y = i;
} else {
/* Not range form */
int matched = 0;
for (; exp[y] != ']'; y++) {
if (exp[y] == '\\')
++y;
if(case_insensitive) {
matched |= (toupper(str[x]) == toupper(exp[y]));
} else {
matched |= (str[x] == exp[y]);
}
}
if (neg == matched)
return NOMATCH;
}
}
break;
case '(':
if (!exp[y+1])
return ABORTED;
return _handle_union(&str[x], &exp[y], case_insensitive, level);
case '?':
break;
case '|':
case ']':
case ')':
return ABORTED;
case '\\':
++y;
/* fall through */
default:
if(case_insensitive) {
if(toupper(str[x]) != toupper(exp[y]))
return NOMATCH;
} else {
if(str[x] != exp[y])
return NOMATCH;
}
break;
}
}
return (ret ? ret : (str[x] ? NOMATCH : MATCH));
return (str[x] ? NOMATCH : MATCH);
}
static int
port_RegExpMatch(const char *str, const char *xp, PRBool case_insensitive) {
register int x;
port_RegExpMatch(const char *str, const char *xp, PRBool case_insensitive)
{
char *exp = 0;
int x, ret = MATCH;
if (!strchr(xp, '~'))
return _shexp_match(str, xp, case_insensitive, 0);
exp = PORT_Strdup(xp);
if(!exp)
return 1;
return NOMATCH;
for(x=strlen(exp)-1;x;--x) {
if((exp[x] == '~') && (exp[x-1] != '\\')) {
exp[x] = '\0';
if(_shexp_match(str,&exp[++x], case_insensitive) == MATCH)
goto punt;
break;
x = _scan_and_copy(exp, '~', '\0', NULL);
if (x != ABORTED && exp[x] == '~') {
exp[x++] = '\0';
ret = _shexp_match(str, &exp[x], case_insensitive, 0);
switch (ret) {
case NOMATCH: ret = MATCH; break;
case MATCH: ret = NOMATCH; break;
default: break;
}
}
if(_shexp_match(str,exp, case_insensitive) == MATCH) {
PORT_Free(exp);
return 0;
}
if (ret == MATCH)
ret = _shexp_match(str, exp, case_insensitive, 0);
punt:
PORT_Free(exp);
return 1;
return ret;
}

40
security/nss/lib/util/portreg.h
Просмотреть файл

@ -19,6 +19,8 @@
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Rob McCool (original author)
* Nelson Bolyard <nelson@bolyard.me>
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
@ -37,7 +39,6 @@
/*
* shexp.h: Defines and prototypes for shell exp. match routines
*
*
* This routine will match a string with a shell expression. The expressions
* accepted are based loosely on the expressions accepted by zsh.
*
@ -45,15 +46,34 @@
* o ? matches one character
* o \ will escape a special character
* o $ matches the end of the string
* o [abc] matches one occurence of a, b, or c. The only character that needs
* to be escaped in this is ], all others are not special.
* o [a-z] matches any character between a and z
* o [^az] matches any character except a or z
* o ~ followed by another shell expression will remove any pattern
* matching the shell expression from the match list
* o (foo|bar) will match either the substring foo, or the substring bar.
* These can be shell expressions as well.
*
* Bracketed expressions:
* o [abc] matches one occurence of a, b, or c.
* o [^abc] matches any character except a, b, or c.
* To be matched between [ and ], these characters must be escaped: \ ]
* No other characters need be escaped between brackets.
* Unnecessary escaping is permitted.
* o [a-z] matches any character between a and z, inclusive.
* The two range-definition characters must be alphanumeric ASCII.
* If one is upper case and the other is lower case, then the ASCII
* non-alphanumeric characters between Z and a will also be in range.
* o [^a-z] matches any character except those between a and z, inclusive.
* These forms cannot be combined, e.g [a-gp-z] does not work.
* o Exclusions:
* As a top level, outter-most expression only, the expression
* foo~bar will match the expression foo, provided it does not also
* match the expression bar. Either expression or both may be a union.
* Except between brackets, any unescaped ~ is an exclusion.
* At most one exclusion is permitted.
* Exclusions cannot be nested (contain other exclusions).
* example: *~abc will match any string except abc
* o Unions:
* (foo|bar) will match either the expression foo, or the expression bar.
* At least one '|' separator is required. More are permitted.
* Expressions inside unions may not include unions or exclusions.
* Inside a union, to be matched and not treated as a special character,
* these characters must be escaped: \ ( | ) [ ~ except when they occur
* inside a bracketed expression, where only \ and ] require escaping.
*
* The public interface to these routines is documented below.
*
*/

4
security/nss/lib/util/secport.c
Просмотреть файл

@ -41,7 +41,7 @@
*
* NOTE - These are not public interfaces
*
* $Id: secport.c,v 1.23 2008/08/22 01:33:05 wtc%google.com Exp $
* $Id: secport.c,v 1.24 2009/07/30 23:28:21 nelson%bolyard.com Exp $
*/
#include "seccomon.h"
@ -287,6 +287,8 @@ PORT_FreeArena(PLArenaPool *arena, PRBool zero)
static const PRVersionDescription * pvd;
static PRBool doFreeArenaPool = PR_FALSE;
if (!pool)
return;
if (ARENAPOOL_MAGIC == pool->magic ) {
len = sizeof *pool;
lock = pool->lock;

16
security/nss/tests/chains/chains.sh
Просмотреть файл

@ -74,7 +74,8 @@ chains_init()
CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//")
CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000)
PK7_NONCE=$CERT_SN_CNT;
PK7_NONCE=$CERT_SN_CNT
SCEN_CNT=0
AIA_FILES="${HOSTDIR}/aiafiles"
@ -415,16 +416,16 @@ process_crldp()
"
for ITEM in ${CRLDP}; do
CRL_PUBLIC="${HOST}-$$-${ITEM}.crl"
CRL_PUBLIC="${HOST}-$$-${ITEM}-${SCEN_CNT}.crl"
EXT_DATA="${EXT_DATA}7
${NSS_AIA_HTTP}/${CRL_PUBLIC}
"
done
EXT_DATA="${EXT_DATA}0
0
0
EXT_DATA="${EXT_DATA}-1
-1
-1
n
n
"
@ -459,7 +460,7 @@ copy_crl()
fi
CRL_LOCAL="${COPYCRL}.crl"
CRL_PUBLIC="${HOST}-$$-${COPYCRL}.crl"
CRL_PUBLIC="${HOST}-$$-${COPYCRL}-${SCEN_CNT}.crl"
cp ${CRL_LOCAL} ${NSS_AIA_PATH}/${CRL_PUBLIC} 2> /dev/null
chmod a+r ${NSS_AIA_PATH}/${CRL_PUBLIC}
@ -857,6 +858,7 @@ parse_config()
EXT_KU=
EXT_NS=
EXT_EKU=
SERIAL=
;;
"type")
TYPE="${VALUE}"
@ -978,6 +980,8 @@ parse_config()
LOGNAME="libpkix-${VALUE}"
LOGFILE="${LOGDIR}/${LOGNAME}"
fi
SCEN_CNT=$(expr ${SCEN_CNT} + 1)
;;
"sleep")
sleep ${VALUE}

97
security/nss/tests/chains/scenarios/crldp.cfg Normal file
Просмотреть файл

@ -0,0 +1,97 @@
scenario CRLDP
entity Root
type Root
entity CA0
type Intermediate
issuer Root
entity CA1
type Intermediate
crldp CA0
issuer CA0
serial 10
aia CA0:Root
entity EE11
type EE
crldp CA0
issuer CA1
entity CA2
type Intermediate
crldp CA0
issuer CA0
serial 20
aia CA0:Root
entity EE21
type EE
issuer CA2
entity EE1
type EE
crldp CA0
issuer CA0
serial 30
aia CA0:Root
entity EE2
type EE
crldp CA0
issuer CA0
serial 40
aia CA0:Root
crl Root
crl CA0
crl CA1
crl CA2
revoke CA0
serial 20
revoke CA0
serial 40
copycrl CA0
db All
import Root::CTu,CTu,CTu
# intermediate CA - OK, EE - OK
verify EE11:CA1
cert CA1:CA0
trust Root:
fetch
rev_type chain
rev_mtype crl
result pass
# intermediate CA - revoked, EE - OK
verify EE21:CA2
cert CA2:CA0
trust Root:
fetch
rev_type chain
rev_mtype crl
result fail
# direct EE - OK
verify EE1:CA0
trust Root:
fetch
rev_type leaf
rev_mtype crl
result pass
# direct EE - revoked
verify EE2:CA0
trust Root:
fetch
rev_type leaf
rev_mtype crl
result fail

24
security/nss/tests/chains/scenarios/ocsp.cfg
Просмотреть файл

@ -23,6 +23,7 @@ verify OCSPEE11:x
cert OCSPCA1:x
trust OCSPRoot
rev_type leaf
rev_flags requireFreshInfo
rev_mtype ocsp
result pass
@ -31,6 +32,7 @@ verify OCSPEE12:x
cert OCSPCA1:x
trust OCSPRoot
rev_type leaf
rev_flags requireFreshInfo
rev_mtype ocsp
result fail
@ -51,7 +53,7 @@ verify OCSPEE15:x
rev_mtype ocsp
result fail
#EE - OK, CA - revoked, leaf
#EE - OK, CA - revoked, leaf, no fresh info
verify OCSPEE21:x
cert OCSPCA2:x
trust OCSPRoot
@ -59,7 +61,16 @@ verify OCSPEE21:x
rev_mtype ocsp
result pass
#EE - OK, CA - revoked, chain
#EE - OK, CA - revoked, leaf, requireFreshInfo
verify OCSPEE21:x
cert OCSPCA2:x
trust OCSPRoot
rev_type leaf
rev_flags requireFreshInfo
rev_mtype ocsp
result fail
#EE - OK, CA - revoked, chain, requireFreshInfo
verify OCSPEE21:x
cert OCSPCA2:x
trust OCSPRoot
@ -112,6 +123,15 @@ verify OCSPEE15:x
rev_mflags failIfNoInfo
result fail
#EE - OK, CA - revoked, leaf, failIfNoInfo
verify OCSPEE21:x
cert OCSPCA2:x
trust OCSPRoot
rev_type leaf
rev_mtype ocsp
rev_mflags failIfNoInfo
result fail
testdb OCSPCA1
#EE - OK on OCSP, revoked locally - should fail ??