mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 858231: Upgrade to NSS 3.15 BETA 2. r=wtc.

This commit is contained in:
Wan-Teh Chang 2013-04-29 16:21:02 -07:00
Родитель 98ca2f77c2
Коммит dbbcacbbc3
39 изменённых файлов: 2025 добавлений и 414 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

37
security/nss/Makefile
Просмотреть файл

@ -44,15 +44,9 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (7) Execute "local" rules. (OPTIONAL). #
#######################################################################
nss_build_all: build_coreconf build_nspr all
nss_build_all: build_nspr all
nss_clean_all: clobber_coreconf clobber_nspr clobber
build_coreconf:
$(MAKE) -C $(CORE_DEPTH)/coreconf
clobber_coreconf:
$(MAKE) -C $(CORE_DEPTH)/coreconf clobber
nss_clean_all: clobber_nspr clobber
NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/config.status
NSPR_CONFIGURE = $(CORE_DEPTH)/../nspr/configure
@ -102,7 +96,7 @@ NSPR_PREFIX = $$(topsrcdir)/../dist/$(OBJDIR_NAME)
endif
$(NSPR_CONFIG_STATUS): $(NSPR_CONFIGURE)
$(NSINSTALL) -D $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
mkdir -p $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
cd $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) ; \
$(NSPR_COMPILERS) sh ../configure \
$(NSPR_CONFIGURE_OPTS) \
@ -121,30 +115,7 @@ build_docs:
clean_docs:
$(MAKE) -C $(CORE_DEPTH)/doc clean
moz_import::
ifeq (,$(filter-out WIN%,$(OS_TARGET)))
$(NSINSTALL) -D $(DIST)/include/nspr
cp $(DIST)/../include/nspr/*.h $(DIST)/include/nspr
cp $(DIST)/../include/* $(DIST)/include
ifdef BUILD_OPT
cp $(DIST)/../WIN32_O.OBJ/lib/* $(DIST)/lib
else
cp $(DIST)/../WIN32_D.OBJ/lib/* $(DIST)/lib
endif
mv $(DIST)/lib/dbm32.lib $(DIST)/lib/dbm.lib
else
ifeq ($(OS_TARGET),OS2)
cp -rf $(DIST)/../include $(DIST)
cp -rf $(DIST)/../lib $(DIST)
cp -f $(DIST)/lib/libmozdbm_s.$(LIB_SUFFIX) $(DIST)/lib/libdbm.$(LIB_SUFFIX)
else
$(NSINSTALL) -L ../../dist include $(DIST)
$(NSINSTALL) -L ../../dist lib $(DIST)
cp $(DIST)/lib/libmozdbm_s.$(LIB_SUFFIX) $(DIST)/lib/libdbm.$(LIB_SUFFIX)
endif
endif
nss_RelEng_bld: build_coreconf import all
nss_RelEng_bld: import all
package:
$(MAKE) -C pkg publish

2
security/nss/TAG-INFO
Просмотреть файл

@ -1 +1 @@
NSS_3_15_BETA1
NSS_3_15_BETA2

21
security/nss/cmd/certutil/certutil.c
Просмотреть файл

@ -962,6 +962,8 @@ PrintSyntax(char *progName)
FPS "\t%s -D -n cert-name [-d certdir] [-P dbprefix]\n", progName);
FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
progName);
FPS "\t%s -F -n nickname [-d certdir] [-P dbprefix]\n",
progName);
FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n"
"\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
FPS "\t%s -G [-h token-name] -k dsa [-q pqgfile -g key-size] [-f pwfile]\n"
@ -1221,6 +1223,24 @@ static void luD(enum usage_level ul, const char *command)
}
static void luF(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "F"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Delete a key from the database\n",
"-F");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s The nickname of the key to delete\n",
" -n cert-name");
FPS "%-20s Cert database directory (default is ~/.netscape)\n",
" -d certdir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
FPS "\n");
}
static void luU(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "U"));
@ -1608,6 +1628,7 @@ static void LongUsage(char *progName, enum usage_level ul, const char *command)
luC(ul, command);
luG(ul, command);
luD(ul, command);
luF(ul, command);
luU(ul, command);
luK(ul, command);
luL(ul, command);

21
security/nss/cmd/lib/basicutil.c
Просмотреть файл

@ -43,7 +43,8 @@ SECU_GetWrapEnabled(void)
}
void
SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...)
SECU_PrintErrMsg(FILE *out, int level, const char *progName, const char *msg,
...)
{
va_list args;
PRErrorCode err = PORT_GetError();
@ -63,26 +64,32 @@ SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...)
}
void
SECU_PrintError(char *progName, char *msg, ...)
SECU_PrintError(const char *progName, const char *msg, ...)
{
va_list args;
PRErrorCode err = PORT_GetError();
const char * errString = PORT_ErrorToString(err);
const char * errName = PR_ErrorToName(err);
const char * errString = PR_ErrorToString(err, 0);
va_start(args, msg);
fprintf(stderr, "%s: ", progName);
vfprintf(stderr, msg, args);
if (errName != NULL) {
fprintf(stderr, ": %s", errName);
} else {
fprintf(stderr, ": error %d", (int)err);
}
if (errString != NULL && PORT_Strlen(errString) > 0)
fprintf(stderr, ": %s\n", errString);
else
fprintf(stderr, ": error %d\n", (int)err);
va_end(args);
}
void
SECU_PrintSystemError(char *progName, char *msg, ...)
SECU_PrintSystemError(const char *progName, const char *msg, ...)
{
va_list args;
@ -614,7 +621,7 @@ SECU_GetOptionArg(const secuCommand *cmd, int optionNum)
void
SECU_PrintPRandOSError(char *progName)
SECU_PrintPRandOSError(const char *progName)
{
char buffer[513];
PRInt32 errLen = PR_GetErrorTextLength();

9
security/nss/cmd/lib/basicutil.h
Просмотреть файл

@ -23,13 +23,14 @@ typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level);
#endif
/* print out an error message */
extern void SECU_PrintError(char *progName, char *msg, ...);
extern void SECU_PrintError(const char *progName, const char *msg, ...);
/* print out a system error message */
extern void SECU_PrintSystemError(char *progName, char *msg, ...);
extern void SECU_PrintSystemError(const char *progName, const char *msg, ...);
/* print a formatted error message */
extern void SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...);
extern void SECU_PrintErrMsg(FILE *out, int level, const char *progName,
const char *msg, ...);
/* Read the contents of a file into a SECItem */
extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);
@ -68,7 +69,7 @@ extern void SECU_PrintString(FILE *out, const SECItem *si, const char *m,
int level);
extern void SECU_PrintAny(FILE *out, const SECItem *i, const char *m, int level);
extern void SECU_PrintPRandOSError(char *progName);
extern void SECU_PrintPRandOSError(const char *progName);
/* Caller ensures that dst is at least item->len*2+1 bytes long */
void

19
security/nss/cmd/lib/secutil.c
Просмотреть файл

@ -504,6 +504,8 @@ SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii)
/* Read in ascii data */
rv = SECU_FileToItem(&filedata, inFile);
if (rv != SECSuccess)
return rv;
asc = (char *)filedata.data;
if (!asc) {
fprintf(stderr, "unable to read data from input file\n");
@ -519,20 +521,27 @@ SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii)
body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */
if (body)
trailer = strstr(++body, "-----END");
if (trailer != NULL) {
if (trailer != NULL)
*trailer = '\0';
} else {
if (!body || !trailer) {
fprintf(stderr, "input has header but no trailer\n");
PORT_Free(filedata.data);
return SECFailure;
}
} else {
body = asc;
/* need one additional byte for zero terminator */
rv = SECITEM_ReallocItem(NULL, &filedata, filedata.len, filedata.len+1);
if (rv != SECSuccess) {
PORT_Free(filedata.data);
return rv;
}
body = (char*)filedata.data;
body[filedata.len-1] = '\0';
}
/* Convert to binary */
rv = ATOB_ConvertAsciiToItem(der, body);
if (rv) {
if (rv != SECSuccess) {
fprintf(stderr, "error converting ascii to binary (%s)\n",
SECU_Strerror(PORT_GetError()));
PORT_Free(filedata.data);
@ -543,7 +552,7 @@ SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii)
} else {
/* Read in binary der */
rv = SECU_FileToItem(der, inFile);
if (rv) {
if (rv != SECSuccess) {
fprintf(stderr, "error converting der (%s)\n",
SECU_Strerror(PORT_GetError()));
return SECFailure;

0
security/nss/cmd/pk11gcmtest/Makefile Normal file → Executable file
Просмотреть файл

1
security/nss/coreconf/coreconf.dep
Просмотреть файл

@ -10,3 +10,4 @@
*/
#error "Do not include this header file."

206
security/nss/doc/certutil.xml
Просмотреть файл

@ -21,7 +21,7 @@
<refnamediv>
<refname>certutil</refname>
<refpurpose>Manage keys and certificate in the the NSS database.</refpurpose>
<refpurpose>Manage keys and certificate in both NSS databases and other NSS tokens</refpurpose>
</refnamediv>
<refsynopsisdiv>
@ -41,21 +41,20 @@
<refsection id="description">
<title>Description</title>
<para>The Certificate Database Tool, <command>certutil</command>, is a command-line utility that manages certs and keys in both NSS databases and other NSS tokens (such as smart cards). It can specifically list, generate, modify, or delete certificates within the database, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</para>
<para>The key and certificate management process generally includes certificate issuance once keys and certificates have been created in the key database. This document discusses certificate and key database management. For information security module database management, see the <command>modutil</command> manpage.</para>
<para>The Certificate Database Tool, <command>certutil</command>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</para>
<para>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <command>modutil</command> manpage.</para>
</refsection>
<refsection id="options">
<title>Options and Arguments</title>
<para>Running <command>certutil</command> always requires one and only one option to specify the type of certificate operation. Each option may take arguments, anywhere from none to multiple arguments. Run the command option and <option>-H</option> to see the arguments available for each command option.</para>
<title>Command Options and Arguments</title>
<para>Running <command>certutil</command> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <option>-H</option> will list all the command options and their relevant arguments.</para>
<para><command>Command Options</command></para>
<para>Command options are typically upper case. </para>
<variablelist>
<varlistentry>
<term>-A </term>
<listitem><para>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default. </para></listitem>
<listitem><para>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</para></listitem>
</varlistentry>
<varlistentry>
@ -89,12 +88,12 @@ When you delete keys, be sure to also remove any certificates associated with th
<varlistentry>
<term>-G </term>
<listitem><para>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</para></listitem>
<listitem><para>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</para></listitem>
</varlistentry>
<varlistentry>
<term>-H </term>
<listitem><para>Display a list of the command options and arguments used by the Certificate Database Tool.</para></listitem>
<listitem><para>Display a list of the command options and arguments.</para></listitem>
</varlistentry>
<varlistentry>
@ -125,7 +124,7 @@ Use the -h tokenname argument to specify the certificate database on a particula
<varlistentry>
<term>-R</term>
<listitem><para>Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.
<listitem><para>Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.
Use the -a argument to specify ASCII output.</para></listitem>
</varlistentry>
@ -157,7 +156,7 @@ Use the -a argument to specify ASCII output.</para></listitem>
<varlistentry>
<term>--merge</term>
<listitem><para>Merge a source database into the target database. This is used to merge legacy NSS databases (<filename>cert8.db</filename> and <filename>key3.db</filename>) into the newer SQLite databases (<filename>cert9.db</filename> and <filename>key4.db</filename>).</para></listitem>
<listitem><para>Merge two databases into one.</para></listitem>
</varlistentry>
<varlistentry>
@ -194,13 +193,13 @@ If this option is not used, the validity check defaults to the current system ti
<term>-d [prefix]directory</term>
<listitem>
<para>Specify the database directory containing the certificate and key database files.</para>
<para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para>
<para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para>
<para>NSS recognizes the following prefixes:</para>
<itemizedlist>
<listitem><para><command>sql: explicitly requests the newer database</command></para></listitem>
<listitem><para><command>dbm: explicitly requests the older database</command></para></listitem>
<listitem><para><command>extern: explicitly reserved for future use</command></para></listitem>
<listitem><para><command>sql: requests the newer database</command></para></listitem>
<listitem><para><command>dbm: requests the legacy database</command></para></listitem>
</itemizedlist>
<para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.</para>
</listitem>
</varlistentry>
@ -224,7 +223,7 @@ If this option is not used, the validity check defaults to the current system ti
<varlistentry>
<term>-h tokenname</term>
<listitem><para>Specify the name of a token to use or act on. Unless specified otherwise the default token is an internal slot.</para></listitem>
<listitem><para>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</para></listitem>
</varlistentry>
<varlistentry>
@ -232,24 +231,12 @@ If this option is not used, the validity check defaults to the current system ti
<listitem><para>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</para></listitem>
</varlistentry>
<varlistentry>
<term>-k rsa|dsa|ec|all</term>
<listitem><para>Specify the type of a key. The valid options are RSA, DSA, ECC, or all. The default value is rsa. Specifying the type of key can avoid mistakes caused by duplicate nicknames.</para></listitem>
</varlistentry>
<varlistentry>
<term>-k key-type-or-id</term>
<listitem>
<para>Specify the type or specific ID of a key. </para>
<para>Specify the type or specific ID of a key.</para>
<para>
The valid key type options are RSA, DSA, ECC, or all. The default
value is rsa. Specifying the type of key can avoid mistakes caused by
duplicate nicknames. Giving a key type generates a new key pair;
giving the ID of an existing key reuses that key pair (which is
required to renew certificates).
</para>
<para>
The valid key type options are RSA, DSA, ECC, or all. The default
The valid key type options are rsa, dsa, ec, or all. The default
value is rsa. Specifying the type of key can avoid mistakes caused by
duplicate nicknames. Giving a key type generates a new key pair;
giving the ID of an existing key reuses that key pair (which is
@ -265,8 +252,7 @@ If this option is not used, the validity check defaults to the current system ti
<varlistentry>
<term>-m serial-number</term>
<listitem><para>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is
provided a default serial number is made from the current time. Serial numbers are limited to integers </para></listitem>
<listitem><para>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers </para></listitem>
</varlistentry>
<varlistentry>
@ -357,7 +343,7 @@ of the attribute codes:
</listitem>
<listitem>
<para>
<command>C</command> - rusted CA for client authentication (ssl server only)
<command>C</command> - trusted CA for client authentication (ssl server only)
</para>
</listitem>
<listitem>
@ -747,28 +733,11 @@ of the attribute codes:
<para>
For example:
</para>
<programlisting>$ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:/home/my/sharednssdb -p 650-555-0123 -a -o cert.cer
<programlisting>$ certutil -R -k rsa -g 1024 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:$HOME/nssdb -p 650-555-0123 -a -o cert.cer
Generating key. This may take a few moments...
Certificate request generated by Netscape
Phone: 650-555-0123
Common Name: John Smith
Email: (not ed)
Organization: Example Corp
State: California
Country: US
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBIDCBywIBADBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW
MBQGA1UEBxMNTW91bnRhaW4gVmlldzEVMBMGA1UEChMMRXhhbXBsZSBDb3JwMRMw
EQYDVQQDEwpKb2huIFNtaXRoMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ
KmHnOx7reP8Cc0Lk+fFWEuYIDX9W5K/BioQOKvEjXyQZhit9aThzBVMoSf1Y1S8J
CzdUbCg1+IbnXaECAwEAAaAAMA0GCSqGSIb3DQEBBQUAA0EAryqZvpYrUtQ486Ny
qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB
1hP9Gg==
-----END NEW CERTIFICATE REQUEST-----</programlisting>
</programlisting>
<para><command>Creating a Certificate</command></para>
<para>
@ -776,12 +745,15 @@ qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB
</para>
<programlisting>$ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID]</programlisting>
<para>
The series of numbers and <option>--ext*</option> options set certificate extensions that can be added to the certificate when it is generated by the CA.
The series of numbers and <option>--ext*</option> options set certificate extensions that can be added to the certificate when it is generated by the CA. Interactive prompts will result.
</para>
<para>
For example, this creates a self-signed certificate:
</para>
<programlisting>$ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650</programlisting>
<para>
The interative prompts for key usage and whether any extensions are critical and responses have been ommitted for brevity.
</para>
<para>
From there, new certificates can reference the self-signed certificate:
</para>
@ -795,18 +767,7 @@ qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB
<para>
For example:
</para>
<programlisting>$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d sql:/home/my/sharednssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com</programlisting>
<para><command>Generating Key Pairs</command></para>
<para>
Key pairs are generated automatically with a certificate request or certificate, but they can also be generated independently using the <option>-G</option> command option.
</para>
<programlisting>certutil -G -d [sql:]directory | -h tokenname -k key-type -g key-size [-y exponent-value] -q pqgfile|curve-name</programlisting>
<para>
For example:
</para>
<programlisting>$ certutil -G -h lunasa -k ec -g 256 -q sect193r2</programlisting>
<programlisting>$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d sql:$HOME/nssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com</programlisting>
<para><command>Listing Certificates</command></para>
<para>
@ -824,30 +785,87 @@ Certificate Authority - Example Domain CT,C,C</programlist
<para>
Using additional arguments with <option>-L</option> can return and print the information for a single, specific certificate. For example, the <option>-n</option> argument passes the certificate name, while the <option>-a</option> argument prints the certificate in ASCII format:
</para>
<programlisting>$ certutil -L -d sql:/home/my/sharednssdb -a -n "Certificate Authority - Example Domain"
<programlisting>
$ certutil -L -d sql:$HOME/nssdb -a -n my-ca-cert
-----BEGIN CERTIFICATE-----
MIIDmTCCAoGgAwIBAgIBATANBgkqhkiG9w0BAQUFADA5MRcwFQYDVQQKEw5FeGFt
cGxlIERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEw
MDQyOTIxNTY1OFoXDTEyMDQxODIxNTY1OFowOTEXMBUGA1UEChMORXhhbXBsZSBE
b21haW4xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAO/bqUli2KwqXFKmMMG93KN1SANzNTXA/Vlf
Tmrih3hQgjvR1ktIY9aG6cB7DSKWmtHp/+p4PUCMqL4ZrSGt901qxkePyZ2dYmM2
RnelK+SEUIPiUtoZaDhNdiYsE/yuDE8vQWj0vHCVL0w72qFUcSQ/WZT7FCrnUIUI
udeWnoPSUn70gLhcj/lvxl7K9BHyD4Sq5CzktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2
bP4iRMfloGqsxGuB1evWVDF1haGpFDSPgMnEPSLg3/3dXn+HDJbZ29EU8/xKzQEb
3V0AHKbu80zGllLEt2Zx/WDIrgJEN9yMfgKFpcmL+BvIRsmh0VsCAwEAAaOBqzCB
qDAfBgNVHSMEGDAWgBQATgxHQyRUfKIZtdp55bZlFr+tFzAPBgNVHRMBAf8EBTAD
AQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/
rRcwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUFBzABhilodHRwOi8vbG9jYWxob3N0
LmxvY2FsZG9tYWluOjkxODAvY2Evb2NzcDANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk
L3XO43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3KROLWeKVZZZa2E2Hnsvf2uXbk5amKe
lRxdSeRH9g85pv4KY7Z8xZ71NrI3+K3uwmnqkc6t0hhYb1mw/gx8OAAoluQx3biX
JBDxjI73Cf7XUopplHBjjiwyGIJUO8BEZJ5L+TF4P38MJz1snLtzZpEAX5bl0U76
bfu/tZFWBbE8YAWYtkCtMcalBPj6jn2WD3M01kGozW4mmbvsj1cRB9HnsGsqyHCu
U0ujlL1H/RWcjn607+CTeKH9jLMUqCIqPJNOa+kq/6F7NhNRRiuzASIbZc30BZ5a
nI7q5n1USM3eWQlVXw==
-----END CERTIFICATE-----</programlisting>
MIIB1DCCAT2gAwIBAgICDkIwDQYJKoZIhvcNAQEFBQAwFTETMBEGA1UEAxMKRXhh
bXBsZSBDQTAeFw0xMzAzMTMxOTEwMjlaFw0xMzA2MTMxOTEwMjlaMBUxEzARBgNV
BAMTCkV4YW1wbGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ4Kzqvz
JyBVgFqDXRYSyTBNw1DrxUU/3GvWA/ngjAwHEv0Cul/6sO/gsCvnABHiH6unns6x
XRzPORlC2WY3gkk7vmlsLvYpyecNazAi/NAwVnU/66HOsaoVFWE+gBQo99UrN2yk
0BiK/GMFlLm5dXQROgA9ZKKyFdI0LIXtf6SbAgMBAAGjMzAxMBEGCWCGSAGG+EIB
AQQEAwIHADAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B
AQUFAAOBgQA6chkzkACN281d1jKMrc+RHG2UMaQyxiteaLVZO+Ro1nnRUvseDf09
XKYFwPMJjWCihVku6bw/ihZfuMHhxK22Nue6inNQ6eDu7WmrqL8z3iUrQwxs+WiF
ob2rb8XRVVJkzXdXxlk4uo3UtNvw8sAz7sWD71qxKaIHU5q49zijfg==
-----END CERTIFICATE-----
</programlisting>
<pa>For a humam-readable display</para>
<programlisting>$ certutil -L -d sql:$HOME/nssdb -n my-ca-cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3650 (0xe42)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Example CA"
Validity:
Not Before: Wed Mar 13 19:10:29 2013
Not After : Thu Jun 13 19:10:29 2013
Subject: "CN=Example CA"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
9e:0a:ce:ab:f3:27:20:55:80:5a:83:5d:16:12:c9:30:
4d:c3:50:eb:c5:45:3f:dc:6b:d6:03:f9:e0:8c:0c:07:
12:fd:02:ba:5f:fa:b0:ef:e0:b0:2b:e7:00:11:e2:1f:
ab:a7:9e:ce:b1:5d:1c:cf:39:19:42:d9:66:37:82:49:
3b:be:69:6c:2e:f6:29:c9:e7:0d:6b:30:22:fc:d0:30:
56:75:3f:eb:a1:ce:b1:aa:15:15:61:3e:80:14:28:f7:
d5:2b:37:6c:a4:d0:18:8a:fc:63:05:94:b9:b9:75:74:
11:3a:00:3d:64:a2:b2:15:d2:34:2c:85:ed:7f:a4:9b
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Type
Data: none
Name: Certificate Basic Constraints
Data: Is a CA with no maximum path length.
Name: Certificate Key Usage
Critical: True
Usages: Certificate Signing
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
3a:72:19:33:90:00:8d:db:cd:5d:d6:32:8c:ad:cf:91:
1c:6d:94:31:a4:32:c6:2b:5e:68:b5:59:3b:e4:68:d6:
79:d1:52:fb:1e:0d:fd:3d:5c:a6:05:c0:f3:09:8d:60:
a2:85:59:2e:e9:bc:3f:8a:16:5f:b8:c1:e1:c4:ad:b6:
36:e7:ba:8a:73:50:e9:e0:ee:ed:69:ab:a8:bf:33:de:
25:2b:43:0c:6c:f9:68:85:a1:bd:ab:6f:c5:d1:55:52:
64:cd:77:57:c6:59:38:ba:8d:d4:b4:db:f0:f2:c0:33:
ee:c5:83:ef:5a:b1:29:a2:07:53:9a:b8:f7:38:a3:7e
Fingerprint (MD5):
86:D8:A5:8B:8A:26:BE:9E:17:A8:7B:66:10:6B:27:80
Fingerprint (SHA1):
48:78:09:EF:C5:D4:0C:BD:D2:64:45:59:EB:03:13:15:F7:A9:D6:F7
Certificate Trust Flags:
SSL Flags:
Valid CA
Trusted CA
User
Email Flags:
Valid CA
Trusted CA
User
Object Signing Flags:
Valid CA
Trusted CA
User
</programlisting>
<para><command>Listing Keys</command></para>
<para>
@ -856,7 +874,7 @@ nI7q5n1USM3eWQlVXw==
<para>
To list all keys in the database, use the <option>-K</option> command option and the (required) <option>-d</option> argument to give the path to the directory.
</para>
<programlisting>$ certutil -K -d sql:/home/my/sharednssdb
<programlisting>$ certutil -K -d sql:$HOME/nssdb
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services "
&lt; 0> rsa 455a6673bde9375c2887ec8bf8016b3f9f35861d Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
&lt; 1> rsa 40defeeb522ade11090eacebaaf1196a172127df Example Domain Administrator Cert
@ -1013,7 +1031,7 @@ some flexibility that allows applications to use their own, independent database
requires more flexibility to provide a truly shared security database.</para>
<para>In 2009, NSS introduced a new set of databases that are SQLite databases rather than
BerkleyDB. These new databases provide more accessibility and performance:</para>
BerkeleyDB. These new databases provide more accessibility and performance:</para>
<itemizedlist>
<listitem>
<para>
@ -1027,7 +1045,7 @@ BerkleyDB. These new databases provide more accessibility and performance:</para
</listitem>
<listitem>
<para>
pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
pkcs11.txt, a listing of all of the PKCS #11 modules, contained in a new subdirectory in the security databases directory
</para>
</listitem>
</itemizedlist>
@ -1110,7 +1128,7 @@ Using the SQLite databases must be manually specified by using the <command>sql:
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
@ -1119,9 +1137,7 @@ Using the SQLite databases must be manually specified by using the <command>sql:
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>

6
security/nss/doc/cmsutil.xml
Просмотреть файл

@ -260,7 +260,7 @@ cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
@ -269,9 +269,7 @@ cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>

6
security/nss/doc/crlutil.xml
Просмотреть файл

@ -518,7 +518,7 @@ crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbpr
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
@ -527,9 +527,7 @@ crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbpr
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>

6
security/nss/doc/derdump.xml
Просмотреть файл

@ -80,7 +80,7 @@
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape and now with Red Hat.</para>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Gerhardus Geldenhuis &lt;gerhardus.geldenhuis@gmail.com>. Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com&gt;
</para>
@ -89,9 +89,7 @@
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>

6
security/nss/doc/modutil.xml
Просмотреть файл

@ -743,7 +743,7 @@ Using the SQLite databases must be manually specified by using the <command>sql:
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
@ -752,9 +752,7 @@ Using the SQLite databases must be manually specified by using the <command>sql:
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>

6
security/nss/doc/pk12util.xml
Просмотреть файл

@ -498,7 +498,7 @@ Using the SQLite databases must be manually specified by using the <command>sql:
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
@ -507,9 +507,7 @@ Using the SQLite databases must be manually specified by using the <command>sql:
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>

8
security/nss/doc/pp.xml
Просмотреть файл

@ -84,7 +84,7 @@
<refsection id="resources">
<title>Additional Resources</title>
<para>NSS is maintained in conjunction with PKI and security-related projects through Mozilla dn Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <ulink url="http://pki.fedoraproject.org/wiki/">PKI Wiki</ulink>. </para>
<para>NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <ulink url="http://pki.fedoraproject.org/wiki/">PKI Wiki</ulink>. </para>
<para>For information specifically about NSS, the NSS project wiki is located at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">Mozilla NSS site</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
<para>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</para>
<para>IRC: Freenode at #dogtag-pki</para>
@ -93,7 +93,7 @@
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
@ -102,9 +102,7 @@
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>

6
security/nss/doc/signtool.xml
Просмотреть файл

@ -662,7 +662,7 @@ token: Communicator Certificate DB
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
@ -671,9 +671,7 @@ token: Communicator Certificate DB
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>

6
security/nss/doc/signver.xml
Просмотреть файл

@ -214,7 +214,7 @@ Using the SQLite databases must be manually specified by using the <command>sql:
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
@ -223,9 +223,7 @@ Using the SQLite databases must be manually specified by using the <command>sql:
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>

6
security/nss/doc/ssltap.xml
Просмотреть файл

@ -567,7 +567,7 @@ the default BadCert callback, the one you supply must allow for this possibility
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
@ -576,9 +576,7 @@ the default BadCert callback, the one you supply must allow for this possibility
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>

6
security/nss/doc/vfychain.xml
Просмотреть файл

@ -216,7 +216,7 @@
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
@ -225,9 +225,7 @@
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>

6
security/nss/doc/vfyserv.xml
Просмотреть файл

@ -69,7 +69,7 @@
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
@ -78,9 +78,7 @@
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>

3
security/nss/lib/certdb/alg1485.c
Просмотреть файл

@ -83,6 +83,9 @@ static const NameToKind name2kinds[] = {
SEC_ASN1_PRINTABLE_STRING},
{ "businessCategory", 64, SEC_OID_BUSINESS_CATEGORY, SEC_ASN1_DS},
/* values defined in X.520 */
{ "name", 64, SEC_OID_AVA_NAME, SEC_ASN1_DS},
{ 0, 256, SEC_OID_UNKNOWN, 0},
};

1738
security/nss/lib/ckfw/builtins/certdata.txt
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

4
security/nss/lib/ckfw/builtins/nssckbi.h
Просмотреть файл

@ -45,8 +45,8 @@
* of the comment in the CK_VERSION type definition.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 93
#define NSS_BUILTINS_LIBRARY_VERSION "1.93"
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 94
#define NSS_BUILTINS_LIBRARY_VERSION "1.94"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

8
security/nss/lib/freebl/blapit.h
Просмотреть файл

@ -81,6 +81,14 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
*/
#define MAX_ECKEY_LEN 72 /* Bytes */
#ifdef NSS_ECC_MORE_THAN_SUITE_B
#define EC_MAX_KEY 571 /* in bits */
#define EC_MIN_KEY 112 /* in bits */
#else
#define EC_MAX_KEY 521 /* in bits */
#define EC_MIN_KEY 256 /* in bits */
#endif
/* EC point compression format */
#define EC_POINT_FORM_COMPRESSED_Y0 0x02
#define EC_POINT_FORM_COMPRESSED_Y1 0x03

13
security/nss/lib/freebl/ecl/ecp_192.c
Просмотреть файл

@ -6,14 +6,13 @@
#include "mpi.h"
#include "mplogic.h"
#include "mpi-priv.h"
#include <stdlib.h>
#define ECP192_DIGITS ECL_CURVE_DIGITS(192)
/* Fast modular reduction for p192 = 2^192 - 2^64 - 1. a can be r. Uses
* algorithm 7 from Brown, Hankerson, Lopez, Menezes. Software
* Implementation of the NIST Elliptic Curves over Prime Fields. */
mp_err
static mp_err
ec_GFp_nistp192_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
{
mp_err res = MP_OKAY;
@ -254,7 +253,7 @@ ec_GFp_nistp192_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
* number of words are so small, we don't want to overhead of mp function
* calls. Uses optimized modular reduction for p192.
*/
mp_err
static mp_err
ec_GFp_nistp192_add(const mp_int *a, const mp_int *b, mp_int *r,
const GFMethod *meth)
{
@ -335,7 +334,7 @@ ec_GFp_nistp192_add(const mp_int *a, const mp_int *b, mp_int *r,
* number of words are so small, we don't want to overhead of mp function
* calls. Uses optimized modular reduction for p192.
*/
mp_err
static mp_err
ec_GFp_nistp192_sub(const mp_int *a, const mp_int *b, mp_int *r,
const GFMethod *meth)
{
@ -414,7 +413,7 @@ ec_GFp_nistp192_sub(const mp_int *a, const mp_int *b, mp_int *r,
/* Compute the square of polynomial a, reduce modulo p192. Store the
* result in r. r could be a. Uses optimized modular reduction for p192.
*/
mp_err
static mp_err
ec_GFp_nistp192_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
{
mp_err res = MP_OKAY;
@ -428,7 +427,7 @@ ec_GFp_nistp192_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
/* Compute the product of two polynomials a and b, reduce modulo p192.
* Store the result in r. r could be a or b; a could be b. Uses
* optimized modular reduction for p192. */
mp_err
static mp_err
ec_GFp_nistp192_mul(const mp_int *a, const mp_int *b, mp_int *r,
const GFMethod *meth)
{
@ -442,7 +441,7 @@ ec_GFp_nistp192_mul(const mp_int *a, const mp_int *b, mp_int *r,
/* Divides two field elements. If a is NULL, then returns the inverse of
* b. */
mp_err
static mp_err
ec_GFp_nistp192_div(const mp_int *a, const mp_int *b, mp_int *r,
const GFMethod *meth)
{

9
security/nss/lib/freebl/ecl/ecp_224.c
Просмотреть файл

@ -6,14 +6,13 @@
#include "mpi.h"
#include "mplogic.h"
#include "mpi-priv.h"
#include <stdlib.h>
#define ECP224_DIGITS ECL_CURVE_DIGITS(224)
/* Fast modular reduction for p224 = 2^224 - 2^96 + 1. a can be r. Uses
* algorithm 7 from Brown, Hankerson, Lopez, Menezes. Software
* Implementation of the NIST Elliptic Curves over Prime Fields. */
mp_err
static mp_err
ec_GFp_nistp224_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
{
mp_err res = MP_OKAY;
@ -275,7 +274,7 @@ ec_GFp_nistp224_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
/* Compute the square of polynomial a, reduce modulo p224. Store the
* result in r. r could be a. Uses optimized modular reduction for p224.
*/
mp_err
static mp_err
ec_GFp_nistp224_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
{
mp_err res = MP_OKAY;
@ -289,7 +288,7 @@ ec_GFp_nistp224_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
/* Compute the product of two polynomials a and b, reduce modulo p224.
* Store the result in r. r could be a or b; a could be b. Uses
* optimized modular reduction for p224. */
mp_err
static mp_err
ec_GFp_nistp224_mul(const mp_int *a, const mp_int *b, mp_int *r,
const GFMethod *meth)
{
@ -303,7 +302,7 @@ ec_GFp_nistp224_mul(const mp_int *a, const mp_int *b, mp_int *r,
/* Divides two field elements. If a is NULL, then returns the inverse of
* b. */
mp_err
static mp_err
ec_GFp_nistp224_div(const mp_int *a, const mp_int *b, mp_int *r,
const GFMethod *meth)
{

7
security/nss/lib/freebl/ecl/ecp_384.c
Просмотреть файл

@ -6,12 +6,11 @@
#include "mpi.h"
#include "mplogic.h"
#include "mpi-priv.h"
#include <stdlib.h>
/* Fast modular reduction for p384 = 2^384 - 2^128 - 2^96 + 2^32 - 1. a can be r.
* Uses algorithm 2.30 from Hankerson, Menezes, Vanstone. Guide to
* Elliptic Curve Cryptography. */
mp_err
static mp_err
ec_GFp_nistp384_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
{
mp_err res = MP_OKAY;
@ -219,7 +218,7 @@ ec_GFp_nistp384_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
/* Compute the square of polynomial a, reduce modulo p384. Store the
* result in r. r could be a. Uses optimized modular reduction for p384.
*/
mp_err
static mp_err
ec_GFp_nistp384_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
{
mp_err res = MP_OKAY;
@ -233,7 +232,7 @@ ec_GFp_nistp384_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
/* Compute the product of two polynomials a and b, reduce modulo p384.
* Store the result in r. r could be a or b; a could be b. Uses
* optimized modular reduction for p384. */
mp_err
static mp_err
ec_GFp_nistp384_mul(const mp_int *a, const mp_int *b, mp_int *r,
const GFMethod *meth)
{

9
security/nss/lib/freebl/ecl/ecp_521.c
Просмотреть файл

@ -6,14 +6,13 @@
#include "mpi.h"
#include "mplogic.h"
#include "mpi-priv.h"
#include <stdlib.h>
#define ECP521_DIGITS ECL_CURVE_DIGITS(521)
/* Fast modular reduction for p521 = 2^521 - 1. a can be r. Uses
* algorithm 2.31 from Hankerson, Menezes, Vanstone. Guide to
* Elliptic Curve Cryptography. */
mp_err
static mp_err
ec_GFp_nistp521_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
{
mp_err res = MP_OKAY;
@ -72,7 +71,7 @@ ec_GFp_nistp521_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
/* Compute the square of polynomial a, reduce modulo p521. Store the
* result in r. r could be a. Uses optimized modular reduction for p521.
*/
mp_err
static mp_err
ec_GFp_nistp521_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
{
mp_err res = MP_OKAY;
@ -86,7 +85,7 @@ ec_GFp_nistp521_sqr(const mp_int *a, mp_int *r, const GFMethod *meth)
/* Compute the product of two polynomials a and b, reduce modulo p521.
* Store the result in r. r could be a or b; a could be b. Uses
* optimized modular reduction for p521. */
mp_err
static mp_err
ec_GFp_nistp521_mul(const mp_int *a, const mp_int *b, mp_int *r,
const GFMethod *meth)
{
@ -100,7 +99,7 @@ ec_GFp_nistp521_mul(const mp_int *a, const mp_int *b, mp_int *r,
/* Divides two field elements. If a is NULL, then returns the inverse of
* b. */
mp_err
static mp_err
ec_GFp_nistp521_div(const mp_int *a, const mp_int *b, mp_int *r,
const GFMethod *meth)
{

154
security/nss/lib/pkcs7/certread.c
Просмотреть файл

@ -3,7 +3,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "cert.h"
#include "secpkcs7.h"
#include "base64.h"
#include "secitem.h"
#include "secder.h"
@ -12,26 +11,137 @@
#include "secerr.h"
SEC_ASN1_MKSUB(SEC_AnyTemplate)
SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate)
SECStatus
typedef struct ContentInfoStr ContentInfo;
typedef struct DegenerateSignedDataStr DegenerateSignedData;
struct ContentInfoStr {
SECOidTag contentTypeTag; /* local; not part of encoding */
SECItem contentType;
union {
SECItem *data;
DegenerateSignedData *signedData;
} content;
};
struct DegenerateSignedDataStr {
SECItem version;
SECItem **digestAlgorithms;
ContentInfo contentInfo;
SECItem **certificates;
SECItem **crls;
SECItem **signerInfos;
};
static const SEC_ASN1Template *
choose_content_template(void *src_or_dest, PRBool encoding);
static const SEC_ASN1TemplateChooserPtr template_chooser
= choose_content_template;
static const SEC_ASN1Template ContentInfoTemplate[] = {
{ SEC_ASN1_SEQUENCE,
0, NULL, sizeof(ContentInfo) },
{ SEC_ASN1_OBJECT_ID,
offsetof(ContentInfo,contentType) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_DYNAMIC |
SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
offsetof(ContentInfo,content),
&template_chooser },
{ 0 }
};
static const SEC_ASN1Template DegenerateSignedDataTemplate[] = {
{ SEC_ASN1_SEQUENCE,
0, NULL, sizeof(DegenerateSignedData) },
{ SEC_ASN1_INTEGER,
offsetof(DegenerateSignedData,version) },
{ SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
offsetof(DegenerateSignedData,digestAlgorithms),
SEC_ASN1_SUB(SEC_AnyTemplate) },
{ SEC_ASN1_INLINE,
offsetof(DegenerateSignedData,contentInfo),
ContentInfoTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
SEC_ASN1_XTRN | 0,
offsetof(DegenerateSignedData,certificates),
SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
SEC_ASN1_XTRN | 1,
offsetof(DegenerateSignedData,crls),
SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
{ SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
offsetof(DegenerateSignedData,signerInfos),
SEC_ASN1_SUB(SEC_AnyTemplate) },
{ 0 }
};
static const SEC_ASN1Template PointerToDegenerateSignedDataTemplate[] = {
{ SEC_ASN1_POINTER, 0, DegenerateSignedDataTemplate }
};
static SECOidTag
GetContentTypeTag(ContentInfo *cinfo)
{
if (cinfo->contentTypeTag == SEC_OID_UNKNOWN)
cinfo->contentTypeTag = SECOID_FindOIDTag(&cinfo->contentType);
return cinfo->contentTypeTag;
}
static const SEC_ASN1Template *
choose_content_template(void *src_or_dest, PRBool encoding)
{
const SEC_ASN1Template *theTemplate;
ContentInfo *cinfo;
SECOidTag kind;
PORT_Assert(src_or_dest != NULL);
if (src_or_dest == NULL)
return NULL;
cinfo = (ContentInfo*)src_or_dest;
kind = GetContentTypeTag(cinfo);
switch (kind) {
default:
theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
break;
case SEC_OID_PKCS7_DATA:
theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate);
break;
case SEC_OID_PKCS7_SIGNED_DATA:
theTemplate = PointerToDegenerateSignedDataTemplate;
break;
}
return theTemplate;
}
static SECStatus
SEC_ReadPKCS7Certs(SECItem *pkcs7Item, CERTImportCertificateFunc f, void *arg)
{
SEC_PKCS7ContentInfo *contentInfo = NULL;
ContentInfo contentInfo;
SECStatus rv;
SECItem **certs;
int count;
PRArenaPool *arena;
contentInfo = SEC_PKCS7DecodeItem(pkcs7Item, NULL, NULL, NULL, NULL, NULL,
NULL, NULL);
if ( contentInfo == NULL ) {
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if ( arena == NULL ) {
return SECFailure;
}
PORT_Memset(&contentInfo, 0, sizeof(contentInfo));
rv = SEC_ASN1DecodeItem(arena, &contentInfo, ContentInfoTemplate,
pkcs7Item);
if ( rv != SECSuccess ) {
goto loser;
}
if ( SEC_PKCS7ContentType (contentInfo) != SEC_OID_PKCS7_SIGNED_DATA ) {
if ( GetContentTypeTag(&contentInfo) != SEC_OID_PKCS7_SIGNED_DATA ) {
goto loser;
}
certs = contentInfo->content.signedData->rawCerts;
certs = contentInfo.content.signedData->certificates;
if ( certs ) {
count = 0;
@ -39,7 +149,7 @@ SEC_ReadPKCS7Certs(SECItem *pkcs7Item, CERTImportCertificateFunc f, void *arg)
count++;
certs++;
}
rv = (* f)(arg, contentInfo->content.signedData->rawCerts, count);
rv = (* f)(arg, contentInfo.content.signedData->certificates, count);
}
rv = SECSuccess;
@ -49,8 +159,8 @@ loser:
rv = SECFailure;
done:
if ( contentInfo ) {
SEC_PKCS7DestroyContentInfo(contentInfo);
if ( arena ) {
PORT_FreeArena(arena, PR_FALSE);
}
return(rv);
@ -60,7 +170,7 @@ const SEC_ASN1Template SEC_CertSequenceTemplate[] = {
{ SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
};
SECStatus
static SECStatus
SEC_ReadCertSequence(SECItem *certsItem, CERTImportCertificateFunc f, void *arg)
{
SECStatus rv;
@ -68,26 +178,26 @@ SEC_ReadCertSequence(SECItem *certsItem, CERTImportCertificateFunc f, void *arg)
int count;
SECItem **rawCerts = NULL;
PRArenaPool *arena;
SEC_PKCS7ContentInfo *contentInfo = NULL;
ContentInfo contentInfo;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
if ( arena == NULL ) {
return SECFailure;
}
contentInfo = SEC_PKCS7DecodeItem(certsItem, NULL, NULL, NULL, NULL, NULL,
NULL, NULL);
if ( contentInfo == NULL ) {
PORT_Memset(&contentInfo, 0, sizeof(contentInfo));
rv = SEC_ASN1DecodeItem(arena, &contentInfo, ContentInfoTemplate,
certsItem);
if ( rv != SECSuccess ) {
goto loser;
}
if ( SEC_PKCS7ContentType (contentInfo) != SEC_OID_NS_TYPE_CERT_SEQUENCE ) {
if ( GetContentTypeTag(&contentInfo) != SEC_OID_NS_TYPE_CERT_SEQUENCE ) {
goto loser;
}
rv = SEC_QuickDERDecodeItem(arena, &rawCerts, SEC_CertSequenceTemplate,
contentInfo->content.data);
contentInfo.content.data);
if (rv != SECSuccess) {
goto loser;
@ -111,10 +221,6 @@ loser:
rv = SECFailure;
done:
if ( contentInfo ) {
SEC_PKCS7DestroyContentInfo(contentInfo);
}
if ( arena ) {
PORT_FreeArena(arena, PR_FALSE);
}

12
security/nss/lib/softoken/pkcs11.c
Просмотреть файл

@ -304,10 +304,14 @@ static const struct mechanismList mechanisms[] = {
CKF_DERIVE}, PR_TRUE},
#ifdef NSS_ENABLE_ECC
/* -------------------- Elliptic Curve Operations --------------------- */
{CKM_EC_KEY_PAIR_GEN, {112, 571, CKF_GENERATE_KEY_PAIR|CKF_EC_BPNU}, PR_TRUE},
{CKM_ECDH1_DERIVE, {112, 571, CKF_DERIVE|CKF_EC_BPNU}, PR_TRUE},
{CKM_ECDSA, {112, 571, CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE},
{CKM_ECDSA_SHA1, {112, 571, CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE},
{CKM_EC_KEY_PAIR_GEN, {EC_MIN_KEY, EC_MAX_KEY,
CKF_GENERATE_KEY_PAIR|CKF_EC_BPNU}, PR_TRUE},
{CKM_ECDH1_DERIVE, {EC_MIN_KEY, EC_MAX_KEY,
CKF_DERIVE|CKF_EC_BPNU}, PR_TRUE},
{CKM_ECDSA, {EC_MIN_KEY, EC_MAX_KEY,
CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE},
{CKM_ECDSA_SHA1, {EC_MIN_KEY, EC_MAX_KEY,
CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE},
#endif /* NSS_ENABLE_ECC */
/* ------------------------- RC2 Operations --------------------------- */
{CKM_RC2_KEY_GEN, {1, 128, CKF_GENERATE}, PR_TRUE},

5
security/nss/lib/ssl/derive.c
Просмотреть файл

@ -764,8 +764,9 @@ SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
requiredECCbits = signatureKeyStrength;
ec_curve =
ssl3_GetCurveWithECKeyStrength(SSL3_SUPPORTED_CURVES_MASK,
requiredECCbits);
ssl3_GetCurveWithECKeyStrength(
ssl3_GetSupportedECCCurveMask(NULL),
requiredECCbits);
rv = ssl3_ECName2Params(NULL, ec_curve, &ecParams);
if (rv == SECFailure) {
break;

2
security/nss/lib/ssl/ssl3con.c
Просмотреть файл

@ -10469,7 +10469,7 @@ ssl3_InitState(sslSocket *ss)
ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
#ifdef NSS_ENABLE_ECC
ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK;
ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCCurveMask(ss);
#endif
ssl_ReleaseSpecWriteLock(ss);

67
security/nss/lib/ssl/ssl3ecc.c
Просмотреть файл

@ -960,7 +960,16 @@ PRBool
ssl3_IsECCEnabled(sslSocket * ss)
{
const ssl3CipherSuite * suite;
PK11SlotInfo *slot;
/* make sure we can do ECC */
slot = PK11_GetBestSlot(CKM_ECDH1_DERIVE, ss->pkcs11PinArg);
if (!slot) {
return PR_FALSE;
}
PK11_FreeSlot(slot);
/* make sure an ECC cipher is enabled */
for (suite = ecSuites; *suite; ++suite) {
PRBool enabled = PR_FALSE;
SECStatus rv = ssl3_CipherPrefGet(ss, *suite, &enabled);
@ -974,21 +983,20 @@ ssl3_IsECCEnabled(sslSocket * ss)
#define BE(n) 0, n
#ifndef NSS_ECC_MORE_THAN_SUITE_B
/* Prefabricated TLS client hello extension, Elliptic Curves List,
* offers only 3 curves, the Suite B curves, 23-25
*/
static const PRUint8 EClist[12] = {
static const PRUint8 suiteBECList[12] = {
BE(10), /* Extension type */
BE( 8), /* octets that follow ( 3 pairs + 1 length pair) */
BE( 6), /* octets that follow ( 3 pairs) */
BE(23), BE(24), BE(25)
};
#else
/* Prefabricated TLS client hello extension, Elliptic Curves List,
* offers curves 1-25.
*/
static const PRUint8 EClist[56] = {
static const PRUint8 tlsECList[56] = {
BE(10), /* Extension type */
BE(52), /* octets that follow (25 pairs + 1 length pair) */
BE(50), /* octets that follow (25 pairs) */
@ -997,7 +1005,6 @@ static const PRUint8 EClist[56] = {
BE(16), BE(17), BE(18), BE(19), BE(20), BE(21), BE(22), BE(23),
BE(24), BE(25)
};
#endif
static const PRUint8 ECPtFmt[6] = {
BE(11), /* Extension type */
@ -1006,6 +1013,29 @@ static const PRUint8 ECPtFmt[6] = {
0 /* uncompressed type only */
};
/* This function already presumes we can do ECC, ssl_IsECCEnabled must be
* called before this function. It looks to see if we have a token which
* is capable of doing smaller than SuiteB curves. If the token can, we
* presume the token can do the whole SSL suite of curves. If it can't we
* presume the token that allowed ECC to be enabled can only do suite B
* curves. */
static PRBool
ssl3_SuiteBOnly(sslSocket *ss)
{
/* look to see if we can handle certs less than 163 bits */
PK11SlotInfo *slot =
PK11_GetBestSlotWithAttributes(CKM_ECDH1_DERIVE, 0, 163,
ss ? ss->pkcs11PinArg : NULL);
if (!slot) {
/* nope, presume we can only do suite B */
return PR_TRUE;
}
/* we can, presume we can do all curves */
PK11_FreeSlot(slot);
return PR_FALSE;
}
/* Send our "canned" (precompiled) Supported Elliptic Curves extension,
* which says that we support all TLS-defined named curves.
*/
@ -1015,10 +1045,22 @@ ssl3_SendSupportedCurvesXtn(
PRBool append,
PRUint32 maxBytes)
{
int ECListSize = 0;
const PRUint8 *ECList = NULL;
if (!ss || !ssl3_IsECCEnabled(ss))
return 0;
if (append && maxBytes >= (sizeof EClist)) {
SECStatus rv = ssl3_AppendHandshake(ss, EClist, (sizeof EClist));
if (ssl3_SuiteBOnly(ss)) {
ECListSize = sizeof (suiteBECList);
ECList = suiteBECList;
} else {
ECListSize = sizeof (tlsECList);
ECList = tlsECList;
}
if (append && maxBytes >= ECListSize) {
SECStatus rv = ssl3_AppendHandshake(ss, ECList, ECListSize);
if (rv != SECSuccess)
return -1;
if (!ss->sec.isServer) {
@ -1027,7 +1069,16 @@ ssl3_SendSupportedCurvesXtn(
ssl_elliptic_curves_xtn;
}
}
return (sizeof EClist);
return ECListSize;
}
PRInt32
ssl3_GetSupportedECCCurveMask(sslSocket *ss)
{
if (ssl3_SuiteBOnly(ss)) {
return SSL3_SUITE_B_SUPPORTED_CURVES_MASK;
}
return SSL3_ALL_SUPPORTED_CURVES_MASK;
}
/* Send our "canned" (precompiled) Supported Point Formats extension,

10
security/nss/lib/ssl/sslimpl.h
Просмотреть файл

@ -141,11 +141,9 @@ typedef enum { SSLAppOpRead = 0,
#define NUM_MIXERS 9
/* Mask of the 25 named curves we support. */
#ifndef NSS_ECC_MORE_THAN_SUITE_B
#define SSL3_SUPPORTED_CURVES_MASK 0x3800000 /* only 3 curves, suite B*/
#else
#define SSL3_SUPPORTED_CURVES_MASK 0x3fffffe
#endif
#define SSL3_ALL_SUPPORTED_CURVES_MASK 0x3fffffe
/* only 3 curves, suite B*/
#define SSL3_SUITE_B_SUPPORTED_CURVES_MASK 0x3800000
#ifndef BPB
#define BPB 8 /* Bits Per Byte */
@ -1493,6 +1491,8 @@ extern void ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss);
extern PRBool ssl3_IsECCEnabled(sslSocket *ss);
extern SECStatus ssl3_DisableECCSuites(sslSocket * ss,
const ssl3CipherSuite * suite);
extern PRInt32 ssl3_GetSupportedECCCurveMask(sslSocket *ss);
/* Macro for finding a curve equivalent in strength to RSA key's */
#define SSL_RSASTRENGTH_TO_ECSTRENGTH(s) \

2
security/nss/lib/ssl/sslsnce.c
Просмотреть файл

@ -2027,7 +2027,7 @@ ssl_GetSessionTicketKeys(unsigned char *keyName, unsigned char *encKey,
PRBool rv = PR_FALSE;
PRUint32 now = 0;
cacheDesc *cache = &globalCache;
uint8 ticketMacKey[AES_256_KEY_LENGTH], ticketEncKey[SHA256_LENGTH];
uint8 ticketMacKey[SHA256_LENGTH], ticketEncKey[AES_256_KEY_LENGTH];
uint8 ticketKeyNameSuffixLocal[SESS_TICKET_KEY_VAR_NAME_LEN];
uint8 *ticketMacKeyPtr, *ticketEncKeyPtr, *ticketKeyNameSuffix;
PRBool cacheIsEnabled = PR_TRUE;

5
security/nss/lib/util/secoid.c
Просмотреть файл

@ -272,6 +272,7 @@ CONST_OID x520BusinessCategory[] = { X520_ATTRIBUTE_TYPE, 15 };
CONST_OID x520PostalAddress[] = { X520_ATTRIBUTE_TYPE, 16 };
CONST_OID x520PostalCode[] = { X520_ATTRIBUTE_TYPE, 17 };
CONST_OID x520PostOfficeBox[] = { X520_ATTRIBUTE_TYPE, 18 };
CONST_OID x520Name[] = { X520_ATTRIBUTE_TYPE, 41 };
CONST_OID x520GivenName[] = { X520_ATTRIBUTE_TYPE, 42 };
CONST_OID x520Initials[] = { X520_ATTRIBUTE_TYPE, 43 };
CONST_OID x520GenerationQualifier[] = { X520_ATTRIBUTE_TYPE, 44 };
@ -1645,7 +1646,9 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
OD( msExtendedKeyUsageTrustListSigning,
SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING,
"Microsoft Trust List Signing",
CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION )
CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
OD( x520Name, SEC_OID_AVA_NAME,
"X520 Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION )
};
/* PRIVATE EXTENDED SECOID Table

3
security/nss/lib/util/secoidt.h
Просмотреть файл

@ -442,6 +442,9 @@ typedef enum {
*/
SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING = 316,
/* The 'name' attribute type in X.520 */
SEC_OID_AVA_NAME = 317,
SEC_OID_TOTAL
} SECOidTag;

4
security/nss/manifest.mn
Просмотреть файл

@ -10,6 +10,4 @@ IMPORTS = nspr20/v4.8 \
RELEASE = nss
DIRS = lib cmd
DIRS = coreconf lib cmd

0
security/nss/tests/libpkix/certs/make-ca-u50-u51 Normal file → Executable file
Просмотреть файл