mozilla
/
pjs
зеркало из https://github.com/mozilla/pjs.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 487721, deliver NSS 3.12.4 RC0 to mozilla-central 

r=wtc
This commit is contained in:
Kai Engert 2009-04-21 03:51:56 +02:00
Родитель 0421e8a1c5
Коммит 8823039b10
78 изменённых файлов: 1891 добавлений и 1198 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

6
security/coreconf/OSF1.mk
Просмотреть файл

@ -72,3 +72,9 @@ PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \
sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' -e 's,^,-exported_symbol ,' > $@
DSO_LDOPTS += -shared
# required for freebl
USE_64=1
# this platform name does not use a bit tag due to only having a 64-bit ABI
64BIT_TAG=

1
security/coreconf/coreconf.dep
Просмотреть файл

@ -43,3 +43,4 @@
#error "Do not include this header file."
/* NSS 3.12.4 Beta */

16
security/coreconf/location.mk
Просмотреть файл

@ -83,4 +83,20 @@ ifndef NSS_LIB_DIR
NSS_LIB_DIR = $(DIST)/lib
endif
ifdef NSSUTIL_INCLUDE_DIR
INCLUDES += -I$(NSSUTIL_INCLUDE_DIR)
endif
ifndef NSSUTIL_LIB_DIR
NSSUTIL_LIB_DIR = $(DIST)/lib
endif
ifdef SOFTOKEN_INCLUDE_DIR
INCLUDES += -I$(SOFTOKEN_INCLUDE_DIR)
endif
ifndef SOFTOKEN_LIB_DIR
SOFTOKEN_LIB_DIR = $(DIST)/lib
endif
MK_LOCATION = included

7
security/nss/cmd/lib/SECerrs.h
Просмотреть файл

@ -555,3 +555,10 @@ ER3(SEC_ERROR_PKCS11_FUNCTION_FAILED, (SEC_ERROR_BASE + 168),
ER3(SEC_ERROR_PKCS11_DEVICE_ERROR, (SEC_ERROR_BASE + 169),
"A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.")
ER3(SEC_ERROR_BAD_INFO_ACCESS_METHOD, (SEC_ERROR_BASE + 170),
"Unknown information access method in certificate extension.")
ER3(SEC_ERROR_CRL_IMPORT_FAILED, (SEC_ERROR_BASE + 171),
"Error attempting to import a CRL.")

2
security/nss/cmd/lib/secutil.c
Просмотреть файл

@ -2351,7 +2351,7 @@ SECU_PrintRDN(FILE *out, CERTRDN *rdn, char *msg, int level)
void
SECU_PrintName(FILE *out, CERTName *name, char *msg, int level)
{
char *nameStr;
char *nameStr = NULL;
char *str;
SECItem my;

20
security/nss/cmd/platlibs.mk
Просмотреть файл

@ -87,14 +87,7 @@ ifeq ($(OS_ARCH), WINNT)
DEFINES += -DNSS_USE_STATIC_LIBS
# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
ifdef MOZILLA_SECURITY_BUILD
CRYPTOLIB=$(DIST)/lib/crypto.lib
endif
ifdef MOZILLA_BSAFE_BUILD
CRYPTOLIB+=$(DIST)/lib/bsafe$(BSAFEVER).lib
CRYPTOLIB+=$(DIST)/lib/freebl.lib
endif
CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
PKIXLIB = \
$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX) \
@ -143,14 +136,7 @@ EXTRA_LIBS += \
else
# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
ifdef MOZILLA_SECURITY_BUILD
CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
endif
ifdef MOZILLA_BSAFE_BUILD
CRYPTOLIB+=$(DIST)/lib/$(LIB_PREFIX)bsafe.$(LIB_SUFFIX)
CRYPTOLIB+=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
endif
CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
PKIXLIB = \
$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
@ -202,6 +188,7 @@ endif
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
$(SQLITE) \
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
-lplc4 \
@ -253,6 +240,7 @@ EXTRA_SHARED_LIBS += \
-lssl3 \
-lsmime3 \
-lnss3 \
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
-lplc4 \

1
security/nss/cmd/shlibsign/Makefile
Просмотреть файл

@ -80,6 +80,7 @@ endif
CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX)
CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX))
CHECKLIBS += $(DIST)/lib/$(DLL_PREFIX)nssdbm3.$(DLL_SUFFIX)
CHECKLOC = $(CHECKLIBS:.$(DLL_SUFFIX)=.chk)
MD_LIB_RELEASE_FILES = $(CHECKLOC)

15
security/nss/lib/Makefile
Просмотреть файл

@ -84,18 +84,3 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (7) Execute "local" rules. (OPTIONAL). #
#######################################################################
ifdef MOZILLA_SECURITY_BUILD
FILES=$(shell ls -d $(CORE_DEPTH)/../../ns/security/lib/crypto/*)
export::
if test -d $(CORE_DEPTH)/../../ns/security/lib/crypto; then \
$(NSINSTALL) -D crypto; \
for file in $(FILES) ; do \
if test -f $$file; then \
$(INSTALL) -m 444 $$file crypto; \
fi; \
done; \
$(INSTALL) -m 444 freebl/sha_fast.c crypto; \
$(INSTALL) -m 444 freebl/sha_fast.h crypto; \
fi
endif

133
security/nss/lib/certdb/alg1485.c
Просмотреть файл

@ -757,9 +757,11 @@ CERT_GetOidString(const SECItem *oid)
CASE(3, 0x7f);
CASE(2, 0x7f);
CASE(1, 0x7f);
case 0: n |= last[0]; /* most significant bit is zero. */
case 0: n |= last[0] & 0x7f;
break;
}
if (last[0] & 0x80)
goto unsupported;
if (!rvString) {
/* This is the first number.. decompose it */
@ -785,9 +787,11 @@ CERT_GetOidString(const SECItem *oid)
CGET(3, 0x7f);
CGET(2, 0x7f);
CGET(1, 0x7f);
n |= last[0]; /* most significant bit is zero. */
CGET(0, 0x7f);
break;
}
if (last[0] & 0x80)
goto unsupported;
if (!rvString) {
/* This is the first number.. decompose it */
@ -905,18 +909,22 @@ get_hex_string(SECItem *data)
static SECStatus
AppendAVA(stringBuf *bufp, CERTAVA *ava, CertStrictnessLevel strict)
{
#define TMPBUF_LEN 384
const NameToKind *pn2k = name2kinds;
SECItem *avaValue = NULL;
char *unknownTag = NULL;
char *encodedAVA = NULL;
PRBool useHex = PR_FALSE; /* use =#hexXXXX form */
PRBool truncateName = PR_FALSE;
PRBool truncateValue = PR_FALSE;
SECOidTag endKind;
SECStatus rv;
unsigned int len;
int nameLen, valueLen;
unsigned int nameLen, valueLen;
unsigned int maxName, maxValue;
EQMode mode = minimalEscapeAndQuote;
NameToKind n2k = { NULL, 32767, SEC_OID_UNKNOWN, SEC_ASN1_DS };
char tmpBuf[384];
char tmpBuf[TMPBUF_LEN];
#define tagName n2k.name /* non-NULL means use NAME= form */
#define maxBytes n2k.maxLen
@ -971,61 +979,102 @@ AppendAVA(stringBuf *bufp, CERTAVA *ava, CertStrictnessLevel strict)
}
}
if (strict == CERT_N2A_READABLE) {
if (maxBytes > sizeof(tmpBuf) - 4)
maxBytes = sizeof(tmpBuf) - 4;
/* Check value length. Must be room for "..." */
if (avaValue->len > maxBytes + 3) {
/* avaValue is a UTF8 string, freshly allocated and returned to us
** by CERT_DecodeAVAValue or get_hex_string just above, so we can
** modify it here. See if we're in the middle of a multi-byte
** UTF8 character.
*/
len = maxBytes;
while (((avaValue->data[len] & 0xc0) == 0x80) && len > 0) {
len--;
}
/* add elipsis to signify truncation. */
avaValue->data[len++] = '.';
avaValue->data[len++] = '.';
avaValue->data[len++] = '.';
avaValue->data[len] = 0;
avaValue->len = len;
}
}
nameLen = strlen(tagName);
valueLen = (useHex ? avaValue->len :
cert_RFC1485_GetRequiredLen(avaValue->data, avaValue->len,
&mode));
len = nameLen + valueLen + 2; /* Add 2 for '=' and trailing NUL */
maxName = nameLen;
maxValue = valueLen;
if (len <= sizeof(tmpBuf)) {
encodedAVA = tmpBuf;
} else if (strict == CERT_N2A_READABLE) {
PORT_SetError(SEC_ERROR_OUTPUT_LEN);
} else {
} else if (strict != CERT_N2A_READABLE) {
encodedAVA = PORT_Alloc(len);
if (!encodedAVA) {
SECITEM_FreeItem(avaValue, PR_TRUE);
if (unknownTag)
PR_smprintf_free(unknownTag);
return SECFailure;
}
} else {
/* Must make output fit in tmpbuf */
unsigned int fair = (sizeof tmpBuf)/2 - 1; /* for = and \0 */
if (nameLen < fair) {
/* just truncate the value */
maxValue = (sizeof tmpBuf) - (nameLen + 6); /* for "=...\0",
and possibly '"' */
} else if (valueLen < fair) {
/* just truncate the name */
maxName = (sizeof tmpBuf) - (valueLen + 5); /* for "=...\0" */
} else {
/* truncate both */
maxName = maxValue = fair - 3; /* for "..." */
}
if (nameLen > maxName) {
PORT_Assert(unknownTag && unknownTag == tagName);
truncateName = PR_TRUE;
nameLen = maxName;
}
encodedAVA = tmpBuf;
}
if (!encodedAVA) {
SECITEM_FreeItem(avaValue, PR_TRUE);
if (unknownTag)
PR_smprintf_free(unknownTag);
return SECFailure;
}
memcpy(encodedAVA, tagName, nameLen);
if (truncateName) {
/* If tag name is too long, we know it is an OID form that was
* allocated from the heap, so we can modify it in place
*/
encodedAVA[nameLen-1] = '.';
encodedAVA[nameLen-2] = '.';
encodedAVA[nameLen-3] = '.';
}
encodedAVA[nameLen++] = '=';
if (unknownTag)
PR_smprintf_free(unknownTag);
encodedAVA[nameLen++] = '=';
if (strict == CERT_N2A_READABLE && maxValue > maxBytes)
maxValue = maxBytes;
if (valueLen > maxValue) {
valueLen = maxValue;
truncateValue = PR_TRUE;
}
/* escape and quote as necessary - don't quote hex strings */
if (useHex) {
memcpy(encodedAVA + nameLen, (char *)avaValue->data, avaValue->len);
encodedAVA[nameLen + avaValue->len] = '\0';
char * end = encodedAVA + nameLen + valueLen;
memcpy(encodedAVA + nameLen, (char *)avaValue->data, valueLen);
end[0] = '\0';
if (truncateValue) {
end[-1] = '.';
end[-2] = '.';
end[-3] = '.';
}
rv = SECSuccess;
} else
} else if (!truncateValue) {
rv = escapeAndQuote(encodedAVA + nameLen, len - nameLen,
(char *)avaValue->data, avaValue->len, &mode);
(char *)avaValue->data, avaValue->len, &mode);
} else {
/* must truncate the escaped and quoted value */
char bigTmpBuf[TMPBUF_LEN * 3 + 3];
rv = escapeAndQuote(bigTmpBuf, sizeof bigTmpBuf,
(char *)avaValue->data, valueLen, &mode);
bigTmpBuf[valueLen--] = '\0'; /* hard stop here */
/* See if we're in the middle of a multi-byte UTF8 character */
while (((bigTmpBuf[valueLen] & 0xc0) == 0x80) && valueLen > 0) {
bigTmpBuf[valueLen--] = '\0';
}
/* add ellipsis to signify truncation. */
bigTmpBuf[++valueLen] = '.';
bigTmpBuf[++valueLen] = '.';
bigTmpBuf[++valueLen] = '.';
if (bigTmpBuf[0] == '"')
bigTmpBuf[++valueLen] = '"';
bigTmpBuf[++valueLen] = '\0';
PORT_Assert(nameLen + valueLen <= (sizeof tmpBuf) - 1);
memcpy(encodedAVA + nameLen, bigTmpBuf, valueLen+1);
}
SECITEM_FreeItem(avaValue, PR_TRUE);
if (rv == SECSuccess)
rv = AppendStr(bufp, encodedAVA);

125
security/nss/lib/certhigh/certvfypkix.c
Просмотреть файл

@ -204,7 +204,7 @@ cert_NssKeyUsagesToPkix(
PKIX_RETURN(CERTVFYPKIX);
}
extern char* ekuOidStrings[];
extern SECOidTag ekuOidStrings[];
enum {
ekuIndexSSLServer = 0,
@ -489,6 +489,7 @@ cert_CreatePkixProcessingParams(
PKIX_RevocationChecker *revChecker = NULL;
PKIX_UInt32 methodFlags = 0;
void *plContext = NULL;
CERTStatusConfig *statusConfig = NULL;
PKIX_ENTER(CERTVFYPKIX, "cert_CreatePkixProcessingParams");
PKIX_NULLCHECK_TWO(cert, pprocParams);
@ -539,6 +540,14 @@ cert_CreatePkixProcessingParams(
certSelector, plContext),
PKIX_PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED);
/* Turn off quialification of target cert since leaf cert is
* already check for date validity, key usages and extended
* key usages. */
PKIX_CHECK(
PKIX_ProcessingParams_SetQualifyTargetCert(procParams, PKIX_FALSE,
plContext),
PKIX_PROCESSINGPARAMSSETQUALIFYTARGETCERTFLAGFAILED);
PKIX_CHECK(
PKIX_PL_Pk11CertStore_Create(&certStore, plContext),
PKIX_PK11CERTSTORECREATEFAILED);
@ -601,34 +610,42 @@ cert_CreatePkixProcessingParams(
0, NULL, PKIX_FALSE, plContext),
PKIX_REVOCATIONCHECKERADDMETHODFAILED);
/* OCSP method flags */
methodFlags =
PKIX_REV_M_TEST_USING_THIS_METHOD |
PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */
PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */
PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */
PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */
PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO;
/* For compatibility with the old code, need to check that
* statusConfig is set in the db handle and status checker
* is defined befor allow ocsp status check on the leaf cert.*/
statusConfig = CERT_GetStatusConfig(CERT_GetDefaultCertDB());
if (statusConfig != NULL && statusConfig->statusChecker != NULL) {
/* Disabling ocsp fetching when checking the status
* of ocsp response signer. Here and in the next if,
* adjust flags for ocsp signer cert validation case. */
if (disableOCSPRemoteFetching) {
methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING;
}
if (ocsp_FetchingFailureIsVerificationFailure()
&& !disableOCSPRemoteFetching) {
methodFlags |=
PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO;
}
/* add OCSP revocation method to check only the leaf certificate.*/
PKIX_CHECK(
PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
/* Enable OCSP revocation checking for the leaf cert. */
/* OCSP method flags */
methodFlags =
PKIX_REV_M_TEST_USING_THIS_METHOD |
PKIX_REV_M_ALLOW_NETWORK_FETCHING | /* 0 */
PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | /* 0 */
PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | /* 0 */
PKIX_REV_M_IGNORE_MISSING_FRESH_INFO | /* 0 */
PKIX_REV_M_CONTINUE_TESTING_ON_FRESH_INFO;
/* Disabling ocsp fetching when checking the status
* of ocsp response signer. Here and in the next if,
* adjust flags for ocsp signer cert validation case. */
if (disableOCSPRemoteFetching) {
methodFlags |= PKIX_REV_M_FORBID_NETWORK_FETCHING;
}
if (ocsp_FetchingFailureIsVerificationFailure()
&& !disableOCSPRemoteFetching) {
methodFlags |=
PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO;
}
/* add OCSP revocation method to check only the leaf certificate.*/
PKIX_CHECK(
PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams,
PKIX_RevocationMethod_OCSP, methodFlags,
1, NULL, PKIX_TRUE, plContext),
PKIX_REVOCATIONCHECKERADDMETHODFAILED);
PKIX_REVOCATIONCHECKERADDMETHODFAILED);
}
PKIX_CHECK(
PKIX_ProcessingParams_SetAnyPolicyInhibited(procParams, PR_FALSE,
@ -1206,7 +1223,15 @@ cert_VerifyCertChainPkix(
int memLeakLoopCount = 0;
int objCountTable[PKIX_NUMTYPES];
int fnInvLocalCount = 0;
PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine;
if (usePKIXValidationEngine) {
/* current memory leak testing implementation does not allow
* to run simultaneous tests one the same or a different threads.
* Setting the variable to false, to make additional chain
* validations be handled by old nss. */
usePKIXValidationEngine = PR_FALSE;
}
testStartFnStackPosition = 2;
fnStackNameArr[0] = "cert_VerifyCertChainPkix";
fnStackInvCountArr[0] = 0;
@ -1320,6 +1345,7 @@ cleanup:
runningLeakTest = PKIX_FALSE;
PR_AtomicDecrement(&parallelFnInvocationCount);
usePKIXValidationEngine = savedUsePkixEngFlag;
#endif /* PKIX_OBJECT_LEAK_TEST */
return rv;
@ -1414,39 +1440,6 @@ cleanup:
return r;
}
/* XXX
* There is no NSS SECItem -> PKIX OID
* conversion function. For now, I go via the ascii
* representation
* this should be in PKIX_PL_*
*/
PKIX_PL_OID *
CERT_PKIXOIDFromNSSOid(SECOidTag tag, void*plContext)
{
char *oidstring = NULL;
char *oidstring_adj = NULL;
PKIX_PL_OID *policyOID = NULL;
SECOidData *data;
data = SECOID_FindOIDByTag(tag);
if (data != NULL) {
oidstring = CERT_GetOidString(&data->oid);
if (oidstring == NULL) {
goto cleanup;
}
oidstring_adj = oidstring;
if (PORT_Strncmp("OID.",oidstring_adj,4) == 0) {
oidstring_adj += 4;
}
PKIX_PL_OID_Create(oidstring_adj, &policyOID, plContext);
}
cleanup:
if (oidstring != NULL) PR_smprintf_free(oidstring);
return policyOID;
}
struct fake_PKIX_PL_CertStruct {
CERTCertificate *nssCert;
@ -1479,8 +1472,8 @@ PKIX_List *cert_PKIXMakeOIDList(const SECOidTag *oids, int oidCount, void *plCon
}
for (i=0; i<oidCount; i++) {
policyOID = CERT_PKIXOIDFromNSSOid(oids[i],plContext);
if (policyOID == NULL) {
error = PKIX_PL_OID_Create(oids[i], &policyOID, plContext);
if (error) {
goto cleanup;
}
error = PKIX_List_AppendItem(policyList,
@ -2061,6 +2054,15 @@ SECStatus CERT_PKIXVerifyCert(
int memLeakLoopCount = 0;
int objCountTable[PKIX_NUMTYPES];
int fnInvLocalCount = 0;
PKIX_Boolean savedUsePkixEngFlag = usePKIXValidationEngine;
if (usePKIXValidationEngine) {
/* current memory leak testing implementation does not allow
* to run simultaneous tests one the same or a different threads.
* Setting the variable to false, to make additional chain
* validations be handled by old nss. */
usePKIXValidationEngine = PR_FALSE;
}
testStartFnStackPosition = 1;
fnStackNameArr[0] = "CERT_PKIXVerifyCert";
fnStackInvCountArr[0] = 0;
@ -2280,6 +2282,7 @@ cleanup:
runningLeakTest = PKIX_FALSE;
PR_AtomicDecrement(&parallelFnInvocationCount);
usePKIXValidationEngine = savedUsePkixEngFlag;
#endif /* PKIX_OBJECT_LEAK_TEST */
return r;

6
security/nss/lib/ckfw/Makefile
Просмотреть файл

@ -41,9 +41,9 @@ include $(CORE_DEPTH)/coreconf/config.mk
include config.mk
include $(CORE_DEPTH)/coreconf/rules.mk
#ifdef MOZILLA_CLIENT
#NSS_BUILD_CAPI = 1
#endif
ifdef MOZILLA_CLIENT
NSS_BUILD_CAPI = 1
endif
# This'll need some help from a build person.

396
security/nss/lib/ckfw/builtins/certdata.c
Просмотреть файл

@ -35,7 +35,7 @@
*
* ***** END LICENSE BLOCK ***** */
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.52 $ $Date: 2009/01/15 22:35:15 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.52 $ $Date: 2009/01/15 22:35:15 $";
static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.53 $ $Date: 2009/04/13 02:40:04 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.53 $ $Date: 2009/04/13 02:40:04 $";
#endif /* DEBUG */
#ifndef BUILTINS_H
@ -816,6 +816,24 @@ static const CK_ATTRIBUTE_TYPE nss_builtins_types_252 [] = {
static const CK_ATTRIBUTE_TYPE nss_builtins_types_253 [] = {
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED
};
static const CK_ATTRIBUTE_TYPE nss_builtins_types_254 [] = {
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERTIFICATE_TYPE, CKA_SUBJECT, CKA_ID, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_VALUE
};
static const CK_ATTRIBUTE_TYPE nss_builtins_types_255 [] = {
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED
};
static const CK_ATTRIBUTE_TYPE nss_builtins_types_256 [] = {
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERTIFICATE_TYPE, CKA_SUBJECT, CKA_ID, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_VALUE
};
static const CK_ATTRIBUTE_TYPE nss_builtins_types_257 [] = {
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED
};
static const CK_ATTRIBUTE_TYPE nss_builtins_types_258 [] = {
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERTIFICATE_TYPE, CKA_SUBJECT, CKA_ID, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_VALUE
};
static const CK_ATTRIBUTE_TYPE nss_builtins_types_259 [] = {
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED
};
#ifdef DEBUG
static const NSSItem nss_builtins_items_0 [] = {
{ (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
@ -824,7 +842,7 @@ static const NSSItem nss_builtins_items_0 [] = {
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"CVS ID", (PRUint32)7 },
{ (void *)"NSS", (PRUint32)4 },
{ (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.52 $ $Date: 2009/01/15 22:35:15 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.52 $ $Date: 2009/01/15 22:35:15 $", (PRUint32)160 }
{ (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.53 $ $Date: 2009/04/13 02:40:04 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.53 $ $Date: 2009/04/13 02:40:04 $", (PRUint32)160 }
};
#endif /* DEBUG */
static const NSSItem nss_builtins_items_1 [] = {
@ -17101,6 +17119,368 @@ static const NSSItem nss_builtins_items_253 [] = {
{ (void *)&ckt_netscape_untrusted, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
};
static const NSSItem nss_builtins_items_254 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"IGC/A", (PRUint32)6 },
{ (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
{ (void *)"\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122"
"\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143"
"\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151"
"\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123"
"\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103"
"\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107"
"\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001"
"\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155"
"\056\147\157\165\166\056\146\162"
, (PRUint32)136 },
{ (void *)"0", (PRUint32)2 },
{ (void *)"\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122"
"\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143"
"\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151"
"\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123"
"\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103"
"\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107"
"\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001"
"\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155"
"\056\147\157\165\166\056\146\162"
, (PRUint32)136 },
{ (void *)"\002\005\071\021\105\020\224"
, (PRUint32)7 },
{ (void *)"\060\202\004\002\060\202\002\352\240\003\002\001\002\002\005\071"
"\021\105\020\224\060\015\006\011\052\206\110\206\367\015\001\001"
"\005\005\000\060\201\205\061\013\060\011\006\003\125\004\006\023"
"\002\106\122\061\017\060\015\006\003\125\004\010\023\006\106\162"
"\141\156\143\145\061\016\060\014\006\003\125\004\007\023\005\120"
"\141\162\151\163\061\020\060\016\006\003\125\004\012\023\007\120"
"\115\057\123\107\104\116\061\016\060\014\006\003\125\004\013\023"
"\005\104\103\123\123\111\061\016\060\014\006\003\125\004\003\023"
"\005\111\107\103\057\101\061\043\060\041\006\011\052\206\110\206"
"\367\015\001\011\001\026\024\151\147\143\141\100\163\147\144\156"
"\056\160\155\056\147\157\165\166\056\146\162\060\036\027\015\060"
"\062\061\062\061\063\061\064\062\071\062\063\132\027\015\062\060"
"\061\060\061\067\061\064\062\071\062\062\132\060\201\205\061\013"
"\060\011\006\003\125\004\006\023\002\106\122\061\017\060\015\006"
"\003\125\004\010\023\006\106\162\141\156\143\145\061\016\060\014"
"\006\003\125\004\007\023\005\120\141\162\151\163\061\020\060\016"
"\006\003\125\004\012\023\007\120\115\057\123\107\104\116\061\016"
"\060\014\006\003\125\004\013\023\005\104\103\123\123\111\061\016"
"\060\014\006\003\125\004\003\023\005\111\107\103\057\101\061\043"
"\060\041\006\011\052\206\110\206\367\015\001\011\001\026\024\151"
"\147\143\141\100\163\147\144\156\056\160\155\056\147\157\165\166"
"\056\146\162\060\202\001\042\060\015\006\011\052\206\110\206\367"
"\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002"
"\202\001\001\000\262\037\321\320\142\305\063\073\300\004\206\210"
"\263\334\370\210\367\375\337\103\337\172\215\232\111\134\366\116"
"\252\314\034\271\241\353\047\211\362\106\351\073\112\161\325\035"
"\216\055\317\346\255\253\143\120\307\124\013\156\022\311\220\066"
"\306\330\057\332\221\252\150\305\162\376\027\012\262\027\176\171"
"\265\062\210\160\312\160\300\226\112\216\344\125\315\035\047\224"
"\277\316\162\052\354\134\371\163\040\376\275\367\056\211\147\270"
"\273\107\163\022\367\321\065\151\072\362\012\271\256\377\106\102"
"\106\242\277\241\205\032\371\277\344\377\111\205\367\243\160\206"
"\062\034\135\237\140\367\251\255\245\377\317\321\064\371\175\133"
"\027\306\334\326\016\050\153\302\335\361\365\063\150\235\116\374"
"\207\174\066\022\326\243\200\350\103\015\125\141\224\352\144\067"
"\107\352\167\312\320\262\130\005\303\135\176\261\250\106\220\061"
"\126\316\160\052\226\262\060\270\167\346\171\300\275\051\073\375"
"\224\167\114\275\040\315\101\045\340\056\307\033\273\356\244\004"
"\101\322\135\255\022\152\212\233\107\373\311\335\106\100\341\235"
"\074\063\320\265\002\003\001\000\001\243\167\060\165\060\017\006"
"\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\013"
"\006\003\125\035\017\004\004\003\002\001\106\060\025\006\003\125"
"\035\040\004\016\060\014\060\012\006\010\052\201\172\001\171\001"
"\001\001\060\035\006\003\125\035\016\004\026\004\024\243\005\057"
"\030\140\120\302\211\012\335\053\041\117\377\216\116\250\060\061"
"\066\060\037\006\003\125\035\043\004\030\060\026\200\024\243\005"
"\057\030\140\120\302\211\012\335\053\041\117\377\216\116\250\060"
"\061\066\060\015\006\011\052\206\110\206\367\015\001\001\005\005"
"\000\003\202\001\001\000\005\334\046\330\372\167\025\104\150\374"
"\057\146\072\164\340\135\344\051\377\006\007\023\204\112\253\317"
"\155\240\037\121\224\370\111\313\164\066\024\274\025\335\333\211"
"\057\335\217\240\135\174\365\022\353\237\236\070\244\107\314\263"
"\226\331\276\234\045\253\003\176\063\017\225\201\015\375\026\340"
"\210\276\067\360\154\135\320\061\233\062\053\135\027\145\223\230"
"\140\274\156\217\261\250\074\036\331\034\363\251\046\102\371\144"
"\035\302\347\222\366\364\036\132\252\031\122\135\257\350\242\367"
"\140\240\366\215\360\211\365\156\340\012\005\001\225\311\213\040"
"\012\272\132\374\232\054\074\275\303\267\311\135\170\045\005\077"
"\126\024\233\014\332\373\072\110\376\227\151\136\312\020\206\367"
"\116\226\004\010\115\354\260\276\135\334\073\216\117\301\375\232"
"\066\064\232\114\124\176\027\003\110\225\010\021\034\007\157\205"
"\010\176\135\115\304\235\333\373\256\316\262\321\263\270\203\154"
"\035\262\263\171\361\330\160\231\176\360\023\002\316\136\335\121"
"\323\337\066\201\241\033\170\057\161\263\361\131\114\106\030\050"
"\253\205\322\140\126\132"
, (PRUint32)1030 }
};
static const NSSItem nss_builtins_items_255 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"IGC/A", (PRUint32)6 },
{ (void *)"\140\326\211\164\265\302\145\236\212\017\301\210\174\210\322\106"
"\151\033\030\054"
, (PRUint32)20 },
{ (void *)"\014\177\335\152\364\052\271\310\233\275\040\176\251\333\134\067"
, (PRUint32)16 },
{ (void *)"\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122"
"\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143"
"\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151"
"\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123"
"\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103"
"\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107"
"\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001"
"\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155"
"\056\147\157\165\166\056\146\162"
, (PRUint32)136 },
{ (void *)"\002\005\071\021\105\020\224"
, (PRUint32)7 },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
};
static const NSSItem nss_builtins_items_256 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"Security Communication EV RootCA1", (PRUint32)34 },
{ (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
{ (void *)"\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061"
"\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040"
"\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117"
"\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023"
"\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156"
"\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103"
"\101\061"
, (PRUint32)98 },
{ (void *)"0", (PRUint32)2 },
{ (void *)"\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061"
"\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040"
"\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117"
"\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023"
"\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156"
"\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103"
"\101\061"
, (PRUint32)98 },
{ (void *)"\002\001\000"
, (PRUint32)3 },
{ (void *)"\060\202\003\175\060\202\002\145\240\003\002\001\002\002\001\000"
"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
"\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061\045"
"\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040\124"
"\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117\056"
"\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023\041"
"\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156\151"
"\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103\101"
"\061\060\036\027\015\060\067\060\066\060\066\060\062\061\062\063"
"\062\132\027\015\063\067\060\066\060\066\060\062\061\062\063\062"
"\132\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120"
"\061\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115"
"\040\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103"
"\117\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013"
"\023\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165"
"\156\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164"
"\103\101\061\060\202\001\042\060\015\006\011\052\206\110\206\367"
"\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002"
"\202\001\001\000\274\177\354\127\233\044\340\376\234\272\102\171"
"\251\210\212\372\200\340\365\007\051\103\352\216\012\064\066\215"
"\034\372\247\265\071\170\377\227\165\367\057\344\252\153\004\204"
"\104\312\246\342\150\216\375\125\120\142\017\244\161\016\316\007"
"\070\055\102\205\120\255\074\226\157\213\325\242\016\317\336\111"
"\211\075\326\144\056\070\345\036\154\265\127\212\236\357\110\016"
"\315\172\151\026\207\104\265\220\344\006\235\256\241\004\227\130"
"\171\357\040\112\202\153\214\042\277\354\037\017\351\204\161\355"
"\361\016\344\270\030\023\314\126\066\135\321\232\036\121\153\071"
"\156\140\166\210\064\013\363\263\321\260\235\312\141\342\144\035"
"\301\106\007\270\143\335\036\063\145\263\216\011\125\122\075\265"
"\275\377\007\353\255\141\125\030\054\251\151\230\112\252\100\305"
"\063\024\145\164\000\371\221\336\257\003\110\305\100\124\334\017"
"\204\220\150\040\305\222\226\334\056\345\002\105\252\300\137\124"
"\370\155\352\111\317\135\154\113\257\357\232\302\126\134\306\065"
"\126\102\152\060\137\302\253\366\342\075\077\263\311\021\217\061"
"\114\327\237\111\002\003\001\000\001\243\102\060\100\060\035\006"
"\003\125\035\016\004\026\004\024\065\112\365\115\257\077\327\202"
"\070\254\253\161\145\027\165\214\235\125\223\346\060\016\006\003"
"\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003"
"\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006"
"\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001"
"\000\250\207\351\354\370\100\147\135\303\301\146\307\100\113\227"
"\374\207\023\220\132\304\357\240\312\137\213\267\247\267\361\326"
"\265\144\267\212\263\270\033\314\332\373\254\146\210\101\316\350"
"\374\344\333\036\210\246\355\047\120\033\002\060\044\106\171\376"
"\004\207\160\227\100\163\321\300\301\127\031\232\151\245\047\231"
"\253\235\142\204\366\121\301\054\311\043\025\330\050\267\253\045"
"\023\265\106\341\206\002\377\046\214\304\210\222\035\126\376\031"
"\147\362\125\344\200\243\153\234\253\167\341\121\161\015\040\333"
"\020\232\333\275\166\171\007\167\231\050\255\232\136\332\261\117"
"\104\054\065\216\245\226\307\375\203\360\130\306\171\326\230\174"
"\250\215\376\206\076\007\026\222\341\173\347\035\354\063\166\176"
"\102\056\112\205\371\221\211\150\204\003\201\245\233\232\276\343"
"\067\305\124\253\126\073\030\055\101\244\014\370\102\333\231\240"
"\340\162\157\273\135\341\026\117\123\012\144\371\116\364\277\116"
"\124\275\170\154\210\352\277\234\023\044\302\160\151\242\177\017"
"\310\074\255\010\311\260\230\100\243\052\347\210\203\355\167\217"
"\164"
, (PRUint32)897 }
};
static const NSSItem nss_builtins_items_257 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"Security Communication EV RootCA1", (PRUint32)34 },
{ (void *)"\376\270\304\062\334\371\166\232\316\256\075\330\220\217\375\050"
"\206\145\144\175"
, (PRUint32)20 },
{ (void *)"\042\055\246\001\352\174\012\367\360\154\126\103\077\167\166\323"
, (PRUint32)16 },
{ (void *)"\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061"
"\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040"
"\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117"
"\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023"
"\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156"
"\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103"
"\101\061"
, (PRUint32)98 },
{ (void *)"\002\001\000"
, (PRUint32)3 },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
};
static const NSSItem nss_builtins_items_258 [] = {
{ (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"OISTE WISeKey Global Root GA CA", (PRUint32)32 },
{ (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
{ (void *)"\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\110"
"\061\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113"
"\145\171\061\033\060\031\006\003\125\004\013\023\022\103\157\160"
"\171\162\151\147\150\164\040\050\143\051\040\062\060\060\065\061"
"\042\060\040\006\003\125\004\013\023\031\117\111\123\124\105\040"
"\106\157\165\156\144\141\164\151\157\156\040\105\156\144\157\162"
"\163\145\144\061\050\060\046\006\003\125\004\003\023\037\117\111"
"\123\124\105\040\127\111\123\145\113\145\171\040\107\154\157\142"
"\141\154\040\122\157\157\164\040\107\101\040\103\101"
, (PRUint32)141 },
{ (void *)"0", (PRUint32)2 },
{ (void *)"\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\110"
"\061\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113"
"\145\171\061\033\060\031\006\003\125\004\013\023\022\103\157\160"
"\171\162\151\147\150\164\040\050\143\051\040\062\060\060\065\061"
"\042\060\040\006\003\125\004\013\023\031\117\111\123\124\105\040"
"\106\157\165\156\144\141\164\151\157\156\040\105\156\144\157\162"
"\163\145\144\061\050\060\046\006\003\125\004\003\023\037\117\111"
"\123\124\105\040\127\111\123\145\113\145\171\040\107\154\157\142"
"\141\154\040\122\157\157\164\040\107\101\040\103\101"
, (PRUint32)141 },
{ (void *)"\002\020\101\075\162\307\364\153\037\201\103\175\361\322\050\124"
"\337\232"
, (PRUint32)18 },
{ (void *)"\060\202\003\361\060\202\002\331\240\003\002\001\002\002\020\101"
"\075\162\307\364\153\037\201\103\175\361\322\050\124\337\232\060"
"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201"
"\212\061\013\060\011\006\003\125\004\006\023\002\103\110\061\020"
"\060\016\006\003\125\004\012\023\007\127\111\123\145\113\145\171"
"\061\033\060\031\006\003\125\004\013\023\022\103\157\160\171\162"
"\151\147\150\164\040\050\143\051\040\062\060\060\065\061\042\060"
"\040\006\003\125\004\013\023\031\117\111\123\124\105\040\106\157"
"\165\156\144\141\164\151\157\156\040\105\156\144\157\162\163\145"
"\144\061\050\060\046\006\003\125\004\003\023\037\117\111\123\124"
"\105\040\127\111\123\145\113\145\171\040\107\154\157\142\141\154"
"\040\122\157\157\164\040\107\101\040\103\101\060\036\027\015\060"
"\065\061\062\061\061\061\066\060\063\064\064\132\027\015\063\067"
"\061\062\061\061\061\066\060\071\065\061\132\060\201\212\061\013"
"\060\011\006\003\125\004\006\023\002\103\110\061\020\060\016\006"
"\003\125\004\012\023\007\127\111\123\145\113\145\171\061\033\060"
"\031\006\003\125\004\013\023\022\103\157\160\171\162\151\147\150"
"\164\040\050\143\051\040\062\060\060\065\061\042\060\040\006\003"
"\125\004\013\023\031\117\111\123\124\105\040\106\157\165\156\144"
"\141\164\151\157\156\040\105\156\144\157\162\163\145\144\061\050"
"\060\046\006\003\125\004\003\023\037\117\111\123\124\105\040\127"
"\111\123\145\113\145\171\040\107\154\157\142\141\154\040\122\157"
"\157\164\040\107\101\040\103\101\060\202\001\042\060\015\006\011"
"\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000"
"\060\202\001\012\002\202\001\001\000\313\117\263\000\233\075\066"
"\335\371\321\111\152\153\020\111\037\354\330\053\262\306\370\062"
"\201\051\103\225\114\232\031\043\041\025\105\336\343\310\034\121"
"\125\133\256\223\350\067\377\053\153\351\324\352\276\052\335\250"
"\121\053\327\146\303\141\134\140\002\310\365\316\162\173\073\270"
"\362\116\145\010\232\315\244\152\031\301\001\273\163\246\327\366"
"\303\335\315\274\244\213\265\231\141\270\001\242\243\324\115\324"
"\005\075\221\255\370\264\010\161\144\257\160\361\034\153\176\366"
"\303\167\235\044\163\173\344\014\214\341\331\066\341\231\213\005"
"\231\013\355\105\061\011\312\302\000\333\367\162\240\226\252\225"
"\207\320\216\307\266\141\163\015\166\146\214\334\033\264\143\242"
"\237\177\223\023\060\361\241\047\333\331\377\054\125\210\221\240"
"\340\117\007\260\050\126\214\030\033\227\104\216\211\335\340\027"
"\156\347\052\357\217\071\012\061\204\202\330\100\024\111\056\172"
"\101\344\247\376\343\144\314\301\131\161\113\054\041\247\133\175"
"\340\035\321\056\201\233\303\330\150\367\275\226\033\254\160\261"
"\026\024\013\333\140\271\046\001\005\002\003\001\000\001\243\121"
"\060\117\060\013\006\003\125\035\017\004\004\003\002\001\206\060"
"\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377"
"\060\035\006\003\125\035\016\004\026\004\024\263\003\176\256\066"
"\274\260\171\321\334\224\046\266\021\276\041\262\151\206\224\060"
"\020\006\011\053\006\001\004\001\202\067\025\001\004\003\002\001"
"\000\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
"\003\202\001\001\000\113\241\377\013\207\156\263\371\301\103\261"
"\110\363\050\300\035\056\311\011\101\372\224\000\034\244\244\253"
"\111\117\217\075\036\357\115\157\275\274\244\366\362\046\060\311"
"\020\312\035\210\373\164\031\037\205\105\275\260\154\121\371\066"
"\176\333\365\114\062\072\101\117\133\107\317\350\013\055\266\304"
"\031\235\164\305\107\306\073\152\017\254\024\333\074\364\163\234"
"\251\005\337\000\334\164\170\372\370\065\140\131\002\023\030\174"
"\274\373\115\260\040\155\103\273\140\060\172\147\063\134\305\231"
"\321\370\055\071\122\163\373\214\252\227\045\134\162\331\010\036"
"\253\116\074\343\201\061\237\003\246\373\300\376\051\210\125\332"
"\204\325\120\003\266\342\204\243\246\066\252\021\072\001\341\030"
"\113\326\104\150\263\075\371\123\164\204\263\106\221\106\226\000"
"\267\200\054\266\341\343\020\342\333\242\347\050\217\001\226\142"
"\026\076\000\343\034\245\066\201\030\242\114\122\166\300\021\243"
"\156\346\035\272\343\132\276\066\123\305\076\165\217\206\151\051"
"\130\123\265\234\273\157\237\134\305\030\354\335\057\341\230\311"
"\374\276\337\012\015"
, (PRUint32)1013 }
};
static const NSSItem nss_builtins_items_259 [] = {
{ (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"OISTE WISeKey Global Root GA CA", (PRUint32)32 },
{ (void *)"\131\042\241\341\132\352\026\065\041\370\230\071\152\106\106\260"
"\104\033\017\251"
, (PRUint32)20 },
{ (void *)"\274\154\121\063\247\351\323\146\143\124\025\162\033\041\222\223"
, (PRUint32)16 },
{ (void *)"\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\110"
"\061\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113"
"\145\171\061\033\060\031\006\003\125\004\013\023\022\103\157\160"
"\171\162\151\147\150\164\040\050\143\051\040\062\060\060\065\061"
"\042\060\040\006\003\125\004\013\023\031\117\111\123\124\105\040"
"\106\157\165\156\144\141\164\151\157\156\040\105\156\144\157\162"
"\163\145\144\061\050\060\046\006\003\125\004\003\023\037\117\111"
"\123\124\105\040\127\111\123\145\113\145\171\040\107\154\157\142"
"\141\154\040\122\157\157\164\040\107\101\040\103\101"
, (PRUint32)141 },
{ (void *)"\002\020\101\075\162\307\364\153\037\201\103\175\361\322\050\124"
"\337\232"
, (PRUint32)18 },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ckt_netscape_trust_unknown, (PRUint32)sizeof(CK_TRUST) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
};
builtinsInternalObject
nss_builtins_data[] = {
@ -17359,11 +17739,17 @@ nss_builtins_data[] = {
{ 11, nss_builtins_types_250, nss_builtins_items_250, {NULL} },
{ 13, nss_builtins_types_251, nss_builtins_items_251, {NULL} },
{ 11, nss_builtins_types_252, nss_builtins_items_252, {NULL} },
{ 13, nss_builtins_types_253, nss_builtins_items_253, {NULL} }
{ 13, nss_builtins_types_253, nss_builtins_items_253, {NULL} },
{ 11, nss_builtins_types_254, nss_builtins_items_254, {NULL} },
{ 13, nss_builtins_types_255, nss_builtins_items_255, {NULL} },
{ 11, nss_builtins_types_256, nss_builtins_items_256, {NULL} },
{ 13, nss_builtins_types_257, nss_builtins_items_257, {NULL} },
{ 11, nss_builtins_types_258, nss_builtins_items_258, {NULL} },
{ 13, nss_builtins_types_259, nss_builtins_items_259, {NULL} }
};
const PRUint32
#ifdef DEBUG
nss_builtins_nObjects = 253+1;
nss_builtins_nObjects = 259+1;
#else
nss_builtins_nObjects = 253;
nss_builtins_nObjects = 259;
#endif /* DEBUG */

394
security/nss/lib/ckfw/builtins/certdata.txt
Просмотреть файл

@ -34,7 +34,7 @@
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.51 $ $Date: 2009/01/15 22:35:15 $"
CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.52 $ $Date: 2009/04/13 02:40:06 $"
#
# certdata.txt
@ -17628,3 +17628,395 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_UNTRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_UNTRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_UNTRUSTED
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "IGC/A"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "IGC/A"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122
\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143
\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151
\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123
\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103
\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107
\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001
\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155
\056\147\157\165\166\056\146\162
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122
\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143
\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151
\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123
\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103
\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107
\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001
\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155
\056\147\157\165\166\056\146\162
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\005\071\021\105\020\224
END
CKA_VALUE MULTILINE_OCTAL
\060\202\004\002\060\202\002\352\240\003\002\001\002\002\005\071
\021\105\020\224\060\015\006\011\052\206\110\206\367\015\001\001
\005\005\000\060\201\205\061\013\060\011\006\003\125\004\006\023
\002\106\122\061\017\060\015\006\003\125\004\010\023\006\106\162
\141\156\143\145\061\016\060\014\006\003\125\004\007\023\005\120
\141\162\151\163\061\020\060\016\006\003\125\004\012\023\007\120
\115\057\123\107\104\116\061\016\060\014\006\003\125\004\013\023
\005\104\103\123\123\111\061\016\060\014\006\003\125\004\003\023
\005\111\107\103\057\101\061\043\060\041\006\011\052\206\110\206
\367\015\001\011\001\026\024\151\147\143\141\100\163\147\144\156
\056\160\155\056\147\157\165\166\056\146\162\060\036\027\015\060
\062\061\062\061\063\061\064\062\071\062\063\132\027\015\062\060
\061\060\061\067\061\064\062\071\062\062\132\060\201\205\061\013
\060\011\006\003\125\004\006\023\002\106\122\061\017\060\015\006
\003\125\004\010\023\006\106\162\141\156\143\145\061\016\060\014
\006\003\125\004\007\023\005\120\141\162\151\163\061\020\060\016
\006\003\125\004\012\023\007\120\115\057\123\107\104\116\061\016
\060\014\006\003\125\004\013\023\005\104\103\123\123\111\061\016
\060\014\006\003\125\004\003\023\005\111\107\103\057\101\061\043
\060\041\006\011\052\206\110\206\367\015\001\011\001\026\024\151
\147\143\141\100\163\147\144\156\056\160\155\056\147\157\165\166
\056\146\162\060\202\001\042\060\015\006\011\052\206\110\206\367
\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
\202\001\001\000\262\037\321\320\142\305\063\073\300\004\206\210
\263\334\370\210\367\375\337\103\337\172\215\232\111\134\366\116
\252\314\034\271\241\353\047\211\362\106\351\073\112\161\325\035
\216\055\317\346\255\253\143\120\307\124\013\156\022\311\220\066
\306\330\057\332\221\252\150\305\162\376\027\012\262\027\176\171
\265\062\210\160\312\160\300\226\112\216\344\125\315\035\047\224
\277\316\162\052\354\134\371\163\040\376\275\367\056\211\147\270
\273\107\163\022\367\321\065\151\072\362\012\271\256\377\106\102
\106\242\277\241\205\032\371\277\344\377\111\205\367\243\160\206
\062\034\135\237\140\367\251\255\245\377\317\321\064\371\175\133
\027\306\334\326\016\050\153\302\335\361\365\063\150\235\116\374
\207\174\066\022\326\243\200\350\103\015\125\141\224\352\144\067
\107\352\167\312\320\262\130\005\303\135\176\261\250\106\220\061
\126\316\160\052\226\262\060\270\167\346\171\300\275\051\073\375
\224\167\114\275\040\315\101\045\340\056\307\033\273\356\244\004
\101\322\135\255\022\152\212\233\107\373\311\335\106\100\341\235
\074\063\320\265\002\003\001\000\001\243\167\060\165\060\017\006
\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\013
\006\003\125\035\017\004\004\003\002\001\106\060\025\006\003\125
\035\040\004\016\060\014\060\012\006\010\052\201\172\001\171\001
\001\001\060\035\006\003\125\035\016\004\026\004\024\243\005\057
\030\140\120\302\211\012\335\053\041\117\377\216\116\250\060\061
\066\060\037\006\003\125\035\043\004\030\060\026\200\024\243\005
\057\030\140\120\302\211\012\335\053\041\117\377\216\116\250\060
\061\066\060\015\006\011\052\206\110\206\367\015\001\001\005\005
\000\003\202\001\001\000\005\334\046\330\372\167\025\104\150\374
\057\146\072\164\340\135\344\051\377\006\007\023\204\112\253\317
\155\240\037\121\224\370\111\313\164\066\024\274\025\335\333\211
\057\335\217\240\135\174\365\022\353\237\236\070\244\107\314\263
\226\331\276\234\045\253\003\176\063\017\225\201\015\375\026\340
\210\276\067\360\154\135\320\061\233\062\053\135\027\145\223\230
\140\274\156\217\261\250\074\036\331\034\363\251\046\102\371\144
\035\302\347\222\366\364\036\132\252\031\122\135\257\350\242\367
\140\240\366\215\360\211\365\156\340\012\005\001\225\311\213\040
\012\272\132\374\232\054\074\275\303\267\311\135\170\045\005\077
\126\024\233\014\332\373\072\110\376\227\151\136\312\020\206\367
\116\226\004\010\115\354\260\276\135\334\073\216\117\301\375\232
\066\064\232\114\124\176\027\003\110\225\010\021\034\007\157\205
\010\176\135\115\304\235\333\373\256\316\262\321\263\270\203\154
\035\262\263\171\361\330\160\231\176\360\023\002\316\136\335\121
\323\337\066\201\241\033\170\057\161\263\361\131\114\106\030\050
\253\205\322\140\126\132
END
# Trust for Certificate "IGC/A"
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "IGC/A"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\140\326\211\164\265\302\145\236\212\017\301\210\174\210\322\106
\151\033\030\054
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\014\177\335\152\364\052\271\310\233\275\040\176\251\333\134\067
END
CKA_ISSUER MULTILINE_OCTAL
\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122
\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143
\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151
\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123
\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103
\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107
\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001
\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155
\056\147\157\165\166\056\146\162
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\005\071\021\105\020\224
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Security Communication EV RootCA1"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Security Communication EV RootCA1"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061
\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023
\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103
\101\061
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061
\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023
\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103
\101\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\000
END
CKA_VALUE MULTILINE_OCTAL
\060\202\003\175\060\202\002\145\240\003\002\001\002\002\001\000
\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061\045
\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040\124
\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117\056
\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023\041
\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156\151
\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103\101
\061\060\036\027\015\060\067\060\066\060\066\060\062\061\062\063
\062\132\027\015\063\067\060\066\060\066\060\062\061\062\063\062
\132\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120
\061\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115
\040\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103
\117\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013
\023\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165
\156\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164
\103\101\061\060\202\001\042\060\015\006\011\052\206\110\206\367
\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
\202\001\001\000\274\177\354\127\233\044\340\376\234\272\102\171
\251\210\212\372\200\340\365\007\051\103\352\216\012\064\066\215
\034\372\247\265\071\170\377\227\165\367\057\344\252\153\004\204
\104\312\246\342\150\216\375\125\120\142\017\244\161\016\316\007
\070\055\102\205\120\255\074\226\157\213\325\242\016\317\336\111
\211\075\326\144\056\070\345\036\154\265\127\212\236\357\110\016
\315\172\151\026\207\104\265\220\344\006\235\256\241\004\227\130
\171\357\040\112\202\153\214\042\277\354\037\017\351\204\161\355
\361\016\344\270\030\023\314\126\066\135\321\232\036\121\153\071
\156\140\166\210\064\013\363\263\321\260\235\312\141\342\144\035
\301\106\007\270\143\335\036\063\145\263\216\011\125\122\075\265
\275\377\007\353\255\141\125\030\054\251\151\230\112\252\100\305
\063\024\145\164\000\371\221\336\257\003\110\305\100\124\334\017
\204\220\150\040\305\222\226\334\056\345\002\105\252\300\137\124
\370\155\352\111\317\135\154\113\257\357\232\302\126\134\306\065
\126\102\152\060\137\302\253\366\342\075\077\263\311\021\217\061
\114\327\237\111\002\003\001\000\001\243\102\060\100\060\035\006
\003\125\035\016\004\026\004\024\065\112\365\115\257\077\327\202
\070\254\253\161\145\027\165\214\235\125\223\346\060\016\006\003
\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006
\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
\000\250\207\351\354\370\100\147\135\303\301\146\307\100\113\227
\374\207\023\220\132\304\357\240\312\137\213\267\247\267\361\326
\265\144\267\212\263\270\033\314\332\373\254\146\210\101\316\350
\374\344\333\036\210\246\355\047\120\033\002\060\044\106\171\376
\004\207\160\227\100\163\321\300\301\127\031\232\151\245\047\231
\253\235\142\204\366\121\301\054\311\043\025\330\050\267\253\045
\023\265\106\341\206\002\377\046\214\304\210\222\035\126\376\031
\147\362\125\344\200\243\153\234\253\167\341\121\161\015\040\333
\020\232\333\275\166\171\007\167\231\050\255\232\136\332\261\117
\104\054\065\216\245\226\307\375\203\360\130\306\171\326\230\174
\250\215\376\206\076\007\026\222\341\173\347\035\354\063\166\176
\102\056\112\205\371\221\211\150\204\003\201\245\233\232\276\343
\067\305\124\253\126\073\030\055\101\244\014\370\102\333\231\240
\340\162\157\273\135\341\026\117\123\012\144\371\116\364\277\116
\124\275\170\154\210\352\277\234\023\044\302\160\151\242\177\017
\310\074\255\010\311\260\230\100\243\052\347\210\203\355\167\217
\164
END
# Trust for Certificate "Security Communication EV RootCA1"
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Security Communication EV RootCA1"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\376\270\304\062\334\371\166\232\316\256\075\330\220\217\375\050
\206\145\144\175
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\042\055\246\001\352\174\012\367\360\154\126\103\077\167\166\323
END
CKA_ISSUER MULTILINE_OCTAL
\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061
\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023
\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103
\101\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\000
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "OISTE WISeKey Global Root GA CA"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "OISTE WISeKey Global Root GA CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\110
\061\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113
\145\171\061\033\060\031\006\003\125\004\013\023\022\103\157\160
\171\162\151\147\150\164\040\050\143\051\040\062\060\060\065\061
\042\060\040\006\003\125\004\013\023\031\117\111\123\124\105\040
\106\157\165\156\144\141\164\151\157\156\040\105\156\144\157\162
\163\145\144\061\050\060\046\006\003\125\004\003\023\037\117\111
\123\124\105\040\127\111\123\145\113\145\171\040\107\154\157\142
\141\154\040\122\157\157\164\040\107\101\040\103\101
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\110
\061\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113
\145\171\061\033\060\031\006\003\125\004\013\023\022\103\157\160
\171\162\151\147\150\164\040\050\143\051\040\062\060\060\065\061
\042\060\040\006\003\125\004\013\023\031\117\111\123\124\105\040
\106\157\165\156\144\141\164\151\157\156\040\105\156\144\157\162
\163\145\144\061\050\060\046\006\003\125\004\003\023\037\117\111
\123\124\105\040\127\111\123\145\113\145\171\040\107\154\157\142
\141\154\040\122\157\157\164\040\107\101\040\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\020\101\075\162\307\364\153\037\201\103\175\361\322\050\124
\337\232
END
CKA_VALUE MULTILINE_OCTAL
\060\202\003\361\060\202\002\331\240\003\002\001\002\002\020\101
\075\162\307\364\153\037\201\103\175\361\322\050\124\337\232\060
\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
\212\061\013\060\011\006\003\125\004\006\023\002\103\110\061\020
\060\016\006\003\125\004\012\023\007\127\111\123\145\113\145\171
\061\033\060\031\006\003\125\004\013\023\022\103\157\160\171\162
\151\147\150\164\040\050\143\051\040\062\060\060\065\061\042\060
\040\006\003\125\004\013\023\031\117\111\123\124\105\040\106\157
\165\156\144\141\164\151\157\156\040\105\156\144\157\162\163\145
\144\061\050\060\046\006\003\125\004\003\023\037\117\111\123\124
\105\040\127\111\123\145\113\145\171\040\107\154\157\142\141\154
\040\122\157\157\164\040\107\101\040\103\101\060\036\027\015\060
\065\061\062\061\061\061\066\060\063\064\064\132\027\015\063\067
\061\062\061\061\061\066\060\071\065\061\132\060\201\212\061\013
\060\011\006\003\125\004\006\023\002\103\110\061\020\060\016\006
\003\125\004\012\023\007\127\111\123\145\113\145\171\061\033\060
\031\006\003\125\004\013\023\022\103\157\160\171\162\151\147\150
\164\040\050\143\051\040\062\060\060\065\061\042\060\040\006\003
\125\004\013\023\031\117\111\123\124\105\040\106\157\165\156\144
\141\164\151\157\156\040\105\156\144\157\162\163\145\144\061\050
\060\046\006\003\125\004\003\023\037\117\111\123\124\105\040\127
\111\123\145\113\145\171\040\107\154\157\142\141\154\040\122\157
\157\164\040\107\101\040\103\101\060\202\001\042\060\015\006\011
\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000
\060\202\001\012\002\202\001\001\000\313\117\263\000\233\075\066
\335\371\321\111\152\153\020\111\037\354\330\053\262\306\370\062
\201\051\103\225\114\232\031\043\041\025\105\336\343\310\034\121
\125\133\256\223\350\067\377\053\153\351\324\352\276\052\335\250
\121\053\327\146\303\141\134\140\002\310\365\316\162\173\073\270
\362\116\145\010\232\315\244\152\031\301\001\273\163\246\327\366
\303\335\315\274\244\213\265\231\141\270\001\242\243\324\115\324
\005\075\221\255\370\264\010\161\144\257\160\361\034\153\176\366
\303\167\235\044\163\173\344\014\214\341\331\066\341\231\213\005
\231\013\355\105\061\011\312\302\000\333\367\162\240\226\252\225
\207\320\216\307\266\141\163\015\166\146\214\334\033\264\143\242
\237\177\223\023\060\361\241\047\333\331\377\054\125\210\221\240
\340\117\007\260\050\126\214\030\033\227\104\216\211\335\340\027
\156\347\052\357\217\071\012\061\204\202\330\100\024\111\056\172
\101\344\247\376\343\144\314\301\131\161\113\054\041\247\133\175
\340\035\321\056\201\233\303\330\150\367\275\226\033\254\160\261
\026\024\013\333\140\271\046\001\005\002\003\001\000\001\243\121
\060\117\060\013\006\003\125\035\017\004\004\003\002\001\206\060
\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377
\060\035\006\003\125\035\016\004\026\004\024\263\003\176\256\066
\274\260\171\321\334\224\046\266\021\276\041\262\151\206\224\060
\020\006\011\053\006\001\004\001\202\067\025\001\004\003\002\001
\000\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
\003\202\001\001\000\113\241\377\013\207\156\263\371\301\103\261
\110\363\050\300\035\056\311\011\101\372\224\000\034\244\244\253
\111\117\217\075\036\357\115\157\275\274\244\366\362\046\060\311
\020\312\035\210\373\164\031\037\205\105\275\260\154\121\371\066
\176\333\365\114\062\072\101\117\133\107\317\350\013\055\266\304
\031\235\164\305\107\306\073\152\017\254\024\333\074\364\163\234
\251\005\337\000\334\164\170\372\370\065\140\131\002\023\030\174
\274\373\115\260\040\155\103\273\140\060\172\147\063\134\305\231
\321\370\055\071\122\163\373\214\252\227\045\134\162\331\010\036
\253\116\074\343\201\061\237\003\246\373\300\376\051\210\125\332
\204\325\120\003\266\342\204\243\246\066\252\021\072\001\341\030
\113\326\104\150\263\075\371\123\164\204\263\106\221\106\226\000
\267\200\054\266\341\343\020\342\333\242\347\050\217\001\226\142
\026\076\000\343\034\245\066\201\030\242\114\122\166\300\021\243
\156\346\035\272\343\132\276\066\123\305\076\165\217\206\151\051
\130\123\265\234\273\157\237\134\305\030\354\335\057\341\230\311
\374\276\337\012\015
END
# Trust for Certificate "OISTE WISeKey Global Root GA CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "OISTE WISeKey Global Root GA CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\131\042\241\341\132\352\026\065\041\370\230\071\152\106\106\260
\104\033\017\251
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\274\154\121\063\247\351\323\146\143\124\025\162\033\041\222\223
END
CKA_ISSUER MULTILINE_OCTAL
\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\110
\061\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113
\145\171\061\033\060\031\006\003\125\004\013\023\022\103\157\160
\171\162\151\147\150\164\040\050\143\051\040\062\060\060\065\061
\042\060\040\006\003\125\004\013\023\031\117\111\123\124\105\040
\106\157\165\156\144\141\164\151\157\156\040\105\156\144\157\162
\163\145\144\061\050\060\046\006\003\125\004\003\023\037\117\111
\123\124\105\040\127\111\123\145\113\145\171\040\107\154\157\142
\141\154\040\122\157\157\164\040\107\101\040\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\020\101\075\162\307\364\153\037\201\103\175\361\322\050\124
\337\232
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

4
security/nss/lib/ckfw/builtins/nssckbi.h
Просмотреть файл

@ -75,8 +75,8 @@
* of the comment in the CK_VERSION type definition.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 73
#define NSS_BUILTINS_LIBRARY_VERSION "1.73"
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 74
#define NSS_BUILTINS_LIBRARY_VERSION "1.74"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

17
security/nss/lib/freebl/Makefile
Просмотреть файл

@ -77,11 +77,15 @@ endif
ifdef FREEBL_NO_DEPEND
DEFINES += -DFREEBL_NO_DEPEND
endif
# some code wants _X86_ defined for intel CPUs.
# coreconf does this for windows, but not for Linux, FreeBSD, etc.
ifeq (,$(filter-out x86 x86_64,$(CPU_ARCH)))
ifneq (,$(filter-out WIN%,$(OS_TARGET)))
DEFINES += -D_X86_
# NSS_X86 means the target is a 32-bits x86 CPU architecture
# NSS_X64 means the target is a 64-bits x64 CPU architecture
# NSS_X86_OR_X64 means the target is either x86 or x64
ifeq (,$(filter-out x386 x86 x86_64,$(CPU_ARCH)))
DEFINES += -DNSS_X86_OR_X64
ifdef USE_64
DEFINES += -DNSS_X64
else
DEFINES += -DNSS_X86
endif
endif
@ -145,7 +149,7 @@ endif
ifeq ($(OS_TARGET),Linux)
ifeq ($(CPU_ARCH),x86_64)
ASFILES = arcfour-amd64-gas.s mpi_amd64_gas.s
ASFLAGS += -march=opteron -m64 -fPIC
ASFLAGS += -march=opteron -m64 -fPIC -Wa,--noexecstack
DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY
DEFINES += -DNSS_USE_COMBA
DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
@ -406,7 +410,6 @@ else
MPI_SRCS += mpi_amd64.c
else
# Solaris x86
DEFINES += -D_X86_
DEFINES += -DMP_USE_UINT_DIGIT
DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
DEFINES += -DMP_ASSEMBLY_DIV_2DX1D

4
security/nss/lib/freebl/alg2268.c
Просмотреть файл

@ -37,7 +37,7 @@
*
* ***** END LICENSE BLOCK ***** */
/* $Id: alg2268.c,v 1.8 2008/11/18 19:48:21 rrelyea%redhat.com Exp $ */
/* $Id: alg2268.c,v 1.9 2009/04/09 22:11:07 julien.pierre.boogz%sun.com Exp $ */
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
@ -105,7 +105,7 @@ struct RC2ContextStr {
((PRUint16 *)output)[2] = R[2]; \
((PRUint16 *)output)[3] = R[3];
#if defined (_X86_)
#if defined (NSS_X86_OR_X64)
#define LOAD(R) LOAD_EASY(R)
#define STORE(R) STORE_EASY(R)
#elif !defined(IS_LITTLE_ENDIAN)

2
security/nss/lib/freebl/config.mk
Просмотреть файл

@ -91,6 +91,7 @@ endif
ifdef NS_USE_GCC
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
-lnspr4 \
@ -107,6 +108,7 @@ else
ifndef FREEBL_NO_DEPEND
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
-lnspr4 \

8
security/nss/lib/freebl/des.c
Просмотреть файл

@ -400,7 +400,7 @@ static const HALF PC2[8][64] = {
temp = (word ^ (word >> 9)) & 0x00550055; \
word ^= temp | (temp << 9);
#if defined(__GNUC__) && defined(_X86_)
#if defined(__GNUC__) && defined(NSS_X86_OR_X64)
#define BYTESWAP(word, temp) \
__asm("bswap %0" : "+r" (word));
#else
@ -435,7 +435,7 @@ DES_MakeSchedule( HALF * ks, const BYTE * key, DESDirection direction)
int delta;
unsigned int ls;
#if defined(_X86_)
#if defined(NSS_X86_OR_X64)
left = HALFPTR(key)[0];
right = HALFPTR(key)[1];
BYTESWAP(left, temp);
@ -586,7 +586,7 @@ DES_Do1Block(HALF * ks, const BYTE * inbuf, BYTE * outbuf)
register HALF left, right;
register HALF temp;
#if defined(_X86_)
#if defined(NSS_X86_OR_X64)
left = HALFPTR(inbuf)[0];
right = HALFPTR(inbuf)[1];
BYTESWAP(left, temp);
@ -657,7 +657,7 @@ DES_Do1Block(HALF * ks, const BYTE * inbuf, BYTE * outbuf)
FP(left, right, temp);
#if defined(_X86_)
#if defined(NSS_X86_OR_X64)
BYTESWAP(left, temp);
BYTESWAP(right, temp);
HALFPTR(outbuf)[0] = left;

2
security/nss/lib/freebl/desblapi.c
Просмотреть файл

@ -49,7 +49,7 @@
#include <stddef.h>
#include "secerr.h"
#if defined(_X86_)
#if defined(NSS_X86_OR_X64)
/* Intel X86 CPUs do unaligned loads and stores without complaint. */
#define COPY8B(to, from, ptr) \
HALFPTR(to)[0] = HALFPTR(from)[0]; \

2
security/nss/lib/freebl/md5.c
Просмотреть файл

@ -475,7 +475,7 @@ MD5_Update(MD5Context *cx, const unsigned char *input, unsigned int inputLen)
/* Iterate over 64-byte chunks of the message. */
while (inputLen >= MD5_BUFFER_SIZE) {
#ifdef IS_LITTLE_ENDIAN
#ifdef _X86_
#ifdef NSS_X86_OR_X64
/* x86 can handle arithmetic on non-word-aligned buffers */
wBuf = (PRUint32 *)input;
#else

25
security/nss/lib/freebl/nsslowhash.c
Просмотреть файл

@ -33,7 +33,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: nsslowhash.c,v 1.2 2008/11/27 15:20:44 wtc%google.com Exp $ */
/* $Id: nsslowhash.c,v 1.3 2009/04/15 21:31:55 rrelyea%redhat.com Exp $ */
#include "stubs.h"
#include "prtypes.h"
@ -267,6 +267,27 @@ struct NSSLOWHASHContextStr {
};
static int nsslow_GetFIPSEnabled(void) {
#ifdef LINUX
FILE *f;
char d;
size_t size;
f = fopen("/proc/sys/crypto/fips_enabled", "r");
if (!f)
return 1;
size = fread(&d, 1, 1, f);
fclose(f);
if (size != 1)
return 0;
if (d != '1')
return 0;
#endif
return 1;
}
static int post = 0;
static NSSLOWInitContext dummyContext = { 0 };
@ -283,7 +304,7 @@ NSSLOW_Init(void)
nsprAvailable = (rv == SECSuccess ) ? PR_TRUE : PR_FALSE;
if (!post) {
if (!post && nsslow_GetFIPSEnabled()) {
crv = freebl_fipsPowerUpSelfTest();
if (crv != CKR_OK) {
return NULL;

2
security/nss/lib/freebl/os2_rand.c
Просмотреть файл

@ -369,5 +369,5 @@ static void rng_systemJitter(void)
size_t RNG_SystemRNG(void *dest, size_t maxLen)
{
return rng_systemFromNoise(dest,maxlen);
return rng_systemFromNoise(dest,maxLen);
}

10
security/nss/lib/freebl/rijndael.c
Просмотреть файл

@ -33,7 +33,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: rijndael.c,v 1.24 2008/12/04 18:16:31 rrelyea%redhat.com Exp $ */
/* $Id: rijndael.c,v 1.25 2009/04/09 22:11:07 julien.pierre.boogz%sun.com Exp $ */
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
@ -563,7 +563,7 @@ rijndael_encryptBlock128(AESContext *cx,
PRUint32 *roundkeyw;
rijndael_state state;
PRUint32 C0, C1, C2, C3;
#if defined(_X86_)
#if defined(NSS_X86_OR_X64)
#define pIn input
#define pOut output
#else
@ -639,7 +639,7 @@ rijndael_encryptBlock128(AESContext *cx,
*((PRUint32 *)(pOut + 4)) = C1;
*((PRUint32 *)(pOut + 8)) = C2;
*((PRUint32 *)(pOut + 12)) = C3;
#if defined(_X86_)
#if defined(NSS_X86_OR_X64)
#undef pIn
#undef pOut
#else
@ -659,7 +659,7 @@ rijndael_decryptBlock128(AESContext *cx,
PRUint32 *roundkeyw;
rijndael_state state;
PRUint32 C0, C1, C2, C3;
#if defined(_X86_)
#if defined(NSS_X86_OR_X64)
#define pIn input
#define pOut output
#else
@ -731,7 +731,7 @@ rijndael_decryptBlock128(AESContext *cx,
*((PRUint32 *)(pOut + 8)) ^= *roundkeyw--;
*((PRUint32 *)(pOut + 4)) ^= *roundkeyw--;
*((PRUint32 *) pOut ) ^= *roundkeyw--;
#if defined(_X86_)
#if defined(NSS_X86_OR_X64)
#undef pIn
#undef pOut
#else

8
security/nss/lib/freebl/sha512.c
Просмотреть файл

@ -36,14 +36,14 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: sha512.c,v 1.13 2008/11/19 21:10:52 nelson%bolyard.com Exp $ */
/* $Id: sha512.c,v 1.14 2009/04/09 22:11:07 julien.pierre.boogz%sun.com Exp $ */
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
#endif
#include "prcpucfg.h"
#if (defined(_X86_) && !defined(__x86_64__)) || defined(SHA_NO_LONG_LONG)
#if defined(NSS_X86) || defined(SHA_NO_LONG_LONG)
#define NOUNROLL512 1
#undef HAVE_LONG_LONG
#endif
@ -103,7 +103,7 @@ static const PRUint32 H256[8] = {
#pragma intrinsic(_byteswap_ulong)
#define SHA_HTONL(x) _byteswap_ulong(x)
#define BYTESWAP4(x) x = SHA_HTONL(x)
#elif defined(_MSC_VER) && defined(_X86_)
#elif defined(_MSC_VER) && defined(NSS_X86_OR_X64)
#ifndef FORCEINLINE
#if (_MSC_VER >= 1200)
#define FORCEINLINE __forceinline
@ -125,7 +125,7 @@ swap4b(PRUint32 dwd)
#define SHA_HTONL(x) swap4b(x)
#define BYTESWAP4(x) x = SHA_HTONL(x)
#elif defined(__GNUC__) && defined(_X86_)
#elif defined(__GNUC__) && defined(NSS_X86_OR_X64)
static __inline__ PRUint32 swap4b(PRUint32 value)
{
__asm__("bswap %0" : "+r" (value));

8
security/nss/lib/freebl/sha_fast.h
Просмотреть файл

@ -63,7 +63,7 @@ struct SHA1ContextStr {
#if (_MSC_VER >= 1300)
#pragma intrinsic(_byteswap_ulong)
#define SHA_HTONL(x) _byteswap_ulong(x)
#elif defined(_X86_)
#elif defined(NSS_X86_OR_X64)
#ifndef FORCEINLINE
#if (_MSC_VER >= 1200)
#define FORCEINLINE __forceinline
@ -83,7 +83,7 @@ swap4b(PRUint32 dwd)
}
#define SHA_HTONL(x) swap4b(x)
#endif /* _X86_ */
#endif /* NSS_X86_OR_X64 */
#endif /* IS_LITTLE_ENDIAN */
#pragma intrinsic (_lrotr, _lrotl)
@ -108,7 +108,7 @@ static __inline__ PRUint32 SHA_ROTL(PRUint32 t, PRUint32 n)
#endif
#define SHA_ROTL_IS_DEFINED 1
#if defined(_X86_) || defined(__x86_64__) || defined(__x86_64)
#if defined(NSS_X86_OR_X64)
static __inline__ PRUint32 swap4b(PRUint32 value)
{
__asm__("bswap %0" : "+r" (value));
@ -124,7 +124,7 @@ static __inline__ PRUint32 swap4b(PRUint32 value)
#define SHA_ROTL(X,n) (tmp = (X), ((tmp) << (n)) | ((tmp) >> (32-(n))))
#endif
#if defined(_X86_) || defined(__x86_64__) || defined(__x86_64)
#if defined(NSS_X86_OR_X64)
#define SHA_ALLOW_UNALIGNED_ACCESS 1
#endif

70
security/nss/lib/libpkix/include/pkix_certsel.h
Просмотреть файл

@ -118,10 +118,9 @@ extern "C" {
* DESCRIPTION:
*
* This callback function determines whether the specified Cert pointed to by
* "cert" matches the criteria of the CertSelector pointed to by "selector",
* and stores the result at "pResult". If the Cert matches the CertSelector's
* criteria, a value of PKIX_TRUE will be stored at "pResult"; otherwise a
* value of PKIX_FALSE will be stored.
* "cert" matches the criteria of the CertSelector pointed to by "selector".
* If the Cert does not matches the CertSelector's criteria, an exception will
* be thrown.
*
* PARAMETERS:
* "selector"
@ -130,8 +129,6 @@ extern "C" {
* "cert"
* Address of Cert that is to be matched using "selector".
* Must be non-NULL.
* "pResult"
* Address where Boolean value will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
@ -148,7 +145,6 @@ typedef PKIX_Error *
(*PKIX_CertSelector_MatchCallback)(
PKIX_CertSelector *selector,
PKIX_PL_Cert *cert,
PKIX_Boolean *pResult,
void *plContext);
/*
@ -1796,6 +1792,66 @@ PKIX_ComCertSelParams_SetMatchAllSubjAltNames(
PKIX_Boolean match,
void *plContext);
/*
* FUNCTION: PKIX_ComCertSelParams_GetLeafCertFlag
* DESCRIPTION:
*
* Return "leafCert" flag of the ComCertSelParams structure. If set to true,
* the flag indicates that a selector should filter out all cert that are not
* qualified to be a leaf cert according to the specified key/ekey usages.
*
* PARAMETERS:
* "params"
* Address of ComCertSelParams object used to determine whether all
* subject alternative names must be matched. Must be non-NULL.
* "pLeafFlag"
* Address of returned value.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Conditionally Thread Safe
* (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a CertSelector Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error*
PKIX_ComCertSelParams_GetLeafCertFlag(
PKIX_ComCertSelParams *params,
PKIX_Boolean *pLeafFlag,
void *plContext);
/*
* FUNCTION: PKIX_ComCertSelParams_SetLeafCertFlag
* DESCRIPTION:
*
* Sets a flag that if its value is true, indicates that the selector
* should only pick certs that qualifies to be leaf for this cert path
* validation.
*
* PARAMETERS:
* "params"
* Address of ComCertSelParams object whose match flag is to be set.
* Must be non-NULL.
* "leafFlag"
* Boolean value used to set the leaf flag.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Not Thread Safe - assumes exclusive access to "params"
* (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a CertSelector Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ComCertSelParams_SetLeafCertFlag(
PKIX_ComCertSelParams *params,
PKIX_Boolean leafFlag,
void *plContext);
#ifdef __cplusplus
}
#endif

7
security/nss/lib/libpkix/include/pkix_certstore.h
Просмотреть файл

@ -141,6 +141,8 @@ extern "C" {
* "selector"
* Address of CertSelector whose criteria must be satisfied.
* Must be non-NULL.
* "verifyNode"
* Parent log node for tracking of filtered out certs.
* "pNBIOContext"
* Address at which platform-dependent information is stored if the
* operation is suspended for non-blocking I/O. Must be non-NULL.
@ -162,6 +164,7 @@ typedef PKIX_Error *
(*PKIX_CertStore_CertCallback)(
PKIX_CertStore *store,
PKIX_CertSelector *selector,
PKIX_VerifyNode *verifyNode,
void **pNBIOContext,
PKIX_List **pCerts, /* list of PKIX_PL_Cert */
void *plContext);
@ -194,6 +197,8 @@ typedef PKIX_Error *
* "selector"
* Address of CertSelector whose criteria must be satisfied.
* Must be non-NULL.
* "verifyNode"
* Parent log node for tracking of filtered out certs.
* "pNBIOContext"
* Address at which platform-dependent information is stored if the
* operation is suspended for non-blocking I/O. Must be non-NULL.
@ -215,6 +220,7 @@ PKIX_Error *
PKIX_CertStore_CertContinue(
PKIX_CertStore *store,
PKIX_CertSelector *selector,
PKIX_VerifyNode *verifyNode,
void **pNBIOContext,
PKIX_List **pCerts, /* list of PKIX_PL_Cert */
void *plContext);
@ -223,6 +229,7 @@ typedef PKIX_Error *
(*PKIX_CertStore_CertContinueFunction)(
PKIX_CertStore *store,
PKIX_CertSelector *selector,
PKIX_VerifyNode *verifyNode,
void **pNBIOContext,
PKIX_List **pCerts, /* list of PKIX_PL_Cert */
void *plContext);

13
security/nss/lib/libpkix/include/pkix_errorstrings.h
Просмотреть файл

@ -228,9 +228,14 @@ PKIX_ERRORENTRY(CERTSELECTORMATCHAUTHKEYIDFAILED,pkix_CertSelector_Match_AuthKey
PKIX_ERRORENTRY(CERTSELECTORMATCHBASICCONSTRAINTFAILED,pkix_CertSelector_Match_BasicConstraint failed,0),
PKIX_ERRORENTRY(CERTSELECTORMATCHCALLBACKFAILED,PKIX_CertSelector_MatchCallback failed,0),
PKIX_ERRORENTRY(CERTSELECTORMATCHCERTIFICATEVALIDFAILED,pkix_CertSelector_Match_CertificateValid failed,0),
PKIX_ERRORENTRY(CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED,pkix_CertSelector_Match_ExtendedKeyUsage failed,0),
PKIX_ERRORENTRY(CERTSELECTORMATCHCERTISSUERFAILED,cert does not match issuer name,0),
PKIX_ERRORENTRY(CERTSELECTORMATCHCERTOBJECTFAILED,cert does not match cert object,0),
PKIX_ERRORENTRY(CERTSELECTORMATCHCERTSERIALNUMFAILED,cert does not match serial number,0),
PKIX_ERRORENTRY(CERTSELECTORMATCHCERTSUBJECTFAILED,cert does not match subject name,0),
PKIX_ERRORENTRY(CERTSELECTORMATCHCERTVERSIONFAILED,cert does not match cert version,0),
PKIX_ERRORENTRY(CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED,pkix_CertSelector_Match_ExtendedKeyUsage failed,SEC_ERROR_INADEQUATE_CERT_TYPE),
PKIX_ERRORENTRY(CERTSELECTORMATCHFAILED,certSelectorMatch failed,0),
PKIX_ERRORENTRY(CERTSELECTORMATCHKEYUSAGEFAILED,pkix_CertSelector_Match_KeyUsage failed,0),
PKIX_ERRORENTRY(CERTSELECTORMATCHKEYUSAGEFAILED,pkix_CertSelector_Match_KeyUsage failed,SEC_ERROR_INADEQUATE_KEY_USAGE),
PKIX_ERRORENTRY(CERTSELECTORMATCHNAMECONSTRAINTSFAILED,pkix_CertSelector_Match_NameConstraints failed,0),
PKIX_ERRORENTRY(CERTSELECTORMATCHPATHTONAMESFAILED,pkix_CertSelector_Match_PathToNames failed,0),
PKIX_ERRORENTRY(CERTSELECTORMATCHPOLICIESFAILED,pkix_CertSelector_Match_Policies failed,0),
@ -283,6 +288,7 @@ PKIX_ERRORENTRY(COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED,PKIX_ComCertSelParams_
PKIX_ERRORENTRY(COMCERTSELPARAMSGETEXTENDEDKEYUSAGEFAILED,PKIX_ComCertSelParams_GetExtendedKeyUsage failed,0),
PKIX_ERRORENTRY(COMCERTSELPARAMSGETISSUERFAILED,PKIX_ComCertSelParams_GetIssuer failed,0),
PKIX_ERRORENTRY(COMCERTSELPARAMSGETKEYUSAGEFAILED,PKIX_ComCertSelParams_GetKeyUsage failed,0),
PKIX_ERRORENTRY(COMCERTSELPARAMSGETLEAFCERTFLAGFAILED,PKIX_ComCertSelParams_GetLeafCertFlag failed,0),
PKIX_ERRORENTRY(COMCERTSELPARAMSGETMATCHALLSUBJALTNAMESFAILED,PKIX_ComCertSelParams_GetMatchAllSubjAltNames failed,0),
PKIX_ERRORENTRY(COMCERTSELPARAMSGETNAMECONSTRAINTSFAILED,PKIX_ComCertSelParams_GetNameConstraints failed,0),
PKIX_ERRORENTRY(COMCERTSELPARAMSGETPATHTONAMESFAILED,PKIX_ComCertSelParams_GetPathToNames failed,0),
@ -299,6 +305,7 @@ PKIX_ERRORENTRY(COMCERTSELPARAMSSETCERTIFICATEFAILED,PKIX_ComCertSelParams_SetCe
PKIX_ERRORENTRY(COMCERTSELPARAMSSETCERTIFICATEVALIDFAILED,PKIX_ComCertSelParams_SetCertificateValid failed,0),
PKIX_ERRORENTRY(COMCERTSELPARAMSSETEXTKEYUSAGEFAILED,PKIX_ComCertSelParams_SetExtendedKeyUsage failed,0),
PKIX_ERRORENTRY(COMCERTSELPARAMSSETKEYUSAGEFAILED,PKIX_ComCertSelParams_SetKeyUsage failed,0),
PKIX_ERRORENTRY(COMCERTSELPARAMSSETLEAFCERTFLAGFAILED,PKIX_ComCertSelParams_SetLeafCertFlag failed,0),
PKIX_ERRORENTRY(COMCERTSELPARAMSSETNISTPOLICYENABLEDFAILED,PKIX_ComCertSelParams_SetNISTPolicyEnabled failed,0),
PKIX_ERRORENTRY(COMCERTSELPARAMSSETPATHTONAMESFAILED,PKIX_ComCertSelParams_SetPathToNames failed,0),
PKIX_ERRORENTRY(COMCERTSELPARAMSSETSUBJECTFAILED,PKIX_ComCertSelParams_SetSubject failed,0),
@ -927,6 +934,7 @@ PKIX_ERRORENTRY(PROCESSINGPARAMSSETNISTREVOCATIONENABLEDFAILED,PKIX_ProcessingPa
PKIX_ERRORENTRY(PROCESSINGPARAMSSETPOLICYMAPPINGINHIBITED,PKIX_ProcessingParams_SetPolicyMappingInhibited failed,0),
PKIX_ERRORENTRY(PROCESSINGPARAMSSETREVOCATIONCHECKERFAILED,PKIX_ProcessingParams_SetRevocationChecker failed,0),
PKIX_ERRORENTRY(PROCESSINGPARAMSSETTARGETCERTCONSTRAINTSFAILED,PKIX_ProcessingParams_SetTargetCertConstraints failed,0),
PKIX_ERRORENTRY(PROCESSINGPARAMSSETQUALIFYTARGETCERTFLAGFAILED,ProcessingParams_SetQualifyTargetCertFlag failed,0),
PKIX_ERRORENTRY(PRPOLLFAILED,PR_Poll failed,0),
PKIX_ERRORENTRY(PRPOLLRETBADFILENUM,PR_Poll failed,0),
PKIX_ERRORENTRY(PRRECVFAILED,PR_Recv failed,0),
@ -1052,6 +1060,7 @@ PKIX_ERRORENTRY(UNEXPECTEDERRORINESTABLISHINGCONNECTION,Unexpected error in esta
PKIX_ERRORENTRY(UNEXPECTEDRESULTCODEINRESPONSE,Unexpected result code in Response,SEC_ERROR_BAD_LDAP_RESPONSE),
PKIX_ERRORENTRY(UNKNOWNFORMAT,Unknown format,SEC_ERROR_INVALID_ARGS),
PKIX_ERRORENTRY(UNKNOWNINFOACCESSTYPE,Unknown InfoAccess type,SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE),
PKIX_ERRORENTRY(UNKNOWNINFOACCESSMETHOD,Unknown InfoAccess method,SEC_ERROR_BAD_INFO_ACCESS_METHOD),
PKIX_ERRORENTRY(UNKNOWNOBJECTOID,Unknown object OID,0),
PKIX_ERRORENTRY(UNKNOWNOBJECTTYPE,Unknown object type,0),
PKIX_ERRORENTRY(UNKNOWNTYPEARGUMENT,Unknown type argument,0),

31
security/nss/lib/libpkix/include/pkix_params.h
Просмотреть файл

@ -752,6 +752,37 @@ PKIX_ProcessingParams_SetUseAIAForCertFetching(
PKIX_Boolean useAIA,
void *plContext);
/*
* FUNCTION: PKIX_ProcessingParams_SetQualifyTargetCert
* DESCRIPTION:
*
* Sets a boolean value that tells if libpkix needs to check that
* the target certificate satisfies the conditions set in processing
* parameters. Includes but not limited to date, ku and eku checks.
*
* PARAMETERS:
* "params"
* Address of ProcessingParams whose List of TrustAnchors are to
* be stored. Must be non-NULL.
* "qualifyTargetCert"
* boolean value if set to true will trigger qualification of the
* target certificate.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Conditionally Thread Safe
* (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Params Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_ProcessingParams_SetQualifyTargetCert(
PKIX_ProcessingParams *params,
PKIX_Boolean qualifyTargetCert,
void *plContext);
/*
* FUNCTION: PKIX_ProcessingParams_GetHintCerts
* DESCRIPTION:

43
security/nss/lib/libpkix/include/pkix_pl_system.h
Просмотреть файл

@ -1462,20 +1462,11 @@ PKIX_PL_ByteArray_GetLength(
* FUNCTION: PKIX_PL_OID_Create
* DESCRIPTION:
*
* Creates a new OID using the string pointed to by "stringRep" and stores it
* at "pOID". The string representation is a null-terminated char * consisting
* of decimal components separated by dots. All other characters are illegal.
* The first field must be be 0, 1 or 2. If the first field is 0 or 1, the
* second field must be between 0 and 39. All fields must be ASCII decimal
* digits less than or equal to 2^32. Once created, an OID is immutable.
*
* The regexp format is as follows:
* OID := [0,1,2](.NUM)+
* NUM := [0-9]+
* Creates a new OID using NSS oid tag.
*
* PARAMETERS:
* "stringRep"
* Address of character data representing an OID. Must be non-NULL.
* "idtag"
* nss oid id tag.
* "pOID"
* Address where object pointer will be stored. Must be non-NULL.
* "plContext"
@ -1489,7 +1480,33 @@ PKIX_PL_ByteArray_GetLength(
*/
PKIX_Error *
PKIX_PL_OID_Create(
char *stringRep,
SECOidTag idtag,
PKIX_PL_OID **pOID,
void *plContext);
/*
* FUNCTION: PKIX_PL_OID_CreateBySECItem
* DESCRIPTION:
*
* Creates a new OID using a DER encoded OID stored as SECItem.
*
* PARAMETERS:
* "derOid"
* Address of SECItem that holds DER encoded OID.
* "pOID"
* Address where object pointer will be stored. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns an OID Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
PKIX_PL_OID_CreateBySECItem(
SECItem *derOid,
PKIX_PL_OID **pOID,
void *plContext);

32
security/nss/lib/libpkix/include/pkixt.h
Просмотреть файл

@ -473,18 +473,26 @@ PKIX_Error* PKIX_ALLOC_ERROR(void);
/*
* Define Certificate Extension hard-coded OID's
*/
#define PKIX_CERTKEYUSAGE_OID "2.5.29.15"
#define PKIX_CERTSUBJALTNAME_OID "2.5.29.17"
#define PKIX_BASICCONSTRAINTS_OID "2.5.29.19"
#define PKIX_CRLREASONCODE_OID "2.5.29.21"
#define PKIX_NAMECONSTRAINTS_OID "2.5.29.30"
#define PKIX_CERTIFICATEPOLICIES_OID "2.5.29.32"
#define PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID "2.5.29.32.0"
#define PKIX_POLICYMAPPINGS_OID "2.5.29.33"
#define PKIX_POLICYCONSTRAINTS_OID "2.5.29.36"
#define PKIX_EXTENDEDKEYUSAGE_OID "2.5.29.37"
#define PKIX_INHIBITANYPOLICY_OID "2.5.29.54"
#define PKIX_NSCERTTYPE_OID "2.16.840.1.113730.1.1"
#define PKIX_UNKNOWN_OID SEC_OID_UNKNOWN
#define PKIX_CERTKEYUSAGE_OID SEC_OID_X509_KEY_USAGE
#define PKIX_CERTSUBJALTNAME_OID SEC_OID_X509_SUBJECT_ALT_NAME
#define PKIX_BASICCONSTRAINTS_OID SEC_OID_X509_BASIC_CONSTRAINTS
#define PKIX_CRLREASONCODE_OID SEC_OID_X509_REASON_CODE
#define PKIX_NAMECONSTRAINTS_OID SEC_OID_X509_NAME_CONSTRAINTS
#define PKIX_CERTIFICATEPOLICIES_OID SEC_OID_X509_CERTIFICATE_POLICIES
#define PKIX_CERTIFICATEPOLICIES_ANYPOLICY_OID SEC_OID_X509_ANY_POLICY
#define PKIX_POLICYMAPPINGS_OID SEC_OID_X509_POLICY_MAPPINGS
#define PKIX_POLICYCONSTRAINTS_OID SEC_OID_X509_POLICY_CONSTRAINTS
#define PKIX_EXTENDEDKEYUSAGE_OID SEC_OID_X509_EXT_KEY_USAGE
#define PKIX_INHIBITANYPOLICY_OID SEC_OID_X509_INHIBIT_ANY_POLICY
#define PKIX_NSCERTTYPE_OID SEC_OID_NS_CERT_EXT_CERT_TYPE
#define PKIX_KEY_USAGE_SERVER_AUTH_OID SEC_OID_EXT_KEY_USAGE_SERVER_AUTH
#define PKIX_KEY_USAGE_CLIENT_AUTH_OID SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH
#define PKIX_KEY_USAGE_CODE_SIGN_OID SEC_OID_EXT_KEY_USAGE_CODE_SIGN
#define PKIX_KEY_USAGE_EMAIL_PROTECT_OID SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT
#define PKIX_KEY_USAGE_TIME_STAMP_OID SEC_OID_EXT_KEY_USAGE_TIME_STAMP
#define PKIX_KEY_USAGE_OCSP_RESPONDER_OID SEC_OID_OCSP_RESPONDER
/* Available revocation method types. */
typedef enum PKIX_RevocationMethodTypeEnum {

361
security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c
Просмотреть файл

@ -296,8 +296,7 @@ pkix_CertSelector_Match_Policies(
if (!certPolicyInfos) {
PKIX_CERTSELECTOR_DEBUG("Certificate has no policies\n");
*pResult = PKIX_FALSE;
goto cleanup;
PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED);
}
PKIX_CHECK(PKIX_List_GetLength
@ -334,10 +333,8 @@ pkix_CertSelector_Match_Policies(
PKIX_DECREF(polOID);
}
if (!result) {
PKIX_CERTSELECTOR_DEBUG
("Certificate has no acceptable policies\n");
*pResult = PKIX_FALSE;
goto cleanup;
*pResult = PKIX_FALSE;
PKIX_ERROR(PKIX_CERTSELECTORMATCHPOLICIESFAILED);
}
}
}
@ -407,7 +404,9 @@ pkix_CertSelector_Match_CertificateValid(
}
cleanup:
if (PKIX_ERROR_RECEIVED) {
*pResult = PKIX_FALSE;
}
PKIX_DECREF(validityTime);
PKIX_RETURN(CERTSELECTOR);
@ -466,6 +465,9 @@ pkix_CertSelector_Match_NameConstraints(
}
cleanup:
if (PKIX_ERROR_RECEIVED) {
*pResult = PKIX_FALSE;
}
PKIX_DECREF(nameConstraints);
PKIX_RETURN(CERTSELECTOR);
@ -531,9 +533,8 @@ pkix_CertSelector_Match_PathToNames(
PKIX_CERTNAMECONSTRAINTSCHECKNAMESINNAMESPACEFAILED);
if (passed != PKIX_TRUE) {
PKIX_CERTSELECTOR_DEBUG("PathToName Match failed\n");
*pResult = PKIX_FALSE;
goto cleanup;
*pResult = PKIX_FALSE;
PKIX_ERROR(PKIX_CERTSELECTORMATCHPATHTONAMESFAILED);
}
}
@ -607,59 +608,52 @@ pkix_CertSelector_Match_SubjAltNames(
(cert, &certSubjAltNames, plContext),
PKIX_CERTGETSUBJALTNAMESFAILED);
if (certSubjAltNames != NULL) {
if (certSubjAltNames == NULL) {
*pResult = PKIX_FALSE;
PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
}
PKIX_CHECK(PKIX_List_GetLength
(subjAltNamesList, &numItems, plContext),
PKIX_LISTGETLENGTHFAILED);
for (i = 0; i < numItems; i++) {
PKIX_CHECK(PKIX_List_GetItem
(subjAltNamesList,
PKIX_CHECK(PKIX_List_GetLength
(subjAltNamesList, &numItems, plContext),
PKIX_LISTGETLENGTHFAILED);
for (i = 0; i < numItems; i++) {
PKIX_CHECK(PKIX_List_GetItem
(subjAltNamesList,
i,
(PKIX_PL_Object **) &name,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(pkix_List_Contains
(certSubjAltNames,
PKIX_LISTGETITEMFAILED);
PKIX_CHECK(pkix_List_Contains
(certSubjAltNames,
(PKIX_PL_Object *) name,
&checkPassed,
plContext),
PKIX_LISTCONTAINSFAILED);
PKIX_DECREF(name);
if (checkPassed == PKIX_TRUE) {
if (matchAll == PKIX_FALSE) {
/* one match is good enough */
matchCount = numItems;
break;
} else {
/* else continue checking next */
matchCount++;
}
}
PKIX_LISTCONTAINSFAILED);
PKIX_DECREF(name);
if (checkPassed == PKIX_TRUE) {
if (matchAll == PKIX_FALSE) {
/* one match is good enough */
matchCount = numItems;
break;
} else {
/* else continue checking next */
matchCount++;
}
}
if (matchCount != numItems) {
PKIX_CERTSELECTOR_DEBUG("SubjAltName Match failed\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
} else {
PKIX_CERTSELECTOR_DEBUG
("SubjAltName Match failed: Cert has no SubjAltName\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
if (matchCount != numItems) {
*pResult = PKIX_FALSE;
PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
}
}
cleanup:
@ -750,10 +744,8 @@ pkix_CertSelector_Match_ExtendedKeyUsage(
PKIX_DECREF(ekuOid);
if (isContained != PKIX_TRUE) {
PKIX_CERTSELECTOR_DEBUG
("Extended Key Usage Match failed\n");
*pResult = PKIX_FALSE;
goto cleanup;
*pResult = PKIX_FALSE;
PKIX_ERROR(PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED);
}
}
}
@ -819,6 +811,9 @@ pkix_CertSelector_Match_KeyUsage(
}
cleanup:
if (PKIX_ERROR_RECEIVED) {
*pResult = PKIX_FALSE;
}
PKIX_RETURN(CERTSELECTOR);
}
@ -874,24 +869,21 @@ pkix_CertSelector_Match_SubjKeyId(
(cert, &certSubjKeyId, plContext),
PKIX_CERTGETSUBJECTKEYIDENTIFIERFAILED);
if (certSubjKeyId != NULL) {
PKIX_CHECK(PKIX_PL_Object_Equals
((PKIX_PL_Object *)selSubjKeyId,
(PKIX_PL_Object *)certSubjKeyId,
&equals,
plContext),
PKIX_OBJECTEQUALSFAILED);
if (equals != PKIX_TRUE) {
PKIX_CERTSELECTOR_DEBUG("SubjKeyId Match failed\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
} else {
PKIX_CERTSELECTOR_DEBUG
("SubjKeyId Match failed: Cert has no SubjKeyId\n");
if (certSubjKeyId == NULL) {
*pResult = PKIX_FALSE;
goto cleanup;
PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
}
PKIX_CHECK(PKIX_PL_Object_Equals
((PKIX_PL_Object *)selSubjKeyId,
(PKIX_PL_Object *)certSubjKeyId,
&equals,
plContext),
PKIX_OBJECTEQUALSFAILED);
if (equals != PKIX_TRUE) {
*pResult = PKIX_FALSE;
PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
}
}
@ -954,24 +946,20 @@ pkix_CertSelector_Match_AuthKeyId(
(cert, &certAuthKeyId, plContext),
PKIX_CERTGETAUTHORITYKEYIDENTIFIERFAILED);
if (certAuthKeyId != NULL) {
PKIX_CHECK(PKIX_PL_Object_Equals
((PKIX_PL_Object *)selAuthKeyId,
(PKIX_PL_Object *)certAuthKeyId,
&equals,
plContext),
PKIX_OBJECTEQUALSFAILED);
if (equals != PKIX_TRUE) {
PKIX_CERTSELECTOR_DEBUG("AuthKeyId Match failed\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
} else {
PKIX_CERTSELECTOR_DEBUG
("AuthKeyId Match failed: Cert has no AuthKeyId\n");
if (certAuthKeyId == NULL) {
*pResult = PKIX_FALSE;
goto cleanup;
PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
}
PKIX_CHECK(PKIX_PL_Object_Equals
((PKIX_PL_Object *)selAuthKeyId,
(PKIX_PL_Object *)certAuthKeyId,
&equals,
plContext),
PKIX_OBJECTEQUALSFAILED);
if (equals != PKIX_TRUE) {
*pResult = PKIX_FALSE;
PKIX_ERROR(PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
}
}
@ -1035,24 +1023,19 @@ pkix_CertSelector_Match_SubjPKAlgId(
PKIX_CERTGETSUBJECTPUBLICKEYALGIDFAILED);
if (certPKAlgId != NULL) {
PKIX_CHECK(PKIX_PL_Object_Equals
((PKIX_PL_Object *)selPKAlgId,
(PKIX_PL_Object *)certPKAlgId,
&equals,
plContext),
PKIX_OBJECTEQUALSFAILED);
if (equals != PKIX_TRUE) {
PKIX_CERTSELECTOR_DEBUG
("SubjPKAlgId Match failed\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
} else {
PKIX_CERTSELECTOR_DEBUG
("SubjPKAlgId Match failed: Cert has no SubjPKAlgId\n");
*pResult = PKIX_FALSE;
goto cleanup;
PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
}
PKIX_CHECK(PKIX_PL_Object_Equals
((PKIX_PL_Object *)selPKAlgId,
(PKIX_PL_Object *)certPKAlgId,
&equals,
plContext),
PKIX_OBJECTEQUALSFAILED);
if (equals != PKIX_TRUE) {
*pResult = PKIX_FALSE;
PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
}
}
@ -1115,26 +1098,20 @@ pkix_CertSelector_Match_SubjPubKey(
(cert, &certPK, plContext),
PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
if (certPK != NULL) {
PKIX_CHECK(PKIX_PL_Object_Equals
((PKIX_PL_Object *)selPK,
(PKIX_PL_Object *)certPK,
&equals,
plContext),
PKIX_OBJECTEQUALSFAILED);
if (equals != PKIX_TRUE) {
PKIX_CERTSELECTOR_DEBUG
("Subject Public Key Match failed\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
} else {
PKIX_CERTSELECTOR_DEBUG
("SubjPubKey Match failed: Cert has no SubjPubKey\n");
if (certPK == NULL) {
*pResult = PKIX_FALSE;
goto cleanup;
PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
}
PKIX_CHECK(PKIX_PL_Object_Equals
((PKIX_PL_Object *)selPK,
(PKIX_PL_Object *)certPK,
&equals,
plContext),
PKIX_OBJECTEQUALSFAILED);
if (equals != PKIX_TRUE) {
*pResult = PKIX_FALSE;
PKIX_ERROR(PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
}
}
@ -1152,9 +1129,8 @@ cleanup:
*
* This default match function determines whether the specified Cert pointed
* to by "cert" matches the criteria of the CertSelector pointed to by
* "selector". If the Cert satisfies the CertSelector's criteria, PKIX_TRUE
* is stored at "pResult". If the Cert does not match the CertSelector's
* criteria, PKIX_FALSE is stored at "pResult".
* "selector". If the Cert does not match the CertSelector's
* criteria, an error will be thrown.
*
* This default match function understands how to process the most common
* parameters. Any common parameter that is not set is assumed to be disabled,
@ -1175,8 +1151,6 @@ cleanup:
* "cert"
* Address of Cert that is to be matched using "selector".
* Must be non-NULL.
* "pResult"
* Address of PKIX_Boolean that returns the match result.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
@ -1191,7 +1165,6 @@ static PKIX_Error *
pkix_CertSelector_DefaultMatch(
PKIX_CertSelector *selector,
PKIX_PL_Cert *cert,
PKIX_Boolean *pResult,
void *plContext)
{
PKIX_ComCertSelParams *params = NULL;
@ -1203,7 +1176,6 @@ pkix_CertSelector_DefaultMatch(
PKIX_PL_BigInt *selSerialNumber = NULL;
PKIX_PL_Cert *selCert = NULL;
PKIX_PL_Date *selDate = NULL;
PKIX_UInt32 requiredKeyUsage = 0;
PKIX_UInt32 selVersion = 0xFFFFFFFF;
PKIX_UInt32 certVersion = 0;
PKIX_Boolean result = PKIX_TRUE;
@ -1215,9 +1187,7 @@ pkix_CertSelector_DefaultMatch(
#endif
PKIX_ENTER(CERTSELECTOR, "pkix_CertSelector_DefaultMatch");
PKIX_NULLCHECK_THREE(selector, cert, pResult);
*pResult = PKIX_TRUE;
PKIX_NULLCHECK_TWO(selector, cert);
PKIX_INCREF(selector->params);
params = selector->params;
@ -1236,9 +1206,7 @@ pkix_CertSelector_DefaultMatch(
PKIX_CERTGETVERSIONFAILED);
if (selVersion != certVersion) {
PKIX_CERTSELECTOR_DEBUG("Version Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTVERSIONFAILED);
}
}
@ -1257,16 +1225,10 @@ pkix_CertSelector_DefaultMatch(
PKIX_X500NAMEMATCHFAILED);
if (result == PKIX_FALSE){
PKIX_CERTSELECTOR_DEBUG
("Subject Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED);
}
} else { /* cert has no subject */
PKIX_CERTSELECTOR_DEBUG("Subject Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSUBJECTFAILED);
}
}
@ -1284,9 +1246,7 @@ pkix_CertSelector_DefaultMatch(
PKIX_X500NAMEMATCHFAILED);
if (result == PKIX_FALSE){
PKIX_CERTSELECTOR_DEBUG("Issuer Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTISSUERFAILED);
}
}
@ -1307,9 +1267,7 @@ pkix_CertSelector_DefaultMatch(
PKIX_OBJECTEQUALSFAILED);
if (result == PKIX_FALSE){
PKIX_CERTSELECTOR_DEBUG("Serial Number Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTSERIALNUMFAILED);
}
}
@ -1326,13 +1284,10 @@ pkix_CertSelector_DefaultMatch(
PKIX_OBJECTEQUALSFAILED);
if (result == PKIX_FALSE){
PKIX_CERTSELECTOR_DEBUG("Certificate Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
PKIX_ERROR(PKIX_CERTSELECTORMATCHCERTOBJECTFAILED);
}
}
PKIX_CHECK(PKIX_ComCertSelParams_GetCertificateValid
(params, &selDate, plContext),
PKIX_COMCERTSELPARAMSGETCERTIFICATEVALIDFAILED);
@ -1343,136 +1298,55 @@ pkix_CertSelector_DefaultMatch(
PKIX_CERTCHECKVALIDITYFAILED);
}
PKIX_CHECK(PKIX_ComCertSelParams_GetKeyUsage
(params, &requiredKeyUsage, plContext),
PKIX_COMCERTSELPARAMSGETKEYUSAGEFAILED);
if (requiredKeyUsage != 0) {
PKIX_CHECK(PKIX_PL_Cert_VerifyKeyUsage
(cert, requiredKeyUsage, plContext),
PKIX_CERTVERIFYKEYUSAGEFAILED);
}
PKIX_CHECK(pkix_CertSelector_Match_BasicConstraint
(params, cert, &result, plContext),
PKIX_CERTSELECTORMATCHBASICCONSTRAINTFAILED);
if (result == PKIX_FALSE){
PKIX_CERTSELECTOR_DEBUG("BasicConstraint Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
PKIX_CHECK(pkix_CertSelector_Match_Policies
(params, cert, &result, plContext),
PKIX_CERTSELECTORMATCHPOLICIESFAILED);
if (result == PKIX_FALSE){
PKIX_CERTSELECTOR_DEBUG("Policies Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
PKIX_CHECK(pkix_CertSelector_Match_CertificateValid
(params, cert, &result, plContext),
PKIX_CERTSELECTORMATCHCERTIFICATEVALIDFAILED);
if (result == PKIX_FALSE){
PKIX_CERTSELECTOR_DEBUG("CertificateValid Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
PKIX_CHECK(pkix_CertSelector_Match_NameConstraints
(params, cert, &result, plContext),
PKIX_CERTSELECTORMATCHNAMECONSTRAINTSFAILED);
if (result == PKIX_FALSE){
PKIX_CERTSELECTOR_DEBUG("NameConstraints Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
PKIX_CHECK(pkix_CertSelector_Match_PathToNames
(params, cert, &result, plContext),
PKIX_CERTSELECTORMATCHPATHTONAMESFAILED);
if (result == PKIX_FALSE){
PKIX_CERTSELECTOR_DEBUG("PathToNames Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
PKIX_CHECK(pkix_CertSelector_Match_SubjAltNames
(params, cert, &result, plContext),
PKIX_CERTSELECTORMATCHSUBJALTNAMESFAILED);
if (result == PKIX_FALSE){
PKIX_CERTSELECTOR_DEBUG("SubjAltNames Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
/* Next two check are for user supplied additional KU and EKU. */
PKIX_CHECK(pkix_CertSelector_Match_ExtendedKeyUsage
(params, cert, &result, plContext),
PKIX_CERTSELECTORMATCHEXTENDEDKEYUSAGEFAILED);
if (result == PKIX_FALSE){
PKIX_CERTSELECTOR_DEBUG("ExtendedKeyUsage Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
PKIX_CHECK(pkix_CertSelector_Match_KeyUsage
(params, cert, &result, plContext),
PKIX_CERTSELECTORMATCHKEYUSAGEFAILED);
if (result == PKIX_FALSE){
PKIX_CERTSELECTOR_DEBUG("KeyUsage Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
PKIX_CHECK(pkix_CertSelector_Match_SubjKeyId
(params, cert, &result, plContext),
PKIX_CERTSELECTORMATCHSUBJKEYIDFAILED);
if (result == PKIX_FALSE){
PKIX_CERTSELECTOR_DEBUG("SubjKeyId Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
PKIX_CHECK(pkix_CertSelector_Match_AuthKeyId
(params, cert, &result, plContext),
PKIX_CERTSELECTORMATCHAUTHKEYIDFAILED);
if (result == PKIX_FALSE){
PKIX_CERTSELECTOR_DEBUG("AuthKeyId Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
PKIX_CHECK(pkix_CertSelector_Match_SubjPKAlgId
(params, cert, &result, plContext),
PKIX_CERTSELECTORMATCHSUBJPKALGIDFAILED);
if (result == PKIX_FALSE){
PKIX_CERTSELECTOR_DEBUG("SubjPKAlgId Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
PKIX_CHECK(pkix_CertSelector_Match_SubjPubKey
(params, cert, &result, plContext),
PKIX_CERTSELECTORMATCHSUBJPUBKEYFAILED);
if (result == PKIX_FALSE){
PKIX_CERTSELECTOR_DEBUG("SubjPubKey Match FAILED\n");
*pResult = PKIX_FALSE;
goto cleanup;
}
/* if we reach here, the cert has successfully matched criteria */
@ -1725,7 +1599,6 @@ pkix_CertSelector_Select(
PKIX_List **pAfter,
void *plContext)
{
PKIX_Boolean match = PKIX_FALSE;
PKIX_UInt32 numBefore = 0;
PKIX_UInt32 i = 0;
PKIX_List *filtered = NULL;
@ -1747,10 +1620,10 @@ pkix_CertSelector_Select(
PKIX_LISTGETITEMFAILED);
PKIX_CHECK_ONLY_FATAL(selector->matchCallback
(selector, candidate, &match, plContext),
(selector, candidate, plContext),
PKIX_CERTSELECTORMATCHCALLBACKFAILED);
if ((!(PKIX_ERROR_RECEIVED)) && (match == PKIX_TRUE)) {
if (!(PKIX_ERROR_RECEIVED)) {
PKIX_CHECK_ONLY_FATAL(PKIX_List_AppendItem
(filtered,

62
security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.c
Просмотреть файл

@ -192,6 +192,8 @@ pkix_ComCertSelParams_Duplicate(
plContext,
PKIX_OBJECTDUPLICATEFAILED);
paramsDuplicate->leafCertFlag = params->leafCertFlag;
*pNewObject = (PKIX_PL_Object *)paramsDuplicate;
cleanup:
@ -219,21 +221,14 @@ PKIX_Error *
pkix_ComCertSelParams_RegisterSelf(void *plContext)
{
extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
pkix_ClassTable_Entry entry;
pkix_ClassTable_Entry* entry = &systemClasses[PKIX_COMCERTSELPARAMS_TYPE];
PKIX_ENTER(COMCERTSELPARAMS, "pkix_ComCertSelParams_RegisterSelf");
entry.description = "ComCertSelParams";
entry.objCounter = 0;
entry.typeObjectSize = sizeof(PKIX_ComCertSelParams);
entry.destructor = pkix_ComCertSelParams_Destroy;
entry.equalsFunction = NULL;
entry.hashcodeFunction = NULL;
entry.toStringFunction = NULL;
entry.comparator = NULL;
entry.duplicateFunction = pkix_ComCertSelParams_Duplicate;
systemClasses[PKIX_COMCERTSELPARAMS_TYPE] = entry;
entry->description = "ComCertSelParams";
entry->typeObjectSize = sizeof(PKIX_ComCertSelParams);
entry->destructor = pkix_ComCertSelParams_Destroy;
entry->duplicateFunction = pkix_ComCertSelParams_Duplicate;
PKIX_RETURN(COMCERTSELPARAMS);
}
@ -283,6 +278,7 @@ PKIX_ComCertSelParams_Create(
params->subjKeyId = NULL;
params->subjPubKey = NULL;
params->subjPKAlgId = NULL;
params->leafCertFlag = PKIX_TRUE;
*pParams = params;
@ -1181,3 +1177,45 @@ cleanup:
PKIX_RETURN(COMCERTSELPARAMS);
}
/*
* FUNCTION: PKIX_ComCertSelParams_GetLeafCertFlag
* (see comments in pkix_certsel.h)
*/
PKIX_Error*
PKIX_ComCertSelParams_GetLeafCertFlag(
PKIX_ComCertSelParams *params,
PKIX_Boolean *pLeafFlag,
void *plContext)
{
PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_GetLeafCertFlag");
PKIX_NULLCHECK_TWO(params, pLeafFlag);
*pLeafFlag = params->leafCertFlag;
PKIX_RETURN(COMCERTSELPARAMS);
}
/*
* FUNCTION: PKIX_ComCertSelParams_SetLeafCertFlag
* (see comments in pkix_certsel.h)
*/
PKIX_Error *
PKIX_ComCertSelParams_SetLeafCertFlag(
PKIX_ComCertSelParams *params,
PKIX_Boolean leafFlag,
void *plContext)
{
PKIX_ENTER(COMCERTSELPARAMS, "PKIX_ComCertSelParams_SetLeafCertFlag");
PKIX_NULLCHECK_ONE(params);
params->leafCertFlag = leafFlag;
PKIX_CHECK(PKIX_PL_Object_InvalidateCache
((PKIX_PL_Object *)params, plContext),
PKIX_OBJECTINVALIDATECACHEFAILED);
cleanup:
PKIX_RETURN(COMCERTSELPARAMS);
}

1
security/nss/lib/libpkix/pkix/certsel/pkix_comcertselparams.h
Просмотреть файл

@ -76,6 +76,7 @@ struct PKIX_ComCertSelParamsStruct {
PKIX_PL_ByteArray *subjKeyId;
PKIX_PL_PublicKey *subjPubKey;
PKIX_PL_OID *subjPKAlgId;
PKIX_Boolean leafCertFlag;
};
/* see source file for function documentation */

16
security/nss/lib/libpkix/pkix/checker/pkix_ekuchecker.c
Просмотреть файл

@ -43,14 +43,14 @@
#include "pkix_ekuchecker.h"
char *ekuOidStrings[] = {
"1.3.6.1.5.5.7.3.1", /* id-kp-serverAuth */
"1.3.6.1.5.5.7.3.2", /* id-kp-clientAuth */
"1.3.6.1.5.5.7.3.3", /* id-kp-codeSigning */
"1.3.6.1.5.5.7.3.4", /* id-kp-emailProtection */
"1.3.6.1.5.5.7.3.8", /* id-kp-timeStamping */
"1.3.6.1.5.5.7.3.9", /* id-kp-OCSPSigning */
NULL
SECOidTag ekuOidStrings[] = {
PKIX_KEY_USAGE_SERVER_AUTH_OID,
PKIX_KEY_USAGE_CLIENT_AUTH_OID,
PKIX_KEY_USAGE_CODE_SIGN_OID,
PKIX_KEY_USAGE_EMAIL_PROTECT_OID,
PKIX_KEY_USAGE_TIME_STAMP_OID,
PKIX_KEY_USAGE_OCSP_RESPONDER_OID,
PKIX_UNKNOWN_OID
};
typedef struct pkix_EkuCheckerStruct {

2
security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
Просмотреть файл

@ -251,7 +251,7 @@ pkix_OcspChecker_CheckExternal(
PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
void *nbioContext = NULL;
PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_Check");
PKIX_ENTER(OCSPCHECKER, "pkix_OcspChecker_CheckExternal");
PKIX_CHECK(
pkix_CheckType((PKIX_PL_Object*)checkerObject,

6
security/nss/lib/libpkix/pkix/checker/pkix_targetcertchecker.c
Просмотреть файл

@ -378,14 +378,8 @@ pkix_TargetCertChecker_Check(
PKIX_CHECK(certSelectorMatch
(state->certSelector,
cert,
&checkPassed,
plContext),
PKIX_CERTSELECTORMATCHFAILED);
if (checkPassed != PKIX_TRUE){
PKIX_ERROR(PKIX_CERTSELECTORCHECKFAILED);
}
/*
* There are two Extended Key Usage Checkings
* available :

39
security/nss/lib/libpkix/pkix/params/pkix_procparams.c
Просмотреть файл

@ -588,6 +588,7 @@ PKIX_ProcessingParams_Create(
params->isCrlRevocationCheckingEnabledWithNISTPolicy = PKIX_TRUE;
params->useAIAForCertFetching = PKIX_FALSE;
params->qualifyTargetCert = PKIX_TRUE;
*pParams = params;
params = NULL;
@ -636,6 +637,44 @@ PKIX_ProcessingParams_SetUseAIAForCertFetching(
PKIX_RETURN(PROCESSINGPARAMS);
}
/*
* FUNCTION: PKIX_ProcessingParams_GetQualifyTargetCert
* (see comments in pkix_params.h)
*/
PKIX_Error *
PKIX_ProcessingParams_GetValidateTargetCert(
PKIX_ProcessingParams *params,
PKIX_Boolean *pQualifyTargetCert,
void *plContext)
{
PKIX_ENTER(PROCESSINGPARAMS,
"PKIX_ProcessingParams_GetValidateTargetCert");
PKIX_NULLCHECK_TWO(params, pQualifyTargetCert);
*pQualifyTargetCert = params->qualifyTargetCert;
PKIX_RETURN(PROCESSINGPARAMS);
}
/*
* FUNCTION: PKIX_ProcessingParams_SetQualifyTargetCert
* (see comments in pkix_params.h)
*/
PKIX_Error *
PKIX_ProcessingParams_SetQualifyTargetCert(
PKIX_ProcessingParams *params,
PKIX_Boolean qualifyTargetCert,
void *plContext)
{
PKIX_ENTER(PROCESSINGPARAMS,
"PKIX_ProcessingParams_SetQualifyTargetCert");
PKIX_NULLCHECK_ONE(params);
params->qualifyTargetCert = qualifyTargetCert;
PKIX_RETURN(PROCESSINGPARAMS);
}
/*
* FUNCTION: PKIX_ProcessingParams_SetTrustAnchors
* (see comments in pkix_params.h)

1
security/nss/lib/libpkix/pkix/params/pkix_procparams.h
Просмотреть файл

@ -68,6 +68,7 @@ struct PKIX_ProcessingParamsStruct {
PKIX_RevocationChecker *revChecker;
PKIX_ResourceLimits *resourceLimits;
PKIX_Boolean useAIAForCertFetching;
PKIX_Boolean qualifyTargetCert;
};
/* see source file for function documentation */

4
security/nss/lib/libpkix/pkix/store/pkix_store.c
Просмотреть файл

@ -299,6 +299,7 @@ PKIX_Error *
PKIX_CertStore_CertContinue(
PKIX_CertStore *store,
PKIX_CertSelector *selector,
PKIX_VerifyNode *verifyNode,
void **pNBIOContext,
PKIX_List **pCertList,
void *plContext)
@ -307,7 +308,8 @@ PKIX_CertStore_CertContinue(
PKIX_NULLCHECK_FOUR(store, selector, pNBIOContext, pCertList);
PKIX_CHECK(store->certContinue
(store, selector, pNBIOContext, pCertList, plContext),
(store, selector, verifyNode,
pNBIOContext, pCertList, plContext),
PKIX_CERTSTORECERTCONTINUEFUNCTIONFAILED);
cleanup:

47
security/nss/lib/libpkix/pkix/top/pkix_build.c
Просмотреть файл

@ -53,14 +53,14 @@ extern PRLogModuleInfo *pkixLog;
* checked. Those OIDs need to be removed from the unresolved critical
* extension OIDs list manually (instead of by checker automatically).
*/
static char *buildCheckedCritExtOIDs[] = {
static SECOidTag buildCheckedCritExtOIDs[] = {
PKIX_CERTKEYUSAGE_OID,
PKIX_CERTSUBJALTNAME_OID,
PKIX_BASICCONSTRAINTS_OID,
PKIX_NAMECONSTRAINTS_OID,
PKIX_EXTENDEDKEYUSAGE_OID,
PKIX_NSCERTTYPE_OID,
NULL
PKIX_UNKNOWN_OID
};
/* --Private-ForwardBuilderState-Functions---------------------------------- */
@ -1139,7 +1139,7 @@ pkix_Build_ValidationCheckers(
PKIX_CHECK(PKIX_List_Create(&buildCheckedCritExtOIDsList, plContext),
PKIX_LISTCREATEFAILED);
for (i = 0; buildCheckedCritExtOIDs[i] != NULL; i++) {
for (i = 0; buildCheckedCritExtOIDs[i] != PKIX_UNKNOWN_OID; i++) {
PKIX_CHECK(PKIX_PL_OID_Create
(buildCheckedCritExtOIDs[i], &oid, plContext),
PKIX_OIDCREATEFAILED);
@ -1557,7 +1557,6 @@ pkix_Build_SelectCertsFromTrustAnchors(
PKIX_List *matchList = NULL;
PKIX_CertSelector *certSel = NULL;
PKIX_CertSelector_MatchCallback selectorMatchCB = NULL;
PKIX_Boolean certMatch = PKIX_TRUE;
PKIX_ENTER(BUILD, "pkix_Build_SelectCertsFromTrustAnchors");
@ -1582,9 +1581,8 @@ pkix_Build_SelectCertsFromTrustAnchors(
(anchor, &trustedCert, plContext),
PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
pkixErrorResult =
(*selectorMatchCB)(certSel, trustedCert,
&certMatch, plContext);
if (!pkixErrorResult && certMatch) {
(*selectorMatchCB)(certSel, trustedCert, plContext);
if (!pkixErrorResult) {
if (!matchList) {
PKIX_CHECK(PKIX_List_Create(&matchList,
plContext),
@ -1796,6 +1794,7 @@ pkix_Build_GatherCerts(
PKIX_CHECK(getCerts
(certStore,
state->certSel,
state->verifyNode,
&nbioContext,
&certsFound,
plContext),
@ -1804,6 +1803,7 @@ pkix_Build_GatherCerts(
PKIX_CHECK(PKIX_CertStore_CertContinue
(certStore,
state->certSel,
state->verifyNode,
&nbioContext,
&certsFound,
plContext),
@ -3211,6 +3211,7 @@ pkix_Build_InitiateBuildChain(
PKIX_TrustAnchor *matchingAnchor = NULL;
PKIX_ForwardBuilderState *state = NULL;
PKIX_CertStore_CheckTrustCallback trustCallback = NULL;
PKIX_CertSelector_MatchCallback selectorCallback = NULL;
PKIX_PL_AIAMgr *aiaMgr = NULL;
PKIX_ENTER(BUILD, "pkix_Build_InitiateBuildChain");
@ -3235,10 +3236,9 @@ pkix_Build_InitiateBuildChain(
PKIX_LISTGETLENGTHFAILED);
/* retrieve stuff from targetCertConstraints */
PKIX_CHECK(PKIX_ProcessingParams_GetTargetCertConstraints
(procParams, &targetConstraints, plContext),
PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
(procParams, &targetConstraints, plContext),
PKIX_PROCESSINGPARAMSGETTARGETCERTCONSTRAINTSFAILED);
PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
(targetConstraints, &targetParams, plContext),
@ -3329,10 +3329,28 @@ pkix_Build_InitiateBuildChain(
(tentativeChain, (PKIX_PL_Object *)targetCert, plContext),
PKIX_LISTAPPENDITEMFAILED);
/* Failure here is reportable */
pkixErrorResult = PKIX_PL_Cert_CheckValidity
(targetCert, testDate, plContext);
if (pkixErrorResult) {
if (procParams->qualifyTargetCert) {
/* EE cert validation */
/* Sync up the time on the target selector parameter struct. */
PKIX_CHECK(
PKIX_ComCertSelParams_SetCertificateValid(targetParams,
testDate,
plContext),
PKIX_COMCERTSELPARAMSSETCERTIFICATEVALIDFAILED);
PKIX_CHECK(
PKIX_ComCertSelParams_SetLeafCertFlag(targetParams,
PKIX_TRUE, plContext),
PKIX_COMCERTSELPARAMSSETLEAFCERTFLAGFAILED);
PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
(targetConstraints, &selectorCallback, plContext),
PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
pkixErrorResult =
(*selectorCallback)(targetConstraints, targetCert,
plContext);
if (pkixErrorResult) {
pkixErrorClass = pkixErrorResult->errClass;
if (pkixErrorClass == PKIX_FATAL_ERROR) {
goto cleanup;
@ -3353,6 +3371,7 @@ pkix_Build_InitiateBuildChain(
}
pkixErrorCode = PKIX_CERTCHECKVALIDITYFAILED;
goto cleanup;
}
}
PKIX_CHECK(PKIX_ProcessingParams_GetCertStores

17
security/nss/lib/libpkix/pkix/util/pkix_tools.c
Просмотреть файл

@ -968,10 +968,10 @@ pkix_CacheCert_Lookup(
PKIX_PL_Date *cacheValidUntilDate = NULL;
PKIX_CertSelector *certSel = NULL;
PKIX_Error *cachedCertError = NULL;
PKIX_Error *selectorError = NULL;
PKIX_CertSelector_MatchCallback selectorMatch = NULL;
PKIX_Int32 cmpValidTimeResult = PKIX_FALSE;
PKIX_Int32 cmpCacheTimeResult = 0;
PKIX_Boolean certMatch = PKIX_FALSE;
PKIX_UInt32 numItems = 0;
PKIX_UInt32 i;
@ -1095,22 +1095,16 @@ pkix_CacheCert_Lookup(
goto cleanup;
}
PKIX_CHECK(selectorMatch
(certSel,
cert,
&certMatch,
plContext),
PKIX_SELECTORMATCHFAILED);
if (certMatch){
selectorError = selectorMatch(certSel, cert, plContext);
if (!selectorError){
/* put on the return list */
PKIX_CHECK(PKIX_List_AppendItem
(selCertList,
(PKIX_PL_Object *)cert,
plContext),
PKIX_LISTAPPENDITEMFAILED);
*pFound = PKIX_TRUE;
} else {
PKIX_DECREF(selectorError);
}
PKIX_DECREF(cert);
@ -1149,6 +1143,7 @@ cleanup:
PKIX_DECREF(selCertList);
PKIX_DECREF(invalidAfterDate);
PKIX_DECREF(cachedCertError);
PKIX_DECREF(selectorError);
PKIX_RETURN(BUILD);
}

8
security/nss/lib/libpkix/pkix/util/pkix_tools.h
Просмотреть файл

@ -659,12 +659,16 @@ extern PLHashNumber PR_CALLBACK pkix_ErrorGen_Hash (const void *key);
* This needs to be replaced with Loggers.
*/
#ifdef DEBUG
#define PKIX_DEBUG(expr) \
do { \
_PKIX_DEBUG_TRACE(pkixLoggersErrors, expr, PKIX_LOGGER_LEVEL_DEBUG); \
(void) printf("(%s: ", myFuncName); \
(void) printf(expr); \
(void) fprintf(stderr, "(%s: ", myFuncName); \
(void) fprintf(stderr, expr); \
} while (0)
#else
#define PKIX_DEBUG(expr)
#endif
/* Logging doesn't support DEBUG with ARG: cannot convert control and arg */
#define PKIX_DEBUG_ARG(expr, arg) \

6
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c
Просмотреть файл

@ -910,7 +910,6 @@ pkix_pl_CollectionCertStoreContext_GetSelectedCert(
PKIX_List *selectCertList = NULL;
PKIX_PL_Cert *certItem = NULL;
PKIX_CertSelector_MatchCallback certSelectorMatch = NULL;
PKIX_Boolean pass = PKIX_TRUE;
PKIX_UInt32 numCerts = 0;
PKIX_UInt32 i = 0;
@ -942,10 +941,10 @@ pkix_pl_CollectionCertStoreContext_GetSelectedCert(
if (!PKIX_ERROR_RECEIVED){
PKIX_CHECK_ONLY_FATAL
(certSelectorMatch
(selector, certItem, &pass, plContext),
(selector, certItem, plContext),
PKIX_CERTSELECTORMATCHFAILED);
if (!PKIX_ERROR_RECEIVED && pass){
if (!PKIX_ERROR_RECEIVED){
PKIX_CHECK_ONLY_FATAL
(PKIX_List_AppendItem
(selectCertList,
@ -1098,6 +1097,7 @@ PKIX_Error *
pkix_pl_CollectionCertStore_GetCert(
PKIX_CertStore *certStore,
PKIX_CertSelector *selector,
PKIX_VerifyNode *verifyNode,
void **pNBIOContext,
PKIX_List **pCerts,
void *plContext)

2
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
Просмотреть файл

@ -590,6 +590,7 @@ PKIX_Error *
pkix_pl_HttpCertStore_GetCert(
PKIX_CertStore *store,
PKIX_CertSelector *selector,
PKIX_VerifyNode *verifyNode,
void **pNBIOContext,
PKIX_List **pCertList,
void *plContext)
@ -668,6 +669,7 @@ PKIX_Error *
pkix_pl_HttpCertStore_GetCertContinue(
PKIX_CertStore *store,
PKIX_CertSelector *selector,
PKIX_VerifyNode *verifyNode,
void **pNBIOContext,
PKIX_List **pCertList,
void *plContext)

9
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
Просмотреть файл

@ -1423,15 +1423,15 @@ pkix_pl_HttpDefaultClient_TrySendAndReceive(
/* PR_smprintf_free original header buffer */
PR_smprintf_free(sendbuf);
sendbuf = NULL;
} else if (client->send_http_method == HTTP_GET_METHOD) {
sendbuf = PR_smprintf
client->GETBuf = PR_smprintf
("GET %s HTTP/1.1\r\nHost: %s:%d\r\n\r\n",
client->path,
client->host,
client->portnum);
client->GETBuf = sendbuf;
client->GETLen = PORT_Strlen(sendbuf);
client->GETLen = PORT_Strlen(client->GETBuf);
}
}
@ -1497,6 +1497,9 @@ pkix_pl_HttpDefaultClient_TrySendAndReceive(
}
cleanup:
if (sendbuf) {
PR_smprintf_free(sendbuf);
}
PKIX_RETURN(HTTPDEFAULTCLIENT);

2
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c
Просмотреть файл

@ -568,6 +568,7 @@ PKIX_Error *
pkix_pl_LdapCertStore_GetCert(
PKIX_CertStore *store,
PKIX_CertSelector *selector,
PKIX_VerifyNode *verifyNode,
void **pNBIOContext,
PKIX_List **pCertList,
void *plContext)
@ -737,6 +738,7 @@ PKIX_Error *
pkix_pl_LdapCertStore_GetCertContinue(
PKIX_CertStore *store,
PKIX_CertSelector *selector,
PKIX_VerifyNode *verifyNode,
void **pNBIOContext,
PKIX_List **pCertList,
void *plContext)

34
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
Просмотреть файл

@ -680,6 +680,7 @@ PKIX_Error *
pkix_pl_Pk11CertStore_GetCert(
PKIX_CertStore *store,
PKIX_CertSelector *selector,
PKIX_VerifyNode *parentVerifyNode,
void **pNBIOContext,
PKIX_List **pCertList,
void *plContext)
@ -689,11 +690,12 @@ pkix_pl_Pk11CertStore_GetCert(
PKIX_PL_Cert *candidate = NULL;
PKIX_List *selected = NULL;
PKIX_List *filtered = NULL;
PKIX_CertSelector_MatchCallback callback = NULL;
PKIX_CertSelector_MatchCallback selectorCallback = NULL;
PKIX_CertStore_CheckTrustCallback trustCallback = NULL;
PKIX_ComCertSelParams *params = NULL;
PKIX_Boolean pass = PKIX_TRUE;
PKIX_Boolean cacheFlag = PKIX_FALSE;
PKIX_VerifyNode *verifyNode = NULL;
PKIX_Error *selectorError = NULL;
PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_GetCert");
PKIX_NULLCHECK_FOUR(store, selector, pNBIOContext, pCertList);
@ -701,7 +703,7 @@ pkix_pl_Pk11CertStore_GetCert(
*pNBIOContext = NULL; /* We don't use non-blocking I/O */
PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
(selector, &callback, plContext),
(selector, &selectorCallback, plContext),
PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
PKIX_CHECK(PKIX_CertSelector_GetCommonCertSelectorParams
@ -740,12 +742,9 @@ pkix_pl_Pk11CertStore_GetCert(
continue; /* just skip bad certs */
}
PKIX_CHECK_ONLY_FATAL(callback
(selector, candidate, &pass, plContext),
PKIX_CERTSELECTORFAILED);
if (!(PKIX_ERROR_RECEIVED) && pass) {
selectorError =
selectorCallback(selector, candidate, plContext);
if (!selectorError) {
PKIX_CHECK(PKIX_PL_Cert_SetCacheFlag
(candidate, cacheFlag, plContext),
PKIX_CERTSETCACHEFLAGFAILED);
@ -761,8 +760,19 @@ pkix_pl_Pk11CertStore_GetCert(
(PKIX_PL_Object *)candidate,
plContext),
PKIX_LISTAPPENDITEMFAILED);
} else if (parentVerifyNode) {
PKIX_CHECK_FATAL(
pkix_VerifyNode_Create(candidate, 0, selectorError,
&verifyNode, plContext),
PKIX_VERIFYNODECREATEFAILED);
PKIX_CHECK_FATAL(
pkix_VerifyNode_AddToTree(parentVerifyNode,
verifyNode,
plContext),
PKIX_VERIFYNODEADDTOTREEFAILED);
PKIX_DECREF(verifyNode);
}
PKIX_DECREF(selectorError);
PKIX_DECREF(candidate);
}
@ -773,11 +783,13 @@ pkix_pl_Pk11CertStore_GetCert(
filtered = NULL;
cleanup:
fatal:
PKIX_DECREF(filtered);
PKIX_DECREF(candidate);
PKIX_DECREF(selected);
PKIX_DECREF(params);
PKIX_DECREF(verifyNode);
PKIX_DECREF(selectorError);
PKIX_RETURN(CERTSTORE);
}

118
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
Просмотреть файл

@ -146,14 +146,10 @@ pkix_pl_Cert_DecodePolicyInfo(
/* Allocated in the arena; freed in CERT_Destroy... */
CERTCertificatePolicies *certPol = NULL;
CERTPolicyInfo **policyInfos = NULL;
CERTPolicyInfo *policyInfo = NULL;
CERTPolicyQualifier **policyQualifiers = NULL;
CERTPolicyQualifier *policyQualifier = NULL;
/* Holder for the return value */
PKIX_List *infos = NULL;
char *oidAscii = NULL;
PKIX_PL_OID *pkixOID = NULL;
PKIX_List *qualifiers = NULL;
PKIX_PL_CertPolicyInfo *certPolicyInfo = NULL;
@ -204,26 +200,22 @@ pkix_pl_Cert_DecodePolicyInfo(
* building each PKIX_PL_CertPolicyInfo object in turn
*/
while (*policyInfos != NULL) {
policyInfo = *policyInfos;
policyQualifiers = policyInfo->policyQualifiers;
CERTPolicyInfo *policyInfo = *policyInfos;
CERTPolicyQualifier **policyQualifiers =
policyInfo->policyQualifiers;
if (policyQualifiers) {
/* create a PKIX_List of PKIX_PL_CertPolicyQualifiers */
PKIX_CHECK(PKIX_List_Create(&qualifiers, plContext),
PKIX_LISTCREATEFAILED);
while (*policyQualifiers != NULL) {
policyQualifier = *policyQualifiers;
CERTPolicyQualifier *policyQualifier =
*policyQualifiers;
/* create the qualifier's OID object */
PKIX_CHECK(pkix_pl_oidBytes2Ascii
(&(policyQualifier->qualifierID),
&oidAscii,
plContext),
PKIX_OIDBYTES2ASCIIFAILED);
PKIX_CHECK(PKIX_PL_OID_Create
(oidAscii, &pkixOID, plContext),
PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
(&policyQualifier->qualifierID,
&pkixOID, plContext),
PKIX_OIDCREATEFAILED);
/* create qualifier's ByteArray object */
@ -250,7 +242,6 @@ pkix_pl_Cert_DecodePolicyInfo(
plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_FREE(oidAscii);
PKIX_DECREF(pkixOID);
PKIX_DECREF(qualifierArray);
PKIX_DECREF(certPolicyQualifier);
@ -269,13 +260,8 @@ pkix_pl_Cert_DecodePolicyInfo(
* (The CERTPolicyInfo structure has an oid field, but it
* is of type SECOidTag. This function wants a SECItem.)
*/
PKIX_CHECK(pkix_pl_oidBytes2Ascii
(&(policyInfo->policyID), &oidAscii, plContext),
PKIX_OIDBYTES2ASCIIFAILED);
PKIX_CHECK(PKIX_PL_OID_Create
(oidAscii, &pkixOID, plContext),
PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
(&policyInfo->policyID, &pkixOID, plContext),
PKIX_OIDCREATEFAILED);
/* Create a CertPolicyInfo object */
@ -288,7 +274,6 @@ pkix_pl_Cert_DecodePolicyInfo(
(infos, (PKIX_PL_Object *)certPolicyInfo, plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_FREE(oidAscii);
PKIX_DECREF(pkixOID);
PKIX_DECREF(qualifiers);
PKIX_DECREF(certPolicyInfo);
@ -313,7 +298,6 @@ cleanup:
CERT_DestroyCertificatePoliciesExtension(certPol);
}
PKIX_FREE(oidAscii);
PKIX_DECREF(infos);
PKIX_DECREF(pkixOID);
PKIX_DECREF(qualifiers);
@ -362,13 +346,10 @@ pkix_pl_Cert_DecodePolicyMapping(
/* Allocated in the arena; freed in CERT_Destroy... */
CERTCertificatePolicyMappings *certPolMaps = NULL;
CERTPolicyMap **policyMaps = NULL;
CERTPolicyMap *policyMap = NULL;
/* Holder for the return value */
PKIX_List *maps = NULL;
char *issuerPolicyOIDAscii = NULL;
char *subjectPolicyOIDAscii = NULL;
PKIX_PL_OID *issuerDomainOID = NULL;
PKIX_PL_OID *subjectDomainOID = NULL;
PKIX_PL_CertPolicyMap *certPolicyMap = NULL;
@ -408,30 +389,18 @@ pkix_pl_Cert_DecodePolicyMapping(
* building each CertPolicyMap object in turn
*/
do {
policyMap = *policyMaps;
CERTPolicyMap *policyMap = *policyMaps;
/* create the OID for the issuer Domain Policy */
PKIX_CHECK(pkix_pl_oidBytes2Ascii
(&(policyMap->issuerDomainPolicy),
&issuerPolicyOIDAscii,
plContext),
PKIX_OIDBYTES2ASCIIFAILED);
PKIX_CHECK(PKIX_PL_OID_Create
(issuerPolicyOIDAscii, &issuerDomainOID, plContext),
PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
(&policyMap->issuerDomainPolicy,
&issuerDomainOID, plContext),
PKIX_OIDCREATEFAILED);
/* create the OID for the subject Domain Policy */
PKIX_CHECK(pkix_pl_oidBytes2Ascii
(&(policyMap->subjectDomainPolicy),
&subjectPolicyOIDAscii,
plContext),
PKIX_OIDBYTES2ASCIIFAILED);
PKIX_CHECK(PKIX_PL_OID_Create
(subjectPolicyOIDAscii, &subjectDomainOID, plContext),
PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
(&policyMap->subjectDomainPolicy,
&subjectDomainOID, plContext),
PKIX_OIDCREATEFAILED);
/* create the CertPolicyMap */
@ -447,8 +416,6 @@ pkix_pl_Cert_DecodePolicyMapping(
(maps, (PKIX_PL_Object *)certPolicyMap, plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_FREE(issuerPolicyOIDAscii);
PKIX_FREE(subjectPolicyOIDAscii);
PKIX_DECREF(issuerDomainOID);
PKIX_DECREF(subjectDomainOID);
PKIX_DECREF(certPolicyMap);
@ -469,8 +436,6 @@ cleanup:
CERT_DestroyPolicyMappingsExtension(certPolMaps);
}
PKIX_FREE(issuerPolicyOIDAscii);
PKIX_FREE(subjectPolicyOIDAscii);
PKIX_DECREF(maps);
PKIX_DECREF(issuerDomainOID);
PKIX_DECREF(subjectDomainOID);
@ -2052,43 +2017,32 @@ PKIX_PL_Cert_GetSubjectPublicKeyAlgId(
PKIX_PL_OID **pSubjKeyAlgId,
void *plContext)
{
CERTCertificate *nssCert = NULL;
PKIX_PL_OID *pubKeyAlgId = NULL;
SECAlgorithmID algorithm;
SECItem algBytes;
char *asciiOID = NULL;
PKIX_ENTER(CERT, "PKIX_PL_Cert_GetSubjectPublicKeyAlgId");
PKIX_NULLCHECK_THREE(cert, cert->nssCert, pSubjKeyAlgId);
/* if we don't have a cached copy from before, we create one */
if (cert->publicKeyAlgId == NULL){
PKIX_OBJECT_LOCK(cert);
if (cert->publicKeyAlgId == NULL){
CERTCertificate *nssCert = cert->nssCert;
SECAlgorithmID *algorithm;
SECItem *algBytes;
nssCert = cert->nssCert;
algorithm = nssCert->subjectPublicKeyInfo.algorithm;
algBytes = algorithm.algorithm;
PKIX_NULLCHECK_ONE(algBytes.data);
if (algBytes.len == 0) {
PKIX_ERROR_FATAL(PKIX_ALGORITHMBYTESLENGTH0);
algorithm = &nssCert->subjectPublicKeyInfo.algorithm;
algBytes = &algorithm->algorithm;
if (!algBytes->data || !algBytes->len) {
PKIX_ERROR_FATAL(PKIX_ALGORITHMBYTESLENGTH0);
}
PKIX_CHECK(pkix_pl_oidBytes2Ascii
(&algBytes, &asciiOID, plContext),
PKIX_OIDBYTES2ASCIIFAILED);
PKIX_CHECK(PKIX_PL_OID_Create
(asciiOID, &pubKeyAlgId, plContext),
PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
(algBytes, &pubKeyAlgId, plContext),
PKIX_OIDCREATEFAILED);
/* save a cached copy in case it is asked for again */
cert->publicKeyAlgId = pubKeyAlgId;
pubKeyAlgId = NULL;
}
PKIX_OBJECT_UNLOCK(cert);
}
@ -2096,7 +2050,7 @@ PKIX_PL_Cert_GetSubjectPublicKeyAlgId(
*pSubjKeyAlgId = cert->publicKeyAlgId;
cleanup:
PKIX_FREE(asciiOID);
PKIX_DECREF(pubKeyAlgId);
PKIX_RETURN(CERT);
}
@ -2413,9 +2367,7 @@ PKIX_PL_Cert_GetExtendedKeyUsage(
CERTCertificate *nssCert = NULL;
PKIX_PL_OID *pkixOID = NULL;
PKIX_List *oidsList = NULL;
char *oidAscii = NULL;
SECItem **oids = NULL;
SECItem *oid = NULL;
SECItem encodedExtKeyUsage;
SECStatus rv;
@ -2462,14 +2414,10 @@ PKIX_PL_Cert_GetExtendedKeyUsage(
PKIX_LISTCREATEFAILED);
while (*oids){
oid = *oids++;
SECItem *oid = *oids++;
PKIX_CHECK(pkix_pl_oidBytes2Ascii
(oid, &oidAscii, plContext),
PKIX_OIDBYTES2ASCIIFAILED);
PKIX_CHECK(PKIX_PL_OID_Create
(oidAscii, &pkixOID, plContext),
PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
(oid, &pkixOID, plContext),
PKIX_OIDCREATEFAILED);
PKIX_CHECK(PKIX_List_AppendItem
@ -2477,9 +2425,6 @@ PKIX_PL_Cert_GetExtendedKeyUsage(
(PKIX_PL_Object *)pkixOID,
plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_FREE(oidAscii);
PKIX_DECREF(pkixOID);
}
@ -2501,7 +2446,6 @@ PKIX_PL_Cert_GetExtendedKeyUsage(
cleanup:
PKIX_OBJECT_UNLOCK(lockedObject);
PKIX_FREE(oidAscii);
PKIX_DECREF(pkixOID);
PKIX_DECREF(oidsList);
CERT_DestroyOidSequence(extKeyUsage);

53
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c
Просмотреть файл

@ -207,54 +207,36 @@ pkix_pl_CRL_GetSignatureAlgId(
PKIX_PL_OID **pSignatureAlgId,
void *plContext)
{
CERTCrl *nssCrl = NULL;
PKIX_PL_OID *signatureAlgId = NULL;
SECAlgorithmID algorithm;
SECItem algBytes;
char *asciiOID = NULL;
PKIX_ENTER(CRL, "pkix_pl_CRL_GetSignatureAlgId");
PKIX_NULLCHECK_THREE(crl, crl->nssSignedCrl, pSignatureAlgId);
/* if we don't have a cached copy from before, we create one */
if (crl->signatureAlgId == NULL){
PKIX_OBJECT_LOCK(crl);
if (crl->signatureAlgId == NULL){
CERTCrl *nssCrl = &(crl->nssSignedCrl->crl);
SECAlgorithmID *algorithm = &nssCrl->signatureAlg;
SECItem *algBytes = &algorithm->algorithm;
nssCrl = &(crl->nssSignedCrl->crl);
algorithm = nssCrl->signatureAlg;
algBytes = algorithm.algorithm;
PKIX_NULLCHECK_ONE(algBytes.data);
if (algBytes.len == 0) {
PKIX_ERROR_FATAL(PKIX_OIDBYTESLENGTH0);
}
PKIX_CHECK(pkix_pl_oidBytes2Ascii
(&algBytes, &asciiOID, plContext),
PKIX_OIDBYTES2ASCIIFAILED);
PKIX_CHECK(PKIX_PL_OID_Create
(asciiOID, &signatureAlgId, plContext),
PKIX_OIDCREATEFAILED);
/* save a cached copy in case it is asked for again */
crl->signatureAlgId = signatureAlgId;
if (!algBytes->data || !algBytes->len) {
PKIX_ERROR(PKIX_OIDBYTESLENGTH0);
}
PKIX_CHECK(PKIX_PL_OID_CreateBySECItem
(algBytes, &signatureAlgId, plContext),
PKIX_OIDCREATEFAILED);
/* save a cached copy in case it is asked for again */
crl->signatureAlgId = signatureAlgId;
signatureAlgId = NULL;
}
PKIX_OBJECT_UNLOCK(crl);
}
PKIX_INCREF(crl->signatureAlgId);
*pSignatureAlgId = crl->signatureAlgId;
cleanup:
PKIX_FREE(asciiOID);
PKIX_DECREF(signatureAlgId);
PKIX_RETURN(CRL);
}
@ -720,12 +702,7 @@ PKIX_PL_CRL_VerifyUpdateTime(
PKIX_NULLCHECK_FOUR(crl, crl->nssSignedCrl, date, pResult);
nssCrl = &(crl->nssSignedCrl->crl);
PKIX_CRL_DEBUG("\t\tCalling DER_DecodeTimeChoice on date\n");
status = DER_DecodeTimeChoice(&timeToCheck, &(date->nssTime));
if (status != SECSuccess) {
PKIX_ERROR(PKIX_DERDECODETIMECHOICEFAILED);
}
timeToCheck = date->nssTime;
/* nextUpdate can be NULL. Checking before using it */
nextUpdateDer = &nssCrl->nextUpdate;

44
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_generalname.c
Просмотреть файл

@ -241,9 +241,6 @@ pkix_pl_GeneralName_Create(
OtherName *otherName = NULL;
CERTGeneralNameList *nssGenNameList = NULL;
CERTGeneralNameType nameType;
SECItem *secItem = NULL;
char *asciiName = NULL;
SECStatus rv;
PKIX_ENTER(GENERALNAME, "pkix_pl_GeneralName_Create");
PKIX_NULLCHECK_TWO(nssAltName, pGenName);
@ -308,12 +305,8 @@ pkix_pl_GeneralName_Create(
genName->directoryName = pkixDN;
break;
case certRegisterID:
PKIX_CHECK(pkix_pl_oidBytes2Ascii
(&nssAltName->name.other, &asciiName, plContext),
PKIX_OIDBYTES2ASCIIFAILED);
PKIX_CHECK(PKIX_PL_OID_Create(asciiName, &pkixOID, plContext),
PKIX_CHECK(PKIX_PL_OID_CreateBySECItem(&nssAltName->name.other,
&pkixOID, plContext),
PKIX_OIDCREATEFAILED);
genName->oid = pkixOID;
@ -324,39 +317,20 @@ pkix_pl_GeneralName_Create(
case certRFC822Name:
case certX400Address:
case certURI:
PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_AllocItem).\n");
secItem = SECITEM_AllocItem(NULL, NULL, 0);
if (secItem == NULL){
PKIX_ERROR(PKIX_OUTOFMEMORY);
}
PKIX_GENERALNAME_DEBUG("\t\tCalling SECITEM_CopyItem).\n");
rv = SECITEM_CopyItem(NULL, secItem, &nssAltName->name.other);
if (rv != SECSuccess) {
PKIX_ERROR(PKIX_OUTOFMEMORY);
}
genName->other = secItem;
genName->other = SECITEM_DupItem(&nssAltName->name.other);
if (!genName->other) {
PKIX_ERROR(PKIX_OUTOFMEMORY);
}
break;
default:
PKIX_ERROR(PKIX_NAMETYPENOTSUPPORTED);
}
*pGenName = genName;
genName = NULL;
cleanup:
PKIX_FREE(asciiName);
if (PKIX_ERROR_RECEIVED){
PKIX_DECREF(genName);
if (secItem){
PKIX_GENERALNAME_DEBUG
("\t\tCalling SECITEM_FreeItem).\n");
SECITEM_FreeItem(secItem, PR_TRUE);
secItem = NULL;
}
}
PKIX_DECREF(genName);
PKIX_RETURN(GENERALNAME);
}

45
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
Просмотреть файл

@ -43,16 +43,6 @@
#include "pkix_pl_infoaccess.h"
/* XXX Following SEC_OID_PKIX defines should be merged in NSS */
#define SEC_OID_PKIX_CA_REPOSITORY 1003
#define SEC_OID_PKIX_TIMESTAMPING 1005
/* XXX Following OID defines hould be moved to NSS */
static const unsigned char siaTimeStampingOID[] = {0x2b, 0x06, 0x01, 0x05,
0x05, 0x07, 0x030, 0x03};
static const unsigned char siaCaRepositoryOID[] = {0x2b, 0x06, 0x01, 0x05,
0x05, 0x07, 0x030, 0x05};
/* --Private-InfoAccess-Functions----------------------------------*/
/*
@ -415,37 +405,6 @@ pkix_pl_InfoAccess_CreateList(
PKIX_CERT_DEBUG("\t\tCalling SECOID_FindOIDTag).\n");
method = SECOID_FindOIDTag(&nssInfoAccess[i]->method);
if (method == 0) {
/* XXX
* This part of code is definitely hacking, need NSS decode
* support. We can reuse the CERT_DecodeAuthInfoAccessExtension
* since SIA and AIA are all the same type. However NSS need
* to add SIA, CaRepository, TimeStamping OID definitions and
* the numerical method, timeStamping and caRepository values.
*
* We assume now, since method is 0, implies the method for SIA
* was not decoded by CERT_DecodeAuthInfoAccessExtension()
* so we compare and put value in. This part should be taken
* out eventually if CERT_DecodeInfoAccessExtension (*renamed*)
* is doing the job.
*/
PKIX_CERT_DEBUG("\t\tCalling PORT_Strncmp).\n");
if (PORT_Strncmp
((char *)nssInfoAccess[i]->method.data,
(char *)siaTimeStampingOID,
nssInfoAccess[i]->method.len) == 0) {
method = SEC_OID_PKIX_TIMESTAMPING;
} else if (PORT_Strncmp
((char *)nssInfoAccess[i]->method.data,
(char *)siaCaRepositoryOID,
nssInfoAccess[i]->method.len) == 0) {
method = SEC_OID_PKIX_CA_REPOSITORY;
}
}
/* Map NSS access method value into PKIX constant */
switch(method) {
case SEC_OID_PKIX_CA_ISSUERS:
@ -461,7 +420,7 @@ pkix_pl_InfoAccess_CreateList(
method = PKIX_INFOACCESS_CA_REPOSITORY;
break;
default:
break;
PKIX_ERROR(PKIX_UNKNOWNINFOACCESSMETHOD);
}
PKIX_CHECK(pkix_pl_InfoAccess_Create
@ -650,7 +609,7 @@ pkix_pl_InfoAccess_ParseTokens(
*/
if (numFilters > 2) numFilters = 2;
filterP = PORT_ArenaZNewArray(arena, void*, numFilters+1);
filterP = PORT_ArenaZNewArray(arena, char*, numFilters+1);
if (filterP == NULL) {
PKIX_ERROR(PKIX_PORTARENAALLOCFAILED);
}

26
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
Просмотреть файл

@ -502,7 +502,9 @@ pkix_pl_OcspResponse_Create(
ocspResponse->request = request;
ocspResponse->httpClient = httpClient;
ocspResponse->serverSession = serverSession;
serverSession = NULL;
ocspResponse->sessionRequest = sessionRequest;
sessionRequest = NULL;
ocspResponse->verifyFcn = verifyFcn;
ocspResponse->handle = CERT_GetDefaultCertDB();
ocspResponse->encodedResponse = NULL;
@ -522,10 +524,10 @@ pkix_pl_OcspResponse_Create(
hcv1 = &(httpClient->fcnTable.ftable1);
rv = (*hcv1->trySendAndReceiveFcn)(sessionRequest,
rv = (*hcv1->trySendAndReceiveFcn)(ocspResponse->sessionRequest,
(PRPollDesc **)&nbioContext,
&responseCode,
&responseContentType,
(const char **)&responseContentType,
NULL, /* responseHeaders */
(const char **)&responseData,
&responseDataLen);
@ -560,26 +562,24 @@ pkix_pl_OcspResponse_Create(
responseData, responseDataLen);
}
*pResponse = ocspResponse;
ocspResponse = NULL;
cleanup:
if (path != NULL) {
PORT_Free(path);
}
if (hostname != NULL) {
PORT_Free(hostname);
}
if (PKIX_ERROR_RECEIVED){
if (ocspResponse) {
PKIX_DECREF(ocspResponse);
} else {
if (serverSession)
hcv1->freeSessionFcn(serverSession);
if (sessionRequest)
hcv1->freeFcn(sessionRequest);
}
if (ocspResponse) {
PKIX_DECREF(ocspResponse);
}
if (serverSession) {
hcv1->freeSessionFcn(serverSession);
}
if (sessionRequest) {
hcv1->freeFcn(sessionRequest);
}
PKIX_RETURN(OCSPRESPONSE);

375
security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
Просмотреть файл

@ -45,7 +45,7 @@
/* --Private-OID-Functions---------------------------------------- */
/*
/*
* FUNCTION: pkix_pl_OID_Comparator
* (see comments for PKIX_PL_ComparatorCallback in pkix_pl_system.h)
*/
@ -53,15 +53,14 @@ static PKIX_Error *
pkix_pl_OID_Comparator(
PKIX_PL_Object *firstObject,
PKIX_PL_Object *secondObject,
PKIX_Int32 *pResult,
PKIX_Int32 *pRes,
void *plContext)
{
PKIX_PL_OID *firstOID = NULL;
PKIX_PL_OID *secondOID = NULL;
PKIX_UInt32 minLength;
PKIX_ENTER(OID, "pkix_pl_OID_Comparator");
PKIX_NULLCHECK_THREE(firstObject, secondObject, pResult);
PKIX_NULLCHECK_THREE(firstObject, secondObject, pRes);
PKIX_CHECK(pkix_CheckTypes
(firstObject, secondObject, PKIX_OID_TYPE, plContext),
@ -70,19 +69,8 @@ pkix_pl_OID_Comparator(
firstOID = (PKIX_PL_OID*)firstObject;
secondOID = (PKIX_PL_OID*)secondObject;
*pResult = 0;
minLength = (firstOID->length < secondOID->length)?
firstOID->length:
secondOID->length;
/* Check if both array contents are identical */
PKIX_OID_DEBUG("\tCalling PORT_Memcmp).\n");
*pResult = PORT_Memcmp
(firstOID->components,
secondOID->components,
minLength * sizeof (PKIX_UInt32));
*pRes = (PKIX_Int32)SECITEM_CompareItem(&firstOID->derOid,
&secondOID->derOid);
cleanup:
PKIX_RETURN(OID);
}
@ -103,14 +91,10 @@ pkix_pl_OID_Destroy(
PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext),
PKIX_OBJECTNOTANOID);
oid = (PKIX_PL_OID*)object;
PKIX_FREE(oid->components);
oid->length = 0;
SECITEM_FreeItem(&oid->derOid, PR_FALSE);
cleanup:
PKIX_RETURN(OID);
}
@ -124,7 +108,7 @@ pkix_pl_OID_Hashcode(
PKIX_UInt32 *pHashcode,
void *plContext)
{
PKIX_PL_OID *pkixOID = NULL;
PKIX_PL_OID *oid = NULL;
PKIX_ENTER(OID, "pkix_pl_OID_HashCode");
PKIX_NULLCHECK_TWO(object, pHashcode);
@ -132,11 +116,11 @@ pkix_pl_OID_Hashcode(
PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext),
PKIX_OBJECTNOTANOID);
pkixOID = (PKIX_PL_OID *)object;
oid = (PKIX_PL_OID *)object;
PKIX_CHECK(pkix_hash
((unsigned char *)pkixOID->components,
pkixOID->length * sizeof (PKIX_UInt32),
((unsigned char *)oid->derOid.data,
oid->derOid.len * sizeof (char),
pHashcode,
plContext),
PKIX_HASHFAILED);
@ -157,7 +141,7 @@ pkix_pl_OID_Equals(
void *plContext)
{
PKIX_UInt32 secondType;
PKIX_Int32 cmpResult;
SECComparison cmpResult;
PKIX_ENTER(OID, "pkix_pl_OID_Equals");
PKIX_NULLCHECK_THREE(first, second, pResult);
@ -174,9 +158,7 @@ pkix_pl_OID_Equals(
* Do a quick check that the second object is an OID.
* If so, check that their lengths are equal.
*/
if ((secondType != PKIX_OID_TYPE)||
(((PKIX_PL_OID*)first)->length !=
((PKIX_PL_OID*)second)->length)) {
if (secondType != PKIX_OID_TYPE) {
goto cleanup;
}
@ -184,8 +166,7 @@ pkix_pl_OID_Equals(
(first, second, &cmpResult, plContext),
PKIX_OIDCOMPARATORFAILED);
*pResult = (cmpResult == 0);
*pResult = (cmpResult == SECEqual);
cleanup:
PKIX_RETURN(OID);
@ -194,6 +175,8 @@ cleanup:
/*
* FUNCTION: pkix_pl_OID_ToString
* (see comments for PKIX_PL_ToStringCallback in pkix_pl_system.h)
* Use this function only for printing OIDs and not to make any
* critical security decision.
*/
static PKIX_Error *
pkix_pl_OID_ToString(
@ -201,31 +184,23 @@ pkix_pl_OID_ToString(
PKIX_PL_String **pString,
void *plContext)
{
PKIX_UInt32 *components = NULL;
PKIX_UInt32 length;
char *ascii = NULL;
PKIX_PL_OID *oid = NULL;
char *oidString = NULL;
PKIX_ENTER(OID, "pkix_pl_OID_toString");
PKIX_NULLCHECK_TWO(object, pString);
PKIX_CHECK(pkix_CheckType(object, PKIX_OID_TYPE, plContext),
PKIX_OBJECTNOTANOID);
components = ((PKIX_PL_OID*)object)->components;
length = ((PKIX_PL_OID*)object)->length;
PKIX_CHECK(pkix_pl_helperBytes2Ascii
(components, length, &ascii, plContext),
PKIX_HELPERBYTES2ASCIIFAILED);
oid = (PKIX_PL_OID*)object;
oidString = CERT_GetOidString(&oid->derOid);
PKIX_CHECK(PKIX_PL_String_Create
(PKIX_ESCASCII, ascii, 0, pString, plContext),
(PKIX_ESCASCII, oidString , 0, pString, plContext),
PKIX_STRINGCREATEFAILED);
cleanup:
PKIX_FREE(ascii);
PR_smprintf_free(oidString);
PKIX_RETURN(OID);
}
@ -244,88 +219,19 @@ PKIX_Error *
pkix_pl_OID_RegisterSelf(
void *plContext)
{
extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
pkix_ClassTable_Entry entry;
pkix_ClassTable_Entry *entry = &systemClasses[PKIX_OID_TYPE];
PKIX_ENTER(OID, "pkix_pl_OID_RegisterSelf");
entry.description = "OID";
entry.objCounter = 0;
entry.typeObjectSize = sizeof(PKIX_PL_OID);
entry.destructor = pkix_pl_OID_Destroy;
entry.equalsFunction = pkix_pl_OID_Equals;
entry.hashcodeFunction = pkix_pl_OID_Hashcode;
entry.toStringFunction = pkix_pl_OID_ToString;
entry.comparator = pkix_pl_OID_Comparator;
entry.duplicateFunction = pkix_duplicateImmutable;
systemClasses[PKIX_OID_TYPE] = entry;
PKIX_RETURN(OID);
}
/*
* FUNCTION: pkix_pl_OID_GetNextToken
* DESCRIPTION:
*
* This function is essentially a thread safe version of strtok, except
* that we always use '.' (dot) for the token separator.
*
* Searches for tokens in the string pointed to by "input", using '.' (dot)
* as the token separator. If "input" contains multiple tokens, the first
* token is stored at "pToken", the character immediately follow the first
* token is replaced by a null character, and the rekmainder of "input" is
* stored at "pRem". If no additional tokens are available, this function
* stores NULL at "pToken".
*
* PARAMETERS
* "input"
* Address of string to be tokenized. May be NULL.
* "pToken"
* Destination for OID token. Must be non-NULL.
* "pRem"
* Destination for pointer to remainder of string. Must be non-NULL.
* "plContext"
* Platform-specific context pointer.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns an OID Error if the function fails in a non-fatal way.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
static PKIX_Error *
pkix_pl_OID_GetNextToken(
char *input,
char **pToken,
char **pRem,
void *plContext)
{
char *token = input;
PKIX_ENTER(OID, "pkix_pl_OID_GetNextToken");
PKIX_NULLCHECK_TWO(pToken, pRem);
if (token == NULL){
*pToken = token;
goto cleanup;
}
while (*input != '.' && *input != '\0'){
input++;
}
if (*input == '.'){
*input = 0;
*pRem = input + 1;
} else { /* NULL case */
*pRem = NULL;
}
*pToken = token;
cleanup:
entry->description = "OID";
entry->typeObjectSize = sizeof(PKIX_PL_OID);
entry->destructor = pkix_pl_OID_Destroy;
entry->equalsFunction = pkix_pl_OID_Equals;
entry->hashcodeFunction = pkix_pl_OID_Hashcode;
entry->toStringFunction = pkix_pl_OID_ToString;
entry->comparator = pkix_pl_OID_Comparator;
entry->duplicateFunction = pkix_duplicateImmutable;
PKIX_RETURN(OID);
}
@ -357,11 +263,7 @@ pkix_pl_OID_GetCriticalExtensionOIDs(
void *plContext)
{
PKIX_List *oidsList = NULL;
CERTCertExtension *extension = NULL;
PKIX_PL_OID *pkixOID = NULL;
SECItem critical;
SECItem oid;
char *oidAscii = NULL;
PKIX_ENTER(OID, "pkix_pl_OID_GetCriticalExtensionOIDs");
PKIX_NULLCHECK_ONE(pOidsList);
@ -369,40 +271,28 @@ pkix_pl_OID_GetCriticalExtensionOIDs(
PKIX_CHECK(PKIX_List_Create(&oidsList, plContext),
PKIX_LISTCREATEFAILED);
if (extensions){
if (extensions) {
while (*extensions) {
CERTCertExtension *extension = NULL;
SECItem *critical = NULL;
SECItem *oid = NULL;
while (*extensions){
extension = *extensions++;
PKIX_NULLCHECK_ONE(extension);
/* extension is critical */
critical = extension->critical;
if (critical.len != 0){
if (critical.data[0] == 0xff) {
oid = extension->id;
PKIX_CHECK(pkix_pl_oidBytes2Ascii
(&oid, &oidAscii, plContext),
PKIX_OIDBYTES2ASCIIFAILED);
PKIX_CHECK(PKIX_PL_OID_Create
(oidAscii, &pkixOID, plContext),
PKIX_OIDCREATEFAILED);
PKIX_CHECK(PKIX_List_AppendItem
(oidsList,
(PKIX_PL_Object *)pkixOID,
plContext),
PKIX_LISTAPPENDITEMFAILED);
}
}
PKIX_FREE(oidAscii);
PKIX_DECREF(pkixOID);
extension = *extensions++;
/* extension is critical ? */
critical = &extension->critical;
if (critical->len == 0 || critical->data[0] == 0) {
continue;
}
oid = &extension->id;
PKIX_CHECK(
PKIX_PL_OID_CreateBySECItem(oid, &pkixOID, plContext),
PKIX_OIDCREATEFAILED);
PKIX_CHECK(
PKIX_List_AppendItem(oidsList, (PKIX_PL_Object *)pkixOID,
plContext),
PKIX_LISTAPPENDITEMFAILED);
PKIX_DECREF(pkixOID);
}
}
*pOidsList = oidsList;
@ -410,7 +300,6 @@ pkix_pl_OID_GetCriticalExtensionOIDs(
cleanup:
PKIX_DECREF(oidsList);
PKIX_FREE(oidAscii);
PKIX_DECREF(pkixOID);
PKIX_RETURN(OID);
}
@ -418,137 +307,59 @@ cleanup:
/* --Public-Functions------------------------------------------------------- */
/*
* FUNCTION: PKIX_PL_OID_Create (see comments in pkix_pl_system.h)
* FUNCTION: PKIX_PL_OID_CreateBySECItem (see comments in pkix_pl_system.h)
*/
PKIX_Error *
PKIX_PL_OID_Create(
char *stringRep,
PKIX_PL_OID_CreateBySECItem(
SECItem *derOid,
PKIX_PL_OID **pOID,
void *plContext)
{
PKIX_PL_OID *oid = NULL;
char *strCpy1 = NULL;
char *strCpy2 = NULL;
char *token = NULL;
PKIX_UInt32 numTokens, i, length;
PKIX_UInt32 value;
PKIX_Boolean firstFieldTwo;
PKIX_UInt32 *components = NULL;
char *rem = NULL;
PKIX_ENTER(OID, "PKIX_PL_OID_Create");
PKIX_NULLCHECK_TWO(pOID, stringRep);
PKIX_OID_DEBUG("\tCalling PL_strlen).\n");
length = PL_strlen(stringRep);
if (length < 3) {
PKIX_ERROR(PKIX_OIDLENGTHTOOSHORT);
}
for (i = 0; i < length; i++) {
if ((!PKIX_ISDIGIT(stringRep[i]))&&(stringRep[i] != '.')) {
PKIX_ERROR(PKIX_ILLEGALCHARACTERINOID);
}
}
/* Check that string doesn't have extra dots */
if ((stringRep[0] == '.') ||
(stringRep[length-1] == '.')||
(PL_strstr(stringRep, "..") != NULL)) {
PKIX_ERROR(PKIX_ILLEGALDOTINOID);
}
PKIX_OID_DEBUG("\tCalling PL_strdup).\n");
strCpy1 = PL_strdup(stringRep);
strCpy2 = PL_strdup(stringRep);
/* Validate and tally the number of tokens */
PKIX_CHECK(pkix_pl_OID_GetNextToken
(strCpy1, &token, &rem, plContext),
PKIX_OIDGETNEXTTOKENFAILED);
for (numTokens = 0; token != NULL; numTokens++){
if (numTokens == 0) {
/* We know the string is all digits */
PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n");
value = PORT_Atoi(token);
if (value > 2) {
PKIX_ERROR(PKIX_FIRSTFIELDMUSTBEBETWEEN02);
}
/* Set a flag if the first field is 2 */
firstFieldTwo = (value == 2);
} else if (numTokens == 1) {
PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n");
value = PORT_Atoi(token);
if ((!firstFieldTwo)&&(value > 39)) {
PKIX_ERROR
(PKIX_SECONDFIELDMUSTBEBETWEEN039);
}
}
/* Check for 32-bit overflow */
if (pkix_pl_UInt32_Overflows(token)){
PKIX_ERROR(PKIX_OIDCOMPONENTTOOBIG);
}
PKIX_CHECK(pkix_pl_OID_GetNextToken
(rem, &token, &rem, plContext),
PKIX_OIDGETNEXTTOKENFAILED);
}
if (numTokens < 2) {
PKIX_ERROR(PKIX_OIDNEEDS2ORMOREFIELDS);
}
PKIX_CHECK(PKIX_PL_Malloc
(numTokens * sizeof (PKIX_UInt32),
(void **)&components, plContext),
PKIX_MALLOCFAILED);
PKIX_CHECK(pkix_pl_OID_GetNextToken
(strCpy2, &token, &rem, plContext),
PKIX_OIDGETNEXTTOKENFAILED);
for (i = 0; token != NULL; i++){
PKIX_OID_DEBUG("\tCalling PORT_Atoi).\n");
components[i] = PORT_Atoi(token);
PKIX_CHECK(pkix_pl_OID_GetNextToken
(rem, &token, &rem, plContext),
PKIX_OIDGETNEXTTOKENFAILED);
}
SECStatus rv;
PKIX_ENTER(OID, "PKIX_PL_OID_CreateBySECItem");
PKIX_NULLCHECK_TWO(pOID, derOid);
PKIX_CHECK(PKIX_PL_Object_Alloc
(PKIX_OID_TYPE,
(PKIX_OID_TYPE,
sizeof (PKIX_PL_OID),
(PKIX_PL_Object **)&oid,
plContext),
PKIX_COULDNOTCREATEOBJECT);
oid->length = numTokens;
oid->components = components;
*pOID = oid;
rv = SECITEM_CopyItem(NULL, &oid->derOid, derOid);
if (rv != SECFailure) {
*pOID = oid;
oid = NULL;
}
cleanup:
PKIX_DECREF(oid);
PKIX_RETURN(OID);
}
/*
* FUNCTION: PKIX_PL_OID_Create (see comments in pkix_pl_system.h)
*/
PKIX_Error *
PKIX_PL_OID_Create(
SECOidTag idtag,
PKIX_PL_OID **pOID,
void *plContext)
{
SECOidData *oidData = NULL;
PKIX_ENTER(OID, "PKIX_PL_OID_Create");
PKIX_NULLCHECK_ONE(pOID);
oidData = SECOID_FindOIDByTag((SECOidTag)idtag);
if (!oidData) {
PKIX_ERROR(PKIX_SECOIDFINDOIDTAGDESCRIPTIONFAILED);
}
pkixErrorResult =
PKIX_PL_OID_CreateBySECItem(&oidData->oid, pOID, plContext);
cleanup:
if (strCpy1){
PKIX_OID_DEBUG("\tCalling PL_strfree).\n");
PL_strfree(strCpy1);
}
if (strCpy2){
PKIX_OID_DEBUG("\tCalling PL_strfree).\n");
PL_strfree(strCpy2);
}
if (PKIX_ERROR_RECEIVED){
PKIX_FREE(components);
}
PKIX_RETURN(OID);
}

3
security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.h
Просмотреть файл

@ -51,8 +51,7 @@ extern "C" {
#endif
struct PKIX_PL_OIDStruct {
PKIX_UInt32 *components;
PKIX_UInt32 length;
SECItem derOid;
};
/* see source file for function documentation */

2
security/nss/lib/nss/config.mk
Просмотреть файл

@ -53,6 +53,7 @@ RESNAME = $(LIBRARY_NAME).rc
ifdef NS_USE_GCC
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
-lplc4 \
@ -74,6 +75,7 @@ else
# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
-lplc4 \

8
security/nss/lib/nss/nss.h
Просмотреть файл

@ -36,7 +36,7 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/* $Id: nss.h,v 1.64 2009/03/27 21:42:54 christophe.ravel.bugs%sun.com Exp $ */
/* $Id: nss.h,v 1.65 2009/04/13 17:46:59 christophe.ravel.bugs%sun.com Exp $ */
#ifndef __nss_h_
#define __nss_h_
@ -66,11 +66,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.12.3" _NSS_ECC_STRING _NSS_CUSTOMIZED
#define NSS_VERSION "3.12.4" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
#define NSS_VMAJOR 3
#define NSS_VMINOR 12
#define NSS_VPATCH 3
#define NSS_BETA PR_FALSE
#define NSS_VPATCH 4
#define NSS_BETA PR_TRUE
#ifndef RC_INVOKED

1
security/nss/lib/pk11wrap/pk11nobj.c
Просмотреть файл

@ -527,6 +527,7 @@ PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, SECItem *name,
nssCryptokiObject_Destroy(object);
} else {
rvH = CK_INVALID_HANDLE;
PORT_SetError(SEC_ERROR_CRL_IMPORT_FAILED);
}
return rvH;
}

2
security/nss/lib/smime/config.mk
Просмотреть файл

@ -50,6 +50,7 @@ ifdef NS_USE_GCC
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
-lnss3 \
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
-lplc4 \
@ -71,6 +72,7 @@ else
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
-lnss3 \
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
-lplc4 \

7
security/nss/lib/softoken/config.mk
Просмотреть файл

@ -37,11 +37,6 @@
# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
CRYPTODIR=../freebl
ifdef MOZILLA_SECURITY_BUILD
CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
CRYPTODIR=../crypto
endif
EXTRA_LIBS += \
$(CRYPTOLIB) \
@ -60,6 +55,7 @@ RESNAME = $(LIBRARY_NAME).rc
ifdef NS_USE_GCC
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-lsqlite3 \
-L$(NSPR_LIB_DIR) \
@ -85,6 +81,7 @@ else
# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-lsqlite3 \
-L$(NSPR_LIB_DIR) \

7
security/nss/lib/softoken/legacydb/config.mk
Просмотреть файл

@ -37,11 +37,6 @@
# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
CRYPTODIR=../freebl
ifdef MOZILLA_SECURITY_BUILD
CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
CRYPTODIR=../crypto
endif
EXTRA_LIBS += $(CRYPTOLIB)
@ -62,6 +57,7 @@ RESNAME = $(LIBRARY_NAME).rc
ifdef NS_USE_GCC
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
-lplc4 \
@ -84,6 +80,7 @@ else
# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
-lplc4 \

6
security/nss/lib/softoken/legacydb/lowcert.c
Просмотреть файл

@ -38,7 +38,7 @@
/*
* Certificate handling code
*
* $Id: lowcert.c,v 1.4 2008/02/08 02:50:50 julien.pierre.boogz%sun.com Exp $
* $Id: lowcert.c,v 1.5 2009/04/12 01:31:45 nelson%bolyard.com Exp $
*/
#include "seccomon.h"
@ -363,6 +363,10 @@ nsslowcert_KeyFromIssuerAndSN(PRArenaPool *arena,
PORT_SetError(SEC_ERROR_INVALID_ARGS);
goto loser;
}
if (len > NSS_MAX_LEGACY_DB_KEY_SIZE) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
goto loser;
}
key->data = (unsigned char*)PORT_ArenaAlloc(arena, len);
if ( !key->data ) {
goto loser;

237
security/nss/lib/softoken/legacydb/pcertdb.c
Просмотреть файл

@ -37,7 +37,7 @@
/*
* Permanent Certificate database handling code
*
* $Id: pcertdb.c,v 1.9 2009/04/09 02:00:33 nelson%bolyard.com Exp $
* $Id: pcertdb.c,v 1.11 2009/04/13 17:23:15 nelson%bolyard.com Exp $
*/
#include "lowkeyti.h"
#include "pcert.h"
@ -637,16 +637,16 @@ EncodeDBCertEntry(certDBEntryCert *entry, PRArenaPool *arena, SECItem *dbitem)
/* fill in database record */
buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
buf[0] = ( entry->trust.sslFlags >> 8 ) & 0xff;
buf[1] = entry->trust.sslFlags & 0xff;
buf[2] = ( entry->trust.emailFlags >> 8 ) & 0xff;
buf[3] = entry->trust.emailFlags & 0xff;
buf[4] = ( entry->trust.objectSigningFlags >> 8 ) & 0xff;
buf[5] = entry->trust.objectSigningFlags & 0xff;
buf[6] = ( entry->derCert.len >> 8 ) & 0xff;
buf[7] = entry->derCert.len & 0xff;
buf[8] = ( nnlen >> 8 ) & 0xff;
buf[9] = nnlen & 0xff;
buf[0] = (PRUint8)( entry->trust.sslFlags >> 8 );
buf[1] = (PRUint8)( entry->trust.sslFlags );
buf[2] = (PRUint8)( entry->trust.emailFlags >> 8 );
buf[3] = (PRUint8)( entry->trust.emailFlags );
buf[4] = (PRUint8)( entry->trust.objectSigningFlags >> 8 );
buf[5] = (PRUint8)( entry->trust.objectSigningFlags );
buf[6] = (PRUint8)( entry->derCert.len >> 8 );
buf[7] = (PRUint8)( entry->derCert.len );
buf[8] = (PRUint8)( nnlen >> 8 );
buf[9] = (PRUint8)( nnlen );
PORT_Memcpy(&buf[DB_CERT_ENTRY_HEADER_LEN], entry->derCert.data,
entry->derCert.len);
@ -667,6 +667,8 @@ static SECStatus
EncodeDBCertKey(const SECItem *certKey, PRArenaPool *arena, SECItem *dbkey)
{
unsigned int len = certKey->len + SEC_DB_KEY_HEADER_LEN;
if (len > NSS_MAX_LEGACY_DB_KEY_SIZE)
goto loser;
if (arena) {
dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, len);
} else {
@ -706,12 +708,14 @@ EncodeDBGenericKey(const SECItem *certKey, PRArenaPool *arena, SECItem *dbkey,
dbkey->len = certKey->len + SEC_DB_KEY_HEADER_LEN;
if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE)
goto loser;
dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
if ( dbkey->data == NULL ) {
goto loser;
}
PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN],
certKey->data, certKey->len);
certKey->data, certKey->len);
dbkey->data[0] = (unsigned char) entryType;
return(SECSuccess);
@ -1156,10 +1160,10 @@ EncodeDBCrlEntry(certDBEntryRevocation *entry, PRArenaPool *arena, SECItem *dbit
/* fill in database record */
buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
buf[0] = ( entry->derCrl.len >> 8 ) & 0xff;
buf[1] = entry->derCrl.len & 0xff;
buf[2] = ( nnlen >> 8 ) & 0xff;
buf[3] = nnlen & 0xff;
buf[0] = (PRUint8)( entry->derCrl.len >> 8 );
buf[1] = (PRUint8)( entry->derCrl.len );
buf[2] = (PRUint8)( nnlen >> 8 );
buf[3] = (PRUint8)( nnlen );
PORT_Memcpy(&buf[DB_CRL_ENTRY_HEADER_LEN], entry->derCrl.data,
entry->derCrl.len);
@ -1452,7 +1456,6 @@ EncodeDBNicknameEntry(certDBEntryNickname *entry, PRArenaPool *arena,
*/
dbitem->len = entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN +
SEC_DB_ENTRY_HEADER_LEN;
dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
if ( dbitem->data == NULL) {
goto loser;
@ -1460,10 +1463,8 @@ EncodeDBNicknameEntry(certDBEntryNickname *entry, PRArenaPool *arena,
/* fill in database record */
buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
buf[0] = ( entry->subjectName.len >> 8 ) & 0xff;
buf[1] = entry->subjectName.len & 0xff;
buf[0] = (PRUint8)( entry->subjectName.len >> 8 );
buf[1] = (PRUint8)( entry->subjectName.len );
PORT_Memcpy(&buf[DB_NICKNAME_ENTRY_HEADER_LEN], entry->subjectName.data,
entry->subjectName.len);
@ -1486,6 +1487,8 @@ EncodeDBNicknameKey(char *nickname, PRArenaPool *arena,
/* now get the database key and format it */
dbkey->len = nnlen + SEC_DB_KEY_HEADER_LEN;
if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE)
goto loser;
dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
if ( dbkey->data == NULL ) {
goto loser;
@ -1777,12 +1780,12 @@ EncodeDBSMimeEntry(certDBEntrySMime *entry, PRArenaPool *arena,
/* fill in database record */
buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
buf[0] = ( entry->subjectName.len >> 8 ) & 0xff;
buf[1] = entry->subjectName.len & 0xff;
buf[2] = ( entry->smimeOptions.len >> 8 ) & 0xff;
buf[3] = entry->smimeOptions.len & 0xff;
buf[4] = ( entry->optionsDate.len >> 8 ) & 0xff;
buf[5] = entry->optionsDate.len & 0xff;
buf[0] = (PRUint8)( entry->subjectName.len >> 8 );
buf[1] = (PRUint8)( entry->subjectName.len );
buf[2] = (PRUint8)( entry->smimeOptions.len >> 8 );
buf[3] = (PRUint8)( entry->smimeOptions.len );
buf[4] = (PRUint8)( entry->optionsDate.len >> 8 );
buf[5] = (PRUint8)( entry->optionsDate.len );
/* if no smime options, then there should not be an options date either */
PORT_Assert( ! ( ( entry->smimeOptions.len == 0 ) &&
@ -1819,6 +1822,8 @@ EncodeDBSMimeKey(char *emailAddr, PRArenaPool *arena,
/* now get the database key and format it */
dbkey->len = addrlen + SEC_DB_KEY_HEADER_LEN;
if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE)
goto loser;
dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
if ( dbkey->data == NULL ) {
goto loser;
@ -2167,8 +2172,8 @@ EncodeDBSubjectEntry(certDBEntrySubject *entry, PRArenaPool *arena,
unsigned int nnlen = 0;
unsigned int eaddrslen = 0;
int keyidoff;
SECItem *certKeys;
SECItem *keyIDs;
SECItem *certKeys = entry->certKeys;
SECItem *keyIDs = entry->keyIDs;;
if ( entry->nickname ) {
nnlen = PORT_Strlen(entry->nickname) + 1;
@ -2184,10 +2189,15 @@ EncodeDBSubjectEntry(certDBEntrySubject *entry, PRArenaPool *arena,
/* compute the length of the entry */
keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen ;
len = keyidoff + 4 * ncerts + eaddrslen;
len = keyidoff + (4 * ncerts) + eaddrslen;
for ( i = 0; i < ncerts; i++ ) {
len += entry->certKeys[i].len;
len += entry->keyIDs[i].len;
if (keyIDs[i].len > 0xffff ||
(certKeys[i].len > 0xffff)) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
goto loser;
}
len += certKeys[i].len;
len += keyIDs[i].len;
}
/* allocate space for encoded database record, including space
@ -2204,50 +2214,44 @@ EncodeDBSubjectEntry(certDBEntrySubject *entry, PRArenaPool *arena,
/* fill in database record */
buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
buf[0] = ( ncerts >> 8 ) & 0xff;
buf[1] = ncerts & 0xff;
buf[2] = ( nnlen >> 8 ) & 0xff;
buf[3] = nnlen & 0xff;
buf[0] = (PRUint8)( ncerts >> 8 );
buf[1] = (PRUint8)( ncerts );
buf[2] = (PRUint8)( nnlen >> 8 );
buf[3] = (PRUint8)( nnlen );
/* v7 email field is NULL in v8 */
buf[4] = 0;
buf[5] = 0;
PORT_Memcpy(&buf[DB_SUBJECT_ENTRY_HEADER_LEN], entry->nickname, nnlen);
tmpbuf = &buf[keyidoff];
for ( i = 0; i < ncerts; i++ ) {
certKeys = entry->certKeys;
keyIDs = entry->keyIDs;
buf[keyidoff+i*2] = ( certKeys[i].len >> 8 ) & 0xff;
buf[keyidoff+1+i*2] = certKeys[i].len & 0xff;
buf[keyidoff+ncerts*2+i*2] = ( keyIDs[i].len >> 8 ) & 0xff;
buf[keyidoff+1+ncerts*2+i*2] = keyIDs[i].len & 0xff;
tmpbuf[0] = (PRUint8)( certKeys[i].len >> 8 );
tmpbuf[1] = (PRUint8)( certKeys[i].len );
tmpbuf += 2;
}
for ( i = 0; i < ncerts; i++ ) {
tmpbuf[0] = (PRUint8)( keyIDs[i].len >> 8 );
tmpbuf[1] = (PRUint8)( keyIDs[i].len );
tmpbuf += 2;
}
/* temp pointer used to stuff certkeys and keyids into the buffer */
tmpbuf = &buf[keyidoff+ncerts*4];
for ( i = 0; i < ncerts; i++ ) {
certKeys = entry->certKeys;
PORT_Memcpy(tmpbuf, certKeys[i].data, certKeys[i].len);
tmpbuf = tmpbuf + certKeys[i].len;
tmpbuf += certKeys[i].len;
}
for ( i = 0; i < ncerts; i++ ) {
keyIDs = entry->keyIDs;
PORT_Memcpy(tmpbuf, keyIDs[i].data, keyIDs[i].len);
tmpbuf = tmpbuf + keyIDs[i].len;
tmpbuf += keyIDs[i].len;
}
if (entry->emailAddrs) {
tmpbuf[0] = (entry->nemailAddrs >> 8) & 0xff;
tmpbuf[1] = entry->nemailAddrs & 0xff;
tmpbuf[0] = (PRUint8)( entry->nemailAddrs >> 8 );
tmpbuf[1] = (PRUint8)( entry->nemailAddrs );
tmpbuf += 2;
for (i=0; i < entry->nemailAddrs; i++) {
int nameLen = PORT_Strlen(entry->emailAddrs[i]) + 1;
tmpbuf[0] = (nameLen >> 8) & 0xff;
tmpbuf[1] = nameLen & 0xff;
tmpbuf[0] = (PRUint8)( nameLen >> 8 );
tmpbuf[1] = (PRUint8)( nameLen );
tmpbuf += 2;
PORT_Memcpy(tmpbuf,entry->emailAddrs[i],nameLen);
tmpbuf +=nameLen;
@ -2270,6 +2274,8 @@ EncodeDBSubjectKey(SECItem *derSubject, PRArenaPool *arena,
SECItem *dbkey)
{
dbkey->len = derSubject->len + SEC_DB_KEY_HEADER_LEN;
if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE)
goto loser;
dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
if ( dbkey->data == NULL ) {
goto loser;
@ -2288,18 +2294,17 @@ static SECStatus
DecodeDBSubjectEntry(certDBEntrySubject *entry, SECItem *dbentry,
const SECItem *derSubject)
{
unsigned int ncerts;
PRArenaPool *arena;
unsigned int len, itemlen;
PRArenaPool *arena = entry->common.arena;
unsigned char *tmpbuf;
unsigned char *end;
void *mark = PORT_ArenaMark(arena);
unsigned int eaddrlen;
unsigned int i;
SECStatus rv;
unsigned int keyidoff;
unsigned int nnlen, eaddrlen;
unsigned int stdlen;
arena = entry->common.arena;
unsigned int len;
unsigned int ncerts = 0;
unsigned int nnlen;
SECStatus rv;
rv = SECITEM_CopyItem(arena, &entry->derSubject, derSubject);
if ( rv != SECSuccess ) {
@ -2312,20 +2317,18 @@ DecodeDBSubjectEntry(certDBEntrySubject *entry, SECItem *dbentry,
goto loser;
}
entry->ncerts = ncerts = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
nnlen = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
eaddrlen = ( ( dbentry->data[4] << 8 ) | dbentry->data[5] );
stdlen = ncerts * 4 + DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen;
if ( dbentry->len < stdlen) {
entry->ncerts = ncerts = (( dbentry->data[0] << 8 ) | dbentry->data[1] );
nnlen = (( dbentry->data[2] << 8 ) | dbentry->data[3] );
eaddrlen = (( dbentry->data[4] << 8 ) | dbentry->data[5] );
keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen;
len = keyidoff + (4 * ncerts);
if ( dbentry->len < len) {
PORT_SetError(SEC_ERROR_BAD_DATABASE);
goto loser;
}
entry->certKeys = (SECItem *)PORT_ArenaAlloc(arena,
sizeof(SECItem) * ncerts);
entry->keyIDs = (SECItem *)PORT_ArenaAlloc(arena,
sizeof(SECItem) * ncerts);
entry->certKeys = PORT_ArenaNewArray(arena, SECItem, ncerts);
entry->keyIDs = PORT_ArenaNewArray(arena, SECItem, ncerts);
if ( ( entry->certKeys == NULL ) || ( entry->keyIDs == NULL ) ) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
@ -2347,7 +2350,7 @@ DecodeDBSubjectEntry(certDBEntrySubject *entry, SECItem *dbentry,
/* if we have an old style email entry, there is only one */
entry->nemailAddrs = 0;
if ( eaddrlen > 1 ) { /* null terminator is stored */
entry->emailAddrs = (char **)PORT_ArenaAlloc(arena, sizeof(char *));
entry->emailAddrs = PORT_ArenaNewArray(arena, char *, 2);
if ( entry->emailAddrs == NULL ) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
@ -2368,87 +2371,85 @@ DecodeDBSubjectEntry(certDBEntrySubject *entry, SECItem *dbentry,
/* collect the lengths of the certKeys and keyIDs, and total the
* overall length.
*/
keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen;
len = keyidoff + 4 * ncerts;
tmpbuf = &dbentry->data[0];
tmpbuf = &dbentry->data[keyidoff];
for ( i = 0; i < ncerts; i++ ) {
itemlen = ( tmpbuf[keyidoff + 2*i] << 8 ) | tmpbuf[keyidoff + 1 + 2*i] ;
len += itemlen;
entry->certKeys[i].len = itemlen;
itemlen = ( tmpbuf[keyidoff + 2*ncerts + 2*i] << 8 ) |
tmpbuf[keyidoff + 1 + 2*ncerts + 2*i] ;
len += itemlen;
entry->keyIDs[i].len = itemlen;
unsigned int itemlen = ( tmpbuf[0] << 8 ) | tmpbuf[1];
entry->certKeys[i].len = itemlen;
len += itemlen;
tmpbuf += 2;
}
/* is database entry correct length? */
for ( i = 0; i < ncerts; i++ ) {
unsigned int itemlen = ( tmpbuf[0] << 8 ) | tmpbuf[1] ;
entry->keyIDs[i].len = itemlen;
len += itemlen;
tmpbuf += 2;
}
/* is encoded entry large enough ? */
if ( len > dbentry->len ){
PORT_SetError(SEC_ERROR_BAD_DATABASE);
goto loser;
}
tmpbuf = &tmpbuf[keyidoff + 4*ncerts];
for ( i = 0; i < ncerts; i++ ) {
entry->certKeys[i].data =
(unsigned char *)PORT_ArenaAlloc(arena, entry->certKeys[i].len);
unsigned int kLen = entry->certKeys[i].len;
entry->certKeys[i].data = (unsigned char *)PORT_ArenaAlloc(arena, kLen);
if ( entry->certKeys[i].data == NULL ) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
}
PORT_Memcpy(entry->certKeys[i].data, tmpbuf, entry->certKeys[i].len);
tmpbuf = &tmpbuf[entry->certKeys[i].len];
PORT_Memcpy(entry->certKeys[i].data, tmpbuf, kLen);
tmpbuf += kLen;
}
for ( i = 0; i < ncerts; i++ ) {
entry->keyIDs[i].data =
(unsigned char *)PORT_ArenaAlloc(arena, entry->keyIDs[i].len);
unsigned int iLen = entry->keyIDs[i].len;
entry->keyIDs[i].data = (unsigned char *)PORT_ArenaAlloc(arena, iLen);
if ( entry->keyIDs[i].data == NULL ) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
}
PORT_Memcpy(entry->keyIDs[i].data, tmpbuf, entry->keyIDs[i].len);
tmpbuf = &tmpbuf[entry->keyIDs[i].len];
PORT_Memcpy(entry->keyIDs[i].data, tmpbuf, iLen);
tmpbuf += iLen;
}
end = &dbentry->data[dbentry->len];
if ((eaddrlen == 0) && (tmpbuf+1 < end)) {
end = dbentry->data + dbentry->len;
if ((eaddrlen == 0) && (end - tmpbuf > 1)) {
/* read in the additional email addresses */
entry->nemailAddrs = tmpbuf[0] << 8 | tmpbuf[1];
entry->nemailAddrs = (((unsigned int)tmpbuf[0]) << 8) | tmpbuf[1];
tmpbuf += 2;
entry->emailAddrs = (char **)
PORT_ArenaAlloc(arena, entry->nemailAddrs * sizeof(char *));
if (end - tmpbuf < 2 * (int)entry->nemailAddrs)
goto loser;
entry->emailAddrs = PORT_ArenaNewArray(arena, char *, entry->nemailAddrs);
if (entry->emailAddrs == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
}
for (i=0; i < entry->nemailAddrs; i++) {
int nameLen;
if (tmpbuf + 2 > end) {
if (end - tmpbuf < 2) {
goto loser;
}
nameLen = (((int)tmpbuf[0]) << 8) | tmpbuf[1];
tmpbuf += 2;
if (end - tmpbuf < nameLen) {
goto loser;
}
nameLen = tmpbuf[0] << 8 | tmpbuf[1];
entry->emailAddrs[i] = PORT_ArenaAlloc(arena,nameLen);
if (entry->emailAddrs == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
}
if (tmpbuf + (nameLen+2) > end) {
goto loser;
}
PORT_Memcpy(entry->emailAddrs[i],&tmpbuf[2],nameLen);
tmpbuf += 2 + nameLen;
PORT_Memcpy(entry->emailAddrs[i], tmpbuf, nameLen);
tmpbuf += nameLen;
}
if (tmpbuf != end)
goto loser;
}
PORT_ArenaUnmark(arena, mark);
return(SECSuccess);
loser:
PORT_ArenaRelease(arena, mark); /* discard above allocations */
return(SECFailure);
}

4
security/nss/lib/softoken/legacydb/pcertt.h
Просмотреть файл

@ -36,7 +36,7 @@
/*
* certt.h - public data structures for the certificate library
*
* $Id: pcertt.h,v 1.2 2007/06/13 00:24:57 rrelyea%redhat.com Exp $
* $Id: pcertt.h,v 1.3 2009/04/12 01:31:46 nelson%bolyard.com Exp $
*/
#ifndef _PCERTT_H_
#define _PCERTT_H_
@ -168,6 +168,8 @@ struct NSSLOWCERTCertificateStr {
#define SEC_CRL_VERSION_1 0 /* default */
#define SEC_CRL_VERSION_2 1 /* v2 extensions */
#define NSS_MAX_LEGACY_DB_KEY_SIZE (60 * 1024)
struct NSSLOWCERTIssuerAndSNStr {
SECItem derIssuer;
SECItem serialNumber;

51
security/nss/lib/softoken/lgglue.c
Просмотреть файл

@ -149,6 +149,7 @@ sftkdb_LoadFromPath(const char *path, const char *libname)
return lib;
}
static PRLibrary *
sftkdb_LoadLibrary(const char *libname)
{
@ -188,6 +189,7 @@ done:
libSpec.value.pathname = libname;
lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
}
return lib;
}
@ -270,18 +272,39 @@ sftkdb_decrypt_stub(SDB *sdb, SECItem *cipherText, SECItem **plainText)
return rv;
}
static const char *LEGACY_LIB_NAME =
SHLIB_PREFIX"nssdbm"SHLIB_VERSION"."SHLIB_SUFFIX;
/*
* 2 bools to tell us if we've check the legacy library successfully or
* not. Initialize on startup to false by the C BSS segment;
*/
static PRBool legacy_glue_libCheckFailed; /* set if we failed the check */
static PRBool legacy_glue_libCheckSucceeded; /* set if we passed the check */
static PRLibrary *legacy_glue_lib = NULL;
static SECStatus
sftkdbLoad_Legacy()
sftkdbLoad_Legacy(PRBool isFIPS)
{
PRLibrary *lib = NULL;
LGSetCryptFunc setCryptFunction = NULL;
if (legacy_glue_lib) {
/* this check is necessary because it's possible we loaded the
* legacydb to read secmod.db, which told us whether we were in
* FIPS mode or not. */
if (isFIPS && !legacy_glue_libCheckSucceeded) {
if (legacy_glue_libCheckFailed ||
!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) {
legacy_glue_libCheckFailed = PR_TRUE;
/* don't clobber legacy glue to avoid race. just let it
* get cleared in shutdown */
return SECFailure;
}
legacy_glue_libCheckSucceeded = PR_TRUE;
}
return SECSuccess;
}
lib = sftkdb_LoadLibrary(SHLIB_PREFIX"nssdbm"SHLIB_VERSION"."SHLIB_SUFFIX);
lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME);
if (lib == NULL) {
return SECFailure;
}
@ -306,6 +329,16 @@ sftkdbLoad_Legacy()
PR_UnloadLibrary(lib);
return SECFailure;
}
/* verify the loaded library if we are in FIPS mode */
if (isFIPS) {
if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) {
PR_UnloadLibrary(lib);
return SECFailure;
}
legacy_glue_libCheckSucceeded = PR_TRUE;
}
setCryptFunction(sftkdb_encrypt_stub,sftkdb_decrypt_stub);
legacy_glue_lib = lib;
return SECSuccess;
@ -313,12 +346,12 @@ sftkdbLoad_Legacy()
CK_RV
sftkdbCall_open(const char *dir, const char *certPrefix, const char *keyPrefix,
int certVersion, int keyVersion, int flags,
int certVersion, int keyVersion, int flags, PRBool isFIPS,
SDB **certDB, SDB **keyDB)
{
SECStatus rv;
rv = sftkdbLoad_Legacy();
rv = sftkdbLoad_Legacy(isFIPS);
if (rv != SECSuccess) {
return CKR_GENERAL_ERROR;
}
@ -337,7 +370,7 @@ sftkdbCall_ReadSecmodDB(const char *appName, const char *filename,
{
SECStatus rv;
rv = sftkdbLoad_Legacy();
rv = sftkdbLoad_Legacy(PR_FALSE);
if (rv != SECSuccess) {
return NULL;
}
@ -355,7 +388,7 @@ sftkdbCall_ReleaseSecmodDBData(const char *appName,
{
SECStatus rv;
rv = sftkdbLoad_Legacy();
rv = sftkdbLoad_Legacy(PR_FALSE);
if (rv != SECSuccess) {
return rv;
}
@ -374,7 +407,7 @@ sftkdbCall_DeleteSecmodDB(const char *appName,
{
SECStatus rv;
rv = sftkdbLoad_Legacy();
rv = sftkdbLoad_Legacy(PR_FALSE);
if (rv != SECSuccess) {
return rv;
}
@ -392,7 +425,7 @@ sftkdbCall_AddSecmodDB(const char *appName,
{
SECStatus rv;
rv = sftkdbLoad_Legacy();
rv = sftkdbLoad_Legacy(PR_FALSE);
if (rv != SECSuccess) {
return rv;
}
@ -427,6 +460,8 @@ sftkdbCall_Shutdown(void)
legacy_glue_releaseSecmod = NULL;
legacy_glue_deleteSecmod = NULL;
legacy_glue_addSecmod = NULL;
legacy_glue_libCheckFailed = PR_FALSE;
legacy_glue_libCheckSucceeded = PR_FALSE;
return crv;
}

2
security/nss/lib/softoken/lgglue.h
Просмотреть файл

@ -75,7 +75,7 @@ typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc);
*/
CK_RV sftkdbCall_open(const char *dir, const char *certPrefix,
const char *keyPrefix,
int certVersion, int keyVersion, int flags,
int certVersion, int keyVersion, int flags, PRBool isFIPS,
SDB **certDB, SDB **keyDB);
char ** sftkdbCall_ReadSecmodDB(const char *appName, const char *filename,
const char *dbname, char *params, PRBool rw);

4
security/nss/lib/softoken/pkcs11.c
Просмотреть файл

@ -2151,7 +2151,9 @@ SFTK_SlotReInit(SFTKSlot *slot, char *configdir, char *updatedir,
params->updCertPrefix, params->updKeyPrefix,
params->updateID ? params->updateID : updateID,
params->readOnly, params->noCertDB, params->noKeyDB,
params->forceOpen, &certHandle, &keyHandle);
params->forceOpen,
moduleIndex == NSC_FIPS_MODULE,
&certHandle, &keyHandle);
if (crv != CKR_OK) {
goto loser;
}

13
security/nss/lib/softoken/sftkdb.c
Просмотреть файл

@ -2547,7 +2547,7 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
const char *keyPrefix, const char *updatedir,
const char *updCertPrefix, const char *updKeyPrefix,
const char *updateID, PRBool readOnly, PRBool noCertDB,
PRBool noKeyDB, PRBool forceOpen,
PRBool noKeyDB, PRBool forceOpen, PRBool isFIPS,
SFTKDBHandle **certDB, SFTKDBHandle **keyDB)
{
const char *confdir;
@ -2577,11 +2577,11 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
switch (dbType) {
case SDB_LEGACY:
crv = sftkdbCall_open(confdir, certPrefix, keyPrefix, 8, 3, flags,
noCertDB? NULL : &certSDB, noKeyDB ? NULL: &keySDB);
isFIPS, noCertDB? NULL : &certSDB, noKeyDB ? NULL: &keySDB);
break;
case SDB_MULTIACCESS:
crv = sftkdbCall_open(configdir, certPrefix, keyPrefix, 8, 3, flags,
noCertDB? NULL : &certSDB, noKeyDB ? NULL: &keySDB);
isFIPS, noCertDB? NULL : &certSDB, noKeyDB ? NULL: &keySDB);
break;
case SDB_SQL:
case SDB_EXTERN: /* SHOULD open a loadable db */
@ -2598,8 +2598,8 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
/* we have legacy databases, if we failed to open the new format
* DB's read only, just use the legacy ones */
crv = sftkdbCall_open(confdir, certPrefix,
keyPrefix, 8, 3, flags, noCertDB? NULL : &certSDB,
noKeyDB ? NULL : &keySDB);
keyPrefix, 8, 3, flags, isFIPS,
noCertDB? NULL : &certSDB, noKeyDB ? NULL : &keySDB);
}
/* Handle the database merge case.
*
@ -2669,7 +2669,8 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
CK_RV crv2;
crv2 = sftkdbCall_open(confdir, certPrefix, keyPrefix, 8, 3, flags,
noCertDB ? NULL : &updateCert, noKeyDB ? NULL : &updateKey);
isFIPS, noCertDB ? NULL : &updateCert,
noKeyDB ? NULL : &updateKey);
if (crv2 == CKR_OK) {
if (*certDB) {
(*certDB)->update = updateCert;

2
security/nss/lib/softoken/sftkdb.h
Просмотреть файл

@ -107,7 +107,7 @@ CK_RV sftk_DBInit(const char *configdir, const char *certPrefix,
const char *keyPrefix, const char *updatedir,
const char *updCertPrefix, const char *updKeyPrefix,
const char *updateID, PRBool readOnly, PRBool noCertDB,
PRBool noKeyDB, PRBool forceOpen,
PRBool noKeyDB, PRBool forceOpen, PRBool isFIPS,
SFTKDBHandle **certDB, SFTKDBHandle **keyDB);
CK_RV sftkdb_Shutdown(void);

10
security/nss/lib/softoken/sftkpwd.c
Просмотреть файл

@ -686,6 +686,16 @@ sftkdb_HasPasswordSet(SFTKDBHandle *keydb)
value.data = valueData;
value.len = sizeof(valueData);
crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value);
/* If no password is set, we can update right away */
if (((keydb->db->sdb_flags & SDB_RDONLY) == 0) && keydb->update
&& crv != CKR_OK) {
/* update the peer certdb if it exists */
if (keydb->peerDB) {
sftkdb_Update(keydb->peerDB, NULL);
}
sftkdb_Update(keydb, NULL);
}
return (crv == CKR_OK) ? SECSuccess : SECFailure;
}

4
security/nss/lib/softoken/softkver.h
Просмотреть файл

@ -57,10 +57,10 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>][ <ECC>][ <Beta>]"
*/
#define SOFTOKEN_VERSION "3.12.3" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VERSION "3.12.4" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 12
#define SOFTOKEN_VPATCH 3
#define SOFTOKEN_VPATCH 4
#define SOFTOKEN_BETA PR_FALSE
#endif /* _SOFTKVER_H_ */

16
security/nss/lib/ssl/config.mk
Просмотреть файл

@ -56,6 +56,7 @@ ifdef NS_USE_GCC
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
-lnss3 \
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
-lplc4 \
@ -73,12 +74,7 @@ EXTRA_SHARED_LIBS += \
endif # NS_USE_GCC
# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
CRYPTODIR=../freebl
ifdef MOZILLA_SECURITY_BUILD
CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
CRYPTODIR=../crypto
endif
CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
EXTRA_LIBS += \
$(CRYPTOLIB) \
@ -87,12 +83,7 @@ EXTRA_LIBS += \
else
# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
CRYPTODIR=../freebl
ifdef MOZILLA_SECURITY_BUILD
CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
CRYPTODIR=../crypto
endif
CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
EXTRA_LIBS += \
$(CRYPTOLIB) \
@ -104,6 +95,7 @@ EXTRA_LIBS += \
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib \
-lnss3 \
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
-lplc4 \

6
security/nss/lib/util/nssutil.h
Просмотреть файл

@ -51,10 +51,10 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.12.3"
#define NSSUTIL_VERSION "3.12.4 Beta"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 12
#define NSSUTIL_VPATCH 3
#define NSSUTIL_BETA PR_FALSE
#define NSSUTIL_VPATCH 4
#define NSSUTIL_BETA PR_TRUE
#endif /* __nssutil_h_ */

3
security/nss/lib/util/secerr.h
Просмотреть файл

@ -225,6 +225,9 @@ SEC_ERROR_PKCS11_GENERAL_ERROR = (SEC_ERROR_BASE + 167),
SEC_ERROR_PKCS11_FUNCTION_FAILED = (SEC_ERROR_BASE + 168),
SEC_ERROR_PKCS11_DEVICE_ERROR = (SEC_ERROR_BASE + 169),
SEC_ERROR_BAD_INFO_ACCESS_METHOD = (SEC_ERROR_BASE + 170),
SEC_ERROR_CRL_IMPORT_FAILED = (SEC_ERROR_BASE + 171),
/* Add new error codes above here. */
SEC_ERROR_END_OF_LIST
} SECErrorCodes;

5
security/nss/lib/util/secoid.c
Просмотреть файл

@ -361,6 +361,8 @@ CONST_OID x509ExtKeyUsage[] = { ID_CE_OID, 37 };
CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 };
CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 };
CONST_OID x509CertificatePoliciesAnyPolicy[] = { ID_CE_OID, 32, 0 };
CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 };
CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 };
@ -1586,6 +1588,9 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
OD( seed_CBC, SEC_OID_SEED_CBC,
"SEED-CBC", CKM_SEED_CBC, INVALID_CERT_EXTENSION),
OD( x509CertificatePoliciesAnyPolicy, SEC_OID_X509_ANY_POLICY,
"Certificate Policies AnyPolicy",
CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
};
/* PRIVATE EXTENDED SECOID Table

4
security/nss/lib/util/secoidt.h
Просмотреть файл

@ -43,7 +43,7 @@
/*
* secoidt.h - public data structures for ASN.1 OID functions
*
* $Id: secoidt.h,v 1.29 2009/03/13 02:59:03 nelson%bolyard.com Exp $
* $Id: secoidt.h,v 1.30 2009/04/14 02:04:08 alexei.volkov.bugs%sun.com Exp $
*/
#include "secitem.h"
@ -448,6 +448,8 @@ typedef enum {
SEC_OID_SEED_CBC = 302,
SEC_OID_X509_ANY_POLICY = 303,
SEC_OID_TOTAL
} SECOidTag;

2
security/nss/tests/chains/chains.sh
Просмотреть файл

@ -71,7 +71,7 @@ chains_init()
CHAINS_SCENARIOS="${QADIR}/chains/scenarios/scenarios"
CERT_SN_CNT=$(date '+%m%d%H%M%S')
CERT_SN_CNT=$(date '+%m%d%H%M%S' | sed "s/^0*//")
CERT_SN_FIX=$(expr ${CERT_SN_CNT} - 1000)
PK7_NONCE=$CERT_SN_CNT;

2
security/nss/tests/cipher/cipher.sh
Просмотреть файл

@ -1,4 +1,4 @@
#! /bin/sh
#! /bin/bash
#
# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1