Cherry-pick merge branch 'f19' into f18
commit
75232d0228
|
@ -8,4 +8,4 @@ TestCA.ca.cert
|
|||
TestUser50.cert
|
||||
TestUser51.cert
|
||||
/nss-pem-20130828.tar.bz2
|
||||
/nss-3.15.2.tar.gz
|
||||
/nss-3.15.3.tar.gz
|
||||
|
|
|
@ -1,209 +0,0 @@
|
|||
diff --git a/doc/certutil.xml b/doc/certutil.xml
|
||||
--- a/doc/certutil.xml
|
||||
+++ b/doc/certutil.xml
|
||||
@@ -634,16 +634,37 @@ of the attribute codes:
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>--extSKID</term>
|
||||
<listitem><para>Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
+ <term>--extNC</term>
|
||||
+ <listitem><para>Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280.</para></listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
+ <term>--keyAttrFlags attrflags</term>
|
||||
+ <listitem><para>
|
||||
+PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</para></listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
+ <term>--keyFlagsOn opflags</term>
|
||||
+ <term>--keyFlagsOff opflags</term>
|
||||
+ <listitem><para>
|
||||
+PKCS #11 key Operation Flags.
|
||||
+Comma separated list of one or more of the following:
|
||||
+{token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
|
||||
+ </para></listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
<term>--source-dir certdir</term>
|
||||
<listitem><para>Identify the certificate database directory to upgrade.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>--source-prefix certdir</term>
|
||||
<listitem><para>Give the prefix of the certificate and key databases to upgrade.</para></listitem>
|
||||
</varlistentry>
|
||||
@@ -795,17 +816,17 @@ JyBVgFqDXRYSyTBNw1DrxUU/3GvWA/ngjAwHEv0C
|
||||
XRzPORlC2WY3gkk7vmlsLvYpyecNazAi/NAwVnU/66HOsaoVFWE+gBQo99UrN2yk
|
||||
0BiK/GMFlLm5dXQROgA9ZKKyFdI0LIXtf6SbAgMBAAGjMzAxMBEGCWCGSAGG+EIB
|
||||
AQQEAwIHADAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B
|
||||
AQUFAAOBgQA6chkzkACN281d1jKMrc+RHG2UMaQyxiteaLVZO+Ro1nnRUvseDf09
|
||||
XKYFwPMJjWCihVku6bw/ihZfuMHhxK22Nue6inNQ6eDu7WmrqL8z3iUrQwxs+WiF
|
||||
ob2rb8XRVVJkzXdXxlk4uo3UtNvw8sAz7sWD71qxKaIHU5q49zijfg==
|
||||
-----END CERTIFICATE-----
|
||||
</programlisting>
|
||||
-<pa>For a humam-readable display</para>
|
||||
+<para>For a human-readable display</para>
|
||||
<programlisting>$ certutil -L -d sql:$HOME/nssdb -n my-ca-cert
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 3650 (0xe42)
|
||||
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
|
||||
Issuer: "CN=Example CA"
|
||||
Validity:
|
||||
diff --git a/doc/cmsutil.xml b/doc/cmsutil.xml
|
||||
--- a/doc/cmsutil.xml
|
||||
+++ b/doc/cmsutil.xml
|
||||
@@ -84,19 +84,26 @@ The options and arguments for the cmsuti
|
||||
<varlistentry>
|
||||
<term>-S </term>
|
||||
<listitem><para>Sign a message.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
|
||||
<para><command>Arguments</command></para>
|
||||
- <para>Option arguments modify an action and are lowercase.</para>
|
||||
+ <para>Option arguments modify an action.</para>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
+ <term>-b </term>
|
||||
+ <listitem>
|
||||
+ <para>Decode a batch of files named in infile.</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
<term>-c content </term>
|
||||
<listitem>
|
||||
<para>Use this detached content (decode only).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-d dbdir</term>
|
||||
@@ -108,37 +115,58 @@ The options and arguments for the cmsuti
|
||||
<varlistentry>
|
||||
<term>-e envfile</term>
|
||||
<listitem>
|
||||
<para>Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
+ <term>-f pwfile</term>
|
||||
+ <listitem>
|
||||
+ <para>Use password file to set password on all PKCS#11 tokens.</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
<term>-G</term>
|
||||
<listitem>
|
||||
<para>Include a signing time attribute (sign only).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
-
|
||||
+
|
||||
+ <varlistentry>
|
||||
+ <term>-H hash</term>
|
||||
+ <listitem>
|
||||
+ <para>Use specified hash algorithm (default:SHA1).</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
<varlistentry>
|
||||
<term>-h num</term>
|
||||
<listitem>
|
||||
<para>Generate email headers with info about CMS message (decode only).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-i infile</term>
|
||||
<listitem>
|
||||
<para>Use infile as a source of data (default is stdin).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
+ <term>-k</term>
|
||||
+ <listitem>
|
||||
+ <para>Keep decoded encryption certs in permanent cert db.</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
<term>-N nickname</term>
|
||||
<listitem>
|
||||
<para>Specify nickname of certificate to sign with (sign only).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-n </term>
|
||||
@@ -188,16 +216,23 @@ For certificates-only message, list of c
|
||||
<varlistentry>
|
||||
<term>-u certusage</term>
|
||||
<listitem>
|
||||
<para>Set type of cert usage (default is certUsageEmailSigner).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
+ <term>-v</term>
|
||||
+ <listitem>
|
||||
+ <para>Print debugging information.</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
<term>-Y ekprefnick</term>
|
||||
<listitem>
|
||||
<para>Specify an encryption key preference by nickname.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
|
||||
diff --git a/doc/crlutil.xml b/doc/crlutil.xml
|
||||
--- a/doc/crlutil.xml
|
||||
+++ b/doc/crlutil.xml
|
||||
@@ -261,16 +261,30 @@ Specify type of CRL. possible types are:
|
||||
<term>-u url </term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specify the url.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term>-w pwd-string</term>
|
||||
+ <listitem>
|
||||
+ <para>Provide db password in command line.</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
+ <term>-Z algorithm</term>
|
||||
+ <listitem>
|
||||
+ <para>Specify the hash algorithm to use for signing the CRL.</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
</variablelist>
|
||||
</refsection>
|
||||
|
||||
<refsection id="syntax">
|
||||
<title>CRL Generation script syntax</title>
|
||||
<para>CRL generation script file has the following syntax:</para>
|
||||
<para>
|
||||
* Line with comments should have # as a first symbol of a line</para>
|
43
nss.spec
43
nss.spec
|
@ -1,7 +1,7 @@
|
|||
%global nspr_version 4.10.1
|
||||
%global nss_util_version 3.15.2
|
||||
%global nss_softokn_fips_version 3.12.9
|
||||
%global nss_softokn_version 3.15.2
|
||||
%global nspr_version 4.10.2
|
||||
%global nss_util_version 3.15.3
|
||||
%global nss_softokn_fips_version 3.13.5
|
||||
%global nss_softokn_version 3.15.3
|
||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||
%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
|
||||
|
||||
|
@ -19,8 +19,8 @@
|
|||
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: 3.15.2
|
||||
Release: 2%{?dist}
|
||||
Version: 3.15.3
|
||||
Release: 1%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
|
@ -75,8 +75,6 @@ Patch18: nss-646045.patch
|
|||
Patch25: nsspem-use-system-freebl.patch
|
||||
# This patch is currently meant for stable branches
|
||||
Patch29: nss-ssl-cbc-random-iv-off-by-default.patch
|
||||
# Prevent users from trying to enable ssl pkcs11 bypass
|
||||
Patch39: nss-ssl-enforce-no-pkcs11-bypass.path
|
||||
# TODO: Remove this patch when the ocsp test are fixed
|
||||
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
|
||||
Patch44: 0001-sync-up-with-upstream-softokn-changes.patch
|
||||
|
@ -176,7 +174,6 @@ low level services.
|
|||
%patch25 -p0 -b .systemfreebl
|
||||
# activate for stable and beta branches
|
||||
%patch29 -p0 -b .cbcrandomivoff
|
||||
#%%patch39 -p0 -b .nobypass
|
||||
%patch40 -p0 -b .noocsptest
|
||||
%patch44 -p1 -b .syncupwithupstream
|
||||
%patch45 -p0 -b .notrash
|
||||
|
@ -342,13 +339,23 @@ chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh
|
|||
date +"%e %B %Y" | tr -d '\n' > date.xml
|
||||
echo -n %{version} > version.xml
|
||||
|
||||
for m in %{SOURCE20} %{SOURCE21}; do
|
||||
# configuration files and setup script
|
||||
for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do
|
||||
cp ${m} .
|
||||
done
|
||||
for m in nss-config.xml setup-nsssysinit.xml; do
|
||||
for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do
|
||||
xmlto man ${m}
|
||||
done
|
||||
|
||||
# nss databases considered to be configuration files
|
||||
for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do
|
||||
cp ${m} .
|
||||
done
|
||||
for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do
|
||||
xmlto man ${m}
|
||||
done
|
||||
|
||||
|
||||
%check
|
||||
if [ $DISABLETEST -eq 1 ]; then
|
||||
echo "testing disabled"
|
||||
|
@ -453,10 +460,14 @@ echo "test suite completed"
|
|||
%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
|
||||
%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
|
||||
|
||||
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
|
||||
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
|
||||
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
|
||||
|
||||
touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
|
||||
%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
|
||||
|
||||
# Copy the binary libraries we want
|
||||
for file in libnss3.so libnssckbi.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so
|
||||
for file in libnss3.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so
|
||||
do
|
||||
%{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
|
||||
done
|
||||
|
@ -662,6 +673,12 @@ done
|
|||
|
||||
|
||||
%changelog
|
||||
* Mon Dec 09 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-1
|
||||
- Update to NSS_3_15_3_RTM
|
||||
- Resolves: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws
|
||||
- Fix option descriptions for setup-nsssysinit manpage
|
||||
- Remove unused patches
|
||||
|
||||
* Sun Oct 27 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-2
|
||||
- Use the full pristine sources from upstream
|
||||
- Bug 1019245 - ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird
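Review bot: The added `touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so` in the install hunk (`@ -453,10 +460,14`) leaves a zero-byte file at the path where the built-in root-certificate module used to be copied, and nothing in the hunk explains why. The real module is now installed to `%{_libdir}/nss/libnssckbi.so` and dropped from the copy loop, so the empty file is presumably a `%ghost` placeholder for a link set up in a scriptlet; the `%files` list and scriptlets are outside the visible hunks, so this cannot be confirmed here. A comment above the line, for example `# empty placeholder; the real libnssckbi.so lives in %{_libdir}/nss and is linked here at install time`, would record the intent. It is also worth confirming that an install where that link step does not run cannot leave applications loading an empty trust-anchor module from `%{_libdir}`.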
|
||||
|
|
|
@ -27,13 +27,9 @@
|
|||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>setup-nsssysinit</command>
|
||||
<arg><option>--prefix</option></arg>
|
||||
<arg><option>--exec-prefix</option></arg>
|
||||
<arg><option>--includedir</option></arg>
|
||||
<arg><option>--libs</option></arg>
|
||||
<arg><option>--cflags</option></arg>
|
||||
<arg><option>--libdir</option></arg>
|
||||
<arg><option>--version</option></arg>
|
||||
<arg><option>on</option></arg>
|
||||
<arg><option>off</option></arg>
|
||||
<arg><option>status</option></arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
|
@ -49,17 +45,17 @@
|
|||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--on</option></term>
|
||||
<term><option>on</option></term>
|
||||
<listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--off</option></term>
|
||||
<term><option>off</option></term>
|
||||
<listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--status</option> <replaceable>count</replaceable></term>
|
||||
<term><option>status</option></term>
|
||||
<listitem><simpara>returns whether nss-syinit is enabled or not.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -71,13 +67,13 @@
|
|||
|
||||
<para>The following example will query for the status of nss-sysinit:
|
||||
<programlisting>
|
||||
/usr/bin/setup-nsssysinit --status
|
||||
/usr/bin/setup-nsssysinit status
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
<para>The following example, when run as superuser, will turn on nss-sysinit:
|
||||
<programlisting>
|
||||
/usr/bin/setup-nsssysinit --on
|
||||
/usr/bin/setup-nsssysinit on
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
|
@ -85,7 +81,7 @@
|
|||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/usr/sbin/setup-nsssysinit</filename></para>
|
||||
<para><filename>/usr/bin/setup-nsssysinit</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
|
|
2
sources
2
sources
|
@ -8,4 +8,4 @@ f998b70c1be25e8bb9f5fdb5d50eb6f2 TestCA.ca.cert
|
|||
1b7b6808cd77d5df29bf5bb9e5fac967 TestUser50.cert
|
||||
ab0b56dd505a995425c03e5266f7c8d6 TestUser51.cert
|
||||
e82dd2b9520f9d0f5d101e7710d59656 nss-pem-20130828.tar.bz2
|
||||
154223568f9734c76c164b46c774450c nss-3.15.2.tar.gz
|
||||
1bb267452359bd37e34d072a215873d5 nss-3.15.3.tar.gz
|
||||
|
|