Merge branch 'f14' into f13
This commit is contained in:
commit
85c352f22b
4
.gitignore
vendored
4
.gitignore
vendored
@ -1,5 +1,5 @@
|
||||
nss-3.12.8-stripped.tar.bz2
|
||||
nss-pem-20100809.tar.bz2
|
||||
nss-3.12.9-stripped.tar.bz2
|
||||
nss-pem-20101125.tar.bz2
|
||||
blank-cert8.db
|
||||
blank-key3.db
|
||||
blank-secmod.db
|
||||
|
@ -1,237 +0,0 @@
|
||||
From 8bd0a0427e034262ff982fed98ca5e8c623165db Mon Sep 17 00:00:00 2001
|
||||
From: Rich Megginson <rmeggins@redhat.com>
|
||||
Date: Mon, 12 Jul 2010 16:31:01 -0600
|
||||
Subject: [PATCH] Add support for PKCS#8 encoded private keys
|
||||
|
||||
The code supports PKCS#1 encoded RSA private keys that begin with the
|
||||
BEGIN RSA PRIVATE KEY header in PEM files. This patch adds support for
|
||||
RSA private keys encoded in PEM files that begin with the header
|
||||
BEGIN PRIVATE KEY which are in PKCS#8 format.
|
||||
---
|
||||
prsa.c | 150 ++++++++++++++++++++++++++++++++++++++++++++++------------------
|
||||
util.c | 3 +-
|
||||
2 files changed, 110 insertions(+), 43 deletions(-)
|
||||
|
||||
diff --git a/prsa.c b/prsa.c
|
||||
index 5b2f379..8d4fb92 100644
|
||||
--- a/mozilla/security/nss/lib/ckfw/pem/prsa.c
|
||||
+++ b/mozilla/security/nss/lib/ckfw/pem/prsa.c
|
||||
@@ -63,6 +63,35 @@ const SEC_ASN1Template pem_RSAPrivateKeyTemplate[] = {
|
||||
{0}
|
||||
};
|
||||
|
||||
+static const SEC_ASN1Template pem_AttributeTemplate[] = {
|
||||
+ { SEC_ASN1_SEQUENCE,
|
||||
+ 0, NULL, sizeof(NSSLOWKEYAttribute) },
|
||||
+ { SEC_ASN1_OBJECT_ID, offsetof(NSSLOWKEYAttribute, attrType) },
|
||||
+ { SEC_ASN1_SET_OF | SEC_ASN1_XTRN, offsetof(NSSLOWKEYAttribute, attrValue),
|
||||
+ SEC_ASN1_SUB(SEC_AnyTemplate) },
|
||||
+ { 0 }
|
||||
+};
|
||||
+
|
||||
+static const SEC_ASN1Template pem_SetOfAttributeTemplate[] = {
|
||||
+ { SEC_ASN1_SET_OF, 0, pem_AttributeTemplate },
|
||||
+};
|
||||
+
|
||||
+const SEC_ASN1Template pem_PrivateKeyInfoTemplate[] = {
|
||||
+ { SEC_ASN1_SEQUENCE,
|
||||
+ 0, NULL, sizeof(NSSLOWKEYPrivateKeyInfo) },
|
||||
+ { SEC_ASN1_INTEGER,
|
||||
+ offsetof(NSSLOWKEYPrivateKeyInfo,version) },
|
||||
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
|
||||
+ offsetof(NSSLOWKEYPrivateKeyInfo,algorithm),
|
||||
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
|
||||
+ { SEC_ASN1_OCTET_STRING,
|
||||
+ offsetof(NSSLOWKEYPrivateKeyInfo,privateKey) },
|
||||
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
|
||||
+ offsetof(NSSLOWKEYPrivateKeyInfo, attributes),
|
||||
+ pem_SetOfAttributeTemplate },
|
||||
+ { 0 }
|
||||
+};
|
||||
+
|
||||
/* Declarations */
|
||||
SECStatus pem_RSA_Sign(pemLOWKEYPrivateKey * key, unsigned char *output,
|
||||
unsigned int *outputLen, unsigned int maxOutputLen,
|
||||
@@ -116,6 +145,79 @@ pem_DestroyPrivateKey(pemLOWKEYPrivateKey * privk)
|
||||
nss_ZFreeIf(privk);
|
||||
}
|
||||
|
||||
+/* decode and parse the rawkey into the lpk structure */
|
||||
+static pemLOWKEYPrivateKey *
|
||||
+pem_getPrivateKey(PLArenaPool *arena, SECItem *rawkey, CK_RV * pError, NSSItem *modulus)
|
||||
+{
|
||||
+ pemLOWKEYPrivateKey *lpk = NULL;
|
||||
+ SECStatus rv = SECFailure;
|
||||
+ NSSLOWKEYPrivateKeyInfo *pki = NULL;
|
||||
+ SECItem *keysrc = NULL;
|
||||
+
|
||||
+ /* make sure SECOID is initialized - not sure why we have to do this outside of nss_Init */
|
||||
+ if (SECSuccess != (rv = SECOID_Init())) {
|
||||
+ *pError = CKR_GENERAL_ERROR;
|
||||
+ return NULL; /* wha???? */
|
||||
+ }
|
||||
+
|
||||
+ pki = (NSSLOWKEYPrivateKeyInfo*)PORT_ArenaZAlloc(arena,
|
||||
+ sizeof(NSSLOWKEYPrivateKeyInfo));
|
||||
+ if(!pki) {
|
||||
+ *pError = CKR_HOST_MEMORY;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* let's first see if this is a "raw" RSA private key or an RSA private key in PKCS#8 format */
|
||||
+ rv = SEC_ASN1DecodeItem(arena, pki, pem_PrivateKeyInfoTemplate, rawkey);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ /* not PKCS#8 - assume it's a "raw" RSA private key */
|
||||
+ keysrc = rawkey;
|
||||
+ } else if (SECOID_GetAlgorithmTag(&pki->algorithm) == SEC_OID_PKCS1_RSA_ENCRYPTION) {
|
||||
+ keysrc = &pki->privateKey;
|
||||
+ } else { /* unsupported */
|
||||
+ *pError = CKR_FUNCTION_NOT_SUPPORTED;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ lpk = (pemLOWKEYPrivateKey *) nss_ZAlloc(NULL,
|
||||
+ sizeof(pemLOWKEYPrivateKey));
|
||||
+ if (lpk == NULL) {
|
||||
+ *pError = CKR_HOST_MEMORY;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ lpk->arena = arena;
|
||||
+ lpk->keyType = pemLOWKEYRSAKey;
|
||||
+ prepare_low_rsa_priv_key_for_asn1(lpk);
|
||||
+
|
||||
+ /* I don't know what this is supposed to accomplish. We free the old
|
||||
+ modulus data and set it again, making a copy of the new data.
|
||||
+ But we just allocated a new empty key structure above with
|
||||
+ nss_ZAlloc. So lpk->u.rsa.modulus.data is NULL and
|
||||
+ lpk->u.rsa.modulus.len. If the intention is to free the old
|
||||
+ modulus data, why not just set it to NULL after freeing? Why
|
||||
+ go through this unnecessary and confusing copying code?
|
||||
+ */
|
||||
+ if (modulus) {
|
||||
+ nss_ZFreeIf(modulus->data);
|
||||
+ modulus->data = (void *) nss_ZAlloc(NULL, lpk->u.rsa.modulus.len);
|
||||
+ modulus->size = lpk->u.rsa.modulus.len;
|
||||
+ nsslibc_memcpy(modulus->data, lpk->u.rsa.modulus.data,
|
||||
+ lpk->u.rsa.modulus.len);
|
||||
+ }
|
||||
+
|
||||
+ /* decode the private key and any algorithm parameters */
|
||||
+ rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
|
||||
+ keysrc);
|
||||
+
|
||||
+ if (rv != SECSuccess) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ return lpk;
|
||||
+}
|
||||
+
|
||||
void
|
||||
pem_PopulateModulusExponent(pemInternalObject * io)
|
||||
{
|
||||
@@ -123,7 +225,7 @@ pem_PopulateModulusExponent(pemInternalObject * io)
|
||||
const NSSItem *keyType = pem_FetchAttribute(io, CKA_KEY_TYPE);
|
||||
pemLOWKEYPrivateKey *lpk = NULL;
|
||||
PLArenaPool *arena;
|
||||
- SECStatus rv;
|
||||
+ CK_RV pError = 0;
|
||||
|
||||
/* make sure we have the right objects */
|
||||
if (((const NSSItem *) NULL == classItem) ||
|
||||
@@ -140,26 +242,12 @@ pem_PopulateModulusExponent(pemInternalObject * io)
|
||||
return;
|
||||
}
|
||||
|
||||
- lpk = (pemLOWKEYPrivateKey *) nss_ZAlloc(NULL,
|
||||
- sizeof(pemLOWKEYPrivateKey));
|
||||
+ lpk = pem_getPrivateKey(arena, io->u.key.key.privateKey, &pError, NULL);
|
||||
if (lpk == NULL) {
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
return;
|
||||
}
|
||||
|
||||
- lpk->arena = arena;
|
||||
- lpk->keyType = pemLOWKEYRSAKey;
|
||||
- prepare_low_rsa_priv_key_for_asn1(lpk);
|
||||
-
|
||||
- /* decode the private key and any algorithm parameters */
|
||||
- rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
|
||||
- io->u.key.key.privateKey);
|
||||
-
|
||||
- if (rv != SECSuccess) {
|
||||
- PORT_FreeArena(arena, PR_FALSE);
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
nss_ZFreeIf(io->u.key.key.modulus.data);
|
||||
io->u.key.key.modulus.data =
|
||||
(void *) nss_ZAlloc(NULL, lpk->u.rsa.modulus.len);
|
||||
@@ -252,13 +340,6 @@ pem_mdCryptoOperationRSAPriv_Create
|
||||
pemInternalCryptoOperationRSAPriv *iOperation;
|
||||
pemLOWKEYPrivateKey *lpk = NULL;
|
||||
PLArenaPool *arena;
|
||||
- SECStatus rv;
|
||||
-
|
||||
- arena = PORT_NewArena(2048);
|
||||
- if (!arena) {
|
||||
- *pError = CKR_HOST_MEMORY;
|
||||
- return (NSSCKMDCryptoOperation *) NULL;
|
||||
- }
|
||||
|
||||
/* make sure we have the right objects */
|
||||
if (((const NSSItem *) NULL == classItem) ||
|
||||
@@ -271,30 +352,15 @@ pem_mdCryptoOperationRSAPriv_Create
|
||||
return (NSSCKMDCryptoOperation *) NULL;
|
||||
}
|
||||
|
||||
- lpk = (pemLOWKEYPrivateKey *) nss_ZAlloc(NULL,
|
||||
- sizeof (pemLOWKEYPrivateKey));
|
||||
- if (lpk == NULL) {
|
||||
+ arena = PORT_NewArena(2048);
|
||||
+ if (!arena) {
|
||||
*pError = CKR_HOST_MEMORY;
|
||||
return (NSSCKMDCryptoOperation *) NULL;
|
||||
}
|
||||
- lpk->arena = arena;
|
||||
- lpk->keyType = pemLOWKEYRSAKey;
|
||||
- prepare_low_rsa_priv_key_for_asn1(lpk);
|
||||
|
||||
- nss_ZFreeIf(iKey->u.key.key.modulus.data);
|
||||
- iKey->u.key.key.modulus.data =
|
||||
- (void *) nss_ZAlloc(NULL, lpk->u.rsa.modulus.len);
|
||||
- iKey->u.key.key.modulus.size = lpk->u.rsa.modulus.len;
|
||||
- nsslibc_memcpy(iKey->u.key.key.modulus.data, lpk->u.rsa.modulus.data,
|
||||
- lpk->u.rsa.modulus.len);
|
||||
-
|
||||
- /* decode the private key and any algorithm parameters */
|
||||
- rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
|
||||
- iKey->u.key.key.privateKey);
|
||||
-
|
||||
- if (rv != SECSuccess) {
|
||||
+ lpk = pem_getPrivateKey(arena, iKey->u.key.key.privateKey, pError, &iKey->u.key.key.modulus);
|
||||
+ if (lpk == NULL) {
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
- *pError = CKR_HOST_MEMORY;
|
||||
return (NSSCKMDCryptoOperation *) NULL;
|
||||
}
|
||||
|
||||
diff --git a/util.c b/util.c
|
||||
index a6ca094..d02ee87 100644
|
||||
--- a/mozilla/security/nss/lib/ckfw/pem/util.c
|
||||
+++ b/mozilla/security/nss/lib/ckfw/pem/util.c
|
||||
@@ -164,7 +164,8 @@ ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
|
||||
int key = 0;
|
||||
while ((asc) && ((body = strstr(asc, "-----BEGIN")) != NULL)) {
|
||||
key = 0;
|
||||
- if (strncmp(body, "-----BEGIN RSA PRIVATE KEY", 25) == 0) {
|
||||
+ if ((strncmp(body, "-----BEGIN RSA PRIVATE KEY", 25) == 0) ||
|
||||
+ (strncmp(body, "-----BEGIN PRIVATE KEY", 21) == 0)) {
|
||||
key = 1;
|
||||
c = body;
|
||||
body = strchr(body, '\n');
|
||||
--
|
||||
1.5.5.6
|
||||
|
@ -1,35 +0,0 @@
|
||||
From 9b7334b61cf3277e5eb48b716f6719b4636e2572 Mon Sep 17 00:00:00 2001
|
||||
From: Rich Megginson <rmeggins@redhat.com>
|
||||
Date: Mon, 12 Jul 2010 17:21:01 -0600
|
||||
Subject: [PATCH] Do not define SEC_SkipTemplate
|
||||
|
||||
Building NSS with PEM support gives an error in pbobject due to multiple
|
||||
definitions of SEC_SkipTemplate. This is already defined in libnssutil
|
||||
---
|
||||
pobject.c | 3 +++
|
||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/pobject.c b/pobject.c
|
||||
index 81b9028..48f5e78 100644
|
||||
--- a/mozilla/security/nss/lib/ckfw/pem/pobject.c
|
||||
+++ b/mozilla/security/nss/lib/ckfw/pem/pobject.c
|
||||
@@ -172,6 +172,8 @@ static const NSSItem pem_trusted = {
|
||||
(void *) &ckt_netscape_trusted, (PRUint32) sizeof(CK_TRUST)
|
||||
};
|
||||
|
||||
+/* SEC_SkipTemplate is already defined and exported by libnssutil */
|
||||
+#ifdef SEC_SKIP_TEMPLATE
|
||||
/*
|
||||
* Template for skipping a subitem.
|
||||
*
|
||||
@@ -182,6 +184,7 @@ static const NSSItem pem_trusted = {
|
||||
const SEC_ASN1Template SEC_SkipTemplate[] = {
|
||||
{SEC_ASN1_SKIP}
|
||||
};
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* Find the subjectName in a DER encoded certificate
|
||||
--
|
||||
1.5.5.6
|
||||
|
196
honor-user-trust-preferences.patch
Normal file
196
honor-user-trust-preferences.patch
Normal file
@ -0,0 +1,196 @@
|
||||
Index: ./mozilla/security/nss/lib/pk11wrap/pk11load.c
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11load.c,v
|
||||
retrieving revision 1.30
|
||||
retrieving revision 1.30.2.2
|
||||
diff -u -p -r1.30 -r1.30.2.2
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11load.c 30 Apr 2010 07:22:54 -0000 1.30
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11load.c 27 Jan 2011 01:35:46 -0000 1.30.2.2
|
||||
@@ -178,8 +178,8 @@ secmod_handleReload(SECMODModule *oldMod
|
||||
char *oldModuleSpec;
|
||||
|
||||
if (secmod_IsInternalKeySlot(newModule)) {
|
||||
- pk11_SetInternalKeySlot(slot);
|
||||
- }
|
||||
+ pk11_SetInternalKeySlotIfFirst(slot);
|
||||
+ }
|
||||
newID = slot->slotID;
|
||||
PK11_FreeSlot(slot);
|
||||
for (thisChild=children, thisID=ids; thisChild && *thisChild;
|
||||
@@ -550,6 +550,11 @@ secmod_LoadPKCS11Module(SECMODModule *mo
|
||||
/* look down the slot info table */
|
||||
PK11_LoadSlotList(mod->slots[i],mod->slotInfo,mod->slotInfoCount);
|
||||
SECMOD_SetRootCerts(mod->slots[i],mod);
|
||||
+ /* explicitly mark the internal slot as such if IsInternalKeySlot()
|
||||
+ * is set */
|
||||
+ if (secmod_IsInternalKeySlot(mod) && (i == (mod->isFIPS ? 0 : 1))) {
|
||||
+ pk11_SetInternalKeySlotIfFirst(mod->slots[i]);
|
||||
+ }
|
||||
}
|
||||
mod->slotCount = slotCount;
|
||||
mod->slotInfoCount = 0;
|
||||
Index: ./mozilla/security/nss/lib/pk11wrap/pk11priv.h
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11priv.h,v
|
||||
retrieving revision 1.13
|
||||
retrieving revision 1.13.2.2
|
||||
diff -u -p -r1.13 -r1.13.2.2
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 27 Oct 2009 23:04:46 -0000 1.13
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 27 Jan 2011 01:35:46 -0000 1.13.2.2
|
||||
@@ -115,6 +115,7 @@ void PK11_InitSlot(SECMODModule *mod,CK_
|
||||
PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
|
||||
SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
|
||||
void pk11_SetInternalKeySlot(PK11SlotInfo *slot);
|
||||
+void pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot);
|
||||
|
||||
/*********************************************************************
|
||||
* Mechanism Mapping functions
|
||||
Index: ./mozilla/security/nss/lib/pk11wrap/pk11slot.c
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11slot.c,v
|
||||
retrieving revision 1.101
|
||||
retrieving revision 1.101.2.3
|
||||
diff -u -p -r1.101 -r1.101.2.3
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 3 Apr 2010 18:27:31 -0000 1.101
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 27 Jan 2011 01:35:46 -0000 1.101.2.3
|
||||
@@ -1349,7 +1349,7 @@ pk11_isRootSlot(PK11SlotInfo *slot)
|
||||
* times as tokens are removed and re-inserted.
|
||||
*/
|
||||
void
|
||||
-PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot)
|
||||
+PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot)
|
||||
{
|
||||
SECStatus rv;
|
||||
char *tmp;
|
||||
@@ -1726,6 +1726,12 @@ PK11_NeedUserInit(PK11SlotInfo *slot)
|
||||
}
|
||||
|
||||
static PK11SlotInfo *pk11InternalKeySlot = NULL;
|
||||
+
|
||||
+/*
|
||||
+ * Set a new default internal keyslot. If one has already been set, clear it.
|
||||
+ * Passing NULL falls back to the NSS normally selected default internal key
|
||||
+ * slot.
|
||||
+ */
|
||||
void
|
||||
pk11_SetInternalKeySlot(PK11SlotInfo *slot)
|
||||
{
|
||||
@@ -1735,6 +1741,20 @@ pk11_SetInternalKeySlot(PK11SlotInfo *sl
|
||||
pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Set a new default internal keyslot if the normal key slot has not already
|
||||
+ * been overridden. Subsequent calls to this function will be ignored unless
|
||||
+ * pk11_SetInternalKeySlot is used to clear the current default.
|
||||
+ */
|
||||
+void
|
||||
+pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot)
|
||||
+{
|
||||
+ if (pk11InternalKeySlot) {
|
||||
+ return;
|
||||
+ }
|
||||
+ pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
|
||||
+}
|
||||
+
|
||||
|
||||
/* get the internal key slot. FIPS has only one slot for both key slots and
|
||||
* default slots */
|
||||
Index: ./mozilla/security/nss/lib/sysinit/nsssysinit.c
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/sysinit/nsssysinit.c,v
|
||||
retrieving revision 1.2
|
||||
retrieving revision 1.2.2.2
|
||||
diff -u -p -r1.2 -r1.2.2.2
|
||||
--- ./mozilla/security/nss/lib/sysinit/nsssysinit.c 6 Feb 2010 04:56:37 -0000 1.2
|
||||
+++ ./mozilla/security/nss/lib/sysinit/nsssysinit.c 26 Jan 2011 00:52:31 -0000 1.2.2.2
|
||||
@@ -221,16 +221,16 @@ getFIPSMode(void)
|
||||
* 2 for the key slot, and
|
||||
* 3 for the crypto operations slot fips
|
||||
*/
|
||||
-#define ORDER_FLAGS "trustOrder=75 cipherOrder=100"
|
||||
+#define CIPHER_ORDER_FLAGS "cipherOrder=100"
|
||||
#define SLOT_FLAGS \
|
||||
"[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \
|
||||
" askpw=any timeout=30 ]"
|
||||
|
||||
static const char *nssDefaultFlags =
|
||||
- ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " } ";
|
||||
+ CIPHER_ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " } ";
|
||||
|
||||
static const char *nssDefaultFIPSFlags =
|
||||
- ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " } ";
|
||||
+ CIPHER_ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " } ";
|
||||
|
||||
/*
|
||||
* This function builds the list of databases and modules to load, and sets
|
||||
@@ -270,7 +270,7 @@ get_list(char *filename, char *stripped_
|
||||
"library= "
|
||||
"module=\"NSS User database\" "
|
||||
"parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" "
|
||||
- "NSS=\"%sflags=internal%s\"",
|
||||
+ "NSS=\"trustOrder=75 %sflags=internal%s\"",
|
||||
userdb, stripped_parameters, nssflags,
|
||||
isFIPS ? ",FIPS" : "");
|
||||
|
||||
@@ -284,30 +284,6 @@ get_list(char *filename, char *stripped_
|
||||
userdb, stripped_parameters);
|
||||
}
|
||||
|
||||
-#if 0
|
||||
- /* This doesn't actually work. If we register
|
||||
- both this and the sysdb (in either order)
|
||||
- then only one of them actually shows up */
|
||||
-
|
||||
- /* Using a NULL filename as a Boolean flag to
|
||||
- * prevent registering both an application-defined
|
||||
- * db and the system db. rhbz #546211.
|
||||
- */
|
||||
- PORT_Assert(filename);
|
||||
- if (sysdb && PL_CompareStrings(filename, sysdb))
|
||||
- filename = NULL;
|
||||
- else if (userdb && PL_CompareStrings(filename, userdb))
|
||||
- filename = NULL;
|
||||
-
|
||||
- if (filename && !userIsRoot()) {
|
||||
- module_list[next++] = PR_smprintf(
|
||||
- "library= "
|
||||
- "module=\"NSS database\" "
|
||||
- "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
|
||||
- "NSS=\"%sflags=internal\"",filename, filename, nssflags);
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
/* now the system database (always read only unless it's root) */
|
||||
if (sysdb) {
|
||||
const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
|
||||
@@ -315,7 +291,7 @@ get_list(char *filename, char *stripped_
|
||||
"library= "
|
||||
"module=\"NSS system database\" "
|
||||
"parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
|
||||
- "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
|
||||
+ "NSS=\"trustOrder=80 %sflags=internal,critical\"",sysdb, readonly, nssflags);
|
||||
}
|
||||
|
||||
/* that was the last module */
|
||||
@@ -372,9 +348,9 @@ overlapstrcpy(char *target, char *src)
|
||||
|
||||
/* determine what options the user was trying to open this database with */
|
||||
/* filename is the directory pointed to by configdir= */
|
||||
-/* stripped is the rest of the paramters with configdir= stripped out */
|
||||
+/* stripped is the rest of the parameters with configdir= stripped out */
|
||||
static SECStatus
|
||||
-parse_paramters(char *parameters, char **filename, char **stripped)
|
||||
+parse_parameters(char *parameters, char **filename, char **stripped)
|
||||
{
|
||||
char *sourcePrev;
|
||||
char *sourceCurr;
|
||||
@@ -423,7 +399,7 @@ NSS_ReturnModuleSpecData(unsigned long f
|
||||
char **retString = NULL;
|
||||
SECStatus rv;
|
||||
|
||||
- rv = parse_paramters(parameters, &filename, &stripped);
|
||||
+ rv = parse_parameters(parameters, &filename, &stripped);
|
||||
if (rv != SECSuccess) {
|
||||
/* use defaults */
|
||||
filename = getSystemDB();
|
@ -1,65 +0,0 @@
|
||||
diff -up ./mozilla/security/nss/lib/sysinit/nsssysinit.c.orig ./mozilla/security/nss/lib/sysinit/nsssysinit.c
|
||||
--- ./mozilla/security/nss/lib/sysinit/nsssysinit.c.orig 2010-06-17 09:17:30.732643399 -0700
|
||||
+++ ./mozilla/security/nss/lib/sysinit/nsssysinit.c 2010-06-17 09:20:22.691642397 -0700
|
||||
@@ -263,9 +263,18 @@ get_list(char *filename, char *stripped_
|
||||
sysdb = getSystemDB();
|
||||
userdb = getUserDB();
|
||||
|
||||
- /* Don't open root's user DB */
|
||||
+ /* return a list of databases to open. First the system database. */
|
||||
+ if (sysdb) {
|
||||
+ const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
|
||||
+ module_list[next++] = PR_smprintf(
|
||||
+ "library= "
|
||||
+ "module=\"NSS system database\" "
|
||||
+ "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
|
||||
+ "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
|
||||
+ }
|
||||
+
|
||||
+ /* Next the user database, but not for root. */
|
||||
if (userdb != NULL && !userIsRoot()) {
|
||||
- /* return a list of databases to open. First the user Database */
|
||||
module_list[next++] = PR_smprintf(
|
||||
"library= "
|
||||
"module=\"NSS User database\" "
|
||||
@@ -284,40 +293,6 @@ get_list(char *filename, char *stripped_
|
||||
userdb, stripped_parameters);
|
||||
}
|
||||
|
||||
-#if 0
|
||||
- /* This doesn't actually work. If we register
|
||||
- both this and the sysdb (in either order)
|
||||
- then only one of them actually shows up */
|
||||
-
|
||||
- /* Using a NULL filename as a Boolean flag to
|
||||
- * prevent registering both an application-defined
|
||||
- * db and the system db. rhbz #546211.
|
||||
- */
|
||||
- PORT_Assert(filename);
|
||||
- if (sysdb && PL_CompareStrings(filename, sysdb))
|
||||
- filename = NULL;
|
||||
- else if (userdb && PL_CompareStrings(filename, userdb))
|
||||
- filename = NULL;
|
||||
-
|
||||
- if (filename && !userIsRoot()) {
|
||||
- module_list[next++] = PR_smprintf(
|
||||
- "library= "
|
||||
- "module=\"NSS database\" "
|
||||
- "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
|
||||
- "NSS=\"%sflags=internal\"",filename, filename, nssflags);
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
- /* now the system database (always read only unless it's root) */
|
||||
- if (sysdb) {
|
||||
- const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
|
||||
- module_list[next++] = PR_smprintf(
|
||||
- "library= "
|
||||
- "module=\"NSS system database\" "
|
||||
- "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
|
||||
- "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
|
||||
- }
|
||||
-
|
||||
/* that was the last module */
|
||||
module_list[next] = 0;
|
||||
|
@ -1,127 +0,0 @@
|
||||
diff -up ./mozilla/security/nss/lib/ckfw/pem/pinst.c.596783 ./mozilla/security/nss/lib/ckfw/pem/pinst.c
|
||||
--- ./mozilla/security/nss/lib/ckfw/pem/pinst.c.596783 2010-06-06 18:27:27.256318318 -0700
|
||||
+++ ./mozilla/security/nss/lib/ckfw/pem/pinst.c 2010-06-06 20:45:28.158442982 -0700
|
||||
@@ -151,7 +151,7 @@ GetCertFields(unsigned char *cert, int c
|
||||
buf = issuer->data + issuer->len;
|
||||
|
||||
/* only wanted issuer/SN */
|
||||
- if (valid == NULL) {
|
||||
+ if (subject == NULL || valid == NULL || subjkey == NULL) {
|
||||
return SECSuccess;
|
||||
}
|
||||
/* validity */
|
||||
@@ -219,53 +219,93 @@ CreateObject(CK_OBJECT_CLASS objClass,
|
||||
memset(&o->u.trust, 0, sizeof(o->u.trust));
|
||||
break;
|
||||
}
|
||||
+
|
||||
+ o->nickname = (char *) nss_ZAlloc(NULL, strlen(nickname) + 1);
|
||||
+ if (o->nickname == NULL)
|
||||
+ goto fail;
|
||||
+ strcpy(o->nickname, nickname);
|
||||
+
|
||||
+ sprintf(id, "%d", objid);
|
||||
+ len = strlen(id) + 1; /* zero terminate */
|
||||
+ o->id.data = (void *) nss_ZAlloc(NULL, len);
|
||||
+ if (o->id.data == NULL)
|
||||
+ goto fail;
|
||||
+ (void) nsslibc_memcpy(o->id.data, id, len);
|
||||
+ o->id.size = len;
|
||||
+
|
||||
o->objClass = objClass;
|
||||
o->type = type;
|
||||
o->slotID = slotID;
|
||||
+
|
||||
o->derCert = nss_ZNEW(NULL, SECItem);
|
||||
+ if (o->derCert == NULL)
|
||||
+ goto fail;
|
||||
o->derCert->data = (void *) nss_ZAlloc(NULL, certDER->len);
|
||||
+ if (o->derCert->data == NULL)
|
||||
+ goto fail;
|
||||
o->derCert->len = certDER->len;
|
||||
nsslibc_memcpy(o->derCert->data, certDER->data, certDER->len);
|
||||
|
||||
switch (objClass) {
|
||||
case CKO_CERTIFICATE:
|
||||
case CKO_NETSCAPE_TRUST:
|
||||
- GetCertFields(o->derCert->data,
|
||||
- o->derCert->len, &issuer, &serial,
|
||||
- &derSN, &subject, &valid, &subjkey);
|
||||
+ if (SECSuccess != GetCertFields(o->derCert->data, o->derCert->len,
|
||||
+ &issuer, &serial, &derSN, &subject,
|
||||
+ &valid, &subjkey))
|
||||
+ goto fail;
|
||||
|
||||
o->u.cert.subject.data = (void *) nss_ZAlloc(NULL, subject.len);
|
||||
+ if (o->u.cert.subject.data == NULL)
|
||||
+ goto fail;
|
||||
o->u.cert.subject.size = subject.len;
|
||||
nsslibc_memcpy(o->u.cert.subject.data, subject.data, subject.len);
|
||||
|
||||
o->u.cert.issuer.data = (void *) nss_ZAlloc(NULL, issuer.len);
|
||||
+ if (o->u.cert.issuer.data == NULL) {
|
||||
+ nss_ZFreeIf(o->u.cert.subject.data);
|
||||
+ goto fail;
|
||||
+ }
|
||||
o->u.cert.issuer.size = issuer.len;
|
||||
nsslibc_memcpy(o->u.cert.issuer.data, issuer.data, issuer.len);
|
||||
|
||||
o->u.cert.serial.data = (void *) nss_ZAlloc(NULL, serial.len);
|
||||
+ if (o->u.cert.serial.data == NULL) {
|
||||
+ nss_ZFreeIf(o->u.cert.issuer.data);
|
||||
+ nss_ZFreeIf(o->u.cert.subject.data);
|
||||
+ goto fail;
|
||||
+ }
|
||||
o->u.cert.serial.size = serial.len;
|
||||
nsslibc_memcpy(o->u.cert.serial.data, serial.data, serial.len);
|
||||
break;
|
||||
case CKO_PRIVATE_KEY:
|
||||
o->u.key.key.privateKey = nss_ZNEW(NULL, SECItem);
|
||||
+ if (o->u.key.key.privateKey == NULL)
|
||||
+ goto fail;
|
||||
o->u.key.key.privateKey->data =
|
||||
(void *) nss_ZAlloc(NULL, keyDER->len);
|
||||
+ if (o->u.key.key.privateKey->data == NULL) {
|
||||
+ nss_ZFreeIf(o->u.key.key.privateKey);
|
||||
+ goto fail;
|
||||
+ }
|
||||
o->u.key.key.privateKey->len = keyDER->len;
|
||||
nsslibc_memcpy(o->u.key.key.privateKey->data, keyDER->data,
|
||||
keyDER->len);
|
||||
}
|
||||
|
||||
- o->nickname = (char *) nss_ZAlloc(NULL, strlen(nickname) + 1);
|
||||
- strcpy(o->nickname, nickname);
|
||||
-
|
||||
- sprintf(id, "%d", objid);
|
||||
-
|
||||
- len = strlen(id) + 1; /* zero terminate */
|
||||
- o->id.data = (void *) nss_ZAlloc(NULL, len);
|
||||
- (void) nsslibc_memcpy(o->id.data, id, len);
|
||||
- o->id.size = len;
|
||||
|
||||
return o;
|
||||
+
|
||||
+fail:
|
||||
+ if (o) {
|
||||
+ if (o->derCert) {
|
||||
+ nss_ZFreeIf(o->derCert->data);
|
||||
+ nss_ZFreeIf(o->derCert);
|
||||
+ }
|
||||
+ nss_ZFreeIf(o->id.data);
|
||||
+ nss_ZFreeIf(o->nickname);
|
||||
+ nss_ZFreeIf(o);
|
||||
+ }
|
||||
+ return NULL;
|
||||
}
|
||||
|
||||
pemInternalObject *
|
||||
@@ -306,6 +346,8 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objCla
|
||||
/* object not found, we need to create it */
|
||||
pemInternalObject *io = CreateObject(objClass, type, certDER, keyDER,
|
||||
filename, objid, slotID);
|
||||
+ if (io == NULL)
|
||||
+ return NULL;
|
||||
|
||||
io->gobjIndex = count;
|
||||
|
52
nsspem-642433.patch
Normal file
52
nsspem-642433.patch
Normal file
@ -0,0 +1,52 @@
|
||||
diff -up ./mozilla/security/nss/lib/ckfw/pem/util.c.642433 ./mozilla/security/nss/lib/ckfw/pem/util.c
|
||||
--- ./mozilla/security/nss/lib/ckfw/pem/util.c.642433 2010-11-25 10:49:27.000000000 -0800
|
||||
+++ ./mozilla/security/nss/lib/ckfw/pem/util.c 2010-12-08 08:02:02.618304926 -0800
|
||||
@@ -96,9 +96,6 @@ static SECItem *AllocItem(SECItem * item
|
||||
return (result);
|
||||
|
||||
loser:
|
||||
- if (result != NULL) {
|
||||
- SECITEM_FreeItem(result, (item == NULL) ? PR_TRUE : PR_FALSE);
|
||||
- }
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
@@ -110,7 +107,7 @@ static SECStatus FileToItem(SECItem * ds
|
||||
|
||||
prStatus = PR_GetOpenFileInfo(src, &info);
|
||||
|
||||
- if (prStatus != PR_SUCCESS) {
|
||||
+ if (prStatus != PR_SUCCESS || info.type == PR_FILE_DIRECTORY) {
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
@@ -126,8 +123,7 @@ static SECStatus FileToItem(SECItem * ds
|
||||
|
||||
return SECSuccess;
|
||||
loser:
|
||||
- SECITEM_FreeItem(dst, PR_FALSE);
|
||||
- nss_ZFreeIf(dst);
|
||||
+ nss_ZFreeIf(dst->data);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
@@ -153,6 +149,10 @@ ReadDERFromFile(SECItem *** derlist, cha
|
||||
|
||||
/* Read in ascii data */
|
||||
rv = FileToItem(&filedata, inFile);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ PR_Close(inFile);
|
||||
+ return -1;
|
||||
+ }
|
||||
asc = (char *) filedata.data;
|
||||
if (!asc) {
|
||||
PR_Close(inFile);
|
||||
@@ -252,7 +252,7 @@ ReadDERFromFile(SECItem *** derlist, cha
|
||||
} else {
|
||||
/* Read in binary der */
|
||||
rv = FileToItem(der, inFile);
|
||||
- if (rv) {
|
||||
+ if (rv != SECSuccess) {
|
||||
PR_Close(inFile);
|
||||
return -1;
|
||||
}
|
4
sources
4
sources
@ -1,5 +1,5 @@
|
||||
248bc97cb3fd613b23d66fd1d9d8d60a nss-3.12.8-stripped.tar.bz2
|
||||
765fa031d5affa91ab824dd981777ddf nss-pem-20100809.tar.bz2
|
||||
b3dda60fc3d22d1b02b2330428a2b759 nss-3.12.9-stripped.tar.bz2
|
||||
e63cddf74c07f0d818d1052ecc6fbb1f nss-pem-20101125.tar.bz2
|
||||
a5ae49867124ac75f029a9a33af31bad blank-cert8.db
|
||||
9315689bbd9f28ceebd47894f99fccbd blank-key3.db
|
||||
73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db
|
||||
|
97
swap-internal-key-slot.patch
Normal file
97
swap-internal-key-slot.patch
Normal file
@ -0,0 +1,97 @@
|
||||
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11pars.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11pars.c
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11pars.c.jss 2011-02-11 07:45:38.324083242 -0800
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11pars.c 2011-02-11 07:48:14.514166538 -0800
|
||||
@@ -258,6 +258,19 @@ secmod_IsInternalKeySlot(SECMODModule *m
|
||||
return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
|
||||
}
|
||||
|
||||
+void
|
||||
+secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val)
|
||||
+{
|
||||
+ char flags = (char) mod->internal;
|
||||
+
|
||||
+ if (val) {
|
||||
+ flags |= SECMOD_FLAG_INTERNAL_KEY_SLOT;
|
||||
+ } else {
|
||||
+ flags &= ~SECMOD_FLAG_INTERNAL_KEY_SLOT;
|
||||
+ }
|
||||
+ mod->internal = flags;
|
||||
+}
|
||||
+
|
||||
/* forward declarations */
|
||||
static int secmod_escapeSize(const char *string, char quote);
|
||||
static char *secmod_addEscape(const char *string, char quote);
|
||||
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11priv.h.jss ./mozilla/security/nss/lib/pk11wrap/pk11priv.h
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11priv.h.jss 2011-02-11 07:47:45.037226877 -0800
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 2011-02-11 07:48:28.854164207 -0800
|
||||
@@ -115,6 +115,7 @@ void PK11_InitSlot(SECMODModule *mod,CK_
|
||||
PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
|
||||
SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
|
||||
void pk11_SetInternalKeySlot(PK11SlotInfo *slot);
|
||||
+PK11SlotInfo *pk11_SwapInternalKeySlot(PK11SlotInfo *slot);
|
||||
void pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot);
|
||||
|
||||
/*********************************************************************
|
||||
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11slot.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11slot.c
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11slot.c.jss 2011-02-11 07:41:11.258746774 -0800
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 2011-02-11 07:48:51.291595867 -0800
|
||||
@@ -1755,6 +1755,18 @@ pk11_SetInternalKeySlotIfFirst(PK11SlotI
|
||||
pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Swap out a default internal keyslot. Caller owns the Slot Reference
|
||||
+ */
|
||||
+PK11SlotInfo *
|
||||
+pk11_SwapInternalKeySlot(PK11SlotInfo *slot)
|
||||
+{
|
||||
+ PK11SlotInfo *swap = pk11InternalKeySlot;
|
||||
+
|
||||
+ pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
|
||||
+ return swap;
|
||||
+}
|
||||
+
|
||||
|
||||
/* get the internal key slot. FIPS has only one slot for both key slots and
|
||||
* default slots */
|
||||
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11util.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11util.c
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11util.c.jss 2011-02-11 07:40:23.748066635 -0800
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11util.c 2011-02-11 07:49:19.674611909 -0800
|
||||
@@ -483,13 +483,25 @@ SECMOD_DeleteInternalModule(const char *
|
||||
NULL, SECMOD_FIPS_FLAGS);
|
||||
}
|
||||
if (newModule) {
|
||||
+ PK11SlotInfo *slot;
|
||||
newModule->libraryParams =
|
||||
PORT_ArenaStrdup(newModule->arena,mlp->module->libraryParams);
|
||||
+ /* if an explicit internal key slot has been set, reset it */
|
||||
+ slot = pk11_SwapInternalKeySlot(NULL);
|
||||
+ if (slot) {
|
||||
+ secmod_SetInternalKeySlotFlag(newModule, PR_TRUE);
|
||||
+ }
|
||||
rv = SECMOD_AddModule(newModule);
|
||||
if (rv != SECSuccess) {
|
||||
+ /* load failed, restore the internal key slot */
|
||||
+ pk11_SetInternalKeySlot(slot);
|
||||
SECMOD_DestroyModule(newModule);
|
||||
newModule = NULL;
|
||||
}
|
||||
+ /* free the old explicit internal key slot, we now have a new one */
|
||||
+ if (slot) {
|
||||
+ PK11_FreeSlot(slot);
|
||||
+ }
|
||||
}
|
||||
if (newModule == NULL) {
|
||||
SECMODModuleList *last = NULL,*mlp2;
|
||||
diff -up ./mozilla/security/nss/lib/pk11wrap/secmodi.h.jss ./mozilla/security/nss/lib/pk11wrap/secmodi.h
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/secmodi.h.jss 2011-02-11 07:39:04.685590962 -0800
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/secmodi.h 2011-02-11 07:49:28.120021571 -0800
|
||||
@@ -90,6 +90,8 @@ SECStatus secmod_LoadPKCS11Module(SECMOD
|
||||
SECStatus SECMOD_UnloadModule(SECMODModule *);
|
||||
void SECMOD_SetInternalModule(SECMODModule *);
|
||||
PRBool secmod_IsInternalKeySlot(SECMODModule *);
|
||||
+void secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val);
|
||||
+
|
||||
|
||||
/* tools for checking if we are loading the same database twice */
|
||||
typedef struct SECMODConfigListStr SECMODConfigList;
|
Loading…
Reference in New Issue
Block a user