Update to nss-3.16.2 and sync up with changes made for rhel-7.1

This commit is contained in:
Elio Maldonado 2014-07-10 20:40:12 -07:00
parent d0f5af3a94
commit f2b8284caa
2 changed files with 0 additions and 919 deletions

View File

@ -1,877 +0,0 @@
diff -up ./nss/doc/certutil.xml.cleanup ./nss/doc/certutil.xml
--- ./nss/doc/certutil.xml.cleanup 2014-05-12 07:53:59.711219952 -0700
+++ ./nss/doc/certutil.xml 2014-05-12 07:53:59.763220129 -0700
@@ -196,10 +196,10 @@ If this option is not used, the validity
<para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para>
<para>NSS recognizes the following prefixes:</para>
<itemizedlist>
- <listitem><para><command>sql: requests the newer database</command></para></listitem>
- <listitem><para><command>dbm: requests the legacy database</command></para></listitem>
+ <listitem><para><command>sql:</command> requests the newer database</para></listitem>
+ <listitem><para><command>dbm:</command> requests the legacy database</para></listitem>
</itemizedlist>
- <para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.</para>
+ <para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <command>dbm:</command> is the default.</para>
</listitem>
</varlistentry>
@@ -432,11 +432,11 @@ of the attribute codes:
<varlistentry>
<term>-1 | --keyUsage keyword,keyword</term>
- <listitem><para>Set a Netscape Certificate Type Extension in the certificate. There are several available keywords:</para>
+ <listitem><para>Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:</para>
<itemizedlist>
<listitem>
<para>
- digital signature
+ digitalSignature
</para>
</listitem>
<listitem>
@@ -498,7 +498,7 @@ of the attribute codes:
<varlistentry>
<term>-5 | --nsCertType keyword,keyword</term>
- <listitem><para>Add a Netscape certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</para>
+ <listitem><para>Add an X.509 V3 certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</para>
<itemizedlist>
<listitem>
<para>
diff -up ./nss/doc/cmsutil.xml.cleanup ./nss/doc/cmsutil.xml
--- ./nss/doc/cmsutil.xml.cleanup 2013-11-09 09:23:30.000000000 -0800
+++ ./nss/doc/cmsutil.xml 2014-05-12 07:53:59.763220129 -0700
@@ -62,16 +62,16 @@ The options and arguments for the cmsuti
</para>
<variablelist>
<varlistentry>
- <term>-D </term>
- <listitem><para>Decode a message.</para></listitem>
- </varlistentry>
-
- <varlistentry>
<term>-C</term>
<listitem><para>Encrypt a message.</para></listitem>
</varlistentry>
<varlistentry>
+ <term>-D </term>
+ <listitem><para>Decode a message.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-E </term>
<listitem><para>Envelope a message.</para></listitem>
</varlistentry>
@@ -267,23 +267,11 @@ cmsutil -S [-i infile] [-o outfile] [-d
</refsection>
- <refsection>
+ <refsection id="seealso">
<title>See also</title>
<para>certutil(1)</para>
</refsection>
-
- <refsection id="seealso">
- <title>See Also</title>
- <para></para>
- <para>
- </para>
- <para>
- </para>
- <para>
- </para>
- </refsection>
-
<!-- don't change -->
<refsection id="resources">
<title>Additional Resources</title>
diff -up ./nss/doc/crlutil.xml.cleanup ./nss/doc/crlutil.xml
--- ./nss/doc/crlutil.xml.cleanup 2013-11-09 09:23:30.000000000 -0800
+++ ./nss/doc/crlutil.xml 2014-05-12 08:14:08.126368273 -0700
@@ -76,15 +76,6 @@ The options and arguments for the crluti
<variablelist>
<varlistentry>
- <term>-G </term>
- <listitem>
- <para>
-Create new Certificate Revocation List(CRL).
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
<term>-D </term>
<listitem>
<para>
@@ -93,40 +84,38 @@ Delete Certificate Revocation List from
</listitem>
</varlistentry>
-
<varlistentry>
- <term>-I </term>
+ <term>-E </term>
<listitem>
<para>
-Import a CRL to the cert database
+Erase all CRLs of specified type from the cert database
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-E </term>
+ <term>-G </term>
<listitem>
<para>
-Erase all CRLs of specified type from the cert database
+Create new Certificate Revocation List (CRL).
</para>
</listitem>
</varlistentry>
-
<varlistentry>
- <term>-L </term>
+ <term>-I </term>
<listitem>
<para>
-List existing CRL located in cert database file.
+Import a CRL to the cert database
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-S </term>
+ <term>-L </term>
<listitem>
<para>
-Show contents of a CRL file which isn't stored in the database.
+List existing CRL located in cert database file.
</para>
</listitem>
</varlistentry>
@@ -141,43 +130,34 @@ Modify existing CRL which can be located
</varlistentry>
<varlistentry>
- <term>-G </term>
+ <term>-S </term>
<listitem>
<para>
-
+Show contents of a CRL file which isn't stored in the database.
</para>
</listitem>
</varlistentry>
</variablelist>
<para><command>Arguments</command></para>
- <para>Option arguments modify an action and are lowercase.</para>
+ <para>Option arguments modify an action.</para>
<variablelist>
<varlistentry>
- <term>-B </term>
- <listitem>
- <para>
-Bypass CA signature checks.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-P dbprefix </term>
+ <term>-a </term>
<listitem>
<para>
-Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.
+Use ASCII format or allow the use of ASCII format for input and output. This formatting follows RFC #1113.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-a </term>
+ <term>-B </term>
<listitem>
<para>
-Use ASCII format or allow the use of ASCII format for input and output. This formatting follows RFC #1113.
+Bypass CA signature checks.
</para>
</listitem>
</varlistentry>
@@ -204,19 +184,19 @@ The NSS database files must reside in th
</varlistentry>
<varlistentry>
- <term>-i crl-file </term>
+ <term>-f password-file </term>
<listitem>
<para>
-Specify the file which contains the CRL to import or show.
+Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-f password-file </term>
+ <term>-i crl-file </term>
<listitem>
<para>
-Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file.
+Specify the file which contains the CRL to import or show.
</para>
</listitem>
</varlistentry>
@@ -249,6 +229,15 @@ Specify the output file name for new CRL
</varlistentry>
<varlistentry>
+ <term>-P dbprefix </term>
+ <listitem>
+ <para>
+Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-t crl-type </term>
<listitem>
<para>
@@ -355,7 +344,7 @@ Implemented Extensions
* Add The Authority Key Identifier extension:
</para>
<para>
- The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL.
+The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL.
</para>
<para>
authKeyId critical [key-id | dn cert-serial]
@@ -504,21 +493,9 @@ crlutil -G|-M -c crl-gen-file -n nicknam
</programlisting>
</refsection>
- <refsection>
- <title>See also</title>
- <para>certutil(1)</para>
- </refsection>
-
-
<refsection id="seealso">
<title>See Also</title>
- <para></para>
- <para>
- </para>
- <para>
- </para>
- <para>
- </para>
+ <para>certutil(1)</para>
</refsection>
<!-- don't change -->
diff -up ./nss/doc/modutil.xml.cleanup ./nss/doc/modutil.xml
--- ./nss/doc/modutil.xml.cleanup 2014-05-12 07:53:59.723219994 -0700
+++ ./nss/doc/modutil.xml 2014-05-12 07:53:59.763220129 -0700
@@ -625,7 +625,8 @@ DISABLE: 0x40000000</progr
<para><command>Executable</command> specifies that the file is to be executed during the course of the installation. Typically, this string is used for a setup program provided by a module vendor, such as a self-extracting setup executable. More than one file can be specified as executable, in which case the files are run in the order in which they are specified in the script file.</para>
<para><command>FilePermissions</command> sets permissions on any referenced files in a string of octal digits, according to the standard Unix format. This string is a bitwise OR.</para>
-<programlisting>user read: 0400
+<programlisting>
+user read: 0400
user write: 0200
user execute: 0100
group read: 0040
@@ -633,7 +634,8 @@ group write: 0020
group execute: 0010
other read: 0004
other write: 0002
-other execute: 0001</programlisting>
+other execute: 0001
+</programlisting>
<para>Some platforms may not understand these permissions. They are applied only insofar as they make sense for the current platform. If this attribute is omitted, a default of 777 is assumed.</para>
</refsection>
@@ -693,7 +695,7 @@ Using the SQLite databases must be manua
<para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para>
<programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting>
-<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
+<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>
<para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para>
<itemizedlist>
diff -up ./nss/doc/pk12util.xml.cleanup ./nss/doc/pk12util.xml
--- ./nss/doc/pk12util.xml.cleanup 2013-11-09 09:23:30.000000000 -0800
+++ ./nss/doc/pk12util.xml 2014-05-12 07:53:59.763220129 -0700
@@ -27,16 +27,14 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>pk12util</command>
- <arg>-i p12File [-h tokenname] [-v] [common-options] </arg>
- <arg>
- -l p12File [-h tokenname] [-r] [common-options] </arg>
- <arg>
- -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [common-options] </arg>
- <arg>
-
-common-options are:
-[-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
- </arg>
+ <arg>-i p12File|-l p12File|-o p12File</arg>
+ <arg>-d [sql:]directory</arg>
+ <arg>-h tokenname</arg>
+ <arg>-P dbprefix</arg>
+ <arg>-r</arg>
+ <arg>-v</arg>
+ <arg>-k slotPasswordFile|-K slotPassword</arg>
+ <arg>-w p12filePasswordFile|-W p12filePassword</arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -73,22 +71,20 @@ common-options are:
<para><command>Arguments</command></para>
<variablelist>
-
<varlistentry>
- <term>-n certname</term>
- <listitem><para>Specify the nickname of the cert and private key to export.</para></listitem>
+ <term>-c keyCipher</term>
+ <listitem><para>Specify the key encryption algorithm.</para></listitem>
</varlistentry>
<varlistentry>
- <term>-d [sql:]directory</term>
- <listitem><para>Specify the database directory into which to import to or export from certificates and keys.</para>
- <para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem>
+ <term>-C certCipher</term>
+ <listitem><para>Specify the key cert (overall package) encryption algorithm.</para></listitem>
</varlistentry>
<varlistentry>
- <term>-P prefix</term>
- <listitem><para>Specify the prefix used on the certificate and key databases. This option is provided as a special case.
- Changing the names of the certificate and key databases is not recommended.</para></listitem>
+ <term>-d [sql:]directory</term>
+ <listitem><para>Specify the database directory into which to import to or export from certificates and keys.</para>
+ <para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem>
</varlistentry>
<varlistentry>
@@ -97,11 +93,6 @@ common-options are:
</varlistentry>
<varlistentry>
- <term>-v </term>
- <listitem><para>Enable debug logging when importing.</para></listitem>
- </varlistentry>
-
- <varlistentry>
<term>-k slotPasswordFile</term>
<listitem><para>Specify the text file containing the slot's password.</para></listitem>
</varlistentry>
@@ -112,39 +103,46 @@ common-options are:
</varlistentry>
<varlistentry>
- <term>-w p12filePasswordFile</term>
- <listitem><para>Specify the text file containing the pkcs #12 file password.</para></listitem>
+ <term>-m | --key-len keyLength</term>
+ <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the private key.</para></listitem>
</varlistentry>
<varlistentry>
- <term>-W p12filePassword</term>
- <listitem><para>Specify the pkcs #12 file password.</para></listitem>
+ <term>-n | --cert-key-len certKeyLength</term>
+ <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem>
</varlistentry>
<varlistentry>
- <term>-c keyCipher</term>
- <listitem><para>Specify the key encryption algorithm.</para></listitem>
+ <term>-n certname</term>
+ <listitem><para>Specify the nickname of the cert and private key to export.</para></listitem>
</varlistentry>
<varlistentry>
- <term>-C certCipher</term>
- <listitem><para>Specify the key cert (overall package) encryption algorithm.</para></listitem>
+ <term>-P prefix</term>
+ <listitem><para>Specify the prefix used on the certificate and key databases. This option is provided as a special case.
+ Changing the names of the certificate and key databases is not recommended.</para></listitem>
</varlistentry>
<varlistentry>
- <term>-m | --key-len keyLength</term>
- <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the private key.</para></listitem>
+ <term>-r</term>
+ <listitem><para>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</para></listitem>
</varlistentry>
<varlistentry>
- <term>-n | --cert-key-len certKeyLength</term>
- <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem>
+ <term>-v </term>
+ <listitem><para>Enable debug logging when importing.</para></listitem>
</varlistentry>
<varlistentry>
- <term>-r</term>
- <listitem><para>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</para></listitem>
+ <term>-w p12filePasswordFile</term>
+ <listitem><para>Specify the text file containing the pkcs #12 file password.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-W p12filePassword</term>
+ <listitem><para>Specify the pkcs #12 file password.</para></listitem>
</varlistentry>
+
</variablelist>
</refsection>
@@ -237,9 +235,12 @@ common-options are:
<para><command>Importing Keys and Certificates</command></para>
<para>The most basic usage of <command>pk12util</command> for importing a certificate or key is the PKCS#12 input file (<option>-i</option>) and some way to specify the security database being accessed (either <option>-d</option> for a directory or <option>-h</option> for a token).
</para>
-<programlisting>pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting>
+ <para>
+ pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
+ </para>
<para>For example:</para>
-<programlisting># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
+ <para> </para>
+ <programlisting># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
@@ -253,18 +254,18 @@ pk12util: PKCS12 IMPORT SUCCESSFUL</prog
<para><command>Exporting Keys and Certificates</command></para>
<para>Using the <command>pk12util</command> command to export certificates and keys requires both the name of the certificate to extract from the database (<option>-n</option>) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material.
</para>
-<programlisting>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting>
+ <para>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</para>
<para>For example:</para>
-<programlisting># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb
+ <programlisting># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb
Enter password for PKCS12 file:
Re-enter password: </programlisting>
<para><command>Listing Keys and Certificates</command></para>
<para>The information in a <filename>.p12</filename> file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the <filename>.p12</filename> file.
</para>
-<programlisting>pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting>
+ <para>pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</para>
<para>For example, this prints the default ASCII output:</para>
-<programlisting># pk12util -l certs.p12
+ <programlisting># pk12util -l certs.p12
Enter password for PKCS12 file:
Key(shrouded):
@@ -283,9 +284,9 @@ Certificate:
Issuer: "E=personal-freemail@thawte.com,CN=Thawte Personal Freemail C
A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T
own,ST=Western Cape,C=ZA"
-....</programlisting>
+ </programlisting>
<para>Alternatively, the <option>-r</option> prints the certificates and then exports them into separate DER binary files. This allows the certificates to be fed to another application that supports <filename>.p12</filename> files. Each certificate is written to a sequentially-number file, beginning with <filename>file0001.der</filename> and continuing through <filename>file000N.der</filename>, incrementing the number for every certificate:</para>
-<programlisting># pk12util -l test.p12 -r
+ <programlisting>pk12util -l test.p12 -r
Enter password for PKCS12 file:
Key(shrouded):
Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
@@ -297,7 +298,8 @@ Key(shrouded):
Iteration Count: 1 (0x1)
Certificate Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting
-Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID</programlisting>
+Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
+ </programlisting>
</refsection>
<refsection id="encryption">
@@ -309,86 +311,48 @@ Certificate Friendly Name: Thawte Fre
<varlistentry>
<term>Symmetric CBC ciphers for PKCS#5 V2</term>
- <listitem><para>DES_CBC</para>
- <itemizedlist>
- <listitem>
- <para>RC2-CBC</para>
- </listitem>
- <listitem>
- <para>RC5-CBCPad</para>
- </listitem>
- <listitem>
- <para>DES-EDE3-CBC (the default for key encryption)</para>
- </listitem>
- <listitem>
- <para>AES-128-CBC</para>
- </listitem>
- <listitem>
- <para>AES-192-CBC</para>
- </listitem>
- <listitem>
- <para>AES-256-CBC</para>
- </listitem>
- <listitem>
- <para>CAMELLIA-128-CBC</para>
- </listitem>
- <listitem>
- <para>CAMELLIA-192-CBC</para>
- </listitem>
- <listitem>
- <para>CAMELLIA-256-CBC</para></listitem>
- </itemizedlist>
- </listitem>
+ <listitem>
+ <itemizedlist>
+ <listitem><para>DES-CBC</para></listitem>
+ <listitem><para>RC2-CBC</para></listitem>
+ <listitem><para>RC5-CBCPad</para></listitem>
+ <listitem><para>DES-EDE3-CBC (the default for key encryption)</para></listitem>
+ <listitem><para>AES-128-CBC</para></listitem>
+ <listitem><para>AES-192-CBC</para></listitem>
+ <listitem><para>AES-256-CBC</para></listitem>
+ <listitem><para>CAMELLIA-128-CBC</para></listitem>
+ <listitem><para>CAMELLIA-192-CBC</para></listitem>
+ <listitem><para>CAMELLIA-256-CBC</para></listitem>
+ </itemizedlist>
+ </listitem>
</varlistentry>
<varlistentry>
<term>PKCS#12 PBE ciphers</term>
- <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC4</para>
- <itemizedlist>
- <listitem>
- <para>PKCS #12 PBE with Sha1 and 40 Bit RC4</para>
- </listitem>
- <listitem>
- <para>PKCS #12 PBE with Sha1 and Triple DES CBC</para>
- </listitem>
- <listitem>
- <para>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</para>
- </listitem>
- <listitem>
- <para>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</para>
- </listitem>
- <listitem>
- <para>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</para>
- </listitem>
- <listitem>
- <para>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</para>
- </listitem>
- <listitem>
- <para>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</para>
- </listitem>
- <listitem>
- <para>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</para>
- </listitem>
- <listitem>
- <para>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</para>
- </listitem>
- <listitem>
- <para>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</para></listitem>
- </itemizedlist>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PKCS#5 PBE ciphers</term>
- <listitem><para>PKCS #5 Password Based Encryption with MD2 and DES CBC</para>
- <itemizedlist>
- <listitem>
- <para>PKCS #5 Password Based Encryption with MD5 and DES CBC</para>
- </listitem>
- <listitem>
- <para>PKCS #5 Password Based Encryption with SHA1 and DES CBC</para></listitem>
- </itemizedlist>
- </listitem>
+ <listitem>
+ <itemizedlist>
+ <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC4</para></listitem>
+ <listitem><para>PKCS #12 PBE with Sha1 and 40 Bit RC4</para></listitem>
+ <listitem><para>PKCS #12 PBE with Sha1 and Triple DES CBC</para></listitem>
+ <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</para></listitem>
+ <listitem><para>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</para></listitem>
+ <listitem><para>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</para></listitem>
+ <listitem><para>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</para></listitem>
+ <listitem><para>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</para></listitem>
+ <listitem><para>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</para></listitem>
+ <listitem><para>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</para></listitem>
+ <listitem><para>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</para></listitem>
+ </itemizedlist>
+ </listitem>
+ </varlistentry>
+ <varlistentry><term>PKCS#5 PBE ciphers</term>
+ <listitem>
+ <itemizedlist>
+ <listitem><para>PKCS #5 Password Based Encryption with MD2 and DES CBC</para></listitem>
+ <listitem><para>PKCS #5 Password Based Encryption with MD5 and DES CBC</para></listitem>
+ <listitem><para>PKCS #5 Password Based Encryption with SHA1 and DES CBC</para></listitem>
+ </itemizedlist>
+ </listitem>
</varlistentry>
</variablelist>
<para>With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <emphasis>no security module can perform the requested operation</emphasis>.</para>
diff -up ./nss/doc/signtool.xml.cleanup ./nss/doc/signtool.xml
--- ./nss/doc/signtool.xml.cleanup 2013-11-09 09:23:30.000000000 -0800
+++ ./nss/doc/signtool.xml 2014-05-12 08:12:18.989951466 -0700
@@ -27,36 +27,37 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>signtool</command>
- <arg>-k keyName</arg>
+ <arg>[-b basename]</arg>
+ <arg>[-c Compression Level] </arg>
+ <arg>[-d cert-dir] </arg>
+ <arg>[-e extension] </arg>
+ <arg>[-f filename] </arg>
+ <arg>[-i installer script] </arg>
<arg>[-h]</arg>
<arg>[-H]</arg>
- <arg>[-l]</arg>
- <arg>[-L]</arg>
- <arg>[-M]</arg>
<arg>[-v]</arg>
<arg>[-w]</arg>
<arg>[-G nickname]</arg>
+ <arg>[-J]</arg>
+ <arg>[-j directory] </arg>
+ <arg>-k keyName</arg>
<arg>[--keysize | -s size]</arg>
- <arg>[-b basename]</arg>
- <arg>[-c Compression Level] </arg>
- <arg>[-d cert-dir] </arg>
- <arg>[-i installer script] </arg>
+ <arg>[-l]</arg>
+ <arg>[-L]</arg>
+ <arg>[-M]</arg>
<arg>[-m metafile] </arg>
- <arg>[-x name] </arg>
- <arg>[-f filename] </arg>
- <arg>[-t|--token tokenname] </arg>
- <arg>[-e extension] </arg>
+ <arg>[--norecurse] </arg>
+ <arg>[-O] </arg>
<arg>[-o] </arg>
+ <arg>[--outfile] </arg>
+ <arg>[-p password] </arg>
+ <arg>[-t|--token tokenname] </arg>
<arg>[-z] </arg>
<arg>[-X] </arg>
- <arg>[--outfile] </arg>
+ <arg>[-x name] </arg>
<arg>[--verbose value] </arg>
- <arg>[--norecurse] </arg>
<arg>[--leavearc] </arg>
- <arg>[-j directory] </arg>
<arg>[-Z jarfile] </arg>
- <arg>[-O] </arg>
- <arg>[-p password] </arg>
<arg>directory-tree</arg>
<arg>archive</arg>
<!-- this isn't the ideal formatting, since docbook can handle reqiored/optional formatting automatically, but let's make it explicit -->
@@ -97,7 +98,7 @@
</varlistentry>
<varlistentry>
<term>-c#</term>
- <listitem><para>
+ <listitem><para>
Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes.
If the -c# option is not used with either the -J or the -Z option, the default compression value used by both the -J and -Z options is 6.
@@ -124,10 +125,36 @@ The Unix version of signtool assumes ~/.
</para></listitem>
</varlistentry>
<varlistentry>
+ <term>-G nickname</term>
+ <listitem><para>
+ Generates a new private-public key pair and corresponding object-signing certificate with the given nickname.
+
+The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.
+
+Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects.
+
+The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
<term>-i scriptname</term>
- <listitem><para>
- Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script.
-</para></listitem>
+ <listitem><para>
+Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>-J</term>
+ <listitem>
+ <para>
+Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once.
+
+The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option.
+
+If the -c# option is not used with the -J option, the default compression value is 6.
+
+Note that versions 1.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages.
+ </para>
+ </listitem>
</varlistentry>
<varlistentry>
<term>-j directory</term>
@@ -148,18 +175,6 @@ It's also possible to use the -k option
</para></listitem>
</varlistentry>
<varlistentry>
- <term>-G nickname</term>
- <listitem><para>
- Generates a new private-public key pair and corresponding object-signing certificate with the given nickname.
-
-The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.
-
-Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects.
-
-The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token. For more information about the use of the -G option, see "Generating Test Object-Signing Certificates""Generating Test Object-Signing Certificates" on page 1241.
-</para></listitem>
- </varlistentry>
- <varlistentry>
<term>-l</term>
<listitem><para>
Lists signing certificates, including issuing CAs. If any of your certificates are expired or invalid, the list will so specify. This option can be used with the -k option to list detailed information about a particular signing certificate.
@@ -168,18 +183,6 @@ The -l option is available in Netscape S
</para></listitem>
</varlistentry>
<varlistentry>
- <term>-J</term>
- <listitem><para>
- Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once.
-
-The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option.
-
-If the -c# option is not used with the -J option, the default compression value is 6.
-
-Note that versions 1.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages.
-</para></listitem>
- </varlistentry>
- <varlistentry>
<term>-L</term>
<listitem><para>
Lists the certificates in your database. An asterisk appears to the left of the nickname for any certificate that can be used to sign objects with signtool.
diff -up ./nss/doc/signver.xml.cleanup ./nss/doc/signver.xml
--- ./nss/doc/signver.xml.cleanup 2013-11-09 09:23:30.000000000 -0800
+++ ./nss/doc/signver.xml 2014-05-12 07:53:59.770220149 -0700
@@ -163,7 +163,7 @@ Using the SQLite databases must be manua
<para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para>
<programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting>
-<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
+<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>
<para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para>
<itemizedlist>
diff -up ./nss/doc/ssltap.xml.cleanup ./nss/doc/ssltap.xml
--- ./nss/doc/ssltap.xml.cleanup 2013-11-09 09:23:30.000000000 -0800
+++ ./nss/doc/ssltap.xml 2014-05-12 07:53:59.771220154 -0700
@@ -26,8 +26,8 @@
<refsynopsisdiv>
<cmdsynopsis>
- <command>libssltap</command>
- <arg choice="opt">-vhfsxl</arg>
+ <command>ssltap</command>
+ <arg choice="opt">-fhlsvx</arg>
<arg choice="opt">-p port</arg>
<arg choice="opt">hostname:port</arg>
</cmdsynopsis>
@@ -48,8 +48,10 @@
<title>Options</title>
<variablelist>
<varlistentry>
- <term>-v </term>
- <listitem><para>Print a version string for the tool.</para></listitem>
+ <term>-f </term>
+ <listitem><para>
+Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser.
+ </para></listitem>
</varlistentry>
<varlistentry>
<term>-h </term>
@@ -58,34 +60,6 @@ Turn on hex/ASCII printing. Instead of o
</para></listitem>
</varlistentry>
<varlistentry>
- <term>-f </term>
- <listitem><para>
-Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser.
- </para></listitem>
- </varlistentry>
- <varlistentry><term>-s </term>
- <listitem>
- <para>
-Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures.
- </para>
- <para>
-If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate.
- </para>
- <para>
-If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-x </term>
- <listitem>
- <para>
-Turn on hex/ASCII printing of undecoded data inside parsed SSL records. Used only with the -s option.
-This option uses the same output format as the -h option.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
<term>-l prefix</term>
<listitem>
<para>
@@ -124,6 +98,28 @@ Turn on looping; that is, continue to ac
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-s </term>
+ <listitem>
+ <para>
+Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures.
+ </para>
+ <para>
+If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate.
+ </para>
+ <para>
+If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>-v </term>
+ <listitem><para>Print a version string for the tool.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>-x </term>
+ <listitem><para>Turn on extra SSL hex dumps.</para></listitem>
+ </varlistentry>
</variablelist>
</refsection>


@ -1,42 +0,0 @@
diff -up nss/tests/all.sh.crypto nss/tests/all.sh
--- nss/tests/all.sh.crypto 2013-11-09 09:23:30.000000000 -0800
+++ nss/tests/all.sh 2013-11-27 14:20:57.918671042 -0800
@@ -299,9 +299,14 @@ fi
# created, we check for modutil to know whether the build
# is complete. If a new file is created after that, the
# following test for modutil should check for that instead.
+# Except when building softoken only where shlibsign is the last one built.
+if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then
+ export LAST_BUILT=shlibsign
+else
+ export LAST_BUILT=modutil
+fi
-if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a \
- ! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then
+if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_BUILT}${PROG_SUFFIX} ]; then
echo "Build Incomplete. Aborting test." >> ${LOGFILE}
html_head "Testing Initialization"
Exit "Checking for build"
diff -up nss/tests/cipher/cipher.sh.crypto nss/tests/cipher/cipher.sh
--- nss/tests/cipher/cipher.sh.crypto 2013-11-09 09:23:30.000000000 -0800
+++ nss/tests/cipher/cipher.sh 2013-11-27 14:18:29.817581578 -0800
@@ -129,6 +129,16 @@ if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${
return 0
fi
cipher_init
-cipher_main
-cipher_gcm
+if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
+ echo "Skipping cipher_gcm because this is a softoken only build"
+ cipher_main
+elif [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" = "1" ]; then
+ echo "Skipping cipher_main because this an nss without softoken build"
+ cipher_gcm
+else
+ # default is to run both
+ cipher_init
+ cipher_main
+ cipher_gcm
+fi
cipher_cleanup