Compare commits
90 Commits
Author | SHA1 | Date |
---|---|---|
Elio Maldonado | 587f00af13 | |
Elio Maldonado | 52412acee2 | |
Elio Maldonado | d0e4f03d68 | |
Elio Maldonado | e620cdde80 | |
Elio Maldonado | 68a35a4e2f | |
Elio Maldonado | c0840bb6ae | |
Elio Maldonado | 33d3470a50 | |
Elio Maldonado | c01002e05f | |
Elio Maldonado | 91d58b56fb | |
Elio Maldonado | 20dceb30dd | |
Elio Maldonado | 5775837bbf | |
Elio Maldonado | 43ee0dde79 | |
Elio Maldonado | cb9c7979b3 | |
Elio Maldonado | 98913cdefd | |
Elio Maldonado | a3c32434c9 | |
Elio Maldonado | c7e7247590 | |
Elio Maldonado | 125ad15fa4 | |
Elio Maldonado | c1dd8ec026 | |
Elio Maldonado | 6b07fe83cc | |
Elio Maldonado | ebac350c8b | |
Elio Maldonado | 6f23c57db3 | |
Elio Maldonado | c4f8125ecb | |
Elio Maldonado | 1a893363ae | |
Elio Maldonado | 9c7cfa3932 | |
Elio Maldonado | c953934393 | |
Elio Maldonado | 87235aed91 | |
Elio Maldonado | fdefa43e4d | |
Elio Maldonado | 690f79c8fa | |
Elio Maldonado | 0ade450edc | |
Elio Maldonado | e7079bbf54 | |
Elio Maldonado | b7d02ab064 | |
Elio Maldonado | 0b65e562e8 | |
Elio Maldonado | 94bf03b9c2 | |
Elio Maldonado | 78e9db1518 | |
Elio Maldonado | 3f18acf7ec | |
Elio Maldonado | 9b182d22ed | |
Elio Maldonado | 93c126b227 | |
Elio Maldonado | 764f26ca9d | |
Elio Maldonado | 6e2d989f14 | |
Elio Maldonado | 96702ba123 | |
Fedora Release Engineering | 07c5cd9e85 | |
Fedora Release Engineering | 64fa704d3a | |
Elio Maldonado | 7cbeb9c7bc | |
Elio Maldonado | 914c37d61e | |
Elio Maldonado | 241c32b985 | |
Elio Maldonado | 3ff6f4da98 | |
Elio Maldonado | f87b9329cd | |
Elio Maldonado | d99a5ee0ec | |
Elio Maldonado | 15ea8e6328 | |
Elio Maldonado | fa2658066e | |
Elio Maldonado | 0a6cda68f8 | |
Elio Maldonado | 6648a39610 | |
Elio Maldonado | 6feac515e8 | |
Elio Maldonado | 7fa225766b | |
Elio Maldonado | 8f79ab452e | |
Elio Maldonado | a6f9d69494 | |
Elio Maldonado | d8583442b1 | |
Elio Maldonado | c0bccc0f7b | |
Elio Maldonado | c6b2155624 | |
Elio Maldonado | 1e4227045b | |
Elio Maldonado | fbb4c50e05 | |
Jesse Keating | 5333c595c9 | |
Elio Maldonado | 83451a19ed | |
Elio Maldonado | 64ce39c763 | |
Elio Maldonado | 96a054f139 | |
Elio Maldonado | 70df32f821 | |
Elio Maldonado | 92db65991e | |
Elio Maldonado | 56dc00989b | |
Elio Maldonado | 91030c96d8 | |
Elio Maldonado | f1a3345519 | |
Elio Maldonado | dd9892b9a8 | |
Elio Maldonado | 55edeec982 | |
Elio Maldonado | 1aff3403a3 | |
Elio Maldonado | 09ecfd57b6 | |
Elio Maldonado | f2ccd473b5 | |
Elio Maldonado | 4f8d878891 | |
Elio Maldonado | 5766a45a65 | |
Elio Maldonado | f8024f1124 | |
Elio Maldonado | cb110c36cc | |
Elio Maldonado | a98531146e | |
Elio Maldonado | 302377ce99 | |
Elio Maldonado | f8ccb63629 | |
Elio Maldonado | a10e23db6b | |
Elio Maldonado | 9d98fbfa61 | |
Bill Nottingham | 6a5ec0e38b | |
Elio Maldonado | 782344fee9 | |
Elio Maldonado | c68a00ee4e | |
Elio Maldonado | 0f54a974d6 | |
Elio Maldonado | 99e8ed3aca | |
Jesse Keating | 92df9c7dc4 |
|
@ -1,51 +1,8 @@
|
|||
nss-3.12.8-stripped.tar.bz2
|
||||
nss-pem-20100809.tar.bz2
|
||||
blank-cert8.db
|
||||
blank-key3.db
|
||||
blank-secmod.db
|
||||
blank-cert9.db
|
||||
blank-key4.db
|
||||
PayPalEE.cert
|
||||
TestCA.ca.cert
|
||||
TestUser50.cert
|
||||
TestUser51.cert
|
||||
/PayPalRootCA.cert
|
||||
/PayPalICA.cert
|
||||
/nss-3.25.0.tar.gz
|
||||
/nss-3.26.0.tar.gz
|
||||
/nss-3.27.0.tar.gz
|
||||
/nss-3.27.2.tar.gz
|
||||
/nss-3.28.1.tar.gz
|
||||
/nss-3.29.0.tar.gz
|
||||
/nss-3.29.1.tar.gz
|
||||
/nss-3.30.0.tar.gz
|
||||
/nss-3.30.2.tar.gz
|
||||
/nss-3.31.0.tar.gz
|
||||
/nss-3.32.0.tar.gz
|
||||
/nss-3.32.1.tar.gz
|
||||
/nss-3.33.0.tar.gz
|
||||
/nss-3.34.0.tar.gz
|
||||
/nss-3.35.0.tar.gz
|
||||
/nss-3.36.0.tar.gz
|
||||
/nss-3.36.1.tar.gz
|
||||
/nss-3.37.1.tar.gz
|
||||
/nss-3.37.3.tar.gz
|
||||
/nss-3.38.0.tar.gz
|
||||
/nss-3.39.tar.gz
|
||||
/nss-3.40.1.tar.gz
|
||||
/nss-3.41.tar.gz
|
||||
/nss-3.42.tar.gz
|
||||
/nss-3.42.1.tar.gz
|
||||
/nss-3.43.tar.gz
|
||||
/nss-3.44.tar.gz
|
||||
/nss-3.44.1.tar.gz
|
||||
/nss-3.45.tar.gz
|
||||
/nss-3.46.tar.gz
|
||||
/nss-3.46.1.tar.gz
|
||||
/nss-3.47.tar.gz
|
||||
/nss-3.47.1.tar.gz
|
||||
/nss-3.48.tar.gz
|
||||
/nss-3.49.tar.gz
|
||||
/nss-3.49.2.tar.gz
|
||||
/nss-3.50.tar.gz
|
||||
/nss-3.51.tar.gz
|
||||
/nss-3.51.1.tar.gz
|
||||
/nss-3.52.tar.gz
|
||||
|
|
|
@ -0,0 +1,237 @@
|
|||
From 8bd0a0427e034262ff982fed98ca5e8c623165db Mon Sep 17 00:00:00 2001
|
||||
From: Rich Megginson <rmeggins@redhat.com>
|
||||
Date: Mon, 12 Jul 2010 16:31:01 -0600
|
||||
Subject: [PATCH] Add support for PKCS#8 encoded private keys
|
||||
|
||||
The code supports PKCS#1 encoded RSA private keys that begin with the
|
||||
BEGIN RSA PRIVATE KEY header in PEM files. This patch adds support for
|
||||
RSA private keys encoded in PEM files that begin with the header
|
||||
BEGIN PRIVATE KEY which are in PKCS#8 format.
|
||||
---
|
||||
prsa.c | 150 ++++++++++++++++++++++++++++++++++++++++++++++------------------
|
||||
util.c | 3 +-
|
||||
2 files changed, 110 insertions(+), 43 deletions(-)
|
||||
|
||||
diff --git a/prsa.c b/prsa.c
|
||||
index 5b2f379..8d4fb92 100644
|
||||
--- a/mozilla/security/nss/lib/ckfw/pem/prsa.c
|
||||
+++ b/mozilla/security/nss/lib/ckfw/pem/prsa.c
|
||||
@@ -63,6 +63,35 @@ const SEC_ASN1Template pem_RSAPrivateKeyTemplate[] = {
|
||||
{0}
|
||||
};
|
||||
|
||||
+static const SEC_ASN1Template pem_AttributeTemplate[] = {
|
||||
+ { SEC_ASN1_SEQUENCE,
|
||||
+ 0, NULL, sizeof(NSSLOWKEYAttribute) },
|
||||
+ { SEC_ASN1_OBJECT_ID, offsetof(NSSLOWKEYAttribute, attrType) },
|
||||
+ { SEC_ASN1_SET_OF | SEC_ASN1_XTRN, offsetof(NSSLOWKEYAttribute, attrValue),
|
||||
+ SEC_ASN1_SUB(SEC_AnyTemplate) },
|
||||
+ { 0 }
|
||||
+};
|
||||
+
|
||||
+static const SEC_ASN1Template pem_SetOfAttributeTemplate[] = {
|
||||
+ { SEC_ASN1_SET_OF, 0, pem_AttributeTemplate },
|
||||
+};
|
||||
+
|
||||
+const SEC_ASN1Template pem_PrivateKeyInfoTemplate[] = {
|
||||
+ { SEC_ASN1_SEQUENCE,
|
||||
+ 0, NULL, sizeof(NSSLOWKEYPrivateKeyInfo) },
|
||||
+ { SEC_ASN1_INTEGER,
|
||||
+ offsetof(NSSLOWKEYPrivateKeyInfo,version) },
|
||||
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
|
||||
+ offsetof(NSSLOWKEYPrivateKeyInfo,algorithm),
|
||||
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
|
||||
+ { SEC_ASN1_OCTET_STRING,
|
||||
+ offsetof(NSSLOWKEYPrivateKeyInfo,privateKey) },
|
||||
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
|
||||
+ offsetof(NSSLOWKEYPrivateKeyInfo, attributes),
|
||||
+ pem_SetOfAttributeTemplate },
|
||||
+ { 0 }
|
||||
+};
|
||||
+
|
||||
/* Declarations */
|
||||
SECStatus pem_RSA_Sign(pemLOWKEYPrivateKey * key, unsigned char *output,
|
||||
unsigned int *outputLen, unsigned int maxOutputLen,
|
||||
@@ -116,6 +145,79 @@ pem_DestroyPrivateKey(pemLOWKEYPrivateKey * privk)
|
||||
nss_ZFreeIf(privk);
|
||||
}
|
||||
|
||||
+/* decode and parse the rawkey into the lpk structure */
|
||||
+static pemLOWKEYPrivateKey *
|
||||
+pem_getPrivateKey(PLArenaPool *arena, SECItem *rawkey, CK_RV * pError, NSSItem *modulus)
|
||||
+{
|
||||
+ pemLOWKEYPrivateKey *lpk = NULL;
|
||||
+ SECStatus rv = SECFailure;
|
||||
+ NSSLOWKEYPrivateKeyInfo *pki = NULL;
|
||||
+ SECItem *keysrc = NULL;
|
||||
+
|
||||
+ /* make sure SECOID is initialized - not sure why we have to do this outside of nss_Init */
|
||||
+ if (SECSuccess != (rv = SECOID_Init())) {
|
||||
+ *pError = CKR_GENERAL_ERROR;
|
||||
+ return NULL; /* wha???? */
|
||||
+ }
|
||||
+
|
||||
+ pki = (NSSLOWKEYPrivateKeyInfo*)PORT_ArenaZAlloc(arena,
|
||||
+ sizeof(NSSLOWKEYPrivateKeyInfo));
|
||||
+ if(!pki) {
|
||||
+ *pError = CKR_HOST_MEMORY;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* let's first see if this is a "raw" RSA private key or an RSA private key in PKCS#8 format */
|
||||
+ rv = SEC_ASN1DecodeItem(arena, pki, pem_PrivateKeyInfoTemplate, rawkey);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ /* not PKCS#8 - assume it's a "raw" RSA private key */
|
||||
+ keysrc = rawkey;
|
||||
+ } else if (SECOID_GetAlgorithmTag(&pki->algorithm) == SEC_OID_PKCS1_RSA_ENCRYPTION) {
|
||||
+ keysrc = &pki->privateKey;
|
||||
+ } else { /* unsupported */
|
||||
+ *pError = CKR_FUNCTION_NOT_SUPPORTED;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ lpk = (pemLOWKEYPrivateKey *) nss_ZAlloc(NULL,
|
||||
+ sizeof(pemLOWKEYPrivateKey));
|
||||
+ if (lpk == NULL) {
|
||||
+ *pError = CKR_HOST_MEMORY;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ lpk->arena = arena;
|
||||
+ lpk->keyType = pemLOWKEYRSAKey;
|
||||
+ prepare_low_rsa_priv_key_for_asn1(lpk);
|
||||
+
|
||||
+ /* I don't know what this is supposed to accomplish. We free the old
|
||||
+ modulus data and set it again, making a copy of the new data.
|
||||
+ But we just allocated a new empty key structure above with
|
||||
+ nss_ZAlloc. So lpk->u.rsa.modulus.data is NULL and
|
||||
+ lpk->u.rsa.modulus.len. If the intention is to free the old
|
||||
+ modulus data, why not just set it to NULL after freeing? Why
|
||||
+ go through this unnecessary and confusing copying code?
|
||||
+ */
|
||||
+ if (modulus) {
|
||||
+ nss_ZFreeIf(modulus->data);
|
||||
+ modulus->data = (void *) nss_ZAlloc(NULL, lpk->u.rsa.modulus.len);
|
||||
+ modulus->size = lpk->u.rsa.modulus.len;
|
||||
+ nsslibc_memcpy(modulus->data, lpk->u.rsa.modulus.data,
|
||||
+ lpk->u.rsa.modulus.len);
|
||||
+ }
|
||||
+
|
||||
+ /* decode the private key and any algorithm parameters */
|
||||
+ rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
|
||||
+ keysrc);
|
||||
+
|
||||
+ if (rv != SECSuccess) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ return lpk;
|
||||
+}
|
||||
+
|
||||
void
|
||||
pem_PopulateModulusExponent(pemInternalObject * io)
|
||||
{
|
||||
@@ -123,7 +225,7 @@ pem_PopulateModulusExponent(pemInternalObject * io)
|
||||
const NSSItem *keyType = pem_FetchAttribute(io, CKA_KEY_TYPE);
|
||||
pemLOWKEYPrivateKey *lpk = NULL;
|
||||
PLArenaPool *arena;
|
||||
- SECStatus rv;
|
||||
+ CK_RV pError = 0;
|
||||
|
||||
/* make sure we have the right objects */
|
||||
if (((const NSSItem *) NULL == classItem) ||
|
||||
@@ -140,26 +242,12 @@ pem_PopulateModulusExponent(pemInternalObject * io)
|
||||
return;
|
||||
}
|
||||
|
||||
- lpk = (pemLOWKEYPrivateKey *) nss_ZAlloc(NULL,
|
||||
- sizeof(pemLOWKEYPrivateKey));
|
||||
+ lpk = pem_getPrivateKey(arena, io->u.key.key.privateKey, &pError, NULL);
|
||||
if (lpk == NULL) {
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
return;
|
||||
}
|
||||
|
||||
- lpk->arena = arena;
|
||||
- lpk->keyType = pemLOWKEYRSAKey;
|
||||
- prepare_low_rsa_priv_key_for_asn1(lpk);
|
||||
-
|
||||
- /* decode the private key and any algorithm parameters */
|
||||
- rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
|
||||
- io->u.key.key.privateKey);
|
||||
-
|
||||
- if (rv != SECSuccess) {
|
||||
- PORT_FreeArena(arena, PR_FALSE);
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
nss_ZFreeIf(io->u.key.key.modulus.data);
|
||||
io->u.key.key.modulus.data =
|
||||
(void *) nss_ZAlloc(NULL, lpk->u.rsa.modulus.len);
|
||||
@@ -252,13 +340,6 @@ pem_mdCryptoOperationRSAPriv_Create
|
||||
pemInternalCryptoOperationRSAPriv *iOperation;
|
||||
pemLOWKEYPrivateKey *lpk = NULL;
|
||||
PLArenaPool *arena;
|
||||
- SECStatus rv;
|
||||
-
|
||||
- arena = PORT_NewArena(2048);
|
||||
- if (!arena) {
|
||||
- *pError = CKR_HOST_MEMORY;
|
||||
- return (NSSCKMDCryptoOperation *) NULL;
|
||||
- }
|
||||
|
||||
/* make sure we have the right objects */
|
||||
if (((const NSSItem *) NULL == classItem) ||
|
||||
@@ -271,30 +352,15 @@ pem_mdCryptoOperationRSAPriv_Create
|
||||
return (NSSCKMDCryptoOperation *) NULL;
|
||||
}
|
||||
|
||||
- lpk = (pemLOWKEYPrivateKey *) nss_ZAlloc(NULL,
|
||||
- sizeof (pemLOWKEYPrivateKey));
|
||||
- if (lpk == NULL) {
|
||||
+ arena = PORT_NewArena(2048);
|
||||
+ if (!arena) {
|
||||
*pError = CKR_HOST_MEMORY;
|
||||
return (NSSCKMDCryptoOperation *) NULL;
|
||||
}
|
||||
- lpk->arena = arena;
|
||||
- lpk->keyType = pemLOWKEYRSAKey;
|
||||
- prepare_low_rsa_priv_key_for_asn1(lpk);
|
||||
|
||||
- nss_ZFreeIf(iKey->u.key.key.modulus.data);
|
||||
- iKey->u.key.key.modulus.data =
|
||||
- (void *) nss_ZAlloc(NULL, lpk->u.rsa.modulus.len);
|
||||
- iKey->u.key.key.modulus.size = lpk->u.rsa.modulus.len;
|
||||
- nsslibc_memcpy(iKey->u.key.key.modulus.data, lpk->u.rsa.modulus.data,
|
||||
- lpk->u.rsa.modulus.len);
|
||||
-
|
||||
- /* decode the private key and any algorithm parameters */
|
||||
- rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
|
||||
- iKey->u.key.key.privateKey);
|
||||
-
|
||||
- if (rv != SECSuccess) {
|
||||
+ lpk = pem_getPrivateKey(arena, iKey->u.key.key.privateKey, pError, &iKey->u.key.key.modulus);
|
||||
+ if (lpk == NULL) {
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
- *pError = CKR_HOST_MEMORY;
|
||||
return (NSSCKMDCryptoOperation *) NULL;
|
||||
}
|
||||
|
||||
diff --git a/util.c b/util.c
|
||||
index a6ca094..d02ee87 100644
|
||||
--- a/mozilla/security/nss/lib/ckfw/pem/util.c
|
||||
+++ b/mozilla/security/nss/lib/ckfw/pem/util.c
|
||||
@@ -164,7 +164,8 @@ ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
|
||||
int key = 0;
|
||||
while ((asc) && ((body = strstr(asc, "-----BEGIN")) != NULL)) {
|
||||
key = 0;
|
||||
- if (strncmp(body, "-----BEGIN RSA PRIVATE KEY", 25) == 0) {
|
||||
+ if ((strncmp(body, "-----BEGIN RSA PRIVATE KEY", 25) == 0) ||
|
||||
+ (strncmp(body, "-----BEGIN PRIVATE KEY", 21) == 0)) {
|
||||
key = 1;
|
||||
c = body;
|
||||
body = strchr(body, '\n');
|
||||
--
|
||||
1.5.5.6
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
From 9b7334b61cf3277e5eb48b716f6719b4636e2572 Mon Sep 17 00:00:00 2001
|
||||
From: Rich Megginson <rmeggins@redhat.com>
|
||||
Date: Mon, 12 Jul 2010 17:21:01 -0600
|
||||
Subject: [PATCH] Do not define SEC_SkipTemplate
|
||||
|
||||
Building NSS with PEM support gives an error in pbobject due to multiple
|
||||
definitions of SEC_SkipTemplate. This is already defined in libnssutil
|
||||
---
|
||||
pobject.c | 3 +++
|
||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/pobject.c b/pobject.c
|
||||
index 81b9028..48f5e78 100644
|
||||
--- a/mozilla/security/nss/lib/ckfw/pem/pobject.c
|
||||
+++ b/mozilla/security/nss/lib/ckfw/pem/pobject.c
|
||||
@@ -172,6 +172,8 @@ static const NSSItem pem_trusted = {
|
||||
(void *) &ckt_netscape_trusted, (PRUint32) sizeof(CK_TRUST)
|
||||
};
|
||||
|
||||
+/* SEC_SkipTemplate is already defined and exported by libnssutil */
|
||||
+#ifdef SEC_SKIP_TEMPLATE
|
||||
/*
|
||||
* Template for skipping a subitem.
|
||||
*
|
||||
@@ -182,6 +184,7 @@ static const NSSItem pem_trusted = {
|
||||
const SEC_ASN1Template SEC_SkipTemplate[] = {
|
||||
{SEC_ASN1_SKIP}
|
||||
};
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* Find the subjectName in a DER encoded certificate
|
||||
--
|
||||
1.5.5.6
|
||||
|
68
STAGE2-nss
68
STAGE2-nss
|
@ -1,68 +0,0 @@
|
|||
#requires nspr
|
||||
#requires perl
|
||||
#requires nss-util
|
||||
#requires nss-softokn
|
||||
|
||||
mcd $BUILDDIR/nss
|
||||
|
||||
export BUILD_OPT=1
|
||||
export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
|
||||
export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
|
||||
export NSPR_INCLUDE_DIR=/usr/include/nspr
|
||||
export NSPR_LIB_DIR=/usr/lib${SUFFIX}
|
||||
export NSS_USE_SYSTEM_SQLITE=1
|
||||
export NSS_BUILD_WITHOUT_SOFTOKEN=1
|
||||
export USE_SYSTEM_SOFTOKEN=1
|
||||
export SOFTOKEN_LIB_DIR=/usr/lib${SUFFIX}
|
||||
export NSSUTIL_INCLUDE_DIR=/usr/include/nss3
|
||||
export NSSUTIL_LIB_DIR=/usr/lib${SUFFIX}
|
||||
export USE_SYSTEM_NSSUTIL=1
|
||||
export FREEBL_INCLUDE_DIR=/usr/include/nss3
|
||||
export FREEBL_LIB_DIR=/usr/lib${SUFFIX}
|
||||
export USE_SYSTEM_FREEBL=1
|
||||
export NSS_USE_SYSTEM_FREEBL=1
|
||||
export FREEBL_NO_DEPEND=1
|
||||
export IN_TREE_FREEBL_HEADERS_FIRST=1
|
||||
export NSS_BLTEST_NOT_AVAILABLE=1
|
||||
export NSS_NO_SSL2_NO_EXPORT=1
|
||||
export NSS_ECC_MORE_THAN_SUITE_B=1
|
||||
export NSS_NO_PKCS11_BYPASS=1
|
||||
#export NSDISTMODE="copy"
|
||||
|
||||
if [ "$SUFFIX" = "64" ]; then
|
||||
USE_64=1
|
||||
export USE_64
|
||||
fi
|
||||
|
||||
(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp nss/lib/ckfw/nssck.api dist/private/nss/)
|
||||
|
||||
make -C $SRC/nss-3.*/nss/coreconf
|
||||
make -C $SRC/nss-3.*/nss/lib/dbm
|
||||
|
||||
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
|
||||
# need nss/verref.h which is exported privately, move it to where it can be found.
|
||||
(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp -a nss/verref.h dist/private/nss/)
|
||||
|
||||
make -C $SRC/nss-3.*/nss
|
||||
cd $SRC/nss-3.*/nss/coreconf
|
||||
make install
|
||||
cd $SRC/nss-3.*/nss/lib/dbm
|
||||
make install
|
||||
cd $SRC/nss-3.*/nss
|
||||
make install
|
||||
# Copy the binary libraries we want
|
||||
NSSLIBS="libnss3.so libnssckbi.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so"
|
||||
# BOZO: temporarily disable FIPS140 support
|
||||
#NSSLIBCHKS="libnssdbm3.chk libfreebl3.chk libsoftokn3.chk"
|
||||
NSSLIBCHKS=""
|
||||
# END BOZO
|
||||
cd $SRC/nss-3.*
|
||||
for file in $NSSLIBS $NSSLIBCHKS
|
||||
do
|
||||
install -p -m 755 dist/*.OBJ/lib/$file /usr/lib${SUFFIX}/
|
||||
done
|
||||
# Copy the include files we want
|
||||
for file in $SRC/nss-*/dist/public/nss/*.h
|
||||
do
|
||||
install -p -m 644 $file /usr/include/nss3/
|
||||
done
|
59
cert8.db.xml
59
cert8.db.xml
|
@ -1,59 +0,0 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="cert8.db">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>cert8.db</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>cert8.db</refname>
|
||||
<refpurpose>Legacy NSS certificate database</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para><emphasis>cert8.db</emphasis> is an NSS certificate database.</para>
|
||||
<para>This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/etc/pki/nssdb/cert8.db</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
|
||||
</refsection>
|
||||
|
||||
|
||||
</refentry>
|
59
cert9.db.xml
59
cert9.db.xml
|
@ -1,59 +0,0 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="cert9.db">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>cert9.db</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>cert9.db</refname>
|
||||
<refpurpose>NSS certificate database</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para><emphasis>cert9.db</emphasis> is an NSS certificate database.</para>
|
||||
<para>This certificate database is the sqlite-based shared database with support for concurrent access.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/etc/pki/nssdb/cert9.db</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>pkcs11.txt(5)</para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
|
||||
</refsection>
|
||||
|
||||
|
||||
</refentry>
|
13
iquote.patch
13
iquote.patch
|
@ -1,13 +0,0 @@
|
|||
diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
|
||||
--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200
|
||||
+++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200
|
||||
@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
|
||||
SQLITE_LIB_NAME = sqlite3
|
||||
endif
|
||||
|
||||
+# Prefer in-tree headers over system headers
|
||||
+ifdef IN_TREE_FREEBL_HEADERS_FIRST
|
||||
+ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
|
||||
+endif
|
||||
+
|
||||
MK_LOCATION = included
|
59
key3.db.xml
59
key3.db.xml
|
@ -1,59 +0,0 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="key3.db">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>key3.db</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>key3.db</refname>
|
||||
<refpurpose>Legacy NSS certificate database</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para><emphasis>key3.db</emphasis> is an NSS certificate database.</para>
|
||||
<para>This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which which are the new sqlite-based shared database format with support for concurrent access.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/etc/pki/nssdb/key3.db</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
|
||||
</refsection>
|
||||
|
||||
|
||||
</refentry>
|
59
key4.db.xml
59
key4.db.xml
|
@ -1,59 +0,0 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="key4.db">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>key4.db</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>key4.db</refname>
|
||||
<refpurpose>NSS certificate database</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para><emphasis>key4.db</emphasis> is an NSS key database.</para>
|
||||
<para>This key database is the sqlite-based shared database format with support for concurrent access.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/etc/pki/nssdb/key4.db</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>pkcs11.txt(5)</para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
|
||||
</refsection>
|
||||
|
||||
|
||||
</refentry>
|
|
@ -1,62 +0,0 @@
|
|||
--- nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
|
||||
+++ nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
|
||||
@@ -953,23 +953,23 @@
|
||||
getBoundListenSocket(unsigned short port)
|
||||
{
|
||||
PRFileDesc *listen_sock;
|
||||
int listenQueueDepth = 5 + (2 * maxThreads);
|
||||
PRStatus prStatus;
|
||||
PRNetAddr addr;
|
||||
PRSocketOptionData opt;
|
||||
|
||||
- addr.inet.family = PR_AF_INET;
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ }
|
||||
|
||||
- listen_sock = PR_NewTCPSocket();
|
||||
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
|
||||
if (listen_sock == NULL) {
|
||||
- errExit("PR_NewTCPSocket");
|
||||
+ errExit("PR_OpenTCPSockett");
|
||||
}
|
||||
|
||||
opt.option = PR_SockOpt_Nonblocking;
|
||||
opt.value.non_blocking = PR_FALSE;
|
||||
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
||||
if (prStatus < 0) {
|
||||
PR_Close(listen_sock);
|
||||
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
|
||||
--- nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
|
||||
+++ nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
|
||||
@@ -1711,23 +1711,23 @@
|
||||
getBoundListenSocket(unsigned short port)
|
||||
{
|
||||
PRFileDesc *listen_sock;
|
||||
int listenQueueDepth = 5 + (2 * maxThreads);
|
||||
PRStatus prStatus;
|
||||
PRNetAddr addr;
|
||||
PRSocketOptionData opt;
|
||||
|
||||
- addr.inet.family = PR_AF_INET;
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ }
|
||||
|
||||
- listen_sock = PR_NewTCPSocket();
|
||||
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
|
||||
if (listen_sock == NULL) {
|
||||
- errExit("PR_NewTCPSocket");
|
||||
+ errExit("PR_OpenTCPSocket error");
|
||||
}
|
||||
|
||||
opt.option = PR_SockOpt_Nonblocking;
|
||||
opt.value.non_blocking = PR_FALSE;
|
||||
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
||||
if (prStatus < 0) {
|
||||
PR_Close(listen_sock);
|
||||
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
|
132
nss-config.xml
132
nss-config.xml
|
@ -1,132 +0,0 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="nss-config">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>nss-config</refentrytitle>
|
||||
<manvolnum>1</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>nss-config</refname>
|
||||
<refpurpose>Return meta information about nss libraries</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>nss-config</command>
|
||||
<arg><option>--prefix</option></arg>
|
||||
<arg><option>--exec-prefix</option></arg>
|
||||
<arg><option>--includedir</option></arg>
|
||||
<arg><option>--libs</option></arg>
|
||||
<arg><option>--cflags</option></arg>
|
||||
<arg><option>--libdir</option></arg>
|
||||
<arg><option>--version</option></arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
|
||||
<para><command>nss-config</command> is a shell scrip
|
||||
tool which can be used to obtain gcc options for building client pacakges of nspt. </para>
|
||||
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Options</title>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--prefix</option></term>
|
||||
<listitem><simpara>Returns the top level system directory under which the nss libraries are installed.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--exec-prefix</option></term>
|
||||
<listitem><simpara>returns the top level system directory under which any nss binaries would be installed.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--includedir</option> <replaceable>count</replaceable></term>
|
||||
<listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--version</option></term>
|
||||
<listitem><simpara>returns the upstream version of nss in the form major_version-minor_version-patch_version.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--libs</option></term>
|
||||
<listitem><simpara>returns the compiler linking flags.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--cflags</option></term>
|
||||
<listitem><simpara>returns the compiler include flags.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--libdir</option></term>
|
||||
<listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Examples</title>
|
||||
|
||||
<para>The following example will query for both include path and linkage flags:
|
||||
|
||||
<programlisting>
|
||||
/usr/bin/nss-config --cflags --libs
|
||||
</programlisting>
|
||||
|
||||
</para>
|
||||
|
||||
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
|
||||
<para><filename>/usr/bin/nss-config</filename></para>
|
||||
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>pkg-config(1)</para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>
|
||||
Authors: Elio Maldonado <emaldona@redhat.com>.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
</refentry>
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
diff -up ./mozilla/security/nss/lib/ckfw/manifest.mn.prepem ./mozilla/security/nss/lib/ckfw/manifest.mn
|
||||
--- ./mozilla/security/nss/lib/ckfw/manifest.mn.prepem 2008-08-05 16:34:23.000000000 -0700
|
||||
+++ ./mozilla/security/nss/lib/ckfw/manifest.mn 2008-08-05 16:34:30.000000000 -0700
|
||||
@@ -38,7 +38,7 @@ MANIFEST_CVS_ID = "@(#) $RCSfile: manife
|
||||
|
||||
CORE_DEPTH = ../../..
|
||||
|
||||
-DIRS = builtins
|
||||
+DIRS = builtins pem
|
||||
|
||||
PRIVATE_EXPORTS = \
|
||||
ck.h \
|
|
@ -1,21 +0,0 @@
|
|||
diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
|
||||
--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 2020-05-13 13:44:11.312405744 -0700
|
||||
+++ ./lib/util/pkcs11n.h 2020-05-13 13:45:23.951723660 -0700
|
||||
@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
|
||||
typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
|
||||
|
||||
/* deprecated #defines. Drop in future NSS releases */
|
||||
-#ifdef NSS_PKCS11_2_0_COMPAT
|
||||
+#ifndef NSS_PKCS11_3_0_STRICT
|
||||
|
||||
/* defines that were changed between NSS's PKCS #11 and the Oasis headers */
|
||||
#define CKF_EC_FP CKF_EC_F_P
|
||||
@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
|
||||
#define CKT_NETSCAPE_VALID CKT_NSS_VALID
|
||||
#define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
|
||||
#else
|
||||
-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
|
||||
+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
|
||||
typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
|
||||
typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
|
||||
#endif
|
|
@ -1,31 +0,0 @@
|
|||
Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
|
||||
+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
|
||||
@@ -56,9 +56,10 @@ typedef const char *Prims_string;
|
||||
!defined(__clang__)
|
||||
#include <emmintrin.h>
|
||||
typedef __m128i FStar_UInt128_uint128;
|
||||
-#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
|
||||
+#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
|
||||
(defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
|
||||
- (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
|
||||
+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
|
||||
+ defined(__s390x__))
|
||||
typedef unsigned __int128 FStar_UInt128_uint128;
|
||||
#elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
|
||||
typedef __uint128_t FStar_UInt128_uint128;
|
||||
Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
|
||||
+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
|
||||
@@ -26,7 +26,8 @@
|
||||
|
||||
#if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
|
||||
(defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
|
||||
- (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
|
||||
+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
|
||||
+ defined(__s390x__))
|
||||
|
||||
/* GCC + using native unsigned __int128 support */
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
name=p11-kit-proxy
|
||||
library=p11-kit-proxy.so
|
||||
|
||||
|
|
@ -1,94 +0,0 @@
|
|||
diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
|
||||
--- a/cmd/modutil/install.c
|
||||
+++ b/cmd/modutil/install.c
|
||||
@@ -825,17 +825,20 @@ rm_dash_r(char *path)
|
||||
|
||||
dir = PR_OpenDir(path);
|
||||
if (!dir) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Recursively delete all entries in the directory */
|
||||
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
|
||||
- sprintf(filename, "%s/%s", path, entry->name);
|
||||
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
|
||||
+ PR_CloseDir(dir);
|
||||
+ return -1;
|
||||
+ }
|
||||
if (rm_dash_r(filename)) {
|
||||
PR_CloseDir(dir);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
if (PR_CloseDir(dir) != PR_SUCCESS) {
|
||||
return -1;
|
||||
diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
|
||||
--- a/cmd/signtool/util.c
|
||||
+++ b/cmd/signtool/util.c
|
||||
@@ -132,17 +132,20 @@ rm_dash_r(char *path)
|
||||
if (!dir) {
|
||||
PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
|
||||
errorCount++;
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Recursively delete all entries in the directory */
|
||||
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
|
||||
- sprintf(filename, "%s/%s", path, entry->name);
|
||||
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
|
||||
+ errorCount++;
|
||||
+ return -1;
|
||||
+ }
|
||||
if (rm_dash_r(filename))
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (PR_CloseDir(dir) != PR_SUCCESS) {
|
||||
PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
|
||||
errorCount++;
|
||||
return -1;
|
||||
diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
|
||||
--- a/lib/libpkix/pkix/util/pkix_list.c
|
||||
+++ b/lib/libpkix/pkix/util/pkix_list.c
|
||||
@@ -1530,17 +1530,17 @@ cleanup:
|
||||
*/
|
||||
PKIX_Error *
|
||||
PKIX_List_SetItem(
|
||||
PKIX_List *list,
|
||||
PKIX_UInt32 index,
|
||||
PKIX_PL_Object *item,
|
||||
void *plContext)
|
||||
{
|
||||
- PKIX_List *element;
|
||||
+ PKIX_List *element = NULL;
|
||||
|
||||
PKIX_ENTER(LIST, "PKIX_List_SetItem");
|
||||
PKIX_NULLCHECK_ONE(list);
|
||||
|
||||
if (list->immutable){
|
||||
PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
|
||||
}
|
||||
|
||||
diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
|
||||
--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
|
||||
+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
|
||||
@@ -102,17 +102,17 @@ cleanup:
|
||||
*/
|
||||
static PKIX_Error *
|
||||
pkix_pl_OID_Equals(
|
||||
PKIX_PL_Object *first,
|
||||
PKIX_PL_Object *second,
|
||||
PKIX_Boolean *pResult,
|
||||
void *plContext)
|
||||
{
|
||||
- PKIX_Int32 cmpResult;
|
||||
+ PKIX_Int32 cmpResult = 0;
|
||||
|
||||
PKIX_ENTER(OID, "pkix_pl_OID_Equals");
|
||||
PKIX_NULLCHECK_THREE(first, second, pResult);
|
||||
|
||||
PKIX_CHECK(pkix_pl_OID_Comparator
|
||||
(first, second, &cmpResult, plContext),
|
||||
PKIX_OIDCOMPARATORFAILED);
|
||||
|
|
@ -1,116 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
prefix=@prefix@
|
||||
|
||||
major_version=@MOD_MAJOR_VERSION@
|
||||
minor_version=@MOD_MINOR_VERSION@
|
||||
patch_version=@MOD_PATCH_VERSION@
|
||||
|
||||
usage()
|
||||
{
|
||||
cat <<EOF
|
||||
Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
|
||||
Options:
|
||||
[--prefix[=DIR]]
|
||||
[--exec-prefix[=DIR]]
|
||||
[--includedir[=DIR]]
|
||||
[--libdir[=DIR]]
|
||||
[--version]
|
||||
[--libs]
|
||||
[--cflags]
|
||||
Dynamic Libraries:
|
||||
softokn3 - Requires full dynamic linking
|
||||
freebl3 - for internal use only (and glibc for self-integrity check)
|
||||
nssdbm3 - for internal use only
|
||||
Dymamically linked
|
||||
EOF
|
||||
exit $1
|
||||
}
|
||||
|
||||
if test $# -eq 0; then
|
||||
usage 1 1>&2
|
||||
fi
|
||||
|
||||
while test $# -gt 0; do
|
||||
case "$1" in
|
||||
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
|
||||
*) optarg= ;;
|
||||
esac
|
||||
|
||||
case $1 in
|
||||
--prefix=*)
|
||||
prefix=$optarg
|
||||
;;
|
||||
--prefix)
|
||||
echo_prefix=yes
|
||||
;;
|
||||
--exec-prefix=*)
|
||||
exec_prefix=$optarg
|
||||
;;
|
||||
--exec-prefix)
|
||||
echo_exec_prefix=yes
|
||||
;;
|
||||
--includedir=*)
|
||||
includedir=$optarg
|
||||
;;
|
||||
--includedir)
|
||||
echo_includedir=yes
|
||||
;;
|
||||
--libdir=*)
|
||||
libdir=$optarg
|
||||
;;
|
||||
--libdir)
|
||||
echo_libdir=yes
|
||||
;;
|
||||
--version)
|
||||
echo ${major_version}.${minor_version}.${patch_version}
|
||||
;;
|
||||
--cflags)
|
||||
echo_cflags=yes
|
||||
;;
|
||||
--libs)
|
||||
echo_libs=yes
|
||||
;;
|
||||
*)
|
||||
usage 1 1>&2
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
# Set variables that may be dependent upon other variables
|
||||
if test -z "$exec_prefix"; then
|
||||
exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
|
||||
fi
|
||||
if test -z "$includedir"; then
|
||||
includedir=`pkg-config --variable=includedir nss-softokn`
|
||||
fi
|
||||
if test -z "$libdir"; then
|
||||
libdir=`pkg-config --variable=libdir nss-softokn`
|
||||
fi
|
||||
|
||||
if test "$echo_prefix" = "yes"; then
|
||||
echo $prefix
|
||||
fi
|
||||
|
||||
if test "$echo_exec_prefix" = "yes"; then
|
||||
echo $exec_prefix
|
||||
fi
|
||||
|
||||
if test "$echo_includedir" = "yes"; then
|
||||
echo $includedir
|
||||
fi
|
||||
|
||||
if test "$echo_libdir" = "yes"; then
|
||||
echo $libdir
|
||||
fi
|
||||
|
||||
if test "$echo_cflags" = "yes"; then
|
||||
echo -I$includedir
|
||||
fi
|
||||
|
||||
if test "$echo_libs" = "yes"; then
|
||||
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
|
||||
echo $libdirs
|
||||
fi
|
||||
|
|
@ -1,18 +0,0 @@
|
|||
#!/bin/bash
|
||||
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
|
||||
# ex: ts=8 sw=4 sts=4 et filetype=sh
|
||||
|
||||
check() {
|
||||
return 255
|
||||
}
|
||||
|
||||
depends() {
|
||||
return 0
|
||||
}
|
||||
|
||||
install() {
|
||||
local _dir
|
||||
|
||||
inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
|
||||
libfreebl3.so
|
||||
}
|
|
@ -1,3 +0,0 @@
|
|||
# turn on nss-softokn module
|
||||
|
||||
add_dracutmodules+=" nss-softokn "
|
|
@ -1,11 +0,0 @@
|
|||
prefix=%prefix%
|
||||
exec_prefix=%exec_prefix%
|
||||
libdir=%libdir%
|
||||
includedir=%includedir%
|
||||
|
||||
Name: NSS-SOFTOKN
|
||||
Description: Network Security Services Softoken PKCS #11 Module
|
||||
Version: %SOFTOKEN_VERSION%
|
||||
Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
|
||||
Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
|
||||
Cflags: -I${includedir}
|
|
@ -0,0 +1,65 @@
|
|||
diff -up ./mozilla/security/nss/lib/sysinit/nsssysinit.c.orig ./mozilla/security/nss/lib/sysinit/nsssysinit.c
|
||||
--- ./mozilla/security/nss/lib/sysinit/nsssysinit.c.orig 2010-06-17 09:17:30.732643399 -0700
|
||||
+++ ./mozilla/security/nss/lib/sysinit/nsssysinit.c 2010-06-17 09:20:22.691642397 -0700
|
||||
@@ -263,9 +263,18 @@ get_list(char *filename, char *stripped_
|
||||
sysdb = getSystemDB();
|
||||
userdb = getUserDB();
|
||||
|
||||
- /* Don't open root's user DB */
|
||||
+ /* return a list of databases to open. First the system database. */
|
||||
+ if (sysdb) {
|
||||
+ const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
|
||||
+ module_list[next++] = PR_smprintf(
|
||||
+ "library= "
|
||||
+ "module=\"NSS system database\" "
|
||||
+ "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
|
||||
+ "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
|
||||
+ }
|
||||
+
|
||||
+ /* Next the user database, but not for root. */
|
||||
if (userdb != NULL && !userIsRoot()) {
|
||||
- /* return a list of databases to open. First the user Database */
|
||||
module_list[next++] = PR_smprintf(
|
||||
"library= "
|
||||
"module=\"NSS User database\" "
|
||||
@@ -284,40 +293,6 @@ get_list(char *filename, char *stripped_
|
||||
userdb, stripped_parameters);
|
||||
}
|
||||
|
||||
-#if 0
|
||||
- /* This doesn't actually work. If we register
|
||||
- both this and the sysdb (in either order)
|
||||
- then only one of them actually shows up */
|
||||
-
|
||||
- /* Using a NULL filename as a Boolean flag to
|
||||
- * prevent registering both an application-defined
|
||||
- * db and the system db. rhbz #546211.
|
||||
- */
|
||||
- PORT_Assert(filename);
|
||||
- if (sysdb && PL_CompareStrings(filename, sysdb))
|
||||
- filename = NULL;
|
||||
- else if (userdb && PL_CompareStrings(filename, userdb))
|
||||
- filename = NULL;
|
||||
-
|
||||
- if (filename && !userIsRoot()) {
|
||||
- module_list[next++] = PR_smprintf(
|
||||
- "library= "
|
||||
- "module=\"NSS database\" "
|
||||
- "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
|
||||
- "NSS=\"%sflags=internal\"",filename, filename, nssflags);
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
- /* now the system database (always read only unless it's root) */
|
||||
- if (sysdb) {
|
||||
- const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
|
||||
- module_list[next++] = PR_smprintf(
|
||||
- "library= "
|
||||
- "module=\"NSS system database\" "
|
||||
- "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
|
||||
- "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
|
||||
- }
|
||||
-
|
||||
/* that was the last module */
|
||||
module_list[next] = 0;
|
||||
|
|
@ -1,118 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
prefix=@prefix@
|
||||
|
||||
major_version=@MOD_MAJOR_VERSION@
|
||||
minor_version=@MOD_MINOR_VERSION@
|
||||
patch_version=@MOD_PATCH_VERSION@
|
||||
|
||||
usage()
|
||||
{
|
||||
cat <<EOF
|
||||
Usage: nss-util-config [OPTIONS] [LIBRARIES]
|
||||
Options:
|
||||
[--prefix[=DIR]]
|
||||
[--exec-prefix[=DIR]]
|
||||
[--includedir[=DIR]]
|
||||
[--libdir[=DIR]]
|
||||
[--version]
|
||||
[--libs]
|
||||
[--cflags]
|
||||
Dynamic Libraries:
|
||||
nssutil
|
||||
EOF
|
||||
exit $1
|
||||
}
|
||||
|
||||
if test $# -eq 0; then
|
||||
usage 1 1>&2
|
||||
fi
|
||||
|
||||
lib_nssutil=yes
|
||||
|
||||
while test $# -gt 0; do
|
||||
case "$1" in
|
||||
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
|
||||
*) optarg= ;;
|
||||
esac
|
||||
|
||||
case $1 in
|
||||
--prefix=*)
|
||||
prefix=$optarg
|
||||
;;
|
||||
--prefix)
|
||||
echo_prefix=yes
|
||||
;;
|
||||
--exec-prefix=*)
|
||||
exec_prefix=$optarg
|
||||
;;
|
||||
--exec-prefix)
|
||||
echo_exec_prefix=yes
|
||||
;;
|
||||
--includedir=*)
|
||||
includedir=$optarg
|
||||
;;
|
||||
--includedir)
|
||||
echo_includedir=yes
|
||||
;;
|
||||
--libdir=*)
|
||||
libdir=$optarg
|
||||
;;
|
||||
--libdir)
|
||||
echo_libdir=yes
|
||||
;;
|
||||
--version)
|
||||
echo ${major_version}.${minor_version}.${patch_version}
|
||||
;;
|
||||
--cflags)
|
||||
echo_cflags=yes
|
||||
;;
|
||||
--libs)
|
||||
echo_libs=yes
|
||||
;;
|
||||
*)
|
||||
usage 1 1>&2
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
# Set variables that may be dependent upon other variables
|
||||
if test -z "$exec_prefix"; then
|
||||
exec_prefix=`pkg-config --variable=exec_prefix nss-util`
|
||||
fi
|
||||
if test -z "$includedir"; then
|
||||
includedir=`pkg-config --variable=includedir nss-util`
|
||||
fi
|
||||
if test -z "$libdir"; then
|
||||
libdir=`pkg-config --variable=libdir nss-util`
|
||||
fi
|
||||
|
||||
if test "$echo_prefix" = "yes"; then
|
||||
echo $prefix
|
||||
fi
|
||||
|
||||
if test "$echo_exec_prefix" = "yes"; then
|
||||
echo $exec_prefix
|
||||
fi
|
||||
|
||||
if test "$echo_includedir" = "yes"; then
|
||||
echo $includedir
|
||||
fi
|
||||
|
||||
if test "$echo_libdir" = "yes"; then
|
||||
echo $libdir
|
||||
fi
|
||||
|
||||
if test "$echo_cflags" = "yes"; then
|
||||
echo -I$includedir
|
||||
fi
|
||||
|
||||
if test "$echo_libs" = "yes"; then
|
||||
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
|
||||
if test -n "$lib_nssutil"; then
|
||||
libdirs="$libdirs -lnssutil${major_version}"
|
||||
fi
|
||||
echo $libdirs
|
||||
fi
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
prefix=%prefix%
|
||||
exec_prefix=%exec_prefix%
|
||||
libdir=%libdir%
|
||||
includedir=%includedir%
|
||||
|
||||
Name: NSS-UTIL
|
||||
Description: Network Security Services Utility Library
|
||||
Version: %NSSUTIL_VERSION%
|
||||
Requires: nspr >= %NSPR_VERSION%
|
||||
Libs: -L${libdir} -lnssutil3
|
||||
Cflags: -I${includedir}
|
|
@ -7,5 +7,5 @@ Name: NSS
|
|||
Description: Network Security Services
|
||||
Version: %NSS_VERSION%
|
||||
Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
|
||||
Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
|
||||
Libs: -lssl3 -lsmime3 -lnss3
|
||||
Cflags: -I${includedir}
|
||||
|
|
|
@ -0,0 +1,127 @@
|
|||
diff -up ./mozilla/security/nss/lib/ckfw/pem/pinst.c.596783 ./mozilla/security/nss/lib/ckfw/pem/pinst.c
|
||||
--- ./mozilla/security/nss/lib/ckfw/pem/pinst.c.596783 2010-06-06 18:27:27.256318318 -0700
|
||||
+++ ./mozilla/security/nss/lib/ckfw/pem/pinst.c 2010-06-06 20:45:28.158442982 -0700
|
||||
@@ -151,7 +151,7 @@ GetCertFields(unsigned char *cert, int c
|
||||
buf = issuer->data + issuer->len;
|
||||
|
||||
/* only wanted issuer/SN */
|
||||
- if (valid == NULL) {
|
||||
+ if (subject == NULL || valid == NULL || subjkey == NULL) {
|
||||
return SECSuccess;
|
||||
}
|
||||
/* validity */
|
||||
@@ -219,53 +219,93 @@ CreateObject(CK_OBJECT_CLASS objClass,
|
||||
memset(&o->u.trust, 0, sizeof(o->u.trust));
|
||||
break;
|
||||
}
|
||||
+
|
||||
+ o->nickname = (char *) nss_ZAlloc(NULL, strlen(nickname) + 1);
|
||||
+ if (o->nickname == NULL)
|
||||
+ goto fail;
|
||||
+ strcpy(o->nickname, nickname);
|
||||
+
|
||||
+ sprintf(id, "%d", objid);
|
||||
+ len = strlen(id) + 1; /* zero terminate */
|
||||
+ o->id.data = (void *) nss_ZAlloc(NULL, len);
|
||||
+ if (o->id.data == NULL)
|
||||
+ goto fail;
|
||||
+ (void) nsslibc_memcpy(o->id.data, id, len);
|
||||
+ o->id.size = len;
|
||||
+
|
||||
o->objClass = objClass;
|
||||
o->type = type;
|
||||
o->slotID = slotID;
|
||||
+
|
||||
o->derCert = nss_ZNEW(NULL, SECItem);
|
||||
+ if (o->derCert == NULL)
|
||||
+ goto fail;
|
||||
o->derCert->data = (void *) nss_ZAlloc(NULL, certDER->len);
|
||||
+ if (o->derCert->data == NULL)
|
||||
+ goto fail;
|
||||
o->derCert->len = certDER->len;
|
||||
nsslibc_memcpy(o->derCert->data, certDER->data, certDER->len);
|
||||
|
||||
switch (objClass) {
|
||||
case CKO_CERTIFICATE:
|
||||
case CKO_NETSCAPE_TRUST:
|
||||
- GetCertFields(o->derCert->data,
|
||||
- o->derCert->len, &issuer, &serial,
|
||||
- &derSN, &subject, &valid, &subjkey);
|
||||
+ if (SECSuccess != GetCertFields(o->derCert->data, o->derCert->len,
|
||||
+ &issuer, &serial, &derSN, &subject,
|
||||
+ &valid, &subjkey))
|
||||
+ goto fail;
|
||||
|
||||
o->u.cert.subject.data = (void *) nss_ZAlloc(NULL, subject.len);
|
||||
+ if (o->u.cert.subject.data == NULL)
|
||||
+ goto fail;
|
||||
o->u.cert.subject.size = subject.len;
|
||||
nsslibc_memcpy(o->u.cert.subject.data, subject.data, subject.len);
|
||||
|
||||
o->u.cert.issuer.data = (void *) nss_ZAlloc(NULL, issuer.len);
|
||||
+ if (o->u.cert.issuer.data == NULL) {
|
||||
+ nss_ZFreeIf(o->u.cert.subject.data);
|
||||
+ goto fail;
|
||||
+ }
|
||||
o->u.cert.issuer.size = issuer.len;
|
||||
nsslibc_memcpy(o->u.cert.issuer.data, issuer.data, issuer.len);
|
||||
|
||||
o->u.cert.serial.data = (void *) nss_ZAlloc(NULL, serial.len);
|
||||
+ if (o->u.cert.serial.data == NULL) {
|
||||
+ nss_ZFreeIf(o->u.cert.issuer.data);
|
||||
+ nss_ZFreeIf(o->u.cert.subject.data);
|
||||
+ goto fail;
|
||||
+ }
|
||||
o->u.cert.serial.size = serial.len;
|
||||
nsslibc_memcpy(o->u.cert.serial.data, serial.data, serial.len);
|
||||
break;
|
||||
case CKO_PRIVATE_KEY:
|
||||
o->u.key.key.privateKey = nss_ZNEW(NULL, SECItem);
|
||||
+ if (o->u.key.key.privateKey == NULL)
|
||||
+ goto fail;
|
||||
o->u.key.key.privateKey->data =
|
||||
(void *) nss_ZAlloc(NULL, keyDER->len);
|
||||
+ if (o->u.key.key.privateKey->data == NULL) {
|
||||
+ nss_ZFreeIf(o->u.key.key.privateKey);
|
||||
+ goto fail;
|
||||
+ }
|
||||
o->u.key.key.privateKey->len = keyDER->len;
|
||||
nsslibc_memcpy(o->u.key.key.privateKey->data, keyDER->data,
|
||||
keyDER->len);
|
||||
}
|
||||
|
||||
- o->nickname = (char *) nss_ZAlloc(NULL, strlen(nickname) + 1);
|
||||
- strcpy(o->nickname, nickname);
|
||||
-
|
||||
- sprintf(id, "%d", objid);
|
||||
-
|
||||
- len = strlen(id) + 1; /* zero terminate */
|
||||
- o->id.data = (void *) nss_ZAlloc(NULL, len);
|
||||
- (void) nsslibc_memcpy(o->id.data, id, len);
|
||||
- o->id.size = len;
|
||||
|
||||
return o;
|
||||
+
|
||||
+fail:
|
||||
+ if (o) {
|
||||
+ if (o->derCert) {
|
||||
+ nss_ZFreeIf(o->derCert->data);
|
||||
+ nss_ZFreeIf(o->derCert);
|
||||
+ }
|
||||
+ nss_ZFreeIf(o->id.data);
|
||||
+ nss_ZFreeIf(o->nickname);
|
||||
+ nss_ZFreeIf(o);
|
||||
+ }
|
||||
+ return NULL;
|
||||
}
|
||||
|
||||
pemInternalObject *
|
||||
@@ -306,6 +346,8 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objCla
|
||||
/* object not found, we need to create it */
|
||||
pemInternalObject *io = CreateObject(objClass, type, certDER, keyDER,
|
||||
filename, objid, slotID);
|
||||
+ if (io == NULL)
|
||||
+ return NULL;
|
||||
|
||||
io->gobjIndex = count;
|
||||
|
|
@ -1,56 +0,0 @@
|
|||
<?xml version='1.0' encoding='UTF-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="pkcs11.txt">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>pkcs11.txt</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>pkcs11.txt</refname>
|
||||
<refpurpose>NSS PKCS #11 module configuration file</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para>
|
||||
The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
|
||||
</para>
|
||||
<para>
|
||||
For full documentation visit <ulink url="https://developer.mozilla.org/en-US/docs/PKCS11_Module_Specs">PKCS #11 Module Specs</ulink>.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/etc/pki/nssdb/pkcs11.txt</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
</refentry>
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.transitional ./mozilla/security/nss/lib/ssl/sslsock.c
|
||||
--- ./mozilla/security/nss/lib/ssl/sslsock.c.transitional 2010-09-04 09:46:50.331327676 -0700
|
||||
+++ ./mozilla/security/nss/lib/ssl/sslsock.c 2010-09-04 09:50:02.814325605 -0700
|
||||
@@ -181,7 +181,7 @@ static sslOptions ssl_defaults = {
|
||||
PR_FALSE, /* noLocks */
|
||||
PR_FALSE, /* enableSessionTickets */
|
||||
PR_FALSE, /* enableDeflate */
|
||||
- 2, /* enableRenegotiation (default: requires extension) */
|
||||
+ 3, /* enableRenegotiation (default: transitional) */
|
||||
PR_FALSE, /* requireSafeNegotiation */
|
||||
PR_FALSE, /* enableFalseStart */
|
||||
};
|
|
@ -1,63 +0,0 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="secmod.db">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>secmod.db</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>secmod.db</refname>
|
||||
<refpurpose>Legacy NSS security modules database</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para><emphasis>secmod.db</emphasis> is an NSS security modules database.</para>
|
||||
<para>The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface.
|
||||
</para>
|
||||
<para>The command line utility <emphasis>modutil</emphasis> is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens.
|
||||
</para>
|
||||
<para>For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/etc/pki/nssdb/secmod.db</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5)</para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
|
||||
</refsection>
|
||||
|
||||
|
||||
</refentry>
|
|
@ -1,106 +0,0 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="setup-nsssysinit">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>setup-nsssysinit</refentrytitle>
|
||||
<manvolnum>1</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>setup-nsssysinit</refname>
|
||||
<refpurpose>Query or enable the nss-sysinit module</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>setup-nsssysinit</command>
|
||||
<arg><option>on</option></arg>
|
||||
<arg><option>off</option></arg>
|
||||
<arg><option>status</option></arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para><command>setup-nsssysinit</command> is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it. </para>
|
||||
<para>Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Options</title>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>on</option></term>
|
||||
<listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>off</option></term>
|
||||
<listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>status</option></term>
|
||||
<listitem><simpara>returns whether nss-syinit is enabled or not.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Examples</title>
|
||||
|
||||
<para>The following example will query for the status of nss-sysinit:
|
||||
<programlisting>
|
||||
/usr/bin/setup-nsssysinit status
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
<para>The following example, when run as superuser, will turn on nss-sysinit:
|
||||
<programlisting>
|
||||
/usr/bin/setup-nsssysinit on
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/usr/bin/setup-nsssysinit</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>pkg-config(1)</para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
</refentry>
|
||||
|
14
sources
14
sources
|
@ -1,6 +1,8 @@
|
|||
SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
|
||||
SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
|
||||
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
|
||||
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
|
||||
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
|
||||
SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6
|
||||
248bc97cb3fd613b23d66fd1d9d8d60a nss-3.12.8-stripped.tar.bz2
|
||||
765fa031d5affa91ab824dd981777ddf nss-pem-20100809.tar.bz2
|
||||
a5ae49867124ac75f029a9a33af31bad blank-cert8.db
|
||||
9315689bbd9f28ceebd47894f99fccbd blank-key3.db
|
||||
73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db
|
||||
691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db
|
||||
2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
|
||||
f3eaeb308918aeb0748707d8780f321c PayPalEE.cert
|
||||
|
|
|
@ -1,64 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
|
||||
# Description: NSS tools should not use SHA1 by default when
|
||||
# Author: Hubert Kario <hkario@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2016 Red Hat, Inc.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
test -x runtest.sh || chmod a+x runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Hubert Kario <hkario@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: NSS tools should not use SHA1 by default when" >> $(METADATA)
|
||||
@echo "Type: Regression" >> $(METADATA)
|
||||
@echo "TestTime: 10m" >> $(METADATA)
|
||||
@echo "RunFor: nss openssl" >> $(METADATA)
|
||||
@echo "Requires: nss nss-tools openssl" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
|
@ -1,4 +0,0 @@
|
|||
PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
|
||||
Description: NSS tools should not use SHA1 by default when
|
||||
Author: Hubert Kario <hkario@redhat.com>
|
||||
Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates
|
|
@ -1,125 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
|
||||
# Description: NSS tools should not use SHA1 by default when
|
||||
# Author: Hubert Kario <hkario@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2016 Red Hat, Inc.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include Beaker environment
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
PACKAGE="nss"
|
||||
PACKAGES="nss openssl"
|
||||
DBDIR="nssdb"
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm --all
|
||||
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||
rlRun "pushd $TmpDir"
|
||||
rlRun "mkdir nssdb"
|
||||
rlRun "certutil -N -d $DBDIR --empty-password"
|
||||
rlLogInfo "Create a JAR file"
|
||||
rlRun "mkdir java-dir"
|
||||
rlRun "pushd java-dir"
|
||||
rlRun "mkdir META-INF mypackage"
|
||||
rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
|
||||
rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
|
||||
#rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
|
||||
rlRun "popd"
|
||||
#rlRun "mv java-dir/package.jar ."
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Self signing certificates"
|
||||
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||
rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
|
||||
rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Signing certificates"
|
||||
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||
rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
|
||||
rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Certificate request"
|
||||
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||
rlRun "mkdir srv2db"
|
||||
rlRun "certutil -d srv2db -N --empty-password"
|
||||
rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
|
||||
rlRun -s "openssl req -noout -text -in srv2.req"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
|
||||
rlRun -s "openssl x509 -in srv2.crt -noout -text"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlRun "rm -rf srv2db"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Certificate request with SHA1"
|
||||
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||
rlRun "mkdir srv2db"
|
||||
rlRun "certutil -d srv2db -N --empty-password"
|
||||
rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
|
||||
rlRun -s "openssl req -noout -text -in srv2.req"
|
||||
rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
|
||||
rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
|
||||
rlRun -s "openssl x509 -in srv2.crt -noout -text"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlRun "rm -rf srv2db"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Signing CMS messages"
|
||||
rlRun "echo 'This is a document' > document.txt"
|
||||
rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
|
||||
rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
|
||||
rlAssertGrep "algorithm: sha256" $rlRun_LOG
|
||||
rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "CRL signing"
|
||||
rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
|
||||
rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
|
||||
rlRun "echo addext crlNumber 0 1245 >>script"
|
||||
rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
|
||||
rlRun "echo addext reasonCode 0 0 >>script"
|
||||
rlRun "cat script"
|
||||
rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
|
||||
rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
|
||||
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
|
||||
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "popd"
|
||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
|
@ -1,12 +0,0 @@
|
|||
---
|
||||
# This first play always runs on the local staging system
|
||||
- hosts: localhost
|
||||
roles:
|
||||
- role: standard-test-beakerlib
|
||||
tags:
|
||||
- classic
|
||||
tests:
|
||||
- NSS-tools-should-not-use-SHA1-by-default-when
|
||||
required_packages:
|
||||
- nss-tools
|
||||
- nss
|
Loading…
Reference in New Issue