From 14be89415f26f62d270def7501b1027b749d78d4 Mon Sep 17 00:00:00 2001 
From: Kai Engert Date: Thu, 11 Jan 2018 14:09:34 +0100 Subject: [PATCH] Bug 1420060, NSS_3_35_BETA1, r=franziskus UPGRADE_NSS_RELEASE --- security/nss/TAG-INFO | 2 +- security/nss/automation/clang-format/setup.sh | 4 +- .../taskcluster/docker-clang-3.9/setup.sh | 4 +- .../taskcluster/docker-hacl/setup.sh | 4 +- .../automation/taskcluster/docker/setup.sh | 4 +- .../taskcluster/graph/src/extend.js | 12 +- .../taskcluster/graph/src/try_syntax.js | 5 +- security/nss/cmd/certutil/certutil.c | 37 +- security/nss/coreconf/config.gypi | 2 +- security/nss/coreconf/coreconf.dep | 1 - .../nss/gtests/freebl_gtest/rsa_unittest.cc | 4 + .../gtests/softoken_gtest/softoken_gtest.cc | 34 +- .../gtests/ssl_gtest/ssl_agent_unittest.cc | 4 +- .../gtests/ssl_gtest/ssl_custext_unittest.cc | 1 + security/nss/lib/ckfw/builtins/certdata.txt | 628 +----------------- security/nss/lib/ckfw/builtins/nssckbi.h | 4 +- security/nss/lib/cryptohi/seckey.c | 38 +- security/nss/lib/softoken/fipstokn.c | 33 +- security/nss/lib/softoken/pkcs11.c | 13 +- security/nss/lib/softoken/pkcs11i.h | 1 + security/nss/lib/softoken/sdb.c | 33 +- security/nss/lib/softoken/sdb.h | 4 + security/nss/lib/softoken/sftkdb.c | 68 +- security/nss/lib/ssl/ssl3prot.h | 2 +- security/nss/lib/ssl/sslt.h | 6 +- security/nss/lib/ssl/tls13con.c | 2 + security/nss/lib/util/nssutil.def | 8 + security/nss/lib/util/utilmod.c | 190 +++++- security/nss/lib/util/utilpars.c | 1 + security/nss/lib/util/utilpars.h | 6 + security/nss/lib/util/utilparst.h | 2 +- security/nss/readme.md | 47 ++ security/nss/tests/all.sh | 6 +- .../nss/tests/cert/TestCA-bogus-rsa-pss1.crt | 26 + .../nss/tests/cert/TestCA-bogus-rsa-pss2.crt | 24 + security/nss/tests/cert/cert.sh | 30 +- security/nss/tests/fips/fips.sh | 1 - 37 files changed, 589 insertions(+), 702 deletions(-) create mode 100644 security/nss/tests/cert/TestCA-bogus-rsa-pss1.crt create mode 100644 security/nss/tests/cert/TestCA-bogus-rsa-pss2.crt 
diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO
index e21a0d28a9bf..756d3f53fb42 100644
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1 +1 @@
-04fc9a90997b
+NSS_3_35_BETA1
diff --git a/security/nss/automation/clang-format/setup.sh b/security/nss/automation/clang-format/setup.sh
index 9b2480e90287..beac9e905148 100644
--- a/security/nss/automation/clang-format/setup.sh
+++ b/security/nss/automation/clang-format/setup.sh
@@ -17,8 +17,8 @@ apt_packages+=('locales')
 apt-get install -y --no-install-recommends ${apt_packages[@]}
 # Download clang.
-curl -L http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz -o clang.tar.xz
-curl -L http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig -o clang.tar.xz.sig
+curl -L https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz -o clang.tar.xz
+curl -L https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig -o clang.tar.xz.sig
 # Verify the signature.
 gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
 gpg --verify clang.tar.xz.sig
diff --git a/security/nss/automation/taskcluster/docker-clang-3.9/setup.sh b/security/nss/automation/taskcluster/docker-clang-3.9/setup.sh
index 7b7d534e668e..3076667a6e55 100644
--- a/security/nss/automation/taskcluster/docker-clang-3.9/setup.sh
+++ b/security/nss/automation/taskcluster/docker-clang-3.9/setup.sh
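Review bot: The HTTPS switch on the two `curl -L` lines is worthwhile, but the integrity of the download is still decided by `gpg --verify clang.tar.xz.sig` at the end of the hunk, and nothing visible makes a failed verification stop the script unless `set -e` is in effect higher up in the file, which is outside this hunk. Suggest `gpg --verify clang.tar.xz.sig clang.tar.xz || exit 1` and `curl -fL …` so that an HTTP error page is not saved as `clang.tar.xz` for gpg to stumble over later. The `--recv-keys` line still talks to `pool.sks-keyservers.net` over plain HKP; a full-fingerprint lookup is self-authenticating, but an `hkps://` keyserver would also cover the unencrypted key fetch and a missing-key response.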
@@ -25,8 +25,8 @@ apt-get -y update
 apt-get install -y --no-install-recommends ${apt_packages[@]}
 # Download clang.
-curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
+curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
+curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
 # Verify the signature.
 gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
 gpg --verify *.tar.xz.sig
diff --git a/security/nss/automation/taskcluster/docker-hacl/setup.sh b/security/nss/automation/taskcluster/docker-hacl/setup.sh
index 418150a4fa08..f5f8bd7d5e0a 100644
--- a/security/nss/automation/taskcluster/docker-hacl/setup.sh
+++ b/security/nss/automation/taskcluster/docker-hacl/setup.sh
@@ -10,8 +10,8 @@ update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 200
 update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 200
 # Get clang-format-3.9
-curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
+curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
+curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
 # Verify the signature.
 gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
 gpg --verify *.tar.xz.sig
diff --git a/security/nss/automation/taskcluster/docker/setup.sh b/security/nss/automation/taskcluster/docker/setup.sh
index 3ba4e854eff1..01f9c413a570 100644
--- a/security/nss/automation/taskcluster/docker/setup.sh
+++ b/security/nss/automation/taskcluster/docker/setup.sh
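Review bot: The same gap applies to this hunk and to the identical docker-hacl hunk on the same line: `gpg --verify *.tar.xz.sig` is the only integrity gate for the toolchain, and its failure only stops the image build if the script runs under `set -e`, which is not visible here. Writing `gpg --verify *.tar.xz.sig || exit 1` makes the build fail closed regardless, and `curl -fLO` keeps an HTTP error body from being written under the archive name. The glob also verifies whichever signature file happens to be present, so naming the archive explicitly (as the clang-format script does) is preferable if more tarballs are ever downloaded into the same directory.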
@@ -48,8 +48,8 @@ apt-get -y update
 apt-get install -y --no-install-recommends ${apt_packages[@]}
 # Download clang.
-curl -LO http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-curl -LO http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
+curl -LO https://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz
+curl -LO https://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
 # Verify the signature.
 gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
 gpg --verify *.tar.xz.sig
diff --git a/security/nss/automation/taskcluster/graph/src/extend.js b/security/nss/automation/taskcluster/graph/src/extend.js
index afe3e82bc340..90e23ae6018e 100644
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@@ -82,8 +82,8 @@ queue.filter(task => {
 }
 if (task.group == "Test") {
- // Don't run test builds on old make platforms
- if (task.collection == "make") {
+ // Don't run test builds on old make platforms, and not for fips gyp.
+ if (task.collection == "make" || task.collection == "fips") {
 return false;
 }
 }
@@ -196,6 +196,12 @@ export default async function main() {
 features: ["allowPtrace"],
 }, "--ubsan --asan");
+ await scheduleLinux("Linux 64 (FIPS opt)", {
+ platform: "linux64",
+ collection: "fips",
+ image: LINUX_IMAGE,
+ }, "--enable-fips --opt");
+
 await scheduleWindows("Windows 2012 64 (debug, make)", {
 platform: "windows2012-64",
 collection: "make",
@@ -368,7 +374,6 @@ async function scheduleLinux(name, base, args = "") {
 parent: extra_build,
 symbol: "Certs-F",
 group: "FIPS",
- env: { NSS_TEST_ENABLE_FIPS: "1" }
 }));
 // Schedule FIPS tests.
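Review bot: As in the other setup scripts, `gpg --verify *.tar.xz.sig` is the only integrity check on the clang 4.0.0 download and nothing in the hunk makes its failure fatal; `gpg --verify *.tar.xz.sig || exit 1`, or confirming that `set -e` is set at the top of the script (outside this hunk), closes that gap. `curl -fLO` would additionally keep an HTTP error response from being stored under the archive name and handed to gpg.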
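Review bot: Removing `env: { NSS_TEST_ENABLE_FIPS: "1" }` from the Certs-F task takes away the signal the FIPS cert tests were given, and nothing in this hunk shows what replaces it; `scheduleLinux` continues outside the hunk. If the intent is that FIPS mode is now detected from the binary of the new `fips` collection (built with `--enable-fips --opt` in the earlier hunk), presumably via the `certutil --build-flags` command this patch adds, a comment on the task would save the next reader the search: `// FIPS mode is taken from the build (--enable-fips), not from NSS_TEST_ENABLE_FIPS.` The `fips` exclusion added to the `task.group == "Test"` filter does not touch this task, since its group is `"FIPS"`.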
@@ -811,7 +816,6 @@ async function scheduleWindows(name, base, build_script) {
 parent: extra_build,
 symbol: "Certs-F",
 group: "FIPS",
- env: { NSS_TEST_ENABLE_FIPS: "1" }
 }));
 // Schedule FIPS tests.
diff --git a/security/nss/automation/taskcluster/graph/src/try_syntax.js b/security/nss/automation/taskcluster/graph/src/try_syntax.js
index 2c407536409e..1f4e12eeeee9 100644
--- a/security/nss/automation/taskcluster/graph/src/try_syntax.js
+++ b/security/nss/automation/taskcluster/graph/src/try_syntax.js
@@ -22,7 +22,7 @@ function parseOptions(opts) {
 }
 // Parse platforms.
- let allPlatforms = ["linux", "linux64", "linux64-asan",
+ let allPlatforms = ["linux", "linux64", "linux64-asan", "linux64-fips",
 "win", "win64", "win-make", "win64-make", "linux64-make", "linux-make", "linux-fuzz", "linux64-fuzz", "aarch64", "mac"];
@@ -111,6 +111,7 @@ function filter(opts) {
 "linux": "linux32",
 "linux-fuzz": "linux32",
 "linux64-asan": "linux64",
+ "linux64-fips": "linux64",
 "linux64-fuzz": "linux64",
 "linux64-make": "linux64",
 "linux-make": "linux32",
@@ -126,6 +127,8 @@ function filter(opts) {
 // Additional checks.
 if (platform == "linux64-asan") {
 keep &= coll("asan");
+ } else if (platform == "linux64-fips") {
+ keep &= coll("fips");
 } else if (platform == "linux64-make" || platform == "linux-make" || platform == "win64-make" || platform == "win-make") {
 keep &= coll("make");
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
index 254182763a6f..03f4478b70ad 100644
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -1053,6 +1053,18 @@ ListModules(void)
 return SECSuccess;
 }
+static void
+PrintBuildFlags()
+{
+#ifdef NSS_FIPS_DISABLED
+ PR_fprintf(PR_STDOUT, "NSS_FIPS_DISABLED\n");
+#endif
+#ifdef NSS_NO_INIT_SUPPORT
+ PR_fprintf(PR_STDOUT, "NSS_NO_INIT_SUPPORT\n");
+#endif
+ exit(0);
+}
+
 static void
 PrintSyntax(char *progName)
 {
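Review bot: `PrintBuildFlags()` is declared with empty parentheses, which in C is an unprototyped declaration rather than a zero-argument one; `static void PrintBuildFlags(void)` matches the `ListModules(void)` style visible in the hunk context. It also calls `exit(0)` from inside a function named like a printer, so the call site in the later `certutil_main` hunk reads as if execution continues afterwards; keeping the function to output only and writing `PrintBuildFlags(); exit(0);` at the call site makes the control flow visible where it matters. A one-line header such as `/* Print the build-time defines the test suite keys on, one per line. */` would round it off.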
@@ -1100,6 +1112,7 @@ PrintSyntax(char *progName)
 FPS "\t%s -L [-n cert-name] [-h token-name] [--email email-address]\n", progName);
 FPS "\t\t [-X] [-r] [-a] [--dump-ext-val OID] [-d certdir] [-P dbprefix]\n");
+ FPS "\t%s --build-flags\n", progName);
 FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n", progName);
 FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n", progName);
@@ -1812,6 +1825,18 @@ luS(enum usage_level ul, const char *command)
 FPS "\n");
 }
+static void
+luBuildFlags(enum usage_level ul, const char *command)
+{
+ int is_my_command = (command && 0 == strcmp(command, "build-flags"));
+ if (ul == usage_all || !command || is_my_command)
+ FPS "%-15s Print enabled build flags relevant for NSS test execution\n",
+ "--build-flags");
+ if (ul == usage_selected && !is_my_command)
+ return;
+ FPS "\n");
+}
+
 static void
 LongUsage(char *progName, enum usage_level ul, const char *command)
 {
@@ -1826,6 +1851,7 @@ LongUsage(char *progName, enum usage_level ul, const char *command)
 luU(ul, command);
 luK(ul, command);
 luL(ul, command);
+ luBuildFlags(ul, command);
 luM(ul, command);
 luN(ul, command);
 luT(ul, command);
@@ -2401,6 +2427,7 @@ enum {
 cmd_Merge,
 cmd_UpgradeMerge, /* test only */
 cmd_Rename,
+ cmd_BuildFlags,
 max_cmd
 };
@@ -2503,7 +2530,9 @@ static const secuCommandFlag commands_init[] = {
 /* cmd_UpgradeMerge */ 0, PR_FALSE, 0, PR_FALSE,
 "upgrade-merge" },
 { /* cmd_Rename */ 0, PR_FALSE, 0, PR_FALSE,
- "rename" }
+ "rename" },
+ { /* cmd_BuildFlags */ 0, PR_FALSE, 0, PR_FALSE,
+ "build-flags" }
 };
 #define NUM_COMMANDS ((sizeof commands_init) / (sizeof commands_init[0]))
@@ -2690,6 +2719,10 @@ certutil_main(int argc, char **argv, PRBool initialize)
 exit(1);
 }
+ if (certutil.commands[cmd_BuildFlags].activated) {
+ PrintBuildFlags();
+ }
+
 if (certutil.options[opt_PasswordFile].arg) {
 pwdata.source = PW_FROMFILE;
 pwdata.data = certutil.options[opt_PasswordFile].arg;
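Review bot: The new `cmd_BuildFlags` enumerator and the `{ /* cmd_BuildFlags */ … "build-flags" }` row of `commands_init[]` must stay at the same index, because `certutil.commands[cmd_BuildFlags].activated` in the last hunk indexes the table by enum value; both are appended last here so they agree, but nothing in the hunks enforces it. A comment next to `max_cmd` such as `/* keep in sync with commands_init[] below */` would at least flag the coupling, and a compile-time check that the table has `max_cmd` entries would enforce it. In `luBuildFlags` the unbraced `if (…) FPS "%-15s …", "--build-flags");` spans two physical lines, which is easy to misread when a second statement is added; braces are cheap there. `certutil_main` continues outside the last hunk.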
@@ -3138,7 +3171,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
 certutil.commands[cmd_CreateAndAddCert].activated ||
 certutil.commands[cmd_AddCert].activated ||
 certutil.commands[cmd_AddEmailCert].activated) {
- if (PK11_NeedUserInit(slot)) {
+ if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
 char *password = NULL;
 /* fetch the password from the command line or the file
 * if no password is supplied, initialize the password to NULL */
diff --git a/security/nss/coreconf/config.gypi b/security/nss/coreconf/config.gypi
index 61582c49196a..f4c3fbd0fd7c 100644
--- a/security/nss/coreconf/config.gypi
+++ b/security/nss/coreconf/config.gypi
@@ -128,6 +128,7 @@
 [ 'disable_fips==1', {
 'defines': [
 'NSS_FIPS_DISABLED',
+ 'NSS_NO_INIT_SUPPORT',
 ],
 }],
 [ 'OS!="android" and OS!="mac" and OS!="win"', {
@@ -299,7 +300,6 @@
 'Common': {
 'abstract': 1,
 'defines': [
- 'NSS_NO_INIT_SUPPORT',
 'USE_UTIL_DIRECTLY',
 'NO_NSPR_10_SUPPORT',
 'SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES',
diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep
index 590d1bfaeee3..5182f75552c8 100644
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -10,4 +10,3 @@
 */
 #error "Do not include this header file."
-
diff --git a/security/nss/gtests/freebl_gtest/rsa_unittest.cc b/security/nss/gtests/freebl_gtest/rsa_unittest.cc
index c2c435330cb1..5c667a1d175d 100644
--- a/security/nss/gtests/freebl_gtest/rsa_unittest.cc
+++ b/security/nss/gtests/freebl_gtest/rsa_unittest.cc
@@ -53,5 +53,9 @@ TEST_F(RSANewKeyTest, WrongKeysizeTest) {
 TEST_F(RSANewKeyTest, expThreeTest) {
 ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x03));
+#ifdef NSS_FIPS_DISABLED
 ASSERT_TRUE(key != nullptr);
+#else
+ ASSERT_TRUE(key == nullptr);
+#endif
 }
diff --git a/security/nss/gtests/softoken_gtest/softoken_gtest.cc b/security/nss/gtests/softoken_gtest/softoken_gtest.cc
index 9b9927a7417f..d61e2e75fa20 100644
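Review bot: `PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)` changes which tokens get a PIN set before a certificate is added: a slot that reports it still needs user initialization but does not require login is now left uninitialized, and the hunk gives no reason for that. A short comment would keep the next reader from "fixing" it back: `/* Only set a PIN on tokens that require login; tokens that never prompt are left as they are. */` — hedged, since the motivating case (presumably the FIPS and no-login slot combinations this release touches elsewhere) is not visible here. `certutil_main` begins and ends outside the hunk.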
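Review bot: The new `#else` branch asserts that a 2048-bit key with e = 3 is rejected whenever `NSS_FIPS_DISABLED` is not defined, but the test gives no reason for the split; a reader has to know that FIPS 186-4 requires a public exponent larger than 2^16. Suggest a comment above the `#ifdef`: `// FIPS 186-4 requires e > 2^16, so e = 3 must fail unless FIPS is disabled.` — worth confirming against the freebl change in this release, which is not in view.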
--- a/security/nss/gtests/softoken_gtest/softoken_gtest.cc
+++ b/security/nss/gtests/softoken_gtest/softoken_gtest.cc
@@ -1,4 +1,8 @@
 #include
+#if defined(_WIN32)
+#include
+#include
+#endif
 #include "cert.h"
 #include "certdb.h"
@@ -34,6 +38,7 @@ class ScopedUniqueDirectory {
 ~ScopedUniqueDirectory() { assert(rmdir(mPath.c_str()) == 0); }
 const std::string &GetPath() { return mPath; }
+ const std::string &GetUTF8Path() { return mUTF8Path; }
 private:
 static const int RETRY_LIMIT = 5;
@@ -41,6 +46,7 @@ class ScopedUniqueDirectory {
 static bool TryMakingDirectory(/*in/out*/ std::string &prefix);
 std::string mPath;
+ std::string mUTF8Path;
 };
 ScopedUniqueDirectory::ScopedUniqueDirectory(const std::string &prefix) {
@@ -60,6 +66,18 @@ ScopedUniqueDirectory::ScopedUniqueDirectory(const std::string &prefix) {
 }
 }
 assert(mPath.length() > 0);
+#if defined(_WIN32)
+ // sqldb always uses UTF-8 regardless of the current system locale.
+ DWORD len =
+ MultiByteToWideChar(CP_ACP, 0, mPath.data(), mPath.size(), nullptr, 0);
+ std::vector buf(len, L'\0');
+ MultiByteToWideChar(CP_ACP, 0, mPath.data(), mPath.size(), buf.data(),
+ buf.size());
+ std::wstring_convert> converter;
+ mUTF8Path = converter.to_bytes(std::wstring(buf.begin(), buf.end()));
+#else
+ mUTF8Path = mPath;
+#endif
 }
 void ScopedUniqueDirectory::GenerateRandomName(std::string &prefix) {
@@ -84,10 +102,11 @@ bool ScopedUniqueDirectory::TryMakingDirectory(std::string &prefix) {
 class SoftokenTest : public ::testing::Test {
 protected:
 SoftokenTest() : mNSSDBDir("SoftokenTest.d-") {}
+ SoftokenTest(const std::string &prefix) : mNSSDBDir(prefix) {}
 virtual void SetUp() {
 std::string nssInitArg("sql:");
- nssInitArg.append(mNSSDBDir.GetPath());
+ nssInitArg.append(mNSSDBDir.GetUTF8Path());
 ASSERT_EQ(SECSuccess, NSS_Initialize(nssInitArg.c_str(), "", "", SECMOD_DB, NSS_INIT_NOROOTINIT));
 }
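Review bot: Neither `MultiByteToWideChar` call in the new `_WIN32` branch has its return value checked: the first returns 0 on failure, which makes `buf` empty and leaves `mUTF8Path` as `""` instead of the directory that was just created, and the second is assumed to have filled exactly `len` characters. `mPath.size()` is also narrowed to `int` implicitly on both calls. The class already states its invariants with `assert` (see `assert(mPath.length() > 0)` just above), so checking both results the same way keeps the style, with the caveat that `assert` is compiled out under `NDEBUG`, as with the `rmdir` in the destructor. The template arguments of `std::vector` and `std::wstring_convert` appear to have been lost in the rendering of this page rather than in the commit.
```cpp
  DWORD len =
      MultiByteToWideChar(CP_ACP, 0, mPath.data(), (int)mPath.size(), nullptr, 0);
  assert(len > 0);
  std::vector<wchar_t> buf(len, L'\0');
  DWORD written = MultiByteToWideChar(CP_ACP, 0, mPath.data(), (int)mPath.size(),
                                      buf.data(), (int)buf.size());
  assert(written == len);
  // … unchanged: wstring_convert to UTF-8 and the #else branch …
```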
@@ -202,6 +221,19 @@ TEST_F(SoftokenTest, CreateObjectChangeToEmptyPassword) {
 EXPECT_NE(nullptr, obj);
 }
+class SoftokenNonAsciiTest : public SoftokenTest {
+ protected:
+ SoftokenNonAsciiTest() : SoftokenTest("SoftokenTest.\xF7-") {}
+};
+
+TEST_F(SoftokenNonAsciiTest, NonAsciiPathWorking) {
+ ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+ ASSERT_TRUE(slot);
+ EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
+ EXPECT_EQ(SECSuccess, PK11_ResetToken(slot.get(), nullptr));
+ EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
+}
+
 // This is just any X509 certificate. Its contents don't matter.
 static unsigned char certDER[] = {
 0x30, 0x82, 0x01, 0xEF, 0x30, 0x82, 0x01, 0x94, 0xA0, 0x03, 0x02, 0x01,
diff --git a/security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc
index d703e8e785c3..0aa9a4c78d0f 100644
--- a/security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc
@@ -31,7 +31,7 @@ const static uint8_t kCannedTls13ClientHello[] = {
 0x00, 0x00, 0xa0, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x09, 0x00, 0x00, 0x06,
 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00,
 0x0a, 0x00, 0x12, 0x00, 0x10, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x01,
- 0x00, 0x01, 0x01, 0x01, 0x02, 0x01, 0x03, 0x01, 0x04, 0x00, 0x28, 0x00,
+ 0x00, 0x01, 0x01, 0x01, 0x02, 0x01, 0x03, 0x01, 0x04, 0x00, 0x33, 0x00,
 0x47, 0x00, 0x45, 0x00, 0x17, 0x00, 0x41, 0x04, 0x86, 0x4a, 0xb9, 0xdc,
 0x6a, 0x38, 0xa7, 0xce, 0xe7, 0xc2, 0x4f, 0xa6, 0x28, 0xb9, 0xdc, 0x65,
 0xbf, 0x73, 0x47, 0x3c, 0x9c, 0x65, 0x8c, 0x47, 0x6d, 0x57, 0x22, 0x8a,
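Review bot: The fixture prefix `"SoftokenTest.\xF7-"` carries a single raw 0xF7 byte, which is a valid ANSI code-page character on Windows but is not valid UTF-8 on its own, and on non-Windows `mUTF8Path` is `mPath` unchanged (earlier hunk), so the two platforms exercise different things and the test name does not say which. A comment on the class would make the intent explicit: `// 0xF7 is converted from the ANSI code page to UTF-8 on Windows; elsewhere the raw byte is passed through to sqldb unchanged.` The `PK11_InitPin(slot.get(), nullptr, nullptr)` calls set an empty PIN, which is fine for a throwaway test database but should not be copied into non-test code.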
@@ -47,7 +47,7 @@ const static uint8_t kCannedTls13ServerHello[] = {
 0x03, 0x03, 0x9c, 0xbc, 0x14, 0x9b, 0x0e, 0x2e, 0xfa, 0x0d, 0xf3,
 0xf0, 0x5c, 0x70, 0x7a, 0xe0, 0xd1, 0x9b, 0x3e, 0x5a, 0x44, 0x6b,
 0xdf, 0xe5, 0xc2, 0x28, 0x64, 0xf7, 0x00, 0xc1, 0x9c, 0x08, 0x76,
- 0x08, 0x00, 0x13, 0x01, 0x00, 0x00, 0x2e, 0x00, 0x28, 0x00, 0x24,
+ 0x08, 0x00, 0x13, 0x01, 0x00, 0x00, 0x2e, 0x00, 0x33, 0x00, 0x24,
 0x00, 0x1d, 0x00, 0x20, 0xc2, 0xcf, 0x23, 0x17, 0x64, 0x23, 0x03,
 0xf0, 0xfb, 0x45, 0x98, 0x26, 0xd1, 0x65, 0x24, 0xa1, 0x6c, 0xa9,
 0x80, 0x8f, 0x2c, 0xac, 0x0a, 0xea, 0x53, 0x3a, 0xcb, 0xe3, 0x08,
diff --git a/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc
index 4a7769cea3cd..dad944a1fca1 100644
--- a/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc
@@ -50,6 +50,7 @@ static const uint16_t kManyExtensions[] = {
 ssl_supported_groups_xtn,
 ssl_ec_point_formats_xtn,
 ssl_signature_algorithms_xtn,
+ ssl_signature_algorithms_cert_xtn,
 ssl_use_srtp_xtn,
 ssl_app_layer_protocol_xtn,
 ssl_signed_cert_timestamp_xtn,
diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt
index 7b207c705ab8..5d2baf3a56fc 100644
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -3656,7 +3656,7 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
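Review bot: The only byte changed in `kCannedTls13ServerHello` (and in `kCannedTls13ClientHello` in the preceding hunk) is `0x28` → `0x33`, i.e. an extension type moving from 40 to 51, which is presumably the key_share code point taking its TLS 1.3 draft-23 value; the `ssl3prot.h` and `sslt.h` changes listed in the diffstat are not shown here. Nothing in either array records which draft it encodes, so the next draft bump means re-deriving this from the hex. A comment above each array such as `// TLS 1.3 draft-23 encoding (key_share = 51); regenerate when the draft version changes.` would make the dependency visible.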
@@ -3815,7 +3815,7 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@@ -5109,149 +5109,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "DST ACES CA X6" -# -# Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US -# Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9 -# Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US -# Not Valid Before: Thu Nov 20 21:19:58 2003 -# Not Valid After : Mon Nov 20 21:19:58 2017 -# Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8 -# Fingerprint (SHA1): 40:54:DA:6F:1C:3F:40:74:AC:ED:0F:EC:CD:DB:79:D1:53:FB:90:1D -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "DST ACES CA X6" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\133\061\013\060\011\006\003\125\004\006\023\002\125\123\061 -\040\060\036\006\003\125\004\012\023\027\104\151\147\151\164\141 -\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163 -\164\061\021\060\017\006\003\125\004\013\023\010\104\123\124\040 -\101\103\105\123\061\027\060\025\006\003\125\004\003\023\016\104 -\123\124\040\101\103\105\123\040\103\101\040\130\066 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\133\061\013\060\011\006\003\125\004\006\023\002\125\123\061 -\040\060\036\006\003\125\004\012\023\027\104\151\147\151\164\141 -\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163 -\164\061\021\060\017\006\003\125\004\013\023\010\104\123\124\040 -\101\103\105\123\061\027\060\025\006\003\125\004\003\023\016\104 -\123\124\040\101\103\105\123\040\103\101\040\130\066 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\015\136\231\012\326\235\267\170\354\330\007\126\073\206 -\025\331 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\004\011\060\202\002\361\240\003\002\001\002\002\020\015 
-\136\231\012\326\235\267\170\354\330\007\126\073\206\025\331\060 -\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\133 -\061\013\060\011\006\003\125\004\006\023\002\125\123\061\040\060 -\036\006\003\125\004\012\023\027\104\151\147\151\164\141\154\040 -\123\151\147\156\141\164\165\162\145\040\124\162\165\163\164\061 -\021\060\017\006\003\125\004\013\023\010\104\123\124\040\101\103 -\105\123\061\027\060\025\006\003\125\004\003\023\016\104\123\124 -\040\101\103\105\123\040\103\101\040\130\066\060\036\027\015\060 -\063\061\061\062\060\062\061\061\071\065\070\132\027\015\061\067 -\061\061\062\060\062\061\061\071\065\070\132\060\133\061\013\060 -\011\006\003\125\004\006\023\002\125\123\061\040\060\036\006\003 -\125\004\012\023\027\104\151\147\151\164\141\154\040\123\151\147 -\156\141\164\165\162\145\040\124\162\165\163\164\061\021\060\017 -\006\003\125\004\013\023\010\104\123\124\040\101\103\105\123\061 -\027\060\025\006\003\125\004\003\023\016\104\123\124\040\101\103 -\105\123\040\103\101\040\130\066\060\202\001\042\060\015\006\011 -\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000 -\060\202\001\012\002\202\001\001\000\271\075\365\054\311\224\334 -\165\212\225\135\143\350\204\167\166\146\271\131\221\134\106\335 -\222\076\237\371\016\003\264\075\141\222\275\043\046\265\143\356 -\222\322\236\326\074\310\015\220\137\144\201\261\250\010\015\114 -\330\371\323\005\050\122\264\001\045\305\225\034\014\176\076\020 -\204\165\317\301\031\221\143\317\350\250\221\210\271\103\122\273 -\200\261\125\211\213\061\372\320\267\166\276\101\075\060\232\244 -\042\045\027\163\350\036\342\323\254\052\275\133\070\041\325\052 -\113\327\125\175\343\072\125\275\327\155\153\002\127\153\346\107 -\174\010\310\202\272\336\247\207\075\241\155\270\060\126\302\263 -\002\201\137\055\365\342\232\060\030\050\270\146\323\313\001\226 -\157\352\212\105\125\326\340\235\377\147\053\027\002\246\116\032 -\152\021\013\176\267\173\347\230\326\214\166\157\301\073\333\120 
-\223\176\345\320\216\037\067\270\275\272\306\237\154\351\174\063 -\362\062\074\046\107\372\047\044\002\311\176\035\133\210\102\023 -\152\065\174\175\065\351\056\146\221\162\223\325\062\046\304\164 -\365\123\243\263\135\232\366\011\313\002\003\001\000\001\243\201 -\310\060\201\305\060\017\006\003\125\035\023\001\001\377\004\005 -\060\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004 -\004\003\002\001\306\060\037\006\003\125\035\021\004\030\060\026 -\201\024\160\153\151\055\157\160\163\100\164\162\165\163\164\144 -\163\164\056\143\157\155\060\142\006\003\125\035\040\004\133\060 -\131\060\127\006\012\140\206\110\001\145\003\002\001\001\001\060 -\111\060\107\006\010\053\006\001\005\005\007\002\001\026\073\150 -\164\164\160\072\057\057\167\167\167\056\164\162\165\163\164\144 -\163\164\056\143\157\155\057\143\145\162\164\151\146\151\143\141 -\164\145\163\057\160\157\154\151\143\171\057\101\103\105\123\055 -\151\156\144\145\170\056\150\164\155\154\060\035\006\003\125\035 -\016\004\026\004\024\011\162\006\116\030\103\017\345\326\314\303 -\152\213\061\173\170\217\250\203\270\060\015\006\011\052\206\110 -\206\367\015\001\001\005\005\000\003\202\001\001\000\243\330\216 -\326\262\333\316\005\347\062\315\001\323\004\003\345\166\344\126 -\053\234\231\220\350\010\060\154\337\175\075\356\345\277\265\044 -\100\204\111\341\321\050\256\304\302\072\123\060\210\361\365\167 -\156\121\312\372\377\231\257\044\137\033\240\375\362\254\204\312 -\337\251\360\137\004\056\255\026\277\041\227\020\201\075\343\377 -\207\215\062\334\224\345\107\212\136\152\023\311\224\225\075\322 -\356\310\064\225\320\200\324\255\062\010\200\124\074\340\275\122 -\123\327\122\174\262\151\077\177\172\317\152\164\312\372\004\052 -\234\114\132\006\245\351\040\255\105\146\017\151\361\335\277\351 -\343\062\213\372\340\301\206\115\162\074\056\330\223\170\012\052 -\370\330\322\047\075\031\211\137\132\173\212\073\314\014\332\121 -\256\307\013\367\053\260\067\005\354\274\127\043\342\070\322\233 
-\150\363\126\022\210\117\102\174\270\061\304\265\333\344\310\041 -\064\351\110\021\065\356\372\307\222\127\305\237\064\344\307\366 -\367\016\013\114\234\150\170\173\161\061\307\353\036\340\147\101 -\363\267\240\247\315\345\172\063\066\152\372\232\053 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for Certificate "DST ACES CA X6" -# Issuer: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US -# Serial Number:0d:5e:99:0a:d6:9d:b7:78:ec:d8:07:56:3b:86:15:d9 -# Subject: CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US -# Not Valid Before: Thu Nov 20 21:19:58 2003 -# Not Valid After : Mon Nov 20 21:19:58 2017 -# Fingerprint (MD5): 21:D8:4C:82:2B:99:09:33:A2:EB:14:24:8D:8E:5F:E8 -# Fingerprint (SHA1): 40:54:DA:6F:1C:3F:40:74:AC:ED:0F:EC:CD:DB:79:D1:53:FB:90:1D -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "DST ACES CA X6" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\100\124\332\157\034\077\100\164\254\355\017\354\315\333\171\321 -\123\373\220\035 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\041\330\114\202\053\231\011\063\242\353\024\044\215\216\137\350 -END -CKA_ISSUER MULTILINE_OCTAL -\060\133\061\013\060\011\006\003\125\004\006\023\002\125\123\061 -\040\060\036\006\003\125\004\012\023\027\104\151\147\151\164\141 -\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163 -\164\061\021\060\017\006\003\125\004\013\023\010\104\123\124\040 -\101\103\105\123\061\027\060\025\006\003\125\004\003\023\016\104 -\123\124\040\101\103\105\123\040\103\101\040\130\066 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\015\136\231\012\326\235\267\170\354\330\007\126\073\206 -\025\331 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - # # Certificate "SwissSign Platinum CA - 
G2" # 
@@ -6916,142 +6773,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "Security Communication EV RootCA1" -# -# Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP -# Serial Number: 0 (0x0) -# Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP -# Not Valid Before: Wed Jun 06 02:12:32 2007 -# Not Valid After : Sat Jun 06 02:12:32 2037 -# Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3 -# Fingerprint (SHA1): FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Security Communication EV RootCA1" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061 -\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040 -\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117 -\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023 -\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156 -\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103 -\101\061 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061 -\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040 -\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117 -\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023 -\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156 -\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103 -\101\061 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\000 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\003\175\060\202\002\145\240\003\002\001\002\002\001\000 
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 -\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061\045 -\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040\124 -\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117\056 -\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023\041 -\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156\151 -\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103\101 -\061\060\036\027\015\060\067\060\066\060\066\060\062\061\062\063 -\062\132\027\015\063\067\060\066\060\066\060\062\061\062\063\062 -\132\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120 -\061\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115 -\040\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103 -\117\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013 -\023\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165 -\156\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164 -\103\101\061\060\202\001\042\060\015\006\011\052\206\110\206\367 -\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002 -\202\001\001\000\274\177\354\127\233\044\340\376\234\272\102\171 -\251\210\212\372\200\340\365\007\051\103\352\216\012\064\066\215 -\034\372\247\265\071\170\377\227\165\367\057\344\252\153\004\204 -\104\312\246\342\150\216\375\125\120\142\017\244\161\016\316\007 -\070\055\102\205\120\255\074\226\157\213\325\242\016\317\336\111 -\211\075\326\144\056\070\345\036\154\265\127\212\236\357\110\016 -\315\172\151\026\207\104\265\220\344\006\235\256\241\004\227\130 -\171\357\040\112\202\153\214\042\277\354\037\017\351\204\161\355 -\361\016\344\270\030\023\314\126\066\135\321\232\036\121\153\071 -\156\140\166\210\064\013\363\263\321\260\235\312\141\342\144\035 -\301\106\007\270\143\335\036\063\145\263\216\011\125\122\075\265 -\275\377\007\353\255\141\125\030\054\251\151\230\112\252\100\305 -\063\024\145\164\000\371\221\336\257\003\110\305\100\124\334\017 
-\204\220\150\040\305\222\226\334\056\345\002\105\252\300\137\124 -\370\155\352\111\317\135\154\113\257\357\232\302\126\134\306\065 -\126\102\152\060\137\302\253\366\342\075\077\263\311\021\217\061 -\114\327\237\111\002\003\001\000\001\243\102\060\100\060\035\006 -\003\125\035\016\004\026\004\024\065\112\365\115\257\077\327\202 -\070\254\253\161\145\027\165\214\235\125\223\346\060\016\006\003 -\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003 -\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006 -\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001 -\000\250\207\351\354\370\100\147\135\303\301\146\307\100\113\227 -\374\207\023\220\132\304\357\240\312\137\213\267\247\267\361\326 -\265\144\267\212\263\270\033\314\332\373\254\146\210\101\316\350 -\374\344\333\036\210\246\355\047\120\033\002\060\044\106\171\376 -\004\207\160\227\100\163\321\300\301\127\031\232\151\245\047\231 -\253\235\142\204\366\121\301\054\311\043\025\330\050\267\253\045 -\023\265\106\341\206\002\377\046\214\304\210\222\035\126\376\031 -\147\362\125\344\200\243\153\234\253\167\341\121\161\015\040\333 -\020\232\333\275\166\171\007\167\231\050\255\232\136\332\261\117 -\104\054\065\216\245\226\307\375\203\360\130\306\171\326\230\174 -\250\215\376\206\076\007\026\222\341\173\347\035\354\063\166\176 -\102\056\112\205\371\221\211\150\204\003\201\245\233\232\276\343 -\067\305\124\253\126\073\030\055\101\244\014\370\102\333\231\240 -\340\162\157\273\135\341\026\117\123\012\144\371\116\364\277\116 -\124\275\170\154\210\352\277\234\023\044\302\160\151\242\177\017 -\310\074\255\010\311\260\230\100\243\052\347\210\203\355\167\217 -\164 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for Certificate "Security Communication EV RootCA1" -# Issuer: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP -# Serial Number: 0 (0x0) -# Subject: OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP -# Not Valid Before: Wed Jun 06 
02:12:32 2007 -# Not Valid After : Sat Jun 06 02:12:32 2037 -# Fingerprint (MD5): 22:2D:A6:01:EA:7C:0A:F7:F0:6C:56:43:3F:77:76:D3 -# Fingerprint (SHA1): FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Security Communication EV RootCA1" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\376\270\304\062\334\371\166\232\316\256\075\330\220\217\375\050 -\206\145\144\175 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\042\055\246\001\352\174\012\367\360\154\126\103\077\167\166\323 -END -CKA_ISSUER MULTILINE_OCTAL -\060\140\061\013\060\011\006\003\125\004\006\023\002\112\120\061 -\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040 -\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117 -\056\054\114\124\104\056\061\052\060\050\006\003\125\004\013\023 -\041\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156 -\151\143\141\164\151\157\156\040\105\126\040\122\157\157\164\103 -\101\061 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\000 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - # # Certificate "OISTE WISeKey Global Root GA CA" # 
@@ -14478,169 +14199,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "CA Disig Root R1" -# -# Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK -# Serial Number:00:c3:03:9a:ee:50:90:6e:28 -# Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK -# Not Valid Before: Thu Jul 19 09:06:56 2012 -# Not Valid After : Sat Jul 19 09:06:56 2042 -# Fingerprint (MD5): BE:EC:11:93:9A:F5:69:21:BC:D7:C1:C0:67:89:CC:2A -# Fingerprint (SHA1): 8E:1C:74:F8:A6:20:B9:E5:8A:F4:61:FA:EC:2B:47:56:51:1A:52:C6 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CA Disig Root R1" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061 -\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163 -\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104 -\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125 -\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157 -\164\040\122\061 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061 -\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163 -\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104 -\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125 -\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157 -\164\040\122\061 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\011\000\303\003\232\356\120\220\156\050 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\005\151\060\202\003\121\240\003\002\001\002\002\011\000 -\303\003\232\356\120\220\156\050\060\015\006\011\052\206\110\206 -\367\015\001\001\005\005\000\060\122\061\013\060\011\006\003\125 
-\004\006\023\002\123\113\061\023\060\021\006\003\125\004\007\023 -\012\102\162\141\164\151\163\154\141\166\141\061\023\060\021\006 -\003\125\004\012\023\012\104\151\163\151\147\040\141\056\163\056 -\061\031\060\027\006\003\125\004\003\023\020\103\101\040\104\151 -\163\151\147\040\122\157\157\164\040\122\061\060\036\027\015\061 -\062\060\067\061\071\060\071\060\066\065\066\132\027\015\064\062 -\060\067\061\071\060\071\060\066\065\066\132\060\122\061\013\060 -\011\006\003\125\004\006\023\002\123\113\061\023\060\021\006\003 -\125\004\007\023\012\102\162\141\164\151\163\154\141\166\141\061 -\023\060\021\006\003\125\004\012\023\012\104\151\163\151\147\040 -\141\056\163\056\061\031\060\027\006\003\125\004\003\023\020\103 -\101\040\104\151\163\151\147\040\122\157\157\164\040\122\061\060 -\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001 -\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000 -\252\303\170\367\334\230\243\247\132\136\167\030\262\335\004\144 -\017\143\375\233\226\011\200\325\350\252\245\342\234\046\224\072 -\350\231\163\214\235\337\327\337\203\363\170\117\100\341\177\322 -\247\322\345\312\023\223\347\355\306\167\137\066\265\224\257\350 -\070\216\333\233\345\174\273\314\215\353\165\163\341\044\315\346 -\247\055\031\056\330\326\212\153\024\353\010\142\012\330\334\263 -\000\115\303\043\174\137\103\010\043\062\022\334\355\014\255\300 -\175\017\245\172\102\331\132\160\331\277\247\327\001\034\366\233 -\253\216\267\112\206\170\240\036\126\061\256\357\202\012\200\101 -\367\033\311\256\253\062\046\324\054\153\355\175\153\344\342\136 -\042\012\105\313\204\061\115\254\376\333\321\107\272\371\140\227 -\071\261\145\307\336\373\231\344\012\042\261\055\115\345\110\046 -\151\253\342\252\363\373\374\222\051\062\351\263\076\115\037\047 -\241\315\216\271\027\373\045\076\311\156\363\167\332\015\022\366 -\135\307\273\066\020\325\124\326\363\340\342\107\110\346\336\024 -\332\141\122\257\046\264\365\161\117\311\327\322\006\337\143\312 
-\377\041\350\131\006\340\010\325\204\025\123\367\103\345\174\305 -\240\211\230\153\163\306\150\316\145\336\275\177\005\367\261\356 -\366\127\241\140\225\305\314\352\223\072\276\231\256\233\002\243 -\255\311\026\265\316\335\136\231\170\176\032\071\176\262\300\005 -\244\300\202\245\243\107\236\214\352\134\266\274\147\333\346\052 -\115\322\004\334\243\256\105\367\274\213\234\034\247\326\325\003 -\334\010\313\056\026\312\134\100\063\350\147\303\056\347\246\104 -\352\021\105\034\065\145\055\036\105\141\044\033\202\056\245\235 -\063\135\145\370\101\371\056\313\224\077\037\243\014\061\044\104 -\355\307\136\255\120\272\306\101\233\254\360\027\145\300\370\135 -\157\133\240\012\064\074\356\327\352\210\237\230\371\257\116\044 -\372\227\262\144\166\332\253\364\355\343\303\140\357\325\371\002 -\310\055\237\203\257\147\151\006\247\061\125\325\317\113\157\377 -\004\005\307\130\254\137\026\033\345\322\243\353\061\333\037\063 -\025\115\320\362\245\123\365\313\341\075\116\150\055\330\022\335 -\252\362\346\115\233\111\345\305\050\241\272\260\132\306\240\265 -\002\003\001\000\001\243\102\060\100\060\017\006\003\125\035\023 -\001\001\377\004\005\060\003\001\001\377\060\016\006\003\125\035 -\017\001\001\377\004\004\003\002\001\006\060\035\006\003\125\035 -\016\004\026\004\024\211\012\264\070\223\032\346\253\356\233\221 -\030\371\365\074\076\065\320\323\202\060\015\006\011\052\206\110 -\206\367\015\001\001\005\005\000\003\202\002\001\000\062\213\366 -\235\112\311\276\024\345\214\254\070\312\072\011\324\033\316\206 -\263\335\353\324\272\050\276\022\256\105\054\004\164\254\023\121 -\305\130\030\146\115\202\332\325\334\223\300\047\341\276\174\237 -\122\236\022\126\366\325\234\251\364\165\234\372\067\022\217\034 -\223\354\127\376\007\017\253\325\022\367\017\256\141\136\126\200 -\111\365\374\060\365\233\117\037\101\057\034\204\323\211\307\342 -\332\002\166\355\011\317\154\301\270\034\203\034\026\372\224\315 -\175\240\310\030\322\310\235\156\365\275\151\324\155\075\065\350 
-\036\242\117\140\327\007\051\374\262\243\244\235\156\025\222\126 -\031\114\012\260\351\174\322\031\115\102\106\354\275\375\366\127 -\133\335\230\176\244\115\314\162\003\203\130\135\357\223\072\101 -\172\143\252\174\072\250\365\254\244\321\335\242\055\266\052\374 -\237\001\216\342\020\261\304\312\344\147\333\125\045\031\077\375 -\350\066\176\263\341\341\201\257\021\026\213\120\227\140\031\202 -\000\300\153\115\163\270\321\023\007\076\352\266\061\117\360\102 -\232\155\342\021\164\345\224\254\215\204\225\074\041\257\305\332 -\107\310\337\071\142\142\313\133\120\013\327\201\100\005\234\233 -\355\272\266\213\036\004\157\226\040\071\355\244\175\051\333\110 -\316\202\334\324\002\215\035\004\061\132\307\113\360\154\141\122 -\327\264\121\302\201\154\315\341\373\247\241\322\222\166\317\261 -\017\067\130\244\362\122\161\147\077\014\210\170\200\211\301\310 -\265\037\222\143\276\247\172\212\126\054\032\250\246\234\265\135 -\263\143\320\023\040\241\353\221\154\320\215\175\257\337\013\344 -\027\271\206\236\070\261\224\014\130\214\340\125\252\073\143\155 -\232\211\140\270\144\052\222\306\067\364\176\103\103\267\163\350 -\001\347\177\227\017\327\362\173\031\375\032\327\217\311\372\205 -\153\172\235\236\211\266\246\050\231\223\210\100\367\076\315\121 -\243\312\352\357\171\107\041\265\376\062\342\307\303\121\157\276 -\200\164\360\244\303\072\362\117\351\137\337\031\012\362\073\023 -\103\254\061\244\263\347\353\374\030\326\001\251\363\052\217\066 -\016\353\264\261\274\267\114\311\153\277\241\363\331\364\355\342 -\360\343\355\144\236\075\057\226\122\117\200\123\213 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for "CA Disig Root R1" -# Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK -# Serial Number:00:c3:03:9a:ee:50:90:6e:28 -# Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK -# Not Valid Before: Thu Jul 19 09:06:56 2012 -# Not Valid After : Sat Jul 19 09:06:56 2042 -# Fingerprint (MD5): BE:EC:11:93:9A:F5:69:21:BC:D7:C1:C0:67:89:CC:2A -# 
Fingerprint (SHA1): 8E:1C:74:F8:A6:20:B9:E5:8A:F4:61:FA:EC:2B:47:56:51:1A:52:C6 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "CA Disig Root R1" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\216\034\164\370\246\040\271\345\212\364\141\372\354\053\107\126 -\121\032\122\306 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\276\354\021\223\232\365\151\041\274\327\301\300\147\211\314\052 -END -CKA_ISSUER MULTILINE_OCTAL -\060\122\061\013\060\011\006\003\125\004\006\023\002\123\113\061 -\023\060\021\006\003\125\004\007\023\012\102\162\141\164\151\163 -\154\141\166\141\061\023\060\021\006\003\125\004\012\023\012\104 -\151\163\151\147\040\141\056\163\056\061\031\060\027\006\003\125 -\004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157 -\164\040\122\061 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\011\000\303\003\232\356\120\220\156\050 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - # # Certificate "CA Disig Root R2" # 
@@ -17672,188 +17230,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal" -# -# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US -# Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae -# Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US -# Not Valid Before: Thu Mar 26 00:00:00 2009 -# Not Valid After : Sun Mar 24 23:59:59 2019 -# Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14 -# Fingerprint (SHA1): 76:44:59:78:1B:AC:B0:47:63:A5:D0:A1:58:91:65:26:1F:29:8E:3B -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\201\265\061\013\060\011\006\003\125\004\006\023\002\125\123 -\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123 -\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125 -\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165 -\163\164\040\116\145\164\167\157\162\153\061\073\060\071\006\003 -\125\004\013\023\062\124\145\162\155\163\040\157\146\040\165\163 -\145\040\141\164\040\150\164\164\160\163\072\057\057\167\167\167 -\056\166\145\162\151\163\151\147\156\056\143\157\155\057\162\160 -\141\040\050\143\051\060\071\061\057\060\055\006\003\125\004\003 -\023\046\126\145\162\151\123\151\147\156\040\103\154\141\163\163 
-\040\063\040\123\145\143\165\162\145\040\123\145\162\166\145\162 -\040\103\101\040\055\040\107\062 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123 -\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123 -\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125 -\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165 -\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003 -\125\004\013\023\061\050\143\051\040\062\060\060\066\040\126\145 -\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106 -\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163 -\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023 -\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040 -\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171 -\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101 -\165\164\150\157\162\151\164\171\040\055\040\107\065 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\057\000\156\315\027\160\146\347\137\243\202\012\171\037 -\005\256 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\005\071\060\202\004\041\240\003\002\001\002\002\020\057 -\000\156\315\027\160\146\347\137\243\202\012\171\037\005\256\060 -\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201 -\312\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027 -\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147 -\156\054\040\111\156\143\056\061\037\060\035\006\003\125\004\013 -\023\026\126\145\162\151\123\151\147\156\040\124\162\165\163\164 -\040\116\145\164\167\157\162\153\061\072\060\070\006\003\125\004 -\013\023\061\050\143\051\040\062\060\060\066\040\126\145\162\151 -\123\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162 -\040\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040 -\157\156\154\171\061\105\060\103\006\003\125\004\003\023\074\126 
-\145\162\151\123\151\147\156\040\103\154\141\163\163\040\063\040 -\120\165\142\154\151\143\040\120\162\151\155\141\162\171\040\103 -\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164 -\150\157\162\151\164\171\040\055\040\107\065\060\036\027\015\060 -\071\060\063\062\066\060\060\060\060\060\060\132\027\015\061\071 -\060\063\062\064\062\063\065\071\065\071\132\060\201\265\061\013 -\060\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006 -\003\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040 -\111\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126 -\145\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145 -\164\167\157\162\153\061\073\060\071\006\003\125\004\013\023\062 -\124\145\162\155\163\040\157\146\040\165\163\145\040\141\164\040 -\150\164\164\160\163\072\057\057\167\167\167\056\166\145\162\151 -\163\151\147\156\056\143\157\155\057\162\160\141\040\050\143\051 -\060\071\061\057\060\055\006\003\125\004\003\023\046\126\145\162 -\151\123\151\147\156\040\103\154\141\163\163\040\063\040\123\145 -\143\165\162\145\040\123\145\162\166\145\162\040\103\101\040\055 -\040\107\062\060\202\001\042\060\015\006\011\052\206\110\206\367 -\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002 -\202\001\001\000\324\126\217\127\073\067\050\246\100\143\322\225 -\325\005\164\332\265\031\152\226\326\161\127\057\342\300\064\214 -\240\225\263\214\341\067\044\363\056\355\103\105\005\216\211\327 -\372\332\112\265\370\076\215\116\307\371\111\120\105\067\100\237 -\164\252\240\121\125\141\361\140\204\211\245\236\200\215\057\260 -\041\252\105\202\304\317\264\024\177\107\025\040\050\202\260\150 -\022\300\256\134\007\327\366\131\314\313\142\126\134\115\111\377 -\046\210\253\124\121\072\057\112\332\016\230\342\211\162\271\374 -\367\150\074\304\037\071\172\313\027\201\363\014\255\017\334\141 -\142\033\020\013\004\036\051\030\161\136\142\313\103\336\276\061 -\272\161\002\031\116\046\251\121\332\214\144\151\003\336\234\375 
-\175\375\173\141\274\374\204\174\210\134\264\303\173\355\137\053 -\106\022\361\375\000\001\232\213\133\351\243\005\056\217\056\133 -\336\363\033\170\370\146\221\010\300\136\316\325\260\066\312\324 -\250\173\240\175\371\060\172\277\370\335\031\121\053\040\272\376 -\247\317\241\116\260\147\365\200\252\053\203\056\322\216\124\211 -\216\036\051\013\002\003\001\000\001\243\202\001\054\060\202\001 -\050\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001 -\001\377\002\001\000\060\016\006\003\125\035\017\001\001\377\004 -\004\003\002\001\006\060\051\006\003\125\035\021\004\042\060\040 -\244\036\060\034\061\032\060\030\006\003\125\004\003\023\021\103 -\154\141\163\163\063\103\101\062\060\064\070\055\061\055\065\062 -\060\035\006\003\125\035\016\004\026\004\024\245\357\013\021\316 -\300\101\003\243\112\145\220\110\262\034\340\127\055\175\107\060 -\146\006\003\125\035\040\004\137\060\135\060\133\006\013\140\206 -\110\001\206\370\105\001\007\027\003\060\114\060\043\006\010\053 -\006\001\005\005\007\002\001\026\027\150\164\164\160\163\072\057 -\057\144\056\163\171\155\143\142\056\143\157\155\057\143\160\163 -\060\045\006\010\053\006\001\005\005\007\002\002\060\031\032\027 -\150\164\164\160\163\072\057\057\144\056\163\171\155\143\142\056 -\143\157\155\057\162\160\141\060\057\006\003\125\035\037\004\050 -\060\046\060\044\240\042\240\040\206\036\150\164\164\160\072\057 -\057\163\056\163\171\155\143\142\056\143\157\155\057\160\143\141 -\063\055\147\065\056\143\162\154\060\037\006\003\125\035\043\004 -\030\060\026\200\024\177\323\145\247\302\335\354\273\360\060\011 -\363\103\071\372\002\257\063\061\063\060\015\006\011\052\206\110 -\206\367\015\001\001\005\005\000\003\202\001\001\000\053\216\024 -\314\354\206\010\140\067\213\154\145\211\045\041\336\057\122\242 -\007\236\130\323\263\026\170\001\231\121\225\264\023\167\314\167 -\335\013\134\201\067\326\276\366\142\326\004\067\013\030\163\232 -\323\366\301\242\036\155\234\273\214\021\346\076\022\136\007\137 
-\013\203\134\164\002\340\120\364\261\046\033\155\306\350\351\277 -\115\271\001\025\031\354\120\232\371\021\360\201\130\103\054\115 -\021\100\263\132\106\010\246\136\163\241\210\022\065\214\377\003 -\072\275\326\235\372\347\334\226\271\032\144\076\304\375\331\012 -\266\145\236\272\245\250\130\374\073\042\360\242\127\356\212\127 -\107\234\167\307\045\341\254\064\005\115\363\202\176\101\043\272 -\264\127\363\347\306\001\145\327\115\211\231\034\151\115\136\170 -\366\353\162\161\075\262\304\225\001\237\135\014\267\057\045\246 -\134\171\101\357\236\304\147\074\241\235\177\161\072\320\225\227 -\354\170\102\164\230\156\276\076\150\114\127\074\250\223\101\207 -\013\344\271\257\221\373\120\114\014\272\300\044\047\321\025\333 -\145\110\041\012\057\327\334\176\240\314\145\176\171 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal" -# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. 
- For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US -# Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae -# Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US -# Not Valid Before: Thu Mar 26 00:00:00 2009 -# Not Valid After : Sun Mar 24 23:59:59 2019 -# Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14 -# Fingerprint (SHA1): 76:44:59:78:1B:AC:B0:47:63:A5:D0:A1:58:91:65:26:1F:29:8E:3B -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\166\104\131\170\033\254\260\107\143\245\320\241\130\221\145\046 -\037\051\216\073 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\277\022\155\372\174\325\133\046\171\072\215\252\021\357\057\134 -END -CKA_ISSUER MULTILINE_OCTAL -\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123 -\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123 -\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125 -\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165 -\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003 -\125\004\013\023\061\050\143\051\040\062\060\060\066\040\126\145 -\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106 -\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163 -\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023 -\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040 -\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171 -\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101 -\165\164\150\157\162\151\164\171\040\055\040\107\065 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL 
-\002\020\057\000\156\315\027\160\146\347\137\243\202\012\171\037
-\005\256
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
 #
 # Certificate "Staat der Nederlanden Root CA - G3"
 #
diff --git a/security/nss/lib/ckfw/builtins/nssckbi.h b/security/nss/lib/ckfw/builtins/nssckbi.h
index 7b793e2cc2a9..0189369b1b06 100644
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -46,8 +46,8 @@
 * It's recommend to switch back to 0 after having reached version 98/99.
 */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 20
-#define NSS_BUILTINS_LIBRARY_VERSION "2.20"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 22
+#define NSS_BUILTINS_LIBRARY_VERSION "2.22"
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c
index 0f141b5c538d..0f9353f3beaf 100644
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -1984,13 +1984,14 @@ sec_GetHashMechanismByOidTag(SECOidTag tag)
 return CKM_SHA384;
 case SEC_OID_SHA256:
 return CKM_SHA256;
+ case SEC_OID_SHA224:
+ return CKM_SHA224;
+ case SEC_OID_SHA1:
+ return CKM_SHA_1;
 default:
 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- /* fallthrough */
- case SEC_OID_SHA1:
- break;
+ return CKM_INVALID_MECHANISM;
 }
- return CKM_SHA_1;
 }
 static CK_RSA_PKCS_MGF_TYPE
@@ -2003,13 +2004,14 @@ sec_GetMgfTypeByOidTag(SECOidTag tag)
 return CKG_MGF1_SHA384;
 case SEC_OID_SHA256:
 return CKG_MGF1_SHA256;
+ case SEC_OID_SHA224:
+ return CKG_MGF1_SHA224;
+ case SEC_OID_SHA1:
+ return CKG_MGF1_SHA1;
 default:
 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- /* fallthrough */
- case SEC_OID_SHA1:
- break;
+ return 0;
 }
- return CKG_MGF1_SHA1;
 }
 SECStatus
@@ -2019,6 +2021,7 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
 SECStatus rv = SECSuccess;
 SECOidTag hashAlgTag;
 unsigned long saltLength;
+ unsigned long trailerField;
 PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS));
@@ -2028,6 +2031,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
 hashAlgTag = SEC_OID_SHA1; /* default, SHA-1 */
 }
 mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag);
+ if (mech->hashAlg == CKM_INVALID_MECHANISM) {
+ return SECFailure;
+ }
 if (params->maskAlg) {
 SECAlgorithmID maskHashAlg;
@@ -2050,6 +2056,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
 }
 maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg);
 mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag);
+ if (mech->mgf == 0) {
+ return SECFailure;
+ }
 } else {
 mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */
 }
@@ -2064,5 +2073,18 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
 }
 mech->sLen = saltLength;
+ if (params->trailerField.data) {
+ rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->trailerField, &trailerField);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ if (trailerField != 1) {
+ /* the value must be 1, which represents the trailer field
+ * with hexadecimal value 0xBC */
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ }
+ return rv;
 }
diff --git a/security/nss/lib/softoken/fipstokn.c b/security/nss/lib/softoken/fipstokn.c
index fd4fd4207c0c..ca7d7998ac5f 100644
--- a/security/nss/lib/softoken/fipstokn.c
+++ b/security/nss/lib/softoken/fipstokn.c
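Review bot: `return 0;` in the default arm of sec_GetMgfTypeByOidTag turns a bare 0 into an error sentinel that sec_RSAPSSParamsToMechanism later tests with `if (mech->mgf == 0)`; unlike CKM_INVALID_MECHANISM in the sibling hash helper there is no named constant, so a reader of the caller has to know that no CKG_MGF1_* value is 0. A one-line comment on the return, `/* 0 is not a valid CKG_MGF1_* value, so it doubles as the error sentinel */`, or a single local `#define` used in both the helper and the `mech->mgf == 0` check of the `@@ -2050` hunk, would make that contract explicit. The switch being edited begins outside the hunk.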
@@ -540,7 +540,10 @@ FC_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
 crv = NSC_GetTokenInfo(slotID, pInfo);
 if (crv == CKR_OK) {
- if ((pInfo->flags & CKF_LOGIN_REQUIRED) == 0) {
+ /* use the global database to figure out if we are running in
+ * FIPS 140 Level 1 or Level 2 */
+ if (slotID == FIPS_SLOT_ID &&
+ (pInfo->flags & CKF_LOGIN_REQUIRED) == 0) {
 isLevel2 = PR_FALSE;
 }
 }
@@ -616,7 +619,8 @@ FC_InitPIN(CK_SESSION_HANDLE hSession,
 * we need to make sure the pin meets FIPS requirements */
 if ((ulPinLen == 0) || ((rv = sftk_newPinCheck(pPin, ulPinLen)) == CKR_OK)) {
 rv = NSC_InitPIN(hSession, pPin, ulPinLen);
- if (rv == CKR_OK) {
+ if ((rv == CKR_OK) &&
+ (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
 isLevel2 = (ulPinLen > 0) ? PR_TRUE : PR_FALSE;
 }
 }
@@ -644,7 +648,8 @@ FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
 if ((rv = sftk_fipsCheck()) == CKR_OK &&
 (rv = sftk_newPinCheck(pNewPin, usNewLen)) == CKR_OK) {
 rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
- if (rv == CKR_OK) {
+ if ((rv == CKR_OK) &&
+ (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
 /* if we set the password in level1 we now go
 * to level2. NOTE: we don't allow the user to
 * go from level2 to level1 */
@@ -705,11 +710,23 @@ FC_GetSessionInfo(CK_SESSION_HANDLE hSession,
 rv = NSC_GetSessionInfo(hSession, pInfo);
 if (rv == CKR_OK) {
- if ((isLoggedIn) && (pInfo->state == CKS_RO_PUBLIC_SESSION)) {
- pInfo->state = CKS_RO_USER_FUNCTIONS;
- }
- if ((isLoggedIn) && (pInfo->state == CKS_RW_PUBLIC_SESSION)) {
- pInfo->state = CKS_RW_USER_FUNCTIONS;
+ /* handle the case where the auxilary slot doesn't require login.
+ * piggy back on the main token's login state */
+ if (isLoggedIn &&
+ ((pInfo->state == CKS_RO_PUBLIC_SESSION) ||
+ (pInfo->state == CKS_RW_PUBLIC_SESSION))) {
+ CK_RV crv;
+ CK_TOKEN_INFO tInfo;
+ crv = NSC_GetTokenInfo(sftk_SlotIDFromSessionHandle(hSession),
+ &tInfo);
+ /* if the token doesn't login, use our global login state */
+ if ((crv == CKR_OK) && ((tInfo.flags & CKF_LOGIN_REQUIRED) == 0)) {
+ if (pInfo->state == CKS_RO_PUBLIC_SESSION) {
+ pInfo->state = CKS_RO_USER_FUNCTIONS;
+ } else {
+ pInfo->state = CKS_RW_USER_FUNCTIONS;
+ }
+ }
 }
 }
 return rv;
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index 968fa09d5934..77882a274e30 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -2364,17 +2364,22 @@ sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all)
 return slot;
 }
-SFTKSlot *
-sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
+CK_SLOT_ID
+sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle)
 {
 CK_ULONG slotIDIndex = (handle >> 24) & 0x7f;
 CK_ULONG moduleIndex = (handle >> 31) & 1;
 if (slotIDIndex >= nscSlotCount[moduleIndex]) {
- return NULL;
+ return (CK_SLOT_ID)-1;
 }
+ return nscSlotList[moduleIndex][slotIDIndex];
+}
- return sftk_SlotFromID(nscSlotList[moduleIndex][slotIDIndex], PR_FALSE);
+SFTKSlot *
+sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
+{
+ return sftk_SlotFromID(sftk_SlotIDFromSessionHandle(handle), PR_FALSE);
 }
 static CK_RV
diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h
index c5f21c30a508..7e57dc5e5c54 100644
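Review bot: sftk_SlotFromSessionHandle now forwards the `(CK_SLOT_ID)-1` sentinel from sftk_SlotIDFromSessionHandle straight into sftk_SlotFromID, whereas the removed code returned NULL before doing any lookup; the NULL result for a malformed handle now depends on sftk_SlotFromID rejecting an unknown ID, which is not visible in this hunk. An explicit guard keeps the old contract local to this function: `CK_SLOT_ID slotID = sftk_SlotIDFromSessionHandle(handle);` / `if (slotID == (CK_SLOT_ID)-1) return NULL;` / `return sftk_SlotFromID(slotID, PR_FALSE);`. The same sentinel is compared against FIPS_SLOT_ID in the FC_InitPIN and FC_SetPIN hunks of fipstokn.c, so giving it a name next to the new prototype in pkcs11i.h would document that it marks an invalid session handle rather than a real slot.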
--- a/security/nss/lib/softoken/pkcs11i.h
+++ b/security/nss/lib/softoken/pkcs11i.h
@@ -667,6 +667,7 @@ extern CK_RV sftk_handleObject(SFTKObject *object, SFTKSession *session);
 extern SFTKSlot *sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all);
 extern SFTKSlot *sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle);
+extern CK_SLOT_ID sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle);
 extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle);
 extern void sftk_FreeSession(SFTKSession *session);
 extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
diff --git a/security/nss/lib/softoken/sdb.c b/security/nss/lib/softoken/sdb.c
index 57337e3342ae..96717cb26837 100644
--- a/security/nss/lib/softoken/sdb.c
+++ b/security/nss/lib/softoken/sdb.c
@@ -37,6 +37,7 @@
 #elif defined(XP_UNIX)
 #include
 #endif
+#include "utilpars.h"
 #ifdef SQLITE_UNSAFE_THREADS
 #include "prlock.h"
@@ -190,6 +191,34 @@ sdb_done(int err, int *count)
 return 0;
 }
+#if defined(_WIN32)
+/*
+ * NSPR functions and narrow CRT functions do not handle UTF-8 file paths that
+ * sqlite3 expects.
+ */
+
+static int
+sdb_chmod(const char *filename, int pmode)
+{
+ int result;
+
+ if (!filename) {
+ return -1;
+ }
+
+ wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
+ if (!filenameWide) {
+ return -1;
+ }
+ result = _wchmod(filenameWide, pmode);
+ PORT_Free(filenameWide);
+
+ return result;
+}
+#else
+#define sdb_chmod(filename, pmode) chmod((filename), (pmode))
+#endif
+
 /*
 * find out where sqlite stores the temp tables. We do this by replicating
 * the logic from sqlite.
@@ -1739,7 +1768,7 @@ sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate,
 * sqlite3 will always create it. */
 LOCK_SQLITE();
- create = (PR_Access(dbname, PR_ACCESS_EXISTS) != PR_SUCCESS);
+ create = (_NSSUTIL_Access(dbname, PR_ACCESS_EXISTS) != PR_SUCCESS);
 if ((flags == SDB_RDONLY) && create) {
 error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
 goto loser;
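Review bot: sdb_chmod on Windows hands the POSIX mode to `_wchmod`, which only honours the _S_IREAD/_S_IWRITE bits (the file's read-only attribute) and cannot restrict access to the owner the way `chmod(dbname, 0600)` does on Unix, so the owner-only protection that the sdb_init caller expects for a freshly created database is not provided on that platform; the narrow chmod it replaces had the same limitation, but the new wrapper is the natural place to record it. A comment above the function such as `/* NOTE: _wchmod only toggles the read-only attribute; owner-only access on Windows must come from the directory ACL, not from this call */` would stop a reader assuming 0600 semantics from the call site. sdb_chmod is complete within the hunk.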
@@ -1756,7 +1785,7 @@ sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate,
 *
 * NO NSPR call for chmod? :( */
- if (create && chmod(dbname, 0600) != 0) {
+ if (create && sdb_chmod(dbname, 0600) != 0) {
 error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
 goto loser;
 }
diff --git a/security/nss/lib/softoken/sdb.h b/security/nss/lib/softoken/sdb.h
index 04b873e0279d..8ff254bf71b6 100644
--- a/security/nss/lib/softoken/sdb.h
+++ b/security/nss/lib/softoken/sdb.h
@@ -83,6 +83,10 @@ CK_RV s_open(const char *directory, const char *certPrefix, int flags,
 SDB **certdb, SDB **keydb, int *newInit);
 CK_RV s_shutdown();
+#if defined(_WIN32)
+wchar_t *sdb_UTF8ToWide(const char *buf);
+#endif
+
 /* flags */
 #define SDB_RDONLY 1
 #define SDB_RDWR 2
diff --git a/security/nss/lib/softoken/sftkdb.c b/security/nss/lib/softoken/sftkdb.c
index 716f62c0bfc6..2ae0840682b7 100644
--- a/security/nss/lib/softoken/sftkdb.c
+++ b/security/nss/lib/softoken/sftkdb.c
@@ -28,6 +28,9 @@
 #include "utilpars.h"
 #include "secerr.h"
 #include "softoken.h"
+#if defined(_WIN32)
+#include
+#endif
 /*
 * We want all databases to have the same binary representation independent of
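Review bot: The new `sdb_UTF8ToWide` prototype in sdb.h has no definition anywhere in this patch and no caller in the visible hunks; the Windows helpers added to sdb.c and sftkdb.c call `_NSSUTIL_UTF8ToWide` from utilpars.h instead. If the declaration is a leftover from an earlier revision it should be dropped rather than left as a dangling prototype that implies a softoken-local converter exists; if a definition lives outside this diff, a comment naming where would help. The sdb.h hunk is complete.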
@@ -2509,6 +2512,53 @@ sftk_oldVersionExists(const char *dir, int version)
 return PR_FALSE;
 }
+#if defined(_WIN32)
+/*
+ * Convert an sdb path (encoded in UTF-8) to a legacy path (encoded in the
+ * current system codepage). Fails if the path contains a character outside
+ * the current system codepage.
+ */
+static char *
+sftk_legacyPathFromSDBPath(const char *confdir)
+{
+ wchar_t *confdirWide;
+ DWORD size;
+ char *nconfdir;
+ BOOL unmappable;
+
+ if (!confdir) {
+ return NULL;
+ }
+ confdirWide = _NSSUTIL_UTF8ToWide(confdir);
+ if (!confdirWide) {
+ return NULL;
+ }
+
+ size = WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS, confdirWide, -1,
+ NULL, 0, NULL, &unmappable);
+ if (size == 0 || unmappable) {
+ PORT_Free(confdirWide);
+ return NULL;
+ }
+ nconfdir = PORT_Alloc(sizeof(char) * size);
+ if (!nconfdir) {
+ PORT_Free(confdirWide);
+ return NULL;
+ }
+ size = WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS, confdirWide, -1,
+ nconfdir, size, NULL, &unmappable);
+ PORT_Free(confdirWide);
+ if (size == 0 || unmappable) {
+ PORT_Free(nconfdir);
+ return NULL;
+ }
+
+ return nconfdir;
+}
+#else
+#define sftk_legacyPathFromSDBPath(confdir) PORT_Strdup((confdir))
+#endif
+
 static PRBool
 sftk_hasLegacyDB(const char *confdir, const char *certPrefix,
 const char *keyPrefix, int certVersion, int keyVersion)
@@ -2568,6 +2618,7 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
 int flags = SDB_RDONLY;
 PRBool newInit = PR_FALSE;
 PRBool needUpdate = PR_FALSE;
+ char *nconfdir = NULL;
 if (!readOnly) {
 flags = SDB_CREATE;
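Review bot: Both `WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS, ..., &unmappable)` calls in sftk_legacyPathFromSDBPath fail with ERROR_INVALID_PARAMETER when the target code page is UTF-8, because per the API documentation neither the WC_NO_BEST_FIT_CHARS flag nor a non-NULL lpUsedDefaultChar is accepted for CP_UTF8; if the active code page is UTF-8 the function therefore returns NULL for every path and the legacy-database fallback in sftk_DBInit is silently skipped. Since a UTF-8 code page cannot have unmappable characters, a short-circuit ahead of the conversion, `if (GetACP() == CP_UTF8) { return PORT_Strdup(confdir); }`, keeps the fallback working there. The function is complete within the hunk; whether such a configuration is in scope for this code is an inference, not something the diff shows.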
@@ -2606,11 +2657,14 @@ sftk_DBInit(const char *configdir, const char *certPrefix, * the exists. */ if (crv != CKR_OK) { - if (((flags & SDB_RDONLY) == SDB_RDONLY) && - sftk_hasLegacyDB(confdir, certPrefix, keyPrefix, 8, 3)) { + if ((flags & SDB_RDONLY) == SDB_RDONLY) { + nconfdir = sftk_legacyPathFromSDBPath(confdir); + } + if (nconfdir && + sftk_hasLegacyDB(nconfdir, certPrefix, keyPrefix, 8, 3)) { /* we have legacy databases, if we failed to open the new format * DB's read only, just use the legacy ones */ - crv = sftkdbCall_open(confdir, certPrefix, + crv = sftkdbCall_open(nconfdir, certPrefix, keyPrefix, 8, 3, flags, noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB); } @@ -2639,7 +2693,10 @@ sftk_DBInit(const char *configdir, const char *certPrefix, /* if the new format DB was also a newly created DB, and we * succeeded, then need to update that new database with data * from the existing legacy DB */ - if (sftk_hasLegacyDB(confdir, certPrefix, keyPrefix, 8, 3)) { + nconfdir = sftk_legacyPathFromSDBPath(confdir); + if (nconfdir && + sftk_hasLegacyDB(nconfdir, certPrefix, keyPrefix, 8, 3)) { + confdir = nconfdir; needUpdate = PR_TRUE; } } @@ -2712,6 +2769,9 @@ done: if (appName) { PORT_Free(appName); } + if (nconfdir) { + PORT_Free(nconfdir); + } return forceOpen ? CKR_OK : crv; } diff --git a/security/nss/lib/ssl/ssl3prot.h b/security/nss/lib/ssl/ssl3prot.h index 6d27dfd7ca98..d1f46db9711d 100644 --- a/security/nss/lib/ssl/ssl3prot.h +++ b/security/nss/lib/ssl/ssl3prot.h @@ -16,7 +16,7 @@ typedef PRUint16 SSL3ProtocolVersion; /* The TLS 1.3 draft version. Used to avoid negotiating * between incompatible pre-standard TLS 1.3 drafts. * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */ -#define TLS_1_3_DRAFT_VERSION 22 +#define TLS_1_3_DRAFT_VERSION 23 typedef PRUint16 ssl3CipherSuite; /* The cipher suites are defined in sslproto.h */ diff --git a/security/nss/lib/ssl/sslt.h b/security/nss/lib/ssl/sslt.h index 177d24f7ae18..ce8f6e281e91 100644 
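Review bot: In the `@@ -2639` hunk, `nconfdir = sftk_legacyPathFromSDBPath(confdir);` overwrites the pointer without checking that it is still NULL, while the `@@ -2606` hunk may already have stored an allocation in it, and only one `PORT_Free(nconfdir)` runs at `done:`. The two sites look mutually exclusive (the first requires SDB_RDONLY, the second a newly created DB), but that is inferred from context outside the hunk, so make it explicit with `PORT_Assert(nconfdir == NULL);` before the assignment, or guard it with `if (!nconfdir) { nconfdir = sftk_legacyPathFromSDBPath(confdir); }`. Rebinding `confdir = nconfdir;` also means any use of `confdir` after the `done:` label would touch freed memory; that is fine only if nothing reads it past that point. sftk_DBInit begins and ends outside these hunks.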
--- a/security/nss/lib/ssl/sslt.h +++ b/security/nss/lib/ssl/sslt.h @@ -425,7 +425,7 @@ typedef enum { ssl_padding_xtn = 21, ssl_extended_master_secret_xtn = 23, ssl_session_ticket_xtn = 35, - ssl_tls13_key_share_xtn = 40, + /* 40 was used in draft versions of TLS 1.3; it is now reserved. */ ssl_tls13_pre_shared_key_xtn = 41, ssl_tls13_early_data_xtn = 42, ssl_tls13_supported_versions_xtn = 43, @@ -433,6 +433,8 @@ typedef enum { ssl_tls13_psk_key_exchange_modes_xtn = 45, ssl_tls13_ticket_early_data_info_xtn = 46, /* Deprecated. */ ssl_tls13_certificate_authorities_xtn = 47, + ssl_signature_algorithms_cert_xtn = 50, + ssl_tls13_key_share_xtn = 51, ssl_next_proto_nego_xtn = 13172, /* Deprecated. */ ssl_renegotiation_info_xtn = 0xff01, ssl_tls13_short_header_xtn = 0xff03 /* Deprecated. */ @@ -444,7 +446,7 @@ typedef enum { /* SSL_MAX_EXTENSIONS includes the maximum number of extensions that are * supported for any single message type. That is, a ClientHello; ServerHello * and TLS 1.3 NewSessionTicket and HelloRetryRequest extensions have fewer. */ -#define SSL_MAX_EXTENSIONS 19 +#define SSL_MAX_EXTENSIONS 20 /* Deprecated */ typedef enum { diff --git a/security/nss/lib/ssl/tls13con.c b/security/nss/lib/ssl/tls13con.c index 23082fdbf955..1fecaf3f8a6f 100644 --- a/security/nss/lib/ssl/tls13con.c +++ b/security/nss/lib/ssl/tls13con.c @@ -4725,6 +4725,8 @@ static const struct { { ssl_server_name_xtn, _M2(client_hello, encrypted_extensions) }, { ssl_supported_groups_xtn, _M2(client_hello, encrypted_extensions) }, { ssl_signature_algorithms_xtn, _M2(client_hello, certificate_request) }, + { ssl_signature_algorithms_cert_xtn, _M2(client_hello, + certificate_request) }, { ssl_use_srtp_xtn, _M2(client_hello, encrypted_extensions) }, { ssl_app_layer_protocol_xtn, _M2(client_hello, encrypted_extensions) }, { ssl_padding_xtn, _M1(client_hello) }, diff --git a/security/nss/lib/util/nssutil.def b/security/nss/lib/util/nssutil.def index 4159b786fab1..936455f6e7df 100644 
--- a/security/nss/lib/util/nssutil.def +++ b/security/nss/lib/util/nssutil.def @@ -315,3 +315,11 @@ NSS_SecureMemcmpZero; ;+ local: ;+ *; ;+}; +;-NSSUTIL_3.35 { # NSS Utilities 3.35 release +;- global: +;-# private exports for softoken +_NSSUTIL_UTF8ToWide;- +_NSSUTIL_Access;- +;- local: +;- *; +;-}; diff --git a/security/nss/lib/util/utilmod.c b/security/nss/lib/util/utilmod.c index 971b6c1dcaa7..7d3fcda819f5 100644 --- a/security/nss/lib/util/utilmod.c +++ b/security/nss/lib/util/utilmod.c @@ -24,6 +24,7 @@ #if defined(_WIN32) #include +#include #endif #ifdef XP_UNIX #include 
@@ -34,15 +35,184 @@ #include #if defined(_WIN32) -#define os_open _open #define os_fdopen _fdopen -#define os_stat _stat #define os_truncate_open_flags _O_CREAT | _O_RDWR | _O_TRUNC #define os_append_open_flags _O_CREAT | _O_RDWR | _O_APPEND #define os_open_permissions_type int #define os_open_permissions_default _S_IREAD | _S_IWRITE #define os_stat_type struct _stat + +/* + * Convert a UTF8 string to Unicode wide character + */ +LPWSTR +_NSSUTIL_UTF8ToWide(const char *buf) +{ + DWORD size; + LPWSTR wide; + + if (!buf) { + return NULL; + } + + size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, NULL, 0); + if (size == 0) { + return NULL; + } + wide = PORT_Alloc(sizeof(WCHAR) * size); + if (!wide) { + return NULL; + } + size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, wide, size); + if (size == 0) { + PORT_Free(wide); + return NULL; + } + return wide; +} + +static int +os_open(const char *filename, int oflag, int pmode) +{ + int fd; + + if (!filename) { + return -1; + } + + wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename); + if (!filenameWide) { + return -1; + } + fd = _wopen(filenameWide, oflag, pmode); + PORT_Free(filenameWide); + + return fd; +} + +static int +os_stat(const char *path, os_stat_type *buffer) +{ + int result; + + if (!path) { + return -1; + } + + wchar_t *pathWide = _NSSUTIL_UTF8ToWide(path); + if (!pathWide) { + return -1; + } + result = _wstat(pathWide, buffer); + PORT_Free(pathWide); + + return result; +} + +static FILE * +os_fopen(const char *filename, const char *mode) +{ + FILE *fp; + + if (!filename || !mode) { + return NULL; + } + + wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename); + if (!filenameWide) { + return NULL; + } + wchar_t *modeWide = _NSSUTIL_UTF8ToWide(mode); + if (!modeWide) { + PORT_Free(filenameWide); + return NULL; + } + fp = _wfopen(filenameWide, modeWide); + PORT_Free(filenameWide); + PORT_Free(modeWide); + + return fp; +} + +PRStatus +_NSSUTIL_Access(const char *path, PRAccessHow how) +{ + int result; + + if (!path) 
{ + return PR_FAILURE; + } + + int mode; + switch (how) { + case PR_ACCESS_WRITE_OK: + mode = 2; + break; + case PR_ACCESS_READ_OK: + mode = 4; + break; + case PR_ACCESS_EXISTS: + mode = 0; + break; + default: + return PR_FAILURE; + } + + wchar_t *pathWide = _NSSUTIL_UTF8ToWide(path); + if (!pathWide) { + return PR_FAILURE; + } + result = _waccess(pathWide, mode); + PORT_Free(pathWide); + + return result < 0 ? PR_FAILURE : PR_SUCCESS; +} + +static PRStatus +nssutil_Delete(const char *name) +{ + BOOL result; + + if (!name) { + return PR_FAILURE; + } + + wchar_t *nameWide = _NSSUTIL_UTF8ToWide(name); + if (!nameWide) { + return PR_FAILURE; + } + result = DeleteFileW(nameWide); + PORT_Free(nameWide); + + return result ? PR_SUCCESS : PR_FAILURE; +} + +static PRStatus +nssutil_Rename(const char *from, const char *to) +{ + BOOL result; + + if (!from || !to) { + return PR_FAILURE; + } + + wchar_t *fromWide = _NSSUTIL_UTF8ToWide(from); + if (!fromWide) { + return PR_FAILURE; + } + wchar_t *toWide = _NSSUTIL_UTF8ToWide(to); + if (!toWide) { + PORT_Free(fromWide); + return PR_FAILURE; + } + result = MoveFileW(fromWide, toWide); + PORT_Free(fromWide); + PORT_Free(toWide); + + return result ? PR_SUCCESS : PR_FAILURE; +} #else +#define os_fopen fopen #define os_open open #define os_fdopen fdopen #define os_stat stat @@ -51,6 +221,8 @@ #define os_open_permissions_type mode_t #define os_open_permissions_default 0600 #define os_stat_type struct stat +#define nssutil_Delete PR_Delete +#define nssutil_Rename PR_Rename #endif /**************************************************************** @@ -219,7 +391,7 @@ nssutil_ReadSecmodDB(const char *appName, } /* do we really want to use streams here */ - fd = fopen(dbname, "r"); + fd = os_fopen(dbname, "r"); if (fd == NULL) goto done; 
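Review bot: `_NSSUTIL_UTF8ToWide` calls `MultiByteToWideChar(CP_UTF8, 0, ...)` with flags 0, so an invalid UTF-8 byte sequence in a path is silently substituted rather than rejected, and every wrapper in this hunk (os_open, os_stat, os_fopen, _NSSUTIL_Access, nssutil_Delete, nssutil_Rename) then operates on a file name that differs from what the caller asked for. Pass `MB_ERR_INVALID_CHARS` in both calls so malformed input fails closed: `size = MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS, buf, -1, NULL, 0);` and the same flag on the second call. Separately, declarations placed after statements (`wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);` following an `if` in os_open/os_stat/os_fopen, and `int mode;` in _NSSUTIL_Access) do not match the declarations-first layout of the surrounding code (`int fd;`, `int result;`); hoist them to the top of each function. The bare `_waccess` modes would also read better with `/* _waccess modes: 0 = exists, 2 = write, 4 = read */` above the switch.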
@@ -403,7 +575,7 @@ done: } /* old one exists */ - status = PR_Access(olddbname, PR_ACCESS_EXISTS); + status = _NSSUTIL_Access(olddbname, PR_ACCESS_EXISTS); if (status == PR_SUCCESS) { PR_smprintf_free(olddbname); PORT_ZFree(moduleList, useCount * sizeof(char *)); @@ -532,7 +704,7 @@ nssutil_DeleteSecmodDBEntry(const char *appName, } /* do we really want to use streams here */ - fd = fopen(dbname, "r"); + fd = os_fopen(dbname, "r"); if (fd == NULL) goto loser; @@ -602,10 +774,10 @@ nssutil_DeleteSecmodDBEntry(const char *appName, fclose(fd2); if (found) { /* rename dbname2 to dbname */ - PR_Delete(dbname); - PR_Rename(dbname2, dbname); + nssutil_Delete(dbname); + nssutil_Rename(dbname2, dbname); } else { - PR_Delete(dbname2); + nssutil_Delete(dbname2); } PORT_Free(dbname2); PORT_Free(lib); @@ -621,7 +793,7 @@ loser: fclose(fd2); } if (dbname2) { - PR_Delete(dbname2); + nssutil_Delete(dbname2); PORT_Free(dbname2); } PORT_Free(lib); diff --git a/security/nss/lib/util/utilpars.c b/security/nss/lib/util/utilpars.c index 27986057aa07..e7435bfcc393 100644 --- a/security/nss/lib/util/utilpars.c +++ b/security/nss/lib/util/utilpars.c @@ -589,6 +589,7 @@ struct nssutilArgSlotFlagTable { } static struct nssutilArgSlotFlagTable nssutil_argSlotFlagTable[] = { NSSUTIL_ARG_ENTRY(RSA, SECMOD_RSA_FLAG), + NSSUTIL_ARG_ENTRY(ECC, SECMOD_ECC_FLAG), NSSUTIL_ARG_ENTRY(DSA, SECMOD_RSA_FLAG), NSSUTIL_ARG_ENTRY(RC2, SECMOD_RC4_FLAG), NSSUTIL_ARG_ENTRY(RC4, SECMOD_RC2_FLAG), diff --git a/security/nss/lib/util/utilpars.h b/security/nss/lib/util/utilpars.h index 70767263aa6c..1b0b1ff1ceb6 100644 --- a/security/nss/lib/util/utilpars.h +++ b/security/nss/lib/util/utilpars.h 
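Review bot: The `nssutil_Delete(dbname); nssutil_Rename(dbname2, dbname);` pair in the `@@ -602` hunk ignores both PRStatus results, and because `nssutil_Rename` is built on `MoveFileW` (which does not replace an existing target) the delete must succeed first, so a failed rename leaves no secmod DB at all and reports nothing to the caller. Check the results and keep `dbname2` when the rename fails, e.g. `if (nssutil_Delete(dbname) != PR_SUCCESS || nssutil_Rename(dbname2, dbname) != PR_SUCCESS) { /* report; do not delete dbname2 */ }` — note the existing `loser:` path deletes `dbname2`, so it cannot be reused as-is. Using `MoveFileExW(fromWide, toWide, MOVEFILE_REPLACE_EXISTING)` inside `nssutil_Rename` would remove the delete step and the window in which neither file exists. nssutil_DeleteSecmodDBEntry starts outside this hunk.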
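Review bot: The new `NSSUTIL_ARG_ENTRY(ECC, SECMOD_ECC_FLAG)` in utilpars.c is fine, but the neighbouring context lines map DSA to `SECMOD_RSA_FLAG`, RC2 to `SECMOD_RC4_FLAG` and RC4 to `SECMOD_RC2_FLAG`, which reads like a copy-paste inversion. If those values are deliberately preserved for compatibility with existing secmod.db entries, add a comment on the table saying so, e.g. `/* NOTE: the DSA/RC2/RC4 flag mappings below are historical and kept for compatibility with existing module specs. */`; if not, this is the moment to fix them while the table is being touched. Whether anything depends on the current values cannot be determined from this page.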
@@ -59,5 +59,11 @@ char *NSSUTIL_MkNSSString(char **slotStrings, int slotCount, PRBool internal, char *_NSSUTIL_GetSecmodName(const char *param, NSSDBType *dbType, char **appName, char **filename, PRBool *rw); const char *_NSSUTIL_EvaluateConfigDir(const char *configdir, NSSDBType *dbType, char **app); +#if defined(_WIN32) +wchar_t *_NSSUTIL_UTF8ToWide(const char *buf); +PRStatus _NSSUTIL_Access(const char *path, PRAccessHow how); +#else +#define _NSSUTIL_Access(path, how) PR_Access((path), (how)) +#endif #endif /* _UTILPARS_H_ */ diff --git a/security/nss/lib/util/utilparst.h b/security/nss/lib/util/utilparst.h index f2148e6e32a0..5dda09028886 100644 --- a/security/nss/lib/util/utilparst.h +++ b/security/nss/lib/util/utilparst.h @@ -43,7 +43,7 @@ #define NSSUTIL_DEFAULT_INTERNAL_INIT3 \ " askpw=any timeout=30})\"" #define NSSUTIL_DEFAULT_SFTKN_FLAGS \ - "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]" + "slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]" #define NSSUTIL_DEFAULT_CIPHER_ORDER 0 #define NSSUTIL_DEFAULT_TRUST_ORDER 50 diff --git a/security/nss/readme.md b/security/nss/readme.md index 41e8b4b16615..17b99e805cea 100644 --- a/security/nss/readme.md +++ b/security/nss/readme.md 
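Review bot: The new prototypes in utilpars.h carry no ownership or failure contract: `_NSSUTIL_UTF8ToWide` hands back a `PORT_Alloc`'ed buffer that softoken releases with `PORT_Free`, and returns NULL for NULL input, conversion failure and out-of-memory alike, none of which the header states. Add a comment above the declaration, e.g. `/* Convert a UTF-8 string to a wide string. Result is PORT_Alloc'ed and freed by the caller with PORT_Free; NULL on NULL input, conversion failure or allocation failure. */`, and one for `_NSSUTIL_Access` noting it mirrors PR_Access (which the non-Windows macro literally is). The definition in utilmod.c spells the return type `LPWSTR` while this prototype says `wchar_t *`; they are the same type on Windows, but use one spelling in both places.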
@@ -137,3 +137,50 @@ The nss directory contains the following important subdirectories: A more comprehensible overview of the NSS folder structure and API guidelines can be found [here](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_API_Guidelines). + +## Build mechanisms related to FIPS compliance + +NSS supports build configurations for FIPS-140 compliance, and alternative build +configurations that disable functionality specific to FIPS-140 compliance. + +This section documents the environment variables and build parameters that +control these configurations. + +### Build FIPS startup tests + +The C macro NSS_NO_INIT_SUPPORT controls the FIPS startup self tests. +If NSS_NO_INIT_SUPPORT is defined, the startup tests are disabled. + +The legacy build system (make) by default disables these tests. +To enable these tests, set environment variable NSS_FORCE_FIPS=1 at build time. + +The gyp build system by default disables these tests. +To enable these tests, pass parameter --enable-fips to build.sh. + +### Building either FIPS compliant or alternative compliant code + +The C macro NSS_FIPS_DISABLED can be used to disable some FIPS compliant code +and enable alternative implementations. + +The legacy build system (make) never defines NSS_FIPS_DISABLED and always uses +the FIPS compliant code. + +The gyp build system by default defines NSS_FIPS_DISABLED. +To use the FIPS compliant code, pass parameter --enable-fips to build.sh. + +### Test execution + +The NSS test suite may contain tests that are included, excluded, or are +different based on the FIPS build configuration. To execute the correct tests, +it's necessary to determine which build configuration was used. + +The legacy build system (make) uses environment variables to control all +aspects of the build configuration, including FIPS build configuration. 
+ +Because the gyp build system doesn't use environment variables to control the +build configuration, the NSS tests cannot rely on environment variables to +determine the build configuration. + +A helper binary named nss-build-flags is produced as part of the NSS build, +which prints the C macro symbols that were defined at build time, and which are +relevant to test execution. diff --git a/security/nss/tests/all.sh b/security/nss/tests/all.sh index 31af100ebce9..8d5bd2dbbaad 100755 --- a/security/nss/tests/all.sh +++ b/security/nss/tests/all.sh @@ -295,9 +295,9 @@ fi cycles="standard pkix upgradedb sharedb" CYCLES=${NSS_CYCLES:-$cycles} -if [ -n "$NSS_FORCE_FIPS" ]; then +NO_INIT_SUPPORT=`certutil --build-flags |grep -cw NSS_NO_INIT_SUPPORT` +if [ $NO_INIT_SUPPORT -eq 0 ]; then RUN_FIPS="fips" - export NSS_TEST_ENABLE_FIPS=1 fi tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests" @@ -310,7 +310,7 @@ TESTS=${NSS_TESTS:-$tests} ALL_TESTS=${TESTS} nss_ssl_tests="crl iopr policy" -if [ -n "$NSS_FORCE_FIPS" ]; then +if [ $NO_INIT_SUPPORT -eq 0 ]; then nss_ssl_tests="$nss_ssl_tests fips_normal normal_fips" fi NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}" diff --git a/security/nss/tests/cert/TestCA-bogus-rsa-pss1.crt b/security/nss/tests/cert/TestCA-bogus-rsa-pss1.crt new file mode 100644 index 000000000000..e3c8fcdcf3b8 --- /dev/null +++ b/security/nss/tests/cert/TestCA-bogus-rsa-pss1.crt 
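Review bot: In all.sh, `NO_INIT_SUPPORT=`certutil --build-flags |grep -cw NSS_NO_INIT_SUPPORT`` cannot tell a non-FIPS build from a missing or failing `certutil`: `grep -c` prints `0` on empty input, so when the binary is not on PATH or exits non-zero the script concludes FIPS startup tests are supported and schedules `fips`, `fips_normal` and `normal_fips` anyway. Capture the flags first and fail loudly, e.g. `BUILD_FLAGS=$(certutil --build-flags) || { echo "certutil --build-flags failed" >&2; exit 1; }` followed by `NO_INIT_SUPPORT=$(printf '%s\n' "$BUILD_FLAGS" | grep -cw NSS_NO_INIT_SUPPORT)`, and quote both comparisons as `[ "$NO_INIT_SUPPORT" -eq 0 ]`. The same pipeline is repeated in cert.sh on this page; computing it once here and exporting the result would keep the two in step.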
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEbDCCAxqgAwIBAgIBATBHBgkqhkiG9w0BAQowOqAPMA0GCWCGSAFlAwQCAQUA
+oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASCjBAICEmcwgYMxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFp
+biBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxMzAxBgNVBAMTKk5TUyBUZXN0IENB
+IChSU0EtUFNTIGludmFsaWQgdHJhaWxlckZpZWxkKTAgFw0xNzEyMDcxMjU3NDBa
+GA8yMDY3MTIwNzEyNTc0MFowgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp
+Zm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBO
+U1MxMzAxBgNVBAMTKk5TUyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgdHJhaWxl
+ckZpZWxkKTCCAVwwRwYJKoZIhvcNAQEKMDqgDzANBglghkgBZQMEAgEFAKEcMBoG
+CSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgowQCAhJnA4IBDwAwggEKAoIB
+AQDgkKJk+PoFpESak7kMQ0w147/xilUZCG7hDGG2uuGTbX8jqy9N9pxzB9sJjgJX
+yYND0XEmrUQ2Memmy8jufhXML5DekW1tr3Gi2L3VivbIReJZfXk1xDMvNbB/Gjjo
+SoPyu8C4hnevjgMlmqG3KdMkB+eN6PnBG64YFyki3vnLO5iTNHEBTgFYo0gTX4uK
+xl0hLtiDL+4K5l7BwVgxZwQF6uHoHjrjjlhkzR0FwjjqR8U0pH20Pb6IlRsFMv07
+/1GHf+jm34pKb/1ZNzAbiKxYv7YAQUWEZ7e/GSXgA6gbTpV9ueiLkVucUeXN/mXK
+Tqb4zivi5FaSGVl8SJnqsJXJAgMBAAGjOTA3MBQGCWCGSAGG+EIBAQEB/wQEAwIC
+BDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwICBDBHBgkqhkiG9w0BAQow
+OqAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUA
+ogMCASCjBAICEmcDggEBAJht9t9p/dlhJtx7ShDvUXyq8N4tCoGKdREM83K/jlW8
+HxdHOz5PuvZx+UMlaUtqZVIriSCnRtEWkoSo0hWmcv1rp80it2G1zLfLPYdyrPba
+nQmE1iFb69Wr9dwrX7o/CII+WHQgoIGeFGntZ8YRZTe5+JeiGAlAyZCqUKbl9lhh
+pCpf1YYxb3VI8mAGVi0jwabWBEbInGBZYH9HP0nK7/Tflk6UY3f4h4Fbkk5D4WZA
+hFfkebx6Wh90QGiKQhp4/N+dYira8bKvWqqn0VqwzBoJBU/RmMaJVpwqFFvcaUJh
+uEKUPeQbqkYvj1WJYmy4ettVwi4OZU50+kCaRQhMsFA=
+-----END CERTIFICATE-----
diff --git a/security/nss/tests/cert/TestCA-bogus-rsa-pss2.crt b/security/nss/tests/cert/TestCA-bogus-rsa-pss2.crt
new file mode 100644
index 000000000000..d46442dc4ee5
--- /dev/null
+++ b/security/nss/tests/cert/TestCA-bogus-rsa-pss2.crt
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEFzCCAs2gAwIBAgIBATA/BgkqhkiG9w0BAQowMqAOMAwGCCqGSIb3DQIFBQCh
+GzAZBgkqhkiG9w0BAQgwDAYIKoZIhvcNAgUFAKIDAgEgMH4xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIw
+EAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5TUyBUZXN0IENBIChSU0EtUFNT
+IGludmFsaWQgaGFzaEFsZykwIBcNMTcxMjA3MTQwNjQ0WhgPMjA2ODAxMDcxNDA2
+NDRaMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
+Ew1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5T
+UyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgaGFzaEFsZykwggEgMAsGCSqGSIb3
+DQEBCgOCAQ8AMIIBCgKCAQEAtDXA73yTOgs8zVYNMCtuQ9a07UgbfeQbjHp3pkF6
+7rsC/Q28mrLh+zLkht5e7qU/Qf/8a2ZkcYhPOBAjCzjgIXOdE2lsWvdVujOJLR0x
+Fesd3hDLRmL6f6momc+j1/Tw3bKyZinaeJ9BFRv9c94SayB3QUe+6+TNJKASwlhj
+sx6mUsND+h3DkuL77gi7hIUpUXfFSwa+zM69VLhIu+/WRZfG8gfKkCAIGUC3WYJa
+eU1HgQKfVSXW0ok4ototXWEe9ohU+Z1tO9LJStcY8mMpig7EU9zbpObhG46Sykfu
+aKsubB9J+gFgwP5Tb85tRYT6SbHeHR6U/N8GBrKdRcomWwIDAQABozwwOjAUBglg
+hkgBhvhCAQEBAf8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
+BAMCAgQwPwYJKoZIhvcNAQEKMDKgDjAMBggqhkiG9w0CBQUAoRswGQYJKoZIhvcN
+AQEIMAwGCCqGSIb3DQIFBQCiAwIBIAOCAQEAjeemeTxh2xrMUJ6Z5Yn2nH2FbcPY
+fTHJcdfXjfNBkrMl5pe2/lk0JyNuACTuTYFCxdWNRL1coN//h9DSUbF3dpF1ex6D
+difo+6PwxkO2aPVGPYw4DSivt4SFbn5dKGgVqBQfnmNK7p/iT91AcErg/grRrNL+
+4jeT0UiRjQYeX9xKJArv+ocIidNpQL3QYxXuBLZxVC92Af69ol7WG8QBRLnFi1p2
+g6q8hOHqOfB29qnsSo3PkI1yuShOl50tRLbNgyotEfZdk1N3oXvapoBsm/jlcdCT
+0aKelCSQYYAfyl5PKCpa1lgBm7zfcHSDStMhEEFu/fbnJhqO9g9znj3STQ==
+-----END CERTIFICATE-----
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh
index 1bf7bc65292c..d1a9148a977b 100755
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -1359,7 +1359,7 @@ MODSCRIPT # local shell function to verify small rsa exponent can be used (only # run if FIPS has not been turned on in the build). ############################################################################## -cert_rsa_exponent() +cert_rsa_exponent_nonfips() { echo "$SCRIPTNAME: Verify that small RSA exponents still work ==============" CU_ACTION="Attempt to generate a key with exponent of 3" @@ -2095,6 +2095,20 @@ cert_test_rsapss() certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1 + CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)" + certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1 + RETEXPECTED=255 + certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + RETEXPECTED=0 + + CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)" + certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1 + RETEXPECTED=255 + certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 + RETEXPECTED=0 + CERTSERIAL=200 # Subject certificate: RSA 
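Review bot: The two negative checks in the `@@ -2095` hunk assert only `RETEXPECTED=255` on `certu -V`, so any failure — a wrong `-b` time, a missing nickname, a broken profile — passes the test exactly like the intended RSA-PSS parameter rejection, and a bogus-cert fixture that decays will keep passing while no longer testing what it was written for. Capture the `certu -V` output and grep it for the specific verification error certutil reports for these certificates (which string that is cannot be determined from this page), or at minimum check that each `certu -A` import succeeded before the verify step so a failed import is not masked. The `RETEXPECTED=255` / `RETEXPECTED=0` toggling around a single call is also easy to get out of balance; if `certu` accepts a per-call expected status, prefer that form.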
@@ -2431,16 +2445,12 @@ cert_test_implicit_db_init cert_extended_ssl cert_ssl cert_smime_client -if [[ -n "$NSS_TEST_ENABLE_FIPS" ]]; then - cert_fips +IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED` +if [ $IS_FIPS_DISABLED -ne 0 ]; then + cert_rsa_exponent_nonfips +else + cert_fips fi -# We currently have difficulties to know if the build is a non-FIPS build, -# because of differences between the "make" and "gyp" build systems. -# As soon as we have a reliable way to detect that based on a variable, -# we should enable the following test call. See bug 1409516. -# if SYMBOL_THAT_TELLS_US_FIPS_IS_DISABLED -# cert_rsa_exponent -# fi cert_eccurves cert_extensions cert_san_and_generic_extensions diff --git a/security/nss/tests/fips/fips.sh b/security/nss/tests/fips/fips.sh index 11bd70b632cf..4153e61aa36e 100755 --- a/security/nss/tests/fips/fips.sh +++ b/security/nss/tests/fips/fips.sh @@ -23,7 +23,6 @@ ######################################################################## fips_init() { - export NSS_TEST_ENABLE_FIPS=1 SCRIPTNAME=fips.sh # sourced - $0 would point to all.sh if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
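Review bot: `IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`` has the same blind spot as the equivalent line in all.sh: when `certutil` is missing or fails, `grep -c` still prints `0`, `[ $IS_FIPS_DISABLED -ne 0 ]` is false and `cert_fips` runs against a build that may have FIPS disabled. Guard it the same way, e.g. `BUILD_FLAGS=$(certutil --build-flags) || { echo "certutil --build-flags failed" >&2; exit 1; }` and `IS_FIPS_DISABLED=$(printf '%s\n' "$BUILD_FLAGS" | grep -cw NSS_FIPS_DISABLED)`, and quote the variable in the test. Since all.sh already probes the same flags, a single shared probe (one variable exported from the top-level script, or a helper in the common init) would avoid the two copies drifting apart.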