Bug 1893335 - use PK11_ReadDistrustAfterAttribute in isDistrustedCertificateChain. r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D208562
This commit is contained in:
John Schanck 2024-06-03 18:08:06 +00:00
parent e420c20efc
commit 120c0a7134
12 changed files with 335 additions and 96 deletions


@ -31,6 +31,7 @@
#include "mozilla/glean/GleanMetrics.h"
#include "mozpkix/Result.h"
#include "mozpkix/pkix.h"
#include "mozpkix/pkixcheck.h"
#include "mozpkix/pkixnss.h"
#include "mozpkix/pkixutil.h"
#include "nsCRTGlue.h"
@ -1265,20 +1266,6 @@ Result NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
return rv;
}
SECStatus GetCertDistrustAfterValue(const SECItem* distrustItem,
PRTime& distrustTime) {
if (!distrustItem || !distrustItem->data || distrustItem->len != 13) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
}
return DER_DecodeTimeChoice(&distrustTime, distrustItem);
}
SECStatus GetCertNotBeforeValue(const CERTCertificate* cert,
PRTime& distrustTime) {
return DER_DecodeTimeChoice(&distrustTime, &cert->validity.notBefore);
}
nsresult isDistrustedCertificateChain(
const nsTArray<nsTArray<uint8_t>>& certArray,
const SECTrustType certDBTrustType, bool& isDistrusted) {
@ -1289,93 +1276,94 @@ nsresult isDistrustedCertificateChain(
// Set the default result to be distrusted.
isDistrusted = true;
// There is no distrust to set if the certDBTrustType is not SSL or Email.
if (certDBTrustType != trustSSL && certDBTrustType != trustEmail) {
CK_ATTRIBUTE_TYPE attrType;
switch (certDBTrustType) {
case trustSSL:
attrType = CKA_NSS_SERVER_DISTRUST_AFTER;
break;
case trustEmail:
attrType = CKA_NSS_EMAIL_DISTRUST_AFTER;
break;
default:
// There is no distrust to set if the certDBTrustType is not SSL or Email.
isDistrusted = false;
return NS_OK;
}
Input endEntityDER;
mozilla::pkix::Result rv = endEntityDER.Init(
certArray.ElementAt(0).Elements(), certArray.ElementAt(0).Length());
if (rv != Success) {
return NS_ERROR_FAILURE;
}
BackCert endEntityBackCert(endEntityDER, EndEntityOrCA::MustBeEndEntity,
nullptr);
rv = endEntityBackCert.Init();
if (rv != Success) {
return NS_ERROR_FAILURE;
}
Time endEntityNotBefore(Time::uninitialized);
rv = ParseValidity(endEntityBackCert.GetValidity(), &endEntityNotBefore,
nullptr);
if (rv != Success) {
return NS_ERROR_FAILURE;
}
Input rootDER;
rv = rootDER.Init(certArray.LastElement().Elements(),
certArray.LastElement().Length());
if (rv != Success) {
return NS_ERROR_FAILURE;
}
SECItem rootDERItem(UnsafeMapInputToSECItem(rootDER));
PRBool distrusted;
PRTime distrustAfter; // time since epoch in microseconds
bool foundDistrust = false;
// This strategy for searching for the builtins module is borrowed
// from CertVerifier::IsCertBuiltInRoot. See the comment on that
// function for more information.
AutoSECMODListReadLock lock;
for (SECMODModuleList* list = SECMOD_GetDefaultModuleList();
list && !foundDistrust; list = list->next) {
for (int i = 0; i < list->module->slotCount; i++) {
PK11SlotInfo* slot = list->module->slots[i];
if (!PK11_IsPresent(slot) || !PK11_HasRootCerts(slot)) {
continue;
}
CK_OBJECT_HANDLE handle =
PK11_FindEncodedCertInSlot(slot, &rootDERItem, nullptr);
if (handle == CK_INVALID_HANDLE) {
continue;
}
// Distrust attributes are only set on builtin roots, so ensure this
// certificate has the CKA_NSS_MOZILLA_CA_POLICY attribute.
if (!PK11_HasAttributeSet(slot, handle, CKA_NSS_MOZILLA_CA_POLICY,
false)) {
continue;
}
SECStatus srv = PK11_ReadDistrustAfterAttribute(
slot, handle, attrType, &distrusted, &distrustAfter);
if (srv == SECSuccess) {
foundDistrust = true;
}
}
}
if (!foundDistrust || distrusted == PR_FALSE) {
isDistrusted = false;
return NS_OK;
}
SECStatus runnableRV = SECFailure;
RefPtr<Runnable> isDistrustedChainTask =
NS_NewRunnableFunction("isDistrustedCertificateChain", [&]() {
if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) {
runnableRV = SECFailure;
return;
}
// Allocate objects and retreive the root and end-entity certificates.
CERTCertDBHandle* certDB(CERT_GetDefaultCertDB());
const nsTArray<uint8_t>& certRootDER = certArray.LastElement();
SECItem certRootDERItem = {
siBuffer, const_cast<unsigned char*>(certRootDER.Elements()),
AssertedCast<unsigned int>(certRootDER.Length())};
UniqueCERTCertificate certRoot(CERT_NewTempCertificate(
certDB, &certRootDERItem, nullptr, false, true));
if (!certRoot) {
runnableRV = SECFailure;
return;
}
const nsTArray<uint8_t>& certLeafDER = certArray.ElementAt(0);
SECItem certLeafDERItem = {
siBuffer, const_cast<unsigned char*>(certLeafDER.Elements()),
AssertedCast<unsigned int>(certLeafDER.Length())};
UniqueCERTCertificate certLeaf(CERT_NewTempCertificate(
certDB, &certLeafDERItem, nullptr, false, true));
if (!certLeaf) {
runnableRV = SECFailure;
return;
}
// Set isDistrusted to false if there is no distrust for the root.
if (!certRoot->distrust) {
isDistrusted = false;
runnableRV = SECSuccess;
return;
}
// Create a pointer to refer to the selected distrust struct.
SECItem* distrustPtr = nullptr;
if (certDBTrustType == trustSSL) {
distrustPtr = &certRoot->distrust->serverDistrustAfter;
}
if (certDBTrustType == trustEmail) {
distrustPtr = &certRoot->distrust->emailDistrustAfter;
}
// Get validity for the current end-entity certificate
// and get the distrust field for the root certificate.
PRTime certRootDistrustAfter;
PRTime certLeafNotBefore;
runnableRV =
GetCertDistrustAfterValue(distrustPtr, certRootDistrustAfter);
if (runnableRV != SECSuccess) {
return;
}
runnableRV = GetCertNotBeforeValue(certLeaf.get(), certLeafNotBefore);
if (runnableRV != SECSuccess) {
return;
}
// Compare the validity of the end-entity certificate with
// the distrust value of the root.
if (certLeafNotBefore <= certRootDistrustAfter) {
isDistrusted = false;
}
runnableRV = SECSuccess;
});
nsCOMPtr<nsIEventTarget> socketThread(
do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID));
if (!socketThread) {
return NS_ERROR_FAILURE;
}
nsresult rv =
SyncRunnable::DispatchToThread(socketThread, isDistrustedChainTask);
if (NS_FAILED(rv) || runnableRV != SECSuccess) {
return NS_ERROR_FAILURE;
Time distrustAfterTime =
mozilla::pkix::TimeFromEpochInSeconds(distrustAfter / PR_USEC_PER_SEC);
if (endEntityNotBefore <= distrustAfterTime) {
isDistrusted = false;
}
return NS_OK;
}
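Review bot: The slot loop at `for (int i = 0; i < list->module->slotCount; i++)` keeps iterating after `PK11_ReadDistrustAfterAttribute` succeeds; only the outer module loop tests `foundDistrust`, so a second slot in the same module that also holds this root would overwrite `distrusted`/`distrustAfter`, and if that later read fails it is not clear from here whether the out-parameters are left untouched. A `break;` directly after `foundDistrust = true;` pins the result to the first matching builtin object and mirrors the outer loop's early exit. Separately, `distrustAfter / PR_USEC_PER_SEC` is a signed PRTime handed to TimeFromEpochInSeconds, which as far as I recall takes an unsigned seconds count, so a negative decoded value would wrap to a far-future time and the chain would be treated as not distrusted; a `if (distrustAfter < 0) { return NS_ERROR_FAILURE; }` guard before the conversion would make this fail closed. isDistrustedCertificateChain's signature is in the previous hunk.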


@ -6,6 +6,9 @@
// Ensure that the appropriate initialization has happened.
do_get_profile();
const gCertDb = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
add_setup(function load_nssckbi_testlib() {
let moduleName = "Mock Builtins";
@ -32,3 +35,48 @@ add_setup(function load_nssckbi_testlib() {
"Actual and expected slot names should be equal"
);
});
add_task(async function test_distrust_after() {
let ee_pre_distrust_cert = addCertFromFile(
gCertDb,
"test_builtins/ee-notBefore-2021.pem",
",,"
);
notEqual(
ee_pre_distrust_cert,
null,
"EE cert should have successfully loaded"
);
let ee_post_distrust_cert = addCertFromFile(
gCertDb,
"test_builtins/ee-notBefore-2023.pem",
",,"
);
notEqual(
ee_post_distrust_cert,
null,
"EE cert should have successfully loaded"
);
let int_cert = addCertFromFile(gCertDb, "test_builtins/int.pem", ",,");
notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
// A certificate with a notBefore before the distrustAfter date
// should verify.
await checkCertErrorGeneric(
gCertDb,
ee_pre_distrust_cert,
PRErrorCodeSuccess,
certificateUsageSSLServer
);
// A certificate with a notBefore after the distrustAfter date
// should not verify.
await checkCertErrorGeneric(
gCertDb,
ee_post_distrust_cert,
SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer
);
});
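Review bot: test_distrust_after exercises one notBefore on each side of the root's 2022-01-01 distrustAfter date (2021 and 2023), so the inclusive `endEntityNotBefore <= distrustAfterTime` comparison in isDistrustedCertificateChain is not pinned; an EE whose notBefore is exactly 20220101 (expected to verify, since the comparison is inclusive) would catch an off-by-one if that operator is ever changed. The mock root also carries CKA_NSS_EMAIL_DISTRUST_AFTER, but only certificateUsageSSLServer is checked here, so the email branch of the attribute switch stays untested; covering it would need a root trusted for email protection as well. A short comment naming the date the fixtures are built around, e.g. `// The mock builtins root is distrusted after 2022-01-01; the EEs straddle that date.`, would make the 2021/2023 choice readable without opening the fixture.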


@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,5 @@
issuer:ca
subject:ca
validity:20200101-20510101
extension:basicConstraints:cA,
extension:keyUsage:keyCertSign,cRLSign


@ -9,3 +9,120 @@ CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Test Roots"
#
# Certificate "Distrusted After Jan 1 2022 Root"
#
# Issuer: CN=ca
# Serial Number:5b:f6:01:b4:92:d6:97:4c:3f:a8:7a:27:df:d3:44:41:57:b6:0a:38
# Subject: CN=ca
# Not Valid Before: Wed Jan 01 00:00:00 2020
# Not Valid After : Sun Jan 01 00:00:00 2051
# Fingerprint (SHA-256): 5C:E9:72:28:D9:8A:BC:FE:63:23:33:5E:97:5D:6C:42:B5:48:FD:E7:8A:B9:F8:2E:CC:44:B1:16:69:A3:F5:B0
# Fingerprint (SHA1): 6B:15:70:37:F1:81:D0:B6:F7:0C:D9:86:C2:E7:FD:38:E7:53:7B:BE
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Distrusted After Jan 1 2022 Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\015\061\013\060\011\006\003\125\004\003\014\002\143\141
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\015\061\013\060\011\006\003\125\004\003\014\002\143\141
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\024\133\366\001\264\222\326\227\114\077\250\172\047\337\323
\104\101\127\266\012\070
END
CKA_VALUE MULTILINE_OCTAL
\060\202\002\311\060\202\001\261\240\003\002\001\002\002\024\133
\366\001\264\222\326\227\114\077\250\172\047\337\323\104\101\127
\266\012\070\060\015\006\011\052\206\110\206\367\015\001\001\013
\005\000\060\015\061\013\060\011\006\003\125\004\003\014\002\143
\141\060\042\030\017\062\060\062\060\060\061\060\061\060\060\060
\060\060\060\132\030\017\062\060\065\061\060\061\060\061\060\060
\060\060\060\060\132\060\015\061\013\060\011\006\003\125\004\003
\014\002\143\141\060\202\001\042\060\015\006\011\052\206\110\206
\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
\002\202\001\001\000\272\210\121\250\104\216\026\326\101\375\156
\266\210\006\066\020\075\074\023\331\352\344\065\112\264\354\365
\150\127\154\044\173\301\307\045\250\340\330\037\275\261\234\006
\233\156\032\206\362\153\342\257\132\165\153\152\144\161\010\172
\245\132\247\105\207\367\034\325\044\234\002\176\315\103\374\036
\151\320\070\040\051\223\253\040\303\111\344\333\271\114\302\153
\154\016\355\025\202\017\361\176\255\151\032\261\323\002\072\213
\052\101\356\247\160\340\017\015\215\375\146\013\053\260\044\222
\244\175\271\210\141\171\220\261\127\220\075\322\073\305\340\270
\110\037\250\067\323\210\103\357\047\026\330\125\267\146\132\252
\176\002\220\057\072\173\020\200\006\044\314\034\154\227\255\226
\141\133\267\342\226\022\300\165\061\243\014\221\335\264\312\367
\374\255\035\045\323\011\357\271\027\016\247\150\341\263\173\057
\042\157\151\343\264\212\225\141\035\356\046\326\045\235\253\221
\010\116\066\313\034\044\004\054\277\026\213\057\345\361\217\231
\027\061\270\263\376\111\043\372\162\121\304\061\325\003\254\332
\030\012\065\355\215\002\003\001\000\001\243\035\060\033\060\014
\006\003\125\035\023\004\005\060\003\001\001\377\060\013\006\003
\125\035\017\004\004\003\002\001\006\060\015\006\011\052\206\110
\206\367\015\001\001\013\005\000\003\202\001\001\000\047\060\377
\004\334\073\001\072\134\030\321\251\067\005\147\143\320\160\156
\212\075\105\257\312\100\205\337\322\123\201\367\364\270\114\301
\116\365\234\244\235\042\065\304\142\022\245\063\254\107\261\126
\160\344\115\021\071\311\022\135\321\125\066\251\227\320\367\227
\021\344\330\331\117\322\144\271\317\066\367\175\256\116\241\160
\223\107\200\201\264\377\154\217\032\114\063\336\112\117\054\063
\124\363\067\143\057\013\217\040\332\223\352\031\117\256\151\017
\042\131\262\136\352\310\131\071\051\143\300\171\303\067\024\014
\076\003\120\262\375\043\133\367\236\223\333\125\035\071\366\336
\215\167\210\306\302\312\055\140\370\301\030\244\105\265\314\004
\007\057\304\134\312\055\026\166\231\314\031\140\162\001\235\352
\164\377\315\313\255\010\275\004\032\233\005\056\032\154\225\176
\047\227\276\051\160\274\103\172\260\230\211\371\055\342\121\051
\147\277\314\202\334\047\134\054\271\310\003\051\255\147\123\051
\215\257\271\073\117\225\041\041\112\210\135\140\267\044\225\021
\272\205\320\126\253\330\362\364\024\032\222\323\377
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# For Server Distrust After: Sat Jan 01 00:00:00 2022
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\062\060\061\060\061\060\060\060\060\060\060\132
END
# For Email Distrust After: Sat Jan 01 00:00:00 2022
CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
\062\062\060\061\060\061\060\060\060\060\060\060\132
END
# Trust for "Distrusted After Jan 1 2022 Root"
# Issuer: CN=ca
# Serial Number:5b:f6:01:b4:92:d6:97:4c:3f:a8:7a:27:df:d3:44:41:57:b6:0a:38
# Subject: CN=ca
# Not Valid Before: Wed Jan 01 00:00:00 2020
# Not Valid After : Sun Jan 01 00:00:00 2051
# Fingerprint (SHA-256): 5C:E9:72:28:D9:8A:BC:FE:63:23:33:5E:97:5D:6C:42:B5:48:FD:E7:8A:B9:F8:2E:CC:44:B1:16:69:A3:F5:B0
# Fingerprint (SHA1): 6B:15:70:37:F1:81:D0:B6:F7:0C:D9:86:C2:E7:FD:38:E7:53:7B:BE
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Distrusted After Jan 1 2022 Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\153\025\160\067\361\201\320\266\367\014\331\206\302\347\375\070
\347\123\173\276
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\342\152\137\376\222\257\271\255\024\346\353\305\132\017\156\341
END
CKA_ISSUER MULTILINE_OCTAL
\060\015\061\013\060\011\006\003\125\004\003\014\002\143\141
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\024\133\366\001\264\222\326\227\114\077\250\172\047\337\323
\104\101\127\266\012\070
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE


@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,4 @@
issuer:int
subject:ee
validity:20210101-20510101
extension:extKeyUsage:serverAuth


@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----
MIICxDCCAaygAwIBAgIUQbAFBAJcR+nWt1dATlPDuABJgEAwDQYJKoZIhvcNAQEL
BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjMwMTAxMDAwMDAwWhgPMjA1MTAxMDEw
MDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxcwFTATBgNVHSUEDDAKBggrBgEF
BQcDATANBgkqhkiG9w0BAQsFAAOCAQEAfd1W1LYT+JnTb7ZXdz7lJcwdowimjUWR
ylhXpqyMbJmldogIoWXG+wPo9XosdLeaR0H7xizrhpiod6DXvqtXUjzfhdzbH8i8
3sBL3dyO/RAm1IWuDTNmT9d2SX+fty7M7mHH1TLuRda4VItiWyPK+QQIZHcTlhQz
qRebW6ggpWzRb9nqUWieHlvyaVgqWkv9LiCkJYqXXL6nBvQAh8ukf6g127c0hbMO
DIQtoAT6XFbApM6GPuovaiMf0h8n7S2ekIcRBEeadvZOMsy7hdTNMKlS706wQETd
U0jwYTk728Oz0MCdgn488iRWGeDJWi544JZldErK75lWHAU5svaHIQ==
-----END CERTIFICATE-----


@ -0,0 +1,4 @@
issuer:int
subject:ee
validity:20230101-20510101
extension:extKeyUsage:serverAuth


@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----


@ -0,0 +1,4 @@
issuer:ca
subject:int
extension:basicConstraints:cA,
extension:keyUsage:keyCertSign,cRLSign


@ -438,6 +438,7 @@ PK11_PubEncryptPKCS1
PK11_PubUnwrapSymKey
PK11_PubWrapSymKey
PK11_RandomUpdate
PK11_ReadDistrustAfterAttribute
PK11_ReadRawAttribute
PK11_ReferenceSlot
PK11_ReferenceSymKey