nagai/fune
3
0
Fork 0
forked from mirrors/gecko-dev
Code Pull requests Activity

Bug 1868774 - land NSS_3_96_RTM, UPGRADE_NSS_RELEASE, r=nkulatova

Browse source 
Differential Revision: https://phabricator.services.mozilla.com/D196540
This commit is contained in:
Benjamin Beurdouche 2023-12-15 09:28:06 +00:00
parent 870a5f2055
commit 60f8910886
14 changed files with 161 additions and 139 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

2
security/nss/TAG-INFO
View file

@ -1 +1 @@
NSS_3_95_RTM
NSS_3_96_RTM

2
security/nss/automation/abi-check/previous-nss-release
View file

@ -1 +1 @@
NSS_3_94_BRANCH
NSS_3_95_BRANCH

8
security/nss/automation/taskcluster/graph/src/extend.js
View file

@ -346,15 +346,15 @@ async function scheduleMac(name, base, args = "") {
DOMSUF: "localdomain",
HOST: "localhost",
},
provisioner: "localprovisioner",
workerType: "nss-macos-10-12",
provisioner: "releng-hardware",
workerType: "nss-1-b-osx-1015",
platform: "mac"
});
// Build base definition.
let build_base_without_command_symbol = merge(mac_base, {
provisioner: "localprovisioner",
workerType: "nss-macos-10-12",
provisioner: "releng-hardware",
workerType: "nss-1-b-osx-1015",
platform: "mac",
maxRunTime: 7200,
artifacts: [{

10
security/nss/automation/taskcluster/scripts/build_gyp.sh
View file

@ -11,6 +11,16 @@ if [[ -f nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then
popd
fi
# Dependencies
# For MacOS we have hardware in the CI which doesn't allow us o deploy VMs.
# The setup is hardcoded and can't be changed easily.
# This part is a helper We install dependencies manually to help.
if [ "$(uname)" = "Darwin" ]; then
python3 -m pip install --user gyp-next
python3 -m pip install --user ninja
export PATH="$(python3 -m site --user-base)/bin:${PATH}"
fi
# Build.
nss/build.sh -g -v --enable-libpkix -Denable_draft_hpke=1 "$@"

57
security/nss/cmd/digest/digest.c
View file

@ -4,6 +4,7 @@
#include "secutil.h"
#include "pk11func.h"
#include "sechash.h"
#include "secoid.h"
#if defined(XP_WIN) || (defined(__sun) && !defined(SVR4))
@ -16,57 +17,6 @@ extern int fprintf(FILE *, char *, ...);
#include "plgetopt.h"
static SECOidData *
HashTypeToOID(HASH_HashType hashtype)
{
SECOidTag hashtag;
if (hashtype <= HASH_AlgNULL || hashtype >= HASH_AlgTOTAL)
return NULL;
switch (hashtype) {
case HASH_AlgMD2:
hashtag = SEC_OID_MD2;
break;
case HASH_AlgMD5:
hashtag = SEC_OID_MD5;
break;
case HASH_AlgSHA1:
hashtag = SEC_OID_SHA1;
break;
case HASH_AlgSHA256:
hashtag = SEC_OID_SHA256;
break;
case HASH_AlgSHA384:
hashtag = SEC_OID_SHA384;
break;
case HASH_AlgSHA512:
hashtag = SEC_OID_SHA512;
break;
case HASH_AlgSHA224:
hashtag = SEC_OID_SHA224;
break;
case HASH_AlgSHA3_224:
hashtag = SEC_OID_SHA3_224;
break;
case HASH_AlgSHA3_256:
hashtag = SEC_OID_SHA3_256;
break;
case HASH_AlgSHA3_384:
hashtag = SEC_OID_SHA3_384;
break;
case HASH_AlgSHA3_512:
hashtag = SEC_OID_SHA3_512;
break;
default:
fprintf(stderr, "A new hash type has been added to HASH_HashType.\n");
fprintf(stderr, "This program needs to be updated!\n");
return NULL;
}
return SECOID_FindOIDByTag(hashtag);
}
static SECOidData *
HashNameToOID(const char *hashName)
{
@ -74,7 +24,7 @@ HashNameToOID(const char *hashName)
SECOidData *hashOID;
for (htype = HASH_AlgNULL + 1; htype < HASH_AlgTOTAL; htype++) {
hashOID = HashTypeToOID(htype);
hashOID = SECOID_FindOIDByTag(HASH_GetHashOidTagByHashType(htype));
if (PORT_Strcasecmp(hashName, hashOID->desc) == 0)
break;
}
@ -97,7 +47,8 @@ Usage(char *progName)
"-t type");
fprintf(stderr, "%-20s ", "");
for (htype = HASH_AlgNULL + 1; htype < HASH_AlgTOTAL; htype++) {
fprintf(stderr, "%s", HashTypeToOID(htype)->desc);
fputs(SECOID_FindOIDByTag(HASH_GetHashOidTagByHashType(htype))->desc,
stderr);
if (htype == (HASH_AlgTOTAL - 2))
fprintf(stderr, " or ");
else if (htype != (HASH_AlgTOTAL - 1))

87
security/nss/cmd/p7sign/p7sign.c
View file

@ -35,9 +35,14 @@ static secuPWData pwdata = { PW_NONE, 0 };
static void
Usage(char *progName)
{
HASH_HashType hashAlg;
fprintf(stderr,
"Usage: %s -k keyname [-d keydir] [-i input] [-o output]\n",
"Usage: %s -k keyname [-d keydir] [-i input] [-o output] [-e]\n",
progName);
fprintf(stderr,
" %*s [-p password|-f password file] [-a hash] [-u certusage]\n",
(int)strlen(progName), "");
fprintf(stderr, "%-20s Nickname of key to use for signature\n",
"-k keyname");
fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n",
@ -48,8 +53,30 @@ Usage(char *progName)
"-o output");
fprintf(stderr, "%-20s Encapsulate content in signature message\n",
"-e");
fprintf(stderr, "%-20s Password to the key databse\n", "-p");
fprintf(stderr, "%-20s password file\n", "-f");
fprintf(stderr, "%-20s Password to the key databse\n", "-p password");
fprintf(stderr, "%-20s File to read password from\n", "-f password file");
fprintf(stderr, "%-20s Use case-insensitive hash algorithm (default: SHA-1)\n",
"-a hash");
fprintf(stderr, "%-25s ", "");
for (hashAlg = HASH_AlgNULL + 1; hashAlg != HASH_AlgTOTAL; ++hashAlg)
fprintf(stderr, "%s%s", hashAlg == HASH_AlgNULL + 1 ? "" : ", ",
SECOID_FindOIDByTag(HASH_GetHashOidTagByHashType(hashAlg))->desc);
fputc('\n', stderr);
fprintf(stderr, "%-20s Sign for usage (default: certUsageEmailSigner)\n",
"-u certusage");
fprintf(stderr, "%-25s 0 - certUsageSSLClient\n", "");
fprintf(stderr, "%-25s 1 - certUsageSSLServer\n", "");
fprintf(stderr, "%-25s 2 - certUsageSSLServerWithStepUp\n", "");
fprintf(stderr, "%-25s 3 - certUsageSSLCA\n", "");
fprintf(stderr, "%-25s 4 - certUsageEmailSigner\n", "");
fprintf(stderr, "%-25s 5 - certUsageEmailRecipient\n", "");
fprintf(stderr, "%-25s 6 - certUsageObjectSigner\n", "");
fprintf(stderr, "%-25s 7 - certUsageUserCertImport\n", "");
fprintf(stderr, "%-25s 8 - certUsageVerifyCA\n", "");
fprintf(stderr, "%-25s 9 - certUsageProtectedObjectSigner\n", "");
fprintf(stderr, "%-25s 10 - certUsageStatusResponder\n", "");
fprintf(stderr, "%-25s 11 - certUsageAnyCA\n", "");
fprintf(stderr, "%-25s 12 - certUsageIPsec\n", "");
exit(-1);
}
@ -63,13 +90,13 @@ SignOut(void *arg, const char *buf, unsigned long len)
}
static int
CreateDigest(SECItem *data, char *digestdata, unsigned int *len, unsigned int maxlen)
CreateDigest(SECItem *data, char *digestdata, unsigned int *len,
unsigned int maxlen, HASH_HashType hashAlg)
{
const SECHashObject *hashObj;
void *hashcx;
/* XXX probably want to extend interface to allow other hash algorithms */
hashObj = HASH_GetHashObject(HASH_AlgSHA1);
hashObj = HASH_GetHashObject(hashAlg);
hashcx = (*hashObj->create)();
if (hashcx == NULL)
@ -84,9 +111,10 @@ CreateDigest(SECItem *data, char *digestdata, unsigned int *len, unsigned int ma
static int
SignFile(FILE *outFile, PRFileDesc *inFile, CERTCertificate *cert,
PRBool encapsulated)
PRBool encapsulated, HASH_HashType hashAlg, SECOidTag hashAlgOid,
SECCertUsage usage)
{
char digestdata[32];
char digestdata[HASH_LENGTH_MAX];
unsigned int len;
SECItem digest, data2sign;
SEC_PKCS7ContentInfo *cinfo;
@ -105,19 +133,23 @@ SignFile(FILE *outFile, PRFileDesc *inFile, CERTCertificate *cert,
/* SEC_PKCS7CreateSignedData should have a flag to not include */
/* the content for non-encapsulated content at encode time, but */
/* should always compute the hash itself */
if (CreateDigest(&data2sign, digestdata, &len, 32) < 0)
if (CreateDigest(&data2sign, digestdata, &len,
sizeof(digestdata), hashAlg) < 0) {
SECITEM_FreeItem(&data2sign, PR_FALSE);
return -1;
}
digest.data = (unsigned char *)digestdata;
digest.len = len;
}
/* XXX Need a better way to handle that usage stuff! */
cinfo = SEC_PKCS7CreateSignedData(cert, certUsageEmailSigner, NULL,
SEC_OID_SHA1,
cinfo = SEC_PKCS7CreateSignedData(cert, usage, NULL,
hashAlgOid,
encapsulated ? NULL : &digest,
NULL, NULL);
if (cinfo == NULL)
if (cinfo == NULL) {
SECITEM_FreeItem(&data2sign, PR_FALSE);
return -1;
}
if (encapsulated) {
SEC_PKCS7SetContent(cinfo, (char *)data2sign.data, data2sign.len);
@ -126,6 +158,7 @@ SignFile(FILE *outFile, PRFileDesc *inFile, CERTCertificate *cert,
rv = SEC_PKCS7IncludeCertChain(cinfo, NULL);
if (rv != SECSuccess) {
SEC_PKCS7DestroyContentInfo(cinfo);
SECITEM_FreeItem(&data2sign, PR_FALSE);
return -1;
}
@ -151,6 +184,9 @@ main(int argc, char **argv)
CERTCertDBHandle *certHandle;
CERTCertificate *cert = NULL;
PRBool encapsulated = PR_FALSE;
HASH_HashType hashAlg = HASH_AlgSHA1;
SECOidTag hashAlgOid = SEC_OID_SHA1;
SECCertUsage usage = certUsageEmailSigner;
PLOptState *optstate;
PLOptStatus status;
SECStatus rv;
@ -165,7 +201,7 @@ main(int argc, char **argv)
/*
* Parse command line arguments
*/
optstate = PL_CreateOptState(argc, argv, "ed:k:i:o:p:f:");
optstate = PL_CreateOptState(argc, argv, "ed:k:i:o:p:f:a:u:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
@ -211,6 +247,24 @@ main(int argc, char **argv)
pwdata.source = PW_FROMFILE;
pwdata.data = PORT_Strdup(optstate->value);
break;
case 'a':
for (hashAlg = HASH_AlgNULL + 1; hashAlg != HASH_AlgTOTAL;
++hashAlg) {
hashAlgOid = HASH_GetHashOidTagByHashType(hashAlg);
if (!PORT_Strcasecmp(optstate->value,
SECOID_FindOIDByTag(hashAlgOid)->desc))
break;
}
if (hashAlg == HASH_AlgTOTAL)
Usage(progName);
break;
case 'u':
usage = atoi(optstate->value);
if (usage < certUsageSSLClient || usage > certUsageIPsec)
Usage(progName);
break;
}
}
PL_DestroyOptState(optstate);
@ -241,7 +295,7 @@ main(int argc, char **argv)
}
/* find cert */
cert = CERT_FindCertByNickname(certHandle, keyName);
cert = SECU_FindCertByNicknameOrFilename(certHandle, keyName, PR_FALSE, NULL);
if (cert == NULL) {
SECU_PrintError(progName,
"the corresponding cert for key \"%s\" does not exist",
@ -250,7 +304,8 @@ main(int argc, char **argv)
goto loser;
}
if (SignFile(outFile, inFile, cert, encapsulated)) {
if (SignFile(outFile, inFile, cert, encapsulated,
hashAlg, hashAlgOid, usage)) {
SECU_PrintError(progName, "problem signing data");
rv = SECFailure;
goto loser;

28
security/nss/cmd/p7verify/p7verify.c
View file

@ -28,27 +28,6 @@ extern int fread(char *, size_t, size_t, FILE *);
extern int fprintf(FILE *, char *, ...);
#endif
static HASH_HashType
AlgorithmToHashType(SECAlgorithmID *digestAlgorithms)
{
SECOidTag tag;
tag = SECOID_GetAlgorithmTag(digestAlgorithms);
switch (tag) {
case SEC_OID_MD2:
return HASH_AlgMD2;
case SEC_OID_MD5:
return HASH_AlgMD5;
case SEC_OID_SHA1:
return HASH_AlgSHA1;
default:
fprintf(stderr, "should never get here\n");
return HASH_AlgNULL;
}
}
static int
DigestFile(unsigned char *digest, unsigned int *len, unsigned int maxLen,
FILE *inFile, HASH_HashType hashType)
@ -152,7 +131,8 @@ HashDecodeAndVerify(FILE *out, FILE *content, PRFileDesc *signature,
signedData = cinfo->content.signedData;
/* assume that there is only one digest algorithm for now */
digestType = AlgorithmToHashType(signedData->digestAlgorithms[0]);
digestType = HASH_GetHashTypeByOidTag(
SECOID_GetAlgorithmTag(signedData->digestAlgorithms[0]));
if (digestType == HASH_AlgNULL) {
fprintf(out, "Invalid hash algorithmID\n");
return -1;
@ -239,8 +219,8 @@ main(int argc, char **argv)
case 'u': {
int usageType;
usageType = atoi(strdup(optstate->value));
if (usageType < certUsageSSLClient || usageType > certUsageAnyCA)
usageType = atoi(optstate->value);
if (usageType < certUsageSSLClient || usageType > certUsageIPsec)
return -1;
certUsage = (SECCertUsage)usageType;
break;

1
security/nss/coreconf/coreconf.dep
View file

@ -10,4 +10,3 @@
*/
#error "Do not include this header file."

2
security/nss/doc/rst/releases/nss_3_65.rst
View file

@ -10,6 +10,8 @@ NSS 3.65 release notes
Network Security Services (NSS) 3.65 was released on **13 May 2021**.
`Distribution Information <#distribution_information>`__
--------------------------------------------------------

4
security/nss/lib/nss/nss.h
View file

@ -22,9 +22,9 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.95" _NSS_CUSTOMIZED " Beta"
#define NSS_VERSION "3.96" _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 95
#define NSS_VMINOR 96
#define NSS_VPATCH 0
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE

4
security/nss/lib/softoken/softkver.h
View file

@ -17,9 +17,9 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define SOFTOKEN_VERSION "3.95" SOFTOKEN_ECC_STRING " Beta"
#define SOFTOKEN_VERSION "3.96" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 95
#define SOFTOKEN_VMINOR 96
#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE

7
security/nss/lib/ssl/sslsecur.c
View file

@ -488,7 +488,12 @@ ssl_SendSavedWriteData(sslSocket *ss)
if (rv < 0) {
return rv;
}
ss->pendingBuf.len -= rv;
if (rv > ss->pendingBuf.len) {
PORT_Assert(0); /* This shouldn't happen */
ss->pendingBuf.len = 0;
} else {
ss->pendingBuf.len -= rv;
}
if (ss->pendingBuf.len > 0 && rv > 0) {
/* UGH !! This shifts the whole buffer down by copying it */
PORT_Memmove(ss->pendingBuf.buf, ss->pendingBuf.buf + rv,

4
security/nss/lib/util/nssutil.h
View file

@ -19,9 +19,9 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.95 Beta"
#define NSSUTIL_VERSION "3.96"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 95
#define NSSUTIL_VMINOR 96
#define NSSUTIL_VPATCH 0
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE

84
security/nss/tests/smime/smime.sh
View file

@ -1,4 +1,4 @@
#! /bin/sh
#! /bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
@ -19,6 +19,8 @@
#
########################################################################
EMAILDATE=`date --rfc-email --utc`
# parameter: MIME part boundary
make_multipart()
{
@ -92,17 +94,17 @@ cms_sign()
SIG=sig.SHA${HASH}
echo "$SCRIPTNAME: Signing Detached Message {$HASH} ------------------"
echo "cmsutil -S -T -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.d${SIG}"
${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.d${SIG}
echo "cmsutil -S -G -T -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.d${SIG}"
${PROFTOOL} ${BINDIR}/cmsutil -S -G -T -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.d${SIG}
html_msg $? 0 "Create Detached Signature Alice (${HASH})" "."
echo "cmsutil -D -i alice.d${SIG} -c alice.txt -d ${P_R_BOBDIR} "
${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.d${SIG} -c alice.txt -d ${P_R_BOBDIR}
${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.d${SIG} -c alice.txt -d ${P_R_BOBDIR}
html_msg $? 0 "Verifying Alice's Detached Signature (${HASH})" "."
echo "$SCRIPTNAME: Signing Attached Message (${HASH}) ------------------"
echo "cmsutil -S -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.${SIG}"
${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.${SIG}
echo "cmsutil -S -G -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.${SIG}"
${PROFTOOL} ${BINDIR}/cmsutil -S -G -N Alice ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.${SIG}
html_msg $? 0 "Create Attached Signature Alice (${HASH})" "."
echo "cmsutil -D -i alice.${SIG} -d ${P_R_BOBDIR} -o alice.data.${HASH}"
@ -115,17 +117,17 @@ cms_sign()
# Test ECDSA signing for all hash algorithms.
echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ {$HASH} ------------------"
echo "cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}"
${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}
echo "cmsutil -S -G -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}"
${PROFTOOL} ${BINDIR}/cmsutil -S -G -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}
html_msg $? 0 "Create Detached Signature Alice (ECDSA w/ ${HASH})" "."
echo "cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} "
${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR}
${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR}
html_msg $? 0 "Verifying Alice's Detached Signature (ECDSA w/ ${HASH})" "."
echo "$SCRIPTNAME: Signing Attached Message (ECDSA w/ ${HASH}) ------------------"
echo "cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}"
${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}
echo "cmsutil -S -G -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}"
${PROFTOOL} ${BINDIR}/cmsutil -S -G -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}
html_msg $? 0 "Create Attached Signature Alice (ECDSA w/ ${HASH})" "."
echo "cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}"
@ -138,11 +140,13 @@ cms_sign()
}
header_mime_from_to_subject="MIME-Version: 1.0
Date: ${EMAILDATE}
From: Alice@example.com
To: Bob@example.com
Subject: "
header_dave_mime_from_to_subject="MIME-Version: 1.0
Date: ${EMAILDATE}
From: Dave@example.com
To: Bob@example.com
Subject: "
@ -204,7 +208,7 @@ smime_signed_enveloped()
{
SIG=sig.SHA${HASH}
${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice ${HASH_CMD} -i tb/alice.mime -d ${P_R_ALICEDIR} -p nss -o tb/alice.mime.d${SIG}
${PROFTOOL} ${BINDIR}/cmsutil -S -G -T -N Alice ${HASH_CMD} -i tb/alice.mime -d ${P_R_ALICEDIR} -p nss -o tb/alice.mime.d${SIG}
OUT="tb/alice.d${SIG}.multipart"
echo "${multipart_start}" | sed "s/HASHHASH/${HASH}/" >>${OUT}
@ -229,7 +233,7 @@ smime_signed_enveloped()
echo >>${OUT}
sed -i"" "s/\$/$CR/" ${OUT}
${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice ${HASH_CMD} -i tb/alice.textplain -d ${P_R_ALICEDIR} -p nss -o tb/alice.textplain.${SIG}
${PROFTOOL} ${BINDIR}/cmsutil -S -G -N Alice ${HASH_CMD} -i tb/alice.textplain -d ${P_R_ALICEDIR} -p nss -o tb/alice.textplain.${SIG}
OUT="tb/alice.${SIG}.opaque"
echo "$header_opaque_signed" >>${OUT}
@ -278,7 +282,7 @@ smime_plain_signed()
{
SIG=sig.SHA${HASH}
${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice ${HASH_CMD} -i tb/alice.textplain -d ${P_R_ALICEDIR} -p nss -o tb/alice.plain.d${SIG}
${PROFTOOL} ${BINDIR}/cmsutil -S -G -T -N Alice ${HASH_CMD} -i tb/alice.textplain -d ${P_R_ALICEDIR} -p nss -o tb/alice.plain.d${SIG}
OUT="tb/alice.plain.d${SIG}.multipart"
echo "${multipart_start}" | sed "s/HASHHASH/${HASH}/" >>${OUT}
@ -287,7 +291,7 @@ smime_plain_signed()
cat tb/alice.plain.d${SIG} | ${BINDIR}/btoa | sed 's/\r$//' >>${OUT}
echo "${multipart_end}" >>${OUT}
${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice ${HASH_CMD} -i tb/alice.textplain -d ${P_R_ALICEDIR} -p nss -o tb/alice.plain.${SIG}
${PROFTOOL} ${BINDIR}/cmsutil -S -G -N Alice ${HASH_CMD} -i tb/alice.textplain -d ${P_R_ALICEDIR} -p nss -o tb/alice.plain.${SIG}
OUT="tb/alice.plain.${SIG}.opaque"
echo "$header_opaque_signed" >>${OUT}
@ -297,7 +301,7 @@ smime_plain_signed()
INPUT="tb/alice.plain.d${SIG}.multipart"
OUT_SIG="${INPUT}.dave.${SIG}"
${PROFTOOL} ${BINDIR}/cmsutil -S -N Dave ${HASH_CMD} -i "$INPUT" -d ${P_R_DAVEDIR} -p nss -o "$OUT_SIG"
${PROFTOOL} ${BINDIR}/cmsutil -S -G -N Dave ${HASH_CMD} -i "$INPUT" -d ${P_R_DAVEDIR} -p nss -o "$OUT_SIG"
OUT_MIME="${OUT_SIG}.opaque"
echo "$header_opaque_signed" >>${OUT_MIME}
@ -312,7 +316,7 @@ smime_plain_signed()
INPUT="tb/alice.plain.${SIG}.opaque"
OUT_SIG="${INPUT}.dave.${SIG}"
${PROFTOOL} ${BINDIR}/cmsutil -S -N Dave ${HASH_CMD} -i "$INPUT" -d ${P_R_DAVEDIR} -p nss -o "$OUT_SIG"
${PROFTOOL} ${BINDIR}/cmsutil -S -G -N Dave ${HASH_CMD} -i "$INPUT" -d ${P_R_DAVEDIR} -p nss -o "$OUT_SIG"
OUT_MIME="${OUT_SIG}.opaque"
echo "$header_opaque_signed" >>${OUT_MIME}
@ -330,7 +334,7 @@ smime_plain_signed()
INPUT="tb/alice.plain.d${SIG}.multipart"
OUT_SIG="${INPUT}.dave.d${SIG}"
cat "$INPUT" | sed "s/\$/$CR/" > "${INPUT}.cr"
${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Dave ${HASH_CMD} -i "${INPUT}.cr" -d ${P_R_DAVEDIR} -p nss -o "$OUT_SIG"
${PROFTOOL} ${BINDIR}/cmsutil -S -G -T -N Dave ${HASH_CMD} -i "${INPUT}.cr" -d ${P_R_DAVEDIR} -p nss -o "$OUT_SIG"
OUT_MIME="${OUT_SIG}.multipart"
echo "${multipart_start_b2}" | sed "s/HASHHASH/${HASH}/" >>${OUT_MIME}
@ -351,7 +355,7 @@ smime_plain_signed()
INPUT="tb/alice.plain.${SIG}.opaque"
OUT_SIG="${INPUT}.dave.d${SIG}"
cat "$INPUT" | sed "s/\$/$CR/" > "${INPUT}.cr"
${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Dave ${HASH_CMD} -i "${INPUT}.cr" -d ${P_R_DAVEDIR} -p nss -o "$OUT_SIG"
${PROFTOOL} ${BINDIR}/cmsutil -S -G -T -N Dave ${HASH_CMD} -i "${INPUT}.cr" -d ${P_R_DAVEDIR} -p nss -o "$OUT_SIG"
OUT_MIME="${OUT_SIG}.multipart"
echo "${multipart_start_b2}" | sed "s/HASHHASH/${HASH}/" >>${OUT_MIME}
@ -374,7 +378,7 @@ smime_enveloped_signed()
{
SIG=sig.SHA${HASH}
${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice ${HASH_CMD} -i tb/alice.env -d ${P_R_ALICEDIR} -p nss -o tb/alice.env.d${SIG}
${PROFTOOL} ${BINDIR}/cmsutil -S -G -T -N Alice ${HASH_CMD} -i tb/alice.env -d ${P_R_ALICEDIR} -p nss -o tb/alice.env.d${SIG}
OUT="tb/alice.env.d${SIG}.multipart"
echo "${multipart_start}" | sed "s/HASHHASH/${HASH}/" >>${OUT}
@ -389,7 +393,7 @@ smime_enveloped_signed()
cat "tb/alice.env.d${SIG}.multipart" >>${OUT}
sed -i"" "s/\$/$CR/" ${OUT}
${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice ${HASH_CMD} -i tb/alice.env -d ${P_R_ALICEDIR} -p nss -o tb/alice.env.${SIG}
${PROFTOOL} ${BINDIR}/cmsutil -S -G -N Alice ${HASH_CMD} -i tb/alice.env -d ${P_R_ALICEDIR} -p nss -o tb/alice.env.${SIG}
OUT="tb/alice.env.${SIG}.opaque"
echo "$header_opaque_signed" >>${OUT}
@ -406,7 +410,7 @@ smime_enveloped_signed()
INPUT="tb/alice.env.d${SIG}.multipart"
OUT_SIG="${INPUT}.dave.${SIG}"
${PROFTOOL} ${BINDIR}/cmsutil -S -N Dave ${HASH_CMD} -i "$INPUT" -d ${P_R_DAVEDIR} -p nss -o "$OUT_SIG"
${PROFTOOL} ${BINDIR}/cmsutil -S -G -N Dave ${HASH_CMD} -i "$INPUT" -d ${P_R_DAVEDIR} -p nss -o "$OUT_SIG"
OUT_MIME="${OUT_SIG}.opaque"
echo "$header_opaque_signed" >>${OUT_MIME}
@ -421,7 +425,7 @@ smime_enveloped_signed()
INPUT="tb/alice.env.${SIG}.opaque"
OUT_SIG="${INPUT}.dave.${SIG}"
${PROFTOOL} ${BINDIR}/cmsutil -S -N Dave ${HASH_CMD} -i "$INPUT" -d ${P_R_DAVEDIR} -p nss -o "$OUT_SIG"
${PROFTOOL} ${BINDIR}/cmsutil -S -G -N Dave ${HASH_CMD} -i "$INPUT" -d ${P_R_DAVEDIR} -p nss -o "$OUT_SIG"
OUT_MIME="${OUT_SIG}.opaque"
echo "$header_opaque_signed" >>${OUT_MIME}
@ -452,17 +456,33 @@ smime_p7()
diff alice.txt alice_p7.data.sed
html_msg $? 0 "Compare Decoded Enveloped Data and Original" "."
echo "p7sign -d ${P_R_ALICEDIR} -k Alice -i alice.txt -o alice.sig -p nss -e"
${PROFTOOL} ${BINDIR}/p7sign -d ${P_R_ALICEDIR} -k Alice -i alice.txt -o alice.sig -p nss -e
html_msg $? 0 "Signing file for user Alice" "."
p7sig() {
echo "p7sign -d ${P_R_ALICEDIR} -k Alice -i alice.txt -o alice.sig -p nss -e $alg $usage"
${PROFTOOL} ${BINDIR}/p7sign -d ${P_R_ALICEDIR} -k Alice -i alice.txt -o alice.sig -p nss -e $alg $usage
html_msg $? $1 "Signing file for user Alice $alg $usage$2" "."
}
p7sigver() {
p7sig 0 ''
echo "p7verify -d ${P_R_ALICEDIR} -c alice.txt -s alice.sig"
${PROFTOOL} ${BINDIR}/p7verify -d ${P_R_ALICEDIR} -c alice.txt -s alice.sig
html_msg $? 0 "Verifying file delivered to user Alice" "."
echo "p7verify -d ${P_R_ALICEDIR} -c alice.txt -s alice.sig $usage"
${PROFTOOL} ${BINDIR}/p7verify -d ${P_R_ALICEDIR} -c alice.txt -s alice.sig $usage
html_msg $? 0 "Verifying file delivered to user Alice $alg $usage" "."
}
# no md2 or md5 (SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED)
for alg in "" "-a sha-1" "-a sha-256" "-a sha-384" "-a SHA-512" "-a SHA-224"; do
usage=; p7sigver
for usage in $(seq 0 12); do
case $usage in
2|3|6|10) usage="-u $usage"; p7sig 1 ' (inadequate)' ;; # SEC_ERROR_INADEQUATE_CERT_TYPE/SEC_ERROR_INADEQUATE_KEY_USAGE
7|9) ;; # not well-liked by cert_VerifyCertWithFlags() on debug builds
*) usage="-u $usage"; p7sigver ;;
esac
done
done
}
############################## smime_main ##############################
# local shell function to test basic signed and enveloped messages
# local shell function to test basic signed and enveloped messages
# from 1 --> 2"
########################################################################
smime_main()
@ -548,7 +568,7 @@ smime_main()
diff alice.txt alice.data4
html_msg $? 0 "Compare Decoded with Multiple Email cert" "."
echo "$SCRIPTNAME: Sending CERTS-ONLY Message ------------------------------"
echo "cmsutil -O -r \"Alice,bob@example.com,dave@example.com\" \\"
echo " -d ${P_R_ALICEDIR} > co.der"
@ -584,7 +604,7 @@ smime_data_tb()
CAOUT=tb/TestCA.pem
cat ${P_R_CADIR}/TestCA.ca.cert | sed 's/\r$//' | ${BINDIR}/btoa -w c >> ${CAOUT}
}
############################## smime_cleanup ###########################
# local shell function to finish this script (no exit since it might be
# sourced)