forked from mirrors/gecko-dev
Bug 1539227 - land NSS 67c41e385581 UPGRADE_NSS_RELEASE, r=me
--HG-- extra : rebase_source : cd4c8d05e32ee16c9aaa1aeb23014b2299c100fd
This commit is contained in:
J.C. Jones
parent
e7a4bd4df8
commit
d602553050
41 changed files with 559 additions and 352 deletions
|
|
@ -1538,7 +1538,7 @@ MOZ_ARG_WITH_BOOL(system-nss,
|
|||
_USE_SYSTEM_NSS=1 )
|
||||
|
||||
if test -n "$_USE_SYSTEM_NSS"; then
|
||||
AM_PATH_NSS(3.42, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
|
||||
AM_PATH_NSS(3.44, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
|
||||
fi
|
||||
|
||||
NSS_CFLAGS="$NSS_CFLAGS -I${DIST}/include/nss"
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ tasks:
|
|||
in:
|
||||
taskId: '${ownTaskId}'
|
||||
taskGroupId: '${ownTaskId}'
|
||||
schedulerId: 'gecko-level-nss'
|
||||
schedulerId: 'nss-level-${repository.level}'
|
||||
created: {$fromNow: ''}
|
||||
deadline: {$fromNow: '1 day'}
|
||||
expires: {$fromNow: '14 days'}
|
||||
|
|
@ -41,7 +41,6 @@ tasks:
|
|||
|
||||
scopes:
|
||||
- 'assume:repo:${repoUrl[8:]}:branch:default'
|
||||
- 'queue:route:notify.email.${ownerEmail}.*'
|
||||
tags:
|
||||
createdForUser: "${ownerEmail}"
|
||||
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
NSS_3_43_RTM
|
||||
67c41e385581
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
1 Added function:
|
||||
|
||||
'function SECOidTag HASH_GetHashOidTagByHashType(HASH_HashType)' {HASH_GetHashOidTagByHashType@@NSS_3.43}
|
||||
'function SECStatus CERT_GetCertificateDer(const CERTCertificate*, SECItem*)' {CERT_GetCertificateDer@@NSS_3.44}
|
||||
|
||||
|
|
|
|||
|
|
@ -1,20 +0,0 @@
|
|||
|
||||
2 functions with some indirect sub-type change:
|
||||
|
||||
[C]'function SECStatus SSL_GetCipherSuiteInfo(PRUint16, SSLCipherSuiteInfo*, PRUintn)' at sslinfo.c:326:1 has some indirect sub-type changes:
|
||||
parameter 2 of type 'SSLCipherSuiteInfo*' has sub-type changes:
|
||||
in pointed to type 'typedef SSLCipherSuiteInfo' at sslt.h:433:1:
|
||||
underlying type 'struct SSLCipherSuiteInfoStr' at sslt.h:366:1 changed:
|
||||
type size changed from 768 to 832 (in bits)
|
||||
1 data member insertion:
|
||||
'SSLHashType SSLCipherSuiteInfoStr::kdfHash', at offset 768 (in bits) at sslt.h:429:1
|
||||
|
||||
[C]'function SECStatus SSL_GetPreliminaryChannelInfo(PRFileDesc*, SSLPreliminaryChannelInfo*, PRUintn)' at sslinfo.c:111:1 has some indirect sub-type changes:
|
||||
parameter 2 of type 'SSLPreliminaryChannelInfo*' has sub-type changes:
|
||||
in pointed to type 'typedef SSLPreliminaryChannelInfo' at sslt.h:379:1:
|
||||
underlying type 'struct SSLPreliminaryChannelInfoStr' at sslt.h:333:1 changed:
|
||||
type size changed from 160 to 192 (in bits)
|
||||
1 data member insertion:
|
||||
'PRUint16 SSLPreliminaryChannelInfoStr::zeroRttCipherSuite', at offset 160 (in bits) at sslt.h:375:1
|
||||
|
||||
|
||||
|
|
@ -1 +1 @@
|
|||
NSS_3_42_BRANCH
|
||||
NSS_3_43_BRANCH
|
||||
|
|
|
|||
|
|
@ -10,3 +10,4 @@
|
|||
*/
|
||||
|
||||
#error "Do not include this header file."
|
||||
|
||||
|
|
|
|||
47
security/nss/gtests/certdb_gtest/cert_unittest.cc
Normal file
47
security/nss/gtests/certdb_gtest/cert_unittest.cc
Normal file
|
|
@ -0,0 +1,47 @@
|
|||
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
/* vim: set ts=2 et sw=2 tw=80: */
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
||||
* You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "gtest/gtest.h"
|
||||
|
||||
#include "nss.h"
|
||||
#include "secerr.h"
|
||||
#include "pk11pub.h"
|
||||
#include "nss_scoped_ptrs.h"
|
||||
|
||||
namespace nss_test {
|
||||
|
||||
class CertTest : public ::testing::Test {};
|
||||
|
||||
// Tests CERT_GetCertificateDer for the certs we have.
|
||||
TEST_F(CertTest, GetCertDer) {
|
||||
// Listing all the certs should get us the default trust anchors.
|
||||
ScopedCERTCertList certs(PK11_ListCerts(PK11CertListAll, nullptr));
|
||||
ASSERT_FALSE(PR_CLIST_IS_EMPTY(&certs->list));
|
||||
|
||||
for (PRCList* cursor = PR_NEXT_LINK(&certs->list); cursor != &certs->list;
|
||||
cursor = PR_NEXT_LINK(cursor)) {
|
||||
CERTCertListNode* node = (CERTCertListNode*)cursor;
|
||||
SECItem der;
|
||||
ASSERT_EQ(SECSuccess, CERT_GetCertificateDer(node->cert, &der));
|
||||
ASSERT_EQ(0, SECITEM_CompareItem(&der, &node->cert->derCert));
|
||||
}
|
||||
}
|
||||
|
||||
TEST_F(CertTest, GetCertDerBad) {
|
||||
EXPECT_EQ(SECFailure, CERT_GetCertificateDer(nullptr, nullptr));
|
||||
EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
|
||||
|
||||
ScopedCERTCertList certs(PK11_ListCerts(PK11CertListAll, nullptr));
|
||||
ASSERT_FALSE(PR_CLIST_IS_EMPTY(&certs->list));
|
||||
CERTCertListNode* node = (CERTCertListNode*)PR_NEXT_LINK(&certs->list);
|
||||
EXPECT_EQ(SECFailure, CERT_GetCertificateDer(node->cert, nullptr));
|
||||
EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
|
||||
|
||||
SECItem der;
|
||||
EXPECT_EQ(SECFailure, CERT_GetCertificateDer(nullptr, &der));
|
||||
EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
|
||||
}
|
||||
}
|
||||
|
|
@ -12,6 +12,8 @@
|
|||
'type': 'executable',
|
||||
'sources': [
|
||||
'alg1485_unittest.cc',
|
||||
'cert_unittest.cc',
|
||||
'decode_certs_unittest.cc',
|
||||
'<(DEPTH)/gtests/common/gtests.cc'
|
||||
],
|
||||
'dependencies': [
|
||||
|
|
@ -20,6 +22,7 @@
|
|||
'<(DEPTH)/lib/util/util.gyp:nssutil3',
|
||||
'<(DEPTH)/lib/ssl/ssl.gyp:ssl3',
|
||||
'<(DEPTH)/lib/nss/nss.gyp:nss3',
|
||||
'<(DEPTH)/lib/smime/smime.gyp:smime3',
|
||||
]
|
||||
}
|
||||
],
|
||||
|
|
|
|||
28
security/nss/gtests/certdb_gtest/decode_certs_unittest.cc
Normal file
28
security/nss/gtests/certdb_gtest/decode_certs_unittest.cc
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
/* vim: set ts=2 et sw=2 tw=80: */
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
||||
* You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "gtest/gtest.h"
|
||||
|
||||
#include "cert.h"
|
||||
#include "prerror.h"
|
||||
#include "secerr.h"
|
||||
|
||||
class DecodeCertsTest : public ::testing::Test {};
|
||||
|
||||
TEST_F(DecodeCertsTest, EmptyCertPackage) {
|
||||
// This represents a PKCS#7 ContentInfo with a contentType of
|
||||
// '2.16.840.1.113730.2.5' (Netscape data-type cert-sequence) and a content
|
||||
// consisting of an empty SEQUENCE. This is valid ASN.1, but it contains no
|
||||
// certificates, so CERT_DecodeCertFromPackage should just return a null
|
||||
// pointer.
|
||||
unsigned char emptyCertPackage[] = {0x30, 0x0f, 0x06, 0x09, 0x60, 0x86,
|
||||
0x48, 0x01, 0x86, 0xf8, 0x42, 0x02,
|
||||
0x05, 0xa0, 0x02, 0x30, 0x00};
|
||||
EXPECT_EQ(nullptr, CERT_DecodeCertFromPackage(
|
||||
reinterpret_cast<char*>(emptyCertPackage),
|
||||
sizeof(emptyCertPackage)));
|
||||
EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
|
||||
}
|
||||
|
|
@ -8,6 +8,8 @@ MODULE = nss
|
|||
|
||||
CPPSRCS = \
|
||||
alg1485_unittest.cc \
|
||||
cert_unittest.cc \
|
||||
decode_certs_unittest.cc \
|
||||
$(NULL)
|
||||
|
||||
INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
|
||||
|
|
|
|||
|
|
@ -442,6 +442,48 @@ TEST_P(TlsConnectStream, ReplaceRecordLayerAsyncLateAuth) {
|
|||
SendForwardReceive(client_, client_stage, server_);
|
||||
}
|
||||
|
||||
TEST_F(TlsConnectStreamTls13, ReplaceRecordLayerAsyncPostHandshake) {
|
||||
StartConnect();
|
||||
client_->SetServerKeyBits(server_->server_key_bits());
|
||||
|
||||
BadPrSocket bad_layer_client(client_);
|
||||
BadPrSocket bad_layer_server(server_);
|
||||
StagedRecords client_stage(client_);
|
||||
StagedRecords server_stage(server_);
|
||||
|
||||
client_->SetAuthCertificateCallback(AuthCompleteBlock);
|
||||
|
||||
server_stage.ForwardAll(client_, TlsAgent::STATE_CONNECTING);
|
||||
client_stage.ForwardAll(server_, TlsAgent::STATE_CONNECTING);
|
||||
server_stage.ForwardAll(client_, TlsAgent::STATE_CONNECTING);
|
||||
|
||||
ASSERT_TRUE(client_stage.empty());
|
||||
client_->Handshake();
|
||||
ASSERT_TRUE(client_stage.empty());
|
||||
EXPECT_EQ(TlsAgent::STATE_CONNECTING, client_->state());
|
||||
|
||||
// Now declare the certificate good.
|
||||
EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client_->ssl_fd(), 0));
|
||||
client_->Handshake();
|
||||
ASSERT_FALSE(client_stage.empty());
|
||||
|
||||
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
EXPECT_EQ(TlsAgent::STATE_CONNECTED, client_->state());
|
||||
client_stage.ForwardAll(server_, TlsAgent::STATE_CONNECTED);
|
||||
} else {
|
||||
client_stage.ForwardAll(server_, TlsAgent::STATE_CONNECTED);
|
||||
server_stage.ForwardAll(client_, TlsAgent::STATE_CONNECTED);
|
||||
}
|
||||
CheckKeys();
|
||||
|
||||
// Reading and writing application data should work.
|
||||
SendForwardReceive(client_, client_stage, server_);
|
||||
|
||||
// Post-handshake messages should work here.
|
||||
EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), nullptr, 0));
|
||||
SendForwardReceive(server_, server_stage, client_);
|
||||
}
|
||||
|
||||
// This test ensures that data is correctly forwarded when the handshake is
|
||||
// resumed after asynchronous server certificate authentication, when
|
||||
// SSL_AuthCertificateComplete() is called. The logic for resuming the
|
||||
|
|
|
|||
|
|
@ -215,6 +215,12 @@ extern void CERT_DestroyCertificate(CERTCertificate *cert);
|
|||
*/
|
||||
extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c);
|
||||
|
||||
/* Access the DER of the certificate. This only creates a reference to the DER
|
||||
* in the outparam not a copy. To avoid the pointer becoming invalid, use
|
||||
* CERT_DupCertificate() and keep a reference to the duplicate alive.
|
||||
*/
|
||||
extern SECStatus CERT_GetCertificateDer(const CERTCertificate *c, SECItem *der);
|
||||
|
||||
/*
|
||||
** Create a new certificate request. This result must be wrapped with an
|
||||
** CERTSignedData to create a signed certificate request.
|
||||
|
|
|
|||
|
|
@ -1314,6 +1314,17 @@ CERT_DupCertificate(CERTCertificate *c)
|
|||
return c;
|
||||
}
|
||||
|
||||
SECStatus
|
||||
CERT_GetCertificateDer(const CERTCertificate *c, SECItem *der)
|
||||
{
|
||||
if (!c || !der) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
*der = c->derCert;
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
/*
|
||||
* Allow use of default cert database, so that apps(such as mozilla) don't
|
||||
* have to pass the handle all over the place.
|
||||
|
|
|
|||
|
|
@ -92,23 +92,32 @@ CheckX86CPUSupport()
|
|||
#endif /* NSS_X86_OR_X64 */
|
||||
|
||||
/* clang-format off */
|
||||
#if (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__)
|
||||
#if defined(__aarch64__) || defined(__arm__)
|
||||
#ifndef __has_include
|
||||
#define __has_include(x) 0
|
||||
#endif
|
||||
#if (__has_include(<sys/auxv.h>) || defined(__linux__)) && \
|
||||
defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)
|
||||
/* This might be conflict with host compiler */
|
||||
#if !defined(__ANDROID__)
|
||||
#include <sys/auxv.h>
|
||||
#endif
|
||||
extern unsigned long getauxval(unsigned long type) __attribute__((weak));
|
||||
#else
|
||||
static unsigned long (*getauxval)(unsigned long) = NULL;
|
||||
#define AT_HWCAP2 0
|
||||
#define AT_HWCAP 0
|
||||
#endif /* defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)*/
|
||||
#endif /* (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__) */
|
||||
|
||||
#ifndef AT_HWCAP2
|
||||
#define AT_HWCAP2 26
|
||||
#endif
|
||||
#ifndef AT_HWCAP
|
||||
#define AT_HWCAP 16
|
||||
#endif
|
||||
|
||||
#endif /* defined(__aarch64__) || defined(__arm__) */
|
||||
/* clang-format on */
|
||||
|
||||
#if defined(__aarch64__) && !defined(__ANDROID__)
|
||||
#if defined(__aarch64__)
|
||||
// Defines from hwcap.h in Linux kernel - ARM64
|
||||
#ifndef HWCAP_AES
|
||||
#define HWCAP_AES (1 << 3)
|
||||
|
|
@ -138,9 +147,9 @@ CheckARMSupport()
|
|||
/* aarch64 must support NEON. */
|
||||
arm_neon_support_ = disable_arm_neon == NULL;
|
||||
}
|
||||
#endif /* defined(__aarch64__) && !defined(__ANDROID__) */
|
||||
#endif /* defined(__aarch64__) */
|
||||
|
||||
#if defined(__arm__) && !defined(__ANDROID__)
|
||||
#if defined(__arm__)
|
||||
// Defines from hwcap.h in Linux kernel - ARM
|
||||
/*
|
||||
* HWCAP flags - for elf_hwcap (in kernel) and AT_HWCAP
|
||||
|
|
@ -165,23 +174,58 @@ CheckARMSupport()
|
|||
#define HWCAP2_SHA2 (1 << 3)
|
||||
#endif
|
||||
|
||||
PRBool
|
||||
GetNeonSupport()
|
||||
{
|
||||
char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON");
|
||||
if (disable_arm_neon) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
#if defined(__ARM_NEON) || defined(__ARM_NEON__)
|
||||
// Compiler generates NEON instruction as default option.
|
||||
// If no getauxval, compiler generate NEON instruction by default,
|
||||
// we should allow NOEN support.
|
||||
return PR_TRUE;
|
||||
#elif !defined(__ANDROID__)
|
||||
// Android's cpu-features.c detects features by the following logic
|
||||
//
|
||||
// - Call getauxval(AT_HWCAP)
|
||||
// - Parse /proc/self/auxv if getauxval is nothing or returns 0
|
||||
// - Parse /proc/cpuinfo if both cannot detect features
|
||||
//
|
||||
// But we don't use it for Android since Android document
|
||||
// (https://developer.android.com/ndk/guides/cpu-features) says
|
||||
// one problem with AT_HWCAP sometimes devices (Nexus 4 and emulator)
|
||||
// are mistaken for IDIV.
|
||||
if (getauxval) {
|
||||
return (getauxval(AT_HWCAP) & HWCAP_NEON);
|
||||
}
|
||||
#endif /* defined(__ARM_NEON) || defined(__ARM_NEON__) */
|
||||
return PR_FALSE;
|
||||
}
|
||||
|
||||
void
|
||||
CheckARMSupport()
|
||||
{
|
||||
char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON");
|
||||
char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
|
||||
if (getauxval) {
|
||||
// Android's cpu-features.c uses AT_HWCAP2 for newer features.
|
||||
// AT_HWCAP2 is implemented on newer devices / kernel, so we can trust
|
||||
// it since cpu-features.c doesn't have workaround / fallback.
|
||||
// Also, AT_HWCAP2 is supported by glibc 2.18+ on Linux/arm, If
|
||||
// AT_HWCAP2 isn't supported by glibc or Linux kernel, getauxval will
|
||||
// returns 0.
|
||||
long hwcaps = getauxval(AT_HWCAP2);
|
||||
arm_aes_support_ = hwcaps & HWCAP2_AES && disable_hw_aes == NULL;
|
||||
arm_pmull_support_ = hwcaps & HWCAP2_PMULL;
|
||||
arm_sha1_support_ = hwcaps & HWCAP2_SHA1;
|
||||
arm_sha2_support_ = hwcaps & HWCAP2_SHA2;
|
||||
arm_neon_support_ = hwcaps & HWCAP_NEON && disable_arm_neon == NULL;
|
||||
}
|
||||
arm_neon_support_ = GetNeonSupport();
|
||||
}
|
||||
#endif /* defined(__arm__) && !defined(__ANDROID__) */
|
||||
#endif /* defined(__arm__) */
|
||||
|
||||
// Enable when Firefox can use it.
|
||||
// Enable when Firefox can use it for Android API 16 and 17.
|
||||
// #if defined(__ANDROID__) && (defined(__arm__) || defined(__aarch64__))
|
||||
// #include <cpu-features.h>
|
||||
// void
|
||||
|
|
@ -262,7 +306,7 @@ FreeblInit(void)
|
|||
{
|
||||
#ifdef NSS_X86_OR_X64
|
||||
CheckX86CPUSupport();
|
||||
#elif (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__)
|
||||
#elif (defined(__aarch64__) || defined(__arm__))
|
||||
CheckARMSupport();
|
||||
#endif
|
||||
return PR_SUCCESS;
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ swap8b(PRUint64 value)
|
|||
return (value);
|
||||
}
|
||||
|
||||
#elif !defined(_MSC_VER)
|
||||
#elif !defined(_MSC_VER) && !__has_builtin(__builtin_bswap64)
|
||||
|
||||
PRUint64
|
||||
swap8b(PRUint64 x)
|
||||
|
|
|
|||
|
|
@ -11,6 +11,11 @@
|
|||
#include <stdlib.h>
|
||||
#include "prtypes.h"
|
||||
|
||||
/* For non-clang platform */
|
||||
#ifndef __has_builtin
|
||||
#define __has_builtin(x) 0
|
||||
#endif
|
||||
|
||||
/* Unfortunately this isn't always set when it should be. */
|
||||
#if defined(HAVE_LONG_LONG)
|
||||
|
||||
|
|
@ -29,11 +34,16 @@
|
|||
/*
|
||||
* FREEBL_HTONLL(x): swap bytes in a 64-bit integer.
|
||||
*/
|
||||
#if defined(IS_LITTLE_ENDIAN)
|
||||
#if defined(_MSC_VER)
|
||||
|
||||
#pragma intrinsic(_byteswap_uint64)
|
||||
#define FREEBL_HTONLL(x) _byteswap_uint64(x)
|
||||
|
||||
#elif __has_builtin(__builtin_bswap64)
|
||||
|
||||
#define FREEBL_HTONLL(x) __builtin_bswap64(x)
|
||||
|
||||
#elif defined(__GNUC__) && (defined(__x86_64__) || defined(__x86_64))
|
||||
|
||||
PRUint64 swap8b(PRUint64 value);
|
||||
|
|
@ -48,4 +58,8 @@ PRUint64 swap8b(PRUint64 x);
|
|||
|
||||
#endif /* _MSC_VER */
|
||||
|
||||
#endif /* HAVE_LONG_LONG */
|
||||
#else /* IS_LITTLE_ENDIAN */
|
||||
#define FREEBL_HTONLL(x) (x)
|
||||
#endif
|
||||
|
||||
#endif /* HAVE_LONG_LONG */
|
||||
|
|
|
|||
|
|
@ -76,11 +76,11 @@
|
|||
'__SSSE3__',
|
||||
],
|
||||
}],
|
||||
[ 'OS=="android"', {
|
||||
# On Android we can't use any of the hardware acceleration :(
|
||||
'defines!': [
|
||||
'__ARM_NEON__',
|
||||
'__ARM_NEON',
|
||||
[ 'target_arch=="arm"', {
|
||||
# Gecko doesn't support non-NEON platform on Android, but tier-3
|
||||
# platform such as Linux/arm will need it
|
||||
'cflags_mozilla': [
|
||||
'-mfpu=neon'
|
||||
],
|
||||
}],
|
||||
],
|
||||
|
|
|
|||
|
|
@ -1145,3 +1145,9 @@ HASH_GetHashOidTagByHashType;
|
|||
;+ local:
|
||||
;+ *;
|
||||
;+};
|
||||
;+NSS_3.44 { # NSS 3.44 release
|
||||
;+ global:
|
||||
CERT_GetCertificateDer;
|
||||
;+ local:
|
||||
;+ *;
|
||||
;+};
|
||||
|
|
|
|||
|
|
@ -22,12 +22,12 @@
|
|||
* The format of the version string should be
|
||||
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
|
||||
*/
|
||||
#define NSS_VERSION "3.43" _NSS_CUSTOMIZED
|
||||
#define NSS_VERSION "3.44" _NSS_CUSTOMIZED " Beta"
|
||||
#define NSS_VMAJOR 3
|
||||
#define NSS_VMINOR 43
|
||||
#define NSS_VMINOR 44
|
||||
#define NSS_VPATCH 0
|
||||
#define NSS_VBUILD 0
|
||||
#define NSS_BETA PR_FALSE
|
||||
#define NSS_BETA PR_TRUE
|
||||
|
||||
#ifndef RC_INVOKED
|
||||
|
||||
|
|
|
|||
|
|
@ -492,14 +492,16 @@ typedef struct {
|
|||
static SECStatus
|
||||
collect_certs(void *arg, SECItem **certs, int numcerts)
|
||||
{
|
||||
SECStatus rv;
|
||||
collect_args *collectArgs;
|
||||
|
||||
collectArgs = (collect_args *)arg;
|
||||
|
||||
rv = SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);
|
||||
|
||||
return (rv);
|
||||
collect_args *collectArgs = (collect_args *)arg;
|
||||
if (!collectArgs || !collectArgs->arena) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
if (numcerts < 1 || !certs || !*certs) {
|
||||
PORT_SetError(SEC_ERROR_BAD_DER);
|
||||
return SECFailure;
|
||||
}
|
||||
return SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
|||
|
|
@ -858,7 +858,6 @@ sdb_FindObjectsFinal(SDB *sdb, SDBFind *sdbFind)
|
|||
return sdb_mapSQLError(sdb_p->type, sqlerr);
|
||||
}
|
||||
|
||||
static const char GET_ATTRIBUTE_CMD[] = "SELECT ALL %s FROM %s WHERE id=$ID;";
|
||||
CK_RV
|
||||
sdb_GetAttributeValueNoLock(SDB *sdb, CK_OBJECT_HANDLE object_id,
|
||||
CK_ATTRIBUTE *template, CK_ULONG count)
|
||||
|
|
@ -866,8 +865,6 @@ sdb_GetAttributeValueNoLock(SDB *sdb, CK_OBJECT_HANDLE object_id,
|
|||
SDBPrivate *sdb_p = sdb->private;
|
||||
sqlite3 *sqlDB = NULL;
|
||||
sqlite3_stmt *stmt = NULL;
|
||||
char *getStr = NULL;
|
||||
char *newStr = NULL;
|
||||
const char *table = NULL;
|
||||
int sqlerr = SQLITE_OK;
|
||||
CK_RV error = CKR_OK;
|
||||
|
|
@ -875,55 +872,74 @@ sdb_GetAttributeValueNoLock(SDB *sdb, CK_OBJECT_HANDLE object_id,
|
|||
int retry = 0;
|
||||
unsigned int i;
|
||||
|
||||
if (count == 0) {
|
||||
error = CKR_OBJECT_HANDLE_INVALID;
|
||||
goto loser;
|
||||
}
|
||||
|
||||
/* open a new db if necessary */
|
||||
error = sdb_openDBLocal(sdb_p, &sqlDB, &table);
|
||||
if (error != CKR_OK) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
char *columns = NULL;
|
||||
for (i = 0; i < count; i++) {
|
||||
getStr = sqlite3_mprintf("a%x", template[i].type);
|
||||
|
||||
if (getStr == NULL) {
|
||||
char *newColumns;
|
||||
if (columns) {
|
||||
newColumns = sqlite3_mprintf("%s, a%x", columns, template[i].type);
|
||||
sqlite3_free(columns);
|
||||
columns = NULL;
|
||||
} else {
|
||||
newColumns = sqlite3_mprintf("a%x", template[i].type);
|
||||
}
|
||||
if (!newColumns) {
|
||||
error = CKR_HOST_MEMORY;
|
||||
goto loser;
|
||||
}
|
||||
columns = newColumns;
|
||||
}
|
||||
if (!columns) {
|
||||
error = CKR_OBJECT_HANDLE_INVALID;
|
||||
goto loser;
|
||||
}
|
||||
|
||||
newStr = sqlite3_mprintf(GET_ATTRIBUTE_CMD, getStr, table);
|
||||
sqlite3_free(getStr);
|
||||
getStr = NULL;
|
||||
if (newStr == NULL) {
|
||||
error = CKR_HOST_MEMORY;
|
||||
goto loser;
|
||||
char *statement = sqlite3_mprintf("SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;",
|
||||
columns, table);
|
||||
sqlite3_free(columns);
|
||||
columns = NULL;
|
||||
if (!statement) {
|
||||
error = CKR_HOST_MEMORY;
|
||||
goto loser;
|
||||
}
|
||||
|
||||
sqlerr = sqlite3_prepare_v2(sqlDB, statement, -1, &stmt, NULL);
|
||||
sqlite3_free(statement);
|
||||
statement = NULL;
|
||||
if (sqlerr != SQLITE_OK) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
// NB: indices in sqlite3_bind_int are 1-indexed
|
||||
sqlerr = sqlite3_bind_int(stmt, 1, object_id);
|
||||
if (sqlerr != SQLITE_OK) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
do {
|
||||
sqlerr = sqlite3_step(stmt);
|
||||
if (sqlerr == SQLITE_BUSY) {
|
||||
PR_Sleep(SDB_BUSY_RETRY_TIME);
|
||||
}
|
||||
|
||||
sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL);
|
||||
sqlite3_free(newStr);
|
||||
newStr = NULL;
|
||||
if (sqlerr == SQLITE_ERROR) {
|
||||
template[i].ulValueLen = -1;
|
||||
error = CKR_ATTRIBUTE_TYPE_INVALID;
|
||||
continue;
|
||||
} else if (sqlerr != SQLITE_OK) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
sqlerr = sqlite3_bind_int(stmt, 1, object_id);
|
||||
if (sqlerr != SQLITE_OK) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
do {
|
||||
sqlerr = sqlite3_step(stmt);
|
||||
if (sqlerr == SQLITE_BUSY) {
|
||||
PR_Sleep(SDB_BUSY_RETRY_TIME);
|
||||
}
|
||||
if (sqlerr == SQLITE_ROW) {
|
||||
if (sqlerr == SQLITE_ROW) {
|
||||
PORT_Assert(!found);
|
||||
for (i = 0; i < count; i++) {
|
||||
unsigned int blobSize;
|
||||
const char *blobData;
|
||||
|
||||
blobSize = sqlite3_column_bytes(stmt, 0);
|
||||
blobData = sqlite3_column_blob(stmt, 0);
|
||||
// NB: indices in sqlite_column_{bytes,blob} are 0-indexed
|
||||
blobSize = sqlite3_column_bytes(stmt, i);
|
||||
blobData = sqlite3_column_blob(stmt, i);
|
||||
if (blobData == NULL) {
|
||||
template[i].ulValueLen = -1;
|
||||
error = CKR_ATTRIBUTE_TYPE_INVALID;
|
||||
|
|
@ -945,13 +961,13 @@ sdb_GetAttributeValueNoLock(SDB *sdb, CK_OBJECT_HANDLE object_id,
|
|||
PORT_Memcpy(template[i].pValue, blobData, blobSize);
|
||||
}
|
||||
template[i].ulValueLen = blobSize;
|
||||
found = 1;
|
||||
}
|
||||
} while (!sdb_done(sqlerr, &retry));
|
||||
sqlite3_reset(stmt);
|
||||
sqlite3_finalize(stmt);
|
||||
stmt = NULL;
|
||||
}
|
||||
found = 1;
|
||||
}
|
||||
} while (!sdb_done(sqlerr, &retry));
|
||||
sqlite3_reset(stmt);
|
||||
sqlite3_finalize(stmt);
|
||||
stmt = NULL;
|
||||
|
||||
loser:
|
||||
/* fix up the error if necessary */
|
||||
|
|
|
|||
|
|
@ -859,92 +859,77 @@ static CK_RV
|
|||
sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle,
|
||||
CK_OBJECT_HANDLE id, SECItem *newKey)
|
||||
{
|
||||
CK_ATTRIBUTE authAttrs[] = {
|
||||
{ CKA_MODULUS, NULL, 0 },
|
||||
{ CKA_PUBLIC_EXPONENT, NULL, 0 },
|
||||
{ CKA_CERT_SHA1_HASH, NULL, 0 },
|
||||
{ CKA_CERT_MD5_HASH, NULL, 0 },
|
||||
{ CKA_TRUST_SERVER_AUTH, NULL, 0 },
|
||||
{ CKA_TRUST_CLIENT_AUTH, NULL, 0 },
|
||||
{ CKA_TRUST_EMAIL_PROTECTION, NULL, 0 },
|
||||
{ CKA_TRUST_CODE_SIGNING, NULL, 0 },
|
||||
{ CKA_TRUST_STEP_UP_APPROVED, NULL, 0 },
|
||||
{ CKA_NSS_OVERRIDE_EXTENSIONS, NULL, 0 },
|
||||
};
|
||||
CK_ULONG authAttrCount = sizeof(authAttrs) / sizeof(CK_ATTRIBUTE);
|
||||
unsigned int i, count;
|
||||
SFTKDBHandle *keyHandle = handle;
|
||||
SDB *keyTarget = NULL;
|
||||
|
||||
id &= SFTK_OBJ_ID_MASK;
|
||||
|
||||
if (handle->type != SFTK_KEYDB_TYPE) {
|
||||
keyHandle = handle->peerDB;
|
||||
}
|
||||
|
||||
if (keyHandle == NULL) {
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
/* old DB's don't have meta data, finished with MACs */
|
||||
// Old DBs don't have metadata, so we can return early here.
|
||||
keyTarget = SFTK_GET_SDB(keyHandle);
|
||||
if ((keyTarget->sdb_flags & SDB_HAS_META) == 0) {
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
/*
|
||||
* STEP 1: find the MACed attributes of this object
|
||||
*/
|
||||
(void)sftkdb_GetAttributeValue(handle, id, authAttrs, authAttrCount);
|
||||
count = 0;
|
||||
/* allocate space for the attributes */
|
||||
for (i = 0; i < authAttrCount; i++) {
|
||||
if ((authAttrs[i].ulValueLen == -1) || (authAttrs[i].ulValueLen == 0)) {
|
||||
id &= SFTK_OBJ_ID_MASK;
|
||||
|
||||
CK_ATTRIBUTE_TYPE authAttrTypes[] = {
|
||||
CKA_MODULUS,
|
||||
CKA_PUBLIC_EXPONENT,
|
||||
CKA_CERT_SHA1_HASH,
|
||||
CKA_CERT_MD5_HASH,
|
||||
CKA_TRUST_SERVER_AUTH,
|
||||
CKA_TRUST_CLIENT_AUTH,
|
||||
CKA_TRUST_EMAIL_PROTECTION,
|
||||
CKA_TRUST_CODE_SIGNING,
|
||||
CKA_TRUST_STEP_UP_APPROVED,
|
||||
CKA_NSS_OVERRIDE_EXTENSIONS,
|
||||
};
|
||||
const CK_ULONG authAttrTypeCount = sizeof(authAttrTypes) / sizeof(authAttrTypes[0]);
|
||||
|
||||
// We don't know what attributes this object has, so we update them one at a
|
||||
// time.
|
||||
unsigned int i;
|
||||
for (i = 0; i < authAttrTypeCount; i++) {
|
||||
CK_ATTRIBUTE authAttr = { authAttrTypes[i], NULL, 0 };
|
||||
CK_RV rv = sftkdb_GetAttributeValue(handle, id, &authAttr, 1);
|
||||
if (rv != CKR_OK) {
|
||||
continue;
|
||||
}
|
||||
count++;
|
||||
authAttrs[i].pValue = PORT_ArenaAlloc(arena, authAttrs[i].ulValueLen);
|
||||
if (authAttrs[i].pValue == NULL) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* if count was zero, none were found, finished with MACs */
|
||||
if (count == 0) {
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
(void)sftkdb_GetAttributeValue(handle, id, authAttrs, authAttrCount);
|
||||
/* ignore error code, we expect some possible errors */
|
||||
|
||||
/* GetAttributeValue just verified the old macs, safe to write
|
||||
* them out then... */
|
||||
for (i = 0; i < authAttrCount; i++) {
|
||||
SECItem *signText;
|
||||
SECItem plainText;
|
||||
SECStatus rv;
|
||||
|
||||
if ((authAttrs[i].ulValueLen == -1) || (authAttrs[i].ulValueLen == 0)) {
|
||||
if ((authAttr.ulValueLen == -1) || (authAttr.ulValueLen == 0)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (authAttrs[i].ulValueLen == sizeof(CK_ULONG) &&
|
||||
sftkdb_isULONGAttribute(authAttrs[i].type)) {
|
||||
CK_ULONG value = *(CK_ULONG *)authAttrs[i].pValue;
|
||||
sftk_ULong2SDBULong(authAttrs[i].pValue, value);
|
||||
authAttrs[i].ulValueLen = SDB_ULONG_SIZE;
|
||||
authAttr.pValue = PORT_ArenaAlloc(arena, authAttr.ulValueLen);
|
||||
if (authAttr.pValue == NULL) {
|
||||
return CKR_HOST_MEMORY;
|
||||
}
|
||||
|
||||
plainText.data = authAttrs[i].pValue;
|
||||
plainText.len = authAttrs[i].ulValueLen;
|
||||
rv = sftkdb_SignAttribute(arena, newKey, id,
|
||||
authAttrs[i].type, &plainText, &signText);
|
||||
if (rv != SECSuccess) {
|
||||
rv = sftkdb_GetAttributeValue(handle, id, &authAttr, 1);
|
||||
if (rv != CKR_OK) {
|
||||
return rv;
|
||||
}
|
||||
if ((authAttr.ulValueLen == -1) || (authAttr.ulValueLen == 0)) {
|
||||
return CKR_GENERAL_ERROR;
|
||||
}
|
||||
rv = sftkdb_PutAttributeSignature(handle, keyTarget, id,
|
||||
authAttrs[i].type, signText);
|
||||
if (rv != SECSuccess) {
|
||||
// GetAttributeValue just verified the old macs, so it is safe to write
|
||||
// them out now.
|
||||
if (authAttr.ulValueLen == sizeof(CK_ULONG) &&
|
||||
sftkdb_isULONGAttribute(authAttr.type)) {
|
||||
CK_ULONG value = *(CK_ULONG *)authAttr.pValue;
|
||||
sftk_ULong2SDBULong(authAttr.pValue, value);
|
||||
authAttr.ulValueLen = SDB_ULONG_SIZE;
|
||||
}
|
||||
SECItem *signText;
|
||||
SECItem plainText;
|
||||
plainText.data = authAttr.pValue;
|
||||
plainText.len = authAttr.ulValueLen;
|
||||
if (sftkdb_SignAttribute(arena, newKey, id, authAttr.type, &plainText,
|
||||
&signText) != SECSuccess) {
|
||||
return CKR_GENERAL_ERROR;
|
||||
}
|
||||
if (sftkdb_PutAttributeSignature(handle, keyTarget, id, authAttr.type,
|
||||
signText) != SECSuccess) {
|
||||
return CKR_GENERAL_ERROR;
|
||||
}
|
||||
}
|
||||
|
|
@ -956,110 +941,64 @@ static CK_RV
|
|||
sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
|
||||
CK_OBJECT_HANDLE id, SECItem *newKey)
|
||||
{
|
||||
CK_RV crv = CKR_OK;
|
||||
CK_RV crv2;
|
||||
CK_ATTRIBUTE *first, *last;
|
||||
CK_ATTRIBUTE privAttrs[] = {
|
||||
{ CKA_VALUE, NULL, 0 },
|
||||
{ CKA_PRIVATE_EXPONENT, NULL, 0 },
|
||||
{ CKA_PRIME_1, NULL, 0 },
|
||||
{ CKA_PRIME_2, NULL, 0 },
|
||||
{ CKA_EXPONENT_1, NULL, 0 },
|
||||
{ CKA_EXPONENT_2, NULL, 0 },
|
||||
{ CKA_COEFFICIENT, NULL, 0 }
|
||||
CK_ATTRIBUTE_TYPE privAttrTypes[] = {
|
||||
CKA_VALUE,
|
||||
CKA_PRIVATE_EXPONENT,
|
||||
CKA_PRIME_1,
|
||||
CKA_PRIME_2,
|
||||
CKA_EXPONENT_1,
|
||||
CKA_EXPONENT_2,
|
||||
CKA_COEFFICIENT,
|
||||
};
|
||||
CK_ULONG privAttrCount = sizeof(privAttrs) / sizeof(CK_ATTRIBUTE);
|
||||
unsigned int i, count;
|
||||
const CK_ULONG privAttrCount = sizeof(privAttrTypes) / sizeof(privAttrTypes[0]);
|
||||
|
||||
/*
|
||||
* STEP 1. Read the old attributes in the clear.
|
||||
*/
|
||||
|
||||
/* Get the attribute sizes.
|
||||
* ignore the error code, we will have unknown attributes here */
|
||||
crv2 = sftkdb_GetAttributeValue(keydb, id, privAttrs, privAttrCount);
|
||||
|
||||
/*
|
||||
* find the valid block of attributes and fill allocate space for
|
||||
* their data */
|
||||
first = last = NULL;
|
||||
// We don't know what attributes this object has, so we update them one at a
|
||||
// time.
|
||||
unsigned int i;
|
||||
for (i = 0; i < privAttrCount; i++) {
|
||||
/* find the block of attributes that are appropriate for this
|
||||
* objects. There should only be once contiguous block, if not
|
||||
* there's an error.
|
||||
*
|
||||
* find the first and last good entry.
|
||||
*/
|
||||
if ((privAttrs[i].ulValueLen == -1) || (privAttrs[i].ulValueLen == 0)) {
|
||||
if (!first)
|
||||
continue;
|
||||
if (!last) {
|
||||
/* previous entry was last good entry */
|
||||
last = &privAttrs[i - 1];
|
||||
}
|
||||
// Read the old attribute in the clear.
|
||||
CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 };
|
||||
CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
|
||||
if (crv != CKR_OK) {
|
||||
continue;
|
||||
}
|
||||
if (!first) {
|
||||
first = &privAttrs[i];
|
||||
if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
|
||||
continue;
|
||||
}
|
||||
if (last) {
|
||||
/* OOPS, we've found another good entry beyond the end of the
|
||||
* last good entry, we need to fail here. */
|
||||
crv = CKR_GENERAL_ERROR;
|
||||
break;
|
||||
privAttr.pValue = PORT_ArenaAlloc(arena, privAttr.ulValueLen);
|
||||
if (privAttr.pValue == NULL) {
|
||||
return CKR_HOST_MEMORY;
|
||||
}
|
||||
privAttrs[i].pValue = PORT_ArenaAlloc(arena, privAttrs[i].ulValueLen);
|
||||
if (privAttrs[i].pValue == NULL) {
|
||||
crv = CKR_HOST_MEMORY;
|
||||
break;
|
||||
crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
|
||||
if (crv != CKR_OK) {
|
||||
return crv;
|
||||
}
|
||||
}
|
||||
if (first == NULL) {
|
||||
/* no valid entries found, return error based on crv2 */
|
||||
return crv2;
|
||||
}
|
||||
if (last == NULL) {
|
||||
last = &privAttrs[privAttrCount - 1];
|
||||
}
|
||||
if (crv != CKR_OK) {
|
||||
return crv;
|
||||
}
|
||||
/* read the attributes */
|
||||
count = (last - first) + 1;
|
||||
crv = sftkdb_GetAttributeValue(keydb, id, first, count);
|
||||
if (crv != CKR_OK) {
|
||||
return crv;
|
||||
}
|
||||
|
||||
/*
|
||||
* STEP 2: read the encrypt the attributes with the new key.
|
||||
*/
|
||||
for (i = 0; i < count; i++) {
|
||||
SECItem plainText;
|
||||
SECItem *result;
|
||||
SECStatus rv;
|
||||
|
||||
plainText.data = first[i].pValue;
|
||||
plainText.len = first[i].ulValueLen;
|
||||
rv = sftkdb_EncryptAttribute(arena, newKey, &plainText, &result);
|
||||
if (rv != SECSuccess) {
|
||||
if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
|
||||
return CKR_GENERAL_ERROR;
|
||||
}
|
||||
first[i].pValue = result->data;
|
||||
first[i].ulValueLen = result->len;
|
||||
/* clear our sensitive data out */
|
||||
SECItem plainText;
|
||||
SECItem *result;
|
||||
plainText.data = privAttr.pValue;
|
||||
plainText.len = privAttr.ulValueLen;
|
||||
if (sftkdb_EncryptAttribute(arena, newKey, &plainText, &result) != SECSuccess) {
|
||||
return CKR_GENERAL_ERROR;
|
||||
}
|
||||
privAttr.pValue = result->data;
|
||||
privAttr.ulValueLen = result->len;
|
||||
// Clear sensitive data.
|
||||
PORT_Memset(plainText.data, 0, plainText.len);
|
||||
|
||||
// Write the newly encrypted attributes out directly.
|
||||
CK_OBJECT_HANDLE newId = id & SFTK_OBJ_ID_MASK;
|
||||
keydb->newKey = newKey;
|
||||
crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, newId, &privAttr, 1);
|
||||
keydb->newKey = NULL;
|
||||
if (crv != CKR_OK) {
|
||||
return crv;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* STEP 3: write the newly encrypted attributes out directly
|
||||
*/
|
||||
id &= SFTK_OBJ_ID_MASK;
|
||||
keydb->newKey = newKey;
|
||||
crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, id, first, count);
|
||||
keydb->newKey = NULL;
|
||||
|
||||
return crv;
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
static CK_RV
|
||||
|
|
|
|||
|
|
@ -17,11 +17,11 @@
|
|||
* The format of the version string should be
|
||||
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
|
||||
*/
|
||||
#define SOFTOKEN_VERSION "3.43" SOFTOKEN_ECC_STRING
|
||||
#define SOFTOKEN_VERSION "3.44" SOFTOKEN_ECC_STRING " Beta"
|
||||
#define SOFTOKEN_VMAJOR 3
|
||||
#define SOFTOKEN_VMINOR 43
|
||||
#define SOFTOKEN_VMINOR 44
|
||||
#define SOFTOKEN_VPATCH 0
|
||||
#define SOFTOKEN_VBUILD 0
|
||||
#define SOFTOKEN_BETA PR_FALSE
|
||||
#define SOFTOKEN_BETA PR_TRUE
|
||||
|
||||
#endif /* _SOFTKVER_H_ */
|
||||
|
|
|
|||
|
|
@ -8625,6 +8625,45 @@ loser:
|
|||
return SECFailure;
|
||||
}
|
||||
|
||||
/* unwrap helper function to handle the case where the wrapKey doesn't wind
|
||||
* up in the correct token for the master secret */
|
||||
PK11SymKey *
|
||||
ssl_unwrapSymKey(PK11SymKey *wrapKey,
|
||||
CK_MECHANISM_TYPE wrapType, SECItem *param,
|
||||
SECItem *wrappedKey,
|
||||
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
|
||||
int keySize, CK_FLAGS keyFlags, void *pinArg)
|
||||
{
|
||||
PK11SymKey *unwrappedKey;
|
||||
|
||||
/* unwrap the master secret. */
|
||||
unwrappedKey = PK11_UnwrapSymKeyWithFlags(wrapKey, wrapType, param,
|
||||
wrappedKey, target, operation, keySize,
|
||||
keyFlags);
|
||||
if (!unwrappedKey) {
|
||||
PK11SlotInfo *targetSlot = PK11_GetBestSlot(target, pinArg);
|
||||
PK11SymKey *newWrapKey;
|
||||
|
||||
/* it's possible that we failed to unwrap because the wrapKey is in
|
||||
* a slot that can't handle target. Move the wrapKey to a slot that
|
||||
* can handle this mechanism and retry the operation */
|
||||
if (targetSlot == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
newWrapKey = PK11_MoveSymKey(targetSlot, CKA_UNWRAP, 0,
|
||||
PR_FALSE, wrapKey);
|
||||
PK11_FreeSlot(targetSlot);
|
||||
if (newWrapKey == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
unwrappedKey = PK11_UnwrapSymKeyWithFlags(newWrapKey, wrapType, param,
|
||||
wrappedKey, target, operation, keySize,
|
||||
keyFlags);
|
||||
PK11_FreeSymKey(newWrapKey);
|
||||
}
|
||||
return unwrappedKey;
|
||||
}
|
||||
|
||||
static SECStatus
|
||||
ssl3_UnwrapMasterSecretServer(sslSocket *ss, sslSessionID *sid, PK11SymKey **ms)
|
||||
{
|
||||
|
|
@ -8646,12 +8685,14 @@ ssl3_UnwrapMasterSecretServer(sslSocket *ss, sslSessionID *sid, PK11SymKey **ms)
|
|||
keyFlags = CKF_SIGN | CKF_VERIFY;
|
||||
}
|
||||
|
||||
/* unwrap the master secret. */
|
||||
*ms = PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech,
|
||||
NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
|
||||
CKA_DERIVE, SSL3_MASTER_SECRET_LENGTH, keyFlags);
|
||||
*ms = ssl_unwrapSymKey(wrapKey, sid->u.ssl3.masterWrapMech, NULL,
|
||||
&wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
|
||||
CKA_DERIVE, SSL3_MASTER_SECRET_LENGTH,
|
||||
keyFlags, ss->pkcs11PinArg);
|
||||
PK11_FreeSymKey(wrapKey);
|
||||
if (!*ms) {
|
||||
SSL_TRC(10, ("%d: SSL3[%d]: server wrapping key found, but couldn't unwrap MasterSecret. wrapMech=0x%0lx",
|
||||
SSL_GETPID(), ss->fd, sid->u.ssl3.masterWrapMech));
|
||||
return SECFailure;
|
||||
}
|
||||
return SECSuccess;
|
||||
|
|
@ -11874,7 +11915,7 @@ ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
|
|||
if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) {
|
||||
(void)ssl3_DecodeError(ss);
|
||||
PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
|
||||
return SECFailure;
|
||||
goto loser;
|
||||
}
|
||||
#undef MAX_HANDSHAKE_MSG_LEN
|
||||
|
||||
|
|
@ -11899,7 +11940,7 @@ ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
|
|||
ss->ssl3.hs.msg_len = 0;
|
||||
ss->ssl3.hs.header_bytes = 0;
|
||||
if (rv != SECSuccess) {
|
||||
return rv;
|
||||
goto loser;
|
||||
}
|
||||
} else {
|
||||
/* must be copied to msg_body and dealt with from there */
|
||||
|
|
@ -11912,7 +11953,7 @@ ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
|
|||
rv = sslBuffer_Grow(&ss->ssl3.hs.msg_body, ss->ssl3.hs.msg_len);
|
||||
if (rv != SECSuccess) {
|
||||
/* sslBuffer_Grow has set a memory error code. */
|
||||
return SECFailure;
|
||||
goto loser;
|
||||
}
|
||||
|
||||
PORT_Memcpy(ss->ssl3.hs.msg_body.buf + ss->ssl3.hs.msg_body.len,
|
||||
|
|
@ -11932,7 +11973,7 @@ ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
|
|||
ss->ssl3.hs.msg_len = 0;
|
||||
ss->ssl3.hs.header_bytes = 0;
|
||||
if (rv != SECSuccess) {
|
||||
return rv;
|
||||
goto loser;
|
||||
}
|
||||
} else {
|
||||
PORT_Assert(buf.len == 0);
|
||||
|
|
@ -11943,6 +11984,17 @@ ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
|
|||
|
||||
origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */
|
||||
return SECSuccess;
|
||||
|
||||
loser : {
|
||||
/* Make sure to remove any data that was consumed. */
|
||||
unsigned int consumed = origBuf->len - buf.len;
|
||||
PORT_Assert(consumed == buf.buf - origBuf->buf);
|
||||
if (consumed > 0) {
|
||||
memmove(origBuf->buf, origBuf->buf + consumed, buf.len);
|
||||
origBuf->len = buf.len;
|
||||
}
|
||||
}
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
/* These macros return the given value with the MSB copied to all the other
|
||||
|
|
|
|||
|
|
@ -1734,6 +1734,14 @@ SECStatus ssl_DecodeResumptionToken(sslSessionID *sid, const PRUint8 *encodedTic
|
|||
PRUint32 encodedTicketLen);
|
||||
PRBool ssl_IsResumptionTokenUsable(sslSocket *ss, sslSessionID *sid);
|
||||
|
||||
/* unwrap helper function to handle the case where the wrapKey doesn't wind
|
||||
* * up in the correct token for the master secret */
|
||||
PK11SymKey *ssl_unwrapSymKey(PK11SymKey *wrapKey,
|
||||
CK_MECHANISM_TYPE wrapType, SECItem *param,
|
||||
SECItem *wrappedKey,
|
||||
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
|
||||
int keySize, CK_FLAGS keyFlags, void *pinArg);
|
||||
|
||||
/* Remove when stable. */
|
||||
|
||||
SECStatus SSLExp_SetResumptionTokenCallback(PRFileDesc *fd,
|
||||
|
|
|
|||
|
|
@ -981,13 +981,13 @@ tls13_RecoverWrappedSharedSecret(sslSocket *ss, sslSessionID *sid)
|
|||
wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len;
|
||||
|
||||
/* unwrap the "master secret" which is actually RMS. */
|
||||
ss->ssl3.hs.resumptionMasterSecret = PK11_UnwrapSymKeyWithFlags(
|
||||
ss->ssl3.hs.resumptionMasterSecret = ssl_unwrapSymKey(
|
||||
wrapKey, sid->u.ssl3.masterWrapMech,
|
||||
NULL, &wrappedMS,
|
||||
CKM_SSL3_MASTER_KEY_DERIVE,
|
||||
CKA_DERIVE,
|
||||
tls13_GetHashSizeForHash(hashType),
|
||||
CKF_SIGN | CKF_VERIFY);
|
||||
CKF_SIGN | CKF_VERIFY, ss->pkcs11PinArg);
|
||||
PK11_FreeSymKey(wrapKey);
|
||||
if (!ss->ssl3.hs.resumptionMasterSecret) {
|
||||
return SECFailure;
|
||||
|
|
|
|||
|
|
@ -19,12 +19,12 @@
|
|||
* The format of the version string should be
|
||||
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
|
||||
*/
|
||||
#define NSSUTIL_VERSION "3.43"
|
||||
#define NSSUTIL_VERSION "3.44 Beta"
|
||||
#define NSSUTIL_VMAJOR 3
|
||||
#define NSSUTIL_VMINOR 43
|
||||
#define NSSUTIL_VMINOR 44
|
||||
#define NSSUTIL_VPATCH 0
|
||||
#define NSSUTIL_VBUILD 0
|
||||
#define NSSUTIL_BETA PR_FALSE
|
||||
#define NSSUTIL_BETA PR_TRUE
|
||||
|
||||
SEC_BEGIN_PROTOS
|
||||
|
||||
|
|
|
|||
|
|
@ -317,7 +317,7 @@ cert_create_cert()
|
|||
cert_add_cert()
|
||||
{
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
|
||||
if [ "$RET" -ne 0 ]; then
|
||||
return $RET
|
||||
|
|
@ -343,7 +343,7 @@ cert_add_cert()
|
|||
# Generate and add DSA cert
|
||||
#
|
||||
CU_ACTION="Generate DSA Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \
|
||||
-z "${R_NOISE_FILE}" -o req 2>&1
|
||||
if [ "$RET" -ne 0 ]; then
|
||||
|
|
@ -367,7 +367,7 @@ cert_add_cert()
|
|||
|
||||
# Generate DSA certificate signed with RSA
|
||||
CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \
|
||||
-z "${R_NOISE_FILE}" -o req 2>&1
|
||||
if [ "$RET" -ne 0 ]; then
|
||||
|
|
@ -398,7 +398,7 @@ cert_add_cert()
|
|||
#
|
||||
CURVE="secp384r1"
|
||||
CU_ACTION="Generate EC Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
|
||||
-z "${R_NOISE_FILE}" -o req 2>&1
|
||||
if [ "$RET" -ne 0 ]; then
|
||||
|
|
@ -422,7 +422,7 @@ cert_add_cert()
|
|||
|
||||
# Generate EC certificate signed with RSA
|
||||
CU_ACTION="Generate mixed EC Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
|
||||
-z "${R_NOISE_FILE}" -o req 2>&1
|
||||
if [ "$RET" -ne 0 ]; then
|
||||
|
|
@ -455,7 +455,7 @@ cert_add_cert()
|
|||
grep 'TestUser-rsa-pss-interop$' | sed -n 's/^<.*> [^ ]\{1,\} *\([^ ]\{1,\}\).*/\1/p'`
|
||||
|
||||
CU_ACTION="Generate RSA-PSS Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -k ${KEYID} -f "${R_PWFILE}" \
|
||||
-z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
|
|
@ -873,15 +873,15 @@ cert_smime_client()
|
|||
## call to cert_create_cert ends up creating two separate certs
|
||||
## one for Eve and another for Eve-ec but they both end up with
|
||||
## the same Subject Alt Name Extension, i.e., both the cert for
|
||||
## Eve@bogus.com and the cert for Eve-ec@bogus.com end up
|
||||
## listing eve@bogus.net in the Certificate Subject Alt Name extension.
|
||||
## Eve@example.com and the cert for Eve-ec@example.com end up
|
||||
## listing eve@example.net in the Certificate Subject Alt Name extension.
|
||||
## This can cause a problem later when cmsutil attempts to create
|
||||
## enveloped data and accidently picks up the ECC cert (NSS currently
|
||||
## does not support ECC for enveloped data creation). This script
|
||||
## avoids the problem by ensuring that these conflicting certs are
|
||||
## never added to the same cert database (see comment marked XXXX).
|
||||
echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------"
|
||||
cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com"
|
||||
cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@example.net,eve@example.org,beve@example.com"
|
||||
|
||||
#echo "************* Copying CA files to ${SERVERDIR}"
|
||||
#cp ${CADIR}/*.db .
|
||||
|
|
@ -891,7 +891,7 @@ cert_smime_client()
|
|||
#
|
||||
#cd ${CERTDIR}
|
||||
#CU_ACTION="Creating ${CERTNAME}'s Server Cert"
|
||||
#CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
|
||||
#CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
|
||||
#certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \
|
||||
# -d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
|
||||
|
||||
|
|
@ -975,7 +975,7 @@ cert_extended_ssl()
|
|||
modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request (ext)"
|
||||
|
|
@ -995,7 +995,7 @@ cert_extended_ssl()
|
|||
# Repeat the above for DSA certs
|
||||
#
|
||||
CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
|
||||
-z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
|
|
@ -1017,7 +1017,7 @@ cert_extended_ssl()
|
|||
# Repeat again for mixed DSA certs
|
||||
#
|
||||
CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
|
||||
-z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
|
|
@ -1040,7 +1040,7 @@ cert_extended_ssl()
|
|||
#
|
||||
EC_CURVE="secp256r1"
|
||||
CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
|
||||
-z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
|
|
@ -1063,7 +1063,7 @@ cert_extended_ssl()
|
|||
#
|
||||
EC_CURVE="secp256r1"
|
||||
CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
|
||||
-z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
|
|
@ -1124,7 +1124,7 @@ cert_extended_ssl()
|
|||
modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME (ext)"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \
|
||||
-o req 2>&1
|
||||
|
||||
|
|
@ -1144,7 +1144,7 @@ cert_extended_ssl()
|
|||
# Repeat the above for DSA certs
|
||||
#
|
||||
CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
|
||||
-z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
|
|
@ -1167,7 +1167,7 @@ cert_extended_ssl()
|
|||
# Repeat the above for mixed DSA certs
|
||||
#
|
||||
CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \
|
||||
-z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
|
|
@ -1191,7 +1191,7 @@ cert_extended_ssl()
|
|||
# Repeat the above for EC certs
|
||||
#
|
||||
CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
|
||||
-z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
|
|
@ -1214,7 +1214,7 @@ cert_extended_ssl()
|
|||
# Repeat the above for mixed EC certs
|
||||
#
|
||||
CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
|
||||
-z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
|
|
@ -1387,7 +1387,7 @@ MODSCRIPT
|
|||
RETEXPECTED=0
|
||||
|
||||
CU_ACTION="Generate Certificate for ${CERTNAME}"
|
||||
CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=${CERTNAME}, E=fips@example.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US"
|
||||
certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
|
||||
if [ "$RET" -eq 0 ]; then
|
||||
cert_log "SUCCESS: FIPS passed"
|
||||
|
|
@ -1439,7 +1439,7 @@ cert_eccurves()
|
|||
CERTNAME="Curve-${CURVE}"
|
||||
CERTSERIAL=`expr $CERTSERIAL + 1 `
|
||||
CU_ACTION="Generate EC Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
|
||||
-z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
|
|
@ -1464,7 +1464,7 @@ cert_extensions_test()
|
|||
{
|
||||
COUNT=`expr ${COUNT} + 1`
|
||||
CERTNAME=TestExt${COUNT}
|
||||
CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
|
||||
echo
|
||||
echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \
|
||||
|
|
@ -2026,7 +2026,7 @@ cert_test_password()
|
|||
|
||||
# finally make sure we can use the old key with the new password
|
||||
CU_ACTION="Generate Certificate for ${CERTNAME} with new password"
|
||||
CU_SUBJECT="CN=${CERTNAME}, E=password@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=${CERTNAME}, E=password@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -S -n PasswordCert -c PasswordCA -t "u,u,u" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -z "${R_NOISE_FILE}" 2>&1
|
||||
if [ "$RET" -eq 0 ]; then
|
||||
cert_log "SUCCESS: PASSWORD passed"
|
||||
|
|
@ -2055,7 +2055,7 @@ cert_test_distrust()
|
|||
certu -M -n "Distrusted" -t p,p,p -d ${PROFILEDIR} -f "${R_PWFILE}" 2>&1
|
||||
echo "$SCRIPTNAME: Creating Distrusted Intermediate"
|
||||
CERTNAME="DistrustedCA"
|
||||
ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
cert_CA ${CADIR} "${CERTNAME}" "-c TestCA" ",," ${D_CA} 2010 2>&1
|
||||
CU_ACTION="Import Distrusted Intermediate"
|
||||
certu -A -n "${CERTNAME}" -t "p,p,p" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
|
||||
|
|
@ -2065,7 +2065,7 @@ cert_test_distrust()
|
|||
# since it's not signed by TestCA it requires more steps.
|
||||
CU_ACTION="Generate Cert Request for Leaf Chained to Distrusted CA"
|
||||
CERTNAME="LeafChainedToDistrustedCA"
|
||||
CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
|
|
@ -2205,7 +2205,7 @@ cert_test_rsapss()
|
|||
CERTNAME="TestUser-rsa-pss1"
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
|
|
@ -2236,7 +2236,7 @@ EOF
|
|||
CERTNAME="TestUser-rsa-pss2"
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
|
|
@ -2267,7 +2267,7 @@ EOF
|
|||
CERTNAME="TestUser-rsa-pss3"
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
|
|
@ -2298,7 +2298,7 @@ EOF
|
|||
CERTNAME="TestUser-rsa-pss4"
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
|
|
@ -2329,7 +2329,7 @@ EOF
|
|||
CERTNAME="TestUser-rsa-pss5"
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
|
|
@ -2360,7 +2360,7 @@ EOF
|
|||
CERTNAME="TestUser-rsa-pss6"
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
|
|
@ -2392,7 +2392,7 @@ EOF
|
|||
CERTNAME="TestUser-rsa-pss7"
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
|
|
@ -2409,7 +2409,7 @@ EOF
|
|||
CERTNAME="TestUser-rsa-pss8"
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
|
|
@ -2440,7 +2440,7 @@ EOF
|
|||
CERTNAME="TestUser-rsa-pss9"
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
|
|
@ -2471,7 +2471,7 @@ EOF
|
|||
CERTNAME="TestUser-rsa-pss10"
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
|
|
@ -2503,7 +2503,7 @@ EOF
|
|||
CERTNAME="TestUser-rsa-pss11"
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
|
|
@ -2571,7 +2571,7 @@ cert_test_rsapss_policy()
|
|||
# Issuer certificate: RSA
|
||||
# Signature: RSA-PSS (explicit, with --pss-sign and -Z SHA1)
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
|
|
|
|||
|
|
@ -47,11 +47,12 @@ make_cert() {
|
|||
rsa_ca_rsapss_chain) type_args=(-g 1024 --pss-sign);sign=(-c rsa_ca);type=rsa;;
|
||||
ecdh_rsa) type_args=(-q nistp256);sign=(-c rsa_ca);type=ec ;;
|
||||
esac
|
||||
msg="create certificate: $@"
|
||||
shift 2
|
||||
counter=$(($counter + 1))
|
||||
certscript $@ | ${BINDIR}/certutil -S \
|
||||
-z ${R_NOISE_FILE} -d "${PROFILEDIR}" \
|
||||
-z "$R_NOISE_FILE" -d "$PROFILEDIR" \
|
||||
-n $name -s "CN=$name" -t "$trust" "${sign[@]}" -m "$counter" \
|
||||
-w -2 -v 120 -k "$type" "${type_args[@]}" "${sighash[@]}" -1 -2
|
||||
html_msg $? 0 "create certificate: $@"
|
||||
html_msg $? 0 "$msg"
|
||||
}
|
||||
|
|
|
|||
|
|
@ -58,12 +58,12 @@ crmf_init()
|
|||
crmf_main()
|
||||
{
|
||||
echo "$SCRIPTNAME: CRMF/CMMF Tests ------------------------------"
|
||||
echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode"
|
||||
${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode
|
||||
echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@example.com -s TestCA -P nss crmf decode"
|
||||
${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@example.com -s TestCA -P nss crmf decode
|
||||
html_msg $? 0 "CRMF test" "."
|
||||
|
||||
echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf"
|
||||
${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf
|
||||
echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@example.com -s TestCA -P nss cmmf"
|
||||
${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@example.com -s TestCA -P nss cmmf
|
||||
html_msg $? 0 "CMMF test" "."
|
||||
|
||||
# Add tests for key recovery and challange as crmftest's capabilities increase
|
||||
|
|
|
|||
|
|
@ -23,6 +23,7 @@
|
|||
gtest_init()
|
||||
{
|
||||
cd "$(dirname "$1")"
|
||||
pwd
|
||||
SOURCE_DIR="$PWD"/../..
|
||||
if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
|
||||
cd ../common
|
||||
|
|
@ -30,11 +31,14 @@ gtest_init()
|
|||
fi
|
||||
|
||||
SCRIPTNAME=gtests.sh
|
||||
. "${QADIR}"/common/certsetup.sh
|
||||
|
||||
if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
|
||||
CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
|
||||
fi
|
||||
|
||||
mkdir -p "${GTESTDIR}"
|
||||
cd "${GTESTDIR}"
|
||||
}
|
||||
|
||||
########################## gtest_start #############################
|
||||
|
|
@ -48,20 +52,22 @@ gtest_start()
|
|||
html_unknown "Skipping $i (not built)"
|
||||
continue
|
||||
fi
|
||||
GTESTDIR="${HOSTDIR}/$i"
|
||||
DIR="${GTESTDIR}/$i"
|
||||
html_head "$i"
|
||||
if [ ! -d "$GTESTDIR" ]; then
|
||||
mkdir -p "$GTESTDIR"
|
||||
echo "${BINDIR}/certutil" -N -d "$GTESTDIR" --empty-password 2>&1
|
||||
"${BINDIR}/certutil" -N -d "$GTESTDIR" --empty-password 2>&1
|
||||
if [ ! -d "$DIR" ]; then
|
||||
mkdir -p "$DIR"
|
||||
echo "${BINDIR}/certutil" -N -d "$DIR" --empty-password 2>&1
|
||||
"${BINDIR}/certutil" -N -d "$DIR" --empty-password 2>&1
|
||||
|
||||
PROFILEDIR="$DIR" make_cert dummy p256 sign
|
||||
fi
|
||||
cd "$GTESTDIR"
|
||||
GTESTREPORT="$GTESTDIR/report.xml"
|
||||
PARSED_REPORT="$GTESTDIR/report.parsed"
|
||||
pushd "$DIR"
|
||||
GTESTREPORT="$DIR/report.xml"
|
||||
PARSED_REPORT="$DIR/report.parsed"
|
||||
echo "executing $i"
|
||||
"${BINDIR}/$i" "${SOURCE_DIR}/gtests/freebl_gtest/kat/Hash_DRBG.rsp" \
|
||||
-d "$GTESTDIR" -w --gtest_output=xml:"${GTESTREPORT}" \
|
||||
--gtest_filter="${GTESTFILTER:-*}"
|
||||
-d "$DIR" -w --gtest_output=xml:"${GTESTREPORT}" \
|
||||
--gtest_filter="${GTESTFILTER:-*}"
|
||||
html_msg $? 0 "$i run successfully"
|
||||
echo "test output dir: ${GTESTREPORT}"
|
||||
echo "executing sed to parse the xml report"
|
||||
|
|
@ -76,14 +82,14 @@ gtest_start()
|
|||
html_failed_ignore_core "$name"
|
||||
fi
|
||||
done
|
||||
popd
|
||||
done
|
||||
}
|
||||
|
||||
gtest_cleanup()
|
||||
{
|
||||
html "</TABLE><BR>"
|
||||
cd "${QADIR}"
|
||||
. common/cleanup.sh
|
||||
. "${QADIR}"/common/cleanup.sh
|
||||
}
|
||||
|
||||
################## main #################################################
|
||||
|
|
|
|||
|
|
@ -252,7 +252,7 @@ download_install_certs() {
|
|||
CERTNAME=$HOSTADDR
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, \
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, \
|
||||
L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\
|
||||
-o $sslServerDir/req 2>&1
|
||||
|
|
|
|||
|
|
@ -116,7 +116,7 @@ createSignedCert() {
|
|||
|
||||
echo Creating cert $certName-$keyType with SN=$certSN
|
||||
|
||||
CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
repAndExec \
|
||||
certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \
|
||||
-k $keyType -o $dir/req 2>&1
|
||||
|
|
@ -267,7 +267,7 @@ generateAndExportCACert() {
|
|||
|
||||
certName=TestCA
|
||||
[ "$caName" ] && certName=$caName
|
||||
CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
repAndExec \
|
||||
certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \
|
||||
-f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 <<EOF
|
||||
|
|
|
|||
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
|
@ -26,9 +26,9 @@ n
|
|||
n
|
||||
CERTSCRIPT
|
||||
|
||||
certutil -S -z noise -g 1024 -d . -n u50 -s "CN=TestUser50,E=TestUser50@bogus.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 50 -v 598
|
||||
certutil -S -z noise -g 1024 -d . -n u50 -s "CN=TestUser50,E=TestUser50@example.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 50 -v 598
|
||||
|
||||
certutil -S -z noise -g 1024 -d . -n u51 -s "CN=TestUser51,E=TestUser51@bogus.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 51 -v 598
|
||||
certutil -S -z noise -g 1024 -d . -n u51 -s "CN=TestUser51,E=TestUser51@example.com,O=BOGUS NSS,L=Mountain View,ST=California,C=US" -t ,, -c ca -m 51 -v 598
|
||||
|
||||
certutil -d . -L -n ca -r > TestCA.ca.cert
|
||||
certutil -d . -L -n u50 -r > TestUser50.cert
|
||||
|
|
|
|||
BIN
security/nss/tests/libpkix/certs/nss2alice
Executable file → Normal file
BIN
security/nss/tests/libpkix/certs/nss2alice
Executable file → Normal file
Binary file not shown.
|
|
@ -1,6 +1,6 @@
|
|||
Date: Wed, 20 Sep 2000 00:00:01 -0700 (PDT)
|
||||
From: bob@bogus.com
|
||||
From: bob@example.com
|
||||
Subject: message Bob --> Alice
|
||||
To: alice@bogus.com
|
||||
To: alice@example.com
|
||||
|
||||
This is a test message from Bob to Alice.
|
||||
|
|
|
|||
|
|
@ -107,8 +107,8 @@ cms_sign()
|
|||
}
|
||||
|
||||
header_mime_from_to_subject="MIME-Version: 1.0
|
||||
From: Alice@bogus.com
|
||||
To: Bob@bogus.com
|
||||
From: Alice@example.com
|
||||
To: Bob@example.com
|
||||
Subject: "
|
||||
|
||||
header_opaque_signed="Content-Type: application/pkcs7-mime; name=smime.p7m;
|
||||
|
|
@ -167,7 +167,7 @@ mime_init()
|
|||
|
||||
smime_enveloped()
|
||||
{
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i tb/alice.mime -d ${P_R_ALICEDIR} -p nss -o tb/alice.mime.env
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@example.com -i tb/alice.mime -d ${P_R_ALICEDIR} -p nss -o tb/alice.mime.env
|
||||
|
||||
OUT="tb/alice.env.eml"
|
||||
echo -n "${header_mime_from_to_subject}" >>${OUT}
|
||||
|
|
@ -191,7 +191,7 @@ smime_signed_enveloped()
|
|||
cat tb/alice.mime.d${SIG} | ${BINDIR}/btoa | sed 's/\r$//' >>${OUT}
|
||||
echo "${multipart_end}" >>${OUT}
|
||||
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i ${OUT} -d ${P_R_ALICEDIR} -p nss -o ${OUT}.env
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@example.com -i ${OUT} -d ${P_R_ALICEDIR} -p nss -o ${OUT}.env
|
||||
|
||||
OUT="tb/alice.d${SIG}.multipart.eml"
|
||||
echo -n "${header_mime_from_to_subject}" >>${OUT}
|
||||
|
|
@ -213,7 +213,7 @@ smime_signed_enveloped()
|
|||
echo "$header_opaque_signed" >>${OUT}
|
||||
cat tb/alice.textplain.${SIG} | ${BINDIR}/btoa | sed 's/\r$//' >>${OUT}
|
||||
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i ${OUT} -d ${P_R_ALICEDIR} -p nss -o ${OUT}.env
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@example.com -i ${OUT} -d ${P_R_ALICEDIR} -p nss -o ${OUT}.env
|
||||
|
||||
OUT="tb/alice.${SIG}.opaque.eml"
|
||||
echo -n "${header_mime_from_to_subject}" >>${OUT}
|
||||
|
|
@ -301,9 +301,9 @@ smime_main()
|
|||
smime_signed_enveloped
|
||||
|
||||
echo "$SCRIPTNAME: Enveloped Data Tests ------------------------------"
|
||||
echo "cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\"
|
||||
echo "cmsutil -E -r bob@example.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\"
|
||||
echo " -o alice.env"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@example.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env
|
||||
html_msg $? 0 "Create Enveloped Data Alice" "."
|
||||
|
||||
echo "cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1"
|
||||
|
|
@ -317,23 +317,23 @@ smime_main()
|
|||
# multiple recip
|
||||
echo "$SCRIPTNAME: Testing multiple recipients ------------------------------"
|
||||
echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \\"
|
||||
echo " -r bob@bogus.com,dave@bogus.com"
|
||||
echo " -r bob@example.com,dave@example.com"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \
|
||||
-r bob@bogus.com,dave@bogus.com
|
||||
-r bob@example.com,dave@example.com
|
||||
ret=$?
|
||||
html_msg $ret 0 "Create Multiple Recipients Enveloped Data Alice" "."
|
||||
if [ $ret != 0 ] ; then
|
||||
echo "certutil -L -d ${P_R_ALICEDIR}"
|
||||
${BINDIR}/certutil -L -d ${P_R_ALICEDIR}
|
||||
echo "certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com"
|
||||
${BINDIR}/certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com
|
||||
echo "certutil -L -d ${P_R_ALICEDIR} -n dave@example.com"
|
||||
${BINDIR}/certutil -L -d ${P_R_ALICEDIR} -n dave@example.com
|
||||
fi
|
||||
|
||||
echo "$SCRIPTNAME: Testing multiple email addrs ------------------------------"
|
||||
echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \\"
|
||||
echo " -r eve@bogus.net"
|
||||
echo " -r eve@example.net"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \
|
||||
-r eve@bogus.net
|
||||
-r eve@example.net
|
||||
ret=$?
|
||||
html_msg $ret 0 "Encrypt to a Multiple Email cert" "."
|
||||
|
||||
|
|
@ -359,9 +359,9 @@ smime_main()
|
|||
html_msg $? 0 "Compare Decoded with Multiple Email cert" "."
|
||||
|
||||
echo "$SCRIPTNAME: Sending CERTS-ONLY Message ------------------------------"
|
||||
echo "cmsutil -O -r \"Alice,bob@bogus.com,dave@bogus.com\" \\"
|
||||
echo "cmsutil -O -r \"Alice,bob@example.com,dave@example.com\" \\"
|
||||
echo " -d ${P_R_ALICEDIR} > co.der"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -O -r "Alice,bob@bogus.com,dave@bogus.com" -d ${P_R_ALICEDIR} > co.der
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -O -r "Alice,bob@example.com,dave@example.com" -d ${P_R_ALICEDIR} > co.der
|
||||
html_msg $? 0 "Create Certs-Only Alice" "."
|
||||
|
||||
echo "cmsutil -D -i co.der -d ${P_R_BOBDIR}"
|
||||
|
|
@ -370,9 +370,9 @@ smime_main()
|
|||
|
||||
echo "$SCRIPTNAME: Encrypted-Data Message ---------------------------------"
|
||||
echo "cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \\"
|
||||
echo " -r \"bob@bogus.com\" > alice.enc"
|
||||
echo " -r \"bob@example.com\" > alice.enc"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \
|
||||
-r "bob@bogus.com" > alice.enc
|
||||
-r "bob@example.com" > alice.enc
|
||||
html_msg $? 0 "Create Encrypted-Data" "."
|
||||
|
||||
echo "cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss \\"
|
||||
|
|
|
|||
Loading…
Reference in a new issue