cherry-picked mozilla NSS upstream changes (to rev b07697c94038, which is on par with 3.16.2):

bug753136, bug999893, bug1011090, bug1009785, bug1009794, bug421391, bug1011229, bug1013088, bug996237, bug970539, bug1016567, bug485732, bug334013, bug959864, bug1016836, bug1016811, bug1018536, bug996250, bug1009227, bug963150, bug1007126, bug952572, bug1021102, bug1020395, bug902171
Roy Tam 2018-07-11 20:39:02 +08:00 committed by roytam1
parent 30d33aa8e8
commit 5f6fb75167
80 changed files with 5073 additions and 4215 deletions


@ -92,6 +92,10 @@ static void Usage(char *progName)
"-i input"); "-i input");
fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n", fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
"-o output"); "-o output");
fprintf(stderr, "%-20s Wrap output in BEGIN/END lines and the given suffix\n",
"-w suffix");
fprintf(stderr, "%-20s (use \"c\" as a shortcut for suffix CERTIFICATE)\n",
"");
exit(-1); exit(-1);
} }
@ -102,6 +106,7 @@ int main(int argc, char **argv)
FILE *inFile, *outFile; FILE *inFile, *outFile;
PLOptState *optstate; PLOptState *optstate;
PLOptStatus status; PLOptStatus status;
char *suffix = NULL;
inFile = 0; inFile = 0;
outFile = 0; outFile = 0;
@ -111,7 +116,7 @@ int main(int argc, char **argv)
progName = progName ? progName+1 : argv[0]; progName = progName ? progName+1 : argv[0];
/* Parse command line arguments */ /* Parse command line arguments */
optstate = PL_CreateOptState(argc, argv, "i:o:"); optstate = PL_CreateOptState(argc, argv, "i:o:w:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) { switch (optstate->option) {
default: default:
@ -135,6 +140,13 @@ int main(int argc, char **argv)
return -1; return -1;
} }
break; break;
case 'w':
if (!strcmp(optstate->value, "c"))
suffix = strdup("CERTIFICATE");
else
suffix = strdup(optstate->value);
break;
} }
} }
if (status == PL_OPT_BAD) if (status == PL_OPT_BAD)
@ -171,11 +183,17 @@ int main(int argc, char **argv)
#endif #endif
outFile = stdout; outFile = stdout;
} }
if (suffix) {
fprintf(outFile, "-----BEGIN %s-----\n", suffix);
}
rv = encode_file(outFile, inFile); rv = encode_file(outFile, inFile);
if (rv != SECSuccess) { if (rv != SECSuccess) {
fprintf(stderr, "%s: lossage: error=%d errno=%d\n", fprintf(stderr, "%s: lossage: error=%d errno=%d\n",
progName, PORT_GetError(), errno); progName, PORT_GetError(), errno);
return -1; return -1;
} }
if (suffix) {
fprintf(outFile, "-----END %s-----\n", suffix);
}
return 0; return 0;
} }
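Review bot: The two `strdup()` calls in the new `case 'w':` branch of main are not checked, so an allocation failure leaves `suffix` NULL; the tool then writes the base64 body with no BEGIN/END lines and still returns 0. A check after the option loop, such as `if (wrapRequested && !suffix) { fprintf(stderr, "%s: out of memory\n", progName); return -1; }` (with a flag set in the `'w'` case), would make that failure visible. Separately, when `encode_file` fails the BEGIN line has already been written and no END line follows, so a consumer of the partial output sees an unterminated block; a comment at that `return -1` should say whether this is intended. Only part of main is visible in these hunks.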


@ -27,6 +27,8 @@
#include "xconst.h" #include "xconst.h"
#include "prprf.h" #include "prprf.h"
#include "certutil.h" #include "certutil.h"
#include "genname.h"
#include "prnetdb.h"
#define GEN_BREAK(e) rv=e; break; #define GEN_BREAK(e) rv=e; break;
@ -665,53 +667,213 @@ AddNscpCertType (void *extHandle, const char *userSuppliedValue)
} }
SECStatus
GetOidFromString(PLArenaPool *arena, SECItem *to,
const char *from, size_t fromLen)
{
SECStatus rv;
SECOidTag tag;
SECOidData *coid;
/* try dotted form first */
rv = SEC_StringToOID(arena, to, from, fromLen);
if (rv == SECSuccess) {
return rv;
}
/* Check to see if it matches a name in our oid table.
* SECOID_FindOIDByTag returns NULL if tag is out of bounds.
*/
tag = SEC_OID_UNKNOWN;
coid = SECOID_FindOIDByTag(tag);
for ( ; coid; coid = SECOID_FindOIDByTag(++tag)) {
if (PORT_Strncasecmp(from, coid->desc, fromLen) == 0) {
break;
}
}
if (coid == NULL) {
/* none found */
return SECFailure;
}
return SECITEM_CopyItem(arena, to, &coid->oid);
}
static SECStatus static SECStatus
AddSubjectAltNames(PLArenaPool *arena, CERTGeneralName **existingListp, AddSubjectAltNames(PLArenaPool *arena, CERTGeneralName **existingListp,
const char *names, CERTGeneralNameType type) const char *constNames, CERTGeneralNameType type)
{ {
CERTGeneralName *nameList = NULL; CERTGeneralName *nameList = NULL;
CERTGeneralName *current = NULL; CERTGeneralName *current = NULL;
PRCList *prev = NULL; PRCList *prev = NULL;
const char *cp; char *cp, *nextName = NULL;
char *tbuf;
SECStatus rv = SECSuccess; SECStatus rv = SECSuccess;
PRBool readTypeFromName = (PRBool) (type == 0);
char *names = NULL;
if (constNames)
names = PORT_Strdup(constNames);
if (names == NULL) {
return SECFailure;
}
/* /*
* walk down the comma separated list of names. NOTE: there is * walk down the comma separated list of names. NOTE: there is
* no sanity checks to see if the email address look like * no sanity checks to see if the email address look like
* email addresses. * email addresses.
*
* Each name may optionally be prefixed with a type: string.
* If it isn't, the type from the previous name will be used.
* If there wasn't a previous name yet, the type given
* as a parameter to this function will be used.
* If the type value is zero (undefined), we'll fail.
*/ */
for (cp=names; cp; cp = PORT_Strchr(cp,',')) { for (cp=names; cp; cp=nextName) {
int len; int len;
char *end; char *oidString;
char *nextComma;
CERTName *name;
PRStatus status;
unsigned char *data;
PRNetAddr addr;
nextName = NULL;
if (*cp == ',') { if (*cp == ',') {
cp++; cp++;
} }
end = PORT_Strchr(cp,','); nextComma = PORT_Strchr(cp, ',');
len = end ? end-cp : PORT_Strlen(cp); if (nextComma) {
if (len <= 0) { *nextComma = 0;
nextName = nextComma+1;
}
if ((*cp) == 0) {
continue; continue;
} }
tbuf = PORT_ArenaAlloc(arena,len+1); if (readTypeFromName) {
PORT_Memcpy(tbuf,cp,len); char *save=cp;
tbuf[len] = 0; /* Because we already replaced nextComma with end-of-string,
current = (CERTGeneralName *) PORT_ZAlloc(sizeof(CERTGeneralName)); * a found colon belongs to the current name */
cp = PORT_Strchr(cp, ':');
if (cp) {
*cp = 0;
cp++;
type = CERT_GetGeneralNameTypeFromString(save);
if (*cp == 0) {
continue;
}
} else {
if (type == 0) {
/* no type known yet */
rv = SECFailure;
break;
}
cp = save;
}
}
current = PORT_ArenaZNew(arena, CERTGeneralName);
if (!current) { if (!current) {
rv = SECFailure; rv = SECFailure;
break; break;
} }
current->type = type;
switch (type) {
/* string types */
case certRFC822Name:
case certDNSName:
case certURI:
current->name.other.data =
(unsigned char *) PORT_ArenaStrdup(arena,cp);
current->name.other.len = PORT_Strlen(cp);
break;
/* unformated data types */
case certX400Address:
case certEDIPartyName:
/* turn a string into a data and len */
rv = SECFailure; /* punt on these for now */
fprintf(stderr,"EDI Party Name and X.400 Address not supported\n");
break;
case certDirectoryName:
/* certDirectoryName */
name = CERT_AsciiToName(cp);
if (name == NULL) {
rv = SECFailure;
fprintf(stderr, "Invalid Directory Name (\"%s\")\n", cp);
break;
}
rv = CERT_CopyName(arena,&current->name.directoryName,name);
CERT_DestroyName(name);
break;
/* types that require more processing */
case certIPAddress:
/* convert the string to an ip address */
status = PR_StringToNetAddr(cp, &addr);
if (status != PR_SUCCESS) {
rv = SECFailure;
fprintf(stderr, "Invalid IP Address (\"%s\")\n", cp);
break;
}
if (PR_NetAddrFamily(&addr) == PR_AF_INET) {
len = sizeof(addr.inet.ip);
data = (unsigned char *)&addr.inet.ip;
} else if (PR_NetAddrFamily(&addr) == PR_AF_INET6) {
len = sizeof(addr.ipv6.ip);
data = (unsigned char *)&addr.ipv6.ip;
} else {
fprintf(stderr, "Invalid IP Family\n");
rv = SECFailure;
break;
}
current->name.other.data = PORT_ArenaAlloc(arena, len);
if (current->name.other.data == NULL) {
rv = SECFailure;
break;
}
current->name.other.len = len;
PORT_Memcpy(current->name.other.data,data, len);
break;
case certRegisterID:
rv = GetOidFromString(arena, &current->name.other, cp, strlen(cp));
break;
case certOtherName:
oidString = cp;
cp = PORT_Strchr(cp,';');
if (cp == NULL) {
rv = SECFailure;
fprintf(stderr, "missing name in other name\n");
break;
}
*cp++ = 0;
current->name.OthName.name.data =
(unsigned char *) PORT_ArenaStrdup(arena,cp);
if (current->name.OthName.name.data == NULL) {
rv = SECFailure;
break;
}
current->name.OthName.name.len = PORT_Strlen(cp);
rv = GetOidFromString(arena, &current->name.OthName.oid,
oidString, strlen(oidString));
break;
default:
rv = SECFailure;
fprintf(stderr, "Missing or invalid Subject Alternate Name type\n");
break;
}
if (rv == SECFailure) {
break;
}
if (prev) { if (prev) {
current->l.prev = prev; current->l.prev = prev;
prev->next = &(current->l); prev->next = &(current->l);
} else { } else {
nameList = current; nameList = current;
} }
current->type = type;
current->name.other.data = (unsigned char *)tbuf;
current->name.other.len = PORT_Strlen(tbuf);
prev = &(current->l); prev = &(current->l);
} }
PORT_Free(names);
/* at this point nameList points to the head of a doubly linked, /* at this point nameList points to the head of a doubly linked,
* but not yet circular, list and current points to its tail. */ * but not yet circular, list and current points to its tail. */
if (rv == SECSuccess && nameList) { if (rv == SECSuccess && nameList) {
@ -749,6 +911,12 @@ AddDNSSubjectAlt(PLArenaPool *arena, CERTGeneralName **existingListp,
return AddSubjectAltNames(arena, existingListp, dnsNames, certDNSName); return AddSubjectAltNames(arena, existingListp, dnsNames, certDNSName);
} }
static SECStatus
AddGeneralSubjectAlt(PLArenaPool *arena, CERTGeneralName **existingListp,
const char *altNames)
{
return AddSubjectAltNames(arena, existingListp, altNames, 0);
}
static SECStatus static SECStatus
AddBasicConstraint(void *extHandle) AddBasicConstraint(void *extHandle)
@ -1746,12 +1914,73 @@ AddInfoAccess(void *extHandle, PRBool addSIAExt, PRBool isCACert)
return (rv); return (rv);
} }
/* Example of valid input:
* 1.2.3.4:critical:/tmp/abc,5.6.7.8:not-critical:/tmp/xyz
*/
static SECStatus
parseNextGenericExt(const char *nextExtension, const char **oid, int *oidLen,
const char **crit, int *critLen,
const char **filename, int *filenameLen,
const char **next)
{
const char *nextColon;
const char *nextComma;
const char *iter = nextExtension;
if (!iter || !*iter)
return SECFailure;
/* Require colons at earlier positions than nextComma (or end of string ) */
nextComma = strchr(iter, ',');
*oid = iter;
nextColon = strchr(iter, ':');
if (!nextColon || (nextComma && nextColon > nextComma))
return SECFailure;
*oidLen = (nextColon - *oid);
if (!*oidLen)
return SECFailure;
iter = nextColon;
++iter;
*crit = iter;
nextColon = strchr(iter, ':');
if (!nextColon || (nextComma && nextColon > nextComma))
return SECFailure;
*critLen = (nextColon - *crit);
if (!*critLen)
return SECFailure;
iter = nextColon;
++iter;
*filename = iter;
if (nextComma) {
*filenameLen = (nextComma - *filename);
iter = nextComma;
++iter;
*next = iter;
} else {
*filenameLen = strlen(*filename);
*next = NULL;
}
if (!*filenameLen)
return SECFailure;
return SECSuccess;
}
SECStatus SECStatus
AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames, AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
certutilExtnList extList) certutilExtnList extList, const char *extGeneric)
{ {
SECStatus rv = SECSuccess; SECStatus rv = SECSuccess;
char *errstring = NULL; char *errstring = NULL;
const char *nextExtension = NULL;
do { do {
/* Add key usage extension */ /* Add key usage extension */
@ -1864,7 +2093,7 @@ AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
} }
} }
if (emailAddrs || dnsNames) { if (emailAddrs || dnsNames || extList[ext_subjectAltName].activated) {
PLArenaPool *arena; PLArenaPool *arena;
CERTGeneralName *namelist = NULL; CERTGeneralName *namelist = NULL;
SECItem item = { 0, NULL, 0 }; SECItem item = { 0, NULL, 0 };
@ -1874,10 +2103,21 @@ AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
rv = SECFailure; rv = SECFailure;
break; break;
} }
rv = SECSuccess;
rv = AddEmailSubjectAlt(arena, &namelist, emailAddrs); if (emailAddrs) {
rv |= AddEmailSubjectAlt(arena, &namelist, emailAddrs);
}
rv |= AddDNSSubjectAlt(arena, &namelist, dnsNames); if (dnsNames) {
rv |= AddDNSSubjectAlt(arena, &namelist, dnsNames);
}
if (extList[ext_subjectAltName].activated) {
rv |= AddGeneralSubjectAlt(arena, &namelist,
extList[ext_subjectAltName].arg);
}
if (rv == SECSuccess) { if (rv == SECSuccess) {
rv = CERT_EncodeAltNameExtension(arena, namelist, &item); rv = CERT_EncodeAltNameExtension(arena, namelist, &item);
@ -1898,5 +2138,71 @@ AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
if (rv != SECSuccess) { if (rv != SECSuccess) {
SECU_PrintError(progName, "Problem creating %s extension", errstring); SECU_PrintError(progName, "Problem creating %s extension", errstring);
} }
nextExtension = extGeneric;
while (nextExtension && *nextExtension) {
SECItem oid_item, value;
PRBool isCritical;
const char *oid, *crit, *filename, *next;
int oidLen, critLen, filenameLen;
PRFileDesc *inFile = NULL;
char *zeroTerminatedFilename = NULL;
rv = parseNextGenericExt(nextExtension, &oid, &oidLen, &crit, &critLen,
&filename, &filenameLen, &next);
if (rv!= SECSuccess) {
SECU_PrintError(progName,
"error parsing generic extension parameter %s",
nextExtension);
break;
}
oid_item.data = NULL;
oid_item.len = 0;
rv = GetOidFromString(NULL, &oid_item, oid, oidLen);
if (rv != SECSuccess) {
SECU_PrintError(progName, "malformed extension OID %s", nextExtension);
break;
}
if (!strncmp("critical", crit, critLen)) {
isCritical = PR_TRUE;
} else if (!strncmp("not-critical", crit, critLen)) {
isCritical = PR_FALSE;
} else {
rv = SECFailure;
SECU_PrintError(progName, "expected 'critical' or 'not-critical'");
break;
}
zeroTerminatedFilename = PL_strndup(filename, filenameLen);
if (!zeroTerminatedFilename) {
rv = SECFailure;
SECU_PrintError(progName, "out of memory");
break;
}
rv = SECFailure;
inFile = PR_Open(zeroTerminatedFilename, PR_RDONLY, 0);
if (inFile) {
rv = SECU_ReadDERFromFile(&value, inFile, PR_FALSE, PR_FALSE);
PR_Close(inFile);
inFile = NULL;
}
if (rv != SECSuccess) {
SECU_PrintError(progName, "unable to read file %s",
zeroTerminatedFilename);
}
PL_strfree(zeroTerminatedFilename);
if (rv != SECSuccess) {
break;
}
rv = CERT_AddExtensionByOID(extHandle, &oid_item, &value, isCritical,
PR_FALSE /*copyData*/);
if (rv != SECSuccess) {
SECITEM_FreeItem(&oid_item, PR_FALSE);
SECITEM_FreeItem(&value, PR_FALSE);
SECU_PrintError(progName, "failed to add extension %s", nextExtension);
break;
}
nextExtension = next;
}
return rv; return rv;
} }
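Review bot: `GetOidFromString` accepts any prefix of an OID description, because `PORT_Strncasecmp(from, coid->desc, fromLen) == 0` compares only the first `fromLen` characters; a shortened name resolves to whichever table entry is tried first, and a zero-length `from` would match the very first entry. Since the result becomes the OID of a certificate extension (and selects the extension for `--dump-ext-val`), I would require an exact match: `if (PORT_Strncasecmp(from, coid->desc, fromLen) == 0 && coid->desc[fromLen] == '\0')`. The `strncmp("critical", crit, critLen)` and `strncmp("not-critical", crit, critLen)` tests in the new `AddExtensions` loop have the same shape, so `c` is taken as `critical`; comparing `critLen` against the literal's length as well would close that. In the same loop `oid_item` appears to be leaked on the error paths between `GetOidFromString` and `CERT_AddExtensionByOID`.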


@ -182,7 +182,7 @@ static SECStatus
CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType, CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
SECOidTag hashAlgTag, CERTName *subject, char *phone, int ascii, SECOidTag hashAlgTag, CERTName *subject, char *phone, int ascii,
const char *emailAddrs, const char *dnsNames, const char *emailAddrs, const char *dnsNames,
certutilExtnList extnList, certutilExtnList extnList, const char *extGeneric,
/*out*/ SECItem *result) /*out*/ SECItem *result)
{ {
CERTSubjectPublicKeyInfo *spki; CERTSubjectPublicKeyInfo *spki;
@ -220,7 +220,7 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
PORT_FreeArena (arena, PR_FALSE); PORT_FreeArena (arena, PR_FALSE);
return SECFailure; return SECFailure;
} }
if (AddExtensions(extHandle, emailAddrs, dnsNames, extnList) if (AddExtensions(extHandle, emailAddrs, dnsNames, extnList, extGeneric)
!= SECSuccess) { != SECSuccess) {
PORT_FreeArena (arena, PR_FALSE); PORT_FreeArena (arena, PR_FALSE);
return SECFailure; return SECFailure;
@ -420,11 +420,64 @@ DumpChain(CERTCertDBHandle *handle, char *name, PRBool ascii)
} }
static SECStatus static SECStatus
listCerts(CERTCertDBHandle *handle, char *name, char *email, PK11SlotInfo *slot, outputCertOrExtension(CERTCertificate *the_cert, PRBool raw, PRBool ascii,
PRBool raw, PRBool ascii, PRFileDesc *outfile, void *pwarg) SECItem *extensionOID, PRFileDesc *outfile)
{ {
SECItem data; SECItem data;
PRInt32 numBytes; PRInt32 numBytes;
SECStatus rv = SECFailure;
if (extensionOID) {
int i;
PRBool found = PR_FALSE;
for (i=0; the_cert->extensions[i] != NULL; i++) {
CERTCertExtension *extension = the_cert->extensions[i];
if (SECITEM_CompareItem(&extension->id, extensionOID) == SECEqual) {
found = PR_TRUE;
numBytes = PR_Write(outfile, extension->value.data,
extension->value.len);
rv = SECSuccess;
if (numBytes != (PRInt32) extension->value.len) {
SECU_PrintSystemError(progName, "error writing extension");
rv = SECFailure;
}
rv = SECSuccess;
break;
}
}
if (!found) {
SECU_PrintSystemError(progName, "extension not found");
rv = SECFailure;
}
} else {
data.data = the_cert->derCert.data;
data.len = the_cert->derCert.len;
if (ascii) {
PR_fprintf(outfile, "%s\n%s\n%s\n", NS_CERT_HEADER,
BTOA_DataToAscii(data.data, data.len), NS_CERT_TRAILER);
rv = SECSuccess;
} else if (raw) {
numBytes = PR_Write(outfile, data.data, data.len);
rv = SECSuccess;
if (numBytes != (PRInt32) data.len) {
SECU_PrintSystemError(progName, "error writing raw cert");
rv = SECFailure;
}
} else {
rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate", NULL);
if (rv != SECSuccess) {
SECU_PrintError(progName, "problem printing certificate");
}
}
}
return rv;
}
static SECStatus
listCerts(CERTCertDBHandle *handle, char *name, char *email,
PK11SlotInfo *slot, PRBool raw, PRBool ascii,
SECItem *extensionOID,
PRFileDesc *outfile, void *pwarg)
{
SECStatus rv = SECFailure; SECStatus rv = SECFailure;
CERTCertList *certs; CERTCertList *certs;
CERTCertListNode *node; CERTCertListNode *node;
@ -461,34 +514,13 @@ listCerts(CERTCertDBHandle *handle, char *name, char *email, PK11SlotInfo *slot,
} }
for (node = CERT_LIST_HEAD(certs); !CERT_LIST_END(node,certs); for (node = CERT_LIST_HEAD(certs); !CERT_LIST_END(node,certs);
node = CERT_LIST_NEXT(node)) { node = CERT_LIST_NEXT(node)) {
the_cert = node->cert; rv = outputCertOrExtension(node->cert, raw, ascii, extensionOID,
/* now get the subjectList that matches this cert */ outfile);
data.data = the_cert->derCert.data;
data.len = the_cert->derCert.len;
if (ascii) {
PR_fprintf(outfile, "%s\n%s\n%s\n", NS_CERT_HEADER,
BTOA_DataToAscii(data.data, data.len), NS_CERT_TRAILER);
rv = SECSuccess;
} else if (raw) {
numBytes = PR_Write(outfile, data.data, data.len);
if (numBytes != (PRInt32) data.len) {
SECU_PrintSystemError(progName, "error writing raw cert");
rv = SECFailure;
}
rv = SECSuccess;
} else {
rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate", NULL);
if (rv != SECSuccess) {
SECU_PrintError(progName, "problem printing certificate");
}
}
if (rv != SECSuccess) { if (rv != SECSuccess) {
break; break;
} }
} }
} else if (email) { } else if (email) {
CERTCertificate *the_cert;
certs = PK11_FindCertsFromEmailAddress(email, NULL); certs = PK11_FindCertsFromEmailAddress(email, NULL);
if (!certs) { if (!certs) {
SECU_PrintError(progName, SECU_PrintError(progName,
@ -498,28 +530,8 @@ listCerts(CERTCertDBHandle *handle, char *name, char *email, PK11SlotInfo *slot,
} }
for (node = CERT_LIST_HEAD(certs); !CERT_LIST_END(node,certs); for (node = CERT_LIST_HEAD(certs); !CERT_LIST_END(node,certs);
node = CERT_LIST_NEXT(node)) { node = CERT_LIST_NEXT(node)) {
the_cert = node->cert; rv = outputCertOrExtension(node->cert, raw, ascii, extensionOID,
/* now get the subjectList that matches this cert */ outfile);
data.data = the_cert->derCert.data;
data.len = the_cert->derCert.len;
if (ascii) {
PR_fprintf(outfile, "%s\n%s\n%s\n", NS_CERT_HEADER,
BTOA_DataToAscii(data.data, data.len),
NS_CERT_TRAILER);
rv = SECSuccess;
} else if (raw) {
numBytes = PR_Write(outfile, data.data, data.len);
rv = SECSuccess;
if (numBytes != (PRInt32) data.len) {
SECU_PrintSystemError(progName, "error writing raw cert");
rv = SECFailure;
}
} else {
rv = SEC_PrintCertificateAndTrust(the_cert, "Certificate", NULL);
if (rv != SECSuccess) {
SECU_PrintError(progName, "problem printing certificate");
}
}
if (rv != SECSuccess) { if (rv != SECSuccess) {
break; break;
} }
@ -547,8 +559,9 @@ listCerts(CERTCertDBHandle *handle, char *name, char *email, PK11SlotInfo *slot,
static SECStatus static SECStatus
ListCerts(CERTCertDBHandle *handle, char *nickname, char *email, ListCerts(CERTCertDBHandle *handle, char *nickname, char *email,
PK11SlotInfo *slot, PRBool raw, PRBool ascii, PRFileDesc *outfile, PK11SlotInfo *slot, PRBool raw, PRBool ascii,
secuPWData *pwdata) SECItem *extensionOID,
PRFileDesc *outfile, secuPWData *pwdata)
{ {
SECStatus rv; SECStatus rv;
@ -569,7 +582,8 @@ ListCerts(CERTCertDBHandle *handle, char *nickname, char *email,
CERT_DestroyCertList(list); CERT_DestroyCertList(list);
return SECSuccess; return SECSuccess;
} }
rv = listCerts(handle, nickname, email, slot, raw, ascii, outfile, pwdata); rv = listCerts(handle, nickname, email, slot, raw, ascii,
extensionOID, outfile, pwdata);
return rv; return rv;
} }
@ -615,6 +629,15 @@ ValidateCert(CERTCertDBHandle *handle, char *name, char *date,
case 'O': case 'O':
usage = certificateUsageStatusResponder; usage = certificateUsageStatusResponder;
break; break;
case 'L':
usage = certificateUsageSSLCA;
break;
case 'A':
usage = certificateUsageAnyCA;
break;
case 'Y':
usage = certificateUsageVerifyCA;
break;
case 'C': case 'C':
usage = certificateUsageSSLClient; usage = certificateUsageSSLClient;
break; break;
@ -989,7 +1012,7 @@ PrintSyntax(char *progName)
FPS "\t\t [-f targetPWfile] [-@ sourcePWFile]\n"); FPS "\t\t [-f targetPWfile] [-@ sourcePWFile]\n");
FPS "\t%s -L [-n cert-name] [--email email-address] [-X] [-r] [-a]\n", FPS "\t%s -L [-n cert-name] [--email email-address] [-X] [-r] [-a]\n",
progName); progName);
FPS "\t\t [-d certdir] [-P dbprefix]\n"); FPS "\t\t [--dump-ext-val OID] [-d certdir] [-P dbprefix]\n");
FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n", FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n",
progName); progName);
FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n", progName); FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n", progName);
@ -1008,7 +1031,8 @@ PrintSyntax(char *progName)
"\t\t [-p phone] [-1] [-2] [-3] [-4] [-5] [-6] [-7 emailAddrs]\n" "\t\t [-p phone] [-1] [-2] [-3] [-4] [-5] [-6] [-7 emailAddrs]\n"
"\t\t [-8 DNS-names]\n" "\t\t [-8 DNS-names]\n"
"\t\t [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA]\n" "\t\t [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA]\n"
"\t\t [--extSKID] [--extNC]\n", progName); "\t\t [--extSKID] [--extNC] [--extSAN type:name[,type:name]...]\n"
"\t\t [--extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]...]\n", progName);
FPS "\t%s -U [-X] [-d certdir] [-P dbprefix]\n", progName); FPS "\t%s -U [-X] [-d certdir] [-P dbprefix]\n", progName);
exit(1); exit(1);
} }
@ -1308,7 +1332,7 @@ static void luL(enum usage_level ul, const char *command)
{ {
int is_my_command = (command && 0 == strcmp(command, "L")); int is_my_command = (command && 0 == strcmp(command, "L"));
if (ul == usage_all || !command || is_my_command) if (ul == usage_all || !command || is_my_command)
FPS "%-15s List all certs, or print out a single named cert\n", FPS "%-15s List all certs, or print out a single named cert (or a subset)\n",
"-L"); "-L");
if (ul == usage_selected && !is_my_command) if (ul == usage_selected && !is_my_command)
return; return;
@ -1327,6 +1351,9 @@ static void luL(enum usage_level ul, const char *command)
" -r"); " -r");
FPS "%-20s For single cert, print ASCII encoding (RFC1113)\n", FPS "%-20s For single cert, print ASCII encoding (RFC1113)\n",
" -a"); " -a");
FPS "%-20s \n"
"%-20s For single cert, print binary DER encoding of extension OID\n",
" --dump-ext-val OID", "");
FPS "\n"); FPS "\n");
} }
@ -1472,6 +1499,9 @@ static void luV(enum usage_level ul, const char *command)
FPS "%-20s Specify certificate usage:\n", " -u certusage"); FPS "%-20s Specify certificate usage:\n", " -u certusage");
FPS "%-25s C \t SSL Client\n", ""); FPS "%-25s C \t SSL Client\n", "");
FPS "%-25s V \t SSL Server\n", ""); FPS "%-25s V \t SSL Server\n", "");
FPS "%-25s L \t SSL CA\n", "");
FPS "%-25s A \t Any CA\n", "");
FPS "%-25s Y \t Verify CA\n", "");
FPS "%-25s S \t Email signer\n", ""); FPS "%-25s S \t Email signer\n", "");
FPS "%-25s R \t Email Recipient\n", ""); FPS "%-25s R \t Email Recipient\n", "");
FPS "%-25s O \t OCSP status responder\n", ""); FPS "%-25s O \t OCSP status responder\n", "");
@ -1638,6 +1668,18 @@ static void luS(enum usage_level ul, const char *command)
" See -G for available key flag options"); " See -G for available key flag options");
FPS "%-20s Create a name constraints extension\n", FPS "%-20s Create a name constraints extension\n",
" --extNC "); " --extNC ");
FPS "%-20s \n"
"%-20s Create a Subject Alt Name extension with one or multiple names\n",
" --extSAN type:name[,type:name]...", "");
FPS "%-20s - type: directory, dn, dns, edi, ediparty, email, ip, ipaddr,\n", "");
FPS "%-20s other, registerid, rfc822, uri, x400, x400addr\n", "");
FPS "%-20s \n"
"%-20s Add one or multiple extensions that certutil cannot encode yet,\n"
"%-20s by loading their encodings from external files.\n",
" --extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]...", "", "");
FPS "%-20s - OID (example): 1.2.3.4\n", "");
FPS "%-20s - critical-flag: critical or not-critical\n", "");
FPS "%-20s - filename: full path to a file containing an encoded extension\n", "");
FPS "\n"); FPS "\n");
} }
@ -1836,6 +1878,7 @@ CreateCert(
PRBool ascii, PRBool ascii,
PRBool selfsign, PRBool selfsign,
certutilExtnList extnList, certutilExtnList extnList,
const char *extGeneric,
int certVersion, int certVersion,
SECItem * certDER) SECItem * certDER)
{ {
@ -1864,7 +1907,7 @@ CreateCert(
GEN_BREAK (SECFailure) GEN_BREAK (SECFailure)
} }
rv = AddExtensions(extHandle, emailAddrs, dnsNames, extnList); rv = AddExtensions(extHandle, emailAddrs, dnsNames, extnList, extGeneric);
if (rv != SECSuccess) { if (rv != SECSuccess) {
GEN_BREAK (SECFailure) GEN_BREAK (SECFailure)
} }
@ -2212,6 +2255,9 @@ enum certutilOpts {
opt_KeyAttrFlags, opt_KeyAttrFlags,
opt_EmptyPassword, opt_EmptyPassword,
opt_CertVersion, opt_CertVersion,
opt_AddSubjectAltNameExt,
opt_DumpExtensionValue,
opt_GenericExtensions,
opt_Help opt_Help
}; };
@ -2323,6 +2369,11 @@ secuCommandFlag options_init[] =
"empty-password"}, "empty-password"},
{ /* opt_CertVersion */ 0, PR_FALSE, 0, PR_FALSE, { /* opt_CertVersion */ 0, PR_FALSE, 0, PR_FALSE,
"certVersion"}, "certVersion"},
{ /* opt_AddSubjectAltExt */ 0, PR_TRUE, 0, PR_FALSE, "extSAN"},
{ /* opt_DumpExtensionValue */ 0, PR_TRUE, 0, PR_FALSE,
"dump-ext-val"},
{ /* opt_GenericExtensions */ 0, PR_TRUE, 0, PR_FALSE,
"extGeneric"},
}; };
#define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0])) #define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0]))
@ -2663,9 +2714,10 @@ certutil_main(int argc, char **argv, PRBool initialize)
return 255; return 255;
} }
/* if -L is given raw or ascii mode, it must be for only one cert. */ /* if -L is given raw, ascii or dump mode, it must be for only one cert. */
if (certutil.commands[cmd_ListCerts].activated && if (certutil.commands[cmd_ListCerts].activated &&
(certutil.options[opt_ASCIIForIO].activated || (certutil.options[opt_ASCIIForIO].activated ||
certutil.options[opt_DumpExtensionValue].activated ||
certutil.options[opt_BinaryDER].activated) && certutil.options[opt_BinaryDER].activated) &&
!certutil.options[opt_Nickname].activated) { !certutil.options[opt_Nickname].activated) {
PR_fprintf(PR_STDERR, PR_fprintf(PR_STDERR,
@ -2985,10 +3037,29 @@ merge_fail:
/* List certs (-L) */ /* List certs (-L) */
if (certutil.commands[cmd_ListCerts].activated) { if (certutil.commands[cmd_ListCerts].activated) {
rv = ListCerts(certHandle, name, email, slot, if (certutil.options[opt_DumpExtensionValue].activated) {
certutil.options[opt_BinaryDER].activated, const char *oid_str;
certutil.options[opt_ASCIIForIO].activated, SECItem oid_item;
outFile, &pwdata); SECStatus srv;
oid_item.data = NULL;
oid_item.len = 0;
oid_str = certutil.options[opt_DumpExtensionValue].arg;
srv = GetOidFromString(NULL, &oid_item, oid_str, strlen(oid_str));
if (srv != SECSuccess) {
SECU_PrintError(progName, "malformed extension OID %s",
oid_str);
goto shutdown;
}
rv = ListCerts(certHandle, name, email, slot,
PR_TRUE /*binary*/, PR_FALSE /*ascii*/,
&oid_item,
outFile, &pwdata);
} else {
rv = ListCerts(certHandle, name, email, slot,
certutil.options[opt_BinaryDER].activated,
certutil.options[opt_ASCIIForIO].activated,
NULL, outFile, &pwdata);
}
goto shutdown; goto shutdown;
} }
if (certutil.commands[cmd_DumpChain].activated) { if (certutil.commands[cmd_DumpChain].activated) {
@ -3179,6 +3250,12 @@ merge_fail:
certutil_extns[ext_extKeyUsage].arg = certutil_extns[ext_extKeyUsage].arg =
certutil.options[opt_AddCmdExtKeyUsageExt].arg; certutil.options[opt_AddCmdExtKeyUsageExt].arg;
} }
certutil_extns[ext_subjectAltName].activated =
certutil.options[opt_AddSubjectAltNameExt].activated;
if (certutil_extns[ext_subjectAltName].activated) {
certutil_extns[ext_subjectAltName].arg =
certutil.options[opt_AddSubjectAltNameExt].arg;
}
certutil_extns[ext_authInfoAcc].activated = certutil_extns[ext_authInfoAcc].activated =
certutil.options[opt_AddAuthInfoAccExt].activated; certutil.options[opt_AddAuthInfoAccExt].activated;
@ -3218,6 +3295,8 @@ merge_fail:
certutil.options[opt_ExtendedEmailAddrs].arg, certutil.options[opt_ExtendedEmailAddrs].arg,
certutil.options[opt_ExtendedDNSNames].arg, certutil.options[opt_ExtendedDNSNames].arg,
certutil_extns, certutil_extns,
(certutil.options[opt_GenericExtensions].activated ?
certutil.options[opt_GenericExtensions].arg : NULL),
&certReqDER); &certReqDER);
if (rv) if (rv)
goto shutdown; goto shutdown;
@ -3240,6 +3319,8 @@ merge_fail:
NULL, NULL,
NULL, NULL,
nullextnlist, nullextnlist,
(certutil.options[opt_GenericExtensions].activated ?
certutil.options[opt_GenericExtensions].arg : NULL),
&certReqDER); &certReqDER);
if (rv) if (rv)
goto shutdown; goto shutdown;
@ -3259,6 +3340,8 @@ merge_fail:
certutil.commands[cmd_CreateNewCert].activated, certutil.commands[cmd_CreateNewCert].activated,
certutil.options[opt_SelfSign].activated, certutil.options[opt_SelfSign].activated,
certutil_extns, certutil_extns,
(certutil.options[opt_GenericExtensions].activated ?
certutil.options[opt_GenericExtensions].arg : NULL),
certVersion, certVersion,
&certDER); &certDER);
if (rv) if (rv)
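Review bot: In `outputCertOrExtension`, the extension branch sets `rv = SECFailure` when `PR_Write` returns a short count and then overwrites it with the second `rv = SECSuccess;` just before `break`, so a truncated extension dump is reported as success. Dropping that second assignment fixes it; the raw-cert branch below already has the right order. The loop also reads `the_cert->extensions[i]` without checking `the_cert->extensions`, which I would expect to be NULL for a certificate that carries no extensions; that is worth confirming and guarding with `if (the_cert->extensions)`. In `certutil_main`, the `oid_item` filled by `GetOidFromString(NULL, ...)` is not freed on the visible paths to `goto shutdown`.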


@ -35,6 +35,7 @@ enum certutilExtns {
ext_inhibitAnyPolicy, ext_inhibitAnyPolicy,
ext_subjectKeyID, ext_subjectKeyID,
ext_nameConstraints, ext_nameConstraints,
ext_subjectAltName,
ext_End ext_End
}; };
@ -47,7 +48,11 @@ typedef ExtensionEntry certutilExtnList[ext_End];
extern SECStatus extern SECStatus
AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames, AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
certutilExtnList extList); certutilExtnList extList, const char *extGeneric);
extern SECStatus
GetOidFromString(PLArenaPool *arena, SECItem *to,
const char *from, size_t fromLen);
#endif /* _CERTUTIL_H */ #endif /* _CERTUTIL_H */


@ -1312,8 +1312,10 @@ main(int argc, char **argv)
inFile = PR_Open(revoInfo->crlFilename, PR_RDONLY, 0); inFile = PR_Open(revoInfo->crlFilename, PR_RDONLY, 0);
if (inFile) { if (inFile) {
rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE); rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
PR_Close(inFile);
inFile = NULL;
} }
if (!inFile || rv != SECSuccess) { if (rv != SECSuccess) {
fprintf(stderr, "unable to read crl file %s\n", fprintf(stderr, "unable to read crl file %s\n",
revoInfo->crlFilename); revoInfo->crlFilename);
exit(1); exit(1);
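Review bot: With `!inFile` dropped from the check, a failed `PR_Open` is caught only if `rv` already holds a failure value when this code is reached, and the hunk does not show `rv` being set before the open. If it is not, add `rv = SECFailure;` immediately before `inFile = PR_Open(...)`, as the new generic-extension loop in this commit does, so that `crlDER` is never used after an open failure. The enclosing block of main starts and ends outside the hunk.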


@ -52,6 +52,19 @@ static char consoleName[] = {
#include "ssl.h" #include "ssl.h"
#include "sslproto.h" #include "sslproto.h"
static PRBool utf8DisplayEnabled = PR_FALSE;
void
SECU_EnableUtf8Display(PRBool enable)
{
utf8DisplayEnabled = enable;
}
PRBool
SECU_GetUtf8DisplayEnabled(void)
{
return utf8DisplayEnabled;
}
static void static void
secu_ClearPassword(char *p) secu_ClearPassword(char *p)
@ -609,12 +622,22 @@ secu_PrintRawStringQuotesOptional(FILE *out, SECItem *si, const char *m,
for (i = 0; i < si->len; i++) { for (i = 0; i < si->len; i++) {
unsigned char val = si->data[i]; unsigned char val = si->data[i];
unsigned char c;
if (SECU_GetWrapEnabled() && column > 76) { if (SECU_GetWrapEnabled() && column > 76) {
SECU_Newline(out); SECU_Newline(out);
SECU_Indent(out, level); column = level*INDENT_MULT; SECU_Indent(out, level); column = level*INDENT_MULT;
} }
fprintf(out,"%c", printable[val]); column++; if (utf8DisplayEnabled) {
if (val < 32)
c = '.';
else
c = val;
} else {
c = printable[val];
}
fprintf(out,"%c", c);
column++;
} }
if (quotes) { if (quotes) {
@ -2441,19 +2464,19 @@ loser:
int int
SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, int level) SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, int level)
{ {
unsigned char fingerprint[20]; unsigned char fingerprint[SHA256_LENGTH];
char *fpStr = NULL; char *fpStr = NULL;
int err = PORT_GetError(); int err = PORT_GetError();
SECStatus rv; SECStatus rv;
SECItem fpItem; SECItem fpItem;
/* print MD5 fingerprint */ /* Print SHA-256 fingerprint */
memset(fingerprint, 0, sizeof fingerprint); memset(fingerprint, 0, sizeof fingerprint);
rv = PK11_HashBuf(SEC_OID_MD5,fingerprint, derCert->data, derCert->len); rv = PK11_HashBuf(SEC_OID_SHA256, fingerprint, derCert->data, derCert->len);
fpItem.data = fingerprint; fpItem.data = fingerprint;
fpItem.len = MD5_LENGTH; fpItem.len = SHA256_LENGTH;
fpStr = CERT_Hexify(&fpItem, 1); fpStr = CERT_Hexify(&fpItem, 1);
SECU_Indent(out, level); fprintf(out, "%s (MD5):", m); SECU_Indent(out, level); fprintf(out, "%s (SHA-256):", m);
if (SECU_GetWrapEnabled()) { if (SECU_GetWrapEnabled()) {
fprintf(out, "\n"); fprintf(out, "\n");
SECU_Indent(out, level+1); SECU_Indent(out, level+1);
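Review bot: In the secu_PrintRawStringQuotesOptional hunk, the UTF-8 branch filters only `val < 32`, so DEL (0x7f) and every byte >= 0x80 are written unchanged, with no check that the bytes form valid UTF-8. These strings come from the DER being printed, so with UTF-8 display enabled a certificate can put malformed sequences or encoded C1 control characters into the terminal output. At minimum treat DEL like the other control bytes, `if (val < 32 || val == 0x7f)`, and add a comment that the input is not validated as UTF-8. The branch could also call `SECU_GetUtf8DisplayEnabled()` to match the `SECU_GetWrapEnabled()` call just above it. The function body extends outside the hunk.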


@ -139,6 +139,9 @@ SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
extern PRBool SECU_GetWrapEnabled(void); extern PRBool SECU_GetWrapEnabled(void);
extern void SECU_EnableWrap(PRBool enable); extern void SECU_EnableWrap(PRBool enable);
extern PRBool SECU_GetUtf8DisplayEnabled(void);
extern void SECU_EnableUtf8Display(PRBool enable);
/* revalidate the cert and print information about cert verification /* revalidate the cert and print information about cert verification
* failure at time == now */ * failure at time == now */
extern void extern void


@ -22,22 +22,27 @@ extern int fprintf(FILE *, char *, ...);
static void Usage(char *progName) static void Usage(char *progName)
{ {
fprintf(stderr, fprintf(stderr,
"Usage: %s -t type [-a] [-i input] [-o output] [-w]\n", "Usage: %s [-t type] [-a] [-i input] [-o output] [-w] [-u]\n",
progName); progName);
fprintf(stderr, "%-20s Specify the input type (must be one of %s,\n", fprintf(stderr, "Pretty prints a file containing ASN.1 data in DER or ascii format.\n");
fprintf(stderr, "%-14s Specify input and display type: %s (sk),\n",
"-t type", SEC_CT_PRIVATE_KEY); "-t type", SEC_CT_PRIVATE_KEY);
fprintf(stderr, "%-20s %s, %s, %s,\n", "", SEC_CT_PUBLIC_KEY, fprintf(stderr, "%-14s %s (pk), %s (c), %s (cr),\n", "", SEC_CT_PUBLIC_KEY,
SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST); SEC_CT_CERTIFICATE, SEC_CT_CERTIFICATE_REQUEST);
fprintf(stderr, "%-20s %s, %s, %s or %s)\n", "", SEC_CT_CERTIFICATE_ID, fprintf(stderr, "%-14s %s (ci), %s (p7), %s or %s (n).\n", "", SEC_CT_CERTIFICATE_ID,
SEC_CT_PKCS7, SEC_CT_CRL, SEC_CT_NAME); SEC_CT_PKCS7, SEC_CT_CRL, SEC_CT_NAME);
fprintf(stderr, "%-20s Input is in ascii encoded form (RFC1113)\n", fprintf(stderr, "%-14s (Use either the long type name or the shortcut.)\n", "", SEC_CT_CERTIFICATE_ID,
SEC_CT_PKCS7, SEC_CT_CRL, SEC_CT_NAME);
fprintf(stderr, "%-14s Input is in ascii encoded form (RFC1113)\n",
"-a"); "-a");
fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n", fprintf(stderr, "%-14s Define an input file to use (default is stdin)\n",
"-i input"); "-i input");
fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n", fprintf(stderr, "%-14s Define an output file to use (default is stdout)\n",
"-o output"); "-o output");
fprintf(stderr, "%-20s Don't wrap long output lines\n", fprintf(stderr, "%-14s Don't wrap long output lines\n",
"-w"); "-w");
fprintf(stderr, "%-14s Use UTF-8 (default is to show non-ascii as .)\n",
"-u");
exit(-1); exit(-1);
} }
@ -59,7 +64,7 @@ int main(int argc, char **argv)
inFile = 0; inFile = 0;
outFile = 0; outFile = 0;
typeTag = 0; typeTag = 0;
optstate = PL_CreateOptState(argc, argv, "at:i:o:w"); optstate = PL_CreateOptState(argc, argv, "at:i:o:uw");
while ( PL_GetNextOpt(optstate) == PL_OPT_OK ) { while ( PL_GetNextOpt(optstate) == PL_OPT_OK ) {
switch (optstate->option) { switch (optstate->option) {
case '?': case '?':
@ -92,6 +97,10 @@ int main(int argc, char **argv)
typeTag = strdup(optstate->value); typeTag = strdup(optstate->value);
break; break;
case 'u':
SECU_EnableUtf8Display(PR_TRUE);
break;
case 'w': case 'w':
wrap = PR_FALSE; wrap = PR_FALSE;
break; break;
@ -125,27 +134,34 @@ int main(int argc, char **argv)
SECU_EnableWrap(wrap); SECU_EnableWrap(wrap);
/* Pretty print it */ /* Pretty print it */
if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE) == 0) { if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE) == 0 ||
PORT_Strcmp(typeTag, "c") == 0) {
rv = SECU_PrintSignedData(outFile, &data, "Certificate", 0, rv = SECU_PrintSignedData(outFile, &data, "Certificate", 0,
SECU_PrintCertificate); SECU_PrintCertificate);
} else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_ID) == 0) { } else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_ID) == 0 ||
PORT_Strcmp(typeTag, "ci") == 0) {
rv = SECU_PrintSignedContent(outFile, &data, 0, 0, rv = SECU_PrintSignedContent(outFile, &data, 0, 0,
SECU_PrintDumpDerIssuerAndSerial); SECU_PrintDumpDerIssuerAndSerial);
} else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_REQUEST) == 0) { } else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_REQUEST) == 0 ||
PORT_Strcmp(typeTag, "cr") == 0) {
rv = SECU_PrintSignedData(outFile, &data, "Certificate Request", 0, rv = SECU_PrintSignedData(outFile, &data, "Certificate Request", 0,
SECU_PrintCertificateRequest); SECU_PrintCertificateRequest);
} else if (PORT_Strcmp (typeTag, SEC_CT_CRL) == 0) { } else if (PORT_Strcmp(typeTag, SEC_CT_CRL) == 0) {
rv = SECU_PrintSignedData (outFile, &data, "CRL", 0, SECU_PrintCrl); rv = SECU_PrintSignedData (outFile, &data, "CRL", 0, SECU_PrintCrl);
#ifdef HAVE_EPV_TEMPLATE #ifdef HAVE_EPV_TEMPLATE
} else if (PORT_Strcmp(typeTag, SEC_CT_PRIVATE_KEY) == 0) { } else if (PORT_Strcmp(typeTag, SEC_CT_PRIVATE_KEY) == 0 ||
PORT_Strcmp(typeTag, "sk") == 0) {
rv = SECU_PrintPrivateKey(outFile, &data, "Private Key", 0); rv = SECU_PrintPrivateKey(outFile, &data, "Private Key", 0);
#endif #endif
} else if (PORT_Strcmp(typeTag, SEC_CT_PUBLIC_KEY) == 0) { } else if (PORT_Strcmp(typeTag, SEC_CT_PUBLIC_KEY) == 0 ||
PORT_Strcmp (typeTag, "pk") == 0) {
rv = SECU_PrintSubjectPublicKeyInfo(outFile, &data, "Public Key", 0); rv = SECU_PrintSubjectPublicKeyInfo(outFile, &data, "Public Key", 0);
} else if (PORT_Strcmp(typeTag, SEC_CT_PKCS7) == 0) { } else if (PORT_Strcmp(typeTag, SEC_CT_PKCS7) == 0 ||
PORT_Strcmp (typeTag, "p7") == 0) {
rv = SECU_PrintPKCS7ContentInfo(outFile, &data, rv = SECU_PrintPKCS7ContentInfo(outFile, &data,
"PKCS #7 Content Info", 0); "PKCS #7 Content Info", 0);
} else if (PORT_Strcmp(typeTag, SEC_CT_NAME) == 0) { } else if (PORT_Strcmp(typeTag, SEC_CT_NAME) == 0 ||
PORT_Strcmp (typeTag, "n") == 0) {
rv = SECU_PrintDERName(outFile, &data, "Name", 0); rv = SECU_PrintDERName(outFile, &data, "Name", 0);
} else { } else {
fprintf(stderr, "%s: don't know how to print out '%s' files\n", fprintf(stderr, "%s: don't know how to print out '%s' files\n",
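Review bot: The added Usage() line `"%-14s (Use either the long type name or the shortcut.)\n"` has a single conversion but is still passed `SEC_CT_CERTIFICATE_ID, SEC_CT_PKCS7, SEC_CT_CRL, SEC_CT_NAME`, left over from the line above. The extra arguments are ignored at run time but trip `-Wformat-extra-args` and mislead readers; it should read `fprintf(stderr, "%-14s (Use either the long type name or the shortcut.)\n", "");`. Separately, the usage text now shows `[-t type]` as optional and advertises the `sk` shortcut, while main() passes `typeTag` straight to PORT_Strcmp and the private-key branch is compiled only under `HAVE_EPV_TEMPLATE`. If no check outside this hunk rejects a missing `-t`, that is a NULL comparison. main() continues outside the hunk.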


@ -130,7 +130,7 @@ ifeq ($(USE_PTHREADS),1)
OS_PTHREAD = -lpthread OS_PTHREAD = -lpthread
endif endif
OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -DLINUX -Dlinux -DHAVE_STRERROR OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR
OS_LIBS = $(OS_PTHREAD) -ldl -lc OS_LIBS = $(OS_PTHREAD) -ldl -lc
ifdef USE_PTHREADS ifdef USE_PTHREADS
@ -140,7 +140,7 @@ endif
ARCH = linux ARCH = linux
DSO_CFLAGS = -fPIC DSO_CFLAGS = -fPIC
DSO_LDOPTS = -shared $(ARCHFLAG) DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections
# The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8) # The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
# incorrectly reports undefined references in the libraries we link with, so # incorrectly reports undefined references in the libraries we link with, so
# we don't use -z defs there. # we don't use -z defs there.


@ -196,10 +196,10 @@ If this option is not used, the validity check defaults to the current system ti
<para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para> <para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para>
<para>NSS recognizes the following prefixes:</para> <para>NSS recognizes the following prefixes:</para>
<itemizedlist> <itemizedlist>
<listitem><para><command>sql: requests the newer database</command></para></listitem> <listitem><para><command>sql:</command> requests the newer database</para></listitem>
<listitem><para><command>dbm: requests the legacy database</command></para></listitem> <listitem><para><command>dbm:</command> requests the legacy database</para></listitem>
</itemizedlist> </itemizedlist>
<para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.</para> <para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <command>dbm:</command> is the default.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -432,11 +432,11 @@ of the attribute codes:
<varlistentry> <varlistentry>
<term>-1 | --keyUsage keyword,keyword</term> <term>-1 | --keyUsage keyword,keyword</term>
<listitem><para>Set a Netscape Certificate Type Extension in the certificate. There are several available keywords:</para> <listitem><para>Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para> <para>
digital signature digitalSignature
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
@ -498,7 +498,7 @@ of the attribute codes:
<varlistentry> <varlistentry>
<term>-5 | --nsCertType keyword,keyword</term> <term>-5 | --nsCertType keyword,keyword</term>
<listitem><para>Add a Netscape certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</para> <listitem><para>Add an X.509 V3 certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para> <para>


@ -61,16 +61,16 @@ Options specify an action. Option arguments modify an action.
The options and arguments for the cmsutil command are defined as follows: The options and arguments for the cmsutil command are defined as follows:
</para> </para>
<variablelist> <variablelist>
<varlistentry>
<term>-D </term>
<listitem><para>Decode a message.</para></listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-C</term> <term>-C</term>
<listitem><para>Encrypt a message.</para></listitem> <listitem><para>Encrypt a message.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-D </term>
<listitem><para>Decode a message.</para></listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-E </term> <term>-E </term>
<listitem><para>Envelope a message.</para></listitem> <listitem><para>Envelope a message.</para></listitem>
@ -267,23 +267,11 @@ cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [
</refsection> </refsection>
<refsection> <refsection id="seealso">
<title>See also</title> <title>See also</title>
<para>certutil(1)</para> <para>certutil(1)</para>
</refsection> </refsection>
<refsection id="seealso">
<title>See Also</title>
<para></para>
<para>
</para>
<para>
</para>
<para>
</para>
</refsection>
<!-- don't change --> <!-- don't change -->
<refsection id="resources"> <refsection id="resources">
<title>Additional Resources</title> <title>Additional Resources</title>


@ -75,15 +75,6 @@ The options and arguments for the crlutil command are defined as follows:
</para> </para>
<variablelist> <variablelist>
<varlistentry>
<term>-G </term>
<listitem>
<para>
Create new Certificate Revocation List(CRL).
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-D </term> <term>-D </term>
<listitem> <listitem>
@ -93,16 +84,6 @@ Delete Certificate Revocation List from cert database.
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-I </term>
<listitem>
<para>
Import a CRL to the cert database
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-E </term> <term>-E </term>
<listitem> <listitem>
@ -112,6 +93,23 @@ Erase all CRLs of specified type from the cert database
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-G </term>
<listitem>
<para>
Create new Certificate Revocation List (CRL).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I </term>
<listitem>
<para>
Import a CRL to the cert database
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-L </term> <term>-L </term>
@ -122,15 +120,6 @@ List existing CRL located in cert database file.
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-S </term>
<listitem>
<para>
Show contents of a CRL file which isn't stored in the database.
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-M </term> <term>-M </term>
<listitem> <listitem>
@ -141,38 +130,20 @@ Modify existing CRL which can be located in cert db or in arbitrary file. If loc
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-G </term> <term>-S </term>
<listitem> <listitem>
<para> <para>
Show contents of a CRL file which isn't stored in the database.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para><command>Arguments</command></para> <para><command>Arguments</command></para>
<para>Option arguments modify an action and are lowercase.</para> <para>Option arguments modify an action.</para>
<variablelist> <variablelist>
<varlistentry>
<term>-B </term>
<listitem>
<para>
Bypass CA signature checks.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-P dbprefix </term>
<listitem>
<para>
Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-a </term> <term>-a </term>
<listitem> <listitem>
@ -182,6 +153,15 @@ Use ASCII format or allow the use of ASCII format for input and output. This for
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-B </term>
<listitem>
<para>
Bypass CA signature checks.
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-c crl-gen-file </term> <term>-c crl-gen-file </term>
<listitem> <listitem>
@ -204,19 +184,19 @@ The NSS database files must reside in the same directory.
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-i crl-file </term> <term>-f password-file </term>
<listitem> <listitem>
<para> <para>
Specify the file which contains the CRL to import or show. Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-f password-file </term> <term>-i crl-file </term>
<listitem> <listitem>
<para> <para>
Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file. Specify the file which contains the CRL to import or show.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -248,6 +228,15 @@ Specify the output file name for new CRL. Bracket the output-file string with qu
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-P dbprefix </term>
<listitem>
<para>
Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-t crl-type </term> <term>-t crl-type </term>
<listitem> <listitem>
@ -355,7 +344,7 @@ Implemented Extensions
* Add The Authority Key Identifier extension: * Add The Authority Key Identifier extension:
</para> </para>
<para> <para>
The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL. The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL.
</para> </para>
<para> <para>
authKeyId critical [key-id | dn cert-serial] authKeyId critical [key-id | dn cert-serial]
@ -504,21 +493,9 @@ crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbpr
</programlisting> </programlisting>
</refsection> </refsection>
<refsection>
<title>See also</title>
<para>certutil(1)</para>
</refsection>
<refsection id="seealso"> <refsection id="seealso">
<title>See Also</title> <title>See Also</title>
<para></para> <para>certutil(1)</para>
<para>
</para>
<para>
</para>
<para>
</para>
</refsection> </refsection>
<!-- don't change --> <!-- don't change -->


@ -1,4 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm229558164448"></a><h2>STATUS</h2><p>This documentation is still work in progress. 
Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm233261230240"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. 
If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. 
The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
<code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname. <code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname.
</p><p> </p><p>
@ -10,7 +10,7 @@ For certificate requests, ASCII output defaults to standard output unless redire
</p><p> </p><p>
If this option is not used, the validity check defaults to the current system time.</p></dd><dt><span class="term">-c issuer</span></dt><dd><p>Identify the certificate of the CA from which a new certificate will derive its authenticity. If this option is not used, the validity check defaults to the current system time.</p></dd><dt><span class="term">-c issuer</span></dt><dd><p>Identify the certificate of the CA from which a new certificate will derive its authenticity.
Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string
with quotation marks if it contains spaces. </p></dd><dt><span class="term">-d [prefix]directory</span></dt><dd><p>Specify the database directory containing the certificate and key database files.</p><p><span class="command"><strong>certutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). </p><p>NSS recognizes the following prefixes:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>sql: requests the newer database</strong></span></p></li><li class="listitem"><p><span class="command"><strong>dbm: requests the legacy database</strong></span></p></li></ul></div><p>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.</p></dd><dt><span class="term">-e </span></dt><dd><p>Check a certificate's signature during the process of validating a certificate.</p></dd><dt><span class="term">--email email-address</span></dt><dd><p>Specify the email address of a certificate to list. Used with the -L command option.</p></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate with quotation marks if it contains spaces. 
</p></dd><dt><span class="term">-d [prefix]directory</span></dt><dd><p>Specify the database directory containing the certificate and key database files.</p><p><span class="command"><strong>certutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). </p><p>NSS recognizes the following prefixes:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>sql:</strong></span> requests the newer database</p></li><li class="listitem"><p><span class="command"><strong>dbm:</strong></span> requests the legacy database</p></li></ul></div><p>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <span class="command"><strong>dbm:</strong></span> is the default.</p></dd><dt><span class="term">-e </span></dt><dd><p>Check a certificate's signature during the process of validating a certificate.</p></dd><dt><span class="term">--email email-address</span></dt><dd><p>Specify the email address of a certificate to list. Used with the -L command option.</p></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate
or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p> unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p>
The valid key type options are rsa, dsa, ec, or all. The default The valid key type options are rsa, dsa, ec, or all. The default
@ -59,8 +59,8 @@ of the attribute codes:
the certificate or adding it to a database. Express the offset in integers, the certificate or adding it to a database. Express the offset in integers,
using a minus sign (-) to indicate a negative offset. If this argument is using a minus sign (-) to indicate a negative offset. If this argument is
not used, the validity period begins at the current system time. The length not used, the validity period begins at the current system time. The length
of the validity period is set with the -v argument. </p></dd><dt><span class="term">-X </span></dt><dd><p>Force the key and certificate database to open in read-write mode. This is used with the <code class="option">-U</code> and <code class="option">-L</code> command options.</p></dd><dt><span class="term">-x </span></dt><dd><p>Use <span class="command"><strong>certutil</strong></span> to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.</p></dd><dt><span class="term">-y exp</span></dt><dd><p>Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.</p></dd><dt><span class="term">-z noise-file</span></dt><dd><p>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</p></dd><dt><span class="term">-0 SSO_password</span></dt><dd><p>Set a site security officer password on a token.</p></dd><dt><span class="term">-1 | --keyUsage keyword,keyword</span></dt><dd><p>Set a Netscape Certificate Type Extension in the certificate. There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> of the validity period is set with the -v argument. </p></dd><dt><span class="term">-X </span></dt><dd><p>Force the key and certificate database to open in read-write mode. 
This is used with the <code class="option">-U</code> and <code class="option">-L</code> command options.</p></dd><dt><span class="term">-x </span></dt><dd><p>Use <span class="command"><strong>certutil</strong></span> to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.</p></dd><dt><span class="term">-y exp</span></dt><dd><p>Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.</p></dd><dt><span class="term">-z noise-file</span></dt><dd><p>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</p></dd><dt><span class="term">-0 SSO_password</span></dt><dd><p>Set a site security officer password on a token.</p></dd><dt><span class="term">-1 | --keyUsage keyword,keyword</span></dt><dd><p>Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
digital signature digitalSignature
</p></li><li class="listitem"><p> </p></li><li class="listitem"><p>
nonRepudiation nonRepudiation
</p></li><li class="listitem"><p> </p></li><li class="listitem"><p>
@ -75,7 +75,7 @@ of the attribute codes:
crlSigning crlSigning
</p></li><li class="listitem"><p> </p></li><li class="listitem"><p>
critical critical
</p></li></ul></div></dd><dt><span class="term">-2 </span></dt><dd><p>Add a basic constraint extension to a certificate that is being created or added to a database. This extension supports the certificate chain verification process. <span class="command"><strong>certutil</strong></span> prompts for the certificate constraint extension to select.</p><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-3 </span></dt><dd><p>Add an authority key ID extension to a certificate that is being created or added to a database. This extension supports the identification of a particular certificate, from among multiple certificates associated with one subject name, as the correct issuer of a certificate. The Certificate Database Tool will prompt you to select the authority key ID extension.</p><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-4 </span></dt><dd><p>Add a CRL distribution point extension to a certificate that is being created or added to a database. This extension identifies the URL of a certificate's associated certificate revocation list (CRL). <span class="command"><strong>certutil</strong></span> prompts for the URL.</p><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-5 | --nsCertType keyword,keyword</span></dt><dd><p>Add a Netscape certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> </p></li></ul></div></dd><dt><span class="term">-2 </span></dt><dd><p>Add a basic constraint extension to a certificate that is being created or added to a database. This extension supports the certificate chain verification process. 
<span class="command"><strong>certutil</strong></span> prompts for the certificate constraint extension to select.</p><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-3 </span></dt><dd><p>Add an authority key ID extension to a certificate that is being created or added to a database. This extension supports the identification of a particular certificate, from among multiple certificates associated with one subject name, as the correct issuer of a certificate. The Certificate Database Tool will prompt you to select the authority key ID extension.</p><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-4 </span></dt><dd><p>Add a CRL distribution point extension to a certificate that is being created or added to a database. This extension identifies the URL of a certificate's associated certificate revocation list (CRL). <span class="command"><strong>certutil</strong></span> prompts for the URL.</p><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-5 | --nsCertType keyword,keyword</span></dt><dd><p>Add an X.509 V3 certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
sslClient sslClient
</p></li><li class="listitem"><p> </p></li><li class="listitem"><p>
sslServer sslServer


@ -1,4 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CMSUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CMSUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CMSUTIL</th></tr></table><hr></div><div class="refentry"><a name="cmsutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>cmsutil — Performs basic cryptograpic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">cmsutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm207695361776"></a><h2>STATUS</h2><p>This documentation is still work in progress. 
Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CMSUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CMSUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CMSUTIL</th></tr></table><hr></div><div class="refentry"><a name="cmsutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>cmsutil — Performs basic cryptograpic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">cmsutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm233266717696"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The <span class="command"><strong>cmsutil</strong></span> command-line uses the S/MIME Toolkit to perform basic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages. </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The <span class="command"><strong>cmsutil</strong></span> command-line uses the S/MIME Toolkit to perform basic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages.
</p><p> </p><p>
To run cmsutil, type the command cmsutil option [arguments] where option and arguments are combinations of the options and arguments listed in the following section. To run cmsutil, type the command cmsutil option [arguments] where option and arguments are combinations of the options and arguments listed in the following section.
@ -8,7 +8,7 @@ To see a usage string, issue the command without options.
</p><p><span class="command"><strong>Options</strong></span></p><p> </p><p><span class="command"><strong>Options</strong></span></p><p>
Options specify an action. Option arguments modify an action. Options specify an action. Option arguments modify an action.
The options and arguments for the cmsutil command are defined as follows: The options and arguments for the cmsutil command are defined as follows:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-D </span></dt><dd><p>Decode a message.</p></dd><dt><span class="term">-C</span></dt><dd><p>Encrypt a message.</p></dd><dt><span class="term">-E </span></dt><dd><p>Envelope a message.</p></dd><dt><span class="term">-O </span></dt><dd><p>Create a certificates-only message.</p></dd><dt><span class="term">-S </span></dt><dd><p>Sign a message.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Option arguments modify an action.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-b </span></dt><dd><p>Decode a batch of files named in infile.</p></dd><dt><span class="term">-c content </span></dt><dd><p>Use this detached content (decode only).</p></dd><dt><span class="term">-d dbdir</span></dt><dd><p>Specify the key/certificate database directory (default is ".")</p></dd><dt><span class="term">-e envfile</span></dt><dd><p>Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message. 
If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only).</p></dd><dt><span class="term">-f pwfile</span></dt><dd><p>Use password file to set password on all PKCS#11 tokens.</p></dd><dt><span class="term">-G</span></dt><dd><p>Include a signing time attribute (sign only).</p></dd><dt><span class="term">-H hash</span></dt><dd><p>Use specified hash algorithm (default:SHA1).</p></dd><dt><span class="term">-h num</span></dt><dd><p>Generate email headers with info about CMS message (decode only).</p></dd><dt><span class="term">-i infile</span></dt><dd><p>Use infile as a source of data (default is stdin).</p></dd><dt><span class="term">-k</span></dt><dd><p>Keep decoded encryption certs in permanent cert db.</p></dd><dt><span class="term">-N nickname</span></dt><dd><p>Specify nickname of certificate to sign with (sign only).</p></dd><dt><span class="term">-n </span></dt><dd><p>Suppress output of contents (decode only).</p></dd><dt><span class="term">-o outfile</span></dt><dd><p>Use outfile as a destination of data (default is stdout).</p></dd><dt><span class="term">-P</span></dt><dd><p>Include an S/MIME capabilities attribute.</p></dd><dt><span class="term">-p password</span></dt><dd><p>Use password as key database password.</p></dd><dt><span class="term">-r recipient1,recipient2, ...</span></dt><dd><p> </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-C</span></dt><dd><p>Encrypt a message.</p></dd><dt><span class="term">-D </span></dt><dd><p>Decode a message.</p></dd><dt><span class="term">-E </span></dt><dd><p>Envelope a message.</p></dd><dt><span class="term">-O </span></dt><dd><p>Create a certificates-only message.</p></dd><dt><span class="term">-S </span></dt><dd><p>Sign a message.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Option arguments modify an action.</p><div class="variablelist"><dl 
class="variablelist"><dt><span class="term">-b </span></dt><dd><p>Decode a batch of files named in infile.</p></dd><dt><span class="term">-c content </span></dt><dd><p>Use this detached content (decode only).</p></dd><dt><span class="term">-d dbdir</span></dt><dd><p>Specify the key/certificate database directory (default is ".")</p></dd><dt><span class="term">-e envfile</span></dt><dd><p>Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only).</p></dd><dt><span class="term">-f pwfile</span></dt><dd><p>Use password file to set password on all PKCS#11 tokens.</p></dd><dt><span class="term">-G</span></dt><dd><p>Include a signing time attribute (sign only).</p></dd><dt><span class="term">-H hash</span></dt><dd><p>Use specified hash algorithm (default:SHA1).</p></dd><dt><span class="term">-h num</span></dt><dd><p>Generate email headers with info about CMS message (decode only).</p></dd><dt><span class="term">-i infile</span></dt><dd><p>Use infile as a source of data (default is stdin).</p></dd><dt><span class="term">-k</span></dt><dd><p>Keep decoded encryption certs in permanent cert db.</p></dd><dt><span class="term">-N nickname</span></dt><dd><p>Specify nickname of certificate to sign with (sign only).</p></dd><dt><span class="term">-n </span></dt><dd><p>Suppress output of contents (decode only).</p></dd><dt><span class="term">-o outfile</span></dt><dd><p>Use outfile as a destination of data (default is stdout).</p></dd><dt><span class="term">-P</span></dt><dd><p>Include an S/MIME capabilities attribute.</p></dd><dt><span class="term">-p password</span></dt><dd><p>Use password as key database password.</p></dd><dt><span class="term">-r recipient1,recipient2, ...</span></dt><dd><p>
Specify list of recipients (email addresses) for an encrypted or enveloped message. Specify list of recipients (email addresses) for an encrypted or enveloped message.
For certificates-only message, list of certificates to send. For certificates-only message, list of certificates to send.
</p></dd><dt><span class="term">-T</span></dt><dd><p>Suppress content in CMS message (sign only).</p></dd><dt><span class="term">-u certusage</span></dt><dd><p>Set type of cert usage (default is certUsageEmailSigner).</p></dd><dt><span class="term">-v</span></dt><dd><p>Print debugging information.</p></dd><dt><span class="term">-Y ekprefnick</span></dt><dd><p>Specify an encryption key preference by nickname.</p></dd></dl></div></div><div class="refsection"><a name="usage"></a><h2>Usage</h2><p>Encrypt Example</p><pre class="programlisting"> </p></dd><dt><span class="term">-T</span></dt><dd><p>Suppress content in CMS message (sign only).</p></dd><dt><span class="term">-u certusage</span></dt><dd><p>Set type of cert usage (default is certUsageEmailSigner).</p></dd><dt><span class="term">-v</span></dt><dd><p>Print debugging information.</p></dd><dt><span class="term">-Y ekprefnick</span></dt><dd><p>Specify an encryption key preference by nickname.</p></dd></dl></div></div><div class="refsection"><a name="usage"></a><h2>Usage</h2><p>Encrypt Example</p><pre class="programlisting">
@ -21,10 +21,7 @@ cmsutil -E [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,reci
cmsutil -O [-i infile] [-o outfile] [-d dbdir] [-p password] -r "cert1,cert2, . . ." cmsutil -O [-i infile] [-o outfile] [-d dbdir] [-p password] -r "cert1,cert2, . . ."
</pre><p>Sign Message Example</p><pre class="programlisting"> </pre><p>Sign Message Example</p><pre class="programlisting">
cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [-Y ekprefnick] cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [-Y ekprefnick]
</pre></div><div class="refsection"><a name="idm207694289248"></a><h2>See also</h2><p>certutil(1)</p></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p></p><p> </pre></div><div class="refsection"><a name="seealso"></a><h2>See also</h2><p>certutil(1)</p></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p>
</p><p>
</p><p>
</p></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p>
Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;. Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
</p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</p></div></div><div class="navfooter"><hr></div></body></html> </p></div></div><div class="navfooter"><hr></div></body></html>


@ -1,6 +1,6 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CRLUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CRLUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CRLUTIL</th></tr></table><hr></div><div class="refentry"><a name="crlutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>crlutil — <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CRLUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CRLUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CRLUTIL</th></tr></table><hr></div><div class="refentry"><a name="crlutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>crlutil —
List, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL. List, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL.
</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">crlutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm207693223392"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">crlutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm233261315520"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Revocation List (CRL) Management Tool, <span class="command"><strong>crlutil</strong></span>, is a command-line utility that can list, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL. </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Revocation List (CRL) Management Tool, <span class="command"><strong>crlutil</strong></span>, is a command-line utility that can list, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL.
</p><p> </p><p>
The key and certificate management process generally begins with creating keys in the key database, then generating and managing certificates in the certificate database(see certutil tool) and continues with certificates expiration or revocation. The key and certificate management process generally begins with creating keys in the key database, then generating and managing certificates in the certificate database(see certutil tool) and continues with certificates expiration or revocation.
@ -16,44 +16,42 @@ where options and arguments are combinations of the options and arguments listed
</p><p><span class="command"><strong>Options</strong></span></p><p> </p><p><span class="command"><strong>Options</strong></span></p><p>
Options specify an action. Option arguments modify an action. Options specify an action. Option arguments modify an action.
The options and arguments for the crlutil command are defined as follows: The options and arguments for the crlutil command are defined as follows:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-G </span></dt><dd><p> </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-D </span></dt><dd><p>
Create new Certificate Revocation List(CRL).
</p></dd><dt><span class="term">-D </span></dt><dd><p>
Delete Certificate Revocation List from cert database. Delete Certificate Revocation List from cert database.
</p></dd><dt><span class="term">-I </span></dt><dd><p>
Import a CRL to the cert database
</p></dd><dt><span class="term">-E </span></dt><dd><p> </p></dd><dt><span class="term">-E </span></dt><dd><p>
Erase all CRLs of specified type from the cert database Erase all CRLs of specified type from the cert database
</p></dd><dt><span class="term">-G </span></dt><dd><p>
Create new Certificate Revocation List (CRL).
</p></dd><dt><span class="term">-I </span></dt><dd><p>
Import a CRL to the cert database
</p></dd><dt><span class="term">-L </span></dt><dd><p> </p></dd><dt><span class="term">-L </span></dt><dd><p>
List existing CRL located in cert database file. List existing CRL located in cert database file.
</p></dd><dt><span class="term">-S </span></dt><dd><p>
Show contents of a CRL file which isn't stored in the database.
</p></dd><dt><span class="term">-M </span></dt><dd><p> </p></dd><dt><span class="term">-M </span></dt><dd><p>
Modify existing CRL which can be located in cert db or in arbitrary file. If located in file it should be encoded in ASN.1 encode format. Modify existing CRL which can be located in cert db or in arbitrary file. If located in file it should be encoded in ASN.1 encode format.
</p></dd><dt><span class="term">-G </span></dt><dd><p> </p></dd><dt><span class="term">-S </span></dt><dd><p>
Show contents of a CRL file which isn't stored in the database.
</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Option arguments modify an action and are lowercase.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-B </span></dt><dd><p> </p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Option arguments modify an action.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-a </span></dt><dd><p>
Bypass CA signature checks.
</p></dd><dt><span class="term">-P dbprefix </span></dt><dd><p>
Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.
</p></dd><dt><span class="term">-a </span></dt><dd><p>
Use ASCII format or allow the use of ASCII format for input and output. This formatting follows RFC #1113. Use ASCII format or allow the use of ASCII format for input and output. This formatting follows RFC #1113.
</p></dd><dt><span class="term">-B </span></dt><dd><p>
Bypass CA signature checks.
</p></dd><dt><span class="term">-c crl-gen-file </span></dt><dd><p> </p></dd><dt><span class="term">-c crl-gen-file </span></dt><dd><p>
Specify script file that will be used to control crl generation/modification. See crl-cript-file format below. If options -M|-G is used and -c crl-script-file is not specified, crlutil will read script data from standard input. Specify script file that will be used to control crl generation/modification. See crl-cript-file format below. If options -M|-G is used and -c crl-script-file is not specified, crlutil will read script data from standard input.
</p></dd><dt><span class="term">-d directory </span></dt><dd><p> </p></dd><dt><span class="term">-d directory </span></dt><dd><p>
Specify the database directory containing the certificate and key database files. On Unix the Certificate Database Tool defaults to $HOME/.netscape (that is, ~/.netscape). On Windows NT the default is the current directory. Specify the database directory containing the certificate and key database files. On Unix the Certificate Database Tool defaults to $HOME/.netscape (that is, ~/.netscape). On Windows NT the default is the current directory.
</p><p> </p><p>
The NSS database files must reside in the same directory. The NSS database files must reside in the same directory.
</p></dd><dt><span class="term">-i crl-file </span></dt><dd><p>
Specify the file which contains the CRL to import or show.
</p></dd><dt><span class="term">-f password-file </span></dt><dd><p> </p></dd><dt><span class="term">-f password-file </span></dt><dd><p>
Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file. Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file.
</p></dd><dt><span class="term">-i crl-file </span></dt><dd><p>
Specify the file which contains the CRL to import or show.
</p></dd><dt><span class="term">-l algorithm-name </span></dt><dd><p> </p></dd><dt><span class="term">-l algorithm-name </span></dt><dd><p>
Specify a specific signature algorithm. List of possible algorithms: MD2 | MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512 Specify a specific signature algorithm. List of possible algorithms: MD2 | MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512
</p></dd><dt><span class="term">-n nickname </span></dt><dd><p> </p></dd><dt><span class="term">-n nickname </span></dt><dd><p>
Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces. Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.
</p></dd><dt><span class="term">-o output-file </span></dt><dd><p> </p></dd><dt><span class="term">-o output-file </span></dt><dd><p>
Specify the output file name for new CRL. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output. Specify the output file name for new CRL. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.
</p></dd><dt><span class="term">-P dbprefix </span></dt><dd><p>
Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.
</p></dd><dt><span class="term">-t crl-type </span></dt><dd><p> </p></dd><dt><span class="term">-t crl-type </span></dt><dd><p>
Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 - SEC_CRL_TYPE. This option is obsolete Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 - SEC_CRL_TYPE. This option is obsolete
</p></dd><dt><span class="term">-u url </span></dt><dd><p> </p></dd><dt><span class="term">-u url </span></dt><dd><p>
@ -103,7 +101,7 @@ Implemented Extensions
</p><p> </p><p>
* Add The Authority Key Identifier extension: * Add The Authority Key Identifier extension:
</p><p> </p><p>
The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL. The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL.
</p><p> </p><p>
authKeyId critical [key-id | dn cert-serial] authKeyId critical [key-id | dn cert-serial]
</p><p> </p><p>
@ -200,10 +198,7 @@ crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbpr
* Import CRL from file: * Import CRL from file:
</p><pre class="programlisting"> </p><pre class="programlisting">
crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B] crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B]
</pre></div><div class="refsection"><a name="idm207692123648"></a><h2>See also</h2><p>certutil(1)</p></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p></p><p> </pre></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p>certutil(1)</p></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p>
</p><p>
</p><p>
</p></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p>
Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;. Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
</p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</p></div></div><div class="navfooter"><hr></div></body></html> </p></div></div><div class="navfooter"><hr></div></body></html>

File diff suppressed because one or more lines are too long


@ -1,13 +1,9 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PK12UTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PK12UTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PK12UTIL</th></tr></table><hr></div><div class="refentry"><a name="pk12util"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pk12util</code> [-i p12File [-h tokenname] [-v] [common-options] ] [ <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PK12UTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PK12UTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PK12UTIL</th></tr></table><hr></div><div class="refentry"><a name="pk12util"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pk12util</code> [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p></div></div><div class="refsection"><a name="idm233250345408"></a><h2>STATUS</h2><p>This documentation is still work in progress. 
Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
-l p12File [-h tokenname] [-r] [common-options] ] [ </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS#12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS#12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS#12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the key cert (overall package) encryption algorithm.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). 
If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-m | --key-len keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case.
-o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [common-options] ] [ Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-r</span></dt><dd><p>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</p></dd><dt><span class="term">-v </span></dt><dd><p>Enable debug logging when importing.</p></dd><dt><span class="term">-w p12filePasswordFile</span></dt><dd><p>Specify the text file containing the pkcs #12 file password.</p></dd><dt><span class="term">-W p12filePassword</span></dt><dd><p>Specify the pkcs #12 file password.</p></dd></dl></div></div><div class="refsection"><a name="return-codes"></a><h2>Return Codes</h2><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> 0 - No error</p></li><li class="listitem"><p> 1 - User Cancelled</p></li><li class="listitem"><p> 2 - Usage error</p></li><li class="listitem"><p> 6 - NLS init error</p></li><li class="listitem"><p> 8 - Certificate DB open error</p></li><li class="listitem"><p> 9 - Key DB open error</p></li><li class="listitem"><p> 10 - File initialization error</p></li><li class="listitem"><p> 11 - Unicode conversion error</p></li><li class="listitem"><p> 12 - Temporary file creation error</p></li><li class="listitem"><p> 13 - PKCS11 get slot error</p></li><li class="listitem"><p> 14 - PKCS12 decoder start error</p></li><li class="listitem"><p> 15 - error read from import file</p></li><li class="listitem"><p> 16 - pkcs12 decode error</p></li><li class="listitem"><p> 17 - pkcs12 decoder verify error</p></li><li class="listitem"><p> 18 - pkcs12 decoder validate bags error</p></li><li class="listitem"><p> 19 - pkcs12 decoder import bags error</p></li><li class="listitem"><p> 20 - 
key db conversion version 3 to version 2 error</p></li><li class="listitem"><p> 21 - cert db conversion version 7 to version 5 error</p></li><li class="listitem"><p> 22 - cert and key dbs patch error</p></li><li class="listitem"><p> 23 - get default cert db error</p></li><li class="listitem"><p> 24 - find cert by nickname error</p></li><li class="listitem"><p> 25 - create export context error</p></li><li class="listitem"><p> 26 - PKCS12 add password itegrity error</p></li><li class="listitem"><p> 27 - cert and key Safes creation error</p></li><li class="listitem"><p> 28 - PKCS12 add cert and key error</p></li><li class="listitem"><p> 29 - PKCS12 encode error</p></li></ul></div></div><div class="refsection"><a name="examples"></a><h2>Examples</h2><p><span class="command"><strong>Importing Keys and Certificates</strong></span></p><p>The most basic usage of <span class="command"><strong>pk12util</strong></span> for importing a certificate or key is the PKCS#12 input file (<code class="option">-i</code>) and some way to specify the security database being accessed (either <code class="option">-d</code> for a directory or <code class="option">-h</code> for a token).
</p><p>
common-options are: pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
[-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] </p><p>For example:</p><p> </p><pre class="programlisting"># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
]</p></div></div><div class="refsection"><a name="idm224682436944"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS#12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS#12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS#12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). 
If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case.
Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-v </span></dt><dd><p>Enable debug logging when importing.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-w p12filePasswordFile</span></dt><dd><p>Specify the text file containing the pkcs #12 file password.</p></dd><dt><span class="term">-W p12filePassword</span></dt><dd><p>Specify the pkcs #12 file password.</p></dd><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the key cert (overall package) encryption algorithm.</p></dd><dt><span class="term">-m | --key-len keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-r</span></dt><dd><p>Dumps all of the data in raw (binary) form. This must be saved as a DER file. 
The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</p></dd></dl></div></div><div class="refsection"><a name="return-codes"></a><h2>Return Codes</h2><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> 0 - No error</p></li><li class="listitem"><p> 1 - User Cancelled</p></li><li class="listitem"><p> 2 - Usage error</p></li><li class="listitem"><p> 6 - NLS init error</p></li><li class="listitem"><p> 8 - Certificate DB open error</p></li><li class="listitem"><p> 9 - Key DB open error</p></li><li class="listitem"><p> 10 - File initialization error</p></li><li class="listitem"><p> 11 - Unicode conversion error</p></li><li class="listitem"><p> 12 - Temporary file creation error</p></li><li class="listitem"><p> 13 - PKCS11 get slot error</p></li><li class="listitem"><p> 14 - PKCS12 decoder start error</p></li><li class="listitem"><p> 15 - error read from import file</p></li><li class="listitem"><p> 16 - pkcs12 decode error</p></li><li class="listitem"><p> 17 - pkcs12 decoder verify error</p></li><li class="listitem"><p> 18 - pkcs12 decoder validate bags error</p></li><li class="listitem"><p> 19 - pkcs12 decoder import bags error</p></li><li class="listitem"><p> 20 - key db conversion version 3 to version 2 error</p></li><li class="listitem"><p> 21 - cert db conversion version 7 to version 5 error</p></li><li class="listitem"><p> 22 - cert and key dbs patch error</p></li><li class="listitem"><p> 23 - get default cert db error</p></li><li class="listitem"><p> 24 - find cert by nickname error</p></li><li class="listitem"><p> 25 - create export context error</p></li><li class="listitem"><p> 26 - PKCS12 add password itegrity error</p></li><li class="listitem"><p> 27 - cert and key Safes creation error</p></li><li class="listitem"><p> 28 - PKCS12 add cert and key error</p></li><li class="listitem"><p> 29 - PKCS12 encode 
error</p></li></ul></div></div><div class="refsection"><a name="examples"></a><h2>Examples</h2><p><span class="command"><strong>Importing Keys and Certificates</strong></span></p><p>The most basic usage of <span class="command"><strong>pk12util</strong></span> for importing a certificate or key is the PKCS#12 input file (<code class="option">-i</code>) and some way to specify the security database being accessed (either <code class="option">-d</code> for a directory or <code class="option">-h</code> for a token).
</p><pre class="programlisting">pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</pre><p>For example:</p><pre class="programlisting"># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
Enter a password which will be used to encrypt your keys. Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long, The password should be at least 8 characters long,
@ -17,10 +13,10 @@ Enter new password:
Re-enter password: Re-enter password:
Enter password for PKCS12 file: Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL</pre><p><span class="command"><strong>Exporting Keys and Certificates</strong></span></p><p>Using the <span class="command"><strong>pk12util</strong></span> command to export certificates and keys requires both the name of the certificate to extract from the database (<code class="option">-n</code>) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material. pk12util: PKCS12 IMPORT SUCCESSFUL</pre><p><span class="command"><strong>Exporting Keys and Certificates</strong></span></p><p>Using the <span class="command"><strong>pk12util</strong></span> command to export certificates and keys requires both the name of the certificate to extract from the database (<code class="option">-n</code>) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material.
</p><pre class="programlisting">pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</pre><p>For example:</p><pre class="programlisting"># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb </p><p>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p><p>For example:</p><pre class="programlisting"># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb
Enter password for PKCS12 file: Enter password for PKCS12 file:
Re-enter password: </pre><p><span class="command"><strong>Listing Keys and Certificates</strong></span></p><p>The information in a <code class="filename">.p12</code> file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the <code class="filename">.p12</code> file. Re-enter password: </pre><p><span class="command"><strong>Listing Keys and Certificates</strong></span></p><p>The information in a <code class="filename">.p12</code> file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the <code class="filename">.p12</code> file.
</p><pre class="programlisting">pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</pre><p>For example, this prints the default ASCII output:</p><pre class="programlisting"># pk12util -l certs.p12 </p><p>pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p><p>For example, this prints the default ASCII output:</p><pre class="programlisting"># pk12util -l certs.p12
Enter password for PKCS12 file: Enter password for PKCS12 file:
Key(shrouded): Key(shrouded):
@ -39,7 +35,7 @@ Certificate:
Issuer: "E=personal-freemail@thawte.com,CN=Thawte Personal Freemail C Issuer: "E=personal-freemail@thawte.com,CN=Thawte Personal Freemail C
A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T
own,ST=Western Cape,C=ZA" own,ST=Western Cape,C=ZA"
....</pre><p>Alternatively, the <code class="option">-r</code> prints the certificates and then exports them into separate DER binary files. This allows the certificates to be fed to another application that supports <code class="filename">.p12</code> files. Each certificate is written to a sequentially-number file, beginning with <code class="filename">file0001.der</code> and continuing through <code class="filename">file000N.der</code>, incrementing the number for every certificate:</p><pre class="programlisting"># pk12util -l test.p12 -r </pre><p>Alternatively, the <code class="option">-r</code> prints the certificates and then exports them into separate DER binary files. This allows the certificates to be fed to another application that supports <code class="filename">.p12</code> files. Each certificate is written to a sequentially-number file, beginning with <code class="filename">file0001.der</code> and continuing through <code class="filename">file000N.der</code>, incrementing the number for every certificate:</p><pre class="programlisting">pk12util -l test.p12 -r
Enter password for PKCS12 file: Enter password for PKCS12 file:
Key(shrouded): Key(shrouded):
Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
@ -51,7 +47,8 @@ Key(shrouded):
Iteration Count: 1 (0x1) Iteration Count: 1 (0x1)
Certificate Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting Certificate Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting
Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID</pre></div><div class="refsection"><a name="encryption"></a><h2>Password Encryption</h2><p>PKCS#12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package. If no algorithm is specified, the tool defaults to using <span class="command"><strong>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</strong></span> for private key encryption. <span class="command"><strong>PKCS12 V2 PBE with SHA1 and 40 Bit RC4</strong></span> is the default for the overall package encryption when not in FIPS mode. When in FIPS mode, there is no package encryption.</p><p>The private key is always protected with strong encryption by default.</p><p>Several types of ciphers are supported.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">Symmetric CBC ciphers for PKCS#5 V2</span></dt><dd><p>DES_CBC</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>RC2-CBC</p></li><li class="listitem"><p>RC5-CBCPad</p></li><li class="listitem"><p>DES-EDE3-CBC (the default for key encryption)</p></li><li class="listitem"><p>AES-128-CBC</p></li><li class="listitem"><p>AES-192-CBC</p></li><li class="listitem"><p>AES-256-CBC</p></li><li class="listitem"><p>CAMELLIA-128-CBC</p></li><li class="listitem"><p>CAMELLIA-192-CBC</p></li><li class="listitem"><p>CAMELLIA-256-CBC</p></li></ul></div></dd><dt><span class="term">PKCS#12 PBE ciphers</span></dt><dd><p>PKCS #12 PBE with Sha1 and 128 Bit RC4</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>PKCS #12 PBE with Sha1 and 40 Bit RC4</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and Triple DES CBC</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 
and 128 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</p></li></ul></div></dd><dt><span class="term">PKCS#5 PBE ciphers</span></dt><dd><p>PKCS #5 Password Based Encryption with MD2 and DES CBC</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>PKCS #5 Password Based Encryption with MD5 and DES CBC</p></li><li class="listitem"><p>PKCS #5 Password Based Encryption with SHA1 and DES CBC</p></li></ul></div></dd></dl></div><p>With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <span class="emphasis"><em>no security module can perform the requested operation</em></span>.</p></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information. Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
</pre></div><div class="refsection"><a name="encryption"></a><h2>Password Encryption</h2><p>PKCS#12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package. If no algorithm is specified, the tool defaults to using <span class="command"><strong>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</strong></span> for private key encryption. <span class="command"><strong>PKCS12 V2 PBE with SHA1 and 40 Bit RC4</strong></span> is the default for the overall package encryption when not in FIPS mode. When in FIPS mode, there is no package encryption.</p><p>The private key is always protected with strong encryption by default.</p><p>Several types of ciphers are supported.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">Symmetric CBC ciphers for PKCS#5 V2</span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>DES-CBC</p></li><li class="listitem"><p>RC2-CBC</p></li><li class="listitem"><p>RC5-CBCPad</p></li><li class="listitem"><p>DES-EDE3-CBC (the default for key encryption)</p></li><li class="listitem"><p>AES-128-CBC</p></li><li class="listitem"><p>AES-192-CBC</p></li><li class="listitem"><p>AES-256-CBC</p></li><li class="listitem"><p>CAMELLIA-128-CBC</p></li><li class="listitem"><p>CAMELLIA-192-CBC</p></li><li class="listitem"><p>CAMELLIA-256-CBC</p></li></ul></div></dd><dt><span class="term">PKCS#12 PBE ciphers</span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>PKCS #12 PBE with Sha1 and 128 Bit RC4</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and 40 Bit RC4</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and Triple DES CBC</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</p></li><li 
class="listitem"><p>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</p></li></ul></div></dd><dt><span class="term">PKCS#5 PBE ciphers</span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>PKCS #5 Password Based Encryption with MD2 and DES CBC</p></li><li class="listitem"><p>PKCS #5 Password Based Encryption with MD5 and DES CBC</p></li><li class="listitem"><p>PKCS #5 Password Based Encryption with SHA1 and DES CBC</p></li></ul></div></dd></dl></div><p>With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <span class="emphasis"><em>no security module can perform the requested operation</em></span>.</p></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information.
The last versions of these <span class="emphasis"><em>legacy</em></span> databases are:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> The last versions of these <span class="emphasis"><em>legacy</em></span> databases are:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
cert8.db for certificates cert8.db for certificates
</p></li><li class="listitem"><p> </p></li><li class="listitem"><p>


@ -1,7 +1,7 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PP</th></tr></table><hr></div><div class="refentry"><a name="pp"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pp — Prints certificates, keys, crls, and pkcs7 files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pp -t type [-a] [-i input] [-o output]</code> </p></div></div><div class="refsection"><a name="idm224681757664"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PP</th></tr></table><hr></div><div class="refentry"><a name="pp"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pp — Prints certificates, keys, crls, and pkcs7 files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pp -t type [-a] [-i input] [-o output]</code> </p></div></div><div class="refsection"><a name="idm233254308544"></a><h2>STATUS</h2><p>This documentation is still work in progress. 
Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="idm224678000880"></a><h2>Description</h2><p><span class="command"><strong>pp </strong></span>pretty-prints private and public key, certificate, certificate-request, </p></div><div class="refsection"><a name="idm233250605968"></a><h2>Description</h2><p><span class="command"><strong>pp </strong></span>pretty-prints private and public key, certificate, certificate-request,
pkcs7 or crl files pkcs7 or crl files
</p></div><div class="refsection"><a name="idm224677998992"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-t </code> <em class="replaceable"><code>type</code></em></span></dt><dd><p class="simpara">specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}</p><p class="simpara"></p></dd><dt><span class="term"><code class="option">-a </code></span></dt><dd>Input is in ascii encoded form (RFC1113)</dd><dt><span class="term"><code class="option">-i </code> <em class="replaceable"><code>inputfile</code></em></span></dt><dd>Define an input file to use (default is stdin)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>outputfile</code></em></span></dt><dd>Define an output file to use (default is stdout)</dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <a class="ulink" href="http://pki.fedoraproject.org/wiki/" target="_top">PKI Wiki</a>. </p><p>For information specifically about NSS, the NSS project wiki is located at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">Mozilla NSS site</a>. 
The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p> </p></div><div class="refsection"><a name="idm233250603984"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-t </code> <em class="replaceable"><code>type</code></em></span></dt><dd><p class="simpara">specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}</p><p class="simpara"></p></dd><dt><span class="term"><code class="option">-a </code></span></dt><dd>Input is in ascii encoded form (RFC1113)</dd><dt><span class="term"><code class="option">-i </code> <em class="replaceable"><code>inputfile</code></em></span></dt><dd>Define an input file to use (default is stdin)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>outputfile</code></em></span></dt><dd>Define an output file to use (default is stdout)</dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <a class="ulink" href="http://pki.fedoraproject.org/wiki/" target="_top">PKI Wiki</a>. </p><p>For information specifically about NSS, the NSS project wiki is located at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">Mozilla NSS site</a>. 
The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p>
Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;. Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
</p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</p></div></div><div class="navfooter"><hr></div></body></html> </p></div></div><div class="navfooter"><hr></div></body></html>


@ -1,4 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>signtool</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="signtool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">signtool</th></tr></table><hr></div><div class="refentry"><a name="signtool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signtool — Digitally sign objects and files.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> [-k keyName] [[-h]] [[-H]] [[-l]] [[-L]] [[-M]] [[-v]] [[-w]] [[-G nickname]] [[--keysize | -s size]] [[-b basename]] [[-c Compression Level] ] [[-d cert-dir] ] [[-i installer script] ] [[-m metafile] ] [[-x name] ] [[-f filename] ] [[-t|--token tokenname] ] [[-e extension] ] [[-o] ] [[-z] ] [[-X] ] [[--outfile] ] [[--verbose value] ] [[--norecurse] ] [[--leavearc] ] [[-j directory] ] [[-Z jarfile] ] [[-O] ] [[-p password] ] [directory-tree] [archive]</p></div></div><div class="refsection"><a name="idm224666150896"></a><h2>STATUS</h2><p>This documentation is still work in progress. 
Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>signtool</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="signtool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">signtool</th></tr></table><hr></div><div class="refentry"><a name="signtool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signtool — Digitally sign objects and files.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> [[-b basename]] [[-c Compression Level] ] [[-d cert-dir] ] [[-e extension] ] [[-f filename] ] [[-i installer script] ] [[-h]] [[-H]] [[-v]] [[-w]] [[-G nickname]] [[-J]] [[-j directory] ] [-k keyName] [[--keysize | -s size]] [[-l]] [[-L]] [[-M]] [[-m metafile] ] [[--norecurse] ] [[-O] ] [[-o] ] [[--outfile] ] [[-p password] ] [[-t|--token tokenname] ] [[-z] ] [[-X] ] [[-x name] ] [[--verbose value] ] [[--leavearc] ] [[-Z jarfile] ] [directory-tree] [archive]</p></div></div><div class="refsection"><a name="idm233257546416"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signing Tool, <span class="command"><strong>signtool</strong></span>, creates digital signatures and uses a Java Archive (JAR) file to associate the signatures with files in a directory. Electronic software distribution over any network involves potential security problems. To help address some of these problems, you can associate digital signatures with the files in a JAR archive. Digital signatures allow SSL-enabled clients to perform two important operations:</p><p>* Confirm the identity of the individual, company, or other entity whose digital signature is associated with the files</p><p>* Check whether the files have been tampered with since being signed</p><p>If you have a signing certificate, you can use Netscape Signing Tool to digitally sign files and package them as a JAR file. An object-signing certificate is a special kind of certificate that allows you to associate your digital signature with one or more files.</p><p>An individual file can potentially be signed with multiple digital signatures. For example, a commercial software developer might sign the files that constitute a software product to prove that the files are indeed from a particular company. A network administrator manager might sign the same files with an additional digital signature based on a company-generated certificate to indicate that the product is approved for use within the company.</p><p>The significance of a digital signature is comparable to the significance of a handwritten signature. Once you have signed a file, it is difficult to claim later that you didn't sign it. In some situations, a digital signature may be considered as legally binding as a handwritten signature. 
Therefore, you should take great care to ensure that you can stand behind any file you sign and distribute.</p><p>For example, if you are a software developer, you should test your code to make sure it is virus-free before signing it. Similarly, if you are a network administrator, you should make sure, before signing any code, that it comes from a reliable source and will run correctly with the software installed on the machines to which you are distributing it.</p><p>Before you can use Netscape Signing Tool to sign files, you must have an object-signing certificate, which is a special certificate whose associated private key is used to create digital signatures. For testing purposes only, you can create an object-signing certificate with Netscape Signing Tool 1.3. When testing is finished and you are ready to disitribute your software, you should obtain an object-signing certificate from one of two kinds of sources:</p><p>* An independent certificate authority (CA) that authenticates your identity and charges you a fee. You typically get a certificate from an independent CA if you want to sign software that will be distributed over the Internet.</p><p>* CA server software running on your corporate intranet or extranet. Netscape Certificate Management System provides a complete management solution for creating, deploying, and managing certificates, including CAs that issue object-signing certificates.</p><p>You must also have a certificate for the CA that issues your signing certificate before you can sign files. If the certificate authority's certificate isn't already installed in your copy of Communicator, you typically install it by clicking the appropriate link on the certificate authority's web site, for example on the page from which you initiated enrollment for your signing certificate. 
This is the case for some test certificates, as well as certificates issued by Netscape Certificate Management System: you must download the the CA certificate in addition to obtaining your own signing certificate. CA certificates for several certificate authorities are preinstalled in the Communicator certificate database.</p><p>When you receive an object-signing certificate for your own use, it is automatically installed in your copy of the Communicator client software. Communicator supports the public-key cryptography standard known as PKCS #12, which governs key portability. You can, for example, move an object-signing certificate and its associated private key from one computer to another on a credit-card-sized device called a smart card.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-b basename</span></dt><dd><p>Specifies the base filename for the .rsa and .sf files in the META-INF directory to conform with the JAR format. For example, <span class="emphasis"><em>-b signatures</em></span> causes the files to be named signatures.rsa and signatures.sf. The default is signtool.</p></dd><dt><span class="term">-c#</span></dt><dd><p> </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signing Tool, <span class="command"><strong>signtool</strong></span>, creates digital signatures and uses a Java Archive (JAR) file to associate the signatures with files in a directory. Electronic software distribution over any network involves potential security problems. To help address some of these problems, you can associate digital signatures with the files in a JAR archive. 
Digital signatures allow SSL-enabled clients to perform two important operations:</p><p>* Confirm the identity of the individual, company, or other entity whose digital signature is associated with the files</p><p>* Check whether the files have been tampered with since being signed</p><p>If you have a signing certificate, you can use Netscape Signing Tool to digitally sign files and package them as a JAR file. An object-signing certificate is a special kind of certificate that allows you to associate your digital signature with one or more files.</p><p>An individual file can potentially be signed with multiple digital signatures. For example, a commercial software developer might sign the files that constitute a software product to prove that the files are indeed from a particular company. A network administrator manager might sign the same files with an additional digital signature based on a company-generated certificate to indicate that the product is approved for use within the company.</p><p>The significance of a digital signature is comparable to the significance of a handwritten signature. Once you have signed a file, it is difficult to claim later that you didn't sign it. In some situations, a digital signature may be considered as legally binding as a handwritten signature. Therefore, you should take great care to ensure that you can stand behind any file you sign and distribute.</p><p>For example, if you are a software developer, you should test your code to make sure it is virus-free before signing it. Similarly, if you are a network administrator, you should make sure, before signing any code, that it comes from a reliable source and will run correctly with the software installed on the machines to which you are distributing it.</p><p>Before you can use Netscape Signing Tool to sign files, you must have an object-signing certificate, which is a special certificate whose associated private key is used to create digital signatures. 
For testing purposes only, you can create an object-signing certificate with Netscape Signing Tool 1.3. When testing is finished and you are ready to disitribute your software, you should obtain an object-signing certificate from one of two kinds of sources:</p><p>* An independent certificate authority (CA) that authenticates your identity and charges you a fee. You typically get a certificate from an independent CA if you want to sign software that will be distributed over the Internet.</p><p>* CA server software running on your corporate intranet or extranet. Netscape Certificate Management System provides a complete management solution for creating, deploying, and managing certificates, including CAs that issue object-signing certificates.</p><p>You must also have a certificate for the CA that issues your signing certificate before you can sign files. If the certificate authority's certificate isn't already installed in your copy of Communicator, you typically install it by clicking the appropriate link on the certificate authority's web site, for example on the page from which you initiated enrollment for your signing certificate. This is the case for some test certificates, as well as certificates issued by Netscape Certificate Management System: you must download the the CA certificate in addition to obtaining your own signing certificate. CA certificates for several certificate authorities are preinstalled in the Communicator certificate database.</p><p>When you receive an object-signing certificate for your own use, it is automatically installed in your copy of the Communicator client software. Communicator supports the public-key cryptography standard known as PKCS #12, which governs key portability. 
You can, for example, move an object-signing certificate and its associated private key from one computer to another on a credit-card-sized device called a smart card.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-b basename</span></dt><dd><p>Specifies the base filename for the .rsa and .sf files in the META-INF directory to conform with the JAR format. For example, <span class="emphasis"><em>-b signatures</em></span> causes the files to be named signatures.rsa and signatures.sf. The default is signtool.</p></dd><dt><span class="term">-c#</span></dt><dd><p>
Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes. Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes.
@ -11,9 +11,25 @@ The Unix version of signtool assumes ~/.netscape unless told otherwise. The NT v
Tells signtool to sign only files with the given extension; for example, use -e".class" to sign only Java class files. Note that with Netscape Signing Tool version 1.1 and later this option can appear multiple times on one command line, making it possible to specify multiple file types or classes to include. Tells signtool to sign only files with the given extension; for example, use -e".class" to sign only Java class files. Note that with Netscape Signing Tool version 1.1 and later this option can appear multiple times on one command line, making it possible to specify multiple file types or classes to include.
</p></dd><dt><span class="term">-f commandfile</span></dt><dd><p> </p></dd><dt><span class="term">-f commandfile</span></dt><dd><p>
Specifies a text file containing Netscape Signing Tool options and arguments in keyword=value format. All options and arguments can be expressed through this file. For more information about the syntax used with this file, see "Tips and Techniques". Specifies a text file containing Netscape Signing Tool options and arguments in keyword=value format. All options and arguments can be expressed through this file. For more information about the syntax used with this file, see "Tips and Techniques".
</p></dd><dt><span class="term">-i scriptname</span></dt><dd><p> </p></dd><dt><span class="term">-G nickname</span></dt><dd><p>
Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script. Generates a new private-public key pair and corresponding object-signing certificate with the given nickname.
</p></dd><dt><span class="term">-j directory</span></dt><dd><p>
The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.
Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects.
The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token.
</p></dd><dt><span class="term">-i scriptname</span></dt><dd><p>
Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script.
</p></dd><dt><span class="term">-J</span></dt><dd><p>
Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once.
The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option.
If the -c# option is not used with the -J option, the default compression value is 6.
Note that versions 1.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages.
</p></dd><dt><span class="term">-j directory</span></dt><dd><p>
Specifies a special JavaScript directory. This option causes the specified directory to be signed and tags its entries as inline JavaScript. This special type of entry does not have to appear in the JAR file itself. Instead, it is located in the HTML page containing the inline scripts. When you use signtool -v, these entries are displayed with the string NOT PRESENT. Specifies a special JavaScript directory. This option causes the specified directory to be signed and tags its entries as inline JavaScript. This special type of entry does not have to appear in the JAR file itself. Instead, it is located in the HTML page containing the inline scripts. When you use signtool -v, these entries are displayed with the string NOT PRESENT.
</p></dd><dt><span class="term">-k key ... directory</span></dt><dd><p> </p></dd><dt><span class="term">-k key ... directory</span></dt><dd><p>
Specifies the nickname (key) of the certificate you want to sign with and signs the files in the specified directory. The directory to sign is always specified as the last command-line argument. Thus, it is possible to write Specifies the nickname (key) of the certificate you want to sign with and signs the files in the specified directory. The directory to sign is always specified as the last command-line argument. Thus, it is possible to write
@ -23,26 +39,10 @@ signtool -k MyCert -d . signdir
You may have trouble if the nickname contains a single quotation mark. To avoid problems, escape the quotation mark using the escape conventions for your platform. You may have trouble if the nickname contains a single quotation mark. To avoid problems, escape the quotation mark using the escape conventions for your platform.
It's also possible to use the -k option without signing any files or specifying a directory. For example, you can use it with the -l option to get detailed information about a particular signing certificate. It's also possible to use the -k option without signing any files or specifying a directory. For example, you can use it with the -l option to get detailed information about a particular signing certificate.
</p></dd><dt><span class="term">-G nickname</span></dt><dd><p>
Generates a new private-public key pair and corresponding object-signing certificate with the given nickname.
The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.
Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects.
The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token. For more information about the use of the -G option, see "Generating Test Object-Signing Certificates""Generating Test Object-Signing Certificates" on page 1241.
</p></dd><dt><span class="term">-l</span></dt><dd><p> </p></dd><dt><span class="term">-l</span></dt><dd><p>
Lists signing certificates, including issuing CAs. If any of your certificates are expired or invalid, the list will so specify. This option can be used with the -k option to list detailed information about a particular signing certificate. Lists signing certificates, including issuing CAs. If any of your certificates are expired or invalid, the list will so specify. This option can be used with the -k option to list detailed information about a particular signing certificate.
The -l option is available in Netscape Signing Tool 1.0 and later versions only. The -l option is available in Netscape Signing Tool 1.0 and later versions only.
</p></dd><dt><span class="term">-J</span></dt><dd><p>
Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once.
The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option.
If the -c# option is not used with the -J option, the default compression value is 6.
Note that versions 1.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages.
</p></dd><dt><span class="term">-L</span></dt><dd><p> </p></dd><dt><span class="term">-L</span></dt><dd><p>
Lists the certificates in your database. An asterisk appears to the left of the nickname for any certificate that can be used to sign objects with signtool. Lists the certificates in your database. An asterisk appears to the left of the nickname for any certificate that can be used to sign objects with signtool.
</p></dd><dt><span class="term">--leavearc</span></dt><dd><p> </p></dd><dt><span class="term">--leavearc</span></dt><dd><p>


@ -1,7 +1,7 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SIGNVER</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SIGNVER"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SIGNVER</th></tr></table><hr></div><div class="refentry"><a name="signver"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signver — Verify a detached PKCS#7 signature for a file.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> -A | -V -d <em class="replaceable"><code>directory</code></em> [-a] [-i <em class="replaceable"><code>input_file</code></em>] [-o <em class="replaceable"><code>output_file</code></em>] [-s <em class="replaceable"><code>signature_file</code></em>] [-v]</p></div></div><div class="refsection"><a name="idm224680848704"></a><h2>STATUS</h2><p>This documentation is still work in progress. 
Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SIGNVER</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SIGNVER"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SIGNVER</th></tr></table><hr></div><div class="refentry"><a name="signver"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signver — Verify a detached PKCS#7 signature for a file.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> -A | -V -d <em class="replaceable"><code>directory</code></em> [-a] [-i <em class="replaceable"><code>input_file</code></em>] [-o <em class="replaceable"><code>output_file</code></em>] [-s <em class="replaceable"><code>signature_file</code></em>] [-v]</p></div></div><div class="refsection"><a name="idm233257229808"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signature Verification Tool, <span class="command"><strong>signver</strong></span>, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A</span></dt><dd><p>Displays all of the information in the PKCS#7 signature.</p></dd><dt><span class="term">-V</span></dt><dd><p>Verifies the digital signature.</p></dd><dt><span class="term">-d [sql:]<span class="emphasis"><em>directory</em></span></span></dt><dd><p>Specify the database directory which contains the certificates and keys.</p><p><span class="command"><strong>signver</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). 
If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-a</span></dt><dd><p>Sets that the given signature file is in ASCII format.</p></dd><dt><span class="term">-i <span class="emphasis"><em>input_file</em></span></span></dt><dd><p>Gives the input file for the object with signed data.</p></dd><dt><span class="term">-o <span class="emphasis"><em>output_file</em></span></span></dt><dd><p>Gives the output file to which to write the results.</p></dd><dt><span class="term">-s <span class="emphasis"><em>signature_file</em></span></span></dt><dd><p>Gives the input file for the digital signature.</p></dd><dt><span class="term">-v</span></dt><dd><p>Enables verbose output.</p></dd></dl></div></div><div class="refsection"><a name="examples"></a><h2>Extended Examples</h2><div class="refsection"><a name="idm224681951616"></a><h3>Verifying a Signature</h3><p>The <code class="option">-V</code> option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).</p><pre class="programlisting">signver -V -s <em class="replaceable"><code>signature_file</code></em> -i <em class="replaceable"><code>signed_file</code></em> -d sql:/home/my/sharednssdb </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signature Verification Tool, <span class="command"><strong>signver</strong></span>, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. 
The Signature Verification Tool can also display the contents of the signed object.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A</span></dt><dd><p>Displays all of the information in the PKCS#7 signature.</p></dd><dt><span class="term">-V</span></dt><dd><p>Verifies the digital signature.</p></dd><dt><span class="term">-d [sql:]<span class="emphasis"><em>directory</em></span></span></dt><dd><p>Specify the database directory which contains the certificates and keys.</p><p><span class="command"><strong>signver</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-a</span></dt><dd><p>Sets that the given signature file is in ASCII format.</p></dd><dt><span class="term">-i <span class="emphasis"><em>input_file</em></span></span></dt><dd><p>Gives the input file for the object with signed data.</p></dd><dt><span class="term">-o <span class="emphasis"><em>output_file</em></span></span></dt><dd><p>Gives the output file to which to write the results.</p></dd><dt><span class="term">-s <span class="emphasis"><em>signature_file</em></span></span></dt><dd><p>Gives the input file for the digital signature.</p></dd><dt><span class="term">-v</span></dt><dd><p>Enables verbose output.</p></dd></dl></div></div><div class="refsection"><a name="examples"></a><h2>Extended Examples</h2><div class="refsection"><a name="idm233261091008"></a><h3>Verifying a Signature</h3><p>The <code class="option">-V</code> option 
verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).</p><pre class="programlisting">signver -V -s <em class="replaceable"><code>signature_file</code></em> -i <em class="replaceable"><code>signed_file</code></em> -d sql:/home/my/sharednssdb
signatureValid=yes</pre></div><div class="refsection"><a name="idm224679496656"></a><h3>Printing Signature Data</h3><p> signatureValid=yes</pre></div><div class="refsection"><a name="idm233261087840"></a><h3>Printing Signature Data</h3><p>
The <code class="option">-A</code> option prints all of the information contained in a signature file. Using the <code class="option">-o</code> option prints the signature file information to the given output file rather than stdout. The <code class="option">-A</code> option prints all of the information contained in a signature file. Using the <code class="option">-o</code> option prints the signature file information to the given output file rather than stdout.
</p><pre class="programlisting">signver -A -s <em class="replaceable"><code>signature_file</code></em> -o <em class="replaceable"><code>output_file</code></em></pre></div></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information. </p><pre class="programlisting">signver -A -s <em class="replaceable"><code>signature_file</code></em> -o <em class="replaceable"><code>output_file</code></em></pre></div></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information.
The last versions of these <span class="emphasis"><em>legacy</em></span> databases are:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> The last versions of these <span class="emphasis"><em>legacy</em></span> databases are:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
@ -20,7 +20,7 @@ BerkleyDB. These new databases provide more accessibility and performance:</p><d
</p></li><li class="listitem"><p> </p></li><li class="listitem"><p>
pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
</p></li></ul></div><p>Because the SQLite databases are designed to be shared, these are the <span class="emphasis"><em>shared</em></span> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</p><p>By default, the tools (<span class="command"><strong>certutil</strong></span>, <span class="command"><strong>pk12util</strong></span>, <span class="command"><strong>modutil</strong></span>) assume that the given security databases follow the more common legacy type. </p></li></ul></div><p>Because the SQLite databases are designed to be shared, these are the <span class="emphasis"><em>shared</em></span> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</p><p>By default, the tools (<span class="command"><strong>certutil</strong></span>, <span class="command"><strong>pk12util</strong></span>, <span class="command"><strong>modutil</strong></span>) assume that the given security databases follow the more common legacy type.
Using the SQLite databases must be manually specified by using the <span class="command"><strong>sql:</strong></span> prefix with the given security directory. For example:</p><pre class="programlisting"># signver -A -s <em class="replaceable"><code>signature</code></em> -d sql:/home/my/sharednssdb</pre><p>To set the shared database type as the default type for the tools, set the <code class="envar">NSS_DEFAULT_DB_TYPE</code> environment variable to <code class="envar">sql</code>:</p><pre class="programlisting">export NSS_DEFAULT_DB_TYPE="sql"</pre><p>This line can be set added to the <code class="filename">~/.bashrc</code> file to make the change permanent.</p><p>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> Using the SQLite databases must be manually specified by using the <span class="command"><strong>sql:</strong></span> prefix with the given security directory. For example:</p><pre class="programlisting"># signver -A -s <em class="replaceable"><code>signature</code></em> -d sql:/home/my/sharednssdb</pre><p>To set the shared database type as the default type for the tools, set the <code class="envar">NSS_DEFAULT_DB_TYPE</code> environment variable to <code class="envar">sql</code>:</p><pre class="programlisting">export NSS_DEFAULT_DB_TYPE="sql"</pre><p>This line can be added to the <code class="filename">~/.bashrc</code> file to make the change permanent for the user.</p><p>Most applications do not use the shared database by default, but they can be configured to use them. 
For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li></ul></div><p>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li></ul></div><p>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
https://wiki.mozilla.org/NSS_Shared_DB https://wiki.mozilla.org/NSS_Shared_DB
</p></li></ul></div></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p>signtool (1)</p><p>The NSS wiki has information on the new database design and how to configure applications to use it.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Setting up the shared NSS database</p><p>https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li><li class="listitem"><p> </p></li></ul></div></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p>signtool (1)</p><p>The NSS wiki has information on the new database design and how to configure applications to use it.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Setting up the shared NSS database</p><p>https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li><li class="listitem"><p>


@ -1,18 +1,9 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SSLTAP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SSLTAP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SSLTAP</th></tr></table><hr></div><div class="refentry"><a name="ssltap"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ssltap — Tap into SSL connections and display the data going by </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">libssltap</code> [-vhfsxl] [-p port] [hostname:port]</p></div></div><div class="refsection"><a name="idm224680842512"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SSLTAP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SSLTAP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SSLTAP</th></tr></table><hr></div><div class="refentry"><a name="ssltap"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ssltap — Tap into SSL connections and display the data going by </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">ssltap</code> [-fhlsvx] [-p port] [hostname:port]</p></div></div><div class="refsection"><a name="idm233258230400"></a><h2>STATUS</h2><p>This documentation is still work in progress. 
Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The SSL Debugging Tool <span class="command"><strong>ssltap</strong></span> is an SSL-aware command-line proxy. It watches TCP connections and displays the data going by. If a connection is SSL, the data display includes interpreted SSL records and handshaking</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-v </span></dt><dd><p>Print a version string for the tool.</p></dd><dt><span class="term">-h </span></dt><dd><p> </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The SSL Debugging Tool <span class="command"><strong>ssltap</strong></span> is an SSL-aware command-line proxy. It watches TCP connections and displays the data going by. If a connection is SSL, the data display includes interpreted SSL records and handshaking</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-f </span></dt><dd><p>
Turn on hex/ASCII printing. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters. The two parts are separated by a vertical bar. Nonprinting characters are replaced by dots.
</p></dd><dt><span class="term">-f </span></dt><dd><p>
Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser. Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser.
</p></dd><dt><span class="term">-s </span></dt><dd><p> </p></dd><dt><span class="term">-h </span></dt><dd><p>
Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures. Turn on hex/ASCII printing. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters. The two parts are separated by a vertical bar. Nonprinting characters are replaced by dots.
</p><p> </p></dd><dt><span class="term">-l prefix</span></dt><dd><p>
If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate.
</p><p>
If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output.
</p></dd><dt><span class="term">-x </span></dt><dd><p>
Turn on hex/ASCII printing of undecoded data inside parsed SSL records. Used only with the -s option.
This option uses the same output format as the -h option.
</p></dd><dt><span class="term">-l prefix</span></dt><dd><p>
Turn on looping; that is, continue to accept connections rather than stopping after the first connection is complete. Turn on looping; that is, continue to accept connections rather than stopping after the first connection is complete.
</p></dd><dt><span class="term">-p port</span></dt><dd><p>Change the default rendezvous port (1924) to another port.</p><p>The following are well-known port numbers:</p><p> </p></dd><dt><span class="term">-p port</span></dt><dd><p>Change the default rendezvous port (1924) to another port.</p><p>The following are well-known port numbers:</p><p>
* HTTP 80 * HTTP 80
@ -30,7 +21,13 @@ Turn on looping; that is, continue to accept connections rather than stopping af
* NNTP 119 * NNTP 119
</p><p> </p><p>
* NNTPS 563 (NNTP over SSL) * NNTPS 563 (NNTP over SSL)
</p></dd></dl></div></div><div class="refsection"><a name="basic-usage"></a><h2>Usage and Examples</h2><p> </p></dd><dt><span class="term">-s </span></dt><dd><p>
Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures.
</p><p>
If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate.
</p><p>
If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output.
</p></dd><dt><span class="term">-v </span></dt><dd><p>Print a version string for the tool.</p></dd><dt><span class="term">-x </span></dt><dd><p>Turn on extra SSL hex dumps.</p></dd></dl></div></div><div class="refsection"><a name="basic-usage"></a><h2>Usage and Examples</h2><p>
You can use the SSL Debugging Tool to intercept any connection information. Although you can run the tool at its most basic by issuing the ssltap command with no options other than hostname:port, the information you get in this way is not very useful. For example, assume your development machine is called intercept. The simplest way to use the debugging tool is to execute the following command from a command shell: You can use the SSL Debugging Tool to intercept any connection information. Although you can run the tool at its most basic by issuing the ssltap command with no options other than hostname:port, the information you get in this way is not very useful. For example, assume your development machine is called intercept. The simplest way to use the debugging tool is to execute the following command from a command shell:
</p><pre class="programlisting">$ ssltap www.netscape.com</pre><p> </p><pre class="programlisting">$ ssltap www.netscape.com</pre><p>
The program waits for an incoming connection on the default port 1924. In your browser window, enter the URL http://intercept:1924. The browser retrieves the requested page from the server at www.netscape.com, but the page is intercepted and passed on to the browser by the debugging tool on intercept. On its way to the browser, the data is printed to the command shell from which you issued the command. Data sent from the client to the server is surrounded by the following symbols: --&gt; [ data ] Data sent from the server to the client is surrounded by the following symbols: The program waits for an incoming connection on the default port 1924. In your browser window, enter the URL http://intercept:1924. The browser retrieves the requested page from the server at www.netscape.com, but the page is intercepted and passed on to the browser by the debugging tool on intercept. On its way to the browser, the data is printed to the command shell from which you issued the command. Data sent from the client to the server is surrounded by the following symbols: --&gt; [ data ] Data sent from the server to the client is surrounded by the following symbols:


@ -1,4 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYCHAIN</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYCHAIN"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYCHAIN</th></tr></table><hr></div><div class="refentry"><a name="vfychain"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfychain — vfychain [options] [revocation options] certfile [[options] certfile] ...</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfychain</code> </p></div></div><div class="refsection"><a name="idm224658292400"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYCHAIN</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYCHAIN"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYCHAIN</th></tr></table><hr></div><div class="refentry"><a name="vfychain"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfychain — vfychain [options] [revocation options] certfile [[options] certfile] ...</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfychain</code> </p></div></div><div class="refsection"><a name="idm233261246224"></a><h2>STATUS</h2><p>This documentation is still work in progress. 
Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The verification Tool, <span class="command"><strong>vfychain</strong></span>, verifies certificate chains. <span class="command"><strong>modutil</strong></span> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</p><p>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-a</code></span></dt><dd>the following certfile is base64 encoded</dd><dt><span class="term"><code class="option">-b </code> <em class="replaceable"><code>YYMMDDHHMMZ</code></em></span></dt><dd>Validate date (default: now)</dd><dt><span class="term"><code class="option">-d </code> <em class="replaceable"><code>directory</code></em></span></dt><dd>database directory</dd><dt><span class="term"><code class="option">-f </code> </span></dt><dd>Enable cert fetching from AIA URL</dd><dt><span class="term"><code class="option">-o </code> <em class="replaceable"><code>oid</code></em></span></dt><dd>Set policy OID for cert validation(Format OID.1.2.3)</dd><dt><span class="term"><code class="option">-p </code></span></dt><dd><p class="simpara">Use PKIX Library to validate certificate by calling:</p><p class="simpara"> * CERT_VerifyCertificate if specified once,</p><p class="simpara"> * CERT_PKIXVerifyCert if specified twice and more.</p></dd><dt><span class="term"><code class="option">-r </code></span></dt><dd>Following certfile is raw binary DER (default)</dd><dt><span class="term"><code 
class="option">-t</code></span></dt><dd>Following cert is explicitly trusted (overrides db trust)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>usage</code></em></span></dt><dd><p> </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The verification Tool, <span class="command"><strong>vfychain</strong></span>, verifies certificate chains. <span class="command"><strong>modutil</strong></span> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</p><p>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-a</code></span></dt><dd>the following certfile is base64 encoded</dd><dt><span class="term"><code class="option">-b </code> <em class="replaceable"><code>YYMMDDHHMMZ</code></em></span></dt><dd>Validate date (default: now)</dd><dt><span class="term"><code class="option">-d </code> <em class="replaceable"><code>directory</code></em></span></dt><dd>database directory</dd><dt><span class="term"><code class="option">-f </code> </span></dt><dd>Enable cert fetching from AIA URL</dd><dt><span class="term"><code class="option">-o </code> <em class="replaceable"><code>oid</code></em></span></dt><dd>Set policy OID for cert validation(Format OID.1.2.3)</dd><dt><span class="term"><code class="option">-p </code></span></dt><dd><p class="simpara">Use PKIX Library to validate certificate by calling:</p><p class="simpara"> * CERT_VerifyCertificate if specified once,</p><p 
class="simpara"> * CERT_PKIXVerifyCert if specified twice and more.</p></dd><dt><span class="term"><code class="option">-r </code></span></dt><dd>Following certfile is raw binary DER (default)</dd><dt><span class="term"><code class="option">-t</code></span></dt><dd>Following cert is explicitly trusted (overrides db trust)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>usage</code></em></span></dt><dd><p>
0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,
4=Email signer, 5=Email recipient, 6=Object signer, 4=Email signer, 5=Email recipient, 6=Object signer,


@ -1,4 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYSERV</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYSERV"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYSERV</th></tr></table><hr></div><div class="refentry"><a name="vfyserv"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfyserv — TBD</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfyserv</code> </p></div></div><div class="refsection"><a name="idm224662974480"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYSERV</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYSERV"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYSERV</th></tr></table><hr></div><div class="refentry"><a name="vfyserv"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfyserv — TBD</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfyserv</code> </p></div></div><div class="refsection"><a name="idm233266435200"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The <span class="command"><strong>vfyserv </strong></span> tool verifies a certificate chain</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option"></code> <em class="replaceable"><code></code></em></span></dt><dd><p class="simpara"></p><p class="simpara"></p></dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p> </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The <span class="command"><strong>vfyserv </strong></span> tool verifies a certificate chain</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option"></code> <em class="replaceable"><code></code></em></span></dt><dd><p class="simpara"></p><p class="simpara"></p></dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. 
The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p>
Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;. Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
</p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.


@ -625,7 +625,8 @@ DISABLE: 0x40000000</programlisting>
<para><command>Executable</command> specifies that the file is to be executed during the course of the installation. Typically, this string is used for a setup program provided by a module vendor, such as a self-extracting setup executable. More than one file can be specified as executable, in which case the files are run in the order in which they are specified in the script file.</para> <para><command>Executable</command> specifies that the file is to be executed during the course of the installation. Typically, this string is used for a setup program provided by a module vendor, such as a self-extracting setup executable. More than one file can be specified as executable, in which case the files are run in the order in which they are specified in the script file.</para>
<para><command>FilePermissions</command> sets permissions on any referenced files in a string of octal digits, according to the standard Unix format. This string is a bitwise OR.</para> <para><command>FilePermissions</command> sets permissions on any referenced files in a string of octal digits, according to the standard Unix format. This string is a bitwise OR.</para>
<programlisting>user read: 0400 <programlisting>
user read: 0400
user write: 0200 user write: 0200
user execute: 0100 user execute: 0100
group read: 0040 group read: 0040
@ -633,7 +634,8 @@ group write: 0020
group execute: 0010 group execute: 0010
other read: 0004 other read: 0004
other write: 0002 other write: 0002
other execute: 0001</programlisting> other execute: 0001
</programlisting>
<para>Some platforms may not understand these permissions. They are applied only insofar as they make sense for the current platform. If this attribute is omitted, a default of 777 is assumed.</para> <para>Some platforms may not understand these permissions. They are applied only insofar as they make sense for the current platform. If this attribute is omitted, a default of 777 is assumed.</para>
</refsection> </refsection>
@ -693,7 +695,7 @@ Using the SQLite databases must be manually specified by using the <command>sql:
<para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para> <para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para>
<programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting> <programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting>
<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para> <para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>
<para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para> <para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para>
<itemizedlist> <itemizedlist>


@ -2,12 +2,12 @@
.\" Title: CERTUTIL .\" Title: CERTUTIL
.\" Author: [see the "Authors" section] .\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 31 March 2014 .\" Date: 5 June 2014
.\" Manual: NSS Security Tools .\" Manual: NSS Security Tools
.\" Source: nss-tools .\" Source: nss-tools
.\" Language: English .\" Language: English
.\" .\"
.TH "CERTUTIL" "1" "31 March 2014" "nss-tools" "NSS Security Tools" .TH "CERTUTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
@ -229,7 +229,8 @@ NSS recognizes the following prefixes:
.sp -1 .sp -1
.IP \(bu 2.3 .IP \(bu 2.3
.\} .\}
\fBsql: requests the newer database\fR \fBsql:\fR
requests the newer database
.RE .RE
.sp .sp
.RS 4 .RS 4
@ -240,10 +241,13 @@ NSS recognizes the following prefixes:
.sp -1 .sp -1
.IP \(bu 2.3 .IP \(bu 2.3
.\} .\}
\fBdbm: requests the legacy database\fR \fBdbm:\fR
requests the legacy database
.RE .RE
.sp .sp
If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE\&. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default\&. If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE\&. If NSS_DEFAULT_DB_TYPE is not set then
\fBdbm:\fR
is the default\&.
.RE .RE
.PP .PP
\-e \-e
@ -543,7 +547,7 @@ Set a site security officer password on a token\&.
.PP .PP
\-1 | \-\-keyUsage keyword,keyword \-1 | \-\-keyUsage keyword,keyword
.RS 4 .RS 4
Set a Netscape Certificate Type Extension in the certificate\&. There are several available keywords: Set an X\&.509 V3 Certificate Type Extension in the certificate\&. There are several available keywords:
.sp .sp
.RS 4 .RS 4
.ie n \{\ .ie n \{\
@ -553,7 +557,7 @@ Set a Netscape Certificate Type Extension in the certificate\&. There are severa
.sp -1 .sp -1
.IP \(bu 2.3 .IP \(bu 2.3
.\} .\}
digital signature digitalSignature
.RE .RE
.sp .sp
.RS 4 .RS 4
@ -661,7 +665,7 @@ X\&.509 certificate extensions are described in RFC 5280\&.
.PP .PP
\-5 | \-\-nsCertType keyword,keyword \-5 | \-\-nsCertType keyword,keyword
.RS 4 .RS 4
Add a Netscape certificate type extension to a certificate that is being created or added to the database\&. There are several available keywords: Add an X\&.509 V3 certificate type extension to a certificate that is being created or added to the database\&. There are several available keywords:
.sp .sp
.RS 4 .RS 4
.ie n \{\ .ie n \{\


@ -2,12 +2,12 @@
.\" Title: CMSUTIL .\" Title: CMSUTIL
.\" Author: [see the "Authors" section] .\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 19 July 2013 .\" Date: 5 June 2014
.\" Manual: NSS Security Tools .\" Manual: NSS Security Tools
.\" Source: nss-tools .\" Source: nss-tools
.\" Language: English .\" Language: English
.\" .\"
.TH "CMSUTIL" "1" "19 July 2013" "nss-tools" "NSS Security Tools" .TH "CMSUTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
@ -50,16 +50,16 @@ To run cmsutil, type the command cmsutil option [arguments] where option and arg
.PP .PP
Options specify an action\&. Option arguments modify an action\&. The options and arguments for the cmsutil command are defined as follows: Options specify an action\&. Option arguments modify an action\&. The options and arguments for the cmsutil command are defined as follows:
.PP .PP
\-D
.RS 4
Decode a message\&.
.RE
.PP
\-C \-C
.RS 4 .RS 4
Encrypt a message\&. Encrypt a message\&.
.RE .RE
.PP .PP
\-D
.RS 4
Decode a message\&.
.RE
.PP
\-E \-E
.RS 4 .RS 4
Envelope a message\&. Envelope a message\&.
@ -247,11 +247,6 @@ cmsutil \-S [\-i infile] [\-o outfile] [\-d dbdir] [\-p password] \-N nickname[\
.SH "SEE ALSO" .SH "SEE ALSO"
.PP .PP
certutil(1) certutil(1)
.SH "SEE ALSO"
.PP
.PP
.PP
.PP
.SH "ADDITIONAL RESOURCES" .SH "ADDITIONAL RESOURCES"
.PP .PP
For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at


@ -2,12 +2,12 @@
.\" Title: CRLUTIL .\" Title: CRLUTIL
.\" Author: [see the "Authors" section] .\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 19 July 2013 .\" Date: 5 June 2014
.\" Manual: NSS Security Tools .\" Manual: NSS Security Tools
.\" Source: nss-tools .\" Source: nss-tools
.\" Language: English .\" Language: English
.\" .\"
.TH "CRLUTIL" "1" "19 July 2013" "nss-tools" "NSS Security Tools" .TH "CRLUTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
@ -57,64 +57,55 @@ where options and arguments are combinations of the options and arguments listed
.PP .PP
Options specify an action\&. Option arguments modify an action\&. The options and arguments for the crlutil command are defined as follows: Options specify an action\&. Option arguments modify an action\&. The options and arguments for the crlutil command are defined as follows:
.PP .PP
\-G
.RS 4
Create new Certificate Revocation List(CRL)\&.
.RE
.PP
\-D \-D
.RS 4 .RS 4
Delete Certificate Revocation List from cert database\&. Delete Certificate Revocation List from cert database\&.
.RE .RE
.PP .PP
\-I
.RS 4
Import a CRL to the cert database
.RE
.PP
\-E \-E
.RS 4 .RS 4
Erase all CRLs of specified type from the cert database Erase all CRLs of specified type from the cert database
.RE .RE
.PP .PP
\-G
.RS 4
Create new Certificate Revocation List (CRL)\&.
.RE
.PP
\-I
.RS 4
Import a CRL to the cert database
.RE
.PP
\-L \-L
.RS 4 .RS 4
List existing CRL located in cert database file\&. List existing CRL located in cert database file\&.
.RE .RE
.PP .PP
\-S
.RS 4
Show contents of a CRL file which isn\*(Aqt stored in the database\&.
.RE
.PP
\-M \-M
.RS 4 .RS 4
Modify existing CRL which can be located in cert db or in arbitrary file\&. If located in file it should be encoded in ASN\&.1 encode format\&. Modify existing CRL which can be located in cert db or in arbitrary file\&. If located in file it should be encoded in ASN\&.1 encode format\&.
.RE .RE
.PP .PP
\-G \-S
.RS 4 .RS 4
Show contents of a CRL file which isn\*(Aqt stored in the database\&.
.RE .RE
.PP .PP
\fBArguments\fR \fBArguments\fR
.PP .PP
Option arguments modify an action and are lowercase\&. Option arguments modify an action\&.
.PP
\-B
.RS 4
Bypass CA signature checks\&.
.RE
.PP
\-P dbprefix
.RS 4
Specify the prefix used on the NSS security database files (for example, my_cert8\&.db and my_key3\&.db)\&. This option is provided as a special case\&. Changing the names of the certificate and key databases is not recommended\&.
.RE
.PP .PP
\-a \-a
.RS 4 .RS 4
Use ASCII format or allow the use of ASCII format for input and output\&. This formatting follows RFC #1113\&. Use ASCII format or allow the use of ASCII format for input and output\&. This formatting follows RFC #1113\&.
.RE .RE
.PP .PP
\-B
.RS 4
Bypass CA signature checks\&.
.RE
.PP
\-c crl\-gen\-file \-c crl\-gen\-file
.RS 4 .RS 4
Specify script file that will be used to control crl generation/modification\&. See crl\-cript\-file format below\&. If options \-M|\-G is used and \-c crl\-script\-file is not specified, crlutil will read script data from standard input\&. Specify script file that will be used to control crl generation/modification\&. See crl\-cript\-file format below\&. If options \-M|\-G is used and \-c crl\-script\-file is not specified, crlutil will read script data from standard input\&.
@ -127,16 +118,16 @@ Specify the database directory containing the certificate and key database files
The NSS database files must reside in the same directory\&. The NSS database files must reside in the same directory\&.
.RE .RE
.PP .PP
\-i crl\-file
.RS 4
Specify the file which contains the CRL to import or show\&.
.RE
.PP
\-f password\-file \-f password\-file
.RS 4 .RS 4
Specify a file that will automatically supply the password to include in a certificate or to access a certificate database\&. This is a plain\-text file containing one password\&. Be sure to prevent unauthorized access to this file\&. Specify a file that will automatically supply the password to include in a certificate or to access a certificate database\&. This is a plain\-text file containing one password\&. Be sure to prevent unauthorized access to this file\&.
.RE .RE
.PP .PP
\-i crl\-file
.RS 4
Specify the file which contains the CRL to import or show\&.
.RE
.PP
\-l algorithm\-name \-l algorithm\-name
.RS 4 .RS 4
Specify a specific signature algorithm\&. List of possible algorithms: MD2 | MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512 Specify a specific signature algorithm\&. List of possible algorithms: MD2 | MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512
@ -152,6 +143,11 @@ Specify the nickname of a certificate or key to list, create, add to a database,
Specify the output file name for new CRL\&. Bracket the output\-file string with quotation marks if it contains spaces\&. If this argument is not used the output destination defaults to standard output\&. Specify the output file name for new CRL\&. Bracket the output\-file string with quotation marks if it contains spaces\&. If this argument is not used the output destination defaults to standard output\&.
.RE .RE
.PP .PP
\-P dbprefix
.RS 4
Specify the prefix used on the NSS security database files (for example, my_cert8\&.db and my_key3\&.db)\&. This option is provided as a special case\&. Changing the names of the certificate and key databases is not recommended\&.
.RE
.PP
\-t crl\-type \-t crl\-type
.RS 4 .RS 4
Specify type of CRL\&. possible types are: 0 \- SEC_KRL_TYPE, 1 \- SEC_CRL_TYPE\&. This option is obsolete Specify type of CRL\&. possible types are: 0 \- SEC_KRL_TYPE, 1 \- SEC_CRL_TYPE\&. This option is obsolete
@ -369,11 +365,6 @@ crlutil \-G|\-M \-c crl\-gen\-file \-n nickname [\-i crl] [\-u url] [\-d keydir]
.SH "SEE ALSO" .SH "SEE ALSO"
.PP .PP
certutil(1) certutil(1)
.SH "SEE ALSO"
.PP
.PP
.PP
.PP
.SH "ADDITIONAL RESOURCES" .SH "ADDITIONAL RESOURCES"
.PP .PP
For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at


@ -1,13 +1,13 @@
'\" t '\" t
.\" Title: MODUTIL .\" Title: MODUTIL
.\" Author: [see the "Authors" section] .\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.77.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 15 February 2013 .\" Date: 5 June 2014
.\" Manual: NSS Security Tools .\" Manual: NSS Security Tools
.\" Source: nss-tools .\" Source: nss-tools
.\" Language: English .\" Language: English
.\" .\"
.TH "MODUTIL" "1" "15 February 2013" "nss-tools" "NSS Security Tools" .TH "MODUTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
@ -109,6 +109,8 @@ Delete the named module\&. The default NSS PKCS #11 module cannot be deleted\&.
Disable all slots on the named module\&. Use the Disable all slots on the named module\&. Use the
\fB\-slot\fR \fB\-slot\fR
argument to disable a specific slot\&. argument to disable a specific slot\&.
.sp
The internal NSS PKCS #11 module cannot be disabled\&.
.RE .RE
.PP .PP
\-enable modulename \-enable modulename
@ -1248,7 +1250,7 @@ group write: 0020
group execute: 0010 group execute: 0010
other read: 0004 other read: 0004
other write: 0002 other write: 0002
other execute: 0001 other execute: 0001
.fi .fi
.if n \{\ .if n \{\
.RE .RE
@ -1366,9 +1368,9 @@ export NSS_DEFAULT_DB_TYPE="sql"
.RE .RE
.\} .\}
.PP .PP
This line can be set added to the This line can be added to the
~/\&.bashrc ~/\&.bashrc
file to make the change permanent\&. file to make the change permanent for the user\&.
.PP .PP
Most applications do not use the shared database by default, but they can be configured to use them\&. For example, this how\-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases: Most applications do not use the shared database by default, but they can be configured to use them\&. For example, this how\-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:
.sp .sp
@ -1436,12 +1438,12 @@ Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto
IRC: Freenode at #dogtag\-pki IRC: Freenode at #dogtag\-pki
.SH "AUTHORS" .SH "AUTHORS"
.PP .PP
The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&. The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&.
.PP .PP
Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>\&. Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>\&.
.SH "LICENSE" .SH "LICENSE"
.PP .PP
Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&. Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&.
.SH "NOTES" .SH "NOTES"
.IP " 1." 4 .IP " 1." 4
Mozilla NSS bug 836477 Mozilla NSS bug 836477


@ -2,12 +2,12 @@
.\" Title: PK12UTIL .\" Title: PK12UTIL
.\" Author: [see the "Authors" section] .\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 12 November 2013 .\" Date: 5 June 2014
.\" Manual: NSS Security Tools .\" Manual: NSS Security Tools
.\" Source: nss-tools .\" Source: nss-tools
.\" Language: English .\" Language: English
.\" .\"
.TH "PK12UTIL" "1" "12 November 2013" "nss-tools" "NSS Security Tools" .TH "PK12UTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
@ -31,7 +31,7 @@
pk12util \- Export and import keys and certificate to or from a PKCS #12 file and the NSS database pk12util \- Export and import keys and certificate to or from a PKCS #12 file and the NSS database
.SH "SYNOPSIS" .SH "SYNOPSIS"
.HP \w'\fBpk12util\fR\ 'u .HP \w'\fBpk12util\fR\ 'u
\fBpk12util\fR [\-i\ p12File\ [\-h\ tokenname]\ [\-v]\ [common\-options]] [\-l\ p12File\ [\-h\ tokenname]\ [\-r]\ [common\-options]] [\-o\ p12File\ \-n\ certname\ [\-c\ keyCipher]\ [\-C\ certCipher]\ [\-m|\-\-key_len\ keyLen]\ [\-n|\-\-cert_key_len\ certKeyLen]\ [common\-options]] [common\-options\ are:\ [\-d\ [sql:]directory]\ [\-P\ dbprefix]\ [\-k\ slotPasswordFile|\-K\ slotPassword]\ [\-w\ p12filePasswordFile|\-W\ p12filePassword]] \fBpk12util\fR [\-i\ p12File|\-l\ p12File|\-o\ p12File] [\-d\ [sql:]directory] [\-h\ tokenname] [\-P\ dbprefix] [\-r] [\-v] [\-k\ slotPasswordFile|\-K\ slotPassword] [\-w\ p12filePasswordFile|\-W\ p12filePassword]
.SH "STATUS" .SH "STATUS"
.PP .PP
This documentation is still work in progress\&. Please contribute to the initial review in This documentation is still work in progress\&. Please contribute to the initial review in
@ -61,9 +61,14 @@ Export keys and certificates from the security database to a PKCS#12 file\&.
.PP .PP
\fBArguments\fR \fBArguments\fR
.PP .PP
\-n certname \-c keyCipher
.RS 4 .RS 4
Specify the nickname of the cert and private key to export\&. Specify the key encryption algorithm\&.
.RE
.PP
\-C certCipher
.RS 4
Specify the key cert (overall package) encryption algorithm\&.
.RE .RE
.PP .PP
\-d [sql:]directory \-d [sql:]directory
@ -80,21 +85,11 @@ pkcs11\&.txt)\&. If the prefix
is not used, then the tool assumes that the given databases are in the old format\&. is not used, then the tool assumes that the given databases are in the old format\&.
.RE .RE
.PP .PP
\-P prefix
.RS 4
Specify the prefix used on the certificate and key databases\&. This option is provided as a special case\&. Changing the names of the certificate and key databases is not recommended\&.
.RE
.PP
\-h tokenname \-h tokenname
.RS 4 .RS 4
Specify the name of the token to import into or export from\&. Specify the name of the token to import into or export from\&.
.RE .RE
.PP .PP
\-v
.RS 4
Enable debug logging when importing\&.
.RE
.PP
\-k slotPasswordFile \-k slotPasswordFile
.RS 4 .RS 4
Specify the text file containing the slot\*(Aqs password\&. Specify the text file containing the slot\*(Aqs password\&.
@ -105,26 +100,6 @@ Specify the text file containing the slot\*(Aqs password\&.
Specify the slot\*(Aqs password\&. Specify the slot\*(Aqs password\&.
.RE .RE
.PP .PP
\-w p12filePasswordFile
.RS 4
Specify the text file containing the pkcs #12 file password\&.
.RE
.PP
\-W p12filePassword
.RS 4
Specify the pkcs #12 file password\&.
.RE
.PP
\-c keyCipher
.RS 4
Specify the key encryption algorithm\&.
.RE
.PP
\-C certCipher
.RS 4
Specify the key cert (overall package) encryption algorithm\&.
.RE
.PP
\-m | \-\-key\-len keyLength \-m | \-\-key\-len keyLength
.RS 4 .RS 4
Specify the desired length of the symmetric key to be used to encrypt the private key\&. Specify the desired length of the symmetric key to be used to encrypt the private key\&.
@ -135,10 +110,35 @@ Specify the desired length of the symmetric key to be used to encrypt the privat
Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta\-data\&. Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta\-data\&.
.RE .RE
.PP .PP
\-n certname
.RS 4
Specify the nickname of the cert and private key to export\&.
.RE
.PP
\-P prefix
.RS 4
Specify the prefix used on the certificate and key databases\&. This option is provided as a special case\&. Changing the names of the certificate and key databases is not recommended\&.
.RE
.PP
\-r \-r
.RS 4 .RS 4
Dumps all of the data in raw (binary) form\&. This must be saved as a DER file\&. The default is to return information in a pretty\-print ASCII format, which displays the information about the certificates and public keys in the p12 file\&. Dumps all of the data in raw (binary) form\&. This must be saved as a DER file\&. The default is to return information in a pretty\-print ASCII format, which displays the information about the certificates and public keys in the p12 file\&.
.RE .RE
.PP
\-v
.RS 4
Enable debug logging when importing\&.
.RE
.PP
\-w p12filePasswordFile
.RS 4
Specify the text file containing the pkcs #12 file password\&.
.RE
.PP
\-W p12filePassword
.RS 4
Specify the pkcs #12 file password\&.
.RE
.SH "RETURN CODES" .SH "RETURN CODES"
.sp .sp
.RS 4 .RS 4
@ -437,18 +437,12 @@ for importing a certificate or key is the PKCS#12 input file (\fB\-i\fR) and som
for a directory or for a directory or
\fB\-h\fR \fB\-h\fR
for a token)\&. for a token)\&.
.sp .PP
.if n \{\
.RS 4
.\}
.nf
pk12util \-i p12File [\-h tokenname] [\-v] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] pk12util \-i p12File [\-h tokenname] [\-v] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword]
.fi
.if n \{\
.RE
.\}
.PP .PP
For example: For example:
.PP
.sp .sp
.if n \{\ .if n \{\
.RS 4 .RS 4
@ -474,16 +468,8 @@ pk12util: PKCS12 IMPORT SUCCESSFUL
Using the Using the
\fBpk12util\fR \fBpk12util\fR
command to export certificates and keys requires both the name of the certificate to extract from the database (\fB\-n\fR) and the PKCS#12\-formatted output file to write to\&. There are optional parameters that can be used to encrypt the file to protect the certificate material\&. command to export certificates and keys requires both the name of the certificate to extract from the database (\fB\-n\fR) and the PKCS#12\-formatted output file to write to\&. There are optional parameters that can be used to encrypt the file to protect the certificate material\&.
.sp .PP
.if n \{\
.RS 4
.\}
.nf
pk12util \-o p12File \-n certname [\-c keyCipher] [\-C certCipher] [\-m|\-\-key_len keyLen] [\-n|\-\-cert_key_len certKeyLen] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] pk12util \-o p12File \-n certname [\-c keyCipher] [\-C certCipher] [\-m|\-\-key_len keyLen] [\-n|\-\-cert_key_len certKeyLen] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword]
.fi
.if n \{\
.RE
.\}
.PP .PP
For example: For example:
.sp .sp
@ -506,16 +492,8 @@ The information in a
file are not human\-readable\&. The certificates and keys in the file can be printed (listed) in a human\-readable pretty\-print format that shows information for every certificate and any public keys in the file are not human\-readable\&. The certificates and keys in the file can be printed (listed) in a human\-readable pretty\-print format that shows information for every certificate and any public keys in the
\&.p12 \&.p12
file\&. file\&.
.sp .PP
.if n \{\
.RS 4
.\}
.nf
pk12util \-l p12File [\-h tokenname] [\-r] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] pk12util \-l p12File [\-h tokenname] [\-r] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword]
.fi
.if n \{\
.RE
.\}
.PP .PP
For example, this prints the default ASCII output: For example, this prints the default ASCII output:
.sp .sp
@ -542,7 +520,7 @@ Certificate:
Issuer: "E=personal\-freemail@thawte\&.com,CN=Thawte Personal Freemail C Issuer: "E=personal\-freemail@thawte\&.com,CN=Thawte Personal Freemail C
A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T
own,ST=Western Cape,C=ZA" own,ST=Western Cape,C=ZA"
\&.\&.\&.\&.
.fi .fi
.if n \{\ .if n \{\
.RE .RE
@ -561,7 +539,7 @@ file000N\&.der, incrementing the number for every certificate:
.RS 4 .RS 4
.\} .\}
.nf .nf
# pk12util \-l test\&.p12 \-r pk12util \-l test\&.p12 \-r
Enter password for PKCS12 file: Enter password for PKCS12 file:
Key(shrouded): Key(shrouded):
Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID
@ -574,6 +552,7 @@ Key(shrouded):
Certificate Friendly Name: Thawte Personal Freemail Issuing CA \- Thawte Consulting Certificate Friendly Name: Thawte Personal Freemail Issuing CA \- Thawte Consulting
Certificate Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID Certificate Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID
.fi .fi
.if n \{\ .if n \{\
.RE .RE
@ -592,7 +571,17 @@ Several types of ciphers are supported\&.
.PP .PP
Symmetric CBC ciphers for PKCS#5 V2 Symmetric CBC ciphers for PKCS#5 V2
.RS 4 .RS 4
DES_CBC .sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
DES\-CBC
.RE
.sp .sp
.RS 4 .RS 4
.ie n \{\ .ie n \{\
@ -696,7 +685,17 @@ CAMELLIA\-256\-CBC
.PP .PP
PKCS#12 PBE ciphers PKCS#12 PBE ciphers
.RS 4 .RS 4
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
PKCS #12 PBE with Sha1 and 128 Bit RC4 PKCS #12 PBE with Sha1 and 128 Bit RC4
.RE
.sp .sp
.RS 4 .RS 4
.ie n \{\ .ie n \{\
@ -811,7 +810,17 @@ PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC
.PP .PP
PKCS#5 PBE ciphers PKCS#5 PBE ciphers
.RS 4 .RS 4
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
PKCS #5 Password Based Encryption with MD2 and DES CBC PKCS #5 Password Based Encryption with MD2 and DES CBC
.RE
.sp .sp
.RS 4 .RS 4
.ie n \{\ .ie n \{\


@ -2,12 +2,12 @@
.\" Title: PP .\" Title: PP
.\" Author: [see the "Authors" section] .\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 12 November 2013 .\" Date: 5 June 2014
.\" Manual: NSS Security Tools .\" Manual: NSS Security Tools
.\" Source: nss-tools .\" Source: nss-tools
.\" Language: English .\" Language: English
.\" .\"
.TH "PP" "1" "12 November 2013" "nss-tools" "NSS Security Tools" .TH "PP" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------


@ -2,12 +2,12 @@
.\" Title: signtool .\" Title: signtool
.\" Author: [see the "Authors" section] .\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 12 November 2013 .\" Date: 5 June 2014
.\" Manual: NSS Security Tools .\" Manual: NSS Security Tools
.\" Source: nss-tools .\" Source: nss-tools
.\" Language: English .\" Language: English
.\" .\"
.TH "SIGNTOOL" "1" "12 November 2013" "nss-tools" "NSS Security Tools" .TH "SIGNTOOL" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
@ -31,7 +31,7 @@
signtool \- Digitally sign objects and files\&. signtool \- Digitally sign objects and files\&.
.SH "SYNOPSIS" .SH "SYNOPSIS"
.HP \w'\fBsigntool\fR\ 'u .HP \w'\fBsigntool\fR\ 'u
\fBsigntool\fR [\-k\ keyName] [[\-h]] [[\-H]] [[\-l]] [[\-L]] [[\-M]] [[\-v]] [[\-w]] [[\-G\ nickname]] [[\-\-keysize\ |\ \-s\ size]] [[\-b\ basename]] [[\-c\ Compression\ Level]] [[\-d\ cert\-dir]] [[\-i\ installer\ script]] [[\-m\ metafile]] [[\-x\ name]] [[\-f\ filename]] [[\-t|\-\-token\ tokenname]] [[\-e\ extension]] [[\-o]] [[\-z]] [[\-X]] [[\-\-outfile]] [[\-\-verbose\ value]] [[\-\-norecurse]] [[\-\-leavearc]] [[\-j\ directory]] [[\-Z\ jarfile]] [[\-O]] [[\-p\ password]] [directory\-tree] [archive] \fBsigntool\fR [[\-b\ basename]] [[\-c\ Compression\ Level]] [[\-d\ cert\-dir]] [[\-e\ extension]] [[\-f\ filename]] [[\-i\ installer\ script]] [[\-h]] [[\-H]] [[\-v]] [[\-w]] [[\-G\ nickname]] [[\-J]] [[\-j\ directory]] [\-k\ keyName] [[\-\-keysize\ |\ \-s\ size]] [[\-l]] [[\-L]] [[\-M]] [[\-m\ metafile]] [[\-\-norecurse]] [[\-O]] [[\-o]] [[\-\-outfile]] [[\-p\ password]] [[\-t|\-\-token\ tokenname]] [[\-z]] [[\-X]] [[\-x\ name]] [[\-\-verbose\ value]] [[\-\-leavearc]] [[\-Z\ jarfile]] [directory\-tree] [archive]
.SH "STATUS" .SH "STATUS"
.PP .PP
This documentation is still work in progress\&. Please contribute to the initial review in This documentation is still work in progress\&. Please contribute to the initial review in
@ -91,11 +91,21 @@ Tells signtool to sign only files with the given extension; for example, use \-e
Specifies a text file containing Netscape Signing Tool options and arguments in keyword=value format\&. All options and arguments can be expressed through this file\&. For more information about the syntax used with this file, see "Tips and Techniques"\&. Specifies a text file containing Netscape Signing Tool options and arguments in keyword=value format\&. All options and arguments can be expressed through this file\&. For more information about the syntax used with this file, see "Tips and Techniques"\&.
.RE .RE
.PP .PP
\-G nickname
.RS 4
Generates a new private\-public key pair and corresponding object\-signing certificate with the given nickname\&. The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the \-d option\&. With the NT version of Netscape Signing Tool, you must use the \-d option with the \-G option\&. With the Unix version of Netscape Signing Tool, omitting the \-d option causes the tool to install the keys and certificate in the Communicator key and certificate databases\&. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases\&. In all cases, the certificate is also output to a file named x509\&.cacert, which has the MIME\-type application/x\-x509\-ca\-cert\&. Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with \-G is not signed by a recognized certificate authority\&. Instead, it is self\-signed\&. In addition, a single test signing certificate functions as both an object\-signing certificate and a CA\&. When you are using it to sign objects, it behaves like an object\-signing certificate\&. When it is imported into browser software such as Communicator, it behaves like an object\-signing CA and cannot be used to sign objects\&. The \-G option is available in Netscape Signing Tool 1\&.0 and later versions only\&. By default, it produces only RSA certificates with 1024\-byte keys in the internal token\&. However, you can use the \-s option specify the required key size and the \-t option to specify the token\&.
.RE
.PP
\-i scriptname \-i scriptname
.RS 4 .RS 4
Specifies the name of an installer script for SmartUpdate\&. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature\&. For more details, see the description of \-m that follows\&. The \-i option provides a straightforward way to provide this information if you don\*(Aqt need to specify any metadata other than an installer script\&. Specifies the name of an installer script for SmartUpdate\&. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature\&. For more details, see the description of \-m that follows\&. The \-i option provides a straightforward way to provide this information if you don\*(Aqt need to specify any metadata other than an installer script\&.
.RE .RE
.PP .PP
\-J
.RS 4
Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags\&. Even if signtool creates more than one archive file, you need to supply the key database password only once\&. The \-J option is available only in Netscape Signing Tool 1\&.0 and later versions\&. The \-J option cannot be used at the same time as the \-Z option\&. If the \-c# option is not used with the \-J option, the default compression value is 6\&. Note that versions 1\&.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages\&.
.RE
.PP
\-j directory \-j directory
.RS 4 .RS 4
Specifies a special JavaScript directory\&. This option causes the specified directory to be signed and tags its entries as inline JavaScript\&. This special type of entry does not have to appear in the JAR file itself\&. Instead, it is located in the HTML page containing the inline scripts\&. When you use signtool \-v, these entries are displayed with the string NOT PRESENT\&. Specifies a special JavaScript directory\&. This option causes the specified directory to be signed and tags its entries as inline JavaScript\&. This special type of entry does not have to appear in the JAR file itself\&. Instead, it is located in the HTML page containing the inline scripts\&. When you use signtool \-v, these entries are displayed with the string NOT PRESENT\&.
@ -106,21 +116,11 @@ Specifies a special JavaScript directory\&. This option causes the specified dir
Specifies the nickname (key) of the certificate you want to sign with and signs the files in the specified directory\&. The directory to sign is always specified as the last command\-line argument\&. Thus, it is possible to write signtool \-k MyCert \-d \&. signdir You may have trouble if the nickname contains a single quotation mark\&. To avoid problems, escape the quotation mark using the escape conventions for your platform\&. It\*(Aqs also possible to use the \-k option without signing any files or specifying a directory\&. For example, you can use it with the \-l option to get detailed information about a particular signing certificate\&. Specifies the nickname (key) of the certificate you want to sign with and signs the files in the specified directory\&. The directory to sign is always specified as the last command\-line argument\&. Thus, it is possible to write signtool \-k MyCert \-d \&. signdir You may have trouble if the nickname contains a single quotation mark\&. To avoid problems, escape the quotation mark using the escape conventions for your platform\&. It\*(Aqs also possible to use the \-k option without signing any files or specifying a directory\&. For example, you can use it with the \-l option to get detailed information about a particular signing certificate\&.
.RE .RE
.PP .PP
\-G nickname
.RS 4
Generates a new private\-public key pair and corresponding object\-signing certificate with the given nickname\&. The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the \-d option\&. With the NT version of Netscape Signing Tool, you must use the \-d option with the \-G option\&. With the Unix version of Netscape Signing Tool, omitting the \-d option causes the tool to install the keys and certificate in the Communicator key and certificate databases\&. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases\&. In all cases, the certificate is also output to a file named x509\&.cacert, which has the MIME\-type application/x\-x509\-ca\-cert\&. Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with \-G is not signed by a recognized certificate authority\&. Instead, it is self\-signed\&. In addition, a single test signing certificate functions as both an object\-signing certificate and a CA\&. When you are using it to sign objects, it behaves like an object\-signing certificate\&. When it is imported into browser software such as Communicator, it behaves like an object\-signing CA and cannot be used to sign objects\&. The \-G option is available in Netscape Signing Tool 1\&.0 and later versions only\&. By default, it produces only RSA certificates with 1024\-byte keys in the internal token\&. However, you can use the \-s option specify the required key size and the \-t option to specify the token\&. For more information about the use of the \-G option, see "Generating Test Object\-Signing Certificates""Generating Test Object\-Signing Certificates" on page 1241\&.
.RE
.PP
\-l \-l
.RS 4 .RS 4
Lists signing certificates, including issuing CAs\&. If any of your certificates are expired or invalid, the list will so specify\&. This option can be used with the \-k option to list detailed information about a particular signing certificate\&. The \-l option is available in Netscape Signing Tool 1\&.0 and later versions only\&. Lists signing certificates, including issuing CAs\&. If any of your certificates are expired or invalid, the list will so specify\&. This option can be used with the \-k option to list detailed information about a particular signing certificate\&. The \-l option is available in Netscape Signing Tool 1\&.0 and later versions only\&.
.RE .RE
.PP .PP
\-J
.RS 4
Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags\&. Even if signtool creates more than one archive file, you need to supply the key database password only once\&. The \-J option is available only in Netscape Signing Tool 1\&.0 and later versions\&. The \-J option cannot be used at the same time as the \-Z option\&. If the \-c# option is not used with the \-J option, the default compression value is 6\&. Note that versions 1\&.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages\&.
.RE
.PP
\-L \-L
.RS 4 .RS 4
Lists the certificates in your database\&. An asterisk appears to the left of the nickname for any certificate that can be used to sign objects with signtool\&. Lists the certificates in your database\&. An asterisk appears to the left of the nickname for any certificate that can be used to sign objects with signtool\&.


@ -2,12 +2,12 @@
.\" Title: SIGNVER .\" Title: SIGNVER
.\" Author: [see the "Authors" section] .\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 12 November 2013 .\" Date: 5 June 2014
.\" Manual: NSS Security Tools .\" Manual: NSS Security Tools
.\" Source: nss-tools .\" Source: nss-tools
.\" Language: English .\" Language: English
.\" .\"
.TH "SIGNVER" "1" "12 November 2013" "nss-tools" "NSS Security Tools" .TH "SIGNVER" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
@ -236,9 +236,9 @@ export NSS_DEFAULT_DB_TYPE="sql"
.RE .RE
.\} .\}
.PP .PP
This line can be set added to the This line can be added to the
~/\&.bashrc ~/\&.bashrc
file to make the change permanent\&. file to make the change permanent for the user\&.
.PP .PP
Most applications do not use the shared database by default, but they can be configured to use them\&. For example, this how\-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases: Most applications do not use the shared database by default, but they can be configured to use them\&. For example, this how\-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:
.sp .sp


@ -2,12 +2,12 @@
.\" Title: SSLTAP .\" Title: SSLTAP
.\" Author: [see the "Authors" section] .\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 12 November 2013 .\" Date: 5 June 2014
.\" Manual: NSS Security Tools .\" Manual: NSS Security Tools
.\" Source: nss-tools .\" Source: nss-tools
.\" Language: English .\" Language: English
.\" .\"
.TH "SSLTAP" "1" "12 November 2013" "nss-tools" "NSS Security Tools" .TH "SSLTAP" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
@ -30,8 +30,8 @@
.SH "NAME" .SH "NAME"
ssltap \- Tap into SSL connections and display the data going by ssltap \- Tap into SSL connections and display the data going by
.SH "SYNOPSIS" .SH "SYNOPSIS"
.HP \w'\fBlibssltap\fR\ 'u .HP \w'\fBssltap\fR\ 'u
\fBlibssltap\fR [\-vhfsxl] [\-p\ port] [hostname:port] \fBssltap\fR [\-fhlsvx] [\-p\ port] [hostname:port]
.SH "STATUS" .SH "STATUS"
.PP .PP
This documentation is still work in progress\&. Please contribute to the initial review in This documentation is still work in progress\&. Please contribute to the initial review in
@ -43,33 +43,14 @@ The SSL Debugging Tool
is an SSL\-aware command\-line proxy\&. It watches TCP connections and displays the data going by\&. If a connection is SSL, the data display includes interpreted SSL records and handshaking is an SSL\-aware command\-line proxy\&. It watches TCP connections and displays the data going by\&. If a connection is SSL, the data display includes interpreted SSL records and handshaking
.SH "OPTIONS" .SH "OPTIONS"
.PP .PP
\-v
.RS 4
Print a version string for the tool\&.
.RE
.PP
\-h
.RS 4
Turn on hex/ASCII printing\&. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters\&. The two parts are separated by a vertical bar\&. Nonprinting characters are replaced by dots\&.
.RE
.PP
\-f \-f
.RS 4 .RS 4
Turn on fancy printing\&. Output is printed in colored HTML\&. Data sent from the client to the server is in blue; the server\*(Aqs reply is in red\&. When used with looping mode, the different connections are separated with horizontal lines\&. You can use this option to upload the output into a browser\&. Turn on fancy printing\&. Output is printed in colored HTML\&. Data sent from the client to the server is in blue; the server\*(Aqs reply is in red\&. When used with looping mode, the different connections are separated with horizontal lines\&. You can use this option to upload the output into a browser\&.
.RE .RE
.PP .PP
\-s \-h
.RS 4 .RS 4
Turn on SSL parsing and decoding\&. The tool does not automatically detect SSL sessions\&. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures\&. Turn on hex/ASCII printing\&. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters\&. The two parts are separated by a vertical bar\&. Nonprinting characters are replaced by dots\&.
.sp
If the tool detects a certificate chain, it saves the DER\-encoded certificates into files in the current directory\&. The files are named cert\&.0x, where x is the sequence number of the certificate\&.
.sp
If the \-s option is used with \-h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output\&.
.RE
.PP
\-x
.RS 4
Turn on hex/ASCII printing of undecoded data inside parsed SSL records\&. Used only with the \-s option\&. This option uses the same output format as the \-h option\&.
.RE .RE
.PP .PP
\-l prefix \-l prefix
@ -99,6 +80,25 @@ The following are well\-known port numbers:
.sp .sp
* NNTPS 563 (NNTP over SSL) * NNTPS 563 (NNTP over SSL)
.RE .RE
.PP
\-s
.RS 4
Turn on SSL parsing and decoding\&. The tool does not automatically detect SSL sessions\&. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures\&.
.sp
If the tool detects a certificate chain, it saves the DER\-encoded certificates into files in the current directory\&. The files are named cert\&.0x, where x is the sequence number of the certificate\&.
.sp
If the \-s option is used with \-h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output\&.
.RE
.PP
\-v
.RS 4
Print a version string for the tool\&.
.RE
.PP
\-x
.RS 4
Turn on extra SSL hex dumps\&.
.RE
.SH "USAGE AND EXAMPLES" .SH "USAGE AND EXAMPLES"
.PP .PP
You can use the SSL Debugging Tool to intercept any connection information\&. Although you can run the tool at its most basic by issuing the ssltap command with no options other than hostname:port, the information you get in this way is not very useful\&. For example, assume your development machine is called intercept\&. The simplest way to use the debugging tool is to execute the following command from a command shell: You can use the SSL Debugging Tool to intercept any connection information\&. Although you can run the tool at its most basic by issuing the ssltap command with no options other than hostname:port, the information you get in this way is not very useful\&. For example, assume your development machine is called intercept\&. The simplest way to use the debugging tool is to execute the following command from a command shell:


@ -2,12 +2,12 @@
.\" Title: VFYCHAIN .\" Title: VFYCHAIN
.\" Author: [see the "Authors" section] .\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 12 November 2013 .\" Date: 5 June 2014
.\" Manual: NSS Security Tools .\" Manual: NSS Security Tools
.\" Source: nss-tools .\" Source: nss-tools
.\" Language: English .\" Language: English
.\" .\"
.TH "VFYCHAIN" "1" "12 November 2013" "nss-tools" "NSS Security Tools" .TH "VFYCHAIN" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------


@ -2,12 +2,12 @@
.\" Title: VFYSERV .\" Title: VFYSERV
.\" Author: [see the "Authors" section] .\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 12 November 2013 .\" Date: 5 June 2014
.\" Manual: NSS Security Tools .\" Manual: NSS Security Tools
.\" Source: nss-tools .\" Source: nss-tools
.\" Language: English .\" Language: English
.\" .\"
.TH "VFYSERV" "1" "12 November 2013" "nss-tools" "NSS Security Tools" .TH "VFYSERV" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------


@ -27,16 +27,14 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>pk12util</command> <command>pk12util</command>
<arg>-i p12File [-h tokenname] [-v] [common-options] </arg> <arg>-i p12File|-l p12File|-o p12File</arg>
<arg> <arg>-d [sql:]directory</arg>
-l p12File [-h tokenname] [-r] [common-options] </arg> <arg>-h tokenname</arg>
<arg> <arg>-P dbprefix</arg>
-o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [common-options] </arg> <arg>-r</arg>
<arg> <arg>-v</arg>
<arg>-k slotPasswordFile|-K slotPassword</arg>
common-options are: <arg>-w p12filePasswordFile|-W p12filePassword</arg>
[-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
</arg>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -73,10 +71,14 @@ common-options are:
<para><command>Arguments</command></para> <para><command>Arguments</command></para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>-n certname</term> <term>-c keyCipher</term>
<listitem><para>Specify the nickname of the cert and private key to export.</para></listitem> <listitem><para>Specify the key encryption algorithm.</para></listitem>
</varlistentry>
<varlistentry>
<term>-C certCipher</term>
<listitem><para>Specify the key cert (overall package) encryption algorithm.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
@ -85,22 +87,11 @@ common-options are:
<para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem> <para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-P prefix</term>
<listitem><para>Specify the prefix used on the certificate and key databases. This option is provided as a special case.
Changing the names of the certificate and key databases is not recommended.</para></listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-h tokenname</term> <term>-h tokenname</term>
<listitem><para>Specify the name of the token to import into or export from.</para></listitem> <listitem><para>Specify the name of the token to import into or export from.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-v </term>
<listitem><para>Enable debug logging when importing.</para></listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-k slotPasswordFile</term> <term>-k slotPasswordFile</term>
<listitem><para>Specify the text file containing the slot's password.</para></listitem> <listitem><para>Specify the text file containing the slot's password.</para></listitem>
@ -111,26 +102,6 @@ common-options are:
<listitem><para>Specify the slot's password.</para></listitem> <listitem><para>Specify the slot's password.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-w p12filePasswordFile</term>
<listitem><para>Specify the text file containing the pkcs #12 file password.</para></listitem>
</varlistentry>
<varlistentry>
<term>-W p12filePassword</term>
<listitem><para>Specify the pkcs #12 file password.</para></listitem>
</varlistentry>
<varlistentry>
<term>-c keyCipher</term>
<listitem><para>Specify the key encryption algorithm.</para></listitem>
</varlistentry>
<varlistentry>
<term>-C certCipher</term>
<listitem><para>Specify the key cert (overall package) encryption algorithm.</para></listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-m | --key-len keyLength</term> <term>-m | --key-len keyLength</term>
<listitem><para>Specify the desired length of the symmetric key to be used to encrypt the private key.</para></listitem> <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the private key.</para></listitem>
@ -141,10 +112,37 @@ common-options are:
<listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem> <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-n certname</term>
<listitem><para>Specify the nickname of the cert and private key to export.</para></listitem>
</varlistentry>
<varlistentry>
<term>-P prefix</term>
<listitem><para>Specify the prefix used on the certificate and key databases. This option is provided as a special case.
Changing the names of the certificate and key databases is not recommended.</para></listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-r</term> <term>-r</term>
<listitem><para>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</para></listitem> <listitem><para>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-v </term>
<listitem><para>Enable debug logging when importing.</para></listitem>
</varlistentry>
<varlistentry>
<term>-w p12filePasswordFile</term>
<listitem><para>Specify the text file containing the pkcs #12 file password.</para></listitem>
</varlistentry>
<varlistentry>
<term>-W p12filePassword</term>
<listitem><para>Specify the pkcs #12 file password.</para></listitem>
</varlistentry>
</variablelist> </variablelist>
</refsection> </refsection>
@ -237,9 +235,12 @@ common-options are:
<para><command>Importing Keys and Certificates</command></para> <para><command>Importing Keys and Certificates</command></para>
<para>The most basic usage of <command>pk12util</command> for importing a certificate or key is the PKCS#12 input file (<option>-i</option>) and some way to specify the security database being accessed (either <option>-d</option> for a directory or <option>-h</option> for a token). <para>The most basic usage of <command>pk12util</command> for importing a certificate or key is the PKCS#12 input file (<option>-i</option>) and some way to specify the security database being accessed (either <option>-d</option> for a directory or <option>-h</option> for a token).
</para> </para>
<programlisting>pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting> <para>
pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
</para>
<para>For example:</para> <para>For example:</para>
<programlisting># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb <para> </para>
<programlisting># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
Enter a password which will be used to encrypt your keys. Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long, The password should be at least 8 characters long,
@ -253,18 +254,18 @@ pk12util: PKCS12 IMPORT SUCCESSFUL</programlisting>
<para><command>Exporting Keys and Certificates</command></para> <para><command>Exporting Keys and Certificates</command></para>
<para>Using the <command>pk12util</command> command to export certificates and keys requires both the name of the certificate to extract from the database (<option>-n</option>) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material. <para>Using the <command>pk12util</command> command to export certificates and keys requires both the name of the certificate to extract from the database (<option>-n</option>) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material.
</para> </para>
<programlisting>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting> <para>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</para>
<para>For example:</para> <para>For example:</para>
<programlisting># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb <programlisting># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb
Enter password for PKCS12 file: Enter password for PKCS12 file:
Re-enter password: </programlisting> Re-enter password: </programlisting>
<para><command>Listing Keys and Certificates</command></para> <para><command>Listing Keys and Certificates</command></para>
<para>The information in a <filename>.p12</filename> file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the <filename>.p12</filename> file. <para>The information in a <filename>.p12</filename> file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the <filename>.p12</filename> file.
</para> </para>
<programlisting>pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting> <para>pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</para>
<para>For example, this prints the default ASCII output:</para> <para>For example, this prints the default ASCII output:</para>
<programlisting># pk12util -l certs.p12 <programlisting># pk12util -l certs.p12
Enter password for PKCS12 file: Enter password for PKCS12 file:
Key(shrouded): Key(shrouded):
@ -283,9 +284,9 @@ Certificate:
Issuer: "E=personal-freemail@thawte.com,CN=Thawte Personal Freemail C Issuer: "E=personal-freemail@thawte.com,CN=Thawte Personal Freemail C
A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T
own,ST=Western Cape,C=ZA" own,ST=Western Cape,C=ZA"
....</programlisting> </programlisting>
<para>Alternatively, the <option>-r</option> prints the certificates and then exports them into separate DER binary files. This allows the certificates to be fed to another application that supports <filename>.p12</filename> files. Each certificate is written to a sequentially-number file, beginning with <filename>file0001.der</filename> and continuing through <filename>file000N.der</filename>, incrementing the number for every certificate:</para> <para>Alternatively, the <option>-r</option> prints the certificates and then exports them into separate DER binary files. This allows the certificates to be fed to another application that supports <filename>.p12</filename> files. Each certificate is written to a sequentially-number file, beginning with <filename>file0001.der</filename> and continuing through <filename>file000N.der</filename>, incrementing the number for every certificate:</para>
<programlisting># pk12util -l test.p12 -r <programlisting>pk12util -l test.p12 -r
Enter password for PKCS12 file: Enter password for PKCS12 file:
Key(shrouded): Key(shrouded):
Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
@ -297,7 +298,8 @@ Key(shrouded):
Iteration Count: 1 (0x1) Iteration Count: 1 (0x1)
Certificate Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting Certificate Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting
Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID</programlisting> Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
</programlisting>
</refsection> </refsection>
<refsection id="encryption"> <refsection id="encryption">
@ -309,86 +311,48 @@ Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) L
<varlistentry> <varlistentry>
<term>Symmetric CBC ciphers for PKCS#5 V2</term> <term>Symmetric CBC ciphers for PKCS#5 V2</term>
<listitem><para>DES_CBC</para> <listitem>
<itemizedlist> <itemizedlist>
<listitem> <listitem><para>DES-CBC</para></listitem>
<para>RC2-CBC</para> <listitem><para>RC2-CBC</para></listitem>
</listitem> <listitem><para>RC5-CBCPad</para></listitem>
<listitem> <listitem><para>DES-EDE3-CBC (the default for key encryption)</para></listitem>
<para>RC5-CBCPad</para> <listitem><para>AES-128-CBC</para></listitem>
</listitem> <listitem><para>AES-192-CBC</para></listitem>
<listitem> <listitem><para>AES-256-CBC</para></listitem>
<para>DES-EDE3-CBC (the default for key encryption)</para> <listitem><para>CAMELLIA-128-CBC</para></listitem>
</listitem> <listitem><para>CAMELLIA-192-CBC</para></listitem>
<listitem> <listitem><para>CAMELLIA-256-CBC</para></listitem>
<para>AES-128-CBC</para> </itemizedlist>
</listitem> </listitem>
<listitem>
<para>AES-192-CBC</para>
</listitem>
<listitem>
<para>AES-256-CBC</para>
</listitem>
<listitem>
<para>CAMELLIA-128-CBC</para>
</listitem>
<listitem>
<para>CAMELLIA-192-CBC</para>
</listitem>
<listitem>
<para>CAMELLIA-256-CBC</para></listitem>
</itemizedlist>
</listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>PKCS#12 PBE ciphers</term> <term>PKCS#12 PBE ciphers</term>
<listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC4</para> <listitem>
<itemizedlist> <itemizedlist>
<listitem> <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC4</para></listitem>
<para>PKCS #12 PBE with Sha1 and 40 Bit RC4</para> <listitem><para>PKCS #12 PBE with Sha1 and 40 Bit RC4</para></listitem>
</listitem> <listitem><para>PKCS #12 PBE with Sha1 and Triple DES CBC</para></listitem>
<listitem> <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</para></listitem>
<para>PKCS #12 PBE with Sha1 and Triple DES CBC</para> <listitem><para>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</para></listitem>
</listitem> <listitem><para>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</para></listitem>
<listitem> <listitem><para>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</para></listitem>
<para>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</para> <listitem><para>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</para></listitem>
</listitem> <listitem><para>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</para></listitem>
<listitem> <listitem><para>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</para></listitem>
<para>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</para> <listitem><para>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</para></listitem>
</listitem> </itemizedlist>
<listitem> </listitem>
<para>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</para>
</listitem>
<listitem>
<para>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</para>
</listitem>
<listitem>
<para>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</para>
</listitem>
<listitem>
<para>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</para>
</listitem>
<listitem>
<para>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</para>
</listitem>
<listitem>
<para>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</para></listitem>
</itemizedlist>
</listitem>
</varlistentry> </varlistentry>
<varlistentry><term>PKCS#5 PBE ciphers</term>
<varlistentry> <listitem>
<term>PKCS#5 PBE ciphers</term> <itemizedlist>
<listitem><para>PKCS #5 Password Based Encryption with MD2 and DES CBC</para> <listitem><para>PKCS #5 Password Based Encryption with MD2 and DES CBC</para></listitem>
<itemizedlist> <listitem><para>PKCS #5 Password Based Encryption with MD5 and DES CBC</para></listitem>
<listitem> <listitem><para>PKCS #5 Password Based Encryption with SHA1 and DES CBC</para></listitem>
<para>PKCS #5 Password Based Encryption with MD5 and DES CBC</para> </itemizedlist>
</listitem> </listitem>
<listitem>
<para>PKCS #5 Password Based Encryption with SHA1 and DES CBC</para></listitem>
</itemizedlist>
</listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para>With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <emphasis>no security module can perform the requested operation</emphasis>.</para> <para>With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <emphasis>no security module can perform the requested operation</emphasis>.</para>


@ -27,36 +27,37 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>signtool</command> <command>signtool</command>
<arg>-k keyName</arg>
<arg>[-h]</arg>
<arg>[-H]</arg>
<arg>[-l]</arg>
<arg>[-L]</arg>
<arg>[-M]</arg>
<arg>[-v]</arg>
<arg>[-w]</arg>
<arg>[-G nickname]</arg>
<arg>[--keysize | -s size]</arg>
<arg>[-b basename]</arg> <arg>[-b basename]</arg>
<arg>[-c Compression Level] </arg> <arg>[-c Compression Level] </arg>
<arg>[-d cert-dir] </arg> <arg>[-d cert-dir] </arg>
<arg>[-i installer script] </arg>
<arg>[-m metafile] </arg>
<arg>[-x name] </arg>
<arg>[-f filename] </arg>
<arg>[-t|--token tokenname] </arg>
<arg>[-e extension] </arg> <arg>[-e extension] </arg>
<arg>[-f filename] </arg>
<arg>[-i installer script] </arg>
<arg>[-h]</arg>
<arg>[-H]</arg>
<arg>[-v]</arg>
<arg>[-w]</arg>
<arg>[-G nickname]</arg>
<arg>[-J]</arg>
<arg>[-j directory] </arg>
<arg>-k keyName</arg>
<arg>[--keysize | -s size]</arg>
<arg>[-l]</arg>
<arg>[-L]</arg>
<arg>[-M]</arg>
<arg>[-m metafile] </arg>
<arg>[--norecurse] </arg>
<arg>[-O] </arg>
<arg>[-o] </arg> <arg>[-o] </arg>
<arg>[--outfile] </arg>
<arg>[-p password] </arg>
<arg>[-t|--token tokenname] </arg>
<arg>[-z] </arg> <arg>[-z] </arg>
<arg>[-X] </arg> <arg>[-X] </arg>
<arg>[--outfile] </arg> <arg>[-x name] </arg>
<arg>[--verbose value] </arg> <arg>[--verbose value] </arg>
<arg>[--norecurse] </arg>
<arg>[--leavearc] </arg> <arg>[--leavearc] </arg>
<arg>[-j directory] </arg>
<arg>[-Z jarfile] </arg> <arg>[-Z jarfile] </arg>
<arg>[-O] </arg>
<arg>[-p password] </arg>
<arg>directory-tree</arg> <arg>directory-tree</arg>
<arg>archive</arg> <arg>archive</arg>
<!-- this isn't the ideal formatting, since docbook can handle reqiored/optional formatting automatically, but let's make it explicit --> <!-- this isn't the ideal formatting, since docbook can handle reqiored/optional formatting automatically, but let's make it explicit -->
@ -97,7 +98,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-c#</term> <term>-c#</term>
<listitem><para> <listitem><para>
Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes. Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes.
If the -c# option is not used with either the -J or the -Z option, the default compression value used by both the -J and -Z options is 6. If the -c# option is not used with either the -J or the -Z option, the default compression value used by both the -J and -Z options is 6.
@ -123,11 +124,37 @@ The Unix version of signtool assumes ~/.netscape unless told otherwise. The NT v
Specifies a text file containing Netscape Signing Tool options and arguments in keyword=value format. All options and arguments can be expressed through this file. For more information about the syntax used with this file, see "Tips and Techniques". Specifies a text file containing Netscape Signing Tool options and arguments in keyword=value format. All options and arguments can be expressed through this file. For more information about the syntax used with this file, see "Tips and Techniques".
</para></listitem> </para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-G nickname</term>
<listitem><para>
Generates a new private-public key pair and corresponding object-signing certificate with the given nickname.
The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.
Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects.
The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token.
</para></listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-i scriptname</term> <term>-i scriptname</term>
<listitem><para> <listitem><para>
Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script. Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script.
</para></listitem> </para></listitem>
</varlistentry>
<varlistentry>
<term>-J</term>
<listitem>
<para>
Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once.
The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option.
If the -c# option is not used with the -J option, the default compression value is 6.
Note that versions 1.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages.
</para>
</listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-j directory</term> <term>-j directory</term>
@ -145,18 +172,6 @@ signtool -k MyCert -d . signdir
You may have trouble if the nickname contains a single quotation mark. To avoid problems, escape the quotation mark using the escape conventions for your platform. You may have trouble if the nickname contains a single quotation mark. To avoid problems, escape the quotation mark using the escape conventions for your platform.
It's also possible to use the -k option without signing any files or specifying a directory. For example, you can use it with the -l option to get detailed information about a particular signing certificate. It's also possible to use the -k option without signing any files or specifying a directory. For example, you can use it with the -l option to get detailed information about a particular signing certificate.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-G nickname</term>
<listitem><para>
Generates a new private-public key pair and corresponding object-signing certificate with the given nickname.
The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.
Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects.
The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token. For more information about the use of the -G option, see "Generating Test Object-Signing Certificates""Generating Test Object-Signing Certificates" on page 1241.
</para></listitem> </para></listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
@ -165,18 +180,6 @@ The -G option is available in Netscape Signing Tool 1.0 and later versions only.
Lists signing certificates, including issuing CAs. If any of your certificates are expired or invalid, the list will so specify. This option can be used with the -k option to list detailed information about a particular signing certificate. Lists signing certificates, including issuing CAs. If any of your certificates are expired or invalid, the list will so specify. This option can be used with the -k option to list detailed information about a particular signing certificate.
The -l option is available in Netscape Signing Tool 1.0 and later versions only. The -l option is available in Netscape Signing Tool 1.0 and later versions only.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-J</term>
<listitem><para>
Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once.
The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option.
If the -c# option is not used with the -J option, the default compression value is 6.
Note that versions 1.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages.
</para></listitem> </para></listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>


@ -163,7 +163,7 @@ Using the SQLite databases must be manually specified by using the <command>sql:
<para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para> <para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para>
<programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting> <programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting>
<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para> <para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>
<para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para> <para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para>
<itemizedlist> <itemizedlist>


@ -26,8 +26,8 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>libssltap</command> <command>ssltap</command>
<arg choice="opt">-vhfsxl</arg> <arg choice="opt">-fhlsvx</arg>
<arg choice="opt">-p port</arg> <arg choice="opt">-p port</arg>
<arg choice="opt">hostname:port</arg> <arg choice="opt">hostname:port</arg>
</cmdsynopsis> </cmdsynopsis>
@ -48,8 +48,10 @@
<title>Options</title> <title>Options</title>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>-v </term> <term>-f </term>
<listitem><para>Print a version string for the tool.</para></listitem> <listitem><para>
Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser.
</para></listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>-h </term> <term>-h </term>
@ -57,34 +59,6 @@
Turn on hex/ASCII printing. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters. The two parts are separated by a vertical bar. Nonprinting characters are replaced by dots. Turn on hex/ASCII printing. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters. The two parts are separated by a vertical bar. Nonprinting characters are replaced by dots.
</para></listitem> </para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-f </term>
<listitem><para>
Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser.
</para></listitem>
</varlistentry>
<varlistentry><term>-s </term>
<listitem>
<para>
Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures.
</para>
<para>
If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate.
</para>
<para>
If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-x </term>
<listitem>
<para>
Turn on hex/ASCII printing of undecoded data inside parsed SSL records. Used only with the -s option.
This option uses the same output format as the -h option.
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>-l prefix</term> <term>-l prefix</term>
<listitem> <listitem>
@ -124,6 +98,28 @@ Turn on looping; that is, continue to accept connections rather than stopping af
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>-s </term>
<listitem>
<para>
Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures.
</para>
<para>
If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate.
</para>
<para>
If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v </term>
<listitem><para>Print a version string for the tool.</para></listitem>
</varlistentry>
<varlistentry>
<term>-x </term>
<listitem><para>Turn on extra SSL hex dumps.</para></listitem>
</varlistentry>
</variablelist> </variablelist>
</refsection> </refsection>


@ -28,12 +28,12 @@ static const NameToKind name2kinds[] = {
* (See: http://www.iana.org/assignments/ldap-parameters) * (See: http://www.iana.org/assignments/ldap-parameters)
*/ */
/* RFC 3280, 4630 MUST SUPPORT */ /* RFC 3280, 4630 MUST SUPPORT */
{ "CN", 64, SEC_OID_AVA_COMMON_NAME, SEC_ASN1_DS}, { "CN", 640, SEC_OID_AVA_COMMON_NAME, SEC_ASN1_DS},
{ "ST", 128, SEC_OID_AVA_STATE_OR_PROVINCE, { "ST", 128, SEC_OID_AVA_STATE_OR_PROVINCE,
SEC_ASN1_DS}, SEC_ASN1_DS},
{ "O", 64, SEC_OID_AVA_ORGANIZATION_NAME, { "O", 128, SEC_OID_AVA_ORGANIZATION_NAME,
SEC_ASN1_DS}, SEC_ASN1_DS},
{ "OU", 64, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME, { "OU", 128, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
SEC_ASN1_DS}, SEC_ASN1_DS},
{ "dnQualifier", 32767, SEC_OID_AVA_DN_QUALIFIER, SEC_ASN1_PRINTABLE_STRING}, { "dnQualifier", 32767, SEC_OID_AVA_DN_QUALIFIER, SEC_ASN1_PRINTABLE_STRING},
{ "C", 2, SEC_OID_AVA_COUNTRY_NAME, SEC_ASN1_PRINTABLE_STRING}, { "C", 2, SEC_OID_AVA_COUNTRY_NAME, SEC_ASN1_PRINTABLE_STRING},
@ -377,7 +377,7 @@ ParseRFC1485AVA(PLArenaPool *arena, const char **pbp, const char *endptr)
char sep = 0; char sep = 0;
char tagBuf[32]; char tagBuf[32];
char valBuf[384]; char valBuf[1024];
PORT_Assert(arena); PORT_Assert(arena);
if (SECSuccess != scanTag(pbp, endptr, tagBuf, sizeof tagBuf) || if (SECSuccess != scanTag(pbp, endptr, tagBuf, sizeof tagBuf) ||
@ -889,7 +889,7 @@ get_hex_string(SECItem *data)
static SECStatus static SECStatus
AppendAVA(stringBuf *bufp, CERTAVA *ava, CertStrictnessLevel strict) AppendAVA(stringBuf *bufp, CERTAVA *ava, CertStrictnessLevel strict)
{ {
#define TMPBUF_LEN 384 #define TMPBUF_LEN 2048
const NameToKind *pn2k = name2kinds; const NameToKind *pn2k = name2kinds;
SECItem *avaValue = NULL; SECItem *avaValue = NULL;
char *unknownTag = NULL; char *unknownTag = NULL;
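Review bot: The raised limits in the `name2kinds` hunk (`"CN"` 64 to 640, `"O"` and `"OU"` 64 to 128) sit directly under the existing `/* RFC 3280, 4630 MUST SUPPORT */` comment with nothing explaining why they no longer match the 64-character upper bounds those RFCs give for these attributes. If the intent is to accept over-long values seen in real certificates, a comment saying so belongs next to the entries, for example `/* maxLen values intentionally exceed the RFC upper bounds; see bug <BUG-ID> */`. The two buffer sizes are also raised as unrelated literals (`valBuf[1024]` in ParseRFC1485AVA, `TMPBUF_LEN 2048` in AppendAVA), so a short comment on each should state which table maximum and how much escaping expansion it is sized for. Both functions continue outside their hunks, so whether every write into these buffers is bounded by `sizeof` cannot be confirmed from here and is worth checking against the new 640 limit.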


@ -7,16 +7,16 @@
/* common flags for all types of certificates */ /* common flags for all types of certificates */
#define CERTDB_TERMINAL_RECORD (1<<0) #define CERTDB_TERMINAL_RECORD (1u<<0)
#define CERTDB_TRUSTED (1<<1) #define CERTDB_TRUSTED (1u<<1)
#define CERTDB_SEND_WARN (1<<2) #define CERTDB_SEND_WARN (1u<<2)
#define CERTDB_VALID_CA (1<<3) #define CERTDB_VALID_CA (1u<<3)
#define CERTDB_TRUSTED_CA (1<<4) /* trusted for issuing server certs */ #define CERTDB_TRUSTED_CA (1u<<4) /* trusted for issuing server certs */
#define CERTDB_NS_TRUSTED_CA (1<<5) #define CERTDB_NS_TRUSTED_CA (1u<<5)
#define CERTDB_USER (1<<6) #define CERTDB_USER (1u<<6)
#define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */ #define CERTDB_TRUSTED_CLIENT_CA (1u<<7) /* trusted for issuing client certs */
#define CERTDB_INVISIBLE_CA (1<<8) /* don't show in UI */ #define CERTDB_INVISIBLE_CA (1u<<8) /* don't show in UI */
#define CERTDB_GOVT_APPROVED_CA (1<<9) /* can do strong crypto in export ver */ #define CERTDB_GOVT_APPROVED_CA (1u<<9) /* can do strong crypto in export ver */
/* old usage, to keep old programs compiling */ /* old usage, to keep old programs compiling */
/* On Windows, Mac, and Linux (and other gcc platforms), we can give compile /* On Windows, Mac, and Linux (and other gcc platforms), we can give compile


@ -137,6 +137,39 @@ const SEC_ASN1Template CERT_GeneralNamesTemplate[] = {
}; };
static struct {
CERTGeneralNameType type;
char *name;
} typesArray[] = {
{ certOtherName, "other" },
{ certRFC822Name, "email" },
{ certRFC822Name, "rfc822" },
{ certDNSName, "dns" },
{ certX400Address, "x400" },
{ certX400Address, "x400addr" },
{ certDirectoryName, "directory" },
{ certDirectoryName, "dn" },
{ certEDIPartyName, "edi" },
{ certEDIPartyName, "ediparty" },
{ certURI, "uri" },
{ certIPAddress, "ip" },
{ certIPAddress, "ipaddr" },
{ certRegisterID, "registerid" }
};
CERTGeneralNameType
CERT_GetGeneralNameTypeFromString(const char *string)
{
int types_count = sizeof(typesArray)/sizeof(typesArray[0]);
int i;
for (i=0; i < types_count; i++) {
if (PORT_Strcasecmp(string, typesArray[i].name) == 0) {
return typesArray[i].type;
}
}
return 0;
}
CERTGeneralName * CERTGeneralName *
CERT_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type) CERT_NewGeneralName(PLArenaPool *arena, CERTGeneralNameType type)
@ -1578,9 +1611,9 @@ getNameExtensionsBuiltIn(CERTCertificate *cert,
"\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75" "\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75"
"\x76\x2E\x66\x72"; "\x76\x2E\x66\x72";
const SECItem anssi_subject = {0, (char *) rawANSSISubject, const SECItem anssi_subject = {0, (unsigned char *) rawANSSISubject,
sizeof(rawANSSISubject)-1}; sizeof(rawANSSISubject)-1};
const SECItem permitFranceGovNC = {0, (char *) constraintFranceGov, const SECItem permitFranceGovNC = {0, (unsigned char *) constraintFranceGov,
sizeof(constraintFranceGov)-1}; sizeof(constraintFranceGov)-1};
if (SECITEM_ItemsAreEqual(&cert->derSubject, &anssi_subject)) { if (SECITEM_ItemsAreEqual(&cert->derSubject, &anssi_subject)) {
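Review bot: CERT_GetGeneralNameTypeFromString hands `string` to PORT_Strcasecmp without a NULL check and signals "no match" with a bare `return 0;` that nothing in the hunk documents. The commit also exports the function, so I would add a guard such as `if (!string) return 0;` and a header comment saying that 0 means the name was not recognised; callers validating user-supplied type names can then tell a miss from a real type (presumably no CERTGeneralNameType enumerator is 0, which should be confirmed against the enum). The lookup table is never written, so `static const struct { CERTGeneralNameType type; const char *name; } typesArray[]` would be the tighter declaration.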


@ -26,6 +26,9 @@ cert_DecodeGeneralNames(PLArenaPool *arena, SECItem **encodedGenName);
extern SECStatus extern SECStatus
cert_DestroyGeneralNames(CERTGeneralName *name); cert_DestroyGeneralNames(CERTGeneralName *name);
extern CERTGeneralNameType
CERT_GetGeneralNameTypeFromString(const char *string);
extern SECStatus extern SECStatus
cert_EncodeNameConstraints(CERTNameConstraints *constraints, PLArenaPool *arena, cert_EncodeNameConstraints(CERTNameConstraints *constraints, PLArenaPool *arena,
SECItem *dest); SECItem *dest);


@ -45,8 +45,8 @@
* of the comment in the CK_VERSION type definition. * of the comment in the CK_VERSION type definition.
*/ */
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 96 #define NSS_BUILTINS_LIBRARY_VERSION_MINOR 98
#define NSS_BUILTINS_LIBRARY_VERSION "1.96" #define NSS_BUILTINS_LIBRARY_VERSION "1.98"
/* These version numbers detail the semantic changes to the ckfw engine. */ /* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1


@ -56,7 +56,7 @@ extern SECItem *DSAU_DecodeDerSigToLen(const SECItem *item, unsigned int len);
/* /*
** Create a new signature context used for signing a data stream. ** Create a new signature context used for signing a data stream.
** "alg" the signature algorithm to use (e.g. SEC_OID_RSA_WITH_MD5) ** "alg" the signature algorithm to use (e.g. SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION)
** "privKey" the private key to use ** "privKey" the private key to use
*/ */
extern SGNContext *SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *privKey); extern SGNContext *SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *privKey);


@ -37,7 +37,7 @@ SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key)
* PKCS #7 algTag if we were just going to change here you might * PKCS #7 algTag if we were just going to change here you might
* ask. Well the answer is for some cards we may have to do the * ask. Well the answer is for some cards we may have to do the
* hashing on card. It may not support CKM_RSA_PKCS sign algorithm, * hashing on card. It may not support CKM_RSA_PKCS sign algorithm,
* it may just support CKM_RSA_PKCS_WITH_SHA1 and/or CKM_RSA_PKCS_WITH_MD5. * it may just support CKM_SHA1_RSA_PKCS and/or CKM_MD5_RSA_PKCS.
*/ */
/* we have a private key, not a public key, so don't pass it in */ /* we have a private key, not a public key, so don't pass it in */
rv = sec_DecodeSigAlg(NULL, alg, NULL, &signalg, &hashalg); rv = sec_DecodeSigAlg(NULL, alg, NULL, &signalg, &hashalg);


@ -664,7 +664,7 @@ $(OBJDIR)/$(PROG_PREFIX)intel-gcm-wrap$(OBJ_SUFFIX): CFLAGS += -mssse3
# symbolic names to registers, for example, # symbolic names to registers, for example,
# .set Htbl, %rdi # .set Htbl, %rdi
# So we can't use Clang's integrated assembler with intel-gcm.s. # So we can't use Clang's integrated assembler with intel-gcm.s.
ifneq (,$(findstring clang,$(AS))) ifneq (,$(findstring clang,$(shell $(AS) --version)))
$(OBJDIR)/$(PROG_PREFIX)intel-gcm$(OBJ_SUFFIX): ASFLAGS += -no-integrated-as $(OBJDIR)/$(PROG_PREFIX)intel-gcm$(OBJ_SUFFIX): ASFLAGS += -no-integrated-as
endif endif
endif endif


@ -62,7 +62,7 @@ extern SECStatus RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey * key,
/* /*
** Perform a check of private key parameters for consistency. ** Perform a check of private key parameters for consistency.
*/ */
extern SECStatus RSA_PrivateKeyCheck(RSAPrivateKey *key); extern SECStatus RSA_PrivateKeyCheck(const RSAPrivateKey *key);
/* /*
** Given only minimal private key parameters, fill in the rest of the ** Given only minimal private key parameters, fill in the rest of the


@ -214,7 +214,7 @@ RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *key,
} }
SECStatus SECStatus
RSA_PrivateKeyCheck(RSAPrivateKey *key) RSA_PrivateKeyCheck(const RSAPrivateKey *key)
{ {
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return SECFailure; return SECFailure;


@ -229,7 +229,7 @@ struct FREEBLVectorStr {
unsigned char *output, unsigned char *output,
const unsigned char *input); const unsigned char *input);
SECStatus (* p_RSA_PrivateKeyCheck)(RSAPrivateKey *key); SECStatus (* p_RSA_PrivateKeyCheck)(const RSAPrivateKey *key);
void (* p_BL_Cleanup)(void); void (* p_BL_Cleanup)(void);


@ -1353,33 +1353,8 @@ RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *key,
return rsa_PrivateKeyOp(key, output, input, PR_TRUE); return rsa_PrivateKeyOp(key, output, input, PR_TRUE);
} }
static SECStatus
swap_in_key_value(PLArenaPool *arena, mp_int *mpval, SECItem *buffer)
{
int len;
mp_err err = MP_OKAY;
memset(buffer->data, 0, buffer->len);
len = mp_unsigned_octet_size(mpval);
if (len <= 0) return SECFailure;
if ((unsigned int)len <= buffer->len) {
/* The new value is no longer than the old buffer, so use it */
err = mp_to_unsigned_octets(mpval, buffer->data, len);
if (err >= 0) err = MP_OKAY;
buffer->len = len;
} else if (arena) {
/* The new value is longer, but working within an arena */
(void)SECITEM_AllocItem(arena, buffer, len);
err = mp_to_unsigned_octets(mpval, buffer->data, len);
if (err >= 0) err = MP_OKAY;
} else {
/* The new value is longer, no arena, can't handle this key */
return SECFailure;
}
return (err == MP_OKAY) ? SECSuccess : SECFailure;
}
SECStatus SECStatus
RSA_PrivateKeyCheck(RSAPrivateKey *key) RSA_PrivateKeyCheck(const RSAPrivateKey *key)
{ {
mp_int p, q, n, psub1, qsub1, e, d, d_p, d_q, qInv, res; mp_int p, q, n, psub1, qsub1, e, d, d_p, d_q, qInv, res;
mp_err err = MP_OKAY; mp_err err = MP_OKAY;
@ -1406,6 +1381,17 @@ RSA_PrivateKeyCheck(RSAPrivateKey *key)
CHECK_MPI_OK( mp_init(&d_q) ); CHECK_MPI_OK( mp_init(&d_q) );
CHECK_MPI_OK( mp_init(&qInv) ); CHECK_MPI_OK( mp_init(&qInv) );
CHECK_MPI_OK( mp_init(&res) ); CHECK_MPI_OK( mp_init(&res) );
if (!key->modulus.data || !key->prime1.data || !key->prime2.data ||
!key->publicExponent.data || !key->privateExponent.data ||
!key->exponent1.data || !key->exponent2.data ||
!key->coefficient.data) {
/* call RSA_PopulatePrivateKey first, if the application wishes to
* recover these parameters */
err = MP_BADARG;
goto cleanup;
}
SECITEM_TO_MPINT(key->modulus, &n); SECITEM_TO_MPINT(key->modulus, &n);
SECITEM_TO_MPINT(key->prime1, &p); SECITEM_TO_MPINT(key->prime1, &p);
SECITEM_TO_MPINT(key->prime2, &q); SECITEM_TO_MPINT(key->prime2, &q);
@ -1414,18 +1400,10 @@ RSA_PrivateKeyCheck(RSAPrivateKey *key)
SECITEM_TO_MPINT(key->exponent1, &d_p); SECITEM_TO_MPINT(key->exponent1, &d_p);
SECITEM_TO_MPINT(key->exponent2, &d_q); SECITEM_TO_MPINT(key->exponent2, &d_q);
SECITEM_TO_MPINT(key->coefficient, &qInv); SECITEM_TO_MPINT(key->coefficient, &qInv);
/* p > q */ /* p > q */
if (mp_cmp(&p, &q) <= 0) { if (mp_cmp(&p, &q) <= 0) {
/* mind the p's and q's (and d_p's and d_q's) */ rv = SECFailure;
SECItem tmp; goto cleanup;
mp_exch(&p, &q);
mp_exch(&d_p,&d_q);
tmp = key->prime1;
key->prime1 = key->prime2;
key->prime2 = tmp;
tmp = key->exponent1;
key->exponent1 = key->exponent2;
key->exponent2 = tmp;
} }
#define VERIFY_MPI_EQUAL(m1, m2) \ #define VERIFY_MPI_EQUAL(m1, m2) \
if (mp_cmp(m1, m2) != 0) { \ if (mp_cmp(m1, m2) != 0) { \
@ -1437,9 +1415,6 @@ RSA_PrivateKeyCheck(RSAPrivateKey *key)
rv = SECFailure; \ rv = SECFailure; \
goto cleanup; \ goto cleanup; \
} }
/*
* The following errors cannot be recovered from.
*/
/* n == p * q */ /* n == p * q */
CHECK_MPI_OK( mp_mul(&p, &q, &res) ); CHECK_MPI_OK( mp_mul(&p, &q, &res) );
VERIFY_MPI_EQUAL(&res, &n); VERIFY_MPI_EQUAL(&res, &n);
@ -1457,28 +1432,16 @@ RSA_PrivateKeyCheck(RSAPrivateKey *key)
/* d*e == 1 mod q-1 */ /* d*e == 1 mod q-1 */
CHECK_MPI_OK( mp_mulmod(&d, &e, &qsub1, &res) ); CHECK_MPI_OK( mp_mulmod(&d, &e, &qsub1, &res) );
VERIFY_MPI_EQUAL_1(&res); VERIFY_MPI_EQUAL_1(&res);
/*
* The following errors can be recovered from.
*/
/* d_p == d mod p-1 */ /* d_p == d mod p-1 */
CHECK_MPI_OK( mp_mod(&d, &psub1, &res) ); CHECK_MPI_OK( mp_mod(&d, &psub1, &res) );
if (mp_cmp(&d_p, &res) != 0) { VERIFY_MPI_EQUAL(&res, &d_p);
/* swap in the correct value */
CHECK_SEC_OK( swap_in_key_value(key->arena, &res, &key->exponent1) );
}
/* d_q == d mod q-1 */ /* d_q == d mod q-1 */
CHECK_MPI_OK( mp_mod(&d, &qsub1, &res) ); CHECK_MPI_OK( mp_mod(&d, &qsub1, &res) );
if (mp_cmp(&d_q, &res) != 0) { VERIFY_MPI_EQUAL(&res, &d_q);
/* swap in the correct value */
CHECK_SEC_OK( swap_in_key_value(key->arena, &res, &key->exponent2) );
}
/* q * q**-1 == 1 mod p */ /* q * q**-1 == 1 mod p */
CHECK_MPI_OK( mp_mulmod(&q, &qInv, &p, &res) ); CHECK_MPI_OK( mp_mulmod(&q, &qInv, &p, &res) );
if (mp_cmp_d(&res, 1) != 0) { VERIFY_MPI_EQUAL_1(&res);
/* compute the correct value */
CHECK_MPI_OK( mp_invmod(&q, &p, &qInv) );
CHECK_SEC_OK( swap_in_key_value(key->arena, &qInv, &key->coefficient) );
}
cleanup: cleanup:
mp_clear(&n); mp_clear(&n);
mp_clear(&p); mp_clear(&p);
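Review bot: The `mp_cmp(&p, &q) <= 0` branch now fails the whole check where the old code swapped the primes, so a key that is mathematically consistent but stores prime1 < prime2 is rejected, and it is rejected with `rv = SECFailure` and no PORT_SetError visible in this hunk. None of the later checks shown here (n == p*q, d*e == 1 mod p-1 and mod q-1, d_p, d_q, q*qInv == 1 mod p) appears to depend on the ordering, so if the intent is only to rule out equal primes the condition could be `if (mp_cmp(&p, &q) == 0)` with the comment changed to `/* p and q must be distinct */`. If strict ordering is intended, a comment should say that callers must normalise the key first, and the failure should set an error code such as SEC_ERROR_BAD_KEY. The function's cleanup path continues past the end of this section, so how `rv` and `err` are mapped there is not visible.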


@ -14,13 +14,8 @@
#include "certdb.h" #include "certdb.h"
#include "certt.h" #include "certt.h"
#include "secpkcs7.h" #include "secpkcs7.h"
/*#include "cdbhdl.h" */
#include "secder.h" #include "secder.h"
/* from certdb.h */
#define CERTDB_USER (1<<6)
#define SZ 512 #define SZ 512
static int static int


@ -1053,3 +1053,12 @@ SECMOD_InternaltoPubMechFlags;
;+ local: ;+ local:
;+ *; ;+ *;
;+}; ;+};
;+NSS_3.16.2 { # NSS 3.16.2 release
;+ global:
CERT_AddExtensionByOID;
CERT_GetGeneralNameTypeFromString;
PK11_PubEncrypt;
PK11_PrivDecrypt;
;+ local:
;+ *;
;+};


@ -33,11 +33,11 @@
* The format of the version string should be * The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/ */
#define NSS_VERSION "3.15.5" _NSS_ECC_STRING _NSS_CUSTOMIZED #define NSS_VERSION "3.16.2.1" _NSS_ECC_STRING _NSS_CUSTOMIZED
#define NSS_VMAJOR 3 #define NSS_VMAJOR 3
#define NSS_VMINOR 15 #define NSS_VMINOR 16
#define NSS_VPATCH 5 #define NSS_VPATCH 2
#define NSS_VBUILD 0 #define NSS_VBUILD 1
#define NSS_BETA PR_FALSE #define NSS_BETA PR_FALSE
#ifndef RC_INVOKED #ifndef RC_INVOKED


@ -981,8 +981,15 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
* CERTCertificate, and finish * CERTCertificate, and finish
*/ */
nssPKIObject_AddInstance(&c->object, certobj); nssPKIObject_AddInstance(&c->object, certobj);
/* nssTrustDomain_AddCertsToCache may release a reference to 'c' and
* replace 'c' by a different value. So we add a reference to 'c' to
* prevent 'c' from being destroyed. */
nssCertificate_AddRef(c);
nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1); nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
/* XXX should we pass the original value of 'c' to
* STAN_ForceCERTCertificateUpdate? */
(void)STAN_ForceCERTCertificateUpdate(c); (void)STAN_ForceCERTCertificateUpdate(c);
nssCertificate_Destroy(c);
SECITEM_FreeItem(keyID,PR_TRUE); SECITEM_FreeItem(keyID,PR_TRUE);
return SECSuccess; return SECSuccess;
loser: loser:
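Review bot: The added nssCertificate_AddRef(c) and nssCertificate_Destroy(c) can act on two different objects, because, as the new comment says, nssTrustDomain_AddCertsToCache may replace `c` in between; the comment should also say why the reference counts still balance. Something like `/* if 'c' is replaced, the cache call drops our extra reference on the old object and the Destroy below drops the one held on the replacement */` would do, assuming that is the contract (it is not visible in this hunk). Any status returned by nssTrustDomain_AddCertsToCache is not checked here, so a failed cache insert would still reach `return SECSuccess`. PK11_ImportCert starts before this hunk and its loser path continues after it.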


@ -55,6 +55,11 @@ static const CK_C_INITIALIZE_ARGS secmodLockFunctions = {
CKF_OS_LOCKING_OK CKF_OS_LOCKING_OK
,NULL ,NULL
}; };
static const CK_C_INITIALIZE_ARGS secmodNoLockArgs = {
NULL, NULL, NULL, NULL,
CKF_LIBRARY_CANT_CREATE_OS_THREADS
,NULL
};
static PRBool loadSingleThreadedModules = PR_TRUE; static PRBool loadSingleThreadedModules = PR_TRUE;
static PRBool enforceAlreadyInitializedError = PR_TRUE; static PRBool enforceAlreadyInitializedError = PR_TRUE;
@ -209,12 +214,18 @@ secmod_ModuleInit(SECMODModule *mod, SECMODModule **reload,
return SECFailure; return SECFailure;
} }
if (mod->isThreadSafe == PR_FALSE) { if (mod->libraryParams == NULL) {
pInitArgs = NULL; if (mod->isThreadSafe) {
} else if (mod->libraryParams == NULL) { pInitArgs = (void *) &secmodLockFunctions;
pInitArgs = (void *) &secmodLockFunctions; } else {
pInitArgs = NULL;
}
} else { } else {
moduleArgs = secmodLockFunctions; if (mod->isThreadSafe) {
moduleArgs = secmodLockFunctions;
} else {
moduleArgs = secmodNoLockArgs;
}
moduleArgs.LibraryParameters = (void *) mod->libraryParams; moduleArgs.LibraryParameters = (void *) mod->libraryParams;
pInitArgs = &moduleArgs; pInitArgs = &moduleArgs;
} }
@ -251,18 +262,30 @@ secmod_ModuleInit(SECMODModule *mod, SECMODModule **reload,
} }
} }
if (crv != CKR_OK) { if (crv != CKR_OK) {
if (pInitArgs == NULL || if (!mod->isThreadSafe ||
crv == CKR_NETSCAPE_CERTDB_FAILED || crv == CKR_NETSCAPE_CERTDB_FAILED ||
crv == CKR_NETSCAPE_KEYDB_FAILED) { crv == CKR_NETSCAPE_KEYDB_FAILED) {
PORT_SetError(PK11_MapError(crv)); PORT_SetError(PK11_MapError(crv));
return SECFailure; return SECFailure;
} }
/* If we had attempted to init a single threaded module "with"
* parameters and it failed, should we retry "without" parameters?
* (currently we don't retry in this scenario) */
if (!loadSingleThreadedModules) { if (!loadSingleThreadedModules) {
PORT_SetError(SEC_ERROR_INCOMPATIBLE_PKCS11); PORT_SetError(SEC_ERROR_INCOMPATIBLE_PKCS11);
return SECFailure; return SECFailure;
} }
/* If we arrive here, the module failed a ThreadSafe init. */
mod->isThreadSafe = PR_FALSE; mod->isThreadSafe = PR_FALSE;
crv = PK11_GETTAB(mod)->C_Initialize(NULL); if (!mod->libraryParams) {
pInitArgs = NULL;
} else {
moduleArgs = secmodNoLockArgs;
moduleArgs.LibraryParameters = (void *) mod->libraryParams;
pInitArgs = &moduleArgs;
}
crv = PK11_GETTAB(mod)->C_Initialize(pInitArgs);
if ((CKR_CRYPTOKI_ALREADY_INITIALIZED == crv) && if ((CKR_CRYPTOKI_ALREADY_INITIALIZED == crv) &&
(!enforceAlreadyInitializedError)) { (!enforceAlreadyInitializedError)) {
*alreadyLoaded = PR_TRUE; *alreadyLoaded = PR_TRUE;
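Review bot: The choice of C_Initialize arguments is now written out twice, once before the first attempt and again in the single-threaded retry, and the two copies have to stay in step for the retry to do what the new comments describe. A small static helper that takes the module and a caller-owned CK_C_INITIALIZE_ARGS would keep the thread-safe/no-lock and params/no-params cases in one place. Both call sites would then reduce to `pInitArgs = secmod_SelectInitArgs(mod, &moduleArgs);` (the helper name is only a suggestion). secmod_ModuleInit begins before and ends after the visible hunks.

```c
/* Pick the C_Initialize argument block for mod; args is caller-owned storage. */
static void *
secmod_SelectInitArgs(const SECMODModule *mod, CK_C_INITIALIZE_ARGS *args)
{
    if (mod->libraryParams == NULL) {
        return mod->isThreadSafe ? (void *) &secmodLockFunctions : NULL;
    }
    *args = mod->isThreadSafe ? secmodLockFunctions : secmodNoLockArgs;
    args->LibraryParameters = (void *) mod->libraryParams;
    return args;
}
/* … unchanged: C_Initialize call, error mapping and retry logic … */
```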


@ -914,17 +914,11 @@ PK11_Encrypt(PK11SymKey *symKey,
return SECSuccess; return SECSuccess;
} }
/*
* Now SSL 2.0 uses raw RSA stuff. These next to functions *must* use
* RSA keys, or they'll fail. We do the checks up front. If anyone comes
* up with a meaning for rawdecrypt for any other public key operation,
* then we need to move this check into some of PK11_PubDecrypt callers,
* (namely SSL 2.0).
*/
static SECStatus static SECStatus
pk11_PrivDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, pk11_PrivDecryptRaw(SECKEYPrivateKey *key,
unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned char *data, unsigned *outLen, unsigned int maxLen,
unsigned encLen, CK_MECHANISM_PTR mech) const unsigned char *enc, unsigned encLen,
CK_MECHANISM_PTR mech)
{ {
PK11SlotInfo *slot = key->pkcs11Slot; PK11SlotInfo *slot = key->pkcs11Slot;
CK_ULONG out = maxLen; CK_ULONG out = maxLen;
@ -960,11 +954,12 @@ pk11_PrivDecryptRaw(SECKEYPrivateKey *key, unsigned char *data,
* do C_Login with CKU_CONTEXT_SPECIFIC * do C_Login with CKU_CONTEXT_SPECIFIC
* between C_DecryptInit and C_Decrypt * between C_DecryptInit and C_Decrypt
* ... But see note above about servers */ * ... But see note above about servers */
if (SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, CKA_ALWAYS_AUTHENTICATE, haslock)) { if (SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, CKA_ALWAYS_AUTHENTICATE, haslock)) {
PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE); PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE);
} }
crv = PK11_GETTAB(slot)->C_Decrypt(session,enc, encLen, data, &out); crv = PK11_GETTAB(slot)->C_Decrypt(session, (unsigned char *)enc, encLen,
data, &out);
if (haslock) PK11_ExitSlotMonitor(slot); if (haslock) PK11_ExitSlotMonitor(slot);
pk11_CloseSession(slot,session,owner); pk11_CloseSession(slot,session,owner);
*outLen = out; *outLen = out;
@ -976,41 +971,37 @@ pk11_PrivDecryptRaw(SECKEYPrivateKey *key, unsigned char *data,
} }
SECStatus SECStatus
PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, PK11_PubDecryptRaw(SECKEYPrivateKey *key,
unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned char *data, unsigned *outLen, unsigned int maxLen,
unsigned encLen) const unsigned char *enc, unsigned encLen)
{ {
CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 }; CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 };
return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech); return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech);
} }
SECStatus SECStatus
PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key, unsigned char *data, PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key,
unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned char *data, unsigned *outLen, unsigned int maxLen,
unsigned encLen) const unsigned char *enc, unsigned encLen)
{ {
CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 }; CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 };
return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech); return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech);
} }
static SECStatus static SECStatus
pk11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc, pk11_PubEncryptRaw(SECKEYPublicKey *key,
unsigned char *data, unsigned dataLen, unsigned char *out, unsigned int *outLen,
CK_MECHANISM_PTR mech, void *wincx) unsigned int maxLen,
const unsigned char *data, unsigned dataLen,
CK_MECHANISM_PTR mech, void *wincx)
{ {
PK11SlotInfo *slot; PK11SlotInfo *slot;
CK_OBJECT_HANDLE id; CK_OBJECT_HANDLE id;
CK_ULONG out; CK_ULONG len = maxLen;
PRBool owner = PR_TRUE; PRBool owner = PR_TRUE;
CK_SESSION_HANDLE session; CK_SESSION_HANDLE session;
CK_RV crv; CK_RV crv;
if (!key || key->keyType != rsaKey) {
PORT_SetError( SEC_ERROR_BAD_KEY );
return SECFailure;
}
out = SECKEY_PublicKeyStrength(key);
slot = PK11_GetBestSlotWithAttributes(mech->mechanism,CKF_ENCRYPT,0,wincx); slot = PK11_GetBestSlotWithAttributes(mech->mechanism,CKF_ENCRYPT,0,wincx);
if (slot == NULL) { if (slot == NULL) {
PORT_SetError( SEC_ERROR_NO_MODULE ); PORT_SetError( SEC_ERROR_NO_MODULE );
@ -1035,10 +1026,12 @@ pk11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
PORT_SetError( PK11_MapError(crv) ); PORT_SetError( PK11_MapError(crv) );
return SECFailure; return SECFailure;
} }
crv = PK11_GETTAB(slot)->C_Encrypt(session,data,dataLen,enc,&out); crv = PK11_GETTAB(slot)->C_Encrypt(session,(unsigned char *)data,dataLen,
out,&len);
if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
pk11_CloseSession(slot,session,owner); pk11_CloseSession(slot,session,owner);
PK11_FreeSlot(slot); PK11_FreeSlot(slot);
*outLen = len;
if (crv != CKR_OK) { if (crv != CKR_OK) {
PORT_SetError( PK11_MapError(crv) ); PORT_SetError( PK11_MapError(crv) );
return SECFailure; return SECFailure;
@ -1047,19 +1040,69 @@ pk11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
} }
SECStatus SECStatus
PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc, PK11_PubEncryptRaw(SECKEYPublicKey *key,
unsigned char *data, unsigned dataLen, void *wincx) unsigned char *enc,
const unsigned char *data, unsigned dataLen,
void *wincx)
{ {
CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 }; CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 };
return pk11_PubEncryptRaw(key, enc, data, dataLen, &mech, wincx); unsigned int outLen;
if (!key || key->keyType != rsaKey) {
PORT_SetError(SEC_ERROR_BAD_KEY);
return SECFailure;
}
outLen = SECKEY_PublicKeyStrength(key);
return pk11_PubEncryptRaw(key, enc, &outLen, outLen, data, dataLen, &mech,
wincx);
} }
SECStatus SECStatus
PK11_PubEncryptPKCS1(SECKEYPublicKey *key, unsigned char *enc, PK11_PubEncryptPKCS1(SECKEYPublicKey *key,
unsigned char *data, unsigned dataLen, void *wincx) unsigned char *enc,
const unsigned char *data, unsigned dataLen,
void *wincx)
{ {
CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 }; CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 };
return pk11_PubEncryptRaw(key, enc, data, dataLen, &mech, wincx); unsigned int outLen;
if (!key || key->keyType != rsaKey) {
PORT_SetError(SEC_ERROR_BAD_KEY);
return SECFailure;
}
outLen = SECKEY_PublicKeyStrength(key);
return pk11_PubEncryptRaw(key, enc, &outLen, outLen, data, dataLen, &mech,
wincx);
}
SECStatus
PK11_PrivDecrypt(SECKEYPrivateKey *key,
CK_MECHANISM_TYPE mechanism, SECItem *param,
unsigned char *out, unsigned int *outLen,
unsigned int maxLen,
const unsigned char *enc, unsigned encLen)
{
CK_MECHANISM mech = { mechanism, NULL, 0 };
if (param) {
mech.pParameter = param->data;
mech.ulParameterLen = param->len;
}
return pk11_PrivDecryptRaw(key, out, outLen, maxLen, enc, encLen, &mech);
}
SECStatus
PK11_PubEncrypt(SECKEYPublicKey *key,
CK_MECHANISM_TYPE mechanism, SECItem *param,
unsigned char *out, unsigned int *outLen,
unsigned int maxLen,
const unsigned char *data, unsigned dataLen,
void *wincx)
{
CK_MECHANISM mech = { mechanism, NULL, 0 };
if (param) {
mech.pParameter = param->data;
mech.ulParameterLen = param->len;
}
return pk11_PubEncryptRaw(key, out, outLen, maxLen, data, dataLen, &mech,
wincx);
} }
SECKEYPrivateKey * SECKEYPrivateKey *
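Review bot: The `!key || key->keyType != rsaKey` guard was moved out of pk11_PubEncryptRaw into PK11_PubEncryptRaw and PK11_PubEncryptPKCS1, but the new exported PK11_PubEncrypt passes `key`, `out` and `outLen` to the helper without any check, and PK11_PrivDecrypt does the same on the way to `key->pkcs11Slot`. I would open both new functions with `if (!key || !out || !outLen) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }`. Separately, pk11_PubEncryptRaw stores `*outLen = len;` before testing `crv`, so on failure the caller sees whatever the token left in `len`; either move the store below the `crv` test or add a comment that `*outLen` is meaningful only on SECSuccess. Parts of both helpers lie between the hunks and are not visible.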


@ -520,18 +520,38 @@ SECStatus PK11_Encrypt(PK11SymKey *symKey,
const unsigned char *data, unsigned int dataLen); const unsigned char *data, unsigned int dataLen);
/* note: despite the name, this function takes a private key. */ /* note: despite the name, this function takes a private key. */
SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key,
unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned encLen); unsigned char *data, unsigned *outLen,
unsigned int maxLen,
const unsigned char *enc, unsigned encLen);
#define PK11_PrivDecryptRaw PK11_PubDecryptRaw #define PK11_PrivDecryptRaw PK11_PubDecryptRaw
/* The encrypt function that complements the above decrypt function. */ /* The encrypt function that complements the above decrypt function. */
SECStatus PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc, SECStatus PK11_PubEncryptRaw(SECKEYPublicKey *key,
unsigned char *data, unsigned dataLen, void *wincx); unsigned char *enc,
const unsigned char *data, unsigned dataLen,
void *wincx);
SECStatus PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key, unsigned char *data, SECStatus PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key,
unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned encLen); unsigned char *data, unsigned *outLen,
unsigned int maxLen,
const unsigned char *enc, unsigned encLen);
/* The encrypt function that complements the above decrypt function. */ /* The encrypt function that complements the above decrypt function. */
SECStatus PK11_PubEncryptPKCS1(SECKEYPublicKey *key, unsigned char *enc, SECStatus PK11_PubEncryptPKCS1(SECKEYPublicKey *key,
unsigned char *data, unsigned dataLen, void *wincx); unsigned char *enc,
const unsigned char *data, unsigned dataLen,
void *wincx);
SECStatus PK11_PrivDecrypt(SECKEYPrivateKey *key,
CK_MECHANISM_TYPE mechanism, SECItem *param,
unsigned char *out, unsigned int *outLen,
unsigned int maxLen,
const unsigned char *enc, unsigned int encLen);
SECStatus PK11_PubEncrypt(SECKEYPublicKey *key,
CK_MECHANISM_TYPE mechanism, SECItem *param,
unsigned char *out, unsigned int *outLen,
unsigned int maxLen,
const unsigned char *data, unsigned int dataLen,
void *wincx);
SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot,
SECKEYPrivateKeyInfo *pki, SECItem *nickname, SECKEYPrivateKeyInfo *pki, SECItem *nickname,
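Review bot: The new PK11_PrivDecrypt and PK11_PubEncrypt prototypes carry no comment, so a reader of this header cannot tell what `param` and `maxLen` mean or that `param` may be NULL. Suggested text above the pair: `/* Generic forms of the calls above: "mechanism" selects the PKCS #11 mechanism, "param" (may be NULL) supplies its parameter, "maxLen" is the capacity of "out" and "*outLen" receives the length produced. */`. This matches what the implementations in this commit do with those arguments.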


@ -1372,7 +1372,7 @@ lg_GetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE handle, CK_ATTRIBUTE *templ,
{ {
LGObjectCache *obj = lg_NewObjectCache(sdb, NULL, handle & ~LG_TOKEN_MASK); LGObjectCache *obj = lg_NewObjectCache(sdb, NULL, handle & ~LG_TOKEN_MASK);
CK_RV crv, crvCollect = CKR_OK; CK_RV crv, crvCollect = CKR_OK;
int i; unsigned int i;
if (obj == NULL) { if (obj == NULL) {
return CKR_OBJECT_HANDLE_INVALID; return CKR_OBJECT_HANDLE_INVALID;
@ -1434,7 +1434,7 @@ lg_tokenMatch(SDB *sdb, const SECItem *dbKey, CK_OBJECT_HANDLE class,
{ {
PRBool match = PR_TRUE; PRBool match = PR_TRUE;
LGObjectCache *obj = lg_NewObjectCache(sdb, dbKey, class); LGObjectCache *obj = lg_NewObjectCache(sdb, dbKey, class);
int i; unsigned int i;
if (obj == NULL) { if (obj == NULL) {
return PR_FALSE; return PR_FALSE;
@ -1758,7 +1758,7 @@ lg_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE handle,
LGObjectCache *obj = lg_NewObjectCache(sdb, NULL, handle & ~LG_TOKEN_MASK); LGObjectCache *obj = lg_NewObjectCache(sdb, NULL, handle & ~LG_TOKEN_MASK);
CK_RV crv, crvCollect = CKR_OK; CK_RV crv, crvCollect = CKR_OK;
PRBool writePrivate = PR_FALSE; PRBool writePrivate = PR_FALSE;
int i; unsigned int i;
if (obj == NULL) { if (obj == NULL) {
return CKR_OBJECT_HANDLE_INVALID; return CKR_OBJECT_HANDLE_INVALID;


@ -18,7 +18,7 @@ const CK_ATTRIBUTE *
lg_FindAttribute(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ, lg_FindAttribute(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ,
CK_ULONG count ) CK_ULONG count )
{ {
int i; unsigned int i;
for (i=0; i < count; i++) { for (i=0; i < count; i++) {
if (templ[i].type == type) { if (templ[i].type == type) {
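Review bot: `unsigned int i` is compared against `CK_ULONG count` in the loop, so the index still does not have the type of its bound; where CK_ULONG is wider than unsigned int, `i` is converted on every iteration and could wrap before reaching a very large `count`. Declaring `CK_ULONG i;` removes the mismatch outright. The three `int i` to `unsigned int i` changes in the preceding file section (lg_GetAttributeValue, lg_tokenMatch, lg_SetAttributeValue) look like the same pattern, though their loop bounds are outside the visible hunks. lg_FindAttribute's body continues past this hunk.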


@ -4598,9 +4598,12 @@ nsslowcert_OpenCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
} }
return (SECSuccess); return (SECSuccess);
loser:
loser:
if (handle->dbMon) {
PZ_DestroyMonitor(handle->dbMon);
handle->dbMon = NULL;
}
PORT_SetError(SEC_ERROR_BAD_DATABASE); PORT_SetError(SEC_ERROR_BAD_DATABASE);
return(SECFailure); return(SECFailure);
} }


@ -397,18 +397,18 @@ typedef union {
#define DB_CERT_ENTRY_HEADER_LEN 10 #define DB_CERT_ENTRY_HEADER_LEN 10
/* common flags for all types of certificates */ /* common flags for all types of certificates */
#define CERTDB_TERMINAL_RECORD (1<<0) #define CERTDB_TERMINAL_RECORD (1u<<0)
#define CERTDB_TRUSTED (1<<1) #define CERTDB_TRUSTED (1u<<1)
#define CERTDB_SEND_WARN (1<<2) #define CERTDB_SEND_WARN (1u<<2)
#define CERTDB_VALID_CA (1<<3) #define CERTDB_VALID_CA (1u<<3)
#define CERTDB_TRUSTED_CA (1<<4) /* trusted for issuing server certs */ #define CERTDB_TRUSTED_CA (1u<<4) /* trusted for issuing server certs */
#define CERTDB_NS_TRUSTED_CA (1<<5) #define CERTDB_NS_TRUSTED_CA (1u<<5)
#define CERTDB_USER (1<<6) #define CERTDB_USER (1u<<6)
#define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */ #define CERTDB_TRUSTED_CLIENT_CA (1u<<7) /* trusted for issuing client certs */
#define CERTDB_INVISIBLE_CA (1<<8) /* don't show in UI */ #define CERTDB_INVISIBLE_CA (1u<<8) /* don't show in UI */
#define CERTDB_GOVT_APPROVED_CA (1<<9) /* can do strong crypto in export ver */ #define CERTDB_GOVT_APPROVED_CA (1u<<9) /* can do strong crypto in export ver */
#define CERTDB_MUST_VERIFY (1<<10) /* explicitly don't trust this cert */ #define CERTDB_MUST_VERIFY (1u<<10) /* explicitly don't trust this cert */
#define CERTDB_TRUSTED_UNKNOWN (1<<11) /* accept trust from another source */ #define CERTDB_TRUSTED_UNKNOWN (1u<<11) /* accept trust from another source */
/* bits not affected by the CKO_NETSCAPE_TRUST object */ /* bits not affected by the CKO_NETSCAPE_TRUST object */
#define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | \ #define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | \


@ -1,63 +0,0 @@
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
CORE_DEPTH = ../..
MODULE = nss
DIRS = legacydb
LIBRARY_NAME = softokn
LIBRARY_VERSION = 3
MAPFILE = $(OBJDIR)/softokn.def
DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\"
SQLITE_INCLUDE_DIR=$(DIST)/include/sqlite3
ifdef SQLITE_INCLUDE_DIR
INCLUDES += -I$(SQLITE_INCLUDE_DIR)
endif
EXPORTS = \
$(NULL)
PRIVATE_EXPORTS = \
lgglue.h \
lowkeyi.h \
lowkeyti.h \
pkcs11ni.h \
softoken.h \
softoknt.h \
softkver.h \
sdb.h \
sftkdbt.h \
$(NULL)
CSRCS = \
ecdecode.c \
fipsaudt.c \
fipstest.c \
fipstokn.c \
lgglue.c \
lowkey.c \
lowpbe.c \
padbuf.c \
pkcs11.c \
pkcs11c.c \
pkcs11u.c \
sdb.c \
sftkdb.c \
sftkhmac.c \
sftkpars.c \
sftkpwd.c \
softkver.c \
tlsprf.c \
jpakesftk.c \
$(NULL)
ifdef SQLITE_UNSAFE_THREADS
DEFINES += -DSQLITE_UNSAFE_THREADS
endif
# This part of the code, including all sub-dirs, can be optimized for size
export ALLOW_OPT_CODE_SIZE = 1


@ -266,6 +266,8 @@ static const struct mechanismList mechanisms[] = {
CKF_DUZ_IT_ALL}, PR_TRUE}, CKF_DUZ_IT_ALL}, PR_TRUE},
{CKM_RSA_PKCS_PSS, {RSA_MIN_MODULUS_BITS,CK_MAX, {CKM_RSA_PKCS_PSS, {RSA_MIN_MODULUS_BITS,CK_MAX,
CKF_SN_VR}, PR_TRUE}, CKF_SN_VR}, PR_TRUE},
{CKM_RSA_PKCS_OAEP, {RSA_MIN_MODULUS_BITS,CK_MAX,
CKF_EN_DE_WR_UN}, PR_TRUE},
#ifdef SFTK_RSA9796_SUPPORTED #ifdef SFTK_RSA9796_SUPPORTED
{CKM_RSA_9796, {RSA_MIN_MODULUS_BITS,CK_MAX, {CKM_RSA_9796, {RSA_MIN_MODULUS_BITS,CK_MAX,
CKF_DUZ_IT_ALL}, PR_TRUE}, CKF_DUZ_IT_ALL}, PR_TRUE},
@ -987,7 +989,7 @@ static NSSLOWKEYPrivateKey *
sftk_mkPrivKey(SFTKObject *object,CK_KEY_TYPE key, CK_RV *rvp); sftk_mkPrivKey(SFTKObject *object,CK_KEY_TYPE key, CK_RV *rvp);
static SECStatus static SECStatus
sftk_fillRSAPrivateKey(SFTKObject *object); sftk_verifyRSAPrivateKey(SFTKObject *object, PRBool fillIfNeeded);
/* /*
* check the consistancy and initialize a Private Key Object * check the consistancy and initialize a Private Key Object
@ -1003,12 +1005,14 @@ sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE
CK_BBOOL derive = CK_TRUE; CK_BBOOL derive = CK_TRUE;
CK_BBOOL ckfalse = CK_FALSE; CK_BBOOL ckfalse = CK_FALSE;
PRBool createObjectInfo = PR_TRUE; PRBool createObjectInfo = PR_TRUE;
PRBool fillPrivateKey = PR_FALSE;
int missing_rsa_mod_component = 0; int missing_rsa_mod_component = 0;
int missing_rsa_exp_component = 0; int missing_rsa_exp_component = 0;
int missing_rsa_crt_component = 0; int missing_rsa_crt_component = 0;
SECItem mod; SECItem mod;
CK_RV crv; CK_RV crv;
SECStatus rv;
switch (key_type) { switch (key_type) {
case CKK_RSA: case CKK_RSA:
@ -1043,19 +1047,19 @@ sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE
int have_exp = 2- missing_rsa_exp_component; int have_exp = 2- missing_rsa_exp_component;
int have_component = 5- int have_component = 5-
(missing_rsa_exp_component+missing_rsa_mod_component); (missing_rsa_exp_component+missing_rsa_mod_component);
SECStatus rv;
if ((have_exp == 0) || (have_component < 3)) { if ((have_exp == 0) || (have_component < 3)) {
/* nope, not enough to reconstruct the private key */ /* nope, not enough to reconstruct the private key */
return CKR_TEMPLATE_INCOMPLETE; return CKR_TEMPLATE_INCOMPLETE;
} }
/*fill in the missing parameters */ fillPrivateKey = PR_TRUE;
rv = sftk_fillRSAPrivateKey(object);
if (rv != SECSuccess) {
return CKR_TEMPLATE_INCOMPLETE;
}
} }
/*verify the parameters for consistency*/
rv = sftk_verifyRSAPrivateKey(object, fillPrivateKey);
if (rv != SECSuccess) {
return CKR_TEMPLATE_INCOMPLETE;
}
/* make sure Netscape DB attribute is set correctly */ /* make sure Netscape DB attribute is set correctly */
crv = sftk_Attribute2SSecItem(NULL, &mod, object, CKA_MODULUS); crv = sftk_Attribute2SSecItem(NULL, &mod, object, CKA_MODULUS);
if (crv != CKR_OK) return crv; if (crv != CKR_OK) return crv;
@ -1149,7 +1153,6 @@ sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE
if (sftk_isTrue(object,CKA_TOKEN)) { if (sftk_isTrue(object,CKA_TOKEN)) {
SFTKSlot *slot = session->slot; SFTKSlot *slot = session->slot;
SFTKDBHandle *keyHandle = sftk_getKeyDB(slot); SFTKDBHandle *keyHandle = sftk_getKeyDB(slot);
CK_RV crv;
if (keyHandle == NULL) { if (keyHandle == NULL) {
return CKR_TOKEN_WRITE_PROTECTED; return CKR_TOKEN_WRITE_PROTECTED;
@ -1940,10 +1943,11 @@ sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp)
} }
/* /*
* we have a partial rsa private key, fill in the rest * If a partial RSA private key is present, fill in the rest if necessary,
* and then verify the parameters are well-formed
*/ */
static SECStatus static SECStatus
sftk_fillRSAPrivateKey(SFTKObject *object) sftk_verifyRSAPrivateKey(SFTKObject *object, PRBool fillIfNeeded)
{ {
RSAPrivateKey tmpKey = { 0 }; RSAPrivateKey tmpKey = { 0 };
SFTKAttribute *modulus = NULL; SFTKAttribute *modulus = NULL;
@ -1951,6 +1955,9 @@ sftk_fillRSAPrivateKey(SFTKObject *object)
SFTKAttribute *prime2 = NULL; SFTKAttribute *prime2 = NULL;
SFTKAttribute *privateExponent = NULL; SFTKAttribute *privateExponent = NULL;
SFTKAttribute *publicExponent = NULL; SFTKAttribute *publicExponent = NULL;
SFTKAttribute *exponent1 = NULL;
SFTKAttribute *exponent2 = NULL;
SFTKAttribute *coefficient = NULL;
SECStatus rv; SECStatus rv;
CK_RV crv; CK_RV crv;
@ -1981,44 +1988,82 @@ sftk_fillRSAPrivateKey(SFTKObject *object)
if (publicExponent) { if (publicExponent) {
tmpKey.publicExponent.data = publicExponent->attrib.pValue; tmpKey.publicExponent.data = publicExponent->attrib.pValue;
tmpKey.publicExponent.len = publicExponent->attrib.ulValueLen; tmpKey.publicExponent.len = publicExponent->attrib.ulValueLen;
} }
exponent1 = sftk_FindAttribute(object, CKA_EXPONENT_1);
if (exponent1) {
tmpKey.exponent1.data = exponent1->attrib.pValue;
tmpKey.exponent1.len = exponent1->attrib.ulValueLen;
}
exponent2 = sftk_FindAttribute(object, CKA_EXPONENT_2);
if (exponent2) {
tmpKey.exponent2.data = exponent2->attrib.pValue;
tmpKey.exponent2.len = exponent2->attrib.ulValueLen;
}
coefficient = sftk_FindAttribute(object, CKA_COEFFICIENT);
if (coefficient) {
tmpKey.coefficient.data = coefficient->attrib.pValue;
tmpKey.coefficient.len = coefficient->attrib.ulValueLen;
}
/* if (fillIfNeeded) {
* populate requires one exponent plus 2 other components to work. /*
* we expected our caller to check that first. If that didn't happen, * populate requires one exponent plus 2 other components to work.
* populate will simply return an error here. * we expected our caller to check that first. If that didn't happen,
*/ * populate will simply return an error here.
rv = RSA_PopulatePrivateKey(&tmpKey); */
rv = RSA_PopulatePrivateKey(&tmpKey);
if (rv != SECSuccess) {
goto loser;
}
}
rv = RSA_PrivateKeyCheck(&tmpKey);
if (rv != SECSuccess) { if (rv != SECSuccess) {
goto loser; goto loser;
} }
/* now that we have a fully populated key, set all our attribute values */ /* now that we have a fully populated key, set all our attribute values */
rv = SECFailure; rv = SECFailure;
crv = sftk_forceAttribute(object,CKA_MODULUS, if (!modulus || modulus->attrib.pValue != tmpKey.modulus.data) {
sftk_item_expand(&tmpKey.modulus)); crv = sftk_forceAttribute(object,CKA_MODULUS,
if (crv != CKR_OK) goto loser; sftk_item_expand(&tmpKey.modulus));
crv = sftk_forceAttribute(object,CKA_PUBLIC_EXPONENT, if (crv != CKR_OK) goto loser;
sftk_item_expand(&tmpKey.publicExponent)); }
if (crv != CKR_OK) goto loser; if (!publicExponent ||
crv = sftk_forceAttribute(object,CKA_PRIVATE_EXPONENT, publicExponent->attrib.pValue != tmpKey.publicExponent.data) {
sftk_item_expand(&tmpKey.privateExponent)); crv = sftk_forceAttribute(object, CKA_PUBLIC_EXPONENT,
if (crv != CKR_OK) goto loser; sftk_item_expand(&tmpKey.publicExponent));
crv = sftk_forceAttribute(object,CKA_PRIME_1, if (crv != CKR_OK) goto loser;
sftk_item_expand(&tmpKey.prime1)); }
if (crv != CKR_OK) goto loser; if (!privateExponent ||
crv = sftk_forceAttribute(object,CKA_PRIME_2, privateExponent->attrib.pValue != tmpKey.privateExponent.data) {
sftk_item_expand(&tmpKey.prime2)); crv = sftk_forceAttribute(object, CKA_PRIVATE_EXPONENT,
if (crv != CKR_OK) goto loser; sftk_item_expand(&tmpKey.privateExponent));
crv = sftk_forceAttribute(object,CKA_EXPONENT_1, if (crv != CKR_OK) goto loser;
sftk_item_expand(&tmpKey.exponent1)); }
if (crv != CKR_OK) goto loser; if (!prime1 || prime1->attrib.pValue != tmpKey.prime1.data) {
crv = sftk_forceAttribute(object,CKA_EXPONENT_2, crv = sftk_forceAttribute(object, CKA_PRIME_1,
sftk_item_expand(&tmpKey.exponent2)); sftk_item_expand(&tmpKey.prime1));
if (crv != CKR_OK) goto loser; if (crv != CKR_OK) goto loser;
crv = sftk_forceAttribute(object,CKA_COEFFICIENT, }
sftk_item_expand(&tmpKey.coefficient)); if (!prime2 || prime2->attrib.pValue != tmpKey.prime2.data) {
if (crv != CKR_OK) goto loser; crv = sftk_forceAttribute(object, CKA_PRIME_2,
sftk_item_expand(&tmpKey.prime2));
if (crv != CKR_OK) goto loser;
}
if (!exponent1 || exponent1->attrib.pValue != tmpKey.exponent1.data) {
crv = sftk_forceAttribute(object, CKA_EXPONENT_1,
sftk_item_expand(&tmpKey.exponent1));
if (crv != CKR_OK) goto loser;
}
if (!exponent2 || exponent2->attrib.pValue != tmpKey.exponent2.data) {
crv = sftk_forceAttribute(object, CKA_EXPONENT_2,
sftk_item_expand(&tmpKey.exponent2));
if (crv != CKR_OK) goto loser;
}
if (!coefficient || coefficient->attrib.pValue != tmpKey.coefficient.data) {
crv = sftk_forceAttribute(object, CKA_COEFFICIENT,
sftk_item_expand(&tmpKey.coefficient));
if (crv != CKR_OK) goto loser;
}
rv = SECSuccess; rv = SECSuccess;
/* we're done (one way or the other), clean up all our stuff */ /* we're done (one way or the other), clean up all our stuff */
@ -2041,15 +2086,18 @@ loser:
if (publicExponent) { if (publicExponent) {
sftk_FreeAttribute(publicExponent); sftk_FreeAttribute(publicExponent);
} }
if (exponent1) {
sftk_FreeAttribute(exponent1);
}
if (exponent2) {
sftk_FreeAttribute(exponent2);
}
if (coefficient) {
sftk_FreeAttribute(coefficient);
}
return rv; return rv;
} }
/* Generate a low private key structure from an object */ /* Generate a low private key structure from an object */
NSSLOWKEYPrivateKey * NSSLOWKEYPrivateKey *
sftk_GetPrivKey(SFTKObject *object,CK_KEY_TYPE key_type, CK_RV *crvp) sftk_GetPrivKey(SFTKObject *object,CK_KEY_TYPE key_type, CK_RV *crvp)
@ -3128,9 +3176,6 @@ CK_RV NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
if (slot == NULL) return CKR_SLOT_ID_INVALID; if (slot == NULL) return CKR_SLOT_ID_INVALID;
pInfo->firmwareVersion.major = 0;
pInfo->firmwareVersion.minor = 0;
PORT_Memcpy(pInfo->manufacturerID,manufacturerID, PORT_Memcpy(pInfo->manufacturerID,manufacturerID,
sizeof(pInfo->manufacturerID)); sizeof(pInfo->manufacturerID));
PORT_Memcpy(pInfo->slotDescription,slot->slotDescription, PORT_Memcpy(pInfo->slotDescription,slot->slotDescription,
@ -3157,6 +3202,8 @@ CK_RV NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
/* pInfo->hardwareVersion.major = NSSLOWKEY_DB_FILE_VERSION; */ /* pInfo->hardwareVersion.major = NSSLOWKEY_DB_FILE_VERSION; */
pInfo->hardwareVersion.major = SOFTOKEN_VMAJOR; pInfo->hardwareVersion.major = SOFTOKEN_VMAJOR;
pInfo->hardwareVersion.minor = SOFTOKEN_VMINOR; pInfo->hardwareVersion.minor = SOFTOKEN_VMINOR;
pInfo->firmwareVersion.major = SOFTOKEN_VPATCH;
pInfo->firmwareVersion.minor = SOFTOKEN_VBUILD;
return CKR_OK; return CKR_OK;
} }
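Review bot: In sftk_handlePrivateKeyObject, the now-unconditional `rv = sftk_verifyRSAPrivateKey(object, fillPrivateKey);` reports every failure as `CKR_TEMPLATE_INCOMPLETE`, including a template that supplied all components but was rejected by `RSA_PrivateKeyCheck`. An application importing a malformed or inconsistent key is then told that attributes are missing, which hides the real rejection reason from callers and from logs. Consider `return fillPrivateKey ? CKR_TEMPLATE_INCOMPLETE : CKR_ATTRIBUTE_VALUE_INVALID;`. Part of sftk_verifyRSAPrivateKey lies outside the hunks shown, so if it has other failure paths a `CK_RV` out-parameter may be the cleaner fix. The pointer comparisons in front of each `sftk_forceAttribute` call also deserve a comment, presumably along the lines of `/* rewrite only the attributes whose buffer was replaced while populating the key */`.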


@ -302,6 +302,46 @@ GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech)
} }
} }
/*
* Returns true if "params" contains a valid set of PSS parameters
*/
static PRBool
sftk_ValidatePssParams(const CK_RSA_PKCS_PSS_PARAMS *params)
{
if (!params) {
return PR_FALSE;
}
if (GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL ||
GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) {
return PR_FALSE;
}
return PR_TRUE;
}
/*
* Returns true if "params" contains a valid set of OAEP parameters
*/
static PRBool
sftk_ValidateOaepParams(const CK_RSA_PKCS_OAEP_PARAMS *params)
{
if (!params) {
return PR_FALSE;
}
/* The requirements of ulSourceLen/pSourceData come from PKCS #11, which
* state:
* If the parameter is empty, pSourceData must be NULL and
* ulSourceDataLen must be zero.
*/
if (params->source != CKZ_DATA_SPECIFIED ||
(GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL) ||
(GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) ||
(params->ulSourceDataLen == 0 && params->pSourceData != NULL) ||
(params->ulSourceDataLen != 0 && params->pSourceData == NULL)) {
return PR_FALSE;
}
return PR_TRUE;
}
/* /*
* return a context based on the SFTKContext type. * return a context based on the SFTKContext type.
*/ */
@ -588,11 +628,6 @@ sftk_RSAEncryptOAEP(SFTKOAEPEncryptInfo *info, unsigned char *output,
hashAlg = GetHashTypeFromMechanism(info->params->hashAlg); hashAlg = GetHashTypeFromMechanism(info->params->hashAlg);
maskHashAlg = GetHashTypeFromMechanism(info->params->mgf); maskHashAlg = GetHashTypeFromMechanism(info->params->mgf);
if (info->params->source != CKZ_DATA_SPECIFIED) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return SECFailure;
}
return RSA_EncryptOAEP(&info->key->u.rsa, hashAlg, maskHashAlg, return RSA_EncryptOAEP(&info->key->u.rsa, hashAlg, maskHashAlg,
(const unsigned char*)info->params->pSourceData, (const unsigned char*)info->params->pSourceData,
info->params->ulSourceDataLen, NULL, 0, info->params->ulSourceDataLen, NULL, 0,
@ -617,11 +652,6 @@ sftk_RSADecryptOAEP(SFTKOAEPDecryptInfo *info, unsigned char *output,
hashAlg = GetHashTypeFromMechanism(info->params->hashAlg); hashAlg = GetHashTypeFromMechanism(info->params->hashAlg);
maskHashAlg = GetHashTypeFromMechanism(info->params->mgf); maskHashAlg = GetHashTypeFromMechanism(info->params->mgf);
if (info->params->source != CKZ_DATA_SPECIFIED) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return SECFailure;
}
rv = RSA_DecryptOAEP(&info->key->u.rsa, hashAlg, maskHashAlg, rv = RSA_DecryptOAEP(&info->key->u.rsa, hashAlg, maskHashAlg,
(const unsigned char*)info->params->pSourceData, (const unsigned char*)info->params->pSourceData,
info->params->ulSourceDataLen, info->params->ulSourceDataLen,
@ -710,19 +740,18 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
} }
context->destroy = sftk_Null; context->destroy = sftk_Null;
break; break;
/* XXX: Disabled until unit tests land.
case CKM_RSA_PKCS_OAEP: case CKM_RSA_PKCS_OAEP:
if (key_type != CKK_RSA) { if (key_type != CKK_RSA) {
crv = CKR_KEY_TYPE_INCONSISTENT; crv = CKR_KEY_TYPE_INCONSISTENT;
break; break;
} }
context->multi = PR_FALSE; if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_OAEP_PARAMS) ||
context->rsa = PR_TRUE; !sftk_ValidateOaepParams((CK_RSA_PKCS_OAEP_PARAMS*)pMechanism->pParameter)) {
if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_OAEP_PARAMS)) {
crv = CKR_MECHANISM_PARAM_INVALID; crv = CKR_MECHANISM_PARAM_INVALID;
break; break;
} }
/\* XXX: Need Parameter validation here *\/ context->multi = PR_FALSE;
context->rsa = PR_TRUE;
if (isEncrypt) { if (isEncrypt) {
SFTKOAEPEncryptInfo *info = PORT_New(SFTKOAEPEncryptInfo); SFTKOAEPEncryptInfo *info = PORT_New(SFTKOAEPEncryptInfo);
if (info == NULL) { if (info == NULL) {
@ -758,7 +787,6 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
} }
context->destroy = (SFTKDestroy) sftk_Space; context->destroy = (SFTKDestroy) sftk_Space;
break; break;
*/
case CKM_RC2_CBC_PAD: case CKM_RC2_CBC_PAD:
context->doPad = PR_TRUE; context->doPad = PR_TRUE;
/* fall thru */ /* fall thru */
@ -2386,7 +2414,8 @@ finish_rsa:
break; break;
} }
context->rsa = PR_TRUE; context->rsa = PR_TRUE;
if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS)) { if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS) ||
!sftk_ValidatePssParams((const CK_RSA_PKCS_PSS_PARAMS*)pMechanism->pParameter)) {
crv = CKR_MECHANISM_PARAM_INVALID; crv = CKR_MECHANISM_PARAM_INVALID;
break; break;
} }
@ -3023,7 +3052,8 @@ finish_rsa:
break; break;
} }
context->rsa = PR_TRUE; context->rsa = PR_TRUE;
if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS)) { if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS) ||
!sftk_ValidatePssParams((const CK_RSA_PKCS_PSS_PARAMS*)pMechanism->pParameter)) {
crv = CKR_MECHANISM_PARAM_INVALID; crv = CKR_MECHANISM_PARAM_INVALID;
break; break;
} }
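Review bot: sftk_RSAEncryptOAEP and sftk_RSADecryptOAEP lose their `source != CKZ_DATA_SPECIFIED` check and now hand `hashAlg`/`maskHashAlg` to the RSA routines relying entirely on the `sftk_ValidateOaepParams` call added in sftk_CryptInit. That holds only if `info->params` cannot change between init and use. The assignment of `info->params` is outside the hunks shown, so if it keeps the caller's `pMechanism->pParameter` pointer rather than a copy, the values validated at init are not guaranteed to be the values used later. I would copy the parameter struct at init, or keep a cheap guard in both helpers such as `if (hashAlg == HASH_AlgNULL || maskHashAlg == HASH_AlgNULL) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return SECFailure; }`. The OAEP cast in sftk_CryptInit should also be `(const CK_RSA_PKCS_OAEP_PARAMS*)`, to match the PSS call sites and the validator's signature.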


@ -25,11 +25,11 @@
* The format of the version string should be * The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/ */
#define SOFTOKEN_VERSION "3.15.5" SOFTOKEN_ECC_STRING #define SOFTOKEN_VERSION "3.16.2.1" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3 #define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 15 #define SOFTOKEN_VMINOR 16
#define SOFTOKEN_VPATCH 5 #define SOFTOKEN_VPATCH 2
#define SOFTOKEN_VBUILD 0 #define SOFTOKEN_VBUILD 1
#define SOFTOKEN_BETA PR_FALSE #define SOFTOKEN_BETA PR_FALSE
#endif /* _SOFTKVER_H_ */ #endif /* _SOFTKVER_H_ */


@ -412,3 +412,9 @@ ER3(SSL_ERROR_DIGEST_FAILURE, (SSL_ERROR_BASE + 127),
ER3(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, (SSL_ERROR_BASE + 128), ER3(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, (SSL_ERROR_BASE + 128),
"Incorrect signature algorithm specified in a digitally-signed element.") "Incorrect signature algorithm specified in a digitally-signed element.")
ER3(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK, (SSL_ERROR_BASE + 129),
"The next protocol negotiation extension was enabled, but the callback was cleared prior to being needed.")
ER3(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL, (SSL_ERROR_BASE + 130),
"The server supports no protocols that the client advertises in the ALPN extension.")


@ -51,16 +51,21 @@ static const ssl3CipherSuite nonDTLSSuites[] = {
* *
* TLS DTLS * TLS DTLS
* 1.1 (0302) 1.0 (feff) * 1.1 (0302) 1.0 (feff)
* 1.2 (0303) 1.2 (fefd)
*/ */
SSL3ProtocolVersion SSL3ProtocolVersion
dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv) dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv)
{ {
/* Anything other than TLS 1.1 is an error, so return if (tlsv == SSL_LIBRARY_VERSION_TLS_1_1) {
* the invalid version ffff. */ return SSL_LIBRARY_VERSION_DTLS_1_0_WIRE;
if (tlsv != SSL_LIBRARY_VERSION_TLS_1_1) }
return 0xffff; if (tlsv == SSL_LIBRARY_VERSION_TLS_1_2) {
return SSL_LIBRARY_VERSION_DTLS_1_2_WIRE;
}
return SSL_LIBRARY_VERSION_DTLS_1_0_WIRE; /* Anything other than TLS 1.1 or 1.2 is an error, so return
* the invalid version 0xffff. */
return 0xffff;
} }
/* Map known DTLS versions to known TLS versions. /* Map known DTLS versions to known TLS versions.
@ -71,14 +76,18 @@ SSL3ProtocolVersion
dtls_DTLSVersionToTLSVersion(SSL3ProtocolVersion dtlsv) dtls_DTLSVersionToTLSVersion(SSL3ProtocolVersion dtlsv)
{ {
if (MSB(dtlsv) == 0xff) { if (MSB(dtlsv) == 0xff) {
return 0; return 0;
} }
if (dtlsv == SSL_LIBRARY_VERSION_DTLS_1_0_WIRE) if (dtlsv == SSL_LIBRARY_VERSION_DTLS_1_0_WIRE) {
return SSL_LIBRARY_VERSION_TLS_1_1; return SSL_LIBRARY_VERSION_TLS_1_1;
}
if (dtlsv == SSL_LIBRARY_VERSION_DTLS_1_2_WIRE) {
return SSL_LIBRARY_VERSION_TLS_1_2;
}
/* Return a fictional higher version than we know of */ /* Return a fictional higher version than we know of */
return SSL_LIBRARY_VERSION_TLS_1_1 + 1; return SSL_LIBRARY_VERSION_TLS_1_2 + 1;
} }
/* On this socket, Disable non-DTLS cipher suites in the argument's list */ /* On this socket, Disable non-DTLS cipher suites in the argument's list */
@ -88,9 +97,9 @@ ssl3_DisableNonDTLSSuites(sslSocket * ss)
const ssl3CipherSuite * suite; const ssl3CipherSuite * suite;
for (suite = nonDTLSSuites; *suite; ++suite) { for (suite = nonDTLSSuites; *suite; ++suite) {
SECStatus rv = ssl3_CipherPrefSet(ss, *suite, PR_FALSE); SECStatus rv = ssl3_CipherPrefSet(ss, *suite, PR_FALSE);
PORT_Assert(rv == SECSuccess); /* else is coding error */ PORT_Assert(rv == SECSuccess); /* else is coding error */
} }
return SECSuccess; return SECSuccess;
} }
@ -101,17 +110,17 @@ ssl3_DisableNonDTLSSuites(sslSocket * ss)
*/ */
static DTLSQueuedMessage * static DTLSQueuedMessage *
dtls_AllocQueuedMessage(PRUint16 epoch, SSL3ContentType type, dtls_AllocQueuedMessage(PRUint16 epoch, SSL3ContentType type,
const unsigned char *data, PRUint32 len) const unsigned char *data, PRUint32 len)
{ {
DTLSQueuedMessage *msg = NULL; DTLSQueuedMessage *msg = NULL;
msg = PORT_ZAlloc(sizeof(DTLSQueuedMessage)); msg = PORT_ZAlloc(sizeof(DTLSQueuedMessage));
if (!msg) if (!msg)
return NULL; return NULL;
msg->data = PORT_Alloc(len); msg->data = PORT_Alloc(len);
if (!msg->data) { if (!msg->data) {
PORT_Free(msg); PORT_Free(msg);
return NULL; return NULL;
} }
PORT_Memcpy(msg->data, data, len); PORT_Memcpy(msg->data, data, len);
@ -132,7 +141,7 @@ static void
dtls_FreeHandshakeMessage(DTLSQueuedMessage *msg) dtls_FreeHandshakeMessage(DTLSQueuedMessage *msg)
{ {
if (!msg) if (!msg)
return; return;
PORT_ZFree(msg->data, msg->len); PORT_ZFree(msg->data, msg->len);
PORT_Free(msg); PORT_Free(msg);
@ -151,9 +160,9 @@ dtls_FreeHandshakeMessages(PRCList *list)
PRCList *cur_p; PRCList *cur_p;
while (!PR_CLIST_IS_EMPTY(list)) { while (!PR_CLIST_IS_EMPTY(list)) {
cur_p = PR_LIST_TAIL(list); cur_p = PR_LIST_TAIL(list);
PR_REMOVE_LINK(cur_p); PR_REMOVE_LINK(cur_p);
dtls_FreeHandshakeMessage((DTLSQueuedMessage *)cur_p); dtls_FreeHandshakeMessage((DTLSQueuedMessage *)cur_p);
} }
} }
@ -204,18 +213,18 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
} }
/* Parse the header */ /* Parse the header */
type = buf.buf[0]; type = buf.buf[0];
message_length = (buf.buf[1] << 16) | (buf.buf[2] << 8) | buf.buf[3]; message_length = (buf.buf[1] << 16) | (buf.buf[2] << 8) | buf.buf[3];
message_seq = (buf.buf[4] << 8) | buf.buf[5]; message_seq = (buf.buf[4] << 8) | buf.buf[5];
fragment_offset = (buf.buf[6] << 16) | (buf.buf[7] << 8) | buf.buf[8]; fragment_offset = (buf.buf[6] << 16) | (buf.buf[7] << 8) | buf.buf[8];
fragment_length = (buf.buf[9] << 16) | (buf.buf[10] << 8) | buf.buf[11]; fragment_length = (buf.buf[9] << 16) | (buf.buf[10] << 8) | buf.buf[11];
#define MAX_HANDSHAKE_MSG_LEN 0x1ffff /* 128k - 1 */ #define MAX_HANDSHAKE_MSG_LEN 0x1ffff /* 128k - 1 */
if (message_length > MAX_HANDSHAKE_MSG_LEN) { if (message_length > MAX_HANDSHAKE_MSG_LEN) {
(void)ssl3_DecodeError(ss); (void)ssl3_DecodeError(ss);
PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
return SECFailure; return SECFailure;
} }
#undef MAX_HANDSHAKE_MSG_LEN #undef MAX_HANDSHAKE_MSG_LEN
buf.buf += 12; buf.buf += 12;
@ -229,7 +238,7 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
} }
/* Sanity check the packet contents */ /* Sanity check the packet contents */
if ((fragment_length + fragment_offset) > message_length) { if ((fragment_length + fragment_offset) > message_length) {
PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE); PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
rv = SECFailure; rv = SECFailure;
break; break;
@ -245,8 +254,8 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
* This is the common case for short messages * This is the common case for short messages
*/ */
if ((message_seq == ss->ssl3.hs.recvMessageSeq) if ((message_seq == ss->ssl3.hs.recvMessageSeq)
&& (fragment_offset == 0) && (fragment_offset == 0)
&& (fragment_length == message_length)) { && (fragment_length == message_length)) {
/* Complete next message. Process immediately */ /* Complete next message. Process immediately */
ss->ssl3.hs.msg_type = (SSL3HandshakeType)type; ss->ssl3.hs.msg_type = (SSL3HandshakeType)type;
ss->ssl3.hs.msg_len = message_length; ss->ssl3.hs.msg_len = message_length;
@ -254,14 +263,14 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
/* At this point we are advancing our state machine, so /* At this point we are advancing our state machine, so
* we can free our last flight of messages */ * we can free our last flight of messages */
dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight); dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight);
ss->ssl3.hs.recvdHighWater = -1; ss->ssl3.hs.recvdHighWater = -1;
dtls_CancelTimer(ss); dtls_CancelTimer(ss);
/* Reset the timer to the initial value if the retry counter /* Reset the timer to the initial value if the retry counter
* is 0, per Sec. 4.2.4.1 */ * is 0, per Sec. 4.2.4.1 */
if (ss->ssl3.hs.rtRetries == 0) { if (ss->ssl3.hs.rtRetries == 0) {
ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS; ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
} }
rv = ssl3_HandleHandshakeMessage(ss, buf.buf, ss->ssl3.hs.msg_len); rv = ssl3_HandleHandshakeMessage(ss, buf.buf, ss->ssl3.hs.msg_len);
if (rv == SECFailure) { if (rv == SECFailure) {
@ -269,68 +278,68 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
break; break;
} }
} else { } else {
if (message_seq < ss->ssl3.hs.recvMessageSeq) { if (message_seq < ss->ssl3.hs.recvMessageSeq) {
/* Case 3: we do an immediate retransmit if we're /* Case 3: we do an immediate retransmit if we're
* in a waiting state*/ * in a waiting state*/
if (ss->ssl3.hs.rtTimerCb == NULL) { if (ss->ssl3.hs.rtTimerCb == NULL) {
/* Ignore */ /* Ignore */
} else if (ss->ssl3.hs.rtTimerCb == } else if (ss->ssl3.hs.rtTimerCb ==
dtls_RetransmitTimerExpiredCb) { dtls_RetransmitTimerExpiredCb) {
SSL_TRC(30, ("%d: SSL3[%d]: Retransmit detected", SSL_TRC(30, ("%d: SSL3[%d]: Retransmit detected",
SSL_GETPID(), ss->fd)); SSL_GETPID(), ss->fd));
/* Check to see if we retransmitted recently. If so, /* Check to see if we retransmitted recently. If so,
* suppress the triggered retransmit. This avoids * suppress the triggered retransmit. This avoids
* retransmit wars after packet loss. * retransmit wars after packet loss.
* This is not in RFC 5346 but should be * This is not in RFC 5346 but should be
*/ */
if ((PR_IntervalNow() - ss->ssl3.hs.rtTimerStarted) > if ((PR_IntervalNow() - ss->ssl3.hs.rtTimerStarted) >
(ss->ssl3.hs.rtTimeoutMs / 4)) { (ss->ssl3.hs.rtTimeoutMs / 4)) {
SSL_TRC(30, SSL_TRC(30,
("%d: SSL3[%d]: Shortcutting retransmit timer", ("%d: SSL3[%d]: Shortcutting retransmit timer",
SSL_GETPID(), ss->fd)); SSL_GETPID(), ss->fd));
/* Cancel the timer and call the CB, /* Cancel the timer and call the CB,
* which re-arms the timer */ * which re-arms the timer */
dtls_CancelTimer(ss); dtls_CancelTimer(ss);
dtls_RetransmitTimerExpiredCb(ss); dtls_RetransmitTimerExpiredCb(ss);
rv = SECSuccess; rv = SECSuccess;
break; break;
} else { } else {
SSL_TRC(30, SSL_TRC(30,
("%d: SSL3[%d]: We just retransmitted. Ignoring.", ("%d: SSL3[%d]: We just retransmitted. Ignoring.",
SSL_GETPID(), ss->fd)); SSL_GETPID(), ss->fd));
rv = SECSuccess; rv = SECSuccess;
break; break;
} }
} else if (ss->ssl3.hs.rtTimerCb == dtls_FinishedTimerCb) { } else if (ss->ssl3.hs.rtTimerCb == dtls_FinishedTimerCb) {
/* Retransmit the messages and re-arm the timer /* Retransmit the messages and re-arm the timer
* Note that we are not backing off the timer here. * Note that we are not backing off the timer here.
* The spec isn't clear and my reasoning is that this * The spec isn't clear and my reasoning is that this
* may be a re-ordered packet rather than slowness, * may be a re-ordered packet rather than slowness,
* so let's be aggressive. */ * so let's be aggressive. */
dtls_CancelTimer(ss); dtls_CancelTimer(ss);
rv = dtls_TransmitMessageFlight(ss); rv = dtls_TransmitMessageFlight(ss);
if (rv == SECSuccess) { if (rv == SECSuccess) {
rv = dtls_StartTimer(ss, dtls_FinishedTimerCb); rv = dtls_StartTimer(ss, dtls_FinishedTimerCb);
} }
if (rv != SECSuccess) if (rv != SECSuccess)
return rv; return rv;
break; break;
} }
} else if (message_seq > ss->ssl3.hs.recvMessageSeq) { } else if (message_seq > ss->ssl3.hs.recvMessageSeq) {
/* Case 2 /* Case 2
* *
* Ignore this message. This means we don't handle out of * Ignore this message. This means we don't handle out of
* order complete messages that well, but we're still * order complete messages that well, but we're still
* compliant and this probably does not happen often * compliant and this probably does not happen often
* *
* XXX OK for now. Maybe do something smarter at some point? * XXX OK for now. Maybe do something smarter at some point?
*/ */
} else { } else {
/* Case 1 /* Case 1
* *
* Buffer the fragment for reassembly * Buffer the fragment for reassembly
*/ */
/* Make room for the message */ /* Make room for the message */
if (ss->ssl3.hs.recvdHighWater == -1) { if (ss->ssl3.hs.recvdHighWater == -1) {
PRUint32 map_length = OFFSET_BYTE(message_length) + 1; PRUint32 map_length = OFFSET_BYTE(message_length) + 1;
@ -347,8 +356,8 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
/* Reset the reassembly map */ /* Reset the reassembly map */
ss->ssl3.hs.recvdHighWater = 0; ss->ssl3.hs.recvdHighWater = 0;
PORT_Memset(ss->ssl3.hs.recvdFragments.buf, 0, PORT_Memset(ss->ssl3.hs.recvdFragments.buf, 0,
ss->ssl3.hs.recvdFragments.space); ss->ssl3.hs.recvdFragments.space);
ss->ssl3.hs.msg_type = (SSL3HandshakeType)type; ss->ssl3.hs.msg_type = (SSL3HandshakeType)type;
ss->ssl3.hs.msg_len = message_length; ss->ssl3.hs.msg_len = message_length;
} }
@ -381,7 +390,7 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
* case of adjacent fragments received in sequence * case of adjacent fragments received in sequence
*/ */
if (fragment_offset <= ss->ssl3.hs.recvdHighWater) { if (fragment_offset <= ss->ssl3.hs.recvdHighWater) {
/* Either this is the adjacent fragment or an overlapping /* Either this is the adjacent fragment or an overlapping
* fragment */ * fragment */
ss->ssl3.hs.recvdHighWater = fragment_offset + ss->ssl3.hs.recvdHighWater = fragment_offset +
fragment_length; fragment_length;
@ -397,9 +406,9 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
/* Now figure out the new high water mark if appropriate */ /* Now figure out the new high water mark if appropriate */
for (offset = ss->ssl3.hs.recvdHighWater; for (offset = ss->ssl3.hs.recvdHighWater;
offset < ss->ssl3.hs.msg_len; offset++) { offset < ss->ssl3.hs.msg_len; offset++) {
/* Note that this loop is not efficient, since it counts /* Note that this loop is not efficient, since it counts
* bit by bit. If we have a lot of out-of-order packets, * bit by bit. If we have a lot of out-of-order packets,
* we should optimize this */ * we should optimize this */
if (ss->ssl3.hs.recvdFragments.buf[OFFSET_BYTE(offset)] & if (ss->ssl3.hs.recvdFragments.buf[OFFSET_BYTE(offset)] &
OFFSET_MASK(offset)) { OFFSET_MASK(offset)) {
ss->ssl3.hs.recvdHighWater++; ss->ssl3.hs.recvdHighWater++;
@ -418,25 +427,25 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
if (rv == SECFailure) if (rv == SECFailure)
break; /* Skip rest of record */ break; /* Skip rest of record */
/* At this point we are advancing our state machine, so /* At this point we are advancing our state machine, so
* we can free our last flight of messages */ * we can free our last flight of messages */
dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight); dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight);
dtls_CancelTimer(ss); dtls_CancelTimer(ss);
/* If there have been no retries this time, reset the /* If there have been no retries this time, reset the
* timer value to the default per Section 4.2.4.1 */ * timer value to the default per Section 4.2.4.1 */
if (ss->ssl3.hs.rtRetries == 0) { if (ss->ssl3.hs.rtRetries == 0) {
ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS; ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
} }
} }
} }
} }
buf.buf += fragment_length; buf.buf += fragment_length;
buf.len -= fragment_length; buf.len -= fragment_length;
} }
origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */ origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */
/* XXX OK for now. In future handle rv == SECWouldBlock safely in order /* XXX OK for now. In future handle rv == SECWouldBlock safely in order
* to deal with asynchronous certificate verification */ * to deal with asynchronous certificate verification */
@ -461,10 +470,10 @@ SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type,
msg = dtls_AllocQueuedMessage(ss->ssl3.cwSpec->epoch, type, pIn, nIn); msg = dtls_AllocQueuedMessage(ss->ssl3.cwSpec->epoch, type, pIn, nIn);
if (!msg) { if (!msg) {
PORT_SetError(SEC_ERROR_NO_MEMORY); PORT_SetError(SEC_ERROR_NO_MEMORY);
rv = SECFailure; rv = SECFailure;
} else { } else {
PR_APPEND_LINK(&msg->link, &ss->ssl3.hs.lastMessageFlight); PR_APPEND_LINK(&msg->link, &ss->ssl3.hs.lastMessageFlight);
} }
return rv; return rv;
@ -490,7 +499,7 @@ dtls_StageHandshakeMessage(sslSocket *ss)
/* This function is sometimes called when no data is actually to /* This function is sometimes called when no data is actually to
* be staged, so just return SECSuccess. */ * be staged, so just return SECSuccess. */
if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len) if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
return rv; return rv;
rv = dtls_QueueMessage(ss, content_handshake, rv = dtls_QueueMessage(ss, content_handshake,
ss->sec.ci.sendBuf.buf, ss->sec.ci.sendBuf.len); ss->sec.ci.sendBuf.buf, ss->sec.ci.sendBuf.len);
@ -522,11 +531,11 @@ dtls_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags)
rv = dtls_TransmitMessageFlight(ss); rv = dtls_TransmitMessageFlight(ss);
if (rv != SECSuccess) if (rv != SECSuccess)
return rv; return rv;
if (!(flags & ssl_SEND_FLAG_NO_RETRANSMIT)) { if (!(flags & ssl_SEND_FLAG_NO_RETRANSMIT)) {
ss->ssl3.hs.rtRetries = 0; ss->ssl3.hs.rtRetries = 0;
rv = dtls_StartTimer(ss, dtls_RetransmitTimerExpiredCb); rv = dtls_StartTimer(ss, dtls_RetransmitTimerExpiredCb);
} }
} }
return rv; return rv;
@ -546,22 +555,22 @@ dtls_RetransmitTimerExpiredCb(sslSocket *ss)
ss->ssl3.hs.rtRetries++; ss->ssl3.hs.rtRetries++;
if (!(ss->ssl3.hs.rtRetries % 3)) { if (!(ss->ssl3.hs.rtRetries % 3)) {
/* If one of the messages was potentially greater than > MTU, /* If one of the messages was potentially greater than > MTU,
* then downgrade. Do this every time we have retransmitted a * then downgrade. Do this every time we have retransmitted a
* message twice, per RFC 6347 Sec. 4.1.1 */ * message twice, per RFC 6347 Sec. 4.1.1 */
dtls_SetMTU(ss, ss->ssl3.hs.maxMessageSent - 1); dtls_SetMTU(ss, ss->ssl3.hs.maxMessageSent - 1);
} }
rv = dtls_TransmitMessageFlight(ss); rv = dtls_TransmitMessageFlight(ss);
if (rv == SECSuccess) { if (rv == SECSuccess) {
/* Re-arm the timer */ /* Re-arm the timer */
rv = dtls_RestartTimer(ss, PR_TRUE, dtls_RetransmitTimerExpiredCb); rv = dtls_RestartTimer(ss, PR_TRUE, dtls_RetransmitTimerExpiredCb);
} }
if (rv == SECFailure) { if (rv == SECFailure) {
/* XXX OK for now. In future maybe signal the stack that we couldn't /* XXX OK for now. In future maybe signal the stack that we couldn't
* transmit. For now, let the read handle any real network errors */ * transmit. For now, let the read handle any real network errors */
} }
} }
@ -591,87 +600,87 @@ dtls_TransmitMessageFlight(sslSocket *ss)
*/ */
PORT_Assert(!ss->pendingBuf.len); PORT_Assert(!ss->pendingBuf.len);
for (msg_p = PR_LIST_HEAD(&ss->ssl3.hs.lastMessageFlight); for (msg_p = PR_LIST_HEAD(&ss->ssl3.hs.lastMessageFlight);
msg_p != &ss->ssl3.hs.lastMessageFlight; msg_p != &ss->ssl3.hs.lastMessageFlight;
msg_p = PR_NEXT_LINK(msg_p)) { msg_p = PR_NEXT_LINK(msg_p)) {
DTLSQueuedMessage *msg = (DTLSQueuedMessage *)msg_p; DTLSQueuedMessage *msg = (DTLSQueuedMessage *)msg_p;
/* The logic here is: /* The logic here is:
* *
* 1. If this is a message that will not fit into the remaining * 1. If this is a message that will not fit into the remaining
* space, then flush. * space, then flush.
* 2. If the message will now fit into the remaining space, * 2. If the message will now fit into the remaining space,
* encrypt, buffer, and loop. * encrypt, buffer, and loop.
* 3. If the message will not fit, then fragment. * 3. If the message will not fit, then fragment.
* *
* At the end of the function, flush. * At the end of the function, flush.
*/ */
if ((msg->len + SSL3_BUFFER_FUDGE) > room_left) { if ((msg->len + SSL3_BUFFER_FUDGE) > room_left) {
/* The message will not fit into the remaining space, so flush */ /* The message will not fit into the remaining space, so flush */
rv = dtls_SendSavedWriteData(ss); rv = dtls_SendSavedWriteData(ss);
if (rv != SECSuccess) if (rv != SECSuccess)
break; break;
room_left = ss->ssl3.mtu; room_left = ss->ssl3.mtu;
} }
if ((msg->len + SSL3_BUFFER_FUDGE) <= room_left) { if ((msg->len + SSL3_BUFFER_FUDGE) <= room_left) {
/* The message will fit, so encrypt and then continue with the /* The message will fit, so encrypt and then continue with the
* next packet */ * next packet */
sent = ssl3_SendRecord(ss, msg->epoch, msg->type, sent = ssl3_SendRecord(ss, msg->epoch, msg->type,
msg->data, msg->len, msg->data, msg->len,
ssl_SEND_FLAG_FORCE_INTO_BUFFER | ssl_SEND_FLAG_FORCE_INTO_BUFFER |
ssl_SEND_FLAG_USE_EPOCH); ssl_SEND_FLAG_USE_EPOCH);
if (sent != msg->len) { if (sent != msg->len) {
rv = SECFailure; rv = SECFailure;
if (sent != -1) { if (sent != -1) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
} }
break; break;
} }
room_left = ss->ssl3.mtu - ss->pendingBuf.len; room_left = ss->ssl3.mtu - ss->pendingBuf.len;
} else { } else {
/* The message will not fit, so fragment. /* The message will not fit, so fragment.
* *
* XXX OK for now. Arrange to coalesce the last fragment * XXX OK for now. Arrange to coalesce the last fragment
* of this message with the next message if possible. * of this message with the next message if possible.
* That would be more efficient. * That would be more efficient.
*/ */
PRUint32 fragment_offset = 0; PRUint32 fragment_offset = 0;
unsigned char fragment[DTLS_MAX_MTU]; /* >= than largest unsigned char fragment[DTLS_MAX_MTU]; /* >= than largest
* plausible MTU */ * plausible MTU */
/* Assert that we have already flushed */ /* Assert that we have already flushed */
PORT_Assert(room_left == ss->ssl3.mtu); PORT_Assert(room_left == ss->ssl3.mtu);
/* Case 3: We now need to fragment this message /* Case 3: We now need to fragment this message
* DTLS only supports fragmenting handshaking messages */ * DTLS only supports fragmenting handshaking messages */
PORT_Assert(msg->type == content_handshake); PORT_Assert(msg->type == content_handshake);
/* The headers consume 12 bytes so the smalles possible /* The headers consume 12 bytes so the smalles possible
* message (i.e., an empty one) is 12 bytes * message (i.e., an empty one) is 12 bytes
*/ */
PORT_Assert(msg->len >= 12); PORT_Assert(msg->len >= 12);
while ((fragment_offset + 12) < msg->len) { while ((fragment_offset + 12) < msg->len) {
PRUint32 fragment_len; PRUint32 fragment_len;
const unsigned char *content = msg->data + 12; const unsigned char *content = msg->data + 12;
PRUint32 content_len = msg->len - 12; PRUint32 content_len = msg->len - 12;
/* The reason we use 8 here is that that's the length of /* The reason we use 8 here is that that's the length of
* the new DTLS data that we add to the header */ * the new DTLS data that we add to the header */
fragment_len = PR_MIN(room_left - (SSL3_BUFFER_FUDGE + 8), fragment_len = PR_MIN(room_left - (SSL3_BUFFER_FUDGE + 8),
content_len - fragment_offset); content_len - fragment_offset);
PORT_Assert(fragment_len < DTLS_MAX_MTU - 12); PORT_Assert(fragment_len < DTLS_MAX_MTU - 12);
/* Make totally sure that we are within the buffer. /* Make totally sure that we are within the buffer.
* Note that the only way that fragment len could get * Note that the only way that fragment len could get
* adjusted here is if * adjusted here is if
* *
* (a) we are in release mode so the PORT_Assert is compiled out * (a) we are in release mode so the PORT_Assert is compiled out
* (b) either the MTU table is inconsistent with DTLS_MAX_MTU * (b) either the MTU table is inconsistent with DTLS_MAX_MTU
* or ss->ssl3.mtu has become corrupt. * or ss->ssl3.mtu has become corrupt.
*/ */
fragment_len = PR_MIN(fragment_len, DTLS_MAX_MTU - 12); fragment_len = PR_MIN(fragment_len, DTLS_MAX_MTU - 12);
/* Construct an appropriate-sized fragment */ /* Construct an appropriate-sized fragment */
/* Type, length, sequence */ /* Type, length, sequence */
@ -691,25 +700,25 @@ dtls_TransmitMessageFlight(sslSocket *ss)
fragment_len); fragment_len);
/* /*
* Send the record. We do this in two stages * Send the record. We do this in two stages
* 1. Encrypt * 1. Encrypt
*/ */
sent = ssl3_SendRecord(ss, msg->epoch, msg->type, sent = ssl3_SendRecord(ss, msg->epoch, msg->type,
fragment, fragment_len + 12, fragment, fragment_len + 12,
ssl_SEND_FLAG_FORCE_INTO_BUFFER | ssl_SEND_FLAG_FORCE_INTO_BUFFER |
ssl_SEND_FLAG_USE_EPOCH); ssl_SEND_FLAG_USE_EPOCH);
if (sent != (fragment_len + 12)) { if (sent != (fragment_len + 12)) {
rv = SECFailure; rv = SECFailure;
if (sent != -1) { if (sent != -1) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
} }
break; break;
} }
/* 2. Flush */ /* 2. Flush */
rv = dtls_SendSavedWriteData(ss); rv = dtls_SendSavedWriteData(ss);
if (rv != SECSuccess) if (rv != SECSuccess)
break; break;
fragment_offset += fragment_len; fragment_offset += fragment_len;
} }
@ -718,7 +727,7 @@ dtls_TransmitMessageFlight(sslSocket *ss)
/* Finally, we need to flush */ /* Finally, we need to flush */
if (rv == SECSuccess) if (rv == SECSuccess)
rv = dtls_SendSavedWriteData(ss); rv = dtls_SendSavedWriteData(ss);
/* Give up the locks */ /* Give up the locks */
ssl_ReleaseSpecReadLock(ss); ssl_ReleaseSpecReadLock(ss);
@ -740,19 +749,19 @@ SECStatus dtls_SendSavedWriteData(sslSocket *ss)
sent = ssl_SendSavedWriteData(ss); sent = ssl_SendSavedWriteData(ss);
if (sent < 0) if (sent < 0)
return SECFailure; return SECFailure;
/* We should always have complete writes b/c datagram sockets /* We should always have complete writes b/c datagram sockets
* don't really block */ * don't really block */
if (ss->pendingBuf.len > 0) { if (ss->pendingBuf.len > 0) {
ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE); ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
return SECFailure; return SECFailure;
} }
/* Update the largest message sent so we can adjust the MTU /* Update the largest message sent so we can adjust the MTU
* estimate if necessary */ * estimate if necessary */
if (sent > ss->ssl3.hs.maxMessageSent) if (sent > ss->ssl3.hs.maxMessageSent)
ss->ssl3.hs.maxMessageSent = sent; ss->ssl3.hs.maxMessageSent = sent;
return SECSuccess; return SECSuccess;
} }
@ -767,16 +776,16 @@ SECStatus dtls_SendSavedWriteData(sslSocket *ss)
SECStatus SECStatus
dtls_CompressMACEncryptRecord(sslSocket * ss, dtls_CompressMACEncryptRecord(sslSocket * ss,
DTLSEpoch epoch, DTLSEpoch epoch,
PRBool use_epoch, PRBool use_epoch,
SSL3ContentType type, SSL3ContentType type,
const SSL3Opaque * pIn, const SSL3Opaque * pIn,
PRUint32 contentLen, PRUint32 contentLen,
sslBuffer * wrBuf) sslBuffer * wrBuf)
{ {
SECStatus rv = SECFailure; SECStatus rv = SECFailure;
ssl3CipherSpec * cwSpec; ssl3CipherSpec * cwSpec;
ssl_GetSpecReadLock(ss); /********************************/ ssl_GetSpecReadLock(ss); /********************************/
/* The reason for this switch-hitting code is that we might have /* The reason for this switch-hitting code is that we might have
* a flight of records spanning an epoch boundary, e.g., * a flight of records spanning an epoch boundary, e.g.,
@ -789,23 +798,23 @@ dtls_CompressMACEncryptRecord(sslSocket * ss,
* about which epoch to use is carried with the record. * about which epoch to use is carried with the record.
*/ */
if (use_epoch) { if (use_epoch) {
if (ss->ssl3.cwSpec->epoch == epoch) if (ss->ssl3.cwSpec->epoch == epoch)
cwSpec = ss->ssl3.cwSpec; cwSpec = ss->ssl3.cwSpec;
else if (ss->ssl3.pwSpec->epoch == epoch) else if (ss->ssl3.pwSpec->epoch == epoch)
cwSpec = ss->ssl3.pwSpec; cwSpec = ss->ssl3.pwSpec;
else else
cwSpec = NULL; cwSpec = NULL;
} else { } else {
cwSpec = ss->ssl3.cwSpec; cwSpec = ss->ssl3.cwSpec;
} }
if (cwSpec) { if (cwSpec) {
rv = ssl3_CompressMACEncryptRecord(cwSpec, ss->sec.isServer, PR_TRUE, rv = ssl3_CompressMACEncryptRecord(cwSpec, ss->sec.isServer, PR_TRUE,
PR_FALSE, type, pIn, contentLen, PR_FALSE, type, pIn, contentLen,
wrBuf); wrBuf);
} else { } else {
PR_NOT_REACHED("Couldn't find a cipher spec matching epoch"); PR_NOT_REACHED("Couldn't find a cipher spec matching epoch");
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
} }
ssl_ReleaseSpecReadLock(ss); /************************************/ ssl_ReleaseSpecReadLock(ss); /************************************/
@ -838,9 +847,9 @@ SECStatus
dtls_RestartTimer(sslSocket *ss, PRBool backoff, DTLSTimerCb cb) dtls_RestartTimer(sslSocket *ss, PRBool backoff, DTLSTimerCb cb)
{ {
if (backoff) { if (backoff) {
ss->ssl3.hs.rtTimeoutMs *= 2; ss->ssl3.hs.rtTimeoutMs *= 2;
if (ss->ssl3.hs.rtTimeoutMs > MAX_DTLS_TIMEOUT_MS) if (ss->ssl3.hs.rtTimeoutMs > MAX_DTLS_TIMEOUT_MS)
ss->ssl3.hs.rtTimeoutMs = MAX_DTLS_TIMEOUT_MS; ss->ssl3.hs.rtTimeoutMs = MAX_DTLS_TIMEOUT_MS;
} }
return dtls_StartTimer(ss, cb); return dtls_StartTimer(ss, cb);
@ -868,18 +877,18 @@ void
dtls_CheckTimer(sslSocket *ss) dtls_CheckTimer(sslSocket *ss)
{ {
if (!ss->ssl3.hs.rtTimerCb) if (!ss->ssl3.hs.rtTimerCb)
return; return;
if ((PR_IntervalNow() - ss->ssl3.hs.rtTimerStarted) > if ((PR_IntervalNow() - ss->ssl3.hs.rtTimerStarted) >
PR_MillisecondsToInterval(ss->ssl3.hs.rtTimeoutMs)) { PR_MillisecondsToInterval(ss->ssl3.hs.rtTimeoutMs)) {
/* Timer has expired */ /* Timer has expired */
DTLSTimerCb cb = ss->ssl3.hs.rtTimerCb; DTLSTimerCb cb = ss->ssl3.hs.rtTimerCb;
/* Cancel the timer so that we can call the CB safely */
dtls_CancelTimer(ss);
/* Now call the CB */ /* Cancel the timer so that we can call the CB safely */
cb(ss); dtls_CancelTimer(ss);
/* Now call the CB */
cb(ss);
} }
} }
@ -928,17 +937,17 @@ dtls_SetMTU(sslSocket *ss, PRUint16 advertised)
int i; int i;
if (advertised == 0) { if (advertised == 0) {
ss->ssl3.mtu = COMMON_MTU_VALUES[0]; ss->ssl3.mtu = COMMON_MTU_VALUES[0];
SSL_TRC(30, ("Resetting MTU to %d", ss->ssl3.mtu)); SSL_TRC(30, ("Resetting MTU to %d", ss->ssl3.mtu));
return; return;
} }
for (i = 0; i < PR_ARRAY_SIZE(COMMON_MTU_VALUES); i++) { for (i = 0; i < PR_ARRAY_SIZE(COMMON_MTU_VALUES); i++) {
if (COMMON_MTU_VALUES[i] <= advertised) { if (COMMON_MTU_VALUES[i] <= advertised) {
ss->ssl3.mtu = COMMON_MTU_VALUES[i]; ss->ssl3.mtu = COMMON_MTU_VALUES[i];
SSL_TRC(30, ("Resetting MTU to %d", ss->ssl3.mtu)); SSL_TRC(30, ("Resetting MTU to %d", ss->ssl3.mtu));
return; return;
} }
} }
/* Fallback */ /* Fallback */
@ -953,57 +962,57 @@ dtls_SetMTU(sslSocket *ss, PRUint16 advertised)
SECStatus SECStatus
dtls_HandleHelloVerifyRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) dtls_HandleHelloVerifyRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
{ {
int errCode = SSL_ERROR_RX_MALFORMED_HELLO_VERIFY_REQUEST; int errCode = SSL_ERROR_RX_MALFORMED_HELLO_VERIFY_REQUEST;
SECStatus rv; SECStatus rv;
PRInt32 temp; PRInt32 temp;
SECItem cookie = {siBuffer, NULL, 0}; SECItem cookie = {siBuffer, NULL, 0};
SSL3AlertDescription desc = illegal_parameter; SSL3AlertDescription desc = illegal_parameter;
SSL_TRC(3, ("%d: SSL3[%d]: handle hello_verify_request handshake", SSL_TRC(3, ("%d: SSL3[%d]: handle hello_verify_request handshake",
SSL_GETPID(), ss->fd)); SSL_GETPID(), ss->fd));
PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
if (ss->ssl3.hs.ws != wait_server_hello) { if (ss->ssl3.hs.ws != wait_server_hello) {
errCode = SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST; errCode = SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST;
desc = unexpected_message; desc = unexpected_message;
goto alert_loser; goto alert_loser;
} }
/* The version */ /* The version */
temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
if (temp < 0) { if (temp < 0) {
goto loser; /* alert has been sent */ goto loser; /* alert has been sent */
} }
if (temp != SSL_LIBRARY_VERSION_DTLS_1_0_WIRE) { if (temp != SSL_LIBRARY_VERSION_DTLS_1_0_WIRE &&
/* Note: this will need adjustment for DTLS 1.2 per Section 4.2.1 */ temp != SSL_LIBRARY_VERSION_DTLS_1_2_WIRE) {
goto alert_loser; goto alert_loser;
} }
/* The cookie */ /* The cookie */
rv = ssl3_ConsumeHandshakeVariable(ss, &cookie, 1, &b, &length); rv = ssl3_ConsumeHandshakeVariable(ss, &cookie, 1, &b, &length);
if (rv != SECSuccess) { if (rv != SECSuccess) {
goto loser; /* alert has been sent */ goto loser; /* alert has been sent */
} }
if (cookie.len > DTLS_COOKIE_BYTES) { if (cookie.len > DTLS_COOKIE_BYTES) {
desc = decode_error; desc = decode_error;
goto alert_loser; /* malformed. */ goto alert_loser; /* malformed. */
} }
PORT_Memcpy(ss->ssl3.hs.cookie, cookie.data, cookie.len); PORT_Memcpy(ss->ssl3.hs.cookie, cookie.data, cookie.len);
ss->ssl3.hs.cookieLen = cookie.len; ss->ssl3.hs.cookieLen = cookie.len;
ssl_GetXmitBufLock(ss); /*******************************/ ssl_GetXmitBufLock(ss); /*******************************/
/* Now re-send the client hello */ /* Now re-send the client hello */
rv = ssl3_SendClientHello(ss, PR_TRUE); rv = ssl3_SendClientHello(ss, PR_TRUE);
ssl_ReleaseXmitBufLock(ss); /*******************************/ ssl_ReleaseXmitBufLock(ss); /*******************************/
if (rv == SECSuccess) if (rv == SECSuccess)
return rv; return rv;
alert_loser: alert_loser:
(void)SSL3_SendAlert(ss, alert_fatal, desc); (void)SSL3_SendAlert(ss, alert_fatal, desc);
@ -1042,14 +1051,14 @@ dtls_RecordGetRecvd(DTLSRecvdRecords *records, PRUint64 seq)
/* Out of range to the left */ /* Out of range to the left */
if (seq < records->left) { if (seq < records->left) {
return -1; return -1;
} }
/* Out of range to the right; since we advance the window on /* Out of range to the right; since we advance the window on
* receipt, that means that this packet has not been received * receipt, that means that this packet has not been received
* yet */ * yet */
if (seq > records->right) if (seq > records->right)
return 0; return 0;
offset = seq % DTLS_RECVD_RECORDS_WINDOW; offset = seq % DTLS_RECVD_RECORDS_WINDOW;
@ -1066,34 +1075,34 @@ dtls_RecordSetRecvd(DTLSRecvdRecords *records, PRUint64 seq)
PRUint64 offset; PRUint64 offset;
if (seq < records->left) if (seq < records->left)
return; return;
if (seq > records->right) { if (seq > records->right) {
PRUint64 new_left; PRUint64 new_left;
PRUint64 new_right; PRUint64 new_right;
PRUint64 right; PRUint64 right;
/* Slide to the right; this is the tricky part /* Slide to the right; this is the tricky part
* *
* 1. new_top is set to have room for seq, on the * 1. new_top is set to have room for seq, on the
* next byte boundary by setting the right 8 * next byte boundary by setting the right 8
* bits of seq * bits of seq
* 2. new_left is set to compensate. * 2. new_left is set to compensate.
* 3. Zero all bits between top and new_top. Since * 3. Zero all bits between top and new_top. Since
* this is a ring, this zeroes everything as-yet * this is a ring, this zeroes everything as-yet
* unseen. Because we always operate on byte * unseen. Because we always operate on byte
* boundaries, we can zero one byte at a time * boundaries, we can zero one byte at a time
*/ */
new_right = seq | 0x07; new_right = seq | 0x07;
new_left = (new_right - DTLS_RECVD_RECORDS_WINDOW) + 1; new_left = (new_right - DTLS_RECVD_RECORDS_WINDOW) + 1;
for (right = records->right + 8; right <= new_right; right += 8) { for (right = records->right + 8; right <= new_right; right += 8) {
offset = right % DTLS_RECVD_RECORDS_WINDOW; offset = right % DTLS_RECVD_RECORDS_WINDOW;
records->data[offset / 8] = 0; records->data[offset / 8] = 0;
} }
records->right = new_right; records->right = new_right;
records->left = new_left; records->left = new_left;
} }
offset = seq % DTLS_RECVD_RECORDS_WINDOW; offset = seq % DTLS_RECVD_RECORDS_WINDOW;


@ -633,6 +633,7 @@ ssl3_CipherSuiteAllowedForVersionRange(
* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA: never implemented * TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA: never implemented
*/ */
return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0; return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0;
case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
case TLS_RSA_WITH_AES_256_CBC_SHA256: case TLS_RSA_WITH_AES_256_CBC_SHA256:
case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
@ -645,6 +646,31 @@ ssl3_CipherSuiteAllowedForVersionRange(
case TLS_RSA_WITH_AES_128_GCM_SHA256: case TLS_RSA_WITH_AES_128_GCM_SHA256:
case TLS_RSA_WITH_NULL_SHA256: case TLS_RSA_WITH_NULL_SHA256:
return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2; return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2;
/* RFC 4492: ECC cipher suites need TLS extensions to negotiate curves and
* point formats.*/
case TLS_ECDH_ECDSA_WITH_NULL_SHA:
case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
case TLS_ECDHE_ECDSA_WITH_NULL_SHA:
case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
case TLS_ECDH_RSA_WITH_NULL_SHA:
case TLS_ECDH_RSA_WITH_RC4_128_SHA:
case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
case TLS_ECDHE_RSA_WITH_NULL_SHA:
case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_0;
default: default:
return PR_TRUE; return PR_TRUE;
} }
@ -3471,6 +3497,14 @@ ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
SSL_GETPID(), ss->fd)); SSL_GETPID(), ss->fd));
if (ws != wait_change_cipher) { if (ws != wait_change_cipher) {
if (IS_DTLS(ss)) {
/* Ignore this because it's out of order. */
SSL_TRC(3, ("%d: SSL3[%d]: discard out of order "
"DTLS change_cipher_spec",
SSL_GETPID(), ss->fd));
buf->len = 0;
return SECSuccess;
}
(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER); PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
return SECFailure; return SECFailure;
@ -5171,7 +5205,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
rv = ssl3_AppendHandshakeVariable( rv = ssl3_AppendHandshakeVariable(
ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1); ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
else else
rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); rv = ssl3_AppendHandshakeNumber(ss, 0, 1);
if (rv != SECSuccess) { if (rv != SECSuccess) {
if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); } if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
return rv; /* err set by ssl3_AppendHandshake* */ return rv; /* err set by ssl3_AppendHandshake* */
@ -8614,7 +8648,7 @@ ssl3_SendServerHello(sslSocket *ss)
rv = ssl3_AppendHandshakeVariable( rv = ssl3_AppendHandshakeVariable(
ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1); ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
else else
rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1); rv = ssl3_AppendHandshakeNumber(ss, 0, 1);
if (rv != SECSuccess) { if (rv != SECSuccess) {
return rv; /* err set by AppendHandshake. */ return rv; /* err set by AppendHandshake. */
} }
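Review bot: The DTLS branch added under `if (ws != wait_change_cipher)` in ssl3_HandleChangeCipherSpecs drops the record and returns SECSuccess, but its comment, `/* Ignore this because it's out of order. */`, does not say why a silent drop is preferred to the fatal unexpected_message alert that the non-DTLS path still sends. I would spell the reasoning out, e.g. `/* DTLS: datagrams can be reordered, duplicated or spoofed, so an unexpected change_cipher_spec is dropped instead of being treated as fatal; recovery relies on retransmission. */`. That rationale is my reading of the change, so please confirm it against the upstream bug. The drop is visible only through the level-3 SSL_TRC call, and the comment could also note that nothing is counted or reported to the caller. The function's body starts and continues outside this hunk.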

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff


@ -17,25 +17,25 @@ typedef PRUint16 SSL3ProtocolVersion;
typedef PRUint16 ssl3CipherSuite; typedef PRUint16 ssl3CipherSuite;
/* The cipher suites are defined in sslproto.h */ /* The cipher suites are defined in sslproto.h */
#define MAX_CERT_TYPES 10 #define MAX_CERT_TYPES 10
#define MAX_COMPRESSION_METHODS 10 #define MAX_COMPRESSION_METHODS 10
#define MAX_MAC_LENGTH 64 #define MAX_MAC_LENGTH 64
#define MAX_PADDING_LENGTH 64 #define MAX_PADDING_LENGTH 64
#define MAX_KEY_LENGTH 64 #define MAX_KEY_LENGTH 64
#define EXPORT_KEY_LENGTH 5 #define EXPORT_KEY_LENGTH 5
#define SSL3_RANDOM_LENGTH 32 #define SSL3_RANDOM_LENGTH 32
#define SSL3_RECORD_HEADER_LENGTH 5 #define SSL3_RECORD_HEADER_LENGTH 5
/* SSL3_RECORD_HEADER_LENGTH + epoch/sequence_number */ /* SSL3_RECORD_HEADER_LENGTH + epoch/sequence_number */
#define DTLS_RECORD_HEADER_LENGTH 13 #define DTLS_RECORD_HEADER_LENGTH 13
#define MAX_FRAGMENT_LENGTH 16384 #define MAX_FRAGMENT_LENGTH 16384
typedef enum { typedef enum {
content_change_cipher_spec = 20, content_change_cipher_spec = 20,
content_alert = 21, content_alert = 21,
content_handshake = 22, content_handshake = 22,
content_application_data = 23 content_application_data = 23
} SSL3ContentType; } SSL3ContentType;
@ -77,11 +77,11 @@ typedef enum {
close_notify = 0, close_notify = 0,
unexpected_message = 10, unexpected_message = 10,
bad_record_mac = 20, bad_record_mac = 20,
decryption_failed_RESERVED = 21, /* do not send; see RFC 5246 */ decryption_failed_RESERVED = 21, /* do not send; see RFC 5246 */
record_overflow = 22, /* TLS only */ record_overflow = 22, /* TLS only */
decompression_failure = 30, decompression_failure = 30,
handshake_failure = 40, handshake_failure = 40,
no_certificate = 41, /* SSL3 only, NOT TLS */ no_certificate = 41, /* SSL3 only, NOT TLS */
bad_certificate = 42, bad_certificate = 42,
unsupported_certificate = 43, unsupported_certificate = 43,
certificate_revoked = 44, certificate_revoked = 44,
@ -106,7 +106,8 @@ typedef enum {
certificate_unobtainable = 111, certificate_unobtainable = 111,
unrecognized_name = 112, unrecognized_name = 112,
bad_certificate_status_response = 113, bad_certificate_status_response = 113,
bad_certificate_hash_value = 114 bad_certificate_hash_value = 114,
no_application_protocol = 120
} SSL3AlertDescription; } SSL3AlertDescription;
@ -116,44 +117,44 @@ typedef struct {
} SSL3Alert; } SSL3Alert;
typedef enum { typedef enum {
hello_request = 0, hello_request = 0,
client_hello = 1, client_hello = 1,
server_hello = 2, server_hello = 2,
hello_verify_request = 3, hello_verify_request = 3,
new_session_ticket = 4, new_session_ticket = 4,
certificate = 11, certificate = 11,
server_key_exchange = 12, server_key_exchange = 12,
certificate_request = 13, certificate_request = 13,
server_hello_done = 14, server_hello_done = 14,
certificate_verify = 15, certificate_verify = 15,
client_key_exchange = 16, client_key_exchange = 16,
finished = 20, finished = 20,
certificate_status = 22, certificate_status = 22,
next_proto = 67 next_proto = 67
} SSL3HandshakeType; } SSL3HandshakeType;
typedef struct { typedef struct {
PRUint8 empty; PRUint8 empty;
} SSL3HelloRequest; } SSL3HelloRequest;
typedef struct { typedef struct {
SSL3Opaque rand[SSL3_RANDOM_LENGTH]; SSL3Opaque rand[SSL3_RANDOM_LENGTH];
} SSL3Random; } SSL3Random;
typedef struct { typedef struct {
SSL3Opaque id[32]; SSL3Opaque id[32];
PRUint8 length; PRUint8 length;
} SSL3SessionID; } SSL3SessionID;
typedef struct { typedef struct {
SSL3ProtocolVersion client_version; SSL3ProtocolVersion client_version;
SSL3Random random; SSL3Random random;
SSL3SessionID session_id; SSL3SessionID session_id;
SECItem cipher_suites; SECItem cipher_suites;
PRUint8 cm_count; PRUint8 cm_count;
SSLCompressionMethod compression_methods[MAX_COMPRESSION_METHODS]; SSLCompressionMethod compression_methods[MAX_COMPRESSION_METHODS];
} SSL3ClientHello; } SSL3ClientHello;
typedef struct { typedef struct {
SSL3ProtocolVersion server_version; SSL3ProtocolVersion server_version;
SSL3Random random; SSL3Random random;
@ -161,29 +162,29 @@ typedef struct {
ssl3CipherSuite cipher_suite; ssl3CipherSuite cipher_suite;
SSLCompressionMethod compression_method; SSLCompressionMethod compression_method;
} SSL3ServerHello; } SSL3ServerHello;
typedef struct { typedef struct {
SECItem list; SECItem list;
} SSL3Certificate; } SSL3Certificate;
/* SSL3SignType moved to ssl.h */ /* SSL3SignType moved to ssl.h */
/* The SSL key exchange method used */ /* The SSL key exchange method used */
typedef enum { typedef enum {
kea_null, kea_null,
kea_rsa, kea_rsa,
kea_rsa_export, kea_rsa_export,
kea_rsa_export_1024, kea_rsa_export_1024,
kea_dh_dss, kea_dh_dss,
kea_dh_dss_export, kea_dh_dss_export,
kea_dh_rsa, kea_dh_rsa,
kea_dh_rsa_export, kea_dh_rsa_export,
kea_dhe_dss, kea_dhe_dss,
kea_dhe_dss_export, kea_dhe_dss_export,
kea_dhe_rsa, kea_dhe_rsa,
kea_dhe_rsa_export, kea_dhe_rsa_export,
kea_dh_anon, kea_dh_anon,
kea_dh_anon_export, kea_dh_anon_export,
kea_rsa_fips, kea_rsa_fips,
kea_ecdh_ecdsa, kea_ecdh_ecdsa,
kea_ecdhe_ecdsa, kea_ecdhe_ecdsa,
@ -191,7 +192,7 @@ typedef enum {
kea_ecdhe_rsa, kea_ecdhe_rsa,
kea_ecdh_anon kea_ecdh_anon
} SSL3KeyExchangeAlgorithm; } SSL3KeyExchangeAlgorithm;
typedef struct { typedef struct {
SECItem modulus; SECItem modulus;
SECItem exponent; SECItem exponent;
@ -205,8 +206,8 @@ typedef struct {
typedef struct { typedef struct {
union { union {
SSL3ServerDHParams dh; SSL3ServerDHParams dh;
SSL3ServerRSAParams rsa; SSL3ServerRSAParams rsa;
} u; } u;
} SSL3ServerParams; } SSL3ServerParams;
@ -250,56 +251,56 @@ typedef struct {
unsigned int len; unsigned int len;
SECOidTag hashAlg; SECOidTag hashAlg;
union { union {
PRUint8 raw[64]; PRUint8 raw[64];
SSL3HashesIndividually s; SSL3HashesIndividually s;
} u; } u;
} SSL3Hashes; } SSL3Hashes;
typedef struct { typedef struct {
union { union {
SSL3Opaque anonymous; SSL3Opaque anonymous;
SSL3Hashes certified; SSL3Hashes certified;
} u; } u;
} SSL3ServerKeyExchange; } SSL3ServerKeyExchange;
typedef enum { typedef enum {
ct_RSA_sign = 1, ct_RSA_sign = 1,
ct_DSS_sign = 2, ct_DSS_sign = 2,
ct_RSA_fixed_DH = 3, ct_RSA_fixed_DH = 3,
ct_DSS_fixed_DH = 4, ct_DSS_fixed_DH = 4,
ct_RSA_ephemeral_DH = 5, ct_RSA_ephemeral_DH = 5,
ct_DSS_ephemeral_DH = 6, ct_DSS_ephemeral_DH = 6,
ct_ECDSA_sign = 64, ct_ECDSA_sign = 64,
ct_RSA_fixed_ECDH = 65, ct_RSA_fixed_ECDH = 65,
ct_ECDSA_fixed_ECDH = 66 ct_ECDSA_fixed_ECDH = 66
} SSL3ClientCertificateType; } SSL3ClientCertificateType;
typedef SECItem *SSL3DistinquishedName; typedef SECItem *SSL3DistinquishedName;
typedef struct { typedef struct {
SSL3Opaque client_version[2]; SSL3Opaque client_version[2];
SSL3Opaque random[46]; SSL3Opaque random[46];
} SSL3RSAPreMasterSecret; } SSL3RSAPreMasterSecret;
typedef SECItem SSL3EncryptedPreMasterSecret; typedef SECItem SSL3EncryptedPreMasterSecret;
typedef SSL3Opaque SSL3MasterSecret[48]; typedef SSL3Opaque SSL3MasterSecret[48];
typedef enum { implicit, explicit } SSL3PublicValueEncoding; typedef enum { implicit, explicit } SSL3PublicValueEncoding;
typedef struct { typedef struct {
union { union {
SSL3Opaque implicit; SSL3Opaque implicit;
SECItem explicit; SECItem explicit;
} dh_public; } dh_public;
} SSL3ClientDiffieHellmanPublic; } SSL3ClientDiffieHellmanPublic;
typedef struct { typedef struct {
union { union {
SSL3EncryptedPreMasterSecret rsa; SSL3EncryptedPreMasterSecret rsa;
SSL3ClientDiffieHellmanPublic diffie_helman; SSL3ClientDiffieHellmanPublic diffie_helman;
} exchange_keys; } exchange_keys;
} SSL3ClientKeyExchange; } SSL3ClientKeyExchange;
@ -312,7 +313,7 @@ typedef enum {
sender_server = 0x53525652 sender_server = 0x53525652
} SSL3Sender; } SSL3Sender;
typedef SSL3HashesIndividually SSL3Finished; typedef SSL3HashesIndividually SSL3Finished;
typedef struct { typedef struct {
SSL3Opaque verify_data[12]; SSL3Opaque verify_data[12];
@ -320,7 +321,7 @@ typedef struct {
/* /*
* TLS extension related data structures and constants. * TLS extension related data structures and constants.
*/ */
/* SessionTicket extension related data structures. */ /* SessionTicket extension related data structures. */
@ -339,7 +340,7 @@ typedef enum {
typedef struct { typedef struct {
ClientAuthenticationType client_auth_type; ClientAuthenticationType client_auth_type;
union { union {
SSL3Opaque *certificate_list; SSL3Opaque *certificate_list;
} identity; } identity;
} ClientIdentity; } ClientIdentity;
@ -355,7 +356,7 @@ typedef struct {
unsigned char *mac; unsigned char *mac;
} EncryptedSessionTicket; } EncryptedSessionTicket;
#define TLS_EX_SESS_TICKET_MAC_LENGTH 32 #define TLS_EX_SESS_TICKET_MAC_LENGTH 32
#define TLS_STE_NO_SERVER_NAME -1 #define TLS_STE_NO_SERVER_NAME -1


@ -8,179 +8,179 @@
#define __SSL_ERR_H_ #define __SSL_ERR_H_
#define SSL_ERROR_BASE (-0x3000) #define SSL_ERROR_BASE (-0x3000)
#define SSL_ERROR_LIMIT (SSL_ERROR_BASE + 1000) #define SSL_ERROR_LIMIT (SSL_ERROR_BASE + 1000)
#define IS_SSL_ERROR(code) \ #define IS_SSL_ERROR(code) \
(((code) >= SSL_ERROR_BASE) && ((code) < SSL_ERROR_LIMIT)) (((code) >= SSL_ERROR_BASE) && ((code) < SSL_ERROR_LIMIT))
#ifndef NO_SECURITY_ERROR_ENUM #ifndef NO_SECURITY_ERROR_ENUM
typedef enum { typedef enum {
SSL_ERROR_EXPORT_ONLY_SERVER = (SSL_ERROR_BASE + 0), SSL_ERROR_EXPORT_ONLY_SERVER = (SSL_ERROR_BASE + 0),
SSL_ERROR_US_ONLY_SERVER = (SSL_ERROR_BASE + 1), SSL_ERROR_US_ONLY_SERVER = (SSL_ERROR_BASE + 1),
SSL_ERROR_NO_CYPHER_OVERLAP = (SSL_ERROR_BASE + 2), SSL_ERROR_NO_CYPHER_OVERLAP = (SSL_ERROR_BASE + 2),
/* /*
* Received an alert reporting what we did wrong. (more alerts below) * Received an alert reporting what we did wrong. (more alerts below)
*/ */
SSL_ERROR_NO_CERTIFICATE /*_ALERT */ = (SSL_ERROR_BASE + 3), SSL_ERROR_NO_CERTIFICATE /*_ALERT */ = (SSL_ERROR_BASE + 3),
SSL_ERROR_BAD_CERTIFICATE = (SSL_ERROR_BASE + 4), SSL_ERROR_BAD_CERTIFICATE = (SSL_ERROR_BASE + 4),
SSL_ERROR_UNUSED_5 = (SSL_ERROR_BASE + 5), SSL_ERROR_UNUSED_5 = (SSL_ERROR_BASE + 5),
/* error 5 is obsolete */ /* error 5 is obsolete */
SSL_ERROR_BAD_CLIENT = (SSL_ERROR_BASE + 6), SSL_ERROR_BAD_CLIENT = (SSL_ERROR_BASE + 6),
SSL_ERROR_BAD_SERVER = (SSL_ERROR_BASE + 7), SSL_ERROR_BAD_SERVER = (SSL_ERROR_BASE + 7),
SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE = (SSL_ERROR_BASE + 8), SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE = (SSL_ERROR_BASE + 8),
SSL_ERROR_UNSUPPORTED_VERSION = (SSL_ERROR_BASE + 9), SSL_ERROR_UNSUPPORTED_VERSION = (SSL_ERROR_BASE + 9),
SSL_ERROR_UNUSED_10 = (SSL_ERROR_BASE + 10), SSL_ERROR_UNUSED_10 = (SSL_ERROR_BASE + 10),
/* error 10 is obsolete */ /* error 10 is obsolete */
SSL_ERROR_WRONG_CERTIFICATE = (SSL_ERROR_BASE + 11), SSL_ERROR_WRONG_CERTIFICATE = (SSL_ERROR_BASE + 11),
SSL_ERROR_BAD_CERT_DOMAIN = (SSL_ERROR_BASE + 12), SSL_ERROR_BAD_CERT_DOMAIN = (SSL_ERROR_BASE + 12),
SSL_ERROR_POST_WARNING = (SSL_ERROR_BASE + 13), SSL_ERROR_POST_WARNING = (SSL_ERROR_BASE + 13),
SSL_ERROR_SSL2_DISABLED = (SSL_ERROR_BASE + 14), SSL_ERROR_SSL2_DISABLED = (SSL_ERROR_BASE + 14),
SSL_ERROR_BAD_MAC_READ = (SSL_ERROR_BASE + 15), SSL_ERROR_BAD_MAC_READ = (SSL_ERROR_BASE + 15),
/* /*
* Received an alert reporting what we did wrong. * Received an alert reporting what we did wrong.
* (two more alerts above, and many more below) * (two more alerts above, and many more below)
*/ */
SSL_ERROR_BAD_MAC_ALERT = (SSL_ERROR_BASE + 16), SSL_ERROR_BAD_MAC_ALERT = (SSL_ERROR_BASE + 16),
SSL_ERROR_BAD_CERT_ALERT = (SSL_ERROR_BASE + 17), SSL_ERROR_BAD_CERT_ALERT = (SSL_ERROR_BASE + 17),
SSL_ERROR_REVOKED_CERT_ALERT = (SSL_ERROR_BASE + 18), SSL_ERROR_REVOKED_CERT_ALERT = (SSL_ERROR_BASE + 18),
SSL_ERROR_EXPIRED_CERT_ALERT = (SSL_ERROR_BASE + 19), SSL_ERROR_EXPIRED_CERT_ALERT = (SSL_ERROR_BASE + 19),
SSL_ERROR_SSL_DISABLED = (SSL_ERROR_BASE + 20), SSL_ERROR_SSL_DISABLED = (SSL_ERROR_BASE + 20),
SSL_ERROR_FORTEZZA_PQG = (SSL_ERROR_BASE + 21), SSL_ERROR_FORTEZZA_PQG = (SSL_ERROR_BASE + 21),
SSL_ERROR_UNKNOWN_CIPHER_SUITE = (SSL_ERROR_BASE + 22), SSL_ERROR_UNKNOWN_CIPHER_SUITE = (SSL_ERROR_BASE + 22),
SSL_ERROR_NO_CIPHERS_SUPPORTED = (SSL_ERROR_BASE + 23), SSL_ERROR_NO_CIPHERS_SUPPORTED = (SSL_ERROR_BASE + 23),
SSL_ERROR_BAD_BLOCK_PADDING = (SSL_ERROR_BASE + 24), SSL_ERROR_BAD_BLOCK_PADDING = (SSL_ERROR_BASE + 24),
SSL_ERROR_RX_RECORD_TOO_LONG = (SSL_ERROR_BASE + 25), SSL_ERROR_RX_RECORD_TOO_LONG = (SSL_ERROR_BASE + 25),
SSL_ERROR_TX_RECORD_TOO_LONG = (SSL_ERROR_BASE + 26), SSL_ERROR_TX_RECORD_TOO_LONG = (SSL_ERROR_BASE + 26),
/* /*
* Received a malformed (too long or short) SSL handshake. * Received a malformed (too long or short) SSL handshake.
*/ */
SSL_ERROR_RX_MALFORMED_HELLO_REQUEST = (SSL_ERROR_BASE + 27), SSL_ERROR_RX_MALFORMED_HELLO_REQUEST = (SSL_ERROR_BASE + 27),
SSL_ERROR_RX_MALFORMED_CLIENT_HELLO = (SSL_ERROR_BASE + 28), SSL_ERROR_RX_MALFORMED_CLIENT_HELLO = (SSL_ERROR_BASE + 28),
SSL_ERROR_RX_MALFORMED_SERVER_HELLO = (SSL_ERROR_BASE + 29), SSL_ERROR_RX_MALFORMED_SERVER_HELLO = (SSL_ERROR_BASE + 29),
SSL_ERROR_RX_MALFORMED_CERTIFICATE = (SSL_ERROR_BASE + 30), SSL_ERROR_RX_MALFORMED_CERTIFICATE = (SSL_ERROR_BASE + 30),
SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH = (SSL_ERROR_BASE + 31), SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH = (SSL_ERROR_BASE + 31),
SSL_ERROR_RX_MALFORMED_CERT_REQUEST = (SSL_ERROR_BASE + 32), SSL_ERROR_RX_MALFORMED_CERT_REQUEST = (SSL_ERROR_BASE + 32),
SSL_ERROR_RX_MALFORMED_HELLO_DONE = (SSL_ERROR_BASE + 33), SSL_ERROR_RX_MALFORMED_HELLO_DONE = (SSL_ERROR_BASE + 33),
SSL_ERROR_RX_MALFORMED_CERT_VERIFY = (SSL_ERROR_BASE + 34), SSL_ERROR_RX_MALFORMED_CERT_VERIFY = (SSL_ERROR_BASE + 34),
SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH = (SSL_ERROR_BASE + 35), SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH = (SSL_ERROR_BASE + 35),
SSL_ERROR_RX_MALFORMED_FINISHED = (SSL_ERROR_BASE + 36), SSL_ERROR_RX_MALFORMED_FINISHED = (SSL_ERROR_BASE + 36),
/* /*
* Received a malformed (too long or short) SSL record. * Received a malformed (too long or short) SSL record.
*/ */
SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER = (SSL_ERROR_BASE + 37), SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER = (SSL_ERROR_BASE + 37),
SSL_ERROR_RX_MALFORMED_ALERT = (SSL_ERROR_BASE + 38), SSL_ERROR_RX_MALFORMED_ALERT = (SSL_ERROR_BASE + 38),
SSL_ERROR_RX_MALFORMED_HANDSHAKE = (SSL_ERROR_BASE + 39), SSL_ERROR_RX_MALFORMED_HANDSHAKE = (SSL_ERROR_BASE + 39),
SSL_ERROR_RX_MALFORMED_APPLICATION_DATA = (SSL_ERROR_BASE + 40), SSL_ERROR_RX_MALFORMED_APPLICATION_DATA = (SSL_ERROR_BASE + 40),
/* /*
* Received an SSL handshake that was inappropriate for the state we're in. * Received an SSL handshake that was inappropriate for the state we're in.
* E.g. Server received message from server, or wrong state in state machine. * E.g. Server received message from server, or wrong state in state machine.
*/ */
SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST = (SSL_ERROR_BASE + 41), SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST = (SSL_ERROR_BASE + 41),
SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO = (SSL_ERROR_BASE + 42), SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO = (SSL_ERROR_BASE + 42),
SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO = (SSL_ERROR_BASE + 43), SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO = (SSL_ERROR_BASE + 43),
SSL_ERROR_RX_UNEXPECTED_CERTIFICATE = (SSL_ERROR_BASE + 44), SSL_ERROR_RX_UNEXPECTED_CERTIFICATE = (SSL_ERROR_BASE + 44),
SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH = (SSL_ERROR_BASE + 45), SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH = (SSL_ERROR_BASE + 45),
SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST = (SSL_ERROR_BASE + 46), SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST = (SSL_ERROR_BASE + 46),
SSL_ERROR_RX_UNEXPECTED_HELLO_DONE = (SSL_ERROR_BASE + 47), SSL_ERROR_RX_UNEXPECTED_HELLO_DONE = (SSL_ERROR_BASE + 47),
SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY = (SSL_ERROR_BASE + 48), SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY = (SSL_ERROR_BASE + 48),
SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH = (SSL_ERROR_BASE + 49), SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH = (SSL_ERROR_BASE + 49),
SSL_ERROR_RX_UNEXPECTED_FINISHED = (SSL_ERROR_BASE + 50), SSL_ERROR_RX_UNEXPECTED_FINISHED = (SSL_ERROR_BASE + 50),
/* /*
* Received an SSL record that was inappropriate for the state we're in. * Received an SSL record that was inappropriate for the state we're in.
*/ */
SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER = (SSL_ERROR_BASE + 51), SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER = (SSL_ERROR_BASE + 51),
SSL_ERROR_RX_UNEXPECTED_ALERT = (SSL_ERROR_BASE + 52), SSL_ERROR_RX_UNEXPECTED_ALERT = (SSL_ERROR_BASE + 52),
SSL_ERROR_RX_UNEXPECTED_HANDSHAKE = (SSL_ERROR_BASE + 53), SSL_ERROR_RX_UNEXPECTED_HANDSHAKE = (SSL_ERROR_BASE + 53),
SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA= (SSL_ERROR_BASE + 54), SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA = (SSL_ERROR_BASE + 54),
/* /*
* Received record/message with unknown discriminant. * Received record/message with unknown discriminant.
*/ */
SSL_ERROR_RX_UNKNOWN_RECORD_TYPE = (SSL_ERROR_BASE + 55), SSL_ERROR_RX_UNKNOWN_RECORD_TYPE = (SSL_ERROR_BASE + 55),
SSL_ERROR_RX_UNKNOWN_HANDSHAKE = (SSL_ERROR_BASE + 56), SSL_ERROR_RX_UNKNOWN_HANDSHAKE = (SSL_ERROR_BASE + 56),
SSL_ERROR_RX_UNKNOWN_ALERT = (SSL_ERROR_BASE + 57), SSL_ERROR_RX_UNKNOWN_ALERT = (SSL_ERROR_BASE + 57),
/* /*
* Received an alert reporting what we did wrong. (more alerts above) * Received an alert reporting what we did wrong. (more alerts above)
*/ */
SSL_ERROR_CLOSE_NOTIFY_ALERT = (SSL_ERROR_BASE + 58), SSL_ERROR_CLOSE_NOTIFY_ALERT = (SSL_ERROR_BASE + 58),
SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT = (SSL_ERROR_BASE + 59), SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT = (SSL_ERROR_BASE + 59),
SSL_ERROR_DECOMPRESSION_FAILURE_ALERT = (SSL_ERROR_BASE + 60), SSL_ERROR_DECOMPRESSION_FAILURE_ALERT = (SSL_ERROR_BASE + 60),
SSL_ERROR_HANDSHAKE_FAILURE_ALERT = (SSL_ERROR_BASE + 61), SSL_ERROR_HANDSHAKE_FAILURE_ALERT = (SSL_ERROR_BASE + 61),
SSL_ERROR_ILLEGAL_PARAMETER_ALERT = (SSL_ERROR_BASE + 62), SSL_ERROR_ILLEGAL_PARAMETER_ALERT = (SSL_ERROR_BASE + 62),
SSL_ERROR_UNSUPPORTED_CERT_ALERT = (SSL_ERROR_BASE + 63), SSL_ERROR_UNSUPPORTED_CERT_ALERT = (SSL_ERROR_BASE + 63),
SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT = (SSL_ERROR_BASE + 64), SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT = (SSL_ERROR_BASE + 64),
SSL_ERROR_GENERATE_RANDOM_FAILURE = (SSL_ERROR_BASE + 65), SSL_ERROR_GENERATE_RANDOM_FAILURE = (SSL_ERROR_BASE + 65),
SSL_ERROR_SIGN_HASHES_FAILURE = (SSL_ERROR_BASE + 66), SSL_ERROR_SIGN_HASHES_FAILURE = (SSL_ERROR_BASE + 66),
SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE = (SSL_ERROR_BASE + 67), SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE = (SSL_ERROR_BASE + 67),
SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE = (SSL_ERROR_BASE + 68), SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE = (SSL_ERROR_BASE + 68),
SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE = (SSL_ERROR_BASE + 69), SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE = (SSL_ERROR_BASE + 69),
SSL_ERROR_ENCRYPTION_FAILURE = (SSL_ERROR_BASE + 70), SSL_ERROR_ENCRYPTION_FAILURE = (SSL_ERROR_BASE + 70),
SSL_ERROR_DECRYPTION_FAILURE = (SSL_ERROR_BASE + 71), /* don't use */ SSL_ERROR_DECRYPTION_FAILURE = (SSL_ERROR_BASE + 71), /* don't use */
SSL_ERROR_SOCKET_WRITE_FAILURE = (SSL_ERROR_BASE + 72), SSL_ERROR_SOCKET_WRITE_FAILURE = (SSL_ERROR_BASE + 72),
SSL_ERROR_MD5_DIGEST_FAILURE = (SSL_ERROR_BASE + 73), SSL_ERROR_MD5_DIGEST_FAILURE = (SSL_ERROR_BASE + 73),
SSL_ERROR_SHA_DIGEST_FAILURE = (SSL_ERROR_BASE + 74), SSL_ERROR_SHA_DIGEST_FAILURE = (SSL_ERROR_BASE + 74),
SSL_ERROR_MAC_COMPUTATION_FAILURE = (SSL_ERROR_BASE + 75), SSL_ERROR_MAC_COMPUTATION_FAILURE = (SSL_ERROR_BASE + 75),
SSL_ERROR_SYM_KEY_CONTEXT_FAILURE = (SSL_ERROR_BASE + 76), SSL_ERROR_SYM_KEY_CONTEXT_FAILURE = (SSL_ERROR_BASE + 76),
SSL_ERROR_SYM_KEY_UNWRAP_FAILURE = (SSL_ERROR_BASE + 77), SSL_ERROR_SYM_KEY_UNWRAP_FAILURE = (SSL_ERROR_BASE + 77),
SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED = (SSL_ERROR_BASE + 78), SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED = (SSL_ERROR_BASE + 78),
SSL_ERROR_IV_PARAM_FAILURE = (SSL_ERROR_BASE + 79), SSL_ERROR_IV_PARAM_FAILURE = (SSL_ERROR_BASE + 79),
SSL_ERROR_INIT_CIPHER_SUITE_FAILURE = (SSL_ERROR_BASE + 80), SSL_ERROR_INIT_CIPHER_SUITE_FAILURE = (SSL_ERROR_BASE + 80),
SSL_ERROR_SESSION_KEY_GEN_FAILURE = (SSL_ERROR_BASE + 81), SSL_ERROR_SESSION_KEY_GEN_FAILURE = (SSL_ERROR_BASE + 81),
SSL_ERROR_NO_SERVER_KEY_FOR_ALG = (SSL_ERROR_BASE + 82), SSL_ERROR_NO_SERVER_KEY_FOR_ALG = (SSL_ERROR_BASE + 82),
SSL_ERROR_TOKEN_INSERTION_REMOVAL = (SSL_ERROR_BASE + 83), SSL_ERROR_TOKEN_INSERTION_REMOVAL = (SSL_ERROR_BASE + 83),
SSL_ERROR_TOKEN_SLOT_NOT_FOUND = (SSL_ERROR_BASE + 84), SSL_ERROR_TOKEN_SLOT_NOT_FOUND = (SSL_ERROR_BASE + 84),
SSL_ERROR_NO_COMPRESSION_OVERLAP = (SSL_ERROR_BASE + 85), SSL_ERROR_NO_COMPRESSION_OVERLAP = (SSL_ERROR_BASE + 85),
SSL_ERROR_HANDSHAKE_NOT_COMPLETED = (SSL_ERROR_BASE + 86), SSL_ERROR_HANDSHAKE_NOT_COMPLETED = (SSL_ERROR_BASE + 86),
SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE = (SSL_ERROR_BASE + 87), SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE = (SSL_ERROR_BASE + 87),
SSL_ERROR_CERT_KEA_MISMATCH = (SSL_ERROR_BASE + 88), SSL_ERROR_CERT_KEA_MISMATCH = (SSL_ERROR_BASE + 88),
/* SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA became obsolete in NSS 3.14. */ /* SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA became obsolete in NSS 3.14. */
SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA = (SSL_ERROR_BASE + 89), SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA = (SSL_ERROR_BASE + 89),
SSL_ERROR_SESSION_NOT_FOUND = (SSL_ERROR_BASE + 90), SSL_ERROR_SESSION_NOT_FOUND = (SSL_ERROR_BASE + 90),
SSL_ERROR_DECRYPTION_FAILED_ALERT = (SSL_ERROR_BASE + 91), SSL_ERROR_DECRYPTION_FAILED_ALERT = (SSL_ERROR_BASE + 91),
SSL_ERROR_RECORD_OVERFLOW_ALERT = (SSL_ERROR_BASE + 92), SSL_ERROR_RECORD_OVERFLOW_ALERT = (SSL_ERROR_BASE + 92),
SSL_ERROR_UNKNOWN_CA_ALERT = (SSL_ERROR_BASE + 93), SSL_ERROR_UNKNOWN_CA_ALERT = (SSL_ERROR_BASE + 93),
SSL_ERROR_ACCESS_DENIED_ALERT = (SSL_ERROR_BASE + 94), SSL_ERROR_ACCESS_DENIED_ALERT = (SSL_ERROR_BASE + 94),
SSL_ERROR_DECODE_ERROR_ALERT = (SSL_ERROR_BASE + 95), SSL_ERROR_DECODE_ERROR_ALERT = (SSL_ERROR_BASE + 95),
SSL_ERROR_DECRYPT_ERROR_ALERT = (SSL_ERROR_BASE + 96), SSL_ERROR_DECRYPT_ERROR_ALERT = (SSL_ERROR_BASE + 96),
SSL_ERROR_EXPORT_RESTRICTION_ALERT = (SSL_ERROR_BASE + 97), SSL_ERROR_EXPORT_RESTRICTION_ALERT = (SSL_ERROR_BASE + 97),
SSL_ERROR_PROTOCOL_VERSION_ALERT = (SSL_ERROR_BASE + 98), SSL_ERROR_PROTOCOL_VERSION_ALERT = (SSL_ERROR_BASE + 98),
SSL_ERROR_INSUFFICIENT_SECURITY_ALERT = (SSL_ERROR_BASE + 99), SSL_ERROR_INSUFFICIENT_SECURITY_ALERT = (SSL_ERROR_BASE + 99),
SSL_ERROR_INTERNAL_ERROR_ALERT = (SSL_ERROR_BASE + 100), SSL_ERROR_INTERNAL_ERROR_ALERT = (SSL_ERROR_BASE + 100),
SSL_ERROR_USER_CANCELED_ALERT = (SSL_ERROR_BASE + 101), SSL_ERROR_USER_CANCELED_ALERT = (SSL_ERROR_BASE + 101),
SSL_ERROR_NO_RENEGOTIATION_ALERT = (SSL_ERROR_BASE + 102), SSL_ERROR_NO_RENEGOTIATION_ALERT = (SSL_ERROR_BASE + 102),
SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED = (SSL_ERROR_BASE + 103), SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED = (SSL_ERROR_BASE + 103),
SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT = (SSL_ERROR_BASE + 104), SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT = (SSL_ERROR_BASE + 104),
SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT = (SSL_ERROR_BASE + 105), SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT = (SSL_ERROR_BASE + 105),
SSL_ERROR_UNRECOGNIZED_NAME_ALERT = (SSL_ERROR_BASE + 106), SSL_ERROR_UNRECOGNIZED_NAME_ALERT = (SSL_ERROR_BASE + 106),
SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT = (SSL_ERROR_BASE + 107), SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT = (SSL_ERROR_BASE + 107),
SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT = (SSL_ERROR_BASE + 108), SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT = (SSL_ERROR_BASE + 108),
SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET = (SSL_ERROR_BASE + 109), SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET = (SSL_ERROR_BASE + 109),
SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET = (SSL_ERROR_BASE + 110), SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET = (SSL_ERROR_BASE + 110),
SSL_ERROR_DECOMPRESSION_FAILURE = (SSL_ERROR_BASE + 111), SSL_ERROR_DECOMPRESSION_FAILURE = (SSL_ERROR_BASE + 111),
SSL_ERROR_RENEGOTIATION_NOT_ALLOWED = (SSL_ERROR_BASE + 112), SSL_ERROR_RENEGOTIATION_NOT_ALLOWED = (SSL_ERROR_BASE + 112),
SSL_ERROR_UNSAFE_NEGOTIATION = (SSL_ERROR_BASE + 113), SSL_ERROR_UNSAFE_NEGOTIATION = (SSL_ERROR_BASE + 113),
SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD = (SSL_ERROR_BASE + 114), SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD = (SSL_ERROR_BASE + 114),
SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY = (SSL_ERROR_BASE + 115), SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY = (SSL_ERROR_BASE + 115),
SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID = (SSL_ERROR_BASE + 116), SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID = (SSL_ERROR_BASE + 116),
SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2 = (SSL_ERROR_BASE + 117), SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2 = (SSL_ERROR_BASE + 117),
SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS = (SSL_ERROR_BASE + 118), SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS = (SSL_ERROR_BASE + 118),
SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_CLIENTS = (SSL_ERROR_BASE + 119), SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_CLIENTS = (SSL_ERROR_BASE + 119),
SSL_ERROR_INVALID_VERSION_RANGE = (SSL_ERROR_BASE + 120), SSL_ERROR_INVALID_VERSION_RANGE = (SSL_ERROR_BASE + 120),
SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION = (SSL_ERROR_BASE + 121), SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION = (SSL_ERROR_BASE + 121),
SSL_ERROR_RX_MALFORMED_HELLO_VERIFY_REQUEST = (SSL_ERROR_BASE + 122), SSL_ERROR_RX_MALFORMED_HELLO_VERIFY_REQUEST = (SSL_ERROR_BASE + 122),
SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST = (SSL_ERROR_BASE + 123), SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST = (SSL_ERROR_BASE + 123),
@ -189,11 +189,14 @@ SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION = (SSL_ERROR_BASE + 124),
SSL_ERROR_RX_UNEXPECTED_CERT_STATUS = (SSL_ERROR_BASE + 125), SSL_ERROR_RX_UNEXPECTED_CERT_STATUS = (SSL_ERROR_BASE + 125),
SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM = (SSL_ERROR_BASE + 126), SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM = (SSL_ERROR_BASE + 126),
SSL_ERROR_DIGEST_FAILURE = (SSL_ERROR_BASE + 127), SSL_ERROR_DIGEST_FAILURE = (SSL_ERROR_BASE + 127),
SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE + 128), SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE + 128),
SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK = (SSL_ERROR_BASE + 129),
SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL = (SSL_ERROR_BASE + 130),
SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
} SSLErrorCodes; } SSLErrorCodes;
#endif /* NO_SECURITY_ERROR_ENUM */ #endif /* NO_SECURITY_ERROR_ENUM */
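Review bot: The two codes added at the end of SSLErrorCodes, `SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK` (base + 129) and `SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL` (base + 130), carry no comment, whereas earlier groups in the enum state what condition they report. A one-line comment above them would help callers that map error codes to handshake outcomes, for example `/* Next-protocol negotiation failed: no callback installed / no protocol in common. */` (wording to be confirmed against the code that sets them, which is not in this section). Because `SSL_ERROR_END_OF_LIST` is left for the compiler to number, it moves from base + 129 to base + 131, so any table sized or bounded by it, presumably the error-string list, needs the two matching entries in the same change.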


@ -1,5 +1,5 @@
/* /*
* Various and sundry protocol constants. DON'T CHANGE THESE. These values * Various and sundry protocol constants. DON'T CHANGE THESE. These values
* are mostly defined by the SSL2, SSL3, or TLS protocol specifications. * are mostly defined by the SSL2, SSL3, or TLS protocol specifications.
* Cipher kinds and ciphersuites are part of the public API. * Cipher kinds and ciphersuites are part of the public API.
* *
@ -11,75 +11,77 @@
#define __sslproto_h_ #define __sslproto_h_
/* All versions less than 3_0 are treated as SSL version 2 */ /* All versions less than 3_0 are treated as SSL version 2 */
#define SSL_LIBRARY_VERSION_2 0x0002 #define SSL_LIBRARY_VERSION_2 0x0002
#define SSL_LIBRARY_VERSION_3_0 0x0300 #define SSL_LIBRARY_VERSION_3_0 0x0300
#define SSL_LIBRARY_VERSION_TLS_1_0 0x0301 #define SSL_LIBRARY_VERSION_TLS_1_0 0x0301
#define SSL_LIBRARY_VERSION_TLS_1_1 0x0302 #define SSL_LIBRARY_VERSION_TLS_1_1 0x0302
#define SSL_LIBRARY_VERSION_TLS_1_2 0x0303 #define SSL_LIBRARY_VERSION_TLS_1_2 0x0303
/* Note: this is the internal format, not the wire format */ /* Note: this is the internal format, not the wire format */
#define SSL_LIBRARY_VERSION_DTLS_1_0 0x0302 #define SSL_LIBRARY_VERSION_DTLS_1_0 0x0302
#define SSL_LIBRARY_VERSION_DTLS_1_2 0x0303
/* deprecated old name */ /* deprecated old name */
#define SSL_LIBRARY_VERSION_3_1_TLS SSL_LIBRARY_VERSION_TLS_1_0 #define SSL_LIBRARY_VERSION_3_1_TLS SSL_LIBRARY_VERSION_TLS_1_0
/* The DTLS version used in the spec */ /* The DTLS versions used in the spec */
#define SSL_LIBRARY_VERSION_DTLS_1_0_WIRE ((~0x0100) & 0xffff) #define SSL_LIBRARY_VERSION_DTLS_1_0_WIRE ((~0x0100) & 0xffff)
#define SSL_LIBRARY_VERSION_DTLS_1_2_WIRE ((~0x0102) & 0xffff)
/* Header lengths of some of the messages */ /* Header lengths of some of the messages */
#define SSL_HL_ERROR_HBYTES 3 #define SSL_HL_ERROR_HBYTES 3
#define SSL_HL_CLIENT_HELLO_HBYTES 9 #define SSL_HL_CLIENT_HELLO_HBYTES 9
#define SSL_HL_CLIENT_MASTER_KEY_HBYTES 10 #define SSL_HL_CLIENT_MASTER_KEY_HBYTES 10
#define SSL_HL_CLIENT_FINISHED_HBYTES 1 #define SSL_HL_CLIENT_FINISHED_HBYTES 1
#define SSL_HL_SERVER_HELLO_HBYTES 11 #define SSL_HL_SERVER_HELLO_HBYTES 11
#define SSL_HL_SERVER_VERIFY_HBYTES 1 #define SSL_HL_SERVER_VERIFY_HBYTES 1
#define SSL_HL_SERVER_FINISHED_HBYTES 1 #define SSL_HL_SERVER_FINISHED_HBYTES 1
#define SSL_HL_REQUEST_CERTIFICATE_HBYTES 2 #define SSL_HL_REQUEST_CERTIFICATE_HBYTES 2
#define SSL_HL_CLIENT_CERTIFICATE_HBYTES 6 #define SSL_HL_CLIENT_CERTIFICATE_HBYTES 6
/* Security handshake protocol codes */ /* Security handshake protocol codes */
#define SSL_MT_ERROR 0 #define SSL_MT_ERROR 0
#define SSL_MT_CLIENT_HELLO 1 #define SSL_MT_CLIENT_HELLO 1
#define SSL_MT_CLIENT_MASTER_KEY 2 #define SSL_MT_CLIENT_MASTER_KEY 2
#define SSL_MT_CLIENT_FINISHED 3 #define SSL_MT_CLIENT_FINISHED 3
#define SSL_MT_SERVER_HELLO 4 #define SSL_MT_SERVER_HELLO 4
#define SSL_MT_SERVER_VERIFY 5 #define SSL_MT_SERVER_VERIFY 5
#define SSL_MT_SERVER_FINISHED 6 #define SSL_MT_SERVER_FINISHED 6
#define SSL_MT_REQUEST_CERTIFICATE 7 #define SSL_MT_REQUEST_CERTIFICATE 7
#define SSL_MT_CLIENT_CERTIFICATE 8 #define SSL_MT_CLIENT_CERTIFICATE 8
/* Certificate types */ /* Certificate types */
#define SSL_CT_X509_CERTIFICATE 0x01 #define SSL_CT_X509_CERTIFICATE 0x01
#if 0 /* XXX Not implemented yet */ #if 0 /* XXX Not implemented yet */
#define SSL_PKCS6_CERTIFICATE 0x02 #define SSL_PKCS6_CERTIFICATE 0x02
#endif #endif
#define SSL_AT_MD5_WITH_RSA_ENCRYPTION 0x01 #define SSL_AT_MD5_WITH_RSA_ENCRYPTION 0x01
/* Error codes */ /* Error codes */
#define SSL_PE_NO_CYPHERS 0x0001 #define SSL_PE_NO_CYPHERS 0x0001
#define SSL_PE_NO_CERTIFICATE 0x0002 #define SSL_PE_NO_CERTIFICATE 0x0002
#define SSL_PE_BAD_CERTIFICATE 0x0004 #define SSL_PE_BAD_CERTIFICATE 0x0004
#define SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006 #define SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006
/* Cypher kinds (not the spec version!) */ /* Cypher kinds (not the spec version!) */
#define SSL_CK_RC4_128_WITH_MD5 0x01 #define SSL_CK_RC4_128_WITH_MD5 0x01
#define SSL_CK_RC4_128_EXPORT40_WITH_MD5 0x02 #define SSL_CK_RC4_128_EXPORT40_WITH_MD5 0x02
#define SSL_CK_RC2_128_CBC_WITH_MD5 0x03 #define SSL_CK_RC2_128_CBC_WITH_MD5 0x03
#define SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x04 #define SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 0x04
#define SSL_CK_IDEA_128_CBC_WITH_MD5 0x05 #define SSL_CK_IDEA_128_CBC_WITH_MD5 0x05
#define SSL_CK_DES_64_CBC_WITH_MD5 0x06 #define SSL_CK_DES_64_CBC_WITH_MD5 0x06
#define SSL_CK_DES_192_EDE3_CBC_WITH_MD5 0x07 #define SSL_CK_DES_192_EDE3_CBC_WITH_MD5 0x07
/* Cipher enables. These are used only for SSL_EnableCipher /* Cipher enables. These are used only for SSL_EnableCipher
* These values define the SSL2 suites, and do not colide with the * These values define the SSL2 suites, and do not colide with the
* SSL3 Cipher suites defined below. * SSL3 Cipher suites defined below.
*/ */
#define SSL_EN_RC4_128_WITH_MD5 0xFF01 #define SSL_EN_RC4_128_WITH_MD5 0xFF01
#define SSL_EN_RC4_128_EXPORT40_WITH_MD5 0xFF02 #define SSL_EN_RC4_128_EXPORT40_WITH_MD5 0xFF02
#define SSL_EN_RC2_128_CBC_WITH_MD5 0xFF03 #define SSL_EN_RC2_128_CBC_WITH_MD5 0xFF03
#define SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 0xFF04 #define SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 0xFF04
#define SSL_EN_IDEA_128_CBC_WITH_MD5 0xFF05 #define SSL_EN_IDEA_128_CBC_WITH_MD5 0xFF05
#define SSL_EN_DES_64_CBC_WITH_MD5 0xFF06 #define SSL_EN_DES_64_CBC_WITH_MD5 0xFF06
#define SSL_EN_DES_192_EDE3_CBC_WITH_MD5 0xFF07 #define SSL_EN_DES_192_EDE3_CBC_WITH_MD5 0xFF07
/* Deprecated SSL 3.0 & libssl names replaced by IANA-registered TLS names. */ /* Deprecated SSL 3.0 & libssl names replaced by IANA-registered TLS names. */
#ifndef SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES #ifndef SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES
@ -117,66 +119,66 @@
#define TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA #define TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
#endif #endif
#define TLS_NULL_WITH_NULL_NULL 0x0000 #define TLS_NULL_WITH_NULL_NULL 0x0000
#define TLS_RSA_WITH_NULL_MD5 0x0001 #define TLS_RSA_WITH_NULL_MD5 0x0001
#define TLS_RSA_WITH_NULL_SHA 0x0002 #define TLS_RSA_WITH_NULL_SHA 0x0002
#define TLS_RSA_EXPORT_WITH_RC4_40_MD5 0x0003 #define TLS_RSA_EXPORT_WITH_RC4_40_MD5 0x0003
#define TLS_RSA_WITH_RC4_128_MD5 0x0004 #define TLS_RSA_WITH_RC4_128_MD5 0x0004
#define TLS_RSA_WITH_RC4_128_SHA 0x0005 #define TLS_RSA_WITH_RC4_128_SHA 0x0005
#define TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0x0006 #define TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0x0006
#define TLS_RSA_WITH_IDEA_CBC_SHA 0x0007 #define TLS_RSA_WITH_IDEA_CBC_SHA 0x0007
#define TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0008 #define TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0008
#define TLS_RSA_WITH_DES_CBC_SHA 0x0009 #define TLS_RSA_WITH_DES_CBC_SHA 0x0009
#define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000a #define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000a
#define TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA 0x000b #define TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA 0x000b
#define TLS_DH_DSS_WITH_DES_CBC_SHA 0x000c #define TLS_DH_DSS_WITH_DES_CBC_SHA 0x000c
#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000d #define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000d
#define TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA 0x000e #define TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA 0x000e
#define TLS_DH_RSA_WITH_DES_CBC_SHA 0x000f #define TLS_DH_RSA_WITH_DES_CBC_SHA 0x000f
#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010 #define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010
#define TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 0x0011 #define TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 0x0011
#define TLS_DHE_DSS_WITH_DES_CBC_SHA 0x0012 #define TLS_DHE_DSS_WITH_DES_CBC_SHA 0x0012
#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013 #define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013
#define TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0014 #define TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0014
#define TLS_DHE_RSA_WITH_DES_CBC_SHA 0x0015 #define TLS_DHE_RSA_WITH_DES_CBC_SHA 0x0015
#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016 #define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016
#define TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 0x0017 #define TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 0x0017
#define TLS_DH_anon_WITH_RC4_128_MD5 0x0018 #define TLS_DH_anon_WITH_RC4_128_MD5 0x0018
#define TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA 0x0019 #define TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA 0x0019
#define TLS_DH_anon_WITH_DES_CBC_SHA 0x001a #define TLS_DH_anon_WITH_DES_CBC_SHA 0x001a
#define TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001b #define TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 0x001b
#define SSL_FORTEZZA_DMS_WITH_NULL_SHA 0x001c /* deprecated */ #define SSL_FORTEZZA_DMS_WITH_NULL_SHA 0x001c /* deprecated */
#define SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA 0x001d /* deprecated */ #define SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA 0x001d /* deprecated */
#define SSL_FORTEZZA_DMS_WITH_RC4_128_SHA 0x001e /* deprecated */ #define SSL_FORTEZZA_DMS_WITH_RC4_128_SHA 0x001e /* deprecated */
#define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F #define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F
#define TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030 #define TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030
#define TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031 #define TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031
#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032 #define TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033 #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033
#define TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034 #define TLS_DH_anon_WITH_AES_128_CBC_SHA 0x0034
#define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 #define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035
#define TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036 #define TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036
#define TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037 #define TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037
#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 #define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039
#define TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A #define TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A
#define TLS_RSA_WITH_NULL_SHA256 0x003B #define TLS_RSA_WITH_NULL_SHA256 0x003B
#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C #define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C
#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D #define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D
#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0041 #define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0041
#define TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0042 #define TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0042
#define TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0043 #define TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0043
#define TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0044 #define TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0044
#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0045 #define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0045
#define TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA 0x0046 #define TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA 0x0046
#define TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x0062 #define TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x0062
#define TLS_RSA_EXPORT1024_WITH_RC4_56_SHA 0x0064 #define TLS_RSA_EXPORT1024_WITH_RC4_56_SHA 0x0064
@ -187,14 +189,14 @@
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B
#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0084 #define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0084
#define TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0085 #define TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0085
#define TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0086 #define TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0086
#define TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0087 #define TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0087
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0088 #define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0088
#define TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA 0x0089 #define TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA 0x0089
#define TLS_RSA_WITH_SEED_CBC_SHA 0x0096 #define TLS_RSA_WITH_SEED_CBC_SHA 0x0096
#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C #define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C
#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E #define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E
@ -204,7 +206,7 @@
* Must NEVER be chosen by server. SSL 3.0 server acknowledges by sending * Must NEVER be chosen by server. SSL 3.0 server acknowledges by sending
* back an empty Renegotiation Info (RI) server hello extension. * back an empty Renegotiation Info (RI) server hello extension.
*/ */
#define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00FF #define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00FF
/* Cipher Suite Values starting with 0xC000 are defined in informational /* Cipher Suite Values starting with 0xC000 are defined in informational
* RFCs. * RFCs.
@ -248,18 +250,18 @@
#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
/* Netscape "experimental" cipher suites. */ /* Netscape "experimental" cipher suites. */
#define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0 #define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0
#define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1 #define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1
/* New non-experimental openly spec'ed versions of those cipher suites. */ /* New non-experimental openly spec'ed versions of those cipher suites. */
#define SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA 0xfeff #define SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA 0xfeff
#define SSL_RSA_FIPS_WITH_DES_CBC_SHA 0xfefe #define SSL_RSA_FIPS_WITH_DES_CBC_SHA 0xfefe
/* DTLS-SRTP cipher suites from RFC 5764 */ /* DTLS-SRTP cipher suites from RFC 5764 */
/* If you modify this, also modify MAX_DTLS_SRTP_CIPHER_SUITES in sslimpl.h */ /* If you modify this, also modify MAX_DTLS_SRTP_CIPHER_SUITES in sslimpl.h */
#define SRTP_AES128_CM_HMAC_SHA1_80 0x0001 #define SRTP_AES128_CM_HMAC_SHA1_80 0x0001
#define SRTP_AES128_CM_HMAC_SHA1_32 0x0002 #define SRTP_AES128_CM_HMAC_SHA1_32 0x0002
#define SRTP_NULL_HMAC_SHA1_80 0x0005 #define SRTP_NULL_HMAC_SHA1_80 0x0005
#define SRTP_NULL_HMAC_SHA1_32 0x0006 #define SRTP_NULL_HMAC_SHA1_32 0x0006
#endif /* __sslproto_h_ */ #endif /* __sslproto_h_ */
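Review bot: The new `SSL_LIBRARY_VERSION_DTLS_1_2_WIRE` is `((~0x0102) & 0xffff)`, that is 0xfefd, while the internal `SSL_LIBRARY_VERSION_DTLS_1_2` is 0x0303, so the internal-to-wire relation is not the same step as for DTLS 1.0 (internal 0x0302, wire from `~0x0100`, 0xfeff), and nothing in the header says so. Version comparisons decide which protocol checks apply, so a comment spelling out the mapping would guard against someone deriving the wire value arithmetically from the internal one: `/* Wire values: DTLS 1.0 = 0xfeff, DTLS 1.2 = 0xfefd. There is no DTLS 1.1; convert between internal and wire explicitly. */`. The internal values are also numerically equal to `SSL_LIBRARY_VERSION_TLS_1_1` and `SSL_LIBRARY_VERSION_TLS_1_2`, which the existing "internal format, not the wire format" comment only hints at and could state outright.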



@ -19,11 +19,11 @@
* The format of the version string should be * The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]" * "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/ */
#define NSSUTIL_VERSION "3.15.5" #define NSSUTIL_VERSION "3.16.2.1"
#define NSSUTIL_VMAJOR 3 #define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 15 #define NSSUTIL_VMINOR 16
#define NSSUTIL_VPATCH 5 #define NSSUTIL_VPATCH 2
#define NSSUTIL_VBUILD 0 #define NSSUTIL_VBUILD 1
#define NSSUTIL_BETA PR_FALSE #define NSSUTIL_BETA PR_FALSE
SEC_BEGIN_PROTOS SEC_BEGIN_PROTOS


@ -7,211 +7,211 @@
#include "utilrename.h" #include "utilrename.h"
#define SEC_ERROR_BASE (-0x2000) #define SEC_ERROR_BASE (-0x2000)
#define SEC_ERROR_LIMIT (SEC_ERROR_BASE + 1000) #define SEC_ERROR_LIMIT (SEC_ERROR_BASE + 1000)
#define IS_SEC_ERROR(code) \ #define IS_SEC_ERROR(code) \
(((code) >= SEC_ERROR_BASE) && ((code) < SEC_ERROR_LIMIT)) (((code) >= SEC_ERROR_BASE) && ((code) < SEC_ERROR_LIMIT))
#ifndef NO_SECURITY_ERROR_ENUM #ifndef NO_SECURITY_ERROR_ENUM
typedef enum { typedef enum {
SEC_ERROR_IO = SEC_ERROR_BASE + 0, SEC_ERROR_IO = SEC_ERROR_BASE + 0,
SEC_ERROR_LIBRARY_FAILURE = SEC_ERROR_BASE + 1, SEC_ERROR_LIBRARY_FAILURE = SEC_ERROR_BASE + 1,
SEC_ERROR_BAD_DATA = SEC_ERROR_BASE + 2, SEC_ERROR_BAD_DATA = SEC_ERROR_BASE + 2,
SEC_ERROR_OUTPUT_LEN = SEC_ERROR_BASE + 3, SEC_ERROR_OUTPUT_LEN = SEC_ERROR_BASE + 3,
SEC_ERROR_INPUT_LEN = SEC_ERROR_BASE + 4, SEC_ERROR_INPUT_LEN = SEC_ERROR_BASE + 4,
SEC_ERROR_INVALID_ARGS = SEC_ERROR_BASE + 5, SEC_ERROR_INVALID_ARGS = SEC_ERROR_BASE + 5,
SEC_ERROR_INVALID_ALGORITHM = SEC_ERROR_BASE + 6, SEC_ERROR_INVALID_ALGORITHM = SEC_ERROR_BASE + 6,
SEC_ERROR_INVALID_AVA = SEC_ERROR_BASE + 7, SEC_ERROR_INVALID_AVA = SEC_ERROR_BASE + 7,
SEC_ERROR_INVALID_TIME = SEC_ERROR_BASE + 8, SEC_ERROR_INVALID_TIME = SEC_ERROR_BASE + 8,
SEC_ERROR_BAD_DER = SEC_ERROR_BASE + 9, SEC_ERROR_BAD_DER = SEC_ERROR_BASE + 9,
SEC_ERROR_BAD_SIGNATURE = SEC_ERROR_BASE + 10, SEC_ERROR_BAD_SIGNATURE = SEC_ERROR_BASE + 10,
SEC_ERROR_EXPIRED_CERTIFICATE = SEC_ERROR_BASE + 11, SEC_ERROR_EXPIRED_CERTIFICATE = SEC_ERROR_BASE + 11,
SEC_ERROR_REVOKED_CERTIFICATE = SEC_ERROR_BASE + 12, SEC_ERROR_REVOKED_CERTIFICATE = SEC_ERROR_BASE + 12,
SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13, SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13,
SEC_ERROR_BAD_KEY = SEC_ERROR_BASE + 14, SEC_ERROR_BAD_KEY = SEC_ERROR_BASE + 14,
SEC_ERROR_BAD_PASSWORD = SEC_ERROR_BASE + 15, SEC_ERROR_BAD_PASSWORD = SEC_ERROR_BASE + 15,
SEC_ERROR_RETRY_PASSWORD = SEC_ERROR_BASE + 16, SEC_ERROR_RETRY_PASSWORD = SEC_ERROR_BASE + 16,
SEC_ERROR_NO_NODELOCK = SEC_ERROR_BASE + 17, SEC_ERROR_NO_NODELOCK = SEC_ERROR_BASE + 17,
SEC_ERROR_BAD_DATABASE = SEC_ERROR_BASE + 18, SEC_ERROR_BAD_DATABASE = SEC_ERROR_BASE + 18,
SEC_ERROR_NO_MEMORY = SEC_ERROR_BASE + 19, SEC_ERROR_NO_MEMORY = SEC_ERROR_BASE + 19,
SEC_ERROR_UNTRUSTED_ISSUER = SEC_ERROR_BASE + 20, SEC_ERROR_UNTRUSTED_ISSUER = SEC_ERROR_BASE + 20,
SEC_ERROR_UNTRUSTED_CERT = SEC_ERROR_BASE + 21, SEC_ERROR_UNTRUSTED_CERT = SEC_ERROR_BASE + 21,
SEC_ERROR_DUPLICATE_CERT = (SEC_ERROR_BASE + 22), SEC_ERROR_DUPLICATE_CERT = (SEC_ERROR_BASE + 22),
SEC_ERROR_DUPLICATE_CERT_NAME = (SEC_ERROR_BASE + 23), SEC_ERROR_DUPLICATE_CERT_NAME = (SEC_ERROR_BASE + 23),
SEC_ERROR_ADDING_CERT = (SEC_ERROR_BASE + 24), SEC_ERROR_ADDING_CERT = (SEC_ERROR_BASE + 24),
SEC_ERROR_FILING_KEY = (SEC_ERROR_BASE + 25), SEC_ERROR_FILING_KEY = (SEC_ERROR_BASE + 25),
SEC_ERROR_NO_KEY = (SEC_ERROR_BASE + 26), SEC_ERROR_NO_KEY = (SEC_ERROR_BASE + 26),
SEC_ERROR_CERT_VALID = (SEC_ERROR_BASE + 27), SEC_ERROR_CERT_VALID = (SEC_ERROR_BASE + 27),
SEC_ERROR_CERT_NOT_VALID = (SEC_ERROR_BASE + 28), SEC_ERROR_CERT_NOT_VALID = (SEC_ERROR_BASE + 28),
SEC_ERROR_CERT_NO_RESPONSE = (SEC_ERROR_BASE + 29), SEC_ERROR_CERT_NO_RESPONSE = (SEC_ERROR_BASE + 29),
SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE = (SEC_ERROR_BASE + 30), SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE = (SEC_ERROR_BASE + 30),
SEC_ERROR_CRL_EXPIRED = (SEC_ERROR_BASE + 31), SEC_ERROR_CRL_EXPIRED = (SEC_ERROR_BASE + 31),
SEC_ERROR_CRL_BAD_SIGNATURE = (SEC_ERROR_BASE + 32), SEC_ERROR_CRL_BAD_SIGNATURE = (SEC_ERROR_BASE + 32),
SEC_ERROR_CRL_INVALID = (SEC_ERROR_BASE + 33), SEC_ERROR_CRL_INVALID = (SEC_ERROR_BASE + 33),
SEC_ERROR_EXTENSION_VALUE_INVALID = (SEC_ERROR_BASE + 34), SEC_ERROR_EXTENSION_VALUE_INVALID = (SEC_ERROR_BASE + 34),
SEC_ERROR_EXTENSION_NOT_FOUND = (SEC_ERROR_BASE + 35), SEC_ERROR_EXTENSION_NOT_FOUND = (SEC_ERROR_BASE + 35),
SEC_ERROR_CA_CERT_INVALID = (SEC_ERROR_BASE + 36), SEC_ERROR_CA_CERT_INVALID = (SEC_ERROR_BASE + 36),
SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID = (SEC_ERROR_BASE + 37), SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID = (SEC_ERROR_BASE + 37),
SEC_ERROR_CERT_USAGES_INVALID = (SEC_ERROR_BASE + 38), SEC_ERROR_CERT_USAGES_INVALID = (SEC_ERROR_BASE + 38),
SEC_INTERNAL_ONLY = (SEC_ERROR_BASE + 39), SEC_INTERNAL_ONLY = (SEC_ERROR_BASE + 39),
SEC_ERROR_INVALID_KEY = (SEC_ERROR_BASE + 40), SEC_ERROR_INVALID_KEY = (SEC_ERROR_BASE + 40),
SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION = (SEC_ERROR_BASE + 41), SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION = (SEC_ERROR_BASE + 41),
SEC_ERROR_OLD_CRL = (SEC_ERROR_BASE + 42), SEC_ERROR_OLD_CRL = (SEC_ERROR_BASE + 42),
SEC_ERROR_NO_EMAIL_CERT = (SEC_ERROR_BASE + 43), SEC_ERROR_NO_EMAIL_CERT = (SEC_ERROR_BASE + 43),
SEC_ERROR_NO_RECIPIENT_CERTS_QUERY = (SEC_ERROR_BASE + 44), SEC_ERROR_NO_RECIPIENT_CERTS_QUERY = (SEC_ERROR_BASE + 44),
SEC_ERROR_NOT_A_RECIPIENT = (SEC_ERROR_BASE + 45), SEC_ERROR_NOT_A_RECIPIENT = (SEC_ERROR_BASE + 45),
SEC_ERROR_PKCS7_KEYALG_MISMATCH = (SEC_ERROR_BASE + 46), SEC_ERROR_PKCS7_KEYALG_MISMATCH = (SEC_ERROR_BASE + 46),
SEC_ERROR_PKCS7_BAD_SIGNATURE = (SEC_ERROR_BASE + 47), SEC_ERROR_PKCS7_BAD_SIGNATURE = (SEC_ERROR_BASE + 47),
SEC_ERROR_UNSUPPORTED_KEYALG = (SEC_ERROR_BASE + 48), SEC_ERROR_UNSUPPORTED_KEYALG = (SEC_ERROR_BASE + 48),
SEC_ERROR_DECRYPTION_DISALLOWED = (SEC_ERROR_BASE + 49), SEC_ERROR_DECRYPTION_DISALLOWED = (SEC_ERROR_BASE + 49),
/* Fortezza Alerts */ /* Fortezza Alerts */
XP_SEC_FORTEZZA_BAD_CARD = (SEC_ERROR_BASE + 50), XP_SEC_FORTEZZA_BAD_CARD = (SEC_ERROR_BASE + 50),
XP_SEC_FORTEZZA_NO_CARD = (SEC_ERROR_BASE + 51), XP_SEC_FORTEZZA_NO_CARD = (SEC_ERROR_BASE + 51),
XP_SEC_FORTEZZA_NONE_SELECTED = (SEC_ERROR_BASE + 52), XP_SEC_FORTEZZA_NONE_SELECTED = (SEC_ERROR_BASE + 52),
XP_SEC_FORTEZZA_MORE_INFO = (SEC_ERROR_BASE + 53), XP_SEC_FORTEZZA_MORE_INFO = (SEC_ERROR_BASE + 53),
XP_SEC_FORTEZZA_PERSON_NOT_FOUND = (SEC_ERROR_BASE + 54), XP_SEC_FORTEZZA_PERSON_NOT_FOUND = (SEC_ERROR_BASE + 54),
XP_SEC_FORTEZZA_NO_MORE_INFO = (SEC_ERROR_BASE + 55), XP_SEC_FORTEZZA_NO_MORE_INFO = (SEC_ERROR_BASE + 55),
XP_SEC_FORTEZZA_BAD_PIN = (SEC_ERROR_BASE + 56), XP_SEC_FORTEZZA_BAD_PIN = (SEC_ERROR_BASE + 56),
XP_SEC_FORTEZZA_PERSON_ERROR = (SEC_ERROR_BASE + 57), XP_SEC_FORTEZZA_PERSON_ERROR = (SEC_ERROR_BASE + 57),
SEC_ERROR_NO_KRL = (SEC_ERROR_BASE + 58), SEC_ERROR_NO_KRL = (SEC_ERROR_BASE + 58),
SEC_ERROR_KRL_EXPIRED = (SEC_ERROR_BASE + 59), SEC_ERROR_KRL_EXPIRED = (SEC_ERROR_BASE + 59),
SEC_ERROR_KRL_BAD_SIGNATURE = (SEC_ERROR_BASE + 60), SEC_ERROR_KRL_BAD_SIGNATURE = (SEC_ERROR_BASE + 60),
SEC_ERROR_REVOKED_KEY = (SEC_ERROR_BASE + 61), SEC_ERROR_REVOKED_KEY = (SEC_ERROR_BASE + 61),
SEC_ERROR_KRL_INVALID = (SEC_ERROR_BASE + 62), SEC_ERROR_KRL_INVALID = (SEC_ERROR_BASE + 62),
SEC_ERROR_NEED_RANDOM = (SEC_ERROR_BASE + 63), SEC_ERROR_NEED_RANDOM = (SEC_ERROR_BASE + 63),
SEC_ERROR_NO_MODULE = (SEC_ERROR_BASE + 64), SEC_ERROR_NO_MODULE = (SEC_ERROR_BASE + 64),
SEC_ERROR_NO_TOKEN = (SEC_ERROR_BASE + 65), SEC_ERROR_NO_TOKEN = (SEC_ERROR_BASE + 65),
SEC_ERROR_READ_ONLY = (SEC_ERROR_BASE + 66), SEC_ERROR_READ_ONLY = (SEC_ERROR_BASE + 66),
SEC_ERROR_NO_SLOT_SELECTED = (SEC_ERROR_BASE + 67), SEC_ERROR_NO_SLOT_SELECTED = (SEC_ERROR_BASE + 67),
SEC_ERROR_CERT_NICKNAME_COLLISION = (SEC_ERROR_BASE + 68), SEC_ERROR_CERT_NICKNAME_COLLISION = (SEC_ERROR_BASE + 68),
SEC_ERROR_KEY_NICKNAME_COLLISION = (SEC_ERROR_BASE + 69), SEC_ERROR_KEY_NICKNAME_COLLISION = (SEC_ERROR_BASE + 69),
SEC_ERROR_SAFE_NOT_CREATED = (SEC_ERROR_BASE + 70), SEC_ERROR_SAFE_NOT_CREATED = (SEC_ERROR_BASE + 70),
SEC_ERROR_BAGGAGE_NOT_CREATED = (SEC_ERROR_BASE + 71), SEC_ERROR_BAGGAGE_NOT_CREATED = (SEC_ERROR_BASE + 71),
XP_JAVA_REMOVE_PRINCIPAL_ERROR = (SEC_ERROR_BASE + 72), XP_JAVA_REMOVE_PRINCIPAL_ERROR = (SEC_ERROR_BASE + 72),
XP_JAVA_DELETE_PRIVILEGE_ERROR = (SEC_ERROR_BASE + 73), XP_JAVA_DELETE_PRIVILEGE_ERROR = (SEC_ERROR_BASE + 73),
XP_JAVA_CERT_NOT_EXISTS_ERROR = (SEC_ERROR_BASE + 74), XP_JAVA_CERT_NOT_EXISTS_ERROR = (SEC_ERROR_BASE + 74),
SEC_ERROR_BAD_EXPORT_ALGORITHM = (SEC_ERROR_BASE + 75), SEC_ERROR_BAD_EXPORT_ALGORITHM = (SEC_ERROR_BASE + 75),
SEC_ERROR_EXPORTING_CERTIFICATES = (SEC_ERROR_BASE + 76), SEC_ERROR_EXPORTING_CERTIFICATES = (SEC_ERROR_BASE + 76),
SEC_ERROR_IMPORTING_CERTIFICATES = (SEC_ERROR_BASE + 77), SEC_ERROR_IMPORTING_CERTIFICATES = (SEC_ERROR_BASE + 77),
SEC_ERROR_PKCS12_DECODING_PFX = (SEC_ERROR_BASE + 78), SEC_ERROR_PKCS12_DECODING_PFX = (SEC_ERROR_BASE + 78),
SEC_ERROR_PKCS12_INVALID_MAC = (SEC_ERROR_BASE + 79), SEC_ERROR_PKCS12_INVALID_MAC = (SEC_ERROR_BASE + 79),
SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM = (SEC_ERROR_BASE + 80), SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM = (SEC_ERROR_BASE + 80),
SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE = (SEC_ERROR_BASE + 81), SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE = (SEC_ERROR_BASE + 81),
SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE = (SEC_ERROR_BASE + 82), SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE = (SEC_ERROR_BASE + 82),
SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM = (SEC_ERROR_BASE + 83), SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM = (SEC_ERROR_BASE + 83),
SEC_ERROR_PKCS12_UNSUPPORTED_VERSION = (SEC_ERROR_BASE + 84), SEC_ERROR_PKCS12_UNSUPPORTED_VERSION = (SEC_ERROR_BASE + 84),
SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT = (SEC_ERROR_BASE + 85), SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT = (SEC_ERROR_BASE + 85),
SEC_ERROR_PKCS12_CERT_COLLISION = (SEC_ERROR_BASE + 86), SEC_ERROR_PKCS12_CERT_COLLISION = (SEC_ERROR_BASE + 86),
SEC_ERROR_USER_CANCELLED = (SEC_ERROR_BASE + 87), SEC_ERROR_USER_CANCELLED = (SEC_ERROR_BASE + 87),
SEC_ERROR_PKCS12_DUPLICATE_DATA = (SEC_ERROR_BASE + 88), SEC_ERROR_PKCS12_DUPLICATE_DATA = (SEC_ERROR_BASE + 88),
SEC_ERROR_MESSAGE_SEND_ABORTED = (SEC_ERROR_BASE + 89), SEC_ERROR_MESSAGE_SEND_ABORTED = (SEC_ERROR_BASE + 89),
SEC_ERROR_INADEQUATE_KEY_USAGE = (SEC_ERROR_BASE + 90), SEC_ERROR_INADEQUATE_KEY_USAGE = (SEC_ERROR_BASE + 90),
SEC_ERROR_INADEQUATE_CERT_TYPE = (SEC_ERROR_BASE + 91), SEC_ERROR_INADEQUATE_CERT_TYPE = (SEC_ERROR_BASE + 91),
SEC_ERROR_CERT_ADDR_MISMATCH = (SEC_ERROR_BASE + 92), SEC_ERROR_CERT_ADDR_MISMATCH = (SEC_ERROR_BASE + 92),
SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY = (SEC_ERROR_BASE + 93), SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY = (SEC_ERROR_BASE + 93),
SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN = (SEC_ERROR_BASE + 94), SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN = (SEC_ERROR_BASE + 94),
SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME = (SEC_ERROR_BASE + 95), SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME = (SEC_ERROR_BASE + 95),
SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY = (SEC_ERROR_BASE + 96), SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY = (SEC_ERROR_BASE + 96),
SEC_ERROR_PKCS12_UNABLE_TO_WRITE = (SEC_ERROR_BASE + 97), SEC_ERROR_PKCS12_UNABLE_TO_WRITE = (SEC_ERROR_BASE + 97),
SEC_ERROR_PKCS12_UNABLE_TO_READ = (SEC_ERROR_BASE + 98), SEC_ERROR_PKCS12_UNABLE_TO_READ = (SEC_ERROR_BASE + 98),
SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED = (SEC_ERROR_BASE + 99), SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED = (SEC_ERROR_BASE + 99),
SEC_ERROR_KEYGEN_FAIL = (SEC_ERROR_BASE + 100), SEC_ERROR_KEYGEN_FAIL = (SEC_ERROR_BASE + 100),
SEC_ERROR_INVALID_PASSWORD = (SEC_ERROR_BASE + 101), SEC_ERROR_INVALID_PASSWORD = (SEC_ERROR_BASE + 101),
SEC_ERROR_RETRY_OLD_PASSWORD = (SEC_ERROR_BASE + 102), SEC_ERROR_RETRY_OLD_PASSWORD = (SEC_ERROR_BASE + 102),
SEC_ERROR_BAD_NICKNAME = (SEC_ERROR_BASE + 103), SEC_ERROR_BAD_NICKNAME = (SEC_ERROR_BASE + 103),
SEC_ERROR_NOT_FORTEZZA_ISSUER = (SEC_ERROR_BASE + 104), SEC_ERROR_NOT_FORTEZZA_ISSUER = (SEC_ERROR_BASE + 104),
SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY = (SEC_ERROR_BASE + 105), SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY = (SEC_ERROR_BASE + 105),
SEC_ERROR_JS_INVALID_MODULE_NAME = (SEC_ERROR_BASE + 106), SEC_ERROR_JS_INVALID_MODULE_NAME = (SEC_ERROR_BASE + 106),
SEC_ERROR_JS_INVALID_DLL = (SEC_ERROR_BASE + 107), SEC_ERROR_JS_INVALID_DLL = (SEC_ERROR_BASE + 107),
SEC_ERROR_JS_ADD_MOD_FAILURE = (SEC_ERROR_BASE + 108), SEC_ERROR_JS_ADD_MOD_FAILURE = (SEC_ERROR_BASE + 108),
SEC_ERROR_JS_DEL_MOD_FAILURE = (SEC_ERROR_BASE + 109), SEC_ERROR_JS_DEL_MOD_FAILURE = (SEC_ERROR_BASE + 109),
SEC_ERROR_OLD_KRL = (SEC_ERROR_BASE + 110), SEC_ERROR_OLD_KRL = (SEC_ERROR_BASE + 110),
SEC_ERROR_CKL_CONFLICT = (SEC_ERROR_BASE + 111), SEC_ERROR_CKL_CONFLICT = (SEC_ERROR_BASE + 111),
SEC_ERROR_CERT_NOT_IN_NAME_SPACE = (SEC_ERROR_BASE + 112), SEC_ERROR_CERT_NOT_IN_NAME_SPACE = (SEC_ERROR_BASE + 112),
SEC_ERROR_KRL_NOT_YET_VALID = (SEC_ERROR_BASE + 113), SEC_ERROR_KRL_NOT_YET_VALID = (SEC_ERROR_BASE + 113),
SEC_ERROR_CRL_NOT_YET_VALID = (SEC_ERROR_BASE + 114), SEC_ERROR_CRL_NOT_YET_VALID = (SEC_ERROR_BASE + 114),
SEC_ERROR_UNKNOWN_CERT = (SEC_ERROR_BASE + 115), SEC_ERROR_UNKNOWN_CERT = (SEC_ERROR_BASE + 115),
SEC_ERROR_UNKNOWN_SIGNER = (SEC_ERROR_BASE + 116), SEC_ERROR_UNKNOWN_SIGNER = (SEC_ERROR_BASE + 116),
SEC_ERROR_CERT_BAD_ACCESS_LOCATION = (SEC_ERROR_BASE + 117), SEC_ERROR_CERT_BAD_ACCESS_LOCATION = (SEC_ERROR_BASE + 117),
SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE = (SEC_ERROR_BASE + 118), SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE = (SEC_ERROR_BASE + 118),
SEC_ERROR_OCSP_BAD_HTTP_RESPONSE = (SEC_ERROR_BASE + 119), SEC_ERROR_OCSP_BAD_HTTP_RESPONSE = (SEC_ERROR_BASE + 119),
SEC_ERROR_OCSP_MALFORMED_REQUEST = (SEC_ERROR_BASE + 120), SEC_ERROR_OCSP_MALFORMED_REQUEST = (SEC_ERROR_BASE + 120),
SEC_ERROR_OCSP_SERVER_ERROR = (SEC_ERROR_BASE + 121), SEC_ERROR_OCSP_SERVER_ERROR = (SEC_ERROR_BASE + 121),
SEC_ERROR_OCSP_TRY_SERVER_LATER = (SEC_ERROR_BASE + 122), SEC_ERROR_OCSP_TRY_SERVER_LATER = (SEC_ERROR_BASE + 122),
SEC_ERROR_OCSP_REQUEST_NEEDS_SIG = (SEC_ERROR_BASE + 123), SEC_ERROR_OCSP_REQUEST_NEEDS_SIG = (SEC_ERROR_BASE + 123),
SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST = (SEC_ERROR_BASE + 124), SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST = (SEC_ERROR_BASE + 124),
SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS = (SEC_ERROR_BASE + 125), SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS = (SEC_ERROR_BASE + 125),
SEC_ERROR_OCSP_UNKNOWN_CERT = (SEC_ERROR_BASE + 126), SEC_ERROR_OCSP_UNKNOWN_CERT = (SEC_ERROR_BASE + 126),
SEC_ERROR_OCSP_NOT_ENABLED = (SEC_ERROR_BASE + 127), SEC_ERROR_OCSP_NOT_ENABLED = (SEC_ERROR_BASE + 127),
SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER = (SEC_ERROR_BASE + 128), SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER = (SEC_ERROR_BASE + 128),
SEC_ERROR_OCSP_MALFORMED_RESPONSE = (SEC_ERROR_BASE + 129), SEC_ERROR_OCSP_MALFORMED_RESPONSE = (SEC_ERROR_BASE + 129),
SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE = (SEC_ERROR_BASE + 130), SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE = (SEC_ERROR_BASE + 130),
SEC_ERROR_OCSP_FUTURE_RESPONSE = (SEC_ERROR_BASE + 131), SEC_ERROR_OCSP_FUTURE_RESPONSE = (SEC_ERROR_BASE + 131),
SEC_ERROR_OCSP_OLD_RESPONSE = (SEC_ERROR_BASE + 132), SEC_ERROR_OCSP_OLD_RESPONSE = (SEC_ERROR_BASE + 132),
/* smime stuff */ /* smime stuff */
SEC_ERROR_DIGEST_NOT_FOUND = (SEC_ERROR_BASE + 133), SEC_ERROR_DIGEST_NOT_FOUND = (SEC_ERROR_BASE + 133),
SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE = (SEC_ERROR_BASE + 134), SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE = (SEC_ERROR_BASE + 134),
SEC_ERROR_MODULE_STUCK = (SEC_ERROR_BASE + 135), SEC_ERROR_MODULE_STUCK = (SEC_ERROR_BASE + 135),
SEC_ERROR_BAD_TEMPLATE = (SEC_ERROR_BASE + 136), SEC_ERROR_BAD_TEMPLATE = (SEC_ERROR_BASE + 136),
SEC_ERROR_CRL_NOT_FOUND = (SEC_ERROR_BASE + 137), SEC_ERROR_CRL_NOT_FOUND = (SEC_ERROR_BASE + 137),
SEC_ERROR_REUSED_ISSUER_AND_SERIAL = (SEC_ERROR_BASE + 138), SEC_ERROR_REUSED_ISSUER_AND_SERIAL = (SEC_ERROR_BASE + 138),
SEC_ERROR_BUSY = (SEC_ERROR_BASE + 139), SEC_ERROR_BUSY = (SEC_ERROR_BASE + 139),
SEC_ERROR_EXTRA_INPUT = (SEC_ERROR_BASE + 140), SEC_ERROR_EXTRA_INPUT = (SEC_ERROR_BASE + 140),
/* error codes used by elliptic curve code */ /* error codes used by elliptic curve code */
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE = (SEC_ERROR_BASE + 141), SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE = (SEC_ERROR_BASE + 141),
SEC_ERROR_UNSUPPORTED_EC_POINT_FORM = (SEC_ERROR_BASE + 142), SEC_ERROR_UNSUPPORTED_EC_POINT_FORM = (SEC_ERROR_BASE + 142),
SEC_ERROR_UNRECOGNIZED_OID = (SEC_ERROR_BASE + 143), SEC_ERROR_UNRECOGNIZED_OID = (SEC_ERROR_BASE + 143),
SEC_ERROR_OCSP_INVALID_SIGNING_CERT = (SEC_ERROR_BASE + 144), SEC_ERROR_OCSP_INVALID_SIGNING_CERT = (SEC_ERROR_BASE + 144),
/* new revocation errors */ /* new revocation errors */
SEC_ERROR_REVOKED_CERTIFICATE_CRL = (SEC_ERROR_BASE + 145), SEC_ERROR_REVOKED_CERTIFICATE_CRL = (SEC_ERROR_BASE + 145),
SEC_ERROR_REVOKED_CERTIFICATE_OCSP = (SEC_ERROR_BASE + 146), SEC_ERROR_REVOKED_CERTIFICATE_OCSP = (SEC_ERROR_BASE + 146),
SEC_ERROR_CRL_INVALID_VERSION = (SEC_ERROR_BASE + 147), SEC_ERROR_CRL_INVALID_VERSION = (SEC_ERROR_BASE + 147),
SEC_ERROR_CRL_V1_CRITICAL_EXTENSION = (SEC_ERROR_BASE + 148), SEC_ERROR_CRL_V1_CRITICAL_EXTENSION = (SEC_ERROR_BASE + 148),
SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION = (SEC_ERROR_BASE + 149), SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION = (SEC_ERROR_BASE + 149),
SEC_ERROR_UNKNOWN_OBJECT_TYPE = (SEC_ERROR_BASE + 150), SEC_ERROR_UNKNOWN_OBJECT_TYPE = (SEC_ERROR_BASE + 150),
SEC_ERROR_INCOMPATIBLE_PKCS11 = (SEC_ERROR_BASE + 151), SEC_ERROR_INCOMPATIBLE_PKCS11 = (SEC_ERROR_BASE + 151),
SEC_ERROR_NO_EVENT = (SEC_ERROR_BASE + 152), SEC_ERROR_NO_EVENT = (SEC_ERROR_BASE + 152),
SEC_ERROR_CRL_ALREADY_EXISTS = (SEC_ERROR_BASE + 153), SEC_ERROR_CRL_ALREADY_EXISTS = (SEC_ERROR_BASE + 153),
SEC_ERROR_NOT_INITIALIZED = (SEC_ERROR_BASE + 154), SEC_ERROR_NOT_INITIALIZED = (SEC_ERROR_BASE + 154),
SEC_ERROR_TOKEN_NOT_LOGGED_IN = (SEC_ERROR_BASE + 155), SEC_ERROR_TOKEN_NOT_LOGGED_IN = (SEC_ERROR_BASE + 155),
SEC_ERROR_OCSP_RESPONDER_CERT_INVALID = (SEC_ERROR_BASE + 156), SEC_ERROR_OCSP_RESPONDER_CERT_INVALID = (SEC_ERROR_BASE + 156),
SEC_ERROR_OCSP_BAD_SIGNATURE = (SEC_ERROR_BASE + 157), SEC_ERROR_OCSP_BAD_SIGNATURE = (SEC_ERROR_BASE + 157),
SEC_ERROR_OUT_OF_SEARCH_LIMITS = (SEC_ERROR_BASE + 158), SEC_ERROR_OUT_OF_SEARCH_LIMITS = (SEC_ERROR_BASE + 158),
SEC_ERROR_INVALID_POLICY_MAPPING = (SEC_ERROR_BASE + 159), SEC_ERROR_INVALID_POLICY_MAPPING = (SEC_ERROR_BASE + 159),
SEC_ERROR_POLICY_VALIDATION_FAILED = (SEC_ERROR_BASE + 160), SEC_ERROR_POLICY_VALIDATION_FAILED = (SEC_ERROR_BASE + 160),
/* No longer used. Unknown AIA location types are now silently ignored. */ /* No longer used. Unknown AIA location types are now silently ignored. */
SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE = (SEC_ERROR_BASE + 161), SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE = (SEC_ERROR_BASE + 161),
SEC_ERROR_BAD_HTTP_RESPONSE = (SEC_ERROR_BASE + 162), SEC_ERROR_BAD_HTTP_RESPONSE = (SEC_ERROR_BASE + 162),
SEC_ERROR_BAD_LDAP_RESPONSE = (SEC_ERROR_BASE + 163), SEC_ERROR_BAD_LDAP_RESPONSE = (SEC_ERROR_BASE + 163),
SEC_ERROR_FAILED_TO_ENCODE_DATA = (SEC_ERROR_BASE + 164), SEC_ERROR_FAILED_TO_ENCODE_DATA = (SEC_ERROR_BASE + 164),
SEC_ERROR_BAD_INFO_ACCESS_LOCATION = (SEC_ERROR_BASE + 165), SEC_ERROR_BAD_INFO_ACCESS_LOCATION = (SEC_ERROR_BASE + 165),
SEC_ERROR_LIBPKIX_INTERNAL = (SEC_ERROR_BASE + 166), SEC_ERROR_LIBPKIX_INTERNAL = (SEC_ERROR_BASE + 166),
SEC_ERROR_PKCS11_GENERAL_ERROR = (SEC_ERROR_BASE + 167), SEC_ERROR_PKCS11_GENERAL_ERROR = (SEC_ERROR_BASE + 167),
SEC_ERROR_PKCS11_FUNCTION_FAILED = (SEC_ERROR_BASE + 168), SEC_ERROR_PKCS11_FUNCTION_FAILED = (SEC_ERROR_BASE + 168),
SEC_ERROR_PKCS11_DEVICE_ERROR = (SEC_ERROR_BASE + 169), SEC_ERROR_PKCS11_DEVICE_ERROR = (SEC_ERROR_BASE + 169),
SEC_ERROR_BAD_INFO_ACCESS_METHOD = (SEC_ERROR_BASE + 170), SEC_ERROR_BAD_INFO_ACCESS_METHOD = (SEC_ERROR_BASE + 170),
SEC_ERROR_CRL_IMPORT_FAILED = (SEC_ERROR_BASE + 171), SEC_ERROR_CRL_IMPORT_FAILED = (SEC_ERROR_BASE + 171),
SEC_ERROR_EXPIRED_PASSWORD = (SEC_ERROR_BASE + 172), SEC_ERROR_EXPIRED_PASSWORD = (SEC_ERROR_BASE + 172),
SEC_ERROR_LOCKED_PASSWORD = (SEC_ERROR_BASE + 173), SEC_ERROR_LOCKED_PASSWORD = (SEC_ERROR_BASE + 173),
SEC_ERROR_UNKNOWN_PKCS11_ERROR = (SEC_ERROR_BASE + 174), SEC_ERROR_UNKNOWN_PKCS11_ERROR = (SEC_ERROR_BASE + 174),
SEC_ERROR_BAD_CRL_DP_URL = (SEC_ERROR_BASE + 175), SEC_ERROR_BAD_CRL_DP_URL = (SEC_ERROR_BASE + 175),
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = (SEC_ERROR_BASE + 176), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = (SEC_ERROR_BASE + 176),
SEC_ERROR_LEGACY_DATABASE = (SEC_ERROR_BASE + 177), SEC_ERROR_LEGACY_DATABASE = (SEC_ERROR_BASE + 177),
SEC_ERROR_APPLICATION_CALLBACK_ERROR = (SEC_ERROR_BASE + 178), SEC_ERROR_APPLICATION_CALLBACK_ERROR = (SEC_ERROR_BASE + 178),
/* Add new error codes above here. */ /* Add new error codes above here. */
SEC_ERROR_END_OF_LIST SEC_ERROR_END_OF_LIST
} SECErrorCodes; } SECErrorCodes;
#endif /* NO_SECURITY_ERROR_ENUM */ #endif /* NO_SECURITY_ERROR_ENUM */


@ -299,9 +299,15 @@ fi
# created, we check for modutil to know whether the build # created, we check for modutil to know whether the build
# is complete. If a new file is created after that, the # is complete. If a new file is created after that, the
# following test for modutil should check for that instead. # following test for modutil should check for that instead.
# Exception: when building softoken only, shlibsign is the
# last file created.
if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then
LAST_FILE_BUILT=shlibsign
else
LAST_FILE_BUILT=modutil
fi
if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a \ if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then
! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then
echo "Build Incomplete. Aborting test." >> ${LOGFILE} echo "Build Incomplete. Aborting test." >> ${LOGFILE}
html_head "Testing Initialization" html_head "Testing Initialization"
Exit "Checking for build" Exit "Checking for build"
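Review bot: The new `if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]` test expands the variable unquoted and compares it numerically, so when NSS_BUILD_SOFTOKEN_ONLY is unset or empty `[` reports an error instead of evaluating cleanly to false. The else branch is still taken, but only as a side effect of that error status, and the message ends up in the test output. A quoted string comparison avoids both problems: `if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then`. The build-completeness `if` that consumes LAST_FILE_BUILT closes outside the visible hunk.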


@ -1176,6 +1176,201 @@ cert_extensions()
done < ${QADIR}/cert/certext.txt done < ${QADIR}/cert/certext.txt
} }
cert_make_with_param()
{
DIRPASS="$1"
CERTNAME="$2"
MAKE="$3"
SUBJ="$4"
EXTRA="$5"
EXPECT="$6"
TESTNAME="$7"
echo certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA}
${BINDIR}/certutil ${DIRPASS} -s "${SUBJ}" ${MAKE} ${CERTNAME} ${EXTRA}
RET=$?
if [ "${RET}" -ne "${EXPECT}" ]; then
# if we expected failure to create, then delete unexpected certificate
if [ "${EXPECT}" -ne 0 ]; then
${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME}
fi
CERTFAILED=1
html_failed "${TESTNAME} (${COUNT}) - ${EXTRA}"
cert_log "ERROR: ${TESTNAME} - ${EXTRA} failed"
return 1
fi
html_passed "${TESTNAME} (${COUNT})"
return 0
}
cert_list_and_count_dns()
{
DIRPASS="$1"
CERTNAME="$2"
EXPECT="$3"
EXPECTCOUNT="$4"
TESTNAME="$5"
echo certutil ${DIRPASS} -L ${CERTNAME}
${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME}
RET=$?
if [ "${RET}" -ne "${EXPECT}" ]; then
CERTFAILED=1
html_failed "${TESTNAME} (${COUNT}) - list and count"
cert_log "ERROR: ${TESTNAME} - list and count failed"
return 1
fi
LISTCOUNT=`${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} | grep -wc DNS`
if [ "${LISTCOUNT}" -ne "${EXPECTCOUNT}" ]; then
CERTFAILED=1
html_failed "${TESTNAME} (${COUNT}) - list and count"
cert_log "ERROR: ${TESTNAME} - list and count failed"
return 1
fi
html_passed "${TESTNAME} (${COUNT})"
return 0
}
cert_dump_ext_to_file()
{
DIRPASS="$1"
CERTNAME="$2"
OID="$3"
OUTFILE="$4"
EXPECT="$5"
TESTNAME="$6"
echo certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID}
echo "writing output to ${OUTFILE}"
${BINDIR}/certutil ${DIRPASS} -L ${CERTNAME} --dump-ext-val ${OID} > ${OUTFILE}
RET=$?
if [ "${RET}" -ne "${EXPECT}" ]; then
CERTFAILED=1
html_failed "${TESTNAME} (${COUNT}) - dump to file"
cert_log "ERROR: ${TESTNAME} - dump to file failed"
return 1
fi
html_passed "${TESTNAME} (${COUNT})"
return 0
}
cert_delete()
{
DIRPASS="$1"
CERTNAME="$2"
EXPECT="$3"
TESTNAME="$4"
echo certutil ${DIRPASS} -D ${CERTNAME}
${BINDIR}/certutil ${DIRPASS} -D ${CERTNAME}
RET=$?
if [ "${RET}" -ne "${EXPECT}" ]; then
CERTFAILED=1
html_failed "${TESTNAME} (${COUNT}) - delete cert"
cert_log "ERROR: ${TESTNAME} - delete cert failed"
return 1
fi
html_passed "${TESTNAME} (${COUNT})"
return 0
}
cert_inc_count()
{
COUNT=`expr ${COUNT} + 1`
}
############################## cert_crl_ssl ############################
# test adding subject-alt-name, dumping, and adding generic extension
########################################################################
cert_san_and_generic_extensions()
{
EXTDUMP=${CERT_EXTENSIONS_DIR}/sanext.der
DIR="-d ${CERT_EXTENSIONS_DIR} -f ${R_PWFILE}"
CERTNAME="-n WithSAN"
MAKE="-S -t ,, -x -z ${R_NOISE_FILE}"
SUBJ="CN=example.com"
TESTNAME="san-and-generic-extensions"
cert_inc_count
cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
"--extSAN example.com" 255 \
"create cert with invalid SAN parameter"
cert_inc_count
cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
"--extSAN example.com,dns:www.example.com" 255 \
"create cert with invalid SAN parameter"
TN="create cert with valid SAN parameter"
cert_inc_count
cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
"--extSAN dns:example.com,dns:www.example.com" 0 \
"${TN}"
cert_inc_count
cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \
"${TN}"
cert_inc_count
cert_dump_ext_to_file "${DIR}" "${CERTNAME}" "2.5.29.17" "${EXTDUMP}" 0 \
"dump extension 2.5.29.17 to file ${EXTDUMP}"
cert_inc_count
cert_delete "${DIR}" "${CERTNAME}" 0 \
"${TN}"
cert_inc_count
cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \
"expect failure to list cert, because we deleted it"
cert_inc_count
cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
"--extGeneric ${EXTDUMP}" 255 \
"create cert with invalid generic ext parameter"
cert_inc_count
cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
"--extGeneric not-critical:${EXTDUMP}" 255 \
"create cert with invalid generic ext parameter"
cert_inc_count
cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
"--extGeneric not-critical:${EXTDUMP},2.5.29.17:critical:${EXTDUMP}" 255 \
"create cert with invalid generic ext parameter"
TN="create cert with valid generic ext parameter"
cert_inc_count
cert_make_with_param "${DIR}" "${CERTNAME}" "${MAKE}" "${SUBJ}" \
"--extGeneric 2.5.29.17:not-critical:${EXTDUMP}" 0 \
"${TN}"
cert_inc_count
cert_list_and_count_dns "${DIR}" "${CERTNAME}" 0 2 \
"${TN}"
cert_inc_count
cert_delete "${DIR}" "${CERTNAME}" 0 \
"${TN}"
cert_inc_count
cert_list_and_count_dns "${DIR}" "${CERTNAME}" 255 0 \
"expect failure to list cert, because we deleted it"
}
############################## cert_crl_ssl ############################ ############################## cert_crl_ssl ############################
# local shell function to generate certs and crls for SSL tests # local shell function to generate certs and crls for SSL tests
######################################################################## ########################################################################
@ -1513,6 +1708,7 @@ if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then
fi fi
cert_eccurves cert_eccurves
cert_extensions cert_extensions
cert_san_and_generic_extensions
cert_test_password cert_test_password
cert_test_distrust cert_test_distrust
cert_test_ocspresp cert_test_ocspresp
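Review bot: cert_list_and_count_dns verifies the subject-alt-name only by counting output lines that contain the word DNS (`grep -wc DNS`), so both the --extSAN test and the --extGeneric round trip pass for any certificate that lists two DNS entries, whatever the names are. Checking the listing for the expected names (example.com and www.example.com) in addition to the count would let these tests catch a mis-encoded or substituted extension. The helper also invokes `certutil -L` twice, once for the exit status and once for the count; capturing the output a single time would keep both checks on the same data. Separately, the banner above cert_san_and_generic_extensions still reads `cert_crl_ssl` and should name the new function, e.g. `############## cert_san_and_generic_extensions ##############`.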


@ -129,6 +129,12 @@ if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${PROG_SUFFIX} ]; then
return 0 return 0
fi fi
cipher_init cipher_init
cipher_main # Skip cipher_main if this an NSS without softoken build.
cipher_gcm if [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" != "1" ]; then
cipher_main
fi
# Skip cipher_gcm if this is a softoken only build.
if [ "${NSS_BUILD_SOFTOKEN_ONLY}" != "1" ]; then
cipher_gcm
fi
cipher_cleanup cipher_cleanup
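Review bot: Both new guards skip a test group without writing anything to the log, so a run with NSS_BUILD_WITHOUT_SOFTOKEN or NSS_BUILD_SOFTOKEN_ONLY set to 1 looks the same as a full run in which cipher_main and cipher_gcm passed. An else branch that records the skip, e.g. `else echo "skipping cipher_main: NSS_BUILD_WITHOUT_SOFTOKEN=1"`, would make the reduced cipher coverage visible to whoever reads the results. The first added comment also drops a word and should read `# Skip cipher_main if this is an NSS without softoken build.`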