author | kaie%kuix.de <devnull@localhost> | 2006-06-12 12:55:43 +0000 |
---|---|---|
committer | kaie%kuix.de <devnull@localhost> | 2006-06-12 12:55:43 +0000 |
commit | 4c54109352c9d7fbb2d4ff2fd381a40355dcaf03 (patch) | |
tree | 9068e2f39bf7ca9cd6bb99d99651f8ca571f146d | |
parent | 684796c0e530e754cbace93c29f074e59fde22e1 (diff) | |
download | nss-hg-4c54109352c9d7fbb2d4ff2fd381a40355dcaf03.tar.gz |
Bug 340724, Upgrade NSS on Mozilla 1.8 branch to NSS_3_11_20060609_TAG THUNDERBIRD_2_0a1_RELEASE FIREFOX_2_0b1_RELEASE FIREFOX_2_0b1_RC3 FIREFOX_2_0b1_RC2 FIREFOX_2_0b1_RC1
r=wtchang, a=wtchang
28 files changed, 1006 insertions, 196 deletions
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c index a5855ffe8..0367ab32f 100644 --- a/security/nss/cmd/certutil/certutil.c +++ b/security/nss/cmd/certutil/certutil.c @@ -763,6 +763,9 @@ ValidateCert(CERTCertDBHandle *handle, char *name, char *date, } switch (*certUsage) { + case 'O': + usage = certificateUsageStatusResponder; + break; case 'C': usage = certificateUsageSSLClient; break; @@ -994,6 +997,7 @@ Usage(char *progName) FPS "Usage: %s -T [-d certdir] [-P dbprefix] [-h token-name] [-f pwfile]\n", progName); FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", progName); + FPS "\t%s -B -i batch-file\n", progName); FPS "\t%s -C [-c issuer-name | -x] -i cert-request-file -o cert-file\n" "\t\t [-m serial-number] [-w warp-months] [-v months-valid]\n" "\t\t [-f pwfile] [-d certdir] [-P dbprefix] [-1] [-2] [-3] [-4] [-5]\n" @@ -1042,6 +1046,8 @@ static void LongUsage(char *progName) FPS "%-15s Add a certificate to the database (create if needed)\n", "-A"); + FPS "%-15s Run a series of certutil commands from a batch file\n", "-B"); + FPS "%-20s Specify the batch file\n", " -i batch-file"); FPS "%-15s Add an Email certificate to the database (create if needed)\n", "-E"); FPS "%-20s Specify the nickname of the certificate to add\n", @@ -1308,6 +1314,7 @@ static void LongUsage(char *progName) FPS "%-25s V \t SSL Server\n", ""); FPS "%-25s S \t Email signer\n", ""); FPS "%-25s R \t Email Recipient\n", ""); + FPS "%-25s O \t OCSP status responder\n", ""); FPS "%-20s Cert database directory (default is ~/.netscape)\n", " -d certdir"); FPS "%-20s Cert & Key database prefix\n", @@ -1561,7 +1568,7 @@ AddOidToSequence(CERTOidSequence *os, SECOidTag oidTag) return SECSuccess; } -SEC_ASN1_MKSUB(SEC_ObjectIDTemplate); +SEC_ASN1_MKSUB(SEC_ObjectIDTemplate) const SEC_ASN1Template CERT_OidSeqTemplate[] = { { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 
@@ -2302,7 +2309,8 @@ enum { cmd_ListModules, cmd_CheckCertValidity, cmd_ChangePassword, - cmd_Version + cmd_Version, + cmd_Batch }; /* Certutil options */ @@ -2344,8 +2352,7 @@ enum { opt_RW, opt_Exponent, opt_NoiseFile, - opt_Hash, - opt_Batch + opt_Hash }; static int @@ -2402,7 +2409,8 @@ secuCommandFlag certutil_commands[] = { /* cmd_ListModules */ 'U', PR_FALSE, 0, PR_FALSE }, { /* cmd_CheckCertValidity */ 'V', PR_FALSE, 0, PR_FALSE }, { /* cmd_ChangePassword */ 'W', PR_FALSE, 0, PR_FALSE }, - { /* cmd_Version */ 'Y', PR_FALSE, 0, PR_FALSE } + { /* cmd_Version */ 'Y', PR_FALSE, 0, PR_FALSE }, + { /* cmd_Batch */ 'B', PR_FALSE, 0, PR_FALSE } }; secuCommandFlag certutil_options[] = @@ -2444,8 +2452,7 @@ secuCommandFlag certutil_options[] = { /* opt_RW */ 'X', PR_FALSE, 0, PR_FALSE }, { /* opt_Exponent */ 'y', PR_TRUE, 0, PR_FALSE }, { /* opt_NoiseFile */ 'z', PR_TRUE, 0, PR_FALSE }, - { /* opt_Hash */ 'Z', PR_TRUE, 0, PR_FALSE }, - { /* opt_Batch */ 'B', PR_TRUE, 0, PR_FALSE } + { /* opt_Hash */ 'Z', PR_TRUE, 0, PR_FALSE } }; @@ -3076,13 +3083,21 @@ shutdown: * - each line in the batch file is limited to 512 characters */ - if ((SECSuccess == rv) && certutil.options[opt_Batch].activated) { - FILE* batchFile = fopen(certutil.options[opt_Batch].arg, "r"); + if ((SECSuccess == rv) && certutil.commands[cmd_Batch].activated) { + FILE* batchFile = NULL; char nextcommand[512]; + if (!certutil.options[opt_InputFile].activated || + !certutil.options[opt_InputFile].arg) { + PR_fprintf(PR_STDERR, + "%s: no batch input file specified.\n", + progName); + return 255; + } + batchFile = fopen(certutil.options[opt_InputFile].arg, "r"); if (!batchFile) { PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading (%ld, %ld).\n", - progName, certutil.options[opt_Batch].arg, + progName, certutil.options[opt_InputFile].arg, PR_GetError(), PR_GetOSError()); return 255; } 
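Review bot: The batch block in the last certutil.c hunk keeps a fixed `char nextcommand[512];`, and the comment above it only states the 512-character limit; nothing visible says what happens to a longer line, and the read loop is outside the hunk. If that loop uses a bounded read, the tail of an over-long line would come back as the next command, which is undesirable in a tool that edits certificate and trust databases, so confirm that such a line is reported and skipped as a whole. The new `-B` help text could also state the limit, e.g. `FPS "%-20s Specify the batch file (lines limited to 512 characters)\n", "   -i batch-file");`.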
diff --git a/security/nss/cmd/modutil/specification.html b/security/nss/cmd/modutil/specification.html index 9ab09627d..b64fe80c7 100644 --- a/security/nss/cmd/modutil/specification.html +++ b/security/nss/cmd/modutil/specification.html @@ -54,7 +54,7 @@ (<a href="#changepw">-changepw</a>) <li>Create databases (secmod[ule].db, key3.db, cert7.db) from scratch. (<a href="#create">-create</a>) -<li>Switch to and from FIPS-140-1 compliant mode. +<li>Switch to and from FIPS-140 compliant mode. (<a href="#fips">-fips</a>) <li>Delete a PKCS #11 module. (<a href="#delete">-delete</a>) <li>List installed PKCS #11 modules. (<a href="#list">-list</a>) diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c index c37e1d004..933456e9a 100644 --- a/security/nss/lib/certdb/crl.c +++ b/security/nss/lib/certdb/crl.c @@ -2776,27 +2776,29 @@ SECStatus CERT_UncacheCRL(CERTCertDBHandle* dbhandle, SECItem* olddercrl) } if (PR_TRUE == dupe) { - DPCache_RemoveCRL(cache, i); /* got a match */ - cache->mustchoose = PR_TRUE; - removed = PR_TRUE; + rv = DPCache_RemoveCRL(cache, i); /* got a match */ + if (SECSuccess == rv) { + cache->mustchoose = PR_TRUE; + removed = PR_TRUE; + } break; } } DPCache_UnlockWrite(); - rv = CachedCrl_Destroy(returned); + if (SECSuccess != CachedCrl_Destroy(returned) ) { + rv = SECFailure; + } } ReleaseDPCache(cache, writeLocked); - - if (PR_TRUE != removed) - { - rv = SECFailure; - } } - SEC_DestroyCrl(oldcrl); /* need to do this because object is refcounted */ - if (PR_TRUE != removed) + if (SECSuccess != SEC_DestroyCrl(oldcrl) ) { + /* need to do this because object is refcounted */ + rv = SECFailure; + } + if (SECSuccess == rv && PR_TRUE != removed) { PORT_SetError(SEC_ERROR_CRL_NOT_FOUND); } diff --git a/security/nss/lib/certhigh/certhigh.c b/security/nss/lib/certhigh/certhigh.c index a101ca4c8..ea7f50a0e 100644 --- a/security/nss/lib/certhigh/certhigh.c +++ b/security/nss/lib/certhigh/certhigh.c 
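Review bot: In CERT_UncacheCRL the not-found case no longer sets `rv = SECFailure`: the two removed `if (PR_TRUE != removed)` paths were the only visible places that did, and the new tail only calls `PORT_SetError(SEC_ERROR_CRL_NOT_FOUND)` while rv is still SECSuccess. Unless code after the hunk changes rv, a caller that asks to uncache a CRL which is not in the cache gets SECSuccess together with an error code, and callers that test only the return value will not notice. If failure is intended, the tail should read `if (SECSuccess == rv && PR_TRUE != removed) { PORT_SetError(SEC_ERROR_CRL_NOT_FOUND); rv = SECFailure; }`; if success is intended, a comment saying so is needed. The function's start and its return statement are outside the hunk.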
@@ -443,15 +443,16 @@ CollectNicknames( NSSCertificate *c, void *data) /* allocate the node */ node = (stringNode*)PORT_ArenaAlloc(names->arena, sizeof(stringNode)); if ( node == NULL ) { - return(PR_FAILURE); + PORT_Free(nickname); + return PR_FAILURE; } /* copy the string */ len = PORT_Strlen(nickname) + 1; node->string = (char*)PORT_ArenaAlloc(names->arena, len); if ( node->string == NULL ) { - if (nickname) PORT_Free(nickname); - return(PR_FAILURE); + PORT_Free(nickname); + return PR_FAILURE; } PORT_Memcpy(node->string, nickname, len); @@ -494,7 +495,7 @@ CERT_GetCertNicknames(CERTCertDBHandle *handle, int what, void *wincx) names->totallen = 0; /* make sure we are logged in */ - (void) pk11_TraverseAllSlots(NULL, NULL, wincx); + (void) pk11_TraverseAllSlots(NULL, NULL, PR_TRUE, wincx); NSSTrustDomain_TraverseCertificates(handle, CollectNicknames, (void *)names); @@ -672,12 +673,12 @@ CERT_DistNamesFromNicknames(CERTCertDBHandle *handle, char **nicknames, arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) goto loser; - dnames = (CERTDistNames*)PORT_Alloc(sizeof(CERTDistNames)); + dnames = PORT_ArenaZNew(arena, CERTDistNames); if (dnames == NULL) goto loser; dnames->arena = arena; dnames->nnames = nnames; - dnames->names = names = (SECItem*)PORT_Alloc(nnames * sizeof(SECItem)); + dnames->names = names = PORT_ArenaZNewArray(arena, SECItem, nnames); if (names == NULL) goto loser; for (i = 0; i < nnames; i++) { diff --git a/security/nss/lib/ckfw/builtins/certdata.c b/security/nss/lib/ckfw/builtins/certdata.c index ca3d68970..5bf4c24d1 100644 --- a/security/nss/lib/ckfw/builtins/certdata.c +++ b/security/nss/lib/ckfw/builtins/certdata.c 
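Review bot: In CERT_DistNamesFromNicknames, `dnames` and `dnames->names` now come from `arena` instead of `PORT_Alloc`, so every release path has to go through the arena. The `loser:` label and the routine that frees a CERTDistNames are outside this hunk; they should be checked for leftover `PORT_Free(dnames)` or `PORT_Free(names)` calls, which would now be handed arena memory. A comment at the allocation, `/* dnames and names are owned by arena; release with PORT_FreeArena only */`, would make the ownership explicit. No range check on `nnames` is visible before `PORT_ArenaZNewArray(arena, SECItem, nnames)`, so it is worth confirming that callers cannot pass a negative or very large count.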
@@ -623,6 +623,18 @@ static const CK_ATTRIBUTE_TYPE nss_builtins_types_188 [] = { static const CK_ATTRIBUTE_TYPE nss_builtins_types_189 [] = { CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED }; +static const CK_ATTRIBUTE_TYPE nss_builtins_types_190 [] = { + CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERTIFICATE_TYPE, CKA_SUBJECT, CKA_ID, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_VALUE +}; +static const CK_ATTRIBUTE_TYPE nss_builtins_types_191 [] = { + CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED +}; +static const CK_ATTRIBUTE_TYPE nss_builtins_types_192 [] = { + CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERTIFICATE_TYPE, CKA_SUBJECT, CKA_ID, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_VALUE +}; +static const CK_ATTRIBUTE_TYPE nss_builtins_types_193 [] = { + CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_TRUST_SERVER_AUTH, CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED +}; #ifdef DEBUG static const NSSItem nss_builtins_items_0 [] = { { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) }, 
@@ -11833,6 +11845,188 @@ static const NSSItem nss_builtins_items_178 [] = { { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, + { (void *)"NetLock Qualified (Class QA) Root", (PRUint32)34 }, + { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) }, + { (void *)"\060\201\311\061\013\060\011\006\003\125\004\006\023\002\110\125" +"\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160" +"\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145" +"\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172" +"\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030" +"\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141" +"\156\171\153\151\141\144\157\153\061\102\060\100\006\003\125\004" +"\003\023\071\116\145\164\114\157\143\153\040\115\151\156\157\163" +"\151\164\145\164\164\040\113\157\172\152\145\147\171\172\157\151" +"\040\050\103\154\141\163\163\040\121\101\051\040\124\141\156\165" +"\163\151\164\166\141\156\171\153\151\141\144\157\061\036\060\034" +"\006\011\052\206\110\206\367\015\001\011\001\026\017\151\156\146" +"\157\100\156\145\164\154\157\143\153\056\150\165" +, (PRUint32)204 }, + { (void *)"0", (PRUint32)2 }, + { (void *)"\060\201\311\061\013\060\011\006\003\125\004\006\023\002\110\125" +"\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160" +"\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145" +"\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172" +"\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030" +"\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141" +"\156\171\153\151\141\144\157\153\061\102\060\100\006\003\125\004" +"\003\023\071\116\145\164\114\157\143\153\040\115\151\156\157\163" +"\151\164\145\164\164\040\113\157\172\152\145\147\171\172\157\151" +"\040\050\103\154\141\163\163\040\121\101\051\040\124\141\156\165" 
+"\163\151\164\166\141\156\171\153\151\141\144\157\061\036\060\034" +"\006\011\052\206\110\206\367\015\001\011\001\026\017\151\156\146" +"\157\100\156\145\164\154\157\143\153\056\150\165" +, (PRUint32)204 }, + { (void *)"\002\001\173" +, (PRUint32)3 }, + { (void *)"\060\202\006\321\060\202\005\271\240\003\002\001\002\002\001\173" +"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060" +"\201\311\061\013\060\011\006\003\125\004\006\023\002\110\125\061" +"\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145" +"\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145\164" +"\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172\164" +"\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030\006" +"\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141\156" +"\171\153\151\141\144\157\153\061\102\060\100\006\003\125\004\003" +"\023\071\116\145\164\114\157\143\153\040\115\151\156\157\163\151" +"\164\145\164\164\040\113\157\172\152\145\147\171\172\157\151\040" +"\050\103\154\141\163\163\040\121\101\051\040\124\141\156\165\163" +"\151\164\166\141\156\171\153\151\141\144\157\061\036\060\034\006" +"\011\052\206\110\206\367\015\001\011\001\026\017\151\156\146\157" +"\100\156\145\164\154\157\143\153\056\150\165\060\036\027\015\060" +"\063\060\063\063\060\060\061\064\067\061\061\132\027\015\062\062" +"\061\062\061\065\060\061\064\067\061\061\132\060\201\311\061\013" +"\060\011\006\003\125\004\006\023\002\110\125\061\021\060\017\006" +"\003\125\004\007\023\010\102\165\144\141\160\145\163\164\061\047" +"\060\045\006\003\125\004\012\023\036\116\145\164\114\157\143\153" +"\040\110\141\154\157\172\141\164\142\151\172\164\157\156\163\141" +"\147\151\040\113\146\164\056\061\032\060\030\006\003\125\004\013" +"\023\021\124\141\156\165\163\151\164\166\141\156\171\153\151\141" +"\144\157\153\061\102\060\100\006\003\125\004\003\023\071\116\145" +"\164\114\157\143\153\040\115\151\156\157\163\151\164\145\164\164" 
+"\040\113\157\172\152\145\147\171\172\157\151\040\050\103\154\141" +"\163\163\040\121\101\051\040\124\141\156\165\163\151\164\166\141" +"\156\171\153\151\141\144\157\061\036\060\034\006\011\052\206\110" +"\206\367\015\001\011\001\026\017\151\156\146\157\100\156\145\164" +"\154\157\143\153\056\150\165\060\202\001\042\060\015\006\011\052" +"\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060" +"\202\001\012\002\202\001\001\000\307\122\045\262\330\075\324\204" +"\125\011\247\033\275\154\271\024\364\212\002\333\166\374\152\052" +"\170\253\345\167\360\156\340\214\043\147\333\245\144\231\271\335" +"\001\076\157\357\055\232\074\042\360\135\311\127\240\125\101\177" +"\362\103\136\130\202\123\061\145\316\036\362\046\272\000\124\036" +"\257\260\274\034\344\122\214\240\062\257\267\067\261\123\147\150" +"\164\147\120\366\055\056\144\336\256\046\171\337\337\231\206\253" +"\253\177\205\354\240\373\200\314\364\270\014\036\223\105\143\271" +"\334\270\133\233\355\133\071\324\137\142\260\247\216\174\146\070" +"\054\252\261\010\143\027\147\175\314\275\263\361\303\077\317\120" +"\071\355\321\031\203\025\333\207\022\047\226\267\332\352\345\235" +"\274\272\352\071\117\213\357\164\232\347\305\320\322\352\206\121" +"\034\344\376\144\010\050\004\171\005\353\312\305\161\016\013\357" +"\253\352\354\022\021\241\030\005\062\151\321\014\054\032\075\045" +"\231\077\265\174\312\155\260\256\231\231\372\010\140\347\031\302" +"\362\275\121\323\314\323\002\254\301\021\014\200\316\253\334\224" +"\235\153\243\071\123\072\326\205\002\003\000\305\175\243\202\002" +"\300\060\202\002\274\060\022\006\003\125\035\023\001\001\377\004" +"\010\060\006\001\001\377\002\001\004\060\016\006\003\125\035\017" +"\001\001\377\004\004\003\002\001\006\060\202\002\165\006\011\140" +"\206\110\001\206\370\102\001\015\004\202\002\146\026\202\002\142" +"\106\111\107\131\105\114\105\115\041\040\105\172\145\156\040\164" +"\141\156\165\163\151\164\166\141\156\171\040\141\040\116\145\164" 
+"\114\157\143\153\040\113\146\164\056\040\115\151\156\157\163\151" +"\164\145\164\164\040\123\172\157\154\147\141\154\164\141\164\141" +"\163\151\040\123\172\141\142\141\154\171\172\141\164\141\142\141" +"\156\040\154\145\151\162\164\040\145\154\152\141\162\141\163\157" +"\153\040\141\154\141\160\152\141\156\040\153\145\163\172\165\154" +"\164\056\040\101\040\155\151\156\157\163\151\164\145\164\164\040" +"\145\154\145\153\164\162\157\156\151\153\165\163\040\141\154\141" +"\151\162\141\163\040\152\157\147\150\141\164\141\163\040\145\162" +"\166\145\156\171\145\163\165\154\145\163\145\156\145\153\054\040" +"\166\141\154\141\155\151\156\164\040\145\154\146\157\147\141\144" +"\141\163\141\156\141\153\040\146\145\154\164\145\164\145\154\145" +"\040\141\040\115\151\156\157\163\151\164\145\164\164\040\123\172" +"\157\154\147\141\154\164\141\164\141\163\151\040\123\172\141\142" +"\141\154\171\172\141\164\142\141\156\054\040\141\172\040\101\154" +"\164\141\154\141\156\157\163\040\123\172\145\162\172\157\144\145" +"\163\151\040\106\145\154\164\145\164\145\154\145\153\142\145\156" +"\040\145\154\157\151\162\164\040\145\154\154\145\156\157\162\172" +"\145\163\151\040\145\154\152\141\162\141\163\040\155\145\147\164" +"\145\164\145\154\145\056\040\101\040\144\157\153\165\155\145\156" +"\164\165\155\157\153\040\155\145\147\164\141\154\141\154\150\141" +"\164\157\153\040\141\040\150\164\164\160\163\072\057\057\167\167" +"\167\056\156\145\164\154\157\143\153\056\150\165\057\144\157\143" +"\163\057\040\143\151\155\145\156\040\166\141\147\171\040\153\145" +"\162\150\145\164\157\153\040\141\172\040\151\156\146\157\100\156" +"\145\164\154\157\143\153\056\156\145\164\040\145\055\155\141\151" +"\154\040\143\151\155\145\156\056\040\127\101\122\116\111\116\107" +"\041\040\124\150\145\040\151\163\163\165\141\156\143\145\040\141" +"\156\144\040\164\150\145\040\165\163\145\040\157\146\040\164\150" +"\151\163\040\143\145\162\164\151\146\151\143\141\164\145\040\141" 
+"\162\145\040\163\165\142\152\145\143\164\040\164\157\040\164\150" +"\145\040\116\145\164\114\157\143\153\040\121\165\141\154\151\146" +"\151\145\144\040\103\120\123\040\141\166\141\151\154\141\142\154" +"\145\040\141\164\040\150\164\164\160\163\072\057\057\167\167\167" +"\056\156\145\164\154\157\143\153\056\150\165\057\144\157\143\163" +"\057\040\157\162\040\142\171\040\145\055\155\141\151\154\040\141" +"\164\040\151\156\146\157\100\156\145\164\154\157\143\153\056\156" +"\145\164\060\035\006\003\125\035\016\004\026\004\024\011\152\142" +"\026\222\260\132\273\125\016\313\165\062\072\062\345\262\041\311" +"\050\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000" +"\003\202\001\001\000\221\152\120\234\333\170\201\233\077\213\102" +"\343\073\374\246\303\356\103\340\317\363\342\200\065\111\105\166" +"\002\342\343\057\005\305\361\052\347\300\101\063\306\266\233\320" +"\063\071\315\300\333\241\255\154\067\002\114\130\101\073\362\227" +"\222\306\110\250\315\345\212\071\211\141\371\122\227\351\275\366" +"\371\224\164\350\161\016\274\167\206\303\006\314\132\174\112\176" +"\064\120\060\056\373\177\062\232\215\075\363\040\133\370\152\312" +"\206\363\061\114\054\131\200\002\175\376\070\311\060\165\034\267" +"\125\343\274\237\272\250\155\204\050\005\165\263\213\015\300\221" +"\124\041\347\246\013\264\231\365\121\101\334\315\243\107\042\331" +"\307\001\201\304\334\107\117\046\352\037\355\333\315\015\230\364" +"\243\234\264\163\062\112\226\231\376\274\177\310\045\130\370\130" +"\363\166\146\211\124\244\246\076\304\120\134\272\211\030\202\165" +"\110\041\322\117\023\350\140\176\007\166\333\020\265\121\346\252" +"\271\150\252\315\366\235\220\165\022\352\070\032\312\104\350\267" +"\231\247\052\150\225\146\225\253\255\357\211\313\140\251\006\022" +"\306\224\107\351\050" +, (PRUint32)1749 } +}; +static const NSSItem nss_builtins_items_179 [] = { + { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, + { (void 
*)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, + { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, + { (void *)"NetLock Qualified (Class QA) Root", (PRUint32)34 }, + { (void *)"\001\150\227\341\240\270\362\303\261\064\146\134\040\247\047\267" +"\241\130\342\217" +, (PRUint32)20 }, + { (void *)"\324\200\145\150\044\371\211\042\050\333\365\244\232\027\217\024" +, (PRUint32)16 }, + { (void *)"\060\201\311\061\013\060\011\006\003\125\004\006\023\002\110\125" +"\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160" +"\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145" +"\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172" +"\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030" +"\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141" +"\156\171\153\151\141\144\157\153\061\102\060\100\006\003\125\004" +"\003\023\071\116\145\164\114\157\143\153\040\115\151\156\157\163" +"\151\164\145\164\164\040\113\157\172\152\145\147\171\172\157\151" +"\040\050\103\154\141\163\163\040\121\101\051\040\124\141\156\165" +"\163\151\164\166\141\156\171\153\151\141\144\157\061\036\060\034" +"\006\011\052\206\110\206\367\015\001\011\001\026\017\151\156\146" +"\157\100\156\145\164\154\157\143\153\056\150\165" +, (PRUint32)204 }, + { (void *)"\002\001\173" +, (PRUint32)3 }, + { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } +}; +static const NSSItem nss_builtins_items_180 [] = { + { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, + { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, + { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, { (void *)"NetLock Notary (Class A) Root", (PRUint32)30 }, { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) }, { (void 
*)"\060\201\257\061\013\060\011\006\003\125\004\006\023\002\110\125" @@ -11971,7 +12165,7 @@ static const NSSItem nss_builtins_items_178 [] = { "\210" , (PRUint32)1665 } }; -static const NSSItem nss_builtins_items_179 [] = { +static const NSSItem nss_builtins_items_181 [] = { { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -12002,7 +12196,7 @@ static const NSSItem nss_builtins_items_179 [] = { { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; -static const NSSItem nss_builtins_items_180 [] = { +static const NSSItem nss_builtins_items_182 [] = { { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -12121,7 +12315,7 @@ static const NSSItem nss_builtins_items_180 [] = { "\066\053\143\254\130\001\153\063\051\120\206\203\361\001\110" , (PRUint32)1359 } }; -static const NSSItem nss_builtins_items_181 [] = { +static const NSSItem nss_builtins_items_183 [] = { { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -12150,7 +12344,7 @@ static const NSSItem nss_builtins_items_181 [] = { { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; -static const NSSItem nss_builtins_items_182 [] = { +static const NSSItem nss_builtins_items_184 [] = { { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -12270,7 +12464,7 @@ static const NSSItem nss_builtins_items_182 [] = { "\063\004\324" , (PRUint32)1363 } }; -static const NSSItem nss_builtins_items_183 [] = { +static const NSSItem nss_builtins_items_185 [] = { { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -12299,7 +12493,7 @@ static const NSSItem nss_builtins_items_183 [] = { { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; -static const NSSItem nss_builtins_items_184 [] = { +static const NSSItem nss_builtins_items_186 [] = { { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -12400,7 +12594,7 @@ static const NSSItem nss_builtins_items_184 [] = { "\264\003\045\274" , (PRUint32)1076 } }; -static const NSSItem nss_builtins_items_185 [] = { +static const NSSItem nss_builtins_items_187 [] = { { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -12429,7 +12623,7 @@ static const NSSItem nss_builtins_items_185 [] = { { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; -static const NSSItem nss_builtins_items_186 [] = { +static const NSSItem nss_builtins_items_188 [] = { { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -12522,7 +12716,7 @@ static const NSSItem nss_builtins_items_186 [] = { "\177\333\275\237" , (PRUint32)1028 } }; -static const NSSItem nss_builtins_items_187 [] = { +static const NSSItem nss_builtins_items_189 [] = { { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -12548,7 +12742,7 @@ static const NSSItem nss_builtins_items_187 [] = { { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; -static const NSSItem nss_builtins_items_188 [] = { +static const NSSItem nss_builtins_items_190 [] = { { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, @@ -12642,7 +12836,7 @@ static const NSSItem nss_builtins_items_188 [] = { "\037\027\224" , (PRUint32)1043 } }; -static const NSSItem nss_builtins_items_189 [] = { +static const NSSItem nss_builtins_items_191 [] = { { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) }, { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, 
@@ -12668,6 +12862,157 @@ static const NSSItem nss_builtins_items_189 [] = { { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } }; +static const NSSItem nss_builtins_items_192 [] = { + { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, + { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, + { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, + { (void *)"StartCom Ltd.", (PRUint32)14 }, + { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) }, + { (void *)"\060\201\260\061\013\060\011\006\003\125\004\006\023\002\111\114" +"\061\017\060\015\006\003\125\004\010\023\006\111\163\162\141\145" +"\154\061\016\060\014\006\003\125\004\007\023\005\105\151\154\141" +"\164\061\026\060\024\006\003\125\004\012\023\015\123\164\141\162" +"\164\103\157\155\040\114\164\144\056\061\032\060\030\006\003\125" +"\004\013\023\021\103\101\040\101\165\164\150\157\162\151\164\171" +"\040\104\145\160\056\061\051\060\047\006\003\125\004\003\023\040" +"\106\162\145\145\040\123\123\114\040\103\145\162\164\151\146\151" +"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171" +"\061\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026" +"\022\141\144\155\151\156\100\163\164\141\162\164\143\157\155\056" +"\157\162\147" +, (PRUint32)179 }, + { (void *)"0", (PRUint32)2 }, + { (void *)"\060\201\260\061\013\060\011\006\003\125\004\006\023\002\111\114" +"\061\017\060\015\006\003\125\004\010\023\006\111\163\162\141\145" +"\154\061\016\060\014\006\003\125\004\007\023\005\105\151\154\141" +"\164\061\026\060\024\006\003\125\004\012\023\015\123\164\141\162" +"\164\103\157\155\040\114\164\144\056\061\032\060\030\006\003\125" +"\004\013\023\021\103\101\040\101\165\164\150\157\162\151\164\171" +"\040\104\145\160\056\061\051\060\047\006\003\125\004\003\023\040" +"\106\162\145\145\040\123\123\114\040\103\145\162\164\151\146\151" 
+"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171" +"\061\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026" +"\022\141\144\155\151\156\100\163\164\141\162\164\143\157\155\056" +"\157\162\147" +, (PRUint32)179 }, + { (void *)"\002\001\000" +, (PRUint32)3 }, + { (void *)"\060\202\005\026\060\202\004\177\240\003\002\001\002\002\001\000" +"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060" +"\201\260\061\013\060\011\006\003\125\004\006\023\002\111\114\061" +"\017\060\015\006\003\125\004\010\023\006\111\163\162\141\145\154" +"\061\016\060\014\006\003\125\004\007\023\005\105\151\154\141\164" +"\061\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164" +"\103\157\155\040\114\164\144\056\061\032\060\030\006\003\125\004" +"\013\023\021\103\101\040\101\165\164\150\157\162\151\164\171\040" +"\104\145\160\056\061\051\060\047\006\003\125\004\003\023\040\106" +"\162\145\145\040\123\123\114\040\103\145\162\164\151\146\151\143" +"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061" +"\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026\022" +"\141\144\155\151\156\100\163\164\141\162\164\143\157\155\056\157" +"\162\147\060\036\027\015\060\065\060\063\061\067\061\067\063\067" +"\064\070\132\027\015\063\065\060\063\061\060\061\067\063\067\064" +"\070\132\060\201\260\061\013\060\011\006\003\125\004\006\023\002" +"\111\114\061\017\060\015\006\003\125\004\010\023\006\111\163\162" +"\141\145\154\061\016\060\014\006\003\125\004\007\023\005\105\151" +"\154\141\164\061\026\060\024\006\003\125\004\012\023\015\123\164" +"\141\162\164\103\157\155\040\114\164\144\056\061\032\060\030\006" +"\003\125\004\013\023\021\103\101\040\101\165\164\150\157\162\151" +"\164\171\040\104\145\160\056\061\051\060\047\006\003\125\004\003" +"\023\040\106\162\145\145\040\123\123\114\040\103\145\162\164\151" +"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151" +"\164\171\061\041\060\037\006\011\052\206\110\206\367\015\001\011" 
+"\001\026\022\141\144\155\151\156\100\163\164\141\162\164\143\157" +"\155\056\157\162\147\060\201\237\060\015\006\011\052\206\110\206" +"\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002\201" +"\201\000\355\204\140\000\043\236\310\112\121\051\047\336\072\241" +"\071\265\151\253\011\262\057\064\375\141\334\075\323\260\317\261" +"\327\302\304\302\261\344\226\126\304\276\252\024\016\347\314\072" +"\120\310\072\142\235\303\243\254\131\173\216\356\125\032\034\107" +"\276\243\227\071\263\265\357\043\054\010\350\330\257\163\057\271" +"\311\203\350\355\000\017\310\165\245\057\064\114\030\350\166\210" +"\043\111\212\333\266\355\150\332\303\265\142\051\114\245\113\267" +"\230\264\011\024\020\240\370\376\142\166\042\025\013\244\326\010" +"\057\065\002\003\001\000\001\243\202\002\074\060\202\002\070\060" +"\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377" +"\060\013\006\003\125\035\017\004\004\003\002\001\346\060\035\006" +"\003\125\035\016\004\026\004\024\034\211\303\226\314\275\376\062" +"\325\015\214\201\061\266\230\235\215\050\144\215\060\201\335\006" +"\003\125\035\043\004\201\325\060\201\322\200\024\034\211\303\226" +"\314\275\376\062\325\015\214\201\061\266\230\235\215\050\144\215" +"\241\201\266\244\201\263\060\201\260\061\013\060\011\006\003\125" +"\004\006\023\002\111\114\061\017\060\015\006\003\125\004\010\023" +"\006\111\163\162\141\145\154\061\016\060\014\006\003\125\004\007" +"\023\005\105\151\154\141\164\061\026\060\024\006\003\125\004\012" +"\023\015\123\164\141\162\164\103\157\155\040\114\164\144\056\061" +"\032\060\030\006\003\125\004\013\023\021\103\101\040\101\165\164" +"\150\157\162\151\164\171\040\104\145\160\056\061\051\060\047\006" +"\003\125\004\003\023\040\106\162\145\145\040\123\123\114\040\103" +"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164" +"\150\157\162\151\164\171\061\041\060\037\006\011\052\206\110\206" +"\367\015\001\011\001\026\022\141\144\155\151\156\100\163\164\141" 
+"\162\164\143\157\155\056\157\162\147\202\001\000\060\035\006\003" +"\125\035\021\004\026\060\024\201\022\141\144\155\151\156\100\163" +"\164\141\162\164\143\157\155\056\157\162\147\060\035\006\003\125" +"\035\022\004\026\060\024\201\022\141\144\155\151\156\100\163\164" +"\141\162\164\143\157\155\056\157\162\147\060\021\006\011\140\206" +"\110\001\206\370\102\001\001\004\004\003\002\000\007\060\057\006" +"\011\140\206\110\001\206\370\102\001\015\004\042\026\040\106\162" +"\145\145\040\123\123\114\040\103\145\162\164\151\146\151\143\141" +"\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\062" +"\006\011\140\206\110\001\206\370\102\001\004\004\045\026\043\150" +"\164\164\160\072\057\057\143\145\162\164\056\163\164\141\162\164" +"\143\157\155\056\157\162\147\057\143\141\055\143\162\154\056\143" +"\162\154\060\050\006\011\140\206\110\001\206\370\102\001\002\004" +"\033\026\031\150\164\164\160\072\057\057\143\145\162\164\056\163" +"\164\141\162\164\143\157\155\056\157\162\147\057\060\071\006\011" +"\140\206\110\001\206\370\102\001\010\004\054\026\052\150\164\164" +"\160\072\057\057\143\145\162\164\056\163\164\141\162\164\143\157" +"\155\056\157\162\147\057\151\156\144\145\170\056\160\150\160\077" +"\141\160\160\075\061\061\061\060\015\006\011\052\206\110\206\367" +"\015\001\001\004\005\000\003\201\201\000\154\161\045\341\236\064" +"\221\041\357\333\154\275\001\010\126\217\210\330\101\072\123\365" +"\162\337\047\127\113\166\204\367\150\244\376\353\077\011\176\050" +"\270\127\352\037\301\252\342\377\226\237\111\231\346\262\225\163" +"\226\306\110\307\136\215\007\162\126\370\203\217\237\167\257\051" +"\323\105\016\244\356\260\066\164\055\360\315\230\043\173\067\113" +"\332\376\121\230\304\036\064\074\210\375\231\073\120\247\301\213" +"\063\307\302\122\026\022\225\123\145\042\357\272\213\316\142\333" +"\160\043\261\200\337\032\040\070\347\176" +, (PRUint32)1306 } +}; +static const NSSItem nss_builtins_items_193 [] = { + { (void *)&cko_netscape_trust, 
(PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, + { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, + { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, + { (void *)"StartCom Ltd.", (PRUint32)14 }, + { (void *)"\225\346\255\370\327\161\106\002\115\325\152\041\262\347\077\315" +"\362\073\065\377" +, (PRUint32)20 }, + { (void *)"\010\174\130\037\122\053\104\264\073\171\315\001\370\305\303\311" +, (PRUint32)16 }, + { (void *)"\060\201\260\061\013\060\011\006\003\125\004\006\023\002\111\114" +"\061\017\060\015\006\003\125\004\010\023\006\111\163\162\141\145" +"\154\061\016\060\014\006\003\125\004\007\023\005\105\151\154\141" +"\164\061\026\060\024\006\003\125\004\012\023\015\123\164\141\162" +"\164\103\157\155\040\114\164\144\056\061\032\060\030\006\003\125" +"\004\013\023\021\103\101\040\101\165\164\150\157\162\151\164\171" +"\040\104\145\160\056\061\051\060\047\006\003\125\004\003\023\040" +"\106\162\145\145\040\123\123\114\040\103\145\162\164\151\146\151" +"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171" +"\061\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026" +"\022\141\144\155\151\156\100\163\164\141\162\164\143\157\155\056" +"\157\162\147" +, (PRUint32)179 }, + { (void *)"\002\001\000" +, (PRUint32)3 }, + { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }, + { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) } +}; PR_IMPLEMENT_DATA(builtinsInternalObject) nss_builtins_data[] = { 
@@ -12862,11 +13207,15 @@ nss_builtins_data[] = { { 11, nss_builtins_types_186, nss_builtins_items_186, {NULL} }, { 13, nss_builtins_types_187, nss_builtins_items_187, {NULL} }, { 11, nss_builtins_types_188, nss_builtins_items_188, {NULL} }, - { 13, nss_builtins_types_189, nss_builtins_items_189, {NULL} } + { 13, nss_builtins_types_189, nss_builtins_items_189, {NULL} }, + { 11, nss_builtins_types_190, nss_builtins_items_190, {NULL} }, + { 13, nss_builtins_types_191, nss_builtins_items_191, {NULL} }, + { 11, nss_builtins_types_192, nss_builtins_items_192, {NULL} }, + { 13, nss_builtins_types_193, nss_builtins_items_193, {NULL} } }; PR_IMPLEMENT_DATA(const PRUint32) #ifdef DEBUG - nss_builtins_nObjects = 189+1; + nss_builtins_nObjects = 193+1; #else - nss_builtins_nObjects = 189; + nss_builtins_nObjects = 193; #endif /* DEBUG */ diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt index 8a8b1c5b6..bb8be07ee 100644 --- a/security/nss/lib/ckfw/builtins/certdata.txt +++ b/security/nss/lib/ckfw/builtins/certdata.txt 
@@ -12170,6 +12170,198 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # +# Certificate "NetLock Qualified (Class QA) Root" +# +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "NetLock Qualified (Class QA) Root" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\201\311\061\013\060\011\006\003\125\004\006\023\002\110\125 +\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160 +\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145 +\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172 +\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030 +\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141 +\156\171\153\151\141\144\157\153\061\102\060\100\006\003\125\004 +\003\023\071\116\145\164\114\157\143\153\040\115\151\156\157\163 +\151\164\145\164\164\040\113\157\172\152\145\147\171\172\157\151 +\040\050\103\154\141\163\163\040\121\101\051\040\124\141\156\165 +\163\151\164\166\141\156\171\153\151\141\144\157\061\036\060\034 +\006\011\052\206\110\206\367\015\001\011\001\026\017\151\156\146 +\157\100\156\145\164\154\157\143\153\056\150\165 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\201\311\061\013\060\011\006\003\125\004\006\023\002\110\125 +\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160 +\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145 +\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172 +\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030 +\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141 +\156\171\153\151\141\144\157\153\061\102\060\100\006\003\125\004 +\003\023\071\116\145\164\114\157\143\153\040\115\151\156\157\163 +\151\164\145\164\164\040\113\157\172\152\145\147\171\172\157\151 
+\040\050\103\154\141\163\163\040\121\101\051\040\124\141\156\165 +\163\151\164\166\141\156\171\153\151\141\144\157\061\036\060\034 +\006\011\052\206\110\206\367\015\001\011\001\026\017\151\156\146 +\157\100\156\145\164\154\157\143\153\056\150\165 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\001\173 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\006\321\060\202\005\271\240\003\002\001\002\002\001\173 +\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 +\201\311\061\013\060\011\006\003\125\004\006\023\002\110\125\061 +\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160\145 +\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145\164 +\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172\164 +\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030\006 +\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141\156 +\171\153\151\141\144\157\153\061\102\060\100\006\003\125\004\003 +\023\071\116\145\164\114\157\143\153\040\115\151\156\157\163\151 +\164\145\164\164\040\113\157\172\152\145\147\171\172\157\151\040 +\050\103\154\141\163\163\040\121\101\051\040\124\141\156\165\163 +\151\164\166\141\156\171\153\151\141\144\157\061\036\060\034\006 +\011\052\206\110\206\367\015\001\011\001\026\017\151\156\146\157 +\100\156\145\164\154\157\143\153\056\150\165\060\036\027\015\060 +\063\060\063\063\060\060\061\064\067\061\061\132\027\015\062\062 +\061\062\061\065\060\061\064\067\061\061\132\060\201\311\061\013 +\060\011\006\003\125\004\006\023\002\110\125\061\021\060\017\006 +\003\125\004\007\023\010\102\165\144\141\160\145\163\164\061\047 +\060\045\006\003\125\004\012\023\036\116\145\164\114\157\143\153 +\040\110\141\154\157\172\141\164\142\151\172\164\157\156\163\141 +\147\151\040\113\146\164\056\061\032\060\030\006\003\125\004\013 +\023\021\124\141\156\165\163\151\164\166\141\156\171\153\151\141 +\144\157\153\061\102\060\100\006\003\125\004\003\023\071\116\145 +\164\114\157\143\153\040\115\151\156\157\163\151\164\145\164\164 
+\040\113\157\172\152\145\147\171\172\157\151\040\050\103\154\141 +\163\163\040\121\101\051\040\124\141\156\165\163\151\164\166\141 +\156\171\153\151\141\144\157\061\036\060\034\006\011\052\206\110 +\206\367\015\001\011\001\026\017\151\156\146\157\100\156\145\164 +\154\157\143\153\056\150\165\060\202\001\042\060\015\006\011\052 +\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060 +\202\001\012\002\202\001\001\000\307\122\045\262\330\075\324\204 +\125\011\247\033\275\154\271\024\364\212\002\333\166\374\152\052 +\170\253\345\167\360\156\340\214\043\147\333\245\144\231\271\335 +\001\076\157\357\055\232\074\042\360\135\311\127\240\125\101\177 +\362\103\136\130\202\123\061\145\316\036\362\046\272\000\124\036 +\257\260\274\034\344\122\214\240\062\257\267\067\261\123\147\150 +\164\147\120\366\055\056\144\336\256\046\171\337\337\231\206\253 +\253\177\205\354\240\373\200\314\364\270\014\036\223\105\143\271 +\334\270\133\233\355\133\071\324\137\142\260\247\216\174\146\070 +\054\252\261\010\143\027\147\175\314\275\263\361\303\077\317\120 +\071\355\321\031\203\025\333\207\022\047\226\267\332\352\345\235 +\274\272\352\071\117\213\357\164\232\347\305\320\322\352\206\121 +\034\344\376\144\010\050\004\171\005\353\312\305\161\016\013\357 +\253\352\354\022\021\241\030\005\062\151\321\014\054\032\075\045 +\231\077\265\174\312\155\260\256\231\231\372\010\140\347\031\302 +\362\275\121\323\314\323\002\254\301\021\014\200\316\253\334\224 +\235\153\243\071\123\072\326\205\002\003\000\305\175\243\202\002 +\300\060\202\002\274\060\022\006\003\125\035\023\001\001\377\004 +\010\060\006\001\001\377\002\001\004\060\016\006\003\125\035\017 +\001\001\377\004\004\003\002\001\006\060\202\002\165\006\011\140 +\206\110\001\206\370\102\001\015\004\202\002\146\026\202\002\142 +\106\111\107\131\105\114\105\115\041\040\105\172\145\156\040\164 +\141\156\165\163\151\164\166\141\156\171\040\141\040\116\145\164 +\114\157\143\153\040\113\146\164\056\040\115\151\156\157\163\151 
+\164\145\164\164\040\123\172\157\154\147\141\154\164\141\164\141 +\163\151\040\123\172\141\142\141\154\171\172\141\164\141\142\141 +\156\040\154\145\151\162\164\040\145\154\152\141\162\141\163\157 +\153\040\141\154\141\160\152\141\156\040\153\145\163\172\165\154 +\164\056\040\101\040\155\151\156\157\163\151\164\145\164\164\040 +\145\154\145\153\164\162\157\156\151\153\165\163\040\141\154\141 +\151\162\141\163\040\152\157\147\150\141\164\141\163\040\145\162 +\166\145\156\171\145\163\165\154\145\163\145\156\145\153\054\040 +\166\141\154\141\155\151\156\164\040\145\154\146\157\147\141\144 +\141\163\141\156\141\153\040\146\145\154\164\145\164\145\154\145 +\040\141\040\115\151\156\157\163\151\164\145\164\164\040\123\172 +\157\154\147\141\154\164\141\164\141\163\151\040\123\172\141\142 +\141\154\171\172\141\164\142\141\156\054\040\141\172\040\101\154 +\164\141\154\141\156\157\163\040\123\172\145\162\172\157\144\145 +\163\151\040\106\145\154\164\145\164\145\154\145\153\142\145\156 +\040\145\154\157\151\162\164\040\145\154\154\145\156\157\162\172 +\145\163\151\040\145\154\152\141\162\141\163\040\155\145\147\164 +\145\164\145\154\145\056\040\101\040\144\157\153\165\155\145\156 +\164\165\155\157\153\040\155\145\147\164\141\154\141\154\150\141 +\164\157\153\040\141\040\150\164\164\160\163\072\057\057\167\167 +\167\056\156\145\164\154\157\143\153\056\150\165\057\144\157\143 +\163\057\040\143\151\155\145\156\040\166\141\147\171\040\153\145 +\162\150\145\164\157\153\040\141\172\040\151\156\146\157\100\156 +\145\164\154\157\143\153\056\156\145\164\040\145\055\155\141\151 +\154\040\143\151\155\145\156\056\040\127\101\122\116\111\116\107 +\041\040\124\150\145\040\151\163\163\165\141\156\143\145\040\141 +\156\144\040\164\150\145\040\165\163\145\040\157\146\040\164\150 +\151\163\040\143\145\162\164\151\146\151\143\141\164\145\040\141 +\162\145\040\163\165\142\152\145\143\164\040\164\157\040\164\150 +\145\040\116\145\164\114\157\143\153\040\121\165\141\154\151\146 
+\151\145\144\040\103\120\123\040\141\166\141\151\154\141\142\154 +\145\040\141\164\040\150\164\164\160\163\072\057\057\167\167\167 +\056\156\145\164\154\157\143\153\056\150\165\057\144\157\143\163 +\057\040\157\162\040\142\171\040\145\055\155\141\151\154\040\141 +\164\040\151\156\146\157\100\156\145\164\154\157\143\153\056\156 +\145\164\060\035\006\003\125\035\016\004\026\004\024\011\152\142 +\026\222\260\132\273\125\016\313\165\062\072\062\345\262\041\311 +\050\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000 +\003\202\001\001\000\221\152\120\234\333\170\201\233\077\213\102 +\343\073\374\246\303\356\103\340\317\363\342\200\065\111\105\166 +\002\342\343\057\005\305\361\052\347\300\101\063\306\266\233\320 +\063\071\315\300\333\241\255\154\067\002\114\130\101\073\362\227 +\222\306\110\250\315\345\212\071\211\141\371\122\227\351\275\366 +\371\224\164\350\161\016\274\167\206\303\006\314\132\174\112\176 +\064\120\060\056\373\177\062\232\215\075\363\040\133\370\152\312 +\206\363\061\114\054\131\200\002\175\376\070\311\060\165\034\267 +\125\343\274\237\272\250\155\204\050\005\165\263\213\015\300\221 +\124\041\347\246\013\264\231\365\121\101\334\315\243\107\042\331 +\307\001\201\304\334\107\117\046\352\037\355\333\315\015\230\364 +\243\234\264\163\062\112\226\231\376\274\177\310\045\130\370\130 +\363\166\146\211\124\244\246\076\304\120\134\272\211\030\202\165 +\110\041\322\117\023\350\140\176\007\166\333\020\265\121\346\252 +\271\150\252\315\366\235\220\165\022\352\070\032\312\104\350\267 +\231\247\052\150\225\146\225\253\255\357\211\313\140\251\006\022 +\306\224\107\351\050 +END + +# Trust for Certificate "NetLock Qualified (Class QA) Root" +CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "NetLock Qualified (Class QA) Root" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\001\150\227\341\240\270\362\303\261\064\146\134\040\247\047\267 +\241\130\342\217 +END 
+CKA_CERT_MD5_HASH MULTILINE_OCTAL +\324\200\145\150\044\371\211\042\050\333\365\244\232\027\217\024 +END +CKA_ISSUER MULTILINE_OCTAL +\060\201\311\061\013\060\011\006\003\125\004\006\023\002\110\125 +\061\021\060\017\006\003\125\004\007\023\010\102\165\144\141\160 +\145\163\164\061\047\060\045\006\003\125\004\012\023\036\116\145 +\164\114\157\143\153\040\110\141\154\157\172\141\164\142\151\172 +\164\157\156\163\141\147\151\040\113\146\164\056\061\032\060\030 +\006\003\125\004\013\023\021\124\141\156\165\163\151\164\166\141 +\156\171\153\151\141\144\157\153\061\102\060\100\006\003\125\004 +\003\023\071\116\145\164\114\157\143\153\040\115\151\156\157\163 +\151\164\145\164\164\040\113\157\172\152\145\147\171\172\157\151 +\040\050\103\154\141\163\163\040\121\101\051\040\124\141\156\165 +\163\151\164\166\141\156\171\153\151\141\144\157\061\036\060\034 +\006\011\052\206\110\206\367\015\001\011\001\026\017\151\156\146 +\157\100\156\145\164\154\157\143\153\056\150\165 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\001\173 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# # Certificate "NetLock Notary (Class A) Root" # CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE 
@@ -13068,3 +13260,164 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "StartCom Ltd." +# +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "StartCom Ltd." +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\201\260\061\013\060\011\006\003\125\004\006\023\002\111\114 +\061\017\060\015\006\003\125\004\010\023\006\111\163\162\141\145 +\154\061\016\060\014\006\003\125\004\007\023\005\105\151\154\141 +\164\061\026\060\024\006\003\125\004\012\023\015\123\164\141\162 +\164\103\157\155\040\114\164\144\056\061\032\060\030\006\003\125 +\004\013\023\021\103\101\040\101\165\164\150\157\162\151\164\171 +\040\104\145\160\056\061\051\060\047\006\003\125\004\003\023\040 +\106\162\145\145\040\123\123\114\040\103\145\162\164\151\146\151 +\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171 +\061\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026 +\022\141\144\155\151\156\100\163\164\141\162\164\143\157\155\056 +\157\162\147 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\201\260\061\013\060\011\006\003\125\004\006\023\002\111\114 +\061\017\060\015\006\003\125\004\010\023\006\111\163\162\141\145 +\154\061\016\060\014\006\003\125\004\007\023\005\105\151\154\141 +\164\061\026\060\024\006\003\125\004\012\023\015\123\164\141\162 +\164\103\157\155\040\114\164\144\056\061\032\060\030\006\003\125 +\004\013\023\021\103\101\040\101\165\164\150\157\162\151\164\171 +\040\104\145\160\056\061\051\060\047\006\003\125\004\003\023\040 +\106\162\145\145\040\123\123\114\040\103\145\162\164\151\146\151 +\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171 
+\061\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026 +\022\141\144\155\151\156\100\163\164\141\162\164\143\157\155\056 +\157\162\147 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\001\000 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\026\060\202\004\177\240\003\002\001\002\002\001\000 +\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060 +\201\260\061\013\060\011\006\003\125\004\006\023\002\111\114\061 +\017\060\015\006\003\125\004\010\023\006\111\163\162\141\145\154 +\061\016\060\014\006\003\125\004\007\023\005\105\151\154\141\164 +\061\026\060\024\006\003\125\004\012\023\015\123\164\141\162\164 +\103\157\155\040\114\164\144\056\061\032\060\030\006\003\125\004 +\013\023\021\103\101\040\101\165\164\150\157\162\151\164\171\040 +\104\145\160\056\061\051\060\047\006\003\125\004\003\023\040\106 +\162\145\145\040\123\123\114\040\103\145\162\164\151\146\151\143 +\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061 +\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026\022 +\141\144\155\151\156\100\163\164\141\162\164\143\157\155\056\157 +\162\147\060\036\027\015\060\065\060\063\061\067\061\067\063\067 +\064\070\132\027\015\063\065\060\063\061\060\061\067\063\067\064 +\070\132\060\201\260\061\013\060\011\006\003\125\004\006\023\002 +\111\114\061\017\060\015\006\003\125\004\010\023\006\111\163\162 +\141\145\154\061\016\060\014\006\003\125\004\007\023\005\105\151 +\154\141\164\061\026\060\024\006\003\125\004\012\023\015\123\164 +\141\162\164\103\157\155\040\114\164\144\056\061\032\060\030\006 +\003\125\004\013\023\021\103\101\040\101\165\164\150\157\162\151 +\164\171\040\104\145\160\056\061\051\060\047\006\003\125\004\003 +\023\040\106\162\145\145\040\123\123\114\040\103\145\162\164\151 +\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151 +\164\171\061\041\060\037\006\011\052\206\110\206\367\015\001\011 +\001\026\022\141\144\155\151\156\100\163\164\141\162\164\143\157 
+\155\056\157\162\147\060\201\237\060\015\006\011\052\206\110\206 +\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002\201 +\201\000\355\204\140\000\043\236\310\112\121\051\047\336\072\241 +\071\265\151\253\011\262\057\064\375\141\334\075\323\260\317\261 +\327\302\304\302\261\344\226\126\304\276\252\024\016\347\314\072 +\120\310\072\142\235\303\243\254\131\173\216\356\125\032\034\107 +\276\243\227\071\263\265\357\043\054\010\350\330\257\163\057\271 +\311\203\350\355\000\017\310\165\245\057\064\114\030\350\166\210 +\043\111\212\333\266\355\150\332\303\265\142\051\114\245\113\267 +\230\264\011\024\020\240\370\376\142\166\042\025\013\244\326\010 +\057\065\002\003\001\000\001\243\202\002\074\060\202\002\070\060 +\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377 +\060\013\006\003\125\035\017\004\004\003\002\001\346\060\035\006 +\003\125\035\016\004\026\004\024\034\211\303\226\314\275\376\062 +\325\015\214\201\061\266\230\235\215\050\144\215\060\201\335\006 +\003\125\035\043\004\201\325\060\201\322\200\024\034\211\303\226 +\314\275\376\062\325\015\214\201\061\266\230\235\215\050\144\215 +\241\201\266\244\201\263\060\201\260\061\013\060\011\006\003\125 +\004\006\023\002\111\114\061\017\060\015\006\003\125\004\010\023 +\006\111\163\162\141\145\154\061\016\060\014\006\003\125\004\007 +\023\005\105\151\154\141\164\061\026\060\024\006\003\125\004\012 +\023\015\123\164\141\162\164\103\157\155\040\114\164\144\056\061 +\032\060\030\006\003\125\004\013\023\021\103\101\040\101\165\164 +\150\157\162\151\164\171\040\104\145\160\056\061\051\060\047\006 +\003\125\004\003\023\040\106\162\145\145\040\123\123\114\040\103 +\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164 +\150\157\162\151\164\171\061\041\060\037\006\011\052\206\110\206 +\367\015\001\011\001\026\022\141\144\155\151\156\100\163\164\141 +\162\164\143\157\155\056\157\162\147\202\001\000\060\035\006\003 +\125\035\021\004\026\060\024\201\022\141\144\155\151\156\100\163 
+\164\141\162\164\143\157\155\056\157\162\147\060\035\006\003\125 +\035\022\004\026\060\024\201\022\141\144\155\151\156\100\163\164 +\141\162\164\143\157\155\056\157\162\147\060\021\006\011\140\206 +\110\001\206\370\102\001\001\004\004\003\002\000\007\060\057\006 +\011\140\206\110\001\206\370\102\001\015\004\042\026\040\106\162 +\145\145\040\123\123\114\040\103\145\162\164\151\146\151\143\141 +\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\062 +\006\011\140\206\110\001\206\370\102\001\004\004\045\026\043\150 +\164\164\160\072\057\057\143\145\162\164\056\163\164\141\162\164 +\143\157\155\056\157\162\147\057\143\141\055\143\162\154\056\143 +\162\154\060\050\006\011\140\206\110\001\206\370\102\001\002\004 +\033\026\031\150\164\164\160\072\057\057\143\145\162\164\056\163 +\164\141\162\164\143\157\155\056\157\162\147\057\060\071\006\011 +\140\206\110\001\206\370\102\001\010\004\054\026\052\150\164\164 +\160\072\057\057\143\145\162\164\056\163\164\141\162\164\143\157 +\155\056\157\162\147\057\151\156\144\145\170\056\160\150\160\077 +\141\160\160\075\061\061\061\060\015\006\011\052\206\110\206\367 +\015\001\001\004\005\000\003\201\201\000\154\161\045\341\236\064 +\221\041\357\333\154\275\001\010\126\217\210\330\101\072\123\365 +\162\337\047\127\113\166\204\367\150\244\376\353\077\011\176\050 +\270\127\352\037\301\252\342\377\226\237\111\231\346\262\225\163 +\226\306\110\307\136\215\007\162\126\370\203\217\237\167\257\051 +\323\105\016\244\356\260\066\164\055\360\315\230\043\173\067\113 +\332\376\121\230\304\036\064\074\210\375\231\073\120\247\301\213 +\063\307\302\122\026\022\225\123\145\042\357\272\213\316\142\333 +\160\043\261\200\337\032\040\070\347\176 +END + +# Trust for Certificate "StartCom Ltd." +CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "StartCom Ltd." 
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\225\346\255\370\327\161\106\002\115\325\152\041\262\347\077\315 +\362\073\065\377 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\010\174\130\037\122\053\104\264\073\171\315\001\370\305\303\311 +END +CKA_ISSUER MULTILINE_OCTAL +\060\201\260\061\013\060\011\006\003\125\004\006\023\002\111\114 +\061\017\060\015\006\003\125\004\010\023\006\111\163\162\141\145 +\154\061\016\060\014\006\003\125\004\007\023\005\105\151\154\141 +\164\061\026\060\024\006\003\125\004\012\023\015\123\164\141\162 +\164\103\157\155\040\114\164\144\056\061\032\060\030\006\003\125 +\004\013\023\021\103\101\040\101\165\164\150\157\162\151\164\171 +\040\104\145\160\056\061\051\060\047\006\003\125\004\003\023\040 +\106\162\145\145\040\123\123\114\040\103\145\162\164\151\146\151 +\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171 +\061\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026 +\022\141\144\155\151\156\100\163\164\141\162\164\143\157\155\056 +\157\162\147 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\001\000 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE diff --git a/security/nss/lib/ckfw/builtins/nssckbi.h b/security/nss/lib/ckfw/builtins/nssckbi.h index b0378eea9..f132aa5f4 100644 --- a/security/nss/lib/ckfw/builtins/nssckbi.h +++ b/security/nss/lib/ckfw/builtins/nssckbi.h @@ -75,8 +75,8 @@ * of the comment in the CK_VERSION type definition. */ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1 -#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 60 -#define NSS_BUILTINS_LIBRARY_VERSION "1.60" +#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 61 +#define NSS_BUILTINS_LIBRARY_VERSION "1.61" /* These version numbers detail the semantic changes to the ckfw engine. */ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 
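Review bot: The `StartCom Ltd.` entry added in this hunk gets `CKT_NETSCAPE_TRUSTED_DELEGATOR` for server auth and e-mail, yet nothing in it tells an auditor what key is being trusted. Decoding the `CKA_VALUE` octets appears to give a 1024-bit RSA key, an md5WithRSAEncryption self-signature and a validity period running to 2035. I would add a comment under `# Certificate "StartCom Ltd."` with key size, validity dates, the SHA-1 fingerprint in hex and the inclusion-approval bug, e.g. `# RSA 1024, valid 2005-03-17 .. 2035-03-10, approved in bug <BUG-ID placeholder>`, so the trust decision can be rechecked without an ASN.1 decoder. The `NetLock Qualified (Class QA) Root` entry in the earlier certdata.txt hunk would benefit from the same comment.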
diff --git a/security/nss/lib/crmf/crmfpop.c b/security/nss/lib/crmf/crmfpop.c index b5a4883ed..e4c885318 100644 --- a/security/nss/lib/crmf/crmfpop.c +++ b/security/nss/lib/crmf/crmfpop.c @@ -261,7 +261,7 @@ CRMF_CertReqMsgSetSignaturePOP(CRMFCertReqMsg *inCertReqMsg, { SECAlgorithmID *algID; PRArenaPool *poolp; - SECItem derDest = {siBuffer, NULL, 0}; + SECItem derTemp = {siBuffer, NULL, 0}; void *mark; SECStatus rv; CRMFPOPOSigningKeyInput *signKeyInput = NULL; @@ -304,7 +304,7 @@ CRMF_CertReqMsgSetSignaturePOP(CRMFCertReqMsg *inCertReqMsg, pop->popChoice.signature.algorithmIdentifier = algID; inCertReqMsg->pop = pop; - rv = crmf_init_encoder_callback_arg (&encoderArg, &derDest); + rv = crmf_init_encoder_callback_arg (&encoderArg, &derTemp); if (rv != SECSuccess) { goto loser; } @@ -314,18 +314,18 @@ CRMF_CertReqMsgSetSignaturePOP(CRMFCertReqMsg *inCertReqMsg, if (rv != SECSuccess) { goto loser; } - rv = SECITEM_CopyItem(poolp, &(inCertReqMsg->derPOP), &derDest); - PORT_Free (derDest.data); + rv = SECITEM_CopyItem(poolp, &(inCertReqMsg->derPOP), &derTemp); if (rv != SECSuccess) { goto loser; } + PORT_Free (derTemp.data); PORT_ArenaUnmark(poolp,mark); return SECSuccess; loser: PORT_ArenaRelease(poolp,mark); - if (derDest.data != NULL) { - PORT_Free(derDest.data); + if (derTemp.data != NULL) { + PORT_Free(derTemp.data); } return SECFailure; } @@ -358,13 +358,13 @@ crmf_encode_popoprivkey(PRArenaPool *poolp, const SEC_ASN1Template *privKeyTemplate) { struct crmfEncoderArg encoderArg; - SECItem derDest; + SECItem derTemp; SECStatus rv; void *mark; const SEC_ASN1Template *subDerTemplate; mark = PORT_ArenaMark(poolp); - rv = crmf_init_encoder_callback_arg(&encoderArg, &derDest); + rv = crmf_init_encoder_callback_arg(&encoderArg, &derTemp); if (rv != SECSuccess) { goto loser; } 
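Review bot: In `crmf_encode_popoprivkey` the renamed `SECItem derTemp;` is still declared without an initializer, while the `loser` path shown in the following hunk tests `derTemp.data` and frees it. If `crmf_init_encoder_callback_arg` can fail before it stores a buffer pointer (its body is not visible here), `loser` would pass an indeterminate pointer to `PORT_Free`. `CRMF_CertReqMsgSetSignaturePOP` in the first hunk already declares `SECItem derTemp = {siBuffer, NULL, 0};`, and the same initializer belongs here. The function body continues outside this hunk.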
@@ -378,32 +378,32 @@ crmf_encode_popoprivkey(PRArenaPool *poolp, if (rv != SECSuccess) { goto loser; } - if (encoderArg.allocatedLen > derDest.len+2) { - void *dummy = PORT_Realloc(derDest.data, derDest.len+2); + if (encoderArg.allocatedLen > derTemp.len+2) { + void *dummy = PORT_Realloc(derTemp.data, derTemp.len+2); if (dummy == NULL) { goto loser; } - derDest.data = dummy; + derTemp.data = dummy; } - PORT_Memmove(&derDest.data[2], &derDest.data[0], derDest.len); + PORT_Memmove(&derTemp.data[2], &derTemp.data[0], derTemp.len); /* I couldn't figure out how to get the ASN1 encoder to implicitly * tag an implicitly tagged der blob. So I'm putting in the outter- * most tag myself. -javi */ - derDest.data[0] = (unsigned char)privKeyTemplate->kind; - derDest.data[1] = (unsigned char)derDest.len; - derDest.len += 2; - rv = SECITEM_CopyItem(poolp, &inCertReqMsg->derPOP, &derDest); + derTemp.data[0] = (unsigned char)privKeyTemplate->kind; + derTemp.data[1] = (unsigned char)derTemp.len; + derTemp.len += 2; + rv = SECITEM_CopyItem(poolp, &inCertReqMsg->derPOP, &derTemp); if (rv != SECSuccess) { goto loser; } - PORT_Free(derDest.data); + PORT_Free(derTemp.data); PORT_ArenaUnmark(poolp, mark); return SECSuccess; loser: PORT_ArenaRelease(poolp, mark); - if (derDest.data) { - PORT_Free(derDest.data); + if (derTemp.data) { + PORT_Free(derTemp.data); } return SECFailure; } diff --git a/security/nss/lib/cryptohi/keyhi.h b/security/nss/lib/cryptohi/keyhi.h index 9a35bead8..350b88d0f 100644 --- a/security/nss/lib/cryptohi/keyhi.h +++ b/security/nss/lib/cryptohi/keyhi.h @@ -90,6 +90,11 @@ extern unsigned SECKEY_PublicKeyStrength(SECKEYPublicKey *pubk); extern unsigned SECKEY_PublicKeyStrengthInBits(SECKEYPublicKey *pubk); /* +** Return the length of the signature in bytes +*/ +extern unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk); + +/* ** Make a copy of the private key "privKey" */ extern SECKEYPrivateKey *SECKEY_CopyPrivateKey(SECKEYPrivateKey *privKey); 
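Review bot: The `PORT_Memmove(&derTemp.data[2], &derTemp.data[0], derTemp.len)` in `crmf_encode_popoprivkey` needs a buffer of `derTemp.len + 2` bytes, but the preceding `PORT_Realloc` only runs when `encoderArg.allocatedLen > derTemp.len+2`, which is when the buffer is already large enough. Unless the encoder callback guarantees two spare bytes (not visible in this hunk), an allocation of exactly `derTemp.len` or `derTemp.len+1` bytes is written past its end. The test should grow the buffer instead: `if (encoderArg.allocatedLen < derTemp.len+2)`. Separately, `derTemp.data[1] = (unsigned char)derTemp.len;` is a valid DER length only for values below 128, so a larger `derTemp.len` should be rejected before the tag is written.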
diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c index d2bd046e1..8a128af5f 100644 --- a/security/nss/lib/cryptohi/seckey.c +++ b/security/nss/lib/cryptohi/seckey.c @@ -198,8 +198,11 @@ SECKEYPrivateKey * SECKEY_CreateRSAPrivateKey(int keySizeInBits,SECKEYPublicKey **pubk, void *cx) { SECKEYPrivateKey *privk; - PK11SlotInfo *slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN,cx); PK11RSAGenParams param; + PK11SlotInfo *slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN,cx); + if (!slot) { + return NULL; + } param.keySizeInBits = keySizeInBits; param.pe = 65537L; @@ -222,6 +225,9 @@ SECKEY_CreateDHPrivateKey(SECKEYDHParams *param, SECKEYPublicKey **pubk, void *c { SECKEYPrivateKey *privk; PK11SlotInfo *slot = PK11_GetBestSlot(CKM_DH_PKCS_KEY_PAIR_GEN,cx); + if (!slot) { + return NULL; + } privk = PK11_GenerateKeyPair(slot, CKM_DH_PKCS_KEY_PAIR_GEN, param, pubk, PR_FALSE, PR_FALSE, cx); @@ -245,6 +251,9 @@ SECKEY_CreateECPrivateKey(SECKEYECParams *param, SECKEYPublicKey **pubk, void *c { SECKEYPrivateKey *privk; PK11SlotInfo *slot = PK11_GetBestSlot(CKM_EC_KEY_PAIR_GEN,cx); + if (!slot) { + return NULL; + } privk = PK11_GenerateKeyPair(slot, CKM_EC_KEY_PAIR_GEN, param, pubk, PR_FALSE, PR_FALSE, cx); @@ -1284,7 +1293,8 @@ SECKEY_ECParamsToKeySize(const SECItem *encodedParams) return 571; default: - return 0; + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + return 0; } } @@ -1430,7 +1440,8 @@ SECKEY_ECParamsToBasePointOrderLen(const SECItem *encodedParams) return 570; default: - return 0; + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + return 0; } } @@ -1467,6 +1478,7 @@ SECKEY_PublicKeyStrength(SECKEYPublicKey *pubk) default: break; } + PORT_SetError(SEC_ERROR_INVALID_KEY); return 0; } 
@@ -1489,6 +1501,33 @@ SECKEY_PublicKeyStrengthInBits(SECKEYPublicKey *pubk) default: break; } + PORT_SetError(SEC_ERROR_INVALID_KEY); + return 0; +} + +/* returns signature length in bytes (not bits) */ +unsigned +SECKEY_SignatureLen(const SECKEYPublicKey *pubk) +{ + unsigned char b0; + unsigned size; + + switch (pubk->keyType) { + case rsaKey: + b0 = pubk->u.rsa.modulus.data[0]; + return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1; + case fortezzaKey: + case dsaKey: + return DSA_SIGNATURE_LEN; + case ecKey: + /* Get the base point order length in bits and adjust */ + size = SECKEY_ECParamsToBasePointOrderLen( + &pubk->u.ec.DEREncodedParams); + return ((size + 7)/8) * 2; + default: + break; + } + PORT_SetError(SEC_ERROR_INVALID_KEY); return 0; } diff --git a/security/nss/lib/cryptohi/secvfy.c b/security/nss/lib/cryptohi/secvfy.c index 7a7c6ec98..3d2394627 100644 --- a/security/nss/lib/cryptohi/secvfy.c +++ b/security/nss/lib/cryptohi/secvfy.c @@ -341,14 +341,18 @@ vfy_CreateContextPrivate(const SECKEYPublicKey *key, const SECItem *sig, case ecKey: if (key->keyType == ecKey) { cx->type = VFY_ECDSA; - /* Unlike DSA, EDSA does not have a fixed signature length + /* Unlike DSA, ECDSA does not have a fixed signature length * (it depends on the key size) */ - sigLen = SECKEY_PublicKeyStrength((SECKEYPublicKey *)key) * 2; + sigLen = SECKEY_SignatureLen(key); } else { cx->type = VFY_DSA; sigLen = DSA_SIGNATURE_LEN; } + if (sigLen == 0) { + rv = SECFailure; + break; + } rv = decodeSigAlg(algid, params, key, &cx->alg); if (rv != SECSuccess) { break; @@ -463,7 +467,10 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig) if (cx->type == VFY_DSA) { dsasig.len = DSA_SIGNATURE_LEN; } else { - dsasig.len = SECKEY_PublicKeyStrength(cx->key) * 2; + dsasig.len = SECKEY_SignatureLen(cx->key); + } + if (dsasig.len == 0) { + return SECFailure; } if (sig) { rv = decodeECorDSASignature(cx->sigAlg,sig,dsasig.data, 
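Review bot: The `rsaKey` branch of the new `SECKEY_SignatureLen` reads `pubk->u.rsa.modulus.data[0]` without first checking that the modulus is non-empty. With `modulus.len == 0`, `data` may be NULL, and if the byte read is zero, `modulus.len - 1` wraps to a very large unsigned value that the secvfy.c callers then use as a signature length. Public keys normally come from parsed certificates, so I would reject that case up front: `if (pubk->u.rsa.modulus.len == 0) { PORT_SetError(SEC_ERROR_INVALID_KEY); return 0; }`. The keyhi.h comment should also say that 0 means failure with the error code set, since the secvfy.c hunks now depend on that.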
@@ -540,11 +547,14 @@ VFY_VerifyDigest(SECItem *digest, SECKEYPublicKey *key, SECItem *sig, case ecKey: dsasig.data = cx->u.buffer; if (key->keyType == ecKey) { - dsasig.len = SECKEY_PublicKeyStrength(cx->key) * 2; + dsasig.len = SECKEY_SignatureLen(cx->key); } else { /* magic size of dsa signature */ dsasig.len = DSA_SIGNATURE_LEN; } + if (dsasig.len == 0) { + break; + } if (PK11_Verify(cx->key, &dsasig, digest, cx->wincx) != SECSuccess) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def index b9d6971d1..622614da5 100644 --- a/security/nss/lib/nss/nss.def +++ b/security/nss/lib/nss/nss.def @@ -881,3 +881,9 @@ SEC_RegisterDefaultHttpClient; ;+ local: ;+ *; ;+}; +;+NSS_3.11.2 { +;+ global: +SECKEY_SignatureLen; +;+ local: +;+ *; +;+}; diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c index 0c8e23bca..c0d10f9ac 100644 --- a/security/nss/lib/pk11wrap/pk11cert.c +++ b/security/nss/lib/pk11wrap/pk11cert.c @@ -481,7 +481,7 @@ PK11_TraverseSlotCerts(SECStatus(* callback)(CERTCertificate*,SECItem *,void *), struct nss3_cert_cbstr pk11cb; /* authenticate to the tokens first */ - (void) pk11_TraverseAllSlots( NULL, NULL, wincx); + (void) pk11_TraverseAllSlots( NULL, NULL, PR_TRUE, wincx); fda.callback = callback; fda.arg = arg; @@ -2323,7 +2323,7 @@ PK11_ListCerts(PK11CertListType type, void *pwarg) listCerts.certList = certList; /* authenticate to the slots */ - (void) pk11_TraverseAllSlots( NULL, NULL, pwarg); + (void) pk11_TraverseAllSlots( NULL, NULL, PR_TRUE, pwarg); NSSTrustDomain_TraverseCertificates(defaultTD, pk11ListCertCallback, &listCerts); return certList; diff --git a/security/nss/lib/pk11wrap/pk11nobj.c b/security/nss/lib/pk11wrap/pk11nobj.c index db9aa6ba9..3fac66128 100644 --- a/security/nss/lib/pk11wrap/pk11nobj.c +++ b/security/nss/lib/pk11wrap/pk11nobj.c 
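Review bot: In `VFY_VerifyDigest` the new `if (dsasig.len == 0) { break; }` leaves the switch without assigning `rv`, unlike the matching checks in `vfy_CreateContextPrivate` (`rv = SECFailure; break;`) and `VFY_EndWithSignature` (`return SECFailure;`). Whether the function then reports failure depends on how `rv` is initialised above the hunk, which is not visible here. A verification routine should make the failure explicit at the point of detection: `if (dsasig.len == 0) { rv = SECFailure; break; }`.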
@@ -270,7 +270,7 @@ PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx) { creater.findTemplate = theTemplate; creater.templateCount = (attrs - theTemplate); - return pk11_TraverseAllSlots(PK11_TraverseSlot, &creater, wincx); + return pk11_TraverseAllSlots(PK11_TraverseSlot, &creater, PR_FALSE, wincx); } struct crlOptionsStr { @@ -421,7 +421,7 @@ SECStatus pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem* issuer, creater.findTemplate = theTemplate; creater.templateCount = (attrs - theTemplate); - return pk11_TraverseAllSlots(PK11_TraverseSlot, &creater, wincx); + return pk11_TraverseAllSlots(PK11_TraverseSlot, &creater, PR_FALSE, wincx); } /* diff --git a/security/nss/lib/pk11wrap/pk11obj.c b/security/nss/lib/pk11wrap/pk11obj.c index 07536003c..1bc9e8443 100644 --- a/security/nss/lib/pk11wrap/pk11obj.c +++ b/security/nss/lib/pk11wrap/pk11obj.c @@ -1571,8 +1571,8 @@ PK11_TraverseSlot(PK11SlotInfo *slot, void *arg) * Traverse all the objects in all slots. */ SECStatus -pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *), - void *arg,void *wincx) { +pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *), + void *arg, PRBool forceLogin, void *wincx) { PK11SlotList *list; PK11SlotListElement *le; SECStatus rv; @@ -1583,9 +1583,11 @@ pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *), /* look at each slot and authenticate as necessary */ for (le = list->head ; le; le = le->next) { - rv = pk11_AuthenticateUnfriendly(le->slot, PR_FALSE, wincx); - if (rv != SECSuccess) { - continue; + if (forceLogin) { + rv = pk11_AuthenticateUnfriendly(le->slot, PR_FALSE, wincx); + if (rv != SECSuccess) { + continue; + } } if (callback) { (*callback)(le->slot,arg); diff --git a/security/nss/lib/pk11wrap/pk11pqg.c b/security/nss/lib/pk11wrap/pk11pqg.c index 62afc7756..711818639 100644 --- a/security/nss/lib/pk11wrap/pk11pqg.c +++ b/security/nss/lib/pk11wrap/pk11pqg.c 
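Review bot: The new `forceLogin` parameter of `pk11_TraverseAllSlots` is undocumented, and the header comment in pk11obj.c still reads only "Traverse all the objects in all slots." With `PR_FALSE` the callback now runs on slots that were never authenticated, so presumably only objects readable without login are visited; the two CRL callers in pk11nobj.c rely on that. I would extend the header comment, e.g. `* If forceLogin is PR_TRUE, authenticate to each slot first and skip slots where login fails; if PR_FALSE, invoke the callback without logging in.`, and reword the inline `/* look at each slot and authenticate as necessary */` to match. The function body continues outside the hunk.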
@@ -119,6 +119,10 @@ PK11_PQG_ParamGenSeedLen( unsigned int j, unsigned int seedBytes, } parena = PORT_NewArena(60); + if (!parena) { + goto loser; + } + crv = PK11_GetAttributes(parena, slot, objectID, pTemplate, pTemplateCount); if (crv != CKR_OK) { PORT_SetError( PK11_MapError(crv) ); @@ -145,6 +149,10 @@ PK11_PQG_ParamGenSeedLen( unsigned int j, unsigned int seedBytes, varena = PORT_NewArena(60); + if (!varena) { + goto loser; + } + crv = PK11_GetAttributes(varena, slot, objectID, vTemplate, vTemplateCount); if (crv != CKR_OK) { PORT_SetError( PK11_MapError(crv) ); diff --git a/security/nss/lib/pk11wrap/pk11priv.h b/security/nss/lib/pk11wrap/pk11priv.h index 6d0b012b0..feef1959a 100644 --- a/security/nss/lib/pk11wrap/pk11priv.h +++ b/security/nss/lib/pk11wrap/pk11priv.h @@ -207,7 +207,7 @@ SECStatus PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, /* private */ SECStatus pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *), - void *cbArg, void *pwArg); + void *cbArg, PRBool forceLogin, void *pwArg); /* fetch multiple CRLs for a specific issuer */ SECStatus pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem* issuer, diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c index ce5cbd811..f7cb05411 100644 --- a/security/nss/lib/pk11wrap/pk11skey.c +++ b/security/nss/lib/pk11wrap/pk11skey.c @@ -929,6 +929,13 @@ PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, count = attrs - genTemplate; PR_ASSERT(count <= sizeof(genTemplate)/sizeof(CK_ATTRIBUTE)); + /* Initialize the Key Gen Mechanism */ + mechanism.mechanism = PK11_GetKeyGenWithSize(type, keySize); + if (mechanism.mechanism == CKM_FAKE_RANDOM) { + PORT_SetError( SEC_ERROR_NO_MODULE ); + return NULL; + } + /* find a slot to generate the key into */ /* Only do slot management if this is not a token key */ if (!isToken && (slot == NULL || !PK11_DoesMechanism(slot,type))) { 
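Review bot: The block moved up in PK11_TokenKeyGenWithFlags (pk11skey.c, `@@ -929`) keeps its old comment, `/* Initialize the Key Gen Mechanism */`, which does not say why it now has to run before slot selection. In its former position, removed at `@@ -951`, the `return NULL` on `CKM_FAKE_RANDOM` came after `symKey` had been filled in, so the new ordering is what keeps that exit from leaking. A comment such as `/* Resolve the mechanism before a slot or key object is acquired, so this early return has nothing to release */` would stop a later reordering from reintroducing the problem. The function starts and ends outside the hunk.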
@@ -951,13 +958,6 @@ PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, symKey->size = keySize; symKey->origin = PK11_OriginGenerated; - /* Initialize the Key Gen Mechanism */ - mechanism.mechanism = PK11_GetKeyGenWithSize(type, keySize); - if (mechanism.mechanism == CKM_FAKE_RANDOM) { - PORT_SetError( SEC_ERROR_NO_MODULE ); - return NULL; - } - /* Set the parameters for the key gen if provided */ mechanism.pParameter = NULL; mechanism.ulParameterLen = 0; @@ -1646,17 +1646,35 @@ PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, return NULL; } -PK11SymKey * -PK11_PubDeriveWithKDF(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, - PRBool isSender, SECItem *randomA, SECItem *randomB, - CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, - CK_ATTRIBUTE_TYPE operation, int keySize, - CK_ULONG kdf, SECItem *sharedData, void *wincx) +static PK11SymKey * +pk11_PubDeriveECKeyWithKDF( + SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, + PRBool isSender, SECItem *randomA, SECItem *randomB, + CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, + CK_ULONG kdf, SECItem *sharedData, void *wincx) { - PK11SlotInfo *slot = privKey->pkcs11Slot; - PK11SymKey *symKey; - CK_MECHANISM mechanism; - CK_RV crv; + PK11SlotInfo *slot = privKey->pkcs11Slot; + PK11SymKey *symKey; + CK_MECHANISM mechanism; + CK_RV crv; + CK_BBOOL cktrue = CK_TRUE; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_ULONG key_size = 0; + CK_ATTRIBUTE keyTemplate[4]; + int templateCount; + CK_ATTRIBUTE *attrs = keyTemplate; + CK_ECDH1_DERIVE_PARAMS *mechParams = NULL; + + if (pubKey->keyType != ecKey) { + PORT_SetError(SEC_ERROR_BAD_KEY); + return NULL; + } + if ((kdf < CKD_NULL) || (kdf > CKD_SHA1_KDF)) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; + } /* get our key Structure */ symKey = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, wincx); 
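Review bot: The new static helper pk11_PubDeriveECKeyWithKDF (`@@ -1646`) is introduced without a header comment, and three of its parameters, `isSender`, `randomA` and `randomB`, are never used in the body shown in this hunk and the next. A short comment should state that the helper handles only the ECDH1 case, that it returns NULL with an error set on failure, and that those three arguments are accepted only to mirror PK11_PubDeriveWithKDF. The range test `(kdf < CKD_NULL) || (kdf > CKD_SHA1_KDF)` relies on the numeric ordering of the CKD constants, which also deserves a comment, e.g. `/* accepts only the KDF values between CKD_NULL and CKD_SHA1_KDF inclusive */`. The helper's body continues in the following hunk.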
@@ -1666,6 +1684,62 @@ PK11_PubDeriveWithKDF(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, symKey->origin = PK11_OriginDerive; + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); attrs++; + PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++; + PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); attrs++; + templateCount = attrs - keyTemplate; + PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE)); + + keyType = PK11_GetKeyType(target,keySize); + key_size = keySize; + symKey->size = keySize; + if (key_size == 0) + templateCount--; + + mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS); + if (!mechParams) { + PK11_FreeSymKey(symKey); + return NULL; + } + mechParams->kdf = kdf; + if (sharedData == NULL) { + mechParams->ulSharedDataLen = 0; + mechParams->pSharedData = NULL; + } else { + mechParams->ulSharedDataLen = sharedData->len; + mechParams->pSharedData = sharedData->data; + } + mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len; + mechParams->pPublicData = pubKey->u.ec.publicValue.data; + + mechanism.mechanism = derive; + mechanism.pParameter = mechParams; + mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS); + + pk11_EnterKeyMonitor(symKey); + crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism, + privKey->pkcs11ID, keyTemplate, templateCount, &symKey->objectID); + pk11_ExitKeyMonitor(symKey); + + PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); + + if (crv != CKR_OK) { + PK11_FreeSymKey(symKey); + symKey = NULL; + PORT_SetError( PK11_MapError(crv) ); + } + return symKey; +} + +PK11SymKey * +PK11_PubDeriveWithKDF(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, + PRBool isSender, SECItem *randomA, SECItem *randomB, + CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, + CK_ULONG kdf, SECItem *sharedData, void *wincx) +{ + switch (privKey->keyType) { case rsaKey: 
case nullKey: 
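Review bot: In the helper body added at `@@ -1666`, `key_size = keySize;` stores a signed `int` into a `CK_ULONG` without a range check, so a negative `keySize` becomes a very large `CKA_VALUE_LEN` passed to `C_DeriveKey` and is also written to `symKey->size`. The helper already validates the public key type and `kdf` before allocating anything (previous hunk), and `keySize` belongs with those checks: `if (keySize < 0) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; }`. Doing it there also keeps the rejection ahead of `pk11_CreateSymKey`, so nothing has to be freed. The helper begins in the previous hunk, and the dispatcher that follows it continues in the next one.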
@@ -1673,75 +1747,16 @@ PK11_PubDeriveWithKDF(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, case keaKey: case fortezzaKey: case dhKey: - PK11_FreeSymKey(symKey); return PK11_PubDerive(privKey, pubKey, isSender, randomA, randomB, derive, target, operation, keySize, wincx); case ecKey: - { - CK_BBOOL cktrue = CK_TRUE; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; - CK_ULONG key_size = 0; - CK_ATTRIBUTE keyTemplate[4]; - int templateCount; - CK_ATTRIBUTE *attrs = keyTemplate; - CK_ECDH1_DERIVE_PARAMS *mechParams = NULL; - - if (pubKey->keyType != ecKey) { - PORT_SetError(SEC_ERROR_BAD_KEY); - break; - } - - PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); - attrs++; - PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); - attrs++; - PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++; - PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); - attrs++; - templateCount = attrs - keyTemplate; - PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE)); - - keyType = PK11_GetKeyType(target,keySize); - key_size = keySize; - symKey->size = keySize; - if (key_size == 0) templateCount--; - - mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS); - if ((kdf < CKD_NULL) || (kdf > CKD_SHA1_KDF)) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - break; - } - mechParams->kdf = kdf; - if (sharedData == NULL) { - mechParams->ulSharedDataLen = 0; - mechParams->pSharedData = NULL; - } else { - mechParams->ulSharedDataLen = sharedData->len; - mechParams->pSharedData = sharedData->data; - } - mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len; - mechParams->pPublicData = pubKey->u.ec.publicValue.data; - - mechanism.mechanism = derive; - mechanism.pParameter = mechParams; - mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS); - - pk11_EnterKeyMonitor(symKey); - crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, - &mechanism, privKey->pkcs11ID, keyTemplate, - templateCount, 
&symKey->objectID); - pk11_ExitKeyMonitor(symKey); - - PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); - - if (crv == CKR_OK) return symKey; - PORT_SetError( PK11_MapError(crv) ); - } - } + return pk11_PubDeriveECKeyWithKDF( privKey, pubKey, isSender, + randomA, randomB, derive, target, operation, keySize, + kdf, sharedData, wincx); + default: break; + } - PK11_FreeSymKey(symKey); - return NULL; + return NULL; } /* diff --git a/security/nss/lib/smime/cmsencode.c b/security/nss/lib/smime/cmsencode.c index 34e097cf2..7e5d2b514 100644 --- a/security/nss/lib/smime/cmsencode.c +++ b/security/nss/lib/smime/cmsencode.c @@ -563,8 +563,10 @@ NSS_CMSEncoder_Start(NSSCMSMessage *cmsg, rv = SECFailure; break; } - if (rv != SECSuccess) + if (rv != SECSuccess) { + PORT_Free(p7ecx); return NULL; + } /* Initialize the BER encoder. * Note that this will not encode anything until the first call to SEC_ASN1EncoderUpdate */ diff --git a/security/nss/lib/smime/smimeutil.c b/security/nss/lib/smime/smimeutil.c index b632b1a0d..559d2fd37 100644 --- a/security/nss/lib/smime/smimeutil.c +++ b/security/nss/lib/smime/smimeutil.c 
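Review bot: The rewritten PK11_PubDeriveWithKDF dispatcher falls through `default: break;` to `return NULL;` without setting an error code, so a caller that passes a private key of an unlisted type receives NULL together with whatever error an earlier call left behind. Setting one in that arm, e.g. `default: PORT_SetError(SEC_ERROR_BAD_KEY); break;`, would match how the EC helper reports a mismatched public key. `privKey` is also dereferenced in the `switch` with no NULL check in the lines shown; if callers can pass NULL, that test belongs at the top. The function begins in an earlier hunk.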
@@ -116,15 +116,18 @@ static const SEC_ASN1Template smime_encryptionkeypref_template[] = { { SEC_ASN1_CHOICE, offsetof(NSSSMIMEEncryptionKeyPreference,selector), NULL, sizeof(NSSSMIMEEncryptionKeyPreference) }, - { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, + { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0 + | SEC_ASN1_CONSTRUCTED, offsetof(NSSSMIMEEncryptionKeyPreference,id.issuerAndSN), SEC_ASN1_SUB(CERT_IssuerAndSNTemplate), NSSSMIMEEncryptionKeyPref_IssuerSN }, - { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 1, + { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 1 + | SEC_ASN1_CONSTRUCTED, offsetof(NSSSMIMEEncryptionKeyPreference,id.recipientKeyID), NSSCMSRecipientKeyIdentifierTemplate, NSSSMIMEEncryptionKeyPref_IssuerSN }, - { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2, + { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2 + | SEC_ASN1_CONSTRUCTED, offsetof(NSSSMIMEEncryptionKeyPreference,id.subjectKeyID), SEC_ASN1_SUB(SEC_OctetStringTemplate), NSSSMIMEEncryptionKeyPref_SubjectKeyID }, @@ -738,7 +741,7 @@ NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(CERTCertDBHandle *certdb, SECIt return NULL; /* decode DERekp */ - if (SEC_ASN1DecodeItem(tmppoolp, &ekp, smime_encryptionkeypref_template, + if (SEC_QuickDERDecodeItem(tmppoolp, &ekp, smime_encryptionkeypref_template, DERekp) != SECSuccess) goto loser; diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index 713d6c6ad..36eeb3e0b 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -896,7 +896,7 @@ ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert, * using ASN (unlike DSA where ASN encoding is used * with TLS but not with SSL3) */ - len = SECKEY_PublicKeyStrength(key) * 2; + len = SECKEY_SignatureLen(key); if (len == 0) { SECKEY_DestroyPublicKey(key); PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); 
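Review bot: The `[1]` alternative for `id.recipientKeyID` in smime_encryptionkeypref_template (`@@ -116`) still ends with the selector value `NSSSMIMEEncryptionKeyPref_IssuerSN`, the same value used by the `[0]` alternative, and this hunk edits the entry without correcting it. If that is not intentional, a decoded recipient key identifier would be labelled as issuer-and-serial and the consumer would read the wrong member of `id`. The entry should carry the enum's own value for the recipient-key-ID choice (presumably `NSSSMIMEEncryptionKeyPref_RKeyID`; confirm against the enum declaration, which is not shown). The template array continues beyond the hunk.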
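Review bot: Switching to `SEC_QuickDERDecodeItem` at `@@ -738` changes the lifetime rules for `ekp`, and the hunk does not document it. The QuickDER decoder does not copy the encoded bytes, so the decoded fields point into the buffer behind `DERekp` rather than into memory owned by `tmppoolp`. A comment above the call, e.g. `/* QuickDER: fields of ekp alias DERekp->data; DERekp must stay valid and unmodified while ekp is used */`, would record the constraint. How long `ekp` is used lies outside the hunk, so the rest of the function should be checked against it.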
diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c index e72d1ff3a..d97d6ce6c 100644 --- a/security/nss/lib/ssl/sslcon.c +++ b/security/nss/lib/ssl/sslcon.c @@ -1748,6 +1748,8 @@ hide_loser: * in the first byte, and none of the SSLv2 ciphers do. * * Called from ssl2_HandleClientHelloMessage(). +* Returns the number of bytes of "qualified cipher specs", +* which is typically a multiple of 3, but will be zero if there are none. */ static int ssl2_QualifyCypherSpecs(sslSocket *ss, @@ -1765,7 +1767,9 @@ ssl2_QualifyCypherSpecs(sslSocket *ss, PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); if (!ss->cipherSpecs) { - ssl2_ConstructCipherSpecs(ss); + SECStatus rv = ssl2_ConstructCipherSpecs(ss); + if (rv != SECSuccess || !ss->cipherSpecs) + return 0; } PRINT_BUF(10, (ss, "specs from client:", cs, csLen)); @@ -1821,19 +1825,23 @@ ssl2_ChooseSessionCypher(sslSocket *ss, int keySize; int realKeySize; PRUint8 * ohs = hs; + const PRUint8 * preferred; + static const PRUint8 noneSuch[3] = { 0, 0, 0 }; PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) ); PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); if (!ss->cipherSpecs) { - ssl2_ConstructCipherSpecs(ss); + SECStatus rv = ssl2_ConstructCipherSpecs(ss); + if (rv != SECSuccess || !ss->cipherSpecs) + goto loser; } if (!ss->preferredCipher) { - const PRUint8 * preferred = implementedCipherSuites; - unsigned int allowed = ss->allowedByPolicy & ss->chosenPreference & + unsigned int allowed = ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED; if (allowed) { + preferred = implementedCipherSuites; for (i = ssl2_NUM_SUITES_IMPLEMENTED; i > 0; --i) { if (0 != (allowed & (1U << preferred[0]))) { ss->preferredCipher = preferred; @@ -1843,6 +1851,7 @@ ssl2_ChooseSessionCypher(sslSocket *ss, } } } + preferred = ss->preferredCipher ? ss->preferredCipher : noneSuch; /* ** Scan list of ciphers recieved from peer and look for a match in ** our list. 
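Review bot: The `noneSuch` sentinel added to ssl2_ChooseSessionCypher (`@@ -1821`) has no comment, and its safety rests on a term in a different hunk: the all-zero triple can never be selected only because the comparison at `@@ -1855` also requires `hs[0] != 0`. A comment at the declaration, e.g. `/* all-zero spec: never selected, the preferred-cipher test also requires hs[0] != 0 */`, would keep the two from drifting apart. The hoisted `preferred` pointer now appears to serve both as the cursor over `implementedCipherSuites` and as the value compared in the scan loop; a separate name for the cursor would make the reassignment at `@@ -1843` easier to follow. The function body extends beyond these hunks.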
@@ -1855,9 +1864,9 @@ ssl2_ChooseSessionCypher(sslSocket *ss, bestCypher = -1; while (--hc >= 0) { for (i = 0, ms = ss->cipherSpecs; i < ss->sizeCipherSpecs; i += 3, ms += 3) { - if ((hs[0] == ss->preferredCipher[0]) && - (hs[1] == ss->preferredCipher[1]) && - (hs[2] == ss->preferredCipher[2]) && + if ((hs[0] == preferred[0]) && + (hs[1] == preferred[1]) && + (hs[2] == preferred[2]) && hs[0] != 0) { /* Pick this cipher immediately! */ *pKeyLen = (((hs[1] << 8) | hs[2]) + 7) >> 3; diff --git a/security/nss/lib/ssl/sslmutex.c b/security/nss/lib/ssl/sslmutex.c index 0c5ae4cee..77860b3fa 100644 --- a/security/nss/lib/ssl/sslmutex.c +++ b/security/nss/lib/ssl/sslmutex.c @@ -143,17 +143,6 @@ sslMutex_Init(sslMutex *pMutex, int shared) if (err) { return err; } - /* close-on-exec is false by default */ - if (!shared) { - err = fcntl(pMutex->u.pipeStr.mPipes[0], F_SETFD, FD_CLOEXEC); - if (err) - goto loser; - - err = fcntl(pMutex->u.pipeStr.mPipes[1], F_SETFD, FD_CLOEXEC); - if (err) - goto loser; - } - #if NONBLOCKING_POSTS err = setNonBlocking(pMutex->u.pipeStr.mPipes[1], 1); if (err) diff --git a/security/nss/lib/util/secasn1d.c b/security/nss/lib/util/secasn1d.c index 91731c843..e0a8f6439 100644 --- a/security/nss/lib/util/secasn1d.c +++ b/security/nss/lib/util/secasn1d.c @@ -1670,6 +1670,8 @@ sec_asn1d_add_to_subitems (sec_asn1d_state *state, copy = sec_asn1d_alloc (state->top->our_pool, len); if (copy == NULL) { state->top->status = decodeError; + if (!state->top->our_pool) + PORT_Free(thing); return NULL; } PORT_Memcpy (copy, data, len); diff --git a/security/nss/manifest.mn b/security/nss/manifest.mn index b080f94d6..60f1ba41a 100644 --- a/security/nss/manifest.mn +++ b/security/nss/manifest.mn @@ -37,7 +37,7 @@ CORE_DEPTH = .. DEPTH = .. -IMPORTS = nspr20/v4.6 \ +IMPORTS = nspr20/v4.6.2 \ $(NULL) RELEASE = nss diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh index 8e0e44f89..e347e8df5 100755 --- a/security/nss/tests/cert/cert.sh 
+++ b/security/nss/tests/cert/cert.sh @@ -857,8 +857,8 @@ cert_stresscerts() cert_fips() { CERTFAILED=0 - echo "$SCRIPTNAME: Creating FIPS 140-1 DSA Certificates ==============" - cert_init_cert "${FIPSDIR}" "FIPS PUB 140-1 Test Certificate" 1000 "${D_FIPS}" + echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates ==============" + cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}" CU_ACTION="Initializing ${CERTNAME}'s Cert DB" certu -N -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" 2>&1 @@ -878,7 +878,7 @@ MODSCRIPT fi CU_ACTION="Generate Certificate for ${CERTNAME}" - CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140-1, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US" certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1 if [ "$RET" -eq 0 ]; then cert_log "SUCCESS: FIPS passed" diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh index 9097ff59c..0cdffc796 100644 --- a/security/nss/tests/common/init.sh +++ b/security/nss/tests/common/init.sh @@ -395,7 +395,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then FIPSPWFILE=${TMP}/tests.fipspw.$$ FIPSBADPWFILE=${TMP}/tests.fipsbadpw.$$ FIPSP12PWFILE=${TMP}/tests.fipsp12pw.$$ - FIPSCERTNICK="FIPS_PUB_140-1_Test_Certificate" + FIPSCERTNICK="FIPS_PUB_140_Test_Certificate" # domains to handle ipc based access to databases D_CA="TestCA.$version" diff --git a/security/nss/tests/fips/fips.sh b/security/nss/tests/fips/fips.sh index 6a4986f0f..71dd9a28c 100755 --- a/security/nss/tests/fips/fips.sh +++ b/security/nss/tests/fips/fips.sh 
@@ -70,7 +70,7 @@ fips_init() . ./cert.sh fi SCRIPTNAME=fips.sh - html_head "FIPS 140-1 Compliance Tests" + html_head "FIPS 140 Compliance Tests" grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || { Exit 15 "Fatal - FIPS of cert.sh needs to pass first" @@ -92,11 +92,11 @@ fips_init() cd ${FIPSDIR} } -############################## fips_140_1 ############################## +############################## fips_140 ############################## # local shell function to test basic functionality of NSS while in -# FIPS 140-1 compliant mode +# FIPS 140 compliant mode ######################################################################## -fips_140_1() +fips_140() { echo "$SCRIPTNAME: Verify this module is in FIPS mode -----------------" echo "modutil -dbdir ${P_R_FIPSDIR} -list" @@ -214,6 +214,6 @@ fips_cleanup() fips_init -fips_140_1 +fips_140 fips_cleanup |