Bug 898431: Update to NSS 3.15.4 beta 3 (NSS_3_15_4_BETA3), r=me

--HG--
extra : rebase_source : a6dd976f23ebdd33dcf6fd26e4752ddb2bbc5363
Brian Smith 2013-11-17 13:50:25 -08:00
parent a93e764b5e
commit 4cc114fd5f
32 changed files with 727 additions and 356 deletions


@ -1 +1 @@
NSS_3_15_4_BETA2
NSS_3_15_4_BETA3


@ -214,13 +214,14 @@ Pk11Install_File_Generate(Pk11Install_File* _this,
FILE_PERMISSIONS_STRING)) {
subiter = Pk11Install_ListIter_new(subpair->list);
subval = subiter->current;
if(!subval || (subval->type != STRING_VALUE)){
if(!subval || (subval->type != STRING_VALUE) ||
!subval->string || !subval->string[0]){
errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS],
_this->jarPath);
goto loser;
}
_this->permissions = (int) strtol(subval->string, &endp, 8);
if(*endp != '\0' || subval->string == "\0") {
if(*endp != '\0') {
errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS],
_this->jarPath);
goto loser;
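Review bot: The octal value is still narrowed with `(int) strtol(subval->string, &endp, 8)` and never range-checked, so a string such as `-1` or a number far larger than any file mode passes the `*endp != '\0'` test and is stored in `_this->permissions`. strtol also skips leading whitespace and accepts a sign, which the new NULL/empty-string guard does not exclude. Parsing into a `long` first and rejecting anything outside the permission bits, for example `if(*endp != '\0' || perm < 0 || perm > 07777) {`, would stop a malformed install script from setting an arbitrary value; whether later code masks the field cannot be seen from here. The enclosing function starts before and continues after this hunk, so the declaration of such a temporary would belong with the other locals outside the visible lines.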


@ -10,3 +10,4 @@
*/
#error "Do not include this header file."


@ -240,7 +240,7 @@ diagnosePath(const char * path)
if (rv < 0) {
perror(myPath);
} else if (S_ISLNK(sb.st_mode)) {
rv = readlink(myPath, buf, sizeof buf);
rv = readlink(myPath, buf, sizeof(buf) - 1);
if (rv < 0) {
perror("readlink");
buf[0] = 0;
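Review bot: Passing `sizeof(buf) - 1` reserves a byte for the terminator, but readlink() never writes one, so the fix only holds if the success branch, which lies past the end of this hunk, stores `buf[rv] = 0`; that is worth confirming. A link target that fills the reduced length is also truncated silently, and since this routine prints the target for diagnosis a short comment would help, e.g. `/* readlink() does not NUL-terminate; keep one byte for it, long targets are truncated */`. diagnosePath begins before and continues after the visible lines.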


@ -660,8 +660,8 @@ PKCS #11 key Attributes. Comma separated list of key attribute flags, selected f
</varlistentry>
<varlistentry>
<term>--keyFlagsOn opflags</term>
<term>--keyFlagsOff opflags</term>
<term>--keyOpFlagsOn opflags</term>
<term>--keyOpFlagsOff opflags</term>
<listitem><para>
PKCS #11 key Operation Flags.
Comma separated list of one or more of the following:


@ -1,4 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm139822584390064"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm224672048528"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. 
If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the
<code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname.
</p><p>
@ -110,7 +110,7 @@ of the attribute codes:
</p></li><li class="listitem"><p>
critical
</p></li></ul></div><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-7 emailAddrs</span></dt><dd><p>Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">-8 dns-names</span></dt><dd><p>Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</p></dd><dt><span class="term">--extAIA</span></dt><dd><p>Add the Authority Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSIA</span></dt><dd><p>Add the Subject Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extCP</span></dt><dd><p>Add the Certificate Policies extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPM</span></dt><dd><p>Add the Policy Mappings extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extPC</span></dt><dd><p>Add the Policy Constraints extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extIA</span></dt><dd><p>Add the Inhibit Any Policy Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extSKID</span></dt><dd><p>Add the Subject Key ID extension to the certificate. 
X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--extNC</span></dt><dd><p>Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">--empty-password</span></dt><dd><p>Use empty password when creating new certificate database with -N.</p></dd><dt><span class="term">--keyAttrFlags attrflags</span></dt><dd><p>
PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</p></dd><dt><span class="term">--keyFlagsOn opflags, </span><span class="term">--keyFlagsOff opflags</span></dt><dd><p>
PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</p></dd><dt><span class="term">--keyOpFlagsOn opflags, </span><span class="term">--keyOpFlagsOff opflags</span></dt><dd><p>
PKCS #11 key Operation Flags.
Comma separated list of one or more of the following:
{token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}

File diff suppressed because one or more lines are too long


@ -4,7 +4,7 @@
common-options are:
[-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
]</p></div></div><div class="refsection"><a name="idm212191438032"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
]</p></div></div><div class="refsection"><a name="idm224682436944"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS#12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS#12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS#12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). 
If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case.
Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-v </span></dt><dd><p>Enable debug logging when importing.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-w p12filePasswordFile</span></dt><dd><p>Specify the text file containing the pkcs #12 file password.</p></dd><dt><span class="term">-W p12filePassword</span></dt><dd><p>Specify the pkcs #12 file password.</p></dd><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the key cert (overall package) encryption algorithm.</p></dd><dt><span class="term">-m | --key-len keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-r</span></dt><dd><p>Dumps all of the data in raw (binary) form. This must be saved as a DER file. 
The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</p></dd></dl></div></div><div class="refsection"><a name="return-codes"></a><h2>Return Codes</h2><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> 0 - No error</p></li><li class="listitem"><p> 1 - User Cancelled</p></li><li class="listitem"><p> 2 - Usage error</p></li><li class="listitem"><p> 6 - NLS init error</p></li><li class="listitem"><p> 8 - Certificate DB open error</p></li><li class="listitem"><p> 9 - Key DB open error</p></li><li class="listitem"><p> 10 - File initialization error</p></li><li class="listitem"><p> 11 - Unicode conversion error</p></li><li class="listitem"><p> 12 - Temporary file creation error</p></li><li class="listitem"><p> 13 - PKCS11 get slot error</p></li><li class="listitem"><p> 14 - PKCS12 decoder start error</p></li><li class="listitem"><p> 15 - error read from import file</p></li><li class="listitem"><p> 16 - pkcs12 decode error</p></li><li class="listitem"><p> 17 - pkcs12 decoder verify error</p></li><li class="listitem"><p> 18 - pkcs12 decoder validate bags error</p></li><li class="listitem"><p> 19 - pkcs12 decoder import bags error</p></li><li class="listitem"><p> 20 - key db conversion version 3 to version 2 error</p></li><li class="listitem"><p> 21 - cert db conversion version 7 to version 5 error</p></li><li class="listitem"><p> 22 - cert and key dbs patch error</p></li><li class="listitem"><p> 23 - get default cert db error</p></li><li class="listitem"><p> 24 - find cert by nickname error</p></li><li class="listitem"><p> 25 - create export context error</p></li><li class="listitem"><p> 26 - PKCS12 add password itegrity error</p></li><li class="listitem"><p> 27 - cert and key Safes creation error</p></li><li class="listitem"><p> 28 - PKCS12 add cert and key error</p></li><li class="listitem"><p> 29 - PKCS12 encode 
error</p></li></ul></div></div><div class="refsection"><a name="examples"></a><h2>Examples</h2><p><span class="command"><strong>Importing Keys and Certificates</strong></span></p><p>The most basic usage of <span class="command"><strong>pk12util</strong></span> for importing a certificate or key is the PKCS#12 input file (<code class="option">-i</code>) and some way to specify the security database being accessed (either <code class="option">-d</code> for a directory or <code class="option">-h</code> for a token).
</p><pre class="programlisting">pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</pre><p>For example:</p><pre class="programlisting"># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb


@ -1,7 +1,7 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PP</th></tr></table><hr></div><div class="refentry"><a name="pp"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pp — Prints certificates, keys, crls, and pkcs7 files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pp -t type [-a] [-i input] [-o output]</code> </p></div></div><div class="refsection"><a name="idm212208370176"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="idm212212496016"></a><h2>Description</h2><p><span class="command"><strong>pp </strong></span>pretty-prints private and public key, certificate, certificate-request,
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PP</th></tr></table><hr></div><div class="refentry"><a name="pp"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pp — Prints certificates, keys, crls, and pkcs7 files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pp -t type [-a] [-i input] [-o output]</code> </p></div></div><div class="refsection"><a name="idm224681757664"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="idm224678000880"></a><h2>Description</h2><p><span class="command"><strong>pp </strong></span>pretty-prints private and public key, certificate, certificate-request,
pkcs7 or crl files
</p></div><div class="refsection"><a name="idm212212494128"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-t </code> <em class="replaceable"><code>type</code></em></span></dt><dd><p class="simpara">specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}</p><p class="simpara"></p></dd><dt><span class="term"><code class="option">-a </code></span></dt><dd>Input is in ascii encoded form (RFC1113)</dd><dt><span class="term"><code class="option">-i </code> <em class="replaceable"><code>inputfile</code></em></span></dt><dd>Define an input file to use (default is stdin)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>outputfile</code></em></span></dt><dd>Define an output file to use (default is stdout)</dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <a class="ulink" href="http://pki.fedoraproject.org/wiki/" target="_top">PKI Wiki</a>. </p><p>For information specifically about NSS, the NSS project wiki is located at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">Mozilla NSS site</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p>
</p></div><div class="refsection"><a name="idm224677998992"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-t </code> <em class="replaceable"><code>type</code></em></span></dt><dd><p class="simpara">specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}</p><p class="simpara"></p></dd><dt><span class="term"><code class="option">-a </code></span></dt><dd>Input is in ascii encoded form (RFC1113)</dd><dt><span class="term"><code class="option">-i </code> <em class="replaceable"><code>inputfile</code></em></span></dt><dd>Define an input file to use (default is stdin)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>outputfile</code></em></span></dt><dd>Define an output file to use (default is stdout)</dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <a class="ulink" href="http://pki.fedoraproject.org/wiki/" target="_top">PKI Wiki</a>. </p><p>For information specifically about NSS, the NSS project wiki is located at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">Mozilla NSS site</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p>
Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
</p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</p></div></div><div class="navfooter"><hr></div></body></html>


@ -1,4 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>signtool</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="signtool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">signtool</th></tr></table><hr></div><div class="refentry"><a name="signtool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signtool — Digitally sign objects and files.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> [-k keyName] [[-h]] [[-H]] [[-l]] [[-L]] [[-M]] [[-v]] [[-w]] [[-G nickname]] [[--keysize | -s size]] [[-b basename]] [[-c Compression Level] ] [[-d cert-dir] ] [[-i installer script] ] [[-m metafile] ] [[-x name] ] [[-f filename] ] [[-t|--token tokenname] ] [[-e extension] ] [[-o] ] [[-z] ] [[-X] ] [[--outfile] ] [[--verbose value] ] [[--norecurse] ] [[--leavearc] ] [[-j directory] ] [[-Z jarfile] ] [[-O] ] [[-p password] ] [directory-tree] [archive]</p></div></div><div class="refsection"><a name="idm212213289088"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>signtool</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="signtool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">signtool</th></tr></table><hr></div><div class="refentry"><a name="signtool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signtool — Digitally sign objects and files.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> [-k keyName] [[-h]] [[-H]] [[-l]] [[-L]] [[-M]] [[-v]] [[-w]] [[-G nickname]] [[--keysize | -s size]] [[-b basename]] [[-c Compression Level] ] [[-d cert-dir] ] [[-i installer script] ] [[-m metafile] ] [[-x name] ] [[-f filename] ] [[-t|--token tokenname] ] [[-e extension] ] [[-o] ] [[-z] ] [[-X] ] [[--outfile] ] [[--verbose value] ] [[--norecurse] ] [[--leavearc] ] [[-j directory] ] [[-Z jarfile] ] [[-O] ] [[-p password] ] [directory-tree] [archive]</p></div></div><div class="refsection"><a name="idm224666150896"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signing Tool, <span class="command"><strong>signtool</strong></span>, creates digital signatures and uses a Java Archive (JAR) file to associate the signatures with files in a directory. Electronic software distribution over any network involves potential security problems. To help address some of these problems, you can associate digital signatures with the files in a JAR archive. Digital signatures allow SSL-enabled clients to perform two important operations:</p><p>* Confirm the identity of the individual, company, or other entity whose digital signature is associated with the files</p><p>* Check whether the files have been tampered with since being signed</p><p>If you have a signing certificate, you can use Netscape Signing Tool to digitally sign files and package them as a JAR file. An object-signing certificate is a special kind of certificate that allows you to associate your digital signature with one or more files.</p><p>An individual file can potentially be signed with multiple digital signatures. For example, a commercial software developer might sign the files that constitute a software product to prove that the files are indeed from a particular company. A network administrator manager might sign the same files with an additional digital signature based on a company-generated certificate to indicate that the product is approved for use within the company.</p><p>The significance of a digital signature is comparable to the significance of a handwritten signature. Once you have signed a file, it is difficult to claim later that you didn't sign it. In some situations, a digital signature may be considered as legally binding as a handwritten signature. 
Therefore, you should take great care to ensure that you can stand behind any file you sign and distribute.</p><p>For example, if you are a software developer, you should test your code to make sure it is virus-free before signing it. Similarly, if you are a network administrator, you should make sure, before signing any code, that it comes from a reliable source and will run correctly with the software installed on the machines to which you are distributing it.</p><p>Before you can use Netscape Signing Tool to sign files, you must have an object-signing certificate, which is a special certificate whose associated private key is used to create digital signatures. For testing purposes only, you can create an object-signing certificate with Netscape Signing Tool 1.3. When testing is finished and you are ready to disitribute your software, you should obtain an object-signing certificate from one of two kinds of sources:</p><p>* An independent certificate authority (CA) that authenticates your identity and charges you a fee. You typically get a certificate from an independent CA if you want to sign software that will be distributed over the Internet.</p><p>* CA server software running on your corporate intranet or extranet. Netscape Certificate Management System provides a complete management solution for creating, deploying, and managing certificates, including CAs that issue object-signing certificates.</p><p>You must also have a certificate for the CA that issues your signing certificate before you can sign files. If the certificate authority's certificate isn't already installed in your copy of Communicator, you typically install it by clicking the appropriate link on the certificate authority's web site, for example on the page from which you initiated enrollment for your signing certificate. 
This is the case for some test certificates, as well as certificates issued by Netscape Certificate Management System: you must download the the CA certificate in addition to obtaining your own signing certificate. CA certificates for several certificate authorities are preinstalled in the Communicator certificate database.</p><p>When you receive an object-signing certificate for your own use, it is automatically installed in your copy of the Communicator client software. Communicator supports the public-key cryptography standard known as PKCS #12, which governs key portability. You can, for example, move an object-signing certificate and its associated private key from one computer to another on a credit-card-sized device called a smart card.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-b basename</span></dt><dd><p>Specifies the base filename for the .rsa and .sf files in the META-INF directory to conform with the JAR format. For example, <span class="emphasis"><em>-b signatures</em></span> causes the files to be named signatures.rsa and signatures.sf. The default is signtool.</p></dd><dt><span class="term">-c#</span></dt><dd><p>
Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes.


@ -1,7 +1,7 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SIGNVER</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SIGNVER"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SIGNVER</th></tr></table><hr></div><div class="refentry"><a name="signver"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signver — Verify a detached PKCS#7 signature for a file.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> -A | -V -d <em class="replaceable"><code>directory</code></em> [-a] [-i <em class="replaceable"><code>input_file</code></em>] [-o <em class="replaceable"><code>output_file</code></em>] [-s <em class="replaceable"><code>signature_file</code></em>] [-v]</p></div></div><div class="refsection"><a name="idm212178498944"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signature Verification Tool, <span class="command"><strong>signver</strong></span>, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A</span></dt><dd><p>Displays all of the information in the PKCS#7 signature.</p></dd><dt><span class="term">-V</span></dt><dd><p>Verifies the digital signature.</p></dd><dt><span class="term">-d [sql:]<span class="emphasis"><em>directory</em></span></span></dt><dd><p>Specify the database directory which contains the certificates and keys.</p><p><span class="command"><strong>signver</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). 
If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-a</span></dt><dd><p>Sets that the given signature file is in ASCII format.</p></dd><dt><span class="term">-i <span class="emphasis"><em>input_file</em></span></span></dt><dd><p>Gives the input file for the object with signed data.</p></dd><dt><span class="term">-o <span class="emphasis"><em>output_file</em></span></span></dt><dd><p>Gives the output file to which to write the results.</p></dd><dt><span class="term">-s <span class="emphasis"><em>signature_file</em></span></span></dt><dd><p>Gives the input file for the digital signature.</p></dd><dt><span class="term">-v</span></dt><dd><p>Enables verbose output.</p></dd></dl></div></div><div class="refsection"><a name="examples"></a><h2>Extended Examples</h2><div class="refsection"><a name="idm212182187744"></a><h3>Verifying a Signature</h3><p>The <code class="option">-V</code> option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).</p><pre class="programlisting">signver -V -s <em class="replaceable"><code>signature_file</code></em> -i <em class="replaceable"><code>signed_file</code></em> -d sql:/home/my/sharednssdb
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SIGNVER</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SIGNVER"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SIGNVER</th></tr></table><hr></div><div class="refentry"><a name="signver"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signver — Verify a detached PKCS#7 signature for a file.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> -A | -V -d <em class="replaceable"><code>directory</code></em> [-a] [-i <em class="replaceable"><code>input_file</code></em>] [-o <em class="replaceable"><code>output_file</code></em>] [-s <em class="replaceable"><code>signature_file</code></em>] [-v]</p></div></div><div class="refsection"><a name="idm224680848704"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signature Verification Tool, <span class="command"><strong>signver</strong></span>, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A</span></dt><dd><p>Displays all of the information in the PKCS#7 signature.</p></dd><dt><span class="term">-V</span></dt><dd><p>Verifies the digital signature.</p></dd><dt><span class="term">-d [sql:]<span class="emphasis"><em>directory</em></span></span></dt><dd><p>Specify the database directory which contains the certificates and keys.</p><p><span class="command"><strong>signver</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). 
If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-a</span></dt><dd><p>Sets that the given signature file is in ASCII format.</p></dd><dt><span class="term">-i <span class="emphasis"><em>input_file</em></span></span></dt><dd><p>Gives the input file for the object with signed data.</p></dd><dt><span class="term">-o <span class="emphasis"><em>output_file</em></span></span></dt><dd><p>Gives the output file to which to write the results.</p></dd><dt><span class="term">-s <span class="emphasis"><em>signature_file</em></span></span></dt><dd><p>Gives the input file for the digital signature.</p></dd><dt><span class="term">-v</span></dt><dd><p>Enables verbose output.</p></dd></dl></div></div><div class="refsection"><a name="examples"></a><h2>Extended Examples</h2><div class="refsection"><a name="idm224681951616"></a><h3>Verifying a Signature</h3><p>The <code class="option">-V</code> option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).</p><pre class="programlisting">signver -V -s <em class="replaceable"><code>signature_file</code></em> -i <em class="replaceable"><code>signed_file</code></em> -d sql:/home/my/sharednssdb
signatureValid=yes</pre></div><div class="refsection"><a name="idm212182184528"></a><h3>Printing Signature Data</h3><p>
signatureValid=yes</pre></div><div class="refsection"><a name="idm224679496656"></a><h3>Printing Signature Data</h3><p>
The <code class="option">-A</code> option prints all of the information contained in a signature file. Using the <code class="option">-o</code> option prints the signature file information to the given output file rather than stdout.
</p><pre class="programlisting">signver -A -s <em class="replaceable"><code>signature_file</code></em> -o <em class="replaceable"><code>output_file</code></em></pre></div></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information.
The last versions of these <span class="emphasis"><em>legacy</em></span> databases are:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>


@ -1,4 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SSLTAP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SSLTAP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SSLTAP</th></tr></table><hr></div><div class="refentry"><a name="ssltap"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ssltap — Tap into SSL connections and display the data going by </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">libssltap</code> [-vhfsxl] [-p port] [hostname:port]</p></div></div><div class="refsection"><a name="idm212195756784"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SSLTAP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SSLTAP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SSLTAP</th></tr></table><hr></div><div class="refentry"><a name="ssltap"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ssltap — Tap into SSL connections and display the data going by </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">libssltap</code> [-vhfsxl] [-p port] [hostname:port]</p></div></div><div class="refsection"><a name="idm224680842512"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The SSL Debugging Tool <span class="command"><strong>ssltap</strong></span> is an SSL-aware command-line proxy. It watches TCP connections and displays the data going by. If a connection is SSL, the data display includes interpreted SSL records and handshaking</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-v </span></dt><dd><p>Print a version string for the tool.</p></dd><dt><span class="term">-h </span></dt><dd><p>
Turn on hex/ASCII printing. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters. The two parts are separated by a vertical bar. Nonprinting characters are replaced by dots.
</p></dd><dt><span class="term">-f </span></dt><dd><p>


@ -1,4 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYCHAIN</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYCHAIN"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYCHAIN</th></tr></table><hr></div><div class="refentry"><a name="vfychain"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfychain — vfychain [options] [revocation options] certfile [[options] certfile] ...</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfychain</code> </p></div></div><div class="refsection"><a name="idm212186283232"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYCHAIN</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYCHAIN"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYCHAIN</th></tr></table><hr></div><div class="refentry"><a name="vfychain"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfychain — vfychain [options] [revocation options] certfile [[options] certfile] ...</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfychain</code> </p></div></div><div class="refsection"><a name="idm224658292400"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The verification Tool, <span class="command"><strong>vfychain</strong></span>, verifies certificate chains. <span class="command"><strong>modutil</strong></span> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</p><p>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-a</code></span></dt><dd>the following certfile is base64 encoded</dd><dt><span class="term"><code class="option">-b </code> <em class="replaceable"><code>YYMMDDHHMMZ</code></em></span></dt><dd>Validate date (default: now)</dd><dt><span class="term"><code class="option">-d </code> <em class="replaceable"><code>directory</code></em></span></dt><dd>database directory</dd><dt><span class="term"><code class="option">-f </code> </span></dt><dd>Enable cert fetching from AIA URL</dd><dt><span class="term"><code class="option">-o </code> <em class="replaceable"><code>oid</code></em></span></dt><dd>Set policy OID for cert validation(Format OID.1.2.3)</dd><dt><span class="term"><code class="option">-p </code></span></dt><dd><p class="simpara">Use PKIX Library to validate certificate by calling:</p><p class="simpara"> * CERT_VerifyCertificate if specified once,</p><p class="simpara"> * CERT_PKIXVerifyCert if specified twice and more.</p></dd><dt><span class="term"><code class="option">-r </code></span></dt><dd>Following certfile is raw binary DER (default)</dd><dt><span class="term"><code 
class="option">-t</code></span></dt><dd>Following cert is explicitly trusted (overrides db trust)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>usage</code></em></span></dt><dd><p>
0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,
4=Email signer, 5=Email recipient, 6=Object signer,


@ -1,4 +1,4 @@
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYSERV</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYSERV"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYSERV</th></tr></table><hr></div><div class="refentry"><a name="vfyserv"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfyserv — TBD</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfyserv</code> </p></div></div><div class="refsection"><a name="idm212187704608"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYSERV</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYSERV"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYSERV</th></tr></table><hr></div><div class="refentry"><a name="vfyserv"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfyserv — TBD</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfyserv</code> </p></div></div><div class="refsection"><a name="idm224662974480"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
</p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The <span class="command"><strong>vfyserv </strong></span> tool verifies a certificate chain</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option"></code> <em class="replaceable"><code></code></em></span></dt><dd><p class="simpara"></p><p class="simpara"></p></dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p>
Authors: Elio Maldonado &lt;emaldona@redhat.com&gt;, Deon Lackey &lt;dlackey@redhat.com&gt;.
</p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.


@ -2,12 +2,12 @@
.\" Title: CERTUTIL
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 5 November 2013
.\" Date: 12 November 2013
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
.TH "CERTUTIL" "1" "5 November 2013" "nss-tools" "NSS Security Tools"
.TH "CERTUTIL" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@ -920,7 +920,7 @@ Use empty password when creating new certificate database with \-N\&.
PKCS #11 key Attributes\&. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
.RE
.PP
\-\-keyFlagsOn opflags, \-\-keyFlagsOff opflags
\-\-keyOpFlagsOn opflags, \-\-keyOpFlagsOff opflags
.RS 4
PKCS #11 key Operation Flags\&. Comma separated list of one or more of the following: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
.RE


@ -2,12 +2,12 @@
.\" Title: PK12UTIL
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 5 November 2013
.\" Date: 12 November 2013
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
.TH "PK12UTIL" "1" "5 November 2013" "nss-tools" "NSS Security Tools"
.TH "PK12UTIL" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------


@ -2,12 +2,12 @@
.\" Title: PP
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 5 November 2013
.\" Date: 12 November 2013
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
.TH "PP" "1" "5 November 2013" "nss-tools" "NSS Security Tools"
.TH "PP" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------


@ -2,12 +2,12 @@
.\" Title: signtool
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 5 November 2013
.\" Date: 12 November 2013
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
.TH "SIGNTOOL" "1" "5 November 2013" "nss-tools" "NSS Security Tools"
.TH "SIGNTOOL" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------


@ -2,12 +2,12 @@
.\" Title: SIGNVER
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 5 November 2013
.\" Date: 12 November 2013
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
.TH "SIGNVER" "1" "5 November 2013" "nss-tools" "NSS Security Tools"
.TH "SIGNVER" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------


@ -2,12 +2,12 @@
.\" Title: SSLTAP
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 5 November 2013
.\" Date: 12 November 2013
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
.TH "SSLTAP" "1" "5 November 2013" "nss-tools" "NSS Security Tools"
.TH "SSLTAP" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------


@ -2,12 +2,12 @@
.\" Title: VFYCHAIN
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 5 November 2013
.\" Date: 12 November 2013
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
.TH "VFYCHAIN" "1" "5 November 2013" "nss-tools" "NSS Security Tools"
.TH "VFYCHAIN" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------


@ -2,12 +2,12 @@
.\" Title: VFYSERV
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 5 November 2013
.\" Date: 12 November 2013
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
.TH "VFYSERV" "1" "5 November 2013" "nss-tools" "NSS Security Tools"
.TH "VFYSERV" "1" "12 November 2013" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------


@ -9147,139 +9147,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Wells Fargo Root CA"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Wells Fargo Root CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123
\061\024\060\022\006\003\125\004\012\023\013\127\145\154\154\163
\040\106\141\162\147\157\061\054\060\052\006\003\125\004\013\023
\043\127\145\154\154\163\040\106\141\162\147\157\040\103\145\162
\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
\162\151\164\171\061\057\060\055\006\003\125\004\003\023\046\127
\145\154\154\163\040\106\141\162\147\157\040\122\157\157\164\040
\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164\150
\157\162\151\164\171
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123
\061\024\060\022\006\003\125\004\012\023\013\127\145\154\154\163
\040\106\141\162\147\157\061\054\060\052\006\003\125\004\013\023
\043\127\145\154\154\163\040\106\141\162\147\157\040\103\145\162
\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
\162\151\164\171\061\057\060\055\006\003\125\004\003\023\046\127
\145\154\154\163\040\106\141\162\147\157\040\122\157\157\164\040
\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164\150
\157\162\151\164\171
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\004\071\344\227\236
END
CKA_VALUE MULTILINE_OCTAL
\060\202\003\345\060\202\002\315\240\003\002\001\002\002\004\071
\344\227\236\060\015\006\011\052\206\110\206\367\015\001\001\005
\005\000\060\201\202\061\013\060\011\006\003\125\004\006\023\002
\125\123\061\024\060\022\006\003\125\004\012\023\013\127\145\154
\154\163\040\106\141\162\147\157\061\054\060\052\006\003\125\004
\013\023\043\127\145\154\154\163\040\106\141\162\147\157\040\103
\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
\150\157\162\151\164\171\061\057\060\055\006\003\125\004\003\023
\046\127\145\154\154\163\040\106\141\162\147\157\040\122\157\157
\164\040\103\145\162\164\151\146\151\143\141\164\145\040\101\165
\164\150\157\162\151\164\171\060\036\027\015\060\060\061\060\061
\061\061\066\064\061\062\070\132\027\015\062\061\060\061\061\064
\061\066\064\061\062\070\132\060\201\202\061\013\060\011\006\003
\125\004\006\023\002\125\123\061\024\060\022\006\003\125\004\012
\023\013\127\145\154\154\163\040\106\141\162\147\157\061\054\060
\052\006\003\125\004\013\023\043\127\145\154\154\163\040\106\141
\162\147\157\040\103\145\162\164\151\146\151\143\141\164\151\157
\156\040\101\165\164\150\157\162\151\164\171\061\057\060\055\006
\003\125\004\003\023\046\127\145\154\154\163\040\106\141\162\147
\157\040\122\157\157\164\040\103\145\162\164\151\146\151\143\141
\164\145\040\101\165\164\150\157\162\151\164\171\060\202\001\042
\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
\202\001\017\000\060\202\001\012\002\202\001\001\000\325\250\063
\073\046\371\064\377\315\233\176\345\004\107\316\000\342\175\167
\347\061\302\056\047\245\115\150\271\061\272\215\103\131\227\307
\163\252\177\075\134\100\236\005\345\241\342\211\331\114\270\077
\233\371\014\264\310\142\031\054\105\256\221\036\163\161\101\304
\113\023\375\160\302\045\254\042\365\165\013\267\123\344\245\053
\335\316\275\034\072\172\303\367\023\217\046\124\234\026\153\153
\257\373\330\226\261\140\232\110\340\045\042\044\171\064\316\016
\046\000\013\116\253\375\213\316\202\327\057\010\160\150\301\250
\012\371\164\117\007\253\244\371\342\203\176\047\163\164\076\270
\371\070\102\374\245\250\133\110\043\263\353\343\045\262\200\256
\226\324\012\234\302\170\232\306\150\030\256\067\142\067\136\121
\165\250\130\143\300\121\356\100\170\176\250\257\032\240\341\260
\170\235\120\214\173\347\263\374\216\043\260\333\145\000\160\204
\001\010\000\024\156\124\206\232\272\314\371\067\020\366\340\336
\204\055\235\244\205\067\323\207\343\025\320\301\027\220\176\031
\041\152\022\251\166\375\022\002\351\117\041\136\027\002\003\001
\000\001\243\141\060\137\060\017\006\003\125\035\023\001\001\377
\004\005\060\003\001\001\377\060\114\006\003\125\035\040\004\105
\060\103\060\101\006\013\140\206\110\001\206\373\173\207\007\001
\013\060\062\060\060\006\010\053\006\001\005\005\007\002\001\026
\044\150\164\164\160\072\057\057\167\167\167\056\167\145\154\154
\163\146\141\162\147\157\056\143\157\155\057\143\145\162\164\160
\157\154\151\143\171\060\015\006\011\052\206\110\206\367\015\001
\001\005\005\000\003\202\001\001\000\322\047\335\234\012\167\053
\273\042\362\002\265\112\112\221\371\321\055\276\344\273\032\150
\357\016\244\000\351\356\347\357\356\366\371\345\164\244\302\330
\122\130\304\164\373\316\153\265\073\051\171\030\132\357\233\355
\037\153\066\356\110\045\045\024\266\126\242\020\350\356\247\177
\320\077\243\320\303\135\046\356\007\314\303\301\044\041\207\036
\337\052\022\123\157\101\026\347\355\256\224\372\214\162\372\023
\107\360\074\176\256\175\021\072\023\354\355\372\157\162\144\173
\235\175\177\046\375\172\373\045\255\352\076\051\177\114\343\000
\127\062\260\263\351\355\123\027\331\213\262\024\016\060\350\345
\325\023\306\144\257\304\000\325\330\130\044\374\365\217\354\361
\307\175\245\333\017\047\321\306\362\100\210\346\037\366\141\250
\364\102\310\271\067\323\251\276\054\126\170\302\162\233\131\135
\065\100\212\350\116\143\032\266\351\040\152\121\342\316\244\220
\337\166\160\231\134\160\103\115\267\266\247\031\144\116\222\267
\305\221\074\177\110\026\145\173\026\375\313\374\373\331\325\326
\117\041\145\073\112\177\107\243\373
END
# Trust for Certificate "Wells Fargo Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Wells Fargo Root CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\223\346\253\042\003\003\265\043\050\334\332\126\236\272\344\321
\321\314\373\145
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\040\013\112\172\210\247\251\102\206\212\137\164\126\173\210\005
END
CKA_ISSUER MULTILINE_OCTAL
\060\201\202\061\013\060\011\006\003\125\004\006\023\002\125\123
\061\024\060\022\006\003\125\004\012\023\013\127\145\154\154\163
\040\106\141\162\147\157\061\054\060\052\006\003\125\004\013\023
\043\127\145\154\154\163\040\106\141\162\147\157\040\103\145\162
\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
\162\151\164\171\061\057\060\055\006\003\125\004\003\023\046\127
\145\154\154\163\040\106\141\162\147\157\040\122\157\157\164\040
\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164\150
\157\162\151\164\171
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\004\071\344\227\236
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Swisscom Root CA 1"
#
@ -26216,3 +26083,537 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "SG TRUST SERVICES RACINE"
#
# Issuer: C=FR,O=SG TRUST SERVICES,OU=0002 43525289500022,CN=SG TRUST SERVICES RACINE
# Serial Number:3e:d5:51:19:e6:4d:ce:7e
# Subject: C=FR,O=SG TRUST SERVICES,OU=0002 43525289500022,CN=SG TRUST SERVICES RACINE
# Not Valid Before: Mon Sep 06 12:53:42 2010
# Not Valid After : Thu Sep 05 12:53:42 2030
# Fingerprint (MD5): 25:EF:CF:48:4A:84:B7:30:9F:60:D3:1D:56:91:2F:E1
# Fingerprint (SHA1): 0C:62:8F:5C:55:70:B1:C9:57:FA:FD:38:3F:B0:3D:7B:7D:D7:B9:C6
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "SG TRUST SERVICES RACINE"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\152\061\041\060\037\006\003\125\004\003\023\030\123\107\040
\124\122\125\123\124\040\123\105\122\126\111\103\105\123\040\122
\101\103\111\116\105\061\034\060\032\006\003\125\004\013\023\023
\060\060\060\062\040\064\063\065\062\065\062\070\071\065\060\060
\060\062\062\061\032\060\030\006\003\125\004\012\023\021\123\107
\040\124\122\125\123\124\040\123\105\122\126\111\103\105\123\061
\013\060\011\006\003\125\004\006\023\002\106\122
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\152\061\041\060\037\006\003\125\004\003\023\030\123\107\040
\124\122\125\123\124\040\123\105\122\126\111\103\105\123\040\122
\101\103\111\116\105\061\034\060\032\006\003\125\004\013\023\023
\060\060\060\062\040\064\063\065\062\065\062\070\071\065\060\060
\060\062\062\061\032\060\030\006\003\125\004\012\023\021\123\107
\040\124\122\125\123\124\040\123\105\122\126\111\103\105\123\061
\013\060\011\006\003\125\004\006\023\002\106\122
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\010\076\325\121\031\346\115\316\176
END
CKA_VALUE MULTILINE_OCTAL
\060\202\006\031\060\202\004\001\240\003\002\001\002\002\010\076
\325\121\031\346\115\316\176\060\015\006\011\052\206\110\206\367
\015\001\001\013\005\000\060\152\061\041\060\037\006\003\125\004
\003\023\030\123\107\040\124\122\125\123\124\040\123\105\122\126
\111\103\105\123\040\122\101\103\111\116\105\061\034\060\032\006
\003\125\004\013\023\023\060\060\060\062\040\064\063\065\062\065
\062\070\071\065\060\060\060\062\062\061\032\060\030\006\003\125
\004\012\023\021\123\107\040\124\122\125\123\124\040\123\105\122
\126\111\103\105\123\061\013\060\011\006\003\125\004\006\023\002
\106\122\060\036\027\015\061\060\060\071\060\066\061\062\065\063
\064\062\132\027\015\063\060\060\071\060\065\061\062\065\063\064
\062\132\060\152\061\041\060\037\006\003\125\004\003\023\030\123
\107\040\124\122\125\123\124\040\123\105\122\126\111\103\105\123
\040\122\101\103\111\116\105\061\034\060\032\006\003\125\004\013
\023\023\060\060\060\062\040\064\063\065\062\065\062\070\071\065
\060\060\060\062\062\061\032\060\030\006\003\125\004\012\023\021
\123\107\040\124\122\125\123\124\040\123\105\122\126\111\103\105
\123\061\013\060\011\006\003\125\004\006\023\002\106\122\060\202
\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000\332
\250\126\002\354\174\225\360\116\351\012\322\267\007\243\042\213
\120\263\271\056\031\075\127\333\031\252\322\053\344\316\102\342
\154\241\344\135\045\036\063\035\266\105\321\264\372\131\212\126
\160\311\155\010\166\151\160\232\346\307\234\010\060\023\376\346
\321\222\150\141\076\114\021\362\156\362\261\173\127\126\113\011
\275\334\017\331\161\014\350\232\067\336\042\020\034\231\136\326
\261\027\007\323\244\071\055\302\032\163\375\312\113\051\007\302
\171\051\310\310\046\256\054\304\374\043\310\113\342\206\126\017
\050\375\266\207\033\150\137\071\144\105\375\150\203\154\165\044
\036\074\165\231\141\372\322\024\370\251\113\261\330\175\247\170
\322\023\142\145\265\326\276\176\152\003\274\265\262\374\144\060
\303\320\302\231\075\231\244\323\315\321\261\304\123\207\173\114
\023\023\146\177\277\325\145\123\150\371\134\036\345\264\377\066
\231\105\243\237\142\300\177\021\202\001\124\336\017\145\245\071
\256\235\110\114\211\243\020\073\340\346\203\365\260\332\054\036
\172\034\134\037\000\254\314\253\247\140\144\263\306\305\173\307
\125\106\164\074\220\201\016\112\216\131\235\124\260\110\261\122
\114\073\230\356\253\332\064\267\123\315\111\332\057\353\225\276
\014\127\021\366\226\114\004\171\134\231\325\345\344\276\157\352
\107\356\121\113\357\042\046\256\265\330\021\252\103\273\170\277
\013\176\264\335\317\164\035\045\251\211\143\261\342\064\201\304
\210\065\070\342\002\015\017\023\311\325\052\202\025\360\212\304
\103\062\126\344\123\035\035\254\266\317\175\233\226\135\036\144
\351\164\163\304\126\344\026\112\122\155\222\071\323\341\115\016
\077\142\271\336\255\265\035\145\271\135\122\376\135\011\251\234
\264\244\014\331\057\105\166\245\317\216\152\232\236\252\260\021
\241\353\141\306\353\077\036\374\146\264\022\235\106\177\062\026
\211\276\161\105\257\221\041\331\375\223\277\264\002\221\102\377
\111\037\355\213\025\150\335\037\216\254\233\335\202\005\234\104
\151\026\144\027\126\137\101\017\112\117\004\017\145\120\206\223
\227\354\105\277\135\302\034\334\317\304\330\072\346\170\005\320
\305\125\125\251\136\376\253\072\041\273\345\162\024\367\013\002
\003\001\000\001\243\201\302\060\201\277\060\035\006\003\125\035
\016\004\026\004\024\051\040\313\361\303\017\332\006\216\023\223
\207\376\137\140\032\051\273\363\266\060\017\006\003\125\035\023
\001\001\377\004\005\060\003\001\001\377\060\037\006\003\125\035
\043\004\030\060\026\200\024\051\040\313\361\303\017\332\006\216
\023\223\207\376\137\140\032\051\273\363\266\060\021\006\003\125
\035\040\004\012\060\010\060\006\006\004\125\035\040\000\060\111
\006\003\125\035\037\004\102\060\100\060\076\240\074\240\072\206
\070\150\164\164\160\072\057\057\143\162\154\056\163\147\164\162
\165\163\164\163\145\162\166\151\143\145\163\056\143\157\155\057
\162\141\143\151\156\145\055\107\162\157\165\160\145\123\107\057
\114\141\164\145\163\164\103\122\114\060\016\006\003\125\035\017
\001\001\377\004\004\003\002\001\006\060\015\006\011\052\206\110
\206\367\015\001\001\013\005\000\003\202\002\001\000\114\106\147
\340\104\120\365\305\266\272\262\121\012\045\023\035\267\307\210
\056\037\271\053\144\240\313\223\210\122\131\252\140\365\314\051
\122\027\377\004\347\067\264\061\021\106\176\053\036\154\247\213
\074\107\232\136\364\252\135\220\073\105\075\237\112\311\212\173
\216\300\356\076\171\213\222\243\310\224\112\270\050\021\153\246
\045\137\135\275\307\310\373\203\117\125\061\346\134\360\023\174
\343\275\177\052\054\067\067\224\111\257\204\037\024\047\242\130
\020\217\012\071\067\032\022\040\101\217\031\366\251\037\031\355
\262\064\262\255\175\063\104\213\137\012\007\103\362\166\105\105
\055\255\344\215\016\000\375\004\010\252\347\153\373\027\275\260
\010\126\016\065\052\162\360\263\347\115\072\117\015\334\363\140
\022\263\070\144\214\333\371\341\046\215\057\357\116\350\044\107
\076\066\064\212\151\017\050\153\213\207\306\275\205\046\371\323
\353\151\041\126\140\221\326\367\340\142\302\250\161\256\056\336
\146\043\265\122\106\246\244\110\067\054\177\001\026\127\021\367
\047\015\016\345\017\326\220\105\341\036\077\041\334\322\374\026
\030\023\076\115\152\262\046\152\100\136\045\170\375\070\364\254
\130\172\067\033\230\100\004\307\216\311\324\304\147\141\261\230
\256\360\315\016\334\271\257\145\203\173\012\004\212\077\141\252
\367\135\101\206\346\306\114\302\117\072\134\126\352\050\073\247
\104\317\310\112\144\365\162\140\055\343\103\270\112\340\165\074
\062\344\252\026\327\021\271\301\105\331\233\146\143\146\345\042
\267\064\356\272\325\164\057\045\144\363\201\124\313\167\336\127
\324\223\343\254\007\061\072\076\134\003\203\127\123\307\360\376
\150\330\045\120\115\022\310\346\341\225\215\147\253\074\223\077
\027\002\272\070\327\236\367\060\245\075\075\104\001\063\032\232
\237\216\320\237\361\356\060\210\163\357\256\044\031\272\227\163
\025\301\354\161\014\204\144\265\173\354\274\151\076\244\155\011
\026\066\312\112\071\212\313\247\173\306\035\176\347\063\210\311
\276\060\155\234\205\225\041\351\107\073\006\176\201\342\352\106
\346\160\130\200\346\250\362\235\013\151\321\063\211\131\060\363
\144\323\013\366\316\053\011\373\175\020\166\056\020
END
# Trust for "SG TRUST SERVICES RACINE"
# Issuer: C=FR,O=SG TRUST SERVICES,OU=0002 43525289500022,CN=SG TRUST SERVICES RACINE
# Serial Number:3e:d5:51:19:e6:4d:ce:7e
# Subject: C=FR,O=SG TRUST SERVICES,OU=0002 43525289500022,CN=SG TRUST SERVICES RACINE
# Not Valid Before: Mon Sep 06 12:53:42 2010
# Not Valid After : Thu Sep 05 12:53:42 2030
# Fingerprint (MD5): 25:EF:CF:48:4A:84:B7:30:9F:60:D3:1D:56:91:2F:E1
# Fingerprint (SHA1): 0C:62:8F:5C:55:70:B1:C9:57:FA:FD:38:3F:B0:3D:7B:7D:D7:B9:C6
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "SG TRUST SERVICES RACINE"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\014\142\217\134\125\160\261\311\127\372\375\070\077\260\075\173
\175\327\271\306
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\045\357\317\110\112\204\267\060\237\140\323\035\126\221\057\341
END
CKA_ISSUER MULTILINE_OCTAL
\060\152\061\041\060\037\006\003\125\004\003\023\030\123\107\040
\124\122\125\123\124\040\123\105\122\126\111\103\105\123\040\122
\101\103\111\116\105\061\034\060\032\006\003\125\004\013\023\023
\060\060\060\062\040\064\063\065\062\065\062\070\071\065\060\060
\060\062\062\061\032\060\030\006\003\125\004\012\023\021\123\107
\040\124\122\125\123\124\040\123\105\122\126\111\103\105\123\061
\013\060\011\006\003\125\004\006\023\002\106\122
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\010\076\325\121\031\346\115\316\176
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "ACCVRAIZ1"
#
# Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
# Serial Number:5e:c3:b7:a6:43:7f:a4:e0
# Subject: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
# Not Valid Before: Thu May 05 09:37:37 2011
# Not Valid After : Tue Dec 31 09:37:37 2030
# Fingerprint (MD5): D0:A0:5A:EE:05:B6:09:94:21:A1:7D:F1:B2:29:82:02
# Fingerprint (SHA1): 93:05:7A:88:15:C6:4F:CE:88:2F:FA:91:16:52:28:78:BC:53:64:17
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "ACCVRAIZ1"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\102\061\022\060\020\006\003\125\004\003\014\011\101\103\103
\126\122\101\111\132\061\061\020\060\016\006\003\125\004\013\014
\007\120\113\111\101\103\103\126\061\015\060\013\006\003\125\004
\012\014\004\101\103\103\126\061\013\060\011\006\003\125\004\006
\023\002\105\123
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\102\061\022\060\020\006\003\125\004\003\014\011\101\103\103
\126\122\101\111\132\061\061\020\060\016\006\003\125\004\013\014
\007\120\113\111\101\103\103\126\061\015\060\013\006\003\125\004
\012\014\004\101\103\103\126\061\013\060\011\006\003\125\004\006
\023\002\105\123
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\010\136\303\267\246\103\177\244\340
END
CKA_VALUE MULTILINE_OCTAL
\060\202\007\323\060\202\005\273\240\003\002\001\002\002\010\136
\303\267\246\103\177\244\340\060\015\006\011\052\206\110\206\367
\015\001\001\005\005\000\060\102\061\022\060\020\006\003\125\004
\003\014\011\101\103\103\126\122\101\111\132\061\061\020\060\016
\006\003\125\004\013\014\007\120\113\111\101\103\103\126\061\015
\060\013\006\003\125\004\012\014\004\101\103\103\126\061\013\060
\011\006\003\125\004\006\023\002\105\123\060\036\027\015\061\061
\060\065\060\065\060\071\063\067\063\067\132\027\015\063\060\061
\062\063\061\060\071\063\067\063\067\132\060\102\061\022\060\020
\006\003\125\004\003\014\011\101\103\103\126\122\101\111\132\061
\061\020\060\016\006\003\125\004\013\014\007\120\113\111\101\103
\103\126\061\015\060\013\006\003\125\004\012\014\004\101\103\103
\126\061\013\060\011\006\003\125\004\006\023\002\105\123\060\202
\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000\233
\251\253\277\141\112\227\257\057\227\146\232\164\137\320\331\226
\375\317\342\344\146\357\037\037\107\063\302\104\243\337\232\336
\037\265\124\335\025\174\151\065\021\157\273\310\014\216\152\030
\036\330\217\331\026\274\020\110\066\134\360\143\263\220\132\134
\044\067\327\243\326\313\011\161\271\361\001\162\204\260\175\333
\115\200\315\374\323\157\311\370\332\266\016\202\322\105\205\250
\033\150\250\075\350\364\104\154\275\241\302\313\003\276\214\076
\023\000\204\337\112\110\300\343\042\012\350\351\067\247\030\114
\261\011\015\043\126\177\004\115\331\027\204\030\245\310\332\100
\224\163\353\316\016\127\074\003\201\072\235\012\241\127\103\151
\254\127\155\171\220\170\345\265\264\073\330\274\114\215\050\241
\247\243\247\272\002\116\045\321\052\256\355\256\003\042\270\153
\040\017\060\050\124\225\177\340\356\316\012\146\235\321\100\055
\156\042\257\235\032\301\005\031\322\157\300\362\237\370\173\263
\002\102\373\120\251\035\055\223\017\043\253\306\301\017\222\377
\320\242\025\365\123\011\161\034\377\105\023\204\346\046\136\370
\340\210\034\012\374\026\266\250\163\006\270\360\143\204\002\240
\306\132\354\347\164\337\160\256\243\203\045\352\326\307\227\207
\223\247\306\212\212\063\227\140\067\020\076\227\076\156\051\025
\326\241\017\321\210\054\022\237\157\252\244\306\102\353\101\242
\343\225\103\323\001\205\155\216\273\073\363\043\066\307\376\073
\340\241\045\007\110\253\311\211\164\377\010\217\200\277\300\226
\145\363\356\354\113\150\275\235\210\303\061\263\100\361\350\317
\366\070\273\234\344\321\177\324\345\130\233\174\372\324\363\016
\233\165\221\344\272\122\056\031\176\321\365\315\132\031\374\272
\006\366\373\122\250\113\231\004\335\370\371\264\213\120\243\116
\142\211\360\207\044\372\203\102\301\207\372\325\055\051\052\132
\161\172\144\152\327\047\140\143\015\333\316\111\365\215\037\220
\211\062\027\370\163\103\270\322\132\223\206\141\326\341\165\012
\352\171\146\166\210\117\161\353\004\045\326\012\132\172\223\345
\271\113\027\100\017\261\266\271\365\336\117\334\340\263\254\073
\021\160\140\204\112\103\156\231\040\300\051\161\012\300\145\002
\003\001\000\001\243\202\002\313\060\202\002\307\060\175\006\010
\053\006\001\005\005\007\001\001\004\161\060\157\060\114\006\010
\053\006\001\005\005\007\060\002\206\100\150\164\164\160\072\057
\057\167\167\167\056\141\143\143\166\056\145\163\057\146\151\154
\145\141\144\155\151\156\057\101\162\143\150\151\166\157\163\057
\143\145\162\164\151\146\151\143\141\144\157\163\057\162\141\151
\172\141\143\143\166\061\056\143\162\164\060\037\006\010\053\006
\001\005\005\007\060\001\206\023\150\164\164\160\072\057\057\157
\143\163\160\056\141\143\143\166\056\145\163\060\035\006\003\125
\035\016\004\026\004\024\322\207\264\343\337\067\047\223\125\366
\126\352\201\345\066\314\214\036\077\275\060\017\006\003\125\035
\023\001\001\377\004\005\060\003\001\001\377\060\037\006\003\125
\035\043\004\030\060\026\200\024\322\207\264\343\337\067\047\223
\125\366\126\352\201\345\066\314\214\036\077\275\060\202\001\163
\006\003\125\035\040\004\202\001\152\060\202\001\146\060\202\001
\142\006\004\125\035\040\000\060\202\001\130\060\202\001\042\006
\010\053\006\001\005\005\007\002\002\060\202\001\024\036\202\001
\020\000\101\000\165\000\164\000\157\000\162\000\151\000\144\000
\141\000\144\000\040\000\144\000\145\000\040\000\103\000\145\000
\162\000\164\000\151\000\146\000\151\000\143\000\141\000\143\000
\151\000\363\000\156\000\040\000\122\000\141\000\355\000\172\000
\040\000\144\000\145\000\040\000\154\000\141\000\040\000\101\000
\103\000\103\000\126\000\040\000\050\000\101\000\147\000\145\000
\156\000\143\000\151\000\141\000\040\000\144\000\145\000\040\000
\124\000\145\000\143\000\156\000\157\000\154\000\157\000\147\000
\355\000\141\000\040\000\171\000\040\000\103\000\145\000\162\000
\164\000\151\000\146\000\151\000\143\000\141\000\143\000\151\000
\363\000\156\000\040\000\105\000\154\000\145\000\143\000\164\000
\162\000\363\000\156\000\151\000\143\000\141\000\054\000\040\000
\103\000\111\000\106\000\040\000\121\000\064\000\066\000\060\000
\061\000\061\000\065\000\066\000\105\000\051\000\056\000\040\000
\103\000\120\000\123\000\040\000\145\000\156\000\040\000\150\000
\164\000\164\000\160\000\072\000\057\000\057\000\167\000\167\000
\167\000\056\000\141\000\143\000\143\000\166\000\056\000\145\000
\163\060\060\006\010\053\006\001\005\005\007\002\001\026\044\150
\164\164\160\072\057\057\167\167\167\056\141\143\143\166\056\145
\163\057\154\145\147\151\163\154\141\143\151\157\156\137\143\056
\150\164\155\060\125\006\003\125\035\037\004\116\060\114\060\112
\240\110\240\106\206\104\150\164\164\160\072\057\057\167\167\167
\056\141\143\143\166\056\145\163\057\146\151\154\145\141\144\155
\151\156\057\101\162\143\150\151\166\157\163\057\143\145\162\164
\151\146\151\143\141\144\157\163\057\162\141\151\172\141\143\143
\166\061\137\144\145\162\056\143\162\154\060\016\006\003\125\035
\017\001\001\377\004\004\003\002\001\006\060\027\006\003\125\035
\021\004\020\060\016\201\014\141\143\143\166\100\141\143\143\166
\056\145\163\060\015\006\011\052\206\110\206\367\015\001\001\005
\005\000\003\202\002\001\000\227\061\002\237\347\375\103\147\110
\104\024\344\051\207\355\114\050\146\320\217\065\332\115\141\267
\112\227\115\265\333\220\340\005\056\016\306\171\320\362\227\151
\017\275\004\107\331\276\333\265\051\332\233\331\256\251\231\325
\323\074\060\223\365\215\241\250\374\006\215\104\364\312\026\225
\174\063\334\142\213\250\067\370\047\330\011\055\033\357\310\024
\047\040\251\144\104\377\056\326\165\252\154\115\140\100\031\111
\103\124\143\332\342\314\272\146\345\117\104\172\133\331\152\201
\053\100\325\177\371\001\047\130\054\310\355\110\221\174\077\246
\000\317\304\051\163\021\066\336\206\031\076\235\356\031\212\033
\325\260\355\216\075\234\052\300\015\330\075\146\343\074\015\275
\325\224\134\342\342\247\065\033\004\000\366\077\132\215\352\103
\275\137\211\035\251\301\260\314\231\342\115\000\012\332\311\047
\133\347\023\220\134\344\365\063\242\125\155\334\340\011\115\057
\261\046\133\047\165\000\011\304\142\167\051\010\137\236\131\254
\266\176\255\237\124\060\042\003\301\036\161\144\376\371\070\012
\226\030\335\002\024\254\043\313\006\034\036\244\175\215\015\336
\047\101\350\255\332\025\267\260\043\335\053\250\323\332\045\207
\355\350\125\104\115\210\364\066\176\204\232\170\254\367\016\126
\111\016\326\063\045\326\204\120\102\154\040\022\035\052\325\276
\274\362\160\201\244\160\140\276\005\265\233\236\004\104\276\141
\043\254\351\245\044\214\021\200\224\132\242\242\271\111\322\301
\334\321\247\355\061\021\054\236\031\246\356\341\125\341\300\352
\317\015\204\344\027\267\242\174\245\336\125\045\006\356\314\300
\207\134\100\332\314\225\077\125\340\065\307\270\204\276\264\135
\315\172\203\001\162\356\207\346\137\035\256\265\205\306\046\337
\346\301\232\351\036\002\107\237\052\250\155\251\133\317\354\105
\167\177\230\047\232\062\135\052\343\204\356\305\230\146\057\226
\040\035\335\330\303\047\327\260\371\376\331\175\315\320\237\217
\013\024\130\121\237\057\213\303\070\055\336\350\217\326\215\207
\244\365\126\103\026\231\054\364\244\126\264\064\270\141\067\311
\302\130\200\033\240\227\241\374\131\215\351\021\366\321\017\113
\125\064\106\052\213\206\073
END
# Trust for "ACCVRAIZ1"
# Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
# Serial Number:5e:c3:b7:a6:43:7f:a4:e0
# Subject: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
# Not Valid Before: Thu May 05 09:37:37 2011
# Not Valid After : Tue Dec 31 09:37:37 2030
# Fingerprint (MD5): D0:A0:5A:EE:05:B6:09:94:21:A1:7D:F1:B2:29:82:02
# Fingerprint (SHA1): 93:05:7A:88:15:C6:4F:CE:88:2F:FA:91:16:52:28:78:BC:53:64:17
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "ACCVRAIZ1"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\223\005\172\210\025\306\117\316\210\057\372\221\026\122\050\170
\274\123\144\027
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\320\240\132\356\005\266\011\224\041\241\175\361\262\051\202\002
END
CKA_ISSUER MULTILINE_OCTAL
\060\102\061\022\060\020\006\003\125\004\003\014\011\101\103\103
\126\122\101\111\132\061\061\020\060\016\006\003\125\004\013\014
\007\120\113\111\101\103\103\126\061\015\060\013\006\003\125\004
\012\014\004\101\103\103\126\061\013\060\011\006\003\125\004\006
\023\002\105\123
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\010\136\303\267\246\103\177\244\340
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "TWCA Global Root CA"
#
# Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
# Serial Number: 3262 (0xcbe)
# Subject: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
# Not Valid Before: Wed Jun 27 06:28:33 2012
# Not Valid After : Tue Dec 31 15:59:59 2030
# Fingerprint (MD5): F9:03:7E:CF:E6:9E:3C:73:7A:2A:90:07:69:FF:2B:96
# Fingerprint (SHA1): 9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "TWCA Global Root CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\121\061\013\060\011\006\003\125\004\006\023\002\124\127\061
\022\060\020\006\003\125\004\012\023\011\124\101\111\127\101\116
\055\103\101\061\020\060\016\006\003\125\004\013\023\007\122\157
\157\164\040\103\101\061\034\060\032\006\003\125\004\003\023\023
\124\127\103\101\040\107\154\157\142\141\154\040\122\157\157\164
\040\103\101
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\121\061\013\060\011\006\003\125\004\006\023\002\124\127\061
\022\060\020\006\003\125\004\012\023\011\124\101\111\127\101\116
\055\103\101\061\020\060\016\006\003\125\004\013\023\007\122\157
\157\164\040\103\101\061\034\060\032\006\003\125\004\003\023\023
\124\127\103\101\040\107\154\157\142\141\154\040\122\157\157\164
\040\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\014\276
END
CKA_VALUE MULTILINE_OCTAL
\060\202\005\101\060\202\003\051\240\003\002\001\002\002\002\014
\276\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
\060\121\061\013\060\011\006\003\125\004\006\023\002\124\127\061
\022\060\020\006\003\125\004\012\023\011\124\101\111\127\101\116
\055\103\101\061\020\060\016\006\003\125\004\013\023\007\122\157
\157\164\040\103\101\061\034\060\032\006\003\125\004\003\023\023
\124\127\103\101\040\107\154\157\142\141\154\040\122\157\157\164
\040\103\101\060\036\027\015\061\062\060\066\062\067\060\066\062
\070\063\063\132\027\015\063\060\061\062\063\061\061\065\065\071
\065\071\132\060\121\061\013\060\011\006\003\125\004\006\023\002
\124\127\061\022\060\020\006\003\125\004\012\023\011\124\101\111
\127\101\116\055\103\101\061\020\060\016\006\003\125\004\013\023
\007\122\157\157\164\040\103\101\061\034\060\032\006\003\125\004
\003\023\023\124\127\103\101\040\107\154\157\142\141\154\040\122
\157\157\164\040\103\101\060\202\002\042\060\015\006\011\052\206
\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202
\002\012\002\202\002\001\000\260\005\333\310\353\214\304\156\212
\041\357\216\115\234\161\012\037\122\160\355\155\202\234\227\305
\327\114\116\105\111\313\100\102\265\022\064\154\031\302\164\244
\061\137\205\002\227\354\103\063\012\123\322\234\214\216\267\270
\171\333\053\325\152\362\216\146\304\356\053\001\007\222\324\263
\320\002\337\120\366\125\257\146\016\313\340\107\140\057\053\062
\071\065\122\072\050\203\370\173\026\306\030\270\142\326\107\045
\221\316\360\031\022\115\255\143\365\323\077\165\137\051\360\241
\060\034\052\240\230\246\025\275\356\375\031\066\360\342\221\103
\217\372\312\326\020\047\111\114\357\335\301\361\205\160\233\312
\352\250\132\103\374\155\206\157\163\351\067\105\251\360\066\307
\314\210\165\036\273\154\006\377\233\153\076\027\354\141\252\161
\174\306\035\242\367\111\351\025\265\074\326\241\141\365\021\367
\005\157\035\375\021\276\320\060\007\302\051\260\011\116\046\334
\343\242\250\221\152\037\302\221\105\210\134\345\230\270\161\245
\025\031\311\174\165\021\314\160\164\117\055\233\035\221\104\375
\126\050\240\376\273\206\152\310\372\134\013\130\334\306\113\166
\310\253\042\331\163\017\245\364\132\002\211\077\117\236\042\202
\356\242\164\123\052\075\123\047\151\035\154\216\062\054\144\000
\046\143\141\066\116\243\106\267\077\175\263\055\254\155\220\242
\225\242\316\317\332\202\347\007\064\031\226\351\270\041\252\051
\176\246\070\276\216\051\112\041\146\171\037\263\303\265\011\147
\336\326\324\007\106\363\052\332\346\042\067\140\313\201\266\017
\240\017\351\310\225\177\277\125\221\005\172\317\075\025\300\157
\336\011\224\001\203\327\064\033\314\100\245\360\270\233\147\325
\230\221\073\247\204\170\225\046\244\132\010\370\053\164\264\000
\004\074\337\270\024\216\350\337\251\215\154\147\222\063\035\300
\267\322\354\222\310\276\011\277\054\051\005\157\002\153\236\357
\274\277\052\274\133\300\120\217\101\160\161\207\262\115\267\004
\251\204\243\062\257\256\356\153\027\213\262\261\376\154\341\220
\214\210\250\227\110\316\310\115\313\363\006\317\137\152\012\102
\261\036\036\167\057\216\240\346\222\016\006\374\005\042\322\046
\341\061\121\175\062\334\017\002\003\001\000\001\243\043\060\041
\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006
\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
\377\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
\003\202\002\001\000\137\064\201\166\357\226\035\325\345\265\331
\002\143\204\026\301\256\240\160\121\247\367\114\107\065\310\013
\327\050\075\211\161\331\252\063\101\352\024\033\154\041\000\300
\154\102\031\176\237\151\133\040\102\337\242\322\332\304\174\227
\113\215\260\350\254\310\356\245\151\004\231\012\222\246\253\047
\056\032\115\201\277\204\324\160\036\255\107\376\375\112\235\063
\340\362\271\304\105\010\041\012\332\151\151\163\162\015\276\064
\376\224\213\255\303\036\065\327\242\203\357\345\070\307\245\205
\037\253\317\064\354\077\050\376\014\361\127\206\116\311\125\367
\034\324\330\245\175\006\172\157\325\337\020\337\201\116\041\145
\261\266\341\027\171\225\105\006\316\137\314\334\106\211\143\150
\104\215\223\364\144\160\240\075\235\050\005\303\071\160\270\142
\173\040\375\344\333\351\010\241\270\236\075\011\307\117\373\054
\370\223\166\101\336\122\340\341\127\322\235\003\274\167\236\376
\236\051\136\367\301\121\140\037\336\332\013\262\055\165\267\103
\110\223\347\366\171\306\204\135\200\131\140\224\374\170\230\217
\074\223\121\355\100\220\007\337\144\143\044\313\116\161\005\241
\327\224\032\210\062\361\042\164\042\256\245\246\330\022\151\114
\140\243\002\356\053\354\324\143\222\013\136\276\057\166\153\243
\266\046\274\217\003\330\012\362\114\144\106\275\071\142\345\226
\353\064\143\021\050\314\225\361\255\357\357\334\200\130\110\351
\113\270\352\145\254\351\374\200\265\265\310\105\371\254\301\237
\331\271\352\142\210\216\304\361\113\203\022\255\346\213\204\326
\236\302\353\203\030\237\152\273\033\044\140\063\160\314\354\367
\062\363\134\331\171\175\357\236\244\376\311\043\303\044\356\025
\222\261\075\221\117\046\206\275\146\163\044\023\352\244\256\143
\301\255\175\204\003\074\020\170\206\033\171\343\304\363\362\004
\225\040\256\043\202\304\263\072\000\142\277\346\066\044\341\127
\272\307\036\220\165\325\137\077\225\141\053\301\073\315\345\263
\150\141\320\106\046\251\041\122\151\055\353\056\307\353\167\316
\246\072\265\003\063\117\166\321\347\134\124\001\135\313\170\364
\311\014\277\317\022\216\027\055\043\150\224\347\253\376\251\262
\053\006\320\004\315
END
# Trust for "TWCA Global Root CA"
# Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
# Serial Number: 3262 (0xcbe)
# Subject: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
# Not Valid Before: Wed Jun 27 06:28:33 2012
# Not Valid After : Tue Dec 31 15:59:59 2030
# Fingerprint (MD5): F9:03:7E:CF:E6:9E:3C:73:7A:2A:90:07:69:FF:2B:96
# Fingerprint (SHA1): 9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "TWCA Global Root CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\234\273\110\123\366\244\366\323\122\244\350\062\122\125\140\023
\365\255\257\145
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\371\003\176\317\346\236\074\163\172\052\220\007\151\377\053\226
END
CKA_ISSUER MULTILINE_OCTAL
\060\121\061\013\060\011\006\003\125\004\006\023\002\124\127\061
\022\060\020\006\003\125\004\012\023\011\124\101\111\127\101\116
\055\103\101\061\020\060\016\006\003\125\004\013\023\007\122\157
\157\164\040\103\101\061\034\060\032\006\003\125\004\003\023\023
\124\127\103\101\040\107\154\157\142\141\154\040\122\157\157\164
\040\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\014\276
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE


@ -45,8 +45,8 @@
* of the comment in the CK_VERSION type definition.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 94
#define NSS_BUILTINS_LIBRARY_VERSION "1.94"
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 95
#define NSS_BUILTINS_LIBRARY_VERSION "1.95"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1


@ -1037,13 +1037,13 @@ CERT_AddCertToListHead;
;+ local:
;+ *;
;+};
;+NSS_3.15.3 { # NSS 3.15.3 release
;+NSS_3.15.4 { # NSS 3.15.4 release
;+ global:
CERT_DestroyCrl;
CERT_ForcePostMethodForOCSP;
CERT_GetEncodedOCSPResponseByMechanism;
CERT_GetSPKIDigest;
CERT_GetSubjectNameDigest;
CERT_ForcePostMethodForOCSP;
;+ local:
;+ *;
;+};
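Review bot: The version node relabelled here from `NSS_3.15.3` to `NSS_3.15.4` changes the version tag under which `CERT_DestroyCrl`, `CERT_ForcePostMethodForOCSP` and the other listed symbols are exported, so on platforms that bind versioned symbols a binary linked against an earlier build carrying the old label would no longer resolve them. Whether any released build exported them as `NSS_3.15.3` is not visible from this hunk. If none did, a line such as `;+# first exported in 3.15.4; no 3.15.3 release carried these symbols` above the node would record why the relabel is safe. The next file section, the SSL export list, makes the same relabel for `SSL_PeerCertificateChain` and `SSL_RecommendedCanFalseStart`.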


@ -163,7 +163,7 @@ SSL_SetStapledOCSPResponses;
;+ local:
;+*;
;+};
;+NSS_3.15.3 { # NSS 3.15.3 release
;+NSS_3.15.4 { # NSS 3.15.4 release
;+ global:
SSL_PeerCertificateChain;
SSL_RecommendedCanFalseStart;


@ -85,81 +85,77 @@ static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt,
*/
static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
/* cipher_suite policy enabled isPresent */
#ifdef NSS_ENABLE_ECC
{ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
#endif /* NSS_ENABLE_ECC */
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
#ifdef NSS_ENABLE_ECC
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
#endif /* NSS_ENABLE_ECC */
{ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
#ifdef NSS_ENABLE_ECC
{ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
#endif /* NSS_ENABLE_ECC */
{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
#ifdef NSS_ENABLE_ECC
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
#endif /* NSS_ENABLE_ECC */
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
#ifdef NSS_ENABLE_ECC
{ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
#endif /* NSS_ENABLE_ECC */
{ TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
/* RSA */
{ TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ SSL_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ SSL_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE},
#ifdef NSS_ENABLE_ECC
{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
#endif /* NSS_ENABLE_ECC */
{ SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
#ifdef NSS_ENABLE_ECC
{ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
#endif /* NSS_ENABLE_ECC */
{ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
/* 56-bit DES "domestic" cipher suites */
{ SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ SSL_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
/* export ciphersuites with 1024-bit public key exchange keys */
{ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
/* export ciphersuites with 512-bit public key exchange keys */
{ SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
/* ciphersuites with no encryption */
#ifdef NSS_ENABLE_ECC
{ TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
@ -171,6 +167,24 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
{ SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
};
/* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order.
*/
#ifdef DEBUG
void ssl3_CheckCipherSuiteOrderConsistency()
{
unsigned int i;
/* Note that SSL_ImplementedCiphers has more elements than cipherSuites
* because it SSL_ImplementedCiphers includes SSL 2.0 cipher suites.
*/
PORT_Assert(SSL_NumImplementedCiphers >= PR_ARRAY_SIZE(cipherSuites));
for (i = 0; i < PR_ARRAY_SIZE(cipherSuites); ++i) {
PORT_Assert(SSL_ImplementedCiphers[i] == cipherSuites[i].cipher_suite);
}
}
#endif
/* This list of SSL3 compression methods is sorted in descending order of
* precedence (desirability). It only includes compression methods we
* implement.
@ -865,16 +879,10 @@ ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion,
static SECStatus
ssl3_GetNewRandom(SSL3Random *random)
{
PRUint32 gmt = ssl_Time();
SECStatus rv;
random->rand[0] = (unsigned char)(gmt >> 24);
random->rand[1] = (unsigned char)(gmt >> 16);
random->rand[2] = (unsigned char)(gmt >> 8);
random->rand[3] = (unsigned char)(gmt);
/* first 4 bytes are reserverd for time */
rv = PK11_GenerateRandom(&random->rand[4], SSL3_RANDOM_LENGTH - 4);
rv = PK11_GenerateRandom(random->rand, SSL3_RANDOM_LENGTH);
if (rv != SECSuccess) {
ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
}
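Review bot: In ssl3_GetNewRandom the call `rv = PK11_GenerateRandom(random->rand, SSL3_RANDOM_LENGTH);` fills the whole hello random from the RNG, and no comment says that leaving out the time prefix is intended. TLS describes this field as a 4-byte gmt_unix_time followed by 28 random bytes, so a reader checking the code against the protocol may take the all-random value for a mistake and restore the timestamp. I would put `/* All SSL3_RANDOM_LENGTH bytes come from the RNG; the gmt_unix_time prefix is deliberately not sent. */` above the call, and add the reason if it is to keep the host clock from being disclosed to peers, which I am only assuming here. The function body continues past the end of this hunk, so the return path is not visible.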


@ -10,16 +10,6 @@
#include "sslproto.h"
/*
* The ciphers are listed in the following order:
* - stronger ciphers before weaker ciphers
* - national ciphers before international ciphers
* - faster ciphers before slower ciphers
*
* National ciphers such as Camellia are listed before international ciphers
* such as AES and RC4 to allow servers that prefer Camellia to negotiate
* Camellia without having to disable AES and RC4, which are needed for
* interoperability with clients that don't yet implement Camellia.
*
* The ordering of cipher suites in this table must match the ordering in
* the cipherSuites table in ssl3con.c.
*
@ -27,75 +17,78 @@
* in ssl3ecc.c.
*
* Finally, update the ssl_V3_SUITES_IMPLEMENTED macro in sslimpl.h.
*
* The ordering is as follows:
* * No-encryption cipher suites last
* * Export/weak/obsolete cipher suites before no-encryption cipher suites
* * Order by key exchange algorithm: ECDHE, then DHE, then ECDH, RSA.
* * Within key agreement sections, order by symmetric encryption algorithm:
* AES-128, then Camellia-128, then AES-256, then Camellia-256, then SEED,
* then FIPS-3DES, then 3DES, then RC4. AES is commonly accepted as a
* strong cipher internationally, and is often hardware-accelerated.
* Camellia also has wide international support across standards
* organizations. SEED is only recommended by the Korean government. 3DES
* only provides 112 bits of security. RC4 is now deprecated or forbidden
* by many standards organizations.
* * Within symmetric algorithm sections, order by message authentication
* algorithm: GCM, then HMAC-SHA1, then HMAC-SHA256, then HMAC-MD5.
* * Within message authentication algorithm sections, order by asymmetric
* signature algorithm: ECDSA, then RSA, then DSS.
*/
const PRUint16 SSL_ImplementedCiphers[] = {
/* AES-GCM */
#ifdef NSS_ENABLE_ECC
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
#endif /* NSS_ENABLE_ECC */
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
/* 256-bit */
#ifdef NSS_ENABLE_ECC
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
#endif /* NSS_ENABLE_ECC */
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
#ifdef NSS_ENABLE_ECC
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
#endif /* NSS_ENABLE_ECC */
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
/* 128-bit */
#ifdef NSS_ENABLE_ECC
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
#endif /* NSS_ENABLE_ECC */
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_RC4_128_SHA,
#ifdef NSS_ENABLE_ECC
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
#endif /* NSS_ENABLE_ECC */
TLS_RSA_WITH_SEED_CBC_SHA,
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_MD5,
/* 112-bit 3DES */
#ifdef NSS_ENABLE_ECC
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
#endif /* NSS_ENABLE_ECC */
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_DHE_DSS_WITH_RC4_128_SHA,
#ifdef NSS_ENABLE_ECC
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA,
#endif /* NSS_ENABLE_ECC */
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS_RSA_WITH_SEED_CBC_SHA,
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_MD5,
/* 56-bit DES "domestic" cipher suites */
SSL_DHE_RSA_WITH_DES_CBC_SHA,
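Review bot: The header comment of SSL_ImplementedCiphers still says only that the table "must match the ordering in the cipherSuites table in ssl3con.c", without saying how that is enforced. This commit adds ssl3_CheckCipherSuiteOrderConsistency(), which asserts the match from ssl_Init, but only under `#ifdef DEBUG`, so an optimized build with the two tables out of step would run unchecked. I would extend that sentence of the comment with `* (asserted by ssl3_CheckCipherSuiteOrderConsistency() in DEBUG builds only; run a debug build after editing either table)`.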


@ -1850,6 +1850,10 @@ dtls_DTLSVersionToTLSVersion(SSL3ProtocolVersion dtlsv);
/********************** misc calls *********************/
#ifdef DEBUG
extern void ssl3_CheckCipherSuiteOrderConsistency();
#endif
extern int ssl_MapLowLevelError(int hiLevelError);
extern PRUint32 ssl_Time(void);
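Review bot: The added declaration `extern void ssl3_CheckCipherSuiteOrderConsistency();` has an empty parameter list, which in C declares a function without a prototype, so a call that passes arguments would not be diagnosed. The neighbouring declaration `extern PRUint32 ssl_Time(void);` uses the prototype form, and the new line should read `extern void ssl3_CheckCipherSuiteOrderConsistency(void);`. The definition added to ssl3con.c in this commit has the same empty list and should change with it.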


@ -22,6 +22,11 @@ ssl_Init(void)
PORT_SetError(SEC_ERROR_NO_MEMORY);
return (SECFailure);
}
#ifdef DEBUG
ssl3_CheckCipherSuiteOrderConsistency();
#endif
ssl_inited = 1;
}
return SECSuccess;


@ -0,0 +1,25 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
scenario Method
check_ocsp OCSPEE11OCSPCA1:d
testdb ../OCSPD/Client
#EE - OK, CA - OK
verify OCSPEE11OCSPCA1:d
cert OCSPCA1OCSPRoot:d
rev_type leaf
rev_flags requireFreshInfo
rev_mtype ocsp
result pass
#EE - revoked, CA - OK
verify OCSPEE12OCSPCA1:d
cert OCSPCA1OCSPRoot:d
rev_type leaf
rev_flags requireFreshInfo
rev_mtype ocsp
result fail


@ -49,73 +49,6 @@ ocsp_init()
cd ${CLIENTDIR}
}
ocsp_stapling()
{
# Parameter -4 is used as a temporary workaround for lack of IPv6 connectivity
# on some build bot slaves.
TESTNAME="startssl valid, supports OCSP stapling"
echo "$SCRIPTNAME: $TESTNAME"
echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5143 -d . < ${REQF}"
${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5143 -d . < ${REQF}
html_msg $? 0 "$TESTNAME"
# TESTNAME="startssl revoked, supports OCSP stapling"
# echo "$SCRIPTNAME: $TESTNAME"
# echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5144 -d . < ${REQF}"
# ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5144 -d . < ${REQF}
# html_msg $? 3 "$TESTNAME"
TESTNAME="comodo trial test expired revoked, supports OCSP stapling"
echo "$SCRIPTNAME: $TESTNAME"
echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5145 -d . < ${REQF}"
${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5145 -d . < ${REQF}
html_msg $? 1 "$TESTNAME"
TESTNAME="thawte (expired) valid, supports OCSP stapling"
echo "$SCRIPTNAME: $TESTNAME"
echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5146 -d . < ${REQF}"
${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5146 -d . < ${REQF}
html_msg $? 1 "$TESTNAME"
TESTNAME="thawte (expired) revoked, supports OCSP stapling"
echo "$SCRIPTNAME: $TESTNAME"
echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5147 -d . < ${REQF}"
${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5147 -d . < ${REQF}
html_msg $? 1 "$TESTNAME"
TESTNAME="digicert valid, supports OCSP stapling"
echo "$SCRIPTNAME: $TESTNAME"
echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5148 -d . < ${REQF}"
${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5148 -d . < ${REQF}
html_msg $? 0 "$TESTNAME"
TESTNAME="digicert revoked, supports OCSP stapling"
echo "$SCRIPTNAME: $TESTNAME"
echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5149 -d . < ${REQF}"
${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5149 -d . < ${REQF}
html_msg $? 3 "$TESTNAME"
TESTNAME="live valid, supports OCSP stapling"
echo "$SCRIPTNAME: $TESTNAME"
echo "tstclnt -V tls1.0: -T -v -F -M 1 -O -h login.live.com -p 443 -d . < ${REQF}"
${BINDIR}/tstclnt -V tls1.0: -T -v -F -M 1 -O -h login.live.com -p 443 -d . < ${REQF}
html_msg $? 0 "$TESTNAME"
TESTNAME="startssl valid, doesn't support OCSP stapling"
echo "$SCRIPTNAME: $TESTNAME"
echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 443 -d . < ${REQF}"
${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 443 -d . < ${REQF}
html_msg $? 2 "$TESTNAME"
TESTNAME="cacert untrusted, doesn't support OCSP stapling"
echo "$SCRIPTNAME: $TESTNAME"
echo "tstclnt -V tls1.0: -T -v -F -M 1 -O -h www.cacert.org -p 443 -d . < ${REQF}"
${BINDIR}/tstclnt -V tls1.0: -T -v -F -M 1 -O -h www.cacert.org -p 443 -d . < ${REQF}
html_msg $? 1 "$TESTNAME"
}
################## main #################################################
ocsp_init
ocsp_iopr_run
ocsp_stapling