From 5a897812a65e0877eb2e57e1ea28439f3d9ee177 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jan 29 2019 15:26:55 +0000
Subject: import nss-util-3.36.0-1.1.el7_6
---
diff --git a/SOURCES/nss-util-3.36-ipsec_cert_vfy.patch b/SOURCES/nss-util-3.36-ipsec_cert_vfy.patch
new file mode 100644
index 0000000..d7aeaac
--- /dev/null
+++ b/SOURCES/nss-util-3.36-ipsec_cert_vfy.patch
@@ -0,0 +1,124 @@
+diff --git a/lib/util/secoid.c b/lib/util/secoid.c
+--- a/lib/util/secoid.c
++++ b/lib/util/secoid.c
+@@ -117,17 +117,19 @@ const char __nss_util_version[] = "Versi
+ /* for DH algorithm */
+ /* { iso(1) member-body(2) us(840) x9-57(10046) number-type(2) } */
+ /* need real OID person to look at this, copied the above line
+ * and added 6 to second to last value (and changed '4' to '2' */
+ #define ANSI_X942_ALGORITHM 0x2a, 0x86, 0x48, 0xce, 0x3e, 0x2
+
+ #define VERISIGN 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45
+
+-#define PKIX 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07
++#define INTERNET_SECURITY_MECH 0x2b, 0x06, 0x01, 0x05, 0x05
++
++#define PKIX INTERNET_SECURITY_MECH, 0x07
+ #define PKIX_CERT_EXTENSIONS PKIX, 1
+ #define PKIX_POLICY_QUALIFIERS PKIX, 2
+ #define PKIX_KEY_USAGE PKIX, 3
+ #define PKIX_ACCESS_DESCRIPTION PKIX, 0x30
+ #define PKIX_OCSP PKIX_ACCESS_DESCRIPTION, 1
+ #define PKIX_CA_ISSUERS PKIX_ACCESS_DESCRIPTION, 2
+
+ #define PKIX_ID_PKIP PKIX, 5
+@@ -355,16 +357,17 @@ CONST_OID x509CertificatePolicies[] = {
+ CONST_OID x509PolicyMappings[] = { ID_CE_OID, 33 };
+ CONST_OID x509AuthKeyID[] = { ID_CE_OID, 35 };
+ CONST_OID x509PolicyConstraints[] = { ID_CE_OID, 36 };
+ CONST_OID x509ExtKeyUsage[] = { ID_CE_OID, 37 };
+ CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 };
+ CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 };
+
+ CONST_OID x509CertificatePoliciesAnyPolicy[] = { ID_CE_OID, 32, 0 };
++CONST_OID x509ExtKeyUsageAnyUsage[] = { ID_CE_OID, 37, 0 };
+
+ CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 };
+ CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 };
+
+ CONST_OID x509SIATimeStamping[] = { PKIX_ACCESS_DESCRIPTION, 0x03 };
+ CONST_OID x509SIACaRepository[] = { PKIX_ACCESS_DESCRIPTION, 0x05 };
+
+ /* pkcs 12 additions */
+@@ -449,18 +452,23 @@ CONST_OID pkixRegInfoUTF8Pairs[] = { PKI
+ CONST_OID pkixRegInfoCertReq[] = { PKIX_ID_REGINFO, 2 };
+
+ CONST_OID pkixExtendedKeyUsageServerAuth[] = { PKIX_KEY_USAGE, 1 };
+ CONST_OID pkixExtendedKeyUsageClientAuth[] = { PKIX_KEY_USAGE, 2 };
+ CONST_OID pkixExtendedKeyUsageCodeSign[] = { PKIX_KEY_USAGE, 3 };
+ CONST_OID pkixExtendedKeyUsageEMailProtect[] = { PKIX_KEY_USAGE, 4 };
+ CONST_OID pkixExtendedKeyUsageTimeStamp[] = { PKIX_KEY_USAGE, 8 };
+ CONST_OID pkixOCSPResponderExtendedKeyUsage[] = { PKIX_KEY_USAGE, 9 };
++/* 17 replaces 5 + 6 + 7 (declared obsolete in RFC 4945) */
++CONST_OID pkixExtendedKeyUsageIPsecIKE[] = { PKIX_KEY_USAGE, 17 };
+ CONST_OID msExtendedKeyUsageTrustListSigning[] = { MS_CRYPTO_EKU, 1 };
+
++CONST_OID ipsecIKEEnd[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x01 };
++CONST_OID ipsecIKEIntermediate[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x02 };
++
+ /* OIDs for Netscape defined algorithms */
+ CONST_OID netscapeSMimeKEA[] = { NETSCAPE_ALGS, 0x01 };
+
+ /* Fortezza algorithm OIDs */
+ CONST_OID skipjackCBC[] = { MISSI, 0x04 };
+ CONST_OID dhPublicKey[] = { ANSI_X942_ALGORITHM, 0x1 };
+
+ CONST_OID idea_CBC[] = { ASCOM_IDEA_ALG, 2 };
+@@ -1749,16 +1757,32 @@ const static SECOidData oids[SEC_OID_TOT
+ ODE(SEC_OID_TLS_FFDHE_8192,
+ "TLS FFDHE 8192-bit key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+ ODE(SEC_OID_TLS_DHE_CUSTOM,
+ "TLS DHE custom group key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+ OD(curve25519, SEC_OID_CURVE25519,
+ "Curve25519", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+ ODE(SEC_OID_TLS13_KEA_ANY,
+ "TLS 1.3 fake key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
++
++ OD(x509ExtKeyUsageAnyUsage, SEC_OID_X509_ANY_EXT_KEY_USAGE,
++ "Any Extended Key Usage",
++ CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
++ OD(pkixExtendedKeyUsageIPsecIKE,
++ SEC_OID_EXT_KEY_USAGE_IPSEC_IKE,
++ "IPsec IKE Certificate",
++ CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
++ OD(ipsecIKEEnd,
++ SEC_OID_IPSEC_IKE_END,
++ "IPsec IKE End",
++ CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
++ OD(ipsecIKEIntermediate,
++ SEC_OID_IPSEC_IKE_INTERMEDIATE,
++ "IPsec IKE Intermediate",
++ CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+ };
+
+ /* PRIVATE EXTENDED SECOID Table
+ * This table is private. Its structure is opaque to the outside.
+ * It is indexed by the same SECOidTag as the oids table above.
+ * Every member of this struct must have accessor functions (set, get)
+ * and those functions must operate by value, not by reference.
+ * The addresses of the contents of this table must not be exposed
+diff --git a/lib/util/secoidt.h b/lib/util/secoidt.h
+--- a/lib/util/secoidt.h
++++ b/lib/util/secoidt.h
+@@ -489,16 +489,21 @@ typedef enum {
+ SEC_OID_TLS_FFDHE_6144 = 352,
+ SEC_OID_TLS_FFDHE_8192 = 353,
+ SEC_OID_TLS_DHE_CUSTOM = 354,
+
+ SEC_OID_CURVE25519 = 355,
+
+ SEC_OID_TLS13_KEA_ANY = 356,
+
++ SEC_OID_X509_ANY_EXT_KEY_USAGE = 357,
++ SEC_OID_EXT_KEY_USAGE_IPSEC_IKE = 358,
++ SEC_OID_IPSEC_IKE_END = 359,
++ SEC_OID_IPSEC_IKE_INTERMEDIATE = 360,
++
+ SEC_OID_TOTAL
+ } SECOidTag;
+
+ #define SEC_OID_SECG_EC_SECP192R1 SEC_OID_ANSIX962_EC_PRIME192V1
+ #define SEC_OID_SECG_EC_SECP256R1 SEC_OID_ANSIX962_EC_PRIME256V1
+ #define SEC_OID_PKCS12_KEY_USAGE SEC_OID_X509_KEY_USAGE
+
+ /* fake OID for DSS sign/verify */
diff --git a/SPECS/nss-util.spec b/SPECS/nss-util.spec
index f170c87..0b10a2c 100644
--- a/SPECS/nss-util.spec
+++ b/SPECS/nss-util.spec
@@ -5,7 +5,7 @@ Summary: Network Security Services Utilities Library
Name: nss-util
Version: 3.36.0
-Release: 1%{?dist}
+Release: 1.1%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -42,6 +42,8 @@ Patch8: nss-util-3.19.1-tls12-mechanisms.patch
# To revert the change in:
# https://bugzilla.mozilla.org/show_bug.cgi?id=1377940
Patch9: nss-util-sql-default.patch
+# revert when rebase to 3.40
+Patch10: nss-util-3.36-ipsec_cert_vfy.patch
%description
Utilities for Network Security Services and the Softoken module
@@ -67,6 +69,7 @@ Header and library files for doing development with Network Security Services.
%patch8 -p1 -b .tls12_mechs
pushd nss
%patch9 -p1 -R -b .sql-default
+%patch10 -p1 -b .ipsec_vfy
popd
@@ -240,6 +243,9 @@ done
%{_includedir}/nss3/templates/templates.c
%changelog
+* Mon Nov 12 2018 Bob Relyea - 3.36.0-1.1
+- Update the cert verify code to allow a new ipsec usage and follow RFC 4945
+
* Mon Mar 5 2018 Daiki Ueno - 3.36.0-1
- Rebase to NSS 3.36
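Review bot: The four OD() entries appended to oids[] at the end of the secoid.c hunk are only correct because they appear in exactly the order of the four new SECOidTag values (357–360) in the secoidt.h hunk — the table is declared `oids[SEC_OID_TOTAL]` (hunk header) and, per the comment that follows it, indexed by SECOidTag — yet neither hunk records that coupling; I would put `/* keep in the same order as the OD() entries appended to oids[] in secoid.c */` above `SEC_OID_X509_ANY_EXT_KEY_USAGE = 357,` (an init-time offset-equals-index check, if secoid.c still has one, would catch a slip at runtime but not at review time). The new arrays deserve their dotted forms, which follow from the visible macros: `PKIX_KEY_USAGE, 17` is id-kp-ipsecIKE 1.3.6.1.5.5.7.3.17, and the two `INTERNET_SECURITY_MECH, 0x08, 0x02, …` arrays are 1.3.6.1.5.5.8.2.1 and 1.3.6.1.5.5.8.2.2, i.e. under the ipsec arc rather than PKIX, which is why they cannot reuse the PKIX macros. Since SEC_OID_TOTAL is part of the public secoidt.h enum and grows from 357 to 361 in a point release, the spec's "revert when rebase to 3.40" note should be backed by confirming these four values are the ones upstream 3.40 assigns, so the tags do not move again at the rebase. Finally, the changelog line "Update the cert verify code" describes more than this package does: these hunks only register the OID tags, and whether anyExtendedKeyUsage or the IKE OIDs satisfy a given certificate usage remains a decision of the nss verification code, so the entry should say the OIDs were added in support of that change rather than implying the verify logic lives here.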