diff -up ./cmd/crmftest/testcrmf.c.sign_policy ./cmd/crmftest/testcrmf.c

--- ./cmd/crmftest/testcrmf.c.sign_policy	2022-05-26 02:54:33.000000000 -0700

+++ ./cmd/crmftest/testcrmf.c	2022-06-20 16:47:35.023785628 -0700

@@ -85,7 +85,7 @@

 #include "sechash.h"

 #endif

-#define MAX_KEY_LEN 512

+#define MAX_KEY_LEN 1024

 #define PATH_LEN 150

 #define BUFF_SIZE 150

 #define UID_BITS 800

diff -up ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.sign_policy ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc

--- ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.sign_policy	2022-05-26 02:54:33.000000000 -0700

+++ ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc	2022-06-20 16:47:35.024785635 -0700

@@ -16,6 +16,7 @@

 #include "secerr.h"

 #include "sechash.h"

 #include "pk11_signature_test.h"

+#include "blapit.h"

 #include "testvectors/rsa_signature_2048_sha224-vectors.h"

 #include "testvectors/rsa_signature_2048_sha256-vectors.h"

@@ -109,7 +110,11 @@ class Pkcs11RsaPkcs1WycheproofTest

  * Use 6 as the invalid value since modLen % 16 must be zero.

  */

 TEST(RsaPkcs1Test, Pkcs1MinimumPadding) {

-  const size_t kRsaShortKeyBits = 736;

+#define RSA_SHORT_KEY_LENGTH 736

+/* if our minimum supported key length is big enough to handle

+ * our largest Hash function, we can't test a short length */

+#if RSA_MIN_MODULUS_BITS < RSA_SHORT_KEY_LENGTH

+  const size_t kRsaShortKeyBits = RSA_SHORT_KEY_LENGTH;

   const size_t kRsaKeyBits = 752;

   static const std::vector<uint8_t> kMsg{'T', 'E', 'S', 'T'};

   static const std::vector<uint8_t> kSha512DigestInfo{

@@ -209,6 +214,9 @@ TEST(RsaPkcs1Test, Pkcs1MinimumPadding)

                               SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512,

                               nullptr);

   EXPECT_EQ(SECSuccess, rv);

+#else

+  GTEST_SKIP();

+#endif

 }

 TEST(RsaPkcs1Test, RequireNullParameter) {

diff -up ./gtests/ssl_gtest/tls_subcerts_unittest.cc.sign_policy ./gtests/ssl_gtest/tls_subcerts_unittest.cc

--- ./gtests/ssl_gtest/tls_subcerts_unittest.cc.sign_policy	2022-05-26 02:54:33.000000000 -0700

+++ ./gtests/ssl_gtest/tls_subcerts_unittest.cc	2022-06-20 16:47:35.024785635 -0700

@@ -9,6 +9,8 @@

 #include "prtime.h"

 #include "secerr.h"

 #include "ssl.h"

+#include "nss.h"

+#include "blapit.h"

 #include "gtest_utils.h"

 #include "tls_agent.h"

@@ -348,9 +350,14 @@ static void GenerateWeakRsaKey(ScopedSEC

   ScopedPK11SlotInfo slot(PK11_GetInternalSlot());

   ASSERT_TRUE(slot);

   PK11RSAGenParams rsaparams;

-  // The absolute minimum size of RSA key that we can use with SHA-256 is

-  // 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528.

+// The absolute minimum size of RSA key that we can use with SHA-256 is

+// 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528.

+#define RSA_WEAK_KEY 528

+#if RSA_MIN_MODULUS_BITS < RSA_WEAK_KEY

   rsaparams.keySizeInBits = 528;

+#else

+  rsaparams.keySizeInBits = RSA_MIN_MODULUS_BITS + 1;

+#endif

   rsaparams.pe = 65537;

   // Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient

@@ -390,6 +397,18 @@ TEST_P(TlsConnectTls13, DCWeakKey) {

                                                 ssl_sig_rsa_pss_pss_sha256};

   client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));

   server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));

+#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY

+  // save the MIN POLICY length.

+  PRInt32 minRsa;

+

+  ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa));

+#if RSA_MIN_MODULUS_BITS >= 2048

+  ASSERT_EQ(SECSuccess,

+            NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024));

+#else

+  ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 2048));

+#endif

+#endif

   ScopedSECKEYPrivateKey dc_priv;

   ScopedSECKEYPublicKey dc_pub;

@@ -412,6 +431,9 @@ TEST_P(TlsConnectTls13, DCWeakKey) {

   auto cfilter = MakeTlsFilter<TlsExtensionCapture>(

       client_, ssl_delegated_credentials_xtn);

   ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity);

+#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY

+  ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa));

+#endif

 }

 class ReplaceDCSigScheme : public TlsHandshakeFilter {

diff -up ./lib/cryptohi/keyhi.h.sign_policy ./lib/cryptohi/keyhi.h

--- ./lib/cryptohi/keyhi.h.sign_policy	2022-05-26 02:54:33.000000000 -0700

+++ ./lib/cryptohi/keyhi.h	2022-06-20 16:47:35.024785635 -0700

@@ -53,6 +53,11 @@ extern unsigned SECKEY_PublicKeyStrength

 extern unsigned SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk);

 /*

+** Return the strength of the private key in bits

+*/

+extern unsigned SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk);

+

+/*

 ** Return the length of the signature in bytes

 */

 extern unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk);

diff -up ./lib/cryptohi/keyi.h.sign_policy ./lib/cryptohi/keyi.h

--- ./lib/cryptohi/keyi.h.sign_policy	2022-05-26 02:54:33.000000000 -0700

+++ ./lib/cryptohi/keyi.h	2022-06-20 16:47:35.024785635 -0700

@@ -4,6 +4,7 @@

 #ifndef _KEYI_H_

 #define _KEYI_H_

+#include "secerr.h"

 SEC_BEGIN_PROTOS

 /* NSS private functions */

@@ -36,6 +37,9 @@ SECStatus sec_DecodeRSAPSSParamsToMechan

                                             const SECItem *params,

                                             CK_RSA_PKCS_PSS_PARAMS *mech);

+/* make sure the key length matches the policy for keyType */

+SECStatus seckey_EnforceKeySize(KeyType keyType, unsigned keyLength,

+                                SECErrorCodes error);

 SEC_END_PROTOS

 #endif /* _KEYHI_H_ */

diff -up ./lib/cryptohi/seckey.c.sign_policy ./lib/cryptohi/seckey.c

--- ./lib/cryptohi/seckey.c.sign_policy	2022-05-26 02:54:33.000000000 -0700

+++ ./lib/cryptohi/seckey.c	2022-06-20 16:47:35.025785641 -0700

@@ -14,6 +14,7 @@

 #include "secdig.h"

 #include "prtime.h"

 #include "keyi.h"

+#include "nss.h"

 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)

 SEC_ASN1_MKSUB(SEC_IntegerTemplate)

@@ -1042,6 +1043,62 @@ SECKEY_PublicKeyStrengthInBits(const SEC

     return bitSize;

 }

+unsigned

+SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk)

+{

+    unsigned bitSize = 0;

+    CK_ATTRIBUTE_TYPE attribute = CKT_INVALID_TYPE;

+    SECItem params;

+    SECStatus rv;

+

+    if (!privk) {

+        PORT_SetError(SEC_ERROR_INVALID_KEY);

+        return 0;

+    }

+

+    /* interpret modulus length as key strength */

+    switch (privk->keyType) {

+        case rsaKey:

+        case rsaPssKey:

+        case rsaOaepKey:

+            /* some tokens don't export CKA_MODULUS on the private key,

+             * PK11_SignatureLen works around this if necessary */

+            bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;

+            if (bitSize == -1) {

+                bitSize = 0;

+            }

+            return bitSize;

+        case dsaKey:

+        case fortezzaKey:

+        case dhKey:

+        case keaKey:

+            attribute = CKA_PRIME;

+            break;

+        case ecKey:

+            rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,

+                                    CKA_EC_PARAMS, NULL, &params);

+            if ((rv != SECSuccess) || (params.data == NULL)) {

+                return 0;

+            }

+            bitSize = SECKEY_ECParamsToKeySize(&params);

+            PORT_Free(params.data);

+            return bitSize;

+        default:

+            PORT_SetError(SEC_ERROR_INVALID_KEY);

+            return 0;

+    }

+    PORT_Assert(attribute != CKT_INVALID_TYPE);

+    rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,

+                            attribute, NULL, &params);

+    if ((rv != SECSuccess) || (params.data == NULL)) {

+        PORT_SetError(SEC_ERROR_INVALID_KEY);

+        return 0;

+    }

+    bitSize = SECKEY_BigIntegerBitLength(&params);

+    PORT_Free(params.data);

+    return bitSize;

+}

+

 /* returns signature length in bytes (not bits) */

 unsigned

 SECKEY_SignatureLen(const SECKEYPublicKey *pubk)

@@ -1212,6 +1269,51 @@ SECKEY_CopyPublicKey(const SECKEYPublicK

 }

 /*

+ * Check that a given key meets the policy limits for the given key

+ * size.

+ */

+SECStatus

+seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, SECErrorCodes error)

+{

+    PRInt32 opt = -1;

+    PRInt32 optVal;

+    SECStatus rv;

+

+    switch (keyType) {

+        case rsaKey:

+        case rsaPssKey:

+        case rsaOaepKey:

+            opt = NSS_RSA_MIN_KEY_SIZE;

+            break;

+        case dsaKey:

+        case fortezzaKey:

+            opt = NSS_DSA_MIN_KEY_SIZE;

+            break;

+        case dhKey:

+        case keaKey:

+            opt = NSS_DH_MIN_KEY_SIZE;

+            break;

+        case ecKey:

+            opt = NSS_ECC_MIN_KEY_SIZE;

+            break;

+        case nullKey:

+        default:

+            PORT_SetError(SEC_ERROR_INVALID_KEY);

+            return SECFailure;

+    }

+    PORT_Assert(opt != -1);

+    rv = NSS_OptionGet(opt, &optVal);

+    if (rv != SECSuccess) {

+        return rv;

+    }

+    if (optVal < keyLength) {

+        PORT_SetError(error);

+        return SECFailure;

+    }

+    return SECSuccess;

+}

+

+/*

  * Use the private key to find a public key handle. The handle will be on

  * the same slot as the private key.

  */

diff -up ./lib/cryptohi/secsign.c.sign_policy ./lib/cryptohi/secsign.c

--- ./lib/cryptohi/secsign.c.sign_policy	2022-05-26 02:54:33.000000000 -0700

+++ ./lib/cryptohi/secsign.c	2022-06-20 16:47:35.025785641 -0700

@@ -15,6 +15,7 @@

 #include "pk11func.h"

 #include "secerr.h"

 #include "keyi.h"

+#include "nss.h"

 struct SGNContextStr {

     SECOidTag signalg;

@@ -32,6 +33,7 @@ sgn_NewContext(SECOidTag alg, SECItem *p

     SECOidTag hashalg, signalg;

     KeyType keyType;

     PRUint32 policyFlags;

+    PRInt32 optFlags;

     SECStatus rv;

     /* OK, map a PKCS #7 hash and encrypt algorithm into

@@ -56,6 +58,16 @@ sgn_NewContext(SECOidTag alg, SECItem *p

         PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);

         return NULL;

     }

+    if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {

+        if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {

+            rv = seckey_EnforceKeySize(key->keyType,

+                                       SECKEY_PrivateKeyStrengthInBits(key),

+                                       SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);

+            if (rv != SECSuccess) {

+                return NULL;

+            }

+        }

+    }

     /* check the policy on the hash algorithm */

     if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) ||

         !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {

@@ -467,9 +479,20 @@ SGN_Digest(SECKEYPrivateKey *privKey,

     SGNDigestInfo *di = 0;

     SECOidTag enctag;

     PRUint32 policyFlags;

+    PRInt32 optFlags;

     result->data = 0;

+    if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {

+        if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {

+            rv = seckey_EnforceKeySize(privKey->keyType,

+                                       SECKEY_PrivateKeyStrengthInBits(privKey),

+                                       SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);

+            if (rv != SECSuccess) {

+                return SECFailure;

+            }

+        }

+    }

     /* check the policy on the hash algorithm */

     if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) ||

         !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {

diff -up ./lib/cryptohi/secvfy.c.sign_policy ./lib/cryptohi/secvfy.c

--- ./lib/cryptohi/secvfy.c.sign_policy	2022-05-26 02:54:33.000000000 -0700

+++ ./lib/cryptohi/secvfy.c	2022-06-20 16:47:35.025785641 -0700

@@ -16,6 +16,7 @@

 #include "secdig.h"

 #include "secerr.h"

 #include "keyi.h"

+#include "nss.h"

 /*

 ** Recover the DigestInfo from an RSA PKCS#1 signature.

@@ -467,6 +468,7 @@ vfy_CreateContext(const SECKEYPublicKey

     unsigned int sigLen;

     KeyType type;

     PRUint32 policyFlags;

+    PRInt32 optFlags;

     /* make sure the encryption algorithm matches the key type */

     /* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */

@@ -476,7 +478,16 @@ vfy_CreateContext(const SECKEYPublicKey

         PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH);

         return NULL;

     }

-

+    if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {

+        if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) {

+            rv = seckey_EnforceKeySize(key->keyType,

+                                       SECKEY_PublicKeyStrengthInBits(key),

+                                       SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);

+            if (rv != SECSuccess) {

+                return NULL;

+            }

+        }

+    }

     /* check the policy on the encryption algorithm */

     if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) ||

         !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {

diff -up ./lib/freebl/blapit.h.sign_policy ./lib/freebl/blapit.h

--- ./lib/freebl/blapit.h.sign_policy	2022-05-26 02:54:33.000000000 -0700

+++ ./lib/freebl/blapit.h	2022-06-20 16:47:35.025785641 -0700

@@ -135,7 +135,7 @@ typedef int __BLAPI_DEPRECATED __attribu

  * These values come from the initial key size limits from the PKCS #11

  * module. They may be arbitrarily adjusted to any value freebl supports.

  */

-#define RSA_MIN_MODULUS_BITS 128

+#define RSA_MIN_MODULUS_BITS 1023 /* 128 */

 #define RSA_MAX_MODULUS_BITS 16384

 #define RSA_MAX_EXPONENT_BITS 64

 #define DH_MIN_P_BITS 128

diff -up ./lib/nss/nss.h.sign_policy ./lib/nss/nss.h

--- ./lib/nss/nss.h.sign_policy	2022-05-26 02:54:33.000000000 -0700

+++ ./lib/nss/nss.h	2022-06-20 16:47:35.026785647 -0700

@@ -302,6 +302,28 @@ SECStatus NSS_UnregisterShutdown(NSS_Shu

 #define NSS_DEFAULT_LOCKS 0x00d /* lock default values */

 #define NSS_DEFAULT_SSL_LOCK 1  /* lock the ssl default values */

+/* NSS_KEY_SIZE_POLICY controls what kinds of operations are subject to

+ * the NSS_XXX_MIN_KEY_SIZE values.

+ *    NSS_KEY_SIZE_POLICY_FLAGS sets and clears all the flags to the input

+ *                              value

+ *     On get it returns all the flags

+ *    NSS_KEY_SIZE_POLICY_SET_FLAGS sets only the flags=1 in theinput value and

+ *                                  does not affect the other flags

+ *     On get it returns all the flags

+ *    NSS_KEY_SIZE_POLICY_CLEAR_FLAGS clears only the flags=1 in the input

+ *                                    value and does not affect the other flags

+ *     On get it returns all the compliment of all the flags

+ *     (cleared flags == 1) */

+#define NSS_KEY_SIZE_POLICY_FLAGS 0x00e

+#define NSS_KEY_SIZE_POLICY_SET_FLAGS 0x00f

+#define NSS_KEY_SIZE_POLICY_CLEAR_FLAGS 0x010

+/* currently defined flags */

+#define NSS_KEY_SIZE_POLICY_SSL_FLAG 1

+#define NSS_KEY_SIZE_POLICY_VERIFY_FLAG 2

+#define NSS_KEY_SIZE_POLICY_SIGN_FLAG 4

+

+#define NSS_ECC_MIN_KEY_SIZE 0x011

+

 /*

  * Set and get global options for the NSS library.

  */

diff -up ./lib/nss/nssoptions.c.sign_policy ./lib/nss/nssoptions.c

--- ./lib/nss/nssoptions.c.sign_policy	2022-05-26 02:54:33.000000000 -0700

+++ ./lib/nss/nssoptions.c	2022-06-20 16:47:35.026785647 -0700

@@ -26,6 +26,8 @@ struct nssOps {

     PRInt32 dtlsVersionMaxPolicy;

     PRInt32 pkcs12DecodeForceUnicode;

     PRInt32 defaultLocks;

+    PRInt32 keySizePolicyFlags;

+    PRInt32 eccMinKeySize;

 };

 static struct nssOps nss_ops = {

@@ -37,7 +39,9 @@ static struct nssOps nss_ops = {

     1,

     0xffff,

     PR_FALSE,

-    0

+    0,

+    NSS_KEY_SIZE_POLICY_SSL_FLAG,

+    SSL_ECC_MIN_CURVE_BITS

 };

 SECStatus

@@ -78,6 +82,18 @@ NSS_OptionSet(PRInt32 which, PRInt32 val

         case NSS_DEFAULT_LOCKS:

             nss_ops.defaultLocks = value;

             break;

+        case NSS_KEY_SIZE_POLICY_FLAGS:

+            nss_ops.keySizePolicyFlags = value;

+            break;

+        case NSS_KEY_SIZE_POLICY_SET_FLAGS:

+            nss_ops.keySizePolicyFlags |= value;

+            break;

+        case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS:

+            nss_ops.keySizePolicyFlags &= ~value;

+            break;

+        case NSS_ECC_MIN_KEY_SIZE:

+            nss_ops.eccMinKeySize = value;

+            break;

         default:

             PORT_SetError(SEC_ERROR_INVALID_ARGS);

             rv = SECFailure;

@@ -119,6 +135,16 @@ NSS_OptionGet(PRInt32 which, PRInt32 *va

         case NSS_DEFAULT_LOCKS:

             *value = nss_ops.defaultLocks;

             break;

+        case NSS_KEY_SIZE_POLICY_FLAGS:

+        case NSS_KEY_SIZE_POLICY_SET_FLAGS:

+            *value = nss_ops.keySizePolicyFlags;

+            break;

+        case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS:

+            *value = ~nss_ops.keySizePolicyFlags;

+            break;

+        case NSS_ECC_MIN_KEY_SIZE:

+            *value = nss_ops.eccMinKeySize;

+            break;

         default:

             rv = SECFailure;

     }

diff -up ./lib/nss/nssoptions.h.sign_policy ./lib/nss/nssoptions.h

--- ./lib/nss/nssoptions.h.sign_policy	2022-05-26 02:54:33.000000000 -0700

+++ ./lib/nss/nssoptions.h	2022-06-20 16:47:35.026785647 -0700

@@ -18,3 +18,5 @@

  * happens because NSS used to count bit lengths incorrectly. */

 #define SSL_DH_MIN_P_BITS 1023

 #define SSL_DSA_MIN_P_BITS 1023

+/* not really used by SSL, but define it here for consistency */

+#define SSL_ECC_MIN_CURVE_BITS 256

diff -up ./lib/pk11wrap/pk11kea.c.sign_policy ./lib/pk11wrap/pk11kea.c

--- ./lib/pk11wrap/pk11kea.c.sign_policy	2022-05-26 02:54:33.000000000 -0700

+++ ./lib/pk11wrap/pk11kea.c	2022-06-20 16:47:35.026785647 -0700

@@ -78,15 +78,14 @@ pk11_KeyExchange(PK11SlotInfo *slot, CK_

         if (privKeyHandle == CK_INVALID_HANDLE) {

             PK11RSAGenParams rsaParams;

-            if (symKeyLength > 53) /* bytes */ {

-                /* we'd have to generate an RSA key pair > 512 bits long,

+            if (symKeyLength > 120) /* bytes */ {

+                /* we'd have to generate an RSA key pair > 1024 bits long,

                 ** and that's too costly.  Don't even try.

                 */

                 PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY);

                 goto rsa_failed;

             }

-            rsaParams.keySizeInBits =

-                (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256;

+            rsaParams.keySizeInBits = 1024;

             rsaParams.pe = 0x10001;

             privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,

                                            &rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx);

diff -up ./lib/pk11wrap/pk11pars.c.sign_policy ./lib/pk11wrap/pk11pars.c

--- ./lib/pk11wrap/pk11pars.c.sign_policy	2022-06-20 16:47:35.004785510 -0700

+++ ./lib/pk11wrap/pk11pars.c	2022-06-20 16:47:35.026785647 -0700

@@ -427,12 +427,21 @@ static const optionFreeDef sslOptList[]

     { CIPHER_NAME("DTLS1.3"), 0x304 },

 };

+static const optionFreeDef keySizeFlagsList[] = {

+    { CIPHER_NAME("KEY-SIZE-SSL"), NSS_KEY_SIZE_POLICY_SSL_FLAG },

+    { CIPHER_NAME("KEY-SIZE-SIGN"), NSS_KEY_SIZE_POLICY_SIGN_FLAG },

+    { CIPHER_NAME("KEY-SIZE-VERIFY"), NSS_KEY_SIZE_POLICY_VERIFY_FLAG },

+};

+

 static const optionFreeDef freeOptList[] = {

     /* Restrictions for asymetric keys */

     { CIPHER_NAME("RSA-MIN"), NSS_RSA_MIN_KEY_SIZE },

     { CIPHER_NAME("DH-MIN"), NSS_DH_MIN_KEY_SIZE },

     { CIPHER_NAME("DSA-MIN"), NSS_DSA_MIN_KEY_SIZE },

+    { CIPHER_NAME("ECC-MIN"), NSS_ECC_MIN_KEY_SIZE },

+    /* what operations doe the key size apply to */

+    { CIPHER_NAME("KEY-SIZE-FLAGS"), NSS_KEY_SIZE_POLICY_FLAGS },

     /* constraints on SSL Protocols */

     { CIPHER_NAME("TLS-VERSION-MIN"), NSS_TLS_VERSION_MIN_POLICY },

     { CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY },

@@ -540,6 +549,7 @@ secmod_getPolicyOptValue(const char *pol

         *result = val;

         return SECSuccess;

     }

+    /* handle any ssl strings */

     for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) {

         if (policyValueLength == sslOptList[i].name_size &&

             PORT_Strncasecmp(sslOptList[i].name, policyValue,

@@ -548,7 +558,29 @@ secmod_getPolicyOptValue(const char *pol

             return SECSuccess;

         }

     }

-    return SECFailure;

+    /* handle key_size flags. Each flag represents a bit, which

+     * gets or'd together. They can be separated by , | or + */

+    val = 0;

+    while (*policyValue) {

+        PRBool found = PR_FALSE;

+        for (i = 0; i < PR_ARRAY_SIZE(keySizeFlagsList); i++) {

+            if (PORT_Strncasecmp(keySizeFlagsList[i].name, policyValue,

+                                 keySizeFlagsList[i].name_size) == 0) {

+                val |= keySizeFlagsList[i].option;

+                found = PR_TRUE;

+                policyValue += keySizeFlagsList[i].name_size;

+                break;

+            }

+        }

+        if (!found) {

+            return SECFailure;

+        }

+        if (*policyValue == ',' || *policyValue == '|' || *policyValue == '+') {

+            policyValue++;

+        }

+    }

+    *result = val;

+    return SECSuccess;

 }

 /* Policy operations:

diff -up ./lib/softoken/fips_algorithms.h.sign_policy ./lib/softoken/fips_algorithms.h

--- ./lib/softoken/fips_algorithms.h.sign_policy	2022-05-26 02:54:33.000000000 -0700

+++ ./lib/softoken/fips_algorithms.h	2022-06-20 16:47:35.026785647 -0700

@@ -54,7 +54,9 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]

 /* mechanisms using the same key types share the same key type

  * limits */

 #define RSA_FB_KEY 2048, 4096 /* min, max */

-#define RSA_FB_STEP 1024

+#define RSA_FB_STEP 1

+#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */

+#define RSA_LEGACY_FB_STEP 256

 #define DSA_FB_KEY 2048, 4096 /* min, max */

 #define DSA_FB_STEP 1024

 #define DH_FB_KEY 2048, 4096 /* min, max */

@@ -66,6 +68,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]

     { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },

     { CKM_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

     { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSNone },

+    { CKM_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

     /* -------------- RSA Multipart Signing Operations -------------------- */

     { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

     { CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

@@ -75,6 +78,14 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]

     { CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

     { CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

     { CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

+    { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

+    { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

+    { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

+    { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

+    { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

+    { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

+    { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

+    { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

     /* ------------------------- DSA Operations --------------------------- */

     { CKM_DSA_KEY_PAIR_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone },

     { CKM_DSA, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },

diff -up ./lib/ssl/ssl3con.c.sign_policy ./lib/ssl/ssl3con.c

--- ./lib/ssl/ssl3con.c.sign_policy	2022-06-20 16:47:34.998785473 -0700

+++ ./lib/ssl/ssl3con.c	2022-06-20 16:47:35.028785660 -0700

@@ -7409,6 +7409,8 @@ ssl_HandleDHServerKeyExchange(sslSocket

     unsigned dh_p_bits;

     unsigned dh_g_bits;

     PRInt32 minDH;

+    PRInt32 optval;

+    PRBool usePolicyLength = PR_FALSE;

     SSL3Hashes hashes;

     SECItem signature = { siBuffer, NULL, 0 };

@@ -7419,8 +7421,13 @@ ssl_HandleDHServerKeyExchange(sslSocket

     if (rv != SECSuccess) {

         goto loser; /* malformed. */

     }

+    rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);

+    if (rv == SECSuccess) {

+        usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG);

+    }

-    rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH);

+    rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH)

+                         : SECFailure;

     if (rv != SECSuccess || minDH <= 0) {

         minDH = SSL_DH_MIN_P_BITS;

     }

@@ -11411,13 +11418,20 @@ ssl_SetAuthKeyBits(sslSocket *ss, const

     SECStatus rv;

     PRUint32 minKey;

     PRInt32 optval;

+    PRBool usePolicyLength = PR_TRUE;

+

+    rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);

+    if (rv == SECSuccess) {

+        usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG);

+    }

     ss->sec.authKeyBits = SECKEY_PublicKeyStrengthInBits(pubKey);

     switch (SECKEY_GetPublicKeyType(pubKey)) {

         case rsaKey:

         case rsaPssKey:

         case rsaOaepKey:

-            rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval);

+            rv = usePolicyLength ? NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval)

+                                 : SECFailure;

             if (rv == SECSuccess && optval > 0) {

                 minKey = (PRUint32)optval;

             } else {

@@ -11426,7 +11440,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const

             break;

         case dsaKey:

-            rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval);

+            rv = usePolicyLength ? NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval)

+                                 : SECFailure;

             if (rv == SECSuccess && optval > 0) {

                 minKey = (PRUint32)optval;

             } else {

@@ -11435,7 +11450,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const

             break;

         case dhKey:

-            rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval);

+            rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval)

+                                 : SECFailure;

             if (rv == SECSuccess && optval > 0) {

                 minKey = (PRUint32)optval;

             } else {

@@ -11444,9 +11460,15 @@ ssl_SetAuthKeyBits(sslSocket *ss, const

             break;

         case ecKey:

-            /* Don't check EC strength here on the understanding that we only

-             * support curves we like. */

-            minKey = ss->sec.authKeyBits;

+            rv = usePolicyLength ? NSS_OptionGet(NSS_ECC_MIN_KEY_SIZE, &optval)

+                                 : SECFailure;

+            if (rv == SECSuccess && optval > 0) {

+                minKey = (PRUint32)optval;

+            } else {

+                /* Don't check EC strength here on the understanding that we

+                 * only support curves we like. */

+                minKey = ss->sec.authKeyBits;

+            }

             break;

         default:

diff -up ./tests/policy/crypto-policy.txt.sign_policy ./tests/policy/crypto-policy.txt

--- ./tests/policy/crypto-policy.txt.sign_policy	2022-05-26 02:54:33.000000000 -0700

+++ ./tests/policy/crypto-policy.txt	2022-06-20 16:47:35.028785660 -0700

@@ -6,6 +6,8 @@

 0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy

 0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy

 0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy

+0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=KEY-SIZE-SSL,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Valid key size

+2 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=UNKNOWN,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-FAIL.*unknown.* Invalid key size

 2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value

 2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value

 2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier

diff -up ./tests/ssl/sslpolicy.txt.sign_policy ./tests/ssl/sslpolicy.txt

--- ./tests/ssl/sslpolicy.txt.sign_policy	2022-06-20 16:47:35.028785660 -0700

+++ ./tests/ssl/sslpolicy.txt	2022-06-20 16:50:08.958742135 -0700

@@ -196,6 +196,11 @@

 # rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary

 # compatibility reasons

 #  1 noECC  SSL3   d    disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly

++  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification

++  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing

++  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL

++  0 noECC  SSL3   d    allow=rsa-min=1023 Restrict RSA keys when used in SSL

+

 # test default settings

 # NOTE: tstclient will attempt to overide the defaults, so we detect we

 # were successful by locking in our settings

diff -up ./tests/dbupgrade/dbupgrade.sh.sign_policy ./tests/dbupgrade/dbupgrade.sh

--- ./tests/dbupgrade/dbupgrade.sh.sign_policy	2022-06-22 08:43:55.905407738 -0700

+++ ./tests/dbupgrade/dbupgrade.sh	2022-06-22 08:43:58.837426779 -0700

@@ -69,7 +69,7 @@ dbupgrade_main()

 		echo $i

 		if [ -d $i ]; then

 			echo "upgrading db $i"

-			${BINDIR}/certutil -G -g 512 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1

+			${BINDIR}/certutil -G -g 1024 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1